@opentdf/sdk 0.1.0-beta.1701

package/dist/cjs/src/errors.js

@@ -0,0 +1,138 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UnsupportedFeatureError = exports.PermissionDeniedError = exports.UnauthenticatedError = exports.ServiceError = exports.NetworkError = exports.UnsafeUrlError = exports.IntegrityError = exports.DecryptError = exports.InvalidFileError = exports.AttributeValidationError = exports.ConfigurationError = exports.TdfError = void 0;
+function scrubCause(error, d) {
+    if (!error || (d && d > 4)) {
+        return {};
+    }
+    if (!error.name) {
+        return {};
+    }
+    const cause = new Error(error.name, scrubCause(error.cause, (d || 0) + 1));
+    if (error.message) {
+        cause.message = error.message;
+    }
+    if (error.stack) {
+        cause.stack = error.stack;
+    }
+    return { cause };
+}
+/**
+ * Root class for all errors thrown by this library.
+ * This should not be thrown directly, but rather one of its subclasses.
+ */
+class TdfError extends Error {
+    constructor(message, cause) {
+        super(message, scrubCause(cause));
+        this.name = 'TdfError';
+        // Error is funny (only on ES5? So  guess just IE11 we have to worry about?)
+        // https://github.com/Microsoft/TypeScript-wiki/blob/main/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work
+        // https://stackoverflow.com/questions/41102060/typescript-extending-error-class#comment70895020_41102306
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}
+exports.TdfError = TdfError;
+/**
+ * Errors that indicate the client or method does not have valid options.
+ */
+class ConfigurationError extends TdfError {
+    constructor() {
+        super(...arguments);
+        this.name = 'ConfigurationError';
+    }
+}
+exports.ConfigurationError = ConfigurationError;
+/**
+ * The assigned data attribute is not in the correct form.
+ */
+class AttributeValidationError extends ConfigurationError {
+    constructor(message, attribute, cause) {
+        super(message, cause);
+        this.name = 'AttributeValidationError';
+        this.attribute = attribute;
+    }
+}
+exports.AttributeValidationError = AttributeValidationError;
+/**
+ * Errors that indicate the TDF object is corrupt, invalid, or fails validation or decrypt.
+ */
+class InvalidFileError extends TdfError {
+}
+exports.InvalidFileError = InvalidFileError;
+/**
+ * Indicates a decrypt failure, either due to an incorrect key, corrupt ciphertext, or inappropriate key parameters.
+ */
+class DecryptError extends InvalidFileError {
+    constructor() {
+        super(...arguments);
+        this.name = 'DecryptError';
+    }
+}
+exports.DecryptError = DecryptError;
+class IntegrityError extends InvalidFileError {
+    constructor() {
+        super(...arguments);
+        this.name = 'IntegrityError';
+    }
+}
+exports.IntegrityError = IntegrityError;
+/**
+ * Thrown when a KAS URL found in one or more required key access objects are not in the list of known and allowed KASes in the client.
+ * This may indicate a malicious file - e.g. an attempt to DDoS a server by listing it as the KAS for many files, or to siphon credentials using a lookalike URL.
+ */
+class UnsafeUrlError extends InvalidFileError {
+    constructor(message, ...url) {
+        super(message);
+        this.name = 'UnsafeUrlError';
+        Object.setPrototypeOf(this, new.target.prototype);
+        this.url = url;
+    }
+}
+exports.UnsafeUrlError = UnsafeUrlError;
+/**
+ * A network error (no response) from rewrap or other endpoint, Possibly fixed by retrying or adjusting your network settings; could indicate network failure.
+ */
+class NetworkError extends TdfError {
+    constructor() {
+        super(...arguments);
+        this.name = 'NetworkError';
+    }
+}
+exports.NetworkError = NetworkError;
+/**
+ * The service reports an unexpected error on its behalf, or a subcomponent (5xx).
+ */
+class ServiceError extends TdfError {
+    constructor() {
+        super(...arguments);
+        this.name = 'ServiceError';
+    }
+}
+exports.ServiceError = ServiceError;
+/** Authentication failure (401) */
+class UnauthenticatedError extends TdfError {
+    constructor() {
+        super(...arguments);
+        this.name = 'UnauthenticatedError';
+    }
+}
+exports.UnauthenticatedError = UnauthenticatedError;
+/** Authorization failure (403) */
+class PermissionDeniedError extends TdfError {
+    constructor() {
+        super(...arguments);
+        this.name = 'PermissionDeniedError';
+    }
+}
+exports.PermissionDeniedError = PermissionDeniedError;
+/**
+ * Version of file is unsupported, or file uses a feature that is not supported by this version of the library.
+ */
+class UnsupportedFeatureError extends TdfError {
+    constructor() {
+        super(...arguments);
+        this.name = 'UnsupportedFeatureError';
+    }
+}
+exports.UnsupportedFeatureError = UnsupportedFeatureError;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXJyb3JzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2Vycm9ycy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSxTQUFTLFVBQVUsQ0FBQyxLQUFhLEVBQUUsQ0FBVTtJQUMzQyxJQUFJLENBQUMsS0FBSyxJQUFJLENBQUMsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUMsRUFBRTtRQUMxQixPQUFPLEVBQUUsQ0FBQztLQUNYO0lBQ0QsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLEVBQUU7UUFDZixPQUFPLEVBQUUsQ0FBQztLQUNYO0lBQ0QsTUFBTSxLQUFLLEdBQUcsSUFBSSxLQUFLLENBQUMsS0FBSyxDQUFDLElBQUksRUFBRSxVQUFVLENBQUMsS0FBSyxDQUFDLEtBQWMsRUFBRSxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDO0lBQ3BGLElBQUksS0FBSyxDQUFDLE9BQU8sRUFBRTtRQUNqQixLQUFLLENBQUMsT0FBTyxHQUFHLEtBQUssQ0FBQyxPQUFPLENBQUM7S0FDL0I7SUFDRCxJQUFJLEtBQUssQ0FBQyxLQUFLLEVBQUU7UUFDZixLQUFLLENBQUMsS0FBSyxHQUFHLEtBQUssQ0FBQyxLQUFLLENBQUM7S0FDM0I7SUFDRCxPQUFPLEVBQUUsS0FBSyxFQUFFLENBQUM7QUFDbkIsQ0FBQztBQUVEOzs7R0FHRztBQUNILE1BQWEsUUFBUyxTQUFRLEtBQUs7SUFHakMsWUFBWSxPQUFnQixFQUFFLEtBQWE7UUFDekMsS0FBSyxDQUFDLE9BQU8sRUFBRSxVQUFVLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQztRQUgzQixTQUFJLEdBQUcsVUFBVSxDQUFDO1FBSXpCLDRFQUE0RTtRQUM1RSw2SUFBNkk7UUFDN0kseUdBQXlHO1FBQ3pHLE1BQU0sQ0FBQyxjQUFjLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLENBQUM7SUFDcEQsQ0FBQztDQUNGO0FBVkQsNEJBVUM7QUFFRDs7R0FFRztBQUNILE1BQWEsa0JBQW1CLFNBQVEsUUFBUTtJQUFoRDs7UUFDVyxTQUFJLEdBQUcsb0JBQW9CLENBQUM7SUFDdkMsQ0FBQztDQUFBO0FBRkQsZ0RBRUM7QUFFRDs7R0FFRztBQUNILE1BQWEsd0JBQXlCLFNBQVEsa0JBQWtCO0lBRzlELFlBQVksT0FBZSxFQUFFLFNBQWtCLEVBQUUsS0FBYTtRQUM1RCxLQUFLLENBQUMsT0FBTyxFQUFFLEtBQUssQ0FBQyxDQUFDO1FBSGYsU0FBSSxHQUFHLDBCQUEwQixDQUFDO1FBSXpDLElBQUksQ0FBQyxTQUFTLEdBQUcsU0FBUyxDQUFDO0lBQzdCLENBQUM7Q0FDRjtBQVBELDREQU9DO0FBRUQ7O0dBRUc7QUFDSCxNQUFhLGdCQUFpQixTQUFRLFFBQVE7Q0FBRztBQUFqRCw0Q0FBaUQ7QUFFakQ7O0dBRUc7QUFDSCxNQUFhLFlBQWEsU0FBUSxnQkFBZ0I7SUFBbEQ7O1FBQ1csU0FBSSxHQUFHLGNBQWMsQ0FBQztJQUNqQyxDQUFDO0NBQUE7QUFGRCxvQ0FFQztBQUVELE1BQWEsY0FBZSxTQUFRLGdCQUFnQjtJQUFwRDs7UUFDVyxTQUFJLEdBQUcsZ0JBQWdCLENBQUM7SUFDbkMsQ0FBQztDQUFBO0FBRkQsd0NBRUM7QUFFRDs7O0dBR0c7QUFDSCxNQUFhLGNBQWUsU0FBUSxnQkFBZ0I7SUFJbEQsWUFBWSxPQUFlLEVBQUUsR0FBRyxHQUFhO1FBQzNDLEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUpSLFNBQUksR0FBRyxnQkFBZ0IsQ0FBQztRQUsvQixNQUFNLENBQUMsY0FBYyxDQUFDLElBQUksRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBQ2xELElBQUksQ0FBQyxHQUFHLEdBQUcsR0FBRyxDQUFDO0lBQ2pCLENBQUM7Q0FDRjtBQVRELHdDQVNDO0FBRUQ7O0dBRUc7QUFDSCxNQUFhLFlBQWEsU0FBUSxRQUFRO0lBQTFDOztRQUNXLFNBQUksR0FBRyxjQUFjLENBQUM7SUFDakMsQ0FBQztDQUFBO0FBRkQsb0NBRUM7QUFFRDs7R0FFRztBQUNILE1BQWEsWUFBYSxTQUFRLFFBQVE7SUFBMUM7O1FBQ1csU0FBSSxHQUFHLGNBQWMsQ0FBQztJQUNqQyxDQUFDO0NBQUE7QUFGRCxvQ0FFQztBQUVELG1DQUFtQztBQUNuQyxNQUFhLG9CQUFxQixTQUFRLFFBQVE7SUFBbEQ7O1FBQ1csU0FBSSxHQUFHLHNCQUFzQixDQUFDO0lBQ3pDLENBQUM7Q0FBQTtBQUZELG9EQUVDO0FBRUQsa0NBQWtDO0FBQ2xDLE1BQWEscUJBQXNCLFNBQVEsUUFBUTtJQUFuRDs7UUFDVyxTQUFJLEdBQUcsdUJBQXVCLENBQUM7SUFDMUMsQ0FBQztDQUFBO0FBRkQsc0RBRUM7QUFFRDs7R0FFRztBQUNILE1BQWEsdUJBQXdCLFNBQVEsUUFBUTtJQUFyRDs7UUFDVyxTQUFJLEdBQUcseUJBQXlCLENBQUM7SUFDNUMsQ0FBQztDQUFBO0FBRkQsMERBRUMifQ==

package/dist/cjs/src/index.js

@@ -0,0 +1,344 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.clientType = exports.version = exports.AuthProviders = exports.NanoTDFDatasetClient = exports.NanoTDFClient = exports.attributeFQNsAsValues = void 0;
+const index_js_1 = require("./nanotdf/index.js");
+const index_js_2 = require("./nanotdf-crypto/index.js");
+const index_js_3 = require("./tdf/index.js");
+const access_js_1 = require("./access.js");
+const errors_js_1 = require("./errors.js");
+var api_js_1 = require("./policy/api.js");
+Object.defineProperty(exports, "attributeFQNsAsValues", { enumerable: true, get: function () { return api_js_1.attributeFQNsAsValues; } });
+// Define default options
+const defaultOptions = {
+    ecdsaBinding: false,
+};
+/**
+ * NanoTDF SDK Client
+ *
+ * @example
+ * ```
+ * import { clientSecretAuthProvider, NanoTDFClient } from '@opentdf/sdk';
+ *
+ * const OIDC_ENDPOINT = 'http://localhost:65432/auth/realms/opentdf-demo';
+ * const KAS_URL = 'http://localhost:65432/api/kas/';
+ *
+ * const ciphertext = '...';
+ * const client = new NanoTDFClient({
+ *   authProvider: await clientSecretAuthProvider({
+ *     clientId: 'tdf-client',
+ *     clientSecret: '123-456',
+ *     oidcOrigin: OIDC_ENDPOINT,
+ *   }),
+ *   kasEndpoint: KAS_URL
+ *  }
+ * );
+ * client.decrypt(ciphertext)
+ *   .then(plaintext => {
+ *     console.log('Plaintext', plaintext);
+ *   })
+ *   .catch(err => {
+ *     console.error('Some error occurred', err);
+ *   })
+ */
+class NanoTDFClient extends index_js_1.Client {
+    /**
+     * Decrypt ciphertext
+     *
+     * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
+     *
+     * @param ciphertext Ciphertext to decrypt
+     */
+    async decrypt(ciphertext) {
+        // Parse ciphertext
+        const nanotdf = index_js_1.NanoTDF.from(ciphertext);
+        await this.fetchOIDCToken();
+        // TODO: The version number should be fetched from the API
+        const version = '0.0.1';
+        const kasUrl = nanotdf.header.getKasRewrapUrl();
+        // Rewrap key on every request
+        const ukey = await this.rewrapKey(nanotdf.header.toBuffer(), kasUrl, nanotdf.header.magicNumberVersion, version);
+        if (!ukey) {
+            throw new Error('internal: key rewrap failure');
+        }
+        // Return decrypt promise
+        return (0, index_js_1.decrypt)(ukey, nanotdf);
+    }
+    /**
+     * Decrypt ciphertext of the legacy TDF, with the older, smaller i.v. calculation.
+     *
+     * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
+     *
+     * @param ciphertext Ciphertext to decrypt
+     */
+    async decryptLegacyTDF(ciphertext) {
+        // Parse ciphertext
+        const nanotdf = index_js_1.NanoTDF.from(ciphertext, undefined, true);
+        await this.fetchOIDCToken();
+        const legacyVersion = '0.0.0';
+        // Rewrap key on every request
+        const key = await this.rewrapKey(nanotdf.header.toBuffer(), nanotdf.header.getKasRewrapUrl(), nanotdf.header.magicNumberVersion, legacyVersion);
+        if (!key) {
+            throw new Error('internal: failed unwrap');
+        }
+        // Return decrypt promise
+        return (0, index_js_1.decrypt)(key, nanotdf);
+    }
+    /**
+     * Encrypts the given data using the NanoTDF encryption scheme.
+     *
+     * @param {string | TypedArray | ArrayBuffer} data - The data to be encrypted.
+     * @param {EncryptOptions} [options=defaultOptions] - The encryption options (currently unused).
+     * @returns {Promise<ArrayBuffer>} A promise that resolves to the encrypted data as an ArrayBuffer.
+     * @throws {Error} If the initialization vector is not a number.
+     */
+    async encrypt(data, options) {
+        // For encrypt always generate the client ephemeralKeyPair
+        const ephemeralKeyPair = await this.ephemeralKeyPair;
+        const initializationVector = this.iv;
+        if (typeof initializationVector !== 'number') {
+            throw new errors_js_1.ConfigurationError('NanoTDF clients are single use. Please generate a new client and keypair.');
+        }
+        delete this.iv;
+        if (!this.kasPubKey) {
+            this.kasPubKey = await (0, access_js_1.fetchECKasPubKey)(this.kasUrl);
+        }
+        // Create a policy for the tdf
+        const policy = new index_js_3.Policy();
+        // Add data attributes.
+        for (const dataAttribute of this.dataAttributes) {
+            const attribute = await (0, index_js_3.createAttribute)(dataAttribute, this.kasPubKey, this.kasUrl);
+            policy.addAttribute(attribute);
+        }
+        if (this.dissems.length == 0 && this.dataAttributes.length == 0) {
+            console.warn('This policy has an empty attributes list and an empty dissemination list. This will allow any entity with a valid Entity Object to access this TDF.');
+        }
+        // Encrypt the policy.
+        const policyObjectAsStr = policy.toJSON();
+        // IV is always '1', since the new keypair is generated on encrypt
+        // using the same key is fine.
+        const lengthAsUint32 = new Uint32Array(1);
+        lengthAsUint32[0] = initializationVector;
+        const lengthAsUint24 = new Uint8Array(lengthAsUint32.buffer);
+        // NOTE: We are only interested in only first 3 bytes.
+        const payloadIV = new Uint8Array(12).fill(0);
+        payloadIV[9] = lengthAsUint24[2];
+        payloadIV[10] = lengthAsUint24[1];
+        payloadIV[11] = lengthAsUint24[0];
+        const mergedOptions = { ...defaultOptions, ...options };
+        return (0, index_js_1.encrypt)(policyObjectAsStr, this.kasPubKey, ephemeralKeyPair, payloadIV, data, mergedOptions.ecdsaBinding);
+    }
+}
+exports.NanoTDFClient = NanoTDFClient;
+/**
+ * NanoTDF Dataset SDK Client
+ *
+ *
+ * @example
+ * ```
+ * import { clientSecretAuthProvider, NanoTDFDatasetClient } from '@opentdf/sdk';
+ *
+ * const OIDC_ENDPOINT = 'http://localhost:65432/auth/realms/tdf';
+ * const KAS_URL = 'http://localhost:65432/api/kas/';
+ *
+ * const ciphertext = '...';
+ * const client = new NanoTDFDatasetClient({
+ *   authProvider: await clientSecretAuthProvider({
+ *     clientId: 'tdf-client',
+ *     clientSecret: '123-456',
+ *     exchange: 'client',
+ *     oidcOrigin: OIDC_ENDPOINT,
+ *   }),
+ *   kasEndpoint: KAS_URL,
+ * });
+ * const plaintext = client.decrypt(ciphertext);
+ * console.log('Plaintext', plaintext);
+ * ```
+ */
+class NanoTDFDatasetClient extends index_js_1.Client {
+    /**
+     * Create new NanoTDF Dataset Client
+     *
+     * The Ephemeral Key Pair can either be provided or will be generate when fetching the entity object. Once set it
+     * cannot be changed. If a new ephemeral key is desired it a new client should be initialized.
+     * There is no performance impact for creating a new client IFF the ephemeral key pair is provided.
+     *
+     * @param clientConfig OIDC client credentials
+     * @param kasUrl Key access service URL
+     * @param ephemeralKeyPair (optional) ephemeral key pair to use
+     * @param maxKeyIterations Max iteration to performe without a key rotation
+     */
+    constructor(opts) {
+        if (opts.maxKeyIterations &&
+            opts.maxKeyIterations > NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS) {
+            throw new errors_js_1.ConfigurationError(`key iteration exceeds max iterations(${NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS})`);
+        }
+        super(opts);
+        this.maxKeyIteration = opts.maxKeyIterations || NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS;
+        this.keyIterationCount = 0;
+    }
+    /**
+     * Encrypt data
+     *
+     * Pass a string, TypedArray, or ArrayBuffer data and get a promise which resolves ciphertext
+     *
+     * @param data to decrypt
+     */
+    async encrypt(data, options) {
+        // Intial encrypt
+        if (this.keyIterationCount == 0) {
+            const mergedOptions = { ...defaultOptions, ...options };
+            this.ecdsaBinding = mergedOptions.ecdsaBinding;
+            // For encrypt always generate the client ephemeralKeyPair
+            const ephemeralKeyPair = await this.ephemeralKeyPair;
+            if (!this.kasPubKey) {
+                this.kasPubKey = await (0, access_js_1.fetchECKasPubKey)(this.kasUrl);
+            }
+            // Create a policy for the tdf
+            const policy = new index_js_3.Policy();
+            // Add data attributes.
+            for (const dataAttribute of this.dataAttributes) {
+                const attribute = await (0, index_js_3.createAttribute)(dataAttribute, this.kasPubKey, this.kasUrl);
+                policy.addAttribute(attribute);
+            }
+            if (this.dissems.length == 0 || this.dataAttributes.length == 0) {
+                console.warn('This policy has an empty attributes list and an empty dissemination list. This will allow any entity with a valid Entity Object to access this TDF.');
+            }
+            // Encrypt the policy.
+            const policyObjectAsStr = policy.toJSON();
+            const ivVector = this.generateIV();
+            // Generate a symmetric key.
+            this.symmetricKey = await (0, index_js_2.keyAgreement)(ephemeralKeyPair.privateKey, await this.kasPubKey.key, await (0, index_js_1.getHkdfSalt)(index_js_1.DefaultParams.magicNumberVersion));
+            const nanoTDFBuffer = await (0, index_js_1.encrypt)(policyObjectAsStr, this.kasPubKey, ephemeralKeyPair, ivVector, data, this.ecdsaBinding);
+            // Cache the header and increment the key iteration
+            if (!this.cachedHeader) {
+                const nanoTDF = index_js_1.NanoTDF.from(nanoTDFBuffer);
+                this.cachedHeader = nanoTDF.header;
+            }
+            this.keyIterationCount += 1;
+            return nanoTDFBuffer;
+        }
+        this.keyIterationCount += 1;
+        if (!this.cachedHeader) {
+            throw new errors_js_1.ConfigurationError('invalid dataset client: empty nanoTDF header');
+        }
+        if (!this.symmetricKey) {
+            throw new errors_js_1.ConfigurationError('invalid dataset client: empty dek');
+        }
+        this.keyIterationCount += 1;
+        if (this.keyIterationCount == this.maxKeyIteration) {
+            // reset the key iteration
+            this.keyIterationCount = 0;
+        }
+        const ivVector = this.generateIV();
+        return (0, index_js_1.encryptDataset)(this.symmetricKey, this.cachedHeader, ivVector, data);
+    }
+    /**
+     * Decrypt ciphertext
+     *
+     * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
+     *
+     * @param ciphertext Ciphertext to decrypt
+     */
+    async decrypt(ciphertext) {
+        // Parse ciphertext
+        const nanotdf = index_js_1.NanoTDF.from(ciphertext);
+        if (!this.cachedEphemeralKey) {
+            // First decrypt
+            return this.rewrapAndDecrypt(nanotdf);
+        }
+        // Other encrypts
+        if (this.cachedEphemeralKey.toString() == nanotdf.header.ephemeralPublicKey.toString()) {
+            const ukey = this.unwrappedKey;
+            if (!ukey) {
+                // These should have thrown already.
+                throw new Error('internal: key rewrap failure');
+            }
+            // Return decrypt promise
+            return (0, index_js_1.decrypt)(ukey, nanotdf);
+        }
+        else {
+            return this.rewrapAndDecrypt(nanotdf);
+        }
+    }
+    async rewrapAndDecrypt(nanotdf) {
+        // TODO: The version number should be fetched from the API
+        await this.fetchOIDCToken();
+        const version = '0.0.1';
+        // Rewrap key on every request
+        const ukey = await this.rewrapKey(nanotdf.header.toBuffer(), nanotdf.header.getKasRewrapUrl(), nanotdf.header.magicNumberVersion, version);
+        if (!ukey) {
+            // These should have thrown already.
+            throw new Error('internal: key rewrap failure');
+        }
+        this.cachedEphemeralKey = nanotdf.header.ephemeralPublicKey;
+        this.unwrappedKey = ukey;
+        // Return decrypt promise
+        return (0, index_js_1.decrypt)(ukey, nanotdf);
+    }
+    generateIV() {
+        const iv = this.iv;
+        if (iv === undefined) {
+            // iv has passed the maximum iteration count for this dek
+            throw new errors_js_1.ConfigurationError('dataset full');
+        }
+        // assert iv ∈ ℤ ∩ (0, 2^24)
+        if (!Number.isInteger(iv) || iv <= 0 || 16777215 < iv) {
+            // Something has fiddled with the iv outside of the expected behavior
+            // could indicate a race condition, e.g. if two workers or handlers are
+            // processing the file at once, for example.
+            throw new Error('internal: invalid state');
+        }
+        const lengthAsUint32 = new Uint32Array(1);
+        lengthAsUint32[0] = iv;
+        const lengthAsUint24 = new Uint8Array(lengthAsUint32.buffer);
+        // NOTE: We are only interested in only first 3 bytes.
+        const ivVector = new Uint8Array(index_js_1.Client.IV_SIZE).fill(0);
+        ivVector[9] = lengthAsUint24[2];
+        ivVector[10] = lengthAsUint24[1];
+        ivVector[11] = lengthAsUint24[0];
+        // Increment the IV
+        if (iv == 16777215) {
+            delete this.iv;
+        }
+        else {
+            this.iv = iv + 1;
+        }
+        return ivVector;
+    }
+}
+exports.NanoTDFDatasetClient = NanoTDFDatasetClient;
+// Total unique IVs(2^24 -1) used for encrypting the nano tdf payloads
+// IV starts from 1 since the 0 IV is reserved for policy encryption
+NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS = 8388606;
+/**
+ * Authorization for connecting authZ tokens to
+ * remote requests.
+ */
+exports.AuthProviders = __importStar(require("./auth/providers.js"));
+var version_js_1 = require("./version.js");
+Object.defineProperty(exports, "version", { enumerable: true, get: function () { return version_js_1.version; } });
+Object.defineProperty(exports, "clientType", { enumerable: true, get: function () { return version_js_1.clientType; } });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSxpREFTNEI7QUFDNUIsd0RBQXlEO0FBQ3pELDZDQUFxRTtBQUNyRSwyQ0FBK0M7QUFFL0MsMkNBQWlEO0FBQ2pELDBDQUF3RDtBQUEvQywrR0FBQSxxQkFBcUIsT0FBQTtBQU85Qix5QkFBeUI7QUFDekIsTUFBTSxjQUFjLEdBQW1CO0lBQ3JDLFlBQVksRUFBRSxLQUFLO0NBQ3BCLENBQUM7QUFFRjs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0dBMkJHO0FBQ0gsTUFBYSxhQUFjLFNBQVEsaUJBQU07SUFDdkM7Ozs7OztPQU1HO0lBQ0gsS0FBSyxDQUFDLE9BQU8sQ0FBQyxVQUE2QztRQUN6RCxtQkFBbUI7UUFDbkIsTUFBTSxPQUFPLEdBQUcsa0JBQU8sQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLENBQUM7UUFFekMsTUFBTSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7UUFFNUIsMERBQTBEO1FBQzFELE1BQU0sT0FBTyxHQUFHLE9BQU8sQ0FBQztRQUN4QixNQUFNLE1BQU0sR0FBRyxPQUFPLENBQUMsTUFBTSxDQUFDLGVBQWUsRUFBRSxDQUFDO1FBRWhELDhCQUE4QjtRQUM5QixNQUFNLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQy9CLE9BQU8sQ0FBQyxNQUFNLENBQUMsUUFBUSxFQUFFLEVBQ3pCLE1BQU0sRUFDTixPQUFPLENBQUMsTUFBTSxDQUFDLGtCQUFrQixFQUNqQyxPQUFPLENBQ1IsQ0FBQztRQUVGLElBQUksQ0FBQyxJQUFJLEVBQUU7WUFDVCxNQUFNLElBQUksS0FBSyxDQUFDLDhCQUE4QixDQUFDLENBQUM7U0FDakQ7UUFDRCx5QkFBeUI7UUFDekIsT0FBTyxJQUFBLGtCQUFPLEVBQUMsSUFBSSxFQUFFLE9BQU8sQ0FBQyxDQUFDO0lBQ2hDLENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSCxLQUFLLENBQUMsZ0JBQWdCLENBQUMsVUFBNkM7UUFDbEUsbUJBQW1CO1FBQ25CLE1BQU0sT0FBTyxHQUFHLGtCQUFPLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxTQUFTLEVBQUUsSUFBSSxDQUFDLENBQUM7UUFFMUQsTUFBTSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7UUFFNUIsTUFBTSxhQUFhLEdBQUcsT0FBTyxDQUFDO1FBQzlCLDhCQUE4QjtRQUM5QixNQUFNLEdBQUcsR0FBRyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQzlCLE9BQU8sQ0FBQyxNQUFNLENBQUMsUUFBUSxFQUFFLEVBQ3pCLE9BQU8sQ0FBQyxNQUFNLENBQUMsZUFBZSxFQUFFLEVBQ2hDLE9BQU8sQ0FBQyxNQUFNLENBQUMsa0JBQWtCLEVBQ2pDLGFBQWEsQ0FDZCxDQUFDO1FBRUYsSUFBSSxDQUFDLEdBQUcsRUFBRTtZQUNSLE1BQU0sSUFBSSxLQUFLLENBQUMseUJBQXlCLENBQUMsQ0FBQztTQUM1QztRQUNELHlCQUF5QjtRQUN6QixPQUFPLElBQUEsa0JBQU8sRUFBQyxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7SUFDL0IsQ0FBQztJQUVEOzs7Ozs7O09BT0c7SUFDSCxLQUFLLENBQUMsT0FBTyxDQUNYLElBQXVDLEVBQ3ZDLE9BQXdCO1FBRXhCLDBEQUEwRDtRQUMxRCxNQUFNLGdCQUFnQixHQUFHLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDO1FBQ3JELE1BQU0sb0JBQW9CLEdBQUcsSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUVyQyxJQUFJLE9BQU8sb0JBQW9CLEtBQUssUUFBUSxFQUFFO1lBQzVDLE1BQU0sSUFBSSw4QkFBa0IsQ0FDMUIsMkVBQTJFLENBQzVFLENBQUM7U0FDSDtRQUNELE9BQU8sSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUVmLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFO1lBQ25CLElBQUksQ0FBQyxTQUFTLEdBQUcsTUFBTSxJQUFBLDRCQUFnQixFQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FBQztTQUN0RDtRQUVELDhCQUE4QjtRQUM5QixNQUFNLE1BQU0sR0FBRyxJQUFJLGlCQUFNLEVBQUUsQ0FBQztRQUU1Qix1QkFBdUI7UUFDdkIsS0FBSyxNQUFNLGFBQWEsSUFBSSxJQUFJLENBQUMsY0FBYyxFQUFFO1lBQy9DLE1BQU0sU0FBUyxHQUFHLE1BQU0sSUFBQSwwQkFBZSxFQUFDLGFBQWEsRUFBRSxJQUFJLENBQUMsU0FBUyxFQUFFLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUNwRixNQUFNLENBQUMsWUFBWSxDQUFDLFNBQVMsQ0FBQyxDQUFDO1NBQ2hDO1FBRUQsSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLE1BQU0sSUFBSSxDQUFDLElBQUksSUFBSSxDQUFDLGNBQWMsQ0FBQyxNQUFNLElBQUksQ0FBQyxFQUFFO1lBQy9ELE9BQU8sQ0FBQyxJQUFJLENBQ1YscUpBQXFKLENBQ3RKLENBQUM7U0FDSDtRQUVELHNCQUFzQjtRQUN0QixNQUFNLGlCQUFpQixHQUFHLE1BQU0sQ0FBQyxNQUFNLEVBQUUsQ0FBQztRQUUxQyxrRUFBa0U7UUFDbEUsOEJBQThCO1FBQzlCLE1BQU0sY0FBYyxHQUFHLElBQUksV0FBVyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzFDLGNBQWMsQ0FBQyxDQUFDLENBQUMsR0FBRyxvQkFBb0IsQ0FBQztRQUV6QyxNQUFNLGNBQWMsR0FBRyxJQUFJLFVBQVUsQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLENBQUM7UUFFN0Qsc0RBQXNEO1FBQ3RELE1BQU0sU0FBUyxHQUFHLElBQUksVUFBVSxDQUFDLEVBQUUsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUM3QyxTQUFTLENBQUMsQ0FBQyxDQUFDLEdBQUcsY0FBYyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ2pDLFNBQVMsQ0FBQyxFQUFFLENBQUMsR0FBRyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDbEMsU0FBUyxDQUFDLEVBQUUsQ0FBQyxHQUFHLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUVsQyxNQUFNLGFBQWEsR0FBbUIsRUFBRSxHQUFHLGNBQWMsRUFBRSxHQUFHLE9BQU8sRUFBRSxDQUFDO1FBQ3hFLE9BQU8sSUFBQSxrQkFBTyxFQUNaLGlCQUFpQixFQUNqQixJQUFJLENBQUMsU0FBUyxFQUNkLGdCQUFnQixFQUNoQixTQUFTLEVBQ1QsSUFBSSxFQUNKLGFBQWEsQ0FBQyxZQUFZLENBQzNCLENBQUM7SUFDSixDQUFDO0NBQ0Y7QUFsSUQsc0NBa0lDO0FBTUQ7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztHQXdCRztBQUNILE1BQWEsb0JBQXFCLFNBQVEsaUJBQU07SUFhOUM7Ozs7Ozs7Ozs7O09BV0c7SUFDSCxZQUFZLElBQW1CO1FBQzdCLElBQ0UsSUFBSSxDQUFDLGdCQUFnQjtZQUNyQixJQUFJLENBQUMsZ0JBQWdCLEdBQUcsb0JBQW9CLENBQUMsdUJBQXVCLEVBQ3BFO1lBQ0EsTUFBTSxJQUFJLDhCQUFrQixDQUMxQix3Q0FBd0Msb0JBQW9CLENBQUMsdUJBQXVCLEdBQUcsQ0FDeEYsQ0FBQztTQUNIO1FBQ0QsS0FBSyxDQUFDLElBQUksQ0FBQyxDQUFDO1FBRVosSUFBSSxDQUFDLGVBQWUsR0FBRyxJQUFJLENBQUMsZ0JBQWdCLElBQUksb0JBQW9CLENBQUMsdUJBQXVCLENBQUM7UUFDN0YsSUFBSSxDQUFDLGlCQUFpQixHQUFHLENBQUMsQ0FBQztJQUM3QixDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0gsS0FBSyxDQUFDLE9BQU8sQ0FDWCxJQUF1QyxFQUN2QyxPQUF3QjtRQUV4QixpQkFBaUI7UUFDakIsSUFBSSxJQUFJLENBQUMsaUJBQWlCLElBQUksQ0FBQyxFQUFFO1lBQy9CLE1BQU0sYUFBYSxHQUFtQixFQUFFLEdBQUcsY0FBYyxFQUFFLEdBQUcsT0FBTyxFQUFFLENBQUM7WUFDeEUsSUFBSSxDQUFDLFlBQVksR0FBRyxhQUFhLENBQUMsWUFBWSxDQUFDO1lBQy9DLDBEQUEwRDtZQUMxRCxNQUFNLGdCQUFnQixHQUFHLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDO1lBRXJELElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFO2dCQUNuQixJQUFJLENBQUMsU0FBUyxHQUFHLE1BQU0sSUFBQSw0QkFBZ0IsRUFBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUM7YUFDdEQ7WUFFRCw4QkFBOEI7WUFDOUIsTUFBTSxNQUFNLEdBQUcsSUFBSSxpQkFBTSxFQUFFLENBQUM7WUFFNUIsdUJBQXVCO1lBQ3ZCLEtBQUssTUFBTSxhQUFhLElBQUksSUFBSSxDQUFDLGNBQWMsRUFBRTtnQkFDL0MsTUFBTSxTQUFTLEdBQUcsTUFBTSxJQUFBLDBCQUFlLEVBQUMsYUFBYSxFQUFFLElBQUksQ0FBQyxTQUFTLEVBQUUsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUFDO2dCQUNwRixNQUFNLENBQUMsWUFBWSxDQUFDLFNBQVMsQ0FBQyxDQUFDO2FBQ2hDO1lBRUQsSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLE1BQU0sSUFBSSxDQUFDLElBQUksSUFBSSxDQUFDLGNBQWMsQ0FBQyxNQUFNLElBQUksQ0FBQyxFQUFFO2dCQUMvRCxPQUFPLENBQUMsSUFBSSxDQUNWLHFKQUFxSixDQUN0SixDQUFDO2FBQ0g7WUFFRCxzQkFBc0I7WUFDdEIsTUFBTSxpQkFBaUIsR0FBRyxNQUFNLENBQUMsTUFBTSxFQUFFLENBQUM7WUFFMUMsTUFBTSxRQUFRLEdBQUcsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBRW5DLDRCQUE0QjtZQUM1QixJQUFJLENBQUMsWUFBWSxHQUFHLE1BQU0sSUFBQSx1QkFBWSxFQUNwQyxnQkFBZ0IsQ0FBQyxVQUFVLEVBQzNCLE1BQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyxHQUFHLEVBQ3hCLE1BQU0sSUFBQSxzQkFBVyxFQUFDLHdCQUFhLENBQUMsa0JBQWtCLENBQUMsQ0FDcEQsQ0FBQztZQUVGLE1BQU0sYUFBYSxHQUFHLE1BQU0sSUFBQSxrQkFBTyxFQUNqQyxpQkFBaUIsRUFDakIsSUFBSSxDQUFDLFNBQVMsRUFDZCxnQkFBZ0IsRUFDaEIsUUFBUSxFQUNSLElBQUksRUFDSixJQUFJLENBQUMsWUFBWSxDQUNsQixDQUFDO1lBRUYsbURBQW1EO1lBQ25ELElBQUksQ0FBQyxJQUFJLENBQUMsWUFBWSxFQUFFO2dCQUN0QixNQUFNLE9BQU8sR0FBRyxrQkFBTyxDQUFDLElBQUksQ0FBQyxhQUFhLENBQUMsQ0FBQztnQkFDNUMsSUFBSSxDQUFDLFlBQVksR0FBRyxPQUFPLENBQUMsTUFBTSxDQUFDO2FBQ3BDO1lBRUQsSUFBSSxDQUFDLGlCQUFpQixJQUFJLENBQUMsQ0FBQztZQUU1QixPQUFPLGFBQWEsQ0FBQztTQUN0QjtRQUVELElBQUksQ0FBQyxpQkFBaUIsSUFBSSxDQUFDLENBQUM7UUFFNUIsSUFBSSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUU7WUFDdEIsTUFBTSxJQUFJLDhCQUFrQixDQUFDLDhDQUE4QyxDQUFDLENBQUM7U0FDOUU7UUFDRCxJQUFJLENBQUMsSUFBSSxDQUFDLFlBQVksRUFBRTtZQUN0QixNQUFNLElBQUksOEJBQWtCLENBQUMsbUNBQW1DLENBQUMsQ0FBQztTQUNuRTtRQUVELElBQUksQ0FBQyxpQkFBaUIsSUFBSSxDQUFDLENBQUM7UUFDNUIsSUFBSSxJQUFJLENBQUMsaUJBQWlCLElBQUksSUFBSSxDQUFDLGVBQWUsRUFBRTtZQUNsRCwwQkFBMEI7WUFDMUIsSUFBSSxDQUFDLGlCQUFpQixHQUFHLENBQUMsQ0FBQztTQUM1QjtRQUVELE1BQU0sUUFBUSxHQUFHLElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztRQUVuQyxPQUFPLElBQUEseUJBQWMsRUFBQyxJQUFJLENBQUMsWUFBWSxFQUFFLElBQUksQ0FBQyxZQUFZLEVBQUUsUUFBUSxFQUFFLElBQUksQ0FBQyxDQUFDO0lBQzlFLENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSCxLQUFLLENBQUMsT0FBTyxDQUFDLFVBQTZDO1FBQ3pELG1CQUFtQjtRQUNuQixNQUFNLE9BQU8sR0FBRyxrQkFBTyxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsQ0FBQztRQUV6QyxJQUFJLENBQUMsSUFBSSxDQUFDLGtCQUFrQixFQUFFO1lBQzVCLGdCQUFnQjtZQUNoQixPQUFPLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFPLENBQUMsQ0FBQztTQUN2QztRQUVELGlCQUFpQjtRQUNqQixJQUFJLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLEVBQUUsSUFBSSxPQUFPLENBQUMsTUFBTSxDQUFDLGtCQUFrQixDQUFDLFFBQVEsRUFBRSxFQUFFO1lBQ3RGLE1BQU0sSUFBSSxHQUFHLElBQUksQ0FBQyxZQUFZLENBQUM7WUFDL0IsSUFBSSxDQUFDLElBQUksRUFBRTtnQkFDVCxvQ0FBb0M7Z0JBQ3BDLE1BQU0sSUFBSSxLQUFLLENBQUMsOEJBQThCLENBQUMsQ0FBQzthQUNqRDtZQUNELHlCQUF5QjtZQUN6QixPQUFPLElBQUEsa0JBQU8sRUFBQyxJQUFJLEVBQUUsT0FBTyxDQUFDLENBQUM7U0FDL0I7YUFBTTtZQUNMLE9BQU8sSUFBSSxDQUFDLGdCQUFnQixDQUFDLE9BQU8sQ0FBQyxDQUFDO1NBQ3ZDO0lBQ0gsQ0FBQztJQUVELEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFnQjtRQUNyQywwREFBMEQ7UUFDMUQsTUFBTSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7UUFFNUIsTUFBTSxPQUFPLEdBQUcsT0FBTyxDQUFDO1FBQ3hCLDhCQUE4QjtRQUM5QixNQUFNLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQy9CLE9BQU8sQ0FBQyxNQUFNLENBQUMsUUFBUSxFQUFFLEVBQ3pCLE9BQU8sQ0FBQyxNQUFNLENBQUMsZUFBZSxFQUFFLEVBQ2hDLE9BQU8sQ0FBQyxNQUFNLENBQUMsa0JBQWtCLEVBQ2pDLE9BQU8sQ0FDUixDQUFDO1FBQ0YsSUFBSSxDQUFDLElBQUksRUFBRTtZQUNULG9DQUFvQztZQUNwQyxNQUFNLElBQUksS0FBSyxDQUFDLDhCQUE4QixDQUFDLENBQUM7U0FDakQ7UUFFRCxJQUFJLENBQUMsa0JBQWtCLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxrQkFBa0IsQ0FBQztRQUM1RCxJQUFJLENBQUMsWUFBWSxHQUFHLElBQUksQ0FBQztRQUV6Qix5QkFBeUI7UUFDekIsT0FBTyxJQUFBLGtCQUFPLEVBQUMsSUFBSSxFQUFFLE9BQU8sQ0FBQyxDQUFDO0lBQ2hDLENBQUM7SUFFRCxVQUFVO1FBQ1IsTUFBTSxFQUFFLEdBQUcsSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUNuQixJQUFJLEVBQUUsS0FBSyxTQUFTLEVBQUU7WUFDcEIseURBQXlEO1lBQ3pELE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyxjQUFjLENBQUMsQ0FBQztTQUM5QztRQUNELDRCQUE0QjtRQUM1QixJQUFJLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxFQUFFLENBQUMsSUFBSSxFQUFFLElBQUksQ0FBQyxJQUFJLFFBQVMsR0FBRyxFQUFFLEVBQUU7WUFDdEQscUVBQXFFO1lBQ3JFLHVFQUF1RTtZQUN2RSw0Q0FBNEM7WUFDNUMsTUFBTSxJQUFJLEtBQUssQ0FBQyx5QkFBeUIsQ0FBQyxDQUFDO1NBQzVDO1FBRUQsTUFBTSxjQUFjLEdBQUcsSUFBSSxXQUFXLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDMUMsY0FBYyxDQUFDLENBQUMsQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUV2QixNQUFNLGNBQWMsR0FBRyxJQUFJLFVBQVUsQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLENBQUM7UUFFN0Qsc0RBQXNEO1FBQ3RELE1BQU0sUUFBUSxHQUFHLElBQUksVUFBVSxDQUFDLGlCQUFNLENBQUMsT0FBTyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ3hELFFBQVEsQ0FBQyxDQUFDLENBQUMsR0FBRyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDaEMsUUFBUSxDQUFDLEVBQUUsQ0FBQyxHQUFHLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNqQyxRQUFRLENBQUMsRUFBRSxDQUFDLEdBQUcsY0FBYyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBRWpDLG1CQUFtQjtRQUNuQixJQUFJLEVBQUUsSUFBSSxRQUFTLEVBQUU7WUFDbkIsT0FBTyxJQUFJLENBQUMsRUFBRSxDQUFDO1NBQ2hCO2FBQU07WUFDTCxJQUFJLENBQUMsRUFBRSxHQUFHLEVBQUUsR0FBRyxDQUFDLENBQUM7U0FDbEI7UUFFRCxPQUFPLFFBQVEsQ0FBQztJQUNsQixDQUFDOztBQXhOSCxvREF5TkM7QUF4TkMsc0VBQXNFO0FBQ3RFLG9FQUFvRTtBQUNwRCw0Q0FBdUIsR0FBRyxPQUFPLENBQUM7QUF3TnBEOzs7R0FHRztBQUNILHFFQUFxRDtBQUNyRCwyQ0FBbUQ7QUFBMUMscUdBQUEsT0FBTyxPQUFBO0FBQUUsd0dBQUEsVUFBVSxPQUFBIn0=