rubrik 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 81d2c2fdaaf16157493e2d51d65e7b96695b6c3392456903f312e3809745405c
+  data.tar.gz: dc1d3640cca46b468417fc15065c621ccc4187f74687fba7431eabac3088a00a
+SHA512:
+  metadata.gz: cfa4044ac36e578939f5759b98a1e3f4ff87794dc66f7613f204097f27b0b7640d41353f728c5e5273ae6994310a6175a5df99c7a3685566342df359ae272d8f
+  data.tar.gz: 917ed93c196bb299da3e726fe09b4e534c8c333471a16a8c3ef672cc3dc2ef91971c6649c4770360df99e4f70c8a0037e563b7510a29b67f1f4764fa10d8d7c5

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 Tomás Coêlho
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,76 @@
+# Rubrik
+
+Rubrik is a complete and simple digital signature library that implements the PAdES standard (PDF Advanced Electronic
+Signatures) in pure Ruby. It conforms with PKCS#7 and **will be** compatible with Brazil's AD-RB, AD-RT and EU's B-B
+and B-T profiles.
+
+## Implementation Status
+
+This gem is under development and may be subjected to breaking changes.
+
+### PDF Features
+- [x] Modify PDFs with incremental updates (doesn't modify the documents, only append signature appearence)
+- []  Signature appearence (stamp)
+- []  External (offline) signatures
+
+### Signature Profiles
+- [x] CMS (PKCS#7)
+- []  PAdES B-B (conforms with PAdES-E-BES)
+- []  PAdES B-T (conforms with PAdES-E-BES)
+- []  PAdES AD-RB
+- []  PAdES AD-RT
+
+## Installation
+
+Install the gem and add to the application's Gemfile by executing:
+
+    $ bundle add rubrik
+
+If bundler is not being used to manage dependencies, install the gem by executing:
+
+    $ gem install rubrik
+
+## Usage
+
+With the gem loaded, run the following to sign an document:
+
+```ruby
+# The input and output can be of types `File`, `Tempfile` or `StringIO`.
+input_pdf = File.open("example.pdf", "rb")
+output_pdf = File.open("signed_example.pdf", "wb")
+
+# Load Certificate(s)
+certificate = File.open("example_cert.pem", "rb")
+private_key = OpenSSL::PKey::RSA.new(certificate, "")
+certificate.rewind
+public_key = OpenSSL::X509::Certificate.new(certificate)
+certificate.close
+
+# Will write the signed document to `output_pdf`
+Rubrik::Sign.call(input_pdf, output_pdf, private_key:, public_key:, certificate_chain: [])
+
+# Don't forget to close the files
+input_pdf.close
+output_pdf.close
+```
+Multiple signatures on a single document can be achieved by calling `Rubrik::Sign` repeatedly using the last signature
+output as input for the next signature. A better API for this use case may be developed.
+
+
+## Development
+
+After checking out the repo, run `bundle install` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/tomascco/rubrik. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/tomascco/rubrik/blob/main/CODE_OF_CONDUCT.md).
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the rubrik project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/tomascco/rubrik/blob/main/CODE_OF_CONDUCT.md).

data/lib/rubrik/document/increment.rb

@@ -0,0 +1,106 @@
+# typed: true
+# frozen_string_literal: true
+
+module Rubrik
+  class Document
+    module Increment
+      include Kernel
+
+      extend T::Sig
+      extend self
+
+      sig {params(document: Rubrik::Document, io: T.any(File, Tempfile, StringIO)).returns(T.any(File, Tempfile, StringIO))}
+      def call(document, io:)
+        document.io.rewind
+        IO.copy_stream(T.unsafe(document.io), T.unsafe(io))
+
+        io << "\n"
+        new_xref = Array.new
+
+        document.modified_objects.each do |object|
+          integer_id = T.let(object[:id].to_i, Integer)
+          new_xref << {id: integer_id, offset: io.pos}
+
+          io << "#{integer_id} 0 obj\n" "#{serialize(object[:value])}\n" "endobj\n\n"
+        end
+
+        updated_trailer = document.objects.trailer.dup
+        updated_trailer[:Prev] = last_xref_pos(document)
+        updated_trailer[:Size] = document.last_object_id + 1
+
+        new_xref_pos = io.pos
+
+        new_xref_subsections = new_xref
+          .sort_by { _1[:id] }
+          .chunk_while { _1[:id] + 1 == _2[:id] }
+
+        io << "xref\n"
+        io << "0 1\n"
+        io << "0000000000 65535 f\n"
+
+        new_xref_subsections.each do |subsection|
+          starting_id = subsection.first[:id]
+          length = subsection.length
+
+          io << "#{starting_id} #{length}\n"
+          subsection.each { |entry| io << "#{format("%010d", entry[:offset])} 00000 n\n" }
+        end
+
+        io << "trailer\n"
+        io << "#{serialize(updated_trailer)}\n"
+        io << "startxref\n"
+        io << "#{new_xref_pos.to_s}\n"
+        io << "%%EOF\n"
+
+        io.rewind
+        io
+      end
+
+      private
+
+      sig {params(obj: T.untyped).returns(String)}
+      def serialize(obj)
+        case obj
+        when Hash
+          serialized_objs = obj.flatten.map { |e| serialize(e) }
+          "<<#{serialized_objs.join(" ")}>>"
+        when Symbol
+          "/#{obj}"
+        when Array
+          serialized_objs = obj.map { |e| serialize(e) }
+          "[#{serialized_objs.join(" ")}]"
+        when PDF::Reader::Reference
+          "#{obj.id} #{obj.gen} R"
+        when String
+          "(#{obj})"
+        when TrueClass
+          "true"
+        when FalseClass
+          "false"
+        when Document::CONTENTS_PLACEHOLDER
+          "<#{"0" * Document::SIGNATURE_SIZE}>"
+        when Document::BYTE_RANGE_PLACEHOLDER
+          "[0 0000000000 0000000000 0000000000]"
+        when Numeric
+          obj.to_s
+        when NilClass
+          "null"
+        when PDF::Reader::Stream
+          <<~OBJECT.chomp
+            #{serialize(obj.hash)}
+            stream
+            #{obj.data}
+            endstream
+          OBJECT
+        else
+          raise NotImplementedError.new("Don't know how to serialize #{obj}")
+        end
+      end
+
+      sig {params(document: Rubrik::Document).returns(Integer)}
+      def last_xref_pos(document)
+        PDF::Reader::Buffer.new(document.io, seek: 0).find_first_xref_offset
+      end
+    end
+  end
+end

data/lib/rubrik/document.rb

@@ -0,0 +1,127 @@
+# typed: true
+# frozen_string_literal: true
+
+require "securerandom"
+
+module Rubrik
+  class Document
+    extend T::Sig
+
+    CONTENTS_PLACEHOLDER = Object.new.freeze
+    BYTE_RANGE_PLACEHOLDER = Object.new.freeze
+    SIGNATURE_SIZE = 8_192
+
+    sig {returns(T.any(File, Tempfile, StringIO))}
+    attr_reader :io
+
+    sig {returns(PDF::Reader::ObjectHash)}
+    attr_reader :objects
+
+    sig {returns(T::Array[{id: PDF::Reader::Reference, value: T.untyped}])}
+    attr_reader :modified_objects
+
+    sig {returns(PDF::Reader::Reference)}
+    attr_reader :interactive_form_id
+
+    sig {returns(Integer)}
+    attr_reader :last_object_id
+
+    sig {params(input: T.any(File, Tempfile, StringIO)).void}
+    def initialize(input)
+      self.io = input
+      self.objects = PDF::Reader::ObjectHash.new(input)
+      self.last_object_id = objects.size
+      self.modified_objects = []
+
+      fetch_or_create_interactive_form!
+    end
+
+    sig {void}
+    def add_signature_field
+      # create signature value dictionary
+      signature_value_id = assign_new_object_id!
+      modified_objects << {
+        id: signature_value_id,
+        value: {
+          Type: :Sig,
+          Filter: :"Adobe.PPKLite",
+          SubFilter: :"adbe.pkcs7.detached",
+          Contents: CONTENTS_PLACEHOLDER,
+          ByteRange: BYTE_RANGE_PLACEHOLDER
+        }
+      }
+
+      first_page_reference = T.must(objects.page_references[0])
+
+      # create signature field
+      signature_field_id = assign_new_object_id!
+      modified_objects << {
+        id: signature_field_id,
+        value: {
+          T: "Signature-#{SecureRandom.hex(2)}",
+          FT: :Sig,
+          V: signature_value_id,
+          Type: :Annot,
+          Subtype: :Widget,
+          Rect: [20, 20, 120, 120],
+          F: 4,
+          P: first_page_reference
+        }
+      }
+
+      modified_page = objects.fetch(first_page_reference).dup
+      (modified_page[:Annots] ||= []) << signature_field_id
+
+      modified_objects << {id: first_page_reference, value: modified_page}
+
+      (interactive_form[:Fields] ||= []) << signature_field_id
+    end
+
+    private
+
+    sig {returns(T::Hash[Symbol, T.untyped])}
+    def interactive_form
+      T.must(modified_objects.first).fetch(:value)
+    end
+
+    sig {void}
+    def fetch_or_create_interactive_form!
+      root_ref = objects.trailer[:Root]
+      root = T.let(objects.fetch(root_ref), Hash)
+
+      if root.key?(:AcroForm)
+        form_id = root[:AcroForm]
+
+        modified_objects << {id: form_id, value: objects.fetch(form_id).dup}
+      else
+        interactive_form_id = assign_new_object_id!
+        modified_objects << {id: interactive_form_id, value: {Fields: []}}
+
+        # we also need to create a new version of the document catalog to include the new form ref
+        updated_root = root.dup
+        updated_root[:AcroForm] = interactive_form_id
+
+        modified_objects << {id: root_ref, value: updated_root}
+      end
+
+      interactive_form[:SigFlags] = 3 # dont modify, append only
+    end
+
+    sig {returns(PDF::Reader::Reference)}
+    def assign_new_object_id!
+      PDF::Reader::Reference.new(self.last_object_id += 1, 0)
+    end
+
+    sig {params(io: T.any(File, Tempfile, StringIO)).returns(T.any(File, Tempfile, StringIO))}
+    attr_writer :io
+
+    sig {params(objects: PDF::Reader::ObjectHash).returns(PDF::Reader::ObjectHash)}
+    attr_writer :objects
+
+    sig {params(modified_objects: T::Array[{id: PDF::Reader::Reference, value: T.untyped}]).returns(T::Array[{id: PDF::Reader::Reference, value: T.untyped}])}
+    attr_writer :modified_objects
+
+    sig {params(last_object_id: Integer).returns(Integer)}
+    attr_writer :last_object_id
+  end
+end

data/lib/rubrik/fill_signature.rb

@@ -0,0 +1,72 @@
+# typed: true
+# frozen_string_literal: true
+
+require "openssl"
+
+module Rubrik
+  module FillSignature
+    extend T::Sig
+    extend self
+    include Kernel
+
+    sig {params(
+          io: T.any(File, StringIO, Tempfile),
+          signature_value_ref: PDF::Reader::Reference,
+          private_key: OpenSSL::PKey::RSA,
+          public_key: OpenSSL::X509::Certificate,
+          certificate_chain: T::Array[OpenSSL::X509::Certificate])
+        .returns(T.any(File, StringIO, Tempfile))}
+
+    FIRST_OFFSET = 0
+
+    def call(io, signature_value_ref:, private_key:, public_key:, certificate_chain: [])
+      io.rewind
+
+      signature_value_offset = PDF::Reader::XRef.new(io)[signature_value_ref]
+
+      io.pos = signature_value_offset
+      io.gets("/Contents")
+      io.gets("<")
+
+      first_length = io.pos - 1
+      # we need to double the SIGNATURE_SIZE because the hex encoding double the data size
+      # we also need to sum +2 to account for "<" and ">" of the hex string
+      second_offset = first_length + Document::SIGNATURE_SIZE + 2
+      second_length = io.size - second_offset
+
+      byte_range_array = [FIRST_OFFSET, first_length, second_offset, second_length]
+
+      io.pos = signature_value_offset
+
+      io.gets("/ByteRange")
+      byte_range_start = io.pos - "/ByteRange".size
+
+      io.gets("]")
+      byte_range_end = io.pos
+
+      byte_range_size = byte_range_end - byte_range_start + 1
+      actual_byte_range = " /ByteRange [#{byte_range_array.join(" ")}]".ljust(byte_range_size, " ")
+
+      io.seek(-byte_range_size, IO::SEEK_CUR)
+      io.write(actual_byte_range)
+
+      io.pos = FIRST_OFFSET
+      data_to_sign = T.must(io.read(first_length))
+
+      io.pos = second_offset
+      data_to_sign += T.must(io.read(second_length))
+
+      signature = OpenSSL::PKCS7.sign(public_key, private_key, data_to_sign, certificate_chain,
+                                      OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY).to_der
+      hex_signature = T.let(signature, String).unpack1("H*")
+
+      padded_contents_field = "<#{hex_signature.ljust(Document::SIGNATURE_SIZE, "0")}>"
+
+      io.pos = first_length
+      io.write(padded_contents_field)
+
+      io.rewind
+      io
+    end
+  end
+end

data/lib/rubrik/sign.rb

@@ -0,0 +1,28 @@
+# typed: true
+# frozen_string_literal: true
+
+module Rubrik
+  module Sign
+    extend T::Sig
+
+    sig {params(
+           input: T.any(File, Tempfile, StringIO),
+           output: T.any(File, Tempfile, StringIO),
+           private_key: OpenSSL::PKey::RSA,
+           public_key: OpenSSL::X509::Certificate,
+           certificate_chain: T::Array[OpenSSL::X509::Certificate])
+         .void}
+    def self.call(input, output, private_key:, public_key:, certificate_chain: [])
+      document = Rubrik::Document.new(input)
+
+      document.add_signature_field
+
+      Document::Increment.call(document, io: output)
+
+      signature_value = T.must(document.modified_objects.find { _1.dig(:value, :Type) == :Sig })
+
+      signature_value_ref = T.let(signature_value[:id], PDF::Reader::Reference)
+      FillSignature.call(output, signature_value_ref:, private_key:, public_key:, certificate_chain:)
+    end
+  end
+end

data/lib/rubrik/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Rubrik
+  VERSION = "0.1.0"
+end

data/lib/rubrik.rb

@@ -0,0 +1,18 @@
+# typed: true
+# frozen_string_literal: true
+
+require "bundler"
+Bundler.setup(:default)
+
+require "sorbet-runtime"
+require "pdf-reader"
+require "irb"
+
+module Rubrik
+  class Error < StandardError; end
+end
+
+require_relative "rubrik/document"
+require_relative "rubrik/document/increment"
+require_relative "rubrik/fill_signature"
+require_relative "rubrik/sign"

metadata

@@ -0,0 +1,82 @@
+--- !ruby/object:Gem::Specification
+name: rubrik
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Tomás Coêlho
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2023-10-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: pdf-reader
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.10'
+- !ruby/object:Gem::Dependency
+  name: sorbet-runtime
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+description: Sign PDFs digitally in pure Ruby
+email:
+- tomascoelho6@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- lib/rubrik.rb
+- lib/rubrik/document.rb
+- lib/rubrik/document/increment.rb
+- lib/rubrik/fill_signature.rb
+- lib/rubrik/sign.rb
+- lib/rubrik/version.rb
+homepage: https://github.com/tomascco/rubrik
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/tomascco/rubrik
+  source_code_uri: https://github.com/tomascco/rubrik
+  changelog_uri: https://github.com/tomascco/rubrik/blob/main/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.20
+signing_key:
+specification_version: 4
+summary: Sign PDFs digitally in pure Ruby
+test_files: []