19993337372

Committed 06 Dec 2025 07:39PM UTC coverage: 42.664%. First build

Build # 19993337372

Build Type

Pull #6012

github

Committed by

web-flow

Commit Message

Merge 352bc1328 into 9de3c9f7e

Pull Request Pull Request #6012: Feat/docmdp iso validation

Run Details

195 of 219 new or added lines in 4 files covered. (89.04%)

5449 of 12772 relevant lines covered (42.66%)

4.75 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

88.5

/lib/Handler/DocMdpHandler.php

<?php

declare(strict_types=1);

/**
 * SPDX-FileCopyrightText: 2025 LibreCode coop and contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

namespace OCA\Libresign\Handler;

use OCA\Libresign\Db\File;
use OCA\Libresign\Enum\DocMdpLevel;
use OCP\IL10N;

class DocMdpHandler {
        /** @var array<string, string[]> Allowed modification types per DocMDP level */
        private const ALLOWED_MODIFICATIONS = [
                'NO_CHANGES' => [],
                'FORM_FILL' => ['form_field', 'template', 'signature'],
                'FORM_FILL_AND_ANNOTATIONS' => ['form_field', 'template', 'annotation', 'signature'],
        ];

        public function __construct(
                private IL10N $l10n,
        ) {
        }

        public function extractDocMdpData($resource): array {
                if (!is_resource($resource)) {
                        return [];
                }

                $docmdpLevel = $this->extractDocMdpLevel($resource);

                $result = [
                        'docmdp' => [
                                'level' => $docmdpLevel->value,
                                'label' => $docmdpLevel->getLabel($this->l10n),
                                'description' => $docmdpLevel->getDescription($this->l10n),
                                'isCertifying' => $docmdpLevel->isCertifying(),
                        ],
                ];

                $modificationInfo = $this->detectModifications($resource);
                $result['modifications'] = $modificationInfo;

                if ($modificationInfo['modified'] || $docmdpLevel->isCertifying()) {
                        $validation = $this->validateModifications($docmdpLevel, $modificationInfo, $resource);
                        $result['modification_validation'] = $validation;
                }

                return $result;
        }

        /**
         * Extract DocMDP permission level from PDF
         *
         * Validates ISO 32000-1 compliance:
         * - 12.8.2.2.1: Only ONE DocMDP signature allowed
         * - 12.8.2.2.1: DocMDP must be FIRST certifying signature
         * - Table 252: Signature dictionary validation (/Type /Sig, /Filter, /ByteRange)
         * - Table 253: Signature reference validation (/TransformMethod /DocMDP)
         * - Table 254: TransformParams validation (/P, /V /1.2)
         *
         * @return DocMdpLevel Permission level (NONE, NO_CHANGES, FORM_FILL, FORM_FILL_AND_ANNOTATIONS)
         */
        private function extractDocMdpLevel($pdfResource): DocMdpLevel {
                rewind($pdfResource);
                $content = stream_get_contents($pdfResource);

                if (!$this->validateIsoCompliance($content)) {
                        return DocMdpLevel::NONE;
                }

                $pValue = $this->extractPValue($content);
                if ($pValue === null) {
                        return DocMdpLevel::NONE;
                }

                return DocMdpLevel::tryFrom($pValue) ?? DocMdpLevel::NONE;
        }

        /**
         * Validate all ISO 32000-1 DocMDP requirements
         *
         * @return bool True if all validations pass
         */
        private function validateIsoCompliance(string $content): bool {
                return $this->validateSingleDocMdpSignature($content)
                        && $this->validateDocMdpIsFirstSignature($content)
                        && $this->validateSignatureDictionary($content)
                        && $this->validateSignatureReference($content);
        }

        /**
         * Extract /P value from TransformParams (permission level)
         * ISO 32000-1 Table 254: /P is optional, default 2
         *
         * @return int|null Permission value (1, 2, or 3) or null if not found/invalid
         */
        private function extractPValue(string $content): ?int {
                if (preg_match('/\/Reference\s*\[\s*(\d+\s+\d+\s+R)/', $content, $refMatch)) {
                        $pValue = $this->extractPValueFromIndirectReference($content, $refMatch[1]);
                        if ($pValue !== null) {
                                return $pValue;
                        }
                }

                $inlinePattern = '/\/Reference\s*\[\s*<<.*?\/TransformMethod\s*\/DocMDP.*?\/TransformParams\s*<<.*?\/P\s*(\d+).*?>>.*?>>.*?\]/s';
                if (preg_match($inlinePattern, $content, $matches)) {
                        if ($this->validateTransformParamsVersion($content, $matches[0])) {
                                return (int)$matches[1];
                        }
                }

                return null;
        }

        /**
         * Extract /P value from indirect reference structure
         *
         * @param string $content Full PDF content
         * @param string $indirectRef Reference like "7 0 R"
         * @return int|null Permission value or null
         */
        private function extractPValueFromIndirectReference(string $content, string $indirectRef): ?int {
                $objPattern = '/' . preg_quote($indirectRef, '/') . '.*?obj\s*<<.*?\/TransformMethod\s*\/DocMDP.*?\/TransformParams\s*(\d+\s+\d+\s+R|<<.*?\/P\s*(\d+).*?>>)/s';

                if (!preg_match($objPattern, $content, $objMatch)) {
                        return null;
                }

                if (isset($objMatch[2]) && is_numeric($objMatch[2])) {
                        if ($this->validateTransformParamsVersion($content, $objMatch[0])) {
                                return (int)$objMatch[2];
                        }
                        return null;
                }

                if (isset($objMatch[1]) && preg_match('/(\d+\s+\d+\s+R)/', $objMatch[1], $paramsRef)) {
                        $objNum = preg_replace('/\s+R$/', '', $paramsRef[1]);
                        $paramsPattern = '/' . preg_quote($objNum, '/') . '\s+obj\s*(<<.*?>>)\s*endobj/s';
                        if (preg_match($paramsPattern, $content, $paramsMatch)) {
                                if (preg_match('/\/P\s*(\d+)/', $paramsMatch[1], $pMatch)) {
                                        if ($this->validateTransformParamsVersion($content, $paramsMatch[0])) {
                                                return (int)$pMatch[1];
                                        }
                                }
                        }
                }

                return null;
        }

        /**
         * Parse all PDF objects (obj...endobj blocks) from content
         * Handles multi-line dictionaries with nested angle brackets
         *
         * @return array Array of objects with keys: objNum, dict, position
         */
        private function parsePdfObjects(string $content): array {
                if (!preg_match_all('/(\d+)\s+\d+\s+obj\s*(<<.*?>>)\s*endobj/s', $content, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
                        return [];
                }

                $objects = [];
                foreach ($matches as $match) {
                        $objects[] = [
                                'objNum' => $match[1][0],
                                'dict' => $match[2][0],
                                'position' => $match[2][1],
                        ];
                }
                return $objects;
        }

        /**
         * ICP-Brasil DOC-ICP-15.03: Validate /V /1.2 in TransformParams
         * ISO 32000-1 Table 254: /V is optional, default 1.2
         */
        private function validateTransformParamsVersion(string $content, string $context): bool {
                if (preg_match('/\/TransformParams\s*(\d+\s+\d+\s+R)/', $context, $paramsRef)) {
                        $objNum = preg_replace('/\s+R$/', '', $paramsRef[1]);
                        $paramsPattern = '/' . preg_quote($objNum, '/') . '\s+obj\s*(<<.*?>>)\s*endobj/s';
                        if (preg_match($paramsPattern, $content, $objMatch)) {
                                return preg_match('/\/V\s*\/1\.2/', $objMatch[1]) === 1;
                        }
                        return false;
                }
                return preg_match('/\/V\s*\/1\.2/', $context) === 1;
        }

        private function detectModifications($pdfResource): array {
                rewind($pdfResource);
                $content = stream_get_contents($pdfResource);
                $fileSize = strlen($content);

                preg_match_all(
                        '/ByteRange\s*\[\s*(?<offset1>\d+)\s+(?<length1>\d+)\s+(?<offset2>\d+)\s+(?<length2>\d+)\s*\]/',
                        $content,
                        $byteRanges,
                        PREG_SET_ORDER
                );

                if (empty($byteRanges)) {
                        return [
                                'modified' => false,
                                'revisionCount' => 0,
                                'details' => [],
                        ];
                }

                $modifications = [];
                foreach ($byteRanges as $index => $range) {
                        $coveredEnd = (int)$range['offset2'] + (int)$range['length2'];
                        $hasModifications = $coveredEnd < $fileSize;

                        $modifications[] = [
                                'signatureIndex' => $index,
                                'modified' => $hasModifications,
                                'coveredBytes' => $coveredEnd,
                                'totalBytes' => $fileSize,
                                'extraBytes' => $hasModifications ? ($fileSize - $coveredEnd) : 0,
                        ];
                }

                $isModified = array_reduce($modifications, fn ($carry, $item) => $carry || $item['modified'], false);

                return [
                        'modified' => $isModified,
                        'revisionCount' => count($byteRanges),
                        'details' => $modifications,
                ];
        }

        /**
         * Validate if modifications are allowed by DocMDP level
         * ISO 32000-1 Table 254: P=1 (no changes), P=2 (form fill), P=3 (form fill + annotations)
         *
         * @return array Validation result with keys: valid, status, message
         */
        private function validateModifications(DocMdpLevel $docmdpLevel, array $modificationInfo, $pdfResource): array {
                if (!$modificationInfo['modified']) {
                        return $this->buildValidationResult(
                                true,
                                File::MODIFICATION_UNMODIFIED,
                                'Document has not been modified after signing'
                        );
                }

                if ($docmdpLevel === DocMdpLevel::NONE) {
                        return $this->buildValidationResult(
                                true,
                                File::MODIFICATION_ALLOWED,
                                'Document was modified after signing'
                        );
                }

                $modificationType = $this->analyzeModificationType($pdfResource, $modificationInfo);
                $allowedTypes = self::ALLOWED_MODIFICATIONS[$docmdpLevel->name] ?? null;

                if ($allowedTypes === null) {
                        return $this->buildValidationResult(
                                false,
                                File::MODIFICATION_VIOLATION,
                                'Invalid: Document was modified after signing (DocMDP violation)'
                        );
                }

                $isAllowed = in_array($modificationType, $allowedTypes, true);

                return $isAllowed
                        ? $this->buildValidationResult(
                                true,
                                File::MODIFICATION_ALLOWED,
                                $this->getAllowedModificationMessage($docmdpLevel)
                        )
                        : $this->buildValidationResult(
                                false,
                                File::MODIFICATION_VIOLATION,
                                $this->getViolationMessage($docmdpLevel)
                        );
        }

        /**
         * Build validation result array
         *
         * @param bool $valid Whether modification is valid
         * @param int $status Status constant from File class
         * @param string $messageKey Translation key
         * @return array Validation result
         */
        private function buildValidationResult(bool $valid, int $status, string $messageKey): array {
                return [
                        'valid' => $valid,
                        'status' => $status,
                        'message' => $this->l10n->t($messageKey),
                ];
        }

        /**
         * Get success message for allowed modification
         *
         * @param DocMdpLevel $level DocMDP permission level
         * @return string Translated message
         */
        private function getAllowedModificationMessage(DocMdpLevel $level): string {
                return match ($level) {
                        DocMdpLevel::NO_CHANGES => 'Invalid: Document was modified after signing (DocMDP violation - no changes allowed)',
                        DocMdpLevel::FORM_FILL => 'Document form fields were modified (allowed by DocMDP P=2)',
                        DocMdpLevel::FORM_FILL_AND_ANNOTATIONS => 'Document form fields or annotations were modified (allowed by DocMDP P=3)',
                        default => 'Document was modified after signing',
                };
        }

        /**
         * Get error message for modification violation
         *
         * @param DocMdpLevel $level DocMDP permission level
         * @return string Translated message
         */
        private function getViolationMessage(DocMdpLevel $level): string {
                return match ($level) {
                        DocMdpLevel::NO_CHANGES => 'Invalid: Document was modified after signing (DocMDP violation - no changes allowed)',
                        DocMdpLevel::FORM_FILL => 'Invalid: Document was modified after signing (DocMDP P=2 only allows form field changes)',
                        DocMdpLevel::FORM_FILL_AND_ANNOTATIONS => 'Invalid: Document was modified after signing (DocMDP P=3 only allows form fields and annotations)',
                        default => 'Invalid: Document was modified after signing (DocMDP violation)',
                };
        }

        /**
         * Analyze type of modification made to PDF after signing
         *
         * Patterns are checked in priority order (most specific first) to ensure
         * accurate classification when multiple patterns could match.
         *
         * @param resource $pdfResource PDF file resource
         * @param array $modificationInfo Modification detection info
         * @return string Modification type: signature, form_field, template, annotation, structural, unknown
         */
        private function analyzeModificationType($pdfResource, array $modificationInfo): string {
                if (empty($modificationInfo['details'])) {
                        return 'unknown';
                }

                rewind($pdfResource);
                $content = stream_get_contents($pdfResource);
                $coveredEnd = $modificationInfo['details'][0]['coveredBytes'];
                $modifiedContent = substr($content, $coveredEnd);

                $patterns = [
                        'signature' => '/\/Type\s*\/Sig/',
                        'form_field' => '/\/FT\s*\/(?:Tx|Ch|Btn)/',
                        'template' => '/\/Type\s*\/XObject\s*\/Subtype\s*\/Form/',
                        'annotation' => '/\/Type\s*\/Annot/',
                        'structural' => '/\/Type\s*\/Pages?/',
                ];

                foreach ($patterns as $type => $pattern) {
                        if (preg_match($pattern, $modifiedContent)) {
                                return $type;
                        }
                }

                return 'unknown';
        }

        /**
         * ISO 32000-1 12.8.2.2.1: A document can contain only one signature field that contains a DocMDP transform method
         */
        private function validateSingleDocMdpSignature(string $content): bool {
                $docmdpCount = preg_match_all('/\/TransformMethod\s*\/DocMDP/', $content);
                return $docmdpCount === 1;
        }

        /**
         * ISO 32000-1 12.8.2.2.1: DocMDP shall be the first signed field
         *
         * "First signed field" means first CERTIFYING signature (has /Reference)
         * that has been applied (/Contents present). Approval signatures (without
         * /Reference) don't count as they cannot have DocMDP.
         *
         * @return bool True if DocMDP is in first certifying signature
         */
        private function validateDocMdpIsFirstSignature(string $content): bool {
                $certifyingSignatures = $this->filterCertifyingSignatures($this->parsePdfObjects($content));

                if (empty($certifyingSignatures)) {
                        return false;
                }

                usort($certifyingSignatures, fn ($a, $b) => $a['position'] <=> $b['position']);

                return $this->signatureHasDocMdp($content, $certifyingSignatures[0]['dict']);
        }

        /**
         * Filter only certifying signatures from parsed objects
         *
         * @param array $objects Parsed PDF objects
         * @return array Certifying signatures with /Filter, /ByteRange, /Contents, /Reference
         */
        private function filterCertifyingSignatures(array $objects): array {
                return array_filter($objects, function ($obj) {
                        $dict = $obj['dict'];
                        return preg_match('/\/Filter\s*\//', $dict)
                                && preg_match('/\/ByteRange\s*\[/', $dict)
                                && preg_match('/\/Contents\s*</', $dict)
                                && preg_match('/\/Reference\s*\[/', $dict);
                });
        }

        /**
         * Check if signature dictionary has DocMDP (inline or indirect)
         *
         * @param string $content Full PDF content
         * @param string $dict Signature dictionary
         * @return bool True if has DocMDP
         */
        private function signatureHasDocMdp(string $content, string $dict): bool {
                if (preg_match('/\/Reference\s*\[.*?\/TransformMethod\s*\/DocMDP/s', $dict)) {
                        return true;
                }

                if (preg_match('/\/Reference\s*\[\s*(\d+)\s+\d+\s+R/', $dict, $refMatch)) {
                        $refPattern = '/' . $refMatch[1] . '\s+\d+\s+obj\s*<<.*?\/TransformMethod\s*\/DocMDP.*?>>.*?endobj/s';
                        return (bool)preg_match($refPattern, $content);
                }

                return false;
        }

        /**
         * ISO 32000-1 Table 252: Validate signature dictionary entries
         *
         * Required entries:
         * - /Type /Sig (optional, but if present must be /Sig)
         * - /Filter (Required) - signature handler name
         * - /ByteRange (Required for DocMDP) - byte ranges covered by signature
         *
         * @return bool True if signature dictionary is valid
         */
        private function validateSignatureDictionary(string $content): bool {
                $objects = $this->parsePdfObjects($content);
                $sigDict = $this->findSignatureDictionary($objects);

                if (!$sigDict) {
                        return false;
                }

                return $this->validateDictionaryEntries($sigDict);
        }

        /**
         * Find signature dictionary with /Reference entry
         *
         * @param array $objects Parsed PDF objects
         * @return string|null Dictionary content or null
         */
        private function findSignatureDictionary(array $objects): ?string {
                foreach ($objects as $obj) {
                        if (preg_match('/\/Reference\s*\[/', $obj['dict'])) {
                                return $obj['dict'];
                        }
                }
                return null;
        }

        /**
         * Validate signature dictionary entries per ISO Table 252
         *
         * @param string $dict Dictionary content
         * @return bool True if all required entries are valid
         */
        private function validateDictionaryEntries(string $dict): bool {
                if (preg_match('/\/Type\s*\/(\w+)/', $dict, $typeMatch) && $typeMatch[1] !== 'Sig') {
                        return false;
                }

                if (!preg_match('/\/Filter\s*\/[\w.]+/', $dict)) {
                        return false;
                }

                return (bool)preg_match('/\/ByteRange\s*\[/', $dict);
        }

        /**
         * ISO 32000-1 Table 253: Validate signature reference dictionary
         *
         * @return bool True if /TransformMethod /DocMDP is present (inline or indirect)
         */
        private function validateSignatureReference(string $content): bool {
                return (bool)preg_match('/\/TransformMethod\s*\/DocMDP/', $content);
        }
}

1	<?php
2
3	declare(strict_types=1);
4
5	/**
6	* SPDX-FileCopyrightText: 2025 LibreCode coop and contributors
7	* SPDX-License-Identifier: AGPL-3.0-or-later
8	*/
9
10	namespace OCA\Libresign\Handler;
11
12	use OCA\Libresign\Db\File;
13	use OCA\Libresign\Enum\DocMdpLevel;
14	use OCP\IL10N;
15
16	class DocMdpHandler {
17	/** @var array<string, string[]> Allowed modification types per DocMDP level */
18	private const ALLOWED_MODIFICATIONS = [
19	'NO_CHANGES' => [],
20	'FORM_FILL' => ['form_field', 'template', 'signature'],
21	'FORM_FILL_AND_ANNOTATIONS' => ['form_field', 'template', 'annotation', 'signature'],
22	];
23
24	public function __construct(
25	private IL10N $l10n,
26	) {
27	}	59✔
28
29	public function extractDocMdpData($resource): array {
30	if (!is_resource($resource)) {	32✔
NEW 31	return [];	×
32	}
33
34	$docmdpLevel = $this->extractDocMdpLevel($resource);	32✔
35
36	$result = [	32✔
37	'docmdp' => [	32✔
38	'level' => $docmdpLevel->value,	32✔
39	'label' => $docmdpLevel->getLabel($this->l10n),	32✔
40	'description' => $docmdpLevel->getDescription($this->l10n),	32✔
41	'isCertifying' => $docmdpLevel->isCertifying(),	32✔
42	],	32✔
43	];	32✔
44
45	$modificationInfo = $this->detectModifications($resource);	32✔
46	$result['modifications'] = $modificationInfo;	32✔
47
48	if ($modificationInfo['modified'] \|\| $docmdpLevel->isCertifying()) {	32✔
49	$validation = $this->validateModifications($docmdpLevel, $modificationInfo, $resource);	22✔
50	$result['modification_validation'] = $validation;	22✔
51	}
52
53	return $result;	32✔
54	}
55
56	/**
57	* Extract DocMDP permission level from PDF
58	*
59	* Validates ISO 32000-1 compliance:
60	* - 12.8.2.2.1: Only ONE DocMDP signature allowed
61	* - 12.8.2.2.1: DocMDP must be FIRST certifying signature
62	* - Table 252: Signature dictionary validation (/Type /Sig, /Filter, /ByteRange)
63	* - Table 253: Signature reference validation (/TransformMethod /DocMDP)
64	* - Table 254: TransformParams validation (/P, /V /1.2)
65	*
66	* @return DocMdpLevel Permission level (NONE, NO_CHANGES, FORM_FILL, FORM_FILL_AND_ANNOTATIONS)
67	*/
68	private function extractDocMdpLevel($pdfResource): DocMdpLevel {
69	rewind($pdfResource);	32✔
70	$content = stream_get_contents($pdfResource);	32✔
71
72	if (!$this->validateIsoCompliance($content)) {	32✔
73	return DocMdpLevel::NONE;	9✔
74	}
75
76	$pValue = $this->extractPValue($content);	23✔
77	if ($pValue === null) {	23✔
78	return DocMdpLevel::NONE;	3✔
79	}
80
81	return DocMdpLevel::tryFrom($pValue) ?? DocMdpLevel::NONE;	20✔
82	}
83
84	/**
85	* Validate all ISO 32000-1 DocMDP requirements
86	*
87	* @return bool True if all validations pass
88	*/
89	private function validateIsoCompliance(string $content): bool {
90	return $this->validateSingleDocMdpSignature($content)	32✔
91	&& $this->validateDocMdpIsFirstSignature($content)	32✔
92	&& $this->validateSignatureDictionary($content)	32✔
93	&& $this->validateSignatureReference($content);	32✔
94	}
95
96	/**
97	* Extract /P value from TransformParams (permission level)
98	* ISO 32000-1 Table 254: /P is optional, default 2
99	*
100	* @return int\|null Permission value (1, 2, or 3) or null if not found/invalid
101	*/
102	private function extractPValue(string $content): ?int {
103	if (preg_match('/\/Reference\s\[\s(\d+\s+\d+\s+R)/', $content, $refMatch)) {	23✔
104	$pValue = $this->extractPValueFromIndirectReference($content, $refMatch[1]);	2✔
105	if ($pValue !== null) {	2✔
106	return $pValue;	1✔
107	}
108	}
109
110	$inlinePattern = '/\/Reference\s\[\s<<.?\/TransformMethod\s\/DocMDP.?\/TransformParams\s<<.?\/P\s(\d+).?>>.?>>.*?\]/s';	22✔
111	if (preg_match($inlinePattern, $content, $matches)) {	22✔
112	if ($this->validateTransformParamsVersion($content, $matches[0])) {	21✔
113	return (int)$matches[1];	19✔
114	}
115	}
116
117	return null;	3✔
118	}
119
120	/**
121	* Extract /P value from indirect reference structure
122	*
123	* @param string $content Full PDF content
124	* @param string $indirectRef Reference like "7 0 R"
125	* @return int\|null Permission value or null
126	*/
127	private function extractPValueFromIndirectReference(string $content, string $indirectRef): ?int {
128	$objPattern = '/' . preg_quote($indirectRef, '/') . '.?obj\s<<.?\/TransformMethod\s\/DocMDP.?\/TransformParams\s(\d+\s+\d+\s+R\|<<.?\/P\s(\d+).*?>>)/s';	2✔
129
130	if (!preg_match($objPattern, $content, $objMatch)) {	2✔
NEW 131	return null;	×
132	}
133
134	if (isset($objMatch[2]) && is_numeric($objMatch[2])) {	2✔
NEW 135	if ($this->validateTransformParamsVersion($content, $objMatch[0])) {	×
NEW 136	return (int)$objMatch[2];	×
137	}
NEW 138	return null;	×
139	}
140
141	if (isset($objMatch[1]) && preg_match('/(\d+\s+\d+\s+R)/', $objMatch[1], $paramsRef)) {	2✔
142	$objNum = preg_replace('/\s+R$/', '', $paramsRef[1]);	2✔
143	$paramsPattern = '/' . preg_quote($objNum, '/') . '\s+obj\s(<<.?>>)\s*endobj/s';	2✔
144	if (preg_match($paramsPattern, $content, $paramsMatch)) {	2✔
145	if (preg_match('/\/P\s*(\d+)/', $paramsMatch[1], $pMatch)) {	2✔
146	if ($this->validateTransformParamsVersion($content, $paramsMatch[0])) {	2✔
147	return (int)$pMatch[1];	1✔
148	}
149	}
150	}
151	}
152
153	return null;	1✔
154	}
155
156	/**
157	* Parse all PDF objects (obj...endobj blocks) from content
158	* Handles multi-line dictionaries with nested angle brackets
159	*
160	* @return array Array of objects with keys: objNum, dict, position
161	*/
162	private function parsePdfObjects(string $content): array {
163	if (!preg_match_all('/(\d+)\s+\d+\s+obj\s(<<.?>>)\s*endobj/s', $content, $matches, PREG_SET_ORDER \| PREG_OFFSET_CAPTURE)) {	27✔
NEW 164	return [];	×
165	}
166
167	$objects = [];	27✔
168	foreach ($matches as $match) {	27✔
169	$objects[] = [	27✔
170	'objNum' => $match[1][0],	27✔
171	'dict' => $match[2][0],	27✔
172	'position' => $match[2][1],	27✔
173	];	27✔
174	}
175	return $objects;	27✔
176	}
177
178	/**
179	* ICP-Brasil DOC-ICP-15.03: Validate /V /1.2 in TransformParams
180	* ISO 32000-1 Table 254: /V is optional, default 1.2
181	*/
182	private function validateTransformParamsVersion(string $content, string $context): bool {
183	if (preg_match('/\/TransformParams\s*(\d+\s+\d+\s+R)/', $context, $paramsRef)) {	23✔
NEW 184	$objNum = preg_replace('/\s+R$/', '', $paramsRef[1]);	×
NEW 185	$paramsPattern = '/' . preg_quote($objNum, '/') . '\s+obj\s(<<.?>>)\s*endobj/s';	×
NEW 186	if (preg_match($paramsPattern, $content, $objMatch)) {	×
NEW 187	return preg_match('/\/V\s*\/1\.2/', $objMatch[1]) === 1;	×
188	}
NEW 189	return false;	×
190	}
191	return preg_match('/\/V\s*\/1\.2/', $context) === 1;	23✔
192	}
193
194	private function detectModifications($pdfResource): array {
195	rewind($pdfResource);	32✔
196	$content = stream_get_contents($pdfResource);	32✔
197	$fileSize = strlen($content);	32✔
198
199	preg_match_all(	32✔
200	'/ByteRange\s\[\s(?<offset1>\d+)\s+(?<length1>\d+)\s+(?<offset2>\d+)\s+(?<length2>\d+)\s*\]/',	32✔
201	$content,	32✔
202	$byteRanges,	32✔
203	PREG_SET_ORDER	32✔
204	);	32✔
205
206	if (empty($byteRanges)) {	32✔
207	return [	4✔
208	'modified' => false,	4✔
209	'revisionCount' => 0,	4✔
210	'details' => [],	4✔
211	];	4✔
212	}
213
214	$modifications = [];	28✔
215	foreach ($byteRanges as $index => $range) {	28✔
216	$coveredEnd = (int)$range['offset2'] + (int)$range['length2'];	28✔
217	$hasModifications = $coveredEnd < $fileSize;	28✔
218
219	$modifications[] = [	28✔
220	'signatureIndex' => $index,	28✔
221	'modified' => $hasModifications,	28✔
222	'coveredBytes' => $coveredEnd,	28✔
223	'totalBytes' => $fileSize,	28✔
224	'extraBytes' => $hasModifications ? ($fileSize - $coveredEnd) : 0,	28✔
225	];	28✔
226	}
227
228	$isModified = array_reduce($modifications, fn ($carry, $item) => $carry \|\| $item['modified'], false);	28✔
229
230	return [	28✔
231	'modified' => $isModified,	28✔
232	'revisionCount' => count($byteRanges),	28✔
233	'details' => $modifications,	28✔
234	];	28✔
235	}
236
237	/**
238	* Validate if modifications are allowed by DocMDP level
239	* ISO 32000-1 Table 254: P=1 (no changes), P=2 (form fill), P=3 (form fill + annotations)
240	*
241	* @return array Validation result with keys: valid, status, message
242	*/
243	private function validateModifications(DocMdpLevel $docmdpLevel, array $modificationInfo, $pdfResource): array {
244	if (!$modificationInfo['modified']) {	22✔
245	return $this->buildValidationResult(	6✔
246	true,	6✔
247	File::MODIFICATION_UNMODIFIED,	6✔
248	'Document has not been modified after signing'	6✔
249	);	6✔
250	}
251
252	if ($docmdpLevel === DocMdpLevel::NONE) {	16✔
253	return $this->buildValidationResult(	4✔
254	true,	4✔
255	File::MODIFICATION_ALLOWED,	4✔
256	'Document was modified after signing'	4✔
257	);	4✔
258	}
259
260	$modificationType = $this->analyzeModificationType($pdfResource, $modificationInfo);	12✔
261	$allowedTypes = self::ALLOWED_MODIFICATIONS[$docmdpLevel->name] ?? null;	12✔
262
263	if ($allowedTypes === null) {	12✔
NEW 264	return $this->buildValidationResult(	×
NEW 265	false,	×
NEW 266	File::MODIFICATION_VIOLATION,	×
NEW 267	'Invalid: Document was modified after signing (DocMDP violation)'	×
NEW 268	);	×
269	}
270
271	$isAllowed = in_array($modificationType, $allowedTypes, true);	12✔
272
273	return $isAllowed	12✔
274	? $this->buildValidationResult(	7✔
275	true,	7✔
276	File::MODIFICATION_ALLOWED,	7✔
277	$this->getAllowedModificationMessage($docmdpLevel)	7✔
278	)	7✔
279	: $this->buildValidationResult(	12✔
280	false,	12✔
281	File::MODIFICATION_VIOLATION,	12✔
282	$this->getViolationMessage($docmdpLevel)	12✔
283	);	12✔
284	}
285
286	/**
287	* Build validation result array
288	*
289	* @param bool $valid Whether modification is valid
290	* @param int $status Status constant from File class
291	* @param string $messageKey Translation key
292	* @return array Validation result
293	*/
294	private function buildValidationResult(bool $valid, int $status, string $messageKey): array {
295	return [	22✔
296	'valid' => $valid,	22✔
297	'status' => $status,	22✔
298	'message' => $this->l10n->t($messageKey),	22✔
299	];	22✔
300	}
301
302	/**
303	* Get success message for allowed modification
304	*
305	* @param DocMdpLevel $level DocMDP permission level
306	* @return string Translated message
307	*/
308	private function getAllowedModificationMessage(DocMdpLevel $level): string {
309	return match ($level) {
310	DocMdpLevel::NO_CHANGES => 'Invalid: Document was modified after signing (DocMDP violation - no changes allowed)',	7✔
311	DocMdpLevel::FORM_FILL => 'Document form fields were modified (allowed by DocMDP P=2)',	7✔
312	DocMdpLevel::FORM_FILL_AND_ANNOTATIONS => 'Document form fields or annotations were modified (allowed by DocMDP P=3)',	4✔
313	default => 'Document was modified after signing',	7✔
314	};
315	}
316
317	/**
318	* Get error message for modification violation
319	*
320	* @param DocMdpLevel $level DocMDP permission level
321	* @return string Translated message
322	*/
323	private function getViolationMessage(DocMdpLevel $level): string {
324	return match ($level) {
325	DocMdpLevel::NO_CHANGES => 'Invalid: Document was modified after signing (DocMDP violation - no changes allowed)',	5✔
326	DocMdpLevel::FORM_FILL => 'Invalid: Document was modified after signing (DocMDP P=2 only allows form field changes)',	2✔
327	DocMdpLevel::FORM_FILL_AND_ANNOTATIONS => 'Invalid: Document was modified after signing (DocMDP P=3 only allows form fields and annotations)',	1✔
328	default => 'Invalid: Document was modified after signing (DocMDP violation)',	5✔
329	};
330	}
331
332	/**
333	* Analyze type of modification made to PDF after signing
334	*
335	* Patterns are checked in priority order (most specific first) to ensure
336	* accurate classification when multiple patterns could match.
337	*
338	* @param resource $pdfResource PDF file resource
339	* @param array $modificationInfo Modification detection info
340	* @return string Modification type: signature, form_field, template, annotation, structural, unknown
341	*/
342	private function analyzeModificationType($pdfResource, array $modificationInfo): string {
343	if (empty($modificationInfo['details'])) {	12✔
NEW 344	return 'unknown';	×
345	}
346
347	rewind($pdfResource);	12✔
348	$content = stream_get_contents($pdfResource);	12✔
349	$coveredEnd = $modificationInfo['details'][0]['coveredBytes'];	12✔
350	$modifiedContent = substr($content, $coveredEnd);	12✔
351
352	$patterns = [	12✔
353	'signature' => '/\/Type\s*\/Sig/',	12✔
354	'form_field' => '/\/FT\s*\/(?:Tx\|Ch\|Btn)/',	12✔
355	'template' => '/\/Type\s\/XObject\s\/Subtype\s*\/Form/',	12✔
356	'annotation' => '/\/Type\s*\/Annot/',	12✔
357	'structural' => '/\/Type\s*\/Pages?/',	12✔
358	];	12✔
359
360	foreach ($patterns as $type => $pattern) {	12✔
361	if (preg_match($pattern, $modifiedContent)) {	12✔
362	return $type;	12✔
363	}
364	}
365
NEW 366	return 'unknown';	×
367	}
368
369	/**
370	* ISO 32000-1 12.8.2.2.1: A document can contain only one signature field that contains a DocMDP transform method
371	*/
372	private function validateSingleDocMdpSignature(string $content): bool {
373	$docmdpCount = preg_match_all('/\/TransformMethod\s*\/DocMDP/', $content);	32✔
374	return $docmdpCount === 1;	32✔
375	}
376
377	/**
378	* ISO 32000-1 12.8.2.2.1: DocMDP shall be the first signed field
379	*
380	* "First signed field" means first CERTIFYING signature (has /Reference)
381	* that has been applied (/Contents present). Approval signatures (without
382	* /Reference) don't count as they cannot have DocMDP.
383	*
384	* @return bool True if DocMDP is in first certifying signature
385	*/
386	private function validateDocMdpIsFirstSignature(string $content): bool {
387	$certifyingSignatures = $this->filterCertifyingSignatures($this->parsePdfObjects($content));	27✔
388
389	if (empty($certifyingSignatures)) {	27✔
390	return false;	4✔
391	}
392
393	usort($certifyingSignatures, fn ($a, $b) => $a['position'] <=> $b['position']);	23✔
394
395	return $this->signatureHasDocMdp($content, $certifyingSignatures[0]['dict']);	23✔
396	}
397
398	/**
399	* Filter only certifying signatures from parsed objects
400	*
401	* @param array $objects Parsed PDF objects
402	* @return array Certifying signatures with /Filter, /ByteRange, /Contents, /Reference
403	*/
404	private function filterCertifyingSignatures(array $objects): array {
405	return array_filter($objects, function ($obj) {	27✔
406	$dict = $obj['dict'];	27✔
407	return preg_match('/\/Filter\s*\//', $dict)	27✔
408	&& preg_match('/\/ByteRange\s*\[/', $dict)	27✔
409	&& preg_match('/\/Contents\s*</', $dict)	27✔
410	&& preg_match('/\/Reference\s*\[/', $dict);	27✔
411	});	27✔
412	}
413
414	/**
415	* Check if signature dictionary has DocMDP (inline or indirect)
416	*
417	* @param string $content Full PDF content
418	* @param string $dict Signature dictionary
419	* @return bool True if has DocMDP
420	*/
421	private function signatureHasDocMdp(string $content, string $dict): bool {
422	if (preg_match('/\/Reference\s\[.?\/TransformMethod\s*\/DocMDP/s', $dict)) {	23✔
423	return true;	21✔
424	}
425
426	if (preg_match('/\/Reference\s\[\s(\d+)\s+\d+\s+R/', $dict, $refMatch)) {	2✔
427	$refPattern = '/' . $refMatch[1] . '\s+\d+\s+obj\s<<.?\/TransformMethod\s\/DocMDP.?>>.*?endobj/s';	2✔
428	return (bool)preg_match($refPattern, $content);	2✔
429	}
430
NEW 431	return false;	×
432	}
433
434	/**
435	* ISO 32000-1 Table 252: Validate signature dictionary entries
436	*
437	* Required entries:
438	* - /Type /Sig (optional, but if present must be /Sig)
439	* - /Filter (Required) - signature handler name
440	* - /ByteRange (Required for DocMDP) - byte ranges covered by signature
441	*
442	* @return bool True if signature dictionary is valid
443	*/
444	private function validateSignatureDictionary(string $content): bool {
445	$objects = $this->parsePdfObjects($content);	23✔
446	$sigDict = $this->findSignatureDictionary($objects);	23✔
447
448	if (!$sigDict) {	23✔
NEW 449	return false;	×
450	}
451
452	return $this->validateDictionaryEntries($sigDict);	23✔
453	}
454
455	/**
456	* Find signature dictionary with /Reference entry
457	*
458	* @param array $objects Parsed PDF objects
459	* @return string\|null Dictionary content or null
460	*/
461	private function findSignatureDictionary(array $objects): ?string {
462	foreach ($objects as $obj) {	23✔
463	if (preg_match('/\/Reference\s*\[/', $obj['dict'])) {	23✔
464	return $obj['dict'];	23✔
465	}
466	}
NEW 467	return null;	×
468	}
469
470	/**
471	* Validate signature dictionary entries per ISO Table 252
472	*
473	* @param string $dict Dictionary content
474	* @return bool True if all required entries are valid
475	*/
476	private function validateDictionaryEntries(string $dict): bool {
477	if (preg_match('/\/Type\s*\/(\w+)/', $dict, $typeMatch) && $typeMatch[1] !== 'Sig') {	23✔
NEW 478	return false;	×
479	}
480
481	if (!preg_match('/\/Filter\s*\/[\w.]+/', $dict)) {	23✔
NEW 482	return false;	×
483	}
484
485	return (bool)preg_match('/\/ByteRange\s*\[/', $dict);	23✔
486	}
487
488	/**
489	* ISO 32000-1 Table 253: Validate signature reference dictionary
490	*
491	* @return bool True if /TransformMethod /DocMDP is present (inline or indirect)
492	*/
493	private function validateSignatureReference(string $content): bool {
494	return (bool)preg_match('/\/TransformMethod\s*\/DocMDP/', $content);	23✔
495	}
496	}

LibreSign / libresign / 19993337372

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous