import { CertificateInfo } from "./certificate";
import { SignatureInfo } from "./parser";
import { RevocationResult, RevocationCheckOptions } from "./revocation/types";
import { TimestampVerificationResult } from "./timestamp/types";
import type { TrustListMatch, TrustListProvider } from "./trustedlist/contract";
import type { TrustedListFetchOptions } from "./trustedlist/types";

// NOTE(review): several generic types below appear without type arguments
// (bare `Record`, `Promise`, `Map`). They look like they were lost when this
// declaration was extracted; confirm the arguments against the original file
// before relying on these signatures.

/**
 * Options for the verification process.
 *
 * Every field is optional. Defaults are documented only for
 * `checkRevocation`, `verifyTimestamps` and `includeChecklist`; the defaults
 * of the remaining switches are not stated in this declaration.
 * NOTE(review): a caller that needs a particular check to run should set the
 * corresponding flag explicitly rather than depend on an undocumented default.
 */
export interface VerificationOptions {
  /** Toggle for the certificate validity check (default not stated here). */
  checkCertificateValidity?: boolean;
  /** Toggle for signature verification (default not stated here). */
  verifySignatures?: boolean;
  /** Toggle for file checksum verification (default not stated here). */
  verifyChecksums?: boolean;
  /**
   * Point in time used for verification.
   * NOTE(review): presumably the time certificate validity is evaluated
   * against (see `verifyCertificate`); the fallback when omitted is not
   * visible here — confirm.
   */
  verifyTime?: Date;
  /** Check certificate revocation via OCSP/CRL (default: true) */
  checkRevocation?: boolean;
  /** Options for revocation checking (timeouts, etc.) */
  revocationOptions?: RevocationCheckOptions;
  /** Verify RFC 3161 timestamp if present (default: true) */
  verifyTimestamps?: boolean;
  /** Include a structured verification checklist in the result (default: false) */
  includeChecklist?: boolean;
  /** Trusted-list provider used for issuer and timestamp authority trust checks */
  trustListProvider?: TrustListProvider;
  /** Options used when fetching issuer certificates needed for stronger trust-list matching */
  trustedListFetchOptions?: TrustedListFetchOptions;
  /**
   * Allow DN-only trusted-list matches to be treated as positive evidence.
   *
   * The option name marks a DN-only match as the weak form of match, and
   * `trustedListFetchOptions` exists to obtain issuer certificates for a
   * stronger one. Enabling this accepts the weaker evidence as trust.
   * NOTE(review): the default is not stated here; confirm it is off.
   */
  allowWeakDnOnlyTrustMatch?: boolean;
}

/**
 * Result of a checksum verification
 */
export interface ChecksumVerificationResult {
  /** Overall outcome of the checksum verification. */
  isValid: boolean;
  /**
   * Detailed results.
   * NOTE(review): `verifyChecksums` documents "results for each file", so
   * this is presumably keyed by filename; the value shape is not visible
   * because the type arguments of `Record` are missing — confirm.
   */
  details: Record;
}

/**
 * Result of a signature verification
 */
export interface SignatureVerificationResult {
  /** Whether the signature verified. */
  isValid: boolean;
  /** Explanation of the outcome, when provided. */
  reason?: string;
  /** True if verification failed due to platform limitation (e.g., RSA >4096 in Safari) */
  unsupportedPlatform?: boolean;
  /**
   * Diagnostic context for a failure.
   * `algorithm` is typed `any`, so the compiler does not check how it is
   * used; narrow it before reading properties from it.
   */
  errorDetails?: {
    category: string;
    originalMessage: string;
    algorithm: any;
    environment: string;
    keyLength: number;
  };
}

/**
 * Result of a certificate verification
 */
export interface CertificateVerificationResult {
  /** Whether the certificate passed verification. */
  isValid: boolean;
  /** Explanation of the outcome, when provided. */
  reason?: string;
  /** Parsed certificate information, when available. */
  info?: CertificateInfo;
  /** Revocation check result (if checkRevocation was enabled) */
  revocation?: RevocationResult;
}

/**
 * Validation status for granular verification results
 * - VALID: Signature cryptographically valid, all checks pass
 * - INVALID: Definitely wrong (bad checksum, tampered content, crypto failure with supported key)
 * - INDETERMINATE: Can't conclude (expired cert without POE, missing chain, revocation unknown)
 * - UNSUPPORTED: Platform can't verify (e.g., RSA >4096 bits in Safari/WebKit)
 *
 * Only VALID states that all checks passed. INDETERMINATE and UNSUPPORTED
 * mean that no conclusion was reached, which is different from a failure.
 */
export type ValidationStatus = "VALID" | "INVALID" | "INDETERMINATE" | "UNSUPPORTED";

/**
 * Describes a limitation that prevented full verification
 */
export interface ValidationLimitation {
  /** Machine-readable code (e.g., 'RSA_KEY_SIZE_UNSUPPORTED', 'CERT_EXPIRED_NO_POE') */
  code: string;
  /** Human-readable description */
  description: string;
  /** Platform where this limitation applies (e.g., 'Safari/WebKit') */
  platform?: string;
}

/** Outcome of one checklist entry; "skipped" and "indeterminate" are distinct from "pass". */
export type ChecklistStatus = "pass" | "fail" | "skipped" | "indeterminate";

/**
 * Identifiers of the individual checks reported in the checklist.
 * The certificate, revocation and trust entries are named as evaluated
 * "at signing time".
 */
export type ChecklistCheck =
  "document_integrity" |
  "signature_valid" |
  "certificate_valid_at_signing_time" |
  "timestamp_present" |
  "timestamp_valid" |
  "timestamp_authority_trusted_at_signing_time" |
  "certificate_not_revoked_at_signing_time" |
  "issuer_trusted_at_signing_time";

/** One entry of the structured verification checklist. */
export interface ChecklistItem {
  /** Which check this entry reports on. */
  check: ChecklistCheck;
  /** Display label for the check. */
  label: string;
  /** Outcome of the check. */
  status: ChecklistStatus;
  /** Additional explanation, when provided. */
  detail?: string;
  // NOTE(review): presumably the country of the matched trusted-list entry — confirm.
  country?: string;
}

/**
 * Complete verification result
 */
export interface VerificationResult {
  /**
   * Whether the signature is valid (for backwards compatibility).
   *
   * A boolean cannot express INDETERMINATE or UNSUPPORTED. How those
   * statuses map onto this flag is not visible in this declaration, so
   * callers making a trust decision should read `status`.
   */
  isValid: boolean;
  /** Granular validation status */
  status: ValidationStatus;
  /** Human-readable status explanation */
  statusMessage?: string;
  /** Limitations that prevented full verification (for INDETERMINATE/UNSUPPORTED) */
  limitations?: ValidationLimitation[];
  /** Certificate verification result. */
  certificate: CertificateVerificationResult;
  /** Checksum verification result. */
  checksums: ChecksumVerificationResult;
  /** Signature verification result, when present. */
  signature?: SignatureVerificationResult;
  /** Timestamp verification result (if timestamp present and verifyTimestamps enabled) */
  timestamp?: TimestampVerificationResult;
  /** Structured checklist; `includeChecklist` controls whether it is included. */
  checklist?: ChecklistItem[];
  /** Trusted-list match, when present. NOTE(review): presumably for the signer's issuer — confirm. */
  trustListMatch?: TrustListMatch;
  /** Trusted-list match, when present. NOTE(review): presumably for the timestamp authority — confirm. */
  timestampTrustListMatch?: TrustListMatch;
  /** Error messages collected during verification, when any. */
  errors?: string[];
}

/**
 * Compute a digest (hash) of file content with browser/node compatibility
 *
 * NOTE(review): the set of accepted algorithm names is not visible in this
 * declaration; confirm how an unknown name is handled.
 *
 * @param fileContent The file content as Uint8Array
 * @param algorithm The digest algorithm to use (e.g., 'SHA-256')
 * @returns Promise with Base64-encoded digest
 */
export declare function computeDigest(fileContent: Uint8Array, algorithm: string): Promise;

/**
 * Verify checksums of files against signature
 *
 * NOTE(review): this declaration does not show how a file that has a signed
 * checksum but is missing from `files`, or a file in `files` without a signed
 * checksum, is reported — confirm in the implementation.
 *
 * @param signature The signature information
 * @param files Map of filenames to file contents
 * @returns Promise with verification results for each file
 */
export declare function verifyChecksums(
  signature: {
    signedChecksums: Record;
    digestAlgorithms?: Record;
    algorithm?: string;
  },
  files: Map
): Promise;

/**
 * Verify certificate validity
 *
 * The parameters are a single PEM certificate and a time; no issuer chain or
 * trust anchors are passed in.
 * NOTE(review): issuer trust appears to be evaluated separately (see
 * `trustListProvider` in VerificationOptions) — confirm before treating a
 * valid result from this function as proof of a trusted issuer.
 *
 * @param certificatePEM PEM-formatted certificate
 * @param verifyTime Time to check validity against
 * @returns Certificate verification result
 */
export declare function verifyCertificate(certificatePEM: string, verifyTime?: Date): Promise;

/**
 * Verify the XML signature specifically using SignedInfo and SignatureValue
 *
 * The public key is supplied by the caller as raw data.
 * NOTE(review): whether the key is tied to a verified certificate is not
 * visible in this declaration — confirm in the caller.
 *
 * @param signatureXml The XML string of the SignedInfo element
 * @param signatureValue The base64-encoded signature value
 * @param publicKeyData The public key raw data
 * @param algorithm Key algorithm details
 * @param canonicalizationMethod The canonicalization method used
 * @returns Signature verification result
 */
export declare function verifySignedInfo(
  signatureXml: string,
  signatureValue: string,
  publicKeyData: ArrayBuffer,
  algorithm: {
    name: string;
    hash: string;
    namedCurve?: string;
  },
  canonicalizationMethod?: string
): Promise;

/**
 * Verify a complete signature (certificate, checksums, and signature)
 *
 * The flags in `options` select which checks are requested. Read `status`
 * and `limitations` on the result to tell a completed verification from an
 * inconclusive one.
 *
 * @param signatureInfo Signature information
 * @param files File contents
 * @param options Verification options
 * @returns Complete verification result
 */
export declare function verifySignature(signatureInfo: SignatureInfo, files: Map, options?: VerificationOptions): Promise;