class HexaPDF::DigitalSignature::Signing::DefaultHandler

Parent

This is the default signing handler which provides the ability to sign a document with the adbe.pkcs7.detached or ETSI.CAdES.detached algorithms. It is registered under the :default name.

Usage

The signing handler is used by default by all methods that need a signing handler. Therefore it is usually only necessary to provide the actual attribute values.

Note: Currently only RSA is supported, DSA and ECDSA are not. See the examples below for how to handle them using external signing.

CMS and PAdES Signatures

The handler supports the older standard of CMS signatures as well as the newer PAdES signatures specified in PDF 2.0. By default, CMS signatures are created but this can be changed by setting signature_type to :pades.

When creating PAdES signatures the following two PAdES baseline signatures are supported: B-B and B-T. The difference between those two is that a timestamp handler was defined for B-T compatibility.

Signing Modes - Internal, External, External/Asynchronous

This handler provides two ways to create the CMS signed-data structure required by Signatures#add:

  • By providing the signing certificate together with the signing key and the certificate chain, HexaPDF itself does the signing internally. It is the preferred way if all the needed information is available.

    Assign the respective data to the certificate, key and certificate_chain attributes.

  • By using an *external signing mechanism*, a callable object assigned to external_signing. Here the actual signing happens “outside” of HexaPDF, for example, in custom code or even asynchronously. This is needed in case the signing key is not directly available but only an interface to it (e.g. when dealing with a HSM).

    Depending on whether certificate is set the signing happens differently:

    • If certificate is not set, the callable object is used instead of sign, so it needs to accept the same arguments as sign and needs to return a complete, DER-serialized CMS signed data object.

    • If certificate is set, the CMS signed data object is created by HexaPDF. The callable external_signing object is called with the used digest algorithm and the already digested data which needs to be signed (but not digested) and the signature returned.

    If the signing process needs to be asynchronous, make sure to set the signature_size appropriately, return an empty string during signing and later use Signatures.embed_signature to embed the actual signature.

Optional Data

Besides the required data, some optional attributes can also be specified:

  • Reason, location and contact information

  • Making the signature a certification signature by applying the DocMDP transform method and a DoCMDP permission

Examples

# Signing using certificate + key
document.sign("output.pdf", certificate: my_cert, key: my_key,
              certificate_chain: my_chain)

# Signing using an external mechanism without certificate set
signing_proc = lambda do |io, byte_range|
  io.pos = byte_range[0]
  data = io.read(byte_range[1])
  io.pos = byte_range[2]
  data << io.read(byte_range[3])
  signing_service.pkcs7_sign(data).to_der
end
document.sign("output.pdf", signature_size: 10_000, external_signing: signing_proc)

# Signing using external mechanism with certificate set
signing_proc = lambda do |digest_method, hash|
  signing_service.sign_raw(digest_method, hash)
end
document.sign("output.pdf", certificate: my_cert, certificate_chain: my_chain,
              external_signing: signing_proc)

# Signing with DSA or ECDSA certificate/keys
signing_proc = lambda do |io, byte_range|
  io.pos = byte_range[0]
  data = io.read(byte_range[1])
  io.pos = byte_range[2]
  data << io.read(byte_range[3])
  OpenSSL::PKCS7.sign(certificate, key, data, certificate_chain,
                      OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY).to_der
end
document.sign("output.pdf", signature_size: 10_000, external_signing: signing_proc)

Implementing a Signing Handler

This class also serves as an example on how to create a custom handler: The public methods signature_size, finalize_objects and sign are used by the digital signature algorithm. See their descriptions for details.

Once a custom signing handler has been created, it can be registered under the ‘signature.signing_handler’ configuration option for easy use. It has to take keyword arguments in its initialize method to be compatible with the Signatures#handler method.

Attributes

certificate[RW]

The certificate with which to sign the PDF.

If the certificate is provided, HexaPDF creates the signature object. Otherwise the external_signing callable object has to create it.

See the class documentation section “Signing Modes” on how certificate, key and external_signing play together.

certificate_chain[RW]

The certificate chain that should be embedded in the PDF; usually contains all certificates up to the root certificate.

contact_info[RW]

The contact information. If used, will be set on the signature dictionary.

digest_algorithm[RW]

The digest algorithm that should be used when creating the signature.

See SignedDataCreator#digest_algorithm for the default value (if nothing is set) and for the allowed values.

doc_mdp_permissions[R]

The DocMDP permissions that should be set on the document.

See doc_mdp_permissions=

external_signing[RW]

A callable object for custom signing mechanisms.

The callable object has two different uses depending on whether certificate is set:

  • If certificate is not set, it fulfills the same role as the sign method and needs to conform to that interface.

  • If certificate is set and key is not, it is just used for signing. Here it needs to accept the used digest algorithm and the already digested data as arguments and return the signature.

Also dee the class documentation section “Signing Modes” on how certificate, key and external_signing play together.

key[RW]

The private key for the certificate.

If the key is provided, HexaPDF does the signing. Otherwise the external_signing callable object has to sign the data.

See the class documentation section “Signing Modes” on how certificate, key and external_signing play together.

location[RW]

The signing location. If used, will be set on the signature dictionary.

reason[RW]

The reason for signing. If used, will be set on the signature dictionary.

signature_size[W]

The size of the serialized signature that should be reserved.

If this attribute is not set, an empty string will be signed using sign to determine the signature size.

The size needs to be at least as big as the final signature, otherwise signing results in an error.

signature_type[RW]

The type of signature to be written (i.e. the value of the /SubFilter key).

The value can either be :cms (the default; uses a detached CMS signature) or :pades (uses an ETSI CAdES compatible signature).

signing_time[RW]

The custom signing time.

The signing time is usually the time when signing actually happens. This is also what HexaPDF uses. If it is known that signing happened at a different point in time, that time can be provided using this accessor.

timestamp_handler[RW]

The timestamp handler that should be used for timestamping the signature.

If this attribute is set, a timestamp token is embedded into the CMS object.

Public Class Methods

new(**arguments)

Creates a new DefaultHandler instance with the given attributes.

Public Instance Methods

doc_mdp_permissions=(permissions)

Sets the DocMDP permissions that should be applied to the document.

Valid values for permissions are:

nil

Don’t set any DocMDP permissions (default).

:no_changes or 1

No changes whatsoever are allowed.

:form_filling or 2

Only filling in forms and signing are allowed.

:form_filling_and_annotations or 3

Only filling in forms, signing and annotation creation/deletion/modification are allowed.

finalize_objects(_signature_field, signature)

Finalizes the signature field as well as the signature dictionary before writing.

sign(io, byte_range)

Returns the DER serialized CMS signed data object containing the signature for the given IO byte ranges.

The byte_range argument is an array containing four numbers [offset1, length1, offset2, length2]. The offset numbers are byte positions in the io argument and the to-be-signed data can be determined by reading length bytes at the offsets.

signature_size

The size of the serialized signature that should be reserved.

If this attribute is not set, an empty string will be signed using sign to determine the signature size.

The size needs to be at least as big as the final signature, otherwise signing results in an error.