mirror of
https://github.com/mozilla/pdf.js.git
synced 2026-07-01 20:55:48 +02:00
Adds a new "Digital signature properties" doorhanger to the pdf.js toolbar that lists every digital signature found in the opened PDF, verifies each one (via NSS in the Firefox build through a new chrome bridge), and shows per-signature status + certificate state. The viewer side parses /Sig dicts in the worker (`PDFDocument.signatures`), strict-validates the /ByteRange offsets before slicing, and ships only signature metadata across the worker boundary. The PKCS#7 blob and signed-data byte spans live in a worker-side map and are fetched lazily one signature at a time via a new `getSignatureData(id)` RPC, immediately before verification runs, so the bytes never sit in main-thread memory for the document's lifetime. The panel is feature-gated by `pdfjs.enableSignatureVerification` (true in MOZCENTRAL/TESTING, off by default in the GENERIC build). External services expose a `createSignatureVerifier()` factory that the Firefox build wires up to `nsIX509CertDB.asyncVerifyPKCS7Object`; GENERIC builds return null and the toolbar button stays hidden. UI summary: - Toolbar button states: loading dots while in flight, then green check, orange `!`, or red `✕` based on the worst aggregate signature status. - Doorhanger contains a banner summarising the document state, then one card per signature with status row + certificate row (sub- signatures nested under their outer revision via /ByteRange containment). - Icons are mono SVGs themed via `mask-image` + `background-color` so they pick up light/dark/HCM via `--sig-icon-*` vars; flipped under RTL via `scaleX(var(--dir-factor))`. The HCM mapping reuses the alt-text vocabulary (ButtonFace / ButtonText / ButtonBorder / GrayText / AccentColor / LinkText) so this panel reads the same as the rest of the editor toolbar in high-contrast mode. - All visible strings are localized via Fluent (`pdfjs-digital-signature-properties-*`); status row, banner, and certificate row use explicit lookup tables instead of generated ids so a grep finds them. - Esc + outside-click close the panel through the viewer's existing handlers; the manager exposes `isOpen`, `close()`, and `shouldCloseOnClick(target)` for that. This commit also adds a `test/pdfs/sig_corpus/` directory holding a Python generator that produces a corpus of signed PDFs covering every visible state of the doorhanger (verified / untrusted / expired / invalid / unknown / multi-signature variants). The corpus is intentionally NOT part of the automated test suite — it is a manual-test tool. Generated `.pdf` files are gitignored; only the generator, README, and a `user.js.example` snippet are tracked. The generator shells out to mozilla-central's `security/manager/tools/pycms.py` (resolved via `--mozilla-central <path>` or the `MOZILLA_CENTRAL_SRC` env var) and the embedded test trust anchors (`pdf-sign-ca` / `pdf-sign-ca-expired`), gated by `security.pdf_signature_verification.enable_test_trust_anchors` so the test certificates never validate in shipping Firefox.
81 lines
2.3 KiB
JavaScript
81 lines
2.3 KiB
JavaScript
/* Copyright 2024 Mozilla Foundation
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
class BaseExternalServices {
|
|
constructor() {
|
|
if (
|
|
(typeof PDFJSDev === "undefined" || PDFJSDev.test("TESTING")) &&
|
|
this.constructor === BaseExternalServices
|
|
) {
|
|
throw new Error("Cannot initialize BaseExternalServices.");
|
|
}
|
|
}
|
|
|
|
updateFindControlState(data) {}
|
|
|
|
updateFindMatchesCount(data) {}
|
|
|
|
initPassiveLoading() {}
|
|
|
|
reportTelemetry(data) {}
|
|
|
|
reportText(data) {}
|
|
|
|
/**
|
|
* @returns {Promise<L10n>}
|
|
*/
|
|
async createL10n() {
|
|
throw new Error("Not implemented: createL10n");
|
|
}
|
|
|
|
createScripting() {
|
|
throw new Error("Not implemented: createScripting");
|
|
}
|
|
|
|
createSignatureStorage() {
|
|
throw new Error("Not implemented: createSignatureStorage");
|
|
}
|
|
|
|
/**
|
|
* Build a signature verifier for the Digital signature properties panel.
|
|
*
|
|
* The MOZCENTRAL build returns a verifier that calls into NSS via
|
|
* the chrome bridge. The default GENERIC implementation returns
|
|
* `null` — there is no portable cryptographic verification path
|
|
* outside Firefox, so the toolbar button stays hidden and the
|
|
* worker is never asked for `getSignatures()`.
|
|
*
|
|
* Downstream consumers of `pdfjs-dist` that want the Signature
|
|
* Properties UI should subclass `BaseExternalServices` and return
|
|
* an object exposing `verify(signature)` (and optionally
|
|
* `viewCertificate(certificate)`) that resolves to a
|
|
* `VerificationResult` — see `web/firefoxcom.js` for the exact
|
|
* shape.
|
|
*
|
|
* @returns {Object|null}
|
|
*/
|
|
createSignatureVerifier() {
|
|
return null;
|
|
}
|
|
|
|
updateEditorStates(data) {
|
|
throw new Error("Not implemented: updateEditorStates");
|
|
}
|
|
|
|
dispatchGlobalEvent(_event) {}
|
|
}
|
|
|
|
export { BaseExternalServices };
|