@keetanetwork/anchor 0.0.45 → 0.0.47

package/lib/sensitive-attribute.d.ts

@@ -0,0 +1,87 @@
+import * as KeetaNetClient from '@keetanetwork/keetanet-client';
+import { Buffer } from './utils/buffer.js';
+import type { SensitiveAttributeType, CertificateAttributeValue, CertificateAttributeOIDDB } from '../services/kyc/iso20022.generated.js';
+type AccountKeyAlgorithm = InstanceType<typeof KeetaNetClient.lib.Account>['keyType'];
+/**
+ * An alias for the KeetaNetAccount type
+ */
+type KeetaNetAccount = ReturnType<typeof KeetaNetClient.lib.Account.fromSeed<AccountKeyAlgorithm>>;
+/**
+ * Type for certificate attribute names (derived from generated OID database)
+ */
+export type CertificateAttributeNames = keyof typeof CertificateAttributeOIDDB;
+/**
+ * Encode an attribute value using its ASN.1 schema
+ */
+export declare function encodeAttribute(name: CertificateAttributeNames, value: unknown): ArrayBuffer;
+/**
+ * Prepare a value for inclusion in a SensitiveAttribute: pre-encode complex and date types
+ */
+export declare function encodeForSensitive(name: CertificateAttributeNames | undefined, value: SensitiveAttributeType | Buffer | ArrayBuffer): Buffer;
+export type SensitiveAttributeJSON = {
+    version: string;
+    publicKey: string;
+    cipher: {
+        algorithm: string;
+        iv: string;
+        key: string;
+    };
+    hashedValue: {
+        encryptedSalt: string;
+        algorithm: string;
+        value: string;
+    };
+    encryptedValue: string;
+};
+export declare class SensitiveAttribute<T = ArrayBuffer> {
+    #private;
+    private static readonly SensitiveAttributeObjectTypeID;
+    private readonly SensitiveAttributeObjectTypeID;
+    constructor(account: KeetaNetAccount, data: Buffer | ArrayBuffer, decoder?: (data: Buffer | ArrayBuffer) => T | Promise<T>);
+    /**
+     * Check if a value is a SensitiveAttribute instance
+     */
+    static isInstance(input: unknown): input is SensitiveAttribute<unknown>;
+    /**
+     * Get the public key this attribute was encrypted for
+     */
+    get publicKey(): string;
+    /**
+     * Get the raw encrypted DER for certificate embedding
+     */
+    toDER(): ArrayBuffer;
+    private decode;
+    /**
+     * Get the value of the sensitive attribute
+     *
+     * This will decrypt the value using the account's private key
+     * and return the value as an ArrayBuffer
+     *
+     * Since sensitive attributes are binary blobs, this returns an
+     * ArrayBuffer
+     */
+    get(): Promise<ArrayBuffer>;
+    getValue(): Promise<T>;
+    /**
+     * Generate a proof that a sensitive attribute is a given value,
+     * which can be validated by a third party using the certificate
+     * and the `validateProof` method
+     */
+    getProof(): Promise<{
+        value: string;
+        hash: {
+            salt: string;
+        };
+    }>;
+    /**
+     * Validate the proof that a sensitive attribute is a given value
+     */
+    validateProof(proof: Awaited<ReturnType<this['getProof']>>): Promise<boolean>;
+    toJSON(): SensitiveAttributeJSON;
+    /**
+     * Encrypt a value and create a new SensitiveAttribute
+     */
+    static create<K extends CertificateAttributeNames>(account: KeetaNetAccount, name: K, value: CertificateAttributeValue<K> | Buffer | ArrayBuffer): Promise<SensitiveAttribute<CertificateAttributeValue<K>>>;
+}
+export {};
+//# sourceMappingURL=sensitive-attribute.d.ts.map

package/lib/sensitive-attribute.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sensitive-attribute.d.ts","sourceRoot":"","sources":["../../src/lib/sensitive-attribute.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,cAAc,MAAM,+BAA+B,CAAC;AAGhE,OAAO,EAAgD,MAAM,EAAuB,MAAM,mBAAmB,CAAC;AAE9G,OAAO,KAAK,EAAE,sBAAsB,EAAE,yBAAyB,EAAG,yBAAyB,EAAE,MAAM,uCAAuC,CAAC;AAU3I,KAAK,mBAAmB,GAAG,YAAY,CAAC,OAAO,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,CAAC;AAEtF;;GAEG;AACH,KAAK,eAAe,GAAG,UAAU,CAAC,OAAO,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;AAEnG;;GAEG;AACH,MAAM,MAAM,yBAAyB,GAAG,MAAM,OAAO,yBAAyB,CAAC;AA2E/E;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,yBAAyB,EAAE,KAAK,EAAE,OAAO,GAAG,WAAW,CAqB5F;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CACjC,IAAI,EAAE,yBAAyB,GAAG,SAAS,EAC3C,KAAK,EAAE,sBAAsB,GAAG,MAAM,GAAG,WAAW,GAClD,MAAM,CAoBR;AAyGD,MAAM,MAAM,sBAAsB,GAAG;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;QAClB,EAAE,EAAE,MAAM,CAAC;QACX,GAAG,EAAE,MAAM,CAAC;KACZ,CAAC;IACF,WAAW,EAAE;QACZ,aAAa,EAAE,MAAM,CAAC;QACtB,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,EAAE,MAAM,CAAC;KACd,CAAC;IACF,cAAc,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,qBAAa,kBAAkB,CAAC,CAAC,GAAG,WAAW;;IAC9C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,8BAA8B,CAA0C;IAChG,OAAO,CAAC,QAAQ,CAAC,8BAA8B,CAAU;gBAQxD,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,MAAM,GAAG,WAAW,EAC1B,OAAO,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,GAAG,WAAW,KAAK,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;IAezD;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,kBAAkB,CAAC,OAAO,CAAC;IAQvE;;OAEG;IACH,IAAI,SAAS,IAAI,MAAM,CAEtB;IAED;;OAEG;IACH,KAAK,IAAI,WAAW;IAIpB,OAAO,CAAC,MAAM;IA6Dd;;;;;;;;OAQG;IACG,GAAG,IAAI,OAAO,CAAC,WAAW,CAAC;IAK3B,QAAQ,IAAI,OAAO,CAAC,CAAC,CAAC;IAiB5B;;;;OAIG;IACG,QAAQ,IAAI,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE;YAAE,IAAI,EAAE,MAAM,CAAA;SAAE,CAAA;KAAC,CAAC;IAYnE;;OAEG;IACG,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;IAcnF,MAAM,IAAI,sBAAsB;IAKhC;;OAEG;WACU,MAAM,CAAC,CAAC,SAAS,yBAAyB,EACtD,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,CAAC,EACP,KAAK,EAAE,yBAAyB,CAAC,CAAC,CAAC,GAAG,MAAM,GAAG,WAAW,GACxD,OAAO,CAAC,kBAAkB,CAAC,yBAAyB,CAAC,CAAC,CAAC,CAAC,CAAC;CAoE5D"}

package/lib/sensitive-attribute.js

@@ -0,0 +1,419 @@
+import * as KeetaNetClient from '@keetanetwork/keetanet-client';
+import * as oids from '../services/kyc/oids.generated.js';
+import * as ASN1 from './utils/asn1.js';
+import { arrayBufferLikeToBuffer, arrayBufferToBuffer, Buffer, bufferToArrayBuffer } from './utils/buffer.js';
+import crypto from './utils/crypto.js';
+import { CertificateAttributeSchema } from '../services/kyc/iso20022.generated.js';
+import { getOID, lookupByOID } from './utils/oid.js';
+/**
+ * Short alias for printing a debug representation of an object
+ */
+const DPO = KeetaNetClient.lib.Utils.Helper.debugPrintableObject.bind(KeetaNetClient.lib.Utils.Helper);
+/**
+ * Sensitive Attribute Schema
+ *
+ * ASN.1 Schema:
+ * SensitiveAttributes DEFINITIONS ::= BEGIN
+ *         SensitiveAttribute ::= SEQUENCE {
+ *                 version        INTEGER { v1(0) },
+ *                 cipher         SEQUENCE {
+ *                         algorithm    OBJECT IDENTIFIER,
+ *                         ivOrNonce    OCTET STRING,
+ *                         key          OCTET STRING
+ *                 },
+ *                 hashedValue    SEQUENCE {
+ *                         encryptedSalt  OCTET STRING,
+ *                         algorithm      OBJECT IDENTIFIER,
+ *                         value          OCTET STRING
+ *                 },
+ *                 encryptedValue OCTET STRING
+ *         }
+ * END
+ *
+ * https://keeta.notion.site/Keeta-KYC-Certificate-Extensions-13e5da848e588042bdcef81fc40458b7
+ *
+ * @internal
+ */
+const SensitiveAttributeSchemaInternal = [
+    0n,
+    [
+        ASN1.ValidateASN1.IsOID,
+        ASN1.ValidateASN1.IsOctetString,
+        ASN1.ValidateASN1.IsOctetString
+    ],
+    [
+        ASN1.ValidateASN1.IsOctetString,
+        ASN1.ValidateASN1.IsOID,
+        ASN1.ValidateASN1.IsOctetString
+    ],
+    ASN1.ValidateASN1.IsOctetString
+];
+/*
+ * Database of permitted algorithms and their OIDs
+ */
+const sensitiveAttributeOIDDB = {
+    'aes-256-gcm': oids.AES_256_GCM,
+    'aes-256-cbc': oids.AES_256_CBC,
+    'sha2-256': oids.SHA2_256,
+    'sha3-256': oids.SHA3_256,
+    'sha256': oids.SHA2_256,
+    'aes256-gcm': oids.AES_256_GCM,
+    'aes256-cbc': oids.AES_256_CBC
+};
+/**
+ * Encode an attribute value using its ASN.1 schema
+ */
+export function encodeAttribute(name, value) {
+    const schema = CertificateAttributeSchema[name];
+    let encodedJS;
+    try {
+        encodedJS = new ASN1.ValidateASN1(schema).fromJavaScriptObject(value);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        throw (new Error(`Attribute ${name}: ${message} (value: ${JSON.stringify(DPO(value))})`));
+    }
+    if (encodedJS === undefined) {
+        throw (new Error(`Unsupported attribute value for encoding: ${JSON.stringify(DPO(value))}`));
+    }
+    const asn1Object = ASN1.JStoASN1(encodedJS);
+    if (!asn1Object) {
+        throw (new Error(`Failed to encode value for attribute ${name}`));
+    }
+    return (asn1Object.toBER(false));
+}
+/**
+ * Prepare a value for inclusion in a SensitiveAttribute: pre-encode complex and date types
+ */
+export function encodeForSensitive(name, value) {
+    if (Buffer.isBuffer(value)) {
+        return (value);
+    }
+    if (value instanceof ArrayBuffer) {
+        return (arrayBufferToBuffer(value));
+    }
+    if (typeof value === 'string') {
+        const asn1 = ASN1.JStoASN1({ type: 'string', kind: 'utf8', value });
+        return (arrayBufferToBuffer(asn1.toBER(false)));
+    }
+    if (value instanceof Date) {
+        const asn1 = ASN1.JStoASN1(value);
+        return (arrayBufferToBuffer(asn1.toBER(false)));
+    }
+    if (typeof value === 'object' && value !== null) {
+        if (!name) {
+            throw (new Error('attributeName required for complex types'));
+        }
+        const encoded = encodeAttribute(name, value);
+        return (arrayBufferToBuffer(encoded));
+    }
+    return (Buffer.from(String(value), 'utf-8'));
+}
+/**
+ * Check if value is an ASN.1-like wrapper object
+ */
+function isASN1Wrapper(obj) {
+    return ('type' in obj && 'value' in obj && typeof obj.type === 'string');
+}
+/**
+ * Normalize the result (unwrap ASN.1-like objects)
+ */
+function normalizeDecodedValue(input) {
+    if (input === undefined || input === null || typeof input !== 'object') {
+        return (input);
+    }
+    if (input instanceof Date || Buffer.isBuffer(input) || input instanceof ArrayBuffer) {
+        return (input);
+    }
+    if (Array.isArray(input)) {
+        return (input.map(item => normalizeDecodedValue(item)));
+    }
+    // Unwrap ASN.1-like objects
+    if (isASN1Wrapper(input)) {
+        if (input.type === 'string' && typeof input.value === 'string') {
+            return (input.value);
+        }
+        if (input.type === 'date' && input.value instanceof Date) {
+            return (input.value);
+        }
+    }
+    // Recursively normalize object properties
+    const result = {};
+    for (const [key, value] of Object.entries(input)) {
+        result[key] = normalizeDecodedValue(value);
+    }
+    return (result);
+}
+/**
+ * Decode ASN.1 data using a schema
+ *
+ * Note: The ASN1 library uses dynamic typing internally, so we consolidate
+ * the unsafe operations here rather than scattering them throughout the code.
+ */
+function decodeWithSchema(buffer, schema) {
+    /* eslint-disable
+        @typescript-eslint/no-explicit-any,
+        @typescript-eslint/consistent-type-assertions,
+        @typescript-eslint/no-unsafe-member-access,
+        @typescript-eslint/no-unsafe-call,
+        @typescript-eslint/no-unsafe-assignment
+    */
+    let decodedASN1;
+    try {
+        decodedASN1 = new ASN1.BufferStorageASN1(buffer, schema).getASN1();
+    }
+    catch {
+        decodedASN1 = ASN1.ASN1toJS(buffer);
+    }
+    if (decodedASN1 === undefined) {
+        throw (new Error('Failed to decode ASN1 data'));
+    }
+    const validator = new ASN1.ValidateASN1(schema);
+    return (validator.toJavaScriptObject(decodedASN1));
+    /* eslint-enable */
+}
+/**
+ * GCM cipher helpers - Node's crypto types don't properly type getAuthTag/setAuthTag
+ * when using createCipheriv/createDecipheriv, so we use typed wrappers.
+ */
+/* eslint-disable @typescript-eslint/consistent-type-assertions -- Reflect.get returns unknown */
+function getGCMAuthTag(cipher) {
+    const getAuthTag = Reflect.get(cipher, 'getAuthTag');
+    if (typeof getAuthTag !== 'function') {
+        throw (new TypeError('getAuthTag is not available on cipher'));
+    }
+    return (getAuthTag.call(cipher));
+}
+function setGCMAuthTag(decipher, tag) {
+    const setAuthTag = Reflect.get(decipher, 'setAuthTag');
+    if (typeof setAuthTag !== 'function') {
+        throw (new TypeError('setAuthTag is not available on decipher'));
+    }
+    setAuthTag.call(decipher, tag);
+}
+/* eslint-enable @typescript-eslint/consistent-type-assertions */
+/**
+ * Decode a value from its ASN.1 representation back to the original type
+ *
+ * @internal
+ */
+function decodeForSensitive(name, data) {
+    const buffer = Buffer.isBuffer(data) ? bufferToArrayBuffer(data) : data;
+    const schema = CertificateAttributeSchema[name];
+    const plainObject = decodeWithSchema(buffer, schema);
+    return (normalizeDecodedValue(plainObject));
+}
+export class SensitiveAttribute {
+    static SensitiveAttributeObjectTypeID = 'c0cc9591-cebb-4441-babe-23739279e3f2';
+    SensitiveAttributeObjectTypeID;
+    #account;
+    #encryptedDER;
+    #info;
+    #decoder;
+    constructor(account, data, decoder) {
+        Object.defineProperty(this, 'SensitiveAttributeObjectTypeID', {
+            value: SensitiveAttribute.SensitiveAttributeObjectTypeID,
+            enumerable: false
+        });
+        this.#account = account;
+        this.#encryptedDER = Buffer.isBuffer(data) ? bufferToArrayBuffer(data) : data;
+        this.#info = this.decode(data);
+        if (decoder) {
+            this.#decoder = decoder;
+        }
+    }
+    /**
+     * Check if a value is a SensitiveAttribute instance
+     */
+    static isInstance(input) {
+        if (typeof input !== 'object' || input === null) {
+            return (false);
+        }
+        return (Reflect.get(input, 'SensitiveAttributeObjectTypeID') === SensitiveAttribute.SensitiveAttributeObjectTypeID);
+    }
+    /**
+     * Get the public key this attribute was encrypted for
+     */
+    get publicKey() {
+        return (this.#account.publicKeyString.get());
+    }
+    /**
+     * Get the raw encrypted DER for certificate embedding
+     */
+    toDER() {
+        return (this.#encryptedDER);
+    }
+    decode(data) {
+        if (Buffer.isBuffer(data)) {
+            data = bufferToArrayBuffer(data);
+        }
+        let decodedAttribute;
+        try {
+            const dataObject = new ASN1.BufferStorageASN1(data, SensitiveAttributeSchemaInternal);
+            decodedAttribute = dataObject.getASN1();
+        }
+        catch {
+            const js = ASN1.ASN1toJS(data);
+            throw (new Error(`SensitiveAttribute.decode: unexpected DER shape ${JSON.stringify(DPO(js))}`));
+        }
+        const decodedVersion = decodedAttribute[0] + 1n;
+        if (decodedVersion !== 1n) {
+            throw (new Error(`Unsupported Sensitive Attribute version (${decodedVersion})`));
+        }
+        return ({
+            version: decodedVersion,
+            publicKey: this.#account.publicKeyString.get(),
+            cipher: {
+                algorithm: lookupByOID(decodedAttribute[1][0].oid, sensitiveAttributeOIDDB),
+                iv: decodedAttribute[1][1],
+                key: decodedAttribute[1][2]
+            },
+            hashedValue: {
+                encryptedSalt: decodedAttribute[2][0],
+                algorithm: lookupByOID(decodedAttribute[2][1].oid, sensitiveAttributeOIDDB),
+                value: decodedAttribute[2][2]
+            },
+            encryptedValue: decodedAttribute[3]
+        });
+    }
+    async #decryptValue(value) {
+        const decryptedKey = await this.#account.decrypt(bufferToArrayBuffer(this.#info.cipher.key));
+        const algorithm = this.#info.cipher.algorithm;
+        const iv = this.#info.cipher.iv;
+        const decipher = crypto.createDecipheriv(algorithm, Buffer.from(decryptedKey), iv);
+        // For AES-GCM, extract and set the 16-byte authentication tag
+        if (algorithm === 'aes-256-gcm') {
+            const authTag = value.subarray(-16);
+            const ciphertext = value.subarray(0, -16);
+            setGCMAuthTag(decipher, authTag);
+            const decrypted = decipher.update(ciphertext);
+            decipher.final(); // Verify auth tag
+            return (decrypted);
+        }
+        // For other algorithms (like CBC), just decrypt normally
+        const decrypted = decipher.update(value);
+        decipher.final();
+        return (decrypted);
+    }
+    /**
+     * Get the value of the sensitive attribute
+     *
+     * This will decrypt the value using the account's private key
+     * and return the value as an ArrayBuffer
+     *
+     * Since sensitive attributes are binary blobs, this returns an
+     * ArrayBuffer
+     */
+    async get() {
+        const decryptedValue = await this.#decryptValue(arrayBufferLikeToBuffer(this.#info.encryptedValue));
+        return (bufferToArrayBuffer(decryptedValue));
+    }
+    async getValue() {
+        const value = await this.get();
+        if (!this.#decoder) {
+            /**
+             * TypeScript complains that T may not be the correct
+             * type here, but gives us no tools to enforce that it
+             * is -- it should always be ArrayBuffer if no decoder
+             * is provided, but someone could always specify a
+             * type parameter in that case and we cannot check
+             * that at runtime since T is only a compile-time type.
+             */
+            // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+            return value;
+        }
+        return (await this.#decoder(value));
+    }
+    /**
+     * Generate a proof that a sensitive attribute is a given value,
+     * which can be validated by a third party using the certificate
+     * and the `validateProof` method
+     */
+    async getProof() {
+        const value = await this.get();
+        const salt = await this.#decryptValue(arrayBufferLikeToBuffer(this.#info.hashedValue.encryptedSalt));
+        return ({
+            value: Buffer.from(value).toString('base64'),
+            hash: {
+                salt: salt.toString('base64')
+            }
+        });
+    }
+    /**
+     * Validate the proof that a sensitive attribute is a given value
+     */
+    async validateProof(proof) {
+        const plaintextValue = Buffer.from(proof.value, 'base64');
+        const proofSaltBuffer = Buffer.from(proof.hash.salt, 'base64');
+        const publicKeyBuffer = Buffer.from(this.#account.publicKey.get());
+        const encryptedValue = this.#info.encryptedValue;
+        const hashInput = Buffer.concat([proofSaltBuffer, publicKeyBuffer, encryptedValue, plaintextValue]);
+        const hashedAndSaltedValue = KeetaNetClient.lib.Utils.Hash.Hash(hashInput);
+        const hashedAndSaltedValueBuffer = Buffer.from(hashedAndSaltedValue);
+        return (this.#info.hashedValue.value.equals(hashedAndSaltedValueBuffer));
+    }
+    toJSON() {
+        const info = KeetaNetClient.lib.Utils.Conversion.toJSONSerializable(this.#info);
+        return (info);
+    }
+    /**
+     * Encrypt a value and create a new SensitiveAttribute
+     */
+    static async create(account, name, value) {
+        // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+        const encodedValue = encodeForSensitive(name, value);
+        const salt = crypto.randomBytes(32);
+        const hashingAlgorithm = KeetaNetClient.lib.Utils.Hash.HashFunctionName;
+        const publicKey = Buffer.from(account.publicKey.get());
+        const cipher = 'aes-256-gcm';
+        const key = crypto.randomBytes(32);
+        const nonce = crypto.randomBytes(12);
+        const encryptedKey = await account.encrypt(bufferToArrayBuffer(key));
+        function encrypt(input) {
+            const cipherObject = crypto.createCipheriv(cipher, key, nonce);
+            let retval = Buffer.concat([cipherObject.update(input), cipherObject.final()]);
+            // For AES-GCM, append the 16-byte authentication tag
+            if (cipher === 'aes-256-gcm') {
+                retval = Buffer.concat([retval, getGCMAuthTag(cipherObject)]);
+            }
+            return (retval);
+        }
+        const encryptedValue = encrypt(encodedValue);
+        const encryptedSalt = encrypt(arrayBufferLikeToBuffer(salt));
+        const saltedValue = Buffer.concat([salt, publicKey, encryptedValue, encodedValue]);
+        const hashedAndSaltedValue = KeetaNetClient.lib.Utils.Hash.Hash(saltedValue);
+        const attributeStructure = [
+            /* Version */
+            0n,
+            /* Cipher Details */
+            [
+                /* Algorithm */
+                { type: 'oid', oid: getOID(cipher, sensitiveAttributeOIDDB) },
+                /* IV or Nonce */
+                nonce,
+                /* Symmetric key, encrypted with the public key of the account */
+                Buffer.from(encryptedKey)
+            ],
+            /* Hashed Value */
+            [
+                /* Encrypted Salt */
+                Buffer.from(encryptedSalt),
+                /* Hashing Algorithm */
+                { type: 'oid', oid: getOID(hashingAlgorithm, sensitiveAttributeOIDDB) },
+                /* Hash of <Encrypted Salt> || <Public Key> || <Value> */
+                Buffer.from(hashedAndSaltedValue)
+            ],
+            /* Encrypted Value, encrypted with the Cipher above */
+            encryptedValue
+        ];
+        const encodedAttributeObject = ASN1.JStoASN1(attributeStructure);
+        const encryptedDER = encodedAttributeObject.toBER(false);
+        const decoder = function (data) {
+            // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+            return decodeForSensitive(name, data);
+        };
+        const result = new SensitiveAttribute(account, encryptedDER, decoder);
+        return (result);
+    }
+}
+//# sourceMappingURL=sensitive-attribute.js.map

package/lib/sensitive-attribute.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sensitive-attribute.js","sourceRoot":"","sources":["../../src/lib/sensitive-attribute.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,cAAc,MAAM,+BAA+B,CAAC;AAChE,OAAO,KAAK,IAAI,MAAM,mCAAmC,CAAC;AAC1D,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AACxC,OAAO,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,MAAM,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAC9G,OAAO,MAAM,MAAM,mBAAmB,CAAC;AAEvC,OAAO,EAAE,0BAA0B,EAAE,MAAM,uCAAuC,CAAC;AACnF,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAErD;;GAEG;AACH,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,oBAAoB,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAevG;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,gCAAgC,GAalC;IACH,EAAE;IACF;QACC,IAAI,CAAC,YAAY,CAAC,KAAK;QACvB,IAAI,CAAC,YAAY,CAAC,aAAa;QAC/B,IAAI,CAAC,YAAY,CAAC,aAAa;KAC/B;IACD;QACC,IAAI,CAAC,YAAY,CAAC,aAAa;QAC/B,IAAI,CAAC,YAAY,CAAC,KAAK;QACvB,IAAI,CAAC,YAAY,CAAC,aAAa;KAC/B;IACD,IAAI,CAAC,YAAY,CAAC,aAAa;CAC/B,CAAC;AASF;;GAEG;AACH,MAAM,uBAAuB,GAAG;IAC/B,aAAa,EAAE,IAAI,CAAC,WAAW;IAC/B,aAAa,EAAE,IAAI,CAAC,WAAW;IAC/B,UAAU,EAAE,IAAI,CAAC,QAAQ;IACzB,UAAU,EAAE,IAAI,CAAC,QAAQ;IACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;IACvB,YAAY,EAAE,IAAI,CAAC,WAAW;IAC9B,YAAY,EAAE,IAAI,CAAC,WAAW;CAC9B,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,IAA+B,EAAE,KAAc;IAC9E,MAAM,MAAM,GAAG,0BAA0B,CAAC,IAAI,CAAC,CAAC;IAEhD,IAAI,SAAS,CAAC;IACd,IAAI,CAAC;QACJ,SAAS,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC;IACvE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,MAAK,CAAC,IAAI,KAAK,CAAC,aAAa,IAAI,KAAK,OAAO,YAAY,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1F,CAAC;IAED,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAK,CAAC,IAAI,KAAK,CAAC,6CAA6C,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC7F,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;QACjB,MAAK,CAAC,IAAI,KAAK,CAAC,wCAAwC,IAAI,EAAE,CAAC,CAAC,CAAC;IAClE,CAAC;IAED,OAAM,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CACjC,IAA2C,EAC3C,KAAoD;IAEpD,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAAC,OAAM,CAAC,KAAK,CAAC,CAAC;IAAC,CAAC;IAC9C,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;QAAC,OAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC;IAAC,CAAC;IACzE,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACpE,OAAM,CAAC,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,IAAI,KAAK,YAAY,IAAI,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAClC,OAAM,CAAC,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACjD,IAAI,CAAC,IAAI,EAAE,CAAC;YAAC,MAAK,CAAC,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC,CAAC;QAAC,CAAC;QAC5E,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC7C,OAAM,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC,CAAC;IACtC,CAAC;IAED,OAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,GAAW;IACjC,OAAM,CAAC,MAAM,IAAI,GAAG,IAAI,OAAO,IAAI,GAAG,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;AACzE,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,KAAc;IAC5C,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxE,OAAM,CAAC,KAAK,CAAC,CAAC;IACf,CAAC;IACD,IAAI,KAAK,YAAY,IAAI,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;QACrF,OAAM,CAAC,KAAK,CAAC,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACxD,CAAC;IACD,4BAA4B;IAC5B,IAAI,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YAChE,OAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,IAAI,KAAK,CAAC,KAAK,YAAY,IAAI,EAAE,CAAC;YAC1D,OAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;IACF,CAAC;IACD,0CAA0C;IAC1C,MAAM,MAAM,GAA+B,EAAE,CAAC;IAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAClD,MAAM,CAAC,GAAG,CAAC,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC;IACD,OAAM,CAAC,MAAM,CAAC,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,MAAmB,EAAE,MAAe;IAC7D;;;;;;MAMK;IACL,IAAI,WAAuC,CAAC;IAC5C,IAAI,CAAC;QACJ,WAAW,GAAG,IAAK,IAAI,CAAC,iBAAyB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,OAAO,EAAoB,CAAC;IAC/F,CAAC;IAAC,MAAM,CAAC;QACR,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IACD,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;QAC/B,MAAK,CAAC,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,SAAS,GAAG,IAAK,IAAI,CAAC,YAAoB,CAAC,MAAM,CAAC,CAAC;IACzD,OAAM,CAAC,SAAS,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC,CAAC;IAClD,mBAAmB;AACpB,CAAC;AAED;;;GAGG;AACH,iGAAiG;AACjG,SAAS,aAAa,CAAC,MAAgD;IACtE,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,YAAY,CAA+B,CAAC;IACnF,IAAI,OAAO,UAAU,KAAK,UAAU,EAAE,CAAC;QACtC,MAAK,CAAC,IAAI,SAAS,CAAC,uCAAuC,CAAC,CAAC,CAAC;IAC/D,CAAC;IACD,OAAM,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,aAAa,CAAC,QAAoD,EAAE,GAAW;IACvF,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAwC,CAAC;IAC9F,IAAI,OAAO,UAAU,KAAK,UAAU,EAAE,CAAC;QACtC,MAAK,CAAC,IAAI,SAAS,CAAC,yCAAyC,CAAC,CAAC,CAAC;IACjE,CAAC;IACD,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;AAChC,CAAC;AACD,iEAAiE;AAEjE;;;;GAIG;AACH,SAAS,kBAAkB,CAC1B,IAA+B,EAC/B,IAA0B;IAE1B,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACxE,MAAM,MAAM,GAAY,0BAA0B,CAAC,IAAI,CAAC,CAAC;IACzD,MAAM,WAAW,GAAG,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrD,OAAM,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC,CAAC;AAC5C,CAAC;AAkBD,MAAM,OAAO,kBAAkB;IACtB,MAAM,CAAU,8BAA8B,GAAG,sCAAsC,CAAC;IAC/E,8BAA8B,CAAU;IAEhD,QAAQ,CAAkB;IAC1B,aAAa,CAAc;IAC3B,KAAK,CAA8C;IACnD,QAAQ,CAAkD;IAEnE,YACC,OAAwB,EACxB,IAA0B,EAC1B,OAAwD;QAExD,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,gCAAgC,EAAE;YAC7D,KAAK,EAAE,kBAAkB,CAAC,8BAA8B;YACxD,UAAU,EAAE,KAAK;SACjB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC/B,IAAI,OAAO,EAAE,CAAC;YACb,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACzB,CAAC;IACF,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAc;QAC/B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACjD,OAAM,CAAC,KAAK,CAAC,CAAC;QACf,CAAC;QAED,OAAM,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,gCAAgC,CAAC,KAAK,kBAAkB,CAAC,8BAA8B,CAAC,CAAC;IACpH,CAAC;IAED;;OAEG;IACH,IAAI,SAAS;QACZ,OAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,KAAK;QACJ,OAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC5B,CAAC;IAEO,MAAM,CAAC,IAA0B;QACxC,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,IAAI,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAClC,CAAC;QAED,IAAI,gBAAgB,CAAC;QACrB,IAAI,CAAC;YACJ,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,gCAAgC,CAAC,CAAC;YACtF,gBAAgB,GAAG,UAAU,CAAC,OAAO,EAAE,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACR,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC/B,MAAK,CAAC,IAAI,KAAK,CAAC,mDAAmD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAChG,CAAC;QAED,MAAM,cAAc,GAAG,gBAAgB,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;QAChD,IAAI,cAAc,KAAK,EAAE,EAAE,CAAC;YAC3B,MAAK,CAAC,IAAI,KAAK,CAAC,4CAA4C,cAAc,GAAG,CAAC,CAAC,CAAC;QACjF,CAAC;QAED,OAAM,CAAC;YACN,OAAO,EAAE,cAAc;YACvB,SAAS,EAAE,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,GAAG,EAAE;YAC9C,MAAM,EAAE;gBACP,SAAS,EAAE,WAAW,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,uBAAuB,CAAC;gBAC3E,EAAE,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1B,GAAG,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;aAC3B;YACD,WAAW,EAAE;gBACZ,aAAa,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACrC,SAAS,EAAE,WAAW,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,uBAAuB,CAAC;gBAC3E,KAAK,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;aAC7B;YACD,cAAc,EAAE,gBAAgB,CAAC,CAAC,CAAC;SACnC,CAAC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAAa;QAChC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC7F,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC;QAC9C,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;QAEhC,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC,CAAC;QAEnF,8DAA8D;QAC9D,IAAI,SAAS,KAAK,aAAa,EAAE,CAAC;YACjC,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC;YACpC,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;YAE1C,aAAa,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEjC,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAC9C,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,kBAAkB;YACpC,OAAM,CAAC,SAAS,CAAC,CAAC;QACnB,CAAC;QAED,yDAAyD;QACzD,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzC,QAAQ,CAAC,KAAK,EAAE,CAAC;QACjB,OAAM,CAAC,SAAS,CAAC,CAAC;IACnB,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,GAAG;QACR,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC;QACpG,OAAM,CAAC,mBAAmB,CAAC,cAAc,CAAC,CAAC,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,QAAQ;QACb,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,EAAE,CAAC;QAC/B,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpB;;;;;;;eAOG;YACH,yEAAyE;YACzE,OAAO,KAAsB,CAAC;QAC/B,CAAC;QACD,OAAM,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;IACpC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,QAAQ;QACb,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC,CAAC;QAErG,OAAM,CAAC;YACN,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC5C,IAAI,EAAE;gBACL,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;aAC7B;SACD,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,KAA4C;QAC/D,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC1D,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAE/D,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,GAAG,EAAE,CAAC,CAAC;QACnE,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC;QAEjD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,eAAe,EAAE,eAAe,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC,CAAC;QACpG,MAAM,oBAAoB,GAAG,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3E,MAAM,0BAA0B,GAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QAErE,OAAM,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC,CAAC;IACzE,CAAC;IAED,MAAM;QACL,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChF,OAAM,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,MAAM,CAClB,OAAwB,EACxB,IAAO,EACP,KAA0D;QAE1D,yEAAyE;QACzE,MAAM,YAAY,GAAG,kBAAkB,CAAC,IAAI,EAAE,KAAsD,CAAC,CAAC;QAEtG,MAAM,IAAI,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAEpC,MAAM,gBAAgB,GAAG,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC;QACxE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,EAAE,CAAC,CAAC;QAEvD,MAAM,MAAM,GAAG,aAAa,CAAC;QAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC;QAErE,SAAS,OAAO,CAAC,KAAa;YAC7B,MAAM,YAAY,GAAG,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAC/D,IAAI,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAE/E,qDAAqD;YACrD,IAAI,MAAM,KAAK,aAAa,EAAE,CAAC;gBAC9B,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC/D,CAAC;YAED,OAAM,CAAC,MAAM,CAAC,CAAC;QAChB,CAAC;QAED,MAAM,cAAc,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;QAC7C,MAAM,aAAa,GAAG,OAAO,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;QAE7D,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,SAAS,EAAE,cAAc,EAAE,YAAY,CAAC,CAAC,CAAC;QACnF,MAAM,oBAAoB,GAAG,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAE7E,MAAM,kBAAkB,GAA6B;YACpD,aAAa;YACb,EAAE;YACF,oBAAoB;YACpB;gBACC,eAAe;gBACf,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE;gBAC7D,iBAAiB;gBACjB,KAAK;gBACL,iEAAiE;gBACjE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC;aACzB;YACD,kBAAkB;YAClB;gBACC,oBAAoB;gBACpB,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC;gBAC1B,uBAAuB;gBACvB,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,gBAAgB,EAAE,uBAAuB,CAAC,EAAE;gBACvE,yDAAyD;gBACzD,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC;aACjC;YACD,sDAAsD;YACtD,cAAc;SACd,CAAC;QAEF,MAAM,sBAAsB,GAAG,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,sBAAsB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAEzD,MAAM,OAAO,GAAG,UAAS,IAA0B;YAClD,yEAAyE;YACzE,OAAO,kBAAkB,CAAC,IAAI,EAAE,IAAI,CAAkC,CAAC;QACxE,CAAC,CAAC;QAEF,MAAM,MAAM,GAAG,IAAI,kBAAkB,CAA+B,OAAO,EAAE,YAAY,EAAE,OAAO,CAAC,CAAC;QACpG,OAAM,CAAC,MAAM,CAAC,CAAC;IAChB,CAAC","sourcesContent":["import * as KeetaNetClient from '@keetanetwork/keetanet-client';\nimport * as oids from '../services/kyc/oids.generated.js';\nimport * as ASN1 from './utils/asn1.js';\nimport { arrayBufferLikeToBuffer, arrayBufferToBuffer, Buffer, bufferToArrayBuffer } from './utils/buffer.js';\nimport crypto from './utils/crypto.js';\nimport type { SensitiveAttributeType, CertificateAttributeValue , CertificateAttributeOIDDB } from '../services/kyc/iso20022.generated.js';\nimport { CertificateAttributeSchema } from '../services/kyc/iso20022.generated.js';\nimport { getOID, lookupByOID } from './utils/oid.js';\n\n/**\n * Short alias for printing a debug representation of an object\n */\nconst DPO = KeetaNetClient.lib.Utils.Helper.debugPrintableObject.bind(KeetaNetClient.lib.Utils.Helper);\n\n/* ENUM */\ntype AccountKeyAlgorithm = InstanceType<typeof KeetaNetClient.lib.Account>['keyType'];\n\n/**\n * An alias for the KeetaNetAccount type\n */\ntype KeetaNetAccount = ReturnType<typeof KeetaNetClient.lib.Account.fromSeed<AccountKeyAlgorithm>>;\n\n/**\n * Type for certificate attribute names (derived from generated OID database)\n */\nexport type CertificateAttributeNames = keyof typeof CertificateAttributeOIDDB;\n\n/**\n * Sensitive Attribute Schema\n *\n * ASN.1 Schema:\n * SensitiveAttributes DEFINITIONS ::= BEGIN\n *         SensitiveAttribute ::= SEQUENCE {\n *                 version        INTEGER { v1(0) },\n *                 cipher         SEQUENCE {\n *                         algorithm    OBJECT IDENTIFIER,\n *                         ivOrNonce    OCTET STRING,\n *                         key          OCTET STRING\n *                 },\n *                 hashedValue    SEQUENCE {\n *                         encryptedSalt  OCTET STRING,\n *                         algorithm      OBJECT IDENTIFIER,\n *                         value          OCTET STRING\n *                 },\n *                 encryptedValue OCTET STRING\n *         }\n * END\n *\n * https://keeta.notion.site/Keeta-KYC-Certificate-Extensions-13e5da848e588042bdcef81fc40458b7\n *\n * @internal\n */\nconst SensitiveAttributeSchemaInternal: [\n\tversion: 0n,\n\tcipher: [\n\t\talgorithm: typeof ASN1.ValidateASN1.IsOID,\n\t\tiv: typeof ASN1.ValidateASN1.IsOctetString,\n\t\tkey: typeof ASN1.ValidateASN1.IsOctetString\n\t],\n\thashedValue: [\n\t\tencryptedSalt: typeof ASN1.ValidateASN1.IsOctetString,\n\t\talgorithm: typeof ASN1.ValidateASN1.IsOID,\n\t\tvalue: typeof ASN1.ValidateASN1.IsOctetString\n\t],\n\tencryptedValue: typeof ASN1.ValidateASN1.IsOctetString\n] = [\n\t0n,\n\t[\n\t\tASN1.ValidateASN1.IsOID,\n\t\tASN1.ValidateASN1.IsOctetString,\n\t\tASN1.ValidateASN1.IsOctetString\n\t],\n\t[\n\t\tASN1.ValidateASN1.IsOctetString,\n\t\tASN1.ValidateASN1.IsOID,\n\t\tASN1.ValidateASN1.IsOctetString\n\t],\n\tASN1.ValidateASN1.IsOctetString\n];\n\n/**\n * The Sensitive Attribute Schema Internal\n *\n * @internal\n */\ntype SensitiveAttributeSchema = ASN1.SchemaMap<typeof SensitiveAttributeSchemaInternal>;\n\n/*\n * Database of permitted algorithms and their OIDs\n */\nconst sensitiveAttributeOIDDB = {\n\t'aes-256-gcm': oids.AES_256_GCM,\n\t'aes-256-cbc': oids.AES_256_CBC,\n\t'sha2-256': oids.SHA2_256,\n\t'sha3-256': oids.SHA3_256,\n\t'sha256': oids.SHA2_256,\n\t'aes256-gcm': oids.AES_256_GCM,\n\t'aes256-cbc': oids.AES_256_CBC\n};\n\n/**\n * Encode an attribute value using its ASN.1 schema\n */\nexport function encodeAttribute(name: CertificateAttributeNames, value: unknown): ArrayBuffer {\n\tconst schema = CertificateAttributeSchema[name];\n\n\tlet encodedJS;\n\ttry {\n\t\tencodedJS = new ASN1.ValidateASN1(schema).fromJavaScriptObject(value);\n\t} catch (err) {\n\t\tconst message = err instanceof Error ? err.message : String(err);\n\t\tthrow(new Error(`Attribute ${name}: ${message} (value: ${JSON.stringify(DPO(value))})`));\n\t}\n\n\tif (encodedJS === undefined) {\n\t\tthrow(new Error(`Unsupported attribute value for encoding: ${JSON.stringify(DPO(value))}`));\n\t}\n\n\tconst asn1Object = ASN1.JStoASN1(encodedJS);\n\tif (!asn1Object) {\n\t\tthrow(new Error(`Failed to encode value for attribute ${name}`));\n\t}\n\n\treturn(asn1Object.toBER(false));\n}\n\n/**\n * Prepare a value for inclusion in a SensitiveAttribute: pre-encode complex and date types\n */\nexport function encodeForSensitive(\n\tname: CertificateAttributeNames | undefined,\n\tvalue: SensitiveAttributeType | Buffer | ArrayBuffer\n): Buffer {\n\tif (Buffer.isBuffer(value)) { return(value); }\n\tif (value instanceof ArrayBuffer) { return(arrayBufferToBuffer(value)); }\n\tif (typeof value === 'string') {\n\t\tconst asn1 = ASN1.JStoASN1({ type: 'string', kind: 'utf8', value });\n\t\treturn(arrayBufferToBuffer(asn1.toBER(false)));\n\t}\n\n\tif (value instanceof Date) {\n\t\tconst asn1 = ASN1.JStoASN1(value);\n\t\treturn(arrayBufferToBuffer(asn1.toBER(false)));\n\t}\n\n\tif (typeof value === 'object' && value !== null) {\n\t\tif (!name) { throw(new Error('attributeName required for complex types')); }\n\t\tconst encoded = encodeAttribute(name, value);\n\t\treturn(arrayBufferToBuffer(encoded));\n\t}\n\n\treturn(Buffer.from(String(value), 'utf-8'));\n}\n\n/**\n * Check if value is an ASN.1-like wrapper object\n */\nfunction isASN1Wrapper(obj: object): obj is { type: string; value: unknown } {\n\treturn('type' in obj && 'value' in obj && typeof obj.type === 'string');\n}\n\n/**\n * Normalize the result (unwrap ASN.1-like objects)\n */\nfunction normalizeDecodedValue(input: unknown): unknown {\n\tif (input === undefined || input === null || typeof input !== 'object') {\n\t\treturn(input);\n\t}\n\tif (input instanceof Date || Buffer.isBuffer(input) || input instanceof ArrayBuffer) {\n\t\treturn(input);\n\t}\n\tif (Array.isArray(input)) {\n\t\treturn(input.map(item => normalizeDecodedValue(item)));\n\t}\n\t// Unwrap ASN.1-like objects\n\tif (isASN1Wrapper(input)) {\n\t\tif (input.type === 'string' && typeof input.value === 'string') {\n\t\t\treturn(input.value);\n\t\t}\n\t\tif (input.type === 'date' && input.value instanceof Date) {\n\t\t\treturn(input.value);\n\t\t}\n\t}\n\t// Recursively normalize object properties\n\tconst result: { [key: string]: unknown } = {};\n\tfor (const [key, value] of Object.entries(input)) {\n\t\tresult[key] = normalizeDecodedValue(value);\n\t}\n\treturn(result);\n}\n\n/**\n * Decode ASN.1 data using a schema\n *\n * Note: The ASN1 library uses dynamic typing internally, so we consolidate\n * the unsafe operations here rather than scattering them throughout the code.\n */\nfunction decodeWithSchema(buffer: ArrayBuffer, schema: unknown): unknown {\n\t/* eslint-disable\n        @typescript-eslint/no-explicit-any,\n        @typescript-eslint/consistent-type-assertions,\n\t\t@typescript-eslint/no-unsafe-member-access,\n        @typescript-eslint/no-unsafe-call,\n\t\t@typescript-eslint/no-unsafe-assignment\n    */\n\tlet decodedASN1: ASN1.ASN1AnyJS | undefined;\n\ttry {\n\t\tdecodedASN1 = new (ASN1.BufferStorageASN1 as any)(buffer, schema).getASN1() as ASN1.ASN1AnyJS;\n\t} catch {\n\t\tdecodedASN1 = ASN1.ASN1toJS(buffer);\n\t}\n\tif (decodedASN1 === undefined) {\n\t\tthrow(new Error('Failed to decode ASN1 data'));\n\t}\n\n\tconst validator = new (ASN1.ValidateASN1 as any)(schema);\n\treturn(validator.toJavaScriptObject(decodedASN1));\n\t/* eslint-enable */\n}\n\n/**\n * GCM cipher helpers - Node's crypto types don't properly type getAuthTag/setAuthTag\n * when using createCipheriv/createDecipheriv, so we use typed wrappers.\n */\n/* eslint-disable @typescript-eslint/consistent-type-assertions -- Reflect.get returns unknown */\nfunction getGCMAuthTag(cipher: ReturnType<typeof crypto.createCipheriv>): Buffer {\n\tconst getAuthTag = Reflect.get(cipher, 'getAuthTag') as (() => Buffer) | undefined;\n\tif (typeof getAuthTag !== 'function') {\n\t\tthrow(new TypeError('getAuthTag is not available on cipher'));\n\t}\n\treturn(getAuthTag.call(cipher));\n}\n\nfunction setGCMAuthTag(decipher: ReturnType<typeof crypto.createDecipheriv>, tag: Buffer): void {\n\tconst setAuthTag = Reflect.get(decipher, 'setAuthTag') as ((tag: Buffer) => void) | undefined;\n\tif (typeof setAuthTag !== 'function') {\n\t\tthrow(new TypeError('setAuthTag is not available on decipher'));\n\t}\n\tsetAuthTag.call(decipher, tag);\n}\n/* eslint-enable @typescript-eslint/consistent-type-assertions */\n\n/**\n * Decode a value from its ASN.1 representation back to the original type\n *\n * @internal\n */\nfunction decodeForSensitive(\n\tname: CertificateAttributeNames,\n\tdata: Buffer | ArrayBuffer\n): unknown {\n\tconst buffer = Buffer.isBuffer(data) ? bufferToArrayBuffer(data) : data;\n\tconst schema: unknown = CertificateAttributeSchema[name];\n\tconst plainObject = decodeWithSchema(buffer, schema);\n\treturn(normalizeDecodedValue(plainObject));\n}\n\nexport type SensitiveAttributeJSON = {\n\tversion: string;\n\tpublicKey: string;\n\tcipher: {\n\t\talgorithm: string;\n\t\tiv: string;\n\t\tkey: string;\n\t};\n\thashedValue: {\n\t\tencryptedSalt: string;\n\t\talgorithm: string;\n\t\tvalue: string;\n\t};\n\tencryptedValue: string;\n};\n\nexport class SensitiveAttribute<T = ArrayBuffer> {\n\tprivate static readonly SensitiveAttributeObjectTypeID = 'c0cc9591-cebb-4441-babe-23739279e3f2';\n\tprivate readonly SensitiveAttributeObjectTypeID!: string;\n\n\treadonly #account: KeetaNetAccount;\n\treadonly #encryptedDER: ArrayBuffer;\n\treadonly #info: ReturnType<SensitiveAttribute<T>['decode']>;\n\treadonly #decoder?: (data: Buffer | ArrayBuffer) => T | Promise<T>;\n\n\tconstructor(\n\t\taccount: KeetaNetAccount,\n\t\tdata: Buffer | ArrayBuffer,\n\t\tdecoder?: (data: Buffer | ArrayBuffer) => T | Promise<T>\n\t) {\n\t\tObject.defineProperty(this, 'SensitiveAttributeObjectTypeID', {\n\t\t\tvalue: SensitiveAttribute.SensitiveAttributeObjectTypeID,\n\t\t\tenumerable: false\n\t\t});\n\n\t\tthis.#account = account;\n\t\tthis.#encryptedDER = Buffer.isBuffer(data) ? bufferToArrayBuffer(data) : data;\n\t\tthis.#info = this.decode(data);\n\t\tif (decoder) {\n\t\t\tthis.#decoder = decoder;\n\t\t}\n\t}\n\n\t/**\n\t * Check if a value is a SensitiveAttribute instance\n\t */\n\tstatic isInstance(input: unknown): input is SensitiveAttribute<unknown> {\n\t\tif (typeof input !== 'object' || input === null) {\n\t\t\treturn(false);\n\t\t}\n\n\t\treturn(Reflect.get(input, 'SensitiveAttributeObjectTypeID') === SensitiveAttribute.SensitiveAttributeObjectTypeID);\n\t}\n\n\t/**\n\t * Get the public key this attribute was encrypted for\n\t */\n\tget publicKey(): string {\n\t\treturn(this.#account.publicKeyString.get());\n\t}\n\n\t/**\n\t * Get the raw encrypted DER for certificate embedding\n\t */\n\ttoDER(): ArrayBuffer {\n\t\treturn(this.#encryptedDER);\n\t}\n\n\tprivate decode(data: Buffer | ArrayBuffer) {\n\t\tif (Buffer.isBuffer(data)) {\n\t\t\tdata = bufferToArrayBuffer(data);\n\t\t}\n\n\t\tlet decodedAttribute;\n\t\ttry {\n\t\t\tconst dataObject = new ASN1.BufferStorageASN1(data, SensitiveAttributeSchemaInternal);\n\t\t\tdecodedAttribute = dataObject.getASN1();\n\t\t} catch {\n\t\t\tconst js = ASN1.ASN1toJS(data);\n\t\t\tthrow(new Error(`SensitiveAttribute.decode: unexpected DER shape ${JSON.stringify(DPO(js))}`));\n\t\t}\n\n\t\tconst decodedVersion = decodedAttribute[0] + 1n;\n\t\tif (decodedVersion !== 1n) {\n\t\t\tthrow(new Error(`Unsupported Sensitive Attribute version (${decodedVersion})`));\n\t\t}\n\n\t\treturn({\n\t\t\tversion: decodedVersion,\n\t\t\tpublicKey: this.#account.publicKeyString.get(),\n\t\t\tcipher: {\n\t\t\t\talgorithm: lookupByOID(decodedAttribute[1][0].oid, sensitiveAttributeOIDDB),\n\t\t\t\tiv: decodedAttribute[1][1],\n\t\t\t\tkey: decodedAttribute[1][2]\n\t\t\t},\n\t\t\thashedValue: {\n\t\t\t\tencryptedSalt: decodedAttribute[2][0],\n\t\t\t\talgorithm: lookupByOID(decodedAttribute[2][1].oid, sensitiveAttributeOIDDB),\n\t\t\t\tvalue: decodedAttribute[2][2]\n\t\t\t},\n\t\t\tencryptedValue: decodedAttribute[3]\n\t\t});\n\t}\n\n\tasync #decryptValue(value: Buffer) {\n\t\tconst decryptedKey = await this.#account.decrypt(bufferToArrayBuffer(this.#info.cipher.key));\n\t\tconst algorithm = this.#info.cipher.algorithm;\n\t\tconst iv = this.#info.cipher.iv;\n\n\t\tconst decipher = crypto.createDecipheriv(algorithm, Buffer.from(decryptedKey), iv);\n\n\t\t// For AES-GCM, extract and set the 16-byte authentication tag\n\t\tif (algorithm === 'aes-256-gcm') {\n\t\t\tconst authTag = value.subarray(-16);\n\t\t\tconst ciphertext = value.subarray(0, -16);\n\n\t\t\tsetGCMAuthTag(decipher, authTag);\n\n\t\t\tconst decrypted = decipher.update(ciphertext);\n\t\t\tdecipher.final(); // Verify auth tag\n\t\t\treturn(decrypted);\n\t\t}\n\n\t\t// For other algorithms (like CBC), just decrypt normally\n\t\tconst decrypted = decipher.update(value);\n\t\tdecipher.final();\n\t\treturn(decrypted);\n\t}\n\n\t/**\n\t * Get the value of the sensitive attribute\n\t *\n\t * This will decrypt the value using the account's private key\n\t * and return the value as an ArrayBuffer\n\t *\n\t * Since sensitive attributes are binary blobs, this returns an\n\t * ArrayBuffer\n\t */\n\tasync get(): Promise<ArrayBuffer> {\n\t\tconst decryptedValue = await this.#decryptValue(arrayBufferLikeToBuffer(this.#info.encryptedValue));\n\t\treturn(bufferToArrayBuffer(decryptedValue));\n\t}\n\n\tasync getValue(): Promise<T> {\n\t\tconst value = await this.get();\n\t\tif (!this.#decoder) {\n\t\t\t/**\n\t\t\t * TypeScript complains that T may not be the correct\n\t\t\t * type here, but gives us no tools to enforce that it\n\t\t\t * is -- it should always be ArrayBuffer if no decoder\n\t\t\t * is provided, but someone could always specify a\n\t\t\t * type parameter in that case and we cannot check\n\t\t\t * that at runtime since T is only a compile-time type.\n\t\t\t */\n\t\t\t// eslint-disable-next-line @typescript-eslint/consistent-type-assertions\n\t\t\treturn(value as unknown as T);\n\t\t}\n\t\treturn(await this.#decoder(value));\n\t}\n\n\t/**\n\t * Generate a proof that a sensitive attribute is a given value,\n\t * which can be validated by a third party using the certificate\n\t * and the `validateProof` method\n\t */\n\tasync getProof(): Promise<{ value: string; hash: { salt: string }}> {\n\t\tconst value = await this.get();\n\t\tconst salt = await this.#decryptValue(arrayBufferLikeToBuffer(this.#info.hashedValue.encryptedSalt));\n\n\t\treturn({\n\t\t\tvalue: Buffer.from(value).toString('base64'),\n\t\t\thash: {\n\t\t\t\tsalt: salt.toString('base64')\n\t\t\t}\n\t\t});\n\t}\n\n\t/**\n\t * Validate the proof that a sensitive attribute is a given value\n\t */\n\tasync validateProof(proof: Awaited<ReturnType<this['getProof']>>): Promise<boolean> {\n\t\tconst plaintextValue = Buffer.from(proof.value, 'base64');\n\t\tconst proofSaltBuffer = Buffer.from(proof.hash.salt, 'base64');\n\n\t\tconst publicKeyBuffer = Buffer.from(this.#account.publicKey.get());\n\t\tconst encryptedValue = this.#info.encryptedValue;\n\n\t\tconst hashInput = Buffer.concat([proofSaltBuffer, publicKeyBuffer, encryptedValue, plaintextValue]);\n\t\tconst hashedAndSaltedValue = KeetaNetClient.lib.Utils.Hash.Hash(hashInput);\n\t\tconst hashedAndSaltedValueBuffer = Buffer.from(hashedAndSaltedValue);\n\n\t\treturn(this.#info.hashedValue.value.equals(hashedAndSaltedValueBuffer));\n\t}\n\n\ttoJSON(): SensitiveAttributeJSON {\n\t\tconst info = KeetaNetClient.lib.Utils.Conversion.toJSONSerializable(this.#info);\n\t\treturn(info);\n\t}\n\n\t/**\n\t * Encrypt a value and create a new SensitiveAttribute\n\t */\n\tstatic async create<K extends CertificateAttributeNames>(\n\t\taccount: KeetaNetAccount,\n\t\tname: K,\n\t\tvalue: CertificateAttributeValue<K> | Buffer | ArrayBuffer\n\t): Promise<SensitiveAttribute<CertificateAttributeValue<K>>> {\n\t\t// eslint-disable-next-line @typescript-eslint/consistent-type-assertions\n\t\tconst encodedValue = encodeForSensitive(name, value as SensitiveAttributeType | Buffer | ArrayBuffer);\n\n\t\tconst salt = crypto.randomBytes(32);\n\n\t\tconst hashingAlgorithm = KeetaNetClient.lib.Utils.Hash.HashFunctionName;\n\t\tconst publicKey = Buffer.from(account.publicKey.get());\n\n\t\tconst cipher = 'aes-256-gcm';\n\t\tconst key = crypto.randomBytes(32);\n\t\tconst nonce = crypto.randomBytes(12);\n\t\tconst encryptedKey = await account.encrypt(bufferToArrayBuffer(key));\n\n\t\tfunction encrypt(input: Buffer) {\n\t\t\tconst cipherObject = crypto.createCipheriv(cipher, key, nonce);\n\t\t\tlet retval = Buffer.concat([cipherObject.update(input), cipherObject.final()]);\n\n\t\t\t// For AES-GCM, append the 16-byte authentication tag\n\t\t\tif (cipher === 'aes-256-gcm') {\n\t\t\t\tretval = Buffer.concat([retval, getGCMAuthTag(cipherObject)]);\n\t\t\t}\n\n\t\t\treturn(retval);\n\t\t}\n\n\t\tconst encryptedValue = encrypt(encodedValue);\n\t\tconst encryptedSalt = encrypt(arrayBufferLikeToBuffer(salt));\n\n\t\tconst saltedValue = Buffer.concat([salt, publicKey, encryptedValue, encodedValue]);\n\t\tconst hashedAndSaltedValue = KeetaNetClient.lib.Utils.Hash.Hash(saltedValue);\n\n\t\tconst attributeStructure: SensitiveAttributeSchema = [\n\t\t\t/* Version */\n\t\t\t0n,\n\t\t\t/* Cipher Details */\n\t\t\t[\n\t\t\t\t/* Algorithm */\n\t\t\t\t{ type: 'oid', oid: getOID(cipher, sensitiveAttributeOIDDB) },\n\t\t\t\t/* IV or Nonce */\n\t\t\t\tnonce,\n\t\t\t\t/* Symmetric key, encrypted with the public key of the account */\n\t\t\t\tBuffer.from(encryptedKey)\n\t\t\t],\n\t\t\t/* Hashed Value */\n\t\t\t[\n\t\t\t\t/* Encrypted Salt */\n\t\t\t\tBuffer.from(encryptedSalt),\n\t\t\t\t/* Hashing Algorithm */\n\t\t\t\t{ type: 'oid', oid: getOID(hashingAlgorithm, sensitiveAttributeOIDDB) },\n\t\t\t\t/* Hash of <Encrypted Salt> || <Public Key> || <Value> */\n\t\t\t\tBuffer.from(hashedAndSaltedValue)\n\t\t\t],\n\t\t\t/* Encrypted Value, encrypted with the Cipher above */\n\t\t\tencryptedValue\n\t\t];\n\n\t\tconst encodedAttributeObject = ASN1.JStoASN1(attributeStructure);\n\t\tconst encryptedDER = encodedAttributeObject.toBER(false);\n\n\t\tconst decoder = function(data: Buffer | ArrayBuffer): CertificateAttributeValue<K> {\n\t\t\t// eslint-disable-next-line @typescript-eslint/consistent-type-assertions\n\t\t\treturn(decodeForSensitive(name, data) as CertificateAttributeValue<K>);\n\t\t};\n\n\t\tconst result = new SensitiveAttribute<CertificateAttributeValue<K>>(account, encryptedDER, decoder);\n\t\treturn(result);\n\t}\n}\n"]}

package/lib/token-metadata.d.ts

@@ -0,0 +1,21 @@
+export interface TokenMetadata {
+    decimalPlaces: number;
+    logoURI?: string;
+}
+export interface TokenMetadataJSON extends Omit<TokenMetadata, "decimalPlaces"> {
+    decimalPlaces: number | string;
+}
+/**
+ * Parse token metadata from a base64-encoded JSON string or a TokenMetadataJSON object, returning a TokenMetadata object.
+ * @param encoded the value to parse
+ * @returns the parsed TokenMetadata object
+ */
+export declare function decodeTokenMetadata(encoded: string | TokenMetadataJSON | TokenMetadata): TokenMetadata;
+/**
+ * Encodes token metadata into a base64-encoded JSON string.
+ *
+ * @param metadata - The token metadata to encode {@link TokenMetadata}
+ * @returns The base64-encoded JSON string containing the token metadata
+ */
+export declare function encodeTokenMetadata(metadata: TokenMetadata | TokenMetadataJSON): string;
+//# sourceMappingURL=token-metadata.d.ts.map

package/lib/token-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-metadata.d.ts","sourceRoot":"","sources":["../../src/lib/token-metadata.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,aAAa;IAC7B,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;CACjB;AAGD,MAAM,WAAW,iBAAkB,SAAQ,IAAI,CAAC,aAAa,EAAE,eAAe,CAAC;IAC9E,aAAa,EAAE,MAAM,GAAG,MAAM,CAAC;CAC/B;AAgCD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,GAAG,aAAa,GAAG,aAAa,CAYtG;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,aAAa,GAAG,iBAAiB,GAAG,MAAM,CAKvF"}

package/lib/token-metadata.generated.d.ts

@@ -0,0 +1,5 @@
+import type { TokenMetadataJSON } from "./token-metadata.js";
+export declare const parseTokenMetadataJSON: (input: string) => TokenMetadataJSON;
+export declare const stringifyTokenMetadataJSON: (input: TokenMetadataJSON) => string;
+export declare const assertTokenMetadataJSON: (input: unknown) => TokenMetadataJSON;
+//# sourceMappingURL=token-metadata.generated.d.ts.map

package/lib/token-metadata.generated.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-metadata.generated.d.ts","sourceRoot":"","sources":["../../src/lib/token-metadata.generated.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAE7D,eAAO,MAAM,sBAAsB,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,iBAA+D,CAAC;AACxH,eAAO,MAAM,0BAA0B,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,MAAkD,CAAC;AAC1H,eAAO,MAAM,uBAAuB,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,iBAAqD,CAAC"}