npm - @ripwords/myinvois-client - Versions diffs - 0.2.40 → 0.2.41 - Mend

@ripwords/myinvois-client 0.2.40 → 0.2.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (46) hide show

package/dist/{apiQueue-CrR6pgYn.js → apiQueue-CCrZMnMu.js} +11 -10
package/dist/{apiQueue-Dj0xtcGe.cjs → apiQueue-Djd7WlnV.cjs} +12 -11
package/dist/apiQueue-Djd7WlnV.cjs.map +1 -0
package/dist/index.cjs +2 -2
package/dist/index.cjs.map +1 -1
package/dist/index.js +2 -2
package/dist/index10.cjs +4 -195
package/dist/index11.cjs +22 -0
package/dist/index12.cjs +2 -24
package/dist/index13.cjs +3 -0
package/dist/index14.cjs +330 -0
package/dist/{index29.cjs.map → index14.cjs.map} +1 -1
package/dist/index15.cjs +189 -25
package/dist/index15.cjs.map +1 -1
package/dist/index16.cjs +53 -16
package/dist/index16.cjs.map +1 -1
package/dist/index17.cjs +532 -0
package/dist/index17.cjs.map +1 -0
package/dist/index18.cjs +187 -25
package/dist/index18.cjs.map +1 -1
package/dist/index19.cjs +0 -24
package/dist/index20.cjs +25 -0
package/dist/{index12.cjs.map → index20.cjs.map} +1 -1
package/dist/index23.cjs +28 -3
package/dist/index23.cjs.map +1 -0
package/dist/index24.cjs +21 -9
package/dist/index24.cjs.map +1 -1
package/dist/index25.cjs +0 -5
package/dist/index26.cjs +33 -21
package/dist/index26.cjs.map +1 -0
package/dist/index27.cjs +23 -2
package/dist/{index19.cjs.map → index27.cjs.map} +1 -1
package/dist/index28.cjs +0 -3
package/dist/index29.cjs +0 -330
package/dist/index30.cjs +0 -193
package/dist/index68.cts.map +1 -1
package/dist/index8.cjs +3 -61
package/dist/index9.cjs +9 -528
package/dist/index9.cjs.map +1 -1
package/dist/utils/apiQueue.d.ts +3 -1
package/dist/utils/apiQueue.js +1 -1
package/package.json +1 -1
package/dist/apiQueue-Dj0xtcGe.cjs.map +0 -1
package/dist/index10.cjs.map +0 -1
package/dist/index30.cjs.map +0 -1
package/dist/index8.cjs.map +0 -1

package/dist/index14.cjs CHANGED Viewed

@@ -0,0 +1,330 @@
+const require_chunk = require('./chunk-CUT6urMc.cjs');
+require('./formatIdValue-i67o4kyD.cjs');
+const require_document = require('./document-CCza2JPL.cjs');
+const crypto = require_chunk.__toESM(require("crypto"));
+//#region src/utils/signature-diagnostics.ts
+/**
+* Analyzes certificate for MyInvois compatibility issues
+*/
+function analyzeCertificateForDiagnostics(certificatePem) {
+	const issues = [];
+	const recommendations = [];
+	try {
+		const cert = new crypto.default.X509Certificate(certificatePem);
+		const certInfo = require_document.extractCertificateInfo(certificatePem);
+		const parseSubjectFields = (dn) => {
+			const fields = {};
+			dn.split("\n").forEach((line) => {
+				const trimmed = line.trim();
+				if (trimmed.includes("=")) {
+					const [key, ...valueParts] = trimmed.split("=");
+					if (key) fields[key.trim()] = valueParts.join("=").trim();
+				}
+			});
+			return fields;
+		};
+		const subjectFields = parseSubjectFields(cert.subject);
+		const organizationIdentifier = subjectFields["organizationIdentifier"] || subjectFields["2.5.4.97"];
+		const serialNumber = subjectFields["serialNumber"];
+		if (!organizationIdentifier) {
+			issues.push("DS311: Certificate missing organizationIdentifier field (TIN)");
+			recommendations.push("CRITICAL: Generate new certificate with organizationIdentifier matching your MyInvois TIN");
+			recommendations.push("Portal Error: \"Signer of invoice doesn't match the submitter of document. TIN doesn't match with the OI.\"");
+		} else if (organizationIdentifier.length < 10) {
+			issues.push("DS311: OrganizationIdentifier (TIN) appears too short - may cause submission rejection");
+			recommendations.push("Verify TIN format matches exactly what is registered in MyInvois");
+		}
+		if (!serialNumber) {
+			issues.push("DS312: Certificate missing serialNumber field (business registration)");
+			recommendations.push("CRITICAL: Generate new certificate with serialNumber matching your business registration");
+			recommendations.push("Portal Error: \"Submitter registration/identity number doesn't match with the certificate SERIALNUMBER.\"");
+		}
+		if (cert.issuer === cert.subject) {
+			issues.push("DS329: Self-signed certificate detected - will fail chain of trust validation");
+			recommendations.push("BLOCKING: Obtain certificate from MyInvois-approved CA:");
+			recommendations.push("• MSC Trustgate Sdn Bhd");
+			recommendations.push("• DigiCert Sdn Bhd");
+			recommendations.push("• Cybersign Asia Sdn Bhd");
+			recommendations.push("Portal Error: \"Certificate is not valid according to the chain of trust validation or has been issued by an untrusted certificate authority.\"");
+		} else {
+			const issuerName = cert.issuer.toLowerCase();
+			const approvedCAs = [
+				"msc trustgate",
+				"digicert",
+				"cybersign"
+			];
+			const isFromApprovedCA = approvedCAs.some((ca) => issuerName.includes(ca));
+			if (!isFromApprovedCA) {
+				issues.push("DS329: Certificate may not be from MyInvois-approved CA");
+				recommendations.push("Verify certificate was issued by an approved CA for MyInvois");
+			}
+		}
+		const rawIssuer = cert.issuer;
+		const normalizedIssuer = certInfo.issuerName;
+		const normalizedIssuerIssues = [
+			{
+				check: normalizedIssuer.includes("\n"),
+				issue: "Normalized issuer still contains newlines"
+			},
+			{
+				check: normalizedIssuer.includes("  "),
+				issue: "Normalized issuer contains double spaces"
+			},
+			{
+				check: /=\s+/.test(normalizedIssuer),
+				issue: "Normalized issuer has spaces after equals"
+			},
+			{
+				check: /\s+=/.test(normalizedIssuer),
+				issue: "Normalized issuer has spaces before equals"
+			},
+			{
+				check: normalizedIssuer.includes("\r"),
+				issue: "Normalized issuer contains carriage returns"
+			}
+		];
+		const hasActualFormatIssues = normalizedIssuerIssues.some(({ check, issue }) => {
+			if (check) {
+				issues.push(`DS326: ${issue} - will cause X509IssuerName mismatch`);
+				return true;
+			}
+			return false;
+		});
+		const hasRawIssuesButNormalizedOk = rawIssuer.includes("\n") && !normalizedIssuer.includes("\n");
+		if (hasActualFormatIssues) {
+			recommendations.push("CRITICAL: Fix issuer name normalization in signature generation");
+			recommendations.push("Portal Error: \"Certificate X509IssuerName doesn't match the X509IssuerName value provided in the signed properties section.\"");
+			recommendations.push("The normalization function is not properly formatting the issuer name");
+			recommendations.push("Debug: Check document.ts extractCertificateInfo() normalization logic");
+		} else if (hasRawIssuesButNormalizedOk) console.log("ℹ️  Note: Raw certificate issuer has newlines but normalization is handling them correctly");
+		const now = /* @__PURE__ */ new Date();
+		const validFrom = new Date(cert.validFrom);
+		const validTo = new Date(cert.validTo);
+		if (now < validFrom) {
+			issues.push("DS329: Certificate not yet valid (future start date)");
+			recommendations.push("Wait until certificate validity period begins");
+		}
+		if (now > validTo) {
+			issues.push("DS329: Certificate has expired");
+			recommendations.push("BLOCKING: Renew certificate - expired certificates are rejected");
+		}
+		try {
+			if (cert.keyUsage && !cert.keyUsage.includes("digital signature")) {
+				issues.push("DS333: Certificate lacks digitalSignature key usage");
+				recommendations.push("Generate new certificate with digitalSignature key usage enabled");
+			}
+		} catch {
+			console.log("Note: Could not check key usage extensions");
+		}
+		return {
+			organizationIdentifier,
+			serialNumber,
+			issuerName: certInfo.issuerName,
+			subjectName: certInfo.subjectName,
+			issues,
+			recommendations
+		};
+	} catch (error) {
+		issues.push(`Certificate parsing failed: ${error}`);
+		recommendations.push("Verify certificate format and validity");
+		return {
+			issuerName: "",
+			subjectName: "",
+			issues,
+			recommendations
+		};
+	}
+}
+/**
+* Analyzes signature generation for potential issues
+*/
+function analyzeSignatureForDiagnostics(invoices, certificatePem) {
+	const issues = [];
+	const recommendations = [];
+	try {
+		const documentDigest = require_document.calculateDocumentDigest(invoices);
+		const certificateDigest = require_document.calculateCertificateDigest(certificatePem);
+		const certInfo = require_document.extractCertificateInfo(certificatePem);
+		const signingTime = (/* @__PURE__ */ new Date()).toISOString();
+		const signedProperties = require_document.createSignedProperties(certificateDigest, signingTime, certInfo.issuerName, certInfo.serialNumber);
+		const signedPropertiesDigest = require_document.calculateSignedPropertiesDigest(signedProperties);
+		if (documentDigest.length === 0) {
+			issues.push("DS333: Document digest generation failed");
+			recommendations.push("CRITICAL: Verify document serialization excludes UBLExtensions/Signature");
+			recommendations.push("Portal Error: \"Document signature value is not a valid signature of the document digest using the public key of the certificate provided.\"");
+		}
+		if (certificateDigest.length === 0) {
+			issues.push("DS333: Certificate digest generation failed");
+			recommendations.push("CRITICAL: Verify certificate format and encoding");
+			recommendations.push("Certificate must be properly base64 encoded without headers/footers");
+		}
+		if (signedPropertiesDigest.length === 0) {
+			issues.push("DS333: Signed properties digest generation failed");
+			recommendations.push("CRITICAL: Verify signed properties structure and canonicalization");
+			recommendations.push("Check XML canonicalization (C14N) is applied correctly");
+		}
+		try {
+			const cert = new crypto.default.X509Certificate(certificatePem);
+			const publicKey = cert.publicKey;
+			const keyDetails = publicKey.asymmetricKeyDetails;
+			if (keyDetails) {
+				if (publicKey.asymmetricKeyType === "rsa" && keyDetails.modulusLength && keyDetails.modulusLength < 2048) {
+					issues.push("DS333: RSA key size too small (minimum 2048 bits required)");
+					recommendations.push("CRITICAL: Generate new certificate with RSA 2048+ bits");
+				}
+				const supportedKeyTypes = ["rsa", "ec"];
+				if (!supportedKeyTypes.includes(publicKey.asymmetricKeyType || "")) {
+					issues.push(`DS333: Unsupported key type: ${publicKey.asymmetricKeyType}`);
+					recommendations.push("CRITICAL: Use RSA or EC key types for MyInvois compatibility");
+				}
+			}
+			const certBuffer = Buffer.from(certificatePem.replace(/-----[^-]+-----/g, "").replace(/\s/g, ""), "base64");
+			if (certBuffer.length === 0) {
+				issues.push("DS333: Certificate encoding appears invalid");
+				recommendations.push("CRITICAL: Verify certificate is properly PEM encoded");
+			}
+		} catch (error) {
+			issues.push(`DS333: Certificate validation failed - ${error}`);
+			recommendations.push("CRITICAL: Verify certificate format and structure are valid");
+		}
+		const isValidBase64 = (str) => {
+			try {
+				return Buffer.from(str, "base64").toString("base64") === str;
+			} catch {
+				return false;
+			}
+		};
+		if (documentDigest && !isValidBase64(documentDigest)) {
+			issues.push("DS333: Document digest is not valid base64 format");
+			recommendations.push("Ensure digest is properly base64 encoded");
+		}
+		if (certificateDigest && !isValidBase64(certificateDigest)) {
+			issues.push("DS333: Certificate digest is not valid base64 format");
+			recommendations.push("Ensure certificate digest is properly base64 encoded");
+		}
+		if (signedPropertiesDigest && !isValidBase64(signedPropertiesDigest)) {
+			issues.push("DS333: Signed properties digest is not valid base64 format");
+			recommendations.push("Ensure signed properties digest is properly base64 encoded");
+		}
+		return {
+			documentDigest,
+			certificateDigest,
+			signedPropertiesDigest,
+			issues,
+			recommendations
+		};
+	} catch (error) {
+		issues.push(`Signature analysis failed: ${error}`);
+		recommendations.push("Review signature generation implementation");
+		return {
+			documentDigest: "",
+			certificateDigest: "",
+			signedPropertiesDigest: "",
+			issues,
+			recommendations
+		};
+	}
+}
+/**
+* Comprehensive signature diagnostics
+*/
+function diagnoseSignatureIssues(invoices, certificatePem) {
+	const certificateAnalysis = analyzeCertificateForDiagnostics(certificatePem);
+	const signatureAnalysis = analyzeSignatureForDiagnostics(invoices, certificatePem);
+	const certificateIssues = certificateAnalysis.issues.length;
+	const signatureIssues = signatureAnalysis.issues.length;
+	return {
+		certificateAnalysis,
+		signatureAnalysis,
+		summary: {
+			totalIssues: certificateIssues + signatureIssues,
+			certificateIssues,
+			signatureIssues
+		}
+	};
+}
+/**
+* Prints diagnostic results in a formatted way
+*/
+function printDiagnostics(result) {
+	console.log("\n🔍 MyInvois Signature Diagnostics Report");
+	console.log("=".repeat(60));
+	console.log("\n📜 CERTIFICATE ANALYSIS");
+	console.log("-".repeat(30));
+	console.log(`  Issuer: ${result.certificateAnalysis.issuerName}`);
+	console.log(`  Subject: ${result.certificateAnalysis.subjectName}`);
+	if (result.certificateAnalysis.organizationIdentifier) console.log(`  Organization ID (TIN): ${result.certificateAnalysis.organizationIdentifier}`);
+	if (result.certificateAnalysis.serialNumber) console.log(`  Serial Number: ${result.certificateAnalysis.serialNumber}`);
+	if (result.certificateAnalysis.issues.length > 0) {
+		console.log("\n  🚨 Certificate Issues:");
+		result.certificateAnalysis.issues.forEach((issue, index) => {
+			console.log(`    ${index + 1}. ${issue}`);
+		});
+	}
+	if (result.certificateAnalysis.recommendations.length > 0) {
+		console.log("\n  💡 Certificate Recommendations:");
+		result.certificateAnalysis.recommendations.forEach((rec, index) => {
+			console.log(`    ${index + 1}. ${rec}`);
+		});
+	}
+	console.log("\n🔐 SIGNATURE ANALYSIS");
+	console.log("-".repeat(30));
+	console.log(`  Document Digest: ${result.signatureAnalysis.documentDigest.substring(0, 32)}...`);
+	console.log(`  Certificate Digest: ${result.signatureAnalysis.certificateDigest.substring(0, 32)}...`);
+	console.log(`  Signed Properties Digest: ${result.signatureAnalysis.signedPropertiesDigest.substring(0, 32)}...`);
+	if (result.signatureAnalysis.issues.length > 0) {
+		console.log("\n  🚨 Signature Issues:");
+		result.signatureAnalysis.issues.forEach((issue, index) => {
+			console.log(`    ${index + 1}. ${issue}`);
+		});
+	}
+	if (result.signatureAnalysis.recommendations.length > 0) {
+		console.log("\n  💡 Signature Recommendations:");
+		result.signatureAnalysis.recommendations.forEach((rec, index) => {
+			console.log(`    ${index + 1}. ${rec}`);
+		});
+	}
+	console.log("\n📊 SUMMARY");
+	console.log("-".repeat(30));
+	console.log(`  Total Issues Found: ${result.summary.totalIssues}`);
+	console.log(`  Certificate Issues: ${result.summary.certificateIssues}`);
+	console.log(`  Signature Issues: ${result.summary.signatureIssues}`);
+	if (result.summary.totalIssues === 0) {
+		console.log("\n  ✅ No issues detected in current analysis");
+		console.log("  🎉 Certificate and signature implementation appear valid");
+	} else {
+		console.log("\n  ⚠️  Issues detected - review recommendations above");
+		const hasDS311 = result.certificateAnalysis.issues.some((issue) => issue.includes("DS311"));
+		const hasDS312 = result.certificateAnalysis.issues.some((issue) => issue.includes("DS312"));
+		const hasDS326 = result.certificateAnalysis.issues.some((issue) => issue.includes("DS326"));
+		const hasDS329 = result.certificateAnalysis.issues.some((issue) => issue.includes("DS329"));
+		const hasDS333 = result.signatureAnalysis.issues.some((issue) => issue.includes("DS333"));
+		console.log("\n  🎯 MYINVOIS PORTAL ERROR ANALYSIS:");
+		if (hasDS311) console.log("     ❌ DS311 - TIN mismatch between certificate and submitter");
+		if (hasDS312) console.log("     ❌ DS312 - Registration number mismatch with certificate");
+		if (hasDS326) console.log("     ❌ DS326 - X509IssuerName format inconsistency");
+		if (hasDS329) console.log("     ❌ DS329 - Certificate trust chain validation failure");
+		if (hasDS333) console.log("     ❌ DS333 - Document signature validation failure");
+		if (result.summary.certificateIssues > 0) {
+			console.log("\n  🚨 PRIMARY ACTION REQUIRED:");
+			console.log("     Certificate issues must be resolved first");
+			console.log("     Self-generated certificates cannot pass MyInvois validation");
+		}
+		if (result.summary.signatureIssues > 0) {
+			console.log("\n  ⚙️  SECONDARY ACTION:");
+			console.log("     Review and optimize signature implementation");
+		}
+		console.log("\n  📋 NEXT STEPS:");
+		console.log("     1. Address BLOCKING/CRITICAL issues first");
+		console.log("     2. Test with updated certificate/implementation");
+		console.log("     3. Re-run diagnostics to verify fixes");
+		console.log("     4. Submit test document to MyInvois portal");
+	}
+	console.log("\n" + "=".repeat(60));
+}
+//#endregion
+exports.diagnoseSignatureIssues = diagnoseSignatureIssues;
+exports.printDiagnostics = printDiagnostics;
+//# sourceMappingURL=index14.cjs.map

package/dist/{index29.cjs.map → index14.cjs.map} RENAMED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index29.cjs","names":["certificatePem: string","issues: string[]","recommendations: string[]","dn: string","fields: Record<string, string>","invoices: InvoiceV1_1[]","str: string","result: DiagnosticResult"],"sources":["../src/utils/signature-diagnostics.ts"],"sourcesContent":["import crypto from 'crypto'\nimport type { InvoiceV1_1 } from '../types'\nimport {\n extractCertificateInfo,\n calculateDocumentDigest,\n calculateSignedPropertiesDigest,\n createSignedProperties,\n calculateCertificateDigest,\n} from './document'\n\nexport interface CertificateAnalysisResult {\n organizationIdentifier?: string\n serialNumber?: string\n issuerName: string\n subjectName: string\n issues: string[]\n recommendations: string[]\n}\n\nexport interface SignatureAnalysisResult {\n documentDigest: string\n certificateDigest: string\n signedPropertiesDigest: string\n issues: string[]\n recommendations: string[]\n}\n\nexport interface DiagnosticResult {\n certificateAnalysis: CertificateAnalysisResult\n signatureAnalysis: SignatureAnalysisResult\n summary: {\n totalIssues: number\n certificateIssues: number\n signatureIssues: number\n }\n}\n\n/*\n Analyzes certificate for MyInvois compatibility issues\n /\nfunction analyzeCertificateForDiagnostics(\n certificatePem: string,\n): CertificateAnalysisResult {\n const issues: string[] = []\n const recommendations: string[] = []\n\n try {\n const cert = new crypto.X509Certificate(certificatePem)\n const certInfo = extractCertificateInfo(certificatePem)\n\n // Parse subject fields for MyInvois analysis\n const parseSubjectFields = (dn: string) => {\n const fields: Record<string, string> = {}\n dn.split('\\n').forEach(line => {\n const trimmed = line.trim()\n if (trimmed.includes('=')) {\n const [key, ...valueParts] = trimmed.split('=')\n if (key) {\n fields[key.trim()] = valueParts.join('=').trim()\n }\n }\n })\n return fields\n }\n\n const subjectFields = parseSubjectFields(cert.subject)\n const organizationIdentifier =\n subjectFields['organizationIdentifier'] \|\| subjectFields['2.5.4.97']\n const serialNumber = subjectFields['serialNumber']\n\n // DS311 - TIN Mismatch Analysis\n if (!organizationIdentifier) {\n issues.push(\n 'DS311: Certificate missing organizationIdentifier field (TIN)',\n )\n recommendations.push(\n 'CRITICAL: Generate new certificate with organizationIdentifier matching your MyInvois TIN',\n )\n recommendations.push(\n 'Portal Error: \"Signer of invoice doesn\\'t match the submitter of document. TIN doesn\\'t match with the OI.\"',\n )\n } else {\n // Additional TIN format validation\n if (organizationIdentifier.length < 10) {\n issues.push(\n 'DS311: OrganizationIdentifier (TIN) appears too short - may cause submission rejection',\n )\n recommendations.push(\n 'Verify TIN format matches exactly what is registered in MyInvois',\n )\n }\n }\n\n // DS312 - Registration Number Analysis\n if (!serialNumber) {\n issues.push(\n 'DS312: Certificate missing serialNumber field (business registration)',\n )\n recommendations.push(\n 'CRITICAL: Generate new certificate with serialNumber matching your business registration',\n )\n recommendations.push(\n 'Portal Error: \"Submitter registration/identity number doesn\\'t match with the certificate SERIALNUMBER.\"',\n )\n }\n\n // DS329 - Certificate Trust Analysis\n if (cert.issuer === cert.subject) {\n issues.push(\n 'DS329: Self-signed certificate detected - will fail chain of trust validation',\n )\n recommendations.push(\n 'BLOCKING: Obtain certificate from MyInvois-approved CA:',\n )\n recommendations.push('• MSC Trustgate Sdn Bhd')\n recommendations.push('• DigiCert Sdn Bhd')\n recommendations.push('• Cybersign Asia Sdn Bhd')\n recommendations.push(\n 'Portal Error: \"Certificate is not valid according to the chain of trust validation or has been issued by an untrusted certificate authority.\"',\n )\n } else {\n // Check if issuer looks like a known CA\n const issuerName = cert.issuer.toLowerCase()\n const approvedCAs = ['msc trustgate', 'digicert', 'cybersign']\n const isFromApprovedCA = approvedCAs.some(ca => issuerName.includes(ca))\n\n if (!isFromApprovedCA) {\n issues.push('DS329: Certificate may not be from MyInvois-approved CA')\n recommendations.push(\n 'Verify certificate was issued by an approved CA for MyInvois',\n )\n }\n }\n\n // DS326 - Issuer Name Format Analysis (Enhanced)\n const rawIssuer = cert.issuer\n const normalizedIssuer = certInfo.issuerName\n\n // Check for issues in the NORMALIZED issuer (these are actual problems)\n const normalizedIssuerIssues = [\n {\n check: normalizedIssuer.includes('\\n'),\n issue: 'Normalized issuer still contains newlines',\n },\n {\n check: normalizedIssuer.includes(' '),\n issue: 'Normalized issuer contains double spaces',\n },\n {\n check: /=\\s+/.test(normalizedIssuer),\n issue: 'Normalized issuer has spaces after equals',\n },\n {\n check: /\\s+=/.test(normalizedIssuer),\n issue: 'Normalized issuer has spaces before equals',\n },\n {\n check: normalizedIssuer.includes('\\r'),\n issue: 'Normalized issuer contains carriage returns',\n },\n ]\n\n // Only report actual issues in the normalized version that will cause portal errors\n const hasActualFormatIssues = normalizedIssuerIssues.some(\n ({ check, issue }) => {\n if (check) {\n issues.push(`DS326: ${issue} - will cause X509IssuerName mismatch`)\n return true\n }\n return false\n },\n )\n\n // Check if raw issuer has issues but normalized version is OK (informational)\n const hasRawIssuesButNormalizedOk =\n rawIssuer.includes('\\n') && !normalizedIssuer.includes('\\n')\n\n if (hasActualFormatIssues) {\n recommendations.push(\n 'CRITICAL: Fix issuer name normalization in signature generation',\n )\n recommendations.push(\n 'Portal Error: \"Certificate X509IssuerName doesn\\'t match the X509IssuerName value provided in the signed properties section.\"',\n )\n recommendations.push(\n 'The normalization function is not properly formatting the issuer name',\n )\n recommendations.push(\n 'Debug: Check document.ts extractCertificateInfo() normalization logic',\n )\n } else if (hasRawIssuesButNormalizedOk) {\n // This is informational - normalization is working correctly\n console.log(\n 'ℹ️ Note: Raw certificate issuer has newlines but normalization is handling them correctly',\n )\n }\n\n // Additional certificate validity checks\n const now = new Date()\n const validFrom = new Date(cert.validFrom)\n const validTo = new Date(cert.validTo)\n\n if (now < validFrom) {\n issues.push('DS329: Certificate not yet valid (future start date)')\n recommendations.push('Wait until certificate validity period begins')\n }\n\n if (now > validTo) {\n issues.push('DS329: Certificate has expired')\n recommendations.push(\n 'BLOCKING: Renew certificate - expired certificates are rejected',\n )\n }\n\n // Check certificate key usage (if available)\n try {\n if (cert.keyUsage && !cert.keyUsage.includes('digital signature')) {\n issues.push('DS333: Certificate lacks digitalSignature key usage')\n recommendations.push(\n 'Generate new certificate with digitalSignature key usage enabled',\n )\n }\n } catch {\n // Key usage might not be available in all certificates\n console.log('Note: Could not check key usage extensions')\n }\n\n return {\n organizationIdentifier,\n serialNumber,\n issuerName: certInfo.issuerName,\n subjectName: certInfo.subjectName,\n issues,\n recommendations,\n }\n } catch (error) {\n issues.push(`Certificate parsing failed: ${error}`)\n recommendations.push('Verify certificate format and validity')\n\n return {\n issuerName: '',\n subjectName: '',\n issues,\n recommendations,\n }\n }\n}\n\n/\n Analyzes signature generation for potential issues\n /\nfunction analyzeSignatureForDiagnostics(\n invoices: InvoiceV1_1[],\n certificatePem: string,\n): SignatureAnalysisResult {\n const issues: string[] = []\n const recommendations: string[] = []\n\n try {\n // Step 1: Document digest\n const documentDigest = calculateDocumentDigest(invoices)\n\n // Step 2: Certificate digest\n const certificateDigest = calculateCertificateDigest(certificatePem)\n\n // Step 3: Extract certificate info\n const certInfo = extractCertificateInfo(certificatePem)\n const signingTime = new Date().toISOString()\n\n // Step 4: Create signed properties\n const signedProperties = createSignedProperties(\n certificateDigest,\n signingTime,\n certInfo.issuerName,\n certInfo.serialNumber,\n )\n\n // Step 5: Signed properties digest\n const signedPropertiesDigest =\n calculateSignedPropertiesDigest(signedProperties)\n\n // DS333 - Document Signature Validation\n if (documentDigest.length === 0) {\n issues.push('DS333: Document digest generation failed')\n recommendations.push(\n 'CRITICAL: Verify document serialization excludes UBLExtensions/Signature',\n )\n recommendations.push(\n 'Portal Error: \"Document signature value is not a valid signature of the document digest using the public key of the certificate provided.\"',\n )\n }\n\n if (certificateDigest.length === 0) {\n issues.push('DS333: Certificate digest generation failed')\n recommendations.push('CRITICAL: Verify certificate format and encoding')\n recommendations.push(\n 'Certificate must be properly base64 encoded without headers/footers',\n )\n }\n\n if (signedPropertiesDigest.length === 0) {\n issues.push('DS333: Signed properties digest generation failed')\n recommendations.push(\n 'CRITICAL: Verify signed properties structure and canonicalization',\n )\n recommendations.push(\n 'Check XML canonicalization (C14N) is applied correctly',\n )\n }\n\n // Additional DS333 checks\n try {\n const cert = new crypto.X509Certificate(certificatePem)\n\n // Verify the certificate has the required algorithms for MyInvois\n const publicKey = cert.publicKey\n const keyDetails = publicKey.asymmetricKeyDetails\n\n if (keyDetails) {\n // Check if key size is adequate for RSA (minimum 2048 bits)\n if (\n publicKey.asymmetricKeyType === 'rsa' &&\n keyDetails.modulusLength &&\n keyDetails.modulusLength < 2048\n ) {\n issues.push(\n 'DS333: RSA key size too small (minimum 2048 bits required)',\n )\n recommendations.push(\n 'CRITICAL: Generate new certificate with RSA 2048+ bits',\n )\n }\n\n // Check supported key types\n const supportedKeyTypes = ['rsa', 'ec']\n if (!supportedKeyTypes.includes(publicKey.asymmetricKeyType \|\| '')) {\n issues.push(\n `DS333: Unsupported key type: ${publicKey.asymmetricKeyType}`,\n )\n recommendations.push(\n 'CRITICAL: Use RSA or EC key types for MyInvois compatibility',\n )\n }\n }\n\n // Test certificate format validity\n const certBuffer = Buffer.from(\n certificatePem.replace(/-----[^-]+-----/g, '').replace(/\\s/g, ''),\n 'base64',\n )\n if (certBuffer.length === 0) {\n issues.push('DS333: Certificate encoding appears invalid')\n recommendations.push(\n 'CRITICAL: Verify certificate is properly PEM encoded',\n )\n }\n } catch (error) {\n issues.push(`DS333: Certificate validation failed - ${error}`)\n recommendations.push(\n 'CRITICAL: Verify certificate format and structure are valid',\n )\n }\n\n // Validate digest formats (should be base64)\n const isValidBase64 = (str: string) => {\n try {\n return Buffer.from(str, 'base64').toString('base64') === str\n } catch {\n return false\n }\n }\n\n if (documentDigest && !isValidBase64(documentDigest)) {\n issues.push('DS333: Document digest is not valid base64 format')\n recommendations.push('Ensure digest is properly base64 encoded')\n }\n\n if (certificateDigest && !isValidBase64(certificateDigest)) {\n issues.push('DS333: Certificate digest is not valid base64 format')\n recommendations.push(\n 'Ensure certificate digest is properly base64 encoded',\n )\n }\n\n if (signedPropertiesDigest && !isValidBase64(signedPropertiesDigest)) {\n issues.push('DS333: Signed properties digest is not valid base64 format')\n recommendations.push(\n 'Ensure signed properties digest is properly base64 encoded',\n )\n }\n\n return {\n documentDigest,\n certificateDigest,\n signedPropertiesDigest,\n issues,\n recommendations,\n }\n } catch (error) {\n issues.push(`Signature analysis failed: ${error}`)\n recommendations.push('Review signature generation implementation')\n\n return {\n documentDigest: '',\n certificateDigest: '',\n signedPropertiesDigest: '',\n issues,\n recommendations,\n }\n }\n}\n\n/\n Comprehensive signature diagnostics\n /\nexport function diagnoseSignatureIssues(\n invoices: InvoiceV1_1[],\n certificatePem: string,\n): DiagnosticResult {\n const certificateAnalysis = analyzeCertificateForDiagnostics(certificatePem)\n const signatureAnalysis = analyzeSignatureForDiagnostics(\n invoices,\n certificatePem,\n )\n\n const certificateIssues = certificateAnalysis.issues.length\n const signatureIssues = signatureAnalysis.issues.length\n\n return {\n certificateAnalysis,\n signatureAnalysis,\n summary: {\n totalIssues: certificateIssues + signatureIssues,\n certificateIssues,\n signatureIssues,\n },\n }\n}\n\n/\n Prints diagnostic results in a formatted way\n */\nexport function printDiagnostics(result: DiagnosticResult): void {\n console.log('\\n🔍 MyInvois Signature Diagnostics Report')\n console.log('='.repeat(60))\n\n // Certificate Analysis\n console.log('\\n📜 CERTIFICATE ANALYSIS')\n console.log('-'.repeat(30))\n\n console.log(` Issuer: ${result.certificateAnalysis.issuerName}`)\n console.log(` Subject: ${result.certificateAnalysis.subjectName}`)\n\n if (result.certificateAnalysis.organizationIdentifier) {\n console.log(\n ` Organization ID (TIN): ${result.certificateAnalysis.organizationIdentifier}`,\n )\n }\n\n if (result.certificateAnalysis.serialNumber) {\n console.log(` Serial Number: ${result.certificateAnalysis.serialNumber}`)\n }\n\n if (result.certificateAnalysis.issues.length > 0) {\n console.log('\\n 🚨 Certificate Issues:')\n result.certificateAnalysis.issues.forEach((issue, index) => {\n console.log(` ${index + 1}. ${issue}`)\n })\n }\n\n if (result.certificateAnalysis.recommendations.length > 0) {\n console.log('\\n 💡 Certificate Recommendations:')\n result.certificateAnalysis.recommendations.forEach((rec, index) => {\n console.log(` ${index + 1}. ${rec}`)\n })\n }\n\n // Signature Analysis\n console.log('\\n🔐 SIGNATURE ANALYSIS')\n console.log('-'.repeat(30))\n\n console.log(\n ` Document Digest: ${result.signatureAnalysis.documentDigest.substring(0, 32)}...`,\n )\n console.log(\n ` Certificate Digest: ${result.signatureAnalysis.certificateDigest.substring(0, 32)}...`,\n )\n console.log(\n ` Signed Properties Digest: ${result.signatureAnalysis.signedPropertiesDigest.substring(0, 32)}...`,\n )\n\n if (result.signatureAnalysis.issues.length > 0) {\n console.log('\\n 🚨 Signature Issues:')\n result.signatureAnalysis.issues.forEach((issue, index) => {\n console.log(` ${index + 1}. ${issue}`)\n })\n }\n\n if (result.signatureAnalysis.recommendations.length > 0) {\n console.log('\\n 💡 Signature Recommendations:')\n result.signatureAnalysis.recommendations.forEach((rec, index) => {\n console.log(` ${index + 1}. ${rec}`)\n })\n }\n\n // Summary\n console.log('\\n📊 SUMMARY')\n console.log('-'.repeat(30))\n console.log(` Total Issues Found: ${result.summary.totalIssues}`)\n console.log(` Certificate Issues: ${result.summary.certificateIssues}`)\n console.log(` Signature Issues: ${result.summary.signatureIssues}`)\n\n if (result.summary.totalIssues === 0) {\n console.log('\\n ✅ No issues detected in current analysis')\n console.log(' 🎉 Certificate and signature implementation appear valid')\n } else {\n console.log('\\n ⚠️ Issues detected - review recommendations above')\n\n // Check for specific portal errors\n const hasDS311 = result.certificateAnalysis.issues.some(issue =>\n issue.includes('DS311'),\n )\n const hasDS312 = result.certificateAnalysis.issues.some(issue =>\n issue.includes('DS312'),\n )\n const hasDS326 = result.certificateAnalysis.issues.some(issue =>\n issue.includes('DS326'),\n )\n const hasDS329 = result.certificateAnalysis.issues.some(issue =>\n issue.includes('DS329'),\n )\n const hasDS333 = result.signatureAnalysis.issues.some(issue =>\n issue.includes('DS333'),\n )\n\n console.log('\\n 🎯 MYINVOIS PORTAL ERROR ANALYSIS:')\n\n if (hasDS311) {\n console.log(\n ' ❌ DS311 - TIN mismatch between certificate and submitter',\n )\n }\n\n if (hasDS312) {\n console.log(\n ' ❌ DS312 - Registration number mismatch with certificate',\n )\n }\n\n if (hasDS326) {\n console.log(' ❌ DS326 - X509IssuerName format inconsistency')\n }\n\n if (hasDS329) {\n console.log(' ❌ DS329 - Certificate trust chain validation failure')\n }\n\n if (hasDS333) {\n console.log(' ❌ DS333 - Document signature validation failure')\n }\n\n if (result.summary.certificateIssues > 0) {\n console.log('\\n 🚨 PRIMARY ACTION REQUIRED:')\n console.log(' Certificate issues must be resolved first')\n console.log(\n ' Self-generated certificates cannot pass MyInvois validation',\n )\n }\n\n if (result.summary.signatureIssues > 0) {\n console.log('\\n ⚙️ SECONDARY ACTION:')\n console.log(' Review and optimize signature implementation')\n }\n\n console.log('\\n 📋 NEXT STEPS:')\n console.log(' 1. Address BLOCKING/CRITICAL issues first')\n console.log(' 2. Test with updated certificate/implementation')\n console.log(' 3. Re-run diagnostics to verify fixes')\n console.log(' 4. Submit test document to MyInvois portal')\n }\n\n console.log('\\n' + '='.repeat(60))\n}\n"],"mappings":";;;;;;;;;AAwCA,SAAS,iCACPA,gBAC2B;CAC3B,MAAMC,SAAmB,CAAE;CAC3B,MAAMC,kBAA4B,CAAE;AAEpC,KAAI;EACF,MAAM,OAAO,IAAI,eAAO,gBAAgB;EACxC,MAAM,WAAW,wCAAuB,eAAe;EAGvD,MAAM,qBAAqB,CAACC,OAAe;GACzC,MAAMC,SAAiC,CAAE;AACzC,MAAG,MAAM,KAAK,CAAC,QAAQ,UAAQ;IAC7B,MAAM,UAAU,KAAK,MAAM;AAC3B,QAAI,QAAQ,SAAS,IAAI,EAAE;KACzB,MAAM,CAAC,KAAK,GAAG,WAAW,GAAG,QAAQ,MAAM,IAAI;AAC/C,SAAI,IACF,QAAO,IAAI,MAAM,IAAI,WAAW,KAAK,IAAI,CAAC,MAAM;IAEnD;GACF,EAAC;AACF,UAAO;EACR;EAED,MAAM,gBAAgB,mBAAmB,KAAK,QAAQ;EACtD,MAAM,yBACJ,cAAc,6BAA6B,cAAc;EAC3D,MAAM,eAAe,cAAc;AAGnC,OAAK,wBAAwB;AAC3B,UAAO,KACL,gEACD;AACD,mBAAgB,KACd,4FACD;AACD,mBAAgB,KACd,8GACD;EACF,WAEK,uBAAuB,SAAS,IAAI;AACtC,UAAO,KACL,yFACD;AACD,mBAAgB,KACd,mEACD;EACF;AAIH,OAAK,cAAc;AACjB,UAAO,KACL,wEACD;AACD,mBAAgB,KACd,2FACD;AACD,mBAAgB,KACd,4GACD;EACF;AAGD,MAAI,KAAK,WAAW,KAAK,SAAS;AAChC,UAAO,KACL,gFACD;AACD,mBAAgB,KACd,0DACD;AACD,mBAAgB,KAAK,0BAA0B;AAC/C,mBAAgB,KAAK,qBAAqB;AAC1C,mBAAgB,KAAK,2BAA2B;AAChD,mBAAgB,KACd,kJACD;EACF,OAAM;GAEL,MAAM,aAAa,KAAK,OAAO,aAAa;GAC5C,MAAM,cAAc;IAAC;IAAiB;IAAY;GAAY;GAC9D,MAAM,mBAAmB,YAAY,KAAK,QAAM,WAAW,SAAS,GAAG,CAAC;AAExE,QAAK,kBAAkB;AACrB,WAAO,KAAK,0DAA0D;AACtE,oBAAgB,KACd,+DACD;GACF;EACF;EAGD,MAAM,YAAY,KAAK;EACvB,MAAM,mBAAmB,SAAS;EAGlC,MAAM,yBAAyB;GAC7B;IACE,OAAO,iBAAiB,SAAS,KAAK;IACtC,OAAO;GACR;GACD;IACE,OAAO,iBAAiB,SAAS,KAAK;IACtC,OAAO;GACR;GACD;IACE,OAAO,OAAO,KAAK,iBAAiB;IACpC,OAAO;GACR;GACD;IACE,OAAO,OAAO,KAAK,iBAAiB;IACpC,OAAO;GACR;GACD;IACE,OAAO,iBAAiB,SAAS,KAAK;IACtC,OAAO;GACR;EACF;EAGD,MAAM,wBAAwB,uBAAuB,KACnD,CAAC,EAAE,OAAO,OAAO,KAAK;AACpB,OAAI,OAAO;AACT,WAAO,MAAM,SAAS,MAAM,uCAAuC;AACnE,WAAO;GACR;AACD,UAAO;EACR,EACF;EAGD,MAAM,8BACJ,UAAU,SAAS,KAAK,KAAK,iBAAiB,SAAS,KAAK;AAE9D,MAAI,uBAAuB;AACzB,mBAAgB,KACd,kEACD;AACD,mBAAgB,KACd,iIACD;AACD,mBAAgB,KACd,wEACD;AACD,mBAAgB,KACd,wEACD;EACF,WAAU,4BAET,SAAQ,IACN,6FACD;EAIH,MAAM,sBAAM,IAAI;EAChB,MAAM,YAAY,IAAI,KAAK,KAAK;EAChC,MAAM,UAAU,IAAI,KAAK,KAAK;AAE9B,MAAI,MAAM,WAAW;AACnB,UAAO,KAAK,uDAAuD;AACnE,mBAAgB,KAAK,gDAAgD;EACtE;AAED,MAAI,MAAM,SAAS;AACjB,UAAO,KAAK,iCAAiC;AAC7C,mBAAgB,KACd,kEACD;EACF;AAGD,MAAI;AACF,OAAI,KAAK,aAAa,KAAK,SAAS,SAAS,oBAAoB,EAAE;AACjE,WAAO,KAAK,sDAAsD;AAClE,oBAAgB,KACd,mEACD;GACF;EACF,QAAO;AAEN,WAAQ,IAAI,6CAA6C;EAC1D;AAED,SAAO;GACL;GACA;GACA,YAAY,SAAS;GACrB,aAAa,SAAS;GACtB;GACA;EACD;CACF,SAAQ,OAAO;AACd,SAAO,MAAM,8BAA8B,MAAM,EAAE;AACnD,kBAAgB,KAAK,yCAAyC;AAE9D,SAAO;GACL,YAAY;GACZ,aAAa;GACb;GACA;EACD;CACF;AACF;;;;AAKD,SAAS,+BACPC,UACAL,gBACyB;CACzB,MAAMC,SAAmB,CAAE;CAC3B,MAAMC,kBAA4B,CAAE;AAEpC,KAAI;EAEF,MAAM,iBAAiB,yCAAwB,SAAS;EAGxD,MAAM,oBAAoB,4CAA2B,eAAe;EAGpE,MAAM,WAAW,wCAAuB,eAAe;EACvD,MAAM,cAAc,qBAAI,QAAO,aAAa;EAG5C,MAAM,mBAAmB,wCACvB,mBACA,aACA,SAAS,YACT,SAAS,aACV;EAGD,MAAM,yBACJ,iDAAgC,iBAAiB;AAGnD,MAAI,eAAe,WAAW,GAAG;AAC/B,UAAO,KAAK,2CAA2C;AACvD,mBAAgB,KACd,2EACD;AACD,mBAAgB,KACd,+IACD;EACF;AAED,MAAI,kBAAkB,WAAW,GAAG;AAClC,UAAO,KAAK,8CAA8C;AAC1D,mBAAgB,KAAK,mDAAmD;AACxE,mBAAgB,KACd,sEACD;EACF;AAED,MAAI,uBAAuB,WAAW,GAAG;AACvC,UAAO,KAAK,oDAAoD;AAChE,mBAAgB,KACd,oEACD;AACD,mBAAgB,KACd,yDACD;EACF;AAGD,MAAI;GACF,MAAM,OAAO,IAAI,eAAO,gBAAgB;GAGxC,MAAM,YAAY,KAAK;GACvB,MAAM,aAAa,UAAU;AAE7B,OAAI,YAAY;AAEd,QACE,UAAU,sBAAsB,SAChC,WAAW,iBACX,WAAW,gBAAgB,MAC3B;AACA,YAAO,KACL,6DACD;AACD,qBAAgB,KACd,yDACD;IACF;IAGD,MAAM,oBAAoB,CAAC,OAAO,IAAK;AACvC,SAAK,kBAAkB,SAAS,UAAU,qBAAqB,GAAG,EAAE;AAClE,YAAO,MACJ,+BAA+B,UAAU,kBAAkB,EAC7D;AACD,qBAAgB,KACd,+DACD;IACF;GACF;GAGD,MAAM,aAAa,OAAO,KACxB,eAAe,QAAQ,oBAAoB,GAAG,CAAC,QAAQ,OAAO,GAAG,EACjE,SACD;AACD,OAAI,WAAW,WAAW,GAAG;AAC3B,WAAO,KAAK,8CAA8C;AAC1D,oBAAgB,KACd,uDACD;GACF;EACF,SAAQ,OAAO;AACd,UAAO,MAAM,yCAAyC,MAAM,EAAE;AAC9D,mBAAgB,KACd,8DACD;EACF;EAGD,MAAM,gBAAgB,CAACI,QAAgB;AACrC,OAAI;AACF,WAAO,OAAO,KAAK,KAAK,SAAS,CAAC,SAAS,SAAS,KAAK;GAC1D,QAAO;AACN,WAAO;GACR;EACF;AAED,MAAI,mBAAmB,cAAc,eAAe,EAAE;AACpD,UAAO,KAAK,oDAAoD;AAChE,mBAAgB,KAAK,2CAA2C;EACjE;AAED,MAAI,sBAAsB,cAAc,kBAAkB,EAAE;AAC1D,UAAO,KAAK,uDAAuD;AACnE,mBAAgB,KACd,uDACD;EACF;AAED,MAAI,2BAA2B,cAAc,uBAAuB,EAAE;AACpE,UAAO,KAAK,6DAA6D;AACzE,mBAAgB,KACd,6DACD;EACF;AAED,SAAO;GACL;GACA;GACA;GACA;GACA;EACD;CACF,SAAQ,OAAO;AACd,SAAO,MAAM,6BAA6B,MAAM,EAAE;AAClD,kBAAgB,KAAK,6CAA6C;AAElE,SAAO;GACL,gBAAgB;GAChB,mBAAmB;GACnB,wBAAwB;GACxB;GACA;EACD;CACF;AACF;;;;AAKD,SAAgB,wBACdD,UACAL,gBACkB;CAClB,MAAM,sBAAsB,iCAAiC,eAAe;CAC5E,MAAM,oBAAoB,+BACxB,UACA,eACD;CAED,MAAM,oBAAoB,oBAAoB,OAAO;CACrD,MAAM,kBAAkB,kBAAkB,OAAO;AAEjD,QAAO;EACL;EACA;EACA,SAAS;GACP,aAAa,oBAAoB;GACjC;GACA;EACD;CACF;AACF;;;;AAKD,SAAgB,iBAAiBO,QAAgC;AAC/D,SAAQ,IAAI,6CAA6C;AACzD,SAAQ,IAAI,IAAI,OAAO,GAAG,CAAC;AAG3B,SAAQ,IAAI,4BAA4B;AACxC,SAAQ,IAAI,IAAI,OAAO,GAAG,CAAC;AAE3B,SAAQ,KAAK,YAAY,OAAO,oBAAoB,WAAW,EAAE;AACjE,SAAQ,KAAK,aAAa,OAAO,oBAAoB,YAAY,EAAE;AAEnE,KAAI,OAAO,oBAAoB,uBAC7B,SAAQ,KACL,2BAA2B,OAAO,oBAAoB,uBAAuB,EAC/E;AAGH,KAAI,OAAO,oBAAoB,aAC7B,SAAQ,KAAK,mBAAmB,OAAO,oBAAoB,aAAa,EAAE;AAG5E,KAAI,OAAO,oBAAoB,OAAO,SAAS,GAAG;AAChD,UAAQ,IAAI,6BAA6B;AACzC,SAAO,oBAAoB,OAAO,QAAQ,CAAC,OAAO,UAAU;AAC1D,WAAQ,KAAK,MAAM,QAAQ,EAAE,IAAI,MAAM,EAAE;EAC1C,EAAC;CACH;AAED,KAAI,OAAO,oBAAoB,gBAAgB,SAAS,GAAG;AACzD,UAAQ,IAAI,sCAAsC;AAClD,SAAO,oBAAoB,gBAAgB,QAAQ,CAAC,KAAK,UAAU;AACjE,WAAQ,KAAK,MAAM,QAAQ,EAAE,IAAI,IAAI,EAAE;EACxC,EAAC;CACH;AAGD,SAAQ,IAAI,0BAA0B;AACtC,SAAQ,IAAI,IAAI,OAAO,GAAG,CAAC;AAE3B,SAAQ,KACL,qBAAqB,OAAO,kBAAkB,eAAe,UAAU,GAAG,GAAG,CAAC,KAChF;AACD,SAAQ,KACL,wBAAwB,OAAO,kBAAkB,kBAAkB,UAAU,GAAG,GAAG,CAAC,KACtF;AACD,SAAQ,KACL,8BAA8B,OAAO,kBAAkB,uBAAuB,UAAU,GAAG,GAAG,CAAC,KACjG;AAED,KAAI,OAAO,kBAAkB,OAAO,SAAS,GAAG;AAC9C,UAAQ,IAAI,2BAA2B;AACvC,SAAO,kBAAkB,OAAO,QAAQ,CAAC,OAAO,UAAU;AACxD,WAAQ,KAAK,MAAM,QAAQ,EAAE,IAAI,MAAM,EAAE;EAC1C,EAAC;CACH;AAED,KAAI,OAAO,kBAAkB,gBAAgB,SAAS,GAAG;AACvD,UAAQ,IAAI,oCAAoC;AAChD,SAAO,kBAAkB,gBAAgB,QAAQ,CAAC,KAAK,UAAU;AAC/D,WAAQ,KAAK,MAAM,QAAQ,EAAE,IAAI,IAAI,EAAE;EACxC,EAAC;CACH;AAGD,SAAQ,IAAI,eAAe;AAC3B,SAAQ,IAAI,IAAI,OAAO,GAAG,CAAC;AAC3B,SAAQ,KAAK,wBAAwB,OAAO,QAAQ,YAAY,EAAE;AAClE,SAAQ,KAAK,wBAAwB,OAAO,QAAQ,kBAAkB,EAAE;AACxE,SAAQ,KAAK,sBAAsB,OAAO,QAAQ,gBAAgB,EAAE;AAEpE,KAAI,OAAO,QAAQ,gBAAgB,GAAG;AACpC,UAAQ,IAAI,+CAA+C;AAC3D,UAAQ,IAAI,6DAA6D;CAC1E,OAAM;AACL,UAAQ,IAAI,yDAAyD;EAGrE,MAAM,WAAW,OAAO,oBAAoB,OAAO,KAAK,WACtD,MAAM,SAAS,QAAQ,CACxB;EACD,MAAM,WAAW,OAAO,oBAAoB,OAAO,KAAK,WACtD,MAAM,SAAS,QAAQ,CACxB;EACD,MAAM,WAAW,OAAO,oBAAoB,OAAO,KAAK,WACtD,MAAM,SAAS,QAAQ,CACxB;EACD,MAAM,WAAW,OAAO,oBAAoB,OAAO,KAAK,WACtD,MAAM,SAAS,QAAQ,CACxB;EACD,MAAM,WAAW,OAAO,kBAAkB,OAAO,KAAK,WACpD,MAAM,SAAS,QAAQ,CACxB;AAED,UAAQ,IAAI,yCAAyC;AAErD,MAAI,SACF,SAAQ,IACN,gEACD;AAGH,MAAI,SACF,SAAQ,IACN,+DACD;AAGH,MAAI,SACF,SAAQ,IAAI,qDAAqD;AAGnE,MAAI,SACF,SAAQ,IAAI,4DAA4D;AAG1E,MAAI,SACF,SAAQ,IAAI,uDAAuD;AAGrE,MAAI,OAAO,QAAQ,oBAAoB,GAAG;AACxC,WAAQ,IAAI,kCAAkC;AAC9C,WAAQ,IAAI,iDAAiD;AAC7D,WAAQ,IACN,mEACD;EACF;AAED,MAAI,OAAO,QAAQ,kBAAkB,GAAG;AACtC,WAAQ,IAAI,4BAA4B;AACxC,WAAQ,IAAI,oDAAoD;EACjE;AAED,UAAQ,IAAI,qBAAqB;AACjC,UAAQ,IAAI,iDAAiD;AAC7D,UAAQ,IAAI,uDAAuD;AACnE,UAAQ,IAAI,6CAA6C;AACzD,UAAQ,IAAI,kDAAkD;CAC/D;AAED,SAAQ,IAAI,OAAO,IAAI,OAAO,GAAG,CAAC;AACnC"}
1	+ {"version":3,"file":"index14.cjs","names":["certificatePem: string","issues: string[]","recommendations: string[]","dn: string","fields: Record<string, string>","invoices: InvoiceV1_1[]","str: string","result: DiagnosticResult"],"sources":["../src/utils/signature-diagnostics.ts"],"sourcesContent":["import crypto from 'crypto'\nimport type { InvoiceV1_1 } from '../types'\nimport {\n extractCertificateInfo,\n calculateDocumentDigest,\n calculateSignedPropertiesDigest,\n createSignedProperties,\n calculateCertificateDigest,\n} from './document'\n\nexport interface CertificateAnalysisResult {\n organizationIdentifier?: string\n serialNumber?: string\n issuerName: string\n subjectName: string\n issues: string[]\n recommendations: string[]\n}\n\nexport interface SignatureAnalysisResult {\n documentDigest: string\n certificateDigest: string\n signedPropertiesDigest: string\n issues: string[]\n recommendations: string[]\n}\n\nexport interface DiagnosticResult {\n certificateAnalysis: CertificateAnalysisResult\n signatureAnalysis: SignatureAnalysisResult\n summary: {\n totalIssues: number\n certificateIssues: number\n signatureIssues: number\n }\n}\n\n/*\n Analyzes certificate for MyInvois compatibility issues\n /\nfunction analyzeCertificateForDiagnostics(\n certificatePem: string,\n): CertificateAnalysisResult {\n const issues: string[] = []\n const recommendations: string[] = []\n\n try {\n const cert = new crypto.X509Certificate(certificatePem)\n const certInfo = extractCertificateInfo(certificatePem)\n\n // Parse subject fields for MyInvois analysis\n const parseSubjectFields = (dn: string) => {\n const fields: Record<string, string> = {}\n dn.split('\\n').forEach(line => {\n const trimmed = line.trim()\n if (trimmed.includes('=')) {\n const [key, ...valueParts] = trimmed.split('=')\n if (key) {\n fields[key.trim()] = valueParts.join('=').trim()\n }\n }\n })\n return fields\n }\n\n const subjectFields = parseSubjectFields(cert.subject)\n const organizationIdentifier =\n subjectFields['organizationIdentifier'] \|\| subjectFields['2.5.4.97']\n const serialNumber = subjectFields['serialNumber']\n\n // DS311 - TIN Mismatch Analysis\n if (!organizationIdentifier) {\n issues.push(\n 'DS311: Certificate missing organizationIdentifier field (TIN)',\n )\n recommendations.push(\n 'CRITICAL: Generate new certificate with organizationIdentifier matching your MyInvois TIN',\n )\n recommendations.push(\n 'Portal Error: \"Signer of invoice doesn\\'t match the submitter of document. TIN doesn\\'t match with the OI.\"',\n )\n } else {\n // Additional TIN format validation\n if (organizationIdentifier.length < 10) {\n issues.push(\n 'DS311: OrganizationIdentifier (TIN) appears too short - may cause submission rejection',\n )\n recommendations.push(\n 'Verify TIN format matches exactly what is registered in MyInvois',\n )\n }\n }\n\n // DS312 - Registration Number Analysis\n if (!serialNumber) {\n issues.push(\n 'DS312: Certificate missing serialNumber field (business registration)',\n )\n recommendations.push(\n 'CRITICAL: Generate new certificate with serialNumber matching your business registration',\n )\n recommendations.push(\n 'Portal Error: \"Submitter registration/identity number doesn\\'t match with the certificate SERIALNUMBER.\"',\n )\n }\n\n // DS329 - Certificate Trust Analysis\n if (cert.issuer === cert.subject) {\n issues.push(\n 'DS329: Self-signed certificate detected - will fail chain of trust validation',\n )\n recommendations.push(\n 'BLOCKING: Obtain certificate from MyInvois-approved CA:',\n )\n recommendations.push('• MSC Trustgate Sdn Bhd')\n recommendations.push('• DigiCert Sdn Bhd')\n recommendations.push('• Cybersign Asia Sdn Bhd')\n recommendations.push(\n 'Portal Error: \"Certificate is not valid according to the chain of trust validation or has been issued by an untrusted certificate authority.\"',\n )\n } else {\n // Check if issuer looks like a known CA\n const issuerName = cert.issuer.toLowerCase()\n const approvedCAs = ['msc trustgate', 'digicert', 'cybersign']\n const isFromApprovedCA = approvedCAs.some(ca => issuerName.includes(ca))\n\n if (!isFromApprovedCA) {\n issues.push('DS329: Certificate may not be from MyInvois-approved CA')\n recommendations.push(\n 'Verify certificate was issued by an approved CA for MyInvois',\n )\n }\n }\n\n // DS326 - Issuer Name Format Analysis (Enhanced)\n const rawIssuer = cert.issuer\n const normalizedIssuer = certInfo.issuerName\n\n // Check for issues in the NORMALIZED issuer (these are actual problems)\n const normalizedIssuerIssues = [\n {\n check: normalizedIssuer.includes('\\n'),\n issue: 'Normalized issuer still contains newlines',\n },\n {\n check: normalizedIssuer.includes(' '),\n issue: 'Normalized issuer contains double spaces',\n },\n {\n check: /=\\s+/.test(normalizedIssuer),\n issue: 'Normalized issuer has spaces after equals',\n },\n {\n check: /\\s+=/.test(normalizedIssuer),\n issue: 'Normalized issuer has spaces before equals',\n },\n {\n check: normalizedIssuer.includes('\\r'),\n issue: 'Normalized issuer contains carriage returns',\n },\n ]\n\n // Only report actual issues in the normalized version that will cause portal errors\n const hasActualFormatIssues = normalizedIssuerIssues.some(\n ({ check, issue }) => {\n if (check) {\n issues.push(`DS326: ${issue} - will cause X509IssuerName mismatch`)\n return true\n }\n return false\n },\n )\n\n // Check if raw issuer has issues but normalized version is OK (informational)\n const hasRawIssuesButNormalizedOk =\n rawIssuer.includes('\\n') && !normalizedIssuer.includes('\\n')\n\n if (hasActualFormatIssues) {\n recommendations.push(\n 'CRITICAL: Fix issuer name normalization in signature generation',\n )\n recommendations.push(\n 'Portal Error: \"Certificate X509IssuerName doesn\\'t match the X509IssuerName value provided in the signed properties section.\"',\n )\n recommendations.push(\n 'The normalization function is not properly formatting the issuer name',\n )\n recommendations.push(\n 'Debug: Check document.ts extractCertificateInfo() normalization logic',\n )\n } else if (hasRawIssuesButNormalizedOk) {\n // This is informational - normalization is working correctly\n console.log(\n 'ℹ️ Note: Raw certificate issuer has newlines but normalization is handling them correctly',\n )\n }\n\n // Additional certificate validity checks\n const now = new Date()\n const validFrom = new Date(cert.validFrom)\n const validTo = new Date(cert.validTo)\n\n if (now < validFrom) {\n issues.push('DS329: Certificate not yet valid (future start date)')\n recommendations.push('Wait until certificate validity period begins')\n }\n\n if (now > validTo) {\n issues.push('DS329: Certificate has expired')\n recommendations.push(\n 'BLOCKING: Renew certificate - expired certificates are rejected',\n )\n }\n\n // Check certificate key usage (if available)\n try {\n if (cert.keyUsage && !cert.keyUsage.includes('digital signature')) {\n issues.push('DS333: Certificate lacks digitalSignature key usage')\n recommendations.push(\n 'Generate new certificate with digitalSignature key usage enabled',\n )\n }\n } catch {\n // Key usage might not be available in all certificates\n console.log('Note: Could not check key usage extensions')\n }\n\n return {\n organizationIdentifier,\n serialNumber,\n issuerName: certInfo.issuerName,\n subjectName: certInfo.subjectName,\n issues,\n recommendations,\n }\n } catch (error) {\n issues.push(`Certificate parsing failed: ${error}`)\n recommendations.push('Verify certificate format and validity')\n\n return {\n issuerName: '',\n subjectName: '',\n issues,\n recommendations,\n }\n }\n}\n\n/\n Analyzes signature generation for potential issues\n /\nfunction analyzeSignatureForDiagnostics(\n invoices: InvoiceV1_1[],\n certificatePem: string,\n): SignatureAnalysisResult {\n const issues: string[] = []\n const recommendations: string[] = []\n\n try {\n // Step 1: Document digest\n const documentDigest = calculateDocumentDigest(invoices)\n\n // Step 2: Certificate digest\n const certificateDigest = calculateCertificateDigest(certificatePem)\n\n // Step 3: Extract certificate info\n const certInfo = extractCertificateInfo(certificatePem)\n const signingTime = new Date().toISOString()\n\n // Step 4: Create signed properties\n const signedProperties = createSignedProperties(\n certificateDigest,\n signingTime,\n certInfo.issuerName,\n certInfo.serialNumber,\n )\n\n // Step 5: Signed properties digest\n const signedPropertiesDigest =\n calculateSignedPropertiesDigest(signedProperties)\n\n // DS333 - Document Signature Validation\n if (documentDigest.length === 0) {\n issues.push('DS333: Document digest generation failed')\n recommendations.push(\n 'CRITICAL: Verify document serialization excludes UBLExtensions/Signature',\n )\n recommendations.push(\n 'Portal Error: \"Document signature value is not a valid signature of the document digest using the public key of the certificate provided.\"',\n )\n }\n\n if (certificateDigest.length === 0) {\n issues.push('DS333: Certificate digest generation failed')\n recommendations.push('CRITICAL: Verify certificate format and encoding')\n recommendations.push(\n 'Certificate must be properly base64 encoded without headers/footers',\n )\n }\n\n if (signedPropertiesDigest.length === 0) {\n issues.push('DS333: Signed properties digest generation failed')\n recommendations.push(\n 'CRITICAL: Verify signed properties structure and canonicalization',\n )\n recommendations.push(\n 'Check XML canonicalization (C14N) is applied correctly',\n )\n }\n\n // Additional DS333 checks\n try {\n const cert = new crypto.X509Certificate(certificatePem)\n\n // Verify the certificate has the required algorithms for MyInvois\n const publicKey = cert.publicKey\n const keyDetails = publicKey.asymmetricKeyDetails\n\n if (keyDetails) {\n // Check if key size is adequate for RSA (minimum 2048 bits)\n if (\n publicKey.asymmetricKeyType === 'rsa' &&\n keyDetails.modulusLength &&\n keyDetails.modulusLength < 2048\n ) {\n issues.push(\n 'DS333: RSA key size too small (minimum 2048 bits required)',\n )\n recommendations.push(\n 'CRITICAL: Generate new certificate with RSA 2048+ bits',\n )\n }\n\n // Check supported key types\n const supportedKeyTypes = ['rsa', 'ec']\n if (!supportedKeyTypes.includes(publicKey.asymmetricKeyType \|\| '')) {\n issues.push(\n `DS333: Unsupported key type: ${publicKey.asymmetricKeyType}`,\n )\n recommendations.push(\n 'CRITICAL: Use RSA or EC key types for MyInvois compatibility',\n )\n }\n }\n\n // Test certificate format validity\n const certBuffer = Buffer.from(\n certificatePem.replace(/-----[^-]+-----/g, '').replace(/\\s/g, ''),\n 'base64',\n )\n if (certBuffer.length === 0) {\n issues.push('DS333: Certificate encoding appears invalid')\n recommendations.push(\n 'CRITICAL: Verify certificate is properly PEM encoded',\n )\n }\n } catch (error) {\n issues.push(`DS333: Certificate validation failed - ${error}`)\n recommendations.push(\n 'CRITICAL: Verify certificate format and structure are valid',\n )\n }\n\n // Validate digest formats (should be base64)\n const isValidBase64 = (str: string) => {\n try {\n return Buffer.from(str, 'base64').toString('base64') === str\n } catch {\n return false\n }\n }\n\n if (documentDigest && !isValidBase64(documentDigest)) {\n issues.push('DS333: Document digest is not valid base64 format')\n recommendations.push('Ensure digest is properly base64 encoded')\n }\n\n if (certificateDigest && !isValidBase64(certificateDigest)) {\n issues.push('DS333: Certificate digest is not valid base64 format')\n recommendations.push(\n 'Ensure certificate digest is properly base64 encoded',\n )\n }\n\n if (signedPropertiesDigest && !isValidBase64(signedPropertiesDigest)) {\n issues.push('DS333: Signed properties digest is not valid base64 format')\n recommendations.push(\n 'Ensure signed properties digest is properly base64 encoded',\n )\n }\n\n return {\n documentDigest,\n certificateDigest,\n signedPropertiesDigest,\n issues,\n recommendations,\n }\n } catch (error) {\n issues.push(`Signature analysis failed: ${error}`)\n recommendations.push('Review signature generation implementation')\n\n return {\n documentDigest: '',\n certificateDigest: '',\n signedPropertiesDigest: '',\n issues,\n recommendations,\n }\n }\n}\n\n/\n Comprehensive signature diagnostics\n /\nexport function diagnoseSignatureIssues(\n invoices: InvoiceV1_1[],\n certificatePem: string,\n): DiagnosticResult {\n const certificateAnalysis = analyzeCertificateForDiagnostics(certificatePem)\n const signatureAnalysis = analyzeSignatureForDiagnostics(\n invoices,\n certificatePem,\n )\n\n const certificateIssues = certificateAnalysis.issues.length\n const signatureIssues = signatureAnalysis.issues.length\n\n return {\n certificateAnalysis,\n signatureAnalysis,\n summary: {\n totalIssues: certificateIssues + signatureIssues,\n certificateIssues,\n signatureIssues,\n },\n }\n}\n\n/\n Prints diagnostic results in a formatted way\n */\nexport function printDiagnostics(result: DiagnosticResult): void {\n console.log('\\n🔍 MyInvois Signature Diagnostics Report')\n console.log('='.repeat(60))\n\n // Certificate Analysis\n console.log('\\n📜 CERTIFICATE ANALYSIS')\n console.log('-'.repeat(30))\n\n console.log(` Issuer: ${result.certificateAnalysis.issuerName}`)\n console.log(` Subject: ${result.certificateAnalysis.subjectName}`)\n\n if (result.certificateAnalysis.organizationIdentifier) {\n console.log(\n ` Organization ID (TIN): ${result.certificateAnalysis.organizationIdentifier}`,\n )\n }\n\n if (result.certificateAnalysis.serialNumber) {\n console.log(` Serial Number: ${result.certificateAnalysis.serialNumber}`)\n }\n\n if (result.certificateAnalysis.issues.length > 0) {\n console.log('\\n 🚨 Certificate Issues:')\n result.certificateAnalysis.issues.forEach((issue, index) => {\n console.log(` ${index + 1}. ${issue}`)\n })\n }\n\n if (result.certificateAnalysis.recommendations.length > 0) {\n console.log('\\n 💡 Certificate Recommendations:')\n result.certificateAnalysis.recommendations.forEach((rec, index) => {\n console.log(` ${index + 1}. ${rec}`)\n })\n }\n\n // Signature Analysis\n console.log('\\n🔐 SIGNATURE ANALYSIS')\n console.log('-'.repeat(30))\n\n console.log(\n ` Document Digest: ${result.signatureAnalysis.documentDigest.substring(0, 32)}...`,\n )\n console.log(\n ` Certificate Digest: ${result.signatureAnalysis.certificateDigest.substring(0, 32)}...`,\n )\n console.log(\n ` Signed Properties Digest: ${result.signatureAnalysis.signedPropertiesDigest.substring(0, 32)}...`,\n )\n\n if (result.signatureAnalysis.issues.length > 0) {\n console.log('\\n 🚨 Signature Issues:')\n result.signatureAnalysis.issues.forEach((issue, index) => {\n console.log(` ${index + 1}. ${issue}`)\n })\n }\n\n if (result.signatureAnalysis.recommendations.length > 0) {\n console.log('\\n 💡 Signature Recommendations:')\n result.signatureAnalysis.recommendations.forEach((rec, index) => {\n console.log(` ${index + 1}. ${rec}`)\n })\n }\n\n // Summary\n console.log('\\n📊 SUMMARY')\n console.log('-'.repeat(30))\n console.log(` Total Issues Found: ${result.summary.totalIssues}`)\n console.log(` Certificate Issues: ${result.summary.certificateIssues}`)\n console.log(` Signature Issues: ${result.summary.signatureIssues}`)\n\n if (result.summary.totalIssues === 0) {\n console.log('\\n ✅ No issues detected in current analysis')\n console.log(' 🎉 Certificate and signature implementation appear valid')\n } else {\n console.log('\\n ⚠️ Issues detected - review recommendations above')\n\n // Check for specific portal errors\n const hasDS311 = result.certificateAnalysis.issues.some(issue =>\n issue.includes('DS311'),\n )\n const hasDS312 = result.certificateAnalysis.issues.some(issue =>\n issue.includes('DS312'),\n )\n const hasDS326 = result.certificateAnalysis.issues.some(issue =>\n issue.includes('DS326'),\n )\n const hasDS329 = result.certificateAnalysis.issues.some(issue =>\n issue.includes('DS329'),\n )\n const hasDS333 = result.signatureAnalysis.issues.some(issue =>\n issue.includes('DS333'),\n )\n\n console.log('\\n 🎯 MYINVOIS PORTAL ERROR ANALYSIS:')\n\n if (hasDS311) {\n console.log(\n ' ❌ DS311 - TIN mismatch between certificate and submitter',\n )\n }\n\n if (hasDS312) {\n console.log(\n ' ❌ DS312 - Registration number mismatch with certificate',\n )\n }\n\n if (hasDS326) {\n console.log(' ❌ DS326 - X509IssuerName format inconsistency')\n }\n\n if (hasDS329) {\n console.log(' ❌ DS329 - Certificate trust chain validation failure')\n }\n\n if (hasDS333) {\n console.log(' ❌ DS333 - Document signature validation failure')\n }\n\n if (result.summary.certificateIssues > 0) {\n console.log('\\n 🚨 PRIMARY ACTION REQUIRED:')\n console.log(' Certificate issues must be resolved first')\n console.log(\n ' Self-generated certificates cannot pass MyInvois validation',\n )\n }\n\n if (result.summary.signatureIssues > 0) {\n console.log('\\n ⚙️ SECONDARY ACTION:')\n console.log(' Review and optimize signature implementation')\n }\n\n console.log('\\n 📋 NEXT STEPS:')\n console.log(' 1. Address BLOCKING/CRITICAL issues first')\n console.log(' 2. Test with updated certificate/implementation')\n console.log(' 3. Re-run diagnostics to verify fixes')\n console.log(' 4. Submit test document to MyInvois portal')\n }\n\n console.log('\\n' + '='.repeat(60))\n}\n"],"mappings":";;;;;;;;;AAwCA,SAAS,iCACPA,gBAC2B;CAC3B,MAAMC,SAAmB,CAAE;CAC3B,MAAMC,kBAA4B,CAAE;AAEpC,KAAI;EACF,MAAM,OAAO,IAAI,eAAO,gBAAgB;EACxC,MAAM,WAAW,wCAAuB,eAAe;EAGvD,MAAM,qBAAqB,CAACC,OAAe;GACzC,MAAMC,SAAiC,CAAE;AACzC,MAAG,MAAM,KAAK,CAAC,QAAQ,UAAQ;IAC7B,MAAM,UAAU,KAAK,MAAM;AAC3B,QAAI,QAAQ,SAAS,IAAI,EAAE;KACzB,MAAM,CAAC,KAAK,GAAG,WAAW,GAAG,QAAQ,MAAM,IAAI;AAC/C,SAAI,IACF,QAAO,IAAI,MAAM,IAAI,WAAW,KAAK,IAAI,CAAC,MAAM;IAEnD;GACF,EAAC;AACF,UAAO;EACR;EAED,MAAM,gBAAgB,mBAAmB,KAAK,QAAQ;EACtD,MAAM,yBACJ,cAAc,6BAA6B,cAAc;EAC3D,MAAM,eAAe,cAAc;AAGnC,OAAK,wBAAwB;AAC3B,UAAO,KACL,gEACD;AACD,mBAAgB,KACd,4FACD;AACD,mBAAgB,KACd,8GACD;EACF,WAEK,uBAAuB,SAAS,IAAI;AACtC,UAAO,KACL,yFACD;AACD,mBAAgB,KACd,mEACD;EACF;AAIH,OAAK,cAAc;AACjB,UAAO,KACL,wEACD;AACD,mBAAgB,KACd,2FACD;AACD,mBAAgB,KACd,4GACD;EACF;AAGD,MAAI,KAAK,WAAW,KAAK,SAAS;AAChC,UAAO,KACL,gFACD;AACD,mBAAgB,KACd,0DACD;AACD,mBAAgB,KAAK,0BAA0B;AAC/C,mBAAgB,KAAK,qBAAqB;AAC1C,mBAAgB,KAAK,2BAA2B;AAChD,mBAAgB,KACd,kJACD;EACF,OAAM;GAEL,MAAM,aAAa,KAAK,OAAO,aAAa;GAC5C,MAAM,cAAc;IAAC;IAAiB;IAAY;GAAY;GAC9D,MAAM,mBAAmB,YAAY,KAAK,QAAM,WAAW,SAAS,GAAG,CAAC;AAExE,QAAK,kBAAkB;AACrB,WAAO,KAAK,0DAA0D;AACtE,oBAAgB,KACd,+DACD;GACF;EACF;EAGD,MAAM,YAAY,KAAK;EACvB,MAAM,mBAAmB,SAAS;EAGlC,MAAM,yBAAyB;GAC7B;IACE,OAAO,iBAAiB,SAAS,KAAK;IACtC,OAAO;GACR;GACD;IACE,OAAO,iBAAiB,SAAS,KAAK;IACtC,OAAO;GACR;GACD;IACE,OAAO,OAAO,KAAK,iBAAiB;IACpC,OAAO;GACR;GACD;IACE,OAAO,OAAO,KAAK,iBAAiB;IACpC,OAAO;GACR;GACD;IACE,OAAO,iBAAiB,SAAS,KAAK;IACtC,OAAO;GACR;EACF;EAGD,MAAM,wBAAwB,uBAAuB,KACnD,CAAC,EAAE,OAAO,OAAO,KAAK;AACpB,OAAI,OAAO;AACT,WAAO,MAAM,SAAS,MAAM,uCAAuC;AACnE,WAAO;GACR;AACD,UAAO;EACR,EACF;EAGD,MAAM,8BACJ,UAAU,SAAS,KAAK,KAAK,iBAAiB,SAAS,KAAK;AAE9D,MAAI,uBAAuB;AACzB,mBAAgB,KACd,kEACD;AACD,mBAAgB,KACd,iIACD;AACD,mBAAgB,KACd,wEACD;AACD,mBAAgB,KACd,wEACD;EACF,WAAU,4BAET,SAAQ,IACN,6FACD;EAIH,MAAM,sBAAM,IAAI;EAChB,MAAM,YAAY,IAAI,KAAK,KAAK;EAChC,MAAM,UAAU,IAAI,KAAK,KAAK;AAE9B,MAAI,MAAM,WAAW;AACnB,UAAO,KAAK,uDAAuD;AACnE,mBAAgB,KAAK,gDAAgD;EACtE;AAED,MAAI,MAAM,SAAS;AACjB,UAAO,KAAK,iCAAiC;AAC7C,mBAAgB,KACd,kEACD;EACF;AAGD,MAAI;AACF,OAAI,KAAK,aAAa,KAAK,SAAS,SAAS,oBAAoB,EAAE;AACjE,WAAO,KAAK,sDAAsD;AAClE,oBAAgB,KACd,mEACD;GACF;EACF,QAAO;AAEN,WAAQ,IAAI,6CAA6C;EAC1D;AAED,SAAO;GACL;GACA;GACA,YAAY,SAAS;GACrB,aAAa,SAAS;GACtB;GACA;EACD;CACF,SAAQ,OAAO;AACd,SAAO,MAAM,8BAA8B,MAAM,EAAE;AACnD,kBAAgB,KAAK,yCAAyC;AAE9D,SAAO;GACL,YAAY;GACZ,aAAa;GACb;GACA;EACD;CACF;AACF;;;;AAKD,SAAS,+BACPC,UACAL,gBACyB;CACzB,MAAMC,SAAmB,CAAE;CAC3B,MAAMC,kBAA4B,CAAE;AAEpC,KAAI;EAEF,MAAM,iBAAiB,yCAAwB,SAAS;EAGxD,MAAM,oBAAoB,4CAA2B,eAAe;EAGpE,MAAM,WAAW,wCAAuB,eAAe;EACvD,MAAM,cAAc,qBAAI,QAAO,aAAa;EAG5C,MAAM,mBAAmB,wCACvB,mBACA,aACA,SAAS,YACT,SAAS,aACV;EAGD,MAAM,yBACJ,iDAAgC,iBAAiB;AAGnD,MAAI,eAAe,WAAW,GAAG;AAC/B,UAAO,KAAK,2CAA2C;AACvD,mBAAgB,KACd,2EACD;AACD,mBAAgB,KACd,+IACD;EACF;AAED,MAAI,kBAAkB,WAAW,GAAG;AAClC,UAAO,KAAK,8CAA8C;AAC1D,mBAAgB,KAAK,mDAAmD;AACxE,mBAAgB,KACd,sEACD;EACF;AAED,MAAI,uBAAuB,WAAW,GAAG;AACvC,UAAO,KAAK,oDAAoD;AAChE,mBAAgB,KACd,oEACD;AACD,mBAAgB,KACd,yDACD;EACF;AAGD,MAAI;GACF,MAAM,OAAO,IAAI,eAAO,gBAAgB;GAGxC,MAAM,YAAY,KAAK;GACvB,MAAM,aAAa,UAAU;AAE7B,OAAI,YAAY;AAEd,QACE,UAAU,sBAAsB,SAChC,WAAW,iBACX,WAAW,gBAAgB,MAC3B;AACA,YAAO,KACL,6DACD;AACD,qBAAgB,KACd,yDACD;IACF;IAGD,MAAM,oBAAoB,CAAC,OAAO,IAAK;AACvC,SAAK,kBAAkB,SAAS,UAAU,qBAAqB,GAAG,EAAE;AAClE,YAAO,MACJ,+BAA+B,UAAU,kBAAkB,EAC7D;AACD,qBAAgB,KACd,+DACD;IACF;GACF;GAGD,MAAM,aAAa,OAAO,KACxB,eAAe,QAAQ,oBAAoB,GAAG,CAAC,QAAQ,OAAO,GAAG,EACjE,SACD;AACD,OAAI,WAAW,WAAW,GAAG;AAC3B,WAAO,KAAK,8CAA8C;AAC1D,oBAAgB,KACd,uDACD;GACF;EACF,SAAQ,OAAO;AACd,UAAO,MAAM,yCAAyC,MAAM,EAAE;AAC9D,mBAAgB,KACd,8DACD;EACF;EAGD,MAAM,gBAAgB,CAACI,QAAgB;AACrC,OAAI;AACF,WAAO,OAAO,KAAK,KAAK,SAAS,CAAC,SAAS,SAAS,KAAK;GAC1D,QAAO;AACN,WAAO;GACR;EACF;AAED,MAAI,mBAAmB,cAAc,eAAe,EAAE;AACpD,UAAO,KAAK,oDAAoD;AAChE,mBAAgB,KAAK,2CAA2C;EACjE;AAED,MAAI,sBAAsB,cAAc,kBAAkB,EAAE;AAC1D,UAAO,KAAK,uDAAuD;AACnE,mBAAgB,KACd,uDACD;EACF;AAED,MAAI,2BAA2B,cAAc,uBAAuB,EAAE;AACpE,UAAO,KAAK,6DAA6D;AACzE,mBAAgB,KACd,6DACD;EACF;AAED,SAAO;GACL;GACA;GACA;GACA;GACA;EACD;CACF,SAAQ,OAAO;AACd,SAAO,MAAM,6BAA6B,MAAM,EAAE;AAClD,kBAAgB,KAAK,6CAA6C;AAElE,SAAO;GACL,gBAAgB;GAChB,mBAAmB;GACnB,wBAAwB;GACxB;GACA;EACD;CACF;AACF;;;;AAKD,SAAgB,wBACdD,UACAL,gBACkB;CAClB,MAAM,sBAAsB,iCAAiC,eAAe;CAC5E,MAAM,oBAAoB,+BACxB,UACA,eACD;CAED,MAAM,oBAAoB,oBAAoB,OAAO;CACrD,MAAM,kBAAkB,kBAAkB,OAAO;AAEjD,QAAO;EACL;EACA;EACA,SAAS;GACP,aAAa,oBAAoB;GACjC;GACA;EACD;CACF;AACF;;;;AAKD,SAAgB,iBAAiBO,QAAgC;AAC/D,SAAQ,IAAI,6CAA6C;AACzD,SAAQ,IAAI,IAAI,OAAO,GAAG,CAAC;AAG3B,SAAQ,IAAI,4BAA4B;AACxC,SAAQ,IAAI,IAAI,OAAO,GAAG,CAAC;AAE3B,SAAQ,KAAK,YAAY,OAAO,oBAAoB,WAAW,EAAE;AACjE,SAAQ,KAAK,aAAa,OAAO,oBAAoB,YAAY,EAAE;AAEnE,KAAI,OAAO,oBAAoB,uBAC7B,SAAQ,KACL,2BAA2B,OAAO,oBAAoB,uBAAuB,EAC/E;AAGH,KAAI,OAAO,oBAAoB,aAC7B,SAAQ,KAAK,mBAAmB,OAAO,oBAAoB,aAAa,EAAE;AAG5E,KAAI,OAAO,oBAAoB,OAAO,SAAS,GAAG;AAChD,UAAQ,IAAI,6BAA6B;AACzC,SAAO,oBAAoB,OAAO,QAAQ,CAAC,OAAO,UAAU;AAC1D,WAAQ,KAAK,MAAM,QAAQ,EAAE,IAAI,MAAM,EAAE;EAC1C,EAAC;CACH;AAED,KAAI,OAAO,oBAAoB,gBAAgB,SAAS,GAAG;AACzD,UAAQ,IAAI,sCAAsC;AAClD,SAAO,oBAAoB,gBAAgB,QAAQ,CAAC,KAAK,UAAU;AACjE,WAAQ,KAAK,MAAM,QAAQ,EAAE,IAAI,IAAI,EAAE;EACxC,EAAC;CACH;AAGD,SAAQ,IAAI,0BAA0B;AACtC,SAAQ,IAAI,IAAI,OAAO,GAAG,CAAC;AAE3B,SAAQ,KACL,qBAAqB,OAAO,kBAAkB,eAAe,UAAU,GAAG,GAAG,CAAC,KAChF;AACD,SAAQ,KACL,wBAAwB,OAAO,kBAAkB,kBAAkB,UAAU,GAAG,GAAG,CAAC,KACtF;AACD,SAAQ,KACL,8BAA8B,OAAO,kBAAkB,uBAAuB,UAAU,GAAG,GAAG,CAAC,KACjG;AAED,KAAI,OAAO,kBAAkB,OAAO,SAAS,GAAG;AAC9C,UAAQ,IAAI,2BAA2B;AACvC,SAAO,kBAAkB,OAAO,QAAQ,CAAC,OAAO,UAAU;AACxD,WAAQ,KAAK,MAAM,QAAQ,EAAE,IAAI,MAAM,EAAE;EAC1C,EAAC;CACH;AAED,KAAI,OAAO,kBAAkB,gBAAgB,SAAS,GAAG;AACvD,UAAQ,IAAI,oCAAoC;AAChD,SAAO,kBAAkB,gBAAgB,QAAQ,CAAC,KAAK,UAAU;AAC/D,WAAQ,KAAK,MAAM,QAAQ,EAAE,IAAI,IAAI,EAAE;EACxC,EAAC;CACH;AAGD,SAAQ,IAAI,eAAe;AAC3B,SAAQ,IAAI,IAAI,OAAO,GAAG,CAAC;AAC3B,SAAQ,KAAK,wBAAwB,OAAO,QAAQ,YAAY,EAAE;AAClE,SAAQ,KAAK,wBAAwB,OAAO,QAAQ,kBAAkB,EAAE;AACxE,SAAQ,KAAK,sBAAsB,OAAO,QAAQ,gBAAgB,EAAE;AAEpE,KAAI,OAAO,QAAQ,gBAAgB,GAAG;AACpC,UAAQ,IAAI,+CAA+C;AAC3D,UAAQ,IAAI,6DAA6D;CAC1E,OAAM;AACL,UAAQ,IAAI,yDAAyD;EAGrE,MAAM,WAAW,OAAO,oBAAoB,OAAO,KAAK,WACtD,MAAM,SAAS,QAAQ,CACxB;EACD,MAAM,WAAW,OAAO,oBAAoB,OAAO,KAAK,WACtD,MAAM,SAAS,QAAQ,CACxB;EACD,MAAM,WAAW,OAAO,oBAAoB,OAAO,KAAK,WACtD,MAAM,SAAS,QAAQ,CACxB;EACD,MAAM,WAAW,OAAO,oBAAoB,OAAO,KAAK,WACtD,MAAM,SAAS,QAAQ,CACxB;EACD,MAAM,WAAW,OAAO,kBAAkB,OAAO,KAAK,WACpD,MAAM,SAAS,QAAQ,CACxB;AAED,UAAQ,IAAI,yCAAyC;AAErD,MAAI,SACF,SAAQ,IACN,gEACD;AAGH,MAAI,SACF,SAAQ,IACN,+DACD;AAGH,MAAI,SACF,SAAQ,IAAI,qDAAqD;AAGnE,MAAI,SACF,SAAQ,IAAI,4DAA4D;AAG1E,MAAI,SACF,SAAQ,IAAI,uDAAuD;AAGrE,MAAI,OAAO,QAAQ,oBAAoB,GAAG;AACxC,WAAQ,IAAI,kCAAkC;AAC9C,WAAQ,IAAI,iDAAiD;AAC7D,WAAQ,IACN,mEACD;EACF;AAED,MAAI,OAAO,QAAQ,kBAAkB,GAAG;AACtC,WAAQ,IAAI,4BAA4B;AACxC,WAAQ,IAAI,oDAAoD;EACjE;AAED,UAAQ,IAAI,qBAAqB;AACjC,UAAQ,IAAI,iDAAiD;AAC7D,UAAQ,IAAI,uDAAuD;AACnE,UAAQ,IAAI,6CAA6C;AACzD,UAAQ,IAAI,kDAAkD;CAC/D;AAED,SAAQ,IAAI,OAAO,IAAI,OAAO,GAAG,CAAC;AACnC"}