edockit 0.2.2 → 0.2.4

package/CHANGELOG.md

@@ -5,6 +5,22 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.4] - 2025-12-31
+
+### Fixed
+
+- **OCSP issuerKeyHash calculation** - Fixed critical bug where OCSP requests used wrong hash (full SPKI instead of public key BIT STRING), causing incorrect revocation status responses
+- **Timestamp signature coverage verification** - Now correctly verifies that timestamps cover the canonicalized ds:SignatureValue XML element per XAdES (ETSI EN 319 132-1) specification, fixing `coversSignature: false` issue
+- **TSA name formatting** - Fixed timestamp TSA name showing as `[object Object]` instead of readable DN string like `CN=..., O=..., C=...`
+- **Base64 whitespace handling** - Fixed browser `atob` errors when decoding base64 strings containing whitespace from XML
+- **ECDSA signature format normalization** - Fixed signature verification failures for ECDSA signatures with leading zero padding by normalizing to IEEE P1363 format expected by Web Crypto API
+
+## [0.2.3] - 2025-12-30
+
+### Fixed
+
+- **Long-Term Validation (LTV) for revoked certificates** - Signatures made before certificate revocation are now correctly validated as valid when a trusted timestamp proves the signing time
+
 ## [0.2.2] - 2025-12-30
 
 ### Fixed
@@ -54,6 +70,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - File checksum verification (SHA-256/384/512)
 - Browser and Node.js support
 
+[0.2.4]: https://github.com/edgarsj/edockit/compare/v0.2.3...v0.2.4
+[0.2.3]: https://github.com/edgarsj/edockit/compare/v0.2.2...v0.2.3
 [0.2.2]: https://github.com/edgarsj/edockit/compare/v0.2.1...v0.2.2
 [0.2.1]: https://github.com/edgarsj/edockit/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/edgarsj/edockit/compare/v0.1.2...v0.2.0

package/dist/core/parser/types.d.ts

@@ -34,6 +34,7 @@ export interface SignatureInfo {
     references: string[];
     algorithm?: string;
     signatureValue?: string;
+    canonicalSignatureValue?: string;
     signedInfoXml?: string;
     rawXml?: string;
     canonicalizationMethod?: string;

package/dist/core/timestamp/types.d.ts

@@ -39,8 +39,8 @@ export interface TimestampVerificationResult {
  * Options for timestamp verification
  */
 export interface TimestampVerificationOptions {
-    /** The signature value that the timestamp should cover (base64) */
-    signatureValue?: string;
+    /** The canonicalized ds:SignatureValue XML element (per XAdES spec) */
+    canonicalSignatureValue?: string;
     /** Verify the TSA certificate chain */
     verifyTsaCertificate?: boolean;
     /** Check TSA certificate revocation */

package/dist/core/timestamp/verify.d.ts

@@ -7,15 +7,15 @@ import { TimestampInfo, TimestampVerificationResult, TimestampVerificationOption
 export declare function parseTimestamp(timestampBase64: string): TimestampInfo | null;
 /**
  * Verify that timestamp covers the signature value
- * XAdES timestamps can cover either:
- * 1. The decoded signature value bytes (standard per ETSI EN 319 132-1)
- * 2. The base64-encoded string (some implementations)
+ *
+ * Per XAdES (ETSI EN 319 132-1), the SignatureTimeStamp covers the canonicalized
+ * ds:SignatureValue XML element, not just its base64 content.
  *
  * @param timestampInfo Parsed timestamp info
- * @param signatureValueBase64 Base64-encoded signature value
+ * @param canonicalSignatureValue Canonicalized ds:SignatureValue XML element
  * @returns True if the timestamp covers the signature
  */
-export declare function verifyTimestampCoversSignature(timestampInfo: TimestampInfo, signatureValueBase64: string): Promise<boolean>;
+export declare function verifyTimestampCoversSignature(timestampInfo: TimestampInfo, canonicalSignatureValue: string): Promise<boolean>;
 /**
  * Verify an RFC 3161 timestamp token
  * @param timestampBase64 Base64-encoded timestamp token

package/dist/index.cjs.js

@@ -1212,6 +1212,17 @@ function parseSignatureElement(signatureElement, xmlDoc) {
     // Get signature value
     const signatureValueEl = querySelector(signatureElement, "ds\\:SignatureValue, SignatureValue");
     const signatureValue = signatureValueEl?.textContent?.replace(/\s+/g, "") || "";
+    // Compute canonicalized SignatureValue element for timestamp verification
+    let canonicalSignatureValue;
+    if (signatureValueEl) {
+        try {
+            const canonicalizer = new XMLCanonicalizer();
+            canonicalSignatureValue = canonicalizer.canonicalize(signatureValueEl);
+        }
+        catch {
+            // Canonicalization failed - leave undefined
+        }
+    }
     // Get certificate(s)
     let certificate = "";
     let certificatePEM = "";
@@ -1343,6 +1354,7 @@ function parseSignatureElement(signatureElement, xmlDoc) {
         references,
         algorithm: signatureAlgorithm,
         signatureValue,
+        canonicalSignatureValue,
         signedInfoXml,
         canonicalizationMethod,
         signatureTimestamp,
@@ -8068,11 +8080,14 @@ function arrayBufferToBase64(buffer) {
 }
 /**
  * Convert base64 string to ArrayBuffer
+ * Handles base64 strings with whitespace (common in XML)
  */
 function base64ToArrayBuffer(base64) {
+    // Strip whitespace (newlines, spaces, tabs) that may be present in XML
+    const cleanBase64 = base64.replace(/\s/g, "");
     if (typeof atob === "function") {
         // Browser
-        const binary = atob(base64);
+        const binary = atob(cleanBase64);
         const bytes = new Uint8Array(binary.length);
         for (let i = 0; i < binary.length; i++) {
             bytes[i] = binary.charCodeAt(i);
@@ -8080,7 +8095,7 @@ function base64ToArrayBuffer(base64) {
         return bytes.buffer;
     }
     // Node.js
-    const buffer = Buffer.from(base64, "base64");
+    const buffer = Buffer.from(cleanBase64, "base64");
     return buffer.buffer.slice(buffer.byteOffset, buffer.byteOffset + buffer.byteLength);
 }
 /**
@@ -8233,10 +8248,12 @@ async function fetchIssuerFromAIA(cert, timeout = 5000, proxyUrl) {
  */
 async function buildOCSPRequest(cert, issuerCert) {
     // Get issuer name hash (SHA-1 of issuer's DN in DER)
-    const issuerNameDer = AsnConvert.serialize(issuerCert.subjectName.toJSON());
+    // Parse the raw certificate to get the proper ASN.1 structures for serialization
+    const issuerCertAsn = AsnParser.parse(issuerCert.rawData, Certificate);
+    const issuerNameDer = AsnConvert.serialize(issuerCertAsn.tbsCertificate.subject);
     const issuerNameHash = await computeSHA1(issuerNameDer);
-    // Get issuer key hash (SHA-1 of issuer's public key)
-    const issuerKeyHash = await computeSHA1(issuerCert.publicKey.rawData);
+    // Get issuer key hash (SHA-1 of issuer's public key BIT STRING value, not the full SPKI)
+    const issuerKeyHash = await computeSHA1(issuerCertAsn.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey);
     // Get certificate serial number
     const serialNumber = hexToArrayBuffer(cert.serialNumber);
     // Build CertID
@@ -9948,6 +9965,38 @@ function getHashAlgorithmName(oid) {
     };
     return hashAlgorithms[oid] || oid;
 }
+/**
+ * Common OID to attribute name mappings for X.500 distinguished names
+ */
+const oidToAttributeName = {
+    "2.5.4.3": "CN",
+    "2.5.4.6": "C",
+    "2.5.4.7": "L",
+    "2.5.4.8": "ST",
+    "2.5.4.10": "O",
+    "2.5.4.11": "OU",
+    "2.5.4.5": "serialNumber",
+    "1.2.840.113549.1.9.1": "emailAddress",
+};
+/**
+ * Format an X.500 Name (directoryName) to a readable string
+ * @param name The Name object to format
+ * @returns Formatted string like "CN=Example, O=Company, C=US"
+ */
+function formatDirectoryName(name) {
+    const parts = [];
+    for (const rdn of name) {
+        for (const attr of rdn) {
+            const attrName = oidToAttributeName[attr.type] || attr.type;
+            // attr.value can be various ASN.1 string types
+            const value = attr.value?.toString() || "";
+            if (value) {
+                parts.push(`${attrName}=${value}`);
+            }
+        }
+    }
+    return parts.join(", ");
+}
 /**
  * Parse RFC 3161 TimeStampToken from base64
  * @param timestampBase64 Base64-encoded timestamp token
@@ -10003,7 +10052,7 @@ function parseTimestamp(timestampBase64) {
         let tsaName;
         if (tstInfo.tsa) {
             if (tstInfo.tsa.directoryName) {
-                tsaName = tstInfo.tsa.directoryName.toString();
+                tsaName = formatDirectoryName(tstInfo.tsa.directoryName);
             }
             else if (tstInfo.tsa.uniformResourceIdentifier) {
                 tsaName = tstInfo.tsa.uniformResourceIdentifier;
@@ -10059,33 +10108,22 @@ async function computeHash(data, algorithm) {
 }
 /**
  * Verify that timestamp covers the signature value
- * XAdES timestamps can cover either:
- * 1. The decoded signature value bytes (standard per ETSI EN 319 132-1)
- * 2. The base64-encoded string (some implementations)
+ *
+ * Per XAdES (ETSI EN 319 132-1), the SignatureTimeStamp covers the canonicalized
+ * ds:SignatureValue XML element, not just its base64 content.
  *
  * @param timestampInfo Parsed timestamp info
- * @param signatureValueBase64 Base64-encoded signature value
+ * @param canonicalSignatureValue Canonicalized ds:SignatureValue XML element
  * @returns True if the timestamp covers the signature
  */
-async function verifyTimestampCoversSignature(timestampInfo, signatureValueBase64) {
+async function verifyTimestampCoversSignature(timestampInfo, canonicalSignatureValue) {
     try {
         const messageImprintLower = timestampInfo.messageImprint.toLowerCase();
-        // Try 1: Hash of decoded signature value bytes (standard approach)
-        const signatureValue = base64ToArrayBuffer(signatureValueBase64);
-        const computedHash = await computeHash(signatureValue, timestampInfo.hashAlgorithm);
-        const computedHashHex = arrayBufferToHex(computedHash);
-        if (computedHashHex.toLowerCase() === messageImprintLower) {
-            return true;
-        }
-        // Try 2: Hash of base64 string (some implementations)
         const encoder = new TextEncoder();
-        const base64Bytes = encoder.encode(signatureValueBase64);
-        const base64Hash = await computeHash(base64Bytes.buffer, timestampInfo.hashAlgorithm);
-        const base64HashHex = arrayBufferToHex(base64Hash);
-        if (base64HashHex.toLowerCase() === messageImprintLower) {
-            return true;
-        }
-        return false;
+        const canonicalBytes = encoder.encode(canonicalSignatureValue);
+        const canonicalHash = await computeHash(canonicalBytes.buffer, timestampInfo.hashAlgorithm);
+        const canonicalHashHex = arrayBufferToHex(canonicalHash);
+        return canonicalHashHex.toLowerCase() === messageImprintLower;
     }
     catch (error) {
         console.error("Failed to verify timestamp coverage:", error instanceof Error ? error.message : String(error));
@@ -10108,15 +10146,12 @@ async function verifyTimestamp(timestampBase64, options = {}) {
         };
     }
     // Verify timestamp covers the signature if provided
-    // Note: coversSignature failure is informational - the timestamp is still valid
-    // and can be used for genTime. The signature value hashing varies by implementation.
     let coversSignature;
     let coversSignatureReason;
-    if (options.signatureValue) {
-        coversSignature = await verifyTimestampCoversSignature(info, options.signatureValue);
+    if (options.canonicalSignatureValue) {
+        coversSignature = await verifyTimestampCoversSignature(info, options.canonicalSignatureValue);
         if (!coversSignature) {
-            coversSignatureReason =
-                "Could not verify timestamp covers signature (implementation-specific hashing)";
+            coversSignatureReason = "Could not verify timestamp covers signature (hash mismatch)";
         }
     }
     // Verify TSA certificate if requested
@@ -10148,7 +10183,7 @@ async function verifyTimestamp(timestampBase64, options = {}) {
                         };
                     }
                     // Note: 'unknown' status is a soft fail - timestamp remains valid
-                    // but user can check tsaRevocation.status to see if it couldn't be verified
+                    // but user can check tsaRevocation.status to see the actual status
                 }
                 catch (error) {
                     // Revocation check failed - soft fail, add to result but don't invalidate
@@ -10403,6 +10438,115 @@ async function verifyCertificate(certificatePEM, verifyTime = new Date()) {
         };
     }
 }
+/**
+ * Get the expected component size for an ECDSA curve
+ */
+function getEcdsaComponentSize(namedCurve) {
+    switch (namedCurve) {
+        case "P-256":
+            return 32;
+        case "P-384":
+            return 48;
+        case "P-521":
+            return 66;
+        default:
+            return 32; // Default to P-256
+    }
+}
+/**
+ * Normalize ECDSA signature to IEEE P1363 format (raw R||S) expected by Web Crypto API
+ * Handles both raw format with potential padding and DER-encoded signatures
+ */
+function normalizeEcdsaSignature(signatureBytes, namedCurve) {
+    const componentSize = getEcdsaComponentSize(namedCurve);
+    const expectedLength = componentSize * 2;
+    // If already correct length, return as-is
+    if (signatureBytes.length === expectedLength) {
+        return signatureBytes;
+    }
+    // Check if it's DER-encoded (starts with SEQUENCE tag 0x30)
+    if (signatureBytes[0] === 0x30) {
+        return derToRawEcdsa(signatureBytes, componentSize);
+    }
+    // Handle raw R||S with potential leading zeros
+    // Some implementations pad R and S with leading zeros
+    if (signatureBytes.length > expectedLength) {
+        const halfLength = signatureBytes.length / 2;
+        if (Number.isInteger(halfLength)) {
+            const r = signatureBytes.slice(0, halfLength);
+            const s = signatureBytes.slice(halfLength);
+            // Normalize R and S to exact component size
+            const normalizedR = normalizeComponent(r, componentSize);
+            const normalizedS = normalizeComponent(s, componentSize);
+            const result = new Uint8Array(expectedLength);
+            result.set(normalizedR, 0);
+            result.set(normalizedS, componentSize);
+            return result;
+        }
+    }
+    // Return as-is if we can't normalize
+    return signatureBytes;
+}
+/**
+ * Normalize a single ECDSA component (R or S) to exact size
+ * Strips leading zeros or pads with leading zeros as needed
+ */
+function normalizeComponent(component, size) {
+    // Strip leading zeros
+    let start = 0;
+    while (start < component.length - 1 && component[start] === 0) {
+        start++;
+    }
+    const stripped = component.slice(start);
+    if (stripped.length === size) {
+        return stripped;
+    }
+    else if (stripped.length < size) {
+        // Pad with leading zeros
+        const padded = new Uint8Array(size);
+        padded.set(stripped, size - stripped.length);
+        return padded;
+    }
+    else {
+        // Component too large - take the last 'size' bytes
+        return stripped.slice(stripped.length - size);
+    }
+}
+/**
+ * Convert DER-encoded ECDSA signature to raw IEEE P1363 format
+ */
+function derToRawEcdsa(derSignature, componentSize) {
+    // DER structure: SEQUENCE { INTEGER r, INTEGER s }
+    // 0x30 len 0x02 rLen r... 0x02 sLen s...
+    let offset = 0;
+    // Skip SEQUENCE tag
+    if (derSignature[offset++] !== 0x30) {
+        throw new Error("Invalid DER signature: missing SEQUENCE tag");
+    }
+    // Skip sequence length (may be 1 or 2 bytes)
+    const seqLen = derSignature[offset++];
+    if (seqLen & 0x80) {
+        offset += seqLen & 0x7f; // Skip length bytes
+    }
+    // Parse R
+    if (derSignature[offset++] !== 0x02) {
+        throw new Error("Invalid DER signature: missing INTEGER tag for R");
+    }
+    const rLen = derSignature[offset++];
+    const r = derSignature.slice(offset, offset + rLen);
+    offset += rLen;
+    // Parse S
+    if (derSignature[offset++] !== 0x02) {
+        throw new Error("Invalid DER signature: missing INTEGER tag for S");
+    }
+    const sLen = derSignature[offset++];
+    const s = derSignature.slice(offset, offset + sLen);
+    // Normalize and concatenate
+    const result = new Uint8Array(componentSize * 2);
+    result.set(normalizeComponent(r, componentSize), 0);
+    result.set(normalizeComponent(s, componentSize), componentSize);
+    return result;
+}
 /**
  * Safely get the crypto.subtle implementation in either browser or Node.js
  * @returns The SubtleCrypto interface
@@ -10454,6 +10598,10 @@ async function verifySignedInfo(signatureXml, signatureValue, publicKeyData, alg
                 reason: `Failed to decode signature value: ${error instanceof Error ? error.message : String(error)}`,
             };
         }
+        // For ECDSA, normalize signature to IEEE P1363 format (raw R||S) expected by Web Crypto
+        if (algorithm.name === "ECDSA") {
+            signatureBytes = normalizeEcdsaSignature(signatureBytes, algorithm.namedCurve);
+        }
         // Import the public key
         let publicKey;
         try {
@@ -10542,7 +10690,7 @@ async function verifySignature(signatureInfo, files, options = {}) {
     let trustedSigningTime = options.verifyTime || signatureInfo.signingTime;
     if (signatureInfo.signatureTimestamp && options.verifyTimestamps !== false) {
         timestampResult = await verifyTimestamp(signatureInfo.signatureTimestamp, {
-            signatureValue: signatureInfo.signatureValue,
+            canonicalSignatureValue: signatureInfo.canonicalSignatureValue,
             verifyTsaCertificate: true,
             revocationOptions: options.revocationOptions,
         });
@@ -10569,14 +10717,28 @@ async function verifySignature(signatureInfo, files, options = {}) {
                 ...options.revocationOptions,
             });
             certResult.revocation = revocationResult;
-            // If certificate is revoked, mark certificate as invalid
+            // If certificate is revoked, check if signature was made before revocation (LTV)
             if (revocationResult.status === "revoked") {
-                certResult.isValid = false;
-                certResult.reason = revocationResult.reason || "Certificate has been revoked";
-                errors.push(`Certificate revoked: ${revocationResult.reason || "No reason provided"}`);
+                const revokedAt = revocationResult.revokedAt;
+                const hasValidRevocationTime = revokedAt && revokedAt.getTime() > 0;
+                // Long-Term Validation: if we have a trusted timestamp proving the signature
+                // was made before revocation, the signature is still valid
+                if (hasValidRevocationTime && trustedSigningTime < revokedAt) {
+                    // Signature was made before revocation - still valid (LTV)
+                    certResult.revocation.isValid = true;
+                    certResult.revocation.reason = `Certificate was revoked on ${revokedAt.toISOString()}, but signature was made on ${trustedSigningTime.toISOString()} (before revocation)`;
+                }
+                else {
+                    // Signature was made after revocation or no valid revocation date available
+                    certResult.isValid = false;
+                    const revokedAtStr = hasValidRevocationTime ? ` on ${revokedAt.toISOString()}` : "";
+                    certResult.reason =
+                        revocationResult.reason || `Certificate has been revoked${revokedAtStr}`;
+                    errors.push(revocationResult.reason || `Certificate revoked${revokedAtStr}`);
+                }
             }
             // Note: 'unknown' status is a soft fail - certificate remains valid
-            // but user can check revocation.status to see if it couldn't be verified
+            // but user can check revocation.status to see the actual status
         }
         catch (error) {
             // Revocation check failed - soft fail, add to result but don't invalidate