@opentdf/sdk 0.11.0 → 0.12.0-beta.112

package/dist/web/tdf3/src/crypto/core/rsa.js

@@ -0,0 +1,112 @@
+import { Binary } from '../../binary.js';
+import { MIN_ASYMMETRIC_KEY_SIZE_BITS, } from '../declarations.js';
+import { ConfigurationError } from '../../../../src/errors.js';
+import { unwrapKey, unwrapSymmetricKey, wrapPrivateKey, wrapPublicKey } from './keys.js';
+const ENC_DEC_METHODS = ['encrypt', 'decrypt'];
+const SIGN_VERIFY_METHODS = ['sign', 'verify'];
+/**
+ * Get a DOMString representing the algorithm to use for an
+ * asymmetric key generation.
+ */
+export function rsaOaepSha1(modulusLength = MIN_ASYMMETRIC_KEY_SIZE_BITS) {
+    if (!modulusLength || modulusLength < MIN_ASYMMETRIC_KEY_SIZE_BITS) {
+        throw new ConfigurationError('Invalid key size requested');
+    }
+    return {
+        name: 'RSA-OAEP',
+        hash: {
+            name: 'SHA-1',
+        },
+        modulusLength,
+        // 24 bit representation of 65537
+        publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+    };
+}
+export function rsaPkcs1Sha256(modulusLength = MIN_ASYMMETRIC_KEY_SIZE_BITS) {
+    if (!modulusLength || modulusLength < MIN_ASYMMETRIC_KEY_SIZE_BITS) {
+        throw new ConfigurationError('Invalid key size requested');
+    }
+    return {
+        name: 'RSASSA-PKCS1-v1_5',
+        hash: {
+            name: 'SHA-256',
+        },
+        modulusLength,
+        // 24 bit representation of 65537
+        publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+    };
+}
+/**
+ * Generate an RSA key pair
+ * @see    {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey}
+ * @param  size in bits
+ */
+export async function generateKeyPair(size) {
+    const keySize = size || MIN_ASYMMETRIC_KEY_SIZE_BITS;
+    const algoDomString = rsaOaepSha1(keySize);
+    const keyPair = await crypto.subtle.generateKey(algoDomString, true, ENC_DEC_METHODS);
+    // Map to supported algorithm sizes
+    let algorithm;
+    if (keySize === 2048) {
+        algorithm = 'rsa:2048';
+    }
+    else if (keySize === 4096) {
+        algorithm = 'rsa:4096';
+    }
+    else {
+        throw new ConfigurationError(`Unsupported RSA key size: ${keySize}. Only 2048 and 4096 are supported.`);
+    }
+    return {
+        publicKey: wrapPublicKey(keyPair.publicKey, algorithm),
+        privateKey: wrapPrivateKey(keyPair.privateKey, algorithm),
+    };
+}
+/**
+ * Generate an RSA key pair suitable for signatures
+ * @see    {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey}
+ */
+export async function generateSigningKeyPair() {
+    const rsaParams = rsaPkcs1Sha256(2048);
+    const keyPair = await crypto.subtle.generateKey(rsaParams, true, SIGN_VERIFY_METHODS);
+    const algorithm = 'rsa:2048';
+    return {
+        publicKey: wrapPublicKey(keyPair.publicKey, algorithm),
+        privateKey: wrapPrivateKey(keyPair.privateKey, algorithm),
+    };
+}
+/**
+ * Encrypt using a public key (RSA-OAEP).
+ * Accepts Binary or SymmetricKey for key wrapping.
+ * @param payload Payload to encrypt (Binary) or symmetric key to wrap (SymmetricKey)
+ * @param publicKey Opaque public key
+ * @return Encrypted payload
+ */
+export async function encryptWithPublicKey(payload, publicKey) {
+    let payloadBuffer;
+    // Handle SymmetricKey unwrapping
+    if ('_brand' in payload && payload._brand === 'SymmetricKey') {
+        // Pass Uint8Array directly — Web Crypto respects byteOffset/byteLength on typed array views.
+        payloadBuffer = unwrapSymmetricKey(payload);
+    }
+    else {
+        // Binary payload
+        payloadBuffer = payload.asArrayBuffer();
+    }
+    const cryptoKey = unwrapKey(publicKey);
+    const result = await crypto.subtle.encrypt({ name: 'RSA-OAEP' }, cryptoKey, payloadBuffer);
+    return Binary.fromArrayBuffer(result);
+}
+/**
+ * Decrypt a public-key encrypted payload with a private key
+ * @param  encryptedPayload  Payload to decrypt
+ * @param  privateKey        Opaque private key
+ * @return Decrypted payload
+ */
+export async function decryptWithPrivateKey(encryptedPayload, privateKey) {
+    console.assert(typeof encryptedPayload === 'object', 'encryptedPayload must be object');
+    const cryptoKey = unwrapKey(privateKey);
+    const payload = await crypto.subtle.decrypt({ name: 'RSA-OAEP' }, cryptoKey, encryptedPayload.asArrayBuffer());
+    const bufferView = new Uint8Array(payload);
+    return Binary.fromArrayBuffer(bufferView.buffer);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicnNhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vLi4vLi4vdGRmMy9zcmMvY3J5cHRvL2NvcmUvcnNhLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxNQUFNLEVBQUUsTUFBTSxpQkFBaUIsQ0FBQztBQUN6QyxPQUFPLEVBR0wsNEJBQTRCLEdBSTdCLE1BQU0sb0JBQW9CLENBQUM7QUFDNUIsT0FBTyxFQUFFLGtCQUFrQixFQUFFLE1BQU0sMkJBQTJCLENBQUM7QUFDL0QsT0FBTyxFQUFFLFNBQVMsRUFBRSxrQkFBa0IsRUFBRSxjQUFjLEVBQUUsYUFBYSxFQUFFLE1BQU0sV0FBVyxDQUFDO0FBRXpGLE1BQU0sZUFBZSxHQUFlLENBQUMsU0FBUyxFQUFFLFNBQVMsQ0FBQyxDQUFDO0FBQzNELE1BQU0sbUJBQW1CLEdBQWUsQ0FBQyxNQUFNLEVBQUUsUUFBUSxDQUFDLENBQUM7QUFFM0Q7OztHQUdHO0FBQ0gsTUFBTSxVQUFVLFdBQVcsQ0FDekIsZ0JBQXdCLDRCQUE0QjtJQUVwRCxJQUFJLENBQUMsYUFBYSxJQUFJLGFBQWEsR0FBRyw0QkFBNEIsRUFBRSxDQUFDO1FBQ25FLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyw0QkFBNEIsQ0FBQyxDQUFDO0lBQzdELENBQUM7SUFDRCxPQUFPO1FBQ0wsSUFBSSxFQUFFLFVBQVU7UUFDaEIsSUFBSSxFQUFFO1lBQ0osSUFBSSxFQUFFLE9BQU87U0FDZDtRQUNELGFBQWE7UUFDYixpQ0FBaUM7UUFDakMsY0FBYyxFQUFFLElBQUksVUFBVSxDQUFDLENBQUMsSUFBSSxFQUFFLElBQUksRUFBRSxJQUFJLENBQUMsQ0FBQztLQUNuRCxDQUFDO0FBQ0osQ0FBQztBQUVELE1BQU0sVUFBVSxjQUFjLENBQzVCLGdCQUF3Qiw0QkFBNEI7SUFFcEQsSUFBSSxDQUFDLGFBQWEsSUFBSSxhQUFhLEdBQUcsNEJBQTRCLEVBQUUsQ0FBQztRQUNuRSxNQUFNLElBQUksa0JBQWtCLENBQUMsNEJBQTRCLENBQUMsQ0FBQztJQUM3RCxDQUFDO0lBQ0QsT0FBTztRQUNMLElBQUksRUFBRSxtQkFBbUI7UUFDekIsSUFBSSxFQUFFO1lBQ0osSUFBSSxFQUFFLFNBQVM7U0FDaEI7UUFDRCxhQUFhO1FBQ2IsaUNBQWlDO1FBQ2pDLGNBQWMsRUFBRSxJQUFJLFVBQVUsQ0FBQyxDQUFDLElBQUksRUFBRSxJQUFJLEVBQUUsSUFBSSxDQUFDLENBQUM7S0FDbkQsQ0FBQztBQUNKLENBQUM7QUFFRDs7OztHQUlHO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxlQUFlLENBQUMsSUFBYTtJQUNqRCxNQUFNLE9BQU8sR0FBRyxJQUFJLElBQUksNEJBQTRCLENBQUM7SUFDckQsTUFBTSxhQUFhLEdBQUcsV0FBVyxDQUFDLE9BQU8sQ0FBQyxDQUFDO0lBQzNDLE1BQU0sT0FBTyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxXQUFXLENBQUMsYUFBYSxFQUFFLElBQUksRUFBRSxlQUFlLENBQUMsQ0FBQztJQUV0RixtQ0FBbUM7SUFDbkMsSUFBSSxTQUF1QixDQUFDO0lBQzVCLElBQUksT0FBTyxLQUFLLElBQUksRUFBRSxDQUFDO1FBQ3JCLFNBQVMsR0FBRyxVQUFVLENBQUM7SUFDekIsQ0FBQztTQUFNLElBQUksT0FBTyxLQUFLLElBQUksRUFBRSxDQUFDO1FBQzVCLFNBQVMsR0FBRyxVQUFVLENBQUM7SUFDekIsQ0FBQztTQUFNLENBQUM7UUFDTixNQUFNLElBQUksa0JBQWtCLENBQzFCLDZCQUE2QixPQUFPLHFDQUFxQyxDQUMxRSxDQUFDO0lBQ0osQ0FBQztJQUVELE9BQU87UUFDTCxTQUFTLEVBQUUsYUFBYSxDQUFDLE9BQU8sQ0FBQyxTQUFTLEVBQUUsU0FBUyxDQUFDO1FBQ3RELFVBQVUsRUFBRSxjQUFjLENBQUMsT0FBTyxDQUFDLFVBQVUsRUFBRSxTQUFTLENBQUM7S0FDMUQsQ0FBQztBQUNKLENBQUM7QUFFRDs7O0dBR0c7QUFDSCxNQUFNLENBQUMsS0FBSyxVQUFVLHNCQUFzQjtJQUMxQyxNQUFNLFNBQVMsR0FBRyxjQUFjLENBQUMsSUFBSSxDQUFDLENBQUM7SUFDdkMsTUFBTSxPQUFPLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFdBQVcsQ0FBQyxTQUFTLEVBQUUsSUFBSSxFQUFFLG1CQUFtQixDQUFDLENBQUM7SUFFdEYsTUFBTSxTQUFTLEdBQWlCLFVBQVUsQ0FBQztJQUMzQyxPQUFPO1FBQ0wsU0FBUyxFQUFFLGFBQWEsQ0FBQyxPQUFPLENBQUMsU0FBUyxFQUFFLFNBQVMsQ0FBQztRQUN0RCxVQUFVLEVBQUUsY0FBYyxDQUFDLE9BQU8sQ0FBQyxVQUFVLEVBQUUsU0FBUyxDQUFDO0tBQzFELENBQUM7QUFDSixDQUFDO0FBRUQ7Ozs7OztHQU1HO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxvQkFBb0IsQ0FDeEMsT0FBOEIsRUFDOUIsU0FBb0I7SUFFcEIsSUFBSSxhQUEyQixDQUFDO0lBRWhDLGlDQUFpQztJQUNqQyxJQUFJLFFBQVEsSUFBSSxPQUFPLElBQUksT0FBTyxDQUFDLE1BQU0sS0FBSyxjQUFjLEVBQUUsQ0FBQztRQUM3RCw2RkFBNkY7UUFDN0YsYUFBYSxHQUFHLGtCQUFrQixDQUFDLE9BQU8sQ0FBQyxDQUFDO0lBQzlDLENBQUM7U0FBTSxDQUFDO1FBQ04saUJBQWlCO1FBQ2pCLGFBQWEsR0FBSSxPQUFrQixDQUFDLGFBQWEsRUFBRSxDQUFDO0lBQ3RELENBQUM7SUFFRCxNQUFNLFNBQVMsR0FBRyxTQUFTLENBQUMsU0FBUyxDQUFDLENBQUM7SUFDdkMsTUFBTSxNQUFNLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxFQUFFLElBQUksRUFBRSxVQUFVLEVBQUUsRUFBRSxTQUFTLEVBQUUsYUFBYSxDQUFDLENBQUM7SUFDM0YsT0FBTyxNQUFNLENBQUMsZUFBZSxDQUFDLE1BQU0sQ0FBQyxDQUFDO0FBQ3hDLENBQUM7QUFFRDs7Ozs7R0FLRztBQUNILE1BQU0sQ0FBQyxLQUFLLFVBQVUscUJBQXFCLENBQ3pDLGdCQUF3QixFQUN4QixVQUFzQjtJQUV0QixPQUFPLENBQUMsTUFBTSxDQUFDLE9BQU8sZ0JBQWdCLEtBQUssUUFBUSxFQUFFLGlDQUFpQyxDQUFDLENBQUM7SUFFeEYsTUFBTSxTQUFTLEdBQUcsU0FBUyxDQUFDLFVBQVUsQ0FBQyxDQUFDO0lBQ3hDLE1BQU0sT0FBTyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQ3pDLEVBQUUsSUFBSSxFQUFFLFVBQVUsRUFBRSxFQUNwQixTQUFTLEVBQ1QsZ0JBQWdCLENBQUMsYUFBYSxFQUFFLENBQ2pDLENBQUM7SUFDRixNQUFNLFVBQVUsR0FBRyxJQUFJLFVBQVUsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUMzQyxPQUFPLE1BQU0sQ0FBQyxlQUFlLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxDQUFDO0FBQ25ELENBQUMifQ==

package/dist/web/tdf3/src/crypto/core/signing.js

@@ -0,0 +1,174 @@
+import { ConfigurationError } from '../../../../src/errors.js';
+import { unwrapKey } from './keys.js';
+/**
+ * Get the Web Crypto algorithm parameters for a signing algorithm.
+ */
+function getSigningAlgorithmParams(algorithm) {
+    switch (algorithm) {
+        case 'RS256':
+            return {
+                importParams: { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
+                signParams: 'RSASSA-PKCS1-v1_5',
+            };
+        case 'ES256':
+            return {
+                importParams: { name: 'ECDSA', namedCurve: 'P-256' },
+                signParams: { name: 'ECDSA', hash: 'SHA-256' },
+            };
+        case 'ES384':
+            return {
+                importParams: { name: 'ECDSA', namedCurve: 'P-384' },
+                signParams: { name: 'ECDSA', hash: 'SHA-384' },
+            };
+        case 'ES512':
+            return {
+                importParams: { name: 'ECDSA', namedCurve: 'P-521' },
+                signParams: { name: 'ECDSA', hash: 'SHA-512' },
+            };
+        default:
+            throw new ConfigurationError(`Unsupported signing algorithm: ${algorithm}`);
+    }
+}
+/**
+ * Convert IEEE P1363 signature format (used by WebCrypto ECDSA) to DER format (used by JWT).
+ * RS256 signatures don't need conversion.
+ */
+function ieeeP1363ToDer(signature, algorithm) {
+    if (algorithm === 'RS256') {
+        return signature;
+    }
+    // IEEE P1363: r || s where each is padded to key size
+    const halfLen = signature.length / 2;
+    const r = signature.slice(0, halfLen);
+    const s = signature.slice(halfLen);
+    // Remove leading zeros but keep one if the high bit is set
+    const trimLeadingZeros = (arr) => {
+        let i = 0;
+        while (i < arr.length - 1 && arr[i] === 0)
+            i++;
+        return arr.slice(i);
+    };
+    let rTrimmed = trimLeadingZeros(r);
+    let sTrimmed = trimLeadingZeros(s);
+    // Add leading zero if high bit is set (to keep positive in DER)
+    if (rTrimmed[0] & 0x80) {
+        const padded = new Uint8Array(rTrimmed.length + 1);
+        padded.set(rTrimmed, 1);
+        rTrimmed = padded;
+    }
+    if (sTrimmed[0] & 0x80) {
+        const padded = new Uint8Array(sTrimmed.length + 1);
+        padded.set(sTrimmed, 1);
+        sTrimmed = padded;
+    }
+    // DER SEQUENCE: 0x30 [length] [r INTEGER] [s INTEGER]
+    // INTEGER: 0x02 [length] [value]
+    const rDer = new Uint8Array([0x02, rTrimmed.length, ...rTrimmed]);
+    const sDer = new Uint8Array([0x02, sTrimmed.length, ...sTrimmed]);
+    const seqLen = rDer.length + sDer.length;
+    // DER length: short-form for < 128, long-form (0x81 nn) for 128-255.
+    // ECDSA sequences never exceed 255 bytes for any supported curve.
+    const lenBytes = seqLen < 128 ? new Uint8Array([seqLen]) : new Uint8Array([0x81, seqLen]);
+    const result = new Uint8Array(1 + lenBytes.length + seqLen);
+    result[0] = 0x30;
+    result.set(lenBytes, 1);
+    result.set(rDer, 1 + lenBytes.length);
+    result.set(sDer, 1 + lenBytes.length + rDer.length);
+    return result;
+}
+/**
+ * Convert DER signature format (used by JWT) to IEEE P1363 format (used by WebCrypto ECDSA).
+ * RS256 signatures don't need conversion.
+ */
+function derToIeeeP1363(signature, algorithm) {
+    if (algorithm === 'RS256') {
+        return signature;
+    }
+    // Determine the expected component length based on algorithm
+    let componentLen;
+    switch (algorithm) {
+        case 'ES256':
+            componentLen = 32;
+            break;
+        case 'ES384':
+            componentLen = 48;
+            break;
+        case 'ES512':
+            componentLen = 66;
+            break;
+        default:
+            throw new ConfigurationError(`Unsupported algorithm for DER conversion: ${algorithm}`);
+    }
+    if (signature[0] !== 0x30) {
+        throw new ConfigurationError('Invalid DER signature: expected SEQUENCE');
+    }
+    // Skip SEQUENCE tag, then parse DER length (short- or long-form).
+    let offset = 1;
+    if (signature[offset] & 0x80) {
+        // Long-form: low 7 bits = number of subsequent length bytes.
+        const lenBytesCount = signature[offset] & 0x7f;
+        if (lenBytesCount === 0 || lenBytesCount > 4) {
+            throw new ConfigurationError('Invalid DER signature: invalid long-form length');
+        }
+        offset += 1 + lenBytesCount;
+        if (offset > signature.length) {
+            throw new ConfigurationError('Invalid DER signature: length bytes exceed signature length');
+        }
+    }
+    else {
+        // Short-form: single length byte.
+        offset += 1;
+    }
+    // Parse r INTEGER
+    if (signature[offset] !== 0x02) {
+        throw new ConfigurationError('Invalid DER signature: expected INTEGER for r');
+    }
+    const rLen = signature[offset + 1];
+    offset += 2;
+    let r = signature.slice(offset, offset + rLen);
+    offset += rLen;
+    // Parse s INTEGER
+    if (signature[offset] !== 0x02) {
+        throw new ConfigurationError('Invalid DER signature: expected INTEGER for s');
+    }
+    const sLen = signature[offset + 1];
+    offset += 2;
+    let s = signature.slice(offset, offset + sLen);
+    // Remove leading zero padding if present
+    if (r[0] === 0 && r.length > componentLen) {
+        r = r.slice(1);
+    }
+    if (s[0] === 0 && s.length > componentLen) {
+        s = s.slice(1);
+    }
+    // Pad to component length
+    const result = new Uint8Array(componentLen * 2);
+    result.set(r, componentLen - r.length);
+    result.set(s, componentLen * 2 - s.length);
+    return result;
+}
+/**
+ * Sign data with an asymmetric private key.
+ */
+export async function sign(data, privateKey, algorithm) {
+    const { signParams } = getSigningAlgorithmParams(algorithm);
+    // Unwrap the internal CryptoKey
+    const key = unwrapKey(privateKey);
+    // Sign the data
+    const signature = await crypto.subtle.sign(signParams, key, data);
+    // Convert from IEEE P1363 to DER for EC algorithms
+    return ieeeP1363ToDer(new Uint8Array(signature), algorithm);
+}
+/**
+ * Verify signature with an asymmetric public key.
+ */
+export async function verify(data, signature, publicKey, algorithm) {
+    const { signParams } = getSigningAlgorithmParams(algorithm);
+    // Unwrap the internal CryptoKey
+    const key = unwrapKey(publicKey);
+    // Convert from DER to IEEE P1363 for EC algorithms
+    const ieeeSignature = derToIeeeP1363(signature, algorithm);
+    // Verify the signature
+    return crypto.subtle.verify(signParams, key, ieeeSignature, data);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2lnbmluZy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL2NyeXB0by9jb3JlL3NpZ25pbmcudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBS0EsT0FBTyxFQUFFLGtCQUFrQixFQUFFLE1BQU0sMkJBQTJCLENBQUM7QUFDL0QsT0FBTyxFQUFFLFNBQVMsRUFBRSxNQUFNLFdBQVcsQ0FBQztBQUV0Qzs7R0FFRztBQUNILFNBQVMseUJBQXlCLENBQUMsU0FBcUM7SUFJdEUsUUFBUSxTQUFTLEVBQUUsQ0FBQztRQUNsQixLQUFLLE9BQU87WUFDVixPQUFPO2dCQUNMLFlBQVksRUFBRSxFQUFFLElBQUksRUFBRSxtQkFBbUIsRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFO2dCQUM1RCxVQUFVLEVBQUUsbUJBQW1CO2FBQ2hDLENBQUM7UUFDSixLQUFLLE9BQU87WUFDVixPQUFPO2dCQUNMLFlBQVksRUFBRSxFQUFFLElBQUksRUFBRSxPQUFPLEVBQUUsVUFBVSxFQUFFLE9BQU8sRUFBRTtnQkFDcEQsVUFBVSxFQUFFLEVBQUUsSUFBSSxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFpQjthQUM5RCxDQUFDO1FBQ0osS0FBSyxPQUFPO1lBQ1YsT0FBTztnQkFDTCxZQUFZLEVBQUUsRUFBRSxJQUFJLEVBQUUsT0FBTyxFQUFFLFVBQVUsRUFBRSxPQUFPLEVBQUU7Z0JBQ3BELFVBQVUsRUFBRSxFQUFFLElBQUksRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBaUI7YUFDOUQsQ0FBQztRQUNKLEtBQUssT0FBTztZQUNWLE9BQU87Z0JBQ0wsWUFBWSxFQUFFLEVBQUUsSUFBSSxFQUFFLE9BQU8sRUFBRSxVQUFVLEVBQUUsT0FBTyxFQUFFO2dCQUNwRCxVQUFVLEVBQUUsRUFBRSxJQUFJLEVBQUUsT0FBTyxFQUFFLElBQUksRUFBRSxTQUFTLEVBQWlCO2FBQzlELENBQUM7UUFDSjtZQUNFLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyxrQ0FBa0MsU0FBUyxFQUFFLENBQUMsQ0FBQztJQUNoRixDQUFDO0FBQ0gsQ0FBQztBQUVEOzs7R0FHRztBQUNILFNBQVMsY0FBYyxDQUFDLFNBQXFCLEVBQUUsU0FBcUM7SUFDbEYsSUFBSSxTQUFTLEtBQUssT0FBTyxFQUFFLENBQUM7UUFDMUIsT0FBTyxTQUFTLENBQUM7SUFDbkIsQ0FBQztJQUVELHNEQUFzRDtJQUN0RCxNQUFNLE9BQU8sR0FBRyxTQUFTLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQztJQUNyQyxNQUFNLENBQUMsR0FBRyxTQUFTLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxPQUFPLENBQUMsQ0FBQztJQUN0QyxNQUFNLENBQUMsR0FBRyxTQUFTLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDO0lBRW5DLDJEQUEyRDtJQUMzRCxNQUFNLGdCQUFnQixHQUFHLENBQUMsR0FBZSxFQUFjLEVBQUU7UUFDdkQsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBQ1YsT0FBTyxDQUFDLEdBQUcsR0FBRyxDQUFDLE1BQU0sR0FBRyxDQUFDLElBQUksR0FBRyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUM7WUFBRSxDQUFDLEVBQUUsQ0FBQztRQUMvQyxPQUFPLEdBQUcsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDdEIsQ0FBQyxDQUFDO0lBRUYsSUFBSSxRQUFRLEdBQUcsZ0JBQWdCLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDbkMsSUFBSSxRQUFRLEdBQUcsZ0JBQWdCLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFFbkMsZ0VBQWdFO0lBQ2hFLElBQUksUUFBUSxDQUFDLENBQUMsQ0FBQyxHQUFHLElBQUksRUFBRSxDQUFDO1FBQ3ZCLE1BQU0sTUFBTSxHQUFHLElBQUksVUFBVSxDQUFDLFFBQVEsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLENBQUM7UUFDbkQsTUFBTSxDQUFDLEdBQUcsQ0FBQyxRQUFRLEVBQUUsQ0FBQyxDQUFDLENBQUM7UUFDeEIsUUFBUSxHQUFHLE1BQU0sQ0FBQztJQUNwQixDQUFDO0lBQ0QsSUFBSSxRQUFRLENBQUMsQ0FBQyxDQUFDLEdBQUcsSUFBSSxFQUFFLENBQUM7UUFDdkIsTUFBTSxNQUFNLEdBQUcsSUFBSSxVQUFVLENBQUMsUUFBUSxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsQ0FBQztRQUNuRCxNQUFNLENBQUMsR0FBRyxDQUFDLFFBQVEsRUFBRSxDQUFDLENBQUMsQ0FBQztRQUN4QixRQUFRLEdBQUcsTUFBTSxDQUFDO0lBQ3BCLENBQUM7SUFFRCxzREFBc0Q7SUFDdEQsaUNBQWlDO0lBQ2pDLE1BQU0sSUFBSSxHQUFHLElBQUksVUFBVSxDQUFDLENBQUMsSUFBSSxFQUFFLFFBQVEsQ0FBQyxNQUFNLEVBQUUsR0FBRyxRQUFRLENBQUMsQ0FBQyxDQUFDO0lBQ2xFLE1BQU0sSUFBSSxHQUFHLElBQUksVUFBVSxDQUFDLENBQUMsSUFBSSxFQUFFLFFBQVEsQ0FBQyxNQUFNLEVBQUUsR0FBRyxRQUFRLENBQUMsQ0FBQyxDQUFDO0lBRWxFLE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxNQUFNLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQztJQUN6QyxxRUFBcUU7SUFDckUsa0VBQWtFO0lBQ2xFLE1BQU0sUUFBUSxHQUFHLE1BQU0sR0FBRyxHQUFHLENBQUMsQ0FBQyxDQUFDLElBQUksVUFBVSxDQUFDLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsSUFBSSxVQUFVLENBQUMsQ0FBQyxJQUFJLEVBQUUsTUFBTSxDQUFDLENBQUMsQ0FBQztJQUMxRixNQUFNLE1BQU0sR0FBRyxJQUFJLFVBQVUsQ0FBQyxDQUFDLEdBQUcsUUFBUSxDQUFDLE1BQU0sR0FBRyxNQUFNLENBQUMsQ0FBQztJQUM1RCxNQUFNLENBQUMsQ0FBQyxDQUFDLEdBQUcsSUFBSSxDQUFDO0lBQ2pCLE1BQU0sQ0FBQyxHQUFHLENBQUMsUUFBUSxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBQ3hCLE1BQU0sQ0FBQyxHQUFHLENBQUMsSUFBSSxFQUFFLENBQUMsR0FBRyxRQUFRLENBQUMsTUFBTSxDQUFDLENBQUM7SUFDdEMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxHQUFHLFFBQVEsQ0FBQyxNQUFNLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBRXBELE9BQU8sTUFBTSxDQUFDO0FBQ2hCLENBQUM7QUFFRDs7O0dBR0c7QUFDSCxTQUFTLGNBQWMsQ0FBQyxTQUFxQixFQUFFLFNBQXFDO0lBQ2xGLElBQUksU0FBUyxLQUFLLE9BQU8sRUFBRSxDQUFDO1FBQzFCLE9BQU8sU0FBUyxDQUFDO0lBQ25CLENBQUM7SUFFRCw2REFBNkQ7SUFDN0QsSUFBSSxZQUFvQixDQUFDO0lBQ3pCLFFBQVEsU0FBUyxFQUFFLENBQUM7UUFDbEIsS0FBSyxPQUFPO1lBQ1YsWUFBWSxHQUFHLEVBQUUsQ0FBQztZQUNsQixNQUFNO1FBQ1IsS0FBSyxPQUFPO1lBQ1YsWUFBWSxHQUFHLEVBQUUsQ0FBQztZQUNsQixNQUFNO1FBQ1IsS0FBSyxPQUFPO1lBQ1YsWUFBWSxHQUFHLEVBQUUsQ0FBQztZQUNsQixNQUFNO1FBQ1I7WUFDRSxNQUFNLElBQUksa0JBQWtCLENBQUMsNkNBQTZDLFNBQVMsRUFBRSxDQUFDLENBQUM7SUFDM0YsQ0FBQztJQUVELElBQUksU0FBUyxDQUFDLENBQUMsQ0FBQyxLQUFLLElBQUksRUFBRSxDQUFDO1FBQzFCLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQywwQ0FBMEMsQ0FBQyxDQUFDO0lBQzNFLENBQUM7SUFFRCxrRUFBa0U7SUFDbEUsSUFBSSxNQUFNLEdBQUcsQ0FBQyxDQUFDO0lBQ2YsSUFBSSxTQUFTLENBQUMsTUFBTSxDQUFDLEdBQUcsSUFBSSxFQUFFLENBQUM7UUFDN0IsNkRBQTZEO1FBQzdELE1BQU0sYUFBYSxHQUFHLFNBQVMsQ0FBQyxNQUFNLENBQUMsR0FBRyxJQUFJLENBQUM7UUFDL0MsSUFBSSxhQUFhLEtBQUssQ0FBQyxJQUFJLGFBQWEsR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUM3QyxNQUFNLElBQUksa0JBQWtCLENBQUMsaURBQWlELENBQUMsQ0FBQztRQUNsRixDQUFDO1FBQ0QsTUFBTSxJQUFJLENBQUMsR0FBRyxhQUFhLENBQUM7UUFDNUIsSUFBSSxNQUFNLEdBQUcsU0FBUyxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQzlCLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyw2REFBNkQsQ0FBQyxDQUFDO1FBQzlGLENBQUM7SUFDSCxDQUFDO1NBQU0sQ0FBQztRQUNOLGtDQUFrQztRQUNsQyxNQUFNLElBQUksQ0FBQyxDQUFDO0lBQ2QsQ0FBQztJQUVELGtCQUFrQjtJQUNsQixJQUFJLFNBQVMsQ0FBQyxNQUFNLENBQUMsS0FBSyxJQUFJLEVBQUUsQ0FBQztRQUMvQixNQUFNLElBQUksa0JBQWtCLENBQUMsK0NBQStDLENBQUMsQ0FBQztJQUNoRixDQUFDO0lBQ0QsTUFBTSxJQUFJLEdBQUcsU0FBUyxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsQ0FBQztJQUNuQyxNQUFNLElBQUksQ0FBQyxDQUFDO0lBQ1osSUFBSSxDQUFDLEdBQUcsU0FBUyxDQUFDLEtBQUssQ0FBQyxNQUFNLEVBQUUsTUFBTSxHQUFHLElBQUksQ0FBQyxDQUFDO0lBQy9DLE1BQU0sSUFBSSxJQUFJLENBQUM7SUFFZixrQkFBa0I7SUFDbEIsSUFBSSxTQUFTLENBQUMsTUFBTSxDQUFDLEtBQUssSUFBSSxFQUFFLENBQUM7UUFDL0IsTUFBTSxJQUFJLGtCQUFrQixDQUFDLCtDQUErQyxDQUFDLENBQUM7SUFDaEYsQ0FBQztJQUNELE1BQU0sSUFBSSxHQUFHLFNBQVMsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLENBQUM7SUFDbkMsTUFBTSxJQUFJLENBQUMsQ0FBQztJQUNaLElBQUksQ0FBQyxHQUFHLFNBQVMsQ0FBQyxLQUFLLENBQUMsTUFBTSxFQUFFLE1BQU0sR0FBRyxJQUFJLENBQUMsQ0FBQztJQUUvQyx5Q0FBeUM7SUFDekMsSUFBSSxDQUFDLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsQ0FBQyxNQUFNLEdBQUcsWUFBWSxFQUFFLENBQUM7UUFDMUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDakIsQ0FBQztJQUNELElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDLENBQUMsTUFBTSxHQUFHLFlBQVksRUFBRSxDQUFDO1FBQzFDLENBQUMsR0FBRyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDO0lBQ2pCLENBQUM7SUFFRCwwQkFBMEI7SUFDMUIsTUFBTSxNQUFNLEdBQUcsSUFBSSxVQUFVLENBQUMsWUFBWSxHQUFHLENBQUMsQ0FBQyxDQUFDO0lBQ2hELE1BQU0sQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLFlBQVksR0FBRyxDQUFDLENBQUMsTUFBTSxDQUFDLENBQUM7SUFDdkMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDLEVBQUUsWUFBWSxHQUFHLENBQUMsR0FBRyxDQUFDLENBQUMsTUFBTSxDQUFDLENBQUM7SUFFM0MsT0FBTyxNQUFNLENBQUM7QUFDaEIsQ0FBQztBQUVEOztHQUVHO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxJQUFJLENBQ3hCLElBQWdCLEVBQ2hCLFVBQXNCLEVBQ3RCLFNBQXFDO0lBRXJDLE1BQU0sRUFBRSxVQUFVLEVBQUUsR0FBRyx5QkFBeUIsQ0FBQyxTQUFTLENBQUMsQ0FBQztJQUU1RCxnQ0FBZ0M7SUFDaEMsTUFBTSxHQUFHLEdBQUcsU0FBUyxDQUFDLFVBQVUsQ0FBQyxDQUFDO0lBRWxDLGdCQUFnQjtJQUNoQixNQUFNLFNBQVMsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxHQUFHLEVBQUUsSUFBSSxDQUFDLENBQUM7SUFFbEUsbURBQW1EO0lBQ25ELE9BQU8sY0FBYyxDQUFDLElBQUksVUFBVSxDQUFDLFNBQVMsQ0FBQyxFQUFFLFNBQVMsQ0FBQyxDQUFDO0FBQzlELENBQUM7QUFFRDs7R0FFRztBQUNILE1BQU0sQ0FBQyxLQUFLLFVBQVUsTUFBTSxDQUMxQixJQUFnQixFQUNoQixTQUFxQixFQUNyQixTQUFvQixFQUNwQixTQUFxQztJQUVyQyxNQUFNLEVBQUUsVUFBVSxFQUFFLEdBQUcseUJBQXlCLENBQUMsU0FBUyxDQUFDLENBQUM7SUFFNUQsZ0NBQWdDO0lBQ2hDLE1BQU0sR0FBRyxHQUFHLFNBQVMsQ0FBQyxTQUFTLENBQUMsQ0FBQztJQUVqQyxtREFBbUQ7SUFDbkQsTUFBTSxhQUFhLEdBQUcsY0FBYyxDQUFDLFNBQVMsRUFBRSxTQUFTLENBQUMsQ0FBQztJQUUzRCx1QkFBdUI7SUFDdkIsT0FBTyxNQUFNLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxVQUFVLEVBQUUsR0FBRyxFQUFFLGFBQWEsRUFBRSxJQUFJLENBQUMsQ0FBQztBQUNwRSxDQUFDIn0=

package/dist/web/tdf3/src/crypto/core/symmetric.js

@@ -0,0 +1,192 @@
+import { Algorithms } from '../../ciphers/algorithms.js';
+import { Binary } from '../../binary.js';
+import { ConfigurationError, DecryptError } from '../../../../src/errors.js';
+import { encodeArrayBuffer as hexEncode } from '../../../../src/encodings/hex.js';
+import { keyMerge } from '../../utils/keysplit.js';
+import { unwrapSymmetricKey, wrapSymmetricKey } from './keys.js';
+const ENC_DEC_METHODS = ['encrypt', 'decrypt'];
+/**
+ * Generate a random symmetric key (opaque).
+ * @param length - Key length in bytes (default 32 for AES-256)
+ * @return Opaque symmetric key
+ */
+export async function generateKey(length) {
+    const keyBytes = await randomBytes(length || 32);
+    return wrapSymmetricKey(keyBytes);
+}
+export async function randomBytes(byteLength) {
+    const r = new Uint8Array(byteLength);
+    crypto.getRandomValues(r);
+    return r;
+}
+/**
+ * Returns a promise to the encryption key as a binary string.
+ *
+ * Note: This function should almost never fail as it includes a fallback
+ * if for some reason the native generate key fails.
+ *
+ * @param length The key length, defaults to 256
+ *
+ * @returns The hex string.
+ */
+export async function randomBytesAsHex(length) {
+    // Create a typed array of the correct length to fill
+    const r = new Uint8Array(length);
+    crypto.getRandomValues(r);
+    return hexEncode(r.buffer);
+}
+/**
+ * Decrypt content synchronously
+ * @param payload The payload to decrypt
+ * @param key     The symmetric encryption key (opaque)
+ * @param iv      The initialization vector
+ * @param algorithm The algorithm to use for encryption
+ * @param authTag The authentication tag for authenticated crypto.
+ */
+export function decrypt(payload, key, iv, algorithm, authTag) {
+    return _doDecrypt(payload, key, iv, algorithm, authTag);
+}
+/**
+ * Encrypt content synchronously
+ * @param payload   The payload to encrypt
+ * @param key       The encryption key
+ * @param iv        The initialization vector
+ * @param algorithm The algorithm to use for encryption
+ */
+export function encrypt(payload, key, iv, algorithm) {
+    return _doEncrypt(payload, key, iv, algorithm);
+}
+async function _doEncrypt(payload, key, iv, algorithm) {
+    console.assert(payload != null);
+    console.assert(key != null);
+    console.assert(iv != null);
+    // Handle both Binary and SymmetricKey payloads
+    let payloadBuffer;
+    if ('_brand' in payload && payload._brand === 'SymmetricKey') {
+        // Pass Uint8Array directly — Web Crypto respects byteOffset/byteLength on typed array views.
+        payloadBuffer = unwrapSymmetricKey(payload);
+    }
+    else {
+        // Binary payload
+        payloadBuffer = payload.asArrayBuffer();
+    }
+    const algoDomString = getSymmetricAlgoDomString(iv, algorithm);
+    const keyBytes = unwrapSymmetricKey(key);
+    const importedKey = await _importKey(keyBytes, algoDomString);
+    const encrypted = await crypto.subtle.encrypt(algoDomString, importedKey, payloadBuffer);
+    if (algoDomString.name === 'AES-GCM') {
+        return {
+            payload: Binary.fromArrayBuffer(encrypted.slice(0, -16)),
+            authTag: Binary.fromArrayBuffer(encrypted.slice(-16)),
+        };
+    }
+    return {
+        payload: Binary.fromArrayBuffer(encrypted),
+    };
+}
+async function _doDecrypt(payload, key, iv, algorithm, authTag) {
+    console.assert(payload != null);
+    console.assert(key != null);
+    console.assert(iv != null);
+    let payloadBuffer = payload.asArrayBuffer();
+    // Concat the the auth tag to the payload for decryption
+    if (authTag) {
+        const authTagBuffer = authTag.asArrayBuffer();
+        const gcmPayload = new Uint8Array(payloadBuffer.byteLength + authTagBuffer.byteLength);
+        gcmPayload.set(new Uint8Array(payloadBuffer), 0);
+        gcmPayload.set(new Uint8Array(authTagBuffer), payloadBuffer.byteLength);
+        payloadBuffer = gcmPayload.buffer;
+    }
+    const algoDomString = getSymmetricAlgoDomString(iv, algorithm);
+    const keyBytes = unwrapSymmetricKey(key);
+    const importedKey = await _importKey(keyBytes, algoDomString);
+    algoDomString.iv = iv.asArrayBuffer();
+    const decrypted = await crypto.subtle
+        .decrypt(algoDomString, importedKey, payloadBuffer)
+        // Catching this error so we can specifically check for OperationError
+        .catch((err) => {
+        if (err.name === 'OperationError') {
+            throw new DecryptError(err);
+        }
+        throw err;
+    });
+    return { payload: Binary.fromArrayBuffer(decrypted) };
+}
+function _importKey(keyBytes, algorithm) {
+    return crypto.subtle.importKey('raw', keyBytes, algorithm, true, ENC_DEC_METHODS);
+}
+/**
+ * Get a DOMString representing the algorithm to use for a crypto
+ * operation. Defaults to AES-CBC.
+ * @param  {String|undefined} algorithm
+ * @return {DOMString} Algorithm to use
+ */
+function getSymmetricAlgoDomString(iv, algorithm) {
+    let nativeAlgorithm = 'AES-CBC';
+    if (algorithm === Algorithms.AES_256_GCM) {
+        nativeAlgorithm = 'AES-GCM';
+    }
+    return {
+        name: nativeAlgorithm,
+        iv: iv.asArrayBuffer(),
+    };
+}
+/**
+ * Create an ArrayBuffer from a hex string.
+ * https://developers.google.com/web/updates/2012/06/How-to-convert-ArrayBuffer-to-and-from-String?hl=en
+ * @param  hex - Hex string
+ */
+export function hex2Ab(hex) {
+    const buffer = new ArrayBuffer(hex.length / 2);
+    const bufferView = new Uint8Array(buffer);
+    for (let i = 0; i < hex.length; i += 2) {
+        bufferView[i / 2] = parseInt(hex.substr(i, 2), 16);
+    }
+    return buffer;
+}
+/**
+ * Compute hash digest.
+ */
+export async function digest(algorithm, data) {
+    const validAlgorithms = ['SHA-256', 'SHA-384', 'SHA-512'];
+    if (!validAlgorithms.includes(algorithm)) {
+        throw new ConfigurationError(`Unsupported hash algorithm: ${algorithm}`);
+    }
+    const hashBuffer = await crypto.subtle.digest(algorithm, data);
+    return new Uint8Array(hashBuffer);
+}
+/**
+ * Compute HMAC-SHA256 of data with a symmetric key.
+ */
+export async function hmac(data, key) {
+    const keyBytes = unwrapSymmetricKey(key);
+    const cryptoKey = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const signature = await crypto.subtle.sign('HMAC', cryptoKey, data);
+    return new Uint8Array(signature);
+}
+/**
+ * Verify HMAC-SHA256.
+ * Standalone utility — not part of CryptoService interface.
+ */
+export async function verifyHmac(data, signature, key) {
+    const keyBytes = unwrapSymmetricKey(key);
+    const cryptoKey = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
+    return crypto.subtle.verify('HMAC', cryptoKey, signature, data);
+}
+/**
+ * Import raw key bytes as an opaque symmetric key.
+ * Used for external keys (e.g., unwrapped from KAS).
+ */
+export async function importSymmetricKey(keyBytes) {
+    return wrapSymmetricKey(keyBytes);
+}
+/**
+ * Merge symmetric key shares back into the original key using XOR.
+ * Key bytes are extracted internally for merging.
+ */
+export async function mergeSymmetricKeys(shares) {
+    const splitBytes = shares.map(unwrapSymmetricKey);
+    const merged = keyMerge(splitBytes);
+    return wrapSymmetricKey(merged);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic3ltbWV0cmljLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vLi4vLi4vdGRmMy9zcmMvY3J5cHRvL2NvcmUvc3ltbWV0cmljLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxVQUFVLEVBQXFCLE1BQU0sNkJBQTZCLENBQUM7QUFDNUUsT0FBTyxFQUFFLE1BQU0sRUFBRSxNQUFNLGlCQUFpQixDQUFDO0FBT3pDLE9BQU8sRUFBRSxrQkFBa0IsRUFBRSxZQUFZLEVBQUUsTUFBTSwyQkFBMkIsQ0FBQztBQUM3RSxPQUFPLEVBQUUsaUJBQWlCLElBQUksU0FBUyxFQUFFLE1BQU0sa0NBQWtDLENBQUM7QUFDbEYsT0FBTyxFQUFFLFFBQVEsRUFBRSxNQUFNLHlCQUF5QixDQUFDO0FBQ25ELE9BQU8sRUFBRSxrQkFBa0IsRUFBRSxnQkFBZ0IsRUFBRSxNQUFNLFdBQVcsQ0FBQztBQUVqRSxNQUFNLGVBQWUsR0FBZSxDQUFDLFNBQVMsRUFBRSxTQUFTLENBQUMsQ0FBQztBQUUzRDs7OztHQUlHO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxXQUFXLENBQUMsTUFBZTtJQUMvQyxNQUFNLFFBQVEsR0FBRyxNQUFNLFdBQVcsQ0FBQyxNQUFNLElBQUksRUFBRSxDQUFDLENBQUM7SUFDakQsT0FBTyxnQkFBZ0IsQ0FBQyxRQUFRLENBQUMsQ0FBQztBQUNwQyxDQUFDO0FBRUQsTUFBTSxDQUFDLEtBQUssVUFBVSxXQUFXLENBQUMsVUFBa0I7SUFDbEQsTUFBTSxDQUFDLEdBQUcsSUFBSSxVQUFVLENBQUMsVUFBVSxDQUFDLENBQUM7SUFDckMsTUFBTSxDQUFDLGVBQWUsQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUMxQixPQUFPLENBQUMsQ0FBQztBQUNYLENBQUM7QUFFRDs7Ozs7Ozs7O0dBU0c7QUFDSCxNQUFNLENBQUMsS0FBSyxVQUFVLGdCQUFnQixDQUFDLE1BQWM7SUFDbkQscURBQXFEO0lBQ3JELE1BQU0sQ0FBQyxHQUFHLElBQUksVUFBVSxDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBQ2pDLE1BQU0sQ0FBQyxlQUFlLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDMUIsT0FBTyxTQUFTLENBQUMsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxDQUFDO0FBQzdCLENBQUM7QUFFRDs7Ozs7OztHQU9HO0FBQ0gsTUFBTSxVQUFVLE9BQU8sQ0FDckIsT0FBZSxFQUNmLEdBQWlCLEVBQ2pCLEVBQVUsRUFDVixTQUF3QixFQUN4QixPQUFnQjtJQUVoQixPQUFPLFVBQVUsQ0FBQyxPQUFPLEVBQUUsR0FBRyxFQUFFLEVBQUUsRUFBRSxTQUFTLEVBQUUsT0FBTyxDQUFDLENBQUM7QUFDMUQsQ0FBQztBQUVEOzs7Ozs7R0FNRztBQUNILE1BQU0sVUFBVSxPQUFPLENBQ3JCLE9BQThCLEVBQzlCLEdBQWlCLEVBQ2pCLEVBQVUsRUFDVixTQUF3QjtJQUV4QixPQUFPLFVBQVUsQ0FBQyxPQUFPLEVBQUUsR0FBRyxFQUFFLEVBQUUsRUFBRSxTQUFTLENBQUMsQ0FBQztBQUNqRCxDQUFDO0FBRUQsS0FBSyxVQUFVLFVBQVUsQ0FDdkIsT0FBOEIsRUFDOUIsR0FBaUIsRUFDakIsRUFBVSxFQUNWLFNBQXdCO0lBRXhCLE9BQU8sQ0FBQyxNQUFNLENBQUMsT0FBTyxJQUFJLElBQUksQ0FBQyxDQUFDO0lBQ2hDLE9BQU8sQ0FBQyxNQUFNLENBQUMsR0FBRyxJQUFJLElBQUksQ0FBQyxDQUFDO0lBQzVCLE9BQU8sQ0FBQyxNQUFNLENBQUMsRUFBRSxJQUFJLElBQUksQ0FBQyxDQUFDO0lBRTNCLCtDQUErQztJQUMvQyxJQUFJLGFBQTJCLENBQUM7SUFDaEMsSUFBSSxRQUFRLElBQUksT0FBTyxJQUFJLE9BQU8sQ0FBQyxNQUFNLEtBQUssY0FBYyxFQUFFLENBQUM7UUFDN0QsNkZBQTZGO1FBQzdGLGFBQWEsR0FBRyxrQkFBa0IsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUM5QyxDQUFDO1NBQU0sQ0FBQztRQUNOLGlCQUFpQjtRQUNqQixhQUFhLEdBQUksT0FBa0IsQ0FBQyxhQUFhLEVBQUUsQ0FBQztJQUN0RCxDQUFDO0lBRUQsTUFBTSxhQUFhLEdBQUcseUJBQXlCLENBQUMsRUFBRSxFQUFFLFNBQVMsQ0FBQyxDQUFDO0lBQy9ELE1BQU0sUUFBUSxHQUFHLGtCQUFrQixDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQ3pDLE1BQU0sV0FBVyxHQUFHLE1BQU0sVUFBVSxDQUFDLFFBQVEsRUFBRSxhQUFhLENBQUMsQ0FBQztJQUM5RCxNQUFNLFNBQVMsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLGFBQWEsRUFBRSxXQUFXLEVBQUUsYUFBYSxDQUFDLENBQUM7SUFDekYsSUFBSSxhQUFhLENBQUMsSUFBSSxLQUFLLFNBQVMsRUFBRSxDQUFDO1FBQ3JDLE9BQU87WUFDTCxPQUFPLEVBQUUsTUFBTSxDQUFDLGVBQWUsQ0FBQyxTQUFTLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxDQUFDLEVBQUUsQ0FBQyxDQUFDO1lBQ3hELE9BQU8sRUFBRSxNQUFNLENBQUMsZUFBZSxDQUFDLFNBQVMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQztTQUN0RCxDQUFDO0lBQ0osQ0FBQztJQUNELE9BQU87UUFDTCxPQUFPLEVBQUUsTUFBTSxDQUFDLGVBQWUsQ0FBQyxTQUFTLENBQUM7S0FDM0MsQ0FBQztBQUNKLENBQUM7QUFFRCxLQUFLLFVBQVUsVUFBVSxDQUN2QixPQUFlLEVBQ2YsR0FBaUIsRUFDakIsRUFBVSxFQUNWLFNBQXdCLEVBQ3hCLE9BQWdCO0lBRWhCLE9BQU8sQ0FBQyxNQUFNLENBQUMsT0FBTyxJQUFJLElBQUksQ0FBQyxDQUFDO0lBQ2hDLE9BQU8sQ0FBQyxNQUFNLENBQUMsR0FBRyxJQUFJLElBQUksQ0FBQyxDQUFDO0lBQzVCLE9BQU8sQ0FBQyxNQUFNLENBQUMsRUFBRSxJQUFJLElBQUksQ0FBQyxDQUFDO0lBRTNCLElBQUksYUFBYSxHQUFHLE9BQU8sQ0FBQyxhQUFhLEVBQUUsQ0FBQztJQUU1Qyx3REFBd0Q7SUFDeEQsSUFBSSxPQUFPLEVBQUUsQ0FBQztRQUNaLE1BQU0sYUFBYSxHQUFHLE9BQU8sQ0FBQyxhQUFhLEVBQUUsQ0FBQztRQUM5QyxNQUFNLFVBQVUsR0FBRyxJQUFJLFVBQVUsQ0FBQyxhQUFhLENBQUMsVUFBVSxHQUFHLGFBQWEsQ0FBQyxVQUFVLENBQUMsQ0FBQztRQUN2RixVQUFVLENBQUMsR0FBRyxDQUFDLElBQUksVUFBVSxDQUFDLGFBQWEsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDO1FBQ2pELFVBQVUsQ0FBQyxHQUFHLENBQUMsSUFBSSxVQUFVLENBQUMsYUFBYSxDQUFDLEVBQUUsYUFBYSxDQUFDLFVBQVUsQ0FBQyxDQUFDO1FBQ3hFLGFBQWEsR0FBRyxVQUFVLENBQUMsTUFBTSxDQUFDO0lBQ3BDLENBQUM7SUFFRCxNQUFNLGFBQWEsR0FBRyx5QkFBeUIsQ0FBQyxFQUFFLEVBQUUsU0FBUyxDQUFDLENBQUM7SUFDL0QsTUFBTSxRQUFRLEdBQUcsa0JBQWtCLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDekMsTUFBTSxXQUFXLEdBQUcsTUFBTSxVQUFVLENBQUMsUUFBUSxFQUFFLGFBQWEsQ0FBQyxDQUFDO0lBQzlELGFBQWEsQ0FBQyxFQUFFLEdBQUcsRUFBRSxDQUFDLGFBQWEsRUFBRSxDQUFDO0lBRXRDLE1BQU0sU0FBUyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU07U0FDbEMsT0FBTyxDQUFDLGFBQWEsRUFBRSxXQUFXLEVBQUUsYUFBYSxDQUFDO1FBQ25ELHNFQUFzRTtTQUNyRSxLQUFLLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRTtRQUNiLElBQUksR0FBRyxDQUFDLElBQUksS0FBSyxnQkFBZ0IsRUFBRSxDQUFDO1lBQ2xDLE1BQU0sSUFBSSxZQUFZLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDOUIsQ0FBQztRQUVELE1BQU0sR0FBRyxDQUFDO0lBQ1osQ0FBQyxDQUFDLENBQUM7SUFDTCxPQUFPLEVBQUUsT0FBTyxFQUFFLE1BQU0sQ0FBQyxlQUFlLENBQUMsU0FBUyxDQUFDLEVBQUUsQ0FBQztBQUN4RCxDQUFDO0FBRUQsU0FBUyxVQUFVLENBQUMsUUFBb0IsRUFBRSxTQUFzQztJQUM5RSxPQUFPLE1BQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLEtBQUssRUFBRSxRQUFRLEVBQUUsU0FBUyxFQUFFLElBQUksRUFBRSxlQUFlLENBQUMsQ0FBQztBQUNwRixDQUFDO0FBRUQ7Ozs7O0dBS0c7QUFDSCxTQUFTLHlCQUF5QixDQUNoQyxFQUFVLEVBQ1YsU0FBd0I7SUFFeEIsSUFBSSxlQUFlLEdBQUcsU0FBUyxDQUFDO0lBQ2hDLElBQUksU0FBUyxLQUFLLFVBQVUsQ0FBQyxXQUFXLEVBQUUsQ0FBQztRQUN6QyxlQUFlLEdBQUcsU0FBUyxDQUFDO0lBQzlCLENBQUM7SUFFRCxPQUFPO1FBQ0wsSUFBSSxFQUFFLGVBQWU7UUFDckIsRUFBRSxFQUFFLEVBQUUsQ0FBQyxhQUFhLEVBQUU7S0FDdkIsQ0FBQztBQUNKLENBQUM7QUFFRDs7OztHQUlHO0FBQ0gsTUFBTSxVQUFVLE1BQU0sQ0FBQyxHQUFXO0lBQ2hDLE1BQU0sTUFBTSxHQUFHLElBQUksV0FBVyxDQUFDLEdBQUcsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLENBQUM7SUFDL0MsTUFBTSxVQUFVLEdBQUcsSUFBSSxVQUFVLENBQUMsTUFBTSxDQUFDLENBQUM7SUFFMUMsS0FBSyxJQUFJLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxHQUFHLEdBQUcsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDO1FBQ3ZDLFVBQVUsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLEdBQUcsUUFBUSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDO0lBQ3JELENBQUM7SUFFRCxPQUFPLE1BQU0sQ0FBQztBQUNoQixDQUFDO0FBRUQ7O0dBRUc7QUFDSCxNQUFNLENBQUMsS0FBSyxVQUFVLE1BQU0sQ0FBQyxTQUF3QixFQUFFLElBQWdCO0lBQ3JFLE1BQU0sZUFBZSxHQUFvQixDQUFDLFNBQVMsRUFBRSxTQUFTLEVBQUUsU0FBUyxDQUFDLENBQUM7SUFDM0UsSUFBSSxDQUFDLGVBQWUsQ0FBQyxRQUFRLENBQUMsU0FBUyxDQUFDLEVBQUUsQ0FBQztRQUN6QyxNQUFNLElBQUksa0JBQWtCLENBQUMsK0JBQStCLFNBQVMsRUFBRSxDQUFDLENBQUM7SUFDM0UsQ0FBQztJQUVELE1BQU0sVUFBVSxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxFQUFFLElBQUksQ0FBQyxDQUFDO0lBQy9ELE9BQU8sSUFBSSxVQUFVLENBQUMsVUFBVSxDQUFDLENBQUM7QUFDcEMsQ0FBQztBQUVEOztHQUVHO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxJQUFJLENBQUMsSUFBZ0IsRUFBRSxHQUFpQjtJQUM1RCxNQUFNLFFBQVEsR0FBRyxrQkFBa0IsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUN6QyxNQUFNLFNBQVMsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUM3QyxLQUFLLEVBQ0wsUUFBUSxFQUNSLEVBQUUsSUFBSSxFQUFFLE1BQU0sRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFLEVBQ2pDLEtBQUssRUFDTCxDQUFDLE1BQU0sQ0FBQyxDQUNULENBQUM7SUFFRixNQUFNLFNBQVMsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLE1BQU0sRUFBRSxTQUFTLEVBQUUsSUFBSSxDQUFDLENBQUM7SUFDcEUsT0FBTyxJQUFJLFVBQVUsQ0FBQyxTQUFTLENBQUMsQ0FBQztBQUNuQyxDQUFDO0FBRUQ7OztHQUdHO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxVQUFVLENBQzlCLElBQWdCLEVBQ2hCLFNBQXFCLEVBQ3JCLEdBQWlCO0lBRWpCLE1BQU0sUUFBUSxHQUFHLGtCQUFrQixDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQ3pDLE1BQU0sU0FBUyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQzdDLEtBQUssRUFDTCxRQUFRLEVBQ1IsRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsRUFDakMsS0FBSyxFQUNMLENBQUMsUUFBUSxDQUFDLENBQ1gsQ0FBQztJQUNGLE9BQU8sTUFBTSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsTUFBTSxFQUFFLFNBQVMsRUFBRSxTQUFTLEVBQUUsSUFBSSxDQUFDLENBQUM7QUFDbEUsQ0FBQztBQUVEOzs7R0FHRztBQUNILE1BQU0sQ0FBQyxLQUFLLFVBQVUsa0JBQWtCLENBQUMsUUFBb0I7SUFDM0QsT0FBTyxnQkFBZ0IsQ0FBQyxRQUFRLENBQUMsQ0FBQztBQUNwQyxDQUFDO0FBRUQ7OztHQUdHO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxrQkFBa0IsQ0FBQyxNQUFzQjtJQUM3RCxNQUFNLFVBQVUsR0FBRyxNQUFNLENBQUMsR0FBRyxDQUFDLGtCQUFrQixDQUFDLENBQUM7SUFDbEQsTUFBTSxNQUFNLEdBQUcsUUFBUSxDQUFDLFVBQVUsQ0FBQyxDQUFDO0lBQ3BDLE9BQU8sZ0JBQWdCLENBQUMsTUFBTSxDQUFDLENBQUM7QUFDbEMsQ0FBQyJ9