20819945179

Committed 08 Jan 2026 02:19PM UTC coverage: 44.612%. First build

Build # 20819945179

Build Type

Pull #6415

github

Committed by

web-flow

Commit Message

Merge b8f8ee862 into 7ea6fe959

Pull Request Pull Request #6415: fix: handle error when sign pdf

Run Details

0 of 25 new or added lines in 2 files covered. (0.0%)

6731 of 15088 relevant lines covered (44.61%)

5.01 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

15.77

/lib/Handler/SignEngine/JSignPdfHandler.php

<?php

declare(strict_types=1);
/**
 * SPDX-FileCopyrightText: 2020-2024 LibreCode coop and contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

namespace OCA\Libresign\Handler\SignEngine;

use Imagick;
use ImagickPixel;
use OCA\Libresign\AppInfo\Application;
use OCA\Libresign\Exception\LibresignException;
use OCA\Libresign\Handler\CertificateEngine\CertificateEngineFactory;
use OCA\Libresign\Helper\JavaHelper;
use OCA\Libresign\Service\DocMdpConfigService;
use OCA\Libresign\Service\Install\InstallService;
use OCA\Libresign\Service\SignatureBackgroundService;
use OCA\Libresign\Service\SignatureTextService;
use OCA\Libresign\Service\SignerElementsService;
use OCA\Libresign\Vendor\Jeidison\JSignPDF\JSignPDF;
use OCA\Libresign\Vendor\Jeidison\JSignPDF\Sign\JSignParam;
use OCP\Files\File;
use OCP\IAppConfig;
use OCP\ITempManager;
use Psr\Log\LoggerInterface;

class JSignPdfHandler extends Pkcs12Handler {
        /** @var JSignPDF */
        private $jSignPdf;
        /** @var JSignParam */
        private $jSignParam;
        private array $parsedSignatureText = [];

        public function __construct(
                private IAppConfig $appConfig,
                private LoggerInterface $logger,
                private SignatureTextService $signatureTextService,
                private ITempManager $tempManager,
                private SignatureBackgroundService $signatureBackgroundService,
                protected CertificateEngineFactory $certificateEngineFactory,
                protected JavaHelper $javaHelper,
                private DocMdpConfigService $docMdpConfigService,
        ) {
        }

        public function setJSignPdf(JSignPDF $jSignPdf): void {
                $this->jSignPdf = $jSignPdf;
        }

        public function getJSignPdf(): JSignPDF {
                if (!$this->jSignPdf) {
                        // @codeCoverageIgnoreStart
                        $this->setJSignPdf(new JSignPDF());
                        // @codeCoverageIgnoreEnd
                }
                return $this->jSignPdf;
        }

        /**
         * @psalm-suppress MixedReturnStatement
         */
        public function getJSignParam(): JSignParam {
                if (!$this->jSignParam) {
                        $javaPath = $this->javaHelper->getJavaPath();
                        $tempPath = $this->appConfig->getValueString(Application::APP_ID, 'jsignpdf_temp_path', sys_get_temp_dir() . DIRECTORY_SEPARATOR);
                        if (!is_writable($tempPath)) {
                                throw new \Exception('The path ' . $tempPath . ' is not writtable. Fix this or change the LibreSign app setting jsignpdf_temp_path to a writtable path');
                        }
                        $jSignPdfJarPath = $this->appConfig->getValueString(Application::APP_ID, 'jsignpdf_jar_path', '/opt/jsignpdf-' . InstallService::JSIGNPDF_VERSION . '/JSignPdf.jar');
                        if (!file_exists($jSignPdfJarPath)) {
                                throw new \Exception('Invalid JSignPdf jar path. Run occ libresign:install --jsignpdf');
                        }
                        $this->jSignParam = (new JSignParam())
                                ->setTempPath($tempPath)
                                ->setIsUseJavaInstalled(empty($javaPath))
                                ->setJavaDownloadUrl('')
                                ->setJSignPdfDownloadUrl('')
                                ->setjSignPdfJarPath($jSignPdfJarPath);
                        if (!empty($javaPath)) {
                                if (!file_exists($javaPath)) {
                                        throw new \Exception('Invalid Java binary. Run occ libresign:install --java');
                                }
                                $this->jSignParam->setJavaPath(
                                        $this->getEnvironments()
                                        . $javaPath
                                        . ' -Duser.home=' . escapeshellarg($this->getHome()) . ' '
                                );
                        }

                        $certificationLevel = $this->getCertificationLevel();
                        if ($certificationLevel !== null) {
                                $this->jSignParam->setJSignParameters(' -cl ' . $certificationLevel);
                        }
                }
                return $this->jSignParam;
        }

        private function getEnvironments(): string {
                return 'JSIGNPDF_HOME=' . escapeshellarg($this->getHome()) . ' ';
        }

        /**
         * It's a workaround to create the folder structure that JSignPdf needs. Without
         * this, the JSignPdf will return the follow message to all commands:
         * > FINE Config file conf/conf.properties doesn't exists.
         * > FINE Default property file /root/.JSignPdf doesn't exists.
         */
        private function getHome(): string {
                $jSignPdfHome = $this->appConfig->getValueString(Application::APP_ID, 'jsignpdf_home', '');
                if ($jSignPdfHome && is_dir($jSignPdfHome)) {
                        return $jSignPdfHome;
                }
                $jsignpdfTempFolder = $this->tempManager->getTemporaryFolder('jsignpdf');
                if (!$jsignpdfTempFolder) {
                        throw new \Exception('Temporary file not accessible');
                }
                mkdir(
                        directory: $jsignpdfTempFolder . '/conf',
                        recursive: true
                );
                $configFile = fopen($jsignpdfTempFolder . '/conf/conf.properties', 'w');
                fclose($configFile);
                $propertyFile = fopen($jsignpdfTempFolder . '/.JSignPdf', 'w');
                fclose($propertyFile);
                return $jsignpdfTempFolder;
        }

        private function getHashAlgorithm(): string {
                $hashAlgorithm = $this->appConfig->getValueString(Application::APP_ID, 'signature_hash_algorithm', 'SHA256');
                /**
                 * Need to respect the follow code:
                 * https://github.com/intoolswetrust/jsignpdf/blob/JSignPdf_2_2_2/jsignpdf/src/main/java/net/sf/jsignpdf/types/HashAlgorithm.java#L46-L47
                 */
                $content = $this->getInputFile()->getContent();
                preg_match('/^%PDF-(?<version>\d+(\.\d+)?)/', $content, $match);
                if (isset($match['version'])) {
                        $version = (float)$match['version'];
                        if ($version < 1.6) {
                                return 'SHA1';
                        }
                        if ($version < 1.7) {
                                return 'SHA256';
                        }
                        if ($version >= 1.7 && $hashAlgorithm === 'SHA1') {
                                return 'SHA256';
                        }
                }

                if (in_array($hashAlgorithm, ['SHA1', 'SHA256', 'SHA384', 'SHA512', 'RIPEMD160'])) {
                        return $hashAlgorithm;
                }
                return 'SHA256';
        }

        private function getCertificationLevel(): ?string {
                if (!$this->docMdpConfigService->isEnabled()) {
                        return null;
                }

                return $this->docMdpConfigService->getLevel()->name;
        }

        #[\Override]
        public function sign(): File {
                $this->beforeSign();

                $signedContent = $this->getSignedContent();
                $this->getInputFile()->putContent($signedContent);
                return $this->getInputFile();
        }

        #[\Override]
        public function getSignedContent(): string {
                $param = $this->getJSignParam()
                        ->setCertificate($this->getCertificate())
                        ->setPdf($this->getInputFile()->getContent())
                        ->setPassword($this->getPassword());

                $signed = $this->signUsingVisibleElements();
                if ($signed) {
                        return $signed;
                }
                $jSignPdf = $this->getJSignPdf();
                $jSignPdf->setParam($param);
                return $this->signWrapper($jSignPdf);
        }

        private function signUsingVisibleElements(): string {
                $visibleElements = $this->getVisibleElements();
                if ($visibleElements) {
                        $jSignPdf = $this->getJSignPdf();

                        $renderMode = $this->signatureTextService->getRenderMode();

                        $params = [
                                '--l2-text' => $this->getSignatureText(),
                                '-V' => null,
                        ];

                        $fontSize = $this->parseSignatureText()['templateFontSize'];
                        if ($fontSize === 10.0 || !$fontSize || $params['--l2-text'] === '""') {
                                $fontSize = 0;
                        }

                        $backgroundType = $this->signatureBackgroundService->getSignatureBackgroundType();
                        if ($backgroundType !== 'deleted') {
                                $backgroundPath = $this->signatureBackgroundService->getImagePath();
                        } else {
                                $backgroundPath = '';
                        }

                        $param = $this->getJSignParam();
                        $originalParam = clone $param;

                        foreach ($visibleElements as $element) {
                                $params['-pg'] = $element->getFileElement()->getPage();
                                if ($params['-pg'] <= 1) {
                                        unset($params['-pg']);
                                }
                                $params['-llx'] = $element->getFileElement()->getLlx();
                                $params['-lly'] = $element->getFileElement()->getLly();
                                $params['-urx'] = $element->getFileElement()->getUrx();
                                $params['-ury'] = $element->getFileElement()->getUry();

                                $scaleFactor = $this->getScaleFactor($params['-urx'] - $params['-llx']);
                                if ($fontSize) {
                                        $params['--font-size'] = $fontSize * $scaleFactor;
                                }

                                $signatureImagePath = $element->getTempFile();
                                if ($backgroundType === 'deleted') {
                                        if ($renderMode === SignerElementsService::RENDER_MODE_SIGNAME_AND_DESCRIPTION) {
                                                $params['--render-mode'] = SignerElementsService::RENDER_MODE_GRAPHIC_AND_DESCRIPTION;
                                                $params['--img-path'] = $this->createTextImage(
                                                        width: ($params['-urx'] - $params['-llx']),
                                                        height: ($params['-ury'] - $params['-lly']),
                                                        fontSize: $this->signatureTextService->getSignatureFontSize() * $scaleFactor,
                                                        scaleFactor: $scaleFactor < 5 ? 5 : $scaleFactor,
                                                );
                                        } elseif ($signatureImagePath) {
                                                $params['--bg-path'] = $signatureImagePath;
                                        }
                                } elseif ($params['--l2-text'] === '""') {
                                        if ($backgroundPath) {
                                                $params['--bg-path'] = $this->mergeBackgroundWithSignature(
                                                        $backgroundPath,
                                                        $signatureImagePath,
                                                        $scaleFactor < 5 ? 5 : $scaleFactor
                                                );
                                        } else {
                                                $params['--bg-path'] = $signatureImagePath;
                                        }
                                } else {
                                        if ($renderMode === SignerElementsService::RENDER_MODE_GRAPHIC_AND_DESCRIPTION) {
                                                $params['--render-mode'] = SignerElementsService::RENDER_MODE_GRAPHIC_AND_DESCRIPTION;
                                                $params['--bg-path'] = $backgroundPath;
                                                $params['--img-path'] = $signatureImagePath;
                                        } elseif ($renderMode === SignerElementsService::RENDER_MODE_SIGNAME_AND_DESCRIPTION) {
                                                $params['--render-mode'] = SignerElementsService::RENDER_MODE_GRAPHIC_AND_DESCRIPTION;
                                                $params['--bg-path'] = $backgroundPath;
                                                $params['--img-path'] = $this->createTextImage(
                                                        width: (int)(($params['-urx'] - $params['-llx']) / 2),
                                                        height: $params['-ury'] - $params['-lly'],
                                                        fontSize: $this->signatureTextService->getSignatureFontSize() * $scaleFactor,
                                                        scaleFactor: $scaleFactor < 5 ? 5 : $scaleFactor,
                                                );

                                        } else {
                                                // --render-mode DESCRIPTION_ONLY, this is the default
                                                // render-mode, because this, is unecessary to set here
                                                $params['--bg-path'] = $backgroundPath;
                                        }
                                }

                                $param->setJSignParameters(
                                        $originalParam->getJSignParameters()
                                        . $this->listParamsToString($params)
                                );
                                $jSignPdf->setParam($param);
                                $signed = $this->signWrapper($jSignPdf);
                                $param->setPdf($signed);
                        }
                        return $signed;
                }
                return '';
        }

        private function getScaleFactor(float $width): float {
                $systemWidth = $this->signatureTextService->getFullSignatureWidth();
                if (!$systemWidth) {
                        return 1;
                }
                $widthScale = $width / $systemWidth;
                return $widthScale;
        }


        #[\Override]
        public function readCertificate(): array {
                $result = $this->certificateEngineFactory
                        ->getEngine()
                        ->readCertificate(
                                $this->getCertificate(),
                                $this->getPassword()
                        );

                if (!is_array($result)) {
                        throw new \RuntimeException('Failed to read certificate data');
                }

                return $result;
        }

        private function createTextImage(int $width, int $height, float $fontSize, float $scaleFactor): string {
                $params = $this->getSignatureParams();
                if (!empty($params['SignerCommonName'])) {
                        $commonName = $params['SignerCommonName'];
                } else {
                        $certificateData = $this->readCertificate();
                        $commonName = $certificateData['subject']['CN'] ?? throw new \RuntimeException('Certificate must have a Common Name (CN) in subject field');
                }
                $content = $this->signatureTextService->signerNameImage(
                        width: $width,
                        height: $height,
                        text: $commonName,
                        fontSize: $fontSize,
                        scale: $scaleFactor,
                );

                $tmpPath = $this->tempManager->getTemporaryFile('_text_image.png');
                if (!$tmpPath) {
                        throw new \Exception('Temporary file not accessible');
                }
                file_put_contents($tmpPath, $content);
                return $tmpPath;
        }

        private function mergeBackgroundWithSignature(string $backgroundPath, string $signaturePath, float $scaleFactor): string {
                if (!extension_loaded('imagick')) {
                        throw new \Exception('Extension imagick is not loaded.');
                }
                $baseWidth = $this->signatureTextService->getFullSignatureWidth();
                $baseHeight = $this->signatureTextService->getFullSignatureHeight();

                $canvasWidth = round($baseWidth * $scaleFactor);
                $canvasHeight = round($baseHeight * $scaleFactor);

                $background = new Imagick($backgroundPath);
                $signature = new Imagick($signaturePath);

                $background->setImageFormat('png');
                $signature->setImageFormat('png');

                $background->setImageAlphaChannel(Imagick::ALPHACHANNEL_ACTIVATE);
                $signature->setImageAlphaChannel(Imagick::ALPHACHANNEL_ACTIVATE);

                $background->resizeImage(
                        (int)round($background->getImageWidth() * $scaleFactor),
                        (int)round($background->getImageHeight() * $scaleFactor),
                        Imagick::FILTER_LANCZOS,
                        1
                );

                $signature->resizeImage(
                        (int)round($signature->getImageWidth() * $scaleFactor),
                        (int)round($signature->getImageHeight() * $scaleFactor),
                        Imagick::FILTER_LANCZOS,
                        1
                );

                $canvas = new Imagick();
                $canvas->newImage((int)$canvasWidth, (int)$canvasHeight, new ImagickPixel('transparent'));
                $canvas->setImageFormat('png32');
                $canvas->setImageAlphaChannel(Imagick::ALPHACHANNEL_ACTIVATE);

                $bgX = (int)(($canvasWidth - $background->getImageWidth()) / 2);
                $bgY = (int)(($canvasHeight - $background->getImageHeight()) / 2);
                $canvas->compositeImage($background, Imagick::COMPOSITE_OVER, $bgX, $bgY);

                $sigX = (int)(($canvasWidth - $signature->getImageWidth()) / 2);
                $sigY = (int)(($canvasHeight - $signature->getImageHeight()) / 2);
                $canvas->compositeImage($signature, Imagick::COMPOSITE_OVER, $sigX, $sigY);

                $tmpPath = $this->tempManager->getTemporaryFile('_merged.png');
                if (!$tmpPath) {
                        throw new \Exception('Temporary file not accessible');
                }
                $canvas->writeImage($tmpPath);

                $canvas->clear();
                $background->clear();
                $signature->clear();

                return $tmpPath;
        }

        private function parseSignatureText(): array {
                if (!$this->parsedSignatureText) {
                        $params = $this->getSignatureParams();
                        $params['ServerSignatureDate'] = '${timestamp}';
                        $this->parsedSignatureText = $this->signatureTextService->parse(context: $params);
                }
                return $this->parsedSignatureText;
        }

        public function getSignatureText(): string {
                $renderMode = $this->signatureTextService->getRenderMode();
                if ($renderMode !== 'GRAPHIC_ONLY') {
                        $data = $this->parseSignatureText();
                        $signatureText = '"' . str_replace(
                                ['"', '$'],
                                ['\"', '\$'],
                                $data['parsed']
                        ) . '"';
                } else {
                        $signatureText = '""';
                }

                return $signatureText;
        }

        private function listParamsToString(array $params): string {
                $paramString = '';
                foreach ($params as $flag => $value) {
                        $paramString .= ' ' . $flag;
                        if ($value !== null && $value !== '') {
                                $paramString .= ' ' . $value;
                        }
                }
                return $paramString;
        }

        private function getTsaParameters(): array {
                $tsaUrl = $this->appConfig->getValueString(Application::APP_ID, 'tsa_url', '');
                if (empty($tsaUrl)) {
                        return [];
                }

                $params = [
                        '--tsa-server-url' => $tsaUrl,
                        '--tsa-policy-oid' => $this->appConfig->getValueString(Application::APP_ID, 'tsa_policy_oid', ''),
                ];

                if (!$params['--tsa-policy-oid']) {
                        unset($params['--tsa-policy-oid']);
                }

                $tsaAuthType = $this->appConfig->getValueString(Application::APP_ID, 'tsa_auth_type', 'none');
                if ($tsaAuthType === 'basic') {
                        $tsaUsername = $this->appConfig->getValueString(Application::APP_ID, 'tsa_username', '');
                        $tsaPassword = $this->appConfig->getValueString(Application::APP_ID, 'tsa_password', '');

                        if (!empty($tsaUsername) && !empty($tsaPassword)) {
                                $params['--tsa-authentication'] = 'PASSWORD';
                                $params['--tsa-user'] = $tsaUsername;
                                $params['--tsa-password'] = $tsaPassword;
                        }
                }

                return $params;
        }

        private function signWrapper(JSignPDF $jSignPDF): string {
                try {
                        $params = [
                                '--hash-algorithm' => $this->getHashAlgorithm(),
                        ];

                        $params = array_merge($params, $this->getTsaParameters());
                        $param = $this->getJSignParam();
                        $param
                                ->setJSignParameters(
                                        $this->jSignParam->getJSignParameters()
                                        . $this->listParamsToString($params)
                                );
                        $jSignPDF->setParam($param);
                        return $jSignPDF->sign();
                } catch (\Throwable $th) {
                        $errorMessage = $th->getMessage();

                        $this->checkTsaError($errorMessage);
                        $this->checkHashAlgorithmError($errorMessage);

                        $this->logger->error('Error at JSignPdf side. LibreSign can not do nothing. Follow the error message: ' . $errorMessage);
                        throw new \Exception($errorMessage);
                }
        }

        private function checkTsaError(string $errorMessage): void {
                $tsaErrors = ['TSAClientBouncyCastle', 'UnknownHostException', 'Invalid TSA', 'Creating of signature failed'];
                $isTsaError = false;
                foreach ($tsaErrors as $error) {
                        if (str_contains($errorMessage, $error)) {
                                $isTsaError = true;
                                break;
                        }
                }

                if ($isTsaError) {
                        if (str_contains($errorMessage, 'Invalid TSA') && preg_match("/Invalid TSA '([^']+)'/", $errorMessage, $matches)) {
                                $friendlyMessage = 'Timestamp Authority (TSA) service is unavailable or misconfigured: ' . $matches[1];
                        } else {
                                $friendlyMessage = 'Timestamp Authority (TSA) service error.' . "\n"
                                        . 'Please check the TSA configuration.';
                        }
                        throw new LibresignException($friendlyMessage);
                }
        }

        private function checkHashAlgorithmError(string $errorMessage): void {
                $rows = str_getcsv($errorMessage);
                $hashAlgorithm = array_filter($rows, fn ($r) => str_contains((string)$r, 'The chosen hash algorithm'));

                if (!empty($hashAlgorithm)) {
                        $hashAlgorithm = current($hashAlgorithm);
                        $hashAlgorithm = trim((string)$hashAlgorithm, 'INFO ');
                        $hashAlgorithm = str_replace('\"', '"', $hashAlgorithm);
                        $hashAlgorithm = preg_replace('/\.( )/', ".\n", $hashAlgorithm);
                        throw new LibresignException($hashAlgorithm);
                }
        }
}

1	<?php
2
3	declare(strict_types=1);
4	/**
5	* SPDX-FileCopyrightText: 2020-2024 LibreCode coop and contributors
6	* SPDX-License-Identifier: AGPL-3.0-or-later
7	*/
8
9	namespace OCA\Libresign\Handler\SignEngine;
10
11	use Imagick;
12	use ImagickPixel;
13	use OCA\Libresign\AppInfo\Application;
14	use OCA\Libresign\Exception\LibresignException;
15	use OCA\Libresign\Handler\CertificateEngine\CertificateEngineFactory;
16	use OCA\Libresign\Helper\JavaHelper;
17	use OCA\Libresign\Service\DocMdpConfigService;
18	use OCA\Libresign\Service\Install\InstallService;
19	use OCA\Libresign\Service\SignatureBackgroundService;
20	use OCA\Libresign\Service\SignatureTextService;
21	use OCA\Libresign\Service\SignerElementsService;
22	use OCA\Libresign\Vendor\Jeidison\JSignPDF\JSignPDF;
23	use OCA\Libresign\Vendor\Jeidison\JSignPDF\Sign\JSignParam;
24	use OCP\Files\File;
25	use OCP\IAppConfig;
26	use OCP\ITempManager;
27	use Psr\Log\LoggerInterface;
28
29	class JSignPdfHandler extends Pkcs12Handler {
30	/** @var JSignPDF */
31	private $jSignPdf;
32	/** @var JSignParam */
33	private $jSignParam;
34	private array $parsedSignatureText = [];
35
36	public function __construct(
37	private IAppConfig $appConfig,
38	private LoggerInterface $logger,
39	private SignatureTextService $signatureTextService,
40	private ITempManager $tempManager,
41	private SignatureBackgroundService $signatureBackgroundService,
42	protected CertificateEngineFactory $certificateEngineFactory,
43	protected JavaHelper $javaHelper,
44	private DocMdpConfigService $docMdpConfigService,
45	) {
46	}	24✔
47
48	public function setJSignPdf(JSignPDF $jSignPdf): void {
49	$this->jSignPdf = $jSignPdf;	×
50	}
51
52	public function getJSignPdf(): JSignPDF {
53	if (!$this->jSignPdf) {	×
54	// @codeCoverageIgnoreStart
55	$this->setJSignPdf(new JSignPDF());
56	// @codeCoverageIgnoreEnd
57	}
58	return $this->jSignPdf;	×
59	}
60
61	/**
62	* @psalm-suppress MixedReturnStatement
63	*/
64	public function getJSignParam(): JSignParam {
65	if (!$this->jSignParam) {	8✔
66	$javaPath = $this->javaHelper->getJavaPath();	8✔
67	$tempPath = $this->appConfig->getValueString(Application::APP_ID, 'jsignpdf_temp_path', sys_get_temp_dir() . DIRECTORY_SEPARATOR);	8✔
68	if (!is_writable($tempPath)) {	8✔
69	throw new \Exception('The path ' . $tempPath . ' is not writtable. Fix this or change the LibreSign app setting jsignpdf_temp_path to a writtable path');	2✔
70	}
71	$jSignPdfJarPath = $this->appConfig->getValueString(Application::APP_ID, 'jsignpdf_jar_path', '/opt/jsignpdf-' . InstallService::JSIGNPDF_VERSION . '/JSignPdf.jar');	6✔
72	if (!file_exists($jSignPdfJarPath)) {	6✔
73	throw new \Exception('Invalid JSignPdf jar path. Run occ libresign:install --jsignpdf');	1✔
74	}
75	$this->jSignParam = (new JSignParam())	5✔
76	->setTempPath($tempPath)	5✔
77	->setIsUseJavaInstalled(empty($javaPath))	5✔
78	->setJavaDownloadUrl('')	5✔
79	->setJSignPdfDownloadUrl('')	5✔
80	->setjSignPdfJarPath($jSignPdfJarPath);	5✔
81	if (!empty($javaPath)) {	5✔
82	if (!file_exists($javaPath)) {	4✔
83	throw new \Exception('Invalid Java binary. Run occ libresign:install --java');	2✔
84	}
85	$this->jSignParam->setJavaPath(	2✔
86	$this->getEnvironments()	2✔
87	. $javaPath	2✔
88	. ' -Duser.home=' . escapeshellarg($this->getHome()) . ' '	2✔
89	);	2✔
90	}
91
92	$certificationLevel = $this->getCertificationLevel();	3✔
93	if ($certificationLevel !== null) {	3✔
94	$this->jSignParam->setJSignParameters(' -cl ' . $certificationLevel);	×
95	}
96	}
97	return $this->jSignParam;	3✔
98	}
99
100	private function getEnvironments(): string {
101	return 'JSIGNPDF_HOME=' . escapeshellarg($this->getHome()) . ' ';	2✔
102	}
103
104	/**
105	* It's a workaround to create the folder structure that JSignPdf needs. Without
106	* this, the JSignPdf will return the follow message to all commands:
107	* > FINE Config file conf/conf.properties doesn't exists.
108	* > FINE Default property file /root/.JSignPdf doesn't exists.
109	*/
110	private function getHome(): string {
111	$jSignPdfHome = $this->appConfig->getValueString(Application::APP_ID, 'jsignpdf_home', '');	2✔
112	if ($jSignPdfHome && is_dir($jSignPdfHome)) {	2✔
113	return $jSignPdfHome;	2✔
114	}
115	$jsignpdfTempFolder = $this->tempManager->getTemporaryFolder('jsignpdf');	×
116	if (!$jsignpdfTempFolder) {	×
117	throw new \Exception('Temporary file not accessible');	×
118	}
119	mkdir(	×
120	directory: $jsignpdfTempFolder . '/conf',	×
121	recursive: true	×
122	);	×
123	$configFile = fopen($jsignpdfTempFolder . '/conf/conf.properties', 'w');	×
124	fclose($configFile);	×
125	$propertyFile = fopen($jsignpdfTempFolder . '/.JSignPdf', 'w');	×
126	fclose($propertyFile);	×
127	return $jsignpdfTempFolder;	×
128	}
129
130	private function getHashAlgorithm(): string {
131	$hashAlgorithm = $this->appConfig->getValueString(Application::APP_ID, 'signature_hash_algorithm', 'SHA256');	×
132	/**
133	* Need to respect the follow code:
134	* https://github.com/intoolswetrust/jsignpdf/blob/JSignPdf_2_2_2/jsignpdf/src/main/java/net/sf/jsignpdf/types/HashAlgorithm.java#L46-L47
135	*/
136	$content = $this->getInputFile()->getContent();	×
137	preg_match('/^%PDF-(?<version>\d+(\.\d+)?)/', $content, $match);	×
138	if (isset($match['version'])) {	×
139	$version = (float)$match['version'];	×
140	if ($version < 1.6) {	×
141	return 'SHA1';	×
142	}
143	if ($version < 1.7) {	×
144	return 'SHA256';	×
145	}
146	if ($version >= 1.7 && $hashAlgorithm === 'SHA1') {	×
147	return 'SHA256';	×
148	}
149	}
150
151	if (in_array($hashAlgorithm, ['SHA1', 'SHA256', 'SHA384', 'SHA512', 'RIPEMD160'])) {	×
152	return $hashAlgorithm;	×
153	}
154	return 'SHA256';	×
155	}
156
157	private function getCertificationLevel(): ?string {
158	if (!$this->docMdpConfigService->isEnabled()) {	3✔
159	return null;	3✔
160	}
161
162	return $this->docMdpConfigService->getLevel()->name;	×
163	}
164
165	#[\Override]
166	public function sign(): File {
167	$this->beforeSign();	×
168
169	$signedContent = $this->getSignedContent();	×
170	$this->getInputFile()->putContent($signedContent);	×
171	return $this->getInputFile();	×
172	}
173
174	#[\Override]
175	public function getSignedContent(): string {
176	$param = $this->getJSignParam()	×
177	->setCertificate($this->getCertificate())	×
178	->setPdf($this->getInputFile()->getContent())	×
179	->setPassword($this->getPassword());	×
180
181	$signed = $this->signUsingVisibleElements();	×
182	if ($signed) {	×
183	return $signed;	×
184	}
185	$jSignPdf = $this->getJSignPdf();	×
186	$jSignPdf->setParam($param);	×
187	return $this->signWrapper($jSignPdf);	×
188	}
189
190	private function signUsingVisibleElements(): string {
191	$visibleElements = $this->getVisibleElements();	×
192	if ($visibleElements) {	×
193	$jSignPdf = $this->getJSignPdf();	×
194
195	$renderMode = $this->signatureTextService->getRenderMode();	×
196
197	$params = [	×
198	'--l2-text' => $this->getSignatureText(),	×
199	'-V' => null,	×
200	];	×
201
202	$fontSize = $this->parseSignatureText()['templateFontSize'];	×
203	if ($fontSize === 10.0 \|\| !$fontSize \|\| $params['--l2-text'] === '""') {	×
204	$fontSize = 0;	×
205	}
206
207	$backgroundType = $this->signatureBackgroundService->getSignatureBackgroundType();	×
208	if ($backgroundType !== 'deleted') {	×
209	$backgroundPath = $this->signatureBackgroundService->getImagePath();	×
210	} else {
211	$backgroundPath = '';	×
212	}
213
214	$param = $this->getJSignParam();	×
215	$originalParam = clone $param;	×
216
217	foreach ($visibleElements as $element) {	×
218	$params['-pg'] = $element->getFileElement()->getPage();	×
219	if ($params['-pg'] <= 1) {	×
220	unset($params['-pg']);	×
221	}
222	$params['-llx'] = $element->getFileElement()->getLlx();	×
223	$params['-lly'] = $element->getFileElement()->getLly();	×
224	$params['-urx'] = $element->getFileElement()->getUrx();	×
225	$params['-ury'] = $element->getFileElement()->getUry();	×
226
227	$scaleFactor = $this->getScaleFactor($params['-urx'] - $params['-llx']);	×
228	if ($fontSize) {	×
229	$params['--font-size'] = $fontSize * $scaleFactor;	×
230	}
231
232	$signatureImagePath = $element->getTempFile();	×
233	if ($backgroundType === 'deleted') {	×
234	if ($renderMode === SignerElementsService::RENDER_MODE_SIGNAME_AND_DESCRIPTION) {	×
235	$params['--render-mode'] = SignerElementsService::RENDER_MODE_GRAPHIC_AND_DESCRIPTION;	×
236	$params['--img-path'] = $this->createTextImage(	×
237	width: ($params['-urx'] - $params['-llx']),	×
238	height: ($params['-ury'] - $params['-lly']),	×
239	fontSize: $this->signatureTextService->getSignatureFontSize() * $scaleFactor,	×
240	scaleFactor: $scaleFactor < 5 ? 5 : $scaleFactor,	×
241	);	×
242	} elseif ($signatureImagePath) {	×
243	$params['--bg-path'] = $signatureImagePath;	×
244	}
245	} elseif ($params['--l2-text'] === '""') {	×
246	if ($backgroundPath) {	×
247	$params['--bg-path'] = $this->mergeBackgroundWithSignature(	×
248	$backgroundPath,	×
249	$signatureImagePath,	×
250	$scaleFactor < 5 ? 5 : $scaleFactor	×
251	);	×
252	} else {
253	$params['--bg-path'] = $signatureImagePath;	×
254	}
255	} else {
256	if ($renderMode === SignerElementsService::RENDER_MODE_GRAPHIC_AND_DESCRIPTION) {	×
257	$params['--render-mode'] = SignerElementsService::RENDER_MODE_GRAPHIC_AND_DESCRIPTION;	×
258	$params['--bg-path'] = $backgroundPath;	×
259	$params['--img-path'] = $signatureImagePath;	×
260	} elseif ($renderMode === SignerElementsService::RENDER_MODE_SIGNAME_AND_DESCRIPTION) {	×
261	$params['--render-mode'] = SignerElementsService::RENDER_MODE_GRAPHIC_AND_DESCRIPTION;	×
262	$params['--bg-path'] = $backgroundPath;	×
263	$params['--img-path'] = $this->createTextImage(	×
264	width: (int)(($params['-urx'] - $params['-llx']) / 2),	×
265	height: $params['-ury'] - $params['-lly'],	×
266	fontSize: $this->signatureTextService->getSignatureFontSize() * $scaleFactor,	×
267	scaleFactor: $scaleFactor < 5 ? 5 : $scaleFactor,	×
268	);	×
269
270	} else {
271	// --render-mode DESCRIPTION_ONLY, this is the default
272	// render-mode, because this, is unecessary to set here
273	$params['--bg-path'] = $backgroundPath;	×
274	}
275	}
276
277	$param->setJSignParameters(	×
278	$originalParam->getJSignParameters()	×
279	. $this->listParamsToString($params)	×
280	);	×
281	$jSignPdf->setParam($param);	×
282	$signed = $this->signWrapper($jSignPdf);	×
283	$param->setPdf($signed);	×
284	}
285	return $signed;	×
286	}
287	return '';	×
288	}
289
290	private function getScaleFactor(float $width): float {
291	$systemWidth = $this->signatureTextService->getFullSignatureWidth();	×
292	if (!$systemWidth) {	×
293	return 1;	×
294	}
295	$widthScale = $width / $systemWidth;	×
296	return $widthScale;	×
297	}
298
299
300	#[\Override]
301	public function readCertificate(): array {
302	$result = $this->certificateEngineFactory	×
303	->getEngine()	×
304	->readCertificate(	×
305	$this->getCertificate(),	×
306	$this->getPassword()	×
307	);	×
308
309	if (!is_array($result)) {	×
310	throw new \RuntimeException('Failed to read certificate data');	×
311	}
312
313	return $result;	×
314	}
315
316	private function createTextImage(int $width, int $height, float $fontSize, float $scaleFactor): string {
317	$params = $this->getSignatureParams();	×
318	if (!empty($params['SignerCommonName'])) {	×
319	$commonName = $params['SignerCommonName'];	×
320	} else {
321	$certificateData = $this->readCertificate();	×
322	$commonName = $certificateData['subject']['CN'] ?? throw new \RuntimeException('Certificate must have a Common Name (CN) in subject field');	×
323	}
324	$content = $this->signatureTextService->signerNameImage(	×
325	width: $width,	×
326	height: $height,	×
327	text: $commonName,	×
328	fontSize: $fontSize,	×
329	scale: $scaleFactor,	×
330	);	×
331
332	$tmpPath = $this->tempManager->getTemporaryFile('_text_image.png');	×
333	if (!$tmpPath) {	×
334	throw new \Exception('Temporary file not accessible');	×
335	}
336	file_put_contents($tmpPath, $content);	×
337	return $tmpPath;	×
338	}
339
340	private function mergeBackgroundWithSignature(string $backgroundPath, string $signaturePath, float $scaleFactor): string {
341	if (!extension_loaded('imagick')) {	×
342	throw new \Exception('Extension imagick is not loaded.');	×
343	}
344	$baseWidth = $this->signatureTextService->getFullSignatureWidth();	×
345	$baseHeight = $this->signatureTextService->getFullSignatureHeight();	×
346
347	$canvasWidth = round($baseWidth * $scaleFactor);	×
348	$canvasHeight = round($baseHeight * $scaleFactor);	×
349
350	$background = new Imagick($backgroundPath);	×
351	$signature = new Imagick($signaturePath);	×
352
353	$background->setImageFormat('png');	×
354	$signature->setImageFormat('png');	×
355
356	$background->setImageAlphaChannel(Imagick::ALPHACHANNEL_ACTIVATE);	×
357	$signature->setImageAlphaChannel(Imagick::ALPHACHANNEL_ACTIVATE);	×
358
359	$background->resizeImage(	×
360	(int)round($background->getImageWidth() * $scaleFactor),	×
361	(int)round($background->getImageHeight() * $scaleFactor),	×
362	Imagick::FILTER_LANCZOS,	×
363	1	×
364	);	×
365
366	$signature->resizeImage(	×
367	(int)round($signature->getImageWidth() * $scaleFactor),	×
368	(int)round($signature->getImageHeight() * $scaleFactor),	×
369	Imagick::FILTER_LANCZOS,	×
370	1	×
371	);	×
372
373	$canvas = new Imagick();	×
374	$canvas->newImage((int)$canvasWidth, (int)$canvasHeight, new ImagickPixel('transparent'));	×
375	$canvas->setImageFormat('png32');	×
376	$canvas->setImageAlphaChannel(Imagick::ALPHACHANNEL_ACTIVATE);	×
377
378	$bgX = (int)(($canvasWidth - $background->getImageWidth()) / 2);	×
379	$bgY = (int)(($canvasHeight - $background->getImageHeight()) / 2);	×
380	$canvas->compositeImage($background, Imagick::COMPOSITE_OVER, $bgX, $bgY);	×
381
382	$sigX = (int)(($canvasWidth - $signature->getImageWidth()) / 2);	×
383	$sigY = (int)(($canvasHeight - $signature->getImageHeight()) / 2);	×
384	$canvas->compositeImage($signature, Imagick::COMPOSITE_OVER, $sigX, $sigY);	×
385
386	$tmpPath = $this->tempManager->getTemporaryFile('_merged.png');	×
387	if (!$tmpPath) {	×
388	throw new \Exception('Temporary file not accessible');	×
389	}
390	$canvas->writeImage($tmpPath);	×
391
392	$canvas->clear();	×
393	$background->clear();	×
394	$signature->clear();	×
395
396	return $tmpPath;	×
397	}
398
399	private function parseSignatureText(): array {
400	if (!$this->parsedSignatureText) {	5✔
401	$params = $this->getSignatureParams();	5✔
402	$params['ServerSignatureDate'] = '${timestamp}';	5✔
403	$this->parsedSignatureText = $this->signatureTextService->parse(context: $params);	5✔
404	}
405	return $this->parsedSignatureText;	5✔
406	}
407
408	public function getSignatureText(): string {
409	$renderMode = $this->signatureTextService->getRenderMode();	10✔
410	if ($renderMode !== 'GRAPHIC_ONLY') {	10✔
411	$data = $this->parseSignatureText();	5✔
412	$signatureText = '"' . str_replace(	5✔
413	['"', '$'],	5✔
414	['\"', '\$'],	5✔
415	$data['parsed']	5✔
416	) . '"';	5✔
417	} else {
418	$signatureText = '""';	5✔
419	}
420
421	return $signatureText;	10✔
422	}
423
424	private function listParamsToString(array $params): string {
425	$paramString = '';	×
426	foreach ($params as $flag => $value) {	×
427	$paramString .= ' ' . $flag;	×
428	if ($value !== null && $value !== '') {	×
429	$paramString .= ' ' . $value;	×
430	}
431	}
432	return $paramString;	×
433	}
434
435	private function getTsaParameters(): array {
436	$tsaUrl = $this->appConfig->getValueString(Application::APP_ID, 'tsa_url', '');	×
437	if (empty($tsaUrl)) {	×
438	return [];	×
439	}
440
441	$params = [	×
442	'--tsa-server-url' => $tsaUrl,	×
443	'--tsa-policy-oid' => $this->appConfig->getValueString(Application::APP_ID, 'tsa_policy_oid', ''),	×
444	];	×
445
446	if (!$params['--tsa-policy-oid']) {	×
447	unset($params['--tsa-policy-oid']);	×
448	}
449
450	$tsaAuthType = $this->appConfig->getValueString(Application::APP_ID, 'tsa_auth_type', 'none');	×
451	if ($tsaAuthType === 'basic') {	×
452	$tsaUsername = $this->appConfig->getValueString(Application::APP_ID, 'tsa_username', '');	×
453	$tsaPassword = $this->appConfig->getValueString(Application::APP_ID, 'tsa_password', '');	×
454
455	if (!empty($tsaUsername) && !empty($tsaPassword)) {	×
456	$params['--tsa-authentication'] = 'PASSWORD';	×
457	$params['--tsa-user'] = $tsaUsername;	×
458	$params['--tsa-password'] = $tsaPassword;	×
459	}
460	}
461
462	return $params;	×
463	}
464
465	private function signWrapper(JSignPDF $jSignPDF): string {
466	try {
467	$params = [	×
468	'--hash-algorithm' => $this->getHashAlgorithm(),	×
469	];	×
470
471	$params = array_merge($params, $this->getTsaParameters());	×
472	$param = $this->getJSignParam();	×
473	$param	×
474	->setJSignParameters(	×
475	$this->jSignParam->getJSignParameters()	×
476	. $this->listParamsToString($params)	×
477	);	×
478	$jSignPDF->setParam($param);	×
479	return $jSignPDF->sign();	×
480	} catch (\Throwable $th) {	×
481	$errorMessage = $th->getMessage();	×
482
NEW 483	$this->checkTsaError($errorMessage);	×
NEW 484	$this->checkHashAlgorithmError($errorMessage);	×
485
486	$this->logger->error('Error at JSignPdf side. LibreSign can not do nothing. Follow the error message: ' . $errorMessage);	×
487	throw new \Exception($errorMessage);	×
488	}
489	}
490
491	private function checkTsaError(string $errorMessage): void {
NEW 492	$tsaErrors = ['TSAClientBouncyCastle', 'UnknownHostException', 'Invalid TSA', 'Creating of signature failed'];	×
NEW 493	$isTsaError = false;	×
NEW 494	foreach ($tsaErrors as $error) {	×
NEW 495	if (str_contains($errorMessage, $error)) {	×
NEW 496	$isTsaError = true;	×
NEW 497	break;	×
498	}
499	}
500
NEW 501	if ($isTsaError) {	×
NEW 502	if (str_contains($errorMessage, 'Invalid TSA') && preg_match("/Invalid TSA '([^']+)'/", $errorMessage, $matches)) {	×
NEW 503	$friendlyMessage = 'Timestamp Authority (TSA) service is unavailable or misconfigured: ' . $matches[1];	×
504	} else {
NEW 505	$friendlyMessage = 'Timestamp Authority (TSA) service error.' . "\n"	×
NEW 506	. 'Please check the TSA configuration.';	×
507	}
NEW 508	throw new LibresignException($friendlyMessage);	×
509	}
510	}
511
512	private function checkHashAlgorithmError(string $errorMessage): void {
NEW 513	$rows = str_getcsv($errorMessage);	×
NEW 514	$hashAlgorithm = array_filter($rows, fn ($r) => str_contains((string)$r, 'The chosen hash algorithm'));	×
515
NEW 516	if (!empty($hashAlgorithm)) {	×
NEW 517	$hashAlgorithm = current($hashAlgorithm);	×
NEW 518	$hashAlgorithm = trim((string)$hashAlgorithm, 'INFO ');	×
NEW 519	$hashAlgorithm = str_replace('\"', '"', $hashAlgorithm);	×
NEW 520	$hashAlgorithm = preg_replace('/\.( )/', ".\n", $hashAlgorithm);	×
NEW 521	throw new LibresignException($hashAlgorithm);	×
522	}
523	}
524	}

LibreSign / libresign / 20819945179

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous