signature

package
v1.0.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 23, 2026 License: MIT Imports: 19 Imported by: 0

Documentation

Overview

Package signature provides CMS/PKCS#7 digital signatures for PDF documents.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CorruptECDSASignature 

func CorruptECDSASignature(cmsData []byte) []byte

CorruptECDSASignature creates a copy of CMS data with a corrupted ECDSA signature value. This is used for negative testing of signature verification.

func CorruptRSASignature 

func CorruptRSASignature(cmsData []byte) []byte

CorruptRSASignature creates a copy of CMS data with a corrupted RSA signature value.

func Sign 

func Sign(pdfData []byte, signer Signer, opts ...Option) ([]byte, error)

Sign adds a digital signature to a PDF document. It returns the signed PDF as a new byte slice.

func TamperByte 

func TamperByte(pdfData []byte, offset int) []byte

TamperByte modifies a single byte in the PDF data outside the signature Contents region, simulating document tampering. Returns a copy of the data with the byte at the given offset XORed with 0xFF.

Types

type Option 

type Option func(*signConfig)

Option configures the signing process.

func WithLocation 

func WithLocation(location string) Option

WithLocation sets the location of signing.

func WithReason 

func WithReason(reason string) Option

WithReason sets the reason for signing.

func WithSignTime 

func WithSignTime(t time.Time) Option

WithSignTime sets the signing time (default: current time).

func WithTimestamp 

func WithTimestamp(tsaURL string) Option

WithTimestamp enables RFC 3161 timestamping from the given TSA URL.

type SignatureInfo 

type SignatureInfo struct {
	// PDF-level fields
	Filter    string // e.g. "Adobe.PPKLite"
	SubFilter string // e.g. "adbe.pkcs7.detached"
	Reason    string
	Location  string
	SignTime  string // raw /M value
	ByteRange [4]int64

	// CMS-level fields
	CMSData         []byte            // raw CMS/PKCS#7 DER data
	Certificate     *x509.Certificate // signer certificate
	DigestAlgorithm asn1.ObjectIdentifier
	SignatureAlg    asn1.ObjectIdentifier
	MessageDigest   []byte // from signed attributes
	RawSignature    []byte // the cryptographic signature value
	SignedAttrsRaw  []byte // DER-encoded signed attributes (for verification)

	// Timestamp fields
	HasTimestamp   bool   // true if RFC 3161 timestamp token is present
	TimestampToken []byte // raw DER of the timestamp token (ContentInfo)
}

SignatureInfo holds parsed signature information from a signed PDF.

func ParseSignatureInfo 

func ParseSignatureInfo(pdfData []byte) (*SignatureInfo, error)

ParseSignatureInfo extracts signature information from a signed PDF.

func (*SignatureInfo) CertOrganization 

func (info *SignatureInfo) CertOrganization() []string

CertOrganization returns the certificate subject Organization.

func (*SignatureInfo) CertSubject 

func (info *SignatureInfo) CertSubject() string

CertSubject returns the certificate subject CommonName.

func (*SignatureInfo) ECDSACurve 

func (info *SignatureInfo) ECDSACurve() string

ECDSACurve returns the ECDSA curve name, or "" if not ECDSA.

func (*SignatureInfo) FindSafeByteRange 

func (info *SignatureInfo) FindSafeByteRange() int

FindSafeByteRange computes offsets from ByteRange that are safe to tamper (i.e., within the signed region but outside the Contents placeholder). Returns an offset in the first byte range (the PDF header region).

func (*SignatureInfo) IsECDSA 

func (info *SignatureInfo) IsECDSA() bool

IsECDSA returns true if the signature uses ECDSA.

func (*SignatureInfo) IsRSA 

func (info *SignatureInfo) IsRSA() bool

IsRSA returns true if the signature uses RSA.

func (*SignatureInfo) RSAKeySize 

func (info *SignatureInfo) RSAKeySize() int

RSAKeySize returns the RSA key size in bits, or 0 if not RSA.

func (*SignatureInfo) VerifyByteRangeHash 

func (info *SignatureInfo) VerifyByteRangeHash(pdfData []byte) error

VerifyByteRangeHash recomputes the SHA-256 hash over the ByteRange regions and compares it with the messageDigest in the CMS signed attributes.

func (*SignatureInfo) VerifyECDSACurveP256 

func (info *SignatureInfo) VerifyECDSACurveP256() bool

VerifyECDSACurveP256 checks that the ECDSA key uses the P-256 curve.

func (*SignatureInfo) VerifyIntegrity 

func (info *SignatureInfo) VerifyIntegrity(pdfData []byte) error

VerifyIntegrity performs full integrity verification: 1. Recomputes ByteRange hash and checks against messageDigest 2. Cryptographically verifies the CMS signature

func (*SignatureInfo) VerifySignature 

func (info *SignatureInfo) VerifySignature() error

VerifySignature cryptographically verifies the CMS signature using the certificate's public key.

type Signer 

type Signer struct {
	Certificate *x509.Certificate
	PrivateKey  crypto.PrivateKey
	Chain       []*x509.Certificate // intermediate certificates (optional)
}

Signer represents a signing identity (certificate + private key).

func GenerateTestCertificate 

func GenerateTestCertificate() (Signer, error)

GenerateTestCertificate creates a self-signed RSA certificate for testing.

func GenerateTestECCertificate 

func GenerateTestECCertificate() (Signer, error)

GenerateTestECCertificate creates a self-signed EC certificate for testing.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.