#!/bin/bash -xv
# Modified from From https://wiki.lyx.org/FAQ/PDF#digitalsignpdf
# Sign PDF file.
# signpdf <inpdf>
#  OR
# signpdf <inpdf> <outpdf>

# Personalize:
JSIGNPDF=PATHTOJSIGNPDF/jsignpdf-1.6.3/JSignPdf.jar
CERT=<PATHTOKEYFILE>/<KEYFILE>.pfx
PASS=<PASSWORDFORKEY>
LOCATION="<CITY>"
#SIGNTEXT='--l2-text "Signée numériquement par (${signer} le ${timestamp} à ${location}, ${reason}, ${contact})'
#SIGNTEXT2='--l4-text (${signer}, ${timestamp}, ${location}, ${reason}, ${contact})'

INFILE="$1"
OUTFILE="$2"

# In case directory was renamed, find other potential file.
if [[ ! -x "${INFILE}" ]] ; then
  FILEDIR=$(dirname "$INFILE")
  FILEDIR=$(dirname "$FILEDIR")
  FILENAME=$(basename "$INFILE")
  INFILE=$(realpath $(echo "${FILEDIR}/*/${FILENAME}"))
  echo Changed to "$INFILE"
fi

if [[ ${INFILE: -4} != '.pdf' ]] ; then
  echo Not a PDF $INFILE
  exit
fi


JSP="java -Duser.language=fr -jar $JSIGNPDF "
LOCATION="-l '${LOCATION}'"
# set TS=-ts https://freetsa.org/tsr  -ta NONE -tsh SHA512
TS="-ts http://timestamp.comodoca.com/rfc3161 -ta NONE -tsh SHA512"
OCSP=" --ocsp"
V=" -llx 5 -lly 0 -urx 500 -ury 30 -V -fs 8"
CL=" -cl CERTIFIED_NO_CHANGES_ALLOWED"
# CL=" -cl CERTIFIED_FORM_FILLING_AND_ANNOTATIONS"


TMPFILE=$(basename "${INFILE%.pdf}_signed.pdf")
if [[ "$OUTFILE" == "" ]] ; then
  # If target PDF is empty, backup source PDF
  OUTFILE="$INFILE"
  ORGFILE="${INFILE%.pdf}_unsigned.pdf"
fi

WORKDIR=/tmp
TMPFILE="${WORKDIR}/${TMPFILE}"
$JSP -d $WORKDIR -kst PKCS12 -ksf $CERT -ksp $PASS -ha SHA512 $TS $OCSP $V $CL $SIGNTEXT $SIGTEXT2  $INFILE 

mv "$INFILE" "$ORGFILE"
mv "$TMPFILE" "$OUTFILE"