rubrik 0.2.1 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b9faab13628886a83554fb2dd75b71d7315701da037377bb70d7aba3e9769ffe
-  data.tar.gz: 90fbf56ed6afbd1ab7b54ad4290800ad079fd4b600eb4334f2974a248b2631c9
+  metadata.gz: a41daeeefd22b755dd4ae91177d7142e46eff64f5d1877a1c303f4885634f1a2
+  data.tar.gz: d205242211ab51a47a2ac8db5a89267bf90f2e2576450d60311e3de8a5b33d82
 SHA512:
-  metadata.gz: 3a83c73ca910d0ce84298c65d7f704ed93ccd3104bb44f1d70331b82bdcdecae1355fb2b5a0b8177a9954b3c39394153cbb521cf67ec4d4a677fc98684c90f5e
-  data.tar.gz: 0da9fd89c054a40db22642cfb4b390be64fb49c12b42f449d901c898b86bcd10d4f8e72892ecfc59618aca1678f115165209a41497315c3b2f1cde8d29882194
+  metadata.gz: 4e73a024012af2d658489a007a449ed05270c02ccbaf4fa9c49930827e98aeb4bc1ea71f70e1c923e7d5fafe17e334f27b5ae66a4e3f49959f34ea8e6836ec58
+  data.tar.gz: 23a4ca82df06a937feb613b5320351d44067c0a7db596ccc854486256609856f97361011be725cf987ede6fd7e6e9a2d4c7249ba8683ef010b5718e302fa0e8d

data/README.md

@@ -22,6 +22,7 @@ This gem is under development and may be subjected to breaking changes.
 
 ### PDF Features
 - [x] Modify PDFs with incremental updates (doesn't modify the documents, only append signature appearance)
+- [ ] Encryption Support
 - [ ] Signature appearance (stamp)
 - [ ] External (offline) signatures
 
@@ -52,14 +53,14 @@ input_pdf = File.open("example.pdf", "rb")
 output_pdf = File.open("signed_example.pdf", "wb+") # needs read permission
 
 # Load Certificate(s)
-certificate = File.open("example_cert.pem", "rb")
-private_key = OpenSSL::PKey::RSA.new(certificate, "")
-certificate.rewind
-public_key = OpenSSL::X509::Certificate.new(certificate)
-certificate.close
+certificate_file = File.open("example_cert.pem", "rb")
+private_key = OpenSSL::PKey::RSA.new(certificate_file, "")
+certificate_file.rewind
+certificate = OpenSSL::X509::Certificate.new(certificate_file)
+certificate_file.close
 
 # Will write the signed document to `output_pdf`
-Rubrik::Sign.call(input_pdf, output_pdf, private_key:, public_key:, certificate_chain: [])
+Rubrik::Sign.call(input_pdf, output_pdf, private_key:, certificate:, certificate_chain: [])
 
 # Don't forget to close the files
 input_pdf.close

data/lib/rubrik/document/increment.rb

@@ -46,11 +46,11 @@ module Rubrik
           io << "#{starting_id} #{length}\n"
 
           if starting_id.zero?
-            io << "0000000000 65535 f\n"
+            io << "#{format("%010d", document.first_free_object_id)} 65535 f \n"
             subsection.shift
           end
 
-          subsection.each { |entry| io << "#{format("%010d", entry[:offset])} 00000 n\n" }
+          subsection.each { |entry| io << "#{format("%010d", entry[:offset])} 00000 n \n" }
         end
 
         io << "trailer\n"

data/lib/rubrik/document.rb

@@ -17,19 +17,25 @@ module Rubrik
     sig {returns(PDF::Reader::ObjectHash)}
     attr_accessor :objects
 
+    sig {returns(Integer)}
+    attr_accessor :first_free_object_id
+
     sig {returns(T::Array[{id: PDF::Reader::Reference, value: T.untyped}])}
     attr_accessor :modified_objects
 
     sig {returns(Integer)}
     attr_accessor :last_object_id
 
-    private :io=, :objects=, :modified_objects=, :last_object_id=
+    private :io=, :objects=, :first_free_object_id=, :modified_objects=, :last_object_id=
 
     sig {params(input: T.any(File, Tempfile, StringIO)).void}
     def initialize(input)
       self.io = input
       self.objects = PDF::Reader::ObjectHash.new(input)
-      self.last_object_id = objects.size
+
+      self.last_object_id = objects.trailer[:Size] - 1
+      self.first_free_object_id = find_first_free_object_id
+
       self.modified_objects = []
 
       fetch_or_create_interactive_form!
@@ -70,10 +76,20 @@ module Rubrik
         }
       }
 
-      modified_page = objects.fetch(first_page_reference).dup
-      (modified_page[:Annots] ||= []) << signature_field_id
+      first_page = objects.fetch(first_page_reference)
+      annots = first_page[:Annots]
+
+      if annots.is_a?(PDF::Reader::Reference)
+        new_annots = objects.fetch(annots).dup
+        new_annots << signature_field_id
+
+        modified_objects << {id: annots, value: new_annots}
+      else
+        new_first_page = first_page.dup
+        (new_first_page[:Annots] ||= []) << signature_field_id
 
-      modified_objects << {id: first_page_reference, value: modified_page}
+        modified_objects << {id: first_page_reference, value: new_first_page}
+      end
 
       (interactive_form[:Fields] ||= []) << signature_field_id
 
@@ -87,6 +103,16 @@ module Rubrik
       T.must(modified_objects.first).fetch(:value)
     end
 
+    sig{returns(Integer)}
+    def find_first_free_object_id
+      return 0 if last_object_id == objects.size
+
+      xref = objects.send(:xref).instance_variable_get(:@xref)
+      missing_ids = (1..last_object_id).to_a - xref.keys
+
+      T.must(missing_ids.min)
+    end
+
     sig {void}
     def fetch_or_create_interactive_form!
       root_ref = objects.trailer[:Root]

data/lib/rubrik/fill_signature.rb

@@ -1,8 +1,6 @@
 # typed: true
 # frozen_string_literal: true
 
-require "openssl"
-
 module Rubrik
   module FillSignature
     extend T::Sig
@@ -13,13 +11,13 @@ module Rubrik
           io: T.any(File, StringIO, Tempfile),
           signature_value_ref: PDF::Reader::Reference,
           private_key: OpenSSL::PKey::RSA,
-          public_key: OpenSSL::X509::Certificate,
+          certificate: OpenSSL::X509::Certificate,
           certificate_chain: T::Array[OpenSSL::X509::Certificate])
         .void}
 
     FIRST_OFFSET = 0
 
-    def call(io, signature_value_ref:, private_key:, public_key:, certificate_chain: [])
+    def call(io, signature_value_ref:, private_key:, certificate:, certificate_chain: [])
       io.rewind
 
       signature_value_offset = PDF::Reader::XRef.new(io)[signature_value_ref]
@@ -55,8 +53,7 @@ module Rubrik
       io.pos = second_offset
       data_to_sign += T.must(io.read(second_length))
 
-      signature = OpenSSL::PKCS7.sign(public_key, private_key, data_to_sign, certificate_chain,
-                                      OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY).to_der
+      signature = PKCS7Signature.call(data_to_sign, private_key:, certificate:)
       hex_signature = T.let(signature, String).unpack1("H*")
 
       padded_contents_field = "<#{hex_signature.ljust(Document::SIGNATURE_SIZE, "0")}>"

data/lib/rubrik/pkcs7_signature.rb

@@ -0,0 +1,24 @@
+# typed: true
+# frozen_string_literal: true
+
+require "openssl"
+
+module Rubrik
+  module PKCS7Signature
+    extend T::Sig
+    extend self
+
+    OPEN_SSL_FLAGS = OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY
+
+    sig {params(
+        data: String,
+        private_key: OpenSSL::PKey::RSA,
+        certificate: OpenSSL::X509::Certificate,
+        certificate_chain: T::Array[OpenSSL::X509::Certificate]
+      ).returns(String)
+    }
+    def call(data, private_key:, certificate:, certificate_chain: [])
+      OpenSSL::PKCS7.sign(certificate, private_key, data, certificate_chain, OPEN_SSL_FLAGS).to_der
+    end
+  end
+end

data/lib/rubrik/sign.rb

@@ -9,10 +9,10 @@ module Rubrik
            input: T.any(File, Tempfile, StringIO),
            output: T.any(File, Tempfile, StringIO),
            private_key: OpenSSL::PKey::RSA,
-           public_key: OpenSSL::X509::Certificate,
+           certificate: OpenSSL::X509::Certificate,
            certificate_chain: T::Array[OpenSSL::X509::Certificate])
          .void}
-    def self.call(input, output, private_key:, public_key:, certificate_chain: [])
+    def self.call(input, output, private_key:, certificate:, certificate_chain: [])
       input.binmode
       output.reopen(T.unsafe(output), "wb+") if !output.is_a?(StringIO)
 
@@ -22,7 +22,7 @@ module Rubrik
 
       Document::Increment.call(document, io: output)
 
-      FillSignature.call(output, signature_value_ref:, private_key:, public_key:, certificate_chain:)
+      FillSignature.call(output, signature_value_ref:, private_key:, certificate:, certificate_chain:)
     end
   end
 end

data/lib/rubrik/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Rubrik
-  VERSION = "0.2.1"
+  VERSION = "1.0.1"
 end

data/lib/rubrik.rb

@@ -12,4 +12,5 @@ require_relative "rubrik/document"
 require_relative "rubrik/document/increment"
 require_relative "rubrik/document/serialize_object"
 require_relative "rubrik/fill_signature"
+require_relative "rubrik/pkcs7_signature"
 require_relative "rubrik/sign"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubrik
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 1.0.1
 platform: ruby
 authors:
 - Tomás Coêlho
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-10-20 00:00:00.000000000 Z
+date: 2023-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pdf-reader
@@ -66,6 +66,7 @@ files:
 - lib/rubrik/document/increment.rb
 - lib/rubrik/document/serialize_object.rb
 - lib/rubrik/fill_signature.rb
+- lib/rubrik/pkcs7_signature.rb
 - lib/rubrik/sign.rb
 - lib/rubrik/version.rb
 homepage: https://github.com/tomascco/rubrik