edockit 0.2.2 → 0.2.3

package/dist/index.esm.js

@@ -10565,11 +10565,23 @@ async function verifySignature(signatureInfo, files, options = {}) {
                 ...options.revocationOptions,
             });
             certResult.revocation = revocationResult;
-            // If certificate is revoked, mark certificate as invalid
+            // If certificate is revoked, check if signature was made before revocation (LTV)
             if (revocationResult.status === "revoked") {
-                certResult.isValid = false;
-                certResult.reason = revocationResult.reason || "Certificate has been revoked";
-                errors.push(`Certificate revoked: ${revocationResult.reason || "No reason provided"}`);
+                const revokedAt = revocationResult.revokedAt;
+                // Long-Term Validation: if we have a trusted timestamp proving the signature
+                // was made before revocation, the signature is still valid
+                if (revokedAt && trustedSigningTime < revokedAt) {
+                    // Signature was made before revocation - still valid (LTV)
+                    certResult.revocation.isValid = true;
+                    certResult.revocation.reason = `Certificate was revoked on ${revokedAt.toISOString()}, but signature was made on ${trustedSigningTime.toISOString()} (before revocation)`;
+                }
+                else {
+                    // Signature was made after revocation or no revocation date available
+                    certResult.isValid = false;
+                    const revokedAtStr = revokedAt ? ` on ${revokedAt.toISOString()}` : "";
+                    certResult.reason = `Certificate was revoked${revokedAtStr}`;
+                    errors.push(`Certificate revoked${revokedAtStr}`);
+                }
             }
             // Note: 'unknown' status is a soft fail - certificate remains valid
             // but user can check revocation.status to see if it couldn't be verified