edockit 0.2.0 → 0.2.2

package/dist/index.esm.js

@@ -107,9 +107,16 @@ function createXMLParser() {
 function queryByXPath(parent, xpathExpression, namespaces = NAMESPACES) {
     try {
         // Browser environment with native XPath
-        if (typeof document !== "undefined" && document.evaluate) {
+        if (typeof document !== "undefined" && typeof document.evaluate === "function") {
+            // Use the document that owns the parent node, not the global document
+            const ownerDoc = "ownerDocument" in parent ? parent.ownerDocument : parent;
+            if (!ownerDoc || typeof ownerDoc.evaluate !== "function") {
+                // XMLDocuments from DOMParser don't have evaluate - silently return null
+                // (caller should use DOM traversal fallback)
+                return null;
+            }
             const nsResolver = createNsResolverForBrowser(namespaces);
-            const result = document.evaluate(xpathExpression, parent, nsResolver, XPathResult.FIRST_ORDERED_NODE_TYPE, null);
+            const result = ownerDoc.evaluate(xpathExpression, parent, nsResolver, XPathResult.FIRST_ORDERED_NODE_TYPE, null);
             return result.singleNodeValue;
         }
         // Node.js environment with xpath module
@@ -157,9 +164,16 @@ function queryByXPath(parent, xpathExpression, namespaces = NAMESPACES) {
 function queryAllByXPath(parent, xpathExpression, namespaces = NAMESPACES) {
     try {
         // Browser environment with native XPath
-        if (typeof document !== "undefined" && document.evaluate) {
+        if (typeof document !== "undefined" && typeof document.evaluate === "function") {
+            // Use the document that owns the parent node, not the global document
+            const ownerDoc = "ownerDocument" in parent ? parent.ownerDocument : parent;
+            if (!ownerDoc || typeof ownerDoc.evaluate !== "function") {
+                // XMLDocuments from DOMParser don't have evaluate - silently return empty
+                // (caller should use DOM traversal fallback)
+                return [];
+            }
             const nsResolver = createNsResolverForBrowser(namespaces);
-            const result = document.evaluate(xpathExpression, parent, nsResolver, XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null);
+            const result = ownerDoc.evaluate(xpathExpression, parent, nsResolver, XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null);
             const elements = [];
             for (let i = 0; i < result.snapshotLength; i++) {
                 elements.push(result.snapshotItem(i));
@@ -7922,7 +7936,9 @@ __decorate([
  * @returns FetchResult with binary data or error
  */
 async function fetchBinary(url, options = {}) {
-    const { timeout = 10000, method = "GET", body, contentType, accept } = options;
+    const { timeout = 10000, method = "GET", body, contentType, accept, proxyUrl } = options;
+    // Apply proxy URL if provided
+    const fetchUrl = proxyUrl ? `${proxyUrl}${encodeURIComponent(url)}` : url;
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), timeout);
     try {
@@ -7933,7 +7949,7 @@ async function fetchBinary(url, options = {}) {
         if (accept) {
             headers["Accept"] = accept;
         }
-        const response = await fetch(url, {
+        const response = await fetch(fetchUrl, {
             method,
             headers,
             body: body ? new Uint8Array(body) : undefined,
@@ -7982,41 +7998,47 @@ async function fetchBinary(url, options = {}) {
  * @param url OCSP responder URL
  * @param request DER-encoded OCSP request
  * @param timeout Timeout in milliseconds
+ * @param proxyUrl Optional CORS proxy URL
  * @returns FetchResult with OCSP response data
  */
-async function fetchOCSP(url, request, timeout = 5000) {
+async function fetchOCSP(url, request, timeout = 5000, proxyUrl) {
     return fetchBinary(url, {
         method: "POST",
         body: request,
         contentType: "application/ocsp-request",
         accept: "application/ocsp-response",
         timeout,
+        proxyUrl,
     });
 }
 /**
  * Fetch CRL from distribution point
  * @param url CRL distribution point URL
  * @param timeout Timeout in milliseconds
+ * @param proxyUrl Optional CORS proxy URL
  * @returns FetchResult with CRL data
  */
-async function fetchCRL(url, timeout = 10000) {
+async function fetchCRL(url, timeout = 10000, proxyUrl) {
     return fetchBinary(url, {
         method: "GET",
         accept: "application/pkix-crl",
         timeout,
+        proxyUrl,
     });
 }
 /**
  * Fetch issuer certificate from AIA extension
  * @param url CA Issuers URL
  * @param timeout Timeout in milliseconds
+ * @param proxyUrl Optional CORS proxy URL
  * @returns FetchResult with certificate data
  */
-async function fetchIssuerCertificate(url, timeout = 5000) {
+async function fetchIssuerCertificate(url, timeout = 5000, proxyUrl) {
     return fetchBinary(url, {
         method: "GET",
         accept: "application/pkix-cert",
         timeout,
+        proxyUrl,
     });
 }
 
@@ -8173,13 +8195,14 @@ function findIssuerInChain(cert, chain) {
  * Fetch issuer certificate from AIA extension
  * @param cert Certificate to fetch issuer for
  * @param timeout Timeout in ms
+ * @param proxyUrl Optional CORS proxy URL
  * @returns Issuer certificate or null
  */
-async function fetchIssuerFromAIA(cert, timeout = 5000) {
+async function fetchIssuerFromAIA(cert, timeout = 5000, proxyUrl) {
     const urls = extractCAIssuersUrls(cert);
     for (const url of urls) {
         try {
-            const result = await fetchIssuerCertificate(url, timeout);
+            const result = await fetchIssuerCertificate(url, timeout, proxyUrl);
             if (result.ok && result.data) {
                 // Try to parse as DER first, then PEM
                 try {
@@ -8372,7 +8395,7 @@ function parseOCSPResponse(responseData) {
  * @returns Revocation result
  */
 async function checkOCSP(cert, issuerCert, options = {}) {
-    const { timeout = 5000, certificateChain = [] } = options;
+    const { timeout = 5000, certificateChain = [], proxyUrl } = options;
     const now = new Date();
     // Get OCSP URLs
     const ocspUrls = extractOCSPUrls(cert);
@@ -8393,7 +8416,7 @@ async function checkOCSP(cert, issuerCert, options = {}) {
     }
     if (!issuer) {
         // Try AIA extension
-        issuer = await fetchIssuerFromAIA(cert, timeout);
+        issuer = await fetchIssuerFromAIA(cert, timeout, proxyUrl);
     }
     if (!issuer) {
         return {
@@ -8421,7 +8444,7 @@ async function checkOCSP(cert, issuerCert, options = {}) {
     // Try each OCSP URL
     for (const url of ocspUrls) {
         try {
-            const result = await fetchOCSP(url, request, timeout);
+            const result = await fetchOCSP(url, request, timeout, proxyUrl);
             if (result.ok && result.data) {
                 return parseOCSPResponse(result.data);
             }
@@ -8528,7 +8551,7 @@ function parseCRL(data) {
  * @returns Revocation result
  */
 async function checkCRL(cert, options = {}) {
-    const { timeout = 10000 } = options;
+    const { timeout = 10000, proxyUrl } = options;
     const now = new Date();
     // Get CRL URLs
     const crlUrls = extractCRLUrls(cert);
@@ -8545,7 +8568,7 @@ async function checkCRL(cert, options = {}) {
     const errors = [];
     for (const url of crlUrls) {
         try {
-            const result = await fetchCRL(url, timeout);
+            const result = await fetchCRL(url, timeout, proxyUrl);
             if (!result.ok || !result.data) {
                 errors.push(`${url}: ${result.error || "Failed to fetch"}`);
                 continue;
@@ -8634,6 +8657,7 @@ async function checkCertificateRevocation(cert, options = {}) {
         ocspResult = await checkOCSP(x509Cert, null, {
             timeout: opts.ocspTimeout,
             certificateChain: opts.certificateChain,
+            proxyUrl: options.proxyUrl,
         });
         // If OCSP gives a definitive answer (good or revoked), use it
         if (ocspResult.status === "good" || ocspResult.status === "revoked") {
@@ -8645,6 +8669,7 @@ async function checkCertificateRevocation(cert, options = {}) {
     if (opts.crlEnabled) {
         crlResult = await checkCRL(x509Cert, {
             timeout: opts.crlTimeout,
+            proxyUrl: options.proxyUrl,
         });
         // If CRL gives a definitive answer, use it
         if (crlResult.status === "good" || crlResult.status === "revoked") {
@@ -10107,7 +10132,7 @@ async function verifyTimestamp(timestampBase64, options = {}) {
             // Check TSA certificate revocation if requested
             if (options.checkTsaRevocation !== false) {
                 try {
-                    tsaRevocation = await checkCertificateRevocation(tsaCert);
+                    tsaRevocation = await checkCertificateRevocation(tsaCert, options.revocationOptions);
                     // If TSA certificate is revoked, the timestamp is invalid
                     if (tsaRevocation.status === "revoked") {
                         return {
@@ -10515,6 +10540,7 @@ async function verifySignature(signatureInfo, files, options = {}) {
         timestampResult = await verifyTimestamp(signatureInfo.signatureTimestamp, {
             signatureValue: signatureInfo.signatureValue,
             verifyTsaCertificate: true,
+            revocationOptions: options.revocationOptions,
         });
         if (timestampResult.isValid && timestampResult.info) {
             // Use timestamp time as the trusted signing time