npm - @intlayer/backend - Versions diffs - 7.0.9-canary.0 → 7.0.9-canary.3 - Mend

@intlayer/backend 7.0.9-canary.0 → 7.0.9-canary.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (915) hide show

package/dist/esm/node_modules/node-forge/lib/x509.mjs ADDED Viewed

@@ -0,0 +1,2168 @@
+import { __commonJS } from "../../../_virtual/rolldown_runtime.mjs";
+import { require_forge } from "./forge.mjs";
+import { require_util } from "./util.mjs";
+import { require_aes } from "./aes.mjs";
+import { require_oids } from "./oids.mjs";
+import { require_asn1 } from "./asn1.mjs";
+import { require_md } from "./md.mjs";
+import { require_pem } from "./pem.mjs";
+import { require_des } from "./des.mjs";
+import { require_rsa } from "./rsa.mjs";
+import { require_mgf } from "./mgf.mjs";
+import { require_pss } from "./pss.mjs";
+//#region ../../node_modules/node-forge/lib/x509.js
+var require_x509 = /* @__PURE__ */ __commonJS({ "../../node_modules/node-forge/lib/x509.js": ((exports, module) => {
+	/**
+	* Javascript implementation of X.509 and related components (such as
+	* Certification Signing Requests) of a Public Key Infrastructure.
+	*
+	* @author Dave Longley
+	*
+	* Copyright (c) 2010-2014 Digital Bazaar, Inc.
+	*
+	* The ASN.1 representation of an X.509v3 certificate is as follows
+	* (see RFC 2459):
+	*
+	* Certificate ::= SEQUENCE {
+	*   tbsCertificate       TBSCertificate,
+	*   signatureAlgorithm   AlgorithmIdentifier,
+	*   signatureValue       BIT STRING
+	* }
+	*
+	* TBSCertificate ::= SEQUENCE {
+	*   version         [0]  EXPLICIT Version DEFAULT v1,
+	*   serialNumber         CertificateSerialNumber,
+	*   signature            AlgorithmIdentifier,
+	*   issuer               Name,
+	*   validity             Validity,
+	*   subject              Name,
+	*   subjectPublicKeyInfo SubjectPublicKeyInfo,
+	*   issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+	*                        -- If present, version shall be v2 or v3
+	*   subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+	*                        -- If present, version shall be v2 or v3
+	*   extensions      [3]  EXPLICIT Extensions OPTIONAL
+	*                        -- If present, version shall be v3
+	* }
+	*
+	* Version ::= INTEGER  { v1(0), v2(1), v3(2) }
+	*
+	* CertificateSerialNumber ::= INTEGER
+	*
+	* Name ::= CHOICE {
+	*   // only one possible choice for now
+	*   RDNSequence
+	* }
+	*
+	* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+	*
+	* RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
+	*
+	* AttributeTypeAndValue ::= SEQUENCE {
+	*   type     AttributeType,
+	*   value    AttributeValue
+	* }
+	* AttributeType ::= OBJECT IDENTIFIER
+	* AttributeValue ::= ANY DEFINED BY AttributeType
+	*
+	* Validity ::= SEQUENCE {
+	*   notBefore      Time,
+	*   notAfter       Time
+	* }
+	*
+	* Time ::= CHOICE {
+	*   utcTime        UTCTime,
+	*   generalTime    GeneralizedTime
+	* }
+	*
+	* UniqueIdentifier ::= BIT STRING
+	*
+	* SubjectPublicKeyInfo ::= SEQUENCE {
+	*   algorithm            AlgorithmIdentifier,
+	*   subjectPublicKey     BIT STRING
+	* }
+	*
+	* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+	*
+	* Extension ::= SEQUENCE {
+	*   extnID      OBJECT IDENTIFIER,
+	*   critical    BOOLEAN DEFAULT FALSE,
+	*   extnValue   OCTET STRING
+	* }
+	*
+	* The only key algorithm currently supported for PKI is RSA.
+	*
+	* RSASSA-PSS signatures are described in RFC 3447 and RFC 4055.
+	*
+	* PKCS#10 v1.7 describes certificate signing requests:
+	*
+	* CertificationRequestInfo:
+	*
+	* CertificationRequestInfo ::= SEQUENCE {
+	*   version       INTEGER { v1(0) } (v1,...),
+	*   subject       Name,
+	*   subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
+	*   attributes    [0] Attributes{{ CRIAttributes }}
+	* }
+	*
+	* Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}
+	*
+	* CRIAttributes  ATTRIBUTE  ::= {
+	*   ... -- add any locally defined attributes here -- }
+	*
+	* Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
+	*   type   ATTRIBUTE.&id({IOSet}),
+	*   values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
+	* }
+	*
+	* CertificationRequest ::= SEQUENCE {
+	*   certificationRequestInfo CertificationRequestInfo,
+	*   signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
+	*   signature          BIT STRING
+	* }
+	*/
+	var forge = require_forge();
+	require_aes();
+	require_asn1();
+	require_des();
+	require_md();
+	require_mgf();
+	require_oids();
+	require_pem();
+	require_pss();
+	require_rsa();
+	require_util();
+	var asn1 = forge.asn1;
+	var pki = module.exports = forge.pki = forge.pki || {};
+	var oids = pki.oids;
+	var _shortNames = {};
+	_shortNames["CN"] = oids["commonName"];
+	_shortNames["commonName"] = "CN";
+	_shortNames["C"] = oids["countryName"];
+	_shortNames["countryName"] = "C";
+	_shortNames["L"] = oids["localityName"];
+	_shortNames["localityName"] = "L";
+	_shortNames["ST"] = oids["stateOrProvinceName"];
+	_shortNames["stateOrProvinceName"] = "ST";
+	_shortNames["O"] = oids["organizationName"];
+	_shortNames["organizationName"] = "O";
+	_shortNames["OU"] = oids["organizationalUnitName"];
+	_shortNames["organizationalUnitName"] = "OU";
+	_shortNames["E"] = oids["emailAddress"];
+	_shortNames["emailAddress"] = "E";
+	var publicKeyValidator = forge.pki.rsa.publicKeyValidator;
+	var x509CertificateValidator = {
+		name: "Certificate",
+		tagClass: asn1.Class.UNIVERSAL,
+		type: asn1.Type.SEQUENCE,
+		constructed: true,
+		value: [
+			{
+				name: "Certificate.TBSCertificate",
+				tagClass: asn1.Class.UNIVERSAL,
+				type: asn1.Type.SEQUENCE,
+				constructed: true,
+				captureAsn1: "tbsCertificate",
+				value: [
+					{
+						name: "Certificate.TBSCertificate.version",
+						tagClass: asn1.Class.CONTEXT_SPECIFIC,
+						type: 0,
+						constructed: true,
+						optional: true,
+						value: [{
+							name: "Certificate.TBSCertificate.version.integer",
+							tagClass: asn1.Class.UNIVERSAL,
+							type: asn1.Type.INTEGER,
+							constructed: false,
+							capture: "certVersion"
+						}]
+					},
+					{
+						name: "Certificate.TBSCertificate.serialNumber",
+						tagClass: asn1.Class.UNIVERSAL,
+						type: asn1.Type.INTEGER,
+						constructed: false,
+						capture: "certSerialNumber"
+					},
+					{
+						name: "Certificate.TBSCertificate.signature",
+						tagClass: asn1.Class.UNIVERSAL,
+						type: asn1.Type.SEQUENCE,
+						constructed: true,
+						value: [{
+							name: "Certificate.TBSCertificate.signature.algorithm",
+							tagClass: asn1.Class.UNIVERSAL,
+							type: asn1.Type.OID,
+							constructed: false,
+							capture: "certinfoSignatureOid"
+						}, {
+							name: "Certificate.TBSCertificate.signature.parameters",
+							tagClass: asn1.Class.UNIVERSAL,
+							optional: true,
+							captureAsn1: "certinfoSignatureParams"
+						}]
+					},
+					{
+						name: "Certificate.TBSCertificate.issuer",
+						tagClass: asn1.Class.UNIVERSAL,
+						type: asn1.Type.SEQUENCE,
+						constructed: true,
+						captureAsn1: "certIssuer"
+					},
+					{
+						name: "Certificate.TBSCertificate.validity",
+						tagClass: asn1.Class.UNIVERSAL,
+						type: asn1.Type.SEQUENCE,
+						constructed: true,
+						value: [
+							{
+								name: "Certificate.TBSCertificate.validity.notBefore (utc)",
+								tagClass: asn1.Class.UNIVERSAL,
+								type: asn1.Type.UTCTIME,
+								constructed: false,
+								optional: true,
+								capture: "certValidity1UTCTime"
+							},
+							{
+								name: "Certificate.TBSCertificate.validity.notBefore (generalized)",
+								tagClass: asn1.Class.UNIVERSAL,
+								type: asn1.Type.GENERALIZEDTIME,
+								constructed: false,
+								optional: true,
+								capture: "certValidity2GeneralizedTime"
+							},
+							{
+								name: "Certificate.TBSCertificate.validity.notAfter (utc)",
+								tagClass: asn1.Class.UNIVERSAL,
+								type: asn1.Type.UTCTIME,
+								constructed: false,
+								optional: true,
+								capture: "certValidity3UTCTime"
+							},
+							{
+								name: "Certificate.TBSCertificate.validity.notAfter (generalized)",
+								tagClass: asn1.Class.UNIVERSAL,
+								type: asn1.Type.GENERALIZEDTIME,
+								constructed: false,
+								optional: true,
+								capture: "certValidity4GeneralizedTime"
+							}
+						]
+					},
+					{
+						name: "Certificate.TBSCertificate.subject",
+						tagClass: asn1.Class.UNIVERSAL,
+						type: asn1.Type.SEQUENCE,
+						constructed: true,
+						captureAsn1: "certSubject"
+					},
+					publicKeyValidator,
+					{
+						name: "Certificate.TBSCertificate.issuerUniqueID",
+						tagClass: asn1.Class.CONTEXT_SPECIFIC,
+						type: 1,
+						constructed: true,
+						optional: true,
+						value: [{
+							name: "Certificate.TBSCertificate.issuerUniqueID.id",
+							tagClass: asn1.Class.UNIVERSAL,
+							type: asn1.Type.BITSTRING,
+							constructed: false,
+							captureBitStringValue: "certIssuerUniqueId"
+						}]
+					},
+					{
+						name: "Certificate.TBSCertificate.subjectUniqueID",
+						tagClass: asn1.Class.CONTEXT_SPECIFIC,
+						type: 2,
+						constructed: true,
+						optional: true,
+						value: [{
+							name: "Certificate.TBSCertificate.subjectUniqueID.id",
+							tagClass: asn1.Class.UNIVERSAL,
+							type: asn1.Type.BITSTRING,
+							constructed: false,
+							captureBitStringValue: "certSubjectUniqueId"
+						}]
+					},
+					{
+						name: "Certificate.TBSCertificate.extensions",
+						tagClass: asn1.Class.CONTEXT_SPECIFIC,
+						type: 3,
+						constructed: true,
+						captureAsn1: "certExtensions",
+						optional: true
+					}
+				]
+			},
+			{
+				name: "Certificate.signatureAlgorithm",
+				tagClass: asn1.Class.UNIVERSAL,
+				type: asn1.Type.SEQUENCE,
+				constructed: true,
+				value: [{
+					name: "Certificate.signatureAlgorithm.algorithm",
+					tagClass: asn1.Class.UNIVERSAL,
+					type: asn1.Type.OID,
+					constructed: false,
+					capture: "certSignatureOid"
+				}, {
+					name: "Certificate.TBSCertificate.signature.parameters",
+					tagClass: asn1.Class.UNIVERSAL,
+					optional: true,
+					captureAsn1: "certSignatureParams"
+				}]
+			},
+			{
+				name: "Certificate.signatureValue",
+				tagClass: asn1.Class.UNIVERSAL,
+				type: asn1.Type.BITSTRING,
+				constructed: false,
+				captureBitStringValue: "certSignature"
+			}
+		]
+	};
+	var rsassaPssParameterValidator = {
+		name: "rsapss",
+		tagClass: asn1.Class.UNIVERSAL,
+		type: asn1.Type.SEQUENCE,
+		constructed: true,
+		value: [
+			{
+				name: "rsapss.hashAlgorithm",
+				tagClass: asn1.Class.CONTEXT_SPECIFIC,
+				type: 0,
+				constructed: true,
+				value: [{
+					name: "rsapss.hashAlgorithm.AlgorithmIdentifier",
+					tagClass: asn1.Class.UNIVERSAL,
+					type: asn1.Class.SEQUENCE,
+					constructed: true,
+					optional: true,
+					value: [{
+						name: "rsapss.hashAlgorithm.AlgorithmIdentifier.algorithm",
+						tagClass: asn1.Class.UNIVERSAL,
+						type: asn1.Type.OID,
+						constructed: false,
+						capture: "hashOid"
+					}]
+				}]
+			},
+			{
+				name: "rsapss.maskGenAlgorithm",
+				tagClass: asn1.Class.CONTEXT_SPECIFIC,
+				type: 1,
+				constructed: true,
+				value: [{
+					name: "rsapss.maskGenAlgorithm.AlgorithmIdentifier",
+					tagClass: asn1.Class.UNIVERSAL,
+					type: asn1.Class.SEQUENCE,
+					constructed: true,
+					optional: true,
+					value: [{
+						name: "rsapss.maskGenAlgorithm.AlgorithmIdentifier.algorithm",
+						tagClass: asn1.Class.UNIVERSAL,
+						type: asn1.Type.OID,
+						constructed: false,
+						capture: "maskGenOid"
+					}, {
+						name: "rsapss.maskGenAlgorithm.AlgorithmIdentifier.params",
+						tagClass: asn1.Class.UNIVERSAL,
+						type: asn1.Type.SEQUENCE,
+						constructed: true,
+						value: [{
+							name: "rsapss.maskGenAlgorithm.AlgorithmIdentifier.params.algorithm",
+							tagClass: asn1.Class.UNIVERSAL,
+							type: asn1.Type.OID,
+							constructed: false,
+							capture: "maskGenHashOid"
+						}]
+					}]
+				}]
+			},
+			{
+				name: "rsapss.saltLength",
+				tagClass: asn1.Class.CONTEXT_SPECIFIC,
+				type: 2,
+				optional: true,
+				value: [{
+					name: "rsapss.saltLength.saltLength",
+					tagClass: asn1.Class.UNIVERSAL,
+					type: asn1.Class.INTEGER,
+					constructed: false,
+					capture: "saltLength"
+				}]
+			},
+			{
+				name: "rsapss.trailerField",
+				tagClass: asn1.Class.CONTEXT_SPECIFIC,
+				type: 3,
+				optional: true,
+				value: [{
+					name: "rsapss.trailer.trailer",
+					tagClass: asn1.Class.UNIVERSAL,
+					type: asn1.Class.INTEGER,
+					constructed: false,
+					capture: "trailer"
+				}]
+			}
+		]
+	};
+	var certificationRequestInfoValidator = {
+		name: "CertificationRequestInfo",
+		tagClass: asn1.Class.UNIVERSAL,
+		type: asn1.Type.SEQUENCE,
+		constructed: true,
+		captureAsn1: "certificationRequestInfo",
+		value: [
+			{
+				name: "CertificationRequestInfo.integer",
+				tagClass: asn1.Class.UNIVERSAL,
+				type: asn1.Type.INTEGER,
+				constructed: false,
+				capture: "certificationRequestInfoVersion"
+			},
+			{
+				name: "CertificationRequestInfo.subject",
+				tagClass: asn1.Class.UNIVERSAL,
+				type: asn1.Type.SEQUENCE,
+				constructed: true,
+				captureAsn1: "certificationRequestInfoSubject"
+			},
+			publicKeyValidator,
+			{
+				name: "CertificationRequestInfo.attributes",
+				tagClass: asn1.Class.CONTEXT_SPECIFIC,
+				type: 0,
+				constructed: true,
+				optional: true,
+				capture: "certificationRequestInfoAttributes",
+				value: [{
+					name: "CertificationRequestInfo.attributes",
+					tagClass: asn1.Class.UNIVERSAL,
+					type: asn1.Type.SEQUENCE,
+					constructed: true,
+					value: [{
+						name: "CertificationRequestInfo.attributes.type",
+						tagClass: asn1.Class.UNIVERSAL,
+						type: asn1.Type.OID,
+						constructed: false
+					}, {
+						name: "CertificationRequestInfo.attributes.value",
+						tagClass: asn1.Class.UNIVERSAL,
+						type: asn1.Type.SET,
+						constructed: true
+					}]
+				}]
+			}
+		]
+	};
+	var certificationRequestValidator = {
+		name: "CertificationRequest",
+		tagClass: asn1.Class.UNIVERSAL,
+		type: asn1.Type.SEQUENCE,
+		constructed: true,
+		captureAsn1: "csr",
+		value: [
+			certificationRequestInfoValidator,
+			{
+				name: "CertificationRequest.signatureAlgorithm",
+				tagClass: asn1.Class.UNIVERSAL,
+				type: asn1.Type.SEQUENCE,
+				constructed: true,
+				value: [{
+					name: "CertificationRequest.signatureAlgorithm.algorithm",
+					tagClass: asn1.Class.UNIVERSAL,
+					type: asn1.Type.OID,
+					constructed: false,
+					capture: "csrSignatureOid"
+				}, {
+					name: "CertificationRequest.signatureAlgorithm.parameters",
+					tagClass: asn1.Class.UNIVERSAL,
+					optional: true,
+					captureAsn1: "csrSignatureParams"
+				}]
+			},
+			{
+				name: "CertificationRequest.signature",
+				tagClass: asn1.Class.UNIVERSAL,
+				type: asn1.Type.BITSTRING,
+				constructed: false,
+				captureBitStringValue: "csrSignature"
+			}
+		]
+	};
+	/**
+	* Converts an RDNSequence of ASN.1 DER-encoded RelativeDistinguishedName
+	* sets into an array with objects that have type and value properties.
+	*
+	* @param rdn the RDNSequence to convert.
+	* @param md a message digest to append type and value to if provided.
+	*/
+	pki.RDNAttributesAsArray = function(rdn, md) {
+		var rval = [];
+		var set, attr, obj;
+		for (var si = 0; si < rdn.value.length; ++si) {
+			set = rdn.value[si];
+			for (var i = 0; i < set.value.length; ++i) {
+				obj = {};
+				attr = set.value[i];
+				obj.type = asn1.derToOid(attr.value[0].value);
+				obj.value = attr.value[1].value;
+				obj.valueTagClass = attr.value[1].type;
+				if (obj.type in oids) {
+					obj.name = oids[obj.type];
+					if (obj.name in _shortNames) obj.shortName = _shortNames[obj.name];
+				}
+				if (md) {
+					md.update(obj.type);
+					md.update(obj.value);
+				}
+				rval.push(obj);
+			}
+		}
+		return rval;
+	};
+	/**
+	* Converts ASN.1 CRIAttributes into an array with objects that have type and
+	* value properties.
+	*
+	* @param attributes the CRIAttributes to convert.
+	*/
+	pki.CRIAttributesAsArray = function(attributes) {
+		var rval = [];
+		for (var si = 0; si < attributes.length; ++si) {
+			var seq = attributes[si];
+			var type = asn1.derToOid(seq.value[0].value);
+			var values = seq.value[1].value;
+			for (var vi = 0; vi < values.length; ++vi) {
+				var obj = {};
+				obj.type = type;
+				obj.value = values[vi].value;
+				obj.valueTagClass = values[vi].type;
+				if (obj.type in oids) {
+					obj.name = oids[obj.type];
+					if (obj.name in _shortNames) obj.shortName = _shortNames[obj.name];
+				}
+				if (obj.type === oids.extensionRequest) {
+					obj.extensions = [];
+					for (var ei = 0; ei < obj.value.length; ++ei) obj.extensions.push(pki.certificateExtensionFromAsn1(obj.value[ei]));
+				}
+				rval.push(obj);
+			}
+		}
+		return rval;
+	};
+	/**
+	* Gets an issuer or subject attribute from its name, type, or short name.
+	*
+	* @param obj the issuer or subject object.
+	* @param options a short name string or an object with:
+	*          shortName the short name for the attribute.
+	*          name the name for the attribute.
+	*          type the type for the attribute.
+	*
+	* @return the attribute.
+	*/
+	function _getAttribute(obj, options) {
+		if (typeof options === "string") options = { shortName: options };
+		var rval = null;
+		var attr;
+		for (var i = 0; rval === null && i < obj.attributes.length; ++i) {
+			attr = obj.attributes[i];
+			if (options.type && options.type === attr.type) rval = attr;
+			else if (options.name && options.name === attr.name) rval = attr;
+			else if (options.shortName && options.shortName === attr.shortName) rval = attr;
+		}
+		return rval;
+	}
+	/**
+	* Converts signature parameters from ASN.1 structure.
+	*
+	* Currently only RSASSA-PSS supported.  The PKCS#1 v1.5 signature scheme had
+	* no parameters.
+	*
+	* RSASSA-PSS-params  ::=  SEQUENCE  {
+	*   hashAlgorithm      [0] HashAlgorithm DEFAULT
+	*                             sha1Identifier,
+	*   maskGenAlgorithm   [1] MaskGenAlgorithm DEFAULT
+	*                             mgf1SHA1Identifier,
+	*   saltLength         [2] INTEGER DEFAULT 20,
+	*   trailerField       [3] INTEGER DEFAULT 1
+	* }
+	*
+	* HashAlgorithm  ::=  AlgorithmIdentifier
+	*
+	* MaskGenAlgorithm  ::=  AlgorithmIdentifier
+	*
+	* AlgorithmIdentifer ::= SEQUENCE {
+	*   algorithm OBJECT IDENTIFIER,
+	*   parameters ANY DEFINED BY algorithm OPTIONAL
+	* }
+	*
+	* @param oid The OID specifying the signature algorithm
+	* @param obj The ASN.1 structure holding the parameters
+	* @param fillDefaults Whether to use return default values where omitted
+	* @return signature parameter object
+	*/
+	var _readSignatureParameters = function(oid, obj, fillDefaults) {
+		var params = {};
+		if (oid !== oids["RSASSA-PSS"]) return params;
+		if (fillDefaults) params = {
+			hash: { algorithmOid: oids["sha1"] },
+			mgf: {
+				algorithmOid: oids["mgf1"],
+				hash: { algorithmOid: oids["sha1"] }
+			},
+			saltLength: 20
+		};
+		var capture = {};
+		var errors = [];
+		if (!asn1.validate(obj, rsassaPssParameterValidator, capture, errors)) {
+			var error = /* @__PURE__ */ new Error("Cannot read RSASSA-PSS parameter block.");
+			error.errors = errors;
+			throw error;
+		}
+		if (capture.hashOid !== void 0) {
+			params.hash = params.hash || {};
+			params.hash.algorithmOid = asn1.derToOid(capture.hashOid);
+		}
+		if (capture.maskGenOid !== void 0) {
+			params.mgf = params.mgf || {};
+			params.mgf.algorithmOid = asn1.derToOid(capture.maskGenOid);
+			params.mgf.hash = params.mgf.hash || {};
+			params.mgf.hash.algorithmOid = asn1.derToOid(capture.maskGenHashOid);
+		}
+		if (capture.saltLength !== void 0) params.saltLength = capture.saltLength.charCodeAt(0);
+		return params;
+	};
+	/**
+	* Create signature digest for OID.
+	*
+	* @param options
+	*   signatureOid: the OID specifying the signature algorithm.
+	*   type: a human readable type for error messages
+	* @return a created md instance. throws if unknown oid.
+	*/
+	var _createSignatureDigest = function(options) {
+		switch (oids[options.signatureOid]) {
+			case "sha1WithRSAEncryption":
+			case "sha1WithRSASignature": return forge.md.sha1.create();
+			case "md5WithRSAEncryption": return forge.md.md5.create();
+			case "sha256WithRSAEncryption": return forge.md.sha256.create();
+			case "sha384WithRSAEncryption": return forge.md.sha384.create();
+			case "sha512WithRSAEncryption": return forge.md.sha512.create();
+			case "RSASSA-PSS": return forge.md.sha256.create();
+			default:
+				var error = /* @__PURE__ */ new Error("Could not compute " + options.type + " digest. Unknown signature OID.");
+				error.signatureOid = options.signatureOid;
+				throw error;
+		}
+	};
+	/**
+	* Verify signature on certificate or CSR.
+	*
+	* @param options:
+	*   certificate the certificate or CSR to verify.
+	*   md the signature digest.
+	*   signature the signature
+	* @return a created md instance. throws if unknown oid.
+	*/
+	var _verifySignature = function(options) {
+		var cert = options.certificate;
+		var scheme;
+		switch (cert.signatureOid) {
+			case oids.sha1WithRSAEncryption:
+			case oids.sha1WithRSASignature: break;
+			case oids["RSASSA-PSS"]:
+				var hash = oids[cert.signatureParameters.mgf.hash.algorithmOid], mgf;
+				if (hash === void 0 || forge.md[hash] === void 0) {
+					var error = /* @__PURE__ */ new Error("Unsupported MGF hash function.");
+					error.oid = cert.signatureParameters.mgf.hash.algorithmOid;
+					error.name = hash;
+					throw error;
+				}
+				mgf = oids[cert.signatureParameters.mgf.algorithmOid];
+				if (mgf === void 0 || forge.mgf[mgf] === void 0) {
+					var error = /* @__PURE__ */ new Error("Unsupported MGF function.");
+					error.oid = cert.signatureParameters.mgf.algorithmOid;
+					error.name = mgf;
+					throw error;
+				}
+				mgf = forge.mgf[mgf].create(forge.md[hash].create());
+				hash = oids[cert.signatureParameters.hash.algorithmOid];
+				if (hash === void 0 || forge.md[hash] === void 0) {
+					var error = /* @__PURE__ */ new Error("Unsupported RSASSA-PSS hash function.");
+					error.oid = cert.signatureParameters.hash.algorithmOid;
+					error.name = hash;
+					throw error;
+				}
+				scheme = forge.pss.create(forge.md[hash].create(), mgf, cert.signatureParameters.saltLength);
+				break;
+		}
+		return cert.publicKey.verify(options.md.digest().getBytes(), options.signature, scheme);
+	};
+	/**
+	* Converts an X.509 certificate from PEM format.
+	*
+	* Note: If the certificate is to be verified then compute hash should
+	* be set to true. This will scan the TBSCertificate part of the ASN.1
+	* object while it is converted so it doesn't need to be converted back
+	* to ASN.1-DER-encoding later.
+	*
+	* @param pem the PEM-formatted certificate.
+	* @param computeHash true to compute the hash for verification.
+	* @param strict true to be strict when checking ASN.1 value lengths, false to
+	*          allow truncated values (default: true).
+	*
+	* @return the certificate.
+	*/
+	pki.certificateFromPem = function(pem, computeHash, strict) {
+		var msg = forge.pem.decode(pem)[0];
+		if (msg.type !== "CERTIFICATE" && msg.type !== "X509 CERTIFICATE" && msg.type !== "TRUSTED CERTIFICATE") {
+			var error = /* @__PURE__ */ new Error("Could not convert certificate from PEM; PEM header type is not \"CERTIFICATE\", \"X509 CERTIFICATE\", or \"TRUSTED CERTIFICATE\".");
+			error.headerType = msg.type;
+			throw error;
+		}
+		if (msg.procType && msg.procType.type === "ENCRYPTED") throw new Error("Could not convert certificate from PEM; PEM is encrypted.");
+		var obj = asn1.fromDer(msg.body, strict);
+		return pki.certificateFromAsn1(obj, computeHash);
+	};
+	/**
+	* Converts an X.509 certificate to PEM format.
+	*
+	* @param cert the certificate.
+	* @param maxline the maximum characters per line, defaults to 64.
+	*
+	* @return the PEM-formatted certificate.
+	*/
+	pki.certificateToPem = function(cert, maxline) {
+		var msg = {
+			type: "CERTIFICATE",
+			body: asn1.toDer(pki.certificateToAsn1(cert)).getBytes()
+		};
+		return forge.pem.encode(msg, { maxline });
+	};
+	/**
+	* Converts an RSA public key from PEM format.
+	*
+	* @param pem the PEM-formatted public key.
+	*
+	* @return the public key.
+	*/
+	pki.publicKeyFromPem = function(pem) {
+		var msg = forge.pem.decode(pem)[0];
+		if (msg.type !== "PUBLIC KEY" && msg.type !== "RSA PUBLIC KEY") {
+			var error = /* @__PURE__ */ new Error("Could not convert public key from PEM; PEM header type is not \"PUBLIC KEY\" or \"RSA PUBLIC KEY\".");
+			error.headerType = msg.type;
+			throw error;
+		}
+		if (msg.procType && msg.procType.type === "ENCRYPTED") throw new Error("Could not convert public key from PEM; PEM is encrypted.");
+		var obj = asn1.fromDer(msg.body);
+		return pki.publicKeyFromAsn1(obj);
+	};
+	/**
+	* Converts an RSA public key to PEM format (using a SubjectPublicKeyInfo).
+	*
+	* @param key the public key.
+	* @param maxline the maximum characters per line, defaults to 64.
+	*
+	* @return the PEM-formatted public key.
+	*/
+	pki.publicKeyToPem = function(key, maxline) {
+		var msg = {
+			type: "PUBLIC KEY",
+			body: asn1.toDer(pki.publicKeyToAsn1(key)).getBytes()
+		};
+		return forge.pem.encode(msg, { maxline });
+	};
+	/**
+	* Converts an RSA public key to PEM format (using an RSAPublicKey).
+	*
+	* @param key the public key.
+	* @param maxline the maximum characters per line, defaults to 64.
+	*
+	* @return the PEM-formatted public key.
+	*/
+	pki.publicKeyToRSAPublicKeyPem = function(key, maxline) {
+		var msg = {
+			type: "RSA PUBLIC KEY",
+			body: asn1.toDer(pki.publicKeyToRSAPublicKey(key)).getBytes()
+		};
+		return forge.pem.encode(msg, { maxline });
+	};
+	/**
+	* Gets a fingerprint for the given public key.
+	*
+	* @param options the options to use.
+	*          [md] the message digest object to use (defaults to forge.md.sha1).
+	*          [type] the type of fingerprint, such as 'RSAPublicKey',
+	*            'SubjectPublicKeyInfo' (defaults to 'RSAPublicKey').
+	*          [encoding] an alternative output encoding, such as 'hex'
+	*            (defaults to none, outputs a byte buffer).
+	*          [delimiter] the delimiter to use between bytes for 'hex' encoded
+	*            output, eg: ':' (defaults to none).
+	*
+	* @return the fingerprint as a byte buffer or other encoding based on options.
+	*/
+	pki.getPublicKeyFingerprint = function(key, options) {
+		options = options || {};
+		var md = options.md || forge.md.sha1.create();
+		var type = options.type || "RSAPublicKey";
+		var bytes;
+		switch (type) {
+			case "RSAPublicKey":
+				bytes = asn1.toDer(pki.publicKeyToRSAPublicKey(key)).getBytes();
+				break;
+			case "SubjectPublicKeyInfo":
+				bytes = asn1.toDer(pki.publicKeyToAsn1(key)).getBytes();
+				break;
+			default: throw new Error("Unknown fingerprint type \"" + options.type + "\".");
+		}
+		md.start();
+		md.update(bytes);
+		var digest = md.digest();
+		if (options.encoding === "hex") {
+			var hex = digest.toHex();
+			if (options.delimiter) return hex.match(/.{2}/g).join(options.delimiter);
+			return hex;
+		} else if (options.encoding === "binary") return digest.getBytes();
+		else if (options.encoding) throw new Error("Unknown encoding \"" + options.encoding + "\".");
+		return digest;
+	};
+	/**
+	* Converts a PKCS#10 certification request (CSR) from PEM format.
+	*
+	* Note: If the certification request is to be verified then compute hash
+	* should be set to true. This will scan the CertificationRequestInfo part of
+	* the ASN.1 object while it is converted so it doesn't need to be converted
+	* back to ASN.1-DER-encoding later.
+	*
+	* @param pem the PEM-formatted certificate.
+	* @param computeHash true to compute the hash for verification.
+	* @param strict true to be strict when checking ASN.1 value lengths, false to
+	*          allow truncated values (default: true).
+	*
+	* @return the certification request (CSR).
+	*/
+	pki.certificationRequestFromPem = function(pem, computeHash, strict) {
+		var msg = forge.pem.decode(pem)[0];
+		if (msg.type !== "CERTIFICATE REQUEST") {
+			var error = /* @__PURE__ */ new Error("Could not convert certification request from PEM; PEM header type is not \"CERTIFICATE REQUEST\".");
+			error.headerType = msg.type;
+			throw error;
+		}
+		if (msg.procType && msg.procType.type === "ENCRYPTED") throw new Error("Could not convert certification request from PEM; PEM is encrypted.");
+		var obj = asn1.fromDer(msg.body, strict);
+		return pki.certificationRequestFromAsn1(obj, computeHash);
+	};
+	/**
+	* Converts a PKCS#10 certification request (CSR) to PEM format.
+	*
+	* @param csr the certification request.
+	* @param maxline the maximum characters per line, defaults to 64.
+	*
+	* @return the PEM-formatted certification request.
+	*/
+	pki.certificationRequestToPem = function(csr, maxline) {
+		var msg = {
+			type: "CERTIFICATE REQUEST",
+			body: asn1.toDer(pki.certificationRequestToAsn1(csr)).getBytes()
+		};
+		return forge.pem.encode(msg, { maxline });
+	};
+	/**
+	* Creates an empty X.509v3 RSA certificate.
+	*
+	* @return the certificate.
+	*/
+	pki.createCertificate = function() {
+		var cert = {};
+		cert.version = 2;
+		cert.serialNumber = "00";
+		cert.signatureOid = null;
+		cert.signature = null;
+		cert.siginfo = {};
+		cert.siginfo.algorithmOid = null;
+		cert.validity = {};
+		cert.validity.notBefore = /* @__PURE__ */ new Date();
+		cert.validity.notAfter = /* @__PURE__ */ new Date();
+		cert.issuer = {};
+		cert.issuer.getField = function(sn) {
+			return _getAttribute(cert.issuer, sn);
+		};
+		cert.issuer.addField = function(attr) {
+			_fillMissingFields([attr]);
+			cert.issuer.attributes.push(attr);
+		};
+		cert.issuer.attributes = [];
+		cert.issuer.hash = null;
+		cert.subject = {};
+		cert.subject.getField = function(sn) {
+			return _getAttribute(cert.subject, sn);
+		};
+		cert.subject.addField = function(attr) {
+			_fillMissingFields([attr]);
+			cert.subject.attributes.push(attr);
+		};
+		cert.subject.attributes = [];
+		cert.subject.hash = null;
+		cert.extensions = [];
+		cert.publicKey = null;
+		cert.md = null;
+		/**
+		* Sets the subject of this certificate.
+		*
+		* @param attrs the array of subject attributes to use.
+		* @param uniqueId an optional a unique ID to use.
+		*/
+		cert.setSubject = function(attrs, uniqueId) {
+			_fillMissingFields(attrs);
+			cert.subject.attributes = attrs;
+			delete cert.subject.uniqueId;
+			if (uniqueId) cert.subject.uniqueId = uniqueId;
+			cert.subject.hash = null;
+		};
+		/**
+		* Sets the issuer of this certificate.
+		*
+		* @param attrs the array of issuer attributes to use.
+		* @param uniqueId an optional a unique ID to use.
+		*/
+		cert.setIssuer = function(attrs, uniqueId) {
+			_fillMissingFields(attrs);
+			cert.issuer.attributes = attrs;
+			delete cert.issuer.uniqueId;
+			if (uniqueId) cert.issuer.uniqueId = uniqueId;
+			cert.issuer.hash = null;
+		};
+		/**
+		* Sets the extensions of this certificate.
+		*
+		* @param exts the array of extensions to use.
+		*/
+		cert.setExtensions = function(exts) {
+			for (var i = 0; i < exts.length; ++i) _fillMissingExtensionFields(exts[i], { cert });
+			cert.extensions = exts;
+		};
+		/**
+		* Gets an extension by its name or id.
+		*
+		* @param options the name to use or an object with:
+		*          name the name to use.
+		*          id the id to use.
+		*
+		* @return the extension or null if not found.
+		*/
+		cert.getExtension = function(options) {
+			if (typeof options === "string") options = { name: options };
+			var rval = null;
+			var ext;
+			for (var i = 0; rval === null && i < cert.extensions.length; ++i) {
+				ext = cert.extensions[i];
+				if (options.id && ext.id === options.id) rval = ext;
+				else if (options.name && ext.name === options.name) rval = ext;
+			}
+			return rval;
+		};
+		/**
+		* Signs this certificate using the given private key.
+		*
+		* @param key the private key to sign with.
+		* @param md the message digest object to use (defaults to forge.md.sha1).
+		*/
+		cert.sign = function(key, md) {
+			cert.md = md || forge.md.sha1.create();
+			var algorithmOid = oids[cert.md.algorithm + "WithRSAEncryption"];
+			if (!algorithmOid) {
+				var error = /* @__PURE__ */ new Error("Could not compute certificate digest. Unknown message digest algorithm OID.");
+				error.algorithm = cert.md.algorithm;
+				throw error;
+			}
+			cert.signatureOid = cert.siginfo.algorithmOid = algorithmOid;
+			cert.tbsCertificate = pki.getTBSCertificate(cert);
+			var bytes = asn1.toDer(cert.tbsCertificate);
+			cert.md.update(bytes.getBytes());
+			cert.signature = key.sign(cert.md);
+		};
+		/**
+		* Attempts verify the signature on the passed certificate using this
+		* certificate's public key.
+		*
+		* @param child the certificate to verify.
+		*
+		* @return true if verified, false if not.
+		*/
+		cert.verify = function(child) {
+			var rval = false;
+			if (!cert.issued(child)) {
+				var issuer = child.issuer;
+				var subject = cert.subject;
+				var error = /* @__PURE__ */ new Error("The parent certificate did not issue the given child certificate; the child certificate's issuer does not match the parent's subject.");
+				error.expectedIssuer = subject.attributes;
+				error.actualIssuer = issuer.attributes;
+				throw error;
+			}
+			var md = child.md;
+			if (md === null) {
+				md = _createSignatureDigest({
+					signatureOid: child.signatureOid,
+					type: "certificate"
+				});
+				var tbsCertificate = child.tbsCertificate || pki.getTBSCertificate(child);
+				var bytes = asn1.toDer(tbsCertificate);
+				md.update(bytes.getBytes());
+			}
+			if (md !== null) rval = _verifySignature({
+				certificate: cert,
+				md,
+				signature: child.signature
+			});
+			return rval;
+		};
+		/**
+		* Returns true if this certificate's issuer matches the passed
+		* certificate's subject. Note that no signature check is performed.
+		*
+		* @param parent the certificate to check.
+		*
+		* @return true if this certificate's issuer matches the passed certificate's
+		*         subject.
+		*/
+		cert.isIssuer = function(parent) {
+			var rval = false;
+			var i = cert.issuer;
+			var s = parent.subject;
+			if (i.hash && s.hash) rval = i.hash === s.hash;
+			else if (i.attributes.length === s.attributes.length) {
+				rval = true;
+				var iattr, sattr;
+				for (var n = 0; rval && n < i.attributes.length; ++n) {
+					iattr = i.attributes[n];
+					sattr = s.attributes[n];
+					if (iattr.type !== sattr.type || iattr.value !== sattr.value) rval = false;
+				}
+			}
+			return rval;
+		};
+		/**
+		* Returns true if this certificate's subject matches the issuer of the
+		* given certificate). Note that not signature check is performed.
+		*
+		* @param child the certificate to check.
+		*
+		* @return true if this certificate's subject matches the passed
+		*         certificate's issuer.
+		*/
+		cert.issued = function(child) {
+			return child.isIssuer(cert);
+		};
+		/**
+		* Generates the subjectKeyIdentifier for this certificate as byte buffer.
+		*
+		* @return the subjectKeyIdentifier for this certificate as byte buffer.
+		*/
+		cert.generateSubjectKeyIdentifier = function() {
+			return pki.getPublicKeyFingerprint(cert.publicKey, { type: "RSAPublicKey" });
+		};
+		/**
+		* Verifies the subjectKeyIdentifier extension value for this certificate
+		* against its public key. If no extension is found, false will be
+		* returned.
+		*
+		* @return true if verified, false if not.
+		*/
+		cert.verifySubjectKeyIdentifier = function() {
+			var oid = oids["subjectKeyIdentifier"];
+			for (var i = 0; i < cert.extensions.length; ++i) {
+				var ext = cert.extensions[i];
+				if (ext.id === oid) {
+					var ski = cert.generateSubjectKeyIdentifier().getBytes();
+					return forge.util.hexToBytes(ext.subjectKeyIdentifier) === ski;
+				}
+			}
+			return false;
+		};
+		return cert;
+	};
+	/**
+	* Converts an X.509v3 RSA certificate from an ASN.1 object.
+	*
+	* Note: If the certificate is to be verified then compute hash should
+	* be set to true. There is currently no implementation for converting
+	* a certificate back to ASN.1 so the TBSCertificate part of the ASN.1
+	* object needs to be scanned before the cert object is created.
+	*
+	* @param obj the asn1 representation of an X.509v3 RSA certificate.
+	* @param computeHash true to compute the hash for verification.
+	*
+	* @return the certificate.
+	*/
+	pki.certificateFromAsn1 = function(obj, computeHash) {
+		var capture = {};
+		var errors = [];
+		if (!asn1.validate(obj, x509CertificateValidator, capture, errors)) {
+			var error = /* @__PURE__ */ new Error("Cannot read X.509 certificate. ASN.1 object is not an X509v3 Certificate.");
+			error.errors = errors;
+			throw error;
+		}
+		if (asn1.derToOid(capture.publicKeyOid) !== pki.oids.rsaEncryption) throw new Error("Cannot read public key. OID is not RSA.");
+		var cert = pki.createCertificate();
+		cert.version = capture.certVersion ? capture.certVersion.charCodeAt(0) : 0;
+		cert.serialNumber = forge.util.createBuffer(capture.certSerialNumber).toHex();
+		cert.signatureOid = forge.asn1.derToOid(capture.certSignatureOid);
+		cert.signatureParameters = _readSignatureParameters(cert.signatureOid, capture.certSignatureParams, true);
+		cert.siginfo.algorithmOid = forge.asn1.derToOid(capture.certinfoSignatureOid);
+		cert.siginfo.parameters = _readSignatureParameters(cert.siginfo.algorithmOid, capture.certinfoSignatureParams, false);
+		cert.signature = capture.certSignature;
+		var validity = [];
+		if (capture.certValidity1UTCTime !== void 0) validity.push(asn1.utcTimeToDate(capture.certValidity1UTCTime));
+		if (capture.certValidity2GeneralizedTime !== void 0) validity.push(asn1.generalizedTimeToDate(capture.certValidity2GeneralizedTime));
+		if (capture.certValidity3UTCTime !== void 0) validity.push(asn1.utcTimeToDate(capture.certValidity3UTCTime));
+		if (capture.certValidity4GeneralizedTime !== void 0) validity.push(asn1.generalizedTimeToDate(capture.certValidity4GeneralizedTime));
+		if (validity.length > 2) throw new Error("Cannot read notBefore/notAfter validity times; more than two times were provided in the certificate.");
+		if (validity.length < 2) throw new Error("Cannot read notBefore/notAfter validity times; they were not provided as either UTCTime or GeneralizedTime.");
+		cert.validity.notBefore = validity[0];
+		cert.validity.notAfter = validity[1];
+		cert.tbsCertificate = capture.tbsCertificate;
+		if (computeHash) {
+			cert.md = _createSignatureDigest({
+				signatureOid: cert.signatureOid,
+				type: "certificate"
+			});
+			var bytes = asn1.toDer(cert.tbsCertificate);
+			cert.md.update(bytes.getBytes());
+		}
+		var imd = forge.md.sha1.create();
+		var ibytes = asn1.toDer(capture.certIssuer);
+		imd.update(ibytes.getBytes());
+		cert.issuer.getField = function(sn) {
+			return _getAttribute(cert.issuer, sn);
+		};
+		cert.issuer.addField = function(attr) {
+			_fillMissingFields([attr]);
+			cert.issuer.attributes.push(attr);
+		};
+		cert.issuer.attributes = pki.RDNAttributesAsArray(capture.certIssuer);
+		if (capture.certIssuerUniqueId) cert.issuer.uniqueId = capture.certIssuerUniqueId;
+		cert.issuer.hash = imd.digest().toHex();
+		var smd = forge.md.sha1.create();
+		var sbytes = asn1.toDer(capture.certSubject);
+		smd.update(sbytes.getBytes());
+		cert.subject.getField = function(sn) {
+			return _getAttribute(cert.subject, sn);
+		};
+		cert.subject.addField = function(attr) {
+			_fillMissingFields([attr]);
+			cert.subject.attributes.push(attr);
+		};
+		cert.subject.attributes = pki.RDNAttributesAsArray(capture.certSubject);
+		if (capture.certSubjectUniqueId) cert.subject.uniqueId = capture.certSubjectUniqueId;
+		cert.subject.hash = smd.digest().toHex();
+		if (capture.certExtensions) cert.extensions = pki.certificateExtensionsFromAsn1(capture.certExtensions);
+		else cert.extensions = [];
+		cert.publicKey = pki.publicKeyFromAsn1(capture.subjectPublicKeyInfo);
+		return cert;
+	};
+	/**
+	* Converts an ASN.1 extensions object (with extension sequences as its
+	* values) into an array of extension objects with types and values.
+	*
+	* Supported extensions:
+	*
+	* id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
+	* KeyUsage ::= BIT STRING {
+	*   digitalSignature        (0),
+	*   nonRepudiation          (1),
+	*   keyEncipherment         (2),
+	*   dataEncipherment        (3),
+	*   keyAgreement            (4),
+	*   keyCertSign             (5),
+	*   cRLSign                 (6),
+	*   encipherOnly            (7),
+	*   decipherOnly            (8)
+	* }
+	*
+	* id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
+	* BasicConstraints ::= SEQUENCE {
+	*   cA                      BOOLEAN DEFAULT FALSE,
+	*   pathLenConstraint       INTEGER (0..MAX) OPTIONAL
+	* }
+	*
+	* subjectAltName EXTENSION ::= {
+	*   SYNTAX GeneralNames
+	*   IDENTIFIED BY id-ce-subjectAltName
+	* }
+	*
+	* GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+	*
+	* GeneralName ::= CHOICE {
+	*   otherName      [0] INSTANCE OF OTHER-NAME,
+	*   rfc822Name     [1] IA5String,
+	*   dNSName        [2] IA5String,
+	*   x400Address    [3] ORAddress,
+	*   directoryName  [4] Name,
+	*   ediPartyName   [5] EDIPartyName,
+	*   uniformResourceIdentifier [6] IA5String,
+	*   IPAddress      [7] OCTET STRING,
+	*   registeredID   [8] OBJECT IDENTIFIER
+	* }
+	*
+	* OTHER-NAME ::= TYPE-IDENTIFIER
+	*
+	* EDIPartyName ::= SEQUENCE {
+	*   nameAssigner [0] DirectoryString {ub-name} OPTIONAL,
+	*   partyName    [1] DirectoryString {ub-name}
+	* }
+	*
+	* @param exts the extensions ASN.1 with extension sequences to parse.
+	*
+	* @return the array.
+	*/
+	pki.certificateExtensionsFromAsn1 = function(exts) {
+		var rval = [];
+		for (var i = 0; i < exts.value.length; ++i) {
+			var extseq = exts.value[i];
+			for (var ei = 0; ei < extseq.value.length; ++ei) rval.push(pki.certificateExtensionFromAsn1(extseq.value[ei]));
+		}
+		return rval;
+	};
+	/**
+	* Parses a single certificate extension from ASN.1.
+	*
+	* @param ext the extension in ASN.1 format.
+	*
+	* @return the parsed extension as an object.
+	*/
+	pki.certificateExtensionFromAsn1 = function(ext) {
+		var e = {};
+		e.id = asn1.derToOid(ext.value[0].value);
+		e.critical = false;
+		if (ext.value[1].type === asn1.Type.BOOLEAN) {
+			e.critical = ext.value[1].value.charCodeAt(0) !== 0;
+			e.value = ext.value[2].value;
+		} else e.value = ext.value[1].value;
+		if (e.id in oids) {
+			e.name = oids[e.id];
+			if (e.name === "keyUsage") {
+				var ev = asn1.fromDer(e.value);
+				var b2 = 0;
+				var b3 = 0;
+				if (ev.value.length > 1) {
+					b2 = ev.value.charCodeAt(1);
+					b3 = ev.value.length > 2 ? ev.value.charCodeAt(2) : 0;
+				}
+				e.digitalSignature = (b2 & 128) === 128;
+				e.nonRepudiation = (b2 & 64) === 64;
+				e.keyEncipherment = (b2 & 32) === 32;
+				e.dataEncipherment = (b2 & 16) === 16;
+				e.keyAgreement = (b2 & 8) === 8;
+				e.keyCertSign = (b2 & 4) === 4;
+				e.cRLSign = (b2 & 2) === 2;
+				e.encipherOnly = (b2 & 1) === 1;
+				e.decipherOnly = (b3 & 128) === 128;
+			} else if (e.name === "basicConstraints") {
+				var ev = asn1.fromDer(e.value);
+				if (ev.value.length > 0 && ev.value[0].type === asn1.Type.BOOLEAN) e.cA = ev.value[0].value.charCodeAt(0) !== 0;
+				else e.cA = false;
+				var value = null;
+				if (ev.value.length > 0 && ev.value[0].type === asn1.Type.INTEGER) value = ev.value[0].value;
+				else if (ev.value.length > 1) value = ev.value[1].value;
+				if (value !== null) e.pathLenConstraint = asn1.derToInteger(value);
+			} else if (e.name === "extKeyUsage") {
+				var ev = asn1.fromDer(e.value);
+				for (var vi = 0; vi < ev.value.length; ++vi) {
+					var oid = asn1.derToOid(ev.value[vi].value);
+					if (oid in oids) e[oids[oid]] = true;
+					else e[oid] = true;
+				}
+			} else if (e.name === "nsCertType") {
+				var ev = asn1.fromDer(e.value);
+				var b2 = 0;
+				if (ev.value.length > 1) b2 = ev.value.charCodeAt(1);
+				e.client = (b2 & 128) === 128;
+				e.server = (b2 & 64) === 64;
+				e.email = (b2 & 32) === 32;
+				e.objsign = (b2 & 16) === 16;
+				e.reserved = (b2 & 8) === 8;
+				e.sslCA = (b2 & 4) === 4;
+				e.emailCA = (b2 & 2) === 2;
+				e.objCA = (b2 & 1) === 1;
+			} else if (e.name === "subjectAltName" || e.name === "issuerAltName") {
+				e.altNames = [];
+				var gn;
+				var ev = asn1.fromDer(e.value);
+				for (var n = 0; n < ev.value.length; ++n) {
+					gn = ev.value[n];
+					var altName = {
+						type: gn.type,
+						value: gn.value
+					};
+					e.altNames.push(altName);
+					switch (gn.type) {
+						case 1:
+						case 2:
+						case 6: break;
+						case 7:
+							altName.ip = forge.util.bytesToIP(gn.value);
+							break;
+						case 8:
+							altName.oid = asn1.derToOid(gn.value);
+							break;
+						default:
+					}
+				}
+			} else if (e.name === "subjectKeyIdentifier") {
+				var ev = asn1.fromDer(e.value);
+				e.subjectKeyIdentifier = forge.util.bytesToHex(ev.value);
+			}
+		}
+		return e;
+	};
+	/**
+	* Converts a PKCS#10 certification request (CSR) from an ASN.1 object.
+	*
+	* Note: If the certification request is to be verified then compute hash
+	* should be set to true. There is currently no implementation for converting
+	* a certificate back to ASN.1 so the CertificationRequestInfo part of the
+	* ASN.1 object needs to be scanned before the csr object is created.
+	*
+	* @param obj the asn1 representation of a PKCS#10 certification request (CSR).
+	* @param computeHash true to compute the hash for verification.
+	*
+	* @return the certification request (CSR).
+	*/
+	pki.certificationRequestFromAsn1 = function(obj, computeHash) {
+		var capture = {};
+		var errors = [];
+		if (!asn1.validate(obj, certificationRequestValidator, capture, errors)) {
+			var error = /* @__PURE__ */ new Error("Cannot read PKCS#10 certificate request. ASN.1 object is not a PKCS#10 CertificationRequest.");
+			error.errors = errors;
+			throw error;
+		}
+		if (asn1.derToOid(capture.publicKeyOid) !== pki.oids.rsaEncryption) throw new Error("Cannot read public key. OID is not RSA.");
+		var csr = pki.createCertificationRequest();
+		csr.version = capture.csrVersion ? capture.csrVersion.charCodeAt(0) : 0;
+		csr.signatureOid = forge.asn1.derToOid(capture.csrSignatureOid);
+		csr.signatureParameters = _readSignatureParameters(csr.signatureOid, capture.csrSignatureParams, true);
+		csr.siginfo.algorithmOid = forge.asn1.derToOid(capture.csrSignatureOid);
+		csr.siginfo.parameters = _readSignatureParameters(csr.siginfo.algorithmOid, capture.csrSignatureParams, false);
+		csr.signature = capture.csrSignature;
+		csr.certificationRequestInfo = capture.certificationRequestInfo;
+		if (computeHash) {
+			csr.md = _createSignatureDigest({
+				signatureOid: csr.signatureOid,
+				type: "certification request"
+			});
+			var bytes = asn1.toDer(csr.certificationRequestInfo);
+			csr.md.update(bytes.getBytes());
+		}
+		var smd = forge.md.sha1.create();
+		csr.subject.getField = function(sn) {
+			return _getAttribute(csr.subject, sn);
+		};
+		csr.subject.addField = function(attr) {
+			_fillMissingFields([attr]);
+			csr.subject.attributes.push(attr);
+		};
+		csr.subject.attributes = pki.RDNAttributesAsArray(capture.certificationRequestInfoSubject, smd);
+		csr.subject.hash = smd.digest().toHex();
+		csr.publicKey = pki.publicKeyFromAsn1(capture.subjectPublicKeyInfo);
+		csr.getAttribute = function(sn) {
+			return _getAttribute(csr, sn);
+		};
+		csr.addAttribute = function(attr) {
+			_fillMissingFields([attr]);
+			csr.attributes.push(attr);
+		};
+		csr.attributes = pki.CRIAttributesAsArray(capture.certificationRequestInfoAttributes || []);
+		return csr;
+	};
+	/**
+	* Creates an empty certification request (a CSR or certificate signing
+	* request). Once created, its public key and attributes can be set and then
+	* it can be signed.
+	*
+	* @return the empty certification request.
+	*/
+	pki.createCertificationRequest = function() {
+		var csr = {};
+		csr.version = 0;
+		csr.signatureOid = null;
+		csr.signature = null;
+		csr.siginfo = {};
+		csr.siginfo.algorithmOid = null;
+		csr.subject = {};
+		csr.subject.getField = function(sn) {
+			return _getAttribute(csr.subject, sn);
+		};
+		csr.subject.addField = function(attr) {
+			_fillMissingFields([attr]);
+			csr.subject.attributes.push(attr);
+		};
+		csr.subject.attributes = [];
+		csr.subject.hash = null;
+		csr.publicKey = null;
+		csr.attributes = [];
+		csr.getAttribute = function(sn) {
+			return _getAttribute(csr, sn);
+		};
+		csr.addAttribute = function(attr) {
+			_fillMissingFields([attr]);
+			csr.attributes.push(attr);
+		};
+		csr.md = null;
+		/**
+		* Sets the subject of this certification request.
+		*
+		* @param attrs the array of subject attributes to use.
+		*/
+		csr.setSubject = function(attrs) {
+			_fillMissingFields(attrs);
+			csr.subject.attributes = attrs;
+			csr.subject.hash = null;
+		};
+		/**
+		* Sets the attributes of this certification request.
+		*
+		* @param attrs the array of attributes to use.
+		*/
+		csr.setAttributes = function(attrs) {
+			_fillMissingFields(attrs);
+			csr.attributes = attrs;
+		};
+		/**
+		* Signs this certification request using the given private key.
+		*
+		* @param key the private key to sign with.
+		* @param md the message digest object to use (defaults to forge.md.sha1).
+		*/
+		csr.sign = function(key, md) {
+			csr.md = md || forge.md.sha1.create();
+			var algorithmOid = oids[csr.md.algorithm + "WithRSAEncryption"];
+			if (!algorithmOid) {
+				var error = /* @__PURE__ */ new Error("Could not compute certification request digest. Unknown message digest algorithm OID.");
+				error.algorithm = csr.md.algorithm;
+				throw error;
+			}
+			csr.signatureOid = csr.siginfo.algorithmOid = algorithmOid;
+			csr.certificationRequestInfo = pki.getCertificationRequestInfo(csr);
+			var bytes = asn1.toDer(csr.certificationRequestInfo);
+			csr.md.update(bytes.getBytes());
+			csr.signature = key.sign(csr.md);
+		};
+		/**
+		* Attempts verify the signature on the passed certification request using
+		* its public key.
+		*
+		* A CSR that has been exported to a file in PEM format can be verified using
+		* OpenSSL using this command:
+		*
+		* openssl req -in <the-csr-pem-file> -verify -noout -text
+		*
+		* @return true if verified, false if not.
+		*/
+		csr.verify = function() {
+			var rval = false;
+			var md = csr.md;
+			if (md === null) {
+				md = _createSignatureDigest({
+					signatureOid: csr.signatureOid,
+					type: "certification request"
+				});
+				var cri = csr.certificationRequestInfo || pki.getCertificationRequestInfo(csr);
+				var bytes = asn1.toDer(cri);
+				md.update(bytes.getBytes());
+			}
+			if (md !== null) rval = _verifySignature({
+				certificate: csr,
+				md,
+				signature: csr.signature
+			});
+			return rval;
+		};
+		return csr;
+	};
+	/**
+	* Converts an X.509 subject or issuer to an ASN.1 RDNSequence.
+	*
+	* @param obj the subject or issuer (distinguished name).
+	*
+	* @return the ASN.1 RDNSequence.
+	*/
+	function _dnToAsn1(obj) {
+		var rval = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, []);
+		var attr, set;
+		var attrs = obj.attributes;
+		for (var i = 0; i < attrs.length; ++i) {
+			attr = attrs[i];
+			var value = attr.value;
+			var valueTagClass = asn1.Type.PRINTABLESTRING;
+			if ("valueTagClass" in attr) {
+				valueTagClass = attr.valueTagClass;
+				if (valueTagClass === asn1.Type.UTF8) value = forge.util.encodeUtf8(value);
+			}
+			set = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SET, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(attr.type).getBytes()), asn1.create(asn1.Class.UNIVERSAL, valueTagClass, false, value)])]);
+			rval.value.push(set);
+		}
+		return rval;
+	}
+	/**
+	* Fills in missing fields in attributes.
+	*
+	* @param attrs the attributes to fill missing fields in.
+	*/
+	function _fillMissingFields(attrs) {
+		var attr;
+		for (var i = 0; i < attrs.length; ++i) {
+			attr = attrs[i];
+			if (typeof attr.name === "undefined") {
+				if (attr.type && attr.type in pki.oids) attr.name = pki.oids[attr.type];
+				else if (attr.shortName && attr.shortName in _shortNames) attr.name = pki.oids[_shortNames[attr.shortName]];
+			}
+			if (typeof attr.type === "undefined") if (attr.name && attr.name in pki.oids) attr.type = pki.oids[attr.name];
+			else {
+				var error = /* @__PURE__ */ new Error("Attribute type not specified.");
+				error.attribute = attr;
+				throw error;
+			}
+			if (typeof attr.shortName === "undefined") {
+				if (attr.name && attr.name in _shortNames) attr.shortName = _shortNames[attr.name];
+			}
+			if (attr.type === oids.extensionRequest) {
+				attr.valueConstructed = true;
+				attr.valueTagClass = asn1.Type.SEQUENCE;
+				if (!attr.value && attr.extensions) {
+					attr.value = [];
+					for (var ei = 0; ei < attr.extensions.length; ++ei) attr.value.push(pki.certificateExtensionToAsn1(_fillMissingExtensionFields(attr.extensions[ei])));
+				}
+			}
+			if (typeof attr.value === "undefined") {
+				var error = /* @__PURE__ */ new Error("Attribute value not specified.");
+				error.attribute = attr;
+				throw error;
+			}
+		}
+	}
+	/**
+	* Fills in missing fields in certificate extensions.
+	*
+	* @param e the extension.
+	* @param [options] the options to use.
+	*          [cert] the certificate the extensions are for.
+	*
+	* @return the extension.
+	*/
+	function _fillMissingExtensionFields(e, options) {
+		options = options || {};
+		if (typeof e.name === "undefined") {
+			if (e.id && e.id in pki.oids) e.name = pki.oids[e.id];
+		}
+		if (typeof e.id === "undefined") if (e.name && e.name in pki.oids) e.id = pki.oids[e.name];
+		else {
+			var error = /* @__PURE__ */ new Error("Extension ID not specified.");
+			error.extension = e;
+			throw error;
+		}
+		if (typeof e.value !== "undefined") return e;
+		if (e.name === "keyUsage") {
+			var unused = 0;
+			var b2 = 0;
+			var b3 = 0;
+			if (e.digitalSignature) {
+				b2 |= 128;
+				unused = 7;
+			}
+			if (e.nonRepudiation) {
+				b2 |= 64;
+				unused = 6;
+			}
+			if (e.keyEncipherment) {
+				b2 |= 32;
+				unused = 5;
+			}
+			if (e.dataEncipherment) {
+				b2 |= 16;
+				unused = 4;
+			}
+			if (e.keyAgreement) {
+				b2 |= 8;
+				unused = 3;
+			}
+			if (e.keyCertSign) {
+				b2 |= 4;
+				unused = 2;
+			}
+			if (e.cRLSign) {
+				b2 |= 2;
+				unused = 1;
+			}
+			if (e.encipherOnly) {
+				b2 |= 1;
+				unused = 0;
+			}
+			if (e.decipherOnly) {
+				b3 |= 128;
+				unused = 7;
+			}
+			var value = String.fromCharCode(unused);
+			if (b3 !== 0) value += String.fromCharCode(b2) + String.fromCharCode(b3);
+			else if (b2 !== 0) value += String.fromCharCode(b2);
+			e.value = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.BITSTRING, false, value);
+		} else if (e.name === "basicConstraints") {
+			e.value = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, []);
+			if (e.cA) e.value.value.push(asn1.create(asn1.Class.UNIVERSAL, asn1.Type.BOOLEAN, false, String.fromCharCode(255)));
+			if ("pathLenConstraint" in e) e.value.value.push(asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, asn1.integerToDer(e.pathLenConstraint).getBytes()));
+		} else if (e.name === "extKeyUsage") {
+			e.value = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, []);
+			var seq = e.value.value;
+			for (var key in e) {
+				if (e[key] !== true) continue;
+				if (key in oids) seq.push(asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(oids[key]).getBytes()));
+				else if (key.indexOf(".") !== -1) seq.push(asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(key).getBytes()));
+			}
+		} else if (e.name === "nsCertType") {
+			var unused = 0;
+			var b2 = 0;
+			if (e.client) {
+				b2 |= 128;
+				unused = 7;
+			}
+			if (e.server) {
+				b2 |= 64;
+				unused = 6;
+			}
+			if (e.email) {
+				b2 |= 32;
+				unused = 5;
+			}
+			if (e.objsign) {
+				b2 |= 16;
+				unused = 4;
+			}
+			if (e.reserved) {
+				b2 |= 8;
+				unused = 3;
+			}
+			if (e.sslCA) {
+				b2 |= 4;
+				unused = 2;
+			}
+			if (e.emailCA) {
+				b2 |= 2;
+				unused = 1;
+			}
+			if (e.objCA) {
+				b2 |= 1;
+				unused = 0;
+			}
+			var value = String.fromCharCode(unused);
+			if (b2 !== 0) value += String.fromCharCode(b2);
+			e.value = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.BITSTRING, false, value);
+		} else if (e.name === "subjectAltName" || e.name === "issuerAltName") {
+			e.value = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, []);
+			var altName;
+			for (var n = 0; n < e.altNames.length; ++n) {
+				altName = e.altNames[n];
+				var value = altName.value;
+				if (altName.type === 7 && altName.ip) {
+					value = forge.util.bytesFromIP(altName.ip);
+					if (value === null) {
+						var error = /* @__PURE__ */ new Error("Extension \"ip\" value is not a valid IPv4 or IPv6 address.");
+						error.extension = e;
+						throw error;
+					}
+				} else if (altName.type === 8) if (altName.oid) value = asn1.oidToDer(asn1.oidToDer(altName.oid));
+				else value = asn1.oidToDer(value);
+				e.value.value.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, altName.type, false, value));
+			}
+		} else if (e.name === "nsComment" && options.cert) {
+			if (!/^[\x00-\x7F]*$/.test(e.comment) || e.comment.length < 1 || e.comment.length > 128) throw new Error("Invalid \"nsComment\" content.");
+			e.value = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.IA5STRING, false, e.comment);
+		} else if (e.name === "subjectKeyIdentifier" && options.cert) {
+			var ski = options.cert.generateSubjectKeyIdentifier();
+			e.subjectKeyIdentifier = ski.toHex();
+			e.value = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, ski.getBytes());
+		} else if (e.name === "authorityKeyIdentifier" && options.cert) {
+			e.value = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, []);
+			var seq = e.value.value;
+			if (e.keyIdentifier) {
+				var keyIdentifier = e.keyIdentifier === true ? options.cert.generateSubjectKeyIdentifier().getBytes() : e.keyIdentifier;
+				seq.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, false, keyIdentifier));
+			}
+			if (e.authorityCertIssuer) {
+				var authorityCertIssuer = [asn1.create(asn1.Class.CONTEXT_SPECIFIC, 4, true, [_dnToAsn1(e.authorityCertIssuer === true ? options.cert.issuer : e.authorityCertIssuer)])];
+				seq.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, 1, true, authorityCertIssuer));
+			}
+			if (e.serialNumber) {
+				var serialNumber = forge.util.hexToBytes(e.serialNumber === true ? options.cert.serialNumber : e.serialNumber);
+				seq.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, 2, false, serialNumber));
+			}
+		} else if (e.name === "cRLDistributionPoints") {
+			e.value = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, []);
+			var seq = e.value.value;
+			var subSeq = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, []);
+			var fullNameGeneralNames = asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, true, []);
+			var altName;
+			for (var n = 0; n < e.altNames.length; ++n) {
+				altName = e.altNames[n];
+				var value = altName.value;
+				if (altName.type === 7 && altName.ip) {
+					value = forge.util.bytesFromIP(altName.ip);
+					if (value === null) {
+						var error = /* @__PURE__ */ new Error("Extension \"ip\" value is not a valid IPv4 or IPv6 address.");
+						error.extension = e;
+						throw error;
+					}
+				} else if (altName.type === 8) if (altName.oid) value = asn1.oidToDer(asn1.oidToDer(altName.oid));
+				else value = asn1.oidToDer(value);
+				fullNameGeneralNames.value.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, altName.type, false, value));
+			}
+			subSeq.value.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, true, [fullNameGeneralNames]));
+			seq.push(subSeq);
+		}
+		if (typeof e.value === "undefined") {
+			var error = /* @__PURE__ */ new Error("Extension value not specified.");
+			error.extension = e;
+			throw error;
+		}
+		return e;
+	}
+	/**
+	* Convert signature parameters object to ASN.1
+	*
+	* @param {String} oid Signature algorithm OID
+	* @param params The signature parametrs object
+	* @return ASN.1 object representing signature parameters
+	*/
+	function _signatureParametersToAsn1(oid, params) {
+		switch (oid) {
+			case oids["RSASSA-PSS"]:
+				var parts = [];
+				if (params.hash.algorithmOid !== void 0) parts.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(params.hash.algorithmOid).getBytes()), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, "")])]));
+				if (params.mgf.algorithmOid !== void 0) parts.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, 1, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(params.mgf.algorithmOid).getBytes()), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(params.mgf.hash.algorithmOid).getBytes()), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, "")])])]));
+				if (params.saltLength !== void 0) parts.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, 2, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, asn1.integerToDer(params.saltLength).getBytes())]));
+				return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, parts);
+			default: return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, "");
+		}
+	}
+	/**
+	* Converts a certification request's attributes to an ASN.1 set of
+	* CRIAttributes.
+	*
+	* @param csr certification request.
+	*
+	* @return the ASN.1 set of CRIAttributes.
+	*/
+	function _CRIAttributesToAsn1(csr) {
+		var rval = asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, true, []);
+		if (csr.attributes.length === 0) return rval;
+		var attrs = csr.attributes;
+		for (var i = 0; i < attrs.length; ++i) {
+			var attr = attrs[i];
+			var value = attr.value;
+			var valueTagClass = asn1.Type.UTF8;
+			if ("valueTagClass" in attr) valueTagClass = attr.valueTagClass;
+			if (valueTagClass === asn1.Type.UTF8) value = forge.util.encodeUtf8(value);
+			var valueConstructed = false;
+			if ("valueConstructed" in attr) valueConstructed = attr.valueConstructed;
+			var seq = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(attr.type).getBytes()), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SET, true, [asn1.create(asn1.Class.UNIVERSAL, valueTagClass, valueConstructed, value)])]);
+			rval.value.push(seq);
+		}
+		return rval;
+	}
+	var jan_1_1950 = /* @__PURE__ */ new Date("1950-01-01T00:00:00Z");
+	var jan_1_2050 = /* @__PURE__ */ new Date("2050-01-01T00:00:00Z");
+	/**
+	* Converts a Date object to ASN.1
+	* Handles the different format before and after 1st January 2050
+	*
+	* @param date date object.
+	*
+	* @return the ASN.1 object representing the date.
+	*/
+	function _dateToAsn1(date) {
+		if (date >= jan_1_1950 && date < jan_1_2050) return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.UTCTIME, false, asn1.dateToUtcTime(date));
+		else return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.GENERALIZEDTIME, false, asn1.dateToGeneralizedTime(date));
+	}
+	/**
+	* Gets the ASN.1 TBSCertificate part of an X.509v3 certificate.
+	*
+	* @param cert the certificate.
+	*
+	* @return the asn1 TBSCertificate.
+	*/
+	pki.getTBSCertificate = function(cert) {
+		var notBefore = _dateToAsn1(cert.validity.notBefore);
+		var notAfter = _dateToAsn1(cert.validity.notAfter);
+		var tbs = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
+			asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, asn1.integerToDer(cert.version).getBytes())]),
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, forge.util.hexToBytes(cert.serialNumber)),
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(cert.siginfo.algorithmOid).getBytes()), _signatureParametersToAsn1(cert.siginfo.algorithmOid, cert.siginfo.parameters)]),
+			_dnToAsn1(cert.issuer),
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [notBefore, notAfter]),
+			_dnToAsn1(cert.subject),
+			pki.publicKeyToAsn1(cert.publicKey)
+		]);
+		if (cert.issuer.uniqueId) tbs.value.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, 1, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.BITSTRING, false, String.fromCharCode(0) + cert.issuer.uniqueId)]));
+		if (cert.subject.uniqueId) tbs.value.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, 2, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.BITSTRING, false, String.fromCharCode(0) + cert.subject.uniqueId)]));
+		if (cert.extensions.length > 0) tbs.value.push(pki.certificateExtensionsToAsn1(cert.extensions));
+		return tbs;
+	};
+	/**
+	* Gets the ASN.1 CertificationRequestInfo part of a
+	* PKCS#10 CertificationRequest.
+	*
+	* @param csr the certification request.
+	*
+	* @return the asn1 CertificationRequestInfo.
+	*/
+	pki.getCertificationRequestInfo = function(csr) {
+		return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, asn1.integerToDer(csr.version).getBytes()),
+			_dnToAsn1(csr.subject),
+			pki.publicKeyToAsn1(csr.publicKey),
+			_CRIAttributesToAsn1(csr)
+		]);
+	};
+	/**
+	* Converts a DistinguishedName (subject or issuer) to an ASN.1 object.
+	*
+	* @param dn the DistinguishedName.
+	*
+	* @return the asn1 representation of a DistinguishedName.
+	*/
+	pki.distinguishedNameToAsn1 = function(dn) {
+		return _dnToAsn1(dn);
+	};
+	/**
+	* Converts an X.509v3 RSA certificate to an ASN.1 object.
+	*
+	* @param cert the certificate.
+	*
+	* @return the asn1 representation of an X.509v3 RSA certificate.
+	*/
+	pki.certificateToAsn1 = function(cert) {
+		var tbsCertificate = cert.tbsCertificate || pki.getTBSCertificate(cert);
+		return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
+			tbsCertificate,
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(cert.signatureOid).getBytes()), _signatureParametersToAsn1(cert.signatureOid, cert.signatureParameters)]),
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.BITSTRING, false, String.fromCharCode(0) + cert.signature)
+		]);
+	};
+	/**
+	* Converts X.509v3 certificate extensions to ASN.1.
+	*
+	* @param exts the extensions to convert.
+	*
+	* @return the extensions in ASN.1 format.
+	*/
+	pki.certificateExtensionsToAsn1 = function(exts) {
+		var rval = asn1.create(asn1.Class.CONTEXT_SPECIFIC, 3, true, []);
+		var seq = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, []);
+		rval.value.push(seq);
+		for (var i = 0; i < exts.length; ++i) seq.value.push(pki.certificateExtensionToAsn1(exts[i]));
+		return rval;
+	};
+	/**
+	* Converts a single certificate extension to ASN.1.
+	*
+	* @param ext the extension to convert.
+	*
+	* @return the extension in ASN.1 format.
+	*/
+	pki.certificateExtensionToAsn1 = function(ext) {
+		var extseq = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, []);
+		extseq.value.push(asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(ext.id).getBytes()));
+		if (ext.critical) extseq.value.push(asn1.create(asn1.Class.UNIVERSAL, asn1.Type.BOOLEAN, false, String.fromCharCode(255)));
+		var value = ext.value;
+		if (typeof ext.value !== "string") value = asn1.toDer(value).getBytes();
+		extseq.value.push(asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, value));
+		return extseq;
+	};
+	/**
+	* Converts a PKCS#10 certification request to an ASN.1 object.
+	*
+	* @param csr the certification request.
+	*
+	* @return the asn1 representation of a certification request.
+	*/
+	pki.certificationRequestToAsn1 = function(csr) {
+		var cri = csr.certificationRequestInfo || pki.getCertificationRequestInfo(csr);
+		return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
+			cri,
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(csr.signatureOid).getBytes()), _signatureParametersToAsn1(csr.signatureOid, csr.signatureParameters)]),
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.BITSTRING, false, String.fromCharCode(0) + csr.signature)
+		]);
+	};
+	/**
+	* Creates a CA store.
+	*
+	* @param certs an optional array of certificate objects or PEM-formatted
+	*          certificate strings to add to the CA store.
+	*
+	* @return the CA store.
+	*/
+	pki.createCaStore = function(certs) {
+		var caStore = { certs: {} };
+		/**
+		* Gets the certificate that issued the passed certificate or its
+		* 'parent'.
+		*
+		* @param cert the certificate to get the parent for.
+		*
+		* @return the parent certificate or null if none was found.
+		*/
+		caStore.getIssuer = function(cert$1) {
+			return getBySubject(cert$1.issuer);
+		};
+		/**
+		* Adds a trusted certificate to the store.
+		*
+		* @param cert the certificate to add as a trusted certificate (either a
+		*          pki.certificate object or a PEM-formatted certificate).
+		*/
+		caStore.addCertificate = function(cert$1) {
+			if (typeof cert$1 === "string") cert$1 = forge.pki.certificateFromPem(cert$1);
+			ensureSubjectHasHash(cert$1.subject);
+			if (!caStore.hasCertificate(cert$1)) if (cert$1.subject.hash in caStore.certs) {
+				var tmp = caStore.certs[cert$1.subject.hash];
+				if (!forge.util.isArray(tmp)) tmp = [tmp];
+				tmp.push(cert$1);
+				caStore.certs[cert$1.subject.hash] = tmp;
+			} else caStore.certs[cert$1.subject.hash] = cert$1;
+		};
+		/**
+		* Checks to see if the given certificate is in the store.
+		*
+		* @param cert the certificate to check (either a pki.certificate or a
+		*          PEM-formatted certificate).
+		*
+		* @return true if the certificate is in the store, false if not.
+		*/
+		caStore.hasCertificate = function(cert$1) {
+			if (typeof cert$1 === "string") cert$1 = forge.pki.certificateFromPem(cert$1);
+			var match = getBySubject(cert$1.subject);
+			if (!match) return false;
+			if (!forge.util.isArray(match)) match = [match];
+			var der1 = asn1.toDer(pki.certificateToAsn1(cert$1)).getBytes();
+			for (var i$1 = 0; i$1 < match.length; ++i$1) if (der1 === asn1.toDer(pki.certificateToAsn1(match[i$1])).getBytes()) return true;
+			return false;
+		};
+		/**
+		* Lists all of the certificates kept in the store.
+		*
+		* @return an array of all of the pki.certificate objects in the store.
+		*/
+		caStore.listAllCertificates = function() {
+			var certList = [];
+			for (var hash in caStore.certs) if (caStore.certs.hasOwnProperty(hash)) {
+				var value = caStore.certs[hash];
+				if (!forge.util.isArray(value)) certList.push(value);
+				else for (var i$1 = 0; i$1 < value.length; ++i$1) certList.push(value[i$1]);
+			}
+			return certList;
+		};
+		/**
+		* Removes a certificate from the store.
+		*
+		* @param cert the certificate to remove (either a pki.certificate or a
+		*          PEM-formatted certificate).
+		*
+		* @return the certificate that was removed or null if the certificate
+		*           wasn't in store.
+		*/
+		caStore.removeCertificate = function(cert$1) {
+			var result;
+			if (typeof cert$1 === "string") cert$1 = forge.pki.certificateFromPem(cert$1);
+			ensureSubjectHasHash(cert$1.subject);
+			if (!caStore.hasCertificate(cert$1)) return null;
+			var match = getBySubject(cert$1.subject);
+			if (!forge.util.isArray(match)) {
+				result = caStore.certs[cert$1.subject.hash];
+				delete caStore.certs[cert$1.subject.hash];
+				return result;
+			}
+			var der1 = asn1.toDer(pki.certificateToAsn1(cert$1)).getBytes();
+			for (var i$1 = 0; i$1 < match.length; ++i$1) if (der1 === asn1.toDer(pki.certificateToAsn1(match[i$1])).getBytes()) {
+				result = match[i$1];
+				match.splice(i$1, 1);
+			}
+			if (match.length === 0) delete caStore.certs[cert$1.subject.hash];
+			return result;
+		};
+		function getBySubject(subject) {
+			ensureSubjectHasHash(subject);
+			return caStore.certs[subject.hash] || null;
+		}
+		function ensureSubjectHasHash(subject) {
+			if (!subject.hash) {
+				var md = forge.md.sha1.create();
+				subject.attributes = pki.RDNAttributesAsArray(_dnToAsn1(subject), md);
+				subject.hash = md.digest().toHex();
+			}
+		}
+		if (certs) for (var i = 0; i < certs.length; ++i) {
+			var cert = certs[i];
+			caStore.addCertificate(cert);
+		}
+		return caStore;
+	};
+	/**
+	* Certificate verification errors, based on TLS.
+	*/
+	pki.certificateError = {
+		bad_certificate: "forge.pki.BadCertificate",
+		unsupported_certificate: "forge.pki.UnsupportedCertificate",
+		certificate_revoked: "forge.pki.CertificateRevoked",
+		certificate_expired: "forge.pki.CertificateExpired",
+		certificate_unknown: "forge.pki.CertificateUnknown",
+		unknown_ca: "forge.pki.UnknownCertificateAuthority"
+	};
+	/**
+	* Verifies a certificate chain against the given Certificate Authority store
+	* with an optional custom verify callback.
+	*
+	* @param caStore a certificate store to verify against.
+	* @param chain the certificate chain to verify, with the root or highest
+	*          authority at the end (an array of certificates).
+	* @param options a callback to be called for every certificate in the chain or
+	*                  an object with:
+	*                  verify a callback to be called for every certificate in the
+	*                    chain
+	*                  validityCheckDate the date against which the certificate
+	*                    validity period should be checked. Pass null to not check
+	*                    the validity period. By default, the current date is used.
+	*
+	* The verify callback has the following signature:
+	*
+	* verified - Set to true if certificate was verified, otherwise the
+	*   pki.certificateError for why the certificate failed.
+	* depth - The current index in the chain, where 0 is the end point's cert.
+	* certs - The certificate chain, *NOTE* an empty chain indicates an anonymous
+	*   end point.
+	*
+	* The function returns true on success and on failure either the appropriate
+	* pki.certificateError or an object with 'error' set to the appropriate
+	* pki.certificateError and 'message' set to a custom error message.
+	*
+	* @return true if successful, error thrown if not.
+	*/
+	pki.verifyCertificateChain = function(caStore, chain, options) {
+		if (typeof options === "function") options = { verify: options };
+		options = options || {};
+		chain = chain.slice(0);
+		var certs = chain.slice(0);
+		var validityCheckDate = options.validityCheckDate;
+		if (typeof validityCheckDate === "undefined") validityCheckDate = /* @__PURE__ */ new Date();
+		var first = true;
+		var error = null;
+		var depth = 0;
+		do {
+			var cert = chain.shift();
+			var parent = null;
+			var selfSigned = false;
+			if (validityCheckDate) {
+				if (validityCheckDate < cert.validity.notBefore || validityCheckDate > cert.validity.notAfter) error = {
+					message: "Certificate is not valid yet or has expired.",
+					error: pki.certificateError.certificate_expired,
+					notBefore: cert.validity.notBefore,
+					notAfter: cert.validity.notAfter,
+					now: validityCheckDate
+				};
+			}
+			if (error === null) {
+				parent = chain[0] || caStore.getIssuer(cert);
+				if (parent === null) {
+					if (cert.isIssuer(cert)) {
+						selfSigned = true;
+						parent = cert;
+					}
+				}
+				if (parent) {
+					var parents = parent;
+					if (!forge.util.isArray(parents)) parents = [parents];
+					var verified = false;
+					while (!verified && parents.length > 0) {
+						parent = parents.shift();
+						try {
+							verified = parent.verify(cert);
+						} catch (ex) {}
+					}
+					if (!verified) error = {
+						message: "Certificate signature is invalid.",
+						error: pki.certificateError.bad_certificate
+					};
+				}
+				if (error === null && (!parent || selfSigned) && !caStore.hasCertificate(cert)) error = {
+					message: "Certificate is not trusted.",
+					error: pki.certificateError.unknown_ca
+				};
+			}
+			if (error === null && parent && !cert.isIssuer(parent)) error = {
+				message: "Certificate issuer is invalid.",
+				error: pki.certificateError.bad_certificate
+			};
+			if (error === null) {
+				var se = {
+					keyUsage: true,
+					basicConstraints: true
+				};
+				for (var i = 0; error === null && i < cert.extensions.length; ++i) {
+					var ext = cert.extensions[i];
+					if (ext.critical && !(ext.name in se)) error = {
+						message: "Certificate has an unsupported critical extension.",
+						error: pki.certificateError.unsupported_certificate
+					};
+				}
+			}
+			if (error === null && (!first || chain.length === 0 && (!parent || selfSigned))) {
+				var bcExt = cert.getExtension("basicConstraints");
+				var keyUsageExt = cert.getExtension("keyUsage");
+				if (keyUsageExt !== null) {
+					if (!keyUsageExt.keyCertSign || bcExt === null) error = {
+						message: "Certificate keyUsage or basicConstraints conflict or indicate that the certificate is not a CA. If the certificate is the only one in the chain or isn't the first then the certificate must be a valid CA.",
+						error: pki.certificateError.bad_certificate
+					};
+				}
+				if (error === null && bcExt !== null && !bcExt.cA) error = {
+					message: "Certificate basicConstraints indicates the certificate is not a CA.",
+					error: pki.certificateError.bad_certificate
+				};
+				if (error === null && keyUsageExt !== null && "pathLenConstraint" in bcExt) {
+					if (depth - 1 > bcExt.pathLenConstraint) error = {
+						message: "Certificate basicConstraints pathLenConstraint violated.",
+						error: pki.certificateError.bad_certificate
+					};
+				}
+			}
+			var vfd = error === null ? true : error.error;
+			var ret = options.verify ? options.verify(vfd, depth, certs) : vfd;
+			if (ret === true) error = null;
+			else {
+				if (vfd === true) error = {
+					message: "The application rejected the certificate.",
+					error: pki.certificateError.bad_certificate
+				};
+				if (ret || ret === 0) {
+					if (typeof ret === "object" && !forge.util.isArray(ret)) {
+						if (ret.message) error.message = ret.message;
+						if (ret.error) error.error = ret.error;
+					} else if (typeof ret === "string") error.error = ret;
+				}
+				throw error;
+			}
+			first = false;
+			++depth;
+		} while (chain.length > 0);
+		return true;
+	};
+}) });
+//#endregion
+export default require_x509();
+export { require_x509 };
+//# sourceMappingURL=x509.mjs.map