edockit 0.3.0 → 0.4.0-dev.0

package/dist/core/trustedlist/bundled-provider.d.ts

@@ -0,0 +1,2 @@
+import type { TrustListProvider } from "./contract";
+export declare function createBundledTrustListProvider(): TrustListProvider;

package/dist/core/trustedlist/contract.d.ts

@@ -0,0 +1,19 @@
+export type TrustListQueryPurpose = "signature_issuer" | "timestamp_tsa";
+export type TrustMatchConfidence = "exact" | "ski_dn" | "dn_only";
+export interface TrustListQuery {
+    purpose: TrustListQueryPurpose;
+    time: Date;
+    spkiSha256Hex?: string | null;
+    skiHex?: string | null;
+    subjectDn?: string | null;
+}
+export interface TrustListMatch {
+    found: boolean;
+    trustedAtTime?: boolean;
+    confidence?: TrustMatchConfidence;
+    country?: string;
+    detail?: string;
+}
+export interface TrustListProvider {
+    match(query: TrustListQuery): Promise<TrustListMatch>;
+}

package/dist/core/trustedlist/dom.d.ts

@@ -0,0 +1,12 @@
+type XmlParent = Document | Element;
+export declare function parseXmlDocument(xml: string): Document;
+export declare function getDocumentElement(document: Document): Element | null;
+export declare function getChildElement(parent: XmlParent | null, localName: string): Element | null;
+export declare function getChildElements(parent: XmlParent | null, localName: string): Element[];
+export declare function getDescendantElement(parent: XmlParent | null, localName: string): Element | null;
+export declare function getDescendantElements(parent: XmlParent | null, localName: string): Element[];
+export declare function getElementText(element: Element | null | undefined): string | undefined;
+export declare function getChildText(parent: XmlParent | null, localName: string): string | undefined;
+export declare function getDescendantText(parent: XmlParent | null, localName: string): string | undefined;
+export declare function getLanguageAttribute(element: Element): string | undefined;
+export {};

package/dist/core/trustedlist/extract.d.ts

@@ -0,0 +1,6 @@
+import type { TslPointer, TrustedListSource, TrustedService } from "./types";
+export declare function parseLotlPointers(xml: string, source: TrustedListSource): TslPointer[];
+export declare function parseTrustedList(xml: string, context: {
+    source: TrustedListSource;
+    territoryHint?: string;
+}): Promise<TrustedService[]>;

package/dist/core/trustedlist/http.d.ts

@@ -0,0 +1,8 @@
+import type { TrustListProvider } from "./contract";
+export interface CreateRemoteTrustListProviderOptions {
+    url: string;
+    fetch?: typeof fetch;
+    headers?: HeadersInit;
+    timeout?: number;
+}
+export declare function createRemoteTrustListProvider(options: CreateRemoteTrustListProviderOptions): TrustListProvider;

package/dist/core/trustedlist/identity.d.ts

@@ -0,0 +1,7 @@
+import type { CertificateIdentity, IssuerIdentity, TrustedListFetchOptions } from "./types";
+export interface ExtractIssuerIdentityOptions {
+    certificateChain?: string[];
+    fetchOptions?: TrustedListFetchOptions;
+}
+export declare function extractIssuerIdentityFromCertificate(certificatePem: string, options?: ExtractIssuerIdentityOptions): Promise<IssuerIdentity>;
+export declare function extractCertificateIdentityFromCertificate(certificatePem: string): Promise<CertificateIdentity>;

package/dist/core/trustedlist/index.d.ts

@@ -0,0 +1,18 @@
+import type { CompactTrustedListBundle, TrustedListData, TrustedListFetchOptions, TrustedListSource } from "./types";
+export * from "./contract";
+export * from "./types";
+export * from "./normalize";
+export * from "./loader";
+export * from "./extract";
+export * from "./identity";
+export * from "./matcher";
+export * from "./reference-provider";
+export declare const DEFAULT_TRUSTED_LIST_SOURCES: TrustedListSource[];
+/**
+ * Low-level live fetch helper for LOTL/TSL processing.
+ *
+ * Primarily intended for Node.js build/update tooling. Browser callers generally
+ * need a proxy and should prefer the higher-level trusted-list update flow.
+ */
+export declare function fetchTrustedListBundle(sources?: TrustedListSource[], fetchOptions?: TrustedListFetchOptions): Promise<CompactTrustedListBundle>;
+export declare function updateTrustedList(sources?: TrustedListSource[], fetchOptions?: TrustedListFetchOptions): Promise<TrustedListData>;

package/dist/core/trustedlist/loader.d.ts

@@ -0,0 +1,5 @@
+import type { CompactTrustedListBundle, TrustedListData, TrustedListSource, TrustedService } from "./types";
+export declare function createEmptyTrustedListBundle(): CompactTrustedListBundle;
+export declare function buildTrustedListData(bundle: CompactTrustedListBundle): TrustedListData;
+export declare function buildCompactTrustedListBundle(services: TrustedService[], sources: TrustedListSource[], generatedAt?: string): CompactTrustedListBundle;
+export declare function dedupeTrustedServices(services: TrustedService[]): TrustedService[];

package/dist/core/trustedlist/matcher.d.ts

@@ -0,0 +1,11 @@
+import type { TrustListMatch, TrustListQuery } from "./contract";
+import type { IssuerIdentity, MatchCertificateToTrustedListOptions, MatchIssuerOptions, TrustedListData, TrustedListFetchOptions } from "./types";
+export interface MatchCertificateIssuerToTrustedListOptions extends MatchIssuerOptions {
+    certificateChain?: string[];
+    trustedListData: TrustedListData;
+    fetchOptions?: TrustedListFetchOptions;
+}
+export declare function matchTrustListQuery(query: TrustListQuery, trustedListData: TrustedListData): TrustListMatch;
+export declare function matchIssuerIdentityToTrustedList(issuerIdentity: IssuerIdentity, trustedListData: TrustedListData, options: MatchIssuerOptions): TrustListMatch;
+export declare function matchCertificateIssuerToTrustedList(certificatePem: string, options: MatchCertificateIssuerToTrustedListOptions): Promise<TrustListMatch>;
+export declare function matchCertificateToTrustedList(certificatePem: string, options: MatchCertificateToTrustedListOptions): Promise<TrustListMatch>;

package/dist/core/trustedlist/normalize.d.ts

@@ -0,0 +1,14 @@
+import type { TrustListQueryPurpose } from "./contract";
+import type { TrustListPurposeMask } from "./types";
+export declare function normalizeHex(input?: string | null): string | null;
+export declare function hexToBase64Url(input?: string | null): string | null;
+export declare function base64UrlToHex(input?: string | null): string | null;
+export declare function normalizeKeyIdentifier(input?: string | ArrayBuffer | ArrayBufferView | null): string | null;
+export declare function normalizeDistinguishedName(dn?: string | null): string;
+export declare function isTrustedServiceStatus(status: string): boolean;
+export declare function getRelevantServiceType(uri?: string | null): string | null;
+export declare function getTrustListPurposeMaskForQueryPurpose(purpose: TrustListQueryPurpose): TrustListPurposeMask;
+export declare function trustListPurposeMatchesMask(purpose: TrustListQueryPurpose, purposeMask: TrustListPurposeMask): boolean;
+export declare function getTrustListPurposeMaskForServiceType(serviceType: string): TrustListPurposeMask | null;
+export declare function getServiceStatusSuffix(uri?: string | null): string | null;
+export declare function isLikelyXmlTslUrl(url: string): boolean;

package/dist/core/trustedlist/reference-provider.d.ts

@@ -0,0 +1,12 @@
+import type { TrustListProvider } from "./contract";
+import type { CompactTrustedListBundle, TrustedListData } from "./types";
+export interface CreateTrustListProviderFromDataOptions {
+    data: CompactTrustedListBundle | TrustedListData;
+}
+export interface CreateTrustListProviderFromUrlOptions {
+    url: string;
+    fetch?: typeof fetch;
+    headers?: HeadersInit;
+}
+export type CreateTrustListProviderOptions = CreateTrustListProviderFromDataOptions | CreateTrustListProviderFromUrlOptions;
+export declare function createTrustListProvider(options: CreateTrustListProviderOptions): TrustListProvider;

package/dist/core/trustedlist/types.d.ts

@@ -0,0 +1,114 @@
+import type { TrustListQueryPurpose } from "./contract";
+export type { TrustListMatch, TrustListProvider, TrustListQuery, TrustListQueryPurpose, TrustMatchConfidence, } from "./contract";
+export interface TrustedListSource {
+    id: string;
+    label: string;
+    lotlUrl: string;
+}
+export type TrustListPurposeMask = 1 | 2 | 3;
+export interface TrustedListFetchOptions {
+    timeout?: number;
+    proxyUrl?: string;
+}
+export interface TrustedStatusPeriod {
+    status: string;
+    from: string;
+    to: string | null;
+}
+export interface TrustedService {
+    skiHex: string | null;
+    spkiSha256Hex: string;
+    subjectDn: string;
+    country: string;
+    tspName: string;
+    serviceType: string;
+    source: string;
+    sourceLabel: string;
+    history: TrustedStatusPeriod[];
+}
+export interface TrustedServiceSnapshot {
+    skiHex: string | null;
+    spkiSha256Hex: string;
+    subjectDn: string;
+    country: string;
+    tspName: string;
+    serviceType: string;
+    source: string;
+    sourceLabel: string;
+    status: string;
+    startTime: string;
+}
+export interface TrustedTrustInterval {
+    fromUnix: number;
+    toUnix: number | null;
+}
+export interface TrustedListEntry {
+    skiHex: string | null;
+    spkiSha256Hex: string | null;
+    subjectDn: string;
+    country: string;
+    purposeMask: TrustListPurposeMask;
+    trustIntervals: TrustedTrustInterval[];
+}
+export interface TslPointer {
+    url: string;
+    territory?: string;
+    source: TrustedListSource;
+}
+export interface TrustedListIndexes {
+    bySki: Map<string, TrustedListEntry[]>;
+    bySpkiSha256: Map<string, TrustedListEntry[]>;
+    bySubjectDn: Map<string, TrustedListEntry[]>;
+}
+export interface TrustedListData {
+    version: number;
+    generatedAt: string;
+    sources: TrustedListSource[];
+    services: TrustedListEntry[];
+    indexes: TrustedListIndexes;
+}
+export interface IssuerIdentity {
+    issuerSubjectDn: string;
+    authorityKeyIdentifierHex?: string | null;
+    issuerCertificate?: {
+        subjectDn: string;
+        spkiSha256Hex: string;
+    } | null;
+}
+export interface CertificateIdentity {
+    subjectDn: string;
+    subjectKeyIdentifierHex?: string | null;
+    spkiSha256Hex?: string | null;
+}
+export interface MatchIssuerOptions {
+    time: Date;
+}
+export interface MatchCertificateToTrustedListOptions {
+    purpose?: TrustListQueryPurpose;
+    time: Date;
+    trustedListData: TrustedListData;
+}
+export type CompactTrustedInterval = [fromUnix: number, toUnix: number | null];
+export type CompactTrustedService = [
+    spkiSha256Base64Url: string | null,
+    skiBase64Url: string | null,
+    subjectDnIdx: number,
+    country: string,
+    purposeMask: TrustListPurposeMask,
+    trustIntervals: CompactTrustedInterval[]
+];
+export type CompactTrustedListSource = [id: string, label: string, lotlUrl: string];
+export interface CompactTrustedListBundle {
+    v: 2;
+    generatedAt: string;
+    sources: CompactTrustedListSource[];
+    dns: string[];
+    services: CompactTrustedService[];
+}
+export interface TrustedListBundleManifest {
+    schemaVersion: number;
+    bundleId: string;
+    generatedAt: string;
+    url: string;
+    sha256: string;
+}

package/dist/core/verification.d.ts

@@ -2,6 +2,8 @@ import { CertificateInfo } from "./certificate";
 import { SignatureInfo } from "./parser";
 import { RevocationResult, RevocationCheckOptions } from "./revocation/types";
 import { TimestampVerificationResult } from "./timestamp/types";
+import type { TrustListMatch, TrustListProvider } from "./trustedlist/contract";
+import type { TrustedListFetchOptions } from "./trustedlist/types";
 /**
  * Options for verification process
  */
@@ -16,6 +18,14 @@ export interface VerificationOptions {
     revocationOptions?: RevocationCheckOptions;
     /** Verify RFC 3161 timestamp if present (default: true) */
     verifyTimestamps?: boolean;
+    /** Include a structured verification checklist in the result (default: false) */
+    includeChecklist?: boolean;
+    /** Trusted-list provider used for issuer and timestamp authority trust checks */
+    trustListProvider?: TrustListProvider;
+    /** Options used when fetching issuer certificates needed for stronger trust-list matching */
+    trustedListFetchOptions?: TrustedListFetchOptions;
+    /** Allow DN-only trusted-list matches to be treated as positive evidence */
+    allowWeakDnOnlyTrustMatch?: boolean;
 }
 /**
  * Result of a checksum verification
@@ -74,6 +84,15 @@ export interface ValidationLimitation {
     /** Platform where this limitation applies (e.g., 'Safari/WebKit') */
     platform?: string;
 }
+export type ChecklistStatus = "pass" | "fail" | "skipped" | "indeterminate";
+export type ChecklistCheck = "document_integrity" | "signature_valid" | "certificate_valid_at_signing_time" | "timestamp_present" | "timestamp_valid" | "timestamp_authority_trusted_at_signing_time" | "certificate_not_revoked_at_signing_time" | "issuer_trusted_at_signing_time";
+export interface ChecklistItem {
+    check: ChecklistCheck;
+    label: string;
+    status: ChecklistStatus;
+    detail?: string;
+    country?: string;
+}
 /**
  * Complete verification result
  */
@@ -91,6 +110,9 @@ export interface VerificationResult {
     signature?: SignatureVerificationResult;
     /** Timestamp verification result (if timestamp present and verifyTimestamps enabled) */
     timestamp?: TimestampVerificationResult;
+    checklist?: ChecklistItem[];
+    trustListMatch?: TrustListMatch;
+    timestampTrustListMatch?: TrustListMatch;
     errors?: string[];
 }
 /**

package/dist/data/trusted-list.d.ts

@@ -0,0 +1,3 @@
+import type { CompactTrustedListBundle } from "../core/trustedlist/types";
+declare const trustedListBundle: CompactTrustedListBundle;
+export default trustedListBundle;