npm - @peculiar/certificates-viewer - Versions diffs - 4.6.1 → 4.7.1-alpha.1 - Mend

@peculiar/certificates-viewer 4.6.1 → 4.7.1-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

package/dist/cjs/{certification_request-CxHe71zR.js → ssh_certificate-s3-rwdMT.js} RENAMED Viewed

@@ -5411,11 +5411,11 @@ exports.CRLNumber = __decorate$1([
 ], exports.CRLNumber);
 const id_ce_deltaCRLIndicator = `${id_ce}.27`;
-let BaseCRLNumber = class BaseCRLNumber extends exports.CRLNumber {
+exports.BaseCRLNumber = class BaseCRLNumber extends exports.CRLNumber {
 };
-BaseCRLNumber = __decorate$1([
+exports.BaseCRLNumber = __decorate$1([
     AsnType({ type: exports.AsnTypeTypes.Choice })
-], BaseCRLNumber);
+], exports.BaseCRLNumber);
 var CRLDistributionPoints_1;
 const id_ce_cRLDistributionPoints = `${id_ce}.31`;
@@ -5613,17 +5613,17 @@ exports.ExtendedKeyUsage = ExtendedKeyUsage_1 = __decorate$1([
 ], exports.ExtendedKeyUsage);
 const id_ce_inhibitAnyPolicy = `${id_ce}.54`;
-let InhibitAnyPolicy = class InhibitAnyPolicy {
+exports.InhibitAnyPolicy = class InhibitAnyPolicy {
     constructor(value = new ArrayBuffer(0)) {
         this.value = value;
     }
 };
 __decorate$1([
     AsnProp({ type: exports.AsnPropTypes.Integer, converter: AsnIntegerArrayBufferConverter })
-], InhibitAnyPolicy.prototype, "value", void 0);
-InhibitAnyPolicy = __decorate$1([
+], exports.InhibitAnyPolicy.prototype, "value", void 0);
+exports.InhibitAnyPolicy = __decorate$1([
     AsnType({ type: exports.AsnTypeTypes.Choice })
-], InhibitAnyPolicy);
+], exports.InhibitAnyPolicy);
 const id_ce_invalidityDate = `${id_ce}.24`;
 exports.InvalidityDate = class InvalidityDate {
@@ -5643,15 +5643,15 @@ exports.InvalidityDate = __decorate$1([
 var IssueAlternativeName_1;
 const id_ce_issuerAltName = `${id_ce}.18`;
-let IssueAlternativeName = IssueAlternativeName_1 = class IssueAlternativeName extends GeneralNames {
+exports.IssueAlternativeName = IssueAlternativeName_1 = class IssueAlternativeName extends GeneralNames {
     constructor(items) {
         super(items);
         Object.setPrototypeOf(this, IssueAlternativeName_1.prototype);
     }
 };
-IssueAlternativeName = IssueAlternativeName_1 = __decorate$1([
+exports.IssueAlternativeName = IssueAlternativeName_1 = __decorate$1([
     AsnType({ type: exports.AsnTypeTypes.Sequence })
-], IssueAlternativeName);
+], exports.IssueAlternativeName);
 const id_ce_keyUsage = `${id_ce}.15`;
 var KeyUsageFlags;
@@ -6767,6 +6767,10 @@ const crlEntryExtensions = "CRL Entry Extensions";
 const previewCertificate = "Preview certificate";
 const viewDetails = "View details";
 const downloadOptions = "Download options";
+const keyId = "Key ID";
+const principals = "Principals";
+const criticalOptions = "Critical Options";
+const signingCA = "Signing CA";
 var en = {
 	basicInformation: basicInformation,
 	subjectName: subjectName,
@@ -6814,7 +6818,11 @@ var en = {
 	crlEntryExtensions: crlEntryExtensions,
 	previewCertificate: previewCertificate,
 	viewDetails: viewDetails,
-	downloadOptions: downloadOptions
+	downloadOptions: downloadOptions,
+	keyId: keyId,
+	principals: principals,
+	criticalOptions: criticalOptions,
+	signingCA: signingCA
 };
 /**
@@ -8089,6 +8097,7 @@ const OIDs = {
     '1.3.6.1.4.1.16334.509.2.3': 'Ngc Class3',
     '1.3.6.1.4.1.17326.10.8.12.1.2': 'Camerfirma EV policy',
     '1.3.6.1.4.1.17326.10.14.2.1.2': 'Camerfirma EV policy',
+    '1.3.6.1.4.1.22112.2.1': 'Private Key Possession Statement',
     '1.3.6.1.4.1.22234.2.5.2.3.1': 'Cert Plus EV policy',
     '1.3.6.1.4.1.23223.1.1.1': 'Start Com EV policy',
     '1.3.6.1.4.1.23629.1.4.2.1.1': 'Safenet Usage Limit',
@@ -8482,6 +8491,7 @@ const OIDs = {
     '1.3.132.0.37': 'Sect409r1',
     '1.3.132.0.38': 'Sect571k1',
     '1.3.132.0.39': 'Sect571r1',
+    '1.3.132.1.12': 'ECDH',
     '1.3.133.16.840.9.84': 'x984',
     '1.3.133.16.840.9.84.0': 'x984 Module',
     '1.3.133.16.840.9.84.0.1': 'x984 Biometrics',
@@ -9232,13 +9242,13 @@ const OIDs = {
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.
  */
-var __classPrivateFieldSet$1 = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+var __classPrivateFieldSet$2 = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
     if (kind === "m") throw new TypeError("Private method is not writable");
     if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
     return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
 };
-var __classPrivateFieldGet$1 = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+var __classPrivateFieldGet$2 = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
     if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
@@ -9248,15 +9258,15 @@ class Name {
     constructor(data) {
         _Name_asn.set(this, new exports.Name$1());
         if (buildExports.BufferSourceConverter.isBufferSource(data)) {
-            __classPrivateFieldSet$1(this, _Name_asn, AsnParser.parse(data, exports.Name$1), "f");
+            __classPrivateFieldSet$2(this, _Name_asn, AsnParser.parse(data, exports.Name$1), "f");
         }
         else {
-            __classPrivateFieldSet$1(this, _Name_asn, data, "f");
+            __classPrivateFieldSet$2(this, _Name_asn, data, "f");
         }
     }
     toJSON() {
         const res = [];
-        __classPrivateFieldGet$1(this, _Name_asn, "f").forEach((o) => (o.forEach((a) => {
+        __classPrivateFieldGet$2(this, _Name_asn, "f").forEach((o) => (o.forEach((a) => {
             res.push({
                 type: a.type,
                 name: OIDs[a.type],
@@ -9971,27 +9981,6 @@ class SignedCertificateTimestamp extends Structure {
     }
 }
-const id_certificateTransparency = "1.3.6.1.4.1.11129.2.4.2";
-class CertificateTransparency extends OctetString {
-    constructor() {
-        super(...arguments);
-        this.items = [];
-    }
-    fromASN(asn) {
-        super.fromASN(asn);
-        const stream = new ByteStream(this.buffer);
-        const len = stream.readNumber(2);
-        this.items = [];
-        while (stream.position < len) {
-            this.items.push(new SignedCertificateTimestamp(stream));
-        }
-        return this;
-    }
-    toJSON() {
-        return this.items.map((o) => o.toJSON());
-    }
-}
 var Version$1;
 (function (Version) {
     Version[Version["v1"] = 1] = "v1";
@@ -10241,8 +10230,6 @@ __decorate$1([
     AsnProp({ type: OtherLogotypeInfo, context: 3, repeated: "sequence", optional: true })
 ], LogotypeExtn.prototype, "otherLogos", void 0);
-const id_pe_logotype = "1.3.6.1.5.5.7.1.12";
 var JWTClaimNames_1, JWTClaimPermittedValuesList_1, TNAuthorizationList_1;
 const id_pkix = "1.3.6.1.5.5.7";
 const id_pe = `${id_pkix}.1`;
@@ -10820,13 +10807,13 @@ __decorate([
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.
  */
-var __classPrivateFieldSet = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+var __classPrivateFieldSet$1 = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
     if (kind === "m") throw new TypeError("Private method is not writable");
     if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
     return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
 };
-var __classPrivateFieldGet = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+var __classPrivateFieldGet$1 = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
     if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
@@ -10839,99 +10826,24 @@ class AsnData {
         _AsnData_raw.set(this, void 0);
         if (args.length === 1) {
             // asn
-            __classPrivateFieldSet(this, _AsnData_asn, args[0], "f");
-            __classPrivateFieldSet(this, _AsnData_raw, AsnConvert.serialize(__classPrivateFieldGet(this, _AsnData_asn, "f")), "f");
+            __classPrivateFieldSet$1(this, _AsnData_asn, args[0], "f");
+            __classPrivateFieldSet$1(this, _AsnData_raw, AsnConvert.serialize(__classPrivateFieldGet$1(this, _AsnData_asn, "f")), "f");
         }
         else {
             // raw, type
-            __classPrivateFieldSet(this, _AsnData_asn, AsnConvert.parse(args[0], args[1]), "f");
-            __classPrivateFieldSet(this, _AsnData_raw, buildExports.BufferSourceConverter.toArrayBuffer(args[0]), "f");
+            __classPrivateFieldSet$1(this, _AsnData_asn, AsnConvert.parse(args[0], args[1]), "f");
+            __classPrivateFieldSet$1(this, _AsnData_raw, buildExports.BufferSourceConverter.toArrayBuffer(args[0]), "f");
         }
     }
     get asn() {
-        return __classPrivateFieldGet(this, _AsnData_asn, "f");
+        return __classPrivateFieldGet$1(this, _AsnData_asn, "f");
     }
     get raw() {
-        return __classPrivateFieldGet(this, _AsnData_raw, "f");
+        return __classPrivateFieldGet$1(this, _AsnData_raw, "f");
     }
 }
 _AsnData_asn = new WeakMap(), _AsnData_raw = new WeakMap();
-/**
- * @license
- * Copyright (c) Peculiar Ventures, LLC.
- *
- * This source code is licensed under the MIT license found in the
- * LICENSE file in the root directory of this source tree.
- */
-const extensionParsers = {
-    [id_pe_authorityInfoAccess]: exports.AuthorityInfoAccessSyntax,
-    [id_ce_authorityKeyIdentifier]: AuthorityKeyIdentifier,
-    [id_ce_basicConstraints]: BasicConstraints,
-    [id_ce_certificateIssuer]: exports.CertificateIssuer,
-    [id_ce_certificatePolicies]: exports.CertificatePolicies,
-    [id_ce_cRLDistributionPoints]: exports.CRLDistributionPoints,
-    '2.5.29.46': exports.CRLDistributionPoints,
-    [id_ce_issuingDistributionPoint]: IssuingDistributionPoint,
-    [id_ce_cRLReasons]: exports.CRLReason,
-    [id_ce_extKeyUsage]: exports.ExtendedKeyUsage,
-    [id_ce_inhibitAnyPolicy]: InhibitAnyPolicy,
-    [id_ce_invalidityDate]: exports.InvalidityDate,
-    [id_ce_issuerAltName]: IssueAlternativeName,
-    [id_ce_keyUsage]: KeyUsage,
-    [id_ce_nameConstraints]: NameConstraints,
-    [id_ce_policyConstraints]: PolicyConstraints,
-    [id_ce_policyMappings]: exports.PolicyMappings,
-    [id_ce_subjectAltName]: exports.SubjectAlternativeName,
-    [id_ce_subjectDirectoryAttributes]: exports.SubjectDirectoryAttributes,
-    [id_ce_subjectKeyIdentifier]: SubjectKeyIdentifier,
-    [id_pe_qcStatements]: exports.QCStatements,
-    [id_certificateTemplate]: CertificateTemplate,
-    [id_enrollCertType]: exports.EnrollCertTypeChoice,
-    [id_netscapeComment]: exports.NetscapeComment,
-    [id_netscapeCertType]: NetscapeCertType,
-    [id_caVersion]: exports.CaVersion,
-    [id_certificateTransparency]: CertificateTransparency,
-    [id_lei]: exports.LeiChoice,
-    [id_role]: exports.LeiRole,
-    [id_adbe_timestamp]: Timestamp,
-    [id_adbe_archiveRevInfo]: ArchiveRevInfo,
-    [id_ce_privateKeyUsagePeriod]: PrivateKeyUsagePeriod,
-    [id_entrust_entrustVersInfo]: EntrustVersionInfo,
-    '2.16.724.1.2.2.4.1': exports.BiometricSyntax,
-    [id_pe_biometricInfo]: exports.BiometricSyntax,
-    [id_pe_logotype]: LogotypeExtn,
-    [id_pe_TNAuthList]: exports.TNAuthorizationList,
-    [id_pe_subjectInfoAccess]: exports.SubjectInfoAccessSyntax,
-    [id_ce_cRLNumber]: exports.CRLNumber,
-    [id_ce_deltaCRLIndicator]: BaseCRLNumber,
-    [id_ce_keyDescription]: NonStandardKeyDescription,
-    [id_cabforganizationIdentifier]: CabforganizationIdentifier,
-};
-class Extension extends AsnData {
-    getAsnExtnValue() {
-        return this.asn.extnValue.buffer;
-    }
-    constructor(raw) {
-        super(raw, Extension$1);
-        const asnExtnValue = this.getAsnExtnValue();
-        try {
-            const target = extensionParsers[this.asn.extnID];
-            if (target) {
-                this.value = AsnParser.parse(asnExtnValue, target);
-            }
-            else {
-                console.warn(`Didn't detect parser for "${this.asn.extnID}" extension.`);
-                this.value = buildExports.Convert.ToHex(asnExtnValue);
-            }
-        }
-        catch (error) {
-            console.error(`Error parse "${this.asn.extnID}" extension:`, error.message);
-            this.value = buildExports.Convert.ToHex(asnExtnValue);
-        }
-    }
-}
 /**
  * @license
  * Copyright (c) Peculiar Ventures, LLC.
@@ -12726,6 +12638,22 @@ SMIMECapabilities = SMIMECapabilities_1 = __decorate$1([
     AsnType({ type: exports.AsnTypeTypes.Sequence, itemType: SMIMECapability })
 ], SMIMECapabilities);
+const id_at_statementOfPossession = "1.3.6.1.4.1.22112.2.1";
+exports.PrivateKeyPossessionStatement = class PrivateKeyPossessionStatement {
+    constructor(params = {}) {
+        Object.assign(this, params);
+    }
+};
+__decorate$1([
+    AsnProp({ type: IssuerAndSerialNumber })
+], exports.PrivateKeyPossessionStatement.prototype, "signer", void 0);
+__decorate$1([
+    AsnProp({ type: Certificate, optional: true })
+], exports.PrivateKeyPossessionStatement.prototype, "cert", void 0);
+exports.PrivateKeyPossessionStatement = __decorate$1([
+    AsnType({ type: exports.AsnTypeTypes.Sequence })
+], exports.PrivateKeyPossessionStatement);
 var Attributes_1;
 let Attributes = Attributes_1 = class Attributes extends AsnArray {
     constructor(items) {
@@ -12777,6 +12705,1645 @@ __decorate$1([
     AsnProp({ type: exports.AsnPropTypes.BitString })
 ], CertificationRequest.prototype, "signature", void 0);
+let globalCrypto = globalThis.crypto;
+function getCrypto() {
+    return globalCrypto;
+}
+class SshError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.code = code;
+        this.name = this.constructor.name;
+        if (Error.captureStackTrace) {
+            Error.captureStackTrace(this, this.constructor);
+        }
+    }
+}
+class UnsupportedAlgorithmError extends SshError {
+    constructor(algorithm, supportedAlgorithms) {
+        const supported = supportedAlgorithms ? ` Supported: ${supportedAlgorithms.join(', ')}` : '';
+        super(`Unsupported algorithm: ${algorithm}.${supported}`, 'UNSUPPORTED_ALGORITHM');
+    }
+}
+class InvalidFormatError extends SshError {
+    constructor(format, expectedFormat) {
+        const expected = expectedFormat ? ` Expected: ${expectedFormat}` : '';
+        super(`Invalid format: ${format}.${expected}`, 'INVALID_FORMAT');
+    }
+}
+class UnsupportedKeyTypeError extends SshError {
+    constructor(keyType, supportedTypes) {
+        const supported = supportedTypes ? ` Supported: ${supportedTypes.join(', ')}` : '';
+        super(`Unsupported key type: ${keyType}.${supported}`, 'UNSUPPORTED_KEY_TYPE');
+    }
+}
+class InvalidPrivateKeyFormatError extends SshError {
+    constructor(details) {
+        const message = details
+            ? `Invalid SSH private key format: ${details}`
+            : 'Invalid SSH private key format';
+        super(message, 'INVALID_PRIVATE_KEY_FORMAT');
+    }
+}
+class EncryptedKeyNotSupportedError extends SshError {
+    constructor(cipher) {
+        const message = cipher
+            ? `Encrypted SSH private keys are not supported (cipher: ${cipher})`
+            : 'Encrypted SSH private keys are not supported';
+        super(message, 'ENCRYPTED_KEY_NOT_SUPPORTED');
+    }
+}
+class InvalidKeyDataError extends SshError {
+    constructor(details) {
+        const message = details ? `Invalid key data: ${details}` : 'Invalid key data';
+        super(message, 'INVALID_KEY_DATA');
+    }
+}
+class UnexpectedEOFError extends SshError {
+    constructor(expected, actual) {
+        const details = expected !== undefined && actual !== undefined
+            ? ` Expected ${expected} bytes, got ${actual}`
+            : '';
+        super(`Unexpected end of data${details}`, 'UNEXPECTED_EOF');
+    }
+}
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+class SshReader {
+    buffer;
+    offset;
+    constructor(data) {
+        this.buffer = data;
+        this.offset = 0;
+    }
+    readUint8() {
+        if (this.offset >= this.buffer.length) {
+            throw new UnexpectedEOFError(1, 0);
+        }
+        return this.buffer[this.offset++];
+    }
+    readUint32() {
+        const value = (this.readUint8() << 24) |
+            (this.readUint8() << 16) |
+            (this.readUint8() << 8) |
+            this.readUint8();
+        return value >>> 0;
+    }
+    readUint64() {
+        const high = this.readUint32();
+        const low = this.readUint32();
+        return (BigInt(high) << 32n) | BigInt(low);
+    }
+    readBytes(length) {
+        if (length < 0) {
+            throw new InvalidFormatError(`Invalid length: ${length}`);
+        }
+        if (this.offset + length > this.buffer.length) {
+            throw new UnexpectedEOFError(length, this.buffer.length - this.offset);
+        }
+        const result = this.buffer.subarray(this.offset, this.offset + length);
+        this.offset += length;
+        return result;
+    }
+    readString() {
+        const length = this.readUint32();
+        const bytes = this.readBytes(length);
+        return decoder.decode(bytes);
+    }
+    peekString(length) {
+        if (this.offset + length > this.buffer.length) {
+            throw new UnexpectedEOFError(length, this.buffer.length - this.offset);
+        }
+        const bytes = this.buffer.subarray(this.offset, this.offset + length);
+        return decoder.decode(bytes);
+    }
+    readMpInt(sshEncoding = false) {
+        const length = this.readUint32();
+        const bytes = this.readBytes(length);
+        if (sshEncoding && bytes.length > 1 && bytes[0] === 0x00) {
+            return bytes.subarray(1);
+        }
+        return bytes;
+    }
+    readMpIntSsh() {
+        return this.readMpInt(true);
+    }
+    remaining() {
+        return this.buffer.length - this.offset;
+    }
+    getOffset() {
+        return this.offset;
+    }
+    seek(offset) {
+        if (offset < 0 || offset > this.buffer.length) {
+            throw new InvalidFormatError(`Invalid offset: ${offset}. Buffer length: ${this.buffer.length}`);
+        }
+        this.offset = offset;
+    }
+}
+class SshWriter {
+    buffer;
+    offset;
+    constructor(initialSize = 1024) {
+        this.buffer = new Uint8Array(initialSize);
+        this.offset = 0;
+    }
+    ensureCapacity(additional) {
+        const required = this.offset + additional;
+        if (required > this.buffer.length) {
+            const newSize = Math.max(required, this.buffer.length * 2);
+            const newBuffer = new Uint8Array(newSize);
+            newBuffer.set(this.buffer.subarray(0, this.offset));
+            this.buffer = newBuffer;
+        }
+    }
+    reserve(minCapacity) {
+        if (minCapacity > this.buffer.length) {
+            const newBuffer = new Uint8Array(minCapacity);
+            newBuffer.set(this.buffer.subarray(0, this.offset));
+            this.buffer = newBuffer;
+        }
+    }
+    writeUint8(value) {
+        this.ensureCapacity(1);
+        this.buffer[this.offset++] = value & 0xff;
+    }
+    writeUint32(value) {
+        this.ensureCapacity(4);
+        this.buffer[this.offset++] = (value >>> 24) & 0xff;
+        this.buffer[this.offset++] = (value >>> 16) & 0xff;
+        this.buffer[this.offset++] = (value >>> 8) & 0xff;
+        this.buffer[this.offset++] = value & 0xff;
+    }
+    writeUint64(value) {
+        this.ensureCapacity(8);
+        const high = Number(value >> 32n);
+        const low = Number(value & 0xffffffffn);
+        this.writeUint32(high);
+        this.writeUint32(low);
+    }
+    writeBytes(data) {
+        this.ensureCapacity(data.length);
+        this.buffer.set(data, this.offset);
+        this.offset += data.length;
+    }
+    writeString(value) {
+        const bytes = encoder.encode(value);
+        this.writeUint32(bytes.length);
+        this.writeBytes(bytes);
+    }
+    writeMpInt(value, sshEncoding = false) {
+        if (sshEncoding && value.length > 0 && (value[0] & 0x80) !== 0) {
+            const paddedBytes = new Uint8Array(value.length + 1);
+            paddedBytes[0] = 0x00;
+            paddedBytes.set(value, 1);
+            this.writeUint32(paddedBytes.length);
+            this.writeBytes(paddedBytes);
+        }
+        else {
+            this.writeUint32(value.length);
+            this.writeBytes(value);
+        }
+    }
+    writeMpIntSsh(value) {
+        this.writeMpInt(value, true);
+    }
+    toUint8Array() {
+        return this.buffer.subarray(0, this.offset);
+    }
+    getOffset() {
+        return this.offset;
+    }
+    seek(offset) {
+        if (offset < 0 || offset > this.buffer.length) {
+            throw new InvalidFormatError('Invalid offset');
+        }
+        this.offset = offset;
+    }
+}
+class RsaBinding {
+    hash = 'SHA-256';
+    constructor(hash = 'SHA-256') {
+        this.hash = hash;
+    }
+    async importPublicSsh(params) {
+        const { blob, crypto } = params;
+        const reader = new SshReader(blob);
+        reader.readString();
+        const e = reader.readMpInt(true);
+        const n = reader.readMpInt(true);
+        const jwk = {
+            kty: 'RSA',
+            n: buildExports.Convert.ToBase64Url(n),
+            e: buildExports.Convert.ToBase64Url(e),
+        };
+        return crypto.subtle.importKey('jwk', jwk, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: this.hash,
+        }, true, ['verify']);
+    }
+    async exportPublicSsh(params) {
+        const { publicKey, crypto } = params;
+        const jwk = await crypto.subtle.exportKey('jwk', publicKey);
+        if (!jwk.n || !jwk.e) {
+            throw new InvalidKeyDataError('RSA JWK missing required parameters (n, e)');
+        }
+        const n = buildExports.BufferSourceConverter.toUint8Array(buildExports.Convert.FromBase64Url(jwk.n));
+        const e = buildExports.BufferSourceConverter.toUint8Array(buildExports.Convert.FromBase64Url(jwk.e));
+        const writer = new SshWriter();
+        writer.writeString('ssh-rsa');
+        writer.writeMpInt(e, true);
+        writer.writeMpInt(n, true);
+        return writer.toUint8Array();
+    }
+    async importPublicSpki(params) {
+        const { spki, crypto } = params;
+        return crypto.subtle.importKey('spki', spki, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: this.hash,
+        }, true, ['verify']);
+    }
+    async exportPublicSpki(params) {
+        const { publicKey, crypto } = params;
+        const spki = await crypto.subtle.exportKey('spki', publicKey);
+        return buildExports.BufferSourceConverter.toUint8Array(spki);
+    }
+    async importPrivatePkcs8(params) {
+        const { pkcs8, crypto } = params;
+        return crypto.subtle.importKey('pkcs8', pkcs8, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: this.hash,
+        }, true, ['sign']);
+    }
+    async exportPrivatePkcs8(params) {
+        const { privateKey, crypto } = params;
+        const pkcs8 = await crypto.subtle.exportKey('pkcs8', privateKey);
+        return buildExports.BufferSourceConverter.toUint8Array(pkcs8);
+    }
+    async importPrivateSsh(params) {
+        const { sshKey, crypto } = params;
+        const base64Data = sshKey
+            .replace(/-----BEGIN OPENSSH PRIVATE KEY-----/, '')
+            .replace(/-----END OPENSSH PRIVATE KEY-----/, '')
+            .replace(/\s/g, '');
+        const binaryData = buildExports.Convert.FromBase64(base64Data);
+        const reader = new SshReader(buildExports.BufferSourceConverter.toUint8Array(binaryData));
+        const magic = reader.readBytes(15);
+        if (buildExports.Convert.ToHex(magic) !== '6f70656e7373682d6b65792d763100') {
+            throw new InvalidPrivateKeyFormatError('invalid magic string');
+        }
+        const _cipherName = reader.readString();
+        reader.readString();
+        reader.readString();
+        if (_cipherName !== 'none') {
+            throw new EncryptedKeyNotSupportedError(_cipherName);
+        }
+        const numKeys = reader.readUint32();
+        if (numKeys !== 1) {
+            throw new InvalidPrivateKeyFormatError('multiple keys not supported');
+        }
+        const publicKeyLength = reader.readUint32();
+        reader.readBytes(publicKeyLength);
+        const privateKeyLength = reader.readUint32();
+        const privateKeyData = reader.readBytes(privateKeyLength);
+        const privateReader = new SshReader(privateKeyData);
+        const checkint1 = privateReader.readUint32();
+        const checkint2 = privateReader.readUint32();
+        if (checkint1 !== checkint2) {
+            throw new InvalidPrivateKeyFormatError('invalid checkints');
+        }
+        privateReader.readString();
+        const n = privateReader.readMpInt(true);
+        const e = privateReader.readMpInt(true);
+        const d = privateReader.readMpInt(true);
+        const iqmp = privateReader.readMpInt(true);
+        const p = privateReader.readMpInt(true);
+        const q = privateReader.readMpInt(true);
+        privateReader.readString();
+        const dBig = BigInt('0x' + buildExports.Convert.ToHex(d));
+        const pBig = BigInt('0x' + buildExports.Convert.ToHex(p));
+        const qBig = BigInt('0x' + buildExports.Convert.ToHex(q));
+        const dpBig = dBig % (pBig - 1n);
+        const dqBig = dBig % (qBig - 1n);
+        const dpBytes = buildExports.Convert.FromHex(dpBig.toString(16).padStart(p.length * 2, '0'));
+        const dqBytes = buildExports.Convert.FromHex(dqBig.toString(16).padStart(q.length * 2, '0'));
+        const jwk = {
+            kty: 'RSA',
+            n: buildExports.Convert.ToBase64Url(n),
+            e: buildExports.Convert.ToBase64Url(e),
+            d: buildExports.Convert.ToBase64Url(d),
+            p: buildExports.Convert.ToBase64Url(p),
+            q: buildExports.Convert.ToBase64Url(q),
+            dp: buildExports.Convert.ToBase64Url(dpBytes),
+            dq: buildExports.Convert.ToBase64Url(dqBytes),
+            qi: buildExports.Convert.ToBase64Url(iqmp),
+        };
+        return crypto.subtle.importKey('jwk', jwk, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: this.hash,
+        }, true, ['sign']);
+    }
+    async exportPrivateSsh(params) {
+        const { privateKey, crypto, jwk: providedJwk } = params;
+        const jwk = providedJwk || (await crypto.subtle.exportKey('jwk', privateKey));
+        if (!jwk.n || !jwk.e || !jwk.d || !jwk.p || !jwk.q) {
+            throw new InvalidKeyDataError('RSA JWK missing required parameters');
+        }
+        const n = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.n));
+        const e = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.e));
+        const d = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.d));
+        const p = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.p));
+        const q = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.q));
+        const qi = jwk.qi ? new Uint8Array(buildExports.Convert.FromBase64Url(jwk.qi)) : new Uint8Array();
+        const writer = new SshWriter();
+        writer.writeString('ssh-rsa');
+        writer.writeMpInt(n, true);
+        writer.writeMpInt(e, true);
+        writer.writeMpInt(d, true);
+        writer.writeMpInt(qi, true);
+        writer.writeMpInt(p, true);
+        writer.writeMpInt(q, true);
+        return writer.toUint8Array();
+    }
+    async sign(params) {
+        const { privateKey, data, crypto, hash } = params;
+        if (hash && hash !== this.hash) {
+            throw new InvalidKeyDataError(`Hash ${hash} not supported for this RSA algorithm`);
+        }
+        if (!privateKey.extractable) {
+            throw new InvalidKeyDataError('Private key is not extractable');
+        }
+        const pkcs8 = await this.exportPrivatePkcs8({ privateKey, crypto });
+        const keyToUse = await this.importPrivatePkcs8({ pkcs8: new Uint8Array(pkcs8), crypto });
+        const signature = await crypto.subtle.sign('RSASSA-PKCS1-v1_5', keyToUse, data);
+        return buildExports.BufferSourceConverter.toUint8Array(signature);
+    }
+    async verify(params) {
+        const { publicKey, signature, data, crypto, hash } = params;
+        if (hash && hash !== this.hash) {
+            return false;
+        }
+        if (!publicKey.extractable) {
+            throw new InvalidKeyDataError('Public key is not extractable');
+        }
+        const spki = await this.exportPublicSpki({ publicKey, crypto });
+        const keyToUse = await this.importPublicSpki({ spki: new Uint8Array(spki), crypto });
+        return crypto.subtle.verify('RSASSA-PKCS1-v1_5', keyToUse, signature, data);
+    }
+    encodeSignature(params) {
+        const { signature, algo } = params;
+        const writer = new SshWriter();
+        writer.writeString(algo);
+        writer.writeUint32(signature.byteLength);
+        writer.writeBytes(signature);
+        return writer.toUint8Array();
+    }
+    decodeSignature(params) {
+        const { signature } = params;
+        const reader = new SshReader(signature);
+        const algo = reader.readString();
+        const sigLength = reader.readUint32();
+        const sig = reader.readBytes(sigLength);
+        return { signature: sig, algo };
+    }
+    supportsCryptoKey(cryptoKey) {
+        return cryptoKey.algorithm.name === 'RSASSA-PKCS1-v1_5';
+    }
+    parsePublicKey(reader) {
+        const publicKeyExponent = reader.readBytes(reader.readUint32());
+        const publicKeyModulus = reader.readBytes(reader.readUint32());
+        const writer = new SshWriter();
+        writer.writeString('ssh-rsa');
+        writer.writeMpInt(publicKeyExponent);
+        writer.writeMpInt(publicKeyModulus);
+        return {
+            type: 'ssh-rsa',
+            keyData: writer.toUint8Array(),
+        };
+    }
+    writePublicKey(writer, publicKey) {
+        const publicKeyReader = new SshReader(publicKey.keyData);
+        publicKeyReader.readString();
+        const e = publicKeyReader.readMpInt();
+        const n = publicKeyReader.readMpInt();
+        writer.writeUint32(e.length);
+        writer.writeBytes(e);
+        writer.writeUint32(n.length);
+        writer.writeBytes(n);
+    }
+    getCertificateType() {
+        return 'ssh-rsa-cert-v01@openssh.com';
+    }
+    getSignatureAlgo() {
+        return this.hash === 'SHA-256' ? 'rsa-sha2-256' : 'rsa-sha2-512';
+    }
+}
+class EcdsaBinding {
+    curveName;
+    sshType;
+    namedCurve;
+    constructor(curveName, sshType, namedCurve) {
+        this.curveName = curveName;
+        this.sshType = sshType;
+        this.namedCurve = namedCurve;
+    }
+    getHashAlgorithm() {
+        switch (this.namedCurve) {
+            case 'P-256':
+                return 'SHA-256';
+            case 'P-384':
+                return 'SHA-384';
+            case 'P-521':
+                return 'SHA-512';
+            default:
+                return 'SHA-256';
+        }
+    }
+    getExpectedLength() {
+        switch (this.namedCurve) {
+            case 'P-256':
+                return 32;
+            case 'P-384':
+                return 48;
+            case 'P-521':
+                return 66;
+            default:
+                return 32;
+        }
+    }
+    getSignatureCoordLength() {
+        return this.getExpectedLength();
+    }
+    async importPublicSsh(params) {
+        const { blob, crypto } = params;
+        const reader = new SshReader(blob);
+        reader.readString();
+        const curve = reader.readString();
+        if (curve !== this.curveName) {
+            throw new InvalidKeyDataError(`ECDSA curve name ${curve}, expected ${this.curveName}`);
+        }
+        const q = reader.readMpInt();
+        const coordLength = Math.floor((q.length - 1) / 2);
+        const jwk = {
+            kty: 'EC',
+            crv: this.namedCurve,
+            x: buildExports.Convert.ToBase64Url(q.slice(1, 1 + coordLength)),
+            y: buildExports.Convert.ToBase64Url(q.slice(1 + coordLength)),
+        };
+        return crypto.subtle.importKey('jwk', jwk, {
+            name: 'ECDSA',
+            namedCurve: this.namedCurve,
+        }, true, ['verify']);
+    }
+    async exportPublicSsh(params) {
+        const { publicKey, crypto } = params;
+        const jwk = await crypto.subtle.exportKey('jwk', publicKey);
+        if (!jwk.x || !jwk.y) {
+            throw new InvalidKeyDataError('ECDSA JWK missing x or y parameters');
+        }
+        const x = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.x));
+        const y = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.y));
+        const q = new Uint8Array(1 + x.length + y.length);
+        q[0] = 0x04;
+        q.set(x, 1);
+        q.set(y, 1 + x.length);
+        const writer = new SshWriter();
+        writer.writeString(this.sshType);
+        writer.writeString(this.curveName);
+        writer.writeMpInt(q);
+        return writer.toUint8Array();
+    }
+    async importPublicSpki(params) {
+        const { spki, crypto } = params;
+        return crypto.subtle.importKey('spki', spki, {
+            name: 'ECDSA',
+            namedCurve: this.namedCurve,
+        }, true, ['verify']);
+    }
+    async exportPublicSpki(params) {
+        const { publicKey, crypto } = params;
+        const spki = await crypto.subtle.exportKey('spki', publicKey);
+        return buildExports.BufferSourceConverter.toUint8Array(spki);
+    }
+    async importPrivatePkcs8(params) {
+        const { pkcs8, crypto } = params;
+        return crypto.subtle.importKey('pkcs8', pkcs8, {
+            name: 'ECDSA',
+            namedCurve: this.namedCurve,
+        }, true, ['sign']);
+    }
+    async exportPrivatePkcs8(params) {
+        const { privateKey, crypto } = params;
+        const pkcs8 = await crypto.subtle.exportKey('pkcs8', privateKey);
+        return buildExports.BufferSourceConverter.toUint8Array(pkcs8);
+    }
+    async exportPrivateSsh(params) {
+        const { privateKey, crypto, jwk: providedJwk } = params;
+        const jwk = providedJwk || (await crypto.subtle.exportKey('jwk', privateKey));
+        if (!jwk.d || !jwk.x || !jwk.y) {
+            throw new InvalidKeyDataError('ECDSA private key JWK missing required parameters');
+        }
+        const x = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.x));
+        const y = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.y));
+        const d = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.d));
+        const publicPoint = new Uint8Array(1 + x.length + y.length);
+        publicPoint[0] = 0x04;
+        publicPoint.set(x, 1);
+        publicPoint.set(y, 1 + x.length);
+        const writer = new SshWriter();
+        writer.writeString(this.sshType);
+        writer.writeString(this.curveName);
+        writer.writeMpInt(publicPoint);
+        writer.writeMpInt(d);
+        return writer.toUint8Array();
+    }
+    async importPrivateSsh(params) {
+        const { sshKey, crypto } = params;
+        const base64Data = sshKey
+            .replace(/-----BEGIN OPENSSH PRIVATE KEY-----/, '')
+            .replace(/-----END OPENSSH PRIVATE KEY-----/, '')
+            .replace(/\s/g, '');
+        const binaryData = buildExports.Convert.FromBase64(base64Data);
+        const reader = new SshReader(buildExports.BufferSourceConverter.toUint8Array(binaryData));
+        const magic = reader.readBytes(15);
+        if (buildExports.Convert.ToHex(magic) !== '6f70656e7373682d6b65792d763100') {
+            throw new InvalidPrivateKeyFormatError('invalid magic string');
+        }
+        const _cipherName = reader.readString();
+        reader.readString();
+        reader.readString();
+        if (_cipherName !== 'none') {
+            throw new EncryptedKeyNotSupportedError(_cipherName);
+        }
+        const numKeys = reader.readUint32();
+        if (numKeys !== 1) {
+            throw new InvalidPrivateKeyFormatError('multiple keys not supported');
+        }
+        const publicKeyLength = reader.readUint32();
+        reader.readBytes(publicKeyLength);
+        const privateKeyLength = reader.readUint32();
+        const privateKeyData = reader.readBytes(privateKeyLength);
+        const privateReader = new SshReader(privateKeyData);
+        const checkint1 = privateReader.readUint32();
+        const checkint2 = privateReader.readUint32();
+        if (checkint1 !== checkint2) {
+            throw new InvalidPrivateKeyFormatError('invalid checkints');
+        }
+        privateReader.readString();
+        privateReader.readString();
+        const publicKeyPoint = privateReader.readMpInt();
+        const privateKeyValue = privateReader.readMpInt();
+        privateReader.readString();
+        if (publicKeyPoint[0] !== 0x04) {
+            throw new InvalidKeyDataError('invalid ECDSA public key point format');
+        }
+        const coordLength = Math.floor((publicKeyPoint.length - 1) / 2);
+        const x = publicKeyPoint.slice(1, 1 + coordLength);
+        const y = publicKeyPoint.slice(1 + coordLength);
+        const jwk = {
+            kty: 'EC',
+            crv: this.namedCurve,
+            x: buildExports.Convert.ToBase64Url(x),
+            y: buildExports.Convert.ToBase64Url(y),
+            d: buildExports.Convert.ToBase64Url(privateKeyValue),
+        };
+        return crypto.subtle.importKey('jwk', jwk, {
+            name: 'ECDSA',
+            namedCurve: this.namedCurve,
+        }, true, ['sign']);
+    }
+    async sign(params) {
+        const { privateKey, data, crypto, hash } = params;
+        const expectedHash = this.getHashAlgorithm();
+        if (hash && hash !== expectedHash) {
+            throw new InvalidKeyDataError(`ECDSA ${this.namedCurve} requires ${expectedHash}, got ${hash}`);
+        }
+        const signature = await crypto.subtle.sign({
+            name: 'ECDSA',
+            hash: expectedHash,
+        }, privateKey, data);
+        return buildExports.BufferSourceConverter.toUint8Array(signature);
+    }
+    async verify(params) {
+        const { publicKey, signature, data, crypto, hash } = params;
+        const expectedHash = this.getHashAlgorithm();
+        if (hash && hash !== expectedHash) {
+            throw new InvalidKeyDataError(`ECDSA ${this.namedCurve} requires ${expectedHash}, got ${hash}`);
+        }
+        return crypto.subtle.verify({
+            name: 'ECDSA',
+            hash: expectedHash,
+        }, publicKey, signature, data);
+    }
+    encodeSignature(params) {
+        const { signature, algo } = params;
+        if (algo.startsWith('ecdsa-sha2-')) {
+            const coordLength = this.getSignatureCoordLength();
+            const r = signature.subarray(0, coordLength);
+            const s = signature.subarray(coordLength);
+            const writer = new SshWriter();
+            writer.writeString(algo);
+            const sigWriter = new SshWriter();
+            sigWriter.writeMpInt(r, true);
+            sigWriter.writeMpInt(s, true);
+            const sigData = sigWriter.toUint8Array();
+            writer.writeUint32(sigData.length);
+            writer.writeBytes(sigData);
+            return writer.toUint8Array();
+        }
+        const writer = new SshWriter();
+        writer.writeString(algo);
+        writer.writeUint32(signature.byteLength);
+        writer.writeBytes(signature);
+        return writer.toUint8Array();
+    }
+    decodeSignature(params) {
+        const { signature } = params;
+        const reader = new SshReader(signature);
+        const algo = reader.readString();
+        const sigLength = reader.readUint32();
+        const sig = reader.readBytes(sigLength);
+        if (algo.startsWith('ecdsa-sha2-')) {
+            const sigReader = new SshReader(sig);
+            let r = sigReader.readMpInt();
+            let s = sigReader.readMpInt();
+            if (r[0] === 0x00 && r.length > 1 && (r[1] & 0x80) === 0) {
+                r = r.slice(1);
+            }
+            if (s[0] === 0x00 && s.length > 1 && (s[1] & 0x80) === 0) {
+                s = s.slice(1);
+            }
+            const expectedLength = this.getExpectedLength();
+            const rPadded = new Uint8Array(expectedLength);
+            const sPadded = new Uint8Array(expectedLength);
+            if (r.length <= expectedLength) {
+                rPadded.set(r, expectedLength - r.length);
+            }
+            else {
+                rPadded.set(r.slice(r.length - expectedLength), 0);
+            }
+            if (s.length <= expectedLength) {
+                sPadded.set(s, expectedLength - s.length);
+            }
+            else {
+                sPadded.set(s.slice(s.length - expectedLength), 0);
+            }
+            const rawSignature = new Uint8Array([...rPadded, ...sPadded]);
+            return { signature: rawSignature, algo };
+        }
+        return { signature: sig, algo };
+    }
+    supportsCryptoKey(cryptoKey) {
+        return (cryptoKey.algorithm.name === 'ECDSA' &&
+            cryptoKey.algorithm.namedCurve === this.namedCurve);
+    }
+    parsePublicKey(reader) {
+        const curveName = reader.readString();
+        if (curveName !== this.curveName) {
+            throw new InvalidKeyDataError(`ECDSA certificate curve name ${curveName}, expected ${this.curveName}`);
+        }
+        const publicKeyPoint = reader.readBytes(reader.readUint32());
+        const writer = new SshWriter();
+        writer.writeString(this.sshType);
+        writer.writeString(curveName);
+        writer.writeMpInt(publicKeyPoint);
+        return {
+            type: this.sshType,
+            keyData: writer.toUint8Array(),
+        };
+    }
+    writePublicKey(writer, publicKey) {
+        const publicKeyReader = new SshReader(publicKey.keyData);
+        publicKeyReader.readString();
+        const curveName = publicKeyReader.readString();
+        const publicPoint = publicKeyReader.readMpInt();
+        writer.writeString(curveName);
+        writer.writeUint32(publicPoint.length);
+        writer.writeBytes(publicPoint);
+    }
+    getCertificateType() {
+        return `${this.sshType}-cert-v01@openssh.com`;
+    }
+    getSignatureAlgo() {
+        return this.sshType;
+    }
+}
+const EcdsaP256Binding = new EcdsaBinding('nistp256', 'ecdsa-sha2-nistp256', 'P-256');
+const EcdsaP384Binding = new EcdsaBinding('nistp384', 'ecdsa-sha2-nistp384', 'P-384');
+const EcdsaP521Binding = new EcdsaBinding('nistp521', 'ecdsa-sha2-nistp521', 'P-521');
+class Ed25519Binding {
+    async importPublicSsh(params) {
+        const { blob, crypto } = params;
+        const reader = new SshReader(blob);
+        reader.readString();
+        const keyLength = reader.readUint32();
+        if (keyLength !== 32) {
+            throw new InvalidKeyDataError(`Ed25519 key length ${keyLength}, expected 32`);
+        }
+        const publicKeyBytes = reader.readBytes(keyLength);
+        return crypto.subtle.importKey('raw', publicKeyBytes, 'Ed25519', true, [
+            'verify',
+        ]);
+    }
+    async exportPublicSsh(params) {
+        const { publicKey, crypto } = params;
+        const jwk = await crypto.subtle.exportKey('jwk', publicKey);
+        if (!jwk.x) {
+            throw new InvalidKeyDataError('Ed25519 JWK missing x parameter');
+        }
+        const keyBytes = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.x));
+        const writer = new SshWriter();
+        writer.writeString('ssh-ed25519');
+        writer.writeUint32(keyBytes.length);
+        writer.writeBytes(keyBytes);
+        return writer.toUint8Array();
+    }
+    async importPublicSpki(params) {
+        const { spki, crypto } = params;
+        return crypto.subtle.importKey('spki', spki, 'Ed25519', true, ['verify']);
+    }
+    async exportPublicSpki(params) {
+        const { publicKey, crypto } = params;
+        const spki = await crypto.subtle.exportKey('spki', publicKey);
+        return buildExports.BufferSourceConverter.toUint8Array(spki);
+    }
+    async importPrivatePkcs8(params) {
+        const { pkcs8, crypto } = params;
+        return crypto.subtle.importKey('pkcs8', pkcs8, 'Ed25519', true, ['sign']);
+    }
+    async exportPrivatePkcs8(params) {
+        const { privateKey, crypto } = params;
+        const pkcs8 = await crypto.subtle.exportKey('pkcs8', privateKey);
+        return buildExports.BufferSourceConverter.toUint8Array(pkcs8);
+    }
+    async exportPrivateSsh(params) {
+        const { privateKey, crypto, jwk: providedJwk } = params;
+        const jwk = providedJwk || (await crypto.subtle.exportKey('jwk', privateKey));
+        if (!jwk.d || !jwk.x) {
+            throw new InvalidKeyDataError('Ed25519 private key JWK missing required parameters');
+        }
+        const privateBytes = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.d));
+        const publicBytes = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.x));
+        const writer = new SshWriter();
+        writer.writeString('ssh-ed25519');
+        writer.writeUint32(publicBytes.length);
+        writer.writeBytes(publicBytes);
+        const privKeyPart = new Uint8Array(64);
+        privKeyPart.set(privateBytes, 0);
+        privKeyPart.set(publicBytes, 32);
+        writer.writeUint32(privKeyPart.length);
+        writer.writeBytes(privKeyPart);
+        return writer.toUint8Array();
+    }
+    async importPrivateSsh(params) {
+        const { sshKey, crypto } = params;
+        const base64Data = sshKey
+            .replace(/-----BEGIN OPENSSH PRIVATE KEY-----/, '')
+            .replace(/-----END OPENSSH PRIVATE KEY-----/, '')
+            .replace(/\s/g, '');
+        const binaryData = buildExports.Convert.FromBase64(base64Data);
+        const reader = new SshReader(buildExports.BufferSourceConverter.toUint8Array(binaryData));
+        const magic = reader.readBytes(15);
+        if (buildExports.Convert.ToHex(magic) !== '6f70656e7373682d6b65792d763100') {
+            throw new InvalidPrivateKeyFormatError('invalid magic string');
+        }
+        const _cipherName = reader.readString();
+        reader.readString();
+        reader.readString();
+        if (_cipherName !== 'none') {
+            throw new EncryptedKeyNotSupportedError(_cipherName);
+        }
+        const numKeys = reader.readUint32();
+        if (numKeys !== 1) {
+            throw new InvalidPrivateKeyFormatError('multiple keys not supported');
+        }
+        const publicKeyLength = reader.readUint32();
+        reader.readBytes(publicKeyLength);
+        const privateKeyLength = reader.readUint32();
+        const privateKeyData = reader.readBytes(privateKeyLength);
+        const privateReader = new SshReader(privateKeyData);
+        const checkint1 = privateReader.readUint32();
+        const checkint2 = privateReader.readUint32();
+        if (checkint1 !== checkint2) {
+            throw new InvalidPrivateKeyFormatError('invalid checkints');
+        }
+        privateReader.readString();
+        const pubKeyLength = privateReader.readUint32();
+        const _publicKeyBytes = privateReader.readBytes(pubKeyLength);
+        const privKeyLength = privateReader.readUint32();
+        const privateKeyBytes = privateReader.readBytes(privKeyLength);
+        privateReader.readString();
+        const privateKey = privateKeyBytes.slice(0, 32);
+        const jwk = {
+            kty: 'OKP',
+            crv: 'Ed25519',
+            d: buildExports.Convert.ToBase64Url(privateKey),
+            x: buildExports.Convert.ToBase64Url(_publicKeyBytes),
+        };
+        return crypto.subtle.importKey('jwk', jwk, 'Ed25519', true, ['sign']);
+    }
+    async sign(params) {
+        const { privateKey, data, crypto } = params;
+        const signature = await crypto.subtle.sign('Ed25519', privateKey, data);
+        return buildExports.BufferSourceConverter.toUint8Array(signature);
+    }
+    async verify(params) {
+        const { publicKey, signature, data, crypto } = params;
+        return crypto.subtle.verify('Ed25519', publicKey, signature, data);
+    }
+    encodeSignature(params) {
+        const { signature, algo } = params;
+        const sigBytes = new Uint8Array(signature);
+        const writer = new SshWriter();
+        writer.writeString(algo);
+        writer.writeUint32(sigBytes.length);
+        writer.writeBytes(sigBytes);
+        return writer.toUint8Array();
+    }
+    decodeSignature(params) {
+        const { signature } = params;
+        const reader = new SshReader(signature);
+        const algo = reader.readString();
+        const sigLength = reader.readUint32();
+        const sigBytes = reader.readBytes(sigLength);
+        return {
+            signature: sigBytes,
+            algo,
+        };
+    }
+    supportsCryptoKey(cryptoKey) {
+        return cryptoKey.algorithm.name === 'Ed25519';
+    }
+    parsePublicKey(reader) {
+        const publicKeyData = reader.readBytes(reader.readUint32());
+        const writer = new SshWriter();
+        writer.writeString('ssh-ed25519');
+        writer.writeUint32(publicKeyData.length);
+        writer.writeBytes(publicKeyData);
+        return {
+            type: 'ssh-ed25519',
+            keyData: writer.toUint8Array(),
+        };
+    }
+    writePublicKey(writer, publicKey) {
+        const publicKeyReader = new SshReader(publicKey.keyData);
+        publicKeyReader.readString();
+        const keyLength = publicKeyReader.readUint32();
+        const rawKeyData = publicKeyReader.readBytes(keyLength);
+        writer.writeUint32(rawKeyData.length);
+        writer.writeBytes(rawKeyData);
+    }
+    getCertificateType() {
+        return 'ssh-ed25519-cert-v01@openssh.com';
+    }
+    getSignatureAlgo() {
+        return 'ssh-ed25519';
+    }
+}
+const registry = new Map();
+class AlgorithmRegistry {
+    static get(name) {
+        const binding = registry.get(name);
+        if (!binding) {
+            throw new UnsupportedKeyTypeError(name, Array.from(registry.keys()));
+        }
+        return binding;
+    }
+    static register(name, binding) {
+        registry.set(name, binding);
+    }
+    static getSshTypeFromCryptoKey(cryptoKey) {
+        for (const [sshType, binding] of registry.entries()) {
+            if (binding.supportsCryptoKey(cryptoKey)) {
+                return sshType;
+            }
+        }
+        throw new UnsupportedKeyTypeError(cryptoKey.algorithm.name, Array.from(registry.keys()));
+    }
+    static certTypeToKeyType(certType) {
+        const mapping = {
+            'ssh-rsa-cert-v01@openssh.com': 'ssh-rsa',
+            'ssh-ed25519-cert-v01@openssh.com': 'ssh-ed25519',
+            'ecdsa-sha2-nistp256-cert-v01@openssh.com': 'ecdsa-sha2-nistp256',
+            'ecdsa-sha2-nistp384-cert-v01@openssh.com': 'ecdsa-sha2-nistp384',
+            'ecdsa-sha2-nistp521-cert-v01@openssh.com': 'ecdsa-sha2-nistp521',
+        };
+        return mapping[certType];
+    }
+    static getSupportedCertTypes() {
+        return Object.keys({
+            'ssh-rsa-cert-v01@openssh.com': 'ssh-rsa',
+            'ssh-ed25519-cert-v01@openssh.com': 'ssh-ed25519',
+            'ecdsa-sha2-nistp256-cert-v01@openssh.com': 'ecdsa-sha2-nistp256',
+            'ecdsa-sha2-nistp384-cert-v01@openssh.com': 'ecdsa-sha2-nistp384',
+            'ecdsa-sha2-nistp521-cert-v01@openssh.com': 'ecdsa-sha2-nistp521',
+        });
+    }
+}
+AlgorithmRegistry.register('ssh-ed25519', new Ed25519Binding());
+AlgorithmRegistry.register('ssh-rsa', new RsaBinding('SHA-256'));
+AlgorithmRegistry.register('rsa-sha2-256', new RsaBinding('SHA-256'));
+AlgorithmRegistry.register('rsa-sha2-512', new RsaBinding('SHA-512'));
+AlgorithmRegistry.register('ecdsa-sha2-nistp256', EcdsaP256Binding);
+AlgorithmRegistry.register('ecdsa-sha2-nistp384', EcdsaP384Binding);
+AlgorithmRegistry.register('ecdsa-sha2-nistp521', EcdsaP521Binding);
+function parsePublicKey(input) {
+    const parts = typeof input === 'string' ? input.trim().split(/\s+/) : null;
+    if (!parts || parts.length < 2) {
+        throw new InvalidFormatError('Invalid SSH public key format');
+    }
+    const type = parts[0];
+    const blob = new Uint8Array(buildExports.Convert.FromBase64(parts[1]));
+    const comment = parts.length > 2 ? parts.slice(2).join(' ') : undefined;
+    const reader = new SshReader(blob);
+    const blobType = reader.readString();
+    if (blobType !== type) {
+        throw new InvalidFormatError('Key type mismatch');
+    }
+    return {
+        type,
+        keyData: blob,
+        comment,
+    };
+}
+function serializePublicKey(blob) {
+    const base64 = buildExports.Convert.ToBase64(blob.keyData);
+    const parts = [blob.type, base64];
+    if (blob.comment) {
+        parts.push(blob.comment);
+    }
+    return parts.join(' ');
+}
+function parse(input) {
+    if (typeof input === 'string') {
+        const parts = input.trim().split(/\s+/);
+        if (parts.length < 2) {
+            throw new InvalidFormatError('SSH certificate string', 'type base64 [comment]');
+        }
+        const type = parts[0];
+        const blob = new Uint8Array(buildExports.Convert.FromBase64(parts[1]));
+        const comment = parts.length > 2 ? parts.slice(2).join(' ') : undefined;
+        const reader = new SshReader(blob);
+        const blobType = reader.readString();
+        if (blobType !== type) {
+            throw new InvalidFormatError(`certificate blob type ${blobType}`, `expected ${type}`);
+        }
+        return {
+            type,
+            keyData: blob,
+            comment,
+        };
+    }
+    else {
+        const reader = new SshReader(input);
+        const type = reader.readString();
+        const keyData = input.slice(reader.getOffset());
+        return {
+            type,
+            keyData,
+        };
+    }
+}
+function parseCertificateData(keyData) {
+    const reader = new SshReader(keyData);
+    const certType = reader.readString();
+    const nonce = reader.readBytes(reader.readUint32());
+    const mappedKeyType = AlgorithmRegistry.certTypeToKeyType(certType);
+    if (!mappedKeyType) {
+        throw new UnsupportedAlgorithmError(certType, AlgorithmRegistry.getSupportedCertTypes());
+    }
+    const binding = AlgorithmRegistry.get(mappedKeyType);
+    const publicKey = binding.parsePublicKey(reader);
+    const keyType = mappedKeyType;
+    const serial = reader.readUint64();
+    const typeValue = reader.readUint32();
+    const type = typeValue === 1 ? 'user' : 'host';
+    const keyId = reader.readString();
+    const principalsLength = reader.readUint32();
+    const principalsData = reader.readBytes(principalsLength);
+    const validPrincipals = [];
+    if (principalsData.length > 0) {
+        const principalsReader = new SshReader(principalsData);
+        while (principalsReader.getOffset() < principalsData.length) {
+            try {
+                const principal = principalsReader.readString();
+                validPrincipals.push(principal);
+            }
+            catch {
+                break;
+            }
+        }
+    }
+    const validAfter = reader.readUint64();
+    const validBefore = reader.readUint64();
+    const criticalOptions = {};
+    const criticalLength = reader.readUint32();
+    const criticalData = reader.readBytes(criticalLength);
+    if (criticalData.length > 0) {
+        const optionsReader = new SshReader(criticalData);
+        while (optionsReader.getOffset() < criticalData.length) {
+            try {
+                const name = optionsReader.readString();
+                const valueData = optionsReader.readBytes(optionsReader.readUint32());
+                const value = valueData.length === 0 ? '' : decoder.decode(valueData);
+                criticalOptions[name] = value;
+            }
+            catch {
+                break;
+            }
+        }
+    }
+    const extensions = {};
+    const extensionsLength = reader.readUint32();
+    const extensionsData = reader.readBytes(extensionsLength);
+    if (extensionsData.length > 0) {
+        const extReader = new SshReader(extensionsData);
+        while (extReader.getOffset() < extensionsData.length) {
+            try {
+                const name = extReader.readString();
+                const valueData = extReader.readBytes(extReader.readUint32());
+                const value = valueData.length === 0 ? '' : decoder.decode(valueData);
+                extensions[name] = value;
+            }
+            catch {
+                break;
+            }
+        }
+    }
+    const reservedLength = reader.readUint32();
+    const reserved = reader.readBytes(reservedLength);
+    const signatureKeyLength = reader.readUint32();
+    const signatureKeyData = reader.readBytes(signatureKeyLength);
+    const signatureKeyReader = new SshReader(signatureKeyData);
+    const signatureKeyType = signatureKeyReader.readString();
+    const signatureKey = {
+        type: signatureKeyType,
+        keyData: signatureKeyData,
+    };
+    const signatureLength = reader.readUint32();
+    const signature = reader.readBytes(signatureLength);
+    return {
+        nonce,
+        keyType,
+        publicKey,
+        serial,
+        type,
+        keyId,
+        validPrincipals,
+        validAfter,
+        validBefore,
+        criticalOptions,
+        extensions,
+        reserved,
+        signatureKey,
+        signature,
+    };
+}
+function serialize(cert) {
+    const base64 = buildExports.Convert.ToBase64(cert.keyData);
+    const parts = [cert.type, base64];
+    if (cert.comment) {
+        parts.push(cert.comment);
+    }
+    return parts.join(' ');
+}
+function parseSignature(data) {
+    const reader = new SshReader(data);
+    if (data.length >= 6 && new TextDecoder().decode(data.subarray(0, 6)) === 'SSHSIG') {
+        return parseSshSignatureFormat(reader);
+    }
+    else {
+        return parseLegacyFormat(reader);
+    }
+}
+function parseSshSignatureFormat(reader) {
+    const magicBytes = reader.readBytes(6);
+    const magic = new TextDecoder().decode(magicBytes);
+    if (magic !== 'SSHSIG') {
+        throw new InvalidFormatError(magic, 'SSHSIG');
+    }
+    const version = reader.readUint32();
+    const publicKeyLength = reader.readUint32();
+    const publicKey = reader.readBytes(publicKeyLength);
+    const namespace = reader.readString();
+    const reserved = reader.readString();
+    const hashAlgorithm = reader.readString();
+    const signatureLength = reader.readUint32();
+    const signatureData = reader.readBytes(signatureLength);
+    const sigReader = new SshReader(signatureData);
+    const algorithm = sigReader.readString();
+    const signatureLength2 = sigReader.readUint32();
+    const signature = sigReader.readBytes(signatureLength2);
+    return {
+        format: 'ssh-signature',
+        algorithm,
+        signature,
+        version,
+        publicKey,
+        namespace,
+        reserved,
+        hashAlgorithm,
+    };
+}
+function parseLegacyFormat(reader) {
+    const algorithm = reader.readString();
+    const signatureLength = reader.readUint32();
+    const signature = reader.readBytes(signatureLength);
+    return {
+        format: 'legacy',
+        algorithm,
+        signature,
+    };
+}
+function serializeSignature(blob) {
+    if (blob.format === 'ssh-signature') {
+        return serializeSshSignatureFormat(blob);
+    }
+    else {
+        return serializeLegacyFormat(blob);
+    }
+}
+function serializeSshSignatureFormat(blob) {
+    const writer = new SshWriter();
+    writer.writeBytes(new TextEncoder().encode('SSHSIG'));
+    writer.writeUint32(blob.version || 1);
+    if (blob.publicKey) {
+        writer.writeUint32(blob.publicKey.length);
+        writer.writeBytes(blob.publicKey);
+    }
+    else {
+        writer.writeUint32(0);
+    }
+    writer.writeString(blob.namespace || 'file');
+    writer.writeString(blob.reserved || '');
+    writer.writeString(blob.hashAlgorithm || 'sha512');
+    const sigWriter = new SshWriter();
+    sigWriter.writeString(blob.algorithm);
+    sigWriter.writeUint32(blob.signature.length);
+    sigWriter.writeBytes(blob.signature);
+    const sigData = sigWriter.toUint8Array();
+    writer.writeUint32(sigData.length);
+    writer.writeBytes(sigData);
+    return writer.toUint8Array();
+}
+function serializeLegacyFormat(blob) {
+    const writer = new SshWriter();
+    writer.writeString(blob.algorithm);
+    writer.writeUint32(blob.signature.length);
+    writer.writeBytes(blob.signature);
+    return writer.toUint8Array();
+}
+class SshObject {
+}
+class SshPublicKey extends SshObject {
+    static TYPE = 'public-key';
+    type = SshPublicKey.TYPE;
+    blob;
+    cachedCryptoKey;
+    constructor(blob) {
+        super();
+        this.blob = blob;
+    }
+    async getCryptoKey(crypto = getCrypto()) {
+        if (!this.cachedCryptoKey) {
+            const binding = AlgorithmRegistry.get(this.blob.type);
+            this.cachedCryptoKey = await binding.importPublicSsh({ blob: this.blob.keyData, crypto });
+        }
+        return this.cachedCryptoKey;
+    }
+    static async fromSSH(sshKey, crypto = getCrypto()) {
+        const blob = parsePublicKey(sshKey);
+        const binding = AlgorithmRegistry.get(blob.type);
+        await binding.importPublicSsh({ blob: blob.keyData, crypto });
+        return new SshPublicKey(blob);
+    }
+    static async fromSPKI(spki, type, crypto = getCrypto()) {
+        const binding = AlgorithmRegistry.get(type);
+        const cryptoKey = await binding.importPublicSpki({ spki, crypto });
+        const exported = await binding.exportPublicSsh({ publicKey: cryptoKey, crypto });
+        const blob = {
+            type,
+            keyData: exported,
+        };
+        return new SshPublicKey(blob);
+    }
+    static async fromWebCrypto(cryptoKey, type, crypto = getCrypto()) {
+        const sshType = type || AlgorithmRegistry.getSshTypeFromCryptoKey(cryptoKey);
+        const binding = AlgorithmRegistry.get(sshType);
+        const exported = await binding.exportPublicSsh({ publicKey: cryptoKey, crypto });
+        const blob = {
+            type: sshType,
+            keyData: exported,
+        };
+        return new SshPublicKey(blob);
+    }
+    async export(format = 'ssh', crypto = getCrypto()) {
+        if (format === 'ssh') {
+            return serializePublicKey(this.blob);
+        }
+        else if (format === 'spki') {
+            const cryptoKey = await this.getCryptoKey(crypto);
+            const binding = AlgorithmRegistry.get(this.blob.type);
+            const spki = await binding.exportPublicSpki({ publicKey: cryptoKey, crypto });
+            return new Uint8Array(spki);
+        }
+        throw new UnsupportedKeyTypeError(`Unsupported export format: ${format}`);
+    }
+    async toSSH() {
+        const result = await this.export('ssh');
+        return result;
+    }
+    async toSPKI() {
+        const result = await this.export('spki');
+        return result;
+    }
+    async toWebCrypto(crypto = getCrypto()) {
+        return this.getCryptoKey(crypto);
+    }
+    async verify(algorithm, signature, data, crypto = getCrypto()) {
+        const binding = AlgorithmRegistry.get(algorithm);
+        const cryptoKey = await this.toWebCrypto(crypto);
+        return binding.verify({
+            publicKey: cryptoKey,
+            signature,
+            data,
+            crypto,
+        });
+    }
+    get keyType() {
+        return this.blob.type;
+    }
+    get comment() {
+        return this.blob.comment;
+    }
+    getBlob() {
+        return { ...this.blob };
+    }
+    async thumbprint(algorithm = 'sha256', crypto = getCrypto()) {
+        const hashAlgorithm = algorithm === 'sha256' ? 'SHA-256' : 'SHA-512';
+        const data = this.blob.keyData;
+        const hash = await crypto.subtle.digest(hashAlgorithm, data);
+        return new Uint8Array(hash);
+    }
+}
+class SshSignature extends SshObject {
+    static TYPE = 'signature';
+    type = SshSignature.TYPE;
+    blob;
+    format;
+    algorithm;
+    signature;
+    version;
+    publicKey;
+    namespace;
+    reserved;
+    hashAlgorithm;
+    constructor(blob) {
+        super();
+        this.blob = blob;
+        this.format = blob.format;
+        this.algorithm = blob.algorithm;
+        this.signature = blob.signature;
+        this.version = blob.version;
+        this.namespace = blob.namespace;
+        this.reserved = blob.reserved;
+        this.hashAlgorithm = blob.hashAlgorithm;
+        if (blob.publicKey) {
+            const reader = new SshReader(blob.publicKey);
+            const type = reader.readString();
+            this.publicKey = new SshPublicKey({ type, keyData: blob.publicKey });
+        }
+    }
+    static parse(data) {
+        const blob = parseSignature(data);
+        return new SshSignature(blob);
+    }
+    static fromBlob(blob) {
+        return new SshSignature(blob);
+    }
+    static fromBase64(base64) {
+        const data = new Uint8Array(buildExports.Convert.FromBase64(base64));
+        return SshSignature.parse(data);
+    }
+    static fromText(text) {
+        const base64 = text
+            .replace(/-----BEGIN SSH SIGNATURE-----/, '')
+            .replace(/-----END SSH SIGNATURE-----/, '')
+            .replace(/[\r\n\s]/g, '');
+        return SshSignature.fromBase64(base64);
+    }
+    serialize() {
+        return serializeSignature(this.blob);
+    }
+    toBase64() {
+        return buildExports.Convert.ToBase64(this.serialize());
+    }
+    toText() {
+        const base64 = this.toBase64();
+        const lines = [];
+        for (let i = 0; i < base64.length; i += 70) {
+            lines.push(base64.substring(i, i + 70));
+        }
+        return ['-----BEGIN SSH SIGNATURE-----', ...lines, '-----END SSH SIGNATURE-----'].join('\n');
+    }
+    async toSSH() {
+        return this.toText();
+    }
+    async verify(data, publicKey) {
+        const binding = AlgorithmRegistry.get(this.algorithm);
+        const cryptoKey = await publicKey['getCryptoKey']();
+        const crypto = getCrypto();
+        let dataToVerify = data;
+        if (this.format === 'ssh-signature') {
+            const hashAlg = this.hashAlgorithm || 'sha512';
+            const namespace = this.namespace || 'file';
+            const reserved = this.reserved || '';
+            const hashAlgorithm = hashAlg === 'sha256' ? 'SHA-256' : 'SHA-512';
+            const messageHash = await crypto.subtle.digest(hashAlgorithm, data);
+            const messageHashBytes = new Uint8Array(messageHash);
+            const writer = new SshWriter();
+            writer.writeBytes(new TextEncoder().encode('SSHSIG'));
+            writer.writeString(namespace);
+            writer.writeString(reserved);
+            writer.writeString(hashAlg);
+            writer.writeUint32(messageHashBytes.length);
+            writer.writeBytes(messageHashBytes);
+            dataToVerify = writer.toUint8Array();
+        }
+        let hashAlgorithm;
+        if (this.algorithm === 'rsa-sha2-256') {
+            hashAlgorithm = 'SHA-256';
+        }
+        else if (this.algorithm === 'rsa-sha2-512') {
+            hashAlgorithm = 'SHA-512';
+        }
+        let signatureToVerify;
+        if (this.format === 'legacy' || this.format === 'ssh-signature') {
+            const sigWriter = new SshWriter();
+            sigWriter.writeString(this.algorithm);
+            sigWriter.writeUint32(this.signature.length);
+            sigWriter.writeBytes(this.signature);
+            const wireFormatSignature = sigWriter.toUint8Array();
+            const decodedSig = binding.decodeSignature({
+                signature: wireFormatSignature,
+            });
+            signatureToVerify = decodedSig.signature;
+        }
+        else {
+            signatureToVerify = this.signature;
+        }
+        return binding.verify({
+            publicKey: cryptoKey,
+            signature: signatureToVerify,
+            data: dataToVerify,
+            crypto,
+            hash: hashAlgorithm,
+        });
+    }
+    static fromLegacy(algorithm, signature) {
+        const binding = AlgorithmRegistry.get(algorithm);
+        const encodedSignature = binding.encodeSignature({
+            signature,
+            algo: algorithm,
+        });
+        const sigReader = new SshReader(encodedSignature);
+        sigReader.readString();
+        const sigLength = sigReader.readUint32();
+        const signatureData = sigReader.readBytes(sigLength);
+        return new SshSignature({
+            format: 'legacy',
+            algorithm,
+            signature: signatureData,
+        });
+    }
+    static fromSshSignature(algorithm, signature, options = {}) {
+        const blob = {
+            format: 'ssh-signature',
+            algorithm,
+            signature,
+            version: options.version || 1,
+            publicKey: options.publicKey ? options.publicKey.getBlob().keyData : undefined,
+            namespace: options.namespace || 'file',
+            reserved: options.reserved || '',
+            hashAlgorithm: options.hashAlgorithm || 'sha512',
+        };
+        return new SshSignature(blob);
+    }
+    static async sign(algorithm, privateKey, data, options = {}) {
+        const { format = 'legacy', namespace = 'file' } = options;
+        if (format === 'legacy') {
+            const rawSignature = await privateKey.sign(algorithm, data);
+            const algorithmUsed = algorithm || privateKey.keyType;
+            return SshSignature.fromLegacy(algorithmUsed, rawSignature);
+        }
+        else {
+            const signatureAlgorithm = algorithm;
+            const binding = AlgorithmRegistry.get(signatureAlgorithm);
+            const hashAlgorithm = algorithm === 'rsa-sha2-256' ? 'sha256' : 'sha512';
+            const publicKey = await privateKey.getPublicKey();
+            const crypto = getCrypto();
+            const webCryptoHashAlg = hashAlgorithm === 'sha256' ? 'SHA-256' : 'SHA-512';
+            const messageHash = await crypto.subtle.digest(webCryptoHashAlg, data);
+            const messageHashBytes = new Uint8Array(messageHash);
+            const writer = new SshWriter();
+            writer.writeBytes(new TextEncoder().encode('SSHSIG'));
+            writer.writeString(namespace);
+            writer.writeString('');
+            writer.writeString(hashAlgorithm);
+            writer.writeUint32(messageHashBytes.length);
+            writer.writeBytes(messageHashBytes);
+            const dataToSign = writer.toUint8Array();
+            const rawSignature = await privateKey.sign(signatureAlgorithm, dataToSign);
+            const encodedSignature = binding.encodeSignature({
+                signature: rawSignature,
+                algo: signatureAlgorithm,
+            });
+            const sigReader = new SshReader(encodedSignature);
+            sigReader.readString();
+            const sigLength = sigReader.readUint32();
+            const signatureData = sigReader.readBytes(sigLength);
+            return SshSignature.fromSshSignature(signatureAlgorithm, signatureData, {
+                namespace,
+                hashAlgorithm,
+                publicKey,
+            });
+        }
+    }
+}
+let SshCertificate$1 = class SshCertificate extends SshObject {
+    static TYPE = 'certificate';
+    type = SshCertificate.TYPE;
+    _blob;
+    data;
+    _validAfter;
+    _validBefore;
+    keyId;
+    principals;
+    certType;
+    serial;
+    validAfter;
+    validBefore;
+    publicKey;
+    signatureKey;
+    criticalOptions;
+    extensions;
+    constructor(blob) {
+        super();
+        this._blob = blob;
+        this.data = parseCertificateData(blob.keyData);
+        this._validAfter = this.data.validAfter;
+        this._validBefore = this.data.validBefore;
+        this.keyId = this.data.keyId;
+        this.principals = this.data.validPrincipals;
+        this.certType = this.data.type;
+        this.serial = this.data.serial;
+        this.validAfter = new Date(Number(this.data.validAfter) * 1000);
+        this.validBefore = new Date(Number(this.data.validBefore) * 1000);
+        this.publicKey = new SshPublicKey(this.data.publicKey);
+        this.signatureKey = new SshPublicKey(this.data.signatureKey);
+        this.criticalOptions = { ...this.data.criticalOptions };
+        this.extensions = { ...this.data.extensions };
+    }
+    static async fromSSH(text) {
+        const blob = parse(text);
+        return new SshCertificate(blob);
+    }
+    static async fromBlob(blob) {
+        return new SshCertificate(blob);
+    }
+    async toSSH() {
+        return serialize(this._blob);
+    }
+    toBlob() {
+        return { ...this._blob };
+    }
+    get blob() {
+        return this.toBlob();
+    }
+    validate(date = new Date()) {
+        const ts = BigInt(Math.floor(date.getTime() / 1000));
+        const after = this._validAfter;
+        const before = this._validBefore;
+        const INFINITY = 0xffffffffffffffffn;
+        const upper = before === INFINITY ? ts : before;
+        return ts >= after && ts <= upper;
+    }
+    async verify(caPublicKey, crypto = getCrypto()) {
+        const verifyKey = caPublicKey || this.signatureKey;
+        const signedData = this.getSignedData();
+        const sshSignature = SshSignature.parse(this.data.signature);
+        const binding = AlgorithmRegistry.get(sshSignature.algorithm);
+        const cryptoKey = await verifyKey.toWebCrypto(crypto);
+        return binding.verify({
+            publicKey: cryptoKey,
+            signature: sshSignature.signature,
+            data: signedData,
+            crypto,
+        });
+    }
+    getSignedData() {
+        const reader = new SshReader(this._blob.keyData);
+        reader.readString();
+        reader.readBytes(reader.readUint32());
+        if (this.data.keyType === 'ssh-ed25519') {
+            reader.readBytes(reader.readUint32());
+        }
+        else if (this.data.keyType === 'ssh-rsa') {
+            reader.readBytes(reader.readUint32());
+            reader.readBytes(reader.readUint32());
+        }
+        else if (this.data.keyType.startsWith('ecdsa-sha2-')) {
+            reader.readString();
+            reader.readBytes(reader.readUint32());
+        }
+        reader.readUint64();
+        reader.readUint32();
+        reader.readBytes(reader.readUint32());
+        reader.readBytes(reader.readUint32());
+        reader.readUint64();
+        reader.readUint64();
+        reader.readBytes(reader.readUint32());
+        reader.readBytes(reader.readUint32());
+        reader.readBytes(reader.readUint32());
+        reader.readBytes(reader.readUint32());
+        const signedDataEnd = reader.getOffset();
+        return this._blob.keyData.slice(0, signedDataEnd);
+    }
+};
+var __classPrivateFieldSet = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _SshCertificate_cert;
+class SshCertificate {
+    constructor(raw) {
+        _SshCertificate_cert.set(this, void 0);
+        const blob = parse(raw.trim());
+        // @ts-expect-error - SshCertificateType is not a constructor
+        __classPrivateFieldSet(this, _SshCertificate_cert, new SshCertificate$1(blob), "f");
+        this.notBefore = __classPrivateFieldGet(this, _SshCertificate_cert, "f").validAfter;
+        this.notAfter = __classPrivateFieldGet(this, _SshCertificate_cert, "f").validBefore;
+        this.validity = dateDiff(this.notBefore, this.notAfter);
+        this.type = [__classPrivateFieldGet(this, _SshCertificate_cert, "f").blob.type, __classPrivateFieldGet(this, _SshCertificate_cert, "f").certType, __classPrivateFieldGet(this, _SshCertificate_cert, "f").type].join(' ');
+        this.serialNumber = __classPrivateFieldGet(this, _SshCertificate_cert, "f").serial.toString();
+        this.keyId = __classPrivateFieldGet(this, _SshCertificate_cert, "f").keyId;
+        this.principals = __classPrivateFieldGet(this, _SshCertificate_cert, "f").principals;
+        this.extensions = __classPrivateFieldGet(this, _SshCertificate_cert, "f").extensions;
+        this.criticalOptions = __classPrivateFieldGet(this, _SshCertificate_cert, "f").criticalOptions;
+    }
+    async parseSignatureKey() {
+        const key = await __classPrivateFieldGet(this, _SshCertificate_cert, "f").signatureKey.toWebCrypto();
+        const blob = __classPrivateFieldGet(this, _SshCertificate_cert, "f").signatureKey.getBlob();
+        const thumbprint = await __classPrivateFieldGet(this, _SshCertificate_cert, "f").signatureKey.thumbprint('sha256');
+        this.signatureKey = {
+            algorithm: key.algorithm.name,
+            type: blob.type,
+            value: await __classPrivateFieldGet(this, _SshCertificate_cert, "f").signatureKey.toSSH(),
+            thumbprint: buildExports.Convert.ToBase64(thumbprint),
+        };
+    }
+    async parsePublicKey() {
+        const key = await __classPrivateFieldGet(this, _SshCertificate_cert, "f").publicKey.toWebCrypto();
+        const blob = __classPrivateFieldGet(this, _SshCertificate_cert, "f").publicKey.getBlob();
+        const thumbprint = await __classPrivateFieldGet(this, _SshCertificate_cert, "f").publicKey.thumbprint('sha256');
+        this.publicKey = {
+            algorithm: key.algorithm.name,
+            type: blob.type,
+            value: await __classPrivateFieldGet(this, _SshCertificate_cert, "f").publicKey.toSSH(),
+            thumbprint: buildExports.Convert.ToBase64(thumbprint),
+        };
+    }
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    async toString(_format = 'pem') {
+        return __classPrivateFieldGet(this, _SshCertificate_cert, "f").toSSH();
+    }
+}
+_SshCertificate_cert = new WeakMap();
 exports.ArchiveRevInfo = ArchiveRevInfo;
 exports.AsnArray = AsnArray;
 exports.AsnConvert = AsnConvert;
@@ -12790,17 +14357,17 @@ exports.Attribute = Attribute$1;
 exports.AttributeCertificate = AttributeCertificate;
 exports.AuthorityKeyIdentifier = AuthorityKeyIdentifier;
 exports.BasicConstraints = BasicConstraints;
+exports.ByteStream = ByteStream;
 exports.CabforganizationIdentifier = CabforganizationIdentifier;
 exports.Certificate = Certificate;
 exports.CertificateList = CertificateList;
 exports.CertificateTemplate = CertificateTemplate;
-exports.CertificateTransparency = CertificateTransparency;
 exports.CertificationRequest = CertificationRequest;
 exports.ContentInfo = ContentInfo;
 exports.Download = Download;
 exports.EDIPartyName = EDIPartyName;
 exports.EntrustVersionInfo = EntrustVersionInfo;
-exports.Extension = Extension;
+exports.Extension = Extension$1;
 exports.IssuingDistributionPoint = IssuingDistributionPoint;
 exports.KeyUsage = KeyUsage;
 exports.LogotypeExtn = LogotypeExtn;
@@ -12817,7 +14384,9 @@ exports.PrivateKeyUsagePeriod = PrivateKeyUsagePeriod;
 exports.RSAPublicKey = RSAPublicKey;
 exports.RootOfTrust = RootOfTrust;
 exports.SemanticsInformation = SemanticsInformation;
+exports.SignedCertificateTimestamp = SignedCertificateTimestamp;
 exports.SignedData = SignedData;
+exports.SshCertificate = SshCertificate;
 exports.SubjectKeyIdentifier = SubjectKeyIdentifier;
 exports.Timestamp = Timestamp;
 exports.UserNotice = UserNotice;
@@ -12837,15 +14406,54 @@ exports.id_InsuranceValue = id_InsuranceValue;
 exports.id_TypeRelationship = id_TypeRelationship;
 exports.id_ValuationRanking = id_ValuationRanking;
 exports.id_WebGDPR = id_WebGDPR;
+exports.id_adbe_archiveRevInfo = id_adbe_archiveRevInfo;
+exports.id_adbe_timestamp = id_adbe_timestamp;
 exports.id_alg_composite = id_alg_composite;
+exports.id_at_statementOfPossession = id_at_statementOfPossession;
+exports.id_caVersion = id_caVersion;
+exports.id_cabforganizationIdentifier = id_cabforganizationIdentifier;
+exports.id_ce_authorityKeyIdentifier = id_ce_authorityKeyIdentifier;
+exports.id_ce_basicConstraints = id_ce_basicConstraints;
+exports.id_ce_cRLDistributionPoints = id_ce_cRLDistributionPoints;
+exports.id_ce_cRLNumber = id_ce_cRLNumber;
+exports.id_ce_cRLReasons = id_ce_cRLReasons;
+exports.id_ce_certificateIssuer = id_ce_certificateIssuer;
+exports.id_ce_certificatePolicies = id_ce_certificatePolicies;
+exports.id_ce_deltaCRLIndicator = id_ce_deltaCRLIndicator;
+exports.id_ce_extKeyUsage = id_ce_extKeyUsage;
+exports.id_ce_inhibitAnyPolicy = id_ce_inhibitAnyPolicy;
+exports.id_ce_invalidityDate = id_ce_invalidityDate;
+exports.id_ce_issuerAltName = id_ce_issuerAltName;
+exports.id_ce_issuingDistributionPoint = id_ce_issuingDistributionPoint;
+exports.id_ce_keyDescription = id_ce_keyDescription;
+exports.id_ce_keyUsage = id_ce_keyUsage;
+exports.id_ce_nameConstraints = id_ce_nameConstraints;
+exports.id_ce_policyConstraints = id_ce_policyConstraints;
+exports.id_ce_policyMappings = id_ce_policyMappings;
+exports.id_ce_privateKeyUsagePeriod = id_ce_privateKeyUsagePeriod;
+exports.id_ce_subjectAltName = id_ce_subjectAltName;
+exports.id_ce_subjectDirectoryAttributes = id_ce_subjectDirectoryAttributes;
+exports.id_ce_subjectKeyIdentifier = id_ce_subjectKeyIdentifier;
+exports.id_certificateTemplate = id_certificateTemplate;
 exports.id_composite_key = id_composite_key;
 exports.id_ecPublicKey = id_ecPublicKey;
+exports.id_enrollCertType = id_enrollCertType;
+exports.id_entrust_entrustVersInfo = id_entrust_entrustVersInfo;
+exports.id_lei = id_lei;
+exports.id_netscapeCertType = id_netscapeCertType;
+exports.id_netscapeComment = id_netscapeComment;
+exports.id_pe_TNAuthList = id_pe_TNAuthList;
+exports.id_pe_authorityInfoAccess = id_pe_authorityInfoAccess;
+exports.id_pe_biometricInfo = id_pe_biometricInfo;
+exports.id_pe_qcStatements = id_pe_qcStatements;
+exports.id_pe_subjectInfoAccess = id_pe_subjectInfoAccess;
 exports.id_pkcs9_at_challengePassword = id_pkcs9_at_challengePassword;
 exports.id_pkcs9_at_extensionRequest = id_pkcs9_at_extensionRequest;
 exports.id_pkcs9_at_unstructuredName = id_pkcs9_at_unstructuredName;
 exports.id_qcs_pkixQCSyntax_v2 = id_qcs_pkixQCSyntax_v2;
+exports.id_role = id_role;
 exports.id_rsaEncryption = id_rsaEncryption;
 exports.l10n = l10n;
-//# sourceMappingURL=certification_request-CxHe71zR.js.map
+//# sourceMappingURL=ssh_certificate-s3-rwdMT.js.map
-//# sourceMappingURL=certification_request-CxHe71zR.js.map
+//# sourceMappingURL=ssh_certificate-s3-rwdMT.js.map