Digital Signature and Certificate verification by beurdouche · Pull Request #21247 · mozilla/pdf.js

beurdouche · 2026-05-09T17:08:38Z

No description provided.

codecov-commenter · 2026-05-09T17:10:29Z

Codecov Report

❌ Patch coverage is 25.11962% with 313 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.23%. Comparing base (e86e9d9) to head (4a77dd4).
⚠️ Report is 330 commits behind head on master.

Files with missing lines	Patch %	Lines
web/digital_signature_properties_manager.js	1.98%	297 Missing ⚠️
src/core/document.js	89.77%	9 Missing ⚠️
web/app.js	70.58%	5 Missing ⚠️
src/display/api.js	71.42%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           master   #21247       +/-   ##
===========================================
+ Coverage   54.57%   89.23%   +34.66%     
===========================================
  Files         216      261       +45     
  Lines       58860    66485     +7625     
===========================================
+ Hits        32120    59331    +27211     
+ Misses      26740     7154    -19586

Flag	Coverage Δ
browsertest	`66.60% <5.15%> (?)`
fonttest	`9.02% <ø> (?)`
integrationtest	`68.49% <5.74%> (?)`
unittest	`57.26% <88.65%> (?)`
unittestcli	`56.22% <88.65%> (+1.65%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Switch the panel row icons and the toolbar button state badge from `background-image:` (full-colour SVG, never themes) to `mask-image:` + `background-color:`. The colour comes from new `--sig-icon-*` tint vars that resolve via `light-dark()` in normal mode and collapse to `CanvasText` in `forced-colors: active`. - Rewrite `toolbarButton-signaturePropertiesVerified/Warn/Error.svg` as mono filled-disc silhouettes with a transparent glyph cutout (via `<mask>`). - New `signature-properties-row-check.svg` — outline check used by the default/fine row states (supersedes `signature-properties-status-check.svg`). - Drop `--signatureProperties-statusCheck-icon`, add `--signatureProperties-rowCheck-icon`. - Add `--sig-icon-{default,warn,error,verified}` tint vars with forced-colors fallbacks; toolbar + row rules both reference them.

Per Calixte's review feedback on web/signature_properties.css:1 (use "digital signature" terminology to avoid confusion with the handwritten-signature feature), rename: - web/signature_properties.css -> web/digital_signature_properties.css - web/signature_properties_manager.js -> web/digital_signature_properties_manager.js Updates references in web/viewer.css (@import), web/viewer.html (import map), gulpfile.mjs (import alias) and web/app.js (import). The exported SignaturePropertiesManager class name is left unchanged.

@Snuffleupagus

- src/core/document.js: short comment explaining why `stream.end` is used (raw-buffer end matches the coordinate system of /ByteRange offsets, which `stream.length` does not after `moveStart`). Resolves the follow-up question from @Snuffleupagus on the document.js:2079 thread. - test/unit/document_spec.js: update the two assertions that still expected an empty array for the "no signatures" case — the getter now returns `null` (per @Snuffleupagus on display/api.js:1082), so switch to `.toBeNull()`. These were the unit-test failures in CI run 27538005889.

Five hardening fixes from a stack review: 1. `/ByteRange` bounds validation in `#parseSignatureDict` — reject signatures that lie about the byte spans they cover (`a == 0`, `b > 0`, `d >= 0`, `a + b <= c`, `c + d <= fileLength`), and compute `coversWholeDocument` from the trailer-gap rather than the absolute last-signed-byte position. 2. Split signature metadata from byte payload across the worker boundary. The `signatures` getter now ships small metadata only; the PKCS#7 blob and signed-data byte spans live in a worker-side `#signatureData` Map and are fetched on demand via a new `getSignatureData(id)` worker RPC. The viewer pulls bytes one signature at a time, immediately before passing them to the verifier, so they don't sit in main-thread memory for the document's lifetime. 3. Per-load `Symbol` token in `loadFromDocument` / `reset()`. In-flight `#verify()` promises capture the token at start and bail on resolve if it has changed, so a verification for doc A can't write into doc B's results map after a fast doc-switch. 4. `expirationDateForCert` no longer falls back to a future leaf `notAfter` when the chain doesn't contain a past date. Showing "Expired (Jan 1, 2027)" was misleading; the caller now renders the dateless `Certificate: Expired` label instead. 5. Test update: `pkcs7` / `data` are no longer attached to the metadata array, so the unit test fetches bytes via the new `getSignatureData(id)` helper. Pad the test stream so ByteRanges fit within `stream.end`.

@bcolsson

Three follow-ups from @bcolsson on viewer.ftl: - Sentence case: `Digital Signature properties` → `Digital signature properties` everywhere (button title, aria-label, label, group comment, test corpus README/generator, in-source doc comments). - The status row only ever shows one of three distinct English strings, so collapse `-status-untrusted` / `-expired` / `-revoked` into the existing `-status-verified` (the cert chain issue lives on the cert row below). `STATUS_INFO` in the manager maps all cryptographically-verified statuses to the same id, and a group comment in viewer.ftl explains the design. - Rewrite the comment for `pdfjs-...-reason`: the variable holds an NSS error message for an invalid signature, not text from the PDF's /Sig dictionary. Also rename every Fluent id from `pdfjs-signature-properties-...` to `pdfjs-digital-signature-properties-...` so the id namespace matches the filename and the panel name.

bcolsson

Looks good, thanks!

beurdouche requested a review from a team as a code owner May 9, 2026 17:08

beurdouche temporarily deployed to code-coverage May 9, 2026 17:08 — with GitHub Actions Inactive

beurdouche force-pushed the master branch from 08cc890 to 72ad5bf Compare May 9, 2026 17:35

beurdouche temporarily deployed to code-coverage May 9, 2026 17:35 — with GitHub Actions Inactive

beurdouche force-pushed the master branch from 72ad5bf to 9e8d4ff Compare May 9, 2026 17:44

beurdouche temporarily deployed to code-coverage May 9, 2026 17:44 — with GitHub Actions Inactive