chore: use rust based cms signing

2025-11-20 19:51:32 +10:00 · 2024-03-15 22:26:09 +11:00
parent b9dccdb359
commit 8859b2779f
15 changed files with 2364 additions and 64 deletions
--- a/packages/signing/transports/google-cloud-hsm.ts
+++ b/packages/signing/transports/google-cloud-hsm.ts
@ -0,0 +1,79 @@
+import fs from 'node:fs';
+
+import { signWithGCloud } from '@documenso/pdf-sign';
+
+import { addSigningPlaceholder } from '../helpers/add-signing-placeholder';
+import { updateSigningPlaceholder } from '../helpers/update-signing-placeholder';
+
+export type SignWithGoogleCloudHSMOptions = {
+  pdf: Buffer;
+};
+
+export const signWithGoogleCloudHSM = async ({ pdf }: SignWithGoogleCloudHSMOptions) => {
+  const keyPath = process.env.NEXT_PRIVATE_SIGNING_GCLOUD_HSM_KEY_PATH;
+
+  if (!keyPath) {
+    throw new Error('No certificate path provided for Google Cloud HSM signing');
+  }
+
+  // To handle hosting in serverless environments like Vercel we can supply the base64 encoded
+  // application credentials as an environment variable and write it to a file if it doesn't exist
+  if (
+    process.env.GOOGLE_APPLICATION_CREDENTIALS &&
+    process.env.NEXT_PRIVATE_SIGNING_GCLOUD_APPLICATION_CREDENTIALS_CONTENTS
+  ) {
+    if (!fs.existsSync(process.env.GOOGLE_APPLICATION_CREDENTIALS)) {
+      fs.writeFileSync(
+        process.env.GOOGLE_APPLICATION_CREDENTIALS,
+        Buffer.from(
+          process.env.NEXT_PRIVATE_SIGNING_GCLOUD_APPLICATION_CREDENTIALS_CONTENTS,
+          'base64',
+        ),
+      );
+    }
+  }
+
+  const { pdf: pdfWithPlaceholder, byteRange } = updateSigningPlaceholder({
+    pdf: await addSigningPlaceholder({ pdf }),
+  });
+
+  const pdfWithoutSignature = Buffer.concat([
+    pdfWithPlaceholder.subarray(0, byteRange[1]),
+    pdfWithPlaceholder.subarray(byteRange[2]),
+  ]);
+
+  const signatureLength = byteRange[2] - byteRange[1];
+
+  let cert: Buffer | null = null;
+
+  if (process.env.NEXT_PRIVATE_SIGNING_GCLOUD_HSM_PUBLIC_CRT_FILE_CONTENTS) {
+    cert = Buffer.from(
+      process.env.NEXT_PRIVATE_SIGNING_GCLOUD_HSM_PUBLIC_CRT_FILE_CONTENTS,
+      'base64',
+    );
+  }
+
+  if (!cert) {
+    cert = Buffer.from(
+      fs.readFileSync(
+        process.env.NEXT_PRIVATE_SIGNING_GCLOUD_HSM_PUBLIC_CRT_FILE_PATH || './example/cert.crt',
+      ),
+    );
+  }
+
+  const signature = signWithGCloud({
+    keyPath,
+    cert,
+    content: pdfWithoutSignature,
+  });
+
+  const signatureAsHex = signature.toString('hex');
+
+  const signedPdf = Buffer.concat([
+    pdfWithPlaceholder.subarray(0, byteRange[1]),
+    Buffer.from(`<${signatureAsHex.padEnd(signatureLength - 2, '0')}>`),
+    pdfWithPlaceholder.subarray(byteRange[2]),
+  ]);
+
+  return signedPdf;
+};
--- a/packages/signing/transports/local-cert.ts
+++ b/packages/signing/transports/local-cert.ts
@ -1,32 +1,51 @@
-import signer from 'node-signpdf';
 import fs from 'node:fs';

-import { addSigningPlaceholder } from '../helpers/addSigningPlaceholder';
+import { signWithP12 } from '@documenso/pdf-sign';
+
+import { addSigningPlaceholder } from '../helpers/add-signing-placeholder';
+import { updateSigningPlaceholder } from '../helpers/update-signing-placeholder';

 export type SignWithLocalCertOptions = {
  pdf: Buffer;
 };

 export const signWithLocalCert = async ({ pdf }: SignWithLocalCertOptions) => {
-  const pdfWithPlaceholder = await addSigningPlaceholder({ pdf });
+  const { pdf: pdfWithPlaceholder, byteRange } = updateSigningPlaceholder({
+    pdf: await addSigningPlaceholder({ pdf }),
+  });

-  let p12Cert: Buffer | null = null;
+  const pdfWithoutSignature = Buffer.concat([
+    pdfWithPlaceholder.subarray(0, byteRange[1]),
+    pdfWithPlaceholder.subarray(byteRange[2]),
+  ]);
+
+  const signatureLength = byteRange[2] - byteRange[1];
+
+  let cert: Buffer | null = null;

  if (process.env.NEXT_PRIVATE_SIGNING_LOCAL_FILE_CONTENTS) {
-    p12Cert = Buffer.from(process.env.NEXT_PRIVATE_SIGNING_LOCAL_FILE_CONTENTS, 'base64');
+    cert = Buffer.from(process.env.NEXT_PRIVATE_SIGNING_LOCAL_FILE_CONTENTS, 'base64');
  }

-  if (!p12Cert) {
-    p12Cert = Buffer.from(
+  if (!cert) {
+    cert = Buffer.from(
      fs.readFileSync(process.env.NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH || './example/cert.p12'),
    );
  }

-  if (process.env.NEXT_PRIVATE_SIGNING_PASSPHRASE) {
-    return signer.sign(pdfWithPlaceholder, p12Cert, {
-      passphrase: process.env.NEXT_PRIVATE_SIGNING_PASSPHRASE,
-    });
-  }
+  const signature = signWithP12({
+    cert,
+    content: pdfWithoutSignature,
+    password: process.env.NEXT_PRIVATE_SIGNING_PASSPHRASE || undefined,
+  });

-  return signer.sign(pdfWithPlaceholder, p12Cert);
+  const signatureAsHex = signature.toString('hex');
+
+  const signedPdf = Buffer.concat([
+    pdfWithPlaceholder.subarray(0, byteRange[1]),
+    Buffer.from(`<${signatureAsHex.padEnd(signatureLength - 2, '0')}>`),
+    pdfWithPlaceholder.subarray(byteRange[2]),
+  ]);
+
+  return signedPdf;
 };