pdf-lite 1.0.0

package/packages/pdf-lite/src/signing/signatures/adbe-x509-rsa-sha1.ts

@@ -0,0 +1,106 @@
+import { PrivateKeyInfo } from 'pki-lite/keys/PrivateKeyInfo'
+import { AsymmetricEncryptionAlgorithmParams } from 'pki-lite/core/index'
+import { PdfSignatureObject, PdfSignatureSignOptions } from './base'
+import { OctetString } from 'pki-lite/asn1/OctetString'
+import { AlgorithmIdentifier } from 'pki-lite/algorithms/AlgorithmIdentifier'
+import { ByteArray } from '../../types'
+import { RevocationInfo } from '../types'
+import { fetchRevocationInfo } from '../utils'
+
+/**
+ * X.509 RSA-SHA1 signature object (adbe.x509.rsa_sha1).
+ * Creates a raw RSA-SHA1 signature with certificates in the Cert entry.
+ *
+ * @example
+ * ```typescript
+ * const signature = new PdfAdbePkcsX509RsaSha1SignatureObject({
+ *     privateKey: keyBytes,
+ *     certificate: certBytes
+ * })
+ * ```
+ */
+export class PdfAdbePkcsX509RsaSha1SignatureObject extends PdfSignatureObject {
+    /** Fixed algorithm for RSA-SHA1 signatures. */
+    static readonly ALGORITHM: AsymmetricEncryptionAlgorithmParams = {
+        type: 'RSASSA_PKCS1_v1_5',
+        params: {
+            hash: 'SHA-1',
+        },
+    }
+
+    /** Private key for signing. */
+    privateKey: ByteArray
+    /** Signer certificate. */
+    certificate: ByteArray
+    /** Additional certificates for chain building. */
+    additionalCertificates?: ByteArray[]
+    /** Issuer certificate for OCSP requests. */
+    issuerCertificate?: ByteArray
+    /** Revocation information or 'fetch' to retrieve automatically. */
+    revocationInfo?: RevocationInfo | 'fetch'
+
+    /**
+     * Creates a new X.509 RSA-SHA1 signature object.
+     *
+     * @param options - Signature configuration options.
+     */
+    constructor(
+        options: PdfSignatureSignOptions & {
+            privateKey: ByteArray
+            certificate: ByteArray
+            additionalCertificates?: ByteArray[]
+            issuerCertificate?: ByteArray
+            revocationInfo?: RevocationInfo | 'fetch'
+        },
+    ) {
+        super({
+            ...options,
+            subfilter: 'adbe.x509.rsa_sha1',
+            certs: [
+                options.certificate,
+                ...(options.additionalCertificates ?? []),
+            ],
+        })
+
+        this.privateKey = options.privateKey
+        this.revocationInfo = options.revocationInfo
+        this.certificate = options.certificate
+        this.issuerCertificate = options.issuerCertificate
+        this.additionalCertificates = options.additionalCertificates
+    }
+
+    /**
+     * Signs the document bytes using RSA-SHA1 format.
+     *
+     * @param options - Signing options with bytes.
+     * @returns The signature bytes and revocation information.
+     */
+    sign: PdfSignatureObject['sign'] = async (options) => {
+        const { bytes } = options
+        const revocationInfo =
+            this.revocationInfo === 'fetch'
+                ? await fetchRevocationInfo({
+                      certificates: [
+                          this.certificate,
+                          ...(this.additionalCertificates ?? []),
+                      ],
+                      issuerCertificate: this.issuerCertificate,
+                  })
+                : this.revocationInfo
+
+        const privateKeyInfo = PrivateKeyInfo.fromDer(this.privateKey)
+        const signatureAlgorithm = AlgorithmIdentifier.signatureAlgorithm(
+            PdfAdbePkcsX509RsaSha1SignatureObject.ALGORITHM,
+        )
+
+        const signatureBytes = await signatureAlgorithm.sign(
+            bytes,
+            privateKeyInfo,
+        )
+
+        return {
+            signedBytes: new OctetString({ bytes: signatureBytes }).toDer(),
+            revocationInfo,
+        }
+    }
+}

package/packages/pdf-lite/src/signing/signatures/base.ts

@@ -0,0 +1,229 @@
+import { stringToBytes } from '../../utils/stringToBytes'
+import { padBytes } from '../../utils/padBytes'
+import { PdfDictionary } from '../../core/objects/pdf-dictionary'
+import {
+    PdfSignatureDictionaryEntries,
+    PdfSignatureSubType,
+    RevocationInfo,
+} from '../types'
+import { bytesToHexBytes } from '../../utils/bytesToHexBytes'
+import { PdfArray } from '../../core/objects/pdf-array'
+import { PdfNumber } from '../../core/objects/pdf-number'
+import { PdfHexadecimal } from '../../core/objects/pdf-hexadecimal'
+import { PdfIndirectObject } from '../../core/objects/pdf-indirect-object'
+import { ByteArray } from '../../types'
+import { PdfName } from '../../core/objects/pdf-name'
+import { PdfString } from '../../core/objects/pdf-string'
+import { PdfDate } from '../../core/objects/pdf-date'
+
+const PLACEHOLDER_BYTES = stringToBytes('placeholder_signature_bytes')
+const PADDING = 8192 * 4
+const OFFSET_PADDING = 12
+const PLACEHOLDER_HEX_BYTES = padBytes(
+    bytesToHexBytes(PLACEHOLDER_BYTES),
+    PADDING,
+)
+
+/**
+ * PDF signature dictionary containing all signature-related entries.
+ * Manages the ByteRange and Contents fields with appropriate placeholder sizing.
+ */
+export class PdfSignatureDictionary extends PdfDictionary<PdfSignatureDictionaryEntries> {
+    /**
+     * Creates a new signature dictionary.
+     *
+     * @param entries - The signature dictionary entries, ByteRange and Contents are auto-populated if not provided.
+     */
+    constructor(
+        entries: Omit<
+            PdfSignatureDictionaryEntries,
+            'ByteRange' | 'Contents'
+        > & {
+            ByteRange?: PdfSignatureDictionaryEntries['ByteRange']
+            Contents?: PdfSignatureDictionaryEntries['Contents']
+        },
+    ) {
+        super({
+            ...entries,
+            ByteRange:
+                entries.ByteRange ??
+                new PdfArray([
+                    new PdfNumber({ value: 0, padTo: OFFSET_PADDING }),
+                    new PdfNumber({ value: 0, padTo: OFFSET_PADDING }),
+                    new PdfNumber({ value: 0, padTo: OFFSET_PADDING }),
+                    new PdfNumber({ value: 0, padTo: OFFSET_PADDING }),
+                ]),
+            Contents:
+                entries.Contents ?? new PdfHexadecimal(PLACEHOLDER_HEX_BYTES),
+        })
+    }
+}
+
+/**
+ * Options for signature metadata.
+ */
+export type PdfSignatureSignOptions = {
+    /** Signing date. */
+    date?: Date
+    /** Signer name. */
+    name?: string
+    /** Reason for signing. */
+    reason?: string
+    /** Contact information. */
+    contactInfo?: string
+    /** Signing location. */
+    location?: string
+}
+
+/**
+ * Abstract base class for PDF signature objects.
+ * Subclasses implement specific signature formats (PKCS#7, CAdES, etc.).
+ *
+ * @example
+ * ```typescript
+ * const signature = new PdfAdbePkcs7DetachedSignatureObject({
+ *     privateKey,
+ *     certificate,
+ *     reason: 'Approval'
+ * })
+ * document.add(signature)
+ * await document.commit()
+ * ```
+ */
+export abstract class PdfSignatureObject extends PdfIndirectObject<PdfSignatureDictionary> {
+    /**
+     * Creates a new signature object.
+     *
+     * @param content - Either a signature dictionary or options to create one.
+     */
+    constructor(
+        content:
+            | PdfSignatureDictionary
+            | (PdfSignatureSignOptions & {
+                  subfilter: PdfSignatureSubType
+                  certs?: ByteArray[]
+              }),
+    ) {
+        super(
+            content instanceof PdfSignatureDictionary
+                ? content
+                : new PdfSignatureDictionary({
+                      Type: new PdfName('Sig'),
+                      Filter: new PdfName('Adobe.PPKLite'),
+                      SubFilter: new PdfName(content.subfilter),
+                      Reason: content.reason
+                          ? new PdfString(content.reason)
+                          : undefined,
+                      ContactInfo: content.contactInfo
+                          ? new PdfString(content.contactInfo)
+                          : undefined,
+                      Location: content.location
+                          ? new PdfString(content.location)
+                          : undefined,
+                      M: content.date ? new PdfDate(content.date) : undefined,
+                      Name: content.name
+                          ? new PdfString(content.name)
+                          : undefined,
+                      Cert: content.certs
+                          ? new PdfArray(
+                                content.certs.map(
+                                    (cert) => new PdfHexadecimal(cert, 'bytes'),
+                                ),
+                            )
+                          : undefined,
+                  }),
+        )
+    }
+
+    /**
+     * Signs the document bytes and returns the signature.
+     *
+     * @param options - Signing options including bytes to sign.
+     * @returns The signed bytes and optional revocation information.
+     */
+    abstract sign(options: {
+        bytes: ByteArray
+        embedRevocationInfo?: boolean
+    }): Promise<{
+        signedBytes: ByteArray
+        revocationInfo?: RevocationInfo
+    }>
+
+    /**
+     * Gets the signature hexadecimal content.
+     *
+     * @returns The Contents entry as hexadecimal.
+     * @throws Error if Contents entry is missing.
+     */
+    get signedHexadecimal(): PdfHexadecimal {
+        const contents = this.content.get('Contents')
+        if (!contents) {
+            throw new Error('Signature dictionary is missing Contents entry')
+        }
+
+        return contents
+    }
+
+    /**
+     * Gets the raw signature bytes.
+     *
+     * @returns The signature bytes.
+     */
+    get signedBytes(): ByteArray {
+        return this.signedHexadecimal.bytes
+    }
+
+    /**
+     * Sets the signed bytes in the signature dictionary.
+     *
+     * @param signedBytes - The signature bytes to set.
+     * @throws Error if Contents entry is missing.
+     */
+    setSignedBytes(signedBytes: ByteArray): void {
+        const contents = this.content.get('Contents')
+        if (!contents) {
+            throw new Error('Signature dictionary is missing Contents entry')
+        }
+
+        const newHexadecimal = PdfHexadecimal.toHexadecimal(
+            padBytes(signedBytes, contents.bytes.length),
+        )
+
+        this.content.set('Contents', newHexadecimal)
+    }
+
+    /**
+     * Sets the byte range array for the signature.
+     *
+     * @param byteRange - Array of [offset1, length1, offset2, length2].
+     * @throws Error if ByteRange entry is missing.
+     */
+    setByteRange(byteRange: number[]): void {
+        const byteRangeEntry = this.content.get('ByteRange')
+        if (!byteRangeEntry) {
+            throw new Error('Signature dictionary is missing ByteRange entry')
+        }
+
+        this.content.set(
+            'ByteRange',
+            new PdfArray(
+                byteRange.map(
+                    (x) =>
+                        new PdfNumber({
+                            value: x,
+                            padTo: OFFSET_PADDING,
+                        }),
+                ),
+            ),
+        )
+    }
+
+    /**
+     * Gets the insertion order for this object in the PDF.
+     *
+     * @returns High order value to place signature near end of document.
+     */
+    order(): number {
+        return PdfIndirectObject.MAX_ORDER_INDEX - 10
+    }
+}

package/packages/pdf-lite/src/signing/signatures/etsi-cades-detached.ts

@@ -0,0 +1,229 @@
+import {
+    SignaturePolicyDocument,
+    RevocationInfo,
+    TimeStampAuthority,
+} from '../types'
+import { SignedData } from 'pki-lite/pkcs7/SignedData'
+import { Certificate } from 'pki-lite/x509/Certificate'
+import { SignerInfo } from 'pki-lite/pkcs7/SignerInfo'
+import { Attribute } from 'pki-lite/x509/Attribute'
+import { RevocationInfoArchival } from 'pki-lite/adobe/RevocationInfoArchival'
+import { CertificateList } from 'pki-lite/x509/CertificateList'
+import { OCSPResponse } from 'pki-lite/ocsp/OCSPResponse'
+import { PrivateKeyInfo } from 'pki-lite/keys/PrivateKeyInfo'
+import { OtherRevInfo } from 'pki-lite/adobe/OtherRevInfo'
+import { AsymmetricEncryptionAlgorithmParams } from 'pki-lite/core/index'
+import { PdfName } from '../../core/objects/pdf-name'
+import { fetchRevocationInfo } from '../utils'
+import { PdfString } from '../../core/objects/pdf-string'
+import { PdfDate } from '../../core/objects/pdf-date'
+import {
+    PdfSignatureDictionary,
+    PdfSignatureObject,
+    PdfSignatureSignOptions,
+} from './base'
+import { SigningCertificateV2 } from 'pki-lite/x509/attributes/SigningCertificateV2'
+import {
+    OtherHashAlgAndValue,
+    SignaturePolicyId,
+} from 'pki-lite/x509/attributes/SignaturePolicyIdentifier'
+import { DigestAlgorithmIdentifier } from 'pki-lite/algorithms/AlgorithmIdentifier'
+import { ByteArray } from '../../types'
+
+/**
+ * ETSI CAdES detached signature object (ETSI.CAdES.detached).
+ * Creates CAdES-compliant signatures with enhanced attributes.
+ *
+ * @example
+ * ```typescript
+ * const signature = new PdfEtsiCadesDetachedSignatureObject({
+ *     privateKey: keyBytes,
+ *     certificate: certBytes,
+ *     reason: 'Approval',
+ *     timeStampAuthority: true
+ * })
+ * ```
+ */
+export class PdfEtsiCadesDetachedSignatureObject extends PdfSignatureObject {
+    /** Private key for signing. */
+    privateKey: ByteArray
+    /** Signer certificate. */
+    certificate: ByteArray
+    /** Additional certificates for chain building. */
+    additionalCertificates: ByteArray[]
+    /** Issuer certificate for OCSP requests. */
+    issuerCertificate?: ByteArray
+    /** Signing date. */
+    date?: Date
+    /** Reason for signing. */
+    reason?: string
+    /** Signing location. */
+    location?: string
+    /** Signature algorithm parameters. */
+    algorithm?: AsymmetricEncryptionAlgorithmParams
+    /** Revocation information or 'fetch' to retrieve automatically. */
+    revocationInfo?: RevocationInfo | 'fetch'
+    /** Timestamp authority configuration. */
+    timeStampAuthority?: TimeStampAuthority
+    /** Signature policy document reference. */
+    policyDocument?: SignaturePolicyDocument
+
+    /**
+     * Creates a new CAdES detached signature object.
+     *
+     * @param options - Signature configuration options.
+     */
+    constructor(
+        options: PdfSignatureSignOptions & {
+            privateKey: ByteArray
+            certificate: ByteArray
+            issuerCertificate?: ByteArray
+            additionalCertificates?: ByteArray[]
+            algorithm?: AsymmetricEncryptionAlgorithmParams
+            revocationInfo?: RevocationInfo | 'fetch'
+            timeStampAuthority?: TimeStampAuthority | true
+            policyDocument?: SignaturePolicyDocument
+        },
+    ) {
+        super(
+            new PdfSignatureDictionary({
+                Type: new PdfName('Sig'),
+                Filter: new PdfName('Adobe.PPKLite'),
+                SubFilter: new PdfName('ETSI.CAdES.detached'),
+                ContactInfo: options.contactInfo
+                    ? new PdfString(options.contactInfo)
+                    : undefined,
+                M: options.date ? new PdfDate(options.date) : undefined,
+                Name: options.name ? new PdfString(options.name) : undefined,
+            }),
+        )
+
+        this.privateKey = options.privateKey
+        this.certificate = options.certificate
+        this.issuerCertificate = options.issuerCertificate
+        this.additionalCertificates = options.additionalCertificates || []
+        this.date = options.date
+        this.reason = options.reason
+        this.location = options.location
+        this.algorithm = options.algorithm
+        this.revocationInfo = options.revocationInfo
+        this.timeStampAuthority =
+            options.timeStampAuthority === true
+                ? {
+                      url: 'https://freetsa.org/tsr',
+                  }
+                : options.timeStampAuthority
+        this.policyDocument = options.policyDocument
+    }
+
+    /**
+     * Signs the document bytes using CAdES detached format.
+     *
+     * @param options - Signing options with bytes and revocation embedding flag.
+     * @returns The CMS SignedData and revocation information.
+     */
+    sign: PdfSignatureObject['sign'] = async (options) => {
+        const { bytes } = options
+
+        const certificate: Certificate = Certificate.fromDer(this.certificate)
+        const additionalCertificates: Certificate[] =
+            this.additionalCertificates.map(Certificate.fromDer)
+
+        const signedAttributes = new SignerInfo.SignedAttributes()
+        const unsignedAttributes = new SignerInfo.UnsignedAttributes()
+
+        signedAttributes.push(
+            Attribute.signingCertificateV2(
+                await SigningCertificateV2.fromCertificates({
+                    certificates: [certificate, ...additionalCertificates],
+                }),
+            ),
+        )
+
+        signedAttributes.push(Attribute.signingTime(this.date ?? new Date()))
+
+        if (this.reason) {
+            signedAttributes.push(
+                Attribute.commitmentTypeIndication(this.reason),
+            )
+        }
+
+        if (this.location) {
+            signedAttributes.push(
+                Attribute.signingLocation({
+                    localityName: this.location,
+                }),
+            )
+        }
+
+        if (this.policyDocument) {
+            signedAttributes.push(
+                Attribute.signaturePolicyIdentifier(
+                    new SignaturePolicyId({
+                        sigPolicyId: this.policyDocument.oid,
+                        sigPolicyHash: new OtherHashAlgAndValue({
+                            hashAlgorithm:
+                                DigestAlgorithmIdentifier.digestAlgorithm(
+                                    this.policyDocument.hashAlgorithm,
+                                ),
+                            hashValue: this.policyDocument.hash,
+                        }),
+                        sigPolicyQualifiers: [],
+                    }),
+                ),
+            )
+        }
+
+        const revocationInfo =
+            this.revocationInfo === 'fetch'
+                ? await fetchRevocationInfo({
+                      certificates: [
+                          this.certificate,
+                          ...(this.additionalCertificates ?? []),
+                      ],
+                      issuerCertificate: this.issuerCertificate,
+                  })
+                : this.revocationInfo
+
+        if (options.embedRevocationInfo && revocationInfo) {
+            signedAttributes.push(
+                Attribute.adobeRevocationInfoArchival(
+                    new RevocationInfoArchival({
+                        crls: revocationInfo.crls?.map((x) =>
+                            CertificateList.fromDer(x),
+                        ),
+                        ocsps: revocationInfo.ocsps?.map((x) =>
+                            OCSPResponse.fromDer(x),
+                        ),
+                        otherRevInfo: revocationInfo.otherRevInfo?.map(
+                            (x) =>
+                                new OtherRevInfo({
+                                    type: x.type,
+                                    value: x.value,
+                                }),
+                        ),
+                    }),
+                ),
+            )
+        }
+
+        const signedData = await SignedData.builder()
+            .addCertificate(...additionalCertificates)
+            .setData(bytes)
+            .setDetached(true)
+            .addSigner({
+                certificate,
+                privateKeyInfo: PrivateKeyInfo.fromDer(this.privateKey),
+                signedAttrs: signedAttributes,
+                unsignedAttrs: unsignedAttributes,
+                tsa: this.timeStampAuthority,
+                encryptionAlgorithm: this.algorithm,
+            })
+            .build()
+
+        return {
+            signedBytes: signedData.toCms().toDer(),
+            revocationInfo,
+        }
+    }
+}

package/packages/pdf-lite/src/signing/signatures/etsi-rfc3161.ts

@@ -0,0 +1,92 @@
+import { TimeStampAuthority } from '../types'
+import { PdfSignatureObject, PdfSignatureSignOptions } from './base'
+import { DigestAlgorithmIdentifier } from 'pki-lite/algorithms/AlgorithmIdentifier'
+import { TimeStampReq } from 'pki-lite/timestamp/TimeStampReq'
+import { MessageImprint } from 'pki-lite/timestamp/MessageImprint'
+import { SignedData } from 'pki-lite/pkcs7/SignedData'
+import { fetchRevocationInfo } from '../utils'
+
+/**
+ * RFC 3161 timestamp signature object (ETSI.RFC3161).
+ * Creates document timestamps using a Time Stamp Authority (TSA).
+ *
+ * @example
+ * ```typescript
+ * const timestamp = new PdfEtsiRfc3161SignatureObject({
+ *     timeStampAuthority: { url: 'http://timestamp.example.com' }
+ * })
+ * ```
+ */
+export class PdfEtsiRfc3161SignatureObject extends PdfSignatureObject {
+    /** Timestamp authority configuration. */
+    timeStampAuthority: TimeStampAuthority
+
+    /**
+     * Creates a new RFC 3161 timestamp signature object.
+     *
+     * @param options - Configuration including optional TSA settings.
+     */
+    constructor(
+        options: PdfSignatureSignOptions & {
+            timeStampAuthority?: TimeStampAuthority
+            name?: string
+            reason?: string
+            contactInfo?: string
+            location?: string
+        },
+    ) {
+        super({
+            ...options,
+            subfilter: 'ETSI.RFC3161',
+        })
+
+        this.timeStampAuthority = options.timeStampAuthority ?? {
+            url: 'https://freetsa.org/tsr',
+        }
+    }
+
+    /**
+     * Creates a timestamp for the document bytes.
+     *
+     * @param options - Signing options with bytes to timestamp.
+     * @returns The timestamp token and revocation information.
+     * @throws Error if no timestamp token is received.
+     */
+    sign: PdfSignatureObject['sign'] = async (options) => {
+        const { bytes } = options
+
+        const digestAlgorithm =
+            DigestAlgorithmIdentifier.digestAlgorithm('SHA-512')
+
+        const timestampResponse = await TimeStampReq.create({
+            messageImprint: new MessageImprint({
+                hashAlgorithm: digestAlgorithm,
+                hashedMessage: await digestAlgorithm.digest(bytes),
+            }),
+            certReq: true,
+        }).request({
+            url: this.timeStampAuthority.url,
+            username: this.timeStampAuthority.username,
+            password: this.timeStampAuthority.password,
+        })
+
+        if (!timestampResponse.timeStampToken) {
+            throw new Error(
+                'No timestamp token received. Response: ' +
+                    timestampResponse.status,
+            )
+        }
+
+        const signatureBytes = timestampResponse.timeStampToken.toDer()
+
+        const signerCerts = SignedData.fromCms(signatureBytes).certificates
+        const revocationInfo = await fetchRevocationInfo({
+            certificates: signerCerts?.map((c) => c.toDer()) ?? [],
+        })
+
+        return {
+            signedBytes: signatureBytes,
+            revocationInfo,
+        }
+    }
+}

package/packages/pdf-lite/src/signing/signatures/index.ts

@@ -0,0 +1,6 @@
+export * from './adbe-pkcs7-detached'
+export * from './adbe-pkcs7-sha1'
+export * from './adbe-x509-rsa-sha1'
+export * from './etsi-cades-detached'
+export * from './etsi-rfc3161'
+export * from './base'