hexapdf 0.20.0 → 0.20.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: afdc2d646f24ddd3dacfb52ddc7b0f0d1de9dfdaff138e615a2126e16c86d1f4
-  data.tar.gz: 482f839f70fe4f68d9006f3e8db7427a27d9fbc7a71da219da63653ddfeedb3a
+  metadata.gz: bc35303fc0e58d54568facf02c328c5b29ca0b63fc4e3104cf705d99d8619aa4
+  data.tar.gz: 6803a1286003cd4029fd71971ac854ef4022ff9b7b4f6dcf9fc91e416edae9f0
 SHA512:
-  metadata.gz: 40c32b6df0f349e3f071e54b37fd546f1c87aef0fd645b9990b5e3b6cfa1c5c0bedb734bbc91b3fb09d968f95fdd8e6b78be004383920583cf91f920aa1623ea
-  data.tar.gz: e9f3f0a0fa0850e2adb308999d2edd7561ecf1871cbd7b2e244ff6f9144b97466a24afa7ebdadb9f27fc8fcb7964ddd913dc3a41c0b46aed01fd10bc4e26c92a
+  metadata.gz: e218312b96bc4b7c46a03f8bf47c808d1db07b7161db100a92164fdff90c88603e3494a5e2b0db648ae446b33dfbbecbb82c4d51afa982f8bdda10e3cfe9c4e0
+  data.tar.gz: f9c469bc564f675a52cedf7d373da7ba2fc650653459f0cd779ad041488924af3c0575aa7fcd24160b61c4899d92fc3df1e83f11fc2d4a1a32a3e6e9685c6fe8

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 0.20.1 - 2022-01-05
+
+### Changed
+
+* Refactored signature handlers, making `#store_verification_callback` a
+  protected method
+
+### Fixed
+
+* [HexaPDF::Task::Dereference] to work for even very deeply nested structures
+
+
 ## 0.20.0 - 2021-12-30
 
 ### Added

data/lib/hexapdf/task/dereference.rb

@@ -68,9 +68,9 @@ module HexaPDF
 
       def execute #:nodoc:
         if @object
-          dereference(@object)
+          dereference_all(@object)
         else
-          dereference(@doc.trailer)
+          dereference_all(@doc.trailer)
           @result = []
           @doc.each(only_current: false) do |obj|
             if !@seen.key?(obj.data) && obj.type != :ObjStm && obj.type != :XRef
@@ -83,6 +83,11 @@ module HexaPDF
         end
       end
 
+      def dereference_all(object) # :nodoc:
+        @dereference_later = [object]
+        dereference(@dereference_later.pop) until @dereference_later.empty?
+      end
+
       def dereference(object) #:nodoc:
         return object if object.nil? || @seen.key?(object.data)
         @seen[object.data] = true
@@ -97,9 +102,12 @@ module HexaPDF
         when Array
           val.map! {|v| recurse(v) }
         when HexaPDF::Reference
-          dereference(@doc.object(val))
+          val = @doc.object(val)
+          @dereference_later.push(val)
+          val
         when HexaPDF::Object
-          dereference(val)
+          @dereference_later.push(val)
+          val
         else
           val
         end

data/lib/hexapdf/type/signature/adbe_pkcs7_detached.rb

@@ -78,7 +78,7 @@ module HexaPDF
 
         # Verifies the signature using the provided OpenSSL::X509::Store object.
         def verify(store, allow_self_signed: false)
-          result = VerificationResult.new
+          result = super
 
           signer_info = self.signer_info
           signer_certificate = self.signer_certificate
@@ -104,10 +104,6 @@ module HexaPDF
             result.log(:error, "Certificate key usage is missing 'Digital Signature'")
           end
 
-          verify_signing_time(result)
-
-          store.verify_callback = store_verification_callback(result,
-                                                              allow_self_signed: allow_self_signed)
           if @pkcs7.verify(certificate_chain, store, signature_dict.signed_data,
                            OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY)
             result.log(:info, "Signature valid")

data/lib/hexapdf/type/signature/adbe_x509_rsa_sha1.rb

@@ -60,7 +60,7 @@ module HexaPDF
 
         # Verifies the signature using the provided OpenSSL::X509::Store object.
         def verify(store, allow_self_signed: false)
-          result = VerificationResult.new
+          result = super
 
           signer_certificate = self.signer_certificate
           certificate_chain = self.certificate_chain
@@ -76,10 +76,6 @@ module HexaPDF
             return result
           end
 
-          verify_signing_time(result)
-
-          store.verify_callback = store_verification_callback(result,
-                                                              allow_self_signed: allow_self_signed)
           store.verify(signer_certificate, certificate_chain)
 
           if signer_certificate.public_key.verify(OpenSSL::Digest.new('SHA1'),

data/lib/hexapdf/type/signature/handler.rb

@@ -78,6 +78,45 @@ module HexaPDF
           raise "Needs to be implemented by specific handlers"
         end
 
+        # Verifies general signature properties and prepares the provided OpenSSL::X509::Store
+        # object for use by concrete implementations.
+        #
+        # Needs to be called by specific handlers.
+        def verify(store, allow_self_signed: false)
+          result = VerificationResult.new
+          check_certified_signature(result)
+          verify_signing_time(result)
+          store.verify_callback =
+            store_verification_callback(result, allow_self_signed: allow_self_signed)
+          result
+        end
+
+        protected
+
+        # Verifies that the signing time was within the validity period of the signer certificate.
+        def verify_signing_time(result)
+          time = signing_time
+          cert = signer_certificate
+          if time && cert && (time < cert.not_before || time > cert.not_after)
+            result.log(:error, "Signer certificate not valid at signing time")
+          end
+        end
+
+        DOCMDP_PERMS_MESSAGE_MAP = { # :nodoc:
+          1 => "No changes allowed",
+          2 => "Form filling and signing allowed",
+          3 => "Form filling, signing and annotation manipulation allowed",
+        }
+
+        # Sets an informational message on +result+ whether the signature is a certified signature.
+        def check_certified_signature(result)
+          sigref = signature_dict[:Reference]&.find {|ref| ref[:TransformMethod] == :DocMDP }
+          if sigref && signature_dict.document.catalog[:Perms]&.[](:DocMDP) == signature_dict
+            perms = sigref[:TransformParams]&.[](:P) || 2
+            result.log(:info, "Certified signature (#{DOCMDP_PERMS_MESSAGE_MAP[perms]})")
+          end
+        end
+
         # Returns the block that should be used as the OpenSSL::X509::Store verification callback.
         #
         # +result+:: The VerificationResult object that should be updated if problems are found.
@@ -94,17 +133,6 @@ module HexaPDF
           end
         end
 
-        protected
-
-        # Verifies that the signing time was within the validity period of the signer certificate.
-        def verify_signing_time(result)
-          time = signing_time
-          cert = signer_certificate
-          if time && (time < cert.not_before || time > cert.not_after)
-            result.log(:error, "Signer certificate not valid at signing time")
-          end
-        end
-
       end
 
     end

data/lib/hexapdf/version.rb

@@ -37,6 +37,6 @@
 module HexaPDF
 
   # The version of HexaPDF.
-  VERSION = '0.20.0'
+  VERSION = '0.20.1'
 
 end

data/test/hexapdf/test_writer.rb

@@ -40,7 +40,7 @@ describe HexaPDF::Writer do
       219
       %%EOF
       3 0 obj
-      <</Producer(HexaPDF version 0.20.0)>>
+      <</Producer(HexaPDF version 0.20.1)>>
       endobj
       xref
       3 1
@@ -72,7 +72,7 @@ describe HexaPDF::Writer do
       141
       %%EOF
       6 0 obj
-      <</Producer(HexaPDF version 0.20.0)>>
+      <</Producer(HexaPDF version 0.20.1)>>
       endobj
       2 0 obj
       <</Length 10>>stream

data/test/hexapdf/type/signature/test_handler.rb

@@ -2,6 +2,7 @@
 
 require 'test_helper'
 require 'hexapdf/type/signature'
+require 'hexapdf/document'
 require 'time'
 require 'ostruct'
 
@@ -10,6 +11,7 @@ describe HexaPDF::Type::Signature::Handler do
     @time = Time.parse("2021-11-14 7:00")
     @dict = {Name: "handler", M: @time}
     @handler = HexaPDF::Type::Signature::Handler.new(@dict)
+    @result = HexaPDF::Type::Signature::VerificationResult.new
   end
 
   it "returns the signer name" do
@@ -30,7 +32,6 @@ describe HexaPDF::Type::Signature::Handler do
 
   describe "store_verification_callback" do
     before do
-      @result = HexaPDF::Type::Signature::VerificationResult.new
       @context = OpenStruct.new
     end
 
@@ -40,7 +41,7 @@ describe HexaPDF::Type::Signature::Handler do
         [true, false].each do |allow_self_signed|
           @result.messages.clear
           @context.error = error
-          @handler.store_verification_callback(@result, allow_self_signed: allow_self_signed).
+          @handler.send(:store_verification_callback, @result, allow_self_signed: allow_self_signed).
             call(false, @context)
           assert_equal(1, @result.messages.size)
           assert_match(/self-signed certificate/i, @result.messages[0].content)
@@ -51,26 +52,51 @@ describe HexaPDF::Type::Signature::Handler do
   end
 
   it "verifies the signing time" do
-    result = HexaPDF::Type::Signature::VerificationResult.new
     [
       [true, '6:00', '8:00'],
       [false, '7:30', '8:00'],
       [false, '5:00', '6:00'],
     ].each do |success, not_before, not_after|
-      result.messages.clear
+      @result.messages.clear
       @handler.define_singleton_method(:signer_certificate) do
         OpenStruct.new.tap do |struct|
           struct.not_before = Time.parse("2021-11-14 #{not_before}")
           struct.not_after = Time.parse("2021-11-14 #{not_after}")
         end
       end
-      @handler.send(:verify_signing_time, result)
+      @handler.send(:verify_signing_time, @result)
       if success
-        assert(result.messages.empty?)
+        assert(@result.messages.empty?)
       else
-        assert_equal(1, result.messages.size)
+        assert_equal(1, @result.messages.size)
       end
       @handler.singleton_class.remove_method(:signer_certificate)
     end
   end
+
+  describe "check_certified_signature" do
+    before do
+      @dict = HexaPDF::Document.new.wrap({Type: :Sig})
+      @handler.instance_variable_set(:@signature_dict, @dict)
+    end
+
+    it "logs nothing if there is no signature reference dictionary" do
+      @handler.send(:check_certified_signature, @result)
+      assert(@result.messages.empty?)
+    end
+
+    it "logs nothing if the global DocMDP permissions entry doesn't point to the signature" do
+      @dict[:Reference] = [{TransformMethod: :DocMDP}]
+      @handler.send(:check_certified_signature, @result)
+      assert(@result.messages.empty?)
+    end
+
+    it "logs a message if the signature is a certified one" do
+      @dict[:Reference] = [{TransformMethod: :DocMDP}]
+      @dict.document.catalog[:Perms] = {DocMDP: @dict}
+      @handler.send(:check_certified_signature, @result)
+      assert_equal(1, @result.messages.size)
+      assert_match(/certified signature/i, @result.messages[0].content)
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hexapdf
 version: !ruby/object:Gem::Version
-  version: 0.20.0
+  version: 0.20.1
 platform: ruby
 authors:
 - Thomas Leitner
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-12-30 00:00:00.000000000 Z
+date: 2022-01-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cmdparse
@@ -671,7 +671,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.32
+rubygems_version: 3.3.3
 signing_key: 
 specification_version: 4
 summary: HexaPDF - A Versatile PDF Creation and Manipulation Library For Ruby