pdf-lite 1.0.0

package/packages/pdf-lite/src/security/types.ts

@@ -0,0 +1,158 @@
+import { PdfArray } from '../core/objects/pdf-array'
+import { PdfBoolean } from '../core/objects/pdf-boolean'
+import { PdfDictionary } from '../core/objects/pdf-dictionary'
+import { PdfHexadecimal } from '../core/objects/pdf-hexadecimal'
+import { PdfIndirectObject } from '../core/objects/pdf-indirect-object'
+import { PdfName } from '../core/objects/pdf-name'
+import { PdfNumber } from '../core/objects/pdf-number'
+import { PdfString } from '../core/objects/pdf-string'
+import { ByteArray } from '../types'
+
+/**
+ * Represents the PDF document ID array containing two hexadecimal identifiers.
+ * The first element is the permanent ID assigned when the document is created,
+ * and the second is updated when the document is modified.
+ */
+export type PdfId = PdfArray<PdfHexadecimal>
+
+/**
+ * Dictionary defining a crypt filter for PDF encryption.
+ * Specifies the encryption method and authentication event trigger.
+ */
+export type PdfCryptFilterDictionary = PdfDictionary<{
+    AuthEvent: PdfName<'DocOpen' | 'EFOpen'>
+    CFM: PdfName<'None' | 'V2' | 'AESV2' | 'AESV3'>
+    Length?: PdfNumber
+}>
+
+/**
+ * The encryption dictionary stored in the PDF trailer.
+ * Contains all encryption parameters including filter type, version, revision,
+ * owner/user keys, permissions, and crypt filter configurations.
+ */
+export type PdfEncryptionDictionary = PdfDictionary<{
+    Filter: PdfName<'Standard' | 'Adobe.PubSec'>
+    SubFilter?: PdfName<'adbe.pkcs7.s3' | 'adbe.pkcs7.s4' | 'adbe.pkcs7.s5'>
+    V: PdfNumber
+    R: PdfNumber
+    O: PdfString | PdfHexadecimal
+    OE?: PdfString | PdfHexadecimal
+    U: PdfString | PdfHexadecimal
+    UE?: PdfString | PdfHexadecimal
+    P: PdfNumber
+    Perms?: PdfString | PdfHexadecimal
+    Length: PdfNumber
+    CF?: PdfDictionary<{
+        [key: string]: PdfCryptFilterDictionary
+    }>
+    StmF?: PdfName
+    StrF?: PdfName
+    EFF?: PdfName
+    EncryptMetadata?: PdfBoolean
+    ID?: PdfArray<PdfHexadecimal>
+    Recipients?: PdfArray<PdfHexadecimal>
+}>
+
+/**
+ * An indirect object containing the encryption dictionary.
+ */
+export type PdfEncryptionDictionaryObject =
+    PdfIndirectObject<PdfEncryptionDictionary>
+
+/**
+ * Specifies the type of content being encrypted.
+ * - 'string': PDF string objects
+ * - 'stream': PDF stream objects
+ * - 'file': Embedded file streams
+ */
+export type CryptFilterType = 'string' | 'stream' | 'file'
+
+/**
+ * Recipient information for public key encryption.
+ * Contains the certificate for encryption and optional private key for decryption.
+ */
+export type PdfEncryptionRecipient = {
+    certificate?: ByteArray
+    privateKey?: ByteArray
+}
+
+/**
+ * Supported encryption algorithm types.
+ * - 'RC4-40': 40-bit RC4 encryption (weak, legacy)
+ * - 'RC4-128': 128-bit RC4 encryption (legacy)
+ * - 'AES-128-CBC': 128-bit AES in CBC mode
+ * - 'AES-256-CBC': 256-bit AES in CBC mode (recommended)
+ * - 'none': No encryption (identity filter)
+ */
+export type PdfEncryptionAlgorithmType =
+    | 'RC4-40'
+    | 'RC4-128'
+    | 'AES-128-CBC'
+    | 'AES-256-CBC'
+    | 'none'
+
+/**
+ * RC4-40 encryption configuration.
+ */
+type Rc40 = {
+    default: 'RC4-40'
+}
+
+/**
+ * RC4-128 encryption configuration.
+ */
+type Rc128 = {
+    default: 'RC4-128'
+}
+
+/**
+ * AES-128 encryption configuration with optional per-type crypt filters.
+ */
+type Aes128WithCryptFilters = {
+    default: 'AES-128-CBC'
+    streams?: 'AES-128-CBC' | 'RC4-128' | 'RC4-40' | 'none'
+    strings?: 'AES-128-CBC' | 'RC4-128' | 'RC4-40' | 'none'
+}
+
+/**
+ * AES-256 encryption configuration with optional per-type crypt filters.
+ */
+type Aes256 = {
+    default: 'AES-256-CBC' | 'none'
+    streams?: 'AES-256-CBC' | 'AES-128-CBC' | 'RC4-128' | 'none'
+    files?: 'AES-256-CBC' | 'AES-128-CBC' | 'RC4-128' | 'none'
+    strings?: 'AES-256-CBC' | 'AES-128-CBC' | 'RC4-128' | 'none'
+}
+
+/**
+ * Union of all encryption algorithm configuration options.
+ */
+export type PdfEncryptionAlgorithmOptions =
+    | Rc40
+    | Rc128
+    | Aes128WithCryptFilters
+    | Aes256
+
+/**
+ * Options for configuring PDF encryption.
+ * Includes encryption method, passwords, document ID, and permission settings.
+ */
+export type PdfEncryptionOptions = {
+    method?: PdfEncryptionAlgorithmOptions
+    password?: ByteArray | string
+    ownerPassword?: ByteArray | string
+    documentId?: PdfId | ByteArray | string
+    encryptMetadata?: boolean
+    recipients?: PdfEncryptionRecipient[]
+    permissions?: {
+        print?: boolean
+        modify?: boolean
+        copy?: boolean
+        annotate?: boolean
+        fill?: boolean
+        extract?: boolean
+        assemble?: boolean
+        printHighQuality?: boolean
+        all?: boolean
+    }
+}

package/packages/pdf-lite/src/signing/document-security-store.ts

@@ -0,0 +1,224 @@
+import { PdfArray } from '../core/objects/pdf-array'
+import { PdfDate } from '../core/objects/pdf-date'
+import { PdfDictionary } from '../core/objects/pdf-dictionary'
+import { PdfIndirectObject } from '../core/objects/pdf-indirect-object'
+import { PdfName } from '../core/objects/pdf-name'
+import { PdfObjectReference } from '../core/objects/pdf-object-reference'
+import { PdfStream } from '../core/objects/pdf-stream'
+import { PdfString } from '../core/objects/pdf-string'
+import { PdfDocument } from '../pdf/pdf-document'
+import { ByteArray } from '../types'
+import { RevocationInfo } from './types'
+
+/**
+ * Indirect object containing a certificate stream.
+ */
+export class PdfCertObject extends PdfIndirectObject<PdfStream> {}
+
+/**
+ * Indirect object containing a CRL stream.
+ */
+export class PdfCrlObject extends PdfIndirectObject<PdfStream> {}
+
+/**
+ * Indirect object containing an OCSP response stream.
+ */
+export class PdfOcspObject extends PdfIndirectObject<PdfStream> {}
+
+/**
+ * Validation Related Information (VRI) dictionary.
+ * Associates revocation data with specific certificate hashes.
+ */
+export type PdfVriObject = PdfIndirectObject<
+    PdfDictionary<{
+        [CertHash: string]: PdfDictionary<{
+            Type?: PdfName<'VRI'>
+            Cert?: PdfObjectReference
+            OCSP?: PdfObjectReference
+            CRL?: PdfObjectReference
+            TU?: PdfDate
+            TS?: PdfString
+        }>
+    }>
+>
+
+/**
+ * Dictionary for the Document Security Store (DSS).
+ * Contains arrays of certificates, CRLs, OCSPs, and VRI entries.
+ */
+export class PdfDocumentSecurityStoreDictionary extends PdfDictionary<{
+    Type?: PdfName<'DSS'>
+    VRI?: PdfObjectReference
+    OCSPs?: PdfArray<PdfObjectReference>
+    CRLs?: PdfArray<PdfObjectReference>
+    Certs?: PdfArray<PdfObjectReference>
+}> {}
+
+/**
+ * Document Security Store (DSS) object for PAdES LTV signatures.
+ * Stores validation data (certificates, CRLs, OCSPs) for long-term validation.
+ *
+ * @example
+ * ```typescript
+ * const dss = new PdfDocumentSecurityStoreObject(document)
+ * await dss.addCert(certificateBytes)
+ * await dss.addCrl(crlBytes)
+ * await dss.addOcsp(ocspBytes)
+ * ```
+ */
+export class PdfDocumentSecurityStoreObject extends PdfIndirectObject<PdfDocumentSecurityStoreDictionary> {
+    /** Reference to the parent document. */
+    private document: PdfDocument
+
+    /**
+     * Creates a new DSS object.
+     *
+     * @param document - The parent PDF document.
+     * @param content - Optional pre-existing DSS dictionary.
+     */
+    constructor(
+        document: PdfDocument,
+        content?: PdfDocumentSecurityStoreDictionary,
+    ) {
+        super(content ?? new PdfDocumentSecurityStoreDictionary())
+        this.document = document
+    }
+
+    /**
+     * Adds an OCSP response to the DSS, avoiding duplicates.
+     *
+     * @param ocsp - The DER-encoded OCSP response.
+     * @returns The created or existing OCSP object.
+     */
+    async addOcsp(ocsp: ByteArray): Promise<PdfOcspObject> {
+        const newOcsp = new PdfStream(ocsp)
+        let ocspArray = this.content.get('OCSPs')
+
+        const currentOcsps = (await Promise.all(
+            (ocspArray?.items ?? []).map(async (ref) => {
+                const obj = await this.document.readObject(ref)
+                return obj
+            }),
+        )) as PdfIndirectObject<PdfStream>[]
+
+        for (const existingOcsp of currentOcsps) {
+            if (existingOcsp.content.equals(newOcsp)) {
+                return existingOcsp as PdfOcspObject
+            }
+        }
+
+        const ocspObject = new PdfOcspObject(newOcsp)
+        this.document.add(ocspObject)
+
+        if (!ocspArray) {
+            ocspArray = new PdfArray<PdfObjectReference>([])
+            this.content.set('OCSPs', ocspArray)
+        }
+
+        ocspArray.items.push(ocspObject.reference)
+
+        return ocspObject
+    }
+
+    /**
+     * Adds a CRL to the DSS, avoiding duplicates.
+     *
+     * @param crl - The DER-encoded CRL.
+     * @returns The created or existing CRL object.
+     */
+    async addCrl(crl: ByteArray): Promise<PdfCrlObject> {
+        let crlArray = this.content.get('CRLs')
+
+        const currentCrls = (await Promise.all(
+            (crlArray?.items ?? []).map(async (ref) => {
+                const obj = await this.document.readObject(ref)
+                return obj
+            }),
+        )) as PdfIndirectObject<PdfStream>[]
+
+        for (const existingCrl of currentCrls) {
+            if (existingCrl.content.equals(new PdfStream(crl))) {
+                return existingCrl as PdfCrlObject
+            }
+        }
+
+        const crlObject = new PdfCrlObject(new PdfStream(crl))
+        this.document.add(crlObject)
+
+        if (!crlArray) {
+            crlArray = new PdfArray<PdfObjectReference>([])
+            this.content.set('CRLs', crlArray)
+        }
+
+        crlArray.items.push(crlObject.reference)
+
+        return crlObject
+    }
+
+    /**
+     * Adds a certificate to the DSS, avoiding duplicates.
+     *
+     * @param cert - The DER-encoded certificate.
+     * @returns The created or existing certificate object.
+     */
+    async addCert(cert: ByteArray): Promise<PdfCertObject> {
+        let certArray = this.content.get('Certs')
+
+        const currentCerts = (await Promise.all(
+            (certArray?.items ?? []).map(async (ref) => {
+                const obj = await this.document.readObject(ref)
+                return obj
+            }),
+        )) as PdfIndirectObject<PdfStream>[]
+
+        for (const existingCert of currentCerts) {
+            if (existingCert.content.equals(new PdfStream(cert))) {
+                return existingCert as PdfCertObject
+            }
+        }
+
+        const certObject = new PdfCertObject(new PdfStream(cert))
+        this.document.add(certObject)
+
+        if (!certArray) {
+            certArray = new PdfArray<PdfObjectReference>([])
+            this.content.set('Certs', certArray)
+        }
+
+        certArray.items.push(certObject.reference)
+
+        return certObject
+    }
+
+    /**
+     * Adds revocation information (CRLs and OCSPs) to the DSS.
+     *
+     * @param revocationInfo - The revocation information to add.
+     */
+    async addRevocationInfo(revocationInfo: RevocationInfo): Promise<void> {
+        for (const ocsp of revocationInfo.ocsps ?? []) {
+            await this.addOcsp(ocsp)
+        }
+
+        for (const crl of revocationInfo.crls ?? []) {
+            await this.addCrl(crl)
+        }
+    }
+
+    /**
+     * Checks if the DSS is empty (contains no certificates, CRLs, or OCSPs).
+     *
+     * @returns True if the DSS has no stored data.
+     */
+    isEmpty(): boolean {
+        const certs = this.content.get('Certs')
+        const crls = this.content.get('CRLs')
+        const ocsps = this.content.get('OCSPs')
+
+        return (
+            (!certs || certs.items.length === 0) &&
+            (!crls || crls.items.length === 0) &&
+            (!ocsps || ocsps.items.length === 0)
+        )
+    }
+}

package/packages/pdf-lite/src/signing/index.ts

@@ -0,0 +1,3 @@
+export * from './signatures'
+export * from './document-security-store'
+export * from './types'

package/packages/pdf-lite/src/signing/signatures/adbe-pkcs7-detached.ts

@@ -0,0 +1,154 @@
+import { RevocationInfo, TimeStampAuthority } from '../types'
+import { SignedData } from 'pki-lite/pkcs7/SignedData'
+import { Certificate } from 'pki-lite/x509/Certificate'
+import { SignerInfo } from 'pki-lite/pkcs7/SignerInfo'
+import { Attribute } from 'pki-lite/x509/Attribute'
+import { RevocationInfoArchival } from 'pki-lite/adobe/RevocationInfoArchival'
+import { CertificateList } from 'pki-lite/x509/CertificateList'
+import { OCSPResponse } from 'pki-lite/ocsp/OCSPResponse'
+import { PrivateKeyInfo } from 'pki-lite/keys/PrivateKeyInfo'
+import { OtherRevInfo } from 'pki-lite/adobe/OtherRevInfo'
+import { AsymmetricEncryptionAlgorithmParams } from 'pki-lite/core/index'
+import { fetchRevocationInfo } from '../utils'
+import { PdfSignatureObject, PdfSignatureSignOptions } from './base'
+import { ByteArray } from '../../types'
+
+/**
+ * PKCS#7 detached signature object (adbe.pkcs7.detached).
+ * Creates CMS SignedData with the document hash as external data.
+ *
+ * @example
+ * ```typescript
+ * const signature = new PdfAdbePkcs7DetachedSignatureObject({
+ *     privateKey: keyBytes,
+ *     certificate: certBytes,
+ *     reason: 'Document approval',
+ *     timeStampAuthority: true
+ * })
+ * ```
+ */
+export class PdfAdbePkcs7DetachedSignatureObject extends PdfSignatureObject {
+    /** Private key for signing. */
+    privateKey: ByteArray
+    /** Signer certificate. */
+    certificate: ByteArray
+    /** Additional certificates for chain building. */
+    additionalCertificates: ByteArray[]
+    /** Issuer certificate for OCSP requests. */
+    issuerCertificate?: ByteArray
+    /** Signing date. */
+    date?: Date
+    /** Signature algorithm parameters. */
+    algorithm?: AsymmetricEncryptionAlgorithmParams
+    /** Revocation information or 'fetch' to retrieve automatically. */
+    revocationInfo?: RevocationInfo | 'fetch'
+    /** Timestamp authority configuration. */
+    timeStampAuthority?: TimeStampAuthority
+
+    /**
+     * Creates a new PKCS#7 detached signature object.
+     *
+     * @param options - Signature configuration options.
+     */
+    constructor(
+        options: PdfSignatureSignOptions & {
+            privateKey: ByteArray
+            certificate: ByteArray
+            issuerCertificate?: ByteArray
+            additionalCertificates?: ByteArray[]
+            algorithm?: AsymmetricEncryptionAlgorithmParams
+            revocationInfo?: RevocationInfo | 'fetch'
+            timeStampAuthority?: TimeStampAuthority | true
+        },
+    ) {
+        super({
+            ...options,
+            subfilter: 'adbe.pkcs7.detached',
+        })
+
+        this.privateKey = options.privateKey
+        this.certificate = options.certificate
+        this.issuerCertificate = options.issuerCertificate
+        this.additionalCertificates = options.additionalCertificates || []
+        this.date = options.date
+        this.algorithm = options.algorithm
+        this.revocationInfo = options.revocationInfo
+        this.timeStampAuthority =
+            options.timeStampAuthority === true
+                ? {
+                      url: 'http://timestamp.digicert.com',
+                  }
+                : options.timeStampAuthority
+    }
+
+    /**
+     * Signs the document bytes using PKCS#7 detached format.
+     *
+     * @param options - Signing options with bytes and revocation embedding flag.
+     * @returns The CMS SignedData and revocation information.
+     */
+    sign: PdfSignatureObject['sign'] = async (options) => {
+        const { bytes } = options
+
+        const certificate: Certificate = Certificate.fromDer(this.certificate)
+        const additionalCertificates: Certificate[] =
+            this.additionalCertificates.map(Certificate.fromDer)
+
+        const signedAttributes = new SignerInfo.SignedAttributes()
+        const unsignedAttributes = new SignerInfo.UnsignedAttributes()
+
+        signedAttributes.push(Attribute.signingTime(this.date ?? new Date()))
+
+        const revocationInfo =
+            this.revocationInfo === 'fetch'
+                ? await fetchRevocationInfo({
+                      certificates: [
+                          this.certificate,
+                          ...(this.additionalCertificates ?? []),
+                      ],
+                      issuerCertificate: this.issuerCertificate,
+                  })
+                : this.revocationInfo
+
+        if (options.embedRevocationInfo && revocationInfo) {
+            signedAttributes.push(
+                Attribute.adobeRevocationInfoArchival(
+                    new RevocationInfoArchival({
+                        crls: revocationInfo.crls?.map((x) =>
+                            CertificateList.fromDer(x),
+                        ),
+                        ocsps: revocationInfo.ocsps?.map((x) =>
+                            OCSPResponse.fromDer(x),
+                        ),
+                        otherRevInfo: revocationInfo.otherRevInfo?.map(
+                            (x) =>
+                                new OtherRevInfo({
+                                    type: x.type,
+                                    value: x.value,
+                                }),
+                        ),
+                    }),
+                ),
+            )
+        }
+
+        const signedData = await SignedData.builder()
+            .addCertificate(...additionalCertificates)
+            .setData(bytes)
+            .setDetached(true)
+            .addSigner({
+                certificate,
+                privateKeyInfo: PrivateKeyInfo.fromDer(this.privateKey),
+                encryptionAlgorithm: this.algorithm,
+                signedAttrs: signedAttributes,
+                unsignedAttrs: unsignedAttributes,
+                tsa: this.timeStampAuthority,
+            })
+            .build()
+
+        return {
+            signedBytes: signedData.toCms().toDer(),
+            revocationInfo,
+        }
+    }
+}

package/packages/pdf-lite/src/signing/signatures/adbe-pkcs7-sha1.ts

@@ -0,0 +1,161 @@
+import { RevocationInfo, TimeStampAuthority } from '../types'
+import { SignedData } from 'pki-lite/pkcs7/SignedData'
+import { Certificate } from 'pki-lite/x509/Certificate'
+import { SignerInfo } from 'pki-lite/pkcs7/SignerInfo'
+import { Attribute } from 'pki-lite/x509/Attribute'
+import { RevocationInfoArchival } from 'pki-lite/adobe/RevocationInfoArchival'
+import { CertificateList } from 'pki-lite/x509/CertificateList'
+import { OCSPResponse } from 'pki-lite/ocsp/OCSPResponse'
+import { PrivateKeyInfo } from 'pki-lite/keys/PrivateKeyInfo'
+import { OtherRevInfo } from 'pki-lite/adobe/OtherRevInfo'
+import { AsymmetricEncryptionAlgorithmParams } from 'pki-lite/core/index'
+import { fetchRevocationInfo } from '../utils'
+import { PdfSignatureObject, PdfSignatureSignOptions } from './base'
+import { DigestAlgorithmIdentifier } from 'pki-lite/algorithms/AlgorithmIdentifier'
+import { ByteArray } from '../../types'
+
+/**
+ * PKCS#7 SHA-1 signature object (adbe.pkcs7.sha1).
+ * Creates CMS SignedData with SHA-1 hash embedded as signed content.
+ *
+ * @example
+ * ```typescript
+ * const signature = new PdfAdbePkcs7Sha1SignatureObject({
+ *     privateKey: keyBytes,
+ *     certificate: certBytes
+ * })
+ * ```
+ */
+export class PdfAdbePkcs7Sha1SignatureObject extends PdfSignatureObject {
+    /** Fixed algorithm for SHA-1 signatures. */
+    static readonly ALGORITHM: AsymmetricEncryptionAlgorithmParams = {
+        type: 'RSASSA_PKCS1_v1_5',
+        params: {
+            hash: 'SHA-1',
+        },
+    }
+
+    /** Private key for signing. */
+    privateKey: ByteArray
+    /** Signer certificate. */
+    certificate: ByteArray
+    /** Additional certificates for chain building. */
+    additionalCertificates: ByteArray[]
+    /** Issuer certificate for OCSP requests. */
+    issuerCertificate?: ByteArray
+    /** Signing date. */
+    date?: Date
+    /** Revocation information or 'fetch' to retrieve automatically. */
+    revocationInfo?: RevocationInfo | 'fetch'
+    /** Timestamp authority configuration. */
+    timeStampAuthority?: TimeStampAuthority
+
+    /**
+     * Creates a new PKCS#7 SHA-1 signature object.
+     *
+     * @param options - Signature configuration options.
+     */
+    constructor(
+        options: PdfSignatureSignOptions & {
+            privateKey: ByteArray
+            certificate: ByteArray
+            issuerCertificate?: ByteArray
+            additionalCertificates?: ByteArray[]
+            algorithm?: AsymmetricEncryptionAlgorithmParams
+            revocationInfo?: RevocationInfo | 'fetch'
+            timeStampAuthority?: TimeStampAuthority | true
+        },
+    ) {
+        super({
+            ...options,
+            subfilter: 'adbe.pkcs7.sha1',
+        })
+
+        this.privateKey = options.privateKey
+        this.certificate = options.certificate
+        this.issuerCertificate = options.issuerCertificate
+        this.additionalCertificates = options.additionalCertificates || []
+        this.date = options.date
+        this.revocationInfo = options.revocationInfo
+        this.timeStampAuthority =
+            options.timeStampAuthority === true
+                ? {
+                      url: 'http://timestamp.digicert.com',
+                  }
+                : options.timeStampAuthority
+    }
+
+    /**
+     * Signs the document bytes using PKCS#7 SHA-1 format.
+     *
+     * @param options - Signing options with bytes and revocation embedding flag.
+     * @returns The CMS SignedData and revocation information.
+     */
+    sign: PdfSignatureObject['sign'] = async (options) => {
+        const { bytes } = options
+
+        const certificate: Certificate = Certificate.fromDer(this.certificate)
+        const additionalCertificates: Certificate[] =
+            this.additionalCertificates.map(Certificate.fromDer)
+
+        const signedAttributes = new SignerInfo.SignedAttributes()
+        const unsignedAttributes = new SignerInfo.UnsignedAttributes()
+
+        signedAttributes.push(Attribute.signingTime(this.date ?? new Date()))
+        const revocationInfo =
+            this.revocationInfo === 'fetch'
+                ? await fetchRevocationInfo({
+                      certificates: [
+                          this.certificate,
+                          ...(this.additionalCertificates ?? []),
+                      ],
+                      issuerCertificate: this.issuerCertificate,
+                  })
+                : this.revocationInfo
+
+        if (options.embedRevocationInfo && revocationInfo) {
+            signedAttributes.push(
+                Attribute.adobeRevocationInfoArchival(
+                    new RevocationInfoArchival({
+                        crls: revocationInfo.crls?.map((x) =>
+                            CertificateList.fromDer(x),
+                        ),
+                        ocsps: revocationInfo.ocsps?.map((x) =>
+                            OCSPResponse.fromDer(x),
+                        ),
+                        otherRevInfo: revocationInfo.otherRevInfo?.map(
+                            (x) =>
+                                new OtherRevInfo({
+                                    type: x.type,
+                                    value: x.value,
+                                }),
+                        ),
+                    }),
+                ),
+            )
+        }
+
+        const digest =
+            await DigestAlgorithmIdentifier.digestAlgorithm('SHA-1').digest(
+                bytes,
+            )
+        const signedData = await SignedData.builder()
+            .addCertificate(...additionalCertificates)
+            .setData(digest)
+            .setDetached(false)
+            .addSigner({
+                certificate,
+                privateKeyInfo: PrivateKeyInfo.fromDer(this.privateKey),
+                encryptionAlgorithm: PdfAdbePkcs7Sha1SignatureObject.ALGORITHM,
+                signedAttrs: signedAttributes,
+                unsignedAttrs: unsignedAttributes,
+                tsa: this.timeStampAuthority,
+            })
+            .build()
+
+        return {
+            signedBytes: signedData.toCms().toDer(),
+            revocationInfo,
+        }
+    }
+}