edockit 0.2.1 → 0.2.3
- package/CHANGELOG.md +15 -0
- package/dist/core/timestamp/types.d.ts +3 -1
- package/dist/index.cjs.js +36 -9
- package/dist/index.cjs.js.map +1 -1
- package/dist/index.esm.js +36 -9
- package/dist/index.esm.js.map +1 -1
- package/dist/index.umd.js +10 -10
- package/dist/index.umd.js.map +1 -1
- package/package.json +1 -1
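--- a/package/dist/index.esm.js
+++ b/package/dist/index.esm.js
@@ -107,9 +107,16 @@ function createXMLParser() {
 function queryByXPath(parent, xpathExpression, namespaces = NAMESPACES) {
 try {
 // Browser environment with native XPath
-if (typeof document !== "undefined" && document.evaluate) {
+if (typeof document !== "undefined" && typeof document.evaluate === "function") {
+// Use the document that owns the parent node, not the global document
+const ownerDoc = "ownerDocument" in parent ? parent.ownerDocument : parent;
+if (!ownerDoc || typeof ownerDoc.evaluate !== "function") {
+// XMLDocuments from DOMParser don't have evaluate - silently return null
+// (caller should use DOM traversal fallback)
+return null;
+}
 const nsResolver = createNsResolverForBrowser(namespaces);
-const result =
+const result = ownerDoc.evaluate(xpathExpression, parent, nsResolver, XPathResult.FIRST_ORDERED_NODE_TYPE, null);
 return result.singleNodeValue;
 }
 // Node.js environment with xpath module
@@ -157,9 +164,16 @@ function queryByXPath(parent, xpathExpression, namespaces = NAMESPACES) {
 function queryAllByXPath(parent, xpathExpression, namespaces = NAMESPACES) {
 try {
 // Browser environment with native XPath
-if (typeof document !== "undefined" && document.evaluate) {
+if (typeof document !== "undefined" && typeof document.evaluate === "function") {
+// Use the document that owns the parent node, not the global document
+const ownerDoc = "ownerDocument" in parent ? parent.ownerDocument : parent;
+if (!ownerDoc || typeof ownerDoc.evaluate !== "function") {
+// XMLDocuments from DOMParser don't have evaluate - silently return empty
+// (caller should use DOM traversal fallback)
+return [];
+}
 const nsResolver = createNsResolverForBrowser(namespaces);
-const result =
+const result = ownerDoc.evaluate(xpathExpression, parent, nsResolver, XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null);
 const elements = [];
 for (let i = 0; i < result.snapshotLength; i++) {
 elements.push(result.snapshotItem(i));
@@ -10118,7 +10132,7 @@ async function verifyTimestamp(timestampBase64, options = {}) {
 // Check TSA certificate revocation if requested
 if (options.checkTsaRevocation !== false) {
 try {
-tsaRevocation = await checkCertificateRevocation(tsaCert);
+tsaRevocation = await checkCertificateRevocation(tsaCert, options.revocationOptions);
 // If TSA certificate is revoked, the timestamp is invalid
 if (tsaRevocation.status === "revoked") {
 return {
@@ -10526,6 +10540,7 @@ async function verifySignature(signatureInfo, files, options = {}) {
 timestampResult = await verifyTimestamp(signatureInfo.signatureTimestamp, {
 signatureValue: signatureInfo.signatureValue,
 verifyTsaCertificate: true,
+revocationOptions: options.revocationOptions,
 });
 if (timestampResult.isValid && timestampResult.info) {
 // Use timestamp time as the trusted signing time
@@ -10550,11 +10565,23 @@ async function verifySignature(signatureInfo, files, options = {}) {
 ...options.revocationOptions,
 });
 certResult.revocation = revocationResult;
-// If certificate is revoked,
+// If certificate is revoked, check if signature was made before revocation (LTV)
 if (revocationResult.status === "revoked") {
-
-
-
+const revokedAt = revocationResult.revokedAt;
+// Long-Term Validation: if we have a trusted timestamp proving the signature
+// was made before revocation, the signature is still valid
+if (revokedAt && trustedSigningTime < revokedAt) {
+// Signature was made before revocation - still valid (LTV)
+certResult.revocation.isValid = true;
+certResult.revocation.reason = `Certificate was revoked on ${revokedAt.toISOString()}, but signature was made on ${trustedSigningTime.toISOString()} (before revocation)`;
+}
+else {
+// Signature was made after revocation or no revocation date available
+certResult.isValid = false;
+const revokedAtStr = revokedAt ? ` on ${revokedAt.toISOString()}` : "";
+certResult.reason = `Certificate was revoked${revokedAtStr}`;
+errors.push(`Certificate revoked${revokedAtStr}`);
+}
 }
 // Note: 'unknown' status is a soft fail - certificate remains valid
 // but user can check revocation.status to see if it couldn't be verified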
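Review bot: In the last hunk (verifySignature, inside the `revocationResult.status === "revoked"` branch) the LTV exemption is gated only on `revokedAt && trustedSigningTime < revokedAt`, and nothing visible confirms that `trustedSigningTime` came from a verified timestamp token. Its assignment is outside the hunk, so this is inferred: if it can fall back to a signer-asserted or default time when `timestampResult` is missing or invalid, a signature made with an already revoked key would be accepted just by carrying an earlier claimed time. I would tie the exemption to the timestamp result, e.g. `if (revokedAt && timestampResult?.isValid && trustedSigningTime < revokedAt) {`, and fail closed otherwise. The accepted path also leaves `revocation.status` as "revoked" while setting `revocation.isValid = true`, which deserves a short comment for callers that read only the status.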