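/**
 * PDF digital signature — verification and creation.
 *
 * Implements:
 * - ASN.1 DER decode/encode (shared codec)
 * - PKCS#7 / CMS SignedData parse and build
 * - X.509 certificate public key extraction
 * - PDF /ByteRange extraction and hash computation
 * - Signature verification (RSA PKCS#1 v1.5 + SHA-256)
 * - Signature creation (with ByteRange placeholder/backfill)
 *
 * Uses platform-native RSA via `@utils/crypto` (node:crypto on Node,
 * Web Crypto API in browsers).
 *
 * Scope note: everything declared here concerns the cryptographic check of
 * one signature. Nothing in these declarations reports certificate chain
 * trust, revocation status or certificate validity period, so a caller that
 * needs to know *who* signed has to establish that separately.
 *
 * @see RFC 5652 — CMS (Cryptographic Message Syntax)
 * @see ITU-T X.690 — ASN.1 DER encoding rules
 * @see ISO 32000-2:2020 §12.8 — Digital Signatures in PDF
 */

/** Parsed ASN.1 node. */
export interface Asn1Node {
  /** Tag value of the node, as a number. */
  tag: number;
  /** Raw bytes of the value (for primitive types). */
  bytes: Uint8Array;
  /** Child nodes (for constructed types). */
  children: Asn1Node[];
}

/**
 * Parse ASN.1 DER data from the root.
 *
 * @param data - DER-encoded bytes to decode.
 * @returns The root node of the decoded structure.
 *
 * NOTE(review): the input normally originates from a signature embedded in a
 * document, i.e. untrusted data. How malformed lengths, truncated input or
 * deep nesting are handled is not visible from this declaration — confirm
 * against the implementation.
 */
export declare function asn1Parse(data: Uint8Array): Asn1Node;

/**
 * Parsed CMS SignedData info for verification.
 *
 * With signed attributes present, a verifier needs two checks: the signature
 * must verify over `signedAttrsRaw`, and `messageDigest` must equal the digest
 * of the signed content. Either check alone is not sufficient.
 */
export interface CmsSignedData {
  /**
   * The signer's certificate (DER).
   * NOTE(review): how the certificate is matched to the signer when several
   * are embedded is not visible here — confirm against the implementation.
   */
  certificate: Uint8Array;
  /** The signature value. */
  signature: Uint8Array;
  /** The digest algorithm OID. */
  digestAlgorithmOid: string;
  /** The signed attributes (DER-encoded SET for hash computation). */
  signedAttrsRaw: Uint8Array;
  /** The message digest from signed attributes. */
  messageDigest: Uint8Array;
}

/**
 * Parse a PKCS#7 / CMS SignedData structure from DER bytes.
 * Extracts the first signer's info for verification; any further signers in
 * the structure are not represented in the returned value.
 *
 * @param derBytes - DER-encoded CMS SignedData.
 * @returns The fields of the first signer needed for verification.
 */
export declare function parseCmsSignedData(derBytes: Uint8Array): CmsSignedData;

/** Options for building a CMS SignedData for PDF signing. */
export interface SignOptions {
  /** DER-encoded X.509 certificate. */
  certificate: Uint8Array;
  /**
   * DER-encoded PKCS#8 private key.
   * NOTE(review): no passphrase option is declared, so this is presumably an
   * unencrypted key — confirm. Treat these bytes as secret material and keep
   * them out of logs and error messages.
   */
  privateKey: Uint8Array;
  /** The data to sign (the PDF byte ranges). */
  data: Uint8Array;
}

/**
 * Build a CMS SignedData (PKCS#7) structure for a PDF signature.
 *
 * Uses SHA-256 for digest and RSA PKCS#1 v1.5 for signing.
 * The signature is created over signed attributes that include
 * the content-type, message-digest, and signing-time.
 *
 * The signing-time attribute is a value asserted by the signer; nothing in
 * this declaration indicates that a trusted timestamp token is attached.
 *
 * @param options - Certificate, private key and the data to sign.
 * @returns The built SignedData structure.
 */
// NOTE(review): the type argument was missing in the listing; Uint8Array (the
// encoded structure) is assumed here — confirm against the implementation.
export declare function buildCmsSignedData(options: SignOptions): Promise<Uint8Array>;

/**
 * Result of verifying a PDF signature.
 *
 * `valid` and `coversWholeFile` answer different questions. A signature can be
 * cryptographically valid while bytes outside the signed ranges are not
 * protected by it, so treat a document as fully signed only when both are true.
 */
export interface SignatureVerificationResult {
  /** Whether the signature is cryptographically valid. */
  valid: boolean;
  /** Whether the signed byte ranges cover the entire file (no unsigned gaps). */
  coversWholeFile: boolean;
  /** Digest algorithm used. */
  digestAlgorithm: string;
  /** Reason for failure, if any. */
  reason?: string;
}

/**
 * Verify a digital signature in a PDF document.
 *
 * @param pdfData - The complete PDF file bytes
 * @param signatureHex - The hex-encoded PKCS#7 signature from the /Contents field
 * @param byteRange - The /ByteRange array [offset1, length1, offset2, length2]
 * @returns The verification outcome; see {@link SignatureVerificationResult}
 *   for what `valid` does and does not establish.
 *
 * NOTE(review): `byteRange` and `signatureHex` are read from the document
 * being checked and are therefore untrusted. Whether offsets and lengths are
 * bounds-checked against `pdfData.length`, and whether failures are reported
 * through `reason` or by rejection, is not visible here — confirm against the
 * implementation.
 */
export declare function verifyPdfSignature(
  pdfData: Uint8Array,
  signatureHex: string,
  byteRange: [number, number, number, number],
): Promise<SignatureVerificationResult>;

/**
 * Create a PDF signature dictionary string with a placeholder /Contents.
 * Returns the dict string and the placeholder that will be replaced.
 *
 * @param options - Optional descriptive fields for the signature dictionary:
 *   `name` is the signer name for the /Name field and `reason` the text for
 *   the /Reason field; `location` and `contactInfo` presumably map to the
 *   corresponding dictionary entries (confirm against the implementation).
 * @returns `dictString`, the dictionary text, and `placeholder`, the
 *   /Contents placeholder it contains.
 *
 * NOTE(review): these strings may come from user input and end up inside PDF
 * syntax. Confirm that the implementation escapes them as PDF string literals.
 */
export declare function buildSignatureDictPlaceholder(options?: {
  name?: string;
  reason?: string;
  location?: string;
  contactInfo?: string;
}): {
  dictString: string;
  placeholder: string;
};

/**
 * Patch a PDF with a real signature after the /ByteRange placeholder has been written.
 *
 * @param pdfBytes - The PDF bytes with placeholder /Contents and /ByteRange
 * @param certificate - DER-encoded X.509 certificate
 * @param privateKey - DER-encoded PKCS#8 private key (secret material; keep it
 *   out of logs and error messages)
 * @returns The signed PDF bytes
 */
export declare function signPdf(
  pdfBytes: Uint8Array,
  certificate: Uint8Array,
  privateKey: Uint8Array,
): Promise<Uint8Array>;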