diff --git a/.env.example b/.env.example index 47d959a..fd7ae48 100644 --- a/.env.example +++ b/.env.example @@ -41,3 +41,19 @@ LAMBDA_API_KEY=your-lambda-api-key-64-chars-hex # Lambda Functions URLs LAMBDA_PDF_TO_IMAGES_URL=https://your-lambda-url.lambda-url.eu-west-3.on.aws/ + +# Odentas Sign - Lambda PAdES Seal +# Lambda pour sceller les PDFs avec signature électronique qualifiée (PAdES) +LAMBDA_PADES_URL=https://to6vdbnrcencifu3rlg5rygrua0hhdqc.lambda-url.eu-west-3.on.aws/ + +# Odentas Sign - Lambda TSA Timestamp +# Lambda pour horodater les documents signés (RFC 3161) +LAMBDA_TSA_URL=https://fs5drdovby3tye4i3fmb27b3gi0zfqyw.lambda-url.eu-west-3.on.aws/ + +# Odentas Sign - KMS Key ID +# Clé KMS AWS pour chiffrer les signatures +KMS_KEY_ID=arn:aws:kms:eu-west-3:292468105557:key/4d08be1d-a871-486e-bf70-f651f18c5f19 + +# Odentas Sign - TSA Timestamp Authority +# URL du serveur d'horodatage (Sectigo par défaut) +TSA_URL=https://timestamp.sectigo.com diff --git a/ODENTAS_SIGN_LAMBDA_URLS.md b/ODENTAS_SIGN_LAMBDA_URLS.md new file mode 100644 index 0000000..c9345a3 --- /dev/null +++ b/ODENTAS_SIGN_LAMBDA_URLS.md 
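Review bot: The example env file now ships the real production Function URLs of the PAdES and TSA Lambdas plus the live KMS key ARN (with the AWS account ID), and the companion ODENTAS_SIGN_LAMBDA_URLS.md in this same commit states those URLs run with `auth-type: NONE` — so anyone who reads this file can invoke the sealing and timestamping functions with a payload of their choosing. Keep `.env.example` to placeholders, e.g. `LAMBDA_PADES_URL=https://your-pades-lambda-url.lambda-url.eu-west-3.on.aws/`, and treat the real values as secrets until the Function URLs are switched to IAM (SigV4) auth. The comment `signature électronique qualifiée (PAdES)` also overstates what this commit builds: the seal is issued under the self-signed `Odentas Media SAS Root CA` generated in certs/, which is not a qualified certificate from an eIDAS trust service provider; `signature électronique (PAdES) sous AC interne` would describe it accurately.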
@@ -0,0 +1,101 @@ +# Odentas Sign - Configuration Lambda URLs + +## URLs des Lambdas de Production + +### Lambda PAdES Seal +**Fonction:** Scellage des PDFs avec signature électronique qualifiée (PAdES) +- **Nom:** `odentas-pades-sign` +- **URL:** `https://to6vdbnrcencifu3rlg5rygrua0hhdqc.lambda-url.eu-west-3.on.aws/` +- **Région:** eu-west-3 (Paris) +- **Variable d'environnement:** `LAMBDA_PADES_URL` + +### Lambda TSA Timestamp +**Fonction:** Horodatage des documents signés (RFC 3161) +- **Nom:** `odentas-tsa-stamp` +- **URL:** `https://fs5drdovby3tye4i3fmb27b3gi0zfqyw.lambda-url.eu-west-3.on.aws/` +- **Région:** eu-west-3 (Paris) +- **Variable d'environnement:** `LAMBDA_TSA_URL` + +## Configuration KMS + +**Clé KMS pour chiffrement des signatures:** +``` +arn:aws:kms:eu-west-3:292468105557:key/4d08be1d-a871-486e-bf70-f651f18c5f19 +``` +**Variable d'environnement:** `KMS_KEY_ID` + +## Serveur d'Horodatage TSA + +**URL du serveur TSA (Sectigo):** +``` +https://timestamp.sectigo.com +``` +**Variable d'environnement:** `TSA_URL` + +## Configuration dans .env + +Ajoutez ces lignes dans votre fichier `.env` : + +```bash +# Odentas Sign - Lambda URLs +LAMBDA_PADES_URL=https://to6vdbnrcencifu3rlg5rygrua0hhdqc.lambda-url.eu-west-3.on.aws/ +LAMBDA_TSA_URL=https://fs5drdovby3tye4i3fmb27b3gi0zfqyw.lambda-url.eu-west-3.on.aws/ +KMS_KEY_ID=arn:aws:kms:eu-west-3:292468105557:key/4d08be1d-a871-486e-bf70-f651f18c5f19 +TSA_URL=https://timestamp.sectigo.com +``` + +## Déploiement sur Vercel + +Pour déployer en production sur Vercel, ajoutez ces variables d'environnement : + +1. Aller dans **Settings** > **Environment Variables** +2. Ajouter chaque variable : + - `LAMBDA_PADES_URL` + - `LAMBDA_TSA_URL` + - `KMS_KEY_ID` + - `TSA_URL` +3. Sélectionner **Production**, **Preview**, et **Development** +4. Redéployer l'application + +## Workflow de Signature Complet + +1. **Signature électronique** → Les signataires signent via l'interface web +2. 
**Déclenchement automatique** → Quand tous ont signé, webhook appelé +3. **Lambda PAdES** → Scellage du PDF avec signature qualifiée +4. **Lambda TSA** → Horodatage du document +5. **S3 Archive** → Stockage avec compliance lock (10 ans) +6. **Email de confirmation** → Notification aux signataires + +## Gestion des Erreurs + +Si une Lambda échoue : +- ❌ Le statut de la demande passe à `failed` +- 🔔 Un événement `sealing_failed` est loggé +- 🚫 Le document n'est **pas** marqué comme `completed` + +Avant ce correctif, le système marquait le document comme `completed` même en cas d'échec du scellage, ce qui posait un problème de conformité. + +## Vérification des URLs + +Pour vérifier que les Lambdas sont accessibles : + +```bash +# Test Lambda PAdES +curl -X POST https://to6vdbnrcencifu3rlg5rygrua0hhdqc.lambda-url.eu-west-3.on.aws/ \ + -H "Content-Type: application/json" \ + -d '{}' + +# Test Lambda TSA +curl -X POST https://fs5drdovby3tye4i3fmb27b3gi0zfqyw.lambda-url.eu-west-3.on.aws/ \ + -H "Content-Type: application/json" \ + -d '{}' +``` + +## Sécurité + +Les Function URLs sont actuellement configurées avec `auth-type: NONE` pour permettre l'accès direct depuis Next.js. + +Pour une sécurité renforcée en production, considérez : +- Utiliser IAM authentication +- Ajouter une API Gateway avec authentification +- Implémenter un système de tokens/signatures diff --git a/app/api/odentas-sign/webhooks/completion/route.ts b/app/api/odentas-sign/webhooks/completion/route.ts index a9f2d4e..5dbe251 100644 --- a/app/api/odentas-sign/webhooks/completion/route.ts +++ b/app/api/odentas-sign/webhooks/completion/route.ts 
@@ -154,28 +154,51 @@ export async function POST(request: NextRequest) { console.log(`[WEBHOOK] Payload PAdES:`, JSON.stringify(padesPayload, null, 2)); - // En local, on simule la Lambda (en production, faire un appel Lambda réel) - const padesResponse = await fetch(process.env.LAMBDA_PADES_URL || 'http://localhost:9000/2015-03-31/functions/function/invocations', { + // Vérifier que les Lambdas sont configurées + if (!process.env.LAMBDA_PADES_URL || !process.env.LAMBDA_TSA_URL) { + const error = 'LAMBDA_PADES_URL et LAMBDA_TSA_URL doivent être configurées pour le scellage'; + console.error(`[WEBHOOK] ❌ ${error}`); + + // Mettre à jour le statut en 'failed' + await supabaseAdmin + .from('sign_requests') + .update({ status: 'failed' }) + .eq('id', requestId); + + await logSignEvent({ + requestId: signRequest.id, + event: 'sealing_failed', + metadata: { error, reason: 'Lambda URLs not configured' }, + }); + + return NextResponse.json( + { error, details: 'Veuillez configurer LAMBDA_PADES_URL et LAMBDA_TSA_URL dans .env' }, + { status: 500 } + ); + } + + // Appel Lambda PAdES + const padesResponse = await fetch(process.env.LAMBDA_PADES_URL, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(padesPayload), }).catch((err) => { - console.error('[WEBHOOK] ⚠️ Lambda PAdES non accessible (normal en local):', err.message); - return null; + console.error('[WEBHOOK] ❌ Erreur appel Lambda PAdES:', err.message); + throw new Error(`Lambda PAdES inaccessible: ${err.message}`); }); - let sealedPdfKey = `signed/${signRequest.ref}.pdf`; - let pdfHash = ''; - - if (padesResponse && padesResponse.ok) { - const padesResult = await padesResponse.json(); - console.log(`[WEBHOOK] ✅ PAdES seal appliqué`); - sealedPdfKey = padesResult.signed_pdf_key; - pdfHash = padesResult.pdf_sha256; - } else { - console.log(`[WEBHOOK] ⚠️ PAdES seal skipped (Lambda non disponible en local)`); + if (!padesResponse.ok) { + const errorText = await padesResponse.text(); + 
console.error('[WEBHOOK] ❌ Lambda PAdES a échoué:', errorText); + throw new Error(`Lambda PAdES failed: ${padesResponse.status} - ${errorText}`); } + const padesResult = await padesResponse.json(); + console.log(`[WEBHOOK] ✅ PAdES seal appliqué`); + + const sealedPdfKey = padesResult.signed_pdf_key; + const pdfHash = padesResult.pdf_sha256; + // Étape 2: Appeler lambda-tsaStamp pour horodater console.log(`[WEBHOOK] ⏱️ Appel de lambda-tsaStamp...`); 
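Review bot: `padesResult.signed_pdf_key` and `padesResult.pdf_sha256` are read straight out of the Lambda's JSON with no shape check, so a 200 response with a missing or malformed body leaves `pdfHash` undefined, which then feeds `hash_to_timestamp` for the TSA call and the evidence bundle — the old code at least skipped sealing in that case. Validate the response before trusting it (below). Hedged, since the retry policy of the caller is not in this diff: the config guard flips the request to `failed` for what is a server-side misconfiguration, so a deployment with one missing env var permanently fails documents that every party has already signed; a 503 without touching the status would let the webhook be retried once the config is fixed. `POST` starts before and continues after this hunk.
```typescript
const padesResult: unknown = await padesResponse.json();
const sealed = padesResult as { signed_pdf_key?: unknown; pdf_sha256?: unknown } | null;
if (
  typeof sealed?.signed_pdf_key !== 'string' ||
  typeof sealed.pdf_sha256 !== 'string' ||
  !/^[0-9a-f]{64}$/i.test(sealed.pdf_sha256)
) {
  throw new Error('Lambda PAdES: réponse invalide (signed_pdf_key / pdf_sha256 absents ou malformés)');
}
console.log(`[WEBHOOK] ✅ PAdES seal appliqué`);
const sealedPdfKey = sealed.signed_pdf_key;
const pdfHash = sealed.pdf_sha256;
// … unchanged: TSA call …
```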
@@ -184,29 +207,28 @@ export async function POST(request: NextRequest) { hash_to_timestamp: pdfHash, }; - const tsaResponse = await fetch(process.env.LAMBDA_TSA_URL || 'http://localhost:9001/2015-03-31/functions/function/invocations', { + const tsaResponse = await fetch(process.env.LAMBDA_TSA_URL, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(tsaPayload), }).catch((err) => { - console.error('[WEBHOOK] ⚠️ Lambda TSA non accessible (normal en local):', err.message); - return null; + console.error('[WEBHOOK] ❌ Erreur appel Lambda TSA:', err.message); + throw new Error(`Lambda TSA inaccessible: ${err.message}`); }); - let tsaSerial = null; - let tsaPolicyOid = null; - let tsrKey = ''; - - if (tsaResponse && tsaResponse.ok) { - const tsaResult = await tsaResponse.json(); - console.log(`[WEBHOOK] ✅ TSA timestamp obtenu`); - tsaSerial = tsaResult.serial_number; - tsaPolicyOid = tsaResult.policy_oid; - tsrKey = tsaResult.tsr_s3_key; - } else { - console.log(`[WEBHOOK] ⚠️ TSA timestamp skipped (Lambda non disponible en local)`); + if (!tsaResponse.ok) { + const errorText = await tsaResponse.text(); + console.error('[WEBHOOK] ❌ Lambda TSA a échoué:', errorText); + throw new Error(`Lambda TSA failed: ${tsaResponse.status} - ${errorText}`); } + const tsaResult = await tsaResponse.json(); + console.log(`[WEBHOOK] ✅ TSA timestamp obtenu`); + + const tsaSerial = tsaResult.serial_number; + const tsaPolicyOid = tsaResult.policy_oid; + const tsrKey = tsaResult.tsr_s3_key; + // Étape 3: Mettre à jour l'evidence bundle avec les infos de scellage evidenceBundle.seal.sealed_at = new Date().toISOString(); evidenceBundle.seal.pdf_sha256 = pdfHash; 
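Review bot: Same unchecked shape on the TSA side: `tsaResult.serial_number`, `policy_oid` and `tsr_s3_key` are copied into the evidence bundle without verifying they exist, so an unexpected 200 body yields a request marked complete with an empty timestamp record; add `if (typeof tsaResult?.serial_number !== 'string' || typeof tsaResult?.tsr_s3_key !== 'string') throw new Error('Lambda TSA: réponse invalide');` before the assignments. Hedged, since the Lambda itself is not in this diff: the hash sent is `pdf_sha256` of the already-sealed file and the token lands at a separate S3 key, i.e. this is a detached RFC 3161 token over the file rather than a signature-time-stamp embedded in the CMS — the sealed PDF alone will not validate as PAdES-T, and the .tsr must be archived with the PDF and handed to verifiers together with it. `POST` continues on both sides of this hunk.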
@@ -257,15 +279,27 @@ export async function POST(request: NextRequest) { } catch (sealError) { console.error('[WEBHOOK] ❌ Erreur workflow de scellage:', sealError); - // En cas d'erreur, on complète quand même la demande - const { error: updateError } = await supabaseAdmin + // Mettre à jour le statut en 'failed' au lieu de 'completed' + await supabaseAdmin .from('sign_requests') - .update({ status: 'completed' }) + .update({ status: 'failed' }) .eq('id', requestId); - if (updateError) { - console.error('[WEBHOOK] Erreur mise à jour statut:', updateError); - } + await logSignEvent({ + requestId: signRequest.id, + event: 'sealing_failed', + metadata: { + error: sealError instanceof Error ? sealError.message : String(sealError), + }, + }); + + return NextResponse.json( + { + error: 'Échec du workflow de scellage', + details: sealError instanceof Error ? sealError.message : String(sealError) + }, + { status: 500 } + ); } // 7. Logger la completion diff --git a/lambda-odentas-pades-sign/Dockerfile b/lambda-odentas-pades-sign/Dockerfile index 8593b3e..8b1364e 100644 --- a/lambda-odentas-pades-sign/Dockerfile +++ b/lambda-odentas-pades-sign/Dockerfile @@ -1,4 +1,4 @@ -FROM public.ecr.aws/lambda/nodejs:18 +FROM --platform=linux/amd64 public.ecr.aws/lambda/nodejs:18 # pkijs nécessite des dépendances build (si tu ajoutes d'autres libs native) RUN yum -y install openssl && yum clean all diff --git a/lambda-odentas-pades-sign/certs/ca-odentas.conf b/lambda-odentas-pades-sign/certs/ca-odentas.conf new file mode 100644 index 0000000..e8ecdb7 --- /dev/null +++ b/lambda-odentas-pades-sign/certs/ca-odentas.conf 
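Review bot: The catch block now ignores the result of the `status: 'failed'` update — the removed lines checked `updateError` — and both that update and `logSignEvent` run unguarded inside the handler's catch, so a database error here escapes the route as an unhandled rejection with no trace of the sealing failure; keep `const { error: updateError } = await supabaseAdmin…` / `if (updateError) console.error('[WEBHOOK] Erreur mise à jour statut:', updateError);` and wrap `logSignEvent` in its own try/catch. The 500 body also returns `sealError.message` verbatim, which per the earlier hunks contains the Lambda's raw status and error text — log it server-side and return a generic `error` to the webhook caller. `POST` continues past this hunk.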
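Review bot: The changed `FROM` line keeps `public.ecr.aws/lambda/nodejs:18` as the base image; the nodejs18.x Lambda runtime has reached end of support, so the image that performs the PAdES signing no longer receives Node or OS patches — move to `FROM --platform=linux/amd64 public.ecr.aws/lambda/nodejs:20` (or 22) and re-test the native dependencies mentioned in the comment below. Hedged: a container image is not blocked by the runtime deprecation the way a managed runtime is, but a signing service on an unpatched base is the wrong trade-off.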
@@ -0,0 +1,18 @@
+[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+distinguished_name = dn
+x509_extensions = v3_ca
+
+[dn]
+C=FR
+O=Odentas Media SAS
+OU=Autorite de Certification
+CN=Odentas Media SAS Root CA
+
+[v3_ca]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical,CA:true
+keyUsage = critical, keyCertSign, cRLSign
diff --git a/lambda-odentas-pades-sign/certs/ca-odentas.crt b/lambda-odentas-pades-sign/certs/ca-odentas.crt
new file mode 100644
index 0000000..5ca35cd
--- /dev/null
+++ b/lambda-odentas-pades-sign/certs/ca-odentas.crt
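Review bot: The root profile in `[v3_ca]` has no path-length constraint and no revocation pointers, so an intermediate could be issued under it unnoticed and nothing issued from it can ever be shown as revoked — a real gap for seals that are supposed to stay verifiable for the 10-year archive period. Add `basicConstraints = critical,CA:true,pathlen:0` here and, in the signer extension file used at issuance, `crlDistributionPoints = URI:https://<host>/odentas-root.crl` (or `authorityInfoAccess = OCSP;URI:…`) pointing at a CRL you actually publish. Hedged, from the dates in ca-odentas.crt and signer-odentas.crt: the root is valid for 20 years and the leaf for 10, which is long for an online signing key that, per this commit, lives in a Lambda.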
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF0zCCA7ugAwIBAgIUKjztdgtaFlRP/N6rP3nVwGYuPXwwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMSIw +IAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlPZGVu +dGFzIE1lZGlhIFNBUyBSb290IENBMB4XDTI1MTAyODE4MDU1OFoXDTQ1MTAyMzE4 +MDU1OFowcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FT +MSIwIAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlP +ZGVudGFzIE1lZGlhIFNBUyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A +MIICCgKCAgEAvV0QbPzSsZ+Ys4J4tYIIIM7LdOCkE7cNAh3casLB072ACFjFq0iw +Mg1ZXROk9i2sOVELN7q4ra+8E1528e9U8TyOKWPwGIdPmr+FokJ8zrxLBp8XtqO1 +ti2XNN2GK6EHb9C931m0JgCUkRA/jVB2tbjtR2JRl81ZOdszdwNektUwWQIqZBDg +JNye+LiMZflcob/DSEqWjBye4KnAhgxGpy0GcaDVOU1pJ0xXmu+Khlj6hVsnklLc +H2Gtx+ePfaWLmfQKyVfzFUVSrS8MlPJCwI+H+o1GmwmJkt4Z6kcbpdOdiMP8D8rj +UHWXX5hXbxalg39COhpvZwSwfkWBRICCBjzAqOQNZu6COHA8dWOeP4EjIBQhnz54 +he5vka3HENpqAduXtbtTZxcFKkM7YAGSY/2+oo3G4i54zy6316UpzYJWRfdaIYV8 +tw6mPk4f7ecpV9sjMdmdI4IrUQii/QkKIBr1kKYSGcuTINKxGXioFcF29MqwWTsI +w+Ukf11vqlCsFSwwtOxRGukgHbeN/OPiS8sOtPmeFnErFK+ZsNmMw/gQuxlc5OJK +jRUj4QZw/eqVvMBvuTeYQgW387bNUWTro4hxH/LBpL7hY+2rnRCjDAizjJljh00J ++xZkt9WfGZliepQTJuaeAfwZVPptmw4OwXOTyKQvzLhFAicV2OzGxlkCAwEAAaNj +MGEwHQYDVR0OBBYEFIw45IxZ3n9y9n2O3jm4c2E4gINzMB8GA1UdIwQYMBaAFIw4 +5IxZ3n9y9n2O3jm4c2E4gINzMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgEGMA0GCSqGSIb3DQEBCwUAA4ICAQA6ohYP4UVh08CJCinnVtmkUQykJCqOqm4q +PS3xFqgHL9GbvCUfDh/p75A1fomJVojRP86SZ/JYGj8dbwzeLxHWEDW89k/SJK+V +u20mQQkuZ7KhobBti2m+JzU7XP6Qd+jZBOKK3xOrVSScvO3ITJNaxkeJgEFL5/Jk +yDyuzFOrQeqmtKiWpN7YWLgZumEtVNY3LBxu+zm13his4XJhFc4PAAk8jWGxCwvW +s6hAT6nQWXr0MvO7USKvyji/6DQCthfgoMi5Qq9uox93iXieV+R4QAv/eOXYTPt7 +G3vwh1h8QUU/yERQ2BTMp8Kryd7S0Jbbhg0oXlc2qGHjSVs+T4saTlxkW3WLrMdv +44r3Nt5IUDgRatTOgSD/D78Ael/Lsmw1yvcIwkSsUX9mwcOPkg/t8I32eEYyjbDJ +REXkc4epaIgYfSk9/wa8jPyDrt/t30WG2komzCVkZWYJqkVlvVfbpmD/9e+ASM4M +t9Awzh7YR1ydJVZXp+YK9xNLxH4yqduBopCT9zoWK7BaAggwiAL4AhvAYpUNlLBI 
+sGOJbGG9+8JnOu3HiLtsW4dDm3Yvm3AIeYh5en4xQXRQ5iecyY7foIowk6sUU4EL +LwGigxzWpYUgWLkWPVi9E4qi214qIFLkn1LFUmV0SMyiAUhntH5+S8D5B7jCB5BX +iglXKmpPYg== +-----END CERTIFICATE----- diff --git a/lambda-odentas-pades-sign/certs/ca-odentas.key b/lambda-odentas-pades-sign/certs/ca-odentas.key new file mode 100644 index 0000000..dbb5392 --- /dev/null +++ b/lambda-odentas-pades-sign/certs/ca-odentas.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC9XRBs/NKxn5iz +gni1ggggzst04KQTtw0CHdxqwsHTvYAIWMWrSLAyDVldE6T2Law5UQs3uritr7wT +Xnbx71TxPI4pY/AYh0+av4WiQnzOvEsGnxe2o7W2LZc03YYroQdv0L3fWbQmAJSR +ED+NUHa1uO1HYlGXzVk52zN3A16S1TBZAipkEOAk3J74uIxl+Vyhv8NISpaMHJ7g +qcCGDEanLQZxoNU5TWknTFea74qGWPqFWyeSUtwfYa3H5499pYuZ9ArJV/MVRVKt +LwyU8kLAj4f6jUabCYmS3hnqRxul052Iw/wPyuNQdZdfmFdvFqWDf0I6Gm9nBLB+ +RYFEgIIGPMCo5A1m7oI4cDx1Y54/gSMgFCGfPniF7m+RrccQ2moB25e1u1NnFwUq +QztgAZJj/b6ijcbiLnjPLrfXpSnNglZF91ohhXy3DqY+Th/t5ylX2yMx2Z0jgitR +CKL9CQogGvWQphIZy5Mg0rEZeKgVwXb0yrBZOwjD5SR/XW+qUKwVLDC07FEa6SAd +t4384+JLyw60+Z4WcSsUr5mw2YzD+BC7GVzk4kqNFSPhBnD96pW8wG+5N5hCBbfz +ts1RZOujiHEf8sGkvuFj7audEKMMCLOMmWOHTQn7FmS31Z8ZmWJ6lBMm5p4B/BlU ++m2bDg7Bc5PIpC/MuEUCJxXY7MbGWQIDAQABAoICAAkt5xdPaKO7W668+P68dUoo +2Bg78PwzLAZhne8Pbo+l8JxG+FsJmJ/ugXnXc1BLLb1wCioLCzuBKK3sLvoimsSg +ZbhIK8n2mjNjTBYt4KixXDYvlVnRRQRWIK2rfN7lzQtcrC2U5ryOW+VNyzTdlQmR +U7A5igDAr630LCIdZ9LYkoHIDve/kSv8RVkDcivZywWcuvnIwtQ7KXD0zZw54V1m +e3jb3eYrlFi3NMpyCO4jB07aWLhZO6oqRR8rAIvLz/D4MWMp+CK8c+no/VRFi5qT +wpjQyx7GFzUHPuyaQpL253yrGm+GC1+Zuaskwn1ENOUDUNmp8SNGaQtP8XiZfaP8 +FXPzguUT3a+8B3f+4xovE+9utitwb8GoJbIFqaOEjIu2ezFi+pPbZDI6qoq68rnr +Uwz6lt+CxT/1SlIPzbnjuuKvX7sKLz4c435JojLN0CwIxwV51jXoLTQ107/bDmeo +2KreIrmauh1wc2ClYnl7aQqFCGlv4Vvo3OA1DveW492wIhacZ8Z6ZKWNJJ5E7uRk +EinkFyci0wvm2xkQ8yAzxfqpHxX7EJU/ouE08DfO8tGYF4PxCFE/9iDlReQ4ty0+ +Rg9B9gJH7ypgy6NAz0PNUsSG09pLlCalYL+uuGkT0qiVUpf8P7PK8FRymwPZppnu +bTn+WmsbhVEN5ZWrXSNxAoIBAQDwaJYLPoM6HL9W/+euQB6CQhlMDjP1shZNZD6j +d5YmD/cRIVpLuWjOcsA0GXOMumv9Lbol7YEcrh9OuKRBVRODx9XkQNAey+YZ7hHE +5gzTNf+5l8RXAJXLgCsywdDRZrl8n9S/n1rROWMCaCeD2PVX9yuCVkq2aEYCsjWl +NAxsXGSGKTAsvFxqZDYZjkBdHdz4tmzO8Qlr282PDw/K0EiMgB7+3MmyOKBW1tHV +E/j23xnL60z168LmWa8YyUENj1rjo56EMLmmZmOf0TOXdnH4SzpLM6CXpUA/fM22 +zubvnPKjY223yQUkWvGSl0jE93FcY6EhREZdQq98G5ewOTdJAoIBAQDJpP8oUKZr +wqX5w0kDeWuhbJL5D8pxhiJHHb5ypDzFnIL1BHRh6l4EjmAeR8FdpkUtBQr21ZLb 
+mWmiWV046vY2ifjpp/nODhi2yInCc2PKpx2XkCQ9+HfihDxTVFH5yl17fKXoMYPx +9l67MnwvKT+gfBM2ATJslutboRxY1u1jQySjBoq9/6qG+8+e3yhzxvSH5wvw72mN +HdKFs90EXa9VWY6l8sv+ULvNWXi65Kt+AKsKbUXdgl6a8OOYD1Nd92NPeM0L874+ +/jl4aNE1ClhnDExqTMezMR5v2X7Y/cNrrIm0Vgz7KeC33Q8ck4hFuwyuY1xbXwry +1RHkiEkyvMaRAoIBAQDqE7s8eYKGW6VGDWdEt7O8+qTs88tNyDeE5T1EJtUwfE0B +BeuIXaAZm4tfbwSeGom4+wQLl+Qly7g6CvgLkM2uey3cz+qUgc2qo63zfFcyc5pp +18bZO32epk3pXuN2cEHcgTdB2OQxYWHw3v7SlrXUD5ryjhiy4HaCe4hWMYaDH7bV +FleMx15oTOiMG4C56bDVDbKGEBUvStYsG+sxe3mYK8uCNfHBMPeVdhbbFFZN8U6J +ybKmpAaiCOK/DH3luRYzHYXjihnJVlpcKvLD4BT6QC0jOcJ8xO74ogkenPgoiDWM +NuyGjRkPm+ko5Vp6Rb+/yFYEMRkeByccfTVF5X/ZAoIBAHzotZquovi74f7e5tq9 +G1wqmryn+HrsYU12cmQnsvGiq0jGEqYY/VaLL6VyQ6kUd2OU7R7MXCWmWdZUzzeT +7SMJwuRSxp7LAqovfY6z1gxSCzW494pf4TuzOH9SC1nV7qSxKUC1c4uuVy5U7rJ0 +NdLfKTNZ+Hdl4bOoEJxDv1eu3wIR6l4aAvONBybeC/v0McQB7ta4J8VfxOpH6dBr +jFItoPzRc2Y9cqiZFP2I62apWUqjOBUoThxivkmSrMzXk3BGX5ZYze/NoaIiI/5c +QzjKWIe8ujQZaEZXD4mxYJ3RipfoejAX1/lteY/1IAQ6A3f/WtXLAUg9jtDnT5ib +cdECggEAcuDnm2fDuJjiNBGg0Wg+xX2sWI+HyD5sF3u5kS91kY191b6Ss2Sg8EqL +atr8ezNl3aOY6mJ5/WI8iUwO2bHjHt9I5a+KYhyz5jwIarBOiPCTg8FdeRwesRxN +9aKuNFqDr2+RpmJE1agzQNjpdrDga+29NT5x9RTS3a0Qr5DXtmVtaBpQR8wpuiXb +VxAwunqn4cjvOCijq2UiNvBq0BXafp5/6augScsYr6Sz8KJ9SC1LKTr4aBIhC7WR +alplWSoUz3uP20dra0Aw+4mu6tVFWljIQ/W/ZiaBCEXiFwSs7E5g/ThcLakwE3Pp +haJ1yojCjtrnTE8J+F33wdDR1Yx2MQ== +-----END PRIVATE KEY----- diff --git a/lambda-odentas-pades-sign/certs/ca-odentas.srl b/lambda-odentas-pades-sign/certs/ca-odentas.srl new file mode 100644 index 0000000..f56fd9b --- /dev/null +++ b/lambda-odentas-pades-sign/certs/ca-odentas.srl @@ -0,0 +1 @@ +7743E688AB10F7DD56C2F43BF384997C934D2E70 diff --git a/lambda-odentas-pades-sign/certs/chain-odentas-final.pem b/lambda-odentas-pades-sign/certs/chain-odentas-final.pem new file mode 100644 index 0000000..29678cc --- /dev/null +++ b/lambda-odentas-pades-sign/certs/chain-odentas-final.pem 
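Review bot: This is the unencrypted private key of `Odentas Media SAS Root CA` (its modulus matches ca-odentas.crt), committed to the repository; anyone with read access to the repo, its history or a build artefact can mint signer certificates that chain to the root the PAdES Lambda embeds, i.e. forge seals that verify as Odentas. Treat this key as compromised: generate a new root offline (or in KMS/CloudHSM), re-issue the signer certificate, purge this file from git history, and add `lambda-odentas-pades-sign/certs/*.key` to .gitignore. A root CA key has no place in the Lambda bundle at all — only the issued certificate chain is needed at signing time.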
@@ -0,0 +1,65 @@ +-----BEGIN CERTIFICATE----- +MIIFZjCCA06gAwIBAgIUd0PmiKsQ991WwvQ784SZfJNNLnAwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMSIw +IAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlPZGVu +dGFzIE1lZGlhIFNBUyBSb290IENBMB4XDTI1MTAyODE4MDYzMFoXDTM1MTAyNjE4 +MDYzMFowYTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FT +MR8wHQYDVQQLDBZTaWduYXR1cmUgRWxlY3Ryb25pcXVlMRUwEwYDVQQDDAxPZGVu +dGFzIFNlYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDigTvq8d/t +W9/nzjsSzQ+x+RsKdHg5ZnA2qSgZJsZGSO86XjNIfkW3ZIuwdZFvrSc1IgoblLtw +8G6sy4FCNbTyqcyaoCE9/b8j3YUFJzy3Z+A3L3LJyWj2kyHB9/JWjCQfzuEk9YJ+ +B24108EsRWCNCOWx4d+clwyQPdEC7xYMLb0I4g4OxCdUSSG9sTCiRG3kAlwNmbZJ +ciONMwSb3mCeKzHGnst86DLgdMJvO/jiE6N6QZNPWEE5Z1m3pqTSdkAT1jnJpPrN +ewmMDXrt3gKCI8shLEgTrOG55HkaXOsdZ4OiBKVGk41eWyar12O5pvzdcGXr0vQ9 +sbYPmpPXHHVjAgMBAAGjggEEMIIBADAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIG +wDATBgNVHSUEDDAKBggrBgEFBQcDBDAdBgNVHQ4EFgQUP1wBi05/I2FVHpNHkop4 +U1DDHT4wga4GA1UdIwSBpjCBo4AUjDjkjFnef3L2fY7eObhzYTiAg3OhdaRzMHEx +CzAJBgNVBAYTAkZSMRowGAYDVQQKDBFPZGVudGFzIE1lZGlhIFNBUzEiMCAGA1UE +CwwZQXV0b3JpdGUgZGUgQ2VydGlmaWNhdGlvbjEiMCAGA1UEAwwZT2RlbnRhcyBN +ZWRpYSBTQVMgUm9vdCBDQYIUKjztdgtaFlRP/N6rP3nVwGYuPXwwDQYJKoZIhvcN +AQELBQADggIBAEGadnfqKpmpWSls2rln0IXcN6SbGoxKRSzYup5Boo+SIwt1pDPx +67caXUaKo/nBB1FPNdhOhzLEszLYOzJ/sV5pl5IDDIOSyoCyCu2Z4i4GEDrgXC0C +eew6ZDL4W5YzDVOjlk/fOJ15OPsQ1ri2fbP0VTdvoykAHLgQFiXc1IIoE77UmX9C +T2k0LTZmoGvGfhyTssDyXRknbKBGe3mnmM3/CHseQ4enC3CKetFqy9qfQ7r0rK/t +Cdeyql/a2WmHLXmQ0HtyEgTbZNMylLkh5ZEq9S7xQOvh68oVOwq7G72p+gwbXxEa +6J5/Seq9p12imGXHjoivSdLzZUgHA60TetFFE0Zg/1KHRtLtKN90zP09NucCeWJw +KMXpF0tvDEpLoy5/VxqiSQmxiyRvdeK48I57+hpCmkHE+9gX3Tqr+uyNLzBgug5s +hB+f9GOWQcUorTk0EGx4prfDAX06tNF2UcyMFDu3R+VkT2NBWbySJ4g7XAzX0QnC ++083j10sY+05vURXaPdbuCutKp4XENxeYbzWpQWbaaA7f/yGd2vjbG/ANN4QZqL8 +2lSgh4b61s8F7Uaw7v1xRO986QpxyWwNlsZJnjLkLfoHL9ODN9QkMEV+iK7yncac +Km5la5sTyN8pABuNtrKBW+2SpBQYM2Iu7g+Q9n1ZFFlUG9h30HpuCyRk +-----END CERTIFICATE----- +-----BEGIN 
CERTIFICATE----- +MIIF0zCCA7ugAwIBAgIUKjztdgtaFlRP/N6rP3nVwGYuPXwwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMSIw +IAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlPZGVu +dGFzIE1lZGlhIFNBUyBSb290IENBMB4XDTI1MTAyODE4MDU1OFoXDTQ1MTAyMzE4 +MDU1OFowcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FT +MSIwIAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlP +ZGVudGFzIE1lZGlhIFNBUyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A +MIICCgKCAgEAvV0QbPzSsZ+Ys4J4tYIIIM7LdOCkE7cNAh3casLB072ACFjFq0iw +Mg1ZXROk9i2sOVELN7q4ra+8E1528e9U8TyOKWPwGIdPmr+FokJ8zrxLBp8XtqO1 +ti2XNN2GK6EHb9C931m0JgCUkRA/jVB2tbjtR2JRl81ZOdszdwNektUwWQIqZBDg +JNye+LiMZflcob/DSEqWjBye4KnAhgxGpy0GcaDVOU1pJ0xXmu+Khlj6hVsnklLc +H2Gtx+ePfaWLmfQKyVfzFUVSrS8MlPJCwI+H+o1GmwmJkt4Z6kcbpdOdiMP8D8rj +UHWXX5hXbxalg39COhpvZwSwfkWBRICCBjzAqOQNZu6COHA8dWOeP4EjIBQhnz54 +he5vka3HENpqAduXtbtTZxcFKkM7YAGSY/2+oo3G4i54zy6316UpzYJWRfdaIYV8 +tw6mPk4f7ecpV9sjMdmdI4IrUQii/QkKIBr1kKYSGcuTINKxGXioFcF29MqwWTsI +w+Ukf11vqlCsFSwwtOxRGukgHbeN/OPiS8sOtPmeFnErFK+ZsNmMw/gQuxlc5OJK +jRUj4QZw/eqVvMBvuTeYQgW387bNUWTro4hxH/LBpL7hY+2rnRCjDAizjJljh00J ++xZkt9WfGZliepQTJuaeAfwZVPptmw4OwXOTyKQvzLhFAicV2OzGxlkCAwEAAaNj +MGEwHQYDVR0OBBYEFIw45IxZ3n9y9n2O3jm4c2E4gINzMB8GA1UdIwQYMBaAFIw4 +5IxZ3n9y9n2O3jm4c2E4gINzMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgEGMA0GCSqGSIb3DQEBCwUAA4ICAQA6ohYP4UVh08CJCinnVtmkUQykJCqOqm4q +PS3xFqgHL9GbvCUfDh/p75A1fomJVojRP86SZ/JYGj8dbwzeLxHWEDW89k/SJK+V +u20mQQkuZ7KhobBti2m+JzU7XP6Qd+jZBOKK3xOrVSScvO3ITJNaxkeJgEFL5/Jk +yDyuzFOrQeqmtKiWpN7YWLgZumEtVNY3LBxu+zm13his4XJhFc4PAAk8jWGxCwvW +s6hAT6nQWXr0MvO7USKvyji/6DQCthfgoMi5Qq9uox93iXieV+R4QAv/eOXYTPt7 +G3vwh1h8QUU/yERQ2BTMp8Kryd7S0Jbbhg0oXlc2qGHjSVs+T4saTlxkW3WLrMdv +44r3Nt5IUDgRatTOgSD/D78Ael/Lsmw1yvcIwkSsUX9mwcOPkg/t8I32eEYyjbDJ +REXkc4epaIgYfSk9/wa8jPyDrt/t30WG2komzCVkZWYJqkVlvVfbpmD/9e+ASM4M +t9Awzh7YR1ydJVZXp+YK9xNLxH4yqduBopCT9zoWK7BaAggwiAL4AhvAYpUNlLBI +sGOJbGG9+8JnOu3HiLtsW4dDm3Yvm3AIeYh5en4xQXRQ5iecyY7foIowk6sUU4EL 
+LwGigxzWpYUgWLkWPVi9E4qi214qIFLkn1LFUmV0SMyiAUhntH5+S8D5B7jCB5BX +iglXKmpPYg== +-----END CERTIFICATE----- diff --git a/lambda-odentas-pades-sign/certs/chain-odentas.pem b/lambda-odentas-pades-sign/certs/chain-odentas.pem new file mode 100644 index 0000000..18e3f28 --- /dev/null +++ b/lambda-odentas-pades-sign/certs/chain-odentas.pem 
@@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIDijCCAnKgAwIBAgIUBRDEld1KCipJV1oVjCCOWp3MolIwDQYJKoZIhvcNAQEL +BQAwQDELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMRUw +EwYDVQQDDAxPZGVudGFzIFNlYWwwHhcNMjUxMDI4MTgwMzA4WhcNMzUxMDI2MTgw +MzA4WjBAMQswCQYDVQQGEwJGUjEaMBgGA1UECgwRT2RlbnRhcyBNZWRpYSBTQVMx +FTATBgNVBAMMDE9kZW50YXMgU2VhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAOjB01uI8maGdWrm3Tgir9NdbIyBZKRkxeiHykepDR17hWsCq2HjIHfy +nqjlOH86KPVmbZMCHUZx33qsvFIpcTnO5+zqgwIVdEXK/2Qjc9xldKhYF2UQCF4W +2M4144NCNaZKD1YgX4LnhFHAyJyuDyijXq/FRSs/rGb6zV1jVIv/GBIs6sN4Oh12 +LGoBNzqVQ6eciJRErXZ9oYhfIhI1aIDbW7szFZhq2QabYpSa0znipaxa2PMgGzM2 +apdgHluX/t06LDV6499ec1p+STmQxZuqnkwBNnru5awKHl0UF6/MUfwTB9FpbVti +Qla45vNZFeiwDwj/WNuVnr53fBf5l2cCAwEAAaN8MHowCQYDVR0TBAIwADAOBgNV +HQ8BAf8EBAMCBsAwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMDMB0GA1Ud +DgQWBBTKICdSy6Xr2VtCd0zVBSnJbcx83zAfBgNVHSMEGDAWgBRJH7WUdlCT0tCl +H+99w4YI1Km/3jANBgkqhkiG9w0BAQsFAAOCAQEAm4ruChVyXxhJ/aSPGzC5YtV0 +7ntnqgS5BAWHuLqwRMLKX+SSntVf5E9XUlIiUUPRCqClcYsaNnHFyz8zrp8/LvPy +0ALJTx2NFdtmM/408g3cLIK9FOwrH4U2HWzJ6qt8aYEY2vQeuNbrfV2O6Bphvhuv +3IK8eDhE50Rbn+v4N6owQfaoxov33/JzmgdAK4FGj+WBzaaOuA4qhrw/b9BxRHJl +TWTLhWFLxdANmX2i+UarCAAjVxLgJ1XB6gQghVs+ZaHLCCPZYimCV8G8HrLO/Ibt +ISiyMS01dssIj1Wmpmp3a+KSUkWRDX3Leb+Je00CDDQ9GEXGrDFPE8s4jRL4YA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDcTCCAlmgAwIBAgIUeAOREUHzNG+Ow6Jvjkqi1OKyFowwDQYJKoZIhvcNAQEL +BQAwQDELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMRUw +EwYDVQQDDAxPZGVudGFzIFNlYWwwHhcNMjUxMDI4MTgwMjQzWhcNMzUxMDI2MTgw +MjQzWjBAMQswCQYDVQQGEwJGUjEaMBgGA1UECgwRT2RlbnRhcyBNZWRpYSBTQVMx +FTATBgNVBAMMDE9kZW50YXMgU2VhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBANcTtER+DaoHVnhLQlbeoCTjXgj3vxTcjyUE9e055X4whDT3ZXnvKH0z +aCGFcRMlMkWftg5naaxJXr77XY0ZoTrqc8GAuzAgXwzUa4IhSCSy3IADcQuaUCEF +ktosN9msS5VSaDtcoYuMLopfQAMvRUUIDVh19BX9zLEanISvEDbmCmnC26bmdBS6 +aqe3fiGq8ELiBBSRFiaBk8LKa4omXtUBVsJilbJpidCvLF8DPPCdO9KgRcukQa+i 
+7Fz0cPTSL7/u904CoVNhSDxO0fHsGYaJa0HdOFbuMvmVsbMohkH2FGgkBjSE810q +/5cpoLCqztOtiBeie519Z0Icr9eqQp8CAwEAAaNjMGEwHQYDVR0OBBYEFEkftZR2 +UJPS0KUf733DhgjUqb/eMB8GA1UdIwQYMBaAFEkftZR2UJPS0KUf733DhgjUqb/e +MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUA +A4IBAQA6x20LfafjIFEq9FUJLvsL99wXm9rpGuDAjHR4vrpIsbfg4htWg2WwmWWo +SIp+QFHKWtwzF+H+OX/jchTEJSqQOc150jMHLJBgNguGDV1aNQGn1shKUmsNsATX +YmRz47wF0Sg2OXjSNeiNIzCqHAuxl+3S/rnVnUtcPB8DOlo8obytNsOTD9/w0LrY +9i4z0we0ARjt4i5F9R5iy4oiMiyKgmcQRtkR25I9QuQ3z6gVYklrZw66reOLtrbs +QqFqPCXc9W6aF4ZWm9acYjz05b5sYKNYExmTeFtlFGy9HmT9FCUcx7yYi1XfgiQm +cPtoDMMIPvKCacNpliYSAm/GtYta +-----END CERTIFICATE----- diff --git a/lambda-odentas-pades-sign/certs/odentas-media-sas.conf b/lambda-odentas-pades-sign/certs/odentas-media-sas.conf new file mode 100644 index 0000000..78c6eee --- /dev/null +++ b/lambda-odentas-pades-sign/certs/odentas-media-sas.conf @@ -0,0 +1,17 @@ +[req] +default_bits = 2048 +prompt = no +default_md = sha256 +distinguished_name = dn +x509_extensions = v3_ca + +[dn] +C=FR +O=Odentas Media SAS +CN=Odentas Seal + +[v3_ca] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer +basicConstraints = critical,CA:true +keyUsage = critical, digitalSignature, keyCertSign, cRLSign diff --git a/lambda-odentas-pades-sign/certs/signer-extensions.conf b/lambda-odentas-pades-sign/certs/signer-extensions.conf new file mode 100644 index 0000000..3906c77 --- /dev/null +++ b/lambda-odentas-pades-sign/certs/signer-extensions.conf @@ -0,0 +1,5 @@ +basicConstraints=CA:FALSE +keyUsage = critical, digitalSignature, nonRepudiation +extendedKeyUsage = emailProtection, codeSigning +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer diff --git a/lambda-odentas-pades-sign/certs/signer-odentas.conf b/lambda-odentas-pades-sign/certs/signer-odentas.conf new file mode 100644 index 0000000..bf53f50 --- /dev/null +++ b/lambda-odentas-pades-sign/certs/signer-odentas.conf 
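Review bot: This chain belongs to a different PKI from the one the rest of the commit uses: both certificates carry `CN=Odentas Seal`, the second is a self-signed CA (basicConstraints CA:TRUE) whose private key is not in this commit, and the leaf's authority key identifier (`49 1f b5 94 …`) does not match the `Odentas Media SAS Root CA` in ca-odentas.crt (`8c 38 e4 8c …`). Presumably it is the output of the earlier `odentas-media-sas.conf` / `signer-extensions.conf` profiles that chain-odentas-final.pem superseded; if the Lambda loads `chain-odentas-final.pem`, delete this file so no deployment can embed the wrong chain, and if it is still what gets loaded, the seals do not chain to the root this commit documents.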
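Review bot: This profile produces a self-signed certificate that is at once a CA (`keyCertSign, cRLSign`) and a document signer (`digitalSignature`) under the same `CN=Odentas Seal` as the leaf, which defeats the separation that makes a root trustworthy and leaves verifiers with two different subjects named `Odentas Seal`. Judging from the EKUs visible in chain-odentas.pem, this file and signer-extensions.conf (whose `codeSigning` EKU is meaningless for a PDF seal) are leftovers of a first attempt replaced by ca-odentas.conf / signer-v3.ext; remove them, or if they must stay, drop `digitalSignature` from `[v3_ca]` so the profile cannot produce a key that both issues certificates and signs documents.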
@@ -0,0 +1,11 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+
+[dn]
+C=FR
+O=Odentas Media SAS
+OU=Signature Electronique
+CN=Odentas Seal
diff --git a/lambda-odentas-pades-sign/certs/signer-odentas.crt b/lambda-odentas-pades-sign/certs/signer-odentas.crt
new file mode 100644
index 0000000..5c70a6d
--- /dev/null
+++ b/lambda-odentas-pades-sign/certs/signer-odentas.crt
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFZjCCA06gAwIBAgIUd0PmiKsQ991WwvQ784SZfJNNLnAwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMSIw +IAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlPZGVu +dGFzIE1lZGlhIFNBUyBSb290IENBMB4XDTI1MTAyODE4MDYzMFoXDTM1MTAyNjE4 +MDYzMFowYTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FT +MR8wHQYDVQQLDBZTaWduYXR1cmUgRWxlY3Ryb25pcXVlMRUwEwYDVQQDDAxPZGVu +dGFzIFNlYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDigTvq8d/t +W9/nzjsSzQ+x+RsKdHg5ZnA2qSgZJsZGSO86XjNIfkW3ZIuwdZFvrSc1IgoblLtw +8G6sy4FCNbTyqcyaoCE9/b8j3YUFJzy3Z+A3L3LJyWj2kyHB9/JWjCQfzuEk9YJ+ +B24108EsRWCNCOWx4d+clwyQPdEC7xYMLb0I4g4OxCdUSSG9sTCiRG3kAlwNmbZJ +ciONMwSb3mCeKzHGnst86DLgdMJvO/jiE6N6QZNPWEE5Z1m3pqTSdkAT1jnJpPrN +ewmMDXrt3gKCI8shLEgTrOG55HkaXOsdZ4OiBKVGk41eWyar12O5pvzdcGXr0vQ9 +sbYPmpPXHHVjAgMBAAGjggEEMIIBADAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIG +wDATBgNVHSUEDDAKBggrBgEFBQcDBDAdBgNVHQ4EFgQUP1wBi05/I2FVHpNHkop4 +U1DDHT4wga4GA1UdIwSBpjCBo4AUjDjkjFnef3L2fY7eObhzYTiAg3OhdaRzMHEx +CzAJBgNVBAYTAkZSMRowGAYDVQQKDBFPZGVudGFzIE1lZGlhIFNBUzEiMCAGA1UE +CwwZQXV0b3JpdGUgZGUgQ2VydGlmaWNhdGlvbjEiMCAGA1UEAwwZT2RlbnRhcyBN +ZWRpYSBTQVMgUm9vdCBDQYIUKjztdgtaFlRP/N6rP3nVwGYuPXwwDQYJKoZIhvcN +AQELBQADggIBAEGadnfqKpmpWSls2rln0IXcN6SbGoxKRSzYup5Boo+SIwt1pDPx +67caXUaKo/nBB1FPNdhOhzLEszLYOzJ/sV5pl5IDDIOSyoCyCu2Z4i4GEDrgXC0C +eew6ZDL4W5YzDVOjlk/fOJ15OPsQ1ri2fbP0VTdvoykAHLgQFiXc1IIoE77UmX9C +T2k0LTZmoGvGfhyTssDyXRknbKBGe3mnmM3/CHseQ4enC3CKetFqy9qfQ7r0rK/t +Cdeyql/a2WmHLXmQ0HtyEgTbZNMylLkh5ZEq9S7xQOvh68oVOwq7G72p+gwbXxEa +6J5/Seq9p12imGXHjoivSdLzZUgHA60TetFFE0Zg/1KHRtLtKN90zP09NucCeWJw +KMXpF0tvDEpLoy5/VxqiSQmxiyRvdeK48I57+hpCmkHE+9gX3Tqr+uyNLzBgug5s +hB+f9GOWQcUorTk0EGx4prfDAX06tNF2UcyMFDu3R+VkT2NBWbySJ4g7XAzX0QnC ++083j10sY+05vURXaPdbuCutKp4XENxeYbzWpQWbaaA7f/yGd2vjbG/ANN4QZqL8 +2lSgh4b61s8F7Uaw7v1xRO986QpxyWwNlsZJnjLkLfoHL9ODN9QkMEV+iK7yncac +Km5la5sTyN8pABuNtrKBW+2SpBQYM2Iu7g+Q9n1ZFFlUG9h30HpuCyRk +-----END CERTIFICATE----- 
diff --git a/lambda-odentas-pades-sign/certs/signer-odentas.csr b/lambda-odentas-pades-sign/certs/signer-odentas.csr new file mode 100644 index 0000000..6704e29 --- /dev/null +++ b/lambda-odentas-pades-sign/certs/signer-odentas.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICpjCCAY4CAQAwYTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVk +aWEgU0FTMR8wHQYDVQQLDBZTaWduYXR1cmUgRWxlY3Ryb25pcXVlMRUwEwYDVQQD +DAxPZGVudGFzIFNlYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDi +gTvq8d/tW9/nzjsSzQ+x+RsKdHg5ZnA2qSgZJsZGSO86XjNIfkW3ZIuwdZFvrSc1 +IgoblLtw8G6sy4FCNbTyqcyaoCE9/b8j3YUFJzy3Z+A3L3LJyWj2kyHB9/JWjCQf +zuEk9YJ+B24108EsRWCNCOWx4d+clwyQPdEC7xYMLb0I4g4OxCdUSSG9sTCiRG3k +AlwNmbZJciONMwSb3mCeKzHGnst86DLgdMJvO/jiE6N6QZNPWEE5Z1m3pqTSdkAT +1jnJpPrNewmMDXrt3gKCI8shLEgTrOG55HkaXOsdZ4OiBKVGk41eWyar12O5pvzd +cGXr0vQ9sbYPmpPXHHVjAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAfFUh+jSr +rVMEWnqLh9y5TQmo7m4+AO5xbEYeqPYCify0waj5Pg8BB1TKShK/51KkGRcGNlvF +w8rdxmHlztMDlfAWuh51QaOxP9pl/TNpJ5EzxwMOu6B1dscxy1xQeycy8cKYV2O1 +cn/rD/+/ua8kgxv5xo/Jl3RQsNTafZDDa8OW5pYTpgNp/Ly8diDgWKJGxV0FUJTJ +Wc3LYlG+TPNMzTopDzrx6y6o01m/INGtV3rvixIzFK4SWz9QzD7GYFukPNx38nij +g/uVitWvfzuXzInDFLgH6QTGUTqhVZSnLVOm20FIOvdbizDKAH0inR1JEfnlpU67 +ilK+vkalOEDmxg== +-----END CERTIFICATE REQUEST----- diff --git a/lambda-odentas-pades-sign/certs/signer-odentas.key b/lambda-odentas-pades-sign/certs/signer-odentas.key new file mode 100644 index 0000000..edfbd49 --- /dev/null +++ b/lambda-odentas-pades-sign/certs/signer-odentas.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDigTvq8d/tW9/n +zjsSzQ+x+RsKdHg5ZnA2qSgZJsZGSO86XjNIfkW3ZIuwdZFvrSc1IgoblLtw8G6s +y4FCNbTyqcyaoCE9/b8j3YUFJzy3Z+A3L3LJyWj2kyHB9/JWjCQfzuEk9YJ+B241 +08EsRWCNCOWx4d+clwyQPdEC7xYMLb0I4g4OxCdUSSG9sTCiRG3kAlwNmbZJciON +MwSb3mCeKzHGnst86DLgdMJvO/jiE6N6QZNPWEE5Z1m3pqTSdkAT1jnJpPrNewmM +DXrt3gKCI8shLEgTrOG55HkaXOsdZ4OiBKVGk41eWyar12O5pvzdcGXr0vQ9sbYP +mpPXHHVjAgMBAAECggEAZrrujhS9103AM8aZjGFtKO8ukINas83+Pwxhn2ayrtYN +io+G+u4qeI8lvBbWq6wBCFwz8WZ3zTV/POff7EOnmhfhMJBIA3G+62lhF4FATH7U +drMSgOrUrGD3Ap6OTyqoh7Sw8K5ZTQfZuJgeGRIuREkwxIkJfmAT1qfy0D3X5hVN +9cxy7+Ug+KJA78v2WBRpy8rsD6FitDeL6OsD+k04FxzO4aXO43oKs08kA5fK6TY7 +Z5F+W/3w4I7Fru6jV6tnvpPl5o7OKLMNPKrwhQqLJ4mJFj8Ny7j6uj7P202hQGWT +EKy95sBZDRE1iu0NxNCgdOic+nh94HZi2+Kld75FgQKBgQD64e9r/BVO6SamEZgN +XwV5MyfKfJk9LsNg7uMpsjUJZHSSS37IGR8gJE2T8oYIIc7KMRn7kzT8yv42P8kM +fcU0JpJU1ja9/e8TJXpP185x1sQW0dfvmkARH/ikWwO9sHhfhKGHTPXwQFl4s8pv +p6DMB3TKVxQgP+pdIN633vmtcwKBgQDnIACl5N0R+D/sr5q4o4K84S5r/l53vzKi +gbo62G0RDCC/QeWvLqe04Xs2LjM/vKROICauLwbfb56WCQB5PJ8jMrhVB+wlqha+ ++Pyt5N+2RW32HJ4RnuIP/xaid15xjPumskhuLf7D5WKidh3CV7JLG7Nz3iVz1Rc1 +f4PvT0wcUQKBgQCZFAq2ZNXLlE9UvR996SC51xDMaEJIJqRoHNrWsjnSRU0rho0R +IuLvBbegMja994LptBQagLOwG1wJVdoimQseyvo2cY5tVuftUszSsubwZw62rcuI +EyJMUKmx/ybFM0v/XDoDCF53/YuaLnmyryFZ3KLSY1eQZe9ma4v5vT+zKQKBgQDf +9JKsLWhJ0VOf9UjnQQmeHFTvMDw5rHtUHIBoJO8KZcYVjbUSWxMGorbReVMPn6tW +SLEydz8hovb4SyC6WZOad7tGKbcZiAciZgHyPqTH6d7zbCd+y4YiGfvE0gYh4Yq3 +rGmi2c7T46H/6pRLjM6nGOB6lfeUlhc3L6iYay5FAQKBgFJOGF8tosDvYin/nt8W +ONRatFr5UXZqgebBXZYvX7b0+tKt56VhfyleQBXY0KLpusjRIbvDDKnGaz+V9i6K +juP+HOoJsrThel9Jx+yjB/LA1SE1gtOsAR1WFy4JIYTiQOWnlk9XU9Dp37GvPyC9 +O5NrTXXwBxMcbksK0omd08zr +-----END PRIVATE KEY----- diff --git a/lambda-odentas-pades-sign/certs/signer-v3.ext b/lambda-odentas-pades-sign/certs/signer-v3.ext new file mode 100644 index 0000000..29222a6 --- /dev/null +++ b/lambda-odentas-pades-sign/certs/signer-v3.ext 
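Review bot: This is the unencrypted private key behind `signer-odentas.crt` (same modulus), i.e. the key that produces every seal, committed in clear next to its certificate; anyone who obtains the repo or the Lambda image can produce seals indistinguishable from Odentas's, and how the Lambda loads it is not visible in this diff. Since the commit already provisions `KMS_KEY_ID`, the right shape is an asymmetric KMS key (`RSASSA_PKCS1_V1_5_SHA_256`) whose public key is what the CSR is built from, with the Lambda calling `kms:Sign` on the CMS signed-attributes digest so the private key never leaves KMS — the `.env.example` comment "chiffrer les signatures" suggests the key is currently used for something else. Whatever the design ends up being, this key should be revoked, re-issued and purged from history.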
@@ -0,0 +1,5 @@ +basicConstraints=CA:FALSE +keyUsage = critical, digitalSignature, nonRepudiation +extendedKeyUsage = emailProtection +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always diff --git a/lambda-odentas-pades-sign/helpers/pades.js b/lambda-odentas-pades-sign/helpers/pades.js index e85aed1..63a6651 100644 --- a/lambda-odentas-pades-sign/helpers/pades.js +++ b/lambda-odentas-pades-sign/helpers/pades.js @@ -23,6 +23,7 @@ const OID_ID_DATA = '1.2.840.113549.1.7.1'; const OID_ATTR_CONTENT_TYPE = '1.2.840.113549.1.9.3'; const OID_ATTR_SIGNING_TIME = '1.2.840.113549.1.9.5'; const OID_ATTR_MESSAGE_DIGEST = '1.2.840.113549.1.9.4'; +const OID_ATTR_SIGNING_CERTIFICATE_V2 = '1.2.840.113549.1.9.16.2.47'; // ESSCertIDv2 (RFC 5035) /** * Étape 1: Préparer le PDF avec les vraies valeurs ByteRange calculées @@ -184,6 +185,10 @@ endobj /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached +/Name (Odentas Seal) +/Reason (Certification de contrat de travail) +/Location (France) +/ContactInfo (contact@odentas.com) `; // Ajouter ByteRange - soit placeholder (passe 1) soit valeurs réelles paddées (passe 2)
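Review bot: The hunk declares `OID_ATTR_SIGNING_CERTIFICATE_V2` but whether the attribute is actually emitted is outside this diff; for `/SubFilter /ETSI.CAdES.detached` an ESS `signing-certificate-v2` attribute binding the SHA-256 of the signer certificate is mandatory, and ETSI validators (DSS and the like) report the signature as non-compliant without it, so please confirm it goes into the signed attributes and is not merely defined. In the same spirit, the neighbouring `OID_ATTR_SIGNING_TIME` constant is a smell: ETSI EN 319 142-1 states the CMS `signing-time` attribute shall not be used in PAdES signatures (the `/M` entry of the signature dictionary carries the time), so the signed attributes should be `contentType`, `messageDigest` and `signingCertificateV2`, plus optional policy/commitment attributes.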
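Review bot: `/Reason (Certification de contrat de travail)` is baked into every signature dictionary the Lambda writes, so any document that is not an employment contract will carry a false reason, and that reason is signed content a viewer displays; take it from the request payload with this value as the default instead. Because these four entries are spliced into the PDF as literal strings, the moment any of them becomes dynamic it must be escaped (`(`, `)`, `\` and non-ASCII — or emitted as a UTF-16BE hex string `<FEFF…>`), otherwise one stray parenthesis corrupts the dictionary the ByteRange is about to be computed over; a small `pdfLiteral()` helper is cheap to add now while they are still constants. `/ContactInfo (contact@odentas.com)` also lands in clear in every sealed PDF — confirm that is intended.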