npm - edockit - Versions diffs - 0.2.4 → 0.3.0 - Mend

edockit 0.2.4 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/CHANGELOG.md +19 -0
package/README.md +33 -10
package/dist/core/rsa-digestinfo-workaround.d.ts +29 -0
package/dist/core/verification.d.ts +28 -0
package/dist/index.cjs.js +502 -25
package/dist/index.cjs.js.map +1 -1
package/dist/index.esm.js +502 -25
package/dist/index.esm.js.map +1 -1
package/dist/index.umd.js +12 -15
package/dist/index.umd.js.map +1 -1
package/package.json +3 -1

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.3.0] - 2026-01-04
+### Added
+- **Multi-state validation results** - `VerificationResult` now includes granular status beyond boolean `isValid`:
+  - `status`: `"VALID"` | `"INVALID"` | `"INDETERMINATE"` | `"UNSUPPORTED"`
+  - `statusMessage`: Human-readable explanation
+  - `limitations`: Array describing platform/environment constraints
+- **Platform limitation detection** - Detect unsupported RSA key sizes (>4096 bits) in Safari/WebKit and return `UNSUPPORTED` status instead of failing as `INVALID`
+- **Cross-browser testing** - Added Safari/WebKit and Firefox to browser test suite locally
+### Fixed
+- **C14N 1.1 canonicalization** - Fixed bug where C14N 1.1 incorrectly added newlines between XML elements when the original had none. This caused signature verification to fail for compact XML.
+- **INDETERMINATE for expired timestamps** - Return `INDETERMINATE` status (instead of `INVALID`) when timestamp or certificate has expired but signature is otherwise valid
+- **Legacy RSA DigestInfo verification** - Fix signature verification for old documents signed with pre-Java 8 tools that produced non-standard DigestInfo format (missing NULL in AlgorithmIdentifier)
 ## [0.2.4] - 2025-12-31
 ### Fixed
@@ -70,6 +87,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - File checksum verification (SHA-256/384/512)
 - Browser and Node.js support
+[Unreleased]: https://github.com/edgarsj/edockit/compare/v0.3.0...HEAD
+[0.3.0]: https://github.com/edgarsj/edockit/compare/v0.2.4...v0.3.0
 [0.2.4]: https://github.com/edgarsj/edockit/compare/v0.2.3...v0.2.4
 [0.2.3]: https://github.com/edgarsj/edockit/compare/v0.2.2...v0.2.3
 [0.2.2]: https://github.com/edgarsj/edockit/compare/v0.2.1...v0.2.2

package/README.md CHANGED Viewed

@@ -51,7 +51,14 @@ const result = await verifySignature(container.signatures[0], container.files, {
   verifyTime: new Date()   // Verify certificate at specific time (default: timestamp time if present, otherwise now)
 });
 // result = {
-//   isValid: boolean,                // Overall validity
+//   isValid: boolean,                // Overall validity (for backwards compatibility)
+//   status: 'VALID' | 'INVALID' | 'INDETERMINATE' | 'UNSUPPORTED',  // Granular status
+//   statusMessage?: string,          // Human-readable explanation
+//   limitations?: [{                 // Platform/environment constraints (if any)
+//     code: string,                  // e.g., 'RSA_KEY_SIZE_UNSUPPORTED'
+//     description: string,
+//     platform?: string              // e.g., 'Safari/WebKit'
+//   }],
 //   certificate: {
 //     isValid: boolean,              // Certificate validity (time-based)
 //     revocation: {                  // Revocation check result
@@ -90,7 +97,22 @@ for (const signature of container.signatures) {
     checkRevocation: true,
     verifyTimestamps: true
   });
-  console.log(`Signature valid: ${result.isValid}`);
+  // Use granular status for detailed handling
+  console.log(`Status: ${result.status}`);  // VALID, INVALID, INDETERMINATE, or UNSUPPORTED
+  if (result.status === 'VALID') {
+    console.log('Signature is valid');
+  } else if (result.status === 'UNSUPPORTED') {
+    // Platform limitation (e.g., RSA >4096 bits in Safari)
+    console.log(`Cannot verify: ${result.statusMessage}`);
+  } else if (result.status === 'INDETERMINATE') {
+    // Can't conclude (e.g., revocation status unknown)
+    console.log(`Inconclusive: ${result.statusMessage}`);
+  } else {
+    // INVALID - definitely wrong
+    console.log(`Invalid: ${result.statusMessage}`);
+  }
   if (result.timestamp?.info) {
     console.log(`Signed at (TSA): ${result.timestamp.info.genTime}`);
@@ -99,10 +121,6 @@ for (const signature of container.signatures) {
   if (result.certificate.revocation) {
     console.log(`Revocation status: ${result.certificate.revocation.status}`);
   }
-  if (!result.isValid && result.errors) {
-    console.log(`Errors: ${result.errors.join(', ')}`);
-  }
 }
 ```
@@ -128,14 +146,19 @@ async function verifyDocument(url) {
       },
     });
-    console.log(`Valid: ${result.isValid}`);
+    // Handle different validation states
+    if (result.status === 'VALID') {
+      console.log('Signature verified successfully');
+    } else if (result.status === 'UNSUPPORTED') {
+      // Some signatures can't be verified in certain browsers (e.g., RSA >4096 in Safari)
+      console.log(`Browser limitation: ${result.statusMessage}`);
+    } else {
+      console.log(`${result.status}: ${result.statusMessage}`);
+    }
     if (result.timestamp?.info) {
       console.log(`Timestamp: ${result.timestamp.info.genTime}`);
     }
-    if (result.certificate.revocation) {
-      console.log(`Revocation: ${result.certificate.revocation.status}`);
-    }
   }
 }
 ```

package/dist/core/rsa-digestinfo-workaround.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * RSA DigestInfo Workaround
+ *
+ * Some older signing tools (particularly pre-Java 8) produced RSA signatures with
+ * non-standard DigestInfo format - missing the NULL parameter in AlgorithmIdentifier.
+ *
+ * Standard DigestInfo for SHA-1:  30 21 30 09 06 05 2b0e03021a 05 00 04 14 [hash]
+ * Non-standard (missing NULL):    30 1f 30 07 06 05 2b0e03021a       04 14 [hash]
+ *
+ * Web Crypto API's subtle.verify() is strict and rejects the non-standard format.
+ * This module provides a fallback that manually performs RSA verification using
+ * BigInt math, which works in both browser and Node.js environments.
+ */
+/**
+ * Verify RSA signature with non-standard DigestInfo format.
+ *
+ * This function performs RSA signature verification that tolerates
+ * non-standard DigestInfo formats (missing NULL in AlgorithmIdentifier).
+ *
+ * - Node.js: Uses native crypto.publicDecrypt() for speed
+ * - Browser: Uses BigInt math (Web Crypto doesn't expose raw RSA)
+ *
+ * @param publicKeyData SPKI-formatted public key
+ * @param signatureBytes Raw signature bytes
+ * @param dataToVerify The data that was signed
+ * @param hashAlgorithm Hash algorithm name (e.g., "SHA-1", "SHA-256")
+ * @returns true if signature is valid, false otherwise
+ */
+export declare function verifyRsaWithNonStandardDigestInfo(publicKeyData: ArrayBuffer, signatureBytes: Uint8Array, dataToVerify: Uint8Array, hashAlgorithm: string): Promise<boolean>;

package/dist/core/verification.d.ts CHANGED Viewed

@@ -35,6 +35,8 @@ export interface ChecksumVerificationResult {
 export interface SignatureVerificationResult {
     isValid: boolean;
     reason?: string;
+    /** True if verification failed due to platform limitation (e.g., RSA >4096 in Safari) */
+    unsupportedPlatform?: boolean;
     errorDetails?: {
         category: string;
         originalMessage: string;
@@ -53,11 +55,37 @@ export interface CertificateVerificationResult {
     /** Revocation check result (if checkRevocation was enabled) */
     revocation?: RevocationResult;
 }
+/**
+ * Validation status for granular verification results
+ * - VALID: Signature cryptographically valid, all checks pass
+ * - INVALID: Definitely wrong (bad checksum, tampered content, crypto failure with supported key)
+ * - INDETERMINATE: Can't conclude (expired cert without POE, missing chain, revocation unknown)
+ * - UNSUPPORTED: Platform can't verify (e.g., RSA >4096 bits in Safari/WebKit)
+ */
+export type ValidationStatus = "VALID" | "INVALID" | "INDETERMINATE" | "UNSUPPORTED";
+/**
+ * Describes a limitation that prevented full verification
+ */
+export interface ValidationLimitation {
+    /** Machine-readable code (e.g., 'RSA_KEY_SIZE_UNSUPPORTED', 'CERT_EXPIRED_NO_POE') */
+    code: string;
+    /** Human-readable description */
+    description: string;
+    /** Platform where this limitation applies (e.g., 'Safari/WebKit') */
+    platform?: string;
+}
 /**
  * Complete verification result
  */
 export interface VerificationResult {
+    /** Whether the signature is valid (for backwards compatibility) */
     isValid: boolean;
+    /** Granular validation status */
+    status: ValidationStatus;
+    /** Human-readable status explanation */
+    statusMessage?: string;
+    /** Limitations that prevented full verification (for INDETERMINATE/UNSUPPORTED) */
+    limitations?: ValidationLimitation[];
     certificate: CertificateVerificationResult;
     checksums: ChecksumVerificationResult;
     signature?: SignatureVerificationResult;