chore: use rust based cms signing

2025-11-12 15:53:02 +10:00 · 2024-03-15 22:26:09 +11:00
parent b9dccdb359
commit 8859b2779f
15 changed files with 2364 additions and 64 deletions
--- a/packages/signing/constants/byte-range.ts
+++ b/packages/signing/constants/byte-range.ts
@ -0,0 +1,3 @@
+// We use stars as a placeholder since it's easy to find and replace,
+// the length of the placeholder is to support larger pdf files
+export const BYTE_RANGE_PLACEHOLDER = '**********';
--- a/packages/signing/helpers/add-signing-placeholder.ts
+++ b/packages/signing/helpers/add-signing-placeholder.ts
@ -1,4 +1,3 @@
-import signer from 'node-signpdf';
 import {
  PDFArray,
  PDFDocument,
@ -9,6 +8,8 @@ import {
  rectangle,
 } from 'pdf-lib';

+import { BYTE_RANGE_PLACEHOLDER } from '../constants/byte-range';
+
 export type AddSigningPlaceholderOptions = {
  pdf: Buffer;
 };
@ -20,9 +21,9 @@ export const addSigningPlaceholder = async ({ pdf }: AddSigningPlaceholderOption
  const byteRange = PDFArray.withContext(doc.context);

  byteRange.push(PDFNumber.of(0));
-  byteRange.push(PDFName.of(signer.byteRangePlaceholder));
-  byteRange.push(PDFName.of(signer.byteRangePlaceholder));
-  byteRange.push(PDFName.of(signer.byteRangePlaceholder));
+  byteRange.push(PDFName.of(BYTE_RANGE_PLACEHOLDER));
+  byteRange.push(PDFName.of(BYTE_RANGE_PLACEHOLDER));
+  byteRange.push(PDFName.of(BYTE_RANGE_PLACEHOLDER));

  const signature = doc.context.obj({
    Type: 'Sig',
--- a/packages/signing/helpers/update-signing-placeholder.test.ts
+++ b/packages/signing/helpers/update-signing-placeholder.test.ts
@ -0,0 +1,72 @@
+import { describe, expect, it } from 'vitest';
+
+import { updateSigningPlaceholder } from './update-signing-placeholder';
+
+describe('updateSigningPlaceholder', () => {
+  const pdf = Buffer.from(`
+      20 0 obj
+      <<
+      /Type /Sig
+      /Filter /Adobe.PPKLite
+      /SubFilter /adbe.pkcs7.detached
+      /ByteRange [ 0 /********** /********** /********** ]
+      /Contents <0000000000000000000000000000000000000000000000000000000>
+      /Reason (Signed by Documenso)
+      /M (D:20210101000000Z)
+      >>
+      endobj
+    `);
+
+  it('should not throw an error', () => {
+      expect(() => updateSigningPlaceholder({ pdf })).not.toThrowError();
+  });
+
+  it('should not modify the original PDF', () => {
+    const result = updateSigningPlaceholder({ pdf });
+
+    expect(result.pdf).not.toEqual(pdf);
+  });
+
+  it('should return a PDF with the same length as the original', () => {
+    const result = updateSigningPlaceholder({ pdf });
+
+    expect(result.pdf).toHaveLength(pdf.length);
+  });
+
+  it('should update the byte range and return it', () => {
+    const result = updateSigningPlaceholder({ pdf });
+
+    expect(result.byteRange).toEqual([0, 184, 241, 92]);
+  });
+
+  it('should only update the last signature in the PDF', () => {
+    const pdf = Buffer.from(`
+      20 0 obj
+      <<
+      /Type /Sig
+      /Filter /Adobe.PPKLite
+      /SubFilter /adbe.pkcs7.detached
+      /ByteRange [ 0 /********** /********** /********** ]
+      /Contents <0000000000000000000000000000000000000000000000000000000>
+      /Reason (Signed by Documenso)
+      /M (D:20210101000000Z)
+      >>
+      endobj
+      21 0 obj
+      <<
+      /Type /Sig
+      /Filter /Adobe.PPKLite
+      /SubFilter /adbe.pkcs7.detached
+      /ByteRange [ 0 /********** /********** /********** ]
+      /Contents <0000000000000000000000000000000000000000000000000000000>
+      /Reason (Signed by Documenso)
+      /M (D:20210101000000Z)
+      >>
+      endobj
+    `);
+
+    const result = updateSigningPlaceholder({ pdf });
+
+    expect(result.byteRange).toEqual([0, 512, 569, 92]);
+  });
+});
--- a/packages/signing/helpers/update-signing-placeholder.ts
+++ b/packages/signing/helpers/update-signing-placeholder.ts
@ -0,0 +1,39 @@
+export type UpdateSigningPlaceholderOptions = {
+  pdf: Buffer;
+};
+
+export const updateSigningPlaceholder = ({ pdf }: UpdateSigningPlaceholderOptions) => {
+  const length = pdf.length;
+
+  const byteRangePos = pdf.lastIndexOf('/ByteRange');
+  const byteRangeStart = pdf.indexOf('[', byteRangePos);
+  const byteRangeEnd = pdf.indexOf(']', byteRangePos);
+
+  const byteRangeSlice = pdf.subarray(byteRangeStart, byteRangeEnd + 1);
+
+  const signaturePos = pdf.indexOf('/Contents', byteRangeEnd);
+  const signatureStart = pdf.indexOf('<', signaturePos);
+  const signatureEnd = pdf.indexOf('>', signaturePos);
+
+  const signatureSlice = pdf.subarray(signatureStart, signatureEnd + 1);
+
+  const byteRange = [0, 0, 0, 0];
+
+  byteRange[1] = signatureStart;
+  byteRange[2] = byteRange[1] + signatureSlice.length;
+  byteRange[3] = length - byteRange[2];
+
+  const newByteRange = `[${byteRange.join(' ')}]`.padEnd(byteRangeSlice.length, ' ');
+
+  const updatedPdf = Buffer.concat([
+    pdf.subarray(0, byteRangeStart),
+    Buffer.from(newByteRange),
+    pdf.subarray(byteRangeEnd + 1),
+  ]);
+
+  if (updatedPdf.length !== length) {
+    throw new Error('Updated PDF length does not match original length');
+  }
+
+  return { pdf: updatedPdf, byteRange };
+};
--- a/packages/signing/index.ts
+++ b/packages/signing/index.ts
@ -1,5 +1,6 @@
 import { match } from 'ts-pattern';

+import { signWithGoogleCloudHSM } from './transports/google-cloud-hsm';
 import { signWithLocalCert } from './transports/local-cert';

 export type SignOptions = {
@ -11,6 +12,7 @@ export const signPdf = async ({ pdf }: SignOptions) => {

  return await match(transport)
    .with('local', async () => signWithLocalCert({ pdf }))
+    .with('gcloud-hsm', async () => signWithGoogleCloudHSM({ pdf }))
    .otherwise(() => {
      throw new Error(`Unsupported signing transport: ${transport}`);
    });
--- a/packages/signing/package.json
+++ b/packages/signing/package.json
@ -9,15 +9,15 @@
    "index.ts"
  ],
  "scripts": {
+    "test": "vitest"
  },
  "dependencies": {
    "@documenso/tsconfig": "*",
-    "node-forge": "^1.3.1",
-    "node-signpdf": "^2.0.0",
+    "@documenso/pdf-sign": "^0.1.0",
    "pdf-lib": "^1.17.1",
    "ts-pattern": "^5.0.5"
  },
  "devDependencies": {
-    "@types/node-forge": "^1.3.4"
+    "vitest": "^1.3.1"
  }
 }
--- a/packages/signing/transports/google-cloud-hsm.ts
+++ b/packages/signing/transports/google-cloud-hsm.ts
@ -0,0 +1,79 @@
+import fs from 'node:fs';
+
+import { signWithGCloud } from '@documenso/pdf-sign';
+
+import { addSigningPlaceholder } from '../helpers/add-signing-placeholder';
+import { updateSigningPlaceholder } from '../helpers/update-signing-placeholder';
+
+export type SignWithGoogleCloudHSMOptions = {
+  pdf: Buffer;
+};
+
+export const signWithGoogleCloudHSM = async ({ pdf }: SignWithGoogleCloudHSMOptions) => {
+  const keyPath = process.env.NEXT_PRIVATE_SIGNING_GCLOUD_HSM_KEY_PATH;
+
+  if (!keyPath) {
+    throw new Error('No certificate path provided for Google Cloud HSM signing');
+  }
+
+  // To handle hosting in serverless environments like Vercel we can supply the base64 encoded
+  // application credentials as an environment variable and write it to a file if it doesn't exist
+  if (
+    process.env.GOOGLE_APPLICATION_CREDENTIALS &&
+    process.env.NEXT_PRIVATE_SIGNING_GCLOUD_APPLICATION_CREDENTIALS_CONTENTS
+  ) {
+    if (!fs.existsSync(process.env.GOOGLE_APPLICATION_CREDENTIALS)) {
+      fs.writeFileSync(
+        process.env.GOOGLE_APPLICATION_CREDENTIALS,
+        Buffer.from(
+          process.env.NEXT_PRIVATE_SIGNING_GCLOUD_APPLICATION_CREDENTIALS_CONTENTS,
+          'base64',
+        ),
+      );
+    }
+  }
+
+  const { pdf: pdfWithPlaceholder, byteRange } = updateSigningPlaceholder({
+    pdf: await addSigningPlaceholder({ pdf }),
+  });
+
+  const pdfWithoutSignature = Buffer.concat([
+    pdfWithPlaceholder.subarray(0, byteRange[1]),
+    pdfWithPlaceholder.subarray(byteRange[2]),
+  ]);
+
+  const signatureLength = byteRange[2] - byteRange[1];
+
+  let cert: Buffer | null = null;
+
+  if (process.env.NEXT_PRIVATE_SIGNING_GCLOUD_HSM_PUBLIC_CRT_FILE_CONTENTS) {
+    cert = Buffer.from(
+      process.env.NEXT_PRIVATE_SIGNING_GCLOUD_HSM_PUBLIC_CRT_FILE_CONTENTS,
+      'base64',
+    );
+  }
+
+  if (!cert) {
+    cert = Buffer.from(
+      fs.readFileSync(
+        process.env.NEXT_PRIVATE_SIGNING_GCLOUD_HSM_PUBLIC_CRT_FILE_PATH || './example/cert.crt',
+      ),
+    );
+  }
+
+  const signature = signWithGCloud({
+    keyPath,
+    cert,
+    content: pdfWithoutSignature,
+  });
+
+  const signatureAsHex = signature.toString('hex');
+
+  const signedPdf = Buffer.concat([
+    pdfWithPlaceholder.subarray(0, byteRange[1]),
+    Buffer.from(`<${signatureAsHex.padEnd(signatureLength - 2, '0')}>`),
+    pdfWithPlaceholder.subarray(byteRange[2]),
+  ]);
+
+  return signedPdf;
+};
--- a/packages/signing/transports/local-cert.ts
+++ b/packages/signing/transports/local-cert.ts
@ -1,32 +1,51 @@
-import signer from 'node-signpdf';
 import fs from 'node:fs';

-import { addSigningPlaceholder } from '../helpers/addSigningPlaceholder';
+import { signWithP12 } from '@documenso/pdf-sign';
+
+import { addSigningPlaceholder } from '../helpers/add-signing-placeholder';
+import { updateSigningPlaceholder } from '../helpers/update-signing-placeholder';

 export type SignWithLocalCertOptions = {
  pdf: Buffer;
 };

 export const signWithLocalCert = async ({ pdf }: SignWithLocalCertOptions) => {
-  const pdfWithPlaceholder = await addSigningPlaceholder({ pdf });
+  const { pdf: pdfWithPlaceholder, byteRange } = updateSigningPlaceholder({
+    pdf: await addSigningPlaceholder({ pdf }),
+  });

-  let p12Cert: Buffer | null = null;
+  const pdfWithoutSignature = Buffer.concat([
+    pdfWithPlaceholder.subarray(0, byteRange[1]),
+    pdfWithPlaceholder.subarray(byteRange[2]),
+  ]);
+
+  const signatureLength = byteRange[2] - byteRange[1];
+
+  let cert: Buffer | null = null;

  if (process.env.NEXT_PRIVATE_SIGNING_LOCAL_FILE_CONTENTS) {
-    p12Cert = Buffer.from(process.env.NEXT_PRIVATE_SIGNING_LOCAL_FILE_CONTENTS, 'base64');
+    cert = Buffer.from(process.env.NEXT_PRIVATE_SIGNING_LOCAL_FILE_CONTENTS, 'base64');
  }

-  if (!p12Cert) {
-    p12Cert = Buffer.from(
+  if (!cert) {
+    cert = Buffer.from(
      fs.readFileSync(process.env.NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH || './example/cert.p12'),
    );
  }

-  if (process.env.NEXT_PRIVATE_SIGNING_PASSPHRASE) {
-    return signer.sign(pdfWithPlaceholder, p12Cert, {
-      passphrase: process.env.NEXT_PRIVATE_SIGNING_PASSPHRASE,
-    });
-  }
+  const signature = signWithP12({
+    cert,
+    content: pdfWithoutSignature,
+    password: process.env.NEXT_PRIVATE_SIGNING_PASSPHRASE || undefined,
+  });

-  return signer.sign(pdfWithPlaceholder, p12Cert);
+  const signatureAsHex = signature.toString('hex');
+
+  const signedPdf = Buffer.concat([
+    pdfWithPlaceholder.subarray(0, byteRange[1]),
+    Buffer.from(`<${signatureAsHex.padEnd(signatureLength - 2, '0')}>`),
+    pdfWithPlaceholder.subarray(byteRange[2]),
+  ]);
+
+  return signedPdf;
 };
--- a/packages/tsconfig/process-env.d.ts
+++ b/packages/tsconfig/process-env.d.ts
@ -30,6 +30,10 @@ declare namespace NodeJS {
    NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH?: string;
    NEXT_PRIVATE_SIGNING_LOCAL_FILE_CONTENTS?: string;
    NEXT_PRIVATE_SIGNING_LOCAL_FILE_ENCODING?: string;
+    NEXT_PRIVATE_SIGNING_GCLOUD_HSM_KEY_PATH?: string;
+    NEXT_PRIVATE_SIGNING_GCLOUD_HSM_PUBLIC_CRT_FILE_PATH?: string;
+    NEXT_PRIVATE_SIGNING_GCLOUD_HSM_PUBLIC_CRT_FILE_CONTENTS?: string;
+    NEXT_PRIVATE_SIGNING_GCLOUD_APPLICATION_CREDENTIALS_CONTENTS?: string;

    NEXT_PRIVATE_SMTP_TRANSPORT?: 'mailchannels' | 'resend' | 'smtp-auth' | 'smtp-api';