@super-protocol/sdk-js 3.12.1-beta.2 → 3.13.0-beta.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/certificates/binary-splitter.d.ts +26 -0
- package/dist/cjs/certificates/binary-splitter.js +269 -0
- package/dist/cjs/certificates/generator.d.ts +38 -0
- package/dist/cjs/certificates/generator.js +248 -0
- package/dist/cjs/certificates/helper.d.ts +8 -4
- package/dist/cjs/certificates/helper.js +45 -17
- package/dist/cjs/certificates/index.d.ts +1 -0
- package/dist/cjs/certificates/index.js +2 -1
- package/dist/cjs/certificates/ocsp.d.ts +6 -1
- package/dist/cjs/certificates/ocsp.js +179 -23
- package/dist/cjs/certificates/serializer.d.ts +5 -0
- package/dist/cjs/certificates/serializer.js +98 -2
- package/dist/cjs/certificates/setup-crypto.d.ts +3 -0
- package/dist/cjs/certificates/setup-crypto.js +51 -0
- package/dist/cjs/certificates/testing-generate.d.ts +1 -0
- package/dist/cjs/certificates/testing-generate.js +115 -0
- package/dist/cjs/certificates/types.d.ts +107 -0
- package/dist/cjs/certificates/types.js +8 -1
- package/dist/cjs/connectors/BlockchainConnector.js +11 -8
- package/dist/cjs/connectors/BlockchainEventsListener.d.ts +4 -4
- package/dist/cjs/connectors/BlockchainEventsListener.js +9 -8
- package/dist/cjs/constants.d.ts +6 -1
- package/dist/cjs/constants.js +13 -5
- package/dist/cjs/index.d.ts +0 -2
- package/dist/cjs/index.js +3 -6
- package/dist/cjs/models/Offer.d.ts +1 -1
- package/dist/cjs/models/Offer.js +10 -3
- package/dist/cjs/models/Order.d.ts +1 -1
- package/dist/cjs/models/Order.js +21 -20
- package/dist/cjs/models/TeeOffer.d.ts +2 -2
- package/dist/cjs/models/TeeOffer.js +18 -3
- package/dist/cjs/proto/OrderReport.d.ts +206 -15
- package/dist/cjs/proto/OrderReport.js +169 -3
- package/dist/cjs/staticModels/ActiveOrders.d.ts +1 -1
- package/dist/cjs/staticModels/ActiveOrders.js +1 -1
- package/dist/cjs/staticModels/OfferResources.js +3 -4
- package/dist/cjs/staticModels/Offers.d.ts +3 -4
- package/dist/cjs/staticModels/Offers.js +16 -17
- package/dist/cjs/staticModels/OffersCommon.d.ts +18 -0
- package/dist/cjs/staticModels/OffersCommon.js +79 -0
- package/dist/cjs/staticModels/Orders.d.ts +6 -5
- package/dist/cjs/staticModels/Orders.js +96 -5
- package/dist/cjs/staticModels/SecretRequests.js +2 -3
- package/dist/cjs/staticModels/StaticModel.d.ts +14 -2
- package/dist/cjs/staticModels/StaticModel.js +90 -2
- package/dist/cjs/staticModels/SuperproToken.d.ts +26 -1
- package/dist/cjs/staticModels/SuperproToken.js +40 -1
- package/dist/cjs/staticModels/TeeOffers.d.ts +4 -4
- package/dist/cjs/staticModels/TeeOffers.js +17 -16
- package/dist/cjs/tee/OrderReportService.js +4 -2
- package/dist/cjs/tee/QuoteValidator.d.ts +3 -2
- package/dist/cjs/tee/QuoteValidator.js +5 -4
- package/dist/cjs/tee/TeeCertificateService.d.ts +1 -1
- package/dist/cjs/tee/TeeCertificateService.js +11 -14
- package/dist/cjs/tee/TeeSignatureVerifier.d.ts +6 -4
- package/dist/cjs/tee/TeeSignatureVerifier.js +60 -32
- package/dist/cjs/tee/types.d.ts +1 -1
- package/dist/cjs/types/Order.d.ts +28 -2
- package/dist/cjs/types/Order.js +23 -2
- package/dist/cjs/types/index.d.ts +0 -1
- package/dist/cjs/types/index.js +1 -2
- package/dist/cjs/utils/CryptoKeysTransformer.d.ts +4 -0
- package/dist/cjs/utils/CryptoKeysTransformer.js +50 -1
- package/dist/cjs/utils/NonceTracker.d.ts +1 -0
- package/dist/cjs/utils/NonceTracker.js +6 -2
- package/dist/cjs/utils/TxManager.d.ts +3 -0
- package/dist/cjs/utils/TxManager.js +88 -35
- package/dist/cjs/utils/helper.d.ts +11 -3
- package/dist/cjs/utils/helper.js +56 -12
- package/dist/cjs/utils/helpers/getRawRpc.d.ts +2 -0
- package/dist/cjs/utils/helpers/getRawRpc.js +19 -0
- package/dist/cjs/utils/helpers/index.d.ts +1 -0
- package/dist/cjs/utils/helpers/index.js +2 -1
- package/dist/cjs/utils/types.d.ts +14 -0
- package/dist/cjs/utils/types.js +3 -0
- package/dist/mjs/certificates/binary-splitter.d.ts +26 -0
- package/dist/mjs/certificates/binary-splitter.js +265 -0
- package/dist/mjs/certificates/generator.d.ts +38 -0
- package/dist/mjs/certificates/generator.js +241 -0
- package/dist/mjs/certificates/helper.d.ts +8 -4
- package/dist/mjs/certificates/helper.js +45 -17
- package/dist/mjs/certificates/index.d.ts +1 -0
- package/dist/mjs/certificates/index.js +2 -1
- package/dist/mjs/certificates/ocsp.d.ts +6 -1
- package/dist/mjs/certificates/ocsp.js +180 -24
- package/dist/mjs/certificates/serializer.d.ts +5 -0
- package/dist/mjs/certificates/serializer.js +94 -1
- package/dist/mjs/certificates/setup-crypto.d.ts +3 -0
- package/dist/mjs/certificates/setup-crypto.js +22 -0
- package/dist/mjs/certificates/testing-generate.d.ts +1 -0
- package/dist/mjs/certificates/testing-generate.js +110 -0
- package/dist/mjs/certificates/types.d.ts +107 -0
- package/dist/mjs/certificates/types.js +7 -2
- package/dist/mjs/connectors/BlockchainConnector.js +11 -8
- package/dist/mjs/connectors/BlockchainEventsListener.d.ts +4 -4
- package/dist/mjs/connectors/BlockchainEventsListener.js +9 -8
- package/dist/mjs/constants.d.ts +6 -1
- package/dist/mjs/constants.js +12 -4
- package/dist/mjs/index.d.ts +0 -2
- package/dist/mjs/index.js +1 -3
- package/dist/mjs/models/Offer.d.ts +1 -1
- package/dist/mjs/models/Offer.js +10 -3
- package/dist/mjs/models/Order.d.ts +1 -1
- package/dist/mjs/models/Order.js +22 -21
- package/dist/mjs/models/TeeOffer.d.ts +2 -2
- package/dist/mjs/models/TeeOffer.js +18 -3
- package/dist/mjs/proto/OrderReport.d.ts +206 -15
- package/dist/mjs/proto/OrderReport.js +168 -2
- package/dist/mjs/staticModels/ActiveOrders.d.ts +1 -1
- package/dist/mjs/staticModels/ActiveOrders.js +1 -1
- package/dist/mjs/staticModels/OfferResources.js +4 -5
- package/dist/mjs/staticModels/Offers.d.ts +3 -4
- package/dist/mjs/staticModels/Offers.js +16 -17
- package/dist/mjs/staticModels/OffersCommon.d.ts +18 -0
- package/dist/mjs/staticModels/OffersCommon.js +73 -0
- package/dist/mjs/staticModels/Orders.d.ts +6 -5
- package/dist/mjs/staticModels/Orders.js +98 -7
- package/dist/mjs/staticModels/SecretRequests.js +3 -4
- package/dist/mjs/staticModels/StaticModel.d.ts +14 -2
- package/dist/mjs/staticModels/StaticModel.js +90 -2
- package/dist/mjs/staticModels/SuperproToken.d.ts +26 -1
- package/dist/mjs/staticModels/SuperproToken.js +40 -1
- package/dist/mjs/staticModels/TeeOffers.d.ts +4 -4
- package/dist/mjs/staticModels/TeeOffers.js +17 -16
- package/dist/mjs/tee/OrderReportService.js +4 -2
- package/dist/mjs/tee/QuoteValidator.d.ts +3 -2
- package/dist/mjs/tee/QuoteValidator.js +5 -4
- package/dist/mjs/tee/TeeCertificateService.d.ts +1 -1
- package/dist/mjs/tee/TeeCertificateService.js +12 -15
- package/dist/mjs/tee/TeeSignatureVerifier.d.ts +6 -4
- package/dist/mjs/tee/TeeSignatureVerifier.js +59 -31
- package/dist/mjs/tee/types.d.ts +1 -1
- package/dist/mjs/types/Order.d.ts +28 -2
- package/dist/mjs/types/Order.js +21 -1
- package/dist/mjs/types/index.d.ts +0 -1
- package/dist/mjs/types/index.js +1 -2
- package/dist/mjs/utils/CryptoKeysTransformer.d.ts +4 -0
- package/dist/mjs/utils/CryptoKeysTransformer.js +50 -1
- package/dist/mjs/utils/NonceTracker.d.ts +1 -0
- package/dist/mjs/utils/NonceTracker.js +6 -2
- package/dist/mjs/utils/TxManager.d.ts +3 -0
- package/dist/mjs/utils/TxManager.js +89 -36
- package/dist/mjs/utils/helper.d.ts +11 -3
- package/dist/mjs/utils/helper.js +54 -12
- package/dist/mjs/utils/helpers/getRawRpc.d.ts +2 -0
- package/dist/mjs/utils/helpers/getRawRpc.js +15 -0
- package/dist/mjs/utils/helpers/index.d.ts +1 -0
- package/dist/mjs/utils/helpers/index.js +2 -1
- package/dist/mjs/utils/types.d.ts +14 -0
- package/dist/mjs/utils/types.js +2 -0
- package/package.json +7 -4
- package/readme.md +11 -0
- package/dist/cjs/contracts/Campaign.d.ts +0 -1036
- package/dist/cjs/contracts/Campaign.js +0 -1347
- package/dist/cjs/staticModels/Campaign.d.ts +0 -59
- package/dist/cjs/staticModels/Campaign.js +0 -248
- package/dist/cjs/types/Campaign.d.ts +0 -57
- package/dist/cjs/types/Campaign.js +0 -11
- package/dist/mjs/contracts/Campaign.d.ts +0 -1036
- package/dist/mjs/contracts/Campaign.js +0 -1344
- package/dist/mjs/staticModels/Campaign.d.ts +0 -59
- package/dist/mjs/staticModels/Campaign.js +0 -243
- package/dist/mjs/types/Campaign.d.ts +0 -57
- package/dist/mjs/types/Campaign.js +0 -8
|
@@ -31,29 +31,27 @@ const lodash_1 = __importDefault(require("lodash"));
|
|
|
31
31
|
const axios_1 = __importDefault(require("axios"));
|
|
32
32
|
const node_forge_1 = __importDefault(require("node-forge"));
|
|
33
33
|
const pkijs = __importStar(require("pkijs"));
|
|
34
|
+
const x509_1 = require("@peculiar/x509");
|
|
34
35
|
const memory_js_1 = require("../utils/cache/memory.js");
|
|
35
36
|
const ocsp_js_1 = require("./ocsp.js");
|
|
36
37
|
const crl_js_1 = require("./crl.js");
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
pkijs.setEngine('Node', new pkijs.CryptoEngine({ name: 'Node', crypto: crypto_1.webcrypto }));
|
|
46
|
-
}
|
|
47
|
-
}
|
|
38
|
+
require("./setup-crypto.js");
|
|
39
|
+
const pki_common_1 = require("@super-protocol/pki-common");
|
|
40
|
+
const oidsForOcspCheck = [
|
|
41
|
+
pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_ID,
|
|
42
|
+
pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID,
|
|
43
|
+
pki_common_1.OID_CUSTOM_EXTENSION_NVIDIA_INFO_GPU,
|
|
44
|
+
pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_CERTIFICATE_ID,
|
|
45
|
+
];
|
|
48
46
|
class CertificatesHelper {
|
|
49
47
|
static downloadedCertificateCache = (0, memory_js_1.createMemoryCache)();
|
|
50
|
-
static derToPem(data) {
|
|
48
|
+
static derToPem(data, type = 'CERTIFICATE') {
|
|
51
49
|
return node_forge_1.default.pem.encode({
|
|
52
50
|
contentDomain: null,
|
|
53
51
|
dekInfo: null,
|
|
54
52
|
headers: [],
|
|
55
53
|
procType: null,
|
|
56
|
-
type
|
|
54
|
+
type,
|
|
57
55
|
body: Buffer.from(data).toString('binary'),
|
|
58
56
|
});
|
|
59
57
|
}
|
|
@@ -85,12 +83,18 @@ class CertificatesHelper {
|
|
|
85
83
|
ca: toPemChain(splitCerts[1]),
|
|
86
84
|
};
|
|
87
85
|
}
|
|
86
|
+
static getIssuerBySubject(cert, certs) {
|
|
87
|
+
return certs.find((potentialIssuer) => cert.issuer.isEqual(potentialIssuer.subject));
|
|
88
|
+
}
|
|
88
89
|
static pemChainToDer(certsPem) {
|
|
89
90
|
const certs = CertificatesHelper.splitPemCerts(certsPem);
|
|
90
91
|
return certs.map((certPem) => CertificatesHelper.pemToDer(certPem));
|
|
91
92
|
}
|
|
92
93
|
static derChainToPem(certsDer) {
|
|
93
|
-
return certsDer
|
|
94
|
+
return certsDer
|
|
95
|
+
.map((cert) => CertificatesHelper.derToPem(cert))
|
|
96
|
+
.join('')
|
|
97
|
+
.trim();
|
|
94
98
|
}
|
|
95
99
|
static async downloadCertWithCache(url) {
|
|
96
100
|
const responseData = await CertificatesHelper.downloadedCertificateCache.wrap(url, async () => {
|
|
@@ -104,7 +108,9 @@ class CertificatesHelper {
|
|
|
104
108
|
return responseData;
|
|
105
109
|
}
|
|
106
110
|
static sortCertsFromLeafToRoot(certsPem) {
|
|
107
|
-
const allCerts =
|
|
111
|
+
const allCerts = typeof certsPem === 'string' || certsPem.every((cert) => typeof cert === 'string')
|
|
112
|
+
? CertificatesHelper.toPkiCerts(certsPem)
|
|
113
|
+
: certsPem;
|
|
108
114
|
const leafs = allCerts.filter((certToCheck) => !allCerts.some((certsToCheckWith) => certToCheck.subject.isEqual(certsToCheckWith.issuer)));
|
|
109
115
|
const buildChain = (leaf) => {
|
|
110
116
|
const chain = [leaf];
|
|
@@ -121,6 +127,16 @@ class CertificatesHelper {
|
|
|
121
127
|
const chains = leafs.map(buildChain).sort((one, two) => two.length - one.length);
|
|
122
128
|
return chains.flat();
|
|
123
129
|
}
|
|
130
|
+
static getCertPublicKeyAlgorithm(certPem) {
|
|
131
|
+
const cert = new x509_1.X509Certificate(certPem);
|
|
132
|
+
const publicKey = cert.publicKey;
|
|
133
|
+
return publicKey.algorithm;
|
|
134
|
+
}
|
|
135
|
+
static getCsrPublicKeyAlgorithm(csrPem) {
|
|
136
|
+
const csr = new x509_1.Pkcs10CertificateRequest(csrPem);
|
|
137
|
+
const publicKey = csr.publicKey;
|
|
138
|
+
return publicKey.algorithm;
|
|
139
|
+
}
|
|
124
140
|
static async validateCertChain(certsPem, caPem, options = {}) {
|
|
125
141
|
const { offline } = options;
|
|
126
142
|
// reverse() is needed because pkijs expects certificates to be ordered from root to leaf
|
|
@@ -130,7 +146,19 @@ class CertificatesHelper {
|
|
|
130
146
|
const crls = offline ? [] : await crl_js_1.CRLHelper.getCRLFromCerts(sortedCerts);
|
|
131
147
|
const ocspBaseResponses = offline
|
|
132
148
|
? []
|
|
133
|
-
: await ocsp_js_1.OCSPHelper.getOCSPResponseFromCerts(sortedCerts, ca);
|
|
149
|
+
: await ocsp_js_1.OCSPHelper.getOCSPResponseFromCerts(sortedCerts, ca, oidsForOcspCheck);
|
|
150
|
+
if (ocspBaseResponses.length) {
|
|
151
|
+
ocspBaseResponses.forEach((ocspResponse) => {
|
|
152
|
+
if (!ocspResponse.certs) {
|
|
153
|
+
throw new Error('OCSP response does not contain certs');
|
|
154
|
+
}
|
|
155
|
+
const ocspSigner = CertificatesHelper.sortCertsFromLeafToRoot(ocspResponse.certs)[0];
|
|
156
|
+
const isSignerValid = ocsp_js_1.OCSPHelper.canCertSignOCSPResponse(ocspSigner);
|
|
157
|
+
if (!isSignerValid) {
|
|
158
|
+
throw new Error('OCSP signer certificate does not have the OCSP signing extended key usage');
|
|
159
|
+
}
|
|
160
|
+
});
|
|
161
|
+
}
|
|
134
162
|
const chainEngine = new pkijs.CertificateChainValidationEngine({
|
|
135
163
|
certs: sortedCerts,
|
|
136
164
|
trustedCerts: ca,
|
|
@@ -174,4 +202,4 @@ class CertificatesHelper {
|
|
|
174
202
|
}
|
|
175
203
|
}
|
|
176
204
|
exports.CertificatesHelper = CertificatesHelper;
|
|
177
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
205
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaGVscGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2NlcnRpZmljYXRlcy9oZWxwZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSxvREFBdUI7QUFDdkIsa0RBQTBCO0FBQzFCLDREQUErQjtBQUMvQiw2Q0FBK0I7QUFDL0IseUNBQTJFO0FBQzNFLHdEQUE2RDtBQUU3RCx1Q0FBdUM7QUFDdkMscUNBQXFDO0FBQ3JDLDZCQUEyQjtBQUMzQiwyREFLb0M7QUFFcEMsTUFBTSxnQkFBZ0IsR0FBRztJQUN2Qiw4Q0FBaUM7SUFDakMscURBQXdDO0lBQ3hDLGlEQUFvQztJQUNwQywwREFBNkM7Q0FDOUMsQ0FBQztBQUVGLE1BQWEsa0JBQWtCO0lBQ3JCLE1BQU0sQ0FBQywwQkFBMEIsR0FBRyxJQUFBLDZCQUFpQixHQUFFLENBQUM7SUFFaEUsTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFpQixFQUFFLE9BQWUsYUFBYTtRQUM3RCxPQUFPLG9CQUFLLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQztZQUN0QixhQUFhLEVBQUUsSUFBSTtZQUNuQixPQUFPLEVBQUUsSUFBSTtZQUNiLE9BQU8sRUFBRSxFQUFFO1lBQ1gsUUFBUSxFQUFFLElBQUk7WUFDZCxJQUFJO1lBQ0osSUFBSSxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQztTQUMzQyxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsTUFBTSxDQUFDLFFBQVEsQ0FBQyxPQUFlO1FBQzdCLE9BQU8sTUFBTSxDQUFDLElBQUksQ0FBQyxvQkFBSyxDQUFDLEdBQUcsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUMsS0FBSyxFQUFFLEVBQUUsUUFBUSxDQUFDLENBQUM7SUFDcEUsQ0FBQztJQUVELE1BQU0sQ0FBQyxhQUFhLENBQUMsS0FBYTtRQUNoQyxNQUFNLFFBQVEsR0FBRyxpRUFBaUUsQ0FBQztRQUNuRixPQUFPLEtBQUssQ0FBQyxLQUFLLENBQUMsUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDO0lBQ3JDLENBQUM7SUFFRCxNQUFNLENBQUMsU0FBUyxDQUFDLE9BQWU7UUFDOUIsTUFBTSxJQUFJLEdBQUcsb0JBQUssQ0FBQyxHQUFHLENBQUMsa0JBQWtCLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDbkQsT0FBTyxJQUFJLENBQUMsT0FBTyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxTQUFTLEVBQUUsRUFBRSxDQUFDLFNBQVMsQ0FBQyxJQUFJLEtBQUssWUFBWSxDQUFDO1lBQ2pGLEVBQUUsS0FBZSxDQUFDO0lBQ3RCLENBQUM7SUFFRCxNQUFNLENBQUMsaUJBQWlCLENBQUMsU0FBcUMsRUFBRSxHQUFXO1FBQ3pFLE1BQU0sSUFBSSxHQUNSLE9BQU8sU0FBUyxLQUFLLFFBQVE7WUFDM0IsQ0FBQyxDQUFDLEtBQUssQ0FBQyxXQUFXLENBQUMsT0FBTyxDQUFDLGtCQUFrQixDQUFDLFFBQVEsQ0FBQyxTQUFTLENBQUMsQ0FBQztZQUNuRSxDQUFDLENBQUMsU0FBUyxDQUFDO1FBQ2hCLE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxVQUFVLEVBQUUsSUFBSSxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsTUFBTSxLQUFLLEdBQUcsQ0FBQyxDQUFDO1FBQ3JFLE9BQU8sU0FBUyxJQUFJLE1BQU0sQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLFNBQVMsQ0FBQyxVQUFVLENBQUMsS0FBSyxFQUFFLENBQUMsQ0FBQztJQUMxRSxDQUFDO0lBRUQsTUFBTSxDQUFDLGtCQUFrQixDQUFDLFFBQWdCO1FBQ3hDLE1BQU0sS0FBSyxHQUFHLGtCQUFrQixDQUFDLFVBQVUsQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUN0RCxNQUFNLFVBQVUsR0FBRyxnQkFBQyxDQUFDLFNBQVMsQ0FBQyxLQUFLLEVBQUUsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUM7UUFFcEYsTUFBTSxVQUFVLEdBQUcsQ0FBQyxLQUEwQixFQUFVLEVBQUUsQ0FDeEQsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsa0JBQWtCLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxRQUFRLEVBQUUsQ0FBQyxLQUFLLEVBQUUsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxDQUFDO1FBRXZGLE9BQU87WUFDTCxLQUFLLEVBQUUsVUFBVSxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUNoQyxFQUFFLEVBQUUsVUFBVSxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQztTQUM5QixDQUFDO0lBQ0osQ0FBQztJQUVELE1BQU0sQ0FBQyxrQkFBa0IsQ0FDdkIsSUFBdUIsRUFDdkIsS0FBMEI7UUFFMUIsT0FBTyxLQUFLLENBQUMsSUFBSSxDQUFDLENBQUMsZUFBZSxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxlQUFlLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQztJQUN2RixDQUFDO0lBRUQsTUFBTSxDQUFDLGFBQWEsQ0FBQyxRQUFnQjtRQUNuQyxNQUFNLEtBQUssR0FBRyxrQkFBa0IsQ0FBQyxhQUFhLENBQUMsUUFBUSxDQUFDLENBQUM7UUFFekQsT0FBTyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUMsT0FBTyxFQUFFLEVBQUUsQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQztJQUN0RSxDQUFDO0lBRUQsTUFBTSxDQUFDLGFBQWEsQ0FBQyxRQUFzQjtRQUN6QyxPQUFPLFFBQVE7YUFDWixHQUFHLENBQUMsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLGtCQUFrQixDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsQ0FBQzthQUNoRCxJQUFJLENBQUMsRUFBRSxDQUFDO2FBQ1IsSUFBSSxFQUFFLENBQUM7SUFDWixDQUFDO0lBRUQsTUFBTSxDQUFDLEtBQUssQ0FBQyxxQkFBcUIsQ0FBQyxHQUFXO1FBQzVDLE1BQU0sWUFBWSxHQUFHLE1BQU0sa0JBQWtCLENBQUMsMEJBQTBCLENBQUMsSUFBSSxDQUMzRSxHQUFHLEVBQ0gsS0FBSyxJQUFJLEVBQUU7WUFDVCxNQUFNLFFBQVEsR0FBRyxNQUFNLElBQUEsZUFBSyxFQUFDLEdBQUcsRUFBRTtnQkFDaEMsWUFBWSxFQUFFLGFBQWE7YUFDNUIsQ0FBQyxDQUFDO1lBQ0gsT0FBTyxRQUFRLEVBQUUsSUFBSSxDQUFDO1FBQ3hCLENBQUMsRUFDRDtZQUNFLEdBQUcsRUFBRSxDQUFDLEdBQUcsRUFBRSxHQUFHLElBQUksRUFBRSxPQUFPO1NBQzVCLENBQ0YsQ0FBQztRQUVGLE9BQU8sWUFBWSxDQUFDO0lBQ3RCLENBQUM7SUFFRCxNQUFNLENBQUMsdUJBQXVCLENBQzVCLFFBQWlEO1FBRWpELE1BQU0sUUFBUSxHQUNaLE9BQU8sUUFBUSxLQUFLLFFBQVEsSUFBSSxRQUFRLENBQUMsS0FBSyxDQUFDLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxPQUFPLElBQUksS0FBSyxRQUFRLENBQUM7WUFDaEYsQ0FBQyxDQUFDLGtCQUFrQixDQUFDLFVBQVUsQ0FBQyxRQUE2QixDQUFDO1lBQzlELENBQUMsQ0FBRSxRQUFnQyxDQUFDO1FBRXhDLE1BQU0sS0FBSyxHQUFHLFFBQVEsQ0FBQyxNQUFNLENBQzNCLENBQUMsV0FBVyxFQUFFLEVBQUUsQ0FDZCxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsQ0FBQyxnQkFBZ0IsRUFBRSxFQUFFLENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsZ0JBQWdCLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FDN0YsQ0FBQztRQUVGLE1BQU0sVUFBVSxHQUFHLENBQUMsSUFBdUIsRUFBdUIsRUFBRTtZQUNsRSxNQUFNLEtBQUssR0FBRyxDQUFDLElBQUksQ0FBQyxDQUFDO1lBQ3JCLElBQUksV0FBVyxHQUFrQyxJQUFJLENBQUM7WUFFdEQsR0FBRyxDQUFDO2dCQUNGLFdBQVcsR0FBRyxRQUFRLENBQUMsSUFBSSxDQUN6QixDQUFDLGVBQWUsRUFBRSxFQUFFLENBQ2xCLFdBQVcsRUFBRSxNQUFNLENBQUMsT0FBTyxDQUFDLGVBQWUsQ0FBQyxPQUFPLENBQUM7b0JBQ3BELENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsV0FBVyxDQUFDLE1BQU0sQ0FBQyxDQUNuRCxDQUFDO2dCQUVGLElBQUksV0FBVyxFQUFFLENBQUM7b0JBQ2hCLEtBQUssQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLENBQUM7Z0JBQzFCLENBQUM7WUFDSCxDQUFDLFFBQVEsV0FBVyxFQUFFO1lBRXRCLE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQyxDQUFDO1FBRUYsTUFBTSxNQUFNLEdBQUcsS0FBSyxDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQyxHQUFHLEVBQUUsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsTUFBTSxHQUFHLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUNqRixPQUFPLE1BQU0sQ0FBQyxJQUFJLEVBQUUsQ0FBQztJQUN2QixDQUFDO0lBRUQsTUFBTSxDQUFDLHlCQUF5QixDQUFDLE9BQWU7UUFDOUMsTUFBTSxJQUFJLEdBQUcsSUFBSSxzQkFBZSxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQzFDLE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxTQUFTLENBQUM7UUFDakMsT0FBTyxTQUFTLENBQUMsU0FBeUIsQ0FBQztJQUM3QyxDQUFDO0lBRUQsTUFBTSxDQUFDLHdCQUF3QixDQUFDLE1BQWM7UUFDNUMsTUFBTSxHQUFHLEdBQUcsSUFBSSwrQkFBd0IsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUNqRCxNQUFNLFNBQVMsR0FBRyxHQUFHLENBQUMsU0FBUyxDQUFDO1FBQ2hDLE9BQU8sU0FBUyxDQUFDLFNBQXlCLENBQUM7SUFDN0MsQ0FBQztJQUVELE1BQU0sQ0FBQyxLQUFLLENBQUMsaUJBQWlCLENBQzVCLFFBQTJCLEVBQzNCLEtBQXdCLEVBQ3hCLFVBQWlDLEVBQUU7UUFFbkMsTUFBTSxFQUFFLE9BQU8sRUFBRSxHQUFHLE9BQU8sQ0FBQztRQUU1Qix5RkFBeUY7UUFDekYsTUFBTSxXQUFXLEdBQUcsa0JBQWtCLENBQUMsdUJBQXVCLENBQUMsUUFBUSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUM7UUFFbkYsTUFBTSxFQUFFLEdBQUcsa0JBQWtCLENBQUMsVUFBVSxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBRWhELElBQUksQ0FBQztZQUNILE1BQU0sSUFBSSxHQUFHLE9BQU8sQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxNQUFNLGtCQUFTLENBQUMsZUFBZSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1lBQ3pFLE1BQU0saUJBQWlCLEdBQUcsT0FBTztnQkFDL0IsQ0FBQyxDQUFDLEVBQUU7Z0JBQ0osQ0FBQyxDQUFDLE1BQU0sb0JBQVUsQ0FBQyx3QkFBd0IsQ0FBQyxXQUFXLEVBQUUsRUFBRSxFQUFFLGdCQUFnQixDQUFDLENBQUM7WUFDakYsSUFBSSxpQkFBaUIsQ0FBQyxNQUFNLEVBQUUsQ0FBQztnQkFDN0IsaUJBQWlCLENBQUMsT0FBTyxDQUFDLENBQUMsWUFBWSxFQUFFLEVBQUU7b0JBQ3pDLElBQUksQ0FBQyxZQUFZLENBQUMsS0FBSyxFQUFFLENBQUM7d0JBQ3hCLE1BQU0sSUFBSSxLQUFLLENBQUMsc0NBQXNDLENBQUMsQ0FBQztvQkFDMUQsQ0FBQztvQkFDRCxNQUFNLFVBQVUsR0FBRyxrQkFBa0IsQ0FBQyx1QkFBdUIsQ0FBQyxZQUFZLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7b0JBQ3JGLE1BQU0sYUFBYSxHQUFHLG9CQUFVLENBQUMsdUJBQXVCLENBQUMsVUFBVSxDQUFDLENBQUM7b0JBQ3JFLElBQUksQ0FBQyxhQUFhLEVBQUUsQ0FBQzt3QkFDbkIsTUFBTSxJQUFJLEtBQUssQ0FDYiwyRUFBMkUsQ0FDNUUsQ0FBQztvQkFDSixDQUFDO2dCQUNILENBQUMsQ0FBQyxDQUFDO1lBQ0wsQ0FBQztZQUVELE1BQU0sV0FBVyxHQUFHLElBQUksS0FBSyxDQUFDLGdDQUFnQyxDQUFDO2dCQUM3RCxLQUFLLEVBQUUsV0FBVztnQkFDbEIsWUFBWSxFQUFFLEVBQUU7Z0JBQ2hCLEtBQUssRUFBRSxpQkFBaUI7Z0JBQ3hCLElBQUk7YUFDTCxDQUFDLENBQUM7WUFFSCxNQUFNLFlBQVksR0FBRyxNQUFNLFdBQVcsQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUNoRCxJQUFJLENBQUMsWUFBWSxDQUFDLE1BQU0sRUFBRSxDQUFDO2dCQUN6QixPQUFPO29CQUNMLE9BQU8sRUFBRSxLQUFLO29CQUNkLFlBQVksRUFBRSxZQUFZLENBQUMsYUFBYTtpQkFDekMsQ0FBQztZQUNKLENBQUM7WUFFRDs7Ozs7Ozs7ZUFRRztZQUNILE1BQU0sa0JBQWtCLEdBQUcsV0FBVyxDQUFDLEtBQUssQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQ3BELFlBQVksQ0FBQyxlQUFlLEVBQUUsSUFBSSxDQUFDLENBQUMsWUFBWSxFQUFFLEVBQUUsQ0FDbEQsWUFBWSxDQUFDLFlBQVksQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxDQUNyRCxDQUNGLENBQUM7WUFDRixJQUFJLENBQUMsa0JBQWtCLEVBQUUsQ0FBQztnQkFDeEIsTUFBTSxJQUFJLEtBQUssQ0FBQyw2Q0FBNkMsQ0FBQyxDQUFDO1lBQ2pFLENBQUM7WUFFRCxPQUFPO2dCQUNMLE9BQU8sRUFBRSxJQUFJO2FBQ2QsQ0FBQztRQUNKLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsT0FBTztnQkFDTCxPQUFPLEVBQUUsS0FBSztnQkFDZCxZQUFZLEVBQUcsR0FBYSxDQUFDLE9BQU87YUFDckMsQ0FBQztRQUNKLENBQUM7SUFDSCxDQUFDO0lBRUQsTUFBTSxDQUFDLFVBQVUsQ0FBQyxLQUF3QjtRQUN4QyxNQUFNLFVBQVUsR0FBRyxLQUFLLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLGtCQUFrQixDQUFDLGFBQWEsQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUMxRixPQUFPLFVBQVUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUNoQyxLQUFLLENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FDaEUsQ0FBQztJQUNKLENBQUM7O0FBek5ILGdEQTBOQyJ9
|
|
@@ -17,4 +17,5 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
17
17
|
__exportStar(require("./helper.js"), exports);
|
|
18
18
|
__exportStar(require("./types.js"), exports);
|
|
19
19
|
__exportStar(require("./serializer.js"), exports);
|
|
20
|
-
|
|
20
|
+
__exportStar(require("./generator.js"), exports);
|
|
21
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY2VydGlmaWNhdGVzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSw4Q0FBNEI7QUFDNUIsNkNBQTJCO0FBQzNCLGtEQUFnQztBQUNoQyxpREFBK0IifQ==
|
|
@@ -1,9 +1,14 @@
|
|
|
1
1
|
import * as pkijs from 'pkijs';
|
|
2
|
+
import { GenerateOcspResponseParams, ParsedOcspRequest } from '../index.js';
|
|
2
3
|
export declare class OCSPHelper {
|
|
3
|
-
static getOCSPResponseFromCerts(certs: pkijs.Certificate[], ca: pkijs.Certificate[]): Promise<pkijs.BasicOCSPResponse[]>;
|
|
4
|
+
static getOCSPResponseFromCerts(certs: pkijs.Certificate[], ca: pkijs.Certificate[], oidsToCheck?: string[]): Promise<pkijs.BasicOCSPResponse[]>;
|
|
5
|
+
static generateOCSPResponse(params: GenerateOcspResponseParams): Promise<ArrayBuffer>;
|
|
6
|
+
static parseOCSPRequest(ocspRequestBinary: ArrayBuffer): ParsedOcspRequest;
|
|
7
|
+
static canCertSignOCSPResponse(cert: pkijs.Certificate): boolean;
|
|
4
8
|
private static getOCSPRequestData;
|
|
5
9
|
private static getOCSPResponse;
|
|
6
10
|
private static sendOCSPRequest;
|
|
7
11
|
private static getNonceForRequest;
|
|
8
12
|
private static getNonceFromResponse;
|
|
13
|
+
private static getCertExtensionsToCheck;
|
|
9
14
|
}
|
|
@@ -27,21 +27,39 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
27
27
|
};
|
|
28
28
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
29
29
|
exports.OCSPHelper = void 0;
|
|
30
|
+
const lodash_1 = __importDefault(require("lodash"));
|
|
31
|
+
const node_forge_1 = __importDefault(require("node-forge"));
|
|
30
32
|
const pkijs = __importStar(require("pkijs"));
|
|
31
33
|
const asn1js = __importStar(require("asn1js"));
|
|
32
34
|
const axios_1 = __importDefault(require("axios"));
|
|
35
|
+
const asn1_ocsp_1 = require("@peculiar/asn1-ocsp");
|
|
36
|
+
const asn1_schema_1 = require("@peculiar/asn1-schema");
|
|
37
|
+
const asn1_x509_1 = require("@peculiar/asn1-x509");
|
|
33
38
|
const constants_js_1 = require("../constants.js");
|
|
34
39
|
const helper_js_1 = require("./helper.js");
|
|
35
40
|
const index_js_1 = require("../index.js");
|
|
41
|
+
const x509_1 = require("@peculiar/x509");
|
|
42
|
+
const DEFAULT_REVOCATION_DATE = new Date('1970-01-01T00:00:00Z');
|
|
36
43
|
class OCSPHelper {
|
|
37
|
-
static async getOCSPResponseFromCerts(certs, ca) {
|
|
44
|
+
static async getOCSPResponseFromCerts(certs, ca, oidsToCheck = []) {
|
|
38
45
|
const ocspRequestsData = certs
|
|
39
46
|
.map(OCSPHelper.getOCSPRequestData)
|
|
40
47
|
.filter(Boolean);
|
|
41
48
|
if (!ocspRequestsData.length) {
|
|
42
49
|
return [];
|
|
43
50
|
}
|
|
44
|
-
const
|
|
51
|
+
const groupByOcspUrl = lodash_1.default.groupBy(ocspRequestsData, 'ocspUrl');
|
|
52
|
+
const getOcspResponseParams = Object.entries(groupByOcspUrl).map(([ocspUrl, certParams]) => ({
|
|
53
|
+
ocspUrl,
|
|
54
|
+
certsWithIssuer: certParams.map(({ cert, issuerCertUrl }) => ({
|
|
55
|
+
cert,
|
|
56
|
+
issuerCertUrl,
|
|
57
|
+
issuerCert: helper_js_1.CertificatesHelper.getIssuerBySubject(cert, [...certs, ...ca]),
|
|
58
|
+
})),
|
|
59
|
+
ca,
|
|
60
|
+
oidsToCheck,
|
|
61
|
+
}));
|
|
62
|
+
const ocspResponseResults = await Promise.allSettled(getOcspResponseParams.map((params) => OCSPHelper.getOCSPResponse(params)));
|
|
45
63
|
const rejectedOCSPResponses = ocspResponseResults
|
|
46
64
|
.filter(index_js_1.helpers.isRejected)
|
|
47
65
|
.map((result) => result.reason);
|
|
@@ -50,6 +68,104 @@ class OCSPHelper {
|
|
|
50
68
|
}
|
|
51
69
|
return ocspResponseResults.filter(index_js_1.helpers.isFulfilled).map((result) => result.value);
|
|
52
70
|
}
|
|
71
|
+
static async generateOCSPResponse(params) {
|
|
72
|
+
const ocspBasicResp = new pkijs.BasicOCSPResponse();
|
|
73
|
+
const { issuerCertPem, caCertsPem, certs, privateKey, nonce } = params;
|
|
74
|
+
const { certs: issuerCertsPem } = helper_js_1.CertificatesHelper.extractCAFromChain(`${issuerCertPem}\n${caCertsPem}`);
|
|
75
|
+
const issuerCert = helper_js_1.CertificatesHelper.toPkiCerts(issuerCertPem)[0];
|
|
76
|
+
ocspBasicResp.tbsResponseData.responderID = issuerCert.subject;
|
|
77
|
+
ocspBasicResp.tbsResponseData.producedAt = new Date();
|
|
78
|
+
ocspBasicResp.certs = helper_js_1.CertificatesHelper.toPkiCerts(issuerCertsPem);
|
|
79
|
+
for (const certData of certs) {
|
|
80
|
+
const { serialNumber, status, issuerKeyHash, issuerNameHash, hashAlgorithm, revocationDate } = certData;
|
|
81
|
+
const certID = new pkijs.CertID({
|
|
82
|
+
hashAlgorithm: new pkijs.AlgorithmIdentifier({
|
|
83
|
+
algorithmId: hashAlgorithm,
|
|
84
|
+
algorithmParams: new asn1js.Null(),
|
|
85
|
+
}),
|
|
86
|
+
issuerNameHash: new asn1js.OctetString({ valueHex: issuerNameHash }),
|
|
87
|
+
issuerKeyHash: new asn1js.OctetString({ valueHex: issuerKeyHash }),
|
|
88
|
+
serialNumber: new asn1js.Integer({ valueHex: serialNumber }),
|
|
89
|
+
});
|
|
90
|
+
const response = new pkijs.SingleResponse({
|
|
91
|
+
certID,
|
|
92
|
+
});
|
|
93
|
+
switch (status) {
|
|
94
|
+
case index_js_1.OcspCertStatus.OK:
|
|
95
|
+
case index_js_1.OcspCertStatus.Unknown:
|
|
96
|
+
response.certStatus = new asn1js.Primitive({
|
|
97
|
+
idBlock: {
|
|
98
|
+
tagClass: 3,
|
|
99
|
+
tagNumber: status,
|
|
100
|
+
},
|
|
101
|
+
});
|
|
102
|
+
break;
|
|
103
|
+
case index_js_1.OcspCertStatus.Revoked:
|
|
104
|
+
response.certStatus = new asn1js.Constructed({
|
|
105
|
+
idBlock: {
|
|
106
|
+
tagClass: 3,
|
|
107
|
+
tagNumber: status,
|
|
108
|
+
isConstructed: true,
|
|
109
|
+
},
|
|
110
|
+
value: [
|
|
111
|
+
new asn1js.GeneralizedTime({
|
|
112
|
+
valueDate: revocationDate || DEFAULT_REVOCATION_DATE,
|
|
113
|
+
}),
|
|
114
|
+
],
|
|
115
|
+
});
|
|
116
|
+
break;
|
|
117
|
+
default:
|
|
118
|
+
throw new Error(`Unknown OCSP certificate status: ${status}`);
|
|
119
|
+
}
|
|
120
|
+
response.thisUpdate = new Date();
|
|
121
|
+
ocspBasicResp.tbsResponseData.responses.push(response);
|
|
122
|
+
}
|
|
123
|
+
if (nonce) {
|
|
124
|
+
ocspBasicResp.tbsResponseData.responseExtensions = [
|
|
125
|
+
new pkijs.Extension({
|
|
126
|
+
extnID: index_js_1.constants.OID_OCSP_NONCE,
|
|
127
|
+
extnValue: new asn1js.OctetString({ valueHex: nonce }).toBER(),
|
|
128
|
+
}),
|
|
129
|
+
];
|
|
130
|
+
}
|
|
131
|
+
const privateCryptoKey = await index_js_1.CryptoKeysTransformer.pkcs8PemToCryptoKey(privateKey);
|
|
132
|
+
await ocspBasicResp.sign(privateCryptoKey, 'SHA-256');
|
|
133
|
+
const ocspBasicRespRaw = ocspBasicResp.toSchema().toBER(false);
|
|
134
|
+
const ocspResp = new pkijs.OCSPResponse({
|
|
135
|
+
responseStatus: new asn1js.Enumerated({ value: 0 }), // success
|
|
136
|
+
responseBytes: new pkijs.ResponseBytes({
|
|
137
|
+
responseType: pkijs.id_PKIX_OCSP_Basic,
|
|
138
|
+
response: new asn1js.OctetString({ valueHex: ocspBasicRespRaw }),
|
|
139
|
+
}),
|
|
140
|
+
});
|
|
141
|
+
return ocspResp.toSchema().toBER();
|
|
142
|
+
}
|
|
143
|
+
static parseOCSPRequest(ocspRequestBinary) {
|
|
144
|
+
const ocspRequest = asn1_schema_1.AsnParser.parse(ocspRequestBinary, asn1_ocsp_1.OCSPRequest);
|
|
145
|
+
const certRequests = ocspRequest.tbsRequest.requestList.map((request) => {
|
|
146
|
+
const reqCert = {
|
|
147
|
+
hashAlgorithm: request.reqCert.hashAlgorithm.algorithm,
|
|
148
|
+
issuerNameHash: Buffer.from(request.reqCert.issuerNameHash.buffer),
|
|
149
|
+
issuerKeyHash: Buffer.from(request.reqCert.issuerKeyHash.buffer),
|
|
150
|
+
serialNumber: request.reqCert.serialNumber,
|
|
151
|
+
};
|
|
152
|
+
const extensionsToCheck = request.singleRequestExtensions?.map((ext) => ({
|
|
153
|
+
oid: ext.extnID,
|
|
154
|
+
value: Buffer.from(ext.extnValue.buffer),
|
|
155
|
+
})) || [];
|
|
156
|
+
return { ...reqCert, extensionsToCheck };
|
|
157
|
+
});
|
|
158
|
+
const nonceExtension = ocspRequest.tbsRequest.requestExtensions?.find((ext) => ext.extnID === index_js_1.constants.OID_OCSP_NONCE);
|
|
159
|
+
const nonce = nonceExtension && nonceExtension.extnValue.buffer;
|
|
160
|
+
return { certRequests, nonce };
|
|
161
|
+
}
|
|
162
|
+
static canCertSignOCSPResponse(cert) {
|
|
163
|
+
const extKeysUsage = cert.extensions?.find((ext) => ext.extnID === node_forge_1.default.pki.oids['extKeyUsage']);
|
|
164
|
+
if (!extKeysUsage) {
|
|
165
|
+
return false;
|
|
166
|
+
}
|
|
167
|
+
return Boolean(extKeysUsage.parsedValue.keyPurposes.find((usage) => usage === x509_1.ExtendedKeyUsage.ocspSigning));
|
|
168
|
+
}
|
|
53
169
|
static getOCSPRequestData(cert) {
|
|
54
170
|
const authorityExtension = helper_js_1.CertificatesHelper.getExtensionValue(cert, constants_js_1.OID_AUTHORITY_INFORMATION_ACCESS_EXTENSION);
|
|
55
171
|
if (!authorityExtension) {
|
|
@@ -58,28 +174,60 @@ class OCSPHelper {
|
|
|
58
174
|
const extensionValue = pkijs.ExtensionValueFactory.fromBER(constants_js_1.OID_AUTHORITY_INFORMATION_ACCESS_EXTENSION, authorityExtension);
|
|
59
175
|
const ocspUrl = extensionValue.accessDescriptions.find((desc) => desc.accessMethod === constants_js_1.OID_OCSP_ACCESS_METHOD)?.accessLocation.value;
|
|
60
176
|
const issuerCertUrl = extensionValue.accessDescriptions.find((desc) => desc.accessMethod === constants_js_1.OID_OCSP_ISSUER_ACCESS_METHOD)?.accessLocation.value;
|
|
61
|
-
if (!ocspUrl
|
|
62
|
-
// TODO: throw error?
|
|
177
|
+
if (!ocspUrl) {
|
|
63
178
|
return;
|
|
64
179
|
}
|
|
65
180
|
return { ocspUrl, issuerCertUrl, cert };
|
|
66
181
|
}
|
|
67
|
-
static async getOCSPResponse(
|
|
68
|
-
const { ocspUrl,
|
|
69
|
-
const
|
|
70
|
-
const
|
|
71
|
-
const
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
182
|
+
static async getOCSPResponse(params) {
|
|
183
|
+
const { ocspUrl, certsWithIssuer, ca, oidsToCheck } = params;
|
|
184
|
+
const requestList = [];
|
|
185
|
+
const issuerCertificates = [];
|
|
186
|
+
for (const { cert, issuerCert: issuerCertFromParams, issuerCertUrl } of certsWithIssuer) {
|
|
187
|
+
let issuerCertificate = issuerCertFromParams;
|
|
188
|
+
if (!issuerCertificate && issuerCertUrl) {
|
|
189
|
+
const issuerCertRaw = await helper_js_1.CertificatesHelper.downloadCertWithCache(issuerCertUrl);
|
|
190
|
+
issuerCertificate = pkijs.Certificate.fromBER(issuerCertRaw);
|
|
191
|
+
}
|
|
192
|
+
if (!issuerCertificate) {
|
|
193
|
+
throw new Error(`No issuer certificate found for OCSP request for ${cert.subject}`);
|
|
194
|
+
}
|
|
195
|
+
if (!issuerCertificates.some((cert) => cert.subject.isEqual(issuerCertificate.subject))) {
|
|
196
|
+
issuerCertificates.push(issuerCertificate);
|
|
197
|
+
}
|
|
198
|
+
const certID = new pkijs.CertID();
|
|
199
|
+
await certID.createForCertificate(cert, {
|
|
200
|
+
hashAlgorithm: 'SHA-256',
|
|
201
|
+
issuerCertificate,
|
|
202
|
+
});
|
|
203
|
+
const request = new asn1_ocsp_1.Request({
|
|
204
|
+
reqCert: new asn1_ocsp_1.CertID({
|
|
205
|
+
hashAlgorithm: new asn1_x509_1.AlgorithmIdentifier({
|
|
206
|
+
algorithm: certID.hashAlgorithm.algorithmId,
|
|
207
|
+
}),
|
|
208
|
+
issuerNameHash: new asn1_schema_1.OctetString().fromASN(certID.issuerNameHash),
|
|
209
|
+
issuerKeyHash: new asn1_schema_1.OctetString().fromASN(certID.issuerKeyHash),
|
|
210
|
+
serialNumber: certID.serialNumber.valueBlock.valueHex,
|
|
211
|
+
}),
|
|
212
|
+
});
|
|
213
|
+
const extensionsToCheck = OCSPHelper.getCertExtensionsToCheck(cert, oidsToCheck);
|
|
214
|
+
if (extensionsToCheck.length) {
|
|
215
|
+
request.singleRequestExtensions = new asn1_x509_1.Extensions(extensionsToCheck.map((ext) => new asn1_x509_1.Extension({ extnID: ext.oid, extnValue: new asn1_schema_1.OctetString(ext.value) })));
|
|
216
|
+
}
|
|
217
|
+
requestList.push(request);
|
|
218
|
+
}
|
|
76
219
|
const reqNonce = OCSPHelper.getNonceForRequest();
|
|
77
|
-
ocspReq
|
|
78
|
-
new
|
|
79
|
-
|
|
80
|
-
|
|
220
|
+
const ocspReq = new asn1_ocsp_1.OCSPRequest({
|
|
221
|
+
tbsRequest: new asn1_ocsp_1.TBSRequest({
|
|
222
|
+
requestList,
|
|
223
|
+
requestExtensions: new asn1_x509_1.Extensions([
|
|
224
|
+
new asn1_x509_1.Extension({
|
|
225
|
+
extnID: index_js_1.constants.OID_OCSP_NONCE,
|
|
226
|
+
extnValue: new asn1_schema_1.OctetString(reqNonce),
|
|
227
|
+
}),
|
|
228
|
+
]),
|
|
81
229
|
}),
|
|
82
|
-
|
|
230
|
+
});
|
|
83
231
|
const ocspBasicResp = await OCSPHelper.sendOCSPRequest(ocspUrl, ocspReq);
|
|
84
232
|
const respNonce = await OCSPHelper.getNonceFromResponse(ocspBasicResp);
|
|
85
233
|
if (respNonce && Buffer.compare(reqNonce, respNonce) !== 0) {
|
|
@@ -87,11 +235,11 @@ class OCSPHelper {
|
|
|
87
235
|
}
|
|
88
236
|
const trustedCerts = [];
|
|
89
237
|
if (!ocspBasicResp.certs) {
|
|
90
|
-
ocspBasicResp.certs =
|
|
238
|
+
ocspBasicResp.certs = issuerCertificates;
|
|
91
239
|
trustedCerts.push(...ca);
|
|
92
240
|
}
|
|
93
241
|
else {
|
|
94
|
-
trustedCerts.push(
|
|
242
|
+
trustedCerts.push(...issuerCertificates);
|
|
95
243
|
}
|
|
96
244
|
await ocspBasicResp.verify({ trustedCerts });
|
|
97
245
|
return ocspBasicResp;
|
|
@@ -103,7 +251,7 @@ class OCSPHelper {
|
|
|
103
251
|
'Content-Type': 'application/ocsp-request',
|
|
104
252
|
},
|
|
105
253
|
responseType: 'arraybuffer',
|
|
106
|
-
data:
|
|
254
|
+
data: asn1_schema_1.AsnSerializer.serialize(ocspReq),
|
|
107
255
|
});
|
|
108
256
|
const ocspRespSimpl = pkijs.OCSPResponse.fromBER(ocspResponse.data);
|
|
109
257
|
if (!ocspRespSimpl.responseBytes) {
|
|
@@ -117,8 +265,16 @@ class OCSPHelper {
|
|
|
117
265
|
}
|
|
118
266
|
static getNonceFromResponse(ocspBasicResp) {
|
|
119
267
|
const nonceExtension = ocspBasicResp.tbsResponseData?.responseExtensions?.find((extension) => extension.extnID === index_js_1.constants.OID_OCSP_NONCE);
|
|
120
|
-
return nonceExtension
|
|
268
|
+
return nonceExtension && Buffer.from(nonceExtension.parsedValue.valueBlock.valueHex);
|
|
269
|
+
}
|
|
270
|
+
static getCertExtensionsToCheck(cert, oidsToCheck) {
|
|
271
|
+
return oidsToCheck
|
|
272
|
+
.map((oid) => {
|
|
273
|
+
const value = helper_js_1.CertificatesHelper.getExtensionValue(cert, oid);
|
|
274
|
+
return { oid, value };
|
|
275
|
+
})
|
|
276
|
+
.filter((ext) => Boolean(ext.value));
|
|
121
277
|
}
|
|
122
278
|
}
|
|
123
279
|
exports.OCSPHelper = OCSPHelper;
|
|
124
|
-
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoib2NzcC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jZXJ0aWZpY2F0ZXMvb2NzcC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLDZDQUErQjtBQUMvQiwrQ0FBaUM7QUFDakMsa0RBQTBCO0FBQzFCLGtEQUl5QjtBQUN6QiwyQ0FBaUQ7QUFDakQsMENBQWlEO0FBSWpELE1BQWEsVUFBVTtJQUNyQixNQUFNLENBQUMsS0FBSyxDQUFDLHdCQUF3QixDQUNuQyxLQUEwQixFQUMxQixFQUF1QjtRQUV2QixNQUFNLGdCQUFnQixHQUFHLEtBQUs7YUFDM0IsR0FBRyxDQUFDLFVBQVUsQ0FBQyxrQkFBa0IsQ0FBQzthQUNsQyxNQUFNLENBQUMsT0FBTyxDQUFzQixDQUFDO1FBRXhDLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUM3QixPQUFPLEVBQUUsQ0FBQztRQUNaLENBQUM7UUFFRCxNQUFNLG1CQUFtQixHQUFHLE1BQU0sT0FBTyxDQUFDLFVBQVUsQ0FDbEQsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLENBQUMsV0FBVyxFQUFFLEVBQUUsQ0FBQyxVQUFVLENBQUMsZUFBZSxDQUFDLFdBQVcsRUFBRSxFQUFFLENBQUMsQ0FBQyxDQUNuRixDQUFDO1FBRUYsTUFBTSxxQkFBcUIsR0FBRyxtQkFBbUI7YUFDOUMsTUFBTSxDQUFDLGtCQUFPLENBQUMsVUFBVSxDQUFDO2FBQzFCLEdBQUcsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ2xDLElBQUkscUJBQXFCLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDakMsTUFBTSxJQUFJLEtBQUssQ0FDYiwyREFBMkQscUJBQXFCLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQ2hHLENBQUM7UUFDSixDQUFDO1FBRUQsT0FBTyxtQkFBbUIsQ0FBQyxNQUFNLENBQUMsa0JBQU8sQ0FBQyxXQUFXLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUN2RixDQUFDO0lBRU8sTUFBTSxDQUFDLGtCQUFrQixDQUFDLElBQXVCO1FBQ3ZELE1BQU0sa0JBQWtCLEdBQUcsOEJBQWtCLENBQUMsaUJBQWlCLENBQzdELElBQUksRUFDSix5REFBMEMsQ0FDM0MsQ0FBQztRQUNGLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO1lBQ3hCLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxjQUFjLEdBQUcsS0FBSyxDQUFDLHFCQUFxQixDQUFDLE9BQU8sQ0FDeEQseURBQTBDLEVBQzFDLGtCQUFrQixDQUNFLENBQUM7UUFFdkIsTUFBTSxPQUFPLEdBQUcsY0FBYyxDQUFDLGtCQUFrQixDQUFDLElBQUksQ0FDcEQsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLElBQUksQ0FBQyxZQUFZLEtBQUsscUNBQXNCLENBQ3ZELEVBQUUsY0FBYyxDQUFDLEtBQUssQ0FBQztRQUV4QixNQUFNLGFBQWEsR0FBRyxjQUFjLENBQUMsa0JBQWtCLENBQUMsSUFBSSxDQUMxRCxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsSUFBSSxDQUFDLFlBQVksS0FBSyw0Q0FBNkIsQ0FDOUQsRUFBRSxjQUFjLENBQUMsS0FBSyxDQUFDO1FBRXhCLElBQUksQ0FBQyxPQUFPLElBQUksQ0FBQyxhQUFhLEVBQUUsQ0FBQztZQUMvQixxQkFBcUI7WUFDckIsT0FBTztRQUNULENBQUM7UUFFRCxPQUFPLEVBQUUsT0FBTyxFQUFFLGFBQWEsRUFBRSxJQUFJLEVBQUUsQ0FBQztJQUMxQyxDQUFDO0lBRU8sTUFBTSxDQUFDLEtBQUssQ0FBQyxlQUFlLENBQ2xDLElBQXFCLEVBQ3JCLEVBQXVCO1FBRXZCLE1BQU0sRUFBRSxPQUFPLEVBQUUsYUFBYSxFQUFFLElBQUksRUFBRSxHQUFHLElBQUksQ0FBQztRQUM5QyxNQUFNLGFBQWEsR0FBRyxNQUFNLDhCQUFrQixDQUFDLHFCQUFxQixDQUFDLGFBQWEsQ0FBQyxDQUFDO1FBQ3BGLE1BQU0saUJBQWlCLEdBQUcsS0FBSyxDQUFDLFdBQVcsQ0FBQyxPQUFPLENBQUMsYUFBYSxDQUFDLENBQUM7UUFDbkUsTUFBTSxPQUFPLEdBQUcsSUFBSSxLQUFLLENBQUMsV0FBVyxFQUFFLENBQUM7UUFDeEMsTUFBTSxPQUFPLENBQUMsb0JBQW9CLENBQUMsSUFBSSxFQUFFO1lBQ3ZDLGFBQWEsRUFBRSxTQUFTO1lBQ3hCLGlCQUFpQjtTQUNsQixDQUFDLENBQUM7UUFDSCxNQUFNLFFBQVEsR0FBRyxVQUFVLENBQUMsa0JBQWtCLEVBQUUsQ0FBQztRQUNqRCxPQUFPLENBQUMsVUFBVSxDQUFDLGlCQUFpQixHQUFHO1lBQ3JDLElBQUksS0FBSyxDQUFDLFNBQVMsQ0FBQztnQkFDbEIsTUFBTSxFQUFFLG9CQUFTLENBQUMsY0FBYztnQkFDaEMsU0FBUyxFQUFFLElBQUksTUFBTSxDQUFDLFdBQVcsQ0FBQyxFQUFFLFFBQVEsRUFBRSxRQUFRLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQyxLQUFLLEVBQUU7YUFDekUsQ0FBQztTQUNILENBQUM7UUFFRixNQUFNLGFBQWEsR0FBRyxNQUFNLFVBQVUsQ0FBQyxlQUFlLENBQUMsT0FBTyxFQUFFLE9BQU8sQ0FBQyxDQUFDO1FBRXpFLE1BQU0sU0FBUyxHQUFHLE1BQU0sVUFBVSxDQUFDLG9CQUFvQixDQUFDLGFBQWEsQ0FBQyxDQUFDO1FBQ3ZFLElBQUksU0FBUyxJQUFJLE1BQU0sQ0FBQyxPQUFPLENBQUMsUUFBUSxFQUFFLFNBQVMsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDO1lBQzNELE1BQU0sSUFBSSxLQUFLLENBQUMsb0RBQW9ELENBQUMsQ0FBQztRQUN4RSxDQUFDO1FBRUQsTUFBTSxZQUFZLEdBQXdCLEVBQUUsQ0FBQztRQUM3QyxJQUFJLENBQUMsYUFBYSxDQUFDLEtBQUssRUFBRSxDQUFDO1lBQ3pCLGFBQWEsQ0FBQyxLQUFLLEdBQUcsQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDO1lBQzFDLFlBQVksQ0FBQyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUMsQ0FBQztRQUMzQixDQUFDO2FBQU0sQ0FBQztZQUNOLFlBQVksQ0FBQyxJQUFJLENBQUMsaUJBQWlCLENBQUMsQ0FBQztRQUN2QyxDQUFDO1FBRUQsTUFBTSxhQUFhLENBQUMsTUFBTSxDQUFDLEVBQUUsWUFBWSxFQUFFLENBQUMsQ0FBQztRQUM3QyxPQUFPLGFBQWEsQ0FBQztJQUN2QixDQUFDO0lBRU8sTUFBTSxDQUFDLEtBQUssQ0FBQyxlQUFlLENBQ2xDLE9BQWUsRUFDZixPQUEwQjtRQUUxQixNQUFNLFlBQVksR0FBRyxNQUFNLElBQUEsZUFBSyxFQUFDLE9BQU8sRUFBRTtZQUN4QyxNQUFNLEVBQUUsTUFBTTtZQUNkLE9BQU8sRUFBRTtnQkFDUCxjQUFjLEVBQUUsMEJBQTBCO2FBQzNDO1lBQ0QsWUFBWSxFQUFFLGFBQWE7WUFDM0IsSUFBSSxFQUFFLE9BQU8sQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLENBQUMsS0FBSyxFQUFFO1NBQ3JDLENBQUMsQ0FBQztRQUVILE1BQU0sYUFBYSxHQUFHLEtBQUssQ0FBQyxZQUFZLENBQUMsT0FBTyxDQUFDLFlBQVksQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUNwRSxJQUFJLENBQUMsYUFBYSxDQUFDLGFBQWEsRUFBRSxDQUFDO1lBQ2pDLE1BQU0sSUFBSSxLQUFLLENBQUMsOERBQThELENBQUMsQ0FBQztRQUNsRixDQUFDO1FBRUQsTUFBTSxhQUFhLEdBQUcsS0FBSyxDQUFDLGlCQUFpQixDQUFDLE9BQU8sQ0FDbkQsYUFBYSxDQUFDLGFBQWEsQ0FBQyxRQUFRLENBQUMsVUFBVSxDQUFDLFlBQVksQ0FDN0QsQ0FBQztRQUVGLE9BQU8sYUFBYSxDQUFDO0lBQ3ZCLENBQUM7SUFFTyxNQUFNLENBQUMsa0JBQWtCO1FBQy9CLE9BQU8sS0FBSyxDQUFDLGVBQWUsQ0FBQyxJQUFJLFVBQVUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBQ25ELENBQUM7SUFFTyxNQUFNLENBQUMsb0JBQW9CLENBQ2pDLGFBQXNDO1FBRXRDLE1BQU0sY0FBYyxHQUFHLGFBQWEsQ0FBQyxlQUFlLEVBQUUsa0JBQWtCLEVBQUUsSUFBSSxDQUM1RSxDQUFDLFNBQVMsRUFBRSxFQUFFLENBQUMsU0FBUyxDQUFDLE1BQU0sS0FBSyxvQkFBUyxDQUFDLGNBQWMsQ0FDN0QsQ0FBQztRQUNGLE9BQU8sY0FBYyxFQUFFLFNBQVMsQ0FBQyxVQUFVLENBQUMsWUFBWSxDQUFDO0lBQzNELENBQUM7Q0FDRjtBQXZJRCxnQ0F1SUMifQ==
|
|
280
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoib2NzcC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jZXJ0aWZpY2F0ZXMvb2NzcC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLG9EQUF1QjtBQUN2Qiw0REFBK0I7QUFDL0IsNkNBQStCO0FBQy9CLCtDQUFpQztBQUNqQyxrREFBMEI7QUFDMUIsbURBQStFO0FBQy9FLHVEQUE4RTtBQUM5RSxtREFBaUY7QUFDakYsa0RBSXlCO0FBQ3pCLDJDQUFpRDtBQUNqRCwwQ0FRcUI7QUFDckIseUNBQWtEO0FBZWxELE1BQU0sdUJBQXVCLEdBQUcsSUFBSSxJQUFJLENBQUMsc0JBQXNCLENBQUMsQ0FBQztBQUVqRSxNQUFhLFVBQVU7SUFDckIsTUFBTSxDQUFDLEtBQUssQ0FBQyx3QkFBd0IsQ0FDbkMsS0FBMEIsRUFDMUIsRUFBdUIsRUFDdkIsY0FBd0IsRUFBRTtRQUUxQixNQUFNLGdCQUFnQixHQUFHLEtBQUs7YUFDM0IsR0FBRyxDQUFDLFVBQVUsQ0FBQyxrQkFBa0IsQ0FBQzthQUNsQyxNQUFNLENBQUMsT0FBTyxDQUFzQixDQUFDO1FBQ3hDLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUM3QixPQUFPLEVBQUUsQ0FBQztRQUNaLENBQUM7UUFFRCxNQUFNLGNBQWMsR0FBRyxnQkFBQyxDQUFDLE9BQU8sQ0FBQyxnQkFBZ0IsRUFBRSxTQUFTLENBQUMsQ0FBQztRQUM5RCxNQUFNLHFCQUFxQixHQUE0QixNQUFNLENBQUMsT0FBTyxDQUFDLGNBQWMsQ0FBQyxDQUFDLEdBQUcsQ0FDdkYsQ0FBQyxDQUFDLE9BQU8sRUFBRSxVQUFVLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQztZQUMxQixPQUFPO1lBQ1AsZUFBZSxFQUFFLFVBQVUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLElBQUksRUFBRSxhQUFhLEVBQUUsRUFBRSxFQUFFLENBQUMsQ0FBQztnQkFDNUQsSUFBSTtnQkFDSixhQUFhO2dCQUNiLFVBQVUsRUFBRSw4QkFBa0IsQ0FBQyxrQkFBa0IsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxHQUFHLEtBQUssRUFBRSxHQUFHLEVBQUUsQ0FBQyxDQUFDO2FBQzNFLENBQUMsQ0FBQztZQUNILEVBQUU7WUFDRixXQUFXO1NBQ1osQ0FBQyxDQUNILENBQUM7UUFFRixNQUFNLG1CQUFtQixHQUFHLE1BQU0sT0FBTyxDQUFDLFVBQVUsQ0FDbEQscUJBQXFCLENBQUMsR0FBRyxDQUFDLENBQUMsTUFBTSxFQUFFLEVBQUUsQ0FBQyxVQUFVLENBQUMsZUFBZSxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQzFFLENBQUM7UUFFRixNQUFNLHFCQUFxQixHQUFHLG1CQUFtQjthQUM5QyxNQUFNLENBQUMsa0JBQU8sQ0FBQyxVQUFVLENBQUM7YUFDMUIsR0FBRyxDQUFDLENBQUMsTUFBTSxFQUFFLEVBQUUsQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDbEMsSUFBSSxxQkFBcUIsQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUNqQyxNQUFNLElBQUksS0FBSyxDQUNiLDJEQUEyRCxxQkFBcUIsQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FDaEcsQ0FBQztRQUNKLENBQUM7UUFFRCxPQUFPLG1CQUFtQixDQUFDLE1BQU0sQ0FBQyxrQkFBTyxDQUFDLFdBQVcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxDQUFDO0lBQ3ZGLENBQUM7SUFFRCxNQUFNLENBQUMsS0FBSyxDQUFDLG9CQUFvQixDQUFDLE1BQWtDO1FBQ2xFLE1BQU0sYUFBYSxHQUFHLElBQUksS0FBSyxDQUFDLGlCQUFpQixFQUFFLENBQUM7UUFDcEQsTUFBTSxFQUFFLGFBQWEsRUFBRSxVQUFVLEVBQUUsS0FBSyxFQUFFLFVBQVUsRUFBRSxLQUFLLEVBQUUsR0FBRyxNQUFNLENBQUM7UUFDdkUsTUFBTSxFQUFFLEtBQUssRUFBRSxjQUFjLEVBQUUsR0FBRyw4QkFBa0IsQ0FBQyxrQkFBa0IsQ0FDckUsR0FBRyxhQUFhLEtBQUssVUFBVSxFQUFFLENBQ2xDLENBQUM7UUFDRixNQUFNLFVBQVUsR0FBRyw4QkFBa0IsQ0FBQyxVQUFVLENBQUMsYUFBYSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFFbkUsYUFBYSxDQUFDLGVBQWUsQ0FBQyxXQUFXLEdBQUcsVUFBVSxDQUFDLE9BQU8sQ0FBQztRQUMvRCxhQUFhLENBQUMsZUFBZSxDQUFDLFVBQVUsR0FBRyxJQUFJLElBQUksRUFBRSxDQUFDO1FBQ3RELGFBQWEsQ0FBQyxLQUFLLEdBQUcsOEJBQWtCLENBQUMsVUFBVSxDQUFDLGNBQWMsQ0FBQyxDQUFDO1FBRXBFLEtBQUssTUFBTSxRQUFRLElBQUksS0FBSyxFQUFFLENBQUM7WUFDN0IsTUFBTSxFQUFFLFlBQVksRUFBRSxNQUFNLEVBQUUsYUFBYSxFQUFFLGNBQWMsRUFBRSxhQUFhLEVBQUUsY0FBYyxFQUFFLEdBQzFGLFFBQVEsQ0FBQztZQUNYLE1BQU0sTUFBTSxHQUFHLElBQUksS0FBSyxDQUFDLE1BQU0sQ0FBQztnQkFDOUIsYUFBYSxFQUFFLElBQUksS0FBSyxDQUFDLG1CQUFtQixDQUFDO29CQUMzQyxXQUFXLEVBQUUsYUFBYTtvQkFDMUIsZUFBZSxFQUFFLElBQUksTUFBTSxDQUFDLElBQUksRUFBRTtpQkFDbkMsQ0FBQztnQkFDRixjQUFjLEVBQUUsSUFBSSxNQUFNLENBQUMsV0FBVyxDQUFDLEVBQUUsUUFBUSxFQUFFLGNBQWMsRUFBRSxDQUFDO2dCQUNwRSxhQUFhLEVBQUUsSUFBSSxNQUFNLENBQUMsV0FBVyxDQUFDLEVBQUUsUUFBUSxFQUFFLGFBQWEsRUFBRSxDQUFDO2dCQUNsRSxZQUFZLEVBQUUsSUFBSSxNQUFNLENBQUMsT0FBTyxDQUFDLEVBQUUsUUFBUSxFQUFFLFlBQVksRUFBRSxDQUFDO2FBQzdELENBQUMsQ0FBQztZQUVILE1BQU0sUUFBUSxHQUFHLElBQUksS0FBSyxDQUFDLGNBQWMsQ0FBQztnQkFDeEMsTUFBTTthQUNQLENBQUMsQ0FBQztZQUVILFFBQVEsTUFBTSxFQUFFLENBQUM7Z0JBQ2YsS0FBSyx5QkFBYyxDQUFDLEVBQUUsQ0FBQztnQkFDdkIsS0FBSyx5QkFBYyxDQUFDLE9BQU87b0JBQ3pCLFFBQVEsQ0FBQyxVQUFVLEdBQUcsSUFBSSxNQUFNLENBQUMsU0FBUyxDQUFDO3dCQUN6QyxPQUFPLEVBQUU7NEJBQ1AsUUFBUSxFQUFFLENBQUM7NEJBQ1gsU0FBUyxFQUFFLE1BQU07eUJBQ2xCO3FCQUNGLENBQUMsQ0FBQztvQkFDSCxNQUFNO2dCQUNSLEtBQUsseUJBQWMsQ0FBQyxPQUFPO29CQUN6QixRQUFRLENBQUMsVUFBVSxHQUFHLElBQUksTUFBTSxDQUFDLFdBQVcsQ0FBQzt3QkFDM0MsT0FBTyxFQUFFOzRCQUNQLFFBQVEsRUFBRSxDQUFDOzRCQUNYLFNBQVMsRUFBRSxNQUFNOzRCQUNqQixhQUFhLEVBQUUsSUFBSTt5QkFDcEI7d0JBQ0QsS0FBSyxFQUFFOzRCQUNMLElBQUksTUFBTSxDQUFDLGVBQWUsQ0FBQztnQ0FDekIsU0FBUyxFQUFFLGNBQWMsSUFBSSx1QkFBdUI7NkJBQ3JELENBQUM7eUJBQ0g7cUJBQ0YsQ0FBQyxDQUFDO29CQUNILE1BQU07Z0JBQ1I7b0JBQ0UsTUFBTSxJQUFJLEtBQUssQ0FBQyxvQ0FBb0MsTUFBTSxFQUFFLENBQUMsQ0FBQztZQUNsRSxDQUFDO1lBRUQsUUFBUSxDQUFDLFVBQVUsR0FBRyxJQUFJLElBQUksRUFBRSxDQUFDO1lBQ2pDLGFBQWEsQ0FBQyxlQUFlLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUN6RCxDQUFDO1FBRUQsSUFBSSxLQUFLLEVBQUUsQ0FBQztZQUNWLGFBQWEsQ0FBQyxlQUFlLENBQUMsa0JBQWtCLEdBQUc7Z0JBQ2pELElBQUksS0FBSyxDQUFDLFNBQVMsQ0FBQztvQkFDbEIsTUFBTSxFQUFFLG9CQUFTLENBQUMsY0FBYztvQkFDaEMsU0FBUyxFQUFFLElBQUksTUFBTSxDQUFDLFdBQVcsQ0FBQyxFQUFFLFFBQVEsRUFBRSxLQUFLLEVBQUUsQ0FBQyxDQUFDLEtBQUssRUFBRTtpQkFDL0QsQ0FBQzthQUNILENBQUM7UUFDSixDQUFDO1FBRUQsTUFBTSxnQkFBZ0IsR0FBRyxNQUFNLGdDQUFxQixDQUFDLG1CQUFtQixDQUFDLFVBQVUsQ0FBQyxDQUFDO1FBQ3JGLE1BQU0sYUFBYSxDQUFDLElBQUksQ0FBQyxnQkFBZ0IsRUFBRSxTQUFTLENBQUMsQ0FBQztRQUV0RCxNQUFNLGdCQUFnQixHQUFHLGFBQWEsQ0FBQyxRQUFRLEVBQUUsQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLENBQUM7UUFFL0QsTUFBTSxRQUFRLEdBQUcsSUFBSSxLQUFLLENBQUMsWUFBWSxDQUFDO1lBQ3RDLGNBQWMsRUFBRSxJQUFJLE1BQU0sQ0FBQyxVQUFVLENBQUMsRUFBRSxLQUFLLEVBQUUsQ0FBQyxFQUFFLENBQUMsRUFBRSxVQUFVO1lBQy9ELGFBQWEsRUFBRSxJQUFJLEtBQUssQ0FBQyxhQUFhLENBQUM7Z0JBQ3JDLFlBQVksRUFBRSxLQUFLLENBQUMsa0JBQWtCO2dCQUN0QyxRQUFRLEVBQUUsSUFBSSxNQUFNLENBQUMsV0FBVyxDQUFDLEVBQUUsUUFBUSxFQUFFLGdCQUFnQixFQUFFLENBQUM7YUFDakUsQ0FBQztTQUNILENBQUMsQ0FBQztRQUVILE9BQU8sUUFBUSxDQUFDLFFBQVEsRUFBRSxDQUFDLEtBQUssRUFBRSxDQUFDO0lBQ3JDLENBQUM7SUFFRCxNQUFNLENBQUMsZ0JBQWdCLENBQUMsaUJBQThCO1FBQ3BELE1BQU0sV0FBVyxHQUFHLHVCQUFTLENBQUMsS0FBSyxDQUFDLGlCQUFpQixFQUFFLHVCQUFXLENBQUMsQ0FBQztRQUNwRSxNQUFNLFlBQVksR0FBRyxXQUFXLENBQUMsVUFBVSxDQUFDLFdBQVcsQ0FBQyxHQUFHLENBQUMsQ0FBQyxPQUFPLEVBQUUsRUFBRTtZQUN0RSxNQUFNLE9BQU8sR0FBRztnQkFDZCxhQUFhLEVBQUUsT0FBTyxDQUFDLE9BQU8sQ0FBQyxhQUFhLENBQUMsU0FBUztnQkFDdEQsY0FBYyxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLE9BQU8sQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDO2dCQUNsRSxhQUFhLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsT0FBTyxDQUFDLGFBQWEsQ0FBQyxNQUFNLENBQUM7Z0JBQ2hFLFlBQVksRUFBRSxPQUFPLENBQUMsT0FBTyxDQUFDLFlBQVk7YUFDM0MsQ0FBQztZQUVGLE1BQU0saUJBQWlCLEdBQ3JCLE9BQU8sQ0FBQyx1QkFBdUIsRUFBRSxHQUFHLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLENBQUM7Z0JBQzdDLEdBQUcsRUFBRSxHQUFHLENBQUMsTUFBTTtnQkFDZixLQUFLLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsU0FBUyxDQUFDLE1BQU0sQ0FBQzthQUN6QyxDQUFDLENBQUMsSUFBSSxFQUFFLENBQUM7WUFFWixPQUFPLEVBQUUsR0FBRyxPQUFPLEVBQUUsaUJBQWlCLEVBQUUsQ0FBQztRQUMzQyxDQUFDLENBQUMsQ0FBQztRQUVILE1BQU0sY0FBYyxHQUFHLFdBQVcsQ0FBQyxVQUFVLENBQUMsaUJBQWlCLEVBQUUsSUFBSSxDQUNuRSxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsR0FBRyxDQUFDLE1BQU0sS0FBSyxvQkFBUyxDQUFDLGNBQWMsQ0FDakQsQ0FBQztRQUNGLE1BQU0sS0FBSyxHQUFHLGNBQWMsSUFBSSxjQUFjLENBQUMsU0FBUyxDQUFDLE1BQU0sQ0FBQztRQUVoRSxPQUFPLEVBQUUsWUFBWSxFQUFFLEtBQUssRUFBRSxDQUFDO0lBQ2pDLENBQUM7SUFFRCxNQUFNLENBQUMsdUJBQXVCLENBQUMsSUFBdUI7UUFDcEQsTUFBTSxZQUFZLEdBQUcsSUFBSSxDQUFDLFVBQVUsRUFBRSxJQUFJLENBQ3hDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsTUFBTSxLQUFLLG9CQUFLLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxhQUFhLENBQUMsQ0FDdEQsQ0FBQztRQUNGLElBQUksQ0FBQyxZQUFZLEVBQUUsQ0FBQztZQUNsQixPQUFPLEtBQUssQ0FBQztRQUNmLENBQUM7UUFFRCxPQUFPLE9BQU8sQ0FDWixZQUFZLENBQUMsV0FBVyxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQ3ZDLENBQUMsS0FBYSxFQUFFLEVBQUUsQ0FBQyxLQUFLLEtBQUssdUJBQWdCLENBQUMsV0FBVyxDQUMxRCxDQUNGLENBQUM7SUFDSixDQUFDO0lBRU8sTUFBTSxDQUFDLGtCQUFrQixDQUFDLElBQXVCO1FBQ3ZELE1BQU0sa0JBQWtCLEdBQUcsOEJBQWtCLENBQUMsaUJBQWlCLENBQzdELElBQUksRUFDSix5REFBMEMsQ0FDM0MsQ0FBQztRQUNGLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO1lBQ3hCLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxjQUFjLEdBQUcsS0FBSyxDQUFDLHFCQUFxQixDQUFDLE9BQU8sQ0FDeEQseURBQTBDLEVBQzFDLGtCQUFrQixDQUNFLENBQUM7UUFFdkIsTUFBTSxPQUFPLEdBQUcsY0FBYyxDQUFDLGtCQUFrQixDQUFDLElBQUksQ0FDcEQsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLElBQUksQ0FBQyxZQUFZLEtBQUsscUNBQXNCLENBQ3ZELEVBQUUsY0FBYyxDQUFDLEtBQUssQ0FBQztRQUV4QixNQUFNLGFBQWEsR0FBRyxjQUFjLENBQUMsa0JBQWtCLENBQUMsSUFBSSxDQUMxRCxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsSUFBSSxDQUFDLFlBQVksS0FBSyw0Q0FBNkIsQ0FDOUQsRUFBRSxjQUFjLENBQUMsS0FBSyxDQUFDO1FBRXhCLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUNiLE9BQU87UUFDVCxDQUFDO1FBRUQsT0FBTyxFQUFFLE9BQU8sRUFBRSxhQUFhLEVBQUUsSUFBSSxFQUFFLENBQUM7SUFDMUMsQ0FBQztJQUVPLE1BQU0sQ0FBQyxLQUFLLENBQUMsZUFBZSxDQUNsQyxNQUE2QjtRQUU3QixNQUFNLEVBQUUsT0FBTyxFQUFFLGVBQWUsRUFBRSxFQUFFLEVBQUUsV0FBVyxFQUFFLEdBQUcsTUFBTSxDQUFDO1FBQzdELE1BQU0sV0FBVyxHQUFjLEVBQUUsQ0FBQztRQUNsQyxNQUFNLGtCQUFrQixHQUF3QixFQUFFLENBQUM7UUFDbkQsS0FBSyxNQUFNLEVBQUUsSUFBSSxFQUFFLFVBQVUsRUFBRSxvQkFBb0IsRUFBRSxhQUFhLEVBQUUsSUFBSSxlQUFlLEVBQUUsQ0FBQztZQUN4RixJQUFJLGlCQUFpQixHQUFHLG9CQUFvQixDQUFDO1lBQzdDLElBQUksQ0FBQyxpQkFBaUIsSUFBSSxhQUFhLEVBQUUsQ0FBQztnQkFDeEMsTUFBTSxhQUFhLEdBQUcsTUFBTSw4QkFBa0IsQ0FBQyxxQkFBcUIsQ0FBQyxhQUFhLENBQUMsQ0FBQztnQkFDcEYsaUJBQWlCLEdBQUcsS0FBSyxDQUFDLFdBQVcsQ0FBQyxPQUFPLENBQUMsYUFBYSxDQUFDLENBQUM7WUFDL0QsQ0FBQztZQUNELElBQUksQ0FBQyxpQkFBaUIsRUFBRSxDQUFDO2dCQUN2QixNQUFNLElBQUksS0FBSyxDQUFDLG9EQUFvRCxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztZQUN0RixDQUFDO1lBQ0QsSUFBSSxDQUFDLGtCQUFrQixDQUFDLElBQUksQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsaUJBQWtCLENBQUMsT0FBTyxDQUFDLENBQUMsRUFBRSxDQUFDO2dCQUN6RixrQkFBa0IsQ0FBQyxJQUFJLENBQUMsaUJBQWlCLENBQUMsQ0FBQztZQUM3QyxDQUFDO1lBRUQsTUFBTSxNQUFNLEdBQUcsSUFBSSxLQUFLLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDbEMsTUFBTSxNQUFNLENBQUMsb0JBQW9CLENBQUMsSUFBSSxFQUFFO2dCQUN0QyxhQUFhLEVBQUUsU0FBUztnQkFDeEIsaUJBQWlCO2FBQ2xCLENBQUMsQ0FBQztZQUVILE1BQU0sT0FBTyxHQUFHLElBQUksbUJBQU8sQ0FBQztnQkFDMUIsT0FBTyxFQUFFLElBQUksa0JBQU0sQ0FBQztvQkFDbEIsYUFBYSxFQUFFLElBQUksK0JBQW1CLENBQUM7d0JBQ3JDLFNBQVMsRUFBRSxNQUFNLENBQUMsYUFBYSxDQUFDLFdBQVc7cUJBQzVDLENBQUM7b0JBQ0YsY0FBYyxFQUFFLElBQUkseUJBQVcsRUFBRSxDQUFDLE9BQU8sQ0FBQyxNQUFNLENBQUMsY0FBYyxDQUFDO29CQUNoRSxhQUFhLEVBQUUsSUFBSSx5QkFBVyxFQUFFLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxhQUFhLENBQUM7b0JBQzlELFlBQVksRUFBRSxNQUFNLENBQUMsWUFBWSxDQUFDLFVBQVUsQ0FBQyxRQUFRO2lCQUN0RCxDQUFDO2FBQ0gsQ0FBQyxDQUFDO1lBRUgsTUFBTSxpQkFBaUIsR0FBRyxVQUFVLENBQUMsd0JBQXdCLENBQUMsSUFBSSxFQUFFLFdBQVcsQ0FBQyxDQUFDO1lBQ2pGLElBQUksaUJBQWlCLENBQUMsTUFBTSxFQUFFLENBQUM7Z0JBQzdCLE9BQU8sQ0FBQyx1QkFBdUIsR0FBRyxJQUFJLHNCQUFVLENBQzlDLGlCQUFpQixDQUFDLEdBQUcsQ0FDbkIsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLElBQUkscUJBQVMsQ0FBQyxFQUFFLE1BQU0sRUFBRSxHQUFHLENBQUMsR0FBRyxFQUFFLFNBQVMsRUFBRSxJQUFJLHlCQUFXLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsQ0FDbkYsQ0FDRixDQUFDO1lBQ0osQ0FBQztZQUVELFdBQVcsQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDNUIsQ0FBQztRQUVELE1BQU0sUUFBUSxHQUFHLFVBQVUsQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO1FBQ2pELE1BQU0sT0FBTyxHQUFHLElBQUksdUJBQVcsQ0FBQztZQUM5QixVQUFVLEVBQUUsSUFBSSxzQkFBVSxDQUFDO2dCQUN6QixXQUFXO2dCQUNYLGlCQUFpQixFQUFFLElBQUksc0JBQVUsQ0FBQztvQkFDaEMsSUFBSSxxQkFBUyxDQUFDO3dCQUNaLE1BQU0sRUFBRSxvQkFBUyxDQUFDLGNBQWM7d0JBQ2hDLFNBQVMsRUFBRSxJQUFJLHlCQUFXLENBQUMsUUFBUSxDQUFDO3FCQUNyQyxDQUFDO2lCQUNILENBQUM7YUFDSCxDQUFDO1NBQ0gsQ0FBQyxDQUFDO1FBRUgsTUFBTSxhQUFhLEdBQUcsTUFBTSxVQUFVLENBQUMsZUFBZSxDQUFDLE9BQU8sRUFBRSxPQUFPLENBQUMsQ0FBQztRQUV6RSxNQUFNLFNBQVMsR0FBRyxNQUFNLFVBQVUsQ0FBQyxvQkFBb0IsQ0FBQyxhQUFhLENBQUMsQ0FBQztRQUN2RSxJQUFJLFNBQVMsSUFBSSxNQUFNLENBQUMsT0FBTyxDQUFDLFFBQVEsRUFBRSxTQUFTLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUMzRCxNQUFNLElBQUksS0FBSyxDQUFDLG9EQUFvRCxDQUFDLENBQUM7UUFDeEUsQ0FBQztRQUVELE1BQU0sWUFBWSxHQUF3QixFQUFFLENBQUM7UUFDN0MsSUFBSSxDQUFDLGFBQWEsQ0FBQyxLQUFLLEVBQUUsQ0FBQztZQUN6QixhQUFhLENBQUMsS0FBSyxHQUFHLGtCQUFrQixDQUFDO1lBQ3pDLFlBQVksQ0FBQyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUMsQ0FBQztRQUMzQixDQUFDO2FBQU0sQ0FBQztZQUNOLFlBQVksQ0FBQyxJQUFJLENBQUMsR0FBRyxrQkFBa0IsQ0FBQyxDQUFDO1FBQzNDLENBQUM7UUFFRCxNQUFNLGFBQWEsQ0FBQyxNQUFNLENBQUMsRUFBRSxZQUFZLEVBQUUsQ0FBQyxDQUFDO1FBQzdDLE9BQU8sYUFBYSxDQUFDO0lBQ3ZCLENBQUM7SUFFTyxNQUFNLENBQUMsS0FBSyxDQUFDLGVBQWUsQ0FDbEMsT0FBZSxFQUNmLE9BQW9CO1FBRXBCLE1BQU0sWUFBWSxHQUFHLE1BQU0sSUFBQSxlQUFLLEVBQUMsT0FBTyxFQUFFO1lBQ3hDLE1BQU0sRUFBRSxNQUFNO1lBQ2QsT0FBTyxFQUFFO2dCQUNQLGNBQWMsRUFBRSwwQkFBMEI7YUFDM0M7WUFDRCxZQUFZLEVBQUUsYUFBYTtZQUMzQixJQUFJLEVBQUUsMkJBQWEsQ0FBQyxTQUFTLENBQUMsT0FBTyxDQUFDO1NBQ3ZDLENBQUMsQ0FBQztRQUVILE1BQU0sYUFBYSxHQUFHLEtBQUssQ0FBQyxZQUFZLENBQUMsT0FBTyxDQUFDLFlBQVksQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUNwRSxJQUFJLENBQUMsYUFBYSxDQUFDLGFBQWEsRUFBRSxDQUFDO1lBQ2pDLE1BQU0sSUFBSSxLQUFLLENBQUMsOERBQThELENBQUMsQ0FBQztRQUNsRixDQUFDO1FBRUQsTUFBTSxhQUFhLEdBQUcsS0FBSyxDQUFDLGlCQUFpQixDQUFDLE9BQU8sQ0FDbkQsYUFBYSxDQUFDLGFBQWEsQ0FBQyxRQUFRLENBQUMsVUFBVSxDQUFDLFlBQVksQ0FDN0QsQ0FBQztRQUVGLE9BQU8sYUFBYSxDQUFDO0lBQ3ZCLENBQUM7SUFFTyxNQUFNLENBQUMsa0JBQWtCO1FBQy9CLE9BQU8sS0FBSyxDQUFDLGVBQWUsQ0FBQyxJQUFJLFVBQVUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBQ25ELENBQUM7SUFFTyxNQUFNLENBQUMsb0JBQW9CLENBQUMsYUFBc0M7UUFDeEUsTUFBTSxjQUFjLEdBQUcsYUFBYSxDQUFDLGVBQWUsRUFBRSxrQkFBa0IsRUFBRSxJQUFJLENBQzVFLENBQUMsU0FBUyxFQUFFLEVBQUUsQ0FBQyxTQUFTLENBQUMsTUFBTSxLQUFLLG9CQUFTLENBQUMsY0FBYyxDQUM3RCxDQUFDO1FBQ0YsT0FBTyxjQUFjLElBQUksTUFBTSxDQUFDLElBQUksQ0FBQyxjQUFjLENBQUMsV0FBVyxDQUFDLFVBQVUsQ0FBQyxRQUFRLENBQUMsQ0FBQztJQUN2RixDQUFDO0lBRU8sTUFBTSxDQUFDLHdCQUF3QixDQUNyQyxJQUF1QixFQUN2QixXQUFxQjtRQUVyQixPQUFPLFdBQVc7YUFDZixHQUFHLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRTtZQUNYLE1BQU0sS0FBSyxHQUFHLDhCQUFrQixDQUFDLGlCQUFpQixDQUFDLElBQUksRUFBRSxHQUFHLENBQUMsQ0FBQztZQUU5RCxPQUFPLEVBQUUsR0FBRyxFQUFFLEtBQUssRUFBRSxDQUFDO1FBQ3hCLENBQUMsQ0FBQzthQUNELE1BQU0sQ0FBQyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsQ0FBc0IsQ0FBQztJQUM5RCxDQUFDO0NBQ0Y7QUF4VUQsZ0NBd1VDIn0=
|
|
@@ -1,5 +1,10 @@
|
|
|
1
|
+
import { BlockchainCert } from './types.js';
|
|
2
|
+
export declare const BLOCKCHAIN_CERT_TBS_PARTS: string[];
|
|
1
3
|
export declare class CertificateSerializer {
|
|
2
4
|
static serializeCertChain(certChainPem: string): string;
|
|
3
5
|
static deserializeCertChain(input: string): string;
|
|
4
6
|
static isSerializedCertChain(certChainBase64: string): boolean;
|
|
7
|
+
static serializeForBlockchain(certPem: string): BlockchainCert;
|
|
8
|
+
static deserializeFromBlockchain(data: BlockchainCert): string;
|
|
9
|
+
private static getPart;
|
|
5
10
|
}
|
|
@@ -1,9 +1,26 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
+
};
|
|
2
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.CertificateSerializer = void 0;
|
|
6
|
+
exports.CertificateSerializer = exports.BLOCKCHAIN_CERT_TBS_PARTS = void 0;
|
|
7
|
+
const node_forge_1 = __importDefault(require("node-forge"));
|
|
8
|
+
const lodash_1 = __importDefault(require("lodash"));
|
|
9
|
+
const binary_splitter_js_1 = require("./binary-splitter.js");
|
|
4
10
|
const helper_js_1 = require("./helper.js");
|
|
11
|
+
const constants_js_1 = require("../constants.js");
|
|
12
|
+
const pki_common_1 = require("@super-protocol/pki-common");
|
|
5
13
|
const CERTS_CHAIN_DELIMITER = ';';
|
|
6
14
|
const CERTS_SERIALIZATION_PREFIX = 'certs:';
|
|
15
|
+
exports.BLOCKCHAIN_CERT_TBS_PARTS = [
|
|
16
|
+
'serialNumber',
|
|
17
|
+
'expirationDate',
|
|
18
|
+
'publicKey',
|
|
19
|
+
'ca',
|
|
20
|
+
'userData',
|
|
21
|
+
'mrEnclave',
|
|
22
|
+
'mrSigner',
|
|
23
|
+
];
|
|
7
24
|
class CertificateSerializer {
|
|
8
25
|
static serializeCertChain(certChainPem) {
|
|
9
26
|
const certsDer = helper_js_1.CertificatesHelper.pemChainToDer(certChainPem);
|
|
@@ -22,6 +39,85 @@ class CertificateSerializer {
|
|
|
22
39
|
static isSerializedCertChain(certChainBase64) {
|
|
23
40
|
return certChainBase64.startsWith(CERTS_SERIALIZATION_PREFIX);
|
|
24
41
|
}
|
|
42
|
+
static serializeForBlockchain(certPem) {
|
|
43
|
+
const certAlgorithm = helper_js_1.CertificatesHelper.getCertPublicKeyAlgorithm(certPem);
|
|
44
|
+
if (certAlgorithm.name !== 'ECDSA' || certAlgorithm.namedCurve !== 'K-256') {
|
|
45
|
+
throw new Error(`Unsupported certificate algorithm: ${certAlgorithm.name}${certAlgorithm.namedCurve ? `with curve ${certAlgorithm.namedCurve}` : ''}. Only ECDSA with secp256k1 curve is supported.`);
|
|
46
|
+
}
|
|
47
|
+
const certDer = helper_js_1.CertificatesHelper.pemToDer(certPem);
|
|
48
|
+
const parts = new binary_splitter_js_1.CertificateBinarySplitter(certDer).split([
|
|
49
|
+
binary_splitter_js_1.CertificateNonOidParts.SERIAL_NUMBER,
|
|
50
|
+
binary_splitter_js_1.CertificateNonOidParts.SIGNATURE,
|
|
51
|
+
binary_splitter_js_1.CertificateNonOidParts.NOT_AFTER,
|
|
52
|
+
binary_splitter_js_1.CertificateNonOidParts.SUBJECT_PUBLIC_KEY_INFO,
|
|
53
|
+
], [
|
|
54
|
+
node_forge_1.default.pki.oids['basicConstraints'],
|
|
55
|
+
constants_js_1.OID_CUSTOM_EXTENSION_USER_DATA,
|
|
56
|
+
pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_ID,
|
|
57
|
+
pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID,
|
|
58
|
+
]);
|
|
59
|
+
const [nonSerializedParts, serializedParts] = lodash_1.default.partition(parts, (part) => part instanceof Uint8Array);
|
|
60
|
+
const expirationDate = CertificateSerializer.getPart(serializedParts, 'notAfter');
|
|
61
|
+
const serial = CertificateSerializer.getPart(serializedParts, 'serialNumber');
|
|
62
|
+
const publicKey = CertificateSerializer.getPart(serializedParts, 'publicKey');
|
|
63
|
+
const ca = CertificateSerializer.getPart(serializedParts, node_forge_1.default.pki.oids['basicConstraints']);
|
|
64
|
+
const userData = CertificateSerializer.getPart(serializedParts, constants_js_1.OID_CUSTOM_EXTENSION_USER_DATA, false);
|
|
65
|
+
const mrEnclave = CertificateSerializer.getPart(serializedParts, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_ID, false);
|
|
66
|
+
const mrSigner = CertificateSerializer.getPart(serializedParts, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID, false);
|
|
67
|
+
const signature = CertificateSerializer.getPart(serializedParts, 'signature');
|
|
68
|
+
if (serializedParts.length !== 0) {
|
|
69
|
+
throw new Error(`Unexpected serialized parts found in certificate: ${serializedParts.map((part) => part.name || part.oid).join(', ')}`);
|
|
70
|
+
}
|
|
71
|
+
return {
|
|
72
|
+
nonSerializedParts,
|
|
73
|
+
expirationDate: expirationDate.value,
|
|
74
|
+
ca: ca.value,
|
|
75
|
+
userData: userData?.value,
|
|
76
|
+
serialNumber: serial.value,
|
|
77
|
+
signature: signature.value,
|
|
78
|
+
publicKey: publicKey.value,
|
|
79
|
+
mrEnclave: mrEnclave?.value,
|
|
80
|
+
mrSigner: mrSigner?.value,
|
|
81
|
+
};
|
|
82
|
+
}
|
|
83
|
+
static deserializeFromBlockchain(data) {
|
|
84
|
+
const bufferParts = [];
|
|
85
|
+
bufferParts.push(Buffer.from(data.nonSerializedParts[0]));
|
|
86
|
+
bufferParts.push(Buffer.from(data.nonSerializedParts[1]));
|
|
87
|
+
let partIndex = 2;
|
|
88
|
+
for (const field of exports.BLOCKCHAIN_CERT_TBS_PARTS) {
|
|
89
|
+
const value = data[field];
|
|
90
|
+
if (value) {
|
|
91
|
+
bufferParts.push(Buffer.from(value));
|
|
92
|
+
if (partIndex < data.nonSerializedParts.length) {
|
|
93
|
+
bufferParts.push(Buffer.from(data.nonSerializedParts[partIndex++]));
|
|
94
|
+
}
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
// adding signature part
|
|
98
|
+
// if no custom extensions, it is needed to add additional block with keyUsage extension
|
|
99
|
+
// if custom extension present - keyUsage extension will be a part of block before this custom extension
|
|
100
|
+
// 3 - because asn1 bytes between r and s values are 2 or 3 bytes long (2 for positive value, 3 for negative value)
|
|
101
|
+
if (data.nonSerializedParts[partIndex]?.byteLength > 3) {
|
|
102
|
+
bufferParts.push(Buffer.from(data.nonSerializedParts[partIndex++]));
|
|
103
|
+
}
|
|
104
|
+
const rValue = data.signature.slice(0, 32);
|
|
105
|
+
bufferParts.push(Buffer.from(rValue));
|
|
106
|
+
if (partIndex < data.nonSerializedParts.length) {
|
|
107
|
+
bufferParts.push(Buffer.from(data.nonSerializedParts[partIndex++]));
|
|
108
|
+
}
|
|
109
|
+
const sValue = data.signature.slice(32, 64);
|
|
110
|
+
bufferParts.push(Buffer.from(sValue));
|
|
111
|
+
const certDer = Buffer.concat(bufferParts);
|
|
112
|
+
return helper_js_1.CertificatesHelper.derToPem(certDer);
|
|
113
|
+
}
|
|
114
|
+
static getPart(parts, nameOrOid, mandatory = true) {
|
|
115
|
+
const part = lodash_1.default.remove(parts, (part) => part.name === nameOrOid || part.oid === nameOrOid)[0];
|
|
116
|
+
if (!part && mandatory) {
|
|
117
|
+
throw new Error(`Part with name or OID "${nameOrOid}" not found in certificate`);
|
|
118
|
+
}
|
|
119
|
+
return part;
|
|
120
|
+
}
|
|
25
121
|
}
|
|
26
122
|
exports.CertificateSerializer = CertificateSerializer;
|
|
27
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
123
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2VyaWFsaXplci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jZXJ0aWZpY2F0ZXMvc2VyaWFsaXplci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7QUFBQSw0REFBK0I7QUFDL0Isb0RBQXVCO0FBQ3ZCLDZEQUF5RjtBQUN6RiwyQ0FBaUQ7QUFDakQsa0RBQWlFO0FBQ2pFLDJEQUdvQztBQUdwQyxNQUFNLHFCQUFxQixHQUFHLEdBQUcsQ0FBQztBQUNsQyxNQUFNLDBCQUEwQixHQUFHLFFBQVEsQ0FBQztBQUUvQixRQUFBLHlCQUF5QixHQUFHO0lBQ3ZDLGNBQWM7SUFDZCxnQkFBZ0I7SUFDaEIsV0FBVztJQUNYLElBQUk7SUFDSixVQUFVO0lBQ1YsV0FBVztJQUNYLFVBQVU7Q0FDWCxDQUFDO0FBRUYsTUFBYSxxQkFBcUI7SUFDaEMsTUFBTSxDQUFDLGtCQUFrQixDQUFDLFlBQW9CO1FBQzVDLE1BQU0sUUFBUSxHQUFHLDhCQUFrQixDQUFDLGFBQWEsQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUVoRSxPQUFPLEdBQUcsMEJBQTBCLEdBQUcsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMscUJBQXFCLENBQUMsRUFBRSxDQUFDO0lBQ3BJLENBQUM7SUFFRCxNQUFNLENBQUMsb0JBQW9CLENBQUMsS0FBYTtRQUN2QyxJQUFJLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FBQywwQkFBMEIsQ0FBQyxFQUFFLENBQUM7WUFDbEQsTUFBTSxJQUFJLEtBQUssQ0FBQyxtQkFBbUIsMEJBQTBCLFlBQVksQ0FBQyxDQUFDO1FBQzdFLENBQUM7UUFFRCxNQUFNLFFBQVEsR0FBRyxLQUFLO2FBQ25CLEtBQUssQ0FBQywwQkFBMEIsQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUNyQyxFQUFFLEtBQUssQ0FBQyxxQkFBcUIsQ0FBQztZQUM5QixFQUFFLEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLEVBQUUsUUFBUSxDQUFDLENBQUMsQ0FBQztRQUMvQyxPQUFPLDhCQUFrQixDQUFDLGFBQWEsQ0FBQyxRQUFRLENBQUMsQ0FBQztJQUNwRCxDQUFDO0lBRUQsTUFBTSxDQUFDLHFCQUFxQixDQUFDLGVBQXVCO1FBQ2xELE9BQU8sZUFBZSxDQUFDLFVBQVUsQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO0lBQ2hFLENBQUM7SUFFRCxNQUFNLENBQUMsc0JBQXNCLENBQUMsT0FBZTtRQUMzQyxNQUFNLGFBQWEsR0FBRyw4QkFBa0IsQ0FBQyx5QkFBeUIsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUM1RSxJQUFJLGFBQWEsQ0FBQyxJQUFJLEtBQUssT0FBTyxJQUFJLGFBQWEsQ0FBQyxVQUFVLEtBQUssT0FBTyxFQUFFLENBQUM7WUFDM0UsTUFBTSxJQUFJLEtBQUssQ0FDYixzQ0FBc0MsYUFBYSxDQUFDLElBQUksR0FBRyxhQUFhLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQyxjQUFjLGFBQWEsQ0FBQyxVQUFVLEVBQUUsQ0FBQyxDQUFDLENBQUMsRUFBRSxpREFBaUQsQ0FDckwsQ0FBQztRQUNKLENBQUM7UUFFRCxNQUFNLE9BQU8sR0FBRyw4QkFBa0IsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUM7UUFFckQsTUFBTSxLQUFLLEdBQUcsSUFBSSw4Q0FBeUIsQ0FBQyxPQUFPLENBQUMsQ0FBQyxLQUFLLENBQ3hEO1lBQ0UsMkNBQXNCLENBQUMsYUFBYTtZQUNwQywyQ0FBc0IsQ0FBQyxTQUFTO1lBQ2hDLDJDQUFzQixDQUFDLFNBQVM7WUFDaEMsMkNBQXNCLENBQUMsdUJBQXVCO1NBQy9DLEVBQ0Q7WUFDRSxvQkFBSyxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsa0JBQWtCLENBQUM7WUFDbEMsNkNBQThCO1lBQzlCLDhDQUFpQztZQUNqQyxxREFBd0M7U0FDekMsQ0FDRixDQUFDO1FBRUYsTUFBTSxDQUFDLGtCQUFrQixFQUFFLGVBQWUsQ0FBQyxHQUFHLGdCQUFDLENBQUMsU0FBUyxDQUN2RCxLQUFLLEVBQ0wsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLElBQUksWUFBWSxVQUFVLENBQ0QsQ0FBQztRQUV0QyxNQUFNLGNBQWMsR0FBRyxxQkFBcUIsQ0FBQyxPQUFPLENBQUMsZUFBZSxFQUFFLFVBQVUsQ0FBQyxDQUFDO1FBQ2xGLE1BQU0sTUFBTSxHQUFHLHFCQUFxQixDQUFDLE9BQU8sQ0FBQyxlQUFlLEVBQUUsY0FBYyxDQUFDLENBQUM7UUFDOUUsTUFBTSxTQUFTLEdBQUcscUJBQXFCLENBQUMsT0FBTyxDQUFDLGVBQWUsRUFBRSxXQUFXLENBQUMsQ0FBQztRQUM5RSxNQUFNLEVBQUUsR0FBRyxxQkFBcUIsQ0FBQyxPQUFPLENBQUMsZUFBZSxFQUFFLG9CQUFLLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDLENBQUM7UUFDOUYsTUFBTSxRQUFRLEdBQUcscUJBQXFCLENBQUMsT0FBTyxDQUM1QyxlQUFlLEVBQ2YsNkNBQThCLEVBQzlCLEtBQUssQ0FDTixDQUFDO1FBQ0YsTUFBTSxTQUFTLEdBQUcscUJBQXFCLENBQUMsT0FBTyxDQUM3QyxlQUFlLEVBQ2YsOENBQWlDLEVBQ2pDLEtBQUssQ0FDTixDQUFDO1FBQ0YsTUFBTSxRQUFRLEdBQUcscUJBQXFCLENBQUMsT0FBTyxDQUM1QyxlQUFlLEVBQ2YscURBQXdDLEVBQ3hDLEtBQUssQ0FDTixDQUFDO1FBQ0YsTUFBTSxTQUFTLEdBQUcscUJBQXFCLENBQUMsT0FBTyxDQUFDLGVBQWUsRUFBRSxXQUFXLENBQUMsQ0FBQztRQUU5RSxJQUFJLGVBQWUsQ0FBQyxNQUFNLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDakMsTUFBTSxJQUFJLEtBQUssQ0FDYixxREFBcUQsZUFBZSxDQUFDLEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsSUFBSSxDQUFDLElBQUksSUFBSSxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxFQUFFLENBQ3ZILENBQUM7UUFDSixDQUFDO1FBRUQsT0FBTztZQUNMLGtCQUFrQjtZQUNsQixjQUFjLEVBQUUsY0FBYyxDQUFDLEtBQUs7WUFDcEMsRUFBRSxFQUFFLEVBQUUsQ0FBQyxLQUFLO1lBQ1osUUFBUSxFQUFFLFFBQVEsRUFBRSxLQUFLO1lBQ3pCLFlBQVksRUFBRSxNQUFNLENBQUMsS0FBSztZQUMxQixTQUFTLEVBQUUsU0FBUyxDQUFDLEtBQUs7WUFDMUIsU0FBUyxFQUFFLFNBQVMsQ0FBQyxLQUFLO1lBQzFCLFNBQVMsRUFBRSxTQUFTLEVBQUUsS0FBSztZQUMzQixRQUFRLEVBQUUsUUFBUSxFQUFFLEtBQUs7U0FDMUIsQ0FBQztJQUNKLENBQUM7SUFFRCxNQUFNLENBQUMseUJBQXlCLENBQUMsSUFBb0I7UUFDbkQsTUFBTSxXQUFXLEdBQWEsRUFBRSxDQUFDO1FBRWpDLFdBQVcsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsa0JBQWtCLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzFELFdBQVcsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsa0JBQWtCLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBRTFELElBQUksU0FBUyxHQUFHLENBQUMsQ0FBQztRQUVsQixLQUFLLE1BQU0sS0FBSyxJQUFJLGlDQUF5QixFQUFFLENBQUM7WUFDOUMsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLEtBQTZCLENBQUMsQ0FBQztZQUNsRCxJQUFJLEtBQUssRUFBRSxDQUFDO2dCQUNWLFdBQVcsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxLQUFtQixDQUFDLENBQUMsQ0FBQztnQkFDbkQsSUFBSSxTQUFTLEdBQUcsSUFBSSxDQUFDLGtCQUFrQixDQUFDLE1BQU0sRUFBRSxDQUFDO29CQUMvQyxXQUFXLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLGtCQUFrQixDQUFDLFNBQVMsRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFDO2dCQUN0RSxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUM7UUFFRCx3QkFBd0I7UUFDeEIsd0ZBQXdGO1FBQ3hGLHdHQUF3RztRQUN4RyxtSEFBbUg7UUFDbkgsSUFBSSxJQUFJLENBQUMsa0JBQWtCLENBQUMsU0FBUyxDQUFDLEVBQUUsVUFBVSxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQ3ZELFdBQVcsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsa0JBQWtCLENBQUMsU0FBUyxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDdEUsQ0FBQztRQUVELE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxTQUFTLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQztRQUMzQyxXQUFXLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsTUFBb0IsQ0FBQyxDQUFDLENBQUM7UUFDcEQsSUFBSSxTQUFTLEdBQUcsSUFBSSxDQUFDLGtCQUFrQixDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQy9DLFdBQVcsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsa0JBQWtCLENBQUMsU0FBUyxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDdEUsQ0FBQztRQUNELE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxTQUFTLENBQUMsS0FBSyxDQUFDLEVBQUUsRUFBRSxFQUFFLENBQUMsQ0FBQztRQUM1QyxXQUFXLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsTUFBb0IsQ0FBQyxDQUFDLENBQUM7UUFFcEQsTUFBTSxPQUFPLEdBQUcsTUFBTSxDQUFDLE1BQU0sQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUMzQyxPQUFPLDhCQUFrQixDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUM5QyxDQUFDO0lBRU8sTUFBTSxDQUFDLE9BQU8sQ0FDcEIsS0FBdUIsRUFDdkIsU0FBaUIsRUFDakIsU0FBUyxHQUFHLElBQUk7UUFFaEIsTUFBTSxJQUFJLEdBQUcsZ0JBQUMsQ0FBQyxNQUFNLENBQUMsS0FBSyxFQUFFLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsSUFBSSxLQUFLLFNBQVMsSUFBSSxJQUFJLENBQUMsR0FBRyxLQUFLLFNBQVMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzdGLElBQUksQ0FBQyxJQUFJLElBQUksU0FBUyxFQUFFLENBQUM7WUFDdkIsTUFBTSxJQUFJLEtBQUssQ0FBQywwQkFBMEIsU0FBUyw0QkFBNEIsQ0FBQyxDQUFDO1FBQ25GLENBQUM7UUFFRCxPQUFPLElBQUksQ0FBQztJQUNkLENBQUM7Q0FDRjtBQS9JRCxzREErSUMifQ==
|