@opentdf/sdk 0.9.0-beta.91 → 0.9.0-beta.93

package/dist/web/tdf3/src/crypto/jose/jwt-claims-set.js

@@ -0,0 +1,5 @@
+import jwtClaimsSet from './vendor/lib/jwt_claims_set.js';
+export default function joseJwtClaimsSet(protectedHeader, encodedPayload, options) {
+    return jwtClaimsSet(protectedHeader, encodedPayload, options);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiand0LWNsYWltcy1zZXQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi8uLi8uLi90ZGYzL3NyYy9jcnlwdG8vam9zZS9qd3QtY2xhaW1zLXNldC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFDQSxPQUFPLFlBQVksTUFBTSxnQ0FBZ0MsQ0FBQztBQUUxRCxNQUFNLENBQUMsT0FBTyxVQUFVLGdCQUFnQixDQUN0QyxlQUFvQyxFQUNwQyxjQUEwQixFQUMxQixPQUEwQjtJQUUxQixPQUFPLFlBQVksQ0FBQyxlQUFlLEVBQUUsY0FBYyxFQUFFLE9BQU8sQ0FBZSxDQUFDO0FBQzlFLENBQUMifQ==

package/dist/web/tdf3/src/crypto/jose/validate-crit.js

@@ -0,0 +1,3 @@
+import validateCrit from './vendor/lib/validate_crit.js';
+export default validateCrit;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidmFsaWRhdGUtY3JpdC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL2NyeXB0by9qb3NlL3ZhbGlkYXRlLWNyaXQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxZQUFZLE1BQU0sK0JBQStCLENBQUM7QUFFekQsZUFBZSxZQU1DLENBQUMifQ==

package/dist/web/tdf3/src/crypto/jose/vendor/lib/buffer_utils.js

@@ -0,0 +1,35 @@
+// @ts-nocheck
+// Generated from jose@6.0.8. Do not edit directly.
+export const encoder = new TextEncoder();
+export const decoder = new TextDecoder();
+const MAX_INT32 = 2 ** 32;
+export function concat(...buffers) {
+    const size = buffers.reduce((acc, { length }) => acc + length, 0);
+    const buf = new Uint8Array(size);
+    let i = 0;
+    for (const buffer of buffers) {
+        buf.set(buffer, i);
+        i += buffer.length;
+    }
+    return buf;
+}
+function writeUInt32BE(buf, value, offset) {
+    if (value < 0 || value >= MAX_INT32) {
+        throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);
+    }
+    buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);
+}
+export function uint64be(value) {
+    const high = Math.floor(value / MAX_INT32);
+    const low = value % MAX_INT32;
+    const buf = new Uint8Array(8);
+    writeUInt32BE(buf, high, 0);
+    writeUInt32BE(buf, low, 4);
+    return buf;
+}
+export function uint32be(value) {
+    const buf = new Uint8Array(4);
+    writeUInt32BE(buf, value);
+    return buf;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYnVmZmVyX3V0aWxzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdGRmMy9zcmMvY3J5cHRvL2pvc2UvdmVuZG9yL2xpYi9idWZmZXJfdXRpbHMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsY0FBYztBQUNkLG1EQUFtRDtBQUNuRCxNQUFNLENBQUMsTUFBTSxPQUFPLEdBQUcsSUFBSSxXQUFXLEVBQUUsQ0FBQztBQUN6QyxNQUFNLENBQUMsTUFBTSxPQUFPLEdBQUcsSUFBSSxXQUFXLEVBQUUsQ0FBQztBQUN6QyxNQUFNLFNBQVMsR0FBRyxDQUFDLElBQUksRUFBRSxDQUFDO0FBQzFCLE1BQU0sVUFBVSxNQUFNLENBQUMsR0FBRyxPQUFPO0lBQzdCLE1BQU0sSUFBSSxHQUFHLE9BQU8sQ0FBQyxNQUFNLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxNQUFNLEVBQUUsRUFBRSxFQUFFLENBQUMsR0FBRyxHQUFHLE1BQU0sRUFBRSxDQUFDLENBQUMsQ0FBQztJQUNsRSxNQUFNLEdBQUcsR0FBRyxJQUFJLFVBQVUsQ0FBQyxJQUFJLENBQUMsQ0FBQztJQUNqQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDVixLQUFLLE1BQU0sTUFBTSxJQUFJLE9BQU8sRUFBRSxDQUFDO1FBQzNCLEdBQUcsQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQyxDQUFDO1FBQ25CLENBQUMsSUFBSSxNQUFNLENBQUMsTUFBTSxDQUFDO0lBQ3ZCLENBQUM7SUFDRCxPQUFPLEdBQUcsQ0FBQztBQUNmLENBQUM7QUFDRCxTQUFTLGFBQWEsQ0FBQyxHQUFHLEVBQUUsS0FBSyxFQUFFLE1BQU07SUFDckMsSUFBSSxLQUFLLEdBQUcsQ0FBQyxJQUFJLEtBQUssSUFBSSxTQUFTLEVBQUUsQ0FBQztRQUNsQyxNQUFNLElBQUksVUFBVSxDQUFDLDZCQUE2QixTQUFTLEdBQUcsQ0FBQyxjQUFjLEtBQUssRUFBRSxDQUFDLENBQUM7SUFDMUYsQ0FBQztJQUNELEdBQUcsQ0FBQyxHQUFHLENBQUMsQ0FBQyxLQUFLLEtBQUssRUFBRSxFQUFFLEtBQUssS0FBSyxFQUFFLEVBQUUsS0FBSyxLQUFLLENBQUMsRUFBRSxLQUFLLEdBQUcsSUFBSSxDQUFDLEVBQUUsTUFBTSxDQUFDLENBQUM7QUFDN0UsQ0FBQztBQUNELE1BQU0sVUFBVSxRQUFRLENBQUMsS0FBSztJQUMxQixNQUFNLElBQUksR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLEtBQUssR0FBRyxTQUFTLENBQUMsQ0FBQztJQUMzQyxNQUFNLEdBQUcsR0FBRyxLQUFLLEdBQUcsU0FBUyxDQUFDO0lBQzlCLE1BQU0sR0FBRyxHQUFHLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDO0lBQzlCLGFBQWEsQ0FBQyxHQUFHLEVBQUUsSUFBSSxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBQzVCLGFBQWEsQ0FBQyxHQUFHLEVBQUUsR0FBRyxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBQzNCLE9BQU8sR0FBRyxDQUFDO0FBQ2YsQ0FBQztBQUNELE1BQU0sVUFBVSxRQUFRLENBQUMsS0FBSztJQUMxQixNQUFNLEdBQUcsR0FBRyxJQUFJLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUM5QixhQUFhLENBQUMsR0FBRyxFQUFFLEtBQUssQ0FBQyxDQUFDO0lBQzFCLE9BQU8sR0FBRyxDQUFDO0FBQ2YsQ0FBQyJ9

package/dist/web/tdf3/src/crypto/jose/vendor/lib/epoch.js

@@ -0,0 +1,4 @@
+// @ts-nocheck
+// Generated from jose@6.0.8. Do not edit directly.
+export default (date) => Math.floor(date.getTime() / 1000);
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXBvY2guanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi90ZGYzL3NyYy9jcnlwdG8vam9zZS92ZW5kb3IvbGliL2Vwb2NoLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLGNBQWM7QUFDZCxtREFBbUQ7QUFDbkQsZUFBZSxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsT0FBTyxFQUFFLEdBQUcsSUFBSSxDQUFDLENBQUMifQ==

package/dist/web/tdf3/src/crypto/jose/vendor/lib/is_object.js

@@ -0,0 +1,19 @@
+// @ts-nocheck
+// Generated from jose@6.0.8. Do not edit directly.
+function isObjectLike(value) {
+    return typeof value === 'object' && value !== null;
+}
+export default (input) => {
+    if (!isObjectLike(input) || Object.prototype.toString.call(input) !== '[object Object]') {
+        return false;
+    }
+    if (Object.getPrototypeOf(input) === null) {
+        return true;
+    }
+    let proto = input;
+    while (Object.getPrototypeOf(proto) !== null) {
+        proto = Object.getPrototypeOf(proto);
+    }
+    return Object.getPrototypeOf(input) === proto;
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaXNfb2JqZWN0LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdGRmMy9zcmMvY3J5cHRvL2pvc2UvdmVuZG9yL2xpYi9pc19vYmplY3QudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsY0FBYztBQUNkLG1EQUFtRDtBQUNuRCxTQUFTLFlBQVksQ0FBQyxLQUFLO0lBQ3ZCLE9BQU8sT0FBTyxLQUFLLEtBQUssUUFBUSxJQUFJLEtBQUssS0FBSyxJQUFJLENBQUM7QUFDdkQsQ0FBQztBQUNELGVBQWUsQ0FBQyxLQUFLLEVBQUUsRUFBRTtJQUNyQixJQUFJLENBQUMsWUFBWSxDQUFDLEtBQUssQ0FBQyxJQUFJLE1BQU0sQ0FBQyxTQUFTLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsS0FBSyxpQkFBaUIsRUFBRSxDQUFDO1FBQ3RGLE9BQU8sS0FBSyxDQUFDO0lBQ2pCLENBQUM7SUFDRCxJQUFJLE1BQU0sQ0FBQyxjQUFjLENBQUMsS0FBSyxDQUFDLEtBQUssSUFBSSxFQUFFLENBQUM7UUFDeEMsT0FBTyxJQUFJLENBQUM7SUFDaEIsQ0FBQztJQUNELElBQUksS0FBSyxHQUFHLEtBQUssQ0FBQztJQUNsQixPQUFPLE1BQU0sQ0FBQyxjQUFjLENBQUMsS0FBSyxDQUFDLEtBQUssSUFBSSxFQUFFLENBQUM7UUFDM0MsS0FBSyxHQUFHLE1BQU0sQ0FBQyxjQUFjLENBQUMsS0FBSyxDQUFDLENBQUM7SUFDekMsQ0FBQztJQUNELE9BQU8sTUFBTSxDQUFDLGNBQWMsQ0FBQyxLQUFLLENBQUMsS0FBSyxLQUFLLENBQUM7QUFDbEQsQ0FBQyxDQUFDIn0=

package/dist/web/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.js

@@ -0,0 +1,107 @@
+// @ts-nocheck
+// Generated from jose@6.0.8. Do not edit directly.
+import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';
+import { decoder } from './buffer_utils.js';
+import epoch from './epoch.js';
+import secs from './secs.js';
+import isObject from './is_object.js';
+const normalizeTyp = (value) => value.toLowerCase().replace(/^application\//, '');
+const checkAudiencePresence = (audPayload, audOption) => {
+    if (typeof audPayload === 'string') {
+        return audOption.includes(audPayload);
+    }
+    if (Array.isArray(audPayload)) {
+        return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
+    }
+    return false;
+};
+export default (protectedHeader, encodedPayload, options = {}) => {
+    let payload;
+    try {
+        payload = JSON.parse(decoder.decode(encodedPayload));
+    }
+    catch {
+    }
+    if (!isObject(payload)) {
+        throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');
+    }
+    const { typ } = options;
+    if (typ &&
+        (typeof protectedHeader.typ !== 'string' ||
+            normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {
+        throw new JWTClaimValidationFailed('unexpected "typ" JWT header value', payload, 'typ', 'check_failed');
+    }
+    const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
+    const presenceCheck = [...requiredClaims];
+    if (maxTokenAge !== undefined)
+        presenceCheck.push('iat');
+    if (audience !== undefined)
+        presenceCheck.push('aud');
+    if (subject !== undefined)
+        presenceCheck.push('sub');
+    if (issuer !== undefined)
+        presenceCheck.push('iss');
+    for (const claim of new Set(presenceCheck.reverse())) {
+        if (!(claim in payload)) {
+            throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, payload, claim, 'missing');
+        }
+    }
+    if (issuer &&
+        !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {
+        throw new JWTClaimValidationFailed('unexpected "iss" claim value', payload, 'iss', 'check_failed');
+    }
+    if (subject && payload.sub !== subject) {
+        throw new JWTClaimValidationFailed('unexpected "sub" claim value', payload, 'sub', 'check_failed');
+    }
+    if (audience &&
+        !checkAudiencePresence(payload.aud, typeof audience === 'string' ? [audience] : audience)) {
+        throw new JWTClaimValidationFailed('unexpected "aud" claim value', payload, 'aud', 'check_failed');
+    }
+    let tolerance;
+    switch (typeof options.clockTolerance) {
+        case 'string':
+            tolerance = secs(options.clockTolerance);
+            break;
+        case 'number':
+            tolerance = options.clockTolerance;
+            break;
+        case 'undefined':
+            tolerance = 0;
+            break;
+        default:
+            throw new TypeError('Invalid clockTolerance option type');
+    }
+    const { currentDate } = options;
+    const now = epoch(currentDate || new Date());
+    if ((payload.iat !== undefined || maxTokenAge) && typeof payload.iat !== 'number') {
+        throw new JWTClaimValidationFailed('"iat" claim must be a number', payload, 'iat', 'invalid');
+    }
+    if (payload.nbf !== undefined) {
+        if (typeof payload.nbf !== 'number') {
+            throw new JWTClaimValidationFailed('"nbf" claim must be a number', payload, 'nbf', 'invalid');
+        }
+        if (payload.nbf > now + tolerance) {
+            throw new JWTClaimValidationFailed('"nbf" claim timestamp check failed', payload, 'nbf', 'check_failed');
+        }
+    }
+    if (payload.exp !== undefined) {
+        if (typeof payload.exp !== 'number') {
+            throw new JWTClaimValidationFailed('"exp" claim must be a number', payload, 'exp', 'invalid');
+        }
+        if (payload.exp <= now - tolerance) {
+            throw new JWTExpired('"exp" claim timestamp check failed', payload, 'exp', 'check_failed');
+        }
+    }
+    if (maxTokenAge) {
+        const age = now - payload.iat;
+        const max = typeof maxTokenAge === 'number' ? maxTokenAge : secs(maxTokenAge);
+        if (age - tolerance > max) {
+            throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', payload, 'iat', 'check_failed');
+        }
+        if (age < 0 - tolerance) {
+            throw new JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', payload, 'iat', 'check_failed');
+        }
+    }
+    return payload;
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiand0X2NsYWltc19zZXQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi90ZGYzL3NyYy9jcnlwdG8vam9zZS92ZW5kb3IvbGliL2p3dF9jbGFpbXNfc2V0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLGNBQWM7QUFDZCxtREFBbUQ7QUFDbkQsT0FBTyxFQUFFLHdCQUF3QixFQUFFLFVBQVUsRUFBRSxVQUFVLEVBQUUsTUFBTSxtQkFBbUIsQ0FBQztBQUNyRixPQUFPLEVBQUUsT0FBTyxFQUFFLE1BQU0sbUJBQW1CLENBQUM7QUFDNUMsT0FBTyxLQUFLLE1BQU0sWUFBWSxDQUFDO0FBQy9CLE9BQU8sSUFBSSxNQUFNLFdBQVcsQ0FBQztBQUM3QixPQUFPLFFBQVEsTUFBTSxnQkFBZ0IsQ0FBQztBQUN0QyxNQUFNLFlBQVksR0FBRyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsS0FBSyxDQUFDLFdBQVcsRUFBRSxDQUFDLE9BQU8sQ0FBQyxnQkFBZ0IsRUFBRSxFQUFFLENBQUMsQ0FBQztBQUNsRixNQUFNLHFCQUFxQixHQUFHLENBQUMsVUFBVSxFQUFFLFNBQVMsRUFBRSxFQUFFO0lBQ3BELElBQUksT0FBTyxVQUFVLEtBQUssUUFBUSxFQUFFLENBQUM7UUFDakMsT0FBTyxTQUFTLENBQUMsUUFBUSxDQUFDLFVBQVUsQ0FBQyxDQUFDO0lBQzFDLENBQUM7SUFDRCxJQUFJLEtBQUssQ0FBQyxPQUFPLENBQUMsVUFBVSxDQUFDLEVBQUUsQ0FBQztRQUM1QixPQUFPLFNBQVMsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLFNBQVMsQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLElBQUksR0FBRyxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUN2RSxDQUFDO0lBQ0QsT0FBTyxLQUFLLENBQUM7QUFDakIsQ0FBQyxDQUFDO0FBQ0YsZUFBZSxDQUFDLGVBQWUsRUFBRSxjQUFjLEVBQUUsT0FBTyxHQUFHLEVBQUUsRUFBRSxFQUFFO0lBQzdELElBQUksT0FBTyxDQUFDO0lBQ1osSUFBSSxDQUFDO1FBQ0QsT0FBTyxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxjQUFjLENBQUMsQ0FBQyxDQUFDO0lBQ3pELENBQUM7SUFDRCxNQUFNLENBQUM7SUFDUCxDQUFDO0lBQ0QsSUFBSSxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ3JCLE1BQU0sSUFBSSxVQUFVLENBQUMsZ0RBQWdELENBQUMsQ0FBQztJQUMzRSxDQUFDO0lBQ0QsTUFBTSxFQUFFLEdBQUcsRUFBRSxHQUFHLE9BQU8sQ0FBQztJQUN4QixJQUFJLEdBQUc7UUFDSCxDQUFDLE9BQU8sZUFBZSxDQUFDLEdBQUcsS0FBSyxRQUFRO1lBQ3BDLFlBQVksQ0FBQyxlQUFlLENBQUMsR0FBRyxDQUFDLEtBQUssWUFBWSxDQUFDLEdBQUcsQ0FBQyxDQUFDLEVBQUUsQ0FBQztRQUMvRCxNQUFNLElBQUksd0JBQXdCLENBQUMsbUNBQW1DLEVBQUUsT0FBTyxFQUFFLEtBQUssRUFBRSxjQUFjLENBQUMsQ0FBQztJQUM1RyxDQUFDO0lBQ0QsTUFBTSxFQUFFLGNBQWMsR0FBRyxFQUFFLEVBQUUsTUFBTSxFQUFFLE9BQU8sRUFBRSxRQUFRLEVBQUUsV0FBVyxFQUFFLEdBQUcsT0FBTyxDQUFDO0lBQ2hGLE1BQU0sYUFBYSxHQUFHLENBQUMsR0FBRyxjQUFjLENBQUMsQ0FBQztJQUMxQyxJQUFJLFdBQVcsS0FBSyxTQUFTO1FBQ3pCLGFBQWEsQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUM7SUFDOUIsSUFBSSxRQUFRLEtBQUssU0FBUztRQUN0QixhQUFhLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFDO0lBQzlCLElBQUksT0FBTyxLQUFLLFNBQVM7UUFDckIsYUFBYSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUM5QixJQUFJLE1BQU0sS0FBSyxTQUFTO1FBQ3BCLGFBQWEsQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUM7SUFDOUIsS0FBSyxNQUFNLEtBQUssSUFBSSxJQUFJLEdBQUcsQ0FBQyxhQUFhLENBQUMsT0FBTyxFQUFFLENBQUMsRUFBRSxDQUFDO1FBQ25ELElBQUksQ0FBQyxDQUFDLEtBQUssSUFBSSxPQUFPLENBQUMsRUFBRSxDQUFDO1lBQ3RCLE1BQU0sSUFBSSx3QkFBd0IsQ0FBQyxxQkFBcUIsS0FBSyxTQUFTLEVBQUUsT0FBTyxFQUFFLEtBQUssRUFBRSxTQUFTLENBQUMsQ0FBQztRQUN2RyxDQUFDO0lBQ0wsQ0FBQztJQUNELElBQUksTUFBTTtRQUNOLENBQUMsQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUM7UUFDckUsTUFBTSxJQUFJLHdCQUF3QixDQUFDLDhCQUE4QixFQUFFLE9BQU8sRUFBRSxLQUFLLEVBQUUsY0FBYyxDQUFDLENBQUM7SUFDdkcsQ0FBQztJQUNELElBQUksT0FBTyxJQUFJLE9BQU8sQ0FBQyxHQUFHLEtBQUssT0FBTyxFQUFFLENBQUM7UUFDckMsTUFBTSxJQUFJLHdCQUF3QixDQUFDLDhCQUE4QixFQUFFLE9BQU8sRUFBRSxLQUFLLEVBQUUsY0FBYyxDQUFDLENBQUM7SUFDdkcsQ0FBQztJQUNELElBQUksUUFBUTtRQUNSLENBQUMscUJBQXFCLENBQUMsT0FBTyxDQUFDLEdBQUcsRUFBRSxPQUFPLFFBQVEsS0FBSyxRQUFRLENBQUMsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUM7UUFDNUYsTUFBTSxJQUFJLHdCQUF3QixDQUFDLDhCQUE4QixFQUFFLE9BQU8sRUFBRSxLQUFLLEVBQUUsY0FBYyxDQUFDLENBQUM7SUFDdkcsQ0FBQztJQUNELElBQUksU0FBUyxDQUFDO0lBQ2QsUUFBUSxPQUFPLE9BQU8sQ0FBQyxjQUFjLEVBQUUsQ0FBQztRQUNwQyxLQUFLLFFBQVE7WUFDVCxTQUFTLEdBQUcsSUFBSSxDQUFDLE9BQU8sQ0FBQyxjQUFjLENBQUMsQ0FBQztZQUN6QyxNQUFNO1FBQ1YsS0FBSyxRQUFRO1lBQ1QsU0FBUyxHQUFHLE9BQU8sQ0FBQyxjQUFjLENBQUM7WUFDbkMsTUFBTTtRQUNWLEtBQUssV0FBVztZQUNaLFNBQVMsR0FBRyxDQUFDLENBQUM7WUFDZCxNQUFNO1FBQ1Y7WUFDSSxNQUFNLElBQUksU0FBUyxDQUFDLG9DQUFvQyxDQUFDLENBQUM7SUFDbEUsQ0FBQztJQUNELE1BQU0sRUFBRSxXQUFXLEVBQUUsR0FBRyxPQUFPLENBQUM7SUFDaEMsTUFBTSxHQUFHLEdBQUcsS0FBSyxDQUFDLFdBQVcsSUFBSSxJQUFJLElBQUksRUFBRSxDQUFDLENBQUM7SUFDN0MsSUFBSSxDQUFDLE9BQU8sQ0FBQyxHQUFHLEtBQUssU0FBUyxJQUFJLFdBQVcsQ0FBQyxJQUFJLE9BQU8sT0FBTyxDQUFDLEdBQUcsS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUNoRixNQUFNLElBQUksd0JBQXdCLENBQUMsOEJBQThCLEVBQUUsT0FBTyxFQUFFLEtBQUssRUFBRSxTQUFTLENBQUMsQ0FBQztJQUNsRyxDQUFDO0lBQ0QsSUFBSSxPQUFPLENBQUMsR0FBRyxLQUFLLFNBQVMsRUFBRSxDQUFDO1FBQzVCLElBQUksT0FBTyxPQUFPLENBQUMsR0FBRyxLQUFLLFFBQVEsRUFBRSxDQUFDO1lBQ2xDLE1BQU0sSUFBSSx3QkFBd0IsQ0FBQyw4QkFBOEIsRUFBRSxPQUFPLEVBQUUsS0FBSyxFQUFFLFNBQVMsQ0FBQyxDQUFDO1FBQ2xHLENBQUM7UUFDRCxJQUFJLE9BQU8sQ0FBQyxHQUFHLEdBQUcsR0FBRyxHQUFHLFNBQVMsRUFBRSxDQUFDO1lBQ2hDLE1BQU0sSUFBSSx3QkFBd0IsQ0FBQyxvQ0FBb0MsRUFBRSxPQUFPLEVBQUUsS0FBSyxFQUFFLGNBQWMsQ0FBQyxDQUFDO1FBQzdHLENBQUM7SUFDTCxDQUFDO0lBQ0QsSUFBSSxPQUFPLENBQUMsR0FBRyxLQUFLLFNBQVMsRUFBRSxDQUFDO1FBQzVCLElBQUksT0FBTyxPQUFPLENBQUMsR0FBRyxLQUFLLFFBQVEsRUFBRSxDQUFDO1lBQ2xDLE1BQU0sSUFBSSx3QkFBd0IsQ0FBQyw4QkFBOEIsRUFBRSxPQUFPLEVBQUUsS0FBSyxFQUFFLFNBQVMsQ0FBQyxDQUFDO1FBQ2xHLENBQUM7UUFDRCxJQUFJLE9BQU8sQ0FBQyxHQUFHLElBQUksR0FBRyxHQUFHLFNBQVMsRUFBRSxDQUFDO1lBQ2pDLE1BQU0sSUFBSSxVQUFVLENBQUMsb0NBQW9DLEVBQUUsT0FBTyxFQUFFLEtBQUssRUFBRSxjQUFjLENBQUMsQ0FBQztRQUMvRixDQUFDO0lBQ0wsQ0FBQztJQUNELElBQUksV0FBVyxFQUFFLENBQUM7UUFDZCxNQUFNLEdBQUcsR0FBRyxHQUFHLEdBQUcsT0FBTyxDQUFDLEdBQUcsQ0FBQztRQUM5QixNQUFNLEdBQUcsR0FBRyxPQUFPLFdBQVcsS0FBSyxRQUFRLENBQUMsQ0FBQyxDQUFDLFdBQVcsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQzlFLElBQUksR0FBRyxHQUFHLFNBQVMsR0FBRyxHQUFHLEVBQUUsQ0FBQztZQUN4QixNQUFNLElBQUksVUFBVSxDQUFDLDBEQUEwRCxFQUFFLE9BQU8sRUFBRSxLQUFLLEVBQUUsY0FBYyxDQUFDLENBQUM7UUFDckgsQ0FBQztRQUNELElBQUksR0FBRyxHQUFHLENBQUMsR0FBRyxTQUFTLEVBQUUsQ0FBQztZQUN0QixNQUFNLElBQUksd0JBQXdCLENBQUMsK0RBQStELEVBQUUsT0FBTyxFQUFFLEtBQUssRUFBRSxjQUFjLENBQUMsQ0FBQztRQUN4SSxDQUFDO0lBQ0wsQ0FBQztJQUNELE9BQU8sT0FBTyxDQUFDO0FBQ25CLENBQUMsQ0FBQyJ9

package/dist/web/tdf3/src/crypto/jose/vendor/lib/secs.js

@@ -0,0 +1,58 @@
+// @ts-nocheck
+// Generated from jose@6.0.8. Do not edit directly.
+const minute = 60;
+const hour = minute * 60;
+const day = hour * 24;
+const week = day * 7;
+const year = day * 365.25;
+const REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+export default (str) => {
+    const matched = REGEX.exec(str);
+    if (!matched || (matched[4] && matched[1])) {
+        throw new TypeError('Invalid time period format');
+    }
+    const value = parseFloat(matched[2]);
+    const unit = matched[3].toLowerCase();
+    let numericDate;
+    switch (unit) {
+        case 'sec':
+        case 'secs':
+        case 'second':
+        case 'seconds':
+        case 's':
+            numericDate = Math.round(value);
+            break;
+        case 'minute':
+        case 'minutes':
+        case 'min':
+        case 'mins':
+        case 'm':
+            numericDate = Math.round(value * minute);
+            break;
+        case 'hour':
+        case 'hours':
+        case 'hr':
+        case 'hrs':
+        case 'h':
+            numericDate = Math.round(value * hour);
+            break;
+        case 'day':
+        case 'days':
+        case 'd':
+            numericDate = Math.round(value * day);
+            break;
+        case 'week':
+        case 'weeks':
+        case 'w':
+            numericDate = Math.round(value * week);
+            break;
+        default:
+            numericDate = Math.round(value * year);
+            break;
+    }
+    if (matched[1] === '-' || matched[4] === 'ago') {
+        return -numericDate;
+    }
+    return numericDate;
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2Vjcy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL2NyeXB0by9qb3NlL3ZlbmRvci9saWIvc2Vjcy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxjQUFjO0FBQ2QsbURBQW1EO0FBQ25ELE1BQU0sTUFBTSxHQUFHLEVBQUUsQ0FBQztBQUNsQixNQUFNLElBQUksR0FBRyxNQUFNLEdBQUcsRUFBRSxDQUFDO0FBQ3pCLE1BQU0sR0FBRyxHQUFHLElBQUksR0FBRyxFQUFFLENBQUM7QUFDdEIsTUFBTSxJQUFJLEdBQUcsR0FBRyxHQUFHLENBQUMsQ0FBQztBQUNyQixNQUFNLElBQUksR0FBRyxHQUFHLEdBQUcsTUFBTSxDQUFDO0FBQzFCLE1BQU0sS0FBSyxHQUFHLG1JQUFtSSxDQUFDO0FBQ2xKLGVBQWUsQ0FBQyxHQUFHLEVBQUUsRUFBRTtJQUNuQixNQUFNLE9BQU8sR0FBRyxLQUFLLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQ2hDLElBQUksQ0FBQyxPQUFPLElBQUksQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLElBQUksT0FBTyxDQUFDLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQztRQUN6QyxNQUFNLElBQUksU0FBUyxDQUFDLDRCQUE0QixDQUFDLENBQUM7SUFDdEQsQ0FBQztJQUNELE1BQU0sS0FBSyxHQUFHLFVBQVUsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUNyQyxNQUFNLElBQUksR0FBRyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUMsV0FBVyxFQUFFLENBQUM7SUFDdEMsSUFBSSxXQUFXLENBQUM7SUFDaEIsUUFBUSxJQUFJLEVBQUUsQ0FBQztRQUNYLEtBQUssS0FBSyxDQUFDO1FBQ1gsS0FBSyxNQUFNLENBQUM7UUFDWixLQUFLLFFBQVEsQ0FBQztRQUNkLEtBQUssU0FBUyxDQUFDO1FBQ2YsS0FBSyxHQUFHO1lBQ0osV0FBVyxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLENBQUM7WUFDaEMsTUFBTTtRQUNWLEtBQUssUUFBUSxDQUFDO1FBQ2QsS0FBSyxTQUFTLENBQUM7UUFDZixLQUFLLEtBQUssQ0FBQztRQUNYLEtBQUssTUFBTSxDQUFDO1FBQ1osS0FBSyxHQUFHO1lBQ0osV0FBVyxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsS0FBSyxHQUFHLE1BQU0sQ0FBQyxDQUFDO1lBQ3pDLE1BQU07UUFDVixLQUFLLE1BQU0sQ0FBQztRQUNaLEtBQUssT0FBTyxDQUFDO1FBQ2IsS0FBSyxJQUFJLENBQUM7UUFDVixLQUFLLEtBQUssQ0FBQztRQUNYLEtBQUssR0FBRztZQUNKLFdBQVcsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLEtBQUssR0FBRyxJQUFJLENBQUMsQ0FBQztZQUN2QyxNQUFNO1FBQ1YsS0FBSyxLQUFLLENBQUM7UUFDWCxLQUFLLE1BQU0sQ0FBQztRQUNaLEtBQUssR0FBRztZQUNKLFdBQVcsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLEtBQUssR0FBRyxHQUFHLENBQUMsQ0FBQztZQUN0QyxNQUFNO1FBQ1YsS0FBSyxNQUFNLENBQUM7UUFDWixLQUFLLE9BQU8sQ0FBQztRQUNiLEtBQUssR0FBRztZQUNKLFdBQVcsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLEtBQUssR0FBRyxJQUFJLENBQUMsQ0FBQztZQUN2QyxNQUFNO1FBQ1Y7WUFDSSxXQUFXLEdBQUcsSUFBSSxDQUFDLEtBQUssQ0FBQyxLQUFLLEdBQUcsSUFBSSxDQUFDLENBQUM7WUFDdkMsTUFBTTtJQUNkLENBQUM7SUFDRCxJQUFJLE9BQU8sQ0FBQyxDQUFDLENBQUMsS0FBSyxHQUFHLElBQUksT0FBTyxDQUFDLENBQUMsQ0FBQyxLQUFLLEtBQUssRUFBRSxDQUFDO1FBQzdDLE9BQU8sQ0FBQyxXQUFXLENBQUM7SUFDeEIsQ0FBQztJQUNELE9BQU8sV0FBVyxDQUFDO0FBQ3ZCLENBQUMsQ0FBQyJ9

package/dist/web/tdf3/src/crypto/jose/vendor/lib/validate_crit.js

@@ -0,0 +1,36 @@
+// @ts-nocheck
+// Generated from jose@6.0.8. Do not edit directly.
+import { JOSENotSupported } from '../util/errors.js';
+export default (Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) => {
+    if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
+        throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+    }
+    if (!protectedHeader || protectedHeader.crit === undefined) {
+        return new Set();
+    }
+    if (!Array.isArray(protectedHeader.crit) ||
+        protectedHeader.crit.length === 0 ||
+        protectedHeader.crit.some((input) => typeof input !== 'string' || input.length === 0)) {
+        throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+    }
+    let recognized;
+    if (recognizedOption !== undefined) {
+        recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+    }
+    else {
+        recognized = recognizedDefault;
+    }
+    for (const parameter of protectedHeader.crit) {
+        if (!recognized.has(parameter)) {
+            throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+        }
+        if (joseHeader[parameter] === undefined) {
+            throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+        }
+        if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
+            throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+        }
+    }
+    return new Set(protectedHeader.crit);
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidmFsaWRhdGVfY3JpdC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL2NyeXB0by9qb3NlL3ZlbmRvci9saWIvdmFsaWRhdGVfY3JpdC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxjQUFjO0FBQ2QsbURBQW1EO0FBQ25ELE9BQU8sRUFBRSxnQkFBZ0IsRUFBMEIsTUFBTSxtQkFBbUIsQ0FBQztBQUM3RSxlQUFlLENBQUMsR0FBRyxFQUFFLGlCQUFpQixFQUFFLGdCQUFnQixFQUFFLGVBQWUsRUFBRSxVQUFVLEVBQUUsRUFBRTtJQUNyRixJQUFJLFVBQVUsQ0FBQyxJQUFJLEtBQUssU0FBUyxJQUFJLGVBQWUsRUFBRSxJQUFJLEtBQUssU0FBUyxFQUFFLENBQUM7UUFDdkUsTUFBTSxJQUFJLEdBQUcsQ0FBQyxnRUFBZ0UsQ0FBQyxDQUFDO0lBQ3BGLENBQUM7SUFDRCxJQUFJLENBQUMsZUFBZSxJQUFJLGVBQWUsQ0FBQyxJQUFJLEtBQUssU0FBUyxFQUFFLENBQUM7UUFDekQsT0FBTyxJQUFJLEdBQUcsRUFBRSxDQUFDO0lBQ3JCLENBQUM7SUFDRCxJQUFJLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxlQUFlLENBQUMsSUFBSSxDQUFDO1FBQ3BDLGVBQWUsQ0FBQyxJQUFJLENBQUMsTUFBTSxLQUFLLENBQUM7UUFDakMsZUFBZSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQyxLQUFLLEVBQUUsRUFBRSxDQUFDLE9BQU8sS0FBSyxLQUFLLFFBQVEsSUFBSSxLQUFLLENBQUMsTUFBTSxLQUFLLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFDeEYsTUFBTSxJQUFJLEdBQUcsQ0FBQyx1RkFBdUYsQ0FBQyxDQUFDO0lBQzNHLENBQUM7SUFDRCxJQUFJLFVBQVUsQ0FBQztJQUNmLElBQUksZ0JBQWdCLEtBQUssU0FBUyxFQUFFLENBQUM7UUFDakMsVUFBVSxHQUFHLElBQUksR0FBRyxDQUFDLENBQUMsR0FBRyxNQUFNLENBQUMsT0FBTyxDQUFDLGdCQUFnQixDQUFDLEVBQUUsR0FBRyxpQkFBaUIsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDLENBQUM7SUFDaEcsQ0FBQztTQUNJLENBQUM7UUFDRixVQUFVLEdBQUcsaUJBQWlCLENBQUM7SUFDbkMsQ0FBQztJQUNELEtBQUssTUFBTSxTQUFTLElBQUksZUFBZSxDQUFDLElBQUksRUFBRSxDQUFDO1FBQzNDLElBQUksQ0FBQyxVQUFVLENBQUMsR0FBRyxDQUFDLFNBQVMsQ0FBQyxFQUFFLENBQUM7WUFDN0IsTUFBTSxJQUFJLGdCQUFnQixDQUFDLCtCQUErQixTQUFTLHFCQUFxQixDQUFDLENBQUM7UUFDOUYsQ0FBQztRQUNELElBQUksVUFBVSxDQUFDLFNBQVMsQ0FBQyxLQUFLLFNBQVMsRUFBRSxDQUFDO1lBQ3RDLE1BQU0sSUFBSSxHQUFHLENBQUMsK0JBQStCLFNBQVMsY0FBYyxDQUFDLENBQUM7UUFDMUUsQ0FBQztRQUNELElBQUksVUFBVSxDQUFDLEdBQUcsQ0FBQyxTQUFTLENBQUMsSUFBSSxlQUFlLENBQUMsU0FBUyxDQUFDLEtBQUssU0FBUyxFQUFFLENBQUM7WUFDeEUsTUFBTSxJQUFJLEdBQUcsQ0FBQywrQkFBK0IsU0FBUywrQkFBK0IsQ0FBQyxDQUFDO1FBQzNGLENBQUM7SUFDTCxDQUFDO0lBQ0QsT0FBTyxJQUFJLEdBQUcsQ0FBQyxlQUFlLENBQUMsSUFBSSxDQUFDLENBQUM7QUFDekMsQ0FBQyxDQUFDIn0=

package/dist/web/tdf3/src/crypto/jose/vendor/util/errors.js

@@ -0,0 +1,117 @@
+// @ts-nocheck
+// Generated from jose@6.0.8. Do not edit directly.
+export class JOSEError extends Error {
+    constructor(message, options) {
+        super(message, options);
+        this.code = 'ERR_JOSE_GENERIC';
+        this.name = this.constructor.name;
+        Error.captureStackTrace?.(this, this.constructor);
+    }
+}
+JOSEError.code = 'ERR_JOSE_GENERIC';
+export class JWTClaimValidationFailed extends JOSEError {
+    constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {
+        super(message, { cause: { claim, reason, payload } });
+        this.code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';
+        this.claim = claim;
+        this.reason = reason;
+        this.payload = payload;
+    }
+}
+JWTClaimValidationFailed.code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';
+export class JWTExpired extends JOSEError {
+    constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {
+        super(message, { cause: { claim, reason, payload } });
+        this.code = 'ERR_JWT_EXPIRED';
+        this.claim = claim;
+        this.reason = reason;
+        this.payload = payload;
+    }
+}
+JWTExpired.code = 'ERR_JWT_EXPIRED';
+export class JOSEAlgNotAllowed extends JOSEError {
+    constructor() {
+        super(...arguments);
+        this.code = 'ERR_JOSE_ALG_NOT_ALLOWED';
+    }
+}
+JOSEAlgNotAllowed.code = 'ERR_JOSE_ALG_NOT_ALLOWED';
+export class JOSENotSupported extends JOSEError {
+    constructor() {
+        super(...arguments);
+        this.code = 'ERR_JOSE_NOT_SUPPORTED';
+    }
+}
+JOSENotSupported.code = 'ERR_JOSE_NOT_SUPPORTED';
+export class JWEDecryptionFailed extends JOSEError {
+    constructor(message = 'decryption operation failed', options) {
+        super(message, options);
+        this.code = 'ERR_JWE_DECRYPTION_FAILED';
+    }
+}
+JWEDecryptionFailed.code = 'ERR_JWE_DECRYPTION_FAILED';
+export class JWEInvalid extends JOSEError {
+    constructor() {
+        super(...arguments);
+        this.code = 'ERR_JWE_INVALID';
+    }
+}
+JWEInvalid.code = 'ERR_JWE_INVALID';
+export class JWSInvalid extends JOSEError {
+    constructor() {
+        super(...arguments);
+        this.code = 'ERR_JWS_INVALID';
+    }
+}
+JWSInvalid.code = 'ERR_JWS_INVALID';
+export class JWTInvalid extends JOSEError {
+    constructor() {
+        super(...arguments);
+        this.code = 'ERR_JWT_INVALID';
+    }
+}
+JWTInvalid.code = 'ERR_JWT_INVALID';
+export class JWKInvalid extends JOSEError {
+    constructor() {
+        super(...arguments);
+        this.code = 'ERR_JWK_INVALID';
+    }
+}
+JWKInvalid.code = 'ERR_JWK_INVALID';
+export class JWKSInvalid extends JOSEError {
+    constructor() {
+        super(...arguments);
+        this.code = 'ERR_JWKS_INVALID';
+    }
+}
+JWKSInvalid.code = 'ERR_JWKS_INVALID';
+export class JWKSNoMatchingKey extends JOSEError {
+    constructor(message = 'no applicable key found in the JSON Web Key Set', options) {
+        super(message, options);
+        this.code = 'ERR_JWKS_NO_MATCHING_KEY';
+    }
+}
+JWKSNoMatchingKey.code = 'ERR_JWKS_NO_MATCHING_KEY';
+export class JWKSMultipleMatchingKeys extends JOSEError {
+    constructor(message = 'multiple matching keys found in the JSON Web Key Set', options) {
+        super(message, options);
+        this.code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';
+    }
+}
+Symbol.asyncIterator;
+JWKSMultipleMatchingKeys.code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';
+export class JWKSTimeout extends JOSEError {
+    constructor(message = 'request timed out', options) {
+        super(message, options);
+        this.code = 'ERR_JWKS_TIMEOUT';
+    }
+}
+JWKSTimeout.code = 'ERR_JWKS_TIMEOUT';
+export class JWSSignatureVerificationFailed extends JOSEError {
+    constructor(message = 'signature verification failed', options) {
+        super(message, options);
+        this.code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';
+    }
+}
+JWSSignatureVerificationFailed.code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXJyb3JzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdGRmMy9zcmMvY3J5cHRvL2pvc2UvdmVuZG9yL3V0aWwvZXJyb3JzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLGNBQWM7QUFDZCxtREFBbUQ7QUFDbkQsTUFBTSxPQUFPLFNBQVUsU0FBUSxLQUFLO0lBR2hDLFlBQVksT0FBTyxFQUFFLE9BQU87UUFDeEIsS0FBSyxDQUFDLE9BQU8sRUFBRSxPQUFPLENBQUMsQ0FBQztRQUY1QixTQUFJLEdBQUcsa0JBQWtCLENBQUM7UUFHdEIsSUFBSSxDQUFDLElBQUksR0FBRyxJQUFJLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQztRQUNsQyxLQUFLLENBQUMsaUJBQWlCLEVBQUUsQ0FBQyxJQUFJLEVBQUUsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDO0lBQ3RELENBQUM7O0FBTk0sY0FBSSxHQUFHLGtCQUFrQixBQUFyQixDQUFzQjtBQVFyQyxNQUFNLE9BQU8sd0JBQXlCLFNBQVEsU0FBUztJQU1uRCxZQUFZLE9BQU8sRUFBRSxPQUFPLEVBQUUsS0FBSyxHQUFHLGFBQWEsRUFBRSxNQUFNLEdBQUcsYUFBYTtRQUN2RSxLQUFLLENBQUMsT0FBTyxFQUFFLEVBQUUsS0FBSyxFQUFFLEVBQUUsS0FBSyxFQUFFLE1BQU0sRUFBRSxPQUFPLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFMMUQsU0FBSSxHQUFHLGlDQUFpQyxDQUFDO1FBTXJDLElBQUksQ0FBQyxLQUFLLEdBQUcsS0FBSyxDQUFDO1FBQ25CLElBQUksQ0FBQyxNQUFNLEdBQUcsTUFBTSxDQUFDO1FBQ3JCLElBQUksQ0FBQyxPQUFPLEdBQUcsT0FBTyxDQUFDO0lBQzNCLENBQUM7O0FBVk0sNkJBQUksR0FBRyxpQ0FBaUMsQUFBcEMsQ0FBcUM7QUFZcEQsTUFBTSxPQUFPLFVBQVcsU0FBUSxTQUFTO0lBTXJDLFlBQVksT0FBTyxFQUFFLE9BQU8sRUFBRSxLQUFLLEdBQUcsYUFBYSxFQUFFLE1BQU0sR0FBRyxhQUFhO1FBQ3ZFLEtBQUssQ0FBQyxPQUFPLEVBQUUsRUFBRSxLQUFLLEVBQUUsRUFBRSxLQUFLLEVBQUUsTUFBTSxFQUFFLE9BQU8sRUFBRSxFQUFFLENBQUMsQ0FBQztRQUwxRCxTQUFJLEdBQUcsaUJBQWlCLENBQUM7UUFNckIsSUFBSSxDQUFDLEtBQUssR0FBRyxLQUFLLENBQUM7UUFDbkIsSUFBSSxDQUFDLE1BQU0sR0FBRyxNQUFNLENBQUM7UUFDckIsSUFBSSxDQUFDLE9BQU8sR0FBRyxPQUFPLENBQUM7SUFDM0IsQ0FBQzs7QUFWTSxlQUFJLEdBQUcsaUJBQWlCLEFBQXBCLENBQXFCO0FBWXBDLE1BQU0sT0FBTyxpQkFBa0IsU0FBUSxTQUFTO0lBQWhEOztRQUVJLFNBQUksR0FBRywwQkFBMEIsQ0FBQztJQUN0QyxDQUFDOztBQUZVLHNCQUFJLEdBQUcsMEJBQTBCLEFBQTdCLENBQThCO0FBRzdDLE1BQU0sT0FBTyxnQkFBaUIsU0FBUSxTQUFTO0lBQS9DOztRQUVJLFNBQUksR0FBRyx3QkFBd0IsQ0FBQztJQUNwQyxDQUFDOztBQUZVLHFCQUFJLEdBQUcsd0JBQXdCLEFBQTNCLENBQTRCO0FBRzNDLE1BQU0sT0FBTyxtQkFBb0IsU0FBUSxTQUFTO0lBRzlDLFlBQVksT0FBTyxHQUFHLDZCQUE2QixFQUFFLE9BQU87UUFDeEQsS0FBSyxDQUFDLE9BQU8sRUFBRSxPQUFPLENBQUMsQ0FBQztRQUY1QixTQUFJLEdBQUcsMkJBQTJCLENBQUM7SUFHbkMsQ0FBQzs7QUFKTSx3QkFBSSxHQUFHLDJCQUEyQixBQUE5QixDQUErQjtBQU05QyxNQUFNLE9BQU8sVUFBVyxTQUFRLFNBQVM7SUFBekM7O1FBRUksU0FBSSxHQUFHLGlCQUFpQixDQUFDO0lBQzdCLENBQUM7O0FBRlUsZUFBSSxHQUFHLGlCQUFpQixBQUFwQixDQUFxQjtBQUdwQyxNQUFNLE9BQU8sVUFBVyxTQUFRLFNBQVM7SUFBekM7O1FBRUksU0FBSSxHQUFHLGlCQUFpQixDQUFDO0lBQzdCLENBQUM7O0FBRlUsZUFBSSxHQUFHLGlCQUFpQixBQUFwQixDQUFxQjtBQUdwQyxNQUFNLE9BQU8sVUFBVyxTQUFRLFNBQVM7SUFBekM7O1FBRUksU0FBSSxHQUFHLGlCQUFpQixDQUFDO0lBQzdCLENBQUM7O0FBRlUsZUFBSSxHQUFHLGlCQUFpQixBQUFwQixDQUFxQjtBQUdwQyxNQUFNLE9BQU8sVUFBVyxTQUFRLFNBQVM7SUFBekM7O1FBRUksU0FBSSxHQUFHLGlCQUFpQixDQUFDO0lBQzdCLENBQUM7O0FBRlUsZUFBSSxHQUFHLGlCQUFpQixBQUFwQixDQUFxQjtBQUdwQyxNQUFNLE9BQU8sV0FBWSxTQUFRLFNBQVM7SUFBMUM7O1FBRUksU0FBSSxHQUFHLGtCQUFrQixDQUFDO0lBQzlCLENBQUM7O0FBRlUsZ0JBQUksR0FBRyxrQkFBa0IsQUFBckIsQ0FBc0I7QUFHckMsTUFBTSxPQUFPLGlCQUFrQixTQUFRLFNBQVM7SUFHNUMsWUFBWSxPQUFPLEdBQUcsaURBQWlELEVBQUUsT0FBTztRQUM1RSxLQUFLLENBQUMsT0FBTyxFQUFFLE9BQU8sQ0FBQyxDQUFDO1FBRjVCLFNBQUksR0FBRywwQkFBMEIsQ0FBQztJQUdsQyxDQUFDOztBQUpNLHNCQUFJLEdBQUcsMEJBQTBCLEFBQTdCLENBQThCO0FBTTdDLE1BQU0sT0FBTyx3QkFBeUIsU0FBUSxTQUFTO0lBSW5ELFlBQVksT0FBTyxHQUFHLHNEQUFzRCxFQUFFLE9BQU87UUFDakYsS0FBSyxDQUFDLE9BQU8sRUFBRSxPQUFPLENBQUMsQ0FBQztRQUY1QixTQUFJLEdBQUcsaUNBQWlDLENBQUM7SUFHekMsQ0FBQzs7QUFMQSxNQUFNLENBQUMsYUFBYTtBQUNkLDZCQUFJLEdBQUcsaUNBQWlDLEFBQXBDLENBQXFDO0FBTXBELE1BQU0sT0FBTyxXQUFZLFNBQVEsU0FBUztJQUd0QyxZQUFZLE9BQU8sR0FBRyxtQkFBbUIsRUFBRSxPQUFPO1FBQzlDLEtBQUssQ0FBQyxPQUFPLEVBQUUsT0FBTyxDQUFDLENBQUM7UUFGNUIsU0FBSSxHQUFHLGtCQUFrQixDQUFDO0lBRzFCLENBQUM7O0FBSk0sZ0JBQUksR0FBRyxrQkFBa0IsQUFBckIsQ0FBc0I7QUFNckMsTUFBTSxPQUFPLDhCQUErQixTQUFRLFNBQVM7SUFHekQsWUFBWSxPQUFPLEdBQUcsK0JBQStCLEVBQUUsT0FBTztRQUMxRCxLQUFLLENBQUMsT0FBTyxFQUFFLE9BQU8sQ0FBQyxDQUFDO1FBRjVCLFNBQUksR0FBRyx1Q0FBdUMsQ0FBQztJQUcvQyxDQUFDOztBQUpNLG1DQUFJLEdBQUcsdUNBQXVDLEFBQTFDLENBQTJDIn0=

package/dist/web/tdf3/src/crypto/jwt.js

@@ -0,0 +1,174 @@
+import { base64 } from '../../../src/encodings/index.js';
+import { decodeProtectedHeader as joseDecodeProtectedHeader, errors as joseErrors, } from 'jose';
+import jwtClaimsSet from './jose/jwt-claims-set.js';
+import validateCrit from './jose/validate-crit.js';
+/**
+ * Base64url encode data per RFC 4648 Section 5.
+ * Uses URL-safe alphabet (- and _ instead of + and /) with no padding.
+ * Exported for testing purposes.
+ */
+export function base64urlEncode(data) {
+    if (typeof data === 'string') {
+        // Encode string to base64url
+        const bytes = new TextEncoder().encode(data);
+        return base64.encodeArrayBuffer(bytes.buffer, true); // urlSafe = true
+    }
+    else {
+        // Encode Uint8Array to base64url
+        const buffer = data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength);
+        return base64.encodeArrayBuffer(buffer, true); // urlSafe = true
+    }
+}
+/**
+ * Helper to convert base64url to standard base64 with padding.
+ */
+function base64urlToBase64(str) {
+    // Convert base64url to base64: replace - with +, _ with /
+    let b64 = str.replace(/-/g, '+').replace(/_/g, '/');
+    // Add padding if needed
+    const padding = (4 - (b64.length % 4)) % 4;
+    b64 += '='.repeat(padding);
+    return b64;
+}
+/**
+ * Base64url decode to Uint8Array per RFC 4648 Section 5.
+ */
+function base64urlDecodeBytes(str) {
+    const b64 = base64urlToBase64(str);
+    return new Uint8Array(base64.decodeArrayBuffer(b64));
+}
+/**
+ * Decode the protected header from a JWT without verifying the signature.
+ * Useful for inspecting the header to determine key type before verification.
+ *
+ * @param token - The JWT string
+ * @returns The decoded header
+ * @throws Error if the token is malformed or uses alg "none"
+ */
+export function decodeProtectedHeader(token) {
+    return joseDecodeProtectedHeader(token);
+}
+/**
+ * Sign a JWT using CryptoService. Replaces jose SignJWT.
+ *
+ * Implementation:
+ * 1. Base64url encode header and payload as JSON
+ * 2. Create signing input: `${headerB64}.${payloadB64}`
+ * 3. Sign via cryptoService.sign() (asymmetric) or hmac() (HS256)
+ * 4. Return compact JWT: `${headerB64}.${payloadB64}.${signatureB64}`
+ *
+ * @param cryptoService - Crypto implementation to use
+ * @param payload - JWT payload (claims)
+ * @param key - PEM-encoded private key for asymmetric algorithms, or raw key bytes for HS256
+ * @param header - JWT header (must include alg)
+ * @param options - Optional signing options (e.g., crit header handling)
+ * @returns Compact JWT string
+ */
+export async function signJwt(cryptoService, payload, key, header, options) {
+    validateCrit(joseErrors.JWSInvalid, new Map([['b64', true]]), options?.crit, header, header);
+    // Encode header and payload per RFC 7515
+    const headerB64 = base64urlEncode(JSON.stringify(header));
+    const payloadB64 = base64urlEncode(JSON.stringify(payload));
+    // Create signing input
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const signingInputBytes = new TextEncoder().encode(signingInput);
+    // Sign via CryptoService - route based on algorithm
+    let signature;
+    if (header.alg === 'HS256') {
+        if (key._brand !== 'SymmetricKey') {
+            throw new Error('HS256 requires a SymmetricKey');
+        }
+        signature = await cryptoService.hmac(signingInputBytes, key);
+    }
+    else {
+        if (key._brand !== 'PrivateKey') {
+            throw new Error(`${header.alg} requires a PrivateKey`);
+        }
+        signature = await cryptoService.sign(signingInputBytes, key, header.alg);
+    }
+    // Return compact JWT
+    return `${signingInput}.${base64urlEncode(signature)}`;
+}
+/**
+ * Verify a JWT and return its contents. Replaces jose jwtVerify.
+ *
+ * Implementation:
+ * 1. Split token into header.payload.signature
+ * 2. Decode header, validate algorithm against allowlist
+ * 3. Verify signature via cryptoService.verify() (asymmetric) or verifyHmac() (HS256)
+ * 4. Validate JWT claims (aud, iss, exp, nbf, etc.)
+ * 5. Return decoded header and payload
+ *
+ * @param cryptoService - Crypto implementation to use
+ * @param token - The JWT string to verify
+ * @param key - For asymmetric: PEM string or PublicKey (opaque). For HS256: Uint8Array or SymmetricKey (opaque).
+ * @param options - Verification options including algorithm allowlist and claim validations
+ * @throws Error if signature invalid, algorithm not in allowlist, claims invalid, or token malformed
+ * @returns Decoded header and payload
+ */
+export async function verifyJwt(cryptoService, token, key, options) {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+        throw new joseErrors.JWTInvalid('Invalid Token or Protected Header formatting');
+    }
+    const [headerB64, payloadB64, signatureB64] = parts;
+    // Decode and validate header
+    const headerRaw = decodeProtectedHeader(token);
+    if (typeof headerRaw.alg !== 'string' || !headerRaw.alg) {
+        throw new joseErrors.JWTInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+    }
+    if (headerRaw.alg === 'none') {
+        throw new joseErrors.JWTInvalid('Invalid JWT: alg "none" not allowed');
+    }
+    // Validate algorithm is in allowlist if provided
+    if (options?.algorithms && !options.algorithms.includes(headerRaw.alg)) {
+        throw new joseErrors.JWTInvalid(`Invalid JWT: algorithm "${headerRaw.alg}" not in allowlist`);
+    }
+    const extensions = validateCrit(joseErrors.JWSInvalid, new Map([['b64', true]]), options?.crit, headerRaw, headerRaw);
+    // Now we know it's a valid algorithm
+    const header = headerRaw;
+    // Verify signature via CryptoService - route based on algorithm
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const signingInputBytes = new TextEncoder().encode(signingInput);
+    const signature = base64urlDecodeBytes(signatureB64);
+    let valid;
+    if (header.alg === 'HS256') {
+        // Symmetric verification - accept Uint8Array or SymmetricKey
+        if (typeof key === 'string') {
+            throw new Error('HS256 requires a Uint8Array or SymmetricKey, not a PEM string');
+        }
+        if ('_brand' in key && key._brand === 'PublicKey') {
+            throw new Error('HS256 requires a SymmetricKey, not a PublicKey');
+        }
+        // Convert Uint8Array to SymmetricKey if needed, otherwise assume it's already SymmetricKey
+        const symmetricKey = key instanceof Uint8Array
+            ? await cryptoService.importSymmetricKey(key)
+            : key;
+        valid = await cryptoService.verifyHmac(signingInputBytes, signature, symmetricKey);
+    }
+    else {
+        // Asymmetric verification - accept string (PEM) or PublicKey
+        if (key instanceof Uint8Array) {
+            throw new Error(`${header.alg} requires a PEM string or PublicKey, not Uint8Array`);
+        }
+        if (typeof key === 'object' && '_brand' in key && key._brand === 'SymmetricKey') {
+            throw new Error(`${header.alg} requires a PublicKey, not a SymmetricKey`);
+        }
+        // Convert PEM string to PublicKey if needed, otherwise assume it's already PublicKey
+        const publicKey = typeof key === 'string'
+            ? await cryptoService.importPublicKey(key, { usage: 'sign' })
+            : key;
+        valid = await cryptoService.verify(signingInputBytes, signature, publicKey, header.alg);
+    }
+    if (!valid) {
+        throw new joseErrors.JWTInvalid('Invalid JWT: signature verification failed');
+    }
+    if (extensions.has('b64') && header.b64 === false) {
+        throw new joseErrors.JWTInvalid('JWTs MUST NOT use unencoded payload');
+    }
+    // Decode payload and validate JWT claims
+    const payloadBytes = base64urlDecodeBytes(payloadB64);
+    const payload = jwtClaimsSet(header, payloadBytes, options);
+    return { header, payload };
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiand0LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vLi4vdGRmMy9zcmMvY3J5cHRvL2p3dC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFRQSxPQUFPLEVBQUUsTUFBTSxFQUFFLE1BQU0saUNBQWlDLENBQUM7QUFDekQsT0FBTyxFQUNMLHFCQUFxQixJQUFJLHlCQUF5QixFQUNsRCxNQUFNLElBQUksVUFBVSxHQUtyQixNQUFNLE1BQU0sQ0FBQztBQUNkLE9BQU8sWUFBWSxNQUFNLDBCQUEwQixDQUFDO0FBQ3BELE9BQU8sWUFBWSxNQUFNLHlCQUF5QixDQUFDO0FBdUJuRDs7OztHQUlHO0FBQ0gsTUFBTSxVQUFVLGVBQWUsQ0FBQyxJQUF5QjtJQUN2RCxJQUFJLE9BQU8sSUFBSSxLQUFLLFFBQVEsRUFBRSxDQUFDO1FBQzdCLDZCQUE2QjtRQUM3QixNQUFNLEtBQUssR0FBRyxJQUFJLFdBQVcsRUFBRSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUM3QyxPQUFPLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQyxLQUFLLENBQUMsTUFBTSxFQUFFLElBQUksQ0FBQyxDQUFDLENBQUMsaUJBQWlCO0lBQ3hFLENBQUM7U0FBTSxDQUFDO1FBQ04saUNBQWlDO1FBQ2pDLE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQyxVQUFVLEVBQUUsSUFBSSxDQUFDLFVBQVUsR0FBRyxJQUFJLENBQUMsVUFBVSxDQUFDLENBQUM7UUFDckYsT0FBTyxNQUFNLENBQUMsaUJBQWlCLENBQUMsTUFBTSxFQUFFLElBQUksQ0FBQyxDQUFDLENBQUMsaUJBQWlCO0lBQ2xFLENBQUM7QUFDSCxDQUFDO0FBRUQ7O0dBRUc7QUFDSCxTQUFTLGlCQUFpQixDQUFDLEdBQVc7SUFDcEMsMERBQTBEO0lBQzFELElBQUksR0FBRyxHQUFHLEdBQUcsQ0FBQyxPQUFPLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUFDLENBQUM7SUFFcEQsd0JBQXdCO0lBQ3hCLE1BQU0sT0FBTyxHQUFHLENBQUMsQ0FBQyxHQUFHLENBQUMsR0FBRyxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUMzQyxHQUFHLElBQUksR0FBRyxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUUzQixPQUFPLEdBQUcsQ0FBQztBQUNiLENBQUM7QUFFRDs7R0FFRztBQUNILFNBQVMsb0JBQW9CLENBQUMsR0FBVztJQUN2QyxNQUFNLEdBQUcsR0FBRyxpQkFBaUIsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUNuQyxPQUFPLElBQUksVUFBVSxDQUFDLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO0FBQ3ZELENBQUM7QUFFRDs7Ozs7OztHQU9HO0FBQ0gsTUFBTSxVQUFVLHFCQUFxQixDQUFDLEtBQWE7SUFDakQsT0FBTyx5QkFBeUIsQ0FBQyxLQUFLLENBQWMsQ0FBQztBQUN2RCxDQUFDO0FBRUQ7Ozs7Ozs7Ozs7Ozs7OztHQWVHO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxPQUFPLENBQzNCLGFBQTRCLEVBQzVCLE9BQW1CLEVBQ25CLEdBQThCLEVBQzlCLE1BQWlCLEVBQ2pCLE9BQXdCO0lBRXhCLFlBQVksQ0FBQyxVQUFVLENBQUMsVUFBVSxFQUFFLElBQUksR0FBRyxDQUFDLENBQUMsQ0FBQyxLQUFLLEVBQUUsSUFBSSxDQUFDLENBQUMsQ0FBQyxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLE1BQU0sQ0FBQyxDQUFDO0lBRTdGLHlDQUF5QztJQUN6QyxNQUFNLFNBQVMsR0FBRyxlQUFlLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDO0lBQzFELE1BQU0sVUFBVSxHQUFHLGVBQWUsQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUM7SUFFNUQsdUJBQXVCO0lBQ3ZCLE1BQU0sWUFBWSxHQUFHLEdBQUcsU0FBUyxJQUFJLFVBQVUsRUFBRSxDQUFDO0lBQ2xELE1BQU0saUJBQWlCLEdBQUcsSUFBSSxXQUFXLEVBQUUsQ0FBQyxNQUFNLENBQUMsWUFBWSxDQUFDLENBQUM7SUFFakUsb0RBQW9EO0lBQ3BELElBQUksU0FBcUIsQ0FBQztJQUMxQixJQUFJLE1BQU0sQ0FBQyxHQUFHLEtBQUssT0FBTyxFQUFFLENBQUM7UUFDM0IsSUFBSSxHQUFHLENBQUMsTUFBTSxLQUFLLGNBQWMsRUFBRSxDQUFDO1lBQ2xDLE1BQU0sSUFBSSxLQUFLLENBQUMsK0JBQStCLENBQUMsQ0FBQztRQUNuRCxDQUFDO1FBQ0QsU0FBUyxHQUFHLE1BQU0sYUFBYSxDQUFDLElBQUksQ0FBQyxpQkFBaUIsRUFBRSxHQUFHLENBQUMsQ0FBQztJQUMvRCxDQUFDO1NBQU0sQ0FBQztRQUNOLElBQUksR0FBRyxDQUFDLE1BQU0sS0FBSyxZQUFZLEVBQUUsQ0FBQztZQUNoQyxNQUFNLElBQUksS0FBSyxDQUFDLEdBQUcsTUFBTSxDQUFDLEdBQUcsd0JBQXdCLENBQUMsQ0FBQztRQUN6RCxDQUFDO1FBQ0QsU0FBUyxHQUFHLE1BQU0sYUFBYSxDQUFDLElBQUksQ0FDbEMsaUJBQWlCLEVBQ2pCLEdBQUcsRUFDSCxNQUFNLENBQUMsR0FBaUMsQ0FDekMsQ0FBQztJQUNKLENBQUM7SUFFRCxxQkFBcUI7SUFDckIsT0FBTyxHQUFHLFlBQVksSUFBSSxlQUFlLENBQUMsU0FBUyxDQUFDLEVBQUUsQ0FBQztBQUN6RCxDQUFDO0FBRUQ7Ozs7Ozs7Ozs7Ozs7Ozs7R0FnQkc7QUFDSCxNQUFNLENBQUMsS0FBSyxVQUFVLFNBQVMsQ0FDN0IsYUFBNEIsRUFDNUIsS0FBYSxFQUNiLEdBQW1ELEVBQ25ELE9BQTBCO0lBRTFCLE1BQU0sS0FBSyxHQUFHLEtBQUssQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDL0IsSUFBSSxLQUFLLENBQUMsTUFBTSxLQUFLLENBQUMsRUFBRSxDQUFDO1FBQ3ZCLE1BQU0sSUFBSSxVQUFVLENBQUMsVUFBVSxDQUFDLDhDQUE4QyxDQUFDLENBQUM7SUFDbEYsQ0FBQztJQUNELE1BQU0sQ0FBQyxTQUFTLEVBQUUsVUFBVSxFQUFFLFlBQVksQ0FBQyxHQUFHLEtBQUssQ0FBQztJQUVwRCw2QkFBNkI7SUFDN0IsTUFBTSxTQUFTLEdBQUcscUJBQXFCLENBQUMsS0FBSyxDQUFDLENBQUM7SUFDL0MsSUFBSSxPQUFPLFNBQVMsQ0FBQyxHQUFHLEtBQUssUUFBUSxJQUFJLENBQUMsU0FBUyxDQUFDLEdBQUcsRUFBRSxDQUFDO1FBQ3hELE1BQU0sSUFBSSxVQUFVLENBQUMsVUFBVSxDQUFDLDJEQUEyRCxDQUFDLENBQUM7SUFDL0YsQ0FBQztJQUNELElBQUssU0FBUyxDQUFDLEdBQWMsS0FBSyxNQUFNLEVBQUUsQ0FBQztRQUN6QyxNQUFNLElBQUksVUFBVSxDQUFDLFVBQVUsQ0FBQyxxQ0FBcUMsQ0FBQyxDQUFDO0lBQ3pFLENBQUM7SUFFRCxpREFBaUQ7SUFDakQsSUFBSSxPQUFPLEVBQUUsVUFBVSxJQUFJLENBQUMsT0FBTyxDQUFDLFVBQVUsQ0FBQyxRQUFRLENBQUMsU0FBUyxDQUFDLEdBQXVCLENBQUMsRUFBRSxDQUFDO1FBQzNGLE1BQU0sSUFBSSxVQUFVLENBQUMsVUFBVSxDQUFDLDJCQUEyQixTQUFTLENBQUMsR0FBRyxvQkFBb0IsQ0FBQyxDQUFDO0lBQ2hHLENBQUM7SUFFRCxNQUFNLFVBQVUsR0FBRyxZQUFZLENBQzdCLFVBQVUsQ0FBQyxVQUFVLEVBQ3JCLElBQUksR0FBRyxDQUFDLENBQUMsQ0FBQyxLQUFLLEVBQUUsSUFBSSxDQUFDLENBQUMsQ0FBQyxFQUN4QixPQUFPLEVBQUUsSUFBSSxFQUNiLFNBQVMsRUFDVCxTQUFTLENBQ1YsQ0FBQztJQUVGLHFDQUFxQztJQUNyQyxNQUFNLE1BQU0sR0FBRyxTQUFzQixDQUFDO0lBRXRDLGdFQUFnRTtJQUNoRSxNQUFNLFlBQVksR0FBRyxHQUFHLFNBQVMsSUFBSSxVQUFVLEVBQUUsQ0FBQztJQUNsRCxNQUFNLGlCQUFpQixHQUFHLElBQUksV0FBVyxFQUFFLENBQUMsTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFDO0lBQ2pFLE1BQU0sU0FBUyxHQUFHLG9CQUFvQixDQUFDLFlBQVksQ0FBQyxDQUFDO0lBRXJELElBQUksS0FBYyxDQUFDO0lBQ25CLElBQUksTUFBTSxDQUFDLEdBQUcsS0FBSyxPQUFPLEVBQUUsQ0FBQztRQUMzQiw2REFBNkQ7UUFDN0QsSUFBSSxPQUFPLEdBQUcsS0FBSyxRQUFRLEVBQUUsQ0FBQztZQUM1QixNQUFNLElBQUksS0FBSyxDQUFDLCtEQUErRCxDQUFDLENBQUM7UUFDbkYsQ0FBQztRQUNELElBQUksUUFBUSxJQUFJLEdBQUcsSUFBSSxHQUFHLENBQUMsTUFBTSxLQUFLLFdBQVcsRUFBRSxDQUFDO1lBQ2xELE1BQU0sSUFBSSxLQUFLLENBQUMsZ0RBQWdELENBQUMsQ0FBQztRQUNwRSxDQUFDO1FBQ0QsMkZBQTJGO1FBQzNGLE1BQU0sWUFBWSxHQUNoQixHQUFHLFlBQVksVUFBVTtZQUN2QixDQUFDLENBQUMsTUFBTSxhQUFhLENBQUMsa0JBQWtCLENBQUMsR0FBRyxDQUFDO1lBQzdDLENBQUMsQ0FBRSxHQUFvQixDQUFDO1FBQzVCLEtBQUssR0FBRyxNQUFNLGFBQWEsQ0FBQyxVQUFVLENBQUMsaUJBQWlCLEVBQUUsU0FBUyxFQUFFLFlBQVksQ0FBQyxDQUFDO0lBQ3JGLENBQUM7U0FBTSxDQUFDO1FBQ04sNkRBQTZEO1FBQzdELElBQUksR0FBRyxZQUFZLFVBQVUsRUFBRSxDQUFDO1lBQzlCLE1BQU0sSUFBSSxLQUFLLENBQUMsR0FBRyxNQUFNLENBQUMsR0FBRyxxREFBcUQsQ0FBQyxDQUFDO1FBQ3RGLENBQUM7UUFDRCxJQUFJLE9BQU8sR0FBRyxLQUFLLFFBQVEsSUFBSSxRQUFRLElBQUksR0FBRyxJQUFJLEdBQUcsQ0FBQyxNQUFNLEtBQUssY0FBYyxFQUFFLENBQUM7WUFDaEYsTUFBTSxJQUFJLEtBQUssQ0FBQyxHQUFHLE1BQU0sQ0FBQyxHQUFHLDJDQUEyQyxDQUFDLENBQUM7UUFDNUUsQ0FBQztRQUNELHFGQUFxRjtRQUNyRixNQUFNLFNBQVMsR0FDYixPQUFPLEdBQUcsS0FBSyxRQUFRO1lBQ3JCLENBQUMsQ0FBQyxNQUFNLGFBQWEsQ0FBQyxlQUFlLENBQUMsR0FBRyxFQUFFLEVBQUUsS0FBSyxFQUFFLE1BQU0sRUFBRSxDQUFDO1lBQzdELENBQUMsQ0FBRSxHQUFpQixDQUFDO1FBQ3pCLEtBQUssR0FBRyxNQUFNLGFBQWEsQ0FBQyxNQUFNLENBQ2hDLGlCQUFpQixFQUNqQixTQUFTLEVBQ1QsU0FBUyxFQUNULE1BQU0sQ0FBQyxHQUFpQyxDQUN6QyxDQUFDO0lBQ0osQ0FBQztJQUVELElBQUksQ0FBQyxLQUFLLEVBQUUsQ0FBQztRQUNYLE1BQU0sSUFBSSxVQUFVLENBQUMsVUFBVSxDQUFDLDRDQUE0QyxDQUFDLENBQUM7SUFDaEYsQ0FBQztJQUVELElBQUksVUFBVSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsSUFBSyxNQUE0QixDQUFDLEdBQUcsS0FBSyxLQUFLLEVBQUUsQ0FBQztRQUN6RSxNQUFNLElBQUksVUFBVSxDQUFDLFVBQVUsQ0FBQyxxQ0FBcUMsQ0FBQyxDQUFDO0lBQ3pFLENBQUM7SUFFRCx5Q0FBeUM7SUFDekMsTUFBTSxZQUFZLEdBQUcsb0JBQW9CLENBQUMsVUFBVSxDQUFDLENBQUM7SUFDdEQsTUFBTSxPQUFPLEdBQUcsWUFBWSxDQUFDLE1BQU0sRUFBRSxZQUFZLEVBQUUsT0FBTyxDQUFlLENBQUM7SUFFMUUsT0FBTyxFQUFFLE1BQU0sRUFBRSxPQUFPLEVBQUUsQ0FBQztBQUM3QixDQUFDIn0=

package/dist/web/tdf3/src/crypto/salt.js

@@ -1,9 +1,15 @@
-const generateSalt = async () => {
+let cachedSalt = null;
+/**
+ * Get the ZTDF salt (SHA-256 of "TDF").
+ * Lazily computed on first call and cached thereafter.
+ */
+export async function getZtdfSalt(cryptoService) {
+    if (cachedSalt) {
+        return cachedSalt;
+    }
     const encoder = new TextEncoder();
     const data = encoder.encode('TDF');
-    // Generate hash
-    const hashBuffer = await crypto.subtle.digest('SHA-256', data);
-    return new Uint8Array(hashBuffer);
-};
-export const ztdfSalt = generateSalt();
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2FsdC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL2NyeXB0by9zYWx0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE1BQU0sWUFBWSxHQUFHLEtBQUssSUFBSSxFQUFFO0lBQzlCLE1BQU0sT0FBTyxHQUFHLElBQUksV0FBVyxFQUFFLENBQUM7SUFDbEMsTUFBTSxJQUFJLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUVuQyxnQkFBZ0I7SUFDaEIsTUFBTSxVQUFVLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLEVBQUUsSUFBSSxDQUFDLENBQUM7SUFFL0QsT0FBTyxJQUFJLFVBQVUsQ0FBQyxVQUFVLENBQUMsQ0FBQztBQUNwQyxDQUFDLENBQUM7QUFFRixNQUFNLENBQUMsTUFBTSxRQUFRLEdBQUcsWUFBWSxFQUFFLENBQUMifQ==
+    cachedSalt = await cryptoService.digest('SHA-256', data);
+    return cachedSalt;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2FsdC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL2NyeXB0by9zYWx0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUVBLElBQUksVUFBVSxHQUFzQixJQUFJLENBQUM7QUFFekM7OztHQUdHO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxXQUFXLENBQUMsYUFBNEI7SUFDNUQsSUFBSSxVQUFVLEVBQUUsQ0FBQztRQUNmLE9BQU8sVUFBVSxDQUFDO0lBQ3BCLENBQUM7SUFFRCxNQUFNLE9BQU8sR0FBRyxJQUFJLFdBQVcsRUFBRSxDQUFDO0lBQ2xDLE1BQU0sSUFBSSxHQUFHLE9BQU8sQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUM7SUFFbkMsVUFBVSxHQUFHLE1BQU0sYUFBYSxDQUFDLE1BQU0sQ0FBQyxTQUFTLEVBQUUsSUFBSSxDQUFDLENBQUM7SUFDekQsT0FBTyxVQUFVLENBQUM7QUFDcEIsQ0FBQyJ9