Simplify P12Signer implementation

Author: dcbr

packages/signer-p12/dist/P12Signer.d.ts

@@ -14,12 +14,13 @@ export class P12Signer extends Signer {
         asn1StrictParsing: boolean;
     };
     cert: any;
+    certBags: any;
+    keyBags: any;
     /**
-     * @param {Buffer} pdfBuffer
-     * @param {Date | undefined} signingTime
-     * @returns {Buffer}
+     * Retrieve all certificates from the safe bag and determine the signing certificate.
+     * @returns {Promise<Uint8Array[]>}
      */
-    sign(pdfBuffer: Buffer, signingTime?: Date | undefined): Buffer;
+    getCertificate(): Promise<Uint8Array[]>;
 }
 export type SignerOptions = {
     passphrase?: string;

packages/signer-p12/dist/P12Signer.d.ts.map

@@ -14,6 +14,9 @@ function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { de
  */
 
 class P12Signer extends _utils.Signer {
+  hashAlgorithm = 'SHA-256';
+  signAlgorithm = 'RSASSA-PKCS1-v1_5';
+
   /**
    * @param {Buffer | Uint8Array | string} p12Buffer
    * @param {SignerOptions} additionalOptions
@@ -26,82 +29,64 @@ class P12Signer extends _utils.Signer {
       passphrase: '',
       ...additionalOptions
     };
-    this.cert = _nodeForge.default.util.createBuffer(buffer.toString('binary'));
-  }
-
-  /**
-   * @param {Buffer} pdfBuffer
-   * @param {Date | undefined} signingTime
-   * @returns {Buffer}
-   */
-  async sign(pdfBuffer, signingTime = undefined) {
-    if (!(pdfBuffer instanceof Buffer)) {
-      throw new _utils.SignPdfError('PDF expected as Buffer.', _utils.SignPdfError.TYPE_INPUT);
-    }
 
     // Convert Buffer P12 to a forge implementation.
+    this.cert = _nodeForge.default.util.createBuffer(buffer.toString('binary'));
     const p12Asn1 = _nodeForge.default.asn1.fromDer(this.cert);
     const p12 = _nodeForge.default.pkcs12.pkcs12FromAsn1(p12Asn1, this.options.asn1StrictParsing, this.options.passphrase);
 
     // Extract safe bags by type.
     // We will need all the certificates and the private key.
-    const certBags = p12.getBags({
+    this.certBags = p12.getBags({
       bagType: _nodeForge.default.pki.oids.certBag
     })[_nodeForge.default.pki.oids.certBag];
-    const keyBags = p12.getBags({
+    this.keyBags = p12.getBags({
       bagType: _nodeForge.default.pki.oids.pkcs8ShroudedKeyBag
     })[_nodeForge.default.pki.oids.pkcs8ShroudedKeyBag];
-    const privateKey = keyBags[0].key;
-    // Here comes the actual PKCS#7 signing.
-    const p7 = _nodeForge.default.pkcs7.createSignedData();
-    // Start off by setting the content.
-    p7.content = _nodeForge.default.util.createBuffer(pdfBuffer.toString('binary'));
+  }
 
-    // Then add all the certificates (-cacerts & -clcerts)
-    // Keep track of the last found client certificate.
+  /**
+   * Retrieve all certificates from the safe bag and determine the signing certificate.
+   * @returns {Promise<Uint8Array[]>}
+   */
+  async getCertificate() {
+    const privateKey = this.keyBags[0].key;
+    // Retrieve all the certificates (-cacerts & -clcerts)
+    // Keep track of the last found client certificate matching the private key.
     // This will be the public key that will be bundled in the signature.
-    let certificate;
-    Object.keys(certBags).forEach(i => {
+    let signCertFound = false;
+    const certificates = [];
+    Object.values(this.certBags).forEach(bag => {
       const {
         publicKey
-      } = certBags[i].cert;
-      p7.addCertificate(certBags[i].cert);
+      } = bag.cert;
 
       // Try to find the certificate that matches the private key.
       if (privateKey.n.compareTo(publicKey.n) === 0 && privateKey.e.compareTo(publicKey.e) === 0) {
-        certificate = certBags[i].cert;
+        // Insert signing certificate in front
+        certificates.unshift(bag.cert);
+        signCertFound = true;
+      } else {
+        // Insert all other certificates at the end
+        certificates.push(bag.cert);
       }
     });
-    if (typeof certificate === 'undefined') {
+    if (!signCertFound) {
       throw new _utils.SignPdfError('Failed to find a certificate that matches the private key.', _utils.SignPdfError.TYPE_INPUT);
     }
+    // Convert certificates to their binary representation
+    return certificates.map(cert => Buffer.from(_nodeForge.default.asn1.toDer(_nodeForge.default.pki.certificateToAsn1(cert)).getBytes(), 'binary'));
+  }
 
-    // Add a sha256 signer. That's what Adobe.PPKLite adbe.pkcs7.detached expects.
-    // Note that the authenticatedAttributes order is relevant for correct
-    // EU signature validation:
-    // https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation
-    p7.addSigner({
-      key: privateKey,
-      certificate,
-      digestAlgorithm: _nodeForge.default.pki.oids.sha256,
-      authenticatedAttributes: [{
-        type: _nodeForge.default.pki.oids.contentType,
-        value: _nodeForge.default.pki.oids.data
-      }, {
-        type: _nodeForge.default.pki.oids.signingTime,
-        // value can also be auto-populated at signing time
-        value: signingTime !== null && signingTime !== void 0 ? signingTime : new Date()
-      }, {
-        type: _nodeForge.default.pki.oids.messageDigest
-        // value will be auto-populated at signing time
-      }]
-    });
-
-    // Sign in detached mode.
-    p7.sign({
-      detached: true
-    });
-    return Buffer.from(_nodeForge.default.asn1.toDer(p7.toAsn1()).getBytes(), 'binary');
+  /**
+   * Retrieve the private key from the safe bag.
+   * @returns {Promise<Uint8Array>}
+   */
+  async getKey() {
+    const privateKey = this.keyBags[0].key;
+    // Convert private key to its pkcs8 binary representation
+    const pkcs8 = _nodeForge.default.pki.wrapRsaPrivateKey(_nodeForge.default.pki.privateKeyToAsn1(privateKey));
+    return Buffer.from(_nodeForge.default.asn1.toDer(pkcs8).getBytes(), 'binary');
   }
 }
 exports.P12Signer = P12Signer;

packages/signer-p12/dist/P12Signer.js

@@ -8,6 +8,10 @@ import {convertBuffer, SignPdfError, Signer} from '@signpdf/utils';
  */
 
 export class P12Signer extends Signer {
+    hashAlgorithm = 'SHA-256';
+
+    signAlgorithm = 'RSASSA-PKCS1-v1_5';
+
     /**
      * @param {Buffer | Uint8Array | string} p12Buffer
      * @param {SignerOptions} additionalOptions
@@ -22,23 +26,9 @@ export class P12Signer extends Signer {
             passphrase: '',
             ...additionalOptions,
         };
-        this.cert = forge.util.createBuffer(buffer.toString('binary'));
-    }
-
-    /**
-     * @param {Buffer} pdfBuffer
-     * @param {Date | undefined} signingTime
-     * @returns {Buffer}
-     */
-    async sign(pdfBuffer, signingTime = undefined) {
-        if (!(pdfBuffer instanceof Buffer)) {
-            throw new SignPdfError(
-                'PDF expected as Buffer.',
-                SignPdfError.TYPE_INPUT,
-            );
-        }
 
         // Convert Buffer P12 to a forge implementation.
+        this.cert = forge.util.createBuffer(buffer.toString('binary'));
         const p12Asn1 = forge.asn1.fromDer(this.cert);
         const p12 = forge.pkcs12.pkcs12FromAsn1(
             p12Asn1,
@@ -48,69 +38,59 @@ export class P12Signer extends Signer {
 
         // Extract safe bags by type.
         // We will need all the certificates and the private key.
-        const certBags = p12.getBags({
+        this.certBags = p12.getBags({
             bagType: forge.pki.oids.certBag,
         })[forge.pki.oids.certBag];
-        const keyBags = p12.getBags({
+        this.keyBags = p12.getBags({
             bagType: forge.pki.oids.pkcs8ShroudedKeyBag,
         })[forge.pki.oids.pkcs8ShroudedKeyBag];
+    }
 
-        const privateKey = keyBags[0].key;
-        // Here comes the actual PKCS#7 signing.
-        const p7 = forge.pkcs7.createSignedData();
-        // Start off by setting the content.
-        p7.content = forge.util.createBuffer(pdfBuffer.toString('binary'));
-
-        // Then add all the certificates (-cacerts & -clcerts)
-        // Keep track of the last found client certificate.
+    /**
+     * Retrieve all certificates from the safe bag and determine the signing certificate.
+     * @returns {Promise<Uint8Array[]>}
+     */
+    async getCertificate() {
+        const privateKey = this.keyBags[0].key;
+        // Retrieve all the certificates (-cacerts & -clcerts)
+        // Keep track of the last found client certificate matching the private key.
         // This will be the public key that will be bundled in the signature.
-        let certificate;
-        Object.keys(certBags).forEach((i) => {
-            const {publicKey} = certBags[i].cert;
-
-            p7.addCertificate(certBags[i].cert);
+        let signCertFound = false;
+        const certificates = [];
+        Object.values(this.certBags).forEach((bag) => {
+            const {publicKey} = bag.cert;
 
             // Try to find the certificate that matches the private key.
             if (privateKey.n.compareTo(publicKey.n) === 0
                 && privateKey.e.compareTo(publicKey.e) === 0
             ) {
-                certificate = certBags[i].cert;
+                // Insert signing certificate in front
+                certificates.unshift(bag.cert);
+                signCertFound = true;
+            } else {
+                // Insert all other certificates at the end
+                certificates.push(bag.cert);
             }
         });
 
-        if (typeof certificate === 'undefined') {
+        if (!signCertFound) {
             throw new SignPdfError(
                 'Failed to find a certificate that matches the private key.',
                 SignPdfError.TYPE_INPUT,
             );
         }
+        // Convert certificates to their binary representation
+        return certificates.map((cert) => Buffer.from(forge.asn1.toDer(forge.pki.certificateToAsn1(cert)).getBytes(), 'binary'));
+    }
 
-        // Add a sha256 signer. That's what Adobe.PPKLite adbe.pkcs7.detached expects.
-        // Note that the authenticatedAttributes order is relevant for correct
-        // EU signature validation:
-        // https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation
-        p7.addSigner({
-            key: privateKey,
-            certificate,
-            digestAlgorithm: forge.pki.oids.sha256,
-            authenticatedAttributes: [
-                {
-                    type: forge.pki.oids.contentType,
-                    value: forge.pki.oids.data,
-                }, {
-                    type: forge.pki.oids.signingTime,
-                    // value can also be auto-populated at signing time
-                    value: signingTime ?? new Date(),
-                }, {
-                    type: forge.pki.oids.messageDigest,
-                    // value will be auto-populated at signing time
-                },
-            ],
-        });
-
-        // Sign in detached mode.
-        p7.sign({detached: true});
-
-        return Buffer.from(forge.asn1.toDer(p7.toAsn1()).getBytes(), 'binary');
+    /**
+     * Retrieve the private key from the safe bag.
+     * @returns {Promise<Uint8Array>}
+     */
+    async getKey() {
+        const privateKey = this.keyBags[0].key;
+        // Convert private key to its pkcs8 binary representation
+        const pkcs8 = forge.pki.wrapRsaPrivateKey(forge.pki.privateKeyToAsn1(privateKey));
+        return Buffer.from(forge.asn1.toDer(pkcs8).getBytes(), 'binary');
     }
 }