Releases: edgarsj/edockit
Releases · edgarsj/edockit
Release list
Release v0.4.1
Added
- Embedded XAdES RevocationValues exposed -
SignatureInfo.revocationValuesexposes the raw embedded OCSP/CRL material (base64 DER) fromxades:UnsignedSignatureProperties. These properties are unsigned, so edockit does not use them as a revocation verdict; they are provided for consumers performing their own authenticated long-term validation - Trusted-list bundle identifier - Compact trusted-list bundles and the bundled snapshot now carry a top-level
bundleId(derived fromgeneratedAt) so downstream consumers can identify a snapshot (previouslynull) - Resilient trusted-list regeneration -
npm run update-trusted-listcarries forward last-known-good services only when every advertised TSL endpoint for a territory explicitly fails to fetch or parse, so transient failures and HTTP 200 error pages cannot silently drop a country while valid empty TSLs and successful removals are not resurrected; it also falls back to Node's native http(s) client for endpoints that block undici's client fingerprint (e.g. Estonia'ssr.riik.ee)
Changed
- Lighter live revocation - The issuer certificate required to build an OCSP request is now also resolved from certificates embedded in the signature's
RevocationValuesOCSP responses, and OCSP issuer resolution requires a candidate whose key actually signed the certificate — a same-name certificate that did not issue it is rejected and the AIA lookup is used instead. When the container ships no certificate chain, this lets the small live OCSP query answer revocation instead of falling back to downloading the full CRL (verified end-to-end:method: "ocsp"instead of"crl"for the LV eID sample). The status in the embedded response is not trusted — a fresh OCSP query is still made - Refreshed bundled EU trusted-list snapshot - Regenerated from the EU LOTL with a fresh
generatedAtandbundleId - Declared direct dependencies -
asn1js,@peculiar/asn1-schema, and@peculiar/asn1-x509are now declared dependencies (previously relied on transitively)
Fixed
- Per-signature XAdES properties -
parseSignatureElementnow readsRevocationValues,CertificateValues,SigningTime, andSignatureTimeStampfrom the current signature element instead of document-wide, so a signature in a multi-signature document no longer inherits the first signature's embedded material (which would point OCSP issuer resolution at the wrong certs) - Large national CRL parsing -
parseCRL()now parses CRLs that exceed asn1js's defaultDEFAULT_MAX_NODES(10000) DoS guard (e.g. the ~13k-entry Latvian LV eID CRL) by re-parsing with a raised, bounded node limit. Fixescertificate_not_revoked_at_signing_timereturningINDETERMINATEwith "Failed to parse CRL data" againstasn1js@^3.0.9 - InclusiveNamespaces XPath warning - Node XPath queries now resolve namespace prefixes via
xpath.useNamespacesinstead of misusingxpath.select's third (single) argument as a resolver, eliminating noisy "XPath evaluation failed" errors during signature parsing
Security
- Dependency advisory cleanup - Updated the only affected runtime dependency,
@xmldom/xmldom, to 0.9.10 (resolves high-severity XML injection and serialization DoS advisories) and cleared all remainingnpm auditfindings in the dev/test toolchain via in-range bumps andesbuild/js-yamloverrides.npm auditnow reports 0 vulnerabilities
Release v0.3.0
Added
- Multi-state validation results -
VerificationResultnow includes granular status beyond booleanisValid:status:"VALID"|"INVALID"|"INDETERMINATE"|"UNSUPPORTED"statusMessage: Human-readable explanationlimitations: Array describing platform/environment constraints
- Platform limitation detection - Detect unsupported RSA key sizes (>4096 bits) in Safari/WebKit and return
UNSUPPORTEDstatus instead of failing asINVALID - Cross-browser testing - Added Safari/WebKit and Firefox to browser test suite locally
Fixed
- C14N 1.1 canonicalization - Fixed bug where C14N 1.1 incorrectly added newlines between XML elements when the original had none. This caused signature verification to fail for compact XML.
- INDETERMINATE for expired timestamps - Return
INDETERMINATEstatus (instead ofINVALID) when timestamp or certificate has expired but signature is otherwise valid - Legacy RSA DigestInfo verification - Fix signature verification for old documents signed with pre-Java 8 tools that produced non-standard DigestInfo format (missing NULL in AlgorithmIdentifier)
Release v0.2.4
Fixed
- OCSP issuerKeyHash calculation - Fixed critical bug where OCSP requests used wrong hash (full SPKI instead of public key BIT STRING), causing incorrect revocation status responses
- Timestamp signature coverage verification - Now correctly verifies that timestamps cover the canonicalized ds:SignatureValue XML element per XAdES (ETSI EN 319 132-1) specification, fixing
coversSignature: falseissue - TSA name formatting - Fixed timestamp TSA name showing as
[object Object]instead of readable DN string likeCN=..., O=..., C=... - Base64 whitespace handling - Fixed browser
atoberrors when decoding base64 strings containing whitespace from XML - ECDSA signature format normalization - Fixed signature verification failures for ECDSA signatures with leading zero padding by normalizing to IEEE P1363 format expected by Web Crypto API
Release v0.2.3
Fixed
- Long-Term Validation (LTV) for revoked certificates - Signatures made before certificate revocation are now correctly validated as valid when a trusted timestamp proves the signing time
Release v0.2.2
Fixed
- proxyUrl now works for timestamp revocation - TSA certificate revocation checks now correctly use the proxy
- XPath DOM mismatch error in browser - Fixed "Node cannot be used in a document other than the one in which it was created" error when parsing XML in browsers
Release v0.2.1
Added
- CORS Proxy Support - New
proxyUrloption inrevocationOptionsfor browser environments- Routes OCSP, CRL, and CA issuer certificate requests through a CORS proxy
- Enables revocation checking in browsers where direct requests are blocked by CORS
Release v0.2.0
Added
- Certificate Revocation Checking - OCSP-first verification with CRL fallback
- Soft-fail mode: network errors return
status: 'unknown', signature remains valid - Issuer certificate retrieval from XAdES chain or AIA extension
- Optional via
checkRevocation: falsefor offline-only verification
- Soft-fail mode: network errors return
- RFC 3161 Timestamp Verification
- Parse and verify RFC 3161 timestamps (SignatureTimeStamp)
- Check TSA certificate validity and revocation (OCSP/CRL)
- Use trusted TSA time for signer certificate validation
revocationOptionspass-through toverifySignature()
Changed
- Refactored encoding utilities (consolidated base64/hex/ArrayBuffer helpers)
Fixed
- Browser compatibility import fixes (direct paths vs barrel imports)
- Fixed vulnerable dev dependencies
Release v0.1.2
v0.1.1-beta.1
- Added GitHub url
v0.1.1-beta.0
Initial Beta Release
This is the first beta release of edockit, a JavaScript/TypeScript library for viewing and verifying EU standard ASiC-E containers (including Latvian eDoc files).
Features
- Support for EU standard ASiC-E containers and Latvian eDoc files
- List and extract files from ASiC-E/eDoc containers
- Extract and display signature information
- Verify XML signatures against file checksums
- Certificate validation (without OCSP checks)
Known Limitations
- OCSP validation (Online Certificate Status Protocol) is not yet implemented
- Limited testing with ASiC-E containers from different EU countries
- Needs more testing with various signature algorithms and certificate types
Compatibility
- Works in both browser and Node.js environments
- Includes ESM, CommonJS, and UMD builds
This is a work in progress and we welcome contributions, especially testing with real-world documents from various EU countries to ensure complete compatibility across different implementations.