@opentdf/sdk 0.9.0-beta.92 → 0.9.0-beta.93

package/dist/cjs/tdf3/src/crypto/jwt.js

@@ -0,0 +1,183 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.base64urlEncode = base64urlEncode;
+exports.decodeProtectedHeader = decodeProtectedHeader;
+exports.signJwt = signJwt;
+exports.verifyJwt = verifyJwt;
+const index_js_1 = require("../../../src/encodings/index.js");
+const jose_1 = require("jose");
+const jwt_claims_set_js_1 = __importDefault(require("./jose/jwt-claims-set.js"));
+const validate_crit_js_1 = __importDefault(require("./jose/validate-crit.js"));
+/**
+ * Base64url encode data per RFC 4648 Section 5.
+ * Uses URL-safe alphabet (- and _ instead of + and /) with no padding.
+ * Exported for testing purposes.
+ */
+function base64urlEncode(data) {
+    if (typeof data === 'string') {
+        // Encode string to base64url
+        const bytes = new TextEncoder().encode(data);
+        return index_js_1.base64.encodeArrayBuffer(bytes.buffer, true); // urlSafe = true
+    }
+    else {
+        // Encode Uint8Array to base64url
+        const buffer = data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength);
+        return index_js_1.base64.encodeArrayBuffer(buffer, true); // urlSafe = true
+    }
+}
+/**
+ * Helper to convert base64url to standard base64 with padding.
+ */
+function base64urlToBase64(str) {
+    // Convert base64url to base64: replace - with +, _ with /
+    let b64 = str.replace(/-/g, '+').replace(/_/g, '/');
+    // Add padding if needed
+    const padding = (4 - (b64.length % 4)) % 4;
+    b64 += '='.repeat(padding);
+    return b64;
+}
+/**
+ * Base64url decode to Uint8Array per RFC 4648 Section 5.
+ */
+function base64urlDecodeBytes(str) {
+    const b64 = base64urlToBase64(str);
+    return new Uint8Array(index_js_1.base64.decodeArrayBuffer(b64));
+}
+/**
+ * Decode the protected header from a JWT without verifying the signature.
+ * Useful for inspecting the header to determine key type before verification.
+ *
+ * @param token - The JWT string
+ * @returns The decoded header
+ * @throws Error if the token is malformed or uses alg "none"
+ */
+function decodeProtectedHeader(token) {
+    return (0, jose_1.decodeProtectedHeader)(token);
+}
+/**
+ * Sign a JWT using CryptoService. Replaces jose SignJWT.
+ *
+ * Implementation:
+ * 1. Base64url encode header and payload as JSON
+ * 2. Create signing input: `${headerB64}.${payloadB64}`
+ * 3. Sign via cryptoService.sign() (asymmetric) or hmac() (HS256)
+ * 4. Return compact JWT: `${headerB64}.${payloadB64}.${signatureB64}`
+ *
+ * @param cryptoService - Crypto implementation to use
+ * @param payload - JWT payload (claims)
+ * @param key - PEM-encoded private key for asymmetric algorithms, or raw key bytes for HS256
+ * @param header - JWT header (must include alg)
+ * @param options - Optional signing options (e.g., crit header handling)
+ * @returns Compact JWT string
+ */
+async function signJwt(cryptoService, payload, key, header, options) {
+    (0, validate_crit_js_1.default)(jose_1.errors.JWSInvalid, new Map([['b64', true]]), options?.crit, header, header);
+    // Encode header and payload per RFC 7515
+    const headerB64 = base64urlEncode(JSON.stringify(header));
+    const payloadB64 = base64urlEncode(JSON.stringify(payload));
+    // Create signing input
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const signingInputBytes = new TextEncoder().encode(signingInput);
+    // Sign via CryptoService - route based on algorithm
+    let signature;
+    if (header.alg === 'HS256') {
+        if (key._brand !== 'SymmetricKey') {
+            throw new Error('HS256 requires a SymmetricKey');
+        }
+        signature = await cryptoService.hmac(signingInputBytes, key);
+    }
+    else {
+        if (key._brand !== 'PrivateKey') {
+            throw new Error(`${header.alg} requires a PrivateKey`);
+        }
+        signature = await cryptoService.sign(signingInputBytes, key, header.alg);
+    }
+    // Return compact JWT
+    return `${signingInput}.${base64urlEncode(signature)}`;
+}
+/**
+ * Verify a JWT and return its contents. Replaces jose jwtVerify.
+ *
+ * Implementation:
+ * 1. Split token into header.payload.signature
+ * 2. Decode header, validate algorithm against allowlist
+ * 3. Verify signature via cryptoService.verify() (asymmetric) or verifyHmac() (HS256)
+ * 4. Validate JWT claims (aud, iss, exp, nbf, etc.)
+ * 5. Return decoded header and payload
+ *
+ * @param cryptoService - Crypto implementation to use
+ * @param token - The JWT string to verify
+ * @param key - For asymmetric: PEM string or PublicKey (opaque). For HS256: Uint8Array or SymmetricKey (opaque).
+ * @param options - Verification options including algorithm allowlist and claim validations
+ * @throws Error if signature invalid, algorithm not in allowlist, claims invalid, or token malformed
+ * @returns Decoded header and payload
+ */
+async function verifyJwt(cryptoService, token, key, options) {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+        throw new jose_1.errors.JWTInvalid('Invalid Token or Protected Header formatting');
+    }
+    const [headerB64, payloadB64, signatureB64] = parts;
+    // Decode and validate header
+    const headerRaw = decodeProtectedHeader(token);
+    if (typeof headerRaw.alg !== 'string' || !headerRaw.alg) {
+        throw new jose_1.errors.JWTInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+    }
+    if (headerRaw.alg === 'none') {
+        throw new jose_1.errors.JWTInvalid('Invalid JWT: alg "none" not allowed');
+    }
+    // Validate algorithm is in allowlist if provided
+    if (options?.algorithms && !options.algorithms.includes(headerRaw.alg)) {
+        throw new jose_1.errors.JWTInvalid(`Invalid JWT: algorithm "${headerRaw.alg}" not in allowlist`);
+    }
+    const extensions = (0, validate_crit_js_1.default)(jose_1.errors.JWSInvalid, new Map([['b64', true]]), options?.crit, headerRaw, headerRaw);
+    // Now we know it's a valid algorithm
+    const header = headerRaw;
+    // Verify signature via CryptoService - route based on algorithm
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const signingInputBytes = new TextEncoder().encode(signingInput);
+    const signature = base64urlDecodeBytes(signatureB64);
+    let valid;
+    if (header.alg === 'HS256') {
+        // Symmetric verification - accept Uint8Array or SymmetricKey
+        if (typeof key === 'string') {
+            throw new Error('HS256 requires a Uint8Array or SymmetricKey, not a PEM string');
+        }
+        if ('_brand' in key && key._brand === 'PublicKey') {
+            throw new Error('HS256 requires a SymmetricKey, not a PublicKey');
+        }
+        // Convert Uint8Array to SymmetricKey if needed, otherwise assume it's already SymmetricKey
+        const symmetricKey = key instanceof Uint8Array
+            ? await cryptoService.importSymmetricKey(key)
+            : key;
+        valid = await cryptoService.verifyHmac(signingInputBytes, signature, symmetricKey);
+    }
+    else {
+        // Asymmetric verification - accept string (PEM) or PublicKey
+        if (key instanceof Uint8Array) {
+            throw new Error(`${header.alg} requires a PEM string or PublicKey, not Uint8Array`);
+        }
+        if (typeof key === 'object' && '_brand' in key && key._brand === 'SymmetricKey') {
+            throw new Error(`${header.alg} requires a PublicKey, not a SymmetricKey`);
+        }
+        // Convert PEM string to PublicKey if needed, otherwise assume it's already PublicKey
+        const publicKey = typeof key === 'string'
+            ? await cryptoService.importPublicKey(key, { usage: 'sign' })
+            : key;
+        valid = await cryptoService.verify(signingInputBytes, signature, publicKey, header.alg);
+    }
+    if (!valid) {
+        throw new jose_1.errors.JWTInvalid('Invalid JWT: signature verification failed');
+    }
+    if (extensions.has('b64') && header.b64 === false) {
+        throw new jose_1.errors.JWTInvalid('JWTs MUST NOT use unencoded payload');
+    }
+    // Decode payload and validate JWT claims
+    const payloadBytes = base64urlDecodeBytes(payloadB64);
+    const payload = (0, jwt_claims_set_js_1.default)(header, payloadBytes, options);
+    return { header, payload };
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiand0LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vLi4vdGRmMy9zcmMvY3J5cHRvL2p3dC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQThDQSwwQ0FVQztBQWdDRCxzREFFQztBQWtCRCwwQkFxQ0M7QUFtQkQsOEJBMkZDO0FBdlBELDhEQUF5RDtBQUN6RCwrQkFPYztBQUNkLGlGQUFvRDtBQUNwRCwrRUFBbUQ7QUF1Qm5EOzs7O0dBSUc7QUFDSCxTQUFnQixlQUFlLENBQUMsSUFBeUI7SUFDdkQsSUFBSSxPQUFPLElBQUksS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUM3Qiw2QkFBNkI7UUFDN0IsTUFBTSxLQUFLLEdBQUcsSUFBSSxXQUFXLEVBQUUsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDN0MsT0FBTyxpQkFBTSxDQUFDLGlCQUFpQixDQUFDLEtBQUssQ0FBQyxNQUFNLEVBQUUsSUFBSSxDQUFDLENBQUMsQ0FBQyxpQkFBaUI7SUFDeEUsQ0FBQztTQUFNLENBQUM7UUFDTixpQ0FBaUM7UUFDakMsTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxJQUFJLENBQUMsVUFBVSxHQUFHLElBQUksQ0FBQyxVQUFVLENBQUMsQ0FBQztRQUNyRixPQUFPLGlCQUFNLENBQUMsaUJBQWlCLENBQUMsTUFBTSxFQUFFLElBQUksQ0FBQyxDQUFDLENBQUMsaUJBQWlCO0lBQ2xFLENBQUM7QUFDSCxDQUFDO0FBRUQ7O0dBRUc7QUFDSCxTQUFTLGlCQUFpQixDQUFDLEdBQVc7SUFDcEMsMERBQTBEO0lBQzFELElBQUksR0FBRyxHQUFHLEdBQUcsQ0FBQyxPQUFPLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUFDLENBQUM7SUFFcEQsd0JBQXdCO0lBQ3hCLE1BQU0sT0FBTyxHQUFHLENBQUMsQ0FBQyxHQUFHLENBQUMsR0FBRyxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUMzQyxHQUFHLElBQUksR0FBRyxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUUzQixPQUFPLEdBQUcsQ0FBQztBQUNiLENBQUM7QUFFRDs7R0FFRztBQUNILFNBQVMsb0JBQW9CLENBQUMsR0FBVztJQUN2QyxNQUFNLEdBQUcsR0FBRyxpQkFBaUIsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUNuQyxPQUFPLElBQUksVUFBVSxDQUFDLGlCQUFNLENBQUMsaUJBQWlCLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztBQUN2RCxDQUFDO0FBRUQ7Ozs7Ozs7R0FPRztBQUNILFNBQWdCLHFCQUFxQixDQUFDLEtBQWE7SUFDakQsT0FBTyxJQUFBLDRCQUF5QixFQUFDLEtBQUssQ0FBYyxDQUFDO0FBQ3ZELENBQUM7QUFFRDs7Ozs7Ozs7Ozs7Ozs7O0dBZUc7QUFDSSxLQUFLLFVBQVUsT0FBTyxDQUMzQixhQUE0QixFQUM1QixPQUFtQixFQUNuQixHQUE4QixFQUM5QixNQUFpQixFQUNqQixPQUF3QjtJQUV4QixJQUFBLDBCQUFZLEVBQUMsYUFBVSxDQUFDLFVBQVUsRUFBRSxJQUFJLEdBQUcsQ0FBQyxDQUFDLENBQUMsS0FBSyxFQUFFLElBQUksQ0FBQyxDQUFDLENBQUMsRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLE1BQU0sRUFBRSxNQUFNLENBQUMsQ0FBQztJQUU3Rix5Q0FBeUM7SUFDekMsTUFBTSxTQUFTLEdBQUcsZUFBZSxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQztJQUMxRCxNQUFNLFVBQVUsR0FBRyxlQUFlLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDO0lBRTVELHVCQUF1QjtJQUN2QixNQUFNLFlBQVksR0FBRyxHQUFHLFNBQVMsSUFBSSxVQUFVLEVBQUUsQ0FBQztJQUNsRCxNQUFNLGlCQUFpQixHQUFHLElBQUksV0FBVyxFQUFFLENBQUMsTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFDO0lBRWpFLG9EQUFvRDtJQUNwRCxJQUFJLFNBQXFCLENBQUM7SUFDMUIsSUFBSSxNQUFNLENBQUMsR0FBRyxLQUFLLE9BQU8sRUFBRSxDQUFDO1FBQzNCLElBQUksR0FBRyxDQUFDLE1BQU0sS0FBSyxjQUFjLEVBQUUsQ0FBQztZQUNsQyxNQUFNLElBQUksS0FBSyxDQUFDLCtCQUErQixDQUFDLENBQUM7UUFDbkQsQ0FBQztRQUNELFNBQVMsR0FBRyxNQUFNLGFBQWEsQ0FBQyxJQUFJLENBQUMsaUJBQWlCLEVBQUUsR0FBRyxDQUFDLENBQUM7SUFDL0QsQ0FBQztTQUFNLENBQUM7UUFDTixJQUFJLEdBQUcsQ0FBQyxNQUFNLEtBQUssWUFBWSxFQUFFLENBQUM7WUFDaEMsTUFBTSxJQUFJLEtBQUssQ0FBQyxHQUFHLE1BQU0sQ0FBQyxHQUFHLHdCQUF3QixDQUFDLENBQUM7UUFDekQsQ0FBQztRQUNELFNBQVMsR0FBRyxNQUFNLGFBQWEsQ0FBQyxJQUFJLENBQ2xDLGlCQUFpQixFQUNqQixHQUFHLEVBQ0gsTUFBTSxDQUFDLEdBQWlDLENBQ3pDLENBQUM7SUFDSixDQUFDO0lBRUQscUJBQXFCO0lBQ3JCLE9BQU8sR0FBRyxZQUFZLElBQUksZUFBZSxDQUFDLFNBQVMsQ0FBQyxFQUFFLENBQUM7QUFDekQsQ0FBQztBQUVEOzs7Ozs7Ozs7Ozs7Ozs7O0dBZ0JHO0FBQ0ksS0FBSyxVQUFVLFNBQVMsQ0FDN0IsYUFBNEIsRUFDNUIsS0FBYSxFQUNiLEdBQW1ELEVBQ25ELE9BQTBCO0lBRTFCLE1BQU0sS0FBSyxHQUFHLEtBQUssQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDL0IsSUFBSSxLQUFLLENBQUMsTUFBTSxLQUFLLENBQUMsRUFBRSxDQUFDO1FBQ3ZCLE1BQU0sSUFBSSxhQUFVLENBQUMsVUFBVSxDQUFDLDhDQUE4QyxDQUFDLENBQUM7SUFDbEYsQ0FBQztJQUNELE1BQU0sQ0FBQyxTQUFTLEVBQUUsVUFBVSxFQUFFLFlBQVksQ0FBQyxHQUFHLEtBQUssQ0FBQztJQUVwRCw2QkFBNkI7SUFDN0IsTUFBTSxTQUFTLEdBQUcscUJBQXFCLENBQUMsS0FBSyxDQUFDLENBQUM7SUFDL0MsSUFBSSxPQUFPLFNBQVMsQ0FBQyxHQUFHLEtBQUssUUFBUSxJQUFJLENBQUMsU0FBUyxDQUFDLEdBQUcsRUFBRSxDQUFDO1FBQ3hELE1BQU0sSUFBSSxhQUFVLENBQUMsVUFBVSxDQUFDLDJEQUEyRCxDQUFDLENBQUM7SUFDL0YsQ0FBQztJQUNELElBQUssU0FBUyxDQUFDLEdBQWMsS0FBSyxNQUFNLEVBQUUsQ0FBQztRQUN6QyxNQUFNLElBQUksYUFBVSxDQUFDLFVBQVUsQ0FBQyxxQ0FBcUMsQ0FBQyxDQUFDO0lBQ3pFLENBQUM7SUFFRCxpREFBaUQ7SUFDakQsSUFBSSxPQUFPLEVBQUUsVUFBVSxJQUFJLENBQUMsT0FBTyxDQUFDLFVBQVUsQ0FBQyxRQUFRLENBQUMsU0FBUyxDQUFDLEdBQXVCLENBQUMsRUFBRSxDQUFDO1FBQzNGLE1BQU0sSUFBSSxhQUFVLENBQUMsVUFBVSxDQUFDLDJCQUEyQixTQUFTLENBQUMsR0FBRyxvQkFBb0IsQ0FBQyxDQUFDO0lBQ2hHLENBQUM7SUFFRCxNQUFNLFVBQVUsR0FBRyxJQUFBLDBCQUFZLEVBQzdCLGFBQVUsQ0FBQyxVQUFVLEVBQ3JCLElBQUksR0FBRyxDQUFDLENBQUMsQ0FBQyxLQUFLLEVBQUUsSUFBSSxDQUFDLENBQUMsQ0FBQyxFQUN4QixPQUFPLEVBQUUsSUFBSSxFQUNiLFNBQVMsRUFDVCxTQUFTLENBQ1YsQ0FBQztJQUVGLHFDQUFxQztJQUNyQyxNQUFNLE1BQU0sR0FBRyxTQUFzQixDQUFDO0lBRXRDLGdFQUFnRTtJQUNoRSxNQUFNLFlBQVksR0FBRyxHQUFHLFNBQVMsSUFBSSxVQUFVLEVBQUUsQ0FBQztJQUNsRCxNQUFNLGlCQUFpQixHQUFHLElBQUksV0FBVyxFQUFFLENBQUMsTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFDO0lBQ2pFLE1BQU0sU0FBUyxHQUFHLG9CQUFvQixDQUFDLFlBQVksQ0FBQyxDQUFDO0lBRXJELElBQUksS0FBYyxDQUFDO0lBQ25CLElBQUksTUFBTSxDQUFDLEdBQUcsS0FBSyxPQUFPLEVBQUUsQ0FBQztRQUMzQiw2REFBNkQ7UUFDN0QsSUFBSSxPQUFPLEdBQUcsS0FBSyxRQUFRLEVBQUUsQ0FBQztZQUM1QixNQUFNLElBQUksS0FBSyxDQUFDLCtEQUErRCxDQUFDLENBQUM7UUFDbkYsQ0FBQztRQUNELElBQUksUUFBUSxJQUFJLEdBQUcsSUFBSSxHQUFHLENBQUMsTUFBTSxLQUFLLFdBQVcsRUFBRSxDQUFDO1lBQ2xELE1BQU0sSUFBSSxLQUFLLENBQUMsZ0RBQWdELENBQUMsQ0FBQztRQUNwRSxDQUFDO1FBQ0QsMkZBQTJGO1FBQzNGLE1BQU0sWUFBWSxHQUNoQixHQUFHLFlBQVksVUFBVTtZQUN2QixDQUFDLENBQUMsTUFBTSxhQUFhLENBQUMsa0JBQWtCLENBQUMsR0FBRyxDQUFDO1lBQzdDLENBQUMsQ0FBRSxHQUFvQixDQUFDO1FBQzVCLEtBQUssR0FBRyxNQUFNLGFBQWEsQ0FBQyxVQUFVLENBQUMsaUJBQWlCLEVBQUUsU0FBUyxFQUFFLFlBQVksQ0FBQyxDQUFDO0lBQ3JGLENBQUM7U0FBTSxDQUFDO1FBQ04sNkRBQTZEO1FBQzdELElBQUksR0FBRyxZQUFZLFVBQVUsRUFBRSxDQUFDO1lBQzlCLE1BQU0sSUFBSSxLQUFLLENBQUMsR0FBRyxNQUFNLENBQUMsR0FBRyxxREFBcUQsQ0FBQyxDQUFDO1FBQ3RGLENBQUM7UUFDRCxJQUFJLE9BQU8sR0FBRyxLQUFLLFFBQVEsSUFBSSxRQUFRLElBQUksR0FBRyxJQUFJLEdBQUcsQ0FBQyxNQUFNLEtBQUssY0FBYyxFQUFFLENBQUM7WUFDaEYsTUFBTSxJQUFJLEtBQUssQ0FBQyxHQUFHLE1BQU0sQ0FBQyxHQUFHLDJDQUEyQyxDQUFDLENBQUM7UUFDNUUsQ0FBQztRQUNELHFGQUFxRjtRQUNyRixNQUFNLFNBQVMsR0FDYixPQUFPLEdBQUcsS0FBSyxRQUFRO1lBQ3JCLENBQUMsQ0FBQyxNQUFNLGFBQWEsQ0FBQyxlQUFlLENBQUMsR0FBRyxFQUFFLEVBQUUsS0FBSyxFQUFFLE1BQU0sRUFBRSxDQUFDO1lBQzdELENBQUMsQ0FBRSxHQUFpQixDQUFDO1FBQ3pCLEtBQUssR0FBRyxNQUFNLGFBQWEsQ0FBQyxNQUFNLENBQ2hDLGlCQUFpQixFQUNqQixTQUFTLEVBQ1QsU0FBUyxFQUNULE1BQU0sQ0FBQyxHQUFpQyxDQUN6QyxDQUFDO0lBQ0osQ0FBQztJQUVELElBQUksQ0FBQyxLQUFLLEVBQUUsQ0FBQztRQUNYLE1BQU0sSUFBSSxhQUFVLENBQUMsVUFBVSxDQUFDLDRDQUE0QyxDQUFDLENBQUM7SUFDaEYsQ0FBQztJQUVELElBQUksVUFBVSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsSUFBSyxNQUE0QixDQUFDLEdBQUcsS0FBSyxLQUFLLEVBQUUsQ0FBQztRQUN6RSxNQUFNLElBQUksYUFBVSxDQUFDLFVBQVUsQ0FBQyxxQ0FBcUMsQ0FBQyxDQUFDO0lBQ3pFLENBQUM7SUFFRCx5Q0FBeUM7SUFDekMsTUFBTSxZQUFZLEdBQUcsb0JBQW9CLENBQUMsVUFBVSxDQUFDLENBQUM7SUFDdEQsTUFBTSxPQUFPLEdBQUcsSUFBQSwyQkFBWSxFQUFDLE1BQU0sRUFBRSxZQUFZLEVBQUUsT0FBTyxDQUFlLENBQUM7SUFFMUUsT0FBTyxFQUFFLE1BQU0sRUFBRSxPQUFPLEVBQUUsQ0FBQztBQUM3QixDQUFDIn0=

package/dist/cjs/tdf3/src/crypto/salt.js

@@ -1,12 +1,18 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ztdfSalt = void 0;
-const generateSalt = async () => {
+exports.getZtdfSalt = getZtdfSalt;
+let cachedSalt = null;
+/**
+ * Get the ZTDF salt (SHA-256 of "TDF").
+ * Lazily computed on first call and cached thereafter.
+ */
+async function getZtdfSalt(cryptoService) {
+    if (cachedSalt) {
+        return cachedSalt;
+    }
     const encoder = new TextEncoder();
     const data = encoder.encode('TDF');
-    // Generate hash
-    const hashBuffer = await crypto.subtle.digest('SHA-256', data);
-    return new Uint8Array(hashBuffer);
-};
-exports.ztdfSalt = generateSalt();
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2FsdC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL2NyeXB0by9zYWx0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLE1BQU0sWUFBWSxHQUFHLEtBQUssSUFBSSxFQUFFO0lBQzlCLE1BQU0sT0FBTyxHQUFHLElBQUksV0FBVyxFQUFFLENBQUM7SUFDbEMsTUFBTSxJQUFJLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUVuQyxnQkFBZ0I7SUFDaEIsTUFBTSxVQUFVLEdBQUcsTUFBTSxNQUFNLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLEVBQUUsSUFBSSxDQUFDLENBQUM7SUFFL0QsT0FBTyxJQUFJLFVBQVUsQ0FBQyxVQUFVLENBQUMsQ0FBQztBQUNwQyxDQUFDLENBQUM7QUFFVyxRQUFBLFFBQVEsR0FBRyxZQUFZLEVBQUUsQ0FBQyJ9
+    cachedSalt = await cryptoService.digest('SHA-256', data);
+    return cachedSalt;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2FsdC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL2NyeXB0by9zYWx0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBUUEsa0NBVUM7QUFoQkQsSUFBSSxVQUFVLEdBQXNCLElBQUksQ0FBQztBQUV6Qzs7O0dBR0c7QUFDSSxLQUFLLFVBQVUsV0FBVyxDQUFDLGFBQTRCO0lBQzVELElBQUksVUFBVSxFQUFFLENBQUM7UUFDZixPQUFPLFVBQVUsQ0FBQztJQUNwQixDQUFDO0lBRUQsTUFBTSxPQUFPLEdBQUcsSUFBSSxXQUFXLEVBQUUsQ0FBQztJQUNsQyxNQUFNLElBQUksR0FBRyxPQUFPLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxDQUFDO0lBRW5DLFVBQVUsR0FBRyxNQUFNLGFBQWEsQ0FBQyxNQUFNLENBQUMsU0FBUyxFQUFFLElBQUksQ0FBQyxDQUFDO0lBQ3pELE9BQU8sVUFBVSxDQUFDO0FBQ3BCLENBQUMifQ==

package/dist/cjs/tdf3/src/models/encryption-information.js

@@ -1,8 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SplitKey = void 0;
-const index_js_1 = require("../utils/index.js");
-const index_js_2 = require("../../../src/encodings/index.js");
+const index_js_1 = require("../../../src/encodings/index.js");
 const binary_js_1 = require("../binary.js");
 const errors_js_1 = require("../../../src/errors.js");
 class SplitKey {
@@ -13,26 +12,24 @@ class SplitKey {
     }
     async generateKey() {
         const unwrappedKey = await this.cipher.generateKey();
-        const unwrappedKeyBinary = binary_js_1.Binary.fromString(index_js_2.hex.decode(unwrappedKey));
         const unwrappedKeyIvBinary = await this.generateIvBinary();
-        return { unwrappedKeyBinary, unwrappedKeyIvBinary };
+        return { unwrappedKey, unwrappedKeyIvBinary };
     }
-    async encrypt(contentBinary, keyBinary, ivBinaryOptional) {
+    async encrypt(contentBinary, key, ivBinaryOptional) {
         const ivBinary = ivBinaryOptional || (await this.generateIvBinary());
-        return this.cipher.encrypt(contentBinary, keyBinary, ivBinary);
+        return this.cipher.encrypt(contentBinary, key, ivBinary);
     }
-    async decrypt(content, keyBinary) {
-        return this.cipher.decrypt(content, keyBinary);
+    async decrypt(content, key) {
+        return this.cipher.decrypt(content, key);
     }
     async getKeyAccessObjects(policy, keyInfo) {
         const splitIds = [...new Set(this.keyAccess.map(({ sid }) => sid))].sort((a = '', b = '') => a.localeCompare(b));
-        const unwrappedKeySplitBuffers = await (0, index_js_1.keySplit)(new Uint8Array(keyInfo.unwrappedKeyBinary.asByteArray()), splitIds.length, this.cryptoService);
-        const splitsByName = Object.fromEntries(splitIds.map((sid, index) => [sid, unwrappedKeySplitBuffers[index]]));
+        const unwrappedKeySplits = await this.cryptoService.splitSymmetricKey(keyInfo.unwrappedKey, splitIds.length);
+        const splitsByName = Object.fromEntries(splitIds.map((sid, index) => [sid, unwrappedKeySplits[index]]));
         const keyAccessObjects = [];
         for (const item of this.keyAccess) {
             // use the key split to encrypt metadata for each key access object
-            const unwrappedKeySplitBuffer = splitsByName[item.sid || ''];
-            const unwrappedKeySplitBinary = binary_js_1.Binary.fromArrayBuffer(unwrappedKeySplitBuffer.buffer);
+            const unwrappedKeySplit = splitsByName[item.sid || ''];
             const metadata = item.metadata || '';
             const metadataStr = (typeof metadata === 'object'
                 ? JSON.stringify(metadata)
@@ -42,20 +39,20 @@ class SplitKey {
                         throw new errors_js_1.ConfigurationError("KAO generation failure: metadata isn't a string or object");
                     });
             const metadataBinary = binary_js_1.Binary.fromArrayBuffer(new TextEncoder().encode(metadataStr));
-            const encryptedMetadataResult = await this.encrypt(metadataBinary, unwrappedKeySplitBinary, keyInfo.unwrappedKeyIvBinary);
+            const encryptedMetadataResult = await this.encrypt(metadataBinary, unwrappedKeySplit, keyInfo.unwrappedKeyIvBinary);
             const encryptedMetadataOb = {
-                ciphertext: index_js_2.base64.encode(encryptedMetadataResult.payload.asString()),
-                iv: index_js_2.base64.encode(keyInfo.unwrappedKeyIvBinary.asString()),
+                ciphertext: index_js_1.base64.encode(encryptedMetadataResult.payload.asString()),
+                iv: index_js_1.base64.encode(keyInfo.unwrappedKeyIvBinary.asString()),
             };
             const encryptedMetadataStr = JSON.stringify(encryptedMetadataOb);
-            const keyAccessObject = await item.write(policy, unwrappedKeySplitBuffer, encryptedMetadataStr);
+            const keyAccessObject = await item.write(policy, unwrappedKeySplit, encryptedMetadataStr);
             keyAccessObjects.push(keyAccessObject);
         }
         return keyAccessObjects;
     }
     async generateIvBinary() {
         const iv = await this.cipher.generateInitializationVector();
-        return binary_js_1.Binary.fromString(index_js_2.hex.decode(iv));
+        return binary_js_1.Binary.fromString(index_js_1.hex.decode(iv));
     }
     async write(policy, keyInfo) {
         const algorithm = this.cipher?.name;
@@ -65,14 +62,14 @@ class SplitKey {
         }
         const keyAccessObjects = await this.getKeyAccessObjects(policy, keyInfo);
         // For now we're only concerned with a single (first) key access object
-        const policyForManifest = index_js_2.base64.encode(JSON.stringify(policy));
+        const policyForManifest = index_js_1.base64.encode(JSON.stringify(policy));
         return {
             type: 'split',
             keyAccess: keyAccessObjects,
             method: {
                 algorithm,
                 isStreamable: false,
-                iv: index_js_2.base64.encode(keyInfo.unwrappedKeyIvBinary.asString()),
+                iv: index_js_1.base64.encode(keyInfo.unwrappedKeyIvBinary.asString()),
             },
             integrityInformation: {
                 rootSignature: {
@@ -87,4 +84,4 @@ class SplitKey {
     }
 }
 exports.SplitKey = SplitKey;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZW5jcnlwdGlvbi1pbmZvcm1hdGlvbi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL21vZGVscy9lbmNyeXB0aW9uLWluZm9ybWF0aW9uLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLGdEQUE2QztBQUM3Qyw4REFBOEQ7QUFDOUQsNENBQXNDO0FBVXRDLHNEQUE0RDtBQXNDNUQsTUFBYSxRQUFRO0lBSW5CLFlBQTRCLE1BQXVCO1FBQXZCLFdBQU0sR0FBTixNQUFNLENBQWlCO1FBQ2pELElBQUksQ0FBQyxhQUFhLEdBQUcsTUFBTSxDQUFDLGFBQWEsQ0FBQztRQUMxQyxJQUFJLENBQUMsU0FBUyxHQUFHLEVBQUUsQ0FBQztJQUN0QixDQUFDO0lBRUQsS0FBSyxDQUFDLFdBQVc7UUFDZixNQUFNLFlBQVksR0FBRyxNQUFNLElBQUksQ0FBQyxNQUFNLENBQUMsV0FBVyxFQUFFLENBQUM7UUFDckQsTUFBTSxrQkFBa0IsR0FBRyxrQkFBTSxDQUFDLFVBQVUsQ0FBQyxjQUFHLENBQUMsTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUM7UUFDdkUsTUFBTSxvQkFBb0IsR0FBRyxNQUFNLElBQUksQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDO1FBQzNELE9BQU8sRUFBRSxrQkFBa0IsRUFBRSxvQkFBb0IsRUFBRSxDQUFDO0lBQ3RELENBQUM7SUFFRCxLQUFLLENBQUMsT0FBTyxDQUNYLGFBQXFCLEVBQ3JCLFNBQWlCLEVBQ2pCLGdCQUF5QjtRQUV6QixNQUFNLFFBQVEsR0FBRyxnQkFBZ0IsSUFBSSxDQUFDLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixFQUFFLENBQUMsQ0FBQztRQUNyRSxPQUFPLElBQUksQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLGFBQWEsRUFBRSxTQUFTLEVBQUUsUUFBUSxDQUFDLENBQUM7SUFDakUsQ0FBQztJQUVELEtBQUssQ0FBQyxPQUFPLENBQUMsT0FBbUIsRUFBRSxTQUFpQjtRQUNsRCxPQUFPLElBQUksQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLE9BQU8sRUFBRSxTQUFTLENBQUMsQ0FBQztJQUNqRCxDQUFDO0lBRUQsS0FBSyxDQUFDLG1CQUFtQixDQUFDLE1BQWMsRUFBRSxPQUFnQjtRQUN4RCxNQUFNLFFBQVEsR0FBRyxDQUFDLEdBQUcsSUFBSSxHQUFHLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLEdBQUcsRUFBRSxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsRUFBRSxFQUFFLEVBQUUsQ0FDMUYsQ0FBQyxDQUFDLGFBQWEsQ0FBQyxDQUFDLENBQUMsQ0FDbkIsQ0FBQztRQUNGLE1BQU0sd0JBQXdCLEdBQUcsTUFBTSxJQUFBLG1CQUFRLEVBQzdDLElBQUksVUFBVSxDQUFDLE9BQU8sQ0FBQyxrQkFBa0IsQ0FBQyxXQUFXLEVBQUUsQ0FBQyxFQUN4RCxRQUFRLENBQUMsTUFBTSxFQUNmLElBQUksQ0FBQyxhQUFhLENBQ25CLENBQUM7UUFDRixNQUFNLFlBQVksR0FBRyxNQUFNLENBQUMsV0FBVyxDQUNyQyxRQUFRLENBQUMsR0FBRyxDQUFDLENBQUMsR0FBRyxFQUFFLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQyxHQUFHLEVBQUUsd0JBQXdCLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUNyRSxDQUFDO1FBRUYsTUFBTSxnQkFBZ0IsR0FBRyxFQUFFLENBQUM7UUFDNUIsS0FBSyxNQUFNLElBQUksSUFBSSxJQUFJLENBQUMsU0FBUyxFQUFFLENBQUM7WUFDbEMsbUVBQW1FO1lBQ25FLE1BQU0sdUJBQXVCLEdBQUcsWUFBWSxDQUFDLElBQUksQ0FBQyxHQUFHLElBQUksRUFBRSxDQUFDLENBQUM7WUFDN0QsTUFBTSx1QkFBdUIsR0FBRyxrQkFBTSxDQUFDLGVBQWUsQ0FBQyx1QkFBdUIsQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUV2RixNQUFNLFFBQVEsR0FBRyxJQUFJLENBQUMsUUFBUSxJQUFJLEVBQUUsQ0FBQztZQUNyQyxNQUFNLFdBQVcsR0FBRyxDQUNsQixPQUFPLFFBQVEsS0FBSyxRQUFRO2dCQUMxQixDQUFDLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxRQUFRLENBQUM7Z0JBQzFCLENBQUMsQ0FBQyxPQUFPLFFBQVEsS0FBSyxRQUFRO29CQUM1QixDQUFDLENBQUMsUUFBUTtvQkFDVixDQUFDLENBQUMsR0FBRyxFQUFFO3dCQUNILE1BQU0sSUFBSSw4QkFBa0IsQ0FDMUIsMkRBQTJELENBQzVELENBQUM7b0JBQ0osQ0FBQyxDQUNFLENBQUM7WUFFWixNQUFNLGNBQWMsR0FBRyxrQkFBTSxDQUFDLGVBQWUsQ0FBQyxJQUFJLFdBQVcsRUFBRSxDQUFDLE1BQU0sQ0FBQyxXQUFXLENBQUMsQ0FBQyxDQUFDO1lBRXJGLE1BQU0sdUJBQXVCLEdBQUcsTUFBTSxJQUFJLENBQUMsT0FBTyxDQUNoRCxjQUFjLEVBQ2QsdUJBQXVCLEVBQ3ZCLE9BQU8sQ0FBQyxvQkFBb0IsQ0FDN0IsQ0FBQztZQUVGLE1BQU0sbUJBQW1CLEdBQUc7Z0JBQzFCLFVBQVUsRUFBRSxpQkFBTSxDQUFDLE1BQU0sQ0FBQyx1QkFBdUIsQ0FBQyxPQUFPLENBQUMsUUFBUSxFQUFFLENBQUM7Z0JBQ3JFLEVBQUUsRUFBRSxpQkFBTSxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsb0JBQW9CLENBQUMsUUFBUSxFQUFFLENBQUM7YUFDM0QsQ0FBQztZQUVGLE1BQU0sb0JBQW9CLEdBQUcsSUFBSSxDQUFDLFNBQVMsQ0FBQyxtQkFBbUIsQ0FBQyxDQUFDO1lBQ2pFLE1BQU0sZUFBZSxHQUFHLE1BQU0sSUFBSSxDQUFDLEtBQUssQ0FDdEMsTUFBTSxFQUNOLHVCQUF1QixFQUN2QixvQkFBb0IsQ0FDckIsQ0FBQztZQUNGLGdCQUFnQixDQUFDLElBQUksQ0FBQyxlQUFlLENBQUMsQ0FBQztRQUN6QyxDQUFDO1FBRUQsT0FBTyxnQkFBZ0IsQ0FBQztJQUMxQixDQUFDO0lBRUQsS0FBSyxDQUFDLGdCQUFnQjtRQUNwQixNQUFNLEVBQUUsR0FBRyxNQUFNLElBQUksQ0FBQyxNQUFNLENBQUMsNEJBQTRCLEVBQUUsQ0FBQztRQUM1RCxPQUFPLGtCQUFNLENBQUMsVUFBVSxDQUFDLGNBQUcsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQztJQUMzQyxDQUFDO0lBRUQsS0FBSyxDQUFDLEtBQUssQ0FBQyxNQUFjLEVBQUUsT0FBZ0I7UUFDMUMsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLE1BQU0sRUFBRSxJQUFJLENBQUM7UUFDcEMsSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQ2YseUVBQXlFO1lBQ3pFLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQywyQkFBMkIsQ0FBQyxDQUFDO1FBQzVELENBQUM7UUFDRCxNQUFNLGdCQUFnQixHQUFHLE1BQU0sSUFBSSxDQUFDLG1CQUFtQixDQUFDLE1BQU0sRUFBRSxPQUFPLENBQUMsQ0FBQztRQUV6RSx1RUFBdUU7UUFDdkUsTUFBTSxpQkFBaUIsR0FBRyxpQkFBTSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUM7UUFFaEUsT0FBTztZQUNMLElBQUksRUFBRSxPQUFPO1lBQ2IsU0FBUyxFQUFFLGdCQUFnQjtZQUMzQixNQUFNLEVBQUU7Z0JBQ04sU0FBUztnQkFDVCxZQUFZLEVBQUUsS0FBSztnQkFDbkIsRUFBRSxFQUFFLGlCQUFNLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxvQkFBb0IsQ0FBQyxRQUFRLEVBQUUsQ0FBQzthQUMzRDtZQUNELG9CQUFvQixFQUFFO2dCQUNwQixhQUFhLEVBQUU7b0JBQ2IsR0FBRyxFQUFFLE9BQU87b0JBQ1osR0FBRyxFQUFFLEVBQUU7aUJBQ1I7Z0JBQ0QsY0FBYyxFQUFFLE1BQU07Z0JBQ3RCLFFBQVEsRUFBRSxFQUFFO2FBQ2I7WUFDRCxNQUFNLEVBQUUsaUJBQWlCO1NBQzFCLENBQUM7SUFDSixDQUFDO0NBQ0Y7QUF6SEQsNEJBeUhDIn0=
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZW5jcnlwdGlvbi1pbmZvcm1hdGlvbi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL21vZGVscy9lbmNyeXB0aW9uLWluZm9ybWF0aW9uLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLDhEQUE4RDtBQUM5RCw0Q0FBc0M7QUFXdEMsc0RBQTREO0FBc0M1RCxNQUFhLFFBQVE7SUFJbkIsWUFBNEIsTUFBdUI7UUFBdkIsV0FBTSxHQUFOLE1BQU0sQ0FBaUI7UUFDakQsSUFBSSxDQUFDLGFBQWEsR0FBRyxNQUFNLENBQUMsYUFBYSxDQUFDO1FBQzFDLElBQUksQ0FBQyxTQUFTLEdBQUcsRUFBRSxDQUFDO0lBQ3RCLENBQUM7SUFFRCxLQUFLLENBQUMsV0FBVztRQUNmLE1BQU0sWUFBWSxHQUFHLE1BQU0sSUFBSSxDQUFDLE1BQU0sQ0FBQyxXQUFXLEVBQUUsQ0FBQztRQUNyRCxNQUFNLG9CQUFvQixHQUFHLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixFQUFFLENBQUM7UUFDM0QsT0FBTyxFQUFFLFlBQVksRUFBRSxvQkFBb0IsRUFBRSxDQUFDO0lBQ2hELENBQUM7SUFFRCxLQUFLLENBQUMsT0FBTyxDQUNYLGFBQXFCLEVBQ3JCLEdBQWlCLEVBQ2pCLGdCQUF5QjtRQUV6QixNQUFNLFFBQVEsR0FBRyxnQkFBZ0IsSUFBSSxDQUFDLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixFQUFFLENBQUMsQ0FBQztRQUNyRSxPQUFPLElBQUksQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLGFBQWEsRUFBRSxHQUFHLEVBQUUsUUFBUSxDQUFDLENBQUM7SUFDM0QsQ0FBQztJQUVELEtBQUssQ0FBQyxPQUFPLENBQUMsT0FBbUIsRUFBRSxHQUFpQjtRQUNsRCxPQUFPLElBQUksQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLE9BQU8sRUFBRSxHQUFHLENBQUMsQ0FBQztJQUMzQyxDQUFDO0lBRUQsS0FBSyxDQUFDLG1CQUFtQixDQUFDLE1BQWMsRUFBRSxPQUFnQjtRQUN4RCxNQUFNLFFBQVEsR0FBRyxDQUFDLEdBQUcsSUFBSSxHQUFHLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLEdBQUcsRUFBRSxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsRUFBRSxFQUFFLEVBQUUsQ0FDMUYsQ0FBQyxDQUFDLGFBQWEsQ0FBQyxDQUFDLENBQUMsQ0FDbkIsQ0FBQztRQUNGLE1BQU0sa0JBQWtCLEdBQUcsTUFBTSxJQUFJLENBQUMsYUFBYSxDQUFDLGlCQUFpQixDQUNuRSxPQUFPLENBQUMsWUFBWSxFQUNwQixRQUFRLENBQUMsTUFBTSxDQUNoQixDQUFDO1FBQ0YsTUFBTSxZQUFZLEdBQUcsTUFBTSxDQUFDLFdBQVcsQ0FDckMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDLEdBQUcsRUFBRSxLQUFLLEVBQUUsRUFBRSxDQUFDLENBQUMsR0FBRyxFQUFFLGtCQUFrQixDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FDL0QsQ0FBQztRQUVGLE1BQU0sZ0JBQWdCLEdBQUcsRUFBRSxDQUFDO1FBQzVCLEtBQUssTUFBTSxJQUFJLElBQUksSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQ2xDLG1FQUFtRTtZQUNuRSxNQUFNLGlCQUFpQixHQUFHLFlBQVksQ0FBQyxJQUFJLENBQUMsR0FBRyxJQUFJLEVBQUUsQ0FBQyxDQUFDO1lBRXZELE1BQU0sUUFBUSxHQUFHLElBQUksQ0FBQyxRQUFRLElBQUksRUFBRSxDQUFDO1lBQ3JDLE1BQU0sV0FBVyxHQUFHLENBQ2xCLE9BQU8sUUFBUSxLQUFLLFFBQVE7Z0JBQzFCLENBQUMsQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLFFBQVEsQ0FBQztnQkFDMUIsQ0FBQyxDQUFDLE9BQU8sUUFBUSxLQUFLLFFBQVE7b0JBQzVCLENBQUMsQ0FBQyxRQUFRO29CQUNWLENBQUMsQ0FBQyxHQUFHLEVBQUU7d0JBQ0gsTUFBTSxJQUFJLDhCQUFrQixDQUMxQiwyREFBMkQsQ0FDNUQsQ0FBQztvQkFDSixDQUFDLENBQ0UsQ0FBQztZQUVaLE1BQU0sY0FBYyxHQUFHLGtCQUFNLENBQUMsZUFBZSxDQUFDLElBQUksV0FBVyxFQUFFLENBQUMsTUFBTSxDQUFDLFdBQVcsQ0FBQyxDQUFDLENBQUM7WUFFckYsTUFBTSx1QkFBdUIsR0FBRyxNQUFNLElBQUksQ0FBQyxPQUFPLENBQ2hELGNBQWMsRUFDZCxpQkFBaUIsRUFDakIsT0FBTyxDQUFDLG9CQUFvQixDQUM3QixDQUFDO1lBRUYsTUFBTSxtQkFBbUIsR0FBRztnQkFDMUIsVUFBVSxFQUFFLGlCQUFNLENBQUMsTUFBTSxDQUFDLHVCQUF1QixDQUFDLE9BQU8sQ0FBQyxRQUFRLEVBQUUsQ0FBQztnQkFDckUsRUFBRSxFQUFFLGlCQUFNLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxvQkFBb0IsQ0FBQyxRQUFRLEVBQUUsQ0FBQzthQUMzRCxDQUFDO1lBRUYsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLENBQUMsU0FBUyxDQUFDLG1CQUFtQixDQUFDLENBQUM7WUFDakUsTUFBTSxlQUFlLEdBQUcsTUFBTSxJQUFJLENBQUMsS0FBSyxDQUFDLE1BQU0sRUFBRSxpQkFBaUIsRUFBRSxvQkFBb0IsQ0FBQyxDQUFDO1lBQzFGLGdCQUFnQixDQUFDLElBQUksQ0FBQyxlQUFlLENBQUMsQ0FBQztRQUN6QyxDQUFDO1FBRUQsT0FBTyxnQkFBZ0IsQ0FBQztJQUMxQixDQUFDO0lBRUQsS0FBSyxDQUFDLGdCQUFnQjtRQUNwQixNQUFNLEVBQUUsR0FBRyxNQUFNLElBQUksQ0FBQyxNQUFNLENBQUMsNEJBQTRCLEVBQUUsQ0FBQztRQUM1RCxPQUFPLGtCQUFNLENBQUMsVUFBVSxDQUFDLGNBQUcsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQztJQUMzQyxDQUFDO0lBRUQsS0FBSyxDQUFDLEtBQUssQ0FBQyxNQUFjLEVBQUUsT0FBZ0I7UUFDMUMsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLE1BQU0sRUFBRSxJQUFJLENBQUM7UUFDcEMsSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQ2YseUVBQXlFO1lBQ3pFLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQywyQkFBMkIsQ0FBQyxDQUFDO1FBQzVELENBQUM7UUFDRCxNQUFNLGdCQUFnQixHQUFHLE1BQU0sSUFBSSxDQUFDLG1CQUFtQixDQUFDLE1BQU0sRUFBRSxPQUFPLENBQUMsQ0FBQztRQUV6RSx1RUFBdUU7UUFDdkUsTUFBTSxpQkFBaUIsR0FBRyxpQkFBTSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUM7UUFFaEUsT0FBTztZQUNMLElBQUksRUFBRSxPQUFPO1lBQ2IsU0FBUyxFQUFFLGdCQUFnQjtZQUMzQixNQUFNLEVBQUU7Z0JBQ04sU0FBUztnQkFDVCxZQUFZLEVBQUUsS0FBSztnQkFDbkIsRUFBRSxFQUFFLGlCQUFNLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxvQkFBb0IsQ0FBQyxRQUFRLEVBQUUsQ0FBQzthQUMzRDtZQUNELG9CQUFvQixFQUFFO2dCQUNwQixhQUFhLEVBQUU7b0JBQ2IsR0FBRyxFQUFFLE9BQU87b0JBQ1osR0FBRyxFQUFFLEVBQUU7aUJBQ1I7Z0JBQ0QsY0FBYyxFQUFFLE1BQU07Z0JBQ3RCLFFBQVEsRUFBRSxFQUFFO2FBQ2I7WUFDRCxNQUFNLEVBQUUsaUJBQWlCO1NBQzFCLENBQUM7SUFDSixDQUFDO0NBQ0Y7QUFsSEQsNEJBa0hDIn0=

package/dist/cjs/tdf3/src/models/key-access.js

@@ -1,78 +1,53 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Wrapped = exports.ECWrapped = exports.schemaVersion = void 0;
 const index_js_1 = require("../../../src/encodings/index.js");
-const generateRandomNumber_js_1 = require("../../../src/crypto/generateRandomNumber.js");
-const keyAgreement_js_1 = require("../../../src/crypto/keyAgreement.js");
-const pemPublicToCrypto_js_1 = require("../../../src/crypto/pemPublicToCrypto.js");
-const utils_js_1 = require("../../../src/utils.js");
 const binary_js_1 = require("../binary.js");
-const cryptoService = __importStar(require("../crypto/index.js"));
 const salt_js_1 = require("../crypto/salt.js");
+const index_js_2 = require("../ciphers/index.js");
 exports.schemaVersion = '1.0';
 class ECWrapped {
-    constructor(url, kid, publicKey, metadata, sid) {
+    constructor(url, kid, publicKey, metadata, cryptoService, sid) {
         this.url = url;
         this.kid = kid;
         this.publicKey = publicKey;
         this.metadata = metadata;
+        this.cryptoService = cryptoService;
         this.sid = sid;
         this.type = 'ec-wrapped';
-        this.ephemeralKeyPair = crypto.subtle.generateKey({
-            name: 'ECDH',
-            namedCurve: 'P-256',
-        }, false, ['deriveBits', 'deriveKey']);
+        // Generate EC key pair using CryptoService - returns opaque keys
+        this.ephemeralKeyPair = this.cryptoService.generateECKeyPair('P-256');
     }
     async write(policy, dek, encryptedMetadataStr) {
         const policyStr = JSON.stringify(policy);
-        const [ek, clientPublicKey] = await Promise.all([
-            this.ephemeralKeyPair,
-            (0, pemPublicToCrypto_js_1.pemPublicToCrypto)(this.publicKey),
-        ]);
-        const kek = await (0, keyAgreement_js_1.keyAgreement)(ek.privateKey, clientPublicKey, {
-            hkdfSalt: await salt_js_1.ztdfSalt,
-            hkdfHash: 'SHA-256',
+        const ek = await this.ephemeralKeyPair;
+        // Import KAS public key from PEM
+        const kasPublicKey = await this.cryptoService.importPublicKey(this.publicKey, {
+            usage: 'derive',
         });
-        const iv = (0, generateRandomNumber_js_1.generateRandomNumber)(12);
-        const cek = await crypto.subtle.encrypt({ name: 'AES-GCM', iv, tagLength: 128 }, kek, dek);
-        const entityWrappedKey = new Uint8Array(iv.length + cek.byteLength);
+        // Derive encryption key using ECDH + HKDF via CryptoService
+        const derivedKey = await this.cryptoService.deriveKeyFromECDH(ek.privateKey, kasPublicKey, {
+            hash: 'SHA-256',
+            salt: await (0, salt_js_1.getZtdfSalt)(this.cryptoService),
+        });
+        // Generate random IV
+        const iv = await this.cryptoService.randomBytes(12);
+        // Encrypt DEK using derived key with AES-GCM
+        // Payload is SymmetricKey (the DEK), key is SymmetricKey (derived from ECDH)
+        const encryptResult = await this.cryptoService.encrypt(dek, derivedKey, binary_js_1.Binary.fromArrayBuffer(iv.buffer), index_js_2.Algorithms.AES_256_GCM);
+        // Combine IV, ciphertext, and authTag to form the wrapped key.
+        const ciphertext = new Uint8Array(encryptResult.payload.asArrayBuffer());
+        const authTag = encryptResult.authTag
+            ? new Uint8Array(encryptResult.authTag.asArrayBuffer())
+            : new Uint8Array(0);
+        const entityWrappedKey = new Uint8Array(iv.length + ciphertext.length + authTag.length);
         entityWrappedKey.set(iv);
-        entityWrappedKey.set(new Uint8Array(cek), iv.length);
-        const policyBinding = await cryptoService.hmac(index_js_1.hex.encodeArrayBuffer(dek), index_js_1.base64.encode(policyStr));
-        const ephemeralPublicKeyPEM = await (0, utils_js_1.cryptoPublicToPem)(ek.publicKey);
+        entityWrappedKey.set(ciphertext, iv.length);
+        entityWrappedKey.set(authTag, iv.length + ciphertext.length);
+        const policyBinding = index_js_1.hex.encodeArrayBuffer((await this.cryptoService.hmac(new TextEncoder().encode(index_js_1.base64.encode(policyStr)), dek))
+            .buffer);
+        // Export ephemeral public key to PEM for manifest
+        const ephemeralPublicKeyPem = await this.cryptoService.exportPublicKeyPem(ek.publicKey);
         const kao = {
             type: 'ec-wrapped',
             url: this.url,
@@ -84,7 +59,7 @@ class ECWrapped {
                 hash: index_js_1.base64.encode(policyBinding),
             },
             schemaVersion: exports.schemaVersion,
-            ephemeralPublicKey: ephemeralPublicKeyPEM,
+            ephemeralPublicKey: ephemeralPublicKeyPem,
         };
         if (this.kid) {
             kao.kid = this.kid;
@@ -98,19 +73,24 @@ class ECWrapped {
 }
 exports.ECWrapped = ECWrapped;
 class Wrapped {
-    constructor(url, kid, publicKey, metadata, sid) {
+    constructor(url, kid, publicKey, metadata, cryptoService, sid) {
         this.url = url;
         this.kid = kid;
         this.publicKey = publicKey;
         this.metadata = metadata;
+        this.cryptoService = cryptoService;
         this.sid = sid;
         this.type = 'wrapped';
     }
-    async write(policy, keyBuffer, encryptedMetadataStr) {
+    async write(policy, key, encryptedMetadataStr) {
         const policyStr = JSON.stringify(policy);
-        const unwrappedKeyBinary = binary_js_1.Binary.fromArrayBuffer(keyBuffer.buffer);
-        const wrappedKeyBinary = await cryptoService.encryptWithPublicKey(unwrappedKeyBinary, this.publicKey);
-        const policyBinding = await cryptoService.hmac(index_js_1.hex.encodeArrayBuffer(keyBuffer), index_js_1.base64.encode(policyStr));
+        // Import KAS public key from PEM
+        const kasPublicKey = await this.cryptoService.importPublicKey(this.publicKey, {
+            usage: 'encrypt',
+        });
+        const wrappedKeyBinary = await this.cryptoService.encryptWithPublicKey(key, kasPublicKey);
+        const policyBinding = index_js_1.hex.encodeArrayBuffer((await this.cryptoService.hmac(new TextEncoder().encode(index_js_1.base64.encode(policyStr)), key))
+            .buffer);
         this.keyAccessObject = {
             type: 'wrapped',
             url: this.url,
@@ -133,4 +113,4 @@ class Wrapped {
     }
 }
 exports.Wrapped = Wrapped;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoia2V5LWFjY2Vzcy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL21vZGVscy9rZXktYWNjZXNzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLDhEQUE4RDtBQUM5RCx5RkFBbUY7QUFDbkYseUVBQW1FO0FBQ25FLG1GQUE2RTtBQUM3RSxvREFBMEQ7QUFDMUQsNENBQXNDO0FBQ3RDLGtFQUFvRDtBQUNwRCwrQ0FBNkM7QUFLaEMsUUFBQSxhQUFhLEdBQUcsS0FBSyxDQUFDO0FBRW5DLE1BQWEsU0FBUztJQUtwQixZQUNrQixHQUFXLEVBQ1gsR0FBdUIsRUFDdkIsU0FBaUIsRUFDakIsUUFBaUIsRUFDakIsR0FBWTtRQUpaLFFBQUcsR0FBSCxHQUFHLENBQVE7UUFDWCxRQUFHLEdBQUgsR0FBRyxDQUFvQjtRQUN2QixjQUFTLEdBQVQsU0FBUyxDQUFRO1FBQ2pCLGFBQVEsR0FBUixRQUFRLENBQVM7UUFDakIsUUFBRyxHQUFILEdBQUcsQ0FBUztRQVRyQixTQUFJLEdBQUcsWUFBWSxDQUFDO1FBVzNCLElBQUksQ0FBQyxnQkFBZ0IsR0FBRyxNQUFNLENBQUMsTUFBTSxDQUFDLFdBQVcsQ0FDL0M7WUFDRSxJQUFJLEVBQUUsTUFBTTtZQUNaLFVBQVUsRUFBRSxPQUFPO1NBQ3BCLEVBQ0QsS0FBSyxFQUNMLENBQUMsWUFBWSxFQUFFLFdBQVcsQ0FBQyxDQUM1QixDQUFDO0lBQ0osQ0FBQztJQUVELEtBQUssQ0FBQyxLQUFLLENBQ1QsTUFBYyxFQUNkLEdBQWUsRUFDZixvQkFBNEI7UUFFNUIsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLFNBQVMsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUN6QyxNQUFNLENBQUMsRUFBRSxFQUFFLGVBQWUsQ0FBQyxHQUFHLE1BQU0sT0FBTyxDQUFDLEdBQUcsQ0FBQztZQUM5QyxJQUFJLENBQUMsZ0JBQWdCO1lBQ3JCLElBQUEsd0NBQWlCLEVBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQztTQUNsQyxDQUFDLENBQUM7UUFDSCxNQUFNLEdBQUcsR0FBRyxNQUFNLElBQUEsOEJBQVksRUFBQyxFQUFFLENBQUMsVUFBVSxFQUFFLGVBQWUsRUFBRTtZQUM3RCxRQUFRLEVBQUUsTUFBTSxrQkFBUTtZQUN4QixRQUFRLEVBQUUsU0FBUztTQUNwQixDQUFDLENBQUM7UUFDSCxNQUFNLEVBQUUsR0FBRyxJQUFBLDhDQUFvQixFQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ3BDLE1BQU0sR0FBRyxHQUFHLE1BQU0sTUFBTSxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFLEVBQUUsRUFBRSxTQUFTLEVBQUUsR0FBRyxFQUFFLEVBQUUsR0FBRyxFQUFFLEdBQUcsQ0FBQyxDQUFDO1FBQzNGLE1BQU0sZ0JBQWdCLEdBQUcsSUFBSSxVQUFVLENBQUMsRUFBRSxDQUFDLE1BQU0sR0FBRyxHQUFHLENBQUMsVUFBVSxDQUFDLENBQUM7UUFDcEUsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ3pCLGdCQUFnQixDQUFDLEdBQUcsQ0FBQyxJQUFJLFVBQVUsQ0FBQyxHQUFHLENBQUMsRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLENBQUM7UUFFckQsTUFBTSxhQUFhLEdBQUcsTUFBTSxhQUFhLENBQUMsSUFBSSxDQUM1QyxjQUFHLENBQUMsaUJBQWlCLENBQUMsR0FBRyxDQUFDLEVBQzFCLGlCQUFNLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxDQUN6QixDQUFDO1FBRUYsTUFBTSxxQkFBcUIsR0FBRyxNQUFNLElBQUEsNEJBQWlCLEVBQUMsRUFBRSxDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBQ3BFLE1BQU0sR0FBRyxHQUFvQjtZQUMzQixJQUFJLEVBQUUsWUFBWTtZQUNsQixHQUFHLEVBQUUsSUFBSSxDQUFDLEdBQUc7WUFDYixRQUFRLEVBQUUsS0FBSztZQUNmLFVBQVUsRUFBRSxpQkFBTSxDQUFDLGlCQUFpQixDQUFDLGdCQUFnQixDQUFDO1lBQ3RELGlCQUFpQixFQUFFLGlCQUFNLENBQUMsTUFBTSxDQUFDLG9CQUFvQixDQUFDO1lBQ3RELGFBQWEsRUFBRTtnQkFDYixHQUFHLEVBQUUsT0FBTztnQkFDWixJQUFJLEVBQUUsaUJBQU0sQ0FBQyxNQUFNLENBQUMsYUFBYSxDQUFDO2FBQ25DO1lBQ0QsYUFBYSxFQUFiLHFCQUFhO1lBQ2Isa0JBQWtCLEVBQUUscUJBQXFCO1NBQzFDLENBQUM7UUFDRixJQUFJLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztZQUNiLEdBQUcsQ0FBQyxHQUFHLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQztRQUNyQixDQUFDO1FBQ0QsSUFBSSxJQUFJLENBQUMsR0FBRyxFQUFFLE1BQU0sRUFBRSxDQUFDO1lBQ3JCLEdBQUcsQ0FBQyxHQUFHLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQztRQUNyQixDQUFDO1FBQ0QsSUFBSSxDQUFDLGVBQWUsR0FBRyxHQUFHLENBQUM7UUFDM0IsT0FBTyxHQUFHLENBQUM7SUFDYixDQUFDO0NBQ0Y7QUF0RUQsOEJBc0VDO0FBRUQsTUFBYSxPQUFPO0lBSWxCLFlBQ2tCLEdBQVcsRUFDWCxHQUF1QixFQUN2QixTQUFpQixFQUNqQixRQUFpQixFQUNqQixHQUFZO1FBSlosUUFBRyxHQUFILEdBQUcsQ0FBUTtRQUNYLFFBQUcsR0FBSCxHQUFHLENBQW9CO1FBQ3ZCLGNBQVMsR0FBVCxTQUFTLENBQVE7UUFDakIsYUFBUSxHQUFSLFFBQVEsQ0FBUztRQUNqQixRQUFHLEdBQUgsR0FBRyxDQUFTO1FBUnJCLFNBQUksR0FBRyxTQUFTLENBQUM7SUFTdkIsQ0FBQztJQUVKLEtBQUssQ0FBQyxLQUFLLENBQ1QsTUFBYyxFQUNkLFNBQXFCLEVBQ3JCLG9CQUE0QjtRQUU1QixNQUFNLFNBQVMsR0FBRyxJQUFJLENBQUMsU0FBUyxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ3pDLE1BQU0sa0JBQWtCLEdBQUcsa0JBQU0sQ0FBQyxlQUFlLENBQUMsU0FBUyxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ3BFLE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSxhQUFhLENBQUMsb0JBQW9CLENBQy9ELGtCQUFrQixFQUNsQixJQUFJLENBQUMsU0FBUyxDQUNmLENBQUM7UUFFRixNQUFNLGFBQWEsR0FBRyxNQUFNLGFBQWEsQ0FBQyxJQUFJLENBQzVDLGNBQUcsQ0FBQyxpQkFBaUIsQ0FBQyxTQUFTLENBQUMsRUFDaEMsaUJBQU0sQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLENBQ3pCLENBQUM7UUFFRixJQUFJLENBQUMsZUFBZSxHQUFHO1lBQ3JCLElBQUksRUFBRSxTQUFTO1lBQ2YsR0FBRyxFQUFFLElBQUksQ0FBQyxHQUFHO1lBQ2IsUUFBUSxFQUFFLEtBQUs7WUFDZixVQUFVLEVBQUUsaUJBQU0sQ0FBQyxNQUFNLENBQUMsZ0JBQWdCLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDdEQsaUJBQWlCLEVBQUUsaUJBQU0sQ0FBQyxNQUFNLENBQUMsb0JBQW9CLENBQUM7WUFDdEQsYUFBYSxFQUFFO2dCQUNiLEdBQUcsRUFBRSxPQUFPO2dCQUNaLElBQUksRUFBRSxpQkFBTSxDQUFDLE1BQU0sQ0FBQyxhQUFhLENBQUM7YUFDbkM7WUFDRCxhQUFhLEVBQWIscUJBQWE7U0FDZCxDQUFDO1FBQ0YsSUFBSSxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7WUFDYixJQUFJLENBQUMsZUFBZSxDQUFDLEdBQUcsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDO1FBQ3RDLENBQUM7UUFDRCxJQUFJLElBQUksQ0FBQyxHQUFHLEVBQUUsTUFBTSxFQUFFLENBQUM7WUFDckIsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQztRQUN0QyxDQUFDO1FBRUQsT0FBTyxJQUFJLENBQUMsZUFBZSxDQUFDO0lBQzlCLENBQUM7Q0FDRjtBQWxERCwwQkFrREMifQ==
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoia2V5LWFjY2Vzcy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uL3RkZjMvc3JjL21vZGVscy9rZXktYWNjZXNzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLDhEQUE4RDtBQUM5RCw0Q0FBc0M7QUFFdEMsK0NBQWdEO0FBQ2hELGtEQUFpRDtBQUtwQyxRQUFBLGFBQWEsR0FBRyxLQUFLLENBQUM7QUFFbkMsTUFBYSxTQUFTO0lBS3BCLFlBQ2tCLEdBQVcsRUFDWCxHQUF1QixFQUN2QixTQUFpQixFQUNqQixRQUFpQixFQUNqQixhQUE0QixFQUM1QixHQUFZO1FBTFosUUFBRyxHQUFILEdBQUcsQ0FBUTtRQUNYLFFBQUcsR0FBSCxHQUFHLENBQW9CO1FBQ3ZCLGNBQVMsR0FBVCxTQUFTLENBQVE7UUFDakIsYUFBUSxHQUFSLFFBQVEsQ0FBUztRQUNqQixrQkFBYSxHQUFiLGFBQWEsQ0FBZTtRQUM1QixRQUFHLEdBQUgsR0FBRyxDQUFTO1FBVnJCLFNBQUksR0FBRyxZQUFZLENBQUM7UUFZM0IsaUVBQWlFO1FBQ2pFLElBQUksQ0FBQyxnQkFBZ0IsR0FBRyxJQUFJLENBQUMsYUFBYSxDQUFDLGlCQUFpQixDQUFDLE9BQU8sQ0FBQyxDQUFDO0lBQ3hFLENBQUM7SUFFRCxLQUFLLENBQUMsS0FBSyxDQUNULE1BQWMsRUFDZCxHQUFpQixFQUNqQixvQkFBNEI7UUFFNUIsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLFNBQVMsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUN6QyxNQUFNLEVBQUUsR0FBRyxNQUFNLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQztRQUV2QyxpQ0FBaUM7UUFDakMsTUFBTSxZQUFZLEdBQUcsTUFBTSxJQUFJLENBQUMsYUFBYSxDQUFDLGVBQWUsQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFO1lBQzVFLEtBQUssRUFBRSxRQUFRO1NBQ2hCLENBQUMsQ0FBQztRQUVILDREQUE0RDtRQUM1RCxNQUFNLFVBQVUsR0FBRyxNQUFNLElBQUksQ0FBQyxhQUFhLENBQUMsaUJBQWlCLENBQUMsRUFBRSxDQUFDLFVBQVUsRUFBRSxZQUFZLEVBQUU7WUFDekYsSUFBSSxFQUFFLFNBQVM7WUFDZixJQUFJLEVBQUUsTUFBTSxJQUFBLHFCQUFXLEVBQUMsSUFBSSxDQUFDLGFBQWEsQ0FBQztTQUM1QyxDQUFDLENBQUM7UUFFSCxxQkFBcUI7UUFDckIsTUFBTSxFQUFFLEdBQUcsTUFBTSxJQUFJLENBQUMsYUFBYSxDQUFDLFdBQVcsQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUVwRCw2Q0FBNkM7UUFDN0MsNkVBQTZFO1FBQzdFLE1BQU0sYUFBYSxHQUFHLE1BQU0sSUFBSSxDQUFDLGFBQWEsQ0FBQyxPQUFPLENBQ3BELEdBQUcsRUFDSCxVQUFVLEVBQ1Ysa0JBQU0sQ0FBQyxlQUFlLENBQUMsRUFBRSxDQUFDLE1BQU0sQ0FBQyxFQUNqQyxxQkFBVSxDQUFDLFdBQVcsQ0FDdkIsQ0FBQztRQUVGLCtEQUErRDtRQUMvRCxNQUFNLFVBQVUsR0FBRyxJQUFJLFVBQVUsQ0FBQyxhQUFhLENBQUMsT0FBTyxDQUFDLGFBQWEsRUFBRSxDQUFDLENBQUM7UUFDekUsTUFBTSxPQUFPLEdBQUcsYUFBYSxDQUFDLE9BQU87WUFDbkMsQ0FBQyxDQUFDLElBQUksVUFBVSxDQUFDLGFBQWEsQ0FBQyxPQUFPLENBQUMsYUFBYSxFQUFFLENBQUM7WUFDdkQsQ0FBQyxDQUFDLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ3RCLE1BQU0sZ0JBQWdCLEdBQUcsSUFBSSxVQUFVLENBQUMsRUFBRSxDQUFDLE1BQU0sR0FBRyxVQUFVLENBQUMsTUFBTSxHQUFHLE9BQU8sQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUN4RixnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLENBQUM7UUFDekIsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLFVBQVUsRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDNUMsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUMsTUFBTSxHQUFHLFVBQVUsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUU3RCxNQUFNLGFBQWEsR0FBRyxjQUFHLENBQUMsaUJBQWlCLENBQ3pDLENBQUMsTUFBTSxJQUFJLENBQUMsYUFBYSxDQUFDLElBQUksQ0FBQyxJQUFJLFdBQVcsRUFBRSxDQUFDLE1BQU0sQ0FBQyxpQkFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsQ0FBQyxFQUFFLEdBQUcsQ0FBQyxDQUFDO2FBQ3JGLE1BQU0sQ0FDVixDQUFDO1FBRUYsa0RBQWtEO1FBQ2xELE1BQU0scUJBQXFCLEdBQUcsTUFBTSxJQUFJLENBQUMsYUFBYSxDQUFDLGtCQUFrQixDQUFDLEVBQUUsQ0FBQyxTQUFTLENBQUMsQ0FBQztRQUV4RixNQUFNLEdBQUcsR0FBb0I7WUFDM0IsSUFBSSxFQUFFLFlBQVk7WUFDbEIsR0FBRyxFQUFFLElBQUksQ0FBQyxHQUFHO1lBQ2IsUUFBUSxFQUFFLEtBQUs7WUFDZixVQUFVLEVBQUUsaUJBQU0sQ0FBQyxpQkFBaUIsQ0FBQyxnQkFBZ0IsQ0FBQztZQUN0RCxpQkFBaUIsRUFBRSxpQkFBTSxDQUFDLE1BQU0sQ0FBQyxvQkFBb0IsQ0FBQztZQUN0RCxhQUFhLEVBQUU7Z0JBQ2IsR0FBRyxFQUFFLE9BQU87Z0JBQ1osSUFBSSxFQUFFLGlCQUFNLENBQUMsTUFBTSxDQUFDLGFBQWEsQ0FBQzthQUNuQztZQUNELGFBQWEsRUFBYixxQkFBYTtZQUNiLGtCQUFrQixFQUFFLHFCQUFxQjtTQUMxQyxDQUFDO1FBQ0YsSUFBSSxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7WUFDYixHQUFHLENBQUMsR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUM7UUFDckIsQ0FBQztRQUNELElBQUksSUFBSSxDQUFDLEdBQUcsRUFBRSxNQUFNLEVBQUUsQ0FBQztZQUNyQixHQUFHLENBQUMsR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUM7UUFDckIsQ0FBQztRQUNELElBQUksQ0FBQyxlQUFlLEdBQUcsR0FBRyxDQUFDO1FBQzNCLE9BQU8sR0FBRyxDQUFDO0lBQ2IsQ0FBQztDQUNGO0FBeEZELDhCQXdGQztBQUVELE1BQWEsT0FBTztJQUlsQixZQUNrQixHQUFXLEVBQ1gsR0FBdUIsRUFDdkIsU0FBaUIsRUFDakIsUUFBaUIsRUFDakIsYUFBNEIsRUFDNUIsR0FBWTtRQUxaLFFBQUcsR0FBSCxHQUFHLENBQVE7UUFDWCxRQUFHLEdBQUgsR0FBRyxDQUFvQjtRQUN2QixjQUFTLEdBQVQsU0FBUyxDQUFRO1FBQ2pCLGFBQVEsR0FBUixRQUFRLENBQVM7UUFDakIsa0JBQWEsR0FBYixhQUFhLENBQWU7UUFDNUIsUUFBRyxHQUFILEdBQUcsQ0FBUztRQVRyQixTQUFJLEdBQUcsU0FBUyxDQUFDO0lBVXZCLENBQUM7SUFFSixLQUFLLENBQUMsS0FBSyxDQUNULE1BQWMsRUFDZCxHQUFpQixFQUNqQixvQkFBNEI7UUFFNUIsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLFNBQVMsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUN6QyxpQ0FBaUM7UUFDakMsTUFBTSxZQUFZLEdBQUcsTUFBTSxJQUFJLENBQUMsYUFBYSxDQUFDLGVBQWUsQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFO1lBQzVFLEtBQUssRUFBRSxTQUFTO1NBQ2pCLENBQUMsQ0FBQztRQUNILE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSxJQUFJLENBQUMsYUFBYSxDQUFDLG9CQUFvQixDQUFDLEdBQUcsRUFBRSxZQUFZLENBQUMsQ0FBQztRQUUxRixNQUFNLGFBQWEsR0FBRyxjQUFHLENBQUMsaUJBQWlCLENBQ3pDLENBQUMsTUFBTSxJQUFJLENBQUMsYUFBYSxDQUFDLElBQUksQ0FBQyxJQUFJLFdBQVcsRUFBRSxDQUFDLE1BQU0sQ0FBQyxpQkFBTSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsQ0FBQyxFQUFFLEdBQUcsQ0FBQyxDQUFDO2FBQ3JGLE1BQU0sQ0FDVixDQUFDO1FBRUYsSUFBSSxDQUFDLGVBQWUsR0FBRztZQUNyQixJQUFJLEVBQUUsU0FBUztZQUNmLEdBQUcsRUFBRSxJQUFJLENBQUMsR0FBRztZQUNiLFFBQVEsRUFBRSxLQUFLO1lBQ2YsVUFBVSxFQUFFLGlCQUFNLENBQUMsTUFBTSxDQUFDLGdCQUFnQixDQUFDLFFBQVEsRUFBRSxDQUFDO1lBQ3RELGlCQUFpQixFQUFFLGlCQUFNLENBQUMsTUFBTSxDQUFDLG9CQUFvQixDQUFDO1lBQ3RELGFBQWEsRUFBRTtnQkFDYixHQUFHLEVBQUUsT0FBTztnQkFDWixJQUFJLEVBQUUsaUJBQU0sQ0FBQyxNQUFNLENBQUMsYUFBYSxDQUFDO2FBQ25DO1lBQ0QsYUFBYSxFQUFiLHFCQUFhO1NBQ2QsQ0FBQztRQUNGLElBQUksSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO1lBQ2IsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQztRQUN0QyxDQUFDO1FBQ0QsSUFBSSxJQUFJLENBQUMsR0FBRyxFQUFFLE1BQU0sRUFBRSxDQUFDO1lBQ3JCLElBQUksQ0FBQyxlQUFlLENBQUMsR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUM7UUFDdEMsQ0FBQztRQUVELE9BQU8sSUFBSSxDQUFDLGVBQWUsQ0FBQztJQUM5QixDQUFDO0NBQ0Y7QUFuREQsMEJBbURDIn0=