@sphereon/ssi-sdk-ext.x509-utils 0.28.1-feature.esm.cjs.8 → 0.28.1-feature.jose.vcdm.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/index.cjs +17 -16
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.js +8 -7
  4. package/dist/index.js.map +1 -1
  5. package/package.json +4 -3
  6. package/src/x509/rsa-key.ts +4 -3
  7. package/src/x509/rsa-signer.ts +4 -5
  8. package/src/x509/x509-utils.ts +4 -5
  9. package/src/x509/x509-validator.ts +2 -3
package/dist/index.cjs CHANGED
@@ -75,7 +75,7 @@ var JwkKeyUse = /* @__PURE__ */ function(JwkKeyUse2) {
75
75
  }({});
76
76
 
77
77
  // src/x509/rsa-key.ts
78
- var import_to_string2 = require("uint8arrays/to-string");
78
+ var u8a2 = __toESM(require("uint8arrays"), 1);
79
79
 
80
80
  // src/x509/crypto.ts
81
81
  var globalCrypto = /* @__PURE__ */ __name((setGlobal, suppliedCrypto) => {
@@ -101,9 +101,9 @@ var globalCrypto = /* @__PURE__ */ __name((setGlobal, suppliedCrypto) => {
101
101
 
102
102
  // src/x509/x509-utils.ts
103
103
  var import_pkijs = require("pkijs");
104
- var import_from_string = require("uint8arrays/from-string");
105
- var import_to_string = require("uint8arrays/to-string");
104
+ var u8a = __toESM(require("uint8arrays"), 1);
106
105
  var import_keyto = __toESM(require("@trust/keyto"), 1);
106
+ var { fromString, toString } = u8a;
107
107
  function pemCertChainTox5c(cert, maxDepth) {
108
108
  if (!maxDepth) {
109
109
  maxDepth = 0;
@@ -142,7 +142,7 @@ var pemOrDerToX509Certificate = /* @__PURE__ */ __name((cert) => {
142
142
  if (!DER) {
143
143
  throw Error("Invalid cert input value supplied. PEM, DER, Bytes and X509Certificate object are supported");
144
144
  }
145
- return import_pkijs.Certificate.fromBER((0, import_from_string.fromString)(DER, "base64pad"));
145
+ return import_pkijs.Certificate.fromBER(fromString(DER, "base64pad"));
146
146
  }, "pemOrDerToX509Certificate");
147
147
  var areCertificatesEqual = /* @__PURE__ */ __name((cert1, cert2) => {
148
148
  return cert1.signatureValue.isEqual(cert2.signatureValue);
@@ -201,19 +201,19 @@ var PEMToHex = /* @__PURE__ */ __name((PEM, headerKey) => {
201
201
  }, "PEMToHex");
202
202
  function PEMToBinary(pem) {
203
203
  const pemContents = pem.replace(/^[^]*-----BEGIN [^-]+-----/, "").replace(/-----END [^-]+-----[^]*$/, "").replace(/\s/g, "");
204
- return (0, import_from_string.fromString)(pemContents, "base64pad");
204
+ return fromString(pemContents, "base64pad");
205
205
  }
206
206
  __name(PEMToBinary, "PEMToBinary");
207
207
  var base64ToHex = /* @__PURE__ */ __name((input, inputEncoding) => {
208
208
  const base64NoNewlines = input.replace(/[^0-9A-Za-z_\-~\/+=]*/g, "");
209
- return (0, import_to_string.toString)((0, import_from_string.fromString)(base64NoNewlines, inputEncoding ? inputEncoding : "base64pad"), "base16");
209
+ return toString(fromString(base64NoNewlines, inputEncoding ? inputEncoding : "base64pad"), "base16");
210
210
  }, "base64ToHex");
211
211
  var hexToBase64 = /* @__PURE__ */ __name((input, targetEncoding) => {
212
212
  let hex = typeof input === "string" ? input : input.toString(16);
213
213
  if (hex.length % 2 === 1) {
214
214
  hex = `0${hex}`;
215
215
  }
216
- return (0, import_to_string.toString)((0, import_from_string.fromString)(hex, "base16"), targetEncoding ? targetEncoding : "base64pad");
216
+ return toString(fromString(hex, "base16"), targetEncoding ? targetEncoding : "base64pad");
217
217
  }, "hexToBase64");
218
218
  var hexToPEM = /* @__PURE__ */ __name((hex, type) => {
219
219
  const base64 = hexToBase64(hex, "base64pad");
@@ -250,6 +250,7 @@ ${matches.join("\n")}
250
250
  __name(derToPEM, "derToPEM");
251
251
 
252
252
  // src/x509/rsa-key.ts
253
+ var { toString: toString2 } = u8a2;
253
254
  var usage = /* @__PURE__ */ __name((jwk) => {
254
255
  if (jwk.key_ops && jwk.key_ops.length > 0) {
255
256
  return jwk.key_ops;
@@ -334,12 +335,12 @@ var generateRSAKeyAsPEM = /* @__PURE__ */ __name(async (scheme, hashAlgorithm, m
334
335
  const keypair = await globalCrypto(false).subtle.generateKey(params, true, keyUsage);
335
336
  const pkcs8 = await globalCrypto(false).subtle.exportKey("pkcs8", keypair.privateKey);
336
337
  const uint8Array = new Uint8Array(pkcs8);
337
- return derToPEM((0, import_to_string2.toString)(uint8Array, "base64pad"), "RSA PRIVATE KEY");
338
+ return derToPEM(toString2(uint8Array, "base64pad"), "RSA PRIVATE KEY");
338
339
  }, "generateRSAKeyAsPEM");
339
340
 
340
341
  // src/x509/rsa-signer.ts
341
- var import_from_string2 = require("uint8arrays/from-string");
342
- var import_to_string3 = require("uint8arrays/to-string");
342
+ var u8a3 = __toESM(require("uint8arrays"), 1);
343
+ var { fromString: fromString2, toString: toString3 } = u8a3;
343
344
  var RSASigner = class {
344
345
  static {
345
346
  __name(this, "RSASigner");
@@ -382,7 +383,7 @@ var RSASigner = class {
382
383
  }
383
384
  bufferToString(buf) {
384
385
  const uint8Array = new Uint8Array(buf);
385
- return (0, import_to_string3.toString)(uint8Array, "base64url");
386
+ return toString3(uint8Array, "base64url");
386
387
  }
387
388
  async sign(data) {
388
389
  const input = data;
@@ -395,7 +396,7 @@ var RSASigner = class {
395
396
  }
396
397
  async verify(data, signature) {
397
398
  const jws = signature.includes(".") ? signature.split(".")[2] : signature;
398
- const input = typeof data == "string" ? (0, import_from_string2.fromString)(data, "utf-8") : data;
399
+ const input = typeof data == "string" ? fromString2(data, "utf-8") : data;
399
400
  let key = await this.getKey();
400
401
  if (!key.usages.includes("verify")) {
401
402
  const verifyJwk = {
@@ -406,7 +407,7 @@ var RSASigner = class {
406
407
  delete verifyJwk.key_ops;
407
408
  key = await cryptoSubtleImportRSAKey(verifyJwk, this.scheme, this.hashAlgorithm);
408
409
  }
409
- const verificationResult = await globalCrypto(false).subtle.verify(this.getImportParams(), key, (0, import_from_string2.fromString)(jws, "base64url"), input);
410
+ const verificationResult = await globalCrypto(false).subtle.verify(this.getImportParams(), key, fromString2(jws, "base64url"), input);
410
411
  return verificationResult;
411
412
  }
412
413
  };
@@ -418,8 +419,8 @@ var import_x509 = require("@peculiar/x509");
418
419
  var import_js_x509_utils = __toESM(require("js-x509-utils"), 1);
419
420
  var import_pkijs2 = require("pkijs");
420
421
  var import_tsyringe = require("tsyringe");
421
- var import_from_string3 = require("uint8arrays/from-string");
422
- var import_to_string4 = require("uint8arrays/to-string");
422
+ var u8a4 = __toESM(require("uint8arrays"), 1);
423
+ var { fromString: fromString3, toString: toString4 } = u8a4;
423
424
  var defaultCryptoEngine = /* @__PURE__ */ __name(() => {
424
425
  const name = "crypto";
425
426
  (0, import_pkijs2.setEngine)(name, new import_pkijs2.CryptoEngine({
@@ -681,7 +682,7 @@ var getDNString = /* @__PURE__ */ __name((typesAndValues) => {
681
682
  return Object.entries(getDNObject(typesAndValues)).map(([key, value]) => `${key}=${value}`).join(",");
682
683
  }, "getDNString");
683
684
  var getCertificateSubjectPublicKeyJWK = /* @__PURE__ */ __name(async (pemOrDerCert) => {
684
- const pemOrDerStr = typeof pemOrDerCert === "string" ? (0, import_to_string4.toString)((0, import_from_string3.fromString)(pemOrDerCert, "base64pad"), "base64pad") : pemOrDerCert instanceof Uint8Array ? (0, import_to_string4.toString)(pemOrDerCert, "base64pad") : (0, import_to_string4.toString)((0, import_from_string3.fromString)(pemOrDerCert.toString("base64"), "base64pad"), "base64pad");
685
+ const pemOrDerStr = typeof pemOrDerCert === "string" ? toString4(fromString3(pemOrDerCert, "base64pad"), "base64pad") : pemOrDerCert instanceof Uint8Array ? toString4(pemOrDerCert, "base64pad") : toString4(fromString3(pemOrDerCert.toString("base64"), "base64pad"), "base64pad");
685
686
  const pem = derToPEM(pemOrDerStr);
686
687
  const certificate = pemOrDerToX509Certificate(pem);
687
688
  var jwk;
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/types/index.ts","../src/x509/rsa-key.ts","../src/x509/crypto.ts","../src/x509/x509-utils.ts","../src/x509/rsa-signer.ts","../src/x509/x509-validator.ts"],"sourcesContent":["/**\n *\n * @packageDocumentation\n */\nexport * from './types'\nexport * from './x509'\n","export enum JwkKeyUse {\n Encryption = 'enc',\n Signature = 'sig',\n}\n\nexport type HashAlgorithm = 'SHA-256' | 'SHA-512'\n\nexport type KeyVisibility = 'public' | 'private'\n\nexport interface X509Opts {\n cn?: string // The certificate Common Name. Will be used as the KID for the private key. Uses alias if not provided.\n privateKeyPEM?: string // Optional as you also need to provide it in hex format, but advisable to use it\n certificatePEM?: string // Optional, as long as the certificate then is part of the certificateChainPEM\n certificateChainURL?: string // Certificate chain URL. If used this is where the certificateChainPEM will be hosted/found.\n certificateChainPEM?: string // Base64 (not url!) encoded DER certificate chain. Please provide even if certificateChainURL is used!\n}\n","// @ts-ignore\nimport { KeyUsage, CryptoKey, RsaHashedImportParams, RsaHashedKeyGenParams } from 'node'\n\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { HashAlgorithm } from '../types'\nimport { globalCrypto } from './crypto'\n\nimport { derToPEM } from './x509-utils'\nimport { JsonWebKey } from '@sphereon/ssi-types'\n\nexport type RSASignatureSchemes = 'RSASSA-PKCS1-V1_5' | 'RSA-PSS'\n\nexport type RSAEncryptionSchemes = 'RSAES-PKCS-v1_5 ' | 'RSAES-OAEP'\n\nconst usage = (jwk: JsonWebKey): KeyUsage[] => {\n if (jwk.key_ops && jwk.key_ops.length > 0) {\n return jwk.key_ops as KeyUsage[]\n }\n if (jwk.use) {\n const usages: KeyUsage[] = []\n if (jwk.use.includes('sig')) {\n usages.push('sign', 'verify')\n } else if (jwk.use.includes('enc')) {\n usages.push('encrypt', 'decrypt')\n }\n if (usages.length > 0) {\n return usages\n }\n }\n if (jwk.kty === 'RSA') {\n if (jwk.d) {\n return jwk.alg?.toUpperCase()?.includes('QAEP') ? ['encrypt'] : ['sign']\n }\n return jwk.alg?.toUpperCase()?.includes('QAEP') ? ['decrypt'] : ['verify']\n }\n // \"decrypt\" | \"deriveBits\" | \"deriveKey\" | \"encrypt\" | \"sign\" | \"unwrapKey\" | \"verify\" | \"wrapKey\";\n return jwk.d && jwk.kty !== 'RSA' ? ['sign', 'decrypt', 'verify', 'encrypt'] : ['verify']\n}\n\nexport const signAlgorithmToSchemeAndHashAlg = (signingAlg: string) => {\n const alg = signingAlg.toUpperCase()\n let scheme: RSAEncryptionSchemes | RSASignatureSchemes\n if (alg.startsWith('RS')) {\n scheme = 'RSASSA-PKCS1-V1_5'\n } else if (alg.startsWith('PS')) {\n scheme = 'RSA-PSS'\n } else {\n throw Error(`Invalid signing algorithm supplied ${signingAlg}`)\n }\n\n const hashAlgorithm = `SHA-${alg.substring(2)}` as HashAlgorithm\n return { scheme, hashAlgorithm }\n}\n\nexport const cryptoSubtleImportRSAKey = async (\n jwk: JsonWebKey,\n scheme: RSAEncryptionSchemes | RSASignatureSchemes,\n hashAlgorithm?: HashAlgorithm\n): Promise<CryptoKey> => {\n const hashName = hashAlgorithm ? hashAlgorithm : jwk.alg ? `SHA-${jwk.alg.substring(2)}` : 'SHA-256'\n\n const importParams: RsaHashedImportParams = { name: scheme, hash: hashName }\n return await globalCrypto(false).subtle.importKey('jwk', jwk as JsonWebKey, importParams, false, usage(jwk))\n}\n\nexport const generateRSAKeyAsPEM = async (\n scheme: RSAEncryptionSchemes | RSASignatureSchemes,\n hashAlgorithm?: HashAlgorithm,\n modulusLength?: number\n): Promise<string> => {\n const hashName = hashAlgorithm ? hashAlgorithm : 'SHA-256'\n\n const params: RsaHashedKeyGenParams = {\n name: scheme,\n hash: hashName,\n modulusLength: modulusLength ? modulusLength : 2048,\n publicExponent: new Uint8Array([1, 0, 1]),\n }\n const keyUsage: KeyUsage[] = scheme === 'RSA-PSS' || scheme === 'RSASSA-PKCS1-V1_5' ? ['sign', 'verify'] : ['encrypt', 'decrypt']\n\n const keypair = await globalCrypto(false).subtle.generateKey(params, true, keyUsage)\n const pkcs8 = await globalCrypto(false).subtle.exportKey('pkcs8', keypair.privateKey)\n\n const uint8Array = new Uint8Array(pkcs8)\n return derToPEM(toString(uint8Array, 'base64pad'), 'RSA PRIVATE KEY')\n}\n","import { webcrypto } from 'node:crypto'\nexport const globalCrypto = (setGlobal: boolean, suppliedCrypto?: webcrypto.Crypto): webcrypto.Crypto => {\n let webcrypto: webcrypto.Crypto\n if (typeof suppliedCrypto !== 'undefined') {\n webcrypto = suppliedCrypto\n } else if (typeof crypto !== 'undefined') {\n webcrypto = crypto\n } else if (typeof global.crypto !== 'undefined') {\n webcrypto = global.crypto\n } else {\n // @ts-ignore\n if (typeof global.window?.crypto?.subtle !== 'undefined') {\n // @ts-ignore\n webcrypto = global.window.crypto\n } else {\n // @ts-ignore\n webcrypto = require('crypto') as webcrypto.Crypto\n }\n }\n if (setGlobal) {\n global.crypto = webcrypto\n }\n\n return webcrypto\n}\n","import { X509Certificate } from '@peculiar/x509'\nimport { Certificate } from 'pkijs'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\n// @ts-ignore\nimport keyto from '@trust/keyto'\nimport { KeyVisibility } from '../types'\n\nimport { JsonWebKey } from '@sphereon/ssi-types'\n// Based on (MIT licensed):\n// https://github.com/hildjj/node-posh/blob/master/lib/index.js\nexport function pemCertChainTox5c(cert: string, maxDepth?: number): string[] {\n if (!maxDepth) {\n maxDepth = 0\n }\n /*\n * Convert a PEM-encoded certificate to the version used in the x5c element\n * of a [JSON Web Key](http://tools.ietf.org/html/draft-ietf-jose-json-web-key).\n *\n * `cert` PEM-encoded certificate chain\n * `maxdepth` The maximum number of certificates to use from the chain.\n */\n\n const intermediate = cert\n .replace(/-----[^\\n]+\\n?/gm, ',')\n .replace(/\\n/g, '')\n .replace(/\\r/g, '')\n let x5c = intermediate.split(',').filter(function (c) {\n return c.length > 0\n })\n if (maxDepth > 0) {\n x5c = x5c.splice(0, maxDepth)\n }\n return x5c\n}\n\nexport function x5cToPemCertChain(x5c: string[], maxDepth?: number): string {\n if (!maxDepth) {\n maxDepth = 0\n }\n const length = maxDepth === 0 ? x5c.length : Math.min(maxDepth, x5c.length)\n let pem = ''\n for (let i = 0; i < length; i++) {\n pem += derToPEM(x5c[i], 'CERTIFICATE')\n }\n return pem\n}\n\nexport const pemOrDerToX509Certificate = (cert: string | Uint8Array | X509Certificate): Certificate => {\n let DER: string | undefined = typeof cert === 'string' ? cert : undefined\n if (typeof cert === 'object' && !(cert instanceof Uint8Array)) {\n // X509Certificate object\n return Certificate.fromBER(cert.rawData)\n } else if (typeof cert !== 'string') {\n return Certificate.fromBER(cert)\n } else if (cert.includes('CERTIFICATE')) {\n DER = PEMToDer(cert)\n }\n if (!DER) {\n throw Error('Invalid cert input value supplied. PEM, DER, Bytes and X509Certificate object are supported')\n }\n return Certificate.fromBER(fromString(DER, 'base64pad'))\n}\n\nexport const areCertificatesEqual = (cert1: Certificate, cert2: Certificate): boolean => {\n return cert1.signatureValue.isEqual(cert2.signatureValue)\n}\n\nexport const toKeyObject = (PEM: string, visibility: KeyVisibility = 'public') => {\n const jwk = PEMToJwk(PEM, visibility)\n const keyVisibility: KeyVisibility = jwk.d ? 'private' : 'public'\n const keyHex = keyVisibility === 'private' ? privateKeyHexFromPEM(PEM) : publicKeyHexFromPEM(PEM)\n\n return {\n pem: hexToPEM(keyHex, visibility),\n jwk,\n keyHex,\n keyType: keyVisibility,\n }\n}\n\nexport const jwkToPEM = (jwk: JsonWebKey, visibility: KeyVisibility = 'public'): string => {\n return keyto.from(jwk, 'jwk').toString('pem', visibility === 'public' ? 'public_pkcs8' : 'private_pkcs8')\n}\n\nexport const PEMToJwk = (pem: string, visibility: KeyVisibility = 'public'): JsonWebKey => {\n return keyto.from(pem, 'pem').toJwk(visibility)\n}\nexport const privateKeyHexFromPEM = (PEM: string) => {\n return PEMToHex(PEM)\n}\n\nexport const hexKeyFromPEMBasedJwk = (jwk: JsonWebKey, visibility: KeyVisibility = 'public'): string => {\n if (visibility === 'private') {\n return privateKeyHexFromPEM(jwkToPEM(jwk, 'private'))\n } else {\n return publicKeyHexFromPEM(jwkToPEM(jwk, 'public'))\n }\n}\n\nexport const publicKeyHexFromPEM = (PEM: string) => {\n const hex = PEMToHex(PEM)\n if (PEM.includes('CERTIFICATE')) {\n throw Error('Cannot directly deduce public Key from PEM Certificate yet')\n } else if (!PEM.includes('PRIVATE')) {\n return hex\n }\n const publicJwk = PEMToJwk(PEM, 'public')\n const publicPEM = jwkToPEM(publicJwk, 'public')\n return PEMToHex(publicPEM)\n}\n\nexport const PEMToHex = (PEM: string, headerKey?: string): string => {\n if (PEM.indexOf('-----BEGIN ') == -1) {\n throw Error(`PEM header not found: ${headerKey}`)\n }\n\n let strippedPem: string\n if (headerKey) {\n strippedPem = PEM.replace(new RegExp('^[^]*-----BEGIN ' + headerKey + '-----'), '')\n strippedPem = strippedPem.replace(new RegExp('-----END ' + headerKey + '-----[^]*$'), '')\n } else {\n strippedPem = PEM.replace(/^[^]*-----BEGIN [^-]+-----/, '')\n strippedPem = strippedPem.replace(/-----END [^-]+-----[^]*$/, '')\n }\n return base64ToHex(strippedPem, 'base64pad')\n}\n\nexport function PEMToBinary(pem: string): Uint8Array {\n const pemContents = pem\n .replace(/^[^]*-----BEGIN [^-]+-----/, '')\n .replace(/-----END [^-]+-----[^]*$/, '')\n .replace(/\\s/g, '')\n\n return fromString(pemContents, 'base64pad')\n}\n\n/**\n * Converts a base64 encoded string to hex string, removing any non-base64 characters, including newlines\n * @param input The input in base64, with optional newlines\n * @param inputEncoding\n */\nexport const base64ToHex = (input: string, inputEncoding?: 'base64' | 'base64pad' | 'base64url' | 'base64urlpad') => {\n const base64NoNewlines = input.replace(/[^0-9A-Za-z_\\-~\\/+=]*/g, '')\n return toString(fromString(base64NoNewlines, inputEncoding ? inputEncoding : 'base64pad'), 'base16')\n}\n\nexport const hexToBase64 = (input: number | object | string, targetEncoding?: 'base64' | 'base64pad' | 'base64url' | 'base64urlpad'): string => {\n let hex = typeof input === 'string' ? input : input.toString(16)\n if (hex.length % 2 === 1) {\n hex = `0${hex}`\n }\n return toString(fromString(hex, 'base16'), targetEncoding ? targetEncoding : 'base64pad')\n}\n\nexport const hexToPEM = (hex: string, type: KeyVisibility): string => {\n const base64 = hexToBase64(hex, 'base64pad')\n const headerKey = type === 'private' ? 'RSA PRIVATE KEY' : 'PUBLIC KEY'\n if (type === 'private') {\n const pem = derToPEM(base64, headerKey)\n try {\n PEMToJwk(pem) // We only use it to test the private key\n return pem\n } catch (error) {\n return derToPEM(base64, 'PRIVATE KEY')\n }\n }\n return derToPEM(base64, headerKey)\n}\n\nexport function PEMToDer(pem: string): string {\n return pem.replace(/(-----(BEGIN|END) CERTIFICATE-----|[\\n\\r])/g, '')\n}\n\nexport function derToPEM(cert: string, headerKey?: 'PUBLIC KEY' | 'RSA PRIVATE KEY' | 'PRIVATE KEY' | 'CERTIFICATE'): string {\n const key = headerKey ?? 'CERTIFICATE'\n if (cert.includes(key)) {\n // Was already in PEM it seems\n return cert\n }\n const matches = cert.match(/.{1,64}/g)\n if (!matches) {\n throw Error('Invalid cert input value supplied')\n }\n return `-----BEGIN ${key}-----\\n${matches.join('\\n')}\\n-----END ${key}-----\\n`\n}\n","// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { HashAlgorithm, KeyVisibility } from '../types'\nimport { globalCrypto } from './crypto'\nimport { cryptoSubtleImportRSAKey, RSAEncryptionSchemes, RSASignatureSchemes } from './rsa-key'\nimport { PEMToJwk } from './x509-utils'\nimport { JsonWebKey } from '@sphereon/ssi-types'\n// @ts-ignore\nimport { CryptoKey, RsaPssParams, AlgorithmIdentifier } from 'node'\nexport class RSASigner {\n private readonly hashAlgorithm: HashAlgorithm\n private readonly jwk: JsonWebKey\n\n private key: CryptoKey | undefined\n private readonly scheme: RSAEncryptionSchemes | RSASignatureSchemes\n\n /**\n *\n * @param key Either in PEM or JWK format (no raw hex keys here!)\n * @param opts The algorithm and signature/encryption schemes\n */\n constructor(\n key: string | JsonWebKey,\n opts?: { hashAlgorithm?: HashAlgorithm; scheme?: RSAEncryptionSchemes | RSASignatureSchemes; visibility?: KeyVisibility }\n ) {\n if (typeof key === 'string') {\n this.jwk = PEMToJwk(key, opts?.visibility)\n } else {\n this.jwk = key\n }\n\n this.hashAlgorithm = opts?.hashAlgorithm ?? 'SHA-256'\n this.scheme = opts?.scheme ?? 'RSA-PSS'\n }\n\n private getImportParams(): AlgorithmIdentifier | RsaPssParams {\n if (this.scheme === 'RSA-PSS') {\n return { name: this.scheme, saltLength: 32 }\n }\n return { name: this.scheme /*, hash: this.hashAlgorithm*/ }\n }\n\n private async getKey(): Promise<CryptoKey> {\n if (!this.key) {\n this.key = await cryptoSubtleImportRSAKey(this.jwk, this.scheme, this.hashAlgorithm)\n }\n return this.key\n }\n\n private bufferToString(buf: ArrayBuffer) {\n const uint8Array = new Uint8Array(buf)\n return toString(uint8Array, 'base64url') // Needs to be base64url for JsonWebSignature2020. Don't change!\n }\n\n public async sign(data: Uint8Array): Promise<string> {\n const input = data\n const key = await this.getKey()\n const signature = this.bufferToString(await globalCrypto(false).subtle.sign(this.getImportParams(), key, input))\n if (!signature) {\n throw Error('Could not sign input data')\n }\n\n // base64url signature\n return signature\n }\n\n public async verify(data: string | Uint8Array, signature: string): Promise<boolean> {\n const jws = signature.includes('.') ? signature.split('.')[2] : signature\n\n const input = typeof data == 'string' ? fromString(data, 'utf-8') : data\n\n let key = await this.getKey()\n if (!key.usages.includes('verify')) {\n const verifyJwk = { ...this.jwk }\n delete verifyJwk.d\n delete verifyJwk.use\n delete verifyJwk.key_ops\n key = await cryptoSubtleImportRSAKey(verifyJwk, this.scheme, this.hashAlgorithm)\n }\n const verificationResult = await globalCrypto(false).subtle.verify(this.getImportParams(), key, fromString(jws, 'base64url'), input)\n return verificationResult\n }\n}\n","import { AsnParser } from '@peculiar/asn1-schema'\nimport { SubjectPublicKeyInfo } from '@peculiar/asn1-x509'\nimport { AlgorithmProvider, X509Certificate } from '@peculiar/x509'\n// import {calculateJwkThumbprint} from \"@sphereon/ssi-sdk-ext.key-utils\";\nimport { JWK } from '@sphereon/ssi-types'\nimport x509 from 'js-x509-utils'\nimport { AltName, AttributeTypeAndValue, Certificate, CryptoEngine, getCrypto, id_SubjectAltName, setEngine } from 'pkijs'\nimport { container } from 'tsyringe'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { globalCrypto } from './crypto'\nimport { areCertificatesEqual, derToPEM, pemOrDerToX509Certificate } from './x509-utils'\n\nexport type DNInfo = {\n DN: string\n attributes: Record<string, string>\n}\n\nexport type CertificateInfo = {\n certificate?: any // We need to fix the schema generator for this to be Certificate(Json) from pkijs\n notBefore: Date\n notAfter: Date\n publicKeyJWK?: any\n issuer: {\n dn: DNInfo\n }\n subject: {\n dn: DNInfo\n subjectAlternativeNames: SubjectAlternativeName[]\n }\n}\n\nexport type X509ValidationResult = {\n error: boolean\n critical: boolean\n message: string\n detailMessage?: string\n verificationTime: Date\n certificateChain?: Array<CertificateInfo>\n trustAnchor?: CertificateInfo\n client?: {\n // In case client id and scheme were passed in we return them for easy access. It means they are validated\n clientId: string\n clientIdScheme: ClientIdScheme\n }\n}\n\nconst defaultCryptoEngine = () => {\n const name = 'crypto'\n setEngine(name, new CryptoEngine({ name, crypto: globalCrypto(false) }))\n return getCrypto(true)\n}\n\nexport const getCertificateInfo = async (\n certificate: Certificate,\n opts?: {\n sanTypeFilter: SubjectAlternativeGeneralName | SubjectAlternativeGeneralName[]\n }\n): Promise<CertificateInfo> => {\n let publicKeyJWK: JWK | undefined\n try {\n publicKeyJWK = (await getCertificateSubjectPublicKeyJWK(certificate)) as JWK\n } catch (e) {}\n return {\n issuer: { dn: getIssuerDN(certificate) },\n subject: {\n dn: getSubjectDN(certificate),\n subjectAlternativeNames: getSubjectAlternativeNames(certificate, { typeFilter: opts?.sanTypeFilter }),\n },\n publicKeyJWK,\n notBefore: certificate.notBefore.value,\n notAfter: certificate.notAfter.value,\n // certificate\n } satisfies CertificateInfo\n}\n\nexport type X509CertificateChainValidationOpts = {\n // If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)\n allowNoTrustAnchorsFound?: boolean\n\n // Trust the supplied root from the chain, when no anchors are being passed in.\n trustRootWhenNoAnchors?: boolean\n // Do not perform a chain validation check if the chain only has a single value. This means only the certificate itself will be validated. No chain checks for CA certs will be performed. Only used when the cert has no issuer\n allowSingleNoCAChainElement?: boolean\n // WARNING: Do not use in production\n // Similar to regular trust anchors, but no validation is performed whatsoever. Do not use in production settings! Can be handy with self generated certificates as we perform many validations, making it hard to test with self-signed certs. Only applied in case a chain with 1 element is passed in to really make sure people do not abuse this option\n blindlyTrustedAnchors?: string[]\n\n disallowReversedChain?: boolean\n\n client?: {\n // If provided both are required. Validates the leaf certificate against the clientId and scheme\n clientId: string\n clientIdScheme: ClientIdScheme\n }\n}\n\nexport const validateX509CertificateChain = async ({\n chain: pemOrDerChain,\n trustAnchors,\n verificationTime = new Date(),\n opts = {\n // If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)\n allowNoTrustAnchorsFound: false,\n trustRootWhenNoAnchors: false,\n allowSingleNoCAChainElement: true,\n blindlyTrustedAnchors: [],\n disallowReversedChain: false,\n },\n}: {\n chain: (Uint8Array | string)[]\n trustAnchors?: string[]\n verificationTime?: Date\n opts?: X509CertificateChainValidationOpts\n}): Promise<X509ValidationResult> => {\n // We allow 1 reversal. We reverse by default as the implementation expects the root ca first, whilst x5c is the opposite. Reversed becomes true if the impl reverses the chain\n return await validateX509CertificateChainImpl({\n reversed: false,\n chain: [...pemOrDerChain].reverse(),\n trustAnchors,\n verificationTime,\n opts,\n })\n}\nconst validateX509CertificateChainImpl = async ({\n reversed,\n chain: pemOrDerChain,\n trustAnchors,\n verificationTime: verifyAt,\n opts,\n}: {\n reversed: boolean\n chain: (Uint8Array | string)[]\n trustAnchors?: string[]\n verificationTime: Date | string // string for REST API\n opts: X509CertificateChainValidationOpts\n}): Promise<X509ValidationResult> => {\n const verificationTime: Date = typeof verifyAt === 'string' ? new Date(verifyAt) : verifyAt\n const {\n allowNoTrustAnchorsFound = false,\n trustRootWhenNoAnchors = false,\n allowSingleNoCAChainElement = true,\n blindlyTrustedAnchors = [],\n disallowReversedChain = false,\n client,\n } = opts\n const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors\n\n if (pemOrDerChain.length === 0) {\n return {\n error: true,\n critical: true,\n message: 'Certificate chain in DER or PEM format must not be empty',\n verificationTime,\n }\n }\n defaultCryptoEngine()\n\n // x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around. Before calling this function the change has been revered\n const chain = await Promise.all(pemOrDerChain.map((raw) => parseCertificate(raw)))\n const x5cOrdereredChain = reversed ? [...chain] : [...chain].reverse()\n\n const trustedCerts = trustedPEMs ? await Promise.all(trustedPEMs.map((raw) => parseCertificate(raw))) : undefined\n const blindlyTrusted =\n (\n await Promise.all(\n blindlyTrustedAnchors.map((raw) => {\n try {\n return parseCertificate(raw)\n } catch (e) {\n // @ts-ignore\n console.log(`Failed to parse blindly trusted certificate ${raw}. Error: ${e.message}`)\n return undefined\n }\n })\n )\n ).filter((cert): cert is ParsedCertificate => cert !== undefined) ?? []\n const leafCert = x5cOrdereredChain[0]\n\n const chainLength = chain.length\n var foundTrustAnchor: ParsedCertificate | undefined = undefined\n for (let i = 0; i < chainLength; i++) {\n const currentCert = chain[i]\n const previousCert = i > 0 ? chain[i - 1] : undefined\n const blindlyTrustedCert = blindlyTrusted.find((trusted) => areCertificatesEqual(trusted.certificate, currentCert.certificate))\n if (blindlyTrustedCert) {\n console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)\n return {\n error: false,\n critical: false,\n message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,\n detailMessage: `Blindly trusted certificate ${blindlyTrustedCert.certificateInfo.subject.dn.DN} was found in the chain.`,\n trustAnchor: blindlyTrustedCert?.certificateInfo,\n verificationTime,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n ...(client && { client }),\n }\n }\n if (previousCert) {\n if (currentCert.x509Certificate.issuer !== previousCert.x509Certificate.subject) {\n if (!reversed && !disallowReversedChain) {\n return await validateX509CertificateChainImpl({\n reversed: true,\n chain: [...pemOrDerChain].reverse(),\n opts,\n verificationTime,\n trustAnchors,\n })\n }\n return {\n error: true,\n critical: true,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,\n detailMessage: `The certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer}, is not signed by the previous certificate ${previousCert?.certificateInfo.subject.dn.DN} with subject string ${previousCert?.x509Certificate.subject}.`,\n verificationTime,\n ...(client && { client }),\n }\n }\n }\n const result = await currentCert.x509Certificate.verify(\n {\n date: verificationTime,\n publicKey: previousCert?.x509Certificate?.publicKey,\n },\n getCrypto()?.crypto ?? crypto ?? global.crypto\n )\n if (!result) {\n // First cert needs to be self signed\n if (i == 0 && !reversed && !disallowReversedChain) {\n return await validateX509CertificateChainImpl({\n reversed: true,\n chain: [...pemOrDerChain].reverse(),\n opts,\n verificationTime,\n trustAnchors,\n })\n }\n\n return {\n error: true,\n critical: true,\n message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n detailMessage: `Verification of the certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${\n currentCert.x509Certificate.issuer\n } failed. Public key: ${JSON.stringify(currentCert.certificateInfo.publicKeyJWK)}.`,\n verificationTime,\n ...(client && { client }),\n }\n }\n\n foundTrustAnchor = foundTrustAnchor ?? trustedCerts?.find((trusted) => isSameCertificate(trusted.x509Certificate, currentCert.x509Certificate))\n\n if (i === 0 && chainLength === 1 && allowSingleNoCAChainElement) {\n return {\n error: false,\n critical: false,\n message: `Certificate chain succeeded as allow single cert result is allowed: ${leafCert.certificateInfo.subject.dn.DN}.`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n trustAnchor: foundTrustAnchor?.certificateInfo,\n verificationTime,\n ...(client && { client }),\n }\n }\n }\n\n if (foundTrustAnchor?.certificateInfo || allowNoTrustAnchorsFound) {\n return {\n error: false,\n critical: false,\n message: `Certificate chain was valid`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n detailMessage: foundTrustAnchor\n ? `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} is part of a chain with trust anchor ${foundTrustAnchor?.certificateInfo.subject.dn.DN}.`\n : `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} and chain were valid, but no trust anchor has been found. Ignoring as user allowed (allowNoTrustAnchorsFound: ${allowNoTrustAnchorsFound}).)`,\n trustAnchor: foundTrustAnchor?.certificateInfo,\n verificationTime,\n ...(client && { client }),\n }\n }\n\n return {\n error: true,\n critical: true,\n message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n detailMessage: `No trust anchor was found in the chain. between (intermediate) CA ${\n x5cOrdereredChain[chain.length - 1].certificateInfo.subject.dn.DN\n } and leaf ${x5cOrdereredChain[0].certificateInfo.subject.dn.DN}.`,\n verificationTime,\n ...(client && { client }),\n }\n}\n\nconst isSameCertificate = (cert1: X509Certificate, cert2: X509Certificate): boolean => {\n return cert1.rawData.toString() === cert2.rawData.toString()\n}\n\nconst algorithmProvider: AlgorithmProvider = container.resolve(AlgorithmProvider)\nexport const getX509AlgorithmProvider = (): AlgorithmProvider => {\n return algorithmProvider\n}\n\nexport type ParsedCertificate = {\n publicKeyInfo: SubjectPublicKeyInfo\n publicKeyJwk?: JWK\n publicKeyRaw: Uint8Array\n // @ts-ignore\n publicKeyAlgorithm: Algorithm\n certificateInfo: CertificateInfo\n certificate: Certificate\n x509Certificate: X509Certificate\n}\n\nexport const parseCertificate = async (rawCert: string | Uint8Array): Promise<ParsedCertificate> => {\n const x509Certificate = new X509Certificate(rawCert)\n const publicKeyInfo = AsnParser.parse(x509Certificate.publicKey.rawData, SubjectPublicKeyInfo)\n const publicKeyRaw = new Uint8Array(publicKeyInfo.subjectPublicKey)\n let publicKeyJwk: JWK | undefined = undefined\n try {\n publicKeyJwk = (await getCertificateSubjectPublicKeyJWK(new Uint8Array(x509Certificate.rawData))) as JWK\n } catch (e: any) {\n console.error(e.message)\n }\n const certificate = pemOrDerToX509Certificate(rawCert)\n const certificateInfo = await getCertificateInfo(certificate)\n const publicKeyAlgorithm = getX509AlgorithmProvider().toWebAlgorithm(publicKeyInfo.algorithm)\n return {\n publicKeyAlgorithm,\n publicKeyInfo,\n publicKeyJwk,\n publicKeyRaw,\n certificateInfo,\n certificate,\n x509Certificate,\n }\n}\n/*\n\n/!**\n *\n * @param pemOrDerChain The order must be that the Certs signing another cert must come one after another. So first the signing cert, then any cert signing that cert and so on\n * @param trustedPEMs\n * @param verificationTime\n * @param opts\n *!/\nexport const validateX509CertificateChainOrg = async ({\n chain: pemOrDerChain,\n trustAnchors,\n verificationTime = new Date(),\n opts = {\n trustRootWhenNoAnchors: false,\n allowSingleNoCAChainElement: true,\n blindlyTrustedAnchors: [],\n },\n }: {\n chain: (Uint8Array | string)[]\n trustAnchors?: string[]\n verificationTime?: Date\n opts?: X509CertificateChainValidationOpts\n}): Promise<X509ValidationResult> => {\n const {\n trustRootWhenNoAnchors = false,\n allowSingleNoCAChainElement = true,\n blindlyTrustedAnchors = [],\n client\n } = opts\n const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors\n\n if (pemOrDerChain.length === 0) {\n return {\n error: true,\n critical: true,\n message: 'Certificate chain in DER or PEM format must not be empty',\n verificationTime,\n }\n }\n\n // x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around\n const certs = pemOrDerChain.map(pemOrDerToX509Certificate).reverse()\n const trustedCerts = trustedPEMs ? trustedPEMs.map(pemOrDerToX509Certificate) : undefined\n defaultCryptoEngine()\n\n if (pemOrDerChain.length === 1) {\n const singleCert = typeof pemOrDerChain[0] === 'string' ? pemOrDerChain[0] : u8a.toString(pemOrDerChain[0], 'base64pad')\n const cert = pemOrDerToX509Certificate(singleCert)\n if (client) {\n const validation = await validateCertificateChainMatchesClientIdScheme(cert, client.clientId, client.clientIdScheme)\n if (validation.error) {\n return validation\n }\n }\n if (blindlyTrustedAnchors.includes(singleCert)) {\n console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)\n return {\n error: false,\n critical: true,\n message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,\n verificationTime,\n certificateChain: [await getCertificateInfo(cert)],\n ...(client && {client}),\n }\n }\n if (allowSingleNoCAChainElement) {\n const subjectDN = getSubjectDN(cert).DN\n if (!getIssuerDN(cert).DN || getIssuerDN(cert).DN === subjectDN) {\n const passed = await cert.verify()\n return {\n error: !passed,\n critical: true,\n message: `Certificate chain validation for ${subjectDN}: ${passed ? 'successful' : 'failed'}.`,\n verificationTime,\n certificateChain: [await getCertificateInfo(cert)],\n ...(client && {client}),\n }\n }\n }\n }\n\n const validationEngine = new CertificateChainValidationEngine({\n certs /!*crls: [crl1], ocsps: [ocsp1], *!/,\n checkDate: verificationTime,\n trustedCerts,\n })\n\n try {\n const verification = await validationEngine.verify()\n if (!verification.result || !verification.certificatePath) {\n return {\n error: true,\n critical: true,\n message: verification.resultMessage !== '' ? verification.resultMessage : `Certificate chain validation failed.`,\n verificationTime,\n ...(client && {client}),\n }\n }\n const certPath = verification.certificatePath\n if (client) {\n const clientIdValidation = await validateCertificateChainMatchesClientIdScheme(certs[0], client.clientId, client.clientIdScheme)\n if (clientIdValidation.error) {\n return clientIdValidation\n }\n }\n let certInfos: Array<CertificateInfo> | undefined\n\n for (const certificate of certPath) {\n try {\n certInfos?.push(await getCertificateInfo(certificate))\n } catch (e: any) {\n console.log(`Error getting certificate info ${e.message}`)\n }\n }\n\n\n return {\n error: false,\n critical: false,\n message: `Certificate chain was valid`,\n verificationTime,\n certificateChain: certInfos,\n ...(client && {client}),\n }\n } catch (error: any) {\n return {\n error: true,\n critical: true,\n message: `Certificate chain was invalid, ${error.message ?? '<unknown error>'}`,\n verificationTime,\n ...(client && {client}),\n }\n }\n}\n*/\n\nconst rdnmap: Record<string, string> = {\n '2.5.4.6': 'C',\n '2.5.4.10': 'O',\n '2.5.4.11': 'OU',\n '2.5.4.3': 'CN',\n '2.5.4.7': 'L',\n '2.5.4.8': 'ST',\n '2.5.4.12': 'T',\n '2.5.4.42': 'GN',\n '2.5.4.43': 'I',\n '2.5.4.4': 'SN',\n '1.2.840.113549.1.9.1': 'E-mail',\n}\n\nexport const getIssuerDN = (cert: Certificate): DNInfo => {\n return {\n DN: getDNString(cert.issuer.typesAndValues),\n attributes: getDNObject(cert.issuer.typesAndValues),\n }\n}\n\nexport const getSubjectDN = (cert: Certificate): DNInfo => {\n return {\n DN: getDNString(cert.subject.typesAndValues),\n attributes: getDNObject(cert.subject.typesAndValues),\n }\n}\n\nconst getDNObject = (typesAndValues: AttributeTypeAndValue[]): Record<string, string> => {\n const DN: Record<string, string> = {}\n for (const typeAndValue of typesAndValues) {\n const type = rdnmap[typeAndValue.type] ?? typeAndValue.type\n DN[type] = typeAndValue.value.getValue()\n }\n return DN\n}\nconst getDNString = (typesAndValues: AttributeTypeAndValue[]): string => {\n return Object.entries(getDNObject(typesAndValues))\n .map(([key, value]) => `${key}=${value}`)\n .join(',')\n}\n\nexport const getCertificateSubjectPublicKeyJWK = async (pemOrDerCert: string | Uint8Array | Certificate): Promise<JWK> => {\n const pemOrDerStr =\n typeof pemOrDerCert === 'string'\n ? toString(fromString(pemOrDerCert, 'base64pad'), 'base64pad')\n : pemOrDerCert instanceof Uint8Array\n ? toString(pemOrDerCert, 'base64pad')\n : toString(fromString(pemOrDerCert.toString('base64'), 'base64pad'), 'base64pad')\n const pem = derToPEM(pemOrDerStr)\n const certificate = pemOrDerToX509Certificate(pem)\n var jwk: JWK | undefined\n try {\n const subtle = getCrypto(true).subtle\n const pk = await certificate.getPublicKey(undefined, defaultCryptoEngine())\n jwk = (await subtle.exportKey('jwk', pk)) as JWK | undefined\n } catch (error: any) {\n console.log(`Error in primary get JWK from cert:`, error?.message)\n }\n if (!jwk) {\n try {\n jwk = (await x509.toJwk(pem, 'pem')) as JWK\n } catch (error: any) {\n console.log(`Error in secondary get JWK from cert as well:`, error?.message)\n }\n }\n if (!jwk) {\n throw Error(`Failed to get JWK from certificate ${pem}`)\n }\n return jwk\n}\n\n/**\n * otherName [0] OtherName,\n * rfc822Name [1] IA5String,\n * dNSName [2] IA5String,\n * x400Address [3] ORAddress,\n * directoryName [4] Name,\n * ediPartyName [5] EDIPartyName,\n * uniformResourceIdentifier [6] IA5String,\n * iPAddress [7] OCTET STRING,\n * registeredID [8] OBJECT IDENTIFIER }\n */\nexport enum SubjectAlternativeGeneralName {\n rfc822Name = 1, // email\n dnsName = 2,\n uniformResourceIdentifier = 6,\n ipAddress = 7,\n}\n\nexport interface SubjectAlternativeName {\n value: string\n type: SubjectAlternativeGeneralName\n}\n\nexport type ClientIdScheme = 'x509_san_dns' | 'x509_san_uri'\n\nexport const assertCertificateMatchesClientIdScheme = (certificate: Certificate, clientId: string, clientIdScheme: ClientIdScheme): void => {\n const sans = getSubjectAlternativeNames(certificate, { clientIdSchemeFilter: clientIdScheme })\n const clientIdMatches = sans.find((san) => san.value === clientId)\n if (!clientIdMatches) {\n throw Error(\n `Client id scheme ${clientIdScheme} used had no matching subject alternative names in certificate with DN ${\n getSubjectDN(certificate).DN\n }. SANS: ${sans.map((san) => san.value).join(',')}`\n )\n }\n}\n\nexport const validateCertificateChainMatchesClientIdScheme = async (\n certificate: Certificate,\n clientId: string,\n clientIdScheme: ClientIdScheme\n): Promise<X509ValidationResult> => {\n const result = {\n error: true,\n critical: true,\n message: `Client Id ${clientId} was not present in certificate using scheme ${clientIdScheme}`,\n client: {\n clientId,\n clientIdScheme,\n },\n certificateChain: [await getCertificateInfo(certificate)],\n verificationTime: new Date(),\n }\n try {\n assertCertificateMatchesClientIdScheme(certificate, clientId, clientIdScheme)\n } catch (error) {\n return result\n }\n result.error = false\n result.message = `Client Id ${clientId} was present in certificate using scheme ${clientIdScheme}`\n return result\n}\n\nexport const getSubjectAlternativeNames = (\n certificate: Certificate,\n opts?: {\n typeFilter?: SubjectAlternativeGeneralName | SubjectAlternativeGeneralName[]\n // When a clientIdchemeFilter is passed in it will always override the above type filter\n clientIdSchemeFilter?: ClientIdScheme\n }\n): SubjectAlternativeName[] => {\n let typeFilter: SubjectAlternativeGeneralName[]\n if (opts?.clientIdSchemeFilter) {\n typeFilter =\n opts.clientIdSchemeFilter === 'x509_san_dns'\n ? [SubjectAlternativeGeneralName.dnsName]\n : [SubjectAlternativeGeneralName.uniformResourceIdentifier]\n } else if (opts?.typeFilter) {\n typeFilter = Array.isArray(opts.typeFilter) ? opts.typeFilter : [opts.typeFilter]\n } else {\n typeFilter = [SubjectAlternativeGeneralName.dnsName, SubjectAlternativeGeneralName.uniformResourceIdentifier]\n }\n const parsedValue = certificate.extensions?.find((ext) => ext.extnID === id_SubjectAltName)?.parsedValue as AltName\n if (!parsedValue) {\n return []\n }\n const altNames = parsedValue.toJSON().altNames\n return altNames\n .filter((altName) => typeFilter.includes(altName.type))\n .map((altName) => {\n return { type: altName.type, value: altName.value } satisfies SubjectAlternativeName\n })\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACAO,IAAKA,YAAAA,yBAAAA,YAAAA;;;SAAAA;;;;ACIZ,IAAAC,oBAAyB;;;ACHlB,IAAMC,eAAe,wBAACC,WAAoBC,mBAAAA;AAC/C,MAAIC;AACJ,MAAI,OAAOD,mBAAmB,aAAa;AACzCC,gBAAYD;EACd,WAAW,OAAOE,WAAW,aAAa;AACxCD,gBAAYC;EACd,WAAW,OAAOC,OAAOD,WAAW,aAAa;AAC/CD,gBAAYE,OAAOD;EACrB,OAAO;AAEL,QAAI,OAAOC,OAAOC,QAAQF,QAAQG,WAAW,aAAa;AAExDJ,kBAAYE,OAAOC,OAAOF;IAC5B,OAAO;AAELD,kBAAYK,QAAQ,QAAA;IACtB;EACF;AACA,MAAIP,WAAW;AACbI,WAAOD,SAASD;EAClB;AAEA,SAAOA;AACT,GAvB4B;;;ACA5B,mBAA4B;AAE5B,yBAA2B;AAE3B,uBAAyB;AAEzB,mBAAkB;AAMX,SAASM,kBAAkBC,MAAcC,UAAiB;AAC/D,MAAI,CAACA,UAAU;AACbA,eAAW;EACb;AASA,QAAMC,eAAeF,KAClBG,QAAQ,oBAAoB,GAAA,EAC5BA,QAAQ,OAAO,EAAA,EACfA,QAAQ,OAAO,EAAA;AAClB,MAAIC,MAAMF,aAAaG,MAAM,GAAA,EAAKC,OAAO,SAAUC,GAAC;AAClD,WAAOA,EAAEC,SAAS;EACpB,CAAA;AACA,MAAIP,WAAW,GAAG;AAChBG,UAAMA,IAAIK,OAAO,GAAGR,QAAAA;EACtB;AACA,SAAOG;AACT;AAvBgBL;AAyBT,SAASW,kBAAkBN,KAAeH,UAAiB;AAChE,MAAI,CAACA,UAAU;AACbA,eAAW;EACb;AACA,QAAMO,SAASP,aAAa,IAAIG,IAAII,SAASG,KAAKC,IAAIX,UAAUG,IAAII,MAAM;AAC1E,MAAIK,MAAM;AACV,WAASC,IAAI,GAAGA,IAAIN,QAAQM,KAAK;AAC/BD,WAAOE,SAASX,IAAIU,CAAAA,GAAI,aAAA;EAC1B;AACA,SAAOD;AACT;AAVgBH;AAYT,IAAMM,4BAA4B,wBAAChB,SAAAA;AACxC,MAAIiB,MAA0B,OAAOjB,SAAS,WAAWA,OAAOkB;AAChE,MAAI,OAAOlB,SAAS,YAAY,EAAEA,gBAAgBmB,aAAa;AAE7D,WAAOC,yBAAYC,QAAQrB,KAAKsB,OAAO;EACzC,WAAW,OAAOtB,SAAS,UAAU;AACnC,WAAOoB,yBAAYC,QAAQrB,IAAAA;EAC7B,WAAWA,KAAKuB,SAAS,aAAA,GAAgB;AACvCN,UAAMO,SAASxB,IAAAA;EACjB;AACA,MAAI,CAACiB,KAAK;AACR,UAAMQ,MAAM,6FAAA;EACd;AACA,SAAOL,yBAAYC,YAAQK,+BAAWT,KAAK,WAAA,CAAA;AAC7C,GAdyC;AAgBlC,IAAMU,uBAAuB,wBAACC,OAAoBC,UAAAA;AACvD,SAAOD,MAAME,eAAeC,QAAQF,MAAMC,cAAc;AAC1D,GAFoC;AAI7B,IAAME,cAAc,wBAACC,KAAaC,aAA4B,aAAQ;AAC3E,QAAMC,MAAMC,SAASH,KAAKC,UAAAA;AAC1B,QAAMG,gBAA+BF,IAAIG,IAAI,YAAY;AACzD,QAAMC,SAASF,kBAAkB,YAAYG,qBAAqBP,GAAAA,IAAOQ,oBAAoBR,GAAAA;AAE7F,SAAO;IACLpB,KAAK6B,SAASH,QAAQL,UAAAA;IACtBC;IACAI;IACAI,SAASN;EACX;AACF,GAX2B;AAapB,IAAMO,WAAW,wBAACT,KAAiBD,aAA4B,aAAQ;AAC5E,SAAOW,aAAAA,QAAMC,KAAKX,KAAK,KAAA,EAAOY,SAAS,OAAOb,eAAe,WAAW,iBAAiB,eAAA;AAC3F,GAFwB;AAIjB,IAAME,WAAW,wBAACvB,KAAaqB,aAA4B,aAAQ;AACxE,SAAOW,aAAAA,QAAMC,KAAKjC,KAAK,KAAA,EAAOmC,MAAMd,UAAAA;AACtC,GAFwB;AAGjB,IAAMM,uBAAuB,wBAACP,QAAAA;AACnC,SAAOgB,SAAShB,GAAAA;AAClB,GAFoC;AAI7B,IAAMiB,wBAAwB,wBAACf,KAAiBD,aAA4B,aAAQ;AACzF,MAAIA,eAAe,WAAW;AAC5B,WAAOM,qBAAqBI,SAAST,KAAK,SAAA,CAAA;EAC5C,OAAO;AACL,WAAOM,oBAAoBG,SAAST,KAAK,QAAA,CAAA;EAC3C;AACF,GANqC;AAQ9B,IAAMM,sBAAsB,wBAACR,QAAAA;AAClC,QAAMkB,MAAMF,SAAShB,GAAAA;AACrB,MAAIA,IAAIV,SAAS,aAAA,GAAgB;AAC/B,UAAME,MAAM,4DAAA;EACd,WAAW,CAACQ,IAAIV,SAAS,SAAA,GAAY;AACnC,WAAO4B;EACT;AACA,QAAMC,YAAYhB,SAASH,KAAK,QAAA;AAChC,QAAMoB,YAAYT,SAASQ,WAAW,QAAA;AACtC,SAAOH,SAASI,SAAAA;AAClB,GAVmC;AAY5B,IAAMJ,WAAW,wBAAChB,KAAaqB,cAAAA;AACpC,MAAIrB,IAAIsB,QAAQ,aAAA,KAAkB,IAAI;AACpC,UAAM9B,MAAM,yBAAyB6B,SAAAA,EAAW;EAClD;AAEA,MAAIE;AACJ,MAAIF,WAAW;AACbE,kBAAcvB,IAAI9B,QAAQ,IAAIsD,OAAO,qBAAqBH,YAAY,OAAA,GAAU,EAAA;AAChFE,kBAAcA,YAAYrD,QAAQ,IAAIsD,OAAO,cAAcH,YAAY,YAAA,GAAe,EAAA;EACxF,OAAO;AACLE,kBAAcvB,IAAI9B,QAAQ,8BAA8B,EAAA;AACxDqD,kBAAcA,YAAYrD,QAAQ,4BAA4B,EAAA;EAChE;AACA,SAAOuD,YAAYF,aAAa,WAAA;AAClC,GAdwB;AAgBjB,SAASG,YAAY9C,KAAW;AACrC,QAAM+C,cAAc/C,IACjBV,QAAQ,8BAA8B,EAAA,EACtCA,QAAQ,4BAA4B,EAAA,EACpCA,QAAQ,OAAO,EAAA;AAElB,aAAOuB,+BAAWkC,aAAa,WAAA;AACjC;AAPgBD;AAcT,IAAMD,cAAc,wBAACG,OAAeC,kBAAAA;AACzC,QAAMC,mBAAmBF,MAAM1D,QAAQ,0BAA0B,EAAA;AACjE,aAAO4C,+BAASrB,+BAAWqC,kBAAkBD,gBAAgBA,gBAAgB,WAAA,GAAc,QAAA;AAC7F,GAH2B;AAKpB,IAAME,cAAc,wBAACH,OAAiCI,mBAAAA;AAC3D,MAAId,MAAM,OAAOU,UAAU,WAAWA,QAAQA,MAAMd,SAAS,EAAA;AAC7D,MAAII,IAAI3C,SAAS,MAAM,GAAG;AACxB2C,UAAM,IAAIA,GAAAA;EACZ;AACA,aAAOJ,+BAASrB,+BAAWyB,KAAK,QAAA,GAAWc,iBAAiBA,iBAAiB,WAAA;AAC/E,GAN2B;AAQpB,IAAMvB,WAAW,wBAACS,KAAae,SAAAA;AACpC,QAAMC,SAASH,YAAYb,KAAK,WAAA;AAChC,QAAMG,YAAYY,SAAS,YAAY,oBAAoB;AAC3D,MAAIA,SAAS,WAAW;AACtB,UAAMrD,MAAME,SAASoD,QAAQb,SAAAA;AAC7B,QAAI;AACFlB,eAASvB,GAAAA;AACT,aAAOA;IACT,SAASuD,OAAO;AACd,aAAOrD,SAASoD,QAAQ,aAAA;IAC1B;EACF;AACA,SAAOpD,SAASoD,QAAQb,SAAAA;AAC1B,GAbwB;AAejB,SAAS9B,SAASX,KAAW;AAClC,SAAOA,IAAIV,QAAQ,+CAA+C,EAAA;AACpE;AAFgBqB;AAIT,SAAST,SAASf,MAAcsD,WAA4E;AACjH,QAAMe,MAAMf,aAAa;AACzB,MAAItD,KAAKuB,SAAS8C,GAAAA,GAAM;AAEtB,WAAOrE;EACT;AACA,QAAMsE,UAAUtE,KAAKuE,MAAM,UAAA;AAC3B,MAAI,CAACD,SAAS;AACZ,UAAM7C,MAAM,mCAAA;EACd;AACA,SAAO,cAAc4C,GAAAA;EAAaC,QAAQE,KAAK,IAAA,CAAA;WAAmBH,GAAAA;;AACpE;AAXgBtD;;;AFjKhB,IAAM0D,QAAQ,wBAACC,QAAAA;AACb,MAAIA,IAAIC,WAAWD,IAAIC,QAAQC,SAAS,GAAG;AACzC,WAAOF,IAAIC;EACb;AACA,MAAID,IAAIG,KAAK;AACX,UAAMC,SAAqB,CAAA;AAC3B,QAAIJ,IAAIG,IAAIE,SAAS,KAAA,GAAQ;AAC3BD,aAAOE,KAAK,QAAQ,QAAA;IACtB,WAAWN,IAAIG,IAAIE,SAAS,KAAA,GAAQ;AAClCD,aAAOE,KAAK,WAAW,SAAA;IACzB;AACA,QAAIF,OAAOF,SAAS,GAAG;AACrB,aAAOE;IACT;EACF;AACA,MAAIJ,IAAIO,QAAQ,OAAO;AACrB,QAAIP,IAAIQ,GAAG;AACT,aAAOR,IAAIS,KAAKC,YAAAA,GAAeL,SAAS,MAAA,IAAU;QAAC;UAAa;QAAC;;IACnE;AACA,WAAOL,IAAIS,KAAKC,YAAAA,GAAeL,SAAS,MAAA,IAAU;MAAC;QAAa;MAAC;;EACnE;AAEA,SAAOL,IAAIQ,KAAKR,IAAIO,QAAQ,QAAQ;IAAC;IAAQ;IAAW;IAAU;MAAa;IAAC;;AAClF,GAvBc;AAyBP,IAAMI,kCAAkC,wBAACC,eAAAA;AAC9C,QAAMH,MAAMG,WAAWF,YAAW;AAClC,MAAIG;AACJ,MAAIJ,IAAIK,WAAW,IAAA,GAAO;AACxBD,aAAS;EACX,WAAWJ,IAAIK,WAAW,IAAA,GAAO;AAC/BD,aAAS;EACX,OAAO;AACL,UAAME,MAAM,sCAAsCH,UAAAA,EAAY;EAChE;AAEA,QAAMI,gBAAgB,OAAOP,IAAIQ,UAAU,CAAA,CAAA;AAC3C,SAAO;IAAEJ;IAAQG;EAAc;AACjC,GAb+C;AAexC,IAAME,2BAA2B,8BACtClB,KACAa,QACAG,kBAAAA;AAEA,QAAMG,WAAWH,gBAAgBA,gBAAgBhB,IAAIS,MAAM,OAAOT,IAAIS,IAAIQ,UAAU,CAAA,CAAA,KAAO;AAE3F,QAAMG,eAAsC;IAAEC,MAAMR;IAAQS,MAAMH;EAAS;AAC3E,SAAO,MAAMI,aAAa,KAAA,EAAOC,OAAOC,UAAU,OAAOzB,KAAmBoB,cAAc,OAAOrB,MAAMC,GAAAA,CAAAA;AACzG,GATwC;AAWjC,IAAM0B,sBAAsB,8BACjCb,QACAG,eACAW,kBAAAA;AAEA,QAAMR,WAAWH,gBAAgBA,gBAAgB;AAEjD,QAAMY,SAAgC;IACpCP,MAAMR;IACNS,MAAMH;IACNQ,eAAeA,gBAAgBA,gBAAgB;IAC/CE,gBAAgB,IAAIC,WAAW;MAAC;MAAG;MAAG;KAAE;EAC1C;AACA,QAAMC,WAAuBlB,WAAW,aAAaA,WAAW,sBAAsB;IAAC;IAAQ;MAAY;IAAC;IAAW;;AAEvH,QAAMmB,UAAU,MAAMT,aAAa,KAAA,EAAOC,OAAOS,YAAYL,QAAQ,MAAMG,QAAAA;AAC3E,QAAMG,QAAQ,MAAMX,aAAa,KAAA,EAAOC,OAAOW,UAAU,SAASH,QAAQI,UAAU;AAEpF,QAAMC,aAAa,IAAIP,WAAWI,KAAAA;AAClC,SAAOI,aAASC,4BAASF,YAAY,WAAA,GAAc,iBAAA;AACrD,GApBmC;;;AGjEnC,IAAAG,sBAA2B;AAE3B,IAAAC,oBAAyB;AAQlB,IAAMC,YAAN,MAAMA;EAXb,OAWaA;;;EACMC;EACAC;EAETC;EACSC;;;;;;EAOjBC,YACEF,KACAG,MACA;AACA,QAAI,OAAOH,QAAQ,UAAU;AAC3B,WAAKD,MAAMK,SAASJ,KAAKG,MAAME,UAAAA;IACjC,OAAO;AACL,WAAKN,MAAMC;IACb;AAEA,SAAKF,gBAAgBK,MAAML,iBAAiB;AAC5C,SAAKG,SAASE,MAAMF,UAAU;EAChC;EAEQK,kBAAsD;AAC5D,QAAI,KAAKL,WAAW,WAAW;AAC7B,aAAO;QAAEM,MAAM,KAAKN;QAAQO,YAAY;MAAG;IAC7C;AACA,WAAO;MAAED,MAAM,KAAKN;;IAAsC;EAC5D;EAEA,MAAcQ,SAA6B;AACzC,QAAI,CAAC,KAAKT,KAAK;AACb,WAAKA,MAAM,MAAMU,yBAAyB,KAAKX,KAAK,KAAKE,QAAQ,KAAKH,aAAa;IACrF;AACA,WAAO,KAAKE;EACd;EAEQW,eAAeC,KAAkB;AACvC,UAAMC,aAAa,IAAIC,WAAWF,GAAAA;AAClC,eAAOG,4BAASF,YAAY,WAAA;EAC9B;EAEA,MAAaG,KAAKC,MAAmC;AACnD,UAAMC,QAAQD;AACd,UAAMjB,MAAM,MAAM,KAAKS,OAAM;AAC7B,UAAMU,YAAY,KAAKR,eAAe,MAAMS,aAAa,KAAA,EAAOC,OAAOL,KAAK,KAAKV,gBAAe,GAAIN,KAAKkB,KAAAA,CAAAA;AACzG,QAAI,CAACC,WAAW;AACd,YAAMG,MAAM,2BAAA;IACd;AAGA,WAAOH;EACT;EAEA,MAAaI,OAAON,MAA2BE,WAAqC;AAClF,UAAMK,MAAML,UAAUM,SAAS,GAAA,IAAON,UAAUO,MAAM,GAAA,EAAK,CAAA,IAAKP;AAEhE,UAAMD,QAAQ,OAAOD,QAAQ,eAAWU,gCAAWV,MAAM,OAAA,IAAWA;AAEpE,QAAIjB,MAAM,MAAM,KAAKS,OAAM;AAC3B,QAAI,CAACT,IAAI4B,OAAOH,SAAS,QAAA,GAAW;AAClC,YAAMI,YAAY;QAAE,GAAG,KAAK9B;MAAI;AAChC,aAAO8B,UAAUC;AACjB,aAAOD,UAAUE;AACjB,aAAOF,UAAUG;AACjBhC,YAAM,MAAMU,yBAAyBmB,WAAW,KAAK5B,QAAQ,KAAKH,aAAa;IACjF;AACA,UAAMmC,qBAAqB,MAAMb,aAAa,KAAA,EAAOC,OAAOE,OAAO,KAAKjB,gBAAe,GAAIN,SAAK2B,gCAAWH,KAAK,WAAA,GAAcN,KAAAA;AAC9H,WAAOe;EACT;AACF;;;ACpFA,yBAA0B;AAC1B,uBAAqC;AACrC,kBAAmD;AAGnD,2BAAiB;AACjB,IAAAC,gBAAmH;AACnH,sBAA0B;AAE1B,IAAAC,sBAA2B;AAE3B,IAAAC,oBAAyB;AAsCzB,IAAMC,sBAAsB,6BAAA;AAC1B,QAAMC,OAAO;AACbC,+BAAUD,MAAM,IAAIE,2BAAa;IAAEF;IAAMG,QAAQC,aAAa,KAAA;EAAO,CAAA,CAAA;AACrE,aAAOC,yBAAU,IAAA;AACnB,GAJ4B;AAMrB,IAAMC,qBAAqB,8BAChCC,aACAC,SAAAA;AAIA,MAAIC;AACJ,MAAI;AACFA,mBAAgB,MAAMC,kCAAkCH,WAAAA;EAC1D,SAASI,GAAG;EAAC;AACb,SAAO;IACLC,QAAQ;MAAEC,IAAIC,YAAYP,WAAAA;IAAa;IACvCQ,SAAS;MACPF,IAAIG,aAAaT,WAAAA;MACjBU,yBAAyBC,2BAA2BX,aAAa;QAAEY,YAAYX,MAAMY;MAAc,CAAA;IACrG;IACAX;IACAY,WAAWd,YAAYc,UAAUC;IACjCC,UAAUhB,YAAYgB,SAASD;EAEjC;AACF,GArBkC;AA4C3B,IAAME,+BAA+B,8BAAO,EACjDC,OAAOC,eACPC,cACAC,mBAAmB,oBAAIC,KAAAA,GACvBrB,OAAO;;EAELsB,0BAA0B;EAC1BC,wBAAwB;EACxBC,6BAA6B;EAC7BC,uBAAuB,CAAA;EACvBC,uBAAuB;AACzB,EAAC,MAMF;AAEC,SAAO,MAAMC,iCAAiC;IAC5CC,UAAU;IACVX,OAAO;SAAIC;MAAeW,QAAO;IACjCV;IACAC;IACApB;EACF,CAAA;AACF,GA1B4C;AA2B5C,IAAM2B,mCAAmC,8BAAO,EAC9CC,UACAX,OAAOC,eACPC,cACAC,kBAAkBU,UAClB9B,KAAI,MAOL;AACC,QAAMoB,mBAAyB,OAAOU,aAAa,WAAW,IAAIT,KAAKS,QAAAA,IAAYA;AACnF,QAAM,EACJR,2BAA2B,OAC3BC,yBAAyB,OACzBC,8BAA8B,MAC9BC,wBAAwB,CAAA,GACxBC,wBAAwB,OACxBK,OAAM,IACJ/B;AACJ,QAAMgC,cAAcT,0BAA0B,CAACJ,eAAe;IAACD,cAAcA,cAAce,SAAS,CAAA;MAAMd;AAE1G,MAAID,cAAce,WAAW,GAAG;AAC9B,WAAO;MACLC,OAAO;MACPC,UAAU;MACVC,SAAS;MACThB;IACF;EACF;AACA7B,sBAAAA;AAGA,QAAM0B,QAAQ,MAAMoB,QAAQC,IAAIpB,cAAcqB,IAAI,CAACC,QAAQC,iBAAiBD,GAAAA,CAAAA,CAAAA;AAC5E,QAAME,oBAAoBd,WAAW;OAAIX;MAAS;OAAIA;IAAOY,QAAO;AAEpE,QAAMc,eAAeX,cAAc,MAAMK,QAAQC,IAAIN,YAAYO,IAAI,CAACC,QAAQC,iBAAiBD,GAAAA,CAAAA,CAAAA,IAASI;AACxG,QAAMC,kBAEF,MAAMR,QAAQC,IACZb,sBAAsBc,IAAI,CAACC,QAAAA;AACzB,QAAI;AACF,aAAOC,iBAAiBD,GAAAA;IAC1B,SAASrC,GAAG;AAEV2C,cAAQC,IAAI,+CAA+CP,GAAAA,YAAerC,EAAEiC,OAAO,EAAE;AACrF,aAAOQ;IACT;EACF,CAAA,CAAA,GAEFI,OAAO,CAACC,SAAoCA,SAASL,MAAAA,KAAc,CAAA;AACvE,QAAMM,WAAWR,kBAAkB,CAAA;AAEnC,QAAMS,cAAclC,MAAMgB;AAC1B,MAAImB,mBAAkDR;AACtD,WAASS,IAAI,GAAGA,IAAIF,aAAaE,KAAK;AACpC,UAAMC,cAAcrC,MAAMoC,CAAAA;AAC1B,UAAME,eAAeF,IAAI,IAAIpC,MAAMoC,IAAI,CAAA,IAAKT;AAC5C,UAAMY,qBAAqBX,eAAeY,KAAK,CAACC,YAAYC,qBAAqBD,QAAQ3D,aAAauD,YAAYvD,WAAW,CAAA;AAC7H,QAAIyD,oBAAoB;AACtBV,cAAQC,IAAI,iHAAiH;AAC7H,aAAO;QACLb,OAAO;QACPC,UAAU;QACVC,SAAS;QACTwB,eAAe,+BAA+BJ,mBAAmBK,gBAAgBtD,QAAQF,GAAGyD,EAAE;QAC9FC,aAAaP,oBAAoBK;QACjCzC;QACA4C,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;QACtE,GAAI9B,UAAU;UAAEA;QAAO;MACzB;IACF;AACA,QAAIwB,cAAc;AAChB,UAAID,YAAYW,gBAAgB7D,WAAWmD,aAAaU,gBAAgB1D,SAAS;AAC/E,YAAI,CAACqB,YAAY,CAACF,uBAAuB;AACvC,iBAAO,MAAMC,iCAAiC;YAC5CC,UAAU;YACVX,OAAO;iBAAIC;cAAeW,QAAO;YACjC7B;YACAoB;YACAD;UACF,CAAA;QACF;AACA,eAAO;UACLe,OAAO;UACPC,UAAU;UACV6B,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;UACtEzB,SAAS,2CAA2Cc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;UAC1FF,eAAe,mBAAmBN,YAAYO,gBAAgBtD,QAAQF,GAAGyD,EAAE,gBAAgBR,YAAYW,gBAAgB7D,MAAM,+CAA+CmD,cAAcM,gBAAgBtD,QAAQF,GAAGyD,EAAAA,wBAA0BP,cAAcU,gBAAgB1D,OAAAA;UAC7Qa;UACA,GAAIW,UAAU;YAAEA;UAAO;QACzB;MACF;IACF;AACA,UAAMmC,SAAS,MAAMZ,YAAYW,gBAAgBE,OAC/C;MACEC,MAAMhD;MACNiD,WAAWd,cAAcU,iBAAiBI;IAC5C,OACAxE,yBAAAA,GAAaF,UAAUA,UAAU2E,OAAO3E,MAAM;AAEhD,QAAI,CAACuE,QAAQ;AAEX,UAAIb,KAAK,KAAK,CAACzB,YAAY,CAACF,uBAAuB;AACjD,eAAO,MAAMC,iCAAiC;UAC5CC,UAAU;UACVX,OAAO;eAAIC;YAAeW,QAAO;UACjC7B;UACAoB;UACAD;QACF,CAAA;MACF;AAEA,aAAO;QACLe,OAAO;QACPC,UAAU;QACVC,SAAS,2CAA2Cc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;QAC1FE,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;QACtED,eAAe,mCAAmCN,YAAYO,gBAAgBtD,QAAQF,GAAGyD,EAAE,gBACzFR,YAAYW,gBAAgB7D,MAAM,wBACZmE,KAAKC,UAAUlB,YAAYO,gBAAgB5D,YAAY,CAAA;QAC/EmB;QACA,GAAIW,UAAU;UAAEA;QAAO;MACzB;IACF;AAEAqB,uBAAmBA,oBAAoBT,cAAcc,KAAK,CAACC,YAAYe,kBAAkBf,QAAQO,iBAAiBX,YAAYW,eAAe,CAAA;AAE7I,QAAIZ,MAAM,KAAKF,gBAAgB,KAAK3B,6BAA6B;AAC/D,aAAO;QACLU,OAAO;QACPC,UAAU;QACVC,SAAS,uEAAuEc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;QACtHE,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;QACtEE,aAAaX,kBAAkBS;QAC/BzC;QACA,GAAIW,UAAU;UAAEA;QAAO;MACzB;IACF;EACF;AAEA,MAAIqB,kBAAkBS,mBAAmBvC,0BAA0B;AACjE,WAAO;MACLY,OAAO;MACPC,UAAU;MACVC,SAAS;MACT4B,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;MACtED,eAAeR,mBACX,wBAAwBF,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE,yCAAyCV,kBAAkBS,gBAAgBtD,QAAQF,GAAGyD,EAAAA,MACpJ,wBAAwBZ,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE,kHAAkHxC,wBAAAA;MACpLyC,aAAaX,kBAAkBS;MAC/BzC;MACA,GAAIW,UAAU;QAAEA;MAAO;IACzB;EACF;AAEA,SAAO;IACLG,OAAO;IACPC,UAAU;IACVC,SAAS,2CAA2Cc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;IAC1FE,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;IACtED,eAAe,qEACblB,kBAAkBzB,MAAMgB,SAAS,CAAA,EAAG4B,gBAAgBtD,QAAQF,GAAGyD,EAAE,aACtDpB,kBAAkB,CAAA,EAAGmB,gBAAgBtD,QAAQF,GAAGyD,EAAE;IAC/D1C;IACA,GAAIW,UAAU;MAAEA;IAAO;EACzB;AACF,GAzKyC;AA2KzC,IAAM0C,oBAAoB,wBAACC,OAAwBC,UAAAA;AACjD,SAAOD,MAAME,QAAQC,SAAQ,MAAOF,MAAMC,QAAQC,SAAQ;AAC5D,GAF0B;AAI1B,IAAMC,oBAAuCC,0BAAUC,QAAQC,6BAAAA;AACxD,IAAMC,2BAA2B,6BAAA;AACtC,SAAOJ;AACT,GAFwC;AAejC,IAAMrC,mBAAmB,8BAAO0C,YAAAA;AACrC,QAAMlB,kBAAkB,IAAImB,4BAAgBD,OAAAA;AAC5C,QAAME,gBAAgBC,6BAAUC,MAAMtB,gBAAgBI,UAAUO,SAASY,qCAAAA;AACzE,QAAMC,eAAe,IAAIC,WAAWL,cAAcM,gBAAgB;AAClE,MAAIC,eAAgChD;AACpC,MAAI;AACFgD,mBAAgB,MAAM1F,kCAAkC,IAAIwF,WAAWzB,gBAAgBW,OAAO,CAAA;EAChG,SAASzE,GAAQ;AACf2C,YAAQZ,MAAM/B,EAAEiC,OAAO;EACzB;AACA,QAAMrC,cAAc8F,0BAA0BV,OAAAA;AAC9C,QAAMtB,kBAAkB,MAAM/D,mBAAmBC,WAAAA;AACjD,QAAM+F,qBAAqBZ,yBAAAA,EAA2Ba,eAAeV,cAAcW,SAAS;AAC5F,SAAO;IACLF;IACAT;IACAO;IACAH;IACA5B;IACA9D;IACAkE;EACF;AACF,GAtBgC;AAgKhC,IAAMgC,SAAiC;EACrC,WAAW;EACX,YAAY;EACZ,YAAY;EACZ,WAAW;EACX,WAAW;EACX,WAAW;EACX,YAAY;EACZ,YAAY;EACZ,YAAY;EACZ,WAAW;EACX,wBAAwB;AAC1B;AAEO,IAAM3F,cAAc,wBAAC2C,SAAAA;AAC1B,SAAO;IACLa,IAAIoC,YAAYjD,KAAK7C,OAAO+F,cAAc;IAC1CC,YAAYC,YAAYpD,KAAK7C,OAAO+F,cAAc;EACpD;AACF,GAL2B;AAOpB,IAAM3F,eAAe,wBAACyC,SAAAA;AAC3B,SAAO;IACLa,IAAIoC,YAAYjD,KAAK1C,QAAQ4F,cAAc;IAC3CC,YAAYC,YAAYpD,KAAK1C,QAAQ4F,cAAc;EACrD;AACF,GAL4B;AAO5B,IAAME,cAAc,wBAACF,mBAAAA;AACnB,QAAMrC,KAA6B,CAAC;AACpC,aAAWwC,gBAAgBH,gBAAgB;AACzC,UAAMI,OAAON,OAAOK,aAAaC,IAAI,KAAKD,aAAaC;AACvDzC,OAAGyC,IAAAA,IAAQD,aAAaxF,MAAM0F,SAAQ;EACxC;AACA,SAAO1C;AACT,GAPoB;AAQpB,IAAMoC,cAAc,wBAACC,mBAAAA;AACnB,SAAOM,OAAOC,QAAQL,YAAYF,cAAAA,CAAAA,EAC/B5D,IAAI,CAAC,CAACoE,KAAK7F,KAAAA,MAAW,GAAG6F,GAAAA,IAAO7F,KAAAA,EAAO,EACvC8F,KAAK,GAAA;AACV,GAJoB;AAMb,IAAM1G,oCAAoC,8BAAO2G,iBAAAA;AACtD,QAAMC,cACJ,OAAOD,iBAAiB,eACpBhC,gCAASkC,gCAAWF,cAAc,WAAA,GAAc,WAAA,IAChDA,wBAAwBnB,iBACxBb,4BAASgC,cAAc,WAAA,QACvBhC,gCAASkC,gCAAWF,aAAahC,SAAS,QAAA,GAAW,WAAA,GAAc,WAAA;AACzE,QAAMmC,MAAMC,SAASH,WAAAA;AACrB,QAAM/G,cAAc8F,0BAA0BmB,GAAAA;AAC9C,MAAIE;AACJ,MAAI;AACF,UAAMC,aAAStH,yBAAU,IAAA,EAAMsH;AAC/B,UAAMC,KAAK,MAAMrH,YAAYsH,aAAazE,QAAWrD,oBAAAA,CAAAA;AACrD2H,UAAO,MAAMC,OAAOG,UAAU,OAAOF,EAAAA;EACvC,SAASlF,OAAY;AACnBY,YAAQC,IAAI,uCAAuCb,OAAOE,OAAAA;EAC5D;AACA,MAAI,CAAC8E,KAAK;AACR,QAAI;AACFA,YAAO,MAAMK,qBAAAA,QAAKC,MAAMR,KAAK,KAAA;IAC/B,SAAS9E,OAAY;AACnBY,cAAQC,IAAI,iDAAiDb,OAAOE,OAAAA;IACtE;EACF;AACA,MAAI,CAAC8E,KAAK;AACR,UAAMO,MAAM,sCAAsCT,GAAAA,EAAK;EACzD;AACA,SAAOE;AACT,GA5BiD;AAyC1C,IAAKQ,gCAAAA,yBAAAA,gCAAAA;;;;;SAAAA;;AAcL,IAAMC,yCAAyC,wBAAC5H,aAA0B6H,UAAkBC,mBAAAA;AACjG,QAAMC,OAAOpH,2BAA2BX,aAAa;IAAEgI,sBAAsBF;EAAe,CAAA;AAC5F,QAAMG,kBAAkBF,KAAKrE,KAAK,CAACwE,QAAQA,IAAInH,UAAU8G,QAAAA;AACzD,MAAI,CAACI,iBAAiB;AACpB,UAAMP,MACJ,oBAAoBI,cAAAA,0EAClBrH,aAAaT,WAAAA,EAAa+D,EAAE,WACnBgE,KAAKvF,IAAI,CAAC0F,QAAQA,IAAInH,KAAK,EAAE8F,KAAK,GAAA,CAAA,EAAM;EAEvD;AACF,GAVsD;AAY/C,IAAMsB,gDAAgD,8BAC3DnI,aACA6H,UACAC,mBAAAA;AAEA,QAAM3D,SAAS;IACbhC,OAAO;IACPC,UAAU;IACVC,SAAS,aAAawF,QAAAA,gDAAwDC,cAAAA;IAC9E9F,QAAQ;MACN6F;MACAC;IACF;IACA7D,kBAAkB;MAAC,MAAMlE,mBAAmBC,WAAAA;;IAC5CqB,kBAAkB,oBAAIC,KAAAA;EACxB;AACA,MAAI;AACFsG,2CAAuC5H,aAAa6H,UAAUC,cAAAA;EAChE,SAAS3F,OAAO;AACd,WAAOgC;EACT;AACAA,SAAOhC,QAAQ;AACfgC,SAAO9B,UAAU,aAAawF,QAAAA,4CAAoDC,cAAAA;AAClF,SAAO3D;AACT,GAxB6D;AA0BtD,IAAMxD,6BAA6B,wBACxCX,aACAC,SAAAA;AAMA,MAAIW;AACJ,MAAIX,MAAM+H,sBAAsB;AAC9BpH,iBACEX,KAAK+H,yBAAyB,iBAC1B;;QACA;;;EACR,WAAW/H,MAAMW,YAAY;AAC3BA,iBAAawH,MAAMC,QAAQpI,KAAKW,UAAU,IAAIX,KAAKW,aAAa;MAACX,KAAKW;;EACxE,OAAO;AACLA,iBAAa;;;;EACf;AACA,QAAM0H,cAActI,YAAYuI,YAAY7E,KAAK,CAAC8E,QAAQA,IAAIC,WAAWC,+BAAAA,GAAoBJ;AAC7F,MAAI,CAACA,aAAa;AAChB,WAAO,CAAA;EACT;AACA,QAAMK,WAAWL,YAAYM,OAAM,EAAGD;AACtC,SAAOA,SACJ1F,OAAO,CAAC4F,YAAYjI,WAAWkI,SAASD,QAAQrC,IAAI,CAAA,EACpDhE,IAAI,CAACqG,YAAAA;AACJ,WAAO;MAAErC,MAAMqC,QAAQrC;MAAMzF,OAAO8H,QAAQ9H;IAAM;EACpD,CAAA;AACJ,GA7B0C;","names":["JwkKeyUse","import_to_string","globalCrypto","setGlobal","suppliedCrypto","webcrypto","crypto","global","window","subtle","require","pemCertChainTox5c","cert","maxDepth","intermediate","replace","x5c","split","filter","c","length","splice","x5cToPemCertChain","Math","min","pem","i","derToPEM","pemOrDerToX509Certificate","DER","undefined","Uint8Array","Certificate","fromBER","rawData","includes","PEMToDer","Error","fromString","areCertificatesEqual","cert1","cert2","signatureValue","isEqual","toKeyObject","PEM","visibility","jwk","PEMToJwk","keyVisibility","d","keyHex","privateKeyHexFromPEM","publicKeyHexFromPEM","hexToPEM","keyType","jwkToPEM","keyto","from","toString","toJwk","PEMToHex","hexKeyFromPEMBasedJwk","hex","publicJwk","publicPEM","headerKey","indexOf","strippedPem","RegExp","base64ToHex","PEMToBinary","pemContents","input","inputEncoding","base64NoNewlines","hexToBase64","targetEncoding","type","base64","error","key","matches","match","join","usage","jwk","key_ops","length","use","usages","includes","push","kty","d","alg","toUpperCase","signAlgorithmToSchemeAndHashAlg","signingAlg","scheme","startsWith","Error","hashAlgorithm","substring","cryptoSubtleImportRSAKey","hashName","importParams","name","hash","globalCrypto","subtle","importKey","generateRSAKeyAsPEM","modulusLength","params","publicExponent","Uint8Array","keyUsage","keypair","generateKey","pkcs8","exportKey","privateKey","uint8Array","derToPEM","toString","import_from_string","import_to_string","RSASigner","hashAlgorithm","jwk","key","scheme","constructor","opts","PEMToJwk","visibility","getImportParams","name","saltLength","getKey","cryptoSubtleImportRSAKey","bufferToString","buf","uint8Array","Uint8Array","toString","sign","data","input","signature","globalCrypto","subtle","Error","verify","jws","includes","split","fromString","usages","verifyJwk","d","use","key_ops","verificationResult","import_pkijs","import_from_string","import_to_string","defaultCryptoEngine","name","setEngine","CryptoEngine","crypto","globalCrypto","getCrypto","getCertificateInfo","certificate","opts","publicKeyJWK","getCertificateSubjectPublicKeyJWK","e","issuer","dn","getIssuerDN","subject","getSubjectDN","subjectAlternativeNames","getSubjectAlternativeNames","typeFilter","sanTypeFilter","notBefore","value","notAfter","validateX509CertificateChain","chain","pemOrDerChain","trustAnchors","verificationTime","Date","allowNoTrustAnchorsFound","trustRootWhenNoAnchors","allowSingleNoCAChainElement","blindlyTrustedAnchors","disallowReversedChain","validateX509CertificateChainImpl","reversed","reverse","verifyAt","client","trustedPEMs","length","error","critical","message","Promise","all","map","raw","parseCertificate","x5cOrdereredChain","trustedCerts","undefined","blindlyTrusted","console","log","filter","cert","leafCert","chainLength","foundTrustAnchor","i","currentCert","previousCert","blindlyTrustedCert","find","trusted","areCertificatesEqual","detailMessage","certificateInfo","DN","trustAnchor","certificateChain","x509Certificate","result","verify","date","publicKey","global","JSON","stringify","isSameCertificate","cert1","cert2","rawData","toString","algorithmProvider","container","resolve","AlgorithmProvider","getX509AlgorithmProvider","rawCert","X509Certificate","publicKeyInfo","AsnParser","parse","SubjectPublicKeyInfo","publicKeyRaw","Uint8Array","subjectPublicKey","publicKeyJwk","pemOrDerToX509Certificate","publicKeyAlgorithm","toWebAlgorithm","algorithm","rdnmap","getDNString","typesAndValues","attributes","getDNObject","typeAndValue","type","getValue","Object","entries","key","join","pemOrDerCert","pemOrDerStr","fromString","pem","derToPEM","jwk","subtle","pk","getPublicKey","exportKey","x509","toJwk","Error","SubjectAlternativeGeneralName","assertCertificateMatchesClientIdScheme","clientId","clientIdScheme","sans","clientIdSchemeFilter","clientIdMatches","san","validateCertificateChainMatchesClientIdScheme","Array","isArray","parsedValue","extensions","ext","extnID","id_SubjectAltName","altNames","toJSON","altName","includes"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/types/index.ts","../src/x509/rsa-key.ts","../src/x509/crypto.ts","../src/x509/x509-utils.ts","../src/x509/rsa-signer.ts","../src/x509/x509-validator.ts"],"sourcesContent":["/**\n *\n * @packageDocumentation\n */\nexport * from './types'\nexport * from './x509'\n","export enum JwkKeyUse {\n Encryption = 'enc',\n Signature = 'sig',\n}\n\nexport type HashAlgorithm = 'SHA-256' | 'SHA-512'\n\nexport type KeyVisibility = 'public' | 'private'\n\nexport interface X509Opts {\n cn?: string // The certificate Common Name. Will be used as the KID for the private key. Uses alias if not provided.\n privateKeyPEM?: string // Optional as you also need to provide it in hex format, but advisable to use it\n certificatePEM?: string // Optional, as long as the certificate then is part of the certificateChainPEM\n certificateChainURL?: string // Certificate chain URL. If used this is where the certificateChainPEM will be hosted/found.\n certificateChainPEM?: string // Base64 (not url!) encoded DER certificate chain. Please provide even if certificateChainURL is used!\n}\n","// @ts-ignore\nimport { KeyUsage, CryptoKey, RsaHashedImportParams, RsaHashedKeyGenParams } from 'node'\n\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\nimport type { HashAlgorithm } from '../types'\nimport { globalCrypto } from './crypto'\n\nimport { derToPEM } from './x509-utils'\nimport type { JsonWebKey } from '@sphereon/ssi-types'\n\nexport type RSASignatureSchemes = 'RSASSA-PKCS1-V1_5' | 'RSA-PSS'\n\nexport type RSAEncryptionSchemes = 'RSAES-PKCS-v1_5 ' | 'RSAES-OAEP'\n\nconst usage = (jwk: JsonWebKey): KeyUsage[] => {\n if (jwk.key_ops && jwk.key_ops.length > 0) {\n return jwk.key_ops as KeyUsage[]\n }\n if (jwk.use) {\n const usages: KeyUsage[] = []\n if (jwk.use.includes('sig')) {\n usages.push('sign', 'verify')\n } else if (jwk.use.includes('enc')) {\n usages.push('encrypt', 'decrypt')\n }\n if (usages.length > 0) {\n return usages\n }\n }\n if (jwk.kty === 'RSA') {\n if (jwk.d) {\n return jwk.alg?.toUpperCase()?.includes('QAEP') ? ['encrypt'] : ['sign']\n }\n return jwk.alg?.toUpperCase()?.includes('QAEP') ? ['decrypt'] : ['verify']\n }\n // \"decrypt\" | \"deriveBits\" | \"deriveKey\" | \"encrypt\" | \"sign\" | \"unwrapKey\" | \"verify\" | \"wrapKey\";\n return jwk.d && jwk.kty !== 'RSA' ? ['sign', 'decrypt', 'verify', 'encrypt'] : ['verify']\n}\n\nexport const signAlgorithmToSchemeAndHashAlg = (signingAlg: string) => {\n const alg = signingAlg.toUpperCase()\n let scheme: RSAEncryptionSchemes | RSASignatureSchemes\n if (alg.startsWith('RS')) {\n scheme = 'RSASSA-PKCS1-V1_5'\n } else if (alg.startsWith('PS')) {\n scheme = 'RSA-PSS'\n } else {\n throw Error(`Invalid signing algorithm supplied ${signingAlg}`)\n }\n\n const hashAlgorithm = `SHA-${alg.substring(2)}` as HashAlgorithm\n return { scheme, hashAlgorithm }\n}\n\nexport const cryptoSubtleImportRSAKey = async (\n jwk: JsonWebKey,\n scheme: RSAEncryptionSchemes | RSASignatureSchemes,\n hashAlgorithm?: HashAlgorithm\n): Promise<CryptoKey> => {\n const hashName = hashAlgorithm ? hashAlgorithm : jwk.alg ? `SHA-${jwk.alg.substring(2)}` : 'SHA-256'\n\n const importParams: RsaHashedImportParams = { name: scheme, hash: hashName }\n return await globalCrypto(false).subtle.importKey('jwk', jwk as JsonWebKey, importParams, false, usage(jwk))\n}\n\nexport const generateRSAKeyAsPEM = async (\n scheme: RSAEncryptionSchemes | RSASignatureSchemes,\n hashAlgorithm?: HashAlgorithm,\n modulusLength?: number\n): Promise<string> => {\n const hashName = hashAlgorithm ? hashAlgorithm : 'SHA-256'\n\n const params: RsaHashedKeyGenParams = {\n name: scheme,\n hash: hashName,\n modulusLength: modulusLength ? modulusLength : 2048,\n publicExponent: new Uint8Array([1, 0, 1]),\n }\n const keyUsage: KeyUsage[] = scheme === 'RSA-PSS' || scheme === 'RSASSA-PKCS1-V1_5' ? ['sign', 'verify'] : ['encrypt', 'decrypt']\n\n const keypair = await globalCrypto(false).subtle.generateKey(params, true, keyUsage)\n const pkcs8 = await globalCrypto(false).subtle.exportKey('pkcs8', keypair.privateKey)\n\n const uint8Array = new Uint8Array(pkcs8)\n return derToPEM(toString(uint8Array, 'base64pad'), 'RSA PRIVATE KEY')\n}\n","import { webcrypto } from 'node:crypto'\nexport const globalCrypto = (setGlobal: boolean, suppliedCrypto?: webcrypto.Crypto): webcrypto.Crypto => {\n let webcrypto: webcrypto.Crypto\n if (typeof suppliedCrypto !== 'undefined') {\n webcrypto = suppliedCrypto\n } else if (typeof crypto !== 'undefined') {\n webcrypto = crypto\n } else if (typeof global.crypto !== 'undefined') {\n webcrypto = global.crypto\n } else {\n // @ts-ignore\n if (typeof global.window?.crypto?.subtle !== 'undefined') {\n // @ts-ignore\n webcrypto = global.window.crypto\n } else {\n // @ts-ignore\n webcrypto = require('crypto') as webcrypto.Crypto\n }\n }\n if (setGlobal) {\n global.crypto = webcrypto\n }\n\n return webcrypto\n}\n","import { X509Certificate } from '@peculiar/x509'\nimport { Certificate } from 'pkijs'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString, toString } = u8a\n// @ts-ignore\nimport keyto from '@trust/keyto'\nimport type { KeyVisibility } from '../types'\n\nimport type { JsonWebKey } from '@sphereon/ssi-types'\n// Based on (MIT licensed):\n// https://github.com/hildjj/node-posh/blob/master/lib/index.js\nexport function pemCertChainTox5c(cert: string, maxDepth?: number): string[] {\n if (!maxDepth) {\n maxDepth = 0\n }\n /*\n * Convert a PEM-encoded certificate to the version used in the x5c element\n * of a [JSON Web Key](http://tools.ietf.org/html/draft-ietf-jose-json-web-key).\n *\n * `cert` PEM-encoded certificate chain\n * `maxdepth` The maximum number of certificates to use from the chain.\n */\n\n const intermediate = cert\n .replace(/-----[^\\n]+\\n?/gm, ',')\n .replace(/\\n/g, '')\n .replace(/\\r/g, '')\n let x5c = intermediate.split(',').filter(function (c) {\n return c.length > 0\n })\n if (maxDepth > 0) {\n x5c = x5c.splice(0, maxDepth)\n }\n return x5c\n}\n\nexport function x5cToPemCertChain(x5c: string[], maxDepth?: number): string {\n if (!maxDepth) {\n maxDepth = 0\n }\n const length = maxDepth === 0 ? x5c.length : Math.min(maxDepth, x5c.length)\n let pem = ''\n for (let i = 0; i < length; i++) {\n pem += derToPEM(x5c[i], 'CERTIFICATE')\n }\n return pem\n}\n\nexport const pemOrDerToX509Certificate = (cert: string | Uint8Array | X509Certificate): Certificate => {\n let DER: string | undefined = typeof cert === 'string' ? cert : undefined\n if (typeof cert === 'object' && !(cert instanceof Uint8Array)) {\n // X509Certificate object\n return Certificate.fromBER(cert.rawData)\n } else if (typeof cert !== 'string') {\n return Certificate.fromBER(cert)\n } else if (cert.includes('CERTIFICATE')) {\n DER = PEMToDer(cert)\n }\n if (!DER) {\n throw Error('Invalid cert input value supplied. PEM, DER, Bytes and X509Certificate object are supported')\n }\n return Certificate.fromBER(fromString(DER, 'base64pad'))\n}\n\nexport const areCertificatesEqual = (cert1: Certificate, cert2: Certificate): boolean => {\n return cert1.signatureValue.isEqual(cert2.signatureValue)\n}\n\nexport const toKeyObject = (PEM: string, visibility: KeyVisibility = 'public') => {\n const jwk = PEMToJwk(PEM, visibility)\n const keyVisibility: KeyVisibility = jwk.d ? 'private' : 'public'\n const keyHex = keyVisibility === 'private' ? privateKeyHexFromPEM(PEM) : publicKeyHexFromPEM(PEM)\n\n return {\n pem: hexToPEM(keyHex, visibility),\n jwk,\n keyHex,\n keyType: keyVisibility,\n }\n}\n\nexport const jwkToPEM = (jwk: JsonWebKey, visibility: KeyVisibility = 'public'): string => {\n return keyto.from(jwk, 'jwk').toString('pem', visibility === 'public' ? 'public_pkcs8' : 'private_pkcs8')\n}\n\nexport const PEMToJwk = (pem: string, visibility: KeyVisibility = 'public'): JsonWebKey => {\n return keyto.from(pem, 'pem').toJwk(visibility)\n}\nexport const privateKeyHexFromPEM = (PEM: string) => {\n return PEMToHex(PEM)\n}\n\nexport const hexKeyFromPEMBasedJwk = (jwk: JsonWebKey, visibility: KeyVisibility = 'public'): string => {\n if (visibility === 'private') {\n return privateKeyHexFromPEM(jwkToPEM(jwk, 'private'))\n } else {\n return publicKeyHexFromPEM(jwkToPEM(jwk, 'public'))\n }\n}\n\nexport const publicKeyHexFromPEM = (PEM: string) => {\n const hex = PEMToHex(PEM)\n if (PEM.includes('CERTIFICATE')) {\n throw Error('Cannot directly deduce public Key from PEM Certificate yet')\n } else if (!PEM.includes('PRIVATE')) {\n return hex\n }\n const publicJwk = PEMToJwk(PEM, 'public')\n const publicPEM = jwkToPEM(publicJwk, 'public')\n return PEMToHex(publicPEM)\n}\n\nexport const PEMToHex = (PEM: string, headerKey?: string): string => {\n if (PEM.indexOf('-----BEGIN ') == -1) {\n throw Error(`PEM header not found: ${headerKey}`)\n }\n\n let strippedPem: string\n if (headerKey) {\n strippedPem = PEM.replace(new RegExp('^[^]*-----BEGIN ' + headerKey + '-----'), '')\n strippedPem = strippedPem.replace(new RegExp('-----END ' + headerKey + '-----[^]*$'), '')\n } else {\n strippedPem = PEM.replace(/^[^]*-----BEGIN [^-]+-----/, '')\n strippedPem = strippedPem.replace(/-----END [^-]+-----[^]*$/, '')\n }\n return base64ToHex(strippedPem, 'base64pad')\n}\n\nexport function PEMToBinary(pem: string): Uint8Array {\n const pemContents = pem\n .replace(/^[^]*-----BEGIN [^-]+-----/, '')\n .replace(/-----END [^-]+-----[^]*$/, '')\n .replace(/\\s/g, '')\n\n return fromString(pemContents, 'base64pad')\n}\n\n/**\n * Converts a base64 encoded string to hex string, removing any non-base64 characters, including newlines\n * @param input The input in base64, with optional newlines\n * @param inputEncoding\n */\nexport const base64ToHex = (input: string, inputEncoding?: 'base64' | 'base64pad' | 'base64url' | 'base64urlpad') => {\n const base64NoNewlines = input.replace(/[^0-9A-Za-z_\\-~\\/+=]*/g, '')\n return toString(fromString(base64NoNewlines, inputEncoding ? inputEncoding : 'base64pad'), 'base16')\n}\n\nexport const hexToBase64 = (input: number | object | string, targetEncoding?: 'base64' | 'base64pad' | 'base64url' | 'base64urlpad'): string => {\n let hex = typeof input === 'string' ? input : input.toString(16)\n if (hex.length % 2 === 1) {\n hex = `0${hex}`\n }\n return toString(fromString(hex, 'base16'), targetEncoding ? targetEncoding : 'base64pad')\n}\n\nexport const hexToPEM = (hex: string, type: KeyVisibility): string => {\n const base64 = hexToBase64(hex, 'base64pad')\n const headerKey = type === 'private' ? 'RSA PRIVATE KEY' : 'PUBLIC KEY'\n if (type === 'private') {\n const pem = derToPEM(base64, headerKey)\n try {\n PEMToJwk(pem) // We only use it to test the private key\n return pem\n } catch (error) {\n return derToPEM(base64, 'PRIVATE KEY')\n }\n }\n return derToPEM(base64, headerKey)\n}\n\nexport function PEMToDer(pem: string): string {\n return pem.replace(/(-----(BEGIN|END) CERTIFICATE-----|[\\n\\r])/g, '')\n}\n\nexport function derToPEM(cert: string, headerKey?: 'PUBLIC KEY' | 'RSA PRIVATE KEY' | 'PRIVATE KEY' | 'CERTIFICATE'): string {\n const key = headerKey ?? 'CERTIFICATE'\n if (cert.includes(key)) {\n // Was already in PEM it seems\n return cert\n }\n const matches = cert.match(/.{1,64}/g)\n if (!matches) {\n throw Error('Invalid cert input value supplied')\n }\n return `-----BEGIN ${key}-----\\n${matches.join('\\n')}\\n-----END ${key}-----\\n`\n}\n","// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString, toString } = u8a\nimport type { HashAlgorithm, KeyVisibility } from '../types'\nimport { globalCrypto } from './crypto'\nimport { cryptoSubtleImportRSAKey, RSAEncryptionSchemes, RSASignatureSchemes } from './rsa-key'\nimport { PEMToJwk } from './x509-utils'\nimport type { JsonWebKey } from '@sphereon/ssi-types'\n// @ts-ignore\nimport { CryptoKey, RsaPssParams, AlgorithmIdentifier } from 'node'\nexport class RSASigner {\n private readonly hashAlgorithm: HashAlgorithm\n private readonly jwk: JsonWebKey\n\n private key: CryptoKey | undefined\n private readonly scheme: RSAEncryptionSchemes | RSASignatureSchemes\n\n /**\n *\n * @param key Either in PEM or JWK format (no raw hex keys here!)\n * @param opts The algorithm and signature/encryption schemes\n */\n constructor(\n key: string | JsonWebKey,\n opts?: { hashAlgorithm?: HashAlgorithm; scheme?: RSAEncryptionSchemes | RSASignatureSchemes; visibility?: KeyVisibility }\n ) {\n if (typeof key === 'string') {\n this.jwk = PEMToJwk(key, opts?.visibility)\n } else {\n this.jwk = key\n }\n\n this.hashAlgorithm = opts?.hashAlgorithm ?? 'SHA-256'\n this.scheme = opts?.scheme ?? 'RSA-PSS'\n }\n\n private getImportParams(): AlgorithmIdentifier | RsaPssParams {\n if (this.scheme === 'RSA-PSS') {\n return { name: this.scheme, saltLength: 32 }\n }\n return { name: this.scheme /*, hash: this.hashAlgorithm*/ }\n }\n\n private async getKey(): Promise<CryptoKey> {\n if (!this.key) {\n this.key = await cryptoSubtleImportRSAKey(this.jwk, this.scheme, this.hashAlgorithm)\n }\n return this.key\n }\n\n private bufferToString(buf: ArrayBuffer) {\n const uint8Array = new Uint8Array(buf)\n return toString(uint8Array, 'base64url') // Needs to be base64url for JsonWebSignature2020. Don't change!\n }\n\n public async sign(data: Uint8Array): Promise<string> {\n const input = data\n const key = await this.getKey()\n const signature = this.bufferToString(await globalCrypto(false).subtle.sign(this.getImportParams(), key, input))\n if (!signature) {\n throw Error('Could not sign input data')\n }\n\n // base64url signature\n return signature\n }\n\n public async verify(data: string | Uint8Array, signature: string): Promise<boolean> {\n const jws = signature.includes('.') ? signature.split('.')[2] : signature\n\n const input = typeof data == 'string' ? fromString(data, 'utf-8') : data\n\n let key = await this.getKey()\n if (!key.usages.includes('verify')) {\n const verifyJwk = { ...this.jwk }\n delete verifyJwk.d\n delete verifyJwk.use\n delete verifyJwk.key_ops\n key = await cryptoSubtleImportRSAKey(verifyJwk, this.scheme, this.hashAlgorithm)\n }\n const verificationResult = await globalCrypto(false).subtle.verify(this.getImportParams(), key, fromString(jws, 'base64url'), input)\n return verificationResult\n }\n}\n","import { AsnParser } from '@peculiar/asn1-schema'\nimport { SubjectPublicKeyInfo } from '@peculiar/asn1-x509'\nimport { AlgorithmProvider, X509Certificate } from '@peculiar/x509'\n// import {calculateJwkThumbprint} from \"@sphereon/ssi-sdk-ext.key-utils\";\nimport { JWK } from '@sphereon/ssi-types'\nimport x509 from 'js-x509-utils'\nimport { AltName, AttributeTypeAndValue, Certificate, CryptoEngine, getCrypto, id_SubjectAltName, setEngine } from 'pkijs'\nimport { container } from 'tsyringe'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString, toString } = u8a\nimport { globalCrypto } from './crypto'\nimport { areCertificatesEqual, derToPEM, pemOrDerToX509Certificate } from './x509-utils'\n\nexport type DNInfo = {\n DN: string\n attributes: Record<string, string>\n}\n\nexport type CertificateInfo = {\n certificate?: any // We need to fix the schema generator for this to be Certificate(Json) from pkijs\n notBefore: Date\n notAfter: Date\n publicKeyJWK?: any\n issuer: {\n dn: DNInfo\n }\n subject: {\n dn: DNInfo\n subjectAlternativeNames: SubjectAlternativeName[]\n }\n}\n\nexport type X509ValidationResult = {\n error: boolean\n critical: boolean\n message: string\n detailMessage?: string\n verificationTime: Date\n certificateChain?: Array<CertificateInfo>\n trustAnchor?: CertificateInfo\n client?: {\n // In case client id and scheme were passed in we return them for easy access. It means they are validated\n clientId: string\n clientIdScheme: ClientIdScheme\n }\n}\n\nconst defaultCryptoEngine = () => {\n const name = 'crypto'\n setEngine(name, new CryptoEngine({ name, crypto: globalCrypto(false) }))\n return getCrypto(true)\n}\n\nexport const getCertificateInfo = async (\n certificate: Certificate,\n opts?: {\n sanTypeFilter: SubjectAlternativeGeneralName | SubjectAlternativeGeneralName[]\n }\n): Promise<CertificateInfo> => {\n let publicKeyJWK: JWK | undefined\n try {\n publicKeyJWK = (await getCertificateSubjectPublicKeyJWK(certificate)) as JWK\n } catch (e) {}\n return {\n issuer: { dn: getIssuerDN(certificate) },\n subject: {\n dn: getSubjectDN(certificate),\n subjectAlternativeNames: getSubjectAlternativeNames(certificate, { typeFilter: opts?.sanTypeFilter }),\n },\n publicKeyJWK,\n notBefore: certificate.notBefore.value,\n notAfter: certificate.notAfter.value,\n // certificate\n } satisfies CertificateInfo\n}\n\nexport type X509CertificateChainValidationOpts = {\n // If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)\n allowNoTrustAnchorsFound?: boolean\n\n // Trust the supplied root from the chain, when no anchors are being passed in.\n trustRootWhenNoAnchors?: boolean\n // Do not perform a chain validation check if the chain only has a single value. This means only the certificate itself will be validated. No chain checks for CA certs will be performed. Only used when the cert has no issuer\n allowSingleNoCAChainElement?: boolean\n // WARNING: Do not use in production\n // Similar to regular trust anchors, but no validation is performed whatsoever. Do not use in production settings! Can be handy with self generated certificates as we perform many validations, making it hard to test with self-signed certs. Only applied in case a chain with 1 element is passed in to really make sure people do not abuse this option\n blindlyTrustedAnchors?: string[]\n\n disallowReversedChain?: boolean\n\n client?: {\n // If provided both are required. Validates the leaf certificate against the clientId and scheme\n clientId: string\n clientIdScheme: ClientIdScheme\n }\n}\n\nexport const validateX509CertificateChain = async ({\n chain: pemOrDerChain,\n trustAnchors,\n verificationTime = new Date(),\n opts = {\n // If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)\n allowNoTrustAnchorsFound: false,\n trustRootWhenNoAnchors: false,\n allowSingleNoCAChainElement: true,\n blindlyTrustedAnchors: [],\n disallowReversedChain: false,\n },\n}: {\n chain: (Uint8Array | string)[]\n trustAnchors?: string[]\n verificationTime?: Date\n opts?: X509CertificateChainValidationOpts\n}): Promise<X509ValidationResult> => {\n // We allow 1 reversal. We reverse by default as the implementation expects the root ca first, whilst x5c is the opposite. Reversed becomes true if the impl reverses the chain\n return await validateX509CertificateChainImpl({\n reversed: false,\n chain: [...pemOrDerChain].reverse(),\n trustAnchors,\n verificationTime,\n opts,\n })\n}\nconst validateX509CertificateChainImpl = async ({\n reversed,\n chain: pemOrDerChain,\n trustAnchors,\n verificationTime: verifyAt,\n opts,\n}: {\n reversed: boolean\n chain: (Uint8Array | string)[]\n trustAnchors?: string[]\n verificationTime: Date | string // string for REST API\n opts: X509CertificateChainValidationOpts\n}): Promise<X509ValidationResult> => {\n const verificationTime: Date = typeof verifyAt === 'string' ? new Date(verifyAt) : verifyAt\n const {\n allowNoTrustAnchorsFound = false,\n trustRootWhenNoAnchors = false,\n allowSingleNoCAChainElement = true,\n blindlyTrustedAnchors = [],\n disallowReversedChain = false,\n client,\n } = opts\n const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors\n\n if (pemOrDerChain.length === 0) {\n return {\n error: true,\n critical: true,\n message: 'Certificate chain in DER or PEM format must not be empty',\n verificationTime,\n }\n }\n defaultCryptoEngine()\n\n // x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around. Before calling this function the change has been revered\n const chain = await Promise.all(pemOrDerChain.map((raw) => parseCertificate(raw)))\n const x5cOrdereredChain = reversed ? [...chain] : [...chain].reverse()\n\n const trustedCerts = trustedPEMs ? await Promise.all(trustedPEMs.map((raw) => parseCertificate(raw))) : undefined\n const blindlyTrusted =\n (\n await Promise.all(\n blindlyTrustedAnchors.map((raw) => {\n try {\n return parseCertificate(raw)\n } catch (e) {\n // @ts-ignore\n console.log(`Failed to parse blindly trusted certificate ${raw}. Error: ${e.message}`)\n return undefined\n }\n })\n )\n ).filter((cert): cert is ParsedCertificate => cert !== undefined) ?? []\n const leafCert = x5cOrdereredChain[0]\n\n const chainLength = chain.length\n var foundTrustAnchor: ParsedCertificate | undefined = undefined\n for (let i = 0; i < chainLength; i++) {\n const currentCert = chain[i]\n const previousCert = i > 0 ? chain[i - 1] : undefined\n const blindlyTrustedCert = blindlyTrusted.find((trusted) => areCertificatesEqual(trusted.certificate, currentCert.certificate))\n if (blindlyTrustedCert) {\n console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)\n return {\n error: false,\n critical: false,\n message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,\n detailMessage: `Blindly trusted certificate ${blindlyTrustedCert.certificateInfo.subject.dn.DN} was found in the chain.`,\n trustAnchor: blindlyTrustedCert?.certificateInfo,\n verificationTime,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n ...(client && { client }),\n }\n }\n if (previousCert) {\n if (currentCert.x509Certificate.issuer !== previousCert.x509Certificate.subject) {\n if (!reversed && !disallowReversedChain) {\n return await validateX509CertificateChainImpl({\n reversed: true,\n chain: [...pemOrDerChain].reverse(),\n opts,\n verificationTime,\n trustAnchors,\n })\n }\n return {\n error: true,\n critical: true,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,\n detailMessage: `The certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer}, is not signed by the previous certificate ${previousCert?.certificateInfo.subject.dn.DN} with subject string ${previousCert?.x509Certificate.subject}.`,\n verificationTime,\n ...(client && { client }),\n }\n }\n }\n const result = await currentCert.x509Certificate.verify(\n {\n date: verificationTime,\n publicKey: previousCert?.x509Certificate?.publicKey,\n },\n getCrypto()?.crypto ?? crypto ?? global.crypto\n )\n if (!result) {\n // First cert needs to be self signed\n if (i == 0 && !reversed && !disallowReversedChain) {\n return await validateX509CertificateChainImpl({\n reversed: true,\n chain: [...pemOrDerChain].reverse(),\n opts,\n verificationTime,\n trustAnchors,\n })\n }\n\n return {\n error: true,\n critical: true,\n message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n detailMessage: `Verification of the certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${\n currentCert.x509Certificate.issuer\n } failed. Public key: ${JSON.stringify(currentCert.certificateInfo.publicKeyJWK)}.`,\n verificationTime,\n ...(client && { client }),\n }\n }\n\n foundTrustAnchor = foundTrustAnchor ?? trustedCerts?.find((trusted) => isSameCertificate(trusted.x509Certificate, currentCert.x509Certificate))\n\n if (i === 0 && chainLength === 1 && allowSingleNoCAChainElement) {\n return {\n error: false,\n critical: false,\n message: `Certificate chain succeeded as allow single cert result is allowed: ${leafCert.certificateInfo.subject.dn.DN}.`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n trustAnchor: foundTrustAnchor?.certificateInfo,\n verificationTime,\n ...(client && { client }),\n }\n }\n }\n\n if (foundTrustAnchor?.certificateInfo || allowNoTrustAnchorsFound) {\n return {\n error: false,\n critical: false,\n message: `Certificate chain was valid`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n detailMessage: foundTrustAnchor\n ? `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} is part of a chain with trust anchor ${foundTrustAnchor?.certificateInfo.subject.dn.DN}.`\n : `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} and chain were valid, but no trust anchor has been found. Ignoring as user allowed (allowNoTrustAnchorsFound: ${allowNoTrustAnchorsFound}).)`,\n trustAnchor: foundTrustAnchor?.certificateInfo,\n verificationTime,\n ...(client && { client }),\n }\n }\n\n return {\n error: true,\n critical: true,\n message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n detailMessage: `No trust anchor was found in the chain. between (intermediate) CA ${\n x5cOrdereredChain[chain.length - 1].certificateInfo.subject.dn.DN\n } and leaf ${x5cOrdereredChain[0].certificateInfo.subject.dn.DN}.`,\n verificationTime,\n ...(client && { client }),\n }\n}\n\nconst isSameCertificate = (cert1: X509Certificate, cert2: X509Certificate): boolean => {\n return cert1.rawData.toString() === cert2.rawData.toString()\n}\n\nconst algorithmProvider: AlgorithmProvider = container.resolve(AlgorithmProvider)\nexport const getX509AlgorithmProvider = (): AlgorithmProvider => {\n return algorithmProvider\n}\n\nexport type ParsedCertificate = {\n publicKeyInfo: SubjectPublicKeyInfo\n publicKeyJwk?: JWK\n publicKeyRaw: Uint8Array\n // @ts-ignore\n publicKeyAlgorithm: Algorithm\n certificateInfo: CertificateInfo\n certificate: Certificate\n x509Certificate: X509Certificate\n}\n\nexport const parseCertificate = async (rawCert: string | Uint8Array): Promise<ParsedCertificate> => {\n const x509Certificate = new X509Certificate(rawCert)\n const publicKeyInfo = AsnParser.parse(x509Certificate.publicKey.rawData, SubjectPublicKeyInfo)\n const publicKeyRaw = new Uint8Array(publicKeyInfo.subjectPublicKey)\n let publicKeyJwk: JWK | undefined = undefined\n try {\n publicKeyJwk = (await getCertificateSubjectPublicKeyJWK(new Uint8Array(x509Certificate.rawData))) as JWK\n } catch (e: any) {\n console.error(e.message)\n }\n const certificate = pemOrDerToX509Certificate(rawCert)\n const certificateInfo = await getCertificateInfo(certificate)\n const publicKeyAlgorithm = getX509AlgorithmProvider().toWebAlgorithm(publicKeyInfo.algorithm)\n return {\n publicKeyAlgorithm,\n publicKeyInfo,\n publicKeyJwk,\n publicKeyRaw,\n certificateInfo,\n certificate,\n x509Certificate,\n }\n}\n/*\n\n/!**\n *\n * @param pemOrDerChain The order must be that the Certs signing another cert must come one after another. So first the signing cert, then any cert signing that cert and so on\n * @param trustedPEMs\n * @param verificationTime\n * @param opts\n *!/\nexport const validateX509CertificateChainOrg = async ({\n chain: pemOrDerChain,\n trustAnchors,\n verificationTime = new Date(),\n opts = {\n trustRootWhenNoAnchors: false,\n allowSingleNoCAChainElement: true,\n blindlyTrustedAnchors: [],\n },\n }: {\n chain: (Uint8Array | string)[]\n trustAnchors?: string[]\n verificationTime?: Date\n opts?: X509CertificateChainValidationOpts\n}): Promise<X509ValidationResult> => {\n const {\n trustRootWhenNoAnchors = false,\n allowSingleNoCAChainElement = true,\n blindlyTrustedAnchors = [],\n client\n } = opts\n const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors\n\n if (pemOrDerChain.length === 0) {\n return {\n error: true,\n critical: true,\n message: 'Certificate chain in DER or PEM format must not be empty',\n verificationTime,\n }\n }\n\n // x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around\n const certs = pemOrDerChain.map(pemOrDerToX509Certificate).reverse()\n const trustedCerts = trustedPEMs ? trustedPEMs.map(pemOrDerToX509Certificate) : undefined\n defaultCryptoEngine()\n\n if (pemOrDerChain.length === 1) {\n const singleCert = typeof pemOrDerChain[0] === 'string' ? pemOrDerChain[0] : u8a.toString(pemOrDerChain[0], 'base64pad')\n const cert = pemOrDerToX509Certificate(singleCert)\n if (client) {\n const validation = await validateCertificateChainMatchesClientIdScheme(cert, client.clientId, client.clientIdScheme)\n if (validation.error) {\n return validation\n }\n }\n if (blindlyTrustedAnchors.includes(singleCert)) {\n console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)\n return {\n error: false,\n critical: true,\n message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,\n verificationTime,\n certificateChain: [await getCertificateInfo(cert)],\n ...(client && {client}),\n }\n }\n if (allowSingleNoCAChainElement) {\n const subjectDN = getSubjectDN(cert).DN\n if (!getIssuerDN(cert).DN || getIssuerDN(cert).DN === subjectDN) {\n const passed = await cert.verify()\n return {\n error: !passed,\n critical: true,\n message: `Certificate chain validation for ${subjectDN}: ${passed ? 'successful' : 'failed'}.`,\n verificationTime,\n certificateChain: [await getCertificateInfo(cert)],\n ...(client && {client}),\n }\n }\n }\n }\n\n const validationEngine = new CertificateChainValidationEngine({\n certs /!*crls: [crl1], ocsps: [ocsp1], *!/,\n checkDate: verificationTime,\n trustedCerts,\n })\n\n try {\n const verification = await validationEngine.verify()\n if (!verification.result || !verification.certificatePath) {\n return {\n error: true,\n critical: true,\n message: verification.resultMessage !== '' ? verification.resultMessage : `Certificate chain validation failed.`,\n verificationTime,\n ...(client && {client}),\n }\n }\n const certPath = verification.certificatePath\n if (client) {\n const clientIdValidation = await validateCertificateChainMatchesClientIdScheme(certs[0], client.clientId, client.clientIdScheme)\n if (clientIdValidation.error) {\n return clientIdValidation\n }\n }\n let certInfos: Array<CertificateInfo> | undefined\n\n for (const certificate of certPath) {\n try {\n certInfos?.push(await getCertificateInfo(certificate))\n } catch (e: any) {\n console.log(`Error getting certificate info ${e.message}`)\n }\n }\n\n\n return {\n error: false,\n critical: false,\n message: `Certificate chain was valid`,\n verificationTime,\n certificateChain: certInfos,\n ...(client && {client}),\n }\n } catch (error: any) {\n return {\n error: true,\n critical: true,\n message: `Certificate chain was invalid, ${error.message ?? '<unknown error>'}`,\n verificationTime,\n ...(client && {client}),\n }\n }\n}\n*/\n\nconst rdnmap: Record<string, string> = {\n '2.5.4.6': 'C',\n '2.5.4.10': 'O',\n '2.5.4.11': 'OU',\n '2.5.4.3': 'CN',\n '2.5.4.7': 'L',\n '2.5.4.8': 'ST',\n '2.5.4.12': 'T',\n '2.5.4.42': 'GN',\n '2.5.4.43': 'I',\n '2.5.4.4': 'SN',\n '1.2.840.113549.1.9.1': 'E-mail',\n}\n\nexport const getIssuerDN = (cert: Certificate): DNInfo => {\n return {\n DN: getDNString(cert.issuer.typesAndValues),\n attributes: getDNObject(cert.issuer.typesAndValues),\n }\n}\n\nexport const getSubjectDN = (cert: Certificate): DNInfo => {\n return {\n DN: getDNString(cert.subject.typesAndValues),\n attributes: getDNObject(cert.subject.typesAndValues),\n }\n}\n\nconst getDNObject = (typesAndValues: AttributeTypeAndValue[]): Record<string, string> => {\n const DN: Record<string, string> = {}\n for (const typeAndValue of typesAndValues) {\n const type = rdnmap[typeAndValue.type] ?? typeAndValue.type\n DN[type] = typeAndValue.value.getValue()\n }\n return DN\n}\nconst getDNString = (typesAndValues: AttributeTypeAndValue[]): string => {\n return Object.entries(getDNObject(typesAndValues))\n .map(([key, value]) => `${key}=${value}`)\n .join(',')\n}\n\nexport const getCertificateSubjectPublicKeyJWK = async (pemOrDerCert: string | Uint8Array | Certificate): Promise<JWK> => {\n const pemOrDerStr =\n typeof pemOrDerCert === 'string'\n ? toString(fromString(pemOrDerCert, 'base64pad'), 'base64pad')\n : pemOrDerCert instanceof Uint8Array\n ? toString(pemOrDerCert, 'base64pad')\n : toString(fromString(pemOrDerCert.toString('base64'), 'base64pad'), 'base64pad')\n const pem = derToPEM(pemOrDerStr)\n const certificate = pemOrDerToX509Certificate(pem)\n var jwk: JWK | undefined\n try {\n const subtle = getCrypto(true).subtle\n const pk = await certificate.getPublicKey(undefined, defaultCryptoEngine())\n jwk = (await subtle.exportKey('jwk', pk)) as JWK | undefined\n } catch (error: any) {\n console.log(`Error in primary get JWK from cert:`, error?.message)\n }\n if (!jwk) {\n try {\n jwk = (await x509.toJwk(pem, 'pem')) as JWK\n } catch (error: any) {\n console.log(`Error in secondary get JWK from cert as well:`, error?.message)\n }\n }\n if (!jwk) {\n throw Error(`Failed to get JWK from certificate ${pem}`)\n }\n return jwk\n}\n\n/**\n * otherName [0] OtherName,\n * rfc822Name [1] IA5String,\n * dNSName [2] IA5String,\n * x400Address [3] ORAddress,\n * directoryName [4] Name,\n * ediPartyName [5] EDIPartyName,\n * uniformResourceIdentifier [6] IA5String,\n * iPAddress [7] OCTET STRING,\n * registeredID [8] OBJECT IDENTIFIER }\n */\nexport enum SubjectAlternativeGeneralName {\n rfc822Name = 1, // email\n dnsName = 2,\n uniformResourceIdentifier = 6,\n ipAddress = 7,\n}\n\nexport interface SubjectAlternativeName {\n value: string\n type: SubjectAlternativeGeneralName\n}\n\nexport type ClientIdScheme = 'x509_san_dns' | 'x509_san_uri'\n\nexport const assertCertificateMatchesClientIdScheme = (certificate: Certificate, clientId: string, clientIdScheme: ClientIdScheme): void => {\n const sans = getSubjectAlternativeNames(certificate, { clientIdSchemeFilter: clientIdScheme })\n const clientIdMatches = sans.find((san) => san.value === clientId)\n if (!clientIdMatches) {\n throw Error(\n `Client id scheme ${clientIdScheme} used had no matching subject alternative names in certificate with DN ${\n getSubjectDN(certificate).DN\n }. SANS: ${sans.map((san) => san.value).join(',')}`\n )\n }\n}\n\nexport const validateCertificateChainMatchesClientIdScheme = async (\n certificate: Certificate,\n clientId: string,\n clientIdScheme: ClientIdScheme\n): Promise<X509ValidationResult> => {\n const result = {\n error: true,\n critical: true,\n message: `Client Id ${clientId} was not present in certificate using scheme ${clientIdScheme}`,\n client: {\n clientId,\n clientIdScheme,\n },\n certificateChain: [await getCertificateInfo(certificate)],\n verificationTime: new Date(),\n }\n try {\n assertCertificateMatchesClientIdScheme(certificate, clientId, clientIdScheme)\n } catch (error) {\n return result\n }\n result.error = false\n result.message = `Client Id ${clientId} was present in certificate using scheme ${clientIdScheme}`\n return result\n}\n\nexport const getSubjectAlternativeNames = (\n certificate: Certificate,\n opts?: {\n typeFilter?: SubjectAlternativeGeneralName | SubjectAlternativeGeneralName[]\n // When a clientIdchemeFilter is passed in it will always override the above type filter\n clientIdSchemeFilter?: ClientIdScheme\n }\n): SubjectAlternativeName[] => {\n let typeFilter: SubjectAlternativeGeneralName[]\n if (opts?.clientIdSchemeFilter) {\n typeFilter =\n opts.clientIdSchemeFilter === 'x509_san_dns'\n ? [SubjectAlternativeGeneralName.dnsName]\n : [SubjectAlternativeGeneralName.uniformResourceIdentifier]\n } else if (opts?.typeFilter) {\n typeFilter = Array.isArray(opts.typeFilter) ? opts.typeFilter : [opts.typeFilter]\n } else {\n typeFilter = [SubjectAlternativeGeneralName.dnsName, SubjectAlternativeGeneralName.uniformResourceIdentifier]\n }\n const parsedValue = certificate.extensions?.find((ext) => ext.extnID === id_SubjectAltName)?.parsedValue as AltName\n if (!parsedValue) {\n return []\n }\n const altNames = parsedValue.toJSON().altNames\n return altNames\n .filter((altName) => typeFilter.includes(altName.type))\n .map((altName) => {\n return { type: altName.type, value: altName.value } satisfies SubjectAlternativeName\n })\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACAO,IAAKA,YAAAA,yBAAAA,YAAAA;;;SAAAA;;;;ACIZ,IAAAC,OAAqB;;;ACHd,IAAMC,eAAe,wBAACC,WAAoBC,mBAAAA;AAC/C,MAAIC;AACJ,MAAI,OAAOD,mBAAmB,aAAa;AACzCC,gBAAYD;EACd,WAAW,OAAOE,WAAW,aAAa;AACxCD,gBAAYC;EACd,WAAW,OAAOC,OAAOD,WAAW,aAAa;AAC/CD,gBAAYE,OAAOD;EACrB,OAAO;AAEL,QAAI,OAAOC,OAAOC,QAAQF,QAAQG,WAAW,aAAa;AAExDJ,kBAAYE,OAAOC,OAAOF;IAC5B,OAAO;AAELD,kBAAYK,QAAQ,QAAA;IACtB;EACF;AACA,MAAIP,WAAW;AACbI,WAAOD,SAASD;EAClB;AAEA,SAAOA;AACT,GAvB4B;;;ACA5B,mBAA4B;AAE5B,UAAqB;AAGrB,mBAAkB;AAFlB,IAAM,EAAEM,YAAYC,SAAQ,IAAKC;AAQ1B,SAASC,kBAAkBC,MAAcC,UAAiB;AAC/D,MAAI,CAACA,UAAU;AACbA,eAAW;EACb;AASA,QAAMC,eAAeF,KAClBG,QAAQ,oBAAoB,GAAA,EAC5BA,QAAQ,OAAO,EAAA,EACfA,QAAQ,OAAO,EAAA;AAClB,MAAIC,MAAMF,aAAaG,MAAM,GAAA,EAAKC,OAAO,SAAUC,GAAC;AAClD,WAAOA,EAAEC,SAAS;EACpB,CAAA;AACA,MAAIP,WAAW,GAAG;AAChBG,UAAMA,IAAIK,OAAO,GAAGR,QAAAA;EACtB;AACA,SAAOG;AACT;AAvBgBL;AAyBT,SAASW,kBAAkBN,KAAeH,UAAiB;AAChE,MAAI,CAACA,UAAU;AACbA,eAAW;EACb;AACA,QAAMO,SAASP,aAAa,IAAIG,IAAII,SAASG,KAAKC,IAAIX,UAAUG,IAAII,MAAM;AAC1E,MAAIK,MAAM;AACV,WAASC,IAAI,GAAGA,IAAIN,QAAQM,KAAK;AAC/BD,WAAOE,SAASX,IAAIU,CAAAA,GAAI,aAAA;EAC1B;AACA,SAAOD;AACT;AAVgBH;AAYT,IAAMM,4BAA4B,wBAAChB,SAAAA;AACxC,MAAIiB,MAA0B,OAAOjB,SAAS,WAAWA,OAAOkB;AAChE,MAAI,OAAOlB,SAAS,YAAY,EAAEA,gBAAgBmB,aAAa;AAE7D,WAAOC,yBAAYC,QAAQrB,KAAKsB,OAAO;EACzC,WAAW,OAAOtB,SAAS,UAAU;AACnC,WAAOoB,yBAAYC,QAAQrB,IAAAA;EAC7B,WAAWA,KAAKuB,SAAS,aAAA,GAAgB;AACvCN,UAAMO,SAASxB,IAAAA;EACjB;AACA,MAAI,CAACiB,KAAK;AACR,UAAMQ,MAAM,6FAAA;EACd;AACA,SAAOL,yBAAYC,QAAQzB,WAAWqB,KAAK,WAAA,CAAA;AAC7C,GAdyC;AAgBlC,IAAMS,uBAAuB,wBAACC,OAAoBC,UAAAA;AACvD,SAAOD,MAAME,eAAeC,QAAQF,MAAMC,cAAc;AAC1D,GAFoC;AAI7B,IAAME,cAAc,wBAACC,KAAaC,aAA4B,aAAQ;AAC3E,QAAMC,MAAMC,SAASH,KAAKC,UAAAA;AAC1B,QAAMG,gBAA+BF,IAAIG,IAAI,YAAY;AACzD,QAAMC,SAASF,kBAAkB,YAAYG,qBAAqBP,GAAAA,IAAOQ,oBAAoBR,GAAAA;AAE7F,SAAO;IACLnB,KAAK4B,SAASH,QAAQL,UAAAA;IACtBC;IACAI;IACAI,SAASN;EACX;AACF,GAX2B;AAapB,IAAMO,WAAW,wBAACT,KAAiBD,aAA4B,aAAQ;AAC5E,SAAOW,aAAAA,QAAMC,KAAKX,KAAK,KAAA,EAAOrC,SAAS,OAAOoC,eAAe,WAAW,iBAAiB,eAAA;AAC3F,GAFwB;AAIjB,IAAME,WAAW,wBAACtB,KAAaoB,aAA4B,aAAQ;AACxE,SAAOW,aAAAA,QAAMC,KAAKhC,KAAK,KAAA,EAAOiC,MAAMb,UAAAA;AACtC,GAFwB;AAGjB,IAAMM,uBAAuB,wBAACP,QAAAA;AACnC,SAAOe,SAASf,GAAAA;AAClB,GAFoC;AAI7B,IAAMgB,wBAAwB,wBAACd,KAAiBD,aAA4B,aAAQ;AACzF,MAAIA,eAAe,WAAW;AAC5B,WAAOM,qBAAqBI,SAAST,KAAK,SAAA,CAAA;EAC5C,OAAO;AACL,WAAOM,oBAAoBG,SAAST,KAAK,QAAA,CAAA;EAC3C;AACF,GANqC;AAQ9B,IAAMM,sBAAsB,wBAACR,QAAAA;AAClC,QAAMiB,MAAMF,SAASf,GAAAA;AACrB,MAAIA,IAAIT,SAAS,aAAA,GAAgB;AAC/B,UAAME,MAAM,4DAAA;EACd,WAAW,CAACO,IAAIT,SAAS,SAAA,GAAY;AACnC,WAAO0B;EACT;AACA,QAAMC,YAAYf,SAASH,KAAK,QAAA;AAChC,QAAMmB,YAAYR,SAASO,WAAW,QAAA;AACtC,SAAOH,SAASI,SAAAA;AAClB,GAVmC;AAY5B,IAAMJ,WAAW,wBAACf,KAAaoB,cAAAA;AACpC,MAAIpB,IAAIqB,QAAQ,aAAA,KAAkB,IAAI;AACpC,UAAM5B,MAAM,yBAAyB2B,SAAAA,EAAW;EAClD;AAEA,MAAIE;AACJ,MAAIF,WAAW;AACbE,kBAActB,IAAI7B,QAAQ,IAAIoD,OAAO,qBAAqBH,YAAY,OAAA,GAAU,EAAA;AAChFE,kBAAcA,YAAYnD,QAAQ,IAAIoD,OAAO,cAAcH,YAAY,YAAA,GAAe,EAAA;EACxF,OAAO;AACLE,kBAActB,IAAI7B,QAAQ,8BAA8B,EAAA;AACxDmD,kBAAcA,YAAYnD,QAAQ,4BAA4B,EAAA;EAChE;AACA,SAAOqD,YAAYF,aAAa,WAAA;AAClC,GAdwB;AAgBjB,SAASG,YAAY5C,KAAW;AACrC,QAAM6C,cAAc7C,IACjBV,QAAQ,8BAA8B,EAAA,EACtCA,QAAQ,4BAA4B,EAAA,EACpCA,QAAQ,OAAO,EAAA;AAElB,SAAOP,WAAW8D,aAAa,WAAA;AACjC;AAPgBD;AAcT,IAAMD,cAAc,wBAACG,OAAeC,kBAAAA;AACzC,QAAMC,mBAAmBF,MAAMxD,QAAQ,0BAA0B,EAAA;AACjE,SAAON,SAASD,WAAWiE,kBAAkBD,gBAAgBA,gBAAgB,WAAA,GAAc,QAAA;AAC7F,GAH2B;AAKpB,IAAME,cAAc,wBAACH,OAAiCI,mBAAAA;AAC3D,MAAId,MAAM,OAAOU,UAAU,WAAWA,QAAQA,MAAM9D,SAAS,EAAA;AAC7D,MAAIoD,IAAIzC,SAAS,MAAM,GAAG;AACxByC,UAAM,IAAIA,GAAAA;EACZ;AACA,SAAOpD,SAASD,WAAWqD,KAAK,QAAA,GAAWc,iBAAiBA,iBAAiB,WAAA;AAC/E,GAN2B;AAQpB,IAAMtB,WAAW,wBAACQ,KAAae,SAAAA;AACpC,QAAMC,SAASH,YAAYb,KAAK,WAAA;AAChC,QAAMG,YAAYY,SAAS,YAAY,oBAAoB;AAC3D,MAAIA,SAAS,WAAW;AACtB,UAAMnD,MAAME,SAASkD,QAAQb,SAAAA;AAC7B,QAAI;AACFjB,eAAStB,GAAAA;AACT,aAAOA;IACT,SAASqD,OAAO;AACd,aAAOnD,SAASkD,QAAQ,aAAA;IAC1B;EACF;AACA,SAAOlD,SAASkD,QAAQb,SAAAA;AAC1B,GAbwB;AAejB,SAAS5B,SAASX,KAAW;AAClC,SAAOA,IAAIV,QAAQ,+CAA+C,EAAA;AACpE;AAFgBqB;AAIT,SAAST,SAASf,MAAcoD,WAA4E;AACjH,QAAMe,MAAMf,aAAa;AACzB,MAAIpD,KAAKuB,SAAS4C,GAAAA,GAAM;AAEtB,WAAOnE;EACT;AACA,QAAMoE,UAAUpE,KAAKqE,MAAM,UAAA;AAC3B,MAAI,CAACD,SAAS;AACZ,UAAM3C,MAAM,mCAAA;EACd;AACA,SAAO,cAAc0C,GAAAA;EAAaC,QAAQE,KAAK,IAAA,CAAA;WAAmBH,GAAAA;;AACpE;AAXgBpD;;;AF1KhB,IAAM,EAAEwD,UAAAA,UAAQ,IAAKC;AAWrB,IAAMC,QAAQ,wBAACC,QAAAA;AACb,MAAIA,IAAIC,WAAWD,IAAIC,QAAQC,SAAS,GAAG;AACzC,WAAOF,IAAIC;EACb;AACA,MAAID,IAAIG,KAAK;AACX,UAAMC,SAAqB,CAAA;AAC3B,QAAIJ,IAAIG,IAAIE,SAAS,KAAA,GAAQ;AAC3BD,aAAOE,KAAK,QAAQ,QAAA;IACtB,WAAWN,IAAIG,IAAIE,SAAS,KAAA,GAAQ;AAClCD,aAAOE,KAAK,WAAW,SAAA;IACzB;AACA,QAAIF,OAAOF,SAAS,GAAG;AACrB,aAAOE;IACT;EACF;AACA,MAAIJ,IAAIO,QAAQ,OAAO;AACrB,QAAIP,IAAIQ,GAAG;AACT,aAAOR,IAAIS,KAAKC,YAAAA,GAAeL,SAAS,MAAA,IAAU;QAAC;UAAa;QAAC;;IACnE;AACA,WAAOL,IAAIS,KAAKC,YAAAA,GAAeL,SAAS,MAAA,IAAU;MAAC;QAAa;MAAC;;EACnE;AAEA,SAAOL,IAAIQ,KAAKR,IAAIO,QAAQ,QAAQ;IAAC;IAAQ;IAAW;IAAU;MAAa;IAAC;;AAClF,GAvBc;AAyBP,IAAMI,kCAAkC,wBAACC,eAAAA;AAC9C,QAAMH,MAAMG,WAAWF,YAAW;AAClC,MAAIG;AACJ,MAAIJ,IAAIK,WAAW,IAAA,GAAO;AACxBD,aAAS;EACX,WAAWJ,IAAIK,WAAW,IAAA,GAAO;AAC/BD,aAAS;EACX,OAAO;AACL,UAAME,MAAM,sCAAsCH,UAAAA,EAAY;EAChE;AAEA,QAAMI,gBAAgB,OAAOP,IAAIQ,UAAU,CAAA,CAAA;AAC3C,SAAO;IAAEJ;IAAQG;EAAc;AACjC,GAb+C;AAexC,IAAME,2BAA2B,8BACtClB,KACAa,QACAG,kBAAAA;AAEA,QAAMG,WAAWH,gBAAgBA,gBAAgBhB,IAAIS,MAAM,OAAOT,IAAIS,IAAIQ,UAAU,CAAA,CAAA,KAAO;AAE3F,QAAMG,eAAsC;IAAEC,MAAMR;IAAQS,MAAMH;EAAS;AAC3E,SAAO,MAAMI,aAAa,KAAA,EAAOC,OAAOC,UAAU,OAAOzB,KAAmBoB,cAAc,OAAOrB,MAAMC,GAAAA,CAAAA;AACzG,GATwC;AAWjC,IAAM0B,sBAAsB,8BACjCb,QACAG,eACAW,kBAAAA;AAEA,QAAMR,WAAWH,gBAAgBA,gBAAgB;AAEjD,QAAMY,SAAgC;IACpCP,MAAMR;IACNS,MAAMH;IACNQ,eAAeA,gBAAgBA,gBAAgB;IAC/CE,gBAAgB,IAAIC,WAAW;MAAC;MAAG;MAAG;KAAE;EAC1C;AACA,QAAMC,WAAuBlB,WAAW,aAAaA,WAAW,sBAAsB;IAAC;IAAQ;MAAY;IAAC;IAAW;;AAEvH,QAAMmB,UAAU,MAAMT,aAAa,KAAA,EAAOC,OAAOS,YAAYL,QAAQ,MAAMG,QAAAA;AAC3E,QAAMG,QAAQ,MAAMX,aAAa,KAAA,EAAOC,OAAOW,UAAU,SAASH,QAAQI,UAAU;AAEpF,QAAMC,aAAa,IAAIP,WAAWI,KAAAA;AAClC,SAAOI,SAASzC,UAASwC,YAAY,WAAA,GAAc,iBAAA;AACrD,GApBmC;;;AGlEnC,IAAAE,OAAqB;AACrB,IAAM,EAAEC,YAAAA,aAAYC,UAAAA,UAAQ,IAAKC;AAQ1B,IAAMC,YAAN,MAAMA;EAVb,OAUaA;;;EACMC;EACAC;EAETC;EACSC;;;;;;EAOjBC,YACEF,KACAG,MACA;AACA,QAAI,OAAOH,QAAQ,UAAU;AAC3B,WAAKD,MAAMK,SAASJ,KAAKG,MAAME,UAAAA;IACjC,OAAO;AACL,WAAKN,MAAMC;IACb;AAEA,SAAKF,gBAAgBK,MAAML,iBAAiB;AAC5C,SAAKG,SAASE,MAAMF,UAAU;EAChC;EAEQK,kBAAsD;AAC5D,QAAI,KAAKL,WAAW,WAAW;AAC7B,aAAO;QAAEM,MAAM,KAAKN;QAAQO,YAAY;MAAG;IAC7C;AACA,WAAO;MAAED,MAAM,KAAKN;;IAAsC;EAC5D;EAEA,MAAcQ,SAA6B;AACzC,QAAI,CAAC,KAAKT,KAAK;AACb,WAAKA,MAAM,MAAMU,yBAAyB,KAAKX,KAAK,KAAKE,QAAQ,KAAKH,aAAa;IACrF;AACA,WAAO,KAAKE;EACd;EAEQW,eAAeC,KAAkB;AACvC,UAAMC,aAAa,IAAIC,WAAWF,GAAAA;AAClC,WAAOjB,UAASkB,YAAY,WAAA;EAC9B;EAEA,MAAaE,KAAKC,MAAmC;AACnD,UAAMC,QAAQD;AACd,UAAMhB,MAAM,MAAM,KAAKS,OAAM;AAC7B,UAAMS,YAAY,KAAKP,eAAe,MAAMQ,aAAa,KAAA,EAAOC,OAAOL,KAAK,KAAKT,gBAAe,GAAIN,KAAKiB,KAAAA,CAAAA;AACzG,QAAI,CAACC,WAAW;AACd,YAAMG,MAAM,2BAAA;IACd;AAGA,WAAOH;EACT;EAEA,MAAaI,OAAON,MAA2BE,WAAqC;AAClF,UAAMK,MAAML,UAAUM,SAAS,GAAA,IAAON,UAAUO,MAAM,GAAA,EAAK,CAAA,IAAKP;AAEhE,UAAMD,QAAQ,OAAOD,QAAQ,WAAWtB,YAAWsB,MAAM,OAAA,IAAWA;AAEpE,QAAIhB,MAAM,MAAM,KAAKS,OAAM;AAC3B,QAAI,CAACT,IAAI0B,OAAOF,SAAS,QAAA,GAAW;AAClC,YAAMG,YAAY;QAAE,GAAG,KAAK5B;MAAI;AAChC,aAAO4B,UAAUC;AACjB,aAAOD,UAAUE;AACjB,aAAOF,UAAUG;AACjB9B,YAAM,MAAMU,yBAAyBiB,WAAW,KAAK1B,QAAQ,KAAKH,aAAa;IACjF;AACA,UAAMiC,qBAAqB,MAAMZ,aAAa,KAAA,EAAOC,OAAOE,OAAO,KAAKhB,gBAAe,GAAIN,KAAKN,YAAW6B,KAAK,WAAA,GAAcN,KAAAA;AAC9H,WAAOc;EACT;AACF;;;ACnFA,yBAA0B;AAC1B,uBAAqC;AACrC,kBAAmD;AAGnD,2BAAiB;AACjB,IAAAC,gBAAmH;AACnH,sBAA0B;AAE1B,IAAAC,OAAqB;AACrB,IAAM,EAAEC,YAAAA,aAAYC,UAAAA,UAAQ,IAAKC;AAsCjC,IAAMC,sBAAsB,6BAAA;AAC1B,QAAMC,OAAO;AACbC,+BAAUD,MAAM,IAAIE,2BAAa;IAAEF;IAAMG,QAAQC,aAAa,KAAA;EAAO,CAAA,CAAA;AACrE,aAAOC,yBAAU,IAAA;AACnB,GAJ4B;AAMrB,IAAMC,qBAAqB,8BAChCC,aACAC,SAAAA;AAIA,MAAIC;AACJ,MAAI;AACFA,mBAAgB,MAAMC,kCAAkCH,WAAAA;EAC1D,SAASI,GAAG;EAAC;AACb,SAAO;IACLC,QAAQ;MAAEC,IAAIC,YAAYP,WAAAA;IAAa;IACvCQ,SAAS;MACPF,IAAIG,aAAaT,WAAAA;MACjBU,yBAAyBC,2BAA2BX,aAAa;QAAEY,YAAYX,MAAMY;MAAc,CAAA;IACrG;IACAX;IACAY,WAAWd,YAAYc,UAAUC;IACjCC,UAAUhB,YAAYgB,SAASD;EAEjC;AACF,GArBkC;AA4C3B,IAAME,+BAA+B,8BAAO,EACjDC,OAAOC,eACPC,cACAC,mBAAmB,oBAAIC,KAAAA,GACvBrB,OAAO;;EAELsB,0BAA0B;EAC1BC,wBAAwB;EACxBC,6BAA6B;EAC7BC,uBAAuB,CAAA;EACvBC,uBAAuB;AACzB,EAAC,MAMF;AAEC,SAAO,MAAMC,iCAAiC;IAC5CC,UAAU;IACVX,OAAO;SAAIC;MAAeW,QAAO;IACjCV;IACAC;IACApB;EACF,CAAA;AACF,GA1B4C;AA2B5C,IAAM2B,mCAAmC,8BAAO,EAC9CC,UACAX,OAAOC,eACPC,cACAC,kBAAkBU,UAClB9B,KAAI,MAOL;AACC,QAAMoB,mBAAyB,OAAOU,aAAa,WAAW,IAAIT,KAAKS,QAAAA,IAAYA;AACnF,QAAM,EACJR,2BAA2B,OAC3BC,yBAAyB,OACzBC,8BAA8B,MAC9BC,wBAAwB,CAAA,GACxBC,wBAAwB,OACxBK,OAAM,IACJ/B;AACJ,QAAMgC,cAAcT,0BAA0B,CAACJ,eAAe;IAACD,cAAcA,cAAce,SAAS,CAAA;MAAMd;AAE1G,MAAID,cAAce,WAAW,GAAG;AAC9B,WAAO;MACLC,OAAO;MACPC,UAAU;MACVC,SAAS;MACThB;IACF;EACF;AACA7B,sBAAAA;AAGA,QAAM0B,QAAQ,MAAMoB,QAAQC,IAAIpB,cAAcqB,IAAI,CAACC,QAAQC,iBAAiBD,GAAAA,CAAAA,CAAAA;AAC5E,QAAME,oBAAoBd,WAAW;OAAIX;MAAS;OAAIA;IAAOY,QAAO;AAEpE,QAAMc,eAAeX,cAAc,MAAMK,QAAQC,IAAIN,YAAYO,IAAI,CAACC,QAAQC,iBAAiBD,GAAAA,CAAAA,CAAAA,IAASI;AACxG,QAAMC,kBAEF,MAAMR,QAAQC,IACZb,sBAAsBc,IAAI,CAACC,QAAAA;AACzB,QAAI;AACF,aAAOC,iBAAiBD,GAAAA;IAC1B,SAASrC,GAAG;AAEV2C,cAAQC,IAAI,+CAA+CP,GAAAA,YAAerC,EAAEiC,OAAO,EAAE;AACrF,aAAOQ;IACT;EACF,CAAA,CAAA,GAEFI,OAAO,CAACC,SAAoCA,SAASL,MAAAA,KAAc,CAAA;AACvE,QAAMM,WAAWR,kBAAkB,CAAA;AAEnC,QAAMS,cAAclC,MAAMgB;AAC1B,MAAImB,mBAAkDR;AACtD,WAASS,IAAI,GAAGA,IAAIF,aAAaE,KAAK;AACpC,UAAMC,cAAcrC,MAAMoC,CAAAA;AAC1B,UAAME,eAAeF,IAAI,IAAIpC,MAAMoC,IAAI,CAAA,IAAKT;AAC5C,UAAMY,qBAAqBX,eAAeY,KAAK,CAACC,YAAYC,qBAAqBD,QAAQ3D,aAAauD,YAAYvD,WAAW,CAAA;AAC7H,QAAIyD,oBAAoB;AACtBV,cAAQC,IAAI,iHAAiH;AAC7H,aAAO;QACLb,OAAO;QACPC,UAAU;QACVC,SAAS;QACTwB,eAAe,+BAA+BJ,mBAAmBK,gBAAgBtD,QAAQF,GAAGyD,EAAE;QAC9FC,aAAaP,oBAAoBK;QACjCzC;QACA4C,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;QACtE,GAAI9B,UAAU;UAAEA;QAAO;MACzB;IACF;AACA,QAAIwB,cAAc;AAChB,UAAID,YAAYW,gBAAgB7D,WAAWmD,aAAaU,gBAAgB1D,SAAS;AAC/E,YAAI,CAACqB,YAAY,CAACF,uBAAuB;AACvC,iBAAO,MAAMC,iCAAiC;YAC5CC,UAAU;YACVX,OAAO;iBAAIC;cAAeW,QAAO;YACjC7B;YACAoB;YACAD;UACF,CAAA;QACF;AACA,eAAO;UACLe,OAAO;UACPC,UAAU;UACV6B,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;UACtEzB,SAAS,2CAA2Cc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;UAC1FF,eAAe,mBAAmBN,YAAYO,gBAAgBtD,QAAQF,GAAGyD,EAAE,gBAAgBR,YAAYW,gBAAgB7D,MAAM,+CAA+CmD,cAAcM,gBAAgBtD,QAAQF,GAAGyD,EAAAA,wBAA0BP,cAAcU,gBAAgB1D,OAAAA;UAC7Qa;UACA,GAAIW,UAAU;YAAEA;UAAO;QACzB;MACF;IACF;AACA,UAAMmC,SAAS,MAAMZ,YAAYW,gBAAgBE,OAC/C;MACEC,MAAMhD;MACNiD,WAAWd,cAAcU,iBAAiBI;IAC5C,OACAxE,yBAAAA,GAAaF,UAAUA,UAAU2E,OAAO3E,MAAM;AAEhD,QAAI,CAACuE,QAAQ;AAEX,UAAIb,KAAK,KAAK,CAACzB,YAAY,CAACF,uBAAuB;AACjD,eAAO,MAAMC,iCAAiC;UAC5CC,UAAU;UACVX,OAAO;eAAIC;YAAeW,QAAO;UACjC7B;UACAoB;UACAD;QACF,CAAA;MACF;AAEA,aAAO;QACLe,OAAO;QACPC,UAAU;QACVC,SAAS,2CAA2Cc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;QAC1FE,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;QACtED,eAAe,mCAAmCN,YAAYO,gBAAgBtD,QAAQF,GAAGyD,EAAE,gBACzFR,YAAYW,gBAAgB7D,MAAM,wBACZmE,KAAKC,UAAUlB,YAAYO,gBAAgB5D,YAAY,CAAA;QAC/EmB;QACA,GAAIW,UAAU;UAAEA;QAAO;MACzB;IACF;AAEAqB,uBAAmBA,oBAAoBT,cAAcc,KAAK,CAACC,YAAYe,kBAAkBf,QAAQO,iBAAiBX,YAAYW,eAAe,CAAA;AAE7I,QAAIZ,MAAM,KAAKF,gBAAgB,KAAK3B,6BAA6B;AAC/D,aAAO;QACLU,OAAO;QACPC,UAAU;QACVC,SAAS,uEAAuEc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;QACtHE,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;QACtEE,aAAaX,kBAAkBS;QAC/BzC;QACA,GAAIW,UAAU;UAAEA;QAAO;MACzB;IACF;EACF;AAEA,MAAIqB,kBAAkBS,mBAAmBvC,0BAA0B;AACjE,WAAO;MACLY,OAAO;MACPC,UAAU;MACVC,SAAS;MACT4B,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;MACtED,eAAeR,mBACX,wBAAwBF,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE,yCAAyCV,kBAAkBS,gBAAgBtD,QAAQF,GAAGyD,EAAAA,MACpJ,wBAAwBZ,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE,kHAAkHxC,wBAAAA;MACpLyC,aAAaX,kBAAkBS;MAC/BzC;MACA,GAAIW,UAAU;QAAEA;MAAO;IACzB;EACF;AAEA,SAAO;IACLG,OAAO;IACPC,UAAU;IACVC,SAAS,2CAA2Cc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;IAC1FE,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;IACtED,eAAe,qEACblB,kBAAkBzB,MAAMgB,SAAS,CAAA,EAAG4B,gBAAgBtD,QAAQF,GAAGyD,EAAE,aACtDpB,kBAAkB,CAAA,EAAGmB,gBAAgBtD,QAAQF,GAAGyD,EAAE;IAC/D1C;IACA,GAAIW,UAAU;MAAEA;IAAO;EACzB;AACF,GAzKyC;AA2KzC,IAAM0C,oBAAoB,wBAACC,OAAwBC,UAAAA;AACjD,SAAOD,MAAME,QAAQvF,SAAQ,MAAOsF,MAAMC,QAAQvF,SAAQ;AAC5D,GAF0B;AAI1B,IAAMwF,oBAAuCC,0BAAUC,QAAQC,6BAAAA;AACxD,IAAMC,2BAA2B,6BAAA;AACtC,SAAOJ;AACT,GAFwC;AAejC,IAAMpC,mBAAmB,8BAAOyC,YAAAA;AACrC,QAAMjB,kBAAkB,IAAIkB,4BAAgBD,OAAAA;AAC5C,QAAME,gBAAgBC,6BAAUC,MAAMrB,gBAAgBI,UAAUO,SAASW,qCAAAA;AACzE,QAAMC,eAAe,IAAIC,WAAWL,cAAcM,gBAAgB;AAClE,MAAIC,eAAgC/C;AACpC,MAAI;AACF+C,mBAAgB,MAAMzF,kCAAkC,IAAIuF,WAAWxB,gBAAgBW,OAAO,CAAA;EAChG,SAASzE,GAAQ;AACf2C,YAAQZ,MAAM/B,EAAEiC,OAAO;EACzB;AACA,QAAMrC,cAAc6F,0BAA0BV,OAAAA;AAC9C,QAAMrB,kBAAkB,MAAM/D,mBAAmBC,WAAAA;AACjD,QAAM8F,qBAAqBZ,yBAAAA,EAA2Ba,eAAeV,cAAcW,SAAS;AAC5F,SAAO;IACLF;IACAT;IACAO;IACAH;IACA3B;IACA9D;IACAkE;EACF;AACF,GAtBgC;AAgKhC,IAAM+B,SAAiC;EACrC,WAAW;EACX,YAAY;EACZ,YAAY;EACZ,WAAW;EACX,WAAW;EACX,WAAW;EACX,YAAY;EACZ,YAAY;EACZ,YAAY;EACZ,WAAW;EACX,wBAAwB;AAC1B;AAEO,IAAM1F,cAAc,wBAAC2C,SAAAA;AAC1B,SAAO;IACLa,IAAImC,YAAYhD,KAAK7C,OAAO8F,cAAc;IAC1CC,YAAYC,YAAYnD,KAAK7C,OAAO8F,cAAc;EACpD;AACF,GAL2B;AAOpB,IAAM1F,eAAe,wBAACyC,SAAAA;AAC3B,SAAO;IACLa,IAAImC,YAAYhD,KAAK1C,QAAQ2F,cAAc;IAC3CC,YAAYC,YAAYnD,KAAK1C,QAAQ2F,cAAc;EACrD;AACF,GAL4B;AAO5B,IAAME,cAAc,wBAACF,mBAAAA;AACnB,QAAMpC,KAA6B,CAAC;AACpC,aAAWuC,gBAAgBH,gBAAgB;AACzC,UAAMI,OAAON,OAAOK,aAAaC,IAAI,KAAKD,aAAaC;AACvDxC,OAAGwC,IAAAA,IAAQD,aAAavF,MAAMyF,SAAQ;EACxC;AACA,SAAOzC;AACT,GAPoB;AAQpB,IAAMmC,cAAc,wBAACC,mBAAAA;AACnB,SAAOM,OAAOC,QAAQL,YAAYF,cAAAA,CAAAA,EAC/B3D,IAAI,CAAC,CAACmE,KAAK5F,KAAAA,MAAW,GAAG4F,GAAAA,IAAO5F,KAAAA,EAAO,EACvC6F,KAAK,GAAA;AACV,GAJoB;AAMb,IAAMzG,oCAAoC,8BAAO0G,iBAAAA;AACtD,QAAMC,cACJ,OAAOD,iBAAiB,WACpBvH,UAASD,YAAWwH,cAAc,WAAA,GAAc,WAAA,IAChDA,wBAAwBnB,aACxBpG,UAASuH,cAAc,WAAA,IACvBvH,UAASD,YAAWwH,aAAavH,SAAS,QAAA,GAAW,WAAA,GAAc,WAAA;AACzE,QAAMyH,MAAMC,SAASF,WAAAA;AACrB,QAAM9G,cAAc6F,0BAA0BkB,GAAAA;AAC9C,MAAIE;AACJ,MAAI;AACF,UAAMC,aAASpH,yBAAU,IAAA,EAAMoH;AAC/B,UAAMC,KAAK,MAAMnH,YAAYoH,aAAavE,QAAWrD,oBAAAA,CAAAA;AACrDyH,UAAO,MAAMC,OAAOG,UAAU,OAAOF,EAAAA;EACvC,SAAShF,OAAY;AACnBY,YAAQC,IAAI,uCAAuCb,OAAOE,OAAAA;EAC5D;AACA,MAAI,CAAC4E,KAAK;AACR,QAAI;AACFA,YAAO,MAAMK,qBAAAA,QAAKC,MAAMR,KAAK,KAAA;IAC/B,SAAS5E,OAAY;AACnBY,cAAQC,IAAI,iDAAiDb,OAAOE,OAAAA;IACtE;EACF;AACA,MAAI,CAAC4E,KAAK;AACR,UAAMO,MAAM,sCAAsCT,GAAAA,EAAK;EACzD;AACA,SAAOE;AACT,GA5BiD;AAyC1C,IAAKQ,gCAAAA,yBAAAA,gCAAAA;;;;;SAAAA;;AAcL,IAAMC,yCAAyC,wBAAC1H,aAA0B2H,UAAkBC,mBAAAA;AACjG,QAAMC,OAAOlH,2BAA2BX,aAAa;IAAE8H,sBAAsBF;EAAe,CAAA;AAC5F,QAAMG,kBAAkBF,KAAKnE,KAAK,CAACsE,QAAQA,IAAIjH,UAAU4G,QAAAA;AACzD,MAAI,CAACI,iBAAiB;AACpB,UAAMP,MACJ,oBAAoBI,cAAAA,0EAClBnH,aAAaT,WAAAA,EAAa+D,EAAE,WACnB8D,KAAKrF,IAAI,CAACwF,QAAQA,IAAIjH,KAAK,EAAE6F,KAAK,GAAA,CAAA,EAAM;EAEvD;AACF,GAVsD;AAY/C,IAAMqB,gDAAgD,8BAC3DjI,aACA2H,UACAC,mBAAAA;AAEA,QAAMzD,SAAS;IACbhC,OAAO;IACPC,UAAU;IACVC,SAAS,aAAasF,QAAAA,gDAAwDC,cAAAA;IAC9E5F,QAAQ;MACN2F;MACAC;IACF;IACA3D,kBAAkB;MAAC,MAAMlE,mBAAmBC,WAAAA;;IAC5CqB,kBAAkB,oBAAIC,KAAAA;EACxB;AACA,MAAI;AACFoG,2CAAuC1H,aAAa2H,UAAUC,cAAAA;EAChE,SAASzF,OAAO;AACd,WAAOgC;EACT;AACAA,SAAOhC,QAAQ;AACfgC,SAAO9B,UAAU,aAAasF,QAAAA,4CAAoDC,cAAAA;AAClF,SAAOzD;AACT,GAxB6D;AA0BtD,IAAMxD,6BAA6B,wBACxCX,aACAC,SAAAA;AAMA,MAAIW;AACJ,MAAIX,MAAM6H,sBAAsB;AAC9BlH,iBACEX,KAAK6H,yBAAyB,iBAC1B;;QACA;;;EACR,WAAW7H,MAAMW,YAAY;AAC3BA,iBAAasH,MAAMC,QAAQlI,KAAKW,UAAU,IAAIX,KAAKW,aAAa;MAACX,KAAKW;;EACxE,OAAO;AACLA,iBAAa;;;;EACf;AACA,QAAMwH,cAAcpI,YAAYqI,YAAY3E,KAAK,CAAC4E,QAAQA,IAAIC,WAAWC,+BAAAA,GAAoBJ;AAC7F,MAAI,CAACA,aAAa;AAChB,WAAO,CAAA;EACT;AACA,QAAMK,WAAWL,YAAYM,OAAM,EAAGD;AACtC,SAAOA,SACJxF,OAAO,CAAC0F,YAAY/H,WAAWgI,SAASD,QAAQpC,IAAI,CAAA,EACpD/D,IAAI,CAACmG,YAAAA;AACJ,WAAO;MAAEpC,MAAMoC,QAAQpC;MAAMxF,OAAO4H,QAAQ5H;IAAM;EACpD,CAAA;AACJ,GA7B0C;","names":["JwkKeyUse","u8a","globalCrypto","setGlobal","suppliedCrypto","webcrypto","crypto","global","window","subtle","require","fromString","toString","u8a","pemCertChainTox5c","cert","maxDepth","intermediate","replace","x5c","split","filter","c","length","splice","x5cToPemCertChain","Math","min","pem","i","derToPEM","pemOrDerToX509Certificate","DER","undefined","Uint8Array","Certificate","fromBER","rawData","includes","PEMToDer","Error","areCertificatesEqual","cert1","cert2","signatureValue","isEqual","toKeyObject","PEM","visibility","jwk","PEMToJwk","keyVisibility","d","keyHex","privateKeyHexFromPEM","publicKeyHexFromPEM","hexToPEM","keyType","jwkToPEM","keyto","from","toJwk","PEMToHex","hexKeyFromPEMBasedJwk","hex","publicJwk","publicPEM","headerKey","indexOf","strippedPem","RegExp","base64ToHex","PEMToBinary","pemContents","input","inputEncoding","base64NoNewlines","hexToBase64","targetEncoding","type","base64","error","key","matches","match","join","toString","u8a","usage","jwk","key_ops","length","use","usages","includes","push","kty","d","alg","toUpperCase","signAlgorithmToSchemeAndHashAlg","signingAlg","scheme","startsWith","Error","hashAlgorithm","substring","cryptoSubtleImportRSAKey","hashName","importParams","name","hash","globalCrypto","subtle","importKey","generateRSAKeyAsPEM","modulusLength","params","publicExponent","Uint8Array","keyUsage","keypair","generateKey","pkcs8","exportKey","privateKey","uint8Array","derToPEM","u8a","fromString","toString","u8a","RSASigner","hashAlgorithm","jwk","key","scheme","constructor","opts","PEMToJwk","visibility","getImportParams","name","saltLength","getKey","cryptoSubtleImportRSAKey","bufferToString","buf","uint8Array","Uint8Array","sign","data","input","signature","globalCrypto","subtle","Error","verify","jws","includes","split","usages","verifyJwk","d","use","key_ops","verificationResult","import_pkijs","u8a","fromString","toString","u8a","defaultCryptoEngine","name","setEngine","CryptoEngine","crypto","globalCrypto","getCrypto","getCertificateInfo","certificate","opts","publicKeyJWK","getCertificateSubjectPublicKeyJWK","e","issuer","dn","getIssuerDN","subject","getSubjectDN","subjectAlternativeNames","getSubjectAlternativeNames","typeFilter","sanTypeFilter","notBefore","value","notAfter","validateX509CertificateChain","chain","pemOrDerChain","trustAnchors","verificationTime","Date","allowNoTrustAnchorsFound","trustRootWhenNoAnchors","allowSingleNoCAChainElement","blindlyTrustedAnchors","disallowReversedChain","validateX509CertificateChainImpl","reversed","reverse","verifyAt","client","trustedPEMs","length","error","critical","message","Promise","all","map","raw","parseCertificate","x5cOrdereredChain","trustedCerts","undefined","blindlyTrusted","console","log","filter","cert","leafCert","chainLength","foundTrustAnchor","i","currentCert","previousCert","blindlyTrustedCert","find","trusted","areCertificatesEqual","detailMessage","certificateInfo","DN","trustAnchor","certificateChain","x509Certificate","result","verify","date","publicKey","global","JSON","stringify","isSameCertificate","cert1","cert2","rawData","algorithmProvider","container","resolve","AlgorithmProvider","getX509AlgorithmProvider","rawCert","X509Certificate","publicKeyInfo","AsnParser","parse","SubjectPublicKeyInfo","publicKeyRaw","Uint8Array","subjectPublicKey","publicKeyJwk","pemOrDerToX509Certificate","publicKeyAlgorithm","toWebAlgorithm","algorithm","rdnmap","getDNString","typesAndValues","attributes","getDNObject","typeAndValue","type","getValue","Object","entries","key","join","pemOrDerCert","pemOrDerStr","pem","derToPEM","jwk","subtle","pk","getPublicKey","exportKey","x509","toJwk","Error","SubjectAlternativeGeneralName","assertCertificateMatchesClientIdScheme","clientId","clientIdScheme","sans","clientIdSchemeFilter","clientIdMatches","san","validateCertificateChainMatchesClientIdScheme","Array","isArray","parsedValue","extensions","ext","extnID","id_SubjectAltName","altNames","toJSON","altName","includes"]}
package/dist/index.js CHANGED
@@ -15,7 +15,7 @@ var JwkKeyUse = /* @__PURE__ */ function(JwkKeyUse2) {
15
15
  }({});
16
16
 
17
17
  // src/x509/rsa-key.ts
18
- import { toString as toString2 } from "uint8arrays/to-string";
18
+ import * as u8a2 from "uint8arrays";
19
19
 
20
20
  // src/x509/crypto.ts
21
21
  var globalCrypto = /* @__PURE__ */ __name((setGlobal, suppliedCrypto) => {
@@ -41,9 +41,9 @@ var globalCrypto = /* @__PURE__ */ __name((setGlobal, suppliedCrypto) => {
41
41
 
42
42
  // src/x509/x509-utils.ts
43
43
  import { Certificate } from "pkijs";
44
- import { fromString } from "uint8arrays/from-string";
45
- import { toString } from "uint8arrays/to-string";
44
+ import * as u8a from "uint8arrays";
46
45
  import keyto from "@trust/keyto";
46
+ var { fromString, toString } = u8a;
47
47
  function pemCertChainTox5c(cert, maxDepth) {
48
48
  if (!maxDepth) {
49
49
  maxDepth = 0;
@@ -190,6 +190,7 @@ ${matches.join("\n")}
190
190
  __name(derToPEM, "derToPEM");
191
191
 
192
192
  // src/x509/rsa-key.ts
193
+ var { toString: toString2 } = u8a2;
193
194
  var usage = /* @__PURE__ */ __name((jwk) => {
194
195
  if (jwk.key_ops && jwk.key_ops.length > 0) {
195
196
  return jwk.key_ops;
@@ -278,8 +279,8 @@ var generateRSAKeyAsPEM = /* @__PURE__ */ __name(async (scheme, hashAlgorithm, m
278
279
  }, "generateRSAKeyAsPEM");
279
280
 
280
281
  // src/x509/rsa-signer.ts
281
- import { fromString as fromString2 } from "uint8arrays/from-string";
282
- import { toString as toString3 } from "uint8arrays/to-string";
282
+ import * as u8a3 from "uint8arrays";
283
+ var { fromString: fromString2, toString: toString3 } = u8a3;
283
284
  var RSASigner = class {
284
285
  static {
285
286
  __name(this, "RSASigner");
@@ -358,8 +359,8 @@ import { AlgorithmProvider, X509Certificate } from "@peculiar/x509";
358
359
  import x509 from "js-x509-utils";
359
360
  import { CryptoEngine, getCrypto, id_SubjectAltName, setEngine } from "pkijs";
360
361
  import { container } from "tsyringe";
361
- import { fromString as fromString3 } from "uint8arrays/from-string";
362
- import { toString as toString4 } from "uint8arrays/to-string";
362
+ import * as u8a4 from "uint8arrays";
363
+ var { fromString: fromString3, toString: toString4 } = u8a4;
363
364
  var defaultCryptoEngine = /* @__PURE__ */ __name(() => {
364
365
  const name = "crypto";
365
366
  setEngine(name, new CryptoEngine({
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/types/index.ts","../src/x509/rsa-key.ts","../src/x509/crypto.ts","../src/x509/x509-utils.ts","../src/x509/rsa-signer.ts","../src/x509/x509-validator.ts"],"sourcesContent":["export enum JwkKeyUse {\n Encryption = 'enc',\n Signature = 'sig',\n}\n\nexport type HashAlgorithm = 'SHA-256' | 'SHA-512'\n\nexport type KeyVisibility = 'public' | 'private'\n\nexport interface X509Opts {\n cn?: string // The certificate Common Name. Will be used as the KID for the private key. Uses alias if not provided.\n privateKeyPEM?: string // Optional as you also need to provide it in hex format, but advisable to use it\n certificatePEM?: string // Optional, as long as the certificate then is part of the certificateChainPEM\n certificateChainURL?: string // Certificate chain URL. If used this is where the certificateChainPEM will be hosted/found.\n certificateChainPEM?: string // Base64 (not url!) encoded DER certificate chain. Please provide even if certificateChainURL is used!\n}\n","// @ts-ignore\nimport { KeyUsage, CryptoKey, RsaHashedImportParams, RsaHashedKeyGenParams } from 'node'\n\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { HashAlgorithm } from '../types'\nimport { globalCrypto } from './crypto'\n\nimport { derToPEM } from './x509-utils'\nimport { JsonWebKey } from '@sphereon/ssi-types'\n\nexport type RSASignatureSchemes = 'RSASSA-PKCS1-V1_5' | 'RSA-PSS'\n\nexport type RSAEncryptionSchemes = 'RSAES-PKCS-v1_5 ' | 'RSAES-OAEP'\n\nconst usage = (jwk: JsonWebKey): KeyUsage[] => {\n if (jwk.key_ops && jwk.key_ops.length > 0) {\n return jwk.key_ops as KeyUsage[]\n }\n if (jwk.use) {\n const usages: KeyUsage[] = []\n if (jwk.use.includes('sig')) {\n usages.push('sign', 'verify')\n } else if (jwk.use.includes('enc')) {\n usages.push('encrypt', 'decrypt')\n }\n if (usages.length > 0) {\n return usages\n }\n }\n if (jwk.kty === 'RSA') {\n if (jwk.d) {\n return jwk.alg?.toUpperCase()?.includes('QAEP') ? ['encrypt'] : ['sign']\n }\n return jwk.alg?.toUpperCase()?.includes('QAEP') ? ['decrypt'] : ['verify']\n }\n // \"decrypt\" | \"deriveBits\" | \"deriveKey\" | \"encrypt\" | \"sign\" | \"unwrapKey\" | \"verify\" | \"wrapKey\";\n return jwk.d && jwk.kty !== 'RSA' ? ['sign', 'decrypt', 'verify', 'encrypt'] : ['verify']\n}\n\nexport const signAlgorithmToSchemeAndHashAlg = (signingAlg: string) => {\n const alg = signingAlg.toUpperCase()\n let scheme: RSAEncryptionSchemes | RSASignatureSchemes\n if (alg.startsWith('RS')) {\n scheme = 'RSASSA-PKCS1-V1_5'\n } else if (alg.startsWith('PS')) {\n scheme = 'RSA-PSS'\n } else {\n throw Error(`Invalid signing algorithm supplied ${signingAlg}`)\n }\n\n const hashAlgorithm = `SHA-${alg.substring(2)}` as HashAlgorithm\n return { scheme, hashAlgorithm }\n}\n\nexport const cryptoSubtleImportRSAKey = async (\n jwk: JsonWebKey,\n scheme: RSAEncryptionSchemes | RSASignatureSchemes,\n hashAlgorithm?: HashAlgorithm\n): Promise<CryptoKey> => {\n const hashName = hashAlgorithm ? hashAlgorithm : jwk.alg ? `SHA-${jwk.alg.substring(2)}` : 'SHA-256'\n\n const importParams: RsaHashedImportParams = { name: scheme, hash: hashName }\n return await globalCrypto(false).subtle.importKey('jwk', jwk as JsonWebKey, importParams, false, usage(jwk))\n}\n\nexport const generateRSAKeyAsPEM = async (\n scheme: RSAEncryptionSchemes | RSASignatureSchemes,\n hashAlgorithm?: HashAlgorithm,\n modulusLength?: number\n): Promise<string> => {\n const hashName = hashAlgorithm ? hashAlgorithm : 'SHA-256'\n\n const params: RsaHashedKeyGenParams = {\n name: scheme,\n hash: hashName,\n modulusLength: modulusLength ? modulusLength : 2048,\n publicExponent: new Uint8Array([1, 0, 1]),\n }\n const keyUsage: KeyUsage[] = scheme === 'RSA-PSS' || scheme === 'RSASSA-PKCS1-V1_5' ? ['sign', 'verify'] : ['encrypt', 'decrypt']\n\n const keypair = await globalCrypto(false).subtle.generateKey(params, true, keyUsage)\n const pkcs8 = await globalCrypto(false).subtle.exportKey('pkcs8', keypair.privateKey)\n\n const uint8Array = new Uint8Array(pkcs8)\n return derToPEM(toString(uint8Array, 'base64pad'), 'RSA PRIVATE KEY')\n}\n","import { webcrypto } from 'node:crypto'\nexport const globalCrypto = (setGlobal: boolean, suppliedCrypto?: webcrypto.Crypto): webcrypto.Crypto => {\n let webcrypto: webcrypto.Crypto\n if (typeof suppliedCrypto !== 'undefined') {\n webcrypto = suppliedCrypto\n } else if (typeof crypto !== 'undefined') {\n webcrypto = crypto\n } else if (typeof global.crypto !== 'undefined') {\n webcrypto = global.crypto\n } else {\n // @ts-ignore\n if (typeof global.window?.crypto?.subtle !== 'undefined') {\n // @ts-ignore\n webcrypto = global.window.crypto\n } else {\n // @ts-ignore\n webcrypto = require('crypto') as webcrypto.Crypto\n }\n }\n if (setGlobal) {\n global.crypto = webcrypto\n }\n\n return webcrypto\n}\n","import { X509Certificate } from '@peculiar/x509'\nimport { Certificate } from 'pkijs'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\n// @ts-ignore\nimport keyto from '@trust/keyto'\nimport { KeyVisibility } from '../types'\n\nimport { JsonWebKey } from '@sphereon/ssi-types'\n// Based on (MIT licensed):\n// https://github.com/hildjj/node-posh/blob/master/lib/index.js\nexport function pemCertChainTox5c(cert: string, maxDepth?: number): string[] {\n if (!maxDepth) {\n maxDepth = 0\n }\n /*\n * Convert a PEM-encoded certificate to the version used in the x5c element\n * of a [JSON Web Key](http://tools.ietf.org/html/draft-ietf-jose-json-web-key).\n *\n * `cert` PEM-encoded certificate chain\n * `maxdepth` The maximum number of certificates to use from the chain.\n */\n\n const intermediate = cert\n .replace(/-----[^\\n]+\\n?/gm, ',')\n .replace(/\\n/g, '')\n .replace(/\\r/g, '')\n let x5c = intermediate.split(',').filter(function (c) {\n return c.length > 0\n })\n if (maxDepth > 0) {\n x5c = x5c.splice(0, maxDepth)\n }\n return x5c\n}\n\nexport function x5cToPemCertChain(x5c: string[], maxDepth?: number): string {\n if (!maxDepth) {\n maxDepth = 0\n }\n const length = maxDepth === 0 ? x5c.length : Math.min(maxDepth, x5c.length)\n let pem = ''\n for (let i = 0; i < length; i++) {\n pem += derToPEM(x5c[i], 'CERTIFICATE')\n }\n return pem\n}\n\nexport const pemOrDerToX509Certificate = (cert: string | Uint8Array | X509Certificate): Certificate => {\n let DER: string | undefined = typeof cert === 'string' ? cert : undefined\n if (typeof cert === 'object' && !(cert instanceof Uint8Array)) {\n // X509Certificate object\n return Certificate.fromBER(cert.rawData)\n } else if (typeof cert !== 'string') {\n return Certificate.fromBER(cert)\n } else if (cert.includes('CERTIFICATE')) {\n DER = PEMToDer(cert)\n }\n if (!DER) {\n throw Error('Invalid cert input value supplied. PEM, DER, Bytes and X509Certificate object are supported')\n }\n return Certificate.fromBER(fromString(DER, 'base64pad'))\n}\n\nexport const areCertificatesEqual = (cert1: Certificate, cert2: Certificate): boolean => {\n return cert1.signatureValue.isEqual(cert2.signatureValue)\n}\n\nexport const toKeyObject = (PEM: string, visibility: KeyVisibility = 'public') => {\n const jwk = PEMToJwk(PEM, visibility)\n const keyVisibility: KeyVisibility = jwk.d ? 'private' : 'public'\n const keyHex = keyVisibility === 'private' ? privateKeyHexFromPEM(PEM) : publicKeyHexFromPEM(PEM)\n\n return {\n pem: hexToPEM(keyHex, visibility),\n jwk,\n keyHex,\n keyType: keyVisibility,\n }\n}\n\nexport const jwkToPEM = (jwk: JsonWebKey, visibility: KeyVisibility = 'public'): string => {\n return keyto.from(jwk, 'jwk').toString('pem', visibility === 'public' ? 'public_pkcs8' : 'private_pkcs8')\n}\n\nexport const PEMToJwk = (pem: string, visibility: KeyVisibility = 'public'): JsonWebKey => {\n return keyto.from(pem, 'pem').toJwk(visibility)\n}\nexport const privateKeyHexFromPEM = (PEM: string) => {\n return PEMToHex(PEM)\n}\n\nexport const hexKeyFromPEMBasedJwk = (jwk: JsonWebKey, visibility: KeyVisibility = 'public'): string => {\n if (visibility === 'private') {\n return privateKeyHexFromPEM(jwkToPEM(jwk, 'private'))\n } else {\n return publicKeyHexFromPEM(jwkToPEM(jwk, 'public'))\n }\n}\n\nexport const publicKeyHexFromPEM = (PEM: string) => {\n const hex = PEMToHex(PEM)\n if (PEM.includes('CERTIFICATE')) {\n throw Error('Cannot directly deduce public Key from PEM Certificate yet')\n } else if (!PEM.includes('PRIVATE')) {\n return hex\n }\n const publicJwk = PEMToJwk(PEM, 'public')\n const publicPEM = jwkToPEM(publicJwk, 'public')\n return PEMToHex(publicPEM)\n}\n\nexport const PEMToHex = (PEM: string, headerKey?: string): string => {\n if (PEM.indexOf('-----BEGIN ') == -1) {\n throw Error(`PEM header not found: ${headerKey}`)\n }\n\n let strippedPem: string\n if (headerKey) {\n strippedPem = PEM.replace(new RegExp('^[^]*-----BEGIN ' + headerKey + '-----'), '')\n strippedPem = strippedPem.replace(new RegExp('-----END ' + headerKey + '-----[^]*$'), '')\n } else {\n strippedPem = PEM.replace(/^[^]*-----BEGIN [^-]+-----/, '')\n strippedPem = strippedPem.replace(/-----END [^-]+-----[^]*$/, '')\n }\n return base64ToHex(strippedPem, 'base64pad')\n}\n\nexport function PEMToBinary(pem: string): Uint8Array {\n const pemContents = pem\n .replace(/^[^]*-----BEGIN [^-]+-----/, '')\n .replace(/-----END [^-]+-----[^]*$/, '')\n .replace(/\\s/g, '')\n\n return fromString(pemContents, 'base64pad')\n}\n\n/**\n * Converts a base64 encoded string to hex string, removing any non-base64 characters, including newlines\n * @param input The input in base64, with optional newlines\n * @param inputEncoding\n */\nexport const base64ToHex = (input: string, inputEncoding?: 'base64' | 'base64pad' | 'base64url' | 'base64urlpad') => {\n const base64NoNewlines = input.replace(/[^0-9A-Za-z_\\-~\\/+=]*/g, '')\n return toString(fromString(base64NoNewlines, inputEncoding ? inputEncoding : 'base64pad'), 'base16')\n}\n\nexport const hexToBase64 = (input: number | object | string, targetEncoding?: 'base64' | 'base64pad' | 'base64url' | 'base64urlpad'): string => {\n let hex = typeof input === 'string' ? input : input.toString(16)\n if (hex.length % 2 === 1) {\n hex = `0${hex}`\n }\n return toString(fromString(hex, 'base16'), targetEncoding ? targetEncoding : 'base64pad')\n}\n\nexport const hexToPEM = (hex: string, type: KeyVisibility): string => {\n const base64 = hexToBase64(hex, 'base64pad')\n const headerKey = type === 'private' ? 'RSA PRIVATE KEY' : 'PUBLIC KEY'\n if (type === 'private') {\n const pem = derToPEM(base64, headerKey)\n try {\n PEMToJwk(pem) // We only use it to test the private key\n return pem\n } catch (error) {\n return derToPEM(base64, 'PRIVATE KEY')\n }\n }\n return derToPEM(base64, headerKey)\n}\n\nexport function PEMToDer(pem: string): string {\n return pem.replace(/(-----(BEGIN|END) CERTIFICATE-----|[\\n\\r])/g, '')\n}\n\nexport function derToPEM(cert: string, headerKey?: 'PUBLIC KEY' | 'RSA PRIVATE KEY' | 'PRIVATE KEY' | 'CERTIFICATE'): string {\n const key = headerKey ?? 'CERTIFICATE'\n if (cert.includes(key)) {\n // Was already in PEM it seems\n return cert\n }\n const matches = cert.match(/.{1,64}/g)\n if (!matches) {\n throw Error('Invalid cert input value supplied')\n }\n return `-----BEGIN ${key}-----\\n${matches.join('\\n')}\\n-----END ${key}-----\\n`\n}\n","// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { HashAlgorithm, KeyVisibility } from '../types'\nimport { globalCrypto } from './crypto'\nimport { cryptoSubtleImportRSAKey, RSAEncryptionSchemes, RSASignatureSchemes } from './rsa-key'\nimport { PEMToJwk } from './x509-utils'\nimport { JsonWebKey } from '@sphereon/ssi-types'\n// @ts-ignore\nimport { CryptoKey, RsaPssParams, AlgorithmIdentifier } from 'node'\nexport class RSASigner {\n private readonly hashAlgorithm: HashAlgorithm\n private readonly jwk: JsonWebKey\n\n private key: CryptoKey | undefined\n private readonly scheme: RSAEncryptionSchemes | RSASignatureSchemes\n\n /**\n *\n * @param key Either in PEM or JWK format (no raw hex keys here!)\n * @param opts The algorithm and signature/encryption schemes\n */\n constructor(\n key: string | JsonWebKey,\n opts?: { hashAlgorithm?: HashAlgorithm; scheme?: RSAEncryptionSchemes | RSASignatureSchemes; visibility?: KeyVisibility }\n ) {\n if (typeof key === 'string') {\n this.jwk = PEMToJwk(key, opts?.visibility)\n } else {\n this.jwk = key\n }\n\n this.hashAlgorithm = opts?.hashAlgorithm ?? 'SHA-256'\n this.scheme = opts?.scheme ?? 'RSA-PSS'\n }\n\n private getImportParams(): AlgorithmIdentifier | RsaPssParams {\n if (this.scheme === 'RSA-PSS') {\n return { name: this.scheme, saltLength: 32 }\n }\n return { name: this.scheme /*, hash: this.hashAlgorithm*/ }\n }\n\n private async getKey(): Promise<CryptoKey> {\n if (!this.key) {\n this.key = await cryptoSubtleImportRSAKey(this.jwk, this.scheme, this.hashAlgorithm)\n }\n return this.key\n }\n\n private bufferToString(buf: ArrayBuffer) {\n const uint8Array = new Uint8Array(buf)\n return toString(uint8Array, 'base64url') // Needs to be base64url for JsonWebSignature2020. Don't change!\n }\n\n public async sign(data: Uint8Array): Promise<string> {\n const input = data\n const key = await this.getKey()\n const signature = this.bufferToString(await globalCrypto(false).subtle.sign(this.getImportParams(), key, input))\n if (!signature) {\n throw Error('Could not sign input data')\n }\n\n // base64url signature\n return signature\n }\n\n public async verify(data: string | Uint8Array, signature: string): Promise<boolean> {\n const jws = signature.includes('.') ? signature.split('.')[2] : signature\n\n const input = typeof data == 'string' ? fromString(data, 'utf-8') : data\n\n let key = await this.getKey()\n if (!key.usages.includes('verify')) {\n const verifyJwk = { ...this.jwk }\n delete verifyJwk.d\n delete verifyJwk.use\n delete verifyJwk.key_ops\n key = await cryptoSubtleImportRSAKey(verifyJwk, this.scheme, this.hashAlgorithm)\n }\n const verificationResult = await globalCrypto(false).subtle.verify(this.getImportParams(), key, fromString(jws, 'base64url'), input)\n return verificationResult\n }\n}\n","import { AsnParser } from '@peculiar/asn1-schema'\nimport { SubjectPublicKeyInfo } from '@peculiar/asn1-x509'\nimport { AlgorithmProvider, X509Certificate } from '@peculiar/x509'\n// import {calculateJwkThumbprint} from \"@sphereon/ssi-sdk-ext.key-utils\";\nimport { JWK } from '@sphereon/ssi-types'\nimport x509 from 'js-x509-utils'\nimport { AltName, AttributeTypeAndValue, Certificate, CryptoEngine, getCrypto, id_SubjectAltName, setEngine } from 'pkijs'\nimport { container } from 'tsyringe'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\n// @ts-ignore\nimport { toString } from 'uint8arrays/to-string'\nimport { globalCrypto } from './crypto'\nimport { areCertificatesEqual, derToPEM, pemOrDerToX509Certificate } from './x509-utils'\n\nexport type DNInfo = {\n DN: string\n attributes: Record<string, string>\n}\n\nexport type CertificateInfo = {\n certificate?: any // We need to fix the schema generator for this to be Certificate(Json) from pkijs\n notBefore: Date\n notAfter: Date\n publicKeyJWK?: any\n issuer: {\n dn: DNInfo\n }\n subject: {\n dn: DNInfo\n subjectAlternativeNames: SubjectAlternativeName[]\n }\n}\n\nexport type X509ValidationResult = {\n error: boolean\n critical: boolean\n message: string\n detailMessage?: string\n verificationTime: Date\n certificateChain?: Array<CertificateInfo>\n trustAnchor?: CertificateInfo\n client?: {\n // In case client id and scheme were passed in we return them for easy access. It means they are validated\n clientId: string\n clientIdScheme: ClientIdScheme\n }\n}\n\nconst defaultCryptoEngine = () => {\n const name = 'crypto'\n setEngine(name, new CryptoEngine({ name, crypto: globalCrypto(false) }))\n return getCrypto(true)\n}\n\nexport const getCertificateInfo = async (\n certificate: Certificate,\n opts?: {\n sanTypeFilter: SubjectAlternativeGeneralName | SubjectAlternativeGeneralName[]\n }\n): Promise<CertificateInfo> => {\n let publicKeyJWK: JWK | undefined\n try {\n publicKeyJWK = (await getCertificateSubjectPublicKeyJWK(certificate)) as JWK\n } catch (e) {}\n return {\n issuer: { dn: getIssuerDN(certificate) },\n subject: {\n dn: getSubjectDN(certificate),\n subjectAlternativeNames: getSubjectAlternativeNames(certificate, { typeFilter: opts?.sanTypeFilter }),\n },\n publicKeyJWK,\n notBefore: certificate.notBefore.value,\n notAfter: certificate.notAfter.value,\n // certificate\n } satisfies CertificateInfo\n}\n\nexport type X509CertificateChainValidationOpts = {\n // If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)\n allowNoTrustAnchorsFound?: boolean\n\n // Trust the supplied root from the chain, when no anchors are being passed in.\n trustRootWhenNoAnchors?: boolean\n // Do not perform a chain validation check if the chain only has a single value. This means only the certificate itself will be validated. No chain checks for CA certs will be performed. Only used when the cert has no issuer\n allowSingleNoCAChainElement?: boolean\n // WARNING: Do not use in production\n // Similar to regular trust anchors, but no validation is performed whatsoever. Do not use in production settings! Can be handy with self generated certificates as we perform many validations, making it hard to test with self-signed certs. Only applied in case a chain with 1 element is passed in to really make sure people do not abuse this option\n blindlyTrustedAnchors?: string[]\n\n disallowReversedChain?: boolean\n\n client?: {\n // If provided both are required. Validates the leaf certificate against the clientId and scheme\n clientId: string\n clientIdScheme: ClientIdScheme\n }\n}\n\nexport const validateX509CertificateChain = async ({\n chain: pemOrDerChain,\n trustAnchors,\n verificationTime = new Date(),\n opts = {\n // If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)\n allowNoTrustAnchorsFound: false,\n trustRootWhenNoAnchors: false,\n allowSingleNoCAChainElement: true,\n blindlyTrustedAnchors: [],\n disallowReversedChain: false,\n },\n}: {\n chain: (Uint8Array | string)[]\n trustAnchors?: string[]\n verificationTime?: Date\n opts?: X509CertificateChainValidationOpts\n}): Promise<X509ValidationResult> => {\n // We allow 1 reversal. We reverse by default as the implementation expects the root ca first, whilst x5c is the opposite. Reversed becomes true if the impl reverses the chain\n return await validateX509CertificateChainImpl({\n reversed: false,\n chain: [...pemOrDerChain].reverse(),\n trustAnchors,\n verificationTime,\n opts,\n })\n}\nconst validateX509CertificateChainImpl = async ({\n reversed,\n chain: pemOrDerChain,\n trustAnchors,\n verificationTime: verifyAt,\n opts,\n}: {\n reversed: boolean\n chain: (Uint8Array | string)[]\n trustAnchors?: string[]\n verificationTime: Date | string // string for REST API\n opts: X509CertificateChainValidationOpts\n}): Promise<X509ValidationResult> => {\n const verificationTime: Date = typeof verifyAt === 'string' ? new Date(verifyAt) : verifyAt\n const {\n allowNoTrustAnchorsFound = false,\n trustRootWhenNoAnchors = false,\n allowSingleNoCAChainElement = true,\n blindlyTrustedAnchors = [],\n disallowReversedChain = false,\n client,\n } = opts\n const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors\n\n if (pemOrDerChain.length === 0) {\n return {\n error: true,\n critical: true,\n message: 'Certificate chain in DER or PEM format must not be empty',\n verificationTime,\n }\n }\n defaultCryptoEngine()\n\n // x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around. Before calling this function the change has been revered\n const chain = await Promise.all(pemOrDerChain.map((raw) => parseCertificate(raw)))\n const x5cOrdereredChain = reversed ? [...chain] : [...chain].reverse()\n\n const trustedCerts = trustedPEMs ? await Promise.all(trustedPEMs.map((raw) => parseCertificate(raw))) : undefined\n const blindlyTrusted =\n (\n await Promise.all(\n blindlyTrustedAnchors.map((raw) => {\n try {\n return parseCertificate(raw)\n } catch (e) {\n // @ts-ignore\n console.log(`Failed to parse blindly trusted certificate ${raw}. Error: ${e.message}`)\n return undefined\n }\n })\n )\n ).filter((cert): cert is ParsedCertificate => cert !== undefined) ?? []\n const leafCert = x5cOrdereredChain[0]\n\n const chainLength = chain.length\n var foundTrustAnchor: ParsedCertificate | undefined = undefined\n for (let i = 0; i < chainLength; i++) {\n const currentCert = chain[i]\n const previousCert = i > 0 ? chain[i - 1] : undefined\n const blindlyTrustedCert = blindlyTrusted.find((trusted) => areCertificatesEqual(trusted.certificate, currentCert.certificate))\n if (blindlyTrustedCert) {\n console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)\n return {\n error: false,\n critical: false,\n message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,\n detailMessage: `Blindly trusted certificate ${blindlyTrustedCert.certificateInfo.subject.dn.DN} was found in the chain.`,\n trustAnchor: blindlyTrustedCert?.certificateInfo,\n verificationTime,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n ...(client && { client }),\n }\n }\n if (previousCert) {\n if (currentCert.x509Certificate.issuer !== previousCert.x509Certificate.subject) {\n if (!reversed && !disallowReversedChain) {\n return await validateX509CertificateChainImpl({\n reversed: true,\n chain: [...pemOrDerChain].reverse(),\n opts,\n verificationTime,\n trustAnchors,\n })\n }\n return {\n error: true,\n critical: true,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,\n detailMessage: `The certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer}, is not signed by the previous certificate ${previousCert?.certificateInfo.subject.dn.DN} with subject string ${previousCert?.x509Certificate.subject}.`,\n verificationTime,\n ...(client && { client }),\n }\n }\n }\n const result = await currentCert.x509Certificate.verify(\n {\n date: verificationTime,\n publicKey: previousCert?.x509Certificate?.publicKey,\n },\n getCrypto()?.crypto ?? crypto ?? global.crypto\n )\n if (!result) {\n // First cert needs to be self signed\n if (i == 0 && !reversed && !disallowReversedChain) {\n return await validateX509CertificateChainImpl({\n reversed: true,\n chain: [...pemOrDerChain].reverse(),\n opts,\n verificationTime,\n trustAnchors,\n })\n }\n\n return {\n error: true,\n critical: true,\n message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n detailMessage: `Verification of the certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${\n currentCert.x509Certificate.issuer\n } failed. Public key: ${JSON.stringify(currentCert.certificateInfo.publicKeyJWK)}.`,\n verificationTime,\n ...(client && { client }),\n }\n }\n\n foundTrustAnchor = foundTrustAnchor ?? trustedCerts?.find((trusted) => isSameCertificate(trusted.x509Certificate, currentCert.x509Certificate))\n\n if (i === 0 && chainLength === 1 && allowSingleNoCAChainElement) {\n return {\n error: false,\n critical: false,\n message: `Certificate chain succeeded as allow single cert result is allowed: ${leafCert.certificateInfo.subject.dn.DN}.`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n trustAnchor: foundTrustAnchor?.certificateInfo,\n verificationTime,\n ...(client && { client }),\n }\n }\n }\n\n if (foundTrustAnchor?.certificateInfo || allowNoTrustAnchorsFound) {\n return {\n error: false,\n critical: false,\n message: `Certificate chain was valid`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n detailMessage: foundTrustAnchor\n ? `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} is part of a chain with trust anchor ${foundTrustAnchor?.certificateInfo.subject.dn.DN}.`\n : `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} and chain were valid, but no trust anchor has been found. Ignoring as user allowed (allowNoTrustAnchorsFound: ${allowNoTrustAnchorsFound}).)`,\n trustAnchor: foundTrustAnchor?.certificateInfo,\n verificationTime,\n ...(client && { client }),\n }\n }\n\n return {\n error: true,\n critical: true,\n message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n detailMessage: `No trust anchor was found in the chain. between (intermediate) CA ${\n x5cOrdereredChain[chain.length - 1].certificateInfo.subject.dn.DN\n } and leaf ${x5cOrdereredChain[0].certificateInfo.subject.dn.DN}.`,\n verificationTime,\n ...(client && { client }),\n }\n}\n\nconst isSameCertificate = (cert1: X509Certificate, cert2: X509Certificate): boolean => {\n return cert1.rawData.toString() === cert2.rawData.toString()\n}\n\nconst algorithmProvider: AlgorithmProvider = container.resolve(AlgorithmProvider)\nexport const getX509AlgorithmProvider = (): AlgorithmProvider => {\n return algorithmProvider\n}\n\nexport type ParsedCertificate = {\n publicKeyInfo: SubjectPublicKeyInfo\n publicKeyJwk?: JWK\n publicKeyRaw: Uint8Array\n // @ts-ignore\n publicKeyAlgorithm: Algorithm\n certificateInfo: CertificateInfo\n certificate: Certificate\n x509Certificate: X509Certificate\n}\n\nexport const parseCertificate = async (rawCert: string | Uint8Array): Promise<ParsedCertificate> => {\n const x509Certificate = new X509Certificate(rawCert)\n const publicKeyInfo = AsnParser.parse(x509Certificate.publicKey.rawData, SubjectPublicKeyInfo)\n const publicKeyRaw = new Uint8Array(publicKeyInfo.subjectPublicKey)\n let publicKeyJwk: JWK | undefined = undefined\n try {\n publicKeyJwk = (await getCertificateSubjectPublicKeyJWK(new Uint8Array(x509Certificate.rawData))) as JWK\n } catch (e: any) {\n console.error(e.message)\n }\n const certificate = pemOrDerToX509Certificate(rawCert)\n const certificateInfo = await getCertificateInfo(certificate)\n const publicKeyAlgorithm = getX509AlgorithmProvider().toWebAlgorithm(publicKeyInfo.algorithm)\n return {\n publicKeyAlgorithm,\n publicKeyInfo,\n publicKeyJwk,\n publicKeyRaw,\n certificateInfo,\n certificate,\n x509Certificate,\n }\n}\n/*\n\n/!**\n *\n * @param pemOrDerChain The order must be that the Certs signing another cert must come one after another. So first the signing cert, then any cert signing that cert and so on\n * @param trustedPEMs\n * @param verificationTime\n * @param opts\n *!/\nexport const validateX509CertificateChainOrg = async ({\n chain: pemOrDerChain,\n trustAnchors,\n verificationTime = new Date(),\n opts = {\n trustRootWhenNoAnchors: false,\n allowSingleNoCAChainElement: true,\n blindlyTrustedAnchors: [],\n },\n }: {\n chain: (Uint8Array | string)[]\n trustAnchors?: string[]\n verificationTime?: Date\n opts?: X509CertificateChainValidationOpts\n}): Promise<X509ValidationResult> => {\n const {\n trustRootWhenNoAnchors = false,\n allowSingleNoCAChainElement = true,\n blindlyTrustedAnchors = [],\n client\n } = opts\n const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors\n\n if (pemOrDerChain.length === 0) {\n return {\n error: true,\n critical: true,\n message: 'Certificate chain in DER or PEM format must not be empty',\n verificationTime,\n }\n }\n\n // x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around\n const certs = pemOrDerChain.map(pemOrDerToX509Certificate).reverse()\n const trustedCerts = trustedPEMs ? trustedPEMs.map(pemOrDerToX509Certificate) : undefined\n defaultCryptoEngine()\n\n if (pemOrDerChain.length === 1) {\n const singleCert = typeof pemOrDerChain[0] === 'string' ? pemOrDerChain[0] : u8a.toString(pemOrDerChain[0], 'base64pad')\n const cert = pemOrDerToX509Certificate(singleCert)\n if (client) {\n const validation = await validateCertificateChainMatchesClientIdScheme(cert, client.clientId, client.clientIdScheme)\n if (validation.error) {\n return validation\n }\n }\n if (blindlyTrustedAnchors.includes(singleCert)) {\n console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)\n return {\n error: false,\n critical: true,\n message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,\n verificationTime,\n certificateChain: [await getCertificateInfo(cert)],\n ...(client && {client}),\n }\n }\n if (allowSingleNoCAChainElement) {\n const subjectDN = getSubjectDN(cert).DN\n if (!getIssuerDN(cert).DN || getIssuerDN(cert).DN === subjectDN) {\n const passed = await cert.verify()\n return {\n error: !passed,\n critical: true,\n message: `Certificate chain validation for ${subjectDN}: ${passed ? 'successful' : 'failed'}.`,\n verificationTime,\n certificateChain: [await getCertificateInfo(cert)],\n ...(client && {client}),\n }\n }\n }\n }\n\n const validationEngine = new CertificateChainValidationEngine({\n certs /!*crls: [crl1], ocsps: [ocsp1], *!/,\n checkDate: verificationTime,\n trustedCerts,\n })\n\n try {\n const verification = await validationEngine.verify()\n if (!verification.result || !verification.certificatePath) {\n return {\n error: true,\n critical: true,\n message: verification.resultMessage !== '' ? verification.resultMessage : `Certificate chain validation failed.`,\n verificationTime,\n ...(client && {client}),\n }\n }\n const certPath = verification.certificatePath\n if (client) {\n const clientIdValidation = await validateCertificateChainMatchesClientIdScheme(certs[0], client.clientId, client.clientIdScheme)\n if (clientIdValidation.error) {\n return clientIdValidation\n }\n }\n let certInfos: Array<CertificateInfo> | undefined\n\n for (const certificate of certPath) {\n try {\n certInfos?.push(await getCertificateInfo(certificate))\n } catch (e: any) {\n console.log(`Error getting certificate info ${e.message}`)\n }\n }\n\n\n return {\n error: false,\n critical: false,\n message: `Certificate chain was valid`,\n verificationTime,\n certificateChain: certInfos,\n ...(client && {client}),\n }\n } catch (error: any) {\n return {\n error: true,\n critical: true,\n message: `Certificate chain was invalid, ${error.message ?? '<unknown error>'}`,\n verificationTime,\n ...(client && {client}),\n }\n }\n}\n*/\n\nconst rdnmap: Record<string, string> = {\n '2.5.4.6': 'C',\n '2.5.4.10': 'O',\n '2.5.4.11': 'OU',\n '2.5.4.3': 'CN',\n '2.5.4.7': 'L',\n '2.5.4.8': 'ST',\n '2.5.4.12': 'T',\n '2.5.4.42': 'GN',\n '2.5.4.43': 'I',\n '2.5.4.4': 'SN',\n '1.2.840.113549.1.9.1': 'E-mail',\n}\n\nexport const getIssuerDN = (cert: Certificate): DNInfo => {\n return {\n DN: getDNString(cert.issuer.typesAndValues),\n attributes: getDNObject(cert.issuer.typesAndValues),\n }\n}\n\nexport const getSubjectDN = (cert: Certificate): DNInfo => {\n return {\n DN: getDNString(cert.subject.typesAndValues),\n attributes: getDNObject(cert.subject.typesAndValues),\n }\n}\n\nconst getDNObject = (typesAndValues: AttributeTypeAndValue[]): Record<string, string> => {\n const DN: Record<string, string> = {}\n for (const typeAndValue of typesAndValues) {\n const type = rdnmap[typeAndValue.type] ?? typeAndValue.type\n DN[type] = typeAndValue.value.getValue()\n }\n return DN\n}\nconst getDNString = (typesAndValues: AttributeTypeAndValue[]): string => {\n return Object.entries(getDNObject(typesAndValues))\n .map(([key, value]) => `${key}=${value}`)\n .join(',')\n}\n\nexport const getCertificateSubjectPublicKeyJWK = async (pemOrDerCert: string | Uint8Array | Certificate): Promise<JWK> => {\n const pemOrDerStr =\n typeof pemOrDerCert === 'string'\n ? toString(fromString(pemOrDerCert, 'base64pad'), 'base64pad')\n : pemOrDerCert instanceof Uint8Array\n ? toString(pemOrDerCert, 'base64pad')\n : toString(fromString(pemOrDerCert.toString('base64'), 'base64pad'), 'base64pad')\n const pem = derToPEM(pemOrDerStr)\n const certificate = pemOrDerToX509Certificate(pem)\n var jwk: JWK | undefined\n try {\n const subtle = getCrypto(true).subtle\n const pk = await certificate.getPublicKey(undefined, defaultCryptoEngine())\n jwk = (await subtle.exportKey('jwk', pk)) as JWK | undefined\n } catch (error: any) {\n console.log(`Error in primary get JWK from cert:`, error?.message)\n }\n if (!jwk) {\n try {\n jwk = (await x509.toJwk(pem, 'pem')) as JWK\n } catch (error: any) {\n console.log(`Error in secondary get JWK from cert as well:`, error?.message)\n }\n }\n if (!jwk) {\n throw Error(`Failed to get JWK from certificate ${pem}`)\n }\n return jwk\n}\n\n/**\n * otherName [0] OtherName,\n * rfc822Name [1] IA5String,\n * dNSName [2] IA5String,\n * x400Address [3] ORAddress,\n * directoryName [4] Name,\n * ediPartyName [5] EDIPartyName,\n * uniformResourceIdentifier [6] IA5String,\n * iPAddress [7] OCTET STRING,\n * registeredID [8] OBJECT IDENTIFIER }\n */\nexport enum SubjectAlternativeGeneralName {\n rfc822Name = 1, // email\n dnsName = 2,\n uniformResourceIdentifier = 6,\n ipAddress = 7,\n}\n\nexport interface SubjectAlternativeName {\n value: string\n type: SubjectAlternativeGeneralName\n}\n\nexport type ClientIdScheme = 'x509_san_dns' | 'x509_san_uri'\n\nexport const assertCertificateMatchesClientIdScheme = (certificate: Certificate, clientId: string, clientIdScheme: ClientIdScheme): void => {\n const sans = getSubjectAlternativeNames(certificate, { clientIdSchemeFilter: clientIdScheme })\n const clientIdMatches = sans.find((san) => san.value === clientId)\n if (!clientIdMatches) {\n throw Error(\n `Client id scheme ${clientIdScheme} used had no matching subject alternative names in certificate with DN ${\n getSubjectDN(certificate).DN\n }. SANS: ${sans.map((san) => san.value).join(',')}`\n )\n }\n}\n\nexport const validateCertificateChainMatchesClientIdScheme = async (\n certificate: Certificate,\n clientId: string,\n clientIdScheme: ClientIdScheme\n): Promise<X509ValidationResult> => {\n const result = {\n error: true,\n critical: true,\n message: `Client Id ${clientId} was not present in certificate using scheme ${clientIdScheme}`,\n client: {\n clientId,\n clientIdScheme,\n },\n certificateChain: [await getCertificateInfo(certificate)],\n verificationTime: new Date(),\n }\n try {\n assertCertificateMatchesClientIdScheme(certificate, clientId, clientIdScheme)\n } catch (error) {\n return result\n }\n result.error = false\n result.message = `Client Id ${clientId} was present in certificate using scheme ${clientIdScheme}`\n return result\n}\n\nexport const getSubjectAlternativeNames = (\n certificate: Certificate,\n opts?: {\n typeFilter?: SubjectAlternativeGeneralName | SubjectAlternativeGeneralName[]\n // When a clientIdchemeFilter is passed in it will always override the above type filter\n clientIdSchemeFilter?: ClientIdScheme\n }\n): SubjectAlternativeName[] => {\n let typeFilter: SubjectAlternativeGeneralName[]\n if (opts?.clientIdSchemeFilter) {\n typeFilter =\n opts.clientIdSchemeFilter === 'x509_san_dns'\n ? [SubjectAlternativeGeneralName.dnsName]\n : [SubjectAlternativeGeneralName.uniformResourceIdentifier]\n } else if (opts?.typeFilter) {\n typeFilter = Array.isArray(opts.typeFilter) ? opts.typeFilter : [opts.typeFilter]\n } else {\n typeFilter = [SubjectAlternativeGeneralName.dnsName, SubjectAlternativeGeneralName.uniformResourceIdentifier]\n }\n const parsedValue = certificate.extensions?.find((ext) => ext.extnID === id_SubjectAltName)?.parsedValue as AltName\n if (!parsedValue) {\n return []\n }\n const altNames = parsedValue.toJSON().altNames\n return altNames\n .filter((altName) => typeFilter.includes(altName.type))\n .map((altName) => {\n return { type: altName.type, value: altName.value } satisfies SubjectAlternativeName\n })\n}\n"],"mappings":";;;;;;;;;;AAAO,IAAKA,YAAAA,yBAAAA,YAAAA;;;SAAAA;;;;ACIZ,SAASC,YAAAA,iBAAgB;;;ACHlB,IAAMC,eAAe,wBAACC,WAAoBC,mBAAAA;AAC/C,MAAIC;AACJ,MAAI,OAAOD,mBAAmB,aAAa;AACzCC,gBAAYD;EACd,WAAW,OAAOE,WAAW,aAAa;AACxCD,gBAAYC;EACd,WAAW,OAAOC,OAAOD,WAAW,aAAa;AAC/CD,gBAAYE,OAAOD;EACrB,OAAO;AAEL,QAAI,OAAOC,OAAOC,QAAQF,QAAQG,WAAW,aAAa;AAExDJ,kBAAYE,OAAOC,OAAOF;IAC5B,OAAO;AAELD,kBAAYK,UAAQ,QAAA;IACtB;EACF;AACA,MAAIP,WAAW;AACbI,WAAOD,SAASD;EAClB;AAEA,SAAOA;AACT,GAvB4B;;;ACA5B,SAASM,mBAAmB;AAE5B,SAASC,kBAAkB;AAE3B,SAASC,gBAAgB;AAEzB,OAAOC,WAAW;AAMX,SAASC,kBAAkBC,MAAcC,UAAiB;AAC/D,MAAI,CAACA,UAAU;AACbA,eAAW;EACb;AASA,QAAMC,eAAeF,KAClBG,QAAQ,oBAAoB,GAAA,EAC5BA,QAAQ,OAAO,EAAA,EACfA,QAAQ,OAAO,EAAA;AAClB,MAAIC,MAAMF,aAAaG,MAAM,GAAA,EAAKC,OAAO,SAAUC,GAAC;AAClD,WAAOA,EAAEC,SAAS;EACpB,CAAA;AACA,MAAIP,WAAW,GAAG;AAChBG,UAAMA,IAAIK,OAAO,GAAGR,QAAAA;EACtB;AACA,SAAOG;AACT;AAvBgBL;AAyBT,SAASW,kBAAkBN,KAAeH,UAAiB;AAChE,MAAI,CAACA,UAAU;AACbA,eAAW;EACb;AACA,QAAMO,SAASP,aAAa,IAAIG,IAAII,SAASG,KAAKC,IAAIX,UAAUG,IAAII,MAAM;AAC1E,MAAIK,MAAM;AACV,WAASC,IAAI,GAAGA,IAAIN,QAAQM,KAAK;AAC/BD,WAAOE,SAASX,IAAIU,CAAAA,GAAI,aAAA;EAC1B;AACA,SAAOD;AACT;AAVgBH;AAYT,IAAMM,4BAA4B,wBAAChB,SAAAA;AACxC,MAAIiB,MAA0B,OAAOjB,SAAS,WAAWA,OAAOkB;AAChE,MAAI,OAAOlB,SAAS,YAAY,EAAEA,gBAAgBmB,aAAa;AAE7D,WAAOC,YAAYC,QAAQrB,KAAKsB,OAAO;EACzC,WAAW,OAAOtB,SAAS,UAAU;AACnC,WAAOoB,YAAYC,QAAQrB,IAAAA;EAC7B,WAAWA,KAAKuB,SAAS,aAAA,GAAgB;AACvCN,UAAMO,SAASxB,IAAAA;EACjB;AACA,MAAI,CAACiB,KAAK;AACR,UAAMQ,MAAM,6FAAA;EACd;AACA,SAAOL,YAAYC,QAAQK,WAAWT,KAAK,WAAA,CAAA;AAC7C,GAdyC;AAgBlC,IAAMU,uBAAuB,wBAACC,OAAoBC,UAAAA;AACvD,SAAOD,MAAME,eAAeC,QAAQF,MAAMC,cAAc;AAC1D,GAFoC;AAI7B,IAAME,cAAc,wBAACC,KAAaC,aAA4B,aAAQ;AAC3E,QAAMC,MAAMC,SAASH,KAAKC,UAAAA;AAC1B,QAAMG,gBAA+BF,IAAIG,IAAI,YAAY;AACzD,QAAMC,SAASF,kBAAkB,YAAYG,qBAAqBP,GAAAA,IAAOQ,oBAAoBR,GAAAA;AAE7F,SAAO;IACLpB,KAAK6B,SAASH,QAAQL,UAAAA;IACtBC;IACAI;IACAI,SAASN;EACX;AACF,GAX2B;AAapB,IAAMO,WAAW,wBAACT,KAAiBD,aAA4B,aAAQ;AAC5E,SAAOW,MAAMC,KAAKX,KAAK,KAAA,EAAOY,SAAS,OAAOb,eAAe,WAAW,iBAAiB,eAAA;AAC3F,GAFwB;AAIjB,IAAME,WAAW,wBAACvB,KAAaqB,aAA4B,aAAQ;AACxE,SAAOW,MAAMC,KAAKjC,KAAK,KAAA,EAAOmC,MAAMd,UAAAA;AACtC,GAFwB;AAGjB,IAAMM,uBAAuB,wBAACP,QAAAA;AACnC,SAAOgB,SAAShB,GAAAA;AAClB,GAFoC;AAI7B,IAAMiB,wBAAwB,wBAACf,KAAiBD,aAA4B,aAAQ;AACzF,MAAIA,eAAe,WAAW;AAC5B,WAAOM,qBAAqBI,SAAST,KAAK,SAAA,CAAA;EAC5C,OAAO;AACL,WAAOM,oBAAoBG,SAAST,KAAK,QAAA,CAAA;EAC3C;AACF,GANqC;AAQ9B,IAAMM,sBAAsB,wBAACR,QAAAA;AAClC,QAAMkB,MAAMF,SAAShB,GAAAA;AACrB,MAAIA,IAAIV,SAAS,aAAA,GAAgB;AAC/B,UAAME,MAAM,4DAAA;EACd,WAAW,CAACQ,IAAIV,SAAS,SAAA,GAAY;AACnC,WAAO4B;EACT;AACA,QAAMC,YAAYhB,SAASH,KAAK,QAAA;AAChC,QAAMoB,YAAYT,SAASQ,WAAW,QAAA;AACtC,SAAOH,SAASI,SAAAA;AAClB,GAVmC;AAY5B,IAAMJ,WAAW,wBAAChB,KAAaqB,cAAAA;AACpC,MAAIrB,IAAIsB,QAAQ,aAAA,KAAkB,IAAI;AACpC,UAAM9B,MAAM,yBAAyB6B,SAAAA,EAAW;EAClD;AAEA,MAAIE;AACJ,MAAIF,WAAW;AACbE,kBAAcvB,IAAI9B,QAAQ,IAAIsD,OAAO,qBAAqBH,YAAY,OAAA,GAAU,EAAA;AAChFE,kBAAcA,YAAYrD,QAAQ,IAAIsD,OAAO,cAAcH,YAAY,YAAA,GAAe,EAAA;EACxF,OAAO;AACLE,kBAAcvB,IAAI9B,QAAQ,8BAA8B,EAAA;AACxDqD,kBAAcA,YAAYrD,QAAQ,4BAA4B,EAAA;EAChE;AACA,SAAOuD,YAAYF,aAAa,WAAA;AAClC,GAdwB;AAgBjB,SAASG,YAAY9C,KAAW;AACrC,QAAM+C,cAAc/C,IACjBV,QAAQ,8BAA8B,EAAA,EACtCA,QAAQ,4BAA4B,EAAA,EACpCA,QAAQ,OAAO,EAAA;AAElB,SAAOuB,WAAWkC,aAAa,WAAA;AACjC;AAPgBD;AAcT,IAAMD,cAAc,wBAACG,OAAeC,kBAAAA;AACzC,QAAMC,mBAAmBF,MAAM1D,QAAQ,0BAA0B,EAAA;AACjE,SAAO4C,SAASrB,WAAWqC,kBAAkBD,gBAAgBA,gBAAgB,WAAA,GAAc,QAAA;AAC7F,GAH2B;AAKpB,IAAME,cAAc,wBAACH,OAAiCI,mBAAAA;AAC3D,MAAId,MAAM,OAAOU,UAAU,WAAWA,QAAQA,MAAMd,SAAS,EAAA;AAC7D,MAAII,IAAI3C,SAAS,MAAM,GAAG;AACxB2C,UAAM,IAAIA,GAAAA;EACZ;AACA,SAAOJ,SAASrB,WAAWyB,KAAK,QAAA,GAAWc,iBAAiBA,iBAAiB,WAAA;AAC/E,GAN2B;AAQpB,IAAMvB,WAAW,wBAACS,KAAae,SAAAA;AACpC,QAAMC,SAASH,YAAYb,KAAK,WAAA;AAChC,QAAMG,YAAYY,SAAS,YAAY,oBAAoB;AAC3D,MAAIA,SAAS,WAAW;AACtB,UAAMrD,MAAME,SAASoD,QAAQb,SAAAA;AAC7B,QAAI;AACFlB,eAASvB,GAAAA;AACT,aAAOA;IACT,SAASuD,OAAO;AACd,aAAOrD,SAASoD,QAAQ,aAAA;IAC1B;EACF;AACA,SAAOpD,SAASoD,QAAQb,SAAAA;AAC1B,GAbwB;AAejB,SAAS9B,SAASX,KAAW;AAClC,SAAOA,IAAIV,QAAQ,+CAA+C,EAAA;AACpE;AAFgBqB;AAIT,SAAST,SAASf,MAAcsD,WAA4E;AACjH,QAAMe,MAAMf,aAAa;AACzB,MAAItD,KAAKuB,SAAS8C,GAAAA,GAAM;AAEtB,WAAOrE;EACT;AACA,QAAMsE,UAAUtE,KAAKuE,MAAM,UAAA;AAC3B,MAAI,CAACD,SAAS;AACZ,UAAM7C,MAAM,mCAAA;EACd;AACA,SAAO,cAAc4C,GAAAA;EAAaC,QAAQE,KAAK,IAAA,CAAA;WAAmBH,GAAAA;;AACpE;AAXgBtD;;;AFjKhB,IAAM0D,QAAQ,wBAACC,QAAAA;AACb,MAAIA,IAAIC,WAAWD,IAAIC,QAAQC,SAAS,GAAG;AACzC,WAAOF,IAAIC;EACb;AACA,MAAID,IAAIG,KAAK;AACX,UAAMC,SAAqB,CAAA;AAC3B,QAAIJ,IAAIG,IAAIE,SAAS,KAAA,GAAQ;AAC3BD,aAAOE,KAAK,QAAQ,QAAA;IACtB,WAAWN,IAAIG,IAAIE,SAAS,KAAA,GAAQ;AAClCD,aAAOE,KAAK,WAAW,SAAA;IACzB;AACA,QAAIF,OAAOF,SAAS,GAAG;AACrB,aAAOE;IACT;EACF;AACA,MAAIJ,IAAIO,QAAQ,OAAO;AACrB,QAAIP,IAAIQ,GAAG;AACT,aAAOR,IAAIS,KAAKC,YAAAA,GAAeL,SAAS,MAAA,IAAU;QAAC;UAAa;QAAC;;IACnE;AACA,WAAOL,IAAIS,KAAKC,YAAAA,GAAeL,SAAS,MAAA,IAAU;MAAC;QAAa;MAAC;;EACnE;AAEA,SAAOL,IAAIQ,KAAKR,IAAIO,QAAQ,QAAQ;IAAC;IAAQ;IAAW;IAAU;MAAa;IAAC;;AAClF,GAvBc;AAyBP,IAAMI,kCAAkC,wBAACC,eAAAA;AAC9C,QAAMH,MAAMG,WAAWF,YAAW;AAClC,MAAIG;AACJ,MAAIJ,IAAIK,WAAW,IAAA,GAAO;AACxBD,aAAS;EACX,WAAWJ,IAAIK,WAAW,IAAA,GAAO;AAC/BD,aAAS;EACX,OAAO;AACL,UAAME,MAAM,sCAAsCH,UAAAA,EAAY;EAChE;AAEA,QAAMI,gBAAgB,OAAOP,IAAIQ,UAAU,CAAA,CAAA;AAC3C,SAAO;IAAEJ;IAAQG;EAAc;AACjC,GAb+C;AAexC,IAAME,2BAA2B,8BACtClB,KACAa,QACAG,kBAAAA;AAEA,QAAMG,WAAWH,gBAAgBA,gBAAgBhB,IAAIS,MAAM,OAAOT,IAAIS,IAAIQ,UAAU,CAAA,CAAA,KAAO;AAE3F,QAAMG,eAAsC;IAAEC,MAAMR;IAAQS,MAAMH;EAAS;AAC3E,SAAO,MAAMI,aAAa,KAAA,EAAOC,OAAOC,UAAU,OAAOzB,KAAmBoB,cAAc,OAAOrB,MAAMC,GAAAA,CAAAA;AACzG,GATwC;AAWjC,IAAM0B,sBAAsB,8BACjCb,QACAG,eACAW,kBAAAA;AAEA,QAAMR,WAAWH,gBAAgBA,gBAAgB;AAEjD,QAAMY,SAAgC;IACpCP,MAAMR;IACNS,MAAMH;IACNQ,eAAeA,gBAAgBA,gBAAgB;IAC/CE,gBAAgB,IAAIC,WAAW;MAAC;MAAG;MAAG;KAAE;EAC1C;AACA,QAAMC,WAAuBlB,WAAW,aAAaA,WAAW,sBAAsB;IAAC;IAAQ;MAAY;IAAC;IAAW;;AAEvH,QAAMmB,UAAU,MAAMT,aAAa,KAAA,EAAOC,OAAOS,YAAYL,QAAQ,MAAMG,QAAAA;AAC3E,QAAMG,QAAQ,MAAMX,aAAa,KAAA,EAAOC,OAAOW,UAAU,SAASH,QAAQI,UAAU;AAEpF,QAAMC,aAAa,IAAIP,WAAWI,KAAAA;AAClC,SAAOI,SAASC,UAASF,YAAY,WAAA,GAAc,iBAAA;AACrD,GApBmC;;;AGjEnC,SAASG,cAAAA,mBAAkB;AAE3B,SAASC,YAAAA,iBAAgB;AAQlB,IAAMC,YAAN,MAAMA;EAXb,OAWaA;;;EACMC;EACAC;EAETC;EACSC;;;;;;EAOjBC,YACEF,KACAG,MACA;AACA,QAAI,OAAOH,QAAQ,UAAU;AAC3B,WAAKD,MAAMK,SAASJ,KAAKG,MAAME,UAAAA;IACjC,OAAO;AACL,WAAKN,MAAMC;IACb;AAEA,SAAKF,gBAAgBK,MAAML,iBAAiB;AAC5C,SAAKG,SAASE,MAAMF,UAAU;EAChC;EAEQK,kBAAsD;AAC5D,QAAI,KAAKL,WAAW,WAAW;AAC7B,aAAO;QAAEM,MAAM,KAAKN;QAAQO,YAAY;MAAG;IAC7C;AACA,WAAO;MAAED,MAAM,KAAKN;;IAAsC;EAC5D;EAEA,MAAcQ,SAA6B;AACzC,QAAI,CAAC,KAAKT,KAAK;AACb,WAAKA,MAAM,MAAMU,yBAAyB,KAAKX,KAAK,KAAKE,QAAQ,KAAKH,aAAa;IACrF;AACA,WAAO,KAAKE;EACd;EAEQW,eAAeC,KAAkB;AACvC,UAAMC,aAAa,IAAIC,WAAWF,GAAAA;AAClC,WAAOG,UAASF,YAAY,WAAA;EAC9B;EAEA,MAAaG,KAAKC,MAAmC;AACnD,UAAMC,QAAQD;AACd,UAAMjB,MAAM,MAAM,KAAKS,OAAM;AAC7B,UAAMU,YAAY,KAAKR,eAAe,MAAMS,aAAa,KAAA,EAAOC,OAAOL,KAAK,KAAKV,gBAAe,GAAIN,KAAKkB,KAAAA,CAAAA;AACzG,QAAI,CAACC,WAAW;AACd,YAAMG,MAAM,2BAAA;IACd;AAGA,WAAOH;EACT;EAEA,MAAaI,OAAON,MAA2BE,WAAqC;AAClF,UAAMK,MAAML,UAAUM,SAAS,GAAA,IAAON,UAAUO,MAAM,GAAA,EAAK,CAAA,IAAKP;AAEhE,UAAMD,QAAQ,OAAOD,QAAQ,WAAWU,YAAWV,MAAM,OAAA,IAAWA;AAEpE,QAAIjB,MAAM,MAAM,KAAKS,OAAM;AAC3B,QAAI,CAACT,IAAI4B,OAAOH,SAAS,QAAA,GAAW;AAClC,YAAMI,YAAY;QAAE,GAAG,KAAK9B;MAAI;AAChC,aAAO8B,UAAUC;AACjB,aAAOD,UAAUE;AACjB,aAAOF,UAAUG;AACjBhC,YAAM,MAAMU,yBAAyBmB,WAAW,KAAK5B,QAAQ,KAAKH,aAAa;IACjF;AACA,UAAMmC,qBAAqB,MAAMb,aAAa,KAAA,EAAOC,OAAOE,OAAO,KAAKjB,gBAAe,GAAIN,KAAK2B,YAAWH,KAAK,WAAA,GAAcN,KAAAA;AAC9H,WAAOe;EACT;AACF;;;ACpFA,SAASC,iBAAiB;AAC1B,SAASC,4BAA4B;AACrC,SAASC,mBAAmBC,uBAAuB;AAGnD,OAAOC,UAAU;AACjB,SAAsDC,cAAcC,WAAWC,mBAAmBC,iBAAiB;AACnH,SAASC,iBAAiB;AAE1B,SAASC,cAAAA,mBAAkB;AAE3B,SAASC,YAAAA,iBAAgB;AAsCzB,IAAMC,sBAAsB,6BAAA;AAC1B,QAAMC,OAAO;AACbC,YAAUD,MAAM,IAAIE,aAAa;IAAEF;IAAMG,QAAQC,aAAa,KAAA;EAAO,CAAA,CAAA;AACrE,SAAOC,UAAU,IAAA;AACnB,GAJ4B;AAMrB,IAAMC,qBAAqB,8BAChCC,aACAC,SAAAA;AAIA,MAAIC;AACJ,MAAI;AACFA,mBAAgB,MAAMC,kCAAkCH,WAAAA;EAC1D,SAASI,GAAG;EAAC;AACb,SAAO;IACLC,QAAQ;MAAEC,IAAIC,YAAYP,WAAAA;IAAa;IACvCQ,SAAS;MACPF,IAAIG,aAAaT,WAAAA;MACjBU,yBAAyBC,2BAA2BX,aAAa;QAAEY,YAAYX,MAAMY;MAAc,CAAA;IACrG;IACAX;IACAY,WAAWd,YAAYc,UAAUC;IACjCC,UAAUhB,YAAYgB,SAASD;EAEjC;AACF,GArBkC;AA4C3B,IAAME,+BAA+B,8BAAO,EACjDC,OAAOC,eACPC,cACAC,mBAAmB,oBAAIC,KAAAA,GACvBrB,OAAO;;EAELsB,0BAA0B;EAC1BC,wBAAwB;EACxBC,6BAA6B;EAC7BC,uBAAuB,CAAA;EACvBC,uBAAuB;AACzB,EAAC,MAMF;AAEC,SAAO,MAAMC,iCAAiC;IAC5CC,UAAU;IACVX,OAAO;SAAIC;MAAeW,QAAO;IACjCV;IACAC;IACApB;EACF,CAAA;AACF,GA1B4C;AA2B5C,IAAM2B,mCAAmC,8BAAO,EAC9CC,UACAX,OAAOC,eACPC,cACAC,kBAAkBU,UAClB9B,KAAI,MAOL;AACC,QAAMoB,mBAAyB,OAAOU,aAAa,WAAW,IAAIT,KAAKS,QAAAA,IAAYA;AACnF,QAAM,EACJR,2BAA2B,OAC3BC,yBAAyB,OACzBC,8BAA8B,MAC9BC,wBAAwB,CAAA,GACxBC,wBAAwB,OACxBK,OAAM,IACJ/B;AACJ,QAAMgC,cAAcT,0BAA0B,CAACJ,eAAe;IAACD,cAAcA,cAAce,SAAS,CAAA;MAAMd;AAE1G,MAAID,cAAce,WAAW,GAAG;AAC9B,WAAO;MACLC,OAAO;MACPC,UAAU;MACVC,SAAS;MACThB;IACF;EACF;AACA7B,sBAAAA;AAGA,QAAM0B,QAAQ,MAAMoB,QAAQC,IAAIpB,cAAcqB,IAAI,CAACC,QAAQC,iBAAiBD,GAAAA,CAAAA,CAAAA;AAC5E,QAAME,oBAAoBd,WAAW;OAAIX;MAAS;OAAIA;IAAOY,QAAO;AAEpE,QAAMc,eAAeX,cAAc,MAAMK,QAAQC,IAAIN,YAAYO,IAAI,CAACC,QAAQC,iBAAiBD,GAAAA,CAAAA,CAAAA,IAASI;AACxG,QAAMC,kBAEF,MAAMR,QAAQC,IACZb,sBAAsBc,IAAI,CAACC,QAAAA;AACzB,QAAI;AACF,aAAOC,iBAAiBD,GAAAA;IAC1B,SAASrC,GAAG;AAEV2C,cAAQC,IAAI,+CAA+CP,GAAAA,YAAerC,EAAEiC,OAAO,EAAE;AACrF,aAAOQ;IACT;EACF,CAAA,CAAA,GAEFI,OAAO,CAACC,SAAoCA,SAASL,MAAAA,KAAc,CAAA;AACvE,QAAMM,WAAWR,kBAAkB,CAAA;AAEnC,QAAMS,cAAclC,MAAMgB;AAC1B,MAAImB,mBAAkDR;AACtD,WAASS,IAAI,GAAGA,IAAIF,aAAaE,KAAK;AACpC,UAAMC,cAAcrC,MAAMoC,CAAAA;AAC1B,UAAME,eAAeF,IAAI,IAAIpC,MAAMoC,IAAI,CAAA,IAAKT;AAC5C,UAAMY,qBAAqBX,eAAeY,KAAK,CAACC,YAAYC,qBAAqBD,QAAQ3D,aAAauD,YAAYvD,WAAW,CAAA;AAC7H,QAAIyD,oBAAoB;AACtBV,cAAQC,IAAI,iHAAiH;AAC7H,aAAO;QACLb,OAAO;QACPC,UAAU;QACVC,SAAS;QACTwB,eAAe,+BAA+BJ,mBAAmBK,gBAAgBtD,QAAQF,GAAGyD,EAAE;QAC9FC,aAAaP,oBAAoBK;QACjCzC;QACA4C,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;QACtE,GAAI9B,UAAU;UAAEA;QAAO;MACzB;IACF;AACA,QAAIwB,cAAc;AAChB,UAAID,YAAYW,gBAAgB7D,WAAWmD,aAAaU,gBAAgB1D,SAAS;AAC/E,YAAI,CAACqB,YAAY,CAACF,uBAAuB;AACvC,iBAAO,MAAMC,iCAAiC;YAC5CC,UAAU;YACVX,OAAO;iBAAIC;cAAeW,QAAO;YACjC7B;YACAoB;YACAD;UACF,CAAA;QACF;AACA,eAAO;UACLe,OAAO;UACPC,UAAU;UACV6B,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;UACtEzB,SAAS,2CAA2Cc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;UAC1FF,eAAe,mBAAmBN,YAAYO,gBAAgBtD,QAAQF,GAAGyD,EAAE,gBAAgBR,YAAYW,gBAAgB7D,MAAM,+CAA+CmD,cAAcM,gBAAgBtD,QAAQF,GAAGyD,EAAAA,wBAA0BP,cAAcU,gBAAgB1D,OAAAA;UAC7Qa;UACA,GAAIW,UAAU;YAAEA;UAAO;QACzB;MACF;IACF;AACA,UAAMmC,SAAS,MAAMZ,YAAYW,gBAAgBE,OAC/C;MACEC,MAAMhD;MACNiD,WAAWd,cAAcU,iBAAiBI;IAC5C,GACAxE,UAAAA,GAAaF,UAAUA,UAAU2E,OAAO3E,MAAM;AAEhD,QAAI,CAACuE,QAAQ;AAEX,UAAIb,KAAK,KAAK,CAACzB,YAAY,CAACF,uBAAuB;AACjD,eAAO,MAAMC,iCAAiC;UAC5CC,UAAU;UACVX,OAAO;eAAIC;YAAeW,QAAO;UACjC7B;UACAoB;UACAD;QACF,CAAA;MACF;AAEA,aAAO;QACLe,OAAO;QACPC,UAAU;QACVC,SAAS,2CAA2Cc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;QAC1FE,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;QACtED,eAAe,mCAAmCN,YAAYO,gBAAgBtD,QAAQF,GAAGyD,EAAE,gBACzFR,YAAYW,gBAAgB7D,MAAM,wBACZmE,KAAKC,UAAUlB,YAAYO,gBAAgB5D,YAAY,CAAA;QAC/EmB;QACA,GAAIW,UAAU;UAAEA;QAAO;MACzB;IACF;AAEAqB,uBAAmBA,oBAAoBT,cAAcc,KAAK,CAACC,YAAYe,kBAAkBf,QAAQO,iBAAiBX,YAAYW,eAAe,CAAA;AAE7I,QAAIZ,MAAM,KAAKF,gBAAgB,KAAK3B,6BAA6B;AAC/D,aAAO;QACLU,OAAO;QACPC,UAAU;QACVC,SAAS,uEAAuEc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;QACtHE,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;QACtEE,aAAaX,kBAAkBS;QAC/BzC;QACA,GAAIW,UAAU;UAAEA;QAAO;MACzB;IACF;EACF;AAEA,MAAIqB,kBAAkBS,mBAAmBvC,0BAA0B;AACjE,WAAO;MACLY,OAAO;MACPC,UAAU;MACVC,SAAS;MACT4B,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;MACtED,eAAeR,mBACX,wBAAwBF,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE,yCAAyCV,kBAAkBS,gBAAgBtD,QAAQF,GAAGyD,EAAAA,MACpJ,wBAAwBZ,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE,kHAAkHxC,wBAAAA;MACpLyC,aAAaX,kBAAkBS;MAC/BzC;MACA,GAAIW,UAAU;QAAEA;MAAO;IACzB;EACF;AAEA,SAAO;IACLG,OAAO;IACPC,UAAU;IACVC,SAAS,2CAA2Cc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;IAC1FE,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;IACtED,eAAe,qEACblB,kBAAkBzB,MAAMgB,SAAS,CAAA,EAAG4B,gBAAgBtD,QAAQF,GAAGyD,EAAE,aACtDpB,kBAAkB,CAAA,EAAGmB,gBAAgBtD,QAAQF,GAAGyD,EAAE;IAC/D1C;IACA,GAAIW,UAAU;MAAEA;IAAO;EACzB;AACF,GAzKyC;AA2KzC,IAAM0C,oBAAoB,wBAACC,OAAwBC,UAAAA;AACjD,SAAOD,MAAME,QAAQC,SAAQ,MAAOF,MAAMC,QAAQC,SAAQ;AAC5D,GAF0B;AAI1B,IAAMC,oBAAuCC,UAAUC,QAAQC,iBAAAA;AACxD,IAAMC,2BAA2B,6BAAA;AACtC,SAAOJ;AACT,GAFwC;AAejC,IAAMrC,mBAAmB,8BAAO0C,YAAAA;AACrC,QAAMlB,kBAAkB,IAAImB,gBAAgBD,OAAAA;AAC5C,QAAME,gBAAgBC,UAAUC,MAAMtB,gBAAgBI,UAAUO,SAASY,oBAAAA;AACzE,QAAMC,eAAe,IAAIC,WAAWL,cAAcM,gBAAgB;AAClE,MAAIC,eAAgChD;AACpC,MAAI;AACFgD,mBAAgB,MAAM1F,kCAAkC,IAAIwF,WAAWzB,gBAAgBW,OAAO,CAAA;EAChG,SAASzE,GAAQ;AACf2C,YAAQZ,MAAM/B,EAAEiC,OAAO;EACzB;AACA,QAAMrC,cAAc8F,0BAA0BV,OAAAA;AAC9C,QAAMtB,kBAAkB,MAAM/D,mBAAmBC,WAAAA;AACjD,QAAM+F,qBAAqBZ,yBAAAA,EAA2Ba,eAAeV,cAAcW,SAAS;AAC5F,SAAO;IACLF;IACAT;IACAO;IACAH;IACA5B;IACA9D;IACAkE;EACF;AACF,GAtBgC;AAgKhC,IAAMgC,SAAiC;EACrC,WAAW;EACX,YAAY;EACZ,YAAY;EACZ,WAAW;EACX,WAAW;EACX,WAAW;EACX,YAAY;EACZ,YAAY;EACZ,YAAY;EACZ,WAAW;EACX,wBAAwB;AAC1B;AAEO,IAAM3F,cAAc,wBAAC2C,SAAAA;AAC1B,SAAO;IACLa,IAAIoC,YAAYjD,KAAK7C,OAAO+F,cAAc;IAC1CC,YAAYC,YAAYpD,KAAK7C,OAAO+F,cAAc;EACpD;AACF,GAL2B;AAOpB,IAAM3F,eAAe,wBAACyC,SAAAA;AAC3B,SAAO;IACLa,IAAIoC,YAAYjD,KAAK1C,QAAQ4F,cAAc;IAC3CC,YAAYC,YAAYpD,KAAK1C,QAAQ4F,cAAc;EACrD;AACF,GAL4B;AAO5B,IAAME,cAAc,wBAACF,mBAAAA;AACnB,QAAMrC,KAA6B,CAAC;AACpC,aAAWwC,gBAAgBH,gBAAgB;AACzC,UAAMI,OAAON,OAAOK,aAAaC,IAAI,KAAKD,aAAaC;AACvDzC,OAAGyC,IAAAA,IAAQD,aAAaxF,MAAM0F,SAAQ;EACxC;AACA,SAAO1C;AACT,GAPoB;AAQpB,IAAMoC,cAAc,wBAACC,mBAAAA;AACnB,SAAOM,OAAOC,QAAQL,YAAYF,cAAAA,CAAAA,EAC/B5D,IAAI,CAAC,CAACoE,KAAK7F,KAAAA,MAAW,GAAG6F,GAAAA,IAAO7F,KAAAA,EAAO,EACvC8F,KAAK,GAAA;AACV,GAJoB;AAMb,IAAM1G,oCAAoC,8BAAO2G,iBAAAA;AACtD,QAAMC,cACJ,OAAOD,iBAAiB,WACpBhC,UAASkC,YAAWF,cAAc,WAAA,GAAc,WAAA,IAChDA,wBAAwBnB,aACxBb,UAASgC,cAAc,WAAA,IACvBhC,UAASkC,YAAWF,aAAahC,SAAS,QAAA,GAAW,WAAA,GAAc,WAAA;AACzE,QAAMmC,MAAMC,SAASH,WAAAA;AACrB,QAAM/G,cAAc8F,0BAA0BmB,GAAAA;AAC9C,MAAIE;AACJ,MAAI;AACF,UAAMC,SAAStH,UAAU,IAAA,EAAMsH;AAC/B,UAAMC,KAAK,MAAMrH,YAAYsH,aAAazE,QAAWrD,oBAAAA,CAAAA;AACrD2H,UAAO,MAAMC,OAAOG,UAAU,OAAOF,EAAAA;EACvC,SAASlF,OAAY;AACnBY,YAAQC,IAAI,uCAAuCb,OAAOE,OAAAA;EAC5D;AACA,MAAI,CAAC8E,KAAK;AACR,QAAI;AACFA,YAAO,MAAMK,KAAKC,MAAMR,KAAK,KAAA;IAC/B,SAAS9E,OAAY;AACnBY,cAAQC,IAAI,iDAAiDb,OAAOE,OAAAA;IACtE;EACF;AACA,MAAI,CAAC8E,KAAK;AACR,UAAMO,MAAM,sCAAsCT,GAAAA,EAAK;EACzD;AACA,SAAOE;AACT,GA5BiD;AAyC1C,IAAKQ,gCAAAA,yBAAAA,gCAAAA;;;;;SAAAA;;AAcL,IAAMC,yCAAyC,wBAAC5H,aAA0B6H,UAAkBC,mBAAAA;AACjG,QAAMC,OAAOpH,2BAA2BX,aAAa;IAAEgI,sBAAsBF;EAAe,CAAA;AAC5F,QAAMG,kBAAkBF,KAAKrE,KAAK,CAACwE,QAAQA,IAAInH,UAAU8G,QAAAA;AACzD,MAAI,CAACI,iBAAiB;AACpB,UAAMP,MACJ,oBAAoBI,cAAAA,0EAClBrH,aAAaT,WAAAA,EAAa+D,EAAE,WACnBgE,KAAKvF,IAAI,CAAC0F,QAAQA,IAAInH,KAAK,EAAE8F,KAAK,GAAA,CAAA,EAAM;EAEvD;AACF,GAVsD;AAY/C,IAAMsB,gDAAgD,8BAC3DnI,aACA6H,UACAC,mBAAAA;AAEA,QAAM3D,SAAS;IACbhC,OAAO;IACPC,UAAU;IACVC,SAAS,aAAawF,QAAAA,gDAAwDC,cAAAA;IAC9E9F,QAAQ;MACN6F;MACAC;IACF;IACA7D,kBAAkB;MAAC,MAAMlE,mBAAmBC,WAAAA;;IAC5CqB,kBAAkB,oBAAIC,KAAAA;EACxB;AACA,MAAI;AACFsG,2CAAuC5H,aAAa6H,UAAUC,cAAAA;EAChE,SAAS3F,OAAO;AACd,WAAOgC;EACT;AACAA,SAAOhC,QAAQ;AACfgC,SAAO9B,UAAU,aAAawF,QAAAA,4CAAoDC,cAAAA;AAClF,SAAO3D;AACT,GAxB6D;AA0BtD,IAAMxD,6BAA6B,wBACxCX,aACAC,SAAAA;AAMA,MAAIW;AACJ,MAAIX,MAAM+H,sBAAsB;AAC9BpH,iBACEX,KAAK+H,yBAAyB,iBAC1B;;QACA;;;EACR,WAAW/H,MAAMW,YAAY;AAC3BA,iBAAawH,MAAMC,QAAQpI,KAAKW,UAAU,IAAIX,KAAKW,aAAa;MAACX,KAAKW;;EACxE,OAAO;AACLA,iBAAa;;;;EACf;AACA,QAAM0H,cAActI,YAAYuI,YAAY7E,KAAK,CAAC8E,QAAQA,IAAIC,WAAWC,iBAAAA,GAAoBJ;AAC7F,MAAI,CAACA,aAAa;AAChB,WAAO,CAAA;EACT;AACA,QAAMK,WAAWL,YAAYM,OAAM,EAAGD;AACtC,SAAOA,SACJ1F,OAAO,CAAC4F,YAAYjI,WAAWkI,SAASD,QAAQrC,IAAI,CAAA,EACpDhE,IAAI,CAACqG,YAAAA;AACJ,WAAO;MAAErC,MAAMqC,QAAQrC;MAAMzF,OAAO8H,QAAQ9H;IAAM;EACpD,CAAA;AACJ,GA7B0C;","names":["JwkKeyUse","toString","globalCrypto","setGlobal","suppliedCrypto","webcrypto","crypto","global","window","subtle","require","Certificate","fromString","toString","keyto","pemCertChainTox5c","cert","maxDepth","intermediate","replace","x5c","split","filter","c","length","splice","x5cToPemCertChain","Math","min","pem","i","derToPEM","pemOrDerToX509Certificate","DER","undefined","Uint8Array","Certificate","fromBER","rawData","includes","PEMToDer","Error","fromString","areCertificatesEqual","cert1","cert2","signatureValue","isEqual","toKeyObject","PEM","visibility","jwk","PEMToJwk","keyVisibility","d","keyHex","privateKeyHexFromPEM","publicKeyHexFromPEM","hexToPEM","keyType","jwkToPEM","keyto","from","toString","toJwk","PEMToHex","hexKeyFromPEMBasedJwk","hex","publicJwk","publicPEM","headerKey","indexOf","strippedPem","RegExp","base64ToHex","PEMToBinary","pemContents","input","inputEncoding","base64NoNewlines","hexToBase64","targetEncoding","type","base64","error","key","matches","match","join","usage","jwk","key_ops","length","use","usages","includes","push","kty","d","alg","toUpperCase","signAlgorithmToSchemeAndHashAlg","signingAlg","scheme","startsWith","Error","hashAlgorithm","substring","cryptoSubtleImportRSAKey","hashName","importParams","name","hash","globalCrypto","subtle","importKey","generateRSAKeyAsPEM","modulusLength","params","publicExponent","Uint8Array","keyUsage","keypair","generateKey","pkcs8","exportKey","privateKey","uint8Array","derToPEM","toString","fromString","toString","RSASigner","hashAlgorithm","jwk","key","scheme","constructor","opts","PEMToJwk","visibility","getImportParams","name","saltLength","getKey","cryptoSubtleImportRSAKey","bufferToString","buf","uint8Array","Uint8Array","toString","sign","data","input","signature","globalCrypto","subtle","Error","verify","jws","includes","split","fromString","usages","verifyJwk","d","use","key_ops","verificationResult","AsnParser","SubjectPublicKeyInfo","AlgorithmProvider","X509Certificate","x509","CryptoEngine","getCrypto","id_SubjectAltName","setEngine","container","fromString","toString","defaultCryptoEngine","name","setEngine","CryptoEngine","crypto","globalCrypto","getCrypto","getCertificateInfo","certificate","opts","publicKeyJWK","getCertificateSubjectPublicKeyJWK","e","issuer","dn","getIssuerDN","subject","getSubjectDN","subjectAlternativeNames","getSubjectAlternativeNames","typeFilter","sanTypeFilter","notBefore","value","notAfter","validateX509CertificateChain","chain","pemOrDerChain","trustAnchors","verificationTime","Date","allowNoTrustAnchorsFound","trustRootWhenNoAnchors","allowSingleNoCAChainElement","blindlyTrustedAnchors","disallowReversedChain","validateX509CertificateChainImpl","reversed","reverse","verifyAt","client","trustedPEMs","length","error","critical","message","Promise","all","map","raw","parseCertificate","x5cOrdereredChain","trustedCerts","undefined","blindlyTrusted","console","log","filter","cert","leafCert","chainLength","foundTrustAnchor","i","currentCert","previousCert","blindlyTrustedCert","find","trusted","areCertificatesEqual","detailMessage","certificateInfo","DN","trustAnchor","certificateChain","x509Certificate","result","verify","date","publicKey","global","JSON","stringify","isSameCertificate","cert1","cert2","rawData","toString","algorithmProvider","container","resolve","AlgorithmProvider","getX509AlgorithmProvider","rawCert","X509Certificate","publicKeyInfo","AsnParser","parse","SubjectPublicKeyInfo","publicKeyRaw","Uint8Array","subjectPublicKey","publicKeyJwk","pemOrDerToX509Certificate","publicKeyAlgorithm","toWebAlgorithm","algorithm","rdnmap","getDNString","typesAndValues","attributes","getDNObject","typeAndValue","type","getValue","Object","entries","key","join","pemOrDerCert","pemOrDerStr","fromString","pem","derToPEM","jwk","subtle","pk","getPublicKey","exportKey","x509","toJwk","Error","SubjectAlternativeGeneralName","assertCertificateMatchesClientIdScheme","clientId","clientIdScheme","sans","clientIdSchemeFilter","clientIdMatches","san","validateCertificateChainMatchesClientIdScheme","Array","isArray","parsedValue","extensions","ext","extnID","id_SubjectAltName","altNames","toJSON","altName","includes"]}
1
+ {"version":3,"sources":["../src/types/index.ts","../src/x509/rsa-key.ts","../src/x509/crypto.ts","../src/x509/x509-utils.ts","../src/x509/rsa-signer.ts","../src/x509/x509-validator.ts"],"sourcesContent":["export enum JwkKeyUse {\n Encryption = 'enc',\n Signature = 'sig',\n}\n\nexport type HashAlgorithm = 'SHA-256' | 'SHA-512'\n\nexport type KeyVisibility = 'public' | 'private'\n\nexport interface X509Opts {\n cn?: string // The certificate Common Name. Will be used as the KID for the private key. Uses alias if not provided.\n privateKeyPEM?: string // Optional as you also need to provide it in hex format, but advisable to use it\n certificatePEM?: string // Optional, as long as the certificate then is part of the certificateChainPEM\n certificateChainURL?: string // Certificate chain URL. If used this is where the certificateChainPEM will be hosted/found.\n certificateChainPEM?: string // Base64 (not url!) encoded DER certificate chain. Please provide even if certificateChainURL is used!\n}\n","// @ts-ignore\nimport { KeyUsage, CryptoKey, RsaHashedImportParams, RsaHashedKeyGenParams } from 'node'\n\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\nimport type { HashAlgorithm } from '../types'\nimport { globalCrypto } from './crypto'\n\nimport { derToPEM } from './x509-utils'\nimport type { JsonWebKey } from '@sphereon/ssi-types'\n\nexport type RSASignatureSchemes = 'RSASSA-PKCS1-V1_5' | 'RSA-PSS'\n\nexport type RSAEncryptionSchemes = 'RSAES-PKCS-v1_5 ' | 'RSAES-OAEP'\n\nconst usage = (jwk: JsonWebKey): KeyUsage[] => {\n if (jwk.key_ops && jwk.key_ops.length > 0) {\n return jwk.key_ops as KeyUsage[]\n }\n if (jwk.use) {\n const usages: KeyUsage[] = []\n if (jwk.use.includes('sig')) {\n usages.push('sign', 'verify')\n } else if (jwk.use.includes('enc')) {\n usages.push('encrypt', 'decrypt')\n }\n if (usages.length > 0) {\n return usages\n }\n }\n if (jwk.kty === 'RSA') {\n if (jwk.d) {\n return jwk.alg?.toUpperCase()?.includes('QAEP') ? ['encrypt'] : ['sign']\n }\n return jwk.alg?.toUpperCase()?.includes('QAEP') ? ['decrypt'] : ['verify']\n }\n // \"decrypt\" | \"deriveBits\" | \"deriveKey\" | \"encrypt\" | \"sign\" | \"unwrapKey\" | \"verify\" | \"wrapKey\";\n return jwk.d && jwk.kty !== 'RSA' ? ['sign', 'decrypt', 'verify', 'encrypt'] : ['verify']\n}\n\nexport const signAlgorithmToSchemeAndHashAlg = (signingAlg: string) => {\n const alg = signingAlg.toUpperCase()\n let scheme: RSAEncryptionSchemes | RSASignatureSchemes\n if (alg.startsWith('RS')) {\n scheme = 'RSASSA-PKCS1-V1_5'\n } else if (alg.startsWith('PS')) {\n scheme = 'RSA-PSS'\n } else {\n throw Error(`Invalid signing algorithm supplied ${signingAlg}`)\n }\n\n const hashAlgorithm = `SHA-${alg.substring(2)}` as HashAlgorithm\n return { scheme, hashAlgorithm }\n}\n\nexport const cryptoSubtleImportRSAKey = async (\n jwk: JsonWebKey,\n scheme: RSAEncryptionSchemes | RSASignatureSchemes,\n hashAlgorithm?: HashAlgorithm\n): Promise<CryptoKey> => {\n const hashName = hashAlgorithm ? hashAlgorithm : jwk.alg ? `SHA-${jwk.alg.substring(2)}` : 'SHA-256'\n\n const importParams: RsaHashedImportParams = { name: scheme, hash: hashName }\n return await globalCrypto(false).subtle.importKey('jwk', jwk as JsonWebKey, importParams, false, usage(jwk))\n}\n\nexport const generateRSAKeyAsPEM = async (\n scheme: RSAEncryptionSchemes | RSASignatureSchemes,\n hashAlgorithm?: HashAlgorithm,\n modulusLength?: number\n): Promise<string> => {\n const hashName = hashAlgorithm ? hashAlgorithm : 'SHA-256'\n\n const params: RsaHashedKeyGenParams = {\n name: scheme,\n hash: hashName,\n modulusLength: modulusLength ? modulusLength : 2048,\n publicExponent: new Uint8Array([1, 0, 1]),\n }\n const keyUsage: KeyUsage[] = scheme === 'RSA-PSS' || scheme === 'RSASSA-PKCS1-V1_5' ? ['sign', 'verify'] : ['encrypt', 'decrypt']\n\n const keypair = await globalCrypto(false).subtle.generateKey(params, true, keyUsage)\n const pkcs8 = await globalCrypto(false).subtle.exportKey('pkcs8', keypair.privateKey)\n\n const uint8Array = new Uint8Array(pkcs8)\n return derToPEM(toString(uint8Array, 'base64pad'), 'RSA PRIVATE KEY')\n}\n","import { webcrypto } from 'node:crypto'\nexport const globalCrypto = (setGlobal: boolean, suppliedCrypto?: webcrypto.Crypto): webcrypto.Crypto => {\n let webcrypto: webcrypto.Crypto\n if (typeof suppliedCrypto !== 'undefined') {\n webcrypto = suppliedCrypto\n } else if (typeof crypto !== 'undefined') {\n webcrypto = crypto\n } else if (typeof global.crypto !== 'undefined') {\n webcrypto = global.crypto\n } else {\n // @ts-ignore\n if (typeof global.window?.crypto?.subtle !== 'undefined') {\n // @ts-ignore\n webcrypto = global.window.crypto\n } else {\n // @ts-ignore\n webcrypto = require('crypto') as webcrypto.Crypto\n }\n }\n if (setGlobal) {\n global.crypto = webcrypto\n }\n\n return webcrypto\n}\n","import { X509Certificate } from '@peculiar/x509'\nimport { Certificate } from 'pkijs'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString, toString } = u8a\n// @ts-ignore\nimport keyto from '@trust/keyto'\nimport type { KeyVisibility } from '../types'\n\nimport type { JsonWebKey } from '@sphereon/ssi-types'\n// Based on (MIT licensed):\n// https://github.com/hildjj/node-posh/blob/master/lib/index.js\nexport function pemCertChainTox5c(cert: string, maxDepth?: number): string[] {\n if (!maxDepth) {\n maxDepth = 0\n }\n /*\n * Convert a PEM-encoded certificate to the version used in the x5c element\n * of a [JSON Web Key](http://tools.ietf.org/html/draft-ietf-jose-json-web-key).\n *\n * `cert` PEM-encoded certificate chain\n * `maxdepth` The maximum number of certificates to use from the chain.\n */\n\n const intermediate = cert\n .replace(/-----[^\\n]+\\n?/gm, ',')\n .replace(/\\n/g, '')\n .replace(/\\r/g, '')\n let x5c = intermediate.split(',').filter(function (c) {\n return c.length > 0\n })\n if (maxDepth > 0) {\n x5c = x5c.splice(0, maxDepth)\n }\n return x5c\n}\n\nexport function x5cToPemCertChain(x5c: string[], maxDepth?: number): string {\n if (!maxDepth) {\n maxDepth = 0\n }\n const length = maxDepth === 0 ? x5c.length : Math.min(maxDepth, x5c.length)\n let pem = ''\n for (let i = 0; i < length; i++) {\n pem += derToPEM(x5c[i], 'CERTIFICATE')\n }\n return pem\n}\n\nexport const pemOrDerToX509Certificate = (cert: string | Uint8Array | X509Certificate): Certificate => {\n let DER: string | undefined = typeof cert === 'string' ? cert : undefined\n if (typeof cert === 'object' && !(cert instanceof Uint8Array)) {\n // X509Certificate object\n return Certificate.fromBER(cert.rawData)\n } else if (typeof cert !== 'string') {\n return Certificate.fromBER(cert)\n } else if (cert.includes('CERTIFICATE')) {\n DER = PEMToDer(cert)\n }\n if (!DER) {\n throw Error('Invalid cert input value supplied. PEM, DER, Bytes and X509Certificate object are supported')\n }\n return Certificate.fromBER(fromString(DER, 'base64pad'))\n}\n\nexport const areCertificatesEqual = (cert1: Certificate, cert2: Certificate): boolean => {\n return cert1.signatureValue.isEqual(cert2.signatureValue)\n}\n\nexport const toKeyObject = (PEM: string, visibility: KeyVisibility = 'public') => {\n const jwk = PEMToJwk(PEM, visibility)\n const keyVisibility: KeyVisibility = jwk.d ? 'private' : 'public'\n const keyHex = keyVisibility === 'private' ? privateKeyHexFromPEM(PEM) : publicKeyHexFromPEM(PEM)\n\n return {\n pem: hexToPEM(keyHex, visibility),\n jwk,\n keyHex,\n keyType: keyVisibility,\n }\n}\n\nexport const jwkToPEM = (jwk: JsonWebKey, visibility: KeyVisibility = 'public'): string => {\n return keyto.from(jwk, 'jwk').toString('pem', visibility === 'public' ? 'public_pkcs8' : 'private_pkcs8')\n}\n\nexport const PEMToJwk = (pem: string, visibility: KeyVisibility = 'public'): JsonWebKey => {\n return keyto.from(pem, 'pem').toJwk(visibility)\n}\nexport const privateKeyHexFromPEM = (PEM: string) => {\n return PEMToHex(PEM)\n}\n\nexport const hexKeyFromPEMBasedJwk = (jwk: JsonWebKey, visibility: KeyVisibility = 'public'): string => {\n if (visibility === 'private') {\n return privateKeyHexFromPEM(jwkToPEM(jwk, 'private'))\n } else {\n return publicKeyHexFromPEM(jwkToPEM(jwk, 'public'))\n }\n}\n\nexport const publicKeyHexFromPEM = (PEM: string) => {\n const hex = PEMToHex(PEM)\n if (PEM.includes('CERTIFICATE')) {\n throw Error('Cannot directly deduce public Key from PEM Certificate yet')\n } else if (!PEM.includes('PRIVATE')) {\n return hex\n }\n const publicJwk = PEMToJwk(PEM, 'public')\n const publicPEM = jwkToPEM(publicJwk, 'public')\n return PEMToHex(publicPEM)\n}\n\nexport const PEMToHex = (PEM: string, headerKey?: string): string => {\n if (PEM.indexOf('-----BEGIN ') == -1) {\n throw Error(`PEM header not found: ${headerKey}`)\n }\n\n let strippedPem: string\n if (headerKey) {\n strippedPem = PEM.replace(new RegExp('^[^]*-----BEGIN ' + headerKey + '-----'), '')\n strippedPem = strippedPem.replace(new RegExp('-----END ' + headerKey + '-----[^]*$'), '')\n } else {\n strippedPem = PEM.replace(/^[^]*-----BEGIN [^-]+-----/, '')\n strippedPem = strippedPem.replace(/-----END [^-]+-----[^]*$/, '')\n }\n return base64ToHex(strippedPem, 'base64pad')\n}\n\nexport function PEMToBinary(pem: string): Uint8Array {\n const pemContents = pem\n .replace(/^[^]*-----BEGIN [^-]+-----/, '')\n .replace(/-----END [^-]+-----[^]*$/, '')\n .replace(/\\s/g, '')\n\n return fromString(pemContents, 'base64pad')\n}\n\n/**\n * Converts a base64 encoded string to hex string, removing any non-base64 characters, including newlines\n * @param input The input in base64, with optional newlines\n * @param inputEncoding\n */\nexport const base64ToHex = (input: string, inputEncoding?: 'base64' | 'base64pad' | 'base64url' | 'base64urlpad') => {\n const base64NoNewlines = input.replace(/[^0-9A-Za-z_\\-~\\/+=]*/g, '')\n return toString(fromString(base64NoNewlines, inputEncoding ? inputEncoding : 'base64pad'), 'base16')\n}\n\nexport const hexToBase64 = (input: number | object | string, targetEncoding?: 'base64' | 'base64pad' | 'base64url' | 'base64urlpad'): string => {\n let hex = typeof input === 'string' ? input : input.toString(16)\n if (hex.length % 2 === 1) {\n hex = `0${hex}`\n }\n return toString(fromString(hex, 'base16'), targetEncoding ? targetEncoding : 'base64pad')\n}\n\nexport const hexToPEM = (hex: string, type: KeyVisibility): string => {\n const base64 = hexToBase64(hex, 'base64pad')\n const headerKey = type === 'private' ? 'RSA PRIVATE KEY' : 'PUBLIC KEY'\n if (type === 'private') {\n const pem = derToPEM(base64, headerKey)\n try {\n PEMToJwk(pem) // We only use it to test the private key\n return pem\n } catch (error) {\n return derToPEM(base64, 'PRIVATE KEY')\n }\n }\n return derToPEM(base64, headerKey)\n}\n\nexport function PEMToDer(pem: string): string {\n return pem.replace(/(-----(BEGIN|END) CERTIFICATE-----|[\\n\\r])/g, '')\n}\n\nexport function derToPEM(cert: string, headerKey?: 'PUBLIC KEY' | 'RSA PRIVATE KEY' | 'PRIVATE KEY' | 'CERTIFICATE'): string {\n const key = headerKey ?? 'CERTIFICATE'\n if (cert.includes(key)) {\n // Was already in PEM it seems\n return cert\n }\n const matches = cert.match(/.{1,64}/g)\n if (!matches) {\n throw Error('Invalid cert input value supplied')\n }\n return `-----BEGIN ${key}-----\\n${matches.join('\\n')}\\n-----END ${key}-----\\n`\n}\n","// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString, toString } = u8a\nimport type { HashAlgorithm, KeyVisibility } from '../types'\nimport { globalCrypto } from './crypto'\nimport { cryptoSubtleImportRSAKey, RSAEncryptionSchemes, RSASignatureSchemes } from './rsa-key'\nimport { PEMToJwk } from './x509-utils'\nimport type { JsonWebKey } from '@sphereon/ssi-types'\n// @ts-ignore\nimport { CryptoKey, RsaPssParams, AlgorithmIdentifier } from 'node'\nexport class RSASigner {\n private readonly hashAlgorithm: HashAlgorithm\n private readonly jwk: JsonWebKey\n\n private key: CryptoKey | undefined\n private readonly scheme: RSAEncryptionSchemes | RSASignatureSchemes\n\n /**\n *\n * @param key Either in PEM or JWK format (no raw hex keys here!)\n * @param opts The algorithm and signature/encryption schemes\n */\n constructor(\n key: string | JsonWebKey,\n opts?: { hashAlgorithm?: HashAlgorithm; scheme?: RSAEncryptionSchemes | RSASignatureSchemes; visibility?: KeyVisibility }\n ) {\n if (typeof key === 'string') {\n this.jwk = PEMToJwk(key, opts?.visibility)\n } else {\n this.jwk = key\n }\n\n this.hashAlgorithm = opts?.hashAlgorithm ?? 'SHA-256'\n this.scheme = opts?.scheme ?? 'RSA-PSS'\n }\n\n private getImportParams(): AlgorithmIdentifier | RsaPssParams {\n if (this.scheme === 'RSA-PSS') {\n return { name: this.scheme, saltLength: 32 }\n }\n return { name: this.scheme /*, hash: this.hashAlgorithm*/ }\n }\n\n private async getKey(): Promise<CryptoKey> {\n if (!this.key) {\n this.key = await cryptoSubtleImportRSAKey(this.jwk, this.scheme, this.hashAlgorithm)\n }\n return this.key\n }\n\n private bufferToString(buf: ArrayBuffer) {\n const uint8Array = new Uint8Array(buf)\n return toString(uint8Array, 'base64url') // Needs to be base64url for JsonWebSignature2020. Don't change!\n }\n\n public async sign(data: Uint8Array): Promise<string> {\n const input = data\n const key = await this.getKey()\n const signature = this.bufferToString(await globalCrypto(false).subtle.sign(this.getImportParams(), key, input))\n if (!signature) {\n throw Error('Could not sign input data')\n }\n\n // base64url signature\n return signature\n }\n\n public async verify(data: string | Uint8Array, signature: string): Promise<boolean> {\n const jws = signature.includes('.') ? signature.split('.')[2] : signature\n\n const input = typeof data == 'string' ? fromString(data, 'utf-8') : data\n\n let key = await this.getKey()\n if (!key.usages.includes('verify')) {\n const verifyJwk = { ...this.jwk }\n delete verifyJwk.d\n delete verifyJwk.use\n delete verifyJwk.key_ops\n key = await cryptoSubtleImportRSAKey(verifyJwk, this.scheme, this.hashAlgorithm)\n }\n const verificationResult = await globalCrypto(false).subtle.verify(this.getImportParams(), key, fromString(jws, 'base64url'), input)\n return verificationResult\n }\n}\n","import { AsnParser } from '@peculiar/asn1-schema'\nimport { SubjectPublicKeyInfo } from '@peculiar/asn1-x509'\nimport { AlgorithmProvider, X509Certificate } from '@peculiar/x509'\n// import {calculateJwkThumbprint} from \"@sphereon/ssi-sdk-ext.key-utils\";\nimport { JWK } from '@sphereon/ssi-types'\nimport x509 from 'js-x509-utils'\nimport { AltName, AttributeTypeAndValue, Certificate, CryptoEngine, getCrypto, id_SubjectAltName, setEngine } from 'pkijs'\nimport { container } from 'tsyringe'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString, toString } = u8a\nimport { globalCrypto } from './crypto'\nimport { areCertificatesEqual, derToPEM, pemOrDerToX509Certificate } from './x509-utils'\n\nexport type DNInfo = {\n DN: string\n attributes: Record<string, string>\n}\n\nexport type CertificateInfo = {\n certificate?: any // We need to fix the schema generator for this to be Certificate(Json) from pkijs\n notBefore: Date\n notAfter: Date\n publicKeyJWK?: any\n issuer: {\n dn: DNInfo\n }\n subject: {\n dn: DNInfo\n subjectAlternativeNames: SubjectAlternativeName[]\n }\n}\n\nexport type X509ValidationResult = {\n error: boolean\n critical: boolean\n message: string\n detailMessage?: string\n verificationTime: Date\n certificateChain?: Array<CertificateInfo>\n trustAnchor?: CertificateInfo\n client?: {\n // In case client id and scheme were passed in we return them for easy access. It means they are validated\n clientId: string\n clientIdScheme: ClientIdScheme\n }\n}\n\nconst defaultCryptoEngine = () => {\n const name = 'crypto'\n setEngine(name, new CryptoEngine({ name, crypto: globalCrypto(false) }))\n return getCrypto(true)\n}\n\nexport const getCertificateInfo = async (\n certificate: Certificate,\n opts?: {\n sanTypeFilter: SubjectAlternativeGeneralName | SubjectAlternativeGeneralName[]\n }\n): Promise<CertificateInfo> => {\n let publicKeyJWK: JWK | undefined\n try {\n publicKeyJWK = (await getCertificateSubjectPublicKeyJWK(certificate)) as JWK\n } catch (e) {}\n return {\n issuer: { dn: getIssuerDN(certificate) },\n subject: {\n dn: getSubjectDN(certificate),\n subjectAlternativeNames: getSubjectAlternativeNames(certificate, { typeFilter: opts?.sanTypeFilter }),\n },\n publicKeyJWK,\n notBefore: certificate.notBefore.value,\n notAfter: certificate.notAfter.value,\n // certificate\n } satisfies CertificateInfo\n}\n\nexport type X509CertificateChainValidationOpts = {\n // If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)\n allowNoTrustAnchorsFound?: boolean\n\n // Trust the supplied root from the chain, when no anchors are being passed in.\n trustRootWhenNoAnchors?: boolean\n // Do not perform a chain validation check if the chain only has a single value. This means only the certificate itself will be validated. No chain checks for CA certs will be performed. Only used when the cert has no issuer\n allowSingleNoCAChainElement?: boolean\n // WARNING: Do not use in production\n // Similar to regular trust anchors, but no validation is performed whatsoever. Do not use in production settings! Can be handy with self generated certificates as we perform many validations, making it hard to test with self-signed certs. Only applied in case a chain with 1 element is passed in to really make sure people do not abuse this option\n blindlyTrustedAnchors?: string[]\n\n disallowReversedChain?: boolean\n\n client?: {\n // If provided both are required. Validates the leaf certificate against the clientId and scheme\n clientId: string\n clientIdScheme: ClientIdScheme\n }\n}\n\nexport const validateX509CertificateChain = async ({\n chain: pemOrDerChain,\n trustAnchors,\n verificationTime = new Date(),\n opts = {\n // If no trust anchor is found, but the chain itself checks out, allow. (defaults to false:)\n allowNoTrustAnchorsFound: false,\n trustRootWhenNoAnchors: false,\n allowSingleNoCAChainElement: true,\n blindlyTrustedAnchors: [],\n disallowReversedChain: false,\n },\n}: {\n chain: (Uint8Array | string)[]\n trustAnchors?: string[]\n verificationTime?: Date\n opts?: X509CertificateChainValidationOpts\n}): Promise<X509ValidationResult> => {\n // We allow 1 reversal. We reverse by default as the implementation expects the root ca first, whilst x5c is the opposite. Reversed becomes true if the impl reverses the chain\n return await validateX509CertificateChainImpl({\n reversed: false,\n chain: [...pemOrDerChain].reverse(),\n trustAnchors,\n verificationTime,\n opts,\n })\n}\nconst validateX509CertificateChainImpl = async ({\n reversed,\n chain: pemOrDerChain,\n trustAnchors,\n verificationTime: verifyAt,\n opts,\n}: {\n reversed: boolean\n chain: (Uint8Array | string)[]\n trustAnchors?: string[]\n verificationTime: Date | string // string for REST API\n opts: X509CertificateChainValidationOpts\n}): Promise<X509ValidationResult> => {\n const verificationTime: Date = typeof verifyAt === 'string' ? new Date(verifyAt) : verifyAt\n const {\n allowNoTrustAnchorsFound = false,\n trustRootWhenNoAnchors = false,\n allowSingleNoCAChainElement = true,\n blindlyTrustedAnchors = [],\n disallowReversedChain = false,\n client,\n } = opts\n const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors\n\n if (pemOrDerChain.length === 0) {\n return {\n error: true,\n critical: true,\n message: 'Certificate chain in DER or PEM format must not be empty',\n verificationTime,\n }\n }\n defaultCryptoEngine()\n\n // x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around. Before calling this function the change has been revered\n const chain = await Promise.all(pemOrDerChain.map((raw) => parseCertificate(raw)))\n const x5cOrdereredChain = reversed ? [...chain] : [...chain].reverse()\n\n const trustedCerts = trustedPEMs ? await Promise.all(trustedPEMs.map((raw) => parseCertificate(raw))) : undefined\n const blindlyTrusted =\n (\n await Promise.all(\n blindlyTrustedAnchors.map((raw) => {\n try {\n return parseCertificate(raw)\n } catch (e) {\n // @ts-ignore\n console.log(`Failed to parse blindly trusted certificate ${raw}. Error: ${e.message}`)\n return undefined\n }\n })\n )\n ).filter((cert): cert is ParsedCertificate => cert !== undefined) ?? []\n const leafCert = x5cOrdereredChain[0]\n\n const chainLength = chain.length\n var foundTrustAnchor: ParsedCertificate | undefined = undefined\n for (let i = 0; i < chainLength; i++) {\n const currentCert = chain[i]\n const previousCert = i > 0 ? chain[i - 1] : undefined\n const blindlyTrustedCert = blindlyTrusted.find((trusted) => areCertificatesEqual(trusted.certificate, currentCert.certificate))\n if (blindlyTrustedCert) {\n console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)\n return {\n error: false,\n critical: false,\n message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,\n detailMessage: `Blindly trusted certificate ${blindlyTrustedCert.certificateInfo.subject.dn.DN} was found in the chain.`,\n trustAnchor: blindlyTrustedCert?.certificateInfo,\n verificationTime,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n ...(client && { client }),\n }\n }\n if (previousCert) {\n if (currentCert.x509Certificate.issuer !== previousCert.x509Certificate.subject) {\n if (!reversed && !disallowReversedChain) {\n return await validateX509CertificateChainImpl({\n reversed: true,\n chain: [...pemOrDerChain].reverse(),\n opts,\n verificationTime,\n trustAnchors,\n })\n }\n return {\n error: true,\n critical: true,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,\n detailMessage: `The certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer}, is not signed by the previous certificate ${previousCert?.certificateInfo.subject.dn.DN} with subject string ${previousCert?.x509Certificate.subject}.`,\n verificationTime,\n ...(client && { client }),\n }\n }\n }\n const result = await currentCert.x509Certificate.verify(\n {\n date: verificationTime,\n publicKey: previousCert?.x509Certificate?.publicKey,\n },\n getCrypto()?.crypto ?? crypto ?? global.crypto\n )\n if (!result) {\n // First cert needs to be self signed\n if (i == 0 && !reversed && !disallowReversedChain) {\n return await validateX509CertificateChainImpl({\n reversed: true,\n chain: [...pemOrDerChain].reverse(),\n opts,\n verificationTime,\n trustAnchors,\n })\n }\n\n return {\n error: true,\n critical: true,\n message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n detailMessage: `Verification of the certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${\n currentCert.x509Certificate.issuer\n } failed. Public key: ${JSON.stringify(currentCert.certificateInfo.publicKeyJWK)}.`,\n verificationTime,\n ...(client && { client }),\n }\n }\n\n foundTrustAnchor = foundTrustAnchor ?? trustedCerts?.find((trusted) => isSameCertificate(trusted.x509Certificate, currentCert.x509Certificate))\n\n if (i === 0 && chainLength === 1 && allowSingleNoCAChainElement) {\n return {\n error: false,\n critical: false,\n message: `Certificate chain succeeded as allow single cert result is allowed: ${leafCert.certificateInfo.subject.dn.DN}.`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n trustAnchor: foundTrustAnchor?.certificateInfo,\n verificationTime,\n ...(client && { client }),\n }\n }\n }\n\n if (foundTrustAnchor?.certificateInfo || allowNoTrustAnchorsFound) {\n return {\n error: false,\n critical: false,\n message: `Certificate chain was valid`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n detailMessage: foundTrustAnchor\n ? `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} is part of a chain with trust anchor ${foundTrustAnchor?.certificateInfo.subject.dn.DN}.`\n : `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} and chain were valid, but no trust anchor has been found. Ignoring as user allowed (allowNoTrustAnchorsFound: ${allowNoTrustAnchorsFound}).)`,\n trustAnchor: foundTrustAnchor?.certificateInfo,\n verificationTime,\n ...(client && { client }),\n }\n }\n\n return {\n error: true,\n critical: true,\n message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,\n certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),\n detailMessage: `No trust anchor was found in the chain. between (intermediate) CA ${\n x5cOrdereredChain[chain.length - 1].certificateInfo.subject.dn.DN\n } and leaf ${x5cOrdereredChain[0].certificateInfo.subject.dn.DN}.`,\n verificationTime,\n ...(client && { client }),\n }\n}\n\nconst isSameCertificate = (cert1: X509Certificate, cert2: X509Certificate): boolean => {\n return cert1.rawData.toString() === cert2.rawData.toString()\n}\n\nconst algorithmProvider: AlgorithmProvider = container.resolve(AlgorithmProvider)\nexport const getX509AlgorithmProvider = (): AlgorithmProvider => {\n return algorithmProvider\n}\n\nexport type ParsedCertificate = {\n publicKeyInfo: SubjectPublicKeyInfo\n publicKeyJwk?: JWK\n publicKeyRaw: Uint8Array\n // @ts-ignore\n publicKeyAlgorithm: Algorithm\n certificateInfo: CertificateInfo\n certificate: Certificate\n x509Certificate: X509Certificate\n}\n\nexport const parseCertificate = async (rawCert: string | Uint8Array): Promise<ParsedCertificate> => {\n const x509Certificate = new X509Certificate(rawCert)\n const publicKeyInfo = AsnParser.parse(x509Certificate.publicKey.rawData, SubjectPublicKeyInfo)\n const publicKeyRaw = new Uint8Array(publicKeyInfo.subjectPublicKey)\n let publicKeyJwk: JWK | undefined = undefined\n try {\n publicKeyJwk = (await getCertificateSubjectPublicKeyJWK(new Uint8Array(x509Certificate.rawData))) as JWK\n } catch (e: any) {\n console.error(e.message)\n }\n const certificate = pemOrDerToX509Certificate(rawCert)\n const certificateInfo = await getCertificateInfo(certificate)\n const publicKeyAlgorithm = getX509AlgorithmProvider().toWebAlgorithm(publicKeyInfo.algorithm)\n return {\n publicKeyAlgorithm,\n publicKeyInfo,\n publicKeyJwk,\n publicKeyRaw,\n certificateInfo,\n certificate,\n x509Certificate,\n }\n}\n/*\n\n/!**\n *\n * @param pemOrDerChain The order must be that the Certs signing another cert must come one after another. So first the signing cert, then any cert signing that cert and so on\n * @param trustedPEMs\n * @param verificationTime\n * @param opts\n *!/\nexport const validateX509CertificateChainOrg = async ({\n chain: pemOrDerChain,\n trustAnchors,\n verificationTime = new Date(),\n opts = {\n trustRootWhenNoAnchors: false,\n allowSingleNoCAChainElement: true,\n blindlyTrustedAnchors: [],\n },\n }: {\n chain: (Uint8Array | string)[]\n trustAnchors?: string[]\n verificationTime?: Date\n opts?: X509CertificateChainValidationOpts\n}): Promise<X509ValidationResult> => {\n const {\n trustRootWhenNoAnchors = false,\n allowSingleNoCAChainElement = true,\n blindlyTrustedAnchors = [],\n client\n } = opts\n const trustedPEMs = trustRootWhenNoAnchors && !trustAnchors ? [pemOrDerChain[pemOrDerChain.length - 1]] : trustAnchors\n\n if (pemOrDerChain.length === 0) {\n return {\n error: true,\n critical: true,\n message: 'Certificate chain in DER or PEM format must not be empty',\n verificationTime,\n }\n }\n\n // x5c always starts with the leaf cert at index 0 and then the cas. Our internal pkijs service expects it the other way around\n const certs = pemOrDerChain.map(pemOrDerToX509Certificate).reverse()\n const trustedCerts = trustedPEMs ? trustedPEMs.map(pemOrDerToX509Certificate) : undefined\n defaultCryptoEngine()\n\n if (pemOrDerChain.length === 1) {\n const singleCert = typeof pemOrDerChain[0] === 'string' ? pemOrDerChain[0] : u8a.toString(pemOrDerChain[0], 'base64pad')\n const cert = pemOrDerToX509Certificate(singleCert)\n if (client) {\n const validation = await validateCertificateChainMatchesClientIdScheme(cert, client.clientId, client.clientIdScheme)\n if (validation.error) {\n return validation\n }\n }\n if (blindlyTrustedAnchors.includes(singleCert)) {\n console.log(`Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`)\n return {\n error: false,\n critical: true,\n message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,\n verificationTime,\n certificateChain: [await getCertificateInfo(cert)],\n ...(client && {client}),\n }\n }\n if (allowSingleNoCAChainElement) {\n const subjectDN = getSubjectDN(cert).DN\n if (!getIssuerDN(cert).DN || getIssuerDN(cert).DN === subjectDN) {\n const passed = await cert.verify()\n return {\n error: !passed,\n critical: true,\n message: `Certificate chain validation for ${subjectDN}: ${passed ? 'successful' : 'failed'}.`,\n verificationTime,\n certificateChain: [await getCertificateInfo(cert)],\n ...(client && {client}),\n }\n }\n }\n }\n\n const validationEngine = new CertificateChainValidationEngine({\n certs /!*crls: [crl1], ocsps: [ocsp1], *!/,\n checkDate: verificationTime,\n trustedCerts,\n })\n\n try {\n const verification = await validationEngine.verify()\n if (!verification.result || !verification.certificatePath) {\n return {\n error: true,\n critical: true,\n message: verification.resultMessage !== '' ? verification.resultMessage : `Certificate chain validation failed.`,\n verificationTime,\n ...(client && {client}),\n }\n }\n const certPath = verification.certificatePath\n if (client) {\n const clientIdValidation = await validateCertificateChainMatchesClientIdScheme(certs[0], client.clientId, client.clientIdScheme)\n if (clientIdValidation.error) {\n return clientIdValidation\n }\n }\n let certInfos: Array<CertificateInfo> | undefined\n\n for (const certificate of certPath) {\n try {\n certInfos?.push(await getCertificateInfo(certificate))\n } catch (e: any) {\n console.log(`Error getting certificate info ${e.message}`)\n }\n }\n\n\n return {\n error: false,\n critical: false,\n message: `Certificate chain was valid`,\n verificationTime,\n certificateChain: certInfos,\n ...(client && {client}),\n }\n } catch (error: any) {\n return {\n error: true,\n critical: true,\n message: `Certificate chain was invalid, ${error.message ?? '<unknown error>'}`,\n verificationTime,\n ...(client && {client}),\n }\n }\n}\n*/\n\nconst rdnmap: Record<string, string> = {\n '2.5.4.6': 'C',\n '2.5.4.10': 'O',\n '2.5.4.11': 'OU',\n '2.5.4.3': 'CN',\n '2.5.4.7': 'L',\n '2.5.4.8': 'ST',\n '2.5.4.12': 'T',\n '2.5.4.42': 'GN',\n '2.5.4.43': 'I',\n '2.5.4.4': 'SN',\n '1.2.840.113549.1.9.1': 'E-mail',\n}\n\nexport const getIssuerDN = (cert: Certificate): DNInfo => {\n return {\n DN: getDNString(cert.issuer.typesAndValues),\n attributes: getDNObject(cert.issuer.typesAndValues),\n }\n}\n\nexport const getSubjectDN = (cert: Certificate): DNInfo => {\n return {\n DN: getDNString(cert.subject.typesAndValues),\n attributes: getDNObject(cert.subject.typesAndValues),\n }\n}\n\nconst getDNObject = (typesAndValues: AttributeTypeAndValue[]): Record<string, string> => {\n const DN: Record<string, string> = {}\n for (const typeAndValue of typesAndValues) {\n const type = rdnmap[typeAndValue.type] ?? typeAndValue.type\n DN[type] = typeAndValue.value.getValue()\n }\n return DN\n}\nconst getDNString = (typesAndValues: AttributeTypeAndValue[]): string => {\n return Object.entries(getDNObject(typesAndValues))\n .map(([key, value]) => `${key}=${value}`)\n .join(',')\n}\n\nexport const getCertificateSubjectPublicKeyJWK = async (pemOrDerCert: string | Uint8Array | Certificate): Promise<JWK> => {\n const pemOrDerStr =\n typeof pemOrDerCert === 'string'\n ? toString(fromString(pemOrDerCert, 'base64pad'), 'base64pad')\n : pemOrDerCert instanceof Uint8Array\n ? toString(pemOrDerCert, 'base64pad')\n : toString(fromString(pemOrDerCert.toString('base64'), 'base64pad'), 'base64pad')\n const pem = derToPEM(pemOrDerStr)\n const certificate = pemOrDerToX509Certificate(pem)\n var jwk: JWK | undefined\n try {\n const subtle = getCrypto(true).subtle\n const pk = await certificate.getPublicKey(undefined, defaultCryptoEngine())\n jwk = (await subtle.exportKey('jwk', pk)) as JWK | undefined\n } catch (error: any) {\n console.log(`Error in primary get JWK from cert:`, error?.message)\n }\n if (!jwk) {\n try {\n jwk = (await x509.toJwk(pem, 'pem')) as JWK\n } catch (error: any) {\n console.log(`Error in secondary get JWK from cert as well:`, error?.message)\n }\n }\n if (!jwk) {\n throw Error(`Failed to get JWK from certificate ${pem}`)\n }\n return jwk\n}\n\n/**\n * otherName [0] OtherName,\n * rfc822Name [1] IA5String,\n * dNSName [2] IA5String,\n * x400Address [3] ORAddress,\n * directoryName [4] Name,\n * ediPartyName [5] EDIPartyName,\n * uniformResourceIdentifier [6] IA5String,\n * iPAddress [7] OCTET STRING,\n * registeredID [8] OBJECT IDENTIFIER }\n */\nexport enum SubjectAlternativeGeneralName {\n rfc822Name = 1, // email\n dnsName = 2,\n uniformResourceIdentifier = 6,\n ipAddress = 7,\n}\n\nexport interface SubjectAlternativeName {\n value: string\n type: SubjectAlternativeGeneralName\n}\n\nexport type ClientIdScheme = 'x509_san_dns' | 'x509_san_uri'\n\nexport const assertCertificateMatchesClientIdScheme = (certificate: Certificate, clientId: string, clientIdScheme: ClientIdScheme): void => {\n const sans = getSubjectAlternativeNames(certificate, { clientIdSchemeFilter: clientIdScheme })\n const clientIdMatches = sans.find((san) => san.value === clientId)\n if (!clientIdMatches) {\n throw Error(\n `Client id scheme ${clientIdScheme} used had no matching subject alternative names in certificate with DN ${\n getSubjectDN(certificate).DN\n }. SANS: ${sans.map((san) => san.value).join(',')}`\n )\n }\n}\n\nexport const validateCertificateChainMatchesClientIdScheme = async (\n certificate: Certificate,\n clientId: string,\n clientIdScheme: ClientIdScheme\n): Promise<X509ValidationResult> => {\n const result = {\n error: true,\n critical: true,\n message: `Client Id ${clientId} was not present in certificate using scheme ${clientIdScheme}`,\n client: {\n clientId,\n clientIdScheme,\n },\n certificateChain: [await getCertificateInfo(certificate)],\n verificationTime: new Date(),\n }\n try {\n assertCertificateMatchesClientIdScheme(certificate, clientId, clientIdScheme)\n } catch (error) {\n return result\n }\n result.error = false\n result.message = `Client Id ${clientId} was present in certificate using scheme ${clientIdScheme}`\n return result\n}\n\nexport const getSubjectAlternativeNames = (\n certificate: Certificate,\n opts?: {\n typeFilter?: SubjectAlternativeGeneralName | SubjectAlternativeGeneralName[]\n // When a clientIdchemeFilter is passed in it will always override the above type filter\n clientIdSchemeFilter?: ClientIdScheme\n }\n): SubjectAlternativeName[] => {\n let typeFilter: SubjectAlternativeGeneralName[]\n if (opts?.clientIdSchemeFilter) {\n typeFilter =\n opts.clientIdSchemeFilter === 'x509_san_dns'\n ? [SubjectAlternativeGeneralName.dnsName]\n : [SubjectAlternativeGeneralName.uniformResourceIdentifier]\n } else if (opts?.typeFilter) {\n typeFilter = Array.isArray(opts.typeFilter) ? opts.typeFilter : [opts.typeFilter]\n } else {\n typeFilter = [SubjectAlternativeGeneralName.dnsName, SubjectAlternativeGeneralName.uniformResourceIdentifier]\n }\n const parsedValue = certificate.extensions?.find((ext) => ext.extnID === id_SubjectAltName)?.parsedValue as AltName\n if (!parsedValue) {\n return []\n }\n const altNames = parsedValue.toJSON().altNames\n return altNames\n .filter((altName) => typeFilter.includes(altName.type))\n .map((altName) => {\n return { type: altName.type, value: altName.value } satisfies SubjectAlternativeName\n })\n}\n"],"mappings":";;;;;;;;;;AAAO,IAAKA,YAAAA,yBAAAA,YAAAA;;;SAAAA;;;;ACIZ,YAAYC,UAAS;;;ACHd,IAAMC,eAAe,wBAACC,WAAoBC,mBAAAA;AAC/C,MAAIC;AACJ,MAAI,OAAOD,mBAAmB,aAAa;AACzCC,gBAAYD;EACd,WAAW,OAAOE,WAAW,aAAa;AACxCD,gBAAYC;EACd,WAAW,OAAOC,OAAOD,WAAW,aAAa;AAC/CD,gBAAYE,OAAOD;EACrB,OAAO;AAEL,QAAI,OAAOC,OAAOC,QAAQF,QAAQG,WAAW,aAAa;AAExDJ,kBAAYE,OAAOC,OAAOF;IAC5B,OAAO;AAELD,kBAAYK,UAAQ,QAAA;IACtB;EACF;AACA,MAAIP,WAAW;AACbI,WAAOD,SAASD;EAClB;AAEA,SAAOA;AACT,GAvB4B;;;ACA5B,SAASM,mBAAmB;AAE5B,YAAYC,SAAS;AAGrB,OAAOC,WAAW;AAFlB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAQ1B,SAASC,kBAAkBC,MAAcC,UAAiB;AAC/D,MAAI,CAACA,UAAU;AACbA,eAAW;EACb;AASA,QAAMC,eAAeF,KAClBG,QAAQ,oBAAoB,GAAA,EAC5BA,QAAQ,OAAO,EAAA,EACfA,QAAQ,OAAO,EAAA;AAClB,MAAIC,MAAMF,aAAaG,MAAM,GAAA,EAAKC,OAAO,SAAUC,GAAC;AAClD,WAAOA,EAAEC,SAAS;EACpB,CAAA;AACA,MAAIP,WAAW,GAAG;AAChBG,UAAMA,IAAIK,OAAO,GAAGR,QAAAA;EACtB;AACA,SAAOG;AACT;AAvBgBL;AAyBT,SAASW,kBAAkBN,KAAeH,UAAiB;AAChE,MAAI,CAACA,UAAU;AACbA,eAAW;EACb;AACA,QAAMO,SAASP,aAAa,IAAIG,IAAII,SAASG,KAAKC,IAAIX,UAAUG,IAAII,MAAM;AAC1E,MAAIK,MAAM;AACV,WAASC,IAAI,GAAGA,IAAIN,QAAQM,KAAK;AAC/BD,WAAOE,SAASX,IAAIU,CAAAA,GAAI,aAAA;EAC1B;AACA,SAAOD;AACT;AAVgBH;AAYT,IAAMM,4BAA4B,wBAAChB,SAAAA;AACxC,MAAIiB,MAA0B,OAAOjB,SAAS,WAAWA,OAAOkB;AAChE,MAAI,OAAOlB,SAAS,YAAY,EAAEA,gBAAgBmB,aAAa;AAE7D,WAAOC,YAAYC,QAAQrB,KAAKsB,OAAO;EACzC,WAAW,OAAOtB,SAAS,UAAU;AACnC,WAAOoB,YAAYC,QAAQrB,IAAAA;EAC7B,WAAWA,KAAKuB,SAAS,aAAA,GAAgB;AACvCN,UAAMO,SAASxB,IAAAA;EACjB;AACA,MAAI,CAACiB,KAAK;AACR,UAAMQ,MAAM,6FAAA;EACd;AACA,SAAOL,YAAYC,QAAQzB,WAAWqB,KAAK,WAAA,CAAA;AAC7C,GAdyC;AAgBlC,IAAMS,uBAAuB,wBAACC,OAAoBC,UAAAA;AACvD,SAAOD,MAAME,eAAeC,QAAQF,MAAMC,cAAc;AAC1D,GAFoC;AAI7B,IAAME,cAAc,wBAACC,KAAaC,aAA4B,aAAQ;AAC3E,QAAMC,MAAMC,SAASH,KAAKC,UAAAA;AAC1B,QAAMG,gBAA+BF,IAAIG,IAAI,YAAY;AACzD,QAAMC,SAASF,kBAAkB,YAAYG,qBAAqBP,GAAAA,IAAOQ,oBAAoBR,GAAAA;AAE7F,SAAO;IACLnB,KAAK4B,SAASH,QAAQL,UAAAA;IACtBC;IACAI;IACAI,SAASN;EACX;AACF,GAX2B;AAapB,IAAMO,WAAW,wBAACT,KAAiBD,aAA4B,aAAQ;AAC5E,SAAOW,MAAMC,KAAKX,KAAK,KAAA,EAAOrC,SAAS,OAAOoC,eAAe,WAAW,iBAAiB,eAAA;AAC3F,GAFwB;AAIjB,IAAME,WAAW,wBAACtB,KAAaoB,aAA4B,aAAQ;AACxE,SAAOW,MAAMC,KAAKhC,KAAK,KAAA,EAAOiC,MAAMb,UAAAA;AACtC,GAFwB;AAGjB,IAAMM,uBAAuB,wBAACP,QAAAA;AACnC,SAAOe,SAASf,GAAAA;AAClB,GAFoC;AAI7B,IAAMgB,wBAAwB,wBAACd,KAAiBD,aAA4B,aAAQ;AACzF,MAAIA,eAAe,WAAW;AAC5B,WAAOM,qBAAqBI,SAAST,KAAK,SAAA,CAAA;EAC5C,OAAO;AACL,WAAOM,oBAAoBG,SAAST,KAAK,QAAA,CAAA;EAC3C;AACF,GANqC;AAQ9B,IAAMM,sBAAsB,wBAACR,QAAAA;AAClC,QAAMiB,MAAMF,SAASf,GAAAA;AACrB,MAAIA,IAAIT,SAAS,aAAA,GAAgB;AAC/B,UAAME,MAAM,4DAAA;EACd,WAAW,CAACO,IAAIT,SAAS,SAAA,GAAY;AACnC,WAAO0B;EACT;AACA,QAAMC,YAAYf,SAASH,KAAK,QAAA;AAChC,QAAMmB,YAAYR,SAASO,WAAW,QAAA;AACtC,SAAOH,SAASI,SAAAA;AAClB,GAVmC;AAY5B,IAAMJ,WAAW,wBAACf,KAAaoB,cAAAA;AACpC,MAAIpB,IAAIqB,QAAQ,aAAA,KAAkB,IAAI;AACpC,UAAM5B,MAAM,yBAAyB2B,SAAAA,EAAW;EAClD;AAEA,MAAIE;AACJ,MAAIF,WAAW;AACbE,kBAActB,IAAI7B,QAAQ,IAAIoD,OAAO,qBAAqBH,YAAY,OAAA,GAAU,EAAA;AAChFE,kBAAcA,YAAYnD,QAAQ,IAAIoD,OAAO,cAAcH,YAAY,YAAA,GAAe,EAAA;EACxF,OAAO;AACLE,kBAActB,IAAI7B,QAAQ,8BAA8B,EAAA;AACxDmD,kBAAcA,YAAYnD,QAAQ,4BAA4B,EAAA;EAChE;AACA,SAAOqD,YAAYF,aAAa,WAAA;AAClC,GAdwB;AAgBjB,SAASG,YAAY5C,KAAW;AACrC,QAAM6C,cAAc7C,IACjBV,QAAQ,8BAA8B,EAAA,EACtCA,QAAQ,4BAA4B,EAAA,EACpCA,QAAQ,OAAO,EAAA;AAElB,SAAOP,WAAW8D,aAAa,WAAA;AACjC;AAPgBD;AAcT,IAAMD,cAAc,wBAACG,OAAeC,kBAAAA;AACzC,QAAMC,mBAAmBF,MAAMxD,QAAQ,0BAA0B,EAAA;AACjE,SAAON,SAASD,WAAWiE,kBAAkBD,gBAAgBA,gBAAgB,WAAA,GAAc,QAAA;AAC7F,GAH2B;AAKpB,IAAME,cAAc,wBAACH,OAAiCI,mBAAAA;AAC3D,MAAId,MAAM,OAAOU,UAAU,WAAWA,QAAQA,MAAM9D,SAAS,EAAA;AAC7D,MAAIoD,IAAIzC,SAAS,MAAM,GAAG;AACxByC,UAAM,IAAIA,GAAAA;EACZ;AACA,SAAOpD,SAASD,WAAWqD,KAAK,QAAA,GAAWc,iBAAiBA,iBAAiB,WAAA;AAC/E,GAN2B;AAQpB,IAAMtB,WAAW,wBAACQ,KAAae,SAAAA;AACpC,QAAMC,SAASH,YAAYb,KAAK,WAAA;AAChC,QAAMG,YAAYY,SAAS,YAAY,oBAAoB;AAC3D,MAAIA,SAAS,WAAW;AACtB,UAAMnD,MAAME,SAASkD,QAAQb,SAAAA;AAC7B,QAAI;AACFjB,eAAStB,GAAAA;AACT,aAAOA;IACT,SAASqD,OAAO;AACd,aAAOnD,SAASkD,QAAQ,aAAA;IAC1B;EACF;AACA,SAAOlD,SAASkD,QAAQb,SAAAA;AAC1B,GAbwB;AAejB,SAAS5B,SAASX,KAAW;AAClC,SAAOA,IAAIV,QAAQ,+CAA+C,EAAA;AACpE;AAFgBqB;AAIT,SAAST,SAASf,MAAcoD,WAA4E;AACjH,QAAMe,MAAMf,aAAa;AACzB,MAAIpD,KAAKuB,SAAS4C,GAAAA,GAAM;AAEtB,WAAOnE;EACT;AACA,QAAMoE,UAAUpE,KAAKqE,MAAM,UAAA;AAC3B,MAAI,CAACD,SAAS;AACZ,UAAM3C,MAAM,mCAAA;EACd;AACA,SAAO,cAAc0C,GAAAA;EAAaC,QAAQE,KAAK,IAAA,CAAA;WAAmBH,GAAAA;;AACpE;AAXgBpD;;;AF1KhB,IAAM,EAAEwD,UAAAA,UAAQ,IAAKC;AAWrB,IAAMC,QAAQ,wBAACC,QAAAA;AACb,MAAIA,IAAIC,WAAWD,IAAIC,QAAQC,SAAS,GAAG;AACzC,WAAOF,IAAIC;EACb;AACA,MAAID,IAAIG,KAAK;AACX,UAAMC,SAAqB,CAAA;AAC3B,QAAIJ,IAAIG,IAAIE,SAAS,KAAA,GAAQ;AAC3BD,aAAOE,KAAK,QAAQ,QAAA;IACtB,WAAWN,IAAIG,IAAIE,SAAS,KAAA,GAAQ;AAClCD,aAAOE,KAAK,WAAW,SAAA;IACzB;AACA,QAAIF,OAAOF,SAAS,GAAG;AACrB,aAAOE;IACT;EACF;AACA,MAAIJ,IAAIO,QAAQ,OAAO;AACrB,QAAIP,IAAIQ,GAAG;AACT,aAAOR,IAAIS,KAAKC,YAAAA,GAAeL,SAAS,MAAA,IAAU;QAAC;UAAa;QAAC;;IACnE;AACA,WAAOL,IAAIS,KAAKC,YAAAA,GAAeL,SAAS,MAAA,IAAU;MAAC;QAAa;MAAC;;EACnE;AAEA,SAAOL,IAAIQ,KAAKR,IAAIO,QAAQ,QAAQ;IAAC;IAAQ;IAAW;IAAU;MAAa;IAAC;;AAClF,GAvBc;AAyBP,IAAMI,kCAAkC,wBAACC,eAAAA;AAC9C,QAAMH,MAAMG,WAAWF,YAAW;AAClC,MAAIG;AACJ,MAAIJ,IAAIK,WAAW,IAAA,GAAO;AACxBD,aAAS;EACX,WAAWJ,IAAIK,WAAW,IAAA,GAAO;AAC/BD,aAAS;EACX,OAAO;AACL,UAAME,MAAM,sCAAsCH,UAAAA,EAAY;EAChE;AAEA,QAAMI,gBAAgB,OAAOP,IAAIQ,UAAU,CAAA,CAAA;AAC3C,SAAO;IAAEJ;IAAQG;EAAc;AACjC,GAb+C;AAexC,IAAME,2BAA2B,8BACtClB,KACAa,QACAG,kBAAAA;AAEA,QAAMG,WAAWH,gBAAgBA,gBAAgBhB,IAAIS,MAAM,OAAOT,IAAIS,IAAIQ,UAAU,CAAA,CAAA,KAAO;AAE3F,QAAMG,eAAsC;IAAEC,MAAMR;IAAQS,MAAMH;EAAS;AAC3E,SAAO,MAAMI,aAAa,KAAA,EAAOC,OAAOC,UAAU,OAAOzB,KAAmBoB,cAAc,OAAOrB,MAAMC,GAAAA,CAAAA;AACzG,GATwC;AAWjC,IAAM0B,sBAAsB,8BACjCb,QACAG,eACAW,kBAAAA;AAEA,QAAMR,WAAWH,gBAAgBA,gBAAgB;AAEjD,QAAMY,SAAgC;IACpCP,MAAMR;IACNS,MAAMH;IACNQ,eAAeA,gBAAgBA,gBAAgB;IAC/CE,gBAAgB,IAAIC,WAAW;MAAC;MAAG;MAAG;KAAE;EAC1C;AACA,QAAMC,WAAuBlB,WAAW,aAAaA,WAAW,sBAAsB;IAAC;IAAQ;MAAY;IAAC;IAAW;;AAEvH,QAAMmB,UAAU,MAAMT,aAAa,KAAA,EAAOC,OAAOS,YAAYL,QAAQ,MAAMG,QAAAA;AAC3E,QAAMG,QAAQ,MAAMX,aAAa,KAAA,EAAOC,OAAOW,UAAU,SAASH,QAAQI,UAAU;AAEpF,QAAMC,aAAa,IAAIP,WAAWI,KAAAA;AAClC,SAAOI,SAASzC,UAASwC,YAAY,WAAA,GAAc,iBAAA;AACrD,GApBmC;;;AGlEnC,YAAYE,UAAS;AACrB,IAAM,EAAEC,YAAAA,aAAYC,UAAAA,UAAQ,IAAKC;AAQ1B,IAAMC,YAAN,MAAMA;EAVb,OAUaA;;;EACMC;EACAC;EAETC;EACSC;;;;;;EAOjBC,YACEF,KACAG,MACA;AACA,QAAI,OAAOH,QAAQ,UAAU;AAC3B,WAAKD,MAAMK,SAASJ,KAAKG,MAAME,UAAAA;IACjC,OAAO;AACL,WAAKN,MAAMC;IACb;AAEA,SAAKF,gBAAgBK,MAAML,iBAAiB;AAC5C,SAAKG,SAASE,MAAMF,UAAU;EAChC;EAEQK,kBAAsD;AAC5D,QAAI,KAAKL,WAAW,WAAW;AAC7B,aAAO;QAAEM,MAAM,KAAKN;QAAQO,YAAY;MAAG;IAC7C;AACA,WAAO;MAAED,MAAM,KAAKN;;IAAsC;EAC5D;EAEA,MAAcQ,SAA6B;AACzC,QAAI,CAAC,KAAKT,KAAK;AACb,WAAKA,MAAM,MAAMU,yBAAyB,KAAKX,KAAK,KAAKE,QAAQ,KAAKH,aAAa;IACrF;AACA,WAAO,KAAKE;EACd;EAEQW,eAAeC,KAAkB;AACvC,UAAMC,aAAa,IAAIC,WAAWF,GAAAA;AAClC,WAAOjB,UAASkB,YAAY,WAAA;EAC9B;EAEA,MAAaE,KAAKC,MAAmC;AACnD,UAAMC,QAAQD;AACd,UAAMhB,MAAM,MAAM,KAAKS,OAAM;AAC7B,UAAMS,YAAY,KAAKP,eAAe,MAAMQ,aAAa,KAAA,EAAOC,OAAOL,KAAK,KAAKT,gBAAe,GAAIN,KAAKiB,KAAAA,CAAAA;AACzG,QAAI,CAACC,WAAW;AACd,YAAMG,MAAM,2BAAA;IACd;AAGA,WAAOH;EACT;EAEA,MAAaI,OAAON,MAA2BE,WAAqC;AAClF,UAAMK,MAAML,UAAUM,SAAS,GAAA,IAAON,UAAUO,MAAM,GAAA,EAAK,CAAA,IAAKP;AAEhE,UAAMD,QAAQ,OAAOD,QAAQ,WAAWtB,YAAWsB,MAAM,OAAA,IAAWA;AAEpE,QAAIhB,MAAM,MAAM,KAAKS,OAAM;AAC3B,QAAI,CAACT,IAAI0B,OAAOF,SAAS,QAAA,GAAW;AAClC,YAAMG,YAAY;QAAE,GAAG,KAAK5B;MAAI;AAChC,aAAO4B,UAAUC;AACjB,aAAOD,UAAUE;AACjB,aAAOF,UAAUG;AACjB9B,YAAM,MAAMU,yBAAyBiB,WAAW,KAAK1B,QAAQ,KAAKH,aAAa;IACjF;AACA,UAAMiC,qBAAqB,MAAMZ,aAAa,KAAA,EAAOC,OAAOE,OAAO,KAAKhB,gBAAe,GAAIN,KAAKN,YAAW6B,KAAK,WAAA,GAAcN,KAAAA;AAC9H,WAAOc;EACT;AACF;;;ACnFA,SAASC,iBAAiB;AAC1B,SAASC,4BAA4B;AACrC,SAASC,mBAAmBC,uBAAuB;AAGnD,OAAOC,UAAU;AACjB,SAAsDC,cAAcC,WAAWC,mBAAmBC,iBAAiB;AACnH,SAASC,iBAAiB;AAE1B,YAAYC,UAAS;AACrB,IAAM,EAAEC,YAAAA,aAAYC,UAAAA,UAAQ,IAAKC;AAsCjC,IAAMC,sBAAsB,6BAAA;AAC1B,QAAMC,OAAO;AACbC,YAAUD,MAAM,IAAIE,aAAa;IAAEF;IAAMG,QAAQC,aAAa,KAAA;EAAO,CAAA,CAAA;AACrE,SAAOC,UAAU,IAAA;AACnB,GAJ4B;AAMrB,IAAMC,qBAAqB,8BAChCC,aACAC,SAAAA;AAIA,MAAIC;AACJ,MAAI;AACFA,mBAAgB,MAAMC,kCAAkCH,WAAAA;EAC1D,SAASI,GAAG;EAAC;AACb,SAAO;IACLC,QAAQ;MAAEC,IAAIC,YAAYP,WAAAA;IAAa;IACvCQ,SAAS;MACPF,IAAIG,aAAaT,WAAAA;MACjBU,yBAAyBC,2BAA2BX,aAAa;QAAEY,YAAYX,MAAMY;MAAc,CAAA;IACrG;IACAX;IACAY,WAAWd,YAAYc,UAAUC;IACjCC,UAAUhB,YAAYgB,SAASD;EAEjC;AACF,GArBkC;AA4C3B,IAAME,+BAA+B,8BAAO,EACjDC,OAAOC,eACPC,cACAC,mBAAmB,oBAAIC,KAAAA,GACvBrB,OAAO;;EAELsB,0BAA0B;EAC1BC,wBAAwB;EACxBC,6BAA6B;EAC7BC,uBAAuB,CAAA;EACvBC,uBAAuB;AACzB,EAAC,MAMF;AAEC,SAAO,MAAMC,iCAAiC;IAC5CC,UAAU;IACVX,OAAO;SAAIC;MAAeW,QAAO;IACjCV;IACAC;IACApB;EACF,CAAA;AACF,GA1B4C;AA2B5C,IAAM2B,mCAAmC,8BAAO,EAC9CC,UACAX,OAAOC,eACPC,cACAC,kBAAkBU,UAClB9B,KAAI,MAOL;AACC,QAAMoB,mBAAyB,OAAOU,aAAa,WAAW,IAAIT,KAAKS,QAAAA,IAAYA;AACnF,QAAM,EACJR,2BAA2B,OAC3BC,yBAAyB,OACzBC,8BAA8B,MAC9BC,wBAAwB,CAAA,GACxBC,wBAAwB,OACxBK,OAAM,IACJ/B;AACJ,QAAMgC,cAAcT,0BAA0B,CAACJ,eAAe;IAACD,cAAcA,cAAce,SAAS,CAAA;MAAMd;AAE1G,MAAID,cAAce,WAAW,GAAG;AAC9B,WAAO;MACLC,OAAO;MACPC,UAAU;MACVC,SAAS;MACThB;IACF;EACF;AACA7B,sBAAAA;AAGA,QAAM0B,QAAQ,MAAMoB,QAAQC,IAAIpB,cAAcqB,IAAI,CAACC,QAAQC,iBAAiBD,GAAAA,CAAAA,CAAAA;AAC5E,QAAME,oBAAoBd,WAAW;OAAIX;MAAS;OAAIA;IAAOY,QAAO;AAEpE,QAAMc,eAAeX,cAAc,MAAMK,QAAQC,IAAIN,YAAYO,IAAI,CAACC,QAAQC,iBAAiBD,GAAAA,CAAAA,CAAAA,IAASI;AACxG,QAAMC,kBAEF,MAAMR,QAAQC,IACZb,sBAAsBc,IAAI,CAACC,QAAAA;AACzB,QAAI;AACF,aAAOC,iBAAiBD,GAAAA;IAC1B,SAASrC,GAAG;AAEV2C,cAAQC,IAAI,+CAA+CP,GAAAA,YAAerC,EAAEiC,OAAO,EAAE;AACrF,aAAOQ;IACT;EACF,CAAA,CAAA,GAEFI,OAAO,CAACC,SAAoCA,SAASL,MAAAA,KAAc,CAAA;AACvE,QAAMM,WAAWR,kBAAkB,CAAA;AAEnC,QAAMS,cAAclC,MAAMgB;AAC1B,MAAImB,mBAAkDR;AACtD,WAASS,IAAI,GAAGA,IAAIF,aAAaE,KAAK;AACpC,UAAMC,cAAcrC,MAAMoC,CAAAA;AAC1B,UAAME,eAAeF,IAAI,IAAIpC,MAAMoC,IAAI,CAAA,IAAKT;AAC5C,UAAMY,qBAAqBX,eAAeY,KAAK,CAACC,YAAYC,qBAAqBD,QAAQ3D,aAAauD,YAAYvD,WAAW,CAAA;AAC7H,QAAIyD,oBAAoB;AACtBV,cAAQC,IAAI,iHAAiH;AAC7H,aAAO;QACLb,OAAO;QACPC,UAAU;QACVC,SAAS;QACTwB,eAAe,+BAA+BJ,mBAAmBK,gBAAgBtD,QAAQF,GAAGyD,EAAE;QAC9FC,aAAaP,oBAAoBK;QACjCzC;QACA4C,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;QACtE,GAAI9B,UAAU;UAAEA;QAAO;MACzB;IACF;AACA,QAAIwB,cAAc;AAChB,UAAID,YAAYW,gBAAgB7D,WAAWmD,aAAaU,gBAAgB1D,SAAS;AAC/E,YAAI,CAACqB,YAAY,CAACF,uBAAuB;AACvC,iBAAO,MAAMC,iCAAiC;YAC5CC,UAAU;YACVX,OAAO;iBAAIC;cAAeW,QAAO;YACjC7B;YACAoB;YACAD;UACF,CAAA;QACF;AACA,eAAO;UACLe,OAAO;UACPC,UAAU;UACV6B,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;UACtEzB,SAAS,2CAA2Cc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;UAC1FF,eAAe,mBAAmBN,YAAYO,gBAAgBtD,QAAQF,GAAGyD,EAAE,gBAAgBR,YAAYW,gBAAgB7D,MAAM,+CAA+CmD,cAAcM,gBAAgBtD,QAAQF,GAAGyD,EAAAA,wBAA0BP,cAAcU,gBAAgB1D,OAAAA;UAC7Qa;UACA,GAAIW,UAAU;YAAEA;UAAO;QACzB;MACF;IACF;AACA,UAAMmC,SAAS,MAAMZ,YAAYW,gBAAgBE,OAC/C;MACEC,MAAMhD;MACNiD,WAAWd,cAAcU,iBAAiBI;IAC5C,GACAxE,UAAAA,GAAaF,UAAUA,UAAU2E,OAAO3E,MAAM;AAEhD,QAAI,CAACuE,QAAQ;AAEX,UAAIb,KAAK,KAAK,CAACzB,YAAY,CAACF,uBAAuB;AACjD,eAAO,MAAMC,iCAAiC;UAC5CC,UAAU;UACVX,OAAO;eAAIC;YAAeW,QAAO;UACjC7B;UACAoB;UACAD;QACF,CAAA;MACF;AAEA,aAAO;QACLe,OAAO;QACPC,UAAU;QACVC,SAAS,2CAA2Cc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;QAC1FE,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;QACtED,eAAe,mCAAmCN,YAAYO,gBAAgBtD,QAAQF,GAAGyD,EAAE,gBACzFR,YAAYW,gBAAgB7D,MAAM,wBACZmE,KAAKC,UAAUlB,YAAYO,gBAAgB5D,YAAY,CAAA;QAC/EmB;QACA,GAAIW,UAAU;UAAEA;QAAO;MACzB;IACF;AAEAqB,uBAAmBA,oBAAoBT,cAAcc,KAAK,CAACC,YAAYe,kBAAkBf,QAAQO,iBAAiBX,YAAYW,eAAe,CAAA;AAE7I,QAAIZ,MAAM,KAAKF,gBAAgB,KAAK3B,6BAA6B;AAC/D,aAAO;QACLU,OAAO;QACPC,UAAU;QACVC,SAAS,uEAAuEc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;QACtHE,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;QACtEE,aAAaX,kBAAkBS;QAC/BzC;QACA,GAAIW,UAAU;UAAEA;QAAO;MACzB;IACF;EACF;AAEA,MAAIqB,kBAAkBS,mBAAmBvC,0BAA0B;AACjE,WAAO;MACLY,OAAO;MACPC,UAAU;MACVC,SAAS;MACT4B,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;MACtED,eAAeR,mBACX,wBAAwBF,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE,yCAAyCV,kBAAkBS,gBAAgBtD,QAAQF,GAAGyD,EAAAA,MACpJ,wBAAwBZ,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE,kHAAkHxC,wBAAAA;MACpLyC,aAAaX,kBAAkBS;MAC/BzC;MACA,GAAIW,UAAU;QAAEA;MAAO;IACzB;EACF;AAEA,SAAO;IACLG,OAAO;IACPC,UAAU;IACVC,SAAS,2CAA2Cc,SAASW,gBAAgBtD,QAAQF,GAAGyD,EAAE;IAC1FE,kBAAkBtB,kBAAkBH,IAAI,CAACU,SAASA,KAAKY,eAAe;IACtED,eAAe,qEACblB,kBAAkBzB,MAAMgB,SAAS,CAAA,EAAG4B,gBAAgBtD,QAAQF,GAAGyD,EAAE,aACtDpB,kBAAkB,CAAA,EAAGmB,gBAAgBtD,QAAQF,GAAGyD,EAAE;IAC/D1C;IACA,GAAIW,UAAU;MAAEA;IAAO;EACzB;AACF,GAzKyC;AA2KzC,IAAM0C,oBAAoB,wBAACC,OAAwBC,UAAAA;AACjD,SAAOD,MAAME,QAAQvF,SAAQ,MAAOsF,MAAMC,QAAQvF,SAAQ;AAC5D,GAF0B;AAI1B,IAAMwF,oBAAuCC,UAAUC,QAAQC,iBAAAA;AACxD,IAAMC,2BAA2B,6BAAA;AACtC,SAAOJ;AACT,GAFwC;AAejC,IAAMpC,mBAAmB,8BAAOyC,YAAAA;AACrC,QAAMjB,kBAAkB,IAAIkB,gBAAgBD,OAAAA;AAC5C,QAAME,gBAAgBC,UAAUC,MAAMrB,gBAAgBI,UAAUO,SAASW,oBAAAA;AACzE,QAAMC,eAAe,IAAIC,WAAWL,cAAcM,gBAAgB;AAClE,MAAIC,eAAgC/C;AACpC,MAAI;AACF+C,mBAAgB,MAAMzF,kCAAkC,IAAIuF,WAAWxB,gBAAgBW,OAAO,CAAA;EAChG,SAASzE,GAAQ;AACf2C,YAAQZ,MAAM/B,EAAEiC,OAAO;EACzB;AACA,QAAMrC,cAAc6F,0BAA0BV,OAAAA;AAC9C,QAAMrB,kBAAkB,MAAM/D,mBAAmBC,WAAAA;AACjD,QAAM8F,qBAAqBZ,yBAAAA,EAA2Ba,eAAeV,cAAcW,SAAS;AAC5F,SAAO;IACLF;IACAT;IACAO;IACAH;IACA3B;IACA9D;IACAkE;EACF;AACF,GAtBgC;AAgKhC,IAAM+B,SAAiC;EACrC,WAAW;EACX,YAAY;EACZ,YAAY;EACZ,WAAW;EACX,WAAW;EACX,WAAW;EACX,YAAY;EACZ,YAAY;EACZ,YAAY;EACZ,WAAW;EACX,wBAAwB;AAC1B;AAEO,IAAM1F,cAAc,wBAAC2C,SAAAA;AAC1B,SAAO;IACLa,IAAImC,YAAYhD,KAAK7C,OAAO8F,cAAc;IAC1CC,YAAYC,YAAYnD,KAAK7C,OAAO8F,cAAc;EACpD;AACF,GAL2B;AAOpB,IAAM1F,eAAe,wBAACyC,SAAAA;AAC3B,SAAO;IACLa,IAAImC,YAAYhD,KAAK1C,QAAQ2F,cAAc;IAC3CC,YAAYC,YAAYnD,KAAK1C,QAAQ2F,cAAc;EACrD;AACF,GAL4B;AAO5B,IAAME,cAAc,wBAACF,mBAAAA;AACnB,QAAMpC,KAA6B,CAAC;AACpC,aAAWuC,gBAAgBH,gBAAgB;AACzC,UAAMI,OAAON,OAAOK,aAAaC,IAAI,KAAKD,aAAaC;AACvDxC,OAAGwC,IAAAA,IAAQD,aAAavF,MAAMyF,SAAQ;EACxC;AACA,SAAOzC;AACT,GAPoB;AAQpB,IAAMmC,cAAc,wBAACC,mBAAAA;AACnB,SAAOM,OAAOC,QAAQL,YAAYF,cAAAA,CAAAA,EAC/B3D,IAAI,CAAC,CAACmE,KAAK5F,KAAAA,MAAW,GAAG4F,GAAAA,IAAO5F,KAAAA,EAAO,EACvC6F,KAAK,GAAA;AACV,GAJoB;AAMb,IAAMzG,oCAAoC,8BAAO0G,iBAAAA;AACtD,QAAMC,cACJ,OAAOD,iBAAiB,WACpBvH,UAASD,YAAWwH,cAAc,WAAA,GAAc,WAAA,IAChDA,wBAAwBnB,aACxBpG,UAASuH,cAAc,WAAA,IACvBvH,UAASD,YAAWwH,aAAavH,SAAS,QAAA,GAAW,WAAA,GAAc,WAAA;AACzE,QAAMyH,MAAMC,SAASF,WAAAA;AACrB,QAAM9G,cAAc6F,0BAA0BkB,GAAAA;AAC9C,MAAIE;AACJ,MAAI;AACF,UAAMC,SAASpH,UAAU,IAAA,EAAMoH;AAC/B,UAAMC,KAAK,MAAMnH,YAAYoH,aAAavE,QAAWrD,oBAAAA,CAAAA;AACrDyH,UAAO,MAAMC,OAAOG,UAAU,OAAOF,EAAAA;EACvC,SAAShF,OAAY;AACnBY,YAAQC,IAAI,uCAAuCb,OAAOE,OAAAA;EAC5D;AACA,MAAI,CAAC4E,KAAK;AACR,QAAI;AACFA,YAAO,MAAMK,KAAKC,MAAMR,KAAK,KAAA;IAC/B,SAAS5E,OAAY;AACnBY,cAAQC,IAAI,iDAAiDb,OAAOE,OAAAA;IACtE;EACF;AACA,MAAI,CAAC4E,KAAK;AACR,UAAMO,MAAM,sCAAsCT,GAAAA,EAAK;EACzD;AACA,SAAOE;AACT,GA5BiD;AAyC1C,IAAKQ,gCAAAA,yBAAAA,gCAAAA;;;;;SAAAA;;AAcL,IAAMC,yCAAyC,wBAAC1H,aAA0B2H,UAAkBC,mBAAAA;AACjG,QAAMC,OAAOlH,2BAA2BX,aAAa;IAAE8H,sBAAsBF;EAAe,CAAA;AAC5F,QAAMG,kBAAkBF,KAAKnE,KAAK,CAACsE,QAAQA,IAAIjH,UAAU4G,QAAAA;AACzD,MAAI,CAACI,iBAAiB;AACpB,UAAMP,MACJ,oBAAoBI,cAAAA,0EAClBnH,aAAaT,WAAAA,EAAa+D,EAAE,WACnB8D,KAAKrF,IAAI,CAACwF,QAAQA,IAAIjH,KAAK,EAAE6F,KAAK,GAAA,CAAA,EAAM;EAEvD;AACF,GAVsD;AAY/C,IAAMqB,gDAAgD,8BAC3DjI,aACA2H,UACAC,mBAAAA;AAEA,QAAMzD,SAAS;IACbhC,OAAO;IACPC,UAAU;IACVC,SAAS,aAAasF,QAAAA,gDAAwDC,cAAAA;IAC9E5F,QAAQ;MACN2F;MACAC;IACF;IACA3D,kBAAkB;MAAC,MAAMlE,mBAAmBC,WAAAA;;IAC5CqB,kBAAkB,oBAAIC,KAAAA;EACxB;AACA,MAAI;AACFoG,2CAAuC1H,aAAa2H,UAAUC,cAAAA;EAChE,SAASzF,OAAO;AACd,WAAOgC;EACT;AACAA,SAAOhC,QAAQ;AACfgC,SAAO9B,UAAU,aAAasF,QAAAA,4CAAoDC,cAAAA;AAClF,SAAOzD;AACT,GAxB6D;AA0BtD,IAAMxD,6BAA6B,wBACxCX,aACAC,SAAAA;AAMA,MAAIW;AACJ,MAAIX,MAAM6H,sBAAsB;AAC9BlH,iBACEX,KAAK6H,yBAAyB,iBAC1B;;QACA;;;EACR,WAAW7H,MAAMW,YAAY;AAC3BA,iBAAasH,MAAMC,QAAQlI,KAAKW,UAAU,IAAIX,KAAKW,aAAa;MAACX,KAAKW;;EACxE,OAAO;AACLA,iBAAa;;;;EACf;AACA,QAAMwH,cAAcpI,YAAYqI,YAAY3E,KAAK,CAAC4E,QAAQA,IAAIC,WAAWC,iBAAAA,GAAoBJ;AAC7F,MAAI,CAACA,aAAa;AAChB,WAAO,CAAA;EACT;AACA,QAAMK,WAAWL,YAAYM,OAAM,EAAGD;AACtC,SAAOA,SACJxF,OAAO,CAAC0F,YAAY/H,WAAWgI,SAASD,QAAQpC,IAAI,CAAA,EACpD/D,IAAI,CAACmG,YAAAA;AACJ,WAAO;MAAEpC,MAAMoC,QAAQpC;MAAMxF,OAAO4H,QAAQ5H;IAAM;EACpD,CAAA;AACJ,GA7B0C;","names":["JwkKeyUse","u8a","globalCrypto","setGlobal","suppliedCrypto","webcrypto","crypto","global","window","subtle","require","Certificate","u8a","keyto","fromString","toString","u8a","pemCertChainTox5c","cert","maxDepth","intermediate","replace","x5c","split","filter","c","length","splice","x5cToPemCertChain","Math","min","pem","i","derToPEM","pemOrDerToX509Certificate","DER","undefined","Uint8Array","Certificate","fromBER","rawData","includes","PEMToDer","Error","areCertificatesEqual","cert1","cert2","signatureValue","isEqual","toKeyObject","PEM","visibility","jwk","PEMToJwk","keyVisibility","d","keyHex","privateKeyHexFromPEM","publicKeyHexFromPEM","hexToPEM","keyType","jwkToPEM","keyto","from","toJwk","PEMToHex","hexKeyFromPEMBasedJwk","hex","publicJwk","publicPEM","headerKey","indexOf","strippedPem","RegExp","base64ToHex","PEMToBinary","pemContents","input","inputEncoding","base64NoNewlines","hexToBase64","targetEncoding","type","base64","error","key","matches","match","join","toString","u8a","usage","jwk","key_ops","length","use","usages","includes","push","kty","d","alg","toUpperCase","signAlgorithmToSchemeAndHashAlg","signingAlg","scheme","startsWith","Error","hashAlgorithm","substring","cryptoSubtleImportRSAKey","hashName","importParams","name","hash","globalCrypto","subtle","importKey","generateRSAKeyAsPEM","modulusLength","params","publicExponent","Uint8Array","keyUsage","keypair","generateKey","pkcs8","exportKey","privateKey","uint8Array","derToPEM","u8a","fromString","toString","u8a","RSASigner","hashAlgorithm","jwk","key","scheme","constructor","opts","PEMToJwk","visibility","getImportParams","name","saltLength","getKey","cryptoSubtleImportRSAKey","bufferToString","buf","uint8Array","Uint8Array","sign","data","input","signature","globalCrypto","subtle","Error","verify","jws","includes","split","usages","verifyJwk","d","use","key_ops","verificationResult","AsnParser","SubjectPublicKeyInfo","AlgorithmProvider","X509Certificate","x509","CryptoEngine","getCrypto","id_SubjectAltName","setEngine","container","u8a","fromString","toString","u8a","defaultCryptoEngine","name","setEngine","CryptoEngine","crypto","globalCrypto","getCrypto","getCertificateInfo","certificate","opts","publicKeyJWK","getCertificateSubjectPublicKeyJWK","e","issuer","dn","getIssuerDN","subject","getSubjectDN","subjectAlternativeNames","getSubjectAlternativeNames","typeFilter","sanTypeFilter","notBefore","value","notAfter","validateX509CertificateChain","chain","pemOrDerChain","trustAnchors","verificationTime","Date","allowNoTrustAnchorsFound","trustRootWhenNoAnchors","allowSingleNoCAChainElement","blindlyTrustedAnchors","disallowReversedChain","validateX509CertificateChainImpl","reversed","reverse","verifyAt","client","trustedPEMs","length","error","critical","message","Promise","all","map","raw","parseCertificate","x5cOrdereredChain","trustedCerts","undefined","blindlyTrusted","console","log","filter","cert","leafCert","chainLength","foundTrustAnchor","i","currentCert","previousCert","blindlyTrustedCert","find","trusted","areCertificatesEqual","detailMessage","certificateInfo","DN","trustAnchor","certificateChain","x509Certificate","result","verify","date","publicKey","global","JSON","stringify","isSameCertificate","cert1","cert2","rawData","algorithmProvider","container","resolve","AlgorithmProvider","getX509AlgorithmProvider","rawCert","X509Certificate","publicKeyInfo","AsnParser","parse","SubjectPublicKeyInfo","publicKeyRaw","Uint8Array","subjectPublicKey","publicKeyJwk","pemOrDerToX509Certificate","publicKeyAlgorithm","toWebAlgorithm","algorithm","rdnmap","getDNString","typesAndValues","attributes","getDNObject","typeAndValue","type","getValue","Object","entries","key","join","pemOrDerCert","pemOrDerStr","pem","derToPEM","jwk","subtle","pk","getPublicKey","exportKey","x509","toJwk","Error","SubjectAlternativeGeneralName","assertCertificateMatchesClientIdScheme","clientId","clientIdScheme","sans","clientIdSchemeFilter","clientIdMatches","san","validateCertificateChainMatchesClientIdScheme","Array","isArray","parsedValue","extensions","ext","extnID","id_SubjectAltName","altNames","toJSON","altName","includes"]}
package/package.json CHANGED
@@ -1,13 +1,14 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk-ext.x509-utils",
3
3
  "description": "Sphereon SSI-SDK plugin functions for X.509 Certificate handling.",
4
- "version": "0.28.1-feature.esm.cjs.8+4c162d1",
4
+ "version": "0.28.1-feature.jose.vcdm.19+2c20244",
5
5
  "source": "./src/index.ts",
6
6
  "type": "module",
7
7
  "main": "./dist/index.cjs",
8
8
  "module": "./dist/index.js",
9
9
  "types": "./dist/index.d.ts",
10
10
  "exports": {
11
+ "react-native": "./dist/index.js",
11
12
  "import": {
12
13
  "types": "./dist/index.d.ts",
13
14
  "import": "./dist/index.js"
@@ -24,7 +25,7 @@
24
25
  "@peculiar/asn1-schema": "^2.3.13",
25
26
  "@peculiar/asn1-x509": "^2.3.13",
26
27
  "@peculiar/x509": "^1.12.3",
27
- "@sphereon/ssi-types": "^0.33",
28
+ "@sphereon/ssi-types": "0.33.1-feature.jose.vcdm.56",
28
29
  "@trust/keyto": "^1.0.1",
29
30
  "debug": "^4.3.4",
30
31
  "js-x509-utils": "^1.0.7",
@@ -54,5 +55,5 @@
54
55
  "DID",
55
56
  "Veramo"
56
57
  ],
57
- "gitHead": "4c162d14577f462070adeea3e7ec5a443c324ee7"
58
+ "gitHead": "2c2024461b7732a2b9c6e6940cc399d5ca4626ac"
58
59
  }
package/src/x509/rsa-key.ts CHANGED
@@ -2,12 +2,13 @@
2
2
  import { KeyUsage, CryptoKey, RsaHashedImportParams, RsaHashedKeyGenParams } from 'node'
3
3
 
4
4
  // @ts-ignore
5
- import { toString } from 'uint8arrays/to-string'
6
- import { HashAlgorithm } from '../types'
5
+ import * as u8a from 'uint8arrays'
6
+ const { toString } = u8a
7
+ import type { HashAlgorithm } from '../types'
7
8
  import { globalCrypto } from './crypto'
8
9
 
9
10
  import { derToPEM } from './x509-utils'
10
- import { JsonWebKey } from '@sphereon/ssi-types'
11
+ import type { JsonWebKey } from '@sphereon/ssi-types'
11
12
 
12
13
  export type RSASignatureSchemes = 'RSASSA-PKCS1-V1_5' | 'RSA-PSS'
13
14
 
package/src/x509/rsa-signer.ts CHANGED
@@ -1,12 +1,11 @@
1
1
  // @ts-ignore
2
- import { fromString } from 'uint8arrays/from-string'
3
- // @ts-ignore
4
- import { toString } from 'uint8arrays/to-string'
5
- import { HashAlgorithm, KeyVisibility } from '../types'
2
+ import * as u8a from 'uint8arrays'
3
+ const { fromString, toString } = u8a
4
+ import type { HashAlgorithm, KeyVisibility } from '../types'
6
5
  import { globalCrypto } from './crypto'
7
6
  import { cryptoSubtleImportRSAKey, RSAEncryptionSchemes, RSASignatureSchemes } from './rsa-key'
8
7
  import { PEMToJwk } from './x509-utils'
9
- import { JsonWebKey } from '@sphereon/ssi-types'
8
+ import type { JsonWebKey } from '@sphereon/ssi-types'
10
9
  // @ts-ignore
11
10
  import { CryptoKey, RsaPssParams, AlgorithmIdentifier } from 'node'
12
11
  export class RSASigner {
package/src/x509/x509-utils.ts CHANGED
@@ -1,14 +1,13 @@
1
1
  import { X509Certificate } from '@peculiar/x509'
2
2
  import { Certificate } from 'pkijs'
3
3
  // @ts-ignore
4
- import { fromString } from 'uint8arrays/from-string'
5
- // @ts-ignore
6
- import { toString } from 'uint8arrays/to-string'
4
+ import * as u8a from 'uint8arrays'
5
+ const { fromString, toString } = u8a
7
6
  // @ts-ignore
8
7
  import keyto from '@trust/keyto'
9
- import { KeyVisibility } from '../types'
8
+ import type { KeyVisibility } from '../types'
10
9
 
11
- import { JsonWebKey } from '@sphereon/ssi-types'
10
+ import type { JsonWebKey } from '@sphereon/ssi-types'
12
11
  // Based on (MIT licensed):
13
12
  // https://github.com/hildjj/node-posh/blob/master/lib/index.js
14
13
  export function pemCertChainTox5c(cert: string, maxDepth?: number): string[] {
package/src/x509/x509-validator.ts CHANGED
@@ -7,9 +7,8 @@ import x509 from 'js-x509-utils'
7
7
  import { AltName, AttributeTypeAndValue, Certificate, CryptoEngine, getCrypto, id_SubjectAltName, setEngine } from 'pkijs'
8
8
  import { container } from 'tsyringe'
9
9
  // @ts-ignore
10
- import { fromString } from 'uint8arrays/from-string'
11
- // @ts-ignore
12
- import { toString } from 'uint8arrays/to-string'
10
+ import * as u8a from 'uint8arrays'
11
+ const { fromString, toString } = u8a
13
12
  import { globalCrypto } from './crypto'
14
13
  import { areCertificatesEqual, derToPEM, pemOrDerToX509Certificate } from './x509-utils'
15
14