From 5e0ba126871c57a8a688b36614f2b8d78c2675b3 Mon Sep 17 00:00:00 2001
From: Masamichi Hosoda <trueroad@trueroad.jp>
Date: Thu, 26 Sep 2019 23:36:14 +0900
Subject: Fix /Contents value representation in a signature dictionary

Table 8.93 "Entries in a signature dictionary" in PDF 1.5 reference
describes that the value of Contents entry is a hexadecimal string
representation when ByteRange is specified.

This commit makes QPDF always uses hexadecimal strings representation
instead of literal strings for it.
---
 include/qpdf/QPDFWriter.hh                         |   1 +
 libqpdf/QPDFWriter.cc                              |  19 +++++++++++++++++-
 qpdf/qpdf.testcov                                  |   1 +
 qpdf/qtest/qpdf.test                               |  22 +++++++++++++++++++++
 .../qpdf/digitally-signed-sig-dict-contents.out    |   1 +
 qpdf/qtest/qpdf/digitally-signed.pdf               | Bin 0 -> 68846 bytes
 6 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 qpdf/qtest/qpdf/digitally-signed-sig-dict-contents.out
 create mode 100644 qpdf/qtest/qpdf/digitally-signed.pdf

diff --git a/include/qpdf/QPDFWriter.hh b/include/qpdf/QPDFWriter.hh
index c3818ae4..edea3c15 100644
--- a/include/qpdf/QPDFWriter.hh
+++ b/include/qpdf/QPDFWriter.hh
@@ -470,6 +470,7 @@ class QPDFWriter
     static int const f_stream = 	1 << 0;
     static int const f_filtered =	1 << 1;
     static int const f_in_ostream =     1 << 2;
+    static int const f_hex_string =     1 << 3;
 
     enum trailer_e { t_normal, t_lin_first, t_lin_second };
 
diff --git a/libqpdf/QPDFWriter.cc b/libqpdf/QPDFWriter.cc
index 116d493f..4397c3ad 100644
--- a/libqpdf/QPDFWriter.cc
+++ b/libqpdf/QPDFWriter.cc
@@ -1687,7 +1687,20 @@ QPDFWriter::unparseObject(QPDFObjectHandle object, int level,
 	    writeStringNoQDF(" ");
 	    writeString(QPDF_Name::normalizeName(key));
 	    writeString(" ");
-            unparseChild(object.getKey(key), level + 1, child_flags);
+	    if (key == "/Contents" &&
+		object.hasKey("/Type") &&
+		object.getKey("/Type").isName() &&
+		object.getKey("/Type").getName() == "/Sig" &&
+		object.hasKey("/ByteRange"))
+	    {
+                QTC::TC("qpdf", "QPDFWriter no encryption sig contents");
+		unparseChild(object.getKey(key), level + 1,
+			     child_flags | f_hex_string);
+	    }
+	    else
+	    {
+		unparseChild(object.getKey(key), level + 1, child_flags);
+	    }
 	    writeStringQDF("\n");
 	}
 
@@ -1882,6 +1895,10 @@ QPDFWriter::unparseObject(QPDFObjectHandle object, int level,
 		val = QPDF_String(std::string(tmp, vlen)).unparse();
 	    }
 	}
+	else if (flags & f_hex_string)
+	{
+	    val = QPDF_String(object.getStringValue()).unparse(true);
+	}
 	else
 	{
 	    val = object.unparseResolved();
diff --git a/qpdf/qpdf.testcov b/qpdf/qpdf.testcov
index a34a3f39..82ac9684 100644
--- a/qpdf/qpdf.testcov
+++ b/qpdf/qpdf.testcov
@@ -446,3 +446,4 @@ QPDF_encryption user matches owner V < 5 0
 QPDF_encryption same password 1
 QPDFWriter stream in ostream 0
 QPDFObjectHandle duplicate dict key 0
+QPDFWriter no encryption sig contents 0
diff --git a/qpdf/qtest/qpdf.test b/qpdf/qtest/qpdf.test
index 6c3ea8ef..9fdf9ba2 100644
--- a/qpdf/qtest/qpdf.test
+++ b/qpdf/qtest/qpdf.test
@@ -3995,6 +3995,28 @@ $td->runtest("fix-qdf with big object stream", # > 255 objects in a stream
              {$td->FILE => "big-ostream.pdf",
               $td->EXIT_STATUS => 0});
 
+show_ntests();
+# ----------
+$td->notify("--- Signature Dictionary ---");
+$n_tests += 4;
+
+foreach my $i (qw(preserve disable))
+{
+    $td->runtest("sig dict contents hex (object-streams=$i)",
+                 {$td->COMMAND =>
+                      "qpdf --object-streams=$i digitally-signed.pdf a.pdf"},
+                 {$td->STRING => "",
+                      $td->EXIT_STATUS => 0});
+    # Use grep -f rather than writing something in test_driver because
+    # the point of the test is to ensure that the contents appears in
+    # the output file in the correct format.
+    $td->runtest("find desired contents (object-streams=$i)",
+                 {$td->COMMAND =>
+                      "grep -f digitally-signed-sig-dict-contents.out a.pdf"},
+                 {$td->REGEXP => ".*",
+                      $td->EXIT_STATUS => 0});
+}
+
 show_ntests();
 # ----------
 $td->notify("--- Large File Tests ---");
diff --git a/qpdf/qtest/qpdf/digitally-signed-sig-dict-contents.out b/qpdf/qtest/qpdf/digitally-signed-sig-dict-contents.out
new file mode 100644
index 00000000..a5bc48c1
--- /dev/null
+++ b/qpdf/qtest/qpdf/digitally-signed-sig-dict-contents.out
@@ -0,0 +1 @@
+<3082053e06092a864886f70d010702a082052f3082052b020101310f300d06096086480165030402010500300b06092a864886f70d010701a082032a308203263082020ea003020102020a89839b114e3fe6fb56c0300d06092a864886f70d01010b050030413111300f060355040313084a6f686e20446f65311f301d06092a864886f70d01090116106a646f65406578616d706c652e6f7267310b3009060355040613024a50301e170d3139303932373131303335385a170d3234303932373131303335385a30413111300f060355040313084a6f686e20446f65311f301d06092a864886f70d01090116106a646f65406578616d706c652e6f7267310b3009060355040613024a5030820122300d06092a864886f70d01010105000382010f003082010a0282010100a7aa77c89dd7162ba40a510f82381d947d4e3e37722d8e9ab6d1fac80f65d554693266ca556fbab60821c14028bc815c1db5ec4e8376573b2bdb39a3e97395203479c3f0fc31bf20700c40ff734f61fb78c393f753dff74213b66c4d87dea828e4ac05d10da91e9eb03b3fd1b1f70c33b93dd7dd5b2207baa7e2868a782ca65ec351063720c3cca067b99022e576b5382930a502e22ccb096bab7546cb08b9258c86c255555cd6adc3522960b9c77d4928aebff4efd1d2fa8cd398219ce615c6f5055a8833970838096bc89d51e840977a2460e7b4aed0bfeb21a9a7adb7f2e5692d9c050f4d51fd4fd70c52cb0657e83be335365883beab77557d0462c3d60f0203010001a320301e300f06092a864886f72f01010a04020500300b0603551d0f040403020780300d06092a864886f70d01010b0500038201010063250d3d7f8ba247a2287f601932600f1eb3aa4b4c46a329807a3282e4783925bde4f0cf3efaa9050d5b5c9862c1d192eaf9fb709c21c3ed352033335e79adb04cdb8221916eb6149fb414b51dcd9fa30c271f9b4ca13fadd4f490103fb9b6a0b9341cc3d308db53f0220a38edaa57ae14d231036ef33e61b0e90b2ce618947df1001648960bf502e0fb155d522edffcebf62fcc339bd800540cbe8b4075da6fcdcbcbc6865ee4adc6619faabe0f6cb95b8bc0a11b1f420205901df3ccbaabf04c91dcdba6015aa9d2c7a5b337e730965e8288b5c8362c60ce56d8fd559ebe02d51d315baeaae995a291cd4aad77e74b9c6946110f2a97c9c935ebe334f45ffe318201d8308201d4020101304f30413111300f060355040313084a6f686e20446f65311f301d06092a864886f70d01090116106a646f65406578616d706c652e6f7267310b3009060355040613024a50020a89839b114e3fe6fb56c0300d06096086480165030402010500a05c300f06092a864886f72f01010831023000301806092a864886f70d010903310b06092a864886f70d010701302f06092a864886f70d0109043122042086a00dff97b85b073bc5bf33e259238db835b1357957eef1c0e882e44167a697300d06092a864886f70d01010b0500048201005cfe06ea79c8bc21e8ea5baa67290841a2683109a04410f73a3c9569945de91d5dfa6d0c18d03626b308415c8823abcd616a85af7e4aa9697b94ff73e2282ef961f5a30f0027f1744a54b4af166d239f97d00eea66701445d45145bd3e2362e989f9f4b7f27990d60892bacc011c9cfc6d9bf119ac9de4e2c43e9a1e10a99b807e10b2e759ead8ad5e4c4d02a94ea83739d603606b2deddd063a19c808f6580cd2d7d22e5d2876054d6386c006abf8e57ca6c1fa8f24f29f106d33052a8f83e6b03fa926d78078d84d5952b1058c9e4761f5ea0ad183b07a99e7c2f86f97838147297f80314c8668639dc1dcc4a5ff4cf4271bd1e4eaa32c4f261f327e031c0c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000>
\ No newline at end of file
diff --git a/qpdf/qtest/qpdf/digitally-signed.pdf b/qpdf/qtest/qpdf/digitally-signed.pdf
new file mode 100644
index 00000000..e94313cf
Binary files /dev/null and b/qpdf/qtest/qpdf/digitally-signed.pdf differ
-- 
cgit v1.2.3-70-g09d2