@sphereon/ssi-sdk-ext.x509-utils 0.28.0 → 0.28.1-feature.esm.cjs.11

package/dist/index.cjs

@@ -0,0 +1,752 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { newObj[key] = obj[key]; } } } newObj.default = obj; return newObj; } } function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } async function _asyncNullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return await rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+// src/types/index.ts
+var JwkKeyUse = /* @__PURE__ */ function(JwkKeyUse2) {
+  JwkKeyUse2["Encryption"] = "enc";
+  JwkKeyUse2["Signature"] = "sig";
+  return JwkKeyUse2;
+}({});
+
+// src/x509/rsa-key.ts
+var _uint8arrays = require('uint8arrays'); var u8a2 = _interopRequireWildcard(_uint8arrays); var u8a = _interopRequireWildcard(_uint8arrays); var u8a3 = _interopRequireWildcard(_uint8arrays); var u8a4 = _interopRequireWildcard(_uint8arrays);
+
+// src/x509/crypto.ts
+var globalCrypto = /* @__PURE__ */ __name((setGlobal, suppliedCrypto) => {
+  let webcrypto;
+  if (typeof suppliedCrypto !== "undefined") {
+    webcrypto = suppliedCrypto;
+  } else if (typeof crypto !== "undefined") {
+    webcrypto = crypto;
+  } else if (typeof global.crypto !== "undefined") {
+    webcrypto = global.crypto;
+  } else {
+    if (typeof _optionalChain([global, 'access', _ => _.window, 'optionalAccess', _2 => _2.crypto, 'optionalAccess', _3 => _3.subtle]) !== "undefined") {
+      webcrypto = global.window.crypto;
+    } else {
+      webcrypto = __require("crypto");
+    }
+  }
+  if (setGlobal) {
+    global.crypto = webcrypto;
+  }
+  return webcrypto;
+}, "globalCrypto");
+
+// src/x509/x509-utils.ts
+var _pkijs = require('pkijs');
+
+var _keyto = require('@trust/keyto'); var _keyto2 = _interopRequireDefault(_keyto);
+var { fromString, toString } = u8a;
+function pemCertChainTox5c(cert, maxDepth) {
+  if (!maxDepth) {
+    maxDepth = 0;
+  }
+  const intermediate = cert.replace(/-----[^\n]+\n?/gm, ",").replace(/\n/g, "").replace(/\r/g, "");
+  let x5c = intermediate.split(",").filter(function(c) {
+    return c.length > 0;
+  });
+  if (maxDepth > 0) {
+    x5c = x5c.splice(0, maxDepth);
+  }
+  return x5c;
+}
+__name(pemCertChainTox5c, "pemCertChainTox5c");
+function x5cToPemCertChain(x5c, maxDepth) {
+  if (!maxDepth) {
+    maxDepth = 0;
+  }
+  const length = maxDepth === 0 ? x5c.length : Math.min(maxDepth, x5c.length);
+  let pem = "";
+  for (let i = 0; i < length; i++) {
+    pem += derToPEM(x5c[i], "CERTIFICATE");
+  }
+  return pem;
+}
+__name(x5cToPemCertChain, "x5cToPemCertChain");
+var pemOrDerToX509Certificate = /* @__PURE__ */ __name((cert) => {
+  let DER = typeof cert === "string" ? cert : void 0;
+  if (typeof cert === "object" && !(cert instanceof Uint8Array)) {
+    return _pkijs.Certificate.fromBER(cert.rawData);
+  } else if (typeof cert !== "string") {
+    return _pkijs.Certificate.fromBER(cert);
+  } else if (cert.includes("CERTIFICATE")) {
+    DER = PEMToDer(cert);
+  }
+  if (!DER) {
+    throw Error("Invalid cert input value supplied. PEM, DER, Bytes and X509Certificate object are supported");
+  }
+  return _pkijs.Certificate.fromBER(fromString(DER, "base64pad"));
+}, "pemOrDerToX509Certificate");
+var areCertificatesEqual = /* @__PURE__ */ __name((cert1, cert2) => {
+  return cert1.signatureValue.isEqual(cert2.signatureValue);
+}, "areCertificatesEqual");
+var toKeyObject = /* @__PURE__ */ __name((PEM, visibility = "public") => {
+  const jwk = PEMToJwk(PEM, visibility);
+  const keyVisibility = jwk.d ? "private" : "public";
+  const keyHex = keyVisibility === "private" ? privateKeyHexFromPEM(PEM) : publicKeyHexFromPEM(PEM);
+  return {
+    pem: hexToPEM(keyHex, visibility),
+    jwk,
+    keyHex,
+    keyType: keyVisibility
+  };
+}, "toKeyObject");
+var jwkToPEM = /* @__PURE__ */ __name((jwk, visibility = "public") => {
+  return _keyto2.default.from(jwk, "jwk").toString("pem", visibility === "public" ? "public_pkcs8" : "private_pkcs8");
+}, "jwkToPEM");
+var PEMToJwk = /* @__PURE__ */ __name((pem, visibility = "public") => {
+  return _keyto2.default.from(pem, "pem").toJwk(visibility);
+}, "PEMToJwk");
+var privateKeyHexFromPEM = /* @__PURE__ */ __name((PEM) => {
+  return PEMToHex(PEM);
+}, "privateKeyHexFromPEM");
+var hexKeyFromPEMBasedJwk = /* @__PURE__ */ __name((jwk, visibility = "public") => {
+  if (visibility === "private") {
+    return privateKeyHexFromPEM(jwkToPEM(jwk, "private"));
+  } else {
+    return publicKeyHexFromPEM(jwkToPEM(jwk, "public"));
+  }
+}, "hexKeyFromPEMBasedJwk");
+var publicKeyHexFromPEM = /* @__PURE__ */ __name((PEM) => {
+  const hex = PEMToHex(PEM);
+  if (PEM.includes("CERTIFICATE")) {
+    throw Error("Cannot directly deduce public Key from PEM Certificate yet");
+  } else if (!PEM.includes("PRIVATE")) {
+    return hex;
+  }
+  const publicJwk = PEMToJwk(PEM, "public");
+  const publicPEM = jwkToPEM(publicJwk, "public");
+  return PEMToHex(publicPEM);
+}, "publicKeyHexFromPEM");
+var PEMToHex = /* @__PURE__ */ __name((PEM, headerKey) => {
+  if (PEM.indexOf("-----BEGIN ") == -1) {
+    throw Error(`PEM header not found: ${headerKey}`);
+  }
+  let strippedPem;
+  if (headerKey) {
+    strippedPem = PEM.replace(new RegExp("^[^]*-----BEGIN " + headerKey + "-----"), "");
+    strippedPem = strippedPem.replace(new RegExp("-----END " + headerKey + "-----[^]*$"), "");
+  } else {
+    strippedPem = PEM.replace(/^[^]*-----BEGIN [^-]+-----/, "");
+    strippedPem = strippedPem.replace(/-----END [^-]+-----[^]*$/, "");
+  }
+  return base64ToHex(strippedPem, "base64pad");
+}, "PEMToHex");
+function PEMToBinary(pem) {
+  const pemContents = pem.replace(/^[^]*-----BEGIN [^-]+-----/, "").replace(/-----END [^-]+-----[^]*$/, "").replace(/\s/g, "");
+  return fromString(pemContents, "base64pad");
+}
+__name(PEMToBinary, "PEMToBinary");
+var base64ToHex = /* @__PURE__ */ __name((input, inputEncoding) => {
+  const base64NoNewlines = input.replace(/[^0-9A-Za-z_\-~\/+=]*/g, "");
+  return toString(fromString(base64NoNewlines, inputEncoding ? inputEncoding : "base64pad"), "base16");
+}, "base64ToHex");
+var hexToBase64 = /* @__PURE__ */ __name((input, targetEncoding) => {
+  let hex = typeof input === "string" ? input : input.toString(16);
+  if (hex.length % 2 === 1) {
+    hex = `0${hex}`;
+  }
+  return toString(fromString(hex, "base16"), targetEncoding ? targetEncoding : "base64pad");
+}, "hexToBase64");
+var hexToPEM = /* @__PURE__ */ __name((hex, type) => {
+  const base64 = hexToBase64(hex, "base64pad");
+  const headerKey = type === "private" ? "RSA PRIVATE KEY" : "PUBLIC KEY";
+  if (type === "private") {
+    const pem = derToPEM(base64, headerKey);
+    try {
+      PEMToJwk(pem);
+      return pem;
+    } catch (error) {
+      return derToPEM(base64, "PRIVATE KEY");
+    }
+  }
+  return derToPEM(base64, headerKey);
+}, "hexToPEM");
+function PEMToDer(pem) {
+  return pem.replace(/(-----(BEGIN|END) CERTIFICATE-----|[\n\r])/g, "");
+}
+__name(PEMToDer, "PEMToDer");
+function derToPEM(cert, headerKey) {
+  const key = _nullishCoalesce(headerKey, () => ( "CERTIFICATE"));
+  if (cert.includes(key)) {
+    return cert;
+  }
+  const matches = cert.match(/.{1,64}/g);
+  if (!matches) {
+    throw Error("Invalid cert input value supplied");
+  }
+  return `-----BEGIN ${key}-----
+${matches.join("\n")}
+-----END ${key}-----
+`;
+}
+__name(derToPEM, "derToPEM");
+
+// src/x509/rsa-key.ts
+var { toString: toString2 } = u8a2;
+var usage = /* @__PURE__ */ __name((jwk) => {
+  if (jwk.key_ops && jwk.key_ops.length > 0) {
+    return jwk.key_ops;
+  }
+  if (jwk.use) {
+    const usages = [];
+    if (jwk.use.includes("sig")) {
+      usages.push("sign", "verify");
+    } else if (jwk.use.includes("enc")) {
+      usages.push("encrypt", "decrypt");
+    }
+    if (usages.length > 0) {
+      return usages;
+    }
+  }
+  if (jwk.kty === "RSA") {
+    if (jwk.d) {
+      return _optionalChain([jwk, 'access', _4 => _4.alg, 'optionalAccess', _5 => _5.toUpperCase, 'call', _6 => _6(), 'optionalAccess', _7 => _7.includes, 'call', _8 => _8("QAEP")]) ? [
+        "encrypt"
+      ] : [
+        "sign"
+      ];
+    }
+    return _optionalChain([jwk, 'access', _9 => _9.alg, 'optionalAccess', _10 => _10.toUpperCase, 'call', _11 => _11(), 'optionalAccess', _12 => _12.includes, 'call', _13 => _13("QAEP")]) ? [
+      "decrypt"
+    ] : [
+      "verify"
+    ];
+  }
+  return jwk.d && jwk.kty !== "RSA" ? [
+    "sign",
+    "decrypt",
+    "verify",
+    "encrypt"
+  ] : [
+    "verify"
+  ];
+}, "usage");
+var signAlgorithmToSchemeAndHashAlg = /* @__PURE__ */ __name((signingAlg) => {
+  const alg = signingAlg.toUpperCase();
+  let scheme;
+  if (alg.startsWith("RS")) {
+    scheme = "RSASSA-PKCS1-V1_5";
+  } else if (alg.startsWith("PS")) {
+    scheme = "RSA-PSS";
+  } else {
+    throw Error(`Invalid signing algorithm supplied ${signingAlg}`);
+  }
+  const hashAlgorithm = `SHA-${alg.substring(2)}`;
+  return {
+    scheme,
+    hashAlgorithm
+  };
+}, "signAlgorithmToSchemeAndHashAlg");
+var cryptoSubtleImportRSAKey = /* @__PURE__ */ __name(async (jwk, scheme, hashAlgorithm) => {
+  const hashName = hashAlgorithm ? hashAlgorithm : jwk.alg ? `SHA-${jwk.alg.substring(2)}` : "SHA-256";
+  const importParams = {
+    name: scheme,
+    hash: hashName
+  };
+  return await globalCrypto(false).subtle.importKey("jwk", jwk, importParams, false, usage(jwk));
+}, "cryptoSubtleImportRSAKey");
+var generateRSAKeyAsPEM = /* @__PURE__ */ __name(async (scheme, hashAlgorithm, modulusLength) => {
+  const hashName = hashAlgorithm ? hashAlgorithm : "SHA-256";
+  const params = {
+    name: scheme,
+    hash: hashName,
+    modulusLength: modulusLength ? modulusLength : 2048,
+    publicExponent: new Uint8Array([
+      1,
+      0,
+      1
+    ])
+  };
+  const keyUsage = scheme === "RSA-PSS" || scheme === "RSASSA-PKCS1-V1_5" ? [
+    "sign",
+    "verify"
+  ] : [
+    "encrypt",
+    "decrypt"
+  ];
+  const keypair = await globalCrypto(false).subtle.generateKey(params, true, keyUsage);
+  const pkcs8 = await globalCrypto(false).subtle.exportKey("pkcs8", keypair.privateKey);
+  const uint8Array = new Uint8Array(pkcs8);
+  return derToPEM(toString2(uint8Array, "base64pad"), "RSA PRIVATE KEY");
+}, "generateRSAKeyAsPEM");
+
+// src/x509/rsa-signer.ts
+
+var { fromString: fromString2, toString: toString3 } = u8a3;
+var RSASigner = class {
+  static {
+    __name(this, "RSASigner");
+  }
+  
+  
+  
+  
+  /**
+  *
+  * @param key Either in PEM or JWK format (no raw hex keys here!)
+  * @param opts The algorithm and signature/encryption schemes
+  */
+  constructor(key, opts) {
+    if (typeof key === "string") {
+      this.jwk = PEMToJwk(key, _optionalChain([opts, 'optionalAccess', _14 => _14.visibility]));
+    } else {
+      this.jwk = key;
+    }
+    this.hashAlgorithm = _nullishCoalesce(_optionalChain([opts, 'optionalAccess', _15 => _15.hashAlgorithm]), () => ( "SHA-256"));
+    this.scheme = _nullishCoalesce(_optionalChain([opts, 'optionalAccess', _16 => _16.scheme]), () => ( "RSA-PSS"));
+  }
+  getImportParams() {
+    if (this.scheme === "RSA-PSS") {
+      return {
+        name: this.scheme,
+        saltLength: 32
+      };
+    }
+    return {
+      name: this.scheme
+      /*, hash: this.hashAlgorithm*/
+    };
+  }
+  async getKey() {
+    if (!this.key) {
+      this.key = await cryptoSubtleImportRSAKey(this.jwk, this.scheme, this.hashAlgorithm);
+    }
+    return this.key;
+  }
+  bufferToString(buf) {
+    const uint8Array = new Uint8Array(buf);
+    return toString3(uint8Array, "base64url");
+  }
+  async sign(data) {
+    const input = data;
+    const key = await this.getKey();
+    const signature = this.bufferToString(await globalCrypto(false).subtle.sign(this.getImportParams(), key, input));
+    if (!signature) {
+      throw Error("Could not sign input data");
+    }
+    return signature;
+  }
+  async verify(data, signature) {
+    const jws = signature.includes(".") ? signature.split(".")[2] : signature;
+    const input = typeof data == "string" ? fromString2(data, "utf-8") : data;
+    let key = await this.getKey();
+    if (!key.usages.includes("verify")) {
+      const verifyJwk = {
+        ...this.jwk
+      };
+      delete verifyJwk.d;
+      delete verifyJwk.use;
+      delete verifyJwk.key_ops;
+      key = await cryptoSubtleImportRSAKey(verifyJwk, this.scheme, this.hashAlgorithm);
+    }
+    const verificationResult = await globalCrypto(false).subtle.verify(this.getImportParams(), key, fromString2(jws, "base64url"), input);
+    return verificationResult;
+  }
+};
+
+// src/x509/x509-validator.ts
+var _asn1schema = require('@peculiar/asn1-schema');
+var _asn1x509 = require('@peculiar/asn1-x509');
+var _x509 = require('@peculiar/x509');
+var _jsx509utils = require('js-x509-utils'); var _jsx509utils2 = _interopRequireDefault(_jsx509utils);
+
+var _tsyringe = require('tsyringe');
+
+var { fromString: fromString3, toString: toString4 } = u8a4;
+var defaultCryptoEngine = /* @__PURE__ */ __name(() => {
+  const name = "crypto";
+  _pkijs.setEngine.call(void 0, name, new (0, _pkijs.CryptoEngine)({
+    name,
+    crypto: globalCrypto(false)
+  }));
+  return _pkijs.getCrypto.call(void 0, true);
+}, "defaultCryptoEngine");
+var getCertificateInfo = /* @__PURE__ */ __name(async (certificate, opts) => {
+  let publicKeyJWK;
+  try {
+    publicKeyJWK = await getCertificateSubjectPublicKeyJWK(certificate);
+  } catch (e) {
+  }
+  return {
+    issuer: {
+      dn: getIssuerDN(certificate)
+    },
+    subject: {
+      dn: getSubjectDN(certificate),
+      subjectAlternativeNames: getSubjectAlternativeNames(certificate, {
+        typeFilter: _optionalChain([opts, 'optionalAccess', _17 => _17.sanTypeFilter])
+      })
+    },
+    publicKeyJWK,
+    notBefore: certificate.notBefore.value,
+    notAfter: certificate.notAfter.value
+  };
+}, "getCertificateInfo");
+var validateX509CertificateChain = /* @__PURE__ */ __name(async ({ chain: pemOrDerChain, trustAnchors, verificationTime = /* @__PURE__ */ new Date(), opts = {
+  // If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)
+  allowNoTrustAnchorsFound: false,
+  trustRootWhenNoAnchors: false,
+  allowSingleNoCAChainElement: true,
+  blindlyTrustedAnchors: [],
+  disallowReversedChain: false
+} }) => {
+  return await validateX509CertificateChainImpl({
+    reversed: false,
+    chain: [
+      ...pemOrDerChain
+    ].reverse(),
+    trustAnchors,
+    verificationTime,
+    opts
+  });
+}, "validateX509CertificateChain");
+var validateX509CertificateChainImpl = /* @__PURE__ */ __name(async ({ reversed, chain: pemOrDerChain, trustAnchors, verificationTime: verifyAt, opts }) => {
+  const verificationTime = typeof verifyAt === "string" ? new Date(verifyAt) : verifyAt;
+  const { allowNoTrustAnchorsFound = false, trustRootWhenNoAnchors = false, allowSingleNoCAChainElement = true, blindlyTrustedAnchors = [], disallowReversedChain = false, client } = opts;
+  const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [
+    pemOrDerChain[pemOrDerChain.length - 1]
+  ] : trustAnchors;
+  if (pemOrDerChain.length === 0) {
+    return {
+      error: true,
+      critical: true,
+      message: "Certificate chain in DER or PEM format must not be empty",
+      verificationTime
+    };
+  }
+  defaultCryptoEngine();
+  const chain = await Promise.all(pemOrDerChain.map((raw) => parseCertificate(raw)));
+  const x5cOrdereredChain = reversed ? [
+    ...chain
+  ] : [
+    ...chain
+  ].reverse();
+  const trustedCerts = trustedPEMs ? await Promise.all(trustedPEMs.map((raw) => parseCertificate(raw))) : void 0;
+  const blindlyTrusted = await _asyncNullishCoalesce((await Promise.all(blindlyTrustedAnchors.map((raw) => {
+    try {
+      return parseCertificate(raw);
+    } catch (e) {
+      console.log(`Failed to parse blindly trusted certificate ${raw}. Error: ${e.message}`);
+      return void 0;
+    }
+  }))).filter((cert) => cert !== void 0), async () => ( []));
+  const leafCert = x5cOrdereredChain[0];
+  const chainLength = chain.length;
+  var foundTrustAnchor = void 0;
+  for (let i = 0; i < chainLength; i++) {
+    const currentCert = chain[i];
+    const previousCert = i > 0 ? chain[i - 1] : void 0;
+    const blindlyTrustedCert = blindlyTrusted.find((trusted) => areCertificatesEqual(trusted.certificate, currentCert.certificate));
+    if (blindlyTrustedCert) {
+      console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`);
+      return {
+        error: false,
+        critical: false,
+        message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,
+        detailMessage: `Blindly trusted certificate ${blindlyTrustedCert.certificateInfo.subject.dn.DN} was found in the chain.`,
+        trustAnchor: _optionalChain([blindlyTrustedCert, 'optionalAccess', _18 => _18.certificateInfo]),
+        verificationTime,
+        certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
+        ...client && {
+          client
+        }
+      };
+    }
+    if (previousCert) {
+      if (currentCert.x509Certificate.issuer !== previousCert.x509Certificate.subject) {
+        if (!reversed && !disallowReversedChain) {
+          return await validateX509CertificateChainImpl({
+            reversed: true,
+            chain: [
+              ...pemOrDerChain
+            ].reverse(),
+            opts,
+            verificationTime,
+            trustAnchors
+          });
+        }
+        return {
+          error: true,
+          critical: true,
+          certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
+          message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,
+          detailMessage: `The certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer}, is not signed by the previous certificate ${_optionalChain([previousCert, 'optionalAccess', _19 => _19.certificateInfo, 'access', _20 => _20.subject, 'access', _21 => _21.dn, 'access', _22 => _22.DN])} with subject string ${_optionalChain([previousCert, 'optionalAccess', _23 => _23.x509Certificate, 'access', _24 => _24.subject])}.`,
+          verificationTime,
+          ...client && {
+            client
+          }
+        };
+      }
+    }
+    const result = await currentCert.x509Certificate.verify({
+      date: verificationTime,
+      publicKey: _optionalChain([previousCert, 'optionalAccess', _25 => _25.x509Certificate, 'optionalAccess', _26 => _26.publicKey])
+    }, _nullishCoalesce(_nullishCoalesce(_optionalChain([_pkijs.getCrypto.call(void 0, ), 'optionalAccess', _27 => _27.crypto]), () => ( crypto)), () => ( global.crypto)));
+    if (!result) {
+      if (i == 0 && !reversed && !disallowReversedChain) {
+        return await validateX509CertificateChainImpl({
+          reversed: true,
+          chain: [
+            ...pemOrDerChain
+          ].reverse(),
+          opts,
+          verificationTime,
+          trustAnchors
+        });
+      }
+      return {
+        error: true,
+        critical: true,
+        message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,
+        certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
+        detailMessage: `Verification of the certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer} failed. Public key: ${JSON.stringify(currentCert.certificateInfo.publicKeyJWK)}.`,
+        verificationTime,
+        ...client && {
+          client
+        }
+      };
+    }
+    foundTrustAnchor = _nullishCoalesce(foundTrustAnchor, () => ( _optionalChain([trustedCerts, 'optionalAccess', _28 => _28.find, 'call', _29 => _29((trusted) => isSameCertificate(trusted.x509Certificate, currentCert.x509Certificate))])));
+    if (i === 0 && chainLength === 1 && allowSingleNoCAChainElement) {
+      return {
+        error: false,
+        critical: false,
+        message: `Certificate chain succeeded as allow single cert result is allowed: ${leafCert.certificateInfo.subject.dn.DN}.`,
+        certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
+        trustAnchor: _optionalChain([foundTrustAnchor, 'optionalAccess', _30 => _30.certificateInfo]),
+        verificationTime,
+        ...client && {
+          client
+        }
+      };
+    }
+  }
+  if (_optionalChain([foundTrustAnchor, 'optionalAccess', _31 => _31.certificateInfo]) || allowNoTrustAnchorsFound) {
+    return {
+      error: false,
+      critical: false,
+      message: `Certificate chain was valid`,
+      certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
+      detailMessage: foundTrustAnchor ? `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} is part of a chain with trust anchor ${_optionalChain([foundTrustAnchor, 'optionalAccess', _32 => _32.certificateInfo, 'access', _33 => _33.subject, 'access', _34 => _34.dn, 'access', _35 => _35.DN])}.` : `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} and chain were valid, but no trust anchor has been found. Ignoring as user allowed (allowNoTrustAnchorsFound: ${allowNoTrustAnchorsFound}).)`,
+      trustAnchor: _optionalChain([foundTrustAnchor, 'optionalAccess', _36 => _36.certificateInfo]),
+      verificationTime,
+      ...client && {
+        client
+      }
+    };
+  }
+  return {
+    error: true,
+    critical: true,
+    message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,
+    certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
+    detailMessage: `No trust anchor was found in the chain. between (intermediate) CA ${x5cOrdereredChain[chain.length - 1].certificateInfo.subject.dn.DN} and leaf ${x5cOrdereredChain[0].certificateInfo.subject.dn.DN}.`,
+    verificationTime,
+    ...client && {
+      client
+    }
+  };
+}, "validateX509CertificateChainImpl");
+var isSameCertificate = /* @__PURE__ */ __name((cert1, cert2) => {
+  return cert1.rawData.toString() === cert2.rawData.toString();
+}, "isSameCertificate");
+var algorithmProvider = _tsyringe.container.resolve(_x509.AlgorithmProvider);
+var getX509AlgorithmProvider = /* @__PURE__ */ __name(() => {
+  return algorithmProvider;
+}, "getX509AlgorithmProvider");
+var parseCertificate = /* @__PURE__ */ __name(async (rawCert) => {
+  const x509Certificate = new (0, _x509.X509Certificate)(rawCert);
+  const publicKeyInfo = _asn1schema.AsnParser.parse(x509Certificate.publicKey.rawData, _asn1x509.SubjectPublicKeyInfo);
+  const publicKeyRaw = new Uint8Array(publicKeyInfo.subjectPublicKey);
+  let publicKeyJwk = void 0;
+  try {
+    publicKeyJwk = await getCertificateSubjectPublicKeyJWK(new Uint8Array(x509Certificate.rawData));
+  } catch (e) {
+    console.error(e.message);
+  }
+  const certificate = pemOrDerToX509Certificate(rawCert);
+  const certificateInfo = await getCertificateInfo(certificate);
+  const publicKeyAlgorithm = getX509AlgorithmProvider().toWebAlgorithm(publicKeyInfo.algorithm);
+  return {
+    publicKeyAlgorithm,
+    publicKeyInfo,
+    publicKeyJwk,
+    publicKeyRaw,
+    certificateInfo,
+    certificate,
+    x509Certificate
+  };
+}, "parseCertificate");
+var rdnmap = {
+  "2.5.4.6": "C",
+  "2.5.4.10": "O",
+  "2.5.4.11": "OU",
+  "2.5.4.3": "CN",
+  "2.5.4.7": "L",
+  "2.5.4.8": "ST",
+  "2.5.4.12": "T",
+  "2.5.4.42": "GN",
+  "2.5.4.43": "I",
+  "2.5.4.4": "SN",
+  "1.2.840.113549.1.9.1": "E-mail"
+};
+var getIssuerDN = /* @__PURE__ */ __name((cert) => {
+  return {
+    DN: getDNString(cert.issuer.typesAndValues),
+    attributes: getDNObject(cert.issuer.typesAndValues)
+  };
+}, "getIssuerDN");
+var getSubjectDN = /* @__PURE__ */ __name((cert) => {
+  return {
+    DN: getDNString(cert.subject.typesAndValues),
+    attributes: getDNObject(cert.subject.typesAndValues)
+  };
+}, "getSubjectDN");
+var getDNObject = /* @__PURE__ */ __name((typesAndValues) => {
+  const DN = {};
+  for (const typeAndValue of typesAndValues) {
+    const type = _nullishCoalesce(rdnmap[typeAndValue.type], () => ( typeAndValue.type));
+    DN[type] = typeAndValue.value.getValue();
+  }
+  return DN;
+}, "getDNObject");
+var getDNString = /* @__PURE__ */ __name((typesAndValues) => {
+  return Object.entries(getDNObject(typesAndValues)).map(([key, value]) => `${key}=${value}`).join(",");
+}, "getDNString");
+var getCertificateSubjectPublicKeyJWK = /* @__PURE__ */ __name(async (pemOrDerCert) => {
+  const pemOrDerStr = typeof pemOrDerCert === "string" ? toString4(fromString3(pemOrDerCert, "base64pad"), "base64pad") : pemOrDerCert instanceof Uint8Array ? toString4(pemOrDerCert, "base64pad") : toString4(fromString3(pemOrDerCert.toString("base64"), "base64pad"), "base64pad");
+  const pem = derToPEM(pemOrDerStr);
+  const certificate = pemOrDerToX509Certificate(pem);
+  var jwk;
+  try {
+    const subtle = _pkijs.getCrypto.call(void 0, true).subtle;
+    const pk = await certificate.getPublicKey(void 0, defaultCryptoEngine());
+    jwk = await subtle.exportKey("jwk", pk);
+  } catch (error) {
+    console.log(`Error in primary get JWK from cert:`, _optionalChain([error, 'optionalAccess', _37 => _37.message]));
+  }
+  if (!jwk) {
+    try {
+      jwk = await _jsx509utils2.default.toJwk(pem, "pem");
+    } catch (error) {
+      console.log(`Error in secondary get JWK from cert as well:`, _optionalChain([error, 'optionalAccess', _38 => _38.message]));
+    }
+  }
+  if (!jwk) {
+    throw Error(`Failed to get JWK from certificate ${pem}`);
+  }
+  return jwk;
+}, "getCertificateSubjectPublicKeyJWK");
+var SubjectAlternativeGeneralName = /* @__PURE__ */ function(SubjectAlternativeGeneralName2) {
+  SubjectAlternativeGeneralName2[SubjectAlternativeGeneralName2["rfc822Name"] = 1] = "rfc822Name";
+  SubjectAlternativeGeneralName2[SubjectAlternativeGeneralName2["dnsName"] = 2] = "dnsName";
+  SubjectAlternativeGeneralName2[SubjectAlternativeGeneralName2["uniformResourceIdentifier"] = 6] = "uniformResourceIdentifier";
+  SubjectAlternativeGeneralName2[SubjectAlternativeGeneralName2["ipAddress"] = 7] = "ipAddress";
+  return SubjectAlternativeGeneralName2;
+}({});
+var assertCertificateMatchesClientIdScheme = /* @__PURE__ */ __name((certificate, clientId, clientIdScheme) => {
+  const sans = getSubjectAlternativeNames(certificate, {
+    clientIdSchemeFilter: clientIdScheme
+  });
+  const clientIdMatches = sans.find((san) => san.value === clientId);
+  if (!clientIdMatches) {
+    throw Error(`Client id scheme ${clientIdScheme} used had no matching subject alternative names in certificate with DN ${getSubjectDN(certificate).DN}. SANS: ${sans.map((san) => san.value).join(",")}`);
+  }
+}, "assertCertificateMatchesClientIdScheme");
+var validateCertificateChainMatchesClientIdScheme = /* @__PURE__ */ __name(async (certificate, clientId, clientIdScheme) => {
+  const result = {
+    error: true,
+    critical: true,
+    message: `Client Id ${clientId} was not present in certificate using scheme ${clientIdScheme}`,
+    client: {
+      clientId,
+      clientIdScheme
+    },
+    certificateChain: [
+      await getCertificateInfo(certificate)
+    ],
+    verificationTime: /* @__PURE__ */ new Date()
+  };
+  try {
+    assertCertificateMatchesClientIdScheme(certificate, clientId, clientIdScheme);
+  } catch (error) {
+    return result;
+  }
+  result.error = false;
+  result.message = `Client Id ${clientId} was present in certificate using scheme ${clientIdScheme}`;
+  return result;
+}, "validateCertificateChainMatchesClientIdScheme");
+var getSubjectAlternativeNames = /* @__PURE__ */ __name((certificate, opts) => {
+  let typeFilter;
+  if (_optionalChain([opts, 'optionalAccess', _39 => _39.clientIdSchemeFilter])) {
+    typeFilter = opts.clientIdSchemeFilter === "x509_san_dns" ? [
+      2
+    ] : [
+      6
+    ];
+  } else if (_optionalChain([opts, 'optionalAccess', _40 => _40.typeFilter])) {
+    typeFilter = Array.isArray(opts.typeFilter) ? opts.typeFilter : [
+      opts.typeFilter
+    ];
+  } else {
+    typeFilter = [
+      2,
+      6
+    ];
+  }
+  const parsedValue = _optionalChain([certificate, 'access', _41 => _41.extensions, 'optionalAccess', _42 => _42.find, 'call', _43 => _43((ext) => ext.extnID === _pkijs.id_SubjectAltName), 'optionalAccess', _44 => _44.parsedValue]);
+  if (!parsedValue) {
+    return [];
+  }
+  const altNames = parsedValue.toJSON().altNames;
+  return altNames.filter((altName) => typeFilter.includes(altName.type)).map((altName) => {
+    return {
+      type: altName.type,
+      value: altName.value
+    };
+  });
+}, "getSubjectAlternativeNames");
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.JwkKeyUse = JwkKeyUse; exports.PEMToBinary = PEMToBinary; exports.PEMToDer = PEMToDer; exports.PEMToHex = PEMToHex; exports.PEMToJwk = PEMToJwk; exports.RSASigner = RSASigner; exports.SubjectAlternativeGeneralName = SubjectAlternativeGeneralName; exports.areCertificatesEqual = areCertificatesEqual; exports.assertCertificateMatchesClientIdScheme = assertCertificateMatchesClientIdScheme; exports.base64ToHex = base64ToHex; exports.cryptoSubtleImportRSAKey = cryptoSubtleImportRSAKey; exports.derToPEM = derToPEM; exports.generateRSAKeyAsPEM = generateRSAKeyAsPEM; exports.getCertificateInfo = getCertificateInfo; exports.getCertificateSubjectPublicKeyJWK = getCertificateSubjectPublicKeyJWK; exports.getIssuerDN = getIssuerDN; exports.getSubjectAlternativeNames = getSubjectAlternativeNames; exports.getSubjectDN = getSubjectDN; exports.getX509AlgorithmProvider = getX509AlgorithmProvider; exports.hexKeyFromPEMBasedJwk = hexKeyFromPEMBasedJwk; exports.hexToBase64 = hexToBase64; exports.hexToPEM = hexToPEM; exports.jwkToPEM = jwkToPEM; exports.parseCertificate = parseCertificate; exports.pemCertChainTox5c = pemCertChainTox5c; exports.pemOrDerToX509Certificate = pemOrDerToX509Certificate; exports.privateKeyHexFromPEM = privateKeyHexFromPEM; exports.publicKeyHexFromPEM = publicKeyHexFromPEM; exports.signAlgorithmToSchemeAndHashAlg = signAlgorithmToSchemeAndHashAlg; exports.toKeyObject = toKeyObject; exports.validateCertificateChainMatchesClientIdScheme = validateCertificateChainMatchesClientIdScheme; exports.validateX509CertificateChain = validateX509CertificateChain; exports.x5cToPemCertChain = x5cToPemCertChain;
+//# sourceMappingURL=index.cjs.map