@peculiar/certificates-viewer 4.7.0 → 4.7.1-alpha.1

package/dist/cjs/{certification_request-DISQwgjn.js → ssh_certificate-s3-rwdMT.js}

@@ -6767,6 +6767,10 @@ const crlEntryExtensions = "CRL Entry Extensions";
 const previewCertificate = "Preview certificate";
 const viewDetails = "View details";
 const downloadOptions = "Download options";
+const keyId = "Key ID";
+const principals = "Principals";
+const criticalOptions = "Critical Options";
+const signingCA = "Signing CA";
 var en = {
 	basicInformation: basicInformation,
 	subjectName: subjectName,
@@ -6814,7 +6818,11 @@ var en = {
 	crlEntryExtensions: crlEntryExtensions,
 	previewCertificate: previewCertificate,
 	viewDetails: viewDetails,
-	downloadOptions: downloadOptions
+	downloadOptions: downloadOptions,
+	keyId: keyId,
+	principals: principals,
+	criticalOptions: criticalOptions,
+	signingCA: signingCA
 };
 
 /**
@@ -9234,13 +9242,13 @@ const OIDs = {
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.
  */
-var __classPrivateFieldSet$1 = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+var __classPrivateFieldSet$2 = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
     if (kind === "m") throw new TypeError("Private method is not writable");
     if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
     return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
 };
-var __classPrivateFieldGet$1 = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+var __classPrivateFieldGet$2 = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
     if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
@@ -9250,15 +9258,15 @@ class Name {
     constructor(data) {
         _Name_asn.set(this, new exports.Name$1());
         if (buildExports.BufferSourceConverter.isBufferSource(data)) {
-            __classPrivateFieldSet$1(this, _Name_asn, AsnParser.parse(data, exports.Name$1), "f");
+            __classPrivateFieldSet$2(this, _Name_asn, AsnParser.parse(data, exports.Name$1), "f");
         }
         else {
-            __classPrivateFieldSet$1(this, _Name_asn, data, "f");
+            __classPrivateFieldSet$2(this, _Name_asn, data, "f");
         }
     }
     toJSON() {
         const res = [];
-        __classPrivateFieldGet$1(this, _Name_asn, "f").forEach((o) => (o.forEach((a) => {
+        __classPrivateFieldGet$2(this, _Name_asn, "f").forEach((o) => (o.forEach((a) => {
             res.push({
                 type: a.type,
                 name: OIDs[a.type],
@@ -10799,13 +10807,13 @@ __decorate([
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.
  */
-var __classPrivateFieldSet = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+var __classPrivateFieldSet$1 = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
     if (kind === "m") throw new TypeError("Private method is not writable");
     if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
     return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
 };
-var __classPrivateFieldGet = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+var __classPrivateFieldGet$1 = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
     if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
@@ -10818,20 +10826,20 @@ class AsnData {
         _AsnData_raw.set(this, void 0);
         if (args.length === 1) {
             // asn
-            __classPrivateFieldSet(this, _AsnData_asn, args[0], "f");
-            __classPrivateFieldSet(this, _AsnData_raw, AsnConvert.serialize(__classPrivateFieldGet(this, _AsnData_asn, "f")), "f");
+            __classPrivateFieldSet$1(this, _AsnData_asn, args[0], "f");
+            __classPrivateFieldSet$1(this, _AsnData_raw, AsnConvert.serialize(__classPrivateFieldGet$1(this, _AsnData_asn, "f")), "f");
         }
         else {
             // raw, type
-            __classPrivateFieldSet(this, _AsnData_asn, AsnConvert.parse(args[0], args[1]), "f");
-            __classPrivateFieldSet(this, _AsnData_raw, buildExports.BufferSourceConverter.toArrayBuffer(args[0]), "f");
+            __classPrivateFieldSet$1(this, _AsnData_asn, AsnConvert.parse(args[0], args[1]), "f");
+            __classPrivateFieldSet$1(this, _AsnData_raw, buildExports.BufferSourceConverter.toArrayBuffer(args[0]), "f");
         }
     }
     get asn() {
-        return __classPrivateFieldGet(this, _AsnData_asn, "f");
+        return __classPrivateFieldGet$1(this, _AsnData_asn, "f");
     }
     get raw() {
-        return __classPrivateFieldGet(this, _AsnData_raw, "f");
+        return __classPrivateFieldGet$1(this, _AsnData_raw, "f");
     }
 }
 _AsnData_asn = new WeakMap(), _AsnData_raw = new WeakMap();
@@ -12697,6 +12705,1645 @@ __decorate$1([
     AsnProp({ type: exports.AsnPropTypes.BitString })
 ], CertificationRequest.prototype, "signature", void 0);
 
+let globalCrypto = globalThis.crypto;
+function getCrypto() {
+    return globalCrypto;
+}
+
+class SshError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.code = code;
+        this.name = this.constructor.name;
+        if (Error.captureStackTrace) {
+            Error.captureStackTrace(this, this.constructor);
+        }
+    }
+}
+class UnsupportedAlgorithmError extends SshError {
+    constructor(algorithm, supportedAlgorithms) {
+        const supported = supportedAlgorithms ? ` Supported: ${supportedAlgorithms.join(', ')}` : '';
+        super(`Unsupported algorithm: ${algorithm}.${supported}`, 'UNSUPPORTED_ALGORITHM');
+    }
+}
+class InvalidFormatError extends SshError {
+    constructor(format, expectedFormat) {
+        const expected = expectedFormat ? ` Expected: ${expectedFormat}` : '';
+        super(`Invalid format: ${format}.${expected}`, 'INVALID_FORMAT');
+    }
+}
+class UnsupportedKeyTypeError extends SshError {
+    constructor(keyType, supportedTypes) {
+        const supported = supportedTypes ? ` Supported: ${supportedTypes.join(', ')}` : '';
+        super(`Unsupported key type: ${keyType}.${supported}`, 'UNSUPPORTED_KEY_TYPE');
+    }
+}
+class InvalidPrivateKeyFormatError extends SshError {
+    constructor(details) {
+        const message = details
+            ? `Invalid SSH private key format: ${details}`
+            : 'Invalid SSH private key format';
+        super(message, 'INVALID_PRIVATE_KEY_FORMAT');
+    }
+}
+class EncryptedKeyNotSupportedError extends SshError {
+    constructor(cipher) {
+        const message = cipher
+            ? `Encrypted SSH private keys are not supported (cipher: ${cipher})`
+            : 'Encrypted SSH private keys are not supported';
+        super(message, 'ENCRYPTED_KEY_NOT_SUPPORTED');
+    }
+}
+class InvalidKeyDataError extends SshError {
+    constructor(details) {
+        const message = details ? `Invalid key data: ${details}` : 'Invalid key data';
+        super(message, 'INVALID_KEY_DATA');
+    }
+}
+class UnexpectedEOFError extends SshError {
+    constructor(expected, actual) {
+        const details = expected !== undefined && actual !== undefined
+            ? ` Expected ${expected} bytes, got ${actual}`
+            : '';
+        super(`Unexpected end of data${details}`, 'UNEXPECTED_EOF');
+    }
+}
+
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+
+class SshReader {
+    buffer;
+    offset;
+    constructor(data) {
+        this.buffer = data;
+        this.offset = 0;
+    }
+    readUint8() {
+        if (this.offset >= this.buffer.length) {
+            throw new UnexpectedEOFError(1, 0);
+        }
+        return this.buffer[this.offset++];
+    }
+    readUint32() {
+        const value = (this.readUint8() << 24) |
+            (this.readUint8() << 16) |
+            (this.readUint8() << 8) |
+            this.readUint8();
+        return value >>> 0;
+    }
+    readUint64() {
+        const high = this.readUint32();
+        const low = this.readUint32();
+        return (BigInt(high) << 32n) | BigInt(low);
+    }
+    readBytes(length) {
+        if (length < 0) {
+            throw new InvalidFormatError(`Invalid length: ${length}`);
+        }
+        if (this.offset + length > this.buffer.length) {
+            throw new UnexpectedEOFError(length, this.buffer.length - this.offset);
+        }
+        const result = this.buffer.subarray(this.offset, this.offset + length);
+        this.offset += length;
+        return result;
+    }
+    readString() {
+        const length = this.readUint32();
+        const bytes = this.readBytes(length);
+        return decoder.decode(bytes);
+    }
+    peekString(length) {
+        if (this.offset + length > this.buffer.length) {
+            throw new UnexpectedEOFError(length, this.buffer.length - this.offset);
+        }
+        const bytes = this.buffer.subarray(this.offset, this.offset + length);
+        return decoder.decode(bytes);
+    }
+    readMpInt(sshEncoding = false) {
+        const length = this.readUint32();
+        const bytes = this.readBytes(length);
+        if (sshEncoding && bytes.length > 1 && bytes[0] === 0x00) {
+            return bytes.subarray(1);
+        }
+        return bytes;
+    }
+    readMpIntSsh() {
+        return this.readMpInt(true);
+    }
+    remaining() {
+        return this.buffer.length - this.offset;
+    }
+    getOffset() {
+        return this.offset;
+    }
+    seek(offset) {
+        if (offset < 0 || offset > this.buffer.length) {
+            throw new InvalidFormatError(`Invalid offset: ${offset}. Buffer length: ${this.buffer.length}`);
+        }
+        this.offset = offset;
+    }
+}
+
+class SshWriter {
+    buffer;
+    offset;
+    constructor(initialSize = 1024) {
+        this.buffer = new Uint8Array(initialSize);
+        this.offset = 0;
+    }
+    ensureCapacity(additional) {
+        const required = this.offset + additional;
+        if (required > this.buffer.length) {
+            const newSize = Math.max(required, this.buffer.length * 2);
+            const newBuffer = new Uint8Array(newSize);
+            newBuffer.set(this.buffer.subarray(0, this.offset));
+            this.buffer = newBuffer;
+        }
+    }
+    reserve(minCapacity) {
+        if (minCapacity > this.buffer.length) {
+            const newBuffer = new Uint8Array(minCapacity);
+            newBuffer.set(this.buffer.subarray(0, this.offset));
+            this.buffer = newBuffer;
+        }
+    }
+    writeUint8(value) {
+        this.ensureCapacity(1);
+        this.buffer[this.offset++] = value & 0xff;
+    }
+    writeUint32(value) {
+        this.ensureCapacity(4);
+        this.buffer[this.offset++] = (value >>> 24) & 0xff;
+        this.buffer[this.offset++] = (value >>> 16) & 0xff;
+        this.buffer[this.offset++] = (value >>> 8) & 0xff;
+        this.buffer[this.offset++] = value & 0xff;
+    }
+    writeUint64(value) {
+        this.ensureCapacity(8);
+        const high = Number(value >> 32n);
+        const low = Number(value & 0xffffffffn);
+        this.writeUint32(high);
+        this.writeUint32(low);
+    }
+    writeBytes(data) {
+        this.ensureCapacity(data.length);
+        this.buffer.set(data, this.offset);
+        this.offset += data.length;
+    }
+    writeString(value) {
+        const bytes = encoder.encode(value);
+        this.writeUint32(bytes.length);
+        this.writeBytes(bytes);
+    }
+    writeMpInt(value, sshEncoding = false) {
+        if (sshEncoding && value.length > 0 && (value[0] & 0x80) !== 0) {
+            const paddedBytes = new Uint8Array(value.length + 1);
+            paddedBytes[0] = 0x00;
+            paddedBytes.set(value, 1);
+            this.writeUint32(paddedBytes.length);
+            this.writeBytes(paddedBytes);
+        }
+        else {
+            this.writeUint32(value.length);
+            this.writeBytes(value);
+        }
+    }
+    writeMpIntSsh(value) {
+        this.writeMpInt(value, true);
+    }
+    toUint8Array() {
+        return this.buffer.subarray(0, this.offset);
+    }
+    getOffset() {
+        return this.offset;
+    }
+    seek(offset) {
+        if (offset < 0 || offset > this.buffer.length) {
+            throw new InvalidFormatError('Invalid offset');
+        }
+        this.offset = offset;
+    }
+}
+
+class RsaBinding {
+    hash = 'SHA-256';
+    constructor(hash = 'SHA-256') {
+        this.hash = hash;
+    }
+    async importPublicSsh(params) {
+        const { blob, crypto } = params;
+        const reader = new SshReader(blob);
+        reader.readString();
+        const e = reader.readMpInt(true);
+        const n = reader.readMpInt(true);
+        const jwk = {
+            kty: 'RSA',
+            n: buildExports.Convert.ToBase64Url(n),
+            e: buildExports.Convert.ToBase64Url(e),
+        };
+        return crypto.subtle.importKey('jwk', jwk, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: this.hash,
+        }, true, ['verify']);
+    }
+    async exportPublicSsh(params) {
+        const { publicKey, crypto } = params;
+        const jwk = await crypto.subtle.exportKey('jwk', publicKey);
+        if (!jwk.n || !jwk.e) {
+            throw new InvalidKeyDataError('RSA JWK missing required parameters (n, e)');
+        }
+        const n = buildExports.BufferSourceConverter.toUint8Array(buildExports.Convert.FromBase64Url(jwk.n));
+        const e = buildExports.BufferSourceConverter.toUint8Array(buildExports.Convert.FromBase64Url(jwk.e));
+        const writer = new SshWriter();
+        writer.writeString('ssh-rsa');
+        writer.writeMpInt(e, true);
+        writer.writeMpInt(n, true);
+        return writer.toUint8Array();
+    }
+    async importPublicSpki(params) {
+        const { spki, crypto } = params;
+        return crypto.subtle.importKey('spki', spki, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: this.hash,
+        }, true, ['verify']);
+    }
+    async exportPublicSpki(params) {
+        const { publicKey, crypto } = params;
+        const spki = await crypto.subtle.exportKey('spki', publicKey);
+        return buildExports.BufferSourceConverter.toUint8Array(spki);
+    }
+    async importPrivatePkcs8(params) {
+        const { pkcs8, crypto } = params;
+        return crypto.subtle.importKey('pkcs8', pkcs8, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: this.hash,
+        }, true, ['sign']);
+    }
+    async exportPrivatePkcs8(params) {
+        const { privateKey, crypto } = params;
+        const pkcs8 = await crypto.subtle.exportKey('pkcs8', privateKey);
+        return buildExports.BufferSourceConverter.toUint8Array(pkcs8);
+    }
+    async importPrivateSsh(params) {
+        const { sshKey, crypto } = params;
+        const base64Data = sshKey
+            .replace(/-----BEGIN OPENSSH PRIVATE KEY-----/, '')
+            .replace(/-----END OPENSSH PRIVATE KEY-----/, '')
+            .replace(/\s/g, '');
+        const binaryData = buildExports.Convert.FromBase64(base64Data);
+        const reader = new SshReader(buildExports.BufferSourceConverter.toUint8Array(binaryData));
+        const magic = reader.readBytes(15);
+        if (buildExports.Convert.ToHex(magic) !== '6f70656e7373682d6b65792d763100') {
+            throw new InvalidPrivateKeyFormatError('invalid magic string');
+        }
+        const _cipherName = reader.readString();
+        reader.readString();
+        reader.readString();
+        if (_cipherName !== 'none') {
+            throw new EncryptedKeyNotSupportedError(_cipherName);
+        }
+        const numKeys = reader.readUint32();
+        if (numKeys !== 1) {
+            throw new InvalidPrivateKeyFormatError('multiple keys not supported');
+        }
+        const publicKeyLength = reader.readUint32();
+        reader.readBytes(publicKeyLength);
+        const privateKeyLength = reader.readUint32();
+        const privateKeyData = reader.readBytes(privateKeyLength);
+        const privateReader = new SshReader(privateKeyData);
+        const checkint1 = privateReader.readUint32();
+        const checkint2 = privateReader.readUint32();
+        if (checkint1 !== checkint2) {
+            throw new InvalidPrivateKeyFormatError('invalid checkints');
+        }
+        privateReader.readString();
+        const n = privateReader.readMpInt(true);
+        const e = privateReader.readMpInt(true);
+        const d = privateReader.readMpInt(true);
+        const iqmp = privateReader.readMpInt(true);
+        const p = privateReader.readMpInt(true);
+        const q = privateReader.readMpInt(true);
+        privateReader.readString();
+        const dBig = BigInt('0x' + buildExports.Convert.ToHex(d));
+        const pBig = BigInt('0x' + buildExports.Convert.ToHex(p));
+        const qBig = BigInt('0x' + buildExports.Convert.ToHex(q));
+        const dpBig = dBig % (pBig - 1n);
+        const dqBig = dBig % (qBig - 1n);
+        const dpBytes = buildExports.Convert.FromHex(dpBig.toString(16).padStart(p.length * 2, '0'));
+        const dqBytes = buildExports.Convert.FromHex(dqBig.toString(16).padStart(q.length * 2, '0'));
+        const jwk = {
+            kty: 'RSA',
+            n: buildExports.Convert.ToBase64Url(n),
+            e: buildExports.Convert.ToBase64Url(e),
+            d: buildExports.Convert.ToBase64Url(d),
+            p: buildExports.Convert.ToBase64Url(p),
+            q: buildExports.Convert.ToBase64Url(q),
+            dp: buildExports.Convert.ToBase64Url(dpBytes),
+            dq: buildExports.Convert.ToBase64Url(dqBytes),
+            qi: buildExports.Convert.ToBase64Url(iqmp),
+        };
+        return crypto.subtle.importKey('jwk', jwk, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: this.hash,
+        }, true, ['sign']);
+    }
+    async exportPrivateSsh(params) {
+        const { privateKey, crypto, jwk: providedJwk } = params;
+        const jwk = providedJwk || (await crypto.subtle.exportKey('jwk', privateKey));
+        if (!jwk.n || !jwk.e || !jwk.d || !jwk.p || !jwk.q) {
+            throw new InvalidKeyDataError('RSA JWK missing required parameters');
+        }
+        const n = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.n));
+        const e = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.e));
+        const d = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.d));
+        const p = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.p));
+        const q = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.q));
+        const qi = jwk.qi ? new Uint8Array(buildExports.Convert.FromBase64Url(jwk.qi)) : new Uint8Array();
+        const writer = new SshWriter();
+        writer.writeString('ssh-rsa');
+        writer.writeMpInt(n, true);
+        writer.writeMpInt(e, true);
+        writer.writeMpInt(d, true);
+        writer.writeMpInt(qi, true);
+        writer.writeMpInt(p, true);
+        writer.writeMpInt(q, true);
+        return writer.toUint8Array();
+    }
+    async sign(params) {
+        const { privateKey, data, crypto, hash } = params;
+        if (hash && hash !== this.hash) {
+            throw new InvalidKeyDataError(`Hash ${hash} not supported for this RSA algorithm`);
+        }
+        if (!privateKey.extractable) {
+            throw new InvalidKeyDataError('Private key is not extractable');
+        }
+        const pkcs8 = await this.exportPrivatePkcs8({ privateKey, crypto });
+        const keyToUse = await this.importPrivatePkcs8({ pkcs8: new Uint8Array(pkcs8), crypto });
+        const signature = await crypto.subtle.sign('RSASSA-PKCS1-v1_5', keyToUse, data);
+        return buildExports.BufferSourceConverter.toUint8Array(signature);
+    }
+    async verify(params) {
+        const { publicKey, signature, data, crypto, hash } = params;
+        if (hash && hash !== this.hash) {
+            return false;
+        }
+        if (!publicKey.extractable) {
+            throw new InvalidKeyDataError('Public key is not extractable');
+        }
+        const spki = await this.exportPublicSpki({ publicKey, crypto });
+        const keyToUse = await this.importPublicSpki({ spki: new Uint8Array(spki), crypto });
+        return crypto.subtle.verify('RSASSA-PKCS1-v1_5', keyToUse, signature, data);
+    }
+    encodeSignature(params) {
+        const { signature, algo } = params;
+        const writer = new SshWriter();
+        writer.writeString(algo);
+        writer.writeUint32(signature.byteLength);
+        writer.writeBytes(signature);
+        return writer.toUint8Array();
+    }
+    decodeSignature(params) {
+        const { signature } = params;
+        const reader = new SshReader(signature);
+        const algo = reader.readString();
+        const sigLength = reader.readUint32();
+        const sig = reader.readBytes(sigLength);
+        return { signature: sig, algo };
+    }
+    supportsCryptoKey(cryptoKey) {
+        return cryptoKey.algorithm.name === 'RSASSA-PKCS1-v1_5';
+    }
+    parsePublicKey(reader) {
+        const publicKeyExponent = reader.readBytes(reader.readUint32());
+        const publicKeyModulus = reader.readBytes(reader.readUint32());
+        const writer = new SshWriter();
+        writer.writeString('ssh-rsa');
+        writer.writeMpInt(publicKeyExponent);
+        writer.writeMpInt(publicKeyModulus);
+        return {
+            type: 'ssh-rsa',
+            keyData: writer.toUint8Array(),
+        };
+    }
+    writePublicKey(writer, publicKey) {
+        const publicKeyReader = new SshReader(publicKey.keyData);
+        publicKeyReader.readString();
+        const e = publicKeyReader.readMpInt();
+        const n = publicKeyReader.readMpInt();
+        writer.writeUint32(e.length);
+        writer.writeBytes(e);
+        writer.writeUint32(n.length);
+        writer.writeBytes(n);
+    }
+    getCertificateType() {
+        return 'ssh-rsa-cert-v01@openssh.com';
+    }
+    getSignatureAlgo() {
+        return this.hash === 'SHA-256' ? 'rsa-sha2-256' : 'rsa-sha2-512';
+    }
+}
+
+class EcdsaBinding {
+    curveName;
+    sshType;
+    namedCurve;
+    constructor(curveName, sshType, namedCurve) {
+        this.curveName = curveName;
+        this.sshType = sshType;
+        this.namedCurve = namedCurve;
+    }
+    getHashAlgorithm() {
+        switch (this.namedCurve) {
+            case 'P-256':
+                return 'SHA-256';
+            case 'P-384':
+                return 'SHA-384';
+            case 'P-521':
+                return 'SHA-512';
+            default:
+                return 'SHA-256';
+        }
+    }
+    getExpectedLength() {
+        switch (this.namedCurve) {
+            case 'P-256':
+                return 32;
+            case 'P-384':
+                return 48;
+            case 'P-521':
+                return 66;
+            default:
+                return 32;
+        }
+    }
+    getSignatureCoordLength() {
+        return this.getExpectedLength();
+    }
+    async importPublicSsh(params) {
+        const { blob, crypto } = params;
+        const reader = new SshReader(blob);
+        reader.readString();
+        const curve = reader.readString();
+        if (curve !== this.curveName) {
+            throw new InvalidKeyDataError(`ECDSA curve name ${curve}, expected ${this.curveName}`);
+        }
+        const q = reader.readMpInt();
+        const coordLength = Math.floor((q.length - 1) / 2);
+        const jwk = {
+            kty: 'EC',
+            crv: this.namedCurve,
+            x: buildExports.Convert.ToBase64Url(q.slice(1, 1 + coordLength)),
+            y: buildExports.Convert.ToBase64Url(q.slice(1 + coordLength)),
+        };
+        return crypto.subtle.importKey('jwk', jwk, {
+            name: 'ECDSA',
+            namedCurve: this.namedCurve,
+        }, true, ['verify']);
+    }
+    async exportPublicSsh(params) {
+        const { publicKey, crypto } = params;
+        const jwk = await crypto.subtle.exportKey('jwk', publicKey);
+        if (!jwk.x || !jwk.y) {
+            throw new InvalidKeyDataError('ECDSA JWK missing x or y parameters');
+        }
+        const x = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.x));
+        const y = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.y));
+        const q = new Uint8Array(1 + x.length + y.length);
+        q[0] = 0x04;
+        q.set(x, 1);
+        q.set(y, 1 + x.length);
+        const writer = new SshWriter();
+        writer.writeString(this.sshType);
+        writer.writeString(this.curveName);
+        writer.writeMpInt(q);
+        return writer.toUint8Array();
+    }
+    async importPublicSpki(params) {
+        const { spki, crypto } = params;
+        return crypto.subtle.importKey('spki', spki, {
+            name: 'ECDSA',
+            namedCurve: this.namedCurve,
+        }, true, ['verify']);
+    }
+    async exportPublicSpki(params) {
+        const { publicKey, crypto } = params;
+        const spki = await crypto.subtle.exportKey('spki', publicKey);
+        return buildExports.BufferSourceConverter.toUint8Array(spki);
+    }
+    async importPrivatePkcs8(params) {
+        const { pkcs8, crypto } = params;
+        return crypto.subtle.importKey('pkcs8', pkcs8, {
+            name: 'ECDSA',
+            namedCurve: this.namedCurve,
+        }, true, ['sign']);
+    }
+    async exportPrivatePkcs8(params) {
+        const { privateKey, crypto } = params;
+        const pkcs8 = await crypto.subtle.exportKey('pkcs8', privateKey);
+        return buildExports.BufferSourceConverter.toUint8Array(pkcs8);
+    }
+    async exportPrivateSsh(params) {
+        const { privateKey, crypto, jwk: providedJwk } = params;
+        const jwk = providedJwk || (await crypto.subtle.exportKey('jwk', privateKey));
+        if (!jwk.d || !jwk.x || !jwk.y) {
+            throw new InvalidKeyDataError('ECDSA private key JWK missing required parameters');
+        }
+        const x = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.x));
+        const y = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.y));
+        const d = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.d));
+        const publicPoint = new Uint8Array(1 + x.length + y.length);
+        publicPoint[0] = 0x04;
+        publicPoint.set(x, 1);
+        publicPoint.set(y, 1 + x.length);
+        const writer = new SshWriter();
+        writer.writeString(this.sshType);
+        writer.writeString(this.curveName);
+        writer.writeMpInt(publicPoint);
+        writer.writeMpInt(d);
+        return writer.toUint8Array();
+    }
+    async importPrivateSsh(params) {
+        const { sshKey, crypto } = params;
+        const base64Data = sshKey
+            .replace(/-----BEGIN OPENSSH PRIVATE KEY-----/, '')
+            .replace(/-----END OPENSSH PRIVATE KEY-----/, '')
+            .replace(/\s/g, '');
+        const binaryData = buildExports.Convert.FromBase64(base64Data);
+        const reader = new SshReader(buildExports.BufferSourceConverter.toUint8Array(binaryData));
+        const magic = reader.readBytes(15);
+        if (buildExports.Convert.ToHex(magic) !== '6f70656e7373682d6b65792d763100') {
+            throw new InvalidPrivateKeyFormatError('invalid magic string');
+        }
+        const _cipherName = reader.readString();
+        reader.readString();
+        reader.readString();
+        if (_cipherName !== 'none') {
+            throw new EncryptedKeyNotSupportedError(_cipherName);
+        }
+        const numKeys = reader.readUint32();
+        if (numKeys !== 1) {
+            throw new InvalidPrivateKeyFormatError('multiple keys not supported');
+        }
+        const publicKeyLength = reader.readUint32();
+        reader.readBytes(publicKeyLength);
+        const privateKeyLength = reader.readUint32();
+        const privateKeyData = reader.readBytes(privateKeyLength);
+        const privateReader = new SshReader(privateKeyData);
+        const checkint1 = privateReader.readUint32();
+        const checkint2 = privateReader.readUint32();
+        if (checkint1 !== checkint2) {
+            throw new InvalidPrivateKeyFormatError('invalid checkints');
+        }
+        privateReader.readString();
+        privateReader.readString();
+        const publicKeyPoint = privateReader.readMpInt();
+        const privateKeyValue = privateReader.readMpInt();
+        privateReader.readString();
+        if (publicKeyPoint[0] !== 0x04) {
+            throw new InvalidKeyDataError('invalid ECDSA public key point format');
+        }
+        const coordLength = Math.floor((publicKeyPoint.length - 1) / 2);
+        const x = publicKeyPoint.slice(1, 1 + coordLength);
+        const y = publicKeyPoint.slice(1 + coordLength);
+        const jwk = {
+            kty: 'EC',
+            crv: this.namedCurve,
+            x: buildExports.Convert.ToBase64Url(x),
+            y: buildExports.Convert.ToBase64Url(y),
+            d: buildExports.Convert.ToBase64Url(privateKeyValue),
+        };
+        return crypto.subtle.importKey('jwk', jwk, {
+            name: 'ECDSA',
+            namedCurve: this.namedCurve,
+        }, true, ['sign']);
+    }
+    async sign(params) {
+        const { privateKey, data, crypto, hash } = params;
+        const expectedHash = this.getHashAlgorithm();
+        if (hash && hash !== expectedHash) {
+            throw new InvalidKeyDataError(`ECDSA ${this.namedCurve} requires ${expectedHash}, got ${hash}`);
+        }
+        const signature = await crypto.subtle.sign({
+            name: 'ECDSA',
+            hash: expectedHash,
+        }, privateKey, data);
+        return buildExports.BufferSourceConverter.toUint8Array(signature);
+    }
+    async verify(params) {
+        const { publicKey, signature, data, crypto, hash } = params;
+        const expectedHash = this.getHashAlgorithm();
+        if (hash && hash !== expectedHash) {
+            throw new InvalidKeyDataError(`ECDSA ${this.namedCurve} requires ${expectedHash}, got ${hash}`);
+        }
+        return crypto.subtle.verify({
+            name: 'ECDSA',
+            hash: expectedHash,
+        }, publicKey, signature, data);
+    }
+    encodeSignature(params) {
+        const { signature, algo } = params;
+        if (algo.startsWith('ecdsa-sha2-')) {
+            const coordLength = this.getSignatureCoordLength();
+            const r = signature.subarray(0, coordLength);
+            const s = signature.subarray(coordLength);
+            const writer = new SshWriter();
+            writer.writeString(algo);
+            const sigWriter = new SshWriter();
+            sigWriter.writeMpInt(r, true);
+            sigWriter.writeMpInt(s, true);
+            const sigData = sigWriter.toUint8Array();
+            writer.writeUint32(sigData.length);
+            writer.writeBytes(sigData);
+            return writer.toUint8Array();
+        }
+        const writer = new SshWriter();
+        writer.writeString(algo);
+        writer.writeUint32(signature.byteLength);
+        writer.writeBytes(signature);
+        return writer.toUint8Array();
+    }
+    decodeSignature(params) {
+        const { signature } = params;
+        const reader = new SshReader(signature);
+        const algo = reader.readString();
+        const sigLength = reader.readUint32();
+        const sig = reader.readBytes(sigLength);
+        if (algo.startsWith('ecdsa-sha2-')) {
+            const sigReader = new SshReader(sig);
+            let r = sigReader.readMpInt();
+            let s = sigReader.readMpInt();
+            if (r[0] === 0x00 && r.length > 1 && (r[1] & 0x80) === 0) {
+                r = r.slice(1);
+            }
+            if (s[0] === 0x00 && s.length > 1 && (s[1] & 0x80) === 0) {
+                s = s.slice(1);
+            }
+            const expectedLength = this.getExpectedLength();
+            const rPadded = new Uint8Array(expectedLength);
+            const sPadded = new Uint8Array(expectedLength);
+            if (r.length <= expectedLength) {
+                rPadded.set(r, expectedLength - r.length);
+            }
+            else {
+                rPadded.set(r.slice(r.length - expectedLength), 0);
+            }
+            if (s.length <= expectedLength) {
+                sPadded.set(s, expectedLength - s.length);
+            }
+            else {
+                sPadded.set(s.slice(s.length - expectedLength), 0);
+            }
+            const rawSignature = new Uint8Array([...rPadded, ...sPadded]);
+            return { signature: rawSignature, algo };
+        }
+        return { signature: sig, algo };
+    }
+    supportsCryptoKey(cryptoKey) {
+        return (cryptoKey.algorithm.name === 'ECDSA' &&
+            cryptoKey.algorithm.namedCurve === this.namedCurve);
+    }
+    parsePublicKey(reader) {
+        const curveName = reader.readString();
+        if (curveName !== this.curveName) {
+            throw new InvalidKeyDataError(`ECDSA certificate curve name ${curveName}, expected ${this.curveName}`);
+        }
+        const publicKeyPoint = reader.readBytes(reader.readUint32());
+        const writer = new SshWriter();
+        writer.writeString(this.sshType);
+        writer.writeString(curveName);
+        writer.writeMpInt(publicKeyPoint);
+        return {
+            type: this.sshType,
+            keyData: writer.toUint8Array(),
+        };
+    }
+    writePublicKey(writer, publicKey) {
+        const publicKeyReader = new SshReader(publicKey.keyData);
+        publicKeyReader.readString();
+        const curveName = publicKeyReader.readString();
+        const publicPoint = publicKeyReader.readMpInt();
+        writer.writeString(curveName);
+        writer.writeUint32(publicPoint.length);
+        writer.writeBytes(publicPoint);
+    }
+    getCertificateType() {
+        return `${this.sshType}-cert-v01@openssh.com`;
+    }
+    getSignatureAlgo() {
+        return this.sshType;
+    }
+}
+const EcdsaP256Binding = new EcdsaBinding('nistp256', 'ecdsa-sha2-nistp256', 'P-256');
+const EcdsaP384Binding = new EcdsaBinding('nistp384', 'ecdsa-sha2-nistp384', 'P-384');
+const EcdsaP521Binding = new EcdsaBinding('nistp521', 'ecdsa-sha2-nistp521', 'P-521');
+
+class Ed25519Binding {
+    async importPublicSsh(params) {
+        const { blob, crypto } = params;
+        const reader = new SshReader(blob);
+        reader.readString();
+        const keyLength = reader.readUint32();
+        if (keyLength !== 32) {
+            throw new InvalidKeyDataError(`Ed25519 key length ${keyLength}, expected 32`);
+        }
+        const publicKeyBytes = reader.readBytes(keyLength);
+        return crypto.subtle.importKey('raw', publicKeyBytes, 'Ed25519', true, [
+            'verify',
+        ]);
+    }
+    async exportPublicSsh(params) {
+        const { publicKey, crypto } = params;
+        const jwk = await crypto.subtle.exportKey('jwk', publicKey);
+        if (!jwk.x) {
+            throw new InvalidKeyDataError('Ed25519 JWK missing x parameter');
+        }
+        const keyBytes = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.x));
+        const writer = new SshWriter();
+        writer.writeString('ssh-ed25519');
+        writer.writeUint32(keyBytes.length);
+        writer.writeBytes(keyBytes);
+        return writer.toUint8Array();
+    }
+    async importPublicSpki(params) {
+        const { spki, crypto } = params;
+        return crypto.subtle.importKey('spki', spki, 'Ed25519', true, ['verify']);
+    }
+    async exportPublicSpki(params) {
+        const { publicKey, crypto } = params;
+        const spki = await crypto.subtle.exportKey('spki', publicKey);
+        return buildExports.BufferSourceConverter.toUint8Array(spki);
+    }
+    async importPrivatePkcs8(params) {
+        const { pkcs8, crypto } = params;
+        return crypto.subtle.importKey('pkcs8', pkcs8, 'Ed25519', true, ['sign']);
+    }
+    async exportPrivatePkcs8(params) {
+        const { privateKey, crypto } = params;
+        const pkcs8 = await crypto.subtle.exportKey('pkcs8', privateKey);
+        return buildExports.BufferSourceConverter.toUint8Array(pkcs8);
+    }
+    async exportPrivateSsh(params) {
+        const { privateKey, crypto, jwk: providedJwk } = params;
+        const jwk = providedJwk || (await crypto.subtle.exportKey('jwk', privateKey));
+        if (!jwk.d || !jwk.x) {
+            throw new InvalidKeyDataError('Ed25519 private key JWK missing required parameters');
+        }
+        const privateBytes = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.d));
+        const publicBytes = new Uint8Array(buildExports.Convert.FromBase64Url(jwk.x));
+        const writer = new SshWriter();
+        writer.writeString('ssh-ed25519');
+        writer.writeUint32(publicBytes.length);
+        writer.writeBytes(publicBytes);
+        const privKeyPart = new Uint8Array(64);
+        privKeyPart.set(privateBytes, 0);
+        privKeyPart.set(publicBytes, 32);
+        writer.writeUint32(privKeyPart.length);
+        writer.writeBytes(privKeyPart);
+        return writer.toUint8Array();
+    }
+    async importPrivateSsh(params) {
+        const { sshKey, crypto } = params;
+        const base64Data = sshKey
+            .replace(/-----BEGIN OPENSSH PRIVATE KEY-----/, '')
+            .replace(/-----END OPENSSH PRIVATE KEY-----/, '')
+            .replace(/\s/g, '');
+        const binaryData = buildExports.Convert.FromBase64(base64Data);
+        const reader = new SshReader(buildExports.BufferSourceConverter.toUint8Array(binaryData));
+        const magic = reader.readBytes(15);
+        if (buildExports.Convert.ToHex(magic) !== '6f70656e7373682d6b65792d763100') {
+            throw new InvalidPrivateKeyFormatError('invalid magic string');
+        }
+        const _cipherName = reader.readString();
+        reader.readString();
+        reader.readString();
+        if (_cipherName !== 'none') {
+            throw new EncryptedKeyNotSupportedError(_cipherName);
+        }
+        const numKeys = reader.readUint32();
+        if (numKeys !== 1) {
+            throw new InvalidPrivateKeyFormatError('multiple keys not supported');
+        }
+        const publicKeyLength = reader.readUint32();
+        reader.readBytes(publicKeyLength);
+        const privateKeyLength = reader.readUint32();
+        const privateKeyData = reader.readBytes(privateKeyLength);
+        const privateReader = new SshReader(privateKeyData);
+        const checkint1 = privateReader.readUint32();
+        const checkint2 = privateReader.readUint32();
+        if (checkint1 !== checkint2) {
+            throw new InvalidPrivateKeyFormatError('invalid checkints');
+        }
+        privateReader.readString();
+        const pubKeyLength = privateReader.readUint32();
+        const _publicKeyBytes = privateReader.readBytes(pubKeyLength);
+        const privKeyLength = privateReader.readUint32();
+        const privateKeyBytes = privateReader.readBytes(privKeyLength);
+        privateReader.readString();
+        const privateKey = privateKeyBytes.slice(0, 32);
+        const jwk = {
+            kty: 'OKP',
+            crv: 'Ed25519',
+            d: buildExports.Convert.ToBase64Url(privateKey),
+            x: buildExports.Convert.ToBase64Url(_publicKeyBytes),
+        };
+        return crypto.subtle.importKey('jwk', jwk, 'Ed25519', true, ['sign']);
+    }
+    async sign(params) {
+        const { privateKey, data, crypto } = params;
+        const signature = await crypto.subtle.sign('Ed25519', privateKey, data);
+        return buildExports.BufferSourceConverter.toUint8Array(signature);
+    }
+    async verify(params) {
+        const { publicKey, signature, data, crypto } = params;
+        return crypto.subtle.verify('Ed25519', publicKey, signature, data);
+    }
+    encodeSignature(params) {
+        const { signature, algo } = params;
+        const sigBytes = new Uint8Array(signature);
+        const writer = new SshWriter();
+        writer.writeString(algo);
+        writer.writeUint32(sigBytes.length);
+        writer.writeBytes(sigBytes);
+        return writer.toUint8Array();
+    }
+    decodeSignature(params) {
+        const { signature } = params;
+        const reader = new SshReader(signature);
+        const algo = reader.readString();
+        const sigLength = reader.readUint32();
+        const sigBytes = reader.readBytes(sigLength);
+        return {
+            signature: sigBytes,
+            algo,
+        };
+    }
+    supportsCryptoKey(cryptoKey) {
+        return cryptoKey.algorithm.name === 'Ed25519';
+    }
+    parsePublicKey(reader) {
+        const publicKeyData = reader.readBytes(reader.readUint32());
+        const writer = new SshWriter();
+        writer.writeString('ssh-ed25519');
+        writer.writeUint32(publicKeyData.length);
+        writer.writeBytes(publicKeyData);
+        return {
+            type: 'ssh-ed25519',
+            keyData: writer.toUint8Array(),
+        };
+    }
+    writePublicKey(writer, publicKey) {
+        const publicKeyReader = new SshReader(publicKey.keyData);
+        publicKeyReader.readString();
+        const keyLength = publicKeyReader.readUint32();
+        const rawKeyData = publicKeyReader.readBytes(keyLength);
+        writer.writeUint32(rawKeyData.length);
+        writer.writeBytes(rawKeyData);
+    }
+    getCertificateType() {
+        return 'ssh-ed25519-cert-v01@openssh.com';
+    }
+    getSignatureAlgo() {
+        return 'ssh-ed25519';
+    }
+}
+
+const registry = new Map();
+class AlgorithmRegistry {
+    static get(name) {
+        const binding = registry.get(name);
+        if (!binding) {
+            throw new UnsupportedKeyTypeError(name, Array.from(registry.keys()));
+        }
+        return binding;
+    }
+    static register(name, binding) {
+        registry.set(name, binding);
+    }
+    static getSshTypeFromCryptoKey(cryptoKey) {
+        for (const [sshType, binding] of registry.entries()) {
+            if (binding.supportsCryptoKey(cryptoKey)) {
+                return sshType;
+            }
+        }
+        throw new UnsupportedKeyTypeError(cryptoKey.algorithm.name, Array.from(registry.keys()));
+    }
+    static certTypeToKeyType(certType) {
+        const mapping = {
+            'ssh-rsa-cert-v01@openssh.com': 'ssh-rsa',
+            'ssh-ed25519-cert-v01@openssh.com': 'ssh-ed25519',
+            'ecdsa-sha2-nistp256-cert-v01@openssh.com': 'ecdsa-sha2-nistp256',
+            'ecdsa-sha2-nistp384-cert-v01@openssh.com': 'ecdsa-sha2-nistp384',
+            'ecdsa-sha2-nistp521-cert-v01@openssh.com': 'ecdsa-sha2-nistp521',
+        };
+        return mapping[certType];
+    }
+    static getSupportedCertTypes() {
+        return Object.keys({
+            'ssh-rsa-cert-v01@openssh.com': 'ssh-rsa',
+            'ssh-ed25519-cert-v01@openssh.com': 'ssh-ed25519',
+            'ecdsa-sha2-nistp256-cert-v01@openssh.com': 'ecdsa-sha2-nistp256',
+            'ecdsa-sha2-nistp384-cert-v01@openssh.com': 'ecdsa-sha2-nistp384',
+            'ecdsa-sha2-nistp521-cert-v01@openssh.com': 'ecdsa-sha2-nistp521',
+        });
+    }
+}
+AlgorithmRegistry.register('ssh-ed25519', new Ed25519Binding());
+AlgorithmRegistry.register('ssh-rsa', new RsaBinding('SHA-256'));
+AlgorithmRegistry.register('rsa-sha2-256', new RsaBinding('SHA-256'));
+AlgorithmRegistry.register('rsa-sha2-512', new RsaBinding('SHA-512'));
+AlgorithmRegistry.register('ecdsa-sha2-nistp256', EcdsaP256Binding);
+AlgorithmRegistry.register('ecdsa-sha2-nistp384', EcdsaP384Binding);
+AlgorithmRegistry.register('ecdsa-sha2-nistp521', EcdsaP521Binding);
+
+function parsePublicKey(input) {
+    const parts = typeof input === 'string' ? input.trim().split(/\s+/) : null;
+    if (!parts || parts.length < 2) {
+        throw new InvalidFormatError('Invalid SSH public key format');
+    }
+    const type = parts[0];
+    const blob = new Uint8Array(buildExports.Convert.FromBase64(parts[1]));
+    const comment = parts.length > 2 ? parts.slice(2).join(' ') : undefined;
+    const reader = new SshReader(blob);
+    const blobType = reader.readString();
+    if (blobType !== type) {
+        throw new InvalidFormatError('Key type mismatch');
+    }
+    return {
+        type,
+        keyData: blob,
+        comment,
+    };
+}
+function serializePublicKey(blob) {
+    const base64 = buildExports.Convert.ToBase64(blob.keyData);
+    const parts = [blob.type, base64];
+    if (blob.comment) {
+        parts.push(blob.comment);
+    }
+    return parts.join(' ');
+}
+
+function parse(input) {
+    if (typeof input === 'string') {
+        const parts = input.trim().split(/\s+/);
+        if (parts.length < 2) {
+            throw new InvalidFormatError('SSH certificate string', 'type base64 [comment]');
+        }
+        const type = parts[0];
+        const blob = new Uint8Array(buildExports.Convert.FromBase64(parts[1]));
+        const comment = parts.length > 2 ? parts.slice(2).join(' ') : undefined;
+        const reader = new SshReader(blob);
+        const blobType = reader.readString();
+        if (blobType !== type) {
+            throw new InvalidFormatError(`certificate blob type ${blobType}`, `expected ${type}`);
+        }
+        return {
+            type,
+            keyData: blob,
+            comment,
+        };
+    }
+    else {
+        const reader = new SshReader(input);
+        const type = reader.readString();
+        const keyData = input.slice(reader.getOffset());
+        return {
+            type,
+            keyData,
+        };
+    }
+}
+function parseCertificateData(keyData) {
+    const reader = new SshReader(keyData);
+    const certType = reader.readString();
+    const nonce = reader.readBytes(reader.readUint32());
+    const mappedKeyType = AlgorithmRegistry.certTypeToKeyType(certType);
+    if (!mappedKeyType) {
+        throw new UnsupportedAlgorithmError(certType, AlgorithmRegistry.getSupportedCertTypes());
+    }
+    const binding = AlgorithmRegistry.get(mappedKeyType);
+    const publicKey = binding.parsePublicKey(reader);
+    const keyType = mappedKeyType;
+    const serial = reader.readUint64();
+    const typeValue = reader.readUint32();
+    const type = typeValue === 1 ? 'user' : 'host';
+    const keyId = reader.readString();
+    const principalsLength = reader.readUint32();
+    const principalsData = reader.readBytes(principalsLength);
+    const validPrincipals = [];
+    if (principalsData.length > 0) {
+        const principalsReader = new SshReader(principalsData);
+        while (principalsReader.getOffset() < principalsData.length) {
+            try {
+                const principal = principalsReader.readString();
+                validPrincipals.push(principal);
+            }
+            catch {
+                break;
+            }
+        }
+    }
+    const validAfter = reader.readUint64();
+    const validBefore = reader.readUint64();
+    const criticalOptions = {};
+    const criticalLength = reader.readUint32();
+    const criticalData = reader.readBytes(criticalLength);
+    if (criticalData.length > 0) {
+        const optionsReader = new SshReader(criticalData);
+        while (optionsReader.getOffset() < criticalData.length) {
+            try {
+                const name = optionsReader.readString();
+                const valueData = optionsReader.readBytes(optionsReader.readUint32());
+                const value = valueData.length === 0 ? '' : decoder.decode(valueData);
+                criticalOptions[name] = value;
+            }
+            catch {
+                break;
+            }
+        }
+    }
+    const extensions = {};
+    const extensionsLength = reader.readUint32();
+    const extensionsData = reader.readBytes(extensionsLength);
+    if (extensionsData.length > 0) {
+        const extReader = new SshReader(extensionsData);
+        while (extReader.getOffset() < extensionsData.length) {
+            try {
+                const name = extReader.readString();
+                const valueData = extReader.readBytes(extReader.readUint32());
+                const value = valueData.length === 0 ? '' : decoder.decode(valueData);
+                extensions[name] = value;
+            }
+            catch {
+                break;
+            }
+        }
+    }
+    const reservedLength = reader.readUint32();
+    const reserved = reader.readBytes(reservedLength);
+    const signatureKeyLength = reader.readUint32();
+    const signatureKeyData = reader.readBytes(signatureKeyLength);
+    const signatureKeyReader = new SshReader(signatureKeyData);
+    const signatureKeyType = signatureKeyReader.readString();
+    const signatureKey = {
+        type: signatureKeyType,
+        keyData: signatureKeyData,
+    };
+    const signatureLength = reader.readUint32();
+    const signature = reader.readBytes(signatureLength);
+    return {
+        nonce,
+        keyType,
+        publicKey,
+        serial,
+        type,
+        keyId,
+        validPrincipals,
+        validAfter,
+        validBefore,
+        criticalOptions,
+        extensions,
+        reserved,
+        signatureKey,
+        signature,
+    };
+}
+function serialize(cert) {
+    const base64 = buildExports.Convert.ToBase64(cert.keyData);
+    const parts = [cert.type, base64];
+    if (cert.comment) {
+        parts.push(cert.comment);
+    }
+    return parts.join(' ');
+}
+
+function parseSignature(data) {
+    const reader = new SshReader(data);
+    if (data.length >= 6 && new TextDecoder().decode(data.subarray(0, 6)) === 'SSHSIG') {
+        return parseSshSignatureFormat(reader);
+    }
+    else {
+        return parseLegacyFormat(reader);
+    }
+}
+function parseSshSignatureFormat(reader) {
+    const magicBytes = reader.readBytes(6);
+    const magic = new TextDecoder().decode(magicBytes);
+    if (magic !== 'SSHSIG') {
+        throw new InvalidFormatError(magic, 'SSHSIG');
+    }
+    const version = reader.readUint32();
+    const publicKeyLength = reader.readUint32();
+    const publicKey = reader.readBytes(publicKeyLength);
+    const namespace = reader.readString();
+    const reserved = reader.readString();
+    const hashAlgorithm = reader.readString();
+    const signatureLength = reader.readUint32();
+    const signatureData = reader.readBytes(signatureLength);
+    const sigReader = new SshReader(signatureData);
+    const algorithm = sigReader.readString();
+    const signatureLength2 = sigReader.readUint32();
+    const signature = sigReader.readBytes(signatureLength2);
+    return {
+        format: 'ssh-signature',
+        algorithm,
+        signature,
+        version,
+        publicKey,
+        namespace,
+        reserved,
+        hashAlgorithm,
+    };
+}
+function parseLegacyFormat(reader) {
+    const algorithm = reader.readString();
+    const signatureLength = reader.readUint32();
+    const signature = reader.readBytes(signatureLength);
+    return {
+        format: 'legacy',
+        algorithm,
+        signature,
+    };
+}
+function serializeSignature(blob) {
+    if (blob.format === 'ssh-signature') {
+        return serializeSshSignatureFormat(blob);
+    }
+    else {
+        return serializeLegacyFormat(blob);
+    }
+}
+function serializeSshSignatureFormat(blob) {
+    const writer = new SshWriter();
+    writer.writeBytes(new TextEncoder().encode('SSHSIG'));
+    writer.writeUint32(blob.version || 1);
+    if (blob.publicKey) {
+        writer.writeUint32(blob.publicKey.length);
+        writer.writeBytes(blob.publicKey);
+    }
+    else {
+        writer.writeUint32(0);
+    }
+    writer.writeString(blob.namespace || 'file');
+    writer.writeString(blob.reserved || '');
+    writer.writeString(blob.hashAlgorithm || 'sha512');
+    const sigWriter = new SshWriter();
+    sigWriter.writeString(blob.algorithm);
+    sigWriter.writeUint32(blob.signature.length);
+    sigWriter.writeBytes(blob.signature);
+    const sigData = sigWriter.toUint8Array();
+    writer.writeUint32(sigData.length);
+    writer.writeBytes(sigData);
+    return writer.toUint8Array();
+}
+function serializeLegacyFormat(blob) {
+    const writer = new SshWriter();
+    writer.writeString(blob.algorithm);
+    writer.writeUint32(blob.signature.length);
+    writer.writeBytes(blob.signature);
+    return writer.toUint8Array();
+}
+
+class SshObject {
+}
+
+class SshPublicKey extends SshObject {
+    static TYPE = 'public-key';
+    type = SshPublicKey.TYPE;
+    blob;
+    cachedCryptoKey;
+    constructor(blob) {
+        super();
+        this.blob = blob;
+    }
+    async getCryptoKey(crypto = getCrypto()) {
+        if (!this.cachedCryptoKey) {
+            const binding = AlgorithmRegistry.get(this.blob.type);
+            this.cachedCryptoKey = await binding.importPublicSsh({ blob: this.blob.keyData, crypto });
+        }
+        return this.cachedCryptoKey;
+    }
+    static async fromSSH(sshKey, crypto = getCrypto()) {
+        const blob = parsePublicKey(sshKey);
+        const binding = AlgorithmRegistry.get(blob.type);
+        await binding.importPublicSsh({ blob: blob.keyData, crypto });
+        return new SshPublicKey(blob);
+    }
+    static async fromSPKI(spki, type, crypto = getCrypto()) {
+        const binding = AlgorithmRegistry.get(type);
+        const cryptoKey = await binding.importPublicSpki({ spki, crypto });
+        const exported = await binding.exportPublicSsh({ publicKey: cryptoKey, crypto });
+        const blob = {
+            type,
+            keyData: exported,
+        };
+        return new SshPublicKey(blob);
+    }
+    static async fromWebCrypto(cryptoKey, type, crypto = getCrypto()) {
+        const sshType = type || AlgorithmRegistry.getSshTypeFromCryptoKey(cryptoKey);
+        const binding = AlgorithmRegistry.get(sshType);
+        const exported = await binding.exportPublicSsh({ publicKey: cryptoKey, crypto });
+        const blob = {
+            type: sshType,
+            keyData: exported,
+        };
+        return new SshPublicKey(blob);
+    }
+    async export(format = 'ssh', crypto = getCrypto()) {
+        if (format === 'ssh') {
+            return serializePublicKey(this.blob);
+        }
+        else if (format === 'spki') {
+            const cryptoKey = await this.getCryptoKey(crypto);
+            const binding = AlgorithmRegistry.get(this.blob.type);
+            const spki = await binding.exportPublicSpki({ publicKey: cryptoKey, crypto });
+            return new Uint8Array(spki);
+        }
+        throw new UnsupportedKeyTypeError(`Unsupported export format: ${format}`);
+    }
+    async toSSH() {
+        const result = await this.export('ssh');
+        return result;
+    }
+    async toSPKI() {
+        const result = await this.export('spki');
+        return result;
+    }
+    async toWebCrypto(crypto = getCrypto()) {
+        return this.getCryptoKey(crypto);
+    }
+    async verify(algorithm, signature, data, crypto = getCrypto()) {
+        const binding = AlgorithmRegistry.get(algorithm);
+        const cryptoKey = await this.toWebCrypto(crypto);
+        return binding.verify({
+            publicKey: cryptoKey,
+            signature,
+            data,
+            crypto,
+        });
+    }
+    get keyType() {
+        return this.blob.type;
+    }
+    get comment() {
+        return this.blob.comment;
+    }
+    getBlob() {
+        return { ...this.blob };
+    }
+    async thumbprint(algorithm = 'sha256', crypto = getCrypto()) {
+        const hashAlgorithm = algorithm === 'sha256' ? 'SHA-256' : 'SHA-512';
+        const data = this.blob.keyData;
+        const hash = await crypto.subtle.digest(hashAlgorithm, data);
+        return new Uint8Array(hash);
+    }
+}
+
+class SshSignature extends SshObject {
+    static TYPE = 'signature';
+    type = SshSignature.TYPE;
+    blob;
+    format;
+    algorithm;
+    signature;
+    version;
+    publicKey;
+    namespace;
+    reserved;
+    hashAlgorithm;
+    constructor(blob) {
+        super();
+        this.blob = blob;
+        this.format = blob.format;
+        this.algorithm = blob.algorithm;
+        this.signature = blob.signature;
+        this.version = blob.version;
+        this.namespace = blob.namespace;
+        this.reserved = blob.reserved;
+        this.hashAlgorithm = blob.hashAlgorithm;
+        if (blob.publicKey) {
+            const reader = new SshReader(blob.publicKey);
+            const type = reader.readString();
+            this.publicKey = new SshPublicKey({ type, keyData: blob.publicKey });
+        }
+    }
+    static parse(data) {
+        const blob = parseSignature(data);
+        return new SshSignature(blob);
+    }
+    static fromBlob(blob) {
+        return new SshSignature(blob);
+    }
+    static fromBase64(base64) {
+        const data = new Uint8Array(buildExports.Convert.FromBase64(base64));
+        return SshSignature.parse(data);
+    }
+    static fromText(text) {
+        const base64 = text
+            .replace(/-----BEGIN SSH SIGNATURE-----/, '')
+            .replace(/-----END SSH SIGNATURE-----/, '')
+            .replace(/[\r\n\s]/g, '');
+        return SshSignature.fromBase64(base64);
+    }
+    serialize() {
+        return serializeSignature(this.blob);
+    }
+    toBase64() {
+        return buildExports.Convert.ToBase64(this.serialize());
+    }
+    toText() {
+        const base64 = this.toBase64();
+        const lines = [];
+        for (let i = 0; i < base64.length; i += 70) {
+            lines.push(base64.substring(i, i + 70));
+        }
+        return ['-----BEGIN SSH SIGNATURE-----', ...lines, '-----END SSH SIGNATURE-----'].join('\n');
+    }
+    async toSSH() {
+        return this.toText();
+    }
+    async verify(data, publicKey) {
+        const binding = AlgorithmRegistry.get(this.algorithm);
+        const cryptoKey = await publicKey['getCryptoKey']();
+        const crypto = getCrypto();
+        let dataToVerify = data;
+        if (this.format === 'ssh-signature') {
+            const hashAlg = this.hashAlgorithm || 'sha512';
+            const namespace = this.namespace || 'file';
+            const reserved = this.reserved || '';
+            const hashAlgorithm = hashAlg === 'sha256' ? 'SHA-256' : 'SHA-512';
+            const messageHash = await crypto.subtle.digest(hashAlgorithm, data);
+            const messageHashBytes = new Uint8Array(messageHash);
+            const writer = new SshWriter();
+            writer.writeBytes(new TextEncoder().encode('SSHSIG'));
+            writer.writeString(namespace);
+            writer.writeString(reserved);
+            writer.writeString(hashAlg);
+            writer.writeUint32(messageHashBytes.length);
+            writer.writeBytes(messageHashBytes);
+            dataToVerify = writer.toUint8Array();
+        }
+        let hashAlgorithm;
+        if (this.algorithm === 'rsa-sha2-256') {
+            hashAlgorithm = 'SHA-256';
+        }
+        else if (this.algorithm === 'rsa-sha2-512') {
+            hashAlgorithm = 'SHA-512';
+        }
+        let signatureToVerify;
+        if (this.format === 'legacy' || this.format === 'ssh-signature') {
+            const sigWriter = new SshWriter();
+            sigWriter.writeString(this.algorithm);
+            sigWriter.writeUint32(this.signature.length);
+            sigWriter.writeBytes(this.signature);
+            const wireFormatSignature = sigWriter.toUint8Array();
+            const decodedSig = binding.decodeSignature({
+                signature: wireFormatSignature,
+            });
+            signatureToVerify = decodedSig.signature;
+        }
+        else {
+            signatureToVerify = this.signature;
+        }
+        return binding.verify({
+            publicKey: cryptoKey,
+            signature: signatureToVerify,
+            data: dataToVerify,
+            crypto,
+            hash: hashAlgorithm,
+        });
+    }
+    static fromLegacy(algorithm, signature) {
+        const binding = AlgorithmRegistry.get(algorithm);
+        const encodedSignature = binding.encodeSignature({
+            signature,
+            algo: algorithm,
+        });
+        const sigReader = new SshReader(encodedSignature);
+        sigReader.readString();
+        const sigLength = sigReader.readUint32();
+        const signatureData = sigReader.readBytes(sigLength);
+        return new SshSignature({
+            format: 'legacy',
+            algorithm,
+            signature: signatureData,
+        });
+    }
+    static fromSshSignature(algorithm, signature, options = {}) {
+        const blob = {
+            format: 'ssh-signature',
+            algorithm,
+            signature,
+            version: options.version || 1,
+            publicKey: options.publicKey ? options.publicKey.getBlob().keyData : undefined,
+            namespace: options.namespace || 'file',
+            reserved: options.reserved || '',
+            hashAlgorithm: options.hashAlgorithm || 'sha512',
+        };
+        return new SshSignature(blob);
+    }
+    static async sign(algorithm, privateKey, data, options = {}) {
+        const { format = 'legacy', namespace = 'file' } = options;
+        if (format === 'legacy') {
+            const rawSignature = await privateKey.sign(algorithm, data);
+            const algorithmUsed = algorithm || privateKey.keyType;
+            return SshSignature.fromLegacy(algorithmUsed, rawSignature);
+        }
+        else {
+            const signatureAlgorithm = algorithm;
+            const binding = AlgorithmRegistry.get(signatureAlgorithm);
+            const hashAlgorithm = algorithm === 'rsa-sha2-256' ? 'sha256' : 'sha512';
+            const publicKey = await privateKey.getPublicKey();
+            const crypto = getCrypto();
+            const webCryptoHashAlg = hashAlgorithm === 'sha256' ? 'SHA-256' : 'SHA-512';
+            const messageHash = await crypto.subtle.digest(webCryptoHashAlg, data);
+            const messageHashBytes = new Uint8Array(messageHash);
+            const writer = new SshWriter();
+            writer.writeBytes(new TextEncoder().encode('SSHSIG'));
+            writer.writeString(namespace);
+            writer.writeString('');
+            writer.writeString(hashAlgorithm);
+            writer.writeUint32(messageHashBytes.length);
+            writer.writeBytes(messageHashBytes);
+            const dataToSign = writer.toUint8Array();
+            const rawSignature = await privateKey.sign(signatureAlgorithm, dataToSign);
+            const encodedSignature = binding.encodeSignature({
+                signature: rawSignature,
+                algo: signatureAlgorithm,
+            });
+            const sigReader = new SshReader(encodedSignature);
+            sigReader.readString();
+            const sigLength = sigReader.readUint32();
+            const signatureData = sigReader.readBytes(sigLength);
+            return SshSignature.fromSshSignature(signatureAlgorithm, signatureData, {
+                namespace,
+                hashAlgorithm,
+                publicKey,
+            });
+        }
+    }
+}
+
+let SshCertificate$1 = class SshCertificate extends SshObject {
+    static TYPE = 'certificate';
+    type = SshCertificate.TYPE;
+    _blob;
+    data;
+    _validAfter;
+    _validBefore;
+    keyId;
+    principals;
+    certType;
+    serial;
+    validAfter;
+    validBefore;
+    publicKey;
+    signatureKey;
+    criticalOptions;
+    extensions;
+    constructor(blob) {
+        super();
+        this._blob = blob;
+        this.data = parseCertificateData(blob.keyData);
+        this._validAfter = this.data.validAfter;
+        this._validBefore = this.data.validBefore;
+        this.keyId = this.data.keyId;
+        this.principals = this.data.validPrincipals;
+        this.certType = this.data.type;
+        this.serial = this.data.serial;
+        this.validAfter = new Date(Number(this.data.validAfter) * 1000);
+        this.validBefore = new Date(Number(this.data.validBefore) * 1000);
+        this.publicKey = new SshPublicKey(this.data.publicKey);
+        this.signatureKey = new SshPublicKey(this.data.signatureKey);
+        this.criticalOptions = { ...this.data.criticalOptions };
+        this.extensions = { ...this.data.extensions };
+    }
+    static async fromSSH(text) {
+        const blob = parse(text);
+        return new SshCertificate(blob);
+    }
+    static async fromBlob(blob) {
+        return new SshCertificate(blob);
+    }
+    async toSSH() {
+        return serialize(this._blob);
+    }
+    toBlob() {
+        return { ...this._blob };
+    }
+    get blob() {
+        return this.toBlob();
+    }
+    validate(date = new Date()) {
+        const ts = BigInt(Math.floor(date.getTime() / 1000));
+        const after = this._validAfter;
+        const before = this._validBefore;
+        const INFINITY = 0xffffffffffffffffn;
+        const upper = before === INFINITY ? ts : before;
+        return ts >= after && ts <= upper;
+    }
+    async verify(caPublicKey, crypto = getCrypto()) {
+        const verifyKey = caPublicKey || this.signatureKey;
+        const signedData = this.getSignedData();
+        const sshSignature = SshSignature.parse(this.data.signature);
+        const binding = AlgorithmRegistry.get(sshSignature.algorithm);
+        const cryptoKey = await verifyKey.toWebCrypto(crypto);
+        return binding.verify({
+            publicKey: cryptoKey,
+            signature: sshSignature.signature,
+            data: signedData,
+            crypto,
+        });
+    }
+    getSignedData() {
+        const reader = new SshReader(this._blob.keyData);
+        reader.readString();
+        reader.readBytes(reader.readUint32());
+        if (this.data.keyType === 'ssh-ed25519') {
+            reader.readBytes(reader.readUint32());
+        }
+        else if (this.data.keyType === 'ssh-rsa') {
+            reader.readBytes(reader.readUint32());
+            reader.readBytes(reader.readUint32());
+        }
+        else if (this.data.keyType.startsWith('ecdsa-sha2-')) {
+            reader.readString();
+            reader.readBytes(reader.readUint32());
+        }
+        reader.readUint64();
+        reader.readUint32();
+        reader.readBytes(reader.readUint32());
+        reader.readBytes(reader.readUint32());
+        reader.readUint64();
+        reader.readUint64();
+        reader.readBytes(reader.readUint32());
+        reader.readBytes(reader.readUint32());
+        reader.readBytes(reader.readUint32());
+        reader.readBytes(reader.readUint32());
+        const signedDataEnd = reader.getOffset();
+        return this._blob.keyData.slice(0, signedDataEnd);
+    }
+};
+
+var __classPrivateFieldSet = (undefined && undefined.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (undefined && undefined.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _SshCertificate_cert;
+class SshCertificate {
+    constructor(raw) {
+        _SshCertificate_cert.set(this, void 0);
+        const blob = parse(raw.trim());
+        // @ts-expect-error - SshCertificateType is not a constructor
+        __classPrivateFieldSet(this, _SshCertificate_cert, new SshCertificate$1(blob), "f");
+        this.notBefore = __classPrivateFieldGet(this, _SshCertificate_cert, "f").validAfter;
+        this.notAfter = __classPrivateFieldGet(this, _SshCertificate_cert, "f").validBefore;
+        this.validity = dateDiff(this.notBefore, this.notAfter);
+        this.type = [__classPrivateFieldGet(this, _SshCertificate_cert, "f").blob.type, __classPrivateFieldGet(this, _SshCertificate_cert, "f").certType, __classPrivateFieldGet(this, _SshCertificate_cert, "f").type].join(' ');
+        this.serialNumber = __classPrivateFieldGet(this, _SshCertificate_cert, "f").serial.toString();
+        this.keyId = __classPrivateFieldGet(this, _SshCertificate_cert, "f").keyId;
+        this.principals = __classPrivateFieldGet(this, _SshCertificate_cert, "f").principals;
+        this.extensions = __classPrivateFieldGet(this, _SshCertificate_cert, "f").extensions;
+        this.criticalOptions = __classPrivateFieldGet(this, _SshCertificate_cert, "f").criticalOptions;
+    }
+    async parseSignatureKey() {
+        const key = await __classPrivateFieldGet(this, _SshCertificate_cert, "f").signatureKey.toWebCrypto();
+        const blob = __classPrivateFieldGet(this, _SshCertificate_cert, "f").signatureKey.getBlob();
+        const thumbprint = await __classPrivateFieldGet(this, _SshCertificate_cert, "f").signatureKey.thumbprint('sha256');
+        this.signatureKey = {
+            algorithm: key.algorithm.name,
+            type: blob.type,
+            value: await __classPrivateFieldGet(this, _SshCertificate_cert, "f").signatureKey.toSSH(),
+            thumbprint: buildExports.Convert.ToBase64(thumbprint),
+        };
+    }
+    async parsePublicKey() {
+        const key = await __classPrivateFieldGet(this, _SshCertificate_cert, "f").publicKey.toWebCrypto();
+        const blob = __classPrivateFieldGet(this, _SshCertificate_cert, "f").publicKey.getBlob();
+        const thumbprint = await __classPrivateFieldGet(this, _SshCertificate_cert, "f").publicKey.thumbprint('sha256');
+        this.publicKey = {
+            algorithm: key.algorithm.name,
+            type: blob.type,
+            value: await __classPrivateFieldGet(this, _SshCertificate_cert, "f").publicKey.toSSH(),
+            thumbprint: buildExports.Convert.ToBase64(thumbprint),
+        };
+    }
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    async toString(_format = 'pem') {
+        return __classPrivateFieldGet(this, _SshCertificate_cert, "f").toSSH();
+    }
+}
+_SshCertificate_cert = new WeakMap();
+
 exports.ArchiveRevInfo = ArchiveRevInfo;
 exports.AsnArray = AsnArray;
 exports.AsnConvert = AsnConvert;
@@ -12739,6 +14386,7 @@ exports.RootOfTrust = RootOfTrust;
 exports.SemanticsInformation = SemanticsInformation;
 exports.SignedCertificateTimestamp = SignedCertificateTimestamp;
 exports.SignedData = SignedData;
+exports.SshCertificate = SshCertificate;
 exports.SubjectKeyIdentifier = SubjectKeyIdentifier;
 exports.Timestamp = Timestamp;
 exports.UserNotice = UserNotice;
@@ -12806,6 +14454,6 @@ exports.id_qcs_pkixQCSyntax_v2 = id_qcs_pkixQCSyntax_v2;
 exports.id_role = id_role;
 exports.id_rsaEncryption = id_rsaEncryption;
 exports.l10n = l10n;
-//# sourceMappingURL=certification_request-DISQwgjn.js.map
+//# sourceMappingURL=ssh_certificate-s3-rwdMT.js.map
 
-//# sourceMappingURL=certification_request-DISQwgjn.js.map
+//# sourceMappingURL=ssh_certificate-s3-rwdMT.js.map