hexapdf 0.28.0 → 0.31.0

data/lib/hexapdf/type/signature/adbe_pkcs7_detached.rb

@@ -1,135 +0,0 @@
-# -*- encoding: utf-8; frozen_string_literal: true -*-
-#
-#--
-# This file is part of HexaPDF.
-#
-# HexaPDF - A Versatile PDF Creation and Manipulation Library For Ruby
-# Copyright (C) 2014-2022 Thomas Leitner
-#
-# HexaPDF is free software: you can redistribute it and/or modify it
-# under the terms of the GNU Affero General Public License version 3 as
-# published by the Free Software Foundation with the addition of the
-# following permission added to Section 15 as permitted in Section 7(a):
-# FOR ANY PART OF THE COVERED WORK IN WHICH THE COPYRIGHT IS OWNED BY
-# THOMAS LEITNER, THOMAS LEITNER DISCLAIMS THE WARRANTY OF NON
-# INFRINGEMENT OF THIRD PARTY RIGHTS.
-#
-# HexaPDF is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
-# License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with HexaPDF. If not, see <http://www.gnu.org/licenses/>.
-#
-# The interactive user interfaces in modified source and object code
-# versions of HexaPDF must display Appropriate Legal Notices, as required
-# under Section 5 of the GNU Affero General Public License version 3.
-#
-# In accordance with Section 7(b) of the GNU Affero General Public
-# License, a covered work must retain the producer line in every PDF that
-# is created or manipulated using HexaPDF.
-#
-# If the GNU Affero General Public License doesn't fit your need,
-# commercial licenses are available at <https://gettalong.at/hexapdf/>.
-#++
-
-require 'openssl'
-require 'hexapdf/type/signature'
-
-module HexaPDF
-  module Type
-    class Signature
-
-      # The signature handler for the adbe.pkcs7.detached sub-filter.
-      class AdbePkcs7Detached < Handler
-
-        # Creates a new signature handler for the given signature dictionary.
-        def initialize(signature_dict)
-          super
-          @pkcs7 = OpenSSL::PKCS7.new(signature_dict.contents)
-        end
-
-        # Returns the common name of the signer.
-        def signer_name
-          signer_certificate.subject.to_a.assoc("CN")&.[](1) || super
-        end
-
-        # Returns the time of signing.
-        def signing_time
-          signer_info.signed_time rescue super
-        end
-
-        # Returns the certificate chain.
-        def certificate_chain
-          @pkcs7.certificates
-        end
-
-        # Returns the signer certificate (an instance of OpenSSL::X509::Certificate).
-        def signer_certificate
-          info = signer_info
-          certificate_chain.find {|cert| cert.issuer == info.issuer && cert.serial == info.serial }
-        end
-
-        # Returns the signer information object (an instance of OpenSSL::PKCS7::SignerInfo).
-        def signer_info
-          @pkcs7.signers.first
-        end
-
-        # Verifies the signature using the provided OpenSSL::X509::Store object.
-        def verify(store, allow_self_signed: false)
-          result = super
-
-          signer_info = self.signer_info
-          signer_certificate = self.signer_certificate
-          certificate_chain = self.certificate_chain
-
-          if certificate_chain.empty?
-            result.log(:error, "No certificates found in signature")
-            return result
-          end
-
-          if @pkcs7.signers.size != 1
-            result.log(:error, "Exactly one signer needed, found #{@pkcs7.signers.size}")
-          end
-
-          unless signer_certificate
-            result.log(:error, "Signer serial=#{signer_info.serial} issuer=#{signer_info.issuer} " \
-                       "not found in certificates stored in PKCS7 object")
-            return result
-          end
-
-          key_usage = signer_certificate.extensions.find {|ext| ext.oid == 'keyUsage' }
-          unless key_usage && key_usage.value.split(', ').include?("Digital Signature")
-            result.log(:error, "Certificate key usage is missing 'Digital Signature'")
-          end
-
-          if signature_dict.signature_type == 'ETSI.RFC3161'
-            # Getting the needed values is not directly supported by Ruby OpenSSL
-            p7 = OpenSSL::ASN1.decode(signature_dict.contents.sub(/\x00*\z/, ''))
-            signed_data = p7.value[1].value[0]
-            content_info = signed_data.value[2]
-            content = OpenSSL::ASN1.decode(content_info.value[1].value[0].value)
-            digest_algorithm = content.value[2].value[0].value[0].value
-            original_hash = content.value[2].value[1].value
-            recomputed_hash = OpenSSL::Digest.digest(digest_algorithm, signature_dict.signed_data)
-            hash_valid = (original_hash == recomputed_hash)
-          else
-            data = signature_dict.signed_data
-            hash_valid = true # hash will be checked by @pkcs7.verify
-          end
-          if hash_valid && @pkcs7.verify(certificate_chain, store, data,
-                                         OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY)
-            result.log(:info, "Signature valid")
-          else
-            result.log(:error, "Signature verification failed")
-          end
-
-          result
-        end
-
-      end
-
-    end
-  end
-end

data/lib/hexapdf/type/signature/adbe_x509_rsa_sha1.rb

@@ -1,95 +0,0 @@
-# -*- encoding: utf-8; frozen_string_literal: true -*-
-#
-#--
-# This file is part of HexaPDF.
-#
-# HexaPDF - A Versatile PDF Creation and Manipulation Library For Ruby
-# Copyright (C) 2014-2022 Thomas Leitner
-#
-# HexaPDF is free software: you can redistribute it and/or modify it
-# under the terms of the GNU Affero General Public License version 3 as
-# published by the Free Software Foundation with the addition of the
-# following permission added to Section 15 as permitted in Section 7(a):
-# FOR ANY PART OF THE COVERED WORK IN WHICH THE COPYRIGHT IS OWNED BY
-# THOMAS LEITNER, THOMAS LEITNER DISCLAIMS THE WARRANTY OF NON
-# INFRINGEMENT OF THIRD PARTY RIGHTS.
-#
-# HexaPDF is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
-# License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with HexaPDF. If not, see <http://www.gnu.org/licenses/>.
-#
-# The interactive user interfaces in modified source and object code
-# versions of HexaPDF must display Appropriate Legal Notices, as required
-# under Section 5 of the GNU Affero General Public License version 3.
-#
-# In accordance with Section 7(b) of the GNU Affero General Public
-# License, a covered work must retain the producer line in every PDF that
-# is created or manipulated using HexaPDF.
-#
-# If the GNU Affero General Public License doesn't fit your need,
-# commercial licenses are available at <https://gettalong.at/hexapdf/>.
-#++
-
-require 'openssl'
-require 'hexapdf/type/signature'
-
-module HexaPDF
-  module Type
-    class Signature
-
-      # The signature handler for the adbe.x509.rsa_sha1 sub-filter.
-      #
-      # Since this handler is deprecated with PDF 2.0 it only provides the implementation for
-      # reading and verifying signatures.
-      class AdbeX509RsaSha1 < Handler
-
-        # Returns the certificate chain.
-        def certificate_chain
-          return [] unless signature_dict.key?(:Cert)
-          [signature_dict[:Cert]].flatten.map {|str| OpenSSL::X509::Certificate.new(str) }
-        end
-
-        # Returns the signer certificate (an instance of OpenSSL::X509::Certificate).
-        def signer_certificate
-          certificate_chain.first
-        end
-
-        # Verifies the signature using the provided OpenSSL::X509::Store object.
-        def verify(store, allow_self_signed: false)
-          result = super
-
-          signer_certificate = self.signer_certificate
-          certificate_chain = self.certificate_chain
-
-          if certificate_chain.empty?
-            result.log(:error, "No certificates for verification found")
-            return result
-          end
-
-          signature = OpenSSL::ASN1.decode(signature_dict.contents)
-          if signature.tag != OpenSSL::ASN1::OCTET_STRING
-            result.log(:error, "PKCS1 signature object invalid, octet string expected")
-            return result
-          end
-
-          store.verify(signer_certificate, certificate_chain)
-
-          if signer_certificate.public_key.verify(OpenSSL::Digest.new('SHA1'),
-                                                  signature.value, signature_dict.signed_data)
-            result.log(:info, "Signature valid")
-          else
-            result.log(:error, "Signature verification failed")
-          end
-
-          result
-        end
-
-      end
-
-    end
-  end
-end

data/lib/hexapdf/type/signature/handler.rb

@@ -1,140 +0,0 @@
-# -*- encoding: utf-8; frozen_string_literal: true -*-
-#
-#--
-# This file is part of HexaPDF.
-#
-# HexaPDF - A Versatile PDF Creation and Manipulation Library For Ruby
-# Copyright (C) 2014-2022 Thomas Leitner
-#
-# HexaPDF is free software: you can redistribute it and/or modify it
-# under the terms of the GNU Affero General Public License version 3 as
-# published by the Free Software Foundation with the addition of the
-# following permission added to Section 15 as permitted in Section 7(a):
-# FOR ANY PART OF THE COVERED WORK IN WHICH THE COPYRIGHT IS OWNED BY
-# THOMAS LEITNER, THOMAS LEITNER DISCLAIMS THE WARRANTY OF NON
-# INFRINGEMENT OF THIRD PARTY RIGHTS.
-#
-# HexaPDF is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
-# License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with HexaPDF. If not, see <http://www.gnu.org/licenses/>.
-#
-# The interactive user interfaces in modified source and object code
-# versions of HexaPDF must display Appropriate Legal Notices, as required
-# under Section 5 of the GNU Affero General Public License version 3.
-#
-# In accordance with Section 7(b) of the GNU Affero General Public
-# License, a covered work must retain the producer line in every PDF that
-# is created or manipulated using HexaPDF.
-#
-# If the GNU Affero General Public License doesn't fit your need,
-# commercial licenses are available at <https://gettalong.at/hexapdf/>.
-#++
-
-require 'hexapdf/type/signature'
-
-module HexaPDF
-  module Type
-    class Signature
-
-      # The base signature handler providing common functionality.
-      #
-      # Specific signature handler need to override methods if necessary and implement the needed
-      # ones that don't have a default implementation.
-      class Handler
-
-        # The signature dictionary used by the handler.
-        attr_reader :signature_dict
-
-        # Creates a new signature handler for the given signature dictionary.
-        def initialize(signature_dict)
-          @signature_dict = signature_dict
-        end
-
-        # Returns the common name of the signer (/Name field of the signature dictionary).
-        def signer_name
-          @signature_dict[:Name]
-        end
-
-        # Returns the time of signing (/M field of the signature dictionary).
-        def signing_time
-          @signature_dict[:M]
-        end
-
-        # Returns the certificate chain.
-        #
-        # Needs to be implemented by specific handlers.
-        def certificate_chain
-          raise "Needs to be implemented by specific handlers"
-        end
-
-        # Returns the certificate used for signing.
-        #
-        # Needs to be implemented by specific handlers.
-        def signer_certificate
-          raise "Needs to be implemented by specific handlers"
-        end
-
-        # Verifies general signature properties and prepares the provided OpenSSL::X509::Store
-        # object for use by concrete implementations.
-        #
-        # Needs to be called by specific handlers.
-        def verify(store, allow_self_signed: false)
-          result = VerificationResult.new
-          check_certified_signature(result)
-          verify_signing_time(result)
-          store.verify_callback =
-            store_verification_callback(result, allow_self_signed: allow_self_signed)
-          result
-        end
-
-        protected
-
-        # Verifies that the signing time was within the validity period of the signer certificate.
-        def verify_signing_time(result)
-          time = signing_time
-          cert = signer_certificate
-          if time && cert && (time < cert.not_before || time > cert.not_after)
-            result.log(:error, "Signer certificate not valid at signing time")
-          end
-        end
-
-        DOCMDP_PERMS_MESSAGE_MAP = { # :nodoc:
-          1 => "No changes allowed",
-          2 => "Form filling and signing allowed",
-          3 => "Form filling, signing and annotation manipulation allowed",
-        }
-
-        # Sets an informational message on +result+ whether the signature is a certified signature.
-        def check_certified_signature(result)
-          sigref = signature_dict[:Reference]&.find {|ref| ref[:TransformMethod] == :DocMDP }
-          if sigref && signature_dict.document.catalog[:Perms]&.[](:DocMDP) == signature_dict
-            perms = sigref[:TransformParams]&.[](:P) || 2
-            result.log(:info, "Certified signature (#{DOCMDP_PERMS_MESSAGE_MAP[perms]})")
-          end
-        end
-
-        # Returns the block that should be used as the OpenSSL::X509::Store verification callback.
-        #
-        # +result+:: The VerificationResult object that should be updated if problems are found.
-        #
-        # +allow_self_signed+:: Specifies whether self-signed certificates are allowed.
-        def store_verification_callback(result, allow_self_signed: false)
-          lambda do |_success, context|
-            if context.error == OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
-                context.error == OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN
-              result.log(allow_self_signed ? :info : :error, "Self-signed certificate found")
-            end
-
-            true
-          end
-        end
-
-      end
-
-    end
-  end
-end