@opentdf/sdk 0.11.0 → 0.12.0-beta.112

package/dist/cjs/tdf3/src/crypto/core/key-format.js

@@ -0,0 +1,359 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.extractPublicKeyPem = extractPublicKeyPem;
+exports.parsePublicKeyPem = parsePublicKeyPem;
+exports.jwkToPublicKeyPem = jwkToPublicKeyPem;
+exports.publicKeyPemToJwk = publicKeyPemToJwk;
+exports.importPublicKey = importPublicKey;
+exports.importPrivateKey = importPrivateKey;
+exports.exportPublicKeyPem = exportPublicKeyPem;
+exports.exportPrivateKeyPem = exportPrivateKeyPem;
+exports.exportPublicKeyJwk = exportPublicKeyJwk;
+const declarations_js_1 = require("../declarations.js");
+const errors_js_1 = require("../../../../src/errors.js");
+const crypto_utils_js_1 = require("../crypto-utils.js");
+const hex_js_1 = require("../../../../src/encodings/hex.js");
+const base64_js_1 = require("../../../../src/encodings/base64.js");
+const jose_1 = require("jose");
+const pemPublicToCrypto_js_1 = require("../../../../src/crypto/pemPublicToCrypto.js");
+const keys_js_1 = require("./keys.js");
+const rsa_js_1 = require("./rsa.js");
+/**
+ * Extract PEM public key from X.509 certificate or return PEM key as-is.
+ */
+async function extractPublicKeyPem(certOrPem, jwaAlgorithm) {
+    // If it's a certificate, extract the public key
+    if (certOrPem.includes('-----BEGIN CERTIFICATE-----')) {
+        let alg = jwaAlgorithm;
+        if (!alg) {
+            // Auto-detect algorithm from certificate OIDs
+            const certBody = certOrPem.replace(/-----(BEGIN|END) CERTIFICATE-----|\s/g, '');
+            const certBytes = (0, base64_js_1.decodeArrayBuffer)(certBody);
+            const hex = (0, hex_js_1.encodeArrayBuffer)(certBytes);
+            alg = (0, pemPublicToCrypto_js_1.toJwsAlg)(hex);
+        }
+        const cert = await (0, jose_1.importX509)(certOrPem, alg, { extractable: true });
+        return (0, jose_1.exportSPKI)(cert);
+    }
+    // If it's already a PEM public key, return as-is
+    if (certOrPem.includes('-----BEGIN PUBLIC KEY-----')) {
+        return certOrPem;
+    }
+    throw new errors_js_1.ConfigurationError('Input must be a PEM-encoded certificate or public key');
+}
+const SUPPORTED_EC_CURVES = ['P-256', 'P-384', 'P-521'];
+/**
+ * Decode base64url string and return byte length.
+ * Uses the existing base64 decoder which handles both standard and URL-safe encoding.
+ */
+function base64urlByteLength(base64url) {
+    // Add padding if needed (base64url omits padding)
+    const padding = (4 - (base64url.length % 4)) % 4;
+    const padded = base64url + '='.repeat(padding);
+    return (0, base64_js_1.decodeArrayBuffer)(padded).byteLength;
+}
+/**
+ * Extract EC curve from a public key by parsing ASN.1 OIDs.
+ * Reuses the existing guessCurveName function that checks for curve OIDs.
+ */
+function extractEcCurveFromPublicKey(keyData) {
+    // Convert to hex for OID parsing
+    const hexKey = (0, hex_js_1.encodeArrayBuffer)(keyData);
+    // Use existing OID parser (returns 'P-256', 'P-384', or 'P-521')
+    const curveName = (0, pemPublicToCrypto_js_1.guessCurveName)(hexKey);
+    return curveName;
+}
+/**
+ * Extract RSA modulus bit length by importing key and exporting as JWK.
+ * Uses Web Crypto's built-in ASN.1 parsing for robustness.
+ */
+async function extractRsaModulusBitLength(keyData) {
+    const key = await crypto.subtle.importKey('spki', keyData, { name: 'RSA-OAEP', hash: 'SHA-256' }, true, ['encrypt']);
+    const jwk = await crypto.subtle.exportKey('jwk', key);
+    if (!jwk.n) {
+        throw new errors_js_1.ConfigurationError('Invalid RSA key: missing modulus');
+    }
+    // JWK 'n' is base64url-encoded modulus
+    // Decode and count bytes, multiply by 8 for bits
+    return base64urlByteLength(jwk.n) * 8;
+}
+/**
+ * Import and validate a PEM public key, returning algorithm info.
+ * Uses JWK export for robust key parameter detection.
+ */
+async function parsePublicKeyPem(pem) {
+    // First extract public key if it's a certificate
+    let publicKeyPem = pem;
+    if (pem.includes('-----BEGIN CERTIFICATE-----')) {
+        publicKeyPem = await extractPublicKeyPem(pem);
+    }
+    if (!publicKeyPem.includes('-----BEGIN PUBLIC KEY-----')) {
+        throw new errors_js_1.ConfigurationError('Input must be a PEM-encoded public key or certificate');
+    }
+    const keyData = (0, base64_js_1.decodeArrayBuffer)((0, crypto_utils_js_1.removePemFormatting)(publicKeyPem));
+    // Try RSA first - use JWK export to get modulus size
+    try {
+        const modulusBits = await extractRsaModulusBitLength(keyData);
+        let algorithm;
+        if (modulusBits < declarations_js_1.MIN_ASYMMETRIC_KEY_SIZE_BITS) {
+            throw new errors_js_1.ConfigurationError(`RSA key size ${modulusBits} bits is below the minimum of ${declarations_js_1.MIN_ASYMMETRIC_KEY_SIZE_BITS} bits`);
+        }
+        else if (modulusBits <= 2048) {
+            algorithm = 'rsa:2048';
+        }
+        else if (modulusBits <= 4096) {
+            algorithm = 'rsa:4096';
+        }
+        else {
+            throw new errors_js_1.ConfigurationError(`Unsupported RSA key size: ${modulusBits} bits`);
+        }
+        return { algorithm, pem: publicKeyPem };
+    }
+    catch (e) {
+        // If it's our own ConfigurationError, rethrow
+        if (e instanceof errors_js_1.ConfigurationError) {
+            throw e;
+        }
+        // Not an RSA key, try EC next
+    }
+    // Try EC - parse curve from OID
+    try {
+        const detectedCurve = extractEcCurveFromPublicKey(keyData);
+        const curveMap = {
+            'P-256': 'ec:secp256r1',
+            'P-384': 'ec:secp384r1',
+            'P-521': 'ec:secp521r1',
+        };
+        return { algorithm: curveMap[detectedCurve], pem: publicKeyPem };
+    }
+    catch {
+        // Not a valid EC key
+    }
+    throw new errors_js_1.ConfigurationError('Unable to determine public key algorithm - unsupported key type');
+}
+/**
+ * Convert a JWK (JSON Web Key) to PEM format.
+ */
+async function jwkToPublicKeyPem(jwk) {
+    let key;
+    if (jwk.kty === 'RSA') {
+        // RSA key
+        key = await crypto.subtle.importKey('jwk', jwk, { name: 'RSA-OAEP', hash: 'SHA-256' }, true, [
+            'encrypt',
+        ]);
+    }
+    else if (jwk.kty === 'EC') {
+        // EC key
+        const crv = jwk.crv;
+        if (!crv || !['P-256', 'P-384', 'P-521'].includes(crv)) {
+            throw new errors_js_1.ConfigurationError(`Unsupported EC curve: ${crv}`);
+        }
+        key = await crypto.subtle.importKey('jwk', jwk, { name: 'ECDH', namedCurve: crv }, true, []);
+    }
+    else {
+        throw new errors_js_1.ConfigurationError(`Unsupported JWK key type: ${jwk.kty}`);
+    }
+    const spkiBuffer = await crypto.subtle.exportKey('spki', key);
+    return (0, crypto_utils_js_1.formatAsPem)(spkiBuffer, 'PUBLIC KEY');
+}
+/**
+ * Convert a PEM public key to JWK format.
+ * Returns only public key components (no private key data).
+ */
+async function publicKeyPemToJwk(publicKeyPem) {
+    const keyDataBase64 = (0, crypto_utils_js_1.removePemFormatting)(publicKeyPem);
+    const keyBuffer = (0, base64_js_1.decodeArrayBuffer)(keyDataBase64);
+    const hex = (0, hex_js_1.encodeArrayBuffer)(keyBuffer);
+    // Detect key type using OID
+    const algorithmName = (0, pemPublicToCrypto_js_1.guessAlgorithmName)(hex);
+    if (algorithmName === 'ECDH' || algorithmName === 'ECDSA') {
+        // EC key - detect curve from OID
+        const namedCurve = (0, pemPublicToCrypto_js_1.guessCurveName)(hex);
+        const key = await crypto.subtle.importKey('spki', keyBuffer, { name: 'ECDSA', namedCurve }, true, ['verify']);
+        const jwk = await crypto.subtle.exportKey('jwk', key);
+        // Return only public key components
+        const { kty, crv, x, y } = jwk;
+        return { kty, crv, x, y };
+    }
+    else {
+        // RSA key
+        const key = await crypto.subtle.importKey('spki', keyBuffer, { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, true, ['verify']);
+        const jwk = await crypto.subtle.exportKey('jwk', key);
+        // Return only public key components
+        const { kty, e, n } = jwk;
+        return { kty, e, n };
+    }
+}
+/**
+ * Import a PEM public key as an opaque key.
+ */
+async function importPublicKey(pem, options) {
+    const { usage = 'encrypt', extractable = true, algorithmHint } = options;
+    // Detect algorithm from PEM; also normalises certificates → plain SPKI PEM.
+    const keyInfo = await parsePublicKeyPem(pem);
+    const algorithm = algorithmHint || keyInfo.algorithm;
+    // Use keyInfo.pem (normalised SPKI) not the original pem, which may be a certificate.
+    // Passing raw X.509 DER bytes to crypto.subtle.importKey('spki') would throw DataError.
+    const keyData = (0, crypto_utils_js_1.removePemFormatting)(keyInfo.pem);
+    const keyBuffer = (0, base64_js_1.decodeArrayBuffer)(keyData);
+    // Determine Web Crypto algorithm and usages based on key type and usage
+    let cryptoAlgorithm;
+    let keyUsages;
+    if (algorithm.startsWith('rsa:')) {
+        if (usage === 'encrypt') {
+            cryptoAlgorithm = (0, rsa_js_1.rsaOaepSha1)();
+            keyUsages = ['encrypt'];
+        }
+        else if (usage === 'sign') {
+            cryptoAlgorithm = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
+            keyUsages = ['verify'];
+        }
+        else {
+            throw new errors_js_1.ConfigurationError('RSA keys only support usage: encrypt or sign');
+        }
+    }
+    else if (algorithm.startsWith('ec:')) {
+        const curve = algorithm.split(':')[1];
+        const namedCurve = curve === 'secp256r1'
+            ? 'P-256'
+            : curve === 'secp384r1'
+                ? 'P-384'
+                : curve === 'secp521r1'
+                    ? 'P-521'
+                    : (() => {
+                        throw new errors_js_1.ConfigurationError(`Unsupported EC curve: ${curve}`);
+                    })();
+        if (usage === 'derive') {
+            cryptoAlgorithm = { name: 'ECDH', namedCurve };
+            keyUsages = [];
+        }
+        else if (usage === 'sign') {
+            cryptoAlgorithm = { name: 'ECDSA', namedCurve };
+            keyUsages = ['verify'];
+        }
+        else {
+            throw new errors_js_1.ConfigurationError('EC keys only support usage: derive or sign');
+        }
+    }
+    else {
+        throw new errors_js_1.ConfigurationError(`Unsupported algorithm: ${algorithm}`);
+    }
+    // Import as CryptoKey
+    const cryptoKey = await crypto.subtle.importKey('spki', keyBuffer, cryptoAlgorithm, extractable, keyUsages);
+    return (0, keys_js_1.wrapPublicKey)(cryptoKey, algorithm);
+}
+/**
+ * Import a PEM private key as an opaque key.
+ */
+async function importPrivateKey(pem, options) {
+    const { usage = 'encrypt', extractable = true, algorithmHint } = options;
+    // Detect algorithm from PEM structure (similar to public key detection)
+    // For now, use algorithmHint if provided, otherwise detect from key structure
+    let algorithm;
+    const keyData = (0, crypto_utils_js_1.removePemFormatting)(pem);
+    const keyBuffer = (0, base64_js_1.decodeArrayBuffer)(keyData);
+    if (algorithmHint) {
+        algorithm = algorithmHint;
+    }
+    else {
+        // PKCS#8 PrivateKeyInfo embeds the same AlgorithmIdentifier OIDs as SPKI,
+        // so guessAlgorithmName / guessCurveName work on private key bytes too.
+        const hex = (0, hex_js_1.encodeArrayBuffer)(keyBuffer);
+        const algorithmName = (0, pemPublicToCrypto_js_1.guessAlgorithmName)(hex); // throws on unrecognised OID
+        if (algorithmName === 'ECDH' || algorithmName === 'ECDSA') {
+            const namedCurve = (0, pemPublicToCrypto_js_1.guessCurveName)(hex);
+            const curveMap = {
+                'P-256': 'ec:secp256r1',
+                'P-384': 'ec:secp384r1',
+                'P-521': 'ec:secp521r1',
+            };
+            const mapped = curveMap[namedCurve];
+            if (!mapped)
+                throw new errors_js_1.ConfigurationError(`Unsupported EC curve in private key: ${namedCurve}`);
+            algorithm = mapped;
+        }
+        else {
+            // RSA — determine key size by importing and reading modulus length from JWK
+            const tempKey = await crypto.subtle.importKey('pkcs8', keyBuffer, { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, true, ['sign']);
+            const jwk = await crypto.subtle.exportKey('jwk', tempKey);
+            if (!jwk.n) {
+                throw new errors_js_1.ConfigurationError('Invalid RSA private key: missing modulus');
+            }
+            const modulusBits = base64urlByteLength(jwk.n) * 8;
+            if (modulusBits < declarations_js_1.MIN_ASYMMETRIC_KEY_SIZE_BITS) {
+                throw new errors_js_1.ConfigurationError(`RSA key size ${modulusBits} bits is below the minimum of ${declarations_js_1.MIN_ASYMMETRIC_KEY_SIZE_BITS} bits`);
+            }
+            algorithm = modulusBits <= 2048 ? 'rsa:2048' : 'rsa:4096';
+        }
+    }
+    // Determine Web Crypto algorithm and usages
+    let cryptoAlgorithm;
+    let keyUsages;
+    if (algorithm.startsWith('rsa:')) {
+        if (usage === 'encrypt') {
+            cryptoAlgorithm = (0, rsa_js_1.rsaOaepSha1)();
+            keyUsages = ['decrypt'];
+        }
+        else if (usage === 'sign') {
+            cryptoAlgorithm = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
+            keyUsages = ['sign'];
+        }
+        else {
+            throw new errors_js_1.ConfigurationError('RSA keys only support usage: encrypt or sign');
+        }
+    }
+    else if (algorithm.startsWith('ec:')) {
+        const curve = algorithm.split(':')[1];
+        const namedCurve = curve === 'secp256r1'
+            ? 'P-256'
+            : curve === 'secp384r1'
+                ? 'P-384'
+                : curve === 'secp521r1'
+                    ? 'P-521'
+                    : (() => {
+                        throw new errors_js_1.ConfigurationError(`Unsupported EC curve: ${curve}`);
+                    })();
+        if (usage === 'derive') {
+            cryptoAlgorithm = { name: 'ECDH', namedCurve };
+            keyUsages = ['deriveBits'];
+        }
+        else if (usage === 'sign') {
+            cryptoAlgorithm = { name: 'ECDSA', namedCurve };
+            keyUsages = ['sign'];
+        }
+        else {
+            throw new errors_js_1.ConfigurationError('EC keys only support usage: derive or sign');
+        }
+    }
+    else {
+        throw new errors_js_1.ConfigurationError(`Unsupported algorithm: ${algorithm}`);
+    }
+    // Import as CryptoKey
+    const cryptoKey = await crypto.subtle.importKey('pkcs8', keyBuffer, cryptoAlgorithm, extractable, keyUsages);
+    return (0, keys_js_1.wrapPrivateKey)(cryptoKey, algorithm);
+}
+/**
+ * Export an opaque public key to PEM format.
+ */
+async function exportPublicKeyPem(key) {
+    const cryptoKey = (0, keys_js_1.unwrapKey)(key);
+    const keyBuffer = await crypto.subtle.exportKey('spki', cryptoKey);
+    return (0, crypto_utils_js_1.formatAsPem)(keyBuffer, 'PUBLIC KEY');
+}
+/**
+ * Export an opaque private key to PEM format.
+ * ONLY USE FOR TESTING/DEVELOPMENT. Private keys should NOT be exportable in secure environments.
+ */
+async function exportPrivateKeyPem(key) {
+    const cryptoKey = (0, keys_js_1.unwrapKey)(key);
+    const keyBuffer = await crypto.subtle.exportKey('pkcs8', cryptoKey);
+    return (0, crypto_utils_js_1.formatAsPem)(keyBuffer, 'PRIVATE KEY');
+}
+/**
+ * Export an opaque public key to JWK format.
+ */
+async function exportPublicKeyJwk(key) {
+    const cryptoKey = (0, keys_js_1.unwrapKey)(key);
+    return await crypto.subtle.exportKey('jwk', cryptoKey);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoia2V5LWZvcm1hdC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL2NyeXB0by9jb3JlL2tleS1mb3JtYXQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUF3QkEsa0RBd0JDO0FBcURELDhDQW1EQztBQUtELDhDQXFCQztBQU1ELDhDQW9DQztBQUtELDBDQTZEQztBQUtELDRDQXFHQztBQUtELGdEQUlDO0FBTUQsa0RBSUM7QUFLRCxnREFHQztBQW5hRCx3REFPNEI7QUFDNUIseURBQStEO0FBQy9ELHdEQUFzRTtBQUN0RSw2REFBa0Y7QUFDbEYsbUVBQXdGO0FBQ3hGLCtCQUE4QztBQUM5QyxzRkFJcUQ7QUFDckQsdUNBQXFFO0FBQ3JFLHFDQUF1QztBQUV2Qzs7R0FFRztBQUNJLEtBQUssVUFBVSxtQkFBbUIsQ0FDdkMsU0FBaUIsRUFDakIsWUFBcUI7SUFFckIsZ0RBQWdEO0lBQ2hELElBQUksU0FBUyxDQUFDLFFBQVEsQ0FBQyw2QkFBNkIsQ0FBQyxFQUFFLENBQUM7UUFDdEQsSUFBSSxHQUFHLEdBQUcsWUFBWSxDQUFDO1FBQ3ZCLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztZQUNULDhDQUE4QztZQUM5QyxNQUFNLFFBQVEsR0FBRyxTQUFTLENBQUMsT0FBTyxDQUFDLHVDQUF1QyxFQUFFLEVBQUUsQ0FBQyxDQUFDO1lBQ2hGLE1BQU0sU0FBUyxHQUFHLElBQUEsNkJBQVksRUFBQyxRQUFRLENBQUMsQ0FBQztZQUN6QyxNQUFNLEdBQUcsR0FBRyxJQUFBLDBCQUFTLEVBQUMsU0FBUyxDQUFDLENBQUM7WUFDakMsR0FBRyxHQUFHLElBQUEsK0JBQVEsRUFBQyxHQUFHLENBQUMsQ0FBQztRQUN0QixDQUFDO1FBQ0QsTUFBTSxJQUFJLEdBQUcsTUFBTSxJQUFBLGlCQUFVLEVBQUMsU0FBUyxFQUFFLEdBQUcsRUFBRSxFQUFFLFdBQVcsRUFBRSxJQUFJLEVBQUUsQ0FBQyxDQUFDO1FBQ3JFLE9BQU8sSUFBQSxpQkFBVSxFQUFDLElBQUksQ0FBQyxDQUFDO0lBQzFCLENBQUM7SUFFRCxpREFBaUQ7SUFDakQsSUFBSSxTQUFTLENBQUMsUUFBUSxDQUFDLDRCQUE0QixDQUFDLEVBQUUsQ0FBQztRQUNyRCxPQUFPLFNBQVMsQ0FBQztJQUNuQixDQUFDO0lBRUQsTUFBTSxJQUFJLDhCQUFrQixDQUFDLHVEQUF1RCxDQUFDLENBQUM7QUFDeEYsQ0FBQztBQUVELE1BQU0sbUJBQW1CLEdBQUcsQ0FBQyxPQUFPLEVBQUUsT0FBTyxFQUFFLE9BQU8sQ0FBVSxDQUFDO0FBR2pFOzs7R0FHRztBQUNILFNBQVMsbUJBQW1CLENBQUMsU0FBaUI7SUFDNUMsa0RBQWtEO0lBQ2xELE1BQU0sT0FBTyxHQUFHLENBQUMsQ0FBQyxHQUFHLENBQUMsU0FBUyxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUNqRCxNQUFNLE1BQU0sR0FBRyxTQUFTLEdBQUcsR0FBRyxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUMvQyxPQUFPLElBQUEsNkJBQVksRUFBQyxNQUFNLENBQUMsQ0FBQyxVQUFVLENBQUM7QUFDekMsQ0FBQztBQUVEOzs7R0FHRztBQUNILFNBQVMsMkJBQTJCLENBQUMsT0FBb0I7SUFDdkQsaUNBQWlDO0lBQ2pDLE1BQU0sTUFBTSxHQUFHLElBQUEsMEJBQVMsRUFBQyxPQUFPLENBQUMsQ0FBQztJQUNsQyxpRUFBaUU7SUFDakUsTUFBTSxTQUFTLEdBQUcsSUFBQSxxQ0FBYyxFQUFDLE1BQU0sQ0FBQyxDQUFDO0lBQ3pDLE9BQU8sU0FBNkIsQ0FBQztBQUN2QyxDQUFDO0FBRUQ7OztHQUdHO0FBQ0gsS0FBSyxVQUFVLDBCQUEwQixDQUFDLE9BQW9CO0lBQzVELE1BQU0sR0FBRyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQ3ZDLE1BQU0sRUFDTixPQUFPLEVBQ1AsRUFBRSxJQUFJLEVBQUUsVUFBVSxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsRUFDckMsSUFBSSxFQUNKLENBQUMsU0FBUyxDQUFDLENBQ1osQ0FBQztJQUNGLE1BQU0sR0FBRyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsS0FBSyxFQUFFLEdBQUcsQ0FBQyxDQUFDO0lBQ3RELElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFDWCxNQUFNLElBQUksOEJBQWtCLENBQUMsa0NBQWtDLENBQUMsQ0FBQztJQUNuRSxDQUFDO0lBQ0QsdUNBQXVDO0lBQ3ZDLGlEQUFpRDtJQUNqRCxPQUFPLG1CQUFtQixDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUM7QUFDeEMsQ0FBQztBQUVEOzs7R0FHRztBQUNJLEtBQUssVUFBVSxpQkFBaUIsQ0FBQyxHQUFXO0lBQ2pELGlEQUFpRDtJQUNqRCxJQUFJLFlBQVksR0FBRyxHQUFHLENBQUM7SUFDdkIsSUFBSSxHQUFHLENBQUMsUUFBUSxDQUFDLDZCQUE2QixDQUFDLEVBQUUsQ0FBQztRQUNoRCxZQUFZLEdBQUcsTUFBTSxtQkFBbUIsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUNoRCxDQUFDO0lBRUQsSUFBSSxDQUFDLFlBQVksQ0FBQyxRQUFRLENBQUMsNEJBQTRCLENBQUMsRUFBRSxDQUFDO1FBQ3pELE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyx1REFBdUQsQ0FBQyxDQUFDO0lBQ3hGLENBQUM7SUFFRCxNQUFNLE9BQU8sR0FBRyxJQUFBLDZCQUFZLEVBQUMsSUFBQSxxQ0FBbUIsRUFBQyxZQUFZLENBQUMsQ0FBQyxDQUFDO0lBRWhFLHFEQUFxRDtJQUNyRCxJQUFJLENBQUM7UUFDSCxNQUFNLFdBQVcsR0FBRyxNQUFNLDBCQUEwQixDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQzlELElBQUksU0FBcUMsQ0FBQztRQUMxQyxJQUFJLFdBQVcsR0FBRyw4Q0FBNEIsRUFBRSxDQUFDO1lBQy9DLE1BQU0sSUFBSSw4QkFBa0IsQ0FDMUIsZ0JBQWdCLFdBQVcsaUNBQWlDLDhDQUE0QixPQUFPLENBQ2hHLENBQUM7UUFDSixDQUFDO2FBQU0sSUFBSSxXQUFXLElBQUksSUFBSSxFQUFFLENBQUM7WUFDL0IsU0FBUyxHQUFHLFVBQVUsQ0FBQztRQUN6QixDQUFDO2FBQU0sSUFBSSxXQUFXLElBQUksSUFBSSxFQUFFLENBQUM7WUFDL0IsU0FBUyxHQUFHLFVBQVUsQ0FBQztRQUN6QixDQUFDO2FBQU0sQ0FBQztZQUNOLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyw2QkFBNkIsV0FBVyxPQUFPLENBQUMsQ0FBQztRQUNoRixDQUFDO1FBQ0QsT0FBTyxFQUFFLFNBQVMsRUFBRSxHQUFHLEVBQUUsWUFBWSxFQUFFLENBQUM7SUFDMUMsQ0FBQztJQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7UUFDWCw4Q0FBOEM7UUFDOUMsSUFBSSxDQUFDLFlBQVksOEJBQWtCLEVBQUUsQ0FBQztZQUNwQyxNQUFNLENBQUMsQ0FBQztRQUNWLENBQUM7UUFDRCw4QkFBOEI7SUFDaEMsQ0FBQztJQUVELGdDQUFnQztJQUNoQyxJQUFJLENBQUM7UUFDSCxNQUFNLGFBQWEsR0FBRywyQkFBMkIsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUMzRCxNQUFNLFFBQVEsR0FBRztZQUNmLE9BQU8sRUFBRSxjQUFjO1lBQ3ZCLE9BQU8sRUFBRSxjQUFjO1lBQ3ZCLE9BQU8sRUFBRSxjQUFjO1NBQ2YsQ0FBQztRQUNYLE9BQU8sRUFBRSxTQUFTLEVBQUUsUUFBUSxDQUFDLGFBQWEsQ0FBQyxFQUFFLEdBQUcsRUFBRSxZQUFZLEVBQUUsQ0FBQztJQUNuRSxDQUFDO0lBQUMsTUFBTSxDQUFDO1FBQ1AscUJBQXFCO0lBQ3ZCLENBQUM7SUFFRCxNQUFNLElBQUksOEJBQWtCLENBQUMsaUVBQWlFLENBQUMsQ0FBQztBQUNsRyxDQUFDO0FBRUQ7O0dBRUc7QUFDSSxLQUFLLFVBQVUsaUJBQWlCLENBQUMsR0FBZTtJQUNyRCxJQUFJLEdBQWMsQ0FBQztJQUVuQixJQUFJLEdBQUcsQ0FBQyxHQUFHLEtBQUssS0FBSyxFQUFFLENBQUM7UUFDdEIsVUFBVTtRQUNWLEdBQUcsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLEtBQUssRUFBRSxHQUFHLEVBQUUsRUFBRSxJQUFJLEVBQUUsVUFBVSxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsRUFBRSxJQUFJLEVBQUU7WUFDM0YsU0FBUztTQUNWLENBQUMsQ0FBQztJQUNMLENBQUM7U0FBTSxJQUFJLEdBQUcsQ0FBQyxHQUFHLEtBQUssSUFBSSxFQUFFLENBQUM7UUFDNUIsU0FBUztRQUNULE1BQU0sR0FBRyxHQUFHLEdBQUcsQ0FBQyxHQUFHLENBQUM7UUFDcEIsSUFBSSxDQUFDLEdBQUcsSUFBSSxDQUFDLENBQUMsT0FBTyxFQUFFLE9BQU8sRUFBRSxPQUFPLENBQUMsQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUN2RCxNQUFNLElBQUksOEJBQWtCLENBQUMseUJBQXlCLEdBQUcsRUFBRSxDQUFDLENBQUM7UUFDL0QsQ0FBQztRQUNELEdBQUcsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLEtBQUssRUFBRSxHQUFHLEVBQUUsRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLFVBQVUsRUFBRSxHQUFHLEVBQUUsRUFBRSxJQUFJLEVBQUUsRUFBRSxDQUFDLENBQUM7SUFDL0YsQ0FBQztTQUFNLENBQUM7UUFDTixNQUFNLElBQUksOEJBQWtCLENBQUMsNkJBQTZCLEdBQUcsQ0FBQyxHQUFHLEVBQUUsQ0FBQyxDQUFDO0lBQ3ZFLENBQUM7SUFFRCxNQUFNLFVBQVUsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLE1BQU0sRUFBRSxHQUFHLENBQUMsQ0FBQztJQUM5RCxPQUFPLElBQUEsNkJBQVcsRUFBQyxVQUFVLEVBQUUsWUFBWSxDQUFDLENBQUM7QUFDL0MsQ0FBQztBQUVEOzs7R0FHRztBQUNJLEtBQUssVUFBVSxpQkFBaUIsQ0FBQyxZQUFvQjtJQUMxRCxNQUFNLGFBQWEsR0FBRyxJQUFBLHFDQUFtQixFQUFDLFlBQVksQ0FBQyxDQUFDO0lBQ3hELE1BQU0sU0FBUyxHQUFHLElBQUEsNkJBQVksRUFBQyxhQUFhLENBQUMsQ0FBQztJQUM5QyxNQUFNLEdBQUcsR0FBRyxJQUFBLDBCQUFTLEVBQUMsU0FBUyxDQUFDLENBQUM7SUFFakMsNEJBQTRCO0lBQzVCLE1BQU0sYUFBYSxHQUFHLElBQUEseUNBQWtCLEVBQUMsR0FBRyxDQUFDLENBQUM7SUFFOUMsSUFBSSxhQUFhLEtBQUssTUFBTSxJQUFJLGFBQWEsS0FBSyxPQUFPLEVBQUUsQ0FBQztRQUMxRCxpQ0FBaUM7UUFDakMsTUFBTSxVQUFVLEdBQUcsSUFBQSxxQ0FBYyxFQUFDLEdBQUcsQ0FBQyxDQUFDO1FBQ3ZDLE1BQU0sR0FBRyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQ3ZDLE1BQU0sRUFDTixTQUFTLEVBQ1QsRUFBRSxJQUFJLEVBQUUsT0FBTyxFQUFFLFVBQVUsRUFBRSxFQUM3QixJQUFJLEVBQ0osQ0FBQyxRQUFRLENBQUMsQ0FDWCxDQUFDO1FBQ0YsTUFBTSxHQUFHLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxLQUFLLEVBQUUsR0FBRyxDQUFDLENBQUM7UUFDdEQsb0NBQW9DO1FBQ3BDLE1BQU0sRUFBRSxHQUFHLEVBQUUsR0FBRyxFQUFFLENBQUMsRUFBRSxDQUFDLEVBQUUsR0FBRyxHQUFHLENBQUM7UUFDL0IsT0FBTyxFQUFFLEdBQUcsRUFBRSxHQUFHLEVBQUUsQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDO0lBQzVCLENBQUM7U0FBTSxDQUFDO1FBQ04sVUFBVTtRQUNWLE1BQU0sR0FBRyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQ3ZDLE1BQU0sRUFDTixTQUFTLEVBQ1QsRUFBRSxJQUFJLEVBQUUsbUJBQW1CLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxFQUM5QyxJQUFJLEVBQ0osQ0FBQyxRQUFRLENBQUMsQ0FDWCxDQUFDO1FBQ0YsTUFBTSxHQUFHLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxLQUFLLEVBQUUsR0FBRyxDQUFDLENBQUM7UUFDdEQsb0NBQW9DO1FBQ3BDLE1BQU0sRUFBRSxHQUFHLEVBQUUsQ0FBQyxFQUFFLENBQUMsRUFBRSxHQUFHLEdBQUcsQ0FBQztRQUMxQixPQUFPLEVBQUUsR0FBRyxFQUFFLENBQUMsRUFBRSxDQUFDLEVBQUUsQ0FBQztJQUN2QixDQUFDO0FBQ0gsQ0FBQztBQUVEOztHQUVHO0FBQ0ksS0FBSyxVQUFVLGVBQWUsQ0FBQyxHQUFXLEVBQUUsT0FBbUI7SUFDcEUsTUFBTSxFQUFFLEtBQUssR0FBRyxTQUFTLEVBQUUsV0FBVyxHQUFHLElBQUksRUFBRSxhQUFhLEVBQUUsR0FBRyxPQUFPLENBQUM7SUFFekUsNEVBQTRFO0lBQzVFLE1BQU0sT0FBTyxHQUFHLE1BQU0saUJBQWlCLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDN0MsTUFBTSxTQUFTLEdBQUcsYUFBYSxJQUFJLE9BQU8sQ0FBQyxTQUFTLENBQUM7SUFDckQsc0ZBQXNGO0lBQ3RGLHdGQUF3RjtJQUN4RixNQUFNLE9BQU8sR0FBRyxJQUFBLHFDQUFtQixFQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUNqRCxNQUFNLFNBQVMsR0FBRyxJQUFBLDZCQUFZLEVBQUMsT0FBTyxDQUFDLENBQUM7SUFFeEMsd0VBQXdFO0lBQ3hFLElBQUksZUFBMEQsQ0FBQztJQUMvRCxJQUFJLFNBQXFCLENBQUM7SUFFMUIsSUFBSSxTQUFTLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7UUFDakMsSUFBSSxLQUFLLEtBQUssU0FBUyxFQUFFLENBQUM7WUFDeEIsZUFBZSxHQUFHLElBQUEsb0JBQVcsR0FBRSxDQUFDO1lBQ2hDLFNBQVMsR0FBRyxDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBQzFCLENBQUM7YUFBTSxJQUFJLEtBQUssS0FBSyxNQUFNLEVBQUUsQ0FBQztZQUM1QixlQUFlLEdBQUcsRUFBRSxJQUFJLEVBQUUsbUJBQW1CLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxDQUFDO1lBQ2pFLFNBQVMsR0FBRyxDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBQ3pCLENBQUM7YUFBTSxDQUFDO1lBQ04sTUFBTSxJQUFJLDhCQUFrQixDQUFDLDhDQUE4QyxDQUFDLENBQUM7UUFDL0UsQ0FBQztJQUNILENBQUM7U0FBTSxJQUFJLFNBQVMsQ0FBQyxVQUFVLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztRQUN2QyxNQUFNLEtBQUssR0FBRyxTQUFTLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ3RDLE1BQU0sVUFBVSxHQUNkLEtBQUssS0FBSyxXQUFXO1lBQ25CLENBQUMsQ0FBQyxPQUFPO1lBQ1QsQ0FBQyxDQUFDLEtBQUssS0FBSyxXQUFXO2dCQUNyQixDQUFDLENBQUMsT0FBTztnQkFDVCxDQUFDLENBQUMsS0FBSyxLQUFLLFdBQVc7b0JBQ3JCLENBQUMsQ0FBQyxPQUFPO29CQUNULENBQUMsQ0FBQyxDQUFDLEdBQUcsRUFBRTt3QkFDSixNQUFNLElBQUksOEJBQWtCLENBQUMseUJBQXlCLEtBQUssRUFBRSxDQUFDLENBQUM7b0JBQ2pFLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFFZixJQUFJLEtBQUssS0FBSyxRQUFRLEVBQUUsQ0FBQztZQUN2QixlQUFlLEdBQUcsRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLFVBQVUsRUFBRSxDQUFDO1lBQy9DLFNBQVMsR0FBRyxFQUFFLENBQUM7UUFDakIsQ0FBQzthQUFNLElBQUksS0FBSyxLQUFLLE1BQU0sRUFBRSxDQUFDO1lBQzVCLGVBQWUsR0FBRyxFQUFFLElBQUksRUFBRSxPQUFPLEVBQUUsVUFBVSxFQUFFLENBQUM7WUFDaEQsU0FBUyxHQUFHLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDekIsQ0FBQzthQUFNLENBQUM7WUFDTixNQUFNLElBQUksOEJBQWtCLENBQUMsNENBQTRDLENBQUMsQ0FBQztRQUM3RSxDQUFDO0lBQ0gsQ0FBQztTQUFNLENBQUM7UUFDTixNQUFNLElBQUksOEJBQWtCLENBQUMsMEJBQTBCLFNBQVMsRUFBRSxDQUFDLENBQUM7SUFDdEUsQ0FBQztJQUVELHNCQUFzQjtJQUN0QixNQUFNLFNBQVMsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUM3QyxNQUFNLEVBQ04sU0FBUyxFQUNULGVBQWUsRUFDZixXQUFXLEVBQ1gsU0FBUyxDQUNWLENBQUM7SUFFRixPQUFPLElBQUEsdUJBQWEsRUFBQyxTQUFTLEVBQUUsU0FBUyxDQUFDLENBQUM7QUFDN0MsQ0FBQztBQUVEOztHQUVHO0FBQ0ksS0FBSyxVQUFVLGdCQUFnQixDQUFDLEdBQVcsRUFBRSxPQUFtQjtJQUNyRSxNQUFNLEVBQUUsS0FBSyxHQUFHLFNBQVMsRUFBRSxXQUFXLEdBQUcsSUFBSSxFQUFFLGFBQWEsRUFBRSxHQUFHLE9BQU8sQ0FBQztJQUV6RSx3RUFBd0U7SUFDeEUsOEVBQThFO0lBQzlFLElBQUksU0FBdUIsQ0FBQztJQUU1QixNQUFNLE9BQU8sR0FBRyxJQUFBLHFDQUFtQixFQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQ3pDLE1BQU0sU0FBUyxHQUFHLElBQUEsNkJBQVksRUFBQyxPQUFPLENBQUMsQ0FBQztJQUV4QyxJQUFJLGFBQWEsRUFBRSxDQUFDO1FBQ2xCLFNBQVMsR0FBRyxhQUFhLENBQUM7SUFDNUIsQ0FBQztTQUFNLENBQUM7UUFDTiwwRUFBMEU7UUFDMUUsd0VBQXdFO1FBQ3hFLE1BQU0sR0FBRyxHQUFHLElBQUEsMEJBQVMsRUFBQyxTQUFTLENBQUMsQ0FBQztRQUNqQyxNQUFNLGFBQWEsR0FBRyxJQUFBLHlDQUFrQixFQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsNkJBQTZCO1FBQzVFLElBQUksYUFBYSxLQUFLLE1BQU0sSUFBSSxhQUFhLEtBQUssT0FBTyxFQUFFLENBQUM7WUFDMUQsTUFBTSxVQUFVLEdBQUcsSUFBQSxxQ0FBYyxFQUFDLEdBQUcsQ0FBQyxDQUFDO1lBQ3ZDLE1BQU0sUUFBUSxHQUFpQztnQkFDN0MsT0FBTyxFQUFFLGNBQWM7Z0JBQ3ZCLE9BQU8sRUFBRSxjQUFjO2dCQUN2QixPQUFPLEVBQUUsY0FBYzthQUN4QixDQUFDO1lBQ0YsTUFBTSxNQUFNLEdBQUcsUUFBUSxDQUFDLFVBQVUsQ0FBQyxDQUFDO1lBQ3BDLElBQUksQ0FBQyxNQUFNO2dCQUNULE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyx3Q0FBd0MsVUFBVSxFQUFFLENBQUMsQ0FBQztZQUNyRixTQUFTLEdBQUcsTUFBTSxDQUFDO1FBQ3JCLENBQUM7YUFBTSxDQUFDO1lBQ04sNEVBQTRFO1lBQzVFLE1BQU0sT0FBTyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQzNDLE9BQU8sRUFDUCxTQUFTLEVBQ1QsRUFBRSxJQUFJLEVBQUUsbUJBQW1CLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxFQUM5QyxJQUFJLEVBQ0osQ0FBQyxNQUFNLENBQUMsQ0FDVCxDQUFDO1lBQ0YsTUFBTSxHQUFHLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxLQUFLLEVBQUUsT0FBTyxDQUFDLENBQUM7WUFDMUQsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDLEVBQUUsQ0FBQztnQkFDWCxNQUFNLElBQUksOEJBQWtCLENBQUMsMENBQTBDLENBQUMsQ0FBQztZQUMzRSxDQUFDO1lBQ0QsTUFBTSxXQUFXLEdBQUcsbUJBQW1CLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQztZQUNuRCxJQUFJLFdBQVcsR0FBRyw4Q0FBNEIsRUFBRSxDQUFDO2dCQUMvQyxNQUFNLElBQUksOEJBQWtCLENBQzFCLGdCQUFnQixXQUFXLGlDQUFpQyw4Q0FBNEIsT0FBTyxDQUNoRyxDQUFDO1lBQ0osQ0FBQztZQUNELFNBQVMsR0FBRyxXQUFXLElBQUksSUFBSSxDQUFDLENBQUMsQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLFVBQVUsQ0FBQztRQUM1RCxDQUFDO0lBQ0gsQ0FBQztJQUVELDRDQUE0QztJQUM1QyxJQUFJLGVBQTBELENBQUM7SUFDL0QsSUFBSSxTQUFxQixDQUFDO0lBRTFCLElBQUksU0FBUyxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO1FBQ2pDLElBQUksS0FBSyxLQUFLLFNBQVMsRUFBRSxDQUFDO1lBQ3hCLGVBQWUsR0FBRyxJQUFBLG9CQUFXLEdBQUUsQ0FBQztZQUNoQyxTQUFTLEdBQUcsQ0FBQyxTQUFTLENBQUMsQ0FBQztRQUMxQixDQUFDO2FBQU0sSUFBSSxLQUFLLEtBQUssTUFBTSxFQUFFLENBQUM7WUFDNUIsZUFBZSxHQUFHLEVBQUUsSUFBSSxFQUFFLG1CQUFtQixFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsQ0FBQztZQUNqRSxTQUFTLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUN2QixDQUFDO2FBQU0sQ0FBQztZQUNOLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyw4Q0FBOEMsQ0FBQyxDQUFDO1FBQy9FLENBQUM7SUFDSCxDQUFDO1NBQU0sSUFBSSxTQUFTLENBQUMsVUFBVSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7UUFDdkMsTUFBTSxLQUFLLEdBQUcsU0FBUyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUN0QyxNQUFNLFVBQVUsR0FDZCxLQUFLLEtBQUssV0FBVztZQUNuQixDQUFDLENBQUMsT0FBTztZQUNULENBQUMsQ0FBQyxLQUFLLEtBQUssV0FBVztnQkFDckIsQ0FBQyxDQUFDLE9BQU87Z0JBQ1QsQ0FBQyxDQUFDLEtBQUssS0FBSyxXQUFXO29CQUNyQixDQUFDLENBQUMsT0FBTztvQkFDVCxDQUFDLENBQUMsQ0FBQyxHQUFHLEVBQUU7d0JBQ0osTUFBTSxJQUFJLDhCQUFrQixDQUFDLHlCQUF5QixLQUFLLEVBQUUsQ0FBQyxDQUFDO29CQUNqRSxDQUFDLENBQUMsRUFBRSxDQUFDO1FBRWYsSUFBSSxLQUFLLEtBQUssUUFBUSxFQUFFLENBQUM7WUFDdkIsZUFBZSxHQUFHLEVBQUUsSUFBSSxFQUFFLE1BQU0sRUFBRSxVQUFVLEVBQUUsQ0FBQztZQUMvQyxTQUFTLEdBQUcsQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUM3QixDQUFDO2FBQU0sSUFBSSxLQUFLLEtBQUssTUFBTSxFQUFFLENBQUM7WUFDNUIsZUFBZSxHQUFHLEVBQUUsSUFBSSxFQUFFLE9BQU8sRUFBRSxVQUFVLEVBQUUsQ0FBQztZQUNoRCxTQUFTLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUN2QixDQUFDO2FBQU0sQ0FBQztZQUNOLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyw0Q0FBNEMsQ0FBQyxDQUFDO1FBQzdFLENBQUM7SUFDSCxDQUFDO1NBQU0sQ0FBQztRQUNOLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQywwQkFBMEIsU0FBUyxFQUFFLENBQUMsQ0FBQztJQUN0RSxDQUFDO0lBRUQsc0JBQXNCO0lBQ3RCLE1BQU0sU0FBUyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQzdDLE9BQU8sRUFDUCxTQUFTLEVBQ1QsZUFBZSxFQUNmLFdBQVcsRUFDWCxTQUFTLENBQ1YsQ0FBQztJQUVGLE9BQU8sSUFBQSx3QkFBYyxFQUFDLFNBQVMsRUFBRSxTQUFTLENBQUMsQ0FBQztBQUM5QyxDQUFDO0FBRUQ7O0dBRUc7QUFDSSxLQUFLLFVBQVUsa0JBQWtCLENBQUMsR0FBYztJQUNyRCxNQUFNLFNBQVMsR0FBRyxJQUFBLG1CQUFTLEVBQUMsR0FBRyxDQUFDLENBQUM7SUFDakMsTUFBTSxTQUFTLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxNQUFNLEVBQUUsU0FBUyxDQUFDLENBQUM7SUFDbkUsT0FBTyxJQUFBLDZCQUFXLEVBQUMsU0FBUyxFQUFFLFlBQVksQ0FBQyxDQUFDO0FBQzlDLENBQUM7QUFFRDs7O0dBR0c7QUFDSSxLQUFLLFVBQVUsbUJBQW1CLENBQUMsR0FBZTtJQUN2RCxNQUFNLFNBQVMsR0FBRyxJQUFBLG1CQUFTLEVBQUMsR0FBRyxDQUFDLENBQUM7SUFDakMsTUFBTSxTQUFTLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxPQUFPLEVBQUUsU0FBUyxDQUFDLENBQUM7SUFDcEUsT0FBTyxJQUFBLDZCQUFXLEVBQUMsU0FBUyxFQUFFLGFBQWEsQ0FBQyxDQUFDO0FBQy9DLENBQUM7QUFFRDs7R0FFRztBQUNJLEtBQUssVUFBVSxrQkFBa0IsQ0FBQyxHQUFjO0lBQ3JELE1BQU0sU0FBUyxHQUFHLElBQUEsbUJBQVMsRUFBQyxHQUFHLENBQUMsQ0FBQztJQUNqQyxPQUFPLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsS0FBSyxFQUFFLFNBQVMsQ0FBQyxDQUFDO0FBQ3pELENBQUMifQ==

package/dist/cjs/tdf3/src/crypto/core/keys.js

@@ -0,0 +1,85 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.wrapPublicKey = wrapPublicKey;
+exports.wrapPrivateKey = wrapPrivateKey;
+exports.unwrapKey = unwrapKey;
+exports.wrapSymmetricKey = wrapSymmetricKey;
+exports.unwrapSymmetricKey = unwrapSymmetricKey;
+/**
+ * Wrap a CryptoKey as an opaque PublicKey.
+ * @internal
+ */
+function wrapPublicKey(key, algorithm) {
+    const result = {
+        _brand: 'PublicKey',
+        algorithm,
+        _internal: key,
+    };
+    if (algorithm.startsWith('rsa:')) {
+        result.modulusBits = parseInt(algorithm.split(':')[1], 10);
+    }
+    else if (algorithm.startsWith('ec:')) {
+        const curvePart = algorithm.split(':')[1];
+        result.curve =
+            curvePart === 'secp256r1'
+                ? 'P-256'
+                : curvePart === 'secp384r1'
+                    ? 'P-384'
+                    : curvePart === 'secp521r1'
+                        ? 'P-521'
+                        : undefined;
+    }
+    return result;
+}
+/**
+ * Wrap a CryptoKey as an opaque PrivateKey.
+ * @internal
+ */
+function wrapPrivateKey(key, algorithm) {
+    const result = {
+        _brand: 'PrivateKey',
+        algorithm,
+        _internal: key,
+    };
+    if (algorithm.startsWith('rsa:')) {
+        result.modulusBits = parseInt(algorithm.split(':')[1], 10);
+    }
+    else if (algorithm.startsWith('ec:')) {
+        const curvePart = algorithm.split(':')[1];
+        result.curve =
+            curvePart === 'secp256r1'
+                ? 'P-256'
+                : curvePart === 'secp384r1'
+                    ? 'P-384'
+                    : curvePart === 'secp521r1'
+                        ? 'P-521'
+                        : undefined;
+    }
+    return result;
+}
+/**
+ * Unwrap an opaque key to get the internal CryptoKey.
+ * @internal
+ */
+function unwrapKey(key) {
+    return key._internal;
+}
+/**
+ * Wrap raw key bytes as an opaque SymmetricKey.
+ * @internal
+ */
+function wrapSymmetricKey(keyBytes) {
+    return {
+        _brand: 'SymmetricKey',
+        length: keyBytes.length * 8, // bits
+        _internal: keyBytes,
+    };
+}
+/**
+ * Unwrap an opaque SymmetricKey to get raw bytes.
+ * @internal
+ */
+function unwrapSymmetricKey(key) {
+    return key._internal;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoia2V5cy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL2NyeXB0by9jb3JlL2tleXMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFXQSxzQ0FvQkM7QUFNRCx3Q0FvQkM7QUFNRCw4QkFFQztBQU1ELDRDQU1DO0FBTUQsZ0RBRUM7QUE5RUQ7OztHQUdHO0FBQ0gsU0FBZ0IsYUFBYSxDQUFDLEdBQWMsRUFBRSxTQUF1QjtJQUNuRSxNQUFNLE1BQU0sR0FBUTtRQUNsQixNQUFNLEVBQUUsV0FBVztRQUNuQixTQUFTO1FBQ1QsU0FBUyxFQUFFLEdBQUc7S0FDZixDQUFDO0lBQ0YsSUFBSSxTQUFTLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7UUFDakMsTUFBTSxDQUFDLFdBQVcsR0FBRyxRQUFRLENBQUMsU0FBUyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQztJQUM3RCxDQUFDO1NBQU0sSUFBSSxTQUFTLENBQUMsVUFBVSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7UUFDdkMsTUFBTSxTQUFTLEdBQUcsU0FBUyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUMxQyxNQUFNLENBQUMsS0FBSztZQUNWLFNBQVMsS0FBSyxXQUFXO2dCQUN2QixDQUFDLENBQUMsT0FBTztnQkFDVCxDQUFDLENBQUMsU0FBUyxLQUFLLFdBQVc7b0JBQ3pCLENBQUMsQ0FBQyxPQUFPO29CQUNULENBQUMsQ0FBQyxTQUFTLEtBQUssV0FBVzt3QkFDekIsQ0FBQyxDQUFDLE9BQU87d0JBQ1QsQ0FBQyxDQUFDLFNBQVMsQ0FBQztJQUN0QixDQUFDO0lBQ0QsT0FBTyxNQUFtQixDQUFDO0FBQzdCLENBQUM7QUFFRDs7O0dBR0c7QUFDSCxTQUFnQixjQUFjLENBQUMsR0FBYyxFQUFFLFNBQXVCO0lBQ3BFLE1BQU0sTUFBTSxHQUFRO1FBQ2xCLE1BQU0sRUFBRSxZQUFZO1FBQ3BCLFNBQVM7UUFDVCxTQUFTLEVBQUUsR0FBRztLQUNmLENBQUM7SUFDRixJQUFJLFNBQVMsQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQztRQUNqQyxNQUFNLENBQUMsV0FBVyxHQUFHLFFBQVEsQ0FBQyxTQUFTLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDO0lBQzdELENBQUM7U0FBTSxJQUFJLFNBQVMsQ0FBQyxVQUFVLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztRQUN2QyxNQUFNLFNBQVMsR0FBRyxTQUFTLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzFDLE1BQU0sQ0FBQyxLQUFLO1lBQ1YsU0FBUyxLQUFLLFdBQVc7Z0JBQ3ZCLENBQUMsQ0FBQyxPQUFPO2dCQUNULENBQUMsQ0FBQyxTQUFTLEtBQUssV0FBVztvQkFDekIsQ0FBQyxDQUFDLE9BQU87b0JBQ1QsQ0FBQyxDQUFDLFNBQVMsS0FBSyxXQUFXO3dCQUN6QixDQUFDLENBQUMsT0FBTzt3QkFDVCxDQUFDLENBQUMsU0FBUyxDQUFDO0lBQ3RCLENBQUM7SUFDRCxPQUFPLE1BQW9CLENBQUM7QUFDOUIsQ0FBQztBQUVEOzs7R0FHRztBQUNILFNBQWdCLFNBQVMsQ0FBQyxHQUEyQjtJQUNuRCxPQUFRLEdBQVcsQ0FBQyxTQUFTLENBQUM7QUFDaEMsQ0FBQztBQUVEOzs7R0FHRztBQUNILFNBQWdCLGdCQUFnQixDQUFDLFFBQW9CO0lBQ25ELE9BQU87UUFDTCxNQUFNLEVBQUUsY0FBYztRQUN0QixNQUFNLEVBQUUsUUFBUSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsT0FBTztRQUNwQyxTQUFTLEVBQUUsUUFBUTtLQUNKLENBQUM7QUFDcEIsQ0FBQztBQUVEOzs7R0FHRztBQUNILFNBQWdCLGtCQUFrQixDQUFDLEdBQWlCO0lBQ2xELE9BQVEsR0FBVyxDQUFDLFNBQVMsQ0FBQztBQUNoQyxDQUFDIn0=

package/dist/cjs/tdf3/src/crypto/core/rsa.js

@@ -0,0 +1,120 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rsaOaepSha1 = rsaOaepSha1;
+exports.rsaPkcs1Sha256 = rsaPkcs1Sha256;
+exports.generateKeyPair = generateKeyPair;
+exports.generateSigningKeyPair = generateSigningKeyPair;
+exports.encryptWithPublicKey = encryptWithPublicKey;
+exports.decryptWithPrivateKey = decryptWithPrivateKey;
+const binary_js_1 = require("../../binary.js");
+const declarations_js_1 = require("../declarations.js");
+const errors_js_1 = require("../../../../src/errors.js");
+const keys_js_1 = require("./keys.js");
+const ENC_DEC_METHODS = ['encrypt', 'decrypt'];
+const SIGN_VERIFY_METHODS = ['sign', 'verify'];
+/**
+ * Get a DOMString representing the algorithm to use for an
+ * asymmetric key generation.
+ */
+function rsaOaepSha1(modulusLength = declarations_js_1.MIN_ASYMMETRIC_KEY_SIZE_BITS) {
+    if (!modulusLength || modulusLength < declarations_js_1.MIN_ASYMMETRIC_KEY_SIZE_BITS) {
+        throw new errors_js_1.ConfigurationError('Invalid key size requested');
+    }
+    return {
+        name: 'RSA-OAEP',
+        hash: {
+            name: 'SHA-1',
+        },
+        modulusLength,
+        // 24 bit representation of 65537
+        publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+    };
+}
+function rsaPkcs1Sha256(modulusLength = declarations_js_1.MIN_ASYMMETRIC_KEY_SIZE_BITS) {
+    if (!modulusLength || modulusLength < declarations_js_1.MIN_ASYMMETRIC_KEY_SIZE_BITS) {
+        throw new errors_js_1.ConfigurationError('Invalid key size requested');
+    }
+    return {
+        name: 'RSASSA-PKCS1-v1_5',
+        hash: {
+            name: 'SHA-256',
+        },
+        modulusLength,
+        // 24 bit representation of 65537
+        publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+    };
+}
+/**
+ * Generate an RSA key pair
+ * @see    {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey}
+ * @param  size in bits
+ */
+async function generateKeyPair(size) {
+    const keySize = size || declarations_js_1.MIN_ASYMMETRIC_KEY_SIZE_BITS;
+    const algoDomString = rsaOaepSha1(keySize);
+    const keyPair = await crypto.subtle.generateKey(algoDomString, true, ENC_DEC_METHODS);
+    // Map to supported algorithm sizes
+    let algorithm;
+    if (keySize === 2048) {
+        algorithm = 'rsa:2048';
+    }
+    else if (keySize === 4096) {
+        algorithm = 'rsa:4096';
+    }
+    else {
+        throw new errors_js_1.ConfigurationError(`Unsupported RSA key size: ${keySize}. Only 2048 and 4096 are supported.`);
+    }
+    return {
+        publicKey: (0, keys_js_1.wrapPublicKey)(keyPair.publicKey, algorithm),
+        privateKey: (0, keys_js_1.wrapPrivateKey)(keyPair.privateKey, algorithm),
+    };
+}
+/**
+ * Generate an RSA key pair suitable for signatures
+ * @see    {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey}
+ */
+async function generateSigningKeyPair() {
+    const rsaParams = rsaPkcs1Sha256(2048);
+    const keyPair = await crypto.subtle.generateKey(rsaParams, true, SIGN_VERIFY_METHODS);
+    const algorithm = 'rsa:2048';
+    return {
+        publicKey: (0, keys_js_1.wrapPublicKey)(keyPair.publicKey, algorithm),
+        privateKey: (0, keys_js_1.wrapPrivateKey)(keyPair.privateKey, algorithm),
+    };
+}
+/**
+ * Encrypt using a public key (RSA-OAEP).
+ * Accepts Binary or SymmetricKey for key wrapping.
+ * @param payload Payload to encrypt (Binary) or symmetric key to wrap (SymmetricKey)
+ * @param publicKey Opaque public key
+ * @return Encrypted payload
+ */
+async function encryptWithPublicKey(payload, publicKey) {
+    let payloadBuffer;
+    // Handle SymmetricKey unwrapping
+    if ('_brand' in payload && payload._brand === 'SymmetricKey') {
+        // Pass Uint8Array directly — Web Crypto respects byteOffset/byteLength on typed array views.
+        payloadBuffer = (0, keys_js_1.unwrapSymmetricKey)(payload);
+    }
+    else {
+        // Binary payload
+        payloadBuffer = payload.asArrayBuffer();
+    }
+    const cryptoKey = (0, keys_js_1.unwrapKey)(publicKey);
+    const result = await crypto.subtle.encrypt({ name: 'RSA-OAEP' }, cryptoKey, payloadBuffer);
+    return binary_js_1.Binary.fromArrayBuffer(result);
+}
+/**
+ * Decrypt a public-key encrypted payload with a private key
+ * @param  encryptedPayload  Payload to decrypt
+ * @param  privateKey        Opaque private key
+ * @return Decrypted payload
+ */
+async function decryptWithPrivateKey(encryptedPayload, privateKey) {
+    console.assert(typeof encryptedPayload === 'object', 'encryptedPayload must be object');
+    const cryptoKey = (0, keys_js_1.unwrapKey)(privateKey);
+    const payload = await crypto.subtle.decrypt({ name: 'RSA-OAEP' }, cryptoKey, encryptedPayload.asArrayBuffer());
+    const bufferView = new Uint8Array(payload);
+    return binary_js_1.Binary.fromArrayBuffer(bufferView.buffer);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicnNhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vLi4vLi4vdGRmMy9zcmMvY3J5cHRvL2NvcmUvcnNhLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBbUJBLGtDQWVDO0FBRUQsd0NBZUM7QUFPRCwwQ0FxQkM7QUFNRCx3REFTQztBQVNELG9EQWtCQztBQVFELHNEQWNDO0FBL0lELCtDQUF5QztBQUN6Qyx3REFPNEI7QUFDNUIseURBQStEO0FBQy9ELHVDQUF5RjtBQUV6RixNQUFNLGVBQWUsR0FBZSxDQUFDLFNBQVMsRUFBRSxTQUFTLENBQUMsQ0FBQztBQUMzRCxNQUFNLG1CQUFtQixHQUFlLENBQUMsTUFBTSxFQUFFLFFBQVEsQ0FBQyxDQUFDO0FBRTNEOzs7R0FHRztBQUNILFNBQWdCLFdBQVcsQ0FDekIsZ0JBQXdCLDhDQUE0QjtJQUVwRCxJQUFJLENBQUMsYUFBYSxJQUFJLGFBQWEsR0FBRyw4Q0FBNEIsRUFBRSxDQUFDO1FBQ25FLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyw0QkFBNEIsQ0FBQyxDQUFDO0lBQzdELENBQUM7SUFDRCxPQUFPO1FBQ0wsSUFBSSxFQUFFLFVBQVU7UUFDaEIsSUFBSSxFQUFFO1lBQ0osSUFBSSxFQUFFLE9BQU87U0FDZDtRQUNELGFBQWE7UUFDYixpQ0FBaUM7UUFDakMsY0FBYyxFQUFFLElBQUksVUFBVSxDQUFDLENBQUMsSUFBSSxFQUFFLElBQUksRUFBRSxJQUFJLENBQUMsQ0FBQztLQUNuRCxDQUFDO0FBQ0osQ0FBQztBQUVELFNBQWdCLGNBQWMsQ0FDNUIsZ0JBQXdCLDhDQUE0QjtJQUVwRCxJQUFJLENBQUMsYUFBYSxJQUFJLGFBQWEsR0FBRyw4Q0FBNEIsRUFBRSxDQUFDO1FBQ25FLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyw0QkFBNEIsQ0FBQyxDQUFDO0lBQzdELENBQUM7SUFDRCxPQUFPO1FBQ0wsSUFBSSxFQUFFLG1CQUFtQjtRQUN6QixJQUFJLEVBQUU7WUFDSixJQUFJLEVBQUUsU0FBUztTQUNoQjtRQUNELGFBQWE7UUFDYixpQ0FBaUM7UUFDakMsY0FBYyxFQUFFLElBQUksVUFBVSxDQUFDLENBQUMsSUFBSSxFQUFFLElBQUksRUFBRSxJQUFJLENBQUMsQ0FBQztLQUNuRCxDQUFDO0FBQ0osQ0FBQztBQUVEOzs7O0dBSUc7QUFDSSxLQUFLLFVBQVUsZUFBZSxDQUFDLElBQWE7SUFDakQsTUFBTSxPQUFPLEdBQUcsSUFBSSxJQUFJLDhDQUE0QixDQUFDO0lBQ3JELE1BQU0sYUFBYSxHQUFHLFdBQVcsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUMzQyxNQUFNLE9BQU8sR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsV0FBVyxDQUFDLGFBQWEsRUFBRSxJQUFJLEVBQUUsZUFBZSxDQUFDLENBQUM7SUFFdEYsbUNBQW1DO0lBQ25DLElBQUksU0FBdUIsQ0FBQztJQUM1QixJQUFJLE9BQU8sS0FBSyxJQUFJLEVBQUUsQ0FBQztRQUNyQixTQUFTLEdBQUcsVUFBVSxDQUFDO0lBQ3pCLENBQUM7U0FBTSxJQUFJLE9BQU8sS0FBSyxJQUFJLEVBQUUsQ0FBQztRQUM1QixTQUFTLEdBQUcsVUFBVSxDQUFDO0lBQ3pCLENBQUM7U0FBTSxDQUFDO1FBQ04sTUFBTSxJQUFJLDhCQUFrQixDQUMxQiw2QkFBNkIsT0FBTyxxQ0FBcUMsQ0FDMUUsQ0FBQztJQUNKLENBQUM7SUFFRCxPQUFPO1FBQ0wsU0FBUyxFQUFFLElBQUEsdUJBQWEsRUFBQyxPQUFPLENBQUMsU0FBUyxFQUFFLFNBQVMsQ0FBQztRQUN0RCxVQUFVLEVBQUUsSUFBQSx3QkFBYyxFQUFDLE9BQU8sQ0FBQyxVQUFVLEVBQUUsU0FBUyxDQUFDO0tBQzFELENBQUM7QUFDSixDQUFDO0FBRUQ7OztHQUdHO0FBQ0ksS0FBSyxVQUFVLHNCQUFzQjtJQUMxQyxNQUFNLFNBQVMsR0FBRyxjQUFjLENBQUMsSUFBSSxDQUFDLENBQUM7SUFDdkMsTUFBTSxPQUFPLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFdBQVcsQ0FBQyxTQUFTLEVBQUUsSUFBSSxFQUFFLG1CQUFtQixDQUFDLENBQUM7SUFFdEYsTUFBTSxTQUFTLEdBQWlCLFVBQVUsQ0FBQztJQUMzQyxPQUFPO1FBQ0wsU0FBUyxFQUFFLElBQUEsdUJBQWEsRUFBQyxPQUFPLENBQUMsU0FBUyxFQUFFLFNBQVMsQ0FBQztRQUN0RCxVQUFVLEVBQUUsSUFBQSx3QkFBYyxFQUFDLE9BQU8sQ0FBQyxVQUFVLEVBQUUsU0FBUyxDQUFDO0tBQzFELENBQUM7QUFDSixDQUFDO0FBRUQ7Ozs7OztHQU1HO0FBQ0ksS0FBSyxVQUFVLG9CQUFvQixDQUN4QyxPQUE4QixFQUM5QixTQUFvQjtJQUVwQixJQUFJLGFBQTJCLENBQUM7SUFFaEMsaUNBQWlDO0lBQ2pDLElBQUksUUFBUSxJQUFJLE9BQU8sSUFBSSxPQUFPLENBQUMsTUFBTSxLQUFLLGNBQWMsRUFBRSxDQUFDO1FBQzdELDZGQUE2RjtRQUM3RixhQUFhLEdBQUcsSUFBQSw0QkFBa0IsRUFBQyxPQUFPLENBQUMsQ0FBQztJQUM5QyxDQUFDO1NBQU0sQ0FBQztRQUNOLGlCQUFpQjtRQUNqQixhQUFhLEdBQUksT0FBa0IsQ0FBQyxhQUFhLEVBQUUsQ0FBQztJQUN0RCxDQUFDO0lBRUQsTUFBTSxTQUFTLEdBQUcsSUFBQSxtQkFBUyxFQUFDLFNBQVMsQ0FBQyxDQUFDO0lBQ3ZDLE1BQU0sTUFBTSxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsRUFBRSxJQUFJLEVBQUUsVUFBVSxFQUFFLEVBQUUsU0FBUyxFQUFFLGFBQWEsQ0FBQyxDQUFDO0lBQzNGLE9BQU8sa0JBQU0sQ0FBQyxlQUFlLENBQUMsTUFBTSxDQUFDLENBQUM7QUFDeEMsQ0FBQztBQUVEOzs7OztHQUtHO0FBQ0ksS0FBSyxVQUFVLHFCQUFxQixDQUN6QyxnQkFBd0IsRUFDeEIsVUFBc0I7SUFFdEIsT0FBTyxDQUFDLE1BQU0sQ0FBQyxPQUFPLGdCQUFnQixLQUFLLFFBQVEsRUFBRSxpQ0FBaUMsQ0FBQyxDQUFDO0lBRXhGLE1BQU0sU0FBUyxHQUFHLElBQUEsbUJBQVMsRUFBQyxVQUFVLENBQUMsQ0FBQztJQUN4QyxNQUFNLE9BQU8sR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUN6QyxFQUFFLElBQUksRUFBRSxVQUFVLEVBQUUsRUFDcEIsU0FBUyxFQUNULGdCQUFnQixDQUFDLGFBQWEsRUFBRSxDQUNqQyxDQUFDO0lBQ0YsTUFBTSxVQUFVLEdBQUcsSUFBSSxVQUFVLENBQUMsT0FBTyxDQUFDLENBQUM7SUFDM0MsT0FBTyxrQkFBTSxDQUFDLGVBQWUsQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDLENBQUM7QUFDbkQsQ0FBQyJ9