@opentdf/sdk 0.1.0-beta.1701

package/dist/web/tdf3/src/client/index.js

@@ -0,0 +1,423 @@
+import { v4 } from 'uuid';
+import axios from 'axios';
+import { ZipReader, fromBuffer, fromDataSource, streamToBuffer, isAppIdProviderCheck, keyMiddleware as defaultKeyMiddleware, } from '../utils/index.js';
+import { base64 } from '../../../src/encodings/index.js';
+import { buildKeyAccess, fetchKasPublicKey, loadTDFStream, unwrapHtml, validatePolicyObject, readStream, wrapHtml, writeStream, } from '../tdf.js';
+import { OIDCRefreshTokenProvider } from '../../../src/auth/oidc-refreshtoken-provider.js';
+import { OIDCExternalJwtProvider } from '../../../src/auth/oidc-externaljwt-provider.js';
+import { AppIdAuthProvider, HttpRequest, withHeaders, } from '../../../src/auth/auth.js';
+import EAS from '../../../src/auth/Eas.js';
+import { cryptoPublicToPem, pemToCryptoPublicKey, rstrip, validateSecureUrl, } from '../../../src/utils.js';
+import { DecoratedReadableStream } from './DecoratedReadableStream.js';
+import { DEFAULT_SEGMENT_SIZE, DecryptParamsBuilder, EncryptParamsBuilder, } from './builders.js';
+import { OriginAllowList } from '../../../src/access.js';
+import { ConfigurationError } from '../../../src/errors.js';
+import { AesGcmCipher } from '../ciphers/aes-gcm-cipher.js';
+import { toCryptoKeyPair } from '../crypto/crypto-utils.js';
+import * as defaultCryptoService from '../crypto/index.js';
+import { AttributeSet, SplitKey } from '../models/index.js';
+import { plan } from '../../../src/policy/granter.js';
+import { attributeFQNsAsValues } from '../../../src/policy/api.js';
+const GLOBAL_BYTE_LIMIT = 64 * 1000 * 1000 * 1000; // 64 GB, see WS-9363.
+const HTML_BYTE_LIMIT = 100 * 1000 * 1000; // 100 MB, see WS-9476.
+// No default config for now. Delegate to Virtru wrapper for endpoints.
+const defaultClientConfig = { oidcOrigin: '', cryptoService: defaultCryptoService };
+export const uploadBinaryToS3 = async function (stream, uploadUrl, fileSize) {
+    try {
+        const body = await streamToBuffer(stream);
+        await axios.put(uploadUrl, body, {
+            headers: {
+                'Content-Length': fileSize,
+                'content-type': 'application/zip',
+                'cache-control': 'no-store',
+            },
+            maxContentLength: Infinity,
+            maxBodyLength: Infinity,
+        });
+    }
+    catch (e) {
+        console.error(e);
+        throw e;
+    }
+};
+const getFirstTwoBytes = async (chunker) => new TextDecoder().decode(await chunker(0, 2));
+const makeChunkable = async (source) => {
+    if (!source) {
+        throw new ConfigurationError('invalid source');
+    }
+    // dump stream to buffer
+    // we don't support streams anyways (see zipreader.js)
+    let initialChunker;
+    let buf = null;
+    switch (source.type) {
+        case 'stream':
+            buf = await streamToBuffer(source.location);
+            initialChunker = fromBuffer(buf);
+            break;
+        case 'buffer':
+            buf = source.location;
+            initialChunker = fromBuffer(buf);
+            break;
+        case 'chunker':
+            initialChunker = source.location;
+            break;
+        default:
+            initialChunker = await fromDataSource(source);
+    }
+    const magic = await getFirstTwoBytes(initialChunker);
+    // Pull first two bytes from source.
+    if (magic === 'PK') {
+        return initialChunker;
+    }
+    // Unwrap if it's html.
+    // If NOT zip (html), convert/dump to buffer, unwrap, and continue.
+    const htmlBuf = buf ?? (await initialChunker());
+    const zipBuf = unwrapHtml(htmlBuf);
+    return fromBuffer(zipBuf);
+};
+/*
+ * Extract a keypair provided as part of the options dict.
+ * Default to using the clientwide keypair, generating one if necessary.
+ *
+ * Additionally, update the auth injector with the (potentially new) pubkey
+ */
+export async function createSessionKeys({ authProvider, 
+// FIXME use cryptoservice to generate keys again
+cryptoService, dpopKeys, }) {
+    let signingKeys;
+    if (dpopKeys) {
+        signingKeys = await dpopKeys;
+    }
+    else {
+        const keys = await cryptoService.generateSigningKeyPair();
+        // signingKeys = await crypto.subtle.generateKey(rsaPkcs1Sha256(), true, ['sign']);
+        signingKeys = await toCryptoKeyPair(keys);
+    }
+    // This will contact the auth server and forcibly refresh the auth token claims,
+    // binding the token and the (new) pubkey together.
+    // Note that we base64 encode the PEM string here as a quick workaround, simply because
+    // a formatted raw PEM string isn't a valid header value and sending it raw makes keycloak's
+    // header parser barf. There are more subtle ways to solve this, but this works for now.
+    if (authProvider && !isAppIdProviderCheck(authProvider)) {
+        await authProvider?.updateClientPublicKey(signingKeys);
+    }
+    return signingKeys;
+}
+/*
+ * Create a policy object for an encrypt operation.
+ */
+function asPolicy(scope) {
+    if (scope.policyObject) {
+        // use the client override if provided
+        return scope.policyObject;
+    }
+    const policyId = scope.policyId ?? v4();
+    let dataAttributes;
+    if (scope.attributeValues) {
+        dataAttributes = scope.attributeValues
+            .filter(({ fqn }) => !!fqn)
+            .map(({ fqn }) => {
+            return { attribute: fqn };
+        });
+    }
+    else {
+        dataAttributes = (scope.attributes ?? []).map((attribute) => typeof attribute === 'string' ? { attribute } : attribute);
+    }
+    return {
+        uuid: policyId,
+        body: {
+            dataAttributes,
+            dissem: scope.dissem ?? [],
+        },
+    };
+}
+export class Client {
+    /**
+     * An abstraction for protecting and accessing data using TDF3 services.
+     * @param {Object} [config.keypair] - keypair generated for signing. Optional, will be generated by sdk if not passed
+     * @param {String} [config.clientId]
+     * @param {String} [config.kasEndpoint] - Key Access Server url
+     * @param {String} [config.refreshToken] - After logging in to browser OIDC interface user
+     * receives fresh token that needed by SDK for auth needs
+     * @param {String} [config.externalJwt] - JWT from external authority (eg Google)
+     * @param {String} [config.oidcOrigin] - Endpoint of authentication service
+     */
+    constructor(config) {
+        this.kasKeys = {};
+        const clientConfig = { ...defaultClientConfig, ...config };
+        this.cryptoService = clientConfig.cryptoService;
+        this.dpopEnabled = !!(clientConfig.dpopEnabled || clientConfig.dpopKeys);
+        clientConfig.readerUrl && (this.readerUrl = clientConfig.readerUrl);
+        if (clientConfig.kasEndpoint) {
+            this.kasEndpoint = clientConfig.kasEndpoint;
+        }
+        else {
+            // handle Deprecated `kasRewrapEndpoint` parameter
+            if (!clientConfig.keyRewrapEndpoint) {
+                throw new ConfigurationError('KAS definition not found');
+            }
+            this.kasEndpoint = clientConfig.keyRewrapEndpoint.replace(/\/rewrap$/, '');
+        }
+        this.kasEndpoint = rstrip(this.kasEndpoint, '/');
+        if (clientConfig.policyEndpoint) {
+            this.policyEndpoint = rstrip(clientConfig.policyEndpoint, '/');
+        }
+        else if (this.kasEndpoint.endsWith('/kas')) {
+            this.policyEndpoint = this.kasEndpoint.slice(0, -4);
+        }
+        const kasOrigin = new URL(this.kasEndpoint).origin;
+        if (clientConfig.allowedKases) {
+            this.allowedKases = new OriginAllowList(clientConfig.allowedKases, !!clientConfig.ignoreAllowList);
+            if (!validateSecureUrl(this.kasEndpoint) && !this.allowedKases.allows(kasOrigin)) {
+                throw new ConfigurationError(`Invalid KAS endpoint [${this.kasEndpoint}]`);
+            }
+        }
+        else {
+            if (!validateSecureUrl(this.kasEndpoint)) {
+                throw new ConfigurationError(`Invalid KAS endpoint [${this.kasEndpoint}]; to force, please list it among allowedKases`);
+            }
+            this.allowedKases = new OriginAllowList([kasOrigin], !!clientConfig.ignoreAllowList);
+        }
+        this.authProvider = config.authProvider;
+        this.clientConfig = clientConfig;
+        if (this.authProvider && isAppIdProviderCheck(this.authProvider)) {
+            this.eas = new EAS({
+                authProvider: this.authProvider,
+                endpoint: clientConfig.entityObjectEndpoint ?? `${clientConfig.easEndpoint}/api/entityobject`,
+            });
+        }
+        this.clientId = clientConfig.clientId;
+        if (!this.authProvider) {
+            if (!clientConfig.clientId) {
+                throw new ConfigurationError('Client ID or custom AuthProvider must be defined');
+            }
+            //Are we exchanging a refreshToken for a bearer token (normal AuthCode browser auth flow)?
+            //If this is a browser context, we expect the caller to handle the initial
+            //browser-based OIDC login and authentication process against the OIDC endpoint using their chosen method,
+            //and provide us with a valid refresh token/clientId obtained from that process.
+            if (clientConfig.refreshToken) {
+                this.authProvider = new OIDCRefreshTokenProvider({
+                    clientId: clientConfig.clientId,
+                    refreshToken: clientConfig.refreshToken,
+                    oidcOrigin: clientConfig.oidcOrigin,
+                });
+            }
+            else if (clientConfig.externalJwt) {
+                //Are we exchanging a JWT previously issued by a trusted external entity (e.g. Google) for a bearer token?
+                this.authProvider = new OIDCExternalJwtProvider({
+                    clientId: clientConfig.clientId,
+                    externalJwt: clientConfig.externalJwt,
+                    oidcOrigin: clientConfig.oidcOrigin,
+                });
+            }
+        }
+        this.dpopKeys = createSessionKeys({
+            authProvider: this.authProvider,
+            cryptoService: this.cryptoService,
+            dpopKeys: clientConfig.dpopKeys,
+        });
+        if (clientConfig.kasPublicKey) {
+            this.kasKeys[this.kasEndpoint] = Promise.resolve({
+                url: this.kasEndpoint,
+                algorithm: 'rsa:2048',
+                key: pemToCryptoPublicKey(clientConfig.kasPublicKey),
+                publicKey: clientConfig.kasPublicKey,
+            });
+        }
+    }
+    /**
+     * Encrypt plaintext into TDF ciphertext. One of the core operations of the Virtru SDK.
+     *
+     * @param scope dissem and attributes for constructing the policy
+     * @param source source object of unencrypted data
+     * @param [asHtml] If we should wrap the TDF data in a self-opening HTML wrapper. Defaults to false
+     * @param [autoconfigure] If we should use scope.attributes to configure KAOs
+     * @param [metadata] Additional non-secret data to store with the TDF
+     * @param [opts] Test only
+     * @param [mimeType] mime type of source. defaults to `unknown`
+     * @param [offline] Where to store the policy. Defaults to `false` - which results in `upsert` events to store/update a policy
+     * @param [windowSize] - segment size in bytes. Defaults to a a million bytes.
+     * @param [keyMiddleware] - function that handle keys
+     * @param [streamMiddleware] - function that handle stream
+     * @param [eo] - (deprecated) entity object
+     * @return a {@link https://nodejs.org/api/stream.html#stream_class_stream_readable|Readable} a new stream containing the TDF ciphertext
+     */
+    async encrypt({ scope = { attributes: [], dissem: [] }, autoconfigure, source, asHtml = false, metadata, mimeType, offline = false, windowSize = DEFAULT_SEGMENT_SIZE, eo, keyMiddleware = defaultKeyMiddleware, streamMiddleware = async (stream) => stream, splitPlan, assertionConfigs = [], }) {
+        const dpopKeys = await this.dpopKeys;
+        const policyObject = asPolicy(scope);
+        validatePolicyObject(policyObject);
+        if (!splitPlan && autoconfigure) {
+            let avs = scope.attributeValues ?? [];
+            const fqns = scope.attributes
+                ? scope.attributes.map((attribute) => typeof attribute === 'string' ? attribute : attribute.attribute)
+                : [];
+            if (!avs.length && fqns.length) {
+                // Hydrate avs from policy endpoint givnen the fqns
+                if (!this.policyEndpoint) {
+                    throw new ConfigurationError('policyEndpoint not set in TDF3 Client constructor');
+                }
+                avs = await attributeFQNsAsValues(this.policyEndpoint, this.authProvider, ...fqns);
+            }
+            else if (scope.attributeValues) {
+                avs = scope.attributeValues;
+                if (!scope.attributes) {
+                    scope.attributes = avs.map(({ fqn }) => fqn);
+                }
+            }
+            if (avs.length != scope.attributes?.length ||
+                !avs.map(({ fqn }) => fqn).every((a) => fqns.indexOf(a) >= 0)) {
+                throw new ConfigurationError(`Attribute mismatch between [${fqns}] and explicit values ${JSON.stringify(avs.map(({ fqn }) => fqn))}`);
+            }
+            const detailedPlan = plan(avs);
+            splitPlan = detailedPlan.map((kat) => {
+                const { kas, sid } = kat;
+                if (kas?.publicKey?.cached?.keys && !(kas.uri in this.kasKeys)) {
+                    const keys = kas.publicKey.cached.keys.filter(({ alg }) => alg == 'KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048');
+                    if (keys?.length) {
+                        const key = keys[0];
+                        this.kasKeys[kas.uri] = Promise.resolve({
+                            key: pemToCryptoPublicKey(key.pem),
+                            publicKey: key.pem,
+                            url: kas.uri,
+                            algorithm: 'rsa:2048',
+                            kid: key.kid,
+                        });
+                    }
+                }
+                return { kas: kas.uri, sid };
+            });
+        }
+        // TODO: Refactor underlying builder to remove some of this unnecessary config.
+        const byteLimit = asHtml ? HTML_BYTE_LIMIT : GLOBAL_BYTE_LIMIT;
+        const encryptionInformation = new SplitKey(new AesGcmCipher(this.cryptoService));
+        let attributeSet;
+        let entity;
+        if (eo) {
+            entity = eo;
+            const s = new AttributeSet();
+            eo.attributes.forEach((attr) => s.addJwtAttribute(attr));
+            attributeSet = s;
+        }
+        const splits = splitPlan?.length ? splitPlan : [{ kas: this.kasEndpoint }];
+        encryptionInformation.keyAccess = await Promise.all(splits.map(async ({ kas, sid }) => {
+            if (!(kas in this.kasKeys)) {
+                this.kasKeys[kas] = fetchKasPublicKey(kas);
+            }
+            const kasPublicKey = await this.kasKeys[kas];
+            return buildKeyAccess({
+                attributeSet,
+                type: offline ? 'wrapped' : 'remote',
+                url: kasPublicKey.url,
+                kid: kasPublicKey.kid,
+                publicKey: kasPublicKey.publicKey,
+                metadata,
+                sid,
+            });
+        }));
+        const { keyForEncryption, keyForManifest } = await keyMiddleware();
+        const ecfg = {
+            allowList: this.allowedKases,
+            attributeSet,
+            byteLimit,
+            cryptoService: this.cryptoService,
+            dpopKeys,
+            encryptionInformation,
+            entity,
+            segmentSizeDefault: windowSize,
+            integrityAlgorithm: 'HS256',
+            segmentIntegrityAlgorithm: 'GMAC',
+            contentStream: source,
+            mimeType,
+            policy: policyObject,
+            authProvider: this.authProvider,
+            progressHandler: this.clientConfig.progressHandler,
+            keyForEncryption,
+            keyForManifest,
+            assertionConfigs,
+        };
+        const stream = await streamMiddleware(await writeStream(ecfg));
+        if (!asHtml) {
+            return stream;
+        }
+        // Wrap if it's html.
+        if (!stream.manifest) {
+            throw new Error('internal: missing manifest in encrypt function');
+        }
+        const htmlBuf = wrapHtml(await stream.toBuffer(), stream.manifest, this.readerUrl ?? '');
+        return new DecoratedReadableStream({
+            pull(controller) {
+                controller.enqueue(htmlBuf);
+                controller.close();
+            },
+        });
+    }
+    /**
+     * Decrypt TDF ciphertext into plaintext. One of the core operations of the Virtru SDK.
+     *
+     * @param params keyMiddleware fucntion to process key
+     * @param params streamMiddleware fucntion to process streamMiddleware
+     * @param params.source A data stream object, one of remote, stream, buffer, etc. types.
+     * @param params.eo Optional entity object (legacy AuthZ)
+     * @param params.assertionVerificationKeys Optional verification keys for assertions.
+     * @return a {@link https://nodejs.org/api/stream.html#stream_class_stream_readable|Readable} stream containing the decrypted plaintext.
+     * @see DecryptParamsBuilder
+     */
+    async decrypt({ eo, source, keyMiddleware = async (key) => key, streamMiddleware = async (stream) => stream, assertionVerificationKeys, noVerifyAssertions, }) {
+        const dpopKeys = await this.dpopKeys;
+        let entityObject;
+        if (this.eas || eo) {
+            const sessionPublicKey = await cryptoPublicToPem(dpopKeys.publicKey);
+            if (eo && eo.publicKey == sessionPublicKey) {
+                entityObject = eo;
+            }
+            else if (this.eas) {
+                entityObject = await this.eas.fetchEntityObject({
+                    publicKey: sessionPublicKey,
+                });
+            }
+        }
+        if (!this.authProvider) {
+            throw new ConfigurationError('AuthProvider missing');
+        }
+        const chunker = await makeChunkable(source);
+        // Await in order to catch any errors from this call.
+        // TODO: Write error event to stream and don't await.
+        return await streamMiddleware(await readStream({
+            allowList: this.allowedKases,
+            authProvider: this.authProvider,
+            chunker,
+            cryptoService: this.cryptoService,
+            dpopKeys,
+            entity: entityObject,
+            fileStreamServiceWorker: this.clientConfig.fileStreamServiceWorker,
+            keyMiddleware,
+            progressHandler: this.clientConfig.progressHandler,
+            assertionVerificationKeys,
+            noVerifyAssertions,
+        }));
+    }
+    /**
+     * Get the unique policyId associated with TDF ciphertext. Useful for managing authorization policies of encrypted data.
+     * <br/><br/>
+     * The policyId is embedded in the ciphertext so this is a local operation.
+     *
+     * @param {object} source - Required. TDF data stream,
+     * generated using {@link DecryptParamsBuilder#build|DecryptParamsBuilder's build()}.
+     * @return {string} - the unique policyId, which can be used for tracking purposes or policy management operations.
+     * @see DecryptParamsBuilder
+     */
+    async getPolicyId({ source }) {
+        const chunker = await makeChunkable(source);
+        const zipHelper = new ZipReader(chunker);
+        const centralDirectory = await zipHelper.getCentralDirectory();
+        const manifest = await zipHelper.getManifest(centralDirectory, '0.manifest.json');
+        const policyJson = base64.decode(manifest.encryptionInformation.policy);
+        return JSON.parse(policyJson).uuid;
+    }
+    async loadTDFStream({ source }) {
+        const chunker = await makeChunkable(source);
+        return loadTDFStream(chunker);
+    }
+}
+export { AppIdAuthProvider, DecryptParamsBuilder, EncryptParamsBuilder, HttpRequest, fromDataSource, withHeaders, };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi8uLi90ZGYzL3NyYy9jbGllbnQvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLEVBQUUsRUFBRSxNQUFNLE1BQU0sQ0FBQztBQUMxQixPQUFPLEtBQUssTUFBTSxPQUFPLENBQUM7QUFDMUIsT0FBTyxFQUNMLFNBQVMsRUFDVCxVQUFVLEVBQ1YsY0FBYyxFQUNkLGNBQWMsRUFDZCxvQkFBb0IsRUFFcEIsYUFBYSxJQUFJLG9CQUFvQixHQUN0QyxNQUFNLG1CQUFtQixDQUFDO0FBQzNCLE9BQU8sRUFBRSxNQUFNLEVBQUUsTUFBTSxpQ0FBaUMsQ0FBQztBQUN6RCxPQUFPLEVBQ0wsY0FBYyxFQUVkLGlCQUFpQixFQUNqQixhQUFhLEVBQ2IsVUFBVSxFQUNWLG9CQUFvQixFQUNwQixVQUFVLEVBQ1YsUUFBUSxFQUNSLFdBQVcsR0FDWixNQUFNLFdBQVcsQ0FBQztBQUNuQixPQUFPLEVBQUUsd0JBQXdCLEVBQUUsTUFBTSxpREFBaUQsQ0FBQztBQUMzRixPQUFPLEVBQUUsdUJBQXVCLEVBQUUsTUFBTSxnREFBZ0QsQ0FBQztBQUV6RixPQUFPLEVBRUwsaUJBQWlCLEVBQ2pCLFdBQVcsRUFDWCxXQUFXLEdBQ1osTUFBTSwyQkFBMkIsQ0FBQztBQUNuQyxPQUFPLEdBQUcsTUFBTSwwQkFBMEIsQ0FBQztBQUMzQyxPQUFPLEVBQ0wsaUJBQWlCLEVBQ2pCLG9CQUFvQixFQUNwQixNQUFNLEVBQ04saUJBQWlCLEdBQ2xCLE1BQU0sdUJBQXVCLENBQUM7QUFXL0IsT0FBTyxFQUFFLHVCQUF1QixFQUFFLE1BQU0sOEJBQThCLENBQUM7QUFFdkUsT0FBTyxFQUNMLG9CQUFvQixFQUNwQixvQkFBb0IsRUFFcEIsb0JBQW9CLEdBQ3JCLE1BQU0sZUFBZSxDQUFDO0FBQ3ZCLE9BQU8sRUFBb0IsZUFBZSxFQUFFLE1BQU0sd0JBQXdCLENBQUM7QUFDM0UsT0FBTyxFQUFFLGtCQUFrQixFQUFFLE1BQU0sd0JBQXdCLENBQUM7QUFHNUQsT0FBTyxFQUFFLFlBQVksRUFBRSxNQUFNLDhCQUE4QixDQUFDO0FBQzVELE9BQU8sRUFBRSxlQUFlLEVBQUUsTUFBTSwyQkFBMkIsQ0FBQztBQUM1RCxPQUFPLEtBQUssb0JBQW9CLE1BQU0sb0JBQW9CLENBQUM7QUFDM0QsT0FBTyxFQUF3QixZQUFZLEVBQWUsUUFBUSxFQUFFLE1BQU0sb0JBQW9CLENBQUM7QUFDL0YsT0FBTyxFQUFFLElBQUksRUFBRSxNQUFNLGdDQUFnQyxDQUFDO0FBQ3RELE9BQU8sRUFBRSxxQkFBcUIsRUFBRSxNQUFNLDRCQUE0QixDQUFDO0FBR25FLE1BQU0saUJBQWlCLEdBQUcsRUFBRSxHQUFHLElBQUksR0FBRyxJQUFJLEdBQUcsSUFBSSxDQUFDLENBQUMsc0JBQXNCO0FBQ3pFLE1BQU0sZUFBZSxHQUFHLEdBQUcsR0FBRyxJQUFJLEdBQUcsSUFBSSxDQUFDLENBQUMsdUJBQXVCO0FBRWxFLHVFQUF1RTtBQUN2RSxNQUFNLG1CQUFtQixHQUFHLEVBQUUsVUFBVSxFQUFFLEVBQUUsRUFBRSxhQUFhLEVBQUUsb0JBQW9CLEVBQUUsQ0FBQztBQUVwRixNQUFNLENBQUMsTUFBTSxnQkFBZ0IsR0FBRyxLQUFLLFdBQ25DLE1BQWtDLEVBQ2xDLFNBQWlCLEVBQ2pCLFFBQWdCO0lBRWhCLElBQUk7UUFDRixNQUFNLElBQUksR0FBZSxNQUFNLGNBQWMsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUV0RCxNQUFNLEtBQUssQ0FBQyxHQUFHLENBQUMsU0FBUyxFQUFFLElBQUksRUFBRTtZQUMvQixPQUFPLEVBQUU7Z0JBQ1AsZ0JBQWdCLEVBQUUsUUFBUTtnQkFDMUIsY0FBYyxFQUFFLGlCQUFpQjtnQkFDakMsZUFBZSxFQUFFLFVBQVU7YUFDNUI7WUFDRCxnQkFBZ0IsRUFBRSxRQUFRO1lBQzFCLGFBQWEsRUFBRSxRQUFRO1NBQ3hCLENBQUMsQ0FBQztLQUNKO0lBQUMsT0FBTyxDQUFDLEVBQUU7UUFDVixPQUFPLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ2pCLE1BQU0sQ0FBQyxDQUFDO0tBQ1Q7QUFDSCxDQUFDLENBQUM7QUFDRixNQUFNLGdCQUFnQixHQUFHLEtBQUssRUFBRSxPQUFnQixFQUFFLEVBQUUsQ0FBQyxJQUFJLFdBQVcsRUFBRSxDQUFDLE1BQU0sQ0FBQyxNQUFNLE9BQU8sQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsQ0FBQztBQUVuRyxNQUFNLGFBQWEsR0FBRyxLQUFLLEVBQUUsTUFBcUIsRUFBRSxFQUFFO0lBQ3BELElBQUksQ0FBQyxNQUFNLEVBQUU7UUFDWCxNQUFNLElBQUksa0JBQWtCLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztLQUNoRDtJQUNELHdCQUF3QjtJQUN4QixzREFBc0Q7SUFDdEQsSUFBSSxjQUF1QixDQUFDO0lBQzVCLElBQUksR0FBRyxHQUFHLElBQUksQ0FBQztJQUNmLFFBQVEsTUFBTSxDQUFDLElBQUksRUFBRTtRQUNuQixLQUFLLFFBQVE7WUFDWCxHQUFHLEdBQUcsTUFBTSxjQUFjLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1lBQzVDLGNBQWMsR0FBRyxVQUFVLENBQUMsR0FBRyxDQUFDLENBQUM7WUFDakMsTUFBTTtRQUNSLEtBQUssUUFBUTtZQUNYLEdBQUcsR0FBRyxNQUFNLENBQUMsUUFBUSxDQUFDO1lBQ3RCLGNBQWMsR0FBRyxVQUFVLENBQUMsR0FBRyxDQUFDLENBQUM7WUFDakMsTUFBTTtRQUNSLEtBQUssU0FBUztZQUNaLGNBQWMsR0FBRyxNQUFNLENBQUMsUUFBUSxDQUFDO1lBQ2pDLE1BQU07UUFDUjtZQUNFLGNBQWMsR0FBRyxNQUFNLGNBQWMsQ0FBQyxNQUFNLENBQUMsQ0FBQztLQUNqRDtJQUVELE1BQU0sS0FBSyxHQUFXLE1BQU0sZ0JBQWdCLENBQUMsY0FBYyxDQUFDLENBQUM7SUFDN0Qsb0NBQW9DO0lBQ3BDLElBQUksS0FBSyxLQUFLLElBQUksRUFBRTtRQUNsQixPQUFPLGNBQWMsQ0FBQztLQUN2QjtJQUNELHVCQUF1QjtJQUN2QixtRUFBbUU7SUFDbkUsTUFBTSxPQUFPLEdBQUcsR0FBRyxJQUFJLENBQUMsTUFBTSxjQUFjLEVBQUUsQ0FBQyxDQUFDO0lBQ2hELE1BQU0sTUFBTSxHQUFHLFVBQVUsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUNuQyxPQUFPLFVBQVUsQ0FBQyxNQUFNLENBQUMsQ0FBQztBQUM1QixDQUFDLENBQUM7QUFvQ0Y7Ozs7O0dBS0c7QUFDSCxNQUFNLENBQUMsS0FBSyxVQUFVLGlCQUFpQixDQUFDLEVBQ3RDLFlBQVk7QUFDWixpREFBaUQ7QUFDakQsYUFBYSxFQUNiLFFBQVEsR0FLVDtJQUNDLElBQUksV0FBMEIsQ0FBQztJQUMvQixJQUFJLFFBQVEsRUFBRTtRQUNaLFdBQVcsR0FBRyxNQUFNLFFBQVEsQ0FBQztLQUM5QjtTQUFNO1FBQ0wsTUFBTSxJQUFJLEdBQUcsTUFBTSxhQUFhLENBQUMsc0JBQXNCLEVBQUUsQ0FBQztRQUMxRCxtRkFBbUY7UUFDbkYsV0FBVyxHQUFHLE1BQU0sZUFBZSxDQUFDLElBQUksQ0FBQyxDQUFDO0tBQzNDO0lBRUQsZ0ZBQWdGO0lBQ2hGLG1EQUFtRDtJQUNuRCx1RkFBdUY7SUFDdkYsNEZBQTRGO0lBQzVGLHdGQUF3RjtJQUN4RixJQUFJLFlBQVksSUFBSSxDQUFDLG9CQUFvQixDQUFDLFlBQVksQ0FBQyxFQUFFO1FBQ3ZELE1BQU0sWUFBWSxFQUFFLHFCQUFxQixDQUFDLFdBQVcsQ0FBQyxDQUFDO0tBQ3hEO0lBQ0QsT0FBTyxXQUFXLENBQUM7QUFDckIsQ0FBQztBQUVEOztHQUVHO0FBQ0gsU0FBUyxRQUFRLENBQUMsS0FBWTtJQUM1QixJQUFJLEtBQUssQ0FBQyxZQUFZLEVBQUU7UUFDdEIsc0NBQXNDO1FBQ3RDLE9BQU8sS0FBSyxDQUFDLFlBQVksQ0FBQztLQUMzQjtJQUNELE1BQU0sUUFBUSxHQUFHLEtBQUssQ0FBQyxRQUFRLElBQUksRUFBRSxFQUFFLENBQUM7SUFDeEMsSUFBSSxjQUFpQyxDQUFDO0lBQ3RDLElBQUksS0FBSyxDQUFDLGVBQWUsRUFBRTtRQUN6QixjQUFjLEdBQUcsS0FBSyxDQUFDLGVBQWU7YUFDbkMsTUFBTSxDQUFDLENBQUMsRUFBRSxHQUFHLEVBQUUsRUFBRSxFQUFFLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQzthQUMxQixHQUFHLENBQUMsQ0FBQyxFQUFFLEdBQUcsRUFBRSxFQUFtQixFQUFFO1lBQ2hDLE9BQU8sRUFBRSxTQUFTLEVBQUUsR0FBSSxFQUFFLENBQUM7UUFDN0IsQ0FBQyxDQUFDLENBQUM7S0FDTjtTQUFNO1FBQ0wsY0FBYyxHQUFHLENBQUMsS0FBSyxDQUFDLFVBQVUsSUFBSSxFQUFFLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxTQUFTLEVBQUUsRUFBRSxDQUMxRCxPQUFPLFNBQVMsS0FBSyxRQUFRLENBQUMsQ0FBQyxDQUFDLEVBQUUsU0FBUyxFQUFFLENBQUMsQ0FBQyxDQUFDLFNBQVMsQ0FDMUQsQ0FBQztLQUNIO0lBQ0QsT0FBTztRQUNMLElBQUksRUFBRSxRQUFRO1FBQ2QsSUFBSSxFQUFFO1lBQ0osY0FBYztZQUNkLE1BQU0sRUFBRSxLQUFLLENBQUMsTUFBTSxJQUFJLEVBQUU7U0FDM0I7S0FDRixDQUFDO0FBQ0osQ0FBQztBQUVELE1BQU0sT0FBTyxNQUFNO0lBMkNqQjs7Ozs7Ozs7O09BU0c7SUFDSCxZQUFZLE1BQW9CO1FBakN2QixZQUFPLEdBQThDLEVBQUUsQ0FBQztRQWtDL0QsTUFBTSxZQUFZLEdBQUcsRUFBRSxHQUFHLG1CQUFtQixFQUFFLEdBQUcsTUFBTSxFQUFFLENBQUM7UUFDM0QsSUFBSSxDQUFDLGFBQWEsR0FBRyxZQUFZLENBQUMsYUFBYSxDQUFDO1FBQ2hELElBQUksQ0FBQyxXQUFXLEdBQUcsQ0FBQyxDQUFDLENBQUMsWUFBWSxDQUFDLFdBQVcsSUFBSSxZQUFZLENBQUMsUUFBUSxDQUFDLENBQUM7UUFFekUsWUFBWSxDQUFDLFNBQVMsSUFBSSxDQUFDLElBQUksQ0FBQyxTQUFTLEdBQUcsWUFBWSxDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBRXBFLElBQUksWUFBWSxDQUFDLFdBQVcsRUFBRTtZQUM1QixJQUFJLENBQUMsV0FBVyxHQUFHLFlBQVksQ0FBQyxXQUFXLENBQUM7U0FDN0M7YUFBTTtZQUNMLGtEQUFrRDtZQUNsRCxJQUFJLENBQUMsWUFBWSxDQUFDLGlCQUFpQixFQUFFO2dCQUNuQyxNQUFNLElBQUksa0JBQWtCLENBQUMsMEJBQTBCLENBQUMsQ0FBQzthQUMxRDtZQUNELElBQUksQ0FBQyxXQUFXLEdBQUcsWUFBWSxDQUFDLGlCQUFpQixDQUFDLE9BQU8sQ0FBQyxXQUFXLEVBQUUsRUFBRSxDQUFDLENBQUM7U0FDNUU7UUFDRCxJQUFJLENBQUMsV0FBVyxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLEdBQUcsQ0FBQyxDQUFDO1FBQ2pELElBQUksWUFBWSxDQUFDLGNBQWMsRUFBRTtZQUMvQixJQUFJLENBQUMsY0FBYyxHQUFHLE1BQU0sQ0FBQyxZQUFZLENBQUMsY0FBYyxFQUFFLEdBQUcsQ0FBQyxDQUFDO1NBQ2hFO2FBQU0sSUFBSSxJQUFJLENBQUMsV0FBVyxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsRUFBRTtZQUM1QyxJQUFJLENBQUMsY0FBYyxHQUFHLElBQUksQ0FBQyxXQUFXLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFDO1NBQ3JEO1FBRUQsTUFBTSxTQUFTLEdBQUcsSUFBSSxHQUFHLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDLE1BQU0sQ0FBQztRQUNuRCxJQUFJLFlBQVksQ0FBQyxZQUFZLEVBQUU7WUFDN0IsSUFBSSxDQUFDLFlBQVksR0FBRyxJQUFJLGVBQWUsQ0FDckMsWUFBWSxDQUFDLFlBQVksRUFDekIsQ0FBQyxDQUFDLFlBQVksQ0FBQyxlQUFlLENBQy9CLENBQUM7WUFDRixJQUFJLENBQUMsaUJBQWlCLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLEVBQUU7Z0JBQ2hGLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyx5QkFBeUIsSUFBSSxDQUFDLFdBQVcsR0FBRyxDQUFDLENBQUM7YUFDNUU7U0FDRjthQUFNO1lBQ0wsSUFBSSxDQUFDLGlCQUFpQixDQUFDLElBQUksQ0FBQyxXQUFXLENBQUMsRUFBRTtnQkFDeEMsTUFBTSxJQUFJLGtCQUFrQixDQUMxQix5QkFBeUIsSUFBSSxDQUFDLFdBQVcsZ0RBQWdELENBQzFGLENBQUM7YUFDSDtZQUNELElBQUksQ0FBQyxZQUFZLEdBQUcsSUFBSSxlQUFlLENBQUMsQ0FBQyxTQUFTLENBQUMsRUFBRSxDQUFDLENBQUMsWUFBWSxDQUFDLGVBQWUsQ0FBQyxDQUFDO1NBQ3RGO1FBRUQsSUFBSSxDQUFDLFlBQVksR0FBRyxNQUFNLENBQUMsWUFBWSxDQUFDO1FBQ3hDLElBQUksQ0FBQyxZQUFZLEdBQUcsWUFBWSxDQUFDO1FBRWpDLElBQUksSUFBSSxDQUFDLFlBQVksSUFBSSxvQkFBb0IsQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDLEVBQUU7WUFDaEUsSUFBSSxDQUFDLEdBQUcsR0FBRyxJQUFJLEdBQUcsQ0FBQztnQkFDakIsWUFBWSxFQUFFLElBQUksQ0FBQyxZQUFZO2dCQUMvQixRQUFRLEVBQ04sWUFBWSxDQUFDLG9CQUFvQixJQUFJLEdBQUcsWUFBWSxDQUFDLFdBQVcsbUJBQW1CO2FBQ3RGLENBQUMsQ0FBQztTQUNKO1FBRUQsSUFBSSxDQUFDLFFBQVEsR0FBRyxZQUFZLENBQUMsUUFBUSxDQUFDO1FBQ3RDLElBQUksQ0FBQyxJQUFJLENBQUMsWUFBWSxFQUFFO1lBQ3RCLElBQUksQ0FBQyxZQUFZLENBQUMsUUFBUSxFQUFFO2dCQUMxQixNQUFNLElBQUksa0JBQWtCLENBQUMsa0RBQWtELENBQUMsQ0FBQzthQUNsRjtZQUVELDBGQUEwRjtZQUMxRiwwRUFBMEU7WUFDMUUsMEdBQTBHO1lBQzFHLGdGQUFnRjtZQUNoRixJQUFJLFlBQVksQ0FBQyxZQUFZLEVBQUU7Z0JBQzdCLElBQUksQ0FBQyxZQUFZLEdBQUcsSUFBSSx3QkFBd0IsQ0FBQztvQkFDL0MsUUFBUSxFQUFFLFlBQVksQ0FBQyxRQUFRO29CQUMvQixZQUFZLEVBQUUsWUFBWSxDQUFDLFlBQVk7b0JBQ3ZDLFVBQVUsRUFBRSxZQUFZLENBQUMsVUFBVTtpQkFDcEMsQ0FBQyxDQUFDO2FBQ0o7aUJBQU0sSUFBSSxZQUFZLENBQUMsV0FBVyxFQUFFO2dCQUNuQywwR0FBMEc7Z0JBQzFHLElBQUksQ0FBQyxZQUFZLEdBQUcsSUFBSSx1QkFBdUIsQ0FBQztvQkFDOUMsUUFBUSxFQUFFLFlBQVksQ0FBQyxRQUFRO29CQUMvQixXQUFXLEVBQUUsWUFBWSxDQUFDLFdBQVc7b0JBQ3JDLFVBQVUsRUFBRSxZQUFZLENBQUMsVUFBVTtpQkFDcEMsQ0FBQyxDQUFDO2FBQ0o7U0FDRjtRQUNELElBQUksQ0FBQyxRQUFRLEdBQUcsaUJBQWlCLENBQUM7WUFDaEMsWUFBWSxFQUFFLElBQUksQ0FBQyxZQUFZO1lBQy9CLGFBQWEsRUFBRSxJQUFJLENBQUMsYUFBYTtZQUNqQyxRQUFRLEVBQUUsWUFBWSxDQUFDLFFBQVE7U0FDaEMsQ0FBQyxDQUFDO1FBQ0gsSUFBSSxZQUFZLENBQUMsWUFBWSxFQUFFO1lBQzdCLElBQUksQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxHQUFHLE9BQU8sQ0FBQyxPQUFPLENBQUM7Z0JBQy9DLEdBQUcsRUFBRSxJQUFJLENBQUMsV0FBVztnQkFDckIsU0FBUyxFQUFFLFVBQVU7Z0JBQ3JCLEdBQUcsRUFBRSxvQkFBb0IsQ0FBQyxZQUFZLENBQUMsWUFBWSxDQUFDO2dCQUNwRCxTQUFTLEVBQUUsWUFBWSxDQUFDLFlBQVk7YUFDckMsQ0FBQyxDQUFDO1NBQ0o7SUFDSCxDQUFDO0lBRUQ7Ozs7Ozs7Ozs7Ozs7Ozs7T0FnQkc7SUFDSCxLQUFLLENBQUMsT0FBTyxDQUFDLEVBQ1osS0FBSyxHQUFHLEVBQUUsVUFBVSxFQUFFLEVBQUUsRUFBRSxNQUFNLEVBQUUsRUFBRSxFQUFFLEVBQ3RDLGFBQWEsRUFDYixNQUFNLEVBQ04sTUFBTSxHQUFHLEtBQUssRUFDZCxRQUFRLEVBQ1IsUUFBUSxFQUNSLE9BQU8sR0FBRyxLQUFLLEVBQ2YsVUFBVSxHQUFHLG9CQUFvQixFQUNqQyxFQUFFLEVBQ0YsYUFBYSxHQUFHLG9CQUFvQixFQUNwQyxnQkFBZ0IsR0FBRyxLQUFLLEVBQUUsTUFBK0IsRUFBRSxFQUFFLENBQUMsTUFBTSxFQUNwRSxTQUFTLEVBQ1QsZ0JBQWdCLEdBQUcsRUFBRSxHQUNQO1FBQ2QsTUFBTSxRQUFRLEdBQUcsTUFBTSxJQUFJLENBQUMsUUFBUSxDQUFDO1FBRXJDLE1BQU0sWUFBWSxHQUFHLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUNyQyxvQkFBb0IsQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUVuQyxJQUFJLENBQUMsU0FBUyxJQUFJLGFBQWEsRUFBRTtZQUMvQixJQUFJLEdBQUcsR0FBWSxLQUFLLENBQUMsZUFBZSxJQUFJLEVBQUUsQ0FBQztZQUMvQyxNQUFNLElBQUksR0FBYSxLQUFLLENBQUMsVUFBVTtnQkFDckMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxVQUFVLENBQUMsR0FBRyxDQUFDLENBQUMsU0FBUyxFQUFFLEVBQUUsQ0FDakMsT0FBTyxTQUFTLEtBQUssUUFBUSxDQUFDLENBQUMsQ0FBQyxTQUFTLENBQUMsQ0FBQyxDQUFDLFNBQVMsQ0FBQyxTQUFTLENBQ2hFO2dCQUNILENBQUMsQ0FBQyxFQUFFLENBQUM7WUFFUCxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sSUFBSSxJQUFJLENBQUMsTUFBTSxFQUFFO2dCQUM5QixtREFBbUQ7Z0JBQ25ELElBQUksQ0FBQyxJQUFJLENBQUMsY0FBYyxFQUFFO29CQUN4QixNQUFNLElBQUksa0JBQWtCLENBQUMsbURBQW1ELENBQUMsQ0FBQztpQkFDbkY7Z0JBQ0QsR0FBRyxHQUFHLE1BQU0scUJBQXFCLENBQy9CLElBQUksQ0FBQyxjQUFjLEVBQ25CLElBQUksQ0FBQyxZQUE0QixFQUNqQyxHQUFHLElBQUksQ0FDUixDQUFDO2FBQ0g7aUJBQU0sSUFBSSxLQUFLLENBQUMsZUFBZSxFQUFFO2dCQUNoQyxHQUFHLEdBQUcsS0FBSyxDQUFDLGVBQWUsQ0FBQztnQkFDNUIsSUFBSSxDQUFDLEtBQUssQ0FBQyxVQUFVLEVBQUU7b0JBQ3JCLEtBQUssQ0FBQyxVQUFVLEdBQUcsR0FBRyxDQUFDLEdBQUcsQ0FBQyxDQUFDLEVBQUUsR0FBRyxFQUFFLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxDQUFDO2lCQUM5QzthQUNGO1lBQ0QsSUFDRSxHQUFHLENBQUMsTUFBTSxJQUFJLEtBQUssQ0FBQyxVQUFVLEVBQUUsTUFBTTtnQkFDdEMsQ0FBQyxHQUFHLENBQUMsR0FBRyxDQUFDLENBQUMsRUFBRSxHQUFHLEVBQUUsRUFBRSxFQUFFLENBQUMsR0FBRyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQyxFQUM3RDtnQkFDQSxNQUFNLElBQUksa0JBQWtCLENBQzFCLCtCQUErQixJQUFJLHlCQUF5QixJQUFJLENBQUMsU0FBUyxDQUN4RSxHQUFHLENBQUMsR0FBRyxDQUFDLENBQUMsRUFBRSxHQUFHLEVBQUUsRUFBRSxFQUFFLENBQUMsR0FBRyxDQUFDLENBQzFCLEVBQUUsQ0FDSixDQUFDO2FBQ0g7WUFDRCxNQUFNLFlBQVksR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7WUFDL0IsU0FBUyxHQUFHLFlBQVksQ0FBQyxHQUFHLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRTtnQkFDbkMsTUFBTSxFQUFFLEdBQUcsRUFBRSxHQUFHLEVBQUUsR0FBRyxHQUFHLENBQUM7Z0JBQ3pCLElBQUksR0FBRyxFQUFFLFNBQVMsRUFBRSxNQUFNLEVBQUUsSUFBSSxJQUFJLENBQUMsQ0FBQyxHQUFHLENBQUMsR0FBRyxJQUFJLElBQUksQ0FBQyxPQUFPLENBQUMsRUFBRTtvQkFDOUQsTUFBTSxJQUFJLEdBQUcsR0FBRyxDQUFDLFNBQVMsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FDM0MsQ0FBQyxFQUFFLEdBQUcsRUFBRSxFQUFFLEVBQUUsQ0FBQyxHQUFHLElBQUksa0NBQWtDLENBQ3ZELENBQUM7b0JBQ0YsSUFBSSxJQUFJLEVBQUUsTUFBTSxFQUFFO3dCQUNoQixNQUFNLEdBQUcsR0FBRyxJQUFJLENBQUMsQ0FBQyxDQUFDLENBQUM7d0JBQ3BCLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxHQUFHLE9BQU8sQ0FBQyxPQUFPLENBQUM7NEJBQ3RDLEdBQUcsRUFBRSxvQkFBb0IsQ0FBQyxHQUFHLENBQUMsR0FBRyxDQUFDOzRCQUNsQyxTQUFTLEVBQUUsR0FBRyxDQUFDLEdBQUc7NEJBQ2xCLEdBQUcsRUFBRSxHQUFHLENBQUMsR0FBRzs0QkFDWixTQUFTLEVBQUUsVUFBVTs0QkFDckIsR0FBRyxFQUFFLEdBQUcsQ0FBQyxHQUFHO3lCQUNiLENBQUMsQ0FBQztxQkFDSjtpQkFDRjtnQkFDRCxPQUFPLEVBQUUsR0FBRyxFQUFFLEdBQUcsQ0FBQyxHQUFHLEVBQUUsR0FBRyxFQUFFLENBQUM7WUFDL0IsQ0FBQyxDQUFDLENBQUM7U0FDSjtRQUVELCtFQUErRTtRQUUvRSxNQUFNLFNBQVMsR0FBRyxNQUFNLENBQUMsQ0FBQyxDQUFDLGVBQWUsQ0FBQyxDQUFDLENBQUMsaUJBQWlCLENBQUM7UUFDL0QsTUFBTSxxQkFBcUIsR0FBRyxJQUFJLFFBQVEsQ0FBQyxJQUFJLFlBQVksQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLENBQUMsQ0FBQztRQUNqRixJQUFJLFlBQXNDLENBQUM7UUFDM0MsSUFBSSxNQUFnQyxDQUFDO1FBQ3JDLElBQUksRUFBRSxFQUFFO1lBQ04sTUFBTSxHQUFHLEVBQUUsQ0FBQztZQUNaLE1BQU0sQ0FBQyxHQUFHLElBQUksWUFBWSxFQUFFLENBQUM7WUFDN0IsRUFBRSxDQUFDLFVBQVUsQ0FBQyxPQUFPLENBQUMsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLENBQUMsQ0FBQyxlQUFlLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQztZQUN6RCxZQUFZLEdBQUcsQ0FBQyxDQUFDO1NBQ2xCO1FBRUQsTUFBTSxNQUFNLEdBQWdCLFNBQVMsRUFBRSxNQUFNLENBQUMsQ0FBQyxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxFQUFFLEdBQUcsRUFBRSxJQUFJLENBQUMsV0FBVyxFQUFFLENBQUMsQ0FBQztRQUN4RixxQkFBcUIsQ0FBQyxTQUFTLEdBQUcsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUNqRCxNQUFNLENBQUMsR0FBRyxDQUFDLEtBQUssRUFBRSxFQUFFLEdBQUcsRUFBRSxHQUFHLEVBQUUsRUFBRSxFQUFFO1lBQ2hDLElBQUksQ0FBQyxDQUFDLEdBQUcsSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLEVBQUU7Z0JBQzFCLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLEdBQUcsaUJBQWlCLENBQUMsR0FBRyxDQUFDLENBQUM7YUFDNUM7WUFDRCxNQUFNLFlBQVksR0FBRyxNQUFNLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLENBQUM7WUFDN0MsT0FBTyxjQUFjLENBQUM7Z0JBQ3BCLFlBQVk7Z0JBQ1osSUFBSSxFQUFFLE9BQU8sQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxRQUFRO2dCQUNwQyxHQUFHLEVBQUUsWUFBWSxDQUFDLEdBQUc7Z0JBQ3JCLEdBQUcsRUFBRSxZQUFZLENBQUMsR0FBRztnQkFDckIsU0FBUyxFQUFFLFlBQVksQ0FBQyxTQUFTO2dCQUNqQyxRQUFRO2dCQUNSLEdBQUc7YUFDSixDQUFDLENBQUM7UUFDTCxDQUFDLENBQUMsQ0FDSCxDQUFDO1FBQ0YsTUFBTSxFQUFFLGdCQUFnQixFQUFFLGNBQWMsRUFBRSxHQUFHLE1BQU8sYUFBc0MsRUFBRSxDQUFDO1FBQzdGLE1BQU0sSUFBSSxHQUF5QjtZQUNqQyxTQUFTLEVBQUUsSUFBSSxDQUFDLFlBQVk7WUFDNUIsWUFBWTtZQUNaLFNBQVM7WUFDVCxhQUFhLEVBQUUsSUFBSSxDQUFDLGFBQWE7WUFDakMsUUFBUTtZQUNSLHFCQUFxQjtZQUNyQixNQUFNO1lBQ04sa0JBQWtCLEVBQUUsVUFBVTtZQUM5QixrQkFBa0IsRUFBRSxPQUFPO1lBQzNCLHlCQUF5QixFQUFFLE1BQU07WUFDakMsYUFBYSxFQUFFLE1BQU07WUFDckIsUUFBUTtZQUNSLE1BQU0sRUFBRSxZQUFZO1lBQ3BCLFlBQVksRUFBRSxJQUFJLENBQUMsWUFBWTtZQUMvQixlQUFlLEVBQUUsSUFBSSxDQUFDLFlBQVksQ0FBQyxlQUFlO1lBQ2xELGdCQUFnQjtZQUNoQixjQUFjO1lBQ2QsZ0JBQWdCO1NBQ2pCLENBQUM7UUFFRixNQUFNLE1BQU0sR0FBRyxNQUFPLGdCQUE0QyxDQUFDLE1BQU0sV0FBVyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUM7UUFFNUYsSUFBSSxDQUFDLE1BQU0sRUFBRTtZQUNYLE9BQU8sTUFBTSxDQUFDO1NBQ2Y7UUFFRCxxQkFBcUI7UUFDckIsSUFBSSxDQUFDLE1BQU0sQ0FBQyxRQUFRLEVBQUU7WUFDcEIsTUFBTSxJQUFJLEtBQUssQ0FBQyxnREFBZ0QsQ0FBQyxDQUFDO1NBQ25FO1FBQ0QsTUFBTSxPQUFPLEdBQUcsUUFBUSxDQUFDLE1BQU0sTUFBTSxDQUFDLFFBQVEsRUFBRSxFQUFFLE1BQU0sQ0FBQyxRQUFRLEVBQUUsSUFBSSxDQUFDLFNBQVMsSUFBSSxFQUFFLENBQUMsQ0FBQztRQUV6RixPQUFPLElBQUksdUJBQXVCLENBQUM7WUFDakMsSUFBSSxDQUFDLFVBQTJDO2dCQUM5QyxVQUFVLENBQUMsT0FBTyxDQUFDLE9BQU8sQ0FBQyxDQUFDO2dCQUM1QixVQUFVLENBQUMsS0FBSyxFQUFFLENBQUM7WUFDckIsQ0FBQztTQUNGLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRDs7Ozs7Ozs7OztPQVVHO0lBQ0gsS0FBSyxDQUFDLE9BQU8sQ0FBQyxFQUNaLEVBQUUsRUFDRixNQUFNLEVBQ04sYUFBYSxHQUFHLEtBQUssRUFBRSxHQUFXLEVBQUUsRUFBRSxDQUFDLEdBQUcsRUFDMUMsZ0JBQWdCLEdBQUcsS0FBSyxFQUFFLE1BQStCLEVBQUUsRUFBRSxDQUFDLE1BQU0sRUFDcEUseUJBQXlCLEVBQ3pCLGtCQUFrQixHQUNKO1FBQ2QsTUFBTSxRQUFRLEdBQUcsTUFBTSxJQUFJLENBQUMsUUFBUSxDQUFDO1FBQ3JDLElBQUksWUFBWSxDQUFDO1FBQ2pCLElBQUksSUFBSSxDQUFDLEdBQUcsSUFBSSxFQUFFLEVBQUU7WUFDbEIsTUFBTSxnQkFBZ0IsR0FBRyxNQUFNLGlCQUFpQixDQUFDLFFBQVEsQ0FBQyxTQUFTLENBQUMsQ0FBQztZQUNyRSxJQUFJLEVBQUUsSUFBSSxFQUFFLENBQUMsU0FBUyxJQUFJLGdCQUFnQixFQUFFO2dCQUMxQyxZQUFZLEdBQUcsRUFBRSxDQUFDO2FBQ25CO2lCQUFNLElBQUksSUFBSSxDQUFDLEdBQUcsRUFBRTtnQkFDbkIsWUFBWSxHQUFHLE1BQU0sSUFBSSxDQUFDLEdBQUcsQ0FBQyxpQkFBaUIsQ0FBQztvQkFDOUMsU0FBUyxFQUFFLGdCQUFnQjtpQkFDNUIsQ0FBQyxDQUFDO2FBQ0o7U0FDRjtRQUNELElBQUksQ0FBQyxJQUFJLENBQUMsWUFBWSxFQUFFO1lBQ3RCLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyxzQkFBc0IsQ0FBQyxDQUFDO1NBQ3REO1FBQ0QsTUFBTSxPQUFPLEdBQUcsTUFBTSxhQUFhLENBQUMsTUFBTSxDQUFDLENBQUM7UUFFNUMscURBQXFEO1FBQ3JELHFEQUFxRDtRQUNyRCxPQUFPLE1BQU8sZ0JBQTRDLENBQ3hELE1BQU0sVUFBVSxDQUFDO1lBQ2YsU0FBUyxFQUFFLElBQUksQ0FBQyxZQUFZO1lBQzVCLFlBQVksRUFBRSxJQUFJLENBQUMsWUFBWTtZQUMvQixPQUFPO1lBQ1AsYUFBYSxFQUFFLElBQUksQ0FBQyxhQUFhO1lBQ2pDLFFBQVE7WUFDUixNQUFNLEVBQUUsWUFBWTtZQUNwQix1QkFBdUIsRUFBRSxJQUFJLENBQUMsWUFBWSxDQUFDLHVCQUF1QjtZQUNsRSxhQUFhO1lBQ2IsZUFBZSxFQUFFLElBQUksQ0FBQyxZQUFZLENBQUMsZUFBZTtZQUNsRCx5QkFBeUI7WUFDekIsa0JBQWtCO1NBQ25CLENBQUMsQ0FDSCxDQUFDO0lBQ0osQ0FBQztJQUVEOzs7Ozs7Ozs7T0FTRztJQUNILEtBQUssQ0FBQyxXQUFXLENBQUMsRUFBRSxNQUFNLEVBQTZCO1FBQ3JELE1BQU0sT0FBTyxHQUFHLE1BQU0sYUFBYSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQzVDLE1BQU0sU0FBUyxHQUFHLElBQUksU0FBUyxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQ3pDLE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSxTQUFTLENBQUMsbUJBQW1CLEVBQUUsQ0FBQztRQUMvRCxNQUFNLFFBQVEsR0FBRyxNQUFNLFNBQVMsQ0FBQyxXQUFXLENBQUMsZ0JBQWdCLEVBQUUsaUJBQWlCLENBQUMsQ0FBQztRQUNsRixNQUFNLFVBQVUsR0FBRyxNQUFNLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxxQkFBcUIsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUN4RSxPQUFPLElBQUksQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLENBQUMsSUFBSSxDQUFDO0lBQ3JDLENBQUM7SUFFRCxLQUFLLENBQUMsYUFBYSxDQUFDLEVBQUUsTUFBTSxFQUE2QjtRQUN2RCxNQUFNLE9BQU8sR0FBRyxNQUFNLGFBQWEsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUM1QyxPQUFPLGFBQWEsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUNoQyxDQUFDO0NBQ0Y7QUFJRCxPQUFPLEVBQ0wsaUJBQWlCLEVBQ2pCLG9CQUFvQixFQUVwQixvQkFBb0IsRUFDcEIsV0FBVyxFQUNYLGNBQWMsRUFDZCxXQUFXLEdBQ1osQ0FBQyJ9

package/dist/web/tdf3/src/client/validation.js

@@ -0,0 +1,58 @@
+import { AttributeValidationError } from '../../../src/errors.js';
+const sageGetMatch = (match) => (match ? match[0] : null);
+export const ATTR_NAME_PROP_NAME = 'attr';
+export const ATTR_VALUE_PROP_NAME = 'value';
+// Validate attribute url protocol starts with `http://` or `https://`
+const SCHEME = '(https?://)';
+// validate url host be like `localhost:4000`
+const HOST_PORT = '([a-z0-9][a-z0-9]{1,}:[0-9]{1,4})';
+// validate url host be like `www.example.com`
+const WWW_HOST = '([a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z]{2,}';
+// validate url host be like `127.0.0.1:4000`
+const IP_HOST_PORT = '([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}:[0-9]{1,4})';
+// validate host is one of those above
+const HOST = `(${HOST_PORT}|${WWW_HOST}|${IP_HOST_PORT})`;
+// validate attr  name be like `/attr/<attr_name>`
+export const ATTR_NAME = `(/${ATTR_NAME_PROP_NAME}/[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]?)`;
+// validate value pattern
+export const ATTR_VALUE = `(/${ATTR_VALUE_PROP_NAME}/[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]?)`;
+// validate attribute authority  e.g. https://example.com
+const ATTR_AUTHORITY_PATTERN = `(${SCHEME}${HOST})`;
+// validate attribute namespace e.g. https://example.com/attr/someattribute
+const ATTR_NAMESPACE_PATTERN = `(${ATTR_AUTHORITY_PATTERN}${ATTR_NAME})`;
+// validate whole attribute e.g. https://example.com/attr/someattribute/value/somevalue
+export const ATTR_ATTRIBUTE_PATTERN = `^(${ATTR_NAMESPACE_PATTERN}${ATTR_VALUE})$`;
+export const validateAttributeObject = (attr) => {
+    const isObject = typeof attr === 'object';
+    if (!isObject) {
+        throw new AttributeValidationError(`attribute should be an object`, attr);
+    }
+    const { attribute } = attr;
+    const isString = typeof attribute === 'string';
+    if (!isString) {
+        throw new AttributeValidationError(`attribute prop should be a string`, attr);
+    }
+    return validateAttribute(attribute);
+};
+export function validateAttribute(attribute) {
+    if (!attribute.match(ATTR_ATTRIBUTE_PATTERN)) {
+        throw new AttributeValidationError(`attribute is in invalid format [${attribute}]`, attribute);
+    }
+    const ATTR_NAME_PREFIX = `/${ATTR_NAME_PROP_NAME}/`;
+    const ATTR_VALUE_PREFIX = `/${ATTR_VALUE_PROP_NAME}/`;
+    const attrNameMatch = sageGetMatch(attribute.match(ATTR_NAME));
+    const attrValueMatch = sageGetMatch(attribute.match(ATTR_VALUE));
+    if (!attrNameMatch) {
+        throw new AttributeValidationError(`attribute name matching error`, attribute);
+    }
+    if (!attrValueMatch) {
+        throw new AttributeValidationError(`attribute value matching error`, attribute);
+    }
+    const attributeName = attrNameMatch.slice(ATTR_NAME_PREFIX.length);
+    const attributeValue = attrValueMatch.slice(ATTR_VALUE_PREFIX.length);
+    if (attributeName === attributeValue) {
+        throw new AttributeValidationError(`attribute name should be unique with its value`, attribute);
+    }
+    return true;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidmFsaWRhdGlvbi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL2NsaWVudC92YWxpZGF0aW9uLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSx3QkFBd0IsRUFBRSxNQUFNLHdCQUF3QixDQUFDO0FBRWxFLE1BQU0sWUFBWSxHQUFHLENBQUMsS0FBOEIsRUFBRSxFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUM7QUFFbkYsTUFBTSxDQUFDLE1BQU0sbUJBQW1CLEdBQUcsTUFBTSxDQUFDO0FBQzFDLE1BQU0sQ0FBQyxNQUFNLG9CQUFvQixHQUFHLE9BQU8sQ0FBQztBQUU1QyxzRUFBc0U7QUFDdEUsTUFBTSxNQUFNLEdBQUcsYUFBYSxDQUFDO0FBRTdCLDZDQUE2QztBQUM3QyxNQUFNLFNBQVMsR0FBRyxtQ0FBbUMsQ0FBQztBQUV0RCw4Q0FBOEM7QUFDOUMsTUFBTSxRQUFRLEdBQUcsZ0RBQWdELENBQUM7QUFFbEUsNkNBQTZDO0FBQzdDLE1BQU0sWUFBWSxHQUFHLGdFQUFnRSxDQUFDO0FBRXRGLHNDQUFzQztBQUN0QyxNQUFNLElBQUksR0FBRyxJQUFJLFNBQVMsSUFBSSxRQUFRLElBQUksWUFBWSxHQUFHLENBQUM7QUFFMUQsa0RBQWtEO0FBQ2xELE1BQU0sQ0FBQyxNQUFNLFNBQVMsR0FBRyxLQUFLLG1CQUFtQix3Q0FBd0MsQ0FBQztBQUUxRix5QkFBeUI7QUFDekIsTUFBTSxDQUFDLE1BQU0sVUFBVSxHQUFHLEtBQUssb0JBQW9CLHdDQUF3QyxDQUFDO0FBRTVGLHlEQUF5RDtBQUN6RCxNQUFNLHNCQUFzQixHQUFHLElBQUksTUFBTSxHQUFHLElBQUksR0FBRyxDQUFDO0FBRXBELDJFQUEyRTtBQUMzRSxNQUFNLHNCQUFzQixHQUFHLElBQUksc0JBQXNCLEdBQUcsU0FBUyxHQUFHLENBQUM7QUFFekUsdUZBQXVGO0FBQ3ZGLE1BQU0sQ0FBQyxNQUFNLHNCQUFzQixHQUFHLEtBQUssc0JBQXNCLEdBQUcsVUFBVSxJQUFJLENBQUM7QUFFbkYsTUFBTSxDQUFDLE1BQU0sdUJBQXVCLEdBQUcsQ0FBQyxJQUFhLEVBQWdCLEVBQUU7SUFDckUsTUFBTSxRQUFRLEdBQUcsT0FBTyxJQUFJLEtBQUssUUFBUSxDQUFDO0lBQzFDLElBQUksQ0FBQyxRQUFRLEVBQUU7UUFDYixNQUFNLElBQUksd0JBQXdCLENBQUMsK0JBQStCLEVBQUUsSUFBSSxDQUFDLENBQUM7S0FDM0U7SUFFRCxNQUFNLEVBQUUsU0FBUyxFQUFFLEdBQUcsSUFBK0IsQ0FBQztJQUN0RCxNQUFNLFFBQVEsR0FBRyxPQUFPLFNBQVMsS0FBSyxRQUFRLENBQUM7SUFDL0MsSUFBSSxDQUFDLFFBQVEsRUFBRTtRQUNiLE1BQU0sSUFBSSx3QkFBd0IsQ0FBQyxtQ0FBbUMsRUFBRSxJQUFJLENBQUMsQ0FBQztLQUMvRTtJQUVELE9BQU8saUJBQWlCLENBQUMsU0FBUyxDQUFDLENBQUM7QUFDdEMsQ0FBQyxDQUFDO0FBRUYsTUFBTSxVQUFVLGlCQUFpQixDQUFDLFNBQWlCO0lBQ2pELElBQUksQ0FBQyxTQUFTLENBQUMsS0FBSyxDQUFDLHNCQUFzQixDQUFDLEVBQUU7UUFDNUMsTUFBTSxJQUFJLHdCQUF3QixDQUFDLG1DQUFtQyxTQUFTLEdBQUcsRUFBRSxTQUFTLENBQUMsQ0FBQztLQUNoRztJQUVELE1BQU0sZ0JBQWdCLEdBQUcsSUFBSSxtQkFBbUIsR0FBRyxDQUFDO0lBQ3BELE1BQU0saUJBQWlCLEdBQUcsSUFBSSxvQkFBb0IsR0FBRyxDQUFDO0lBQ3RELE1BQU0sYUFBYSxHQUFHLFlBQVksQ0FBQyxTQUFTLENBQUMsS0FBSyxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUM7SUFDL0QsTUFBTSxjQUFjLEdBQUcsWUFBWSxDQUFDLFNBQVMsQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQztJQUVqRSxJQUFJLENBQUMsYUFBYSxFQUFFO1FBQ2xCLE1BQU0sSUFBSSx3QkFBd0IsQ0FBQywrQkFBK0IsRUFBRSxTQUFTLENBQUMsQ0FBQztLQUNoRjtJQUVELElBQUksQ0FBQyxjQUFjLEVBQUU7UUFDbkIsTUFBTSxJQUFJLHdCQUF3QixDQUFDLGdDQUFnQyxFQUFFLFNBQVMsQ0FBQyxDQUFDO0tBQ2pGO0lBRUQsTUFBTSxhQUFhLEdBQUcsYUFBYSxDQUFDLEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxNQUFNLENBQUMsQ0FBQztJQUNuRSxNQUFNLGNBQWMsR0FBRyxjQUFjLENBQUMsS0FBSyxDQUFDLGlCQUFpQixDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBRXRFLElBQUksYUFBYSxLQUFLLGNBQWMsRUFBRTtRQUNwQyxNQUFNLElBQUksd0JBQXdCLENBQUMsZ0RBQWdELEVBQUUsU0FBUyxDQUFDLENBQUM7S0FDakc7SUFFRCxPQUFPLElBQUksQ0FBQztBQUNkLENBQUMifQ==

package/dist/web/tdf3/src/crypto/crypto-utils.js

@@ -0,0 +1,107 @@
+import { base64 } from '../../../src/encodings/index.js';
+import { rsaPkcs1Sha256 } from './index.js';
+/**
+ * Validates a specified key size
+ * @param size in bits requested
+ * @param minSize in bits allowed
+ */
+export const isValidAsymmetricKeySize = (size, minSize) => {
+    // No size specified is fine because the minSize will be used
+    if (size === undefined) {
+        return !!minSize;
+    }
+    if (typeof size !== 'number' || (minSize && size < minSize)) {
+        return false;
+    }
+    return true;
+};
+/**
+ * Format a base64 string representation of a key file
+ * in PEM PKCS#8 format by adding a header and footer
+ * and new lines.
+ *
+ * The PEM spec says to use <CR><LF> (\r\n) per
+ * https://tools.ietf.org/html/rfc1421#section-4.3.2.2, but
+ * many implementations use just \n, so this function
+ * follows the convention over the spec.
+ *
+ * @param  base64KeyString input
+ * @param  label header and footer label that identifies key type
+ * @return formatted output
+ */
+export const formatAsPem = (bytes, label) => {
+    let pemCert = `-----BEGIN ${label}-----\n`;
+    let nextIndex = 0;
+    const base64KeyString = base64.encodeArrayBuffer(bytes);
+    while (nextIndex < base64KeyString.length) {
+        if (nextIndex + 64 <= base64KeyString.length) {
+            pemCert += `${base64KeyString.substr(nextIndex, 64)}\n`;
+        }
+        else {
+            pemCert += `${base64KeyString.substr(nextIndex)}\n`;
+        }
+        nextIndex += 64;
+    }
+    pemCert += `-----END ${label}-----\n`;
+    return pemCert;
+};
+/**
+ * Remove PEM formatting (new line characters and headers / footers)
+ * from a PEM string
+ *
+ * @param  input - PEM formatted string
+ * @return String with formatting removed
+ */
+export const removePemFormatting = (input) => {
+    if (typeof input !== 'string') {
+        console.error('Not a pem string', input);
+        return input;
+    }
+    const oneLiner = input.replace(/[\n\r]/g, '');
+    // https://www.rfc-editor.org/rfc/rfc7468#section-2
+    return oneLiner.replace(/-----(?:BEGIN|END)\s(?:RSA\s)?(?:PUBLIC|PRIVATE|CERTIFICATE)\sKEY-----/g, '');
+};
+const PEMRE = /-----BEGIN\s((?:RSA\s)?(?:PUBLIC\sKEY|PRIVATE\sKEY|CERTIFICATE))-----[\s0-9A-Za-z+/=]+-----END\s\1-----/;
+export const isPemKeyPair = (i) => {
+    const { privateKey, publicKey } = i;
+    if (typeof privateKey !== 'string' || typeof publicKey !== 'string') {
+        return false;
+    }
+    const privateMatch = PEMRE.exec(privateKey);
+    if (!privateMatch || !privateMatch[1] || privateMatch[1].indexOf('PRIVATE KEY') < 0) {
+        return false;
+    }
+    const publicMatch = PEMRE.exec(publicKey);
+    if (!publicMatch || !publicMatch[1] || publicMatch[1].indexOf('PRIVATE') >= 0) {
+        return false;
+    }
+    return true;
+};
+export const isCryptoKeyPair = (i) => {
+    const { privateKey, publicKey } = i;
+    if (typeof privateKey !== 'object' || typeof publicKey !== 'object') {
+        return false;
+    }
+    if (!(privateKey instanceof CryptoKey) || !(publicKey instanceof CryptoKey)) {
+        return false;
+    }
+    return privateKey.type === 'private' && publicKey.type === 'public';
+};
+export const toCryptoKeyPair = async (input) => {
+    if (isCryptoKeyPair(input)) {
+        return input;
+    }
+    if (!isPemKeyPair(input)) {
+        throw new Error('internal: generated invalid keypair');
+    }
+    const k = [input.publicKey, input.privateKey]
+        .map(removePemFormatting)
+        .map((e) => base64.decodeArrayBuffer(e));
+    const algorithm = rsaPkcs1Sha256();
+    const [publicKey, privateKey] = await Promise.all([
+        crypto.subtle.importKey('spki', k[0], algorithm, true, ['verify']),
+        crypto.subtle.importKey('pkcs8', k[1], algorithm, true, ['sign']),
+    ]);
+    return { privateKey, publicKey };
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY3J5cHRvLXV0aWxzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vLi4vdGRmMy9zcmMvY3J5cHRvL2NyeXB0by11dGlscy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQUUsTUFBTSxFQUFFLE1BQU0saUNBQWlDLENBQUM7QUFFekQsT0FBTyxFQUFFLGNBQWMsRUFBRSxNQUFNLFlBQVksQ0FBQztBQUU1Qzs7OztHQUlHO0FBQ0gsTUFBTSxDQUFDLE1BQU0sd0JBQXdCLEdBQUcsQ0FBQyxJQUF3QixFQUFFLE9BQWdCLEVBQVcsRUFBRTtJQUM5Riw2REFBNkQ7SUFDN0QsSUFBSSxJQUFJLEtBQUssU0FBUyxFQUFFO1FBQ3RCLE9BQU8sQ0FBQyxDQUFDLE9BQU8sQ0FBQztLQUNsQjtJQUVELElBQUksT0FBTyxJQUFJLEtBQUssUUFBUSxJQUFJLENBQUMsT0FBTyxJQUFJLElBQUksR0FBRyxPQUFPLENBQUMsRUFBRTtRQUMzRCxPQUFPLEtBQUssQ0FBQztLQUNkO0lBRUQsT0FBTyxJQUFJLENBQUM7QUFDZCxDQUFDLENBQUM7QUFFRjs7Ozs7Ozs7Ozs7OztHQWFHO0FBQ0gsTUFBTSxDQUFDLE1BQU0sV0FBVyxHQUFHLENBQUMsS0FBa0IsRUFBRSxLQUFhLEVBQVUsRUFBRTtJQUN2RSxJQUFJLE9BQU8sR0FBRyxjQUFjLEtBQUssU0FBUyxDQUFDO0lBQzNDLElBQUksU0FBUyxHQUFHLENBQUMsQ0FBQztJQUNsQixNQUFNLGVBQWUsR0FBRyxNQUFNLENBQUMsaUJBQWlCLENBQUMsS0FBSyxDQUFDLENBQUM7SUFDeEQsT0FBTyxTQUFTLEdBQUcsZUFBZSxDQUFDLE1BQU0sRUFBRTtRQUN6QyxJQUFJLFNBQVMsR0FBRyxFQUFFLElBQUksZUFBZSxDQUFDLE1BQU0sRUFBRTtZQUM1QyxPQUFPLElBQUksR0FBRyxlQUFlLENBQUMsTUFBTSxDQUFDLFNBQVMsRUFBRSxFQUFFLENBQUMsSUFBSSxDQUFDO1NBQ3pEO2FBQU07WUFDTCxPQUFPLElBQUksR0FBRyxlQUFlLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxJQUFJLENBQUM7U0FDckQ7UUFDRCxTQUFTLElBQUksRUFBRSxDQUFDO0tBQ2pCO0lBQ0QsT0FBTyxJQUFJLFlBQVksS0FBSyxTQUFTLENBQUM7SUFDdEMsT0FBTyxPQUFPLENBQUM7QUFDakIsQ0FBQyxDQUFDO0FBRUY7Ozs7OztHQU1HO0FBQ0gsTUFBTSxDQUFDLE1BQU0sbUJBQW1CLEdBQUcsQ0FBQyxLQUFhLEVBQVUsRUFBRTtJQUMzRCxJQUFJLE9BQU8sS0FBSyxLQUFLLFFBQVEsRUFBRTtRQUM3QixPQUFPLENBQUMsS0FBSyxDQUFDLGtCQUFrQixFQUFFLEtBQUssQ0FBQyxDQUFDO1FBQ3pDLE9BQU8sS0FBSyxDQUFDO0tBQ2Q7SUFDRCxNQUFNLFFBQVEsR0FBRyxLQUFLLENBQUMsT0FBTyxDQUFDLFNBQVMsRUFBRSxFQUFFLENBQUMsQ0FBQztJQUM5QyxtREFBbUQ7SUFDbkQsT0FBTyxRQUFRLENBQUMsT0FBTyxDQUNyQix5RUFBeUUsRUFDekUsRUFBRSxDQUNILENBQUM7QUFDSixDQUFDLENBQUM7QUFFRixNQUFNLEtBQUssR0FDVCx5R0FBeUcsQ0FBQztBQUU1RyxNQUFNLENBQUMsTUFBTSxZQUFZLEdBQUcsQ0FBQyxDQUFhLEVBQW1CLEVBQUU7SUFDN0QsTUFBTSxFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQUUsR0FBRyxDQUFDLENBQUM7SUFDcEMsSUFBSSxPQUFPLFVBQVUsS0FBSyxRQUFRLElBQUksT0FBTyxTQUFTLEtBQUssUUFBUSxFQUFFO1FBQ25FLE9BQU8sS0FBSyxDQUFDO0tBQ2Q7SUFDRCxNQUFNLFlBQVksR0FBRyxLQUFLLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxDQUFDO0lBQzVDLElBQUksQ0FBQyxZQUFZLElBQUksQ0FBQyxZQUFZLENBQUMsQ0FBQyxDQUFDLElBQUksWUFBWSxDQUFDLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxhQUFhLENBQUMsR0FBRyxDQUFDLEVBQUU7UUFDbkYsT0FBTyxLQUFLLENBQUM7S0FDZDtJQUNELE1BQU0sV0FBVyxHQUFHLEtBQUssQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLENBQUM7SUFDMUMsSUFBSSxDQUFDLFdBQVcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDLENBQUMsSUFBSSxXQUFXLENBQUMsQ0FBQyxDQUFDLENBQUMsT0FBTyxDQUFDLFNBQVMsQ0FBQyxJQUFJLENBQUMsRUFBRTtRQUM3RSxPQUFPLEtBQUssQ0FBQztLQUNkO0lBQ0QsT0FBTyxJQUFJLENBQUM7QUFDZCxDQUFDLENBQUM7QUFFRixNQUFNLENBQUMsTUFBTSxlQUFlLEdBQUcsQ0FBQyxDQUFhLEVBQXNCLEVBQUU7SUFDbkUsTUFBTSxFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQUUsR0FBRyxDQUFDLENBQUM7SUFDcEMsSUFBSSxPQUFPLFVBQVUsS0FBSyxRQUFRLElBQUksT0FBTyxTQUFTLEtBQUssUUFBUSxFQUFFO1FBQ25FLE9BQU8sS0FBSyxDQUFDO0tBQ2Q7SUFDRCxJQUFJLENBQUMsQ0FBQyxVQUFVLFlBQVksU0FBUyxDQUFDLElBQUksQ0FBQyxDQUFDLFNBQVMsWUFBWSxTQUFTLENBQUMsRUFBRTtRQUMzRSxPQUFPLEtBQUssQ0FBQztLQUNkO0lBQ0QsT0FBTyxVQUFVLENBQUMsSUFBSSxLQUFLLFNBQVMsSUFBSSxTQUFTLENBQUMsSUFBSSxLQUFLLFFBQVEsQ0FBQztBQUN0RSxDQUFDLENBQUM7QUFFRixNQUFNLENBQUMsTUFBTSxlQUFlLEdBQUcsS0FBSyxFQUFFLEtBQWlCLEVBQTBCLEVBQUU7SUFDakYsSUFBSSxlQUFlLENBQUMsS0FBSyxDQUFDLEVBQUU7UUFDMUIsT0FBTyxLQUFLLENBQUM7S0FDZDtJQUNELElBQUksQ0FBQyxZQUFZLENBQUMsS0FBSyxDQUFDLEVBQUU7UUFDeEIsTUFBTSxJQUFJLEtBQUssQ0FBQyxxQ0FBcUMsQ0FBQyxDQUFDO0tBQ3hEO0lBQ0QsTUFBTSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsU0FBUyxFQUFFLEtBQUssQ0FBQyxVQUFVLENBQUM7U0FDMUMsR0FBRyxDQUFDLG1CQUFtQixDQUFDO1NBQ3hCLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLGlCQUFpQixDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDM0MsTUFBTSxTQUFTLEdBQUcsY0FBYyxFQUFFLENBQUM7SUFDbkMsTUFBTSxDQUFDLFNBQVMsRUFBRSxVQUFVLENBQUMsR0FBRyxNQUFNLE9BQU8sQ0FBQyxHQUFHLENBQUM7UUFDaEQsTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUMsRUFBRSxTQUFTLEVBQUUsSUFBSSxFQUFFLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDbEUsTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUMsRUFBRSxTQUFTLEVBQUUsSUFBSSxFQUFFLENBQUMsTUFBTSxDQUFDLENBQUM7S0FDbEUsQ0FBQyxDQUFDO0lBQ0gsT0FBTyxFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQUUsQ0FBQztBQUNuQyxDQUFDLENBQUMifQ==

package/dist/web/tdf3/src/crypto/declarations.js

@@ -0,0 +1,5 @@
+/**
+ * The minimum acceptable asymetric key size, currently 2^11.
+ */
+export const MIN_ASYMMETRIC_KEY_SIZE_BITS = 2048;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZGVjbGFyYXRpb25zLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vLi4vdGRmMy9zcmMvY3J5cHRvL2RlY2xhcmF0aW9ucy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFzQkE7O0dBRUc7QUFDSCxNQUFNLENBQUMsTUFBTSw0QkFBNEIsR0FBRyxJQUFJLENBQUMifQ==