@matter/protocol 0.15.0-alpha.0-20250616-4b3754906 → 0.15.0-alpha.0-20250619-df2264f15

package/dist/cjs/certificate/CertificateManager.js

@@ -1,843 +0,0 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var CertificateManager_exports = {};
-__export(CertificateManager_exports, {
-  CertificateError: () => CertificateError,
-  CertificateManager: () => CertificateManager,
-  FabricId_Matter: () => FabricId_Matter,
-  FirmwareSigningId_Matter: () => FirmwareSigningId_Matter,
-  IcacId_Matter: () => IcacId_Matter,
-  NocCat_Matter: () => NocCat_Matter,
-  NodeId_Matter: () => NodeId_Matter,
-  ProductId_Matter: () => ProductId_Matter,
-  RcacId_Matter: () => RcacId_Matter,
-  TlvCertificationDeclaration: () => TlvCertificationDeclaration,
-  TlvIntermediateCertificate: () => TlvIntermediateCertificate,
-  TlvOperationalCertificate: () => TlvOperationalCertificate,
-  TlvRootCertificate: () => TlvRootCertificate,
-  VendorId_Matter: () => VendorId_Matter,
-  jsToMatterDate: () => jsToMatterDate,
-  matterToJsDate: () => matterToJsDate
-});
-module.exports = __toCommonJS(CertificateManager_exports);
-var import_general = require("#general");
-var import_types = require("#types");
-/**
- * @license
- * Copyright 2022-2025 Matter.js Authors
- * SPDX-License-Identifier: Apache-2.0
- */
-const logger = import_general.Logger.get("CertificateManager");
-class CertificateError extends import_general.MatterError {
-}
-const YEAR_S = 365 * 24 * 60 * 60;
-const EPOCH_OFFSET_S = 10957 * 24 * 60 * 60;
-const MAX_DER_CERTIFICATE_SIZE = 600;
-const MAX_TLV_CERTIFICATE_SIZE = 400;
-function matterToJsDate(date) {
-  return date === 0 ? import_general.X520.NON_WELL_DEFINED_DATE : new Date((date + EPOCH_OFFSET_S) * 1e3);
-}
-function jsToMatterDate(date, addYears = 0) {
-  return date.getTime() === import_general.X520.NON_WELL_DEFINED_DATE.getTime() ? 0 : Math.floor(date.getTime() / 1e3) - EPOCH_OFFSET_S + addYears * YEAR_S;
-}
-function intTo16Chars(value) {
-  const byteArray = new Uint8Array(8);
-  const dataView = import_general.Bytes.dataViewOf(byteArray);
-  dataView.setBigUint64(0, typeof value === "bigint" ? value : BigInt(value));
-  return import_general.Bytes.toHex(byteArray).toUpperCase();
-}
-function uInt16To8Chars(value) {
-  const byteArray = new Uint8Array(4);
-  const dataView = import_general.Bytes.dataViewOf(byteArray);
-  dataView.setUint32(0, value);
-  return import_general.Bytes.toHex(byteArray).toUpperCase();
-}
-function uInt16To4Chars(value) {
-  const byteArray = new Uint8Array(2);
-  const dataView = import_general.Bytes.dataViewOf(byteArray);
-  dataView.setUint16(0, value);
-  return import_general.Bytes.toHex(byteArray).toUpperCase();
-}
-const GenericMatterOpCertObject = (id, valueConverter) => (value) => [
-  (0, import_general.DerObject)(`2b0601040182a27c01${id.toString(16).padStart(2, "0")}`, {
-    value: (valueConverter ?? intTo16Chars)(value)
-  })
-];
-const GenericMatterAttCertObject = (id, valueConverter) => (value) => [
-  (0, import_general.DerObject)(`2b0601040182a27c02${id.toString(16).padStart(2, "0")}`, {
-    value: (valueConverter ?? intTo16Chars)(value)
-  })
-];
-const NodeId_Matter = GenericMatterOpCertObject(1);
-const FirmwareSigningId_Matter = GenericMatterOpCertObject(2);
-const IcacId_Matter = GenericMatterOpCertObject(3);
-const RcacId_Matter = GenericMatterOpCertObject(4);
-const FabricId_Matter = GenericMatterOpCertObject(5);
-const NocCat_Matter = GenericMatterOpCertObject(6, uInt16To8Chars);
-const VendorId_Matter = GenericMatterAttCertObject(1, uInt16To4Chars);
-const ProductId_Matter = GenericMatterAttCertObject(2, uInt16To4Chars);
-const AllowedSubjectAndIssuerMatterFields = {
-  nodeId: (0, import_types.TlvOptionalField)(17, import_types.TlvNodeId),
-  firmwareSigningId: (0, import_types.TlvOptionalField)(18, import_types.TlvUInt32),
-  icacId: (0, import_types.TlvOptionalField)(19, import_types.TlvUInt64),
-  rcacId: (0, import_types.TlvOptionalField)(20, import_types.TlvUInt64),
-  fabricId: (0, import_types.TlvOptionalField)(21, import_types.TlvFabricId),
-  caseAuthenticatedTags: (0, import_types.TlvOptionalRepeatedField)(22, import_types.TlvCaseAuthenticatedTag, { maxLength: 3 })
-};
-const TlvGenericMatterSubjectOrIssuerTaggedList = (matterFields) => {
-  const fields = {
-    // Standard DNs
-    commonName: (0, import_types.TlvOptionalField)(1, import_types.TlvString),
-    sureName: (0, import_types.TlvOptionalField)(2, import_types.TlvString),
-    serialNum: (0, import_types.TlvOptionalField)(3, import_types.TlvString),
-    countryName: (0, import_types.TlvOptionalField)(4, import_types.TlvString),
-    localityName: (0, import_types.TlvOptionalField)(5, import_types.TlvString),
-    stateOrProvinceName: (0, import_types.TlvOptionalField)(6, import_types.TlvString),
-    orgName: (0, import_types.TlvOptionalField)(7, import_types.TlvString),
-    orgUnitName: (0, import_types.TlvOptionalField)(8, import_types.TlvString),
-    title: (0, import_types.TlvOptionalField)(9, import_types.TlvString),
-    name: (0, import_types.TlvOptionalField)(10, import_types.TlvString),
-    givenName: (0, import_types.TlvOptionalField)(11, import_types.TlvString),
-    initials: (0, import_types.TlvOptionalField)(12, import_types.TlvString),
-    genQualifier: (0, import_types.TlvOptionalField)(13, import_types.TlvString),
-    dnQualifier: (0, import_types.TlvOptionalField)(14, import_types.TlvString),
-    pseudonym: (0, import_types.TlvOptionalField)(15, import_types.TlvString),
-    domainComponent: (0, import_types.TlvOptionalField)(16, import_types.TlvString),
-    // Matter specific DNs
-    ...matterFields,
-    // Standard DNs when encoded as Printable String
-    commonNamePs: (0, import_types.TlvOptionalField)(129, import_types.TlvString),
-    sureNamePs: (0, import_types.TlvOptionalField)(130, import_types.TlvString),
-    serialNumPs: (0, import_types.TlvOptionalField)(131, import_types.TlvString),
-    countryNamePs: (0, import_types.TlvOptionalField)(132, import_types.TlvString),
-    localityNamePs: (0, import_types.TlvOptionalField)(133, import_types.TlvString),
-    stateOrProvinceNamePs: (0, import_types.TlvOptionalField)(134, import_types.TlvString),
-    orgNamePs: (0, import_types.TlvOptionalField)(135, import_types.TlvString),
-    orgUnitNamePs: (0, import_types.TlvOptionalField)(136, import_types.TlvString),
-    titlePs: (0, import_types.TlvOptionalField)(137, import_types.TlvString),
-    namePs: (0, import_types.TlvOptionalField)(138, import_types.TlvString),
-    givenNamePs: (0, import_types.TlvOptionalField)(139, import_types.TlvString),
-    initialsPs: (0, import_types.TlvOptionalField)(140, import_types.TlvString),
-    genQualifierPs: (0, import_types.TlvOptionalField)(141, import_types.TlvString),
-    dnQualifierPs: (0, import_types.TlvOptionalField)(142, import_types.TlvString),
-    pseudonymPs: (0, import_types.TlvOptionalField)(143, import_types.TlvString)
-  };
-  return (0, import_types.TlvTaggedList)(fields);
-};
-const ExtensionKeyUsageBitmap = {
-  digitalSignature: (0, import_types.BitFlag)(0),
-  nonRepudiation: (0, import_types.BitFlag)(1),
-  keyEncipherment: (0, import_types.BitFlag)(2),
-  dataEncipherment: (0, import_types.BitFlag)(3),
-  keyAgreement: (0, import_types.BitFlag)(4),
-  keyCertSign: (0, import_types.BitFlag)(5),
-  cRLSign: (0, import_types.BitFlag)(6),
-  encipherOnly: (0, import_types.BitFlag)(7),
-  decipherOnly: (0, import_types.BitFlag)(8)
-};
-const ExtensionKeyUsageSchema = (0, import_types.BitmapSchema)(ExtensionKeyUsageBitmap);
-const BaseMatterCertificate = (matterFields) => (0, import_types.TlvObjectWithMaxSize)(
-  {
-    serialNumber: (0, import_types.TlvField)(1, import_types.TlvByteString.bound({ maxLength: 20 })),
-    signatureAlgorithm: (0, import_types.TlvField)(2, import_types.TlvUInt8),
-    issuer: (0, import_types.TlvField)(
-      3,
-      TlvGenericMatterSubjectOrIssuerTaggedList({
-        ...AllowedSubjectAndIssuerMatterFields,
-        ...matterFields?.issuer ?? {}
-      })
-    ),
-    notBefore: (0, import_types.TlvField)(4, import_types.TlvUInt32),
-    notAfter: (0, import_types.TlvField)(5, import_types.TlvUInt32),
-    subject: (0, import_types.TlvField)(
-      6,
-      TlvGenericMatterSubjectOrIssuerTaggedList({
-        ...AllowedSubjectAndIssuerMatterFields,
-        ...matterFields?.subject ?? {}
-      })
-    ),
-    publicKeyAlgorithm: (0, import_types.TlvField)(7, import_types.TlvUInt8),
-    ellipticCurveIdentifier: (0, import_types.TlvField)(8, import_types.TlvUInt8),
-    ellipticCurvePublicKey: (0, import_types.TlvField)(9, import_types.TlvByteString),
-    extensions: (0, import_types.TlvField)(
-      10,
-      (0, import_types.TlvTaggedList)({
-        basicConstraints: (0, import_types.TlvField)(
-          1,
-          (0, import_types.TlvObject)({
-            isCa: (0, import_types.TlvField)(1, import_types.TlvBoolean),
-            pathLen: (0, import_types.TlvOptionalField)(2, import_types.TlvUInt8)
-          })
-        ),
-        keyUsage: (0, import_types.TlvField)(2, (0, import_types.TlvBitmap)(import_types.TlvUInt16, ExtensionKeyUsageBitmap)),
-        extendedKeyUsage: (0, import_types.TlvOptionalField)(3, (0, import_types.TlvArray)(import_types.TlvUInt8)),
-        subjectKeyIdentifier: (0, import_types.TlvField)(4, import_types.TlvByteString.bound({ length: 20 })),
-        authorityKeyIdentifier: (0, import_types.TlvField)(5, import_types.TlvByteString.bound({ length: 20 })),
-        futureExtension: (0, import_types.TlvOptionalRepeatedField)(6, import_types.TlvByteString)
-      })
-    ),
-    signature: (0, import_types.TlvField)(11, import_types.TlvByteString)
-  },
-  MAX_TLV_CERTIFICATE_SIZE
-);
-const TlvRootCertificate = BaseMatterCertificate({
-  subject: {
-    rcacId: (0, import_types.TlvField)(20, import_types.TlvUInt64),
-    fabricId: (0, import_types.TlvOptionalField)(21, import_types.TlvFabricId)
-  },
-  issuer: AllowedSubjectAndIssuerMatterFields
-});
-const TlvOperationalCertificate = BaseMatterCertificate({
-  subject: {
-    nodeId: (0, import_types.TlvField)(17, import_types.TlvNodeId),
-    fabricId: (0, import_types.TlvField)(21, import_types.TlvFabricId),
-    caseAuthenticatedTags: (0, import_types.TlvOptionalRepeatedField)(22, import_types.TlvCaseAuthenticatedTag, { maxLength: 3 })
-  },
-  issuer: AllowedSubjectAndIssuerMatterFields
-});
-const TlvIntermediateCertificate = BaseMatterCertificate({
-  subject: {
-    icacId: (0, import_types.TlvField)(19, import_types.TlvUInt64),
-    fabricId: (0, import_types.TlvOptionalField)(21, import_types.TlvFabricId)
-  },
-  issuer: AllowedSubjectAndIssuerMatterFields
-});
-const TlvBaseCertificate = BaseMatterCertificate();
-const TlvCertificationDeclaration = (0, import_types.TlvObject)({
-  formatVersion: (0, import_types.TlvField)(0, import_types.TlvUInt16),
-  vendorId: (0, import_types.TlvField)(1, import_types.TlvVendorId),
-  produceIdArray: (0, import_types.TlvField)(2, (0, import_types.TlvArray)(import_types.TlvUInt16, { minLength: 1, maxLength: 100 })),
-  deviceTypeId: (0, import_types.TlvField)(3, import_types.TlvUInt32),
-  certificateId: (0, import_types.TlvField)(4, import_types.TlvString.bound({ length: 19 })),
-  securityLevel: (0, import_types.TlvField)(5, import_types.TlvUInt8),
-  securityInformation: (0, import_types.TlvField)(6, import_types.TlvUInt16),
-  versionNumber: (0, import_types.TlvField)(7, import_types.TlvUInt16),
-  certificationType: (0, import_types.TlvField)(8, import_types.TlvUInt8),
-  dacOriginVendorId: (0, import_types.TlvOptionalField)(9, import_types.TlvVendorId),
-  dacOriginProductId: (0, import_types.TlvOptionalField)(10, import_types.TlvUInt16),
-  authorizedPaaList: (0, import_types.TlvOptionalField)(
-    11,
-    (0, import_types.TlvArray)(import_types.TlvByteString.bound({ length: 20 }), { minLength: 1, maxLength: 10 })
-  )
-});
-function subjectOrIssuerToAsn1(data) {
-  const asn = {};
-  Object.entries(data).forEach(([key, value]) => {
-    if (value === void 0) {
-      return;
-    }
-    switch (key) {
-      case "commonName":
-        asn.commonName = import_general.X520.CommonName(value);
-        break;
-      case "sureName":
-        asn.sureName = import_general.X520.SurName(value);
-        break;
-      case "serialNum":
-        asn.serialNum = import_general.X520.SerialNumber(value);
-        break;
-      case "countryName":
-        asn.countryName = import_general.X520.CountryName(value);
-        break;
-      case "localityName":
-        asn.localityName = import_general.X520.LocalityName(value);
-        break;
-      case "stateOrProvinceName":
-        asn.stateOrProvinceName = import_general.X520.StateOrProvinceName(value);
-        break;
-      case "orgName":
-        asn.orgName = import_general.X520.OrganisationName(value);
-        break;
-      case "orgUnitName":
-        asn.orgUnitName = import_general.X520.OrganizationalUnitName(value);
-        break;
-      case "title":
-        asn.title = import_general.X520.Title(value);
-        break;
-      case "name":
-        asn.name = import_general.X520.Name(value);
-        break;
-      case "givenName":
-        asn.givenName = import_general.X520.GivenName(value);
-        break;
-      case "initials":
-        asn.initials = import_general.X520.Initials(value);
-        break;
-      case "genQualifier":
-        asn.genQualifier = import_general.X520.GenerationQualifier(value);
-        break;
-      case "dnQualifier":
-        asn.dnQualifier = import_general.X520.DnQualifier(value);
-        break;
-      case "pseudonym":
-        asn.pseudonym = import_general.X520.Pseudonym(value);
-        break;
-      case "domainComponent":
-        asn.domainComponent = import_general.X520.DomainComponent(value);
-        break;
-      case "nodeId":
-        asn.nodeId = NodeId_Matter(value);
-        break;
-      case "firmwareSigningId":
-        asn.firmwareSigningId = FirmwareSigningId_Matter(value);
-        break;
-      case "icacId":
-        asn.icacId = IcacId_Matter(value);
-        break;
-      case "rcacId":
-        asn.rcacId = RcacId_Matter(value);
-        break;
-      case "fabricId":
-        asn.fabricId = FabricId_Matter(value);
-        break;
-      case "caseAuthenticatedTags":
-        const caseAuthenticatedTags = value;
-        import_types.CaseAuthenticatedTag.validateNocTagList(caseAuthenticatedTags);
-        const cat0 = caseAuthenticatedTags[0];
-        const cat1 = caseAuthenticatedTags[1];
-        const cat2 = caseAuthenticatedTags[2];
-        if (cat0 !== void 0) {
-          asn.caseAuthenticatedTag0 = NocCat_Matter(cat0);
-        }
-        if (cat1 !== void 0) {
-          asn.caseAuthenticatedTag1 = NocCat_Matter(cat1);
-        }
-        if (cat2 !== void 0) {
-          asn.caseAuthenticatedTag2 = NocCat_Matter(cat2);
-        }
-        break;
-      case "vendorId":
-        asn.vendorId = VendorId_Matter(value);
-        break;
-      case "productId":
-        asn.productId = ProductId_Matter(value);
-        break;
-      case "commonNamePs":
-        asn.commonNamePs = import_general.X520.CommonName(value, true);
-        break;
-      case "sureNamePs":
-        asn.sureNamePs = import_general.X520.SurName(value, true);
-        break;
-      case "serialNumPs":
-        asn.serialNumPs = import_general.X520.SerialNumber(value, true);
-        break;
-      case "countryNamePs":
-        asn.countryNamePs = import_general.X520.CountryName(value, true);
-        break;
-      case "localityNamePs":
-        asn.localityNamePs = import_general.X520.LocalityName(value, true);
-        break;
-      case "stateOrProvinceNamePs":
-        asn.stateOrProvinceNamePs = import_general.X520.StateOrProvinceName(value, true);
-        break;
-      case "orgNamePs":
-        asn.orgNamePs = import_general.X520.OrganisationName(value, true);
-        break;
-      case "orgUnitNamePs":
-        asn.orgUnitNamePs = import_general.X520.OrganizationalUnitName(value, true);
-        break;
-      case "titlePs":
-        asn.titlePs = import_general.X520.Title(value, true);
-        break;
-      case "namePs":
-        asn.namePs = import_general.X520.Name(value, true);
-        break;
-      case "givenNamePs":
-        asn.givenNamePs = import_general.X520.GivenName(value, true);
-        break;
-      case "initialsPs":
-        asn.initialsPs = import_general.X520.Initials(value, true);
-        break;
-      case "genQualifierPs":
-        asn.genQualifierPs = import_general.X520.GenerationQualifier(value, true);
-        break;
-      case "dnQualifierPs":
-        asn.dnQualifierPs = import_general.X520.DnQualifier(value, true);
-        break;
-      case "pseudonymPs":
-        asn.pseudonymPs = import_general.X520.Pseudonym(value, true);
-        break;
-    }
-  });
-  return asn;
-}
-function extensionsToAsn1(extensions) {
-  const asn = {};
-  Object.entries(extensions).forEach(([key, value]) => {
-    if (value === void 0) {
-      return;
-    }
-    switch (key) {
-      case "basicConstraints":
-        asn.basicConstraints = import_general.X509.BasicConstraints(value);
-        break;
-      case "keyUsage":
-        asn.keyUsage = import_general.X509.KeyUsage(
-          ExtensionKeyUsageSchema.encode(value)
-        );
-        break;
-      case "extendedKeyUsage":
-        asn.extendedKeyUsage = import_general.X509.ExtendedKeyUsage(value);
-        break;
-      case "subjectKeyIdentifier":
-        asn.subjectKeyIdentifier = import_general.X509.SubjectKeyIdentifier(value);
-        break;
-      case "authorityKeyIdentifier":
-        asn.authorityKeyIdentifier = import_general.X509.AuthorityKeyIdentifier(value);
-        break;
-      case "futureExtension":
-        asn.futureExtension = (0, import_general.RawBytes)(import_general.Bytes.concat(...value ?? []));
-        break;
-    }
-  });
-  return asn;
-}
-function genericBuildAsn1Structure({
-  serialNumber,
-  notBefore,
-  notAfter,
-  issuer,
-  subject,
-  ellipticCurvePublicKey,
-  extensions
-}) {
-  const {
-    basicConstraints: { isCa, pathLen }
-  } = extensions;
-  if (!isCa && pathLen !== void 0) {
-    throw new CertificateError("Path length must be undefined for non-CA certificates.");
-  }
-  return {
-    version: (0, import_general.ContextTagged)(0, 2),
-    // v3
-    serialNumber: (0, import_general.DatatypeOverride)(import_general.DerType.Integer, serialNumber),
-    signatureAlgorithm: import_general.X962.EcdsaWithSHA256,
-    issuer: subjectOrIssuerToAsn1(issuer),
-    validity: {
-      notBefore: matterToJsDate(notBefore),
-      notAfter: matterToJsDate(notAfter)
-    },
-    subject: subjectOrIssuerToAsn1(subject),
-    publicKey: import_general.X962.PublicKeyEcPrime256v1(ellipticCurvePublicKey),
-    extensions: (0, import_general.ContextTagged)(3, extensionsToAsn1(extensions))
-  };
-}
-function genericCertToAsn1(cert) {
-  const certBytes = import_general.DerCodec.encode(genericBuildAsn1Structure(cert));
-  assertCertificateDerSize(certBytes);
-  return certBytes;
-}
-function assertCertificateDerSize(certBytes) {
-  if (certBytes.length > MAX_DER_CERTIFICATE_SIZE) {
-    throw new import_general.ImplementationError(
-      `Certificate to generate is too big: ${certBytes.length} bytes instead of max ${MAX_DER_CERTIFICATE_SIZE} bytes`
-    );
-  }
-}
-class CertificateManager {
-  #crypto;
-  constructor(crypto) {
-    this.#crypto = crypto;
-  }
-  get crypto() {
-    return this.#crypto;
-  }
-  rootCertToAsn1(cert) {
-    const {
-      extensions: {
-        basicConstraints: { isCa }
-      }
-    } = cert;
-    if (!isCa) {
-      throw new CertificateError("Root certificate must be a CA.");
-    }
-    return genericCertToAsn1(cert);
-  }
-  intermediateCaCertToAsn1(cert) {
-    const {
-      extensions: {
-        basicConstraints: { isCa }
-      }
-    } = cert;
-    if (!isCa) {
-      throw new CertificateError("Intermediate certificate must be a CA.");
-    }
-    return genericCertToAsn1(cert);
-  }
-  nodeOperationalCertToAsn1(cert) {
-    const {
-      issuer: { icacId, rcacId },
-      extensions: {
-        basicConstraints: { isCa }
-      }
-    } = cert;
-    if (icacId === void 0 && rcacId === void 0) {
-      throw new CertificateError("Issuer RCAC or ICAC ID must be defined for an operational certificate.");
-    }
-    if (isCa) {
-      throw new CertificateError("Node operational certificate must not be a CA.");
-    }
-    return genericCertToAsn1(cert);
-  }
-  async deviceAttestationCertToAsn1(cert, key) {
-    const certificate = genericBuildAsn1Structure(cert);
-    const signature = await this.#crypto.signEcdsa(key, import_general.DerCodec.encode(certificate), "der");
-    const certBytes = import_general.DerCodec.encode({
-      certificate,
-      signAlgorithm: import_general.X962.EcdsaWithSHA256,
-      signature: (0, import_general.DerBitString)(signature)
-    });
-    assertCertificateDerSize(certBytes);
-    return certBytes;
-  }
-  async productAttestationIntermediateCertToAsn1(cert, key) {
-    const certificate = genericBuildAsn1Structure(cert);
-    const signature = await this.#crypto.signEcdsa(key, import_general.DerCodec.encode(certificate), "der");
-    const certBytes = import_general.DerCodec.encode({
-      certificate,
-      signAlgorithm: import_general.X962.EcdsaWithSHA256,
-      signature: (0, import_general.DerBitString)(signature)
-    });
-    assertCertificateDerSize(certBytes);
-    return certBytes;
-  }
-  async productAttestationAuthorityCertToAsn1(cert, key) {
-    const certificate = genericBuildAsn1Structure(cert);
-    const certBytes = import_general.DerCodec.encode({
-      certificate,
-      signAlgorithm: import_general.X962.EcdsaWithSHA256,
-      signature: (0, import_general.DerBitString)(await this.#crypto.signEcdsa(key, import_general.DerCodec.encode(certificate), "der"))
-    });
-    assertCertificateDerSize(certBytes);
-    return certBytes;
-  }
-  async certificationDeclarationToAsn1(eContent, subjectKeyIdentifier, privateKey) {
-    const certificate = {
-      version: 3,
-      digestAlgorithm: [import_general.SHA256_CMS],
-      encapContentInfo: import_general.Pkcs7.Data(eContent),
-      signerInfo: [
-        {
-          version: 3,
-          subjectKeyIdentifier: (0, import_general.ContextTaggedBytes)(0, subjectKeyIdentifier),
-          digestAlgorithm: import_general.SHA256_CMS,
-          signatureAlgorithm: import_general.X962.EcdsaWithSHA256,
-          signature: await this.#crypto.signEcdsa(privateKey, eContent, "der")
-        }
-      ]
-    };
-    const certBytes = import_general.DerCodec.encode(import_general.Pkcs7.SignedData(certificate));
-    assertCertificateDerSize(certBytes);
-    return certBytes;
-  }
-  /**
-   * Validate general requirements a Matter certificate fields must fulfill.
-   * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
-   */
-  validateGeneralCertificateFields(cert) {
-    if (cert.serialNumber.length > 20)
-      throw new CertificateError(
-        `Serial number must not be longer then 20 octets. Current serial number has ${cert.serialNumber.length} octets.`
-      );
-    if (cert.signatureAlgorithm !== 1) {
-      throw new CertificateError(`Unsupported signature algorithm: ${cert.signatureAlgorithm}`);
-    }
-    if (cert.publicKeyAlgorithm !== 1) {
-      throw new CertificateError(`Unsupported public key algorithm: ${cert.publicKeyAlgorithm}`);
-    }
-    if (cert.ellipticCurveIdentifier !== 1) {
-      throw new CertificateError(`Unsupported elliptic curve identifier: ${cert.ellipticCurveIdentifier}`);
-    }
-    if (Object.keys(cert.subject).length > 5) {
-      throw new CertificateError(`Certificate subject must not contain more than 5 RDNs.`);
-    }
-    if (Object.keys(cert.issuer).length > 5) {
-      throw new CertificateError(`Certificate issuer must not contain more than 5 RDNs.`);
-    }
-    if (cert.notBefore * 1e3 > import_general.Time.nowMs()) {
-      logger.warn(`Certificate notBefore date is in the future: ${cert.notBefore * 1e3} vs ${import_general.Time.nowMs()}`);
-    }
-  }
-  /**
-   * Verify requirements a Matter Root certificate must fulfill.
-   * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
-   */
-  async verifyRootCertificate(rootCert) {
-    this.validateGeneralCertificateFields(rootCert);
-    if ("nodeId" in rootCert.subject) {
-      throw new CertificateError(`Root certificate must not contain a nodeId.`);
-    }
-    if (rootCert.subject.fabricId !== void 0) {
-      if (Array.isArray(rootCert.subject.fabricId)) {
-        throw new CertificateError(
-          `Invalid fabricId in NoC certificate: ${import_general.Diagnostic.json(rootCert.subject.fabricId)}`
-        );
-      }
-      if (rootCert.subject.fabricId === (0, import_types.FabricId)(0)) {
-        throw new CertificateError(
-          `Invalid fabricId in NoC certificate: ${import_general.Diagnostic.json(rootCert.subject.fabricId)}`
-        );
-      }
-    }
-    if ("icacId" in rootCert.subject) {
-      throw new CertificateError(`Root certificate must not contain an icacId.`);
-    }
-    if (rootCert.subject.rcacId === void 0 || Array.isArray(rootCert.subject.rcacId)) {
-      throw new CertificateError(
-        `Invalid rcacId in Root certificate: ${import_general.Diagnostic.json(rootCert.subject.rcacId)}`
-      );
-    }
-    if ("caseAuthenticatedTags" in rootCert.subject) {
-      throw new CertificateError(`Root certificate must not contain a caseAuthenticatedTags.`);
-    }
-    if (rootCert.extensions.basicConstraints.isCa !== true) {
-      throw new CertificateError(`Root certificate must have isCa set to true.`);
-    }
-    if (ExtensionKeyUsageSchema.encode(rootCert.extensions.keyUsage) !== 96 && ExtensionKeyUsageSchema.encode(rootCert.extensions.keyUsage) !== 97) {
-      throw new CertificateError(
-        `Root certificate keyUsage must have keyCertSign and CRLSign and optionally digitalSignature set.`
-      );
-    }
-    if (rootCert.extensions.extendedKeyUsage !== void 0) {
-      throw new CertificateError(`Root certificate must not have extendedKeyUsage set.`);
-    }
-    if (rootCert.extensions.subjectKeyIdentifier === void 0) {
-      throw new CertificateError(`Root certificate must have subjectKeyIdentifier set.`);
-    }
-    if (rootCert.extensions.subjectKeyIdentifier.length !== 20) {
-      throw new CertificateError(`Root certificate subjectKeyIdentifier must be 160 bit.`);
-    }
-    if (rootCert.extensions.authorityKeyIdentifier === void 0) {
-      throw new CertificateError(`Root certificate must have authorityKeyIdentifier set.`);
-    }
-    if (rootCert.extensions.authorityKeyIdentifier.length !== 20) {
-      throw new CertificateError(`Root certificate authorityKeyIdentifier must be 160 bit.`);
-    }
-    if (!import_general.Bytes.areEqual(rootCert.extensions.authorityKeyIdentifier, rootCert.extensions.subjectKeyIdentifier)) {
-      throw new CertificateError(
-        `Root certificate authorityKeyIdentifier must be equal to subjectKeyIdentifier.`
-      );
-    }
-    await this.#crypto.verifyEcdsa(
-      (0, import_general.PublicKey)(rootCert.ellipticCurvePublicKey),
-      this.rootCertToAsn1(rootCert),
-      rootCert.signature
-    );
-  }
-  /**
-   * Verify requirements a Matter Node Operational certificate must fulfill.
-   * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
-   */
-  async verifyNodeOperationalCertificate(nocCert, rootCert, icaCert) {
-    this.validateGeneralCertificateFields(nocCert);
-    if (nocCert.subject.nodeId === void 0 || Array.isArray(nocCert.subject.nodeId)) {
-      throw new CertificateError(`Invalid nodeId in NoC certificate: ${import_general.Diagnostic.json(nocCert.subject.nodeId)}`);
-    }
-    if (!import_types.NodeId.isOperationalNodeId(nocCert.subject.nodeId)) {
-      throw new CertificateError(`Invalid nodeId in NoC certificate: ${import_general.Diagnostic.json(nocCert.subject.nodeId)}`);
-    }
-    if (nocCert.subject.fabricId === void 0 || Array.isArray(nocCert.subject.fabricId)) {
-      throw new CertificateError(
-        `Invalid fabricId in NoC certificate: ${import_general.Diagnostic.json(nocCert.subject.fabricId)}`
-      );
-    }
-    if (nocCert.subject.fabricId === (0, import_types.FabricId)(0)) {
-      throw new CertificateError(
-        `Invalid fabricId in NoC certificate: ${import_general.Diagnostic.json(nocCert.subject.fabricId)}`
-      );
-    }
-    if ("icacId" in nocCert.subject) {
-      throw new CertificateError(`Noc certificate must not contain an icacId.`);
-    }
-    if ("rcacId" in nocCert.subject) {
-      throw new CertificateError(`Noc certificate must not contain an rcacId.`);
-    }
-    if (nocCert.subject.caseAuthenticatedTags !== void 0) {
-      import_types.CaseAuthenticatedTag.validateNocTagList(nocCert.subject.caseAuthenticatedTags);
-    }
-    if (rootCert.subject.fabricId !== void 0 && rootCert.subject.fabricId !== nocCert.subject.fabricId) {
-      throw new CertificateError(
-        `FabricId in NoC certificate does not match the fabricId in the parent certificate. ${import_general.Diagnostic.json(
-          rootCert.subject.fabricId
-        )} !== ${import_general.Diagnostic.json(nocCert.subject.fabricId)}`
-      );
-    }
-    if (icaCert !== void 0 && icaCert.subject.fabricId !== void 0 && icaCert.subject.fabricId !== nocCert.subject.fabricId) {
-      throw new CertificateError(
-        `FabricId in NoC certificate does not match the fabricId in the parent certificate. ${import_general.Diagnostic.json(
-          icaCert.subject.fabricId
-        )} !== ${import_general.Diagnostic.json(nocCert.subject.fabricId)}`
-      );
-    }
-    if (nocCert.extensions.basicConstraints.isCa) {
-      throw new CertificateError(`Noc certificate must not have isCa set to true.`);
-    }
-    if (!nocCert.extensions.keyUsage.digitalSignature) {
-      throw new CertificateError(`Noc certificate must have keyUsage set to digitalSignature.`);
-    }
-    if (nocCert.extensions.extendedKeyUsage === void 0 || !nocCert.extensions.extendedKeyUsage.includes(1) && !nocCert.extensions.extendedKeyUsage.includes(2)) {
-      throw new CertificateError(
-        `Noc certificate must have extendedKeyUsage with serverAuth and clientAuth: ${import_general.Diagnostic.json(nocCert.extensions.extendedKeyUsage)}`
-      );
-    }
-    if (nocCert.extensions.subjectKeyIdentifier === void 0) {
-      throw new CertificateError(`Noc certificate must have subjectKeyIdentifier set.`);
-    }
-    if (nocCert.extensions.subjectKeyIdentifier.length !== 20) {
-      throw new CertificateError(`Noc certificate subjectKeyIdentifier must be 160 bit.`);
-    }
-    if (nocCert.extensions.authorityKeyIdentifier === void 0) {
-      throw new CertificateError(`Noc certificate must have authorityKeyIdentifier set.`);
-    }
-    if (nocCert.extensions.authorityKeyIdentifier.length !== 20) {
-      throw new CertificateError(`Noc certificate authorityKeyIdentifier must be 160 bit.`);
-    }
-    if (!import_general.Bytes.areEqual(
-      nocCert.extensions.authorityKeyIdentifier,
-      (icaCert ?? rootCert).extensions.subjectKeyIdentifier
-    )) {
-      throw new CertificateError(
-        `Noc certificate authorityKeyIdentifier must be equal to Root/Ica subjectKeyIdentifier.`
-      );
-    }
-    await this.#crypto.verifyEcdsa(
-      (0, import_general.PublicKey)((icaCert ?? rootCert).ellipticCurvePublicKey),
-      this.nodeOperationalCertToAsn1(nocCert),
-      nocCert.signature
-    );
-  }
-  /**
-   * Verify requirements a Matter Intermediate CA certificate must fulfill.
-   * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
-   */
-  async verifyIntermediateCaCertificate(rootCert, icaCert) {
-    this.validateGeneralCertificateFields(icaCert);
-    if ("nodeId" in icaCert.subject) {
-      throw new CertificateError(`Ica certificate must not contain a nodeId.`);
-    }
-    if (icaCert.subject.fabricId !== void 0) {
-      if (Array.isArray(icaCert.subject.fabricId)) {
-        throw new CertificateError(
-          `Invalid fabricId in NoC certificate: ${import_general.Diagnostic.json(icaCert.subject.fabricId)}`
-        );
-      }
-      if (icaCert.subject.fabricId === (0, import_types.FabricId)(0)) {
-        throw new CertificateError(
-          `Invalid fabricId in NoC certificate: ${import_general.Diagnostic.json(icaCert.subject.fabricId)}`
-        );
-      }
-    }
-    if (icaCert.subject.icacId === void 0 || Array.isArray(icaCert.subject.icacId)) {
-      throw new CertificateError(`Invalid icacId in Ica certificate: ${import_general.Diagnostic.json(icaCert.subject.icacId)}`);
-    }
-    if ("rcacId" in icaCert.subject) {
-      throw new CertificateError(`Ica certificate must not contain an rcacId.`);
-    }
-    if ("caseAuthenticatedTags" in icaCert.subject) {
-      throw new CertificateError(`Ica certificate must not contain a caseAuthenticatedTags.`);
-    }
-    if (rootCert.subject.fabricId !== void 0 && icaCert.subject.fabricId !== void 0 && rootCert.subject.fabricId !== icaCert.subject.fabricId) {
-      throw new CertificateError(
-        `FabricId in Ica certificate does not match the fabricId in the parent certificate. ${import_general.Diagnostic.json(
-          rootCert.subject.fabricId
-        )} !== ${import_general.Diagnostic.json(icaCert.subject.fabricId)}`
-      );
-    }
-    if (rootCert.subject.rcacId !== icaCert.issuer.rcacId) {
-      throw new CertificateError(
-        `RcacId in Ica certificate does not match the rcacId in the parent certificate. ${import_general.Diagnostic.json(
-          rootCert.subject.rcacId
-        )} !== ${import_general.Diagnostic.json(icaCert.issuer.rcacId)}`
-      );
-    }
-    if (!icaCert.extensions.basicConstraints.isCa) {
-      throw new CertificateError(`Ica certificate must have isCa set to true.`);
-    }
-    if (ExtensionKeyUsageSchema.encode(rootCert.extensions.keyUsage) !== 96 && ExtensionKeyUsageSchema.encode(rootCert.extensions.keyUsage) !== 97) {
-      throw new CertificateError(
-        `Ica certificate keyUsage must have keyCertSign and CRLSign and optionally digitalSignature set.`
-      );
-    }
-    if (icaCert.extensions.extendedKeyUsage !== void 0) {
-      throw new CertificateError(`Ica certificate must not have extendedKeyUsage set.`);
-    }
-    if (icaCert.extensions.subjectKeyIdentifier === void 0) {
-      throw new CertificateError(`Ica certificate must have subjectKeyIdentifier set.`);
-    }
-    if (icaCert.extensions.subjectKeyIdentifier.length !== 20) {
-      throw new CertificateError(`Ica certificate subjectKeyIdentifier must be 160 bit.`);
-    }
-    if (icaCert.extensions.authorityKeyIdentifier === void 0) {
-      throw new CertificateError(`Ica certificate must have authorityKeyIdentifier set.`);
-    }
-    if (icaCert.extensions.authorityKeyIdentifier.length !== 20) {
-      throw new CertificateError(`Ica certificate authorityKeyIdentifier must be 160 bit.`);
-    }
-    if (!import_general.Bytes.areEqual(icaCert.extensions.authorityKeyIdentifier, rootCert.extensions.subjectKeyIdentifier)) {
-      throw new CertificateError(
-        `Ica certificate authorityKeyIdentifier must be equal to root cert subjectKeyIdentifier.`
-      );
-    }
-    await this.#crypto.verifyEcdsa(
-      (0, import_general.PublicKey)(rootCert.ellipticCurvePublicKey),
-      this.intermediateCaCertToAsn1(icaCert),
-      icaCert.signature
-    );
-  }
-  async createCertificateSigningRequest(key) {
-    const request = {
-      version: 0,
-      subject: { organization: import_general.X520.OrganisationName("CSR") },
-      publicKey: import_general.X962.PublicKeyEcPrime256v1(key.publicKey),
-      endSignedBytes: (0, import_general.ContextTagged)(0)
-    };
-    return import_general.DerCodec.encode({
-      request,
-      signAlgorithm: import_general.X962.EcdsaWithSHA256,
-      signature: (0, import_general.DerBitString)(await this.#crypto.signEcdsa(key, import_general.DerCodec.encode(request), "der"))
-    });
-  }
-  async getPublicKeyFromCsr(csr) {
-    const { [import_general.DerKey.Elements]: rootElements } = import_general.DerCodec.decode(csr);
-    if (rootElements?.length !== 3) throw new CertificateError("Invalid CSR data");
-    const [requestNode, signAlgorithmNode, signatureNode] = rootElements;
-    const { [import_general.DerKey.Elements]: requestElements } = requestNode;
-    if (requestElements?.length !== 4) throw new CertificateError("Invalid CSR data");
-    const [versionNode, _subjectNode, publicKeyNode] = requestElements;
-    const requestVersion = versionNode[import_general.DerKey.Bytes][0];
-    if (requestVersion !== 0) throw new CertificateError(`Unsupported request version${requestVersion}`);
-    const { [import_general.DerKey.Elements]: publicKeyElements } = publicKeyNode;
-    if (publicKeyElements?.length !== 2) throw new CertificateError("Invalid CSR data");
-    const [_publicKeyTypeNode, publicKeyBytesNode] = publicKeyElements;
-    const publicKey = publicKeyBytesNode[import_general.DerKey.Bytes];
-    if (signAlgorithmNode[import_general.DerKey.Elements]?.[0]?.[import_general.DerKey.Bytes] === void 0 || !import_general.Bytes.areEqual(
-      import_general.X962.EcdsaWithSHA256[import_general.DerKey.ObjectId][import_general.DerKey.Bytes],
-      signAlgorithmNode[import_general.DerKey.Elements]?.[0]?.[import_general.DerKey.Bytes]
-    ))
-      throw new CertificateError("Unsupported signature type");
-    await this.#crypto.verifyEcdsa(
-      (0, import_general.PublicKey)(publicKey),
-      import_general.DerCodec.encode(requestNode),
-      signatureNode[import_general.DerKey.Bytes],
-      "der"
-    );
-    return publicKey;
-  }
-}
-//# sourceMappingURL=CertificateManager.js.map