@opentdf/sdk 0.12.0-beta.109 → 0.12.0-beta.113

package/dist/types/tdf3/src/crypto/core/ec.d.ts

@@ -0,0 +1,11 @@
+import { type ECCurve, type HkdfParams, type KeyPair, type PrivateKey, type PublicKey, type SymmetricKey } from '../declarations.js';
+/**
+ * Generate an EC key pair for ECDH key agreement.
+ */
+export declare function generateECKeyPair(curve?: ECCurve): Promise<KeyPair>;
+/**
+ * Perform ECDH key agreement followed by HKDF key derivation.
+ * Returns opaque symmetric key for symmetric encryption.
+ */
+export declare function deriveKeyFromECDH(privateKey: PrivateKey, publicKey: PublicKey, hkdfParams: HkdfParams): Promise<SymmetricKey>;
+//# sourceMappingURL=ec.d.ts.map

package/dist/types/tdf3/src/crypto/core/ec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ec.d.ts","sourceRoot":"","sources":["../../../../../../tdf3/src/crypto/core/ec.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,UAAU,EAEf,KAAK,OAAO,EACZ,KAAK,UAAU,EACf,KAAK,SAAS,EACd,KAAK,YAAY,EAClB,MAAM,oBAAoB,CAAC;AAoB5B;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,GAAE,OAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,CA4BlF;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,YAAY,CAAC,CAgDvB"}

package/dist/types/tdf3/src/crypto/core/key-format.d.ts

@@ -0,0 +1,41 @@
+import { type KeyOptions, type PrivateKey, type PublicKey, type PublicKeyInfo } from '../declarations.js';
+/**
+ * Extract PEM public key from X.509 certificate or return PEM key as-is.
+ */
+export declare function extractPublicKeyPem(certOrPem: string, jwaAlgorithm?: string): Promise<string>;
+/**
+ * Import and validate a PEM public key, returning algorithm info.
+ * Uses JWK export for robust key parameter detection.
+ */
+export declare function parsePublicKeyPem(pem: string): Promise<PublicKeyInfo>;
+/**
+ * Convert a JWK (JSON Web Key) to PEM format.
+ */
+export declare function jwkToPublicKeyPem(jwk: JsonWebKey): Promise<string>;
+/**
+ * Convert a PEM public key to JWK format.
+ * Returns only public key components (no private key data).
+ */
+export declare function publicKeyPemToJwk(publicKeyPem: string): Promise<JsonWebKey>;
+/**
+ * Import a PEM public key as an opaque key.
+ */
+export declare function importPublicKey(pem: string, options: KeyOptions): Promise<PublicKey>;
+/**
+ * Import a PEM private key as an opaque key.
+ */
+export declare function importPrivateKey(pem: string, options: KeyOptions): Promise<PrivateKey>;
+/**
+ * Export an opaque public key to PEM format.
+ */
+export declare function exportPublicKeyPem(key: PublicKey): Promise<string>;
+/**
+ * Export an opaque private key to PEM format.
+ * ONLY USE FOR TESTING/DEVELOPMENT. Private keys should NOT be exportable in secure environments.
+ */
+export declare function exportPrivateKeyPem(key: PrivateKey): Promise<string>;
+/**
+ * Export an opaque public key to JWK format.
+ */
+export declare function exportPublicKeyJwk(key: PublicKey): Promise<JsonWebKey>;
+//# sourceMappingURL=key-format.d.ts.map

package/dist/types/tdf3/src/crypto/core/key-format.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-format.d.ts","sourceRoot":"","sources":["../../../../../../tdf3/src/crypto/core/key-format.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,UAAU,EAEf,KAAK,UAAU,EACf,KAAK,SAAS,EACd,KAAK,aAAa,EACnB,MAAM,oBAAoB,CAAC;AAc5B;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,SAAS,EAAE,MAAM,EACjB,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,CAqBjB;AAiDD;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAmD3E;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAqBxE;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAoCjF;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CA6D1F;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAqG5F;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAIxE;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAI1E;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAG5E"}

package/dist/types/tdf3/src/crypto/core/keys.d.ts

@@ -0,0 +1,27 @@
+import { type KeyAlgorithm, type PrivateKey, type PublicKey, type SymmetricKey } from '../declarations.js';
+/**
+ * Wrap a CryptoKey as an opaque PublicKey.
+ * @internal
+ */
+export declare function wrapPublicKey(key: CryptoKey, algorithm: KeyAlgorithm): PublicKey;
+/**
+ * Wrap a CryptoKey as an opaque PrivateKey.
+ * @internal
+ */
+export declare function wrapPrivateKey(key: CryptoKey, algorithm: KeyAlgorithm): PrivateKey;
+/**
+ * Unwrap an opaque key to get the internal CryptoKey.
+ * @internal
+ */
+export declare function unwrapKey(key: PublicKey | PrivateKey): CryptoKey;
+/**
+ * Wrap raw key bytes as an opaque SymmetricKey.
+ * @internal
+ */
+export declare function wrapSymmetricKey(keyBytes: Uint8Array): SymmetricKey;
+/**
+ * Unwrap an opaque SymmetricKey to get raw bytes.
+ * @internal
+ */
+export declare function unwrapSymmetricKey(key: SymmetricKey): Uint8Array;
+//# sourceMappingURL=keys.d.ts.map

package/dist/types/tdf3/src/crypto/core/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../../../../../tdf3/src/crypto/core/keys.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,YAAY,EACjB,KAAK,UAAU,EACf,KAAK,SAAS,EACd,KAAK,YAAY,EAClB,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,GAAG,SAAS,CAoBhF;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,GAAG,UAAU,CAoBlF;AAED;;;GAGG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,CAEhE;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,UAAU,GAAG,YAAY,CAMnE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,YAAY,GAAG,UAAU,CAEhE"}

package/dist/types/tdf3/src/crypto/core/rsa.d.ts

@@ -0,0 +1,35 @@
+import { Binary } from '../../binary.js';
+import { type KeyPair, type PrivateKey, type PublicKey, type SymmetricKey } from '../declarations.js';
+/**
+ * Get a DOMString representing the algorithm to use for an
+ * asymmetric key generation.
+ */
+export declare function rsaOaepSha1(modulusLength?: number): RsaHashedKeyGenParams;
+export declare function rsaPkcs1Sha256(modulusLength?: number): RsaHashedKeyGenParams;
+/**
+ * Generate an RSA key pair
+ * @see    {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey}
+ * @param  size in bits
+ */
+export declare function generateKeyPair(size?: number): Promise<KeyPair>;
+/**
+ * Generate an RSA key pair suitable for signatures
+ * @see    {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey}
+ */
+export declare function generateSigningKeyPair(): Promise<KeyPair>;
+/**
+ * Encrypt using a public key (RSA-OAEP).
+ * Accepts Binary or SymmetricKey for key wrapping.
+ * @param payload Payload to encrypt (Binary) or symmetric key to wrap (SymmetricKey)
+ * @param publicKey Opaque public key
+ * @return Encrypted payload
+ */
+export declare function encryptWithPublicKey(payload: Binary | SymmetricKey, publicKey: PublicKey): Promise<Binary>;
+/**
+ * Decrypt a public-key encrypted payload with a private key
+ * @param  encryptedPayload  Payload to decrypt
+ * @param  privateKey        Opaque private key
+ * @return Decrypted payload
+ */
+export declare function decryptWithPrivateKey(encryptedPayload: Binary, privateKey: PrivateKey): Promise<Binary>;
+//# sourceMappingURL=rsa.d.ts.map

package/dist/types/tdf3/src/crypto/core/rsa.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rsa.d.ts","sourceRoot":"","sources":["../../../../../../tdf3/src/crypto/core/rsa.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AACzC,OAAO,EAEL,KAAK,OAAO,EAEZ,KAAK,UAAU,EACf,KAAK,SAAS,EACd,KAAK,YAAY,EAClB,MAAM,oBAAoB,CAAC;AAO5B;;;GAGG;AACH,wBAAgB,WAAW,CACzB,aAAa,GAAE,MAAqC,GACnD,qBAAqB,CAavB;AAED,wBAAgB,cAAc,CAC5B,aAAa,GAAE,MAAqC,GACnD,qBAAqB,CAavB;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAqBrE;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,OAAO,CAAC,CAS/D;AAED;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,GAAG,YAAY,EAC9B,SAAS,EAAE,SAAS,GACnB,OAAO,CAAC,MAAM,CAAC,CAejB;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CACzC,gBAAgB,EAAE,MAAM,EACxB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,MAAM,CAAC,CAWjB"}

package/dist/types/tdf3/src/crypto/core/signing.d.ts

@@ -0,0 +1,10 @@
+import { type AsymmetricSigningAlgorithm, type PrivateKey, type PublicKey } from '../declarations.js';
+/**
+ * Sign data with an asymmetric private key.
+ */
+export declare function sign(data: Uint8Array, privateKey: PrivateKey, algorithm: AsymmetricSigningAlgorithm): Promise<Uint8Array>;
+/**
+ * Verify signature with an asymmetric public key.
+ */
+export declare function verify(data: Uint8Array, signature: Uint8Array, publicKey: PublicKey, algorithm: AsymmetricSigningAlgorithm): Promise<boolean>;
+//# sourceMappingURL=signing.d.ts.map

package/dist/types/tdf3/src/crypto/core/signing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.d.ts","sourceRoot":"","sources":["../../../../../../tdf3/src/crypto/core/signing.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,0BAA0B,EAC/B,KAAK,UAAU,EACf,KAAK,SAAS,EACf,MAAM,oBAAoB,CAAC;AA0K5B;;GAEG;AACH,wBAAsB,IAAI,CACxB,IAAI,EAAE,UAAU,EAChB,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,0BAA0B,GACpC,OAAO,CAAC,UAAU,CAAC,CAWrB;AAED;;GAEG;AACH,wBAAsB,MAAM,CAC1B,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,EACrB,SAAS,EAAE,SAAS,EACpB,SAAS,EAAE,0BAA0B,GACpC,OAAO,CAAC,OAAO,CAAC,CAWlB"}

package/dist/types/tdf3/src/crypto/core/symmetric.d.ts

@@ -0,0 +1,68 @@
+import { type AlgorithmUrn } from '../../ciphers/algorithms.js';
+import { Binary } from '../../binary.js';
+import { type DecryptResult, type EncryptResult, type HashAlgorithm, type SymmetricKey } from '../declarations.js';
+/**
+ * Generate a random symmetric key (opaque).
+ * @param length - Key length in bytes (default 32 for AES-256)
+ * @return Opaque symmetric key
+ */
+export declare function generateKey(length?: number): Promise<SymmetricKey>;
+export declare function randomBytes(byteLength: number): Promise<Uint8Array>;
+/**
+ * Returns a promise to the encryption key as a binary string.
+ *
+ * Note: This function should almost never fail as it includes a fallback
+ * if for some reason the native generate key fails.
+ *
+ * @param length The key length, defaults to 256
+ *
+ * @returns The hex string.
+ */
+export declare function randomBytesAsHex(length: number): Promise<string>;
+/**
+ * Decrypt content synchronously
+ * @param payload The payload to decrypt
+ * @param key     The symmetric encryption key (opaque)
+ * @param iv      The initialization vector
+ * @param algorithm The algorithm to use for encryption
+ * @param authTag The authentication tag for authenticated crypto.
+ */
+export declare function decrypt(payload: Binary, key: SymmetricKey, iv: Binary, algorithm?: AlgorithmUrn, authTag?: Binary): Promise<DecryptResult>;
+/**
+ * Encrypt content synchronously
+ * @param payload   The payload to encrypt
+ * @param key       The encryption key
+ * @param iv        The initialization vector
+ * @param algorithm The algorithm to use for encryption
+ */
+export declare function encrypt(payload: Binary | SymmetricKey, key: SymmetricKey, iv: Binary, algorithm?: AlgorithmUrn): Promise<EncryptResult>;
+/**
+ * Create an ArrayBuffer from a hex string.
+ * https://developers.google.com/web/updates/2012/06/How-to-convert-ArrayBuffer-to-and-from-String?hl=en
+ * @param  hex - Hex string
+ */
+export declare function hex2Ab(hex: string): ArrayBuffer;
+/**
+ * Compute hash digest.
+ */
+export declare function digest(algorithm: HashAlgorithm, data: Uint8Array): Promise<Uint8Array>;
+/**
+ * Compute HMAC-SHA256 of data with a symmetric key.
+ */
+export declare function hmac(data: Uint8Array, key: SymmetricKey): Promise<Uint8Array>;
+/**
+ * Verify HMAC-SHA256.
+ * Standalone utility — not part of CryptoService interface.
+ */
+export declare function verifyHmac(data: Uint8Array, signature: Uint8Array, key: SymmetricKey): Promise<boolean>;
+/**
+ * Import raw key bytes as an opaque symmetric key.
+ * Used for external keys (e.g., unwrapped from KAS).
+ */
+export declare function importSymmetricKey(keyBytes: Uint8Array): Promise<SymmetricKey>;
+/**
+ * Merge symmetric key shares back into the original key using XOR.
+ * Key bytes are extracted internally for merging.
+ */
+export declare function mergeSymmetricKeys(shares: SymmetricKey[]): Promise<SymmetricKey>;
+//# sourceMappingURL=symmetric.d.ts.map

package/dist/types/tdf3/src/crypto/core/symmetric.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"symmetric.d.ts","sourceRoot":"","sources":["../../../../../../tdf3/src/crypto/core/symmetric.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AACzC,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,YAAY,EAClB,MAAM,oBAAoB,CAAC;AAQ5B;;;;GAIG;AACH,wBAAsB,WAAW,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAGxE;AAED,wBAAsB,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAIzE;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAKtE;AAED;;;;;;;GAOG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,YAAY,EACjB,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,EACxB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,CAAC,CAExB;AAED;;;;;;GAMG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,MAAM,GAAG,YAAY,EAC9B,GAAG,EAAE,YAAY,EACjB,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,GACvB,OAAO,CAAC,aAAa,CAAC,CAExB;AAsGD;;;;GAIG;AACH,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAS/C;AAED;;GAEG;AACH,wBAAsB,MAAM,CAAC,SAAS,EAAE,aAAa,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAQ5F;AAED;;GAEG;AACH,wBAAsB,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CAYnF;AAED;;;GAGG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,EACrB,GAAG,EAAE,YAAY,GAChB,OAAO,CAAC,OAAO,CAAC,CAUlB;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,QAAQ,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC,CAEpF;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC,CAItF"}

package/dist/types/tdf3/src/crypto/index.d.ts

@@ -3,178 +3,25 @@
  *
  * @private
  */
-import { Binary } from '../binary.js';
-import { type AsymmetricSigningAlgorithm, type CryptoService, type DecryptResult, type ECCurve, type EncryptResult, type HashAlgorithm, type HkdfParams, type KeyOptions, type KeyPair, type PrivateKey, type PublicKey, type PublicKeyInfo, type SymmetricKey } from './declarations.js';
-import { AlgorithmUrn } from '../ciphers/algorithms.js';
+import { type CryptoService, type SymmetricKey } from './declarations.js';
+import { decrypt, digest, encrypt, generateKey, hex2Ab, hmac, importSymmetricKey, mergeSymmetricKeys, randomBytes, randomBytesAsHex, verifyHmac } from './core/symmetric.js';
+import { decryptWithPrivateKey, encryptWithPublicKey, generateKeyPair, generateSigningKeyPair, rsaOaepSha1, rsaPkcs1Sha256 } from './core/rsa.js';
+import { deriveKeyFromECDH, generateECKeyPair } from './core/ec.js';
+import { sign, verify } from './core/signing.js';
+import { exportPrivateKeyPem, exportPublicKeyJwk, exportPublicKeyPem, extractPublicKeyPem, importPrivateKey, importPublicKey, jwkToPublicKeyPem, parsePublicKeyPem, publicKeyPemToJwk } from './core/key-format.js';
 export declare const isSupported: boolean;
 export declare const method = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
 export declare const name = "BrowserNativeCryptoService";
-/**
- * Get a DOMString representing the algorithm to use for an
- * asymmetric key generation.
- */
-export declare function rsaOaepSha1(modulusLength?: number): RsaHashedKeyGenParams;
-export declare function rsaPkcs1Sha256(modulusLength?: number): RsaHashedKeyGenParams;
-/**
- * Generate a random symmetric key (opaque).
- * @param length - Key length in bytes (default 32 for AES-256)
- * @return Opaque symmetric key
- */
-export declare function generateKey(length?: number): Promise<SymmetricKey>;
-/**
- * Generate an RSA key pair
- * @see    {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey}
- * @param  size in bits
- */
-export declare function generateKeyPair(size?: number): Promise<KeyPair>;
-/**
- * Generate an RSA key pair suitable for signatures
- * @see    {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey}
- */
-export declare function generateSigningKeyPair(): Promise<KeyPair>;
-/**
- * Encrypt using a public key (RSA-OAEP).
- * Accepts Binary or SymmetricKey for key wrapping.
- * @param payload Payload to encrypt (Binary) or symmetric key to wrap (SymmetricKey)
- * @param publicKey Opaque public key
- * @return Encrypted payload
- */
-export declare function encryptWithPublicKey(payload: Binary | SymmetricKey, publicKey: PublicKey): Promise<Binary>;
-export declare function randomBytes(byteLength: number): Promise<Uint8Array>;
-/**
- * Returns a promise to the encryption key as a binary string.
- *
- * Note: This function should almost never fail as it includes a fallback
- * if for some reason the native generate key fails.
- *
- * @param length The key length, defaults to 256
- *
- * @returns The hex string.
- */
-export declare function randomBytesAsHex(length: number): Promise<string>;
-/**
- * Decrypt a public-key encrypted payload with a private key
- * @param  encryptedPayload  Payload to decrypt
- * @param  privateKey        Opaque private key
- * @return Decrypted payload
- */
-export declare function decryptWithPrivateKey(encryptedPayload: Binary, privateKey: PrivateKey): Promise<Binary>;
-/**
- * Decrypt content synchronously
- * @param payload The payload to decrypt
- * @param key     The symmetric encryption key (opaque)
- * @param iv      The initialization vector
- * @param algorithm The algorithm to use for encryption
- * @param authTag The authentication tag for authenticated crypto.
- */
-export declare function decrypt(payload: Binary, key: SymmetricKey, iv: Binary, algorithm?: AlgorithmUrn, authTag?: Binary): Promise<DecryptResult>;
-/**
- * Encrypt content synchronously
- * @param payload   The payload to encrypt
- * @param key       The encryption key
- * @param iv        The initialization vector
- * @param algorithm The algorithm to use for encryption
- */
-export declare function encrypt(payload: Binary | SymmetricKey, key: SymmetricKey, iv: Binary, algorithm?: AlgorithmUrn): Promise<EncryptResult>;
-/**
- * Create a SHA256 hash. Code refrenced from MDN:
- * https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
- * @param  content  String content
- * @return Hex hash
- */
-/**
- * Create an ArrayBuffer from a hex string.
- * https://developers.google.com/web/updates/2012/06/How-to-convert-ArrayBuffer-to-and-from-String?hl=en
- * @param  hex - Hex string
- */
-export declare function hex2Ab(hex: string): ArrayBuffer;
-/**
- * Sign data with an asymmetric private key.
- */
-export declare function sign(data: Uint8Array, privateKey: PrivateKey, algorithm: AsymmetricSigningAlgorithm): Promise<Uint8Array>;
-/**
- * Verify signature with an asymmetric public key.
- */
-export declare function verify(data: Uint8Array, signature: Uint8Array, publicKey: PublicKey, algorithm: AsymmetricSigningAlgorithm): Promise<boolean>;
-/**
- * Compute hash digest.
- */
-export declare function digest(algorithm: HashAlgorithm, data: Uint8Array): Promise<Uint8Array>;
-/**
- * Extract PEM public key from X.509 certificate or return PEM key as-is.
- *
- * @param certOrPem - A PEM-encoded X.509 certificate or public key
- * @param jwaAlgorithm - JWA algorithm hint for certificate parsing (RS256, RS512, ES256, ES384, ES512).
- *                       If not provided for a certificate, will attempt to auto-detect from OIDs.
- */
-export declare function extractPublicKeyPem(certOrPem: string, jwaAlgorithm?: string): Promise<string>;
-/**
- * Generate an EC key pair for ECDH key agreement.
- */
-export declare function generateECKeyPair(curve?: ECCurve): Promise<KeyPair>;
-/**
- * Perform ECDH key agreement followed by HKDF key derivation.
- * Returns opaque symmetric key for symmetric encryption.
- */
-export declare function deriveKeyFromECDH(privateKey: PrivateKey, publicKey: PublicKey, hkdfParams: HkdfParams): Promise<SymmetricKey>;
-/**
- * Compute HMAC-SHA256 of data with a symmetric key.
- */
-export declare function hmac(data: Uint8Array, key: SymmetricKey): Promise<Uint8Array>;
-/**
- * Verify HMAC-SHA256. Standalone utility — not part of CryptoService interface.
- */
-export declare function verifyHmac(data: Uint8Array, signature: Uint8Array, key: SymmetricKey): Promise<boolean>;
-/**
- * Import and validate a PEM public key, returning algorithm info.
- * Uses JWK export for robust key parameter detection.
- */
-export declare function parsePublicKeyPem(pem: string): Promise<PublicKeyInfo>;
-/**
- * Convert a JWK (JSON Web Key) to PEM format.
- */
-export declare function jwkToPublicKeyPem(jwk: JsonWebKey): Promise<string>;
-/**
- * Convert a PEM public key to JWK format.
- * Returns only public key components (no private key data).
- */
-export declare function publicKeyPemToJwk(publicKeyPem: string): Promise<JsonWebKey>;
-/**
- * Import a PEM public key as an opaque key.
- */
-export declare function importPublicKey(pem: string, options: KeyOptions): Promise<PublicKey>;
-/**
- * Import a PEM private key as an opaque key.
- */
-export declare function importPrivateKey(pem: string, options: KeyOptions): Promise<PrivateKey>;
-/**
- * Export an opaque public key to PEM format.
- */
-export declare function exportPublicKeyPem(key: PublicKey): Promise<string>;
-/**
- * Export an opaque private key to PEM format.
- * ONLY USE FOR TESTING/DEVELOPMENT. Private keys should NOT be exportable in secure environments.
- */
-export declare function exportPrivateKeyPem(key: PrivateKey): Promise<string>;
-/**
- * Export an opaque public key to JWK format.
- */
-export declare function exportPublicKeyJwk(key: PublicKey): Promise<JsonWebKey>;
-/**
- * Import raw key bytes as an opaque symmetric key.
- * Used for external keys (e.g., unwrapped from KAS).
- */
-export declare function importSymmetricKey(keyBytes: Uint8Array): Promise<SymmetricKey>;
 /**
  * Split a symmetric key into N shares using XOR secret sharing.
  * Key bytes are extracted internally for splitting.
  * HSM implementations cannot extract bytes and should throw ConfigurationError.
+ *
+ * NOTE: This wrapper lives in index.ts (instead of core/symmetric.ts) because it
+ * needs DefaultCryptoService for keySplit() randomness. Moving it to core/symmetric
+ * would require importing DefaultCryptoService and create a circular dependency.
  */
 export declare function splitSymmetricKey(key: SymmetricKey, numShares: number): Promise<SymmetricKey[]>;
-/**
- * Merge symmetric key shares back into the original key using XOR.
- * Key bytes are extracted internally for merging.
- */
-export declare function mergeSymmetricKeys(shares: SymmetricKey[]): Promise<SymmetricKey>;
+export { decrypt, decryptWithPrivateKey, deriveKeyFromECDH, digest, encrypt, encryptWithPublicKey, exportPrivateKeyPem, exportPublicKeyJwk, exportPublicKeyPem, extractPublicKeyPem, generateECKeyPair, generateKey, generateKeyPair, generateSigningKeyPair, hex2Ab, hmac, importPrivateKey, importPublicKey, importSymmetricKey, jwkToPublicKeyPem, mergeSymmetricKeys, parsePublicKeyPem, publicKeyPemToJwk, randomBytes, randomBytesAsHex, rsaOaepSha1, rsaPkcs1Sha256, sign, verify, verifyHmac, };
 export declare const DefaultCryptoService: CryptoService;
 //# sourceMappingURL=index.d.ts.map

package/dist/types/tdf3/src/crypto/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/crypto/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EACL,KAAK,0BAA0B,EAC/B,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,OAAO,EACZ,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,UAAU,EAEf,KAAK,UAAU,EACf,KAAK,OAAO,EAEZ,KAAK,UAAU,EACf,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,YAAY,EAClB,MAAM,mBAAmB,CAAC;AAK3B,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAYxD,eAAO,MAAM,WAAW,SAA4C,CAAC;AAErE,eAAO,MAAM,MAAM,gDAAgD,CAAC;AACpE,eAAO,MAAM,IAAI,+BAA+B,CAAC;AAEjD;;;GAGG;AACH,wBAAgB,WAAW,CACzB,aAAa,GAAE,MAAqC,GACnD,qBAAqB,CAYvB;AAED,wBAAgB,cAAc,CAC5B,aAAa,GAAE,MAAqC,GACnD,qBAAqB,CAYvB;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAGxE;AAsFD;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAqBrE;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,OAAO,CAAC,CAS/D;AAED;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,GAAG,YAAY,EAC9B,SAAS,EAAE,SAAS,GACnB,OAAO,CAAC,MAAM,CAAC,CAejB;AAED,wBAAsB,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAIzE;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAKtE;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CACzC,gBAAgB,EAAE,MAAM,EACxB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,MAAM,CAAC,CAWjB;AAED;;;;;;;GAOG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,YAAY,EACjB,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,EACxB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,CAAC,CAExB;AAED;;;;;;GAMG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,MAAM,GAAG,YAAY,EAC9B,GAAG,EAAE,YAAY,EACjB,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,GACvB,OAAO,CAAC,aAAa,CAAC,CAExB;AA0GD;;;;;GAKG;AAEH;;;;GAIG;AACH,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAS/C;AAyKD;;GAEG;AACH,wBAAsB,IAAI,CACxB,IAAI,EAAE,UAAU,EAChB,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,0BAA0B,GACpC,OAAO,CAAC,UAAU,CAAC,CAWrB;AAED;;GAEG;AACH,wBAAsB,MAAM,CAC1B,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,EACrB,SAAS,EAAE,SAAS,EACpB,SAAS,EAAE,0BAA0B,GACpC,OAAO,CAAC,OAAO,CAAC,CAWlB;AAED;;GAEG;AACH,wBAAsB,MAAM,CAAC,SAAS,EAAE,aAAa,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAS5F;AAED;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CACvC,SAAS,EAAE,MAAM,EACjB,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,CAqBjB;AAkBD;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,GAAE,OAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,CA4BlF;AAiCD;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,YAAY,CAAC,CA+CvB;AAED;;GAEG;AACH,wBAAsB,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CAanF;AAED;;GAEG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,EACrB,GAAG,EAAE,YAAY,GAChB,OAAO,CAAC,OAAO,CAAC,CAUlB;AAuBD;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAmD3E;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAqBxE;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAoCjF;AAMD;;GAEG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CA8D1F;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAqG5F;AAMD;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAIxE;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAI1E;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAG5E;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,QAAQ,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC,CAEpF;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,YAAY,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,YAAY,EAAE,CAAC,CAIzB;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC,CAItF;AAED,eAAO,MAAM,oBAAoB,EAAE,aA6BlC,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/crypto/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,KAAK,aAAa,EAAE,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC1E,OAAO,EACL,OAAO,EACP,MAAM,EACN,OAAO,EACP,WAAW,EACX,MAAM,EACN,IAAI,EACJ,kBAAkB,EAClB,kBAAkB,EAClB,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,eAAe,EACf,sBAAsB,EACtB,WAAW,EACX,cAAc,EACf,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EACL,mBAAmB,EACnB,kBAAkB,EAClB,kBAAkB,EAClB,mBAAmB,EACnB,gBAAgB,EAChB,eAAe,EACf,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EAClB,MAAM,sBAAsB,CAAC;AAE9B,eAAO,MAAM,WAAW,SAA4C,CAAC;AACrE,eAAO,MAAM,MAAM,gDAAgD,CAAC;AACpE,eAAO,MAAM,IAAI,+BAA+B,CAAC;AAEjD;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,YAAY,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,YAAY,EAAE,CAAC,CAIzB;AAED,OAAO,EACL,OAAO,EACP,qBAAqB,EACrB,iBAAiB,EACjB,MAAM,EACN,OAAO,EACP,oBAAoB,EACpB,mBAAmB,EACnB,kBAAkB,EAClB,kBAAkB,EAClB,mBAAmB,EACnB,iBAAiB,EACjB,WAAW,EACX,eAAe,EACf,sBAAsB,EACtB,MAAM,EACN,IAAI,EACJ,gBAAgB,EAChB,eAAe,EACf,kBAAkB,EAClB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,WAAW,EACX,gBAAgB,EAChB,WAAW,EACX,cAAc,EACd,IAAI,EACJ,MAAM,EACN,UAAU,GACX,CAAC;AAEF,eAAO,MAAM,oBAAoB,EAAE,aA6BlC,CAAC"}

package/dist/web/tdf3/src/crypto/core/ec.js

@@ -0,0 +1,84 @@
+import { ConfigurationError } from '../../../../src/errors.js';
+import { unwrapKey, wrapPrivateKey, wrapPublicKey, wrapSymmetricKey } from './keys.js';
+/**
+ * Map ECCurve to Web Crypto named curve.
+ */
+function curveToNamedCurve(curve) {
+    switch (curve) {
+        case 'P-256':
+            return 'P-256';
+        case 'P-384':
+            return 'P-384';
+        case 'P-521':
+            return 'P-521';
+        default:
+            throw new ConfigurationError(`Unsupported curve: ${curve}`);
+    }
+}
+/**
+ * Generate an EC key pair for ECDH key agreement.
+ */
+export async function generateECKeyPair(curve = 'P-256') {
+    const namedCurve = curveToNamedCurve(curve);
+    // Generate key pair for ECDH key agreement
+    const keyPair = await crypto.subtle.generateKey({ name: 'ECDH', namedCurve }, true, [
+        'deriveBits',
+    ]);
+    // Map to KeyAlgorithm literal type
+    let algorithm;
+    switch (namedCurve) {
+        case 'P-256':
+            algorithm = 'ec:secp256r1';
+            break;
+        case 'P-384':
+            algorithm = 'ec:secp384r1';
+            break;
+        case 'P-521':
+            algorithm = 'ec:secp521r1';
+            break;
+        default:
+            throw new ConfigurationError(`Unsupported curve: ${namedCurve}`);
+    }
+    return {
+        publicKey: wrapPublicKey(keyPair.publicKey, algorithm),
+        privateKey: wrapPrivateKey(keyPair.privateKey, algorithm),
+    };
+}
+/**
+ * Perform ECDH key agreement followed by HKDF key derivation.
+ * Returns opaque symmetric key for symmetric encryption.
+ */
+export async function deriveKeyFromECDH(privateKey, publicKey, hkdfParams) {
+    // Unwrap the internal CryptoKeys
+    const privateKeyCrypto = unwrapKey(privateKey);
+    const publicKeyCrypto = unwrapKey(publicKey);
+    // Get curve from key metadata
+    const curve = publicKey.curve;
+    if (!curve) {
+        throw new ConfigurationError('EC curve not found on public key');
+    }
+    // Determine bits based on curve
+    const curveBits = {
+        'P-256': 256,
+        'P-384': 384,
+        // P-521 derives 528 bits (66 bytes)
+        'P-521': 528,
+    };
+    const bits = curveBits[curve];
+    // Perform ECDH to get shared secret
+    const sharedSecret = await crypto.subtle.deriveBits({ name: 'ECDH', public: publicKeyCrypto }, privateKeyCrypto, bits);
+    // Import shared secret as HKDF key material
+    const hkdfKey = await crypto.subtle.importKey('raw', sharedSecret, 'HKDF', false, ['deriveKey']);
+    // Derive the final key using HKDF
+    const keyLength = hkdfParams.keyLength ?? 256;
+    const derivedKey = await crypto.subtle.deriveKey({
+        name: 'HKDF',
+        hash: hkdfParams.hash,
+        salt: hkdfParams.salt,
+        info: hkdfParams.info ?? new Uint8Array(0),
+    }, hkdfKey, { name: 'AES-GCM', length: keyLength }, true, ['encrypt', 'decrypt']);
+    // Export the derived key as raw bytes and wrap as SymmetricKey
+    const keyBytes = await crypto.subtle.exportKey('raw', derivedKey);
+    return wrapSymmetricKey(new Uint8Array(keyBytes));
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZWMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi8uLi8uLi90ZGYzL3NyYy9jcnlwdG8vY29yZS9lYy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFTQSxPQUFPLEVBQUUsa0JBQWtCLEVBQUUsTUFBTSwyQkFBMkIsQ0FBQztBQUMvRCxPQUFPLEVBQUUsU0FBUyxFQUFFLGNBQWMsRUFBRSxhQUFhLEVBQUUsZ0JBQWdCLEVBQUUsTUFBTSxXQUFXLENBQUM7QUFFdkY7O0dBRUc7QUFDSCxTQUFTLGlCQUFpQixDQUFDLEtBQWM7SUFDdkMsUUFBUSxLQUFLLEVBQUUsQ0FBQztRQUNkLEtBQUssT0FBTztZQUNWLE9BQU8sT0FBTyxDQUFDO1FBQ2pCLEtBQUssT0FBTztZQUNWLE9BQU8sT0FBTyxDQUFDO1FBQ2pCLEtBQUssT0FBTztZQUNWLE9BQU8sT0FBTyxDQUFDO1FBQ2pCO1lBQ0UsTUFBTSxJQUFJLGtCQUFrQixDQUFDLHNCQUFzQixLQUFLLEVBQUUsQ0FBQyxDQUFDO0lBQ2hFLENBQUM7QUFDSCxDQUFDO0FBRUQ7O0dBRUc7QUFDSCxNQUFNLENBQUMsS0FBSyxVQUFVLGlCQUFpQixDQUFDLFFBQWlCLE9BQU87SUFDOUQsTUFBTSxVQUFVLEdBQUcsaUJBQWlCLENBQUMsS0FBSyxDQUFDLENBQUM7SUFFNUMsMkNBQTJDO0lBQzNDLE1BQU0sT0FBTyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxXQUFXLENBQUMsRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLFVBQVUsRUFBRSxFQUFFLElBQUksRUFBRTtRQUNsRixZQUFZO0tBQ2IsQ0FBQyxDQUFDO0lBRUgsbUNBQW1DO0lBQ25DLElBQUksU0FBdUIsQ0FBQztJQUM1QixRQUFRLFVBQVUsRUFBRSxDQUFDO1FBQ25CLEtBQUssT0FBTztZQUNWLFNBQVMsR0FBRyxjQUFjLENBQUM7WUFDM0IsTUFBTTtRQUNSLEtBQUssT0FBTztZQUNWLFNBQVMsR0FBRyxjQUFjLENBQUM7WUFDM0IsTUFBTTtRQUNSLEtBQUssT0FBTztZQUNWLFNBQVMsR0FBRyxjQUFjLENBQUM7WUFDM0IsTUFBTTtRQUNSO1lBQ0UsTUFBTSxJQUFJLGtCQUFrQixDQUFDLHNCQUFzQixVQUFVLEVBQUUsQ0FBQyxDQUFDO0lBQ3JFLENBQUM7SUFFRCxPQUFPO1FBQ0wsU0FBUyxFQUFFLGFBQWEsQ0FBQyxPQUFPLENBQUMsU0FBUyxFQUFFLFNBQVMsQ0FBQztRQUN0RCxVQUFVLEVBQUUsY0FBYyxDQUFDLE9BQU8sQ0FBQyxVQUFVLEVBQUUsU0FBUyxDQUFDO0tBQzFELENBQUM7QUFDSixDQUFDO0FBRUQ7OztHQUdHO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxpQkFBaUIsQ0FDckMsVUFBc0IsRUFDdEIsU0FBb0IsRUFDcEIsVUFBc0I7SUFFdEIsaUNBQWlDO0lBQ2pDLE1BQU0sZ0JBQWdCLEdBQUcsU0FBUyxDQUFDLFVBQVUsQ0FBQyxDQUFDO0lBQy9DLE1BQU0sZUFBZSxHQUFHLFNBQVMsQ0FBQyxTQUFTLENBQUMsQ0FBQztJQUU3Qyw4QkFBOEI7SUFDOUIsTUFBTSxLQUFLLEdBQUcsU0FBUyxDQUFDLEtBQUssQ0FBQztJQUM5QixJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7UUFDWCxNQUFNLElBQUksa0JBQWtCLENBQUMsa0NBQWtDLENBQUMsQ0FBQztJQUNuRSxDQUFDO0lBRUQsZ0NBQWdDO0lBQ2hDLE1BQU0sU0FBUyxHQUE0QjtRQUN6QyxPQUFPLEVBQUUsR0FBRztRQUNaLE9BQU8sRUFBRSxHQUFHO1FBQ1osb0NBQW9DO1FBQ3BDLE9BQU8sRUFBRSxHQUFHO0tBQ2IsQ0FBQztJQUNGLE1BQU0sSUFBSSxHQUFHLFNBQVMsQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUU5QixvQ0FBb0M7SUFDcEMsTUFBTSxZQUFZLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFVBQVUsQ0FDakQsRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLE1BQU0sRUFBRSxlQUFlLEVBQUUsRUFDekMsZ0JBQWdCLEVBQ2hCLElBQUksQ0FDTCxDQUFDO0lBRUYsNENBQTRDO0lBQzVDLE1BQU0sT0FBTyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsS0FBSyxFQUFFLFlBQVksRUFBRSxNQUFNLEVBQUUsS0FBSyxFQUFFLENBQUMsV0FBVyxDQUFDLENBQUMsQ0FBQztJQUVqRyxrQ0FBa0M7SUFDbEMsTUFBTSxTQUFTLEdBQUcsVUFBVSxDQUFDLFNBQVMsSUFBSSxHQUFHLENBQUM7SUFDOUMsTUFBTSxVQUFVLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FDOUM7UUFDRSxJQUFJLEVBQUUsTUFBTTtRQUNaLElBQUksRUFBRSxVQUFVLENBQUMsSUFBSTtRQUNyQixJQUFJLEVBQUUsVUFBVSxDQUFDLElBQUk7UUFDckIsSUFBSSxFQUFFLFVBQVUsQ0FBQyxJQUFJLElBQUksSUFBSSxVQUFVLENBQUMsQ0FBQyxDQUFDO0tBQzNDLEVBQ0QsT0FBTyxFQUNQLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxNQUFNLEVBQUUsU0FBUyxFQUFFLEVBQ3RDLElBQUksRUFDSixDQUFDLFNBQVMsRUFBRSxTQUFTLENBQUMsQ0FDdkIsQ0FBQztJQUVGLCtEQUErRDtJQUMvRCxNQUFNLFFBQVEsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLEtBQUssRUFBRSxVQUFVLENBQUMsQ0FBQztJQUNsRSxPQUFPLGdCQUFnQixDQUFDLElBQUksVUFBVSxDQUFDLFFBQVEsQ0FBQyxDQUFDLENBQUM7QUFDcEQsQ0FBQyJ9