@super-protocol/swarm-contracts-sdk 0.0.1-beta.1

package/dist/mjs/certificates/ocsp.js

@@ -0,0 +1,290 @@
+import _ from 'lodash';
+import forge from 'node-forge';
+import * as pkijs from 'pkijs';
+import * as asn1js from 'asn1js';
+import axios from 'axios';
+import { CertID, OCSPRequest, Request, TBSRequest } from '@peculiar/asn1-ocsp';
+import { OctetString, AsnSerializer, AsnParser } from '@peculiar/asn1-schema';
+import { AlgorithmIdentifier, Extensions, Extension } from '@peculiar/asn1-x509';
+import { OID_AUTHORITY_INFORMATION_ACCESS_EXTENSION, OID_OCSP_ACCESS_METHOD, OID_OCSP_ISSUER_ACCESS_METHOD, } from '../constants.js';
+import { CertificatesHelper } from './helper.js';
+import { CryptoKeysTransformer, OcspCertStatus, constants, helpers, } from '../index.js';
+import { ExtendedKeyUsage } from '@peculiar/x509';
+import { tryWithInterval } from '../utils/helpers/tryWithInterval.js';
+const DEFAULT_REVOCATION_DATE = new Date('1970-01-01T00:00:00Z');
+export class OCSPHelper {
+    static async getOCSPResponseFromCerts(certs, ca, oidsToCheck = []) {
+        const ocspRequestsData = certs
+            .map(OCSPHelper.getOCSPRequestData)
+            .filter(Boolean);
+        if (!ocspRequestsData.length) {
+            return [];
+        }
+        const groupByOcspUrl = _.groupBy(ocspRequestsData, 'ocspUrl');
+        const getOcspResponseParams = Object.entries(groupByOcspUrl).map(([ocspUrl, certParams]) => ({
+            ocspUrl,
+            certsWithIssuer: certParams.map(({ certWithKeyIdent, issuerCertUrl }) => ({
+                cert: certWithKeyIdent.cert,
+                issuerCertUrl,
+                issuerCert: CertificatesHelper.getIssuer(certWithKeyIdent, [...certs, ...ca])?.cert,
+            })),
+            ca: ca.map((certWithKeyIdent) => certWithKeyIdent.cert),
+            oidsToCheck,
+        }));
+        const ocspResponseResults = await Promise.allSettled(getOcspResponseParams.map((params) => OCSPHelper.getOCSPResponse(params)));
+        const rejectedOCSPResponses = ocspResponseResults
+            .filter(helpers.isRejected)
+            .map((result) => result.reason);
+        if (rejectedOCSPResponses.length) {
+            throw new Error(`Can't get valid OCSP responses for some of certificates (reasons=${rejectedOCSPResponses.join(';\n')})`);
+        }
+        return ocspResponseResults.filter(helpers.isFulfilled).map((result) => result.value);
+    }
+    static async generateOCSPResponse(params) {
+        const ocspBasicResp = new pkijs.BasicOCSPResponse();
+        const { issuerPem: issuerCertPem, caCertsPem, certs, privateKey, nonce } = params;
+        const { certs: issuerCertsPem } = CertificatesHelper.extractCAFromChain(`${issuerCertPem}\n${caCertsPem || ''}`);
+        const issuerCert = CertificatesHelper.toPkiCerts(issuerCertPem)[0];
+        ocspBasicResp.tbsResponseData.responderID = issuerCert.subject;
+        ocspBasicResp.tbsResponseData.producedAt = new Date();
+        ocspBasicResp.certs = CertificatesHelper.toPkiCerts(issuerCertsPem);
+        for (const certData of certs) {
+            const { serialNumber, status, issuerKeyHash, issuerNameHash, hashAlgorithm, revocationDate } = certData;
+            const certID = new pkijs.CertID({
+                hashAlgorithm: new pkijs.AlgorithmIdentifier({
+                    algorithmId: hashAlgorithm,
+                    algorithmParams: new asn1js.Null(),
+                }),
+                issuerNameHash: new asn1js.OctetString({ valueHex: issuerNameHash }),
+                issuerKeyHash: new asn1js.OctetString({ valueHex: issuerKeyHash }),
+                serialNumber: new asn1js.Integer({ valueHex: serialNumber }),
+            });
+            const response = new pkijs.SingleResponse({
+                certID,
+            });
+            switch (status) {
+                case OcspCertStatus.OK:
+                case OcspCertStatus.Unknown:
+                    response.certStatus = new asn1js.Primitive({
+                        idBlock: {
+                            tagClass: 3,
+                            tagNumber: status,
+                        },
+                    });
+                    break;
+                case OcspCertStatus.Revoked:
+                    response.certStatus = new asn1js.Constructed({
+                        idBlock: {
+                            tagClass: 3,
+                            tagNumber: status,
+                            isConstructed: true,
+                        },
+                        value: [
+                            new asn1js.GeneralizedTime({
+                                valueDate: revocationDate || DEFAULT_REVOCATION_DATE,
+                            }),
+                        ],
+                    });
+                    break;
+                default:
+                    throw new Error(`Unknown OCSP certificate status: ${status}`);
+            }
+            response.thisUpdate = new Date();
+            ocspBasicResp.tbsResponseData.responses.push(response);
+        }
+        if (nonce) {
+            ocspBasicResp.tbsResponseData.responseExtensions = [
+                new pkijs.Extension({
+                    extnID: constants.OID_OCSP_NONCE,
+                    extnValue: nonce,
+                }),
+            ];
+        }
+        const privateCryptoKey = await CryptoKeysTransformer.pkcs8PemToCryptoKey(privateKey);
+        await ocspBasicResp.sign(privateCryptoKey, 'SHA-256');
+        const ocspBasicRespRaw = ocspBasicResp.toSchema().toBER(false);
+        const ocspResp = new pkijs.OCSPResponse({
+            responseStatus: new asn1js.Enumerated({ value: 0 }), // success
+            responseBytes: new pkijs.ResponseBytes({
+                responseType: pkijs.id_PKIX_OCSP_Basic,
+                response: new asn1js.OctetString({ valueHex: ocspBasicRespRaw }),
+            }),
+        });
+        return ocspResp.toSchema().toBER();
+    }
+    static parseOCSPRequest(ocspRequestBinary) {
+        const ocspRequest = AsnParser.parse(ocspRequestBinary, OCSPRequest);
+        const certRequests = ocspRequest.tbsRequest.requestList.map((request) => {
+            const reqCert = {
+                hashAlgorithm: request.reqCert.hashAlgorithm.algorithm,
+                issuerNameHash: Buffer.from(request.reqCert.issuerNameHash.buffer),
+                issuerKeyHash: Buffer.from(request.reqCert.issuerKeyHash.buffer),
+                serialNumber: request.reqCert.serialNumber,
+            };
+            const extensionsToCheck = request.singleRequestExtensions?.map((ext) => ({
+                oid: ext.extnID,
+                value: Buffer.from(ext.extnValue.buffer),
+            })) || [];
+            return { ...reqCert, extensionsToCheck };
+        });
+        const nonceExtension = ocspRequest.tbsRequest.requestExtensions?.find((ext) => ext.extnID === constants.OID_OCSP_NONCE);
+        const nonce = nonceExtension && nonceExtension.extnValue.buffer;
+        return { certRequests, nonce };
+    }
+    static canCertSignOCSPResponse(cert, certsWithIssuer) {
+        if (certsWithIssuer.length &&
+            certsWithIssuer.every((certWithIssuer) => cert.toString() === certWithIssuer.issuerCert?.toString())) {
+            return true;
+        }
+        const extKeysUsage = cert.extensions?.find((ext) => ext.extnID === forge.pki.oids['extKeyUsage']);
+        if (!extKeysUsage) {
+            return false;
+        }
+        return Boolean(extKeysUsage.parsedValue.keyPurposes.find((usage) => usage === ExtendedKeyUsage.ocspSigning));
+    }
+    static getOCSPRequestData(certWithKeyIdent) {
+        const authorityExtension = CertificatesHelper.getExtensionValue(certWithKeyIdent.cert, OID_AUTHORITY_INFORMATION_ACCESS_EXTENSION);
+        if (!authorityExtension) {
+            return;
+        }
+        const extensionValue = pkijs.ExtensionValueFactory.fromBER(OID_AUTHORITY_INFORMATION_ACCESS_EXTENSION, authorityExtension);
+        const ocspUrl = extensionValue.accessDescriptions.find((desc) => desc.accessMethod === OID_OCSP_ACCESS_METHOD)?.accessLocation.value;
+        const issuerCertUrl = extensionValue.accessDescriptions.find((desc) => desc.accessMethod === OID_OCSP_ISSUER_ACCESS_METHOD)?.accessLocation.value;
+        if (!ocspUrl) {
+            return;
+        }
+        return { ocspUrl, issuerCertUrl, certWithKeyIdent };
+    }
+    static async getOCSPResponse(params) {
+        const { ocspUrl, certsWithIssuer, ca, oidsToCheck } = params;
+        const requestList = [];
+        const issuerCertificates = [];
+        const addIssuerCertIfNotExists = (cert) => {
+            if (!issuerCertificates.some((c) => c.subject.isEqual(cert.subject))) {
+                issuerCertificates.push(cert);
+            }
+        };
+        for (const certWithIssuer of certsWithIssuer) {
+            if (!certWithIssuer.issuerCert && certWithIssuer.issuerCertUrl) {
+                const issuerCertRaw = await CertificatesHelper.downloadCertWithCache(certWithIssuer.issuerCertUrl);
+                certWithIssuer.issuerCert = pkijs.Certificate.fromBER(issuerCertRaw);
+            }
+            if (!certWithIssuer.issuerCert) {
+                throw new Error(`No issuer certificate found for OCSP request for ${certWithIssuer.cert.subject}`);
+            }
+            addIssuerCertIfNotExists(certWithIssuer.issuerCert);
+            addIssuerCertIfNotExists(certWithIssuer.cert);
+            const certID = new pkijs.CertID();
+            await certID.createForCertificate(certWithIssuer.cert, {
+                hashAlgorithm: 'SHA-1',
+                issuerCertificate: certWithIssuer.issuerCert,
+            });
+            const request = new Request({
+                reqCert: new CertID({
+                    hashAlgorithm: new AlgorithmIdentifier({
+                        algorithm: certID.hashAlgorithm.algorithmId,
+                    }),
+                    issuerNameHash: new OctetString().fromASN(certID.issuerNameHash),
+                    issuerKeyHash: new OctetString().fromASN(certID.issuerKeyHash),
+                    serialNumber: certID.serialNumber.valueBlock.valueHex,
+                }),
+            });
+            const extensionsToCheck = OCSPHelper.getCertExtensionsToCheck(certWithIssuer.cert, oidsToCheck);
+            if (extensionsToCheck.length) {
+                request.singleRequestExtensions = new Extensions(extensionsToCheck.map((ext) => new Extension({ extnID: ext.oid, extnValue: new OctetString(ext.value) })));
+            }
+            requestList.push(request);
+        }
+        const reqNonce = OCSPHelper.getNonceForRequest();
+        const ocspReq = new OCSPRequest({
+            tbsRequest: new TBSRequest({
+                requestList,
+                requestExtensions: new Extensions([
+                    new Extension({
+                        extnID: constants.OID_OCSP_NONCE,
+                        extnValue: new OctetString(reqNonce),
+                    }),
+                ]),
+            }),
+        });
+        const ocspBasicResp = await OCSPHelper.sendOCSPRequest(ocspUrl, ocspReq);
+        const respNonce = await OCSPHelper.getNonceFromResponse(ocspBasicResp);
+        if (respNonce && Buffer.compare(reqNonce, respNonce) !== 0) {
+            throw new Error(`OCSP nonces from request and response do not match`);
+        }
+        if (!ocspBasicResp.certs?.length) {
+            ocspBasicResp.certs = issuerCertificates;
+        }
+        const certsWithKeyIdentifier = await Promise.all(ocspBasicResp.certs.map(async (cert) => {
+            let keyIdentifier = cert.extensions
+                ?.find((ext) => ext.extnID === forge.pki.oids['subjectKeyIdentifier'])
+                ?.parsedValue.valueBlock.toBER();
+            if (!keyIdentifier) {
+                keyIdentifier = await cert.getKeyHash();
+            }
+            return {
+                cert,
+                keyIdentifier: Buffer.from(keyIdentifier),
+            };
+        }));
+        const signers = certsWithKeyIdentifier.filter(({ cert, keyIdentifier }) => cert.subject.isEqual(ocspBasicResp.tbsResponseData.responderID) ||
+            (ocspBasicResp.tbsResponseData?.responderID?.valueBlock &&
+                Buffer.compare(keyIdentifier, Buffer.from(ocspBasicResp.tbsResponseData?.responderID?.valueBlock?.toBER())) === 0));
+        if (!signers.length) {
+            throw new Error('No OCSP signer certificate found');
+        }
+        if (signers.length > 1) {
+            throw new Error('Prohibited attempt to replace OCSP signer');
+        }
+        const signerChain = CertificatesHelper.buildChain(signers[0], [
+            ...ocspBasicResp.certs,
+            ...issuerCertificates,
+        ]);
+        ocspBasicResp.certs = signerChain.map((certWithKeyIdentifiers) => certWithKeyIdentifiers.cert);
+        const isSignerValid = OCSPHelper.canCertSignOCSPResponse(signers[0].cert, params.certsWithIssuer);
+        if (!isSignerValid) {
+            throw new Error('OCSP signer certificate does not have the OCSP signing extended key usage');
+        }
+        const isValid = await ocspBasicResp.verify({ trustedCerts: ca });
+        if (!isValid) {
+            throw new Error('OCSP response verification failed');
+        }
+        return ocspBasicResp;
+    }
+    static async sendOCSPRequest(ocspUrl, ocspReq) {
+        const ocspResponse = await tryWithInterval({
+            handler: async () => await axios(ocspUrl, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/ocsp-request',
+                },
+                responseType: 'arraybuffer',
+                data: AsnSerializer.serialize(ocspReq),
+            }),
+            retryInterval: 1000,
+            retryMax: 3,
+        });
+        const ocspRespSimpl = pkijs.OCSPResponse.fromBER(ocspResponse.data);
+        if (!ocspRespSimpl.responseBytes) {
+            throw new Error('"No "ResponseBytes" in the OCSP Response - nothing to verify');
+        }
+        const ocspBasicResp = pkijs.BasicOCSPResponse.fromBER(ocspRespSimpl.responseBytes.response.valueBlock.valueHexView);
+        return ocspBasicResp;
+    }
+    static getNonceForRequest() {
+        return pkijs.getRandomValues(new Uint8Array(32));
+    }
+    static getNonceFromResponse(ocspBasicResp) {
+        const nonceExtension = ocspBasicResp.tbsResponseData?.responseExtensions?.find((extension) => extension.extnID === constants.OID_OCSP_NONCE);
+        return nonceExtension && Buffer.from(nonceExtension.extnValue.valueBlock.valueHex);
+    }
+    static getCertExtensionsToCheck(cert, oidsToCheck) {
+        return oidsToCheck
+            .map((oid) => {
+            const value = CertificatesHelper.getExtensionValue(cert, oid);
+            return { oid, value };
+        })
+            .filter((ext) => Boolean(ext.value));
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoib2NzcC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jZXJ0aWZpY2F0ZXMvb2NzcC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLENBQUMsTUFBTSxRQUFRLENBQUM7QUFDdkIsT0FBTyxLQUFLLE1BQU0sWUFBWSxDQUFDO0FBQy9CLE9BQU8sS0FBSyxLQUFLLE1BQU0sT0FBTyxDQUFDO0FBQy9CLE9BQU8sS0FBSyxNQUFNLE1BQU0sUUFBUSxDQUFDO0FBQ2pDLE9BQU8sS0FBSyxNQUFNLE9BQU8sQ0FBQztBQUMxQixPQUFPLEVBQUUsTUFBTSxFQUFFLFdBQVcsRUFBRSxPQUFPLEVBQUUsVUFBVSxFQUFFLE1BQU0scUJBQXFCLENBQUM7QUFDL0UsT0FBTyxFQUFFLFdBQVcsRUFBRSxhQUFhLEVBQUUsU0FBUyxFQUFFLE1BQU0sdUJBQXVCLENBQUM7QUFDOUUsT0FBTyxFQUFFLG1CQUFtQixFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQUUsTUFBTSxxQkFBcUIsQ0FBQztBQUNqRixPQUFPLEVBQ0wsMENBQTBDLEVBQzFDLHNCQUFzQixFQUN0Qiw2QkFBNkIsR0FDOUIsTUFBTSxpQkFBaUIsQ0FBQztBQUN6QixPQUFPLEVBQUUsa0JBQWtCLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFDakQsT0FBTyxFQUVMLHFCQUFxQixFQUdyQixjQUFjLEVBRWQsU0FBUyxFQUNULE9BQU8sR0FDUixNQUFNLGFBQWEsQ0FBQztBQUNyQixPQUFPLEVBQUUsZ0JBQWdCLEVBQUUsTUFBTSxnQkFBZ0IsQ0FBQztBQUNsRCxPQUFPLEVBQUUsZUFBZSxFQUFFLE1BQU0scUNBQXFDLENBQUM7QUFtQnRFLE1BQU0sdUJBQXVCLEdBQUcsSUFBSSxJQUFJLENBQUMsc0JBQXNCLENBQUMsQ0FBQztBQUVqRSxNQUFNLE9BQU8sVUFBVTtJQUNyQixNQUFNLENBQUMsS0FBSyxDQUFDLHdCQUF3QixDQUNuQyxLQUErQixFQUMvQixFQUE0QixFQUM1QixjQUF3QixFQUFFO1FBRTFCLE1BQU0sZ0JBQWdCLEdBQUcsS0FBSzthQUMzQixHQUFHLENBQUMsVUFBVSxDQUFDLGtCQUFrQixDQUFDO2FBQ2xDLE1BQU0sQ0FBQyxPQUFPLENBQXNCLENBQUM7UUFDeEMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQzdCLE9BQU8sRUFBRSxDQUFDO1FBQ1osQ0FBQztRQUVELE1BQU0sY0FBYyxHQUFHLENBQUMsQ0FBQyxPQUFPLENBQUMsZ0JBQWdCLEVBQUUsU0FBUyxDQUFDLENBQUM7UUFDOUQsTUFBTSxxQkFBcUIsR0FBNEIsTUFBTSxDQUFDLE9BQU8sQ0FBQyxjQUFjLENBQUMsQ0FBQyxHQUFHLENBQ3ZGLENBQUMsQ0FBQyxPQUFPLEVBQUUsVUFBVSxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUM7WUFDMUIsT0FBTztZQUNQLGVBQWUsRUFBRSxVQUFVLENBQUMsR0FBRyxDQUFDLENBQUMsRUFBRSxnQkFBZ0IsRUFBRSxhQUFhLEVBQUUsRUFBRSxFQUFFLENBQUMsQ0FBQztnQkFDeEUsSUFBSSxFQUFFLGdCQUFnQixDQUFDLElBQUk7Z0JBQzNCLGFBQWE7Z0JBQ2IsVUFBVSxFQUFFLGtCQUFrQixDQUFDLFNBQVMsQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDLEdBQUcsS0FBSyxFQUFFLEdBQUcsRUFBRSxDQUFDLENBQUMsRUFBRSxJQUFJO2FBQ3BGLENBQUMsQ0FBQztZQUNILEVBQUUsRUFBRSxFQUFFLENBQUMsR0FBRyxDQUFDLENBQUMsZ0JBQWdCLEVBQUUsRUFBRSxDQUFDLGdCQUFnQixDQUFDLElBQUksQ0FBQztZQUN2RCxXQUFXO1NBQ1osQ0FBQyxDQUNILENBQUM7UUFFRixNQUFNLG1CQUFtQixHQUFHLE1BQU0sT0FBTyxDQUFDLFVBQVUsQ0FDbEQscUJBQXFCLENBQUMsR0FBRyxDQUFDLENBQUMsTUFBTSxFQUFFLEVBQUUsQ0FBQyxVQUFVLENBQUMsZUFBZSxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQzFFLENBQUM7UUFFRixNQUFNLHFCQUFxQixHQUFHLG1CQUFtQjthQUM5QyxNQUFNLENBQUMsT0FBTyxDQUFDLFVBQVUsQ0FBQzthQUMxQixHQUFHLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUNsQyxJQUFJLHFCQUFxQixDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ2pDLE1BQU0sSUFBSSxLQUFLLENBQ2Isb0VBQW9FLHFCQUFxQixDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUN6RyxDQUFDO1FBQ0osQ0FBQztRQUVELE9BQU8sbUJBQW1CLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUN2RixDQUFDO0lBRUQsTUFBTSxDQUFDLEtBQUssQ0FBQyxvQkFBb0IsQ0FBQyxNQUFrQztRQUNsRSxNQUFNLGFBQWEsR0FBRyxJQUFJLEtBQUssQ0FBQyxpQkFBaUIsRUFBRSxDQUFDO1FBQ3BELE1BQU0sRUFBRSxTQUFTLEVBQUUsYUFBYSxFQUFFLFVBQVUsRUFBRSxLQUFLLEVBQUUsVUFBVSxFQUFFLEtBQUssRUFBRSxHQUFHLE1BQU0sQ0FBQztRQUNsRixNQUFNLEVBQUUsS0FBSyxFQUFFLGNBQWMsRUFBRSxHQUFHLGtCQUFrQixDQUFDLGtCQUFrQixDQUNyRSxHQUFHLGFBQWEsS0FBSyxVQUFVLElBQUksRUFBRSxFQUFFLENBQ3hDLENBQUM7UUFDRixNQUFNLFVBQVUsR0FBRyxrQkFBa0IsQ0FBQyxVQUFVLENBQUMsYUFBYSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFFbkUsYUFBYSxDQUFDLGVBQWUsQ0FBQyxXQUFXLEdBQUcsVUFBVSxDQUFDLE9BQU8sQ0FBQztRQUMvRCxhQUFhLENBQUMsZUFBZSxDQUFDLFVBQVUsR0FBRyxJQUFJLElBQUksRUFBRSxDQUFDO1FBQ3RELGFBQWEsQ0FBQyxLQUFLLEdBQUcsa0JBQWtCLENBQUMsVUFBVSxDQUFDLGNBQWMsQ0FBQyxDQUFDO1FBRXBFLEtBQUssTUFBTSxRQUFRLElBQUksS0FBSyxFQUFFLENBQUM7WUFDN0IsTUFBTSxFQUFFLFlBQVksRUFBRSxNQUFNLEVBQUUsYUFBYSxFQUFFLGNBQWMsRUFBRSxhQUFhLEVBQUUsY0FBYyxFQUFFLEdBQzFGLFFBQVEsQ0FBQztZQUNYLE1BQU0sTUFBTSxHQUFHLElBQUksS0FBSyxDQUFDLE1BQU0sQ0FBQztnQkFDOUIsYUFBYSxFQUFFLElBQUksS0FBSyxDQUFDLG1CQUFtQixDQUFDO29CQUMzQyxXQUFXLEVBQUUsYUFBYTtvQkFDMUIsZUFBZSxFQUFFLElBQUksTUFBTSxDQUFDLElBQUksRUFBRTtpQkFDbkMsQ0FBQztnQkFDRixjQUFjLEVBQUUsSUFBSSxNQUFNLENBQUMsV0FBVyxDQUFDLEVBQUUsUUFBUSxFQUFFLGNBQWMsRUFBRSxDQUFDO2dCQUNwRSxhQUFhLEVBQUUsSUFBSSxNQUFNLENBQUMsV0FBVyxDQUFDLEVBQUUsUUFBUSxFQUFFLGFBQWEsRUFBRSxDQUFDO2dCQUNsRSxZQUFZLEVBQUUsSUFBSSxNQUFNLENBQUMsT0FBTyxDQUFDLEVBQUUsUUFBUSxFQUFFLFlBQVksRUFBRSxDQUFDO2FBQzdELENBQUMsQ0FBQztZQUVILE1BQU0sUUFBUSxHQUFHLElBQUksS0FBSyxDQUFDLGNBQWMsQ0FBQztnQkFDeEMsTUFBTTthQUNQLENBQUMsQ0FBQztZQUVILFFBQVEsTUFBTSxFQUFFLENBQUM7Z0JBQ2YsS0FBSyxjQUFjLENBQUMsRUFBRSxDQUFDO2dCQUN2QixLQUFLLGNBQWMsQ0FBQyxPQUFPO29CQUN6QixRQUFRLENBQUMsVUFBVSxHQUFHLElBQUksTUFBTSxDQUFDLFNBQVMsQ0FBQzt3QkFDekMsT0FBTyxFQUFFOzRCQUNQLFFBQVEsRUFBRSxDQUFDOzRCQUNYLFNBQVMsRUFBRSxNQUFNO3lCQUNsQjtxQkFDRixDQUFDLENBQUM7b0JBQ0gsTUFBTTtnQkFDUixLQUFLLGNBQWMsQ0FBQyxPQUFPO29CQUN6QixRQUFRLENBQUMsVUFBVSxHQUFHLElBQUksTUFBTSxDQUFDLFdBQVcsQ0FBQzt3QkFDM0MsT0FBTyxFQUFFOzRCQUNQLFFBQVEsRUFBRSxDQUFDOzRCQUNYLFNBQVMsRUFBRSxNQUFNOzRCQUNqQixhQUFhLEVBQUUsSUFBSTt5QkFDcEI7d0JBQ0QsS0FBSyxFQUFFOzRCQUNMLElBQUksTUFBTSxDQUFDLGVBQWUsQ0FBQztnQ0FDekIsU0FBUyxFQUFFLGNBQWMsSUFBSSx1QkFBdUI7NkJBQ3JELENBQUM7eUJBQ0g7cUJBQ0YsQ0FBQyxDQUFDO29CQUNILE1BQU07Z0JBQ1I7b0JBQ0UsTUFBTSxJQUFJLEtBQUssQ0FBQyxvQ0FBb0MsTUFBTSxFQUFFLENBQUMsQ0FBQztZQUNsRSxDQUFDO1lBRUQsUUFBUSxDQUFDLFVBQVUsR0FBRyxJQUFJLElBQUksRUFBRSxDQUFDO1lBQ2pDLGFBQWEsQ0FBQyxlQUFlLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUN6RCxDQUFDO1FBRUQsSUFBSSxLQUFLLEVBQUUsQ0FBQztZQUNWLGFBQWEsQ0FBQyxlQUFlLENBQUMsa0JBQWtCLEdBQUc7Z0JBQ2pELElBQUksS0FBSyxDQUFDLFNBQVMsQ0FBQztvQkFDbEIsTUFBTSxFQUFFLFNBQVMsQ0FBQyxjQUFjO29CQUNoQyxTQUFTLEVBQUUsS0FBSztpQkFDakIsQ0FBQzthQUNILENBQUM7UUFDSixDQUFDO1FBRUQsTUFBTSxnQkFBZ0IsR0FBRyxNQUFNLHFCQUFxQixDQUFDLG1CQUFtQixDQUFDLFVBQVUsQ0FBQyxDQUFDO1FBQ3JGLE1BQU0sYUFBYSxDQUFDLElBQUksQ0FBQyxnQkFBZ0IsRUFBRSxTQUFTLENBQUMsQ0FBQztRQUV0RCxNQUFNLGdCQUFnQixHQUFHLGFBQWEsQ0FBQyxRQUFRLEVBQUUsQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLENBQUM7UUFFL0QsTUFBTSxRQUFRLEdBQUcsSUFBSSxLQUFLLENBQUMsWUFBWSxDQUFDO1lBQ3RDLGNBQWMsRUFBRSxJQUFJLE1BQU0sQ0FBQyxVQUFVLENBQUMsRUFBRSxLQUFLLEVBQUUsQ0FBQyxFQUFFLENBQUMsRUFBRSxVQUFVO1lBQy9ELGFBQWEsRUFBRSxJQUFJLEtBQUssQ0FBQyxhQUFhLENBQUM7Z0JBQ3JDLFlBQVksRUFBRSxLQUFLLENBQUMsa0JBQWtCO2dCQUN0QyxRQUFRLEVBQUUsSUFBSSxNQUFNLENBQUMsV0FBVyxDQUFDLEVBQUUsUUFBUSxFQUFFLGdCQUFnQixFQUFFLENBQUM7YUFDakUsQ0FBQztTQUNILENBQUMsQ0FBQztRQUVILE9BQU8sUUFBUSxDQUFDLFFBQVEsRUFBRSxDQUFDLEtBQUssRUFBRSxDQUFDO0lBQ3JDLENBQUM7SUFFRCxNQUFNLENBQUMsZ0JBQWdCLENBQUMsaUJBQThCO1FBQ3BELE1BQU0sV0FBVyxHQUFHLFNBQVMsQ0FBQyxLQUFLLENBQUMsaUJBQWlCLEVBQUUsV0FBVyxDQUFDLENBQUM7UUFDcEUsTUFBTSxZQUFZLEdBQUcsV0FBVyxDQUFDLFVBQVUsQ0FBQyxXQUFXLENBQUMsR0FBRyxDQUFDLENBQUMsT0FBTyxFQUFFLEVBQUU7WUFDdEUsTUFBTSxPQUFPLEdBQUc7Z0JBQ2QsYUFBYSxFQUFFLE9BQU8sQ0FBQyxPQUFPLENBQUMsYUFBYSxDQUFDLFNBQVM7Z0JBQ3RELGNBQWMsRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsY0FBYyxDQUFDLE1BQU0sQ0FBQztnQkFDbEUsYUFBYSxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLE9BQU8sQ0FBQyxhQUFhLENBQUMsTUFBTSxDQUFDO2dCQUNoRSxZQUFZLEVBQUUsT0FBTyxDQUFDLE9BQU8sQ0FBQyxZQUFZO2FBQzNDLENBQUM7WUFFRixNQUFNLGlCQUFpQixHQUNyQixPQUFPLENBQUMsdUJBQXVCLEVBQUUsR0FBRyxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxDQUFDO2dCQUM3QyxHQUFHLEVBQUUsR0FBRyxDQUFDLE1BQU07Z0JBQ2YsS0FBSyxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLFNBQVMsQ0FBQyxNQUFNLENBQUM7YUFDekMsQ0FBQyxDQUFDLElBQUksRUFBRSxDQUFDO1lBRVosT0FBTyxFQUFFLEdBQUcsT0FBTyxFQUFFLGlCQUFpQixFQUFFLENBQUM7UUFDM0MsQ0FBQyxDQUFDLENBQUM7UUFFSCxNQUFNLGNBQWMsR0FBRyxXQUFXLENBQUMsVUFBVSxDQUFDLGlCQUFpQixFQUFFLElBQUksQ0FDbkUsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEtBQUssU0FBUyxDQUFDLGNBQWMsQ0FDakQsQ0FBQztRQUNGLE1BQU0sS0FBSyxHQUFHLGNBQWMsSUFBSSxjQUFjLENBQUMsU0FBUyxDQUFDLE1BQU0sQ0FBQztRQUVoRSxPQUFPLEVBQUUsWUFBWSxFQUFFLEtBQUssRUFBRSxDQUFDO0lBQ2pDLENBQUM7SUFFTyxNQUFNLENBQUMsdUJBQXVCLENBQ3BDLElBQXVCLEVBQ3ZCLGVBQXlEO1FBRXpELElBQ0UsZUFBZSxDQUFDLE1BQU07WUFDdEIsZUFBZSxDQUFDLEtBQUssQ0FDbkIsQ0FBQyxjQUFjLEVBQUUsRUFBRSxDQUFDLElBQUksQ0FBQyxRQUFRLEVBQUUsS0FBSyxjQUFjLENBQUMsVUFBVSxFQUFFLFFBQVEsRUFBRSxDQUM5RSxFQUNELENBQUM7WUFDRCxPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFFRCxNQUFNLFlBQVksR0FBRyxJQUFJLENBQUMsVUFBVSxFQUFFLElBQUksQ0FDeEMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEtBQUssS0FBSyxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLENBQ3RELENBQUM7UUFDRixJQUFJLENBQUMsWUFBWSxFQUFFLENBQUM7WUFDbEIsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDO1FBRUQsT0FBTyxPQUFPLENBQ1osWUFBWSxDQUFDLFdBQVcsQ0FBQyxXQUFXLENBQUMsSUFBSSxDQUN2QyxDQUFDLEtBQWEsRUFBRSxFQUFFLENBQUMsS0FBSyxLQUFLLGdCQUFnQixDQUFDLFdBQVcsQ0FDMUQsQ0FDRixDQUFDO0lBQ0osQ0FBQztJQUVPLE1BQU0sQ0FBQyxrQkFBa0IsQ0FDL0IsZ0JBQXdDO1FBRXhDLE1BQU0sa0JBQWtCLEdBQUcsa0JBQWtCLENBQUMsaUJBQWlCLENBQzdELGdCQUFnQixDQUFDLElBQUksRUFDckIsMENBQTBDLENBQzNDLENBQUM7UUFDRixJQUFJLENBQUMsa0JBQWtCLEVBQUUsQ0FBQztZQUN4QixPQUFPO1FBQ1QsQ0FBQztRQUVELE1BQU0sY0FBYyxHQUFHLEtBQUssQ0FBQyxxQkFBcUIsQ0FBQyxPQUFPLENBQ3hELDBDQUEwQyxFQUMxQyxrQkFBa0IsQ0FDRSxDQUFDO1FBRXZCLE1BQU0sT0FBTyxHQUFHLGNBQWMsQ0FBQyxrQkFBa0IsQ0FBQyxJQUFJLENBQ3BELENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsWUFBWSxLQUFLLHNCQUFzQixDQUN2RCxFQUFFLGNBQWMsQ0FBQyxLQUFLLENBQUM7UUFFeEIsTUFBTSxhQUFhLEdBQUcsY0FBYyxDQUFDLGtCQUFrQixDQUFDLElBQUksQ0FDMUQsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLElBQUksQ0FBQyxZQUFZLEtBQUssNkJBQTZCLENBQzlELEVBQUUsY0FBYyxDQUFDLEtBQUssQ0FBQztRQUV4QixJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDYixPQUFPO1FBQ1QsQ0FBQztRQUVELE9BQU8sRUFBRSxPQUFPLEVBQUUsYUFBYSxFQUFFLGdCQUFnQixFQUFFLENBQUM7SUFDdEQsQ0FBQztJQUVPLE1BQU0sQ0FBQyxLQUFLLENBQUMsZUFBZSxDQUNsQyxNQUE2QjtRQUU3QixNQUFNLEVBQUUsT0FBTyxFQUFFLGVBQWUsRUFBRSxFQUFFLEVBQUUsV0FBVyxFQUFFLEdBQUcsTUFBTSxDQUFDO1FBQzdELE1BQU0sV0FBVyxHQUFjLEVBQUUsQ0FBQztRQUNsQyxNQUFNLGtCQUFrQixHQUF3QixFQUFFLENBQUM7UUFFbkQsTUFBTSx3QkFBd0IsR0FBRyxDQUFDLElBQXVCLEVBQVEsRUFBRTtZQUNqRSxJQUFJLENBQUMsa0JBQWtCLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDLENBQUMsT0FBTyxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLENBQUMsRUFBRSxDQUFDO2dCQUNyRSxrQkFBa0IsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUM7WUFDaEMsQ0FBQztRQUNILENBQUMsQ0FBQztRQUNGLEtBQUssTUFBTSxjQUFjLElBQUksZUFBZSxFQUFFLENBQUM7WUFDN0MsSUFBSSxDQUFDLGNBQWMsQ0FBQyxVQUFVLElBQUksY0FBYyxDQUFDLGFBQWEsRUFBRSxDQUFDO2dCQUMvRCxNQUFNLGFBQWEsR0FBRyxNQUFNLGtCQUFrQixDQUFDLHFCQUFxQixDQUNsRSxjQUFjLENBQUMsYUFBYSxDQUM3QixDQUFDO2dCQUNGLGNBQWMsQ0FBQyxVQUFVLEdBQUcsS0FBSyxDQUFDLFdBQVcsQ0FBQyxPQUFPLENBQUMsYUFBYSxDQUFDLENBQUM7WUFDdkUsQ0FBQztZQUNELElBQUksQ0FBQyxjQUFjLENBQUMsVUFBVSxFQUFFLENBQUM7Z0JBQy9CLE1BQU0sSUFBSSxLQUFLLENBQ2Isb0RBQW9ELGNBQWMsQ0FBQyxJQUFJLENBQUMsT0FBTyxFQUFFLENBQ2xGLENBQUM7WUFDSixDQUFDO1lBRUQsd0JBQXdCLENBQUMsY0FBYyxDQUFDLFVBQVUsQ0FBQyxDQUFDO1lBQ3BELHdCQUF3QixDQUFDLGNBQWMsQ0FBQyxJQUFJLENBQUMsQ0FBQztZQUU5QyxNQUFNLE1BQU0sR0FBRyxJQUFJLEtBQUssQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUNsQyxNQUFNLE1BQU0sQ0FBQyxvQkFBb0IsQ0FBQyxjQUFjLENBQUMsSUFBSSxFQUFFO2dCQUNyRCxhQUFhLEVBQUUsT0FBTztnQkFDdEIsaUJBQWlCLEVBQUUsY0FBYyxDQUFDLFVBQVU7YUFDN0MsQ0FBQyxDQUFDO1lBRUgsTUFBTSxPQUFPLEdBQUcsSUFBSSxPQUFPLENBQUM7Z0JBQzFCLE9BQU8sRUFBRSxJQUFJLE1BQU0sQ0FBQztvQkFDbEIsYUFBYSxFQUFFLElBQUksbUJBQW1CLENBQUM7d0JBQ3JDLFNBQVMsRUFBRSxNQUFNLENBQUMsYUFBYSxDQUFDLFdBQVc7cUJBQzVDLENBQUM7b0JBQ0YsY0FBYyxFQUFFLElBQUksV0FBVyxFQUFFLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxjQUFjLENBQUM7b0JBQ2hFLGFBQWEsRUFBRSxJQUFJLFdBQVcsRUFBRSxDQUFDLE9BQU8sQ0FBQyxNQUFNLENBQUMsYUFBYSxDQUFDO29CQUM5RCxZQUFZLEVBQUUsTUFBTSxDQUFDLFlBQVksQ0FBQyxVQUFVLENBQUMsUUFBUTtpQkFDdEQsQ0FBQzthQUNILENBQUMsQ0FBQztZQUVILE1BQU0saUJBQWlCLEdBQUcsVUFBVSxDQUFDLHdCQUF3QixDQUMzRCxjQUFjLENBQUMsSUFBSSxFQUNuQixXQUFXLENBQ1osQ0FBQztZQUNGLElBQUksaUJBQWlCLENBQUMsTUFBTSxFQUFFLENBQUM7Z0JBQzdCLE9BQU8sQ0FBQyx1QkFBdUIsR0FBRyxJQUFJLFVBQVUsQ0FDOUMsaUJBQWlCLENBQUMsR0FBRyxDQUNuQixDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsSUFBSSxTQUFTLENBQUMsRUFBRSxNQUFNLEVBQUUsR0FBRyxDQUFDLEdBQUcsRUFBRSxTQUFTLEVBQUUsSUFBSSxXQUFXLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsQ0FDbkYsQ0FDRixDQUFDO1lBQ0osQ0FBQztZQUVELFdBQVcsQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDNUIsQ0FBQztRQUVELE1BQU0sUUFBUSxHQUFHLFVBQVUsQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO1FBQ2pELE1BQU0sT0FBTyxHQUFHLElBQUksV0FBVyxDQUFDO1lBQzlCLFVBQVUsRUFBRSxJQUFJLFVBQVUsQ0FBQztnQkFDekIsV0FBVztnQkFDWCxpQkFBaUIsRUFBRSxJQUFJLFVBQVUsQ0FBQztvQkFDaEMsSUFBSSxTQUFTLENBQUM7d0JBQ1osTUFBTSxFQUFFLFNBQVMsQ0FBQyxjQUFjO3dCQUNoQyxTQUFTLEVBQUUsSUFBSSxXQUFXLENBQUMsUUFBUSxDQUFDO3FCQUNyQyxDQUFDO2lCQUNILENBQUM7YUFDSCxDQUFDO1NBQ0gsQ0FBQyxDQUFDO1FBRUgsTUFBTSxhQUFhLEdBQUcsTUFBTSxVQUFVLENBQUMsZUFBZSxDQUFDLE9BQU8sRUFBRSxPQUFPLENBQUMsQ0FBQztRQUV6RSxNQUFNLFNBQVMsR0FBRyxNQUFNLFVBQVUsQ0FBQyxvQkFBb0IsQ0FBQyxhQUFhLENBQUMsQ0FBQztRQUN2RSxJQUFJLFNBQVMsSUFBSSxNQUFNLENBQUMsT0FBTyxDQUFDLFFBQVEsRUFBRSxTQUFTLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUMzRCxNQUFNLElBQUksS0FBSyxDQUFDLG9EQUFvRCxDQUFDLENBQUM7UUFDeEUsQ0FBQztRQUVELElBQUksQ0FBQyxhQUFhLENBQUMsS0FBSyxFQUFFLE1BQU0sRUFBRSxDQUFDO1lBQ2pDLGFBQWEsQ0FBQyxLQUFLLEdBQUcsa0JBQWtCLENBQUM7UUFDM0MsQ0FBQztRQUVELE1BQU0sc0JBQXNCLEdBQUcsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUM5QyxhQUFhLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxLQUFLLEVBQUUsSUFBSSxFQUFFLEVBQUU7WUFDckMsSUFBSSxhQUFhLEdBQUcsSUFBSSxDQUFDLFVBQVU7Z0JBQ2pDLEVBQUUsSUFBSSxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsTUFBTSxLQUFLLEtBQUssQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLHNCQUFzQixDQUFDLENBQUM7Z0JBQ3RFLEVBQUUsV0FBVyxDQUFDLFVBQVUsQ0FBQyxLQUFLLEVBQTZCLENBQUM7WUFDOUQsSUFBSSxDQUFDLGFBQWEsRUFBRSxDQUFDO2dCQUNuQixhQUFhLEdBQUcsTUFBTSxJQUFJLENBQUMsVUFBVSxFQUFFLENBQUM7WUFDMUMsQ0FBQztZQUVELE9BQU87Z0JBQ0wsSUFBSTtnQkFDSixhQUFhLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxhQUFhLENBQUM7YUFDMUMsQ0FBQztRQUNKLENBQUMsQ0FBQyxDQUNILENBQUM7UUFFRixNQUFNLE9BQU8sR0FBRyxzQkFBc0IsQ0FBQyxNQUFNLENBQzNDLENBQUMsRUFBRSxJQUFJLEVBQUUsYUFBYSxFQUFFLEVBQUUsRUFBRSxDQUMxQixJQUFJLENBQUMsT0FBTyxDQUFDLE9BQU8sQ0FBQyxhQUFhLENBQUMsZUFBZSxDQUFDLFdBQVcsQ0FBQztZQUMvRCxDQUFDLGFBQWEsQ0FBQyxlQUFlLEVBQUUsV0FBVyxFQUFFLFVBQVU7Z0JBQ3JELE1BQU0sQ0FBQyxPQUFPLENBQ1osYUFBYSxFQUNiLE1BQU0sQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLGVBQWUsRUFBRSxXQUFXLEVBQUUsVUFBVSxFQUFFLEtBQUssRUFBRSxDQUFDLENBQzdFLEtBQUssQ0FBQyxDQUFDLENBQ2IsQ0FBQztRQUNGLElBQUksQ0FBQyxPQUFPLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDcEIsTUFBTSxJQUFJLEtBQUssQ0FBQyxrQ0FBa0MsQ0FBQyxDQUFDO1FBQ3RELENBQUM7UUFDRCxJQUFJLE9BQU8sQ0FBQyxNQUFNLEdBQUcsQ0FBQyxFQUFFLENBQUM7WUFDdkIsTUFBTSxJQUFJLEtBQUssQ0FBQywyQ0FBMkMsQ0FBQyxDQUFDO1FBQy9ELENBQUM7UUFFRCxNQUFNLFdBQVcsR0FBRyxrQkFBa0IsQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQyxFQUFFO1lBQzVELEdBQUcsYUFBYSxDQUFDLEtBQUs7WUFDdEIsR0FBRyxrQkFBa0I7U0FDdEIsQ0FBQyxDQUFDO1FBQ0gsYUFBYSxDQUFDLEtBQUssR0FBRyxXQUFXLENBQUMsR0FBRyxDQUFDLENBQUMsc0JBQXNCLEVBQUUsRUFBRSxDQUFDLHNCQUFzQixDQUFDLElBQUksQ0FBQyxDQUFDO1FBRS9GLE1BQU0sYUFBYSxHQUFHLFVBQVUsQ0FBQyx1QkFBdUIsQ0FDdEQsT0FBTyxDQUFDLENBQUMsQ0FBQyxDQUFDLElBQUksRUFDZixNQUFNLENBQUMsZUFBZSxDQUN2QixDQUFDO1FBQ0YsSUFBSSxDQUFDLGFBQWEsRUFBRSxDQUFDO1lBQ25CLE1BQU0sSUFBSSxLQUFLLENBQUMsMkVBQTJFLENBQUMsQ0FBQztRQUMvRixDQUFDO1FBRUQsTUFBTSxPQUFPLEdBQUcsTUFBTSxhQUFhLENBQUMsTUFBTSxDQUFDLEVBQUUsWUFBWSxFQUFFLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFDakUsSUFBSSxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ2IsTUFBTSxJQUFJLEtBQUssQ0FBQyxtQ0FBbUMsQ0FBQyxDQUFDO1FBQ3ZELENBQUM7UUFFRCxPQUFPLGFBQWEsQ0FBQztJQUN2QixDQUFDO0lBRU8sTUFBTSxDQUFDLEtBQUssQ0FBQyxlQUFlLENBQ2xDLE9BQWUsRUFDZixPQUFvQjtRQUVwQixNQUFNLFlBQVksR0FBRyxNQUFNLGVBQWUsQ0FBQztZQUN6QyxPQUFPLEVBQUUsS0FBSyxJQUFJLEVBQUUsQ0FDbEIsTUFBTSxLQUFLLENBQUMsT0FBTyxFQUFFO2dCQUNuQixNQUFNLEVBQUUsTUFBTTtnQkFDZCxPQUFPLEVBQUU7b0JBQ1AsY0FBYyxFQUFFLDBCQUEwQjtpQkFDM0M7Z0JBQ0QsWUFBWSxFQUFFLGFBQWE7Z0JBQzNCLElBQUksRUFBRSxhQUFhLENBQUMsU0FBUyxDQUFDLE9BQU8sQ0FBQzthQUN2QyxDQUFDO1lBQ0osYUFBYSxFQUFFLElBQUk7WUFDbkIsUUFBUSxFQUFFLENBQUM7U0FDWixDQUFDLENBQUM7UUFFSCxNQUFNLGFBQWEsR0FBRyxLQUFLLENBQUMsWUFBWSxDQUFDLE9BQU8sQ0FBQyxZQUFZLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDcEUsSUFBSSxDQUFDLGFBQWEsQ0FBQyxhQUFhLEVBQUUsQ0FBQztZQUNqQyxNQUFNLElBQUksS0FBSyxDQUFDLDhEQUE4RCxDQUFDLENBQUM7UUFDbEYsQ0FBQztRQUVELE1BQU0sYUFBYSxHQUFHLEtBQUssQ0FBQyxpQkFBaUIsQ0FBQyxPQUFPLENBQ25ELGFBQWEsQ0FBQyxhQUFhLENBQUMsUUFBUSxDQUFDLFVBQVUsQ0FBQyxZQUFZLENBQzdELENBQUM7UUFFRixPQUFPLGFBQWEsQ0FBQztJQUN2QixDQUFDO0lBRU8sTUFBTSxDQUFDLGtCQUFrQjtRQUMvQixPQUFPLEtBQUssQ0FBQyxlQUFlLENBQUMsSUFBSSxVQUFVLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQztJQUNuRCxDQUFDO0lBRU8sTUFBTSxDQUFDLG9CQUFvQixDQUFDLGFBQXNDO1FBQ3hFLE1BQU0sY0FBYyxHQUFHLGFBQWEsQ0FBQyxlQUFlLEVBQUUsa0JBQWtCLEVBQUUsSUFBSSxDQUM1RSxDQUFDLFNBQVMsRUFBRSxFQUFFLENBQUMsU0FBUyxDQUFDLE1BQU0sS0FBSyxTQUFTLENBQUMsY0FBYyxDQUM3RCxDQUFDO1FBQ0YsT0FBTyxjQUFjLElBQUksTUFBTSxDQUFDLElBQUksQ0FBQyxjQUFjLENBQUMsU0FBUyxDQUFDLFVBQVUsQ0FBQyxRQUFRLENBQUMsQ0FBQztJQUNyRixDQUFDO0lBRU8sTUFBTSxDQUFDLHdCQUF3QixDQUNyQyxJQUF1QixFQUN2QixXQUFxQjtRQUVyQixPQUFPLFdBQVc7YUFDZixHQUFHLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRTtZQUNYLE1BQU0sS0FBSyxHQUFHLGtCQUFrQixDQUFDLGlCQUFpQixDQUFDLElBQUksRUFBRSxHQUFHLENBQUMsQ0FBQztZQUU5RCxPQUFPLEVBQUUsR0FBRyxFQUFFLEtBQUssRUFBRSxDQUFDO1FBQ3hCLENBQUMsQ0FBQzthQUNELE1BQU0sQ0FBQyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsQ0FBc0IsQ0FBQztJQUM5RCxDQUFDO0NBQ0YifQ==

package/dist/mjs/certificates/serializer.d.ts

@@ -0,0 +1,13 @@
+import { BufferedChunkedX509Cert } from './types.js';
+import { ChunkedX509Cert } from '@super-protocol/dto-js';
+export declare const BLOCKCHAIN_CERT_TBS_PARTS: string[];
+export declare class CertificateSerializer {
+    static serializeCertChain(certChainPem: string): string;
+    static deserializeCertChain(input: string): string;
+    static isSerializedCertChain(certChainBase64: string): boolean;
+    static serializeForBlockchain(certPem: string): ChunkedX509Cert;
+    static deserializeFromBlockchain(blockchainCert: ChunkedX509Cert): string;
+    private static removeLeadingZerosIfNeeded;
+    private static getPart;
+    static chunkedToBufferedChunkedX509Cert(blockchainCert: ChunkedX509Cert): BufferedChunkedX509Cert;
+}

package/dist/mjs/certificates/serializer.js

@@ -0,0 +1,135 @@
+import forge from 'node-forge';
+import _ from 'lodash';
+import { CertificateBinarySplitter, CertificateNonOidParts } from './binary-splitter.js';
+import { CertificatesHelper } from './helper.js';
+import { OID_CUSTOM_EXTENSION_USER_DATA } from '../constants.js';
+import { OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID, OID_CUSTOM_EXTENSION_CHALLENGE_ID, } from '@super-protocol/pki-common';
+import { fromBlockchainHex, fromBlockchainHexOptional, toBlockchainHex } from '../utils/helper.js';
+const CERTS_CHAIN_DELIMITER = ';';
+const CERTS_SERIALIZATION_PREFIX = 'certs:';
+export const BLOCKCHAIN_CERT_TBS_PARTS = [
+    'serialNumber',
+    'expirationDate',
+    'publicKey',
+    'ca',
+    'userData',
+    'mrEnclave',
+    'mrSigner',
+];
+export class CertificateSerializer {
+    static serializeCertChain(certChainPem) {
+        const certsDer = CertificatesHelper.pemChainToDer(certChainPem);
+        return `${CERTS_SERIALIZATION_PREFIX}${certsDer.map((cert) => Buffer.from(cert).toString('base64')).join(CERTS_CHAIN_DELIMITER)}`;
+    }
+    static deserializeCertChain(input) {
+        if (!input.startsWith(CERTS_SERIALIZATION_PREFIX)) {
+            throw new Error(`Missing prefix "${CERTS_SERIALIZATION_PREFIX}" in input`);
+        }
+        const certsDer = input
+            .split(CERTS_SERIALIZATION_PREFIX)[1]
+            ?.split(CERTS_CHAIN_DELIMITER)
+            ?.map((cert) => Buffer.from(cert, 'base64'));
+        return CertificatesHelper.derChainToPem(certsDer);
+    }
+    static isSerializedCertChain(certChainBase64) {
+        return certChainBase64.startsWith(CERTS_SERIALIZATION_PREFIX);
+    }
+    static serializeForBlockchain(certPem) {
+        const certAlgorithm = CertificatesHelper.getCertPublicKeyAlgorithm(certPem);
+        if (certAlgorithm.name !== 'ECDSA' || certAlgorithm.namedCurve !== 'K-256') {
+            throw new Error(`Unsupported certificate algorithm: ${certAlgorithm.name}${certAlgorithm.namedCurve ? `with curve ${certAlgorithm.namedCurve}` : ''}. Only ECDSA with secp256k1 curve is supported.`);
+        }
+        const certDer = CertificatesHelper.pemToDer(certPem);
+        const parts = new CertificateBinarySplitter(certDer).split([
+            CertificateNonOidParts.SERIAL_NUMBER,
+            CertificateNonOidParts.SIGNATURE,
+            CertificateNonOidParts.NOT_AFTER,
+            CertificateNonOidParts.SUBJECT_PUBLIC_KEY_INFO,
+        ], [
+            forge.pki.oids['basicConstraints'],
+            OID_CUSTOM_EXTENSION_USER_DATA,
+            OID_CUSTOM_EXTENSION_CHALLENGE_ID,
+            OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID,
+        ]);
+        const [nonSerializedParts, serializedParts] = _.partition(parts, (part) => part instanceof Uint8Array);
+        const expirationDate = CertificateSerializer.getPart(serializedParts, 'notAfter');
+        const serial = CertificateSerializer.getPart(serializedParts, 'serialNumber');
+        const publicKey = CertificateSerializer.getPart(serializedParts, 'publicKey');
+        const ca = CertificateSerializer.getPart(serializedParts, forge.pki.oids['basicConstraints']);
+        const userData = CertificateSerializer.getPart(serializedParts, OID_CUSTOM_EXTENSION_USER_DATA, false);
+        const mrEnclave = CertificateSerializer.getPart(serializedParts, OID_CUSTOM_EXTENSION_CHALLENGE_ID, false);
+        const mrSigner = CertificateSerializer.getPart(serializedParts, OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID, false);
+        const signature = CertificateSerializer.getPart(serializedParts, 'signature');
+        if (serializedParts.length !== 0) {
+            throw new Error(`Unexpected serialized parts found in certificate: ${serializedParts.map((part) => part.name || part.oid).join(', ')}`);
+        }
+        return {
+            nonSerializedParts: nonSerializedParts.map(toBlockchainHex),
+            expirationDate: toBlockchainHex(expirationDate.value),
+            ca: toBlockchainHex(ca.value),
+            userData: toBlockchainHex(userData?.value),
+            serialNumber: toBlockchainHex(serial.value),
+            signature: toBlockchainHex(signature.value),
+            publicKey: toBlockchainHex(publicKey.value),
+            mrEnclave: toBlockchainHex(mrEnclave?.value),
+            mrSigner: toBlockchainHex(mrSigner?.value),
+        };
+    }
+    static deserializeFromBlockchain(blockchainCert) {
+        const data = CertificateSerializer.chunkedToBufferedChunkedX509Cert(blockchainCert);
+        const bufferParts = [];
+        bufferParts.push(Buffer.from(data.nonSerializedParts[0]));
+        bufferParts.push(Buffer.from(data.nonSerializedParts[1]));
+        let partIndex = 2;
+        for (const field of BLOCKCHAIN_CERT_TBS_PARTS) {
+            const value = data[field];
+            if (value) {
+                bufferParts.push(Buffer.from(value));
+                if (partIndex < data.nonSerializedParts.length) {
+                    bufferParts.push(Buffer.from(data.nonSerializedParts[partIndex++]));
+                }
+            }
+        }
+        // adding signature part
+        // we need to left exactly one non-serialized part (bytes r and s values)
+        for (; partIndex < data.nonSerializedParts.length - 1; partIndex++) {
+            bufferParts.push(Buffer.from(data.nonSerializedParts[partIndex]));
+        }
+        const rValue = data.signature.slice(0, 32);
+        bufferParts.push(Buffer.from(CertificateSerializer.removeLeadingZerosIfNeeded(rValue)));
+        if (partIndex < data.nonSerializedParts.length) {
+            bufferParts.push(Buffer.from(data.nonSerializedParts[partIndex++]));
+        }
+        const sValue = data.signature.slice(32, 64);
+        bufferParts.push(Buffer.from(CertificateSerializer.removeLeadingZerosIfNeeded(sValue)));
+        const certDer = Buffer.concat(bufferParts);
+        return CertificatesHelper.derToPem(certDer);
+    }
+    static removeLeadingZerosIfNeeded(value) {
+        if (value[0] !== 0 || (value[0] === 0 && value[1] > 127)) {
+            return value;
+        }
+        return value.slice(1);
+    }
+    static getPart(parts, nameOrOid, mandatory = true) {
+        const part = _.remove(parts, (part) => part.name === nameOrOid || part.oid === nameOrOid)[0];
+        if (!part && mandatory) {
+            throw new Error(`Part with name or OID "${nameOrOid}" not found in certificate`);
+        }
+        return part;
+    }
+    static chunkedToBufferedChunkedX509Cert(blockchainCert) {
+        return {
+            nonSerializedParts: blockchainCert.nonSerializedParts.map((part) => fromBlockchainHex(part)),
+            expirationDate: fromBlockchainHex(blockchainCert.expirationDate),
+            ca: fromBlockchainHex(blockchainCert.ca),
+            userData: fromBlockchainHexOptional(blockchainCert.userData),
+            publicKey: fromBlockchainHex(blockchainCert.publicKey),
+            serialNumber: fromBlockchainHex(blockchainCert.serialNumber),
+            mrEnclave: fromBlockchainHexOptional(blockchainCert.mrEnclave),
+            mrSigner: fromBlockchainHexOptional(blockchainCert.mrSigner),
+            signature: fromBlockchainHex(blockchainCert.signature),
+        };
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2VyaWFsaXplci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jZXJ0aWZpY2F0ZXMvc2VyaWFsaXplci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEtBQUssTUFBTSxZQUFZLENBQUM7QUFDL0IsT0FBTyxDQUFDLE1BQU0sUUFBUSxDQUFDO0FBQ3ZCLE9BQU8sRUFBRSx5QkFBeUIsRUFBRSxzQkFBc0IsRUFBRSxNQUFNLHNCQUFzQixDQUFDO0FBQ3pGLE9BQU8sRUFBRSxrQkFBa0IsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUNqRCxPQUFPLEVBQUUsOEJBQThCLEVBQUUsTUFBTSxpQkFBaUIsQ0FBQztBQUNqRSxPQUFPLEVBQ0wsd0NBQXdDLEVBQ3hDLGlDQUFpQyxHQUNsQyxNQUFNLDRCQUE0QixDQUFDO0FBR3BDLE9BQU8sRUFBRSxpQkFBaUIsRUFBRSx5QkFBeUIsRUFBRSxlQUFlLEVBQUUsTUFBTSxvQkFBb0IsQ0FBQztBQUVuRyxNQUFNLHFCQUFxQixHQUFHLEdBQUcsQ0FBQztBQUNsQyxNQUFNLDBCQUEwQixHQUFHLFFBQVEsQ0FBQztBQUU1QyxNQUFNLENBQUMsTUFBTSx5QkFBeUIsR0FBRztJQUN2QyxjQUFjO0lBQ2QsZ0JBQWdCO0lBQ2hCLFdBQVc7SUFDWCxJQUFJO0lBQ0osVUFBVTtJQUNWLFdBQVc7SUFDWCxVQUFVO0NBQ1gsQ0FBQztBQUVGLE1BQU0sT0FBTyxxQkFBcUI7SUFDaEMsTUFBTSxDQUFDLGtCQUFrQixDQUFDLFlBQW9CO1FBQzVDLE1BQU0sUUFBUSxHQUFHLGtCQUFrQixDQUFDLGFBQWEsQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUVoRSxPQUFPLEdBQUcsMEJBQTBCLEdBQUcsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMscUJBQXFCLENBQUMsRUFBRSxDQUFDO0lBQ3BJLENBQUM7SUFFRCxNQUFNLENBQUMsb0JBQW9CLENBQUMsS0FBYTtRQUN2QyxJQUFJLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FBQywwQkFBMEIsQ0FBQyxFQUFFLENBQUM7WUFDbEQsTUFBTSxJQUFJLEtBQUssQ0FBQyxtQkFBbUIsMEJBQTBCLFlBQVksQ0FBQyxDQUFDO1FBQzdFLENBQUM7UUFFRCxNQUFNLFFBQVEsR0FBRyxLQUFLO2FBQ25CLEtBQUssQ0FBQywwQkFBMEIsQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUNyQyxFQUFFLEtBQUssQ0FBQyxxQkFBcUIsQ0FBQztZQUM5QixFQUFFLEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLEVBQUUsUUFBUSxDQUFDLENBQUMsQ0FBQztRQUMvQyxPQUFPLGtCQUFrQixDQUFDLGFBQWEsQ0FBQyxRQUFRLENBQUMsQ0FBQztJQUNwRCxDQUFDO0lBRUQsTUFBTSxDQUFDLHFCQUFxQixDQUFDLGVBQXVCO1FBQ2xELE9BQU8sZUFBZSxDQUFDLFVBQVUsQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO0lBQ2hFLENBQUM7SUFFRCxNQUFNLENBQUMsc0JBQXNCLENBQUMsT0FBZTtRQUMzQyxNQUFNLGFBQWEsR0FBRyxrQkFBa0IsQ0FBQyx5QkFBeUIsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUM1RSxJQUFJLGFBQWEsQ0FBQyxJQUFJLEtBQUssT0FBTyxJQUFJLGFBQWEsQ0FBQyxVQUFVLEtBQUssT0FBTyxFQUFFLENBQUM7WUFDM0UsTUFBTSxJQUFJLEtBQUssQ0FDYixzQ0FBc0MsYUFBYSxDQUFDLElBQUksR0FBRyxhQUFhLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQyxjQUFjLGFBQWEsQ0FBQyxVQUFVLEVBQUUsQ0FBQyxDQUFDLENBQUMsRUFBRSxpREFBaUQsQ0FDckwsQ0FBQztRQUNKLENBQUM7UUFFRCxNQUFNLE9BQU8sR0FBRyxrQkFBa0IsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUM7UUFFckQsTUFBTSxLQUFLLEdBQUcsSUFBSSx5QkFBeUIsQ0FBQyxPQUFPLENBQUMsQ0FBQyxLQUFLLENBQ3hEO1lBQ0Usc0JBQXNCLENBQUMsYUFBYTtZQUNwQyxzQkFBc0IsQ0FBQyxTQUFTO1lBQ2hDLHNCQUFzQixDQUFDLFNBQVM7WUFDaEMsc0JBQXNCLENBQUMsdUJBQXVCO1NBQy9DLEVBQ0Q7WUFDRSxLQUFLLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxrQkFBa0IsQ0FBQztZQUNsQyw4QkFBOEI7WUFDOUIsaUNBQWlDO1lBQ2pDLHdDQUF3QztTQUN6QyxDQUNGLENBQUM7UUFFRixNQUFNLENBQUMsa0JBQWtCLEVBQUUsZUFBZSxDQUFDLEdBQUcsQ0FBQyxDQUFDLFNBQVMsQ0FDdkQsS0FBSyxFQUNMLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxJQUFJLFlBQVksVUFBVSxDQUNELENBQUM7UUFFdEMsTUFBTSxjQUFjLEdBQUcscUJBQXFCLENBQUMsT0FBTyxDQUFDLGVBQWUsRUFBRSxVQUFVLENBQUMsQ0FBQztRQUNsRixNQUFNLE1BQU0sR0FBRyxxQkFBcUIsQ0FBQyxPQUFPLENBQUMsZUFBZSxFQUFFLGNBQWMsQ0FBQyxDQUFDO1FBQzlFLE1BQU0sU0FBUyxHQUFHLHFCQUFxQixDQUFDLE9BQU8sQ0FBQyxlQUFlLEVBQUUsV0FBVyxDQUFDLENBQUM7UUFDOUUsTUFBTSxFQUFFLEdBQUcscUJBQXFCLENBQUMsT0FBTyxDQUFDLGVBQWUsRUFBRSxLQUFLLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDLENBQUM7UUFDOUYsTUFBTSxRQUFRLEdBQUcscUJBQXFCLENBQUMsT0FBTyxDQUM1QyxlQUFlLEVBQ2YsOEJBQThCLEVBQzlCLEtBQUssQ0FDTixDQUFDO1FBQ0YsTUFBTSxTQUFTLEdBQUcscUJBQXFCLENBQUMsT0FBTyxDQUM3QyxlQUFlLEVBQ2YsaUNBQWlDLEVBQ2pDLEtBQUssQ0FDTixDQUFDO1FBQ0YsTUFBTSxRQUFRLEdBQUcscUJBQXFCLENBQUMsT0FBTyxDQUM1QyxlQUFlLEVBQ2Ysd0NBQXdDLEVBQ3hDLEtBQUssQ0FDTixDQUFDO1FBQ0YsTUFBTSxTQUFTLEdBQUcscUJBQXFCLENBQUMsT0FBTyxDQUFDLGVBQWUsRUFBRSxXQUFXLENBQUMsQ0FBQztRQUU5RSxJQUFJLGVBQWUsQ0FBQyxNQUFNLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDakMsTUFBTSxJQUFJLEtBQUssQ0FDYixxREFBcUQsZUFBZSxDQUFDLEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsSUFBSSxDQUFDLElBQUksSUFBSSxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxFQUFFLENBQ3ZILENBQUM7UUFDSixDQUFDO1FBRUQsT0FBTztZQUNMLGtCQUFrQixFQUFFLGtCQUFrQixDQUFDLEdBQUcsQ0FBQyxlQUFlLENBQUM7WUFDM0QsY0FBYyxFQUFFLGVBQWUsQ0FBQyxjQUFjLENBQUMsS0FBSyxDQUFDO1lBQ3JELEVBQUUsRUFBRSxlQUFlLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FBQztZQUM3QixRQUFRLEVBQUUsZUFBZSxDQUFDLFFBQVEsRUFBRSxLQUFLLENBQUM7WUFDMUMsWUFBWSxFQUFFLGVBQWUsQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDO1lBQzNDLFNBQVMsRUFBRSxlQUFlLENBQUMsU0FBUyxDQUFDLEtBQUssQ0FBQztZQUMzQyxTQUFTLEVBQUUsZUFBZSxDQUFDLFNBQVMsQ0FBQyxLQUFLLENBQUM7WUFDM0MsU0FBUyxFQUFFLGVBQWUsQ0FBQyxTQUFTLEVBQUUsS0FBSyxDQUFDO1lBQzVDLFFBQVEsRUFBRSxlQUFlLENBQUMsUUFBUSxFQUFFLEtBQUssQ0FBQztTQUMzQyxDQUFDO0lBQ0osQ0FBQztJQUVELE1BQU0sQ0FBQyx5QkFBeUIsQ0FBQyxjQUErQjtRQUM5RCxNQUFNLElBQUksR0FBRyxxQkFBcUIsQ0FBQyxnQ0FBZ0MsQ0FBQyxjQUFjLENBQUMsQ0FBQztRQUVwRixNQUFNLFdBQVcsR0FBYSxFQUFFLENBQUM7UUFFakMsV0FBVyxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDMUQsV0FBVyxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFFMUQsSUFBSSxTQUFTLEdBQUcsQ0FBQyxDQUFDO1FBRWxCLEtBQUssTUFBTSxLQUFLLElBQUkseUJBQXlCLEVBQUUsQ0FBQztZQUM5QyxNQUFNLEtBQUssR0FBRyxJQUFJLENBQUMsS0FBMEIsQ0FBQyxDQUFDO1lBQy9DLElBQUksS0FBSyxFQUFFLENBQUM7Z0JBQ1YsV0FBVyxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLEtBQW1CLENBQUMsQ0FBQyxDQUFDO2dCQUNuRCxJQUFJLFNBQVMsR0FBRyxJQUFJLENBQUMsa0JBQWtCLENBQUMsTUFBTSxFQUFFLENBQUM7b0JBQy9DLFdBQVcsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsa0JBQWtCLENBQUMsU0FBUyxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBQ3RFLENBQUM7WUFDSCxDQUFDO1FBQ0gsQ0FBQztRQUVELHdCQUF3QjtRQUN4Qix5RUFBeUU7UUFDekUsT0FBTyxTQUFTLEdBQUcsSUFBSSxDQUFDLGtCQUFrQixDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsU0FBUyxFQUFFLEVBQUUsQ0FBQztZQUNuRSxXQUFXLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLGtCQUFrQixDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNwRSxDQUFDO1FBRUQsTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLFNBQVMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDO1FBQzNDLFdBQVcsQ0FBQyxJQUFJLENBQ2QsTUFBTSxDQUFDLElBQUksQ0FBQyxxQkFBcUIsQ0FBQywwQkFBMEIsQ0FBQyxNQUFvQixDQUFDLENBQUMsQ0FDcEYsQ0FBQztRQUNGLElBQUksU0FBUyxHQUFHLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUMvQyxXQUFXLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLGtCQUFrQixDQUFDLFNBQVMsRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ3RFLENBQUM7UUFDRCxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsU0FBUyxDQUFDLEtBQUssQ0FBQyxFQUFFLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFDNUMsV0FBVyxDQUFDLElBQUksQ0FDZCxNQUFNLENBQUMsSUFBSSxDQUFDLHFCQUFxQixDQUFDLDBCQUEwQixDQUFDLE1BQW9CLENBQUMsQ0FBQyxDQUNwRixDQUFDO1FBRUYsTUFBTSxPQUFPLEdBQUcsTUFBTSxDQUFDLE1BQU0sQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUMzQyxPQUFPLGtCQUFrQixDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUM5QyxDQUFDO0lBRU8sTUFBTSxDQUFDLDBCQUEwQixDQUFDLEtBQWlCO1FBQ3pELElBQUksS0FBSyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLElBQUksS0FBSyxDQUFDLENBQUMsQ0FBQyxHQUFHLEdBQUcsQ0FBQyxFQUFFLENBQUM7WUFDekQsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDO1FBRUQsT0FBTyxLQUFLLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDO0lBQ3hCLENBQUM7SUFFTyxNQUFNLENBQUMsT0FBTyxDQUNwQixLQUF1QixFQUN2QixTQUFpQixFQUNqQixTQUFTLEdBQUcsSUFBSTtRQUVoQixNQUFNLElBQUksR0FBRyxDQUFDLENBQUMsTUFBTSxDQUFDLEtBQUssRUFBRSxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsSUFBSSxDQUFDLElBQUksS0FBSyxTQUFTLElBQUksSUFBSSxDQUFDLEdBQUcsS0FBSyxTQUFTLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUM3RixJQUFJLENBQUMsSUFBSSxJQUFJLFNBQVMsRUFBRSxDQUFDO1lBQ3ZCLE1BQU0sSUFBSSxLQUFLLENBQUMsMEJBQTBCLFNBQVMsNEJBQTRCLENBQUMsQ0FBQztRQUNuRixDQUFDO1FBRUQsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0lBRUQsTUFBTSxDQUFDLGdDQUFnQyxDQUNyQyxjQUErQjtRQUUvQixPQUFPO1lBQ0wsa0JBQWtCLEVBQUUsY0FBYyxDQUFDLGtCQUFrQixDQUFDLEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsaUJBQWlCLENBQUMsSUFBSSxDQUFDLENBQUM7WUFDNUYsY0FBYyxFQUFFLGlCQUFpQixDQUFDLGNBQWMsQ0FBQyxjQUFjLENBQUM7WUFDaEUsRUFBRSxFQUFFLGlCQUFpQixDQUFDLGNBQWMsQ0FBQyxFQUFFLENBQUM7WUFDeEMsUUFBUSxFQUFFLHlCQUF5QixDQUFDLGNBQWMsQ0FBQyxRQUFRLENBQUM7WUFDNUQsU0FBUyxFQUFFLGlCQUFpQixDQUFDLGNBQWMsQ0FBQyxTQUFTLENBQUM7WUFDdEQsWUFBWSxFQUFFLGlCQUFpQixDQUFDLGNBQWMsQ0FBQyxZQUFZLENBQUM7WUFDNUQsU0FBUyxFQUFFLHlCQUF5QixDQUFDLGNBQWMsQ0FBQyxTQUFTLENBQUM7WUFDOUQsUUFBUSxFQUFFLHlCQUF5QixDQUFDLGNBQWMsQ0FBQyxRQUFRLENBQUM7WUFDNUQsU0FBUyxFQUFFLGlCQUFpQixDQUFDLGNBQWMsQ0FBQyxTQUFTLENBQUM7U0FDdkQsQ0FBQztJQUNKLENBQUM7Q0FDRiJ9

package/dist/mjs/certificates/setup-crypto.d.ts

@@ -0,0 +1,3 @@
+import * as webcrypto from '@peculiar/webcrypto';
+declare const cryptoProvider: webcrypto.Crypto;
+export { cryptoProvider };

package/dist/mjs/certificates/setup-crypto.js

@@ -0,0 +1,22 @@
+import * as x509 from '@peculiar/x509';
+import * as webcrypto from '@peculiar/webcrypto';
+import * as pkijs from 'pkijs';
+const cryptoProvider = new webcrypto.Crypto();
+x509.cryptoProvider.set(cryptoProvider);
+pkijs.setEngine('Node', new pkijs.CryptoEngine({ name: 'Node', crypto: cryptoProvider }));
+pkijs.ECNamedCurves.register('K-256', '1.3.132.0.10', 32);
+const originGetAlgorithmByOIDFn = pkijs.CryptoEngine.prototype.getAlgorithmByOID;
+function getAlgorithmByOID(oid, safety, target) {
+    if (oid === '1.3.132.0.10') {
+        return {
+            name: 'K-256',
+        };
+    }
+    return originGetAlgorithmByOIDFn(oid, safety, target);
+}
+pkijs.CryptoEngine.prototype.getAlgorithmByOID = getAlgorithmByOID;
+x509.PemConverter.isPem = (data) => {
+    return typeof data === 'string' && data.startsWith('-----BEGIN');
+};
+export { cryptoProvider };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2V0dXAtY3J5cHRvLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2NlcnRpZmljYXRlcy9zZXR1cC1jcnlwdG8udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxLQUFLLElBQUksTUFBTSxnQkFBZ0IsQ0FBQztBQUN2QyxPQUFPLEtBQUssU0FBUyxNQUFNLHFCQUFxQixDQUFDO0FBQ2pELE9BQU8sS0FBSyxLQUFLLE1BQU0sT0FBTyxDQUFDO0FBRS9CLE1BQU0sY0FBYyxHQUFHLElBQUksU0FBUyxDQUFDLE1BQU0sRUFBRSxDQUFDO0FBRTlDLElBQUksQ0FBQyxjQUFjLENBQUMsR0FBRyxDQUFDLGNBQWMsQ0FBQyxDQUFDO0FBRXhDLEtBQUssQ0FBQyxTQUFTLENBQUMsTUFBTSxFQUFFLElBQUksS0FBSyxDQUFDLFlBQVksQ0FBQyxFQUFFLElBQUksRUFBRSxNQUFNLEVBQUUsTUFBTSxFQUFFLGNBQWMsRUFBRSxDQUFDLENBQUMsQ0FBQztBQUUxRixLQUFLLENBQUMsYUFBYSxDQUFDLFFBQVEsQ0FBQyxPQUFPLEVBQUUsY0FBYyxFQUFFLEVBQUUsQ0FBQyxDQUFDO0FBRTFELE1BQU0seUJBQXlCLEdBQUcsS0FBSyxDQUFDLFlBQVksQ0FBQyxTQUFTLENBQUMsaUJBQWlCLENBQUM7QUFDakYsU0FBUyxpQkFBaUIsQ0FBQyxHQUFXLEVBQUUsTUFBZ0IsRUFBRSxNQUFlO0lBQ3ZFLElBQUksR0FBRyxLQUFLLGNBQWMsRUFBRSxDQUFDO1FBQzNCLE9BQU87WUFDTCxJQUFJLEVBQUUsT0FBTztTQUNkLENBQUM7SUFDSixDQUFDO0lBRUQsT0FBTyx5QkFBeUIsQ0FBQyxHQUFHLEVBQUUsTUFBTSxFQUFFLE1BQU0sQ0FBQyxDQUFDO0FBQ3hELENBQUM7QUFDRCxLQUFLLENBQUMsWUFBWSxDQUFDLFNBQVMsQ0FBQyxpQkFBaUIsR0FBRyxpQkFBaUIsQ0FBQztBQUVuRSxJQUFJLENBQUMsWUFBWSxDQUFDLEtBQUssR0FBRyxDQUFDLElBQVksRUFBa0IsRUFBRTtJQUN6RCxPQUFPLE9BQU8sSUFBSSxLQUFLLFFBQVEsSUFBSSxJQUFJLENBQUMsVUFBVSxDQUFDLFlBQVksQ0FBQyxDQUFDO0FBQ25FLENBQUMsQ0FBQztBQUVGLE9BQU8sRUFBRSxjQUFjLEVBQUUsQ0FBQyJ9

package/dist/mjs/certificates/types.d.ts

@@ -0,0 +1,122 @@
+/// <reference types="node" />
+import type { Certificate } from 'pkijs';
+export type ValidateCertChainResult = {
+    isValid: boolean;
+    errorMessage?: string;
+};
+export type SignatureAlgorithm = 'RSASSA-PKCS1-SHA256' | 'ECDSA-secp256k1-SHA256' | 'ECDSA-P-256-SHA256';
+export type AlgorithmObj = {
+    name: string;
+    namedCurve?: string;
+    hash?: {
+        name: string;
+    };
+};
+export type CustomExtension = {
+    oid: string;
+    value: Buffer;
+};
+export type CertificatePrincipal = {
+    country?: string;
+    stateName?: string;
+    localityName?: string;
+    organization?: string;
+    organizationalUnit?: string;
+    commonName: string;
+};
+export type PemOrCryptoKeys = {
+    /**
+     * spki format for PEM
+     */
+    publicKey: string | CryptoKey;
+    /**
+     * pkcs8 format for PEM
+     */
+    privateKey: string | CryptoKey;
+};
+export type GenerateCertParams = PemOrCryptoKeys & {
+    subject: CertificatePrincipal | string;
+    issuer: CertificatePrincipal | string;
+    notAfter: Date;
+    dnsNames?: string[];
+    ca?: boolean;
+    ocspSigning?: boolean;
+    ocspExtension?: {
+        ocspUrl: string;
+        issuerCertUrl?: string;
+    };
+    customExtensions?: CustomExtension[];
+};
+export type GenerateCsrParams = PemOrCryptoKeys & {
+    subject: CertificatePrincipal | string;
+    dnsNames?: string[];
+    customExtensions?: CustomExtension[];
+};
+export type ParsedCsr = {
+    publicKey: CryptoKey;
+    subject: string;
+    extensions: CustomExtension[];
+    dnsNames?: string[];
+};
+export type ParsedCert = {
+    serialNumberHex: string;
+    publicKey: CryptoKey;
+    subject: string;
+    issuer: string;
+    notBefore: Date;
+    notAfter: Date;
+    extensions: CustomExtension[];
+    dnsNames?: string[];
+    authorityKeyIdentifier?: string;
+    subjectKeyIdentifier?: string;
+};
+export type BufferedChunkedX509Cert = {
+    nonSerializedParts: Uint8Array[];
+    expirationDate: Uint8Array;
+    ca: Uint8Array;
+    userData?: Uint8Array;
+    serialNumber: Uint8Array;
+    signature: Uint8Array;
+    publicKey: Uint8Array;
+    mrEnclave?: Uint8Array;
+    mrSigner?: Uint8Array;
+};
+export type CertBinaryItem = {
+    name: string;
+    oid?: string;
+    value: Uint8Array;
+};
+export type OcspCertData = {
+    issuerNameHash: ArrayBuffer;
+    issuerKeyHash: ArrayBuffer;
+    serialNumber: ArrayBuffer;
+    extensionsToCheck: CustomExtension[];
+    hashAlgorithm: string;
+};
+export type ParsedOcspRequest = {
+    certRequests: OcspCertData[];
+    nonce?: ArrayBuffer;
+};
+export declare enum OcspCertStatus {
+    OK = 0,
+    Revoked = 1,
+    Unknown = 2
+}
+export type GenerateOcspResponseParams = {
+    issuerPem: string;
+    caCertsPem?: string;
+    certs: Array<Omit<OcspCertData, 'extensionsToCheck'> & {
+        status: OcspCertStatus;
+        revocationDate?: Date;
+    }>;
+    privateKey: string;
+    nonce?: ArrayBuffer;
+};
+export type KeyIdentifier = {
+    isEqual(other: KeyIdentifier): boolean;
+};
+export type CertWithKeyIdentifiers = {
+    cert: Certificate;
+    authorityKeyIdentifier?: KeyIdentifier;
+    subjectKeyIdentifier?: KeyIdentifier;
+};

package/dist/mjs/certificates/types.js

@@ -0,0 +1,7 @@
+export var OcspCertStatus;
+(function (OcspCertStatus) {
+    OcspCertStatus[OcspCertStatus["OK"] = 0] = "OK";
+    OcspCertStatus[OcspCertStatus["Revoked"] = 1] = "Revoked";
+    OcspCertStatus[OcspCertStatus["Unknown"] = 2] = "Unknown";
+})(OcspCertStatus || (OcspCertStatus = {}));
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidHlwZXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY2VydGlmaWNhdGVzL3R5cGVzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQW9IQSxNQUFNLENBQU4sSUFBWSxjQUlYO0FBSkQsV0FBWSxjQUFjO0lBQ3hCLCtDQUFNLENBQUE7SUFDTix5REFBVyxDQUFBO0lBQ1gseURBQVcsQ0FBQTtBQUNiLENBQUMsRUFKVyxjQUFjLEtBQWQsY0FBYyxRQUl6QiJ9

package/dist/mjs/config.d.ts

@@ -0,0 +1,3 @@
+export declare const config: {
+    TLB_CACHE_SIZE: number;
+};

package/dist/mjs/config.js

@@ -0,0 +1,4 @@
+export const config = {
+    TLB_CACHE_SIZE: 100,
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL2NvbmZpZy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxNQUFNLENBQUMsTUFBTSxNQUFNLEdBQUc7SUFDcEIsY0FBYyxFQUFFLEdBQUc7Q0FDcEIsQ0FBQyJ9