@mkabatek/pptx-viewer 1.5.4 → 1.5.11

package/node_modules/pptx-viewer-core/dist/signature-node/index.js

@@ -1,1206 +0,0 @@
-'use strict';
-
-var xmldom = require('@xmldom/xmldom');
-var xmlCrypto = require('xml-crypto');
-var crypto = require('crypto');
-var path = require('path');
-var tls = require('tls');
-var forge = require('node-forge');
-var http = require('http');
-var https = require('https');
-var fs = require('fs/promises');
-var JSZip = require('jszip');
-
-function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
-
-var crypto__default = /*#__PURE__*/_interopDefault(crypto);
-var path__default = /*#__PURE__*/_interopDefault(path);
-var tls__default = /*#__PURE__*/_interopDefault(tls);
-var forge__default = /*#__PURE__*/_interopDefault(forge);
-var http__default = /*#__PURE__*/_interopDefault(http);
-var https__default = /*#__PURE__*/_interopDefault(https);
-var fs__default = /*#__PURE__*/_interopDefault(fs);
-var JSZip__default = /*#__PURE__*/_interopDefault(JSZip);
-
-// src/core/utils/signature-constants.ts
-var DIGITAL_SIGNATURE_ORIGIN_REL_TYPE = "http://schemas.openxmlformats.org/package/2006/relationships/digital-signature/origin";
-var DIGITAL_SIGNATURE_REL_TYPE = "http://schemas.openxmlformats.org/package/2006/relationships/digital-signature/signature";
-var PPTX_VIEWER_MANIFEST_NS = "urn:pptx-viewer:ooxml-signature:v1";
-var XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
-var OPC_RELATIONSHIP_TRANSFORM = "http://schemas.openxmlformats.org/package/2006/RelationshipTransform";
-var XML_TRANSFORM_ENVELOPED_SIGNATURE = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
-var SUPPORTED_XML_CANON_TRANSFORMS = /* @__PURE__ */ new Set([
-  "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
-  "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
-  "http://www.w3.org/2001/10/xml-exc-c14n#",
-  "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
-  XML_TRANSFORM_ENVELOPED_SIGNATURE
-]);
-var ENTERPRISE_TRUST_ROOTS_FILE_ENV = "PPTX_VIEWER_TRUST_ROOTS_FILE";
-var ENTERPRISE_TRUST_ROOTS_PEM_ENV = "PPTX_VIEWER_TRUST_ROOTS_PEM";
-var ENTERPRISE_REQUIRE_REVOCATION_ENV = "PPTX_VIEWER_REQUIRE_REVOCATION_CHECK";
-var ENTERPRISE_FAIL_ON_REVOCATION_UNKNOWN_ENV = "PPTX_VIEWER_FAIL_ON_REVOCATION_UNKNOWN";
-var ENTERPRISE_REQUIRE_TIMESTAMP_ENV = "PPTX_VIEWER_REQUIRE_TIMESTAMP";
-var DIGEST_ALGORITHM_TO_HASH = {
-  "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
-  "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
-  "http://www.w3.org/2001/04/xmlenc#sha384": "sha384",
-  "http://www.w3.org/2001/04/xmlenc#sha512": "sha512"
-};
-var DIGEST_ALGORITHM_TO_WEB_CRYPTO = {
-  "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
-  "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
-  "http://www.w3.org/2001/04/xmlenc#sha384": "SHA-384",
-  "http://www.w3.org/2001/04/xmlenc#sha512": "SHA-512"
-};
-
-// src/core/utils/signature-xml-utils.ts
-function escapeXmlAttr(value) {
-  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
-}
-function escapeXmlText(value) {
-  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
-}
-function isValidBase64(value) {
-  return typeof value === "string" && value.length > 0 && /^[A-Za-z0-9+/=\s]+$/.test(value);
-}
-function extractTagAttribute(xml, tagName, attributeName) {
-  const pattern = new RegExp(
-    `<${tagName}\\b[^>]*\\b${attributeName}="(?<attributeValue>[^"]+)"`,
-    "i"
-  );
-  const match = xml.match(pattern);
-  return match?.groups?.["attributeValue"]?.trim();
-}
-function extractFirstTagText(xml, localName) {
-  const pattern = new RegExp(
-    `<([\\w.-]+:)?${localName}\\b[^>]*>([\\s\\S]*?)<\\/([\\w.-]+:)?${localName}>`,
-    "i"
-  );
-  const match = xml.match(pattern);
-  return match?.[2]?.replace(/\s+/g, "").trim() || void 0;
-}
-function extractAllTagText(xml, localName) {
-  const result = [];
-  const regex = new RegExp(
-    `<([\\w.-]+:)?${localName}\\b[^>]*>([\\s\\S]*?)<\\/([\\w.-]+:)?${localName}>`,
-    "gi"
-  );
-  let match = regex.exec(xml);
-  while (match) {
-    const value = match[2]?.replace(/\s+/g, "").trim();
-    if (value) {
-      result.push(value);
-    }
-    match = regex.exec(xml);
-  }
-  return result;
-}
-
-// src/core/utils/signature-reference-utils.ts
-function normalizePartPath(partPath) {
-  return partPath.replace(/\\/g, "/").replace(/^\/+/, "");
-}
-function resolveReferenceUriToPart(uri) {
-  const trimmed = uri.trim();
-  if (trimmed.length === 0 || trimmed.startsWith("#")) {
-    return void 0;
-  }
-  const decoded = decodeURIComponent(trimmed);
-  return normalizePartPath(decoded.startsWith("/") ? decoded.slice(1) : decoded);
-}
-
-// src/core/utils/signature-digest.ts
-async function computeDigestBase64(content, digestAlgorithmUri) {
-  const webCryptoAlgo = DIGEST_ALGORITHM_TO_WEB_CRYPTO[digestAlgorithmUri];
-  if (!webCryptoAlgo) {
-    return void 0;
-  }
-  if (typeof globalThis.crypto?.subtle === "undefined") {
-    return void 0;
-  }
-  const buf = new ArrayBuffer(content.byteLength);
-  new Uint8Array(buf).set(content);
-  const digest = await globalThis.crypto.subtle.digest(webCryptoAlgo, buf);
-  return uint8ArrayToBase64(new Uint8Array(digest));
-}
-function uint8ArrayToBase64(bytes) {
-  let binary = "";
-  for (let i = 0; i < bytes.byteLength; i++) {
-    binary += String.fromCharCode(bytes[i]);
-  }
-  return btoa(binary);
-}
-
-// src/core/utils/signature-inspection-status.ts
-function computeDetailStatus(detail, policy) {
-  const hasDigestMismatch = detail.referenceChecks.some(
-    (check) => check.digestStatus === "mismatch"
-  );
-  const hasMissingPart = detail.missingPartReferences.length > 0;
-  const hasVerifiedDigest = detail.referenceChecks.some(
-    (check) => check.digestStatus === "verified"
-  );
-  const revocationUnknown = detail.certificateRevocationStatus === "unknown" || detail.certificateRevocationStatus === "not-checked" || detail.certificateRevocationStatus === "error";
-  const timestampMissingOrUntrusted = detail.timestampAuthorityStatus === "not-present" || detail.timestampAuthorityStatus === "not-checked" || detail.timestampAuthorityStatus === "error" || detail.timestampAuthorityStatus === "untrusted";
-  if (detail.signatureValueStatus === "invalid") {
-    return "signature-invalid";
-  }
-  if (hasMissingPart) {
-    return "reference-missing";
-  }
-  if (hasDigestMismatch) {
-    return "digest-mismatch";
-  }
-  if (detail.certificateRevocationStatus === "revoked") {
-    return "certificate-revoked";
-  }
-  if (policy.requireRevocationCheck && (policy.failOnRevocationUnknown ? revocationUnknown : detail.certificateRevocationStatus !== "good")) {
-    return "certificate-untrusted";
-  }
-  if (detail.timestampAuthorityStatus === "invalid") {
-    return "timestamp-invalid";
-  }
-  if (policy.requireTimestamp && timestampMissingOrUntrusted) {
-    return "timestamp-untrusted";
-  }
-  if (detail.timestampAuthorityStatus === "untrusted") {
-    return "timestamp-untrusted";
-  }
-  if (detail.certificateTrustStatus === "untrusted" && detail.signatureValueStatus === "verified") {
-    return "certificate-untrusted";
-  }
-  if (hasVerifiedDigest && detail.signatureValueStatus === "verified") {
-    return "verified";
-  }
-  return "structural-only";
-}
-function computeVerificationStatus(details) {
-  const hasInvalidSignature = details.some((detail) => detail.status === "signature-invalid");
-  const hasMissing = details.some((detail) => detail.status === "reference-missing");
-  const hasMismatch = details.some((detail) => detail.status === "digest-mismatch");
-  const hasUntrusted = details.some((detail) => detail.status === "certificate-untrusted");
-  const hasRevoked = details.some((detail) => detail.status === "certificate-revoked");
-  const hasTimestampInvalid = details.some((detail) => detail.status === "timestamp-invalid");
-  const hasTimestampUntrusted = details.some((detail) => detail.status === "timestamp-untrusted");
-  const allVerified = details.every((detail) => detail.status === "verified");
-  return hasInvalidSignature ? "signature-invalid" : hasRevoked ? "certificate-revoked" : hasTimestampInvalid ? "timestamp-invalid" : hasTimestampUntrusted ? "timestamp-untrusted" : hasMissing ? "reference-missing" : hasMismatch ? "digest-mismatch" : allVerified ? "verified-trusted" : hasUntrusted ? "verified-untrusted" : "present-not-verified";
-}
-function getNodeLocalName(node) {
-  const localNameNode = node;
-  if (localNameNode.localName) {
-    return localNameNode.localName;
-  }
-  const nodeName = node.nodeName || "";
-  const sep = nodeName.indexOf(":");
-  return sep >= 0 ? nodeName.slice(sep + 1) : nodeName;
-}
-function getFirstDescendantElementByLocalName(parent, localName) {
-  const elements = parent.getElementsByTagName("*");
-  for (let index = 0; index < elements.length; index += 1) {
-    const element = elements.item(index);
-    if (!element) {
-      continue;
-    }
-    if (getNodeLocalName(element) === localName) {
-      return element;
-    }
-  }
-  return void 0;
-}
-function canonicalizeNode(node, algorithm) {
-  const canonicalizer = new xmlCrypto.SignedXml();
-  return canonicalizer.getCanonXml([algorithm], node);
-}
-function canonicalizeSignedInfoXml(signedInfoXml) {
-  const parser = new xmldom.DOMParser();
-  const signedInfoDoc = parser.parseFromString(signedInfoXml, "text/xml");
-  if (!signedInfoDoc.documentElement) {
-    throw new Error("Unable to canonicalize SignedInfo: invalid XML.");
-  }
-  return canonicalizeNode(signedInfoDoc.documentElement, "http://www.w3.org/2001/10/xml-exc-c14n#");
-}
-function certPemFromBase64(certBase64) {
-  try {
-    const der = Buffer.from(certBase64, "base64");
-    if (der.length === 0) {
-      return void 0;
-    }
-    const b64 = der.toString("base64");
-    const lines = b64.match(/.{1,64}/g);
-    if (!lines) {
-      return void 0;
-    }
-    return `-----BEGIN CERTIFICATE-----
-${lines.join("\n")}
------END CERTIFICATE-----`;
-  } catch {
-    return void 0;
-  }
-}
-function certFingerprintSha256(certPem) {
-  try {
-    const cert = new crypto__default.default.X509Certificate(certPem);
-    return cert.fingerprint256.replace(/:/g, "").toLowerCase();
-  } catch {
-    return void 0;
-  }
-}
-function asn1Child(node, index) {
-  return Array.isArray(node.value) ? node.value[index] : void 0;
-}
-function asn1Bytes(node) {
-  return typeof node.value === "string" ? node.value : "";
-}
-function extractOcspUrls(certPem) {
-  try {
-    const cert = new crypto__default.default.X509Certificate(certPem);
-    const infoAccess = cert.infoAccess;
-    if (!infoAccess) {
-      return [];
-    }
-    const urls = [];
-    for (const line of infoAccess.split("\n")) {
-      const match = /OCSP\s*-\s*URI:(https?:\/\/\S+)/i.exec(line.trim());
-      if (match?.[1]) {
-        urls.push(match[1]);
-      }
-    }
-    return urls;
-  } catch {
-    return [];
-  }
-}
-var HTTP_TIMEOUT_MS = 1e4;
-function httpPost(url, body, contentType) {
-  return new Promise((resolve, reject) => {
-    let parsed;
-    try {
-      parsed = new URL(url);
-    } catch {
-      reject(new Error("Invalid URL"));
-      return;
-    }
-    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-      reject(new Error("Unsupported protocol"));
-      return;
-    }
-    const transport = parsed.protocol === "https:" ? https__default.default : http__default.default;
-    const req = transport.request(
-      {
-        hostname: parsed.hostname,
-        port: parsed.port || void 0,
-        path: parsed.pathname + parsed.search,
-        method: "POST",
-        headers: {
-          "Content-Type": contentType,
-          "Content-Length": body.length
-        },
-        timeout: HTTP_TIMEOUT_MS
-      },
-      (res) => {
-        const chunks = [];
-        res.on("data", (chunk) => chunks.push(chunk));
-        res.on("end", () => resolve(Buffer.concat(chunks)));
-        res.on("error", reject);
-      }
-    );
-    req.on("error", reject);
-    req.on("timeout", () => {
-      req.destroy();
-      reject(new Error("Timeout"));
-    });
-    req.write(body);
-    req.end();
-  });
-}
-var SHA1_OID = "1.3.14.3.2.26";
-function buildOcspRequestDer(leafPem, issuerPem) {
-  try {
-    const leaf = forge__default.default.pki.certificateFromPem(leafPem);
-    const issuer = forge__default.default.pki.certificateFromPem(issuerPem);
-    const issuerNameDer = forge__default.default.asn1.toDer(forge__default.default.pki.distinguishedNameToAsn1(issuer.subject)).getBytes();
-    const issuerNameHash = forge__default.default.md.sha1.create().update(issuerNameDer).digest().getBytes();
-    const pubKeyDer = forge__default.default.asn1.toDer(forge__default.default.pki.publicKeyToAsn1(issuer.publicKey)).getBytes();
-    const pubKeyAsn1 = forge__default.default.asn1.fromDer(pubKeyDer);
-    const bitString = asn1Child(pubKeyAsn1, 1);
-    const rawKey = bitString ? asn1Bytes(bitString).substring(1) : "";
-    const issuerKeyHash = forge__default.default.md.sha1.create().update(rawKey).digest().getBytes();
-    const serialBytes = forge__default.default.util.hexToBytes(leaf.serialNumber);
-    const request = forge__default.default.asn1.create(forge__default.default.asn1.Class.UNIVERSAL, forge__default.default.asn1.Type.SEQUENCE, true, [
-      forge__default.default.asn1.create(forge__default.default.asn1.Class.UNIVERSAL, forge__default.default.asn1.Type.SEQUENCE, true, [
-        forge__default.default.asn1.create(forge__default.default.asn1.Class.UNIVERSAL, forge__default.default.asn1.Type.SEQUENCE, true, [
-          forge__default.default.asn1.create(forge__default.default.asn1.Class.UNIVERSAL, forge__default.default.asn1.Type.SEQUENCE, true, [
-            forge__default.default.asn1.create(forge__default.default.asn1.Class.UNIVERSAL, forge__default.default.asn1.Type.SEQUENCE, true, [
-              forge__default.default.asn1.create(forge__default.default.asn1.Class.UNIVERSAL, forge__default.default.asn1.Type.SEQUENCE, true, [
-                forge__default.default.asn1.create(
-                  forge__default.default.asn1.Class.UNIVERSAL,
-                  forge__default.default.asn1.Type.OID,
-                  false,
-                  forge__default.default.asn1.oidToDer(SHA1_OID).getBytes()
-                ),
-                forge__default.default.asn1.create(forge__default.default.asn1.Class.UNIVERSAL, forge__default.default.asn1.Type.NULL, false, "")
-              ]),
-              forge__default.default.asn1.create(
-                forge__default.default.asn1.Class.UNIVERSAL,
-                forge__default.default.asn1.Type.OCTETSTRING,
-                false,
-                issuerNameHash
-              ),
-              forge__default.default.asn1.create(
-                forge__default.default.asn1.Class.UNIVERSAL,
-                forge__default.default.asn1.Type.OCTETSTRING,
-                false,
-                issuerKeyHash
-              ),
-              forge__default.default.asn1.create(
-                forge__default.default.asn1.Class.UNIVERSAL,
-                forge__default.default.asn1.Type.INTEGER,
-                false,
-                serialBytes
-              )
-            ])
-          ])
-        ])
-      ])
-    ]);
-    return Buffer.from(forge__default.default.asn1.toDer(request).getBytes(), "binary");
-  } catch {
-    return void 0;
-  }
-}
-function parseOcspResponseStatus(data) {
-  try {
-    const asn1 = forge__default.default.asn1.fromDer(forge__default.default.util.createBuffer(data.toString("binary")));
-    const statusNode = asn1Child(asn1, 0);
-    if (!statusNode || asn1Bytes(statusNode) !== "\0") {
-      return "error";
-    }
-    const respBytesWrapper = asn1Child(asn1, 1);
-    if (!respBytesWrapper) {
-      return "unknown";
-    }
-    const respBytesSeq = asn1Child(respBytesWrapper, 0);
-    if (!respBytesSeq) {
-      return "unknown";
-    }
-    const respOctet = asn1Child(respBytesSeq, 1);
-    if (!respOctet) {
-      return "unknown";
-    }
-    const basicResp = forge__default.default.asn1.fromDer(forge__default.default.util.createBuffer(asn1Bytes(respOctet)));
-    const tbsData = asn1Child(basicResp, 0);
-    if (!tbsData) {
-      return "unknown";
-    }
-    const first = asn1Child(tbsData, 0);
-    const responsesIdx = first?.tagClass === forge__default.default.asn1.Class.CONTEXT_SPECIFIC && first.type === 0 ? 3 : 2;
-    const responses = asn1Child(tbsData, responsesIdx);
-    if (!responses) {
-      return "unknown";
-    }
-    const single = asn1Child(responses, 0);
-    if (!single) {
-      return "unknown";
-    }
-    const certStatus = asn1Child(single, 1);
-    if (!certStatus) {
-      return "unknown";
-    }
-    if (certStatus.tagClass === forge__default.default.asn1.Class.CONTEXT_SPECIFIC) {
-      if (certStatus.type === 0) {
-        return "good";
-      }
-      if (certStatus.type === 1) {
-        return "revoked";
-      }
-    }
-    return "unknown";
-  } catch {
-    return "error";
-  }
-}
-async function evaluateCertificateRevocation(leafCertPem, issuerCertPem) {
-  const ocspUrls = extractOcspUrls(leafCertPem);
-  const checkedOcspUrls = [];
-  const checkedCrlUrls = [];
-  if (issuerCertPem && ocspUrls.length > 0) {
-    const reqDer = buildOcspRequestDer(leafCertPem, issuerCertPem);
-    if (reqDer) {
-      for (const url of ocspUrls) {
-        checkedOcspUrls.push(url);
-        try {
-          const resp = await httpPost(url, reqDer, "application/ocsp-request");
-          const status = parseOcspResponseStatus(resp);
-          if (status === "good" || status === "revoked") {
-            return { status, checkedOcspUrls, checkedCrlUrls };
-          }
-        } catch {
-        }
-      }
-    }
-  }
-  if (checkedOcspUrls.length === 0) {
-    return { status: "not-checked", checkedOcspUrls, checkedCrlUrls };
-  }
-  return {
-    status: "unknown",
-    error: "Could not determine revocation status from available responders.",
-    checkedOcspUrls,
-    checkedCrlUrls
-  };
-}
-var TIMESTAMP_TAG_REGEX = /<(?:[\w.-]+:)?(?:EncapsulatedTimeStamp|SignatureTimeStamp)[^>]*>([\s\S]*?)<\/(?:[\w.-]+:)?(?:EncapsulatedTimeStamp|SignatureTimeStamp)>/i;
-async function evaluateTimestampAuthority(signatureXml) {
-  try {
-    const match = TIMESTAMP_TAG_REGEX.exec(signatureXml);
-    if (!match?.[1]?.trim()) {
-      return { status: "not-present" };
-    }
-    const tokenBase64 = match[1].replace(/\s+/g, "");
-    const tokenDer = Buffer.from(tokenBase64, "base64");
-    if (tokenDer.length === 0) {
-      return { status: "invalid", error: "Empty timestamp token." };
-    }
-    const asn1 = forge__default.default.asn1.fromDer(forge__default.default.util.createBuffer(tokenDer.toString("binary")));
-    const contentType = asn1Child(asn1, 0);
-    if (!contentType) {
-      return {
-        status: "invalid",
-        error: "Malformed timestamp token structure."
-      };
-    }
-    return { status: "valid" };
-  } catch (err) {
-    return {
-      status: "error",
-      error: `Timestamp evaluation failed: ${String(err)}`
-    };
-  }
-}
-
-// src/signature-node/certificate-utils.ts
-function certificateInfoFromBase64(certBase64) {
-  try {
-    const certificate = new crypto__default.default.X509Certificate(Buffer.from(certBase64, "base64"));
-    return {
-      subject: certificate.subject || void 0,
-      issuer: certificate.issuer || void 0,
-      serialNumber: certificate.serialNumber || void 0,
-      validFrom: certificate.validFrom || void 0,
-      validTo: certificate.validTo || void 0
-    };
-  } catch {
-    return void 0;
-  }
-}
-function validateCertificateChain(certBase64List, additionalRootsPem) {
-  if (certBase64List.length === 0) {
-    return { status: "not-checked" };
-  }
-  try {
-    const chain = certBase64List.map((value) => {
-      const der = forge__default.default.util.decode64(value);
-      return forge__default.default.pki.certificateFromAsn1(forge__default.default.asn1.fromDer(der));
-    });
-    const rootPem = [...tls__default.default.rootCertificates, ...additionalRootsPem];
-    const caStore = forge__default.default.pki.createCaStore(rootPem);
-    const verified = forge__default.default.pki.verifyCertificateChain(caStore, chain);
-    return verified ? { status: "trusted" } : {
-      status: "untrusted",
-      error: "Certificate chain is not trusted."
-    };
-  } catch (error) {
-    return {
-      status: "untrusted",
-      error: `Certificate trust validation failed: ${String(error)}`
-    };
-  }
-}
-function signatureAlgorithmToVerifyAlgorithm(signatureMethod) {
-  switch (signatureMethod) {
-    case "http://www.w3.org/2000/09/xmldsig#rsa-sha1":
-      return "RSA-SHA1";
-    case "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256":
-      return "RSA-SHA256";
-    case "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384":
-      return "RSA-SHA384";
-    case "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512":
-      return "RSA-SHA512";
-    default:
-      return void 0;
-  }
-}
-function verifySignatureValue(signatureXml, certBase64List) {
-  try {
-    const parser = new xmldom.DOMParser();
-    const doc = parser.parseFromString(signatureXml, "text/xml");
-    const signatureNode = doc.getElementsByTagNameNS(XMLDSIG_NS, "Signature")[0];
-    if (!signatureNode) {
-      return "not-checked";
-    }
-    const certPem = certBase64List.length > 0 ? certPemFromBase64(certBase64List[0]) : void 0;
-    if (!certPem) {
-      return "not-checked";
-    }
-    const signedInfoNode = doc.getElementsByTagNameNS(XMLDSIG_NS, "SignedInfo")[0];
-    const signatureValueNode = doc.getElementsByTagNameNS(XMLDSIG_NS, "SignatureValue")[0];
-    if (!signedInfoNode || !signatureValueNode) {
-      return "invalid";
-    }
-    const canonicalizationMethod = doc.getElementsByTagNameNS(XMLDSIG_NS, "CanonicalizationMethod").item(0)?.getAttribute("Algorithm") ?? "http://www.w3.org/2001/10/xml-exc-c14n#";
-    const signatureMethod = doc.getElementsByTagNameNS(XMLDSIG_NS, "SignatureMethod").item(0)?.getAttribute("Algorithm");
-    const verifyAlgorithm = signatureAlgorithmToVerifyAlgorithm(signatureMethod ?? void 0);
-    if (!verifyAlgorithm) {
-      return "invalid";
-    }
-    const canonicalSignedInfo = canonicalizeNode(signedInfoNode, canonicalizationMethod);
-    const signatureValueBase64 = signatureValueNode.textContent?.replace(/\s+/g, "").trim() ?? "";
-    if (signatureValueBase64.length === 0) {
-      return "invalid";
-    }
-    const verifier = crypto__default.default.createVerify(verifyAlgorithm);
-    verifier.update(Buffer.from(canonicalSignedInfo, "utf8"));
-    verifier.end();
-    const isValid = verifier.verify(certPem, Buffer.from(signatureValueBase64, "base64"));
-    return isValid ? "verified" : "invalid";
-  } catch {
-    return "invalid";
-  }
-}
-function loadSigningMaterialFromBuffer(certificateBuffer, certificatePath, certificatePassword) {
-  const extension = path__default.default.extname(certificatePath).toLowerCase();
-  if (extension === ".pfx" || extension === ".p12") {
-    const p12Der = forge__default.default.util.createBuffer(Buffer.from(certificateBuffer).toString("binary"));
-    const p12Asn1 = forge__default.default.asn1.fromDer(p12Der);
-    const p12 = forge__default.default.pkcs12.pkcs12FromAsn1(p12Asn1, certificatePassword || "");
-    const keyBag = p12.getBags({
-      bagType: forge__default.default.pki.oids.pkcs8ShroudedKeyBag
-    })[forge__default.default.pki.oids.pkcs8ShroudedKeyBag];
-    const certBag = p12.getBags({ bagType: forge__default.default.pki.oids.certBag })[forge__default.default.pki.oids.certBag];
-    if (!keyBag || keyBag.length === 0 || !keyBag[0]?.key) {
-      throw new Error("No private key found in PKCS#12 certificate.");
-    }
-    if (!certBag || certBag.length === 0 || !certBag[0]?.cert) {
-      throw new Error("No certificate found in PKCS#12 certificate.");
-    }
-    return {
-      privateKeyPem: forge__default.default.pki.privateKeyToPem(keyBag[0].key),
-      certificatePem: forge__default.default.pki.certificateToPem(certBag[0].cert)
-    };
-  }
-  const pem = Buffer.from(certificateBuffer).toString("utf8");
-  const privateKeyMatch = pem.match(
-    /-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----[\s\S]+?-----END (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----/m
-  );
-  const certMatch = pem.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/m);
-  if (!privateKeyMatch || !certMatch) {
-    throw new Error("PEM certificate must contain both private key and certificate.");
-  }
-  return {
-    privateKeyPem: privateKeyMatch[0],
-    certificatePem: certMatch[0]
-  };
-}
-function pemCertificateToBase64(pem) {
-  return pem.replace(/-----BEGIN CERTIFICATE-----/g, "").replace(/-----END CERTIFICATE-----/g, "").replace(/\s+/g, "").trim();
-}
-function extractPemCertificatesFromText(text) {
-  const matches = text.match(/-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g) ?? [];
-  return matches.map((value) => value.trim()).filter((value) => value.length > 0);
-}
-function parseBooleanEnv(envValue) {
-  if (!envValue) {
-    return false;
-  }
-  const normalized = envValue.trim().toLowerCase();
-  return normalized === "1" || normalized === "true" || normalized === "yes";
-}
-function parseListEnv(envValue) {
-  if (!envValue) {
-    return [];
-  }
-  return envValue.split(/[;,]/).map((value) => value.trim()).filter((value) => value.length > 0);
-}
-async function loadEnterpriseTrustRoots() {
-  const roots = [];
-  const inlinePem = process.env[ENTERPRISE_TRUST_ROOTS_PEM_ENV];
-  if (inlinePem) {
-    roots.push(...extractPemCertificatesFromText(inlinePem));
-  }
-  const trustRootPaths = parseListEnv(process.env[ENTERPRISE_TRUST_ROOTS_FILE_ENV]);
-  for (const trustRootPath of trustRootPaths) {
-    try {
-      const pemText = await fs__default.default.readFile(trustRootPath, "utf8");
-      roots.push(...extractPemCertificatesFromText(pemText));
-    } catch {
-    }
-  }
-  return roots;
-}
-function getSignatureValidationPolicy() {
-  return {
-    requireRevocationCheck: parseBooleanEnv(process.env[ENTERPRISE_REQUIRE_REVOCATION_ENV]),
-    failOnRevocationUnknown: parseBooleanEnv(
-      process.env[ENTERPRISE_FAIL_ON_REVOCATION_UNKNOWN_ENV]
-    ),
-    requireTimestamp: parseBooleanEnv(process.env[ENTERPRISE_REQUIRE_TIMESTAMP_ENV])
-  };
-}
-function extractReferenceTransforms(referenceNode) {
-  const transforms = [];
-  const transformNodes = referenceNode.getElementsByTagNameNS(XMLDSIG_NS, "Transform");
-  for (let index = 0; index < transformNodes.length; index += 1) {
-    const transformNode = transformNodes.item(index);
-    if (!transformNode) {
-      continue;
-    }
-    const algorithm = transformNode.getAttribute("Algorithm")?.trim();
-    if (!algorithm) {
-      continue;
-    }
-    const relationshipReferenceIds = [];
-    const childNodes = transformNode.getElementsByTagName("*");
-    for (let childIndex = 0; childIndex < childNodes.length; childIndex += 1) {
-      const childNode = childNodes.item(childIndex);
-      if (!childNode) {
-        continue;
-      }
-      if (getNodeLocalName(childNode) !== "RelationshipReference") {
-        continue;
-      }
-      const sourceId = childNode.getAttribute("SourceId")?.trim();
-      if (sourceId && sourceId.length > 0) {
-        relationshipReferenceIds.push(sourceId);
-      }
-    }
-    transforms.push({ algorithm, relationshipReferenceIds });
-  }
-  return transforms;
-}
-function applyRelationshipTransform(xmlText, relationshipIds) {
-  try {
-    const parser = new xmldom.DOMParser();
-    const serializer = new xmldom.XMLSerializer();
-    const doc = parser.parseFromString(xmlText, "text/xml");
-    const relationshipsRoot = getFirstDescendantElementByLocalName(doc, "Relationships");
-    if (!relationshipsRoot) {
-      return void 0;
-    }
-    if (relationshipIds.length === 0) {
-      return serializer.serializeToString(doc);
-    }
-    const idSet = new Set(relationshipIds);
-    const relationshipNodes = Array.from(relationshipsRoot.getElementsByTagName("*")).filter(
-      (node) => getNodeLocalName(node) === "Relationship"
-    );
-    for (const relationshipNode of relationshipNodes) {
-      const relId = relationshipNode.getAttribute("Id")?.trim();
-      if (!relId || !idSet.has(relId)) {
-        relationshipNode.parentNode?.removeChild(relationshipNode);
-      }
-    }
-    return serializer.serializeToString(doc);
-  } catch {
-    return void 0;
-  }
-}
-function applyReferenceTransforms(partBytes, transforms) {
-  let transformedBytes = partBytes;
-  const unsupportedAlgorithms = [];
-  for (const transform of transforms) {
-    if (transform.algorithm === OPC_RELATIONSHIP_TRANSFORM) {
-      const nextXml = applyRelationshipTransform(
-        Buffer.from(transformedBytes).toString("utf8"),
-        transform.relationshipReferenceIds
-      );
-      if (!nextXml) {
-        unsupportedAlgorithms.push(transform.algorithm);
-        continue;
-      }
-      transformedBytes = new Uint8Array(Buffer.from(nextXml, "utf8"));
-      continue;
-    }
-    if (!SUPPORTED_XML_CANON_TRANSFORMS.has(transform.algorithm)) {
-      unsupportedAlgorithms.push(transform.algorithm);
-      continue;
-    }
-    try {
-      const parser = new xmldom.DOMParser();
-      const doc = parser.parseFromString(
-        Buffer.from(transformedBytes).toString("utf8"),
-        "text/xml"
-      );
-      if (!doc.documentElement) {
-        unsupportedAlgorithms.push(transform.algorithm);
-        continue;
-      }
-      const canonical = canonicalizeNode(doc.documentElement, transform.algorithm);
-      transformedBytes = new Uint8Array(Buffer.from(canonical, "utf8"));
-    } catch {
-      unsupportedAlgorithms.push(transform.algorithm);
-    }
-  }
-  return { data: transformedBytes, unsupportedAlgorithms };
-}
-function computeDigestBase642(content, digestAlgorithmUri) {
-  const hashName = DIGEST_ALGORITHM_TO_HASH[digestAlgorithmUri];
-  if (!hashName) {
-    return void 0;
-  }
-  return crypto__default.default.createHash(hashName).update(Buffer.from(content)).digest("base64");
-}
-async function buildReferenceChecksFromSignatureXml(zip, signatureXml) {
-  const parser = new xmldom.DOMParser();
-  const doc = parser.parseFromString(signatureXml, "text/xml");
-  const referenceNodes = doc.getElementsByTagNameNS(XMLDSIG_NS, "Reference");
-  const checks = [];
-  for (let index = 0; index < referenceNodes.length; index += 1) {
-    const referenceNode = referenceNodes.item(index);
-    if (!referenceNode) {
-      continue;
-    }
-    const uri = referenceNode.getAttribute("URI")?.trim() ?? "";
-    const digestMethodNode = getFirstDescendantElementByLocalName(referenceNode, "DigestMethod");
-    const digestValueNode = getFirstDescendantElementByLocalName(referenceNode, "DigestValue");
-    const digestAlgorithm = digestMethodNode?.getAttribute("Algorithm")?.trim();
-    const digestExpectedBase64 = digestValueNode?.textContent?.replace(/\s+/g, "").trim();
-    const transforms = extractReferenceTransforms(referenceNode);
-    const transformAlgorithms = transforms.map((transform) => transform.algorithm);
-    const resolvedPartPath = resolveReferenceUriToPart(uri);
-    if (!resolvedPartPath) {
-      checks.push({
-        uri,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "insufficient-data",
-        transformAlgorithms
-      });
-      continue;
-    }
-    const part = zip.file(resolvedPartPath);
-    if (!part) {
-      checks.push({
-        uri,
-        resolvedPartPath,
-        existsInPackage: false,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "missing-part",
-        transformAlgorithms
-      });
-      continue;
-    }
-    if (!digestAlgorithm || !digestExpectedBase64) {
-      checks.push({
-        uri,
-        resolvedPartPath,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "insufficient-data",
-        transformAlgorithms
-      });
-      continue;
-    }
-    const rawContent = await part.async("uint8array");
-    const transformed = applyReferenceTransforms(rawContent, transforms);
-    if (transformed.unsupportedAlgorithms.length > 0) {
-      checks.push({
-        uri,
-        resolvedPartPath,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "unsupported-transform",
-        transformAlgorithms
-      });
-      continue;
-    }
-    const digestActualBase64 = computeDigestBase642(transformed.data, digestAlgorithm);
-    if (!digestActualBase64) {
-      checks.push({
-        uri,
-        resolvedPartPath,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "unsupported-algorithm",
-        transformAlgorithms
-      });
-      continue;
-    }
-    checks.push({
-      uri,
-      resolvedPartPath,
-      existsInPackage: true,
-      digestAlgorithm,
-      digestExpectedBase64,
-      digestActualBase64,
-      digestStatus: digestActualBase64 === digestExpectedBase64 ? "verified" : "mismatch",
-      transformAlgorithms
-    });
-  }
-  return checks;
-}
-async function buildReferenceChecksFromPptxViewerManifest(zip, signatureXml) {
-  const parser = new xmldom.DOMParser();
-  const doc = parser.parseFromString(signatureXml, "text/xml");
-  const partNodes = Array.from(doc.getElementsByTagNameNS(PPTX_VIEWER_MANIFEST_NS, "Part"));
-  const checks = [];
-  for (const partNode of partNodes) {
-    const rawName = partNode.getAttribute("Name") || "";
-    const digestAlgorithm = partNode.getAttribute("DigestMethod") || void 0;
-    const digestExpectedBase64 = partNode.getAttribute("DigestValue") || void 0;
-    const resolvedPartPath = resolveReferenceUriToPart(rawName);
-    if (!resolvedPartPath) {
-      checks.push({
-        uri: rawName,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "insufficient-data",
-        transformAlgorithms: []
-      });
-      continue;
-    }
-    const partFile = zip.file(resolvedPartPath);
-    if (!partFile) {
-      checks.push({
-        uri: rawName,
-        resolvedPartPath,
-        existsInPackage: false,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "missing-part",
-        transformAlgorithms: []
-      });
-      continue;
-    }
-    if (!digestAlgorithm || !digestExpectedBase64) {
-      checks.push({
-        uri: rawName,
-        resolvedPartPath,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "insufficient-data",
-        transformAlgorithms: []
-      });
-      continue;
-    }
-    const partBytes = await partFile.async("uint8array");
-    const actualDigest = computeDigestBase642(partBytes, digestAlgorithm);
-    if (!actualDigest) {
-      checks.push({
-        uri: rawName,
-        resolvedPartPath,
-        existsInPackage: true,
-        digestAlgorithm,
-        digestExpectedBase64,
-        digestStatus: "unsupported-algorithm",
-        transformAlgorithms: []
-      });
-      continue;
-    }
-    checks.push({
-      uri: rawName,
-      resolvedPartPath,
-      existsInPackage: true,
-      digestAlgorithm,
-      digestExpectedBase64,
-      digestActualBase64: actualDigest,
-      digestStatus: actualDigest === digestExpectedBase64 ? "verified" : "mismatch",
-      transformAlgorithms: []
-    });
-  }
-  return checks;
-}
-async function inspectPptxDigitalSignatures(data) {
-  try {
-    const zip = await JSZip__default.default.loadAsync(Buffer.from(data));
-    const signaturePaths = Object.keys(zip.files).filter(
-      (entryPath) => entryPath.startsWith("_xmlsignatures/") && entryPath.endsWith(".xml")
-    );
-    const rootRelsXml = await zip.file("_rels/.rels")?.async("string");
-    const hasOriginRelationship = Boolean(rootRelsXml?.includes(DIGITAL_SIGNATURE_ORIGIN_REL_TYPE));
-    if (signaturePaths.length === 0) {
-      return {
-        supported: true,
-        hasSignature: false,
-        signatureCount: 0,
-        signaturePaths: [],
-        verificationStatus: "unsigned",
-        hasOriginRelationship
-      };
-    }
-    const additionalRootsPem = await loadEnterpriseTrustRoots();
-    const policy = getSignatureValidationPolicy();
-    const details = [];
-    for (const signaturePath of signaturePaths) {
-      const signatureXml = await zip.file(signaturePath)?.async("string") ?? "";
-      const manifestChecks = await buildReferenceChecksFromPptxViewerManifest(zip, signatureXml);
-      const referenceChecks = manifestChecks.length > 0 ? manifestChecks : await buildReferenceChecksFromSignatureXml(zip, signatureXml);
-      const missingPartReferences = referenceChecks.filter((check) => check.digestStatus === "missing-part").map((check) => check.uri);
-      const unsupportedTransforms = referenceChecks.flatMap(
-        (check) => check.digestStatus === "unsupported-transform" ? check.transformAlgorithms : []
-      ).filter((value, index, all) => all.indexOf(value) === index);
-      const certs = extractAllTagText(signatureXml, "X509Certificate");
-      const trust = validateCertificateChain(certs, additionalRootsPem);
-      const signatureValueStatus = verifySignatureValue(signatureXml, certs);
-      const leafCertPem = certs.length > 0 ? certPemFromBase64(certs[0]) : void 0;
-      const issuerCertPem = certs.length > 1 ? certPemFromBase64(certs[1]) : leafCertPem;
-      const revocation = leafCertPem ? await evaluateCertificateRevocation(leafCertPem, issuerCertPem) : {
-        status: "not-checked",
-        checkedOcspUrls: [],
-        checkedCrlUrls: []
-      };
-      const timestamp = await evaluateTimestampAuthority(signatureXml);
-      const detailBase = {
-        path: signaturePath,
-        signatureMethod: extractTagAttribute(
-          signatureXml,
-          "([\\w.-]+:)?SignatureMethod",
-          "Algorithm"
-        ),
-        canonicalizationMethod: extractTagAttribute(
-          signatureXml,
-          "([\\w.-]+:)?CanonicalizationMethod",
-          "Algorithm"
-        ),
-        signingTime: extractFirstTagText(signatureXml, "SigningTime"),
-        referenceCount: referenceChecks.length,
-        missingPartReferences,
-        unsupportedTransforms,
-        referenceChecks,
-        certificate: certs.length > 0 ? certificateInfoFromBase64(certs[0]) : void 0,
-        signatureValueStatus,
-        certificateTrustStatus: trust.status,
-        certificateTrustError: trust.error,
-        certificateRevocationStatus: revocation.status,
-        certificateRevocationError: revocation.error,
-        timestampAuthorityStatus: timestamp.status,
-        timestampAuthorityError: timestamp.error,
-        certificateFingerprintSha256: leafCertPem ? certFingerprintSha256(leafCertPem) : void 0
-      };
-      details.push({
-        ...detailBase,
-        status: computeDetailStatus(detailBase, policy)
-      });
-    }
-    return {
-      supported: true,
-      hasSignature: true,
-      signatureCount: signaturePaths.length,
-      signaturePaths,
-      verificationStatus: computeVerificationStatus(details),
-      details,
-      hasOriginRelationship
-    };
-  } catch (error) {
-    return {
-      supported: true,
-      hasSignature: false,
-      signatureCount: 0,
-      signaturePaths: [],
-      verificationStatus: "invalid-package",
-      error: `Unable to inspect digital signature parts: ${String(error)}`
-    };
-  }
-}
-
-// src/signature-node/signing.ts
-async function upsertRootOriginRelationship(zip) {
-  const parser = new xmldom.DOMParser();
-  const serializer = new xmldom.XMLSerializer();
-  const relsPath = "_rels/.rels";
-  const xml = await zip.file(relsPath)?.async("string") || '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"></Relationships>';
-  const doc = parser.parseFromString(xml, "text/xml");
-  const relationships = doc.documentElement;
-  const existing = Array.from(relationships.getElementsByTagName("Relationship")).find(
-    (node) => node.getAttribute("Type") === DIGITAL_SIGNATURE_ORIGIN_REL_TYPE
-  );
-  if (!existing) {
-    const rel = doc.createElement("Relationship");
-    rel.setAttribute("Id", "rIdDigitalSignatureOrigin");
-    rel.setAttribute("Type", DIGITAL_SIGNATURE_ORIGIN_REL_TYPE);
-    rel.setAttribute("Target", "_xmlsignatures/origin.sigs");
-    relationships.appendChild(rel);
-  }
-  zip.file(relsPath, serializer.serializeToString(doc));
-}
-async function upsertContentTypesForSignature(zip, signaturePath) {
-  const parser = new xmldom.DOMParser();
-  const serializer = new xmldom.XMLSerializer();
-  const pathInContentTypes = "[Content_Types].xml";
-  const xml = await zip.file(pathInContentTypes)?.async("string") || "";
-  if (!xml) {
-    return;
-  }
-  const doc = parser.parseFromString(xml, "text/xml");
-  const types = doc.documentElement;
-  const ensureOverride = (partName, contentType) => {
-    const existing = Array.from(types.getElementsByTagName("Override")).find(
-      (node) => node.getAttribute("PartName") === partName
-    );
-    if (existing) {
-      existing.setAttribute("ContentType", contentType);
-      return;
-    }
-    const override = doc.createElement("Override");
-    override.setAttribute("PartName", partName);
-    override.setAttribute("ContentType", contentType);
-    types.appendChild(override);
-  };
-  ensureOverride(
-    "/_xmlsignatures/origin.sigs",
-    "application/vnd.openxmlformats-package.digital-signature-origin"
-  );
-  ensureOverride(
-    `/${signaturePath}`,
-    "application/vnd.openxmlformats-package.digital-signature-xmlsignature+xml"
-  );
-  zip.file(pathInContentTypes, serializer.serializeToString(doc));
-}
-async function buildOfficeReferenceList(zip) {
-  const references = [];
-  const digestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";
-  for (const entryPath of Object.keys(zip.files)) {
-    const entry = zip.file(entryPath);
-    if (!entry || entry.dir) {
-      continue;
-    }
-    if (entryPath.startsWith("_xmlsignatures/")) {
-      continue;
-    }
-    const entryBytes = await entry.async("uint8array");
-    const digestValue = crypto__default.default.createHash("sha256").update(Buffer.from(entryBytes)).digest("base64");
-    references.push({
-      uri: `/${normalizePartPath(entryPath)}`,
-      digestMethod,
-      digestValue
-    });
-  }
-  references.sort((left, right) => left.uri.localeCompare(right.uri));
-  return references;
-}
-function buildOfficeSignatureXml(references, privateKeyPem, certificatePem) {
-  const signedInfoReferencesXml = references.map(
-    (reference) => `<Reference URI="${escapeXmlAttr(reference.uri)}"><DigestMethod Algorithm="${escapeXmlAttr(reference.digestMethod)}"/><DigestValue>${escapeXmlText(reference.digestValue)}</DigestValue></Reference>`
-  ).join("");
-  const signedInfoXml = `<SignedInfo xmlns="${XMLDSIG_NS}"><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>${signedInfoReferencesXml}</SignedInfo>`;
-  const canonicalSignedInfo = canonicalizeSignedInfoXml(signedInfoXml);
-  const signer = crypto__default.default.createSign("RSA-SHA256");
-  signer.update(Buffer.from(canonicalSignedInfo, "utf8"));
-  signer.end();
-  const signatureValueBase64 = signer.sign(privateKeyPem).toString("base64");
-  const certificateBase64 = pemCertificateToBase64(certificatePem);
-  if (!isValidBase64(signatureValueBase64)) {
-    throw new Error("Generated SignatureValue is not valid base64");
-  }
-  if (!isValidBase64(certificateBase64)) {
-    throw new Error("X.509 certificate is not valid base64");
-  }
-  const signingTime = (/* @__PURE__ */ new Date()).toISOString();
-  return `<Signature xmlns="${XMLDSIG_NS}">${signedInfoXml}<SignatureValue>${escapeXmlText(signatureValueBase64)}</SignatureValue><KeyInfo><X509Data><X509Certificate>${escapeXmlText(certificateBase64)}</X509Certificate></X509Data></KeyInfo><Object><SignatureProperties><SignatureProperty><SigningTime>${escapeXmlText(signingTime)}</SigningTime></SignatureProperty></SignatureProperties></Object></Signature>`;
-}
-async function signPptxWithCertificate(data, certificateBuffer, options) {
-  try {
-    const signing = loadSigningMaterialFromBuffer(
-      certificateBuffer,
-      options.certificatePath,
-      options.certificatePassword
-    );
-    const zip = await JSZip__default.default.loadAsync(Buffer.from(data));
-    for (const entryPath of Object.keys(zip.files)) {
-      if (entryPath.startsWith("_xmlsignatures/")) {
-        zip.remove(entryPath);
-      }
-    }
-    const signaturePath = "_xmlsignatures/sig1.xml";
-    await upsertRootOriginRelationship(zip);
-    await upsertContentTypesForSignature(zip, signaturePath);
-    const references = await buildOfficeReferenceList(zip);
-    const signatureXml = buildOfficeSignatureXml(
-      references,
-      signing.privateKeyPem,
-      signing.certificatePem
-    );
-    zip.file(signaturePath, signatureXml);
-    zip.file("_xmlsignatures/origin.sigs", "<SignatureOrigin/>");
-    zip.file(
-      "_xmlsignatures/_rels/origin.sigs.rels",
-      `<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rIdSig1" Type="${DIGITAL_SIGNATURE_REL_TYPE}" Target="sig1.xml"/></Relationships>`
-    );
-    const signedData = await zip.generateAsync({ type: "uint8array" });
-    const report = await inspectPptxDigitalSignatures(signedData);
-    return { success: true, signedData, report };
-  } catch (error) {
-    const errorReport = {
-      supported: true,
-      hasSignature: false,
-      signatureCount: 0,
-      signaturePaths: [],
-      verificationStatus: "error",
-      error: `Failed to sign PPTX: ${String(error)}`
-    };
-    return {
-      success: false,
-      report: errorReport,
-      error: `Failed to sign PPTX: ${String(error)}`
-    };
-  }
-}
-
-exports.DIGEST_ALGORITHM_TO_HASH = DIGEST_ALGORITHM_TO_HASH;
-exports.DIGEST_ALGORITHM_TO_WEB_CRYPTO = DIGEST_ALGORITHM_TO_WEB_CRYPTO;
-exports.DIGITAL_SIGNATURE_ORIGIN_REL_TYPE = DIGITAL_SIGNATURE_ORIGIN_REL_TYPE;
-exports.DIGITAL_SIGNATURE_REL_TYPE = DIGITAL_SIGNATURE_REL_TYPE;
-exports.ENTERPRISE_FAIL_ON_REVOCATION_UNKNOWN_ENV = ENTERPRISE_FAIL_ON_REVOCATION_UNKNOWN_ENV;
-exports.ENTERPRISE_REQUIRE_REVOCATION_ENV = ENTERPRISE_REQUIRE_REVOCATION_ENV;
-exports.ENTERPRISE_REQUIRE_TIMESTAMP_ENV = ENTERPRISE_REQUIRE_TIMESTAMP_ENV;
-exports.ENTERPRISE_TRUST_ROOTS_FILE_ENV = ENTERPRISE_TRUST_ROOTS_FILE_ENV;
-exports.ENTERPRISE_TRUST_ROOTS_PEM_ENV = ENTERPRISE_TRUST_ROOTS_PEM_ENV;
-exports.OPC_RELATIONSHIP_TRANSFORM = OPC_RELATIONSHIP_TRANSFORM;
-exports.PPTX_VIEWER_MANIFEST_NS = PPTX_VIEWER_MANIFEST_NS;
-exports.SUPPORTED_XML_CANON_TRANSFORMS = SUPPORTED_XML_CANON_TRANSFORMS;
-exports.XMLDSIG_NS = XMLDSIG_NS;
-exports.XML_TRANSFORM_ENVELOPED_SIGNATURE = XML_TRANSFORM_ENVELOPED_SIGNATURE;
-exports.applyReferenceTransforms = applyReferenceTransforms;
-exports.buildOcspRequestDer = buildOcspRequestDer;
-exports.buildReferenceChecksFromPptxViewerManifest = buildReferenceChecksFromPptxViewerManifest;
-exports.buildReferenceChecksFromSignatureXml = buildReferenceChecksFromSignatureXml;
-exports.canonicalizeNode = canonicalizeNode;
-exports.canonicalizeSignedInfoXml = canonicalizeSignedInfoXml;
-exports.certFingerprintSha256 = certFingerprintSha256;
-exports.certPemFromBase64 = certPemFromBase64;
-exports.certificateInfoFromBase64 = certificateInfoFromBase64;
-exports.computeDetailStatus = computeDetailStatus;
-exports.computeDigestBase64 = computeDigestBase642;
-exports.computeDigestBase64WebCrypto = computeDigestBase64;
-exports.computeVerificationStatus = computeVerificationStatus;
-exports.escapeXmlAttr = escapeXmlAttr;
-exports.escapeXmlText = escapeXmlText;
-exports.evaluateCertificateRevocation = evaluateCertificateRevocation;
-exports.evaluateTimestampAuthority = evaluateTimestampAuthority;
-exports.extractAllTagText = extractAllTagText;
-exports.extractFirstTagText = extractFirstTagText;
-exports.extractOcspUrls = extractOcspUrls;
-exports.extractPemCertificatesFromText = extractPemCertificatesFromText;
-exports.extractReferenceTransforms = extractReferenceTransforms;
-exports.extractTagAttribute = extractTagAttribute;
-exports.getFirstDescendantElementByLocalName = getFirstDescendantElementByLocalName;
-exports.getNodeLocalName = getNodeLocalName;
-exports.getSignatureValidationPolicy = getSignatureValidationPolicy;
-exports.inspectPptxDigitalSignatures = inspectPptxDigitalSignatures;
-exports.isValidBase64 = isValidBase64;
-exports.loadEnterpriseTrustRoots = loadEnterpriseTrustRoots;
-exports.loadSigningMaterialFromBuffer = loadSigningMaterialFromBuffer;
-exports.normalizePartPath = normalizePartPath;
-exports.parseOcspResponseStatus = parseOcspResponseStatus;
-exports.pemCertificateToBase64 = pemCertificateToBase64;
-exports.resolveReferenceUriToPart = resolveReferenceUriToPart;
-exports.signPptxWithCertificate = signPptxWithCertificate;
-exports.validateCertificateChain = validateCertificateChain;
-exports.verifySignatureValue = verifySignatureValue;