npm - @sphereon/ssi-sdk-ext.x509-utils - Versions diffs - 0.28.1-feature.esm.cjs.9 → 0.28.1-feature.jose.vcdm.20 - Mend

@sphereon/ssi-sdk-ext.x509-utils 0.28.1-feature.esm.cjs.9 → 0.28.1-feature.jose.vcdm.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.cjs +132 -106
package/dist/index.cjs.map +1 -1
package/dist/index.js +8 -7
package/dist/index.js.map +1 -1
package/package.json +4 -3
package/src/x509/rsa-key.ts +4 -3
package/src/x509/rsa-signer.ts +4 -5
package/src/x509/x509-utils.ts +4 -5
package/src/x509/x509-validator.ts +2 -3

package/dist/index.cjs CHANGED Viewed

@@ -1,11 +1,71 @@
-"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } async function _asyncNullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return await rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }var __defProp = Object.defineProperty;
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  JwkKeyUse: () => JwkKeyUse,
+  PEMToBinary: () => PEMToBinary,
+  PEMToDer: () => PEMToDer,
+  PEMToHex: () => PEMToHex,
+  PEMToJwk: () => PEMToJwk,
+  RSASigner: () => RSASigner,
+  SubjectAlternativeGeneralName: () => SubjectAlternativeGeneralName,
+  areCertificatesEqual: () => areCertificatesEqual,
+  assertCertificateMatchesClientIdScheme: () => assertCertificateMatchesClientIdScheme,
+  base64ToHex: () => base64ToHex,
+  cryptoSubtleImportRSAKey: () => cryptoSubtleImportRSAKey,
+  derToPEM: () => derToPEM,
+  generateRSAKeyAsPEM: () => generateRSAKeyAsPEM,
+  getCertificateInfo: () => getCertificateInfo,
+  getCertificateSubjectPublicKeyJWK: () => getCertificateSubjectPublicKeyJWK,
+  getIssuerDN: () => getIssuerDN,
+  getSubjectAlternativeNames: () => getSubjectAlternativeNames,
+  getSubjectDN: () => getSubjectDN,
+  getX509AlgorithmProvider: () => getX509AlgorithmProvider,
+  hexKeyFromPEMBasedJwk: () => hexKeyFromPEMBasedJwk,
+  hexToBase64: () => hexToBase64,
+  hexToPEM: () => hexToPEM,
+  jwkToPEM: () => jwkToPEM,
+  parseCertificate: () => parseCertificate,
+  pemCertChainTox5c: () => pemCertChainTox5c,
+  pemOrDerToX509Certificate: () => pemOrDerToX509Certificate,
+  privateKeyHexFromPEM: () => privateKeyHexFromPEM,
+  publicKeyHexFromPEM: () => publicKeyHexFromPEM,
+  signAlgorithmToSchemeAndHashAlg: () => signAlgorithmToSchemeAndHashAlg,
+  toKeyObject: () => toKeyObject,
+  validateCertificateChainMatchesClientIdScheme: () => validateCertificateChainMatchesClientIdScheme,
+  validateX509CertificateChain: () => validateX509CertificateChain,
+  x5cToPemCertChain: () => x5cToPemCertChain
 });
+module.exports = __toCommonJS(index_exports);
 // src/types/index.ts
 var JwkKeyUse = /* @__PURE__ */ function(JwkKeyUse2) {
@@ -15,7 +75,7 @@ var JwkKeyUse = /* @__PURE__ */ function(JwkKeyUse2) {
 }({});
 // src/x509/rsa-key.ts
-var _tostring = require('uint8arrays/to-string');
+var u8a2 = __toESM(require("uint8arrays"), 1);
 // src/x509/crypto.ts
 var globalCrypto = /* @__PURE__ */ __name((setGlobal, suppliedCrypto) => {
@@ -27,10 +87,10 @@ var globalCrypto = /* @__PURE__ */ __name((setGlobal, suppliedCrypto) => {
   } else if (typeof global.crypto !== "undefined") {
     webcrypto = global.crypto;
   } else {
-    if (typeof _optionalChain([global, 'access', _ => _.window, 'optionalAccess', _2 => _2.crypto, 'optionalAccess', _3 => _3.subtle]) !== "undefined") {
+    if (typeof global.window?.crypto?.subtle !== "undefined") {
       webcrypto = global.window.crypto;
     } else {
-      webcrypto = __require("crypto");
+      webcrypto = require("crypto");
     }
   }
   if (setGlobal) {
@@ -40,10 +100,10 @@ var globalCrypto = /* @__PURE__ */ __name((setGlobal, suppliedCrypto) => {
 }, "globalCrypto");
 // src/x509/x509-utils.ts
-var _pkijs = require('pkijs');
-var _fromstring = require('uint8arrays/from-string');
-var _keyto = require('@trust/keyto'); var _keyto2 = _interopRequireDefault(_keyto);
+var import_pkijs = require("pkijs");
+var u8a = __toESM(require("uint8arrays"), 1);
+var import_keyto = __toESM(require("@trust/keyto"), 1);
+var { fromString, toString } = u8a;
 function pemCertChainTox5c(cert, maxDepth) {
   if (!maxDepth) {
     maxDepth = 0;
@@ -73,16 +133,16 @@ __name(x5cToPemCertChain, "x5cToPemCertChain");
 var pemOrDerToX509Certificate = /* @__PURE__ */ __name((cert) => {
   let DER = typeof cert === "string" ? cert : void 0;
   if (typeof cert === "object" && !(cert instanceof Uint8Array)) {
-    return _pkijs.Certificate.fromBER(cert.rawData);
+    return import_pkijs.Certificate.fromBER(cert.rawData);
   } else if (typeof cert !== "string") {
-    return _pkijs.Certificate.fromBER(cert);
+    return import_pkijs.Certificate.fromBER(cert);
   } else if (cert.includes("CERTIFICATE")) {
     DER = PEMToDer(cert);
   }
   if (!DER) {
     throw Error("Invalid cert input value supplied. PEM, DER, Bytes and X509Certificate object are supported");
   }
-  return _pkijs.Certificate.fromBER(_fromstring.fromString.call(void 0, DER, "base64pad"));
+  return import_pkijs.Certificate.fromBER(fromString(DER, "base64pad"));
 }, "pemOrDerToX509Certificate");
 var areCertificatesEqual = /* @__PURE__ */ __name((cert1, cert2) => {
   return cert1.signatureValue.isEqual(cert2.signatureValue);
@@ -99,10 +159,10 @@ var toKeyObject = /* @__PURE__ */ __name((PEM, visibility = "public") => {
   };
 }, "toKeyObject");
 var jwkToPEM = /* @__PURE__ */ __name((jwk, visibility = "public") => {
-  return _keyto2.default.from(jwk, "jwk").toString("pem", visibility === "public" ? "public_pkcs8" : "private_pkcs8");
+  return import_keyto.default.from(jwk, "jwk").toString("pem", visibility === "public" ? "public_pkcs8" : "private_pkcs8");
 }, "jwkToPEM");
 var PEMToJwk = /* @__PURE__ */ __name((pem, visibility = "public") => {
-  return _keyto2.default.from(pem, "pem").toJwk(visibility);
+  return import_keyto.default.from(pem, "pem").toJwk(visibility);
 }, "PEMToJwk");
 var privateKeyHexFromPEM = /* @__PURE__ */ __name((PEM) => {
   return PEMToHex(PEM);
@@ -141,19 +201,19 @@ var PEMToHex = /* @__PURE__ */ __name((PEM, headerKey) => {
 }, "PEMToHex");
 function PEMToBinary(pem) {
   const pemContents = pem.replace(/^[^]*-----BEGIN [^-]+-----/, "").replace(/-----END [^-]+-----[^]*$/, "").replace(/\s/g, "");
-  return _fromstring.fromString.call(void 0, pemContents, "base64pad");
+  return fromString(pemContents, "base64pad");
 }
 __name(PEMToBinary, "PEMToBinary");
 var base64ToHex = /* @__PURE__ */ __name((input, inputEncoding) => {
   const base64NoNewlines = input.replace(/[^0-9A-Za-z_\-~\/+=]*/g, "");
-  return _tostring.toString.call(void 0, _fromstring.fromString.call(void 0, base64NoNewlines, inputEncoding ? inputEncoding : "base64pad"), "base16");
+  return toString(fromString(base64NoNewlines, inputEncoding ? inputEncoding : "base64pad"), "base16");
 }, "base64ToHex");
 var hexToBase64 = /* @__PURE__ */ __name((input, targetEncoding) => {
   let hex = typeof input === "string" ? input : input.toString(16);
   if (hex.length % 2 === 1) {
     hex = `0${hex}`;
   }
-  return _tostring.toString.call(void 0, _fromstring.fromString.call(void 0, hex, "base16"), targetEncoding ? targetEncoding : "base64pad");
+  return toString(fromString(hex, "base16"), targetEncoding ? targetEncoding : "base64pad");
 }, "hexToBase64");
 var hexToPEM = /* @__PURE__ */ __name((hex, type) => {
   const base64 = hexToBase64(hex, "base64pad");
@@ -174,7 +234,7 @@ function PEMToDer(pem) {
 }
 __name(PEMToDer, "PEMToDer");
 function derToPEM(cert, headerKey) {
-  const key = _nullishCoalesce(headerKey, () => ( "CERTIFICATE"));
+  const key = headerKey ?? "CERTIFICATE";
   if (cert.includes(key)) {
     return cert;
   }
@@ -190,6 +250,7 @@ ${matches.join("\n")}
 __name(derToPEM, "derToPEM");
 // src/x509/rsa-key.ts
+var { toString: toString2 } = u8a2;
 var usage = /* @__PURE__ */ __name((jwk) => {
   if (jwk.key_ops && jwk.key_ops.length > 0) {
     return jwk.key_ops;
@@ -207,13 +268,13 @@ var usage = /* @__PURE__ */ __name((jwk) => {
   }
   if (jwk.kty === "RSA") {
     if (jwk.d) {
-      return _optionalChain([jwk, 'access', _4 => _4.alg, 'optionalAccess', _5 => _5.toUpperCase, 'call', _6 => _6(), 'optionalAccess', _7 => _7.includes, 'call', _8 => _8("QAEP")]) ? [
+      return jwk.alg?.toUpperCase()?.includes("QAEP") ? [
         "encrypt"
       ] : [
         "sign"
       ];
     }
-    return _optionalChain([jwk, 'access', _9 => _9.alg, 'optionalAccess', _10 => _10.toUpperCase, 'call', _11 => _11(), 'optionalAccess', _12 => _12.includes, 'call', _13 => _13("QAEP")]) ? [
+    return jwk.alg?.toUpperCase()?.includes("QAEP") ? [
       "decrypt"
     ] : [
       "verify"
@@ -274,20 +335,20 @@ var generateRSAKeyAsPEM = /* @__PURE__ */ __name(async (scheme, hashAlgorithm, m
   const keypair = await globalCrypto(false).subtle.generateKey(params, true, keyUsage);
   const pkcs8 = await globalCrypto(false).subtle.exportKey("pkcs8", keypair.privateKey);
   const uint8Array = new Uint8Array(pkcs8);
-  return derToPEM(_tostring.toString.call(void 0, uint8Array, "base64pad"), "RSA PRIVATE KEY");
+  return derToPEM(toString2(uint8Array, "base64pad"), "RSA PRIVATE KEY");
 }, "generateRSAKeyAsPEM");
 // src/x509/rsa-signer.ts
+var u8a3 = __toESM(require("uint8arrays"), 1);
+var { fromString: fromString2, toString: toString3 } = u8a3;
 var RSASigner = class {
   static {
     __name(this, "RSASigner");
   }
+  hashAlgorithm;
+  jwk;
+  key;
+  scheme;
   /**
   *
   * @param key Either in PEM or JWK format (no raw hex keys here!)
@@ -295,12 +356,12 @@ var RSASigner = class {
   */
   constructor(key, opts) {
     if (typeof key === "string") {
-      this.jwk = PEMToJwk(key, _optionalChain([opts, 'optionalAccess', _14 => _14.visibility]));
+      this.jwk = PEMToJwk(key, opts?.visibility);
     } else {
       this.jwk = key;
     }
-    this.hashAlgorithm = _nullishCoalesce(_optionalChain([opts, 'optionalAccess', _15 => _15.hashAlgorithm]), () => ( "SHA-256"));
-    this.scheme = _nullishCoalesce(_optionalChain([opts, 'optionalAccess', _16 => _16.scheme]), () => ( "RSA-PSS"));
+    this.hashAlgorithm = opts?.hashAlgorithm ?? "SHA-256";
+    this.scheme = opts?.scheme ?? "RSA-PSS";
   }
   getImportParams() {
     if (this.scheme === "RSA-PSS") {
@@ -322,7 +383,7 @@ var RSASigner = class {
   }
   bufferToString(buf) {
     const uint8Array = new Uint8Array(buf);
-    return _tostring.toString.call(void 0, uint8Array, "base64url");
+    return toString3(uint8Array, "base64url");
   }
   async sign(data) {
     const input = data;
@@ -335,7 +396,7 @@ var RSASigner = class {
   }
   async verify(data, signature) {
     const jws = signature.includes(".") ? signature.split(".")[2] : signature;
-    const input = typeof data == "string" ? _fromstring.fromString.call(void 0, data, "utf-8") : data;
+    const input = typeof data == "string" ? fromString2(data, "utf-8") : data;
     let key = await this.getKey();
     if (!key.usages.includes("verify")) {
       const verifyJwk = {
@@ -346,27 +407,27 @@ var RSASigner = class {
       delete verifyJwk.key_ops;
       key = await cryptoSubtleImportRSAKey(verifyJwk, this.scheme, this.hashAlgorithm);
     }
-    const verificationResult = await globalCrypto(false).subtle.verify(this.getImportParams(), key, _fromstring.fromString.call(void 0, jws, "base64url"), input);
+    const verificationResult = await globalCrypto(false).subtle.verify(this.getImportParams(), key, fromString2(jws, "base64url"), input);
     return verificationResult;
   }
 };
 // src/x509/x509-validator.ts
-var _asn1schema = require('@peculiar/asn1-schema');
-var _asn1x509 = require('@peculiar/asn1-x509');
-var _x509 = require('@peculiar/x509');
-var _jsx509utils = require('js-x509-utils'); var _jsx509utils2 = _interopRequireDefault(_jsx509utils);
-var _tsyringe = require('tsyringe');
+var import_asn1_schema = require("@peculiar/asn1-schema");
+var import_asn1_x509 = require("@peculiar/asn1-x509");
+var import_x509 = require("@peculiar/x509");
+var import_js_x509_utils = __toESM(require("js-x509-utils"), 1);
+var import_pkijs2 = require("pkijs");
+var import_tsyringe = require("tsyringe");
+var u8a4 = __toESM(require("uint8arrays"), 1);
+var { fromString: fromString3, toString: toString4 } = u8a4;
 var defaultCryptoEngine = /* @__PURE__ */ __name(() => {
   const name = "crypto";
-  _pkijs.setEngine.call(void 0, name, new (0, _pkijs.CryptoEngine)({
+  (0, import_pkijs2.setEngine)(name, new import_pkijs2.CryptoEngine({
     name,
     crypto: globalCrypto(false)
   }));
-  return _pkijs.getCrypto.call(void 0, true);
+  return (0, import_pkijs2.getCrypto)(true);
 }, "defaultCryptoEngine");
 var getCertificateInfo = /* @__PURE__ */ __name(async (certificate, opts) => {
   let publicKeyJWK;
@@ -381,7 +442,7 @@ var getCertificateInfo = /* @__PURE__ */ __name(async (certificate, opts) => {
     subject: {
       dn: getSubjectDN(certificate),
       subjectAlternativeNames: getSubjectAlternativeNames(certificate, {
-        typeFilter: _optionalChain([opts, 'optionalAccess', _17 => _17.sanTypeFilter])
+        typeFilter: opts?.sanTypeFilter
       })
     },
     publicKeyJWK,
@@ -429,14 +490,14 @@ var validateX509CertificateChainImpl = /* @__PURE__ */ __name(async ({ reversed,
     ...chain
   ].reverse();
   const trustedCerts = trustedPEMs ? await Promise.all(trustedPEMs.map((raw) => parseCertificate(raw))) : void 0;
-  const blindlyTrusted = await _asyncNullishCoalesce((await Promise.all(blindlyTrustedAnchors.map((raw) => {
+  const blindlyTrusted = (await Promise.all(blindlyTrustedAnchors.map((raw) => {
     try {
       return parseCertificate(raw);
     } catch (e) {
       console.log(`Failed to parse blindly trusted certificate ${raw}. Error: ${e.message}`);
       return void 0;
     }
-  }))).filter((cert) => cert !== void 0), async () => ( []));
+  }))).filter((cert) => cert !== void 0) ?? [];
   const leafCert = x5cOrdereredChain[0];
   const chainLength = chain.length;
   var foundTrustAnchor = void 0;
@@ -451,7 +512,7 @@ var validateX509CertificateChainImpl = /* @__PURE__ */ __name(async ({ reversed,
         critical: false,
         message: `Certificate chain validation success as single cert if blindly trusted. WARNING: ONLY USE FOR TESTING PURPOSES.`,
         detailMessage: `Blindly trusted certificate ${blindlyTrustedCert.certificateInfo.subject.dn.DN} was found in the chain.`,
-        trustAnchor: _optionalChain([blindlyTrustedCert, 'optionalAccess', _18 => _18.certificateInfo]),
+        trustAnchor: blindlyTrustedCert?.certificateInfo,
         verificationTime,
         certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
         ...client && {
@@ -477,7 +538,7 @@ var validateX509CertificateChainImpl = /* @__PURE__ */ __name(async ({ reversed,
           critical: true,
           certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
           message: `Certificate chain validation failed for ${leafCert.certificateInfo.subject.dn.DN}.`,
-          detailMessage: `The certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer}, is not signed by the previous certificate ${_optionalChain([previousCert, 'optionalAccess', _19 => _19.certificateInfo, 'access', _20 => _20.subject, 'access', _21 => _21.dn, 'access', _22 => _22.DN])} with subject string ${_optionalChain([previousCert, 'optionalAccess', _23 => _23.x509Certificate, 'access', _24 => _24.subject])}.`,
+          detailMessage: `The certificate ${currentCert.certificateInfo.subject.dn.DN} with issuer ${currentCert.x509Certificate.issuer}, is not signed by the previous certificate ${previousCert?.certificateInfo.subject.dn.DN} with subject string ${previousCert?.x509Certificate.subject}.`,
           verificationTime,
           ...client && {
             client
@@ -487,8 +548,8 @@ var validateX509CertificateChainImpl = /* @__PURE__ */ __name(async ({ reversed,
     }
     const result = await currentCert.x509Certificate.verify({
       date: verificationTime,
-      publicKey: _optionalChain([previousCert, 'optionalAccess', _25 => _25.x509Certificate, 'optionalAccess', _26 => _26.publicKey])
-    }, _nullishCoalesce(_nullishCoalesce(_optionalChain([_pkijs.getCrypto.call(void 0, ), 'optionalAccess', _27 => _27.crypto]), () => ( crypto)), () => ( global.crypto)));
+      publicKey: previousCert?.x509Certificate?.publicKey
+    }, (0, import_pkijs2.getCrypto)()?.crypto ?? crypto ?? global.crypto);
     if (!result) {
       if (i == 0 && !reversed && !disallowReversedChain) {
         return await validateX509CertificateChainImpl({
@@ -513,14 +574,14 @@ var validateX509CertificateChainImpl = /* @__PURE__ */ __name(async ({ reversed,
         }
       };
     }
-    foundTrustAnchor = _nullishCoalesce(foundTrustAnchor, () => ( _optionalChain([trustedCerts, 'optionalAccess', _28 => _28.find, 'call', _29 => _29((trusted) => isSameCertificate(trusted.x509Certificate, currentCert.x509Certificate))])));
+    foundTrustAnchor = foundTrustAnchor ?? trustedCerts?.find((trusted) => isSameCertificate(trusted.x509Certificate, currentCert.x509Certificate));
     if (i === 0 && chainLength === 1 && allowSingleNoCAChainElement) {
       return {
         error: false,
         critical: false,
         message: `Certificate chain succeeded as allow single cert result is allowed: ${leafCert.certificateInfo.subject.dn.DN}.`,
         certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
-        trustAnchor: _optionalChain([foundTrustAnchor, 'optionalAccess', _30 => _30.certificateInfo]),
+        trustAnchor: foundTrustAnchor?.certificateInfo,
         verificationTime,
         ...client && {
           client
@@ -528,14 +589,14 @@ var validateX509CertificateChainImpl = /* @__PURE__ */ __name(async ({ reversed,
       };
     }
   }
-  if (_optionalChain([foundTrustAnchor, 'optionalAccess', _31 => _31.certificateInfo]) || allowNoTrustAnchorsFound) {
+  if (foundTrustAnchor?.certificateInfo || allowNoTrustAnchorsFound) {
     return {
       error: false,
       critical: false,
       message: `Certificate chain was valid`,
       certificateChain: x5cOrdereredChain.map((cert) => cert.certificateInfo),
-      detailMessage: foundTrustAnchor ? `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} is part of a chain with trust anchor ${_optionalChain([foundTrustAnchor, 'optionalAccess', _32 => _32.certificateInfo, 'access', _33 => _33.subject, 'access', _34 => _34.dn, 'access', _35 => _35.DN])}.` : `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} and chain were valid, but no trust anchor has been found. Ignoring as user allowed (allowNoTrustAnchorsFound: ${allowNoTrustAnchorsFound}).)`,
-      trustAnchor: _optionalChain([foundTrustAnchor, 'optionalAccess', _36 => _36.certificateInfo]),
+      detailMessage: foundTrustAnchor ? `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} is part of a chain with trust anchor ${foundTrustAnchor?.certificateInfo.subject.dn.DN}.` : `The leaf certificate ${leafCert.certificateInfo.subject.dn.DN} and chain were valid, but no trust anchor has been found. Ignoring as user allowed (allowNoTrustAnchorsFound: ${allowNoTrustAnchorsFound}).)`,
+      trustAnchor: foundTrustAnchor?.certificateInfo,
       verificationTime,
       ...client && {
         client
@@ -557,13 +618,13 @@ var validateX509CertificateChainImpl = /* @__PURE__ */ __name(async ({ reversed,
 var isSameCertificate = /* @__PURE__ */ __name((cert1, cert2) => {
   return cert1.rawData.toString() === cert2.rawData.toString();
 }, "isSameCertificate");
-var algorithmProvider = _tsyringe.container.resolve(_x509.AlgorithmProvider);
+var algorithmProvider = import_tsyringe.container.resolve(import_x509.AlgorithmProvider);
 var getX509AlgorithmProvider = /* @__PURE__ */ __name(() => {
   return algorithmProvider;
 }, "getX509AlgorithmProvider");
 var parseCertificate = /* @__PURE__ */ __name(async (rawCert) => {
-  const x509Certificate = new (0, _x509.X509Certificate)(rawCert);
-  const publicKeyInfo = _asn1schema.AsnParser.parse(x509Certificate.publicKey.rawData, _asn1x509.SubjectPublicKeyInfo);
+  const x509Certificate = new import_x509.X509Certificate(rawCert);
+  const publicKeyInfo = import_asn1_schema.AsnParser.parse(x509Certificate.publicKey.rawData, import_asn1_x509.SubjectPublicKeyInfo);
   const publicKeyRaw = new Uint8Array(publicKeyInfo.subjectPublicKey);
   let publicKeyJwk = void 0;
   try {
@@ -612,7 +673,7 @@ var getSubjectDN = /* @__PURE__ */ __name((cert) => {
 var getDNObject = /* @__PURE__ */ __name((typesAndValues) => {
   const DN = {};
   for (const typeAndValue of typesAndValues) {
-    const type = _nullishCoalesce(rdnmap[typeAndValue.type], () => ( typeAndValue.type));
+    const type = rdnmap[typeAndValue.type] ?? typeAndValue.type;
     DN[type] = typeAndValue.value.getValue();
   }
   return DN;
@@ -621,22 +682,22 @@ var getDNString = /* @__PURE__ */ __name((typesAndValues) => {
   return Object.entries(getDNObject(typesAndValues)).map(([key, value]) => `${key}=${value}`).join(",");
 }, "getDNString");
 var getCertificateSubjectPublicKeyJWK = /* @__PURE__ */ __name(async (pemOrDerCert) => {
-  const pemOrDerStr = typeof pemOrDerCert === "string" ? _tostring.toString.call(void 0, _fromstring.fromString.call(void 0, pemOrDerCert, "base64pad"), "base64pad") : pemOrDerCert instanceof Uint8Array ? _tostring.toString.call(void 0, pemOrDerCert, "base64pad") : _tostring.toString.call(void 0, _fromstring.fromString.call(void 0, pemOrDerCert.toString("base64"), "base64pad"), "base64pad");
+  const pemOrDerStr = typeof pemOrDerCert === "string" ? toString4(fromString3(pemOrDerCert, "base64pad"), "base64pad") : pemOrDerCert instanceof Uint8Array ? toString4(pemOrDerCert, "base64pad") : toString4(fromString3(pemOrDerCert.toString("base64"), "base64pad"), "base64pad");
   const pem = derToPEM(pemOrDerStr);
   const certificate = pemOrDerToX509Certificate(pem);
   var jwk;
   try {
-    const subtle = _pkijs.getCrypto.call(void 0, true).subtle;
+    const subtle = (0, import_pkijs2.getCrypto)(true).subtle;
     const pk = await certificate.getPublicKey(void 0, defaultCryptoEngine());
     jwk = await subtle.exportKey("jwk", pk);
   } catch (error) {
-    console.log(`Error in primary get JWK from cert:`, _optionalChain([error, 'optionalAccess', _37 => _37.message]));
+    console.log(`Error in primary get JWK from cert:`, error?.message);
   }
   if (!jwk) {
     try {
-      jwk = await _jsx509utils2.default.toJwk(pem, "pem");
+      jwk = await import_js_x509_utils.default.toJwk(pem, "pem");
     } catch (error) {
-      console.log(`Error in secondary get JWK from cert as well:`, _optionalChain([error, 'optionalAccess', _38 => _38.message]));
+      console.log(`Error in secondary get JWK from cert as well:`, error?.message);
     }
   }
   if (!jwk) {
@@ -685,13 +746,13 @@ var validateCertificateChainMatchesClientIdScheme = /* @__PURE__ */ __name(async
 }, "validateCertificateChainMatchesClientIdScheme");
 var getSubjectAlternativeNames = /* @__PURE__ */ __name((certificate, opts) => {
   let typeFilter;
-  if (_optionalChain([opts, 'optionalAccess', _39 => _39.clientIdSchemeFilter])) {
+  if (opts?.clientIdSchemeFilter) {
     typeFilter = opts.clientIdSchemeFilter === "x509_san_dns" ? [
       2
     ] : [
       6
     ];
-  } else if (_optionalChain([opts, 'optionalAccess', _40 => _40.typeFilter])) {
+  } else if (opts?.typeFilter) {
     typeFilter = Array.isArray(opts.typeFilter) ? opts.typeFilter : [
       opts.typeFilter
     ];
@@ -701,7 +762,7 @@ var getSubjectAlternativeNames = /* @__PURE__ */ __name((certificate, opts) => {
       6
     ];
   }
-  const parsedValue = _optionalChain([certificate, 'access', _41 => _41.extensions, 'optionalAccess', _42 => _42.find, 'call', _43 => _43((ext) => ext.extnID === _pkijs.id_SubjectAltName), 'optionalAccess', _44 => _44.parsedValue]);
+  const parsedValue = certificate.extensions?.find((ext) => ext.extnID === import_pkijs2.id_SubjectAltName)?.parsedValue;
   if (!parsedValue) {
     return [];
   }
@@ -713,39 +774,4 @@ var getSubjectAlternativeNames = /* @__PURE__ */ __name((certificate, opts) => {
     };
   });
 }, "getSubjectAlternativeNames");
-exports.JwkKeyUse = JwkKeyUse; exports.PEMToBinary = PEMToBinary; exports.PEMToDer = PEMToDer; exports.PEMToHex = PEMToHex; exports.PEMToJwk = PEMToJwk; exports.RSASigner = RSASigner; exports.SubjectAlternativeGeneralName = SubjectAlternativeGeneralName; exports.areCertificatesEqual = areCertificatesEqual; exports.assertCertificateMatchesClientIdScheme = assertCertificateMatchesClientIdScheme; exports.base64ToHex = base64ToHex; exports.cryptoSubtleImportRSAKey = cryptoSubtleImportRSAKey; exports.derToPEM = derToPEM; exports.generateRSAKeyAsPEM = generateRSAKeyAsPEM; exports.getCertificateInfo = getCertificateInfo; exports.getCertificateSubjectPublicKeyJWK = getCertificateSubjectPublicKeyJWK; exports.getIssuerDN = getIssuerDN; exports.getSubjectAlternativeNames = getSubjectAlternativeNames; exports.getSubjectDN = getSubjectDN; exports.getX509AlgorithmProvider = getX509AlgorithmProvider; exports.hexKeyFromPEMBasedJwk = hexKeyFromPEMBasedJwk; exports.hexToBase64 = hexToBase64; exports.hexToPEM = hexToPEM; exports.jwkToPEM = jwkToPEM; exports.parseCertificate = parseCertificate; exports.pemCertChainTox5c = pemCertChainTox5c; exports.pemOrDerToX509Certificate = pemOrDerToX509Certificate; exports.privateKeyHexFromPEM = privateKeyHexFromPEM; exports.publicKeyHexFromPEM = publicKeyHexFromPEM; exports.signAlgorithmToSchemeAndHashAlg = signAlgorithmToSchemeAndHashAlg; exports.toKeyObject = toKeyObject; exports.validateCertificateChainMatchesClientIdScheme = validateCertificateChainMatchesClientIdScheme; exports.validateX509CertificateChain = validateX509CertificateChain; exports.x5cToPemCertChain = x5cToPemCertChain;
 //# sourceMappingURL=index.cjs.map