@naylence/advanced-security 0.3.4 → 0.3.5-test.0

package/dist/cjs/browser.js

@@ -1,6 +1,34 @@
 "use strict";
+/**
+ * Browser-friendly entry point that exposes only modules compatible with
+ * runtimes lacking Node.js built-ins. Node-specific certificate authority
+ * helpers and Fastify bindings are intentionally excluded.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerAdvancedSecurityFactories = exports.EdDSAEnvelopeVerifier = exports.ADVANCED_EDDSA_ENVELOPE_VERIFIER_FACTORY_META = exports.AdvancedEdDSAEnvelopeVerifierFactory = exports.ADVANCED_EDDSA_ENVELOPE_SIGNER_FACTORY_META = exports.AdvancedEdDSAEnvelopeSignerFactory = exports.formatCertificateInfo = exports.extractCertificateInfo = exports.ENV_VAR_FAME_CA_SERVICE_URL = exports.CAServiceClient = exports.GRANT_PURPOSE_CA_SIGN = exports.publicKeyFromX5c = exports.validateJwkX5cCertificate = void 0;
 const tslib_1 = require("tslib");
-// Browser-friendly entry point. Limit exports to APIs that are safe for browser usage.
-tslib_1.__exportStar(require("./index.js"), exports);
+var util_js_1 = require("./naylence/fame/security/cert/util.js");
+Object.defineProperty(exports, "validateJwkX5cCertificate", { enumerable: true, get: function () { return util_js_1.validateJwkX5cCertificate; } });
+Object.defineProperty(exports, "publicKeyFromX5c", { enumerable: true, get: function () { return util_js_1.publicKeyFromX5c; } });
+var grants_js_1 = require("./naylence/fame/security/cert/grants.js");
+Object.defineProperty(exports, "GRANT_PURPOSE_CA_SIGN", { enumerable: true, get: function () { return grants_js_1.GRANT_PURPOSE_CA_SIGN; } });
+var ca_service_client_js_1 = require("./naylence/fame/security/cert/ca-service-client.js");
+Object.defineProperty(exports, "CAServiceClient", { enumerable: true, get: function () { return ca_service_client_js_1.CAServiceClient; } });
+Object.defineProperty(exports, "ENV_VAR_FAME_CA_SERVICE_URL", { enumerable: true, get: function () { return ca_service_client_js_1.ENV_VAR_FAME_CA_SERVICE_URL; } });
+Object.defineProperty(exports, "extractCertificateInfo", { enumerable: true, get: function () { return ca_service_client_js_1.extractCertificateInfo; } });
+Object.defineProperty(exports, "formatCertificateInfo", { enumerable: true, get: function () { return ca_service_client_js_1.formatCertificateInfo; } });
+tslib_1.__exportStar(require("./naylence/fame/security/encryption/index.js"), exports);
+var eddsa_envelope_signer_factory_js_1 = require("./naylence/fame/security/signing/eddsa-envelope-signer-factory.js");
+Object.defineProperty(exports, "AdvancedEdDSAEnvelopeSignerFactory", { enumerable: true, get: function () { return eddsa_envelope_signer_factory_js_1.AdvancedEdDSAEnvelopeSignerFactory; } });
+Object.defineProperty(exports, "ADVANCED_EDDSA_ENVELOPE_SIGNER_FACTORY_META", { enumerable: true, get: function () { return eddsa_envelope_signer_factory_js_1.FACTORY_META; } });
+var eddsa_envelope_verifier_factory_js_1 = require("./naylence/fame/security/signing/eddsa-envelope-verifier-factory.js");
+Object.defineProperty(exports, "AdvancedEdDSAEnvelopeVerifierFactory", { enumerable: true, get: function () { return eddsa_envelope_verifier_factory_js_1.AdvancedEdDSAEnvelopeVerifierFactory; } });
+Object.defineProperty(exports, "ADVANCED_EDDSA_ENVELOPE_VERIFIER_FACTORY_META", { enumerable: true, get: function () { return eddsa_envelope_verifier_factory_js_1.FACTORY_META; } });
+var eddsa_envelope_verifier_js_1 = require("./naylence/fame/security/signing/eddsa-envelope-verifier.js");
+Object.defineProperty(exports, "EdDSAEnvelopeVerifier", { enumerable: true, get: function () { return eddsa_envelope_verifier_js_1.EdDSAEnvelopeVerifier; } });
+tslib_1.__exportStar(require("./naylence/fame/security/keys/index.js"), exports);
+var register_advanced_security_factories_js_1 = require("./naylence/fame/security/register-advanced-security-factories.js");
+Object.defineProperty(exports, "registerAdvancedSecurityFactories", { enumerable: true, get: function () { return register_advanced_security_factories_js_1.registerAdvancedSecurityFactories; } });
+tslib_1.__exportStar(require("./naylence/fame/stickiness/index.js"), exports);
+tslib_1.__exportStar(require("./naylence/fame/welcome/index.js"), exports);
 //# sourceMappingURL=browser.js.map

package/dist/cjs/browser.js.map

@@ -1 +1 @@
-{"version":3,"file":"browser.js","sourceRoot":"","sources":["../../src/browser.ts"],"names":[],"mappings":";;;AAAA,uFAAuF;AACvF,qDAA2B"}
+{"version":3,"file":"browser.js","sourceRoot":"","sources":["../../src/browser.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;AAEH,iEAM+C;AAL9C,oHAAA,yBAAyB,OAAA;AAGzB,2GAAA,gBAAgB,OAAA;AAGjB,qEAAgF;AAAvE,kHAAA,qBAAqB,OAAA;AAC9B,2FAO4D;AAN3D,uHAAA,eAAe,OAAA;AAGf,mIAAA,2BAA2B,OAAA;AAC3B,8HAAA,sBAAsB,OAAA;AACtB,6HAAA,qBAAqB,OAAA;AAGtB,uFAA6D;AAE7D,sHAI2E;AAH1E,sJAAA,kCAAkC,OAAA;AAClC,+JAAA,YAAY,OAA+C;AAG5D,0HAI6E;AAH5E,0JAAA,oCAAoC,OAAA;AACpC,mKAAA,YAAY,OAAiD;AAG9D,0GAIqE;AAHpE,mIAAA,qBAAqB,OAAA;AAKtB,iFAAuD;AAEvD,4HAG0E;AAFzE,4JAAA,iCAAiC,OAAA;AAIlC,8EAAoD;AACpD,2EAAiD"}

package/dist/cjs/naylence/fame/security/cert/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/cert/index.ts"],"names":[],"mappings":";;;AAAA,qCAKmB;AAJjB,oHAAA,yBAAyB,OAAA;AAGzB,2GAAA,gBAAgB,OAAA;AAElB,yCAAoD;AAA3C,kHAAA,qBAAqB,OAAA;AAC9B,mFAI0C;AAHxC,2IAAA,yBAAyB,OAAA;AAI3B,mGAIkD;AAHhD,0JAAA,gCAAgC,OAAA;AAChC,kKAAA,YAAY,OAA4C;AAI1D,gDAAgD;AAChD,6CAOuB;AAHrB,wGAAA,SAAS,OAAA;AACT,sHAAA,uBAAuB,OAAA;AAGzB,+DAOgC;AAN9B,uHAAA,eAAe,OAAA;AACf,8HAAA,sBAAsB,OAAA;AACtB,6HAAA,qBAAqB,OAAA;AAGrB,mIAAA,2BAA2B,OAAA;AAE7B,mEAakC;AAZhC,0HAAA,gBAAgB,OAAA;AAEhB,iHAAA,OAAO,OAAA;AACP,sHAAA,YAAY,OAAA;AACZ,qHAAA,WAAW,OAAA;AACX,sHAAA,YAAY,OAAA;AACZ,iIAAA,uBAAuB,OAAA;AACvB,4HAAA,kBAAkB,OAAA;AAClB,+HAAA,qBAAqB,OAAA;AACrB,qIAAA,2BAA2B,OAAA;AAC3B,gIAAA,sBAAsB,OAAA;AACtB,gIAAA,sBAAsB,OAAA;AAExB,iEAaiC;AAZ/B,yHAAA,gBAAgB,OAAA;AAEhB,8HAAA,qBAAqB,OAAA;AACrB,6HAAA,oBAAoB,OAAA;AACpB,6HAAA,oBAAoB,OAAA;AACpB,4HAAA,mBAAmB,OAAA;AACnB,yIAAA,gCAAgC,OAAA;AAChC,wIAAA,+BAA+B,OAAA;AAC/B,mIAAA,0BAA0B,OAAA;AAC1B,kIAAA,yBAAyB,OAAA;AACzB,kIAAA,yBAAyB,OAAA;AACzB,iIAAA,wBAAwB,OAAA;AAE1B,iEAIiC;AAH/B,yHAAA,gBAAgB,OAAA;AAEhB,qIAAA,4BAA4B,OAAA;AAE9B,iFAGyC;AAFvC,wIAAA,uBAAuB,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/cert/index.ts"],"names":[],"mappings":";;;AAAA,qCAMmB;AALjB,oHAAA,yBAAyB,OAAA;AAGzB,2GAAA,gBAAgB,OAAA;AAGlB,yCAAoD;AAA3C,kHAAA,qBAAqB,OAAA;AAC9B,mFAI0C;AAHxC,2IAAA,yBAAyB,OAAA;AAI3B,mGAIkD;AAHhD,0JAAA,gCAAgC,OAAA;AAChC,kKAAA,YAAY,OAA4C;AAI1D,gDAAgD;AAChD,6CAOuB;AAHrB,wGAAA,SAAS,OAAA;AACT,sHAAA,uBAAuB,OAAA;AAGzB,+DAOgC;AAN9B,uHAAA,eAAe,OAAA;AACf,8HAAA,sBAAsB,OAAA;AACtB,6HAAA,qBAAqB,OAAA;AAGrB,mIAAA,2BAA2B,OAAA;AAE7B,mEAakC;AAZhC,0HAAA,gBAAgB,OAAA;AAEhB,iHAAA,OAAO,OAAA;AACP,sHAAA,YAAY,OAAA;AACZ,qHAAA,WAAW,OAAA;AACX,sHAAA,YAAY,OAAA;AACZ,iIAAA,uBAAuB,OAAA;AACvB,4HAAA,kBAAkB,OAAA;AAClB,+HAAA,qBAAqB,OAAA;AACrB,qIAAA,2BAA2B,OAAA;AAC3B,gIAAA,sBAAsB,OAAA;AACtB,gIAAA,sBAAsB,OAAA;AAExB,iEAaiC;AAZ/B,yHAAA,gBAAgB,OAAA;AAEhB,8HAAA,qBAAqB,OAAA;AACrB,6HAAA,oBAAoB,OAAA;AACpB,6HAAA,oBAAoB,OAAA;AACpB,4HAAA,mBAAmB,OAAA;AACnB,yIAAA,gCAAgC,OAAA;AAChC,wIAAA,+BAA+B,OAAA;AAC/B,mIAAA,0BAA0B,OAAA;AAC1B,kIAAA,yBAAyB,OAAA;AACzB,kIAAA,yBAAyB,OAAA;AACzB,iIAAA,wBAAwB,OAAA;AAE1B,iEAIiC;AAH/B,yHAAA,gBAAgB,OAAA;AAEhB,qIAAA,4BAA4B,OAAA;AAE9B,iFAGyC;AAFvC,wIAAA,uBAAuB,OAAA"}

package/dist/cjs/naylence/fame/security/cert/util.js

@@ -1,19 +1,62 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateJwkX5cCertificate = validateJwkX5cCertificate;
 exports.publicKeyFromX5c = publicKeyFromX5c;
+exports.validateJwkX5cCertificate = validateJwkX5cCertificate;
 const asn1_schema_1 = require("@peculiar/asn1-schema");
 const asn1_x509_1 = require("@peculiar/asn1-x509");
+const sha256_1 = require("@noble/hashes/sha256");
+const sha2_js_1 = require("@noble/hashes/sha2.js");
+const ed25519_1 = require("@noble/ed25519");
 const runtime_1 = require("@naylence/runtime");
 const logger = (0, runtime_1.getLogger)("naylence.fame.security.cert.util");
-/**
- * Temporary TypeScript port of validate_jwk_x5c_certificate.
- *
- * NOTE: The full certificate chain validation logic from the Python runtime
- * is still being ported. This implementation performs lightweight structure
- * checks and defers deep X.509 validation until the remaining modules are
- * available.
- */
+const CACHE_LIMIT = 512;
+const OID_ED25519 = "1.3.101.112";
+const textEncoder = new TextEncoder();
+const trustCache = new Map();
+function publicKeyFromX5c(x5c, options = {}) {
+    if (!Array.isArray(x5c) || x5c.length === 0) {
+        throw new Error("Empty certificate chain");
+    }
+    const callId = generateCallId();
+    const enforceNameConstraints = options.enforceNameConstraints ?? true;
+    const trustStorePem = normalizeTrustStoreOption(options.trustStorePem ?? null);
+    const returnCertificate = options.returnCertificate ?? false;
+    const { parsed, chainBytes } = parseCertificateChain(x5c);
+    logger.debug("public_key_from_x5c_called", {
+        call_id: callId,
+        x5c_count: parsed.length,
+        enforce_name_constraints: enforceNameConstraints,
+        has_trust_store: Boolean(trustStorePem),
+        return_cert: returnCertificate,
+    });
+    let cacheKey = null;
+    if (!returnCertificate) {
+        cacheKey = buildCacheKey(chainBytes, trustStorePem, enforceNameConstraints);
+        const cached = getCachedPublicKey(cacheKey);
+        if (cached) {
+            logger.debug("certificate_cache_hit", {
+                call_id: callId,
+                cache_key: cacheKey,
+            });
+            return cached;
+        }
+        logger.debug("certificate_cache_miss", {
+            call_id: callId,
+            cache_key: cacheKey,
+        });
+    }
+    const validation = validateCertificateChain(parsed, enforceNameConstraints, trustStorePem);
+    if (cacheKey) {
+        setCachedPublicKey(cacheKey, validation.publicKey, validation.notAfter);
+    }
+    if (returnCertificate) {
+        return {
+            publicKey: validation.publicKey.slice(),
+            certificate: validation.certificate,
+        };
+    }
+    return validation.publicKey.slice();
+}
 function validateJwkX5cCertificate(options) {
     const { jwk, trustStorePem = null, enforceNameConstraints = true, strict = true, } = options;
     if (!jwk || typeof jwk !== "object") {
@@ -36,85 +79,442 @@ function validateJwkX5cCertificate(options) {
         }
         return { isValid: false, error };
     }
-    // Until full validation is available we only log that certificate validation
-    // was requested. This preserves the call sites and allows adding the full
-    // chain validation later without changing behaviour.
-    logger.debug("validate_jwk_x5c_certificate_placeholder", {
-        enforce_name_constraints: enforceNameConstraints,
-        has_trust_store: Boolean(trustStorePem),
-        chain_length: x5c.length,
+    try {
+        publicKeyFromX5c(x5c, {
+            trustStorePem,
+            enforceNameConstraints,
+        });
+        return { isValid: true };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error ?? "unknown");
+        const normalized = `Certificate validation failed: ${message}`;
+        if (strict) {
+            throw new Error(normalized);
+        }
+        return { isValid: false, error: normalized };
+    }
+}
+function validateCertificateChain(parsed, enforceNameConstraints, trustStorePem) {
+    const leaf = parsed[0];
+    const nowMs = Date.now();
+    const notBefore = leaf.certificate.tbsCertificate.validity.notBefore.getTime();
+    const notAfter = leaf.certificate.tbsCertificate.validity.notAfter.getTime();
+    const notBeforeMs = notBefore.getTime();
+    const notAfterMs = notAfter.getTime();
+    if (nowMs < notBeforeMs || nowMs > notAfterMs) {
+        throw new Error(`Certificate is not currently valid (notBefore: ${notBefore.toISOString()}, notAfter: ${notAfter.toISOString()}, now: ${new Date(nowMs).toISOString()})`);
+    }
+    const issuers = parsed.slice(1);
+    if (enforceNameConstraints && issuers.length > 0) {
+        const leafUris = extractUrisFromCert(leaf.certificate);
+        validateNameConstraints(issuers, leafUris);
+    }
+    if (trustStorePem) {
+        validateTrustAnchor(parsed, trustStorePem);
+    }
+    validateChainContinuity(parsed);
+    const publicKey = leaf.subjectPublicKey.slice();
+    return {
+        publicKey,
+        certificate: leaf.certificate,
+        notAfter,
+    };
+}
+function parseCertificateChain(x5c) {
+    const parsed = [];
+    const derChunks = [];
+    for (let index = 0; index < x5c.length; index += 1) {
+        const entry = x5c[index];
+        if (typeof entry !== "string" || entry.trim().length === 0) {
+            throw new Error(`Invalid certificate at index ${index}`);
+        }
+        let der;
+        try {
+            der = decodeBase64(entry);
+        }
+        catch (error) {
+            const reason = error instanceof Error ? error.message : String(error);
+            throw new Error(`Failed to decode certificate at index ${index}: ${reason}`);
+        }
+        let certificate;
+        try {
+            certificate = asn1_schema_1.AsnConvert.parse(der, asn1_x509_1.Certificate);
+        }
+        catch (error) {
+            const reason = error instanceof Error ? error.message : String(error);
+            throw new Error(`Failed to parse certificate at index ${index}: ${reason}`);
+        }
+        parsed.push(createParsedCertificate(certificate, der));
+        derChunks.push(der);
+    }
+    return { parsed, chainBytes: concatBytes(derChunks) };
+}
+function createParsedCertificate(certificate, raw) {
+    return {
+        raw,
+        certificate,
+        serialNumber: toHex(new Uint8Array(certificate.tbsCertificate.serialNumber)).toUpperCase(),
+        subjectName: serializeName(certificate.tbsCertificate.subject),
+        issuerName: serializeName(certificate.tbsCertificate.issuer),
+        subjectPublicKey: new Uint8Array(certificate.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey).slice(),
+    };
+}
+function extractUrisFromCert(cert) {
+    const extension = findExtension(cert, asn1_x509_1.id_ce_subjectAltName);
+    if (!extension) {
+        return [];
+    }
+    const subjectAlternativeName = asn1_schema_1.AsnConvert.parse(extension.extnValue.buffer, asn1_x509_1.SubjectAlternativeName);
+    const uris = [];
+    for (const generalName of subjectAlternativeName) {
+        if (generalName.uniformResourceIdentifier) {
+            uris.push(generalName.uniformResourceIdentifier);
+        }
+    }
+    return uris;
+}
+function validateNameConstraints(issuers, leafUris) {
+    for (const issuer of issuers) {
+        const extension = findExtension(issuer.certificate, asn1_x509_1.id_ce_nameConstraints);
+        if (!extension) {
+            continue;
+        }
+        const constraints = asn1_schema_1.AsnConvert.parse(extension.extnValue.buffer, asn1_x509_1.NameConstraints);
+        if (!constraints.permittedSubtrees) {
+            continue;
+        }
+        const permittedUris = collectPermittedUris(Array.from(constraints.permittedSubtrees));
+        if (permittedUris.length === 0) {
+            continue;
+        }
+        for (const uri of leafUris) {
+            const allowed = permittedUris.some((prefix) => uri.startsWith(prefix));
+            if (!allowed) {
+                throw new Error(`URI '${uri}' violates name constraints - not in permitted subtrees: ${permittedUris.join(", ")}`);
+            }
+        }
+    }
+}
+function collectPermittedUris(subtrees) {
+    const uris = [];
+    for (const subtree of subtrees) {
+        if (subtree.base.uniformResourceIdentifier &&
+            subtree.base.uniformResourceIdentifier.length > 0) {
+            uris.push(subtree.base.uniformResourceIdentifier);
+        }
+    }
+    return uris;
+}
+function validateTrustAnchor(chain, trustStorePem) {
+    const trustedCerts = parseTrustStore(trustStorePem);
+    if (trustedCerts.length === 0) {
+        throw new Error("No valid certificates found in trust store");
+    }
+    logger.debug("trust_anchor_validation_start", {
+        chain_length: chain.length,
+        trust_store_cert_count: trustedCerts.length,
     });
-    return { isValid: true };
-}
-/**
- * Extract public key from X.509 certificate chain.
- *
- * Parses the leaf certificate from an x5c array and extracts the raw public key bytes.
- * For Ed25519 certificates, this returns the 32-byte public key.
- *
- * @param x5c - Array of base64-encoded DER certificates (leaf first)
- * @param options - Validation options
- * @returns The raw public key bytes from the leaf certificate
- * @throws Error if certificate parsing or validation fails
- */
-function publicKeyFromX5c(x5c, options = {}) {
-    if (!x5c || x5c.length === 0) {
-        throw new Error("Empty certificate chain");
+    const chainInfo = chain.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
+    const trustedInfo = trustedCerts.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
+    logger.debug("certificate_chain_validation", {
+        chain_certificates: chainInfo,
+        trust_store_certificates: trustedInfo,
+    });
+    // Strategy 1: direct trust (exact certificate match)
+    for (let i = 0; i < chain.length; i += 1) {
+        const cert = chain[i];
+        const match = trustedCerts.find((trusted) => trusted.serialNumber === cert.serialNumber &&
+            namesEqual(trusted.certificate.tbsCertificate.subject, cert.certificate.tbsCertificate.subject));
+        if (match) {
+            logger.debug("certificate_chain_trust_validation_passed", {
+                matching_serial: match.serialNumber,
+                validation_strategy: `direct_trust_cert_${i}`,
+            });
+            return;
+        }
     }
-    // Decode leaf certificate
-    const certB64 = x5c[0];
-    if (typeof certB64 !== "string") {
-        throw new Error("Invalid certificate in x5c array - must be base64 string");
+    const leaf = chain[0];
+    // Strategy 2: leaf issuer in trust store
+    for (const trusted of trustedCerts) {
+        if (namesEqual(trusted.certificate.tbsCertificate.subject, leaf.certificate.tbsCertificate.issuer) &&
+            trusted.serialNumber !== leaf.serialNumber) {
+            verifyCertificateSignature(leaf.certificate, trusted.certificate);
+            logger.debug("certificate_chain_trust_validation_passed", {
+                matching_serial: trusted.serialNumber,
+                validation_strategy: "leaf_issuer_trust",
+            });
+            return;
+        }
     }
-    let derBytes;
-    try {
-        derBytes = Buffer.from(certB64, "base64");
+    // Strategy 3: any intermediate issuer in trust store
+    for (let index = 1; index < chain.length; index += 1) {
+        const intermediate = chain[index];
+        for (const trusted of trustedCerts) {
+            if (namesEqual(trusted.certificate.tbsCertificate.subject, intermediate.certificate.tbsCertificate.issuer) &&
+                trusted.serialNumber !== intermediate.serialNumber) {
+                verifyCertificateSignature(intermediate.certificate, trusted.certificate);
+                logger.debug("certificate_chain_trust_validation_passed", {
+                    matching_serial: trusted.serialNumber,
+                    validation_strategy: `intermediate_issuer_trust_cert_${index}`,
+                });
+                return;
+            }
+        }
     }
-    catch (error) {
-        throw new Error(`Failed to decode base64 certificate: ${error instanceof Error ? error.message : String(error)}`);
+    logger.warning("certificate_chain_trust_validation_failed", {
+        leaf_subject: leaf.subjectName,
+        leaf_issuer: leaf.issuerName,
+        leaf_serial: leaf.serialNumber,
+        trusted_certificates: trustedInfo,
+        chain_certificates: chainInfo,
+        reason: "no_matching_trust_anchor",
+    });
+    throw new Error("Certificate chain is not rooted in a trusted anchor");
+}
+function parseTrustStore(trustStorePem) {
+    const normalized = normalizePem(trustStorePem);
+    const blocks = extractPemBlocks(normalized);
+    const parsed = [];
+    for (const block of blocks) {
+        try {
+            const der = decodeBase64(block);
+            const certificate = asn1_schema_1.AsnConvert.parse(der, asn1_x509_1.Certificate);
+            parsed.push(createParsedCertificate(certificate, der));
+        }
+        catch (error) {
+            const reason = error instanceof Error ? error.message : String(error);
+            logger.debug("trust_store_certificate_parse_failed", { reason });
+        }
     }
-    // Parse DER-encoded certificate
-    let cert;
-    try {
-        cert = asn1_schema_1.AsnConvert.parse(derBytes, asn1_x509_1.Certificate);
+    return parsed;
+}
+function extractPemBlocks(pem) {
+    const blocks = [];
+    const regex = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/gu;
+    let match;
+    // eslint-disable-next-line no-cond-assign
+    while ((match = regex.exec(pem)) !== null) {
+        const body = match[1] ?? "";
+        blocks.push(body.replace(/\s+/gu, ""));
     }
-    catch (error) {
-        throw new Error(`Failed to parse X.509 certificate: ${error instanceof Error ? error.message : String(error)}`);
-    }
-    // Basic temporal validity check
-    const now = Date.now(); // milliseconds since epoch
-    const notBefore = cert.tbsCertificate.validity.notBefore;
-    const notAfter = cert.tbsCertificate.validity.notAfter;
-    // Time from ASN.1 has getTime() method returning Date object
-    const notBeforeDate = notBefore.getTime();
-    const notAfterDate = notAfter.getTime();
-    const notBeforeMs = notBeforeDate instanceof Date
-        ? notBeforeDate.getTime()
-        : Number(notBeforeDate);
-    const notAfterMs = notAfterDate instanceof Date
-        ? notAfterDate.getTime()
-        : Number(notAfterDate);
-    if (now < notBeforeMs || now > notAfterMs) {
-        throw new Error(`Certificate is not currently valid (notBefore: ${new Date(notBeforeMs).toISOString()}, notAfter: ${new Date(notAfterMs).toISOString()}, now: ${new Date(now).toISOString()})`);
-    }
-    // TODO: Implement name constraints validation when enforceNameConstraints is true
-    if (options.enforceNameConstraints) {
-        logger.debug("name_constraints_validation_not_implemented", {
-            enforcement_requested: true,
-        });
+    return blocks;
+}
+function validateChainContinuity(chain) {
+    if (chain.length <= 1) {
+        return;
     }
-    // TODO: Implement trust store validation when trustStorePem is provided
-    if (options.trustStorePem) {
-        logger.debug("trust_store_validation_not_implemented", {
-            has_trust_store: true,
-        });
+    logger.debug("validating_chain_continuity", { chain_length: chain.length });
+    for (let index = 0; index < chain.length - 1; index += 1) {
+        const cert = chain[index];
+        const issuer = chain[index + 1];
+        if (!namesEqual(cert.certificate.tbsCertificate.issuer, issuer.certificate.tbsCertificate.subject)) {
+            logger.warning("certificate_chain_continuity_failed", {
+                cert_index: index,
+                cert_subject: cert.subjectName,
+                cert_issuer: cert.issuerName,
+                expected_issuer_subject: issuer.subjectName,
+                reason: "issuer_name_mismatch",
+            });
+            throw new Error(`Certificate chain continuity broken: certificate at index ${index} issuer does not match next certificate subject`);
+        }
+        try {
+            verifyCertificateSignature(cert.certificate, issuer.certificate);
+            logger.debug("chain_continuity_verification_success", {
+                cert_index: index,
+                cert_serial: cert.serialNumber,
+                issuer_serial: issuer.serialNumber,
+            });
+        }
+        catch (error) {
+            const reason = error instanceof Error ? error.message : String(error);
+            logger.warning("certificate_chain_continuity_failed", {
+                cert_index: index,
+                cert_subject: cert.subjectName,
+                issuer_subject: issuer.subjectName,
+                cert_serial: cert.serialNumber,
+                issuer_serial: issuer.serialNumber,
+                error: reason,
+                reason: "signature_verification_failed",
+            });
+            throw new Error(`Certificate chain continuity broken: certificate at index ${index} was not signed by certificate at index ${index + 1}: ${reason}`);
+        }
+    }
+    logger.debug("chain_continuity_validation_passed", {
+        chain_length: chain.length,
+    });
+}
+function verifyCertificateSignature(certificate, issuer) {
+    ensureEd25519Support();
+    const signatureAlgorithm = certificate.signatureAlgorithm.algorithm;
+    const issuerAlgorithm = issuer.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm;
+    if (signatureAlgorithm !== OID_ED25519 || issuerAlgorithm !== OID_ED25519) {
+        throw new Error(`Unsupported signature algorithm (certificate: ${signatureAlgorithm}, issuer: ${issuerAlgorithm})`);
+    }
+    const signatureBytes = new Uint8Array(certificate.signatureValue);
+    const tbsBytes = new Uint8Array(asn1_schema_1.AsnConvert.serialize(certificate.tbsCertificate));
+    const issuerKey = new Uint8Array(issuer.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey);
+    if (issuerKey.length !== 32) {
+        throw new Error("Issuer Ed25519 public key must be 32 bytes");
+    }
+    const valid = (0, ed25519_1.verify)(signatureBytes, tbsBytes, issuerKey);
+    if (!valid) {
+        throw new Error("Certificate signature verification failed");
+    }
+}
+function ensureEd25519Support() {
+    const etcPatch = ed25519_1.etc;
+    if (!etcPatch.sha512) {
+        etcPatch.sha512 = (message) => (0, sha2_js_1.sha512)(message);
+    }
+    if (!etcPatch.sha512Sync) {
+        etcPatch.sha512Sync = (...messages) => {
+            if (messages.length === 1) {
+                return (0, sha2_js_1.sha512)(messages[0]);
+            }
+            const combined = ed25519_1.etc.concatBytes(...messages);
+            return (0, sha2_js_1.sha512)(combined);
+        };
+    }
+}
+function findExtension(certificate, oid) {
+    const extensions = certificate.tbsCertificate.extensions;
+    if (!extensions) {
+        return null;
+    }
+    for (const extension of extensions) {
+        if (extension.extnID === oid) {
+            return extension;
+        }
+    }
+    return null;
+}
+function namesEqual(a, b) {
+    const left = new Uint8Array(asn1_schema_1.AsnConvert.serialize(a));
+    const right = new Uint8Array(asn1_schema_1.AsnConvert.serialize(b));
+    if (left.length !== right.length) {
+        return false;
+    }
+    for (let i = 0; i < left.length; i += 1) {
+        if (left[i] !== right[i]) {
+            return false;
+        }
+    }
+    return true;
+}
+function serializeName(name) {
+    const rdns = Array.from(name);
+    return rdns
+        .map((rdn) => Array.from(rdn)
+        .map((attr) => `${oidToLabel(attr.type)}=${attr.value.toString()}`)
+        .join("+"))
+        .join(",");
+}
+function oidToLabel(oid) {
+    switch (oid) {
+        case "2.5.4.3":
+            return "CN";
+        case "2.5.4.6":
+            return "C";
+        case "2.5.4.7":
+            return "L";
+        case "2.5.4.8":
+            return "ST";
+        case "2.5.4.10":
+            return "O";
+        case "2.5.4.11":
+            return "OU";
+        default:
+            return oid;
+    }
+}
+function concatBytes(chunks) {
+    const totalLength = chunks.reduce((sum, chunk) => sum + chunk.length, 0);
+    const result = new Uint8Array(totalLength);
+    let offset = 0;
+    for (const chunk of chunks) {
+        result.set(chunk, offset);
+        offset += chunk.length;
+    }
+    return result;
+}
+function decodeBase64(input) {
+    if (typeof Buffer !== "undefined") {
+        const normalized = input.replace(/\s+/gu, "");
+        return new Uint8Array(Buffer.from(normalized, "base64"));
+    }
+    if (typeof atob === "function") {
+        const normalized = input.replace(/\s+/gu, "");
+        const binary = atob(normalized);
+        const bytes = new Uint8Array(binary.length);
+        for (let i = 0; i < binary.length; i += 1) {
+            bytes[i] = binary.charCodeAt(i);
+        }
+        return bytes;
+    }
+    throw new Error("No base64 decoder available in this environment");
+}
+function toHex(data) {
+    return Array.from(data)
+        .map((byte) => byte.toString(16).padStart(2, "0"))
+        .join("");
+}
+function buildCacheKey(chainBytes, trustStorePem, enforceNameConstraints) {
+    const chainHash = toHex((0, sha256_1.sha256)(chainBytes));
+    const trustHash = trustStorePem
+        ? toHex((0, sha256_1.sha256)(textEncoder.encode(trustStorePem)))
+        : "no-trust";
+    const constraintFlag = enforceNameConstraints ? "nc1" : "nc0";
+    return `${chainHash}|${trustHash}|${constraintFlag}`;
+}
+function getCachedPublicKey(cacheKey) {
+    const entry = trustCache.get(cacheKey);
+    if (!entry) {
+        return null;
+    }
+    if (Date.now() > entry.expiresAt) {
+        trustCache.delete(cacheKey);
+        logger.debug("certificate_cache_expired", { cache_key: cacheKey });
+        return null;
+    }
+    return entry.value.slice();
+}
+function setCachedPublicKey(cacheKey, value, notAfter) {
+    while (trustCache.size >= CACHE_LIMIT) {
+        const firstKey = trustCache.keys().next().value;
+        if (firstKey === undefined) {
+            break;
+        }
+        trustCache.delete(firstKey);
+        logger.debug("certificate_cache_evicted", { cache_key: firstKey });
+    }
+    trustCache.set(cacheKey, {
+        value: value.slice(),
+        expiresAt: notAfter.getTime(),
+    });
+    logger.debug("certificate_cache_stored", {
+        cache_key: cacheKey,
+        expires_at: notAfter.toISOString(),
+        cache_size: trustCache.size,
+    });
+}
+function normalizeTrustStoreOption(value) {
+    if (!value) {
+        return null;
+    }
+    const trimmed = value.trim();
+    if (trimmed.length === 0) {
+        return null;
     }
-    // Extract public key from leaf certificate
-    const publicKeyInfo = cert.tbsCertificate.subjectPublicKeyInfo;
-    // For Ed25519, the subjectPublicKey is a BIT STRING containing the raw 32-byte public key
-    // The BIT STRING is stored as an ArrayBuffer
-    const publicKeyBitString = publicKeyInfo.subjectPublicKey;
-    // Convert ArrayBuffer to Uint8Array
-    return new Uint8Array(publicKeyBitString);
+    if (!trimmed.includes("-----BEGIN CERTIFICATE-----")) {
+        throw new Error("trustStorePem must contain PEM-encoded certificates when provided");
+    }
+    return normalizePem(trimmed);
+}
+function normalizePem(pem) {
+    return pem.replace(/\r/gu, "").trim();
+}
+function generateCallId() {
+    return Math.random().toString(36).slice(2, 10);
 }
 //# sourceMappingURL=util.js.map