pdf-lite 1.0.2 → 1.0.3

package/EXAMPLES.md

@@ -1510,3 +1510,357 @@ for (const obj of preservingDecoder) {
     console.log('Match:', simpleDict === reconstructed)
 }
 ```
+
+## PDF verify signatures example
+
+```typescript
+import { PdfArray } from 'pdf-lite/core/objects/pdf-array'
+import { PdfDictionary } from 'pdf-lite/core/objects/pdf-dictionary'
+import { PdfIndirectObject } from 'pdf-lite/core/objects/pdf-indirect-object'
+import { PdfName } from 'pdf-lite/core/objects/pdf-name'
+import { PdfNumber } from 'pdf-lite/core/objects/pdf-number'
+import { PdfObjectReference } from 'pdf-lite/core/objects/pdf-object-reference'
+import { PdfStream } from 'pdf-lite/core/objects/pdf-stream'
+import { PdfDocument } from 'pdf-lite/pdf/pdf-document'
+import { PdfString } from 'pdf-lite/core/objects/pdf-string'
+import {
+    PdfAdbePkcsX509RsaSha1SignatureObject,
+    PdfAdbePkcs7DetachedSignatureObject,
+    PdfAdbePkcs7Sha1SignatureObject,
+    PdfEtsiCadesDetachedSignatureObject,
+    PdfEtsiRfc3161SignatureObject,
+} from 'pdf-lite'
+import { rsaSigningKeys } from '../packages/pdf-lite/test/unit/fixtures/rsa-2048/index'
+
+function createPage(
+    contentStreamRef: PdfObjectReference,
+): PdfIndirectObject<PdfDictionary> {
+    const pageDict = new PdfDictionary()
+    pageDict.set('Type', new PdfName('Page'))
+    pageDict.set(
+        'MediaBox',
+        new PdfArray([
+            new PdfNumber(0),
+            new PdfNumber(0),
+            new PdfNumber(612),
+            new PdfNumber(792),
+        ]),
+    )
+    pageDict.set('Contents', contentStreamRef)
+    return new PdfIndirectObject({ content: pageDict })
+}
+
+function createPages(
+    pages: PdfIndirectObject<PdfDictionary>[],
+): PdfIndirectObject<PdfDictionary> {
+    const pagesDict = new PdfDictionary()
+    pagesDict.set('Type', new PdfName('Pages'))
+    pagesDict.set('Kids', new PdfArray(pages.map((x) => x.reference)))
+    pagesDict.set('Count', new PdfNumber(pages.length))
+    return new PdfIndirectObject({ content: pagesDict })
+}
+
+function createCatalog(
+    pagesRef: PdfObjectReference,
+): PdfIndirectObject<PdfDictionary> {
+    const catalogDict = new PdfDictionary()
+    catalogDict.set('Type', new PdfName('Catalog'))
+    catalogDict.set('Pages', pagesRef)
+    return new PdfIndirectObject({ content: catalogDict })
+}
+
+function createFont(): PdfIndirectObject<PdfDictionary> {
+    const fontDict = new PdfDictionary()
+    fontDict.set('Type', new PdfName('Font'))
+    fontDict.set('Subtype', new PdfName('Type1'))
+    fontDict.set('BaseFont', new PdfName('Helvetica'))
+    return new PdfIndirectObject({ content: fontDict })
+}
+
+function createResources(
+    fontRef: PdfObjectReference,
+): PdfIndirectObject<PdfDictionary> {
+    const resourcesDict = new PdfDictionary()
+    const fontDict = new PdfDictionary()
+    fontDict.set('F1', fontRef)
+    resourcesDict.set('Font', fontDict)
+    return new PdfIndirectObject({ content: resourcesDict })
+}
+
+function createPageWithSignatureField(
+    contentStreamRef: PdfObjectReference,
+    signatureAnnotRef: PdfObjectReference,
+): PdfIndirectObject<PdfDictionary> {
+    const pageDict = new PdfDictionary()
+    pageDict.set('Type', new PdfName('Page'))
+    pageDict.set(
+        'MediaBox',
+        new PdfArray([
+            new PdfNumber(0),
+            new PdfNumber(0),
+            new PdfNumber(612),
+            new PdfNumber(792),
+        ]),
+    )
+    pageDict.set('Contents', contentStreamRef)
+    pageDict.set('Annots', new PdfArray([signatureAnnotRef]))
+
+    return new PdfIndirectObject({ content: pageDict })
+}
+
+function createSignatureAnnotation(
+    signatureRef: PdfObjectReference,
+    appearanceStreamRef: PdfObjectReference,
+    pageRef: PdfObjectReference,
+    signatureName: string,
+): PdfIndirectObject<PdfDictionary> {
+    const signatureAnnotation = new PdfDictionary()
+    signatureAnnotation.set('Type', new PdfName('Annot'))
+    signatureAnnotation.set('Subtype', new PdfName('Widget'))
+    signatureAnnotation.set('FT', new PdfName('Sig'))
+    signatureAnnotation.set('T', new PdfString(signatureName))
+    signatureAnnotation.set(
+        'Rect',
+        new PdfArray([
+            new PdfNumber(135), // x1: Start after "Signature: " text (~72 + 63)
+            new PdfNumber(640), // y1: Bottom of signature area (652 - 12)
+            new PdfNumber(400), // x2: End of signature line
+            new PdfNumber(665), // y2: Top of signature area (652 + 13)
+        ]),
+    )
+    signatureAnnotation.set('F', new PdfNumber(4))
+    signatureAnnotation.set('P', pageRef) // Reference to parent page
+    signatureAnnotation.set('V', signatureRef)
+
+    // Add appearance dictionary
+    const appearanceDict = new PdfDictionary()
+    appearanceDict.set('N', appearanceStreamRef)
+    signatureAnnotation.set('AP', appearanceDict)
+
+    return new PdfIndirectObject({ content: signatureAnnotation })
+}
+
+function createSignatureAppearance(): PdfIndirectObject<PdfStream> {
+    // Create font for appearance
+    const appearanceFont = new PdfDictionary()
+    appearanceFont.set('Type', new PdfName('Font'))
+    appearanceFont.set('Subtype', new PdfName('Type1'))
+    appearanceFont.set('BaseFont', new PdfName('Helvetica'))
+
+    const fontDict = new PdfDictionary()
+    fontDict.set('F1', appearanceFont)
+
+    const resourcesDict = new PdfDictionary()
+    resourcesDict.set('Font', fontDict)
+
+    // Create appearance stream header
+    const appearanceHeader = new PdfDictionary()
+    appearanceHeader.set('Type', new PdfName('XObject'))
+    appearanceHeader.set('Subtype', new PdfName('Form'))
+    appearanceHeader.set(
+        'BBox',
+        new PdfArray([
+            new PdfNumber(0),
+            new PdfNumber(0),
+            new PdfNumber(265), // Width: 400 - 135
+            new PdfNumber(25), // Height: 665 - 640
+        ]),
+    )
+    appearanceHeader.set('Resources', resourcesDict)
+
+    // Create appearance stream for the signature
+    return new PdfIndirectObject({
+        content: new PdfStream({
+            header: appearanceHeader,
+            original:
+                'BT /F1 10 Tf 5 14 Td (Digitally signed by: Jake Shirley) Tj ET',
+        }),
+    })
+}
+
+// Create the document
+const document = new PdfDocument()
+
+// Create font
+const font = createFont()
+document.add(font)
+
+// Create resources with the font
+const resources = createResources(font.reference)
+document.add(resources)
+
+// Create content stream for first page
+const contentStream = new PdfIndirectObject({
+    content: new PdfStream({
+        header: new PdfDictionary(),
+        original: 'BT /F1 24 Tf 100 700 Td (Hello, PDF-Lite!) Tj ET',
+    }),
+})
+document.add(contentStream)
+
+// Create first page
+const page1 = createPage(contentStream.reference)
+page1.content.set('Resources', resources.reference)
+document.add(page1)
+
+// Array to hold all pages and signature objects
+const allPages: PdfIndirectObject<PdfDictionary>[] = [page1]
+const allSignatures: any[] = []
+const signatureFields: PdfObjectReference[] = []
+
+// Helper function to create a signature page
+function createSignaturePage(
+    signatureType: string,
+    signatureObj: any,
+    pageNumber: number,
+) {
+    const content = new PdfIndirectObject({
+        content: new PdfStream({
+            header: new PdfDictionary(),
+            original: `BT /F1 12 Tf 72 712 Td (Signature Type: ${signatureType}) Tj 0 -60 Td (Signature: ________________________________) Tj ET`,
+        }),
+    })
+    document.add(content)
+
+    const appearance = createSignatureAppearance()
+    document.add(appearance)
+
+    // Create page first to get its reference
+    const page = createPageWithSignatureField(
+        content.reference,
+        new PdfObjectReference(0, 0), // Temporary placeholder
+    )
+    page.content.set('Resources', resources.reference)
+    document.add(page)
+
+    // Now create annotation with page reference
+    const annotation = createSignatureAnnotation(
+        signatureObj.reference,
+        appearance.reference,
+        page.reference,
+        `Signature${pageNumber}`,
+    )
+    document.add(annotation)
+
+    // Update page's Annots array with actual annotation reference
+    page.content.set('Annots', new PdfArray([annotation.reference]))
+
+    signatureFields.push(annotation.reference)
+    return page
+}
+
+// Page 2: Adobe PKCS7 Detached
+const pkcs7DetachedSig = new PdfAdbePkcs7DetachedSignatureObject({
+    privateKey: rsaSigningKeys.privateKey,
+    certificate: rsaSigningKeys.cert,
+    issuerCertificate: rsaSigningKeys.caCert,
+    name: 'Jake Shirley',
+    location: 'Earth',
+    reason: 'PKCS7 Detached Signature',
+    contactInfo: 'test@test.com',
+    revocationInfo: {
+        crls: [rsaSigningKeys.caCrl],
+        ocsps: [rsaSigningKeys.ocspResponse],
+    },
+})
+allSignatures.push(pkcs7DetachedSig)
+allPages.push(createSignaturePage('Adobe PKCS7 Detached', pkcs7DetachedSig, 2))
+
+// Page 3: Adobe PKCS7 SHA1
+const pkcs7Sha1Sig = new PdfAdbePkcs7Sha1SignatureObject({
+    privateKey: rsaSigningKeys.privateKey,
+    certificate: rsaSigningKeys.cert,
+    issuerCertificate: rsaSigningKeys.caCert,
+    name: 'Jake Shirley',
+    location: 'Earth',
+    reason: 'PKCS7 SHA1 Signature',
+    contactInfo: 'test@test.com',
+})
+allSignatures.push(pkcs7Sha1Sig)
+allPages.push(createSignaturePage('Adobe PKCS7 SHA1', pkcs7Sha1Sig, 3))
+
+// Page 4: Adobe X509 RSA SHA1
+const x509RsaSha1Sig = new PdfAdbePkcsX509RsaSha1SignatureObject({
+    privateKey: rsaSigningKeys.privateKey,
+    certificate: rsaSigningKeys.cert,
+    additionalCertificates: [rsaSigningKeys.caCert],
+    name: 'Jake Shirley',
+    location: 'Earth',
+    reason: 'X509 RSA SHA1 Signature',
+    contactInfo: 'test@test.com',
+    revocationInfo: {
+        crls: [rsaSigningKeys.caCrl],
+        ocsps: [rsaSigningKeys.ocspResponse],
+    },
+})
+allSignatures.push(x509RsaSha1Sig)
+allPages.push(createSignaturePage('Adobe X509 RSA SHA1', x509RsaSha1Sig, 4))
+
+// Page 5: ETSI CAdES Detached
+const cadesDetachedSig = new PdfEtsiCadesDetachedSignatureObject({
+    privateKey: rsaSigningKeys.privateKey,
+    certificate: rsaSigningKeys.cert,
+    issuerCertificate: rsaSigningKeys.caCert,
+    name: 'Jake Shirley',
+    location: 'Earth',
+    reason: 'CAdES Detached Signature',
+    contactInfo: 'test@test.com',
+    revocationInfo: {
+        crls: [rsaSigningKeys.caCrl],
+        ocsps: [rsaSigningKeys.ocspResponse],
+    },
+})
+allSignatures.push(cadesDetachedSig)
+allPages.push(createSignaturePage('ETSI CAdES Detached', cadesDetachedSig, 5))
+
+// Page 6: ETSI RFC3161 (Timestamp)
+const rfc3161Sig = new PdfEtsiRfc3161SignatureObject({
+    timeStampAuthority: {
+        url: 'https://freetsa.org/tsr',
+    },
+})
+allSignatures.push(rfc3161Sig)
+allPages.push(createSignaturePage('ETSI RFC3161 Timestamp', rfc3161Sig, 6))
+
+// Create pages collection with all pages
+const pages = createPages(allPages)
+// Set parent reference for all pages
+allPages.forEach((page) => {
+    page.content.set('Parent', pages.reference)
+})
+document.add(pages)
+
+// Create catalog with AcroForm
+const catalog = createCatalog(pages.reference)
+
+// Add AcroForm to catalog with all signature fields
+const acroForm = new PdfDictionary()
+acroForm.set('Fields', new PdfArray(signatureFields))
+acroForm.set('SigFlags', new PdfNumber(3))
+const acroFormObj = new PdfIndirectObject({ content: acroForm })
+document.add(acroFormObj)
+catalog.content.set('AcroForm', acroFormObj.reference)
+
+document.add(catalog)
+
+// Set the catalog as the root
+document.trailerDict.set('Root', catalog.reference)
+
+// IMPORTANT: Add all signatures LAST - after all other objects
+// This ensures the ByteRange is calculated correctly for each signature
+allSignatures.forEach((sig) => {
+    document.startNewRevision()
+    document.add(sig)
+})
+
+await document.commit()
+
+const documentBytes = document.toBytes()
+const newDocument = await PdfDocument.fromBytes([documentBytes])
+
+const validationResult = await newDocument.verifySignatures()
+console.log(
+    'Signature validation result:',
+    JSON.stringify(validationResult, null, 2),
+)
+```

package/README.md

@@ -8,10 +8,6 @@ A low-level, minimal-dependency, type-safe PDF library that works in the browser
 
 PRs and issues are welcome!
 
-## License
-
-MIT License - see [LICENSE](LICENSE) for details.
-
 ## Features
 
 - **Zero dependencies**: No external libraries are required, making it lightweight and easy to integrate.
@@ -99,6 +95,7 @@ Long-Term Validation (LTV) support ensures that digital signatures remain valid
 **Other features:**
 
 - [x] Timestamping
+- [x] Verification of existing signatures
 
 ## Future Plans
 
@@ -283,3 +280,7 @@ import {
     PdfEtsiRfc3161SignatureObject,
 } from 'pdf-lite'
 ```
+
+## License
+
+MIT License - see [LICENSE](LICENSE) for details.

package/dist/core/tokens/number-token.js

@@ -13,13 +13,14 @@ export class PdfNumberToken extends PdfToken {
             options instanceof Ref ||
             options instanceof PdfNumberToken) {
             this.#value = PdfNumberToken.getValue(options);
-            this.padTo = padTo ?? 0;
-            this.decimalPlaces = decimalPlaces ?? 0;
+            this.padTo = padTo ?? PdfNumberToken.getPadding(options);
+            this.decimalPlaces =
+                decimalPlaces ?? PdfNumberToken.getDecimalPlaces(options);
             this.isByteToken = false;
             return;
         }
         this.#value = PdfNumberToken.getValue(options.value);
-        this.padTo = options.padTo ?? 0;
+        this.padTo = options.padTo ?? PdfNumberToken.getPadding(options.value);
         this.decimalPlaces =
             options.decimalPlaces ??
                 PdfNumberToken.getDecimalPlaces(options.value);
@@ -63,12 +64,16 @@ export class PdfNumberToken extends PdfToken {
         if (typeof bytes === 'number') {
             bytes = PdfNumberToken.toBytes(bytes);
         }
-        let padding = 0;
+        // Count leading zeros
+        let leadingZeros = 0;
+        const originalLength = bytes.length;
         while (bytes.length && bytes[0] === 0x30) {
             bytes = bytes.slice(1);
-            padding++;
+            leadingZeros++;
         }
-        return padding;
+        // If all characters were zeros (value is 0), padding should be total length
+        // Otherwise, padding should be total length (to maintain original formatting)
+        return originalLength;
     }
     static getDecimalPlaces(bytes) {
         if (bytes instanceof PdfNumberToken) {

package/dist/pdf/pdf-document.d.ts

@@ -11,7 +11,7 @@ import { PdfEncryptionDictionaryObject } from '../security/types';
 import { PdfTrailerEntries } from '../core/objects/pdf-trailer';
 import { PdfDocumentSecurityStoreObject } from '../signing/document-security-store';
 import { ByteArray } from '../types';
-import { PdfSigner } from '../signing/signer';
+import { PdfDocumentVerificationResult, PdfSigner } from '../signing/signer';
 /**
  * Represents a PDF document with support for reading, writing, and modifying PDF files.
  * Handles document structure, revisions, encryption, and digital signatures.
@@ -214,9 +214,9 @@ export declare class PdfDocument extends PdfObject {
      * Sets whether the document should use incremental updates.
      * When true, locks all existing revisions to preserve original content.
      *
-     * @param value - True to enable incremental mode, false to disable
+     * @param value - True to enable incremental mode, false to disable. Defaults to true.
      */
-    setIncremental(value: boolean): void;
+    setIncremental(value?: boolean): void;
     /**
      * Checks if the document is in incremental mode.
      *
@@ -274,4 +274,10 @@ export declare class PdfDocument extends PdfObject {
      */
     static fromBytes(input: AsyncIterable<ByteArray> | Iterable<ByteArray>): Promise<PdfDocument>;
     isModified(): boolean;
+    /**
+     * Verifies all digital signatures in the document.
+     *
+     * @returns A promise that resolves to the verification result
+     */
+    verifySignatures(): Promise<PdfDocumentVerificationResult>;
 }

package/dist/pdf/pdf-document.js

@@ -148,7 +148,11 @@ export class PdfDocument extends PdfObject {
         const revision = this.revisions.find((rev) => rev.xref.offset === lastStartXRef.offset.ref) ??
             this.revisions.find((rev) => rev.xref.offset.equals(lastStartXRef.offset.value));
         if (!revision) {
-            throw new Error('Cannot find revision for last StartXRef');
+            throw new Error('Cannot find revision for last StartXRef with offset ' +
+                `${lastStartXRef.offset.value}. Options are: ` +
+                this.revisions
+                    .map((rev) => rev.xref.offset.value)
+                    .join(', '));
         }
         return revision;
     }
@@ -497,9 +501,9 @@ export class PdfDocument extends PdfObject {
      * Sets whether the document should use incremental updates.
      * When true, locks all existing revisions to preserve original content.
      *
-     * @param value - True to enable incremental mode, false to disable
+     * @param value - True to enable incremental mode, false to disable. Defaults to true.
      */
-    setIncremental(value) {
+    setIncremental(value = true) {
         for (const revision of this.revisions) {
             revision.locked = value;
         }
@@ -685,4 +689,12 @@ export class PdfDocument extends PdfObject {
     isModified() {
         return (super.isModified() || this.revisions.some((rev) => rev.isModified()));
     }
+    /**
+     * Verifies all digital signatures in the document.
+     *
+     * @returns A promise that resolves to the verification result
+     */
+    async verifySignatures() {
+        return await this.signer.verify(this);
+    }
 }

package/dist/signing/index.d.ts

@@ -1,3 +1,4 @@
 export * from './signatures';
 export * from './document-security-store';
 export * from './types';
+export * from './signer';

package/dist/signing/index.js

@@ -1,3 +1,4 @@
 export * from './signatures';
 export * from './document-security-store';
 export * from './types';
+export * from './signer';

package/dist/signing/signatures/adbe-pkcs7-detached.d.ts

@@ -54,4 +54,11 @@ export declare class PdfAdbePkcs7DetachedSignatureObject extends PdfSignatureObj
      * @returns The CMS SignedData and revocation information.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/adbe-pkcs7-detached.js

@@ -114,4 +114,40 @@ export class PdfAdbePkcs7DetachedSignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes, certificateValidation } = options;
+        try {
+            const signedData = SignedData.fromCms(this.signedBytes);
+            const certValidationOptions = certificateValidation === true
+                ? {}
+                : certificateValidation || undefined;
+            const result = await signedData.verify({
+                data: bytes,
+                certificateValidation: certValidationOptions,
+            });
+            if (result.valid) {
+                return { valid: true };
+            }
+            else {
+                return {
+                    valid: false,
+                    reasons: result.reasons,
+                };
+            }
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }

package/dist/signing/signatures/adbe-pkcs7-sha1.d.ts

@@ -52,4 +52,11 @@ export declare class PdfAdbePkcs7Sha1SignatureObject extends PdfSignatureObject
      * @returns The CMS SignedData and revocation information.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/adbe-pkcs7-sha1.js

@@ -118,4 +118,58 @@ export class PdfAdbePkcs7Sha1SignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes, certificateValidation } = options;
+        try {
+            const signedData = SignedData.fromCms(this.signedBytes);
+            // For adbe.pkcs7.sha1, the signed content is the SHA-1 hash of the document
+            // We need to compute the SHA-1 hash of the data and compare with the embedded content
+            const expectedHash = await DigestAlgorithmIdentifier.digestAlgorithm('SHA-1').digest(bytes);
+            const certValidationOptions = certificateValidation === true
+                ? {}
+                : certificateValidation || undefined;
+            // Verify the signature with the hash as the data (non-detached mode)
+            const result = await signedData.verify({
+                certificateValidation: certValidationOptions,
+            });
+            if (!result.valid) {
+                return {
+                    valid: false,
+                    reasons: result.reasons,
+                };
+            }
+            // Additionally verify that the embedded hash matches the document hash
+            const embeddedContent = signedData.encapContentInfo.eContent;
+            if (!embeddedContent) {
+                return {
+                    valid: false,
+                    reasons: ['No embedded content in SignedData'],
+                };
+            }
+            // Compare the hashes
+            if (!this.compareArrays(embeddedContent, expectedHash)) {
+                return {
+                    valid: false,
+                    reasons: [
+                        'Document hash does not match embedded signature hash',
+                    ],
+                };
+            }
+            return { valid: true };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }

package/dist/signing/signatures/adbe-x509-rsa-sha1.d.ts

@@ -46,4 +46,11 @@ export declare class PdfAdbePkcsX509RsaSha1SignatureObject extends PdfSignatureO
      * @returns The signature bytes and revocation information.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/adbe-x509-rsa-sha1.js

@@ -2,7 +2,10 @@ import { PrivateKeyInfo } from 'pki-lite/keys/PrivateKeyInfo';
 import { PdfSignatureObject } from './base';
 import { OctetString } from 'pki-lite/asn1/OctetString';
 import { AlgorithmIdentifier } from 'pki-lite/algorithms/AlgorithmIdentifier';
+import { Certificate } from 'pki-lite/x509/Certificate';
 import { fetchRevocationInfo } from '../utils';
+import { PdfArray } from '../../core/objects/pdf-array';
+import { PdfHexadecimal } from '../../core/objects/pdf-hexadecimal';
 /**
  * X.509 RSA-SHA1 signature object (adbe.x509.rsa_sha1).
  * Creates a raw RSA-SHA1 signature with certificates in the Cert entry.
@@ -78,4 +81,78 @@ export class PdfAdbePkcsX509RsaSha1SignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes } = options;
+        try {
+            const certificates = [];
+            const Cert = this.content.get('Cert');
+            if (Cert instanceof PdfArray) {
+                for (const certObj of Cert.items) {
+                    const certBytes = certObj instanceof PdfHexadecimal
+                        ? certObj.bytes
+                        : certObj.raw;
+                    const certificate = Certificate.fromDer(certBytes);
+                    certificates.push(certificate);
+                }
+            }
+            else if (Cert instanceof PdfHexadecimal) {
+                const certificate = Certificate.fromDer(Cert.bytes);
+                certificates.push(certificate);
+            }
+            else if (Cert) {
+                const certificate = Certificate.fromDer(Cert.raw);
+                certificates.push(certificate);
+            }
+            else {
+                throw new Error('No Cert entry found in signature dictionary');
+            }
+            if (certificates.length === 0) {
+                return {
+                    valid: false,
+                    reasons: [
+                        'No certificates available for adbe.x509.rsa_sha1 verification',
+                    ],
+                };
+            }
+            // Parse the signature as an OctetString
+            const signatureOctetString = OctetString.fromDer(this.signedBytes);
+            const signatureValue = signatureOctetString.bytes;
+            const signatureAlgorithm = AlgorithmIdentifier.signatureAlgorithm(PdfAdbePkcsX509RsaSha1SignatureObject.ALGORITHM);
+            for (const cert of certificates) {
+                const isValid = await signatureAlgorithm.verify(bytes, signatureValue, cert.tbsCertificate.subjectPublicKeyInfo);
+                if (isValid) {
+                    if (options.certificateValidation === true) {
+                        await cert.validate({
+                            //TODO: implement default validation options
+                            checkSignature: true,
+                            validateChain: true,
+                            otherCertificates: certificates,
+                        });
+                    }
+                    else if (options.certificateValidation) {
+                        await cert.validate(options.certificateValidation);
+                    }
+                    return { valid: true };
+                }
+            }
+            return {
+                valid: false,
+                reasons: ['Signature verification failed for all certificates'],
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }

package/dist/signing/signatures/base.d.ts

@@ -1,5 +1,5 @@
 import { PdfDictionary } from '../../core/objects/pdf-dictionary';
-import { PdfSignatureDictionaryEntries, PdfSignatureSubType, RevocationInfo } from '../types';
+import { PdfSignatureDictionaryEntries, PdfSignatureSubType, PdfSignatureVerificationOptions, PdfSignatureVerificationResult, RevocationInfo } from '../types';
 import { PdfHexadecimal } from '../../core/objects/pdf-hexadecimal';
 import { PdfIndirectObject } from '../../core/objects/pdf-indirect-object';
 import { ByteArray } from '../../types';
@@ -71,6 +71,13 @@ export declare abstract class PdfSignatureObject extends PdfIndirectObject<PdfSi
         signedBytes: ByteArray;
         revocationInfo?: RevocationInfo;
     }>;
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    abstract verify(options: PdfSignatureVerificationOptions): Promise<PdfSignatureVerificationResult>;
     /**
      * Gets the signature hexadecimal content.
      *
@@ -104,4 +111,12 @@ export declare abstract class PdfSignatureObject extends PdfIndirectObject<PdfSi
      * @returns High order value to place signature near end of document.
      */
     order(): number;
+    /**
+     * Compares two byte arrays for equality.
+     *
+     * @param a - First byte array.
+     * @param b - Second byte array.
+     * @returns True if arrays are equal, false otherwise.
+     */
+    protected compareArrays(a: ByteArray, b: ByteArray): boolean;
 }

package/dist/signing/signatures/base.js

@@ -142,4 +142,22 @@ export class PdfSignatureObject extends PdfIndirectObject {
     order() {
         return PdfIndirectObject.MAX_ORDER_INDEX - 10;
     }
+    /**
+     * Compares two byte arrays for equality.
+     *
+     * @param a - First byte array.
+     * @param b - Second byte array.
+     * @returns True if arrays are equal, false otherwise.
+     */
+    compareArrays(a, b) {
+        if (a.length !== b.length) {
+            return false;
+        }
+        for (let i = 0; i < a.length; i++) {
+            if (a[i] !== b[i]) {
+                return false;
+            }
+        }
+        return true;
+    }
 }

package/dist/signing/signatures/etsi-cades-detached.d.ts

@@ -61,4 +61,11 @@ export declare class PdfEtsiCadesDetachedSignatureObject extends PdfSignatureObj
      * @returns The CMS SignedData and revocation information.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/etsi-cades-detached.js

@@ -156,4 +156,40 @@ export class PdfEtsiCadesDetachedSignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes, certificateValidation } = options;
+        try {
+            const signedData = SignedData.fromCms(this.signedBytes);
+            const certValidationOptions = certificateValidation === true
+                ? {}
+                : certificateValidation || undefined;
+            const result = await signedData.verify({
+                data: bytes,
+                certificateValidation: certValidationOptions,
+            });
+            if (result.valid) {
+                return { valid: true };
+            }
+            else {
+                return {
+                    valid: false,
+                    reasons: result.reasons,
+                };
+            }
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }

package/dist/signing/signatures/etsi-rfc3161.d.ts

@@ -34,4 +34,11 @@ export declare class PdfEtsiRfc3161SignatureObject extends PdfSignatureObject {
      * @throws Error if no timestamp token is received.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the timestamp signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/etsi-rfc3161.js

@@ -1,9 +1,12 @@
 import { PdfSignatureObject } from './base';
 import { DigestAlgorithmIdentifier } from 'pki-lite/algorithms/AlgorithmIdentifier';
 import { TimeStampReq } from 'pki-lite/timestamp/TimeStampReq';
+import { TSTInfo } from 'pki-lite/timestamp/TSTInfo';
 import { MessageImprint } from 'pki-lite/timestamp/MessageImprint';
 import { SignedData } from 'pki-lite/pkcs7/SignedData';
 import { fetchRevocationInfo } from '../utils';
+import { Certificate } from 'pki-lite/x509/Certificate';
+import { OIDs } from 'pki-lite/core/OIDs';
 /**
  * RFC 3161 timestamp signature object (ETSI.RFC3161).
  * Creates document timestamps using a Time Stamp Authority (TSA).
@@ -67,4 +70,103 @@ export class PdfEtsiRfc3161SignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the timestamp signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes, certificateValidation } = options;
+        const digestAlgorithm = DigestAlgorithmIdentifier.digestAlgorithm('SHA-512');
+        const expectedMessageImprint = new MessageImprint({
+            hashAlgorithm: digestAlgorithm,
+            hashedMessage: await digestAlgorithm.digest(bytes),
+        });
+        try {
+            const signedData = SignedData.fromCms(this.signedBytes);
+            // Extract TSTInfo from the signed data's encapsulated content
+            // The eContentType should be id-ct-TSTInfo (1.2.840.113549.1.9.16.1.4)
+            const encapContentInfo = signedData.encapContentInfo;
+            if (encapContentInfo.eContentType.toString() !== OIDs.PKCS7.TST_INFO) {
+                return {
+                    valid: false,
+                    reasons: [
+                        `Invalid content type: expected id-ct-TSTInfo (${OIDs.PKCS7.TST_INFO}), got ${encapContentInfo.eContentType.toString()}`,
+                    ],
+                };
+            }
+            if (!encapContentInfo.eContent) {
+                return {
+                    valid: false,
+                    reasons: ['No TSTInfo content found in timestamp token'],
+                };
+            }
+            // Parse the TSTInfo from the encapsulated content
+            const tstInfo = TSTInfo.fromDer(encapContentInfo.eContent);
+            // Verify that the messageImprint in TSTInfo matches what we computed
+            const tstMessageImprint = tstInfo.messageImprint;
+            if (tstMessageImprint.hashAlgorithm.algorithm.toString() !==
+                expectedMessageImprint.hashAlgorithm.algorithm.toString()) {
+                return {
+                    valid: false,
+                    reasons: [
+                        `Hash algorithm mismatch: TSTInfo uses ${tstMessageImprint.hashAlgorithm.algorithm.toString()}, expected ${expectedMessageImprint.hashAlgorithm.algorithm.toString()}`,
+                    ],
+                };
+            }
+            const tstHash = tstMessageImprint.hashedMessage;
+            const expectedHash = expectedMessageImprint.hashedMessage;
+            if (tstHash.length !== expectedHash.length) {
+                return {
+                    valid: false,
+                    reasons: [
+                        `Hash length mismatch: TSTInfo has ${tstHash.length} bytes, expected ${expectedHash.length} bytes`,
+                    ],
+                };
+            }
+            for (let i = 0; i < tstHash.length; i++) {
+                if (tstHash[i] !== expectedHash[i]) {
+                    return {
+                        valid: false,
+                        reasons: [
+                            'Message imprint mismatch: the timestamp does not match the document',
+                        ],
+                    };
+                }
+            }
+            // Verify the signature on the SignedData
+            const certValidationOptions = certificateValidation === true
+                ? {}
+                : certificateValidation || undefined;
+            if (options.certificateValidation) {
+                const certificates = signedData.certificates ?? [];
+                for (const cert of certificates) {
+                    if (!(cert instanceof Certificate)) {
+                        //TODO: support other cert types
+                        continue;
+                    }
+                    if (!(await cert.validate(certValidationOptions))) {
+                        return {
+                            valid: false,
+                            reasons: [
+                                'Certificate validation failed for timestamp signer',
+                            ],
+                        };
+                    }
+                }
+            }
+            return {
+                valid: true,
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }

package/dist/signing/signer.d.ts

@@ -1,4 +1,24 @@
 import { PdfDocument } from '../pdf/pdf-document';
+import { PdfSignatureObject } from './signatures';
+import { PdfSignatureVerificationResult, CertificateValidationOptions, PdfSignatureSubType } from './types';
+/**
+ * Result of verifying all signatures in a document.
+ */
+export type PdfDocumentVerificationResult = {
+    /** Whether all signatures in the document are valid. */
+    valid: boolean;
+    /** Individual signature verification results. */
+    signatures: {
+        /** The signature subfilter type. */
+        type: PdfSignatureSubType;
+        /** Index of the signature in the document. */
+        index: number;
+        /** The signature object. */
+        signature: PdfSignatureObject;
+        /** The verification result. */
+        result: PdfSignatureVerificationResult;
+    }[];
+};
 /**
  * Handles digital signing operations for PDF documents.
  * Processes signature objects and optionally stores revocation information in the DSS.
@@ -20,4 +40,39 @@ export declare class PdfSigner {
      * @returns The signed document.
      */
     sign(document: PdfDocument): Promise<PdfDocument>;
+    /**
+     * Instantiates the appropriate signature object based on SubFilter type.
+     *
+     * @param signatureDict - The signature dictionary.
+     * @returns A properly typed PdfSignatureObject subclass.
+     */
+    private instantiateSignatureObject;
+    /**
+     * Verifies all signatures in the document.
+     * First serializes the document to bytes and reloads it to ensure signatures
+     * are properly deserialized into the correct classes before verification.
+     * Then searches for signature objects, computes their byte ranges, and verifies each one.
+     *
+     * @param document - The PDF document to verify.
+     * @param options - Optional verification options.
+     * @returns The verification result for all signatures.
+     *
+     * @example
+     * ```typescript
+     * const signer = new PdfSigner()
+     * const result = await signer.verify(document)
+     * if (result.valid) {
+     *     console.log('All signatures are valid')
+     * } else {
+     *     result.signatures.forEach(sig => {
+     *         if (!sig.result.valid) {
+     *             console.log(`Signature ${sig.index} invalid:`, sig.result.reasons)
+     *         }
+     *     })
+     * }
+     * ```
+     */
+    verify(document: PdfDocument, options?: {
+        certificateValidation?: CertificateValidationOptions | boolean;
+    }): Promise<PdfDocumentVerificationResult>;
 }

package/dist/signing/signer.js

@@ -3,7 +3,11 @@ import { PdfHexadecimalToken } from '../core/tokens/hexadecimal-token';
 import { PdfNameToken } from '../core/tokens/name-token';
 import { concatUint8Arrays } from '../utils/concatUint8Arrays';
 import { PdfDocumentSecurityStoreObject } from './document-security-store';
-import { PdfSignatureObject } from './signatures';
+import { PdfSignatureObject, PdfAdbePkcs7DetachedSignatureObject, PdfAdbePkcs7Sha1SignatureObject, PdfAdbePkcsX509RsaSha1SignatureObject, PdfEtsiCadesDetachedSignatureObject, PdfEtsiRfc3161SignatureObject, PdfSignatureDictionary, } from './signatures';
+import { PdfNumber } from '../core/objects/pdf-number';
+import { PdfIndirectObject } from '../core/objects/pdf-indirect-object';
+import { PdfDictionary } from '../core/objects/pdf-dictionary';
+import { PdfArray } from '../core/objects/pdf-array';
 /**
  * Handles digital signing operations for PDF documents.
  * Processes signature objects and optionally stores revocation information in the DSS.
@@ -89,4 +93,195 @@ export class PdfSigner {
         }
         return document;
     }
+    /**
+     * Instantiates the appropriate signature object based on SubFilter type.
+     *
+     * @param signatureDict - The signature dictionary.
+     * @returns A properly typed PdfSignatureObject subclass.
+     */
+    instantiateSignatureObject(signatureDict) {
+        const content = signatureDict.content;
+        const subFilter = content.get('SubFilter').value;
+        // Create a PdfSignatureDictionary wrapper
+        const sigDict = new PdfSignatureDictionary({
+            Type: content.get('Type'),
+            Filter: content.get('Filter'),
+            SubFilter: content.get('SubFilter'),
+            Reason: content.get('Reason'),
+            M: content.get('M'),
+            Name: content.get('Name'),
+            Reference: content.get('Reference'),
+            ContactInfo: content.get('ContactInfo'),
+            Location: content.get('Location'),
+            Cert: content.get('Cert'),
+            ByteRange: content.get('ByteRange'),
+            Contents: content.get('Contents'),
+        });
+        // Instantiate the appropriate signature type based on SubFilter
+        let signatureObj;
+        switch (subFilter) {
+            case 'adbe.pkcs7.detached':
+                signatureObj = new PdfAdbePkcs7DetachedSignatureObject({
+                    privateKey: new Uint8Array(),
+                    certificate: new Uint8Array(),
+                });
+                break;
+            case 'adbe.pkcs7.sha1':
+                signatureObj = new PdfAdbePkcs7Sha1SignatureObject({
+                    privateKey: new Uint8Array(),
+                    certificate: new Uint8Array(),
+                });
+                break;
+            case 'adbe.x509.rsa_sha1':
+                signatureObj = new PdfAdbePkcsX509RsaSha1SignatureObject({
+                    privateKey: new Uint8Array(),
+                    certificate: new Uint8Array(),
+                });
+                break;
+            case 'ETSI.CAdES.detached':
+                signatureObj = new PdfEtsiCadesDetachedSignatureObject({
+                    privateKey: new Uint8Array(),
+                    certificate: new Uint8Array(),
+                });
+                break;
+            case 'ETSI.RFC3161':
+                signatureObj = new PdfEtsiRfc3161SignatureObject({
+                    timeStampAuthority: {
+                        url: '',
+                    },
+                });
+                break;
+            default:
+                throw new Error(`Unsupported signature SubFilter type: ${subFilter}`);
+        }
+        // Replace the content with the actual signature dictionary
+        signatureObj.content = sigDict;
+        signatureObj.objectNumber = signatureDict.objectNumber;
+        signatureObj.generationNumber = signatureDict.generationNumber;
+        return signatureObj;
+    }
+    /**
+     * Verifies all signatures in the document.
+     * First serializes the document to bytes and reloads it to ensure signatures
+     * are properly deserialized into the correct classes before verification.
+     * Then searches for signature objects, computes their byte ranges, and verifies each one.
+     *
+     * @param document - The PDF document to verify.
+     * @param options - Optional verification options.
+     * @returns The verification result for all signatures.
+     *
+     * @example
+     * ```typescript
+     * const signer = new PdfSigner()
+     * const result = await signer.verify(document)
+     * if (result.valid) {
+     *     console.log('All signatures are valid')
+     * } else {
+     *     result.signatures.forEach(sig => {
+     *         if (!sig.result.valid) {
+     *             console.log(`Signature ${sig.index} invalid:`, sig.result.reasons)
+     *         }
+     *     })
+     * }
+     * ```
+     */
+    async verify(document, options) {
+        const documentBytes = document.toBytes();
+        const results = [];
+        let allValid = true;
+        const documentObjects = document.objects;
+        for (let i = 0; i < documentObjects.length; i++) {
+            const obj = documentObjects[i];
+            if (!(obj instanceof PdfIndirectObject)) {
+                continue;
+            }
+            if (!(obj.content instanceof PdfDictionary)) {
+                continue;
+            }
+            // Check if this is a signature dictionary by looking for Type = /Sig or SubFilter
+            const typeEntry = obj.content.get('Type');
+            const subFilterEntry = obj.content.get('SubFilter');
+            // A signature can be identified by Type=/Sig or by having a SubFilter entry
+            const isSignature = (typeEntry && typeEntry.toString() === '/Sig') ||
+                (subFilterEntry &&
+                    subFilterEntry.toString().startsWith('/adbe.')) ||
+                subFilterEntry?.toString().startsWith('/ETSI.');
+            if (!isSignature) {
+                continue;
+            }
+            const signatureDict = obj;
+            const subFilter = signatureDict.content.get('SubFilter').value;
+            // Instantiate the correct signature type
+            const signature = this.instantiateSignatureObject(signatureDict);
+            // Get the ByteRange from the signature dictionary
+            const byteRangeEntry = signatureDict.content.get('ByteRange');
+            if (!byteRangeEntry) {
+                results.push({
+                    type: subFilter,
+                    index: i,
+                    signature,
+                    result: {
+                        valid: false,
+                        reasons: ['Signature is missing ByteRange entry'],
+                    },
+                });
+                allValid = false;
+                continue;
+            }
+            // Extract the byte range values
+            const byteRangeArray = byteRangeEntry.as(PdfArray);
+            if (!byteRangeArray) {
+                results.push({
+                    type: subFilter,
+                    index: i,
+                    signature,
+                    result: {
+                        valid: false,
+                        reasons: ['ByteRange is not an array'],
+                    },
+                });
+                allValid = false;
+                continue;
+            }
+            const byteRange = byteRangeArray.items.map((item) => {
+                if (item instanceof PdfNumber) {
+                    return item.value;
+                }
+                return 0;
+            });
+            if (byteRange.length !== 4) {
+                results.push({
+                    type: subFilter,
+                    index: i,
+                    signature,
+                    result: {
+                        valid: false,
+                        reasons: ['Invalid ByteRange format'],
+                    },
+                });
+                allValid = false;
+                continue;
+            }
+            // Compute the bytes that were signed (excluding the signature contents)
+            const signedBytes = concatUint8Arrays(documentBytes.slice(byteRange[0], byteRange[0] + byteRange[1]), documentBytes.slice(byteRange[2], byteRange[2] + byteRange[3]));
+            // Verify the signature
+            const result = await signature.verify({
+                bytes: signedBytes,
+                certificateValidation: options?.certificateValidation,
+            });
+            results.push({
+                type: subFilter,
+                index: i,
+                signature,
+                result,
+            });
+            if (!result.valid) {
+                allValid = false;
+            }
+        }
+        return {
+            valid: allValid,
+            signatures: results,
+        };
+    }
 }

package/dist/signing/types.d.ts

@@ -1,4 +1,5 @@
 import { HashAlgorithm } from 'pki-lite/core/crypto/index.js';
+import type { CertificateValidationOptions, CertificateValidationResult, TrustAnchor } from 'pki-lite/core/CertificateValidator.js';
 import { PdfDictionary } from '../core/objects/pdf-dictionary';
 import { PdfName } from '../core/objects/pdf-name';
 import { PdfHexadecimal } from '../core/objects/pdf-hexadecimal';
@@ -6,6 +7,7 @@ import { PdfArray } from '../core/objects/pdf-array';
 import { PdfNumber } from '../core/objects/pdf-number';
 import { PdfString } from '../core/objects/pdf-string';
 import { ByteArray } from '../types';
+export type { CertificateValidationOptions, CertificateValidationResult, TrustAnchor, };
 /**
  * PDF signature subfilter types defining the signature format.
  * - 'adbe.pkcs7.detached': PKCS#7 detached signature
@@ -76,3 +78,27 @@ export type SignaturePolicyDocument = {
     /** Hash algorithm used for the policy document. */
     hashAlgorithm: HashAlgorithm;
 };
+/**
+ * Result of a PDF signature verification operation.
+ */
+export type PdfSignatureVerificationResult = {
+    /** Whether the signature is valid. */
+    valid: boolean;
+    /** Reasons for verification failure, if any. */
+    reasons?: string[];
+    /** Certificate validation result, if certificate validation was performed. */
+    certificateValidationResult?: CertificateValidationResult;
+};
+/**
+ * Options for PDF signature verification.
+ */
+export type PdfSignatureVerificationOptions = {
+    /** The original document bytes that were signed. */
+    bytes: ByteArray;
+    /**
+     * Certificate validation options.
+     * Pass `true` to use default certificate validation, or provide custom options.
+     * Pass `undefined` or `false` to skip certificate validation.
+     */
+    certificateValidation?: CertificateValidationOptions | boolean;
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pdf-lite",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "main": "dist/index.js",
   "type": "module",
   "exports": {
@@ -54,8 +54,8 @@
   ],
   "dependencies": {
     "pako": "2.1.0",
-    "pki-lite": "^1.0.10",
-    "pki-lite-crypto-extended": "^1.0.10"
+    "pki-lite": "^1.0.12",
+    "pki-lite-crypto-extended": "^1.0.12"
   },
   "scripts": {
     "test:acceptance": "vitest run test/acceptance",