LibreSign / libresign / 24083305764

                parent::__construct($l10n, $folderService, $logger);

                rewind($resource);

                $content = stream_get_contents($resource);

                preg_match_all('/\/Contents\s*<([0-9a-fA-F]+)>/', $content, $contents, PREG_OFFSET_CAPTURE);

                if (empty($contents[1])) {

                        throw new LibresignException($this->l10n->t('Unsigned file.'));

                $seenHexSignatures = [];

                foreach ($contents[1] as $match) {

                        $signatureHex = $match[0];

                        if (isset($seenHexSignatures[$signatureHex])) {

                        $seenHexSignatures[$signatureHex] = true;

                        $decodedSignature = @hex2bin($signatureHex);

                        if ($decodedSignature === false) {

                        yield $decodedSignature;

                $certificates = [];

                foreach ($this->getSignatures($resource) as $signature) {

                        if (!$signature) {

                        $result = $this->processSignature($resource, $signature);

                        if (empty($result['chain'])) {

                        $certificates[] = $result;

                return $certificates;

                $result = [];

                if (!$signature) {

                $decoded = ASN1::decodeBER($signature);

                $result = $this->extractTimestampData($decoded, $result);

                $chain = $this->extractCertificateChain($signature);

                if (!empty($chain)) {

                        $result['chain'] = $this->orderCertificates($chain);

                        $result = $this->enrichLeafWithPopplerData($resource, $result);

                $result = $this->extractDocMdpData($resource, $result);

                $result = $this->applyLibreSignRootCAFlag($result);

                return $result;

                if (empty($signer['chain'])) {

                foreach ($signer['chain'] as $key => $cert) {

                        if ($cert['isLibreSignRootCA']

                                && isset($cert['certificate_validation'])

                                && $cert['certificate_validation']['id'] !== 1

                return $signer;

                if (empty($result['chain'])) {

                $docMdpData = $this->docMdpHandler->extractDocMdpData($resource);

                return array_merge($result, $docMdpData);

                $tsa = new TSA();

                        $timestampData = $tsa->extract($decoded);

                        if (!empty($timestampData['genTime']) || !empty($timestampData['policy']) || !empty($timestampData['serialNumber'])) {

                                $result['timestamp'] = $timestampData;

                if (!isset($result['signingTime']) || !$result['signingTime'] instanceof \DateTime) {

                        $result['signingTime'] = $tsa->getSigninTime($decoded);

                return $result;

                $pkcs7PemSignature = $this->der2pem($signature);

                $pemCertificates = [];

                if (!openssl_pkcs7_read($pkcs7PemSignature, $pemCertificates)) {

                $chain = [];

                $isLibreSignRootCA = false;

                $certificateEngine = $this->getCertificateEngine();

                foreach ($pemCertificates as $index => $pemCertificate) {

                        $parsed = $certificateEngine->parseCertificate($pemCertificate);

                        if ($parsed) {

                                $parsed['signature_validation'] = [

                                        'id' => 1,

                                        'label' => $this->l10n->t('Signature is valid.'),

                                ];

                                if (!$isLibreSignRootCA) {

                                        $isLibreSignRootCA = $this->isLibreSignRootCA($pemCertificate, $parsed);

                                $parsed['isLibreSignRootCA'] = $isLibreSignRootCA;

                                $chain[$index] = $parsed;

                if ($isLibreSignRootCA || $this->isLibreSignFile) {

                return $chain;

                $crlUrls = $parsed['crl_urls'] ?? [];

                $rootCertificatePem = is_array($crlUrls) ? $this->crlService->getRootCertificateFromCrlUrls($crlUrls) : '';

                if (empty($rootCertificatePem)) {

                        $rootCertificatePem = $this->getRootCertificatePem();

                if (empty($rootCertificatePem)) {

                        return false;

                if (!empty($this->rootCertificatePem)) {

                $configPath = $this->appConfig->getValueString(Application::APP_ID, 'config_path');

                if (empty($configPath)

                        || !is_readable($configPath . DIRECTORY_SEPARATOR . 'ca.pem')

                        return '';

                if (empty($result['chain'])) {

                $popplerOnlyFields = ['field', 'range', 'certificate_validation'];

                if (!isset($result['chain'][0]['subject'])) {

                $needPoppler = false;

                foreach ($popplerOnlyFields as $field) {

                        if (empty($result['chain'][0][$field])) {

                                $needPoppler = true;

                                break;

                if (!isset($result['chain'][0]['signature_validation']) || $result['chain'][0]['signature_validation']['id'] !== 1) {

                if (!$needPoppler) {

                $popplerChain = $this->chainFromPoppler($result['chain'][0]['subject'], $resource);

                if (empty($popplerChain)) {

                        return $result;

                $fromFallback = $this->popplerUtilsPdfSignFallback($resource);

                foreach ($fromFallback as $popplerSig) {

                        if (!isset($popplerSig['chain'][0]['subject'])) {

                        if ($popplerSig['chain'][0]['subject'] == $subject) {

                return [];

                if (!empty($this->signaturesFromPoppler)) {

                        return $this->signaturesFromPoppler;

                if (shell_exec('which pdfsig') === null) {

                rewind($resource);

                $content = stream_get_contents($resource);

                $tempFile = $this->tempManager->getTemporaryFile('file.pdf');

                file_put_contents($tempFile, $content);

                $content = shell_exec('env TZ=UTC pdfsig ' . $tempFile);

                if (empty($content)) {

                $lines = explode("\n", $content);

                $lastSignature = 0;

                foreach ($lines as $item) {

                        $isFirstLevel = preg_match('/^Signature\s#(\d)/', $item, $match);

                        if ($isFirstLevel) {

                                $lastSignature = (int)$match[1] - 1;

                                $this->signaturesFromPoppler[$lastSignature] = [];

                                continue;

                        $match = [];

                        $isSecondLevel = preg_match('/^\s+-\s(?<key>.+):\s(?<value>.*)/', $item, $match);

                        if ($isSecondLevel) {

                                switch ((string)$match['key']) {

                                        case 'Signing Time':

                                                $this->signaturesFromPoppler[$lastSignature]['signingTime'] = DateTime::createFromFormat('M d Y H:i:s', $match['value'], new \DateTimeZone('UTC'));

                                                break;

                                        case 'Signer full Distinguished Name':

                                                $this->signaturesFromPoppler[$lastSignature]['chain'][0]['subject'] = $this->parseDistinguishedNameWithMultipleValues($match['value']);

                                                $this->signaturesFromPoppler[$lastSignature]['chain'][0]['name'] = $match['value'];

                                                break;

                                        case 'Signing Hash Algorithm':

                                                $this->signaturesFromPoppler[$lastSignature]['chain'][0]['signatureTypeSN'] = $match['value'];

                                                break;

                                        case 'Signature Validation':

                                                $this->signaturesFromPoppler[$lastSignature]['chain'][0]['signature_validation'] = $this->getReadableSigState($match['value']);

                                                break;

                                        case 'Certificate Validation':

                                                $this->signaturesFromPoppler[$lastSignature]['chain'][0]['certificate_validation'] = $this->getReadableCertState($match['value']);

                                                break;

                                        case 'Signed Ranges':

                                                if (preg_match('/\[(\d+) - (\d+)\], \[(\d+) - (\d+)\]/', $match['value'], $ranges)) {

                                                        $this->signaturesFromPoppler[$lastSignature]['chain'][0]['range'] = [

                                                                'offset1' => (int)$ranges[1],

                                                                'length1' => (int)$ranges[2],

                                                                'offset2' => (int)$ranges[3],

                                                                'length2' => (int)$ranges[4],

                                                        ];

                                                break;

                                        case 'Signature Field Name':

                                                $this->signaturesFromPoppler[$lastSignature]['chain'][0]['field'] = $match['value'];

                                                break;

                                        case 'Signature Validation':

                                        case 'Signature Type':

                                        case 'Total document signed':

                                        case 'Not total document signed':

                                                break;

                return $this->signaturesFromPoppler;

                return match ($status) {

                        'Signature is Valid.' => [

                                'id' => 1,

                                'label' => $this->l10n->t('Signature is valid.'),

                        ],

                        default => [

                                'id' => 6,

                                'label' => $this->l10n->t('Unknown validation failure.'),

                        ],

                };

                return match ($status) {

                        "Certificate issuer isn't Trusted." => [

                                'id' => 2,

                                'label' => $this->l10n->t("Certificate issuer isn't trusted."),

                        ],

                        'Certificate issuer is unknown.' => [

                                'id' => 3,

                                'label' => $this->l10n->t('Certificate issuer is unknown.'),

                        ],

                        default => [

                                'id' => 7,

                                'label' => $this->l10n->t('Unknown issue with Certificate or corrupted data.')

                        ],

                };

                $result = [];

                $pairs = preg_split('/,(?=(?:[^"]*"[^"]*")*[^"]*$)/', $dn);

                foreach ($pairs as $pair) {

                        [$key, $value] = explode('=', $pair, 2);

                        if (empty($key) || empty($value)) {

                        $key = trim($key);

                        $value = trim($value);

                        $value = trim($value, '"');

                        if (!isset($result[$key])) {

                                $result[$key] = $value;

                return $result;

                $pem = chunk_split(base64_encode((string)$derData), 64, "\n");

                $pem = "-----BEGIN CERTIFICATE-----\n" . $pem . "-----END CERTIFICATE-----\n";

                return $pem;

                $sign_engine = $this->appConfig->getValueString(Application::APP_ID, 'signature_engine', 'JSignPdf');

                $property = lcfirst($sign_engine) . 'Handler';

                if (!property_exists($this, $property)) {

                $classHandler = 'OCA\\Libresign\\Handler\\SignEngine\\' . ucfirst($property);

                if (!$this->$property instanceof $classHandler) {

                        $this->$property = \OCP\Server::get($classHandler);

                return $this->$property;

                $this->beforeSign();

                $signedContent = $this->getHandler()

                        ->setCertificate($this->getCertificate())

                        ->setInputFile($this->getInputFile())

                        ->setPassword($this->getPassword())

                        ->setSignatureParams($this->getSignatureParams())

                        ->setVisibleElements($this->getVisibleElements())

                        ->getSignedContent();

                return $this->certificateEngineFactory->getEngine()->isSetupOk();