edockit 0.2.0 → 0.2.2

package/CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.2] - 2025-12-30
+
+### Fixed
+
+- **proxyUrl now works for timestamp revocation** - TSA certificate revocation checks now correctly use the proxy
+- **XPath DOM mismatch error in browser** - Fixed "Node cannot be used in a document other than the one in which it was created" error when parsing XML in browsers
+
+## [0.2.1] - 2025-12-30
+
+### Added
+
+- **CORS Proxy Support** - New `proxyUrl` option in `revocationOptions` for browser environments
+  - Routes OCSP, CRL, and CA issuer certificate requests through a CORS proxy
+  - Enables revocation checking in browsers where direct requests are blocked by CORS
+
 ## [0.2.0] - 2025-12-29
 
 ### Added
@@ -39,5 +54,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - File checksum verification (SHA-256/384/512)
 - Browser and Node.js support
 
+[0.2.2]: https://github.com/edgarsj/edockit/compare/v0.2.1...v0.2.2
+[0.2.1]: https://github.com/edgarsj/edockit/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/edgarsj/edockit/compare/v0.1.2...v0.2.0
 [0.1.2]: https://github.com/edgarsj/edockit/releases/tag/v0.1.2

package/README.md

@@ -45,6 +45,7 @@ const result = await verifySignature(container.signatures[0], container.files, {
   revocationOptions: {     // Optional: configure revocation check behavior
     ocspTimeout: 5000,     // OCSP request timeout in ms (default: 5000)
     crlTimeout: 10000,     // CRL fetch timeout in ms (default: 10000)
+    proxyUrl: 'https://cors-proxy.example.com/?url=',  // CORS proxy for browser (optional)
   },
   verifyTimestamps: true,  // RFC 3161 timestamp verification (default: true)
   verifyTime: new Date()   // Verify certificate at specific time (default: timestamp time if present, otherwise now)
@@ -119,8 +120,13 @@ async function verifyDocument(url) {
   console.log("Documents:", container.documentFileList);
 
   for (const signature of container.signatures) {
-    const result = await verifySignature(signature, container.files);
-    // checkRevocation and verifyTimestamps default to true
+    const result = await verifySignature(signature, container.files, {
+      checkRevocation: true,
+      revocationOptions: {
+        // Use a CORS proxy for OCSP/CRL requests in browser environments
+        proxyUrl: 'https://your-cors-proxy.example.com/?url=',
+      },
+    });
 
     console.log(`Valid: ${result.isValid}`);
 
@@ -134,6 +140,8 @@ async function verifyDocument(url) {
 }
 ```
 
+> **Note:** OCSP and CRL endpoints typically don't support CORS, so browser environments need a proxy to perform revocation checks. The `proxyUrl` option routes all revocation requests through the specified proxy, which should accept the original URL as a query parameter.
+
 ### Timestamp Utilities
 
 For advanced timestamp handling, you can use the timestamp utilities directly:

package/dist/core/revocation/crl.d.ts

@@ -31,4 +31,5 @@ export declare function parseCRL(data: ArrayBuffer): X509Crl | null;
  */
 export declare function checkCRL(cert: X509Certificate, options?: {
     timeout?: number;
+    proxyUrl?: string;
 }): Promise<RevocationResult>;

package/dist/core/revocation/fetch.d.ts

@@ -13,6 +13,12 @@ export interface FetchOptions {
     contentType?: string;
     /** Accept header */
     accept?: string;
+    /**
+     * CORS proxy URL for browser environments.
+     * When set, the original URL will be URL-encoded and appended to this proxy URL.
+     * Example: "https://cors-proxy.example.com/?url="
+     */
+    proxyUrl?: string;
 }
 export interface FetchResult {
     ok: boolean;
@@ -32,20 +38,23 @@ export declare function fetchBinary(url: string, options?: FetchOptions): Promis
  * @param url OCSP responder URL
  * @param request DER-encoded OCSP request
  * @param timeout Timeout in milliseconds
+ * @param proxyUrl Optional CORS proxy URL
  * @returns FetchResult with OCSP response data
  */
-export declare function fetchOCSP(url: string, request: ArrayBuffer, timeout?: number): Promise<FetchResult>;
+export declare function fetchOCSP(url: string, request: ArrayBuffer, timeout?: number, proxyUrl?: string): Promise<FetchResult>;
 /**
  * Fetch CRL from distribution point
  * @param url CRL distribution point URL
  * @param timeout Timeout in milliseconds
+ * @param proxyUrl Optional CORS proxy URL
  * @returns FetchResult with CRL data
  */
-export declare function fetchCRL(url: string, timeout?: number): Promise<FetchResult>;
+export declare function fetchCRL(url: string, timeout?: number, proxyUrl?: string): Promise<FetchResult>;
 /**
  * Fetch issuer certificate from AIA extension
  * @param url CA Issuers URL
  * @param timeout Timeout in milliseconds
+ * @param proxyUrl Optional CORS proxy URL
  * @returns FetchResult with certificate data
  */
-export declare function fetchIssuerCertificate(url: string, timeout?: number): Promise<FetchResult>;
+export declare function fetchIssuerCertificate(url: string, timeout?: number, proxyUrl?: string): Promise<FetchResult>;

package/dist/core/revocation/ocsp.d.ts

@@ -23,9 +23,10 @@ export declare function findIssuerInChain(cert: X509Certificate, chain: string[]
  * Fetch issuer certificate from AIA extension
  * @param cert Certificate to fetch issuer for
  * @param timeout Timeout in ms
+ * @param proxyUrl Optional CORS proxy URL
  * @returns Issuer certificate or null
  */
-export declare function fetchIssuerFromAIA(cert: X509Certificate, timeout?: number): Promise<X509Certificate | null>;
+export declare function fetchIssuerFromAIA(cert: X509Certificate, timeout?: number, proxyUrl?: string): Promise<X509Certificate | null>;
 /**
  * Build OCSP request for a certificate
  * @param cert Certificate to check
@@ -49,4 +50,5 @@ export declare function parseOCSPResponse(responseData: ArrayBuffer): Revocation
 export declare function checkOCSP(cert: X509Certificate, issuerCert: X509Certificate | null, options?: {
     timeout?: number;
     certificateChain?: string[];
+    proxyUrl?: string;
 }): Promise<RevocationResult>;

package/dist/core/revocation/types.d.ts

@@ -29,11 +29,18 @@ export interface RevocationCheckOptions {
     crlTimeout?: number;
     /** Certificate chain for finding issuer (PEM strings) */
     certificateChain?: string[];
+    /**
+     * CORS proxy URL for browser environments.
+     * When set, all OCSP/CRL fetch requests will be routed through this proxy.
+     * The original URL will be URL-encoded and appended as a query parameter.
+     * Example: "https://cors-proxy.example.com/?url="
+     */
+    proxyUrl?: string;
 }
 /**
  * Default options for revocation checking
  */
-export declare const DEFAULT_REVOCATION_OPTIONS: Required<Omit<RevocationCheckOptions, "certificateChain">>;
+export declare const DEFAULT_REVOCATION_OPTIONS: Required<Omit<RevocationCheckOptions, "certificateChain" | "proxyUrl">>;
 /**
  * OID constants for certificate extensions
  */

package/dist/core/timestamp/types.d.ts

@@ -1,4 +1,4 @@
-import { RevocationResult } from "../revocation/types";
+import { RevocationResult, RevocationCheckOptions } from "../revocation/types";
 /**
  * Parsed timestamp information from RFC 3161 TimeStampToken
  */
@@ -45,4 +45,6 @@ export interface TimestampVerificationOptions {
     verifyTsaCertificate?: boolean;
     /** Check TSA certificate revocation */
     checkTsaRevocation?: boolean;
+    /** Options for TSA certificate revocation checking (timeouts, proxy, etc.) */
+    revocationOptions?: RevocationCheckOptions;
 }

package/dist/index.cjs.js

@@ -111,9 +111,16 @@ function createXMLParser() {
 function queryByXPath(parent, xpathExpression, namespaces = NAMESPACES) {
     try {
         // Browser environment with native XPath
-        if (typeof document !== "undefined" && document.evaluate) {
+        if (typeof document !== "undefined" && typeof document.evaluate === "function") {
+            // Use the document that owns the parent node, not the global document
+            const ownerDoc = "ownerDocument" in parent ? parent.ownerDocument : parent;
+            if (!ownerDoc || typeof ownerDoc.evaluate !== "function") {
+                // XMLDocuments from DOMParser don't have evaluate - silently return null
+                // (caller should use DOM traversal fallback)
+                return null;
+            }
             const nsResolver = createNsResolverForBrowser(namespaces);
-            const result = document.evaluate(xpathExpression, parent, nsResolver, XPathResult.FIRST_ORDERED_NODE_TYPE, null);
+            const result = ownerDoc.evaluate(xpathExpression, parent, nsResolver, XPathResult.FIRST_ORDERED_NODE_TYPE, null);
             return result.singleNodeValue;
         }
         // Node.js environment with xpath module
@@ -161,9 +168,16 @@ function queryByXPath(parent, xpathExpression, namespaces = NAMESPACES) {
 function queryAllByXPath(parent, xpathExpression, namespaces = NAMESPACES) {
     try {
         // Browser environment with native XPath
-        if (typeof document !== "undefined" && document.evaluate) {
+        if (typeof document !== "undefined" && typeof document.evaluate === "function") {
+            // Use the document that owns the parent node, not the global document
+            const ownerDoc = "ownerDocument" in parent ? parent.ownerDocument : parent;
+            if (!ownerDoc || typeof ownerDoc.evaluate !== "function") {
+                // XMLDocuments from DOMParser don't have evaluate - silently return empty
+                // (caller should use DOM traversal fallback)
+                return [];
+            }
             const nsResolver = createNsResolverForBrowser(namespaces);
-            const result = document.evaluate(xpathExpression, parent, nsResolver, XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null);
+            const result = ownerDoc.evaluate(xpathExpression, parent, nsResolver, XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null);
             const elements = [];
             for (let i = 0; i < result.snapshotLength; i++) {
                 elements.push(result.snapshotItem(i));
@@ -7926,7 +7940,9 @@ __decorate([
  * @returns FetchResult with binary data or error
  */
 async function fetchBinary(url, options = {}) {
-    const { timeout = 10000, method = "GET", body, contentType, accept } = options;
+    const { timeout = 10000, method = "GET", body, contentType, accept, proxyUrl } = options;
+    // Apply proxy URL if provided
+    const fetchUrl = proxyUrl ? `${proxyUrl}${encodeURIComponent(url)}` : url;
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), timeout);
     try {
@@ -7937,7 +7953,7 @@ async function fetchBinary(url, options = {}) {
         if (accept) {
             headers["Accept"] = accept;
         }
-        const response = await fetch(url, {
+        const response = await fetch(fetchUrl, {
             method,
             headers,
             body: body ? new Uint8Array(body) : undefined,
@@ -7986,41 +8002,47 @@ async function fetchBinary(url, options = {}) {
  * @param url OCSP responder URL
  * @param request DER-encoded OCSP request
  * @param timeout Timeout in milliseconds
+ * @param proxyUrl Optional CORS proxy URL
  * @returns FetchResult with OCSP response data
  */
-async function fetchOCSP(url, request, timeout = 5000) {
+async function fetchOCSP(url, request, timeout = 5000, proxyUrl) {
     return fetchBinary(url, {
         method: "POST",
         body: request,
         contentType: "application/ocsp-request",
         accept: "application/ocsp-response",
         timeout,
+        proxyUrl,
     });
 }
 /**
  * Fetch CRL from distribution point
  * @param url CRL distribution point URL
  * @param timeout Timeout in milliseconds
+ * @param proxyUrl Optional CORS proxy URL
  * @returns FetchResult with CRL data
  */
-async function fetchCRL(url, timeout = 10000) {
+async function fetchCRL(url, timeout = 10000, proxyUrl) {
     return fetchBinary(url, {
         method: "GET",
         accept: "application/pkix-crl",
         timeout,
+        proxyUrl,
     });
 }
 /**
  * Fetch issuer certificate from AIA extension
  * @param url CA Issuers URL
  * @param timeout Timeout in milliseconds
+ * @param proxyUrl Optional CORS proxy URL
  * @returns FetchResult with certificate data
  */
-async function fetchIssuerCertificate(url, timeout = 5000) {
+async function fetchIssuerCertificate(url, timeout = 5000, proxyUrl) {
     return fetchBinary(url, {
         method: "GET",
         accept: "application/pkix-cert",
         timeout,
+        proxyUrl,
     });
 }
 
@@ -8177,13 +8199,14 @@ function findIssuerInChain(cert, chain) {
  * Fetch issuer certificate from AIA extension
  * @param cert Certificate to fetch issuer for
  * @param timeout Timeout in ms
+ * @param proxyUrl Optional CORS proxy URL
  * @returns Issuer certificate or null
  */
-async function fetchIssuerFromAIA(cert, timeout = 5000) {
+async function fetchIssuerFromAIA(cert, timeout = 5000, proxyUrl) {
     const urls = extractCAIssuersUrls(cert);
     for (const url of urls) {
         try {
-            const result = await fetchIssuerCertificate(url, timeout);
+            const result = await fetchIssuerCertificate(url, timeout, proxyUrl);
             if (result.ok && result.data) {
                 // Try to parse as DER first, then PEM
                 try {
@@ -8376,7 +8399,7 @@ function parseOCSPResponse(responseData) {
  * @returns Revocation result
  */
 async function checkOCSP(cert, issuerCert, options = {}) {
-    const { timeout = 5000, certificateChain = [] } = options;
+    const { timeout = 5000, certificateChain = [], proxyUrl } = options;
     const now = new Date();
     // Get OCSP URLs
     const ocspUrls = extractOCSPUrls(cert);
@@ -8397,7 +8420,7 @@ async function checkOCSP(cert, issuerCert, options = {}) {
     }
     if (!issuer) {
         // Try AIA extension
-        issuer = await fetchIssuerFromAIA(cert, timeout);
+        issuer = await fetchIssuerFromAIA(cert, timeout, proxyUrl);
     }
     if (!issuer) {
         return {
@@ -8425,7 +8448,7 @@ async function checkOCSP(cert, issuerCert, options = {}) {
     // Try each OCSP URL
     for (const url of ocspUrls) {
         try {
-            const result = await fetchOCSP(url, request, timeout);
+            const result = await fetchOCSP(url, request, timeout, proxyUrl);
             if (result.ok && result.data) {
                 return parseOCSPResponse(result.data);
             }
@@ -8532,7 +8555,7 @@ function parseCRL(data) {
  * @returns Revocation result
  */
 async function checkCRL(cert, options = {}) {
-    const { timeout = 10000 } = options;
+    const { timeout = 10000, proxyUrl } = options;
     const now = new Date();
     // Get CRL URLs
     const crlUrls = extractCRLUrls(cert);
@@ -8549,7 +8572,7 @@ async function checkCRL(cert, options = {}) {
     const errors = [];
     for (const url of crlUrls) {
         try {
-            const result = await fetchCRL(url, timeout);
+            const result = await fetchCRL(url, timeout, proxyUrl);
             if (!result.ok || !result.data) {
                 errors.push(`${url}: ${result.error || "Failed to fetch"}`);
                 continue;
@@ -8638,6 +8661,7 @@ async function checkCertificateRevocation(cert, options = {}) {
         ocspResult = await checkOCSP(x509Cert, null, {
             timeout: opts.ocspTimeout,
             certificateChain: opts.certificateChain,
+            proxyUrl: options.proxyUrl,
         });
         // If OCSP gives a definitive answer (good or revoked), use it
         if (ocspResult.status === "good" || ocspResult.status === "revoked") {
@@ -8649,6 +8673,7 @@ async function checkCertificateRevocation(cert, options = {}) {
     if (opts.crlEnabled) {
         crlResult = await checkCRL(x509Cert, {
             timeout: opts.crlTimeout,
+            proxyUrl: options.proxyUrl,
         });
         // If CRL gives a definitive answer, use it
         if (crlResult.status === "good" || crlResult.status === "revoked") {
@@ -10111,7 +10136,7 @@ async function verifyTimestamp(timestampBase64, options = {}) {
             // Check TSA certificate revocation if requested
             if (options.checkTsaRevocation !== false) {
                 try {
-                    tsaRevocation = await checkCertificateRevocation(tsaCert);
+                    tsaRevocation = await checkCertificateRevocation(tsaCert, options.revocationOptions);
                     // If TSA certificate is revoked, the timestamp is invalid
                     if (tsaRevocation.status === "revoked") {
                         return {
@@ -10519,6 +10544,7 @@ async function verifySignature(signatureInfo, files, options = {}) {
         timestampResult = await verifyTimestamp(signatureInfo.signatureTimestamp, {
             signatureValue: signatureInfo.signatureValue,
             verifyTsaCertificate: true,
+            revocationOptions: options.revocationOptions,
         });
         if (timestampResult.isValid && timestampResult.info) {
             // Use timestamp time as the trusted signing time