@libpdf/core 0.3.0 → 0.3.2

package/dist/index.d.mts

@@ -10508,6 +10508,8 @@ declare class GoogleKmsSigner implements Signer {
   /**
    * Hash data using the specified algorithm.
    *
+   * Uses the Web Crypto API for native-speed hashing.
+   *
    * @returns The digest bytes and the KMS digest key name
    */
   private hashData;

package/dist/index.mjs

@@ -11,7 +11,7 @@ import { createCMSECDSASignature } from "pkijs";
 import { base64 } from "@scure/base";
 
 //#region package.json
-var version = "0.3.0";
+var version = "0.3.2";
 
 //#endregion
 //#region src/objects/pdf-array.ts
@@ -34186,19 +34186,21 @@ function encryptStreamDict(stream, ctx) {
 */
 function collectReachableRefs(registry, root, info, encrypt) {
 	const visited = /* @__PURE__ */ new Set();
-	const walk = (obj) => {
-		if (obj === null) return;
+	const stack = [root];
+	if (info) stack.push(info);
+	if (encrypt) stack.push(encrypt);
+	while (stack.length > 0) {
+		const obj = stack.pop();
 		if (obj instanceof PdfRef) {
 			const key$1 = `${obj.objectNumber} ${obj.generation}`;
-			if (visited.has(key$1)) return;
+			if (visited.has(key$1)) continue;
 			visited.add(key$1);
-			walk(registry.resolve(obj));
-		} else if (obj instanceof PdfDict) for (const [, value] of obj) walk(value);
-		else if (obj instanceof PdfArray) for (const item of obj) walk(item);
-	};
-	walk(root);
-	if (info) walk(info);
-	if (encrypt) walk(encrypt);
+			const resolved = registry.resolve(obj);
+			if (resolved !== null) stack.push(resolved);
+		} else if (obj instanceof PdfDict) {
+			for (const [, value] of obj) if (value != null) stack.push(value);
+		} else if (obj instanceof PdfArray) for (const item of obj) stack.push(item);
+	}
 	return visited;
 }
 /**
@@ -38222,9 +38224,6 @@ const OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2";
 //#endregion
 //#region src/signatures/utils.ts
 /**
-* Shared utilities for signature operations.
-*/
-/**
 * Escape special characters in PDF literal string.
 *
 * PDF strings use backslash escapes for special characters.
@@ -38238,16 +38237,17 @@ function escapePdfString(str) {
 /**
 * Hash data using the specified algorithm.
 *
+* Uses the Web Crypto API for native-speed hashing, which is significantly
+* faster than pure-JS implementations for large inputs (e.g. hashing an
+* entire PDF during signing).
+*
 * @param data - Data to hash
 * @param algorithm - Digest algorithm
 * @returns Hash bytes
 */
-function hashData(data, algorithm) {
-	switch (algorithm) {
-		case "SHA-256": return sha256(data);
-		case "SHA-384": return sha384(data);
-		case "SHA-512": return sha512(data);
-	}
+async function hashData(data, algorithm) {
+	const digest = await crypto.subtle.digest(algorithm, data);
+	return new Uint8Array(digest);
 }
 
 //#endregion
@@ -38363,7 +38363,7 @@ var CAdESDetachedBuilder = class {
 		const { signer, documentHash, digestAlgorithm, signingTime } = options;
 		const signerCert = parseCertificate$1(signer.certificate);
 		const allCerts = [signerCert, ...(signer.certificateChain ?? []).map(parseCertificate$1)];
-		const signedAttrs = this.buildSignedAttributes(documentHash, digestAlgorithm, signer, signerCert, signingTime);
+		const signedAttrs = await this.buildSignedAttributes(documentHash, digestAlgorithm, signer, signerCert, signingTime);
 		const signedAttrsForSigning = encodeSignedAttributesForSigning(signedAttrs);
 		this.signatureValue = await signer.sign(new Uint8Array(signedAttrsForSigning), digestAlgorithm);
 		this.signerInfo = new pkijs.SignerInfo({
@@ -38414,7 +38414,7 @@ var CAdESDetachedBuilder = class {
 	/**
 	* Build the signed attributes for CAdES signature.
 	*/
-	buildSignedAttributes(documentHash, digestAlgorithm, signer, signerCert, signingTime) {
+	async buildSignedAttributes(documentHash, digestAlgorithm, signer, signerCert, signingTime) {
 		const attrs = [];
 		attrs.push(new pkijs.Attribute({
 			type: OID_CONTENT_TYPE,
@@ -38429,7 +38429,7 @@ var CAdESDetachedBuilder = class {
 			type: OID_MESSAGE_DIGEST,
 			values: [new OctetString({ valueHex: toArrayBuffer(documentHash) })]
 		}));
-		attrs.push(this.buildSigningCertificateV2(signerCert, digestAlgorithm));
+		attrs.push(await this.buildSigningCertificateV2(signerCert, digestAlgorithm));
 		return attrs;
 	}
 	/**
@@ -38450,9 +38450,9 @@ var CAdESDetachedBuilder = class {
 	*   issuerSerial            IssuerSerial OPTIONAL
 	* }
 	*/
-	buildSigningCertificateV2(signerCert, digestAlgorithm) {
+	async buildSigningCertificateV2(signerCert, digestAlgorithm) {
 		const certDer = signerCert.toSchema().toBER(false);
-		const certHash = hashData(new Uint8Array(certDer), digestAlgorithm);
+		const certHash = await hashData(new Uint8Array(certDer), digestAlgorithm);
 		const generalName = new pkijs.GeneralName({
 			type: 4,
 			value: signerCert.issuer
@@ -41609,7 +41609,7 @@ var PDFSignature = class {
 		const placeholders = findPlaceholders(pdfBytes);
 		const byteRange = calculateByteRange(pdfBytes, placeholders);
 		patchByteRange(pdfBytes, placeholders, byteRange);
-		const documentHash = hashData(extractSignedBytes(pdfBytes, byteRange), resolved.digestAlgorithm);
+		const documentHash = await hashData(extractSignedBytes(pdfBytes, byteRange), resolved.digestAlgorithm);
 		const signedData = await this.getFormatBuilder(resolved.subFilter).create({
 			signer: resolved.signer,
 			documentHash,
@@ -41617,7 +41617,7 @@ var PDFSignature = class {
 			signingTime: resolved.signingTime
 		});
 		if (resolved.timestampAuthority) {
-			const signatureHash = hashData(signedData.getSignatureValue(), resolved.digestAlgorithm);
+			const signatureHash = await hashData(signedData.getSignatureValue(), resolved.digestAlgorithm);
 			const timestampToken = await resolved.timestampAuthority.timestamp(signatureHash, resolved.digestAlgorithm);
 			signedData.addTimestampToken(timestampToken);
 		}
@@ -41769,7 +41769,7 @@ var PDFSignature = class {
 		const placeholders = findPlaceholders(savedBytes);
 		const byteRange = calculateByteRange(savedBytes, placeholders);
 		patchByteRange(savedBytes, placeholders, byteRange);
-		const documentHash = hashData(extractSignedBytes(savedBytes, byteRange), digestAlgorithm);
+		const documentHash = await hashData(extractSignedBytes(savedBytes, byteRange), digestAlgorithm);
 		const timestampToken = await timestampAuthority.timestamp(documentHash, digestAlgorithm);
 		patchContents(savedBytes, placeholders, timestampToken);
 		await this.pdf.reload(savedBytes);
@@ -44531,7 +44531,7 @@ var GoogleKmsSigner = class GoogleKmsSigner {
 	*/
 	async sign(data, algorithm) {
 		if (algorithm !== this.digestAlgorithm) throw new KmsSignerError(`Digest algorithm mismatch: this KMS key requires ${this.digestAlgorithm}, but ${algorithm} was requested`);
-		const { digest, digestKey } = this.hashData(data, algorithm);
+		const { digest, digestKey } = await this.hashData(data, algorithm);
 		try {
 			const [response] = await this.client.asymmetricSign({
 				name: this.keyVersionName,
@@ -44549,23 +44549,21 @@ var GoogleKmsSigner = class GoogleKmsSigner {
 	/**
 	* Hash data using the specified algorithm.
 	*
+	* Uses the Web Crypto API for native-speed hashing.
+	*
 	* @returns The digest bytes and the KMS digest key name
 	*/
-	hashData(data, algorithm) {
-		switch (algorithm) {
-			case "SHA-256": return {
-				digest: sha256(data),
-				digestKey: "sha256"
-			};
-			case "SHA-384": return {
-				digest: sha384(data),
-				digestKey: "sha384"
-			};
-			case "SHA-512": return {
-				digest: sha512(data),
-				digestKey: "sha512"
-			};
-		}
+	async hashData(data, algorithm) {
+		const digestKeyMap = {
+			"SHA-256": "sha256",
+			"SHA-384": "sha384",
+			"SHA-512": "sha512"
+		};
+		const arrayBuffer = await crypto.subtle.digest(algorithm, data);
+		return {
+			digest: new Uint8Array(arrayBuffer),
+			digestKey: digestKeyMap[algorithm]
+		};
 	}
 };