origami 1.2.1 → 1.2.2

data/{origami → lib/origami}/parsers/fdf.rb

@@ -20,11 +20,10 @@
 =end
 
 require 'origami/parser'
-require 'origami/adobe/fdf'
 
 module Origami
 
-  class Adobe::FDF
+  class FDF
     class Parser < Origami::Parser
       def parse(stream) #:nodoc:
         super
@@ -33,11 +32,15 @@ module Origami
         fdf.header = Adobe::FDF::Header.parse(stream)
         @options[:callback].call(fdf.header)
         
-        parse_objects(fdf)
-        parse_xreftable(fdf)
-        parse_trailer(fdf)
+        loop do 
+          break if (object = parse_object).nil?
+          fdf << object
+        end
+        
+        fdf.revisions.first.xreftable = parse_xreftable
+        fdf.revisions.first.trailer = parse_trailer
 
-        addrbk
+        fdf
       end
     end
   end

data/{origami/parsers/pdf/linear.rb → lib/origami/parsers/pdf.rb}

@@ -1,10 +1,14 @@
 =begin
 
 = File
-	parsers/linear.rb
+	parsers/pdf.rb
 
 = Info
-	Origami is free software: you can redistribute it and/or modify
+	This file is part of Origami, PDF manipulation framework for Ruby
+	Copyright (C) 2010	Guillaume Delugré <guillaume@security-labs.org>
+	All right reserved.
+	
+  Origami is free software: you can redistribute it and/or modify
   it under the terms of the GNU Lesser General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.
@@ -19,21 +23,29 @@
 
 =end
 
-
 require 'origami/parser'
-require 'origami/pdf'
 
 module Origami
-
+  
   class PDF
+    class Parser < Origami::Parser
+      def initialize(params = {})
+        options =
+        {
+          :password => '',            # Default password being tried when opening a protected document.
+          :prompt_password => Proc.new { 
+            print "Password: "
+            gets.chomp 
+          },                          # Callback procedure to prompt password when document is encrypted.
+          :force => false             # Force PDF header detection
+        }.update(params)
+
+        super(options)
+      end
 
-    #
-    # Create a new PDF linear Parser.
-    #
-    class LinearParser < Origami::Parser
-      def parse(stream)
-        super
-        
+      private
+
+      def parse_initialize #:nodoc:
         if @options[:force] == true
           @data.skip_until(/%PDF-/).nil?
           @data.pos = @data.pos - 5
@@ -52,34 +64,11 @@ module Origami
             raise e
           end
         end
-        
-        #
-        # Parse each revision
-        #
-        revision = 0
-        until @data.eos? do
-          
-          begin
-            
-            pdf.add_new_revision unless revision.zero?
-            revision = revision.succ
-            
-            info "...Parsing revision #{pdf.revisions.size}..."
-            parse_objects(pdf)
-            parse_xreftable(pdf)
-            parse_trailer(pdf)
-            
-          rescue SystemExit
-            raise
-          rescue Exception => e
-            error "Cannot read : " + (@data.peek(10) + "...").inspect
-            error "Stopped on exception : " + e.message
-            
-            break
-          end
-          
-        end
 
+        pdf
+      end
+
+      def parse_finalize(pdf) #:nodoc:
         warn "This file has been linearized." if pdf.is_linearized?
 
         #
@@ -109,5 +98,8 @@ module Origami
       end
     end
   end
+
 end
 
+require 'origami/parsers/pdf/linear'
+

data/lib/origami/parsers/pdf/linear.rb

@@ -0,0 +1,84 @@
+=begin
+
+= File
+	parsers/linear.rb
+
+= Info
+	Origami is free software: you can redistribute it and/or modify
+  it under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation, either version 3 of the License, or
+  (at your option) any later version.
+
+  Origami is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with Origami.  If not, see <http://www.gnu.org/licenses/>.
+
+=end
+
+
+require 'origami/parser'
+require 'origami/pdf'
+
+module Origami
+
+  class PDF
+
+    #
+    # Create a new PDF linear Parser.
+    #
+    class LinearParser < Parser
+      def parse(stream)
+        super
+        
+        pdf = parse_initialize
+
+        #
+        # Parse each revision
+        #
+        revision = 0
+        until @data.eos? do
+          
+          begin
+            pdf.add_new_revision unless revision.zero?
+            revision = revision + 1
+            
+            info "...Parsing revision #{pdf.revisions.size}..."
+            loop do
+              break if (object = parse_object).nil?
+              pdf.insert(object)
+            end
+            
+            pdf.revisions.last.xreftable = parse_xreftable
+           
+            trailer = parse_trailer
+            pdf.revisions.last.trailer = trailer
+
+            xrefstm = pdf.get_object_by_offset(trailer.startxref) || 
+              (pdf.get_object_by_offset(trailer.XRefStm) if trailer.has_field? :XRefStm)
+
+            if not xrefstm.nil?
+              debug "Found a XRefStream for this revision at #{xrefstm.reference}"
+              pdf.revisions.last.xrefstm = xrefstm
+            end
+
+          rescue SystemExit
+            raise
+          rescue Exception => e
+            error "Cannot read : " + (@data.peek(10) + "...").inspect
+            error "Stopped on exception : " + e.message
+            
+            break
+          end
+          
+        end
+
+        parse_finalize(pdf)
+      end
+    end
+  end
+end
+

data/lib/origami/parsers/ppklite.rb

@@ -0,0 +1,93 @@
+=begin
+
+= File
+	parsers/ppklite.rb
+
+= Info
+	Origami is free software: you can redistribute it and/or modify
+  it under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation, either version 3 of the License, or
+  (at your option) any later version.
+
+  Origami is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with Origami.  If not, see <http://www.gnu.org/licenses/>.
+
+=end
+
+require 'origami/parser'
+
+module Origami
+
+  module Adobe
+
+    class PPKLite
+
+      class Parser < Origami::Parser
+        def parse(stream) #:nodoc:
+          super
+
+          addrbk = Adobe::PPKLite.new
+          addrbk.header = Adobe::PPKLite::Header.parse(stream)
+          @options[:callback].call(addrbk.header)
+          
+          loop do
+            break if (object = parse_object).nil?
+            addrbk << object
+          end
+
+          addrbk.revisions.first.xreftable = parse_xreftable
+          addrbm.revisions.first.trailer = parse_trailer
+          book_specialize_entries(addrbk)
+
+          addrbk
+        end
+        
+        def book_specialize_entries(addrbk) #:nodoc:
+          addrbk.revisions.first.body.each_pair do |ref, obj|
+            
+            if obj.is_a?(Dictionary)
+              
+              if obj[:Type] == :Catalog
+                
+                o = Adobe::PPKLite::Catalog.new(obj)
+                o.generation, o.no, o.file_offset = obj.generation, obj.no, obj.file_offset
+                
+                if o.PPK.is_a?(Dictionary) and o.PPK[:Type] == :PPK
+                  o.PPK = Adobe::PPKLite::PPK.new(o.PPK)
+                  
+                  if o.PPK.User.is_a?(Dictionary) and o.PPK.User[:Type] == :User
+                    o.PPK.User = Adobe::PPKLite::UserList.new(o.PPK.User)
+                  end
+                  
+                  if o.PPK.AddressBook.is_a?(Dictionary) and o.PPK.AddressBook[:Type] == :AddressBook
+                    o.PPK.AddressBook = Adobe::PPKLite::AddressList.new(o.PPK.AddressBook)
+                  end
+                end
+                
+                addrbk.revisions.first.body[ref] = o
+                
+              elsif obj[:ABEType] == Adobe::PPKLite::Descriptor::USER
+                o = Adobe::PPKLite::User.new(obj)
+                o.generation, o.no, o.file_offset = obj.generation, obj.no, obj.file_offset
+                
+                addrbk.revisions.first.body[ref] = o
+              elsif obj[:ABEType] == Adobe::PPKLite::Descriptor::CERTIFICATE
+                o = Adobe::PPKLite::Certificate.new(obj)
+                o.generation, o.no, o.file_offset = obj.generation, obj.no, obj.file_offset
+                
+                addrbk.revisions.first.body[ref] = o
+              end
+
+            end
+          end
+        end
+      end
+    end
+  end
+end
+

data/{origami → lib/origami}/pdf.rb

@@ -57,10 +57,12 @@ require 'origami/xfa'
 require 'origami/javascript'
 require 'origami/outputintents'
 
+require 'origami/parsers/pdf'
+
 module Origami
 
-  VERSION   = "1.2.1"
-  REVISION  = "$Revision: rev 130/, 2011/10/05 12:33:53 darko $" #:nodoc:
+  VERSION   = "1.2.2"
+  REVISION  = "$Revision: rev 135/, 2011/10/17 11:59:41 $" #:nodoc:
   
   #
   # Global options for Origami.
@@ -181,7 +183,7 @@ module Origami
       #
       # Reads and parses a PDF file from disk.
       #
-      def read(filename, options = {:verbosity => Parser::VERBOSE_INSANE})
+      def read(filename, options = {})
         filename = File.expand_path(filename) if filename.is_a?(::String)
         PDF::LinearParser.new(options).parse(filename)
       end
@@ -293,6 +295,7 @@ module Origami
       if path.respond_to?(:write)
         fd = path
       else
+        path = File.expand_path(path)
         fd = File.open(path, 'w').binmode
       end
       

data/{origami → lib/origami}/signature.rb

@@ -19,9 +19,71 @@
 
 =end
 
+require 'openssl'
+require 'digest/sha1'
+
 module Origami
 
   class PDF
+
+    class SignatureError < Exception #:nodoc:
+    end
+
+    #
+    # Verify a document signature.
+    #   Options:
+    #     _:trusted_: an array of trusted X509 certificates.
+    #   If no argument is passed, embedded certificates are treated as trusted.
+    #
+    def verify(options = {})
+      params =
+      {
+        :trusted => []
+      }.update(options)
+
+      digsig = self.signature
+
+      unless digsig[:Contents].is_a?(String)
+        raise SignatureError, "Invalid digital signature contents"
+      end
+
+      store = OpenSSL::X509::Store.new
+      params[:trusted].each do |ca| store.add_cert(ca) end
+      flags = 0
+      flags |= OpenSSL::PKCS7::NOVERIFY if params[:trusted].empty?
+
+      stream = StringScanner.new(self.original_data)
+      stream.pos = digsig[:Contents].file_offset
+      Object.typeof(stream).parse(stream)
+      endofsig_offset = stream.pos
+      stream.terminate
+
+      s1,l1,s2,l2 = digsig.ByteRange
+      if s1.value != 0 or 
+        (s2.value + l2.value) != self.original_data.size or
+        (s1.value + l1.value) != digsig[:Contents].file_offset or
+        s2.value != endofsig_offset
+
+        raise SignatureError, "Invalid signature byte range"
+      end
+
+      data = self.original_data[s1,l1] + self.original_data[s2,l2]
+      
+      case digsig.SubFilter.value.to_s 
+        when 'adbe.pkcs7.detached'
+          flags |= OpenSSL::PKCS7::DETACHED 
+          p7 = OpenSSL::PKCS7.new(digsig[:Contents].value)
+          raise SignatureError, "Not a PKCS7 detached signature" unless p7.detached?
+          p7.verify([], store, data, flags)
+
+        when 'adbe.pkcs7.sha1'          
+          p7 = OpenSSL::PKCS7.new(digsig[:Contents].value)
+          p7.verify([], store, nil, flags) and p7.data == Digest::SHA1.digest(data)
+          
+      else
+        raise NotImplementedError, "Unsupported method #{digsig.SubFilter}"
+      end
+    end
     
     #
     # Sign the document with the given key and x509 certificate.
@@ -29,11 +91,21 @@ module Origami
     # _key_:: The private key associated with the certificate.
     # _ca_:: Optional CA certificates used to sign the user certificate.
     #
-    def sign(certificate, key, ca = [], annotation = nil, location = nil, contact = nil, reason = nil)
+    def sign(certificate, key, options = {})
       
       unless Origami::OPTIONS[:use_openssl]
         fail "OpenSSL is not present or has been disabled."
       end
+
+      params =
+      {
+        :method => "adbe.pkcs7.detached",
+        :ca => [],
+        :annotation => nil,
+        :location => nil,
+        :contact => nil,
+        :reason => nil
+      }.update(options)
       
       unless certificate.is_a?(OpenSSL::X509::Certificate)
         raise TypeError, "A OpenSSL::X509::Certificate object must be passed."
@@ -43,19 +115,53 @@ module Origami
         raise TypeError, "A OpenSSL::PKey::RSA object must be passed."
       end
       
+      ca = params[:ca]
       unless ca.is_a?(::Array)
         raise TypeError, "Expected an Array of CA certificate."
       end
       
+      annotation = params[:annotation]
       unless annotation.nil? or annotation.is_a?(Annotation::Widget::Signature)
         raise TypeError, "Expected a Annotation::Widget::Signature object."
       end
-      
-      def signfield_size(certificate, key, ca = []) #;nodoc:
-        datatest = "abcdefghijklmnopqrstuvwxyz"
-        OpenSSL::PKCS7.sign(certificate, key, datatest, ca, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY).to_der.size + 128
+
+      case params[:method]
+        when 'adbe.pkcs7.detached'
+          signfield_size = lambda{|crt,key,ca|
+            datatest = "abcdefghijklmnopqrstuvwxyz"
+            OpenSSL::PKCS7.sign(
+              crt, 
+              key, 
+              datatest, 
+              ca, 
+              OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY
+            ).to_der.size + 128
+          }
+        when 'adbe.pkcs7.sha1'
+          signfield_size = lambda{|crt,key,ca|
+            datatest = "abcdefghijklmnopqrstuvwxyz"
+            OpenSSL::PKCS7.sign(
+              crt, 
+              key, 
+              Digest::SHA1.digest(datatest), 
+              ca, 
+              OpenSSL::PKCS7::BINARY
+            ).to_der.size + 128
+          }
+
+        when 'adbe.x509.rsa_sha1'
+          signfield_size = lambda{|crt,key,ca|
+            datatest = "abcdefghijklmnopqrstuvwxyz"
+            key.private_encrypt(
+              Digest::SHA1.digest(datatest)
+            ).size + 128
+          }
+          raise NotImplementedError, "Unsupported method #{params[:method].inspect}"
+          
+      else
+        raise NotImplementedError, "Unsupported method #{params[:method].inspect}"
       end
-      
+
       digsig = Signature::DigitalSignature.new.set_indirect(true)
      
       if annotation.nil?
@@ -63,20 +169,30 @@ module Origami
         annotation.Rect = Rectangle[:llx => 0.0, :lly => 0.0, :urx => 0.0, :ury => 0.0]        
       end
       
-      annotation.V = digsig ;
+      annotation.V = digsig
       add_fields(annotation)
-      self.Catalog.AcroForm.SigFlags = InteractiveForm::SigFlags::SIGNATURESEXIST | InteractiveForm::SigFlags::APPENDONLY
+      self.Catalog.AcroForm.SigFlags = 
+        InteractiveForm::SigFlags::SIGNATURESEXIST | InteractiveForm::SigFlags::APPENDONLY
       
       digsig.Type = :Sig #:nodoc:
-      digsig.Contents = HexaString.new("\x00" * signfield_size(certificate, key, ca)) #:nodoc:
+      digsig.Contents = HexaString.new("\x00" * signfield_size[certificate, key, ca]) #:nodoc:
       digsig.Filter = Name.new("Adobe.PPKMS") #:nodoc:
-      digsig.SubFilter = Name.new("adbe.pkcs7.detached") #:nodoc:
+      digsig.SubFilter = Name.new(params[:method]) #:nodoc:
       digsig.ByteRange = [0, 0, 0, 0] #:nodoc:
       
-      digsig.Location = HexaString.new(location) if location
-      digsig.ContactInfo = HexaString.new(contact) if contact
-      digsig.Reason = HexaString.new(reason) if reason
+      digsig.Location = HexaString.new(params[:location]) if params[:location]
+      digsig.ContactInfo = HexaString.new(params[:contact]) if params[:contact]
+      digsig.Reason = HexaString.new(params[:reason]) if params[:reason]
       
+      if params[:method] == 'adbe.x509.rsa_sha1'
+        digsig.Cert =
+          if ca.empty?
+            HexaString.new(certificate.to_der)
+          else
+            [ HexaString.new(certificate.to_der) ] + ca.map{ |crt| HexaString.new(crt.to_der) }
+          end
+      end
+
       #
       #  Flattening the PDF to get file view.
       #
@@ -105,7 +221,30 @@ module Origami
       filedata = self.to_bin
       signable_data = filedata[digsig.ByteRange[0],digsig.ByteRange[1]] + filedata[digsig.ByteRange[2],digsig.ByteRange[3]]
       
-      signature = OpenSSL::PKCS7.sign(certificate, key, signable_data, ca, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY).to_der
+      signature = 
+        case params[:method]
+          when 'adbe.pkcs7.detached'
+            OpenSSL::PKCS7.sign(
+              certificate, 
+              key, 
+              signable_data, 
+              ca, 
+              OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY
+            ).to_der
+
+          when 'adbe.pkcs7.sha1'
+            OpenSSL::PKCS7.sign(
+              certificate,
+              key,
+              Digest::SHA1.digest(signable_data),
+              ca,
+              OpenSSL::PKCS7::BINARY
+            ).to_der
+
+          when 'adbe.x509.rsa_sha1'
+            key.private_encrypt(Digest::SHA1.digest(signable_data))
+        end
+
       digsig.Contents[0, signature.size] = signature
       
       #
@@ -120,7 +259,7 @@ module Origami
     def is_signed?
       not self.Catalog.AcroForm.nil? and 
       self.Catalog.AcroForm.has_key?(:SigFlags) and 
-      (self.Catalog.AcroForm[:SigFlags].solve & InteractiveForm::SigFlags::SIGNATURESEXIST != 0)
+      (self.Catalog.AcroForm.SigFlags & InteractiveForm::SigFlags::SIGNATURESEXIST != 0)
     end
     
     #
@@ -129,10 +268,10 @@ module Origami
     #
     def enable_usage_rights(cert, pkey, *rights)
       
-      def signfield_size(certificate, key, ca = []) #:nodoc:
+      signfield_size = lambda{|crt, key, ca|
         datatest = "abcdefghijklmnopqrstuvwxyz"
-        OpenSSL::PKCS7.sign(certificate, key, datatest, ca, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY).to_der.size + 128
-      end
+        OpenSSL::PKCS7.sign(crt, key, datatest, ca, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY).to_der.size + 128
+      }
       
       unless Origami::OPTIONS[:use_openssl]
         fail "OpenSSL is not present or has been disabled."
@@ -153,7 +292,7 @@ module Origami
       #self.Catalog.AcroForm.SigFlags = InteractiveForm::SigFlags::APPENDONLY
       
       digsig.Type = :Sig #:nodoc:
-      digsig.Contents = HexaString.new("\x00" * signfield_size(certificate, key, [])) #:nodoc:
+      digsig.Contents = HexaString.new("\x00" * signfield_size[certificate, key, []]) #:nodoc:
       digsig.Filter = Name.new("Adobe.PPKLite") #:nodoc:
       digsig.Name = "ARE Acrobat Product v8.0 P23 0002337" #:nodoc:
       digsig.SubFilter = Name.new("adbe.pkcs7.detached") #:nodoc:
@@ -221,6 +360,18 @@ module Origami
       not self.Catalog.Perms.nil? and (not self.Catalog.Perms.has_key?(:UR3) or not self.Catalog.Perms.has_key?(:UR))
     end
 
+    def signature
+      raise SignatureError, "Not a signed document" unless self.is_signed?
+
+      self.each_field do |field|
+        if field.FT == :Sig and field.V.is_a?(Dictionary)
+          return field.V
+        end
+      end
+
+      raise SignatureError, "Cannot find digital signature"
+    end
+
   end
   
   class Perms < Dictionary