hexapdf 0.28.0 → 0.29.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 874e09b094ea4e793d1d123cfbaded6d1cc5ba93af3b57587e9faf402786a30f
-  data.tar.gz: c1eed6a778936cd360b4f1878a18abc3e5727c1f36b5eab4838a9a72817dff7b
+  metadata.gz: 1fdace78c8d34d39c345e2ccd04edda4755e2fc8076cc7320793a4ef16f48520
+  data.tar.gz: a0ec03dc2d579eb8663512ec0c84cadbc877b9ec43cabb8ea0d6ab58df337585
 SHA512:
-  metadata.gz: b66a7587a239acbeb9ebbb20f851b2fa7738c5a4c2f8a95ae7ae3d7419b84ae37b5d1fb48a6b7023bff0df3e1728c395b5351c9c42c05707fabd5a1722e2b88a
-  data.tar.gz: 62ac7d070bb8ae3426685af497a047096dd32dc16a102baa961512652222b388198561776fc1227be69bdd0713183d91fa25e411262eec34a29227aae9723d5c
+  metadata.gz: a8b18782359af03f0eda710658d0839554f0e95cd8068683dcaea56e8493c3b8a0b4cc30c9e39a3fdbe743df4d5e34b84ce4ab27125c8c14300b861ecbff16e9
+  data.tar.gz: 8d5c60a368d85fa9c2b118d955933943f5d0cf79e91d744348cf1e3f1c9435d44880033c844b58ab098c8ab8d1e2e7cd4c5e04710133b25543f31457277d0ba2

data/CHANGELOG.md

@@ -1,3 +1,34 @@
+## 0.29.0 - 2023-01-30
+
+### Added
+
+* [HexaPDF::DigitalSignature::Signing::SignedDataCreator] for creating custom
+  CMS signed data objects
+
+### Changed
+
+* **Breaking change**: Refactored digital signature support and moved all
+  related code under the [HexaPDF::DigitalSignature] module
+* **Breaking change**: New external signing mode without the need for creating
+  the PKCS#7/CMS signed data object for
+  [HexaPDF::DigitalSignature::Signing::DefaultHandler]
+* **Breaking change**: Use value :pades instead of :etsi for
+  [HexaPDF::DigitalSignature::Signing::DefaultHandler#signature_type]
+* [HexaPDF::DigitalSignature::Signing::DefaultHandler] to allow creating PAdES
+  level B-B and B-T signatures
+* [HexaPDF::DigitalSignature::Signing::DefaultHandler] to allow specifying the
+  used digest algorithm
+* [HexaPDF::DigitalSignature::Signing::DefaultHandler] to allow specifying a
+  timestamp handler for including a timestamp token in the signature
+* Moved setting of signature entries /Filter, /SubFilter and /M fields to the
+  signing handlers
+
+### Fixed
+
+* [HexaPDF::DictionaryFields::DateConverter] to handle invalid timezone hour and
+  minute values
+
+
 ## 0.28.0 - 2022-12-30
 
 ### Added
@@ -61,30 +92,30 @@
 ### Added
 
 * Support for timestamp signatures through the
-  [HexaPDF::Document::Signatures::TimestampHandler]
+  `HexaPDF::Document::Signatures::TimestampHandler`
 * [HexaPDF::Document::Destinations#resolve] for resolving destination values
 * [HexaPDF::Document::Destinations::Destination#value] to return the destination
   array
 * Support for verifying document timestamp signatures
-* [HexaPDF::Document::Signatures::DefaultHandler#signature_size] to support
+* `HexaPDF::Document::Signatures::DefaultHandler#signature_size` to support
   setting custom signature sizes
-* [HexaPDF::Document::Signatures::DefaultHandler#external_signing] to support
+* `HexaPDF::Document::Signatures::DefaultHandler#external_signing` to support
   signing via custom mechanisms
-* [HexaPDF::Document::Signatures::embed_signature] to enable asynchronous
+* `HexaPDF::Document::Signatures::embed_signature` to enable asynchronous
   external signing
 
 ### Changed
 
 * **Breaking change**: The crop box is now used instead of the media box in most
   cases to be in line with the specification
-* [HexaPDF::Document::Signatures::DefaultHandler] to allow setting the used
+* `HexaPDF::Document::Signatures::DefaultHandler` to allow setting the used
   signature method
-* **Breaking change**: [HexaPDF::Document::Signatures::DefaultHandler#sign]
+* **Breaking change**: `HexaPDF::Document::Signatures::DefaultHandler#sign`
   needs to accept the IO object and the byte range instead of just the data
 * **Breaking change**: Enhanced support for outline items with new methods
   `#level` and `#destination_page` as well as changes to `#add` and `#each_item`
 * **Breaking change**: Removed `#filter_name` and `#sub_filter_name` from
-  [HexaPDF::Document::Signatures::DefaultHandler]
+  `HexaPDF::Document::Signatures::DefaultHandler`
 * `HexaPDF::Type::Resources#perform_validation` to not add a default procedure
   set since this feature is deprecated
 
@@ -101,7 +132,7 @@
 * [HexaPDF::Type::OutlineItem] to always be an indirect object
 * `HexaPDF::Tokenizer#parse_number` to handle references correctly in all cases
 * [HexaPDF::Type::Page#rotate] to correctly flatten all page boxes
-* [HexaPDF::Document::Signatures#add] to raise an error if the reserved space
+* `HexaPDF::Document::Signatures#add` to raise an error if the reserved space
   for the signature is not enough
 * `HexaPDF::Type::AcroForm::Form#perform_validation` to fix broken /Parent
   entries and to remove invalid objects from the field hierarchy
@@ -276,7 +307,7 @@
   moved node doesn't change
 * [HexaPDF::Type::PageTreeNode#move_page] to use the correct target position
   when the moved node is before the target position
-* [HexaPDF::Document::Signatures#add] to work in case the signature object is
+* `HexaPDF::Document::Signatures#add` to work in case the signature object is
   the last object written
 * CLI command `hexapdf inspect` to show correct byte range of the last revision
 * [HexaPDF::Writer#write_incremental] to only use a cross-reference stream if a
@@ -285,7 +316,7 @@
   disabled
 * [HexaPDF::Font::Encoding::GlyphList] to use binary reading to avoid problems
   on Windows
-* [HexaPDF::Document::Signatures#add] to use binary writing to avoid problems on
+* `HexaPDF::Document::Signatures#add` to use binary writing to avoid problems on
   Windows
 
 

data/examples/024-digital-signatures.rb

@@ -0,0 +1,23 @@
+# # Images
+#
+# This example shows how to embed images into a PDF document, directly on a
+# page's canvas and through the high-level [HexaPDF::Composer].
+#
+# Usage:
+# : `ruby digital-signatures.rb`
+#
+
+require 'hexapdf'
+require HexaPDF.data_dir + '/cert/demo_cert.rb'
+
+doc = if ARGV[0]
+        HexaPDF::Document.open(ARGV[0])
+      else
+        HexaPDF::Document.new.pages.add.document
+      end
+doc.sign("digital-signatures.pdf",
+         reason: 'Some reason',
+         certificate: HexaPDF.demo_cert.cert,
+         key: HexaPDF.demo_cert.key,
+         certificate_chain: [HexaPDF.demo_cert.sub_ca,
+                             HexaPDF.demo_cert.root_ca])

data/lib/hexapdf/configuration.rb

@@ -393,8 +393,8 @@ module HexaPDF
   #
   # signature.sub_filter_map::
   #    A mapping from a PDF name (a Symbol) to a signature handler class (see
-  #    HexaPDF::Type::Signature::Handler). If the value is a String, it should contain the name of a
-  #    constant to such a class.
+  #    HexaPDF::DigitalSignature::Handler). If the value is a String, it should contain the name of
+  #    a constant to such a class.
   #
   #    The sub filter map is used for mapping specific signature algorithms to handler classes. The
   #    filter value of a signature dictionary is ignored since we only support the standard
@@ -486,14 +486,14 @@ module HexaPDF
                         link: 'HexaPDF::Layout::Style::LinkLayer',
                       },
                       'signature.signing_handler' => {
-                        default: 'HexaPDF::Document::Signatures::DefaultHandler',
-                        timestamp: 'HexaPDF::Document::Signatures::TimestampHandler',
+                        default: 'HexaPDF::DigitalSignature::Signing::DefaultHandler',
+                        timestamp: 'HexaPDF::DigitalSignature::Signing::TimestampHandler',
                       },
                       'signature.sub_filter_map' => {
-                        'adbe.x509.rsa_sha1': 'HexaPDF::Type::Signature::AdbeX509RsaSha1',
-                        'adbe.pkcs7.detached': 'HexaPDF::Type::Signature::AdbePkcs7Detached',
-                        'ETSI.CAdES.detached': 'HexaPDF::Type::Signature::AdbePkcs7Detached',
-                        'ETSI.RFC3161': 'HexaPDF::Type::Signature::AdbePkcs7Detached',
+                        'adbe.x509.rsa_sha1': 'HexaPDF::DigitalSignature::PKCS1Handler',
+                        'adbe.pkcs7.detached': 'HexaPDF::DigitalSignature::CMSHandler',
+                        'ETSI.CAdES.detached': 'HexaPDF::DigitalSignature::CMSHandler',
+                        'ETSI.RFC3161': 'HexaPDF::DigitalSignature::CMSHandler',
                       },
                       'task.map' => {
                         optimize: 'HexaPDF::Task::Optimize',
@@ -583,10 +583,10 @@ module HexaPDF
                         SigFieldLock: 'HexaPDF::Type::AcroForm::SignatureField::LockDictionary',
                         SV: 'HexaPDF::Type::AcroForm::SignatureField::SeedValueDictionary',
                         SVCert: 'HexaPDF::Type::AcroForm::SignatureField::CertificateSeedValueDictionary',
-                        Sig: 'HexaPDF::Type::Signature',
-                        DocTimeStamp: 'HexaPDF::Type::Signature',
-                        SigRef: 'HexaPDF::Type::Signature::SignatureReference',
-                        TransformParams: 'HexaPDF::Type::Signature::TransformParams',
+                        Sig: 'HexaPDF::DigitalSignature::Signature',
+                        DocTimeStamp: 'HexaPDF::DigitalSignature::Signature',
+                        SigRef: 'HexaPDF::DigitalSignature::Signature::SignatureReference',
+                        TransformParams: 'HexaPDF::DigitalSignature::Signature::TransformParams',
                         Outlines: 'HexaPDF::Type::Outline',
                         XXOutlineItem: 'HexaPDF::Type::OutlineItem',
                         PageLabel: 'HexaPDF::Type::PageLabel',

data/lib/hexapdf/dictionary_fields.rb

@@ -293,14 +293,18 @@ module HexaPDF
       end
 
       # :nodoc:
-      DATE_RE = /\AD:(\d{4})(\d\d)?(\d\d)?(\d\d)?(\d\d)?(\d\d)?([Z+-])?(?:(\d\d)(?:'|'([0-5]\d)'?|\z)?)?\z/n
+      DATE_RE = /\AD:(\d{4})(\d\d)?(\d\d)?(\d\d)?(\d\d)?(\d\d)?([Z+-])?(?:(\d+)(?:'|'(\d+)'?|\z)?)?\z/n
 
       # Checks if the given object is a string and converts into a Time object if possible.
       # Otherwise returns +nil+.
       def self.convert(str, _type, _document)
         return unless str.kind_of?(String) && (m = str.match(DATE_RE))
 
-        utc_offset = (m[7].nil? || m[7] == 'Z' ? 0 : "#{m[7]}#{m[8]}:#{m[9] || '00'}")
+        utc_offset = if m[7].nil? || m[7] == 'Z'
+                       0
+                     else
+                       (m[7] == '-' ? -1 : 1) * (m[8].to_i * 3600 + m[9].to_i * 60).clamp(0, 86399)
+                     end
         Time.new(m[1].to_i, (m[2] ? m[2].to_i : 1), (m[3] ? m[3].to_i : 1),
                  m[4].to_i, m[5].to_i, m[6].to_i, utc_offset)
       end

data/lib/hexapdf/digital_signature/cms_handler.rb

@@ -0,0 +1,137 @@
+# -*- encoding: utf-8; frozen_string_literal: true -*-
+#
+#--
+# This file is part of HexaPDF.
+#
+# HexaPDF - A Versatile PDF Creation and Manipulation Library For Ruby
+# Copyright (C) 2014-2022 Thomas Leitner
+#
+# HexaPDF is free software: you can redistribute it and/or modify it
+# under the terms of the GNU Affero General Public License version 3 as
+# published by the Free Software Foundation with the addition of the
+# following permission added to Section 15 as permitted in Section 7(a):
+# FOR ANY PART OF THE COVERED WORK IN WHICH THE COPYRIGHT IS OWNED BY
+# THOMAS LEITNER, THOMAS LEITNER DISCLAIMS THE WARRANTY OF NON
+# INFRINGEMENT OF THIRD PARTY RIGHTS.
+#
+# HexaPDF is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
+# License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with HexaPDF. If not, see <http://www.gnu.org/licenses/>.
+#
+# The interactive user interfaces in modified source and object code
+# versions of HexaPDF must display Appropriate Legal Notices, as required
+# under Section 5 of the GNU Affero General Public License version 3.
+#
+# In accordance with Section 7(b) of the GNU Affero General Public
+# License, a covered work must retain the producer line in every PDF that
+# is created or manipulated using HexaPDF.
+#
+# If the GNU Affero General Public License doesn't fit your need,
+# commercial licenses are available at <https://gettalong.at/hexapdf/>.
+#++
+
+require 'openssl'
+require 'hexapdf/digital_signature/handler'
+
+module HexaPDF
+  module DigitalSignature
+
+    # The signature handler for PKCS#7 a.k.a. CMS signatures. Those include, for example, the
+    # adbe.pkcs7.detached sub-filter.
+    #
+    # See: PDF1.7/2.0 s12.8.3.3
+    class CMSHandler < Handler
+
+      # Creates a new signature handler for the given signature dictionary.
+      def initialize(signature_dict)
+        super
+        @pkcs7 = OpenSSL::PKCS7.new(signature_dict.contents)
+      end
+
+      # Returns the common name of the signer.
+      def signer_name
+        signer_certificate.subject.to_a.assoc("CN")&.[](1) || super
+      end
+
+      # Returns the time of signing.
+      def signing_time
+        signer_info.signed_time rescue super
+      end
+
+      # Returns the certificate chain.
+      def certificate_chain
+        @pkcs7.certificates
+      end
+
+      # Returns the signer certificate (an instance of OpenSSL::X509::Certificate).
+      def signer_certificate
+        info = signer_info
+        certificate_chain.find {|cert| cert.issuer == info.issuer && cert.serial == info.serial }
+      end
+
+      # Returns the signer information object (an instance of OpenSSL::PKCS7::SignerInfo).
+      def signer_info
+        @pkcs7.signers.first
+      end
+
+      # Verifies the signature using the provided OpenSSL::X509::Store object.
+      def verify(store, allow_self_signed: false)
+        result = super
+
+        signer_info = self.signer_info
+        signer_certificate = self.signer_certificate
+        certificate_chain = self.certificate_chain
+
+        if certificate_chain.empty?
+          result.log(:error, "No certificates found in signature")
+          return result
+        end
+
+        if @pkcs7.signers.size != 1
+          result.log(:error, "Exactly one signer needed, found #{@pkcs7.signers.size}")
+        end
+
+        unless signer_certificate
+          result.log(:error, "Signer serial=#{signer_info.serial} issuer=#{signer_info.issuer} " \
+                     "not found in certificates stored in PKCS7 object")
+          return result
+        end
+
+        key_usage = signer_certificate.extensions.find {|ext| ext.oid == 'keyUsage' }
+        unless key_usage && key_usage.value.split(', ').include?("Digital Signature")
+          result.log(:error, "Certificate key usage is missing 'Digital Signature'")
+        end
+
+        if signature_dict.signature_type == 'ETSI.RFC3161'
+          # Getting the needed values is not directly supported by Ruby OpenSSL
+          p7 = OpenSSL::ASN1.decode(signature_dict.contents.sub(/\x00*\z/, ''))
+          signed_data = p7.value[1].value[0]
+          content_info = signed_data.value[2]
+          content = OpenSSL::ASN1.decode(content_info.value[1].value[0].value)
+          digest_algorithm = content.value[2].value[0].value[0].value
+          original_hash = content.value[2].value[1].value
+          recomputed_hash = OpenSSL::Digest.digest(digest_algorithm, signature_dict.signed_data)
+          hash_valid = (original_hash == recomputed_hash)
+        else
+          data = signature_dict.signed_data
+          hash_valid = true # hash will be checked by @pkcs7.verify
+        end
+        if hash_valid && @pkcs7.verify(certificate_chain, store, data,
+                                       OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY)
+          result.log(:info, "Signature valid")
+        else
+          result.log(:error, "Signature verification failed")
+        end
+
+        result
+      end
+
+    end
+
+  end
+end
+

data/lib/hexapdf/digital_signature/handler.rb

@@ -0,0 +1,138 @@
+# -*- encoding: utf-8; frozen_string_literal: true -*-
+#
+#--
+# This file is part of HexaPDF.
+#
+# HexaPDF - A Versatile PDF Creation and Manipulation Library For Ruby
+# Copyright (C) 2014-2022 Thomas Leitner
+#
+# HexaPDF is free software: you can redistribute it and/or modify it
+# under the terms of the GNU Affero General Public License version 3 as
+# published by the Free Software Foundation with the addition of the
+# following permission added to Section 15 as permitted in Section 7(a):
+# FOR ANY PART OF THE COVERED WORK IN WHICH THE COPYRIGHT IS OWNED BY
+# THOMAS LEITNER, THOMAS LEITNER DISCLAIMS THE WARRANTY OF NON
+# INFRINGEMENT OF THIRD PARTY RIGHTS.
+#
+# HexaPDF is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
+# License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with HexaPDF. If not, see <http://www.gnu.org/licenses/>.
+#
+# The interactive user interfaces in modified source and object code
+# versions of HexaPDF must display Appropriate Legal Notices, as required
+# under Section 5 of the GNU Affero General Public License version 3.
+#
+# In accordance with Section 7(b) of the GNU Affero General Public
+# License, a covered work must retain the producer line in every PDF that
+# is created or manipulated using HexaPDF.
+#
+# If the GNU Affero General Public License doesn't fit your need,
+# commercial licenses are available at <https://gettalong.at/hexapdf/>.
+#++
+
+require 'hexapdf/digital_signature/verification_result'
+
+module HexaPDF
+  module DigitalSignature
+
+    # The base signature handler providing common functionality.
+    #
+    # Specific signature handler need to override methods if necessary and implement the needed
+    # ones that don't have a default implementation.
+    class Handler
+
+      # The signature dictionary used by the handler.
+      attr_reader :signature_dict
+
+      # Creates a new signature handler for the given signature dictionary.
+      def initialize(signature_dict)
+        @signature_dict = signature_dict
+      end
+
+      # Returns the common name of the signer (/Name field of the signature dictionary).
+      def signer_name
+        @signature_dict[:Name]
+      end
+
+      # Returns the time of signing (/M field of the signature dictionary).
+      def signing_time
+        @signature_dict[:M]
+      end
+
+      # Returns the certificate chain.
+      #
+      # Needs to be implemented by specific handlers.
+      def certificate_chain
+        raise "Needs to be implemented by specific handlers"
+      end
+
+      # Returns the certificate used for signing.
+      #
+      # Needs to be implemented by specific handlers.
+      def signer_certificate
+        raise "Needs to be implemented by specific handlers"
+      end
+
+      # Verifies general signature properties and prepares the provided OpenSSL::X509::Store
+      # object for use by concrete implementations.
+      #
+      # Needs to be called by specific handlers.
+      def verify(store, allow_self_signed: false)
+        result = VerificationResult.new
+        check_certified_signature(result)
+        verify_signing_time(result)
+        store.verify_callback =
+          store_verification_callback(result, allow_self_signed: allow_self_signed)
+        result
+      end
+
+      protected
+
+      # Verifies that the signing time was within the validity period of the signer certificate.
+      def verify_signing_time(result)
+        time = signing_time
+        cert = signer_certificate
+        if time && cert && (time < cert.not_before || time > cert.not_after)
+          result.log(:error, "Signer certificate not valid at signing time")
+        end
+      end
+
+      DOCMDP_PERMS_MESSAGE_MAP = { # :nodoc:
+        1 => "No changes allowed",
+        2 => "Form filling and signing allowed",
+        3 => "Form filling, signing and annotation manipulation allowed",
+      }
+
+      # Sets an informational message on +result+ whether the signature is a certified signature.
+      def check_certified_signature(result)
+        sigref = signature_dict[:Reference]&.find {|ref| ref[:TransformMethod] == :DocMDP }
+        if sigref && signature_dict.document.catalog[:Perms]&.[](:DocMDP) == signature_dict
+          perms = sigref[:TransformParams]&.[](:P) || 2
+          result.log(:info, "Certified signature (#{DOCMDP_PERMS_MESSAGE_MAP[perms]})")
+        end
+      end
+
+      # Returns the block that should be used as the OpenSSL::X509::Store verification callback.
+      #
+      # +result+:: The VerificationResult object that should be updated if problems are found.
+      #
+      # +allow_self_signed+:: Specifies whether self-signed certificates are allowed.
+      def store_verification_callback(result, allow_self_signed: false)
+        lambda do |_success, context|
+          if context.error == OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+              context.error == OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+            result.log(allow_self_signed ? :info : :error, "Self-signed certificate found")
+          end
+
+          true
+        end
+      end
+
+    end
+
+  end
+end

data/lib/hexapdf/digital_signature/pkcs1_handler.rb

@@ -0,0 +1,96 @@
+# -*- encoding: utf-8; frozen_string_literal: true -*-
+#
+#--
+# This file is part of HexaPDF.
+#
+# HexaPDF - A Versatile PDF Creation and Manipulation Library For Ruby
+# Copyright (C) 2014-2022 Thomas Leitner
+#
+# HexaPDF is free software: you can redistribute it and/or modify it
+# under the terms of the GNU Affero General Public License version 3 as
+# published by the Free Software Foundation with the addition of the
+# following permission added to Section 15 as permitted in Section 7(a):
+# FOR ANY PART OF THE COVERED WORK IN WHICH THE COPYRIGHT IS OWNED BY
+# THOMAS LEITNER, THOMAS LEITNER DISCLAIMS THE WARRANTY OF NON
+# INFRINGEMENT OF THIRD PARTY RIGHTS.
+#
+# HexaPDF is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
+# License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with HexaPDF. If not, see <http://www.gnu.org/licenses/>.
+#
+# The interactive user interfaces in modified source and object code
+# versions of HexaPDF must display Appropriate Legal Notices, as required
+# under Section 5 of the GNU Affero General Public License version 3.
+#
+# In accordance with Section 7(b) of the GNU Affero General Public
+# License, a covered work must retain the producer line in every PDF that
+# is created or manipulated using HexaPDF.
+#
+# If the GNU Affero General Public License doesn't fit your need,
+# commercial licenses are available at <https://gettalong.at/hexapdf/>.
+#++
+
+require 'openssl'
+require 'hexapdf/digital_signature/handler'
+
+module HexaPDF
+  module DigitalSignature
+
+    # The signature handler for PKCS#1 based sub-filters, the only being the adbe.x509.rsa_sha1
+    # sub-filter.
+    #
+    # Since PKCS#1 signatures are deprecated with PDF 2.0, the handler only provides the
+    # implementation for reading and verifying signatures.
+    #
+    # See: PDF1.7/2.0 s12.8.3.2
+    class PKCS1Handler < Handler
+
+      # Returns the certificate chain.
+      def certificate_chain
+        return [] unless signature_dict.key?(:Cert)
+        [signature_dict[:Cert]].flatten.map {|str| OpenSSL::X509::Certificate.new(str) }
+      end
+
+      # Returns the signer certificate (an instance of OpenSSL::X509::Certificate).
+      def signer_certificate
+        certificate_chain.first
+      end
+
+      # Verifies the signature using the provided OpenSSL::X509::Store object.
+      def verify(store, allow_self_signed: false)
+        result = super
+
+        signer_certificate = self.signer_certificate
+        certificate_chain = self.certificate_chain
+
+        if certificate_chain.empty?
+          result.log(:error, "No certificates for verification found")
+          return result
+        end
+
+        signature = OpenSSL::ASN1.decode(signature_dict.contents)
+        if signature.tag != OpenSSL::ASN1::OCTET_STRING
+          result.log(:error, "PKCS1 signature object invalid, octet string expected")
+          return result
+        end
+
+        store.verify(signer_certificate, certificate_chain)
+
+        if signer_certificate.public_key.verify(OpenSSL::Digest.new('SHA1'),
+                                                signature.value, signature_dict.signed_data)
+          result.log(:info, "Signature valid")
+        else
+          result.log(:error, "Signature verification failed")
+        end
+
+        result
+      end
+
+    end
+
+  end
+end

data/lib/hexapdf/{type → digital_signature}/signature.rb

@@ -39,7 +39,7 @@ require 'hexapdf/dictionary'
 require 'hexapdf/error'
 
 module HexaPDF
-  module Type
+  module DigitalSignature
 
     # Represents a digital signature that is used to authenticate a user and the contents of the
     # document.
@@ -53,14 +53,9 @@ module HexaPDF
     # By defining a custom signature handler one is able to also customize the signature
     # verification.
     #
-    # See: PDF1.7 s12.8.1, PDF2.0 s12.8.1, HexaPDF::Type::AcroForm::SignatureField
+    # See: PDF1.7/2.0 s12.8.1, HexaPDF::Type::AcroForm::SignatureField
     class Signature < Dictionary
 
-      autoload :Handler, 'hexapdf/type/signature/handler'
-      autoload :AdbeX509RsaSha1, 'hexapdf/type/signature/adbe_x509_rsa_sha1'
-      autoload :AdbePkcs7Detached, 'hexapdf/type/signature/adbe_pkcs7_detached'
-      autoload :VerificationResult, 'hexapdf/type/signature/verification_result'
-
       # Represents a transform parameters dictionary.
       #
       # The allowed fields depend on the transform method, so not all fields are available all the
@@ -122,7 +117,7 @@ module HexaPDF
 
       # Represents a signature reference dictionary.
       #
-      # See: PDF1.7 s12.8.1, PDF2.0 s12.8.1, HexaPDF::Type::Signature
+      # See: PDF1.7/2.0 s12.8.1, HexaPDF::DigitalSignature::Signature
       class SignatureReference < Dictionary
 
         define_type :SigRef