@opentdf/sdk 0.9.0-beta.91 → 0.9.0-beta.93

package/dist/web/tdf3/src/utils/index.js

@@ -1,4 +1,3 @@
-import * as WebCryptoService from '../crypto/index.js';
 import { SplitKey } from '../models/index.js';
 import { AesGcmCipher } from '../ciphers/aes-gcm-cipher.js';
 import { ConfigurationError } from '../../../src/errors.js';
@@ -237,12 +236,12 @@ export function base64ToBytes(str) {
  *
  * @returns {Object}:
  * {
- *   keyForEncryption: Binary;
- *   keyForManifest: Binary;
+ *   keyForEncryption: KeyInfo;
+ *   keyForManifest: KeyInfo;
  * }
  */
-export async function keyMiddleware() {
-    const cipher = new AesGcmCipher(WebCryptoService);
+export async function keyMiddleware(cryptoService) {
+    const cipher = new AesGcmCipher(cryptoService);
     const encryptionInformation = new SplitKey(cipher);
     if (!encryptionInformation?.generateKey) {
         throw new ConfigurationError('Crypto service not initialised');
@@ -250,4 +249,4 @@ export async function keyMiddleware() {
     const key = await encryptionInformation.generateKey();
     return { keyForEncryption: key, keyForManifest: key };
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi8uLi90ZGYzL3NyYy91dGlscy9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEtBQUssZ0JBQWdCLE1BQU0sb0JBQW9CLENBQUM7QUFDdkQsT0FBTyxFQUFXLFFBQVEsRUFBRSxNQUFNLG9CQUFvQixDQUFDO0FBRXZELE9BQU8sRUFBRSxZQUFZLEVBQUUsTUFBTSw4QkFBOEIsQ0FBQztBQUM1RCxPQUFPLEVBQUUsa0JBQWtCLEVBQUUsTUFBTSx3QkFBd0IsQ0FBQztBQUM1RCxPQUFPLEVBQUUsaUJBQWlCLEVBQUUsaUJBQWlCLEVBQUUsTUFBTSxrQ0FBa0MsQ0FBQztBQUV4RixPQUFPLEVBQUUsU0FBUyxFQUFFLFlBQVksRUFBRSxNQUFNLGlCQUFpQixDQUFDO0FBQzFELE9BQU8sRUFBRSxTQUFTLEVBQUUsTUFBTSxpQkFBaUIsQ0FBQztBQUM1QyxPQUFPLEVBQUUsUUFBUSxFQUFFLFFBQVEsRUFBRSxNQUFNLGVBQWUsQ0FBQztBQUNuRCxPQUFPLEVBQUUsY0FBYyxFQUFFLE1BQU0sc0NBQXNDLENBQUM7QUFJdEUsTUFBTSxtQkFBbUIsR0FBRyxDQUFDLEdBQUcsRUFBRTtJQUNoQyxNQUFNLFFBQVEsR0FBRyxrQkFBa0IsQ0FBQztJQUNwQyxNQUFNLEtBQUssR0FBRyxJQUFJLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUM3QixLQUFLLElBQUksQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEdBQUcsRUFBRSxFQUFFLEVBQUUsQ0FBQyxFQUFFLENBQUM7UUFDNUIsTUFBTSxHQUFHLEdBQUcsQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUNuQixLQUFLLElBQUksQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEdBQUcsRUFBRSxFQUFFLEVBQUUsQ0FBQyxFQUFFLENBQUM7WUFDNUIsS0FBSyxDQUFDLEdBQUcsR0FBRyxDQUFDLENBQUMsR0FBRyxRQUFRLENBQUMsQ0FBQyxDQUFDLEdBQUcsUUFBUSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzdDLENBQUM7SUFDSCxDQUFDO0lBQ0QsT0FBTyxLQUFLLENBQUM7QUFDZixDQUFDLENBQUMsRUFBRSxDQUFDO0FBRUwsTUFBTSxVQUFVLFdBQVcsQ0FBQyxXQUF5QjtJQUNuRCxNQUFNLFNBQVMsR0FBRyxXQUFXLENBQUMsTUFBTSxDQUNsQyxDQUFDLFdBQVcsRUFBRSxZQUFZLEVBQUUsRUFBRSxDQUFDLFdBQVcsR0FBRyxZQUFZLENBQUMsTUFBTSxFQUNoRSxDQUFDLENBQ0YsQ0FBQztJQUNGLE1BQU0sa0JBQWtCLEdBQUcsSUFBSSxVQUFVLENBQUMsU0FBUyxDQUFDLENBQUM7SUFFckQsSUFBSSxNQUFNLEdBQUcsQ0FBQyxDQUFDO0lBQ2YsS0FBSyxNQUFNLFVBQVUsSUFBSSxXQUFXLEVBQUUsQ0FBQztRQUNyQyxrQkFBa0IsQ0FBQyxHQUFHLENBQUMsVUFBVSxFQUFFLE1BQU0sQ0FBQyxDQUFDO1FBQzNDLE1BQU0sSUFBSSxVQUFVLENBQUMsTUFBTSxDQUFDO0lBQzlCLENBQUM7SUFFRCxPQUFPLGtCQUFrQixDQUFDO0FBQzVCLENBQUM7QUFFRCxNQUFNLFVBQVUsWUFBWSxDQUFDLFVBQXNCLEVBQUUsTUFBYztJQUNqRSxPQUFPLENBQ0wsQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDO1FBQ2pCLENBQUMsVUFBVSxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDN0IsQ0FBQyxVQUFVLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUM5QixDQUFDLFVBQVUsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxDQUFDLENBQUM7UUFDakMsQ0FBQyxDQUNGLENBQUM7QUFDSixDQUFDO0FBRUQsTUFBTSxVQUFVLFlBQVksQ0FBQyxVQUFzQixFQUFFLE1BQWM7SUFDakUsT0FBTyxVQUFVLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDO0FBQzVELENBQUM7QUFFRCxNQUFNLFVBQVUsWUFBWSxDQUFDLFdBQXdCLEVBQUUsTUFBYztJQUNuRSxNQUFNLElBQUksR0FBRyxJQUFJLFFBQVEsQ0FBQyxXQUFXLEVBQUUsTUFBTSxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBQ2xELE9BQU8sSUFBSSxDQUFDLFNBQVMsQ0FBQyxDQUFDLEVBQUUsS0FBSyxDQUFDLENBQUM7QUFDbEMsQ0FBQztBQUVELE1BQU0sVUFBVSxhQUFhLENBQUMsVUFBc0IsRUFBRSxLQUFhLEVBQUUsTUFBYztJQUNqRixVQUFVLENBQUMsTUFBTSxDQUFDLEdBQUcsS0FBSyxHQUFHLElBQUksQ0FBQztJQUNsQyxVQUFVLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQyxHQUFHLENBQUMsS0FBSyxJQUFJLENBQUMsQ0FBQyxHQUFHLElBQUksQ0FBQztBQUMvQyxDQUFDO0FBRUQsTUFBTSxVQUFVLGFBQWEsQ0FBQyxVQUFzQixFQUFFLEtBQWEsRUFBRSxNQUFjO0lBQ2pGLFVBQVUsQ0FBQyxNQUFNLENBQUMsR0FBRyxLQUFLLEdBQUcsSUFBSSxDQUFDO0lBQ2xDLFVBQVUsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxLQUFLLElBQUksQ0FBQyxDQUFDLEdBQUcsSUFBSSxDQUFDO0lBQzdDLFVBQVUsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxLQUFLLElBQUksRUFBRSxDQUFDLEdBQUcsSUFBSSxDQUFDO0lBQzlDLFVBQVUsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxLQUFLLElBQUksRUFBRSxDQUFDLEdBQUcsSUFBSSxDQUFDO0FBQ2hELENBQUM7QUFFRCxNQUFNLFVBQVUsWUFBWSxDQUMxQixNQUFrQixFQUNsQixNQUFrQixFQUNsQixjQUFzQixDQUFDLEVBQ3ZCLGNBQXNCLENBQUMsRUFDdkIsWUFBb0IsTUFBTSxDQUFDLE1BQU07SUFFakMsTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQyxTQUFTLEdBQUcsV0FBVyxFQUFFLE1BQU0sQ0FBQyxNQUFNLEdBQUcsV0FBVyxDQUFDLENBQUM7SUFDOUUsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLFdBQVcsRUFBRSxXQUFXLEdBQUcsTUFBTSxDQUFDLEVBQUUsV0FBVyxDQUFDLENBQUM7SUFDNUUsT0FBTyxNQUFNLENBQUM7QUFDaEIsQ0FBQztBQUVELDhEQUE4RDtBQUM5RCxTQUFTLFFBQVEsQ0FBQyxHQUFlLEVBQUUsUUFBZ0IsQ0FBQyxFQUFFLE1BQWMsR0FBRyxDQUFDLE1BQU07SUFDNUUsTUFBTSxHQUFHLEdBQUcsR0FBRyxDQUFDLE1BQU0sQ0FBQztJQUV2QixJQUFJLENBQUMsS0FBSyxJQUFJLEtBQUssR0FBRyxDQUFDO1FBQUUsS0FBSyxHQUFHLENBQUMsQ0FBQztJQUNuQyxJQUFJLENBQUMsR0FBRyxJQUFJLEdBQUcsR0FBRyxDQUFDLElBQUksR0FBRyxHQUFHLEdBQUc7UUFBRSxHQUFHLEdBQUcsR0FBRyxDQUFDO0lBRTVDLElBQUksR0FBRyxHQUFHLEVBQUUsQ0FBQztJQUNiLEtBQUssSUFBSSxDQUFDLEdBQUcsS0FBSyxFQUFFLENBQUMsR0FBRyxHQUFHLEVBQUUsRUFBRSxDQUFDLEVBQUUsQ0FBQztRQUNqQyxHQUFHLElBQUksbUJBQW1CLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDckMsQ0FBQztJQUNELE9BQU8sR0FBRyxDQUFDO0FBQ2IsQ0FBQztBQUVELDhEQUE4RDtBQUM5RCxTQUFTLFdBQVcsQ0FBQyxHQUFlLEVBQUUsS0FBYSxFQUFFLEdBQVc7SUFDOUQsSUFBSSxNQUFNLEdBQUcsRUFBRSxDQUFDO0lBQ2hCLEdBQUcsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsR0FBRyxDQUFDLENBQUM7SUFFaEMsS0FBSyxJQUFJLENBQUMsR0FBRyxLQUFLLEVBQUUsQ0FBQyxHQUFHLEdBQUcsRUFBRSxFQUFFLENBQUMsRUFBRSxDQUFDO1FBQ2pDLE1BQU0sSUFBSSxNQUFNLENBQUMsWUFBWSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO0lBQ3hDLENBQUM7SUFFRCxPQUFPLE1BQU0sQ0FBQztBQUNoQixDQUFDO0FBRUQsU0FBUyxXQUFXLENBQUMsR0FBZSxFQUFFLEtBQWEsRUFBRSxHQUFXO0lBQzlELElBQUksS0FBSyxLQUFLLENBQUMsSUFBSSxHQUFHLEtBQUssR0FBRyxDQUFDLE1BQU0sRUFBRSxDQUFDO1FBQ3RDLE9BQU8saUJBQWlCLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDaEMsQ0FBQztTQUFNLENBQUM7UUFDTixPQUFPLGlCQUFpQixDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsS0FBSyxFQUFFLEdBQUcsQ0FBQyxDQUFDLENBQUM7SUFDbEQsQ0FBQztBQUNILENBQUM7QUFFRCw2REFBNkQ7QUFDN0QsTUFBTSxVQUFVLFlBQVksQ0FDMUIsTUFBa0IsRUFDbEIsV0FBOEIsTUFBTSxFQUNwQyxLQUFLLEdBQUcsQ0FBQyxFQUNULEdBQUcsR0FBRyxNQUFNLENBQUMsTUFBTTtJQUVuQixJQUFJLEtBQUssR0FBRyxDQUFDLEVBQUUsQ0FBQztRQUNkLEtBQUssR0FBRyxDQUFDLENBQUM7SUFDWixDQUFDO0lBRUQsSUFBSSxHQUFHLEdBQUcsTUFBTSxDQUFDLE1BQU0sRUFBRSxDQUFDO1FBQ3hCLEdBQUcsR0FBRyxNQUFNLENBQUMsTUFBTSxDQUFDO0lBQ3RCLENBQUM7SUFFRCwrRUFBK0U7SUFDL0UsdUJBQXVCO0lBQ3ZCLElBQUksS0FBSyxHQUFHLE1BQU0sQ0FBQyxNQUFNLElBQUksR0FBRyxJQUFJLENBQUMsSUFBSSxHQUFHLElBQUksS0FBSyxFQUFFLENBQUM7UUFDdEQsT0FBTyxFQUFFLENBQUM7SUFDWixDQUFDO0lBRUQsUUFBUSxRQUFRLEVBQUUsQ0FBQztRQUNqQixLQUFLLEtBQUs7WUFDUixPQUFPLFFBQVEsQ0FBQyxNQUFNLEVBQUUsS0FBSyxFQUFFLEdBQUcsQ0FBQyxDQUFDO1FBRXRDLEtBQUssTUFBTSxDQUFDO1FBQ1osS0FBSyxPQUFPO1lBQ1YsT0FBTyxTQUFTLENBQUMsTUFBTSxFQUFFLEtBQUssRUFBRSxHQUFHLENBQUMsQ0FBQztRQUV2QyxLQUFLLFFBQVEsQ0FBQztRQUNkLEtBQUssUUFBUTtZQUNYLE9BQU8sV0FBVyxDQUFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsR0FBRyxDQUFDLENBQUM7UUFFekMsS0FBSyxRQUFRO1lBQ1gsT0FBTyxXQUFXLENBQUMsTUFBTSxFQUFFLEtBQUssRUFBRSxHQUFHLENBQUMsQ0FBQztJQUMzQyxDQUFDO0FBQ0gsQ0FBQztBQUVELDZEQUE2RDtBQUM3RCxNQUFNLFVBQVUsU0FBUyxDQUFDLEdBQWUsRUFBRSxLQUFhLEVBQUUsR0FBVztJQUNuRSxHQUFHLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLEdBQUcsQ0FBQyxDQUFDO0lBQ2hDLE1BQU0sR0FBRyxHQUFhLEVBQUUsQ0FBQztJQUV6QixJQUFJLENBQUMsR0FBRyxLQUFLLENBQUM7SUFDZCxPQUFPLENBQUMsR0FBRyxHQUFHLEVBQUUsQ0FBQztRQUNmLE1BQU0sU0FBUyxHQUFHLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUN6QixJQUFJLFNBQVMsR0FBa0IsSUFBSSxDQUFDO1FBQ3BDLElBQUksZ0JBQWdCLEdBQUcsU0FBUyxHQUFHLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxTQUFTLEdBQUcsSUFBSSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLFNBQVMsR0FBRyxJQUFJLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBRTlGLElBQUksQ0FBQyxHQUFHLGdCQUFnQixJQUFJLEdBQUcsRUFBRSxDQUFDO1lBQ2hDLElBQUksVUFBVSxFQUFFLFNBQVMsRUFBRSxVQUFVLEVBQUUsYUFBYSxDQUFDO1lBRXJELFFBQVEsZ0JBQWdCLEVBQUUsQ0FBQztnQkFDekIsS0FBSyxDQUFDO29CQUNKLElBQUksU0FBUyxHQUFHLElBQUksRUFBRSxDQUFDO3dCQUNyQixTQUFTLEdBQUcsU0FBUyxDQUFDO29CQUN4QixDQUFDO29CQUNELE1BQU07Z0JBQ1IsS0FBSyxDQUFDO29CQUNKLFVBQVUsR0FBRyxHQUFHLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO29CQUN4QixJQUFJLENBQUMsVUFBVSxHQUFHLElBQUksQ0FBQyxLQUFLLElBQUksRUFBRSxDQUFDO3dCQUNqQyxhQUFhLEdBQUcsQ0FBQyxDQUFDLFNBQVMsR0FBRyxJQUFJLENBQUMsSUFBSSxHQUFHLENBQUMsR0FBRyxDQUFDLFVBQVUsR0FBRyxJQUFJLENBQUMsQ0FBQzt3QkFDbEUsSUFBSSxhQUFhLEdBQUcsSUFBSSxFQUFFLENBQUM7NEJBQ3pCLFNBQVMsR0FBRyxhQUFhLENBQUM7d0JBQzVCLENBQUM7b0JBQ0gsQ0FBQztvQkFDRCxNQUFNO2dCQUNSLEtBQUssQ0FBQztvQkFDSixVQUFVLEdBQUcsR0FBRyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztvQkFDeEIsU0FBUyxHQUFHLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7b0JBQ3ZCLElBQUksQ0FBQyxVQUFVLEdBQUcsSUFBSSxDQUFDLEtBQUssSUFBSSxJQUFJLENBQUMsU0FBUyxHQUFHLElBQUksQ0FBQyxLQUFLLElBQUksRUFBRSxDQUFDO3dCQUNoRSxhQUFhOzRCQUNYLENBQUMsQ0FBQyxTQUFTLEdBQUcsR0FBRyxDQUFDLElBQUksR0FBRyxDQUFDLEdBQUcsQ0FBQyxDQUFDLFVBQVUsR0FBRyxJQUFJLENBQUMsSUFBSSxHQUFHLENBQUMsR0FBRyxDQUFDLFNBQVMsR0FBRyxJQUFJLENBQUMsQ0FBQzt3QkFDakYsSUFBSSxhQUFhLEdBQUcsS0FBSyxJQUFJLENBQUMsYUFBYSxHQUFHLE1BQU0sSUFBSSxhQUFhLEdBQUcsTUFBTSxDQUFDLEVBQUUsQ0FBQzs0QkFDaEYsU0FBUyxHQUFHLGFBQWEsQ0FBQzt3QkFDNUIsQ0FBQztvQkFDSCxDQUFDO29CQUNELE1BQU07Z0JBQ1IsS0FBSyxDQUFDO29CQUNKLFVBQVUsR0FBRyxHQUFHLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO29CQUN4QixTQUFTLEdBQUcsR0FBRyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztvQkFDdkIsVUFBVSxHQUFHLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7b0JBQ3hCLElBQ0UsQ0FBQyxVQUFVLEdBQUcsSUFBSSxDQUFDLEtBQUssSUFBSTt3QkFDNUIsQ0FBQyxTQUFTLEdBQUcsSUFBSSxDQUFDLEtBQUssSUFBSTt3QkFDM0IsQ0FBQyxVQUFVLEdBQUcsSUFBSSxDQUFDLEtBQUssSUFBSSxFQUM1QixDQUFDO3dCQUNELGFBQWE7NEJBQ1gsQ0FBQyxDQUFDLFNBQVMsR0FBRyxHQUFHLENBQUMsSUFBSSxJQUFJLENBQUM7Z0NBQzNCLENBQUMsQ0FBQyxVQUFVLEdBQUcsSUFBSSxDQUFDLElBQUksR0FBRyxDQUFDO2dDQUM1QixDQUFDLENBQUMsU0FBUyxHQUFHLElBQUksQ0FBQyxJQUFJLEdBQUcsQ0FBQztnQ0FDM0IsQ0FBQyxVQUFVLEdBQUcsSUFBSSxDQUFDLENBQUM7d0JBQ3RCLElBQUksYUFBYSxHQUFHLE1BQU0sSUFBSSxhQUFhLEdBQUcsUUFBUSxFQUFFLENBQUM7NEJBQ3ZELFNBQVMsR0FBRyxhQUFhLENBQUM7d0JBQzVCLENBQUM7b0JBQ0gsQ0FBQztZQUNMLENBQUM7UUFDSCxDQUFDO1FBRUQsSUFBSSxTQUFTLEtBQUssSUFBSSxFQUFFLENBQUM7WUFDdkIsb0RBQW9EO1lBQ3BELG9EQUFvRDtZQUNwRCxTQUFTLEdBQUcsTUFBTSxDQUFDO1lBQ25CLGdCQUFnQixHQUFHLENBQUMsQ0FBQztRQUN2QixDQUFDO2FBQU0sSUFBSSxTQUFTLEdBQUcsTUFBTSxFQUFFLENBQUM7WUFDOUIseUNBQXlDO1lBQ3pDLFNBQVMsSUFBSSxPQUFPLENBQUM7WUFDckIsR0FBRyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsU0FBUyxLQUFLLEVBQUUsQ0FBQyxHQUFHLEtBQUssQ0FBQyxHQUFHLE1BQU0sQ0FBQyxDQUFDO1lBQ2hELFNBQVMsR0FBRyxNQUFNLEdBQUcsQ0FBQyxTQUFTLEdBQUcsS0FBSyxDQUFDLENBQUM7UUFDM0MsQ0FBQztRQUVELEdBQUcsQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLENBQUM7UUFDcEIsQ0FBQyxJQUFJLGdCQUFnQixDQUFDO0lBQ3hCLENBQUM7SUFFRCxPQUFPLHFCQUFxQixDQUFDLEdBQUcsQ0FBQyxDQUFDO0FBQ3BDLENBQUM7QUFFRCxNQUFNLG9CQUFvQixHQUFHLE1BQU0sQ0FBQztBQUVwQyw4REFBOEQ7QUFDOUQsU0FBUyxxQkFBcUIsQ0FBQyxVQUFvQjtJQUNqRCxNQUFNLEdBQUcsR0FBRyxVQUFVLENBQUMsTUFBTSxDQUFDO0lBQzlCLElBQUksR0FBRyxJQUFJLG9CQUFvQixFQUFFLENBQUM7UUFDaEMsT0FBTyxNQUFNLENBQUMsWUFBWSxDQUFDLEdBQUcsVUFBVSxDQUFDLENBQUMsQ0FBQyxzQkFBc0I7SUFDbkUsQ0FBQztJQUVELHdEQUF3RDtJQUN4RCxJQUFJLEdBQUcsR0FBRyxFQUFFLENBQUM7SUFDYixJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDVixPQUFPLENBQUMsR0FBRyxHQUFHLEVBQUUsQ0FBQztRQUNmLEdBQUcsSUFBSSxNQUFNLENBQUMsWUFBWSxDQUFDLEdBQUcsVUFBVSxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLElBQUksb0JBQW9CLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDbEYsQ0FBQztJQUNELE9BQU8sR0FBRyxDQUFDO0FBQ2IsQ0FBQztBQUVELE1BQU0saUJBQWlCLEdBQUcsbUJBQW1CLENBQUM7QUFFOUM7Ozs7Ozs7Ozs7O0dBV0c7QUFDSCxTQUFTLFdBQVcsQ0FBQyxHQUFXO0lBQzlCLHVEQUF1RDtJQUN2RCxHQUFHLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUN4Qix3RkFBd0Y7SUFDeEYsR0FBRyxHQUFHLEdBQUcsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxPQUFPLENBQUMsaUJBQWlCLEVBQUUsRUFBRSxDQUFDLENBQUM7SUFDaEQsOENBQThDO0lBQzlDLElBQUksR0FBRyxDQUFDLE1BQU0sR0FBRyxDQUFDO1FBQUUsT0FBTyxFQUFFLENBQUM7SUFDOUIsdUZBQXVGO0lBQ3ZGLE9BQU8sR0FBRyxDQUFDLE1BQU0sR0FBRyxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7UUFDNUIsR0FBRyxHQUFHLEdBQUcsR0FBRyxHQUFHLENBQUM7SUFDbEIsQ0FBQztJQUNELE9BQU8sR0FBRyxDQUFDO0FBQ2IsQ0FBQztBQUVELE1BQU0sVUFBVSxhQUFhLENBQUMsR0FBVztJQUN2QyxPQUFPLElBQUksVUFBVSxDQUFDLGlCQUFpQixDQUFDLFdBQVcsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUM7QUFDN0QsQ0FBQztBQUVEOzs7Ozs7Ozs7O0dBVUc7QUFDSCxNQUFNLENBQUMsS0FBSyxVQUFVLGFBQWE7SUFJakMsTUFBTSxNQUFNLEdBQUcsSUFBSSxZQUFZLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztJQUNsRCxNQUFNLHFCQUFxQixHQUFHLElBQUksUUFBUSxDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBQ25ELElBQUksQ0FBQyxxQkFBcUIsRUFBRSxXQUFXLEVBQUUsQ0FBQztRQUN4QyxNQUFNLElBQUksa0JBQWtCLENBQUMsZ0NBQWdDLENBQUMsQ0FBQztJQUNqRSxDQUFDO0lBQ0QsTUFBTSxHQUFHLEdBQUcsTUFBTSxxQkFBcUIsQ0FBQyxXQUFXLEVBQUUsQ0FBQztJQUN0RCxPQUFPLEVBQUUsZ0JBQWdCLEVBQUUsR0FBRyxFQUFFLGNBQWMsRUFBRSxHQUFHLEVBQUUsQ0FBQztBQUN4RCxDQUFDIn0=
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi8uLi90ZGYzL3NyYy91dGlscy9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQVcsUUFBUSxFQUFFLE1BQU0sb0JBQW9CLENBQUM7QUFDdkQsT0FBTyxFQUFFLFlBQVksRUFBRSxNQUFNLDhCQUE4QixDQUFDO0FBQzVELE9BQU8sRUFBRSxrQkFBa0IsRUFBRSxNQUFNLHdCQUF3QixDQUFDO0FBRTVELE9BQU8sRUFBRSxpQkFBaUIsRUFBRSxpQkFBaUIsRUFBRSxNQUFNLGtDQUFrQyxDQUFDO0FBRXhGLE9BQU8sRUFBRSxTQUFTLEVBQUUsWUFBWSxFQUFFLE1BQU0saUJBQWlCLENBQUM7QUFDMUQsT0FBTyxFQUFFLFNBQVMsRUFBRSxNQUFNLGlCQUFpQixDQUFDO0FBQzVDLE9BQU8sRUFBRSxRQUFRLEVBQUUsUUFBUSxFQUFFLE1BQU0sZUFBZSxDQUFDO0FBQ25ELE9BQU8sRUFBRSxjQUFjLEVBQUUsTUFBTSxzQ0FBc0MsQ0FBQztBQUl0RSxNQUFNLG1CQUFtQixHQUFHLENBQUMsR0FBRyxFQUFFO0lBQ2hDLE1BQU0sUUFBUSxHQUFHLGtCQUFrQixDQUFDO0lBQ3BDLE1BQU0sS0FBSyxHQUFHLElBQUksS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQzdCLEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxFQUFFLEVBQUUsRUFBRSxDQUFDLEVBQUUsQ0FBQztRQUM1QixNQUFNLEdBQUcsR0FBRyxDQUFDLEdBQUcsRUFBRSxDQUFDO1FBQ25CLEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxFQUFFLEVBQUUsRUFBRSxDQUFDLEVBQUUsQ0FBQztZQUM1QixLQUFLLENBQUMsR0FBRyxHQUFHLENBQUMsQ0FBQyxHQUFHLFFBQVEsQ0FBQyxDQUFDLENBQUMsR0FBRyxRQUFRLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDN0MsQ0FBQztJQUNILENBQUM7SUFDRCxPQUFPLEtBQUssQ0FBQztBQUNmLENBQUMsQ0FBQyxFQUFFLENBQUM7QUFFTCxNQUFNLFVBQVUsV0FBVyxDQUFDLFdBQXlCO0lBQ25ELE1BQU0sU0FBUyxHQUFHLFdBQVcsQ0FBQyxNQUFNLENBQ2xDLENBQUMsV0FBVyxFQUFFLFlBQVksRUFBRSxFQUFFLENBQUMsV0FBVyxHQUFHLFlBQVksQ0FBQyxNQUFNLEVBQ2hFLENBQUMsQ0FDRixDQUFDO0lBQ0YsTUFBTSxrQkFBa0IsR0FBRyxJQUFJLFVBQVUsQ0FBQyxTQUFTLENBQUMsQ0FBQztJQUVyRCxJQUFJLE1BQU0sR0FBRyxDQUFDLENBQUM7SUFDZixLQUFLLE1BQU0sVUFBVSxJQUFJLFdBQVcsRUFBRSxDQUFDO1FBQ3JDLGtCQUFrQixDQUFDLEdBQUcsQ0FBQyxVQUFVLEVBQUUsTUFBTSxDQUFDLENBQUM7UUFDM0MsTUFBTSxJQUFJLFVBQVUsQ0FBQyxNQUFNLENBQUM7SUFDOUIsQ0FBQztJQUVELE9BQU8sa0JBQWtCLENBQUM7QUFDNUIsQ0FBQztBQUVELE1BQU0sVUFBVSxZQUFZLENBQUMsVUFBc0IsRUFBRSxNQUFjO0lBQ2pFLE9BQU8sQ0FDTCxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUM7UUFDakIsQ0FBQyxVQUFVLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUM3QixDQUFDLFVBQVUsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxDQUFDO1FBQzlCLENBQUMsVUFBVSxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsSUFBSSxFQUFFLENBQUMsQ0FBQztRQUNqQyxDQUFDLENBQ0YsQ0FBQztBQUNKLENBQUM7QUFFRCxNQUFNLFVBQVUsWUFBWSxDQUFDLFVBQXNCLEVBQUUsTUFBYztJQUNqRSxPQUFPLFVBQVUsQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLFVBQVUsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUM7QUFDNUQsQ0FBQztBQUVELE1BQU0sVUFBVSxZQUFZLENBQUMsV0FBd0IsRUFBRSxNQUFjO0lBQ25FLE1BQU0sSUFBSSxHQUFHLElBQUksUUFBUSxDQUFDLFdBQVcsRUFBRSxNQUFNLEVBQUUsQ0FBQyxDQUFDLENBQUM7SUFDbEQsT0FBTyxJQUFJLENBQUMsU0FBUyxDQUFDLENBQUMsRUFBRSxLQUFLLENBQUMsQ0FBQztBQUNsQyxDQUFDO0FBRUQsTUFBTSxVQUFVLGFBQWEsQ0FBQyxVQUFzQixFQUFFLEtBQWEsRUFBRSxNQUFjO0lBQ2pGLFVBQVUsQ0FBQyxNQUFNLENBQUMsR0FBRyxLQUFLLEdBQUcsSUFBSSxDQUFDO0lBQ2xDLFVBQVUsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxLQUFLLElBQUksQ0FBQyxDQUFDLEdBQUcsSUFBSSxDQUFDO0FBQy9DLENBQUM7QUFFRCxNQUFNLFVBQVUsYUFBYSxDQUFDLFVBQXNCLEVBQUUsS0FBYSxFQUFFLE1BQWM7SUFDakYsVUFBVSxDQUFDLE1BQU0sQ0FBQyxHQUFHLEtBQUssR0FBRyxJQUFJLENBQUM7SUFDbEMsVUFBVSxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsR0FBRyxDQUFDLEtBQUssSUFBSSxDQUFDLENBQUMsR0FBRyxJQUFJLENBQUM7SUFDN0MsVUFBVSxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsR0FBRyxDQUFDLEtBQUssSUFBSSxFQUFFLENBQUMsR0FBRyxJQUFJLENBQUM7SUFDOUMsVUFBVSxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsR0FBRyxDQUFDLEtBQUssSUFBSSxFQUFFLENBQUMsR0FBRyxJQUFJLENBQUM7QUFDaEQsQ0FBQztBQUVELE1BQU0sVUFBVSxZQUFZLENBQzFCLE1BQWtCLEVBQ2xCLE1BQWtCLEVBQ2xCLGNBQXNCLENBQUMsRUFDdkIsY0FBc0IsQ0FBQyxFQUN2QixZQUFvQixNQUFNLENBQUMsTUFBTTtJQUVqQyxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLFNBQVMsR0FBRyxXQUFXLEVBQUUsTUFBTSxDQUFDLE1BQU0sR0FBRyxXQUFXLENBQUMsQ0FBQztJQUM5RSxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsV0FBVyxFQUFFLFdBQVcsR0FBRyxNQUFNLENBQUMsRUFBRSxXQUFXLENBQUMsQ0FBQztJQUM1RSxPQUFPLE1BQU0sQ0FBQztBQUNoQixDQUFDO0FBRUQsOERBQThEO0FBQzlELFNBQVMsUUFBUSxDQUFDLEdBQWUsRUFBRSxRQUFnQixDQUFDLEVBQUUsTUFBYyxHQUFHLENBQUMsTUFBTTtJQUM1RSxNQUFNLEdBQUcsR0FBRyxHQUFHLENBQUMsTUFBTSxDQUFDO0lBRXZCLElBQUksQ0FBQyxLQUFLLElBQUksS0FBSyxHQUFHLENBQUM7UUFBRSxLQUFLLEdBQUcsQ0FBQyxDQUFDO0lBQ25DLElBQUksQ0FBQyxHQUFHLElBQUksR0FBRyxHQUFHLENBQUMsSUFBSSxHQUFHLEdBQUcsR0FBRztRQUFFLEdBQUcsR0FBRyxHQUFHLENBQUM7SUFFNUMsSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO0lBQ2IsS0FBSyxJQUFJLENBQUMsR0FBRyxLQUFLLEVBQUUsQ0FBQyxHQUFHLEdBQUcsRUFBRSxFQUFFLENBQUMsRUFBRSxDQUFDO1FBQ2pDLEdBQUcsSUFBSSxtQkFBbUIsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUNyQyxDQUFDO0lBQ0QsT0FBTyxHQUFHLENBQUM7QUFDYixDQUFDO0FBRUQsOERBQThEO0FBQzlELFNBQVMsV0FBVyxDQUFDLEdBQWUsRUFBRSxLQUFhLEVBQUUsR0FBVztJQUM5RCxJQUFJLE1BQU0sR0FBRyxFQUFFLENBQUM7SUFDaEIsR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxHQUFHLENBQUMsQ0FBQztJQUVoQyxLQUFLLElBQUksQ0FBQyxHQUFHLEtBQUssRUFBRSxDQUFDLEdBQUcsR0FBRyxFQUFFLEVBQUUsQ0FBQyxFQUFFLENBQUM7UUFDakMsTUFBTSxJQUFJLE1BQU0sQ0FBQyxZQUFZLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDeEMsQ0FBQztJQUVELE9BQU8sTUFBTSxDQUFDO0FBQ2hCLENBQUM7QUFFRCxTQUFTLFdBQVcsQ0FBQyxHQUFlLEVBQUUsS0FBYSxFQUFFLEdBQVc7SUFDOUQsSUFBSSxLQUFLLEtBQUssQ0FBQyxJQUFJLEdBQUcsS0FBSyxHQUFHLENBQUMsTUFBTSxFQUFFLENBQUM7UUFDdEMsT0FBTyxpQkFBaUIsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUNoQyxDQUFDO1NBQU0sQ0FBQztRQUNOLE9BQU8saUJBQWlCLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxLQUFLLEVBQUUsR0FBRyxDQUFDLENBQUMsQ0FBQztJQUNsRCxDQUFDO0FBQ0gsQ0FBQztBQUVELDZEQUE2RDtBQUM3RCxNQUFNLFVBQVUsWUFBWSxDQUMxQixNQUFrQixFQUNsQixXQUE4QixNQUFNLEVBQ3BDLEtBQUssR0FBRyxDQUFDLEVBQ1QsR0FBRyxHQUFHLE1BQU0sQ0FBQyxNQUFNO0lBRW5CLElBQUksS0FBSyxHQUFHLENBQUMsRUFBRSxDQUFDO1FBQ2QsS0FBSyxHQUFHLENBQUMsQ0FBQztJQUNaLENBQUM7SUFFRCxJQUFJLEdBQUcsR0FBRyxNQUFNLENBQUMsTUFBTSxFQUFFLENBQUM7UUFDeEIsR0FBRyxHQUFHLE1BQU0sQ0FBQyxNQUFNLENBQUM7SUFDdEIsQ0FBQztJQUVELCtFQUErRTtJQUMvRSx1QkFBdUI7SUFDdkIsSUFBSSxLQUFLLEdBQUcsTUFBTSxDQUFDLE1BQU0sSUFBSSxHQUFHLElBQUksQ0FBQyxJQUFJLEdBQUcsSUFBSSxLQUFLLEVBQUUsQ0FBQztRQUN0RCxPQUFPLEVBQUUsQ0FBQztJQUNaLENBQUM7SUFFRCxRQUFRLFFBQVEsRUFBRSxDQUFDO1FBQ2pCLEtBQUssS0FBSztZQUNSLE9BQU8sUUFBUSxDQUFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsR0FBRyxDQUFDLENBQUM7UUFFdEMsS0FBSyxNQUFNLENBQUM7UUFDWixLQUFLLE9BQU87WUFDVixPQUFPLFNBQVMsQ0FBQyxNQUFNLEVBQUUsS0FBSyxFQUFFLEdBQUcsQ0FBQyxDQUFDO1FBRXZDLEtBQUssUUFBUSxDQUFDO1FBQ2QsS0FBSyxRQUFRO1lBQ1gsT0FBTyxXQUFXLENBQUMsTUFBTSxFQUFFLEtBQUssRUFBRSxHQUFHLENBQUMsQ0FBQztRQUV6QyxLQUFLLFFBQVE7WUFDWCxPQUFPLFdBQVcsQ0FBQyxNQUFNLEVBQUUsS0FBSyxFQUFFLEdBQUcsQ0FBQyxDQUFDO0lBQzNDLENBQUM7QUFDSCxDQUFDO0FBRUQsNkRBQTZEO0FBQzdELE1BQU0sVUFBVSxTQUFTLENBQUMsR0FBZSxFQUFFLEtBQWEsRUFBRSxHQUFXO0lBQ25FLEdBQUcsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsR0FBRyxDQUFDLENBQUM7SUFDaEMsTUFBTSxHQUFHLEdBQWEsRUFBRSxDQUFDO0lBRXpCLElBQUksQ0FBQyxHQUFHLEtBQUssQ0FBQztJQUNkLE9BQU8sQ0FBQyxHQUFHLEdBQUcsRUFBRSxDQUFDO1FBQ2YsTUFBTSxTQUFTLEdBQUcsR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ3pCLElBQUksU0FBUyxHQUFrQixJQUFJLENBQUM7UUFDcEMsSUFBSSxnQkFBZ0IsR0FBRyxTQUFTLEdBQUcsSUFBSSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLFNBQVMsR0FBRyxJQUFJLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsU0FBUyxHQUFHLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFFOUYsSUFBSSxDQUFDLEdBQUcsZ0JBQWdCLElBQUksR0FBRyxFQUFFLENBQUM7WUFDaEMsSUFBSSxVQUFVLEVBQUUsU0FBUyxFQUFFLFVBQVUsRUFBRSxhQUFhLENBQUM7WUFFckQsUUFBUSxnQkFBZ0IsRUFBRSxDQUFDO2dCQUN6QixLQUFLLENBQUM7b0JBQ0osSUFBSSxTQUFTLEdBQUcsSUFBSSxFQUFFLENBQUM7d0JBQ3JCLFNBQVMsR0FBRyxTQUFTLENBQUM7b0JBQ3hCLENBQUM7b0JBQ0QsTUFBTTtnQkFDUixLQUFLLENBQUM7b0JBQ0osVUFBVSxHQUFHLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7b0JBQ3hCLElBQUksQ0FBQyxVQUFVLEdBQUcsSUFBSSxDQUFDLEtBQUssSUFBSSxFQUFFLENBQUM7d0JBQ2pDLGFBQWEsR0FBRyxDQUFDLENBQUMsU0FBUyxHQUFHLElBQUksQ0FBQyxJQUFJLEdBQUcsQ0FBQyxHQUFHLENBQUMsVUFBVSxHQUFHLElBQUksQ0FBQyxDQUFDO3dCQUNsRSxJQUFJLGFBQWEsR0FBRyxJQUFJLEVBQUUsQ0FBQzs0QkFDekIsU0FBUyxHQUFHLGFBQWEsQ0FBQzt3QkFDNUIsQ0FBQztvQkFDSCxDQUFDO29CQUNELE1BQU07Z0JBQ1IsS0FBSyxDQUFDO29CQUNKLFVBQVUsR0FBRyxHQUFHLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO29CQUN4QixTQUFTLEdBQUcsR0FBRyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztvQkFDdkIsSUFBSSxDQUFDLFVBQVUsR0FBRyxJQUFJLENBQUMsS0FBSyxJQUFJLElBQUksQ0FBQyxTQUFTLEdBQUcsSUFBSSxDQUFDLEtBQUssSUFBSSxFQUFFLENBQUM7d0JBQ2hFLGFBQWE7NEJBQ1gsQ0FBQyxDQUFDLFNBQVMsR0FBRyxHQUFHLENBQUMsSUFBSSxHQUFHLENBQUMsR0FBRyxDQUFDLENBQUMsVUFBVSxHQUFHLElBQUksQ0FBQyxJQUFJLEdBQUcsQ0FBQyxHQUFHLENBQUMsU0FBUyxHQUFHLElBQUksQ0FBQyxDQUFDO3dCQUNqRixJQUFJLGFBQWEsR0FBRyxLQUFLLElBQUksQ0FBQyxhQUFhLEdBQUcsTUFBTSxJQUFJLGFBQWEsR0FBRyxNQUFNLENBQUMsRUFBRSxDQUFDOzRCQUNoRixTQUFTLEdBQUcsYUFBYSxDQUFDO3dCQUM1QixDQUFDO29CQUNILENBQUM7b0JBQ0QsTUFBTTtnQkFDUixLQUFLLENBQUM7b0JBQ0osVUFBVSxHQUFHLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7b0JBQ3hCLFNBQVMsR0FBRyxHQUFHLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO29CQUN2QixVQUFVLEdBQUcsR0FBRyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztvQkFDeEIsSUFDRSxDQUFDLFVBQVUsR0FBRyxJQUFJLENBQUMsS0FBSyxJQUFJO3dCQUM1QixDQUFDLFNBQVMsR0FBRyxJQUFJLENBQUMsS0FBSyxJQUFJO3dCQUMzQixDQUFDLFVBQVUsR0FBRyxJQUFJLENBQUMsS0FBSyxJQUFJLEVBQzVCLENBQUM7d0JBQ0QsYUFBYTs0QkFDWCxDQUFDLENBQUMsU0FBUyxHQUFHLEdBQUcsQ0FBQyxJQUFJLElBQUksQ0FBQztnQ0FDM0IsQ0FBQyxDQUFDLFVBQVUsR0FBRyxJQUFJLENBQUMsSUFBSSxHQUFHLENBQUM7Z0NBQzVCLENBQUMsQ0FBQyxTQUFTLEdBQUcsSUFBSSxDQUFDLElBQUksR0FBRyxDQUFDO2dDQUMzQixDQUFDLFVBQVUsR0FBRyxJQUFJLENBQUMsQ0FBQzt3QkFDdEIsSUFBSSxhQUFhLEdBQUcsTUFBTSxJQUFJLGFBQWEsR0FBRyxRQUFRLEVBQUUsQ0FBQzs0QkFDdkQsU0FBUyxHQUFHLGFBQWEsQ0FBQzt3QkFDNUIsQ0FBQztvQkFDSCxDQUFDO1lBQ0wsQ0FBQztRQUNILENBQUM7UUFFRCxJQUFJLFNBQVMsS0FBSyxJQUFJLEVBQUUsQ0FBQztZQUN2QixvREFBb0Q7WUFDcEQsb0RBQW9EO1lBQ3BELFNBQVMsR0FBRyxNQUFNLENBQUM7WUFDbkIsZ0JBQWdCLEdBQUcsQ0FBQyxDQUFDO1FBQ3ZCLENBQUM7YUFBTSxJQUFJLFNBQVMsR0FBRyxNQUFNLEVBQUUsQ0FBQztZQUM5Qix5Q0FBeUM7WUFDekMsU0FBUyxJQUFJLE9BQU8sQ0FBQztZQUNyQixHQUFHLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxTQUFTLEtBQUssRUFBRSxDQUFDLEdBQUcsS0FBSyxDQUFDLEdBQUcsTUFBTSxDQUFDLENBQUM7WUFDaEQsU0FBUyxHQUFHLE1BQU0sR0FBRyxDQUFDLFNBQVMsR0FBRyxLQUFLLENBQUMsQ0FBQztRQUMzQyxDQUFDO1FBRUQsR0FBRyxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsQ0FBQztRQUNwQixDQUFDLElBQUksZ0JBQWdCLENBQUM7SUFDeEIsQ0FBQztJQUVELE9BQU8scUJBQXFCLENBQUMsR0FBRyxDQUFDLENBQUM7QUFDcEMsQ0FBQztBQUVELE1BQU0sb0JBQW9CLEdBQUcsTUFBTSxDQUFDO0FBRXBDLDhEQUE4RDtBQUM5RCxTQUFTLHFCQUFxQixDQUFDLFVBQW9CO0lBQ2pELE1BQU0sR0FBRyxHQUFHLFVBQVUsQ0FBQyxNQUFNLENBQUM7SUFDOUIsSUFBSSxHQUFHLElBQUksb0JBQW9CLEVBQUUsQ0FBQztRQUNoQyxPQUFPLE1BQU0sQ0FBQyxZQUFZLENBQUMsR0FBRyxVQUFVLENBQUMsQ0FBQyxDQUFDLHNCQUFzQjtJQUNuRSxDQUFDO0lBRUQsd0RBQXdEO0lBQ3hELElBQUksR0FBRyxHQUFHLEVBQUUsQ0FBQztJQUNiLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUNWLE9BQU8sQ0FBQyxHQUFHLEdBQUcsRUFBRSxDQUFDO1FBQ2YsR0FBRyxJQUFJLE1BQU0sQ0FBQyxZQUFZLENBQUMsR0FBRyxVQUFVLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsSUFBSSxvQkFBb0IsQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUNsRixDQUFDO0lBQ0QsT0FBTyxHQUFHLENBQUM7QUFDYixDQUFDO0FBRUQsTUFBTSxpQkFBaUIsR0FBRyxtQkFBbUIsQ0FBQztBQUU5Qzs7Ozs7Ozs7Ozs7R0FXRztBQUNILFNBQVMsV0FBVyxDQUFDLEdBQVc7SUFDOUIsdURBQXVEO0lBQ3ZELEdBQUcsR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO0lBQ3hCLHdGQUF3RjtJQUN4RixHQUFHLEdBQUcsR0FBRyxDQUFDLElBQUksRUFBRSxDQUFDLE9BQU8sQ0FBQyxpQkFBaUIsRUFBRSxFQUFFLENBQUMsQ0FBQztJQUNoRCw4Q0FBOEM7SUFDOUMsSUFBSSxHQUFHLENBQUMsTUFBTSxHQUFHLENBQUM7UUFBRSxPQUFPLEVBQUUsQ0FBQztJQUM5Qix1RkFBdUY7SUFDdkYsT0FBTyxHQUFHLENBQUMsTUFBTSxHQUFHLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztRQUM1QixHQUFHLEdBQUcsR0FBRyxHQUFHLEdBQUcsQ0FBQztJQUNsQixDQUFDO0lBQ0QsT0FBTyxHQUFHLENBQUM7QUFDYixDQUFDO0FBRUQsTUFBTSxVQUFVLGFBQWEsQ0FBQyxHQUFXO0lBQ3ZDLE9BQU8sSUFBSSxVQUFVLENBQUMsaUJBQWlCLENBQUMsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQztBQUM3RCxDQUFDO0FBRUQ7Ozs7Ozs7Ozs7R0FVRztBQUNILE1BQU0sQ0FBQyxLQUFLLFVBQVUsYUFBYSxDQUFDLGFBQTRCO0lBSTlELE1BQU0sTUFBTSxHQUFHLElBQUksWUFBWSxDQUFDLGFBQWEsQ0FBQyxDQUFDO0lBQy9DLE1BQU0scUJBQXFCLEdBQUcsSUFBSSxRQUFRLENBQUMsTUFBTSxDQUFDLENBQUM7SUFDbkQsSUFBSSxDQUFDLHFCQUFxQixFQUFFLFdBQVcsRUFBRSxDQUFDO1FBQ3hDLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyxnQ0FBZ0MsQ0FBQyxDQUFDO0lBQ2pFLENBQUM7SUFDRCxNQUFNLEdBQUcsR0FBRyxNQUFNLHFCQUFxQixDQUFDLFdBQVcsRUFBRSxDQUFDO0lBQ3RELE9BQU8sRUFBRSxnQkFBZ0IsRUFBRSxHQUFHLEVBQUUsY0FBYyxFQUFFLEdBQUcsRUFBRSxDQUFDO0FBQ3hELENBQUMifQ==

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opentdf/sdk",
-  "version": "0.9.0-beta.91",
+  "version": "0.9.0-beta.93",
   "description": "OpenTDF for the Web",
   "homepage": "https://github.com/opentdf/web-sdk",
   "bugs": {
@@ -48,6 +48,13 @@
         "import": "./dist/web/src/encodings/index.js"
       }
     },
+    "./cryptoutils": {
+      "default": {
+        "types": "./dist/types/src/crypto/index.d.ts",
+        "require": "./dist/cjs/src/crypto/index.js",
+        "import": "./dist/web/src/crypto/index.js"
+      }
+    },
     "./platform": {
       "types": "./dist/types/src/platform.d.ts",
       "require": "./dist/cjs/src/platform.js",
@@ -60,7 +67,7 @@
     }
   },
   "scripts": {
-    "build": "npm run clean && tsc && tsc --project tsconfig.commonjs.json && ../scripts/add-module-types.sh",
+    "build": "npm run vendor:jose-jwt-helpers && npm run clean && tsc && tsc --project tsconfig.commonjs.json && ../scripts/add-module-types.sh",
     "build:watch": "tsc --watch",
     "clean": "rm -rf {build,coverage,dist,tests/mocha/dist}",
     "coverage:merge": "for x in mocha wtr; do cp coverage/$x/coverage-final.json coverage/$x.json; done; nyc report --reporter text --reporter lcov -t coverage --lines 75 --statements 75 --branches 70 --functions 65 --check-coverage >coverage/coverage.txt",
@@ -71,6 +78,7 @@
     "lint": "eslint ./src/**/*.ts ./tdf3/**/*.ts ./tests/**/*.ts",
     "prepack": "npm run build",
     "test": "npm run build && npm run test:with-server",
+    "vendor:jose-jwt-helpers": "node scripts/vendor-jose-jwt-helpers.cjs",
     "mock:platform": "npm run build && node dist/web/tests/server.js",
     "test:with-server": "node dist/web/tests/server.js & trap \"node dist/web/tests/stopServer.js\" EXIT; npm run test:mocha && npm run test:wtr && npm run test:browser && npm run coverage:merge",
     "test:browser": "npx webpack --config webpack.test.config.cjs && npx karma start karma.conf.cjs",
@@ -83,8 +91,7 @@
     "@connectrpc/connect": "^2.0.2",
     "@connectrpc/connect-web": "^2.0.2",
     "buffer-crc32": "^1.0.0",
-    "dpop": "^1.4.1",
-    "jose": "^6.0.8",
+    "jose": "6.0.8",
     "json-canonicalize": "^1.0.6",
     "uuid": "~11.1.0"
   },

package/src/access/access-fetch.ts

@@ -1,9 +1,4 @@
-import {
-  KasPublicKeyAlgorithm,
-  KasPublicKeyInfo,
-  noteInvalidPublicKey,
-  OriginAllowList,
-} from '../access.js';
+import { KasPublicKeyAlgorithm, KasPublicKeyInfo, OriginAllowList } from '../access.js';
 import { type AuthProvider } from '../auth/auth.js';
 import {
   ConfigurationError,
@@ -13,7 +8,7 @@ import {
   ServiceError,
   UnauthenticatedError,
 } from '../errors.js';
-import { pemToCryptoPublicKey, validateSecureUrl } from '../utils.js';
+import { validateSecureUrl } from '../utils.js';
 
 export type RewrapRequest = {
   signedRequestToken: string;
@@ -194,7 +189,6 @@ export async function fetchKasPubKey(
     );
   }
   return {
-    key: noteInvalidPublicKey(pkUrlV2, pemToCryptoPublicKey(publicKey)),
     publicKey,
     url: kasEndpoint,
     algorithm: algorithm || 'rsa:2048',

package/src/access/access-rpc.ts

@@ -3,7 +3,6 @@ import {
   isPublicKeyAlgorithm,
   KasPublicKeyAlgorithm,
   KasPublicKeyInfo,
-  noteInvalidPublicKey,
   OriginAllowList,
 } from '../access.js';
 
@@ -22,7 +21,6 @@ import { ListKeyAccessServersResponse } from '../platform/policy/kasregistry/key
 import {
   extractRpcErrorMessage,
   getPlatformUrlFromKasEndpoint,
-  pemToCryptoPublicKey,
   validateSecureUrl,
 } from '../utils.js';
 import { X_REWRAP_ADDITIONAL_CONTEXT } from './constants.js';
@@ -201,7 +199,6 @@ export async function fetchKasPubKey(
       v: '2',
     });
     const result: KasPublicKeyInfo = {
-      key: noteInvalidPublicKey(new URL(platformUrl), pemToCryptoPublicKey(publicKey)),
       publicKey,
       url: kasEndpoint,
       algorithm: algorithm || 'rsa:2048',
@@ -240,10 +237,6 @@ export async function fetchKasBasePubKey(kasEndpoint: string): Promise<KasPublic
     }
 
     const result: KasPublicKeyInfo = {
-      key: noteInvalidPublicKey(
-        new URL(baseKey.kas_uri),
-        pemToCryptoPublicKey(baseKey.public_key.pem)
-      ),
       publicKey: baseKey.public_key.pem,
       url: baseKey.kas_uri,
       algorithm: baseKey.public_key.algorithm,

package/src/access.ts

@@ -1,5 +1,4 @@
 import { type AuthProvider } from './auth/auth.js';
-import { ServiceError } from './errors.js';
 import { RewrapResponse } from './platform/kas/kas_pb.js';
 import { getPlatformUrlFromKasEndpoint, validateSecureUrl } from './utils.js';
 import { base64 } from './encodings/index.js';
@@ -155,24 +154,8 @@ export type KasPublicKeyInfo = {
 
   /** The key value, encoded within a PEM envelope */
   publicKey: string;
-
-  /** A subtle crypto version of the key.
-   * This can be used for wrapping key data for key access objects (with RSA)
-   * or to derive key data (with EC keys). */
-  key: Promise<CryptoKey>;
 };
 
-export async function noteInvalidPublicKey(url: URL, r: Promise<CryptoKey>): Promise<CryptoKey> {
-  try {
-    return await r;
-  } catch (e) {
-    if (e instanceof TypeError) {
-      throw new ServiceError(`invalid public key from [${url}]`, e);
-    }
-    throw e;
-  }
-}
-
 /**
  * Fetches the key access servers for a given platform URL.
  * @param platformUrl The platform URL to fetch key access servers for.

package/src/auth/auth.ts

@@ -1,4 +1,9 @@
-import { type JWTHeaderParameters, type JWTPayload, SignJWT } from 'jose';
+import {
+  type CryptoService,
+  type KeyPair,
+  type PrivateKey,
+} from '../../tdf3/src/crypto/declarations.js';
+import { signJwt, type JwtHeader, type JwtPayload } from '../../tdf3/src/crypto/jwt.js';
 
 export type HttpMethod =
   | 'GET'
@@ -54,22 +59,26 @@ function getTimestampInSeconds() {
 
 /**
  * Generate a JWT (or JWS-ed object)
- * @param toSign the data to sign. Interpreted as JWTPayload but AFAIK this isn't required
- * @param privateKey an RSA key
+ * @param toSign the data to sign. Interpreted as JwtPayload but AFAIK this isn't required
+ * @param privateKey an opaque RSA private key
+ * @param cryptoService the crypto service to use for signing
+ * @param jwtProtectedHeader optional JWT header, defaults to RS256
  * @returns the signed object, with a JWS header. This may be a JWT.
  */
 export async function reqSignature(
   toSign: unknown,
-  privateKey: CryptoKey,
-  jwtProtectedHeader: JWTHeaderParameters = { alg: 'RS256' }
+  privateKey: PrivateKey,
+  cryptoService: CryptoService,
+  jwtProtectedHeader: JwtHeader = { alg: 'RS256' }
 ) {
   const now = getTimestampInSeconds();
   const anHour = 3600;
-  return new SignJWT(toSign as JWTPayload)
-    .setProtectedHeader(jwtProtectedHeader)
-    .setIssuedAt(now - anHour)
-    .setExpirationTime(now + anHour)
-    .sign(privateKey);
+  const payload: JwtPayload = {
+    ...(toSign as JwtPayload),
+    iat: now - anHour,
+    exp: now + anHour,
+  };
+  return signJwt(cryptoService, payload, privateKey, jwtProtectedHeader);
 }
 
 /**
@@ -90,10 +99,10 @@ export type AuthProvider = {
    * using the cached refresh token, and update the auth server config with the
    * current key.
    *
-   * @param signingKey the client signing key pair. Will be bound
+   * @param signingKey the client signing key pair (opaque keys). Will be bound
    * to the OIDC token and require a DPoP header, when set.
    */
-  updateClientPublicKey(signingKey?: CryptoKeyPair): Promise<void>;
+  updateClientPublicKey(signingKey?: KeyPair): Promise<void>;
 
   /**
    * Augment the provided http request with custom auth info to be used by backend services.

package/src/auth/dpop.ts

@@ -0,0 +1,222 @@
+// pulled from https://github.com/panva/dpop/tree/v1.4.1
+// Modified to use CryptoService instead of crypto.subtle
+
+import type {
+  CryptoService,
+  KeyPair,
+  PrivateKey,
+  AsymmetricSigningAlgorithm,
+} from '../../tdf3/src/crypto/declarations.js';
+
+export type JsonObject = { [Key in string]?: JsonValue };
+export type JsonArray = JsonValue[];
+export type JsonPrimitive = string | number | boolean | null;
+export type JsonValue = JsonPrimitive | JsonObject | JsonArray;
+
+const encoder = new TextEncoder();
+
+function buf(input: string): Uint8Array {
+  return encoder.encode(input);
+}
+
+interface DPoPJwtHeaderParameters {
+  alg: JWSAlgorithm;
+  typ: string;
+  jwk: JsonWebKey;
+}
+
+/**
+ * Minimal JWT sign() implementation using CryptoService.
+ */
+async function jwt(
+  header: DPoPJwtHeaderParameters,
+  claimsSet: Record<string, unknown>,
+  privateKey: PrivateKey,
+  cryptoService: CryptoService
+) {
+  const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(claimsSet)))}`;
+  const signature = await cryptoService.sign(
+    buf(input),
+    privateKey,
+    header.alg as AsymmetricSigningAlgorithm
+  );
+  return `${input}.${b64u(signature)}`;
+}
+
+const CHUNK_SIZE = 0x8000;
+function encodeBase64Url(input: Uint8Array | ArrayBuffer) {
+  const bytes = input instanceof ArrayBuffer ? new Uint8Array(input) : input;
+
+  const arr = [];
+  for (let i = 0; i < bytes.byteLength; i += CHUNK_SIZE) {
+    arr.push(
+      String.fromCharCode.apply(null, bytes.subarray(i, i + CHUNK_SIZE) as unknown as number[])
+    );
+  }
+  return btoa(arr.join('')).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+}
+
+function b64u(input: Uint8Array | ArrayBuffer) {
+  return encodeBase64Url(input);
+}
+
+/**
+ * Generates 32 random bytes and encodes them using base64url.
+ */
+async function randomBytes(cryptoService: CryptoService) {
+  return b64u(await cryptoService.randomBytes(32));
+}
+
+/**
+ * Supported JWS `alg` Algorithm identifiers.
+ *
+ * @example PS256 CryptoKey algorithm
+ * ```ts
+ * interface Ps256Algorithm extends RsaHashedKeyAlgorithm {
+ *   name: 'RSA-PSS'
+ *   hash: { name: 'SHA-256' }
+ * }
+ * ```
+ *
+ * @example CryptoKey algorithm for the `ES256` JWS Algorithm Identifier
+ * ```ts
+ * interface Es256Algorithm extends EcKeyAlgorithm {
+ *   name: 'ECDSA'
+ *   namedCurve: 'P-256'
+ * }
+ * ```
+ *
+ * @example CryptoKey algorithm for the `RS256` JWS Algorithm Identifier
+ * ```ts
+ * interface Rs256Algorithm extends RsaHashedKeyAlgorithm {
+ *   name: 'RSASSA-PKCS1-v1_5'
+ *   hash: { name: 'SHA-256' }
+ * }
+ * ```
+ *
+ * @example CryptoKey algorithm for the `EdDSA` JWS Algorithm Identifier (Experimental)
+ *
+ * Runtime support for this algorithm is very limited, it depends on the [Secure Curves in the Web
+ * Cryptography API](https://wicg.github.io/webcrypto-secure-curves/) proposal which is yet to be
+ * widely adopted. If the proposal changes this implementation will follow up with a minor release.
+ *
+ * ```ts
+ * interface EdDSAAlgorithm extends KeyAlgorithm {
+ *   name: 'Ed25519'
+ * }
+ * ```
+ */
+export type JWSAlgorithm = 'PS256' | 'ES256' | 'ES384' | 'ES512' | 'RS256' | 'EdDSA';
+
+class UnsupportedOperationError extends Error {
+  constructor(message?: string) {
+    super(message ?? 'operation not supported');
+    this.name = this.constructor.name;
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+
+/**
+ * Determines a supported JWS `alg` identifier from PublicKeyInfo algorithm string.
+ */
+function determineJWSAlgorithmFromKeyInfo(algorithm: string): JWSAlgorithm {
+  if (algorithm.startsWith('rsa:')) {
+    return 'RS256';
+  }
+  switch (algorithm) {
+    case 'ec:secp256r1':
+      return 'ES256';
+    case 'ec:secp384r1':
+      return 'ES384';
+    case 'ec:secp521r1':
+      return 'ES512';
+    default:
+      throw new UnsupportedOperationError(`unsupported key algorithm: ${algorithm}`);
+  }
+}
+
+/**
+ * Returns the current unix timestamp in seconds.
+ */
+function epochTime() {
+  return Math.floor(Date.now() / 1000);
+}
+
+/**
+ * Generates a unique DPoP Proof JWT.
+ *
+ * @param keypair Opaque key pair
+ * @param cryptoService CryptoService for cryptographic operations
+ * @param htu The HTTP URI (without query and fragment parts) of the request
+ * @param htm The HTTP method of the request
+ * @param nonce Server-provided nonce.
+ * @param accessToken Associated access token's value.
+ * @param additional Any additional claims.
+ */
+export default async function DPoP(
+  keypair: KeyPair,
+  cryptoService: CryptoService,
+  htu: string,
+  htm: string,
+  nonce?: string,
+  accessToken?: string,
+  additional?: Record<string, JsonValue>
+): Promise<string> {
+  const privateKey = keypair?.privateKey;
+  const publicKey = keypair?.publicKey;
+
+  if (typeof htu !== 'string') {
+    throw new TypeError('"htu" must be a string');
+  }
+
+  if (typeof htm !== 'string') {
+    throw new TypeError('"htm" must be a string');
+  }
+
+  if (nonce !== undefined && typeof nonce !== 'string') {
+    throw new TypeError('"nonce" must be a string or undefined');
+  }
+
+  if (accessToken !== undefined && typeof accessToken !== 'string') {
+    throw new TypeError('"accessToken" must be a string or undefined');
+  }
+
+  if (
+    additional !== undefined &&
+    (typeof additional !== 'object' || additional === null || Array.isArray(additional))
+  ) {
+    throw new TypeError('"additional" must be an object');
+  }
+
+  // Detect algorithm from opaque key metadata
+  const alg = determineJWSAlgorithmFromKeyInfo(publicKey.algorithm);
+
+  // Export public key as JWK for the header
+  const jwk = await cryptoService.exportPublicKeyJwk(publicKey);
+
+  // Compute access token hash if provided
+  let ath: string | undefined;
+  if (accessToken) {
+    const athBytes = await cryptoService.digest('SHA-256', buf(accessToken));
+    ath = b64u(athBytes);
+  }
+
+  return jwt(
+    {
+      alg,
+      typ: 'dpop+jwt',
+      jwk,
+    },
+    {
+      ...additional,
+      iat: epochTime(),
+      jti: await randomBytes(cryptoService),
+      htm,
+      nonce,
+      htu,
+      ath,
+    },
+    privateKey,
+    cryptoService
+  );
+}

package/src/auth/oidc-clientcredentials-provider.ts

@@ -1,32 +1,40 @@
 import { ConfigurationError } from '../errors.js';
 import { AuthProvider, type HttpRequest } from './auth.js';
 import { AccessToken, type ClientSecretCredentials } from './oidc.js';
+import * as defaultCryptoService from '../../tdf3/src/crypto/index.js';
+import { type CryptoService, type KeyPair } from '../../tdf3/src/crypto/declarations.js';
 
 export class OIDCClientCredentialsProvider implements AuthProvider {
   oidcAuth: AccessToken;
 
-  constructor({
-    clientId,
-    clientSecret,
-    oidcOrigin,
-    oidcTokenEndpoint,
-    oidcUserInfoEndpoint,
-  }: Partial<ClientSecretCredentials> & Omit<ClientSecretCredentials, 'exchange'>) {
-    if (!clientId || !clientSecret) {
-      throw new ConfigurationError('clientId & clientSecret required for client credentials flow');
-    }
-
-    this.oidcAuth = new AccessToken({
-      exchange: 'client',
+  constructor(
+    {
       clientId,
       clientSecret,
       oidcOrigin,
       oidcTokenEndpoint,
       oidcUserInfoEndpoint,
-    });
+    }: Partial<ClientSecretCredentials> & Omit<ClientSecretCredentials, 'exchange'>,
+    cryptoService: CryptoService = defaultCryptoService
+  ) {
+    if (!clientId || !clientSecret) {
+      throw new ConfigurationError('clientId & clientSecret required for client credentials flow');
+    }
+
+    this.oidcAuth = new AccessToken(
+      {
+        exchange: 'client',
+        clientId,
+        clientSecret,
+        oidcOrigin,
+        oidcTokenEndpoint,
+        oidcUserInfoEndpoint,
+      },
+      cryptoService
+    );
   }
 
-  async updateClientPublicKey(signingKey: CryptoKeyPair): Promise<void> {
+  async updateClientPublicKey(signingKey: KeyPair): Promise<void> {
     await this.oidcAuth.refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey);
   }
 

package/src/auth/oidc-externaljwt-provider.ts

@@ -1,35 +1,43 @@
 import { ConfigurationError } from '../errors.js';
 import { type AuthProvider, type HttpRequest } from './auth.js';
 import { AccessToken, type ExternalJwtCredentials } from './oidc.js';
+import * as defaultCryptoService from '../../tdf3/src/crypto/index.js';
+import { type CryptoService, type KeyPair } from '../../tdf3/src/crypto/declarations.js';
 
 export class OIDCExternalJwtProvider implements AuthProvider {
   oidcAuth: AccessToken;
   externalJwt?: string;
 
-  constructor({
-    clientId,
-    externalJwt,
-    oidcOrigin,
-    oidcTokenEndpoint,
-    oidcUserInfoEndpoint,
-  }: Partial<ExternalJwtCredentials> & Omit<ExternalJwtCredentials, 'exchange'>) {
-    if (!clientId || !externalJwt) {
-      throw new ConfigurationError('external JWT exchange reequires client id and jwt');
-    }
-
-    this.oidcAuth = new AccessToken({
-      exchange: 'external',
+  constructor(
+    {
       clientId,
       externalJwt,
       oidcOrigin,
       oidcTokenEndpoint,
       oidcUserInfoEndpoint,
-    });
+    }: Partial<ExternalJwtCredentials> & Omit<ExternalJwtCredentials, 'exchange'>,
+    cryptoService: CryptoService = defaultCryptoService
+  ) {
+    if (!clientId || !externalJwt) {
+      throw new ConfigurationError('external JWT exchange reequires client id and jwt');
+    }
+
+    this.oidcAuth = new AccessToken(
+      {
+        exchange: 'external',
+        clientId,
+        externalJwt,
+        oidcOrigin,
+        oidcTokenEndpoint,
+        oidcUserInfoEndpoint,
+      },
+      cryptoService
+    );
 
     this.externalJwt = externalJwt;
   }
 
-  async updateClientPublicKey(signingKey: CryptoKeyPair): Promise<void> {
+  async updateClientPublicKey(signingKey: KeyPair): Promise<void> {
     this.oidcAuth.refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey);
   }
 

package/src/auth/oidc-refreshtoken-provider.ts

@@ -1,6 +1,8 @@
 import { ConfigurationError } from '../errors.js';
 import { type AuthProvider, type HttpRequest } from './auth.js';
 import { AccessToken, type RefreshTokenCredentials } from './oidc.js';
+import * as defaultCryptoService from '../../tdf3/src/crypto/index.js';
+import { type CryptoService, type KeyPair } from '../../tdf3/src/crypto/declarations.js';
 
 /**
  * An AuthProvider that uses an OIDC refresh token to obtain an access token.
@@ -20,29 +22,35 @@ export class OIDCRefreshTokenProvider implements AuthProvider {
   oidcAuth: AccessToken;
   refreshToken?: string;
 
-  constructor({
-    clientId,
-    refreshToken,
-    oidcOrigin,
-    oidcTokenEndpoint,
-    oidcUserInfoEndpoint,
-  }: Partial<RefreshTokenCredentials> & Omit<RefreshTokenCredentials, 'exchange'>) {
-    if (!clientId || !refreshToken) {
-      throw new ConfigurationError('refresh token or client id missing');
-    }
-
-    this.oidcAuth = new AccessToken({
-      exchange: 'refresh',
+  constructor(
+    {
       clientId,
       refreshToken,
       oidcOrigin,
       oidcTokenEndpoint,
       oidcUserInfoEndpoint,
-    });
+    }: Partial<RefreshTokenCredentials> & Omit<RefreshTokenCredentials, 'exchange'>,
+    cryptoService: CryptoService = defaultCryptoService
+  ) {
+    if (!clientId || !refreshToken) {
+      throw new ConfigurationError('refresh token or client id missing');
+    }
+
+    this.oidcAuth = new AccessToken(
+      {
+        exchange: 'refresh',
+        clientId,
+        refreshToken,
+        oidcOrigin,
+        oidcTokenEndpoint,
+        oidcUserInfoEndpoint,
+      },
+      cryptoService
+    );
     this.refreshToken = refreshToken;
   }
 
-  async updateClientPublicKey(signingKey: CryptoKeyPair): Promise<void> {
+  async updateClientPublicKey(signingKey: KeyPair): Promise<void> {
     await this.oidcAuth.refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey);
   }