origami-docspring 2.2.0 → 2.3.0

data/lib/origami/signature.rb

@@ -1,702 +1,694 @@
-=begin
+# frozen_string_literal: true
+
+#
+#     This file is part of Origami, PDF manipulation framework for Ruby
+#     Copyright (C) 2016	Guillaume Delugré.
+#
+#     Origami is free software: you can redistribute it and/or modify
+#     it under the terms of the GNU Lesser General Public License as published by
+#     the Free Software Foundation, either version 3 of the License, or
+#     (at your option) any later version.
+#
+#     Origami is distributed in the hope that it will be useful,
+#     but WITHOUT ANY WARRANTY; without even the implied warranty of
+#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#     GNU Lesser General Public License for more details.
+#
+#     You should have received a copy of the GNU Lesser General Public License
+#     along with Origami.  If not, see <http://www.gnu.org/licenses/>.
+#
 
-    This file is part of Origami, PDF manipulation framework for Ruby
-    Copyright (C) 2016	Guillaume Delugré.
+require 'openssl'
+require 'digest/sha1'
 
-    Origami is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Lesser General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
+module Origami
+  class SignatureError < Error # :nodoc:
+  end
+
+  class PDF
+    #
+    # Verify a document signature.
+    #   _:trusted_certs_: an array of trusted X509 certificates.
+    #   _:use_system_store_: use the system store for certificate authorities.
+    #   _:allow_self_signed_: allow self-signed certificates in the verification chain.
+    #   _verify_cb_: block called when encountering a certificate that cannot be verified.
+    #                Passed argument in the OpenSSL::X509::StoreContext.
+    #
+    def verify(trusted_certs: [],
+      use_system_store: false,
+      allow_self_signed: false,
+      &verify_cb)
+      digsig = signature
+      digsig = digsig.cast_to(Signature::DigitalSignature) unless digsig.is_a?(Signature::DigitalSignature)
+
+      signature = digsig.signature_data
+      chain = digsig.certificate_chain
+      subfilter = digsig.SubFilter.value
+
+      store = OpenSSL::X509::Store.new
+      store.set_default_paths if use_system_store
+      trusted_certs.each { |ca| store.add_cert(ca) }
+
+      store.verify_callback = ->(success, ctx) {
+        return true if success
+
+        error = ctx.error
+        is_self_signed = error == OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+          error == OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+
+        return true if is_self_signed && allow_self_signed && verify_cb.nil?
+
+        verify_cb.call(ctx) unless verify_cb.nil?
+      }
+
+      data = extract_signed_data(digsig)
+      Signature.verify(subfilter.to_s, data, signature, store, chain)
+    end
 
-    Origami is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU Lesser General Public License for more details.
+    #
+    # Sign the document with the given key and x509 certificate.
+    # _certificate_:: The X509 certificate containing the public key.
+    # _key_:: The private key associated with the certificate.
+    # _method_:: The PDF signature identifier.
+    # _ca_:: Optional CA certificates used to sign the user certificate.
+    # _annotation_:: Annotation associated with the signature.
+    # _issuer_:: Issuer name.
+    # _location_:: Signature location.
+    # _contact_:: Signer contact.
+    # _reason_:: Signing reason.
+    #
+    def sign(certificate, key,
+      method: Signature::PKCS7_DETACHED,
+      ca: [],
+      annotation: nil,
+      issuer: nil,
+      location: nil,
+      contact: nil,
+      reason: nil)
+      unless certificate.is_a?(OpenSSL::X509::Certificate)
+        raise TypeError, "A OpenSSL::X509::Certificate object must be passed."
+      end
+
+      unless key.is_a?(OpenSSL::PKey::RSA)
+        raise TypeError, "A OpenSSL::PKey::RSA object must be passed."
+      end
+
+      unless ca.is_a?(::Array)
+        raise TypeError, "Expected an Array of CA certificates."
+      end
+
+      unless annotation.nil? || annotation.is_a?(Annotation::Widget::Signature)
+        raise TypeError, "Expected a Annotation::Widget::Signature object."
+      end
+
+      #
+      # XXX: Currently signing a linearized document will result in a broken document.
+      # Delinearize the document first until we find a proper way to handle this case.
+      #
+      if linearized?
+        delinearize!
+      end
+
+      digsig = Signature::DigitalSignature.new.set_indirect(true)
+
+      if annotation.nil?
+        annotation = Annotation::Widget::Signature.new
+        annotation.Rect = Rectangle[llx: 0.0, lly: 0.0, urx: 0.0, ury: 0.0]
+      end
+
+      annotation.V = digsig
+      add_fields(annotation)
+      self.Catalog.AcroForm.SigFlags =
+        InteractiveForm::SigFlags::SIGNATURES_EXIST | InteractiveForm::SigFlags::APPEND_ONLY
+
+      digsig.Type = :Sig
+      digsig.Contents = HexaString.new("\x00" * Signature.required_size(method, certificate, key, ca))
+      digsig.Filter = :'Adobe.PPKLite'
+      digsig.SubFilter = Name.new(method)
+      digsig.ByteRange = [0, 0, 0, 0]
+      digsig.Name = issuer
+
+      digsig.Location = HexaString.new(location) if location
+      digsig.ContactInfo = HexaString.new(contact) if contact
+      digsig.Reason = HexaString.new(reason) if reason
+
+      # PKCS1 signatures require a Cert entry.
+      if method == Signature::PKCS1_RSA_SHA1
+        digsig.Cert =
+          if ca.empty?
+            HexaString.new(certificate.to_der)
+          else
+            [HexaString.new(certificate.to_der)] + ca.map { |crt| HexaString.new(crt.to_der) }
+          end
+      end
+
+      #
+      #  Flattening the PDF to get file view.
+      #
+      compile
+
+      #
+      # Creating an empty Xref table to compute signature byte range.
+      #
+      rebuild_dummy_xrefs
+
+      sig_offset = get_object_offset(digsig.no, digsig.generation) + digsig.signature_offset
+
+      digsig.ByteRange[0] = 0
+      digsig.ByteRange[1] = sig_offset
+      digsig.ByteRange[2] = sig_offset + digsig.Contents.to_s.bytesize
+
+      until digsig.ByteRange[3] == filesize - digsig.ByteRange[2]
+        digsig.ByteRange[3] = filesize - digsig.ByteRange[2]
+      end
+
+      # From that point on, the file size remains constant
+
+      #
+      # Correct Xrefs variations caused by ByteRange modifications.
+      #
+      rebuild_xrefs
+
+      file_data = output
+      signable_data = file_data[digsig.ByteRange[0], digsig.ByteRange[1]] +
+        file_data[digsig.ByteRange[2], digsig.ByteRange[3]]
+
+      #
+      # Computes and inserts the signature.
+      #
+      signature = Signature.compute(method, signable_data, certificate, key, ca)
+      digsig.Contents[0, signature.size] = signature
+
+      #
+      # No more modification are allowed after signing.
+      #
+      freeze
+    end
 
-    You should have received a copy of the GNU Lesser General Public License
-    along with Origami.  If not, see <http://www.gnu.org/licenses/>.
+    #
+    # Returns whether the document contains a digital signature.
+    #
+    def signed?
+      self.Catalog.AcroForm.is_a?(Dictionary) and
+        self.Catalog.AcroForm.SigFlags.is_a?(Integer) and
+        (self.Catalog.AcroForm.SigFlags & InteractiveForm::SigFlags::SIGNATURES_EXIST != 0)
+    rescue InvalidReferenceError
+      false
+    end
 
-=end
+    #
+    # Enable the document Usage Rights.
+    # _rights_:: list of rights defined in UsageRights::Rights
+    #
+    def enable_usage_rights(cert, pkey, *rights)
+      # Always uses a detached PKCS7 signature for UR.
+      method = Signature::PKCS7_DETACHED
+
+      #
+      # Load key pair
+      #
+      key = pkey.is_a?(OpenSSL::PKey::RSA) ? pkey : OpenSSL::PKey::RSA.new(pkey)
+      certificate = cert.is_a?(OpenSSL::X509::Certificate) ? cert : OpenSSL::X509::Certificate.new(cert)
+
+      #
+      # Forge digital signature dictionary
+      #
+      digsig = Signature::DigitalSignature.new.set_indirect(true)
+
+      self.Catalog.AcroForm ||= InteractiveForm.new
+      # self.Catalog.AcroForm.SigFlags = InteractiveForm::SigFlags::APPEND_ONLY
+
+      digsig.Type = :Sig
+      digsig.Contents = HexaString.new("\x00" * Signature.required_size(method, certificate, key, []))
+      digsig.Filter = :'Adobe.PPKLite'
+      digsig.Name = "ARE Acrobat Product v8.0 P23 0002337"
+      digsig.SubFilter = Name.new(method)
+      digsig.ByteRange = [0, 0, 0, 0]
+
+      sigref = Signature::Reference.new
+      sigref.Type = :SigRef
+      sigref.TransformMethod = :UR3
+      sigref.Data = self.Catalog
+
+      sigref.TransformParams = UsageRights::TransformParams.new
+      sigref.TransformParams.P = true
+      sigref.TransformParams.Type = :TransformParams
+      sigref.TransformParams.V = UsageRights::TransformParams::VERSION
+
+      rights.each do |right|
+        sigref.TransformParams[right.first] ||= []
+        sigref.TransformParams[right.first].concat(right[1..])
+      end
+
+      digsig.Reference = [sigref]
+
+      self.Catalog.Perms ||= Perms.new
+      self.Catalog.Perms.UR3 = digsig
+
+      #
+      #  Flattening the PDF to get file view.
+      #
+      compile
+
+      #
+      # Creating an empty Xref table to compute signature byte range.
+      #
+      rebuild_dummy_xrefs
+
+      sig_offset = get_object_offset(digsig.no, digsig.generation) + digsig.signature_offset
+
+      digsig.ByteRange[0] = 0
+      digsig.ByteRange[1] = sig_offset
+      digsig.ByteRange[2] = sig_offset + digsig.Contents.size
+
+      until digsig.ByteRange[3] == filesize - digsig.ByteRange[2]
+        digsig.ByteRange[3] = filesize - digsig.ByteRange[2]
+      end
+
+      # From that point on, the file size remains constant
+
+      #
+      # Correct Xrefs variations caused by ByteRange modifications.
+      #
+      rebuild_xrefs
+
+      file_data = output
+      signable_data = file_data[digsig.ByteRange[0], digsig.ByteRange[1]] +
+        file_data[digsig.ByteRange[2], digsig.ByteRange[3]]
+
+      signature = Signature.compute(method, signable_data, certificate, key, [])
+      digsig.Contents[0, signature.size] = signature
+
+      #
+      # No more modification are allowed after signing.
+      #
+      freeze
+    end
 
-require 'openssl'
-require 'digest/sha1'
+    def usage_rights?
+      !self.Catalog.Perms.nil? and
+        (!self.Catalog.Perms.has_key?(:UR3) or !self.Catalog.Perms.has_key?(:UR))
+    end
 
-module Origami
+    def signature
+      raise SignatureError, "Not a signed document" unless signed?
+
+      each_field do |field|
+        return field.V if (field.FT == :Sig) && field.V.is_a?(Dictionary)
+      end
 
-    class SignatureError < Error #:nodoc:
+      raise SignatureError, "Cannot find digital signature"
     end
 
-    class PDF
-        #
-        # Verify a document signature.
-        #   _:trusted_certs_: an array of trusted X509 certificates.
-        #   _:use_system_store_: use the system store for certificate authorities.
-        #   _:allow_self_signed_: allow self-signed certificates in the verification chain.
-        #   _verify_cb_: block called when encountering a certificate that cannot be verified.
-        #                Passed argument in the OpenSSL::X509::StoreContext.
-        #
-        def verify(trusted_certs: [],
-                   use_system_store: false,
-                   allow_self_signed: false,
-                   &verify_cb)
+    private
 
-            digsig = self.signature
-            digsig = digsig.cast_to(Signature::DigitalSignature) unless digsig.is_a?(Signature::DigitalSignature)
+    #
+    # Verifies the ByteRange field of a digital signature and returned the signed data.
+    #
+    def extract_signed_data(digsig)
+      # Computes the boundaries of the Contents field.
+      start_sig = digsig[:Contents].file_offset
 
-            signature = digsig.signature_data
-            chain = digsig.certificate_chain
-            subfilter = digsig.SubFilter.value
+      stream = StringScanner.new(original_data)
+      stream.pos = digsig[:Contents].file_offset
+      Object.typeof(stream).parse(stream)
+      end_sig = stream.pos
+      stream.terminate
 
-            store = OpenSSL::X509::Store.new
-            store.set_default_paths if use_system_store
-            trusted_certs.each { |ca| store.add_cert(ca) }
+      r1, r2 = digsig.ranges
+      if (r1.begin != 0) ||
+          (r2.end != original_data.size) ||
+          (r1.end != start_sig) ||
+          (r2.begin != end_sig)
 
-            store.verify_callback = -> (success, ctx) {
-                return true if success
+        raise SignatureError, "Invalid signature byte range"
+      end
 
-                error = ctx.error
-                is_self_signed = (error == OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
-                                  error == OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
+      original_data[r1] + original_data[r2]
+    end
+  end
 
-                return true if is_self_signed && allow_self_signed && verify_cb.nil?
+  class Perms < Dictionary
+    include StandardObject
 
-                verify_cb.call(ctx) unless verify_cb.nil?
-            }
+    field :DocMDP, Type: Dictionary
+    field :UR, Type: Dictionary
+    field :UR3, Type: Dictionary, Version: "1.6"
+  end
 
-            data = extract_signed_data(digsig)
-            Signature.verify(subfilter.to_s, data, signature, store, chain)
-        end
+  module Signature
+    PKCS1_RSA_SHA1 = "adbe.x509.rsa_sha1"
+    PKCS7_SHA1 = "adbe.pkcs7.sha1"
+    PKCS7_DETACHED = "adbe.pkcs7.detached"
 
-        #
-        # Sign the document with the given key and x509 certificate.
-        # _certificate_:: The X509 certificate containing the public key.
-        # _key_:: The private key associated with the certificate.
-        # _method_:: The PDF signature identifier.
-        # _ca_:: Optional CA certificates used to sign the user certificate.
-        # _annotation_:: Annotation associated with the signature.
-        # _issuer_:: Issuer name.
-        # _location_:: Signature location.
-        # _contact_:: Signer contact.
-        # _reason_:: Signing reason.
-        #
-        def sign(certificate, key,
-                 method: Signature::PKCS7_DETACHED,
-                 ca: [],
-                 annotation: nil,
-                 issuer: nil,
-                 location: nil,
-                 contact: nil,
-                 reason: nil)
-
-            unless certificate.is_a?(OpenSSL::X509::Certificate)
-                raise TypeError, "A OpenSSL::X509::Certificate object must be passed."
-            end
-
-            unless key.is_a?(OpenSSL::PKey::RSA)
-                raise TypeError, "A OpenSSL::PKey::RSA object must be passed."
-            end
-
-            unless ca.is_a?(::Array)
-                raise TypeError, "Expected an Array of CA certificates."
-            end
-
-            unless annotation.nil? or annotation.is_a?(Annotation::Widget::Signature)
-                raise TypeError, "Expected a Annotation::Widget::Signature object."
-            end
-
-            #
-            # XXX: Currently signing a linearized document will result in a broken document.
-            # Delinearize the document first until we find a proper way to handle this case.
-            #
-            if self.linearized?
-                self.delinearize!
-            end
-
-            digsig = Signature::DigitalSignature.new.set_indirect(true)
-
-            if annotation.nil?
-                annotation = Annotation::Widget::Signature.new
-                annotation.Rect = Rectangle[:llx => 0.0, :lly => 0.0, :urx => 0.0, :ury => 0.0]
-            end
-
-            annotation.V = digsig
-            add_fields(annotation)
-            self.Catalog.AcroForm.SigFlags =
-                InteractiveForm::SigFlags::SIGNATURES_EXIST | InteractiveForm::SigFlags::APPEND_ONLY
-
-            digsig.Type = :Sig
-            digsig.Contents = HexaString.new("\x00" * Signature::required_size(method, certificate, key, ca))
-            digsig.Filter = :"Adobe.PPKLite"
-            digsig.SubFilter = Name.new(method)
-            digsig.ByteRange = [0, 0, 0, 0]
-            digsig.Name = issuer
-
-            digsig.Location = HexaString.new(location) if location
-            digsig.ContactInfo = HexaString.new(contact) if contact
-            digsig.Reason = HexaString.new(reason) if reason
-
-            # PKCS1 signatures require a Cert entry.
-            if method == Signature::PKCS1_RSA_SHA1
-                digsig.Cert =
-                    if ca.empty?
-                        HexaString.new(certificate.to_der)
-                    else
-                        [ HexaString.new(certificate.to_der) ] + ca.map{ |crt| HexaString.new(crt.to_der) }
-                    end
-            end
-
-            #
-            #  Flattening the PDF to get file view.
-            #
-            compile
-
-            #
-            # Creating an empty Xref table to compute signature byte range.
-            #
-            rebuild_dummy_xrefs
-
-            sig_offset = get_object_offset(digsig.no, digsig.generation) + digsig.signature_offset
-
-            digsig.ByteRange[0] = 0
-            digsig.ByteRange[1] = sig_offset
-            digsig.ByteRange[2] = sig_offset + digsig.Contents.to_s.bytesize
-
-            until digsig.ByteRange[3] == filesize - digsig.ByteRange[2]
-                digsig.ByteRange[3] = filesize - digsig.ByteRange[2]
-            end
-
-            # From that point on, the file size remains constant
-
-            #
-            # Correct Xrefs variations caused by ByteRange modifications.
-            #
-            rebuild_xrefs
-
-            file_data = output()
-            signable_data = file_data[digsig.ByteRange[0],digsig.ByteRange[1]] +
-                file_data[digsig.ByteRange[2],digsig.ByteRange[3]]
-
-            #
-            # Computes and inserts the signature.
-            #
-            signature = Signature.compute(method, signable_data, certificate, key, ca)
-            digsig.Contents[0, signature.size] = signature
-
-            #
-            # No more modification are allowed after signing.
-            #
-            self.freeze
-        end
+    #
+    # PKCS1 class used for adbe.x509.rsa_sha1.
+    #
+    class PKCS1
+      class PKCS1Error < SignatureError; end
 
-        #
-        # Returns whether the document contains a digital signature.
-        #
-        def signed?
-            begin
-                self.Catalog.AcroForm.is_a?(Dictionary) and
-                self.Catalog.AcroForm.SigFlags.is_a?(Integer) and
-                (self.Catalog.AcroForm.SigFlags & InteractiveForm::SigFlags::SIGNATURES_EXIST != 0)
-            rescue InvalidReferenceError
-                false
-            end
-        end
+      def initialize(signature)
+        @signature_object = decode_pkcs1(signature)
+      end
 
-        #
-        # Enable the document Usage Rights.
-        # _rights_:: list of rights defined in UsageRights::Rights
-        #
-        def enable_usage_rights(cert, pkey, *rights)
-
-            # Always uses a detached PKCS7 signature for UR.
-            method = Signature::PKCS7_DETACHED
-
-            #
-            # Load key pair
-            #
-            key = pkey.is_a?(OpenSSL::PKey::RSA) ? pkey : OpenSSL::PKey::RSA.new(pkey)
-            certificate = cert.is_a?(OpenSSL::X509::Certificate) ? cert : OpenSSL::X509::Certificate.new(cert)
-
-            #
-            # Forge digital signature dictionary
-            #
-            digsig = Signature::DigitalSignature.new.set_indirect(true)
-
-            self.Catalog.AcroForm ||= InteractiveForm.new
-            #self.Catalog.AcroForm.SigFlags = InteractiveForm::SigFlags::APPEND_ONLY
-
-            digsig.Type = :Sig
-            digsig.Contents = HexaString.new("\x00" * Signature.required_size(method, certificate, key, []))
-            digsig.Filter = :"Adobe.PPKLite"
-            digsig.Name = "ARE Acrobat Product v8.0 P23 0002337"
-            digsig.SubFilter = Name.new(method )
-            digsig.ByteRange = [0, 0, 0, 0]
-
-            sigref = Signature::Reference.new
-            sigref.Type = :SigRef
-            sigref.TransformMethod = :UR3
-            sigref.Data = self.Catalog
-
-            sigref.TransformParams = UsageRights::TransformParams.new
-            sigref.TransformParams.P = true
-            sigref.TransformParams.Type = :TransformParams
-            sigref.TransformParams.V = UsageRights::TransformParams::VERSION
-
-            rights.each do |right|
-                sigref.TransformParams[right.first] ||= []
-                sigref.TransformParams[right.first].concat(right[1..-1])
-            end
-
-            digsig.Reference = [ sigref ]
-
-            self.Catalog.Perms ||= Perms.new
-            self.Catalog.Perms.UR3 = digsig
-
-            #
-            #  Flattening the PDF to get file view.
-            #
-            compile
-
-            #
-            # Creating an empty Xref table to compute signature byte range.
-            #
-            rebuild_dummy_xrefs
-
-            sig_offset = get_object_offset(digsig.no, digsig.generation) + digsig.signature_offset
-
-            digsig.ByteRange[0] = 0
-            digsig.ByteRange[1] = sig_offset
-            digsig.ByteRange[2] = sig_offset + digsig.Contents.size
-
-            until digsig.ByteRange[3] == filesize - digsig.ByteRange[2]
-                digsig.ByteRange[3] = filesize - digsig.ByteRange[2]
-            end
-
-            # From that point on, the file size remains constant
-
-            #
-            # Correct Xrefs variations caused by ByteRange modifications.
-            #
-            rebuild_xrefs
-
-            file_data = output()
-            signable_data = file_data[digsig.ByteRange[0],digsig.ByteRange[1]] +
-                file_data[digsig.ByteRange[2],digsig.ByteRange[3]]
-
-            signature = Signature.compute(method, signable_data, certificate, key, [])
-            digsig.Contents[0, signature.size] = signature
-
-            #
-            # No more modification are allowed after signing.
-            #
-            self.freeze
-        end
-
-        def usage_rights?
-            not self.Catalog.Perms.nil? and
-                (not self.Catalog.Perms.has_key?(:UR3) or not self.Catalog.Perms.has_key?(:UR))
-        end
+      def verify(certificate, chain, store, data)
+        store.verify(certificate, chain) and certificate.public_key.verify(OpenSSL::Digest.new('SHA1'), @signature_object.value, data)
+      end
 
-        def signature
-            raise SignatureError, "Not a signed document" unless self.signed?
+      def self.sign(certificate, key, data)
+        raise PKCS1Error, "Invalid key for certificate" unless certificate.check_private_key(key)
 
-            self.each_field do |field|
-                return field.V if field.FT == :Sig and field.V.is_a?(Dictionary)
-            end
+        new encode_pkcs1 key.sign(OpenSSL::Digest.new('SHA1'), data)
+      end
 
-            raise SignatureError, "Cannot find digital signature"
-        end
+      def to_der
+        @signature_object.to_der
+      end
 
-        private
+      private
 
+      def decode_pkcs1(data)
         #
-        # Verifies the ByteRange field of a digital signature and returned the signed data.
+        # Extracts the first ASN.1 object from the data and discards the rest.
+        # Must be an octet string.
         #
-        def extract_signed_data(digsig)
-            # Computes the boundaries of the Contents field.
-            start_sig = digsig[:Contents].file_offset
-
-            stream = StringScanner.new(self.original_data)
-            stream.pos = digsig[:Contents].file_offset
-            Object.typeof(stream).parse(stream)
-            end_sig = stream.pos
-            stream.terminate
-
-            r1, r2 = digsig.ranges
-            if r1.begin != 0 or
-                r2.end != self.original_data.size or
-                r1.end != start_sig or
-                r2.begin != end_sig
-
-                raise SignatureError, "Invalid signature byte range"
-            end
-
-            self.original_data[r1] + self.original_data[r2]
-        end
+        signature_len = 0
+        OpenSSL::ASN1.traverse(data) do |_, offset, hdr_len, len, _, _, tag|
+          raise PKCS1Error, "Invalid PKCS1 object, expected an ASN.1 octet string" unless tag == OpenSSL::ASN1::OCTET_STRING
 
-    end
+          signature_len = offset + hdr_len + len
+          break
+        end
 
-    class Perms < Dictionary
-        include StandardObject
+        OpenSSL::ASN1.decode(data[0, signature_len])
+      end
 
-        field   :DocMDP,          :Type => Dictionary
-        field   :UR,              :Type => Dictionary
-        field   :UR3,             :Type => Dictionary, :Version => "1.6"
+      def self.encode_pkcs1(data)
+        OpenSSL::ASN1::OctetString.new(data).to_der
+      end
+      private_class_method :encode_pkcs1
     end
 
-    module Signature
+    def self.verify(method, data, signature, store, chain)
+      case method
+      when PKCS7_DETACHED
+        pkcs7 = OpenSSL::PKCS7.new(signature)
+        raise SignatureError, "Not a PKCS7 detached signature" unless pkcs7.detached?
+        pkcs7.verify([], store, data, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY)
+
+      when PKCS7_SHA1
+        pkcs7 = OpenSSL::PKCS7.new(signature)
+        pkcs7.verify([], store, nil, OpenSSL::PKCS7::BINARY) and pkcs7.data == Digest::SHA1.digest(data)
+
+      when PKCS1_RSA_SHA1
+        raise SignatureError, "Cannot verify RSA signature without a certificate" if chain.empty?
+        cert = chain.shift
+        pkcs1 = PKCS1.new(signature)
+        pkcs1.verify(cert, chain, store, data)
+
+      else
+        raise NotImplementedError, "Unsupported signature method #{method.inspect}"
+      end
+    end
 
-        PKCS1_RSA_SHA1  = "adbe.x509.rsa_sha1"
-        PKCS7_SHA1      = "adbe.pkcs7.sha1"
-        PKCS7_DETACHED  = "adbe.pkcs7.detached"
+    #
+    # Computes the required size in bytes for storing the signature.
+    #
+    def self.required_size(method, certificate, key, ca)
+      compute(method, "", certificate, key, ca).size
+    end
 
-        #
-        # PKCS1 class used for adbe.x509.rsa_sha1.
-        #
-        class PKCS1
-            class PKCS1Error < SignatureError; end
+    #
+    # Computes the signature using the specified subfilter method.
+    #
+    def self.compute(method, data, certificate, key, ca)
+      case method
+      when PKCS7_DETACHED
+        OpenSSL::PKCS7.sign(certificate, key, data, ca, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY).to_der
 
-            def initialize(signature)
-                @signature_object = decode_pkcs1(signature)
-            end
+      when PKCS7_SHA1
+        OpenSSL::PKCS7.sign(certificate, key, Digest::SHA1.digest(data), ca, OpenSSL::PKCS7::BINARY).to_der
 
-            def verify(certificate, chain, store, data)
-                store.verify(certificate, chain) and certificate.public_key.verify(OpenSSL::Digest::SHA1.new, @signature_object.value, data)
-            end
+      when PKCS1_RSA_SHA1
+        PKCS1.sign(certificate, key, data).to_der
 
-            def self.sign(certificate, key, data)
-                raise PKCS1Error, "Invalid key for certificate" unless certificate.check_private_key(key)
+      else
+        raise NotImplementedError, "Unsupported signature method #{method.inspect}"
+      end
+    end
 
-                self.new encode_pkcs1 key.sign(OpenSSL::Digest::SHA1.new, data)
-            end
+    #
+    # Class representing a signature which can be embedded in DigitalSignature dictionary.
+    # It must be a direct object.
+    #
+    class Reference < Dictionary
+      include StandardObject
 
-            def to_der
-                @signature_object.to_der
-            end
+      add_type_signature Type: :SigRef
 
-            private
+      field :Type, Type: Name, Default: :SigRef
+      field :TransformMethod, Type: Name, Default: :DocMDP, Required: true
+      field :TransformParams, Type: Dictionary
+      field :Data, Type: Object
+      field :DigestMethod, Type: Name, Default: :MD5
+      field :DigestValue, Type: String
+      field :DigestLocation, Type: Array
 
-            def decode_pkcs1(data)
-                #
-                # Extracts the first ASN.1 object from the data and discards the rest.
-                # Must be an octet string.
-                #
-                signature_len = 0
-                OpenSSL::ASN1.traverse(data) do |_, offset, hdr_len, len, _, _, tag|
-                    raise PKCS1Error, "Invalid PKCS1 object, expected an ASN.1 octet string" unless tag == OpenSSL::ASN1::OCTET_STRING
+      def initialize(hash = {}, parser = nil)
+        set_indirect(false)
 
-                    signature_len = offset + hdr_len + len
-                    break
-                end
+        super
+      end
+    end
 
-                OpenSSL::ASN1.decode(data[0, signature_len])
-            end
+    class BuildData < Dictionary
+      include StandardObject
 
-            def self.encode_pkcs1(data)
-                OpenSSL::ASN1::OctetString.new(data).to_der
-            end
-            private_class_method :encode_pkcs1
-        end
+      field :Name, Type: Name, Version: "1.5"
+      field :Date, Type: String, Version: "1.5"
+      field :R, Type: Number, Version: "1.5"
+      field :PreRelease, Type: Boolean, Default: false, Version: "1.5"
+      field :OS, Type: Array, Version: "1.5"
+      field :NonEFontNoWarn, Type: Boolean, Version: "1.5"
+      field :TrustedMode, Type: Boolean, Version: "1.5"
+      field :V, Type: Number, Version: "1.5"
 
-        def self.verify(method, data, signature, store, chain)
-            case method
-            when PKCS7_DETACHED
-                pkcs7 = OpenSSL::PKCS7.new(signature)
-                raise SignatureError, "Not a PKCS7 detached signature" unless pkcs7.detached?
-                pkcs7.verify([], store, data, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY)
-
-            when PKCS7_SHA1
-                pkcs7 = OpenSSL::PKCS7.new(signature)
-                pkcs7.verify([], store, nil, OpenSSL::PKCS7::BINARY) and pkcs7.data == Digest::SHA1.digest(data)
-
-            when PKCS1_RSA_SHA1
-                raise SignatureError, "Cannot verify RSA signature without a certificate" if chain.empty?
-                cert = chain.shift
-                pkcs1 = PKCS1.new(signature)
-                pkcs1.verify(cert, chain, store, data)
-
-            else
-                raise NotImplementedError, "Unsupported signature method #{method.inspect}"
-            end
-        end
+      def initialize(hash = {}, parser = nil)
+        set_indirect(false)
 
-        #
-        # Computes the required size in bytes for storing the signature.
-        #
-        def self.required_size(method, certificate, key, ca)
-            self.compute(method, "", certificate, key, ca).size
-        end
+        super
+      end
+    end
 
-        #
-        # Computes the signature using the specified subfilter method.
-        #
-        def self.compute(method, data, certificate, key, ca)
-            case method
-            when PKCS7_DETACHED
-                OpenSSL::PKCS7.sign(certificate, key, data, ca, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY).to_der
+    class AppData < BuildData
+      field :REx, Type: String, Version: "1.6"
+    end
 
-            when PKCS7_SHA1
-                OpenSSL::PKCS7.sign(certificate, key, Digest::SHA1.digest(data), ca, OpenSSL::PKCS7::BINARY).to_der
+    class SigQData < BuildData
+      field :Preview, Type: Boolean, Default: false, Version: "1.7"
+    end
 
-            when PKCS1_RSA_SHA1
-                PKCS1.sign(certificate, key, data).to_der
+    class BuildProperties < Dictionary
+      include StandardObject
+
+      field :Filter, Type: BuildData, Version: "1.5"
+      field :PubSec, Type: BuildData, Version: "1.5"
+      field :App, Type: AppData, Version: "1.5"
+      field :SigQ, Type: SigQData, Version: "1.7"
+
+      def initialize(hash = {}, parser = nil)
+        set_indirect(false)
+
+        super
+      end
+
+      def pre_build # :nodoc:
+        self.Filter ||= BuildData.new
+        self.Filter.Name ||= :'Adobe.PPKLite'
+        self.Filter.R ||= 0x20020
+        self.Filter.V ||= 2
+        self.Filter.Date ||= Time.now.to_s
+
+        self.PubSec ||= BuildData.new
+        self.PubSec.NonEFontNoWarn ||= true
+        self.PubSec.Date ||= Time.now.to_s
+        self.PubSec.R ||= 0x20021
+
+        self.App ||= AppData.new
+        self.App.Name ||= :Reader
+        self.App.REx = "11.0.8"
+        self.App.TrustedMode ||= true
+        self.App.OS ||= [:Win]
+        self.App.R ||= 0xb0008
+
+        super
+      end
+    end
 
-            else
-                raise NotImplementedError, "Unsupported signature method #{method.inspect}"
-            end
+    #
+    # Class representing a digital signature.
+    #
+    class DigitalSignature < Dictionary
+      include StandardObject
+
+      add_type_signature Filter: :'Adobe.PPKLite'
+      add_type_signature Filter: :'Adobe.PPKMS'
+
+      field :Type, Type: Name, Default: :Sig
+      field :Filter, Type: Name, Default: :'Adobe.PPKLite', Required: true
+      field :SubFilter, Type: Name
+      field :Contents, Type: String, Required: true
+      field :Cert, Type: [String, Array.of(String)]
+      field :ByteRange, Type: Array.of(Integer, length: 4)
+      field :Reference, Type: Array.of(Reference), Version: "1.5"
+      field :Changes, Type: Array
+      field :Name, Type: String
+      field :M, Type: String
+      field :Location, Type: String
+      field :Reason, Type: String
+      field :ContactInfo, Type: String
+      field :R, Type: Integer
+      field :V, Type: Integer, Default: 0, Version: "1.5"
+      field :Prop_Build, Type: BuildProperties, Version: "1.5"
+      field :Prop_AuthTime, Type: Integer, Version: "1.5"
+      field :Prop_AuthType, Type: Name, Version: "1.5"
+
+      def pre_build # :nodoc:
+        self.M = Origami::Date.now
+        self.Prop_Build ||= BuildProperties.new.pre_build
+
+        super
+      end
+
+      def to_s(indent: nil, tab: nil, eol: nil) # :nodoc:
+        # Must be deterministic, ignore parameters
+        indent_value = 1
+        tab_value = "\t"
+        eol_value = $/
+
+        content = TOKENS.first + eol_value
+
+        to_a.sort_by { |key, _| key }.reverse_each do |key, value|
+          content << tab_value * indent_value << key.to_s << " "
+          content << (value.is_a?(Dictionary) ? value.to_s(indent: indent_value + 1) : value.to_s) << eol_value
         end
 
-        #
-        # Class representing a signature which can be embedded in DigitalSignature dictionary.
-        # It must be a direct object.
-        #
-        class Reference < Dictionary
-            include StandardObject
+        content << tab_value * (indent_value - 1) << TOKENS.last
 
-            add_type_signature        :Type => :SigRef
+        output(content)
+      end
 
-            field   :Type,            :Type => Name, :Default => :SigRef
-            field   :TransformMethod, :Type => Name, :Default => :DocMDP, :Required => true
-            field   :TransformParams, :Type => Dictionary
-            field   :Data,            :Type => Object
-            field   :DigestMethod,    :Type => Name, :Default => :MD5
-            field   :DigestValue,     :Type => String
-            field   :DigestLocation,  :Type => Array
+      def ranges
+        byte_range = self.ByteRange
 
-            def initialize(hash = {}, parser = nil)
-                set_indirect(false)
+        unless byte_range.is_a?(Array) && (byte_range.length == 4) && byte_range.all? { |i| i.is_a?(Integer) }
+          raise SignatureError, "Invalid ByteRange field value"
+        end
 
-                super(hash, parser)
-            end
+        byte_range.map(&:to_i).each_slice(2).map do |start, length|
+          (start...start + length)
         end
+      end
 
-        class BuildData < Dictionary
-            include StandardObject
+      def signature_data
+        raise SignatureError, "Invalid signature data" unless self[:Contents].is_a?(String)
 
-            field   :Name,              :Type => Name,  :Version => "1.5"
-            field   :Date,              :Type => String, :Version => "1.5"
-            field   :R,                 :Type => Number, :Version => "1.5"
-            field   :PreRelease,        :Type => Boolean, :Default => false, :Version => "1.5"
-            field   :OS,                :Type => Array, :Version => "1.5"
-            field   :NonEFontNoWarn,    :Type => Boolean, :Version => "1.5"
-            field   :TrustedMode,       :Type => Boolean, :Version => "1.5"
-            field   :V,                 :Type => Number, :Version => "1.5"
+        self[:Contents]
+      end
 
-            def initialize(hash = {}, parser = nil)
-                set_indirect(false)
+      def certificate_chain
+        return [] unless key?(:Cert)
 
-                super(hash, parser)
-            end
+        chain = self.Cert
+        if !chain.is_a?(String) && !(chain.is_a?(Array) && chain.all? { |cert| cert.is_a?(String) })
+          return SignatureError, "Invalid embedded certificate chain"
         end
 
-        class AppData < BuildData
-            field   :REx,               :Type => String, :Version => "1.6"
-        end
+        [chain].flatten.map! { |str| OpenSSL::X509::Certificate.new(str) }
+      end
 
-        class SigQData < BuildData
-            field   :Preview,           :Type => Boolean, :Default => false, :Version => "1.7"
-        end
+      def signature_offset # :nodoc:
+        indent_value = 1
+        tab_value = "\t"
+        eol_value = $/
+        content = "#{no} #{generation} obj" + eol_value + TOKENS.first + eol_value
 
-        class BuildProperties < Dictionary
-            include StandardObject
-
-            field   :Filter,          :Type => BuildData, :Version => "1.5"
-            field   :PubSec,          :Type => BuildData, :Version => "1.5"
-            field   :App,             :Type => AppData, :Version => "1.5"
-            field   :SigQ,            :Type => SigQData, :Version => "1.7"
-
-            def initialize(hash = {}, parser = nil)
-                set_indirect(false)
-
-                super(hash, parser)
-            end
-
-            def pre_build #:nodoc:
-                self.Filter ||= BuildData.new
-                self.Filter.Name ||= :"Adobe.PPKLite"
-                self.Filter.R ||= 0x20020
-                self.Filter.V ||= 2
-                self.Filter.Date ||= Time.now.to_s
-
-                self.PubSec ||= BuildData.new
-                self.PubSec.NonEFontNoWarn ||= true
-                self.PubSec.Date ||= Time.now.to_s
-                self.PubSec.R ||= 0x20021
-
-                self.App ||= AppData.new
-                self.App.Name ||= :Reader
-                self.App.REx = "11.0.8"
-                self.App.TrustedMode ||= true
-                self.App.OS ||= [ :Win ]
-                self.App.R ||= 0xb0008
-
-                super
-            end
-        end
+        to_a.sort_by { |key, _| key }.reverse_each do |key, value|
+          if key == :Contents
+            content << tab_value * indent_value + key.to_s + " "
 
-        #
-        # Class representing a digital signature.
-        #
-        class DigitalSignature < Dictionary
-            include StandardObject
-
-            add_type_signature        :Filter => :"Adobe.PPKLite"
-            add_type_signature        :Filter => :"Adobe.PPKMS"
-
-            field   :Type,            :Type => Name, :Default => :Sig
-            field   :Filter,          :Type => Name, :Default => :"Adobe.PPKLite", :Required => true
-            field   :SubFilter,       :Type => Name
-            field   :Contents,        :Type => String, :Required => true
-            field   :Cert,            :Type => [ String, Array.of(String) ]
-            field   :ByteRange,       :Type => Array.of(Integer, length: 4)
-            field   :Reference,       :Type => Array.of(Reference), :Version => "1.5"
-            field   :Changes,         :Type => Array
-            field   :Name,            :Type => String
-            field   :M,               :Type => String
-            field   :Location,        :Type => String
-            field   :Reason,          :Type => String
-            field   :ContactInfo,     :Type => String
-            field   :R,               :Type => Integer
-            field   :V,               :Type => Integer, :Default => 0, :Version => "1.5"
-            field   :Prop_Build,      :Type => BuildProperties, :Version => "1.5"
-            field   :Prop_AuthTime,   :Type => Integer, :Version => "1.5"
-            field   :Prop_AuthType,   :Type => Name, :Version => "1.5"
-
-            def pre_build #:nodoc:
-                self.M = Origami::Date.now
-                self.Prop_Build ||= BuildProperties.new.pre_build
-
-                super
-            end
-
-            def to_s(indent: 1, tab: "\t", eol: $/) #:nodoc:
-
-                # Must be deterministic.
-                indent, tab, eol = 1, "\t", $/
-
-                content = TOKENS.first + eol
-
-                self.to_a.sort_by{ |key, _| key }.reverse_each do |key, value|
-                    content << tab * indent << key.to_s << " "
-                    content << (value.is_a?(Dictionary) ? value.to_s(indent: indent + 1) : value.to_s) << eol
-                end
-
-                content << tab * (indent - 1) << TOKENS.last
-
-                output(content)
-            end
-
-            def ranges
-                byte_range = self.ByteRange
-
-                unless byte_range.is_a?(Array) and byte_range.length == 4 and byte_range.all? {|i| i.is_a?(Integer) }
-                    raise SignatureError, "Invalid ByteRange field value"
-                end
-
-                byte_range.map(&:to_i).each_slice(2).map do |start, length|
-                    (start...start + length)
-                end
-            end
-
-            def signature_data
-                raise SignatureError, "Invalid signature data" unless self[:Contents].is_a?(String)
-
-                self[:Contents]
-            end
-
-            def certificate_chain
-                return [] unless key?(:Cert)
-
-                chain = self.Cert
-                unless chain.is_a?(String) or (chain.is_a?(Array) and chain.all?{|cert| cert.is_a?(String)})
-                    return SignatureError, "Invalid embedded certificate chain"
-                end
-
-                [ chain ].flatten.map! {|str| OpenSSL::X509::Certificate.new(str) }
-            end
-
-            def signature_offset #:nodoc:
-                indent, tab, eol = 1, "\t", $/
-                content = "#{no} #{generation} obj" + eol + TOKENS.first + eol
-
-                self.to_a.sort_by{ |key, _| key }.reverse_each do |key, value|
-                    if key == :Contents
-                        content << tab * indent + key.to_s + " "
-
-                        return content.size
-                    else
-                        content << tab * indent + key.to_s << " "
-                        content << (value.is_a?(Dictionary) ? value.to_s(indent: indent + 1) : value.to_s) << eol
-                    end
-                end
-
-                nil
-            end
+            return content.size
+          else
+            content << tab_value * indent_value + key.to_s << " "
+            content << (value.is_a?(Dictionary) ? value.to_s(indent: indent_value + 1) : value.to_s) << eol_value
+          end
         end
 
+        nil
+      end
+    end
+  end
+
+  module UsageRights
+    module Rights
+      DOCUMENT_FULLSAVE = %i[Document FullSave]
+      DOCUMENT_ALL = DOCUMENT_FULLSAVE
+
+      ANNOTS_CREATE = %i[Annots Create]
+      ANNOTS_DELETE = %i[Annots Delete]
+      ANNOTS_MODIFY = %i[Annots Modify]
+      ANNOTS_COPY = %i[Annots Copy]
+      ANNOTS_IMPORT = %i[Annots Import]
+      ANNOTS_EXPORT = %i[Annots Export]
+      ANNOTS_ONLINE = %i[Annots Online]
+      ANNOTS_SUMMARYVIEW = %i[Annots SummaryView]
+      ANNOTS_ALL = %i[Annots Create Modify Copy Import Export Online SummaryView]
+
+      FORM_FILLIN = %i[Form FillIn]
+      FORM_IMPORT = %i[Form Import]
+      FORM_EXPORT = %i[Form Export]
+      FORM_SUBMITSTANDALONE = %i[Form SubmitStandAlone]
+      FORM_SPAWNTEMPLATE = %i[Form SpawnTemplate]
+      FORM_BARCODEPLAINTEXT = %i[Form BarcodePlaintext]
+      FORM_ONLINE = %i[Form Online]
+      FORM_ALL = %i[Form FillIn Import Export SubmitStandAlone SpawnTemplate BarcodePlaintext Online]
+
+      FORMEX_BARCODEPLAINTEXT = %i[FormEx BarcodePlaintext]
+      FORMEX_ALL = FORMEX_BARCODEPLAINTEXT
+
+      SIGNATURE_MODIFY = %i[Signature Modify]
+      SIGNATURE_ALL = SIGNATURE_MODIFY
+
+      EF_CREATE = %i[EF Create]
+      EF_DELETE = %i[EF Delete]
+      EF_MODIFY = %i[EF Modify]
+      EF_IMPORT = %i[EF Import]
+      EF_ALL = %i[EF Create Delete Modify Import]
+
+      ALL = [DOCUMENT_ALL, ANNOTS_ALL, FORM_ALL, SIGNATURE_ALL, EF_ALL]
     end
 
-    module UsageRights
-
-        module Rights
-            DOCUMENT_FULLSAVE = %i[Document FullSave]
-            DOCUMENT_ALL = DOCUMENT_FULLSAVE
-
-            ANNOTS_CREATE = %i[Annots Create]
-            ANNOTS_DELETE = %i[Annots Delete]
-            ANNOTS_MODIFY = %i[Annots Modify]
-            ANNOTS_COPY = %i[Annots Copy]
-            ANNOTS_IMPORT = %i[Annots Import]
-            ANNOTS_EXPORT = %i[Annots Export]
-            ANNOTS_ONLINE = %i[Annots Online]
-            ANNOTS_SUMMARYVIEW = %i[Annots SummaryView]
-            ANNOTS_ALL = %i[Annots Create Modify Copy Import Export Online SummaryView]
-
-            FORM_FILLIN = %i[Form FillIn]
-            FORM_IMPORT = %i[Form Import]
-            FORM_EXPORT = %i[Form Export]
-            FORM_SUBMITSTANDALONE = %i[Form SubmitStandAlone]
-            FORM_SPAWNTEMPLATE = %i[Form SpawnTemplate]
-            FORM_BARCODEPLAINTEXT = %i[Form BarcodePlaintext]
-            FORM_ONLINE = %i[Form Online]
-            FORM_ALL = %i[Form FillIn Import Export SubmitStandAlone SpawnTemplate BarcodePlaintext Online]
-
-            FORMEX_BARCODEPLAINTEXT = %i[FormEx BarcodePlaintext]
-            FORMEX_ALL = FORMEX_BARCODEPLAINTEXT
-
-            SIGNATURE_MODIFY = %i[Signature Modify]
-            SIGNATURE_ALL = SIGNATURE_MODIFY
-
-            EF_CREATE = %i[EF Create]
-            EF_DELETE = %i[EF Delete]
-            EF_MODIFY = %i[EF Modify]
-            EF_IMPORT = %i[EF Import]
-            EF_ALL = %i[EF Create Delete Modify Import]
-
-            ALL = [ DOCUMENT_ALL, ANNOTS_ALL, FORM_ALL, SIGNATURE_ALL, EF_ALL ]
-        end
-
-        class TransformParams < Dictionary
-            include StandardObject
+    class TransformParams < Dictionary
+      include StandardObject
 
-            VERSION = Name.new("2.2")
+      VERSION = Name.new("2.2")
 
-            field   :Type,              :Type => Name, :Default => :TransformParams
-            field   :Document,          :Type => Array.of(Name)
-            field   :Msg,               :Type => String
-            field   :V,                 :Type => Name, :Default => VERSION
-            field   :Annots,            :Type => Array.of(Name)
-            field   :Form,              :Type => Array.of(Name)
-            field   :FormEx,            :Type => Array.of(Name)
-            field   :Signature,         :Type => Array.of(Name)
-            field   :EF,                :Type => Array.of(Name), :Version => "1.6"
-            field   :P,                 :Type => Boolean, :Default => false, :Version => "1.6"
+      field :Type, Type: Name, Default: :TransformParams
+      field :Document, Type: Array.of(Name)
+      field :Msg, Type: String
+      field :V, Type: Name, Default: VERSION
+      field :Annots, Type: Array.of(Name)
+      field :Form, Type: Array.of(Name)
+      field :FormEx, Type: Array.of(Name)
+      field :Signature, Type: Array.of(Name)
+      field :EF, Type: Array.of(Name), Version: "1.6"
+      field :P, Type: Boolean, Default: false, Version: "1.6"
 
-            def initialize(hash = {}, parser = nil)
-                set_indirect(false)
+      def initialize(hash = {}, parser = nil)
+        set_indirect(false)
 
-                super(hash, parser)
-            end
-        end
+        super
+      end
     end
-
+  end
 end