edockit 0.4.0-dev.0 → 0.4.0

package/dist/identity-c9e5052e.js

@@ -0,0 +1,410 @@
+/*!
+ * MIT License
+ * Copyright (c) 2025 Edgars Jēkabsons, ZenomyTech SIA
+ */
+'use strict';
+
+var x509 = require('@peculiar/x509');
+var asn1Schema = require('@peculiar/asn1-schema');
+var asn1Ocsp = require('@peculiar/asn1-ocsp');
+var asn1X509 = require('@peculiar/asn1-x509');
+var normalize = require('./normalize-9626be7c.js');
+
+// src/core/revocation/ocsp.ts
+/**
+ * OID for Authority Information Access extension
+ */
+const id_pe_authorityInfoAccess = "1.3.6.1.5.5.7.1.1";
+/**
+ * SHA-1 algorithm identifier for OCSP
+ */
+const SHA1_OID = "1.3.14.3.2.26";
+/**
+ * Compute SHA-1 hash of data (cross-platform)
+ */
+async function computeSHA1(data) {
+    if (typeof crypto !== "undefined" && crypto.subtle) {
+        return crypto.subtle.digest("SHA-1", data);
+    }
+    // Node.js fallback
+    const nodeCrypto = require("crypto");
+    const hash = nodeCrypto.createHash("sha1");
+    hash.update(Buffer.from(data));
+    return hash.digest().buffer;
+}
+/**
+ * Extract OCSP responder URLs from certificate
+ * @param cert X509Certificate to extract OCSP URLs from
+ * @returns Array of OCSP responder URLs
+ */
+function extractOCSPUrls(cert) {
+    try {
+        const aiaExt = cert.getExtension(id_pe_authorityInfoAccess);
+        if (!aiaExt) {
+            return [];
+        }
+        // Get OCSP URLs from the extension
+        return aiaExt.ocsp.filter((gn) => gn.type === "url").map((gn) => gn.value);
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Extract CA Issuers URLs from certificate (for fetching issuer cert)
+ * @param cert X509Certificate to extract URLs from
+ * @returns Array of CA Issuers URLs
+ */
+function extractCAIssuersUrls(cert) {
+    try {
+        const aiaExt = cert.getExtension(id_pe_authorityInfoAccess);
+        if (!aiaExt) {
+            return [];
+        }
+        return aiaExt.caIssuers.filter((gn) => gn.type === "url").map((gn) => gn.value);
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Find issuer certificate from certificate chain
+ * @param cert Certificate to find issuer for
+ * @param chain Array of PEM-formatted certificates
+ * @returns Issuer certificate or null if not found
+ */
+function findIssuerInChain(cert, chain) {
+    const issuerName = cert.issuer;
+    for (const pemCert of chain) {
+        try {
+            const chainCert = new x509.X509Certificate(pemCert);
+            // Check if this cert's subject matches our cert's issuer
+            if (chainCert.subject === issuerName) {
+                return chainCert;
+            }
+        }
+        catch {
+            // Skip invalid certificates
+        }
+    }
+    return null;
+}
+/**
+ * Fetch issuer certificate from AIA extension
+ * @param cert Certificate to fetch issuer for
+ * @param timeout Timeout in ms
+ * @param proxyUrl Optional CORS proxy URL
+ * @returns Issuer certificate or null
+ */
+async function fetchIssuerFromAIA(cert, timeout = 5000, proxyUrl) {
+    const urls = extractCAIssuersUrls(cert);
+    for (const url of urls) {
+        try {
+            const result = await normalize.fetchIssuerCertificate(url, timeout, proxyUrl);
+            if (result.ok && result.data) {
+                // Try to parse as DER first, then PEM
+                try {
+                    return new x509.X509Certificate(result.data);
+                }
+                catch {
+                    // Try converting to PEM
+                    const pem = normalize.arrayBufferToPEM(result.data);
+                    return new x509.X509Certificate(pem);
+                }
+            }
+        }
+        catch {
+            // Try next URL
+        }
+    }
+    return null;
+}
+/**
+ * Build OCSP request for a certificate
+ * @param cert Certificate to check
+ * @param issuerCert Issuer certificate
+ * @returns DER-encoded OCSP request
+ */
+async function buildOCSPRequest(cert, issuerCert) {
+    // Get issuer name hash (SHA-1 of issuer's DN in DER)
+    // Parse the raw certificate to get the proper ASN.1 structures for serialization
+    const issuerCertAsn = asn1Schema.AsnParser.parse(issuerCert.rawData, asn1X509.Certificate);
+    const issuerNameDer = asn1Schema.AsnConvert.serialize(issuerCertAsn.tbsCertificate.subject);
+    const issuerNameHash = await computeSHA1(issuerNameDer);
+    // Get issuer key hash (SHA-1 of issuer's public key BIT STRING value, not the full SPKI)
+    const issuerKeyHash = await computeSHA1(issuerCertAsn.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey);
+    // Get certificate serial number
+    const serialNumber = normalize.hexToArrayBuffer(cert.serialNumber);
+    // Build CertID
+    const certId = new asn1Ocsp.CertID({
+        hashAlgorithm: new asn1X509.AlgorithmIdentifier({ algorithm: SHA1_OID }),
+        issuerNameHash: new asn1Schema.OctetString(issuerNameHash),
+        issuerKeyHash: new asn1Schema.OctetString(issuerKeyHash),
+        serialNumber: serialNumber,
+    });
+    // Build request
+    const request = new asn1Ocsp.Request({ reqCert: certId });
+    // Build TBS request
+    const tbsRequest = new asn1Ocsp.TBSRequest({
+        requestList: [request],
+    });
+    // Build OCSP request
+    const ocspRequest = new asn1Ocsp.OCSPRequest({ tbsRequest });
+    return asn1Schema.AsnConvert.serialize(ocspRequest);
+}
+/**
+ * Parse OCSP response and extract revocation status
+ * @param responseData DER-encoded OCSP response
+ * @returns Revocation result
+ */
+function parseOCSPResponse(responseData) {
+    const now = new Date();
+    try {
+        const response = asn1Schema.AsnConvert.parse(responseData, asn1Ocsp.OCSPResponse);
+        // Check response status
+        switch (response.responseStatus) {
+            case asn1Ocsp.OCSPResponseStatus.successful:
+                break;
+            case asn1Ocsp.OCSPResponseStatus.malformedRequest:
+                return {
+                    isValid: false,
+                    status: "error",
+                    method: "ocsp",
+                    reason: "OCSP responder returned: malformed request",
+                    checkedAt: now,
+                };
+            case asn1Ocsp.OCSPResponseStatus.internalError:
+                return {
+                    isValid: false,
+                    status: "error",
+                    method: "ocsp",
+                    reason: "OCSP responder returned: internal error",
+                    checkedAt: now,
+                };
+            case asn1Ocsp.OCSPResponseStatus.tryLater:
+                return {
+                    isValid: false,
+                    status: "unknown",
+                    method: "ocsp",
+                    reason: "OCSP responder returned: try later",
+                    checkedAt: now,
+                };
+            case asn1Ocsp.OCSPResponseStatus.sigRequired:
+                return {
+                    isValid: false,
+                    status: "error",
+                    method: "ocsp",
+                    reason: "OCSP responder requires signature",
+                    checkedAt: now,
+                };
+            case asn1Ocsp.OCSPResponseStatus.unauthorized:
+                return {
+                    isValid: false,
+                    status: "error",
+                    method: "ocsp",
+                    reason: "OCSP responder returned: unauthorized",
+                    checkedAt: now,
+                };
+            default:
+                return {
+                    isValid: false,
+                    status: "error",
+                    method: "ocsp",
+                    reason: `OCSP responder returned unknown status: ${response.responseStatus}`,
+                    checkedAt: now,
+                };
+        }
+        // Parse response bytes
+        if (!response.responseBytes) {
+            return {
+                isValid: false,
+                status: "error",
+                method: "ocsp",
+                reason: "OCSP response has no response bytes",
+                checkedAt: now,
+            };
+        }
+        // Parse BasicOCSPResponse
+        const basicResponse = asn1Schema.AsnConvert.parse(response.responseBytes.response.buffer, asn1Ocsp.BasicOCSPResponse);
+        // Get the first single response
+        const responses = basicResponse.tbsResponseData.responses;
+        if (!responses || responses.length === 0) {
+            return {
+                isValid: false,
+                status: "error",
+                method: "ocsp",
+                reason: "OCSP response contains no certificate status",
+                checkedAt: now,
+            };
+        }
+        const singleResponse = responses[0];
+        const certStatus = singleResponse.certStatus;
+        // Check certificate status
+        if (certStatus.good !== undefined) {
+            return {
+                isValid: true,
+                status: "good",
+                method: "ocsp",
+                checkedAt: now,
+            };
+        }
+        else if (certStatus.revoked) {
+            return {
+                isValid: false,
+                status: "revoked",
+                method: "ocsp",
+                reason: certStatus.revoked.revocationReason !== undefined
+                    ? `Certificate revoked (reason: ${certStatus.revoked.revocationReason})`
+                    : "Certificate revoked",
+                revokedAt: certStatus.revoked.revocationTime,
+                checkedAt: now,
+            };
+        }
+        else if (certStatus.unknown !== undefined) {
+            return {
+                isValid: false,
+                status: "unknown",
+                method: "ocsp",
+                reason: "OCSP responder does not know about this certificate",
+                checkedAt: now,
+            };
+        }
+        return {
+            isValid: false,
+            status: "error",
+            method: "ocsp",
+            reason: "Unexpected certificate status in OCSP response",
+            checkedAt: now,
+        };
+    }
+    catch (error) {
+        return {
+            isValid: false,
+            status: "error",
+            method: "ocsp",
+            reason: `Failed to parse OCSP response: ${error instanceof Error ? error.message : String(error)}`,
+            checkedAt: now,
+        };
+    }
+}
+/**
+ * Check certificate revocation via OCSP
+ * @param cert Certificate to check
+ * @param issuerCert Issuer certificate (optional, will try to find/fetch)
+ * @param options OCSP check options
+ * @returns Revocation result
+ */
+async function checkOCSP(cert, issuerCert, options = {}) {
+    const { timeout = 5000, certificateChain = [], proxyUrl } = options;
+    const now = new Date();
+    // Get OCSP URLs
+    const ocspUrls = extractOCSPUrls(cert);
+    if (ocspUrls.length === 0) {
+        return {
+            isValid: false,
+            status: "unknown",
+            method: "ocsp",
+            reason: "Certificate has no OCSP responder URL",
+            checkedAt: now,
+        };
+    }
+    // Try to find issuer certificate
+    let issuer = issuerCert;
+    if (!issuer) {
+        // Try certificate chain first
+        issuer = findIssuerInChain(cert, certificateChain);
+    }
+    if (!issuer) {
+        // Try AIA extension
+        issuer = await fetchIssuerFromAIA(cert, timeout, proxyUrl);
+    }
+    if (!issuer) {
+        return {
+            isValid: false,
+            status: "unknown",
+            method: "ocsp",
+            reason: "Could not find or fetch issuer certificate for OCSP",
+            checkedAt: now,
+        };
+    }
+    // Build OCSP request
+    let request;
+    try {
+        request = await buildOCSPRequest(cert, issuer);
+    }
+    catch (error) {
+        return {
+            isValid: false,
+            status: "error",
+            method: "ocsp",
+            reason: `Failed to build OCSP request: ${error instanceof Error ? error.message : String(error)}`,
+            checkedAt: now,
+        };
+    }
+    // Try each OCSP URL
+    for (const url of ocspUrls) {
+        try {
+            const result = await normalize.fetchOCSP(url, request, timeout, proxyUrl);
+            if (result.ok && result.data) {
+                return parseOCSPResponse(result.data);
+            }
+        }
+        catch {
+            // Try next URL
+        }
+    }
+    return {
+        isValid: false,
+        status: "error",
+        method: "ocsp",
+        reason: "All OCSP requests failed",
+        checkedAt: now,
+    };
+}
+
+const AUTHORITY_KEY_IDENTIFIER_OID = "2.5.29.35";
+const SUBJECT_KEY_IDENTIFIER_OID = "2.5.29.14";
+async function computeSha256Hex(input) {
+    const digest = await crypto.subtle.digest("SHA-256", input);
+    return normalize.arrayBufferToHex(digest);
+}
+function getAuthorityKeyIdentifierHex(certificate) {
+    const authorityKeyIdentifier = certificate.getExtension(AUTHORITY_KEY_IDENTIFIER_OID);
+    return normalize.normalizeKeyIdentifier(authorityKeyIdentifier?.keyId);
+}
+function getSubjectKeyIdentifierHex(certificate) {
+    const subjectKeyIdentifier = certificate.getExtension(SUBJECT_KEY_IDENTIFIER_OID);
+    return normalize.normalizeKeyIdentifier(subjectKeyIdentifier?.keyId);
+}
+async function extractIssuerIdentityFromCertificate(certificatePem, options = {}) {
+    const signerCertificate = new x509.X509Certificate(certificatePem);
+    let issuerCertificate = options.certificateChain && options.certificateChain.length > 0
+        ? findIssuerInChain(signerCertificate, options.certificateChain)
+        : null;
+    if (!issuerCertificate && options.fetchOptions) {
+        issuerCertificate = await fetchIssuerFromAIA(signerCertificate, options.fetchOptions.timeout, options.fetchOptions.proxyUrl);
+    }
+    return {
+        issuerSubjectDn: normalize.normalizeDistinguishedName(signerCertificate.issuer),
+        authorityKeyIdentifierHex: getAuthorityKeyIdentifierHex(signerCertificate),
+        issuerCertificate: issuerCertificate
+            ? {
+                subjectDn: normalize.normalizeDistinguishedName(issuerCertificate.subject),
+                spkiSha256Hex: await computeSha256Hex(issuerCertificate.publicKey.rawData),
+            }
+            : null,
+    };
+}
+async function extractCertificateIdentityFromCertificate(certificatePem) {
+    const certificate = new x509.X509Certificate(certificatePem);
+    return {
+        subjectDn: normalize.normalizeDistinguishedName(certificate.subject),
+        subjectKeyIdentifierHex: getSubjectKeyIdentifierHex(certificate),
+        spkiSha256Hex: await computeSha256Hex(certificate.publicKey.rawData),
+    };
+}
+
+exports.checkOCSP = checkOCSP;
+exports.extractCertificateIdentityFromCertificate = extractCertificateIdentityFromCertificate;
+exports.extractIssuerIdentityFromCertificate = extractIssuerIdentityFromCertificate;
+//# sourceMappingURL=identity-c9e5052e.js.map

package/dist/identity-c9e5052e.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-c9e5052e.js","sources":["../src/core/revocation/ocsp.ts","../src/core/trustedlist/identity.ts"],"sourcesContent":[null,null],"names":["X509Certificate","fetchIssuerCertificate","arrayBufferToPEM","AsnParser","Certificate","AsnConvert","hexToArrayBuffer","CertID","AlgorithmIdentifier","OctetString","Request","TBSRequest","OCSPRequest","OCSPResponse","OCSPResponseStatus","BasicOCSPResponse","fetchOCSP","arrayBufferToHex","normalizeKeyIdentifier","normalizeDistinguishedName"],"mappings":";;;;;;;;;;;;AAAA;AAmBA;;AAEG;AACH,MAAM,yBAAyB,GAAG,mBAAmB,CAAC;AAEtD;;AAEG;AACH,MAAM,QAAQ,GAAG,eAAe,CAAC;AAEjC;;AAEG;AACH,eAAe,WAAW,CAAC,IAAiB,EAAA;IAC1C,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE;QAClD,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;KAC5C;;AAED,IAAA,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC3C,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAC/B,IAAA,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC;AAC9B,CAAC;AAED;;;;AAIG;AACG,SAAU,eAAe,CAAC,IAAqB,EAAA;AACnD,IAAA,IAAI;QACF,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAC9B,yBAAyB,CACa,CAAC;QACzC,IAAI,CAAC,MAAM,EAAE;AACX,YAAA,OAAO,EAAE,CAAC;SACX;;AAGD,QAAA,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC;KAC5E;AAAC,IAAA,MAAM;AACN,QAAA,OAAO,EAAE,CAAC;KACX;AACH,CAAC;AAED;;;;AAIG;AACG,SAAU,oBAAoB,CAAC,IAAqB,EAAA;AACxD,IAAA,IAAI;QACF,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAC9B,yBAAyB,CACa,CAAC;QACzC,IAAI,CAAC,MAAM,EAAE;AACX,YAAA,OAAO,EAAE,CAAC;SACX;AAED,QAAA,OAAO,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC;KACjF;AAAC,IAAA,MAAM;AACN,QAAA,OAAO,EAAE,CAAC;KACX;AACH,CAAC;AAED;;;;;AAKG;AACa,SAAA,iBAAiB,CAAC,IAAqB,EAAE,KAAe,EAAA;AACtE,IAAA,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC;AAE/B,IAAA,KAAK,MAAM,OAAO,IAAI,KAAK,EAAE;AAC3B,QAAA,IAAI;AACF,YAAA,MAAM,SAAS,GAAG,IAAIA,oBAAe,CAAC,OAAO,CAAC,CAAC;;AAE/C,YAAA,IAAI,SAAS,CAAC,OAAO,KAAK,UAAU,EAAE;AACpC,gBAAA,OAAO,SAAS,CAAC;aAClB;SACF;AAAC,QAAA,MAAM;;SAEP;KACF;AAED,IAAA,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;AAMG;AACI,eAAe,kBAAkB,CACtC,IAAqB,EACrB,OAAA,GAAkB,IAAI,EACtB,QAAiB,EAAA;AAEjB,IAAA,MAAM,IAAI,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;AAExC,IAAA,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE;AACtB,QAAA,IAAI;YACF,MAAM,MAAM,GAAG,MAAMC,gCAAsB,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YACpE,IAAI,MAAM,CAAC,EAAE,IAAI,MAAM,CAAC,IAAI,EAAE;;AAE5B,gBAAA,IAAI;AACF,oBAAA,OAAO,IAAID,oBAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;iBACzC;AAAC,gBAAA,MAAM;;oBAEN,MAAM,GAAG,GAAGE,0BAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;AAC1C,oBAAA,OAAO,IAAIF,oBAAe,CAAC,GAAG,CAAC,CAAC;iBACjC;aACF;SACF;AAAC,QAAA,MAAM;;SAEP;KACF;AAED,IAAA,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;AAKG;AACI,eAAe,gBAAgB,CACpC,IAAqB,EACrB,UAA2B,EAAA;;;AAI3B,IAAA,MAAM,aAAa,GAAGG,oBAAS,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,EAAEC,oBAAW,CAAC,CAAC;AACvE,IAAA,MAAM,aAAa,GAAGC,qBAAU,CAAC,SAAS,CAAC,aAAa,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;AACjF,IAAA,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,aAAa,CAAC,CAAC;;AAGxD,IAAA,MAAM,aAAa,GAAG,MAAM,WAAW,CACrC,aAAa,CAAC,cAAc,CAAC,oBAAoB,CAAC,gBAAgB,CACnE,CAAC;;IAGF,MAAM,YAAY,GAAGC,0BAAgB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;;AAGzD,IAAA,MAAM,MAAM,GAAG,IAAIC,eAAM,CAAC;QACxB,aAAa,EAAE,IAAIC,4BAAmB,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AAC/D,QAAA,cAAc,EAAE,IAAIC,sBAAW,CAAC,cAAc,CAAC;AAC/C,QAAA,aAAa,EAAE,IAAIA,sBAAW,CAAC,aAAa,CAAC;AAC7C,QAAA,YAAY,EAAE,YAAY;AAC3B,KAAA,CAAC,CAAC;;IAGH,MAAM,OAAO,GAAG,IAAIC,gBAAO,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;;AAGjD,IAAA,MAAM,UAAU,GAAG,IAAIC,mBAAU,CAAC;QAChC,WAAW,EAAE,CAAC,OAAO,CAAC;AACvB,KAAA,CAAC,CAAC;;IAGH,MAAM,WAAW,GAAG,IAAIC,oBAAW,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC;AAEpD,IAAA,OAAOP,qBAAU,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;AAC3C,CAAC;AAED;;;;AAIG;AACG,SAAU,iBAAiB,CAAC,YAAyB,EAAA;AACzD,IAAA,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;AAEvB,IAAA,IAAI;QACF,MAAM,QAAQ,GAAGA,qBAAU,CAAC,KAAK,CAAC,YAAY,EAAEQ,qBAAY,CAAC,CAAC;;AAG9D,QAAA,QAAQ,QAAQ,CAAC,cAAc;YAC7B,KAAKC,2BAAkB,CAAC,UAAU;gBAChC,MAAM;YACR,KAAKA,2BAAkB,CAAC,gBAAgB;gBACtC,OAAO;AACL,oBAAA,OAAO,EAAE,KAAK;AACd,oBAAA,MAAM,EAAE,OAAO;AACf,oBAAA,MAAM,EAAE,MAAM;AACd,oBAAA,MAAM,EAAE,4CAA4C;AACpD,oBAAA,SAAS,EAAE,GAAG;iBACf,CAAC;YACJ,KAAKA,2BAAkB,CAAC,aAAa;gBACnC,OAAO;AACL,oBAAA,OAAO,EAAE,KAAK;AACd,oBAAA,MAAM,EAAE,OAAO;AACf,oBAAA,MAAM,EAAE,MAAM;AACd,oBAAA,MAAM,EAAE,yCAAyC;AACjD,oBAAA,SAAS,EAAE,GAAG;iBACf,CAAC;YACJ,KAAKA,2BAAkB,CAAC,QAAQ;gBAC9B,OAAO;AACL,oBAAA,OAAO,EAAE,KAAK;AACd,oBAAA,MAAM,EAAE,SAAS;AACjB,oBAAA,MAAM,EAAE,MAAM;AACd,oBAAA,MAAM,EAAE,oCAAoC;AAC5C,oBAAA,SAAS,EAAE,GAAG;iBACf,CAAC;YACJ,KAAKA,2BAAkB,CAAC,WAAW;gBACjC,OAAO;AACL,oBAAA,OAAO,EAAE,KAAK;AACd,oBAAA,MAAM,EAAE,OAAO;AACf,oBAAA,MAAM,EAAE,MAAM;AACd,oBAAA,MAAM,EAAE,mCAAmC;AAC3C,oBAAA,SAAS,EAAE,GAAG;iBACf,CAAC;YACJ,KAAKA,2BAAkB,CAAC,YAAY;gBAClC,OAAO;AACL,oBAAA,OAAO,EAAE,KAAK;AACd,oBAAA,MAAM,EAAE,OAAO;AACf,oBAAA,MAAM,EAAE,MAAM;AACd,oBAAA,MAAM,EAAE,uCAAuC;AAC/C,oBAAA,SAAS,EAAE,GAAG;iBACf,CAAC;AACJ,YAAA;gBACE,OAAO;AACL,oBAAA,OAAO,EAAE,KAAK;AACd,oBAAA,MAAM,EAAE,OAAO;AACf,oBAAA,MAAM,EAAE,MAAM;AACd,oBAAA,MAAM,EAAE,CAAA,wCAAA,EAA2C,QAAQ,CAAC,cAAc,CAAE,CAAA;AAC5E,oBAAA,SAAS,EAAE,GAAG;iBACf,CAAC;SACL;;AAGD,QAAA,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE;YAC3B,OAAO;AACL,gBAAA,OAAO,EAAE,KAAK;AACd,gBAAA,MAAM,EAAE,OAAO;AACf,gBAAA,MAAM,EAAE,MAAM;AACd,gBAAA,MAAM,EAAE,qCAAqC;AAC7C,gBAAA,SAAS,EAAE,GAAG;aACf,CAAC;SACH;;AAGD,QAAA,MAAM,aAAa,GAAGT,qBAAU,CAAC,KAAK,CACpC,QAAQ,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,EACtCU,0BAAiB,CAClB,CAAC;;AAGF,QAAA,MAAM,SAAS,GAAG,aAAa,CAAC,eAAe,CAAC,SAAS,CAAC;QAC1D,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE;YACxC,OAAO;AACL,gBAAA,OAAO,EAAE,KAAK;AACd,gBAAA,MAAM,EAAE,OAAO;AACf,gBAAA,MAAM,EAAE,MAAM;AACd,gBAAA,MAAM,EAAE,8CAA8C;AACtD,gBAAA,SAAS,EAAE,GAAG;aACf,CAAC;SACH;AAED,QAAA,MAAM,cAAc,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;AACpC,QAAA,MAAM,UAAU,GAAG,cAAc,CAAC,UAAU,CAAC;;AAG7C,QAAA,IAAI,UAAU,CAAC,IAAI,KAAK,SAAS,EAAE;YACjC,OAAO;AACL,gBAAA,OAAO,EAAE,IAAI;AACb,gBAAA,MAAM,EAAE,MAAM;AACd,gBAAA,MAAM,EAAE,MAAM;AACd,gBAAA,SAAS,EAAE,GAAG;aACf,CAAC;SACH;AAAM,aAAA,IAAI,UAAU,CAAC,OAAO,EAAE;YAC7B,OAAO;AACL,gBAAA,OAAO,EAAE,KAAK;AACd,gBAAA,MAAM,EAAE,SAAS;AACjB,gBAAA,MAAM,EAAE,MAAM;AACd,gBAAA,MAAM,EACJ,UAAU,CAAC,OAAO,CAAC,gBAAgB,KAAK,SAAS;AAC/C,sBAAE,CAAgC,6BAAA,EAAA,UAAU,CAAC,OAAO,CAAC,gBAAgB,CAAG,CAAA,CAAA;AACxE,sBAAE,qBAAqB;AAC3B,gBAAA,SAAS,EAAE,UAAU,CAAC,OAAO,CAAC,cAAc;AAC5C,gBAAA,SAAS,EAAE,GAAG;aACf,CAAC;SACH;AAAM,aAAA,IAAI,UAAU,CAAC,OAAO,KAAK,SAAS,EAAE;YAC3C,OAAO;AACL,gBAAA,OAAO,EAAE,KAAK;AACd,gBAAA,MAAM,EAAE,SAAS;AACjB,gBAAA,MAAM,EAAE,MAAM;AACd,gBAAA,MAAM,EAAE,qDAAqD;AAC7D,gBAAA,SAAS,EAAE,GAAG;aACf,CAAC;SACH;QAED,OAAO;AACL,YAAA,OAAO,EAAE,KAAK;AACd,YAAA,MAAM,EAAE,OAAO;AACf,YAAA,MAAM,EAAE,MAAM;AACd,YAAA,MAAM,EAAE,gDAAgD;AACxD,YAAA,SAAS,EAAE,GAAG;SACf,CAAC;KACH;IAAC,OAAO,KAAK,EAAE;QACd,OAAO;AACL,YAAA,OAAO,EAAE,KAAK;AACd,YAAA,MAAM,EAAE,OAAO;AACf,YAAA,MAAM,EAAE,MAAM;AACd,YAAA,MAAM,EAAE,CAAkC,+BAAA,EAAA,KAAK,YAAY,KAAK,GAAG,KAAK,CAAC,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,CAAE,CAAA;AAClG,YAAA,SAAS,EAAE,GAAG;SACf,CAAC;KACH;AACH,CAAC;AAED;;;;;;AAMG;AACI,eAAe,SAAS,CAC7B,IAAqB,EACrB,UAAkC,EAClC,OAAA,GAAgF,EAAE,EAAA;AAElF,IAAA,MAAM,EAAE,OAAO,GAAG,IAAI,EAAE,gBAAgB,GAAG,EAAE,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;AACpE,IAAA,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;;AAGvB,IAAA,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;AACvC,IAAA,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE;QACzB,OAAO;AACL,YAAA,OAAO,EAAE,KAAK;AACd,YAAA,MAAM,EAAE,SAAS;AACjB,YAAA,MAAM,EAAE,MAAM;AACd,YAAA,MAAM,EAAE,uCAAuC;AAC/C,YAAA,SAAS,EAAE,GAAG;SACf,CAAC;KACH;;IAGD,IAAI,MAAM,GAAG,UAAU,CAAC;IACxB,IAAI,CAAC,MAAM,EAAE;;AAEX,QAAA,MAAM,GAAG,iBAAiB,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;KACpD;IACD,IAAI,CAAC,MAAM,EAAE;;QAEX,MAAM,GAAG,MAAM,kBAAkB,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;KAC5D;IACD,IAAI,CAAC,MAAM,EAAE;QACX,OAAO;AACL,YAAA,OAAO,EAAE,KAAK;AACd,YAAA,MAAM,EAAE,SAAS;AACjB,YAAA,MAAM,EAAE,MAAM;AACd,YAAA,MAAM,EAAE,qDAAqD;AAC7D,YAAA,SAAS,EAAE,GAAG;SACf,CAAC;KACH;;AAGD,IAAA,IAAI,OAAoB,CAAC;AACzB,IAAA,IAAI;QACF,OAAO,GAAG,MAAM,gBAAgB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;KAChD;IAAC,OAAO,KAAK,EAAE;QACd,OAAO;AACL,YAAA,OAAO,EAAE,KAAK;AACd,YAAA,MAAM,EAAE,OAAO;AACf,YAAA,MAAM,EAAE,MAAM;AACd,YAAA,MAAM,EAAE,CAAiC,8BAAA,EAAA,KAAK,YAAY,KAAK,GAAG,KAAK,CAAC,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,CAAE,CAAA;AACjG,YAAA,SAAS,EAAE,GAAG;SACf,CAAC;KACH;;AAGD,IAAA,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE;AAC1B,QAAA,IAAI;AACF,YAAA,MAAM,MAAM,GAAG,MAAMC,mBAAS,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YAChE,IAAI,MAAM,CAAC,EAAE,IAAI,MAAM,CAAC,IAAI,EAAE;AAC5B,gBAAA,OAAO,iBAAiB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;aACvC;SACF;AAAC,QAAA,MAAM;;SAEP;KACF;IAED,OAAO;AACL,QAAA,OAAO,EAAE,KAAK;AACd,QAAA,MAAM,EAAE,OAAO;AACf,QAAA,MAAM,EAAE,MAAM;AACd,QAAA,MAAM,EAAE,0BAA0B;AAClC,QAAA,SAAS,EAAE,GAAG;KACf,CAAC;AACJ;;ACpZA,MAAM,4BAA4B,GAAG,WAAW,CAAC;AACjD,MAAM,0BAA0B,GAAG,WAAW,CAAC;AAO/C,eAAe,gBAAgB,CAAC,KAAkB,EAAA;AAChD,IAAA,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;AAC5D,IAAA,OAAOC,0BAAgB,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,4BAA4B,CAAC,WAA4B,EAAA;IAChE,MAAM,sBAAsB,GAAG,WAAW,CAAC,YAAY,CACrD,4BAA4B,CACa,CAAC;AAE5C,IAAA,OAAOC,gCAAsB,CAAC,sBAAsB,EAAE,KAAK,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,0BAA0B,CAAC,WAA4B,EAAA;IAC9D,MAAM,oBAAoB,GAAG,WAAW,CAAC,YAAY,CACnD,0BAA0B,CACa,CAAC;AAE1C,IAAA,OAAOA,gCAAsB,CAAC,oBAAoB,EAAE,KAAK,CAAC,CAAC;AAC7D,CAAC;AAEM,eAAe,oCAAoC,CACxD,cAAsB,EACtB,UAAwC,EAAE,EAAA;AAE1C,IAAA,MAAM,iBAAiB,GAAG,IAAIlB,oBAAe,CAAC,cAAc,CAAC,CAAC;AAC9D,IAAA,IAAI,iBAAiB,GACnB,OAAO,CAAC,gBAAgB,IAAI,OAAO,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC;UAC3D,iBAAiB,CAAC,iBAAiB,EAAE,OAAO,CAAC,gBAAgB,CAAC;UAC9D,IAAI,CAAC;AAEX,IAAA,IAAI,CAAC,iBAAiB,IAAI,OAAO,CAAC,YAAY,EAAE;AAC9C,QAAA,iBAAiB,GAAG,MAAM,kBAAkB,CAC1C,iBAAiB,EACjB,OAAO,CAAC,YAAY,CAAC,OAAO,EAC5B,OAAO,CAAC,YAAY,CAAC,QAAQ,CAC9B,CAAC;KACH;IAED,OAAO;AACL,QAAA,eAAe,EAAEmB,oCAA0B,CAAC,iBAAiB,CAAC,MAAM,CAAC;AACrE,QAAA,yBAAyB,EAAE,4BAA4B,CAAC,iBAAiB,CAAC;AAC1E,QAAA,iBAAiB,EAAE,iBAAiB;AAClC,cAAE;AACE,gBAAA,SAAS,EAAEA,oCAA0B,CAAC,iBAAiB,CAAC,OAAO,CAAC;gBAChE,aAAa,EAAE,MAAM,gBAAgB,CAAC,iBAAiB,CAAC,SAAS,CAAC,OAAO,CAAC;AAC3E,aAAA;AACH,cAAE,IAAI;KACT,CAAC;AACJ,CAAC;AAEM,eAAe,yCAAyC,CAC7D,cAAsB,EAAA;AAEtB,IAAA,MAAM,WAAW,GAAG,IAAInB,oBAAe,CAAC,cAAc,CAAC,CAAC;IAExD,OAAO;AACL,QAAA,SAAS,EAAEmB,oCAA0B,CAAC,WAAW,CAAC,OAAO,CAAC;AAC1D,QAAA,uBAAuB,EAAE,0BAA0B,CAAC,WAAW,CAAC;QAChE,aAAa,EAAE,MAAM,gBAAgB,CAAC,WAAW,CAAC,SAAS,CAAC,OAAO,CAAC;KACrE,CAAC;AACJ;;;;;;"}