npm - @mkabatek/pptx-viewer - Versions diffs - 1.5.3 → 1.5.5 - Mend

@mkabatek/pptx-viewer 1.5.3 → 1.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (44) hide show

package/node_modules/pptx-viewer-core/dist/signature-node/index.mjs DELETED Viewed

@@ -1,1143 +0,0 @@
-import { DOMParser, XMLSerializer } from '@xmldom/xmldom';
-import { SignedXml } from 'xml-crypto';
-import crypto from 'crypto';
-import path from 'path';
-import tls from 'tls';
-import forge from 'node-forge';
-import http from 'http';
-import https from 'https';
-import fs from 'fs/promises';
-import JSZip from 'jszip';
-// src/core/utils/signature-constants.ts
-var DIGITAL_SIGNATURE_ORIGIN_REL_TYPE = "http://schemas.openxmlformats.org/package/2006/relationships/digital-signature/origin";
-var DIGITAL_SIGNATURE_REL_TYPE = "http://schemas.openxmlformats.org/package/2006/relationships/digital-signature/signature";
-var PPTX_VIEWER_MANIFEST_NS = "urn:pptx-viewer:ooxml-signature:v1";
-var XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
-var OPC_RELATIONSHIP_TRANSFORM = "http://schemas.openxmlformats.org/package/2006/RelationshipTransform";
-var XML_TRANSFORM_ENVELOPED_SIGNATURE = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
-var SUPPORTED_XML_CANON_TRANSFORMS = /* @__PURE__ */ new Set([
-  "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
-  "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
-  "http://www.w3.org/2001/10/xml-exc-c14n#",
-  "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
-  XML_TRANSFORM_ENVELOPED_SIGNATURE
-]);
-var ENTERPRISE_TRUST_ROOTS_FILE_ENV = "PPTX_VIEWER_TRUST_ROOTS_FILE";
-var ENTERPRISE_TRUST_ROOTS_PEM_ENV = "PPTX_VIEWER_TRUST_ROOTS_PEM";
-var ENTERPRISE_REQUIRE_REVOCATION_ENV = "PPTX_VIEWER_REQUIRE_REVOCATION_CHECK";
-var ENTERPRISE_FAIL_ON_REVOCATION_UNKNOWN_ENV = "PPTX_VIEWER_FAIL_ON_REVOCATION_UNKNOWN";
-var ENTERPRISE_REQUIRE_TIMESTAMP_ENV = "PPTX_VIEWER_REQUIRE_TIMESTAMP";
-var DIGEST_ALGORITHM_TO_HASH = {
-  "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
-  "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
-  "http://www.w3.org/2001/04/xmlenc#sha384": "sha384",
-  "http://www.w3.org/2001/04/xmlenc#sha512": "sha512"
-};
-var DIGEST_ALGORITHM_TO_WEB_CRYPTO = {
-  "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
-  "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
-  "http://www.w3.org/2001/04/xmlenc#sha384": "SHA-384",
-  "http://www.w3.org/2001/04/xmlenc#sha512": "SHA-512"
-};
-// src/core/utils/signature-xml-utils.ts
-function escapeXmlAttr(value) {
-  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
-}
-function escapeXmlText(value) {
-  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
-}
-function isValidBase64(value) {
-  return typeof value === "string" && value.length > 0 && /^[A-Za-z0-9+/=\s]+$/.test(value);
-}
-function extractTagAttribute(xml, tagName, attributeName) {
-  const pattern = new RegExp(
-    `<${tagName}\\b[^>]*\\b${attributeName}="(?<attributeValue>[^"]+)"`,
-    "i"
-  );
-  const match = xml.match(pattern);
-  return match?.groups?.["attributeValue"]?.trim();
-}
-function extractFirstTagText(xml, localName) {
-  const pattern = new RegExp(
-    `<([\\w.-]+:)?${localName}\\b[^>]*>([\\s\\S]*?)<\\/([\\w.-]+:)?${localName}>`,
-    "i"
-  );
-  const match = xml.match(pattern);
-  return match?.[2]?.replace(/\s+/g, "").trim() || void 0;
-}
-function extractAllTagText(xml, localName) {
-  const result = [];
-  const regex = new RegExp(
-    `<([\\w.-]+:)?${localName}\\b[^>]*>([\\s\\S]*?)<\\/([\\w.-]+:)?${localName}>`,
-    "gi"
-  );
-  let match = regex.exec(xml);
-  while (match) {
-    const value = match[2]?.replace(/\s+/g, "").trim();
-    if (value) {
-      result.push(value);
-    }
-    match = regex.exec(xml);
-  }
-  return result;
-}
-// src/core/utils/signature-reference-utils.ts
-function normalizePartPath(partPath) {
-  return partPath.replace(/\\/g, "/").replace(/^\/+/, "");
-}
-function resolveReferenceUriToPart(uri) {
-  const trimmed = uri.trim();
-  if (trimmed.length === 0 || trimmed.startsWith("#")) {
-    return void 0;
-  }
-  const decoded = decodeURIComponent(trimmed);
-  return normalizePartPath(decoded.startsWith("/") ? decoded.slice(1) : decoded);
-}
-// src/core/utils/signature-digest.ts
-async function computeDigestBase64(content, digestAlgorithmUri) {
-  const webCryptoAlgo = DIGEST_ALGORITHM_TO_WEB_CRYPTO[digestAlgorithmUri];
-  if (!webCryptoAlgo) {
-    return void 0;
-  }
-  if (typeof globalThis.crypto?.subtle === "undefined") {
-    return void 0;
-  }
-  const buf = new ArrayBuffer(content.byteLength);
-  new Uint8Array(buf).set(content);
-  const digest = await globalThis.crypto.subtle.digest(webCryptoAlgo, buf);
-  return uint8ArrayToBase64(new Uint8Array(digest));
-}
-function uint8ArrayToBase64(bytes) {
-  let binary = "";
-  for (let i = 0; i < bytes.byteLength; i++) {
-    binary += String.fromCharCode(bytes[i]);
-  }
-  return btoa(binary);
-}
-// src/core/utils/signature-inspection-status.ts
-function computeDetailStatus(detail, policy) {
-  const hasDigestMismatch = detail.referenceChecks.some(
-    (check) => check.digestStatus === "mismatch"
-  );
-  const hasMissingPart = detail.missingPartReferences.length > 0;
-  const hasVerifiedDigest = detail.referenceChecks.some(
-    (check) => check.digestStatus === "verified"
-  );
-  const revocationUnknown = detail.certificateRevocationStatus === "unknown" || detail.certificateRevocationStatus === "not-checked" || detail.certificateRevocationStatus === "error";
-  const timestampMissingOrUntrusted = detail.timestampAuthorityStatus === "not-present" || detail.timestampAuthorityStatus === "not-checked" || detail.timestampAuthorityStatus === "error" || detail.timestampAuthorityStatus === "untrusted";
-  if (detail.signatureValueStatus === "invalid") {
-    return "signature-invalid";
-  }
-  if (hasMissingPart) {
-    return "reference-missing";
-  }
-  if (hasDigestMismatch) {
-    return "digest-mismatch";
-  }
-  if (detail.certificateRevocationStatus === "revoked") {
-    return "certificate-revoked";
-  }
-  if (policy.requireRevocationCheck && (policy.failOnRevocationUnknown ? revocationUnknown : detail.certificateRevocationStatus !== "good")) {
-    return "certificate-untrusted";
-  }
-  if (detail.timestampAuthorityStatus === "invalid") {
-    return "timestamp-invalid";
-  }
-  if (policy.requireTimestamp && timestampMissingOrUntrusted) {
-    return "timestamp-untrusted";
-  }
-  if (detail.timestampAuthorityStatus === "untrusted") {
-    return "timestamp-untrusted";
-  }
-  if (detail.certificateTrustStatus === "untrusted" && detail.signatureValueStatus === "verified") {
-    return "certificate-untrusted";
-  }
-  if (hasVerifiedDigest && detail.signatureValueStatus === "verified") {
-    return "verified";
-  }
-  return "structural-only";
-}
-function computeVerificationStatus(details) {
-  const hasInvalidSignature = details.some((detail) => detail.status === "signature-invalid");
-  const hasMissing = details.some((detail) => detail.status === "reference-missing");
-  const hasMismatch = details.some((detail) => detail.status === "digest-mismatch");
-  const hasUntrusted = details.some((detail) => detail.status === "certificate-untrusted");
-  const hasRevoked = details.some((detail) => detail.status === "certificate-revoked");
-  const hasTimestampInvalid = details.some((detail) => detail.status === "timestamp-invalid");
-  const hasTimestampUntrusted = details.some((detail) => detail.status === "timestamp-untrusted");
-  const allVerified = details.every((detail) => detail.status === "verified");
-  return hasInvalidSignature ? "signature-invalid" : hasRevoked ? "certificate-revoked" : hasTimestampInvalid ? "timestamp-invalid" : hasTimestampUntrusted ? "timestamp-untrusted" : hasMissing ? "reference-missing" : hasMismatch ? "digest-mismatch" : allVerified ? "verified-trusted" : hasUntrusted ? "verified-untrusted" : "present-not-verified";
-}
-function getNodeLocalName(node) {
-  const localNameNode = node;
-  if (localNameNode.localName) {
-    return localNameNode.localName;
-  }
-  const nodeName = node.nodeName || "";
-  const sep = nodeName.indexOf(":");
-  return sep >= 0 ? nodeName.slice(sep + 1) : nodeName;
-}
-function getFirstDescendantElementByLocalName(parent, localName) {
-  const elements = parent.getElementsByTagName("*");
-  for (let index = 0; index < elements.length; index += 1) {
-    const element = elements.item(index);
-    if (!element) {
-      continue;
-    }
-    if (getNodeLocalName(element) === localName) {
-      return element;
-    }
-  }
-  return void 0;
-}
-function canonicalizeNode(node, algorithm) {
-  const canonicalizer = new SignedXml();
-  return canonicalizer.getCanonXml([algorithm], node);
-}
-function canonicalizeSignedInfoXml(signedInfoXml) {
-  const parser = new DOMParser();
-  const signedInfoDoc = parser.parseFromString(signedInfoXml, "text/xml");
-  if (!signedInfoDoc.documentElement) {
-    throw new Error("Unable to canonicalize SignedInfo: invalid XML.");
-  }
-  return canonicalizeNode(signedInfoDoc.documentElement, "http://www.w3.org/2001/10/xml-exc-c14n#");
-}
-function certPemFromBase64(certBase64) {
-  try {
-    const der = Buffer.from(certBase64, "base64");
-    if (der.length === 0) {
-      return void 0;
-    }
-    const b64 = der.toString("base64");
-    const lines = b64.match(/.{1,64}/g);
-    if (!lines) {
-      return void 0;
-    }
-    return `-----BEGIN CERTIFICATE-----
-${lines.join("\n")}
------END CERTIFICATE-----`;
-  } catch {
-    return void 0;
-  }
-}
-function certFingerprintSha256(certPem) {
-  try {
-    const cert = new crypto.X509Certificate(certPem);
-    return cert.fingerprint256.replace(/:/g, "").toLowerCase();
-  } catch {
-    return void 0;
-  }
-}
-function asn1Child(node, index) {
-  return Array.isArray(node.value) ? node.value[index] : void 0;
-}
-function asn1Bytes(node) {
-  return typeof node.value === "string" ? node.value : "";
-}
-function extractOcspUrls(certPem) {
-  try {
-    const cert = new crypto.X509Certificate(certPem);
-    const infoAccess = cert.infoAccess;
-    if (!infoAccess) {
-      return [];
-    }
-    const urls = [];
-    for (const line of infoAccess.split("\n")) {
-      const match = /OCSP\s*-\s*URI:(https?:\/\/\S+)/i.exec(line.trim());
-      if (match?.[1]) {
-        urls.push(match[1]);
-      }
-    }
-    return urls;
-  } catch {
-    return [];
-  }
-}
-var HTTP_TIMEOUT_MS = 1e4;
-function httpPost(url, body, contentType) {
-  return new Promise((resolve, reject) => {
-    let parsed;
-    try {
-      parsed = new URL(url);
-    } catch {
-      reject(new Error("Invalid URL"));
-      return;
-    }
-    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-      reject(new Error("Unsupported protocol"));
-      return;
-    }
-    const transport = parsed.protocol === "https:" ? https : http;
-    const req = transport.request(
-      {
-        hostname: parsed.hostname,
-        port: parsed.port || void 0,
-        path: parsed.pathname + parsed.search,
-        method: "POST",
-        headers: {
-          "Content-Type": contentType,
-          "Content-Length": body.length
-        },
-        timeout: HTTP_TIMEOUT_MS
-      },
-      (res) => {
-        const chunks = [];
-        res.on("data", (chunk) => chunks.push(chunk));
-        res.on("end", () => resolve(Buffer.concat(chunks)));
-        res.on("error", reject);
-      }
-    );
-    req.on("error", reject);
-    req.on("timeout", () => {
-      req.destroy();
-      reject(new Error("Timeout"));
-    });
-    req.write(body);
-    req.end();
-  });
-}
-var SHA1_OID = "1.3.14.3.2.26";
-function buildOcspRequestDer(leafPem, issuerPem) {
-  try {
-    const leaf = forge.pki.certificateFromPem(leafPem);
-    const issuer = forge.pki.certificateFromPem(issuerPem);
-    const issuerNameDer = forge.asn1.toDer(forge.pki.distinguishedNameToAsn1(issuer.subject)).getBytes();
-    const issuerNameHash = forge.md.sha1.create().update(issuerNameDer).digest().getBytes();
-    const pubKeyDer = forge.asn1.toDer(forge.pki.publicKeyToAsn1(issuer.publicKey)).getBytes();
-    const pubKeyAsn1 = forge.asn1.fromDer(pubKeyDer);
-    const bitString = asn1Child(pubKeyAsn1, 1);
-    const rawKey = bitString ? asn1Bytes(bitString).substring(1) : "";
-    const issuerKeyHash = forge.md.sha1.create().update(rawKey).digest().getBytes();
-    const serialBytes = forge.util.hexToBytes(leaf.serialNumber);
-    const request = forge.asn1.create(forge.asn1.Class.UNIVERSAL, forge.asn1.Type.SEQUENCE, true, [
-      forge.asn1.create(forge.asn1.Class.UNIVERSAL, forge.asn1.Type.SEQUENCE, true, [
-        forge.asn1.create(forge.asn1.Class.UNIVERSAL, forge.asn1.Type.SEQUENCE, true, [
-          forge.asn1.create(forge.asn1.Class.UNIVERSAL, forge.asn1.Type.SEQUENCE, true, [
-            forge.asn1.create(forge.asn1.Class.UNIVERSAL, forge.asn1.Type.SEQUENCE, true, [
-              forge.asn1.create(forge.asn1.Class.UNIVERSAL, forge.asn1.Type.SEQUENCE, true, [
-                forge.asn1.create(
-                  forge.asn1.Class.UNIVERSAL,
-                  forge.asn1.Type.OID,
-                  false,
-                  forge.asn1.oidToDer(SHA1_OID).getBytes()
-                ),
-                forge.asn1.create(forge.asn1.Class.UNIVERSAL, forge.asn1.Type.NULL, false, "")
-              ]),
-              forge.asn1.create(
-                forge.asn1.Class.UNIVERSAL,
-                forge.asn1.Type.OCTETSTRING,
-                false,
-                issuerNameHash
-              ),
-              forge.asn1.create(
-                forge.asn1.Class.UNIVERSAL,
-                forge.asn1.Type.OCTETSTRING,
-                false,
-                issuerKeyHash
-              ),
-              forge.asn1.create(
-                forge.asn1.Class.UNIVERSAL,
-                forge.asn1.Type.INTEGER,
-                false,
-                serialBytes
-              )
-            ])
-          ])
-        ])
-      ])
-    ]);
-    return Buffer.from(forge.asn1.toDer(request).getBytes(), "binary");
-  } catch {
-    return void 0;
-  }
-}
-function parseOcspResponseStatus(data) {
-  try {
-    const asn1 = forge.asn1.fromDer(forge.util.createBuffer(data.toString("binary")));
-    const statusNode = asn1Child(asn1, 0);
-    if (!statusNode || asn1Bytes(statusNode) !== "\0") {
-      return "error";
-    }
-    const respBytesWrapper = asn1Child(asn1, 1);
-    if (!respBytesWrapper) {
-      return "unknown";
-    }
-    const respBytesSeq = asn1Child(respBytesWrapper, 0);
-    if (!respBytesSeq) {
-      return "unknown";
-    }
-    const respOctet = asn1Child(respBytesSeq, 1);
-    if (!respOctet) {
-      return "unknown";
-    }
-    const basicResp = forge.asn1.fromDer(forge.util.createBuffer(asn1Bytes(respOctet)));
-    const tbsData = asn1Child(basicResp, 0);
-    if (!tbsData) {
-      return "unknown";
-    }
-    const first = asn1Child(tbsData, 0);
-    const responsesIdx = first?.tagClass === forge.asn1.Class.CONTEXT_SPECIFIC && first.type === 0 ? 3 : 2;
-    const responses = asn1Child(tbsData, responsesIdx);
-    if (!responses) {
-      return "unknown";
-    }
-    const single = asn1Child(responses, 0);
-    if (!single) {
-      return "unknown";
-    }
-    const certStatus = asn1Child(single, 1);
-    if (!certStatus) {
-      return "unknown";
-    }
-    if (certStatus.tagClass === forge.asn1.Class.CONTEXT_SPECIFIC) {
-      if (certStatus.type === 0) {
-        return "good";
-      }
-      if (certStatus.type === 1) {
-        return "revoked";
-      }
-    }
-    return "unknown";
-  } catch {
-    return "error";
-  }
-}
-async function evaluateCertificateRevocation(leafCertPem, issuerCertPem) {
-  const ocspUrls = extractOcspUrls(leafCertPem);
-  const checkedOcspUrls = [];
-  const checkedCrlUrls = [];
-  if (issuerCertPem && ocspUrls.length > 0) {
-    const reqDer = buildOcspRequestDer(leafCertPem, issuerCertPem);
-    if (reqDer) {
-      for (const url of ocspUrls) {
-        checkedOcspUrls.push(url);
-        try {
-          const resp = await httpPost(url, reqDer, "application/ocsp-request");
-          const status = parseOcspResponseStatus(resp);
-          if (status === "good" || status === "revoked") {
-            return { status, checkedOcspUrls, checkedCrlUrls };
-          }
-        } catch {
-        }
-      }
-    }
-  }
-  if (checkedOcspUrls.length === 0) {
-    return { status: "not-checked", checkedOcspUrls, checkedCrlUrls };
-  }
-  return {
-    status: "unknown",
-    error: "Could not determine revocation status from available responders.",
-    checkedOcspUrls,
-    checkedCrlUrls
-  };
-}
-var TIMESTAMP_TAG_REGEX = /<(?:[\w.-]+:)?(?:EncapsulatedTimeStamp|SignatureTimeStamp)[^>]*>([\s\S]*?)<\/(?:[\w.-]+:)?(?:EncapsulatedTimeStamp|SignatureTimeStamp)>/i;
-async function evaluateTimestampAuthority(signatureXml) {
-  try {
-    const match = TIMESTAMP_TAG_REGEX.exec(signatureXml);
-    if (!match?.[1]?.trim()) {
-      return { status: "not-present" };
-    }
-    const tokenBase64 = match[1].replace(/\s+/g, "");
-    const tokenDer = Buffer.from(tokenBase64, "base64");
-    if (tokenDer.length === 0) {
-      return { status: "invalid", error: "Empty timestamp token." };
-    }
-    const asn1 = forge.asn1.fromDer(forge.util.createBuffer(tokenDer.toString("binary")));
-    const contentType = asn1Child(asn1, 0);
-    if (!contentType) {
-      return {
-        status: "invalid",
-        error: "Malformed timestamp token structure."
-      };
-    }
-    return { status: "valid" };
-  } catch (err) {
-    return {
-      status: "error",
-      error: `Timestamp evaluation failed: ${String(err)}`
-    };
-  }
-}
-// src/signature-node/certificate-utils.ts
-function certificateInfoFromBase64(certBase64) {
-  try {
-    const certificate = new crypto.X509Certificate(Buffer.from(certBase64, "base64"));
-    return {
-      subject: certificate.subject || void 0,
-      issuer: certificate.issuer || void 0,
-      serialNumber: certificate.serialNumber || void 0,
-      validFrom: certificate.validFrom || void 0,
-      validTo: certificate.validTo || void 0
-    };
-  } catch {
-    return void 0;
-  }
-}
-function validateCertificateChain(certBase64List, additionalRootsPem) {
-  if (certBase64List.length === 0) {
-    return { status: "not-checked" };
-  }
-  try {
-    const chain = certBase64List.map((value) => {
-      const der = forge.util.decode64(value);
-      return forge.pki.certificateFromAsn1(forge.asn1.fromDer(der));
-    });
-    const rootPem = [...tls.rootCertificates, ...additionalRootsPem];
-    const caStore = forge.pki.createCaStore(rootPem);
-    const verified = forge.pki.verifyCertificateChain(caStore, chain);
-    return verified ? { status: "trusted" } : {
-      status: "untrusted",
-      error: "Certificate chain is not trusted."
-    };
-  } catch (error) {
-    return {
-      status: "untrusted",
-      error: `Certificate trust validation failed: ${String(error)}`
-    };
-  }
-}
-function signatureAlgorithmToVerifyAlgorithm(signatureMethod) {
-  switch (signatureMethod) {
-    case "http://www.w3.org/2000/09/xmldsig#rsa-sha1":
-      return "RSA-SHA1";
-    case "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256":
-      return "RSA-SHA256";
-    case "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384":
-      return "RSA-SHA384";
-    case "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512":
-      return "RSA-SHA512";
-    default:
-      return void 0;
-  }
-}
-function verifySignatureValue(signatureXml, certBase64List) {
-  try {
-    const parser = new DOMParser();
-    const doc = parser.parseFromString(signatureXml, "text/xml");
-    const signatureNode = doc.getElementsByTagNameNS(XMLDSIG_NS, "Signature")[0];
-    if (!signatureNode) {
-      return "not-checked";
-    }
-    const certPem = certBase64List.length > 0 ? certPemFromBase64(certBase64List[0]) : void 0;
-    if (!certPem) {
-      return "not-checked";
-    }
-    const signedInfoNode = doc.getElementsByTagNameNS(XMLDSIG_NS, "SignedInfo")[0];
-    const signatureValueNode = doc.getElementsByTagNameNS(XMLDSIG_NS, "SignatureValue")[0];
-    if (!signedInfoNode || !signatureValueNode) {
-      return "invalid";
-    }
-    const canonicalizationMethod = doc.getElementsByTagNameNS(XMLDSIG_NS, "CanonicalizationMethod").item(0)?.getAttribute("Algorithm") ?? "http://www.w3.org/2001/10/xml-exc-c14n#";
-    const signatureMethod = doc.getElementsByTagNameNS(XMLDSIG_NS, "SignatureMethod").item(0)?.getAttribute("Algorithm");
-    const verifyAlgorithm = signatureAlgorithmToVerifyAlgorithm(signatureMethod ?? void 0);
-    if (!verifyAlgorithm) {
-      return "invalid";
-    }
-    const canonicalSignedInfo = canonicalizeNode(signedInfoNode, canonicalizationMethod);
-    const signatureValueBase64 = signatureValueNode.textContent?.replace(/\s+/g, "").trim() ?? "";
-    if (signatureValueBase64.length === 0) {
-      return "invalid";
-    }
-    const verifier = crypto.createVerify(verifyAlgorithm);
-    verifier.update(Buffer.from(canonicalSignedInfo, "utf8"));
-    verifier.end();
-    const isValid = verifier.verify(certPem, Buffer.from(signatureValueBase64, "base64"));
-    return isValid ? "verified" : "invalid";
-  } catch {
-    return "invalid";
-  }
-}
-function loadSigningMaterialFromBuffer(certificateBuffer, certificatePath, certificatePassword) {
-  const extension = path.extname(certificatePath).toLowerCase();
-  if (extension === ".pfx" || extension === ".p12") {
-    const p12Der = forge.util.createBuffer(Buffer.from(certificateBuffer).toString("binary"));
-    const p12Asn1 = forge.asn1.fromDer(p12Der);
-    const p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1, certificatePassword || "");
-    const keyBag = p12.getBags({
-      bagType: forge.pki.oids.pkcs8ShroudedKeyBag
-    })[forge.pki.oids.pkcs8ShroudedKeyBag];
-    const certBag = p12.getBags({ bagType: forge.pki.oids.certBag })[forge.pki.oids.certBag];
-    if (!keyBag || keyBag.length === 0 || !keyBag[0]?.key) {
-      throw new Error("No private key found in PKCS#12 certificate.");
-    }
-    if (!certBag || certBag.length === 0 || !certBag[0]?.cert) {
-      throw new Error("No certificate found in PKCS#12 certificate.");
-    }
-    return {
-      privateKeyPem: forge.pki.privateKeyToPem(keyBag[0].key),
-      certificatePem: forge.pki.certificateToPem(certBag[0].cert)
-    };
-  }
-  const pem = Buffer.from(certificateBuffer).toString("utf8");
-  const privateKeyMatch = pem.match(
-    /-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----[\s\S]+?-----END (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----/m
-  );
-  const certMatch = pem.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/m);
-  if (!privateKeyMatch || !certMatch) {
-    throw new Error("PEM certificate must contain both private key and certificate.");
-  }
-  return {
-    privateKeyPem: privateKeyMatch[0],
-    certificatePem: certMatch[0]
-  };
-}
-function pemCertificateToBase64(pem) {
-  return pem.replace(/-----BEGIN CERTIFICATE-----/g, "").replace(/-----END CERTIFICATE-----/g, "").replace(/\s+/g, "").trim();
-}
-function extractPemCertificatesFromText(text) {
-  const matches = text.match(/-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g) ?? [];
-  return matches.map((value) => value.trim()).filter((value) => value.length > 0);
-}
-function parseBooleanEnv(envValue) {
-  if (!envValue) {
-    return false;
-  }
-  const normalized = envValue.trim().toLowerCase();
-  return normalized === "1" || normalized === "true" || normalized === "yes";
-}
-function parseListEnv(envValue) {
-  if (!envValue) {
-    return [];
-  }
-  return envValue.split(/[;,]/).map((value) => value.trim()).filter((value) => value.length > 0);
-}
-async function loadEnterpriseTrustRoots() {
-  const roots = [];
-  const inlinePem = process.env[ENTERPRISE_TRUST_ROOTS_PEM_ENV];
-  if (inlinePem) {
-    roots.push(...extractPemCertificatesFromText(inlinePem));
-  }
-  const trustRootPaths = parseListEnv(process.env[ENTERPRISE_TRUST_ROOTS_FILE_ENV]);
-  for (const trustRootPath of trustRootPaths) {
-    try {
-      const pemText = await fs.readFile(trustRootPath, "utf8");
-      roots.push(...extractPemCertificatesFromText(pemText));
-    } catch {
-    }
-  }
-  return roots;
-}
-function getSignatureValidationPolicy() {
-  return {
-    requireRevocationCheck: parseBooleanEnv(process.env[ENTERPRISE_REQUIRE_REVOCATION_ENV]),
-    failOnRevocationUnknown: parseBooleanEnv(
-      process.env[ENTERPRISE_FAIL_ON_REVOCATION_UNKNOWN_ENV]
-    ),
-    requireTimestamp: parseBooleanEnv(process.env[ENTERPRISE_REQUIRE_TIMESTAMP_ENV])
-  };
-}
-function extractReferenceTransforms(referenceNode) {
-  const transforms = [];
-  const transformNodes = referenceNode.getElementsByTagNameNS(XMLDSIG_NS, "Transform");
-  for (let index = 0; index < transformNodes.length; index += 1) {
-    const transformNode = transformNodes.item(index);
-    if (!transformNode) {
-      continue;
-    }
-    const algorithm = transformNode.getAttribute("Algorithm")?.trim();
-    if (!algorithm) {
-      continue;
-    }
-    const relationshipReferenceIds = [];
-    const childNodes = transformNode.getElementsByTagName("*");
-    for (let childIndex = 0; childIndex < childNodes.length; childIndex += 1) {
-      const childNode = childNodes.item(childIndex);
-      if (!childNode) {
-        continue;
-      }
-      if (getNodeLocalName(childNode) !== "RelationshipReference") {
-        continue;
-      }
-      const sourceId = childNode.getAttribute("SourceId")?.trim();
-      if (sourceId && sourceId.length > 0) {
-        relationshipReferenceIds.push(sourceId);
-      }
-    }
-    transforms.push({ algorithm, relationshipReferenceIds });
-  }
-  return transforms;
-}
-function applyRelationshipTransform(xmlText, relationshipIds) {
-  try {
-    const parser = new DOMParser();
-    const serializer = new XMLSerializer();
-    const doc = parser.parseFromString(xmlText, "text/xml");
-    const relationshipsRoot = getFirstDescendantElementByLocalName(doc, "Relationships");
-    if (!relationshipsRoot) {
-      return void 0;
-    }
-    if (relationshipIds.length === 0) {
-      return serializer.serializeToString(doc);
-    }
-    const idSet = new Set(relationshipIds);
-    const relationshipNodes = Array.from(relationshipsRoot.getElementsByTagName("*")).filter(
-      (node) => getNodeLocalName(node) === "Relationship"
-    );
-    for (const relationshipNode of relationshipNodes) {
-      const relId = relationshipNode.getAttribute("Id")?.trim();
-      if (!relId || !idSet.has(relId)) {
-        relationshipNode.parentNode?.removeChild(relationshipNode);
-      }
-    }
-    return serializer.serializeToString(doc);
-  } catch {
-    return void 0;
-  }
-}
-function applyReferenceTransforms(partBytes, transforms) {
-  let transformedBytes = partBytes;
-  const unsupportedAlgorithms = [];
-  for (const transform of transforms) {
-    if (transform.algorithm === OPC_RELATIONSHIP_TRANSFORM) {
-      const nextXml = applyRelationshipTransform(
-        Buffer.from(transformedBytes).toString("utf8"),
-        transform.relationshipReferenceIds
-      );
-      if (!nextXml) {
-        unsupportedAlgorithms.push(transform.algorithm);
-        continue;
-      }
-      transformedBytes = new Uint8Array(Buffer.from(nextXml, "utf8"));
-      continue;
-    }
-    if (!SUPPORTED_XML_CANON_TRANSFORMS.has(transform.algorithm)) {
-      unsupportedAlgorithms.push(transform.algorithm);
-      continue;
-    }
-    try {
-      const parser = new DOMParser();
-      const doc = parser.parseFromString(
-        Buffer.from(transformedBytes).toString("utf8"),
-        "text/xml"
-      );
-      if (!doc.documentElement) {
-        unsupportedAlgorithms.push(transform.algorithm);
-        continue;
-      }
-      const canonical = canonicalizeNode(doc.documentElement, transform.algorithm);
-      transformedBytes = new Uint8Array(Buffer.from(canonical, "utf8"));
-    } catch {
-      unsupportedAlgorithms.push(transform.algorithm);
-    }
-  }
-  return { data: transformedBytes, unsupportedAlgorithms };
-}
-function computeDigestBase642(content, digestAlgorithmUri) {
-  const hashName = DIGEST_ALGORITHM_TO_HASH[digestAlgorithmUri];
-  if (!hashName) {
-    return void 0;
-  }
-  return crypto.createHash(hashName).update(Buffer.from(content)).digest("base64");
-}
-async function buildReferenceChecksFromSignatureXml(zip, signatureXml) {
-  const parser = new DOMParser();
-  const doc = parser.parseFromString(signatureXml, "text/xml");
-  const referenceNodes = doc.getElementsByTagNameNS(XMLDSIG_NS, "Reference");
-  const checks = [];
-  for (let index = 0; index < referenceNodes.length; index += 1) {
-    const referenceNode = referenceNodes.item(index);
-    if (!referenceNode) {
-      continue;
-    }
-    const uri = referenceNode.getAttribute("URI")?.trim() ?? "";
-    const digestMethodNode = getFirstDescendantElementByLocalName(referenceNode, "DigestMethod");
-    const digestValueNode = getFirstDescendantElementByLocalName(referenceNode, "DigestValue");
-    const digestAlgorithm = digestMethodNode?.getAttribute("Algorithm")?.trim();
-    const digestExpectedBase64 = digestValueNode?.textContent?.replace(/\s+/g, "").trim();
-    const transforms = extractReferenceTransforms(referenceNode);
-    const transformAlgorithms = transforms.map((transform) => transform.algorithm);
-    const resolvedPartPath = resolveReferenceUriToPart(uri);
-    if (!resolvedPartPath) {
-      checks.push({
-        uri,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "insufficient-data",
-        transformAlgorithms
-      });
-      continue;
-    }
-    const part = zip.file(resolvedPartPath);
-    if (!part) {
-      checks.push({
-        uri,
-        resolvedPartPath,
-        existsInPackage: false,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "missing-part",
-        transformAlgorithms
-      });
-      continue;
-    }
-    if (!digestAlgorithm || !digestExpectedBase64) {
-      checks.push({
-        uri,
-        resolvedPartPath,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "insufficient-data",
-        transformAlgorithms
-      });
-      continue;
-    }
-    const rawContent = await part.async("uint8array");
-    const transformed = applyReferenceTransforms(rawContent, transforms);
-    if (transformed.unsupportedAlgorithms.length > 0) {
-      checks.push({
-        uri,
-        resolvedPartPath,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "unsupported-transform",
-        transformAlgorithms
-      });
-      continue;
-    }
-    const digestActualBase64 = computeDigestBase642(transformed.data, digestAlgorithm);
-    if (!digestActualBase64) {
-      checks.push({
-        uri,
-        resolvedPartPath,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "unsupported-algorithm",
-        transformAlgorithms
-      });
-      continue;
-    }
-    checks.push({
-      uri,
-      resolvedPartPath,
-      existsInPackage: true,
-      digestAlgorithm,
-      digestExpectedBase64,
-      digestActualBase64,
-      digestStatus: digestActualBase64 === digestExpectedBase64 ? "verified" : "mismatch",
-      transformAlgorithms
-    });
-  }
-  return checks;
-}
-async function buildReferenceChecksFromPptxViewerManifest(zip, signatureXml) {
-  const parser = new DOMParser();
-  const doc = parser.parseFromString(signatureXml, "text/xml");
-  const partNodes = Array.from(doc.getElementsByTagNameNS(PPTX_VIEWER_MANIFEST_NS, "Part"));
-  const checks = [];
-  for (const partNode of partNodes) {
-    const rawName = partNode.getAttribute("Name") || "";
-    const digestAlgorithm = partNode.getAttribute("DigestMethod") || void 0;
-    const digestExpectedBase64 = partNode.getAttribute("DigestValue") || void 0;
-    const resolvedPartPath = resolveReferenceUriToPart(rawName);
-    if (!resolvedPartPath) {
-      checks.push({
-        uri: rawName,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "insufficient-data",
-        transformAlgorithms: []
-      });
-      continue;
-    }
-    const partFile = zip.file(resolvedPartPath);
-    if (!partFile) {
-      checks.push({
-        uri: rawName,
-        resolvedPartPath,
-        existsInPackage: false,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "missing-part",
-        transformAlgorithms: []
-      });
-      continue;
-    }
-    if (!digestAlgorithm || !digestExpectedBase64) {
-      checks.push({
-        uri: rawName,
-        resolvedPartPath,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "insufficient-data",
-        transformAlgorithms: []
-      });
-      continue;
-    }
-    const partBytes = await partFile.async("uint8array");
-    const actualDigest = computeDigestBase642(partBytes, digestAlgorithm);
-    if (!actualDigest) {
-      checks.push({
-        uri: rawName,
-        resolvedPartPath,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "unsupported-algorithm",
-        transformAlgorithms: []
-      });
-      continue;
-    }
-    checks.push({
-      uri: rawName,
-      resolvedPartPath,
-      existsInPackage: true,
-      digestAlgorithm,
-      digestExpectedBase64,
-      digestActualBase64: actualDigest,
-      digestStatus: actualDigest === digestExpectedBase64 ? "verified" : "mismatch",
-      transformAlgorithms: []
-    });
-  }
-  return checks;
-}
-async function inspectPptxDigitalSignatures(data) {
-  try {
-    const zip = await JSZip.loadAsync(Buffer.from(data));
-    const signaturePaths = Object.keys(zip.files).filter(
-      (entryPath) => entryPath.startsWith("_xmlsignatures/") && entryPath.endsWith(".xml")
-    );
-    const rootRelsXml = await zip.file("_rels/.rels")?.async("string");
-    const hasOriginRelationship = Boolean(rootRelsXml?.includes(DIGITAL_SIGNATURE_ORIGIN_REL_TYPE));
-    if (signaturePaths.length === 0) {
-      return {
-        supported: true,
-        hasSignature: false,
-        signatureCount: 0,
-        signaturePaths: [],
-        verificationStatus: "unsigned",
-        hasOriginRelationship
-      };
-    }
-    const additionalRootsPem = await loadEnterpriseTrustRoots();
-    const policy = getSignatureValidationPolicy();
-    const details = [];
-    for (const signaturePath of signaturePaths) {
-      const signatureXml = await zip.file(signaturePath)?.async("string") ?? "";
-      const manifestChecks = await buildReferenceChecksFromPptxViewerManifest(zip, signatureXml);
-      const referenceChecks = manifestChecks.length > 0 ? manifestChecks : await buildReferenceChecksFromSignatureXml(zip, signatureXml);
-      const missingPartReferences = referenceChecks.filter((check) => check.digestStatus === "missing-part").map((check) => check.uri);
-      const unsupportedTransforms = referenceChecks.flatMap(
-        (check) => check.digestStatus === "unsupported-transform" ? check.transformAlgorithms : []
-      ).filter((value, index, all) => all.indexOf(value) === index);
-      const certs = extractAllTagText(signatureXml, "X509Certificate");
-      const trust = validateCertificateChain(certs, additionalRootsPem);
-      const signatureValueStatus = verifySignatureValue(signatureXml, certs);
-      const leafCertPem = certs.length > 0 ? certPemFromBase64(certs[0]) : void 0;
-      const issuerCertPem = certs.length > 1 ? certPemFromBase64(certs[1]) : leafCertPem;
-      const revocation = leafCertPem ? await evaluateCertificateRevocation(leafCertPem, issuerCertPem) : {
-        status: "not-checked",
-        checkedOcspUrls: [],
-        checkedCrlUrls: []
-      };
-      const timestamp = await evaluateTimestampAuthority(signatureXml);
-      const detailBase = {
-        path: signaturePath,
-        signatureMethod: extractTagAttribute(
-          signatureXml,
-          "([\\w.-]+:)?SignatureMethod",
-          "Algorithm"
-        ),
-        canonicalizationMethod: extractTagAttribute(
-          signatureXml,
-          "([\\w.-]+:)?CanonicalizationMethod",
-          "Algorithm"
-        ),
-        signingTime: extractFirstTagText(signatureXml, "SigningTime"),
-        referenceCount: referenceChecks.length,
-        missingPartReferences,
-        unsupportedTransforms,
-        referenceChecks,
-        certificate: certs.length > 0 ? certificateInfoFromBase64(certs[0]) : void 0,
-        signatureValueStatus,
-        certificateTrustStatus: trust.status,
-        certificateTrustError: trust.error,
-        certificateRevocationStatus: revocation.status,
-        certificateRevocationError: revocation.error,
-        timestampAuthorityStatus: timestamp.status,
-        timestampAuthorityError: timestamp.error,
-        certificateFingerprintSha256: leafCertPem ? certFingerprintSha256(leafCertPem) : void 0
-      };
-      details.push({
-        ...detailBase,
-        status: computeDetailStatus(detailBase, policy)
-      });
-    }
-    return {
-      supported: true,
-      hasSignature: true,
-      signatureCount: signaturePaths.length,
-      signaturePaths,
-      verificationStatus: computeVerificationStatus(details),
-      details,
-      hasOriginRelationship
-    };
-  } catch (error) {
-    return {
-      supported: true,
-      hasSignature: false,
-      signatureCount: 0,
-      signaturePaths: [],
-      verificationStatus: "invalid-package",
-      error: `Unable to inspect digital signature parts: ${String(error)}`
-    };
-  }
-}
-// src/signature-node/signing.ts
-async function upsertRootOriginRelationship(zip) {
-  const parser = new DOMParser();
-  const serializer = new XMLSerializer();
-  const relsPath = "_rels/.rels";
-  const xml = await zip.file(relsPath)?.async("string") || '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"></Relationships>';
-  const doc = parser.parseFromString(xml, "text/xml");
-  const relationships = doc.documentElement;
-  const existing = Array.from(relationships.getElementsByTagName("Relationship")).find(
-    (node) => node.getAttribute("Type") === DIGITAL_SIGNATURE_ORIGIN_REL_TYPE
-  );
-  if (!existing) {
-    const rel = doc.createElement("Relationship");
-    rel.setAttribute("Id", "rIdDigitalSignatureOrigin");
-    rel.setAttribute("Type", DIGITAL_SIGNATURE_ORIGIN_REL_TYPE);
-    rel.setAttribute("Target", "_xmlsignatures/origin.sigs");
-    relationships.appendChild(rel);
-  }
-  zip.file(relsPath, serializer.serializeToString(doc));
-}
-async function upsertContentTypesForSignature(zip, signaturePath) {
-  const parser = new DOMParser();
-  const serializer = new XMLSerializer();
-  const pathInContentTypes = "[Content_Types].xml";
-  const xml = await zip.file(pathInContentTypes)?.async("string") || "";
-  if (!xml) {
-    return;
-  }
-  const doc = parser.parseFromString(xml, "text/xml");
-  const types = doc.documentElement;
-  const ensureOverride = (partName, contentType) => {
-    const existing = Array.from(types.getElementsByTagName("Override")).find(
-      (node) => node.getAttribute("PartName") === partName
-    );
-    if (existing) {
-      existing.setAttribute("ContentType", contentType);
-      return;
-    }
-    const override = doc.createElement("Override");
-    override.setAttribute("PartName", partName);
-    override.setAttribute("ContentType", contentType);
-    types.appendChild(override);
-  };
-  ensureOverride(
-    "/_xmlsignatures/origin.sigs",
-    "application/vnd.openxmlformats-package.digital-signature-origin"
-  );
-  ensureOverride(
-    `/${signaturePath}`,
-    "application/vnd.openxmlformats-package.digital-signature-xmlsignature+xml"
-  );
-  zip.file(pathInContentTypes, serializer.serializeToString(doc));
-}
-async function buildOfficeReferenceList(zip) {
-  const references = [];
-  const digestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";
-  for (const entryPath of Object.keys(zip.files)) {
-    const entry = zip.file(entryPath);
-    if (!entry || entry.dir) {
-      continue;
-    }
-    if (entryPath.startsWith("_xmlsignatures/")) {
-      continue;
-    }
-    const entryBytes = await entry.async("uint8array");
-    const digestValue = crypto.createHash("sha256").update(Buffer.from(entryBytes)).digest("base64");
-    references.push({
-      uri: `/${normalizePartPath(entryPath)}`,
-      digestMethod,
-      digestValue
-    });
-  }
-  references.sort((left, right) => left.uri.localeCompare(right.uri));
-  return references;
-}
-function buildOfficeSignatureXml(references, privateKeyPem, certificatePem) {
-  const signedInfoReferencesXml = references.map(
-    (reference) => `<Reference URI="${escapeXmlAttr(reference.uri)}"><DigestMethod Algorithm="${escapeXmlAttr(reference.digestMethod)}"/><DigestValue>${escapeXmlText(reference.digestValue)}</DigestValue></Reference>`
-  ).join("");
-  const signedInfoXml = `<SignedInfo xmlns="${XMLDSIG_NS}"><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>${signedInfoReferencesXml}</SignedInfo>`;
-  const canonicalSignedInfo = canonicalizeSignedInfoXml(signedInfoXml);
-  const signer = crypto.createSign("RSA-SHA256");
-  signer.update(Buffer.from(canonicalSignedInfo, "utf8"));
-  signer.end();
-  const signatureValueBase64 = signer.sign(privateKeyPem).toString("base64");
-  const certificateBase64 = pemCertificateToBase64(certificatePem);
-  if (!isValidBase64(signatureValueBase64)) {
-    throw new Error("Generated SignatureValue is not valid base64");
-  }
-  if (!isValidBase64(certificateBase64)) {
-    throw new Error("X.509 certificate is not valid base64");
-  }
-  const signingTime = (/* @__PURE__ */ new Date()).toISOString();
-  return `<Signature xmlns="${XMLDSIG_NS}">${signedInfoXml}<SignatureValue>${escapeXmlText(signatureValueBase64)}</SignatureValue><KeyInfo><X509Data><X509Certificate>${escapeXmlText(certificateBase64)}</X509Certificate></X509Data></KeyInfo><Object><SignatureProperties><SignatureProperty><SigningTime>${escapeXmlText(signingTime)}</SigningTime></SignatureProperty></SignatureProperties></Object></Signature>`;
-}
-async function signPptxWithCertificate(data, certificateBuffer, options) {
-  try {
-    const signing = loadSigningMaterialFromBuffer(
-      certificateBuffer,
-      options.certificatePath,
-      options.certificatePassword
-    );
-    const zip = await JSZip.loadAsync(Buffer.from(data));
-    for (const entryPath of Object.keys(zip.files)) {
-      if (entryPath.startsWith("_xmlsignatures/")) {
-        zip.remove(entryPath);
-      }
-    }
-    const signaturePath = "_xmlsignatures/sig1.xml";
-    await upsertRootOriginRelationship(zip);
-    await upsertContentTypesForSignature(zip, signaturePath);
-    const references = await buildOfficeReferenceList(zip);
-    const signatureXml = buildOfficeSignatureXml(
-      references,
-      signing.privateKeyPem,
-      signing.certificatePem
-    );
-    zip.file(signaturePath, signatureXml);
-    zip.file("_xmlsignatures/origin.sigs", "<SignatureOrigin/>");
-    zip.file(
-      "_xmlsignatures/_rels/origin.sigs.rels",
-      `<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rIdSig1" Type="${DIGITAL_SIGNATURE_REL_TYPE}" Target="sig1.xml"/></Relationships>`
-    );
-    const signedData = await zip.generateAsync({ type: "uint8array" });
-    const report = await inspectPptxDigitalSignatures(signedData);
-    return { success: true, signedData, report };
-  } catch (error) {
-    const errorReport = {
-      supported: true,
-      hasSignature: false,
-      signatureCount: 0,
-      signaturePaths: [],
-      verificationStatus: "error",
-      error: `Failed to sign PPTX: ${String(error)}`
-    };
-    return {
-      success: false,
-      report: errorReport,
-      error: `Failed to sign PPTX: ${String(error)}`
-    };
-  }
-}
-export { DIGEST_ALGORITHM_TO_HASH, DIGEST_ALGORITHM_TO_WEB_CRYPTO, DIGITAL_SIGNATURE_ORIGIN_REL_TYPE, DIGITAL_SIGNATURE_REL_TYPE, ENTERPRISE_FAIL_ON_REVOCATION_UNKNOWN_ENV, ENTERPRISE_REQUIRE_REVOCATION_ENV, ENTERPRISE_REQUIRE_TIMESTAMP_ENV, ENTERPRISE_TRUST_ROOTS_FILE_ENV, ENTERPRISE_TRUST_ROOTS_PEM_ENV, OPC_RELATIONSHIP_TRANSFORM, PPTX_VIEWER_MANIFEST_NS, SUPPORTED_XML_CANON_TRANSFORMS, XMLDSIG_NS, XML_TRANSFORM_ENVELOPED_SIGNATURE, applyReferenceTransforms, buildOcspRequestDer, buildReferenceChecksFromPptxViewerManifest, buildReferenceChecksFromSignatureXml, canonicalizeNode, canonicalizeSignedInfoXml, certFingerprintSha256, certPemFromBase64, certificateInfoFromBase64, computeDetailStatus, computeDigestBase642 as computeDigestBase64, computeDigestBase64 as computeDigestBase64WebCrypto, computeVerificationStatus, escapeXmlAttr, escapeXmlText, evaluateCertificateRevocation, evaluateTimestampAuthority, extractAllTagText, extractFirstTagText, extractOcspUrls, extractPemCertificatesFromText, extractReferenceTransforms, extractTagAttribute, getFirstDescendantElementByLocalName, getNodeLocalName, getSignatureValidationPolicy, inspectPptxDigitalSignatures, isValidBase64, loadEnterpriseTrustRoots, loadSigningMaterialFromBuffer, normalizePartPath, parseOcspResponseStatus, pemCertificateToBase64, resolveReferenceUriToPart, signPptxWithCertificate, validateCertificateChain, verifySignatureValue };