edockit 0.2.4 → 0.3.0

package/dist/index.esm.js

@@ -367,25 +367,11 @@ const methods = {
         isCanonicalizationMethod: "c14n",
     },
     c14n11: {
-        beforeChildren: (hasElementChildren, hasMixedContent) => {
-            // If it's mixed content, don't add newlines
-            if (hasMixedContent)
-                return "";
-            return hasElementChildren ? "\n" : "";
-        },
-        afterChildren: (hasElementChildren, hasMixedContent) => {
-            // If it's mixed content, don't add newlines
-            if (hasMixedContent)
-                return "";
-            return hasElementChildren ? "\n" : "";
-        },
-        betweenChildren: (prevIsElement, nextIsElement, hasMixedContent) => {
-            // If it's mixed content, don't add newlines between elements
-            if (hasMixedContent)
-                return "";
-            // Only add newline between elements
-            return prevIsElement && nextIsElement ? "\n" : "";
-        },
+        // C14N 1.1 should NOT add newlines - it should preserve original whitespace
+        // The difference from C14N is in xml:id normalization, not formatting
+        beforeChildren: () => "",
+        afterChildren: () => "",
+        betweenChildren: () => "",
         afterElement: () => "",
         isCanonicalizationMethod: "c14n11",
     },
@@ -10221,6 +10207,273 @@ function getTimestampTime(timestampBase64) {
     return info?.genTime || null;
 }
 
+/**
+ * RSA DigestInfo Workaround
+ *
+ * Some older signing tools (particularly pre-Java 8) produced RSA signatures with
+ * non-standard DigestInfo format - missing the NULL parameter in AlgorithmIdentifier.
+ *
+ * Standard DigestInfo for SHA-1:  30 21 30 09 06 05 2b0e03021a 05 00 04 14 [hash]
+ * Non-standard (missing NULL):    30 1f 30 07 06 05 2b0e03021a       04 14 [hash]
+ *
+ * Web Crypto API's subtle.verify() is strict and rejects the non-standard format.
+ * This module provides a fallback that manually performs RSA verification using
+ * BigInt math, which works in both browser and Node.js environments.
+ */
+/**
+ * Parse RSA public key from SPKI format to extract modulus and exponent
+ */
+function parseRSAPublicKey(spkiData) {
+    const bytes = new Uint8Array(spkiData);
+    // SPKI structure:
+    // SEQUENCE {
+    //   SEQUENCE { algorithm OID, parameters (NULL or absent) }
+    //   BIT STRING { RSAPublicKey }
+    // }
+    // RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
+    let pos = 0;
+    // Helper to read ASN.1 length
+    const readLength = () => {
+        const first = bytes[pos++];
+        if ((first & 0x80) === 0) {
+            return first;
+        }
+        const numBytes = first & 0x7f;
+        let length = 0;
+        for (let i = 0; i < numBytes; i++) {
+            length = (length << 8) | bytes[pos++];
+        }
+        return length;
+    };
+    // Helper to read INTEGER as BigInt
+    const readInteger = () => {
+        if (bytes[pos++] !== 0x02)
+            return BigInt(0); // INTEGER tag
+        const len = readLength();
+        let value = BigInt(0);
+        for (let i = 0; i < len; i++) {
+            value = (value << BigInt(8)) | BigInt(bytes[pos++]);
+        }
+        return value;
+    };
+    try {
+        // Outer SEQUENCE
+        if (bytes[pos++] !== 0x30)
+            return null;
+        readLength();
+        // AlgorithmIdentifier SEQUENCE
+        if (bytes[pos++] !== 0x30)
+            return null;
+        const algoLen = readLength();
+        pos += algoLen; // Skip algorithm identifier
+        // BIT STRING containing RSAPublicKey
+        if (bytes[pos++] !== 0x03)
+            return null;
+        readLength();
+        pos++; // Skip unused bits byte
+        // RSAPublicKey SEQUENCE
+        if (bytes[pos++] !== 0x30)
+            return null;
+        readLength();
+        // Read modulus and exponent
+        const n = readInteger();
+        const e = readInteger();
+        return { n, e };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Perform modular exponentiation: base^exp mod mod
+ * Uses square-and-multiply algorithm for efficiency
+ */
+function modPow(base, exp, mod) {
+    let result = BigInt(1);
+    base = base % mod;
+    while (exp > 0) {
+        if (exp % BigInt(2) === BigInt(1)) {
+            result = (result * base) % mod;
+        }
+        exp = exp >> BigInt(1);
+        base = (base * base) % mod;
+    }
+    return result;
+}
+/**
+ * Convert Uint8Array to BigInt
+ */
+function bytesToBigInt(bytes) {
+    let result = BigInt(0);
+    for (const byte of bytes) {
+        result = (result << BigInt(8)) | BigInt(byte);
+    }
+    return result;
+}
+/**
+ * Convert BigInt to Uint8Array with specified length
+ */
+function bigIntToBytes(value, length) {
+    const result = new Uint8Array(length);
+    for (let i = length - 1; i >= 0; i--) {
+        result[i] = Number(value & BigInt(0xff));
+        value = value >> BigInt(8);
+    }
+    return result;
+}
+/**
+ * Verify PKCS#1 v1.5 signature padding and extract DigestInfo
+ * @param decrypted The decrypted signature block
+ * @returns The DigestInfo bytes, or null if padding is invalid
+ */
+function extractDigestInfoFromPKCS1(decrypted) {
+    // PKCS#1 v1.5 signature format:
+    // 0x00 0x01 [0xFF padding] 0x00 [DigestInfo]
+    if (decrypted[0] !== 0x00 || decrypted[1] !== 0x01) {
+        return null;
+    }
+    // Find the 0x00 separator after padding
+    let separatorIndex = -1;
+    for (let i = 2; i < decrypted.length; i++) {
+        if (decrypted[i] === 0x00) {
+            separatorIndex = i;
+            break;
+        }
+        if (decrypted[i] !== 0xff) {
+            return null; // Invalid padding byte
+        }
+    }
+    if (separatorIndex === -1 || separatorIndex < 10) {
+        return null; // No separator found or padding too short
+    }
+    return decrypted.slice(separatorIndex + 1);
+}
+/**
+ * Extract hash from DigestInfo structure
+ * Handles both standard (with NULL) and non-standard (without NULL) formats
+ */
+function extractHashFromDigestInfo(digestInfo, expectedHashLength) {
+    // DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING }
+    // Look for OCTET STRING tag (0x04) followed by the hash
+    for (let i = 0; i < digestInfo.length - 1; i++) {
+        if (digestInfo[i] === 0x04) {
+            const len = digestInfo[i + 1];
+            if (len === expectedHashLength && i + 2 + len <= digestInfo.length) {
+                return digestInfo.slice(i + 2, i + 2 + len);
+            }
+        }
+    }
+    return null;
+}
+/**
+ * Get hash length in bytes for a given algorithm
+ */
+function getHashLength(hashAlgorithm) {
+    const algo = hashAlgorithm.toLowerCase().replace("-", "");
+    switch (algo) {
+        case "sha1":
+            return 20;
+        case "sha256":
+            return 32;
+        case "sha384":
+            return 48;
+        case "sha512":
+            return 64;
+        default:
+            return 32;
+    }
+}
+/**
+ * Detects if code is running in a browser environment
+ */
+function isBrowser$1() {
+    return (typeof window !== "undefined" &&
+        typeof window.crypto !== "undefined" &&
+        typeof window.crypto.subtle !== "undefined");
+}
+/**
+ * Verify RSA signature with non-standard DigestInfo format.
+ *
+ * This function performs RSA signature verification that tolerates
+ * non-standard DigestInfo formats (missing NULL in AlgorithmIdentifier).
+ *
+ * - Node.js: Uses native crypto.publicDecrypt() for speed
+ * - Browser: Uses BigInt math (Web Crypto doesn't expose raw RSA)
+ *
+ * @param publicKeyData SPKI-formatted public key
+ * @param signatureBytes Raw signature bytes
+ * @param dataToVerify The data that was signed
+ * @param hashAlgorithm Hash algorithm name (e.g., "SHA-1", "SHA-256")
+ * @returns true if signature is valid, false otherwise
+ */
+async function verifyRsaWithNonStandardDigestInfo(publicKeyData, signatureBytes, dataToVerify, hashAlgorithm) {
+    try {
+        let digestInfo;
+        if (isBrowser$1()) {
+            // Browser: Use BigInt math (Web Crypto doesn't expose raw RSA decryption)
+            const keyParams = parseRSAPublicKey(publicKeyData);
+            if (!keyParams) {
+                return false;
+            }
+            const { n, e } = keyParams;
+            const keyLength = Math.ceil(n.toString(16).length / 2);
+            const signatureInt = bytesToBigInt(signatureBytes);
+            const decryptedInt = modPow(signatureInt, e, n);
+            const decrypted = bigIntToBytes(decryptedInt, keyLength);
+            digestInfo = extractDigestInfoFromPKCS1(decrypted);
+        }
+        else {
+            // Node.js: Use native crypto.publicDecrypt() for speed
+            // eslint-disable-next-line @typescript-eslint/no-var-requires
+            const nodeCrypto = require("crypto");
+            const publicKey = nodeCrypto.createPublicKey({
+                key: Buffer.from(publicKeyData),
+                format: "der",
+                type: "spki",
+            });
+            const decrypted = nodeCrypto.publicDecrypt({ key: publicKey, padding: nodeCrypto.constants.RSA_PKCS1_PADDING }, Buffer.from(signatureBytes));
+            // Node's publicDecrypt already strips PKCS#1 padding, returns DigestInfo directly
+            digestInfo = new Uint8Array(decrypted);
+        }
+        if (!digestInfo) {
+            return false;
+        }
+        // Extract hash from DigestInfo (tolerates missing NULL)
+        const hashLength = getHashLength(hashAlgorithm);
+        const extractedHash = extractHashFromDigestInfo(digestInfo, hashLength);
+        if (!extractedHash) {
+            return false;
+        }
+        // Compute expected hash
+        let expectedHash;
+        if (isBrowser$1()) {
+            // Normalize to Web Crypto format: SHA-1, SHA-256, SHA-384, SHA-512
+            let hashName = hashAlgorithm.toUpperCase().replace(/-/g, "");
+            hashName = hashName.replace(/^SHA(\d)/, "SHA-$1");
+            const hashBuffer = await window.crypto.subtle.digest(hashName, dataToVerify);
+            expectedHash = new Uint8Array(hashBuffer);
+        }
+        else {
+            // eslint-disable-next-line @typescript-eslint/no-var-requires
+            const nodeCrypto = require("crypto");
+            const hashName = hashAlgorithm.toLowerCase().replace("-", "");
+            expectedHash = nodeCrypto.createHash(hashName).update(Buffer.from(dataToVerify)).digest();
+        }
+        // Compare hashes (constant-time comparison)
+        if (extractedHash.length !== expectedHash.length) {
+            return false;
+        }
+        let diff = 0;
+        for (let i = 0; i < extractedHash.length; i++) {
+            diff |= extractedHash[i] ^ expectedHash[i];
+        }
+        return diff === 0;
+    }
+    catch {
+        return false;
+    }
+}
+
 /**
  * Detects if code is running in a browser environment
  * @returns true if in browser, false otherwise
@@ -10230,6 +10483,105 @@ function isBrowser() {
         typeof window.crypto !== "undefined" &&
         typeof window.crypto.subtle !== "undefined");
 }
+/**
+ * Detects if running in Safari/WebKit browser
+ * Safari/WebKit handles RSA key DER encoding correctly and doesn't need the modulus padding fix
+ * This also detects Playwright's headless WebKit
+ * @returns true if Safari/WebKit, false otherwise
+ */
+function isWebKit() {
+    if (typeof navigator === "undefined")
+        return false;
+    const ua = navigator.userAgent;
+    // Detect WebKit-based browsers (Safari, or Playwright WebKit which includes "AppleWebKit" but not Chrome)
+    const hasWebKit = /AppleWebKit/.test(ua);
+    const isChromium = /Chrome/.test(ua) || /Chromium/.test(ua) || /Edg/.test(ua);
+    return hasWebKit && !isChromium;
+}
+/**
+ * Get RSA modulus length in bits from SPKI public key data
+ * @param publicKeyData The SPKI-formatted public key
+ * @returns Modulus length in bits, or 0 if not RSA or can't determine
+ */
+function getRSAModulusLength(publicKeyData) {
+    const keyBytes = new Uint8Array(publicKeyData);
+    // Check for RSA OID (1.2.840.113549.1.1.1)
+    const RSA_OID = [0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01];
+    let oidPosition = -1;
+    for (let i = 0; i <= keyBytes.length - RSA_OID.length; i++) {
+        let match = true;
+        for (let j = 0; j < RSA_OID.length; j++) {
+            if (keyBytes[i + j] !== RSA_OID[j]) {
+                match = false;
+                break;
+            }
+        }
+        if (match) {
+            oidPosition = i;
+            break;
+        }
+    }
+    if (oidPosition === -1)
+        return 0; // Not RSA
+    // Find BIT STRING containing the key
+    let bitStringPos = -1;
+    for (let i = oidPosition + RSA_OID.length; i < keyBytes.length; i++) {
+        if (keyBytes[i] === 0x03) {
+            bitStringPos = i;
+            break;
+        }
+    }
+    if (bitStringPos === -1)
+        return 0;
+    // Skip BIT STRING header to find inner SEQUENCE
+    let pos = bitStringPos + 1;
+    if ((keyBytes[pos] & 0x80) === 0) {
+        pos += 1; // short length
+    }
+    else {
+        pos += 1 + (keyBytes[pos] & 0x7f); // long length
+    }
+    pos += 1; // skip unused bits byte
+    if (keyBytes[pos] !== 0x30)
+        return 0; // Should be SEQUENCE
+    // Skip inner SEQUENCE header to find modulus INTEGER
+    pos += 1;
+    if ((keyBytes[pos] & 0x80) === 0) {
+        pos += 1;
+    }
+    else {
+        pos += 1 + (keyBytes[pos] & 0x7f);
+    }
+    if (keyBytes[pos] !== 0x02)
+        return 0; // Should be INTEGER (modulus)
+    // Get modulus length
+    pos += 1;
+    let modulusLength = 0;
+    if ((keyBytes[pos] & 0x80) === 0) {
+        modulusLength = keyBytes[pos];
+    }
+    else {
+        const numLenBytes = keyBytes[pos] & 0x7f;
+        for (let i = 0; i < numLenBytes; i++) {
+            modulusLength = (modulusLength << 8) | keyBytes[pos + 1 + i];
+        }
+    }
+    // Modulus might have leading 0x00 padding byte, subtract if present
+    // Return bits (bytes * 8), accounting for padding
+    return modulusLength * 8;
+}
+/**
+ * Check if RSA key size is supported in the current platform
+ * Safari/WebKit only supports RSA keys up to 4096 bits
+ */
+function isRSAKeySizeSupported(modulusLengthBits) {
+    if (!isBrowser())
+        return true; // Node.js supports all sizes
+    if (!isWebKit())
+        return true; // Chrome/Firefox support large keys
+    // Safari/WebKit: max 4096 bits
+    return modulusLengthBits <= 4096;
+}
 /**
  * Compute a digest (hash) of file content with browser/node compatibility
  * @param fileContent The file content as Uint8Array
@@ -10602,11 +10954,40 @@ async function verifySignedInfo(signatureXml, signatureValue, publicKeyData, alg
         let publicKey;
         try {
             const subtle = getCryptoSubtle();
-            if (isBrowser() && algorithm.name === "RSASSA-PKCS1-v1_5") {
-                // console.log("Browser environment detected, applying RSA key fix");
-                publicKeyData = fixRSAModulusPadding(publicKeyData);
+            const isRSA = algorithm.name === "RSASSA-PKCS1-v1_5" || algorithm.name === "RSA-PSS";
+            // Check RSA key size support before attempting import
+            if (isRSA) {
+                const modulusLengthBits = getRSAModulusLength(publicKeyData);
+                if (modulusLengthBits > 0 && !isRSAKeySizeSupported(modulusLengthBits)) {
+                    return {
+                        isValid: false,
+                        unsupportedPlatform: true,
+                        reason: `RSA key size (${modulusLengthBits} bits) not supported in this browser`,
+                        errorDetails: {
+                            category: "RSA_KEY_SIZE_UNSUPPORTED",
+                            originalMessage: `Safari/WebKit only supports RSA keys up to 4096 bits`,
+                            algorithm: { ...algorithm },
+                            environment: "browser",
+                            keyLength: publicKeyData.byteLength,
+                        },
+                    };
+                }
+            }
+            if (isBrowser() && isRSA) {
+                // Try importing original key first, then try with padding fix if it fails
+                // This handles browser differences (Chrome vs Safari/WebKit)
+                try {
+                    publicKey = await subtle.importKey("spki", publicKeyData, algorithm, false, ["verify"]);
+                }
+                catch {
+                    // Original key failed, try with modulus padding fix
+                    const fixedKeyData = fixRSAModulusPadding(publicKeyData);
+                    publicKey = await subtle.importKey("spki", fixedKeyData, algorithm, false, ["verify"]);
+                }
+            }
+            else {
+                publicKey = await subtle.importKey("spki", publicKeyData, algorithm, false, ["verify"]);
             }
-            publicKey = await subtle.importKey("spki", publicKeyData, algorithm, false, ["verify"]);
         }
         catch (unknownError) {
             // First cast to Error type if applicable
@@ -10653,12 +11034,36 @@ async function verifySignedInfo(signatureXml, signatureValue, publicKeyData, alg
         try {
             const subtle = getCryptoSubtle();
             const result = await subtle.verify(algorithm, publicKey, signatureBytes, signedData);
+            if (result) {
+                return {
+                    isValid: true,
+                };
+            }
+            // Standard verification failed - try fallback for RSA signatures
+            // Some older signatures use non-standard DigestInfo format (missing NULL in AlgorithmIdentifier)
+            if (algorithm.name === "RSASSA-PKCS1-v1_5") {
+                const fallbackResult = await verifyRsaWithNonStandardDigestInfo(publicKeyData, signatureBytes, signedData, algorithm.hash);
+                if (fallbackResult) {
+                    return {
+                        isValid: true,
+                    };
+                }
+            }
             return {
-                isValid: result,
-                reason: result ? undefined : "Signature verification failed",
+                isValid: false,
+                reason: "Signature verification failed",
             };
         }
         catch (error) {
+            // Try fallback for RSA signatures when subtle.verify throws
+            if (algorithm.name === "RSASSA-PKCS1-v1_5") {
+                const fallbackResult = await verifyRsaWithNonStandardDigestInfo(publicKeyData, signatureBytes, signedData, algorithm.hash);
+                if (fallbackResult) {
+                    return {
+                        isValid: true,
+                    };
+                }
+            }
             return {
                 isValid: false,
                 reason: `Signature verification error: ${error instanceof Error ? error.message : String(error)}`,
@@ -10852,9 +11257,81 @@ async function verifySignature(signatureInfo, files, options = {}) {
         options.verifyTimestamps === false ||
         (timestampResult?.isValid ?? true);
     const isValid = certResult.isValid && checksumResult.isValid && signatureResult.isValid && timestampValid;
+    // Determine validation status and limitations
+    let status = "VALID";
+    let statusMessage;
+    const limitations = [];
+    if (!isValid) {
+        // Check for platform unsupported (RSA key size)
+        if (signatureResult.unsupportedPlatform) {
+            status = "UNSUPPORTED";
+            statusMessage = signatureResult.reason;
+            limitations.push({
+                code: "RSA_KEY_SIZE_UNSUPPORTED",
+                description: signatureResult.reason || "RSA key size not supported",
+                platform: "Safari/WebKit",
+            });
+        }
+        // Check for checksum failure (definitely invalid)
+        else if (!checksumResult.isValid) {
+            status = "INVALID";
+            statusMessage = "File integrity check failed";
+        }
+        // Check for signature crypto failure with supported key
+        else if (!signatureResult.isValid && !signatureResult.unsupportedPlatform) {
+            status = "INVALID";
+            statusMessage = signatureResult.reason || "Signature verification failed";
+        }
+        // Check for certificate issues
+        else if (!certResult.isValid) {
+            // If cert expired and no valid timestamp, it's indeterminate
+            if (certResult.reason?.includes("expired") && !timestampResult?.isValid) {
+                status = "INDETERMINATE";
+                statusMessage = "Certificate expired and no valid timestamp proof";
+                limitations.push({
+                    code: "CERT_EXPIRED_NO_POE",
+                    description: "Certificate has expired and there is no valid timestamp to prove signature was made when certificate was valid",
+                });
+            }
+            else if (certResult.revocation?.status === "revoked") {
+                status = "INVALID";
+                statusMessage = "Certificate has been revoked";
+            }
+            else {
+                status = "INDETERMINATE";
+                statusMessage = certResult.reason || "Certificate validation inconclusive";
+            }
+        }
+        // Timestamp parsing/verification failed - can't establish POE
+        else if (timestampResult && !timestampResult.isValid) {
+            status = "INDETERMINATE";
+            statusMessage = timestampResult.reason || "Timestamp verification failed";
+            limitations.push({
+                code: "TIMESTAMP_VERIFICATION_FAILED",
+                description: timestampResult.reason || "Could not verify timestamp to establish proof of existence",
+            });
+        }
+        // Revocation unknown
+        else if (certResult.revocation?.status === "unknown") {
+            status = "INDETERMINATE";
+            statusMessage = "Certificate revocation status could not be determined";
+            limitations.push({
+                code: "REVOCATION_UNKNOWN",
+                description: certResult.revocation.reason || "Could not check certificate revocation status",
+            });
+        }
+        // Fallback
+        else {
+            status = "INVALID";
+            statusMessage = errors[0] || "Verification failed";
+        }
+    }
     // Return the complete result
     return {
         isValid,
+        status,
+        statusMessage,
+        limitations: limitations.length > 0 ? limitations : undefined,
         certificate: certResult,
         checksums: checksumResult,
         signature: options.verifySignatures !== false ? signatureResult : undefined,