Merge branch 'release/1.5.1'

vbuch · Mar 2, 2023 · 5fb54ee · 5fb54ee
2 parents bf9ba11 + afc66db
commit 5fb54ee
Show file tree

Hide file tree

Showing 7 changed files with 23 additions and 12 deletions.
diff --git a/.github/stale.yml b/.github/stale.yml
@@ -6,8 +6,6 @@ daysUntilClose: 10
 exemptLabels:
   - pinned
   - security
-# Label to use when marking an issue as stale
-staleLabel: wontfix
 # Comment to post when marking an issue as stale. Set to `false` to disable
 markComment: >
   This issue has been automatically marked as stale because it has not had

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # CHANGELOG
 
+## [1.5.1]
+
+* Reorder authenticatedAttributes so that EU's verification passes;
+
 ## [1.5.0]
 
 * Reworked reading xref table;

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -23,3 +23,6 @@
 * [brunoserrano](https://github.com/brunoserrano)
 * [waaronking](https://github.com/waaronking)
 * [dhensby](https://github.com/dhensby)
+* [pernikov](https://github.com/pernikov)
+* [timotheeg](https://github.com/timotheeg)
+* [ElTimuro](https://github.com/ElTimuro)
diff --git a/README.md b/README.md
@@ -32,13 +32,13 @@ In practice we expect that most people will just read through the code we've wri
 
 ### With pdfkit-created document
 
-You have already created a PDF using foliojs/pdfkit and you want to sign that. Before saving (writing to fs, or just converting to `Buffer`) your file, you need to a add a signature placeholder to it. We have a helper for that. This is demonstrated in [the `signs input PDF` test](./src/signpdf.test.js#L111).
+You have already created a PDF using foliojs/pdfkit and you want to sign that. Before saving (writing to fs, or just converting to `Buffer`) your file, you need to a add a signature placeholder to it. We have a helper for that. This is demonstrated in [the `signs input PDF` test](./src/signpdf.test.js#L125).
 
 Once you have the placeholder, just [[sign the document]](#sign-the-document).
 
 ### With any PDF document
 
-Yes. This is new since version 1.0. We have a helper that can add a signature placeholder in at least the most basic PDFs without depending on pdfkit. You can see how this is done in [the `signs a ready pdf` test](./src/signpdf.test.js#L136).
+Yes. This is new since version 1.0. We have a helper that can add a signature placeholder in at least the most basic PDFs without depending on pdfkit. You can see how this is done in [the `signs a ready pdf` test](./src/signpdf.test.js#L167).
 
 Once you have the placeholder, just [[sign the document]](#sign-the-document).
 
@@ -55,7 +55,7 @@ const signedPdf = signer.sign(
 
 ## Notes
 
-* The process of signing a document is described in the [Digital Signatures in PDF](https://www.adobe.com/devnet-docs/etk_deprecated/tools/DigSig/Acrobat_DigitalSignatures_in_PDF.pdf) document. As Adobe's files are deprecated, [here is the standard as defined by ETSI](https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eSignature+standards#eSignaturestandards-PAdES%28PDFAdvancedElectronicSignature%29BaselineProfile).
+* The process of signing a document is described in the [Digital Signatures in PDF](https://www.adobe.com/devnet-docs/etk_deprecated/tools/DigSig/Acrobat_DigitalSignatures_in_PDF.pdf) document. As Adobe's files are deprecated, [here is the standard as defined by ETSI](<https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/Standards+and+specifications#Standardsandspecifications-PAdES(PDFAdvancedElectronicSignature)BaselineProfile>).
 * This lib:
   * requires the [signature placeholder](#append-a-signature-placeholder) to already be in the document (There are helpers included that can try to add it);
   * requires the `Contents` descriptor in the `Sig` be placed after the `ByteRange` one;

diff --git a/dist/signpdf.js b/dist/signpdf.js
@@ -140,6 +140,9 @@ class SignPdf {
     if (typeof certificate === 'undefined') {
       throw new _SignPdfError.default('Failed to find a certificate that matches the private key.', _SignPdfError.default.TYPE_INPUT);
     } // Add a sha256 signer. That's what Adobe.PPKLite adbe.pkcs7.detached expects.
+    // Note that the authenticatedAttributes order is relevant for correct
+    // EU signature validation:
+    // https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation
 
 
     p7.addSigner({
@@ -149,15 +152,15 @@ class SignPdf {
       authenticatedAttributes: [{
         type: _nodeForge.default.pki.oids.contentType,
         value: _nodeForge.default.pki.oids.data
-      }, {
-        type: _nodeForge.default.pki.oids.messageDigest // value will be auto-populated at signing time
-
       }, {
         type: _nodeForge.default.pki.oids.signingTime,
         // value can also be auto-populated at signing time
         // We may also support passing this as an option to sign().
         // Would be useful to match the creation time of the document for example.
         value: new Date()
+      }, {
+        type: _nodeForge.default.pki.oids.messageDigest // value will be auto-populated at signing time
+
       }]
     }); // Sign in detached mode.
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "node-signpdf",
-    "version": "1.5.0",
+    "version": "1.5.1",
     "description": "Simple signing of PDFs in node.",
     "repository": {
         "type": "git",

diff --git a/src/signpdf.js b/src/signpdf.js
@@ -128,6 +128,9 @@ export class SignPdf {
         }
 
         // Add a sha256 signer. That's what Adobe.PPKLite adbe.pkcs7.detached expects.
+        // Note that the authenticatedAttributes order is relevant for correct
+        // EU signature validation:
+        // https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation
         p7.addSigner({
             key: privateKey,
             certificate,
@@ -136,15 +139,15 @@ export class SignPdf {
                 {
                     type: forge.pki.oids.contentType,
                     value: forge.pki.oids.data,
-                }, {
-                    type: forge.pki.oids.messageDigest,
-                    // value will be auto-populated at signing time
                 }, {
                     type: forge.pki.oids.signingTime,
                     // value can also be auto-populated at signing time
                     // We may also support passing this as an option to sign().
                     // Would be useful to match the creation time of the document for example.
                     value: new Date(),
+                }, {
+                    type: forge.pki.oids.messageDigest,
+                    // value will be auto-populated at signing time
                 },
             ],
         });