edockit 0.2.2 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/CHANGELOG.md +7 -0
  2. package/dist/index.cjs.js +16 -4
  3. package/dist/index.cjs.js.map +1 -1
  4. package/dist/index.esm.js +16 -4
  5. package/dist/index.esm.js.map +1 -1
  6. package/dist/index.umd.js +10 -10
  7. package/dist/index.umd.js.map +1 -1
  8. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [0.2.3] - 2025-12-30
9
+
10
+ ### Fixed
11
+
12
+ - **Long-Term Validation (LTV) for revoked certificates** - Signatures made before certificate revocation are now correctly validated as valid when a trusted timestamp proves the signing time
13
+
8
14
  ## [0.2.2] - 2025-12-30
9
15
 
10
16
  ### Fixed
@@ -54,6 +60,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
54
60
  - File checksum verification (SHA-256/384/512)
55
61
  - Browser and Node.js support
56
62
 
63
+ [0.2.3]: https://github.com/edgarsj/edockit/compare/v0.2.2...v0.2.3
57
64
  [0.2.2]: https://github.com/edgarsj/edockit/compare/v0.2.1...v0.2.2
58
65
  [0.2.1]: https://github.com/edgarsj/edockit/compare/v0.2.0...v0.2.1
59
66
  [0.2.0]: https://github.com/edgarsj/edockit/compare/v0.1.2...v0.2.0
package/dist/index.cjs.js CHANGED
@@ -10569,11 +10569,23 @@ async function verifySignature(signatureInfo, files, options = {}) {
10569
10569
  ...options.revocationOptions,
10570
10570
  });
10571
10571
  certResult.revocation = revocationResult;
10572
- // If certificate is revoked, mark certificate as invalid
10572
+ // If certificate is revoked, check if signature was made before revocation (LTV)
10573
10573
  if (revocationResult.status === "revoked") {
10574
- certResult.isValid = false;
10575
- certResult.reason = revocationResult.reason || "Certificate has been revoked";
10576
- errors.push(`Certificate revoked: ${revocationResult.reason || "No reason provided"}`);
10574
+ const revokedAt = revocationResult.revokedAt;
10575
+ // Long-Term Validation: if we have a trusted timestamp proving the signature
10576
+ // was made before revocation, the signature is still valid
10577
+ if (revokedAt && trustedSigningTime < revokedAt) {
10578
+ // Signature was made before revocation - still valid (LTV)
10579
+ certResult.revocation.isValid = true;
10580
+ certResult.revocation.reason = `Certificate was revoked on ${revokedAt.toISOString()}, but signature was made on ${trustedSigningTime.toISOString()} (before revocation)`;
10581
+ }
10582
+ else {
10583
+ // Signature was made after revocation or no revocation date available
10584
+ certResult.isValid = false;
10585
+ const revokedAtStr = revokedAt ? ` on ${revokedAt.toISOString()}` : "";
10586
+ certResult.reason = `Certificate was revoked${revokedAtStr}`;
10587
+ errors.push(`Certificate revoked${revokedAtStr}`);
10588
+ }
10577
10589
  }
10578
10590
  // Note: 'unknown' status is a soft fail - certificate remains valid
10579
10591
  // but user can check revocation.status to see if it couldn't be verified