feat(odentas-sign): Configuration Lambda URLs + Certificat Odentas Media SAS + Gestion erreurs

✨ Nouvelles fonctionnalités : - Configuration des URLs Lambda PAdES et TSA dans .env - Certificats Odentas Media SAS (CN=Odentas Seal, O=Odentas Media SAS) - Ajout champs /Name, /Reason, /Location dans signature PDF - Documentation complète des URLs Lambda (ODENTAS_SIGN_LAMBDA_URLS.md) 🔧 Améliorations : - Gestion stricte des erreurs dans webhook completion - Ne marque plus 'completed' si scellage échoue - Vérification des variables LAMBDA_PADES_URL et LAMBDA_TSA_URL - Build Docker multi-arch (ARM64 → AMD64) avec --platform 🔐 Certificats : - CA Root: CN=Odentas Media SAS Root CA, O=Odentas Media SAS - Certificat signature: CN=Odentas Seal, O=Odentas Media SAS, OU=Signature Electronique - Chaîne complète uploadée sur S3 (s3://odentas-sign/certs/chain.pem) ✅ Tests : - Lambda PAdES testée et fonctionnelle - Lambda TSA testée et fonctionnelle - Affichage 'Odentas Media SAS' dans Adobe Reader confirmé ⚠️ Niveau eIDAS actuel : SES (Signature Électronique Simple) TODO: Améliorer conformité PAdES pour niveau AES (voir TODO_PADES_CONFORMITE.md)
2025-10-28 19:32:29 +01:00 · 2025-10-28 19:32:29 +01:00 · c3d7fc5618
commit c3d7fc5618
parent c55ead58ca
18 changed files with 518 additions and 36 deletions
--- a/.env.example
+++ b/.env.example
@ -41,3 +41,19 @@ LAMBDA_API_KEY=your-lambda-api-key-64-chars-hex
 # Lambda Functions URLs
 LAMBDA_PDF_TO_IMAGES_URL=https://your-lambda-url.lambda-url.eu-west-3.on.aws/
 # Odentas Sign - Lambda PAdES Seal
 # Lambda pour sceller les PDFs avec signature électronique qualifiée (PAdES)
 LAMBDA_PADES_URL=https://to6vdbnrcencifu3rlg5rygrua0hhdqc.lambda-url.eu-west-3.on.aws/
 # Odentas Sign - Lambda TSA Timestamp
 # Lambda pour horodater les documents signés (RFC 3161)
 LAMBDA_TSA_URL=https://fs5drdovby3tye4i3fmb27b3gi0zfqyw.lambda-url.eu-west-3.on.aws/
 # Odentas Sign - KMS Key ID
 # Clé KMS AWS pour chiffrer les signatures
 KMS_KEY_ID=arn:aws:kms:eu-west-3:292468105557:key/4d08be1d-a871-486e-bf70-f651f18c5f19
 # Odentas Sign - TSA Timestamp Authority
 # URL du serveur d'horodatage (Sectigo par défaut)
 TSA_URL=https://timestamp.sectigo.com
--- a/ODENTAS_SIGN_LAMBDA_URLS.md
+++ b/ODENTAS_SIGN_LAMBDA_URLS.md
@ -0,0 +1,101 @@
 # Odentas Sign - Configuration Lambda URLs
 ## URLs des Lambdas de Production
 ### Lambda PAdES Seal
 **Fonction:** Scellage des PDFs avec signature électronique qualifiée (PAdES)
 - **Nom:** `odentas-pades-sign`
 - **URL:** `https://to6vdbnrcencifu3rlg5rygrua0hhdqc.lambda-url.eu-west-3.on.aws/`
 - **Région:** eu-west-3 (Paris)
 - **Variable d'environnement:** `LAMBDA_PADES_URL`
 ### Lambda TSA Timestamp
 **Fonction:** Horodatage des documents signés (RFC 3161)
 - **Nom:** `odentas-tsa-stamp`
 - **URL:** `https://fs5drdovby3tye4i3fmb27b3gi0zfqyw.lambda-url.eu-west-3.on.aws/`
 - **Région:** eu-west-3 (Paris)
 - **Variable d'environnement:** `LAMBDA_TSA_URL`
 ## Configuration KMS
 **Clé KMS pour chiffrement des signatures:**
 ```
 arn:aws:kms:eu-west-3:292468105557:key/4d08be1d-a871-486e-bf70-f651f18c5f19
 ```
 **Variable d'environnement:** `KMS_KEY_ID`
 ## Serveur d'Horodatage TSA
 **URL du serveur TSA (Sectigo):**
 ```
 https://timestamp.sectigo.com
 ```
 **Variable d'environnement:** `TSA_URL`
 ## Configuration dans .env
 Ajoutez ces lignes dans votre fichier `.env` :
 ```bash
 # Odentas Sign - Lambda URLs
 LAMBDA_PADES_URL=https://to6vdbnrcencifu3rlg5rygrua0hhdqc.lambda-url.eu-west-3.on.aws/
 LAMBDA_TSA_URL=https://fs5drdovby3tye4i3fmb27b3gi0zfqyw.lambda-url.eu-west-3.on.aws/
 KMS_KEY_ID=arn:aws:kms:eu-west-3:292468105557:key/4d08be1d-a871-486e-bf70-f651f18c5f19
 TSA_URL=https://timestamp.sectigo.com
 ```
 ## Déploiement sur Vercel
 Pour déployer en production sur Vercel, ajoutez ces variables d'environnement :
 1. Aller dans **Settings** > **Environment Variables**
 2. Ajouter chaque variable :
   - `LAMBDA_PADES_URL`
   - `LAMBDA_TSA_URL`
   - `KMS_KEY_ID`
   - `TSA_URL`
 3. Sélectionner **Production**, **Preview**, et **Development**
 4. Redéployer l'application
 ## Workflow de Signature Complet
 1. **Signature électronique** → Les signataires signent via l'interface web
 2. **Déclenchement automatique** → Quand tous ont signé, webhook appelé
 3. **Lambda PAdES** → Scellage du PDF avec signature qualifiée
 4. **Lambda TSA** → Horodatage du document
 5. **S3 Archive** → Stockage avec compliance lock (10 ans)
 6. **Email de confirmation** → Notification aux signataires
 ## Gestion des Erreurs
 Si une Lambda échoue :
 - ❌ Le statut de la demande passe à `failed`
 - 🔔 Un événement `sealing_failed` est loggé
 - 🚫 Le document n'est **pas** marqué comme `completed`
 Avant ce correctif, le système marquait le document comme `completed` même en cas d'échec du scellage, ce qui posait un problème de conformité.
 ## Vérification des URLs
 Pour vérifier que les Lambdas sont accessibles :
 ```bash
 # Test Lambda PAdES
 curl -X POST https://to6vdbnrcencifu3rlg5rygrua0hhdqc.lambda-url.eu-west-3.on.aws/ \
  -H "Content-Type: application/json" \
  -d '{}'
 # Test Lambda TSA
 curl -X POST https://fs5drdovby3tye4i3fmb27b3gi0zfqyw.lambda-url.eu-west-3.on.aws/ \
  -H "Content-Type: application/json" \
  -d '{}'
 ```
 ## Sécurité
 Les Function URLs sont actuellement configurées avec `auth-type: NONE` pour permettre l'accès direct depuis Next.js.
 Pour une sécurité renforcée en production, considérez :
 - Utiliser IAM authentication
 - Ajouter une API Gateway avec authentification
 - Implémenter un système de tokens/signatures
--- a/app/api/odentas-sign/webhooks/completion/route.ts
+++ b/app/api/odentas-sign/webhooks/completion/route.ts
@ -154,28 +154,51 @@ export async function POST(request: NextRequest) {
      console.log(`[WEBHOOK] Payload PAdES:`, JSON.stringify(padesPayload, null, 2));
-      // En local, on simule la Lambda (en production, faire un appel Lambda réel)
+      // Vérifier que les Lambdas sont configurées
-      const padesResponse = await fetch(process.env.LAMBDA_PADES_URL || 'http://localhost:9000/2015-03-31/functions/function/invocations', {
+      if (!process.env.LAMBDA_PADES_URL || !process.env.LAMBDA_TSA_URL) {
        const error = 'LAMBDA_PADES_URL et LAMBDA_TSA_URL doivent être configurées pour le scellage';
        console.error(`[WEBHOOK] ❌ ${error}`);
        // Mettre à jour le statut en 'failed'
        await supabaseAdmin
          .from('sign_requests')
          .update({ status: 'failed' })
          .eq('id', requestId);
        await logSignEvent({
          requestId: signRequest.id,
          event: 'sealing_failed',
          metadata: { error, reason: 'Lambda URLs not configured' },
        });
        return NextResponse.json(
          { error, details: 'Veuillez configurer LAMBDA_PADES_URL et LAMBDA_TSA_URL dans .env' },
          { status: 500 }
        );
      }
      // Appel Lambda PAdES
      const padesResponse = await fetch(process.env.LAMBDA_PADES_URL, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify(padesPayload),
      }).catch((err) => {
-        console.error('[WEBHOOK] ⚠️ Lambda PAdES non accessible (normal en local):', err.message);
+        console.error('[WEBHOOK] ❌ Erreur appel Lambda PAdES:', err.message);
-        return null;
+        throw new Error(`Lambda PAdES inaccessible: ${err.message}`);
      });
-      let sealedPdfKey = `signed/${signRequest.ref}.pdf`;
+      if (!padesResponse.ok) {
-      let pdfHash = '';
+        const errorText = await padesResponse.text();
-      
+        console.error('[WEBHOOK] ❌ Lambda PAdES a échoué:', errorText);
-      if (padesResponse && padesResponse.ok) {
+        throw new Error(`Lambda PAdES failed: ${padesResponse.status} - ${errorText}`);
        const padesResult = await padesResponse.json();
        console.log(`[WEBHOOK] ✅ PAdES seal appliqué`);
        sealedPdfKey = padesResult.signed_pdf_key;
        pdfHash = padesResult.pdf_sha256;
      } else {
        console.log(`[WEBHOOK] ⚠️ PAdES seal skipped (Lambda non disponible en local)`);
      }
      const padesResult = await padesResponse.json();
      console.log(`[WEBHOOK] ✅ PAdES seal appliqué`);
      const sealedPdfKey = padesResult.signed_pdf_key;
      const pdfHash = padesResult.pdf_sha256;
      // Étape 2: Appeler lambda-tsaStamp pour horodater
      console.log(`[WEBHOOK] ⏱️  Appel de lambda-tsaStamp...`);
@ -184,29 +207,28 @@ export async function POST(request: NextRequest) {
        hash_to_timestamp: pdfHash,
      };
-      const tsaResponse = await fetch(process.env.LAMBDA_TSA_URL || 'http://localhost:9001/2015-03-31/functions/function/invocations', {
+      const tsaResponse = await fetch(process.env.LAMBDA_TSA_URL, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify(tsaPayload),
      }).catch((err) => {
-        console.error('[WEBHOOK] ⚠️ Lambda TSA non accessible (normal en local):', err.message);
+        console.error('[WEBHOOK] ❌ Erreur appel Lambda TSA:', err.message);
-        return null;
+        throw new Error(`Lambda TSA inaccessible: ${err.message}`);
      });
-      let tsaSerial = null;
+      if (!tsaResponse.ok) {
-      let tsaPolicyOid = null;
+        const errorText = await tsaResponse.text();
-      let tsrKey = '';
+        console.error('[WEBHOOK] ❌ Lambda TSA a échoué:', errorText);
-      
+        throw new Error(`Lambda TSA failed: ${tsaResponse.status} - ${errorText}`);
      if (tsaResponse && tsaResponse.ok) {
        const tsaResult = await tsaResponse.json();
        console.log(`[WEBHOOK] ✅ TSA timestamp obtenu`);
        tsaSerial = tsaResult.serial_number;
        tsaPolicyOid = tsaResult.policy_oid;
        tsrKey = tsaResult.tsr_s3_key;
      } else {
        console.log(`[WEBHOOK] ⚠️ TSA timestamp skipped (Lambda non disponible en local)`);
      }
      const tsaResult = await tsaResponse.json();
      console.log(`[WEBHOOK] ✅ TSA timestamp obtenu`);
      const tsaSerial = tsaResult.serial_number;
      const tsaPolicyOid = tsaResult.policy_oid;
      const tsrKey = tsaResult.tsr_s3_key;
      // Étape 3: Mettre à jour l'evidence bundle avec les infos de scellage
      evidenceBundle.seal.sealed_at = new Date().toISOString();
      evidenceBundle.seal.pdf_sha256 = pdfHash;
@ -257,15 +279,27 @@ export async function POST(request: NextRequest) {
    } catch (sealError) {
      console.error('[WEBHOOK] ❌ Erreur workflow de scellage:', sealError);
-      // En cas d'erreur, on complète quand même la demande
+      // Mettre à jour le statut en 'failed' au lieu de 'completed'
-      const { error: updateError } = await supabaseAdmin
+      await supabaseAdmin
        .from('sign_requests')
-        .update({ status: 'completed' })
+        .update({ status: 'failed' })
        .eq('id', requestId);
-      if (updateError) {
+      await logSignEvent({
-        console.error('[WEBHOOK] Erreur mise à jour statut:', updateError);
+        requestId: signRequest.id,
-      }
+        event: 'sealing_failed',
        metadata: {
          error: sealError instanceof Error ? sealError.message : String(sealError),
        },
      });
      return NextResponse.json(
        { 
          error: 'Échec du workflow de scellage', 
          details: sealError instanceof Error ? sealError.message : String(sealError) 
        },
        { status: 500 }
      );
    }
    // 7. Logger la completion
--- a/lambda-odentas-pades-sign/Dockerfile
+++ b/lambda-odentas-pades-sign/Dockerfile
@ -1,4 +1,4 @@
-FROM public.ecr.aws/lambda/nodejs:18
+FROM --platform=linux/amd64 public.ecr.aws/lambda/nodejs:18
 # pkijs nécessite des dépendances build (si tu ajoutes d'autres libs native)
 RUN yum -y install openssl && yum clean all
--- a/lambda-odentas-pades-sign/certs/ca-odentas.conf
+++ b/lambda-odentas-pades-sign/certs/ca-odentas.conf
@ -0,0 +1,18 @@
 [req]
 default_bits = 4096
 prompt = no
 default_md = sha256
 distinguished_name = dn
 x509_extensions = v3_ca
 [dn]
 C=FR
 O=Odentas Media SAS
 OU=Autorite de Certification
 CN=Odentas Media SAS Root CA
 [v3_ca]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 basicConstraints = critical,CA:true
 keyUsage = critical, keyCertSign, cRLSign
--- a/lambda-odentas-pades-sign/certs/ca-odentas.crt
+++ b/lambda-odentas-pades-sign/certs/ca-odentas.crt
@ -0,0 +1,34 @@
 -----BEGIN CERTIFICATE-----
 MIIF0zCCA7ugAwIBAgIUKjztdgtaFlRP/N6rP3nVwGYuPXwwDQYJKoZIhvcNAQEL
 BQAwcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMSIw
 IAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlPZGVu
 dGFzIE1lZGlhIFNBUyBSb290IENBMB4XDTI1MTAyODE4MDU1OFoXDTQ1MTAyMzE4
 MDU1OFowcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FT
 MSIwIAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlP
 ZGVudGFzIE1lZGlhIFNBUyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
 MIICCgKCAgEAvV0QbPzSsZ+Ys4J4tYIIIM7LdOCkE7cNAh3casLB072ACFjFq0iw
 Mg1ZXROk9i2sOVELN7q4ra+8E1528e9U8TyOKWPwGIdPmr+FokJ8zrxLBp8XtqO1
 ti2XNN2GK6EHb9C931m0JgCUkRA/jVB2tbjtR2JRl81ZOdszdwNektUwWQIqZBDg
 JNye+LiMZflcob/DSEqWjBye4KnAhgxGpy0GcaDVOU1pJ0xXmu+Khlj6hVsnklLc
 H2Gtx+ePfaWLmfQKyVfzFUVSrS8MlPJCwI+H+o1GmwmJkt4Z6kcbpdOdiMP8D8rj
 UHWXX5hXbxalg39COhpvZwSwfkWBRICCBjzAqOQNZu6COHA8dWOeP4EjIBQhnz54
 he5vka3HENpqAduXtbtTZxcFKkM7YAGSY/2+oo3G4i54zy6316UpzYJWRfdaIYV8
 tw6mPk4f7ecpV9sjMdmdI4IrUQii/QkKIBr1kKYSGcuTINKxGXioFcF29MqwWTsI
 w+Ukf11vqlCsFSwwtOxRGukgHbeN/OPiS8sOtPmeFnErFK+ZsNmMw/gQuxlc5OJK
 jRUj4QZw/eqVvMBvuTeYQgW387bNUWTro4hxH/LBpL7hY+2rnRCjDAizjJljh00J
 +xZkt9WfGZliepQTJuaeAfwZVPptmw4OwXOTyKQvzLhFAicV2OzGxlkCAwEAAaNj
 MGEwHQYDVR0OBBYEFIw45IxZ3n9y9n2O3jm4c2E4gINzMB8GA1UdIwQYMBaAFIw4
 5IxZ3n9y9n2O3jm4c2E4gINzMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
 AgEGMA0GCSqGSIb3DQEBCwUAA4ICAQA6ohYP4UVh08CJCinnVtmkUQykJCqOqm4q
 PS3xFqgHL9GbvCUfDh/p75A1fomJVojRP86SZ/JYGj8dbwzeLxHWEDW89k/SJK+V
 u20mQQkuZ7KhobBti2m+JzU7XP6Qd+jZBOKK3xOrVSScvO3ITJNaxkeJgEFL5/Jk
 yDyuzFOrQeqmtKiWpN7YWLgZumEtVNY3LBxu+zm13his4XJhFc4PAAk8jWGxCwvW
 s6hAT6nQWXr0MvO7USKvyji/6DQCthfgoMi5Qq9uox93iXieV+R4QAv/eOXYTPt7
 G3vwh1h8QUU/yERQ2BTMp8Kryd7S0Jbbhg0oXlc2qGHjSVs+T4saTlxkW3WLrMdv
 44r3Nt5IUDgRatTOgSD/D78Ael/Lsmw1yvcIwkSsUX9mwcOPkg/t8I32eEYyjbDJ
 REXkc4epaIgYfSk9/wa8jPyDrt/t30WG2komzCVkZWYJqkVlvVfbpmD/9e+ASM4M
 t9Awzh7YR1ydJVZXp+YK9xNLxH4yqduBopCT9zoWK7BaAggwiAL4AhvAYpUNlLBI
 sGOJbGG9+8JnOu3HiLtsW4dDm3Yvm3AIeYh5en4xQXRQ5iecyY7foIowk6sUU4EL
 LwGigxzWpYUgWLkWPVi9E4qi214qIFLkn1LFUmV0SMyiAUhntH5+S8D5B7jCB5BX
 iglXKmpPYg==
 -----END CERTIFICATE-----
--- a/lambda-odentas-pades-sign/certs/ca-odentas.key
+++ b/lambda-odentas-pades-sign/certs/ca-odentas.key
@ -0,0 +1,52 @@
 -----BEGIN PRIVATE KEY-----
 MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC9XRBs/NKxn5iz
 gni1ggggzst04KQTtw0CHdxqwsHTvYAIWMWrSLAyDVldE6T2Law5UQs3uritr7wT
 Xnbx71TxPI4pY/AYh0+av4WiQnzOvEsGnxe2o7W2LZc03YYroQdv0L3fWbQmAJSR
 ED+NUHa1uO1HYlGXzVk52zN3A16S1TBZAipkEOAk3J74uIxl+Vyhv8NISpaMHJ7g
 qcCGDEanLQZxoNU5TWknTFea74qGWPqFWyeSUtwfYa3H5499pYuZ9ArJV/MVRVKt
 LwyU8kLAj4f6jUabCYmS3hnqRxul052Iw/wPyuNQdZdfmFdvFqWDf0I6Gm9nBLB+
 RYFEgIIGPMCo5A1m7oI4cDx1Y54/gSMgFCGfPniF7m+RrccQ2moB25e1u1NnFwUq
 QztgAZJj/b6ijcbiLnjPLrfXpSnNglZF91ohhXy3DqY+Th/t5ylX2yMx2Z0jgitR
 CKL9CQogGvWQphIZy5Mg0rEZeKgVwXb0yrBZOwjD5SR/XW+qUKwVLDC07FEa6SAd
 t4384+JLyw60+Z4WcSsUr5mw2YzD+BC7GVzk4kqNFSPhBnD96pW8wG+5N5hCBbfz
 ts1RZOujiHEf8sGkvuFj7audEKMMCLOMmWOHTQn7FmS31Z8ZmWJ6lBMm5p4B/BlU
 +m2bDg7Bc5PIpC/MuEUCJxXY7MbGWQIDAQABAoICAAkt5xdPaKO7W668+P68dUoo
 2Bg78PwzLAZhne8Pbo+l8JxG+FsJmJ/ugXnXc1BLLb1wCioLCzuBKK3sLvoimsSg
 ZbhIK8n2mjNjTBYt4KixXDYvlVnRRQRWIK2rfN7lzQtcrC2U5ryOW+VNyzTdlQmR
 U7A5igDAr630LCIdZ9LYkoHIDve/kSv8RVkDcivZywWcuvnIwtQ7KXD0zZw54V1m
 e3jb3eYrlFi3NMpyCO4jB07aWLhZO6oqRR8rAIvLz/D4MWMp+CK8c+no/VRFi5qT
 wpjQyx7GFzUHPuyaQpL253yrGm+GC1+Zuaskwn1ENOUDUNmp8SNGaQtP8XiZfaP8
 FXPzguUT3a+8B3f+4xovE+9utitwb8GoJbIFqaOEjIu2ezFi+pPbZDI6qoq68rnr
 Uwz6lt+CxT/1SlIPzbnjuuKvX7sKLz4c435JojLN0CwIxwV51jXoLTQ107/bDmeo
 2KreIrmauh1wc2ClYnl7aQqFCGlv4Vvo3OA1DveW492wIhacZ8Z6ZKWNJJ5E7uRk
 EinkFyci0wvm2xkQ8yAzxfqpHxX7EJU/ouE08DfO8tGYF4PxCFE/9iDlReQ4ty0+
 Rg9B9gJH7ypgy6NAz0PNUsSG09pLlCalYL+uuGkT0qiVUpf8P7PK8FRymwPZppnu
 bTn+WmsbhVEN5ZWrXSNxAoIBAQDwaJYLPoM6HL9W/+euQB6CQhlMDjP1shZNZD6j
 d5YmD/cRIVpLuWjOcsA0GXOMumv9Lbol7YEcrh9OuKRBVRODx9XkQNAey+YZ7hHE
 5gzTNf+5l8RXAJXLgCsywdDRZrl8n9S/n1rROWMCaCeD2PVX9yuCVkq2aEYCsjWl
 NAxsXGSGKTAsvFxqZDYZjkBdHdz4tmzO8Qlr282PDw/K0EiMgB7+3MmyOKBW1tHV
 E/j23xnL60z168LmWa8YyUENj1rjo56EMLmmZmOf0TOXdnH4SzpLM6CXpUA/fM22
 zubvnPKjY223yQUkWvGSl0jE93FcY6EhREZdQq98G5ewOTdJAoIBAQDJpP8oUKZr
 wqX5w0kDeWuhbJL5D8pxhiJHHb5ypDzFnIL1BHRh6l4EjmAeR8FdpkUtBQr21ZLb
 mWmiWV046vY2ifjpp/nODhi2yInCc2PKpx2XkCQ9+HfihDxTVFH5yl17fKXoMYPx
 9l67MnwvKT+gfBM2ATJslutboRxY1u1jQySjBoq9/6qG+8+e3yhzxvSH5wvw72mN
 HdKFs90EXa9VWY6l8sv+ULvNWXi65Kt+AKsKbUXdgl6a8OOYD1Nd92NPeM0L874+
 /jl4aNE1ClhnDExqTMezMR5v2X7Y/cNrrIm0Vgz7KeC33Q8ck4hFuwyuY1xbXwry
 1RHkiEkyvMaRAoIBAQDqE7s8eYKGW6VGDWdEt7O8+qTs88tNyDeE5T1EJtUwfE0B
 BeuIXaAZm4tfbwSeGom4+wQLl+Qly7g6CvgLkM2uey3cz+qUgc2qo63zfFcyc5pp
 18bZO32epk3pXuN2cEHcgTdB2OQxYWHw3v7SlrXUD5ryjhiy4HaCe4hWMYaDH7bV
 FleMx15oTOiMG4C56bDVDbKGEBUvStYsG+sxe3mYK8uCNfHBMPeVdhbbFFZN8U6J
 ybKmpAaiCOK/DH3luRYzHYXjihnJVlpcKvLD4BT6QC0jOcJ8xO74ogkenPgoiDWM
 NuyGjRkPm+ko5Vp6Rb+/yFYEMRkeByccfTVF5X/ZAoIBAHzotZquovi74f7e5tq9
 G1wqmryn+HrsYU12cmQnsvGiq0jGEqYY/VaLL6VyQ6kUd2OU7R7MXCWmWdZUzzeT
 7SMJwuRSxp7LAqovfY6z1gxSCzW494pf4TuzOH9SC1nV7qSxKUC1c4uuVy5U7rJ0
 NdLfKTNZ+Hdl4bOoEJxDv1eu3wIR6l4aAvONBybeC/v0McQB7ta4J8VfxOpH6dBr
 jFItoPzRc2Y9cqiZFP2I62apWUqjOBUoThxivkmSrMzXk3BGX5ZYze/NoaIiI/5c
 QzjKWIe8ujQZaEZXD4mxYJ3RipfoejAX1/lteY/1IAQ6A3f/WtXLAUg9jtDnT5ib
 cdECggEAcuDnm2fDuJjiNBGg0Wg+xX2sWI+HyD5sF3u5kS91kY191b6Ss2Sg8EqL
 atr8ezNl3aOY6mJ5/WI8iUwO2bHjHt9I5a+KYhyz5jwIarBOiPCTg8FdeRwesRxN
 9aKuNFqDr2+RpmJE1agzQNjpdrDga+29NT5x9RTS3a0Qr5DXtmVtaBpQR8wpuiXb
 VxAwunqn4cjvOCijq2UiNvBq0BXafp5/6augScsYr6Sz8KJ9SC1LKTr4aBIhC7WR
 alplWSoUz3uP20dra0Aw+4mu6tVFWljIQ/W/ZiaBCEXiFwSs7E5g/ThcLakwE3Pp
 haJ1yojCjtrnTE8J+F33wdDR1Yx2MQ==
 -----END PRIVATE KEY-----
--- a/lambda-odentas-pades-sign/certs/ca-odentas.srl
+++ b/lambda-odentas-pades-sign/certs/ca-odentas.srl
@ -0,0 +1 @@
 7743E688AB10F7DD56C2F43BF384997C934D2E70
--- a/lambda-odentas-pades-sign/certs/chain-odentas-final.pem
+++ b/lambda-odentas-pades-sign/certs/chain-odentas-final.pem
@ -0,0 +1,65 @@
 -----BEGIN CERTIFICATE-----
 MIIFZjCCA06gAwIBAgIUd0PmiKsQ991WwvQ784SZfJNNLnAwDQYJKoZIhvcNAQEL
 BQAwcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMSIw
 IAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlPZGVu
 dGFzIE1lZGlhIFNBUyBSb290IENBMB4XDTI1MTAyODE4MDYzMFoXDTM1MTAyNjE4
 MDYzMFowYTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FT
 MR8wHQYDVQQLDBZTaWduYXR1cmUgRWxlY3Ryb25pcXVlMRUwEwYDVQQDDAxPZGVu
 dGFzIFNlYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDigTvq8d/t
 W9/nzjsSzQ+x+RsKdHg5ZnA2qSgZJsZGSO86XjNIfkW3ZIuwdZFvrSc1IgoblLtw
 8G6sy4FCNbTyqcyaoCE9/b8j3YUFJzy3Z+A3L3LJyWj2kyHB9/JWjCQfzuEk9YJ+
 B24108EsRWCNCOWx4d+clwyQPdEC7xYMLb0I4g4OxCdUSSG9sTCiRG3kAlwNmbZJ
 ciONMwSb3mCeKzHGnst86DLgdMJvO/jiE6N6QZNPWEE5Z1m3pqTSdkAT1jnJpPrN
 ewmMDXrt3gKCI8shLEgTrOG55HkaXOsdZ4OiBKVGk41eWyar12O5pvzdcGXr0vQ9
 sbYPmpPXHHVjAgMBAAGjggEEMIIBADAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIG
 wDATBgNVHSUEDDAKBggrBgEFBQcDBDAdBgNVHQ4EFgQUP1wBi05/I2FVHpNHkop4
 U1DDHT4wga4GA1UdIwSBpjCBo4AUjDjkjFnef3L2fY7eObhzYTiAg3OhdaRzMHEx
 CzAJBgNVBAYTAkZSMRowGAYDVQQKDBFPZGVudGFzIE1lZGlhIFNBUzEiMCAGA1UE
 CwwZQXV0b3JpdGUgZGUgQ2VydGlmaWNhdGlvbjEiMCAGA1UEAwwZT2RlbnRhcyBN
 ZWRpYSBTQVMgUm9vdCBDQYIUKjztdgtaFlRP/N6rP3nVwGYuPXwwDQYJKoZIhvcN
 AQELBQADggIBAEGadnfqKpmpWSls2rln0IXcN6SbGoxKRSzYup5Boo+SIwt1pDPx
 67caXUaKo/nBB1FPNdhOhzLEszLYOzJ/sV5pl5IDDIOSyoCyCu2Z4i4GEDrgXC0C
 eew6ZDL4W5YzDVOjlk/fOJ15OPsQ1ri2fbP0VTdvoykAHLgQFiXc1IIoE77UmX9C
 T2k0LTZmoGvGfhyTssDyXRknbKBGe3mnmM3/CHseQ4enC3CKetFqy9qfQ7r0rK/t
 Cdeyql/a2WmHLXmQ0HtyEgTbZNMylLkh5ZEq9S7xQOvh68oVOwq7G72p+gwbXxEa
 6J5/Seq9p12imGXHjoivSdLzZUgHA60TetFFE0Zg/1KHRtLtKN90zP09NucCeWJw
 KMXpF0tvDEpLoy5/VxqiSQmxiyRvdeK48I57+hpCmkHE+9gX3Tqr+uyNLzBgug5s
 hB+f9GOWQcUorTk0EGx4prfDAX06tNF2UcyMFDu3R+VkT2NBWbySJ4g7XAzX0QnC
 +083j10sY+05vURXaPdbuCutKp4XENxeYbzWpQWbaaA7f/yGd2vjbG/ANN4QZqL8
 2lSgh4b61s8F7Uaw7v1xRO986QpxyWwNlsZJnjLkLfoHL9ODN9QkMEV+iK7yncac
 Km5la5sTyN8pABuNtrKBW+2SpBQYM2Iu7g+Q9n1ZFFlUG9h30HpuCyRk
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIF0zCCA7ugAwIBAgIUKjztdgtaFlRP/N6rP3nVwGYuPXwwDQYJKoZIhvcNAQEL
 BQAwcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMSIw
 IAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlPZGVu
 dGFzIE1lZGlhIFNBUyBSb290IENBMB4XDTI1MTAyODE4MDU1OFoXDTQ1MTAyMzE4
 MDU1OFowcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FT
 MSIwIAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlP
 ZGVudGFzIE1lZGlhIFNBUyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
 MIICCgKCAgEAvV0QbPzSsZ+Ys4J4tYIIIM7LdOCkE7cNAh3casLB072ACFjFq0iw
 Mg1ZXROk9i2sOVELN7q4ra+8E1528e9U8TyOKWPwGIdPmr+FokJ8zrxLBp8XtqO1
 ti2XNN2GK6EHb9C931m0JgCUkRA/jVB2tbjtR2JRl81ZOdszdwNektUwWQIqZBDg
 JNye+LiMZflcob/DSEqWjBye4KnAhgxGpy0GcaDVOU1pJ0xXmu+Khlj6hVsnklLc
 H2Gtx+ePfaWLmfQKyVfzFUVSrS8MlPJCwI+H+o1GmwmJkt4Z6kcbpdOdiMP8D8rj
 UHWXX5hXbxalg39COhpvZwSwfkWBRICCBjzAqOQNZu6COHA8dWOeP4EjIBQhnz54
 he5vka3HENpqAduXtbtTZxcFKkM7YAGSY/2+oo3G4i54zy6316UpzYJWRfdaIYV8
 tw6mPk4f7ecpV9sjMdmdI4IrUQii/QkKIBr1kKYSGcuTINKxGXioFcF29MqwWTsI
 w+Ukf11vqlCsFSwwtOxRGukgHbeN/OPiS8sOtPmeFnErFK+ZsNmMw/gQuxlc5OJK
 jRUj4QZw/eqVvMBvuTeYQgW387bNUWTro4hxH/LBpL7hY+2rnRCjDAizjJljh00J
 +xZkt9WfGZliepQTJuaeAfwZVPptmw4OwXOTyKQvzLhFAicV2OzGxlkCAwEAAaNj
 MGEwHQYDVR0OBBYEFIw45IxZ3n9y9n2O3jm4c2E4gINzMB8GA1UdIwQYMBaAFIw4
 5IxZ3n9y9n2O3jm4c2E4gINzMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
 AgEGMA0GCSqGSIb3DQEBCwUAA4ICAQA6ohYP4UVh08CJCinnVtmkUQykJCqOqm4q
 PS3xFqgHL9GbvCUfDh/p75A1fomJVojRP86SZ/JYGj8dbwzeLxHWEDW89k/SJK+V
 u20mQQkuZ7KhobBti2m+JzU7XP6Qd+jZBOKK3xOrVSScvO3ITJNaxkeJgEFL5/Jk
 yDyuzFOrQeqmtKiWpN7YWLgZumEtVNY3LBxu+zm13his4XJhFc4PAAk8jWGxCwvW
 s6hAT6nQWXr0MvO7USKvyji/6DQCthfgoMi5Qq9uox93iXieV+R4QAv/eOXYTPt7
 G3vwh1h8QUU/yERQ2BTMp8Kryd7S0Jbbhg0oXlc2qGHjSVs+T4saTlxkW3WLrMdv
 44r3Nt5IUDgRatTOgSD/D78Ael/Lsmw1yvcIwkSsUX9mwcOPkg/t8I32eEYyjbDJ
 REXkc4epaIgYfSk9/wa8jPyDrt/t30WG2komzCVkZWYJqkVlvVfbpmD/9e+ASM4M
 t9Awzh7YR1ydJVZXp+YK9xNLxH4yqduBopCT9zoWK7BaAggwiAL4AhvAYpUNlLBI
 sGOJbGG9+8JnOu3HiLtsW4dDm3Yvm3AIeYh5en4xQXRQ5iecyY7foIowk6sUU4EL
 LwGigxzWpYUgWLkWPVi9E4qi214qIFLkn1LFUmV0SMyiAUhntH5+S8D5B7jCB5BX
 iglXKmpPYg==
 -----END CERTIFICATE-----
--- a/lambda-odentas-pades-sign/certs/chain-odentas.pem
+++ b/lambda-odentas-pades-sign/certs/chain-odentas.pem
@ -0,0 +1,42 @@
 -----BEGIN CERTIFICATE-----
 MIIDijCCAnKgAwIBAgIUBRDEld1KCipJV1oVjCCOWp3MolIwDQYJKoZIhvcNAQEL
 BQAwQDELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMRUw
 EwYDVQQDDAxPZGVudGFzIFNlYWwwHhcNMjUxMDI4MTgwMzA4WhcNMzUxMDI2MTgw
 MzA4WjBAMQswCQYDVQQGEwJGUjEaMBgGA1UECgwRT2RlbnRhcyBNZWRpYSBTQVMx
 FTATBgNVBAMMDE9kZW50YXMgU2VhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
 AQoCggEBAOjB01uI8maGdWrm3Tgir9NdbIyBZKRkxeiHykepDR17hWsCq2HjIHfy
 nqjlOH86KPVmbZMCHUZx33qsvFIpcTnO5+zqgwIVdEXK/2Qjc9xldKhYF2UQCF4W
 2M4144NCNaZKD1YgX4LnhFHAyJyuDyijXq/FRSs/rGb6zV1jVIv/GBIs6sN4Oh12
 LGoBNzqVQ6eciJRErXZ9oYhfIhI1aIDbW7szFZhq2QabYpSa0znipaxa2PMgGzM2
 apdgHluX/t06LDV6499ec1p+STmQxZuqnkwBNnru5awKHl0UF6/MUfwTB9FpbVti
 Qla45vNZFeiwDwj/WNuVnr53fBf5l2cCAwEAAaN8MHowCQYDVR0TBAIwADAOBgNV
 HQ8BAf8EBAMCBsAwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMDMB0GA1Ud
 DgQWBBTKICdSy6Xr2VtCd0zVBSnJbcx83zAfBgNVHSMEGDAWgBRJH7WUdlCT0tCl
 H+99w4YI1Km/3jANBgkqhkiG9w0BAQsFAAOCAQEAm4ruChVyXxhJ/aSPGzC5YtV0
 7ntnqgS5BAWHuLqwRMLKX+SSntVf5E9XUlIiUUPRCqClcYsaNnHFyz8zrp8/LvPy
 0ALJTx2NFdtmM/408g3cLIK9FOwrH4U2HWzJ6qt8aYEY2vQeuNbrfV2O6Bphvhuv
 3IK8eDhE50Rbn+v4N6owQfaoxov33/JzmgdAK4FGj+WBzaaOuA4qhrw/b9BxRHJl
 TWTLhWFLxdANmX2i+UarCAAjVxLgJ1XB6gQghVs+ZaHLCCPZYimCV8G8HrLO/Ibt
 ISiyMS01dssIj1Wmpmp3a+KSUkWRDX3Leb+Je00CDDQ9GEXGrDFPE8s4jRL4YA==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIDcTCCAlmgAwIBAgIUeAOREUHzNG+Ow6Jvjkqi1OKyFowwDQYJKoZIhvcNAQEL
 BQAwQDELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMRUw
 EwYDVQQDDAxPZGVudGFzIFNlYWwwHhcNMjUxMDI4MTgwMjQzWhcNMzUxMDI2MTgw
 MjQzWjBAMQswCQYDVQQGEwJGUjEaMBgGA1UECgwRT2RlbnRhcyBNZWRpYSBTQVMx
 FTATBgNVBAMMDE9kZW50YXMgU2VhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
 AQoCggEBANcTtER+DaoHVnhLQlbeoCTjXgj3vxTcjyUE9e055X4whDT3ZXnvKH0z
 aCGFcRMlMkWftg5naaxJXr77XY0ZoTrqc8GAuzAgXwzUa4IhSCSy3IADcQuaUCEF
 ktosN9msS5VSaDtcoYuMLopfQAMvRUUIDVh19BX9zLEanISvEDbmCmnC26bmdBS6
 aqe3fiGq8ELiBBSRFiaBk8LKa4omXtUBVsJilbJpidCvLF8DPPCdO9KgRcukQa+i
 7Fz0cPTSL7/u904CoVNhSDxO0fHsGYaJa0HdOFbuMvmVsbMohkH2FGgkBjSE810q
 /5cpoLCqztOtiBeie519Z0Icr9eqQp8CAwEAAaNjMGEwHQYDVR0OBBYEFEkftZR2
 UJPS0KUf733DhgjUqb/eMB8GA1UdIwQYMBaAFEkftZR2UJPS0KUf733DhgjUqb/e
 MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUA
 A4IBAQA6x20LfafjIFEq9FUJLvsL99wXm9rpGuDAjHR4vrpIsbfg4htWg2WwmWWo
 SIp+QFHKWtwzF+H+OX/jchTEJSqQOc150jMHLJBgNguGDV1aNQGn1shKUmsNsATX
 YmRz47wF0Sg2OXjSNeiNIzCqHAuxl+3S/rnVnUtcPB8DOlo8obytNsOTD9/w0LrY
 9i4z0we0ARjt4i5F9R5iy4oiMiyKgmcQRtkR25I9QuQ3z6gVYklrZw66reOLtrbs
 QqFqPCXc9W6aF4ZWm9acYjz05b5sYKNYExmTeFtlFGy9HmT9FCUcx7yYi1XfgiQm
 cPtoDMMIPvKCacNpliYSAm/GtYta
 -----END CERTIFICATE-----
--- a/lambda-odentas-pades-sign/certs/odentas-media-sas.conf
+++ b/lambda-odentas-pades-sign/certs/odentas-media-sas.conf
@ -0,0 +1,17 @@
 [req]
 default_bits = 2048
 prompt = no
 default_md = sha256
 distinguished_name = dn
 x509_extensions = v3_ca
 [dn]
 C=FR
 O=Odentas Media SAS
 CN=Odentas Seal
 [v3_ca]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 basicConstraints = critical,CA:true
 keyUsage = critical, digitalSignature, keyCertSign, cRLSign
--- a/lambda-odentas-pades-sign/certs/signer-extensions.conf
+++ b/lambda-odentas-pades-sign/certs/signer-extensions.conf
@ -0,0 +1,5 @@
 basicConstraints=CA:FALSE
 keyUsage = critical, digitalSignature, nonRepudiation
 extendedKeyUsage = emailProtection, codeSigning
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
--- a/lambda-odentas-pades-sign/certs/signer-odentas.conf
+++ b/lambda-odentas-pades-sign/certs/signer-odentas.conf
@ -0,0 +1,11 @@
 [req]
 default_bits = 2048
 prompt = no
 default_md = sha256
 distinguished_name = dn
 [dn]
 C=FR
 O=Odentas Media SAS
 OU=Signature Electronique
 CN=Odentas Seal
--- a/lambda-odentas-pades-sign/certs/signer-odentas.crt
+++ b/lambda-odentas-pades-sign/certs/signer-odentas.crt
@ -0,0 +1,31 @@
 -----BEGIN CERTIFICATE-----
 MIIFZjCCA06gAwIBAgIUd0PmiKsQ991WwvQ784SZfJNNLnAwDQYJKoZIhvcNAQEL
 BQAwcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMSIw
 IAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlPZGVu
 dGFzIE1lZGlhIFNBUyBSb290IENBMB4XDTI1MTAyODE4MDYzMFoXDTM1MTAyNjE4
 MDYzMFowYTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FT
 MR8wHQYDVQQLDBZTaWduYXR1cmUgRWxlY3Ryb25pcXVlMRUwEwYDVQQDDAxPZGVu
 dGFzIFNlYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDigTvq8d/t
 W9/nzjsSzQ+x+RsKdHg5ZnA2qSgZJsZGSO86XjNIfkW3ZIuwdZFvrSc1IgoblLtw
 8G6sy4FCNbTyqcyaoCE9/b8j3YUFJzy3Z+A3L3LJyWj2kyHB9/JWjCQfzuEk9YJ+
 B24108EsRWCNCOWx4d+clwyQPdEC7xYMLb0I4g4OxCdUSSG9sTCiRG3kAlwNmbZJ
 ciONMwSb3mCeKzHGnst86DLgdMJvO/jiE6N6QZNPWEE5Z1m3pqTSdkAT1jnJpPrN
 ewmMDXrt3gKCI8shLEgTrOG55HkaXOsdZ4OiBKVGk41eWyar12O5pvzdcGXr0vQ9
 sbYPmpPXHHVjAgMBAAGjggEEMIIBADAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIG
 wDATBgNVHSUEDDAKBggrBgEFBQcDBDAdBgNVHQ4EFgQUP1wBi05/I2FVHpNHkop4
 U1DDHT4wga4GA1UdIwSBpjCBo4AUjDjkjFnef3L2fY7eObhzYTiAg3OhdaRzMHEx
 CzAJBgNVBAYTAkZSMRowGAYDVQQKDBFPZGVudGFzIE1lZGlhIFNBUzEiMCAGA1UE
 CwwZQXV0b3JpdGUgZGUgQ2VydGlmaWNhdGlvbjEiMCAGA1UEAwwZT2RlbnRhcyBN
 ZWRpYSBTQVMgUm9vdCBDQYIUKjztdgtaFlRP/N6rP3nVwGYuPXwwDQYJKoZIhvcN
 AQELBQADggIBAEGadnfqKpmpWSls2rln0IXcN6SbGoxKRSzYup5Boo+SIwt1pDPx
 67caXUaKo/nBB1FPNdhOhzLEszLYOzJ/sV5pl5IDDIOSyoCyCu2Z4i4GEDrgXC0C
 eew6ZDL4W5YzDVOjlk/fOJ15OPsQ1ri2fbP0VTdvoykAHLgQFiXc1IIoE77UmX9C
 T2k0LTZmoGvGfhyTssDyXRknbKBGe3mnmM3/CHseQ4enC3CKetFqy9qfQ7r0rK/t
 Cdeyql/a2WmHLXmQ0HtyEgTbZNMylLkh5ZEq9S7xQOvh68oVOwq7G72p+gwbXxEa
 6J5/Seq9p12imGXHjoivSdLzZUgHA60TetFFE0Zg/1KHRtLtKN90zP09NucCeWJw
 KMXpF0tvDEpLoy5/VxqiSQmxiyRvdeK48I57+hpCmkHE+9gX3Tqr+uyNLzBgug5s
 hB+f9GOWQcUorTk0EGx4prfDAX06tNF2UcyMFDu3R+VkT2NBWbySJ4g7XAzX0QnC
 +083j10sY+05vURXaPdbuCutKp4XENxeYbzWpQWbaaA7f/yGd2vjbG/ANN4QZqL8
 2lSgh4b61s8F7Uaw7v1xRO986QpxyWwNlsZJnjLkLfoHL9ODN9QkMEV+iK7yncac
 Km5la5sTyN8pABuNtrKBW+2SpBQYM2Iu7g+Q9n1ZFFlUG9h30HpuCyRk
 -----END CERTIFICATE-----
--- a/lambda-odentas-pades-sign/certs/signer-odentas.csr
+++ b/lambda-odentas-pades-sign/certs/signer-odentas.csr
@ -0,0 +1,17 @@
 -----BEGIN CERTIFICATE REQUEST-----
 MIICpjCCAY4CAQAwYTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVk
 aWEgU0FTMR8wHQYDVQQLDBZTaWduYXR1cmUgRWxlY3Ryb25pcXVlMRUwEwYDVQQD
 DAxPZGVudGFzIFNlYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDi
 gTvq8d/tW9/nzjsSzQ+x+RsKdHg5ZnA2qSgZJsZGSO86XjNIfkW3ZIuwdZFvrSc1
 IgoblLtw8G6sy4FCNbTyqcyaoCE9/b8j3YUFJzy3Z+A3L3LJyWj2kyHB9/JWjCQf
 zuEk9YJ+B24108EsRWCNCOWx4d+clwyQPdEC7xYMLb0I4g4OxCdUSSG9sTCiRG3k
 AlwNmbZJciONMwSb3mCeKzHGnst86DLgdMJvO/jiE6N6QZNPWEE5Z1m3pqTSdkAT
 1jnJpPrNewmMDXrt3gKCI8shLEgTrOG55HkaXOsdZ4OiBKVGk41eWyar12O5pvzd
 cGXr0vQ9sbYPmpPXHHVjAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAfFUh+jSr
 rVMEWnqLh9y5TQmo7m4+AO5xbEYeqPYCify0waj5Pg8BB1TKShK/51KkGRcGNlvF
 w8rdxmHlztMDlfAWuh51QaOxP9pl/TNpJ5EzxwMOu6B1dscxy1xQeycy8cKYV2O1
 cn/rD/+/ua8kgxv5xo/Jl3RQsNTafZDDa8OW5pYTpgNp/Ly8diDgWKJGxV0FUJTJ
 Wc3LYlG+TPNMzTopDzrx6y6o01m/INGtV3rvixIzFK4SWz9QzD7GYFukPNx38nij
 g/uVitWvfzuXzInDFLgH6QTGUTqhVZSnLVOm20FIOvdbizDKAH0inR1JEfnlpU67
 ilK+vkalOEDmxg==
 -----END CERTIFICATE REQUEST-----
--- a/lambda-odentas-pades-sign/certs/signer-odentas.key
+++ b/lambda-odentas-pades-sign/certs/signer-odentas.key
@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDigTvq8d/tW9/n
 zjsSzQ+x+RsKdHg5ZnA2qSgZJsZGSO86XjNIfkW3ZIuwdZFvrSc1IgoblLtw8G6s
 y4FCNbTyqcyaoCE9/b8j3YUFJzy3Z+A3L3LJyWj2kyHB9/JWjCQfzuEk9YJ+B241
 08EsRWCNCOWx4d+clwyQPdEC7xYMLb0I4g4OxCdUSSG9sTCiRG3kAlwNmbZJciON
 MwSb3mCeKzHGnst86DLgdMJvO/jiE6N6QZNPWEE5Z1m3pqTSdkAT1jnJpPrNewmM
 DXrt3gKCI8shLEgTrOG55HkaXOsdZ4OiBKVGk41eWyar12O5pvzdcGXr0vQ9sbYP
 mpPXHHVjAgMBAAECggEAZrrujhS9103AM8aZjGFtKO8ukINas83+Pwxhn2ayrtYN
 io+G+u4qeI8lvBbWq6wBCFwz8WZ3zTV/POff7EOnmhfhMJBIA3G+62lhF4FATH7U
 drMSgOrUrGD3Ap6OTyqoh7Sw8K5ZTQfZuJgeGRIuREkwxIkJfmAT1qfy0D3X5hVN
 9cxy7+Ug+KJA78v2WBRpy8rsD6FitDeL6OsD+k04FxzO4aXO43oKs08kA5fK6TY7
 Z5F+W/3w4I7Fru6jV6tnvpPl5o7OKLMNPKrwhQqLJ4mJFj8Ny7j6uj7P202hQGWT
 EKy95sBZDRE1iu0NxNCgdOic+nh94HZi2+Kld75FgQKBgQD64e9r/BVO6SamEZgN
 XwV5MyfKfJk9LsNg7uMpsjUJZHSSS37IGR8gJE2T8oYIIc7KMRn7kzT8yv42P8kM
 fcU0JpJU1ja9/e8TJXpP185x1sQW0dfvmkARH/ikWwO9sHhfhKGHTPXwQFl4s8pv
 p6DMB3TKVxQgP+pdIN633vmtcwKBgQDnIACl5N0R+D/sr5q4o4K84S5r/l53vzKi
 gbo62G0RDCC/QeWvLqe04Xs2LjM/vKROICauLwbfb56WCQB5PJ8jMrhVB+wlqha+
 +Pyt5N+2RW32HJ4RnuIP/xaid15xjPumskhuLf7D5WKidh3CV7JLG7Nz3iVz1Rc1
 f4PvT0wcUQKBgQCZFAq2ZNXLlE9UvR996SC51xDMaEJIJqRoHNrWsjnSRU0rho0R
 IuLvBbegMja994LptBQagLOwG1wJVdoimQseyvo2cY5tVuftUszSsubwZw62rcuI
 EyJMUKmx/ybFM0v/XDoDCF53/YuaLnmyryFZ3KLSY1eQZe9ma4v5vT+zKQKBgQDf
 9JKsLWhJ0VOf9UjnQQmeHFTvMDw5rHtUHIBoJO8KZcYVjbUSWxMGorbReVMPn6tW
 SLEydz8hovb4SyC6WZOad7tGKbcZiAciZgHyPqTH6d7zbCd+y4YiGfvE0gYh4Yq3
 rGmi2c7T46H/6pRLjM6nGOB6lfeUlhc3L6iYay5FAQKBgFJOGF8tosDvYin/nt8W
 ONRatFr5UXZqgebBXZYvX7b0+tKt56VhfyleQBXY0KLpusjRIbvDDKnGaz+V9i6K
 juP+HOoJsrThel9Jx+yjB/LA1SE1gtOsAR1WFy4JIYTiQOWnlk9XU9Dp37GvPyC9
 O5NrTXXwBxMcbksK0omd08zr
 -----END PRIVATE KEY-----
--- a/lambda-odentas-pades-sign/certs/signer-v3.ext
+++ b/lambda-odentas-pades-sign/certs/signer-v3.ext
@ -0,0 +1,5 @@
 basicConstraints=CA:FALSE
 keyUsage = critical, digitalSignature, nonRepudiation
 extendedKeyUsage = emailProtection
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
--- a/lambda-odentas-pades-sign/helpers/pades.js
+++ b/lambda-odentas-pades-sign/helpers/pades.js
@ -23,6 +23,7 @@ const OID_ID_DATA = '1.2.840.113549.1.7.1';
 const OID_ATTR_CONTENT_TYPE = '1.2.840.113549.1.9.3';
 const OID_ATTR_SIGNING_TIME = '1.2.840.113549.1.9.5';
 const OID_ATTR_MESSAGE_DIGEST = '1.2.840.113549.1.9.4';
 const OID_ATTR_SIGNING_CERTIFICATE_V2 = '1.2.840.113549.1.9.16.2.47'; // ESSCertIDv2 (RFC 5035)
 /**
 * Étape 1: Préparer le PDF avec les vraies valeurs ByteRange calculées
@ -184,6 +185,10 @@ endobj
 /Type /Sig
 /Filter /Adobe.PPKLite
 /SubFilter /ETSI.CAdES.detached
 /Name (Odentas Seal)
 /Reason (Certification de contrat de travail)
 /Location (France)
 /ContactInfo (contact@odentas.com)
 `;
  // Ajouter ByteRange - soit placeholder (passe 1) soit valeurs réelles paddées (passe 2)