@peculiar/certificates-viewer 4.6.1 → 4.7.1-alpha.1

package/dist/esm/{certification_request-PeMaLTUD.js → ssh_certificate-Ct-r021h.js}

@@ -6765,6 +6765,10 @@ const crlEntryExtensions = "CRL Entry Extensions";
 const previewCertificate = "Preview certificate";
 const viewDetails = "View details";
 const downloadOptions = "Download options";
+const keyId = "Key ID";
+const principals = "Principals";
+const criticalOptions = "Critical Options";
+const signingCA = "Signing CA";
 var en = {
 	basicInformation: basicInformation,
 	subjectName: subjectName,
@@ -6812,7 +6816,11 @@ var en = {
 	crlEntryExtensions: crlEntryExtensions,
 	previewCertificate: previewCertificate,
 	viewDetails: viewDetails,
-	downloadOptions: downloadOptions
+	downloadOptions: downloadOptions,
+	keyId: keyId,
+	principals: principals,
+	criticalOptions: criticalOptions,
+	signingCA: signingCA
 };
 
 /**
@@ -8087,6 +8095,7 @@ const OIDs = {
     '1.3.6.1.4.1.16334.509.2.3': 'Ngc Class3',
     '1.3.6.1.4.1.17326.10.8.12.1.2': 'Camerfirma EV policy',
     '1.3.6.1.4.1.17326.10.14.2.1.2': 'Camerfirma EV policy',
+    '1.3.6.1.4.1.22112.2.1': 'Private Key Possession Statement',
     '1.3.6.1.4.1.22234.2.5.2.3.1': 'Cert Plus EV policy',
     '1.3.6.1.4.1.23223.1.1.1': 'Start Com EV policy',
     '1.3.6.1.4.1.23629.1.4.2.1.1': 'Safenet Usage Limit',
@@ -8480,6 +8489,7 @@ const OIDs = {
     '1.3.132.0.37': 'Sect409r1',
     '1.3.132.0.38': 'Sect571k1',
     '1.3.132.0.39': 'Sect571r1',
+    '1.3.132.1.12': 'ECDH',
     '1.3.133.16.840.9.84': 'x984',
     '1.3.133.16.840.9.84.0': 'x984 Module',
     '1.3.133.16.840.9.84.0.1': 'x984 Biometrics',
@@ -9230,13 +9240,13 @@ const OIDs = {
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.
  */
-var __classPrivateFieldSet$1 = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+var __classPrivateFieldSet$2 = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
     if (kind === "m") throw new TypeError("Private method is not writable");
     if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
     return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
 };
-var __classPrivateFieldGet$1 = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+var __classPrivateFieldGet$2 = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
     if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
@@ -9246,15 +9256,15 @@ class Name {
     constructor(data) {
         _Name_asn.set(this, new Name$1());
         if (buildExports.BufferSourceConverter.isBufferSource(data)) {
-            __classPrivateFieldSet$1(this, _Name_asn, AsnParser.parse(data, Name$1), "f");
+            __classPrivateFieldSet$2(this, _Name_asn, AsnParser.parse(data, Name$1), "f");
         }
         else {
-            __classPrivateFieldSet$1(this, _Name_asn, data, "f");
+            __classPrivateFieldSet$2(this, _Name_asn, data, "f");
         }
     }
     toJSON() {
         const res = [];
-        __classPrivateFieldGet$1(this, _Name_asn, "f").forEach((o) => (o.forEach((a) => {
+        __classPrivateFieldGet$2(this, _Name_asn, "f").forEach((o) => (o.forEach((a) => {
             res.push({
                 type: a.type,
                 name: OIDs[a.type],
@@ -9969,27 +9979,6 @@ class SignedCertificateTimestamp extends Structure {
     }
 }
 
-const id_certificateTransparency = "1.3.6.1.4.1.11129.2.4.2";
-class CertificateTransparency extends OctetString {
-    constructor() {
-        super(...arguments);
-        this.items = [];
-    }
-    fromASN(asn) {
-        super.fromASN(asn);
-        const stream = new ByteStream(this.buffer);
-        const len = stream.readNumber(2);
-        this.items = [];
-        while (stream.position < len) {
-            this.items.push(new SignedCertificateTimestamp(stream));
-        }
-        return this;
-    }
-    toJSON() {
-        return this.items.map((o) => o.toJSON());
-    }
-}
-
 var Version$1;
 (function (Version) {
     Version[Version["v1"] = 1] = "v1";
@@ -10239,8 +10228,6 @@ __decorate$1([
     AsnProp({ type: OtherLogotypeInfo, context: 3, repeated: "sequence", optional: true })
 ], LogotypeExtn.prototype, "otherLogos", void 0);
 
-const id_pe_logotype = "1.3.6.1.5.5.7.1.12";
-
 var JWTClaimNames_1, JWTClaimPermittedValuesList_1, TNAuthorizationList_1;
 const id_pkix = "1.3.6.1.5.5.7";
 const id_pe = `${id_pkix}.1`;
@@ -10818,13 +10805,13 @@ __decorate([
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.
  */
-var __classPrivateFieldSet = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+var __classPrivateFieldSet$1 = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
     if (kind === "m") throw new TypeError("Private method is not writable");
     if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
     return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
 };
-var __classPrivateFieldGet = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+var __classPrivateFieldGet$1 = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
     if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
@@ -10837,99 +10824,24 @@ class AsnData {
         _AsnData_raw.set(this, void 0);
         if (args.length === 1) {
             // asn
-            __classPrivateFieldSet(this, _AsnData_asn, args[0], "f");
-            __classPrivateFieldSet(this, _AsnData_raw, AsnConvert.serialize(__classPrivateFieldGet(this, _AsnData_asn, "f")), "f");
+            __classPrivateFieldSet$1(this, _AsnData_asn, args[0], "f");
+            __classPrivateFieldSet$1(this, _AsnData_raw, AsnConvert.serialize(__classPrivateFieldGet$1(this, _AsnData_asn, "f")), "f");
         }
         else {
             // raw, type
-            __classPrivateFieldSet(this, _AsnData_asn, AsnConvert.parse(args[0], args[1]), "f");
-            __classPrivateFieldSet(this, _AsnData_raw, buildExports.BufferSourceConverter.toArrayBuffer(args[0]), "f");
+            __classPrivateFieldSet$1(this, _AsnData_asn, AsnConvert.parse(args[0], args[1]), "f");
+            __classPrivateFieldSet$1(this, _AsnData_raw, buildExports.BufferSourceConverter.toArrayBuffer(args[0]), "f");
         }
     }
     get asn() {
-        return __classPrivateFieldGet(this, _AsnData_asn, "f");
+        return __classPrivateFieldGet$1(this, _AsnData_asn, "f");
     }
     get raw() {
-        return __classPrivateFieldGet(this, _AsnData_raw, "f");
+        return __classPrivateFieldGet$1(this, _AsnData_raw, "f");
     }
 }
 _AsnData_asn = new WeakMap(), _AsnData_raw = new WeakMap();
 
-/**
- * @license
- * Copyright (c) Peculiar Ventures, LLC.
- *
- * This source code is licensed under the MIT license found in the
- * LICENSE file in the root directory of this source tree.
- */
-const extensionParsers = {
-    [id_pe_authorityInfoAccess]: AuthorityInfoAccessSyntax,
-    [id_ce_authorityKeyIdentifier]: AuthorityKeyIdentifier,
-    [id_ce_basicConstraints]: BasicConstraints,
-    [id_ce_certificateIssuer]: CertificateIssuer,
-    [id_ce_certificatePolicies]: CertificatePolicies,
-    [id_ce_cRLDistributionPoints]: CRLDistributionPoints,
-    '2.5.29.46': CRLDistributionPoints,
-    [id_ce_issuingDistributionPoint]: IssuingDistributionPoint,
-    [id_ce_cRLReasons]: CRLReason,
-    [id_ce_extKeyUsage]: ExtendedKeyUsage,
-    [id_ce_inhibitAnyPolicy]: InhibitAnyPolicy,
-    [id_ce_invalidityDate]: InvalidityDate,
-    [id_ce_issuerAltName]: IssueAlternativeName,
-    [id_ce_keyUsage]: KeyUsage,
-    [id_ce_nameConstraints]: NameConstraints,
-    [id_ce_policyConstraints]: PolicyConstraints,
-    [id_ce_policyMappings]: PolicyMappings,
-    [id_ce_subjectAltName]: SubjectAlternativeName,
-    [id_ce_subjectDirectoryAttributes]: SubjectDirectoryAttributes,
-    [id_ce_subjectKeyIdentifier]: SubjectKeyIdentifier,
-    [id_pe_qcStatements]: QCStatements,
-    [id_certificateTemplate]: CertificateTemplate,
-    [id_enrollCertType]: EnrollCertTypeChoice,
-    [id_netscapeComment]: NetscapeComment,
-    [id_netscapeCertType]: NetscapeCertType,
-    [id_caVersion]: CaVersion,
-    [id_certificateTransparency]: CertificateTransparency,
-    [id_lei]: LeiChoice,
-    [id_role]: LeiRole,
-    [id_adbe_timestamp]: Timestamp,
-    [id_adbe_archiveRevInfo]: ArchiveRevInfo,
-    [id_ce_privateKeyUsagePeriod]: PrivateKeyUsagePeriod,
-    [id_entrust_entrustVersInfo]: EntrustVersionInfo,
-    '2.16.724.1.2.2.4.1': BiometricSyntax,
-    [id_pe_biometricInfo]: BiometricSyntax,
-    [id_pe_logotype]: LogotypeExtn,
-    [id_pe_TNAuthList]: TNAuthorizationList,
-    [id_pe_subjectInfoAccess]: SubjectInfoAccessSyntax,
-    [id_ce_cRLNumber]: CRLNumber,
-    [id_ce_deltaCRLIndicator]: BaseCRLNumber,
-    [id_ce_keyDescription]: NonStandardKeyDescription,
-    [id_cabforganizationIdentifier]: CabforganizationIdentifier,
-};
-class Extension extends AsnData {
-    getAsnExtnValue() {
-        return this.asn.extnValue.buffer;
-    }
-    constructor(raw) {
-        super(raw, Extension$1);
-        const asnExtnValue = this.getAsnExtnValue();
-        try {
-            const target = extensionParsers[this.asn.extnID];
-            if (target) {
-                this.value = AsnParser.parse(asnExtnValue, target);
-            }
-            else {
-                console.warn(`Didn't detect parser for "${this.asn.extnID}" extension.`);
-                this.value = buildExports.Convert.ToHex(asnExtnValue);
-            }
-        }
-        catch (error) {
-            console.error(`Error parse "${this.asn.extnID}" extension:`, error.message);
-            this.value = buildExports.Convert.ToHex(asnExtnValue);
-        }
-    }
-}
-
 /**
  * @license
  * Copyright (c) Peculiar Ventures, LLC.
@@ -12724,6 +12636,22 @@ SMIMECapabilities = SMIMECapabilities_1 = __decorate$1([
     AsnType({ type: AsnTypeTypes.Sequence, itemType: SMIMECapability })
 ], SMIMECapabilities);
 
+const id_at_statementOfPossession = "1.3.6.1.4.1.22112.2.1";
+let PrivateKeyPossessionStatement = class PrivateKeyPossessionStatement {
+    constructor(params = {}) {
+        Object.assign(this, params);
+    }
+};
+__decorate$1([
+    AsnProp({ type: IssuerAndSerialNumber })
+], PrivateKeyPossessionStatement.prototype, "signer", void 0);
+__decorate$1([
+    AsnProp({ type: Certificate, optional: true })
+], PrivateKeyPossessionStatement.prototype, "cert", void 0);
+PrivateKeyPossessionStatement = __decorate$1([
+    AsnType({ type: AsnTypeTypes.Sequence })
+], PrivateKeyPossessionStatement);
+
 var Attributes_1;
 let Attributes = Attributes_1 = class Attributes extends AsnArray {
     constructor(items) {
@@ -12775,7 +12703,1646 @@ __decorate$1([
     AsnProp({ type: AsnPropTypes.BitString })
 ], CertificationRequest.prototype, "signature", void 0);
 
-export { SignedData as $, AsnData as A, id_pkcs9_at_unstructuredName as B, Certificate as C, Download as D, Extension as E, id_pkcs9_at_challengePassword as F, id_ValuationRanking as G, id_InsuranceValue as H, InsuranceValue as I, id_WebGDPR as J, id_ActivityDescription as K, id_TypeRelationship as L, id_DomainNameTechnicalOperator as M, Name as N, id_DomainNameOwner as O, PemConverter as P, id_DomainNameLegalRepresentative as Q, RSAPublicKey as R, id_DomainNameBeneficiary as S, TypeRelationship as T, UnstructuredName as U, ValuationRanking as V, WebGDPR as W, CertificationRequest as X, l10n as Y, dateShort as Z, OIDs as _, dateDiff as a, EncapsulatedContent as a0, OctetString as a1, CertificateSet as a2, CertificateChoices as a3, ContentInfo as a4, Name$1 as a5, CRLReason as a6, InvalidityDate as a7, CertificateIssuer as a8, OtherName as a9, NameConstraints as aA, CertificateTemplate as aB, EnrollCertTypeChoice as aC, CaVersion as aD, QCStatements as aE, NetscapeComment as aF, NetscapeCertType as aG, LeiRole as aH, LeiChoice as aI, Timestamp as aJ, ArchiveRevInfo as aK, SubjectDirectoryAttributes as aL, PrivateKeyUsagePeriod as aM, EntrustVersionInfo as aN, BiometricSyntax as aO, LogotypeExtn as aP, TNAuthorizationList as aQ, PolicyConstraints as aR, PolicyMappings as aS, CRLNumber as aT, IssuingDistributionPoint as aU, NonStandardKeyDescription as aV, CabforganizationIdentifier as aW, DisplayText as aa, UserNotice as ab, EDIPartyName as ac, __decorate$1 as ad, AsnProp as ae, AsnPropTypes as af, AsnType as ag, AsnTypeTypes as ah, AsnArray as ai, id_qcs_pkixQCSyntax_v2 as aj, SemanticsInformation as ak, AsnIntegerArrayBufferConverter as al, AttestationApplicationId as am, RootOfTrust as an, IntegerSet as ao, KeyUsage as ap, BasicConstraints as aq, ExtendedKeyUsage as ar, SubjectKeyIdentifier as as, AuthorityKeyIdentifier as at, CRLDistributionPoints as au, AuthorityInfoAccessSyntax as av, SubjectInfoAccessSyntax as aw, SubjectAlternativeName as ax, CertificatePolicies as ay, CertificateTransparency as az, buildExports as b, certificateRawToBuffer as c, downloadFromBuffer as d, AsnConvert as e, ECParameters as f, id_rsaEncryption as g, id_composite_key as h, id_ecPublicKey as i, CompositePublicKey as j, id_alg_composite as k, CompositeSignatureValue as l, CompositeParams as m, getCertificateThumbprint as n, AttributeCertificate as o, CertificateList as p, Attribute$1 as q, AsnParser as r, ExtensionRequest as s, ChallengePassword as t, ActivityDescription as u, DomainNameTechnicalOperator as v, DomainNameOwner as w, DomainNameLegalRepresentative as x, DomainNameBeneficiary as y, id_pkcs9_at_extensionRequest as z };
-//# sourceMappingURL=certification_request-PeMaLTUD.js.map
+let globalCrypto = globalThis.crypto;
+function getCrypto() {
+    return globalCrypto;
+}
+
+class SshError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.code = code;
+        this.name = this.constructor.name;
+        if (Error.captureStackTrace) {
+            Error.captureStackTrace(this, this.constructor);
+        }
+    }
+}
+class UnsupportedAlgorithmError extends SshError {
+    constructor(algorithm, supportedAlgorithms) {
+        const supported = supportedAlgorithms ? ` Supported: ${supportedAlgorithms.join(', ')}` : '';
+        super(`Unsupported algorithm: ${algorithm}.${supported}`, 'UNSUPPORTED_ALGORITHM');
+    }
+}
+class InvalidFormatError extends SshError {
+    constructor(format, expectedFormat) {
+        const expected = expectedFormat ? ` Expected: ${expectedFormat}` : '';
+        super(`Invalid format: ${format}.${expected}`, 'INVALID_FORMAT');
+    }
+}
+class UnsupportedKeyTypeError extends SshError {
+    constructor(keyType, supportedTypes) {
+        const supported = supportedTypes ? ` Supported: ${supportedTypes.join(', ')}` : '';
+        super(`Unsupported key type: ${keyType}.${supported}`, 'UNSUPPORTED_KEY_TYPE');
+    }
+}
+class InvalidPrivateKeyFormatError extends SshError {
+    constructor(details) {
+        const message = details
+            ? `Invalid SSH private key format: ${details}`
+            : 'Invalid SSH private key format';
+        super(message, 'INVALID_PRIVATE_KEY_FORMAT');
+    }
+}
+class EncryptedKeyNotSupportedError extends SshError {
+    constructor(cipher) {
+        const message = cipher
+            ? `Encrypted SSH private keys are not supported (cipher: ${cipher})`
+            : 'Encrypted SSH private keys are not supported';
+        super(message, 'ENCRYPTED_KEY_NOT_SUPPORTED');
+    }
+}
+class InvalidKeyDataError extends SshError {
+    constructor(details) {
+        const message = details ? `Invalid key data: ${details}` : 'Invalid key data';
+        super(message, 'INVALID_KEY_DATA');
+    }
+}
+class UnexpectedEOFError extends SshError {
+    constructor(expected, actual) {
+        const details = expected !== undefined && actual !== undefined
+            ? ` Expected ${expected} bytes, got ${actual}`
+            : '';
+        super(`Unexpected end of data${details}`, 'UNEXPECTED_EOF');
+    }
+}
+
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+
+class SshReader {
+    buffer;
+    offset;
+    constructor(data) {
+        this.buffer = data;
+        this.offset = 0;
+    }
+    readUint8() {
+        if (this.offset >= this.buffer.length) {
+            throw new UnexpectedEOFError(1, 0);
+        }
+        return this.buffer[this.offset++];
+    }
+    readUint32() {
+        const value = (this.readUint8() << 24) |
+            (this.readUint8() << 16) |
+            (this.readUint8() << 8) |
+            this.readUint8();
+        return value >>> 0;
+    }
+    readUint64() {
+        const high = this.readUint32();
+        const low = this.readUint32();
+        return (BigInt(high) << 32n) | BigInt(low);
+    }
+    readBytes(length) {
+        if (length < 0) {
+            throw new InvalidFormatError(`Invalid length: ${length}`);
+        }
+        if (this.offset + length > this.buffer.length) {
+            throw new UnexpectedEOFError(length, this.buffer.length - this.offset);
+        }
+        const result = this.buffer.subarray(this.offset, this.offset + length);
+        this.offset += length;
+        return result;
+    }
+    readString() {
+        const length = this.readUint32();
+        const bytes = this.readBytes(length);
+        return decoder.decode(bytes);
+    }
+    peekString(length) {
+        if (this.offset + length > this.buffer.length) {
+            throw new UnexpectedEOFError(length, this.buffer.length - this.offset);
+        }
+        const bytes = this.buffer.subarray(this.offset, this.offset + length);
+        return decoder.decode(bytes);
+    }
+    readMpInt(sshEncoding = false) {
+        const length = this.readUint32();
+        const bytes = this.readBytes(length);
+        if (sshEncoding && bytes.length > 1 && bytes[0] === 0x00) {
+            return bytes.subarray(1);
+        }
+        return bytes;
+    }
+    readMpIntSsh() {
+        return this.readMpInt(true);
+    }
+    remaining() {
+        return this.buffer.length - this.offset;
+    }
+    getOffset() {
+        return this.offset;
+    }
+    seek(offset) {
+        if (offset < 0 || offset > this.buffer.length) {
+            throw new InvalidFormatError(`Invalid offset: ${offset}. Buffer length: ${this.buffer.length}`);
+        }
+        this.offset = offset;
+    }
+}
+
+class SshWriter {
+    buffer;
+    offset;
+    constructor(initialSize = 1024) {
+        this.buffer = new Uint8Array(initialSize);
+        this.offset = 0;
+    }
+    ensureCapacity(additional) {
+        const required = this.offset + additional;
+        if (required > this.buffer.length) {
+            const newSize = Math.max(required, this.buffer.length * 2);
+            const newBuffer = new Uint8Array(newSize);
+            newBuffer.set(this.buffer.subarray(0, this.offset));
+            this.buffer = newBuffer;
+        }
+    }
+    reserve(minCapacity) {
+        if (minCapacity > this.buffer.length) {
+            const newBuffer = new Uint8Array(minCapacity);
+            newBuffer.set(this.buffer.subarray(0, this.offset));
+            this.buffer = newBuffer;
+        }
+    }
+    writeUint8(value) {
+        this.ensureCapacity(1);
+        this.buffer[this.offset++] = value & 0xff;
+    }
+    writeUint32(value) {
+        this.ensureCapacity(4);
+        this.buffer[this.offset++] = (value >>> 24) & 0xff;
+        this.buffer[this.offset++] = (value >>> 16) & 0xff;
+        this.buffer[this.offset++] = (value >>> 8) & 0xff;
+        this.buffer[this.offset++] = value & 0xff;
+    }
+    writeUint64(value) {
+        this.ensureCapacity(8);
+        const high = Number(value >> 32n);
+        const low = Number(value & 0xffffffffn);
+        this.writeUint32(high);
+        this.writeUint32(low);
+    }
+    writeBytes(data) {
+        this.ensureCapacity(data.length);
+        this.buffer.set(data, this.offset);
+        this.offset += data.length;
+    }
+    writeString(value) {
+        const bytes = encoder.encode(value);
+        this.writeUint32(bytes.length);
+        this.writeBytes(bytes);
+    }
+    writeMpInt(value, sshEncoding = false) {
+        if (sshEncoding && value.length > 0 && (value[0] & 0x80) !== 0) {
+            const paddedBytes = new Uint8Array(value.length + 1);
+            paddedBytes[0] = 0x00;
+            paddedBytes.set(value, 1);
+            this.writeUint32(paddedBytes.length);
+            this.writeBytes(paddedBytes);
+        }
+        else {
+            this.writeUint32(value.length);
+            this.writeBytes(value);
+        }
+    }
+    writeMpIntSsh(value) {
+        this.writeMpInt(value, true);
+    }
+    toUint8Array() {
+        return this.buffer.subarray(0, this.offset);
+    }
+    getOffset() {
+        return this.offset;
+    }
+    seek(offset) {
+        if (offset < 0 || offset > this.buffer.length) {
+            throw new InvalidFormatError('Invalid offset');
+        }
+        this.offset = offset;
+    }
+}
+
+class RsaBinding {
+    hash = 'SHA-256';
+    constructor(hash = 'SHA-256') {
+        this.hash = hash;
+    }
+    async importPublicSsh(params) {
+        const { blob, crypto } = params;
+        const reader = new SshReader(blob);
+        reader.readString();
+        const e = reader.readMpInt(true);
+        const n = reader.readMpInt(true);
+        const jwk = {
+            kty: 'RSA',
+            n: buildExports.Convert.ToBase64Url(n),
+            e: buildExports.Convert.ToBase64Url(e),
+        };
+        return crypto.subtle.importKey('jwk', jwk, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: this.hash,
+        }, true, ['verify']);
+    }
+    async exportPublicSsh(params) {
+        const { publicKey, crypto } = params;
+        const jwk = await crypto.subtle.exportKey('jwk', publicKey);
+        if (!jwk.n || !jwk.e) {
+            throw new InvalidKeyDataError('RSA JWK missing required parameters (n, e)');
+        }
+        const n = buildExports.BufferSourceConverter.toUint8Array(buildExports.Convert.FromBase64Url(jwk.n));
+        const e = buildExports.BufferSourceConverter.toUint8Array(buildExports.Convert.FromBase64Url(jwk.e));
+        const writer = new SshWriter();
+        writer.writeString('ssh-rsa');
+        writer.writeMpInt(e, true);
+        writer.writeMpInt(n, true);
+        return writer.toUint8Array();
+    }
+    async importPublicSpki(params) {
+        const { spki, crypto } = params;
+        return crypto.subtle.importKey('spki', spki, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: this.hash,
+        }, true, ['verify']);
+    }
+    async exportPublicSpki(params) {
+        const { publicKey, crypto } = params;
+        const spki = await crypto.subtle.exportKey('spki', publicKey);
+        return buildExports.BufferSourceConverter.toUint8Array(spki);
+    }
+    async importPrivatePkcs8(params) {
+        const { pkcs8, crypto } = params;
+        return crypto.subtle.importKey('pkcs8', pkcs8, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: this.hash,
+        }, true, ['sign']);
+    }
+    async exportPrivatePkcs8(params) {
+        const { privateKey, crypto } = params;
+        const pkcs8 = await crypto.subtle.exportKey('pkcs8', privateKey);
+        return buildExports.BufferSourceConverter.toUint8Array(pkcs8);
+    }
+    async importPrivateSsh(params) {
+        const { sshKey, crypto } = params;
+        const base64Data = sshKey
+            .replace(/-----BEGIN OPENSSH PRIVATE KEY-----/, '')
+            .replace(/-----END OPENSSH PRIVATE KEY-----/, '')
+            .replace(/\s/g, '');
+        const binaryData = buildExports.Convert.FromBase64(base64Data);
+        const reader = new SshReader(buildExports.BufferSourceConverter.toUint8Array(binaryData));
+        const magic = reader.readBytes(15);
+        if (buildExports.Convert.ToHex(magic) !== '6f70656e7373682d6b65792d763100') {
+            throw new InvalidPrivateKeyFormatError('invalid magic string');
+        }
+        const _cipherName = reader.readString();
+        reader.readString();
+        reader.readString();
+        if (_cipherName !== 'none') {
+            throw new EncryptedKeyNotSupportedError(_cipherName);
+        }
+        const numKeys = reader.readUint32();
+        if (numKeys !== 1) {
+            throw new InvalidPrivateKeyFormatError('multiple keys not supported');
+        }
+        const publicKeyLength = reader.readUint32();
+        reader.readBytes(publicKeyLength);
+        const privateKeyLength = reader.readUint32();
+        const privateKeyData = reader.readBytes(privateKeyLength);
+        const privateReader = new SshReader(privateKeyData);
+        const checkint1 = privateReader.readUint32();
+        const checkint2 = privateReader.readUint32();
+        if (checkint1 !== checkint2) {
+            throw new InvalidPrivateKeyFormatError('invalid checkints');
+        }
+        privateReader.readString();
+        const n = privateReader.readMpInt(true);
+        const e = privateReader.readMpInt(true);
+        const d = privateReader.readMpInt(true);
+        const iqmp = privateReader.readMpInt(true);
+        const p = privateReader.readMpInt(true);
+        const q = privateReader.readMpInt(true);
+        privateReader.readString();
+        const dBig = BigInt('0x' + buildExports.Convert.ToHex(d));
+        const pBig = BigInt('0x' + buildExports.Convert.ToHex(p));
+        const qBig = BigInt('0x' + buildExports.Convert.ToHex(q));
+        const dpBig = dBig % (pBig - 1n);
+        const dqBig = dBig % (qBig - 1n);
+        const dpBytes = buildExports.Convert.FromHex(dpBig.toString(16).padStart(p.length * 2, '0'));
+        const dqBytes = buildExports.Convert.FromHex(dqBig.toString(16).padStart(q.length * 2, '0'));
+        const jwk = {
+            kty: 'RSA',
+            n: buildExports.Convert.ToBase64Url(n),
+            e: buildExports.Convert.ToBase64Url(e),
+            d: buildExports.Convert.ToBase64Url(d),
+            p: buildExports.Convert.ToBase64Url(p),
+            q: buildExports.Convert.ToBase64Url(q),
+            dp: buildExports.Convert.ToBase64Url(dpBytes),
+            dq: buildExports.Convert.ToBase64Url(dqBytes),
+            qi: buildExports.Convert.ToBase64Url(iqmp),
+        };
+        return crypto.subtle.importKey('jwk', jwk, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: this.hash,
+        }, true, ['sign']);
+    }
+    async exportPrivateSsh(params) {
+        const { privateKey, crypto, jwk: providedJwk } = params;
+        const jwk = providedJwk || (await crypto.subtle.exportKey('jwk', privateKey));
+        if (!jwk.n || !jwk.e || !jwk.d || !jwk.p || !jwk.q) {
+            throw new InvalidKeyDataError('RSA JWK missing required parameters');
+        }
+        const n = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.n));
+        const e = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.e));
+        const d = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.d));
+        const p = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.p));
+        const q = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.q));
+        const qi = jwk.qi ? new Uint8Array(buildExports.Convert.FromBase64Url(jwk.qi)) : new Uint8Array();
+        const writer = new SshWriter();
+        writer.writeString('ssh-rsa');
+        writer.writeMpInt(n, true);
+        writer.writeMpInt(e, true);
+        writer.writeMpInt(d, true);
+        writer.writeMpInt(qi, true);
+        writer.writeMpInt(p, true);
+        writer.writeMpInt(q, true);
+        return writer.toUint8Array();
+    }
+    async sign(params) {
+        const { privateKey, data, crypto, hash } = params;
+        if (hash && hash !== this.hash) {
+            throw new InvalidKeyDataError(`Hash ${hash} not supported for this RSA algorithm`);
+        }
+        if (!privateKey.extractable) {
+            throw new InvalidKeyDataError('Private key is not extractable');
+        }
+        const pkcs8 = await this.exportPrivatePkcs8({ privateKey, crypto });
+        const keyToUse = await this.importPrivatePkcs8({ pkcs8: new Uint8Array(pkcs8), crypto });
+        const signature = await crypto.subtle.sign('RSASSA-PKCS1-v1_5', keyToUse, data);
+        return buildExports.BufferSourceConverter.toUint8Array(signature);
+    }
+    async verify(params) {
+        const { publicKey, signature, data, crypto, hash } = params;
+        if (hash && hash !== this.hash) {
+            return false;
+        }
+        if (!publicKey.extractable) {
+            throw new InvalidKeyDataError('Public key is not extractable');
+        }
+        const spki = await this.exportPublicSpki({ publicKey, crypto });
+        const keyToUse = await this.importPublicSpki({ spki: new Uint8Array(spki), crypto });
+        return crypto.subtle.verify('RSASSA-PKCS1-v1_5', keyToUse, signature, data);
+    }
+    encodeSignature(params) {
+        const { signature, algo } = params;
+        const writer = new SshWriter();
+        writer.writeString(algo);
+        writer.writeUint32(signature.byteLength);
+        writer.writeBytes(signature);
+        return writer.toUint8Array();
+    }
+    decodeSignature(params) {
+        const { signature } = params;
+        const reader = new SshReader(signature);
+        const algo = reader.readString();
+        const sigLength = reader.readUint32();
+        const sig = reader.readBytes(sigLength);
+        return { signature: sig, algo };
+    }
+    supportsCryptoKey(cryptoKey) {
+        return cryptoKey.algorithm.name === 'RSASSA-PKCS1-v1_5';
+    }
+    parsePublicKey(reader) {
+        const publicKeyExponent = reader.readBytes(reader.readUint32());
+        const publicKeyModulus = reader.readBytes(reader.readUint32());
+        const writer = new SshWriter();
+        writer.writeString('ssh-rsa');
+        writer.writeMpInt(publicKeyExponent);
+        writer.writeMpInt(publicKeyModulus);
+        return {
+            type: 'ssh-rsa',
+            keyData: writer.toUint8Array(),
+        };
+    }
+    writePublicKey(writer, publicKey) {
+        const publicKeyReader = new SshReader(publicKey.keyData);
+        publicKeyReader.readString();
+        const e = publicKeyReader.readMpInt();
+        const n = publicKeyReader.readMpInt();
+        writer.writeUint32(e.length);
+        writer.writeBytes(e);
+        writer.writeUint32(n.length);
+        writer.writeBytes(n);
+    }
+    getCertificateType() {
+        return 'ssh-rsa-cert-v01@openssh.com';
+    }
+    getSignatureAlgo() {
+        return this.hash === 'SHA-256' ? 'rsa-sha2-256' : 'rsa-sha2-512';
+    }
+}
+
+class EcdsaBinding {
+    curveName;
+    sshType;
+    namedCurve;
+    constructor(curveName, sshType, namedCurve) {
+        this.curveName = curveName;
+        this.sshType = sshType;
+        this.namedCurve = namedCurve;
+    }
+    getHashAlgorithm() {
+        switch (this.namedCurve) {
+            case 'P-256':
+                return 'SHA-256';
+            case 'P-384':
+                return 'SHA-384';
+            case 'P-521':
+                return 'SHA-512';
+            default:
+                return 'SHA-256';
+        }
+    }
+    getExpectedLength() {
+        switch (this.namedCurve) {
+            case 'P-256':
+                return 32;
+            case 'P-384':
+                return 48;
+            case 'P-521':
+                return 66;
+            default:
+                return 32;
+        }
+    }
+    getSignatureCoordLength() {
+        return this.getExpectedLength();
+    }
+    async importPublicSsh(params) {
+        const { blob, crypto } = params;
+        const reader = new SshReader(blob);
+        reader.readString();
+        const curve = reader.readString();
+        if (curve !== this.curveName) {
+            throw new InvalidKeyDataError(`ECDSA curve name ${curve}, expected ${this.curveName}`);
+        }
+        const q = reader.readMpInt();
+        const coordLength = Math.floor((q.length - 1) / 2);
+        const jwk = {
+            kty: 'EC',
+            crv: this.namedCurve,
+            x: buildExports.Convert.ToBase64Url(q.slice(1, 1 + coordLength)),
+            y: buildExports.Convert.ToBase64Url(q.slice(1 + coordLength)),
+        };
+        return crypto.subtle.importKey('jwk', jwk, {
+            name: 'ECDSA',
+            namedCurve: this.namedCurve,
+        }, true, ['verify']);
+    }
+    async exportPublicSsh(params) {
+        const { publicKey, crypto } = params;
+        const jwk = await crypto.subtle.exportKey('jwk', publicKey);
+        if (!jwk.x || !jwk.y) {
+            throw new InvalidKeyDataError('ECDSA JWK missing x or y parameters');
+        }
+        const x = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.x));
+        const y = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.y));
+        const q = new Uint8Array(1 + x.length + y.length);
+        q[0] = 0x04;
+        q.set(x, 1);
+        q.set(y, 1 + x.length);
+        const writer = new SshWriter();
+        writer.writeString(this.sshType);
+        writer.writeString(this.curveName);
+        writer.writeMpInt(q);
+        return writer.toUint8Array();
+    }
+    async importPublicSpki(params) {
+        const { spki, crypto } = params;
+        return crypto.subtle.importKey('spki', spki, {
+            name: 'ECDSA',
+            namedCurve: this.namedCurve,
+        }, true, ['verify']);
+    }
+    async exportPublicSpki(params) {
+        const { publicKey, crypto } = params;
+        const spki = await crypto.subtle.exportKey('spki', publicKey);
+        return buildExports.BufferSourceConverter.toUint8Array(spki);
+    }
+    async importPrivatePkcs8(params) {
+        const { pkcs8, crypto } = params;
+        return crypto.subtle.importKey('pkcs8', pkcs8, {
+            name: 'ECDSA',
+            namedCurve: this.namedCurve,
+        }, true, ['sign']);
+    }
+    async exportPrivatePkcs8(params) {
+        const { privateKey, crypto } = params;
+        const pkcs8 = await crypto.subtle.exportKey('pkcs8', privateKey);
+        return buildExports.BufferSourceConverter.toUint8Array(pkcs8);
+    }
+    async exportPrivateSsh(params) {
+        const { privateKey, crypto, jwk: providedJwk } = params;
+        const jwk = providedJwk || (await crypto.subtle.exportKey('jwk', privateKey));
+        if (!jwk.d || !jwk.x || !jwk.y) {
+            throw new InvalidKeyDataError('ECDSA private key JWK missing required parameters');
+        }
+        const x = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.x));
+        const y = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.y));
+        const d = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.d));
+        const publicPoint = new Uint8Array(1 + x.length + y.length);
+        publicPoint[0] = 0x04;
+        publicPoint.set(x, 1);
+        publicPoint.set(y, 1 + x.length);
+        const writer = new SshWriter();
+        writer.writeString(this.sshType);
+        writer.writeString(this.curveName);
+        writer.writeMpInt(publicPoint);
+        writer.writeMpInt(d);
+        return writer.toUint8Array();
+    }
+    async importPrivateSsh(params) {
+        const { sshKey, crypto } = params;
+        const base64Data = sshKey
+            .replace(/-----BEGIN OPENSSH PRIVATE KEY-----/, '')
+            .replace(/-----END OPENSSH PRIVATE KEY-----/, '')
+            .replace(/\s/g, '');
+        const binaryData = buildExports.Convert.FromBase64(base64Data);
+        const reader = new SshReader(buildExports.BufferSourceConverter.toUint8Array(binaryData));
+        const magic = reader.readBytes(15);
+        if (buildExports.Convert.ToHex(magic) !== '6f70656e7373682d6b65792d763100') {
+            throw new InvalidPrivateKeyFormatError('invalid magic string');
+        }
+        const _cipherName = reader.readString();
+        reader.readString();
+        reader.readString();
+        if (_cipherName !== 'none') {
+            throw new EncryptedKeyNotSupportedError(_cipherName);
+        }
+        const numKeys = reader.readUint32();
+        if (numKeys !== 1) {
+            throw new InvalidPrivateKeyFormatError('multiple keys not supported');
+        }
+        const publicKeyLength = reader.readUint32();
+        reader.readBytes(publicKeyLength);
+        const privateKeyLength = reader.readUint32();
+        const privateKeyData = reader.readBytes(privateKeyLength);
+        const privateReader = new SshReader(privateKeyData);
+        const checkint1 = privateReader.readUint32();
+        const checkint2 = privateReader.readUint32();
+        if (checkint1 !== checkint2) {
+            throw new InvalidPrivateKeyFormatError('invalid checkints');
+        }
+        privateReader.readString();
+        privateReader.readString();
+        const publicKeyPoint = privateReader.readMpInt();
+        const privateKeyValue = privateReader.readMpInt();
+        privateReader.readString();
+        if (publicKeyPoint[0] !== 0x04) {
+            throw new InvalidKeyDataError('invalid ECDSA public key point format');
+        }
+        const coordLength = Math.floor((publicKeyPoint.length - 1) / 2);
+        const x = publicKeyPoint.slice(1, 1 + coordLength);
+        const y = publicKeyPoint.slice(1 + coordLength);
+        const jwk = {
+            kty: 'EC',
+            crv: this.namedCurve,
+            x: buildExports.Convert.ToBase64Url(x),
+            y: buildExports.Convert.ToBase64Url(y),
+            d: buildExports.Convert.ToBase64Url(privateKeyValue),
+        };
+        return crypto.subtle.importKey('jwk', jwk, {
+            name: 'ECDSA',
+            namedCurve: this.namedCurve,
+        }, true, ['sign']);
+    }
+    async sign(params) {
+        const { privateKey, data, crypto, hash } = params;
+        const expectedHash = this.getHashAlgorithm();
+        if (hash && hash !== expectedHash) {
+            throw new InvalidKeyDataError(`ECDSA ${this.namedCurve} requires ${expectedHash}, got ${hash}`);
+        }
+        const signature = await crypto.subtle.sign({
+            name: 'ECDSA',
+            hash: expectedHash,
+        }, privateKey, data);
+        return buildExports.BufferSourceConverter.toUint8Array(signature);
+    }
+    async verify(params) {
+        const { publicKey, signature, data, crypto, hash } = params;
+        const expectedHash = this.getHashAlgorithm();
+        if (hash && hash !== expectedHash) {
+            throw new InvalidKeyDataError(`ECDSA ${this.namedCurve} requires ${expectedHash}, got ${hash}`);
+        }
+        return crypto.subtle.verify({
+            name: 'ECDSA',
+            hash: expectedHash,
+        }, publicKey, signature, data);
+    }
+    encodeSignature(params) {
+        const { signature, algo } = params;
+        if (algo.startsWith('ecdsa-sha2-')) {
+            const coordLength = this.getSignatureCoordLength();
+            const r = signature.subarray(0, coordLength);
+            const s = signature.subarray(coordLength);
+            const writer = new SshWriter();
+            writer.writeString(algo);
+            const sigWriter = new SshWriter();
+            sigWriter.writeMpInt(r, true);
+            sigWriter.writeMpInt(s, true);
+            const sigData = sigWriter.toUint8Array();
+            writer.writeUint32(sigData.length);
+            writer.writeBytes(sigData);
+            return writer.toUint8Array();
+        }
+        const writer = new SshWriter();
+        writer.writeString(algo);
+        writer.writeUint32(signature.byteLength);
+        writer.writeBytes(signature);
+        return writer.toUint8Array();
+    }
+    decodeSignature(params) {
+        const { signature } = params;
+        const reader = new SshReader(signature);
+        const algo = reader.readString();
+        const sigLength = reader.readUint32();
+        const sig = reader.readBytes(sigLength);
+        if (algo.startsWith('ecdsa-sha2-')) {
+            const sigReader = new SshReader(sig);
+            let r = sigReader.readMpInt();
+            let s = sigReader.readMpInt();
+            if (r[0] === 0x00 && r.length > 1 && (r[1] & 0x80) === 0) {
+                r = r.slice(1);
+            }
+            if (s[0] === 0x00 && s.length > 1 && (s[1] & 0x80) === 0) {
+                s = s.slice(1);
+            }
+            const expectedLength = this.getExpectedLength();
+            const rPadded = new Uint8Array(expectedLength);
+            const sPadded = new Uint8Array(expectedLength);
+            if (r.length <= expectedLength) {
+                rPadded.set(r, expectedLength - r.length);
+            }
+            else {
+                rPadded.set(r.slice(r.length - expectedLength), 0);
+            }
+            if (s.length <= expectedLength) {
+                sPadded.set(s, expectedLength - s.length);
+            }
+            else {
+                sPadded.set(s.slice(s.length - expectedLength), 0);
+            }
+            const rawSignature = new Uint8Array([...rPadded, ...sPadded]);
+            return { signature: rawSignature, algo };
+        }
+        return { signature: sig, algo };
+    }
+    supportsCryptoKey(cryptoKey) {
+        return (cryptoKey.algorithm.name === 'ECDSA' &&
+            cryptoKey.algorithm.namedCurve === this.namedCurve);
+    }
+    parsePublicKey(reader) {
+        const curveName = reader.readString();
+        if (curveName !== this.curveName) {
+            throw new InvalidKeyDataError(`ECDSA certificate curve name ${curveName}, expected ${this.curveName}`);
+        }
+        const publicKeyPoint = reader.readBytes(reader.readUint32());
+        const writer = new SshWriter();
+        writer.writeString(this.sshType);
+        writer.writeString(curveName);
+        writer.writeMpInt(publicKeyPoint);
+        return {
+            type: this.sshType,
+            keyData: writer.toUint8Array(),
+        };
+    }
+    writePublicKey(writer, publicKey) {
+        const publicKeyReader = new SshReader(publicKey.keyData);
+        publicKeyReader.readString();
+        const curveName = publicKeyReader.readString();
+        const publicPoint = publicKeyReader.readMpInt();
+        writer.writeString(curveName);
+        writer.writeUint32(publicPoint.length);
+        writer.writeBytes(publicPoint);
+    }
+    getCertificateType() {
+        return `${this.sshType}-cert-v01@openssh.com`;
+    }
+    getSignatureAlgo() {
+        return this.sshType;
+    }
+}
+const EcdsaP256Binding = new EcdsaBinding('nistp256', 'ecdsa-sha2-nistp256', 'P-256');
+const EcdsaP384Binding = new EcdsaBinding('nistp384', 'ecdsa-sha2-nistp384', 'P-384');
+const EcdsaP521Binding = new EcdsaBinding('nistp521', 'ecdsa-sha2-nistp521', 'P-521');
+
+class Ed25519Binding {
+    async importPublicSsh(params) {
+        const { blob, crypto } = params;
+        const reader = new SshReader(blob);
+        reader.readString();
+        const keyLength = reader.readUint32();
+        if (keyLength !== 32) {
+            throw new InvalidKeyDataError(`Ed25519 key length ${keyLength}, expected 32`);
+        }
+        const publicKeyBytes = reader.readBytes(keyLength);
+        return crypto.subtle.importKey('raw', publicKeyBytes, 'Ed25519', true, [
+            'verify',
+        ]);
+    }
+    async exportPublicSsh(params) {
+        const { publicKey, crypto } = params;
+        const jwk = await crypto.subtle.exportKey('jwk', publicKey);
+        if (!jwk.x) {
+            throw new InvalidKeyDataError('Ed25519 JWK missing x parameter');
+        }
+        const keyBytes = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.x));
+        const writer = new SshWriter();
+        writer.writeString('ssh-ed25519');
+        writer.writeUint32(keyBytes.length);
+        writer.writeBytes(keyBytes);
+        return writer.toUint8Array();
+    }
+    async importPublicSpki(params) {
+        const { spki, crypto } = params;
+        return crypto.subtle.importKey('spki', spki, 'Ed25519', true, ['verify']);
+    }
+    async exportPublicSpki(params) {
+        const { publicKey, crypto } = params;
+        const spki = await crypto.subtle.exportKey('spki', publicKey);
+        return buildExports.BufferSourceConverter.toUint8Array(spki);
+    }
+    async importPrivatePkcs8(params) {
+        const { pkcs8, crypto } = params;
+        return crypto.subtle.importKey('pkcs8', pkcs8, 'Ed25519', true, ['sign']);
+    }
+    async exportPrivatePkcs8(params) {
+        const { privateKey, crypto } = params;
+        const pkcs8 = await crypto.subtle.exportKey('pkcs8', privateKey);
+        return buildExports.BufferSourceConverter.toUint8Array(pkcs8);
+    }
+    async exportPrivateSsh(params) {
+        const { privateKey, crypto, jwk: providedJwk } = params;
+        const jwk = providedJwk || (await crypto.subtle.exportKey('jwk', privateKey));
+        if (!jwk.d || !jwk.x) {
+            throw new InvalidKeyDataError('Ed25519 private key JWK missing required parameters');
+        }
+        const privateBytes = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.d));
+        const publicBytes = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.x));
+        const writer = new SshWriter();
+        writer.writeString('ssh-ed25519');
+        writer.writeUint32(publicBytes.length);
+        writer.writeBytes(publicBytes);
+        const privKeyPart = new Uint8Array(64);
+        privKeyPart.set(privateBytes, 0);
+        privKeyPart.set(publicBytes, 32);
+        writer.writeUint32(privKeyPart.length);
+        writer.writeBytes(privKeyPart);
+        return writer.toUint8Array();
+    }
+    async importPrivateSsh(params) {
+        const { sshKey, crypto } = params;
+        const base64Data = sshKey
+            .replace(/-----BEGIN OPENSSH PRIVATE KEY-----/, '')
+            .replace(/-----END OPENSSH PRIVATE KEY-----/, '')
+            .replace(/\s/g, '');
+        const binaryData = buildExports.Convert.FromBase64(base64Data);
+        const reader = new SshReader(buildExports.BufferSourceConverter.toUint8Array(binaryData));
+        const magic = reader.readBytes(15);
+        if (buildExports.Convert.ToHex(magic) !== '6f70656e7373682d6b65792d763100') {
+            throw new InvalidPrivateKeyFormatError('invalid magic string');
+        }
+        const _cipherName = reader.readString();
+        reader.readString();
+        reader.readString();
+        if (_cipherName !== 'none') {
+            throw new EncryptedKeyNotSupportedError(_cipherName);
+        }
+        const numKeys = reader.readUint32();
+        if (numKeys !== 1) {
+            throw new InvalidPrivateKeyFormatError('multiple keys not supported');
+        }
+        const publicKeyLength = reader.readUint32();
+        reader.readBytes(publicKeyLength);
+        const privateKeyLength = reader.readUint32();
+        const privateKeyData = reader.readBytes(privateKeyLength);
+        const privateReader = new SshReader(privateKeyData);
+        const checkint1 = privateReader.readUint32();
+        const checkint2 = privateReader.readUint32();
+        if (checkint1 !== checkint2) {
+            throw new InvalidPrivateKeyFormatError('invalid checkints');
+        }
+        privateReader.readString();
+        const pubKeyLength = privateReader.readUint32();
+        const _publicKeyBytes = privateReader.readBytes(pubKeyLength);
+        const privKeyLength = privateReader.readUint32();
+        const privateKeyBytes = privateReader.readBytes(privKeyLength);
+        privateReader.readString();
+        const privateKey = privateKeyBytes.slice(0, 32);
+        const jwk = {
+            kty: 'OKP',
+            crv: 'Ed25519',
+            d: buildExports.Convert.ToBase64Url(privateKey),
+            x: buildExports.Convert.ToBase64Url(_publicKeyBytes),
+        };
+        return crypto.subtle.importKey('jwk', jwk, 'Ed25519', true, ['sign']);
+    }
+    async sign(params) {
+        const { privateKey, data, crypto } = params;
+        const signature = await crypto.subtle.sign('Ed25519', privateKey, data);
+        return buildExports.BufferSourceConverter.toUint8Array(signature);
+    }
+    async verify(params) {
+        const { publicKey, signature, data, crypto } = params;
+        return crypto.subtle.verify('Ed25519', publicKey, signature, data);
+    }
+    encodeSignature(params) {
+        const { signature, algo } = params;
+        const sigBytes = new Uint8Array(signature);
+        const writer = new SshWriter();
+        writer.writeString(algo);
+        writer.writeUint32(sigBytes.length);
+        writer.writeBytes(sigBytes);
+        return writer.toUint8Array();
+    }
+    decodeSignature(params) {
+        const { signature } = params;
+        const reader = new SshReader(signature);
+        const algo = reader.readString();
+        const sigLength = reader.readUint32();
+        const sigBytes = reader.readBytes(sigLength);
+        return {
+            signature: sigBytes,
+            algo,
+        };
+    }
+    supportsCryptoKey(cryptoKey) {
+        return cryptoKey.algorithm.name === 'Ed25519';
+    }
+    parsePublicKey(reader) {
+        const publicKeyData = reader.readBytes(reader.readUint32());
+        const writer = new SshWriter();
+        writer.writeString('ssh-ed25519');
+        writer.writeUint32(publicKeyData.length);
+        writer.writeBytes(publicKeyData);
+        return {
+            type: 'ssh-ed25519',
+            keyData: writer.toUint8Array(),
+        };
+    }
+    writePublicKey(writer, publicKey) {
+        const publicKeyReader = new SshReader(publicKey.keyData);
+        publicKeyReader.readString();
+        const keyLength = publicKeyReader.readUint32();
+        const rawKeyData = publicKeyReader.readBytes(keyLength);
+        writer.writeUint32(rawKeyData.length);
+        writer.writeBytes(rawKeyData);
+    }
+    getCertificateType() {
+        return 'ssh-ed25519-cert-v01@openssh.com';
+    }
+    getSignatureAlgo() {
+        return 'ssh-ed25519';
+    }
+}
+
+const registry = new Map();
+class AlgorithmRegistry {
+    static get(name) {
+        const binding = registry.get(name);
+        if (!binding) {
+            throw new UnsupportedKeyTypeError(name, Array.from(registry.keys()));
+        }
+        return binding;
+    }
+    static register(name, binding) {
+        registry.set(name, binding);
+    }
+    static getSshTypeFromCryptoKey(cryptoKey) {
+        for (const [sshType, binding] of registry.entries()) {
+            if (binding.supportsCryptoKey(cryptoKey)) {
+                return sshType;
+            }
+        }
+        throw new UnsupportedKeyTypeError(cryptoKey.algorithm.name, Array.from(registry.keys()));
+    }
+    static certTypeToKeyType(certType) {
+        const mapping = {
+            'ssh-rsa-cert-v01@openssh.com': 'ssh-rsa',
+            'ssh-ed25519-cert-v01@openssh.com': 'ssh-ed25519',
+            'ecdsa-sha2-nistp256-cert-v01@openssh.com': 'ecdsa-sha2-nistp256',
+            'ecdsa-sha2-nistp384-cert-v01@openssh.com': 'ecdsa-sha2-nistp384',
+            'ecdsa-sha2-nistp521-cert-v01@openssh.com': 'ecdsa-sha2-nistp521',
+        };
+        return mapping[certType];
+    }
+    static getSupportedCertTypes() {
+        return Object.keys({
+            'ssh-rsa-cert-v01@openssh.com': 'ssh-rsa',
+            'ssh-ed25519-cert-v01@openssh.com': 'ssh-ed25519',
+            'ecdsa-sha2-nistp256-cert-v01@openssh.com': 'ecdsa-sha2-nistp256',
+            'ecdsa-sha2-nistp384-cert-v01@openssh.com': 'ecdsa-sha2-nistp384',
+            'ecdsa-sha2-nistp521-cert-v01@openssh.com': 'ecdsa-sha2-nistp521',
+        });
+    }
+}
+AlgorithmRegistry.register('ssh-ed25519', new Ed25519Binding());
+AlgorithmRegistry.register('ssh-rsa', new RsaBinding('SHA-256'));
+AlgorithmRegistry.register('rsa-sha2-256', new RsaBinding('SHA-256'));
+AlgorithmRegistry.register('rsa-sha2-512', new RsaBinding('SHA-512'));
+AlgorithmRegistry.register('ecdsa-sha2-nistp256', EcdsaP256Binding);
+AlgorithmRegistry.register('ecdsa-sha2-nistp384', EcdsaP384Binding);
+AlgorithmRegistry.register('ecdsa-sha2-nistp521', EcdsaP521Binding);
+
+function parsePublicKey(input) {
+    const parts = typeof input === 'string' ? input.trim().split(/\s+/) : null;
+    if (!parts || parts.length < 2) {
+        throw new InvalidFormatError('Invalid SSH public key format');
+    }
+    const type = parts[0];
+    const blob = new Uint8Array(buildExports.Convert.FromBase64(parts[1]));
+    const comment = parts.length > 2 ? parts.slice(2).join(' ') : undefined;
+    const reader = new SshReader(blob);
+    const blobType = reader.readString();
+    if (blobType !== type) {
+        throw new InvalidFormatError('Key type mismatch');
+    }
+    return {
+        type,
+        keyData: blob,
+        comment,
+    };
+}
+function serializePublicKey(blob) {
+    const base64 = buildExports.Convert.ToBase64(blob.keyData);
+    const parts = [blob.type, base64];
+    if (blob.comment) {
+        parts.push(blob.comment);
+    }
+    return parts.join(' ');
+}
+
+function parse(input) {
+    if (typeof input === 'string') {
+        const parts = input.trim().split(/\s+/);
+        if (parts.length < 2) {
+            throw new InvalidFormatError('SSH certificate string', 'type base64 [comment]');
+        }
+        const type = parts[0];
+        const blob = new Uint8Array(buildExports.Convert.FromBase64(parts[1]));
+        const comment = parts.length > 2 ? parts.slice(2).join(' ') : undefined;
+        const reader = new SshReader(blob);
+        const blobType = reader.readString();
+        if (blobType !== type) {
+            throw new InvalidFormatError(`certificate blob type ${blobType}`, `expected ${type}`);
+        }
+        return {
+            type,
+            keyData: blob,
+            comment,
+        };
+    }
+    else {
+        const reader = new SshReader(input);
+        const type = reader.readString();
+        const keyData = input.slice(reader.getOffset());
+        return {
+            type,
+            keyData,
+        };
+    }
+}
+function parseCertificateData(keyData) {
+    const reader = new SshReader(keyData);
+    const certType = reader.readString();
+    const nonce = reader.readBytes(reader.readUint32());
+    const mappedKeyType = AlgorithmRegistry.certTypeToKeyType(certType);
+    if (!mappedKeyType) {
+        throw new UnsupportedAlgorithmError(certType, AlgorithmRegistry.getSupportedCertTypes());
+    }
+    const binding = AlgorithmRegistry.get(mappedKeyType);
+    const publicKey = binding.parsePublicKey(reader);
+    const keyType = mappedKeyType;
+    const serial = reader.readUint64();
+    const typeValue = reader.readUint32();
+    const type = typeValue === 1 ? 'user' : 'host';
+    const keyId = reader.readString();
+    const principalsLength = reader.readUint32();
+    const principalsData = reader.readBytes(principalsLength);
+    const validPrincipals = [];
+    if (principalsData.length > 0) {
+        const principalsReader = new SshReader(principalsData);
+        while (principalsReader.getOffset() < principalsData.length) {
+            try {
+                const principal = principalsReader.readString();
+                validPrincipals.push(principal);
+            }
+            catch {
+                break;
+            }
+        }
+    }
+    const validAfter = reader.readUint64();
+    const validBefore = reader.readUint64();
+    const criticalOptions = {};
+    const criticalLength = reader.readUint32();
+    const criticalData = reader.readBytes(criticalLength);
+    if (criticalData.length > 0) {
+        const optionsReader = new SshReader(criticalData);
+        while (optionsReader.getOffset() < criticalData.length) {
+            try {
+                const name = optionsReader.readString();
+                const valueData = optionsReader.readBytes(optionsReader.readUint32());
+                const value = valueData.length === 0 ? '' : decoder.decode(valueData);
+                criticalOptions[name] = value;
+            }
+            catch {
+                break;
+            }
+        }
+    }
+    const extensions = {};
+    const extensionsLength = reader.readUint32();
+    const extensionsData = reader.readBytes(extensionsLength);
+    if (extensionsData.length > 0) {
+        const extReader = new SshReader(extensionsData);
+        while (extReader.getOffset() < extensionsData.length) {
+            try {
+                const name = extReader.readString();
+                const valueData = extReader.readBytes(extReader.readUint32());
+                const value = valueData.length === 0 ? '' : decoder.decode(valueData);
+                extensions[name] = value;
+            }
+            catch {
+                break;
+            }
+        }
+    }
+    const reservedLength = reader.readUint32();
+    const reserved = reader.readBytes(reservedLength);
+    const signatureKeyLength = reader.readUint32();
+    const signatureKeyData = reader.readBytes(signatureKeyLength);
+    const signatureKeyReader = new SshReader(signatureKeyData);
+    const signatureKeyType = signatureKeyReader.readString();
+    const signatureKey = {
+        type: signatureKeyType,
+        keyData: signatureKeyData,
+    };
+    const signatureLength = reader.readUint32();
+    const signature = reader.readBytes(signatureLength);
+    return {
+        nonce,
+        keyType,
+        publicKey,
+        serial,
+        type,
+        keyId,
+        validPrincipals,
+        validAfter,
+        validBefore,
+        criticalOptions,
+        extensions,
+        reserved,
+        signatureKey,
+        signature,
+    };
+}
+function serialize(cert) {
+    const base64 = buildExports.Convert.ToBase64(cert.keyData);
+    const parts = [cert.type, base64];
+    if (cert.comment) {
+        parts.push(cert.comment);
+    }
+    return parts.join(' ');
+}
+
+function parseSignature(data) {
+    const reader = new SshReader(data);
+    if (data.length >= 6 && new TextDecoder().decode(data.subarray(0, 6)) === 'SSHSIG') {
+        return parseSshSignatureFormat(reader);
+    }
+    else {
+        return parseLegacyFormat(reader);
+    }
+}
+function parseSshSignatureFormat(reader) {
+    const magicBytes = reader.readBytes(6);
+    const magic = new TextDecoder().decode(magicBytes);
+    if (magic !== 'SSHSIG') {
+        throw new InvalidFormatError(magic, 'SSHSIG');
+    }
+    const version = reader.readUint32();
+    const publicKeyLength = reader.readUint32();
+    const publicKey = reader.readBytes(publicKeyLength);
+    const namespace = reader.readString();
+    const reserved = reader.readString();
+    const hashAlgorithm = reader.readString();
+    const signatureLength = reader.readUint32();
+    const signatureData = reader.readBytes(signatureLength);
+    const sigReader = new SshReader(signatureData);
+    const algorithm = sigReader.readString();
+    const signatureLength2 = sigReader.readUint32();
+    const signature = sigReader.readBytes(signatureLength2);
+    return {
+        format: 'ssh-signature',
+        algorithm,
+        signature,
+        version,
+        publicKey,
+        namespace,
+        reserved,
+        hashAlgorithm,
+    };
+}
+function parseLegacyFormat(reader) {
+    const algorithm = reader.readString();
+    const signatureLength = reader.readUint32();
+    const signature = reader.readBytes(signatureLength);
+    return {
+        format: 'legacy',
+        algorithm,
+        signature,
+    };
+}
+function serializeSignature(blob) {
+    if (blob.format === 'ssh-signature') {
+        return serializeSshSignatureFormat(blob);
+    }
+    else {
+        return serializeLegacyFormat(blob);
+    }
+}
+function serializeSshSignatureFormat(blob) {
+    const writer = new SshWriter();
+    writer.writeBytes(new TextEncoder().encode('SSHSIG'));
+    writer.writeUint32(blob.version || 1);
+    if (blob.publicKey) {
+        writer.writeUint32(blob.publicKey.length);
+        writer.writeBytes(blob.publicKey);
+    }
+    else {
+        writer.writeUint32(0);
+    }
+    writer.writeString(blob.namespace || 'file');
+    writer.writeString(blob.reserved || '');
+    writer.writeString(blob.hashAlgorithm || 'sha512');
+    const sigWriter = new SshWriter();
+    sigWriter.writeString(blob.algorithm);
+    sigWriter.writeUint32(blob.signature.length);
+    sigWriter.writeBytes(blob.signature);
+    const sigData = sigWriter.toUint8Array();
+    writer.writeUint32(sigData.length);
+    writer.writeBytes(sigData);
+    return writer.toUint8Array();
+}
+function serializeLegacyFormat(blob) {
+    const writer = new SshWriter();
+    writer.writeString(blob.algorithm);
+    writer.writeUint32(blob.signature.length);
+    writer.writeBytes(blob.signature);
+    return writer.toUint8Array();
+}
+
+class SshObject {
+}
+
+class SshPublicKey extends SshObject {
+    static TYPE = 'public-key';
+    type = SshPublicKey.TYPE;
+    blob;
+    cachedCryptoKey;
+    constructor(blob) {
+        super();
+        this.blob = blob;
+    }
+    async getCryptoKey(crypto = getCrypto()) {
+        if (!this.cachedCryptoKey) {
+            const binding = AlgorithmRegistry.get(this.blob.type);
+            this.cachedCryptoKey = await binding.importPublicSsh({ blob: this.blob.keyData, crypto });
+        }
+        return this.cachedCryptoKey;
+    }
+    static async fromSSH(sshKey, crypto = getCrypto()) {
+        const blob = parsePublicKey(sshKey);
+        const binding = AlgorithmRegistry.get(blob.type);
+        await binding.importPublicSsh({ blob: blob.keyData, crypto });
+        return new SshPublicKey(blob);
+    }
+    static async fromSPKI(spki, type, crypto = getCrypto()) {
+        const binding = AlgorithmRegistry.get(type);
+        const cryptoKey = await binding.importPublicSpki({ spki, crypto });
+        const exported = await binding.exportPublicSsh({ publicKey: cryptoKey, crypto });
+        const blob = {
+            type,
+            keyData: exported,
+        };
+        return new SshPublicKey(blob);
+    }
+    static async fromWebCrypto(cryptoKey, type, crypto = getCrypto()) {
+        const sshType = type || AlgorithmRegistry.getSshTypeFromCryptoKey(cryptoKey);
+        const binding = AlgorithmRegistry.get(sshType);
+        const exported = await binding.exportPublicSsh({ publicKey: cryptoKey, crypto });
+        const blob = {
+            type: sshType,
+            keyData: exported,
+        };
+        return new SshPublicKey(blob);
+    }
+    async export(format = 'ssh', crypto = getCrypto()) {
+        if (format === 'ssh') {
+            return serializePublicKey(this.blob);
+        }
+        else if (format === 'spki') {
+            const cryptoKey = await this.getCryptoKey(crypto);
+            const binding = AlgorithmRegistry.get(this.blob.type);
+            const spki = await binding.exportPublicSpki({ publicKey: cryptoKey, crypto });
+            return new Uint8Array(spki);
+        }
+        throw new UnsupportedKeyTypeError(`Unsupported export format: ${format}`);
+    }
+    async toSSH() {
+        const result = await this.export('ssh');
+        return result;
+    }
+    async toSPKI() {
+        const result = await this.export('spki');
+        return result;
+    }
+    async toWebCrypto(crypto = getCrypto()) {
+        return this.getCryptoKey(crypto);
+    }
+    async verify(algorithm, signature, data, crypto = getCrypto()) {
+        const binding = AlgorithmRegistry.get(algorithm);
+        const cryptoKey = await this.toWebCrypto(crypto);
+        return binding.verify({
+            publicKey: cryptoKey,
+            signature,
+            data,
+            crypto,
+        });
+    }
+    get keyType() {
+        return this.blob.type;
+    }
+    get comment() {
+        return this.blob.comment;
+    }
+    getBlob() {
+        return { ...this.blob };
+    }
+    async thumbprint(algorithm = 'sha256', crypto = getCrypto()) {
+        const hashAlgorithm = algorithm === 'sha256' ? 'SHA-256' : 'SHA-512';
+        const data = this.blob.keyData;
+        const hash = await crypto.subtle.digest(hashAlgorithm, data);
+        return new Uint8Array(hash);
+    }
+}
+
+class SshSignature extends SshObject {
+    static TYPE = 'signature';
+    type = SshSignature.TYPE;
+    blob;
+    format;
+    algorithm;
+    signature;
+    version;
+    publicKey;
+    namespace;
+    reserved;
+    hashAlgorithm;
+    constructor(blob) {
+        super();
+        this.blob = blob;
+        this.format = blob.format;
+        this.algorithm = blob.algorithm;
+        this.signature = blob.signature;
+        this.version = blob.version;
+        this.namespace = blob.namespace;
+        this.reserved = blob.reserved;
+        this.hashAlgorithm = blob.hashAlgorithm;
+        if (blob.publicKey) {
+            const reader = new SshReader(blob.publicKey);
+            const type = reader.readString();
+            this.publicKey = new SshPublicKey({ type, keyData: blob.publicKey });
+        }
+    }
+    static parse(data) {
+        const blob = parseSignature(data);
+        return new SshSignature(blob);
+    }
+    static fromBlob(blob) {
+        return new SshSignature(blob);
+    }
+    static fromBase64(base64) {
+        const data = new Uint8Array(buildExports.Convert.FromBase64(base64));
+        return SshSignature.parse(data);
+    }
+    static fromText(text) {
+        const base64 = text
+            .replace(/-----BEGIN SSH SIGNATURE-----/, '')
+            .replace(/-----END SSH SIGNATURE-----/, '')
+            .replace(/[\r\n\s]/g, '');
+        return SshSignature.fromBase64(base64);
+    }
+    serialize() {
+        return serializeSignature(this.blob);
+    }
+    toBase64() {
+        return buildExports.Convert.ToBase64(this.serialize());
+    }
+    toText() {
+        const base64 = this.toBase64();
+        const lines = [];
+        for (let i = 0; i < base64.length; i += 70) {
+            lines.push(base64.substring(i, i + 70));
+        }
+        return ['-----BEGIN SSH SIGNATURE-----', ...lines, '-----END SSH SIGNATURE-----'].join('\n');
+    }
+    async toSSH() {
+        return this.toText();
+    }
+    async verify(data, publicKey) {
+        const binding = AlgorithmRegistry.get(this.algorithm);
+        const cryptoKey = await publicKey['getCryptoKey']();
+        const crypto = getCrypto();
+        let dataToVerify = data;
+        if (this.format === 'ssh-signature') {
+            const hashAlg = this.hashAlgorithm || 'sha512';
+            const namespace = this.namespace || 'file';
+            const reserved = this.reserved || '';
+            const hashAlgorithm = hashAlg === 'sha256' ? 'SHA-256' : 'SHA-512';
+            const messageHash = await crypto.subtle.digest(hashAlgorithm, data);
+            const messageHashBytes = new Uint8Array(messageHash);
+            const writer = new SshWriter();
+            writer.writeBytes(new TextEncoder().encode('SSHSIG'));
+            writer.writeString(namespace);
+            writer.writeString(reserved);
+            writer.writeString(hashAlg);
+            writer.writeUint32(messageHashBytes.length);
+            writer.writeBytes(messageHashBytes);
+            dataToVerify = writer.toUint8Array();
+        }
+        let hashAlgorithm;
+        if (this.algorithm === 'rsa-sha2-256') {
+            hashAlgorithm = 'SHA-256';
+        }
+        else if (this.algorithm === 'rsa-sha2-512') {
+            hashAlgorithm = 'SHA-512';
+        }
+        let signatureToVerify;
+        if (this.format === 'legacy' || this.format === 'ssh-signature') {
+            const sigWriter = new SshWriter();
+            sigWriter.writeString(this.algorithm);
+            sigWriter.writeUint32(this.signature.length);
+            sigWriter.writeBytes(this.signature);
+            const wireFormatSignature = sigWriter.toUint8Array();
+            const decodedSig = binding.decodeSignature({
+                signature: wireFormatSignature,
+            });
+            signatureToVerify = decodedSig.signature;
+        }
+        else {
+            signatureToVerify = this.signature;
+        }
+        return binding.verify({
+            publicKey: cryptoKey,
+            signature: signatureToVerify,
+            data: dataToVerify,
+            crypto,
+            hash: hashAlgorithm,
+        });
+    }
+    static fromLegacy(algorithm, signature) {
+        const binding = AlgorithmRegistry.get(algorithm);
+        const encodedSignature = binding.encodeSignature({
+            signature,
+            algo: algorithm,
+        });
+        const sigReader = new SshReader(encodedSignature);
+        sigReader.readString();
+        const sigLength = sigReader.readUint32();
+        const signatureData = sigReader.readBytes(sigLength);
+        return new SshSignature({
+            format: 'legacy',
+            algorithm,
+            signature: signatureData,
+        });
+    }
+    static fromSshSignature(algorithm, signature, options = {}) {
+        const blob = {
+            format: 'ssh-signature',
+            algorithm,
+            signature,
+            version: options.version || 1,
+            publicKey: options.publicKey ? options.publicKey.getBlob().keyData : undefined,
+            namespace: options.namespace || 'file',
+            reserved: options.reserved || '',
+            hashAlgorithm: options.hashAlgorithm || 'sha512',
+        };
+        return new SshSignature(blob);
+    }
+    static async sign(algorithm, privateKey, data, options = {}) {
+        const { format = 'legacy', namespace = 'file' } = options;
+        if (format === 'legacy') {
+            const rawSignature = await privateKey.sign(algorithm, data);
+            const algorithmUsed = algorithm || privateKey.keyType;
+            return SshSignature.fromLegacy(algorithmUsed, rawSignature);
+        }
+        else {
+            const signatureAlgorithm = algorithm;
+            const binding = AlgorithmRegistry.get(signatureAlgorithm);
+            const hashAlgorithm = algorithm === 'rsa-sha2-256' ? 'sha256' : 'sha512';
+            const publicKey = await privateKey.getPublicKey();
+            const crypto = getCrypto();
+            const webCryptoHashAlg = hashAlgorithm === 'sha256' ? 'SHA-256' : 'SHA-512';
+            const messageHash = await crypto.subtle.digest(webCryptoHashAlg, data);
+            const messageHashBytes = new Uint8Array(messageHash);
+            const writer = new SshWriter();
+            writer.writeBytes(new TextEncoder().encode('SSHSIG'));
+            writer.writeString(namespace);
+            writer.writeString('');
+            writer.writeString(hashAlgorithm);
+            writer.writeUint32(messageHashBytes.length);
+            writer.writeBytes(messageHashBytes);
+            const dataToSign = writer.toUint8Array();
+            const rawSignature = await privateKey.sign(signatureAlgorithm, dataToSign);
+            const encodedSignature = binding.encodeSignature({
+                signature: rawSignature,
+                algo: signatureAlgorithm,
+            });
+            const sigReader = new SshReader(encodedSignature);
+            sigReader.readString();
+            const sigLength = sigReader.readUint32();
+            const signatureData = sigReader.readBytes(sigLength);
+            return SshSignature.fromSshSignature(signatureAlgorithm, signatureData, {
+                namespace,
+                hashAlgorithm,
+                publicKey,
+            });
+        }
+    }
+}
+
+let SshCertificate$1 = class SshCertificate extends SshObject {
+    static TYPE = 'certificate';
+    type = SshCertificate.TYPE;
+    _blob;
+    data;
+    _validAfter;
+    _validBefore;
+    keyId;
+    principals;
+    certType;
+    serial;
+    validAfter;
+    validBefore;
+    publicKey;
+    signatureKey;
+    criticalOptions;
+    extensions;
+    constructor(blob) {
+        super();
+        this._blob = blob;
+        this.data = parseCertificateData(blob.keyData);
+        this._validAfter = this.data.validAfter;
+        this._validBefore = this.data.validBefore;
+        this.keyId = this.data.keyId;
+        this.principals = this.data.validPrincipals;
+        this.certType = this.data.type;
+        this.serial = this.data.serial;
+        this.validAfter = new Date(Number(this.data.validAfter) * 1000);
+        this.validBefore = new Date(Number(this.data.validBefore) * 1000);
+        this.publicKey = new SshPublicKey(this.data.publicKey);
+        this.signatureKey = new SshPublicKey(this.data.signatureKey);
+        this.criticalOptions = { ...this.data.criticalOptions };
+        this.extensions = { ...this.data.extensions };
+    }
+    static async fromSSH(text) {
+        const blob = parse(text);
+        return new SshCertificate(blob);
+    }
+    static async fromBlob(blob) {
+        return new SshCertificate(blob);
+    }
+    async toSSH() {
+        return serialize(this._blob);
+    }
+    toBlob() {
+        return { ...this._blob };
+    }
+    get blob() {
+        return this.toBlob();
+    }
+    validate(date = new Date()) {
+        const ts = BigInt(Math.floor(date.getTime() / 1000));
+        const after = this._validAfter;
+        const before = this._validBefore;
+        const INFINITY = 0xffffffffffffffffn;
+        const upper = before === INFINITY ? ts : before;
+        return ts >= after && ts <= upper;
+    }
+    async verify(caPublicKey, crypto = getCrypto()) {
+        const verifyKey = caPublicKey || this.signatureKey;
+        const signedData = this.getSignedData();
+        const sshSignature = SshSignature.parse(this.data.signature);
+        const binding = AlgorithmRegistry.get(sshSignature.algorithm);
+        const cryptoKey = await verifyKey.toWebCrypto(crypto);
+        return binding.verify({
+            publicKey: cryptoKey,
+            signature: sshSignature.signature,
+            data: signedData,
+            crypto,
+        });
+    }
+    getSignedData() {
+        const reader = new SshReader(this._blob.keyData);
+        reader.readString();
+        reader.readBytes(reader.readUint32());
+        if (this.data.keyType === 'ssh-ed25519') {
+            reader.readBytes(reader.readUint32());
+        }
+        else if (this.data.keyType === 'ssh-rsa') {
+            reader.readBytes(reader.readUint32());
+            reader.readBytes(reader.readUint32());
+        }
+        else if (this.data.keyType.startsWith('ecdsa-sha2-')) {
+            reader.readString();
+            reader.readBytes(reader.readUint32());
+        }
+        reader.readUint64();
+        reader.readUint32();
+        reader.readBytes(reader.readUint32());
+        reader.readBytes(reader.readUint32());
+        reader.readUint64();
+        reader.readUint64();
+        reader.readBytes(reader.readUint32());
+        reader.readBytes(reader.readUint32());
+        reader.readBytes(reader.readUint32());
+        reader.readBytes(reader.readUint32());
+        const signedDataEnd = reader.getOffset();
+        return this._blob.keyData.slice(0, signedDataEnd);
+    }
+};
+
+var __classPrivateFieldSet = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _SshCertificate_cert;
+class SshCertificate {
+    constructor(raw) {
+        _SshCertificate_cert.set(this, void 0);
+        const blob = parse(raw.trim());
+        // @ts-expect-error - SshCertificateType is not a constructor
+        __classPrivateFieldSet(this, _SshCertificate_cert, new SshCertificate$1(blob), "f");
+        this.notBefore = __classPrivateFieldGet(this, _SshCertificate_cert, "f").validAfter;
+        this.notAfter = __classPrivateFieldGet(this, _SshCertificate_cert, "f").validBefore;
+        this.validity = dateDiff(this.notBefore, this.notAfter);
+        this.type = [__classPrivateFieldGet(this, _SshCertificate_cert, "f").blob.type, __classPrivateFieldGet(this, _SshCertificate_cert, "f").certType, __classPrivateFieldGet(this, _SshCertificate_cert, "f").type].join(' ');
+        this.serialNumber = __classPrivateFieldGet(this, _SshCertificate_cert, "f").serial.toString();
+        this.keyId = __classPrivateFieldGet(this, _SshCertificate_cert, "f").keyId;
+        this.principals = __classPrivateFieldGet(this, _SshCertificate_cert, "f").principals;
+        this.extensions = __classPrivateFieldGet(this, _SshCertificate_cert, "f").extensions;
+        this.criticalOptions = __classPrivateFieldGet(this, _SshCertificate_cert, "f").criticalOptions;
+    }
+    async parseSignatureKey() {
+        const key = await __classPrivateFieldGet(this, _SshCertificate_cert, "f").signatureKey.toWebCrypto();
+        const blob = __classPrivateFieldGet(this, _SshCertificate_cert, "f").signatureKey.getBlob();
+        const thumbprint = await __classPrivateFieldGet(this, _SshCertificate_cert, "f").signatureKey.thumbprint('sha256');
+        this.signatureKey = {
+            algorithm: key.algorithm.name,
+            type: blob.type,
+            value: await __classPrivateFieldGet(this, _SshCertificate_cert, "f").signatureKey.toSSH(),
+            thumbprint: buildExports.Convert.ToBase64(thumbprint),
+        };
+    }
+    async parsePublicKey() {
+        const key = await __classPrivateFieldGet(this, _SshCertificate_cert, "f").publicKey.toWebCrypto();
+        const blob = __classPrivateFieldGet(this, _SshCertificate_cert, "f").publicKey.getBlob();
+        const thumbprint = await __classPrivateFieldGet(this, _SshCertificate_cert, "f").publicKey.thumbprint('sha256');
+        this.publicKey = {
+            algorithm: key.algorithm.name,
+            type: blob.type,
+            value: await __classPrivateFieldGet(this, _SshCertificate_cert, "f").publicKey.toSSH(),
+            thumbprint: buildExports.Convert.ToBase64(thumbprint),
+        };
+    }
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    async toString(_format = 'pem') {
+        return __classPrivateFieldGet(this, _SshCertificate_cert, "f").toSSH();
+    }
+}
+_SshCertificate_cert = new WeakMap();
+
+export { OIDs as $, AsnData as A, id_pkcs9_at_extensionRequest as B, Certificate as C, Download as D, ECParameters as E, id_pkcs9_at_unstructuredName as F, id_pkcs9_at_challengePassword as G, id_ValuationRanking as H, InsuranceValue as I, id_InsuranceValue as J, id_WebGDPR as K, id_ActivityDescription as L, id_TypeRelationship as M, Name as N, id_DomainNameTechnicalOperator as O, PemConverter as P, id_DomainNameOwner as Q, RSAPublicKey as R, id_DomainNameLegalRepresentative as S, TypeRelationship as T, UnstructuredName as U, ValuationRanking as V, WebGDPR as W, id_DomainNameBeneficiary as X, CertificationRequest as Y, l10n as Z, dateShort as _, dateDiff as a, id_ce_subjectDirectoryAttributes as a$, OctetString as a0, ByteStream as a1, SignedCertificateTimestamp as a2, Extension$1 as a3, CabforganizationIdentifier as a4, NonStandardKeyDescription as a5, BaseCRLNumber as a6, CRLNumber as a7, SubjectInfoAccessSyntax as a8, TNAuthorizationList as a9, IssuingDistributionPoint as aA, CRLDistributionPoints as aB, CertificatePolicies as aC, CertificateIssuer as aD, BasicConstraints as aE, AuthorityKeyIdentifier as aF, AuthorityInfoAccessSyntax as aG, id_cabforganizationIdentifier as aH, id_ce_keyDescription as aI, id_ce_deltaCRLIndicator as aJ, id_ce_cRLNumber as aK, id_pe_subjectInfoAccess as aL, id_pe_TNAuthList as aM, id_pe_biometricInfo as aN, id_entrust_entrustVersInfo as aO, id_ce_privateKeyUsagePeriod as aP, id_adbe_archiveRevInfo as aQ, id_adbe_timestamp as aR, id_role as aS, id_lei as aT, id_caVersion as aU, id_netscapeCertType as aV, id_netscapeComment as aW, id_enrollCertType as aX, id_certificateTemplate as aY, id_pe_qcStatements as aZ, id_ce_subjectKeyIdentifier as a_, LogotypeExtn as aa, BiometricSyntax as ab, EntrustVersionInfo as ac, PrivateKeyUsagePeriod as ad, ArchiveRevInfo as ae, Timestamp as af, LeiRole as ag, LeiChoice as ah, CaVersion as ai, NetscapeCertType as aj, NetscapeComment as ak, EnrollCertTypeChoice as al, CertificateTemplate as am, QCStatements as an, SubjectKeyIdentifier as ao, SubjectDirectoryAttributes as ap, SubjectAlternativeName as aq, PolicyMappings as ar, PolicyConstraints as as, NameConstraints as at, KeyUsage as au, IssueAlternativeName as av, InvalidityDate as aw, InhibitAnyPolicy as ax, ExtendedKeyUsage as ay, CRLReason as az, buildExports as b, id_ce_subjectAltName as b0, id_ce_policyMappings as b1, id_ce_policyConstraints as b2, id_ce_nameConstraints as b3, id_ce_keyUsage as b4, id_ce_issuerAltName as b5, id_ce_invalidityDate as b6, id_ce_inhibitAnyPolicy as b7, id_ce_extKeyUsage as b8, id_ce_cRLReasons as b9, AsnIntegerArrayBufferConverter as bA, AttestationApplicationId as bB, RootOfTrust as bC, IntegerSet as bD, id_ce_issuingDistributionPoint as ba, id_ce_cRLDistributionPoints as bb, id_ce_certificatePolicies as bc, id_ce_certificateIssuer as bd, id_ce_basicConstraints as be, id_ce_authorityKeyIdentifier as bf, id_pe_authorityInfoAccess as bg, SignedData as bh, EncapsulatedContent as bi, CertificateSet as bj, CertificateChoices as bk, ContentInfo as bl, SshCertificate as bm, Name$1 as bn, OtherName as bo, DisplayText as bp, UserNotice as bq, EDIPartyName as br, __decorate$1 as bs, AsnProp as bt, AsnPropTypes as bu, AsnType as bv, AsnTypeTypes as bw, AsnArray as bx, id_qcs_pkixQCSyntax_v2 as by, SemanticsInformation as bz, certificateRawToBuffer as c, downloadFromBuffer as d, AsnConvert as e, id_rsaEncryption as f, id_composite_key as g, CompositePublicKey as h, id_ecPublicKey as i, id_alg_composite as j, CompositeSignatureValue as k, CompositeParams as l, getCertificateThumbprint as m, AttributeCertificate as n, CertificateList as o, Attribute$1 as p, AsnParser as q, PrivateKeyPossessionStatement as r, ExtensionRequest as s, ChallengePassword as t, ActivityDescription as u, DomainNameTechnicalOperator as v, DomainNameOwner as w, DomainNameLegalRepresentative as x, DomainNameBeneficiary as y, id_at_statementOfPossession as z };
+//# sourceMappingURL=ssh_certificate-Ct-r021h.js.map
 
-//# sourceMappingURL=certification_request-PeMaLTUD.js.map
+//# sourceMappingURL=ssh_certificate-Ct-r021h.js.map