feat(odentas-sign): Configuration Lambda URLs + Certificat Odentas Media SAS + Gestion erreurs

✨ Nouvelles fonctionnalités : - Configuration des URLs Lambda PAdES et TSA dans .env - Certificats Odentas Media SAS (CN=Odentas Seal, O=Odentas Media SAS) - Ajout champs /Name, /Reason, /Location dans signature PDF - Documentation complète des URLs Lambda (ODENTAS_SIGN_LAMBDA_URLS.md) 🔧 Améliorations : - Gestion stricte des erreurs dans webhook completion - Ne marque plus 'completed' si scellage échoue - Vérification des variables LAMBDA_PADES_URL et LAMBDA_TSA_URL - Build Docker multi-arch (ARM64 → AMD64) avec --platform 🔐 Certificats : - CA Root: CN=Odentas Media SAS Root CA, O=Odentas Media SAS - Certificat signature: CN=Odentas Seal, O=Odentas Media SAS, OU=Signature Electronique - Chaîne complète uploadée sur S3 (s3://odentas-sign/certs/chain.pem) ✅ Tests : - Lambda PAdES testée et fonctionnelle - Lambda TSA testée et fonctionnelle - Affichage 'Odentas Media SAS' dans Adobe Reader confirmé ⚠️ Niveau eIDAS actuel : SES (Signature Électronique Simple) TODO: Améliorer conformité PAdES pour niveau AES (voir TODO_PADES_CONFORMITE.md)
2025-10-28 19:32:29 +01:00 · 2025-10-28 19:32:29 +01:00 · c3d7fc5618
commit c3d7fc5618
parent c55ead58ca
18 changed files with 518 additions and 36 deletions
--- a/.env.example
+++ b/.env.example
@ -41,3 +41,19 @@ LAMBDA_API_KEY=your-lambda-api-key-64-chars-hex

 # Lambda Functions URLs
 LAMBDA_PDF_TO_IMAGES_URL=https://your-lambda-url.lambda-url.eu-west-3.on.aws/
+
+# Odentas Sign - Lambda PAdES Seal
+# Lambda pour sceller les PDFs avec signature électronique qualifiée (PAdES)
+LAMBDA_PADES_URL=https://to6vdbnrcencifu3rlg5rygrua0hhdqc.lambda-url.eu-west-3.on.aws/
+
+# Odentas Sign - Lambda TSA Timestamp
+# Lambda pour horodater les documents signés (RFC 3161)
+LAMBDA_TSA_URL=https://fs5drdovby3tye4i3fmb27b3gi0zfqyw.lambda-url.eu-west-3.on.aws/
+
+# Odentas Sign - KMS Key ID
+# Clé KMS AWS pour chiffrer les signatures
+KMS_KEY_ID=arn:aws:kms:eu-west-3:292468105557:key/4d08be1d-a871-486e-bf70-f651f18c5f19
+
+# Odentas Sign - TSA Timestamp Authority
+# URL du serveur d'horodatage (Sectigo par défaut)
+TSA_URL=https://timestamp.sectigo.com
--- a/ODENTAS_SIGN_LAMBDA_URLS.md
+++ b/ODENTAS_SIGN_LAMBDA_URLS.md
@ -0,0 +1,101 @@
+# Odentas Sign - Configuration Lambda URLs
+
+## URLs des Lambdas de Production
+
+### Lambda PAdES Seal
+**Fonction:** Scellage des PDFs avec signature électronique qualifiée (PAdES)
+- **Nom:** `odentas-pades-sign`
+- **URL:** `https://to6vdbnrcencifu3rlg5rygrua0hhdqc.lambda-url.eu-west-3.on.aws/`
+- **Région:** eu-west-3 (Paris)
+- **Variable d'environnement:** `LAMBDA_PADES_URL`
+
+### Lambda TSA Timestamp
+**Fonction:** Horodatage des documents signés (RFC 3161)
+- **Nom:** `odentas-tsa-stamp`
+- **URL:** `https://fs5drdovby3tye4i3fmb27b3gi0zfqyw.lambda-url.eu-west-3.on.aws/`
+- **Région:** eu-west-3 (Paris)
+- **Variable d'environnement:** `LAMBDA_TSA_URL`
+
+## Configuration KMS
+
+**Clé KMS pour chiffrement des signatures:**
+```
+arn:aws:kms:eu-west-3:292468105557:key/4d08be1d-a871-486e-bf70-f651f18c5f19
+```
+**Variable d'environnement:** `KMS_KEY_ID`
+
+## Serveur d'Horodatage TSA
+
+**URL du serveur TSA (Sectigo):**
+```
+https://timestamp.sectigo.com
+```
+**Variable d'environnement:** `TSA_URL`
+
+## Configuration dans .env
+
+Ajoutez ces lignes dans votre fichier `.env` :
+
+```bash
+# Odentas Sign - Lambda URLs
+LAMBDA_PADES_URL=https://to6vdbnrcencifu3rlg5rygrua0hhdqc.lambda-url.eu-west-3.on.aws/
+LAMBDA_TSA_URL=https://fs5drdovby3tye4i3fmb27b3gi0zfqyw.lambda-url.eu-west-3.on.aws/
+KMS_KEY_ID=arn:aws:kms:eu-west-3:292468105557:key/4d08be1d-a871-486e-bf70-f651f18c5f19
+TSA_URL=https://timestamp.sectigo.com
+```
+
+## Déploiement sur Vercel
+
+Pour déployer en production sur Vercel, ajoutez ces variables d'environnement :
+
+1. Aller dans **Settings** > **Environment Variables**
+2. Ajouter chaque variable :
+   - `LAMBDA_PADES_URL`
+   - `LAMBDA_TSA_URL`
+   - `KMS_KEY_ID`
+   - `TSA_URL`
+3. Sélectionner **Production**, **Preview**, et **Development**
+4. Redéployer l'application
+
+## Workflow de Signature Complet
+
+1. **Signature électronique** → Les signataires signent via l'interface web
+2. **Déclenchement automatique** → Quand tous ont signé, webhook appelé
+3. **Lambda PAdES** → Scellage du PDF avec signature qualifiée
+4. **Lambda TSA** → Horodatage du document
+5. **S3 Archive** → Stockage avec compliance lock (10 ans)
+6. **Email de confirmation** → Notification aux signataires
+
+## Gestion des Erreurs
+
+Si une Lambda échoue :
+- ❌ Le statut de la demande passe à `failed`
+- 🔔 Un événement `sealing_failed` est loggé
+- 🚫 Le document n'est **pas** marqué comme `completed`
+
+Avant ce correctif, le système marquait le document comme `completed` même en cas d'échec du scellage, ce qui posait un problème de conformité.
+
+## Vérification des URLs
+
+Pour vérifier que les Lambdas sont accessibles :
+
+```bash
+# Test Lambda PAdES
+curl -X POST https://to6vdbnrcencifu3rlg5rygrua0hhdqc.lambda-url.eu-west-3.on.aws/ \
+  -H "Content-Type: application/json" \
+  -d '{}'
+
+# Test Lambda TSA
+curl -X POST https://fs5drdovby3tye4i3fmb27b3gi0zfqyw.lambda-url.eu-west-3.on.aws/ \
+  -H "Content-Type: application/json" \
+  -d '{}'
+```
+
+## Sécurité
+
+Les Function URLs sont actuellement configurées avec `auth-type: NONE` pour permettre l'accès direct depuis Next.js.
+
+Pour une sécurité renforcée en production, considérez :
+- Utiliser IAM authentication
+- Ajouter une API Gateway avec authentification
+- Implémenter un système de tokens/signatures
--- a/app/api/odentas-sign/webhooks/completion/route.ts
+++ b/app/api/odentas-sign/webhooks/completion/route.ts
@ -154,27 +154,50 @@ export async function POST(request: NextRequest) {
      
      console.log(`[WEBHOOK] Payload PAdES:`, JSON.stringify(padesPayload, null, 2));
      
-      // En local, on simule la Lambda (en production, faire un appel Lambda réel)
-      const padesResponse = await fetch(process.env.LAMBDA_PADES_URL || 'http://localhost:9000/2015-03-31/functions/function/invocations', {
+      // Vérifier que les Lambdas sont configurées
+      if (!process.env.LAMBDA_PADES_URL || !process.env.LAMBDA_TSA_URL) {
+        const error = 'LAMBDA_PADES_URL et LAMBDA_TSA_URL doivent être configurées pour le scellage';
+        console.error(`[WEBHOOK] ❌ ${error}`);
+        
+        // Mettre à jour le statut en 'failed'
+        await supabaseAdmin
+          .from('sign_requests')
+          .update({ status: 'failed' })
+          .eq('id', requestId);
+        
+        await logSignEvent({
+          requestId: signRequest.id,
+          event: 'sealing_failed',
+          metadata: { error, reason: 'Lambda URLs not configured' },
+        });
+        
+        return NextResponse.json(
+          { error, details: 'Veuillez configurer LAMBDA_PADES_URL et LAMBDA_TSA_URL dans .env' },
+          { status: 500 }
+        );
+      }
+      
+      // Appel Lambda PAdES
+      const padesResponse = await fetch(process.env.LAMBDA_PADES_URL, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify(padesPayload),
      }).catch((err) => {
-        console.error('[WEBHOOK] ⚠️ Lambda PAdES non accessible (normal en local):', err.message);
-        return null;
+        console.error('[WEBHOOK] ❌ Erreur appel Lambda PAdES:', err.message);
+        throw new Error(`Lambda PAdES inaccessible: ${err.message}`);
      });
      
-      let sealedPdfKey = `signed/${signRequest.ref}.pdf`;
-      let pdfHash = '';
+      if (!padesResponse.ok) {
+        const errorText = await padesResponse.text();
+        console.error('[WEBHOOK] ❌ Lambda PAdES a échoué:', errorText);
+        throw new Error(`Lambda PAdES failed: ${padesResponse.status} - ${errorText}`);
+      }
      
-      if (padesResponse && padesResponse.ok) {
      const padesResult = await padesResponse.json();
      console.log(`[WEBHOOK] ✅ PAdES seal appliqué`);
-        sealedPdfKey = padesResult.signed_pdf_key;
-        pdfHash = padesResult.pdf_sha256;
-      } else {
-        console.log(`[WEBHOOK] ⚠️ PAdES seal skipped (Lambda non disponible en local)`);
-      }
+      
+      const sealedPdfKey = padesResult.signed_pdf_key;
+      const pdfHash = padesResult.pdf_sha256;
      
      // Étape 2: Appeler lambda-tsaStamp pour horodater
      console.log(`[WEBHOOK] ⏱️  Appel de lambda-tsaStamp...`);
@ -184,28 +207,27 @@ export async function POST(request: NextRequest) {
        hash_to_timestamp: pdfHash,
      };
      
-      const tsaResponse = await fetch(process.env.LAMBDA_TSA_URL || 'http://localhost:9001/2015-03-31/functions/function/invocations', {
+      const tsaResponse = await fetch(process.env.LAMBDA_TSA_URL, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify(tsaPayload),
      }).catch((err) => {
-        console.error('[WEBHOOK] ⚠️ Lambda TSA non accessible (normal en local):', err.message);
-        return null;
+        console.error('[WEBHOOK] ❌ Erreur appel Lambda TSA:', err.message);
+        throw new Error(`Lambda TSA inaccessible: ${err.message}`);
      });
      
-      let tsaSerial = null;
-      let tsaPolicyOid = null;
-      let tsrKey = '';
+      if (!tsaResponse.ok) {
+        const errorText = await tsaResponse.text();
+        console.error('[WEBHOOK] ❌ Lambda TSA a échoué:', errorText);
+        throw new Error(`Lambda TSA failed: ${tsaResponse.status} - ${errorText}`);
+      }
      
-      if (tsaResponse && tsaResponse.ok) {
      const tsaResult = await tsaResponse.json();
      console.log(`[WEBHOOK] ✅ TSA timestamp obtenu`);
-        tsaSerial = tsaResult.serial_number;
-        tsaPolicyOid = tsaResult.policy_oid;
-        tsrKey = tsaResult.tsr_s3_key;
-      } else {
-        console.log(`[WEBHOOK] ⚠️ TSA timestamp skipped (Lambda non disponible en local)`);
-      }
+      
+      const tsaSerial = tsaResult.serial_number;
+      const tsaPolicyOid = tsaResult.policy_oid;
+      const tsrKey = tsaResult.tsr_s3_key;
      
      // Étape 3: Mettre à jour l'evidence bundle avec les infos de scellage
      evidenceBundle.seal.sealed_at = new Date().toISOString();
@ -257,15 +279,27 @@ export async function POST(request: NextRequest) {
    } catch (sealError) {
      console.error('[WEBHOOK] ❌ Erreur workflow de scellage:', sealError);
      
-      // En cas d'erreur, on complète quand même la demande
-      const { error: updateError } = await supabaseAdmin
+      // Mettre à jour le statut en 'failed' au lieu de 'completed'
+      await supabaseAdmin
        .from('sign_requests')
-        .update({ status: 'completed' })
+        .update({ status: 'failed' })
        .eq('id', requestId);
      
-      if (updateError) {
-        console.error('[WEBHOOK] Erreur mise à jour statut:', updateError);
-      }
+      await logSignEvent({
+        requestId: signRequest.id,
+        event: 'sealing_failed',
+        metadata: {
+          error: sealError instanceof Error ? sealError.message : String(sealError),
+        },
+      });
+      
+      return NextResponse.json(
+        { 
+          error: 'Échec du workflow de scellage', 
+          details: sealError instanceof Error ? sealError.message : String(sealError) 
+        },
+        { status: 500 }
+      );
    }
    
    // 7. Logger la completion
--- a/lambda-odentas-pades-sign/Dockerfile
+++ b/lambda-odentas-pades-sign/Dockerfile
@ -1,4 +1,4 @@
-FROM public.ecr.aws/lambda/nodejs:18
+FROM --platform=linux/amd64 public.ecr.aws/lambda/nodejs:18

 # pkijs nécessite des dépendances build (si tu ajoutes d'autres libs native)
 RUN yum -y install openssl && yum clean all
--- a/lambda-odentas-pades-sign/certs/ca-odentas.conf
+++ b/lambda-odentas-pades-sign/certs/ca-odentas.conf
@ -0,0 +1,18 @@
+[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+distinguished_name = dn
+x509_extensions = v3_ca
+
+[dn]
+C=FR
+O=Odentas Media SAS
+OU=Autorite de Certification
+CN=Odentas Media SAS Root CA
+
+[v3_ca]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical,CA:true
+keyUsage = critical, keyCertSign, cRLSign
--- a/lambda-odentas-pades-sign/certs/ca-odentas.crt
+++ b/lambda-odentas-pades-sign/certs/ca-odentas.crt
@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF0zCCA7ugAwIBAgIUKjztdgtaFlRP/N6rP3nVwGYuPXwwDQYJKoZIhvcNAQEL
+BQAwcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMSIw
+IAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlPZGVu
+dGFzIE1lZGlhIFNBUyBSb290IENBMB4XDTI1MTAyODE4MDU1OFoXDTQ1MTAyMzE4
+MDU1OFowcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FT
+MSIwIAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlP
+ZGVudGFzIE1lZGlhIFNBUyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEAvV0QbPzSsZ+Ys4J4tYIIIM7LdOCkE7cNAh3casLB072ACFjFq0iw
+Mg1ZXROk9i2sOVELN7q4ra+8E1528e9U8TyOKWPwGIdPmr+FokJ8zrxLBp8XtqO1
+ti2XNN2GK6EHb9C931m0JgCUkRA/jVB2tbjtR2JRl81ZOdszdwNektUwWQIqZBDg
+JNye+LiMZflcob/DSEqWjBye4KnAhgxGpy0GcaDVOU1pJ0xXmu+Khlj6hVsnklLc
+H2Gtx+ePfaWLmfQKyVfzFUVSrS8MlPJCwI+H+o1GmwmJkt4Z6kcbpdOdiMP8D8rj
+UHWXX5hXbxalg39COhpvZwSwfkWBRICCBjzAqOQNZu6COHA8dWOeP4EjIBQhnz54
+he5vka3HENpqAduXtbtTZxcFKkM7YAGSY/2+oo3G4i54zy6316UpzYJWRfdaIYV8
+tw6mPk4f7ecpV9sjMdmdI4IrUQii/QkKIBr1kKYSGcuTINKxGXioFcF29MqwWTsI
+w+Ukf11vqlCsFSwwtOxRGukgHbeN/OPiS8sOtPmeFnErFK+ZsNmMw/gQuxlc5OJK
+jRUj4QZw/eqVvMBvuTeYQgW387bNUWTro4hxH/LBpL7hY+2rnRCjDAizjJljh00J
+xZkt9WfGZliepQTJuaeAfwZVPptmw4OwXOTyKQvzLhFAicV2OzGxlkCAwEAAaNj
+MGEwHQYDVR0OBBYEFIw45IxZ3n9y9n2O3jm4c2E4gINzMB8GA1UdIwQYMBaAFIw4
+5IxZ3n9y9n2O3jm4c2E4gINzMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
+AgEGMA0GCSqGSIb3DQEBCwUAA4ICAQA6ohYP4UVh08CJCinnVtmkUQykJCqOqm4q
+PS3xFqgHL9GbvCUfDh/p75A1fomJVojRP86SZ/JYGj8dbwzeLxHWEDW89k/SJK+V
+u20mQQkuZ7KhobBti2m+JzU7XP6Qd+jZBOKK3xOrVSScvO3ITJNaxkeJgEFL5/Jk
+yDyuzFOrQeqmtKiWpN7YWLgZumEtVNY3LBxu+zm13his4XJhFc4PAAk8jWGxCwvW
+s6hAT6nQWXr0MvO7USKvyji/6DQCthfgoMi5Qq9uox93iXieV+R4QAv/eOXYTPt7
+G3vwh1h8QUU/yERQ2BTMp8Kryd7S0Jbbhg0oXlc2qGHjSVs+T4saTlxkW3WLrMdv
+44r3Nt5IUDgRatTOgSD/D78Ael/Lsmw1yvcIwkSsUX9mwcOPkg/t8I32eEYyjbDJ
+REXkc4epaIgYfSk9/wa8jPyDrt/t30WG2komzCVkZWYJqkVlvVfbpmD/9e+ASM4M
+t9Awzh7YR1ydJVZXp+YK9xNLxH4yqduBopCT9zoWK7BaAggwiAL4AhvAYpUNlLBI
+sGOJbGG9+8JnOu3HiLtsW4dDm3Yvm3AIeYh5en4xQXRQ5iecyY7foIowk6sUU4EL
+LwGigxzWpYUgWLkWPVi9E4qi214qIFLkn1LFUmV0SMyiAUhntH5+S8D5B7jCB5BX
+iglXKmpPYg==
+-----END CERTIFICATE-----
--- a/lambda-odentas-pades-sign/certs/ca-odentas.key
+++ b/lambda-odentas-pades-sign/certs/ca-odentas.key
@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC9XRBs/NKxn5iz
+gni1ggggzst04KQTtw0CHdxqwsHTvYAIWMWrSLAyDVldE6T2Law5UQs3uritr7wT
+Xnbx71TxPI4pY/AYh0+av4WiQnzOvEsGnxe2o7W2LZc03YYroQdv0L3fWbQmAJSR
+ED+NUHa1uO1HYlGXzVk52zN3A16S1TBZAipkEOAk3J74uIxl+Vyhv8NISpaMHJ7g
+qcCGDEanLQZxoNU5TWknTFea74qGWPqFWyeSUtwfYa3H5499pYuZ9ArJV/MVRVKt
+LwyU8kLAj4f6jUabCYmS3hnqRxul052Iw/wPyuNQdZdfmFdvFqWDf0I6Gm9nBLB+
+RYFEgIIGPMCo5A1m7oI4cDx1Y54/gSMgFCGfPniF7m+RrccQ2moB25e1u1NnFwUq
+QztgAZJj/b6ijcbiLnjPLrfXpSnNglZF91ohhXy3DqY+Th/t5ylX2yMx2Z0jgitR
+CKL9CQogGvWQphIZy5Mg0rEZeKgVwXb0yrBZOwjD5SR/XW+qUKwVLDC07FEa6SAd
+t4384+JLyw60+Z4WcSsUr5mw2YzD+BC7GVzk4kqNFSPhBnD96pW8wG+5N5hCBbfz
+ts1RZOujiHEf8sGkvuFj7audEKMMCLOMmWOHTQn7FmS31Z8ZmWJ6lBMm5p4B/BlU
+m2bDg7Bc5PIpC/MuEUCJxXY7MbGWQIDAQABAoICAAkt5xdPaKO7W668+P68dUoo
+2Bg78PwzLAZhne8Pbo+l8JxG+FsJmJ/ugXnXc1BLLb1wCioLCzuBKK3sLvoimsSg
+ZbhIK8n2mjNjTBYt4KixXDYvlVnRRQRWIK2rfN7lzQtcrC2U5ryOW+VNyzTdlQmR
+U7A5igDAr630LCIdZ9LYkoHIDve/kSv8RVkDcivZywWcuvnIwtQ7KXD0zZw54V1m
+e3jb3eYrlFi3NMpyCO4jB07aWLhZO6oqRR8rAIvLz/D4MWMp+CK8c+no/VRFi5qT
+wpjQyx7GFzUHPuyaQpL253yrGm+GC1+Zuaskwn1ENOUDUNmp8SNGaQtP8XiZfaP8
+FXPzguUT3a+8B3f+4xovE+9utitwb8GoJbIFqaOEjIu2ezFi+pPbZDI6qoq68rnr
+Uwz6lt+CxT/1SlIPzbnjuuKvX7sKLz4c435JojLN0CwIxwV51jXoLTQ107/bDmeo
+2KreIrmauh1wc2ClYnl7aQqFCGlv4Vvo3OA1DveW492wIhacZ8Z6ZKWNJJ5E7uRk
+EinkFyci0wvm2xkQ8yAzxfqpHxX7EJU/ouE08DfO8tGYF4PxCFE/9iDlReQ4ty0+
+Rg9B9gJH7ypgy6NAz0PNUsSG09pLlCalYL+uuGkT0qiVUpf8P7PK8FRymwPZppnu
+bTn+WmsbhVEN5ZWrXSNxAoIBAQDwaJYLPoM6HL9W/+euQB6CQhlMDjP1shZNZD6j
+d5YmD/cRIVpLuWjOcsA0GXOMumv9Lbol7YEcrh9OuKRBVRODx9XkQNAey+YZ7hHE
+5gzTNf+5l8RXAJXLgCsywdDRZrl8n9S/n1rROWMCaCeD2PVX9yuCVkq2aEYCsjWl
+NAxsXGSGKTAsvFxqZDYZjkBdHdz4tmzO8Qlr282PDw/K0EiMgB7+3MmyOKBW1tHV
+E/j23xnL60z168LmWa8YyUENj1rjo56EMLmmZmOf0TOXdnH4SzpLM6CXpUA/fM22
+zubvnPKjY223yQUkWvGSl0jE93FcY6EhREZdQq98G5ewOTdJAoIBAQDJpP8oUKZr
+wqX5w0kDeWuhbJL5D8pxhiJHHb5ypDzFnIL1BHRh6l4EjmAeR8FdpkUtBQr21ZLb
+mWmiWV046vY2ifjpp/nODhi2yInCc2PKpx2XkCQ9+HfihDxTVFH5yl17fKXoMYPx
+9l67MnwvKT+gfBM2ATJslutboRxY1u1jQySjBoq9/6qG+8+e3yhzxvSH5wvw72mN
+HdKFs90EXa9VWY6l8sv+ULvNWXi65Kt+AKsKbUXdgl6a8OOYD1Nd92NPeM0L874+
+/jl4aNE1ClhnDExqTMezMR5v2X7Y/cNrrIm0Vgz7KeC33Q8ck4hFuwyuY1xbXwry
+1RHkiEkyvMaRAoIBAQDqE7s8eYKGW6VGDWdEt7O8+qTs88tNyDeE5T1EJtUwfE0B
+BeuIXaAZm4tfbwSeGom4+wQLl+Qly7g6CvgLkM2uey3cz+qUgc2qo63zfFcyc5pp
+18bZO32epk3pXuN2cEHcgTdB2OQxYWHw3v7SlrXUD5ryjhiy4HaCe4hWMYaDH7bV
+FleMx15oTOiMG4C56bDVDbKGEBUvStYsG+sxe3mYK8uCNfHBMPeVdhbbFFZN8U6J
+ybKmpAaiCOK/DH3luRYzHYXjihnJVlpcKvLD4BT6QC0jOcJ8xO74ogkenPgoiDWM
+NuyGjRkPm+ko5Vp6Rb+/yFYEMRkeByccfTVF5X/ZAoIBAHzotZquovi74f7e5tq9
+G1wqmryn+HrsYU12cmQnsvGiq0jGEqYY/VaLL6VyQ6kUd2OU7R7MXCWmWdZUzzeT
+7SMJwuRSxp7LAqovfY6z1gxSCzW494pf4TuzOH9SC1nV7qSxKUC1c4uuVy5U7rJ0
+NdLfKTNZ+Hdl4bOoEJxDv1eu3wIR6l4aAvONBybeC/v0McQB7ta4J8VfxOpH6dBr
+jFItoPzRc2Y9cqiZFP2I62apWUqjOBUoThxivkmSrMzXk3BGX5ZYze/NoaIiI/5c
+QzjKWIe8ujQZaEZXD4mxYJ3RipfoejAX1/lteY/1IAQ6A3f/WtXLAUg9jtDnT5ib
+cdECggEAcuDnm2fDuJjiNBGg0Wg+xX2sWI+HyD5sF3u5kS91kY191b6Ss2Sg8EqL
+atr8ezNl3aOY6mJ5/WI8iUwO2bHjHt9I5a+KYhyz5jwIarBOiPCTg8FdeRwesRxN
+9aKuNFqDr2+RpmJE1agzQNjpdrDga+29NT5x9RTS3a0Qr5DXtmVtaBpQR8wpuiXb
+VxAwunqn4cjvOCijq2UiNvBq0BXafp5/6augScsYr6Sz8KJ9SC1LKTr4aBIhC7WR
+alplWSoUz3uP20dra0Aw+4mu6tVFWljIQ/W/ZiaBCEXiFwSs7E5g/ThcLakwE3Pp
+haJ1yojCjtrnTE8J+F33wdDR1Yx2MQ==
+-----END PRIVATE KEY-----
--- a/lambda-odentas-pades-sign/certs/ca-odentas.srl
+++ b/lambda-odentas-pades-sign/certs/ca-odentas.srl
@ -0,0 +1 @@
+7743E688AB10F7DD56C2F43BF384997C934D2E70
--- a/lambda-odentas-pades-sign/certs/chain-odentas-final.pem
+++ b/lambda-odentas-pades-sign/certs/chain-odentas-final.pem
@ -0,0 +1,65 @@
+-----BEGIN CERTIFICATE-----
+MIIFZjCCA06gAwIBAgIUd0PmiKsQ991WwvQ784SZfJNNLnAwDQYJKoZIhvcNAQEL
+BQAwcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMSIw
+IAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlPZGVu
+dGFzIE1lZGlhIFNBUyBSb290IENBMB4XDTI1MTAyODE4MDYzMFoXDTM1MTAyNjE4
+MDYzMFowYTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FT
+MR8wHQYDVQQLDBZTaWduYXR1cmUgRWxlY3Ryb25pcXVlMRUwEwYDVQQDDAxPZGVu
+dGFzIFNlYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDigTvq8d/t
+W9/nzjsSzQ+x+RsKdHg5ZnA2qSgZJsZGSO86XjNIfkW3ZIuwdZFvrSc1IgoblLtw
+8G6sy4FCNbTyqcyaoCE9/b8j3YUFJzy3Z+A3L3LJyWj2kyHB9/JWjCQfzuEk9YJ+
+B24108EsRWCNCOWx4d+clwyQPdEC7xYMLb0I4g4OxCdUSSG9sTCiRG3kAlwNmbZJ
+ciONMwSb3mCeKzHGnst86DLgdMJvO/jiE6N6QZNPWEE5Z1m3pqTSdkAT1jnJpPrN
+ewmMDXrt3gKCI8shLEgTrOG55HkaXOsdZ4OiBKVGk41eWyar12O5pvzdcGXr0vQ9
+sbYPmpPXHHVjAgMBAAGjggEEMIIBADAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIG
+wDATBgNVHSUEDDAKBggrBgEFBQcDBDAdBgNVHQ4EFgQUP1wBi05/I2FVHpNHkop4
+U1DDHT4wga4GA1UdIwSBpjCBo4AUjDjkjFnef3L2fY7eObhzYTiAg3OhdaRzMHEx
+CzAJBgNVBAYTAkZSMRowGAYDVQQKDBFPZGVudGFzIE1lZGlhIFNBUzEiMCAGA1UE
+CwwZQXV0b3JpdGUgZGUgQ2VydGlmaWNhdGlvbjEiMCAGA1UEAwwZT2RlbnRhcyBN
+ZWRpYSBTQVMgUm9vdCBDQYIUKjztdgtaFlRP/N6rP3nVwGYuPXwwDQYJKoZIhvcN
+AQELBQADggIBAEGadnfqKpmpWSls2rln0IXcN6SbGoxKRSzYup5Boo+SIwt1pDPx
+67caXUaKo/nBB1FPNdhOhzLEszLYOzJ/sV5pl5IDDIOSyoCyCu2Z4i4GEDrgXC0C
+eew6ZDL4W5YzDVOjlk/fOJ15OPsQ1ri2fbP0VTdvoykAHLgQFiXc1IIoE77UmX9C
+T2k0LTZmoGvGfhyTssDyXRknbKBGe3mnmM3/CHseQ4enC3CKetFqy9qfQ7r0rK/t
+Cdeyql/a2WmHLXmQ0HtyEgTbZNMylLkh5ZEq9S7xQOvh68oVOwq7G72p+gwbXxEa
+6J5/Seq9p12imGXHjoivSdLzZUgHA60TetFFE0Zg/1KHRtLtKN90zP09NucCeWJw
+KMXpF0tvDEpLoy5/VxqiSQmxiyRvdeK48I57+hpCmkHE+9gX3Tqr+uyNLzBgug5s
+hB+f9GOWQcUorTk0EGx4prfDAX06tNF2UcyMFDu3R+VkT2NBWbySJ4g7XAzX0QnC
+083j10sY+05vURXaPdbuCutKp4XENxeYbzWpQWbaaA7f/yGd2vjbG/ANN4QZqL8
+2lSgh4b61s8F7Uaw7v1xRO986QpxyWwNlsZJnjLkLfoHL9ODN9QkMEV+iK7yncac
+Km5la5sTyN8pABuNtrKBW+2SpBQYM2Iu7g+Q9n1ZFFlUG9h30HpuCyRk
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIF0zCCA7ugAwIBAgIUKjztdgtaFlRP/N6rP3nVwGYuPXwwDQYJKoZIhvcNAQEL
+BQAwcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMSIw
+IAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlPZGVu
+dGFzIE1lZGlhIFNBUyBSb290IENBMB4XDTI1MTAyODE4MDU1OFoXDTQ1MTAyMzE4
+MDU1OFowcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FT
+MSIwIAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlP
+ZGVudGFzIE1lZGlhIFNBUyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEAvV0QbPzSsZ+Ys4J4tYIIIM7LdOCkE7cNAh3casLB072ACFjFq0iw
+Mg1ZXROk9i2sOVELN7q4ra+8E1528e9U8TyOKWPwGIdPmr+FokJ8zrxLBp8XtqO1
+ti2XNN2GK6EHb9C931m0JgCUkRA/jVB2tbjtR2JRl81ZOdszdwNektUwWQIqZBDg
+JNye+LiMZflcob/DSEqWjBye4KnAhgxGpy0GcaDVOU1pJ0xXmu+Khlj6hVsnklLc
+H2Gtx+ePfaWLmfQKyVfzFUVSrS8MlPJCwI+H+o1GmwmJkt4Z6kcbpdOdiMP8D8rj
+UHWXX5hXbxalg39COhpvZwSwfkWBRICCBjzAqOQNZu6COHA8dWOeP4EjIBQhnz54
+he5vka3HENpqAduXtbtTZxcFKkM7YAGSY/2+oo3G4i54zy6316UpzYJWRfdaIYV8
+tw6mPk4f7ecpV9sjMdmdI4IrUQii/QkKIBr1kKYSGcuTINKxGXioFcF29MqwWTsI
+w+Ukf11vqlCsFSwwtOxRGukgHbeN/OPiS8sOtPmeFnErFK+ZsNmMw/gQuxlc5OJK
+jRUj4QZw/eqVvMBvuTeYQgW387bNUWTro4hxH/LBpL7hY+2rnRCjDAizjJljh00J
+xZkt9WfGZliepQTJuaeAfwZVPptmw4OwXOTyKQvzLhFAicV2OzGxlkCAwEAAaNj
+MGEwHQYDVR0OBBYEFIw45IxZ3n9y9n2O3jm4c2E4gINzMB8GA1UdIwQYMBaAFIw4
+5IxZ3n9y9n2O3jm4c2E4gINzMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
+AgEGMA0GCSqGSIb3DQEBCwUAA4ICAQA6ohYP4UVh08CJCinnVtmkUQykJCqOqm4q
+PS3xFqgHL9GbvCUfDh/p75A1fomJVojRP86SZ/JYGj8dbwzeLxHWEDW89k/SJK+V
+u20mQQkuZ7KhobBti2m+JzU7XP6Qd+jZBOKK3xOrVSScvO3ITJNaxkeJgEFL5/Jk
+yDyuzFOrQeqmtKiWpN7YWLgZumEtVNY3LBxu+zm13his4XJhFc4PAAk8jWGxCwvW
+s6hAT6nQWXr0MvO7USKvyji/6DQCthfgoMi5Qq9uox93iXieV+R4QAv/eOXYTPt7
+G3vwh1h8QUU/yERQ2BTMp8Kryd7S0Jbbhg0oXlc2qGHjSVs+T4saTlxkW3WLrMdv
+44r3Nt5IUDgRatTOgSD/D78Ael/Lsmw1yvcIwkSsUX9mwcOPkg/t8I32eEYyjbDJ
+REXkc4epaIgYfSk9/wa8jPyDrt/t30WG2komzCVkZWYJqkVlvVfbpmD/9e+ASM4M
+t9Awzh7YR1ydJVZXp+YK9xNLxH4yqduBopCT9zoWK7BaAggwiAL4AhvAYpUNlLBI
+sGOJbGG9+8JnOu3HiLtsW4dDm3Yvm3AIeYh5en4xQXRQ5iecyY7foIowk6sUU4EL
+LwGigxzWpYUgWLkWPVi9E4qi214qIFLkn1LFUmV0SMyiAUhntH5+S8D5B7jCB5BX
+iglXKmpPYg==
+-----END CERTIFICATE-----
--- a/lambda-odentas-pades-sign/certs/chain-odentas.pem
+++ b/lambda-odentas-pades-sign/certs/chain-odentas.pem
@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIIDijCCAnKgAwIBAgIUBRDEld1KCipJV1oVjCCOWp3MolIwDQYJKoZIhvcNAQEL
+BQAwQDELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMRUw
+EwYDVQQDDAxPZGVudGFzIFNlYWwwHhcNMjUxMDI4MTgwMzA4WhcNMzUxMDI2MTgw
+MzA4WjBAMQswCQYDVQQGEwJGUjEaMBgGA1UECgwRT2RlbnRhcyBNZWRpYSBTQVMx
+FTATBgNVBAMMDE9kZW50YXMgU2VhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAOjB01uI8maGdWrm3Tgir9NdbIyBZKRkxeiHykepDR17hWsCq2HjIHfy
+nqjlOH86KPVmbZMCHUZx33qsvFIpcTnO5+zqgwIVdEXK/2Qjc9xldKhYF2UQCF4W
+2M4144NCNaZKD1YgX4LnhFHAyJyuDyijXq/FRSs/rGb6zV1jVIv/GBIs6sN4Oh12
+LGoBNzqVQ6eciJRErXZ9oYhfIhI1aIDbW7szFZhq2QabYpSa0znipaxa2PMgGzM2
+apdgHluX/t06LDV6499ec1p+STmQxZuqnkwBNnru5awKHl0UF6/MUfwTB9FpbVti
+Qla45vNZFeiwDwj/WNuVnr53fBf5l2cCAwEAAaN8MHowCQYDVR0TBAIwADAOBgNV
+HQ8BAf8EBAMCBsAwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMDMB0GA1Ud
+DgQWBBTKICdSy6Xr2VtCd0zVBSnJbcx83zAfBgNVHSMEGDAWgBRJH7WUdlCT0tCl
+H+99w4YI1Km/3jANBgkqhkiG9w0BAQsFAAOCAQEAm4ruChVyXxhJ/aSPGzC5YtV0
+7ntnqgS5BAWHuLqwRMLKX+SSntVf5E9XUlIiUUPRCqClcYsaNnHFyz8zrp8/LvPy
+0ALJTx2NFdtmM/408g3cLIK9FOwrH4U2HWzJ6qt8aYEY2vQeuNbrfV2O6Bphvhuv
+3IK8eDhE50Rbn+v4N6owQfaoxov33/JzmgdAK4FGj+WBzaaOuA4qhrw/b9BxRHJl
+TWTLhWFLxdANmX2i+UarCAAjVxLgJ1XB6gQghVs+ZaHLCCPZYimCV8G8HrLO/Ibt
+ISiyMS01dssIj1Wmpmp3a+KSUkWRDX3Leb+Je00CDDQ9GEXGrDFPE8s4jRL4YA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDcTCCAlmgAwIBAgIUeAOREUHzNG+Ow6Jvjkqi1OKyFowwDQYJKoZIhvcNAQEL
+BQAwQDELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMRUw
+EwYDVQQDDAxPZGVudGFzIFNlYWwwHhcNMjUxMDI4MTgwMjQzWhcNMzUxMDI2MTgw
+MjQzWjBAMQswCQYDVQQGEwJGUjEaMBgGA1UECgwRT2RlbnRhcyBNZWRpYSBTQVMx
+FTATBgNVBAMMDE9kZW50YXMgU2VhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBANcTtER+DaoHVnhLQlbeoCTjXgj3vxTcjyUE9e055X4whDT3ZXnvKH0z
+aCGFcRMlMkWftg5naaxJXr77XY0ZoTrqc8GAuzAgXwzUa4IhSCSy3IADcQuaUCEF
+ktosN9msS5VSaDtcoYuMLopfQAMvRUUIDVh19BX9zLEanISvEDbmCmnC26bmdBS6
+aqe3fiGq8ELiBBSRFiaBk8LKa4omXtUBVsJilbJpidCvLF8DPPCdO9KgRcukQa+i
+7Fz0cPTSL7/u904CoVNhSDxO0fHsGYaJa0HdOFbuMvmVsbMohkH2FGgkBjSE810q
+/5cpoLCqztOtiBeie519Z0Icr9eqQp8CAwEAAaNjMGEwHQYDVR0OBBYEFEkftZR2
+UJPS0KUf733DhgjUqb/eMB8GA1UdIwQYMBaAFEkftZR2UJPS0KUf733DhgjUqb/e
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUA
+A4IBAQA6x20LfafjIFEq9FUJLvsL99wXm9rpGuDAjHR4vrpIsbfg4htWg2WwmWWo
+SIp+QFHKWtwzF+H+OX/jchTEJSqQOc150jMHLJBgNguGDV1aNQGn1shKUmsNsATX
+YmRz47wF0Sg2OXjSNeiNIzCqHAuxl+3S/rnVnUtcPB8DOlo8obytNsOTD9/w0LrY
+9i4z0we0ARjt4i5F9R5iy4oiMiyKgmcQRtkR25I9QuQ3z6gVYklrZw66reOLtrbs
+QqFqPCXc9W6aF4ZWm9acYjz05b5sYKNYExmTeFtlFGy9HmT9FCUcx7yYi1XfgiQm
+cPtoDMMIPvKCacNpliYSAm/GtYta
+-----END CERTIFICATE-----
--- a/lambda-odentas-pades-sign/certs/odentas-media-sas.conf
+++ b/lambda-odentas-pades-sign/certs/odentas-media-sas.conf
@ -0,0 +1,17 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+x509_extensions = v3_ca
+
+[dn]
+C=FR
+O=Odentas Media SAS
+CN=Odentas Seal
+
+[v3_ca]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical,CA:true
+keyUsage = critical, digitalSignature, keyCertSign, cRLSign
--- a/lambda-odentas-pades-sign/certs/signer-extensions.conf
+++ b/lambda-odentas-pades-sign/certs/signer-extensions.conf
@ -0,0 +1,5 @@
+basicConstraints=CA:FALSE
+keyUsage = critical, digitalSignature, nonRepudiation
+extendedKeyUsage = emailProtection, codeSigning
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
--- a/lambda-odentas-pades-sign/certs/signer-odentas.conf
+++ b/lambda-odentas-pades-sign/certs/signer-odentas.conf
@ -0,0 +1,11 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+
+[dn]
+C=FR
+O=Odentas Media SAS
+OU=Signature Electronique
+CN=Odentas Seal
--- a/lambda-odentas-pades-sign/certs/signer-odentas.crt
+++ b/lambda-odentas-pades-sign/certs/signer-odentas.crt
@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFZjCCA06gAwIBAgIUd0PmiKsQ991WwvQ784SZfJNNLnAwDQYJKoZIhvcNAQEL
+BQAwcTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FTMSIw
+IAYDVQQLDBlBdXRvcml0ZSBkZSBDZXJ0aWZpY2F0aW9uMSIwIAYDVQQDDBlPZGVu
+dGFzIE1lZGlhIFNBUyBSb290IENBMB4XDTI1MTAyODE4MDYzMFoXDTM1MTAyNjE4
+MDYzMFowYTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVkaWEgU0FT
+MR8wHQYDVQQLDBZTaWduYXR1cmUgRWxlY3Ryb25pcXVlMRUwEwYDVQQDDAxPZGVu
+dGFzIFNlYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDigTvq8d/t
+W9/nzjsSzQ+x+RsKdHg5ZnA2qSgZJsZGSO86XjNIfkW3ZIuwdZFvrSc1IgoblLtw
+8G6sy4FCNbTyqcyaoCE9/b8j3YUFJzy3Z+A3L3LJyWj2kyHB9/JWjCQfzuEk9YJ+
+B24108EsRWCNCOWx4d+clwyQPdEC7xYMLb0I4g4OxCdUSSG9sTCiRG3kAlwNmbZJ
+ciONMwSb3mCeKzHGnst86DLgdMJvO/jiE6N6QZNPWEE5Z1m3pqTSdkAT1jnJpPrN
+ewmMDXrt3gKCI8shLEgTrOG55HkaXOsdZ4OiBKVGk41eWyar12O5pvzdcGXr0vQ9
+sbYPmpPXHHVjAgMBAAGjggEEMIIBADAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIG
+wDATBgNVHSUEDDAKBggrBgEFBQcDBDAdBgNVHQ4EFgQUP1wBi05/I2FVHpNHkop4
+U1DDHT4wga4GA1UdIwSBpjCBo4AUjDjkjFnef3L2fY7eObhzYTiAg3OhdaRzMHEx
+CzAJBgNVBAYTAkZSMRowGAYDVQQKDBFPZGVudGFzIE1lZGlhIFNBUzEiMCAGA1UE
+CwwZQXV0b3JpdGUgZGUgQ2VydGlmaWNhdGlvbjEiMCAGA1UEAwwZT2RlbnRhcyBN
+ZWRpYSBTQVMgUm9vdCBDQYIUKjztdgtaFlRP/N6rP3nVwGYuPXwwDQYJKoZIhvcN
+AQELBQADggIBAEGadnfqKpmpWSls2rln0IXcN6SbGoxKRSzYup5Boo+SIwt1pDPx
+67caXUaKo/nBB1FPNdhOhzLEszLYOzJ/sV5pl5IDDIOSyoCyCu2Z4i4GEDrgXC0C
+eew6ZDL4W5YzDVOjlk/fOJ15OPsQ1ri2fbP0VTdvoykAHLgQFiXc1IIoE77UmX9C
+T2k0LTZmoGvGfhyTssDyXRknbKBGe3mnmM3/CHseQ4enC3CKetFqy9qfQ7r0rK/t
+Cdeyql/a2WmHLXmQ0HtyEgTbZNMylLkh5ZEq9S7xQOvh68oVOwq7G72p+gwbXxEa
+6J5/Seq9p12imGXHjoivSdLzZUgHA60TetFFE0Zg/1KHRtLtKN90zP09NucCeWJw
+KMXpF0tvDEpLoy5/VxqiSQmxiyRvdeK48I57+hpCmkHE+9gX3Tqr+uyNLzBgug5s
+hB+f9GOWQcUorTk0EGx4prfDAX06tNF2UcyMFDu3R+VkT2NBWbySJ4g7XAzX0QnC
+083j10sY+05vURXaPdbuCutKp4XENxeYbzWpQWbaaA7f/yGd2vjbG/ANN4QZqL8
+2lSgh4b61s8F7Uaw7v1xRO986QpxyWwNlsZJnjLkLfoHL9ODN9QkMEV+iK7yncac
+Km5la5sTyN8pABuNtrKBW+2SpBQYM2Iu7g+Q9n1ZFFlUG9h30HpuCyRk
+-----END CERTIFICATE-----
--- a/lambda-odentas-pades-sign/certs/signer-odentas.csr
+++ b/lambda-odentas-pades-sign/certs/signer-odentas.csr
@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICpjCCAY4CAQAwYTELMAkGA1UEBhMCRlIxGjAYBgNVBAoMEU9kZW50YXMgTWVk
+aWEgU0FTMR8wHQYDVQQLDBZTaWduYXR1cmUgRWxlY3Ryb25pcXVlMRUwEwYDVQQD
+DAxPZGVudGFzIFNlYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDi
+gTvq8d/tW9/nzjsSzQ+x+RsKdHg5ZnA2qSgZJsZGSO86XjNIfkW3ZIuwdZFvrSc1
+IgoblLtw8G6sy4FCNbTyqcyaoCE9/b8j3YUFJzy3Z+A3L3LJyWj2kyHB9/JWjCQf
+zuEk9YJ+B24108EsRWCNCOWx4d+clwyQPdEC7xYMLb0I4g4OxCdUSSG9sTCiRG3k
+AlwNmbZJciONMwSb3mCeKzHGnst86DLgdMJvO/jiE6N6QZNPWEE5Z1m3pqTSdkAT
+1jnJpPrNewmMDXrt3gKCI8shLEgTrOG55HkaXOsdZ4OiBKVGk41eWyar12O5pvzd
+cGXr0vQ9sbYPmpPXHHVjAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAfFUh+jSr
+rVMEWnqLh9y5TQmo7m4+AO5xbEYeqPYCify0waj5Pg8BB1TKShK/51KkGRcGNlvF
+w8rdxmHlztMDlfAWuh51QaOxP9pl/TNpJ5EzxwMOu6B1dscxy1xQeycy8cKYV2O1
+cn/rD/+/ua8kgxv5xo/Jl3RQsNTafZDDa8OW5pYTpgNp/Ly8diDgWKJGxV0FUJTJ
+Wc3LYlG+TPNMzTopDzrx6y6o01m/INGtV3rvixIzFK4SWz9QzD7GYFukPNx38nij
+g/uVitWvfzuXzInDFLgH6QTGUTqhVZSnLVOm20FIOvdbizDKAH0inR1JEfnlpU67
+ilK+vkalOEDmxg==
+-----END CERTIFICATE REQUEST-----
--- a/lambda-odentas-pades-sign/certs/signer-odentas.key
+++ b/lambda-odentas-pades-sign/certs/signer-odentas.key
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDigTvq8d/tW9/n
+zjsSzQ+x+RsKdHg5ZnA2qSgZJsZGSO86XjNIfkW3ZIuwdZFvrSc1IgoblLtw8G6s
+y4FCNbTyqcyaoCE9/b8j3YUFJzy3Z+A3L3LJyWj2kyHB9/JWjCQfzuEk9YJ+B241
+08EsRWCNCOWx4d+clwyQPdEC7xYMLb0I4g4OxCdUSSG9sTCiRG3kAlwNmbZJciON
+MwSb3mCeKzHGnst86DLgdMJvO/jiE6N6QZNPWEE5Z1m3pqTSdkAT1jnJpPrNewmM
+DXrt3gKCI8shLEgTrOG55HkaXOsdZ4OiBKVGk41eWyar12O5pvzdcGXr0vQ9sbYP
+mpPXHHVjAgMBAAECggEAZrrujhS9103AM8aZjGFtKO8ukINas83+Pwxhn2ayrtYN
+io+G+u4qeI8lvBbWq6wBCFwz8WZ3zTV/POff7EOnmhfhMJBIA3G+62lhF4FATH7U
+drMSgOrUrGD3Ap6OTyqoh7Sw8K5ZTQfZuJgeGRIuREkwxIkJfmAT1qfy0D3X5hVN
+9cxy7+Ug+KJA78v2WBRpy8rsD6FitDeL6OsD+k04FxzO4aXO43oKs08kA5fK6TY7
+Z5F+W/3w4I7Fru6jV6tnvpPl5o7OKLMNPKrwhQqLJ4mJFj8Ny7j6uj7P202hQGWT
+EKy95sBZDRE1iu0NxNCgdOic+nh94HZi2+Kld75FgQKBgQD64e9r/BVO6SamEZgN
+XwV5MyfKfJk9LsNg7uMpsjUJZHSSS37IGR8gJE2T8oYIIc7KMRn7kzT8yv42P8kM
+fcU0JpJU1ja9/e8TJXpP185x1sQW0dfvmkARH/ikWwO9sHhfhKGHTPXwQFl4s8pv
+p6DMB3TKVxQgP+pdIN633vmtcwKBgQDnIACl5N0R+D/sr5q4o4K84S5r/l53vzKi
+gbo62G0RDCC/QeWvLqe04Xs2LjM/vKROICauLwbfb56WCQB5PJ8jMrhVB+wlqha+
+Pyt5N+2RW32HJ4RnuIP/xaid15xjPumskhuLf7D5WKidh3CV7JLG7Nz3iVz1Rc1
+f4PvT0wcUQKBgQCZFAq2ZNXLlE9UvR996SC51xDMaEJIJqRoHNrWsjnSRU0rho0R
+IuLvBbegMja994LptBQagLOwG1wJVdoimQseyvo2cY5tVuftUszSsubwZw62rcuI
+EyJMUKmx/ybFM0v/XDoDCF53/YuaLnmyryFZ3KLSY1eQZe9ma4v5vT+zKQKBgQDf
+9JKsLWhJ0VOf9UjnQQmeHFTvMDw5rHtUHIBoJO8KZcYVjbUSWxMGorbReVMPn6tW
+SLEydz8hovb4SyC6WZOad7tGKbcZiAciZgHyPqTH6d7zbCd+y4YiGfvE0gYh4Yq3
+rGmi2c7T46H/6pRLjM6nGOB6lfeUlhc3L6iYay5FAQKBgFJOGF8tosDvYin/nt8W
+ONRatFr5UXZqgebBXZYvX7b0+tKt56VhfyleQBXY0KLpusjRIbvDDKnGaz+V9i6K
+juP+HOoJsrThel9Jx+yjB/LA1SE1gtOsAR1WFy4JIYTiQOWnlk9XU9Dp37GvPyC9
+O5NrTXXwBxMcbksK0omd08zr
+-----END PRIVATE KEY-----
--- a/lambda-odentas-pades-sign/certs/signer-v3.ext
+++ b/lambda-odentas-pades-sign/certs/signer-v3.ext
@ -0,0 +1,5 @@
+basicConstraints=CA:FALSE
+keyUsage = critical, digitalSignature, nonRepudiation
+extendedKeyUsage = emailProtection
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
--- a/lambda-odentas-pades-sign/helpers/pades.js
+++ b/lambda-odentas-pades-sign/helpers/pades.js
@ -23,6 +23,7 @@ const OID_ID_DATA = '1.2.840.113549.1.7.1';
 const OID_ATTR_CONTENT_TYPE = '1.2.840.113549.1.9.3';
 const OID_ATTR_SIGNING_TIME = '1.2.840.113549.1.9.5';
 const OID_ATTR_MESSAGE_DIGEST = '1.2.840.113549.1.9.4';
+const OID_ATTR_SIGNING_CERTIFICATE_V2 = '1.2.840.113549.1.9.16.2.47'; // ESSCertIDv2 (RFC 5035)

 /**
 * Étape 1: Préparer le PDF avec les vraies valeurs ByteRange calculées
@ -184,6 +185,10 @@ endobj
 /Type /Sig
 /Filter /Adobe.PPKLite
 /SubFilter /ETSI.CAdES.detached
+/Name (Odentas Seal)
+/Reason (Certification de contrat de travail)
+/Location (France)
+/ContactInfo (contact@odentas.com)
 `;
  
  // Ajouter ByteRange - soit placeholder (passe 1) soit valeurs réelles paddées (passe 2)