micro509 0.1.0

package/dist/x509/parse.d.ts

@@ -0,0 +1,377 @@
+import { NameFieldKey } from "./name.js";
+import { AuthorityInformationAccess, BasicConstraints, CertificatePolicies, DistributionPointReason, ExtendedKeyUsage, GeneralName, GeneralSubtree, InhibitAnyPolicy, KeyUsage, NameConstraints, ParsedNameConstraintForm, PolicyConstraints, PolicyMappings, SubjectAltName } from "./extensions.js";
+import { ParsedBitFlags } from "../internal/x509/extension-bits.js";
+
+//#region src/x509/parse.d.ts
+/**
+* A single decoded name attribute from an X.501 RelativeDistinguishedName.
+*
+* RFC 5280 / X.501 call this structure an `AttributeTypeAndValue`.
+*
+* @see {@link https://datatracker.ietf.org/doc/html/rfc5280#appendix-A.1 RFC 5280 Appendix A.1}
+*/
+interface ParsedNameAttribute {
+  /** Dotted-decimal OID of the attribute type (e.g. `"2.5.4.3"` for CN). */
+  readonly oid: string;
+  /** Friendly key when the OID maps to a well-known field (CN, O, etc.). */
+  readonly key?: NameFieldKey;
+  /** ASN.1 tag of the value encoding (UTF8String = 0x0c, PrintableString = 0x13, etc.). */
+  readonly valueTag: number;
+  /** Decoded string content of the attribute value. */
+  readonly value: string;
+}
+/**
+* An X.501 Distinguished Name decoded from an issuer or subject field.
+*
+* Provides three views of the same data: ordered RDNs, a flat attribute
+* list, and a convenience key-value map for well-known fields.
+*/
+interface ParsedName {
+  /** Hex-encoded DER of the complete Name SEQUENCE, usable for byte-exact comparisons. */
+  readonly derHex: string;
+  /** Ordered list of RelativeDistinguishedNames, preserving multi-valued RDN structure. */
+  readonly rdns: readonly ParsedRelativeDistinguishedName[];
+  /** Flat list of every attribute across all RDNs, in encounter order. */
+  readonly attributes: readonly ParsedNameAttribute[];
+  /** First-occurrence map of well-known fields (CN, O, OU, etc.) for quick lookups. */
+  readonly values: Partial<Record<NameFieldKey, string>>;
+}
+/** A single RelativeDistinguishedName SET from an X.501 Name. */
+interface ParsedRelativeDistinguishedName {
+  /** Hex-encoded DER of this RDN SET element. */
+  readonly derHex: string;
+  /** Attributes within this RDN (usually one, but multi-valued RDNs are legal). */
+  readonly attributes: readonly ParsedNameAttribute[];
+  /** First-occurrence map of well-known fields within this RDN. */
+  readonly values: Partial<Record<NameFieldKey, string>>;
+}
+/**
+* The name component of a CRL Distribution Point (RFC 5280 §4.2.1.13).
+* Exactly one of `fullName` or `relativeName` will be present.
+*/
+interface ParsedDistributionPointName {
+  /** Absolute GeneralName(s) identifying the distribution point. */
+  readonly fullName?: readonly GeneralName[];
+  /** Name relative to the CRL issuer's distinguished name. */
+  readonly relativeName?: ParsedRelativeDistinguishedName;
+}
+/** A decoded DistributionPoint from the CRL Distribution Points extension. */
+interface ParsedDistributionPoint {
+  /** Where to fetch the CRL — a fullName URI or relativeName. */
+  readonly distributionPoint?: ParsedDistributionPointName;
+  /** Revocation reason subset this distribution point covers. Absent means all reasons. */
+  readonly reasons?: ParsedBitFlags<DistributionPointReason>;
+  /** Entity that signed the CRL, when different from the certificate issuer. */
+  readonly crlIssuer?: readonly GeneralName[];
+}
+/**
+* Decoded Issuing Distribution Point CRL extension (RFC 5280 §5.2.5).
+* Constrains which certificates a CRL covers (scope, reasons, indirection).
+*/
+interface ParsedIssuingDistributionPoint {
+  /** Where to fetch this CRL, if specified. */
+  readonly distributionPoint?: ParsedDistributionPointName;
+  /** When true, this CRL only covers end-entity certificates. Default false. */
+  readonly onlyContainsUserCerts?: boolean;
+  /** When true, this CRL only covers CA certificates. Default false. */
+  readonly onlyContainsCACerts?: boolean;
+  /** Limits the CRL to these revocation reasons. Absent means all reasons. */
+  readonly onlySomeReasons?: ParsedBitFlags<DistributionPointReason>;
+  /** When true, this CRL may contain entries from CAs other than the issuer. Default false. */
+  readonly indirectCrl?: boolean;
+  /** When true, this CRL only covers attribute certificates. Default false. */
+  readonly onlyContainsAttributeCerts?: boolean;
+}
+/** A raw X.509v3 extension before type-specific decoding. */
+interface ParsedExtension {
+  /** Dotted-decimal OID identifying this extension. */
+  readonly oid: string;
+  /** Whether a validator MUST reject the certificate if it cannot process this extension. */
+  readonly critical: boolean;
+  /** DER-encoded OCTET STRING payload (extnValue). */
+  readonly valueDer: Uint8Array;
+  /** Hex-encoded form of `valueDer` for display and comparison. */
+  readonly valueHex: string;
+}
+/**
+* User-supplied decoder for a single extension OID.
+*
+* Register with {@linkcode ParseOptions.decoders} or {@linkcode ParseOptions.decoderMap}
+* to decode custom extensions during parsing.
+*/
+interface ExtensionDecoder<TValue> {
+  /** OID this decoder handles. */
+  readonly oid: string;
+  /** Decode the raw {@linkcode ParsedExtension} into a typed value. */
+  decode(extension: ParsedExtension): TValue;
+}
+/**
+* Identity helper that narrows the type of a custom {@linkcode ExtensionDecoder} literal.
+*
+* @param decoder Decoder definition to return unchanged.
+* @returns The same decoder, properly typed.
+*/
+declare function defineExtensionDecoder<TValue>(decoder: ExtensionDecoder<TValue>): ExtensionDecoder<TValue>;
+/**
+* Identity helper that narrows the type of a custom {@linkcode ExtensionDecoderMap} literal.
+*
+* @param decoderMap Map of named decoders to return unchanged.
+* @returns The same map, properly typed.
+*/
+declare function defineExtensionDecoderMap<TMap extends ExtensionDecoderMap>(decoderMap: TMap): TMap;
+/** String-keyed map of {@linkcode ExtensionDecoder}s, used with {@linkcode ParseOptions.decoderMap}. */
+type ExtensionDecoderMap = Record<string, ExtensionDecoder<unknown>>;
+/** Inferred result type when decoding extensions via an {@linkcode ExtensionDecoderMap}. */
+type DecodedExtensionMap<TMap extends ExtensionDecoderMap> = { [TKey in keyof TMap]?: TMap[TKey] extends ExtensionDecoder<infer TValue> ? DecodedExtensionValue<TValue> : never };
+/** A successfully decoded extension value paired with its OID and criticality. */
+interface DecodedExtensionValue<TValue> {
+  /** Dotted-decimal OID of the decoded extension. */
+  readonly oid: string;
+  /** Whether the extension was marked critical in the certificate. */
+  readonly critical: boolean;
+  /** Typed value produced by the {@linkcode ExtensionDecoder}. */
+  readonly value: TValue;
+}
+/**
+* Options for {@linkcode parseCertificateDer}, {@linkcode parseCertificatePem},
+* and CSR parse functions.
+*
+* Supply custom extension decoders to have their results included in the parsed output alongside
+* the built-in extensions.
+*/
+interface ParseOptions<TMap extends ExtensionDecoderMap = Record<never, never>> {
+  /** Array of decoders; decoded values appear in `decodedExtensions`. */
+  readonly decoders?: readonly ExtensionDecoder<unknown>[];
+  /** Named decoder map; decoded values appear in `decodedExtensionMap` keyed by map key. */
+  readonly decoderMap?: TMap;
+}
+/**
+* A fully decoded X.509 certificate.
+*
+* Built-in extensions (basicConstraints, keyUsage, etc.) are decoded into
+* typed fields automatically.\
+* Supply {@linkcode ParseOptions} to also decode custom extensions.
+*/
+interface ParsedCertificate<TMap extends ExtensionDecoderMap = Record<never, never>> {
+  /** Complete DER encoding of the certificate (copied from the input). */
+  readonly der: Uint8Array;
+  /** X.509 version number (1, 2, or 3). Almost always 3. */
+  readonly version: number;
+  /** Hex-encoded serial number assigned by the issuing CA. */
+  readonly serialNumberHex: string;
+  /** DER encoding of the TBSCertificate, used for signature verification. */
+  readonly tbsCertificateDer: Uint8Array;
+  /** DER encoding of the SubjectPublicKeyInfo, used for key import. */
+  readonly subjectPublicKeyInfoDer: Uint8Array;
+  /** Raw signature bytes (BIT STRING content, padding removed). */
+  readonly signatureValue: Uint8Array;
+  /** Distinguished name of the certificate issuer. */
+  readonly issuer: ParsedName;
+  /** Distinguished name of the certificate subject. */
+  readonly subject: ParsedName;
+  /** Start of the certificate validity period. */
+  readonly notBefore: Date;
+  /** End of the certificate validity period. */
+  readonly notAfter: Date;
+  /** OID of the algorithm used to sign this certificate (e.g. `"1.2.840.113549.1.1.11"` for SHA-256 with RSA). */
+  readonly signatureAlgorithmOid: string;
+  /** Human-readable signature algorithm name (e.g. `"ECDSA with SHA-256"`). */
+  readonly signatureAlgorithmName: string;
+  /** DER-encoded parameters for the signature algorithm. Absent for algorithms with no parameters. */
+  readonly signatureAlgorithmParametersDer?: Uint8Array;
+  /** OID of the subject's public key algorithm (e.g. `"1.2.840.10045.2.1"` for EC). */
+  readonly publicKeyAlgorithmOid: string;
+  /** Human-readable public key algorithm name (e.g. `"EC P-256"`). */
+  readonly publicKeyAlgorithmName: string;
+  /** DER-encoded parameters for the public key algorithm. Absent when implicit. */
+  readonly publicKeyAlgorithmParametersDer?: Uint8Array;
+  /** OID of the named curve or other key sub-parameter, when present. */
+  readonly publicKeyParametersOid?: string;
+  /** All extensions as raw {@linkcode ParsedExtension}s, in certificate order. */
+  readonly extensions: readonly ParsedExtension[];
+  /** Decoded Basic Constraints (RFC 5280 §4.2.1.9). */
+  readonly basicConstraints?: BasicConstraints;
+  /** Decoded Key Usage bit flags (RFC 5280 §4.2.1.3). */
+  readonly keyUsage?: ParsedBitFlags<KeyUsage>;
+  /** Decoded Extended Key Usage purposes (RFC 5280 §4.2.1.12). */
+  readonly extendedKeyUsage?: readonly ExtendedKeyUsage[];
+  /** Decoded Subject Alternative Names (RFC 5280 §4.2.1.6). */
+  readonly subjectAltNames?: readonly SubjectAltName[];
+  /** Decoded Name Constraints (RFC 5280 §4.2.1.10). */
+  readonly nameConstraints?: NameConstraints<ParsedNameConstraintForm>;
+  /** Decoded Certificate Policies (RFC 5280 §4.2.1.4). */
+  readonly certificatePolicies?: CertificatePolicies;
+  /** Decoded Policy Mappings (RFC 5280 §4.2.1.5). */
+  readonly policyMappings?: PolicyMappings;
+  /** Decoded Policy Constraints (RFC 5280 §4.2.1.11). */
+  readonly policyConstraints?: PolicyConstraints;
+  /** Decoded Inhibit anyPolicy (RFC 5280 §4.2.1.14). */
+  readonly inhibitAnyPolicy?: InhibitAnyPolicy;
+  /** Decoded Authority Information Access — OCSP and CA Issuer URIs (RFC 5280 §4.2.2.1). */
+  readonly authorityInfoAccess?: readonly AuthorityInformationAccess[];
+  /** Decoded CRL Distribution Points (RFC 5280 §4.2.1.13). */
+  readonly crlDistributionPoints?: readonly ParsedDistributionPoint[];
+  /** Custom-decoded extensions from {@linkcode ParseOptions.decoders}. */
+  readonly decodedExtensions?: readonly DecodedExtensionValue<unknown>[];
+  /** Custom-decoded extensions from {@linkcode ParseOptions.decoderMap}, keyed by map key. */
+  readonly decodedExtensionMap?: DecodedExtensionMap<TMap>;
+  /** Hex-encoded Subject Key Identifier (RFC 5280 §4.2.1.2). */
+  readonly subjectKeyIdentifier?: string;
+  /** Hex-encoded Authority Key Identifier (RFC 5280 §4.2.1.1). */
+  readonly authorityKeyIdentifier?: string;
+}
+/**
+* A fully decoded PKCS#10 Certificate Signing Request.
+*
+* Extension fields mirror {@linkcode ParsedCertificate} but come from the
+* CSR's extensionRequest attribute rather than the v3 extensions block.
+*/
+interface ParsedCertificateSigningRequest<TMap extends ExtensionDecoderMap = Record<never, never>> {
+  /** PKCS#10 version number (always 1). */
+  readonly version: number;
+  /** DER encoding of the CertificationRequestInfo, used for signature verification. */
+  readonly certificationRequestInfoDer: Uint8Array;
+  /** DER encoding of the SubjectPublicKeyInfo. */
+  readonly subjectPublicKeyInfoDer: Uint8Array;
+  /** Raw signature bytes (BIT STRING content, padding removed). */
+  readonly signatureValue: Uint8Array;
+  /** Distinguished name the requester wants on the certificate. */
+  readonly subject: ParsedName;
+  /** OID of the algorithm used to sign this CSR. */
+  readonly signatureAlgorithmOid: string;
+  /** Human-readable signature algorithm name (e.g. `"ECDSA with SHA-256"`). */
+  readonly signatureAlgorithmName: string;
+  /** DER-encoded parameters for the signature algorithm. Absent for algorithms with no parameters. */
+  readonly signatureAlgorithmParametersDer?: Uint8Array;
+  /** OID of the subject's public key algorithm. */
+  readonly publicKeyAlgorithmOid: string;
+  /** Human-readable public key algorithm name (e.g. `"EC P-256"`). */
+  readonly publicKeyAlgorithmName: string;
+  /** DER-encoded parameters for the public key algorithm. */
+  readonly publicKeyAlgorithmParametersDer?: Uint8Array;
+  /** OID of the named curve or other key sub-parameter, when present. */
+  readonly publicKeyParametersOid?: string;
+  /** All requested extensions as raw {@linkcode ParsedExtension}s. */
+  readonly requestedExtensions: readonly ParsedExtension[];
+  /** Decoded Basic Constraints from the extensionRequest attribute. */
+  readonly basicConstraints?: BasicConstraints;
+  /** Decoded Key Usage from the extensionRequest attribute. */
+  readonly keyUsage?: ParsedBitFlags<KeyUsage>;
+  /** Decoded Extended Key Usage from the extensionRequest attribute. */
+  readonly extendedKeyUsage?: readonly ExtendedKeyUsage[];
+  /** Decoded Subject Alternative Names from the extensionRequest attribute. */
+  readonly subjectAltNames?: readonly SubjectAltName[];
+  /** Decoded Name Constraints from the extensionRequest attribute. */
+  readonly nameConstraints?: NameConstraints<ParsedNameConstraintForm>;
+  /** Decoded Certificate Policies from the extensionRequest attribute. */
+  readonly certificatePolicies?: CertificatePolicies;
+  /** Decoded Policy Mappings from the extensionRequest attribute. */
+  readonly policyMappings?: PolicyMappings;
+  /** Decoded Policy Constraints from the extensionRequest attribute. */
+  readonly policyConstraints?: PolicyConstraints;
+  /** Decoded Inhibit anyPolicy from the extensionRequest attribute. */
+  readonly inhibitAnyPolicy?: InhibitAnyPolicy;
+  /** Decoded Authority Information Access from the extensionRequest attribute. */
+  readonly authorityInfoAccess?: readonly AuthorityInformationAccess[];
+  /** Decoded CRL Distribution Points from the extensionRequest attribute. */
+  readonly crlDistributionPoints?: readonly ParsedDistributionPoint[];
+  /** Custom-decoded extensions from {@linkcode ParseOptions.decoders}. */
+  readonly decodedExtensions?: readonly DecodedExtensionValue<unknown>[];
+  /** Custom-decoded extensions from {@linkcode ParseOptions.decoderMap}. */
+  readonly decodedExtensionMap?: DecodedExtensionMap<TMap>;
+}
+/**
+* Decode a DER-encoded X.509 certificate into a {@linkcode ParsedCertificate}.
+*
+* All built-in extensions (basicConstraints, keyUsage, subjectAltNames, etc.)
+* are decoded automatically.\
+* Pass {@linkcode ParseOptions} to also decode custom extensions.
+*
+* @example
+* ```ts
+* import { parseCertificateDer } from 'micro509';
+*
+* const cert = parseCertificateDer(derBytes);
+* console.log(cert.subject.values.commonName); // "example.com"
+* console.log(cert.keyUsage);                  // ["digitalSignature", "keyEncipherment"]
+* ```
+*
+* @param der Raw DER bytes of an X.509 certificate.
+* @param options Custom extension decoders to apply during parsing.
+*/
+declare function parseCertificateDer<TMap extends ExtensionDecoderMap = Record<never, never>>(der: Uint8Array, options?: ParseOptions<TMap>): ParsedCertificate<TMap>;
+/**
+* Decode a PEM-encoded X.509 certificate into a {@linkcode ParsedCertificate}.
+*
+* Expects a single `-----BEGIN CERTIFICATE-----` block. For bundles
+* containing multiple certificates, use {@linkcode parseCertificateChainPem}.
+*
+* @example
+* ```ts
+* import { parseCertificatePem } from 'micro509';
+*
+* const cert = parseCertificatePem(pemString);
+* console.log(cert.issuer.values.organization); // "Let's Encrypt"
+* console.log(cert.notAfter);          // Date
+* ```
+*
+* @param pem PEM string with a CERTIFICATE block.
+* @param options Custom extension decoders to apply during parsing.
+*/
+declare function parseCertificatePem<TMap extends ExtensionDecoderMap = Record<never, never>>(pem: string, options?: ParseOptions<TMap>): ParsedCertificate<TMap>;
+/**
+* Decode a PEM bundle containing one or more certificates.
+*
+* Non-CERTIFICATE blocks (e.g. private keys) are silently skipped.
+*
+* @param pemBundle PEM text that may contain multiple CERTIFICATE blocks.
+* @param options Custom extension decoders to apply during parsing.
+*/
+declare function parseCertificateChainPem<TMap extends ExtensionDecoderMap = Record<never, never>>(pemBundle: string, options?: ParseOptions<TMap>): readonly ParsedCertificate<TMap>[];
+/**
+* Decode a DER-encoded PKCS#10 CSR into a {@linkcode ParsedCertificateSigningRequest}.
+*
+* @param der Raw DER bytes of a PKCS#10 certificate signing request.
+* @param options Custom extension decoders to apply during parsing.
+*/
+declare function parseCertificateSigningRequestDer<TMap extends ExtensionDecoderMap = Record<never, never>>(der: Uint8Array, options?: ParseOptions<TMap>): ParsedCertificateSigningRequest<TMap>;
+/**
+* Decode a PEM-encoded PKCS#10 CSR into a {@linkcode ParsedCertificateSigningRequest}.
+*
+* @param pem PEM string with a CERTIFICATE REQUEST block.
+* @param options Custom extension decoders to apply during parsing.
+*/
+declare function parseCertificateSigningRequestPem<TMap extends ExtensionDecoderMap = Record<never, never>>(pem: string, options?: ParseOptions<TMap>): ParsedCertificateSigningRequest<TMap>;
+/**
+* Find a raw extension by OID within a parsed extension list.
+*
+* @param extensions Extension list from a {@linkcode ParsedCertificate} or CSR.
+* @param oid Dotted-decimal OID to look up.
+* @returns The matching extension, or `undefined` if not present.
+*/
+declare function findExtension(extensions: readonly ParsedExtension[], oid: string): ParsedExtension | undefined;
+/**
+* Decode a single extension using a custom {@linkcode ExtensionDecoder}.
+*
+* @param extensions Extension list to search.
+* @param decoder Decoder whose OID will be matched.
+* @returns The decoded value, or `undefined` if the extension is absent.
+*/
+declare function decodeExtension<TValue>(extensions: readonly ParsedExtension[], decoder: ExtensionDecoder<TValue>): TValue | undefined;
+/**
+* Decode all matching extensions using an array of {@linkcode ExtensionDecoder}s.
+*
+* @param extensions Extension list to search.
+* @param decoders Decoders to apply. Only matching OIDs produce output.
+*/
+declare function decodeExtensions(extensions: readonly ParsedExtension[], decoders: readonly ExtensionDecoder<unknown>[]): readonly DecodedExtensionValue<unknown>[];
+/**
+* Decode all matching extensions using a named {@linkcode ExtensionDecoderMap}.
+*
+* @param extensions Extension list to search.
+* @param decoderMap Named decoders. Results are keyed by the same map keys.
+*/
+declare function decodeExtensionMap<TMap extends ExtensionDecoderMap>(extensions: readonly ParsedExtension[], decoderMap: TMap): DecodedExtensionMap<TMap>;
+//#endregion
+export { DecodedExtensionMap, DecodedExtensionValue, ExtensionDecoder, ExtensionDecoderMap, ParseOptions, type ParsedBitFlags, ParsedCertificate, ParsedCertificateSigningRequest, ParsedDistributionPoint, ParsedDistributionPointName, ParsedExtension, ParsedIssuingDistributionPoint, ParsedName, ParsedNameAttribute, ParsedRelativeDistinguishedName, decodeExtension, decodeExtensionMap, decodeExtensions, defineExtensionDecoder, defineExtensionDecoderMap, findExtension, parseCertificateChainPem, parseCertificateDer, parseCertificatePem, parseCertificateSigningRequestDer, parseCertificateSigningRequestPem };
+//# sourceMappingURL=parse.d.ts.map

package/dist/x509/parse.js

@@ -0,0 +1,2 @@
+import{encodeLength as e,readElement as t,readRootElement as n,readSequenceChildren as r}from"../internal/asn1/der.js";import{childrenOf as i,decodeBoolean as a,decodeIntegerNumber as o,decodeNonNegativeIntegerNumber as s,decodeObjectIdentifier as c,decodeString as l,extractBitStringValue as u,parseTime as d,requireElement as f,toHex as p}from"../internal/asn1/asn1.js";import{OIDS as m}from"../internal/asn1/oids.js";import{pemDecode as h,splitPemBlocks as g}from"../pem/pem.js";import{describePublicKeyAlgorithm as _,describeSignatureAlgorithm as v}from"../internal/crypto/algorithm-names.js";import{decodeIpAddress as y}from"../internal/shared/ip.js";import{parseDistributionPointReasonFlagsContent as b,parseKeyUsageExtension as x}from"../internal/x509/extension-bits.js";import{nameFieldKeyFromOid as S}from"../internal/x509/name-fields.js";import{parseAuthorityInfoAccessMethodOid as C,parseExtendedKeyUsageOid as w}from"./extensions.js";import{decodeAndApplyKnownExtension as T}from"../internal/x509/extension-registry.js";const E=new TextDecoder;function D(e){return e}function O(e){return e}function k(e,t){let n=r(e,{maxDepth:64});if(n.length!==3)throw Error(`Malformed Certificate`);let a=f(n[0],`TBSCertificate`),s=f(n[1],`signatureAlgorithm`),c=f(n[2],`signatureValue`),l=i(e,a),d=0,m=1,h=l[d];if(h?.tag===160){let t=i(e,h),n=f(t[0],`version INTEGER`);if(t.length!==1||n.tag!==2)throw Error(`version must use INTEGER`);if(m=o(n.value)+1,m<1||m>3)throw Error(`Unsupported certificate version: ${String(m)}`);d+=1}let g=f(l[d],`serialNumber`);if(g.tag!==2)throw Error(`serialNumber must use INTEGER`);let y=f(l[d+1],`TBSCertificate signature`),b=f(l[d+2],`issuer`),x=f(l[d+3],`validity`),S=f(l[d+4],`subject`),C=f(l[d+5],`subjectPublicKeyInfo`),w=d+6,T=l[w];if(T?.tag===129){if(m<2)throw Error(`issuerUniqueID requires certificate version 2 or 3`);$(T.value,`issuerUniqueID`),w+=1}let E=l[w];if(E?.tag===130){if(m<2)throw Error(`subjectUniqueID requires certificate version 2 or 3`);$(E.value,`subjectUniqueID`),w+=1}let D=l[w]?.tag===163?l[w]:void 0;if(D!==void 0){if(m!==3)throw Error(`extensions require certificate version 3`);w+=1}if(w!==l.length)throw Error(`Unsupported TBSCertificate field tag: ${String(f(l[w],`TBSCertificate field`).tag)}`);let O=ne(e,D),k=ae(e,x),A=U(e,C),j=W(e,y),M=W(e,s);G(j,M);let N=t?.decoders===void 0?void 0:R(O.all,t.decoders),P=t?.decoderMap===void 0?void 0:z(O.all,t.decoderMap);return{der:new Uint8Array(e),version:m,serialNumberHex:p(g.value),tbsCertificateDer:e.slice(a.start-a.headerLength,a.end),subjectPublicKeyInfoDer:e.slice(C.start-C.headerLength,C.end),signatureValue:u(c),issuer:V(e,b),subject:V(e,S),notBefore:k.notBefore,notAfter:k.notAfter,signatureAlgorithmOid:M.oid,signatureAlgorithmName:v(M.oid,M.parametersDer),...M.parametersDer===void 0?{}:{signatureAlgorithmParametersDer:M.parametersDer},publicKeyAlgorithmOid:A.oid,publicKeyAlgorithmName:_(A.oid,A.parametersOid),...A.parametersDer===void 0?{}:{publicKeyAlgorithmParametersDer:A.parametersDer},...A.parametersOid===void 0?{}:{publicKeyParametersOid:A.parametersOid},extensions:O.all,...O.basicConstraints===void 0?{}:{basicConstraints:O.basicConstraints},...O.keyUsage===void 0?{}:{keyUsage:O.keyUsage},...O.extendedKeyUsage===void 0?{}:{extendedKeyUsage:O.extendedKeyUsage},...O.subjectAltNames===void 0?{}:{subjectAltNames:O.subjectAltNames},...O.nameConstraints===void 0?{}:{nameConstraints:O.nameConstraints},...O.certificatePolicies===void 0?{}:{certificatePolicies:O.certificatePolicies},...O.policyMappings===void 0?{}:{policyMappings:O.policyMappings},...O.policyConstraints===void 0?{}:{policyConstraints:O.policyConstraints},...O.inhibitAnyPolicy===void 0?{}:{inhibitAnyPolicy:O.inhibitAnyPolicy},...O.authorityInfoAccess===void 0?{}:{authorityInfoAccess:O.authorityInfoAccess},...O.crlDistributionPoints===void 0?{}:{crlDistributionPoints:O.crlDistributionPoints},...N===void 0?{}:{decodedExtensions:N},...P===void 0?{}:{decodedExtensionMap:P},...O.subjectKeyIdentifier===void 0?{}:{subjectKeyIdentifier:O.subjectKeyIdentifier},...O.authorityKeyIdentifier===void 0?{}:{authorityKeyIdentifier:O.authorityKeyIdentifier}}}function A(e,t){return k(h(`CERTIFICATE`,e),t)}function j(e,t){return typeof e==`string`?F(e,t):[k(new Uint8Array(e),t)]}function M(e,t){return typeof e==`string`?A(e,t):I(e)?e:k(new Uint8Array(e),t)}function N(e,t){return F(e,t)}function P(e,t){let n=r(e,{maxDepth:64});if(n.length!==3)throw Error(`Malformed CertificationRequest`);let a=f(n[0],`CertificationRequestInfo`),s=f(n[1],`signatureAlgorithm`),c=f(n[2],`signatureValue`),l=i(e,a);if(l.length<3||l.length>4)throw Error(`Malformed CertificationRequestInfo`);let d=f(l[0],`version`);if(d.tag!==2)throw Error(`version must use INTEGER`);let p=o(d.value)+1;if(p!==1)throw Error(`Unsupported CertificationRequestInfo version: ${String(p)}`);let m=f(l[1],`subject`),h=f(l[2],`subjectPublicKeyInfo`),g=l[3];if(g!==void 0&&g.tag!==160)throw Error(`CertificationRequestInfo attributes must use [0]`);let y=re(e,g),b=U(e,h),x=W(e,s),S=t?.decoders===void 0?void 0:R(y.all,t.decoders),C=t?.decoderMap===void 0?void 0:z(y.all,t.decoderMap);return{version:p,certificationRequestInfoDer:e.slice(a.start-a.headerLength,a.end),subjectPublicKeyInfoDer:e.slice(h.start-h.headerLength,h.end),signatureValue:u(c),subject:V(e,m),signatureAlgorithmOid:x.oid,signatureAlgorithmName:v(x.oid,x.parametersDer),...x.parametersDer===void 0?{}:{signatureAlgorithmParametersDer:x.parametersDer},publicKeyAlgorithmOid:b.oid,publicKeyAlgorithmName:_(b.oid,b.parametersOid),...b.parametersDer===void 0?{}:{publicKeyAlgorithmParametersDer:b.parametersDer},...b.parametersOid===void 0?{}:{publicKeyParametersOid:b.parametersOid},requestedExtensions:y.all,...y.basicConstraints===void 0?{}:{basicConstraints:y.basicConstraints},...y.keyUsage===void 0?{}:{keyUsage:y.keyUsage},...y.extendedKeyUsage===void 0?{}:{extendedKeyUsage:y.extendedKeyUsage},...y.subjectAltNames===void 0?{}:{subjectAltNames:y.subjectAltNames},...y.nameConstraints===void 0?{}:{nameConstraints:y.nameConstraints},...y.certificatePolicies===void 0?{}:{certificatePolicies:y.certificatePolicies},...y.policyMappings===void 0?{}:{policyMappings:y.policyMappings},...y.policyConstraints===void 0?{}:{policyConstraints:y.policyConstraints},...y.inhibitAnyPolicy===void 0?{}:{inhibitAnyPolicy:y.inhibitAnyPolicy},...y.authorityInfoAccess===void 0?{}:{authorityInfoAccess:y.authorityInfoAccess},...y.crlDistributionPoints===void 0?{}:{crlDistributionPoints:y.crlDistributionPoints},...S===void 0?{}:{decodedExtensions:S},...C===void 0?{}:{decodedExtensionMap:C}}}function F(e,t){return g(e).filter(e=>e.label===`CERTIFICATE`).map(e=>k(e.bytes,t))}function I(e){return`subjectPublicKeyInfoDer`in e}function ee(e,t){return P(h(`CERTIFICATE REQUEST`,e),t)}function L(e,t){return e.find(e=>e.oid===t)}function te(e,t){let n=L(e,t.oid);if(n!==void 0)return t.decode(n)}function R(e,t){let n=[];for(let r of t){let t=L(e,r.oid);t!==void 0&&n.push({oid:t.oid,critical:t.critical,value:r.decode(t)})}return n}function z(e,t){let n={};for(let r in t){let i=t[r];if(i===void 0)continue;let a=L(e,i.oid);a!==void 0&&(n={...n,[r]:{oid:a.oid,critical:a.critical,value:i.decode(a)}})}return n}function ne(e,t){return t===void 0?{all:[]}:B(e,f(i(e,t)[0],`extensions sequence`),`certificate`)}function re(e,t){if(t===void 0)return{all:[]};if(t.tag!==160)throw Error(`CertificationRequestInfo attributes must use [0]`);let n;for(let r of i(e,t)){let t=i(e,r);if(t.length!==2)throw Error(`Malformed CSR attribute`);if(c(f(t[0],`attribute OID`).value)!==m.extensionRequest)continue;if(n!==void 0)throw Error(`extensionRequest attribute must not repeat`);let a=f(t[1],`attribute values`);if(a.tag!==49)throw Error(`extensionRequest attribute values must use SET`);let o=i(e,a);if(o.length!==1)throw Error(`extensionRequest attribute must contain exactly one value`);n=B(e,f(o[0],`requested extensions`),`csr`)}return n??{all:[]}}function B(e,t,n){let r=[],o={},s=new Set;for(let l of i(e,t)){let t=i(e,l);if(t.length<2||t.length>3)throw Error(`Malformed Extension`);let u=c(f(t[0],`extension OID`).value);if(s.has(u))throw Error(`Duplicate extension OID: ${u}`);s.add(u);let d=1,m=!1,h=t[d];h?.tag===1&&(m=a(h.value),d+=1);let g=f(t[d],`extension value`);if(g.tag!==4||d!==t.length-1)throw Error(`Extension value must use OCTET STRING`);r.push({oid:u,critical:m,valueDer:new Uint8Array(g.value),valueHex:p(g.value)}),T(n,u,o,g.value)}return{all:r,...o}}function V(e,t){let n=[],r=[],a={};for(let o of i(e,t)){let t=H(e,o);n.push(t);for(let e of t.attributes)r.push(e),e.key!==void 0&&a[e.key]===void 0&&(a[e.key]=e.value)}return{derHex:p(e.slice(t.start-t.headerLength,t.end)),rdns:n,attributes:r,values:a}}function ie(e,t){return H(e,t)}function H(e,t){let n=[],r={};for(let a of i(e,t)){let t=i(e,a),o=c(f(t[0],`name OID`).value),s=f(t[1],`name value`),u=S(o),d=l(s.tag,s.value),p=u===void 0?{oid:o,valueTag:s.tag,value:d}:{oid:o,key:u,valueTag:s.tag,value:d};n.push(p),u!==void 0&&r[u]===void 0&&(r[u]=d)}return{derHex:p(e.slice(t.start-t.headerLength,t.end)),attributes:n,values:r}}function ae(e,t){let n=i(e,t);return{notBefore:d(f(n[0],`notBefore`)),notAfter:d(f(n[1],`notAfter`))}}function U(e,t){if(t.tag!==48)throw Error(`SubjectPublicKeyInfo must use SEQUENCE`);let n=i(e,t);if(n.length!==2)throw Error(`SubjectPublicKeyInfo must contain algorithm and subjectPublicKey`);let r=f(n[0],`SPKI algorithm`);if(r.tag!==48)throw Error(`SubjectPublicKeyInfo algorithm must use SEQUENCE`);let a=W(e,r);return u(f(n[1],`subjectPublicKey BIT STRING`)),a}function W(e,t){let n=i(e,t);if(n.length===0||n.length>2)throw Error(`Malformed AlgorithmIdentifier`);let r=c(f(n[0],`algorithm OID`).value),a=n[1];if(a===void 0)return{oid:r};let o=e.slice(a.start-a.headerLength,a.end);return a?.tag===6?{oid:r,parametersDer:o,parametersOid:c(a.value)}:{oid:r,parametersDer:o}}function G(e,t){if(e.oid!==t.oid||!K(e.parametersDer,t.parametersDer))throw Error(`Certificate signatureAlgorithm must match TBSCertificate signature`)}function K(e,t){if(e===void 0||t===void 0)return e===t;if(e.length!==t.length)return!1;for(let n=0;n<e.length;n+=1)if(e[n]!==t[n])return!1;return!0}function q(e){let t=n(e,{maxDepth:64});if(t.tag!==48)throw Error(`basicConstraints must use SEQUENCE`);let r=i(e,t),o=!1,c,l=!1,u=!1;for(let e of r){if(e.tag===1){if(l)throw Error(`basicConstraints cA must not repeat`);if(u)throw Error(`basicConstraints cA must precede pathLength`);l=!0,o=a(e.value);continue}if(e.tag===2){if(u)throw Error(`basicConstraints pathLength must not repeat`);u=!0,c=s(e.value,`basicConstraints pathLength`);continue}throw Error(`Unsupported basicConstraints field tag: ${String(e.tag)}`)}if(c!==void 0&&o!==!0)throw Error(`basicConstraints pathLength requires cA = true`);return c===void 0?{ca:o}:{ca:o,pathLength:c}}function oe(e){return x(e)}function se(e){return i(e,f(n(e,{maxDepth:64}),`extendedKeyUsage sequence`)).map(e=>w(c(e.value)))}function ce(e){let t=i(e,f(n(e,{maxDepth:64}),`certificatePolicies sequence`));if(t.length===0)throw Error(`certificatePolicies must not be empty`);return t.map(t=>le(e,t))}function le(e,t){let n=i(e,t),r=c(f(n[0],`policyIdentifier`).value),a=n[1];if(n.length>2)throw Error(`policyInformation has unexpected trailing fields`);if(a===void 0)return{policyIdentifier:r};let o=i(e,a);if(o.length===0)throw Error(`policyQualifiers must not be empty`);return{policyIdentifier:r,policyQualifiers:o.map(t=>ue(e,t))}}function ue(e,t){let n=i(e,t),r=c(f(n[0],`policyQualifierId`).value),a=f(n[1],`policyQualifier`);if(n.length>2)throw Error(`policyQualifierInfo has unexpected trailing fields`);if(r===m.cpsPolicyQualifier){if(a.tag!==22)throw Error(`cps policy qualifier must use IA5String`);return{type:`cps`,uri:l(a.tag,a.value)}}return r===m.userNoticePolicyQualifier?{type:`userNotice`,...J(e,a)}:{type:`oid`,oid:r,qualifierDer:e.slice(a.start-a.headerLength,a.end)}}function J(e,t){let n=i(e,t),r,a;for(let t of n){if(t.tag===48){if(r!==void 0)throw Error(`userNotice must not contain multiple noticeRef values`);r=de(e,t);continue}if(a!==void 0)throw Error(`userNotice must not contain multiple explicitText values`);a=Q(t)}return{...r===void 0?{}:{noticeRef:r},...a===void 0?{}:{explicitText:a}}}function de(e,t){if(t.tag!==48)throw Error(`noticeRef must use SEQUENCE`);let n=i(e,t),r=Q(f(n[0],`noticeRef organization`)),a=f(n[1],`noticeRef noticeNumbers`);if(n.length>2)throw Error(`noticeRef has unexpected trailing fields`);return{organization:r,noticeNumbers:fe(e,a)}}function fe(e,t){if(t.tag!==48)throw Error(`noticeRef noticeNumbers must use SEQUENCE`);let n=i(e,t);if(n.length===0)throw Error(`noticeRef noticeNumbers must not be empty`);return n.map(e=>{if(e.tag!==2)throw Error(`noticeRef noticeNumber must use INTEGER`);return s(e.value,`noticeRef noticeNumber`)})}function pe(e){let t=i(e,f(n(e,{maxDepth:64}),`policyMappings sequence`));if(t.length===0)throw Error(`policyMappings must not be empty`);return t.map(t=>{let n=i(e,t),r=c(f(n[0],`policyMappings issuerDomainPolicy`).value),a=c(f(n[1],`policyMappings subjectDomainPolicy`).value);if(n.length>2)throw Error(`policyMappings entry has unexpected trailing fields`);if(r===m.anyPolicy||a===m.anyPolicy)throw Error(`policyMappings must not use anyPolicy`);return{issuerDomainPolicy:r,subjectDomainPolicy:a}})}function me(e){let t=f(n(e,{maxDepth:64}),`policyConstraints sequence`),r,a;for(let n of i(e,t)){if(n.tag===128){if(r!==void 0)throw Error(`policyConstraints must not repeat requireExplicitPolicy`);r=s(n.value,`policyConstraints requireExplicitPolicy`);continue}if(n.tag===129){if(a!==void 0)throw Error(`policyConstraints must not repeat inhibitPolicyMapping`);a=s(n.value,`policyConstraints inhibitPolicyMapping`);continue}throw Error(`Unsupported policyConstraints field tag: ${n.tag}`)}if(r===void 0&&a===void 0)throw Error(`policyConstraints must set requireExplicitPolicy or inhibitPolicyMapping`);return{...r===void 0?{}:{requireExplicitPolicy:r},...a===void 0?{}:{inhibitPolicyMapping:a}}}function he(e){let t=f(n(e,{maxDepth:64}),`inhibitAnyPolicy integer`);if(t.tag!==2)throw Error(`inhibitAnyPolicy must be an INTEGER`);return{skipCerts:s(t.value,`inhibitAnyPolicy skipCerts`)}}function ge(e){return i(e,f(n(e,{maxDepth:64}),`subjectAltName sequence`)).map(t=>Y(e,t))}function _e(e){let t=f(n(e,{maxDepth:64}),`authorityInfoAccess sequence`);if(t.tag!==48)throw Error(`authorityInfoAccess must use SEQUENCE`);let r=i(e,t);if(r.length===0)throw Error(`authorityInfoAccess must not be empty`);return r.map(t=>{if(t.tag!==48)throw Error(`authorityInfoAccess entry must use SEQUENCE`);let n=i(e,t);if(n.length!==2)throw Error(`authorityInfoAccess entry must contain method and location only`);let r=f(n[0],`authorityInfoAccess method`),a=f(n[1],`authorityInfoAccess location`);if(r.tag!==6)throw Error(`authorityInfoAccess method must use OBJECT IDENTIFIER`);if(a.tag!==134)throw Error(`Unsupported authorityInfoAccess location tag: ${a.tag}`);return{method:C(c(r.value)),uri:E.decode(a.value)}})}function ve(e){let t=f(n(e,{maxDepth:64}),`CRLDistributionPoints sequence`);if(t.tag!==48)throw Error(`CRLDistributionPoints must use SEQUENCE`);let r=i(e,t);if(r.length===0)throw Error(`CRLDistributionPoints must not be empty`);let a=[];for(let t of r)a.push(ye(e,t));return a}function ye(e,t){if(t.tag!==48)throw Error(`DistributionPoint must use SEQUENCE`);let n,r,a;for(let o of i(e,t))if(o.tag===160){if(n!==void 0)throw Error(`DistributionPoint distributionPoint must not repeat`);n=be(e,o)}else if(o.tag===129){if(r!==void 0)throw Error(`DistributionPoint reasons must not repeat`);r=b(o.value)}else if(o.tag===162){if(a!==void 0)throw Error(`DistributionPoint crlIssuer must not repeat`);a=xe(e,o)}else throw Error(`Unsupported DistributionPoint field tag: ${String(o.tag)}`);if(n===void 0&&a===void 0)throw Error(`DistributionPoint must include distributionPoint or crlIssuer`);return{...n===void 0?{}:{distributionPoint:n},...r===void 0?{}:{reasons:r},...a===void 0?{}:{crlIssuer:a}}}function be(e,t){let n=i(e,t);if(n.length!==1)throw Error(`distributionPointName must contain exactly one choice`);let r=f(n[0],`distributionPointName`);if(r.tag===160){let t=i(e,r);if(t.length===0)throw Error(`distributionPointName fullName must not be empty`);for(let e of t)if((e.tag&192)!=128)throw Error(`distributionPointName fullName must contain GeneralName entries`);return{fullName:t.map(t=>Y(e,t))}}if(r.tag===161)return{relativeName:ie(e,r)};throw Error(`Unsupported distributionPointName tag: ${r.tag}`)}function xe(e,t){let n=i(e,t);if(n.length===0)throw Error(`GeneralNames must not be empty`);for(let e of n)if((e.tag&192)!=128)throw Error(`GeneralNames must contain GeneralName entries`);return n.map(t=>Y(e,t))}function Y(e,t){switch(t.tag){case 160:{let n=Se(e,t);return n===void 0?{type:`unknown`,tag:t.tag,value:e.slice(t.start,t.end)}:n}case 129:return{type:`email`,value:E.decode(t.value)};case 130:return{type:`dns`,value:E.decode(t.value)};case 134:return{type:`uri`,value:E.decode(t.value)};case 135:return{type:`ip`,value:y(t.value)};case 164:return{type:`directoryName`,derHex:p(Z(t,e))};default:return{type:`unknown`,tag:t.tag,value:e.slice(t.start,t.end)}}}function Se(e,t){let n=i(e,t);if(n.length!==1)throw Error(`otherName must contain exactly one SEQUENCE`);let r=i(e,f(n[0],`otherName sequence`));if(r.length!==2)throw Error(`otherName must contain exactly type-id and value`);let a=f(r[0],`otherName type-id`),o=f(r[1],`otherName value`);if(c(a.value)!==m.idOnDnsSrv)return;if(o.tag!==160)throw Error(`SRV-ID otherName value must use explicit [0]`);let s=i(e,o);if(s.length!==1)throw Error(`SRV-ID otherName value must contain exactly one IA5String`);let u=f(s[0],`SRV-ID IA5String`);if(u.tag!==22)throw Error(`SRV-ID otherName value must be an IA5String`);return{type:`srv`,value:l(u.tag,u.value)}}function Ce(e){let t=f(n(e,{maxDepth:64,allowOpaqueConstructedTags:[160,163,165]}),`nameConstraints sequence`);if(t.tag!==48)throw Error(`nameConstraints must use SEQUENCE`);let r,a;for(let n of i(e,t))if(n.tag===160){if(r!==void 0)throw Error(`nameConstraints permittedSubtrees must not repeat`);r=X(e,n)}else if(n.tag===161){if(a!==void 0)throw Error(`nameConstraints excludedSubtrees must not repeat`);a=X(e,n)}else throw Error(`Unsupported nameConstraints field tag: ${String(n.tag)}`);return{...r===void 0?{}:{permittedSubtrees:r},...a===void 0?{}:{excludedSubtrees:a}}}function X(e,t){let n=[],r=i(e,t);if(r.length===0)throw Error(`name constraints GeneralSubtrees must not be empty`);for(let t of r){if(t.tag!==48)throw Error(`name constraints GeneralSubtree must use SEQUENCE`);let r=i(e,t),a=r[0];if(a===void 0)throw Error(`name constraints GeneralSubtree base is required`);let o=!1;for(let e=1;e<r.length;e+=1){let t=r[e];if(t!==void 0)if(t.tag===128){if(o)throw Error(`name constraints GeneralSubtree minimum must not repeat`);if(o=!0,s(t.value,`name constraints GeneralSubtree minimum`)!==0)throw Error(`name constraints GeneralSubtree minimum must be 0`)}else if(t.tag===129)throw Error(`name constraints GeneralSubtree maximum is not supported`);else throw Error(`Unsupported name constraints GeneralSubtree field tag: ${String(t.tag)}`)}let c=we(e,a);c!==void 0&&n.push({base:c})}return n}function we(e,t){switch(t.tag){case 160:return{type:`otherName`,value:new Uint8Array(t.value)};case 129:return{type:`email`,value:E.decode(t.value)};case 130:return{type:`dns`,value:E.decode(t.value)};case 163:return{type:`x400Address`,value:new Uint8Array(t.value)};case 134:return{type:`uri`,value:E.decode(t.value)};case 135:if(t.value.length===8)return{type:`ip`,addressBytes:t.value.slice(0,4),maskBytes:t.value.slice(4,8)};if(t.value.length===32)return{type:`ip`,addressBytes:t.value.slice(0,16),maskBytes:t.value.slice(16,32)};throw Error(`Invalid IP name constraint: expected 8 (IPv4) or 32 (IPv6) bytes, got ${String(t.value.length)}`);case 164:return{type:`directoryName`,derHex:p(Z(t,e))};case 165:return{type:`ediPartyName`,value:new Uint8Array(t.value)};case 136:return{type:`registeredID`,value:c(t.value)}}throw Error(`Unsupported name constraint GeneralName tag: ${String(t.tag)}`)}function Z(t,n){if(t.value.length>0&&t.value[0]===48)return new Uint8Array(t.value);let r=e(t.value.length),i=new Uint8Array(1+r.length+t.value.length);return i[0]=48,i.set(r,1),i.set(t.value,1+r.length),i}function Q(e){switch(e.tag){case 12:case 22:case 26:return E.decode(e.value);case 30:return Te(e.value);default:throw Error(`Unsupported DisplayText tag: ${e.tag}`)}}function Te(e){if(e.length%2!=0)throw Error(`Invalid BMPString length`);let t=``;for(let n=0;n<e.length;n+=2){let r=e[n],i=e[n+1];if(r===void 0||i===void 0)throw Error(`Invalid BMPString content`);t+=String.fromCharCode(r<<8|i)}return t}function Ee(e){let n=f(t(e,0),`authorityKeyIdentifier sequence`);if(n.end!==e.length)throw Error(`Trailing data after DER element`);let r,a=!1,o=!1,s=-1,c=n.start;for(;c<n.end;){let l=t(e,c);if(l.end>n.end)throw Error(`DER child exceeds parent length`);if(l.tag===128){if(r!==void 0)throw Error(`authorityKeyIdentifier keyIdentifier must not repeat`);if(s>=0)throw Error(`authorityKeyIdentifier fields must preserve DER order`);r=p(l.value),s=0}else if(l.tag===161){if(a)throw Error(`authorityKeyIdentifier authorityCertIssuer must not repeat`);if(s>=1)throw Error(`authorityKeyIdentifier fields must preserve DER order`);let t=i(e,l);if(t.length===0)throw Error(`authorityKeyIdentifier authorityCertIssuer must contain GeneralName entries`);for(let n of t){if((n.tag&192)!=128)throw Error(`authorityKeyIdentifier authorityCertIssuer must contain GeneralName entries`);Y(e,n)}a=!0,s=1}else if(l.tag===130){if(o)throw Error(`authorityKeyIdentifier authorityCertSerialNumber must not repeat`);if(s>=2||!a)throw Error(`authorityKeyIdentifier fields must preserve DER order`);De(l.value,`authorityKeyIdentifier authorityCertSerialNumber`),o=!0,s=2}else throw Error(`Unsupported authorityKeyIdentifier field tag: ${String(l.tag)}`);c=l.end}if(c!==n.end)throw Error(`Malformed DER sequence`);if(a!==o)throw Error(`authorityKeyIdentifier authorityCertIssuer and authorityCertSerialNumber must appear together`);return r}function De(e,t){let n=e[0];if(n===void 0)throw Error(`${t} must not be empty`);if(n&128)throw Error(`${t} must be non-negative`);if(e.length>1&&n===0&&!((e[1]??0)&128))throw Error(`${t} must use minimal encoding`)}function $(e,t){let n=e[0];if(n===void 0||n>7)throw Error(`${t} must use BIT STRING encoding`);let r=e.slice(1);if(r.length===0){if(n!==0)throw Error(`${t} must use BIT STRING encoding`);return}if(n===0)return;let i=r[r.length-1];if(i===void 0)throw Error(`${t} must use BIT STRING encoding`);if(i&(1<<n)-1)throw Error(`${t} BIT STRING must not set padding bits`)}export{te as decodeExtension,z as decodeExtensionMap,R as decodeExtensions,D as defineExtensionDecoder,O as defineExtensionDecoderMap,L as findExtension,_e as parseAuthorityInfoAccess,Ee as parseAuthorityKeyIdentifier,q as parseBasicConstraints,N as parseCertificateChainPem,k as parseCertificateDer,M as parseCertificateFromSource,A as parseCertificatePem,ce as parseCertificatePolicies,P as parseCertificateSigningRequestDer,ee as parseCertificateSigningRequestPem,j as parseCertificatesFromSource,ve as parseCrlDistributionPoints,se as parseExtendedKeyUsage,he as parseInhibitAnyPolicy,oe as parseKeyUsage,Ce as parseNameConstraints,me as parsePolicyConstraints,pe as parsePolicyMappings,ge as parseSubjectAltNames};
+//# sourceMappingURL=parse.js.map