Class: HexaPDF::DigitalSignature::PKCS1Handler
Defined in: lib/hexapdf/digital_signature/pkcs1_handler.rb
Overview
The signature handler for PKCS#1 based sub-filters, the only one being the adbe.x509.rsa_sha1 sub-filter.
Since PKCS#1 signatures are deprecated with PDF 2.0, the handler only provides the implementation for reading and verifying signatures.
See: PDF1.7/2.0 s12.8.3.2
Instance Attribute Summary
Attributes inherited from Handler
Instance Method Summary
- #certificate_chain ⇒ Object
  Returns the certificate chain.
- #signer_certificate ⇒ Object
  Returns the signer certificate (an instance of OpenSSL::X509::Certificate).
- #verify(store, allow_self_signed: false) ⇒ Object
  Verifies the signature using the provided OpenSSL::X509::Store object.
Methods inherited from Handler
#initialize, #signer_name, #signing_time
Constructor Details
This class inherits a constructor from HexaPDF::DigitalSignature::Handler
Instance Method Details
#certificate_chain ⇒ Object
Returns the certificate chain.
    # File 'lib/hexapdf/digital_signature/pkcs1_handler.rb', line 53
    def certificate_chain
      return [] unless signature_dict.key?(:Cert)
      [signature_dict[:Cert]].flatten.map {|str| OpenSSL::X509::Certificate.new(str) }
    end
#signer_certificate ⇒ Object
Returns the signer certificate (an instance of OpenSSL::X509::Certificate).
    # File 'lib/hexapdf/digital_signature/pkcs1_handler.rb', line 59
    def signer_certificate
      certificate_chain.first
    end
#verify(store, allow_self_signed: false) ⇒ Object
Verifies the signature using the provided OpenSSL::X509::Store object.
    # File 'lib/hexapdf/digital_signature/pkcs1_handler.rb', line 64
    def verify(store, allow_self_signed: false)
      result = super

      signer_certificate = self.signer_certificate
      certificate_chain = self.certificate_chain

      if certificate_chain.empty?
        result.log(:error, "No certificates for verification found")
        return result
      end

      signature = OpenSSL::ASN1.decode(signature_dict.contents)
      if signature.tag != OpenSSL::ASN1::OCTET_STRING
        result.log(:error, "PKCS1 signature object invalid, octet string expected")
        return result
      end

      store.verify(signer_certificate, certificate_chain)

      if signer_certificate.public_key.verify(OpenSSL::Digest.new('SHA1'),
                                              signature.value, signature_dict.signed_data)
        result.log(:info, "Signature valid")
      else
        result.log(:error, "Signature verification failed")
      end

      result
    end
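The checks that #verify performs on an adbe.x509.rsa_sha1 signature, as an added stand-alone example using only Ruby's OpenSSL bindings (it is not HexaPDF code). The method names check_rsa_sha1 and constructed_sample, the status symbols and the sample key, certificate and data are assumptions of this example; it reports the store's chain verdict as its own status so that an untrusted signer and a bad RSA signature can be told apart.

```ruby
require 'openssl'

# Stand-alone check (hypothetical helper, not HexaPDF API); returns a status symbol.
# contents    - DER bytes of the signature's /Contents value
# cert_ders   - DER certificates from /Cert, signer first
# signed_data - the bytes the signature covers
def check_rsa_sha1(contents, cert_ders, signed_data, store)
  return :no_certificates if cert_ders.empty?

  chain = cert_ders.map { |der| OpenSSL::X509::Certificate.new(der) }
  signer = chain.first
  begin
    sig = OpenSSL::ASN1.decode(contents)
  rescue OpenSSL::ASN1::ASN1Error
    return :malformed
  end
  # The raw PKCS#1 v1.5 signature must be wrapped in a universal OCTET STRING.
  return :malformed unless sig.tag_class == :UNIVERSAL &&
                           sig.tag == OpenSSL::ASN1::OCTET_STRING
  # Chain trust is a separate question from the RSA math: check its result.
  return :untrusted unless store.verify(signer, chain)

  digest = OpenSSL::Digest.new('SHA1')
  signer.public_key.verify(digest, sig.value, signed_data) ? :valid : :bad_signature
end

# Constructed sample: throwaway key, self-signed certificate, made-up data.
def constructed_sample
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Signer')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  data = 'constructed signed byte ranges'
  raw = key.sign(OpenSSL::Digest.new('SHA1'), data)
  { cert_der: cert.to_der, data: data,
    contents: OpenSSL::ASN1::OctetString.new(raw).to_der }
end

if __FILE__ == $PROGRAM_NAME
  s = constructed_sample
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(s[:cert_der]))
  puts check_rsa_sha1(s[:contents], [s[:cert_der]], s[:data], store)
  puts check_rsa_sha1(s[:contents], [s[:cert_der]], s[:data] + '!', store)
end
```

With an empty store the same sample yields :untrusted even though the RSA signature itself is intact, which is the case a caller must not report as a valid signature.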