npm - @credo-ts/core - Versions diffs - 0.6.2-alpha-20251211125344 → 0.6.2-alpha-20260108172346 - Mend

@credo-ts/core 0.6.2-alpha-20251211125344 → 0.6.2-alpha-20260108172346

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (80) hide show

package/build/modules/mdoc/MdocContext.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"MdocContext.mjs","names":[],"sources":["../../../src/modules/mdoc/MdocContext.ts"],"sourcesContent":["import type { MdocContext, X509Context } from '@animo-id/mdoc'\nimport { p256 } from '@noble/curves/nist.js'\nimport { hkdf } from '@noble/hashes/hkdf.js'\nimport { sha256 } from '@noble/hashes/sha2.js'\nimport type { AgentContext } from '../../agent'\nimport { CredoWebCrypto, Hasher } from '../../crypto'\nimport { TypedArrayEncoder } from '../../utils'\nimport { KeyManagementApi, type KmsJwkPublicAsymmetric, type KnownJwaSignatureAlgorithm, PublicJwk } from '../kms'\nimport { X509Certificate, X509Service } from '../x509'\n\nexport const getMdocContext = (agentContext: AgentContext): MdocContext => {\n const crypto = new CredoWebCrypto(agentContext)\n const kms = agentContext.resolve(KeyManagementApi)\n\n return {\n crypto: {\n digest: async (input) => {\n const { bytes, digestAlgorithm } = input\n\n return new Uint8Array(\n crypto.digest(\n digestAlgorithm,\n // NOTE: extra Uint8Array wrapping is needed here, somehow if we use `bytes.buffer` directly\n // it's not working. Maybe due to Uint8array lengt\n new Uint8Array(bytes).buffer\n )\n )\n },\n random: (length) => {\n return crypto.getRandomValues(new Uint8Array(length))\n },\n calculateEphemeralMacKeyJwk: async (input) => {\n const { privateKey, publicKey, sessionTranscriptBytes } = input\n const ikm = p256.getSharedSecret(privateKey, publicKey, true).slice(1)\n const salt = Hasher.hash(sessionTranscriptBytes, 'sha-256')\n const info = TypedArrayEncoder.fromString('EMacKey')\n const hk1 = hkdf(sha256, ikm, salt, info, 32)\n\n return {\n key_ops: ['sign', 'verify'],\n ext: true,\n kty: 'oct',\n k: TypedArrayEncoder.toBase64URL(hk1),\n alg: 'HS256',\n }\n },\n },\n\n cose: {\n mac0: {\n sign: async (input) => {\n const { jwk, mac0 } = input\n const { data } = mac0.getRawSigningData()\n\n const publicJwk = PublicJwk.fromUnknown(jwk)\n const algorithm = mac0.algName ?? publicJwk.signatureAlgorithm\n\n const { signature } = await kms.sign({\n data,\n algorithm,\n keyId: publicJwk.keyId,\n })\n\n return signature\n },\n verify: async (input) => {\n const { mac0, jwk, options } = input\n const { data, signature } = mac0.getRawVerificationData(options)\n\n const publicJwk = PublicJwk.fromUnknown(jwk)\n const algorithm = mac0.algName ?? publicJwk.signatureAlgorithm\n\n const { verified } = await kms.verify({\n key: {\n publicJwk: jwk as KmsJwkPublicAsymmetric,\n },\n data,\n algorithm,\n signature,\n })\n\n return verified\n },\n },\n sign1: {\n sign: async (input) => {\n const { jwk, sign1 } = input\n const { data } = sign1.getRawSigningData()\n\n const publicJwk = PublicJwk.fromUnknown(jwk)\n const algorithm = sign1.algName ?? publicJwk.signatureAlgorithm\n\n const { signature } = await kms.sign({\n data,\n algorithm: algorithm as KnownJwaSignatureAlgorithm,\n keyId: publicJwk.keyId,\n })\n\n return signature\n },\n verify: async (input) => {\n const { sign1, jwk, options } = input\n const { data, signature } = sign1.getRawVerificationData(options)\n\n const publicJwk = PublicJwk.fromUnknown(jwk)\n const algorithm = sign1.algName ?? publicJwk.signatureAlgorithm\n\n const { verified } = await kms.verify({\n key: {\n publicJwk: jwk as KmsJwkPublicAsymmetric,\n },\n data,\n algorithm: algorithm as KnownJwaSignatureAlgorithm,\n signature,\n })\n\n return verified\n },\n },\n },\n\n x509: {\n getIssuerNameField: (input) => {\n const { certificate, field } = input\n const x509Certificate = X509Certificate.fromRawCertificate(certificate)\n return x509Certificate.getIssuerNameField(field)\n },\n getPublicKey: async (input) => {\n const certificate = X509Certificate.fromRawCertificate(input.certificate)\n return certificate.publicJwk.toJson()\n },\n validateCertificateChain: async (input) => {\n const certificateChain = input.x5chain.map((cert) => X509Certificate.fromRawCertificate(cert).toString('pem'))\n const trustedCertificates = input.trustedCertificates.map((cert) =>\n X509Certificate.fromRawCertificate(cert).toString('pem')\n ) as [string, ...string[]]\n\n await X509Service.validateCertificateChain(agentContext, {\n certificateChain,\n trustedCertificates,\n })\n },\n getCertificateData: async (input) => {\n const { certificate } = input\n const x509Certificate = X509Certificate.fromRawCertificate(certificate)\n return {\n ...x509Certificate.data,\n thumbprint: await x509Certificate.~~getThumprintInHex~~(agentContext),\n }\n },\n } satisfies X509Context,\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAUA,MAAa,kBAAkB,iBAA4C;CACzE,MAAM,SAAS,IAAI,eAAe,aAAa;CAC/C,MAAM,MAAM,aAAa,QAAQ,iBAAiB;AAElD,QAAO;EACL,QAAQ;GACN,QAAQ,OAAO,UAAU;IACvB,MAAM,EAAE,OAAO,oBAAoB;AAEnC,WAAO,IAAI,WACT,OAAO,OACL,iBAGA,IAAI,WAAW,MAAM,CAAC,OACvB,CACF;;GAEH,SAAS,WAAW;AAClB,WAAO,OAAO,gBAAgB,IAAI,WAAW,OAAO,CAAC;;GAEvD,6BAA6B,OAAO,UAAU;IAC5C,MAAM,EAAE,YAAY,WAAW,2BAA2B;IAI1D,MAAM,MAAM,KAAK,QAHL,KAAK,gBAAgB,YAAY,WAAW,KAAK,CAAC,MAAM,EAAE,EACzD,OAAO,KAAK,wBAAwB,UAAU,EAC9C,kBAAkB,WAAW,UAAU,EACV,GAAG;AAE7C,WAAO;KACL,SAAS,CAAC,QAAQ,SAAS;KAC3B,KAAK;KACL,KAAK;KACL,GAAG,kBAAkB,YAAY,IAAI;KACrC,KAAK;KACN;;GAEJ;EAED,MAAM;GACJ,MAAM;IACJ,MAAM,OAAO,UAAU;KACrB,MAAM,EAAE,KAAK,SAAS;KACtB,MAAM,EAAE,SAAS,KAAK,mBAAmB;KAEzC,MAAM,YAAY,UAAU,YAAY,IAAI;KAC5C,MAAM,YAAY,KAAK,WAAW,UAAU;KAE5C,MAAM,EAAE,cAAc,MAAM,IAAI,KAAK;MACnC;MACA;MACA,OAAO,UAAU;MAClB,CAAC;AAEF,YAAO;;IAET,QAAQ,OAAO,UAAU;KACvB,MAAM,EAAE,MAAM,KAAK,YAAY;KAC/B,MAAM,EAAE,MAAM,cAAc,KAAK,uBAAuB,QAAQ;KAEhE,MAAM,YAAY,UAAU,YAAY,IAAI;KAC5C,MAAM,YAAY,KAAK,WAAW,UAAU;KAE5C,MAAM,EAAE,aAAa,MAAM,IAAI,OAAO;MACpC,KAAK,EACH,WAAW,KACZ;MACD;MACA;MACA;MACD,CAAC;AAEF,YAAO;;IAEV;GACD,OAAO;IACL,MAAM,OAAO,UAAU;KACrB,MAAM,EAAE,KAAK,UAAU;KACvB,MAAM,EAAE,SAAS,MAAM,mBAAmB;KAE1C,MAAM,YAAY,UAAU,YAAY,IAAI;KAC5C,MAAM,YAAY,MAAM,WAAW,UAAU;KAE7C,MAAM,EAAE,cAAc,MAAM,IAAI,KAAK;MACnC;MACW;MACX,OAAO,UAAU;MAClB,CAAC;AAEF,YAAO;;IAET,QAAQ,OAAO,UAAU;KACvB,MAAM,EAAE,OAAO,KAAK,YAAY;KAChC,MAAM,EAAE,MAAM,cAAc,MAAM,uBAAuB,QAAQ;KAEjE,MAAM,YAAY,UAAU,YAAY,IAAI;KAC5C,MAAM,YAAY,MAAM,WAAW,UAAU;KAE7C,MAAM,EAAE,aAAa,MAAM,IAAI,OAAO;MACpC,KAAK,EACH,WAAW,KACZ;MACD;MACW;MACX;MACD,CAAC;AAEF,YAAO;;IAEV;GACF;EAED,MAAM;GACJ,qBAAqB,UAAU;IAC7B,MAAM,EAAE,aAAa,UAAU;AAE/B,WADwB,gBAAgB,mBAAmB,YAAY,CAChD,mBAAmB,MAAM;;GAElD,cAAc,OAAO,UAAU;AAE7B,WADoB,gBAAgB,mBAAmB,MAAM,YAAY,CACtD,UAAU,QAAQ;;GAEvC,0BAA0B,OAAO,UAAU;IACzC,MAAM,mBAAmB,MAAM,QAAQ,KAAK,SAAS,gBAAgB,mBAAmB,KAAK,CAAC,SAAS,MAAM,CAAC;IAC9G,MAAM,sBAAsB,MAAM,oBAAoB,KAAK,SACzD,gBAAgB,mBAAmB,KAAK,CAAC,SAAS,MAAM,CACzD;AAED,UAAM,YAAY,yBAAyB,cAAc;KACvD;KACA;KACD,CAAC;;GAEJ,oBAAoB,OAAO,UAAU;IACnC,MAAM,EAAE,gBAAgB;IACxB,MAAM,kBAAkB,gBAAgB,mBAAmB,YAAY;AACvE,WAAO;KACL,GAAG,gBAAgB;KACnB,YAAY,MAAM,gBAAgB,~~kBAAkB~~,aAAa;~~KAClE~~;;GAEJ;EACF"}
1	+ {"version":3,"file":"MdocContext.mjs","names":[],"sources":["../../../src/modules/mdoc/MdocContext.ts"],"sourcesContent":["import type { MdocContext, X509Context } from '@animo-id/mdoc'\nimport { p256 } from '@noble/curves/nist.js'\nimport { hkdf } from '@noble/hashes/hkdf.js'\nimport { sha256 } from '@noble/hashes/sha2.js'\nimport type { AgentContext } from '../../agent'\nimport { CredoWebCrypto, Hasher } from '../../crypto'\nimport { TypedArrayEncoder } from '../../utils'\nimport { KeyManagementApi, type KmsJwkPublicAsymmetric, type KnownJwaSignatureAlgorithm, PublicJwk } from '../kms'\nimport { X509Certificate, X509Service } from '../x509'\n\nexport const getMdocContext = (agentContext: AgentContext): MdocContext => {\n const crypto = new CredoWebCrypto(agentContext)\n const kms = agentContext.resolve(KeyManagementApi)\n\n return {\n crypto: {\n digest: async (input) => {\n const { bytes, digestAlgorithm } = input\n\n return new Uint8Array(\n crypto.digest(\n digestAlgorithm,\n // NOTE: extra Uint8Array wrapping is needed here, somehow if we use `bytes.buffer` directly\n // it's not working. Maybe due to Uint8array lengt\n new Uint8Array(bytes).buffer\n )\n )\n },\n random: (length) => {\n return crypto.getRandomValues(new Uint8Array(length))\n },\n calculateEphemeralMacKeyJwk: async (input) => {\n const { privateKey, publicKey, sessionTranscriptBytes } = input\n const ikm = p256.getSharedSecret(privateKey, publicKey, true).slice(1)\n const salt = Hasher.hash(sessionTranscriptBytes, 'sha-256')\n const info = TypedArrayEncoder.fromString('EMacKey')\n const hk1 = hkdf(sha256, ikm, salt, info, 32)\n\n return {\n key_ops: ['sign', 'verify'],\n ext: true,\n kty: 'oct',\n k: TypedArrayEncoder.toBase64URL(hk1),\n alg: 'HS256',\n }\n },\n },\n\n cose: {\n mac0: {\n sign: async (input) => {\n const { jwk, mac0 } = input\n const { data } = mac0.getRawSigningData()\n\n const publicJwk = PublicJwk.fromUnknown(jwk)\n const algorithm = mac0.algName ?? publicJwk.signatureAlgorithm\n\n const { signature } = await kms.sign({\n data,\n algorithm,\n keyId: publicJwk.keyId,\n })\n\n return signature\n },\n verify: async (input) => {\n const { mac0, jwk, options } = input\n const { data, signature } = mac0.getRawVerificationData(options)\n\n const publicJwk = PublicJwk.fromUnknown(jwk)\n const algorithm = mac0.algName ?? publicJwk.signatureAlgorithm\n\n const { verified } = await kms.verify({\n key: {\n publicJwk: jwk as KmsJwkPublicAsymmetric,\n },\n data,\n algorithm,\n signature,\n })\n\n return verified\n },\n },\n sign1: {\n sign: async (input) => {\n const { jwk, sign1 } = input\n const { data } = sign1.getRawSigningData()\n\n const publicJwk = PublicJwk.fromUnknown(jwk)\n const algorithm = sign1.algName ?? publicJwk.signatureAlgorithm\n\n const { signature } = await kms.sign({\n data,\n algorithm: algorithm as KnownJwaSignatureAlgorithm,\n keyId: publicJwk.keyId,\n })\n\n return signature\n },\n verify: async (input) => {\n const { sign1, jwk, options } = input\n const { data, signature } = sign1.getRawVerificationData(options)\n\n const publicJwk = PublicJwk.fromUnknown(jwk)\n const algorithm = sign1.algName ?? publicJwk.signatureAlgorithm\n\n const { verified } = await kms.verify({\n key: {\n publicJwk: jwk as KmsJwkPublicAsymmetric,\n },\n data,\n algorithm: algorithm as KnownJwaSignatureAlgorithm,\n signature,\n })\n\n return verified\n },\n },\n },\n\n x509: {\n getIssuerNameField: (input) => {\n const { certificate, field } = input\n const x509Certificate = X509Certificate.fromRawCertificate(certificate)\n return x509Certificate.getIssuerNameField(field)\n },\n getPublicKey: async (input) => {\n const certificate = X509Certificate.fromRawCertificate(input.certificate)\n return certificate.publicJwk.toJson()\n },\n validateCertificateChain: async (input) => {\n const certificateChain = input.x5chain.map((cert) => X509Certificate.fromRawCertificate(cert).toString('pem'))\n const trustedCertificates = input.trustedCertificates.map((cert) =>\n X509Certificate.fromRawCertificate(cert).toString('pem')\n ) as [string, ...string[]]\n\n await X509Service.validateCertificateChain(agentContext, {\n certificateChain,\n trustedCertificates,\n })\n },\n getCertificateData: async (input) => {\n const { certificate } = input\n const x509Certificate = X509Certificate.fromRawCertificate(certificate)\n return {\n ...x509Certificate.data,\n thumbprint: await x509Certificate.getThumbprintInHex(agentContext),\n }\n },\n } satisfies X509Context,\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAUA,MAAa,kBAAkB,iBAA4C;CACzE,MAAM,SAAS,IAAI,eAAe,aAAa;CAC/C,MAAM,MAAM,aAAa,QAAQ,iBAAiB;AAElD,QAAO;EACL,QAAQ;GACN,QAAQ,OAAO,UAAU;IACvB,MAAM,EAAE,OAAO,oBAAoB;AAEnC,WAAO,IAAI,WACT,OAAO,OACL,iBAGA,IAAI,WAAW,MAAM,CAAC,OACvB,CACF;;GAEH,SAAS,WAAW;AAClB,WAAO,OAAO,gBAAgB,IAAI,WAAW,OAAO,CAAC;;GAEvD,6BAA6B,OAAO,UAAU;IAC5C,MAAM,EAAE,YAAY,WAAW,2BAA2B;IAI1D,MAAM,MAAM,KAAK,QAHL,KAAK,gBAAgB,YAAY,WAAW,KAAK,CAAC,MAAM,EAAE,EACzD,OAAO,KAAK,wBAAwB,UAAU,EAC9C,kBAAkB,WAAW,UAAU,EACV,GAAG;AAE7C,WAAO;KACL,SAAS,CAAC,QAAQ,SAAS;KAC3B,KAAK;KACL,KAAK;KACL,GAAG,kBAAkB,YAAY,IAAI;KACrC,KAAK;KACN;;GAEJ;EAED,MAAM;GACJ,MAAM;IACJ,MAAM,OAAO,UAAU;KACrB,MAAM,EAAE,KAAK,SAAS;KACtB,MAAM,EAAE,SAAS,KAAK,mBAAmB;KAEzC,MAAM,YAAY,UAAU,YAAY,IAAI;KAC5C,MAAM,YAAY,KAAK,WAAW,UAAU;KAE5C,MAAM,EAAE,cAAc,MAAM,IAAI,KAAK;MACnC;MACA;MACA,OAAO,UAAU;MAClB,CAAC;AAEF,YAAO;;IAET,QAAQ,OAAO,UAAU;KACvB,MAAM,EAAE,MAAM,KAAK,YAAY;KAC/B,MAAM,EAAE,MAAM,cAAc,KAAK,uBAAuB,QAAQ;KAEhE,MAAM,YAAY,UAAU,YAAY,IAAI;KAC5C,MAAM,YAAY,KAAK,WAAW,UAAU;KAE5C,MAAM,EAAE,aAAa,MAAM,IAAI,OAAO;MACpC,KAAK,EACH,WAAW,KACZ;MACD;MACA;MACA;MACD,CAAC;AAEF,YAAO;;IAEV;GACD,OAAO;IACL,MAAM,OAAO,UAAU;KACrB,MAAM,EAAE,KAAK,UAAU;KACvB,MAAM,EAAE,SAAS,MAAM,mBAAmB;KAE1C,MAAM,YAAY,UAAU,YAAY,IAAI;KAC5C,MAAM,YAAY,MAAM,WAAW,UAAU;KAE7C,MAAM,EAAE,cAAc,MAAM,IAAI,KAAK;MACnC;MACW;MACX,OAAO,UAAU;MAClB,CAAC;AAEF,YAAO;;IAET,QAAQ,OAAO,UAAU;KACvB,MAAM,EAAE,OAAO,KAAK,YAAY;KAChC,MAAM,EAAE,MAAM,cAAc,MAAM,uBAAuB,QAAQ;KAEjE,MAAM,YAAY,UAAU,YAAY,IAAI;KAC5C,MAAM,YAAY,MAAM,WAAW,UAAU;KAE7C,MAAM,EAAE,aAAa,MAAM,IAAI,OAAO;MACpC,KAAK,EACH,WAAW,KACZ;MACD;MACW;MACX;MACD,CAAC;AAEF,YAAO;;IAEV;GACF;EAED,MAAM;GACJ,qBAAqB,UAAU;IAC7B,MAAM,EAAE,aAAa,UAAU;AAE/B,WADwB,gBAAgB,mBAAmB,YAAY,CAChD,mBAAmB,MAAM;;GAElD,cAAc,OAAO,UAAU;AAE7B,WADoB,gBAAgB,mBAAmB,MAAM,YAAY,CACtD,UAAU,QAAQ;;GAEvC,0BAA0B,OAAO,UAAU;IACzC,MAAM,mBAAmB,MAAM,QAAQ,KAAK,SAAS,gBAAgB,mBAAmB,KAAK,CAAC,SAAS,MAAM,CAAC;IAC9G,MAAM,sBAAsB,MAAM,oBAAoB,KAAK,SACzD,gBAAgB,mBAAmB,KAAK,CAAC,SAAS,MAAM,CACzD;AAED,UAAM,YAAY,yBAAyB,cAAc;KACvD;KACA;KACD,CAAC;;GAEJ,oBAAoB,OAAO,UAAU;IACnC,MAAM,EAAE,gBAAgB;IACxB,MAAM,kBAAkB,gBAAgB,mBAAmB,YAAY;AACvE,WAAO;KACL,GAAG,gBAAgB;KACnB,YAAY,MAAM,gBAAgB,mBAAmB,aAAa;KACnE;;GAEJ;EACF"}

package/build/modules/x509/CertificateSigningRequest.d.mts ADDED Viewed

@@ -0,0 +1,58 @@
+import { AnyUint8Array } from "../../types.mjs";
+import { CredoWebCrypto } from "../../crypto/webcrypto/CredoWebCrypto.mjs";
+import "../../crypto/webcrypto/index.mjs";
+import { X509CreateCertificateSigningRequestOptions } from "./X509ServiceOptions.mjs";
+import { X509ExtendedKeyUsage, X509KeyUsage } from "./X509Certificate.mjs";
+import { PublicJwk } from "../kms/jwk/PublicJwk.mjs";
+import "../kms/index.mjs";
+import * as x509 from "@peculiar/x509";
+//#region src/modules/x509/CertificateSigningRequest.d.ts
+type CertificateSigningRequestOptions = {
+  publicJwk: PublicJwk;
+  certificateRequest: x509.Pkcs10CertificateRequest;
+};
+declare class CertificateSigningRequest {
+  publicJwk: PublicJwk;
+  private certificateRequest;
+  private constructor();
+  set keyId(keyId: string);
+  get keyId(): string;
+  get hasKeyId(): boolean;
+  static fromRawCertificateRequest(rawCertificateRequest: AnyUint8Array): CertificateSigningRequest;
+  static fromEncodedCertificateRequest(encodedCertificateRequest: string): CertificateSigningRequest;
+  private static parseCertificateRequest;
+  private getMatchingExtensions;
+  get rawCertificateRequest(): Uint8Array<ArrayBuffer>;
+  get subjectAlternativeNames(): {
+    type: x509.GeneralNameType;
+    value: string;
+  }[];
+  get sanDnsNames(): string[];
+  get sanUriNames(): string[];
+  get subjectKeyIdentifier(): string | undefined;
+  get keyUsage(): X509KeyUsage[];
+  get extendedKeyUsage(): X509ExtendedKeyUsage[];
+  isExtensionCritical(id: string): boolean;
+  static create(options: X509CreateCertificateSigningRequestOptions, webCrypto: CredoWebCrypto): Promise<CertificateSigningRequest>;
+  get subject(): string;
+  get subjectName(): string;
+  verify(webCrypto: CredoWebCrypto): Promise<void>;
+  /**
+   * Get the data elements of the certificate signing request
+   */
+  get data(): {
+    subjectName: string;
+    subject: string;
+    pem: string;
+  };
+  getSubjectNameField(field: string): string[];
+  /**
+   * @param format the format to export to, defaults to `pem`
+   */
+  toString(format?: 'asn' | 'pem' | 'hex' | 'base64' | 'text' | 'base64url'): string;
+  equal(certificateRequest: CertificateSigningRequest): boolean;
+}
+//#endregion
+export { CertificateSigningRequest, CertificateSigningRequestOptions };
+//# sourceMappingURL=CertificateSigningRequest.d.mts.map

package/build/modules/x509/CertificateSigningRequest.d.mts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"CertificateSigningRequest.d.mts","names":[],"sources":["../../../src/modules/x509/CertificateSigningRequest.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;KA6BY,gCAAA;aACC;sBACS,IAAA,CAAK;;cAGd,yBAAA;aACO;EANR,QAAA,kBAAA;EAKC,QAAA,WAAA,CAAA;EACO,IAAA,KAAA,CAAA,KAAA,EAAA,MAAA;EAoB6C,IAAA,KAAA,CAAA,CAAA,EAAA,MAAA;EAAgB,IAAA,QAAA,CAAA,CAAA,EAAA,OAAA;EAKC,OAAA,yBAAA,CAAA,qBAAA,EALjB,aAKiB,CAAA,EALD,yBAKC;EAqBhD,OAAA,6BAAA,CAAA,yBAAA,EAAA,MAAA,CAAA,EArBgD,yBAqBhD;EAAA,eAAA,uBAAA;;EA6Bb,IAAA,qBAAA,CAAA,CAAA,EA7Ba,UA6Bb,CA7Ba,WA6Bb,CAAA;EAiBQ,IAAA,uBAAA,CAAA,CAAA,EAAA;IAqBS,IAAA,sBAAA;IAAuD,KAAA,EAAA,MAAA;EAAc,CAAA,EAAA;EAAA,IAAA,WAAA,CAAA,CAAA,EAAA,MAAA,EAAA;EAuD1E,IAAA,WAAA,CAAA,CAAA,EAAA,MAAA,EAAA;EAAc,IAAA,oBAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EAgCZ,IAAA,QAAA,CAAA,CAAA,EA7Hd,YA6Hc,EAAA;EAAyB,IAAA,gBAAA,CAAA,CAAA,EA5G/B,oBA4G+B,EAAA;;yBAvFtB,uDAAuD,iBAAc,QAAA;;;oBAuD1E,iBAAc;;;;;;;;;;;;;;4BAgCZ"}

package/build/modules/x509/CertificateSigningRequest.mjs ADDED Viewed

@@ -0,0 +1,148 @@
+import "../kms/index.mjs";
+import { CredoWebCryptoKey } from "../../crypto/webcrypto/CredoWebCryptoKey.mjs";
+import { jwaAlgorithmToKeySignParams } from "../../crypto/webcrypto/types.mjs";
+import { publicJwkToCryptoKeyAlgorithm, spkiToPublicJwk } from "../../crypto/webcrypto/utils/keyAlgorithmConversion.mjs";
+import "../../crypto/webcrypto/utils/index.mjs";
+import "../../crypto/webcrypto/index.mjs";
+import { createExtendedKeyUsagesExtension, createKeyUsagesExtension, createSubjectAlternativeNameExtension, createSubjectKeyIdentifierExtension } from "./utils/extensions.mjs";
+import { X509Error } from "./X509Error.mjs";
+import { convertName } from "./utils/nameConversion.mjs";
+import "./utils/index.mjs";
+import { X509KeyUsage } from "./X509Certificate.mjs";
+import { AsnParser } from "@peculiar/asn1-schema";
+import { SubjectPublicKeyInfo, id_ce_extKeyUsage, id_ce_keyUsage, id_ce_subjectAltName, id_ce_subjectKeyIdentifier } from "@peculiar/asn1-x509";
+import * as x509 from "@peculiar/x509";
+//#region src/modules/x509/CertificateSigningRequest.ts
+var CertificateSigningRequest = class CertificateSigningRequest {
+	constructor(options) {
+		this.publicJwk = options.publicJwk;
+		this.certificateRequest = options.certificateRequest;
+	}
+	set keyId(keyId) {
+		this.publicJwk.keyId = keyId;
+	}
+	get keyId() {
+		return this.publicJwk.keyId;
+	}
+	get hasKeyId() {
+		return this.publicJwk.hasKeyId;
+	}
+	static fromRawCertificateRequest(rawCertificateRequest) {
+		const certificateRequest = new x509.Pkcs10CertificateRequest(rawCertificateRequest);
+		return CertificateSigningRequest.parseCertificateRequest(certificateRequest);
+	}
+	static fromEncodedCertificateRequest(encodedCertificateRequest) {
+		const certificateRequest = new x509.Pkcs10CertificateRequest(encodedCertificateRequest);
+		return CertificateSigningRequest.parseCertificateRequest(certificateRequest);
+	}
+	static parseCertificateRequest(certificateRequest) {
+		return new CertificateSigningRequest({
+			publicJwk: spkiToPublicJwk(AsnParser.parse(certificateRequest.publicKey.rawData, SubjectPublicKeyInfo)),
+			certificateRequest
+		});
+	}
+	getMatchingExtensions(objectIdentifier) {
+		const matchingExtensions = this.certificateRequest.extensions.filter((e) => e.type === objectIdentifier);
+		if (matchingExtensions.length === 0) return void 0;
+		return matchingExtensions;
+	}
+	get rawCertificateRequest() {
+		return new Uint8Array(this.certificateRequest.rawData);
+	}
+	get subjectAlternativeNames() {
+		return this.getMatchingExtensions(id_ce_subjectAltName)?.flatMap((s) => s.names.items ?? []).map((i) => ({
+			type: i.type,
+			value: i.value
+		})) ?? [];
+	}
+	get sanDnsNames() {
+		return this.subjectAlternativeNames.filter((san) => san.type === "dns").map((san) => san.value);
+	}
+	get sanUriNames() {
+		return this.subjectAlternativeNames.filter((san) => san.type === "url").map((san) => san.value);
+	}
+	get subjectKeyIdentifier() {
+		const keyIds = this.getMatchingExtensions(id_ce_subjectKeyIdentifier)?.map((e) => e.keyId);
+		if (keyIds && keyIds.length > 1) throw new X509Error("Multiple Subject Key Identifiers are not allowed");
+		return keyIds?.[0];
+	}
+	get keyUsage() {
+		const keyUsages = this.getMatchingExtensions(id_ce_keyUsage)?.map((e) => e.usages);
+		if (keyUsages && keyUsages.length > 1) throw new X509Error("Multiple Key Usages are not allowed");
+		if (keyUsages && keyUsages.length > 0) return Object.values(X509KeyUsage).filter((key) => typeof key === "number").filter((flagValue) => (keyUsages[0] & flagValue) === flagValue).map((flagValue) => flagValue);
+		return [];
+	}
+	get extendedKeyUsage() {
+		const extendedKeyUsages = this.getMatchingExtensions(id_ce_extKeyUsage)?.map((e) => e.usages);
+		if (extendedKeyUsages && extendedKeyUsages.length > 1) throw new X509Error("Multiple Extended Key Usages are not allowed");
+		return extendedKeyUsages?.[0] ?? [];
+	}
+	isExtensionCritical(id) {
+		const extension = this.getMatchingExtensions(id);
+		if (!extension) throw new X509Error(`extension with id '${id}' is not found`);
+		return !!extension[0].critical;
+	}
+	static async create(options, webCrypto) {
+		const signingKey = new CredoWebCryptoKey(options.subjectPublicKey, publicJwkToCryptoKeyAlgorithm(options.subjectPublicKey), false, "private", ["sign"]);
+		const publicKey = new CredoWebCryptoKey(options.subjectPublicKey, publicJwkToCryptoKeyAlgorithm(options.subjectPublicKey), true, "public", ["verify"]);
+		const extensions = [];
+		extensions.push(createSubjectKeyIdentifierExtension(options.extensions?.subjectKeyIdentifier, { publicJwk: options.subjectPublicKey }));
+		extensions.push(createKeyUsagesExtension(options.extensions?.keyUsage));
+		extensions.push(createExtendedKeyUsagesExtension(options.extensions?.extendedKeyUsage));
+		extensions.push(createSubjectAlternativeNameExtension(options.extensions?.subjectAlternativeName));
+		const subjectName = convertName(options.subject);
+		const jwaAlgorithm = options.subjectPublicKey.signatureAlgorithm;
+		const signingAlgorithm = jwaAlgorithmToKeySignParams(jwaAlgorithm);
+		const csr = await x509.Pkcs10CertificateRequestGenerator.create({
+			keys: {
+				publicKey,
+				privateKey: signingKey
+			},
+			name: subjectName,
+			signingAlgorithm,
+			extensions: extensions.filter((e) => e !== void 0)
+		}, webCrypto);
+		const csrInstance = CertificateSigningRequest.parseCertificateRequest(csr);
+		if (options.subjectPublicKey.hasKeyId) csrInstance.publicJwk.keyId = options.subjectPublicKey.keyId;
+		return csrInstance;
+	}
+	get subject() {
+		return this.certificateRequest.subject;
+	}
+	get subjectName() {
+		return this.certificateRequest.subjectName.toString();
+	}
+	async verify(webCrypto) {
+		if (!await this.certificateRequest.verify(webCrypto)) throw new X509Error(`Certificate Signing Request for '${this.certificateRequest.subject}' has an invalid signature`);
+	}
+	/**
+	* Get the data elements of the certificate signing request
+	*/
+	get data() {
+		return {
+			subjectName: this.certificateRequest.subjectName.toString(),
+			subject: this.certificateRequest.subject,
+			pem: this.certificateRequest.toString()
+		};
+	}
+	getSubjectNameField(field) {
+		return this.certificateRequest.subjectName.getField(field);
+	}
+	/**
+	* @param format the format to export to, defaults to `pem`
+	*/
+	toString(format) {
+		return this.certificateRequest.toString(format ?? "pem");
+	}
+	equal(certificateRequest) {
+		const parsedOther = new x509.Pkcs10CertificateRequest(certificateRequest.rawCertificateRequest);
+		return this.certificateRequest.equal(parsedOther);
+	}
+};
+//#endregion
+export { CertificateSigningRequest };
+//# sourceMappingURL=CertificateSigningRequest.mjs.map

package/build/modules/x509/CertificateSigningRequest.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"CertificateSigningRequest.mjs","names":["extensions: Array<x509.Extension | undefined>"],"sources":["../../../src/modules/x509/CertificateSigningRequest.ts"],"sourcesContent":["import { AsnParser } from '@peculiar/asn1-schema'\nimport {\n id_ce_extKeyUsage,\n id_ce_keyUsage,\n id_ce_subjectAltName,\n id_ce_subjectKeyIdentifier,\n SubjectPublicKeyInfo,\n} from '@peculiar/asn1-x509'\nimport * as x509 from '@peculiar/x509'\nimport {\n CredoWebCrypto,\n CredoWebCryptoKey,\n jwaAlgorithmToKeySignParams,\n publicJwkToCryptoKeyAlgorithm,\n} from '../../crypto/webcrypto'\nimport { spkiToPublicJwk } from '../../crypto/webcrypto/utils'\nimport type { AnyUint8Array } from '../../types'\nimport { PublicJwk } from '../kms'\nimport {\n convertName,\n createExtendedKeyUsagesExtension,\n createKeyUsagesExtension,\n createSubjectAlternativeNameExtension,\n createSubjectKeyIdentifierExtension,\n} from './utils'\nimport { X509ExtendedKeyUsage, X509KeyUsage } from './X509Certificate'\nimport { X509Error } from './X509Error'\nimport type { X509CreateCertificateSigningRequestOptions } from './X509ServiceOptions'\n\nexport type CertificateSigningRequestOptions = {\n publicJwk: PublicJwk\n certificateRequest: x509.Pkcs10CertificateRequest\n}\n\nexport class CertificateSigningRequest {\n public publicJwk: PublicJwk\n private certificateRequest: x509.Pkcs10CertificateRequest\n\n private constructor(options: CertificateSigningRequestOptions) {\n this.publicJwk = options.publicJwk\n this.certificateRequest = options.certificateRequest\n }\n\n public set keyId(keyId: string) {\n this.publicJwk.keyId = keyId\n }\n\n public get keyId(): string {\n return this.publicJwk.keyId\n }\n\n public get hasKeyId(): boolean {\n return this.publicJwk.hasKeyId\n }\n\n public static fromRawCertificateRequest(rawCertificateRequest: AnyUint8Array): CertificateSigningRequest {\n const certificateRequest = new x509.Pkcs10CertificateRequest(rawCertificateRequest)\n return CertificateSigningRequest.parseCertificateRequest(certificateRequest)\n }\n\n public static fromEncodedCertificateRequest(encodedCertificateRequest: string): CertificateSigningRequest {\n const certificateRequest = new x509.Pkcs10CertificateRequest(encodedCertificateRequest)\n return CertificateSigningRequest.parseCertificateRequest(certificateRequest)\n }\n\n private static parseCertificateRequest(certificateRequest: x509.Pkcs10CertificateRequest): CertificateSigningRequest {\n const spki = AsnParser.parse(certificateRequest.publicKey.rawData, SubjectPublicKeyInfo)\n const publicJwk = spkiToPublicJwk(spki)\n\n return new CertificateSigningRequest({\n publicJwk,\n certificateRequest,\n })\n }\n\n private getMatchingExtensions<T = { critical: boolean }>(objectIdentifier: string): Array<T> | undefined {\n const matchingExtensions = this.certificateRequest.extensions.filter((e) => e.type === objectIdentifier)\n if (matchingExtensions.length === 0) return undefined\n return matchingExtensions as Array<T>\n }\n\n public get rawCertificateRequest() {\n return new Uint8Array(this.certificateRequest.rawData)\n }\n\n public get subjectAlternativeNames() {\n const san = this.getMatchingExtensions<x509.SubjectAlternativeNameExtension>(id_ce_subjectAltName)\n return san?.flatMap((s) => s.names.items ?? []).map((i) => ({ type: i.type, value: i.value })) ?? []\n }\n\n public get sanDnsNames() {\n return this.subjectAlternativeNames.filter((san) => san.type === 'dns').map((san) => san.value)\n }\n\n public get sanUriNames() {\n return this.subjectAlternativeNames.filter((san) => san.type === 'url').map((san) => san.value)\n }\n\n public get subjectKeyIdentifier() {\n const keyIds = this.getMatchingExtensions<x509.SubjectKeyIdentifierExtension>(id_ce_subjectKeyIdentifier)?.map(\n (e) => e.keyId\n )\n\n if (keyIds && keyIds.length > 1) {\n throw new X509Error('Multiple Subject Key Identifiers are not allowed')\n }\n\n return keyIds?.[0]\n }\n\n public get keyUsage() {\n const keyUsages = this.getMatchingExtensions<x509.KeyUsagesExtension>(id_ce_keyUsage)?.map((e) => e.usages)\n\n if (keyUsages && keyUsages.length > 1) {\n throw new X509Error('Multiple Key Usages are not allowed')\n }\n\n if (keyUsages && keyUsages.length > 0) {\n return Object.values(X509KeyUsage)\n .filter((key): key is number => typeof key === 'number')\n .filter((flagValue) => (keyUsages[0] & flagValue) === flagValue)\n .map((flagValue) => flagValue as X509KeyUsage)\n }\n\n return []\n }\n\n public get extendedKeyUsage() {\n const extendedKeyUsages = this.getMatchingExtensions<x509.ExtendedKeyUsageExtension>(id_ce_extKeyUsage)?.map(\n (e) => e.usages\n )\n\n if (extendedKeyUsages && extendedKeyUsages.length > 1) {\n throw new X509Error('Multiple Extended Key Usages are not allowed')\n }\n\n return (extendedKeyUsages?.[0] as Array<X509ExtendedKeyUsage> | undefined) ?? []\n }\n\n public isExtensionCritical(id: string): boolean {\n const extension = this.getMatchingExtensions(id)\n if (!extension) {\n throw new X509Error(`extension with id '${id}' is not found`)\n }\n\n return !!extension[0].critical\n }\n\n public static async create(options: X509CreateCertificateSigningRequestOptions, webCrypto: CredoWebCrypto) {\n const signingKey = new CredoWebCryptoKey(\n options.subjectPublicKey,\n publicJwkToCryptoKeyAlgorithm(options.subjectPublicKey),\n false,\n 'private',\n ['sign']\n )\n const publicKey = new CredoWebCryptoKey(\n options.subjectPublicKey,\n publicJwkToCryptoKeyAlgorithm(options.subjectPublicKey),\n true,\n 'public',\n ['verify']\n )\n\n const extensions: Array<x509.Extension | undefined> = []\n extensions.push(\n createSubjectKeyIdentifierExtension(options.extensions?.subjectKeyIdentifier, {\n publicJwk: options.subjectPublicKey,\n })\n )\n extensions.push(createKeyUsagesExtension(options.extensions?.keyUsage))\n extensions.push(createExtendedKeyUsagesExtension(options.extensions?.extendedKeyUsage))\n extensions.push(createSubjectAlternativeNameExtension(options.extensions?.subjectAlternativeName))\n\n const subjectName = convertName(options.subject)\n\n // Get the JWA signature algorithm from the public key and convert to KeySignParams\n const jwaAlgorithm = options.subjectPublicKey.signatureAlgorithm\n const signingAlgorithm = jwaAlgorithmToKeySignParams(jwaAlgorithm)\n\n const csr = await x509.Pkcs10CertificateRequestGenerator.create(\n {\n keys: { publicKey, privateKey: signingKey },\n name: subjectName,\n signingAlgorithm,\n extensions: extensions.filter((e) => e !== undefined),\n },\n webCrypto\n )\n\n const csrInstance = CertificateSigningRequest.parseCertificateRequest(csr)\n if (options.subjectPublicKey.hasKeyId) csrInstance.publicJwk.keyId = options.subjectPublicKey.keyId\n return csrInstance\n }\n\n public get subject() {\n return this.certificateRequest.subject\n }\n\n public get subjectName() {\n return this.certificateRequest.subjectName.toString()\n }\n\n public async verify(webCrypto: CredoWebCrypto) {\n const isValid = await this.certificateRequest.verify(webCrypto)\n\n if (!isValid) {\n throw new X509Error(\n `Certificate Signing Request for '${this.certificateRequest.subject}' has an invalid signature`\n )\n }\n }\n\n /**\n * Get the data elements of the certificate signing request\n */\n public get data() {\n return {\n subjectName: this.certificateRequest.subjectName.toString(),\n subject: this.certificateRequest.subject,\n pem: this.certificateRequest.toString(),\n }\n }\n\n public getSubjectNameField(field: string) {\n return this.certificateRequest.subjectName.getField(field)\n }\n\n /**\n * @param format the format to export to, defaults to `pem`\n */\n public toString(format?: 'asn' | 'pem' | 'hex' | 'base64' | 'text' | 'base64url') {\n return this.certificateRequest.toString(format ?? 'pem')\n }\n\n public equal(certificateRequest: CertificateSigningRequest) {\n const parsedOther = new x509.Pkcs10CertificateRequest(certificateRequest.rawCertificateRequest)\n\n return this.certificateRequest.equal(parsedOther)\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAkCA,IAAa,4BAAb,MAAa,0BAA0B;CAIrC,AAAQ,YAAY,SAA2C;AAC7D,OAAK,YAAY,QAAQ;AACzB,OAAK,qBAAqB,QAAQ;;CAGpC,IAAW,MAAM,OAAe;AAC9B,OAAK,UAAU,QAAQ;;CAGzB,IAAW,QAAgB;AACzB,SAAO,KAAK,UAAU;;CAGxB,IAAW,WAAoB;AAC7B,SAAO,KAAK,UAAU;;CAGxB,OAAc,0BAA0B,uBAAiE;EACvG,MAAM,qBAAqB,IAAI,KAAK,yBAAyB,sBAAsB;AACnF,SAAO,0BAA0B,wBAAwB,mBAAmB;;CAG9E,OAAc,8BAA8B,2BAA8D;EACxG,MAAM,qBAAqB,IAAI,KAAK,yBAAyB,0BAA0B;AACvF,SAAO,0BAA0B,wBAAwB,mBAAmB;;CAG9E,OAAe,wBAAwB,oBAA8E;AAInH,SAAO,IAAI,0BAA0B;GACnC,WAHgB,gBADL,UAAU,MAAM,mBAAmB,UAAU,SAAS,qBAAqB,CACjD;GAIrC;GACD,CAAC;;CAGJ,AAAQ,sBAAiD,kBAAgD;EACvG,MAAM,qBAAqB,KAAK,mBAAmB,WAAW,QAAQ,MAAM,EAAE,SAAS,iBAAiB;AACxG,MAAI,mBAAmB,WAAW,EAAG,QAAO;AAC5C,SAAO;;CAGT,IAAW,wBAAwB;AACjC,SAAO,IAAI,WAAW,KAAK,mBAAmB,QAAQ;;CAGxD,IAAW,0BAA0B;AAEnC,SADY,KAAK,sBAA4D,qBAAqB,EACtF,SAAS,MAAM,EAAE,MAAM,SAAS,EAAE,CAAC,CAAC,KAAK,OAAO;GAAE,MAAM,EAAE;GAAM,OAAO,EAAE;GAAO,EAAE,IAAI,EAAE;;CAGtG,IAAW,cAAc;AACvB,SAAO,KAAK,wBAAwB,QAAQ,QAAQ,IAAI,SAAS,MAAM,CAAC,KAAK,QAAQ,IAAI,MAAM;;CAGjG,IAAW,cAAc;AACvB,SAAO,KAAK,wBAAwB,QAAQ,QAAQ,IAAI,SAAS,MAAM,CAAC,KAAK,QAAQ,IAAI,MAAM;;CAGjG,IAAW,uBAAuB;EAChC,MAAM,SAAS,KAAK,sBAA0D,2BAA2B,EAAE,KACxG,MAAM,EAAE,MACV;AAED,MAAI,UAAU,OAAO,SAAS,EAC5B,OAAM,IAAI,UAAU,mDAAmD;AAGzE,SAAO,SAAS;;CAGlB,IAAW,WAAW;EACpB,MAAM,YAAY,KAAK,sBAA+C,eAAe,EAAE,KAAK,MAAM,EAAE,OAAO;AAE3G,MAAI,aAAa,UAAU,SAAS,EAClC,OAAM,IAAI,UAAU,sCAAsC;AAG5D,MAAI,aAAa,UAAU,SAAS,EAClC,QAAO,OAAO,OAAO,aAAa,CAC/B,QAAQ,QAAuB,OAAO,QAAQ,SAAS,CACvD,QAAQ,eAAe,UAAU,KAAK,eAAe,UAAU,CAC/D,KAAK,cAAc,UAA0B;AAGlD,SAAO,EAAE;;CAGX,IAAW,mBAAmB;EAC5B,MAAM,oBAAoB,KAAK,sBAAsD,kBAAkB,EAAE,KACtG,MAAM,EAAE,OACV;AAED,MAAI,qBAAqB,kBAAkB,SAAS,EAClD,OAAM,IAAI,UAAU,+CAA+C;AAGrE,SAAQ,oBAAoB,MAAkD,EAAE;;CAGlF,AAAO,oBAAoB,IAAqB;EAC9C,MAAM,YAAY,KAAK,sBAAsB,GAAG;AAChD,MAAI,CAAC,UACH,OAAM,IAAI,UAAU,sBAAsB,GAAG,gBAAgB;AAG/D,SAAO,CAAC,CAAC,UAAU,GAAG;;CAGxB,aAAoB,OAAO,SAAqD,WAA2B;EACzG,MAAM,aAAa,IAAI,kBACrB,QAAQ,kBACR,8BAA8B,QAAQ,iBAAiB,EACvD,OACA,WACA,CAAC,OAAO,CACT;EACD,MAAM,YAAY,IAAI,kBACpB,QAAQ,kBACR,8BAA8B,QAAQ,iBAAiB,EACvD,MACA,UACA,CAAC,SAAS,CACX;EAED,MAAMA,aAAgD,EAAE;AACxD,aAAW,KACT,oCAAoC,QAAQ,YAAY,sBAAsB,EAC5E,WAAW,QAAQ,kBACpB,CAAC,CACH;AACD,aAAW,KAAK,yBAAyB,QAAQ,YAAY,SAAS,CAAC;AACvE,aAAW,KAAK,iCAAiC,QAAQ,YAAY,iBAAiB,CAAC;AACvF,aAAW,KAAK,sCAAsC,QAAQ,YAAY,uBAAuB,CAAC;EAElG,MAAM,cAAc,YAAY,QAAQ,QAAQ;EAGhD,MAAM,eAAe,QAAQ,iBAAiB;EAC9C,MAAM,mBAAmB,4BAA4B,aAAa;EAElE,MAAM,MAAM,MAAM,KAAK,kCAAkC,OACvD;GACE,MAAM;IAAE;IAAW,YAAY;IAAY;GAC3C,MAAM;GACN;GACA,YAAY,WAAW,QAAQ,MAAM,MAAM,OAAU;GACtD,EACD,UACD;EAED,MAAM,cAAc,0BAA0B,wBAAwB,IAAI;AAC1E,MAAI,QAAQ,iBAAiB,SAAU,aAAY,UAAU,QAAQ,QAAQ,iBAAiB;AAC9F,SAAO;;CAGT,IAAW,UAAU;AACnB,SAAO,KAAK,mBAAmB;;CAGjC,IAAW,cAAc;AACvB,SAAO,KAAK,mBAAmB,YAAY,UAAU;;CAGvD,MAAa,OAAO,WAA2B;AAG7C,MAAI,CAFY,MAAM,KAAK,mBAAmB,OAAO,UAAU,CAG7D,OAAM,IAAI,UACR,oCAAoC,KAAK,mBAAmB,QAAQ,4BACrE;;;;;CAOL,IAAW,OAAO;AAChB,SAAO;GACL,aAAa,KAAK,mBAAmB,YAAY,UAAU;GAC3D,SAAS,KAAK,mBAAmB;GACjC,KAAK,KAAK,mBAAmB,UAAU;GACxC;;CAGH,AAAO,oBAAoB,OAAe;AACxC,SAAO,KAAK,mBAAmB,YAAY,SAAS,MAAM;;;;;CAM5D,AAAO,SAAS,QAAkE;AAChF,SAAO,KAAK,mBAAmB,SAAS,UAAU,MAAM;;CAG1D,AAAO,MAAM,oBAA+C;EAC1D,MAAM,cAAc,IAAI,KAAK,yBAAyB,mBAAmB,sBAAsB;AAE/F,SAAO,KAAK,mBAAmB,MAAM,YAAY"}

package/build/modules/x509/X509Api.d.mts CHANGED Viewed

@@ -1,5 +1,6 @@
-import { X509CreateCertificateOptions, X509ValidateCertificateChainOptions } from "./X509ServiceOptions.mjs";
+import { X509CreateCertificateOptions, X509CreateCertificateSigningRequestOptions, X509ParseCertificateSigningRequestOptions, X509ValidateCertificateChainOptions } from "./X509ServiceOptions.mjs";
 import { X509Certificate } from "./X509Certificate.mjs";
+import { CertificateSigningRequest } from "./CertificateSigningRequest.mjs";
 import { X509ModuleConfig } from "./X509ModuleConfig.mjs";
 import { AgentContext } from "../../agent/context/AgentContext.mjs";
 import "../../agent/index.mjs";
@@ -18,6 +19,8 @@ declare class X509Api {
    * @param options X509CreateCertificateOptions
    */
   createCertificate(options: X509CreateCertificateOptions): Promise<X509Certificate>;
+  createCertificateSigningRequest(options: X509CreateCertificateSigningRequestOptions): Promise<CertificateSigningRequest>;
+  parseCertificateSigningRequest(options: X509ParseCertificateSigningRequestOptions): CertificateSigningRequest;
   /**
    * Validate a certificate chain.
    *

package/build/modules/x509/X509Api.d.mts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"X509Api.d.mts","names":[],"sources":["../../../src/modules/x509/X509Api.ts"],"sourcesContent":[],"mappings":"~~;;;;;;;;;;cAWa~~,OAAA;;UAGM;EAHN,~~WAAO~~,CAAA,~~YAAA~~,~~EAEM~~,~~YAFN~~,EAAA,~~MAAA~~,~~EAGD~~,~~gBAHC~~;~~EAGD;;;;;EAQmD~~,~~iBAAA,~~CAAA,OAAA,~~EAA5B~~,~~4BAA4B~~,CAAA,~~EAAA~~,OAAA,CAAA,~~eAAA~~,~~CAAA~~;~~EASrB~~;;;;;~~oCAAA~~,~~sCAAmC~~,~~QAAA~~,eAAA"}
1	+ {"version":3,"file":"X509Api.d.mts","names":[],"sources":["../../../src/modules/x509/X509Api.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;cAgBa,OAAA;;UAGM;4BADO,sBACP;EAHN;;;;;EAWyD,iBAAA,CAAA,OAAA,EAA5B,4BAA4B,CAAA,EAAA,OAAA,CAAA,eAAA,CAAA;EAAA,+BAAA,CAAA,OAAA,EAId,0CAJc,CAAA,EAI4B,OAJ5B,CAI4B,yBAAA,CAJ5B;EAId,8BAAA,CAAA,OAAA,EAIP,yCAJO,CAAA,EAIkC,yBAJlC;EAA0C;;;;;EAad,wBAAA,CAAA,OAAA,EAAnC,mCAAmC,CAAA,EAAA,OAAA,CAAA,eAAA,EAAA,CAAA"}

package/build/modules/x509/X509Api.mjs CHANGED Viewed

@@ -23,6 +23,12 @@ let X509Api = class X509Api$1 {
 	async createCertificate(options) {
 		return await X509Service.createCertificate(this.agentContext, options);
 	}
+	async createCertificateSigningRequest(options) {
+		return await X509Service.createCertificateSigningRequest(this.agentContext, options);
+	}
+	parseCertificateSigningRequest(options) {
+		return X509Service.parseCertificateSigningRequest(options);
+	}
 	/**
 	* Validate a certificate chain.
 	*

package/build/modules/x509/X509Api.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"X509Api.mjs","names":["X509Api","agentContext: AgentContext","config: X509ModuleConfig"],"sources":["../../../src/modules/x509/X509Api.ts"],"sourcesContent":["import { AgentContext } from '../../agent'\nimport { injectable } from '../../plugins'\n\nimport { X509ModuleConfig } from './X509ModuleConfig'\nimport { X509Service } from './X509Service'\nimport type { X509CreateCertificateOptions, X509ValidateCertificateChainOptions } from './X509ServiceOptions'\n\n/*\n @public\n /\n@injectable()\nexport class X509Api {\n public constructor(\n private agentContext: AgentContext,\n public config: X509ModuleConfig\n ) {}\n\n /\n Creates a X.509 certificate.\n \n @param options X509CreateCertificateOptions\n /\n public async createCertificate(options: X509CreateCertificateOptions) {\n return await X509Service.createCertificate(this.agentContext, options)\n }\n\n /\n Validate a certificate chain.\n \n @param options X509ValidateCertificateChainOptions\n */\n public async validateCertificateChain(options: X509ValidateCertificateChainOptions) {\n return await X509Service.validateCertificateChain(this.agentContext, options)\n }\n}\n"],"mappings":";;;;;;;;;;;;~~AAWO~~,oBAAMA,UAAQ;CACnB,AAAO,YACL,AAAQC,cACR,AAAOC,QACP;EAFQ;EACD;;;;;;;CAQT,MAAa,kBAAkB,SAAuC;AACpE,SAAO,MAAM,YAAY,kBAAkB,KAAK,cAAc,QAAQ;;;;;;;~~CAQxE~~,MAAa,yBAAyB,SAA8C;AAClF,SAAO,MAAM,YAAY,yBAAyB,KAAK,cAAc,QAAQ;;;~~sBAtBhF~~,YAAY"}
1	+ {"version":3,"file":"X509Api.mjs","names":["X509Api","agentContext: AgentContext","config: X509ModuleConfig"],"sources":["../../../src/modules/x509/X509Api.ts"],"sourcesContent":["import { AgentContext } from '../../agent'\nimport { injectable } from '../../plugins'\n\nimport { X509ModuleConfig } from './X509ModuleConfig'\nimport { X509Service } from './X509Service'\nimport type {\n X509CreateCertificateOptions,\n X509CreateCertificateSigningRequestOptions,\n X509ParseCertificateSigningRequestOptions,\n X509ValidateCertificateChainOptions,\n} from './X509ServiceOptions'\n\n/*\n @public\n /\n@injectable()\nexport class X509Api {\n public constructor(\n private agentContext: AgentContext,\n public config: X509ModuleConfig\n ) {}\n\n /\n Creates a X.509 certificate.\n \n @param options X509CreateCertificateOptions\n /\n public async createCertificate(options: X509CreateCertificateOptions) {\n return await X509Service.createCertificate(this.agentContext, options)\n }\n\n public async createCertificateSigningRequest(options: X509CreateCertificateSigningRequestOptions) {\n return await X509Service.createCertificateSigningRequest(this.agentContext, options)\n }\n\n public parseCertificateSigningRequest(options: X509ParseCertificateSigningRequestOptions) {\n return X509Service.parseCertificateSigningRequest(options)\n }\n\n /\n Validate a certificate chain.\n \n @param options X509ValidateCertificateChainOptions\n */\n public async validateCertificateChain(options: X509ValidateCertificateChainOptions) {\n return await X509Service.validateCertificateChain(this.agentContext, options)\n }\n}\n"],"mappings":";;;;;;;;;;;;AAgBO,oBAAMA,UAAQ;CACnB,AAAO,YACL,AAAQC,cACR,AAAOC,QACP;EAFQ;EACD;;;;;;;CAQT,MAAa,kBAAkB,SAAuC;AACpE,SAAO,MAAM,YAAY,kBAAkB,KAAK,cAAc,QAAQ;;CAGxE,MAAa,gCAAgC,SAAqD;AAChG,SAAO,MAAM,YAAY,gCAAgC,KAAK,cAAc,QAAQ;;CAGtF,AAAO,+BAA+B,SAAoD;AACxF,SAAO,YAAY,+BAA+B,QAAQ;;;;;;;CAQ5D,MAAa,yBAAyB,SAA8C;AAClF,SAAO,MAAM,YAAY,yBAAyB,KAAK,cAAc,QAAQ;;;sBA9BhF,YAAY"}

package/build/modules/x509/X509Certificate.d.mts CHANGED Viewed

@@ -62,7 +62,7 @@ declare class X509Certificate {
   get authorityKeyIdentifier(): string | undefined;
   get subjectKeyIdentifier(): string | undefined;
   get keyUsage(): X509KeyUsage[] | undefined;
-  get extendedKeyUsage(): X509ExtendedKeyUsage | undefined;
+  get extendedKeyUsage(): X509ExtendedKeyUsage[];
   isExtensionCritical(id: string): boolean;
   static create(options: X509CreateCertificateOptions, webCrypto: CredoWebCrypto): Promise<X509Certificate>;
   get subject(): string;
@@ -79,7 +79,7 @@ declare class X509Certificate {
      * as whether the certificate is not expired).
      *
      * This can be useful when an non-self-signed certificate is directly trusted, and it may
-     * not be possible to verify the certifcate as the root/intermediate certificate containing
+     * not be possible to verify the certificate as the root/intermediate certificate containing
      * the key of the signer/intermediate is not present.
      *
      * @default false
@@ -87,9 +87,9 @@ declare class X509Certificate {
     skipSignatureVerification?: boolean;
   }, webCrypto: CredoWebCrypto): Promise<void>;
   /**
-   * Get the thumprint of the X509 certificate in hex format.
+   * Get the thumbprint of the X509 certificate in hex format.
    */
-  getThumprintInHex(agentContext: AgentContext): Promise<string>;
+  getThumbprintInHex(agentContext: AgentContext): Promise<string>;
   /**
    * Get the data elements of the x509 certificate
    */

package/build/modules/x509/X509Certificate.d.mts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"X509Certificate.d.mts","names":[],"sources":["../../../src/modules/x509/X509Certificate.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;aA+BY,YAAA;;;;;;;EAAA,OAAA,GAAA,EAAA;EAYA,YAAA,GAAA,GAAA;EAUA,YAAA,GAAA,GAAA;;AAEG,aAZH,oBAAA;EAaO,UAAK,GAAA,mBAAA;EAAe,UAAA,GAAA,mBAAA;EAG1B,WAAA,GAAA,mBAAe;EACR,eAAA,GAAA,mBAAA;EACE,YAAA,GAAA,mBAAA;EAqB6B,WAAA,GAAA,mBAAA;EAAgB,KAAA,GAAA,iBAAA;;AA2BxC,KAxDf,sBAAA,GAwDe;EAAA,SAAA,EAvDd,SAuDc;eAtDZ;mBACI,IAAA,CAAK;CA4GH;~~AAwBgB~~,~~cAjIxB~~,eAAA,~~CAiIwB~~;~~EAYC~~,SAAA,EA5IlB,SA4IkB;EAAyC,UAAA,CAAA,EA3IzD,aA2IyD;EAAc,QAAA,eAAA;EAAA,QAAA,WAAA,CAAA;EA6FvF,IAAA,KAAA,CAAA,KAAA,EAAA,MAAA;EACA,IAAA,KAAA,CAAA,CAAA,EAAA,MAAA;EACA,IAAA,QAAA,CAAA,CAAA,EAAA,OAAA;EAEkB,OAAA,kBAAA,CAAA,cAAA,EAvN2B,aAuN3B,CAAA,EAvN2C,eAuN3C;EACN,OAAA,sBAAA,CAAA,kBAAA,EAAA,MAAA,CAAA,EAnNkD,eAmNlD;EAcH,eAAA,gBAAA;EAAc,QAAA,qBAAA;~~EAiCkB~~,IAAA,cAAA,CAAA,CAAA,~~EA5OpB~~,~~UA4OoB~~,~~CA5OpB~~,~~WA4OoB~~,CAAA;EAAY,IAAA,uBAAA,CAAA,CAAA,EAAA;;;~~EAkC/B~~,CAAA,EAAA;EAAe,IAAA,sBAAA,CAAA,CAAA,EAAA;;;;;;;;;;kBAvNtB;~~0BAwBgB~~;;~~yBAYC~~,yCAAyC,iBAAc,QAAA;;;;;;;;sBAiGrE;gBACN;;;;;;;;;;;;gBAcH,iBAAc;;;;~~kCAiCkB~~,eAAY;;;;;;;;;;;;;;;;;;;~~qBAkC/B~~"}
1	+ {"version":3,"file":"X509Certificate.d.mts","names":[],"sources":["../../../src/modules/x509/X509Certificate.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;aA+BY,YAAA;;;;;;;EAAA,OAAA,GAAA,EAAA;EAYA,YAAA,GAAA,GAAA;EAUA,YAAA,GAAA,GAAA;;AAEG,aAZH,oBAAA;EAaO,UAAK,GAAA,mBAAA;EAAe,UAAA,GAAA,mBAAA;EAG1B,WAAA,GAAA,mBAAe;EACR,eAAA,GAAA,mBAAA;EACE,YAAA,GAAA,mBAAA;EAqB6B,WAAA,GAAA,mBAAA;EAAgB,KAAA,GAAA,iBAAA;;AA2BxC,KAxDf,sBAAA,GAwDe;EAAA,SAAA,EAvDd,SAuDc;eAtDZ;mBACI,IAAA,CAAK;CA4GH;AAeQ,cAxHhB,eAAA,CAwHgB;EAqBS,SAAA,EA5IlB,SA4IkB;EAAyC,UAAA,CAAA,EA3IzD,aA2IyD;EAAc,QAAA,eAAA;EAAA,QAAA,WAAA,CAAA;EA6FvF,IAAA,KAAA,CAAA,KAAA,EAAA,MAAA;EACA,IAAA,KAAA,CAAA,CAAA,EAAA,MAAA;EACA,IAAA,QAAA,CAAA,CAAA,EAAA,OAAA;EAEkB,OAAA,kBAAA,CAAA,cAAA,EAvN2B,aAuN3B,CAAA,EAvN2C,eAuN3C;EACN,OAAA,sBAAA,CAAA,kBAAA,EAAA,MAAA,CAAA,EAnNkD,eAmNlD;EAcH,eAAA,gBAAA;EAAc,QAAA,qBAAA;EAiCmB,IAAA,cAAA,CAAA,CAAA,EA5OrB,UA4OqB,CA5OrB,WA4OqB,CAAA;EAAY,IAAA,uBAAA,CAAA,CAAA,EAAA;;;EAkChC,CAAA,EAAA;EAAe,IAAA,sBAAA,CAAA,CAAA,EAAA;;;;;;;;;;kBAvNtB;0BAeQ;;yBAqBS,yCAAyC,iBAAc,QAAA;;;;;;;;sBAiGrE;gBACN;;;;;;;;;;;;gBAcH,iBAAc;;;;mCAiCmB,eAAY;;;;;;;;;;;;;;;;;;;qBAkChC"}

package/build/modules/x509/X509Certificate.mjs CHANGED Viewed

@@ -120,7 +120,7 @@ var X509Certificate = class X509Certificate {
 	get extendedKeyUsage() {
 		const extendedKeyUsages = this.getMatchingExtensions(id_ce_extKeyUsage)?.map((e) => e.usages);
 		if (extendedKeyUsages && extendedKeyUsages.length > 1) throw new X509Error("Multiple Key Usages are not allowed");
-		return extendedKeyUsages?.[0];
+		return extendedKeyUsages?.[0] ?? [];
 	}
 	isExtensionCritical(id) {
 		const extension = this.getMatchingExtensions(id);
@@ -195,9 +195,9 @@ var X509Certificate = class X509Certificate {
 		if (!isNotAfterValid) throw new X509Error(`Certificate: '${this.x509Certificate.subject}' used after it is allowed`);
 	}
 	/**
-	* Get the thumprint of the X509 certificate in hex format.
+	* Get the thumbprint of the X509 certificate in hex format.
 	*/
-	async getThumprintInHex(agentContext) {
+	async getThumbprintInHex(agentContext) {
 		const thumbprint = await this.x509Certificate.getThumbprint(new CredoWebCrypto(agentContext));
 		return TypedArrayEncoder.toHex(new Uint8Array(thumbprint));
 	}

package/build/modules/x509/X509Certificate.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"X509Certificate.mjs","names":["extensions: Array<x509.Extension \| undefined>","certificate","certificateInstance","publicCryptoKey: CredoWebCryptoKey \| undefined"],"sources":["../../../src/modules/x509/X509Certificate.ts"],"sourcesContent":["import { AsnParser } from '@peculiar/asn1-schema'\nimport {\n id_ce_authorityKeyIdentifier,\n id_ce_extKeyUsage,\n id_ce_issuerAltName,\n id_ce_keyUsage,\n id_ce_subjectAltName,\n id_ce_subjectKeyIdentifier,\n SubjectPublicKeyInfo,\n} from '@peculiar/asn1-x509'\nimport * as x509 from '@peculiar/x509'\nimport type { AgentContext } from '../../agent'\nimport { CredoWebCrypto, CredoWebCryptoKey } from '../../crypto/webcrypto'\nimport { publicJwkToCryptoKeyAlgorithm, spkiToPublicJwk } from '../../crypto/webcrypto/utils'\nimport type { AnyUint8Array } from '../../types'\nimport { TypedArrayEncoder } from '../../utils'\nimport { asymmetricPublicJwkMatches, PublicJwk } from '../kms'\nimport {\n convertName,\n createAuthorityKeyIdentifierExtension,\n createBasicConstraintsExtension,\n createCrlDistributionPointsExtension,\n createExtendedKeyUsagesExtension,\n createIssuerAlternativeNameExtension,\n createKeyUsagesExtension,\n createSubjectAlternativeNameExtension,\n createSubjectKeyIdentifierExtension,\n} from './utils'\nimport { X509Error } from './X509Error'\nimport type { X509CreateCertificateOptions } from './X509ServiceOptions'\n\nexport enum X509KeyUsage {\n DigitalSignature = 1,\n NonRepudiation = 2,\n KeyEncipherment = 4,\n DataEncipherment = 8,\n KeyAgreement = 16,\n KeyCertSign = 32,\n CrlSign = 64,\n EncipherOnly = 128,\n DecipherOnly = 256,\n}\n\nexport enum X509ExtendedKeyUsage {\n ServerAuth = '1.3.6.1.5.5.7.3.1',\n ClientAuth = '1.3.6.1.5.5.7.3.2',\n CodeSigning = '1.3.6.1.5.5.7.3.3',\n EmailProtection = '1.3.6.1.5.5.7.3.4',\n TimeStamping = '1.3.6.1.5.5.7.3.8',\n OcspSigning = '1.3.6.1.5.5.7.3.9',\n MdlDs = '1.0.18013.5.1.2',\n}\n\nexport type X509CertificateOptions = {\n publicJwk: PublicJwk\n privateKey?: AnyUint8Array\n x509Certificate: x509.X509Certificate\n}\n\nexport class X509Certificate {\n public publicJwk: PublicJwk\n public privateKey?: AnyUint8Array\n private x509Certificate: x509.X509Certificate\n\n private constructor(options: X509CertificateOptions) {\n this.publicJwk = options.publicJwk\n this.privateKey = options.privateKey\n this.x509Certificate = options.x509Certificate\n }\n\n public set keyId(keyId: string) {\n this.publicJwk.keyId = keyId\n }\n\n public get keyId(): string {\n return this.publicJwk.keyId\n }\n\n public get hasKeyId(): boolean {\n return this.publicJwk.hasKeyId\n }\n\n public static fromRawCertificate(rawCertificate: AnyUint8Array): X509Certificate {\n const certificate = new x509.X509Certificate(rawCertificate)\n return X509Certificate.parseCertificate(certificate)\n }\n\n public static fromEncodedCertificate(encodedCertificate: string): X509Certificate {\n const certificate = new x509.X509Certificate(encodedCertificate)\n return X509Certificate.parseCertificate(certificate)\n }\n\n private static parseCertificate(certificate: x509.X509Certificate): X509Certificate {\n const spki = AsnParser.parse(certificate.publicKey.rawData, SubjectPublicKeyInfo)\n const privateKey = certificate.privateKey ? new Uint8Array(certificate.privateKey.rawData) : undefined\n\n const publicJwk = spkiToPublicJwk(spki)\n\n return new X509Certificate({\n publicJwk,\n privateKey,\n x509Certificate: certificate,\n })\n }\n\n private getMatchingExtensions<T = { critical: boolean }>(objectIdentifier: string): Array<T> \| undefined {\n return this.x509Certificate.extensions.filter((e) => e.type === objectIdentifier) as Array<T> \| undefined\n }\n\n public get rawCertificate() {\n return new Uint8Array(this.x509Certificate.rawData)\n }\n\n public get subjectAlternativeNames() {\n const san = this.getMatchingExtensions<x509.SubjectAlternativeNameExtension>(id_ce_subjectAltName)\n return san?.flatMap((s) => s.names.items).map((i) => ({ type: i.type, value: i.value })) ?? []\n }\n\n public get issuerAlternativeNames() {\n const ian = this.getMatchingExtensions<x509.IssuerAlternativeNameExtension>(id_ce_issuerAltName)\n return ian?.flatMap((i) => i.names.items).map((i) => ({ type: i.type, value: i.value })) ?? []\n }\n\n public get sanDnsNames() {\n return this.subjectAlternativeNames.filter((san) => san.type === 'dns').map((san) => san.value)\n }\n\n public get sanUriNames() {\n return this.subjectAlternativeNames.filter((ian) => ian.type === 'url').map((ian) => ian.value)\n }\n\n public get ianDnsNames() {\n return this.issuerAlternativeNames.filter((san) => san.type === 'dns').map((san) => san.value)\n }\n\n public get ianUriNames() {\n return this.issuerAlternativeNames.filter((ian) => ian.type === 'url').map((ian) => ian.value)\n }\n\n public get authorityKeyIdentifier() {\n const keyIds = this.getMatchingExtensions<x509.AuthorityKeyIdentifierExtension>(id_ce_authorityKeyIdentifier)?.map(\n (e) => e.keyId\n )\n\n if (keyIds && keyIds.length > 1) {\n throw new X509Error('Multiple Authority Key Identifiers are not allowed')\n }\n\n return keyIds?.[0]\n }\n\n public get subjectKeyIdentifier() {\n const keyIds = this.getMatchingExtensions<x509.SubjectKeyIdentifierExtension>(id_ce_subjectKeyIdentifier)?.map(\n (e) => e.keyId\n )\n\n if (keyIds && keyIds.length > 1) {\n throw new X509Error('Multiple Subject Key Identifiers are not allowed')\n }\n\n return keyIds?.[0]\n }\n\n // biome-ignore lint/suspicious/useGetterReturn: no explanation\n public get keyUsage() {\n const keyUsages = this.getMatchingExtensions<x509.KeyUsagesExtension>(id_ce_keyUsage)?.map((e) => e.usages)\n\n if (keyUsages && keyUsages.length > 1) {\n throw new X509Error('Multiple Key Usages are not allowed')\n }\n\n if (keyUsages) {\n return Object.values(X509KeyUsage)\n .filter((key): key is number => typeof key === 'number')\n .filter((flagValue) => (keyUsages[0] & flagValue) === flagValue)\n .map((flagValue) => flagValue as X509KeyUsage)\n }\n }\n\n public get extendedKeyUsage() {\n const extendedKeyUsages = this.getMatchingExtensions<x509.ExtendedKeyUsageExtension>(id_ce_extKeyUsage)?.map(\n (e) => e.usages\n )\n\n if (extendedKeyUsages && extendedKeyUsages.length > 1) {\n throw new X509Error('Multiple Key Usages are not allowed')\n }\n\n return extendedKeyUsages?.[0] as X509ExtendedKeyUsage \| undefined\n }\n\n public isExtensionCritical(id: string): boolean {\n const extension = this.getMatchingExtensions(id)\n if (!extension) {\n throw new X509Error(`extension with id '${id}' is not found`)\n }\n\n return !!extension[0].critical\n }\n\n public static async create(options: X509CreateCertificateOptions, webCrypto: CredoWebCrypto) {\n const subjectPublicKey = options.subjectPublicKey ?? options.authorityKey\n const isSelfSignedCertificate = asymmetricPublicJwkMatches(options.authorityKey.toJson(), subjectPublicKey.toJson())\n\n const signingKey = new CredoWebCryptoKey(\n options.authorityKey,\n publicJwkToCryptoKeyAlgorithm(options.authorityKey),\n false,\n 'private',\n ['sign']\n )\n const publicKey = new CredoWebCryptoKey(\n subjectPublicKey,\n publicJwkToCryptoKeyAlgorithm(options.authorityKey),\n true,\n 'public',\n ['verify']\n )\n\n const issuerName = convertName(options.issuer)\n\n const extensions: Array<x509.Extension \| undefined> = []\n extensions.push(\n createSubjectKeyIdentifierExtension(options.extensions?.subjectKeyIdentifier, { publicJwk: subjectPublicKey })\n )\n extensions.push(createKeyUsagesExtension(options.extensions?.keyUsage))\n extensions.push(createExtendedKeyUsagesExtension(options.extensions?.extendedKeyUsage))\n extensions.push(\n createAuthorityKeyIdentifierExtension(options.extensions?.authorityKeyIdentifier, {\n publicJwk: options.authorityKey,\n })\n )\n extensions.push(createIssuerAlternativeNameExtension(options.extensions?.issuerAlternativeName))\n extensions.push(createSubjectAlternativeNameExtension(options.extensions?.subjectAlternativeName))\n extensions.push(createBasicConstraintsExtension(options.extensions?.basicConstraints))\n extensions.push(createCrlDistributionPointsExtension(options.extensions?.crlDistributionPoints))\n\n if (isSelfSignedCertificate) {\n if (options.subject) {\n throw new X509Error('Do not provide a subject name when the certificate is supposed to be self signed')\n }\n\n const certificate = await x509.X509CertificateGenerator.createSelfSigned(\n {\n keys: { publicKey, privateKey: signingKey },\n name: issuerName,\n notBefore: options.validity?.notBefore,\n notAfter: options.validity?.notAfter,\n extensions: extensions.filter((e) => e !== undefined),\n serialNumber: options.serialNumber,\n },\n webCrypto\n )\n\n const certificateInstance = X509Certificate.parseCertificate(certificate)\n if (subjectPublicKey.hasKeyId) certificateInstance.publicJwk.keyId = subjectPublicKey.keyId\n return certificateInstance\n }\n\n if (!options.subject) {\n throw new X509Error('Provide a subject name when the certificate is not supposed to be self signed')\n }\n\n const subjectName = convertName(options.subject)\n\n const certificate = await x509.X509CertificateGenerator.create(\n {\n signingKey,\n publicKey,\n issuer: issuerName,\n subject: subjectName,\n notBefore: options.validity?.notBefore,\n notAfter: options.validity?.notAfter,\n extensions: extensions.filter((e) => e !== undefined),\n },\n webCrypto\n )\n\n const certificateInstance = X509Certificate.parseCertificate(certificate)\n if (subjectPublicKey.hasKeyId) certificateInstance.publicJwk.keyId = subjectPublicKey.keyId\n return certificateInstance\n }\n\n public get subject() {\n return this.x509Certificate.subject\n }\n\n public get issuer() {\n return this.x509Certificate.issuer\n }\n\n public async verify(\n {\n verificationDate = new Date(),\n publicJwk,\n skipSignatureVerification = false,\n }: {\n verificationDate: Date\n publicJwk?: PublicJwk\n\n /*\n Whether to skip the verification of the signature and only perform other checks (such\n * as whether the certificate is not expired).\n \n This can be useful when an non-self-signed certificate is directly trusted, and it may\n * not be possible to verify the certifcate as the root/intermediate certificate containing\n * the key of the signer/intermediate is not present.\n \n @default false\n /\n skipSignatureVerification?: boolean\n },\n webCrypto: CredoWebCrypto\n ) {\n let publicCryptoKey: CredoWebCryptoKey \| undefined\n if (publicJwk) {\n const cryptoKeyAlgorithm = publicJwkToCryptoKeyAlgorithm(publicJwk)\n publicCryptoKey = new CredoWebCryptoKey(publicJwk, cryptoKeyAlgorithm, true, 'public', ['verify'])\n }\n\n // We use the library to validate the signature, but the date is manually verified\n const isSignatureValid = skipSignatureVerification\n ? true\n : await this.x509Certificate.verify({ signatureOnly: true, publicKey: publicCryptoKey }, webCrypto)\n const time = verificationDate.getTime()\n\n const isNotBeforeValid = this.x509Certificate.notBefore.getTime() <= time\n const isNotAfterValid = time <= this.x509Certificate.notAfter.getTime()\n\n if (!isSignatureValid) {\n throw new X509Error(`Certificate: '${this.x509Certificate.subject}' has an invalid signature`)\n }\n\n if (!isNotBeforeValid) {\n throw new X509Error(`Certificate: '${this.x509Certificate.subject}' used before it is allowed`)\n }\n\n if (!isNotAfterValid) {\n throw new X509Error(`Certificate: '${this.x509Certificate.subject}' used after it is allowed`)\n }\n }\n\n /\n Get the thumprint of the X509 certificate in hex format.\n /\n public async getThumprintInHex(agentContext: AgentContext) {\n const thumbprint = await this.x509Certificate.getThumbprint(new CredoWebCrypto(agentContext))\n const thumbprintHex = TypedArrayEncoder.toHex(new Uint8Array(thumbprint))\n\n return thumbprintHex\n }\n\n /\n Get the data elements of the x509 certificate\n /\n public get data() {\n return {\n issuerName: this.x509Certificate.issuerName.toString(),\n issuer: this.x509Certificate.issuer,\n subjectName: this.x509Certificate.subjectName.toString(),\n subject: this.x509Certificate.subject,\n serialNumber: this.x509Certificate.serialNumber,\n pem: this.x509Certificate.toString(),\n notBefore: this.x509Certificate.notBefore,\n notAfter: this.x509Certificate.notAfter,\n }\n }\n\n public getIssuerNameField(field: string) {\n return this.x509Certificate.issuerName.getField(field)\n }\n\n /\n @param format the format to export to, defaults to `pem`\n */\n public toString(format?: 'asn' \| 'pem' \| 'hex' \| 'base64' \| 'text' \| 'base64url') {\n return this.x509Certificate.toString(format ?? 'pem')\n }\n\n public equal(certificate: X509Certificate) {\n const parsedOther = new x509.X509Certificate(certificate.rawCertificate)\n\n return this.x509Certificate.equal(parsedOther)\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AA+BA,IAAY,wDAAL;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;AAGF,IAAY,wEAAL;AACL;AACA;AACA;AACA;AACA;AACA;AACA;;;AASF,IAAa,kBAAb,MAAa,gBAAgB;CAK3B,AAAQ,YAAY,SAAiC;AACnD,OAAK,YAAY,QAAQ;AACzB,OAAK,aAAa,QAAQ;AAC1B,OAAK,kBAAkB,QAAQ;;CAGjC,IAAW,MAAM,OAAe;AAC9B,OAAK,UAAU,QAAQ;;CAGzB,IAAW,QAAgB;AACzB,SAAO,KAAK,UAAU;;CAGxB,IAAW,WAAoB;AAC7B,SAAO,KAAK,UAAU;;CAGxB,OAAc,mBAAmB,gBAAgD;EAC/E,MAAM,cAAc,IAAI,KAAK,gBAAgB,eAAe;AAC5D,SAAO,gBAAgB,iBAAiB,YAAY;;CAGtD,OAAc,uBAAuB,oBAA6C;EAChF,MAAM,cAAc,IAAI,KAAK,gBAAgB,mBAAmB;AAChE,SAAO,gBAAgB,iBAAiB,YAAY;;CAGtD,OAAe,iBAAiB,aAAoD;EAClF,MAAM,OAAO,UAAU,MAAM,YAAY,UAAU,SAAS,qBAAqB;EACjF,MAAM,aAAa,YAAY,aAAa,IAAI,WAAW,YAAY,WAAW,QAAQ,GAAG;AAI7F,SAAO,IAAI,gBAAgB;GACzB,WAHgB,gBAAgB,KAAK;GAIrC;GACA,iBAAiB;GAClB,CAAC;;CAGJ,AAAQ,sBAAiD,kBAAgD;AACvG,SAAO,KAAK,gBAAgB,WAAW,QAAQ,MAAM,EAAE,SAAS,iBAAiB;;CAGnF,IAAW,iBAAiB;AAC1B,SAAO,IAAI,WAAW,KAAK,gBAAgB,QAAQ;;CAGrD,IAAW,0BAA0B;AAEnC,SADY,KAAK,sBAA4D,qBAAqB,EACtF,SAAS,MAAM,EAAE,MAAM,MAAM,CAAC,KAAK,OAAO;GAAE,MAAM,EAAE;GAAM,OAAO,EAAE;GAAO,EAAE,IAAI,EAAE;;CAGhG,IAAW,yBAAyB;AAElC,SADY,KAAK,sBAA2D,oBAAoB,EACpF,SAAS,MAAM,EAAE,MAAM,MAAM,CAAC,KAAK,OAAO;GAAE,MAAM,EAAE;GAAM,OAAO,EAAE;GAAO,EAAE,IAAI,EAAE;;CAGhG,IAAW,cAAc;AACvB,SAAO,KAAK,wBAAwB,QAAQ,QAAQ,IAAI,SAAS,MAAM,CAAC,KAAK,QAAQ,IAAI,MAAM;;CAGjG,IAAW,cAAc;AACvB,SAAO,KAAK,wBAAwB,QAAQ,QAAQ,IAAI,SAAS,MAAM,CAAC,KAAK,QAAQ,IAAI,MAAM;;CAGjG,IAAW,cAAc;AACvB,SAAO,KAAK,uBAAuB,QAAQ,QAAQ,IAAI,SAAS,MAAM,CAAC,KAAK,QAAQ,IAAI,MAAM;;CAGhG,IAAW,cAAc;AACvB,SAAO,KAAK,uBAAuB,QAAQ,QAAQ,IAAI,SAAS,MAAM,CAAC,KAAK,QAAQ,IAAI,MAAM;;CAGhG,IAAW,yBAAyB;EAClC,MAAM,SAAS,KAAK,sBAA4D,6BAA6B,EAAE,KAC5G,MAAM,EAAE,MACV;AAED,MAAI,UAAU,OAAO,SAAS,EAC5B,OAAM,IAAI,UAAU,qDAAqD;AAG3E,SAAO,SAAS;;CAGlB,IAAW,uBAAuB;EAChC,MAAM,SAAS,KAAK,sBAA0D,2BAA2B,EAAE,KACxG,MAAM,EAAE,MACV;AAED,MAAI,UAAU,OAAO,SAAS,EAC5B,OAAM,IAAI,UAAU,mDAAmD;AAGzE,SAAO,SAAS;;CAIlB,IAAW,WAAW;EACpB,MAAM,YAAY,KAAK,sBAA+C,eAAe,EAAE,KAAK,MAAM,EAAE,OAAO;AAE3G,MAAI,aAAa,UAAU,SAAS,EAClC,OAAM,IAAI,UAAU,sCAAsC;AAG5D,MAAI,UACF,QAAO,OAAO,OAAO,aAAa,CAC/B,QAAQ,QAAuB,OAAO,QAAQ,SAAS,CACvD,QAAQ,eAAe,UAAU,KAAK,eAAe,UAAU,CAC/D,KAAK,cAAc,UAA0B;;CAIpD,IAAW,mBAAmB;EAC5B,MAAM,oBAAoB,KAAK,sBAAsD,kBAAkB,EAAE,KACtG,MAAM,EAAE,OACV;AAED,MAAI,qBAAqB,kBAAkB,SAAS,EAClD,OAAM,IAAI,UAAU,sCAAsC;AAG5D,SAAO,oBAAoB;;CAG7B,AAAO,oBAAoB,IAAqB;EAC9C,MAAM,YAAY,KAAK,sBAAsB,GAAG;AAChD,MAAI,CAAC,UACH,OAAM,IAAI,UAAU,sBAAsB,GAAG,gBAAgB;AAG/D,SAAO,CAAC,CAAC,UAAU,GAAG;;CAGxB,aAAoB,OAAO,SAAuC,WAA2B;EAC3F,MAAM,mBAAmB,QAAQ,oBAAoB,QAAQ;EAC7D,MAAM,0BAA0B,2BAA2B,QAAQ,aAAa,QAAQ,EAAE,iBAAiB,QAAQ,CAAC;EAEpH,MAAM,aAAa,IAAI,kBACrB,QAAQ,cACR,8BAA8B,QAAQ,aAAa,EACnD,OACA,WACA,CAAC,OAAO,CACT;EACD,MAAM,YAAY,IAAI,kBACpB,kBACA,8BAA8B,QAAQ,aAAa,EACnD,MACA,UACA,CAAC,SAAS,CACX;EAED,MAAM,aAAa,YAAY,QAAQ,OAAO;EAE9C,MAAMA,aAAgD,EAAE;AACxD,aAAW,KACT,oCAAoC,QAAQ,YAAY,sBAAsB,EAAE,WAAW,kBAAkB,CAAC,CAC/G;AACD,aAAW,KAAK,yBAAyB,QAAQ,YAAY,SAAS,CAAC;AACvE,aAAW,KAAK,iCAAiC,QAAQ,YAAY,iBAAiB,CAAC;AACvF,aAAW,KACT,sCAAsC,QAAQ,YAAY,wBAAwB,EAChF,WAAW,QAAQ,cACpB,CAAC,CACH;AACD,aAAW,KAAK,qCAAqC,QAAQ,YAAY,sBAAsB,CAAC;AAChG,aAAW,KAAK,sCAAsC,QAAQ,YAAY,uBAAuB,CAAC;AAClG,aAAW,KAAK,gCAAgC,QAAQ,YAAY,iBAAiB,CAAC;AACtF,aAAW,KAAK,qCAAqC,QAAQ,YAAY,sBAAsB,CAAC;AAEhG,MAAI,yBAAyB;AAC3B,OAAI,QAAQ,QACV,OAAM,IAAI,UAAU,mFAAmF;GAGzG,MAAMC,gBAAc,MAAM,KAAK,yBAAyB,iBACtD;IACE,MAAM;KAAE;KAAW,YAAY;KAAY;IAC3C,MAAM;IACN,WAAW,QAAQ,UAAU;IAC7B,UAAU,QAAQ,UAAU;IAC5B,YAAY,WAAW,QAAQ,MAAM,MAAM,OAAU;IACrD,cAAc,QAAQ;IACvB,EACD,UACD;GAED,MAAMC,wBAAsB,gBAAgB,iBAAiBD,cAAY;AACzE,OAAI,iBAAiB,SAAU,uBAAoB,UAAU,QAAQ,iBAAiB;AACtF,UAAOC;;AAGT,MAAI,CAAC,QAAQ,QACX,OAAM,IAAI,UAAU,gFAAgF;EAGtG,MAAM,cAAc,YAAY,QAAQ,QAAQ;EAEhD,MAAM,cAAc,MAAM,KAAK,yBAAyB,OACtD;GACE;GACA;GACA,QAAQ;GACR,SAAS;GACT,WAAW,QAAQ,UAAU;GAC7B,UAAU,QAAQ,UAAU;GAC5B,YAAY,WAAW,QAAQ,MAAM,MAAM,OAAU;GACtD,EACD,UACD;EAED,MAAM,sBAAsB,gBAAgB,iBAAiB,YAAY;AACzE,MAAI,iBAAiB,SAAU,qBAAoB,UAAU,QAAQ,iBAAiB;AACtF,SAAO;;CAGT,IAAW,UAAU;AACnB,SAAO,KAAK,gBAAgB;;CAG9B,IAAW,SAAS;AAClB,SAAO,KAAK,gBAAgB;;CAG9B,MAAa,OACX,EACE,mCAAmB,IAAI,MAAM,EAC7B,WACA,4BAA4B,SAiB9B,WACA;EACA,IAAIC;AACJ,MAAI,UAEF,mBAAkB,IAAI,kBAAkB,WADb,8BAA8B,UAAU,EACI,MAAM,UAAU,CAAC,SAAS,CAAC;EAIpG,MAAM,mBAAmB,4BACrB,OACA,MAAM,KAAK,gBAAgB,OAAO;GAAE,eAAe;GAAM,WAAW;GAAiB,EAAE,UAAU;EACrG,MAAM,OAAO,iBAAiB,SAAS;EAEvC,MAAM,mBAAmB,KAAK,gBAAgB,UAAU,SAAS,IAAI;EACrE,MAAM,kBAAkB,QAAQ,KAAK,gBAAgB,SAAS,SAAS;AAEvE,MAAI,CAAC,iBACH,OAAM,IAAI,UAAU,iBAAiB,KAAK,gBAAgB,QAAQ,4BAA4B;AAGhG,MAAI,CAAC,iBACH,OAAM,IAAI,UAAU,iBAAiB,KAAK,gBAAgB,QAAQ,6BAA6B;AAGjG,MAAI,CAAC,gBACH,OAAM,IAAI,UAAU,iBAAiB,KAAK,gBAAgB,QAAQ,4BAA4B;;;;;CAOlG,MAAa,kBAAkB,cAA4B;EACzD,MAAM,aAAa,MAAM,KAAK,gBAAgB,cAAc,IAAI,eAAe,aAAa,CAAC;AAG7F,SAFsB,kBAAkB,MAAM,IAAI,WAAW,WAAW,CAAC;;;;;CAQ3E,IAAW,OAAO;AAChB,SAAO;GACL,YAAY,KAAK,gBAAgB,WAAW,UAAU;GACtD,QAAQ,KAAK,gBAAgB;GAC7B,aAAa,KAAK,gBAAgB,YAAY,UAAU;GACxD,SAAS,KAAK,gBAAgB;GAC9B,cAAc,KAAK,gBAAgB;GACnC,KAAK,KAAK,gBAAgB,UAAU;GACpC,WAAW,KAAK,gBAAgB;GAChC,UAAU,KAAK,gBAAgB;GAChC;;CAGH,AAAO,mBAAmB,OAAe;AACvC,SAAO,KAAK,gBAAgB,WAAW,SAAS,MAAM;;;;;CAMxD,AAAO,SAAS,QAAkE;AAChF,SAAO,KAAK,gBAAgB,SAAS,UAAU,MAAM;;CAGvD,AAAO,MAAM,aAA8B;EACzC,MAAM,cAAc,IAAI,KAAK,gBAAgB,YAAY,eAAe;AAExE,SAAO,KAAK,gBAAgB,MAAM,YAAY"}
1	+ {"version":3,"file":"X509Certificate.mjs","names":["extensions: Array<x509.Extension \| undefined>","certificate","certificateInstance","publicCryptoKey: CredoWebCryptoKey \| undefined"],"sources":["../../../src/modules/x509/X509Certificate.ts"],"sourcesContent":["import { AsnParser } from '@peculiar/asn1-schema'\nimport {\n id_ce_authorityKeyIdentifier,\n id_ce_extKeyUsage,\n id_ce_issuerAltName,\n id_ce_keyUsage,\n id_ce_subjectAltName,\n id_ce_subjectKeyIdentifier,\n SubjectPublicKeyInfo,\n} from '@peculiar/asn1-x509'\nimport * as x509 from '@peculiar/x509'\nimport type { AgentContext } from '../../agent'\nimport { CredoWebCrypto, CredoWebCryptoKey } from '../../crypto/webcrypto'\nimport { publicJwkToCryptoKeyAlgorithm, spkiToPublicJwk } from '../../crypto/webcrypto/utils'\nimport type { AnyUint8Array } from '../../types'\nimport { TypedArrayEncoder } from '../../utils'\nimport { asymmetricPublicJwkMatches, PublicJwk } from '../kms'\nimport {\n convertName,\n createAuthorityKeyIdentifierExtension,\n createBasicConstraintsExtension,\n createCrlDistributionPointsExtension,\n createExtendedKeyUsagesExtension,\n createIssuerAlternativeNameExtension,\n createKeyUsagesExtension,\n createSubjectAlternativeNameExtension,\n createSubjectKeyIdentifierExtension,\n} from './utils'\nimport { X509Error } from './X509Error'\nimport type { X509CreateCertificateOptions } from './X509ServiceOptions'\n\nexport enum X509KeyUsage {\n DigitalSignature = 1,\n NonRepudiation = 2,\n KeyEncipherment = 4,\n DataEncipherment = 8,\n KeyAgreement = 16,\n KeyCertSign = 32,\n CrlSign = 64,\n EncipherOnly = 128,\n DecipherOnly = 256,\n}\n\nexport enum X509ExtendedKeyUsage {\n ServerAuth = '1.3.6.1.5.5.7.3.1',\n ClientAuth = '1.3.6.1.5.5.7.3.2',\n CodeSigning = '1.3.6.1.5.5.7.3.3',\n EmailProtection = '1.3.6.1.5.5.7.3.4',\n TimeStamping = '1.3.6.1.5.5.7.3.8',\n OcspSigning = '1.3.6.1.5.5.7.3.9',\n MdlDs = '1.0.18013.5.1.2',\n}\n\nexport type X509CertificateOptions = {\n publicJwk: PublicJwk\n privateKey?: AnyUint8Array\n x509Certificate: x509.X509Certificate\n}\n\nexport class X509Certificate {\n public publicJwk: PublicJwk\n public privateKey?: AnyUint8Array\n private x509Certificate: x509.X509Certificate\n\n private constructor(options: X509CertificateOptions) {\n this.publicJwk = options.publicJwk\n this.privateKey = options.privateKey\n this.x509Certificate = options.x509Certificate\n }\n\n public set keyId(keyId: string) {\n this.publicJwk.keyId = keyId\n }\n\n public get keyId(): string {\n return this.publicJwk.keyId\n }\n\n public get hasKeyId(): boolean {\n return this.publicJwk.hasKeyId\n }\n\n public static fromRawCertificate(rawCertificate: AnyUint8Array): X509Certificate {\n const certificate = new x509.X509Certificate(rawCertificate)\n return X509Certificate.parseCertificate(certificate)\n }\n\n public static fromEncodedCertificate(encodedCertificate: string): X509Certificate {\n const certificate = new x509.X509Certificate(encodedCertificate)\n return X509Certificate.parseCertificate(certificate)\n }\n\n private static parseCertificate(certificate: x509.X509Certificate): X509Certificate {\n const spki = AsnParser.parse(certificate.publicKey.rawData, SubjectPublicKeyInfo)\n const privateKey = certificate.privateKey ? new Uint8Array(certificate.privateKey.rawData) : undefined\n\n const publicJwk = spkiToPublicJwk(spki)\n\n return new X509Certificate({\n publicJwk,\n privateKey,\n x509Certificate: certificate,\n })\n }\n\n private getMatchingExtensions<T = { critical: boolean }>(objectIdentifier: string): Array<T> \| undefined {\n return this.x509Certificate.extensions.filter((e) => e.type === objectIdentifier) as Array<T> \| undefined\n }\n\n public get rawCertificate() {\n return new Uint8Array(this.x509Certificate.rawData)\n }\n\n public get subjectAlternativeNames() {\n const san = this.getMatchingExtensions<x509.SubjectAlternativeNameExtension>(id_ce_subjectAltName)\n return san?.flatMap((s) => s.names.items).map((i) => ({ type: i.type, value: i.value })) ?? []\n }\n\n public get issuerAlternativeNames() {\n const ian = this.getMatchingExtensions<x509.IssuerAlternativeNameExtension>(id_ce_issuerAltName)\n return ian?.flatMap((i) => i.names.items).map((i) => ({ type: i.type, value: i.value })) ?? []\n }\n\n public get sanDnsNames() {\n return this.subjectAlternativeNames.filter((san) => san.type === 'dns').map((san) => san.value)\n }\n\n public get sanUriNames() {\n return this.subjectAlternativeNames.filter((ian) => ian.type === 'url').map((ian) => ian.value)\n }\n\n public get ianDnsNames() {\n return this.issuerAlternativeNames.filter((san) => san.type === 'dns').map((san) => san.value)\n }\n\n public get ianUriNames() {\n return this.issuerAlternativeNames.filter((ian) => ian.type === 'url').map((ian) => ian.value)\n }\n\n public get authorityKeyIdentifier() {\n const keyIds = this.getMatchingExtensions<x509.AuthorityKeyIdentifierExtension>(id_ce_authorityKeyIdentifier)?.map(\n (e) => e.keyId\n )\n\n if (keyIds && keyIds.length > 1) {\n throw new X509Error('Multiple Authority Key Identifiers are not allowed')\n }\n\n return keyIds?.[0]\n }\n\n public get subjectKeyIdentifier() {\n const keyIds = this.getMatchingExtensions<x509.SubjectKeyIdentifierExtension>(id_ce_subjectKeyIdentifier)?.map(\n (e) => e.keyId\n )\n\n if (keyIds && keyIds.length > 1) {\n throw new X509Error('Multiple Subject Key Identifiers are not allowed')\n }\n\n return keyIds?.[0]\n }\n\n // biome-ignore lint/suspicious/useGetterReturn: no explanation\n public get keyUsage() {\n const keyUsages = this.getMatchingExtensions<x509.KeyUsagesExtension>(id_ce_keyUsage)?.map((e) => e.usages)\n\n if (keyUsages && keyUsages.length > 1) {\n throw new X509Error('Multiple Key Usages are not allowed')\n }\n\n if (keyUsages) {\n return Object.values(X509KeyUsage)\n .filter((key): key is number => typeof key === 'number')\n .filter((flagValue) => (keyUsages[0] & flagValue) === flagValue)\n .map((flagValue) => flagValue as X509KeyUsage)\n }\n }\n\n public get extendedKeyUsage() {\n const extendedKeyUsages = this.getMatchingExtensions<x509.ExtendedKeyUsageExtension>(id_ce_extKeyUsage)?.map(\n (e) => e.usages\n )\n\n if (extendedKeyUsages && extendedKeyUsages.length > 1) {\n throw new X509Error('Multiple Key Usages are not allowed')\n }\n\n return (extendedKeyUsages?.[0] as Array<X509ExtendedKeyUsage> \| undefined) ?? []\n }\n\n public isExtensionCritical(id: string): boolean {\n const extension = this.getMatchingExtensions(id)\n if (!extension) {\n throw new X509Error(`extension with id '${id}' is not found`)\n }\n\n return !!extension[0].critical\n }\n\n public static async create(options: X509CreateCertificateOptions, webCrypto: CredoWebCrypto) {\n const subjectPublicKey = options.subjectPublicKey ?? options.authorityKey\n const isSelfSignedCertificate = asymmetricPublicJwkMatches(options.authorityKey.toJson(), subjectPublicKey.toJson())\n\n const signingKey = new CredoWebCryptoKey(\n options.authorityKey,\n publicJwkToCryptoKeyAlgorithm(options.authorityKey),\n false,\n 'private',\n ['sign']\n )\n const publicKey = new CredoWebCryptoKey(\n subjectPublicKey,\n publicJwkToCryptoKeyAlgorithm(options.authorityKey),\n true,\n 'public',\n ['verify']\n )\n\n const issuerName = convertName(options.issuer)\n\n const extensions: Array<x509.Extension \| undefined> = []\n extensions.push(\n createSubjectKeyIdentifierExtension(options.extensions?.subjectKeyIdentifier, { publicJwk: subjectPublicKey })\n )\n extensions.push(createKeyUsagesExtension(options.extensions?.keyUsage))\n extensions.push(createExtendedKeyUsagesExtension(options.extensions?.extendedKeyUsage))\n extensions.push(\n createAuthorityKeyIdentifierExtension(options.extensions?.authorityKeyIdentifier, {\n publicJwk: options.authorityKey,\n })\n )\n extensions.push(createIssuerAlternativeNameExtension(options.extensions?.issuerAlternativeName))\n extensions.push(createSubjectAlternativeNameExtension(options.extensions?.subjectAlternativeName))\n extensions.push(createBasicConstraintsExtension(options.extensions?.basicConstraints))\n extensions.push(createCrlDistributionPointsExtension(options.extensions?.crlDistributionPoints))\n\n if (isSelfSignedCertificate) {\n if (options.subject) {\n throw new X509Error('Do not provide a subject name when the certificate is supposed to be self signed')\n }\n\n const certificate = await x509.X509CertificateGenerator.createSelfSigned(\n {\n keys: { publicKey, privateKey: signingKey },\n name: issuerName,\n notBefore: options.validity?.notBefore,\n notAfter: options.validity?.notAfter,\n extensions: extensions.filter((e) => e !== undefined),\n serialNumber: options.serialNumber,\n },\n webCrypto\n )\n\n const certificateInstance = X509Certificate.parseCertificate(certificate)\n if (subjectPublicKey.hasKeyId) certificateInstance.publicJwk.keyId = subjectPublicKey.keyId\n return certificateInstance\n }\n\n if (!options.subject) {\n throw new X509Error('Provide a subject name when the certificate is not supposed to be self signed')\n }\n\n const subjectName = convertName(options.subject)\n\n const certificate = await x509.X509CertificateGenerator.create(\n {\n signingKey,\n publicKey,\n issuer: issuerName,\n subject: subjectName,\n notBefore: options.validity?.notBefore,\n notAfter: options.validity?.notAfter,\n extensions: extensions.filter((e) => e !== undefined),\n },\n webCrypto\n )\n\n const certificateInstance = X509Certificate.parseCertificate(certificate)\n if (subjectPublicKey.hasKeyId) certificateInstance.publicJwk.keyId = subjectPublicKey.keyId\n return certificateInstance\n }\n\n public get subject() {\n return this.x509Certificate.subject\n }\n\n public get issuer() {\n return this.x509Certificate.issuer\n }\n\n public async verify(\n {\n verificationDate = new Date(),\n publicJwk,\n skipSignatureVerification = false,\n }: {\n verificationDate: Date\n publicJwk?: PublicJwk\n\n /*\n Whether to skip the verification of the signature and only perform other checks (such\n * as whether the certificate is not expired).\n \n This can be useful when an non-self-signed certificate is directly trusted, and it may\n * not be possible to verify the certificate as the root/intermediate certificate containing\n * the key of the signer/intermediate is not present.\n \n @default false\n /\n skipSignatureVerification?: boolean\n },\n webCrypto: CredoWebCrypto\n ) {\n let publicCryptoKey: CredoWebCryptoKey \| undefined\n if (publicJwk) {\n const cryptoKeyAlgorithm = publicJwkToCryptoKeyAlgorithm(publicJwk)\n publicCryptoKey = new CredoWebCryptoKey(publicJwk, cryptoKeyAlgorithm, true, 'public', ['verify'])\n }\n\n // We use the library to validate the signature, but the date is manually verified\n const isSignatureValid = skipSignatureVerification\n ? true\n : await this.x509Certificate.verify({ signatureOnly: true, publicKey: publicCryptoKey }, webCrypto)\n const time = verificationDate.getTime()\n\n const isNotBeforeValid = this.x509Certificate.notBefore.getTime() <= time\n const isNotAfterValid = time <= this.x509Certificate.notAfter.getTime()\n\n if (!isSignatureValid) {\n throw new X509Error(`Certificate: '${this.x509Certificate.subject}' has an invalid signature`)\n }\n\n if (!isNotBeforeValid) {\n throw new X509Error(`Certificate: '${this.x509Certificate.subject}' used before it is allowed`)\n }\n\n if (!isNotAfterValid) {\n throw new X509Error(`Certificate: '${this.x509Certificate.subject}' used after it is allowed`)\n }\n }\n\n /\n Get the thumbprint of the X509 certificate in hex format.\n /\n public async getThumbprintInHex(agentContext: AgentContext) {\n const thumbprint = await this.x509Certificate.getThumbprint(new CredoWebCrypto(agentContext))\n const thumbprintHex = TypedArrayEncoder.toHex(new Uint8Array(thumbprint))\n\n return thumbprintHex\n }\n\n /\n Get the data elements of the x509 certificate\n /\n public get data() {\n return {\n issuerName: this.x509Certificate.issuerName.toString(),\n issuer: this.x509Certificate.issuer,\n subjectName: this.x509Certificate.subjectName.toString(),\n subject: this.x509Certificate.subject,\n serialNumber: this.x509Certificate.serialNumber,\n pem: this.x509Certificate.toString(),\n notBefore: this.x509Certificate.notBefore,\n notAfter: this.x509Certificate.notAfter,\n }\n }\n\n public getIssuerNameField(field: string) {\n return this.x509Certificate.issuerName.getField(field)\n }\n\n /\n @param format the format to export to, defaults to `pem`\n */\n public toString(format?: 'asn' \| 'pem' \| 'hex' \| 'base64' \| 'text' \| 'base64url') {\n return this.x509Certificate.toString(format ?? 'pem')\n }\n\n public equal(certificate: X509Certificate) {\n const parsedOther = new x509.X509Certificate(certificate.rawCertificate)\n\n return this.x509Certificate.equal(parsedOther)\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AA+BA,IAAY,wDAAL;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;AAGF,IAAY,wEAAL;AACL;AACA;AACA;AACA;AACA;AACA;AACA;;;AASF,IAAa,kBAAb,MAAa,gBAAgB;CAK3B,AAAQ,YAAY,SAAiC;AACnD,OAAK,YAAY,QAAQ;AACzB,OAAK,aAAa,QAAQ;AAC1B,OAAK,kBAAkB,QAAQ;;CAGjC,IAAW,MAAM,OAAe;AAC9B,OAAK,UAAU,QAAQ;;CAGzB,IAAW,QAAgB;AACzB,SAAO,KAAK,UAAU;;CAGxB,IAAW,WAAoB;AAC7B,SAAO,KAAK,UAAU;;CAGxB,OAAc,mBAAmB,gBAAgD;EAC/E,MAAM,cAAc,IAAI,KAAK,gBAAgB,eAAe;AAC5D,SAAO,gBAAgB,iBAAiB,YAAY;;CAGtD,OAAc,uBAAuB,oBAA6C;EAChF,MAAM,cAAc,IAAI,KAAK,gBAAgB,mBAAmB;AAChE,SAAO,gBAAgB,iBAAiB,YAAY;;CAGtD,OAAe,iBAAiB,aAAoD;EAClF,MAAM,OAAO,UAAU,MAAM,YAAY,UAAU,SAAS,qBAAqB;EACjF,MAAM,aAAa,YAAY,aAAa,IAAI,WAAW,YAAY,WAAW,QAAQ,GAAG;AAI7F,SAAO,IAAI,gBAAgB;GACzB,WAHgB,gBAAgB,KAAK;GAIrC;GACA,iBAAiB;GAClB,CAAC;;CAGJ,AAAQ,sBAAiD,kBAAgD;AACvG,SAAO,KAAK,gBAAgB,WAAW,QAAQ,MAAM,EAAE,SAAS,iBAAiB;;CAGnF,IAAW,iBAAiB;AAC1B,SAAO,IAAI,WAAW,KAAK,gBAAgB,QAAQ;;CAGrD,IAAW,0BAA0B;AAEnC,SADY,KAAK,sBAA4D,qBAAqB,EACtF,SAAS,MAAM,EAAE,MAAM,MAAM,CAAC,KAAK,OAAO;GAAE,MAAM,EAAE;GAAM,OAAO,EAAE;GAAO,EAAE,IAAI,EAAE;;CAGhG,IAAW,yBAAyB;AAElC,SADY,KAAK,sBAA2D,oBAAoB,EACpF,SAAS,MAAM,EAAE,MAAM,MAAM,CAAC,KAAK,OAAO;GAAE,MAAM,EAAE;GAAM,OAAO,EAAE;GAAO,EAAE,IAAI,EAAE;;CAGhG,IAAW,cAAc;AACvB,SAAO,KAAK,wBAAwB,QAAQ,QAAQ,IAAI,SAAS,MAAM,CAAC,KAAK,QAAQ,IAAI,MAAM;;CAGjG,IAAW,cAAc;AACvB,SAAO,KAAK,wBAAwB,QAAQ,QAAQ,IAAI,SAAS,MAAM,CAAC,KAAK,QAAQ,IAAI,MAAM;;CAGjG,IAAW,cAAc;AACvB,SAAO,KAAK,uBAAuB,QAAQ,QAAQ,IAAI,SAAS,MAAM,CAAC,KAAK,QAAQ,IAAI,MAAM;;CAGhG,IAAW,cAAc;AACvB,SAAO,KAAK,uBAAuB,QAAQ,QAAQ,IAAI,SAAS,MAAM,CAAC,KAAK,QAAQ,IAAI,MAAM;;CAGhG,IAAW,yBAAyB;EAClC,MAAM,SAAS,KAAK,sBAA4D,6BAA6B,EAAE,KAC5G,MAAM,EAAE,MACV;AAED,MAAI,UAAU,OAAO,SAAS,EAC5B,OAAM,IAAI,UAAU,qDAAqD;AAG3E,SAAO,SAAS;;CAGlB,IAAW,uBAAuB;EAChC,MAAM,SAAS,KAAK,sBAA0D,2BAA2B,EAAE,KACxG,MAAM,EAAE,MACV;AAED,MAAI,UAAU,OAAO,SAAS,EAC5B,OAAM,IAAI,UAAU,mDAAmD;AAGzE,SAAO,SAAS;;CAIlB,IAAW,WAAW;EACpB,MAAM,YAAY,KAAK,sBAA+C,eAAe,EAAE,KAAK,MAAM,EAAE,OAAO;AAE3G,MAAI,aAAa,UAAU,SAAS,EAClC,OAAM,IAAI,UAAU,sCAAsC;AAG5D,MAAI,UACF,QAAO,OAAO,OAAO,aAAa,CAC/B,QAAQ,QAAuB,OAAO,QAAQ,SAAS,CACvD,QAAQ,eAAe,UAAU,KAAK,eAAe,UAAU,CAC/D,KAAK,cAAc,UAA0B;;CAIpD,IAAW,mBAAmB;EAC5B,MAAM,oBAAoB,KAAK,sBAAsD,kBAAkB,EAAE,KACtG,MAAM,EAAE,OACV;AAED,MAAI,qBAAqB,kBAAkB,SAAS,EAClD,OAAM,IAAI,UAAU,sCAAsC;AAG5D,SAAQ,oBAAoB,MAAkD,EAAE;;CAGlF,AAAO,oBAAoB,IAAqB;EAC9C,MAAM,YAAY,KAAK,sBAAsB,GAAG;AAChD,MAAI,CAAC,UACH,OAAM,IAAI,UAAU,sBAAsB,GAAG,gBAAgB;AAG/D,SAAO,CAAC,CAAC,UAAU,GAAG;;CAGxB,aAAoB,OAAO,SAAuC,WAA2B;EAC3F,MAAM,mBAAmB,QAAQ,oBAAoB,QAAQ;EAC7D,MAAM,0BAA0B,2BAA2B,QAAQ,aAAa,QAAQ,EAAE,iBAAiB,QAAQ,CAAC;EAEpH,MAAM,aAAa,IAAI,kBACrB,QAAQ,cACR,8BAA8B,QAAQ,aAAa,EACnD,OACA,WACA,CAAC,OAAO,CACT;EACD,MAAM,YAAY,IAAI,kBACpB,kBACA,8BAA8B,QAAQ,aAAa,EACnD,MACA,UACA,CAAC,SAAS,CACX;EAED,MAAM,aAAa,YAAY,QAAQ,OAAO;EAE9C,MAAMA,aAAgD,EAAE;AACxD,aAAW,KACT,oCAAoC,QAAQ,YAAY,sBAAsB,EAAE,WAAW,kBAAkB,CAAC,CAC/G;AACD,aAAW,KAAK,yBAAyB,QAAQ,YAAY,SAAS,CAAC;AACvE,aAAW,KAAK,iCAAiC,QAAQ,YAAY,iBAAiB,CAAC;AACvF,aAAW,KACT,sCAAsC,QAAQ,YAAY,wBAAwB,EAChF,WAAW,QAAQ,cACpB,CAAC,CACH;AACD,aAAW,KAAK,qCAAqC,QAAQ,YAAY,sBAAsB,CAAC;AAChG,aAAW,KAAK,sCAAsC,QAAQ,YAAY,uBAAuB,CAAC;AAClG,aAAW,KAAK,gCAAgC,QAAQ,YAAY,iBAAiB,CAAC;AACtF,aAAW,KAAK,qCAAqC,QAAQ,YAAY,sBAAsB,CAAC;AAEhG,MAAI,yBAAyB;AAC3B,OAAI,QAAQ,QACV,OAAM,IAAI,UAAU,mFAAmF;GAGzG,MAAMC,gBAAc,MAAM,KAAK,yBAAyB,iBACtD;IACE,MAAM;KAAE;KAAW,YAAY;KAAY;IAC3C,MAAM;IACN,WAAW,QAAQ,UAAU;IAC7B,UAAU,QAAQ,UAAU;IAC5B,YAAY,WAAW,QAAQ,MAAM,MAAM,OAAU;IACrD,cAAc,QAAQ;IACvB,EACD,UACD;GAED,MAAMC,wBAAsB,gBAAgB,iBAAiBD,cAAY;AACzE,OAAI,iBAAiB,SAAU,uBAAoB,UAAU,QAAQ,iBAAiB;AACtF,UAAOC;;AAGT,MAAI,CAAC,QAAQ,QACX,OAAM,IAAI,UAAU,gFAAgF;EAGtG,MAAM,cAAc,YAAY,QAAQ,QAAQ;EAEhD,MAAM,cAAc,MAAM,KAAK,yBAAyB,OACtD;GACE;GACA;GACA,QAAQ;GACR,SAAS;GACT,WAAW,QAAQ,UAAU;GAC7B,UAAU,QAAQ,UAAU;GAC5B,YAAY,WAAW,QAAQ,MAAM,MAAM,OAAU;GACtD,EACD,UACD;EAED,MAAM,sBAAsB,gBAAgB,iBAAiB,YAAY;AACzE,MAAI,iBAAiB,SAAU,qBAAoB,UAAU,QAAQ,iBAAiB;AACtF,SAAO;;CAGT,IAAW,UAAU;AACnB,SAAO,KAAK,gBAAgB;;CAG9B,IAAW,SAAS;AAClB,SAAO,KAAK,gBAAgB;;CAG9B,MAAa,OACX,EACE,mCAAmB,IAAI,MAAM,EAC7B,WACA,4BAA4B,SAiB9B,WACA;EACA,IAAIC;AACJ,MAAI,UAEF,mBAAkB,IAAI,kBAAkB,WADb,8BAA8B,UAAU,EACI,MAAM,UAAU,CAAC,SAAS,CAAC;EAIpG,MAAM,mBAAmB,4BACrB,OACA,MAAM,KAAK,gBAAgB,OAAO;GAAE,eAAe;GAAM,WAAW;GAAiB,EAAE,UAAU;EACrG,MAAM,OAAO,iBAAiB,SAAS;EAEvC,MAAM,mBAAmB,KAAK,gBAAgB,UAAU,SAAS,IAAI;EACrE,MAAM,kBAAkB,QAAQ,KAAK,gBAAgB,SAAS,SAAS;AAEvE,MAAI,CAAC,iBACH,OAAM,IAAI,UAAU,iBAAiB,KAAK,gBAAgB,QAAQ,4BAA4B;AAGhG,MAAI,CAAC,iBACH,OAAM,IAAI,UAAU,iBAAiB,KAAK,gBAAgB,QAAQ,6BAA6B;AAGjG,MAAI,CAAC,gBACH,OAAM,IAAI,UAAU,iBAAiB,KAAK,gBAAgB,QAAQ,4BAA4B;;;;;CAOlG,MAAa,mBAAmB,cAA4B;EAC1D,MAAM,aAAa,MAAM,KAAK,gBAAgB,cAAc,IAAI,eAAe,aAAa,CAAC;AAG7F,SAFsB,kBAAkB,MAAM,IAAI,WAAW,WAAW,CAAC;;;;;CAQ3E,IAAW,OAAO;AAChB,SAAO;GACL,YAAY,KAAK,gBAAgB,WAAW,UAAU;GACtD,QAAQ,KAAK,gBAAgB;GAC7B,aAAa,KAAK,gBAAgB,YAAY,UAAU;GACxD,SAAS,KAAK,gBAAgB;GAC9B,cAAc,KAAK,gBAAgB;GACnC,KAAK,KAAK,gBAAgB,UAAU;GACpC,WAAW,KAAK,gBAAgB;GAChC,UAAU,KAAK,gBAAgB;GAChC;;CAGH,AAAO,mBAAmB,OAAe;AACvC,SAAO,KAAK,gBAAgB,WAAW,SAAS,MAAM;;;;;CAMxD,AAAO,SAAS,QAAkE;AAChF,SAAO,KAAK,gBAAgB,SAAS,UAAU,MAAM;;CAGvD,AAAO,MAAM,aAA8B;EACzC,MAAM,cAAc,IAAI,KAAK,gBAAgB,YAAY,eAAe;AAExE,SAAO,KAAK,gBAAgB,MAAM,YAAY"}

package/build/modules/x509/X509Service.d.mts CHANGED Viewed

@@ -1,5 +1,6 @@
-import { X509CreateCertificateOptions, X509GetLeafCertificateOptions, X509ParseCertificateOptions, X509ValidateCertificateChainOptions } from "./X509ServiceOptions.mjs";
+import { X509CreateCertificateOptions, X509CreateCertificateSigningRequestOptions, X509GetLeafCertificateOptions, X509ParseCertificateOptions, X509ParseCertificateSigningRequestOptions, X509ValidateCertificateChainOptions } from "./X509ServiceOptions.mjs";
 import { X509Certificate } from "./X509Certificate.mjs";
+import { CertificateSigningRequest } from "./CertificateSigningRequest.mjs";
 import { AgentContext } from "../../agent/context/AgentContext.mjs";
 import "../../agent/index.mjs";
@@ -16,11 +17,11 @@ declare class X509Service {
    *
    * The Issuer of the certificate is found with the following algorithm:
    * - Check if there is an AuthorityKeyIdentifierExtension
-   * - Go through all the other certificates and see if the SubjectKeyIdentifier is equal to thje AuthorityKeyIdentifier
+   * - Go through all the other certificates and see if the SubjectKeyIdentifier is equal to the AuthorityKeyIdentifier
    * - If they are equal, the certificate is verified and returned as the issuer
    *
    * Additional validation:
-   *   - Make sure atleast a single certificate is in the chain
+   *   - Make sure at least a single certificate is in the chain
    *   - Check whether a certificate in the chain matches with a trusted certificate
    */
   static validateCertificateChain(agentContext: AgentContext, {
@@ -41,6 +42,10 @@ declare class X509Service {
     certificateChain
   }: X509GetLeafCertificateOptions): X509Certificate;
   static createCertificate(agentContext: AgentContext, options: X509CreateCertificateOptions): Promise<X509Certificate>;
+  static createCertificateSigningRequest(agentContext: AgentContext, options: X509CreateCertificateSigningRequestOptions): Promise<CertificateSigningRequest>;
+  static parseCertificateSigningRequest({
+    encodedCertificateSigningRequest
+  }: X509ParseCertificateSigningRequestOptions): CertificateSigningRequest;
 }
 //#endregion
 export { X509Service };

package/build/modules/x509/X509Service.d.mts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"X509Service.d.mts","names":[],"sources":["../../../src/modules/x509/X509Service.ts"],"sourcesContent":[],"mappings":"~~;;;;;;cAea~~,WAAA;;;;;AAFb;;;;;;;;;;;;;;EA4IM,OAAA,wBAAA,CAAA,YAAA,EAtHY,YAsHZ,EAAA;IAAA,gBAAA;IAAA,WAAA;IAAA,gBAAA;IAAA;EAAA,CAAA,EAhHC,mCAgHD,CAAA,EAhHoC,OAgHpC,CAhHoC,eAgHpC,EAAA,CAAA;EAAoB;;;;;EAS+E,OAAA,gBAAA,CAAA,aAAA,EAnBtF,YAmBsF,EAAA;IAAA;EAAA,CAAA,EAlB7E,2BAkB6E,CAAA,EAjBpG,eAiBoG;~~EAAA~~,OAAA,kBAAA,CAAA,aAAA,~~EAVtF~~,~~YAUsF~~,EAAA;IAAA;EAAA,CAAA,~~EAT/E~~,~~6BAS+E~~,CAAA,~~EARpG~~,~~eAQoG~~;~~yCAAnD~~,~~uBAAuB~~,+~~BAA4B~~,~~QAAA~~"}
1	+ {"version":3,"file":"X509Service.d.mts","names":[],"sources":["../../../src/modules/x509/X509Service.ts"],"sourcesContent":[],"mappings":";;;;;;;cAkBa,WAAA;;;;;AAFb;;;;;;;;;;;;;;EA4IM,OAAA,wBAAA,CAAA,YAAA,EAtHY,YAsHZ,EAAA;IAAA,gBAAA;IAAA,WAAA;IAAA,gBAAA;IAAA;EAAA,CAAA,EAhHC,mCAgHD,CAAA,EAhHoC,OAgHpC,CAhHoC,eAgHpC,EAAA,CAAA;EAAoB;;;;;EAS+E,OAAA,gBAAA,CAAA,aAAA,EAnBtF,YAmBsF,EAAA;IAAA;EAAA,CAAA,EAlB7E,2BAkB6E,CAAA,EAjBpG,eAiBoG;EASvF,OAAA,kBAAA,CAAA,aAAA,EAnBC,YAmBD,EAAA;IAAA;EAAA,CAAA,EAlBQ,6BAkBR,CAAA,EAjBb,eAiBa;EACL,OAAA,iBAAA,CAAA,YAAA,EAVyC,YAUzC,EAAA,OAAA,EAVgE,4BAUhE,CAAA,EAV4F,OAU5F,CAV4F,eAU5F,CAAA;EAA0C,OAAA,+BAAA,CAAA,YAAA,EADrC,YACqC,EAAA,OAAA,EAA1C,0CAA0C,CAAA,EAAA,OAAA,CAAA,yBAAA,CAAA;EAAA,OAAA,8BAAA,CAAA;IAAA;EAAA,CAAA,EAWlD,yCAXkD,CAAA,EAWT,yBAXS"}

package/build/modules/x509/X509Service.mjs CHANGED Viewed

@@ -6,6 +6,7 @@ import { CredoWebCrypto } from "../../crypto/webcrypto/CredoWebCrypto.mjs";
 import "../../crypto/webcrypto/index.mjs";
 import { X509Error } from "./X509Error.mjs";
 import { X509Certificate } from "./X509Certificate.mjs";
+import { CertificateSigningRequest } from "./CertificateSigningRequest.mjs";
 import { injectable } from "tsyringe";
 import * as x509 from "@peculiar/x509";
@@ -22,11 +23,11 @@ let X509Service = class X509Service$1 {
 	*
 	* The Issuer of the certificate is found with the following algorithm:
 	* - Check if there is an AuthorityKeyIdentifierExtension
-	* - Go through all the other certificates and see if the SubjectKeyIdentifier is equal to thje AuthorityKeyIdentifier
+	* - Go through all the other certificates and see if the SubjectKeyIdentifier is equal to the AuthorityKeyIdentifier
 	* - If they are equal, the certificate is verified and returned as the issuer
 	*
 	* Additional validation:
-	*   - Make sure atleast a single certificate is in the chain
+	*   - Make sure at least a single certificate is in the chain
 	*   - Check whether a certificate in the chain matches with a trusted certificate
 	*/
 	static async validateCertificateChain(agentContext, { certificateChain, certificate = certificateChain[0], verificationDate = /* @__PURE__ */ new Date(), trustedCertificates }) {
@@ -81,6 +82,13 @@ let X509Service = class X509Service$1 {
 		const webCrypto = new CredoWebCrypto(agentContext);
 		return await X509Certificate.create(options, webCrypto);
 	}
+	static async createCertificateSigningRequest(agentContext, options) {
+		const webCrypto = new CredoWebCrypto(agentContext);
+		return await CertificateSigningRequest.create(options, webCrypto);
+	}
+	static parseCertificateSigningRequest({ encodedCertificateSigningRequest }) {
+		return CertificateSigningRequest.fromEncodedCertificateRequest(encodedCertificateSigningRequest);
+	}
 };
 X509Service = __decorate([injectable()], X509Service);

package/build/modules/x509/X509Service.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"X509Service.mjs","names":["X509Service","parsedLeafCertificate: x509.X509Certificate","certificatesToBuildChain: x509.X509Certificate[]","previousCertificate: X509Certificate \| undefined"],"sources":["../../../src/modules/x509/X509Service.ts"],"sourcesContent":["import * as x509 from '@peculiar/x509'\nimport { injectable } from 'tsyringe'\nimport { AgentContext } from '../../agent'\nimport { CredoWebCrypto } from '../../crypto/webcrypto'\nimport { X509Certificate } from './X509Certificate'\nimport { X509Error } from './X509Error'\nimport type {\n X509CreateCertificateOptions,\n X509GetLeafCertificateOptions,\n X509ParseCertificateOptions,\n X509ValidateCertificateChainOptions,\n} from './X509ServiceOptions'\n\n@injectable()\n// biome-ignore lint/complexity/noStaticOnlyClass: no explanation\nexport class X509Service {\n /*\n \n * Validate a chain of X.509 certificates according to RFC 5280\n \n This function requires a list of base64 encoded certificates and, optionally, a certificate that should be found in the chain.\n * If no certificate is provided, it will just assume the leaf certificate\n \n The leaf certificate should be the 0th index and the root the last\n \n The Issuer of the certificate is found with the following algorithm:\n * - Check if there is an AuthorityKeyIdentifierExtension\n * - Go through all the other certificates and see if the SubjectKeyIdentifier is equal to thje AuthorityKeyIdentifier\n * - If they are equal, the certificate is verified and returned as the issuer\n \n Additional validation:\n * - Make sure atleast a single certificate is in the chain\n * - Check whether a certificate in the chain matches with a trusted certificate\n /\n public static async validateCertificateChain(\n agentContext: AgentContext,\n {\n certificateChain,\n certificate = certificateChain[0],\n verificationDate = new Date(),\n trustedCertificates,\n }: X509ValidateCertificateChainOptions\n ) {\n if (certificateChain.length === 0) throw new X509Error('Certificate chain is empty')\n const webCrypto = new CredoWebCrypto(agentContext)\n\n let parsedLeafCertificate: x509.X509Certificate\n let certificatesToBuildChain: x509.X509Certificate[]\n try {\n parsedLeafCertificate = new x509.X509Certificate(certificate)\n certificatesToBuildChain = [...certificateChain, ...(trustedCertificates ?? [])].map(\n (c) => new x509.X509Certificate(c)\n )\n } catch (error) {\n throw new X509Error('Error during parsing of x509 certificate', { cause: error })\n }\n\n const certificateChainBuilder = new x509.X509ChainBuilder({\n certificates: certificatesToBuildChain,\n })\n\n const chain = await certificateChainBuilder.build(parsedLeafCertificate, webCrypto)\n\n // The chain is reversed here as the `x5c` header (the expected input),\n // has the leaf certificate as the first entry, while the `x509` library expects this as the last\n let parsedChain = chain.map((c) => X509Certificate.fromRawCertificate(new Uint8Array(c.rawData))).reverse()\n\n // We allow longer parsed chain, in case the root cert was not part of the chain, but in the\n // list of trusted certificates\n if (parsedChain.length < certificateChain.length) {\n throw new X509Error('Could not parse the full chain. Likely due to incorrect ordering')\n }\n\n let previousCertificate: X509Certificate \| undefined\n\n if (trustedCertificates) {\n const parsedTrustedCertificates = trustedCertificates.map((trustedCertificate) =>\n X509Certificate.fromEncodedCertificate(trustedCertificate)\n )\n\n const trustedCertificateIndex = parsedChain.findIndex((cert) =>\n parsedTrustedCertificates.some((tCert) => cert.equal(tCert))\n )\n\n if (trustedCertificateIndex === -1) {\n throw new X509Error('No trusted certificate was found while validating the X.509 chain')\n }\n\n if (trustedCertificateIndex > 0) {\n // When we trust a certificate other than the first certificate in the provided chain we keep a reference to the\n // previous certificate as we need the key of this certificate to verify the first certificate in the chain as\n // it's not self-sigend.\n previousCertificate = parsedChain[trustedCertificateIndex - 1]\n\n // Pop everything off before the index of the trusted certificate (those are more root) as it is not relevant for validation\n parsedChain = parsedChain.slice(trustedCertificateIndex)\n }\n }\n\n // Verify the certificate with the publicKey of the certificate above\n for (let i = 0; i < parsedChain.length; i++) {\n const cert = parsedChain[i]\n const publicJwk = previousCertificate ? previousCertificate.publicJwk : undefined\n\n // The only scenario where this will trigger is if the trusted certificates and the x509 chain both do not contain the\n // intermediate/root certificate needed. E.g. for ISO 18013-5 mDL the root cert MUST NOT be in the chain. If the signer\n // certificate is then trusted, it will fail, as we can't verify the signer certifciate without having access to the signer\n // key of the root certificate.\n // See also https://github.com/openid/OpenID4VCI/issues/62\n //\n // In this case we could skip the signature verification (not other verifications), as we already trust the signer certificate,\n // but i think the purpose of ISO 18013-5 mDL is that you trust the root certificate. If we can't verify the whole chain e.g.\n // when we receive a credential we have the chance it will fail later on.\n const skipSignatureVerification = i === 0 && trustedCertificates && !publicJwk\n // NOTE: at some point we might want to change this to throw an error instead of skipping the signature verification of the trusted\n // but it would basically prevent mDOCs from unknown issuers to be verified in the wallet. Verifiers should only trust the root certificate\n // anyway.\n // if (i === 0 && trustedCertificates && cert.issuer !== cert.subject && !publicKey) {\n // throw new X509Error(\n // 'Unable to verify the certificate chain. A non-self-signed certificate is the first certificate in the chain, and no parent certificate was found in the trusted certificates, meaning the first certificate in the chain cannot be verified. Ensure the certificate is added '\n // )\n // }\n\n await cert.verify(\n {\n publicJwk,\n verificationDate,\n skipSignatureVerification,\n },\n webCrypto\n )\n previousCertificate = cert\n }\n\n return parsedChain\n }\n\n /\n \n * Parses a base64-encoded X.509 certificate into a {@link X509Certificate}\n \n /\n public static parseCertificate(\n _agentContext: AgentContext,\n { encodedCertificate }: X509ParseCertificateOptions\n ): X509Certificate {\n const certificate = X509Certificate.fromEncodedCertificate(encodedCertificate)\n\n return certificate\n }\n\n public static getLeafCertificate(\n _agentContext: AgentContext,\n { certificateChain }: X509GetLeafCertificateOptions\n ): X509Certificate {\n if (certificateChain.length === 0) throw new X509Error('Certificate chain is empty')\n\n const certificate = X509Certificate.fromEncodedCertificate(certificateChain[0])\n\n return certificate\n }\n\n public static async createCertificate(agentContext: AgentContext, options: X509CreateCertificateOptions) {\n const webCrypto = new CredoWebCrypto(agentContext)\n\n const certificate = await X509Certificate.create(options, webCrypto)\n\n return certificate\n }\n}\n"],"mappings":";;;;;;;;;;;;AAeO,wBAAMA,cAAY;;;;;;;;;;;;;;;;;;;CAmBvB,aAAoB,yBAClB,cACA,EACE,kBACA,cAAc,iBAAiB,IAC/B,mCAAmB,IAAI,MAAM,EAC7B,uBAEF;AACA,MAAI,iBAAiB,WAAW,EAAG,OAAM,IAAI,UAAU,6BAA6B;EACpF,MAAM,YAAY,IAAI,eAAe,aAAa;EAElD,IAAIC;EACJ,IAAIC;AACJ,MAAI;AACF,2BAAwB,IAAI,KAAK,gBAAgB,YAAY;AAC7D,8BAA2B,CAAC,GAAG,kBAAkB,GAAI,uBAAuB,EAAE,CAAE,CAAC,KAC9E,MAAM,IAAI,KAAK,gBAAgB,EAAE,CACnC;WACM,OAAO;AACd,SAAM,IAAI,UAAU,4CAA4C,EAAE,OAAO,OAAO,CAAC;;EAWnF,IAAI,eAJU,MAJkB,IAAI,KAAK,iBAAiB,EACxD,cAAc,0BACf,CAAC,CAE0C,MAAM,uBAAuB,UAAU,EAI3D,KAAK,MAAM,gBAAgB,mBAAmB,IAAI,WAAW,EAAE,QAAQ,CAAC,CAAC,CAAC,SAAS;AAI3G,MAAI,YAAY,SAAS,iBAAiB,OACxC,OAAM,IAAI,UAAU,mEAAmE;EAGzF,IAAIC;AAEJ,MAAI,qBAAqB;GACvB,MAAM,4BAA4B,oBAAoB,KAAK,uBACzD,gBAAgB,uBAAuB,mBAAmB,CAC3D;GAED,MAAM,0BAA0B,YAAY,WAAW,SACrD,0BAA0B,MAAM,UAAU,KAAK,MAAM,MAAM,CAAC,CAC7D;AAED,OAAI,4BAA4B,GAC9B,OAAM,IAAI,UAAU,oEAAoE;AAG1F,OAAI,0BAA0B,GAAG;AAI/B,0BAAsB,YAAY,0BAA0B;AAG5D,kBAAc,YAAY,MAAM,wBAAwB;;;AAK5D,OAAK,IAAI,IAAI,GAAG,IAAI,YAAY,QAAQ,KAAK;GAC3C,MAAM,OAAO,YAAY;GACzB,MAAM,YAAY,sBAAsB,oBAAoB,YAAY;GAWxE,MAAM,4BAA4B,MAAM,KAAK,uBAAuB,CAAC;AAUrE,SAAM,KAAK,OACT;IACE;IACA;IACA;IACD,EACD,UACD;AACD,yBAAsB;;AAGxB,SAAO;;;;;;;CAQT,OAAc,iBACZ,eACA,EAAE,sBACe;AAGjB,SAFoB,gBAAgB,uBAAuB,mBAAmB;;CAKhF,OAAc,mBACZ,eACA,EAAE,oBACe;AACjB,MAAI,iBAAiB,WAAW,EAAG,OAAM,IAAI,UAAU,6BAA6B;AAIpF,SAFoB,gBAAgB,uBAAuB,iBAAiB,GAAG;;CAKjF,aAAoB,kBAAkB,cAA4B,SAAuC;EACvG,MAAM,YAAY,IAAI,eAAe,aAAa;AAIlD,SAFoB,MAAM,gBAAgB,OAAO,SAAS,UAAU;;;0BAxJvE,YAAY"}
1	+ {"version":3,"file":"X509Service.mjs","names":["X509Service","parsedLeafCertificate: x509.X509Certificate","certificatesToBuildChain: x509.X509Certificate[]","previousCertificate: X509Certificate \| undefined"],"sources":["../../../src/modules/x509/X509Service.ts"],"sourcesContent":["import * as x509 from '@peculiar/x509'\nimport { injectable } from 'tsyringe'\nimport { AgentContext } from '../../agent'\nimport { CredoWebCrypto } from '../../crypto/webcrypto'\nimport { CertificateSigningRequest } from './CertificateSigningRequest'\nimport { X509Certificate } from './X509Certificate'\nimport { X509Error } from './X509Error'\nimport type {\n X509CreateCertificateOptions,\n X509CreateCertificateSigningRequestOptions,\n X509GetLeafCertificateOptions,\n X509ParseCertificateOptions,\n X509ParseCertificateSigningRequestOptions,\n X509ValidateCertificateChainOptions,\n} from './X509ServiceOptions'\n\n@injectable()\n// biome-ignore lint/complexity/noStaticOnlyClass: no explanation\nexport class X509Service {\n /*\n \n * Validate a chain of X.509 certificates according to RFC 5280\n \n This function requires a list of base64 encoded certificates and, optionally, a certificate that should be found in the chain.\n * If no certificate is provided, it will just assume the leaf certificate\n \n The leaf certificate should be the 0th index and the root the last\n \n The Issuer of the certificate is found with the following algorithm:\n * - Check if there is an AuthorityKeyIdentifierExtension\n * - Go through all the other certificates and see if the SubjectKeyIdentifier is equal to the AuthorityKeyIdentifier\n * - If they are equal, the certificate is verified and returned as the issuer\n \n Additional validation:\n * - Make sure at least a single certificate is in the chain\n * - Check whether a certificate in the chain matches with a trusted certificate\n /\n public static async validateCertificateChain(\n agentContext: AgentContext,\n {\n certificateChain,\n certificate = certificateChain[0],\n verificationDate = new Date(),\n trustedCertificates,\n }: X509ValidateCertificateChainOptions\n ) {\n if (certificateChain.length === 0) throw new X509Error('Certificate chain is empty')\n const webCrypto = new CredoWebCrypto(agentContext)\n\n let parsedLeafCertificate: x509.X509Certificate\n let certificatesToBuildChain: x509.X509Certificate[]\n try {\n parsedLeafCertificate = new x509.X509Certificate(certificate)\n certificatesToBuildChain = [...certificateChain, ...(trustedCertificates ?? [])].map(\n (c) => new x509.X509Certificate(c)\n )\n } catch (error) {\n throw new X509Error('Error during parsing of x509 certificate', { cause: error })\n }\n\n const certificateChainBuilder = new x509.X509ChainBuilder({\n certificates: certificatesToBuildChain,\n })\n\n const chain = await certificateChainBuilder.build(parsedLeafCertificate, webCrypto)\n\n // The chain is reversed here as the `x5c` header (the expected input),\n // has the leaf certificate as the first entry, while the `x509` library expects this as the last\n let parsedChain = chain.map((c) => X509Certificate.fromRawCertificate(new Uint8Array(c.rawData))).reverse()\n\n // We allow longer parsed chain, in case the root cert was not part of the chain, but in the\n // list of trusted certificates\n if (parsedChain.length < certificateChain.length) {\n throw new X509Error('Could not parse the full chain. Likely due to incorrect ordering')\n }\n\n let previousCertificate: X509Certificate \| undefined\n\n if (trustedCertificates) {\n const parsedTrustedCertificates = trustedCertificates.map((trustedCertificate) =>\n X509Certificate.fromEncodedCertificate(trustedCertificate)\n )\n\n const trustedCertificateIndex = parsedChain.findIndex((cert) =>\n parsedTrustedCertificates.some((tCert) => cert.equal(tCert))\n )\n\n if (trustedCertificateIndex === -1) {\n throw new X509Error('No trusted certificate was found while validating the X.509 chain')\n }\n\n if (trustedCertificateIndex > 0) {\n // When we trust a certificate other than the first certificate in the provided chain we keep a reference to the\n // previous certificate as we need the key of this certificate to verify the first certificate in the chain as\n // it's not self-sigend.\n previousCertificate = parsedChain[trustedCertificateIndex - 1]\n\n // Pop everything off before the index of the trusted certificate (those are more root) as it is not relevant for validation\n parsedChain = parsedChain.slice(trustedCertificateIndex)\n }\n }\n\n // Verify the certificate with the publicKey of the certificate above\n for (let i = 0; i < parsedChain.length; i++) {\n const cert = parsedChain[i]\n const publicJwk = previousCertificate ? previousCertificate.publicJwk : undefined\n\n // The only scenario where this will trigger is if the trusted certificates and the x509 chain both do not contain the\n // intermediate/root certificate needed. E.g. for ISO 18013-5 mDL the root cert MUST NOT be in the chain. If the signer\n // certificate is then trusted, it will fail, as we can't verify the signer certifciate without having access to the signer\n // key of the root certificate.\n // See also https://github.com/openid/OpenID4VCI/issues/62\n //\n // In this case we could skip the signature verification (not other verifications), as we already trust the signer certificate,\n // but i think the purpose of ISO 18013-5 mDL is that you trust the root certificate. If we can't verify the whole chain e.g.\n // when we receive a credential we have the chance it will fail later on.\n const skipSignatureVerification = i === 0 && trustedCertificates && !publicJwk\n // NOTE: at some point we might want to change this to throw an error instead of skipping the signature verification of the trusted\n // but it would basically prevent mDOCs from unknown issuers to be verified in the wallet. Verifiers should only trust the root certificate\n // anyway.\n // if (i === 0 && trustedCertificates && cert.issuer !== cert.subject && !publicKey) {\n // throw new X509Error(\n // 'Unable to verify the certificate chain. A non-self-signed certificate is the first certificate in the chain, and no parent certificate was found in the trusted certificates, meaning the first certificate in the chain cannot be verified. Ensure the certificate is added '\n // )\n // }\n\n await cert.verify(\n {\n publicJwk,\n verificationDate,\n skipSignatureVerification,\n },\n webCrypto\n )\n previousCertificate = cert\n }\n\n return parsedChain\n }\n\n /\n \n * Parses a base64-encoded X.509 certificate into a {@link X509Certificate}\n \n /\n public static parseCertificate(\n _agentContext: AgentContext,\n { encodedCertificate }: X509ParseCertificateOptions\n ): X509Certificate {\n const certificate = X509Certificate.fromEncodedCertificate(encodedCertificate)\n\n return certificate\n }\n\n public static getLeafCertificate(\n _agentContext: AgentContext,\n { certificateChain }: X509GetLeafCertificateOptions\n ): X509Certificate {\n if (certificateChain.length === 0) throw new X509Error('Certificate chain is empty')\n\n const certificate = X509Certificate.fromEncodedCertificate(certificateChain[0])\n\n return certificate\n }\n\n public static async createCertificate(agentContext: AgentContext, options: X509CreateCertificateOptions) {\n const webCrypto = new CredoWebCrypto(agentContext)\n\n const certificate = await X509Certificate.create(options, webCrypto)\n\n return certificate\n }\n\n public static async createCertificateSigningRequest(\n agentContext: AgentContext,\n options: X509CreateCertificateSigningRequestOptions\n ) {\n const webCrypto = new CredoWebCrypto(agentContext)\n\n const csr = await CertificateSigningRequest.create(options, webCrypto)\n\n return csr\n }\n\n public static parseCertificateSigningRequest({\n encodedCertificateSigningRequest,\n }: X509ParseCertificateSigningRequestOptions) {\n const csr = CertificateSigningRequest.fromEncodedCertificateRequest(encodedCertificateSigningRequest)\n\n return csr\n }\n}\n"],"mappings":";;;;;;;;;;;;;AAkBO,wBAAMA,cAAY;;;;;;;;;;;;;;;;;;;CAmBvB,aAAoB,yBAClB,cACA,EACE,kBACA,cAAc,iBAAiB,IAC/B,mCAAmB,IAAI,MAAM,EAC7B,uBAEF;AACA,MAAI,iBAAiB,WAAW,EAAG,OAAM,IAAI,UAAU,6BAA6B;EACpF,MAAM,YAAY,IAAI,eAAe,aAAa;EAElD,IAAIC;EACJ,IAAIC;AACJ,MAAI;AACF,2BAAwB,IAAI,KAAK,gBAAgB,YAAY;AAC7D,8BAA2B,CAAC,GAAG,kBAAkB,GAAI,uBAAuB,EAAE,CAAE,CAAC,KAC9E,MAAM,IAAI,KAAK,gBAAgB,EAAE,CACnC;WACM,OAAO;AACd,SAAM,IAAI,UAAU,4CAA4C,EAAE,OAAO,OAAO,CAAC;;EAWnF,IAAI,eAJU,MAJkB,IAAI,KAAK,iBAAiB,EACxD,cAAc,0BACf,CAAC,CAE0C,MAAM,uBAAuB,UAAU,EAI3D,KAAK,MAAM,gBAAgB,mBAAmB,IAAI,WAAW,EAAE,QAAQ,CAAC,CAAC,CAAC,SAAS;AAI3G,MAAI,YAAY,SAAS,iBAAiB,OACxC,OAAM,IAAI,UAAU,mEAAmE;EAGzF,IAAIC;AAEJ,MAAI,qBAAqB;GACvB,MAAM,4BAA4B,oBAAoB,KAAK,uBACzD,gBAAgB,uBAAuB,mBAAmB,CAC3D;GAED,MAAM,0BAA0B,YAAY,WAAW,SACrD,0BAA0B,MAAM,UAAU,KAAK,MAAM,MAAM,CAAC,CAC7D;AAED,OAAI,4BAA4B,GAC9B,OAAM,IAAI,UAAU,oEAAoE;AAG1F,OAAI,0BAA0B,GAAG;AAI/B,0BAAsB,YAAY,0BAA0B;AAG5D,kBAAc,YAAY,MAAM,wBAAwB;;;AAK5D,OAAK,IAAI,IAAI,GAAG,IAAI,YAAY,QAAQ,KAAK;GAC3C,MAAM,OAAO,YAAY;GACzB,MAAM,YAAY,sBAAsB,oBAAoB,YAAY;GAWxE,MAAM,4BAA4B,MAAM,KAAK,uBAAuB,CAAC;AAUrE,SAAM,KAAK,OACT;IACE;IACA;IACA;IACD,EACD,UACD;AACD,yBAAsB;;AAGxB,SAAO;;;;;;;CAQT,OAAc,iBACZ,eACA,EAAE,sBACe;AAGjB,SAFoB,gBAAgB,uBAAuB,mBAAmB;;CAKhF,OAAc,mBACZ,eACA,EAAE,oBACe;AACjB,MAAI,iBAAiB,WAAW,EAAG,OAAM,IAAI,UAAU,6BAA6B;AAIpF,SAFoB,gBAAgB,uBAAuB,iBAAiB,GAAG;;CAKjF,aAAoB,kBAAkB,cAA4B,SAAuC;EACvG,MAAM,YAAY,IAAI,eAAe,aAAa;AAIlD,SAFoB,MAAM,gBAAgB,OAAO,SAAS,UAAU;;CAKtE,aAAoB,gCAClB,cACA,SACA;EACA,MAAM,YAAY,IAAI,eAAe,aAAa;AAIlD,SAFY,MAAM,0BAA0B,OAAO,SAAS,UAAU;;CAKxE,OAAc,+BAA+B,EAC3C,oCAC4C;AAG5C,SAFY,0BAA0B,8BAA8B,iCAAiC;;;0BA3KxG,YAAY"}