npm - @naylence/advanced-security - Versions diffs - 0.3.7 → 0.3.8 - Mend

@naylence/advanced-security 0.3.7 → 0.3.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (292) hide show

package/dist/cjs/naylence/fame/security/cert/index.js CHANGED Viewed

@@ -1,52 +1,18 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.DefaultCAServiceFactory = exports.CA_SERVICE_FACTORY_BASE_TYPE = exports.CAServiceFactory = exports.ENV_FAME_SIGNING_KEY_PEM = exports.ENV_FAME_SIGNING_KEY_FILE = exports.ENV_FAME_SIGNING_CERT_PEM = exports.ENV_FAME_SIGNING_CERT_FILE = exports.ENV_FAME_INTERMEDIATE_CHAIN_PEM = exports.ENV_FAME_INTERMEDIATE_CHAIN_FILE = exports.ENV_FAME_CA_KEY_PEM = exports.ENV_FAME_CA_KEY_FILE = exports.ENV_FAME_CA_CERT_PEM = exports.ENV_FAME_CA_CERT_FILE = exports.DefaultCAService = exports.verifyCertSidIntegrity = exports.extractSidFromSpiffeId = exports.extractLogicalHostsFromCert = exports.extractNodeIdFromCert = exports.extractSidFromCert = exports.extractSpiffeIdFromCert = exports.createTestCA = exports.NODE_ID_OID = exports.LOGICALS_OID = exports.SID_OID = exports.CASigningService = exports.ENV_VAR_FAME_CA_SERVICE_URL = exports.formatCertificateInfo = exports.extractCertificateInfo = exports.CAServiceClient = exports.CertificateRequestError = exports.CAService = exports.DEFAULT_CERTIFICATE_MANAGER_FACTORY_META = exports.DefaultCertificateManagerFactory = exports.DefaultCertificateManager = exports.GRANT_PURPOSE_CA_SIGN = exports.publicKeyFromX5c = exports.validateJwkX5cCertificate = void 0;
-var util_js_1 = require("./util.js");
-Object.defineProperty(exports, "validateJwkX5cCertificate", { enumerable: true, get: function () { return util_js_1.validateJwkX5cCertificate; } });
-Object.defineProperty(exports, "publicKeyFromX5c", { enumerable: true, get: function () { return util_js_1.publicKeyFromX5c; } });
-var grants_js_1 = require("./grants.js");
-Object.defineProperty(exports, "GRANT_PURPOSE_CA_SIGN", { enumerable: true, get: function () { return grants_js_1.GRANT_PURPOSE_CA_SIGN; } });
-var default_certificate_manager_js_1 = require("./default-certificate-manager.js");
-Object.defineProperty(exports, "DefaultCertificateManager", { enumerable: true, get: function () { return default_certificate_manager_js_1.DefaultCertificateManager; } });
-var default_certificate_manager_factory_js_1 = require("./default-certificate-manager-factory.js");
-Object.defineProperty(exports, "DefaultCertificateManagerFactory", { enumerable: true, get: function () { return default_certificate_manager_factory_js_1.DefaultCertificateManagerFactory; } });
-Object.defineProperty(exports, "DEFAULT_CERTIFICATE_MANAGER_FACTORY_META", { enumerable: true, get: function () { return default_certificate_manager_factory_js_1.FACTORY_META; } });
+export { validateJwkX5cCertificate, publicKeyFromX5c, } from "./util.js";
+export { GRANT_PURPOSE_CA_SIGN } from "./grants.js";
+export { createEd25519CsrFromPem, } from "./node-ed25519-csr.js";
+export { createEd25519Csr, } from "./browser-csr.js";
+export { DefaultCertificateManager, } from "./default-certificate-manager.js";
+export { DefaultCertificateManagerFactory, FACTORY_META as DEFAULT_CERTIFICATE_MANAGER_FACTORY_META, } from "./default-certificate-manager-factory.js";
+export { TrustStoreProviderFactory, NullTrustStoreProvider, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, } from "./trust-store/trust-store-provider-factory.js";
+export { EnvTrustStoreProviderFactory, FACTORY_META as ENV_TRUST_STORE_PROVIDER_FACTORY_META, } from "./trust-store/node-trust-store-provider-factory.js";
+export { BrowserTrustStoreProviderFactory, FACTORY_META as BROWSER_TRUST_STORE_PROVIDER_FACTORY_META, } from "./trust-store/browser-trust-store-provider-factory.js";
 // Certificate Authority (CA) types and services
-var ca_types_js_1 = require("./ca-types.js");
-Object.defineProperty(exports, "CAService", { enumerable: true, get: function () { return ca_types_js_1.CAService; } });
-Object.defineProperty(exports, "CertificateRequestError", { enumerable: true, get: function () { return ca_types_js_1.CertificateRequestError; } });
-var ca_service_client_js_1 = require("./ca-service-client.js");
-Object.defineProperty(exports, "CAServiceClient", { enumerable: true, get: function () { return ca_service_client_js_1.CAServiceClient; } });
-Object.defineProperty(exports, "extractCertificateInfo", { enumerable: true, get: function () { return ca_service_client_js_1.extractCertificateInfo; } });
-Object.defineProperty(exports, "formatCertificateInfo", { enumerable: true, get: function () { return ca_service_client_js_1.formatCertificateInfo; } });
-Object.defineProperty(exports, "ENV_VAR_FAME_CA_SERVICE_URL", { enumerable: true, get: function () { return ca_service_client_js_1.ENV_VAR_FAME_CA_SERVICE_URL; } });
-var internal_ca_service_js_1 = require("./internal-ca-service.js");
-Object.defineProperty(exports, "CASigningService", { enumerable: true, get: function () { return internal_ca_service_js_1.CASigningService; } });
-Object.defineProperty(exports, "SID_OID", { enumerable: true, get: function () { return internal_ca_service_js_1.SID_OID; } });
-Object.defineProperty(exports, "LOGICALS_OID", { enumerable: true, get: function () { return internal_ca_service_js_1.LOGICALS_OID; } });
-Object.defineProperty(exports, "NODE_ID_OID", { enumerable: true, get: function () { return internal_ca_service_js_1.NODE_ID_OID; } });
-Object.defineProperty(exports, "createTestCA", { enumerable: true, get: function () { return internal_ca_service_js_1.createTestCA; } });
-Object.defineProperty(exports, "extractSpiffeIdFromCert", { enumerable: true, get: function () { return internal_ca_service_js_1.extractSpiffeIdFromCert; } });
-Object.defineProperty(exports, "extractSidFromCert", { enumerable: true, get: function () { return internal_ca_service_js_1.extractSidFromCert; } });
-Object.defineProperty(exports, "extractNodeIdFromCert", { enumerable: true, get: function () { return internal_ca_service_js_1.extractNodeIdFromCert; } });
-Object.defineProperty(exports, "extractLogicalHostsFromCert", { enumerable: true, get: function () { return internal_ca_service_js_1.extractLogicalHostsFromCert; } });
-Object.defineProperty(exports, "extractSidFromSpiffeId", { enumerable: true, get: function () { return internal_ca_service_js_1.extractSidFromSpiffeId; } });
-Object.defineProperty(exports, "verifyCertSidIntegrity", { enumerable: true, get: function () { return internal_ca_service_js_1.verifyCertSidIntegrity; } });
-var default_ca_service_js_1 = require("./default-ca-service.js");
-Object.defineProperty(exports, "DefaultCAService", { enumerable: true, get: function () { return default_ca_service_js_1.DefaultCAService; } });
-Object.defineProperty(exports, "ENV_FAME_CA_CERT_FILE", { enumerable: true, get: function () { return default_ca_service_js_1.ENV_FAME_CA_CERT_FILE; } });
-Object.defineProperty(exports, "ENV_FAME_CA_CERT_PEM", { enumerable: true, get: function () { return default_ca_service_js_1.ENV_FAME_CA_CERT_PEM; } });
-Object.defineProperty(exports, "ENV_FAME_CA_KEY_FILE", { enumerable: true, get: function () { return default_ca_service_js_1.ENV_FAME_CA_KEY_FILE; } });
-Object.defineProperty(exports, "ENV_FAME_CA_KEY_PEM", { enumerable: true, get: function () { return default_ca_service_js_1.ENV_FAME_CA_KEY_PEM; } });
-Object.defineProperty(exports, "ENV_FAME_INTERMEDIATE_CHAIN_FILE", { enumerable: true, get: function () { return default_ca_service_js_1.ENV_FAME_INTERMEDIATE_CHAIN_FILE; } });
-Object.defineProperty(exports, "ENV_FAME_INTERMEDIATE_CHAIN_PEM", { enumerable: true, get: function () { return default_ca_service_js_1.ENV_FAME_INTERMEDIATE_CHAIN_PEM; } });
-Object.defineProperty(exports, "ENV_FAME_SIGNING_CERT_FILE", { enumerable: true, get: function () { return default_ca_service_js_1.ENV_FAME_SIGNING_CERT_FILE; } });
-Object.defineProperty(exports, "ENV_FAME_SIGNING_CERT_PEM", { enumerable: true, get: function () { return default_ca_service_js_1.ENV_FAME_SIGNING_CERT_PEM; } });
-Object.defineProperty(exports, "ENV_FAME_SIGNING_KEY_FILE", { enumerable: true, get: function () { return default_ca_service_js_1.ENV_FAME_SIGNING_KEY_FILE; } });
-Object.defineProperty(exports, "ENV_FAME_SIGNING_KEY_PEM", { enumerable: true, get: function () { return default_ca_service_js_1.ENV_FAME_SIGNING_KEY_PEM; } });
-var ca_service_factory_js_1 = require("./ca-service-factory.js");
-Object.defineProperty(exports, "CAServiceFactory", { enumerable: true, get: function () { return ca_service_factory_js_1.CAServiceFactory; } });
-Object.defineProperty(exports, "CA_SERVICE_FACTORY_BASE_TYPE", { enumerable: true, get: function () { return ca_service_factory_js_1.CA_SERVICE_FACTORY_BASE_TYPE; } });
-var default_ca_service_factory_js_1 = require("./default-ca-service-factory.js");
-Object.defineProperty(exports, "DefaultCAServiceFactory", { enumerable: true, get: function () { return default_ca_service_factory_js_1.DefaultCAServiceFactory; } });
+export { CAService, CertificateRequestError, } from "./ca-types.js";
+export { CAServiceClient, extractCertificateInfo, formatCertificateInfo, ENV_VAR_FAME_CA_SERVICE_URL, } from "./ca-service-client.js";
+export { CASigningService, createTestCA, extractSpiffeIdFromCert, extractSidFromCert, extractNodeIdFromCert, extractLogicalHostsFromCert, extractSidFromSpiffeId, verifyCertSidIntegrity, } from "./internal-ca-service.js";
+export { SID_OID, LOGICALS_OID, NODE_ID_OID } from "./oid-constants.js";
+export { DefaultCAService, ENV_FAME_CA_CERT_FILE, ENV_FAME_CA_CERT_PEM, ENV_FAME_CA_KEY_FILE, ENV_FAME_CA_KEY_PEM, ENV_FAME_INTERMEDIATE_CHAIN_FILE, ENV_FAME_INTERMEDIATE_CHAIN_PEM, ENV_FAME_SIGNING_CERT_FILE, ENV_FAME_SIGNING_CERT_PEM, ENV_FAME_SIGNING_KEY_FILE, ENV_FAME_SIGNING_KEY_PEM, } from "./default-ca-service.js";
+export { CAServiceFactory, CA_SERVICE_FACTORY_BASE_TYPE, } from "./ca-service-factory.js";
+export { DefaultCAServiceFactory, } from "./default-ca-service-factory.js";
 //# sourceMappingURL=index.js.map

package/dist/cjs/naylence/fame/security/cert/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/cert/index.ts"],"names":[],"mappings":"~~;;;~~AAAA,~~qCAMmB;AALjB~~,~~oHAAA~~,yBAAyB,~~OAAA;AAGzB~~,~~2GAAA,~~gBAAgB,~~OAAA;AAGlB~~,~~yCAAoD~~;~~AAA3C~~,~~kHAAA~~,qBAAqB,~~OAAA;AAC9B~~,~~mFAI0C~~;~~AAHxC~~,~~2IAAA~~,~~yBAAyB~~,~~OAAA;AAI3B~~,~~mGAIkD;AAHhD~~,~~0JAAA~~,~~gCAAgC~~,~~OAAA~~;~~AAChC~~,~~kKAAA~~,~~YAAY~~,~~OAA4C;AAI1D~~,~~gDAAgD;AAChD~~,~~6CAOuB~~;~~AAHrB~~,~~wGAAA~~,~~SAAS~~,~~OAAA;AACT~~,~~sHAAA~~,~~uBAAuB~~,~~OAAA~~;~~AAGzB,+DAOgC;AAN9B~~,~~uHAAA~~,~~eAAe~~,~~OAAA;AACf~~,~~8HAAA~~,~~sBAAsB~~,~~OAAA;AACtB~~,~~6HAAA~~,~~qBAAqB~~,~~OAAA~~;~~AAGrB~~,~~mIAAA~~,~~2BAA2B~~,~~OAAA;AAE7B~~,~~mEAakC;AAZhC~~,~~0HAAA~~,~~gBAAgB~~,~~OAAA;AAEhB~~,~~iHAAA~~,~~OAAO~~,~~OAAA~~;~~AACP~~,~~sHAAA~~,YAAY,~~OAAA;AACZ~~,~~qHAAA~~,~~WAAW~~,~~OAAA~~;~~AACX~~,~~sHAAA~~,YAAY,~~OAAA~~;~~AACZ~~,~~iIAAA~~,uBAAuB,~~OAAA~~;AACvB,~~4HAAA~~,~~kBAAkB~~,~~OAAA;AAClB,+HAAA~~,qBAAqB,~~OAAA~~;~~AACrB~~,~~qIAAA~~,2BAA2B,~~OAAA;AAC3B~~,~~gIAAA~~,sBAAsB,~~OAAA;AACtB~~,~~gIAAA~~,~~sBAAsB~~,~~OAAA~~;~~AAExB~~,~~iEAaiC;AAZ/B~~,~~yHAAA~~,~~gBAAgB~~,~~OAAA;AAEhB~~,~~8HAAA~~,~~qBAAqB~~,~~OAAA;AACrB~~,~~6HAAA~~,oBAAoB,~~OAAA~~;~~AACpB~~,~~6HAAA~~,oBAAoB,~~OAAA;AACpB~~,~~4HAAA~~,mBAAmB,~~OAAA;AACnB~~,~~yIAAA,~~gCAAgC,~~OAAA;AAChC,wIAAA~~,+BAA+B,~~OAAA;AAC~~/B,~~mIAAA,~~0BAA0B,~~OAAA;AAC1B~~,~~kIAAA,~~yBAAyB,~~OAAA;AACzB~~,~~kIAAA,~~yBAAyB,~~OAAA;AACzB~~,~~iIAAA,~~wBAAwB,~~OAAA;AAE1B~~,~~iEAIiC~~;~~AAH/B~~,~~yHAAA~~,gBAAgB,~~OAAA;AAEhB~~,~~qIAAA,~~4BAA4B,~~OAAA;AAE9B~~,~~iFAGyC~~;~~AAFvC~~,~~wIAAA~~,uBAAuB,~~OAAA~~"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/cert/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EAGzB,gBAAgB,GAEjB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EACL,uBAAuB,GAExB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,gBAAgB,GAEjB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,yBAAyB,GAG1B,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EACL,gCAAgC,EAChC,YAAY,IAAI,wCAAwC,GAEzD,MAAM,0CAA0C,CAAC;AAElD,OAAO,EACL,yBAAyB,EACzB,sBAAsB,EACtB,sCAAsC,GAGvC,MAAM,+CAA+C,CAAC;AACvD,OAAO,EACL,4BAA4B,EAC5B,YAAY,IAAI,qCAAqC,GAEtD,MAAM,oDAAoD,CAAC;AAC5D,OAAO,EACL,gCAAgC,EAChC,YAAY,IAAI,yCAAyC,GAE1D,MAAM,uDAAuD,CAAC;AAE/D,gDAAgD;AAChD,OAAO,EAIL,SAAS,EACT,uBAAuB,GAExB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,eAAe,EACf,sBAAsB,EACtB,qBAAqB,EAGrB,2BAA2B,GAC5B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,gBAAgB,EAEhB,YAAY,EACZ,uBAAuB,EACvB,kBAAkB,EAClB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EACL,gBAAgB,EAEhB,qBAAqB,EACrB,oBAAoB,EACpB,oBAAoB,EACpB,mBAAmB,EACnB,gCAAgC,EAChC,+BAA+B,EAC/B,0BAA0B,EAC1B,yBAAyB,EACzB,yBAAyB,EACzB,wBAAwB,GACzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,gBAAgB,EAEhB,4BAA4B,GAC7B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,uBAAuB,GAExB,MAAM,iCAAiC,CAAC"}

package/dist/cjs/naylence/fame/security/cert/internal-ca-service.js CHANGED Viewed

@@ -1,61 +1,15 @@
-"use strict";
 /**
  * Certificate Authority signing service for node certificates.
  *
  * Provides in-process API for issuing certificates with node physical
  * and host-like logical address information using SPIFFE-compliant identities.
  */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.CASigningService = exports.NODE_ID_OID = exports.LOGICALS_OID = exports.SID_OID = void 0;
-exports.createTestCA = createTestCA;
-exports.extractSpiffeIdFromCert = extractSpiffeIdFromCert;
-exports.extractSidFromCert = extractSidFromCert;
-exports.extractNodeIdFromCert = extractNodeIdFromCert;
-exports.extractLogicalHostsFromCert = extractLogicalHostsFromCert;
-exports.extractSidFromSpiffeId = extractSidFromSpiffeId;
-exports.verifyCertSidIntegrity = verifyCertSidIntegrity;
-const asn1_schema_1 = require("@peculiar/asn1-schema");
-const asn1_x509_1 = require("@peculiar/asn1-x509");
-const asn1_csr_1 = require("@peculiar/asn1-csr");
-const runtime_1 = require("@naylence/runtime");
-const ca_types_js_1 = require("./ca-types.js");
-// Certificate extension OIDs (using placeholder PEN)
-exports.SID_OID = "1.3.6.1.4.1.58530.1";
-exports.LOGICALS_OID = "1.3.6.1.4.1.58530.2";
-exports.NODE_ID_OID = "1.3.6.1.4.1.58530.4";
+import { AsnConvert, OctetString } from "@peculiar/asn1-schema";
+import { AlgorithmIdentifier, AttributeTypeAndValue, AttributeValue, AuthorityKeyIdentifier, BasicConstraints, Certificate, Extension, Extensions, ExtendedKeyUsage, GeneralName, GeneralSubtree, GeneralSubtrees, KeyIdentifier, KeyUsage as X509KeyUsage, KeyUsageFlags, Name, NameConstraints, RelativeDistinguishedName, SubjectAlternativeName, SubjectPublicKeyInfo, SubjectKeyIdentifier, TBSCertificate, Validity, Version, id_ce_authorityKeyIdentifier, id_ce_basicConstraints, id_ce_extKeyUsage, id_ce_keyUsage, id_ce_nameConstraints, id_ce_subjectAltName, id_ce_subjectKeyIdentifier, id_kp_clientAuth, id_kp_serverAuth, } from "@peculiar/asn1-x509";
+import { CertificationRequest } from "@peculiar/asn1-csr";
+import { secureDigest, validateHostLogical } from "@naylence/runtime";
+import { CAService } from "./ca-types.js";
+import { LOGICALS_OID, NODE_ID_OID, SID_OID } from "./oid-constants.js";
 const ED25519_OID = "1.3.101.112";
 let x509ModulePromise = null;
 let cryptoPromise = null;
@@ -65,7 +19,8 @@ let subtleCryptoPromise = null;
  */
 async function loadX509Module() {
     if (!x509ModulePromise) {
-        x509ModulePromise = Promise.resolve().then(() => __importStar(require("@peculiar/x509"))).then((mod) => {
+        x509ModulePromise = import("@peculiar/x509")
+            .then((mod) => {
             if (mod && typeof mod.X509Certificate === "function") {
                 return mod;
             }
@@ -85,7 +40,7 @@ async function ensureCrypto() {
     if (!cryptoPromise) {
         if (typeof process !== "undefined" &&
             typeof process.versions?.node === "string") {
-            cryptoPromise = Promise.resolve().then(() => __importStar(require("crypto"))).then((cryptoModule) => {
+            cryptoPromise = import("node:crypto").then((cryptoModule) => {
                 const webcrypto = cryptoModule
                     .webcrypto;
                 if (!webcrypto || !webcrypto.subtle) {
@@ -147,7 +102,7 @@ function toArrayBuffer(view) {
     return new Uint8Array(view).buffer;
 }
 function serializeAsn(value) {
-    return asn1_schema_1.AsnConvert.serialize(value);
+    return AsnConvert.serialize(value);
 }
 function hexToArrayBuffer(hex) {
     const normalized = hex.length % 2 === 0 ? hex : `0${hex}`;
@@ -165,26 +120,26 @@ async function createEd25519Certificate(options) {
     const issuerName = cloneName(options.issuer);
     const subjectName = cloneName(options.subject);
     const subjectSpki = await subtle.exportKey("spki", options.subjectPublicKey);
-    const subjectPublicKeyInfo = asn1_schema_1.AsnConvert.parse(subjectSpki, asn1_x509_1.SubjectPublicKeyInfo);
-    subjectPublicKeyInfo.algorithm = new asn1_x509_1.AlgorithmIdentifier({
+    const subjectPublicKeyInfo = AsnConvert.parse(subjectSpki, SubjectPublicKeyInfo);
+    subjectPublicKeyInfo.algorithm = new AlgorithmIdentifier({
         algorithm: ED25519_OID,
     });
-    const signatureAlgorithm = new asn1_x509_1.AlgorithmIdentifier({
+    const signatureAlgorithm = new AlgorithmIdentifier({
         algorithm: ED25519_OID,
     });
     const extensions = options.extensions?.length
-        ? new asn1_x509_1.Extensions(options.extensions.map((ext) => new asn1_x509_1.Extension({
+        ? new Extensions(options.extensions.map((ext) => new Extension({
             extnID: ext.type,
             critical: ext.critical,
-            extnValue: new asn1_schema_1.OctetString(ext.value),
+            extnValue: new OctetString(ext.value),
         })))
         : undefined;
-    const tbsCertificate = new asn1_x509_1.TBSCertificate({
-        version: asn1_x509_1.Version.v3,
+    const tbsCertificate = new TBSCertificate({
+        version: Version.v3,
         serialNumber: hexToArrayBuffer(serialHex),
         signature: signatureAlgorithm,
         issuer: issuerName,
-        validity: new asn1_x509_1.Validity({
+        validity: new Validity({
             notBefore: options.notBefore,
             notAfter: options.notAfter,
         }),
@@ -192,15 +147,15 @@ async function createEd25519Certificate(options) {
         subjectPublicKeyInfo,
         extensions,
     });
-    const tbsDer = asn1_schema_1.AsnConvert.serialize(tbsCertificate);
+    const tbsDer = AsnConvert.serialize(tbsCertificate);
     const signature = await subtle.sign("Ed25519", options.signingKey, tbsDer);
-    const certificate = new asn1_x509_1.Certificate({
+    const certificate = new Certificate({
         tbsCertificate,
         signatureAlgorithm,
         signatureValue: signature,
     });
     certificate.tbsCertificateRaw = tbsDer;
-    return asn1_schema_1.AsnConvert.serialize(certificate);
+    return AsnConvert.serialize(certificate);
 }
 function derToPem(der, label) {
     const base64 = bufferToBase64(der);
@@ -231,10 +186,10 @@ const OID_COMMON_NAME = "2.5.4.3";
 const OID_ORGANIZATIONAL_UNIT = "2.5.4.11";
 const OID_ORGANIZATION = "2.5.4.10";
 function createRelativeDistinguishedName(oid, value) {
-    return new asn1_x509_1.RelativeDistinguishedName([
-        new asn1_x509_1.AttributeTypeAndValue({
+    return new RelativeDistinguishedName([
+        new AttributeTypeAndValue({
             type: oid,
-            value: new asn1_x509_1.AttributeValue({ utf8String: value }),
+            value: new AttributeValue({ utf8String: value }),
         }),
     ]);
 }
@@ -248,56 +203,56 @@ function buildCertificateName(commonName, organization, organizationalUnit) {
     if (organization) {
         rdns.push(createRelativeDistinguishedName(OID_ORGANIZATION, organization));
     }
-    return new asn1_x509_1.Name(rdns);
+    return new Name(rdns);
 }
 function cloneName(name) {
-    return asn1_schema_1.AsnConvert.parse(asn1_schema_1.AsnConvert.serialize(name), asn1_x509_1.Name);
+    return AsnConvert.parse(AsnConvert.serialize(name), Name);
 }
 function getCertificateIdentity(cert) {
-    const parsed = asn1_schema_1.AsnConvert.parse(cert.rawData, asn1_x509_1.Certificate);
+    const parsed = AsnConvert.parse(cert.rawData, Certificate);
     return {
         name: cloneName(parsed.tbsCertificate.subject),
-        subjectPublicKeyInfo: asn1_schema_1.AsnConvert.serialize(parsed.tbsCertificate.subjectPublicKeyInfo),
+        subjectPublicKeyInfo: AsnConvert.serialize(parsed.tbsCertificate.subjectPublicKeyInfo),
     };
 }
 async function buildCaExtensions(subjectPublicKey, issuerPublicKey, options) {
     const extensions = [];
-    const basicConstraints = new asn1_x509_1.BasicConstraints({ cA: true });
+    const basicConstraints = new BasicConstraints({ cA: true });
     if (options.pathLength !== null && options.pathLength !== undefined) {
         basicConstraints.pathLenConstraint = options.pathLength;
     }
     extensions.push({
-        type: asn1_x509_1.id_ce_basicConstraints,
+        type: id_ce_basicConstraints,
         critical: true,
         value: serializeAsn(basicConstraints),
     });
-    const keyUsageFlags = asn1_x509_1.KeyUsageFlags.digitalSignature |
-        asn1_x509_1.KeyUsageFlags.keyCertSign |
-        asn1_x509_1.KeyUsageFlags.cRLSign;
+    const keyUsageFlags = KeyUsageFlags.digitalSignature |
+        KeyUsageFlags.keyCertSign |
+        KeyUsageFlags.cRLSign;
     extensions.push({
-        type: asn1_x509_1.id_ce_keyUsage,
+        type: id_ce_keyUsage,
         critical: true,
-        value: serializeAsn(new asn1_x509_1.KeyUsage(keyUsageFlags)),
+        value: serializeAsn(new X509KeyUsage(keyUsageFlags)),
     });
     const subjectKeyId = await computeKeyIdentifier(subjectPublicKey);
     extensions.push({
-        type: asn1_x509_1.id_ce_subjectKeyIdentifier,
+        type: id_ce_subjectKeyIdentifier,
         critical: false,
-        value: serializeAsn(new asn1_x509_1.SubjectKeyIdentifier(subjectKeyId)),
+        value: serializeAsn(new SubjectKeyIdentifier(subjectKeyId)),
     });
     const authorityKeyId = await computeKeyIdentifier(issuerPublicKey);
     extensions.push({
-        type: asn1_x509_1.id_ce_authorityKeyIdentifier,
+        type: id_ce_authorityKeyIdentifier,
         critical: false,
-        value: serializeAsn(new asn1_x509_1.AuthorityKeyIdentifier({
-            keyIdentifier: new asn1_x509_1.KeyIdentifier(authorityKeyId),
+        value: serializeAsn(new AuthorityKeyIdentifier({
+            keyIdentifier: new KeyIdentifier(authorityKeyId),
         })),
     });
     if (options.permittedDnsDomains?.length) {
-        const permittedSubtrees = new asn1_x509_1.GeneralSubtrees(options.permittedDnsDomains.map((domain) => new asn1_x509_1.GeneralSubtree({ base: new asn1_x509_1.GeneralName({ dNSName: domain }) })));
-        const constraints = new asn1_x509_1.NameConstraints({ permittedSubtrees });
+        const permittedSubtrees = new GeneralSubtrees(options.permittedDnsDomains.map((domain) => new GeneralSubtree({ base: new GeneralName({ dNSName: domain }) })));
+        const constraints = new NameConstraints({ permittedSubtrees });
         extensions.push({
-            type: asn1_x509_1.id_ce_nameConstraints,
+            type: id_ce_nameConstraints,
             critical: true,
             value: serializeAsn(constraints),
         });
@@ -307,51 +262,51 @@ async function buildCaExtensions(subjectPublicKey, issuerPublicKey, options) {
 async function buildLeafExtensions(publicKey, nodeSid, nodeId, spiffeId, logicalHosts, issuerPublicKey) {
     const extensions = [];
     extensions.push({
-        type: asn1_x509_1.id_ce_subjectAltName,
+        type: id_ce_subjectAltName,
         critical: false,
-        value: serializeAsn(new asn1_x509_1.SubjectAlternativeName([
-            new asn1_x509_1.GeneralName({ uniformResourceIdentifier: spiffeId }),
+        value: serializeAsn(new SubjectAlternativeName([
+            new GeneralName({ uniformResourceIdentifier: spiffeId }),
         ])),
     });
-    const keyUsageFlags = asn1_x509_1.KeyUsageFlags.digitalSignature;
+    const keyUsageFlags = KeyUsageFlags.digitalSignature;
     extensions.push({
-        type: asn1_x509_1.id_ce_keyUsage,
+        type: id_ce_keyUsage,
         critical: true,
-        value: serializeAsn(new asn1_x509_1.KeyUsage(keyUsageFlags)),
+        value: serializeAsn(new X509KeyUsage(keyUsageFlags)),
     });
     extensions.push({
-        type: asn1_x509_1.id_ce_extKeyUsage,
+        type: id_ce_extKeyUsage,
         critical: false,
-        value: serializeAsn(new asn1_x509_1.ExtendedKeyUsage([asn1_x509_1.id_kp_clientAuth, asn1_x509_1.id_kp_serverAuth])),
+        value: serializeAsn(new ExtendedKeyUsage([id_kp_clientAuth, id_kp_serverAuth])),
     });
     const subjectKeyId = await computeKeyIdentifier(publicKey);
     extensions.push({
-        type: asn1_x509_1.id_ce_subjectKeyIdentifier,
+        type: id_ce_subjectKeyIdentifier,
         critical: false,
-        value: serializeAsn(new asn1_x509_1.SubjectKeyIdentifier(subjectKeyId)),
+        value: serializeAsn(new SubjectKeyIdentifier(subjectKeyId)),
     });
     const authorityKeyId = await computeKeyIdentifier(issuerPublicKey);
     extensions.push({
-        type: asn1_x509_1.id_ce_authorityKeyIdentifier,
+        type: id_ce_authorityKeyIdentifier,
         critical: false,
-        value: serializeAsn(new asn1_x509_1.AuthorityKeyIdentifier({
-            keyIdentifier: new asn1_x509_1.KeyIdentifier(authorityKeyId),
+        value: serializeAsn(new AuthorityKeyIdentifier({
+            keyIdentifier: new KeyIdentifier(authorityKeyId),
         })),
     });
     extensions.push({
-        type: exports.SID_OID,
+        type: SID_OID,
         critical: false,
         value: toArrayBuffer(new TextEncoder().encode(nodeSid)),
     });
     extensions.push({
-        type: exports.NODE_ID_OID,
+        type: NODE_ID_OID,
         critical: false,
         value: toArrayBuffer(new TextEncoder().encode(nodeId)),
     });
     if (logicalHosts.length) {
         const logicalsJson = JSON.stringify(logicalHosts);
         extensions.push({
-            type: exports.LOGICALS_OID,
+            type: LOGICALS_OID,
             critical: false,
             value: toArrayBuffer(new TextEncoder().encode(logicalsJson)),
         });
@@ -364,7 +319,7 @@ async function buildLeafExtensions(publicKey, nodeSid, nodeId, spiffeId, logical
  * Issues SPIFFE-compliant node certificates with Fame-specific extensions
  * for physical paths and logical addresses.
  */
-class CASigningService extends ca_types_js_1.CAService {
+export class CASigningService extends CAService {
     constructor(options) {
         super();
         this.rootCertPem = options.rootCertPem;
@@ -437,14 +392,14 @@ class CASigningService extends ca_types_js_1.CAService {
     async issueCertificate(csr) {
         // Parse PKCS#10 CSR to extract SubjectPublicKeyInfo
         const csrDer = pemToDer(csr.csrPem);
-        const certRequest = asn1_schema_1.AsnConvert.parse(csrDer, asn1_csr_1.CertificationRequest);
+        const certRequest = AsnConvert.parse(csrDer, CertificationRequest);
         const subjectPublicKeyInfo = certRequest.certificationRequestInfo.subjectPKInfo;
         // Convert SubjectPublicKeyInfo to PEM format
-        const publicKeyDer = asn1_schema_1.AsnConvert.serialize(subjectPublicKeyInfo);
+        const publicKeyDer = AsnConvert.serialize(subjectPublicKeyInfo);
         const publicKeyPem = derToPem(publicKeyDer, "PUBLIC KEY");
         // Determine node SID and physical path (mirrors Python logic)
         const physicalPath = csr.physicalPath || `/unknown/${csr.requesterId}`;
-        const nodeSid = (0, runtime_1.secureDigest)(physicalPath);
+        const nodeSid = secureDigest(physicalPath);
         const logicals = csr.logicals || [];
         // Issue the certificate (short-lived: 1 day)
         const certificatePem = await this.signNodeCert(publicKeyPem, csr.requesterId, // Use requesterId as node_id
@@ -452,7 +407,7 @@ class CASigningService extends ca_types_js_1.CAService {
         undefined);
         // Parse certificate to get expiration
         const certDer = pemToDer(certificatePem);
-        const cert = asn1_schema_1.AsnConvert.parse(certDer, asn1_x509_1.Certificate);
+        const cert = AsnConvert.parse(certDer, Certificate);
         const notAfter = cert.tbsCertificate.validity.notAfter.getTime();
         const expiresAt = new Date(notAfter).toISOString();
         return {
@@ -476,13 +431,13 @@ class CASigningService extends ca_types_js_1.CAService {
         await this.ensureSigningMaterials();
         const signingCert = this.getSigningCertificate();
         const signingKey = this.getSigningKey();
-        const expectedSid = (0, runtime_1.secureDigest)(physicalPath);
+        const expectedSid = secureDigest(physicalPath);
         if (expectedSid !== nodeSid) {
             throw new Error("Provided SID does not match the computed SID for the physical path");
         }
         const logicalHosts = logicals ?? [];
         for (const logical of logicalHosts) {
-            const [valid, error] = (0, runtime_1.validateHostLogical)(logical);
+            const [valid, error] = validateHostLogical(logical);
             if (!valid) {
                 throw new Error(`Invalid logical host '${logical}': ${error ?? "unknown error"}`);
             }
@@ -496,7 +451,7 @@ class CASigningService extends ca_types_js_1.CAService {
         const spiffeId = `spiffe://${spiffeTrustDomain}/nodes/${nodeSid}`;
         const extensions = await buildLeafExtensions(publicKey, nodeSid, nodeId, spiffeId, logicalHosts, issuerIdentity.subjectPublicKeyInfo);
         const issuerName = issuerIdentity.name;
-        const subjectName = new asn1_x509_1.Name([]); // SPIFFE X.509-SVIDs require an empty subject DN
+        const subjectName = new Name([]); // SPIFFE X.509-SVIDs require an empty subject DN
         const certDer = await createEd25519Certificate({
             subject: subjectName,
             issuer: issuerName,
@@ -546,7 +501,6 @@ class CASigningService extends ca_types_js_1.CAService {
         return derToPem(certDer, "CERTIFICATE");
     }
 }
-exports.CASigningService = CASigningService;
 /**
  * Create a test root CA for development/testing.
  *
@@ -554,7 +508,7 @@ exports.CASigningService = CASigningService;
  *
  * @returns Tuple of [rootCertPem, rootKeyPem]
  */
-async function createTestCA() {
+export async function createTestCA() {
     const subtle = await getSubtleCrypto();
     await ensureCrypto();
     const keyPair = await subtle.generateKey({
@@ -588,7 +542,7 @@ async function createTestCA() {
  * @param certPem - Certificate in PEM format
  * @returns SPIFFE ID string or null if not found
  */
-async function extractSpiffeIdFromCert(certPem) {
+export async function extractSpiffeIdFromCert(certPem) {
     const x509 = await loadX509Module();
     if (!x509) {
         throw new Error("@peculiar/x509 module not available");
@@ -612,7 +566,7 @@ async function extractSpiffeIdFromCert(certPem) {
  * @param certPem - Certificate in PEM format
  * @returns SID bytes or null if not found
  */
-async function extractSidFromCert(certPem) {
+export async function extractSidFromCert(certPem) {
     const x509 = await loadX509Module();
     if (!x509) {
         throw new Error("@peculiar/x509 module not available");
@@ -620,7 +574,7 @@ async function extractSidFromCert(certPem) {
     try {
         const certDer = pemToDer(certPem);
         const cert = new x509.X509Certificate(certDer);
-        const sidExtension = cert.getExtension(exports.SID_OID);
+        const sidExtension = cert.getExtension(SID_OID);
         if (sidExtension) {
             return new Uint8Array(sidExtension);
         }
@@ -637,7 +591,7 @@ async function extractSidFromCert(certPem) {
  * @param certPem - Certificate in PEM format
  * @returns Node ID string or null if not found
  */
-async function extractNodeIdFromCert(certPem) {
+export async function extractNodeIdFromCert(certPem) {
     const x509 = await loadX509Module();
     if (!x509) {
         throw new Error("@peculiar/x509 module not available");
@@ -645,7 +599,7 @@ async function extractNodeIdFromCert(certPem) {
     try {
         const certDer = pemToDer(certPem);
         const cert = new x509.X509Certificate(certDer);
-        const nodeIdExtension = cert.getExtension(exports.NODE_ID_OID);
+        const nodeIdExtension = cert.getExtension(NODE_ID_OID);
         if (nodeIdExtension) {
             const decoder = new TextDecoder();
             return decoder.decode(nodeIdExtension);
@@ -663,7 +617,7 @@ async function extractNodeIdFromCert(certPem) {
  * @param certPem - Certificate in PEM format
  * @returns List of logical host addresses, empty if none found
  */
-async function extractLogicalHostsFromCert(certPem) {
+export async function extractLogicalHostsFromCert(certPem) {
     const x509 = await loadX509Module();
     if (!x509) {
         throw new Error("@peculiar/x509 module not available");
@@ -671,7 +625,7 @@ async function extractLogicalHostsFromCert(certPem) {
     try {
         const certDer = pemToDer(certPem);
         const cert = new x509.X509Certificate(certDer);
-        const logicalsExtension = cert.getExtension(exports.LOGICALS_OID);
+        const logicalsExtension = cert.getExtension(LOGICALS_OID);
         if (logicalsExtension) {
             const decoder = new TextDecoder();
             const jsonStr = decoder.decode(logicalsExtension);
@@ -690,7 +644,7 @@ async function extractLogicalHostsFromCert(certPem) {
  * @param spiffeId - SPIFFE ID in format spiffe://trust-domain/nodes/<sid>
  * @returns SID string (base62-encoded) or null if not a valid node SPIFFE ID
  */
-function extractSidFromSpiffeId(spiffeId) {
+export function extractSidFromSpiffeId(spiffeId) {
     if (!spiffeId.startsWith("spiffe://")) {
         return null;
     }
@@ -708,7 +662,7 @@ function extractSidFromSpiffeId(spiffeId) {
  * @param physicalPath - The expected physical path to verify against
  * @returns True if SID matches computed hash of physical path, False otherwise
  */
-async function verifyCertSidIntegrity(certPem, physicalPath) {
+export async function verifyCertSidIntegrity(certPem, physicalPath) {
     const sidBytes = await extractSidFromCert(certPem);
     if (!sidBytes) {
         return false;