@sphereon/ssi-sdk-ext.key-utils 0.28.0 → 0.28.1-feature.esm.cjs.11

package/dist/index.cjs

@@ -0,0 +1,1219 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { newObj[key] = obj[key]; } } } newObj.default = obj; return newObj; } } function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+
+// src/functions.ts
+var _random = require('@ethersproject/random');
+var _bls12381 = require('@noble/curves/bls12-381');
+var _ed25519 = require('@noble/curves/ed25519');
+var _p256 = require('@noble/curves/p256');
+var _p384 = require('@noble/curves/p384');
+var _p521 = require('@noble/curves/p521');
+var _secp256k1 = require('@noble/curves/secp256k1');
+var _sha256 = require('@noble/hashes/sha256');
+var _sha512 = require('@noble/hashes/sha512');
+var _ssisdkextx509utils = require('@sphereon/ssi-sdk-ext.x509-utils');
+var _ssitypes = require('@sphereon/ssi-types');
+var _ed255193 = require('@stablelib/ed25519');
+var _debug = require('debug'); var _debug2 = _interopRequireDefault(_debug);
+var _elliptic = require('elliptic'); var _elliptic2 = _interopRequireDefault(_elliptic);
+var _rsajs = require('micro-rsa-dsa-dh/rsa.js'); var rsa = _interopRequireWildcard(_rsajs);
+var _uint8arrays = require('uint8arrays'); var u8a2 = _interopRequireWildcard(_uint8arrays); var u8a = _interopRequireWildcard(_uint8arrays);
+
+// src/digest-methods.ts
+
+
+
+var { fromString, toString, SupportedEncodings } = u8a;
+var digestMethodParams = /* @__PURE__ */ __name((hashAlgorithm) => {
+  if (hashAlgorithm === "SHA-256") {
+    return {
+      hashAlgorithm: "SHA-256",
+      digestMethod: sha256DigestMethod,
+      hash: _sha256.sha256
+    };
+  } else if (hashAlgorithm === "SHA-384") {
+    return {
+      hashAlgorithm: "SHA-384",
+      digestMethod: sha384DigestMethod,
+      hash: _sha512.sha384
+    };
+  } else {
+    return {
+      hashAlgorithm: "SHA-512",
+      digestMethod: sha512DigestMethod,
+      hash: _sha512.sha512
+    };
+  }
+}, "digestMethodParams");
+var shaHasher = /* @__PURE__ */ __name((input, alg) => {
+  const hashAlgorithm = alg.includes("384") ? "SHA-384" : alg.includes("512") ? "SHA-512" : "SHA-256";
+  return digestMethodParams(hashAlgorithm).hash(typeof input === "string" ? fromString(input, "utf-8") : new Uint8Array(input));
+}, "shaHasher");
+var sha256DigestMethod = /* @__PURE__ */ __name((input, encoding = "base16") => {
+  return toString(_sha256.sha256.call(void 0, fromString(input, "utf-8")), encoding);
+}, "sha256DigestMethod");
+var sha384DigestMethod = /* @__PURE__ */ __name((input, encoding = "base16") => {
+  return toString(_sha512.sha384.call(void 0, fromString(input, "utf-8")), encoding);
+}, "sha384DigestMethod");
+var sha512DigestMethod = /* @__PURE__ */ __name((input, encoding = "base16") => {
+  return toString(_sha512.sha512.call(void 0, fromString(input, "utf-8")), encoding);
+}, "sha512DigestMethod");
+
+// src/jwk-jcs.ts
+var _webencoding = require('web-encoding');
+var textEncoder = new (0, _webencoding.TextEncoder)();
+var textDecoder = new (0, _webencoding.TextDecoder)();
+function check(value, description, optional = false) {
+  if (optional && !value) {
+    return;
+  }
+  if (typeof value !== "string" || !value) {
+    throw new Error(`${description} missing or invalid`);
+  }
+}
+__name(check, "check");
+function assertObject(value) {
+  if (!value || typeof value !== "object") {
+    throw new Error("Value must be an object");
+  }
+}
+__name(assertObject, "assertObject");
+function validateJwk(jwk, opts) {
+  assertObject(jwk);
+  const { crvOptional = false } = _nullishCoalesce(opts, () => ( {}));
+  check(jwk.kty, '"kty" (Key Type) Parameter', false);
+  switch (jwk.kty) {
+    /**
+    * @see https://www.rfc-editor.org/rfc/rfc7518#section-6.2.1
+    */
+    case "EC":
+      check(jwk.crv, '"crv" (Curve) Parameter', crvOptional);
+      check(jwk.x, '"x" (X Coordinate) Parameter');
+      check(jwk.y, '"y" (Y Coordinate) Parameter');
+      break;
+    /**
+    * @see https://www.rfc-editor.org/rfc/rfc8037#section-2
+    */
+    case "OKP":
+      check(jwk.crv, '"crv" (Subtype of Key Pair) Parameter', crvOptional);
+      check(jwk.x, '"x" (Public Key) Parameter');
+      break;
+    /**
+    * @see https://www.rfc-editor.org/rfc/rfc7518#section-6.3.1
+    */
+    case "RSA":
+      check(jwk.e, '"e" (Exponent) Parameter');
+      check(jwk.n, '"n" (Modulus) Parameter');
+      break;
+    default:
+      throw new Error('"kty" (Key Type) Parameter missing or unsupported');
+  }
+}
+__name(validateJwk, "validateJwk");
+function minimalJwk(jwk) {
+  switch (jwk.kty) {
+    case "EC":
+      return {
+        ...jwk.crv && {
+          crv: jwk.crv
+        },
+        kty: jwk.kty,
+        x: jwk.x,
+        y: jwk.y
+      };
+    case "OKP":
+      return {
+        ...jwk.crv && {
+          crv: jwk.crv
+        },
+        kty: jwk.kty,
+        x: jwk.x
+      };
+    case "RSA":
+      return {
+        e: jwk.e,
+        kty: jwk.kty,
+        n: jwk.n
+      };
+  }
+  throw Error(`Unsupported key type (kty) provided: ${jwk.kty}`);
+}
+__name(minimalJwk, "minimalJwk");
+function jwkJcsEncode(jwk) {
+  validateJwk(jwk);
+  const strippedJwk = minimalJwk(jwk);
+  return textEncoder.encode(jcsCanonicalize(strippedJwk));
+}
+__name(jwkJcsEncode, "jwkJcsEncode");
+function jwkJcsDecode(bytes) {
+  const jwk = JSON.parse(textDecoder.decode(bytes));
+  validateJwk(jwk);
+  if (JSON.stringify(jwk) !== jcsCanonicalize(minimalJwk(jwk))) {
+    throw new Error("The JWK embedded in the DID is not correctly formatted");
+  }
+  return jwk;
+}
+__name(jwkJcsDecode, "jwkJcsDecode");
+function jcsCanonicalize(object) {
+  let buffer = "";
+  serialize(object);
+  return buffer;
+  function serialize(object2) {
+    if (object2 === null || typeof object2 !== "object" || object2.toJSON != null) {
+      buffer += JSON.stringify(object2);
+    } else if (Array.isArray(object2)) {
+      buffer += "[";
+      let next = false;
+      object2.forEach((element) => {
+        if (next) {
+          buffer += ",";
+        }
+        next = true;
+        serialize(element);
+      });
+      buffer += "]";
+    } else {
+      buffer += "{";
+      let next = false;
+      Object.keys(object2).sort().forEach((property) => {
+        if (next) {
+          buffer += ",";
+        }
+        next = true;
+        buffer += JSON.stringify(property);
+        buffer += ":";
+        serialize(object2[property]);
+      });
+      buffer += "}";
+    }
+  }
+  __name(serialize, "serialize");
+}
+__name(jcsCanonicalize, "jcsCanonicalize");
+
+// src/types/key-util-types.ts
+var JWK_JCS_PUB_NAME = "jwk_jcs-pub";
+var JWK_JCS_PUB_PREFIX = 60241;
+var Key = /* @__PURE__ */ function(Key2) {
+  Key2["Ed25519"] = "Ed25519";
+  Key2["Secp256k1"] = "Secp256k1";
+  Key2["Secp256r1"] = "Secp256r1";
+  return Key2;
+}({});
+var JwkKeyUse = /* @__PURE__ */ function(JwkKeyUse2) {
+  JwkKeyUse2["Encryption"] = "enc";
+  JwkKeyUse2["Signature"] = "sig";
+  return JwkKeyUse2;
+}({});
+var SIG_KEY_ALGS = [
+  "ES256",
+  "ES384",
+  "ES512",
+  "EdDSA",
+  "ES256K",
+  "Ed25519",
+  "Secp256k1",
+  "Secp256r1",
+  "Bls12381G1",
+  "Bls12381G2"
+];
+var ENC_KEY_ALGS = [
+  "X25519",
+  "ECDH_ES_A256KW",
+  "RSA_OAEP_256"
+];
+
+// src/functions.ts
+var { fromString: fromString2, toString: toString2 } = u8a2;
+var logger = _ssitypes.Loggers.DEFAULT.get("sphereon:key-utils");
+var getKms = /* @__PURE__ */ __name(async (context, kms) => {
+  if (kms) {
+    return kms;
+  }
+  if (!context.agent.availableMethods().includes("keyManagerGetDefaultKeyManagementSystem")) {
+    throw Error("Cannot determine default KMS if not provided and a non Sphereon Key Manager is being used");
+  }
+  return context.agent.keyManagerGetDefaultKeyManagementSystem();
+}, "getKms");
+var generatePrivateKeyHex = /* @__PURE__ */ __name(async (type) => {
+  switch (type) {
+    case "Ed25519": {
+      const keyPairEd25519 = _ed255193.generateKeyPair.call(void 0, );
+      return toString2(keyPairEd25519.secretKey, "base16");
+    }
+    // The Secp256 types use the same method to generate the key
+    case "Secp256r1":
+    case "Secp256k1": {
+      const privateBytes = _random.randomBytes.call(void 0, 32);
+      return toString2(privateBytes, "base16");
+    }
+    case "RSA": {
+      const pem = await _ssisdkextx509utils.generateRSAKeyAsPEM.call(void 0, "RSA-PSS", "SHA-256", 2048);
+      return _ssisdkextx509utils.privateKeyHexFromPEM.call(void 0, pem);
+    }
+    default:
+      throw Error(`not_supported: Key type ${type} not yet supported for this did:jwk implementation`);
+  }
+}, "generatePrivateKeyHex");
+var keyMetaAlgorithmsFromKeyType = /* @__PURE__ */ __name((type) => {
+  switch (type) {
+    case "Ed25519":
+      return [
+        "Ed25519",
+        "EdDSA"
+      ];
+    case "ES256K":
+    case "Secp256k1":
+      return [
+        "ES256K",
+        "ES256K-R",
+        "eth_signTransaction",
+        "eth_signTypedData",
+        "eth_signMessage",
+        "eth_rawSign"
+      ];
+    case "Secp256r1":
+      return [
+        "ES256"
+      ];
+    case "X25519":
+      return [
+        "ECDH",
+        "ECDH-ES",
+        "ECDH-1PU"
+      ];
+    case "RSA":
+      return [
+        "RS256",
+        "RS512",
+        "PS256",
+        "PS512"
+      ];
+  }
+  return [
+    type
+  ];
+}, "keyMetaAlgorithmsFromKeyType");
+async function importProvidedOrGeneratedKey(args, context) {
+  const type = _nullishCoalesce(_nullishCoalesce(_nullishCoalesce(_optionalChain([args, 'access', _ => _.options, 'optionalAccess', _2 => _2.type]), () => ( _optionalChain([args, 'access', _3 => _3.options, 'optionalAccess', _4 => _4.key, 'optionalAccess', _5 => _5.type]))), () => ( _optionalChain([args, 'access', _6 => _6.options, 'optionalAccess', _7 => _7.keyType]))), () => ( "Secp256r1"));
+  const key = _optionalChain([args, 'optionalAccess', _8 => _8.options, 'optionalAccess', _9 => _9.key]);
+  if (_optionalChain([args, 'access', _10 => _10.options, 'optionalAccess', _11 => _11.x509]) && key) {
+    key.meta = {
+      ...key.meta,
+      x509: {
+        ...args.options.x509,
+        ..._optionalChain([key, 'access', _12 => _12.meta, 'optionalAccess', _13 => _13.x509])
+      }
+    };
+  }
+  if (args.options && _optionalChain([args, 'access', _14 => _14.options, 'optionalAccess', _15 => _15.use]) === JwkKeyUse.Encryption && !ENC_KEY_ALGS.includes(type)) {
+    throw new Error(`${type} keys are not valid for encryption`);
+  }
+  let privateKeyHex = void 0;
+  if (key) {
+    privateKeyHex = _nullishCoalesce(key.privateKeyHex, () => ( _optionalChain([key, 'access', _16 => _16.meta, 'optionalAccess', _17 => _17.x509, 'optionalAccess', _18 => _18.privateKeyHex])));
+    if ((!privateKeyHex || privateKeyHex.trim() === "") && _optionalChain([key, 'optionalAccess', _19 => _19.meta, 'optionalAccess', _20 => _20.x509, 'optionalAccess', _21 => _21.privateKeyPEM])) {
+      privateKeyHex = _ssisdkextx509utils.privateKeyHexFromPEM.call(void 0, key.meta.x509.privateKeyPEM);
+    }
+  }
+  if (privateKeyHex) {
+    return context.agent.keyManagerImport({
+      ...key,
+      kms: args.kms,
+      type,
+      privateKeyHex
+    });
+  }
+  return context.agent.keyManagerCreate({
+    type,
+    kms: args.kms,
+    meta: {
+      ..._optionalChain([key, 'optionalAccess', _22 => _22.meta]),
+      algorithms: keyMetaAlgorithmsFromKeyType(type),
+      keyAlias: args.alias
+    }
+  });
+}
+__name(importProvidedOrGeneratedKey, "importProvidedOrGeneratedKey");
+var calculateJwkThumbprintForKey = /* @__PURE__ */ __name((args) => {
+  const { key } = args;
+  const jwk = key.publicKeyHex ? toJwk(key.publicKeyHex, key.type, {
+    key,
+    isPrivateKey: false
+  }) : "privateKeyHex" in key && key.privateKeyHex ? toJwk(key.privateKeyHex, key.type, {
+    isPrivateKey: true
+  }) : void 0;
+  if (!jwk) {
+    throw Error(`Could not determine jwk from key ${key.kid}`);
+  }
+  return calculateJwkThumbprint({
+    jwk,
+    digestAlgorithm: args.digestAlgorithm
+  });
+}, "calculateJwkThumbprintForKey");
+var assertJwkClaimPresent = /* @__PURE__ */ __name((value, description) => {
+  if (typeof value !== "string" || !value) {
+    throw new Error(`${description} missing or invalid`);
+  }
+}, "assertJwkClaimPresent");
+var toBase64url = /* @__PURE__ */ __name((input) => toString2(fromString2(input), "base64url"), "toBase64url");
+var calculateJwkThumbprint = /* @__PURE__ */ __name((args) => {
+  const { digestAlgorithm = "sha256" } = args;
+  const jwk = sanitizedJwk(args.jwk);
+  let components;
+  switch (jwk.kty) {
+    case "EC":
+      assertJwkClaimPresent(jwk.crv, '"crv" (Curve) Parameter');
+      assertJwkClaimPresent(jwk.x, '"x" (X Coordinate) Parameter');
+      assertJwkClaimPresent(jwk.y, '"y" (Y Coordinate) Parameter');
+      components = {
+        crv: jwk.crv,
+        kty: jwk.kty,
+        x: jwk.x,
+        y: jwk.y
+      };
+      break;
+    case "OKP":
+      assertJwkClaimPresent(jwk.crv, '"crv" (Subtype of Key Pair) Parameter');
+      assertJwkClaimPresent(jwk.x, '"x" (Public Key) Parameter');
+      components = {
+        crv: jwk.crv,
+        kty: jwk.kty,
+        x: jwk.x
+      };
+      break;
+    case "RSA":
+      assertJwkClaimPresent(jwk.e, '"e" (Exponent) Parameter');
+      assertJwkClaimPresent(jwk.n, '"n" (Modulus) Parameter');
+      components = {
+        e: jwk.e,
+        kty: jwk.kty,
+        n: jwk.n
+      };
+      break;
+    case "oct":
+      assertJwkClaimPresent(jwk.k, '"k" (Key Value) Parameter');
+      components = {
+        k: jwk.k,
+        kty: jwk.kty
+      };
+      break;
+    default:
+      throw new Error('"kty" (Key Type) Parameter missing or unsupported');
+  }
+  const data = JSON.stringify(components);
+  return digestAlgorithm === "sha512" ? digestMethodParams("SHA-512").digestMethod(data, "base64url") : digestMethodParams("SHA-256").digestMethod(data, "base64url");
+}, "calculateJwkThumbprint");
+var toJwkFromKey = /* @__PURE__ */ __name((key, opts) => {
+  const isPrivateKey = "privateKeyHex" in key;
+  return toJwk(key.publicKeyHex, key.type, {
+    ...opts,
+    key,
+    isPrivateKey
+  });
+}, "toJwkFromKey");
+var toJwk = /* @__PURE__ */ __name((publicKeyHex, type, opts) => {
+  const { key, noKidThumbprint = false } = _nullishCoalesce(opts, () => ( {}));
+  if (key && key.publicKeyHex !== publicKeyHex && _optionalChain([opts, 'optionalAccess', _23 => _23.isPrivateKey]) !== true) {
+    throw Error(`Provided key with id ${key.kid}, has a different public key hex ${key.publicKeyHex} than supplied public key ${publicKeyHex}`);
+  }
+  let jwk;
+  switch (type) {
+    case "Ed25519":
+      jwk = toEd25519OrX25519Jwk(publicKeyHex, {
+        ...opts,
+        crv: _ssitypes.JoseCurve.Ed25519
+      });
+      break;
+    case "X25519":
+      jwk = toEd25519OrX25519Jwk(publicKeyHex, {
+        ...opts,
+        crv: _ssitypes.JoseCurve.X25519
+      });
+      break;
+    case "Secp256k1":
+      jwk = toSecp256k1Jwk(publicKeyHex, opts);
+      break;
+    case "Secp256r1":
+      jwk = toSecp256r1Jwk(publicKeyHex, opts);
+      break;
+    case "RSA":
+      jwk = toRSAJwk(publicKeyHex, opts);
+      break;
+    default:
+      throw new Error(`not_supported: Key type ${type} not yet supported for this did:jwk implementation`);
+  }
+  if (!jwk.kid && !noKidThumbprint) {
+    jwk["kid"] = calculateJwkThumbprint({
+      jwk
+    });
+  }
+  return sanitizedJwk(jwk);
+}, "toJwk");
+var jwkToRawHexKey = /* @__PURE__ */ __name(async (jwk) => {
+  jwk = sanitizedJwk(jwk);
+  if (jwk.kty === "RSA") {
+    return rsaJwkToRawHexKey(jwk);
+  } else if (jwk.kty === "EC") {
+    return ecJwkToRawHexKey(jwk);
+  } else if (jwk.kty === "OKP") {
+    return okpJwkToRawHexKey(jwk);
+  } else if (jwk.kty === "oct") {
+    return octJwkToRawHexKey(jwk);
+  } else {
+    throw new Error(`Unsupported key type: ${jwk.kty}`);
+  }
+}, "jwkToRawHexKey");
+function rsaJwkToRawHexKey(jwk) {
+  jwk = sanitizedJwk(jwk);
+  if (!jwk.n || !jwk.e) {
+    throw new Error("RSA JWK must contain 'n' and 'e' properties.");
+  }
+  const modulus = fromString2(jwk.n.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, ""), "base64url");
+  const exponent = fromString2(jwk.e.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, ""), "base64url");
+  return toString2(modulus, "hex") + toString2(exponent, "hex");
+}
+__name(rsaJwkToRawHexKey, "rsaJwkToRawHexKey");
+function ecJwkToRawHexKey(jwk) {
+  jwk = sanitizedJwk(jwk);
+  if (!jwk.x || !jwk.y) {
+    throw new Error("EC JWK must contain 'x' and 'y' properties.");
+  }
+  const x = fromString2(jwk.x.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, ""), "base64url");
+  const y = fromString2(jwk.y.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, ""), "base64url");
+  return "04" + toString2(x, "hex") + toString2(y, "hex");
+}
+__name(ecJwkToRawHexKey, "ecJwkToRawHexKey");
+function okpJwkToRawHexKey(jwk) {
+  jwk = sanitizedJwk(jwk);
+  if (!jwk.x) {
+    throw new Error("OKP JWK must contain 'x' property.");
+  }
+  const x = fromString2(jwk.x.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, ""), "base64url");
+  return toString2(x, "hex");
+}
+__name(okpJwkToRawHexKey, "okpJwkToRawHexKey");
+function octJwkToRawHexKey(jwk) {
+  jwk = sanitizedJwk(jwk);
+  if (!jwk.k) {
+    throw new Error("Octet JWK must contain 'k' property.");
+  }
+  const key = fromString2(jwk.k.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, ""), "base64url");
+  return toString2(key, "hex");
+}
+__name(octJwkToRawHexKey, "octJwkToRawHexKey");
+var jwkDetermineUse = /* @__PURE__ */ __name((type, suppliedUse) => {
+  return suppliedUse ? suppliedUse : SIG_KEY_ALGS.includes(type) ? JwkKeyUse.Signature : ENC_KEY_ALGS.includes(type) ? JwkKeyUse.Encryption : void 0;
+}, "jwkDetermineUse");
+var assertProperKeyLength = /* @__PURE__ */ __name((keyHex, expectedKeyLength) => {
+  if (Array.isArray(expectedKeyLength)) {
+    if (!expectedKeyLength.includes(keyHex.length)) {
+      throw Error(`Invalid key length. Needs to be a hex string with length from ${JSON.stringify(expectedKeyLength)} instead of ${keyHex.length}. Input: ${keyHex}`);
+    }
+  } else if (keyHex.length !== expectedKeyLength) {
+    throw Error(`Invalid key length. Needs to be a hex string with length ${expectedKeyLength} instead of ${keyHex.length}. Input: ${keyHex}`);
+  }
+}, "assertProperKeyLength");
+var toSecp256k1Jwk = /* @__PURE__ */ __name((keyHex, opts) => {
+  const { use } = _nullishCoalesce(opts, () => ( {}));
+  logger.debug(`toSecp256k1Jwk keyHex: ${keyHex}, length: ${keyHex.length}`);
+  if (_optionalChain([opts, 'optionalAccess', _24 => _24.isPrivateKey])) {
+    assertProperKeyLength(keyHex, [
+      64
+    ]);
+  } else {
+    assertProperKeyLength(keyHex, [
+      66,
+      130
+    ]);
+  }
+  const secp256k12 = new _elliptic2.default.ec("secp256k1");
+  const keyBytes = fromString2(keyHex, "base16");
+  const keyPair = _optionalChain([opts, 'optionalAccess', _25 => _25.isPrivateKey]) ? secp256k12.keyFromPrivate(keyBytes) : secp256k12.keyFromPublic(keyBytes);
+  const pubPoint = keyPair.getPublic();
+  return sanitizedJwk({
+    alg: _ssitypes.JoseSignatureAlgorithm.ES256K,
+    ...use !== void 0 && {
+      use
+    },
+    kty: _ssitypes.JwkKeyType.EC,
+    crv: _ssitypes.JoseCurve.secp256k1,
+    x: _ssisdkextx509utils.hexToBase64.call(void 0, pubPoint.getX().toString("hex"), "base64url"),
+    y: _ssisdkextx509utils.hexToBase64.call(void 0, pubPoint.getY().toString("hex"), "base64url"),
+    ..._optionalChain([opts, 'optionalAccess', _26 => _26.isPrivateKey]) && {
+      d: _ssisdkextx509utils.hexToBase64.call(void 0, keyPair.getPrivate("hex"), "base64url")
+    }
+  });
+}, "toSecp256k1Jwk");
+var toSecp256r1Jwk = /* @__PURE__ */ __name((keyHex, opts) => {
+  const { use } = _nullishCoalesce(opts, () => ( {}));
+  logger.debug(`toSecp256r1Jwk keyHex: ${keyHex}, length: ${keyHex.length}`);
+  if (_optionalChain([opts, 'optionalAccess', _27 => _27.isPrivateKey])) {
+    assertProperKeyLength(keyHex, [
+      64
+    ]);
+  } else {
+    assertProperKeyLength(keyHex, [
+      66,
+      130
+    ]);
+  }
+  const secp256r1 = new _elliptic2.default.ec("p256");
+  const keyBytes = fromString2(keyHex, "base16");
+  logger.debug(`keyBytes length: ${keyBytes}`);
+  const keyPair = _optionalChain([opts, 'optionalAccess', _28 => _28.isPrivateKey]) ? secp256r1.keyFromPrivate(keyBytes) : secp256r1.keyFromPublic(keyBytes);
+  const pubPoint = keyPair.getPublic();
+  return sanitizedJwk({
+    alg: _ssitypes.JoseSignatureAlgorithm.ES256,
+    ...use !== void 0 && {
+      use
+    },
+    kty: _ssitypes.JwkKeyType.EC,
+    crv: _ssitypes.JoseCurve.P_256,
+    x: _ssisdkextx509utils.hexToBase64.call(void 0, pubPoint.getX().toString("hex"), "base64url"),
+    y: _ssisdkextx509utils.hexToBase64.call(void 0, pubPoint.getY().toString("hex"), "base64url"),
+    ..._optionalChain([opts, 'optionalAccess', _29 => _29.isPrivateKey]) && {
+      d: _ssisdkextx509utils.hexToBase64.call(void 0, keyPair.getPrivate("hex"), "base64url")
+    }
+  });
+}, "toSecp256r1Jwk");
+var toEd25519OrX25519Jwk = /* @__PURE__ */ __name((publicKeyHex, opts) => {
+  assertProperKeyLength(publicKeyHex, 64);
+  const { use } = _nullishCoalesce(opts, () => ( {}));
+  return sanitizedJwk({
+    alg: _ssitypes.JoseSignatureAlgorithm.EdDSA,
+    ...use !== void 0 && {
+      use
+    },
+    kty: _ssitypes.JwkKeyType.OKP,
+    crv: _nullishCoalesce(_optionalChain([opts, 'optionalAccess', _30 => _30.crv]), () => ( _ssitypes.JoseCurve.Ed25519)),
+    x: _ssisdkextx509utils.hexToBase64.call(void 0, publicKeyHex, "base64url")
+  });
+}, "toEd25519OrX25519Jwk");
+var toRSAJwk = /* @__PURE__ */ __name((publicKeyHex, opts) => {
+  const meta = _optionalChain([opts, 'optionalAccess', _31 => _31.key, 'optionalAccess', _32 => _32.meta]);
+  if (_optionalChain([meta, 'optionalAccess', _33 => _33.publicKeyJwk]) || _optionalChain([meta, 'optionalAccess', _34 => _34.publicKeyPEM])) {
+    if (_optionalChain([meta, 'optionalAccess', _35 => _35.publicKeyJwk])) {
+      return meta.publicKeyJwk;
+    }
+    const publicKeyPEM = _nullishCoalesce(_optionalChain([meta, 'optionalAccess', _36 => _36.publicKeyPEM]), () => ( _ssisdkextx509utils.hexToPEM.call(void 0, publicKeyHex, "public")));
+    return _ssisdkextx509utils.PEMToJwk.call(void 0, publicKeyPEM, "public");
+  }
+  const exponent = publicKeyHex.slice(-5);
+  const modulus = publicKeyHex.slice(0, -5);
+  return sanitizedJwk({
+    kty: "RSA",
+    n: _ssisdkextx509utils.hexToBase64.call(void 0, modulus, "base64url"),
+    e: _ssisdkextx509utils.hexToBase64.call(void 0, exponent, "base64url")
+  });
+}, "toRSAJwk");
+var padLeft = /* @__PURE__ */ __name((args) => {
+  const { data } = args;
+  const size = _nullishCoalesce(args.size, () => ( 32));
+  const padString = _nullishCoalesce(args.padString, () => ( "0"));
+  if (data.length >= size) {
+    return data;
+  }
+  if (padString && padString.length === 0) {
+    throw Error(`Pad string needs to have at least a length of 1`);
+  }
+  const length = padString.length;
+  return padString.repeat((size - data.length) / length) + data;
+}, "padLeft");
+var OID = {
+  [0]: new Uint8Array([
+    6,
+    7,
+    42,
+    134,
+    72,
+    206,
+    61,
+    2,
+    1
+  ]),
+  [1]: new Uint8Array([
+    6,
+    8,
+    42,
+    134,
+    72,
+    206,
+    61,
+    3,
+    1,
+    7
+  ]),
+  [2]: new Uint8Array([
+    6,
+    3,
+    43,
+    101,
+    112
+  ])
+};
+var compareUint8Arrays = /* @__PURE__ */ __name((a, b) => {
+  if (a.length !== b.length) {
+    return false;
+  }
+  for (let i = 0; i < a.length; i++) {
+    if (a[i] !== b[i]) {
+      return false;
+    }
+  }
+  return true;
+}, "compareUint8Arrays");
+var findSubarray = /* @__PURE__ */ __name((haystack, needle) => {
+  for (let i = 0; i <= haystack.length - needle.length; i++) {
+    if (compareUint8Arrays(haystack.subarray(i, i + needle.length), needle)) {
+      return i;
+    }
+  }
+  return -1;
+}, "findSubarray");
+var getTargetOID = /* @__PURE__ */ __name((keyType) => {
+  switch (keyType) {
+    case "Secp256k1":
+      return OID[0];
+    case "Secp256r1":
+      return OID[1];
+    case "Ed25519":
+      return OID[2];
+    default:
+      throw new Error(`Unsupported key type: ${keyType}`);
+  }
+}, "getTargetOID");
+var isAsn1Der = /* @__PURE__ */ __name((key) => key[0] === 48, "isAsn1Der");
+var asn1DerToRawPublicKey = /* @__PURE__ */ __name((derKey, keyType) => {
+  if (!isAsn1Der(derKey)) {
+    throw new Error("Invalid DER encoding: Expected to start with sequence tag");
+  }
+  let index = 2;
+  if (derKey[1] & 128) {
+    const lengthBytesCount = derKey[1] & 127;
+    index += lengthBytesCount;
+  }
+  const targetOid = getTargetOID(keyType);
+  const oidIndex = findSubarray(derKey, targetOid);
+  if (oidIndex === -1) {
+    throw new Error(`OID for ${keyType} not found in DER encoding`);
+  }
+  index = oidIndex + targetOid.length;
+  while (index < derKey.length && derKey[index] !== 3) {
+    index++;
+  }
+  if (index >= derKey.length) {
+    throw new Error("Invalid DER encoding: Bit string not found");
+  }
+  index += 2;
+  index++;
+  return derKey.slice(index);
+}, "asn1DerToRawPublicKey");
+var isRawCompressedPublicKey = /* @__PURE__ */ __name((key) => key.length === 33 && (key[0] === 2 || key[0] === 3), "isRawCompressedPublicKey");
+var toRawCompressedHexPublicKey = /* @__PURE__ */ __name((rawPublicKey, keyType) => {
+  if (isRawCompressedPublicKey(rawPublicKey)) {
+    return hexStringFromUint8Array(rawPublicKey);
+  }
+  if (keyType === "Secp256k1" || keyType === "Secp256r1") {
+    if (rawPublicKey[0] === 4 && rawPublicKey.length === 65) {
+      const xCoordinate = rawPublicKey.slice(1, 33);
+      const yCoordinate = rawPublicKey.slice(33);
+      const prefix = new Uint8Array([
+        yCoordinate[31] % 2 === 0 ? 2 : 3
+      ]);
+      const resultKey = hexStringFromUint8Array(new Uint8Array([
+        ...prefix,
+        ...xCoordinate
+      ]));
+      logger.debug(`converted public key ${hexStringFromUint8Array(rawPublicKey)} to ${resultKey}`);
+      return resultKey;
+    }
+    return toString2(rawPublicKey, "base16");
+  } else if (keyType === "Ed25519") {
+    return toString2(rawPublicKey, "base16");
+  }
+  throw new Error(`Unsupported key type: ${keyType}`);
+}, "toRawCompressedHexPublicKey");
+var hexStringFromUint8Array = /* @__PURE__ */ __name((value) => toString2(value, "base16"), "hexStringFromUint8Array");
+var signatureAlgorithmFromKey = /* @__PURE__ */ __name(async (args) => {
+  const { key } = args;
+  return signatureAlgorithmFromKeyType({
+    type: key.type
+  });
+}, "signatureAlgorithmFromKey");
+var signatureAlgorithmFromKeyType = /* @__PURE__ */ __name((args) => {
+  const { type } = args;
+  switch (type) {
+    case "Ed25519":
+    case "X25519":
+      return _ssitypes.JoseSignatureAlgorithm.EdDSA;
+    case "Secp256r1":
+      return _ssitypes.JoseSignatureAlgorithm.ES256;
+    case "Secp384r1":
+      return _ssitypes.JoseSignatureAlgorithm.ES384;
+    case "Secp521r1":
+      return _ssitypes.JoseSignatureAlgorithm.ES512;
+    case "Secp256k1":
+      return _ssitypes.JoseSignatureAlgorithm.ES256K;
+    default:
+      throw new Error(`Key type '${type}' not supported`);
+  }
+}, "signatureAlgorithmFromKeyType");
+var keyTypeFromCryptographicSuite = /* @__PURE__ */ __name((args) => {
+  const { crv, kty, alg } = args;
+  switch (alg) {
+    case "RSASSA-PSS":
+    case "RS256":
+    case "RS384":
+    case "RS512":
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return "RSA";
+  }
+  switch (crv) {
+    case "EdDSA":
+    case "Ed25519":
+    case "Ed25519Signature2018":
+    case "Ed25519Signature2020":
+    case "JcsEd25519Signature2020":
+      return "Ed25519";
+    case "JsonWebSignature2020":
+    case "ES256":
+    case "ECDSA":
+    case "P-256":
+      return "Secp256r1";
+    case "ES384":
+    case "P-384":
+      return "Secp384r1";
+    case "ES512":
+    case "P-521":
+      return "Secp521r1";
+    case "EcdsaSecp256k1Signature2019":
+    case "secp256k1":
+    case "ES256K":
+      return "Secp256k1";
+  }
+  if (kty) {
+    return kty;
+  }
+  throw new Error(`Cryptographic suite '${crv}' not supported`);
+}, "keyTypeFromCryptographicSuite");
+function removeNulls(obj) {
+  Object.keys(obj).forEach((key) => {
+    if (obj[key] && typeof obj[key] === "object") removeNulls(obj[key]);
+    else if (obj[key] == null) delete obj[key];
+  });
+  return obj;
+}
+__name(removeNulls, "removeNulls");
+var globalCrypto = /* @__PURE__ */ __name((setGlobal, suppliedCrypto) => {
+  let webcrypto;
+  if (typeof suppliedCrypto !== "undefined") {
+    webcrypto = suppliedCrypto;
+  } else if (typeof crypto !== "undefined") {
+    webcrypto = crypto;
+  } else if (typeof global.crypto !== "undefined") {
+    webcrypto = global.crypto;
+  } else {
+    if (typeof _optionalChain([global, 'access', _37 => _37.window, 'optionalAccess', _38 => _38.crypto, 'optionalAccess', _39 => _39.subtle]) !== "undefined") {
+      webcrypto = global.window.crypto;
+    } else {
+      webcrypto = Promise.resolve().then(() => _interopRequireWildcard(require("crypto")));
+    }
+  }
+  if (setGlobal) {
+    global.crypto = webcrypto;
+  }
+  return webcrypto;
+}, "globalCrypto");
+var sanitizedJwk = /* @__PURE__ */ __name((input) => {
+  const inputJwk = typeof input["toJsonDTO"] === "function" ? input["toJsonDTO"]() : {
+    ...input
+  };
+  const jwk = {
+    ...inputJwk,
+    ...inputJwk.x && {
+      x: base64ToBase64Url(inputJwk.x)
+    },
+    ...inputJwk.y && {
+      y: base64ToBase64Url(inputJwk.y)
+    },
+    ...inputJwk.d && {
+      d: base64ToBase64Url(inputJwk.d)
+    },
+    ...inputJwk.n && {
+      n: base64ToBase64Url(inputJwk.n)
+    },
+    ...inputJwk.e && {
+      e: base64ToBase64Url(inputJwk.e)
+    },
+    ...inputJwk.k && {
+      k: base64ToBase64Url(inputJwk.k)
+    }
+  };
+  return removeNulls(jwk);
+}, "sanitizedJwk");
+var base64ToBase64Url = /* @__PURE__ */ __name((input) => {
+  return input.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}, "base64ToBase64Url");
+async function verifyRawSignature({ data, signature, key: inputKey, opts }) {
+  function jwkPropertyToBigInt(jwkProp) {
+    const byteArray = fromString2(jwkProp, "base64url");
+    const hex = toString2(byteArray, "hex");
+    return BigInt(`0x${hex}`);
+  }
+  __name(jwkPropertyToBigInt, "jwkPropertyToBigInt");
+  try {
+    _debug2.default.call(void 0, `verifyRawSignature for: ${inputKey}`);
+    const jwk = sanitizedJwk(inputKey);
+    validateJwk(jwk, {
+      crvOptional: true
+    });
+    const keyType = keyTypeFromCryptographicSuite({
+      crv: jwk.crv,
+      kty: jwk.kty,
+      alg: jwk.alg
+    });
+    const publicKeyHex = await jwkToRawHexKey(jwk);
+    switch (keyType) {
+      case "Secp256k1":
+        return _secp256k1.secp256k1.verify(signature, data, publicKeyHex, {
+          format: "compact",
+          prehash: true
+        });
+      case "Secp256r1":
+        return _p256.p256.verify(signature, data, publicKeyHex, {
+          format: "compact",
+          prehash: true
+        });
+      case "Secp384r1":
+        return _p384.p384.verify(signature, data, publicKeyHex, {
+          format: "compact",
+          prehash: true
+        });
+      case "Secp521r1":
+        return _p521.p521.verify(signature, data, publicKeyHex, {
+          format: "compact",
+          prehash: true
+        });
+      case "Ed25519":
+        return _ed25519.ed25519.verify(signature, data, fromString2(publicKeyHex, "hex"));
+      case "Bls12381G1":
+      case "Bls12381G2":
+        return _bls12381.bls12_381.verify(signature, data, fromString2(publicKeyHex, "hex"));
+      case "RSA": {
+        const signatureAlgorithm = _nullishCoalesce(_nullishCoalesce(_optionalChain([opts, 'optionalAccess', _40 => _40.signatureAlg]), () => ( jwk.alg)), () => ( _ssitypes.JoseSignatureAlgorithm.PS256));
+        const hashAlg = signatureAlgorithm === (_ssitypes.JoseSignatureAlgorithm.RS512 || _ssitypes.JoseSignatureAlgorithm.PS512) ? _sha512.sha512 : signatureAlgorithm === (_ssitypes.JoseSignatureAlgorithm.RS384 || _ssitypes.JoseSignatureAlgorithm.PS384) ? _sha512.sha384 : _sha256.sha256;
+        switch (signatureAlgorithm) {
+          case _ssitypes.JoseSignatureAlgorithm.RS256:
+            return rsa.PKCS1_SHA256.verify({
+              n: jwkPropertyToBigInt(jwk.n),
+              e: jwkPropertyToBigInt(jwk.e)
+            }, data, signature);
+          case _ssitypes.JoseSignatureAlgorithm.RS384:
+            return rsa.PKCS1_SHA384.verify({
+              n: jwkPropertyToBigInt(jwk.n),
+              e: jwkPropertyToBigInt(jwk.e)
+            }, data, signature);
+          case _ssitypes.JoseSignatureAlgorithm.RS512:
+            return rsa.PKCS1_SHA512.verify({
+              n: jwkPropertyToBigInt(jwk.n),
+              e: jwkPropertyToBigInt(jwk.e)
+            }, data, signature);
+          case _ssitypes.JoseSignatureAlgorithm.PS256:
+          case _ssitypes.JoseSignatureAlgorithm.PS384:
+          case _ssitypes.JoseSignatureAlgorithm.PS512:
+            return rsa.PSS(hashAlg, rsa.mgf1(hashAlg)).verify({
+              n: jwkPropertyToBigInt(jwk.n),
+              e: jwkPropertyToBigInt(jwk.e)
+            }, data, signature);
+        }
+      }
+    }
+    throw Error(`Unsupported key type for signature validation: ${keyType}`);
+  } catch (error) {
+    logger.error(`Error: ${error}`);
+    throw error;
+  }
+}
+__name(verifyRawSignature, "verifyRawSignature");
+
+// src/conversion.ts
+
+function coseKeyToJwk(coseKey) {
+  const { x5chain, key_ops, crv, alg, baseIV, kty, ...rest } = coseKey;
+  return removeNulls({
+    ...rest,
+    kty: coseToJoseKty(kty),
+    ...crv && {
+      crv: coseToJoseCurve(crv)
+    },
+    ...key_ops && {
+      key_ops: key_ops.map(coseToJoseKeyOperation)
+    },
+    ...alg && {
+      alg: coseToJoseSignatureAlg(alg)
+    },
+    ...baseIV && {
+      iv: baseIV
+    },
+    ...x5chain && {
+      x5c: x5chain
+    }
+  });
+}
+__name(coseKeyToJwk, "coseKeyToJwk");
+function jwkToCoseKey(jwk) {
+  const { x5c, key_ops, crv, alg, iv, kty, ...rest } = jwk;
+  return removeNulls({
+    ...rest,
+    kty: joseToCoseKty(kty),
+    ...crv && {
+      crv: joseToCoseCurve(crv)
+    },
+    ...key_ops && {
+      key_ops: key_ops.map(joseToCoseKeyOperation)
+    },
+    ...alg && {
+      alg: joseToCoseSignatureAlg(alg)
+    },
+    ...iv && {
+      baseIV: iv
+    },
+    ...x5c && {
+      x5chain: x5c
+    }
+  });
+}
+__name(jwkToCoseKey, "jwkToCoseKey");
+function coseToJoseKty(kty) {
+  switch (kty) {
+    case _ssitypes.ICoseKeyType.EC2:
+      return _ssitypes.JwkKeyType.EC;
+    case _ssitypes.ICoseKeyType.RSA:
+      return _ssitypes.JwkKeyType.RSA;
+    case _ssitypes.ICoseKeyType.Symmetric:
+      return _ssitypes.JwkKeyType.oct;
+    case _ssitypes.ICoseKeyType.OKP:
+      return _ssitypes.JwkKeyType.OKP;
+    default:
+      throw Error(`Key type ${kty} not supported in JWA`);
+  }
+}
+__name(coseToJoseKty, "coseToJoseKty");
+function joseToCoseKty(kty) {
+  switch (kty) {
+    case "EC":
+      return _ssitypes.ICoseKeyType.EC2;
+    case "RSA":
+      return _ssitypes.ICoseKeyType.RSA;
+    case "oct":
+      return _ssitypes.ICoseKeyType.Symmetric;
+    case "OKP":
+      return _ssitypes.ICoseKeyType.OKP;
+    default:
+      throw Error(`Key type ${kty} not supported in Cose`);
+  }
+}
+__name(joseToCoseKty, "joseToCoseKty");
+function coseToJoseSignatureAlg(coseAlg) {
+  switch (coseAlg) {
+    case _ssitypes.ICoseSignatureAlgorithm.ES256K:
+      return _ssitypes.JoseSignatureAlgorithm.ES256K;
+    case _ssitypes.ICoseSignatureAlgorithm.ES256:
+      return _ssitypes.JoseSignatureAlgorithm.ES256;
+    case _ssitypes.ICoseSignatureAlgorithm.ES384:
+      return _ssitypes.JoseSignatureAlgorithm.ES384;
+    case _ssitypes.ICoseSignatureAlgorithm.ES512:
+      return _ssitypes.JoseSignatureAlgorithm.ES512;
+    case _ssitypes.ICoseSignatureAlgorithm.PS256:
+      return _ssitypes.JoseSignatureAlgorithm.PS256;
+    case _ssitypes.ICoseSignatureAlgorithm.PS384:
+      return _ssitypes.JoseSignatureAlgorithm.PS384;
+    case _ssitypes.ICoseSignatureAlgorithm.PS512:
+      return _ssitypes.JoseSignatureAlgorithm.PS512;
+    case _ssitypes.ICoseSignatureAlgorithm.HS256:
+      return _ssitypes.JoseSignatureAlgorithm.HS256;
+    case _ssitypes.ICoseSignatureAlgorithm.HS384:
+      return _ssitypes.JoseSignatureAlgorithm.HS384;
+    case _ssitypes.ICoseSignatureAlgorithm.HS512:
+      return _ssitypes.JoseSignatureAlgorithm.HS512;
+    case _ssitypes.ICoseSignatureAlgorithm.EdDSA:
+      return _ssitypes.JoseSignatureAlgorithm.EdDSA;
+    default:
+      throw Error(`Signature algorithm ${coseAlg} not supported in Jose`);
+  }
+}
+__name(coseToJoseSignatureAlg, "coseToJoseSignatureAlg");
+function joseToCoseSignatureAlg(joseAlg) {
+  switch (joseAlg) {
+    case (_ssitypes.JoseSignatureAlgorithm.ES256K, "ES256K"):
+      return _ssitypes.ICoseSignatureAlgorithm.ES256K;
+    case (_ssitypes.JoseSignatureAlgorithm.ES256, "ES256"):
+      return _ssitypes.ICoseSignatureAlgorithm.ES256;
+    case (_ssitypes.JoseSignatureAlgorithm.ES384, "ES384"):
+      return _ssitypes.ICoseSignatureAlgorithm.ES384;
+    case (_ssitypes.JoseSignatureAlgorithm.ES512, "ES512"):
+      return _ssitypes.ICoseSignatureAlgorithm.ES512;
+    case (_ssitypes.JoseSignatureAlgorithm.PS256, "PS256"):
+      return _ssitypes.ICoseSignatureAlgorithm.PS256;
+    case (_ssitypes.JoseSignatureAlgorithm.PS384, "PS384"):
+      return _ssitypes.ICoseSignatureAlgorithm.PS384;
+    case (_ssitypes.JoseSignatureAlgorithm.PS512, "PS512"):
+      return _ssitypes.ICoseSignatureAlgorithm.PS512;
+    case (_ssitypes.JoseSignatureAlgorithm.HS256, "HS256"):
+      return _ssitypes.ICoseSignatureAlgorithm.HS256;
+    case (_ssitypes.JoseSignatureAlgorithm.HS384, "HS384"):
+      return _ssitypes.ICoseSignatureAlgorithm.HS384;
+    case (_ssitypes.JoseSignatureAlgorithm.HS512, "HS512"):
+      return _ssitypes.ICoseSignatureAlgorithm.HS512;
+    case (_ssitypes.JoseSignatureAlgorithm.EdDSA, "EdDSA"):
+      return _ssitypes.ICoseSignatureAlgorithm.EdDSA;
+    default:
+      throw Error(`Signature algorithm ${joseAlg} not supported in Cose`);
+  }
+}
+__name(joseToCoseSignatureAlg, "joseToCoseSignatureAlg");
+function joseToCoseKeyOperation(keyOp) {
+  switch (keyOp) {
+    case (_ssitypes.JoseKeyOperation.SIGN, "sign"):
+      return _ssitypes.ICoseKeyOperation.SIGN;
+    case (_ssitypes.JoseKeyOperation.VERIFY, "verify"):
+      return _ssitypes.ICoseKeyOperation.VERIFY;
+    case (_ssitypes.JoseKeyOperation.ENCRYPT, "encrypt"):
+      return _ssitypes.ICoseKeyOperation.ENCRYPT;
+    case (_ssitypes.JoseKeyOperation.DECRYPT, "decrypt"):
+      return _ssitypes.ICoseKeyOperation.DECRYPT;
+    case (_ssitypes.JoseKeyOperation.WRAP_KEY, "wrapKey"):
+      return _ssitypes.ICoseKeyOperation.WRAP_KEY;
+    case (_ssitypes.JoseKeyOperation.UNWRAP_KEY, "unwrapKey"):
+      return _ssitypes.ICoseKeyOperation.UNWRAP_KEY;
+    case (_ssitypes.JoseKeyOperation.DERIVE_KEY, "deriveKey"):
+      return _ssitypes.ICoseKeyOperation.DERIVE_KEY;
+    case (_ssitypes.JoseKeyOperation.DERIVE_BITS, "deriveBits"):
+      return _ssitypes.ICoseKeyOperation.DERIVE_BITS;
+    default:
+      throw Error(`Key operation ${keyOp} not supported in Cose`);
+  }
+}
+__name(joseToCoseKeyOperation, "joseToCoseKeyOperation");
+function coseToJoseKeyOperation(keyOp) {
+  switch (keyOp) {
+    case _ssitypes.ICoseKeyOperation.SIGN:
+      return _ssitypes.JoseKeyOperation.SIGN;
+    case _ssitypes.ICoseKeyOperation.VERIFY:
+      return _ssitypes.JoseKeyOperation.VERIFY;
+    case _ssitypes.ICoseKeyOperation.ENCRYPT:
+      return _ssitypes.JoseKeyOperation.ENCRYPT;
+    case _ssitypes.ICoseKeyOperation.DECRYPT:
+      return _ssitypes.JoseKeyOperation.DECRYPT;
+    case _ssitypes.ICoseKeyOperation.WRAP_KEY:
+      return _ssitypes.JoseKeyOperation.WRAP_KEY;
+    case _ssitypes.ICoseKeyOperation.UNWRAP_KEY:
+      return _ssitypes.JoseKeyOperation.UNWRAP_KEY;
+    case _ssitypes.ICoseKeyOperation.DERIVE_KEY:
+      return _ssitypes.JoseKeyOperation.DERIVE_KEY;
+    case _ssitypes.ICoseKeyOperation.DERIVE_BITS:
+      return _ssitypes.JoseKeyOperation.DERIVE_BITS;
+    default:
+      throw Error(`Key operation ${keyOp} not supported in Jose`);
+  }
+}
+__name(coseToJoseKeyOperation, "coseToJoseKeyOperation");
+function joseToCoseCurve(curve) {
+  switch (curve) {
+    case (_ssitypes.JoseCurve.P_256, "P-256"):
+      return _ssitypes.ICoseCurve.P_256;
+    case (_ssitypes.JoseCurve.P_384, "P-384"):
+      return _ssitypes.ICoseCurve.P_384;
+    case (_ssitypes.JoseCurve.P_521, "P-521"):
+      return _ssitypes.ICoseCurve.P_521;
+    case (_ssitypes.JoseCurve.X25519, "X25519"):
+      return _ssitypes.ICoseCurve.X25519;
+    case (_ssitypes.JoseCurve.X448, "X448"):
+      return _ssitypes.ICoseCurve.X448;
+    case (_ssitypes.JoseCurve.Ed25519, "Ed25519"):
+      return _ssitypes.ICoseCurve.Ed25519;
+    case (_ssitypes.JoseCurve.Ed448, "Ed448"):
+      return _ssitypes.ICoseCurve.Ed448;
+    case (_ssitypes.JoseCurve.secp256k1, "secp256k1"):
+      return _ssitypes.ICoseCurve.secp256k1;
+    default:
+      throw Error(`Curve ${curve} not supported in Cose`);
+  }
+}
+__name(joseToCoseCurve, "joseToCoseCurve");
+function coseToJoseCurve(curve) {
+  switch (curve) {
+    case _ssitypes.ICoseCurve.P_256:
+      return _ssitypes.JoseCurve.P_256;
+    case _ssitypes.ICoseCurve.P_384:
+      return _ssitypes.JoseCurve.P_384;
+    case _ssitypes.ICoseCurve.P_521:
+      return _ssitypes.JoseCurve.P_521;
+    case _ssitypes.ICoseCurve.X25519:
+      return _ssitypes.JoseCurve.X25519;
+    case _ssitypes.ICoseCurve.X448:
+      return _ssitypes.JoseCurve.X448;
+    case _ssitypes.ICoseCurve.Ed25519:
+      return _ssitypes.JoseCurve.Ed25519;
+    case _ssitypes.ICoseCurve.Ed448:
+      return _ssitypes.JoseCurve.Ed448;
+    case _ssitypes.ICoseCurve.secp256k1:
+      return _ssitypes.JoseCurve.secp256k1;
+    default:
+      throw Error(`Curve ${curve} not supported in Jose`);
+  }
+}
+__name(coseToJoseCurve, "coseToJoseCurve");
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.ENC_KEY_ALGS = ENC_KEY_ALGS; exports.JWK_JCS_PUB_NAME = JWK_JCS_PUB_NAME; exports.JWK_JCS_PUB_PREFIX = JWK_JCS_PUB_PREFIX; exports.JwkKeyUse = JwkKeyUse; exports.Key = Key; exports.SIG_KEY_ALGS = SIG_KEY_ALGS; exports.asn1DerToRawPublicKey = asn1DerToRawPublicKey; exports.calculateJwkThumbprint = calculateJwkThumbprint; exports.calculateJwkThumbprintForKey = calculateJwkThumbprintForKey; exports.coseKeyToJwk = coseKeyToJwk; exports.coseToJoseCurve = coseToJoseCurve; exports.coseToJoseKeyOperation = coseToJoseKeyOperation; exports.coseToJoseKty = coseToJoseKty; exports.coseToJoseSignatureAlg = coseToJoseSignatureAlg; exports.digestMethodParams = digestMethodParams; exports.generatePrivateKeyHex = generatePrivateKeyHex; exports.getKms = getKms; exports.globalCrypto = globalCrypto; exports.hexStringFromUint8Array = hexStringFromUint8Array; exports.importProvidedOrGeneratedKey = importProvidedOrGeneratedKey; exports.isAsn1Der = isAsn1Der; exports.isRawCompressedPublicKey = isRawCompressedPublicKey; exports.jcsCanonicalize = jcsCanonicalize; exports.joseToCoseCurve = joseToCoseCurve; exports.joseToCoseKeyOperation = joseToCoseKeyOperation; exports.joseToCoseKty = joseToCoseKty; exports.joseToCoseSignatureAlg = joseToCoseSignatureAlg; exports.jwkDetermineUse = jwkDetermineUse; exports.jwkJcsDecode = jwkJcsDecode; exports.jwkJcsEncode = jwkJcsEncode; exports.jwkToCoseKey = jwkToCoseKey; exports.jwkToRawHexKey = jwkToRawHexKey; exports.keyTypeFromCryptographicSuite = keyTypeFromCryptographicSuite; exports.logger = logger; exports.minimalJwk = minimalJwk; exports.padLeft = padLeft; exports.removeNulls = removeNulls; exports.sanitizedJwk = sanitizedJwk; exports.shaHasher = shaHasher; exports.signatureAlgorithmFromKey = signatureAlgorithmFromKey; exports.signatureAlgorithmFromKeyType = signatureAlgorithmFromKeyType; exports.toBase64url = toBase64url; exports.toJwk = toJwk; exports.toJwkFromKey = toJwkFromKey; exports.toRawCompressedHexPublicKey = toRawCompressedHexPublicKey; exports.validateJwk = validateJwk; exports.verifyRawSignature = verifyRawSignature;
+//# sourceMappingURL=index.cjs.map