@joclaim/tls 0.1.0

package/lib/utils/additional-root-cas.js

@@ -0,0 +1,197 @@
+/* eslint indent: 0 */
+let TLS_ADDITIONAL_ROOT_CA_LIST;
+let TLS_INTERMEDIATE_CA_CACHE;
+if (typeof globalThis === 'object' && globalThis) {
+    TLS_ADDITIONAL_ROOT_CA_LIST = (globalThis.TLS_ADDITIONAL_ROOT_CA_LIST ||= []);
+    TLS_INTERMEDIATE_CA_CACHE = (globalThis.TLS_INTERMEDIATE_CA_CACHE ||= {});
+}
+else if (typeof window === 'object' && window) {
+    TLS_ADDITIONAL_ROOT_CA_LIST = (window.TLS_ADDITIONAL_ROOT_CA_LIST ||= []);
+    TLS_INTERMEDIATE_CA_CACHE = (window.TLS_INTERMEDIATE_CA_CACHE ||= {});
+}
+else {
+    TLS_ADDITIONAL_ROOT_CA_LIST = [];
+    TLS_INTERMEDIATE_CA_CACHE = {};
+}
+TLS_ADDITIONAL_ROOT_CA_LIST.push(`-----BEGIN CERTIFICATE-----
+MIIFjDCCA3SgAwIBAgIQfx8skC6D0OO2+zvuR4tegDANBgkqhkiG9w0BAQsFADBM
+MSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSNjETMBEGA1UEChMKR2xv
+YmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0yMzA3MTkwMzQzMjVaFw0y
+NjA3MTkwMDAwMDBaMFUxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWdu
+IG52LXNhMSswKQYDVQQDEyJHbG9iYWxTaWduIEdDQyBSNiBBbHBoYVNTTCBDQSAy
+MDIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00Jvk5ADppO0rgDn
+j1M14XIb032Aas409JJFAb8cUjipFOth7ySLdaWLe3s63oSs5x3eWwzTpX4BFkzZ
+bxT1eoJSHfT2M0wZ5QOPcCIjsr+YB8TAvV2yJSyq+emRrN/FtgCSTaWXSJ5jipW8
+SJ/VAuXPMzuAP2yYpuPcjjQ5GyrssDXgu+FhtYxqyFP7BSvx9jQhh5QV5zhLycua
+n8n+J0Uw09WRQK6JGQ5HzDZQinkNel+fZZNRG1gE9Qeh+tHBplrkalB1g85qJkPO
+J7SoEvKsmDkajggk/sSq7NPyzFaa/VBGZiRRG+FkxCBniGD5618PQ4trcwHyMojS
+FObOHQIDAQABo4IBXzCCAVswDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsG
+AQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBS9
+BbfzipM8c8t5+g+FEqF3lhiRdDAfBgNVHSMEGDAWgBSubAWjkxPioufi1xzWx/B/
+yGdToDB7BggrBgEFBQcBAQRvMG0wLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwMi5n
+bG9iYWxzaWduLmNvbS9yb290cjYwOwYIKwYBBQUHMAKGL2h0dHA6Ly9zZWN1cmUu
+Z2xvYmFsc2lnbi5jb20vY2FjZXJ0L3Jvb3QtcjYuY3J0MDYGA1UdHwQvMC0wK6Ap
+oCeGJWh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vcm9vdC1yNi5jcmwwIQYDVR0g
+BBowGDAIBgZngQwBAgEwDAYKKwYBBAGgMgoBAzANBgkqhkiG9w0BAQsFAAOCAgEA
+fMkkMo5g4mn1ft4d4xR2kHzYpDukhC1XYPwfSZN3A9nEBadjdKZMH7iuS1vF8uSc
+g26/30DRPen2fFRsr662ECyUCR4OfeiiGNdoQvcesM9Xpew3HLQP4qHg+s774hNL
+vGRD4aKSKwFqLMrcqCw6tEAfX99tFWsD4jzbC6k8tjSLzEl0fTUlfkJaWpvLVkpg
+9et8tD8d51bymCg5J6J6wcXpmsSGnksBobac1+nXmgB7jQC9edU8Z41FFo87BV3k
+CtrWWsdkQavObMsXUPl/AO8y/jOuAWz0wyvPnKom+o6W4vKDY6/6XPypNdebOJ6m
+jyaILp0quoQvhjx87BzENh5s57AIOyIGpS0sDEChVDPzLEfRsH2FJ8/W5woF0nvs
+BTqfYSCqblQbHeDDtCj7Mlf8JfqaMuqcbE4rMSyfeHyCdZQwnc/r9ujnth691AJh
+xyYeCM04metJIe7cB6d4dFm+Pd5ervY4x32r0uQ1Q0spy1VjNqUJjussYuXNyMmF
+HSuLQQ6PrePmH5lcSMQpYKzPoD/RiNVD/PK0O3vuO5vh3o7oKb1FfzoanDsFFTrw
+0aLOdRW/tmLPWVNVlAb8ad+B80YJsL4HXYnQG8wYAFb8LhwSDyT9v+C1C1lcIHE7
+nE0AAp9JSHxDYsma9pi4g0Phg3BgOm2euTRzw7R0SzU=
+-----END CERTIFICATE-----`, // GlobalSign GCC R6 AlphaSSL CA 2023 intermediate till 2026
+`-----BEGIN CERTIFICATE-----
+MIIGGTCCBAGgAwIBAgIQE31TnKp8MamkM3AZaIR6jTANBgkqhkiG9w0BAQwFADCB
+iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
+cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
+BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
+MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBlTELMAkGA1UEBhMCR0IxGzAZBgNV
+BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
+ChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQDEzRTZWN0aWdvIFJTQSBPcmdhbml6
+YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAnJMCRkVKUkiS/FeN+S3qU76zLNXYqKXsW2kDwB0Q
+9lkz3v4HSKjojHpnSvH1jcM3ZtAykffEnQRgxLVK4oOLp64m1F06XvjRFnG7ir1x
+on3IzqJgJLBSoDpFUd54k2xiYPHkVpy3O/c8Vdjf1XoxfDV/ElFw4Sy+BKzL+k/h
+fGVqwECn2XylY4QZ4ffK76q06Fha2ZnjJt+OErK43DOyNtoUHZZYQkBuCyKFHFEi
+rsTIBkVtkuZntxkj5Ng2a4XQf8dS48+wdQHgibSov4o2TqPgbOuEQc6lL0giE5dQ
+YkUeCaXMn2xXcEAG2yDoG9bzk4unMp63RBUJ16/9fAEc2wIDAQABo4IBbjCCAWow
+HwYDVR0jBBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFBfZ1iUn
+Z/kxwklD2TA2RIxsqU/rMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/
+AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYG
+BFUdIAAwCAYGZ4EMAQICMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNl
+cnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNy
+bDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRy
+dXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZ
+aHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAThNA
+lsnD5m5bwOO69Bfhrgkfyb/LDCUW8nNTs3Yat6tIBtbNAHwgRUNFbBZaGxNh10m6
+pAKkrOjOzi3JKnSj3N6uq9BoNviRrzwB93fVC8+Xq+uH5xWo+jBaYXEgscBDxLmP
+bYox6xU2JPti1Qucj+lmveZhUZeTth2HvbC1bP6mESkGYTQxMD0gJ3NR0N6Fg9N3
+OSBGltqnxloWJ4Wyz04PToxcvr44APhL+XJ71PJ616IphdAEutNCLFGIUi7RPSRn
+R+xVzBv0yjTqJsHe3cQhifa6ezIejpZehEU4z4CqN2mLYBd0FUiRnG3wTqN3yhsc
+SPr5z0noX0+FCuKPkBurcEya67emP7SsXaRfz+bYipaQ908mgWB2XQ8kd5GzKjGf
+FlqyXYwcKapInI5v03hAcNt37N3j0VcFcC3mSZiIBYRiBXBWdoY5TtMibx3+bfEO
+s2LEPMvAhblhHrrhFYBZlAyuBbuMf1a+HNJav5fyakywxnB2sJCNwQs2uRHY1ihc
+6k/+JLcYCpsM0MF8XPtpvcyiTcaQvKZN8rG61ppnW5YCUtCC+cQKXA0o4D/I+pWV
+idWkvklsQLI+qGu41SWyxP7x09fn1txDAXYw+zuLXfdKiXyaNb78yvBXAfCNP6CH
+MntHWpdLgtJmwsQt6j8k9Kf5qLnjatkYYaA7jBU=
+-----END CERTIFICATE-----`, //Sectigo RSA Organization Validation Secure Server CA
+`-----BEGIN CERTIFICATE-----
+MIII+DCCB+CgAwIBAgIQbAP9+jGpC4MAqlBK9HsanzANBgkqhkiG9w0BAQsFADCB
+lTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
+A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQD
+EzRTZWN0aWdvIFJTQSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2Vy
+dmVyIENBMB4XDTI0MDgyNjAwMDAwMFoXDTI1MDgyNjIzNTk1OVowXTELMAkGA1UE
+BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExHDAaBgNVBAoTE1N0YXRlIG9mIENh
+bGlmb3JuaWExGzAZBgNVBAMTEmNvbm5lY3QuZGNhLmNhLmdvdjCCAiIwDQYJKoZI
+hvcNAQEBBQADggIPADCCAgoCggIBALqonPJQIJB5rqVt3lFhVCAWVDaUiHINR/0a
+BtHeqP2Ue5EsLGwdCNCRrj8ge0bCqQh25UBEmIOrTWU3HcmyBYPG51TPp+T5GER2
+r8daV5oqSFpVIThArZF58Omwsbv38hkNn1LCdZher/yqbuZJNHZd2Z/h3Xv410us
+y2EnrALnoKkRUvJ/hfX3Wpn9H+gYILEjwS3Bz4RZbMNnZCmaKFvKdk4hL/5Nyfgi
+ysHgJIM1jTitd24gilbA9RTLpak7naSxevb0SVa48hywpN8zoeDnOE/QIPGZ3CDJ
+70zHpZ9/T+soTtnTOAkVR3gCq6ZNshfizV6hqQTIvk6w8Ce7AoHv47EIRDwpb6RD
+gODEyZJFxR27/lZrXq3yvaiE0ZXkBFjJ6B4N+IuxpKrflRuddv5ObOm9AxunUsCM
+bhSf+7M8ECKk9j/IPYoKChfhxOyDQPKZSUtHx94+L5Z+7ri01S5ahkVlIY9O7VRz
+PU3YoqNslBUpAIrRYfjN1ej5FGgo867i5RUB9deFgJ/DMwbT0WN9e5DkVDcREbl4
+mJDRife0nZW88GgLDgFvvw3aFna+MtvE9BKgnTnPUUB9yiRJryj0i0qkIV30XF62
+CuNYEn8V24VvRv95wnsT6W758DGY7BspK18XVwL+LiA+GvkMFehhIRW6BBw1Txv9
++NYVTTm1AgMBAAGjggR5MIIEdTAfBgNVHSMEGDAWgBQX2dYlJ2f5McJJQ9kwNkSM
+bKlP6zAdBgNVHQ4EFgQUYXACOqlHJoJQcEG3L0ICy9gYsV4wDgYDVR0PAQH/BAQD
+AgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+MEoGA1UdIARDMEEwNQYMKwYBBAGyMQECAQMEMCUwIwYIKwYBBQUHAgEWF2h0dHBz
+Oi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECAjBaBgNVHR8EUzBRME+gTaBLhklo
+dHRwOi8vY3JsLnNlY3RpZ28uY29tL1NlY3RpZ29SU0FPcmdhbml6YXRpb25WYWxp
+ZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGKBggrBgEFBQcBAQR+MHwwVQYIKwYB
+BQUHMAKGSWh0dHA6Ly9jcnQuc2VjdGlnby5jb20vU2VjdGlnb1JTQU9yZ2FuaXph
+dGlvblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwIwYIKwYBBQUHMAGGF2h0
+dHA6Ly9vY3NwLnNlY3RpZ28uY29tMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgA
+dQDd3Mo0ldfhFgXnlTL6x5/4PRxQ39sAOhQSdgosrLvIKgAAAZGPYefYAAAEAwBG
+MEQCIC3PuRJmsoXOdITZPFofbx+GkT9JlXYA4rFD66SEzQYNAiBFdkL0000FzUHJ
+A11IglFWjubgpuCz7ct1NqW7nDwxFQB2AA3h8jAr0w3BQGISCepVLvxHdHyx1+kw
+7w5CHrR+Tqo0AAABkY9h57UAAAQDAEcwRQIhAKN6rHqqCeFQKpBS36UE+z/kTXru
+A7bI/NrW6k+vZXNBAiBJ1mayfSQJPX3LVpPBNK1kHIXI612M9Tpmrt9prraFlgB3
+ABLxTjS9U3JMhAYZw48/ehP457Vih4icbTAFhOvlhiY6AAABkY9h57UAAAQDAEgw
+RgIhALJAVx2+PVTOBjKeEkYLyTChpUyITMx2yJoZ8Zxe4C1nAiEAyKSU0BY4Wu/e
+du3YZFHbBymWlfsDCPtkUYUXuaZPqrMwggE9BgNVHREEggE0MIIBMIISY29ubmVj
+dC5kY2EuY2EuZ292ghVjb25uZWN0LXdzLmNhYi5jYS5nb3aCFWNvbm5lY3Qtd3Mu
+Y2ZiLmNhLmdvdoIlY29ubmVjdC13cy5jb3VydHJlcG9ydGVyc2JvYXJkLmNhLmdv
+doIVY29ubmVjdC13cy5kY2EuY2EuZ292ghZjb25uZWN0LXdzLmxhdGMuY2EuZ292
+ghtjb25uZWN0LXdzLnBlc3Rib2FyZC5jYS5nb3aCEmNvbm5lY3QuY2FiLmNhLmdv
+doISY29ubmVjdC5jZmIuY2EuZ292giJjb25uZWN0LmNvdXJ0cmVwb3J0ZXJzYm9h
+cmQuY2EuZ292ghNjb25uZWN0LmxhdGMuY2EuZ292ghhjb25uZWN0LnBlc3Rib2Fy
+ZC5jYS5nb3YwDQYJKoZIhvcNAQELBQADggEBAH8SsgW//ibqOZhMifgDLy2z4srI
+OwYMaWi0mxRO/6fgCO9BcpvT22vrMZYo3JuaEHtKT0joh5mdsfm/3tttEgnFYV5h
+gK4xgkZ/BbXoKWi+lmZPvxQJJFoRRg1WPnTvH+S7hUS0JAi4Wzmt7GGKhKnr5Fp3
+qTMIS9g0NQNGrV9pYqK1AQFzk0BBdemBqzUHLQjJ1k176AlvXP7xjW9Fi/Fdasat
+dfOtR3XILf1FTAjKGeGS9q2e4h6aZvLmdsDlCiG+YocUpTIOtdiF00zA4MybExyZ
+pfy9x5+dKWTyekk5jr54LEFQ5kUDJaGZ0KnDuOxhDSpAO/Yb/Z/3ZAk2G0s=
+-----END CERTIFICATE-----`, //connect.dca.ca.gov
+`-----BEGIN CERTIFICATE-----
+MIIEjTCCA3WgAwIBAgIQDQd4KhM/xvmlcpbhMf/ReTANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
+MjAeFw0xNzExMDIxMjIzMzdaFw0yNzExMDIxMjIzMzdaMGAxCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xHzAdBgNVBAMTFkdlb1RydXN0IFRMUyBSU0EgQ0EgRzEwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC+F+jsvikKy/65LWEx/TMkCDIuWegh1Ngwvm4Q
+yISgP7oU5d79eoySG3vOhC3w/3jEMuipoH1fBtp7m0tTpsYbAhch4XA7rfuD6whU
+gajeErLVxoiWMPkC/DnUvbgi74BJmdBiuGHQSd7LwsuXpTEGG9fYXcbTVN5SATYq
+DfbexbYxTMwVJWoVb6lrBEgM3gBBqiiAiy800xu1Nq07JdCIQkBsNpFtZbIZhsDS
+fzlGWP4wEmBQ3O67c+ZXkFr2DcrXBEtHam80Gp2SNhou2U5U7UesDL/xgLK6/0d7
+6TnEVMSUVJkZ8VeZr+IUIlvoLrtjLbqugb0T3OYXW+CQU0kBAgMBAAGjggFAMIIB
+PDAdBgNVHQ4EFgQUlE/UXYvkpOKmgP792PkA76O+AlcwHwYDVR0jBBgwFoAUTiJU
+IBiV5uNu5g/6+rkS7QYXjzkwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsG
+AQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMDQGCCsGAQUFBwEB
+BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEIGA1Ud
+HwQ7MDkwN6A1oDOGMWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEds
+b2JhbFJvb3RHMi5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEW
+HGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDQYJKoZIhvcNAQELBQADggEB
+AIIcBDqC6cWpyGUSXAjjAcYwsK4iiGF7KweG97i1RJz1kwZhRoo6orU1JtBYnjzB
+c4+/sXmnHJk3mlPyL1xuIAt9sMeC7+vreRIF5wFBC0MCN5sbHwhNN1JzKbifNeP5
+ozpZdQFmkCo+neBiKR6HqIA+LMTMCMMuv2khGGuPHmtDze4GmEGZtYLyF8EQpa5Y
+jPuV6k2Cr/N3XxFpT3hRpt/3usU/Zb9wfKPtWpoznZ4/44c1p9rzFcZYrWkj3A+7
+TNBJE0GmP2fhXhP1D/XVfIW/h0yCJGEiV9Glm/uGOa3DXHlmbAcxSyCRraG+ZBkA
+7h4SeM6Y8l/7MBRpPCz6l8Y=
+-----END CERTIFICATE-----`, //GeoTrust TLS RSA CA G1
+`-----BEGIN CERTIFICATE-----
+MIIGTDCCBDSgAwIBAgIQOXpmzCdWNi4NqofKbqvjsTANBgkqhkiG9w0BAQwFADBf
+MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQD
+Ey1TZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBSNDYw
+HhcNMjEwMzIyMDAwMDAwWhcNMzYwMzIxMjM1OTU5WjBgMQswCQYDVQQGEwJHQjEY
+MBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFB1Ymxp
+YyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gQ0EgRFYgUjM2MIIBojANBgkqhkiG9w0B
+AQEFAAOCAY8AMIIBigKCAYEAljZf2HIz7+SPUPQCQObZYcrxLTHYdf1ZtMRe7Yeq
+RPSwygz16qJ9cAWtWNTcuICc++p8Dct7zNGxCpqmEtqifO7NvuB5dEVexXn9RFFH
+12Hm+NtPRQgXIFjx6MSJcNWuVO3XGE57L1mHlcQYj+g4hny90aFh2SCZCDEVkAja
+EMMfYPKuCjHuuF+bzHFb/9gV8P9+ekcHENF2nR1efGWSKwnfG5RawlkaQDpRtZTm
+M64TIsv/r7cyFO4nSjs1jLdXYdz5q3a4L0NoabZfbdxVb+CUEHfB0bpulZQtH1Rv
+38e/lIdP7OTTIlZh6OYL6NhxP8So0/sht/4J9mqIGxRFc0/pC8suja+wcIUna0HB
+pXKfXTKpzgis+zmXDL06ASJf5E4A2/m+Hp6b84sfPAwQ766rI65mh50S0Di9E3Pn
+2WcaJc+PILsBmYpgtmgWTR9eV9otfKRUBfzHUHcVgarub/XluEpRlTtZudU5xbFN
+xx/DgMrXLUAPaI60fZ6wA+PTAgMBAAGjggGBMIIBfTAfBgNVHSMEGDAWgBRWc1hk
+lfmSGrASKgRieaFAFYghSTAdBgNVHQ4EFgQUaMASFhgOr872h6YyV6NGUV3LBycw
+DgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMBsGA1UdIAQUMBIwBgYEVR0gADAIBgZngQwBAgEw
+VAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL2NybC5zZWN0aWdvLmNvbS9TZWN0aWdv
+UHVibGljU2VydmVyQXV0aGVudGljYXRpb25Sb290UjQ2LmNybDCBhAYIKwYBBQUH
+AQEEeDB2ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3Rp
+Z29QdWJsaWNTZXJ2ZXJBdXRoZW50aWNhdGlvblJvb3RSNDYucDdjMCMGCCsGAQUF
+BzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTANBgkqhkiG9w0BAQwFAAOCAgEA
+YtOC9Fy+TqECFw40IospI92kLGgoSZGPOSQXMBqmsGWZUQ7rux7cj1du6d9rD6C8
+ze1B2eQjkrGkIL/OF1s7vSmgYVafsRoZd/IHUrkoQvX8FZwUsmPu7amgBfaY3g+d
+q1x0jNGKb6I6Bzdl6LgMD9qxp+3i7GQOnd9J8LFSietY6Z4jUBzVoOoz8iAU84OF
+h2HhAuiPw1ai0VnY38RTI+8kepGWVfGxfBWzwH9uIjeooIeaosVFvE8cmYUB4TSH
+5dUyD0jHct2+8ceKEtIoFU/FfHq/mDaVnvcDCZXtIgitdMFQdMZaVehmObyhRdDD
+4NQCs0gaI9AAgFj4L9QtkARzhQLNyRf87Kln+YU0lgCGr9HLg3rGO8q+Y4ppLsOd
+unQZ6ZxPNGIfOApbPVf5hCe58EZwiWdHIMn9lPP6+F404y8NNugbQixBber+x536
+WrZhFZLjEkhp7fFXf9r32rNPfb74X/U90Bdy4lzp3+X1ukh1BuMxA/EEhDoTOS3l
+7ABvc7BYSQubQ2490OcdkIzUh3ZwDrakMVrbaTxUM2p24N6dB+ns2zptWCva6jzW
+r8IWKIMxzxLPv5Kt3ePKcUdvkBU/smqujSczTzzSjIoR5QqQA6lN1ZRSnuHIWCvh
+JEltkYnTAH41QJ6SAWO66GrrUESwN/cgZzL4JLEqz1Y=
+-----END CERTIFICATE-----` // Sectigo Public Server Authentication CA DV R36
+);
+export {};

package/lib/utils/client-hello.d.ts

@@ -0,0 +1,23 @@
+import type { Key, TLSHelloBaseOptions, TLSPresharedKey } from '../types/index.ts';
+import { SUPPORTED_NAMED_CURVE_MAP } from './constants.ts';
+type SupportedNamedCurve = keyof typeof SUPPORTED_NAMED_CURVE_MAP;
+type PublicKeyData = {
+    type: SupportedNamedCurve;
+    key: Key;
+};
+type ClientHelloOptions = TLSHelloBaseOptions & {
+    host: string;
+    keysToShare: PublicKeyData[];
+    random?: Uint8Array;
+    sessionId?: Uint8Array;
+    psk?: TLSPresharedKey;
+};
+export declare function packClientHello({ host, sessionId, random, keysToShare, psk, cipherSuites, supportedProtocolVersions, signatureAlgorithms, applicationLayerProtocols }: ClientHelloOptions): Promise<Uint8Array<ArrayBufferLike>>;
+export declare function computeBinderSuffix(packedHandshakePrefix: Uint8Array, psk: TLSPresharedKey): Promise<Uint8Array<ArrayBufferLike>>;
+/**
+ * Packs the preshared key extension; the binder is assumed to be 0
+ * The empty binder is suffixed to the end of the extension
+ * and should be replaced with the correct binder after the full handshake is computed
+ */
+export declare function packPresharedKeyExtension({ identity, ticketAge, cipherSuite }: TLSPresharedKey): Uint8Array<ArrayBuffer>;
+export {};

package/lib/utils/client-hello.js

@@ -0,0 +1,167 @@
+import { crypto } from "../crypto/index.js";
+import { getHash } from "../utils/decryption-utils.js";
+import { SUPPORTED_CIPHER_SUITE_MAP, SUPPORTED_EXTENSION_MAP, SUPPORTED_NAMED_CURVE_MAP, SUPPORTED_RECORD_TYPE_MAP, SUPPORTED_SIGNATURE_ALGS_MAP, TLS_PROTOCOL_VERSION_MAP } from "./constants.js";
+import { asciiToUint8Array, concatenateUint8Arrays, uint8ArrayToDataView } from "./generics.js";
+import { packWith3ByteLength, packWithLength } from "./packets.js";
+const CLIENT_VERSION = new Uint8Array([0x03, 0x03]);
+// no compression, as our client won't support it
+// neither does TLS1.3
+const COMPRESSION_MODE = new Uint8Array([0x01, 0x00]);
+const RENEGOTIATION_INFO = new Uint8Array([0xff, 0x01, 0x00, 0x01, 0x00]);
+export async function packClientHello({ host, sessionId = crypto.randomBytes(32), random = crypto.randomBytes(32), keysToShare, psk, cipherSuites, supportedProtocolVersions = Object
+    .keys(TLS_PROTOCOL_VERSION_MAP), signatureAlgorithms = Object
+    .keys(SUPPORTED_SIGNATURE_ALGS_MAP), applicationLayerProtocols = [] }) {
+    // generate random & sessionId if not provided
+    const packedSessionId = packWithLength(sessionId).slice(1);
+    const cipherSuiteList = (cipherSuites || Object.keys(SUPPORTED_CIPHER_SUITE_MAP)).map(cipherSuite => SUPPORTED_CIPHER_SUITE_MAP[cipherSuite].identifier);
+    const packedCipherSuites = packWithLength(concatenateUint8Arrays(cipherSuiteList));
+    const extensionsList = [
+        RENEGOTIATION_INFO,
+        packServerNameExtension(host),
+        packSupportedGroupsExtension(keysToShare.map(k => k.type)),
+        packSessionTicketExtension(),
+        packVersionsExtension(supportedProtocolVersions),
+        packSignatureAlgorithmsExtension(signatureAlgorithms),
+        packPresharedKeyModeExtension(),
+        await packKeyShareExtension(keysToShare),
+    ];
+    if (psk) {
+        extensionsList.push(packPresharedKeyExtension(psk));
+    }
+    if (applicationLayerProtocols.length) {
+        const protocols = applicationLayerProtocols.map(alp => (
+        // 1 byte for length
+        packWithLength(asciiToUint8Array(alp)).slice(1)));
+        extensionsList.push(packExtension({
+            type: 'ALPN',
+            data: concatenateUint8Arrays(protocols),
+        }));
+    }
+    const packedExtensions = packWithLength(concatenateUint8Arrays(extensionsList));
+    const handshakeData = concatenateUint8Arrays([
+        CLIENT_VERSION,
+        random,
+        packedSessionId,
+        packedCipherSuites,
+        COMPRESSION_MODE,
+        packedExtensions
+    ]);
+    const packedHandshake = concatenateUint8Arrays([
+        new Uint8Array([SUPPORTED_RECORD_TYPE_MAP.CLIENT_HELLO]),
+        packWith3ByteLength(handshakeData)
+    ]);
+    if (psk) {
+        const { hashLength } = SUPPORTED_CIPHER_SUITE_MAP[psk.cipherSuite];
+        const prefixHandshake = packedHandshake.slice(0, -hashLength - 3);
+        const binder = await computeBinderSuffix(prefixHandshake, psk);
+        packedHandshake.set(binder, packedHandshake.length - binder.length);
+    }
+    return packedHandshake;
+}
+export async function computeBinderSuffix(packedHandshakePrefix, psk) {
+    const { hashAlgorithm } = SUPPORTED_CIPHER_SUITE_MAP[psk.cipherSuite];
+    const hashedHelloHandshake = await getHash([packedHandshakePrefix], psk.cipherSuite);
+    return crypto.hmac(hashAlgorithm, psk.finishKey, hashedHelloHandshake);
+}
+/**
+ * Packs the preshared key extension; the binder is assumed to be 0
+ * The empty binder is suffixed to the end of the extension
+ * and should be replaced with the correct binder after the full handshake is computed
+ */
+export function packPresharedKeyExtension({ identity, ticketAge, cipherSuite }) {
+    const binderLength = SUPPORTED_CIPHER_SUITE_MAP[cipherSuite].hashLength;
+    const packedIdentity = packWithLength(identity);
+    const packedTicketAge = new Uint8Array(4);
+    const packedTicketAgeView = uint8ArrayToDataView(packedTicketAge);
+    packedTicketAgeView.setUint32(0, ticketAge);
+    const serialisedIdentity = concatenateUint8Arrays([
+        packedIdentity,
+        packedTicketAge
+    ]);
+    const identityPacked = packWithLength(serialisedIdentity);
+    const binderHolderBytes = new Uint8Array(binderLength + 2 + 1);
+    const binderHolderBytesView = uint8ArrayToDataView(binderHolderBytes);
+    binderHolderBytesView.setUint16(0, binderLength + 1);
+    binderHolderBytesView.setUint8(2, binderLength);
+    const total = concatenateUint8Arrays([
+        identityPacked,
+        // 2 bytes for binders
+        // 1 byte for each binder length
+        binderHolderBytes
+    ]);
+    const totalPacked = packWithLength(total);
+    const ext = new Uint8Array(2 + totalPacked.length);
+    ext.set(totalPacked, 2);
+    const extView = uint8ArrayToDataView(ext);
+    extView.setUint16(0, SUPPORTED_EXTENSION_MAP.PRE_SHARED_KEY);
+    return ext;
+}
+function packPresharedKeyModeExtension() {
+    return packExtension({
+        type: 'PRE_SHARED_KEY_MODE',
+        data: new Uint8Array([0x00, 0x01]),
+        lengthBytes: 1
+    });
+}
+function packSessionTicketExtension() {
+    return packExtension({
+        type: 'SESSION_TICKET',
+        data: new Uint8Array(),
+    });
+}
+function packVersionsExtension(supportedVersions) {
+    return packExtension({
+        type: 'SUPPORTED_VERSIONS',
+        data: concatenateUint8Arrays(supportedVersions.map(v => TLS_PROTOCOL_VERSION_MAP[v])),
+        lengthBytes: 1
+    });
+}
+function packSignatureAlgorithmsExtension(algs) {
+    return packExtension({
+        type: 'SIGNATURE_ALGS',
+        data: concatenateUint8Arrays(algs.map(v => SUPPORTED_SIGNATURE_ALGS_MAP[v].identifier))
+    });
+}
+function packSupportedGroupsExtension(namedCurves) {
+    return packExtension({
+        type: 'SUPPORTED_GROUPS',
+        data: concatenateUint8Arrays(namedCurves
+            .map(n => SUPPORTED_NAMED_CURVE_MAP[n].identifier))
+    });
+}
+async function packKeyShareExtension(keys) {
+    const buffs = [];
+    for (const { key, type } of keys) {
+        const exportedKey = await crypto.exportKey(key);
+        buffs.push(SUPPORTED_NAMED_CURVE_MAP[type].identifier, packWithLength(exportedKey));
+    }
+    return packExtension({
+        type: 'KEY_SHARE',
+        data: concatenateUint8Arrays(buffs)
+    });
+}
+function packServerNameExtension(host) {
+    return packExtension({
+        type: 'SERVER_NAME',
+        data: concatenateUint8Arrays([
+            // specify that this is a server hostname
+            new Uint8Array([0x0]),
+            // pack the remaining data prefixed with length
+            packWithLength(asciiToUint8Array(host))
+        ])
+    });
+}
+function packExtension({ type, data, lengthBytes }) {
+    lengthBytes ||= 2;
+    let packed = data.length ? packWithLength(data) : data;
+    if (lengthBytes === 1) {
+        packed = packed.slice(1);
+    }
+    // 2 bytes for type, 2 bytes for packed data length
+    const result = new Uint8Array(2 + 2 + packed.length);
+    const resultView = uint8ArrayToDataView(result);
+    resultView.setUint8(1, SUPPORTED_EXTENSION_MAP[type]);
+    resultView.setUint16(2, packed.length);
+    result.set(packed, 4);
+    return result;
+}

package/lib/utils/constants.d.ts

@@ -0,0 +1,239 @@
+/** Max size of an encrypted packet */
+export declare const MAX_ENC_PACKET_SIZE = 16380;
+export declare const TLS_PROTOCOL_VERSION_MAP: {
+    TLS1_3: Uint8Array<ArrayBuffer>;
+    TLS1_2: Uint8Array<ArrayBuffer>;
+};
+export declare const SUPPORTED_NAMED_CURVE_MAP: {
+    SECP256R1: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly algorithm: "P-256";
+    };
+    SECP384R1: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly algorithm: "P-384";
+    };
+    X25519: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly algorithm: "X25519";
+    };
+};
+export declare const SUPPORTED_RECORD_TYPE_MAP: {
+    CLIENT_HELLO: number;
+    SERVER_HELLO: number;
+    HELLO_RETRY_REQUEST: number;
+    SESSION_TICKET: number;
+    ENCRYPTED_EXTENSIONS: number;
+    CERTIFICATE: number;
+    SERVER_KEY_SHARE: number;
+    CERTIFICATE_REQUEST: number;
+    SERVER_HELLO_DONE: number;
+    CERTIFICATE_VERIFY: number;
+    CLIENT_KEY_SHARE: number;
+    FINISHED: number;
+    KEY_UPDATE: number;
+};
+export declare const CONTENT_TYPE_MAP: {
+    CHANGE_CIPHER_SPEC: number;
+    ALERT: number;
+    HANDSHAKE: number;
+    APPLICATION_DATA: number;
+};
+export declare const AUTH_TAG_BYTE_LENGTH = 16;
+export declare const SUPPORTED_NAMED_CURVES: (keyof typeof SUPPORTED_NAMED_CURVE_MAP)[];
+/**
+ * Supported cipher suites.
+ * In a client hello, these are sent in order of preference
+ * as listed below
+ */
+export declare const SUPPORTED_CIPHER_SUITE_MAP: {
+    readonly TLS_CHACHA20_POLY1305_SHA256: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly keyLength: 32;
+        readonly hashLength: 32;
+        readonly ivLength: 12;
+        readonly hashAlgorithm: "SHA-256";
+        readonly cipher: "CHACHA20-POLY1305";
+    };
+    readonly TLS_AES_256_GCM_SHA384: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly keyLength: 32;
+        readonly hashLength: 48;
+        readonly ivLength: 12;
+        readonly hashAlgorithm: "SHA-384";
+        readonly cipher: "AES-256-GCM";
+    };
+    readonly TLS_AES_128_GCM_SHA256: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly keyLength: 16;
+        readonly hashLength: 32;
+        readonly ivLength: 12;
+        readonly hashAlgorithm: "SHA-256";
+        readonly cipher: "AES-128-GCM";
+    };
+    readonly TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly keyLength: 32;
+        readonly hashLength: 32;
+        readonly ivLength: 12;
+        readonly hashAlgorithm: "SHA-256";
+        readonly cipher: "CHACHA20-POLY1305";
+    };
+    readonly TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly keyLength: 32;
+        readonly hashLength: 32;
+        readonly ivLength: 12;
+        readonly hashAlgorithm: "SHA-256";
+        readonly cipher: "CHACHA20-POLY1305";
+    };
+    readonly TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly keyLength: 16;
+        readonly hashLength: 32;
+        readonly ivLength: 4;
+        readonly hashAlgorithm: "SHA-256";
+        readonly cipher: "AES-128-GCM";
+    };
+    readonly TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly keyLength: 16;
+        readonly hashLength: 32;
+        readonly ivLength: 4;
+        readonly hashAlgorithm: "SHA-256";
+        readonly cipher: "AES-128-GCM";
+    };
+    readonly TLS_RSA_WITH_AES_128_GCM_SHA256: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly keyLength: 16;
+        readonly hashLength: 32;
+        readonly ivLength: 4;
+        readonly hashAlgorithm: "SHA-256";
+        readonly cipher: "AES-128-GCM";
+        readonly isRsaEcdh: true;
+    };
+    readonly TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly keyLength: 32;
+        readonly hashLength: 48;
+        readonly ivLength: 4;
+        readonly hashAlgorithm: "SHA-384";
+        readonly cipher: "AES-256-GCM";
+    };
+    readonly TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly keyLength: 32;
+        readonly hashLength: 48;
+        readonly ivLength: 4;
+        readonly hashAlgorithm: "SHA-384";
+        readonly cipher: "AES-256-GCM";
+    };
+    readonly TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly keyLength: 16;
+        readonly hashLength: 20;
+        readonly ivLength: 16;
+        readonly hashAlgorithm: "SHA-1";
+        readonly prfHashAlgorithm: "SHA-256";
+        readonly cipher: "AES-128-CBC";
+    };
+    readonly TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly keyLength: 16;
+        readonly hashLength: 20;
+        readonly ivLength: 16;
+        readonly hashAlgorithm: "SHA-1";
+        readonly prfHashAlgorithm: "SHA-256";
+        readonly cipher: "AES-128-CBC";
+    };
+};
+export declare const ALERT_LEVEL: {
+    WARNING: number;
+    FATAL: number;
+};
+export declare const ALERT_DESCRIPTION: {
+    CLOSE_NOTIFY: number;
+    UNEXPECTED_MESSAGE: number;
+    BAD_RECORD_MAC: number;
+    RECORD_OVERFLOW: number;
+    HANDSHAKE_FAILURE: number;
+    BAD_CERTIFICATE: number;
+    UNSUPPORTED_CERTIFICATE: number;
+    CERTIFICATE_REVOKED: number;
+    CERTIFICATE_EXPIRED: number;
+    CERTIFICATE_UNKNOWN: number;
+    ILLEGAL_PARAMETER: number;
+    UNKNOWN_CA: number;
+    ACCESS_DENIED: number;
+    DECODE_ERROR: number;
+    DECRYPT_ERROR: number;
+    PROTOCOL_VERSION: number;
+    INSUFFICIENT_SECURITY: number;
+    INTERNAL_ERROR: number;
+    INAPPROPRIATE_FALLBACK: number;
+    USER_CANCELED: number;
+    MISSING_EXTENSION: number;
+    UNSUPPORTED_EXTENSION: number;
+    UNRECOGNIZED_NAME: number;
+    BAD_CERTIFICATE_STATUS_RESPONSE: number;
+    UNKNOWN_PSK_IDENTITY: number;
+    CERTIFICATE_REQUIRED: number;
+    NO_APPLICATION_PROTOCOL: number;
+    DECRYPTION_FAILED_RESERVED: number;
+    DECOMPRESSION_FAILURE: number;
+    NO_CERTIFICATE_RESERVED: number;
+    EXPORT_RESTRICTION_RESERVED: number;
+    NO_RENEGOTIATION: number;
+};
+export declare const SUPPORTED_CIPHER_SUITES: (keyof typeof SUPPORTED_CIPHER_SUITE_MAP)[];
+export declare const SUPPORTED_SIGNATURE_ALGS_MAP: {
+    readonly ECDSA_SECP256R1_SHA256: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly algorithm: "ECDSA-SECP256R1-SHA256";
+    };
+    readonly ECDSA_SECP384R1_SHA256: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly algorithm: "ECDSA-SECP384R1-SHA384";
+    };
+    readonly RSA_PSS_RSAE_SHA256: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly algorithm: "RSA-PSS-SHA256";
+    };
+    readonly RSA_PKCS1_SHA256: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly algorithm: "RSA-PKCS1-SHA256";
+    };
+    readonly RSA_PKCS1_SHA384: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly algorithm: "RSA-PKCS1-SHA384";
+    };
+    readonly RSA_PKCS1_SHA512: {
+        readonly identifier: Uint8Array<ArrayBuffer>;
+        readonly algorithm: "RSA-PKCS1-SHA512";
+    };
+};
+export declare const SUPPORTED_SIGNATURE_ALGS: (keyof typeof SUPPORTED_SIGNATURE_ALGS_MAP)[];
+export declare const SUPPORTED_EXTENSION_MAP: {
+    SERVER_NAME: number;
+    MAX_FRAGMENT_LENGTH: number;
+    KEY_SHARE: number;
+    SUPPORTED_GROUPS: number;
+    SIGNATURE_ALGS: number;
+    SUPPORTED_VERSIONS: number;
+    SESSION_TICKET: number;
+    EARLY_DATA: number;
+    PRE_SHARED_KEY: number;
+    PRE_SHARED_KEY_MODE: number;
+    ALPN: number;
+};
+export declare const SUPPORTED_EXTENSIONS: (keyof typeof SUPPORTED_EXTENSION_MAP)[];
+export declare const PACKET_TYPE: {
+    HELLO: number;
+    WRAPPED_RECORD: number;
+    CHANGE_CIPHER_SPEC: number;
+    ALERT: number;
+};
+export declare const KEY_UPDATE_TYPE_MAP: {
+    UPDATE_NOT_REQUESTED: number;
+    UPDATE_REQUESTED: number;
+};