@limrun/ui 0.9.0-rc.12 → 0.9.0-rc.14

package/src/components/remote-control.tsx

@@ -142,33 +142,25 @@ interface RemoteControlProps {
   axMaxBackoffMs?: number;
 
   /**
-   * Optional outbound camera input.
+   * Fires whenever the iOS simulator's camera demand state changes —
+   * i.e. an app inside the sim called
+   * `[AVCaptureSession startRunning]` or `[stopRunning]`. The
+   * component handles the `navigator.mediaDevices.getUserMedia` prompt
+   * and SDP plumbing internally; this callback is purely so the host
+   * UI can render a status indicator ("simulator is using your
+   * camera", etc.).
    *
-   * When provided, every video track on this `MediaStream` is forwarded
-   * up the same `RTCPeerConnection` that already carries the device
-   * screen downstream. On iOS instances, the limulator-side injector
-   * splices those frames into apps that use AVFoundation, so the user's
-   * browser camera becomes the iOS camera (`AVCaptureDevice.default(for:
-   * .video)`).
+   * `active` reflects whether the sim is currently asking for
+   * frames. `granted` is set only on the call that follows a
+   * `getUserMedia` attempt: `true` when the user accepted the
+   * browser prompt, `false` when they denied or the call failed
+   * (in which case the limulator side switches to a black-frame
+   * fallback so the app keeps ticking).
    *
-   * Today this is only honored by iOS instances launched with the
-   * camera runtime; Android instances ignore it.
-   *
-   * Lifecycle expectations:
-   * - Pass `null`/`undefined` to skip outbound camera (default).
-   * - Pass a `MediaStream` obtained from
-   *   `navigator.mediaDevices.getUserMedia({ video: true })` (or any
-   *   other source — screen capture, virtual camera, etc.).
-   * - Changing the `MediaStream.id` triggers a connection restart so
-   *   the new track is included in the SDP offer. The reference itself
-   *   is allowed to be unstable across renders — we key the reconnect
-   *   on `id`, not object identity, so memoization isn't required.
-   * - Stopping the tracks (e.g. `track.stop()`) on the parent side is
-   *   sufficient to cut the outbound feed without restarting; the peer
-   *   connection just stops getting frames on that track. To fully
-   *   detach the track from the SDP, swap the prop to `null`.
+   * Only iOS instances ever fire this callback; Android instances
+   * have no camera-injector path and stay silent.
    */
-  cameraStream?: MediaStream | null;
+  onCameraDemandChange?: (active: boolean, granted?: boolean) => void;
 }
 
 interface ScreenshotData {
@@ -367,7 +359,7 @@ export const RemoteControl = forwardRef<RemoteControlHandle, RemoteControlProps>
       onAxStatusChange,
       axPollIntervalMs,
       axMaxBackoffMs,
-      cameraStream,
+      onCameraDemandChange,
     }: RemoteControlProps,
     ref,
   ) => {
@@ -393,13 +385,29 @@ export const RemoteControl = forwardRef<RemoteControlHandle, RemoteControlProps>
     // Mirrored to a ref so stale closures in event handlers see the latest value.
     const autoReconnectRef = useRef(autoReconnect);
     autoReconnectRef.current = autoReconnect;
-    // Outbound camera input. Held in a ref so the deferred WebRTC setup
-    // path picks up the latest stream even if React re-renders between
-    // the connection effect firing and `startAttempt` reaching the
-    // `addTrack` step. Reconnects are keyed on `MediaStream.id`, not
-    // reference identity (see the connection effect's deps).
-    const cameraStreamRef = useRef<MediaStream | null>(cameraStream ?? null);
-    cameraStreamRef.current = cameraStream ?? null;
+    // Demand-driven outbound camera state.
+    //
+    // The limulator side broadcasts a `cameraRequest` WS message whenever
+    // an app inside the simulator opens/closes an `AVCaptureSession`.
+    // We respond by calling `navigator.mediaDevices.getUserMedia(...)`
+    // and `replaceTrack`ing the result onto a pre-allocated sendonly
+    // video transceiver. Pre-allocating the transceiver lets us
+    // attach/detach the local camera without renegotiating the SDP
+    // (the slot is already in the answer's a=video block, just with
+    // `inactive`/empty until we install the track).
+    //
+    // Refs (not state) because all callers live inside event-handler
+    // closures and the ref read happens during message processing, not
+    // during render. We keep both the sender and the active local
+    // stream so teardown can stop tracks without leaking the camera
+    // green light.
+    const outboundCameraSenderRef = useRef<RTCRtpSender | null>(null);
+    const outboundLocalStreamRef = useRef<MediaStream | null>(null);
+    // Mirror the demand-change callback into a ref so the WS message
+    // handler always sees the freshest customer callback even when the
+    // parent re-renders mid-session.
+    const onCameraDemandChangeRef = useRef(onCameraDemandChange);
+    onCameraDemandChangeRef.current = onCameraDemandChange;
     const firstFrameShownRef = useRef(false);
     const pendingScreenshotResolversRef = useRef<
       Map<string, (value: ScreenshotData | PromiseLike<ScreenshotData>) => void>
@@ -1472,6 +1480,32 @@ export const RemoteControl = forwardRef<RemoteControlHandle, RemoteControlProps>
       setVideoLoaded(true);
     };
 
+    // Stop every track on a MediaStream and release the device handle.
+    // The browser keeps the camera "on" indicator lit until at least
+    // one track on the underlying source is stopped, so we have to
+    // call stop() explicitly — closing the peer connection alone
+    // won't do it.
+    const stopMediaStream = (stream: MediaStream) => {
+      for (const track of stream.getTracks()) {
+        try {
+          track.stop();
+        } catch (err) {
+          debugWarn('track.stop() failed:', err);
+        }
+      }
+    };
+
+    // Stop and forget any currently-attached outbound camera stream.
+    // Safe to call when nothing is attached. Does not touch the
+    // sender — the caller is responsible for `replaceTrack(null)`
+    // separately when it wants the SDP slot itself empty.
+    const stopOutboundLocalStream = () => {
+      const stream = outboundLocalStreamRef.current;
+      if (!stream) return;
+      outboundLocalStreamRef.current = null;
+      stopMediaStream(stream);
+    };
+
     const teardownConnection = () => {
       clearConnectionSuccessTimeout();
       clearIceDisconnectedGrace();
@@ -1480,6 +1514,11 @@ export const RemoteControl = forwardRef<RemoteControlHandle, RemoteControlProps>
         axFetcherRef.current.stop();
         axFetcherRef.current = null;
       }
+      // Drop any active outbound camera before the PC dies so the
+      // browser doesn't leave the camera indicator lit between
+      // reconnects.
+      stopOutboundLocalStream();
+      outboundCameraSenderRef.current = null;
       // A scheduled cursor flush would otherwise call setState on a
       // teardown component once the next frame runs.
       if (cursorRafIdRef.current !== undefined) {
@@ -1681,26 +1720,18 @@ export const RemoteControl = forwardRef<RemoteControlHandle, RemoteControlProps>
         peerConnection.addTransceiver('audio', { direction: 'recvonly' });
         const videoTransceiver = peerConnection.addTransceiver('video', { direction: 'recvonly' });
 
-        // Outbound camera input — splice the parent-provided MediaStream's
-        // video tracks into the same PC. `addTrack` creates an implicit
-        // sendonly transceiver and lands the track in the SDP offer; the
-        // limulator side picks it up via `peerConnection(_:didAdd:)` and
-        // forwards every frame into the camera-injector IOSurface ring.
-        // We pass the original MediaStream so the answerer can recover
-        // the parent stream id if it cares; today nothing does, but it
-        // costs nothing to be correct.
-        const outboundCamera = cameraStreamRef.current;
-        if (outboundCamera) {
-          for (const track of outboundCamera.getVideoTracks()) {
-            peerConnection.addTrack(track, outboundCamera);
-          }
-          debugLog(
-            'Attached outbound camera tracks:',
-            outboundCamera.getVideoTracks().length,
-            'streamId:',
-            outboundCamera.id,
-          );
-        }
+        // Pre-allocate a sendonly video slot for the user's camera.
+        // The track stays `null` until the limulator side asks for one
+        // (via the `cameraRequest` WS message), at which point we call
+        // `replaceTrack` with a `getUserMedia` result. Allocating
+        // up-front means we don't have to renegotiate the SDP when the
+        // simulator app actually opens its `AVCaptureSession` — the
+        // codec/SSRC negotiation happens once, here, and turning the
+        // camera on/off later is just a track-replace.
+        const outboundCameraTransceiver = peerConnection.addTransceiver('video', {
+          direction: 'sendonly',
+        });
+        outboundCameraSenderRef.current = outboundCameraTransceiver.sender;
 
         // As hardware encoder, we use H265 for iOS and VP9 for Android.
         // We make sure these two are the first ones in the list.
@@ -2030,6 +2061,85 @@ export const RemoteControl = forwardRef<RemoteControlHandle, RemoteControlProps>
               pendingScreenshotResolversRef.current.delete(message.id);
               pendingScreenshotRejectersRef.current.delete(message.id);
               break;
+            case 'cameraRequest': {
+              const active = message.active === true;
+              if (!active) {
+                // Sim no longer wants frames. Drop our local track and
+                // shut the browser's camera green light off.
+                const sender = outboundCameraSenderRef.current;
+                if (sender) {
+                  try {
+                    await sender.replaceTrack(null);
+                  } catch (err) {
+                    debugWarn('replaceTrack(null) on camera detach failed:', err);
+                  }
+                }
+                stopOutboundLocalStream();
+                safeInvoke('onCameraDemandChange', onCameraDemandChangeRef.current, false);
+                break;
+              }
+              // Sim is asking for camera. Ask the browser; the user's
+              // prompt response is reported back to the host via a
+              // `cameraResult` message so it can swap to a
+              // black-frame fallback on denial.
+              safeInvoke('onCameraDemandChange', onCameraDemandChangeRef.current, true);
+              let stream: MediaStream | null = null;
+              try {
+                stream = await navigator.mediaDevices.getUserMedia({
+                  video: true,
+                  audio: false,
+                });
+              } catch (err) {
+                debugWarn('getUserMedia denied/failed:', err);
+              }
+              if (!isCurrentAttempt() || wsRef.current !== ws) {
+                if (stream) stopMediaStream(stream);
+                return;
+              }
+              if (!stream) {
+                ws.send(JSON.stringify({ type: 'cameraResult', granted: false }));
+                safeInvoke('onCameraDemandChange', onCameraDemandChangeRef.current, true, false);
+                break;
+              }
+              // Replace any previous local stream (e.g. an earlier
+              // cameraRequest that resolved with a different device)
+              // before we install the new tracks.
+              stopOutboundLocalStream();
+              outboundLocalStreamRef.current = stream;
+              const sender = outboundCameraSenderRef.current;
+              const videoTrack = stream.getVideoTracks()[0] ?? null;
+              if (!sender || !videoTrack) {
+                if (stream) stopMediaStream(stream);
+                outboundLocalStreamRef.current = null;
+                ws.send(JSON.stringify({ type: 'cameraResult', granted: false }));
+                safeInvoke('onCameraDemandChange', onCameraDemandChangeRef.current, true, false);
+                break;
+              }
+              try {
+                await sender.replaceTrack(videoTrack);
+              } catch (err) {
+                debugWarn('replaceTrack(videoTrack) failed:', err);
+                stopMediaStream(stream);
+                outboundLocalStreamRef.current = null;
+                ws.send(JSON.stringify({ type: 'cameraResult', granted: false }));
+                safeInvoke('onCameraDemandChange', onCameraDemandChangeRef.current, true, false);
+                break;
+              }
+              // If the browser revokes the track later (extension,
+              // user clicks Stop in the camera tab UI, etc.), notify
+              // the host so it can switch to black frames.
+              videoTrack.onended = () => {
+                if (outboundLocalStreamRef.current !== stream) return;
+                stopOutboundLocalStream();
+                if (wsRef.current === ws && ws.readyState === WebSocket.OPEN) {
+                  ws.send(JSON.stringify({ type: 'cameraResult', granted: false }));
+                }
+                safeInvoke('onCameraDemandChange', onCameraDemandChangeRef.current, true, false);
+              };
+              ws.send(JSON.stringify({ type: 'cameraResult', granted: true }));
+              safeInvoke('onCameraDemandChange', onCameraDemandChangeRef.current, true, true);
+              break;
+            }
             case 'terminateAppResult':
               if (typeof message.id !== 'string') {
                 debugWarn('Received invalid terminateApp result message:', message);
@@ -2138,13 +2248,12 @@ export const RemoteControl = forwardRef<RemoteControlHandle, RemoteControlProps>
         stop();
         document.removeEventListener('visibilitychange', handleVisibilityChange);
       };
-      // We key reconnects on `MediaStream.id` rather than the prop's
-      // object identity so callers don't have to memoize the stream —
-      // turning the camera on/off swaps the underlying MediaStream and
-      // its id, but rerenders that happen to re-create the parent's
-      // wrapping object don't trigger churn.
+      // Camera attach/detach happens entirely inside the WS message
+      // loop now (sendonly transceiver + `replaceTrack`), so the
+      // connection effect doesn't need to bounce when the camera
+      // turns on/off — no SDP-affecting change.
       // eslint-disable-next-line react-hooks/exhaustive-deps
-    }, [url, token, propSessionId, cameraStream?.id]);
+    }, [url, token, propSessionId]);
 
     // Recompute the inspect-overlay geometry (container-local pixel rect of
     // the actually-rendered video content) from the current mapping context.

package/src/core/device-install/apple/client.ts

@@ -0,0 +1,152 @@
+import { AppleGsaSrpClient } from './gsa-srp';
+import {
+  createAppleRelaySession,
+  deleteAppleRelaySession,
+  fetchAppleAccountSession,
+  proxyPhoneTwoFactorCode,
+  proxySrpComplete,
+  proxySrpInit,
+  proxyTwoFactorCode,
+  triggerPhoneTwoFactor,
+  triggerTrustedDeviceTwoFactor,
+  type AppleRelayResponse,
+} from './relay';
+
+export type AppleIDLoginInput = {
+  limbuildApiUrl: string;
+  accountName: string;
+  password: string;
+  token?: string;
+};
+
+export type AppleIDLoginResult = {
+  appleSessionId: string;
+  completeResponse: AppleRelayResponse;
+  twoFactorChallengeResponse?: AppleRelayResponse;
+  requiresTwoFactor: boolean;
+  finishTwoFactor: (code: string) => Promise<AppleRelayResponse>;
+  finalize: () => Promise<AppleRelayResponse>;
+  close: () => Promise<void>;
+};
+
+type TwoFactorMethod =
+  | { type: 'trustedDevice' }
+  | { type: 'phone'; phoneNumberId: number; mode: string };
+
+export async function startBrowserOwnedAppleIDLogin({
+  limbuildApiUrl,
+  accountName,
+  password,
+  token,
+}: AppleIDLoginInput): Promise<AppleIDLoginResult> {
+  const { appleSessionId } = await createAppleRelaySession(limbuildApiUrl, token);
+  try {
+    const srp = new AppleGsaSrpClient(accountName);
+    const initResponse = await proxySrpInit(limbuildApiUrl, appleSessionId, await srp.init(), token);
+    if (initResponse.status < 200 || initResponse.status >= 300) {
+      throw new Error(`Apple SRP init failed: HTTP ${initResponse.status} ${initResponse.rawBody ?? ''}`.trim());
+    }
+    if (!initResponse.body) {
+      throw new Error('Apple SRP init response did not include a body.');
+    }
+    const proof = await srp.complete(password, initResponse.body);
+    const completeResponse = await proxySrpComplete(
+      limbuildApiUrl,
+      appleSessionId,
+      {
+        ...proof,
+        rememberMe: false,
+        trustTokens: [],
+      },
+      token,
+    );
+    const requiresTwoFactor = completeResponse.status === 409;
+    let twoFactorChallengeResponse: AppleRelayResponse | undefined;
+    let twoFactorMethod: TwoFactorMethod = { type: 'trustedDevice' };
+    if (requiresTwoFactor) {
+      twoFactorChallengeResponse = await triggerTrustedDeviceTwoFactor(limbuildApiUrl, appleSessionId, token);
+      const phone = trustedPhoneNumberFromChallenge(twoFactorChallengeResponse.body);
+      if (phone) {
+        twoFactorMethod = {
+          type: 'phone',
+          phoneNumberId: phone.id,
+          mode: phone.pushMode ?? 'sms',
+        };
+      }
+      if (twoFactorChallengeResponse.status === 412) {
+        if (!phone) {
+          throw new Error('Apple requested phone verification but did not include a trusted phone number.');
+        }
+        twoFactorChallengeResponse = await triggerPhoneTwoFactor(
+          limbuildApiUrl,
+          appleSessionId,
+          phone.id,
+          phone.pushMode ?? 'sms',
+          token,
+        );
+      }
+      if (twoFactorChallengeResponse.status < 200 || twoFactorChallengeResponse.status >= 300) {
+        throw new Error(
+          `Apple two-factor challenge failed: HTTP ${twoFactorChallengeResponse.status} ${
+            twoFactorChallengeResponse.rawBody ?? ''
+          }`.trim(),
+        );
+      }
+    } else if (completeResponse.status < 200 || completeResponse.status >= 300) {
+      throw new Error(`Apple SRP complete failed: HTTP ${completeResponse.status} ${completeResponse.rawBody ?? ''}`.trim());
+    }
+    return {
+      appleSessionId,
+      completeResponse,
+      twoFactorChallengeResponse,
+      requiresTwoFactor,
+      finishTwoFactor: async (code) => {
+        const response =
+          twoFactorMethod.type === 'phone'
+            ? await proxyPhoneTwoFactorCode(
+                limbuildApiUrl,
+                appleSessionId,
+                twoFactorMethod.phoneNumberId,
+                code,
+                twoFactorMethod.mode,
+                token,
+              )
+            : await proxyTwoFactorCode(limbuildApiUrl, appleSessionId, code, token);
+        if (response.status < 200 || response.status >= 300) {
+          throw new Error(`Apple two-factor code failed: HTTP ${response.status} ${response.rawBody ?? ''}`.trim());
+        }
+        return response;
+      },
+      finalize: async () => fetchAppleAccountSession(limbuildApiUrl, appleSessionId, token),
+      close: () => deleteAppleRelaySession(limbuildApiUrl, appleSessionId, token),
+    };
+  } catch (error) {
+    await deleteAppleRelaySession(limbuildApiUrl, appleSessionId, token).catch(() => undefined);
+    throw error;
+  }
+}
+
+function trustedPhoneNumberFromChallenge(body: unknown) {
+  if (!isRecord(body)) return undefined;
+  const verification = isRecord(body.phoneNumberVerification) ? body.phoneNumberVerification : undefined;
+  const trustedPhoneNumber =
+    recordValue(verification?.trustedPhoneNumber) ??
+    recordValue(body.trustedPhoneNumber) ??
+    recordValue(body.phoneNumber);
+  if (!trustedPhoneNumber) return undefined;
+  const id = trustedPhoneNumber.id;
+  if (typeof id !== 'number') return undefined;
+  const pushMode =
+    typeof trustedPhoneNumber.pushMode === 'string' ? trustedPhoneNumber.pushMode
+    : typeof body.mode === 'string' ? body.mode
+    : undefined;
+  return { id, pushMode };
+}
+
+function recordValue(value: unknown) {
+  return isRecord(value) ? value : undefined;
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === 'object' && value !== null && !Array.isArray(value);
+}

package/src/core/device-install/apple/crypto.ts

@@ -0,0 +1,202 @@
+import forge from 'node-forge';
+
+export type AppleSigningKeyMaterial = {
+  privateKey: CryptoKey;
+  privateKeyPKCS8Base64: string;
+  publicKeySPKIBase64: string;
+  csrPEM: string;
+  csrBase64: string;
+};
+
+export type AppleCSRInput = {
+  commonName: string;
+  emailAddress?: string;
+};
+
+export type ExportP12Input = {
+  privateKeyPKCS8Base64: string;
+  certificateBase64?: string;
+  certificatePEM?: string;
+  password: string;
+  friendlyName?: string;
+};
+
+const rsaAlgorithm: RsaHashedKeyGenParams = {
+  name: 'RSASSA-PKCS1-v1_5',
+  modulusLength: 2048,
+  publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+  hash: 'SHA-256',
+};
+
+export async function generateAppleSigningKeyAndCSR(input: AppleCSRInput): Promise<AppleSigningKeyMaterial> {
+  if (!crypto.subtle) {
+    throw new Error('WebCrypto is not available in this browser.');
+  }
+  const keyPair = await crypto.subtle.generateKey(rsaAlgorithm, true, ['sign', 'verify']);
+  const publicKeySPKI = new Uint8Array(await crypto.subtle.exportKey('spki', keyPair.publicKey));
+  const certificationRequestInfo = derSequence(
+    derInteger(0),
+    derName(input),
+    publicKeySPKI,
+    derContext(0, new Uint8Array()),
+  );
+  const signature = new Uint8Array(
+    await crypto.subtle.sign('RSASSA-PKCS1-v1_5', keyPair.privateKey, toArrayBuffer(certificationRequestInfo)),
+  );
+  const csrDER = derSequence(
+    certificationRequestInfo,
+    derSequence(derOID('1.2.840.113549.1.1.11'), derNull()),
+    derBitString(signature),
+  );
+  const privateKeyPKCS8 = new Uint8Array(await crypto.subtle.exportKey('pkcs8', keyPair.privateKey));
+  return {
+    privateKey: keyPair.privateKey,
+    privateKeyPKCS8Base64: bytesToBase64(privateKeyPKCS8),
+    publicKeySPKIBase64: bytesToBase64(publicKeySPKI),
+    csrPEM: pemBlock('CERTIFICATE REQUEST', csrDER),
+    csrBase64: bytesToBase64(csrDER),
+  };
+}
+
+export function exportAppleCertificateP12(input: ExportP12Input) {
+  if (!input.certificateBase64 && !input.certificatePEM) {
+    throw new Error('certificateBase64 or certificatePEM is required.');
+  }
+  const privateKey = forge.pki.privateKeyFromPem(
+    pemFromBase64('PRIVATE KEY', input.privateKeyPKCS8Base64),
+  );
+  const certificate = input.certificatePEM
+    ? forge.pki.certificateFromPem(input.certificatePEM)
+    : forge.pki.certificateFromAsn1(
+        forge.asn1.fromDer(forge.util.createBuffer(base64ToBinary(input.certificateBase64!))),
+      );
+  const p12 = forge.pkcs12.toPkcs12Asn1(privateKey, [certificate], input.password, {
+    algorithm: '3des',
+    friendlyName: input.friendlyName,
+  });
+  const der = forge.asn1.toDer(p12).getBytes();
+  return binaryToBase64(der);
+}
+
+function derName(input: AppleCSRInput) {
+  const attributes = [derAttribute('2.5.4.3', derUTF8String(input.commonName))];
+  if (input.emailAddress) {
+    attributes.push(derAttribute('1.2.840.113549.1.9.1', derIA5String(input.emailAddress)));
+  }
+  return derSequence(...attributes);
+}
+
+function derAttribute(oid: string, value: Uint8Array) {
+  return derSet(derSequence(derOID(oid), value));
+}
+
+function derSequence(...values: Uint8Array[]) {
+  return derTLV(0x30, concatBytes(...values));
+}
+
+function derSet(...values: Uint8Array[]) {
+  return derTLV(0x31, concatBytes(...values));
+}
+
+function derContext(tag: number, value: Uint8Array) {
+  return derTLV(0xa0 + tag, value);
+}
+
+function derInteger(value: number) {
+  return derTLV(0x02, new Uint8Array([value]));
+}
+
+function derNull() {
+  return new Uint8Array([0x05, 0x00]);
+}
+
+function derUTF8String(value: string) {
+  return derTLV(0x0c, new TextEncoder().encode(value));
+}
+
+function derIA5String(value: string) {
+  return derTLV(0x16, new TextEncoder().encode(value));
+}
+
+function derBitString(value: Uint8Array) {
+  return derTLV(0x03, concatBytes(new Uint8Array([0]), value));
+}
+
+function derOID(oid: string) {
+  const parts = oid.split('.').map((part) => parseInt(part, 10));
+  if (parts.length < 2 || parts.some((part) => !Number.isFinite(part))) {
+    throw new Error(`Invalid OID: ${oid}`);
+  }
+  const encoded = [parts[0] * 40 + parts[1]];
+  for (const part of parts.slice(2)) {
+    const stack = [part & 0x7f];
+    let value = part >> 7;
+    while (value > 0) {
+      stack.unshift((value & 0x7f) | 0x80);
+      value >>= 7;
+    }
+    encoded.push(...stack);
+  }
+  return derTLV(0x06, new Uint8Array(encoded));
+}
+
+function derTLV(tag: number, value: Uint8Array) {
+  return concatBytes(new Uint8Array([tag]), derLength(value.byteLength), value);
+}
+
+function derLength(length: number) {
+  if (length < 0x80) {
+    return new Uint8Array([length]);
+  }
+  const bytes: number[] = [];
+  let value = length;
+  while (value > 0) {
+    bytes.unshift(value & 0xff);
+    value >>= 8;
+  }
+  return new Uint8Array([0x80 | bytes.length, ...bytes]);
+}
+
+function concatBytes(...chunks: Uint8Array[]) {
+  const length = chunks.reduce((sum, chunk) => sum + chunk.byteLength, 0);
+  const out = new Uint8Array(length);
+  let offset = 0;
+  for (const chunk of chunks) {
+    out.set(chunk, offset);
+    offset += chunk.byteLength;
+  }
+  return out;
+}
+
+function pemBlock(label: string, der: Uint8Array) {
+  const base64 = bytesToBase64(der);
+  const lines = base64.match(/.{1,64}/g) ?? [];
+  return `-----BEGIN ${label}-----\n${lines.join('\n')}\n-----END ${label}-----\n`;
+}
+
+function pemFromBase64(label: string, base64: string) {
+  const lines = base64.match(/.{1,64}/g) ?? [];
+  return `-----BEGIN ${label}-----\n${lines.join('\n')}\n-----END ${label}-----\n`;
+}
+
+function bytesToBase64(bytes: Uint8Array) {
+  let binary = '';
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary);
+}
+
+function binaryToBase64(binary: string) {
+  return btoa(binary);
+}
+
+function base64ToBinary(value: string) {
+  return atob(value);
+}
+
+function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
+  const copy = new Uint8Array(bytes.byteLength);
+  copy.set(bytes);
+  return copy.buffer;
+}