origami-docspring 2.3.1 → 2.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f96c9c3796b9fcb1d5c078aea87af6756f11770b596fa10eb04d50a993ceecee
-  data.tar.gz: 1966d4921273de9c9bbc7d4818ca82fd06ad945ffc3d38058c6e6b99d89e4fcf
+  metadata.gz: e2404e2f61e089ef30323cb132ac9af123f99124c28505a25b148d0d59d0d49a
+  data.tar.gz: 89f0eb165da4b1d762ca102fc52d74681346026e6093067705725346e9df18f4
 SHA512:
-  metadata.gz: 413cc0bf7fcdd3801ef34336eac5a4bdbbcb67e7320efe8fdde08ba730e4705d8f9c5a78b54e5a5cc059fc38d4bcbdccf2c3ff013236649e66eca57366433fa7
-  data.tar.gz: d4722708378130d9e62dc58e013454c6e5697e701d369d94d4ece4981ce937cf95ba98ad3bf6f3bb2d89d3c641d4edeb4d8268b2306fa28b535858d3e874d549
+  metadata.gz: 8352a4ee288b72d720734c817ed2fe7c31a99cbaf383c50e3545bf4585d02d15f8c4d5b47a69cc8017c73a7f6a20696ad8d5ea9a59373bcdffb89bbdd76ade7b
+  data.tar.gz: 8c17549cef4f4a533541a2b266b6df73e8a142b1fb50e2f10fe2850a955ddf840d787bdb643dfa5f720bf70e61e43f2c34dd2574b153195af5b9079ca6fae79e

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+2.3.2 (2025-03-25)
+-----
+* Added support for verifying multiple signatures in PDFs
+* Only validate ByteRange for the last signature in multi-signature files
+* Added new `signatures` method to get all signatures in a PDF
+
+2.3.1 (2025-03-25)
+-----
+* Loosened runtime dependencies, removed specific version constraints
+
 2.3.0 (2025-03-25)
 -----
 * Updated to support Ruby 3.2, 3.3, and 3.4

data/README.md

@@ -1,8 +1,11 @@
 Origami
 =====
-[![Gem Version](https://badge.fury.io/rb/origami.svg)](https://rubygems.org/gems/origami)
-[![Downloads](https://img.shields.io/gem/dt/origami.svg)](https://rubygems.org/gems/origami)
-[![Build Status](https://secure.travis-ci.org/gdelugre/origami.svg?branch=master)](https://travis-ci.org/gdelugre/origami)
+
+> **Note**: This is a maintained fork of the original Origami library, released as the gem [origami-docspring](https://rubygems.org/gems/origami-docspring) on RubyGems. Despite the name change, you still `require 'origami'` and use the `Origami` module in your code.
+
+[![Gem Version](https://badge.fury.io/rb/origami-docspring.svg)](https://rubygems.org/gems/origami-docspring)
+[![Build Status](https://github.com/DocSpring/origami-docspring/actions/workflows/ci.yml/badge.svg)](https://github.com/DocSpring/origami-docspring/actions/workflows/ci.yml)
+[![Downloads](https://img.shields.io/gem/dt/origami-docspring.svg)](https://rubygems.org/gems/origami-docspring)
 [![License: LGPL v3](https://img.shields.io/badge/License-LGPL%20v3-blue.svg)](https://www.gnu.org/licenses/lgpl-3.0)
 
 Overview
@@ -27,7 +30,7 @@ Origami is able to parse PDF, FDF and PPKLite (Adobe certificate store) files.
 Requirements
 ------------
 
-As of version 2, the minimal version required to run Origami is Ruby 2.1.
+As of version 2.3.0, the minimal version required to run origami-docspring is Ruby 3.2.
 
 Some optional features require additional gems:
 
@@ -36,9 +39,9 @@ Some optional features require additional gems:
 Quick start
 -----------
 
-First install Origami using the latest gem available:
+First install the gem:
 
-    $ gem install origami
+    $ gem install origami-docspring
 
 Then import Origami with:
 
@@ -109,6 +112,7 @@ License
 Origami is distributed under the [LGPL](COPYING.LESSER) license.
 
 Copyright © 2019 Guillaume Delugré.
+Copyright © 2025 DocSpring, Inc.
 
 [the-ruby-racer]: https://rubygems.org/gems/therubyracer
 [pdfwalker-gem]: https://rubygems.org/gems/pdfwalker

data/lib/origami/signature.rb

@@ -38,31 +38,34 @@ module Origami
       use_system_store: false,
       allow_self_signed: false,
       &verify_cb)
-      digsig = signature
-      digsig = digsig.cast_to(Signature::DigitalSignature) unless digsig.is_a?(Signature::DigitalSignature)
+      signatures.each_with_index do |digsig, index|
+        digsig = digsig.cast_to(Signature::DigitalSignature) unless digsig.is_a?(Signature::DigitalSignature)
 
-      signature = digsig.signature_data
-      chain = digsig.certificate_chain
-      subfilter = digsig.SubFilter.value
+        signature = digsig.signature_data
+        chain = digsig.certificate_chain
+        subfilter = digsig.SubFilter.value
 
-      store = OpenSSL::X509::Store.new
-      store.set_default_paths if use_system_store
-      trusted_certs.each { |ca| store.add_cert(ca) }
+        store = OpenSSL::X509::Store.new
+        store.set_default_paths if use_system_store
+        trusted_certs.each { |ca| store.add_cert(ca) }
 
-      store.verify_callback = ->(success, ctx) {
-        return true if success
+        store.verify_callback = ->(success, ctx) {
+          return true if success
 
-        error = ctx.error
-        is_self_signed = error == OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
-          error == OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+          error = ctx.error
+          is_self_signed = error == OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+            error == OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN
 
-        return true if is_self_signed && allow_self_signed && verify_cb.nil?
+          return true if is_self_signed && allow_self_signed && verify_cb.nil?
 
-        verify_cb.call(ctx) unless verify_cb.nil?
-      }
+          verify_cb.call(ctx) unless verify_cb.nil?
+        }
 
-      data = extract_signed_data(digsig)
-      Signature.verify(subfilter.to_s, data, signature, store, chain)
+        data = (index == signatures.length - 1) ? extract_signed_data(digsig, last_sig: true) : extract_signed_data(digsig)
+        return false unless Signature.verify(subfilter.to_s, data, signature, store, chain)
+      end
+
+      true
     end
 
     #
@@ -300,28 +303,44 @@ module Origami
       raise SignatureError, "Cannot find digital signature"
     end
 
+    def signatures
+      raise SignatureError, "Not a signed document" unless signed?
+
+      dig_sigs = []
+      each_field do |field|
+        dig_sigs << field.V if field.FT == :Sig && field.V.is_a?(Dictionary)
+      end
+
+      return dig_sigs if dig_sigs.count > 0
+      raise SignatureError, "Cannot find digital signature"
+    end
+
     private
 
     #
     # Verifies the ByteRange field of a digital signature and returned the signed data.
+    # Only check for valid ByteRange when it is the last signature
     #
-    def extract_signed_data(digsig)
+    def extract_signed_data(digsig, last_sig: false)
       # Computes the boundaries of the Contents field.
-      start_sig = digsig[:Contents].file_offset
+      r1, r2 = digsig.ranges
 
-      stream = StringScanner.new(original_data)
-      stream.pos = digsig[:Contents].file_offset
-      Object.typeof(stream).parse(stream)
-      end_sig = stream.pos
-      stream.terminate
+      if last_sig
+        start_sig = digsig[:Contents].file_offset
 
-      r1, r2 = digsig.ranges
-      if (r1.begin != 0) ||
-          (r2.end != original_data.size) ||
-          (r1.end != start_sig) ||
-          (r2.begin != end_sig)
+        stream = StringScanner.new(original_data)
+        stream.pos = digsig[:Contents].file_offset
+        Object.typeof(stream).parse(stream)
+        end_sig = stream.pos
+        stream.terminate
+
+        if (r1.begin != 0) ||
+            (r2.end != original_data.size) ||
+            (r1.end != start_sig) ||
+            (r2.begin != end_sig)
 
-        raise SignatureError, "Invalid signature byte range"
+          raise SignatureError, "Invalid signature byte range"
+        end
       end
 
       original_data[r1] + original_data[r2]

data/lib/origami/version.rb

@@ -19,5 +19,5 @@
 #
 
 module Origami
-  VERSION = "2.3.1"
+  VERSION = "2.3.2"
 end

data/test/test_pdf_sign.rb

@@ -3,8 +3,11 @@
 require 'minitest/autorun'
 require 'stringio'
 require 'openssl'
+require 'origami'
 
 class TestSign < Minitest::Test
+  include Origami
+
   def create_self_signed_ca_certificate(key_size, expires)
     key = OpenSSL::PKey::RSA.new key_size
 
@@ -55,13 +58,7 @@ class TestSign < Minitest::Test
   def sign_document_with_method(method)
     document, annotation = setup_document_with_annotation
 
-    document.sign(@cert, @key,
-      method: method,
-      annotation: annotation,
-      issuer: "Guillaume Delugré",
-      location: "France",
-      contact: "origami@localhost",
-      reason: "Example")
+    sign_document(annotation, document, method)
 
     assert document.frozen?
     assert document.signed?
@@ -83,6 +80,27 @@ class TestSign < Minitest::Test
     assert result
   end
 
+  def sign_document_twice_with_method(method)
+    document, annotation = setup_document_with_annotation
+
+    2.times do
+      sign_document(annotation, document, method)
+    end
+
+    assert document.frozen?
+    assert document.signed?
+
+    output = StringIO.new
+    document.save(output)
+
+    document = PDF.read(output.reopen(output.string, 'r'), verbosity: Parser::VERBOSE_QUIET)
+
+    refute document.verify
+    assert document.verify(allow_self_signed: true)
+    assert document.verify(trusted_certs: [@cert])
+    refute document.verify(trusted_certs: [@other_cert])
+  end
+
   def test_sign_pkcs7_sha1
     sign_document_with_method(Signature::PKCS7_SHA1)
   end
@@ -94,4 +112,28 @@ class TestSign < Minitest::Test
   def test_sign_x509_sha1
     sign_document_with_method(Signature::PKCS1_RSA_SHA1)
   end
+
+  def test_sign_pkcs7_sha1_twice
+    sign_document_twice_with_method(Signature::PKCS7_SHA1)
+  end
+
+  def test_sign_pkcs7_detached_twice
+    sign_document_twice_with_method(Signature::PKCS7_DETACHED)
+  end
+
+  def test_sign_x509_sha1_twice
+    sign_document_twice_with_method(Signature::PKCS1_RSA_SHA1)
+  end
+
+  private
+
+  def sign_document(annotation, document, method)
+    document.sign(@cert, @key,
+      method: method,
+      annotation: annotation,
+      issuer: "Guillaume Delugré",
+      location: "France",
+      contact: "origami@localhost",
+      reason: "Example")
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: origami-docspring
 version: !ruby/object:Gem::Version
-  version: 2.3.1
+  version: 2.3.2
 platform: ruby
 authors:
 - Guillaume Delugré