pdf-lite 1.0.1 → 1.0.3

package/README.md

@@ -8,10 +8,6 @@ A low-level, minimal-dependency, type-safe PDF library that works in the browser
 
 PRs and issues are welcome!
 
-## License
-
-MIT License - see [LICENSE](LICENSE) for details.
-
 ## Features
 
 - **Zero dependencies**: No external libraries are required, making it lightweight and easy to integrate.
@@ -99,6 +95,7 @@ Long-Term Validation (LTV) support ensures that digital signatures remain valid
 **Other features:**
 
 - [x] Timestamping
+- [x] Verification of existing signatures
 
 ## Future Plans
 
@@ -283,3 +280,7 @@ import {
     PdfEtsiRfc3161SignatureObject,
 } from 'pdf-lite'
 ```
+
+## License
+
+MIT License - see [LICENSE](LICENSE) for details.

package/dist/core/tokens/number-token.js

@@ -13,13 +13,14 @@ export class PdfNumberToken extends PdfToken {
             options instanceof Ref ||
             options instanceof PdfNumberToken) {
             this.#value = PdfNumberToken.getValue(options);
-            this.padTo = padTo ?? 0;
-            this.decimalPlaces = decimalPlaces ?? 0;
+            this.padTo = padTo ?? PdfNumberToken.getPadding(options);
+            this.decimalPlaces =
+                decimalPlaces ?? PdfNumberToken.getDecimalPlaces(options);
             this.isByteToken = false;
             return;
         }
         this.#value = PdfNumberToken.getValue(options.value);
-        this.padTo = options.padTo ?? 0;
+        this.padTo = options.padTo ?? PdfNumberToken.getPadding(options.value);
         this.decimalPlaces =
             options.decimalPlaces ??
                 PdfNumberToken.getDecimalPlaces(options.value);
@@ -63,12 +64,16 @@ export class PdfNumberToken extends PdfToken {
         if (typeof bytes === 'number') {
             bytes = PdfNumberToken.toBytes(bytes);
         }
-        let padding = 0;
+        // Count leading zeros
+        let leadingZeros = 0;
+        const originalLength = bytes.length;
         while (bytes.length && bytes[0] === 0x30) {
             bytes = bytes.slice(1);
-            padding++;
+            leadingZeros++;
         }
-        return padding;
+        // If all characters were zeros (value is 0), padding should be total length
+        // Otherwise, padding should be total length (to maintain original formatting)
+        return originalLength;
     }
     static getDecimalPlaces(bytes) {
         if (bytes instanceof PdfNumberToken) {

package/dist/pdf/pdf-document.d.ts

@@ -11,7 +11,7 @@ import { PdfEncryptionDictionaryObject } from '../security/types';
 import { PdfTrailerEntries } from '../core/objects/pdf-trailer';
 import { PdfDocumentSecurityStoreObject } from '../signing/document-security-store';
 import { ByteArray } from '../types';
-import { PdfSigner } from '../signing/signer';
+import { PdfDocumentVerificationResult, PdfSigner } from '../signing/signer';
 /**
  * Represents a PDF document with support for reading, writing, and modifying PDF files.
  * Handles document structure, revisions, encryption, and digital signatures.
@@ -214,9 +214,9 @@ export declare class PdfDocument extends PdfObject {
      * Sets whether the document should use incremental updates.
      * When true, locks all existing revisions to preserve original content.
      *
-     * @param value - True to enable incremental mode, false to disable
+     * @param value - True to enable incremental mode, false to disable. Defaults to true.
      */
-    setIncremental(value: boolean): void;
+    setIncremental(value?: boolean): void;
     /**
      * Checks if the document is in incremental mode.
      *
@@ -274,4 +274,10 @@ export declare class PdfDocument extends PdfObject {
      */
     static fromBytes(input: AsyncIterable<ByteArray> | Iterable<ByteArray>): Promise<PdfDocument>;
     isModified(): boolean;
+    /**
+     * Verifies all digital signatures in the document.
+     *
+     * @returns A promise that resolves to the verification result
+     */
+    verifySignatures(): Promise<PdfDocumentVerificationResult>;
 }

package/dist/pdf/pdf-document.js

@@ -148,7 +148,11 @@ export class PdfDocument extends PdfObject {
         const revision = this.revisions.find((rev) => rev.xref.offset === lastStartXRef.offset.ref) ??
             this.revisions.find((rev) => rev.xref.offset.equals(lastStartXRef.offset.value));
         if (!revision) {
-            throw new Error('Cannot find revision for last StartXRef');
+            throw new Error('Cannot find revision for last StartXRef with offset ' +
+                `${lastStartXRef.offset.value}. Options are: ` +
+                this.revisions
+                    .map((rev) => rev.xref.offset.value)
+                    .join(', '));
         }
         return revision;
     }
@@ -497,9 +501,9 @@ export class PdfDocument extends PdfObject {
      * Sets whether the document should use incremental updates.
      * When true, locks all existing revisions to preserve original content.
      *
-     * @param value - True to enable incremental mode, false to disable
+     * @param value - True to enable incremental mode, false to disable. Defaults to true.
      */
-    setIncremental(value) {
+    setIncremental(value = true) {
         for (const revision of this.revisions) {
             revision.locked = value;
         }
@@ -685,4 +689,12 @@ export class PdfDocument extends PdfObject {
     isModified() {
         return (super.isModified() || this.revisions.some((rev) => rev.isModified()));
     }
+    /**
+     * Verifies all digital signatures in the document.
+     *
+     * @returns A promise that resolves to the verification result
+     */
+    async verifySignatures() {
+        return await this.signer.verify(this);
+    }
 }

package/dist/signing/index.d.ts

@@ -1,3 +1,4 @@
 export * from './signatures';
 export * from './document-security-store';
 export * from './types';
+export * from './signer';

package/dist/signing/index.js

@@ -1,3 +1,4 @@
 export * from './signatures';
 export * from './document-security-store';
 export * from './types';
+export * from './signer';

package/dist/signing/signatures/adbe-pkcs7-detached.d.ts

@@ -54,4 +54,11 @@ export declare class PdfAdbePkcs7DetachedSignatureObject extends PdfSignatureObj
      * @returns The CMS SignedData and revocation information.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/adbe-pkcs7-detached.js

@@ -114,4 +114,40 @@ export class PdfAdbePkcs7DetachedSignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes, certificateValidation } = options;
+        try {
+            const signedData = SignedData.fromCms(this.signedBytes);
+            const certValidationOptions = certificateValidation === true
+                ? {}
+                : certificateValidation || undefined;
+            const result = await signedData.verify({
+                data: bytes,
+                certificateValidation: certValidationOptions,
+            });
+            if (result.valid) {
+                return { valid: true };
+            }
+            else {
+                return {
+                    valid: false,
+                    reasons: result.reasons,
+                };
+            }
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }

package/dist/signing/signatures/adbe-pkcs7-sha1.d.ts

@@ -52,4 +52,11 @@ export declare class PdfAdbePkcs7Sha1SignatureObject extends PdfSignatureObject
      * @returns The CMS SignedData and revocation information.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/adbe-pkcs7-sha1.js

@@ -118,4 +118,58 @@ export class PdfAdbePkcs7Sha1SignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes, certificateValidation } = options;
+        try {
+            const signedData = SignedData.fromCms(this.signedBytes);
+            // For adbe.pkcs7.sha1, the signed content is the SHA-1 hash of the document
+            // We need to compute the SHA-1 hash of the data and compare with the embedded content
+            const expectedHash = await DigestAlgorithmIdentifier.digestAlgorithm('SHA-1').digest(bytes);
+            const certValidationOptions = certificateValidation === true
+                ? {}
+                : certificateValidation || undefined;
+            // Verify the signature with the hash as the data (non-detached mode)
+            const result = await signedData.verify({
+                certificateValidation: certValidationOptions,
+            });
+            if (!result.valid) {
+                return {
+                    valid: false,
+                    reasons: result.reasons,
+                };
+            }
+            // Additionally verify that the embedded hash matches the document hash
+            const embeddedContent = signedData.encapContentInfo.eContent;
+            if (!embeddedContent) {
+                return {
+                    valid: false,
+                    reasons: ['No embedded content in SignedData'],
+                };
+            }
+            // Compare the hashes
+            if (!this.compareArrays(embeddedContent, expectedHash)) {
+                return {
+                    valid: false,
+                    reasons: [
+                        'Document hash does not match embedded signature hash',
+                    ],
+                };
+            }
+            return { valid: true };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }

package/dist/signing/signatures/adbe-x509-rsa-sha1.d.ts

@@ -46,4 +46,11 @@ export declare class PdfAdbePkcsX509RsaSha1SignatureObject extends PdfSignatureO
      * @returns The signature bytes and revocation information.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/adbe-x509-rsa-sha1.js

@@ -2,7 +2,10 @@ import { PrivateKeyInfo } from 'pki-lite/keys/PrivateKeyInfo';
 import { PdfSignatureObject } from './base';
 import { OctetString } from 'pki-lite/asn1/OctetString';
 import { AlgorithmIdentifier } from 'pki-lite/algorithms/AlgorithmIdentifier';
+import { Certificate } from 'pki-lite/x509/Certificate';
 import { fetchRevocationInfo } from '../utils';
+import { PdfArray } from '../../core/objects/pdf-array';
+import { PdfHexadecimal } from '../../core/objects/pdf-hexadecimal';
 /**
  * X.509 RSA-SHA1 signature object (adbe.x509.rsa_sha1).
  * Creates a raw RSA-SHA1 signature with certificates in the Cert entry.
@@ -78,4 +81,78 @@ export class PdfAdbePkcsX509RsaSha1SignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes } = options;
+        try {
+            const certificates = [];
+            const Cert = this.content.get('Cert');
+            if (Cert instanceof PdfArray) {
+                for (const certObj of Cert.items) {
+                    const certBytes = certObj instanceof PdfHexadecimal
+                        ? certObj.bytes
+                        : certObj.raw;
+                    const certificate = Certificate.fromDer(certBytes);
+                    certificates.push(certificate);
+                }
+            }
+            else if (Cert instanceof PdfHexadecimal) {
+                const certificate = Certificate.fromDer(Cert.bytes);
+                certificates.push(certificate);
+            }
+            else if (Cert) {
+                const certificate = Certificate.fromDer(Cert.raw);
+                certificates.push(certificate);
+            }
+            else {
+                throw new Error('No Cert entry found in signature dictionary');
+            }
+            if (certificates.length === 0) {
+                return {
+                    valid: false,
+                    reasons: [
+                        'No certificates available for adbe.x509.rsa_sha1 verification',
+                    ],
+                };
+            }
+            // Parse the signature as an OctetString
+            const signatureOctetString = OctetString.fromDer(this.signedBytes);
+            const signatureValue = signatureOctetString.bytes;
+            const signatureAlgorithm = AlgorithmIdentifier.signatureAlgorithm(PdfAdbePkcsX509RsaSha1SignatureObject.ALGORITHM);
+            for (const cert of certificates) {
+                const isValid = await signatureAlgorithm.verify(bytes, signatureValue, cert.tbsCertificate.subjectPublicKeyInfo);
+                if (isValid) {
+                    if (options.certificateValidation === true) {
+                        await cert.validate({
+                            //TODO: implement default validation options
+                            checkSignature: true,
+                            validateChain: true,
+                            otherCertificates: certificates,
+                        });
+                    }
+                    else if (options.certificateValidation) {
+                        await cert.validate(options.certificateValidation);
+                    }
+                    return { valid: true };
+                }
+            }
+            return {
+                valid: false,
+                reasons: ['Signature verification failed for all certificates'],
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }

package/dist/signing/signatures/base.d.ts

@@ -1,5 +1,5 @@
 import { PdfDictionary } from '../../core/objects/pdf-dictionary';
-import { PdfSignatureDictionaryEntries, PdfSignatureSubType, RevocationInfo } from '../types';
+import { PdfSignatureDictionaryEntries, PdfSignatureSubType, PdfSignatureVerificationOptions, PdfSignatureVerificationResult, RevocationInfo } from '../types';
 import { PdfHexadecimal } from '../../core/objects/pdf-hexadecimal';
 import { PdfIndirectObject } from '../../core/objects/pdf-indirect-object';
 import { ByteArray } from '../../types';
@@ -71,6 +71,13 @@ export declare abstract class PdfSignatureObject extends PdfIndirectObject<PdfSi
         signedBytes: ByteArray;
         revocationInfo?: RevocationInfo;
     }>;
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    abstract verify(options: PdfSignatureVerificationOptions): Promise<PdfSignatureVerificationResult>;
     /**
      * Gets the signature hexadecimal content.
      *
@@ -104,4 +111,12 @@ export declare abstract class PdfSignatureObject extends PdfIndirectObject<PdfSi
      * @returns High order value to place signature near end of document.
      */
     order(): number;
+    /**
+     * Compares two byte arrays for equality.
+     *
+     * @param a - First byte array.
+     * @param b - Second byte array.
+     * @returns True if arrays are equal, false otherwise.
+     */
+    protected compareArrays(a: ByteArray, b: ByteArray): boolean;
 }

package/dist/signing/signatures/base.js

@@ -142,4 +142,22 @@ export class PdfSignatureObject extends PdfIndirectObject {
     order() {
         return PdfIndirectObject.MAX_ORDER_INDEX - 10;
     }
+    /**
+     * Compares two byte arrays for equality.
+     *
+     * @param a - First byte array.
+     * @param b - Second byte array.
+     * @returns True if arrays are equal, false otherwise.
+     */
+    compareArrays(a, b) {
+        if (a.length !== b.length) {
+            return false;
+        }
+        for (let i = 0; i < a.length; i++) {
+            if (a[i] !== b[i]) {
+                return false;
+            }
+        }
+        return true;
+    }
 }

package/dist/signing/signatures/etsi-cades-detached.d.ts

@@ -61,4 +61,11 @@ export declare class PdfEtsiCadesDetachedSignatureObject extends PdfSignatureObj
      * @returns The CMS SignedData and revocation information.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/etsi-cades-detached.js

@@ -156,4 +156,40 @@ export class PdfEtsiCadesDetachedSignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes, certificateValidation } = options;
+        try {
+            const signedData = SignedData.fromCms(this.signedBytes);
+            const certValidationOptions = certificateValidation === true
+                ? {}
+                : certificateValidation || undefined;
+            const result = await signedData.verify({
+                data: bytes,
+                certificateValidation: certValidationOptions,
+            });
+            if (result.valid) {
+                return { valid: true };
+            }
+            else {
+                return {
+                    valid: false,
+                    reasons: result.reasons,
+                };
+            }
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }

package/dist/signing/signatures/etsi-rfc3161.d.ts

@@ -34,4 +34,11 @@ export declare class PdfEtsiRfc3161SignatureObject extends PdfSignatureObject {
      * @throws Error if no timestamp token is received.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the timestamp signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/etsi-rfc3161.js

@@ -1,9 +1,12 @@
 import { PdfSignatureObject } from './base';
 import { DigestAlgorithmIdentifier } from 'pki-lite/algorithms/AlgorithmIdentifier';
 import { TimeStampReq } from 'pki-lite/timestamp/TimeStampReq';
+import { TSTInfo } from 'pki-lite/timestamp/TSTInfo';
 import { MessageImprint } from 'pki-lite/timestamp/MessageImprint';
 import { SignedData } from 'pki-lite/pkcs7/SignedData';
 import { fetchRevocationInfo } from '../utils';
+import { Certificate } from 'pki-lite/x509/Certificate';
+import { OIDs } from 'pki-lite/core/OIDs';
 /**
  * RFC 3161 timestamp signature object (ETSI.RFC3161).
  * Creates document timestamps using a Time Stamp Authority (TSA).
@@ -67,4 +70,103 @@ export class PdfEtsiRfc3161SignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the timestamp signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes, certificateValidation } = options;
+        const digestAlgorithm = DigestAlgorithmIdentifier.digestAlgorithm('SHA-512');
+        const expectedMessageImprint = new MessageImprint({
+            hashAlgorithm: digestAlgorithm,
+            hashedMessage: await digestAlgorithm.digest(bytes),
+        });
+        try {
+            const signedData = SignedData.fromCms(this.signedBytes);
+            // Extract TSTInfo from the signed data's encapsulated content
+            // The eContentType should be id-ct-TSTInfo (1.2.840.113549.1.9.16.1.4)
+            const encapContentInfo = signedData.encapContentInfo;
+            if (encapContentInfo.eContentType.toString() !== OIDs.PKCS7.TST_INFO) {
+                return {
+                    valid: false,
+                    reasons: [
+                        `Invalid content type: expected id-ct-TSTInfo (${OIDs.PKCS7.TST_INFO}), got ${encapContentInfo.eContentType.toString()}`,
+                    ],
+                };
+            }
+            if (!encapContentInfo.eContent) {
+                return {
+                    valid: false,
+                    reasons: ['No TSTInfo content found in timestamp token'],
+                };
+            }
+            // Parse the TSTInfo from the encapsulated content
+            const tstInfo = TSTInfo.fromDer(encapContentInfo.eContent);
+            // Verify that the messageImprint in TSTInfo matches what we computed
+            const tstMessageImprint = tstInfo.messageImprint;
+            if (tstMessageImprint.hashAlgorithm.algorithm.toString() !==
+                expectedMessageImprint.hashAlgorithm.algorithm.toString()) {
+                return {
+                    valid: false,
+                    reasons: [
+                        `Hash algorithm mismatch: TSTInfo uses ${tstMessageImprint.hashAlgorithm.algorithm.toString()}, expected ${expectedMessageImprint.hashAlgorithm.algorithm.toString()}`,
+                    ],
+                };
+            }
+            const tstHash = tstMessageImprint.hashedMessage;
+            const expectedHash = expectedMessageImprint.hashedMessage;
+            if (tstHash.length !== expectedHash.length) {
+                return {
+                    valid: false,
+                    reasons: [
+                        `Hash length mismatch: TSTInfo has ${tstHash.length} bytes, expected ${expectedHash.length} bytes`,
+                    ],
+                };
+            }
+            for (let i = 0; i < tstHash.length; i++) {
+                if (tstHash[i] !== expectedHash[i]) {
+                    return {
+                        valid: false,
+                        reasons: [
+                            'Message imprint mismatch: the timestamp does not match the document',
+                        ],
+                    };
+                }
+            }
+            // Verify the signature on the SignedData
+            const certValidationOptions = certificateValidation === true
+                ? {}
+                : certificateValidation || undefined;
+            if (options.certificateValidation) {
+                const certificates = signedData.certificates ?? [];
+                for (const cert of certificates) {
+                    if (!(cert instanceof Certificate)) {
+                        //TODO: support other cert types
+                        continue;
+                    }
+                    if (!(await cert.validate(certValidationOptions))) {
+                        return {
+                            valid: false,
+                            reasons: [
+                                'Certificate validation failed for timestamp signer',
+                            ],
+                        };
+                    }
+                }
+            }
+            return {
+                valid: true,
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }