better-auth 1.7.0-beta.2 → 1.7.0-beta.4

package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/pkcs7.mjs

@@ -0,0 +1,642 @@
+import { __commonJSMin } from "../../../../../../_virtual/_rolldown/runtime.mjs";
+import { require_forge } from "./forge.mjs";
+import { require_util } from "./util.mjs";
+import { require_aes } from "./aes.mjs";
+import { require_oids } from "./oids.mjs";
+import { require_asn1 } from "./asn1.mjs";
+import { require_pem } from "./pem.mjs";
+import { require_des } from "./des.mjs";
+import { require_random } from "./random.mjs";
+import { require_pkcs7asn1 } from "./pkcs7asn1.mjs";
+import { require_x509 } from "./x509.mjs";
+//#region ../../node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/pkcs7.js
+var require_pkcs7 = /* @__PURE__ */ __commonJSMin(((exports, module) => {
+	/**
+	* Javascript implementation of PKCS#7 v1.5.
+	*
+	* @author Stefan Siegl
+	* @author Dave Longley
+	*
+	* Copyright (c) 2012 Stefan Siegl <stesie@brokenpipe.de>
+	* Copyright (c) 2012-2015 Digital Bazaar, Inc.
+	*
+	* Currently this implementation only supports ContentType of EnvelopedData,
+	* EncryptedData, or SignedData at the root level. The top level elements may
+	* contain only a ContentInfo of ContentType Data, i.e. plain data. Further
+	* nesting is not (yet) supported.
+	*
+	* The Forge validators for PKCS #7's ASN.1 structures are available from
+	* a separate file pkcs7asn1.js, since those are referenced from other
+	* PKCS standards like PKCS #12.
+	*/
+	var forge = require_forge();
+	require_aes();
+	require_asn1();
+	require_des();
+	require_oids();
+	require_pem();
+	require_pkcs7asn1();
+	require_random();
+	require_util();
+	require_x509();
+	var asn1 = forge.asn1;
+	var p7 = module.exports = forge.pkcs7 = forge.pkcs7 || {};
+	/**
+	* Converts a PKCS#7 message from PEM format.
+	*
+	* @param pem the PEM-formatted PKCS#7 message.
+	*
+	* @return the PKCS#7 message.
+	*/
+	p7.messageFromPem = function(pem) {
+		var msg = forge.pem.decode(pem)[0];
+		if (msg.type !== "PKCS7") {
+			var error = /* @__PURE__ */ new Error("Could not convert PKCS#7 message from PEM; PEM header type is not \"PKCS#7\".");
+			error.headerType = msg.type;
+			throw error;
+		}
+		if (msg.procType && msg.procType.type === "ENCRYPTED") throw new Error("Could not convert PKCS#7 message from PEM; PEM is encrypted.");
+		var obj = asn1.fromDer(msg.body);
+		return p7.messageFromAsn1(obj);
+	};
+	/**
+	* Converts a PKCS#7 message to PEM format.
+	*
+	* @param msg The PKCS#7 message object
+	* @param maxline The maximum characters per line, defaults to 64.
+	*
+	* @return The PEM-formatted PKCS#7 message.
+	*/
+	p7.messageToPem = function(msg, maxline) {
+		var pemObj = {
+			type: "PKCS7",
+			body: asn1.toDer(msg.toAsn1()).getBytes()
+		};
+		return forge.pem.encode(pemObj, { maxline });
+	};
+	/**
+	* Converts a PKCS#7 message from an ASN.1 object.
+	*
+	* @param obj the ASN.1 representation of a ContentInfo.
+	*
+	* @return the PKCS#7 message.
+	*/
+	p7.messageFromAsn1 = function(obj) {
+		var capture = {};
+		var errors = [];
+		if (!asn1.validate(obj, p7.asn1.contentInfoValidator, capture, errors)) {
+			var error = /* @__PURE__ */ new Error("Cannot read PKCS#7 message. ASN.1 object is not an PKCS#7 ContentInfo.");
+			error.errors = errors;
+			throw error;
+		}
+		var contentType = asn1.derToOid(capture.contentType);
+		var msg;
+		switch (contentType) {
+			case forge.pki.oids.envelopedData:
+				msg = p7.createEnvelopedData();
+				break;
+			case forge.pki.oids.encryptedData:
+				msg = p7.createEncryptedData();
+				break;
+			case forge.pki.oids.signedData:
+				msg = p7.createSignedData();
+				break;
+			default: throw new Error("Cannot read PKCS#7 message. ContentType with OID " + contentType + " is not (yet) supported.");
+		}
+		msg.fromAsn1(capture.content.value[0]);
+		return msg;
+	};
+	p7.createSignedData = function() {
+		var msg = null;
+		msg = {
+			type: forge.pki.oids.signedData,
+			version: 1,
+			certificates: [],
+			crls: [],
+			signers: [],
+			digestAlgorithmIdentifiers: [],
+			contentInfo: null,
+			signerInfos: [],
+			fromAsn1: function(obj) {
+				_fromAsn1(msg, obj, p7.asn1.signedDataValidator);
+				msg.certificates = [];
+				msg.crls = [];
+				msg.digestAlgorithmIdentifiers = [];
+				msg.contentInfo = null;
+				msg.signerInfos = [];
+				if (msg.rawCapture.certificates) {
+					var certs = msg.rawCapture.certificates.value;
+					for (var i = 0; i < certs.length; ++i) msg.certificates.push(forge.pki.certificateFromAsn1(certs[i]));
+				}
+			},
+			toAsn1: function() {
+				if (!msg.contentInfo) msg.sign();
+				var certs = [];
+				for (var i = 0; i < msg.certificates.length; ++i) certs.push(forge.pki.certificateToAsn1(msg.certificates[i]));
+				var crls = [];
+				var signedData = asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
+					asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, asn1.integerToDer(msg.version).getBytes()),
+					asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SET, true, msg.digestAlgorithmIdentifiers),
+					msg.contentInfo
+				])]);
+				if (certs.length > 0) signedData.value[0].value.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, true, certs));
+				if (crls.length > 0) signedData.value[0].value.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, 1, true, crls));
+				signedData.value[0].value.push(asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SET, true, msg.signerInfos));
+				return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(msg.type).getBytes()), signedData]);
+			},
+			addSigner: function(signer) {
+				var issuer = signer.issuer;
+				var serialNumber = signer.serialNumber;
+				if (signer.certificate) {
+					var cert = signer.certificate;
+					if (typeof cert === "string") cert = forge.pki.certificateFromPem(cert);
+					issuer = cert.issuer.attributes;
+					serialNumber = cert.serialNumber;
+				}
+				var key = signer.key;
+				if (!key) throw new Error("Could not add PKCS#7 signer; no private key specified.");
+				if (typeof key === "string") key = forge.pki.privateKeyFromPem(key);
+				var digestAlgorithm = signer.digestAlgorithm || forge.pki.oids.sha1;
+				switch (digestAlgorithm) {
+					case forge.pki.oids.sha1:
+					case forge.pki.oids.sha256:
+					case forge.pki.oids.sha384:
+					case forge.pki.oids.sha512:
+					case forge.pki.oids.md5: break;
+					default: throw new Error("Could not add PKCS#7 signer; unknown message digest algorithm: " + digestAlgorithm);
+				}
+				var authenticatedAttributes = signer.authenticatedAttributes || [];
+				if (authenticatedAttributes.length > 0) {
+					var contentType = false;
+					var messageDigest = false;
+					for (var i = 0; i < authenticatedAttributes.length; ++i) {
+						var attr = authenticatedAttributes[i];
+						if (!contentType && attr.type === forge.pki.oids.contentType) {
+							contentType = true;
+							if (messageDigest) break;
+							continue;
+						}
+						if (!messageDigest && attr.type === forge.pki.oids.messageDigest) {
+							messageDigest = true;
+							if (contentType) break;
+							continue;
+						}
+					}
+					if (!contentType || !messageDigest) throw new Error("Invalid signer.authenticatedAttributes. If signer.authenticatedAttributes is specified, then it must contain at least two attributes, PKCS #9 content-type and PKCS #9 message-digest.");
+				}
+				msg.signers.push({
+					key,
+					version: 1,
+					issuer,
+					serialNumber,
+					digestAlgorithm,
+					signatureAlgorithm: forge.pki.oids.rsaEncryption,
+					signature: null,
+					authenticatedAttributes,
+					unauthenticatedAttributes: []
+				});
+			},
+			sign: function(options) {
+				options = options || {};
+				if (typeof msg.content !== "object" || msg.contentInfo === null) {
+					msg.contentInfo = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(forge.pki.oids.data).getBytes())]);
+					if ("content" in msg) {
+						var content;
+						if (msg.content instanceof forge.util.ByteBuffer) content = msg.content.bytes();
+						else if (typeof msg.content === "string") content = forge.util.encodeUtf8(msg.content);
+						if (options.detached) msg.detachedContent = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, content);
+						else msg.contentInfo.value.push(asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, content)]));
+					}
+				}
+				if (msg.signers.length === 0) return;
+				addSignerInfos(addDigestAlgorithmIds());
+			},
+			verify: function() {
+				throw new Error("PKCS#7 signature verification not yet implemented.");
+			},
+			addCertificate: function(cert) {
+				if (typeof cert === "string") cert = forge.pki.certificateFromPem(cert);
+				msg.certificates.push(cert);
+			},
+			addCertificateRevokationList: function(crl) {
+				throw new Error("PKCS#7 CRL support not yet implemented.");
+			}
+		};
+		return msg;
+		function addDigestAlgorithmIds() {
+			var mds = {};
+			for (var i = 0; i < msg.signers.length; ++i) {
+				var signer = msg.signers[i];
+				var oid = signer.digestAlgorithm;
+				if (!(oid in mds)) mds[oid] = forge.md[forge.pki.oids[oid]].create();
+				if (signer.authenticatedAttributes.length === 0) signer.md = mds[oid];
+				else signer.md = forge.md[forge.pki.oids[oid]].create();
+			}
+			msg.digestAlgorithmIdentifiers = [];
+			for (var oid in mds) msg.digestAlgorithmIdentifiers.push(asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(oid).getBytes()), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, "")]));
+			return mds;
+		}
+		function addSignerInfos(mds) {
+			var content;
+			if (msg.detachedContent) content = msg.detachedContent;
+			else {
+				content = msg.contentInfo.value[1];
+				content = content.value[0];
+			}
+			if (!content) throw new Error("Could not sign PKCS#7 message; there is no content to sign.");
+			var contentType = asn1.derToOid(msg.contentInfo.value[0].value);
+			var bytes = asn1.toDer(content);
+			bytes.getByte();
+			asn1.getBerValueLength(bytes);
+			bytes = bytes.getBytes();
+			for (var oid in mds) mds[oid].start().update(bytes);
+			var signingTime = /* @__PURE__ */ new Date();
+			for (var i = 0; i < msg.signers.length; ++i) {
+				var signer = msg.signers[i];
+				if (signer.authenticatedAttributes.length === 0) {
+					if (contentType !== forge.pki.oids.data) throw new Error("Invalid signer; authenticatedAttributes must be present when the ContentInfo content type is not PKCS#7 Data.");
+				} else {
+					signer.authenticatedAttributesAsn1 = asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, true, []);
+					var attrsAsn1 = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SET, true, []);
+					for (var ai = 0; ai < signer.authenticatedAttributes.length; ++ai) {
+						var attr = signer.authenticatedAttributes[ai];
+						if (attr.type === forge.pki.oids.messageDigest) attr.value = mds[signer.digestAlgorithm].digest();
+						else if (attr.type === forge.pki.oids.signingTime) {
+							if (!attr.value) attr.value = signingTime;
+						}
+						attrsAsn1.value.push(_attributeToAsn1(attr));
+						signer.authenticatedAttributesAsn1.value.push(_attributeToAsn1(attr));
+					}
+					bytes = asn1.toDer(attrsAsn1).getBytes();
+					signer.md.start().update(bytes);
+				}
+				signer.signature = signer.key.sign(signer.md, "RSASSA-PKCS1-V1_5");
+			}
+			msg.signerInfos = _signersToAsn1(msg.signers);
+		}
+	};
+	/**
+	* Creates an empty PKCS#7 message of type EncryptedData.
+	*
+	* @return the message.
+	*/
+	p7.createEncryptedData = function() {
+		var msg = null;
+		msg = {
+			type: forge.pki.oids.encryptedData,
+			version: 0,
+			encryptedContent: { algorithm: forge.pki.oids["aes256-CBC"] },
+			fromAsn1: function(obj) {
+				_fromAsn1(msg, obj, p7.asn1.encryptedDataValidator);
+			},
+			decrypt: function(key) {
+				if (key !== void 0) msg.encryptedContent.key = key;
+				_decryptContent(msg);
+			}
+		};
+		return msg;
+	};
+	/**
+	* Creates an empty PKCS#7 message of type EnvelopedData.
+	*
+	* @return the message.
+	*/
+	p7.createEnvelopedData = function() {
+		var msg = null;
+		msg = {
+			type: forge.pki.oids.envelopedData,
+			version: 0,
+			recipients: [],
+			encryptedContent: { algorithm: forge.pki.oids["aes256-CBC"] },
+			fromAsn1: function(obj) {
+				var capture = _fromAsn1(msg, obj, p7.asn1.envelopedDataValidator);
+				msg.recipients = _recipientsFromAsn1(capture.recipientInfos.value);
+			},
+			toAsn1: function() {
+				return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(msg.type).getBytes()), asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
+					asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, asn1.integerToDer(msg.version).getBytes()),
+					asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SET, true, _recipientsToAsn1(msg.recipients)),
+					asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, _encryptedContentToAsn1(msg.encryptedContent))
+				])])]);
+			},
+			findRecipient: function(cert) {
+				var sAttr = cert.issuer.attributes;
+				for (var i = 0; i < msg.recipients.length; ++i) {
+					var r = msg.recipients[i];
+					var rAttr = r.issuer;
+					if (r.serialNumber !== cert.serialNumber) continue;
+					if (rAttr.length !== sAttr.length) continue;
+					var match = true;
+					for (var j = 0; j < sAttr.length; ++j) if (rAttr[j].type !== sAttr[j].type || rAttr[j].value !== sAttr[j].value) {
+						match = false;
+						break;
+					}
+					if (match) return r;
+				}
+				return null;
+			},
+			decrypt: function(recipient, privKey) {
+				if (msg.encryptedContent.key === void 0 && recipient !== void 0 && privKey !== void 0) switch (recipient.encryptedContent.algorithm) {
+					case forge.pki.oids.rsaEncryption:
+					case forge.pki.oids.desCBC:
+						var key = privKey.decrypt(recipient.encryptedContent.content);
+						msg.encryptedContent.key = forge.util.createBuffer(key);
+						break;
+					default: throw new Error("Unsupported asymmetric cipher, OID " + recipient.encryptedContent.algorithm);
+				}
+				_decryptContent(msg);
+			},
+			addRecipient: function(cert) {
+				msg.recipients.push({
+					version: 0,
+					issuer: cert.issuer.attributes,
+					serialNumber: cert.serialNumber,
+					encryptedContent: {
+						algorithm: forge.pki.oids.rsaEncryption,
+						key: cert.publicKey
+					}
+				});
+			},
+			encrypt: function(key, cipher) {
+				if (msg.encryptedContent.content === void 0) {
+					cipher = cipher || msg.encryptedContent.algorithm;
+					key = key || msg.encryptedContent.key;
+					var keyLen, ivLen, ciphFn;
+					switch (cipher) {
+						case forge.pki.oids["aes128-CBC"]:
+							keyLen = 16;
+							ivLen = 16;
+							ciphFn = forge.aes.createEncryptionCipher;
+							break;
+						case forge.pki.oids["aes192-CBC"]:
+							keyLen = 24;
+							ivLen = 16;
+							ciphFn = forge.aes.createEncryptionCipher;
+							break;
+						case forge.pki.oids["aes256-CBC"]:
+							keyLen = 32;
+							ivLen = 16;
+							ciphFn = forge.aes.createEncryptionCipher;
+							break;
+						case forge.pki.oids["des-EDE3-CBC"]:
+							keyLen = 24;
+							ivLen = 8;
+							ciphFn = forge.des.createEncryptionCipher;
+							break;
+						default: throw new Error("Unsupported symmetric cipher, OID " + cipher);
+					}
+					if (key === void 0) key = forge.util.createBuffer(forge.random.getBytes(keyLen));
+					else if (key.length() != keyLen) throw new Error("Symmetric key has wrong length; got " + key.length() + " bytes, expected " + keyLen + ".");
+					msg.encryptedContent.algorithm = cipher;
+					msg.encryptedContent.key = key;
+					msg.encryptedContent.parameter = forge.util.createBuffer(forge.random.getBytes(ivLen));
+					var ciph = ciphFn(key);
+					ciph.start(msg.encryptedContent.parameter.copy());
+					ciph.update(msg.content);
+					if (!ciph.finish()) throw new Error("Symmetric encryption failed.");
+					msg.encryptedContent.content = ciph.output;
+				}
+				for (var i = 0; i < msg.recipients.length; ++i) {
+					var recipient = msg.recipients[i];
+					if (recipient.encryptedContent.content !== void 0) continue;
+					switch (recipient.encryptedContent.algorithm) {
+						case forge.pki.oids.rsaEncryption:
+							recipient.encryptedContent.content = recipient.encryptedContent.key.encrypt(msg.encryptedContent.key.data);
+							break;
+						default: throw new Error("Unsupported asymmetric cipher, OID " + recipient.encryptedContent.algorithm);
+					}
+				}
+			}
+		};
+		return msg;
+	};
+	/**
+	* Converts a single recipient from an ASN.1 object.
+	*
+	* @param obj the ASN.1 RecipientInfo.
+	*
+	* @return the recipient object.
+	*/
+	function _recipientFromAsn1(obj) {
+		var capture = {};
+		var errors = [];
+		if (!asn1.validate(obj, p7.asn1.recipientInfoValidator, capture, errors)) {
+			var error = /* @__PURE__ */ new Error("Cannot read PKCS#7 RecipientInfo. ASN.1 object is not an PKCS#7 RecipientInfo.");
+			error.errors = errors;
+			throw error;
+		}
+		return {
+			version: capture.version.charCodeAt(0),
+			issuer: forge.pki.RDNAttributesAsArray(capture.issuer),
+			serialNumber: forge.util.createBuffer(capture.serial).toHex(),
+			encryptedContent: {
+				algorithm: asn1.derToOid(capture.encAlgorithm),
+				parameter: capture.encParameter ? capture.encParameter.value : void 0,
+				content: capture.encKey
+			}
+		};
+	}
+	/**
+	* Converts a single recipient object to an ASN.1 object.
+	*
+	* @param obj the recipient object.
+	*
+	* @return the ASN.1 RecipientInfo.
+	*/
+	function _recipientToAsn1(obj) {
+		return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, asn1.integerToDer(obj.version).getBytes()),
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [forge.pki.distinguishedNameToAsn1({ attributes: obj.issuer }), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, forge.util.hexToBytes(obj.serialNumber))]),
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(obj.encryptedContent.algorithm).getBytes()), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, "")]),
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, obj.encryptedContent.content)
+		]);
+	}
+	/**
+	* Map a set of RecipientInfo ASN.1 objects to recipient objects.
+	*
+	* @param infos an array of ASN.1 representations RecipientInfo (i.e. SET OF).
+	*
+	* @return an array of recipient objects.
+	*/
+	function _recipientsFromAsn1(infos) {
+		var ret = [];
+		for (var i = 0; i < infos.length; ++i) ret.push(_recipientFromAsn1(infos[i]));
+		return ret;
+	}
+	/**
+	* Map an array of recipient objects to ASN.1 RecipientInfo objects.
+	*
+	* @param recipients an array of recipientInfo objects.
+	*
+	* @return an array of ASN.1 RecipientInfos.
+	*/
+	function _recipientsToAsn1(recipients) {
+		var ret = [];
+		for (var i = 0; i < recipients.length; ++i) ret.push(_recipientToAsn1(recipients[i]));
+		return ret;
+	}
+	/**
+	* Converts a single signerInfo object to an ASN.1 object.
+	*
+	* @param obj the signerInfo object.
+	*
+	* @return the ASN.1 representation of a SignerInfo.
+	*/
+	function _signerToAsn1(obj) {
+		var rval = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, asn1.integerToDer(obj.version).getBytes()),
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [forge.pki.distinguishedNameToAsn1({ attributes: obj.issuer }), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, forge.util.hexToBytes(obj.serialNumber))]),
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(obj.digestAlgorithm).getBytes()), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, "")])
+		]);
+		if (obj.authenticatedAttributesAsn1) rval.value.push(obj.authenticatedAttributesAsn1);
+		rval.value.push(asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(obj.signatureAlgorithm).getBytes()), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, "")]));
+		rval.value.push(asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, obj.signature));
+		if (obj.unauthenticatedAttributes.length > 0) {
+			var attrsAsn1 = asn1.create(asn1.Class.CONTEXT_SPECIFIC, 1, true, []);
+			for (var i = 0; i < obj.unauthenticatedAttributes.length; ++i) {
+				var attr = obj.unauthenticatedAttributes[i];
+				attrsAsn1.values.push(_attributeToAsn1(attr));
+			}
+			rval.value.push(attrsAsn1);
+		}
+		return rval;
+	}
+	/**
+	* Map an array of signer objects to ASN.1 objects.
+	*
+	* @param signers an array of signer objects.
+	*
+	* @return an array of ASN.1 SignerInfos.
+	*/
+	function _signersToAsn1(signers) {
+		var ret = [];
+		for (var i = 0; i < signers.length; ++i) ret.push(_signerToAsn1(signers[i]));
+		return ret;
+	}
+	/**
+	* Convert an attribute object to an ASN.1 Attribute.
+	*
+	* @param attr the attribute object.
+	*
+	* @return the ASN.1 Attribute.
+	*/
+	function _attributeToAsn1(attr) {
+		var value;
+		if (attr.type === forge.pki.oids.contentType) value = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(attr.value).getBytes());
+		else if (attr.type === forge.pki.oids.messageDigest) value = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, attr.value.bytes());
+		else if (attr.type === forge.pki.oids.signingTime) {
+			var jan_1_1950 = /* @__PURE__ */ new Date("1950-01-01T00:00:00Z");
+			var jan_1_2050 = /* @__PURE__ */ new Date("2050-01-01T00:00:00Z");
+			var date = attr.value;
+			if (typeof date === "string") {
+				var timestamp = Date.parse(date);
+				if (!isNaN(timestamp)) date = new Date(timestamp);
+				else if (date.length === 13) date = asn1.utcTimeToDate(date);
+				else date = asn1.generalizedTimeToDate(date);
+			}
+			if (date >= jan_1_1950 && date < jan_1_2050) value = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.UTCTIME, false, asn1.dateToUtcTime(date));
+			else value = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.GENERALIZEDTIME, false, asn1.dateToGeneralizedTime(date));
+		}
+		return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(attr.type).getBytes()), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SET, true, [value])]);
+	}
+	/**
+	* Map messages encrypted content to ASN.1 objects.
+	*
+	* @param ec The encryptedContent object of the message.
+	*
+	* @return ASN.1 representation of the encryptedContent object (SEQUENCE).
+	*/
+	function _encryptedContentToAsn1(ec) {
+		return [
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(forge.pki.oids.data).getBytes()),
+			asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(ec.algorithm).getBytes()), !ec.parameter ? void 0 : asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, ec.parameter.getBytes())]),
+			asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, ec.content.getBytes())])
+		];
+	}
+	/**
+	* Reads the "common part" of an PKCS#7 content block (in ASN.1 format)
+	*
+	* This function reads the "common part" of the PKCS#7 content blocks
+	* EncryptedData and EnvelopedData, i.e. version number and symmetrically
+	* encrypted content block.
+	*
+	* The result of the ASN.1 validate and capture process is returned
+	* to allow the caller to extract further data, e.g. the list of recipients
+	* in case of a EnvelopedData object.
+	*
+	* @param msg the PKCS#7 object to read the data to.
+	* @param obj the ASN.1 representation of the content block.
+	* @param validator the ASN.1 structure validator object to use.
+	*
+	* @return the value map captured by validator object.
+	*/
+	function _fromAsn1(msg, obj, validator) {
+		var capture = {};
+		if (!asn1.validate(obj, validator, capture, [])) {
+			var error = /* @__PURE__ */ new Error("Cannot read PKCS#7 message. ASN.1 object is not a supported PKCS#7 message.");
+			error.errors = error;
+			throw error;
+		}
+		if (asn1.derToOid(capture.contentType) !== forge.pki.oids.data) throw new Error("Unsupported PKCS#7 message. Only wrapped ContentType Data supported.");
+		if (capture.encryptedContent) {
+			var content = "";
+			if (forge.util.isArray(capture.encryptedContent)) for (var i = 0; i < capture.encryptedContent.length; ++i) {
+				if (capture.encryptedContent[i].type !== asn1.Type.OCTETSTRING) throw new Error("Malformed PKCS#7 message, expecting encrypted content constructed of only OCTET STRING objects.");
+				content += capture.encryptedContent[i].value;
+			}
+			else content = capture.encryptedContent;
+			msg.encryptedContent = {
+				algorithm: asn1.derToOid(capture.encAlgorithm),
+				parameter: forge.util.createBuffer(capture.encParameter.value),
+				content: forge.util.createBuffer(content)
+			};
+		}
+		if (capture.content) {
+			var content = "";
+			if (forge.util.isArray(capture.content)) for (var i = 0; i < capture.content.length; ++i) {
+				if (capture.content[i].type !== asn1.Type.OCTETSTRING) throw new Error("Malformed PKCS#7 message, expecting content constructed of only OCTET STRING objects.");
+				content += capture.content[i].value;
+			}
+			else content = capture.content;
+			msg.content = forge.util.createBuffer(content);
+		}
+		msg.version = capture.version.charCodeAt(0);
+		msg.rawCapture = capture;
+		return capture;
+	}
+	/**
+	* Decrypt the symmetrically encrypted content block of the PKCS#7 message.
+	*
+	* Decryption is skipped in case the PKCS#7 message object already has a
+	* (decrypted) content attribute.  The algorithm, key and cipher parameters
+	* (probably the iv) are taken from the encryptedContent attribute of the
+	* message object.
+	*
+	* @param The PKCS#7 message object.
+	*/
+	function _decryptContent(msg) {
+		if (msg.encryptedContent.key === void 0) throw new Error("Symmetric key not available.");
+		if (msg.content === void 0) {
+			var ciph;
+			switch (msg.encryptedContent.algorithm) {
+				case forge.pki.oids["aes128-CBC"]:
+				case forge.pki.oids["aes192-CBC"]:
+				case forge.pki.oids["aes256-CBC"]:
+					ciph = forge.aes.createDecryptionCipher(msg.encryptedContent.key);
+					break;
+				case forge.pki.oids["desCBC"]:
+				case forge.pki.oids["des-EDE3-CBC"]:
+					ciph = forge.des.createDecryptionCipher(msg.encryptedContent.key);
+					break;
+				default: throw new Error("Unsupported symmetric cipher, OID " + msg.encryptedContent.algorithm);
+			}
+			ciph.start(msg.encryptedContent.parameter);
+			ciph.update(msg.encryptedContent.content);
+			if (!ciph.finish()) throw new Error("Symmetric decryption failed.");
+			msg.content = ciph.output;
+		}
+	}
+}));
+//#endregion
+export default require_pkcs7();
+export { require_pkcs7 };