@opentdf/sdk 0.12.0 → 0.13.0-rc.121
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/src/auth/dpop.js +4 -4
- package/dist/cjs/src/version.js +1 -1
- package/dist/cjs/tdf3/src/crypto/core/ec.js +88 -0
- package/dist/cjs/tdf3/src/crypto/core/key-format.js +359 -0
- package/dist/cjs/tdf3/src/crypto/core/keys.js +85 -0
- package/dist/cjs/tdf3/src/crypto/core/rsa.js +120 -0
- package/dist/cjs/tdf3/src/crypto/core/signing.js +178 -0
- package/dist/cjs/tdf3/src/crypto/core/symmetric.js +205 -0
- package/dist/cjs/tdf3/src/crypto/index.js +69 -1051
- package/dist/types/src/version.d.ts +1 -1
- package/dist/types/tdf3/src/crypto/core/ec.d.ts +11 -0
- package/dist/types/tdf3/src/crypto/core/ec.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/core/key-format.d.ts +41 -0
- package/dist/types/tdf3/src/crypto/core/key-format.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/core/keys.d.ts +27 -0
- package/dist/types/tdf3/src/crypto/core/keys.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/core/rsa.d.ts +35 -0
- package/dist/types/tdf3/src/crypto/core/rsa.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/core/signing.d.ts +10 -0
- package/dist/types/tdf3/src/crypto/core/signing.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/core/symmetric.d.ts +68 -0
- package/dist/types/tdf3/src/crypto/core/symmetric.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/index.d.ts +11 -164
- package/dist/types/tdf3/src/crypto/index.d.ts.map +1 -1
- package/dist/web/src/auth/dpop.js +4 -4
- package/dist/web/src/version.js +1 -1
- package/dist/web/tdf3/src/crypto/core/ec.js +84 -0
- package/dist/web/tdf3/src/crypto/core/key-format.js +348 -0
- package/dist/web/tdf3/src/crypto/core/keys.js +78 -0
- package/dist/web/tdf3/src/crypto/core/rsa.js +112 -0
- package/dist/web/tdf3/src/crypto/core/signing.js +174 -0
- package/dist/web/tdf3/src/crypto/core/symmetric.js +192 -0
- package/dist/web/tdf3/src/crypto/index.js +13 -994
- package/package.json +1 -1
- package/src/auth/dpop.ts +3 -3
- package/src/version.ts +1 -1
- package/tdf3/src/crypto/core/ec.ts +118 -0
- package/tdf3/src/crypto/core/key-format.ts +420 -0
- package/tdf3/src/crypto/core/keys.ts +86 -0
- package/tdf3/src/crypto/core/rsa.ts +144 -0
- package/tdf3/src/crypto/core/signing.ts +214 -0
- package/tdf3/src/crypto/core/symmetric.ts +265 -0
- package/tdf3/src/crypto/index.ts +71 -1239
|
@@ -30,8 +30,8 @@ function b64u(input) {
|
|
|
30
30
|
/**
|
|
31
31
|
* Generates 32 random bytes and encodes them using base64url.
|
|
32
32
|
*/
|
|
33
|
-
async function randomBytes(
|
|
34
|
-
return b64u(
|
|
33
|
+
async function randomBytes() {
|
|
34
|
+
return b64u(crypto.getRandomValues(new Uint8Array(32)));
|
|
35
35
|
}
|
|
36
36
|
class UnsupportedOperationError extends Error {
|
|
37
37
|
constructor(message) {
|
|
@@ -111,11 +111,11 @@ async function DPoP(keypair, cryptoService, htu, htm, nonce, accessToken, additi
|
|
|
111
111
|
}, {
|
|
112
112
|
...additional,
|
|
113
113
|
iat: epochTime(),
|
|
114
|
-
jti: await randomBytes(
|
|
114
|
+
jti: await randomBytes(),
|
|
115
115
|
htm,
|
|
116
116
|
nonce,
|
|
117
117
|
htu,
|
|
118
118
|
ath,
|
|
119
119
|
}, privateKey, cryptoService);
|
|
120
120
|
}
|
|
121
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
121
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZHBvcC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hdXRoL2Rwb3AudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IjtBQUFBLHdEQUF3RDtBQUN4RCx5REFBeUQ7O0FBMEp6RCx1QkFrRUM7QUE5TUQsTUFBTSxPQUFPLEdBQUcsSUFBSSxXQUFXLEVBQUUsQ0FBQztBQUVsQyxTQUFTLEdBQUcsQ0FBQyxLQUFhO0lBQ3hCLE9BQU8sT0FBTyxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztBQUMvQixDQUFDO0FBUUQ7O0dBRUc7QUFDSCxLQUFLLFVBQVUsR0FBRyxDQUNoQixNQUErQixFQUMvQixTQUFrQyxFQUNsQyxVQUFzQixFQUN0QixhQUE0QjtJQUU1QixNQUFNLEtBQUssR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLElBQUksSUFBSSxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDO0lBQzdGLE1BQU0sU0FBUyxHQUFHLE1BQU0sYUFBYSxDQUFDLElBQUksQ0FDeEMsR0FBRyxDQUFDLEtBQUssQ0FBQyxFQUNWLFVBQVUsRUFDVixNQUFNLENBQUMsR0FBaUMsQ0FDekMsQ0FBQztJQUNGLE9BQU8sR0FBRyxLQUFLLElBQUksSUFBSSxDQUFDLFNBQVMsQ0FBQyxFQUFFLENBQUM7QUFDdkMsQ0FBQztBQUVELE1BQU0sVUFBVSxHQUFHLE1BQU0sQ0FBQztBQUMxQixTQUFTLGVBQWUsQ0FBQyxLQUErQjtJQUN0RCxNQUFNLEtBQUssR0FBRyxLQUFLLFlBQVksV0FBVyxDQUFDLENBQUMsQ0FBQyxJQUFJLFVBQVUsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDO0lBRTNFLE1BQU0sR0FBRyxHQUFHLEVBQUUsQ0FBQztJQUNmLEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxLQUFLLENBQUMsVUFBVSxFQUFFLENBQUMsSUFBSSxVQUFVLEVBQUUsQ0FBQztRQUN0RCxHQUFHLENBQUMsSUFBSSxDQUNOLE1BQU0sQ0FBQyxZQUFZLENBQUMsS0FBSyxDQUFDLElBQUksRUFBRSxLQUFLLENBQUMsUUFBUSxDQUFDLENBQUMsRUFBRSxDQUFDLEdBQUcsVUFBVSxDQUF3QixDQUFDLENBQzFGLENBQUM7SUFDSixDQUFDO0lBQ0QsT0FBTyxJQUFJLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLENBQUMsT0FBTyxDQUFDLEtBQUssRUFBRSxHQUFHLENBQUMsQ0FBQyxPQUFPLENBQUMsS0FBSyxFQUFFLEdBQUcsQ0FBQyxDQUFDO0FBQ3RGLENBQUM7QUFFRCxTQUFTLElBQUksQ0FBQyxLQUErQjtJQUMzQyxPQUFPLGVBQWUsQ0FBQyxLQUFLLENBQUMsQ0FBQztBQUNoQyxDQUFDO0FBRUQ7O0dBRUc7QUFDSCxLQUFLLFVBQVUsV0FBVztJQUN4QixPQUFPLElBQUksQ0FBQyxNQUFNLENBQUMsZUFBZSxDQUFDLElBQUksVUFBVSxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsQ0FBQztBQUMxRCxDQUFDO0FBMkNELE1BQU0seUJBQTBCLFNBQVEsS0FBSztJQUMzQyxZQUFZLE9BQWdCO1FBQzFCLEtBQUssQ0FBQyxPQUFPLElBQUkseUJBQXlCLENBQUMsQ0FBQztRQUM1QyxJQUFJLENBQUMsSUFBSSxHQUFHLElBQUksQ0FBQyxXQUFXLENBQUMsSUFBSSxDQUFDO1FBQ2xDLEtBQUssQ0FBQyxpQkFBaUIsRUFBRSxDQUFDLElBQUksRUFBRSxJQUFJLENBQUMsV0FBVyxDQUFDLENBQUM7SUFDcEQsQ0FBQztDQUNGO0FBRUQ7O0dBRUc7QUFDSCxTQUFTLGdDQUFnQyxDQUFDLFNBQWlCO0lBQ3pELElBQUksU0FBUyxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO1FBQ2pDLE9BQU8sT0FBTyxDQUFDO0lBQ2pCLENBQUM7SUFDRCxRQUFRLFNBQVMsRUFBRSxDQUFDO1FBQ2xCLEtBQUssY0FBYztZQUNqQixPQUFPLE9BQU8sQ0FBQztRQUNqQixLQUFLLGNBQWM7WUFDakIsT0FBTyxPQUFPLENBQUM7UUFDakIsS0FBSyxjQUFjO1lBQ2pCLE9BQU8sT0FBTyxDQUFDO1FBQ2pCO1lBQ0UsTUFBTSxJQUFJLHlCQUF5QixDQUFDLDhCQUE4QixTQUFTLEVBQUUsQ0FBQyxDQUFDO0lBQ25GLENBQUM7QUFDSCxDQUFDO0FBRUQ7O0dBRUc7QUFDSCxTQUFTLFNBQVM7SUFDaEIsT0FBTyxJQUFJLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUMsQ0FBQztBQUN2QyxDQUFDO0FBRUQ7Ozs7Ozs7Ozs7R0FVRztBQUNZLEtBQUssVUFBVSxJQUFJLENBQ2hDLE9BQWdCLEVBQ2hCLGFBQTRCLEVBQzVCLEdBQVcsRUFDWCxHQUFXLEVBQ1gsS0FBYyxFQUNkLFdBQW9CLEVBQ3BCLFVBQXNDO0lBRXRDLE1BQU0sVUFBVSxHQUFHLE9BQU8sRUFBRSxVQUFVLENBQUM7SUFDdkMsTUFBTSxTQUFTLEdBQUcsT0FBTyxFQUFFLFNBQVMsQ0FBQztJQUVyQyxJQUFJLE9BQU8sR0FBRyxLQUFLLFFBQVEsRUFBRSxDQUFDO1FBQzVCLE1BQU0sSUFBSSxTQUFTLENBQUMsd0JBQXdCLENBQUMsQ0FBQztJQUNoRCxDQUFDO0lBRUQsSUFBSSxPQUFPLEdBQUcsS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUM1QixNQUFNLElBQUksU0FBUyxDQUFDLHdCQUF3QixDQUFDLENBQUM7SUFDaEQsQ0FBQztJQUVELElBQUksS0FBSyxLQUFLLFNBQVMsSUFBSSxPQUFPLEtBQUssS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUNyRCxNQUFNLElBQUksU0FBUyxDQUFDLHVDQUF1QyxDQUFDLENBQUM7SUFDL0QsQ0FBQztJQUVELElBQUksV0FBVyxLQUFLLFNBQVMsSUFBSSxPQUFPLFdBQVcsS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUNqRSxNQUFNLElBQUksU0FBUyxDQUFDLDZDQUE2QyxDQUFDLENBQUM7SUFDckUsQ0FBQztJQUVELElBQ0UsVUFBVSxLQUFLLFNBQVM7UUFDeEIsQ0FBQyxPQUFPLFVBQVUsS0FBSyxRQUFRLElBQUksVUFBVSxLQUFLLElBQUksSUFBSSxLQUFLLENBQUMsT0FBTyxDQUFDLFVBQVUsQ0FBQyxDQUFDLEVBQ3BGLENBQUM7UUFDRCxNQUFNLElBQUksU0FBUyxDQUFDLGdDQUFnQyxDQUFDLENBQUM7SUFDeEQsQ0FBQztJQUVELDRDQUE0QztJQUM1QyxNQUFNLEdBQUcsR0FBRyxnQ0FBZ0MsQ0FBQyxTQUFTLENBQUMsU0FBUyxDQUFDLENBQUM7SUFFbEUsMENBQTBDO0lBQzFDLE1BQU0sR0FBRyxHQUFHLE1BQU0sYUFBYSxDQUFDLGtCQUFrQixDQUFDLFNBQVMsQ0FBQyxDQUFDO0lBRTlELHdDQUF3QztJQUN4QyxJQUFJLEdBQXVCLENBQUM7SUFDNUIsSUFBSSxXQUFXLEVBQUUsQ0FBQztRQUNoQixNQUFNLFFBQVEsR0FBRyxNQUFNLGFBQWEsQ0FBQyxNQUFNLENBQUMsU0FBUyxFQUFFLEdBQUcsQ0FBQyxXQUFXLENBQUMsQ0FBQyxDQUFDO1FBQ3pFLEdBQUcsR0FBRyxJQUFJLENBQUMsUUFBUSxDQUFDLENBQUM7SUFDdkIsQ0FBQztJQUVELE9BQU8sR0FBRyxDQUNSO1FBQ0UsR0FBRztRQUNILEdBQUcsRUFBRSxVQUFVO1FBQ2YsR0FBRztLQUNKLEVBQ0Q7UUFDRSxHQUFHLFVBQVU7UUFDYixHQUFHLEVBQUUsU0FBUyxFQUFFO1FBQ2hCLEdBQUcsRUFBRSxNQUFNLFdBQVcsRUFBRTtRQUN4QixHQUFHO1FBQ0gsS0FBSztRQUNMLEdBQUc7UUFDSCxHQUFHO0tBQ0osRUFDRCxVQUFVLEVBQ1YsYUFBYSxDQUNkLENBQUM7QUFDSixDQUFDIn0=
|
package/dist/cjs/src/version.js
CHANGED
|
@@ -4,7 +4,7 @@ exports.tdfSpecVersion = exports.clientType = exports.version = void 0;
|
|
|
4
4
|
/**
|
|
5
5
|
* Exposes the released version number of the `@opentdf/sdk` package
|
|
6
6
|
*/
|
|
7
|
-
exports.version = '0.
|
|
7
|
+
exports.version = '0.13.0'; // x-release-please-version
|
|
8
8
|
/**
|
|
9
9
|
* A string name used to label requests as coming from this library client.
|
|
10
10
|
*/
|
|
@@ -0,0 +1,88 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.generateECKeyPair = generateECKeyPair;
|
|
4
|
+
exports.deriveKeyFromECDH = deriveKeyFromECDH;
|
|
5
|
+
const errors_js_1 = require("../../../../src/errors.js");
|
|
6
|
+
const keys_js_1 = require("./keys.js");
|
|
7
|
+
/**
|
|
8
|
+
* Map ECCurve to Web Crypto named curve.
|
|
9
|
+
*/
|
|
10
|
+
function curveToNamedCurve(curve) {
|
|
11
|
+
switch (curve) {
|
|
12
|
+
case 'P-256':
|
|
13
|
+
return 'P-256';
|
|
14
|
+
case 'P-384':
|
|
15
|
+
return 'P-384';
|
|
16
|
+
case 'P-521':
|
|
17
|
+
return 'P-521';
|
|
18
|
+
default:
|
|
19
|
+
throw new errors_js_1.ConfigurationError(`Unsupported curve: ${curve}`);
|
|
20
|
+
}
|
|
21
|
+
}
|
|
22
|
+
/**
|
|
23
|
+
* Generate an EC key pair for ECDH key agreement.
|
|
24
|
+
*/
|
|
25
|
+
async function generateECKeyPair(curve = 'P-256') {
|
|
26
|
+
const namedCurve = curveToNamedCurve(curve);
|
|
27
|
+
// Generate key pair for ECDH key agreement
|
|
28
|
+
const keyPair = await crypto.subtle.generateKey({ name: 'ECDH', namedCurve }, true, [
|
|
29
|
+
'deriveBits',
|
|
30
|
+
]);
|
|
31
|
+
// Map to KeyAlgorithm literal type
|
|
32
|
+
let algorithm;
|
|
33
|
+
switch (namedCurve) {
|
|
34
|
+
case 'P-256':
|
|
35
|
+
algorithm = 'ec:secp256r1';
|
|
36
|
+
break;
|
|
37
|
+
case 'P-384':
|
|
38
|
+
algorithm = 'ec:secp384r1';
|
|
39
|
+
break;
|
|
40
|
+
case 'P-521':
|
|
41
|
+
algorithm = 'ec:secp521r1';
|
|
42
|
+
break;
|
|
43
|
+
default:
|
|
44
|
+
throw new errors_js_1.ConfigurationError(`Unsupported curve: ${namedCurve}`);
|
|
45
|
+
}
|
|
46
|
+
return {
|
|
47
|
+
publicKey: (0, keys_js_1.wrapPublicKey)(keyPair.publicKey, algorithm),
|
|
48
|
+
privateKey: (0, keys_js_1.wrapPrivateKey)(keyPair.privateKey, algorithm),
|
|
49
|
+
};
|
|
50
|
+
}
|
|
51
|
+
/**
|
|
52
|
+
* Perform ECDH key agreement followed by HKDF key derivation.
|
|
53
|
+
* Returns opaque symmetric key for symmetric encryption.
|
|
54
|
+
*/
|
|
55
|
+
async function deriveKeyFromECDH(privateKey, publicKey, hkdfParams) {
|
|
56
|
+
// Unwrap the internal CryptoKeys
|
|
57
|
+
const privateKeyCrypto = (0, keys_js_1.unwrapKey)(privateKey);
|
|
58
|
+
const publicKeyCrypto = (0, keys_js_1.unwrapKey)(publicKey);
|
|
59
|
+
// Get curve from key metadata
|
|
60
|
+
const curve = publicKey.curve;
|
|
61
|
+
if (!curve) {
|
|
62
|
+
throw new errors_js_1.ConfigurationError('EC curve not found on public key');
|
|
63
|
+
}
|
|
64
|
+
// Determine bits based on curve
|
|
65
|
+
const curveBits = {
|
|
66
|
+
'P-256': 256,
|
|
67
|
+
'P-384': 384,
|
|
68
|
+
// P-521 derives 528 bits (66 bytes)
|
|
69
|
+
'P-521': 528,
|
|
70
|
+
};
|
|
71
|
+
const bits = curveBits[curve];
|
|
72
|
+
// Perform ECDH to get shared secret
|
|
73
|
+
const sharedSecret = await crypto.subtle.deriveBits({ name: 'ECDH', public: publicKeyCrypto }, privateKeyCrypto, bits);
|
|
74
|
+
// Import shared secret as HKDF key material
|
|
75
|
+
const hkdfKey = await crypto.subtle.importKey('raw', sharedSecret, 'HKDF', false, ['deriveKey']);
|
|
76
|
+
// Derive the final key using HKDF
|
|
77
|
+
const keyLength = hkdfParams.keyLength ?? 256;
|
|
78
|
+
const derivedKey = await crypto.subtle.deriveKey({
|
|
79
|
+
name: 'HKDF',
|
|
80
|
+
hash: hkdfParams.hash,
|
|
81
|
+
salt: hkdfParams.salt,
|
|
82
|
+
info: hkdfParams.info ?? new Uint8Array(0),
|
|
83
|
+
}, hkdfKey, { name: 'AES-GCM', length: keyLength }, true, ['encrypt', 'decrypt']);
|
|
84
|
+
// Export the derived key as raw bytes and wrap as SymmetricKey
|
|
85
|
+
const keyBytes = await crypto.subtle.exportKey('raw', derivedKey);
|
|
86
|
+
return (0, keys_js_1.wrapSymmetricKey)(new Uint8Array(keyBytes));
|
|
87
|
+
}
|
|
88
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZWMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi8uLi8uLi90ZGYzL3NyYy9jcnlwdG8vY29yZS9lYy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQStCQSw4Q0E0QkM7QUFNRCw4Q0FvREM7QUE1R0QseURBQStEO0FBQy9ELHVDQUF1RjtBQUV2Rjs7R0FFRztBQUNILFNBQVMsaUJBQWlCLENBQUMsS0FBYztJQUN2QyxRQUFRLEtBQUssRUFBRSxDQUFDO1FBQ2QsS0FBSyxPQUFPO1lBQ1YsT0FBTyxPQUFPLENBQUM7UUFDakIsS0FBSyxPQUFPO1lBQ1YsT0FBTyxPQUFPLENBQUM7UUFDakIsS0FBSyxPQUFPO1lBQ1YsT0FBTyxPQUFPLENBQUM7UUFDakI7WUFDRSxNQUFNLElBQUksOEJBQWtCLENBQUMsc0JBQXNCLEtBQUssRUFBRSxDQUFDLENBQUM7SUFDaEUsQ0FBQztBQUNILENBQUM7QUFFRDs7R0FFRztBQUNJLEtBQUssVUFBVSxpQkFBaUIsQ0FBQyxRQUFpQixPQUFPO0lBQzlELE1BQU0sVUFBVSxHQUFHLGlCQUFpQixDQUFDLEtBQUssQ0FBQyxDQUFDO0lBRTVDLDJDQUEyQztJQUMzQyxNQUFNLE9BQU8sR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsV0FBVyxDQUFDLEVBQUUsSUFBSSxFQUFFLE1BQU0sRUFBRSxVQUFVLEVBQUUsRUFBRSxJQUFJLEVBQUU7UUFDbEYsWUFBWTtLQUNiLENBQUMsQ0FBQztJQUVILG1DQUFtQztJQUNuQyxJQUFJLFNBQXVCLENBQUM7SUFDNUIsUUFBUSxVQUFVLEVBQUUsQ0FBQztRQUNuQixLQUFLLE9BQU87WUFDVixTQUFTLEdBQUcsY0FBYyxDQUFDO1lBQzNCLE1BQU07UUFDUixLQUFLLE9BQU87WUFDVixTQUFTLEdBQUcsY0FBYyxDQUFDO1lBQzNCLE1BQU07UUFDUixLQUFLLE9BQU87WUFDVixTQUFTLEdBQUcsY0FBYyxDQUFDO1lBQzNCLE1BQU07UUFDUjtZQUNFLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyxzQkFBc0IsVUFBVSxFQUFFLENBQUMsQ0FBQztJQUNyRSxDQUFDO0lBRUQsT0FBTztRQUNMLFNBQVMsRUFBRSxJQUFBLHVCQUFhLEVBQUMsT0FBTyxDQUFDLFNBQVMsRUFBRSxTQUFTLENBQUM7UUFDdEQsVUFBVSxFQUFFLElBQUEsd0JBQWMsRUFBQyxPQUFPLENBQUMsVUFBVSxFQUFFLFNBQVMsQ0FBQztLQUMxRCxDQUFDO0FBQ0osQ0FBQztBQUVEOzs7R0FHRztBQUNJLEtBQUssVUFBVSxpQkFBaUIsQ0FDckMsVUFBc0IsRUFDdEIsU0FBb0IsRUFDcEIsVUFBc0I7SUFFdEIsaUNBQWlDO0lBQ2pDLE1BQU0sZ0JBQWdCLEdBQUcsSUFBQSxtQkFBUyxFQUFDLFVBQVUsQ0FBQyxDQUFDO0lBQy9DLE1BQU0sZUFBZSxHQUFHLElBQUEsbUJBQVMsRUFBQyxTQUFTLENBQUMsQ0FBQztJQUU3Qyw4QkFBOEI7SUFDOUIsTUFBTSxLQUFLLEdBQUcsU0FBUyxDQUFDLEtBQUssQ0FBQztJQUM5QixJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7UUFDWCxNQUFNLElBQUksOEJBQWtCLENBQUMsa0NBQWtDLENBQUMsQ0FBQztJQUNuRSxDQUFDO0lBRUQsZ0NBQWdDO0lBQ2hDLE1BQU0sU0FBUyxHQUE0QjtRQUN6QyxPQUFPLEVBQUUsR0FBRztRQUNaLE9BQU8sRUFBRSxHQUFHO1FBQ1osb0NBQW9DO1FBQ3BDLE9BQU8sRUFBRSxHQUFHO0tBQ2IsQ0FBQztJQUNGLE1BQU0sSUFBSSxHQUFHLFNBQVMsQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUU5QixvQ0FBb0M7SUFDcEMsTUFBTSxZQUFZLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFVBQVUsQ0FDakQsRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLE1BQU0sRUFBRSxlQUFlLEVBQUUsRUFDekMsZ0JBQWdCLEVBQ2hCLElBQUksQ0FDTCxDQUFDO0lBRUYsNENBQTRDO0lBQzVDLE1BQU0sT0FBTyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsS0FBSyxFQUFFLFlBQVksRUFBRSxNQUFNLEVBQUUsS0FBSyxFQUFFLENBQUMsV0FBVyxDQUFDLENBQUMsQ0FBQztJQUVqRyxrQ0FBa0M7SUFDbEMsTUFBTSxTQUFTLEdBQUcsVUFBVSxDQUFDLFNBQVMsSUFBSSxHQUFHLENBQUM7SUFDOUMsTUFBTSxVQUFVLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FDOUM7UUFDRSxJQUFJLEVBQUUsTUFBTTtRQUNaLElBQUksRUFBRSxVQUFVLENBQUMsSUFBSTtRQUNyQixJQUFJLEVBQUUsVUFBVSxDQUFDLElBQUk7UUFDckIsSUFBSSxFQUFFLFVBQVUsQ0FBQyxJQUFJLElBQUksSUFBSSxVQUFVLENBQUMsQ0FBQyxDQUFDO0tBQzNDLEVBQ0QsT0FBTyxFQUNQLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxNQUFNLEVBQUUsU0FBUyxFQUFFLEVBQ3RDLElBQUksRUFDSixDQUFDLFNBQVMsRUFBRSxTQUFTLENBQUMsQ0FDdkIsQ0FBQztJQUVGLCtEQUErRDtJQUMvRCxNQUFNLFFBQVEsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLEtBQUssRUFBRSxVQUFVLENBQUMsQ0FBQztJQUNsRSxPQUFPLElBQUEsMEJBQWdCLEVBQUMsSUFBSSxVQUFVLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQztBQUNwRCxDQUFDIn0=
|
|
@@ -0,0 +1,359 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.extractPublicKeyPem = extractPublicKeyPem;
|
|
4
|
+
exports.parsePublicKeyPem = parsePublicKeyPem;
|
|
5
|
+
exports.jwkToPublicKeyPem = jwkToPublicKeyPem;
|
|
6
|
+
exports.publicKeyPemToJwk = publicKeyPemToJwk;
|
|
7
|
+
exports.importPublicKey = importPublicKey;
|
|
8
|
+
exports.importPrivateKey = importPrivateKey;
|
|
9
|
+
exports.exportPublicKeyPem = exportPublicKeyPem;
|
|
10
|
+
exports.exportPrivateKeyPem = exportPrivateKeyPem;
|
|
11
|
+
exports.exportPublicKeyJwk = exportPublicKeyJwk;
|
|
12
|
+
const declarations_js_1 = require("../declarations.js");
|
|
13
|
+
const errors_js_1 = require("../../../../src/errors.js");
|
|
14
|
+
const crypto_utils_js_1 = require("../crypto-utils.js");
|
|
15
|
+
const hex_js_1 = require("../../../../src/encodings/hex.js");
|
|
16
|
+
const base64_js_1 = require("../../../../src/encodings/base64.js");
|
|
17
|
+
const jose_1 = require("jose");
|
|
18
|
+
const pemPublicToCrypto_js_1 = require("../../../../src/crypto/pemPublicToCrypto.js");
|
|
19
|
+
const keys_js_1 = require("./keys.js");
|
|
20
|
+
const rsa_js_1 = require("./rsa.js");
|
|
21
|
+
/**
|
|
22
|
+
* Extract PEM public key from X.509 certificate or return PEM key as-is.
|
|
23
|
+
*/
|
|
24
|
+
async function extractPublicKeyPem(certOrPem, jwaAlgorithm) {
|
|
25
|
+
// If it's a certificate, extract the public key
|
|
26
|
+
if (certOrPem.includes('-----BEGIN CERTIFICATE-----')) {
|
|
27
|
+
let alg = jwaAlgorithm;
|
|
28
|
+
if (!alg) {
|
|
29
|
+
// Auto-detect algorithm from certificate OIDs
|
|
30
|
+
const certBody = certOrPem.replace(/-----(BEGIN|END) CERTIFICATE-----|\s/g, '');
|
|
31
|
+
const certBytes = (0, base64_js_1.decodeArrayBuffer)(certBody);
|
|
32
|
+
const hex = (0, hex_js_1.encodeArrayBuffer)(certBytes);
|
|
33
|
+
alg = (0, pemPublicToCrypto_js_1.toJwsAlg)(hex);
|
|
34
|
+
}
|
|
35
|
+
const cert = await (0, jose_1.importX509)(certOrPem, alg, { extractable: true });
|
|
36
|
+
return (0, jose_1.exportSPKI)(cert);
|
|
37
|
+
}
|
|
38
|
+
// If it's already a PEM public key, return as-is
|
|
39
|
+
if (certOrPem.includes('-----BEGIN PUBLIC KEY-----')) {
|
|
40
|
+
return certOrPem;
|
|
41
|
+
}
|
|
42
|
+
throw new errors_js_1.ConfigurationError('Input must be a PEM-encoded certificate or public key');
|
|
43
|
+
}
|
|
44
|
+
const SUPPORTED_EC_CURVES = ['P-256', 'P-384', 'P-521'];
|
|
45
|
+
/**
|
|
46
|
+
* Decode base64url string and return byte length.
|
|
47
|
+
* Uses the existing base64 decoder which handles both standard and URL-safe encoding.
|
|
48
|
+
*/
|
|
49
|
+
function base64urlByteLength(base64url) {
|
|
50
|
+
// Add padding if needed (base64url omits padding)
|
|
51
|
+
const padding = (4 - (base64url.length % 4)) % 4;
|
|
52
|
+
const padded = base64url + '='.repeat(padding);
|
|
53
|
+
return (0, base64_js_1.decodeArrayBuffer)(padded).byteLength;
|
|
54
|
+
}
|
|
55
|
+
/**
|
|
56
|
+
* Extract EC curve from a public key by parsing ASN.1 OIDs.
|
|
57
|
+
* Reuses the existing guessCurveName function that checks for curve OIDs.
|
|
58
|
+
*/
|
|
59
|
+
function extractEcCurveFromPublicKey(keyData) {
|
|
60
|
+
// Convert to hex for OID parsing
|
|
61
|
+
const hexKey = (0, hex_js_1.encodeArrayBuffer)(keyData);
|
|
62
|
+
// Use existing OID parser (returns 'P-256', 'P-384', or 'P-521')
|
|
63
|
+
const curveName = (0, pemPublicToCrypto_js_1.guessCurveName)(hexKey);
|
|
64
|
+
return curveName;
|
|
65
|
+
}
|
|
66
|
+
/**
|
|
67
|
+
* Extract RSA modulus bit length by importing key and exporting as JWK.
|
|
68
|
+
* Uses Web Crypto's built-in ASN.1 parsing for robustness.
|
|
69
|
+
*/
|
|
70
|
+
async function extractRsaModulusBitLength(keyData) {
|
|
71
|
+
const key = await crypto.subtle.importKey('spki', keyData, { name: 'RSA-OAEP', hash: 'SHA-256' }, true, ['encrypt']);
|
|
72
|
+
const jwk = await crypto.subtle.exportKey('jwk', key);
|
|
73
|
+
if (!jwk.n) {
|
|
74
|
+
throw new errors_js_1.ConfigurationError('Invalid RSA key: missing modulus');
|
|
75
|
+
}
|
|
76
|
+
// JWK 'n' is base64url-encoded modulus
|
|
77
|
+
// Decode and count bytes, multiply by 8 for bits
|
|
78
|
+
return base64urlByteLength(jwk.n) * 8;
|
|
79
|
+
}
|
|
80
|
+
/**
|
|
81
|
+
* Import and validate a PEM public key, returning algorithm info.
|
|
82
|
+
* Uses JWK export for robust key parameter detection.
|
|
83
|
+
*/
|
|
84
|
+
async function parsePublicKeyPem(pem) {
|
|
85
|
+
// First extract public key if it's a certificate
|
|
86
|
+
let publicKeyPem = pem;
|
|
87
|
+
if (pem.includes('-----BEGIN CERTIFICATE-----')) {
|
|
88
|
+
publicKeyPem = await extractPublicKeyPem(pem);
|
|
89
|
+
}
|
|
90
|
+
if (!publicKeyPem.includes('-----BEGIN PUBLIC KEY-----')) {
|
|
91
|
+
throw new errors_js_1.ConfigurationError('Input must be a PEM-encoded public key or certificate');
|
|
92
|
+
}
|
|
93
|
+
const keyData = (0, base64_js_1.decodeArrayBuffer)((0, crypto_utils_js_1.removePemFormatting)(publicKeyPem));
|
|
94
|
+
// Try RSA first - use JWK export to get modulus size
|
|
95
|
+
try {
|
|
96
|
+
const modulusBits = await extractRsaModulusBitLength(keyData);
|
|
97
|
+
let algorithm;
|
|
98
|
+
if (modulusBits < declarations_js_1.MIN_ASYMMETRIC_KEY_SIZE_BITS) {
|
|
99
|
+
throw new errors_js_1.ConfigurationError(`RSA key size ${modulusBits} bits is below the minimum of ${declarations_js_1.MIN_ASYMMETRIC_KEY_SIZE_BITS} bits`);
|
|
100
|
+
}
|
|
101
|
+
else if (modulusBits <= 2048) {
|
|
102
|
+
algorithm = 'rsa:2048';
|
|
103
|
+
}
|
|
104
|
+
else if (modulusBits <= 4096) {
|
|
105
|
+
algorithm = 'rsa:4096';
|
|
106
|
+
}
|
|
107
|
+
else {
|
|
108
|
+
throw new errors_js_1.ConfigurationError(`Unsupported RSA key size: ${modulusBits} bits`);
|
|
109
|
+
}
|
|
110
|
+
return { algorithm, pem: publicKeyPem };
|
|
111
|
+
}
|
|
112
|
+
catch (e) {
|
|
113
|
+
// If it's our own ConfigurationError, rethrow
|
|
114
|
+
if (e instanceof errors_js_1.ConfigurationError) {
|
|
115
|
+
throw e;
|
|
116
|
+
}
|
|
117
|
+
// Not an RSA key, try EC next
|
|
118
|
+
}
|
|
119
|
+
// Try EC - parse curve from OID
|
|
120
|
+
try {
|
|
121
|
+
const detectedCurve = extractEcCurveFromPublicKey(keyData);
|
|
122
|
+
const curveMap = {
|
|
123
|
+
'P-256': 'ec:secp256r1',
|
|
124
|
+
'P-384': 'ec:secp384r1',
|
|
125
|
+
'P-521': 'ec:secp521r1',
|
|
126
|
+
};
|
|
127
|
+
return { algorithm: curveMap[detectedCurve], pem: publicKeyPem };
|
|
128
|
+
}
|
|
129
|
+
catch {
|
|
130
|
+
// Not a valid EC key
|
|
131
|
+
}
|
|
132
|
+
throw new errors_js_1.ConfigurationError('Unable to determine public key algorithm - unsupported key type');
|
|
133
|
+
}
|
|
134
|
+
/**
|
|
135
|
+
* Convert a JWK (JSON Web Key) to PEM format.
|
|
136
|
+
*/
|
|
137
|
+
async function jwkToPublicKeyPem(jwk) {
|
|
138
|
+
let key;
|
|
139
|
+
if (jwk.kty === 'RSA') {
|
|
140
|
+
// RSA key
|
|
141
|
+
key = await crypto.subtle.importKey('jwk', jwk, { name: 'RSA-OAEP', hash: 'SHA-256' }, true, [
|
|
142
|
+
'encrypt',
|
|
143
|
+
]);
|
|
144
|
+
}
|
|
145
|
+
else if (jwk.kty === 'EC') {
|
|
146
|
+
// EC key
|
|
147
|
+
const crv = jwk.crv;
|
|
148
|
+
if (!crv || !['P-256', 'P-384', 'P-521'].includes(crv)) {
|
|
149
|
+
throw new errors_js_1.ConfigurationError(`Unsupported EC curve: ${crv}`);
|
|
150
|
+
}
|
|
151
|
+
key = await crypto.subtle.importKey('jwk', jwk, { name: 'ECDH', namedCurve: crv }, true, []);
|
|
152
|
+
}
|
|
153
|
+
else {
|
|
154
|
+
throw new errors_js_1.ConfigurationError(`Unsupported JWK key type: ${jwk.kty}`);
|
|
155
|
+
}
|
|
156
|
+
const spkiBuffer = await crypto.subtle.exportKey('spki', key);
|
|
157
|
+
return (0, crypto_utils_js_1.formatAsPem)(spkiBuffer, 'PUBLIC KEY');
|
|
158
|
+
}
|
|
159
|
+
/**
|
|
160
|
+
* Convert a PEM public key to JWK format.
|
|
161
|
+
* Returns only public key components (no private key data).
|
|
162
|
+
*/
|
|
163
|
+
async function publicKeyPemToJwk(publicKeyPem) {
|
|
164
|
+
const keyDataBase64 = (0, crypto_utils_js_1.removePemFormatting)(publicKeyPem);
|
|
165
|
+
const keyBuffer = (0, base64_js_1.decodeArrayBuffer)(keyDataBase64);
|
|
166
|
+
const hex = (0, hex_js_1.encodeArrayBuffer)(keyBuffer);
|
|
167
|
+
// Detect key type using OID
|
|
168
|
+
const algorithmName = (0, pemPublicToCrypto_js_1.guessAlgorithmName)(hex);
|
|
169
|
+
if (algorithmName === 'ECDH' || algorithmName === 'ECDSA') {
|
|
170
|
+
// EC key - detect curve from OID
|
|
171
|
+
const namedCurve = (0, pemPublicToCrypto_js_1.guessCurveName)(hex);
|
|
172
|
+
const key = await crypto.subtle.importKey('spki', keyBuffer, { name: 'ECDSA', namedCurve }, true, ['verify']);
|
|
173
|
+
const jwk = await crypto.subtle.exportKey('jwk', key);
|
|
174
|
+
// Return only public key components
|
|
175
|
+
const { kty, crv, x, y } = jwk;
|
|
176
|
+
return { kty, crv, x, y };
|
|
177
|
+
}
|
|
178
|
+
else {
|
|
179
|
+
// RSA key
|
|
180
|
+
const key = await crypto.subtle.importKey('spki', keyBuffer, { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, true, ['verify']);
|
|
181
|
+
const jwk = await crypto.subtle.exportKey('jwk', key);
|
|
182
|
+
// Return only public key components
|
|
183
|
+
const { kty, e, n } = jwk;
|
|
184
|
+
return { kty, e, n };
|
|
185
|
+
}
|
|
186
|
+
}
|
|
187
|
+
/**
|
|
188
|
+
* Import a PEM public key as an opaque key.
|
|
189
|
+
*/
|
|
190
|
+
async function importPublicKey(pem, options) {
|
|
191
|
+
const { usage = 'encrypt', extractable = true, algorithmHint } = options;
|
|
192
|
+
// Detect algorithm from PEM; also normalises certificates → plain SPKI PEM.
|
|
193
|
+
const keyInfo = await parsePublicKeyPem(pem);
|
|
194
|
+
const algorithm = algorithmHint || keyInfo.algorithm;
|
|
195
|
+
// Use keyInfo.pem (normalised SPKI) not the original pem, which may be a certificate.
|
|
196
|
+
// Passing raw X.509 DER bytes to crypto.subtle.importKey('spki') would throw DataError.
|
|
197
|
+
const keyData = (0, crypto_utils_js_1.removePemFormatting)(keyInfo.pem);
|
|
198
|
+
const keyBuffer = (0, base64_js_1.decodeArrayBuffer)(keyData);
|
|
199
|
+
// Determine Web Crypto algorithm and usages based on key type and usage
|
|
200
|
+
let cryptoAlgorithm;
|
|
201
|
+
let keyUsages;
|
|
202
|
+
if (algorithm.startsWith('rsa:')) {
|
|
203
|
+
if (usage === 'encrypt') {
|
|
204
|
+
cryptoAlgorithm = (0, rsa_js_1.rsaOaepSha1)();
|
|
205
|
+
keyUsages = ['encrypt'];
|
|
206
|
+
}
|
|
207
|
+
else if (usage === 'sign') {
|
|
208
|
+
cryptoAlgorithm = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
|
|
209
|
+
keyUsages = ['verify'];
|
|
210
|
+
}
|
|
211
|
+
else {
|
|
212
|
+
throw new errors_js_1.ConfigurationError('RSA keys only support usage: encrypt or sign');
|
|
213
|
+
}
|
|
214
|
+
}
|
|
215
|
+
else if (algorithm.startsWith('ec:')) {
|
|
216
|
+
const curve = algorithm.split(':')[1];
|
|
217
|
+
const namedCurve = curve === 'secp256r1'
|
|
218
|
+
? 'P-256'
|
|
219
|
+
: curve === 'secp384r1'
|
|
220
|
+
? 'P-384'
|
|
221
|
+
: curve === 'secp521r1'
|
|
222
|
+
? 'P-521'
|
|
223
|
+
: (() => {
|
|
224
|
+
throw new errors_js_1.ConfigurationError(`Unsupported EC curve: ${curve}`);
|
|
225
|
+
})();
|
|
226
|
+
if (usage === 'derive') {
|
|
227
|
+
cryptoAlgorithm = { name: 'ECDH', namedCurve };
|
|
228
|
+
keyUsages = [];
|
|
229
|
+
}
|
|
230
|
+
else if (usage === 'sign') {
|
|
231
|
+
cryptoAlgorithm = { name: 'ECDSA', namedCurve };
|
|
232
|
+
keyUsages = ['verify'];
|
|
233
|
+
}
|
|
234
|
+
else {
|
|
235
|
+
throw new errors_js_1.ConfigurationError('EC keys only support usage: derive or sign');
|
|
236
|
+
}
|
|
237
|
+
}
|
|
238
|
+
else {
|
|
239
|
+
throw new errors_js_1.ConfigurationError(`Unsupported algorithm: ${algorithm}`);
|
|
240
|
+
}
|
|
241
|
+
// Import as CryptoKey
|
|
242
|
+
const cryptoKey = await crypto.subtle.importKey('spki', keyBuffer, cryptoAlgorithm, extractable, keyUsages);
|
|
243
|
+
return (0, keys_js_1.wrapPublicKey)(cryptoKey, algorithm);
|
|
244
|
+
}
|
|
245
|
+
/**
|
|
246
|
+
* Import a PEM private key as an opaque key.
|
|
247
|
+
*/
|
|
248
|
+
async function importPrivateKey(pem, options) {
|
|
249
|
+
const { usage = 'encrypt', extractable = true, algorithmHint } = options;
|
|
250
|
+
// Detect algorithm from PEM structure (similar to public key detection)
|
|
251
|
+
// For now, use algorithmHint if provided, otherwise detect from key structure
|
|
252
|
+
let algorithm;
|
|
253
|
+
const keyData = (0, crypto_utils_js_1.removePemFormatting)(pem);
|
|
254
|
+
const keyBuffer = (0, base64_js_1.decodeArrayBuffer)(keyData);
|
|
255
|
+
if (algorithmHint) {
|
|
256
|
+
algorithm = algorithmHint;
|
|
257
|
+
}
|
|
258
|
+
else {
|
|
259
|
+
// PKCS#8 PrivateKeyInfo embeds the same AlgorithmIdentifier OIDs as SPKI,
|
|
260
|
+
// so guessAlgorithmName / guessCurveName work on private key bytes too.
|
|
261
|
+
const hex = (0, hex_js_1.encodeArrayBuffer)(keyBuffer);
|
|
262
|
+
const algorithmName = (0, pemPublicToCrypto_js_1.guessAlgorithmName)(hex); // throws on unrecognised OID
|
|
263
|
+
if (algorithmName === 'ECDH' || algorithmName === 'ECDSA') {
|
|
264
|
+
const namedCurve = (0, pemPublicToCrypto_js_1.guessCurveName)(hex);
|
|
265
|
+
const curveMap = {
|
|
266
|
+
'P-256': 'ec:secp256r1',
|
|
267
|
+
'P-384': 'ec:secp384r1',
|
|
268
|
+
'P-521': 'ec:secp521r1',
|
|
269
|
+
};
|
|
270
|
+
const mapped = curveMap[namedCurve];
|
|
271
|
+
if (!mapped)
|
|
272
|
+
throw new errors_js_1.ConfigurationError(`Unsupported EC curve in private key: ${namedCurve}`);
|
|
273
|
+
algorithm = mapped;
|
|
274
|
+
}
|
|
275
|
+
else {
|
|
276
|
+
// RSA — determine key size by importing and reading modulus length from JWK
|
|
277
|
+
const tempKey = await crypto.subtle.importKey('pkcs8', keyBuffer, { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, true, ['sign']);
|
|
278
|
+
const jwk = await crypto.subtle.exportKey('jwk', tempKey);
|
|
279
|
+
if (!jwk.n) {
|
|
280
|
+
throw new errors_js_1.ConfigurationError('Invalid RSA private key: missing modulus');
|
|
281
|
+
}
|
|
282
|
+
const modulusBits = base64urlByteLength(jwk.n) * 8;
|
|
283
|
+
if (modulusBits < declarations_js_1.MIN_ASYMMETRIC_KEY_SIZE_BITS) {
|
|
284
|
+
throw new errors_js_1.ConfigurationError(`RSA key size ${modulusBits} bits is below the minimum of ${declarations_js_1.MIN_ASYMMETRIC_KEY_SIZE_BITS} bits`);
|
|
285
|
+
}
|
|
286
|
+
algorithm = modulusBits <= 2048 ? 'rsa:2048' : 'rsa:4096';
|
|
287
|
+
}
|
|
288
|
+
}
|
|
289
|
+
// Determine Web Crypto algorithm and usages
|
|
290
|
+
let cryptoAlgorithm;
|
|
291
|
+
let keyUsages;
|
|
292
|
+
if (algorithm.startsWith('rsa:')) {
|
|
293
|
+
if (usage === 'encrypt') {
|
|
294
|
+
cryptoAlgorithm = (0, rsa_js_1.rsaOaepSha1)();
|
|
295
|
+
keyUsages = ['decrypt'];
|
|
296
|
+
}
|
|
297
|
+
else if (usage === 'sign') {
|
|
298
|
+
cryptoAlgorithm = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
|
|
299
|
+
keyUsages = ['sign'];
|
|
300
|
+
}
|
|
301
|
+
else {
|
|
302
|
+
throw new errors_js_1.ConfigurationError('RSA keys only support usage: encrypt or sign');
|
|
303
|
+
}
|
|
304
|
+
}
|
|
305
|
+
else if (algorithm.startsWith('ec:')) {
|
|
306
|
+
const curve = algorithm.split(':')[1];
|
|
307
|
+
const namedCurve = curve === 'secp256r1'
|
|
308
|
+
? 'P-256'
|
|
309
|
+
: curve === 'secp384r1'
|
|
310
|
+
? 'P-384'
|
|
311
|
+
: curve === 'secp521r1'
|
|
312
|
+
? 'P-521'
|
|
313
|
+
: (() => {
|
|
314
|
+
throw new errors_js_1.ConfigurationError(`Unsupported EC curve: ${curve}`);
|
|
315
|
+
})();
|
|
316
|
+
if (usage === 'derive') {
|
|
317
|
+
cryptoAlgorithm = { name: 'ECDH', namedCurve };
|
|
318
|
+
keyUsages = ['deriveBits'];
|
|
319
|
+
}
|
|
320
|
+
else if (usage === 'sign') {
|
|
321
|
+
cryptoAlgorithm = { name: 'ECDSA', namedCurve };
|
|
322
|
+
keyUsages = ['sign'];
|
|
323
|
+
}
|
|
324
|
+
else {
|
|
325
|
+
throw new errors_js_1.ConfigurationError('EC keys only support usage: derive or sign');
|
|
326
|
+
}
|
|
327
|
+
}
|
|
328
|
+
else {
|
|
329
|
+
throw new errors_js_1.ConfigurationError(`Unsupported algorithm: ${algorithm}`);
|
|
330
|
+
}
|
|
331
|
+
// Import as CryptoKey
|
|
332
|
+
const cryptoKey = await crypto.subtle.importKey('pkcs8', keyBuffer, cryptoAlgorithm, extractable, keyUsages);
|
|
333
|
+
return (0, keys_js_1.wrapPrivateKey)(cryptoKey, algorithm);
|
|
334
|
+
}
|
|
335
|
+
/**
|
|
336
|
+
* Export an opaque public key to PEM format.
|
|
337
|
+
*/
|
|
338
|
+
async function exportPublicKeyPem(key) {
|
|
339
|
+
const cryptoKey = (0, keys_js_1.unwrapKey)(key);
|
|
340
|
+
const keyBuffer = await crypto.subtle.exportKey('spki', cryptoKey);
|
|
341
|
+
return (0, crypto_utils_js_1.formatAsPem)(keyBuffer, 'PUBLIC KEY');
|
|
342
|
+
}
|
|
343
|
+
/**
|
|
344
|
+
* Export an opaque private key to PEM format.
|
|
345
|
+
* ONLY USE FOR TESTING/DEVELOPMENT. Private keys should NOT be exportable in secure environments.
|
|
346
|
+
*/
|
|
347
|
+
async function exportPrivateKeyPem(key) {
|
|
348
|
+
const cryptoKey = (0, keys_js_1.unwrapKey)(key);
|
|
349
|
+
const keyBuffer = await crypto.subtle.exportKey('pkcs8', cryptoKey);
|
|
350
|
+
return (0, crypto_utils_js_1.formatAsPem)(keyBuffer, 'PRIVATE KEY');
|
|
351
|
+
}
|
|
352
|
+
/**
|
|
353
|
+
* Export an opaque public key to JWK format.
|
|
354
|
+
*/
|
|
355
|
+
async function exportPublicKeyJwk(key) {
|
|
356
|
+
const cryptoKey = (0, keys_js_1.unwrapKey)(key);
|
|
357
|
+
return await crypto.subtle.exportKey('jwk', cryptoKey);
|
|
358
|
+
}
|
|
359
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoia2V5LWZvcm1hdC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL2NyeXB0by9jb3JlL2tleS1mb3JtYXQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUF3QkEsa0RBd0JDO0FBcURELDhDQW1EQztBQUtELDhDQXFCQztBQU1ELDhDQW9DQztBQUtELDBDQTZEQztBQUtELDRDQXFHQztBQUtELGdEQUlDO0FBTUQsa0RBSUM7QUFLRCxnREFHQztBQW5hRCx3REFPNEI7QUFDNUIseURBQStEO0FBQy9ELHdEQUFzRTtBQUN0RSw2REFBa0Y7QUFDbEYsbUVBQXdGO0FBQ3hGLCtCQUE4QztBQUM5QyxzRkFJcUQ7QUFDckQsdUNBQXFFO0FBQ3JFLHFDQUF1QztBQUV2Qzs7R0FFRztBQUNJLEtBQUssVUFBVSxtQkFBbUIsQ0FDdkMsU0FBaUIsRUFDakIsWUFBcUI7SUFFckIsZ0RBQWdEO0lBQ2hELElBQUksU0FBUyxDQUFDLFFBQVEsQ0FBQyw2QkFBNkIsQ0FBQyxFQUFFLENBQUM7UUFDdEQsSUFBSSxHQUFHLEdBQUcsWUFBWSxDQUFDO1FBQ3ZCLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztZQUNULDhDQUE4QztZQUM5QyxNQUFNLFFBQVEsR0FBRyxTQUFTLENBQUMsT0FBTyxDQUFDLHVDQUF1QyxFQUFFLEVBQUUsQ0FBQyxDQUFDO1lBQ2hGLE1BQU0sU0FBUyxHQUFHLElBQUEsNkJBQVksRUFBQyxRQUFRLENBQUMsQ0FBQztZQUN6QyxNQUFNLEdBQUcsR0FBRyxJQUFBLDBCQUFTLEVBQUMsU0FBUyxDQUFDLENBQUM7WUFDakMsR0FBRyxHQUFHLElBQUEsK0JBQVEsRUFBQyxHQUFHLENBQUMsQ0FBQztRQUN0QixDQUFDO1FBQ0QsTUFBTSxJQUFJLEdBQUcsTUFBTSxJQUFBLGlCQUFVLEVBQUMsU0FBUyxFQUFFLEdBQUcsRUFBRSxFQUFFLFdBQVcsRUFBRSxJQUFJLEVBQUUsQ0FBQyxDQUFDO1FBQ3JFLE9BQU8sSUFBQSxpQkFBVSxFQUFDLElBQUksQ0FBQyxDQUFDO0lBQzFCLENBQUM7SUFFRCxpREFBaUQ7SUFDakQsSUFBSSxTQUFTLENBQUMsUUFBUSxDQUFDLDRCQUE0QixDQUFDLEVBQUUsQ0FBQztRQUNyRCxPQUFPLFNBQVMsQ0FBQztJQUNuQixDQUFDO0lBRUQsTUFBTSxJQUFJLDhCQUFrQixDQUFDLHVEQUF1RCxDQUFDLENBQUM7QUFDeEYsQ0FBQztBQUVELE1BQU0sbUJBQW1CLEdBQUcsQ0FBQyxPQUFPLEVBQUUsT0FBTyxFQUFFLE9BQU8sQ0FBVSxDQUFDO0FBR2pFOzs7R0FHRztBQUNILFNBQVMsbUJBQW1CLENBQUMsU0FBaUI7SUFDNUMsa0RBQWtEO0lBQ2xELE1BQU0sT0FBTyxHQUFHLENBQUMsQ0FBQyxHQUFHLENBQUMsU0FBUyxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUNqRCxNQUFNLE1BQU0sR0FBRyxTQUFTLEdBQUcsR0FBRyxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUMvQyxPQUFPLElBQUEsNkJBQVksRUFBQyxNQUFNLENBQUMsQ0FBQyxVQUFVLENBQUM7QUFDekMsQ0FBQztBQUVEOzs7R0FHRztBQUNILFNBQVMsMkJBQTJCLENBQUMsT0FBb0I7SUFDdkQsaUNBQWlDO0lBQ2pDLE1BQU0sTUFBTSxHQUFHLElBQUEsMEJBQVMsRUFBQyxPQUFPLENBQUMsQ0FBQztJQUNsQyxpRUFBaUU7SUFDakUsTUFBTSxTQUFTLEdBQUcsSUFBQSxxQ0FBYyxFQUFDLE1BQU0sQ0FBQyxDQUFDO0lBQ3pDLE9BQU8sU0FBNkIsQ0FBQztBQUN2QyxDQUFDO0FBRUQ7OztHQUdHO0FBQ0gsS0FBSyxVQUFVLDBCQUEwQixDQUFDLE9BQW9CO0lBQzVELE1BQU0sR0FBRyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQ3ZDLE1BQU0sRUFDTixPQUFPLEVBQ1AsRUFBRSxJQUFJLEVBQUUsVUFBVSxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsRUFDckMsSUFBSSxFQUNKLENBQUMsU0FBUyxDQUFDLENBQ1osQ0FBQztJQUNGLE1BQU0sR0FBRyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsS0FBSyxFQUFFLEdBQUcsQ0FBQyxDQUFDO0lBQ3RELElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFDWCxNQUFNLElBQUksOEJBQWtCLENBQUMsa0NBQWtDLENBQUMsQ0FBQztJQUNuRSxDQUFDO0lBQ0QsdUNBQXVDO0lBQ3ZDLGlEQUFpRDtJQUNqRCxPQUFPLG1CQUFtQixDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUM7QUFDeEMsQ0FBQztBQUVEOzs7R0FHRztBQUNJLEtBQUssVUFBVSxpQkFBaUIsQ0FBQyxHQUFXO0lBQ2pELGlEQUFpRDtJQUNqRCxJQUFJLFlBQVksR0FBRyxHQUFHLENBQUM7SUFDdkIsSUFBSSxHQUFHLENBQUMsUUFBUSxDQUFDLDZCQUE2QixDQUFDLEVBQUUsQ0FBQztRQUNoRCxZQUFZLEdBQUcsTUFBTSxtQkFBbUIsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUNoRCxDQUFDO0lBRUQsSUFBSSxDQUFDLFlBQVksQ0FBQyxRQUFRLENBQUMsNEJBQTRCLENBQUMsRUFBRSxDQUFDO1FBQ3pELE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyx1REFBdUQsQ0FBQyxDQUFDO0lBQ3hGLENBQUM7SUFFRCxNQUFNLE9BQU8sR0FBRyxJQUFBLDZCQUFZLEVBQUMsSUFBQSxxQ0FBbUIsRUFBQyxZQUFZLENBQUMsQ0FBQyxDQUFDO0lBRWhFLHFEQUFxRDtJQUNyRCxJQUFJLENBQUM7UUFDSCxNQUFNLFdBQVcsR0FBRyxNQUFNLDBCQUEwQixDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQzlELElBQUksU0FBcUMsQ0FBQztRQUMxQyxJQUFJLFdBQVcsR0FBRyw4Q0FBNEIsRUFBRSxDQUFDO1lBQy9DLE1BQU0sSUFBSSw4QkFBa0IsQ0FDMUIsZ0JBQWdCLFdBQVcsaUNBQWlDLDhDQUE0QixPQUFPLENBQ2hHLENBQUM7UUFDSixDQUFDO2FBQU0sSUFBSSxXQUFXLElBQUksSUFBSSxFQUFFLENBQUM7WUFDL0IsU0FBUyxHQUFHLFVBQVUsQ0FBQztRQUN6QixDQUFDO2FBQU0sSUFBSSxXQUFXLElBQUksSUFBSSxFQUFFLENBQUM7WUFDL0IsU0FBUyxHQUFHLFVBQVUsQ0FBQztRQUN6QixDQUFDO2FBQU0sQ0FBQztZQUNOLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyw2QkFBNkIsV0FBVyxPQUFPLENBQUMsQ0FBQztRQUNoRixDQUFDO1FBQ0QsT0FBTyxFQUFFLFNBQVMsRUFBRSxHQUFHLEVBQUUsWUFBWSxFQUFFLENBQUM7SUFDMUMsQ0FBQztJQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7UUFDWCw4Q0FBOEM7UUFDOUMsSUFBSSxDQUFDLFlBQVksOEJBQWtCLEVBQUUsQ0FBQztZQUNwQyxNQUFNLENBQUMsQ0FBQztRQUNWLENBQUM7UUFDRCw4QkFBOEI7SUFDaEMsQ0FBQztJQUVELGdDQUFnQztJQUNoQyxJQUFJLENBQUM7UUFDSCxNQUFNLGFBQWEsR0FBRywyQkFBMkIsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUMzRCxNQUFNLFFBQVEsR0FBRztZQUNmLE9BQU8sRUFBRSxjQUFjO1lBQ3ZCLE9BQU8sRUFBRSxjQUFjO1lBQ3ZCLE9BQU8sRUFBRSxjQUFjO1NBQ2YsQ0FBQztRQUNYLE9BQU8sRUFBRSxTQUFTLEVBQUUsUUFBUSxDQUFDLGFBQWEsQ0FBQyxFQUFFLEdBQUcsRUFBRSxZQUFZLEVBQUUsQ0FBQztJQUNuRSxDQUFDO0lBQUMsTUFBTSxDQUFDO1FBQ1AscUJBQXFCO0lBQ3ZCLENBQUM7SUFFRCxNQUFNLElBQUksOEJBQWtCLENBQUMsaUVBQWlFLENBQUMsQ0FBQztBQUNsRyxDQUFDO0FBRUQ7O0dBRUc7QUFDSSxLQUFLLFVBQVUsaUJBQWlCLENBQUMsR0FBZTtJQUNyRCxJQUFJLEdBQWMsQ0FBQztJQUVuQixJQUFJLEdBQUcsQ0FBQyxHQUFHLEtBQUssS0FBSyxFQUFFLENBQUM7UUFDdEIsVUFBVTtRQUNWLEdBQUcsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLEtBQUssRUFBRSxHQUFHLEVBQUUsRUFBRSxJQUFJLEVBQUUsVUFBVSxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsRUFBRSxJQUFJLEVBQUU7WUFDM0YsU0FBUztTQUNWLENBQUMsQ0FBQztJQUNMLENBQUM7U0FBTSxJQUFJLEdBQUcsQ0FBQyxHQUFHLEtBQUssSUFBSSxFQUFFLENBQUM7UUFDNUIsU0FBUztRQUNULE1BQU0sR0FBRyxHQUFHLEdBQUcsQ0FBQyxHQUFHLENBQUM7UUFDcEIsSUFBSSxDQUFDLEdBQUcsSUFBSSxDQUFDLENBQUMsT0FBTyxFQUFFLE9BQU8sRUFBRSxPQUFPLENBQUMsQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUN2RCxNQUFNLElBQUksOEJBQWtCLENBQUMseUJBQXlCLEdBQUcsRUFBRSxDQUFDLENBQUM7UUFDL0QsQ0FBQztRQUNELEdBQUcsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLEtBQUssRUFBRSxHQUFHLEVBQUUsRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLFVBQVUsRUFBRSxHQUFHLEVBQUUsRUFBRSxJQUFJLEVBQUUsRUFBRSxDQUFDLENBQUM7SUFDL0YsQ0FBQztTQUFNLENBQUM7UUFDTixNQUFNLElBQUksOEJBQWtCLENBQUMsNkJBQTZCLEdBQUcsQ0FBQyxHQUFHLEVBQUUsQ0FBQyxDQUFDO0lBQ3ZFLENBQUM7SUFFRCxNQUFNLFVBQVUsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLE1BQU0sRUFBRSxHQUFHLENBQUMsQ0FBQztJQUM5RCxPQUFPLElBQUEsNkJBQVcsRUFBQyxVQUFVLEVBQUUsWUFBWSxDQUFDLENBQUM7QUFDL0MsQ0FBQztBQUVEOzs7R0FHRztBQUNJLEtBQUssVUFBVSxpQkFBaUIsQ0FBQyxZQUFvQjtJQUMxRCxNQUFNLGFBQWEsR0FBRyxJQUFBLHFDQUFtQixFQUFDLFlBQVksQ0FBQyxDQUFDO0lBQ3hELE1BQU0sU0FBUyxHQUFHLElBQUEsNkJBQVksRUFBQyxhQUFhLENBQUMsQ0FBQztJQUM5QyxNQUFNLEdBQUcsR0FBRyxJQUFBLDBCQUFTLEVBQUMsU0FBUyxDQUFDLENBQUM7SUFFakMsNEJBQTRCO0lBQzVCLE1BQU0sYUFBYSxHQUFHLElBQUEseUNBQWtCLEVBQUMsR0FBRyxDQUFDLENBQUM7SUFFOUMsSUFBSSxhQUFhLEtBQUssTUFBTSxJQUFJLGFBQWEsS0FBSyxPQUFPLEVBQUUsQ0FBQztRQUMxRCxpQ0FBaUM7UUFDakMsTUFBTSxVQUFVLEdBQUcsSUFBQSxxQ0FBYyxFQUFDLEdBQUcsQ0FBQyxDQUFDO1FBQ3ZDLE1BQU0sR0FBRyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQ3ZDLE1BQU0sRUFDTixTQUFTLEVBQ1QsRUFBRSxJQUFJLEVBQUUsT0FBTyxFQUFFLFVBQVUsRUFBRSxFQUM3QixJQUFJLEVBQ0osQ0FBQyxRQUFRLENBQUMsQ0FDWCxDQUFDO1FBQ0YsTUFBTSxHQUFHLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxLQUFLLEVBQUUsR0FBRyxDQUFDLENBQUM7UUFDdEQsb0NBQW9DO1FBQ3BDLE1BQU0sRUFBRSxHQUFHLEVBQUUsR0FBRyxFQUFFLENBQUMsRUFBRSxDQUFDLEVBQUUsR0FBRyxHQUFHLENBQUM7UUFDL0IsT0FBTyxFQUFFLEdBQUcsRUFBRSxHQUFHLEVBQUUsQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDO0lBQzVCLENBQUM7U0FBTSxDQUFDO1FBQ04sVUFBVTtRQUNWLE1BQU0sR0FBRyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQ3ZDLE1BQU0sRUFDTixTQUFTLEVBQ1QsRUFBRSxJQUFJLEVBQUUsbUJBQW1CLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxFQUM5QyxJQUFJLEVBQ0osQ0FBQyxRQUFRLENBQUMsQ0FDWCxDQUFDO1FBQ0YsTUFBTSxHQUFHLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxLQUFLLEVBQUUsR0FBRyxDQUFDLENBQUM7UUFDdEQsb0NBQW9DO1FBQ3BDLE1BQU0sRUFBRSxHQUFHLEVBQUUsQ0FBQyxFQUFFLENBQUMsRUFBRSxHQUFHLEdBQUcsQ0FBQztRQUMxQixPQUFPLEVBQUUsR0FBRyxFQUFFLENBQUMsRUFBRSxDQUFDLEVBQUUsQ0FBQztJQUN2QixDQUFDO0FBQ0gsQ0FBQztBQUVEOztHQUVHO0FBQ0ksS0FBSyxVQUFVLGVBQWUsQ0FBQyxHQUFXLEVBQUUsT0FBbUI7SUFDcEUsTUFBTSxFQUFFLEtBQUssR0FBRyxTQUFTLEVBQUUsV0FBVyxHQUFHLElBQUksRUFBRSxhQUFhLEVBQUUsR0FBRyxPQUFPLENBQUM7SUFFekUsNEVBQTRFO0lBQzVFLE1BQU0sT0FBTyxHQUFHLE1BQU0saUJBQWlCLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDN0MsTUFBTSxTQUFTLEdBQUcsYUFBYSxJQUFJLE9BQU8sQ0FBQyxTQUFTLENBQUM7SUFDckQsc0ZBQXNGO0lBQ3RGLHdGQUF3RjtJQUN4RixNQUFNLE9BQU8sR0FBRyxJQUFBLHFDQUFtQixFQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUNqRCxNQUFNLFNBQVMsR0FBRyxJQUFBLDZCQUFZLEVBQUMsT0FBTyxDQUFDLENBQUM7SUFFeEMsd0VBQXdFO0lBQ3hFLElBQUksZUFBMEQsQ0FBQztJQUMvRCxJQUFJLFNBQXFCLENBQUM7SUFFMUIsSUFBSSxTQUFTLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7UUFDakMsSUFBSSxLQUFLLEtBQUssU0FBUyxFQUFFLENBQUM7WUFDeEIsZUFBZSxHQUFHLElBQUEsb0JBQVcsR0FBRSxDQUFDO1lBQ2hDLFNBQVMsR0FBRyxDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBQzFCLENBQUM7YUFBTSxJQUFJLEtBQUssS0FBSyxNQUFNLEVBQUUsQ0FBQztZQUM1QixlQUFlLEdBQUcsRUFBRSxJQUFJLEVBQUUsbUJBQW1CLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxDQUFDO1lBQ2pFLFNBQVMsR0FBRyxDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBQ3pCLENBQUM7YUFBTSxDQUFDO1lBQ04sTUFBTSxJQUFJLDhCQUFrQixDQUFDLDhDQUE4QyxDQUFDLENBQUM7UUFDL0UsQ0FBQztJQUNILENBQUM7U0FBTSxJQUFJLFNBQVMsQ0FBQyxVQUFVLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztRQUN2QyxNQUFNLEtBQUssR0FBRyxTQUFTLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ3RDLE1BQU0sVUFBVSxHQUNkLEtBQUssS0FBSyxXQUFXO1lBQ25CLENBQUMsQ0FBQyxPQUFPO1lBQ1QsQ0FBQyxDQUFDLEtBQUssS0FBSyxXQUFXO2dCQUNyQixDQUFDLENBQUMsT0FBTztnQkFDVCxDQUFDLENBQUMsS0FBSyxLQUFLLFdBQVc7b0JBQ3JCLENBQUMsQ0FBQyxPQUFPO29CQUNULENBQUMsQ0FBQyxDQUFDLEdBQUcsRUFBRTt3QkFDSixNQUFNLElBQUksOEJBQWtCLENBQUMseUJBQXlCLEtBQUssRUFBRSxDQUFDLENBQUM7b0JBQ2pFLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFFZixJQUFJLEtBQUssS0FBSyxRQUFRLEVBQUUsQ0FBQztZQUN2QixlQUFlLEdBQUcsRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLFVBQVUsRUFBRSxDQUFDO1lBQy9DLFNBQVMsR0FBRyxFQUFFLENBQUM7UUFDakIsQ0FBQzthQUFNLElBQUksS0FBSyxLQUFLLE1BQU0sRUFBRSxDQUFDO1lBQzVCLGVBQWUsR0FBRyxFQUFFLElBQUksRUFBRSxPQUFPLEVBQUUsVUFBVSxFQUFFLENBQUM7WUFDaEQsU0FBUyxHQUFHLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDekIsQ0FBQzthQUFNLENBQUM7WUFDTixNQUFNLElBQUksOEJBQWtCLENBQUMsNENBQTRDLENBQUMsQ0FBQztRQUM3RSxDQUFDO0lBQ0gsQ0FBQztTQUFNLENBQUM7UUFDTixNQUFNLElBQUksOEJBQWtCLENBQUMsMEJBQTBCLFNBQVMsRUFBRSxDQUFDLENBQUM7SUFDdEUsQ0FBQztJQUVELHNCQUFzQjtJQUN0QixNQUFNLFNBQVMsR0FBRyxNQUFNLE1BQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUM3QyxNQUFNLEVBQ04sU0FBUyxFQUNULGVBQWUsRUFDZixXQUFXLEVBQ1gsU0FBUyxDQUNWLENBQUM7SUFFRixPQUFPLElBQUEsdUJBQWEsRUFBQyxTQUFTLEVBQUUsU0FBUyxDQUFDLENBQUM7QUFDN0MsQ0FBQztBQUVEOztHQUVHO0FBQ0ksS0FBSyxVQUFVLGdCQUFnQixDQUFDLEdBQVcsRUFBRSxPQUFtQjtJQUNyRSxNQUFNLEVBQUUsS0FBSyxHQUFHLFNBQVMsRUFBRSxXQUFXLEdBQUcsSUFBSSxFQUFFLGFBQWEsRUFBRSxHQUFHLE9BQU8sQ0FBQztJQUV6RSx3RUFBd0U7SUFDeEUsOEVBQThFO0lBQzlFLElBQUksU0FBdUIsQ0FBQztJQUU1QixNQUFNLE9BQU8sR0FBRyxJQUFBLHFDQUFtQixFQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQ3pDLE1BQU0sU0FBUyxHQUFHLElBQUEsNkJBQVksRUFBQyxPQUFPLENBQUMsQ0FBQztJQUV4QyxJQUFJLGFBQWEsRUFBRSxDQUFDO1FBQ2xCLFNBQVMsR0FBRyxhQUFhLENBQUM7SUFDNUIsQ0FBQztTQUFNLENBQUM7UUFDTiwwRUFBMEU7UUFDMUUsd0VBQXdFO1FBQ3hFLE1BQU0sR0FBRyxHQUFHLElBQUEsMEJBQVMsRUFBQyxTQUFTLENBQUMsQ0FBQztRQUNqQyxNQUFNLGFBQWEsR0FBRyxJQUFBLHlDQUFrQixFQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsNkJBQTZCO1FBQzVFLElBQUksYUFBYSxLQUFLLE1BQU0sSUFBSSxhQUFhLEtBQUssT0FBTyxFQUFFLENBQUM7WUFDMUQsTUFBTSxVQUFVLEdBQUcsSUFBQSxxQ0FBYyxFQUFDLEdBQUcsQ0FBQyxDQUFDO1lBQ3ZDLE1BQU0sUUFBUSxHQUFpQztnQkFDN0MsT0FBTyxFQUFFLGNBQWM7Z0JBQ3ZCLE9BQU8sRUFBRSxjQUFjO2dCQUN2QixPQUFPLEVBQUUsY0FBYzthQUN4QixDQUFDO1lBQ0YsTUFBTSxNQUFNLEdBQUcsUUFBUSxDQUFDLFVBQVUsQ0FBQyxDQUFDO1lBQ3BDLElBQUksQ0FBQyxNQUFNO2dCQUNULE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyx3Q0FBd0MsVUFBVSxFQUFFLENBQUMsQ0FBQztZQUNyRixTQUFTLEdBQUcsTUFBTSxDQUFDO1FBQ3JCLENBQUM7YUFBTSxDQUFDO1lBQ04sNEVBQTRFO1lBQzVFLE1BQU0sT0FBTyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQzNDLE9BQU8sRUFDUCxTQUFTLEVBQ1QsRUFBRSxJQUFJLEVBQUUsbUJBQW1CLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxFQUM5QyxJQUFJLEVBQ0osQ0FBQyxNQUFNLENBQUMsQ0FDVCxDQUFDO1lBQ0YsTUFBTSxHQUFHLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxLQUFLLEVBQUUsT0FBTyxDQUFDLENBQUM7WUFDMUQsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDLEVBQUUsQ0FBQztnQkFDWCxNQUFNLElBQUksOEJBQWtCLENBQUMsMENBQTBDLENBQUMsQ0FBQztZQUMzRSxDQUFDO1lBQ0QsTUFBTSxXQUFXLEdBQUcsbUJBQW1CLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQztZQUNuRCxJQUFJLFdBQVcsR0FBRyw4Q0FBNEIsRUFBRSxDQUFDO2dCQUMvQyxNQUFNLElBQUksOEJBQWtCLENBQzFCLGdCQUFnQixXQUFXLGlDQUFpQyw4Q0FBNEIsT0FBTyxDQUNoRyxDQUFDO1lBQ0osQ0FBQztZQUNELFNBQVMsR0FBRyxXQUFXLElBQUksSUFBSSxDQUFDLENBQUMsQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLFVBQVUsQ0FBQztRQUM1RCxDQUFDO0lBQ0gsQ0FBQztJQUVELDRDQUE0QztJQUM1QyxJQUFJLGVBQTBELENBQUM7SUFDL0QsSUFBSSxTQUFxQixDQUFDO0lBRTFCLElBQUksU0FBUyxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO1FBQ2pDLElBQUksS0FBSyxLQUFLLFNBQVMsRUFBRSxDQUFDO1lBQ3hCLGVBQWUsR0FBRyxJQUFBLG9CQUFXLEdBQUUsQ0FBQztZQUNoQyxTQUFTLEdBQUcsQ0FBQyxTQUFTLENBQUMsQ0FBQztRQUMxQixDQUFDO2FBQU0sSUFBSSxLQUFLLEtBQUssTUFBTSxFQUFFLENBQUM7WUFDNUIsZUFBZSxHQUFHLEVBQUUsSUFBSSxFQUFFLG1CQUFtQixFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsQ0FBQztZQUNqRSxTQUFTLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUN2QixDQUFDO2FBQU0sQ0FBQztZQUNOLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyw4Q0FBOEMsQ0FBQyxDQUFDO1FBQy9FLENBQUM7SUFDSCxDQUFDO1NBQU0sSUFBSSxTQUFTLENBQUMsVUFBVSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7UUFDdkMsTUFBTSxLQUFLLEdBQUcsU0FBUyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUN0QyxNQUFNLFVBQVUsR0FDZCxLQUFLLEtBQUssV0FBVztZQUNuQixDQUFDLENBQUMsT0FBTztZQUNULENBQUMsQ0FBQyxLQUFLLEtBQUssV0FBVztnQkFDckIsQ0FBQyxDQUFDLE9BQU87Z0JBQ1QsQ0FBQyxDQUFDLEtBQUssS0FBSyxXQUFXO29CQUNyQixDQUFDLENBQUMsT0FBTztvQkFDVCxDQUFDLENBQUMsQ0FBQyxHQUFHLEVBQUU7d0JBQ0osTUFBTSxJQUFJLDhCQUFrQixDQUFDLHlCQUF5QixLQUFLLEVBQUUsQ0FBQyxDQUFDO29CQUNqRSxDQUFDLENBQUMsRUFBRSxDQUFDO1FBRWYsSUFBSSxLQUFLLEtBQUssUUFBUSxFQUFFLENBQUM7WUFDdkIsZUFBZSxHQUFHLEVBQUUsSUFBSSxFQUFFLE1BQU0sRUFBRSxVQUFVLEVBQUUsQ0FBQztZQUMvQyxTQUFTLEdBQUcsQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUM3QixDQUFDO2FBQU0sSUFBSSxLQUFLLEtBQUssTUFBTSxFQUFFLENBQUM7WUFDNUIsZUFBZSxHQUFHLEVBQUUsSUFBSSxFQUFFLE9BQU8sRUFBRSxVQUFVLEVBQUUsQ0FBQztZQUNoRCxTQUFTLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUN2QixDQUFDO2FBQU0sQ0FBQztZQUNOLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyw0Q0FBNEMsQ0FBQyxDQUFDO1FBQzdFLENBQUM7SUFDSCxDQUFDO1NBQU0sQ0FBQztRQUNOLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQywwQkFBMEIsU0FBUyxFQUFFLENBQUMsQ0FBQztJQUN0RSxDQUFDO0lBRUQsc0JBQXNCO0lBQ3RCLE1BQU0sU0FBUyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQzdDLE9BQU8sRUFDUCxTQUFTLEVBQ1QsZUFBZSxFQUNmLFdBQVcsRUFDWCxTQUFTLENBQ1YsQ0FBQztJQUVGLE9BQU8sSUFBQSx3QkFBYyxFQUFDLFNBQVMsRUFBRSxTQUFTLENBQUMsQ0FBQztBQUM5QyxDQUFDO0FBRUQ7O0dBRUc7QUFDSSxLQUFLLFVBQVUsa0JBQWtCLENBQUMsR0FBYztJQUNyRCxNQUFNLFNBQVMsR0FBRyxJQUFBLG1CQUFTLEVBQUMsR0FBRyxDQUFDLENBQUM7SUFDakMsTUFBTSxTQUFTLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxNQUFNLEVBQUUsU0FBUyxDQUFDLENBQUM7SUFDbkUsT0FBTyxJQUFBLDZCQUFXLEVBQUMsU0FBUyxFQUFFLFlBQVksQ0FBQyxDQUFDO0FBQzlDLENBQUM7QUFFRDs7O0dBR0c7QUFDSSxLQUFLLFVBQVUsbUJBQW1CLENBQUMsR0FBZTtJQUN2RCxNQUFNLFNBQVMsR0FBRyxJQUFBLG1CQUFTLEVBQUMsR0FBRyxDQUFDLENBQUM7SUFDakMsTUFBTSxTQUFTLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxPQUFPLEVBQUUsU0FBUyxDQUFDLENBQUM7SUFDcEUsT0FBTyxJQUFBLDZCQUFXLEVBQUMsU0FBUyxFQUFFLGFBQWEsQ0FBQyxDQUFDO0FBQy9DLENBQUM7QUFFRDs7R0FFRztBQUNJLEtBQUssVUFBVSxrQkFBa0IsQ0FBQyxHQUFjO0lBQ3JELE1BQU0sU0FBUyxHQUFHLElBQUEsbUJBQVMsRUFBQyxHQUFHLENBQUMsQ0FBQztJQUNqQyxPQUFPLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsS0FBSyxFQUFFLFNBQVMsQ0FBQyxDQUFDO0FBQ3pELENBQUMifQ==
|
|
@@ -0,0 +1,85 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.wrapPublicKey = wrapPublicKey;
|
|
4
|
+
exports.wrapPrivateKey = wrapPrivateKey;
|
|
5
|
+
exports.unwrapKey = unwrapKey;
|
|
6
|
+
exports.wrapSymmetricKey = wrapSymmetricKey;
|
|
7
|
+
exports.unwrapSymmetricKey = unwrapSymmetricKey;
|
|
8
|
+
/**
|
|
9
|
+
* Wrap a CryptoKey as an opaque PublicKey.
|
|
10
|
+
* @internal
|
|
11
|
+
*/
|
|
12
|
+
function wrapPublicKey(key, algorithm) {
|
|
13
|
+
const result = {
|
|
14
|
+
_brand: 'PublicKey',
|
|
15
|
+
algorithm,
|
|
16
|
+
_internal: key,
|
|
17
|
+
};
|
|
18
|
+
if (algorithm.startsWith('rsa:')) {
|
|
19
|
+
result.modulusBits = parseInt(algorithm.split(':')[1], 10);
|
|
20
|
+
}
|
|
21
|
+
else if (algorithm.startsWith('ec:')) {
|
|
22
|
+
const curvePart = algorithm.split(':')[1];
|
|
23
|
+
result.curve =
|
|
24
|
+
curvePart === 'secp256r1'
|
|
25
|
+
? 'P-256'
|
|
26
|
+
: curvePart === 'secp384r1'
|
|
27
|
+
? 'P-384'
|
|
28
|
+
: curvePart === 'secp521r1'
|
|
29
|
+
? 'P-521'
|
|
30
|
+
: undefined;
|
|
31
|
+
}
|
|
32
|
+
return result;
|
|
33
|
+
}
|
|
34
|
+
/**
|
|
35
|
+
* Wrap a CryptoKey as an opaque PrivateKey.
|
|
36
|
+
* @internal
|
|
37
|
+
*/
|
|
38
|
+
function wrapPrivateKey(key, algorithm) {
|
|
39
|
+
const result = {
|
|
40
|
+
_brand: 'PrivateKey',
|
|
41
|
+
algorithm,
|
|
42
|
+
_internal: key,
|
|
43
|
+
};
|
|
44
|
+
if (algorithm.startsWith('rsa:')) {
|
|
45
|
+
result.modulusBits = parseInt(algorithm.split(':')[1], 10);
|
|
46
|
+
}
|
|
47
|
+
else if (algorithm.startsWith('ec:')) {
|
|
48
|
+
const curvePart = algorithm.split(':')[1];
|
|
49
|
+
result.curve =
|
|
50
|
+
curvePart === 'secp256r1'
|
|
51
|
+
? 'P-256'
|
|
52
|
+
: curvePart === 'secp384r1'
|
|
53
|
+
? 'P-384'
|
|
54
|
+
: curvePart === 'secp521r1'
|
|
55
|
+
? 'P-521'
|
|
56
|
+
: undefined;
|
|
57
|
+
}
|
|
58
|
+
return result;
|
|
59
|
+
}
|
|
60
|
+
/**
|
|
61
|
+
* Unwrap an opaque key to get the internal CryptoKey.
|
|
62
|
+
* @internal
|
|
63
|
+
*/
|
|
64
|
+
function unwrapKey(key) {
|
|
65
|
+
return key._internal;
|
|
66
|
+
}
|
|
67
|
+
/**
|
|
68
|
+
* Wrap raw key bytes as an opaque SymmetricKey.
|
|
69
|
+
* @internal
|
|
70
|
+
*/
|
|
71
|
+
function wrapSymmetricKey(keyBytes) {
|
|
72
|
+
return {
|
|
73
|
+
_brand: 'SymmetricKey',
|
|
74
|
+
length: keyBytes.length * 8, // bits
|
|
75
|
+
_internal: keyBytes,
|
|
76
|
+
};
|
|
77
|
+
}
|
|
78
|
+
/**
|
|
79
|
+
* Unwrap an opaque SymmetricKey to get raw bytes.
|
|
80
|
+
* @internal
|
|
81
|
+
*/
|
|
82
|
+
function unwrapSymmetricKey(key) {
|
|
83
|
+
return key._internal;
|
|
84
|
+
}
|
|
85
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoia2V5cy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL2NyeXB0by9jb3JlL2tleXMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFXQSxzQ0FvQkM7QUFNRCx3Q0FvQkM7QUFNRCw4QkFFQztBQU1ELDRDQU1DO0FBTUQsZ0RBRUM7QUE5RUQ7OztHQUdHO0FBQ0gsU0FBZ0IsYUFBYSxDQUFDLEdBQWMsRUFBRSxTQUF1QjtJQUNuRSxNQUFNLE1BQU0sR0FBUTtRQUNsQixNQUFNLEVBQUUsV0FBVztRQUNuQixTQUFTO1FBQ1QsU0FBUyxFQUFFLEdBQUc7S0FDZixDQUFDO0lBQ0YsSUFBSSxTQUFTLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7UUFDakMsTUFBTSxDQUFDLFdBQVcsR0FBRyxRQUFRLENBQUMsU0FBUyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQztJQUM3RCxDQUFDO1NBQU0sSUFBSSxTQUFTLENBQUMsVUFBVSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7UUFDdkMsTUFBTSxTQUFTLEdBQUcsU0FBUyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUMxQyxNQUFNLENBQUMsS0FBSztZQUNWLFNBQVMsS0FBSyxXQUFXO2dCQUN2QixDQUFDLENBQUMsT0FBTztnQkFDVCxDQUFDLENBQUMsU0FBUyxLQUFLLFdBQVc7b0JBQ3pCLENBQUMsQ0FBQyxPQUFPO29CQUNULENBQUMsQ0FBQyxTQUFTLEtBQUssV0FBVzt3QkFDekIsQ0FBQyxDQUFDLE9BQU87d0JBQ1QsQ0FBQyxDQUFDLFNBQVMsQ0FBQztJQUN0QixDQUFDO0lBQ0QsT0FBTyxNQUFtQixDQUFDO0FBQzdCLENBQUM7QUFFRDs7O0dBR0c7QUFDSCxTQUFnQixjQUFjLENBQUMsR0FBYyxFQUFFLFNBQXVCO0lBQ3BFLE1BQU0sTUFBTSxHQUFRO1FBQ2xCLE1BQU0sRUFBRSxZQUFZO1FBQ3BCLFNBQVM7UUFDVCxTQUFTLEVBQUUsR0FBRztLQUNmLENBQUM7SUFDRixJQUFJLFNBQVMsQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQztRQUNqQyxNQUFNLENBQUMsV0FBVyxHQUFHLFFBQVEsQ0FBQyxTQUFTLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDO0lBQzdELENBQUM7U0FBTSxJQUFJLFNBQVMsQ0FBQyxVQUFVLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztRQUN2QyxNQUFNLFNBQVMsR0FBRyxTQUFTLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzFDLE1BQU0sQ0FBQyxLQUFLO1lBQ1YsU0FBUyxLQUFLLFdBQVc7Z0JBQ3ZCLENBQUMsQ0FBQyxPQUFPO2dCQUNULENBQUMsQ0FBQyxTQUFTLEtBQUssV0FBVztvQkFDekIsQ0FBQyxDQUFDLE9BQU87b0JBQ1QsQ0FBQyxDQUFDLFNBQVMsS0FBSyxXQUFXO3dCQUN6QixDQUFDLENBQUMsT0FBTzt3QkFDVCxDQUFDLENBQUMsU0FBUyxDQUFDO0lBQ3RCLENBQUM7SUFDRCxPQUFPLE1BQW9CLENBQUM7QUFDOUIsQ0FBQztBQUVEOzs7R0FHRztBQUNILFNBQWdCLFNBQVMsQ0FBQyxHQUEyQjtJQUNuRCxPQUFRLEdBQVcsQ0FBQyxTQUFTLENBQUM7QUFDaEMsQ0FBQztBQUVEOzs7R0FHRztBQUNILFNBQWdCLGdCQUFnQixDQUFDLFFBQW9CO0lBQ25ELE9BQU87UUFDTCxNQUFNLEVBQUUsY0FBYztRQUN0QixNQUFNLEVBQUUsUUFBUSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsT0FBTztRQUNwQyxTQUFTLEVBQUUsUUFBUTtLQUNKLENBQUM7QUFDcEIsQ0FBQztBQUVEOzs7R0FHRztBQUNILFNBQWdCLGtCQUFrQixDQUFDLEdBQWlCO0lBQ2xELE9BQVEsR0FBVyxDQUFDLFNBQVMsQ0FBQztBQUNoQyxDQUFDIn0=
|