edockit 0.2.1 → 0.2.3

package/CHANGELOG.md

@@ -5,6 +5,19 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.3] - 2025-12-30
+
+### Fixed
+
+- **Long-Term Validation (LTV) for revoked certificates** - Signatures made before certificate revocation are now correctly validated as valid when a trusted timestamp proves the signing time
+
+## [0.2.2] - 2025-12-30
+
+### Fixed
+
+- **proxyUrl now works for timestamp revocation** - TSA certificate revocation checks now correctly use the proxy
+- **XPath DOM mismatch error in browser** - Fixed "Node cannot be used in a document other than the one in which it was created" error when parsing XML in browsers
+
 ## [0.2.1] - 2025-12-30
 
 ### Added
@@ -47,6 +60,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - File checksum verification (SHA-256/384/512)
 - Browser and Node.js support
 
+[0.2.3]: https://github.com/edgarsj/edockit/compare/v0.2.2...v0.2.3
+[0.2.2]: https://github.com/edgarsj/edockit/compare/v0.2.1...v0.2.2
 [0.2.1]: https://github.com/edgarsj/edockit/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/edgarsj/edockit/compare/v0.1.2...v0.2.0
 [0.1.2]: https://github.com/edgarsj/edockit/releases/tag/v0.1.2

package/dist/core/timestamp/types.d.ts

@@ -1,4 +1,4 @@
-import { RevocationResult } from "../revocation/types";
+import { RevocationResult, RevocationCheckOptions } from "../revocation/types";
 /**
  * Parsed timestamp information from RFC 3161 TimeStampToken
  */
@@ -45,4 +45,6 @@ export interface TimestampVerificationOptions {
     verifyTsaCertificate?: boolean;
     /** Check TSA certificate revocation */
     checkTsaRevocation?: boolean;
+    /** Options for TSA certificate revocation checking (timeouts, proxy, etc.) */
+    revocationOptions?: RevocationCheckOptions;
 }

package/dist/index.cjs.js

@@ -111,9 +111,16 @@ function createXMLParser() {
 function queryByXPath(parent, xpathExpression, namespaces = NAMESPACES) {
     try {
         // Browser environment with native XPath
-        if (typeof document !== "undefined" && document.evaluate) {
+        if (typeof document !== "undefined" && typeof document.evaluate === "function") {
+            // Use the document that owns the parent node, not the global document
+            const ownerDoc = "ownerDocument" in parent ? parent.ownerDocument : parent;
+            if (!ownerDoc || typeof ownerDoc.evaluate !== "function") {
+                // XMLDocuments from DOMParser don't have evaluate - silently return null
+                // (caller should use DOM traversal fallback)
+                return null;
+            }
             const nsResolver = createNsResolverForBrowser(namespaces);
-            const result = document.evaluate(xpathExpression, parent, nsResolver, XPathResult.FIRST_ORDERED_NODE_TYPE, null);
+            const result = ownerDoc.evaluate(xpathExpression, parent, nsResolver, XPathResult.FIRST_ORDERED_NODE_TYPE, null);
             return result.singleNodeValue;
         }
         // Node.js environment with xpath module
@@ -161,9 +168,16 @@ function queryByXPath(parent, xpathExpression, namespaces = NAMESPACES) {
 function queryAllByXPath(parent, xpathExpression, namespaces = NAMESPACES) {
     try {
         // Browser environment with native XPath
-        if (typeof document !== "undefined" && document.evaluate) {
+        if (typeof document !== "undefined" && typeof document.evaluate === "function") {
+            // Use the document that owns the parent node, not the global document
+            const ownerDoc = "ownerDocument" in parent ? parent.ownerDocument : parent;
+            if (!ownerDoc || typeof ownerDoc.evaluate !== "function") {
+                // XMLDocuments from DOMParser don't have evaluate - silently return empty
+                // (caller should use DOM traversal fallback)
+                return [];
+            }
             const nsResolver = createNsResolverForBrowser(namespaces);
-            const result = document.evaluate(xpathExpression, parent, nsResolver, XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null);
+            const result = ownerDoc.evaluate(xpathExpression, parent, nsResolver, XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null);
             const elements = [];
             for (let i = 0; i < result.snapshotLength; i++) {
                 elements.push(result.snapshotItem(i));
@@ -10122,7 +10136,7 @@ async function verifyTimestamp(timestampBase64, options = {}) {
             // Check TSA certificate revocation if requested
             if (options.checkTsaRevocation !== false) {
                 try {
-                    tsaRevocation = await checkCertificateRevocation(tsaCert);
+                    tsaRevocation = await checkCertificateRevocation(tsaCert, options.revocationOptions);
                     // If TSA certificate is revoked, the timestamp is invalid
                     if (tsaRevocation.status === "revoked") {
                         return {
@@ -10530,6 +10544,7 @@ async function verifySignature(signatureInfo, files, options = {}) {
         timestampResult = await verifyTimestamp(signatureInfo.signatureTimestamp, {
             signatureValue: signatureInfo.signatureValue,
             verifyTsaCertificate: true,
+            revocationOptions: options.revocationOptions,
         });
         if (timestampResult.isValid && timestampResult.info) {
             // Use timestamp time as the trusted signing time
@@ -10554,11 +10569,23 @@ async function verifySignature(signatureInfo, files, options = {}) {
                 ...options.revocationOptions,
             });
             certResult.revocation = revocationResult;
-            // If certificate is revoked, mark certificate as invalid
+            // If certificate is revoked, check if signature was made before revocation (LTV)
             if (revocationResult.status === "revoked") {
-                certResult.isValid = false;
-                certResult.reason = revocationResult.reason || "Certificate has been revoked";
-                errors.push(`Certificate revoked: ${revocationResult.reason || "No reason provided"}`);
+                const revokedAt = revocationResult.revokedAt;
+                // Long-Term Validation: if we have a trusted timestamp proving the signature
+                // was made before revocation, the signature is still valid
+                if (revokedAt && trustedSigningTime < revokedAt) {
+                    // Signature was made before revocation - still valid (LTV)
+                    certResult.revocation.isValid = true;
+                    certResult.revocation.reason = `Certificate was revoked on ${revokedAt.toISOString()}, but signature was made on ${trustedSigningTime.toISOString()} (before revocation)`;
+                }
+                else {
+                    // Signature was made after revocation or no revocation date available
+                    certResult.isValid = false;
+                    const revokedAtStr = revokedAt ? ` on ${revokedAt.toISOString()}` : "";
+                    certResult.reason = `Certificate was revoked${revokedAtStr}`;
+                    errors.push(`Certificate revoked${revokedAtStr}`);
+                }
             }
             // Note: 'unknown' status is a soft fail - certificate remains valid
             // but user can check revocation.status to see if it couldn't be verified