@libpdf/core 0.0.1-beta.7 → 0.0.1-beta.9

package/dist/index.d.mts

@@ -1,4 +1,3 @@
-import { z } from "zod";
 import * as _google_cloud_kms0 from "@google-cloud/kms";
 import * as _google_cloud_secret_manager0 from "@google-cloud/secret-manager";
 
@@ -1931,6 +1930,12 @@ interface Permissions {
 }
 //#endregion
 //#region src/security/schemas.d.ts
+/**
+ * Zod schemas for PDF encryption dictionary validation.
+ *
+ * These schemas provide type-safe parsing of encryption parameters
+ * with proper validation and TypeScript type inference.
+ */
 /**
  * Valid encryption versions (V entry).
  *
@@ -1940,8 +1945,7 @@ interface Permissions {
  * - 4: AES-128 or RC4 with crypt filters (PDF 1.5)
  * - 5: AES-256 (PDF 2.0)
  */
-declare const VersionSchema: z.ZodUnion<readonly [z.ZodLiteral<1>, z.ZodLiteral<2>, z.ZodLiteral<3>, z.ZodLiteral<4>, z.ZodLiteral<5>]>;
-type Version = z.infer<typeof VersionSchema>;
+type EncryptionVersion = 1 | 2 | 3 | 4 | 5;
 /**
  * Valid encryption revisions (R entry).
  *
@@ -1951,25 +1955,31 @@ type Version = z.infer<typeof VersionSchema>;
  * - 5: V=5, AES-256 (draft, Adobe Extension Level 3)
  * - 6: V=5, AES-256 (final, ISO 32000-2)
  */
-declare const RevisionSchema: z.ZodUnion<readonly [z.ZodLiteral<2>, z.ZodLiteral<3>, z.ZodLiteral<4>, z.ZodLiteral<5>, z.ZodLiteral<6>]>;
-type Revision = z.infer<typeof RevisionSchema>;
+type EncryptionRevision = 2 | 3 | 4 | 5 | 6;
+/**
+ * Crypt filter methods (CFM entry).
+ *
+ * - None: Identity (no encryption)
+ * - V2: RC4
+ * - AESV2: AES-128
+ * - AESV3: AES-256
+ */
+type CryptFilterMethod = "None" | "V2" | "AESV2" | "AESV3";
+/**
+ * Authentication events (AuthEvent entry).
+ *
+ * - DocOpen: Authentication when document is opened
+ * - EFOpen: Authentication when embedded file is accessed
+ */
+type AuthEvent = "DocOpen" | "EFOpen";
 /**
  * Complete crypt filter configuration.
  */
-declare const CryptFilterSchema: z.ZodObject<{
-  cfm: z.ZodEnum<{
-    None: "None";
-    V2: "V2";
-    AESV2: "AESV2";
-    AESV3: "AESV3";
-  }>;
-  authEvent: z.ZodOptional<z.ZodEnum<{
-    DocOpen: "DocOpen";
-    EFOpen: "EFOpen";
-  }>>;
-  length: z.ZodOptional<z.ZodNumber>;
-}, z.core.$strip>;
-type CryptFilter = z.infer<typeof CryptFilterSchema>;
+interface CryptFilter {
+  cfm: CryptFilterMethod;
+  authEvent?: AuthEvent;
+  length?: number;
+}
 /**
  * Supported encryption algorithms.
  *
@@ -1977,12 +1987,7 @@ type CryptFilter = z.infer<typeof CryptFilterSchema>;
  * - AES-128: AES with 128-bit key (R4)
  * - AES-256: AES with 256-bit key (R5-R6)
  */
-declare const EncryptionAlgorithmSchema: z.ZodEnum<{
-  RC4: "RC4";
-  "AES-128": "AES-128";
-  "AES-256": "AES-256";
-}>;
-type EncryptionAlgorithm = z.infer<typeof EncryptionAlgorithmSchema>;
+type EncryptionAlgorithm = "RC4" | "AES-128" | "AES-256";
 //#endregion
 //#region src/security/errors.d.ts
 /**
@@ -2021,9 +2026,9 @@ interface EncryptionDict {
   /** Security handler filter (always "Standard" for this implementation) */
   filter: "Standard";
   /** Algorithm version: 1, 2, 3, 4, or 5 */
-  version: Version;
+  version: EncryptionVersion;
   /** Standard security handler revision: 2, 3, 4, 5, or 6 */
-  revision: Revision;
+  revision: EncryptionRevision;
   /** Key length in bits (40-256) */
   keyLengthBits: number;
   /** Owner password verification value (32 bytes for R2-R4, 48 bytes for R5-R6) */
@@ -2120,11 +2125,11 @@ declare class StandardSecurityHandler {
   /**
    * Get the encryption version.
    */
-  get version(): Version;
+  get version(): EncryptionVersion;
   /**
    * Get the encryption revision.
    */
-  get revision(): Revision;
+  get revision(): EncryptionRevision;
   /**
    * Get document permissions.
    */
@@ -2339,18 +2344,22 @@ interface Signer {
   /** Signature algorithm - required for CMS construction */
   readonly signatureAlgorithm: SignatureAlgorithm;
   /**
-   * Sign data and return raw signature bytes.
+   * Sign data and return signature bytes.
    *
    * The signer is responsible for hashing the data using the specified algorithm
    * before creating the signature. For WebCrypto-based implementations, this is
    * handled automatically by the sign() function.
    *
-   * For RSA: PKCS#1 v1.5 or PSS signature
-   * For ECDSA: DER-encoded (r, s) pair
+   * Signature format requirements:
+   * - RSA: PKCS#1 v1.5 or PSS signature bytes
+   * - ECDSA: DER-encoded SEQUENCE { INTEGER r, INTEGER s }
+   *
+   * Note: WebCrypto returns ECDSA signatures in P1363 format (r || s concatenated).
+   * Use pkijs.createCMSECDSASignature() to convert to DER format.
    *
    * @param data - The data to sign (will be hashed internally)
    * @param algorithm - The digest algorithm to use for hashing
-   * @returns Raw signature bytes
+   * @returns Signature bytes in the format required by CMS/PKCS#7
    */
   sign(data: Uint8Array, algorithm: DigestAlgorithm): Promise<Uint8Array>;
 }
@@ -6492,6 +6501,16 @@ interface FlattenOptions {
   font?: FormFont;
   /** Font size to use (0 = auto) */
   fontSize?: number;
+  /**
+   * Skip signature fields during flattening.
+   *
+   * When true, signature fields are preserved as interactive fields while
+   * all other fields are flattened. This is useful when you want to flatten
+   * filled form data but keep signature fields available for signing.
+   *
+   * @default false
+   */
+  skipSignatures?: boolean;
 }
 //#endregion
 //#region src/document/forms/acro-form.d.ts
@@ -7245,6 +7264,13 @@ declare class PDFForm {
    * await pdf.form.flatten();
    * const bytes = await pdf.save();
    * ```
+   *
+   * @example Flatten while preserving signature fields
+   * ```typescript
+   * await pdf.form.fill({ name: "John Doe" });
+   * await pdf.form.flatten({ skipSignatures: true });
+   * // Signature fields remain interactive for signing
+   * ```
    */
   flatten(options?: FlattenOptions): void;
   /**

package/dist/index.mjs

@@ -1,15 +1,15 @@
 import pako, { deflate, inflate } from "pako";
-import { z } from "zod";
 import { cbc, ecb } from "@noble/ciphers/aes.js";
 import { randomBytes } from "@noble/ciphers/utils.js";
 import { md5, sha1 } from "@noble/hashes/legacy.js";
 import { sha256, sha384, sha512 } from "@noble/hashes/sha2.js";
 import { Boolean, Constructed, Integer, Null, ObjectIdentifier, OctetString, Sequence, UTCTime, fromBER } from "asn1js";
 import * as pkijs from "pkijs";
+import { createCMSECDSASignature } from "pkijs";
 import { base64 } from "@scure/base";
 
 //#region package.json
-var version = "0.0.1-beta.7";
+var version = "0.0.1-beta.9";
 
 //#endregion
 //#region src/objects/pdf-array.ts
@@ -3923,85 +3923,23 @@ function encodePermissions(permissions) {
 
 //#endregion
 //#region src/security/schemas.ts
-/**
-* Zod schemas for PDF encryption dictionary validation.
-*
-* These schemas provide type-safe parsing of encryption parameters
-* with proper validation and TypeScript type inference.
-*/
-/**
-* Valid encryption versions (V entry).
-*
-* - 1: 40-bit RC4 (PDF 1.1)
-* - 2: 40-128 bit RC4 (PDF 1.4)
-* - 3: Unpublished (rare)
-* - 4: AES-128 or RC4 with crypt filters (PDF 1.5)
-* - 5: AES-256 (PDF 2.0)
-*/
-const VersionSchema = z.union([
-	z.literal(1),
-	z.literal(2),
-	z.literal(3),
-	z.literal(4),
-	z.literal(5)
-]);
-/**
-* Valid encryption revisions (R entry).
-*
-* - 2: V=1, 40-bit RC4
-* - 3: V=2, 40-128 bit RC4
-* - 4: V=4, AES-128 or RC4
-* - 5: V=5, AES-256 (draft, Adobe Extension Level 3)
-* - 6: V=5, AES-256 (final, ISO 32000-2)
-*/
-const RevisionSchema = z.union([
-	z.literal(2),
-	z.literal(3),
-	z.literal(4),
-	z.literal(5),
-	z.literal(6)
-]);
-/**
-* Crypt filter methods (CFM entry).
-*
-* - None: Identity (no encryption)
-* - V2: RC4
-* - AESV2: AES-128
-* - AESV3: AES-256
-*/
-const CryptFilterMethodSchema = z.enum([
-	"None",
-	"V2",
-	"AESV2",
-	"AESV3"
-]);
-/**
-* Authentication events (AuthEvent entry).
-*
-* - DocOpen: Authentication when document is opened
-* - EFOpen: Authentication when embedded file is accessed
-*/
-const AuthEventSchema = z.enum(["DocOpen", "EFOpen"]);
-/**
-* Complete crypt filter configuration.
-*/
-const CryptFilterSchema = z.object({
-	cfm: CryptFilterMethodSchema,
-	authEvent: AuthEventSchema.optional(),
-	length: z.number().optional()
-});
-/**
-* Supported encryption algorithms.
-*
-* - RC4: Legacy stream cipher (R2-R4)
-* - AES-128: AES with 128-bit key (R4)
-* - AES-256: AES with 256-bit key (R5-R6)
-*/
-const EncryptionAlgorithmSchema = z.enum([
-	"RC4",
-	"AES-128",
-	"AES-256"
-]);
+const isEncryptionVersion = (version$1) => {
+	return typeof version$1 === "number" && version$1 >= 1 && version$1 <= 5;
+};
+const isEncryptionRevision = (revision) => {
+	return typeof revision === "number" && revision >= 2 && revision <= 6;
+};
+const isCryptFilterMethod = (method) => {
+	return typeof method === "string" && [
+		"None",
+		"V2",
+		"AESV2",
+		"AESV3"
+	].includes(method);
+};
+const isAuthEvent = (event) => {
+	return typeof event === "string" && ["DocOpen", "EFOpen"].includes(event);
+};
 
 //#endregion
 //#region src/security/encryption-dict.ts
@@ -4014,22 +3952,16 @@ const EncryptionAlgorithmSchema = z.enum([
 * @see PDF 2.0 Specification, Section 7.6.2 (Standard encryption dictionary)
 */
 /**
-* Parse a crypt filter dictionary with Zod validation.
+* Parse a crypt filter dictionary.
 */
 function parseCryptFilter(dict) {
-	const cfmRaw = dict.getName("CFM")?.value ?? "None";
-	const authEventRaw = dict.getName("AuthEvent")?.value;
+	const cfm = dict.getName("CFM")?.value ?? "None";
+	const authEvent = dict.getName("AuthEvent")?.value;
 	const length = dict.getNumber("Length")?.value;
-	const cfmResult = CryptFilterMethodSchema.safeParse(cfmRaw);
-	if (!cfmResult.success) throw new EncryptionDictError(`Invalid crypt filter method: ${cfmRaw}`);
-	let authEvent;
-	if (authEventRaw !== void 0) {
-		const authEventResult = AuthEventSchema.safeParse(authEventRaw);
-		if (!authEventResult.success) throw new EncryptionDictError(`Invalid auth event: ${authEventRaw}`);
-		authEvent = authEventResult.data;
-	}
+	if (!isCryptFilterMethod(cfm)) throw new EncryptionDictError(`Invalid crypt filter method: ${cfm}`);
+	if (authEvent !== void 0 && !isAuthEvent(authEvent)) throw new EncryptionDictError(`Invalid auth event: ${authEvent}`);
 	return {
-		cfm: cfmResult.data,
+		cfm,
 		authEvent,
 		length
 	};
@@ -4055,21 +3987,19 @@ function determineAlgorithm(version$1, revision, cryptFilters, streamFilter) {
 * Parse and validate the encryption version.
 */
 function parseVersion(dict) {
-	const versionRaw = dict.getNumber("V")?.value;
-	if (versionRaw === void 0) throw new EncryptionDictError("Missing /V (version) in encryption dictionary");
-	const result = VersionSchema.safeParse(versionRaw);
-	if (!result.success) throw new EncryptionDictError(`Unsupported encryption version: ${versionRaw}`);
-	return result.data;
+	const version$1 = dict.getNumber("V")?.value;
+	if (version$1 === void 0) throw new EncryptionDictError("Missing /V (version) in encryption dictionary");
+	if (!isEncryptionVersion(version$1)) throw new EncryptionDictError(`Unsupported encryption version: ${version$1}`);
+	return version$1;
 }
 /**
 * Parse and validate the encryption revision.
 */
 function parseRevision(dict) {
-	const revisionRaw = dict.getNumber("R")?.value;
-	if (revisionRaw === void 0) throw new EncryptionDictError("Missing /R (revision) in encryption dictionary");
-	const result = RevisionSchema.safeParse(revisionRaw);
-	if (!result.success) throw new EncryptionDictError(`Unsupported encryption revision: ${revisionRaw}`);
-	return result.data;
+	const revision = dict.getNumber("R")?.value;
+	if (revision === void 0) throw new EncryptionDictError("Missing /R (revision) in encryption dictionary");
+	if (!isEncryptionRevision(revision)) throw new EncryptionDictError(`Unsupported encryption revision: ${revision}`);
+	return revision;
 }
 /**
 * Parse an encryption dictionary from a PDF dictionary.
@@ -26236,30 +26166,36 @@ var FormFlattener = class {
 	* Flatten all form fields into static page content.
 	*/
 	flatten(options = {}) {
-		if (options.font || options.fontSize !== void 0) {
-			const fields = this.form.getFields();
-			for (const field of fields) {
-				if (field.isReadOnly()) continue;
-				if (options.font) field.setFont(options.font);
-				if (options.fontSize !== void 0) field.setFontSize(options.fontSize);
-			}
+		const allFields = this.form.getFields();
+		const skipSignatures = options.skipSignatures ?? false;
+		const signatureFields = skipSignatures ? allFields.filter((f) => f instanceof SignatureField) : [];
+		const fieldsToFlatten = skipSignatures ? allFields.filter((f) => !(f instanceof SignatureField)) : allFields;
+		if (options.font || options.fontSize !== void 0) for (const field of fieldsToFlatten) {
+			if (field.isReadOnly()) continue;
+			if (options.font) field.setFont(options.font);
+			if (options.fontSize !== void 0) field.setFontSize(options.fontSize);
 		}
 		if (!options.skipAppearanceUpdate) this.form.updateAppearances({ forceRegenerate: options.regenerateAppearances });
-		const pageWidgets = this.collectWidgetsByPage();
+		const pageWidgets = this.collectWidgetsByPage(fieldsToFlatten);
 		for (const { pageRef, widgets } of pageWidgets.values()) this.flattenWidgetsOnPage(pageRef, widgets);
 		const dict = this.form.getDict();
-		dict.set("Fields", new PdfArray([]));
+		if (signatureFields.length > 0) {
+			const sigRefs = signatureFields.map((f) => f.getRef()).filter((ref) => ref !== null);
+			dict.set("Fields", PdfArray.of(...sigRefs));
+		} else dict.set("Fields", new PdfArray([]));
 		dict.delete("NeedAppearances");
 		dict.delete("XFA");
-		if (!this.form.hasSignatures) dict.delete("SigFlags");
+		if (!this.form.hasSignatures && signatureFields.length === 0) dict.delete("SigFlags");
 	}
 	/**
 	* Collect all widgets grouped by their containing page.
+	*
+	* @param fields Optional list of fields to collect from. If not provided, uses all form fields.
 	*/
-	collectWidgetsByPage() {
+	collectWidgetsByPage(fields) {
 		const result = /* @__PURE__ */ new Map();
-		const fields = this.form.getFields();
-		for (const field of fields) for (const widget of field.getWidgets()) {
+		const fieldsToProcess = fields ?? this.form.getFields();
+		for (const field of fieldsToProcess) for (const widget of field.getWidgets()) {
 			let pageRef = widget.pageRef;
 			if (!pageRef) pageRef = this.findPageForWidget(widget);
 			if (!pageRef) {
@@ -27838,9 +27774,22 @@ var PDFForm = class PDFForm {
 	* await pdf.form.flatten();
 	* const bytes = await pdf.save();
 	* ```
+	*
+	* @example Flatten while preserving signature fields
+	* ```typescript
+	* await pdf.form.fill({ name: "John Doe" });
+	* await pdf.form.flatten({ skipSignatures: true });
+	* // Signature fields remain interactive for signing
+	* ```
 	*/
 	flatten(options = {}) {
 		this._acroForm.flatten(options);
+		if (options.skipSignatures) {
+			const sigFields = this.allFields.filter((f) => f instanceof SignatureField);
+			this.allFields = sigFields;
+			this.fieldsByName = new Map(sigFields.map((f) => [f.name, f]));
+			return;
+		}
 		this._ctx.catalog.removeAcroForm();
 		this.allFields = [];
 		this.fieldsByName.clear();
@@ -38293,6 +38242,14 @@ var PDF = class PDF {
 				securityHandler = handler;
 			}
 		}
+		if (useIncremental && !fileId) {
+			const idArray = this.ctx.info.trailer.getArray("ID");
+			if (idArray && idArray.length >= 2) {
+				const id1 = idArray.at(0);
+				const id2 = idArray.at(1);
+				if (id1 instanceof PdfString && id2 instanceof PdfString) fileId = [id1.bytes, id2.bytes];
+			}
+		}
 		const useXRefStream = options.useXRefStream ?? (useIncremental ? this.usesXRefStreams : false);
 		if (useIncremental) {
 			const result$1 = writeIncremental(this.ctx.registry, {
@@ -38448,6 +38405,7 @@ var CryptoKeySigner = class {
 				break;
 		}
 		const signature = await cryptoEngine$1.sign(signAlgorithm, this.privateKey, new Uint8Array(data));
+		if (this.signatureAlgorithm === "ECDSA") return new Uint8Array(createCMSECDSASignature(signature));
 		return new Uint8Array(signature);
 	}
 	/**
@@ -40829,6 +40787,7 @@ var P12Signer = class P12Signer {
 				break;
 		}
 		const signature = await cryptoEngine.sign(signAlgorithm, this.privateKey, new Uint8Array(data));
+		if (this.signatureAlgorithm === "ECDSA") return new Uint8Array(createCMSECDSASignature(signature));
 		return new Uint8Array(signature);
 	}
 	/**