fix: preserve legacy signature validation on native digest mismatch

Signed-off-by: Vitor Mattos <[email protected]>

Author: vitormattos

lib/Handler/SignEngine/Pkcs12Handler.php

@@ -301,7 +301,12 @@ private function enrichLeafWithNativeData(array $result, array $metadata, array
 		}
 
 		if (isset($validation['signatureValidation']) && is_array($validation['signatureValidation'])) {
-			$leaf['signature_validation'] = $validation['signatureValidation'];
+			$signatureValidation = $validation['signatureValidation'];
+
+			// Keep legacy OpenSSL result when native validator reports this known false-positive.
+			if (!$this->isDigestMismatchSignatureValidation($signatureValidation)) {
+				$leaf['signature_validation'] = $signatureValidation;
+			}
 		}
 
 		if (isset($validation['certificateValidation']) && is_array($validation['certificateValidation'])) {
@@ -318,6 +323,15 @@ private function enrichLeafWithNativeData(array $result, array $metadata, array
 		return $result;
 	}
 
+	/**
+	 * signer engines can produce signatures that the native validator currently flags as digest mismatch.
+	 * In this case we preserve the legacy validation computed from the PKCS#7 signature.
+	 */
+	private function isDigestMismatchSignatureValidation(array $signatureValidation): bool {
+		return ($signatureValidation['id'] ?? null) === 3
+			&& ($signatureValidation['label'] ?? '') === 'Digest mismatch.';
+	}
+
 	/**
 	 * @param resource $resource
 	 * @return array<int, array{field: ?string, range: ?array{offset1: int, offset2: int, length1: int, length2: int}, signature_type: ?string, covers_entire_document: bool}>

tests/php/Unit/Handler/SignEngine/Pkcs12HandlerTest.php

@@ -464,4 +464,28 @@ public function testGetCertificateChainUsesNativeValidationServiceForEachSignatu
 		$this->assertSame(3, $result[0]['chain'][0]['certificate_validation']['id']);
 	}
 
+	public function testGetCertificateChainDoesNotOverrideLegacySignatureValidationOnDigestMismatch(): void {
+		$this->pdfSignatureValidationService->method('validateFromResource')
+			->willReturn([
+				[
+					'signatureValidation' => [
+						'id' => 3,
+						'label' => 'Digest mismatch.',
+						'reason' => 'PDF content hash does not match signed digest',
+					],
+				],
+			]);
+
+		$handler = $this->getHandler();
+		$resource = fopen(__DIR__ . '/../../../fixtures/pdfs/small_valid-signed.pdf', 'r');
+		$this->assertIsResource($resource);
+
+		$result = $handler->getCertificateChain($resource);
+		fclose($resource);
+
+		$this->assertNotEmpty($result);
+		$this->assertSame(1, $result[0]['chain'][0]['signature_validation']['id']);
+		$this->assertSame('Signature is valid.', $result[0]['chain'][0]['signature_validation']['label']);
+	}
+
 }