d5ce222482
Adds Cloud Signature Consortium (CSC) integration for AES/QES signing against a configured TSP. v1 ships as instance-wide configuration via environment variables, with per-envelope signature level selection, license gating, and an OAuth-driven signing flow (capture + FIFO signers, SAD session, blocking/in-progress recipient pages). Includes signature level compatibility checks (role, signing order, dictate next signer), envelope mutability assertions, Prisma migration for signature level and CSC tables, and docs for the new signing certificate options.
import { bytesToHex, utf8ToBytes } from '@noble/ciphers/utils';
import { sha1 } from '@noble/hashes/legacy';
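/**
 * Deterministic PDF object names for CSC TSP signing.
 *
 * Materialise-time and sign-time both derive these from the same
 * `(recipient, item [, page])` tuple — they MUST agree byte-for-byte.
 *
 * Output is opaque: SHA-1(label) hex-encoded uppercase (40 chars). The PDF
 * persists only the hex serial so recipient / envelope-item IDs never leak
 * into the document.
 *
 * The hash is unkeyed, so this hides the IDs only from a reader who cannot
 * guess the label: anyone who already knows or can enumerate the IDs can
 * recompute a serial and confirm a match. Treat the serial as a stable
 * name, not as a secret.
 */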
/**
 * Maps a label to the uppercase hex encoding of its SHA-1 digest.
 *
 * The label is UTF-8 encoded before hashing, and the same label always
 * yields the same serial. SHA-1 serves here as a naming function, not as
 * an integrity or confidentiality control: no key or salt is mixed in.
 * Changing the encoding, digest or casing changes every derived name.
 *
 * @param label - Text to derive the serial from.
 * @returns Uppercase hex string of the SHA-1 digest of `label`.
 */
const hashToOpaqueSerial = (label: string): string => {
  const labelBytes = utf8ToBytes(label);
  const digestHex = bytesToHex(sha1(labelBytes));
  return digestHex.toUpperCase();
};
/**
 * AcroForm signature-field name (TSP anchor) for a recipient + envelope item.
 *
 * Builds the label `recipient:<id>|item:<id>` and returns its opaque serial.
 *
 * NOTE(review): `envelopeItemId` is interpolated unescaped. If it could ever
 * contain `|page:`, an anchor label could equal a stamp label. Presumably
 * these IDs are server-generated and cannot; confirm.
 *
 * @param recipientId - Recipient identifier placed in the label.
 * @param envelopeItemId - Envelope-item identifier placed in the label.
 * @returns The serial derived from the label by `hashToOpaqueSerial`.
 */
export const buildTspAnchorName = (recipientId: number, envelopeItemId: string): string => {
  const anchorLabel = `recipient:${recipientId}|item:${envelopeItemId}`;
  return hashToOpaqueSerial(anchorLabel);
};
/**
 * `/Stamp` annotation name for a recipient + envelope item on a specific page.
 *
 * Builds the label `recipient:<id>|item:<id>|page:<n>` and returns its
 * opaque serial, so each page of the same item gets a distinct name.
 *
 * @param recipientId - Recipient identifier placed in the label.
 * @param envelopeItemId - Envelope-item identifier placed in the label.
 * @param pageNumber - Page number placed in the label.
 * @returns The serial derived from the label by `hashToOpaqueSerial`.
 */
export const buildTspStampName = (recipientId: number, envelopeItemId: string, pageNumber: number): string => {
  const stampLabel = `recipient:${recipientId}|item:${envelopeItemId}|page:${pageNumber}`;
  return hashToOpaqueSerial(stampLabel);
};