Ryan/documenso
1
0
Fork 1
mirror of https://github.com/documenso/documenso.git synced 2026-06-22 04:12:06 +10:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5ce222482c2da81a1b0e6740e7d829752ea8f7f
documenso/packages/ee/server-only/signing/csc/signers/fifo-signer.ts
T
Lucas Smith d5ce222482 feat: add CSC AES/QES signing (v1 instance-wide config) (#2874) 
Adds Cloud Signature Consortium (CSC) integration for AES/QES signing
against a configured TSP. v1 ships as instance-wide configuration via
environment variables, with per-envelope signature level selection,
license gating, and an OAuth-driven signing flow (capture + FIFO
signers, SAD session, blocking/in-progress recipient pages).

Includes signature level compatibility checks (role, signing order,
dictate next signer), envelope mutability assertions, Prisma migration
for signature level and CSC tables, and docs for the new signing
certificate options.
2026-06-16 23:37:34 +10:00

58 lines
1.9 KiB
TypeScript
Raw Blame History

/**
* CSC embed-pass FIFO signer.
*
* `signatures/signHash` (CSC §11.9) returns one signature per submitted
* hash, in the same position-bound order as the request `hash[]` array.
* The embed pass re-runs `pdf.sign()` once per anchor in that same order,
* so a FIFO queue of signature bytes — popped on each `sign()` call —
* is sufficient to feed libpdf without any per-anchor binding metadata.
*/
import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
import type { Signer } from '@libpdf/core';
import type { LibpdfSignerAlgo } from '../algorithm-resolver';
type DigestAlgorithm = 'SHA-256' | 'SHA-384' | 'SHA-512';
type KeyType = 'RSA' | 'EC';
type SignatureAlgorithm = 'RSASSA-PKCS1-v1_5' | 'RSA-PSS' | 'ECDSA';
export type CscFifoSignerOptions = {
certificate: Uint8Array;
certificateChain?: Uint8Array[];
algo: LibpdfSignerAlgo;
/** Base64-decoded raw signature bytes in the order produced by `signatures/signHash`. */
signatures: Uint8Array[];
};
export class CscFifoSigner implements Signer {
readonly certificate: Uint8Array;
readonly certificateChain?: Uint8Array[];
readonly keyType: KeyType;
readonly signatureAlgorithm: SignatureAlgorithm;
private readonly queue: Uint8Array[];
constructor(options: CscFifoSignerOptions) {
this.certificate = options.certificate;
this.certificateChain = options.certificateChain;
this.keyType = options.algo.keyType;
this.signatureAlgorithm = options.algo.signatureAlgorithm;
this.queue = [...options.signatures];
}
// biome-ignore lint/suspicious/useAwait: intentional
async sign(_data: Uint8Array, _algorithm: DigestAlgorithm): Promise<Uint8Array> {
const next = this.queue.shift();
if (next === undefined) {
throw new AppError(AppErrorCode.INVALID_REQUEST, {
message: 'CSC FIFO signer exhausted — more sign() calls than queued signatures.',
});
}
return next;
}
}
Reference in New Issue View Git Blame Copy Permalink