UNPKG

pdf-signature-reader-sl

Version:

Verify digital signatures in PDF documents with content validation and enhanced support for Spanish certificates (FNMT, DNIe, corporate)

github.com/keviinmiichael/pdf-signature-reader

keviinmiichael/pdf-signature-reader

123 lines (100 loc) 3.28 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
const forge = require('node-forge'); const getCertificateName = (cert) => { const cn = cert.subject.getField('CN'); if (cn) return cn.value; const ou = cert.subject.getField('OU'); if (ou) return ou.value; const o = cert.subject.getField('O'); if (o) return o.value; return 'Unknown'; }; const getIssuerName = (cert) => { const cn = cert.issuer.getField('CN'); if (cn) return cn.value; const ou = cert.issuer.getField('OU'); if (ou) return ou.value; const o = cert.issuer.getField('O'); if (o) return o.value; return 'Unknown'; }; const findSigningCertificate = (leafCerts, signature, digest) => { if (leafCerts.length === 1) return leafCerts[0]; for (const cert of leafCerts) { try { if (cert.publicKey.verify(digest, signature)) { return cert; } } catch (error) { continue; } } return null; }; const buildRobustCertificateChain = (certificates, signature, digest) => { const certsBySubjectHash = new Map(); const certsByIssuerHash = new Map(); const uniqueCerts = []; const seenKeys = new Set(); for (const cert of certificates) { const key = `${cert.subject.hash}-${cert.issuer.hash}`; if (seenKeys.has(key)) continue; seenKeys.add(key); uniqueCerts.push(cert); if (!certsBySubjectHash.has(cert.subject.hash)) { certsBySubjectHash.set(cert.subject.hash, []); } certsBySubjectHash.get(cert.subject.hash).push(cert); if (!certsByIssuerHash.has(cert.issuer.hash)) { certsByIssuerHash.set(cert.issuer.hash, []); } certsByIssuerHash.get(cert.issuer.hash).push(cert); } const leafCerts = uniqueCerts.filter(cert => !certsByIssuerHash.has(cert.subject.hash) ); if (!leafCerts.length) { return { chain: [], isComplete: false, error: 'No leaf certificate found' }; } let actualSigningCert = leafCerts[0]; if (leafCerts.length > 1 && signature && digest) { const signingCert = findSigningCertificate(leafCerts, signature, digest); if (signingCert) { actualSigningCert = signingCert; } } const chain = []; let currentCert = actualSigningCert; const visitedHashes = new Set(); while (currentCert) { if (visitedHashes.has(currentCert.subject.hash)) break; visitedHashes.add(currentCert.subject.hash); const isRoot = currentCert.subject.hash === currentCert.issuer.hash; chain.push({ cert: currentCert.serialNumber, certificate: currentCert, level: chain.length, isRoot: isRoot, subjectCN: getCertificateName(currentCert), issuerCN: getIssuerName(currentCert), isSigningCert: currentCert === actualSigningCert }); if (isRoot) break; const issuers = certsBySubjectHash.get(currentCert.issuer.hash); currentCert = issuers?.[0] || null; if (!currentCert) break; } const isComplete = chain.length > 0 && chain[chain.length - 1].isRoot; return { chain, isComplete, signingCertificate: actualSigningCert.serialNumber, rootCertificate: isComplete ? chain[chain.length - 1].cert : null, }; }; module.exports = { buildRobustCertificateChain, };