pdf-lite 1.0.2 → 1.0.4

package/dist/filters/index.js

@@ -0,0 +1,7 @@
+export * from './ascii85.js';
+export * from './asciihex.js';
+export * from './flate.js';
+export * from './lzw.js';
+export * from './pass-through.js';
+export * from './runlength.js';
+export * from './types.js';

package/dist/index.d.ts

@@ -1,4 +1,8 @@
 export * from './types.js';
-export * from './pdf/index.js';
 export * from './core/index.js';
+export * from './crypto/index.js';
+export * from './filters/index.js';
+export * from './pdf/index.js';
+export * from './security/index.js';
 export * from './signing/index.js';
+export * from './utils/index.js';

package/dist/index.js

@@ -1,4 +1,8 @@
 export * from './types.js';
-export * from './pdf/index.js';
 export * from './core/index.js';
+export * from './crypto/index.js';
+export * from './filters/index.js';
+export * from './pdf/index.js';
+export * from './security/index.js';
 export * from './signing/index.js';
+export * from './utils/index.js';

package/dist/pdf/index.d.ts

@@ -1,4 +1,5 @@
-export * from './pdf-document';
-export * from './pdf-reader';
-export * from './pdf-revision';
-export * from './pdf-xref-lookup';
+export * from './errors.js';
+export * from './pdf-document.js';
+export * from './pdf-reader.js';
+export * from './pdf-revision.js';
+export * from './pdf-xref-lookup.js';

package/dist/pdf/index.js

@@ -1,4 +1,5 @@
-export * from './pdf-document';
-export * from './pdf-reader';
-export * from './pdf-revision';
-export * from './pdf-xref-lookup';
+export * from './errors.js';
+export * from './pdf-document.js';
+export * from './pdf-reader.js';
+export * from './pdf-revision.js';
+export * from './pdf-xref-lookup.js';

package/dist/pdf/pdf-document.d.ts

@@ -11,7 +11,7 @@ import { PdfEncryptionDictionaryObject } from '../security/types';
 import { PdfTrailerEntries } from '../core/objects/pdf-trailer';
 import { PdfDocumentSecurityStoreObject } from '../signing/document-security-store';
 import { ByteArray } from '../types';
-import { PdfSigner } from '../signing/signer';
+import { PdfDocumentVerificationResult, PdfSigner } from '../signing/signer';
 /**
  * Represents a PDF document with support for reading, writing, and modifying PDF files.
  * Handles document structure, revisions, encryption, and digital signatures.
@@ -214,9 +214,9 @@ export declare class PdfDocument extends PdfObject {
      * Sets whether the document should use incremental updates.
      * When true, locks all existing revisions to preserve original content.
      *
-     * @param value - True to enable incremental mode, false to disable
+     * @param value - True to enable incremental mode, false to disable. Defaults to true.
      */
-    setIncremental(value: boolean): void;
+    setIncremental(value?: boolean): void;
     /**
      * Checks if the document is in incremental mode.
      *
@@ -274,4 +274,10 @@ export declare class PdfDocument extends PdfObject {
      */
     static fromBytes(input: AsyncIterable<ByteArray> | Iterable<ByteArray>): Promise<PdfDocument>;
     isModified(): boolean;
+    /**
+     * Verifies all digital signatures in the document.
+     *
+     * @returns A promise that resolves to the verification result
+     */
+    verifySignatures(): Promise<PdfDocumentVerificationResult>;
 }

package/dist/pdf/pdf-document.js

@@ -148,7 +148,11 @@ export class PdfDocument extends PdfObject {
         const revision = this.revisions.find((rev) => rev.xref.offset === lastStartXRef.offset.ref) ??
             this.revisions.find((rev) => rev.xref.offset.equals(lastStartXRef.offset.value));
         if (!revision) {
-            throw new Error('Cannot find revision for last StartXRef');
+            throw new Error('Cannot find revision for last StartXRef with offset ' +
+                `${lastStartXRef.offset.value}. Options are: ` +
+                this.revisions
+                    .map((rev) => rev.xref.offset.value)
+                    .join(', '));
         }
         return revision;
     }
@@ -497,9 +501,9 @@ export class PdfDocument extends PdfObject {
      * Sets whether the document should use incremental updates.
      * When true, locks all existing revisions to preserve original content.
      *
-     * @param value - True to enable incremental mode, false to disable
+     * @param value - True to enable incremental mode, false to disable. Defaults to true.
      */
-    setIncremental(value) {
+    setIncremental(value = true) {
         for (const revision of this.revisions) {
             revision.locked = value;
         }
@@ -685,4 +689,12 @@ export class PdfDocument extends PdfObject {
     isModified() {
         return (super.isModified() || this.revisions.some((rev) => rev.isModified()));
     }
+    /**
+     * Verifies all digital signatures in the document.
+     *
+     * @returns A promise that resolves to the verification result
+     */
+    async verifySignatures() {
+        return await this.signer.verify(this);
+    }
 }

package/dist/security/index.d.ts

@@ -0,0 +1,13 @@
+export * from './crypt-filters/aesv2.js';
+export * from './crypt-filters/aesv3.js';
+export * from './crypt-filters/base.js';
+export * from './crypt-filters/identity.js';
+export * from './crypt-filters/v2.js';
+export * from './handlers/base.js';
+export * from './handlers/pubSec.js';
+export * from './handlers/utils.js';
+export * from './handlers/v1.js';
+export * from './handlers/v2.js';
+export * from './handlers/v4.js';
+export * from './handlers/v5.js';
+export * from './types.js';

package/dist/security/index.js

@@ -0,0 +1,13 @@
+export * from './crypt-filters/aesv2.js';
+export * from './crypt-filters/aesv3.js';
+export * from './crypt-filters/base.js';
+export * from './crypt-filters/identity.js';
+export * from './crypt-filters/v2.js';
+export * from './handlers/base.js';
+export * from './handlers/pubSec.js';
+export * from './handlers/utils.js';
+export * from './handlers/v1.js';
+export * from './handlers/v2.js';
+export * from './handlers/v4.js';
+export * from './handlers/v5.js';
+export * from './types.js';

package/dist/signing/index.d.ts

@@ -1,3 +1,5 @@
-export * from './signatures';
-export * from './document-security-store';
-export * from './types';
+export * from './document-security-store.js';
+export * from './signatures/index.js';
+export * from './signer.js';
+export * from './types.js';
+export * from './utils.js';

package/dist/signing/index.js

@@ -1,3 +1,5 @@
-export * from './signatures';
-export * from './document-security-store';
-export * from './types';
+export * from './document-security-store.js';
+export * from './signatures/index.js';
+export * from './signer.js';
+export * from './types.js';
+export * from './utils.js';

package/dist/signing/signatures/adbe-pkcs7-detached.d.ts

@@ -54,4 +54,11 @@ export declare class PdfAdbePkcs7DetachedSignatureObject extends PdfSignatureObj
      * @returns The CMS SignedData and revocation information.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/adbe-pkcs7-detached.js

@@ -114,4 +114,40 @@ export class PdfAdbePkcs7DetachedSignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes, certificateValidation } = options;
+        try {
+            const signedData = SignedData.fromCms(this.signedBytes);
+            const certValidationOptions = certificateValidation === true
+                ? {}
+                : certificateValidation || undefined;
+            const result = await signedData.verify({
+                data: bytes,
+                certificateValidation: certValidationOptions,
+            });
+            if (result.valid) {
+                return { valid: true };
+            }
+            else {
+                return {
+                    valid: false,
+                    reasons: result.reasons,
+                };
+            }
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }

package/dist/signing/signatures/adbe-pkcs7-sha1.d.ts

@@ -52,4 +52,11 @@ export declare class PdfAdbePkcs7Sha1SignatureObject extends PdfSignatureObject
      * @returns The CMS SignedData and revocation information.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/adbe-pkcs7-sha1.js

@@ -118,4 +118,58 @@ export class PdfAdbePkcs7Sha1SignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes, certificateValidation } = options;
+        try {
+            const signedData = SignedData.fromCms(this.signedBytes);
+            // For adbe.pkcs7.sha1, the signed content is the SHA-1 hash of the document
+            // We need to compute the SHA-1 hash of the data and compare with the embedded content
+            const expectedHash = await DigestAlgorithmIdentifier.digestAlgorithm('SHA-1').digest(bytes);
+            const certValidationOptions = certificateValidation === true
+                ? {}
+                : certificateValidation || undefined;
+            // Verify the signature with the hash as the data (non-detached mode)
+            const result = await signedData.verify({
+                certificateValidation: certValidationOptions,
+            });
+            if (!result.valid) {
+                return {
+                    valid: false,
+                    reasons: result.reasons,
+                };
+            }
+            // Additionally verify that the embedded hash matches the document hash
+            const embeddedContent = signedData.encapContentInfo.eContent;
+            if (!embeddedContent) {
+                return {
+                    valid: false,
+                    reasons: ['No embedded content in SignedData'],
+                };
+            }
+            // Compare the hashes
+            if (!this.compareArrays(embeddedContent, expectedHash)) {
+                return {
+                    valid: false,
+                    reasons: [
+                        'Document hash does not match embedded signature hash',
+                    ],
+                };
+            }
+            return { valid: true };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }

package/dist/signing/signatures/adbe-x509-rsa-sha1.d.ts

@@ -46,4 +46,11 @@ export declare class PdfAdbePkcsX509RsaSha1SignatureObject extends PdfSignatureO
      * @returns The signature bytes and revocation information.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/adbe-x509-rsa-sha1.js

@@ -2,7 +2,10 @@ import { PrivateKeyInfo } from 'pki-lite/keys/PrivateKeyInfo';
 import { PdfSignatureObject } from './base';
 import { OctetString } from 'pki-lite/asn1/OctetString';
 import { AlgorithmIdentifier } from 'pki-lite/algorithms/AlgorithmIdentifier';
+import { Certificate } from 'pki-lite/x509/Certificate';
 import { fetchRevocationInfo } from '../utils';
+import { PdfArray } from '../../core/objects/pdf-array';
+import { PdfHexadecimal } from '../../core/objects/pdf-hexadecimal';
 /**
  * X.509 RSA-SHA1 signature object (adbe.x509.rsa_sha1).
  * Creates a raw RSA-SHA1 signature with certificates in the Cert entry.
@@ -78,4 +81,78 @@ export class PdfAdbePkcsX509RsaSha1SignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes } = options;
+        try {
+            const certificates = [];
+            const Cert = this.content.get('Cert');
+            if (Cert instanceof PdfArray) {
+                for (const certObj of Cert.items) {
+                    const certBytes = certObj instanceof PdfHexadecimal
+                        ? certObj.bytes
+                        : certObj.raw;
+                    const certificate = Certificate.fromDer(certBytes);
+                    certificates.push(certificate);
+                }
+            }
+            else if (Cert instanceof PdfHexadecimal) {
+                const certificate = Certificate.fromDer(Cert.bytes);
+                certificates.push(certificate);
+            }
+            else if (Cert) {
+                const certificate = Certificate.fromDer(Cert.raw);
+                certificates.push(certificate);
+            }
+            else {
+                throw new Error('No Cert entry found in signature dictionary');
+            }
+            if (certificates.length === 0) {
+                return {
+                    valid: false,
+                    reasons: [
+                        'No certificates available for adbe.x509.rsa_sha1 verification',
+                    ],
+                };
+            }
+            // Parse the signature as an OctetString
+            const signatureOctetString = OctetString.fromDer(this.signedBytes);
+            const signatureValue = signatureOctetString.bytes;
+            const signatureAlgorithm = AlgorithmIdentifier.signatureAlgorithm(PdfAdbePkcsX509RsaSha1SignatureObject.ALGORITHM);
+            for (const cert of certificates) {
+                const isValid = await signatureAlgorithm.verify(bytes, signatureValue, cert.tbsCertificate.subjectPublicKeyInfo);
+                if (isValid) {
+                    if (options.certificateValidation === true) {
+                        await cert.validate({
+                            //TODO: implement default validation options
+                            checkSignature: true,
+                            validateChain: true,
+                            otherCertificates: certificates,
+                        });
+                    }
+                    else if (options.certificateValidation) {
+                        await cert.validate(options.certificateValidation);
+                    }
+                    return { valid: true };
+                }
+            }
+            return {
+                valid: false,
+                reasons: ['Signature verification failed for all certificates'],
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }

package/dist/signing/signatures/base.d.ts

@@ -1,5 +1,5 @@
 import { PdfDictionary } from '../../core/objects/pdf-dictionary';
-import { PdfSignatureDictionaryEntries, PdfSignatureSubType, RevocationInfo } from '../types';
+import { PdfSignatureDictionaryEntries, PdfSignatureSubType, PdfSignatureVerificationOptions, PdfSignatureVerificationResult, RevocationInfo } from '../types';
 import { PdfHexadecimal } from '../../core/objects/pdf-hexadecimal';
 import { PdfIndirectObject } from '../../core/objects/pdf-indirect-object';
 import { ByteArray } from '../../types';
@@ -71,6 +71,13 @@ export declare abstract class PdfSignatureObject extends PdfIndirectObject<PdfSi
         signedBytes: ByteArray;
         revocationInfo?: RevocationInfo;
     }>;
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    abstract verify(options: PdfSignatureVerificationOptions): Promise<PdfSignatureVerificationResult>;
     /**
      * Gets the signature hexadecimal content.
      *
@@ -104,4 +111,12 @@ export declare abstract class PdfSignatureObject extends PdfIndirectObject<PdfSi
      * @returns High order value to place signature near end of document.
      */
     order(): number;
+    /**
+     * Compares two byte arrays for equality.
+     *
+     * @param a - First byte array.
+     * @param b - Second byte array.
+     * @returns True if arrays are equal, false otherwise.
+     */
+    protected compareArrays(a: ByteArray, b: ByteArray): boolean;
 }

package/dist/signing/signatures/base.js

@@ -142,4 +142,22 @@ export class PdfSignatureObject extends PdfIndirectObject {
     order() {
         return PdfIndirectObject.MAX_ORDER_INDEX - 10;
     }
+    /**
+     * Compares two byte arrays for equality.
+     *
+     * @param a - First byte array.
+     * @param b - Second byte array.
+     * @returns True if arrays are equal, false otherwise.
+     */
+    compareArrays(a, b) {
+        if (a.length !== b.length) {
+            return false;
+        }
+        for (let i = 0; i < a.length; i++) {
+            if (a[i] !== b[i]) {
+                return false;
+            }
+        }
+        return true;
+    }
 }

package/dist/signing/signatures/etsi-cades-detached.d.ts

@@ -61,4 +61,11 @@ export declare class PdfEtsiCadesDetachedSignatureObject extends PdfSignatureObj
      * @returns The CMS SignedData and revocation information.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/etsi-cades-detached.js

@@ -156,4 +156,40 @@ export class PdfEtsiCadesDetachedSignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes, certificateValidation } = options;
+        try {
+            const signedData = SignedData.fromCms(this.signedBytes);
+            const certValidationOptions = certificateValidation === true
+                ? {}
+                : certificateValidation || undefined;
+            const result = await signedData.verify({
+                data: bytes,
+                certificateValidation: certValidationOptions,
+            });
+            if (result.valid) {
+                return { valid: true };
+            }
+            else {
+                return {
+                    valid: false,
+                    reasons: result.reasons,
+                };
+            }
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }

package/dist/signing/signatures/etsi-rfc3161.d.ts

@@ -34,4 +34,11 @@ export declare class PdfEtsiRfc3161SignatureObject extends PdfSignatureObject {
      * @throws Error if no timestamp token is received.
      */
     sign: PdfSignatureObject['sign'];
+    /**
+     * Verifies the timestamp signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify: PdfSignatureObject['verify'];
 }

package/dist/signing/signatures/etsi-rfc3161.js

@@ -1,9 +1,12 @@
 import { PdfSignatureObject } from './base';
 import { DigestAlgorithmIdentifier } from 'pki-lite/algorithms/AlgorithmIdentifier';
 import { TimeStampReq } from 'pki-lite/timestamp/TimeStampReq';
+import { TSTInfo } from 'pki-lite/timestamp/TSTInfo';
 import { MessageImprint } from 'pki-lite/timestamp/MessageImprint';
 import { SignedData } from 'pki-lite/pkcs7/SignedData';
 import { fetchRevocationInfo } from '../utils';
+import { Certificate } from 'pki-lite/x509/Certificate';
+import { OIDs } from 'pki-lite/core/OIDs';
 /**
  * RFC 3161 timestamp signature object (ETSI.RFC3161).
  * Creates document timestamps using a Time Stamp Authority (TSA).
@@ -67,4 +70,103 @@ export class PdfEtsiRfc3161SignatureObject extends PdfSignatureObject {
             revocationInfo,
         };
     };
+    /**
+     * Verifies the timestamp signature against the provided document bytes.
+     *
+     * @param options - Verification options including the signed bytes.
+     * @returns The verification result.
+     */
+    verify = async (options) => {
+        const { bytes, certificateValidation } = options;
+        const digestAlgorithm = DigestAlgorithmIdentifier.digestAlgorithm('SHA-512');
+        const expectedMessageImprint = new MessageImprint({
+            hashAlgorithm: digestAlgorithm,
+            hashedMessage: await digestAlgorithm.digest(bytes),
+        });
+        try {
+            const signedData = SignedData.fromCms(this.signedBytes);
+            // Extract TSTInfo from the signed data's encapsulated content
+            // The eContentType should be id-ct-TSTInfo (1.2.840.113549.1.9.16.1.4)
+            const encapContentInfo = signedData.encapContentInfo;
+            if (encapContentInfo.eContentType.toString() !== OIDs.PKCS7.TST_INFO) {
+                return {
+                    valid: false,
+                    reasons: [
+                        `Invalid content type: expected id-ct-TSTInfo (${OIDs.PKCS7.TST_INFO}), got ${encapContentInfo.eContentType.toString()}`,
+                    ],
+                };
+            }
+            if (!encapContentInfo.eContent) {
+                return {
+                    valid: false,
+                    reasons: ['No TSTInfo content found in timestamp token'],
+                };
+            }
+            // Parse the TSTInfo from the encapsulated content
+            const tstInfo = TSTInfo.fromDer(encapContentInfo.eContent);
+            // Verify that the messageImprint in TSTInfo matches what we computed
+            const tstMessageImprint = tstInfo.messageImprint;
+            if (tstMessageImprint.hashAlgorithm.algorithm.toString() !==
+                expectedMessageImprint.hashAlgorithm.algorithm.toString()) {
+                return {
+                    valid: false,
+                    reasons: [
+                        `Hash algorithm mismatch: TSTInfo uses ${tstMessageImprint.hashAlgorithm.algorithm.toString()}, expected ${expectedMessageImprint.hashAlgorithm.algorithm.toString()}`,
+                    ],
+                };
+            }
+            const tstHash = tstMessageImprint.hashedMessage;
+            const expectedHash = expectedMessageImprint.hashedMessage;
+            if (tstHash.length !== expectedHash.length) {
+                return {
+                    valid: false,
+                    reasons: [
+                        `Hash length mismatch: TSTInfo has ${tstHash.length} bytes, expected ${expectedHash.length} bytes`,
+                    ],
+                };
+            }
+            for (let i = 0; i < tstHash.length; i++) {
+                if (tstHash[i] !== expectedHash[i]) {
+                    return {
+                        valid: false,
+                        reasons: [
+                            'Message imprint mismatch: the timestamp does not match the document',
+                        ],
+                    };
+                }
+            }
+            // Verify the signature on the SignedData
+            const certValidationOptions = certificateValidation === true
+                ? {}
+                : certificateValidation || undefined;
+            if (options.certificateValidation) {
+                const certificates = signedData.certificates ?? [];
+                for (const cert of certificates) {
+                    if (!(cert instanceof Certificate)) {
+                        //TODO: support other cert types
+                        continue;
+                    }
+                    if (!(await cert.validate(certValidationOptions))) {
+                        return {
+                            valid: false,
+                            reasons: [
+                                'Certificate validation failed for timestamp signer',
+                            ],
+                        };
+                    }
+                }
+            }
+            return {
+                valid: true,
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                reasons: [
+                    `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`,
+                ],
+            };
+        }
+    };
 }