@sempdev/semp 0.4.3

package/dist/handshake/federation.js

@@ -0,0 +1,664 @@
+/**
+ * Federation handshake (server ↔ server) per HANDSHAKE.md §5.
+ *
+ * Two servers establish a federation session by exchanging four
+ * messages — symmetric in shape to the client handshake but with
+ * domain identity in plaintext on both sides plus a domain-proof
+ * verification step:
+ *
+ *   1. ServerInit (initiator → responder) carrying the initiator's
+ *      domain, ephemeral key, identity proof, and a {@link DomainProof}
+ *      that the responder verifies via DNS / certificate / well-known.
+ *   2. FederationResponse (responder → initiator) carrying the
+ *      responder's identity material, the {@link DomainVerificationResult},
+ *      negotiated capabilities, and the responder's
+ *      {@link FederationPolicy}.
+ *   3. FederationConfirm (initiator → responder) with the
+ *      confirmation hash and a {@link FederationAcceptance} block
+ *      stating whether the initiator accepts the policy.
+ *   4. FederationAccepted (responder → initiator) finalizing the
+ *      session and (optionally) issuing a resumption ticket.
+ *
+ * @module
+ */
+import { marshal as canonicalMarshal } from "../canonical/index.js";
+import { deriveSessionKeysWithResumption, newHKDFSHA512, x25519Agree, x25519PublicKey, } from "../crypto/index.js";
+import { fingerprint, publicKeyFromSeed, sign as ed25519Sign, verify as ed25519Verify, } from "../keys/index.js";
+import { confirmationHash } from "./confirm.js";
+import { HandshakeRejectedError } from "./driver.js";
+import { IdentityPrefix } from "./identity.js";
+import { HandshakePrefix, HandshakeVersion, } from "./messages.js";
+/** Wire-level discriminators (shared with the client handshake). */
+export const FederationMessageType = "SEMP_HANDSHAKE";
+/**
+ * Permissive verifier that accepts every proof. Tests / single-
+ * process deployments only — production MUST NOT use it.
+ */
+export class TrustingDomainVerifier {
+    async verify() {
+        return;
+    }
+}
+/**
+ * Decide which of two simultaneously-initiated federation handshakes
+ * proceeds per SESSION.md §2.5.2. Both peers agree on the winner
+ * without external coordination — lexicographic compare provides
+ * exactly this property.
+ *
+ * Returns the winning `session_id` (the one that proceeds).
+ */
+export function resolveCollision(idA, idB) {
+    return idA > idB ? idA : idB;
+}
+/** Default acceptor that accepts every policy (tests). */
+export const acceptAllPolicies = () => null;
+/**
+ * Stateful federation initiator. Mirror of `semp-go/handshake.Initiator`.
+ * Single-shot — discard after success or error.
+ */
+export class FederationInitiator {
+    cfg;
+    localDomainPub;
+    localDomainKeyId;
+    nonce = null;
+    ephPriv = null;
+    ephPub = null;
+    initCanonical = null;
+    respCanonical = null;
+    sessionId = "";
+    sessionKeys = null;
+    finalSession = null;
+    resumptionSecret = null;
+    resumeNonce = null;
+    constructor(cfg) {
+        if (cfg.suite !== "x25519-chacha20-poly1305") {
+            throw new Error(`handshake: federation initiator only supports baseline suite, got ${cfg.suite}`);
+        }
+        if (cfg.localDomain === "") {
+            throw new Error("handshake: federation initiator empty localDomain");
+        }
+        if (cfg.localServerID === "") {
+            throw new Error("handshake: federation initiator empty localServerID");
+        }
+        if (cfg.localDomainSeed.length === 0) {
+            throw new Error("handshake: federation initiator empty localDomainSeed");
+        }
+        if (cfg.peerDomain === "") {
+            throw new Error("handshake: federation initiator empty peerDomain");
+        }
+        this.cfg = cfg;
+        this.localDomainPub = publicKeyFromSeed(cfg.localDomainSeed);
+        this.localDomainKeyId = fingerprint(this.localDomainPub);
+        if (cfg.initiatorEphemeralPriv !== undefined) {
+            this.ephPriv = cfg.initiatorEphemeralPriv;
+        }
+        if (cfg.initiatorNonce !== undefined) {
+            this.nonce = cfg.initiatorNonce;
+        }
+    }
+    /** Build ServerInit bytes (message 1). */
+    init() {
+        if (this.initCanonical !== null) {
+            throw new Error("handshake: federation initiator init already called");
+        }
+        if (this.ephPriv === null) {
+            this.ephPriv = randomBytes(32);
+        }
+        this.ephPub = x25519PublicKey(this.ephPriv);
+        if (this.nonce === null) {
+            this.nonce = randomBytes(32);
+        }
+        const ephKeyId = fingerprint(this.ephPub);
+        // Inner identity proof: sig over eph_pub || nonce with SEMP-IDENTITY: prefix.
+        const innerInput = concat(new TextEncoder().encode(IdentityPrefix), concat(this.ephPub, this.nonce));
+        const innerSig = ed25519Sign(this.cfg.localDomainSeed, innerInput);
+        const msg = {
+            type: FederationMessageType,
+            step: "init",
+            party: "server",
+            version: HandshakeVersion,
+            nonce: base64Encode(this.nonce),
+            server_id: this.cfg.localServerID,
+            server_domain: this.cfg.localDomain,
+            server_ephemeral_key: {
+                algorithm: this.cfg.suite,
+                key: base64Encode(this.ephPub),
+                key_id: ephKeyId,
+            },
+            server_identity_proof: {
+                key_id: this.localDomainKeyId,
+                signature: base64Encode(innerSig),
+            },
+            domain_proof: this.cfg.domainProof,
+            capabilities: this.cfg.capabilities,
+            server_signature: "",
+            extensions: {},
+        };
+        msg.server_signature = signServerMessage(msg, this.cfg.localDomainSeed);
+        this.initCanonical = canonicalMarshal(msg);
+        return this.initCanonical;
+    }
+    /** Process FederationResponse (message 2) and produce FederationConfirm bytes. */
+    onResponse(data) {
+        if (this.initCanonical === null) {
+            throw new Error("handshake: onResponse before init");
+        }
+        if (this.ephPriv === null || this.nonce === null) {
+            throw new Error("handshake: federation initiator state missing");
+        }
+        const m = JSON.parse(new TextDecoder().decode(data));
+        if (m["step"] === "rejected") {
+            const rej = m;
+            throw new HandshakeRejectedError(rej.session_id, rej.reason_code, rej.reason);
+        }
+        if (m["type"] !== FederationMessageType ||
+            m["step"] !== "response" ||
+            m["party"] !== "server") {
+            throw new Error(`handshake: federation response type/step/party mismatch`);
+        }
+        const resp = m;
+        if (resp.server_domain !== this.cfg.peerDomain) {
+            throw new Error(`handshake: response server_domain ${JSON.stringify(resp.server_domain)} != configured peer ${JSON.stringify(this.cfg.peerDomain)}`);
+        }
+        if (resp.client_nonce !== base64Encode(this.nonce)) {
+            throw new Error("handshake: federation response client_nonce mismatch");
+        }
+        if (resp.domain_verification_result.status !== "verified") {
+            throw new Error(`handshake: peer rejected our domain proof: ${resp.domain_verification_result.detail ?? ""}`);
+        }
+        const peerDomainPub = this.cfg.peerDomainPubLookup(resp.server_domain);
+        if (!verifyServerMessage(resp, resp.server_signature, peerDomainPub)) {
+            throw new Error("handshake: federation response server_signature did not verify");
+        }
+        // Inner identity proof check.
+        const serverEphPub = base64Decode(resp.server_ephemeral_key.key);
+        const serverNonce = base64Decode(resp.server_nonce);
+        const innerInput = concat(new TextEncoder().encode(IdentityPrefix), concat(concat(serverEphPub, serverNonce), this.nonce));
+        const innerSig = base64Decode(resp.server_identity_proof.signature);
+        if (!ed25519Verify(peerDomainPub, innerSig, innerInput)) {
+            throw new Error("handshake: peer inner identity_signature did not verify");
+        }
+        const shared = x25519Agree(this.ephPriv, serverEphPub);
+        const kdf = newHKDFSHA512();
+        this.sessionKeys = deriveSessionKeysWithResumption(kdf, shared, this.nonce, serverNonce);
+        // Erase ephemeral private once shared secret is in hand.
+        this.ephPriv.fill(0);
+        this.ephPriv = null;
+        this.respCanonical = canonicalMarshal(resp);
+        const ch = confirmationHash(this.initCanonical, this.respCanonical);
+        const acceptor = this.cfg.policyAcceptor ?? acceptAllPolicies;
+        const reason = acceptor(resp.federation_policy);
+        const acceptance = reason === null
+            ? { accepted: true, policy_acknowledged: true }
+            : { accepted: false, policy_acknowledged: false, reason };
+        const confirm = {
+            type: FederationMessageType,
+            step: "confirm",
+            party: "server",
+            version: HandshakeVersion,
+            session_id: resp.session_id,
+            confirmation_hash: base64Encode(ch),
+            federation_acceptance: acceptance,
+            server_signature: "",
+            extensions: {},
+        };
+        confirm.server_signature = signServerMessage(confirm, this.cfg.localDomainSeed);
+        this.sessionId = resp.session_id;
+        return canonicalMarshal(confirm);
+    }
+    /** Process FederationAccepted (message 4) and finalize the session. */
+    onAccepted(data) {
+        if (this.sessionKeys === null) {
+            throw new Error("handshake: onAccepted before onResponse");
+        }
+        const m = JSON.parse(new TextDecoder().decode(data));
+        if (m["step"] === "rejected") {
+            const rej = m;
+            throw new HandshakeRejectedError(rej.session_id, rej.reason_code, rej.reason);
+        }
+        if (m["type"] !== FederationMessageType ||
+            m["step"] !== "accepted" ||
+            m["party"] !== "server") {
+            throw new Error("handshake: federation accepted type/step/party mismatch");
+        }
+        const acc = m;
+        if (acc.session_id !== this.sessionId) {
+            throw new Error("handshake: federation accepted session_id mismatch");
+        }
+        const peerDomainPub = this.cfg.peerDomainPubLookup(this.cfg.peerDomain);
+        if (!verifyServerMessage(acc, acc.server_signature, peerDomainPub)) {
+            throw new Error("handshake: federation accepted server_signature did not verify");
+        }
+        const ttl = acc.session_ttl > 0 ? acc.session_ttl : 3600;
+        this.finalSession = {
+            sessionId: acc.session_id,
+            sessionTTL: ttl,
+            keys: this.sessionKeys,
+            peerDomain: this.cfg.peerDomain,
+            ...(acc.resumption_ticket !== undefined
+                ? { resumptionTicket: acc.resumption_ticket }
+                : {}),
+            extensions: acc.extensions,
+        };
+    }
+    /** Final session populated by {@link onAccepted}. */
+    session() {
+        if (this.finalSession === null) {
+            throw new Error("handshake: federation session not yet established");
+        }
+        return this.finalSession;
+    }
+    /** Load `K_resumption` recovered from a prior session before {@link resume}. */
+    loadResumptionSecret(secret) {
+        if (secret.length === 0) {
+            throw new Error("handshake: empty resumption secret");
+        }
+        this.resumptionSecret = secret.slice();
+    }
+    /**
+     * Build a {@link FederationResume} bytes per §2.8.7. `ticket` is
+     * the opaque value from the prior FederationAccepted's
+     * `resumption_ticket.value` (already base64-decoded). Pass
+     * `peerConfigurationRevision = 0` to omit it.
+     */
+    resume(ticket, peerConfigurationRevision = 0) {
+        if (this.resumptionSecret === null) {
+            throw new Error("handshake: resume before loadResumptionSecret");
+        }
+        if (ticket.length === 0) {
+            throw new Error("handshake: empty federation resumption ticket");
+        }
+        if (this.resumeNonce === null) {
+            this.resumeNonce = randomBytes(32);
+        }
+        if (this.ephPriv === null) {
+            this.ephPriv = randomBytes(32);
+        }
+        this.ephPub = x25519PublicKey(this.ephPriv);
+        const ephKeyId = fingerprint(this.ephPub);
+        const out = {
+            type: FederationMessageType,
+            step: "resume",
+            party: "server",
+            version: HandshakeVersion,
+            nonce: base64Encode(this.resumeNonce),
+            server_id: this.cfg.localServerID,
+            server_domain: this.cfg.localDomain,
+            ...(peerConfigurationRevision > 0
+                ? { peer_configuration_revision: peerConfigurationRevision }
+                : {}),
+            resumption_ticket: base64Encode(ticket),
+            client_ephemeral_key: {
+                algorithm: this.cfg.suite,
+                key: base64Encode(this.ephPub),
+                key_id: ephKeyId,
+            },
+            transport: "websocket",
+            extensions: {},
+        };
+        return canonicalMarshal(out);
+    }
+    /**
+     * Process the responder's FederationAccepted in response to
+     * {@link resume} and derive resumed session keys per §2.8.3.
+     */
+    onResumeAccepted(data) {
+        if (this.resumptionSecret === null || this.resumeNonce === null) {
+            throw new Error("handshake: onResumeAccepted before resume");
+        }
+        if (this.ephPriv === null) {
+            throw new Error("handshake: federation resume ephemeral missing");
+        }
+        const m = JSON.parse(new TextDecoder().decode(data));
+        if (m["step"] === "rejected") {
+            const rej = m;
+            throw new HandshakeRejectedError(rej.session_id, rej.reason_code, rej.reason);
+        }
+        if (m["type"] !== FederationMessageType ||
+            m["step"] !== "accepted" ||
+            m["party"] !== "server") {
+            throw new Error("handshake: resumed federation accepted type/step/party mismatch");
+        }
+        const acc = m;
+        if (acc.server_ephemeral_key === undefined ||
+            acc.server_nonce === undefined ||
+            acc.resumption_ticket === undefined) {
+            throw new Error("handshake: resumed federation accepted missing server_ephemeral_key / server_nonce / resumption_ticket");
+        }
+        const peerDomainPub = this.cfg.peerDomainPubLookup(this.cfg.peerDomain);
+        if (!verifyServerMessage(acc, acc.server_signature, peerDomainPub)) {
+            throw new Error("handshake: resumed federation accepted server_signature did not verify");
+        }
+        const serverNonce = base64Decode(acc.server_nonce);
+        const serverEphPub = base64Decode(acc.server_ephemeral_key.key);
+        const ephShared = x25519Agree(this.ephPriv, serverEphPub);
+        this.ephPriv.fill(0);
+        this.ephPriv = null;
+        // K_resumption mixes into IKM per §2.8.3.
+        const ikm = concat(this.resumptionSecret, ephShared);
+        const kdf = newHKDFSHA512();
+        const resumed = deriveSessionKeysWithResumption(kdf, ikm, this.resumeNonce, serverNonce);
+        this.resumptionSecret.fill(0);
+        this.resumptionSecret = null;
+        const ttl = acc.session_ttl > 0 ? acc.session_ttl : 3600;
+        const sess = {
+            sessionId: acc.session_id,
+            sessionTTL: ttl,
+            keys: resumed,
+            peerDomain: this.cfg.peerDomain,
+            resumptionTicket: acc.resumption_ticket,
+            extensions: acc.extensions,
+        };
+        this.finalSession = sess;
+        return {
+            session: sess,
+            newTicket: base64Decode(acc.resumption_ticket.value),
+        };
+    }
+    /** Wipe in-memory secret state. */
+    erase() {
+        if (this.ephPriv !== null) {
+            this.ephPriv.fill(0);
+            this.ephPriv = null;
+        }
+        if (this.nonce !== null) {
+            this.nonce.fill(0);
+            this.nonce = null;
+        }
+        if (this.resumptionSecret !== null) {
+            this.resumptionSecret.fill(0);
+            this.resumptionSecret = null;
+        }
+        this.sessionKeys = null;
+    }
+}
+/**
+ * Stateful federation responder. Mirror of `semp-go/handshake.Responder`.
+ * Single-shot — discard after success or error.
+ */
+export class FederationResponder {
+    cfg;
+    localDomainPub;
+    localDomainKeyId;
+    verifier;
+    sessionTTL;
+    sessionId = "";
+    peerDomain = "";
+    peerNonce = null;
+    serverNonce = null;
+    respEphPriv = null;
+    initCanonical = null;
+    respCanonical = null;
+    sessionKeys = null;
+    finalSession = null;
+    constructor(cfg) {
+        if (cfg.suite !== "x25519-chacha20-poly1305") {
+            throw new Error(`handshake: federation responder only supports baseline suite, got ${cfg.suite}`);
+        }
+        if (cfg.localDomain === "") {
+            throw new Error("handshake: federation responder empty localDomain");
+        }
+        if (cfg.localDomainSeed.length === 0) {
+            throw new Error("handshake: federation responder empty localDomainSeed");
+        }
+        this.cfg = cfg;
+        this.localDomainPub = publicKeyFromSeed(cfg.localDomainSeed);
+        this.localDomainKeyId = fingerprint(this.localDomainPub);
+        this.verifier = cfg.verifier ?? new TrustingDomainVerifier();
+        this.sessionTTL = cfg.sessionTTL ?? 3600;
+    }
+    /**
+     * Process ServerInit (message 1) and produce FederationResponse
+     * bytes. Throws on signature, identity-proof, or domain-proof
+     * verification failure.
+     */
+    async onInit(data) {
+        if (this.initCanonical !== null) {
+            throw new Error("handshake: federation responder onInit called twice");
+        }
+        const m = JSON.parse(new TextDecoder().decode(data));
+        if (m["type"] !== FederationMessageType ||
+            m["step"] !== "init" ||
+            m["party"] !== "server") {
+            throw new Error("handshake: federation init type/step/party mismatch");
+        }
+        const init = m;
+        if (init.server_domain === "") {
+            throw new Error("handshake: empty initiator server_domain");
+        }
+        const peerDomainPub = this.cfg.peerDomainPubLookup(init.server_domain);
+        if (!verifyServerMessage(init, init.server_signature, peerDomainPub)) {
+            throw new Error("handshake: federation init server_signature did not verify");
+        }
+        // Inner identity proof: sig over eph_pub || nonce.
+        const clientEphPub = base64Decode(init.server_ephemeral_key.key);
+        const clientNonce = base64Decode(init.nonce);
+        const innerInput = concat(new TextEncoder().encode(IdentityPrefix), concat(clientEphPub, clientNonce));
+        const innerSig = base64Decode(init.server_identity_proof.signature);
+        if (!ed25519Verify(peerDomainPub, innerSig, innerInput)) {
+            throw new Error("handshake: federation init inner identity_signature did not verify");
+        }
+        // Domain-proof verification.
+        let result = {
+            status: "verified",
+            method: init.domain_proof.method,
+        };
+        try {
+            await this.verifier.verify(init.server_domain, init.domain_proof, init.nonce);
+        }
+        catch (err) {
+            const detail = err instanceof Error ? err.message : String(err);
+            result = {
+                status: "rejected",
+                method: init.domain_proof.method,
+                detail,
+            };
+            throw new Error(`handshake: federation domain proof verification failed: ${detail}`);
+        }
+        // Capability negotiation: pick the first mutually-supported suite.
+        const negotiated = pickSuite(init.capabilities.encryption_algorithms, this.cfg.capabilities.encryption_algorithms);
+        if (negotiated === undefined) {
+            throw new Error("handshake: federation no mutually supported suite");
+        }
+        if (negotiated !== this.cfg.suite) {
+            throw new Error(`handshake: federation negotiated suite ${negotiated} != responder suite ${this.cfg.suite}`);
+        }
+        this.respEphPriv = this.cfg.responderEphemeralPriv ?? randomBytes(32);
+        const respEphPub = x25519PublicKey(this.respEphPriv);
+        const respEphKeyId = fingerprint(respEphPub);
+        this.serverNonce = this.cfg.responderNonce ?? randomBytes(32);
+        this.sessionId = this.cfg.generateSessionId();
+        const shared = x25519Agree(this.respEphPriv, clientEphPub);
+        const kdf = newHKDFSHA512();
+        this.sessionKeys = deriveSessionKeysWithResumption(kdf, shared, clientNonce, this.serverNonce);
+        // Inner identity proof: sig over eph_pub || server_nonce || client_nonce.
+        const proofInput = concat(new TextEncoder().encode(IdentityPrefix), concat(concat(respEphPub, this.serverNonce), clientNonce));
+        const proofSig = ed25519Sign(this.cfg.localDomainSeed, proofInput);
+        const resp = {
+            type: FederationMessageType,
+            step: "response",
+            party: "server",
+            version: HandshakeVersion,
+            session_id: this.sessionId,
+            client_nonce: init.nonce,
+            server_nonce: base64Encode(this.serverNonce),
+            server_id: this.cfg.localServerID,
+            server_domain: this.cfg.localDomain,
+            server_ephemeral_key: {
+                algorithm: this.cfg.suite,
+                key: base64Encode(respEphPub),
+                key_id: respEphKeyId,
+            },
+            server_identity_proof: {
+                key_id: this.localDomainKeyId,
+                signature: base64Encode(proofSig),
+            },
+            domain_verification_result: result,
+            negotiated: {
+                encryption_algorithm: negotiated,
+                extensions: [],
+            },
+            federation_policy: this.cfg.policy,
+            server_signature: "",
+            extensions: {},
+        };
+        resp.server_signature = signServerMessage(resp, this.cfg.localDomainSeed);
+        this.peerDomain = init.server_domain;
+        this.peerNonce = clientNonce;
+        this.initCanonical = data;
+        this.respCanonical = canonicalMarshal(resp);
+        return this.respCanonical;
+    }
+    /**
+     * Process FederationConfirm (message 3) and produce
+     * FederationAccepted bytes (message 4). Throws if the initiator
+     * rejected the policy or the confirmation hash doesn't match.
+     */
+    onConfirm(data, opts = {}) {
+        if (this.initCanonical === null ||
+            this.respCanonical === null ||
+            this.sessionKeys === null) {
+            throw new Error("handshake: federation onConfirm before onInit");
+        }
+        const m = JSON.parse(new TextDecoder().decode(data));
+        if (m["type"] !== FederationMessageType ||
+            m["step"] !== "confirm" ||
+            m["party"] !== "server") {
+            throw new Error("handshake: federation confirm type/step/party mismatch");
+        }
+        const confirm = m;
+        if (confirm.session_id !== this.sessionId) {
+            throw new Error("handshake: federation confirm session_id mismatch");
+        }
+        const peerDomainPub = this.cfg.peerDomainPubLookup(this.peerDomain);
+        if (!verifyServerMessage(confirm, confirm.server_signature, peerDomainPub)) {
+            throw new Error("handshake: federation confirm server_signature did not verify");
+        }
+        const wantHash = confirmationHash(this.initCanonical, this.respCanonical);
+        const gotHash = base64Decode(confirm.confirmation_hash);
+        if (!constantTimeEqual(gotHash, wantHash)) {
+            throw new Error("handshake: federation confirmation hash mismatch");
+        }
+        if (!confirm.federation_acceptance.accepted) {
+            throw new Error(`handshake: federation initiator rejected our policy: ${confirm.federation_acceptance.reason ?? ""}`);
+        }
+        const ticket = opts.issueResumptionTicket?.(this.sessionKeys);
+        const acc = {
+            type: FederationMessageType,
+            step: "accepted",
+            party: "server",
+            version: HandshakeVersion,
+            session_id: this.sessionId,
+            status: "accepted",
+            session_ttl: this.sessionTTL,
+            ...(ticket !== undefined ? { resumption_ticket: ticket } : {}),
+            server_signature: "",
+            extensions: {},
+        };
+        acc.server_signature = signServerMessage(acc, this.cfg.localDomainSeed);
+        this.finalSession = {
+            sessionId: this.sessionId,
+            sessionTTL: this.sessionTTL,
+            keys: this.sessionKeys,
+            peerDomain: this.peerDomain,
+        };
+        if (this.respEphPriv !== null) {
+            this.respEphPriv.fill(0);
+            this.respEphPriv = null;
+        }
+        return canonicalMarshal(acc);
+    }
+    /** Final session populated by {@link onConfirm}. */
+    session() {
+        if (this.finalSession === null) {
+            throw new Error("handshake: federation responder session not yet established");
+        }
+        return this.finalSession;
+    }
+    /** Wipe in-memory secret state. */
+    erase() {
+        if (this.respEphPriv !== null) {
+            this.respEphPriv.fill(0);
+            this.respEphPriv = null;
+        }
+        if (this.peerNonce !== null) {
+            this.peerNonce.fill(0);
+            this.peerNonce = null;
+        }
+        if (this.serverNonce !== null) {
+            this.serverNonce.fill(0);
+            this.serverNonce = null;
+        }
+        this.sessionKeys = null;
+    }
+}
+// ---------------------------------------------------------------------------
+// Helpers
+function signServerMessage(msg, seed) {
+    const clone = JSON.parse(JSON.stringify(msg));
+    clone.server_signature = "";
+    const canonical = canonicalMarshal(clone);
+    const signingInput = concat(new TextEncoder().encode(HandshakePrefix), canonical);
+    return base64Encode(ed25519Sign(seed, signingInput));
+}
+function verifyServerMessage(msg, signatureB64, domainPub) {
+    if (signatureB64 === "") {
+        return false;
+    }
+    const clone = JSON.parse(JSON.stringify(msg));
+    clone["server_signature"] = "";
+    const canonical = canonicalMarshal(clone);
+    const signingInput = concat(new TextEncoder().encode(HandshakePrefix), canonical);
+    return ed25519Verify(domainPub, base64Decode(signatureB64), signingInput);
+}
+function pickSuite(offered, supported) {
+    for (const s of supported) {
+        if (offered.includes(s)) {
+            return s;
+        }
+    }
+    return undefined;
+}
+function constantTimeEqual(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    let diff = 0;
+    for (let i = 0; i < a.length; i++) {
+        diff |= (a[i] ?? 0) ^ (b[i] ?? 0);
+    }
+    return diff === 0;
+}
+function randomBytes(n) {
+    const out = new Uint8Array(n);
+    globalThis.crypto.getRandomValues(out);
+    return out;
+}
+function concat(a, b) {
+    const out = new Uint8Array(a.length + b.length);
+    out.set(a, 0);
+    out.set(b, a.length);
+    return out;
+}
+function base64Encode(b) {
+    if (typeof Buffer !== "undefined") {
+        return Buffer.from(b).toString("base64");
+    }
+    let bin = "";
+    for (let i = 0; i < b.length; i++) {
+        bin += String.fromCharCode(b[i] ?? 0);
+    }
+    return btoa(bin);
+}
+function base64Decode(s) {
+    if (typeof Buffer !== "undefined") {
+        return new Uint8Array(Buffer.from(s, "base64"));
+    }
+    const bin = atob(s);
+    const out = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) {
+        out[i] = bin.charCodeAt(i);
+    }
+    return out;
+}
+//# sourceMappingURL=federation.js.map