fix: address native validator review feedback

Signed-off-by: Vitor Mattos <[email protected]>

Author: vitormattos

composer.json

@@ -63,7 +63,7 @@
 	"require": {
 		"cweagans/composer-patches": "^2.0",
 		"jeidison/signer-php": "^1.0",
-		"libresign/pdf-signature-validator": "0.2.0",
+		"libresign/pdf-signature-validator": "^0.2.0",
 		"phpseclib/phpseclib": "^3.0"
 	}
 }

composer.lock

@@ -9,6 +9,9 @@
 namespace OCA\Libresign\Handler\SignEngine;
 
 use LibreSign\PdfSignatureValidator\Parser\PdfSignatureExtractor;
+use LibreSign\PdfSignatureValidator\Model\ValidationReason;
+use LibreSign\PdfSignatureValidator\Model\ValidationResult;
+use LibreSign\PdfSignatureValidator\Model\ValidationState;
 use OCA\Libresign\AppInfo\Application;
 use OCA\Libresign\Exception\LibresignException;
 use OCA\Libresign\Handler\CertificateEngine\CertificateEngineFactory;
@@ -93,27 +96,31 @@ public function setIsLibreSignFile(): void {
 	public function getCertificateChain($resource): array {
 		$certificates = [];
 		$nativeMetadata = array_values($this->extractNativeSignatureMetadata($resource));
+		rewind($resource);
 		$nativeValidation = array_values($this->pdfSignatureValidationService->validateFromResource($resource));
 		$index = 0;
 
 		foreach ($this->getSignatures($resource) as $signature) {
+			$metadata = $nativeMetadata[$index] ?? [];
+			$validation = $nativeValidation[$index] ?? [];
+			$index++;
+
 			if (!$signature) {
 				continue;
 			}
 
 			$result = $this->processSignature(
 				$resource,
 				$signature,
-				$nativeMetadata[$index] ?? ($nativeMetadata[0] ?? []),
-				$nativeValidation[$index] ?? ($nativeValidation[0] ?? [])
+				$metadata,
+				$validation
 			);
 
 			if (empty($result['chain'])) {
 				continue;
 			}
 
 			$certificates[] = $result;
-			$index++;
 		}
 		return $certificates;
 	}
@@ -304,7 +311,7 @@ private function enrichLeafWithNativeData(array $result, array $metadata, array
 			$signatureValidation = $validation['signatureValidation'];
 
 			// Keep legacy OpenSSL result when native validator reports this known false-positive.
-			if (!$this->isDigestMismatchSignatureValidation($signatureValidation)) {
+			if (!$this->isDigestMismatchSignatureValidation($validation)) {
 				$leaf['signature_validation'] = $signatureValidation;
 			}
 		}
@@ -327,9 +334,15 @@ private function enrichLeafWithNativeData(array $result, array $metadata, array
 	 * signer engines can produce signatures that the native validator currently flags as digest mismatch.
 	 * In this case we preserve the legacy validation computed from the PKCS#7 signature.
 	 */
-	private function isDigestMismatchSignatureValidation(array $signatureValidation): bool {
-		return ($signatureValidation['id'] ?? null) === 3
-			&& ($signatureValidation['label'] ?? '') === 'Digest mismatch.';
+	private function isDigestMismatchSignatureValidation(array $validation): bool {
+		$rawSignatureValidation = $validation['raw']['signature'] ?? null;
+		if ($rawSignatureValidation instanceof ValidationResult) {
+			return $rawSignatureValidation->reasonCode === ValidationReason::DIGEST_MISMATCH
+				|| $rawSignatureValidation->state === ValidationState::DIGEST_MISMATCH;
+		}
+
+		$signatureValidation = $validation['signatureValidation'] ?? null;
+		return is_array($signatureValidation) && ($signatureValidation['id'] ?? null) === 3;
 	}
 
 	/**

lib/Handler/SignEngine/Pkcs12Handler.php

@@ -8,7 +8,6 @@
 
 namespace OCA\Libresign\Service\Signature;
 
-use DateTime;
 use LibreSign\PdfSignatureValidator\Model\ValidationResult;
 use LibreSign\PdfSignatureValidator\Model\ValidationState;
 use LibreSign\PdfSignatureValidator\Parser\PdfSignatureValidator;
@@ -73,13 +72,12 @@ public function setTrustedRoots(array $certificates): void {
 	 * Validate PDF signatures from file resource.
 	 *
 	 * @param resource $resource PDF file resource
-	 * @param ?\DateTime $signatureTime Optional time to validate against (for historic validation)
 	 * @return list<array{signatureValidation: array, certificateValidation: array, raw: array{signature: ValidationResult, certificate: ValidationResult}}>
 	 */
-	public function validateFromResource($resource, ?DateTime $signatureTime = null): array {
+	public function validateFromResource($resource): array {
 		try {
 			$results = $this->validator->validateFromResource($resource);
-			return $this->mapValidationResults($results, $signatureTime);
+			return $this->mapValidationResults($results);
 		} catch (\Throwable $e) {
 			$this->logger->warning('PDF signature validation failed', [
 				'error' => $e->getMessage(),
@@ -93,13 +91,12 @@ public function validateFromResource($resource, ?DateTime $signatureTime = null)
 	 * Validate PDF signatures from binary content.
 	 *
 	 * @param string $pdfContent Binary PDF content
-	 * @param ?\DateTime $signatureTime Optional time to validate against (for historic validation)
 	 * @return list<array{signatureValidation: array, certificateValidation: array, raw: array{signature: ValidationResult, certificate: ValidationResult}}>
 	 */
-	public function validateFromString(string $pdfContent, ?DateTime $signatureTime = null): array {
+	public function validateFromString(string $pdfContent): array {
 		try {
 			$results = $this->validator->validateFromString($pdfContent);
-			return $this->mapValidationResults($results, $signatureTime);
+			return $this->mapValidationResults($results);
 		} catch (\Throwable $e) {
 			$this->logger->warning('PDF signature validation failed', [
 				'error' => $e->getMessage(),
@@ -113,10 +110,9 @@ public function validateFromString(string $pdfContent, ?DateTime $signatureTime
 	 * Map validation results from PdfSignatureValidator to LibreSign format.
 	 *
 	 * @param list<array> $results Results from PdfSignatureValidator
-	 * @param ?\DateTime $signatureTime
 	 * @return list<array{signatureValidation: array, certificateValidation: array, raw: array{signature: ValidationResult, certificate: ValidationResult}}>
 	 */
-	private function mapValidationResults(array $results, ?DateTime $signatureTime = null): array {
+	private function mapValidationResults(array $results): array {
 		$mapped = [];
 
 		foreach ($results as $result) {