@php-wasm/web 1.0.3 → 1.0.5

package/lib/tls/certificates.d.ts

@@ -0,0 +1,199 @@
+/**
+ * Generates an X.509 certificate from the given description.
+ *
+ * If the issuer key pair is provided, the certificate will be signed
+ * using the provided issuer's private key. Otherwise, the certificate
+ * will be self-signed.
+ *
+ * The code below is underdocumented. The following links may provide
+ * more clarity about X.509, ASN.1, DER, PEM, and other data formats
+ * this module encodes:
+ *
+ * * https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/
+ * * https://dev.to/wayofthepie/structure-of-an-ssl-x-509-certificate-16b
+ * * https://www.oss.com/asn1/resources/asn1-made-simple/asn1-quick-reference/asn1-tags.html
+ */
+export declare function generateCertificate(description: TBSCertificateDescription, issuerKeyPair?: CryptoKeyPair): Promise<GeneratedCertificate>;
+export declare function certificateToPEM(certificate: Uint8Array): string;
+export declare function privateKeyToPEM(privateKey: CryptoKey): Promise<string>;
+/**
+ * OIDs used in X.509 certificates.
+ *
+ * Source: https://oidref.com/
+ */
+declare const oids: {
+    readonly '1.2.840.113549.1.1.1': "rsaEncryption";
+    readonly '1.2.840.113549.1.1.4': "md5WithRSAEncryption";
+    readonly '1.2.840.113549.1.1.5': "sha1WithRSAEncryption";
+    readonly '1.2.840.113549.1.1.7': "RSAES-OAEP";
+    readonly '1.2.840.113549.1.1.8': "mgf1";
+    readonly '1.2.840.113549.1.1.9': "pSpecified";
+    readonly '1.2.840.113549.1.1.10': "RSASSA-PSS";
+    readonly '1.2.840.113549.1.1.11': "sha256WithRSAEncryption";
+    readonly '1.2.840.113549.1.1.12': "sha384WithRSAEncryption";
+    readonly '1.2.840.113549.1.1.13': "sha512WithRSAEncryption";
+    readonly '1.3.101.112': "EdDSA25519";
+    readonly '1.2.840.10040.4.3': "dsa-with-sha1";
+    readonly '1.3.14.3.2.7': "desCBC";
+    readonly '1.3.14.3.2.26': "sha1";
+    readonly '1.3.14.3.2.29': "sha1WithRSASignature";
+    readonly '2.16.840.1.101.3.4.2.1': "sha256";
+    readonly '2.16.840.1.101.3.4.2.2': "sha384";
+    readonly '2.16.840.1.101.3.4.2.3': "sha512";
+    readonly '2.16.840.1.101.3.4.2.4': "sha224";
+    readonly '2.16.840.1.101.3.4.2.5': "sha512-224";
+    readonly '2.16.840.1.101.3.4.2.6': "sha512-256";
+    readonly '1.2.840.113549.2.2': "md2";
+    readonly '1.2.840.113549.2.5': "md5";
+    readonly '1.2.840.113549.1.7.1': "data";
+    readonly '1.2.840.113549.1.7.2': "signedData";
+    readonly '1.2.840.113549.1.7.3': "envelopedData";
+    readonly '1.2.840.113549.1.7.4': "signedAndEnvelopedData";
+    readonly '1.2.840.113549.1.7.5': "digestedData";
+    readonly '1.2.840.113549.1.7.6': "encryptedData";
+    readonly '1.2.840.113549.1.9.1': "emailAddress";
+    readonly '1.2.840.113549.1.9.2': "unstructuredName";
+    readonly '1.2.840.113549.1.9.3': "contentType";
+    readonly '1.2.840.113549.1.9.4': "messageDigest";
+    readonly '1.2.840.113549.1.9.5': "signingTime";
+    readonly '1.2.840.113549.1.9.6': "counterSignature";
+    readonly '1.2.840.113549.1.9.7': "challengePassword";
+    readonly '1.2.840.113549.1.9.8': "unstructuredAddress";
+    readonly '1.2.840.113549.1.9.14': "extensionRequest";
+    readonly '1.2.840.113549.1.9.20': "friendlyName";
+    readonly '1.2.840.113549.1.9.21': "localKeyId";
+    readonly '1.2.840.113549.1.9.22.1': "x509Certificate";
+    readonly '1.2.840.113549.1.12.10.1.1': "keyBag";
+    readonly '1.2.840.113549.1.12.10.1.2': "pkcs8ShroudedKeyBag";
+    readonly '1.2.840.113549.1.12.10.1.3': "certBag";
+    readonly '1.2.840.113549.1.12.10.1.4': "crlBag";
+    readonly '1.2.840.113549.1.12.10.1.5': "secretBag";
+    readonly '1.2.840.113549.1.12.10.1.6': "safeContentsBag";
+    readonly '1.2.840.113549.1.5.13': "pkcs5PBES2";
+    readonly '1.2.840.113549.1.5.12': "pkcs5PBKDF2";
+    readonly '1.2.840.113549.1.12.1.1': "pbeWithSHAAnd128BitRC4";
+    readonly '1.2.840.113549.1.12.1.2': "pbeWithSHAAnd40BitRC4";
+    readonly '1.2.840.113549.1.12.1.3': "pbeWithSHAAnd3-KeyTripleDES-CBC";
+    readonly '1.2.840.113549.1.12.1.4': "pbeWithSHAAnd2-KeyTripleDES-CBC";
+    readonly '1.2.840.113549.1.12.1.5': "pbeWithSHAAnd128BitRC2-CBC";
+    readonly '1.2.840.113549.1.12.1.6': "pbewithSHAAnd40BitRC2-CBC";
+    readonly '1.2.840.113549.2.7': "hmacWithSHA1";
+    readonly '1.2.840.113549.2.8': "hmacWithSHA224";
+    readonly '1.2.840.113549.2.9': "hmacWithSHA256";
+    readonly '1.2.840.113549.2.10': "hmacWithSHA384";
+    readonly '1.2.840.113549.2.11': "hmacWithSHA512";
+    readonly '1.2.840.113549.3.7': "des-EDE3-CBC";
+    readonly '2.16.840.1.101.3.4.1.2': "aes128-CBC";
+    readonly '2.16.840.1.101.3.4.1.22': "aes192-CBC";
+    readonly '2.16.840.1.101.3.4.1.42': "aes256-CBC";
+    readonly '2.5.4.3': "commonName";
+    readonly '2.5.4.4': "surname";
+    readonly '2.5.4.5': "serialNumber";
+    readonly '2.5.4.6': "countryName";
+    readonly '2.5.4.7': "localityName";
+    readonly '2.5.4.8': "stateOrProvinceName";
+    readonly '2.5.4.9': "streetAddress";
+    readonly '2.5.4.10': "organizationName";
+    readonly '2.5.4.11': "organizationalUnitName";
+    readonly '2.5.4.12': "title";
+    readonly '2.5.4.13': "description";
+    readonly '2.5.4.15': "businessCategory";
+    readonly '2.5.4.17': "postalCode";
+    readonly '2.5.4.42': "givenName";
+    readonly '1.3.6.1.4.1.311.60.2.1.2': "jurisdictionOfIncorporationStateOrProvinceName";
+    readonly '1.3.6.1.4.1.311.60.2.1.3': "jurisdictionOfIncorporationCountryName";
+    readonly '2.16.840.1.113730.1.1': "nsCertType";
+    readonly '2.16.840.1.113730.1.13': "nsComment";
+    readonly '2.5.29.14': "subjectKeyIdentifier";
+    readonly '2.5.29.15': "keyUsage";
+    readonly '2.5.29.17': "subjectAltName";
+    readonly '2.5.29.18': "issuerAltName";
+    readonly '2.5.29.19': "basicConstraints";
+    readonly '2.5.29.31': "cRLDistributionPoints";
+    readonly '2.5.29.32': "certificatePolicies";
+    readonly '2.5.29.35': "authorityKeyIdentifier";
+    readonly '2.5.29.37': "extKeyUsage";
+    readonly '1.3.6.1.4.1.11129.2.4.2': "timestampList";
+    readonly '1.3.6.1.5.5.7.1.1': "authorityInfoAccess";
+    readonly '1.3.6.1.5.5.7.3.1': "serverAuth";
+    readonly '1.3.6.1.5.5.7.3.2': "clientAuth";
+    readonly '1.3.6.1.5.5.7.3.3': "codeSigning";
+    readonly '1.3.6.1.5.5.7.3.4': "emailProtection";
+    readonly '1.3.6.1.5.5.7.3.8': "timeStamping";
+};
+export interface DistinguishedName {
+    countryName?: string;
+    organizationName?: string;
+    commonName?: string;
+    localityName?: string;
+    stateOrProvinceName?: string;
+    streetAddress?: string;
+    postalCode?: string;
+    emailAddress?: string;
+    organizationalUnitName?: string;
+    title?: string;
+    description?: string;
+    businessCategory?: string;
+}
+export type Validity = {
+    notBefore: Date;
+    notAfter: Date;
+};
+export type OID = keyof typeof oids;
+export type OIDName = (typeof oids)[OID];
+export interface BasicConstraints {
+    ca: boolean;
+    pathLenConstraint?: number;
+}
+export interface KeyUsage {
+    digitalSignature?: boolean;
+    nonRepudiation?: boolean;
+    keyEncipherment?: boolean;
+    dataEncipherment?: boolean;
+    keyAgreement?: boolean;
+    keyCertSign?: boolean;
+    cRLSign?: boolean;
+    encipherOnly?: boolean;
+    decipherOnly?: boolean;
+}
+export interface ExtKeyUsage {
+    serverAuth?: boolean;
+    clientAuth?: boolean;
+    codeSigning?: boolean;
+    emailProtection?: boolean;
+    timeStamping?: boolean;
+}
+export interface NSCertType {
+    client?: boolean;
+    server?: boolean;
+    email?: boolean;
+    objsign?: boolean;
+    sslCA?: boolean;
+    emailCA?: boolean;
+    objCA?: boolean;
+}
+export interface SubjectAltNames {
+    dnsNames?: string[];
+    ipAddresses?: string[];
+}
+export interface TBSCertificateDescription {
+    version?: number;
+    serialNumber?: Uint8Array;
+    signatureAlgorithm?: OIDName;
+    issuer?: DistinguishedName;
+    validity?: Validity;
+    subject: DistinguishedName;
+    basicConstraints?: BasicConstraints;
+    keyUsage?: KeyUsage;
+    extKeyUsage?: ExtKeyUsage;
+    subjectAltNames?: SubjectAltNames;
+    nsCertType?: NSCertType;
+}
+export type TBSCertificate = Uint8Array;
+export type GeneratedCertificate = {
+    keyPair: CryptoKeyPair;
+    certificate: Uint8Array;
+    tbsDescription: TBSCertificateDescription;
+    tbsCertificate: TBSCertificate;
+};
+export {};

package/lib/tls/cipher-suites.d.ts

@@ -0,0 +1,210 @@
+/**
+ * TLS1 cipher suites sourced from OpenSSL:
+ *
+ * https://github.com/openssl/openssl/blob/36254fda37fe169e136079404a3c32aeea35cbd4/include/openssl/tls1.h#L371
+ */
+export declare const CipherSuites: {
+    readonly TLS1_CK_PSK_WITH_RC4_128_SHA: 138;
+    readonly TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA: 139;
+    readonly TLS1_CK_PSK_WITH_AES_128_CBC_SHA: 140;
+    readonly TLS1_CK_PSK_WITH_AES_256_CBC_SHA: 141;
+    readonly TLS1_CK_DHE_PSK_WITH_RC4_128_SHA: 142;
+    readonly TLS1_CK_DHE_PSK_WITH_3DES_EDE_CBC_SHA: 143;
+    readonly TLS1_CK_DHE_PSK_WITH_AES_128_CBC_SHA: 144;
+    readonly TLS1_CK_DHE_PSK_WITH_AES_256_CBC_SHA: 145;
+    readonly TLS1_CK_RSA_PSK_WITH_RC4_128_SHA: 146;
+    readonly TLS1_CK_RSA_PSK_WITH_3DES_EDE_CBC_SHA: 147;
+    readonly TLS1_CK_RSA_PSK_WITH_AES_128_CBC_SHA: 148;
+    readonly TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA: 149;
+    readonly TLS1_CK_PSK_WITH_AES_128_GCM_SHA256: 168;
+    readonly TLS1_CK_PSK_WITH_AES_256_GCM_SHA384: 169;
+    readonly TLS1_CK_DHE_PSK_WITH_AES_128_GCM_SHA256: 170;
+    readonly TLS1_CK_DHE_PSK_WITH_AES_256_GCM_SHA384: 171;
+    readonly TLS1_CK_RSA_PSK_WITH_AES_128_GCM_SHA256: 172;
+    readonly TLS1_CK_RSA_PSK_WITH_AES_256_GCM_SHA384: 173;
+    readonly TLS1_CK_PSK_WITH_AES_128_CBC_SHA256: 174;
+    readonly TLS1_CK_PSK_WITH_AES_256_CBC_SHA384: 175;
+    readonly TLS1_CK_PSK_WITH_NULL_SHA256: 176;
+    readonly TLS1_CK_PSK_WITH_NULL_SHA384: 177;
+    readonly TLS1_CK_DHE_PSK_WITH_AES_128_CBC_SHA256: 178;
+    readonly TLS1_CK_DHE_PSK_WITH_AES_256_CBC_SHA384: 179;
+    readonly TLS1_CK_DHE_PSK_WITH_NULL_SHA256: 180;
+    readonly TLS1_CK_DHE_PSK_WITH_NULL_SHA384: 181;
+    readonly TLS1_CK_RSA_PSK_WITH_AES_128_CBC_SHA256: 182;
+    readonly TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA384: 183;
+    readonly TLS1_CK_RSA_PSK_WITH_NULL_SHA256: 184;
+    readonly TLS1_CK_RSA_PSK_WITH_NULL_SHA384: 185;
+    readonly TLS1_CK_PSK_WITH_NULL_SHA: 44;
+    readonly TLS1_CK_DHE_PSK_WITH_NULL_SHA: 45;
+    readonly TLS1_CK_RSA_PSK_WITH_NULL_SHA: 46;
+    readonly TLS1_CK_RSA_WITH_AES_128_SHA: 47;
+    readonly TLS1_CK_DH_DSS_WITH_AES_128_SHA: 48;
+    readonly TLS1_CK_DH_RSA_WITH_AES_128_SHA: 49;
+    readonly TLS1_CK_DHE_DSS_WITH_AES_128_SHA: 50;
+    readonly TLS1_CK_DHE_RSA_WITH_AES_128_SHA: 51;
+    readonly TLS1_CK_ADH_WITH_AES_128_SHA: 52;
+    readonly TLS1_CK_RSA_WITH_AES_256_SHA: 53;
+    readonly TLS1_CK_DH_DSS_WITH_AES_256_SHA: 54;
+    readonly TLS1_CK_DH_RSA_WITH_AES_256_SHA: 55;
+    readonly TLS1_CK_DHE_DSS_WITH_AES_256_SHA: 56;
+    readonly TLS1_CK_DHE_RSA_WITH_AES_256_SHA: 57;
+    readonly TLS1_CK_ADH_WITH_AES_256_SHA: 58;
+    readonly TLS1_CK_RSA_WITH_NULL_SHA256: 59;
+    readonly TLS1_CK_RSA_WITH_AES_128_SHA256: 60;
+    readonly TLS1_CK_RSA_WITH_AES_256_SHA256: 61;
+    readonly TLS1_CK_DH_DSS_WITH_AES_128_SHA256: 62;
+    readonly TLS1_CK_DH_RSA_WITH_AES_128_SHA256: 63;
+    readonly TLS1_CK_DHE_DSS_WITH_AES_128_SHA256: 64;
+    readonly TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA: 65;
+    readonly TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA: 66;
+    readonly TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA: 67;
+    readonly TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: 68;
+    readonly TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: 69;
+    readonly TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA: 70;
+    readonly TLS1_CK_DHE_RSA_WITH_AES_128_SHA256: 103;
+    readonly TLS1_CK_DH_DSS_WITH_AES_256_SHA256: 104;
+    readonly TLS1_CK_DH_RSA_WITH_AES_256_SHA256: 105;
+    readonly TLS1_CK_DHE_DSS_WITH_AES_256_SHA256: 106;
+    readonly TLS1_CK_DHE_RSA_WITH_AES_256_SHA256: 107;
+    readonly TLS1_CK_ADH_WITH_AES_128_SHA256: 108;
+    readonly TLS1_CK_ADH_WITH_AES_256_SHA256: 109;
+    readonly TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA: 132;
+    readonly TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA: 133;
+    readonly TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA: 134;
+    readonly TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: 135;
+    readonly TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: 136;
+    readonly TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA: 137;
+    readonly TLS1_CK_RSA_WITH_SEED_SHA: 150;
+    readonly TLS1_CK_DH_DSS_WITH_SEED_SHA: 151;
+    readonly TLS1_CK_DH_RSA_WITH_SEED_SHA: 152;
+    readonly TLS1_CK_DHE_DSS_WITH_SEED_SHA: 153;
+    readonly TLS1_CK_DHE_RSA_WITH_SEED_SHA: 154;
+    readonly TLS1_CK_ADH_WITH_SEED_SHA: 155;
+    readonly TLS1_CK_RSA_WITH_AES_128_GCM_SHA256: 156;
+    readonly TLS1_CK_RSA_WITH_AES_256_GCM_SHA384: 157;
+    readonly TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256: 158;
+    readonly TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384: 159;
+    readonly TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256: 160;
+    readonly TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384: 161;
+    readonly TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256: 162;
+    readonly TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384: 163;
+    readonly TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256: 164;
+    readonly TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384: 165;
+    readonly TLS1_CK_ADH_WITH_AES_128_GCM_SHA256: 166;
+    readonly TLS1_CK_ADH_WITH_AES_256_GCM_SHA384: 167;
+    readonly TLS1_CK_RSA_WITH_AES_128_CCM: 49308;
+    readonly TLS1_CK_RSA_WITH_AES_256_CCM: 49309;
+    readonly TLS1_CK_DHE_RSA_WITH_AES_128_CCM: 49310;
+    readonly TLS1_CK_DHE_RSA_WITH_AES_256_CCM: 49311;
+    readonly TLS1_CK_RSA_WITH_AES_128_CCM_8: 49312;
+    readonly TLS1_CK_RSA_WITH_AES_256_CCM_8: 49313;
+    readonly TLS1_CK_DHE_RSA_WITH_AES_128_CCM_8: 49314;
+    readonly TLS1_CK_DHE_RSA_WITH_AES_256_CCM_8: 49315;
+    readonly TLS1_CK_PSK_WITH_AES_128_CCM: 49316;
+    readonly TLS1_CK_PSK_WITH_AES_256_CCM: 49317;
+    readonly TLS1_CK_DHE_PSK_WITH_AES_128_CCM: 49318;
+    readonly TLS1_CK_DHE_PSK_WITH_AES_256_CCM: 49319;
+    readonly TLS1_CK_PSK_WITH_AES_128_CCM_8: 49320;
+    readonly TLS1_CK_PSK_WITH_AES_256_CCM_8: 49321;
+    readonly TLS1_CK_DHE_PSK_WITH_AES_128_CCM_8: 49322;
+    readonly TLS1_CK_DHE_PSK_WITH_AES_256_CCM_8: 49323;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM: 49324;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM: 49325;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM_8: 49326;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM_8: 49327;
+    readonly TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256: 186;
+    readonly TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: 187;
+    readonly TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: 188;
+    readonly TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: 189;
+    readonly TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: 190;
+    readonly TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256: 191;
+    readonly TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256: 192;
+    readonly TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: 193;
+    readonly TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: 194;
+    readonly TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: 195;
+    readonly TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: 196;
+    readonly TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256: 197;
+    readonly TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA: 49153;
+    readonly TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA: 49154;
+    readonly TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA: 49155;
+    readonly TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA: 49156;
+    readonly TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA: 49157;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA: 49158;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA: 49159;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA: 49160;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: 49161;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: 49162;
+    readonly TLS1_CK_ECDH_RSA_WITH_NULL_SHA: 49163;
+    readonly TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA: 49164;
+    readonly TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA: 49165;
+    readonly TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA: 49166;
+    readonly TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA: 49167;
+    readonly TLS1_CK_ECDHE_RSA_WITH_NULL_SHA: 49168;
+    readonly TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA: 49169;
+    readonly TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA: 49170;
+    readonly TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA: 49171;
+    readonly TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA: 49172;
+    readonly TLS1_CK_ECDH_anon_WITH_NULL_SHA: 49173;
+    readonly TLS1_CK_ECDH_anon_WITH_RC4_128_SHA: 49174;
+    readonly TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA: 49175;
+    readonly TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA: 49176;
+    readonly TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA: 49177;
+    readonly TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA: 49178;
+    readonly TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA: 49179;
+    readonly TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA: 49180;
+    readonly TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA: 49181;
+    readonly TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA: 49182;
+    readonly TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA: 49183;
+    readonly TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA: 49184;
+    readonly TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA: 49185;
+    readonly TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA: 49186;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256: 49187;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384: 49188;
+    readonly TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256: 49189;
+    readonly TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384: 49190;
+    readonly TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256: 49191;
+    readonly TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384: 49192;
+    readonly TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256: 49193;
+    readonly TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384: 49194;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: 49195;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 49196;
+    readonly TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: 49197;
+    readonly TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: 49198;
+    readonly TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256: 49199;
+    readonly TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384: 49200;
+    readonly TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256: 49201;
+    readonly TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384: 49202;
+    readonly TLS1_CK_ECDHE_PSK_WITH_RC4_128_SHA: 49203;
+    readonly TLS1_CK_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA: 49204;
+    readonly TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA: 49205;
+    readonly TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA: 49206;
+    readonly TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA256: 49207;
+    readonly TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA384: 49208;
+    readonly TLS1_CK_ECDHE_PSK_WITH_NULL_SHA: 49209;
+    readonly TLS1_CK_ECDHE_PSK_WITH_NULL_SHA256: 49210;
+    readonly TLS1_CK_ECDHE_PSK_WITH_NULL_SHA384: 49211;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: 49266;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: 49267;
+    readonly TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: 49268;
+    readonly TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: 49269;
+    readonly TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: 49270;
+    readonly TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: 49271;
+    readonly TLS1_CK_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: 49272;
+    readonly TLS1_CK_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: 49273;
+    readonly TLS1_CK_PSK_WITH_CAMELLIA_128_CBC_SHA256: 49300;
+    readonly TLS1_CK_PSK_WITH_CAMELLIA_256_CBC_SHA384: 49301;
+    readonly TLS1_CK_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: 49302;
+    readonly TLS1_CK_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: 49303;
+    readonly TLS1_CK_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256: 49304;
+    readonly TLS1_CK_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384: 49305;
+    readonly TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: 49306;
+    readonly TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: 49307;
+    readonly TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305: 52392;
+    readonly TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: 52393;
+    readonly TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305: 52394;
+    readonly TLS1_CK_PSK_WITH_CHACHA20_POLY1305: 52395;
+    readonly TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305: 52396;
+    readonly TLS1_CK_DHE_PSK_WITH_CHACHA20_POLY1305: 52397;
+    readonly TLS1_CK_RSA_PSK_WITH_CHACHA20_POLY1305: 52398;
+};
+export declare const CipherSuitesNames: any;

package/lib/tls/extensions/0_server_name.d.ts

@@ -0,0 +1,33 @@
+/**
+ * TLS server_name extension
+ * https://www.rfc-editor.org/rfc/rfc6066.html
+ */
+export interface ServerNameList {
+    server_name_list: ServerName[];
+}
+export interface ServerName {
+    name_type: typeof ServerNameTypes;
+    name: {
+        host_name: string;
+    };
+}
+export declare const ServerNameTypes: {
+    readonly host_name: 0;
+};
+export type ServerNameType = (typeof ServerNameTypes)[keyof typeof ServerNameTypes];
+export declare const ServerNameNames: any;
+export declare class ServerNameExtension {
+    static decodeFromClient(data: Uint8Array): ServerNameList;
+    /**
+     * Encode the server_name extension
+     *
+     * +------------------------------------+
+     * | Extension Type (server_name) [2B]  |
+     * | 0x00 0x00                          |
+     * +------------------------------------+
+     * | Extension Length             [2B]  |
+     * | 0x00 0x00                          |
+     * +------------------------------------+
+     */
+    static encodeForClient(serverNames?: ServerNameList): Uint8Array;
+}

package/lib/tls/extensions/10_supported_groups.d.ts

@@ -0,0 +1,44 @@
+/**
+ * TLS supported_groups extension
+ * https://www.iana.org/go/rfc7919
+ * https://www.iana.org/go/rfc8422
+ */
+export declare const SupportedGroups: {
+    readonly secp256r1: 23;
+    readonly secp384r1: 24;
+    readonly secp521r1: 25;
+    readonly x25519: 29;
+    readonly x448: 30;
+};
+export declare const SupportedGroupsNames: any;
+export type SupportedGroup = keyof typeof SupportedGroups;
+export type ParsedSupportedGroups = (keyof typeof SupportedGroups)[];
+export declare class SupportedGroupsExtension {
+    /**
+     * +--------------------------------------------------+
+     * | Payload Length                            [2B]   |
+     * +--------------------------------------------------+
+     * | Supported Groups List Length              [2B]   |
+     * +--------------------------------------------------+
+     * | Supported Group 1                         [2B]   |
+     * +--------------------------------------------------+
+     * | Supported Group 2                         [2B]   |
+     * +--------------------------------------------------+
+     * | ...                                              |
+     * +--------------------------------------------------+
+     * | Supported Group n                         [2B]   |
+     * +--------------------------------------------------+
+     */
+    static decodeFromClient(data: Uint8Array): ParsedSupportedGroups;
+    /**
+     * +--------------------------------------------------+
+     * | Extension Type (supported_groups)         [2B]   |
+     * | 0x00 0x0A                                        |
+     * +--------------------------------------------------+
+     * | Extension Length                          [2B]   |
+     * +--------------------------------------------------+
+     * | Selected Group                            [2B]   |
+     * +--------------------------------------------------+
+     */
+    static encodeForClient(group: SupportedGroup): Uint8Array;
+}

package/lib/tls/extensions/11_ec_point_formats.d.ts

@@ -0,0 +1,45 @@
+/**
+ * TLS ec_point_formats extension
+ * https://www.rfc-editor.org/rfc/rfc4492#section-5.1.2
+ */
+export declare const ECPointFormats: {
+    readonly uncompressed: 0;
+    readonly ansiX962_compressed_prime: 1;
+    readonly ansiX962_compressed_char2: 2;
+};
+export type ECPointFormat = keyof typeof ECPointFormats;
+export declare const ECPointFormatNames: any;
+export type ParsedECPointFormats = (keyof typeof ECPointFormats)[];
+export declare class ECPointFormatsExtension {
+    /**
+     * +--------------------------------------------------+
+     * | Payload Length                            [2B]   |
+     * +--------------------------------------------------+
+     * | EC Point Formats Length                   [1B]   |
+     * +--------------------------------------------------+
+     * | EC Point Format 1                         [1B]   |
+     * +--------------------------------------------------+
+     * | EC Point Format 2                         [1B]   |
+     * +--------------------------------------------------+
+     * | ...                                              |
+     * +--------------------------------------------------+
+     * | EC Point Format n                         [1B]   |
+     * +--------------------------------------------------+
+     */
+    static decodeFromClient(data: Uint8Array): ParsedECPointFormats;
+    /**
+     * Encode the ec_point_formats extension
+     *
+     * +--------------------------------------------------+
+     * | Extension Type (ec_point_formats)         [2B]   |
+     * | 0x00 0x0B                                        |
+     * +--------------------------------------------------+
+     * | Body Length                               [2B]   |
+     * +--------------------------------------------------+
+     * | EC Point Format Length                    [1B]   |
+     * +--------------------------------------------------+
+     * | EC Point Format                           [1B]   |
+     * +--------------------------------------------------+
+     */
+    static encodeForClient(format: ECPointFormat): Uint8Array;
+}

package/lib/tls/extensions/13_signature_algorithms.d.ts

@@ -0,0 +1,74 @@
+/**
+ * TLS signature_algorithms extension
+ * https://www.rfc-editor.org/rfc/rfc8446.html#page-41
+ */
+/**
+ * A list of supported signature algorithms,
+ * one byte per algorithm.
+ */
+export type SignatureAlgorithms = Uint8Array;
+/**
+ * Signature algorithms from
+ * https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1
+ */
+export declare const SignatureAlgorithms: {
+    anonymous: number;
+    rsa: number;
+    dsa: number;
+    ecdsa: number;
+};
+export type SignatureAlgorithm = keyof typeof SignatureAlgorithms;
+export declare const SignatureAlgorithmsNames: any;
+/**
+ * Hash algorithms from
+ * https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1
+ */
+export declare const HashAlgorithms: {
+    none: number;
+    md5: number;
+    sha1: number;
+    sha224: number;
+    sha256: number;
+    sha384: number;
+    sha512: number;
+};
+export type HashAlgorithm = keyof typeof HashAlgorithms;
+export declare const HashAlgorithmsNames: any;
+export type ParsedSignatureAlgorithm = {
+    hash: HashAlgorithm;
+    algorithm: SignatureAlgorithm;
+};
+/**
+ * Handles the signature algorithms extension as defined in
+ * https://www.rfc-editor.org/rfc/rfc8446.html#page-41
+ */
+export declare class SignatureAlgorithmsExtension {
+    /**
+     * Binary layout:
+     *
+     * +------------------------------------+
+     * | Payload Length              [2B]   |
+     * +------------------------------------+
+     * | Hash Algorithm 1            [1B]   |
+     * | Signature Algorithm 1       [1B]   |
+     * +------------------------------------+
+     * | Hash Algorithm 2            [1B]   |
+     * | Signature Algorithm 2       [1B]   |
+     * +------------------------------------+
+     * | ...                                |
+     * +------------------------------------+
+     */
+    static decodeFromClient(data: Uint8Array): ParsedSignatureAlgorithm[];
+    /**
+     * +--------------------------------------------------+
+     * | Extension Type (signature_algorithms)     [2B]   |
+     * | 0x00 0x0D                                        |
+     * +--------------------------------------------------+
+     * | Body Length                               [2B]   |
+     * +--------------------------------------------------+
+     * | Hash Algorithm                            [1B]   |
+     * | Signature Algorithm                       [1B]   |
+     * +--------------------------------------------------+
+     */
+    static encodeforClient(hash: HashAlgorithm, algorithm: SignatureAlgorithm): Uint8Array;
+}

package/lib/tls/extensions/parse-extensions.d.ts

@@ -0,0 +1,66 @@
+import { ServerNameExtension, ServerNameList } from './0_server_name';
+import { ParsedSupportedGroups, SupportedGroupsExtension } from './10_supported_groups';
+import { ParsedECPointFormats, ECPointFormatsExtension } from './11_ec_point_formats';
+import { SignatureAlgorithms, SignatureAlgorithmsExtension } from './13_signature_algorithms';
+export declare const TLSExtensionsHandlers: {
+    readonly server_name: typeof ServerNameExtension;
+    readonly signature_algorithms: typeof SignatureAlgorithmsExtension;
+    readonly supported_groups: typeof SupportedGroupsExtension;
+    readonly ec_point_formats: typeof ECPointFormatsExtension;
+};
+export type SupportedTLSExtension = keyof typeof TLSExtensionsHandlers;
+export type ParsedExtension = {
+    type: 'server_name';
+    data: ServerNameList;
+    raw: Uint8Array;
+} | {
+    type: 'signature_algorithms';
+    data: SignatureAlgorithms;
+    raw: Uint8Array;
+} | {
+    type: 'ec_point_formats';
+    data: ParsedECPointFormats;
+    raw: Uint8Array;
+} | {
+    type: 'supported_groups';
+    data: ParsedSupportedGroups;
+    raw: Uint8Array;
+};
+/**
+ * The extensions in a ClientHello message are encoded as follows:
+ *
+ * struct {
+ *     ExtensionType extension_type;
+ *     opaque extension_data<0..2^16-1>;
+ * } Extension;
+ *
+ * The overall extensions structure is:
+ *
+ * Extension extensions<0..2^16-1>;
+ *
+ * This means:
+ * •	There's a 2-byte length field for the entire extensions block.
+ * •	Followed by zero or more individual extensions.
+ *
+ * Binary Data Layout
+ *
+ * +-----------------------------+
+ * | Extension 1 Type (2 bytes)  |
+ * +-----------------------------+
+ * | Extension 1 Length (2 bytes)|
+ * +-----------------------------+
+ * | Extension 1 Data (variable) |
+ * +-----------------------------+
+ * | Extension 2 Type (2 bytes)  |
+ * +-----------------------------+
+ * | Extension 2 Length (2 bytes)|
+ * +-----------------------------+
+ * | Extension 2 Data (variable) |
+ * +-----------------------------+
+ * | ... (more extensions)       |
+ * +-----------------------------+
+ *
+ * @param data
+ * @returns
+ */
+export declare function parseClientHelloExtensions(data: Uint8Array): ParsedExtension[];