micro509 0.1.0

Files changed (115)
  1. package/LICENSE +22 -0
  2. package/README.md +220 -0
  3. package/dist/index.d.ts +21 -0
  4. package/dist/index.js +1 -0
  5. package/dist/internal/asn1/asn1.js +2 -0
  6. package/dist/internal/asn1/asn1.js.map +1 -0
  7. package/dist/internal/asn1/der.js +2 -0
  8. package/dist/internal/asn1/der.js.map +1 -0
  9. package/dist/internal/asn1/oids.js +2 -0
  10. package/dist/internal/asn1/oids.js.map +1 -0
  11. package/dist/internal/crypto/algorithm-names.js +2 -0
  12. package/dist/internal/crypto/algorithm-names.js.map +1 -0
  13. package/dist/internal/crypto/ecdsa.js +2 -0
  14. package/dist/internal/crypto/ecdsa.js.map +1 -0
  15. package/dist/internal/crypto/hash.js +2 -0
  16. package/dist/internal/crypto/hash.js.map +1 -0
  17. package/dist/internal/crypto/pbes2.d.ts +23 -0
  18. package/dist/internal/crypto/pbes2.js +2 -0
  19. package/dist/internal/crypto/pbes2.js.map +1 -0
  20. package/dist/internal/crypto/rsa-pss.js +2 -0
  21. package/dist/internal/crypto/rsa-pss.js.map +1 -0
  22. package/dist/internal/crypto/sig-verify.js +2 -0
  23. package/dist/internal/crypto/sig-verify.js.map +1 -0
  24. package/dist/internal/crypto/signing.d.ts +16 -0
  25. package/dist/internal/crypto/signing.js +2 -0
  26. package/dist/internal/crypto/signing.js.map +1 -0
  27. package/dist/internal/crypto/webcrypto.js +2 -0
  28. package/dist/internal/crypto/webcrypto.js.map +1 -0
  29. package/dist/internal/shared/base64.js +2 -0
  30. package/dist/internal/shared/base64.js.map +1 -0
  31. package/dist/internal/shared/dn.js +2 -0
  32. package/dist/internal/shared/dn.js.map +1 -0
  33. package/dist/internal/shared/ip.js +2 -0
  34. package/dist/internal/shared/ip.js.map +1 -0
  35. package/dist/internal/verify/name-constraints-engine.js +2 -0
  36. package/dist/internal/verify/name-constraints-engine.js.map +1 -0
  37. package/dist/internal/verify/policy-engine.js +2 -0
  38. package/dist/internal/verify/policy-engine.js.map +1 -0
  39. package/dist/internal/verify/verify-path.js +2 -0
  40. package/dist/internal/verify/verify-path.js.map +1 -0
  41. package/dist/internal/x509/extension-bits.d.ts +18 -0
  42. package/dist/internal/x509/extension-bits.js +2 -0
  43. package/dist/internal/x509/extension-bits.js.map +1 -0
  44. package/dist/internal/x509/extension-registry.js +2 -0
  45. package/dist/internal/x509/extension-registry.js.map +1 -0
  46. package/dist/internal/x509/name-fields.js +2 -0
  47. package/dist/internal/x509/name-fields.js.map +1 -0
  48. package/dist/keys/keys.d.ts +431 -0
  49. package/dist/keys/keys.js +5 -0
  50. package/dist/keys/keys.js.map +1 -0
  51. package/dist/keys.d.ts +3 -0
  52. package/dist/keys.js +1 -0
  53. package/dist/pem/pem.d.ts +56 -0
  54. package/dist/pem/pem.js +6 -0
  55. package/dist/pem/pem.js.map +1 -0
  56. package/dist/pem.d.ts +2 -0
  57. package/dist/pem.js +1 -0
  58. package/dist/pkcs/pfx.d.ts +177 -0
  59. package/dist/pkcs/pfx.js +2 -0
  60. package/dist/pkcs/pfx.js.map +1 -0
  61. package/dist/pkcs/pkcs12-mac.d.ts +41 -0
  62. package/dist/pkcs/pkcs12-mac.js +2 -0
  63. package/dist/pkcs/pkcs12-mac.js.map +1 -0
  64. package/dist/pkcs/pkcs7.d.ts +131 -0
  65. package/dist/pkcs/pkcs7.js +2 -0
  66. package/dist/pkcs/pkcs7.js.map +1 -0
  67. package/dist/pkcs.d.ts +5 -0
  68. package/dist/pkcs.js +1 -0
  69. package/dist/result/result.d.ts +68 -0
  70. package/dist/result/result.js +2 -0
  71. package/dist/result/result.js.map +1 -0
  72. package/dist/result.d.ts +2 -0
  73. package/dist/result.js +1 -0
  74. package/dist/revocation/chain.d.ts +180 -0
  75. package/dist/revocation/chain.js +2 -0
  76. package/dist/revocation/chain.js.map +1 -0
  77. package/dist/revocation/crl.d.ts +316 -0
  78. package/dist/revocation/crl.js +2 -0
  79. package/dist/revocation/crl.js.map +1 -0
  80. package/dist/revocation/ocsp.d.ts +332 -0
  81. package/dist/revocation/ocsp.js +2 -0
  82. package/dist/revocation/ocsp.js.map +1 -0
  83. package/dist/revocation/revocation.d.ts +168 -0
  84. package/dist/revocation/revocation.js +2 -0
  85. package/dist/revocation/revocation.js.map +1 -0
  86. package/dist/revocation.d.ts +5 -0
  87. package/dist/revocation.js +1 -0
  88. package/dist/verify/identity.d.ts +129 -0
  89. package/dist/verify/identity.js +2 -0
  90. package/dist/verify/identity.js.map +1 -0
  91. package/dist/verify/name-constraints.d.ts +18 -0
  92. package/dist/verify/policy.d.ts +39 -0
  93. package/dist/verify/verify.d.ts +404 -0
  94. package/dist/verify/verify.js +2 -0
  95. package/dist/verify/verify.js.map +1 -0
  96. package/dist/verify.d.ts +5 -0
  97. package/dist/verify.js +1 -0
  98. package/dist/x509/certificate.d.ts +191 -0
  99. package/dist/x509/certificate.js +2 -0
  100. package/dist/x509/certificate.js.map +1 -0
  101. package/dist/x509/csr.d.ts +55 -0
  102. package/dist/x509/csr.js +2 -0
  103. package/dist/x509/csr.js.map +1 -0
  104. package/dist/x509/extensions.d.ts +550 -0
  105. package/dist/x509/extensions.js +2 -0
  106. package/dist/x509/extensions.js.map +1 -0
  107. package/dist/x509/name.d.ts +140 -0
  108. package/dist/x509/name.js +2 -0
  109. package/dist/x509/name.js.map +1 -0
  110. package/dist/x509/parse.d.ts +377 -0
  111. package/dist/x509/parse.js +2 -0
  112. package/dist/x509/parse.js.map +1 -0
  113. package/dist/x509.d.ts +8 -0
  114. package/dist/x509.js +1 -0
  115. package/package.json +153 -0
@@ -0,0 +1 @@
1
+ {"version":3,"file":"parse.js","names":["derSource"],"sources":["../../src/x509/parse.ts"],"sourcesContent":["/**\n * Certificate and CSR parse boundary.\n *\n * Decodes DER and PEM inputs into typed {@linkcode ParsedCertificate} and\n * {@linkcode ParsedCertificateSigningRequest} structures.\\\n * Includes an extension-decoder framework for callers that need richer metadata beyond the built-in\n * extensions.\n *\n * @module\n */\n\nimport {\n\tchildrenOf,\n\tdecodeBoolean,\n\tdecodeIntegerNumber,\n\tdecodeNonNegativeIntegerNumber,\n\tdecodeObjectIdentifier,\n\tdecodeString,\n\textractBitStringValue,\n\tparseTime,\n\trequireElement,\n\ttoHex,\n} from '#micro509/internal/asn1/asn1.ts';\nimport type { DerElement } from '#micro509/internal/asn1/der.ts';\nimport {\n\tDEFAULT_MAX_DER_DEPTH,\n\tencodeLength,\n\treadElement,\n\treadRootElement,\n\treadSequenceChildren,\n} from '#micro509/internal/asn1/der.ts';\nimport { OIDS } from '#micro509/internal/asn1/oids.ts';\nimport {\n\tdescribePublicKeyAlgorithm,\n\tdescribeSignatureAlgorithm,\n} from '#micro509/internal/crypto/algorithm-names.ts';\nimport { decodeIpAddress } from '#micro509/internal/shared/ip.ts';\nimport {\n\ttype ParsedBitFlags,\n\tparseDistributionPointReasonFlagsContent,\n\tparseKeyUsageExtension,\n} from '#micro509/internal/x509/extension-bits.ts';\nimport {\n\tdecodeAndApplyKnownExtension,\n\ttype KnownParsedExtensionAccumulator,\n\ttype MutableKnownParsedExtensionAccumulator,\n} from '#micro509/internal/x509/extension-registry.ts';\nimport { pemDecode, splitPemBlocks } from '#micro509/pem/pem.ts';\nimport type {\n\tAuthorityInformationAccess,\n\tBasicConstraints,\n\tCertificatePolicies,\n\tDistributionPointReason,\n\tExtendedKeyUsage,\n\tGeneralName,\n\tGeneralSubtree,\n\tInhibitAnyPolicy,\n\tKeyUsage,\n\tNameConstraints,\n\tParsedNameConstraintForm,\n\tPolicyConstraints,\n\tPolicyMappings,\n\tSubjectAltName,\n} from './extensions.ts';\nimport { parseAuthorityInfoAccessMethodOid, 
parseExtendedKeyUsageOid } from './extensions.ts';\nimport { type NameFieldKey, nameFieldKeyFromOid } from './name.ts';\n\nexport type { ParsedBitFlags } from '#micro509/internal/x509/extension-bits.ts';\nexport type {\n\tAuthorityInformationAccess,\n\tBasicConstraints,\n\tCertificatePolicies,\n\tDistributionPointReason,\n\tExtendedKeyUsage,\n\tGeneralName,\n\tGeneralSubtree,\n\tInhibitAnyPolicy,\n\tKeyUsage,\n\tNameConstraints,\n\tParsedNameConstraintForm,\n\tPolicyConstraints,\n\tPolicyMappings,\n\tSubjectAltName,\n} from './extensions.ts';\nexport type { NameFieldKey } from './name.ts';\n\n/** Shared UTF-8 decoder for IA5String / UTF8String values. */\nconst textDecoder = new TextDecoder();\n\n/**\n * A single decoded name attribute from an X.501 RelativeDistinguishedName.\n *\n * RFC 5280 / X.501 call this structure an `AttributeTypeAndValue`.\n *\n * @see {@link https://datatracker.ietf.org/doc/html/rfc5280#appendix-A.1 RFC 5280 Appendix A.1}\n */\nexport interface ParsedNameAttribute {\n\t/** Dotted-decimal OID of the attribute type (e.g. `\"2.5.4.3\"` for CN). */\n\treadonly oid: string;\n\t/** Friendly key when the OID maps to a well-known field (CN, O, etc.). */\n\treadonly key?: NameFieldKey;\n\t/** ASN.1 tag of the value encoding (UTF8String = 0x0c, PrintableString = 0x13, etc.). */\n\treadonly valueTag: number;\n\t/** Decoded string content of the attribute value. */\n\treadonly value: string;\n}\n\n/**\n * An X.501 Distinguished Name decoded from an issuer or subject field.\n *\n * Provides three views of the same data: ordered RDNs, a flat attribute\n * list, and a convenience key-value map for well-known fields.\n */\nexport interface ParsedName {\n\t/** Hex-encoded DER of the complete Name SEQUENCE, usable for byte-exact comparisons. */\n\treadonly derHex: string;\n\t/** Ordered list of RelativeDistinguishedNames, preserving multi-valued RDN structure. 
*/\n\treadonly rdns: readonly ParsedRelativeDistinguishedName[];\n\t/** Flat list of every attribute across all RDNs, in encounter order. */\n\treadonly attributes: readonly ParsedNameAttribute[];\n\t/** First-occurrence map of well-known fields (CN, O, OU, etc.) for quick lookups. */\n\treadonly values: Partial<Record<NameFieldKey, string>>;\n}\n\n/** A single RelativeDistinguishedName SET from an X.501 Name. */\nexport interface ParsedRelativeDistinguishedName {\n\t/** Hex-encoded DER of this RDN SET element. */\n\treadonly derHex: string;\n\t/** Attributes within this RDN (usually one, but multi-valued RDNs are legal). */\n\treadonly attributes: readonly ParsedNameAttribute[];\n\t/** First-occurrence map of well-known fields within this RDN. */\n\treadonly values: Partial<Record<NameFieldKey, string>>;\n}\n\n/**\n * The name component of a CRL Distribution Point (RFC 5280 §4.2.1.13).\n * Exactly one of `fullName` or `relativeName` will be present.\n */\nexport interface ParsedDistributionPointName {\n\t/** Absolute GeneralName(s) identifying the distribution point. */\n\treadonly fullName?: readonly GeneralName[];\n\t/** Name relative to the CRL issuer's distinguished name. */\n\treadonly relativeName?: ParsedRelativeDistinguishedName;\n}\n\n/** A decoded DistributionPoint from the CRL Distribution Points extension. */\nexport interface ParsedDistributionPoint {\n\t/** Where to fetch the CRL — a fullName URI or relativeName. */\n\treadonly distributionPoint?: ParsedDistributionPointName;\n\t/** Revocation reason subset this distribution point covers. Absent means all reasons. */\n\treadonly reasons?: ParsedBitFlags<DistributionPointReason>;\n\t/** Entity that signed the CRL, when different from the certificate issuer. 
*/\n\treadonly crlIssuer?: readonly GeneralName[];\n}\n\n/**\n * Decoded Issuing Distribution Point CRL extension (RFC 5280 §5.2.5).\n * Constrains which certificates a CRL covers (scope, reasons, indirection).\n */\nexport interface ParsedIssuingDistributionPoint {\n\t/** Where to fetch this CRL, if specified. */\n\treadonly distributionPoint?: ParsedDistributionPointName;\n\t/** When true, this CRL only covers end-entity certificates. Default false. */\n\treadonly onlyContainsUserCerts?: boolean;\n\t/** When true, this CRL only covers CA certificates. Default false. */\n\treadonly onlyContainsCACerts?: boolean;\n\t/** Limits the CRL to these revocation reasons. Absent means all reasons. */\n\treadonly onlySomeReasons?: ParsedBitFlags<DistributionPointReason>;\n\t/** When true, this CRL may contain entries from CAs other than the issuer. Default false. */\n\treadonly indirectCrl?: boolean;\n\t/** When true, this CRL only covers attribute certificates. Default false. */\n\treadonly onlyContainsAttributeCerts?: boolean;\n}\n\n/** A raw X.509v3 extension before type-specific decoding. */\nexport interface ParsedExtension {\n\t/** Dotted-decimal OID identifying this extension. */\n\treadonly oid: string;\n\t/** Whether a validator MUST reject the certificate if it cannot process this extension. */\n\treadonly critical: boolean;\n\t/** DER-encoded OCTET STRING payload (extnValue). */\n\treadonly valueDer: Uint8Array;\n\t/** Hex-encoded form of `valueDer` for display and comparison. */\n\treadonly valueHex: string;\n}\n\n/**\n * User-supplied decoder for a single extension OID.\n *\n * Register with {@linkcode ParseOptions.decoders} or {@linkcode ParseOptions.decoderMap}\n * to decode custom extensions during parsing.\n */\nexport interface ExtensionDecoder<TValue> {\n\t/** OID this decoder handles. */\n\treadonly oid: string;\n\t/** Decode the raw {@linkcode ParsedExtension} into a typed value. 
*/\n\tdecode(extension: ParsedExtension): TValue;\n}\n\n/**\n * Identity helper that narrows the type of a custom {@linkcode ExtensionDecoder} literal.\n *\n * @param decoder Decoder definition to return unchanged.\n * @returns The same decoder, properly typed.\n */\nexport function defineExtensionDecoder<TValue>(\n\tdecoder: ExtensionDecoder<TValue>,\n): ExtensionDecoder<TValue> {\n\treturn decoder;\n}\n\n/**\n * Identity helper that narrows the type of a custom {@linkcode ExtensionDecoderMap} literal.\n *\n * @param decoderMap Map of named decoders to return unchanged.\n * @returns The same map, properly typed.\n */\nexport function defineExtensionDecoderMap<TMap extends ExtensionDecoderMap>(\n\tdecoderMap: TMap,\n): TMap {\n\treturn decoderMap;\n}\n\n/** String-keyed map of {@linkcode ExtensionDecoder}s, used with {@linkcode ParseOptions.decoderMap}. */\nexport type ExtensionDecoderMap = Record<string, ExtensionDecoder<unknown>>;\n\n/** Inferred result type when decoding extensions via an {@linkcode ExtensionDecoderMap}. */\nexport type DecodedExtensionMap<TMap extends ExtensionDecoderMap> = {\n\t[TKey in keyof TMap]?: TMap[TKey] extends ExtensionDecoder<infer TValue>\n\t\t? DecodedExtensionValue<TValue>\n\t\t: never;\n};\n\n/** A successfully decoded extension value paired with its OID and criticality. */\nexport interface DecodedExtensionValue<TValue> {\n\t/** Dotted-decimal OID of the decoded extension. */\n\treadonly oid: string;\n\t/** Whether the extension was marked critical in the certificate. */\n\treadonly critical: boolean;\n\t/** Typed value produced by the {@linkcode ExtensionDecoder}. 
*/\n\treadonly value: TValue;\n}\n\n/**\n * Options for {@linkcode parseCertificateDer}, {@linkcode parseCertificatePem},\n * and CSR parse functions.\n *\n * Supply custom extension decoders to have their results included in the parsed output alongside\n * the built-in extensions.\n */\nexport interface ParseOptions<TMap extends ExtensionDecoderMap = Record<never, never>> {\n\t/** Array of decoders; decoded values appear in `decodedExtensions`. */\n\treadonly decoders?: readonly ExtensionDecoder<unknown>[];\n\t/** Named decoder map; decoded values appear in `decodedExtensionMap` keyed by map key. */\n\treadonly decoderMap?: TMap;\n}\n\n/**\n * A fully decoded X.509 certificate.\n *\n * Built-in extensions (basicConstraints, keyUsage, etc.) are decoded into\n * typed fields automatically.\\\n * Supply {@linkcode ParseOptions} to also decode custom extensions.\n */\nexport interface ParsedCertificate<TMap extends ExtensionDecoderMap = Record<never, never>> {\n\t/** Complete DER encoding of the certificate (copied from the input). */\n\treadonly der: Uint8Array;\n\t/** X.509 version number (1, 2, or 3). Almost always 3. */\n\treadonly version: number;\n\t/** Hex-encoded serial number assigned by the issuing CA. */\n\treadonly serialNumberHex: string;\n\t/** DER encoding of the TBSCertificate, used for signature verification. */\n\treadonly tbsCertificateDer: Uint8Array;\n\t/** DER encoding of the SubjectPublicKeyInfo, used for key import. */\n\treadonly subjectPublicKeyInfoDer: Uint8Array;\n\t/** Raw signature bytes (BIT STRING content, padding removed). */\n\treadonly signatureValue: Uint8Array;\n\t/** Distinguished name of the certificate issuer. */\n\treadonly issuer: ParsedName;\n\t/** Distinguished name of the certificate subject. */\n\treadonly subject: ParsedName;\n\t/** Start of the certificate validity period. */\n\treadonly notBefore: Date;\n\t/** End of the certificate validity period. 
*/\n\treadonly notAfter: Date;\n\t/** OID of the algorithm used to sign this certificate (e.g. `\"1.2.840.113549.1.1.11\"` for SHA-256 with RSA). */\n\treadonly signatureAlgorithmOid: string;\n\t/** Human-readable signature algorithm name (e.g. `\"ECDSA with SHA-256\"`). */\n\treadonly signatureAlgorithmName: string;\n\t/** DER-encoded parameters for the signature algorithm. Absent for algorithms with no parameters. */\n\treadonly signatureAlgorithmParametersDer?: Uint8Array;\n\t/** OID of the subject's public key algorithm (e.g. `\"1.2.840.10045.2.1\"` for EC). */\n\treadonly publicKeyAlgorithmOid: string;\n\t/** Human-readable public key algorithm name (e.g. `\"EC P-256\"`). */\n\treadonly publicKeyAlgorithmName: string;\n\t/** DER-encoded parameters for the public key algorithm. Absent when implicit. */\n\treadonly publicKeyAlgorithmParametersDer?: Uint8Array;\n\t/** OID of the named curve or other key sub-parameter, when present. */\n\treadonly publicKeyParametersOid?: string;\n\t/** All extensions as raw {@linkcode ParsedExtension}s, in certificate order. */\n\treadonly extensions: readonly ParsedExtension[];\n\t/** Decoded Basic Constraints (RFC 5280 §4.2.1.9). */\n\treadonly basicConstraints?: BasicConstraints;\n\t/** Decoded Key Usage bit flags (RFC 5280 §4.2.1.3). */\n\treadonly keyUsage?: ParsedBitFlags<KeyUsage>;\n\t/** Decoded Extended Key Usage purposes (RFC 5280 §4.2.1.12). */\n\treadonly extendedKeyUsage?: readonly ExtendedKeyUsage[];\n\t/** Decoded Subject Alternative Names (RFC 5280 §4.2.1.6). */\n\treadonly subjectAltNames?: readonly SubjectAltName[];\n\t/** Decoded Name Constraints (RFC 5280 §4.2.1.10). */\n\treadonly nameConstraints?: NameConstraints<ParsedNameConstraintForm>;\n\t/** Decoded Certificate Policies (RFC 5280 §4.2.1.4). */\n\treadonly certificatePolicies?: CertificatePolicies;\n\t/** Decoded Policy Mappings (RFC 5280 §4.2.1.5). */\n\treadonly policyMappings?: PolicyMappings;\n\t/** Decoded Policy Constraints (RFC 5280 §4.2.1.11). 
*/\n\treadonly policyConstraints?: PolicyConstraints;\n\t/** Decoded Inhibit anyPolicy (RFC 5280 §4.2.1.14). */\n\treadonly inhibitAnyPolicy?: InhibitAnyPolicy;\n\t/** Decoded Authority Information Access — OCSP and CA Issuer URIs (RFC 5280 §4.2.2.1). */\n\treadonly authorityInfoAccess?: readonly AuthorityInformationAccess[];\n\t/** Decoded CRL Distribution Points (RFC 5280 §4.2.1.13). */\n\treadonly crlDistributionPoints?: readonly ParsedDistributionPoint[];\n\t/** Custom-decoded extensions from {@linkcode ParseOptions.decoders}. */\n\treadonly decodedExtensions?: readonly DecodedExtensionValue<unknown>[];\n\t/** Custom-decoded extensions from {@linkcode ParseOptions.decoderMap}, keyed by map key. */\n\treadonly decodedExtensionMap?: DecodedExtensionMap<TMap>;\n\t/** Hex-encoded Subject Key Identifier (RFC 5280 §4.2.1.2). */\n\treadonly subjectKeyIdentifier?: string;\n\t/** Hex-encoded Authority Key Identifier (RFC 5280 §4.2.1.1). */\n\treadonly authorityKeyIdentifier?: string;\n}\n\n/**\n * A fully decoded PKCS#10 Certificate Signing Request.\n *\n * Extension fields mirror {@linkcode ParsedCertificate} but come from the\n * CSR's extensionRequest attribute rather than the v3 extensions block.\n */\nexport interface ParsedCertificateSigningRequest<\n\tTMap extends ExtensionDecoderMap = Record<never, never>,\n> {\n\t/** PKCS#10 version number (always 1). */\n\treadonly version: number;\n\t/** DER encoding of the CertificationRequestInfo, used for signature verification. */\n\treadonly certificationRequestInfoDer: Uint8Array;\n\t/** DER encoding of the SubjectPublicKeyInfo. */\n\treadonly subjectPublicKeyInfoDer: Uint8Array;\n\t/** Raw signature bytes (BIT STRING content, padding removed). */\n\treadonly signatureValue: Uint8Array;\n\t/** Distinguished name the requester wants on the certificate. */\n\treadonly subject: ParsedName;\n\t/** OID of the algorithm used to sign this CSR. 
*/\n\treadonly signatureAlgorithmOid: string;\n\t/** Human-readable signature algorithm name (e.g. `\"ECDSA with SHA-256\"`). */\n\treadonly signatureAlgorithmName: string;\n\t/** DER-encoded parameters for the signature algorithm. Absent for algorithms with no parameters. */\n\treadonly signatureAlgorithmParametersDer?: Uint8Array;\n\t/** OID of the subject's public key algorithm. */\n\treadonly publicKeyAlgorithmOid: string;\n\t/** Human-readable public key algorithm name (e.g. `\"EC P-256\"`). */\n\treadonly publicKeyAlgorithmName: string;\n\t/** DER-encoded parameters for the public key algorithm. */\n\treadonly publicKeyAlgorithmParametersDer?: Uint8Array;\n\t/** OID of the named curve or other key sub-parameter, when present. */\n\treadonly publicKeyParametersOid?: string;\n\t/** All requested extensions as raw {@linkcode ParsedExtension}s. */\n\treadonly requestedExtensions: readonly ParsedExtension[];\n\t/** Decoded Basic Constraints from the extensionRequest attribute. */\n\treadonly basicConstraints?: BasicConstraints;\n\t/** Decoded Key Usage from the extensionRequest attribute. */\n\treadonly keyUsage?: ParsedBitFlags<KeyUsage>;\n\t/** Decoded Extended Key Usage from the extensionRequest attribute. */\n\treadonly extendedKeyUsage?: readonly ExtendedKeyUsage[];\n\t/** Decoded Subject Alternative Names from the extensionRequest attribute. */\n\treadonly subjectAltNames?: readonly SubjectAltName[];\n\t/** Decoded Name Constraints from the extensionRequest attribute. */\n\treadonly nameConstraints?: NameConstraints<ParsedNameConstraintForm>;\n\t/** Decoded Certificate Policies from the extensionRequest attribute. */\n\treadonly certificatePolicies?: CertificatePolicies;\n\t/** Decoded Policy Mappings from the extensionRequest attribute. */\n\treadonly policyMappings?: PolicyMappings;\n\t/** Decoded Policy Constraints from the extensionRequest attribute. 
*/\n\treadonly policyConstraints?: PolicyConstraints;\n\t/** Decoded Inhibit anyPolicy from the extensionRequest attribute. */\n\treadonly inhibitAnyPolicy?: InhibitAnyPolicy;\n\t/** Decoded Authority Information Access from the extensionRequest attribute. */\n\treadonly authorityInfoAccess?: readonly AuthorityInformationAccess[];\n\t/** Decoded CRL Distribution Points from the extensionRequest attribute. */\n\treadonly crlDistributionPoints?: readonly ParsedDistributionPoint[];\n\t/** Custom-decoded extensions from {@linkcode ParseOptions.decoders}. */\n\treadonly decodedExtensions?: readonly DecodedExtensionValue<unknown>[];\n\t/** Custom-decoded extensions from {@linkcode ParseOptions.decoderMap}. */\n\treadonly decodedExtensionMap?: DecodedExtensionMap<TMap>;\n}\n\n/**\n * Decode a DER-encoded X.509 certificate into a {@linkcode ParsedCertificate}.\n *\n * All built-in extensions (basicConstraints, keyUsage, subjectAltNames, etc.)\n * are decoded automatically.\\\n * Pass {@linkcode ParseOptions} to also decode custom extensions.\n *\n * @example\n * ```ts\n * import { parseCertificateDer } from 'micro509';\n *\n * const cert = parseCertificateDer(derBytes);\n * console.log(cert.subject.values.commonName); // \"example.com\"\n * console.log(cert.keyUsage); // [\"digitalSignature\", \"keyEncipherment\"]\n * ```\n *\n * @param der Raw DER bytes of an X.509 certificate.\n * @param options Custom extension decoders to apply during parsing.\n */\nexport function parseCertificateDer<TMap extends ExtensionDecoderMap = Record<never, never>>(\n\tder: Uint8Array,\n\toptions?: ParseOptions<TMap>,\n): ParsedCertificate<TMap> {\n\tconst topLevel = readSequenceChildren(der, { maxDepth: DEFAULT_MAX_DER_DEPTH });\n\tif (topLevel.length !== 3) {\n\t\tthrow new Error('Malformed Certificate');\n\t}\n\tconst tbsCertificate = requireElement(topLevel[0], 'TBSCertificate');\n\tconst signatureAlgorithm = requireElement(topLevel[1], 'signatureAlgorithm');\n\tconst signatureValue = 
requireElement(topLevel[2], 'signatureValue');\n\tconst tbsChildren = childrenOf(der, tbsCertificate);\n\n\tlet index = 0;\n\tlet version = 1;\n\tconst maybeVersion = tbsChildren[index];\n\tif (maybeVersion?.tag === 0xa0) {\n\t\tconst versionChildren = childrenOf(der, maybeVersion);\n\t\tconst versionElement = requireElement(versionChildren[0], 'version INTEGER');\n\t\tif (versionChildren.length !== 1 || versionElement.tag !== 0x02) {\n\t\t\tthrow new Error('version must use INTEGER');\n\t\t}\n\t\tversion = decodeIntegerNumber(versionElement.value) + 1;\n\t\tif (version < 1 || version > 3) {\n\t\t\tthrow new Error(`Unsupported certificate version: ${String(version)}`);\n\t\t}\n\t\tindex += 1;\n\t}\n\n\tconst serialNumber = requireElement(tbsChildren[index], 'serialNumber');\n\tif (serialNumber.tag !== 0x02) {\n\t\tthrow new Error('serialNumber must use INTEGER');\n\t}\n\tconst tbsSignatureAlgorithm = requireElement(tbsChildren[index + 1], 'TBSCertificate signature');\n\tconst issuer = requireElement(tbsChildren[index + 2], 'issuer');\n\tconst validity = requireElement(tbsChildren[index + 3], 'validity');\n\tconst subject = requireElement(tbsChildren[index + 4], 'subject');\n\tconst subjectPublicKeyInfo = requireElement(tbsChildren[index + 5], 'subjectPublicKeyInfo');\n\tlet cursor = index + 6;\n\tconst issuerUniqueIdElement = tbsChildren[cursor];\n\tif (issuerUniqueIdElement?.tag === 0x81) {\n\t\tif (version < 2) {\n\t\t\tthrow new Error('issuerUniqueID requires certificate version 2 or 3');\n\t\t}\n\t\tvalidateImplicitBitStringContent(issuerUniqueIdElement.value, 'issuerUniqueID');\n\t\tcursor += 1;\n\t}\n\tconst subjectUniqueIdElement = tbsChildren[cursor];\n\tif (subjectUniqueIdElement?.tag === 0x82) {\n\t\tif (version < 2) {\n\t\t\tthrow new Error('subjectUniqueID requires certificate version 2 or 3');\n\t\t}\n\t\tvalidateImplicitBitStringContent(subjectUniqueIdElement.value, 'subjectUniqueID');\n\t\tcursor += 1;\n\t}\n\tconst extensions = 
tbsChildren[cursor]?.tag === 0xa3 ? tbsChildren[cursor] : undefined;\n\tif (extensions !== undefined) {\n\t\tif (version !== 3) {\n\t\t\tthrow new Error('extensions require certificate version 3');\n\t\t}\n\t\tcursor += 1;\n\t}\n\tif (cursor !== tbsChildren.length) {\n\t\tthrow new Error(\n\t\t\t`Unsupported TBSCertificate field tag: ${String(requireElement(tbsChildren[cursor], 'TBSCertificate field').tag)}`,\n\t\t);\n\t}\n\tconst parsedExtensions = parseExtensionContainer(der, extensions);\n\tconst parsedValidity = parseValidity(der, validity);\n\tconst parsedSpki = parseSubjectPublicKeyInfo(der, subjectPublicKeyInfo);\n\tconst parsedTbsSignatureAlgorithm = parseAlgorithmIdentifier(der, tbsSignatureAlgorithm);\n\tconst parsedSignatureAlgorithm = parseAlgorithmIdentifier(der, signatureAlgorithm);\n\tassertMatchingCertificateSignatureAlgorithms(\n\t\tparsedTbsSignatureAlgorithm,\n\t\tparsedSignatureAlgorithm,\n\t);\n\tconst decodedExtensions =\n\t\toptions?.decoders === undefined\n\t\t\t? undefined\n\t\t\t: decodeExtensions(parsedExtensions.all, options.decoders);\n\tconst decodedExtensionMap =\n\t\toptions?.decoderMap === undefined\n\t\t\t? 
undefined\n\t\t\t: decodeExtensionMap(parsedExtensions.all, options.decoderMap);\n\n\treturn {\n\t\tder: new Uint8Array(der),\n\t\tversion,\n\t\tserialNumberHex: toHex(serialNumber.value),\n\t\ttbsCertificateDer: der.slice(\n\t\t\ttbsCertificate.start - tbsCertificate.headerLength,\n\t\t\ttbsCertificate.end,\n\t\t),\n\t\tsubjectPublicKeyInfoDer: der.slice(\n\t\t\tsubjectPublicKeyInfo.start - subjectPublicKeyInfo.headerLength,\n\t\t\tsubjectPublicKeyInfo.end,\n\t\t),\n\t\tsignatureValue: extractBitStringValue(signatureValue),\n\t\tissuer: parseName(der, issuer),\n\t\tsubject: parseName(der, subject),\n\t\tnotBefore: parsedValidity.notBefore,\n\t\tnotAfter: parsedValidity.notAfter,\n\t\tsignatureAlgorithmOid: parsedSignatureAlgorithm.oid,\n\t\tsignatureAlgorithmName: describeSignatureAlgorithm(\n\t\t\tparsedSignatureAlgorithm.oid,\n\t\t\tparsedSignatureAlgorithm.parametersDer,\n\t\t),\n\t\t...(parsedSignatureAlgorithm.parametersDer !== undefined\n\t\t\t? { signatureAlgorithmParametersDer: parsedSignatureAlgorithm.parametersDer }\n\t\t\t: {}),\n\t\tpublicKeyAlgorithmOid: parsedSpki.oid,\n\t\tpublicKeyAlgorithmName: describePublicKeyAlgorithm(parsedSpki.oid, parsedSpki.parametersOid),\n\t\t...(parsedSpki.parametersDer !== undefined\n\t\t\t? { publicKeyAlgorithmParametersDer: parsedSpki.parametersDer }\n\t\t\t: {}),\n\t\t...(parsedSpki.parametersOid !== undefined\n\t\t\t? { publicKeyParametersOid: parsedSpki.parametersOid }\n\t\t\t: {}),\n\t\textensions: parsedExtensions.all,\n\t\t...(parsedExtensions.basicConstraints !== undefined\n\t\t\t? { basicConstraints: parsedExtensions.basicConstraints }\n\t\t\t: {}),\n\t\t...(parsedExtensions.keyUsage !== undefined ? { keyUsage: parsedExtensions.keyUsage } : {}),\n\t\t...(parsedExtensions.extendedKeyUsage !== undefined\n\t\t\t? { extendedKeyUsage: parsedExtensions.extendedKeyUsage }\n\t\t\t: {}),\n\t\t...(parsedExtensions.subjectAltNames !== undefined\n\t\t\t? 
{ subjectAltNames: parsedExtensions.subjectAltNames }\n\t\t\t: {}),\n\t\t...(parsedExtensions.nameConstraints !== undefined\n\t\t\t? { nameConstraints: parsedExtensions.nameConstraints }\n\t\t\t: {}),\n\t\t...(parsedExtensions.certificatePolicies !== undefined\n\t\t\t? { certificatePolicies: parsedExtensions.certificatePolicies }\n\t\t\t: {}),\n\t\t...(parsedExtensions.policyMappings !== undefined\n\t\t\t? { policyMappings: parsedExtensions.policyMappings }\n\t\t\t: {}),\n\t\t...(parsedExtensions.policyConstraints !== undefined\n\t\t\t? { policyConstraints: parsedExtensions.policyConstraints }\n\t\t\t: {}),\n\t\t...(parsedExtensions.inhibitAnyPolicy !== undefined\n\t\t\t? { inhibitAnyPolicy: parsedExtensions.inhibitAnyPolicy }\n\t\t\t: {}),\n\t\t...(parsedExtensions.authorityInfoAccess !== undefined\n\t\t\t? { authorityInfoAccess: parsedExtensions.authorityInfoAccess }\n\t\t\t: {}),\n\t\t...(parsedExtensions.crlDistributionPoints !== undefined\n\t\t\t? { crlDistributionPoints: parsedExtensions.crlDistributionPoints }\n\t\t\t: {}),\n\t\t...(decodedExtensions !== undefined ? { decodedExtensions } : {}),\n\t\t...(decodedExtensionMap !== undefined ? { decodedExtensionMap } : {}),\n\t\t...(parsedExtensions.subjectKeyIdentifier !== undefined\n\t\t\t? { subjectKeyIdentifier: parsedExtensions.subjectKeyIdentifier }\n\t\t\t: {}),\n\t\t...(parsedExtensions.authorityKeyIdentifier !== undefined\n\t\t\t? { authorityKeyIdentifier: parsedExtensions.authorityKeyIdentifier }\n\t\t\t: {}),\n\t};\n}\n\n/**\n * Decode a PEM-encoded X.509 certificate into a {@linkcode ParsedCertificate}.\n *\n * Expects a single `-----BEGIN CERTIFICATE-----` block. 
For bundles\n * containing multiple certificates, use {@linkcode parseCertificateChainPem}.\n *\n * @example\n * ```ts\n * import { parseCertificatePem } from 'micro509';\n *\n * const cert = parseCertificatePem(pemString);\n * console.log(cert.issuer.values.organization); // \"Let's Encrypt\"\n * console.log(cert.notAfter); // Date\n * ```\n *\n * @param pem PEM string with a CERTIFICATE block.\n * @param options Custom extension decoders to apply during parsing.\n */\nexport function parseCertificatePem<TMap extends ExtensionDecoderMap = Record<never, never>>(\n\tpem: string,\n\toptions?: ParseOptions<TMap>,\n): ParsedCertificate<TMap> {\n\treturn parseCertificateDer(pemDecode('CERTIFICATE', pem), options);\n}\n\n/** Normalizes a PEM bundle or single DER certificate source into parsed certificates. */\nexport function parseCertificatesFromSource<\n\tTMap extends ExtensionDecoderMap = Record<never, never>,\n>(source: string | Uint8Array, options?: ParseOptions<TMap>): readonly ParsedCertificate<TMap>[] {\n\treturn typeof source === 'string'\n\t\t? parseCertificatesFromPemBlocks(source, options)\n\t\t: [parseCertificateDer(new Uint8Array(source), options)];\n}\n\n/** Normalizes a PEM, DER, or already-parsed certificate source into one parsed certificate. */\nexport function parseCertificateFromSource<TMap extends ExtensionDecoderMap = Record<never, never>>(\n\tsource: ParsedCertificate<TMap> | string | Uint8Array,\n\toptions?: ParseOptions<TMap>,\n): ParsedCertificate<TMap> {\n\tif (typeof source === 'string') {\n\t\treturn parseCertificatePem(source, options);\n\t}\n\tif (hasParsedCertificateShape(source)) {\n\t\treturn source;\n\t}\n\tconst derSource: Uint8Array = source;\n\treturn parseCertificateDer(new Uint8Array(derSource), options);\n}\n\n/**\n * Decode a PEM bundle containing one or more certificates.\n *\n * Non-CERTIFICATE blocks (e.g. 
private keys) are silently skipped.\n *\n * @param pemBundle PEM text that may contain multiple CERTIFICATE blocks.\n * @param options Custom extension decoders to apply during parsing.\n */\nexport function parseCertificateChainPem<TMap extends ExtensionDecoderMap = Record<never, never>>(\n\tpemBundle: string,\n\toptions?: ParseOptions<TMap>,\n): readonly ParsedCertificate<TMap>[] {\n\treturn parseCertificatesFromPemBlocks(pemBundle, options);\n}\n\n/**\n * Decode a DER-encoded PKCS#10 CSR into a {@linkcode ParsedCertificateSigningRequest}.\n *\n * @param der Raw DER bytes of a PKCS#10 certificate signing request.\n * @param options Custom extension decoders to apply during parsing.\n */\nexport function parseCertificateSigningRequestDer<\n\tTMap extends ExtensionDecoderMap = Record<never, never>,\n>(der: Uint8Array, options?: ParseOptions<TMap>): ParsedCertificateSigningRequest<TMap> {\n\tconst topLevel = readSequenceChildren(der, { maxDepth: DEFAULT_MAX_DER_DEPTH });\n\tif (topLevel.length !== 3) {\n\t\tthrow new Error('Malformed CertificationRequest');\n\t}\n\tconst certificationRequestInfo = requireElement(topLevel[0], 'CertificationRequestInfo');\n\tconst signatureAlgorithm = requireElement(topLevel[1], 'signatureAlgorithm');\n\tconst signatureValue = requireElement(topLevel[2], 'signatureValue');\n\tconst criChildren = childrenOf(der, certificationRequestInfo);\n\tif (criChildren.length < 3 || criChildren.length > 4) {\n\t\tthrow new Error('Malformed CertificationRequestInfo');\n\t}\n\tconst versionElement = requireElement(criChildren[0], 'version');\n\tif (versionElement.tag !== 0x02) {\n\t\tthrow new Error('version must use INTEGER');\n\t}\n\tconst version = decodeIntegerNumber(versionElement.value) + 1;\n\tif (version !== 1) {\n\t\tthrow new Error(`Unsupported CertificationRequestInfo version: ${String(version)}`);\n\t}\n\tconst subject = requireElement(criChildren[1], 'subject');\n\tconst subjectPublicKeyInfo = requireElement(criChildren[2], 
'subjectPublicKeyInfo');\n\tconst attributes = criChildren[3];\n\tif (attributes !== undefined && attributes.tag !== 0xa0) {\n\t\tthrow new Error('CertificationRequestInfo attributes must use [0]');\n\t}\n\tconst parsedExtensions = parseRequestedExtensions(der, attributes);\n\tconst parsedSpki = parseSubjectPublicKeyInfo(der, subjectPublicKeyInfo);\n\tconst parsedSignatureAlgorithm = parseAlgorithmIdentifier(der, signatureAlgorithm);\n\tconst decodedExtensions =\n\t\toptions?.decoders === undefined\n\t\t\t? undefined\n\t\t\t: decodeExtensions(parsedExtensions.all, options.decoders);\n\tconst decodedExtensionMap =\n\t\toptions?.decoderMap === undefined\n\t\t\t? undefined\n\t\t\t: decodeExtensionMap(parsedExtensions.all, options.decoderMap);\n\n\treturn {\n\t\tversion,\n\t\tcertificationRequestInfoDer: der.slice(\n\t\t\tcertificationRequestInfo.start - certificationRequestInfo.headerLength,\n\t\t\tcertificationRequestInfo.end,\n\t\t),\n\t\tsubjectPublicKeyInfoDer: der.slice(\n\t\t\tsubjectPublicKeyInfo.start - subjectPublicKeyInfo.headerLength,\n\t\t\tsubjectPublicKeyInfo.end,\n\t\t),\n\t\tsignatureValue: extractBitStringValue(signatureValue),\n\t\tsubject: parseName(der, subject),\n\t\tsignatureAlgorithmOid: parsedSignatureAlgorithm.oid,\n\t\tsignatureAlgorithmName: describeSignatureAlgorithm(\n\t\t\tparsedSignatureAlgorithm.oid,\n\t\t\tparsedSignatureAlgorithm.parametersDer,\n\t\t),\n\t\t...(parsedSignatureAlgorithm.parametersDer !== undefined\n\t\t\t? { signatureAlgorithmParametersDer: parsedSignatureAlgorithm.parametersDer }\n\t\t\t: {}),\n\t\tpublicKeyAlgorithmOid: parsedSpki.oid,\n\t\tpublicKeyAlgorithmName: describePublicKeyAlgorithm(parsedSpki.oid, parsedSpki.parametersOid),\n\t\t...(parsedSpki.parametersDer !== undefined\n\t\t\t? { publicKeyAlgorithmParametersDer: parsedSpki.parametersDer }\n\t\t\t: {}),\n\t\t...(parsedSpki.parametersOid !== undefined\n\t\t\t? 
{ publicKeyParametersOid: parsedSpki.parametersOid }\n\t\t\t: {}),\n\t\trequestedExtensions: parsedExtensions.all,\n\t\t...(parsedExtensions.basicConstraints !== undefined\n\t\t\t? { basicConstraints: parsedExtensions.basicConstraints }\n\t\t\t: {}),\n\t\t...(parsedExtensions.keyUsage !== undefined ? { keyUsage: parsedExtensions.keyUsage } : {}),\n\t\t...(parsedExtensions.extendedKeyUsage !== undefined\n\t\t\t? { extendedKeyUsage: parsedExtensions.extendedKeyUsage }\n\t\t\t: {}),\n\t\t...(parsedExtensions.subjectAltNames !== undefined\n\t\t\t? { subjectAltNames: parsedExtensions.subjectAltNames }\n\t\t\t: {}),\n\t\t...(parsedExtensions.nameConstraints !== undefined\n\t\t\t? { nameConstraints: parsedExtensions.nameConstraints }\n\t\t\t: {}),\n\t\t...(parsedExtensions.certificatePolicies !== undefined\n\t\t\t? { certificatePolicies: parsedExtensions.certificatePolicies }\n\t\t\t: {}),\n\t\t...(parsedExtensions.policyMappings !== undefined\n\t\t\t? { policyMappings: parsedExtensions.policyMappings }\n\t\t\t: {}),\n\t\t...(parsedExtensions.policyConstraints !== undefined\n\t\t\t? { policyConstraints: parsedExtensions.policyConstraints }\n\t\t\t: {}),\n\t\t...(parsedExtensions.inhibitAnyPolicy !== undefined\n\t\t\t? { inhibitAnyPolicy: parsedExtensions.inhibitAnyPolicy }\n\t\t\t: {}),\n\t\t...(parsedExtensions.authorityInfoAccess !== undefined\n\t\t\t? { authorityInfoAccess: parsedExtensions.authorityInfoAccess }\n\t\t\t: {}),\n\t\t...(parsedExtensions.crlDistributionPoints !== undefined\n\t\t\t? { crlDistributionPoints: parsedExtensions.crlDistributionPoints }\n\t\t\t: {}),\n\t\t...(decodedExtensions !== undefined ? { decodedExtensions } : {}),\n\t\t...(decodedExtensionMap !== undefined ? 
{ decodedExtensionMap } : {}),\n\t};\n}\n\nfunction parseCertificatesFromPemBlocks<TMap extends ExtensionDecoderMap = Record<never, never>>(\n\tpemBundle: string,\n\toptions?: ParseOptions<TMap>,\n): readonly ParsedCertificate<TMap>[] {\n\treturn splitPemBlocks(pemBundle)\n\t\t.filter((block) => block.label === 'CERTIFICATE')\n\t\t.map((block) => parseCertificateDer(block.bytes, options));\n}\n\nfunction hasParsedCertificateShape<TMap extends ExtensionDecoderMap = Record<never, never>>(\n\tvalue: ParsedCertificate<TMap> | Uint8Array,\n): value is ParsedCertificate<TMap> {\n\treturn 'subjectPublicKeyInfoDer' in value;\n}\n\n/**\n * Decode a PEM-encoded PKCS#10 CSR into a {@linkcode ParsedCertificateSigningRequest}.\n *\n * @param pem PEM string with a CERTIFICATE REQUEST block.\n * @param options Custom extension decoders to apply during parsing.\n */\nexport function parseCertificateSigningRequestPem<\n\tTMap extends ExtensionDecoderMap = Record<never, never>,\n>(pem: string, options?: ParseOptions<TMap>): ParsedCertificateSigningRequest<TMap> {\n\treturn parseCertificateSigningRequestDer(pemDecode('CERTIFICATE REQUEST', pem), options);\n}\n\n/**\n * Find a raw extension by OID within a parsed extension list.\n *\n * @param extensions Extension list from a {@linkcode ParsedCertificate} or CSR.\n * @param oid Dotted-decimal OID to look up.\n * @returns The matching extension, or `undefined` if not present.\n */\nexport function findExtension(\n\textensions: readonly ParsedExtension[],\n\toid: string,\n): ParsedExtension | undefined {\n\treturn extensions.find((extension) => extension.oid === oid);\n}\n\n/**\n * Decode a single extension using a custom {@linkcode ExtensionDecoder}.\n *\n * @param extensions Extension list to search.\n * @param decoder Decoder whose OID will be matched.\n * @returns The decoded value, or `undefined` if the extension is absent.\n */\nexport function decodeExtension<TValue>(\n\textensions: readonly ParsedExtension[],\n\tdecoder: 
ExtensionDecoder<TValue>,\n): TValue | undefined {\n\tconst extension = findExtension(extensions, decoder.oid);\n\tif (extension === undefined) {\n\t\treturn undefined;\n\t}\n\treturn decoder.decode(extension);\n}\n\n/**\n * Decode all matching extensions using an array of {@linkcode ExtensionDecoder}s.\n *\n * @param extensions Extension list to search.\n * @param decoders Decoders to apply. Only matching OIDs produce output.\n */\nexport function decodeExtensions(\n\textensions: readonly ParsedExtension[],\n\tdecoders: readonly ExtensionDecoder<unknown>[],\n): readonly DecodedExtensionValue<unknown>[] {\n\tconst decoded: DecodedExtensionValue<unknown>[] = [];\n\tfor (const decoder of decoders) {\n\t\tconst extension = findExtension(extensions, decoder.oid);\n\t\tif (extension === undefined) {\n\t\t\tcontinue;\n\t\t}\n\t\tdecoded.push({\n\t\t\toid: extension.oid,\n\t\t\tcritical: extension.critical,\n\t\t\tvalue: decoder.decode(extension),\n\t\t});\n\t}\n\treturn decoded;\n}\n\n/**\n * Decode all matching extensions using a named {@linkcode ExtensionDecoderMap}.\n *\n * @param extensions Extension list to search.\n * @param decoderMap Named decoders. Results are keyed by the same map keys.\n */\nexport function decodeExtensionMap<TMap extends ExtensionDecoderMap>(\n\textensions: readonly ParsedExtension[],\n\tdecoderMap: TMap,\n): DecodedExtensionMap<TMap> {\n\tlet decoded: DecodedExtensionMap<TMap> = {};\n\tfor (const key in decoderMap) {\n\t\tconst decoder = decoderMap[key];\n\t\tif (decoder === undefined) {\n\t\t\tcontinue;\n\t\t}\n\t\tconst extension = findExtension(extensions, decoder.oid);\n\t\tif (extension === undefined) {\n\t\t\tcontinue;\n\t\t}\n\t\tdecoded = {\n\t\t\t...decoded,\n\t\t\t[key]: {\n\t\t\t\toid: extension.oid,\n\t\t\t\tcritical: extension.critical,\n\t\t\t\tvalue: decoder.decode(extension),\n\t\t\t},\n\t\t};\n\t}\n\treturn decoded;\n}\n\n/** Aggregate of raw + decoded extensions produced during certificate/CSR parsing. 
*/\ninterface ParsedExtensions extends KnownParsedExtensionAccumulator {\n\t/** Every extension as a raw {@linkcode ParsedExtension}, in wire order. */\n\treadonly all: readonly ParsedExtension[];\n}\n\n/** Decode the explicit [3] extensions wrapper from a TBSCertificate. */\nfunction parseExtensionContainer(\n\tsource: Uint8Array,\n\tcontainer: DerElement | undefined,\n): ParsedExtensions {\n\tif (container === undefined) {\n\t\treturn { all: [] };\n\t}\n\tconst sequenceElement = requireElement(childrenOf(source, container)[0], 'extensions sequence');\n\treturn parseExtensionSequence(source, sequenceElement, 'certificate');\n}\n\n/** Extract extensions from the CSR extensionRequest attribute. */\nfunction parseRequestedExtensions(\n\tsource: Uint8Array,\n\tattributes: DerElement | undefined,\n): ParsedExtensions {\n\tif (attributes === undefined) {\n\t\treturn { all: [] };\n\t}\n\tif (attributes.tag !== 0xa0) {\n\t\tthrow new Error('CertificationRequestInfo attributes must use [0]');\n\t}\n\tlet requestedExtensions: ParsedExtensions | undefined;\n\tfor (const attribute of childrenOf(source, attributes)) {\n\t\tconst attributeChildren = childrenOf(source, attribute);\n\t\tif (attributeChildren.length !== 2) {\n\t\t\tthrow new Error('Malformed CSR attribute');\n\t\t}\n\t\tconst oid = requireElement(attributeChildren[0], 'attribute OID');\n\t\tif (decodeObjectIdentifier(oid.value) !== OIDS.extensionRequest) {\n\t\t\tcontinue;\n\t\t}\n\t\tif (requestedExtensions !== undefined) {\n\t\t\tthrow new Error('extensionRequest attribute must not repeat');\n\t\t}\n\t\tconst valuesSet = requireElement(attributeChildren[1], 'attribute values');\n\t\tif (valuesSet.tag !== 0x31) {\n\t\t\tthrow new Error('extensionRequest attribute values must use SET');\n\t\t}\n\t\tconst values = childrenOf(source, valuesSet);\n\t\tif (values.length !== 1) {\n\t\t\tthrow new Error('extensionRequest attribute must contain exactly one value');\n\t\t}\n\t\tconst requested = requireElement(values[0], 
'requested extensions');\n\t\trequestedExtensions = parseExtensionSequence(source, requested, 'csr');\n\t}\n\treturn requestedExtensions ?? { all: [] };\n}\n\n/** Walk a SEQUENCE OF Extension and decode each one, populating known-extension slots. */\nfunction parseExtensionSequence(\n\tsource: Uint8Array,\n\tsequenceElement: DerElement,\n\tcontext: 'certificate' | 'csr',\n): ParsedExtensions {\n\tconst parsed: ParsedExtension[] = [];\n\tconst knownParsed: MutableKnownParsedExtensionAccumulator = {};\n\tconst seenOids = new Set<string>();\n\n\tfor (const extension of childrenOf(source, sequenceElement)) {\n\t\tconst children = childrenOf(source, extension);\n\t\tif (children.length < 2 || children.length > 3) {\n\t\t\tthrow new Error('Malformed Extension');\n\t\t}\n\t\tconst oidElement = requireElement(children[0], 'extension OID');\n\t\tconst oid = decodeObjectIdentifier(oidElement.value);\n\t\tif (seenOids.has(oid)) {\n\t\t\tthrow new Error(`Duplicate extension OID: ${oid}`);\n\t\t}\n\t\tseenOids.add(oid);\n\t\tlet offset = 1;\n\t\tlet critical = false;\n\t\tconst maybeCritical = children[offset];\n\t\tif (maybeCritical?.tag === 0x01) {\n\t\t\tcritical = decodeBoolean(maybeCritical.value);\n\t\t\toffset += 1;\n\t\t}\n\t\tconst extnValue = requireElement(children[offset], 'extension value');\n\t\tif (extnValue.tag !== 0x04 || offset !== children.length - 1) {\n\t\t\tthrow new Error('Extension value must use OCTET STRING');\n\t\t}\n\t\tparsed.push({\n\t\t\toid,\n\t\t\tcritical,\n\t\t\tvalueDer: new Uint8Array(extnValue.value),\n\t\t\tvalueHex: toHex(extnValue.value),\n\t\t});\n\t\tdecodeAndApplyKnownExtension(context, oid, knownParsed, extnValue.value);\n\t}\n\n\treturn {\n\t\tall: parsed,\n\t\t...knownParsed,\n\t};\n}\n\n/** Decode an X.501 Name (issuer / subject) into a {@linkcode ParsedName}. 
*/\nfunction parseName(source: Uint8Array, element: DerElement): ParsedName {\n\tconst rdns: ParsedRelativeDistinguishedName[] = [];\n\tconst attributes: ParsedNameAttribute[] = [];\n\tconst values: Partial<Record<NameFieldKey, string>> = {};\n\tfor (const setElement of childrenOf(source, element)) {\n\t\tconst rdn = parseNameAttributeSet(source, setElement);\n\t\trdns.push(rdn);\n\t\tfor (const attribute of rdn.attributes) {\n\t\t\tattributes.push(attribute);\n\t\t\tif (attribute.key !== undefined && values[attribute.key] === undefined) {\n\t\t\t\tvalues[attribute.key] = attribute.value;\n\t\t\t}\n\t\t}\n\t}\n\treturn {\n\t\tderHex: toHex(source.slice(element.start - element.headerLength, element.end)),\n\t\trdns,\n\t\tattributes,\n\t\tvalues,\n\t};\n}\n\n/** Decode a single RDN SET element. */\nfunction parseRelativeDistinguishedName(\n\tsource: Uint8Array,\n\telement: DerElement,\n): ParsedRelativeDistinguishedName {\n\treturn parseNameAttributeSet(source, element);\n}\n\n/** Decode the AttributeTypeAndValue pairs within a SET element. */\nfunction parseNameAttributeSet(\n\tsource: Uint8Array,\n\tsetElement: DerElement,\n): ParsedRelativeDistinguishedName {\n\tconst attributes: ParsedNameAttribute[] = [];\n\tconst values: Partial<Record<NameFieldKey, string>> = {};\n\tfor (const attributeSequence of childrenOf(source, setElement)) {\n\t\tconst parts = childrenOf(source, attributeSequence);\n\t\tconst oid = decodeObjectIdentifier(requireElement(parts[0], 'name OID').value);\n\t\tconst valueElement = requireElement(parts[1], 'name value');\n\t\tconst fieldKey = nameFieldKeyFromOid(oid);\n\t\tconst fieldValue = decodeString(valueElement.tag, valueElement.value);\n\t\tconst attribute: ParsedNameAttribute =\n\t\t\tfieldKey !== undefined\n\t\t\t\t? 
{ oid, key: fieldKey, valueTag: valueElement.tag, value: fieldValue }\n\t\t\t\t: { oid, valueTag: valueElement.tag, value: fieldValue };\n\t\tattributes.push(attribute);\n\t\tif (fieldKey !== undefined && values[fieldKey] === undefined) {\n\t\t\tvalues[fieldKey] = fieldValue;\n\t\t}\n\t}\n\treturn {\n\t\tderHex: toHex(source.slice(setElement.start - setElement.headerLength, setElement.end)),\n\t\tattributes,\n\t\tvalues,\n\t};\n}\n\n/** Decode the Validity SEQUENCE into notBefore / notAfter Dates. */\nfunction parseValidity(\n\tsource: Uint8Array,\n\telement: DerElement,\n): {\n\treadonly notBefore: Date;\n\treadonly notAfter: Date;\n} {\n\tconst children = childrenOf(source, element);\n\treturn {\n\t\tnotBefore: parseTime(requireElement(children[0], 'notBefore')),\n\t\tnotAfter: parseTime(requireElement(children[1], 'notAfter')),\n\t};\n}\n\n/** Extract the algorithm identifier from a SubjectPublicKeyInfo SEQUENCE. */\nfunction parseSubjectPublicKeyInfo(\n\tsource: Uint8Array,\n\telement: DerElement,\n): ParsedAlgorithmIdentifier {\n\tif (element.tag !== 0x30) {\n\t\tthrow new Error('SubjectPublicKeyInfo must use SEQUENCE');\n\t}\n\tconst children = childrenOf(source, element);\n\tif (children.length !== 2) {\n\t\tthrow new Error('SubjectPublicKeyInfo must contain algorithm and subjectPublicKey');\n\t}\n\tconst algorithmElement = requireElement(children[0], 'SPKI algorithm');\n\tif (algorithmElement.tag !== 0x30) {\n\t\tthrow new Error('SubjectPublicKeyInfo algorithm must use SEQUENCE');\n\t}\n\tconst algorithm = parseAlgorithmIdentifier(source, algorithmElement);\n\textractBitStringValue(requireElement(children[1], 'subjectPublicKey BIT STRING'));\n\treturn algorithm;\n}\n\n/** Decoded AlgorithmIdentifier: OID plus optional DER parameters. */\ninterface ParsedAlgorithmIdentifier {\n\t/** Dotted-decimal algorithm OID. */\n\treadonly oid: string;\n\t/** Full DER of the parameters element, when present. 
*/\n\treadonly parametersDer?: Uint8Array;\n\t/** Decoded OID when the parameters element is itself an OID (e.g. named curves). */\n\treadonly parametersOid?: string;\n}\n\n/** Decode an AlgorithmIdentifier SEQUENCE (OID + optional parameters). */\nfunction parseAlgorithmIdentifier(\n\tsource: Uint8Array,\n\telement: DerElement,\n): ParsedAlgorithmIdentifier {\n\tconst children = childrenOf(source, element);\n\tif (children.length === 0 || children.length > 2) {\n\t\tthrow new Error('Malformed AlgorithmIdentifier');\n\t}\n\tconst oid = decodeObjectIdentifier(requireElement(children[0], 'algorithm OID').value);\n\tconst parameters = children[1];\n\tif (parameters === undefined) {\n\t\treturn { oid };\n\t}\n\tconst parametersDer = source.slice(parameters.start - parameters.headerLength, parameters.end);\n\tif (parameters?.tag === 0x06) {\n\t\treturn { oid, parametersDer, parametersOid: decodeObjectIdentifier(parameters.value) };\n\t}\n\treturn { oid, parametersDer };\n}\n\nfunction assertMatchingCertificateSignatureAlgorithms(\n\ttbsSignatureAlgorithm: ParsedAlgorithmIdentifier,\n\tsignatureAlgorithm: ParsedAlgorithmIdentifier,\n): void {\n\tif (\n\t\ttbsSignatureAlgorithm.oid !== signatureAlgorithm.oid ||\n\t\t!optionalBytesEqual(tbsSignatureAlgorithm.parametersDer, signatureAlgorithm.parametersDer)\n\t) {\n\t\tthrow new Error('Certificate signatureAlgorithm must match TBSCertificate signature');\n\t}\n}\n\nfunction optionalBytesEqual(left: Uint8Array | undefined, right: Uint8Array | undefined): boolean {\n\tif (left === undefined || right === undefined) {\n\t\treturn left === right;\n\t}\n\tif (left.length !== right.length) {\n\t\treturn false;\n\t}\n\tfor (let index = 0; index < left.length; index += 1) {\n\t\tif (left[index] !== right[index]) {\n\t\t\treturn false;\n\t\t}\n\t}\n\treturn true;\n}\n\n/** @internal Decode the Basic Constraints extension value DER. 
*/\nexport function parseBasicConstraints(bytes: Uint8Array): BasicConstraints {\n\tconst element = readRootElement(bytes, { maxDepth: DEFAULT_MAX_DER_DEPTH });\n\tif (element.tag !== 0x30) {\n\t\tthrow new Error('basicConstraints must use SEQUENCE');\n\t}\n\tconst children = childrenOf(bytes, element);\n\tlet ca = false;\n\tlet pathLength: number | undefined;\n\tlet sawCa = false;\n\tlet sawPathLength = false;\n\tfor (const child of children) {\n\t\tif (child.tag === 0x01) {\n\t\t\tif (sawCa) {\n\t\t\t\tthrow new Error('basicConstraints cA must not repeat');\n\t\t\t}\n\t\t\tif (sawPathLength) {\n\t\t\t\tthrow new Error('basicConstraints cA must precede pathLength');\n\t\t\t}\n\t\t\tsawCa = true;\n\t\t\tca = decodeBoolean(child.value);\n\t\t\tcontinue;\n\t\t}\n\t\tif (child.tag === 0x02) {\n\t\t\tif (sawPathLength) {\n\t\t\t\tthrow new Error('basicConstraints pathLength must not repeat');\n\t\t\t}\n\t\t\tsawPathLength = true;\n\t\t\tpathLength = decodeNonNegativeIntegerNumber(child.value, 'basicConstraints pathLength');\n\t\t\tcontinue;\n\t\t}\n\t\tthrow new Error(`Unsupported basicConstraints field tag: ${String(child.tag)}`);\n\t}\n\tif (pathLength !== undefined && ca !== true) {\n\t\tthrow new Error('basicConstraints pathLength requires cA = true');\n\t}\n\treturn pathLength !== undefined ? { ca, pathLength } : { ca };\n}\n\n/** @internal Decode the Key Usage BIT STRING extension value. */\nexport function parseKeyUsage(bytes: Uint8Array): ParsedBitFlags<KeyUsage> {\n\treturn parseKeyUsageExtension(bytes);\n}\n\n/** @internal Decode the Extended Key Usage SEQUENCE OF OIDs. 
*/\nexport function parseExtendedKeyUsage(bytes: Uint8Array): readonly ExtendedKeyUsage[] {\n\tconst sequenceElement = requireElement(\n\t\treadRootElement(bytes, { maxDepth: DEFAULT_MAX_DER_DEPTH }),\n\t\t'extendedKeyUsage sequence',\n\t);\n\treturn childrenOf(bytes, sequenceElement).map((element) =>\n\t\tparseExtendedKeyUsageOid(decodeObjectIdentifier(element.value)),\n\t);\n}\n\n/** @internal Decode the Certificate Policies extension value. */\nexport function parseCertificatePolicies(bytes: Uint8Array): CertificatePolicies {\n\tconst sequenceElement = requireElement(\n\t\treadRootElement(bytes, { maxDepth: DEFAULT_MAX_DER_DEPTH }),\n\t\t'certificatePolicies sequence',\n\t);\n\tconst policyElements = childrenOf(bytes, sequenceElement);\n\tif (policyElements.length === 0) {\n\t\tthrow new Error('certificatePolicies must not be empty');\n\t}\n\treturn policyElements.map((policyElement) => parsePolicyInformation(bytes, policyElement));\n}\n\n/** Decode a single PolicyInformation SEQUENCE (OID + optional qualifiers). */\nfunction parsePolicyInformation(source: Uint8Array, element: DerElement) {\n\tconst children = childrenOf(source, element);\n\tconst policyIdentifier = decodeObjectIdentifier(\n\t\trequireElement(children[0], 'policyIdentifier').value,\n\t);\n\tconst qualifiersElement = children[1];\n\tif (children.length > 2) {\n\t\tthrow new Error('policyInformation has unexpected trailing fields');\n\t}\n\tif (qualifiersElement === undefined) {\n\t\treturn { policyIdentifier };\n\t}\n\tconst qualifiers = childrenOf(source, qualifiersElement);\n\tif (qualifiers.length === 0) {\n\t\tthrow new Error('policyQualifiers must not be empty');\n\t}\n\treturn {\n\t\tpolicyIdentifier,\n\t\tpolicyQualifiers: qualifiers.map((qualifierElement) =>\n\t\t\tparsePolicyQualifierInfo(source, qualifierElement),\n\t\t),\n\t};\n}\n\n/** Decode a PolicyQualifierInfo (CPS URI, UserNotice, or opaque OID). 
*/\nfunction parsePolicyQualifierInfo(source: Uint8Array, element: DerElement) {\n\tconst children = childrenOf(source, element);\n\tconst qualifierId = decodeObjectIdentifier(\n\t\trequireElement(children[0], 'policyQualifierId').value,\n\t);\n\tconst qualifierValue = requireElement(children[1], 'policyQualifier');\n\tif (children.length > 2) {\n\t\tthrow new Error('policyQualifierInfo has unexpected trailing fields');\n\t}\n\tif (qualifierId === OIDS.cpsPolicyQualifier) {\n\t\tif (qualifierValue.tag !== 0x16) {\n\t\t\tthrow new Error('cps policy qualifier must use IA5String');\n\t\t}\n\t\treturn { type: 'cps' as const, uri: decodeString(qualifierValue.tag, qualifierValue.value) };\n\t}\n\tif (qualifierId === OIDS.userNoticePolicyQualifier) {\n\t\treturn {\n\t\t\ttype: 'userNotice' as const,\n\t\t\t...parseUserNoticePolicyQualifierInfo(source, qualifierValue),\n\t\t};\n\t}\n\treturn {\n\t\ttype: 'oid' as const,\n\t\toid: qualifierId,\n\t\tqualifierDer: source.slice(\n\t\t\tqualifierValue.start - qualifierValue.headerLength,\n\t\t\tqualifierValue.end,\n\t\t),\n\t};\n}\n\n/** Decode a UserNotice qualifier (optional noticeRef + optional explicitText). 
*/\nfunction parseUserNoticePolicyQualifierInfo(\n\tsource: Uint8Array,\n\telement: DerElement,\n): {\n\treadonly noticeRef?: {\n\t\treadonly organization: string;\n\t\treadonly noticeNumbers: readonly number[];\n\t};\n\treadonly explicitText?: string;\n} {\n\tconst children = childrenOf(source, element);\n\tlet noticeRef:\n\t\t| {\n\t\t\t\treadonly organization: string;\n\t\t\t\treadonly noticeNumbers: readonly number[];\n\t\t }\n\t\t| undefined;\n\tlet explicitText: string | undefined;\n\tfor (const child of children) {\n\t\tif (child.tag === 0x30) {\n\t\t\tif (noticeRef !== undefined) {\n\t\t\t\tthrow new Error('userNotice must not contain multiple noticeRef values');\n\t\t\t}\n\t\t\tnoticeRef = parsePolicyNoticeReference(source, child);\n\t\t\tcontinue;\n\t\t}\n\t\tif (explicitText !== undefined) {\n\t\t\tthrow new Error('userNotice must not contain multiple explicitText values');\n\t\t}\n\t\texplicitText = parseDisplayText(child);\n\t}\n\treturn {\n\t\t...(noticeRef === undefined ? {} : { noticeRef }),\n\t\t...(explicitText === undefined ? {} : { explicitText }),\n\t};\n}\n\n/** Decode a NoticeReference (organization name + notice number list). */\nfunction parsePolicyNoticeReference(\n\tsource: Uint8Array,\n\telement: DerElement,\n): {\n\treadonly organization: string;\n\treadonly noticeNumbers: readonly number[];\n} {\n\tif (element.tag !== 0x30) {\n\t\tthrow new Error('noticeRef must use SEQUENCE');\n\t}\n\tconst children = childrenOf(source, element);\n\tconst organization = parseDisplayText(requireElement(children[0], 'noticeRef organization'));\n\tconst noticeNumbersElement = requireElement(children[1], 'noticeRef noticeNumbers');\n\tif (children.length > 2) {\n\t\tthrow new Error('noticeRef has unexpected trailing fields');\n\t}\n\treturn {\n\t\torganization,\n\t\tnoticeNumbers: parsePolicyNoticeNumbers(source, noticeNumbersElement),\n\t};\n}\n\n/** Decode a SEQUENCE OF INTEGER notice numbers. 
*/\nfunction parsePolicyNoticeNumbers(source: Uint8Array, element: DerElement): readonly number[] {\n\tif (element.tag !== 0x30) {\n\t\tthrow new Error('noticeRef noticeNumbers must use SEQUENCE');\n\t}\n\tconst noticeNumberElements = childrenOf(source, element);\n\tif (noticeNumberElements.length === 0) {\n\t\tthrow new Error('noticeRef noticeNumbers must not be empty');\n\t}\n\treturn noticeNumberElements.map((noticeNumberElement) => {\n\t\tif (noticeNumberElement.tag !== 0x02) {\n\t\t\tthrow new Error('noticeRef noticeNumber must use INTEGER');\n\t\t}\n\t\treturn decodeNonNegativeIntegerNumber(noticeNumberElement.value, 'noticeRef noticeNumber');\n\t});\n}\n\n/** @internal Decode the Policy Mappings extension value. */\nexport function parsePolicyMappings(bytes: Uint8Array): PolicyMappings {\n\tconst sequenceElement = requireElement(\n\t\treadRootElement(bytes, { maxDepth: DEFAULT_MAX_DER_DEPTH }),\n\t\t'policyMappings sequence',\n\t);\n\tconst mappingElements = childrenOf(bytes, sequenceElement);\n\tif (mappingElements.length === 0) {\n\t\tthrow new Error('policyMappings must not be empty');\n\t}\n\treturn mappingElements.map((mappingElement) => {\n\t\tconst children = childrenOf(bytes, mappingElement);\n\t\tconst issuerDomainPolicy = decodeObjectIdentifier(\n\t\t\trequireElement(children[0], 'policyMappings issuerDomainPolicy').value,\n\t\t);\n\t\tconst subjectDomainPolicy = decodeObjectIdentifier(\n\t\t\trequireElement(children[1], 'policyMappings subjectDomainPolicy').value,\n\t\t);\n\t\tif (children.length > 2) {\n\t\t\tthrow new Error('policyMappings entry has unexpected trailing fields');\n\t\t}\n\t\tif (issuerDomainPolicy === OIDS.anyPolicy || subjectDomainPolicy === OIDS.anyPolicy) {\n\t\t\tthrow new Error('policyMappings must not use anyPolicy');\n\t\t}\n\t\treturn { issuerDomainPolicy, subjectDomainPolicy };\n\t});\n}\n\n/** @internal Decode the Policy Constraints extension value. 
*/\nexport function parsePolicyConstraints(bytes: Uint8Array): PolicyConstraints {\n\tconst sequenceElement = requireElement(\n\t\treadRootElement(bytes, { maxDepth: DEFAULT_MAX_DER_DEPTH }),\n\t\t'policyConstraints sequence',\n\t);\n\tlet requireExplicitPolicy: number | undefined;\n\tlet inhibitPolicyMapping: number | undefined;\n\tfor (const child of childrenOf(bytes, sequenceElement)) {\n\t\tif (child.tag === 0x80) {\n\t\t\tif (requireExplicitPolicy !== undefined) {\n\t\t\t\tthrow new Error('policyConstraints must not repeat requireExplicitPolicy');\n\t\t\t}\n\t\t\trequireExplicitPolicy = decodeNonNegativeIntegerNumber(\n\t\t\t\tchild.value,\n\t\t\t\t'policyConstraints requireExplicitPolicy',\n\t\t\t);\n\t\t\tcontinue;\n\t\t}\n\t\tif (child.tag === 0x81) {\n\t\t\tif (inhibitPolicyMapping !== undefined) {\n\t\t\t\tthrow new Error('policyConstraints must not repeat inhibitPolicyMapping');\n\t\t\t}\n\t\t\tinhibitPolicyMapping = decodeNonNegativeIntegerNumber(\n\t\t\t\tchild.value,\n\t\t\t\t'policyConstraints inhibitPolicyMapping',\n\t\t\t);\n\t\t\tcontinue;\n\t\t}\n\t\tthrow new Error(`Unsupported policyConstraints field tag: ${child.tag}`);\n\t}\n\tif (requireExplicitPolicy === undefined && inhibitPolicyMapping === undefined) {\n\t\tthrow new Error('policyConstraints must set requireExplicitPolicy or inhibitPolicyMapping');\n\t}\n\treturn {\n\t\t...(requireExplicitPolicy === undefined ? {} : { requireExplicitPolicy }),\n\t\t...(inhibitPolicyMapping === undefined ? {} : { inhibitPolicyMapping }),\n\t};\n}\n\n/** @internal Decode the Inhibit anyPolicy extension (single INTEGER). 
*/\nexport function parseInhibitAnyPolicy(bytes: Uint8Array): InhibitAnyPolicy {\n\tconst integerElement = requireElement(\n\t\treadRootElement(bytes, { maxDepth: DEFAULT_MAX_DER_DEPTH }),\n\t\t'inhibitAnyPolicy integer',\n\t);\n\tif (integerElement.tag !== 0x02) {\n\t\tthrow new Error('inhibitAnyPolicy must be an INTEGER');\n\t}\n\treturn {\n\t\tskipCerts: decodeNonNegativeIntegerNumber(integerElement.value, 'inhibitAnyPolicy skipCerts'),\n\t};\n}\n\n/** @internal Decode the Subject Alternative Names SEQUENCE OF GeneralName. */\nexport function parseSubjectAltNames(bytes: Uint8Array): readonly SubjectAltName[] {\n\tconst sequenceElement = requireElement(\n\t\treadRootElement(bytes, { maxDepth: DEFAULT_MAX_DER_DEPTH }),\n\t\t'subjectAltName sequence',\n\t);\n\treturn childrenOf(bytes, sequenceElement).map((element) => parseGeneralName(bytes, element));\n}\n\n/** @internal Decode the Authority Information Access extension value. */\nexport function parseAuthorityInfoAccess(bytes: Uint8Array): readonly AuthorityInformationAccess[] {\n\tconst sequenceElement = requireElement(\n\t\treadRootElement(bytes, { maxDepth: DEFAULT_MAX_DER_DEPTH }),\n\t\t'authorityInfoAccess sequence',\n\t);\n\tif (sequenceElement.tag !== 0x30) {\n\t\tthrow new Error('authorityInfoAccess must use SEQUENCE');\n\t}\n\tconst accessDescriptions = childrenOf(bytes, sequenceElement);\n\tif (accessDescriptions.length === 0) {\n\t\tthrow new Error('authorityInfoAccess must not be empty');\n\t}\n\treturn accessDescriptions.map((element) => {\n\t\tif (element.tag !== 0x30) {\n\t\t\tthrow new Error('authorityInfoAccess entry must use SEQUENCE');\n\t\t}\n\t\tconst children = childrenOf(bytes, element);\n\t\tif (children.length !== 2) {\n\t\t\tthrow new Error('authorityInfoAccess entry must contain method and location only');\n\t\t}\n\t\tconst method = requireElement(children[0], 'authorityInfoAccess method');\n\t\tconst location = requireElement(children[1], 'authorityInfoAccess location');\n\t\tif 
(method.tag !== 0x06) {\n\t\t\tthrow new Error('authorityInfoAccess method must use OBJECT IDENTIFIER');\n\t\t}\n\t\tif (location.tag !== 0x86) {\n\t\t\tthrow new Error(`Unsupported authorityInfoAccess location tag: ${location.tag}`);\n\t\t}\n\t\treturn {\n\t\t\tmethod: parseAuthorityInfoAccessMethodOid(decodeObjectIdentifier(method.value)),\n\t\t\turi: textDecoder.decode(location.value),\n\t\t};\n\t});\n}\n\n/** @internal Decode the CRL Distribution Points extension value. */\nexport function parseCrlDistributionPoints(bytes: Uint8Array): readonly ParsedDistributionPoint[] {\n\tconst sequenceElement = requireElement(\n\t\treadRootElement(bytes, { maxDepth: DEFAULT_MAX_DER_DEPTH }),\n\t\t'CRLDistributionPoints sequence',\n\t);\n\tif (sequenceElement.tag !== 0x30) {\n\t\tthrow new Error('CRLDistributionPoints must use SEQUENCE');\n\t}\n\tconst elements = childrenOf(bytes, sequenceElement);\n\tif (elements.length === 0) {\n\t\tthrow new Error('CRLDistributionPoints must not be empty');\n\t}\n\tconst points: ParsedDistributionPoint[] = [];\n\tfor (const distributionPoint of elements) {\n\t\tpoints.push(parseDistributionPoint(bytes, distributionPoint));\n\t}\n\treturn points;\n}\n\n/** Decode a single DistributionPoint SEQUENCE. 
*/\nfunction parseDistributionPoint(source: Uint8Array, element: DerElement): ParsedDistributionPoint {\n\tif (element.tag !== 0x30) {\n\t\tthrow new Error('DistributionPoint must use SEQUENCE');\n\t}\n\tlet distributionPoint: ParsedDistributionPointName | undefined;\n\tlet reasons: ParsedBitFlags<DistributionPointReason> | undefined;\n\tlet crlIssuer: readonly GeneralName[] | undefined;\n\tfor (const child of childrenOf(source, element)) {\n\t\tif (child.tag === 0xa0) {\n\t\t\tif (distributionPoint !== undefined) {\n\t\t\t\tthrow new Error('DistributionPoint distributionPoint must not repeat');\n\t\t\t}\n\t\t\tdistributionPoint = parseDistributionPointName(source, child);\n\t\t} else if (child.tag === 0x81) {\n\t\t\tif (reasons !== undefined) {\n\t\t\t\tthrow new Error('DistributionPoint reasons must not repeat');\n\t\t\t}\n\t\t\treasons = parseDistributionPointReasonFlagsContent(child.value);\n\t\t} else if (child.tag === 0xa2) {\n\t\t\tif (crlIssuer !== undefined) {\n\t\t\t\tthrow new Error('DistributionPoint crlIssuer must not repeat');\n\t\t\t}\n\t\t\tcrlIssuer = parseGeneralNames(source, child);\n\t\t} else {\n\t\t\tthrow new Error(`Unsupported DistributionPoint field tag: ${String(child.tag)}`);\n\t\t}\n\t}\n\tif (distributionPoint === undefined && crlIssuer === undefined) {\n\t\tthrow new Error('DistributionPoint must include distributionPoint or crlIssuer');\n\t}\n\treturn {\n\t\t...(distributionPoint === undefined ? {} : { distributionPoint }),\n\t\t...(reasons === undefined ? {} : { reasons }),\n\t\t...(crlIssuer === undefined ? {} : { crlIssuer }),\n\t};\n}\n\n/** Decode a DistributionPointName (fullName or relativeName). 
*/\nfunction parseDistributionPointName(\n\tsource: Uint8Array,\n\telement: DerElement,\n): ParsedDistributionPointName {\n\tconst children = childrenOf(source, element);\n\tif (children.length !== 1) {\n\t\tthrow new Error('distributionPointName must contain exactly one choice');\n\t}\n\tconst distributionPointName = requireElement(children[0], 'distributionPointName');\n\tif (distributionPointName.tag === 0xa0) {\n\t\tconst fullName = childrenOf(source, distributionPointName);\n\t\tif (fullName.length === 0) {\n\t\t\tthrow new Error('distributionPointName fullName must not be empty');\n\t\t}\n\t\tfor (const name of fullName) {\n\t\t\tif ((name.tag & 0xc0) !== 0x80) {\n\t\t\t\tthrow new Error('distributionPointName fullName must contain GeneralName entries');\n\t\t\t}\n\t\t}\n\t\treturn {\n\t\t\tfullName: fullName.map((name) => parseGeneralName(source, name)),\n\t\t};\n\t}\n\tif (distributionPointName.tag === 0xa1) {\n\t\treturn { relativeName: parseRelativeDistinguishedName(source, distributionPointName) };\n\t}\n\tthrow new Error(`Unsupported distributionPointName tag: ${distributionPointName.tag}`);\n}\n\n/** Decode a SEQUENCE OF GeneralName. */\nfunction parseGeneralNames(source: Uint8Array, element: DerElement): readonly GeneralName[] {\n\tconst names = childrenOf(source, element);\n\tif (names.length === 0) {\n\t\tthrow new Error('GeneralNames must not be empty');\n\t}\n\tfor (const name of names) {\n\t\tif ((name.tag & 0xc0) !== 0x80) {\n\t\t\tthrow new Error('GeneralNames must contain GeneralName entries');\n\t\t}\n\t}\n\treturn names.map((name) => parseGeneralName(source, name));\n}\n\n/** Decode a single GeneralName from its implicit context tag. 
*/\nfunction parseGeneralName(source: Uint8Array, element: DerElement): GeneralName {\n\tswitch (element.tag) {\n\t\tcase 0xa0: {\n\t\t\tconst otherName = parseOtherName(source, element);\n\t\t\tif (otherName !== undefined) {\n\t\t\t\treturn otherName;\n\t\t\t}\n\t\t\treturn {\n\t\t\t\ttype: 'unknown' as const,\n\t\t\t\ttag: element.tag,\n\t\t\t\tvalue: source.slice(element.start, element.end),\n\t\t\t};\n\t\t}\n\t\tcase 0x81:\n\t\t\treturn { type: 'email' as const, value: textDecoder.decode(element.value) };\n\t\tcase 0x82:\n\t\t\treturn { type: 'dns' as const, value: textDecoder.decode(element.value) };\n\t\tcase 0x86:\n\t\t\treturn { type: 'uri' as const, value: textDecoder.decode(element.value) };\n\t\tcase 0x87:\n\t\t\treturn { type: 'ip' as const, value: decodeIpAddress(element.value) };\n\t\tcase 0xa4:\n\t\t\treturn {\n\t\t\t\ttype: 'directoryName' as const,\n\t\t\t\tderHex: toHex(rebuildDirectoryNameFromImplicit(element, source)),\n\t\t\t};\n\t\tdefault:\n\t\t\treturn {\n\t\t\t\ttype: 'unknown' as const,\n\t\t\t\ttag: element.tag,\n\t\t\t\tvalue: source.slice(element.start, element.end),\n\t\t\t};\n\t}\n}\n\n/** Attempt to decode an otherName [0] as a known type (currently only SRV-ID). 
*/\nfunction parseOtherName(source: Uint8Array, element: DerElement): SubjectAltName | undefined {\n\tconst otherNameElements = childrenOf(source, element);\n\tif (otherNameElements.length !== 1) {\n\t\tthrow new Error('otherName must contain exactly one SEQUENCE');\n\t}\n\tconst otherNameSequence = requireElement(otherNameElements[0], 'otherName sequence');\n\tconst otherNameChildren = childrenOf(source, otherNameSequence);\n\tif (otherNameChildren.length !== 2) {\n\t\tthrow new Error('otherName must contain exactly type-id and value');\n\t}\n\tconst typeId = requireElement(otherNameChildren[0], 'otherName type-id');\n\tconst valueElement = requireElement(otherNameChildren[1], 'otherName value');\n\tconst typeIdOid = decodeObjectIdentifier(typeId.value);\n\tif (typeIdOid !== OIDS.idOnDnsSrv) {\n\t\treturn undefined;\n\t}\n\tif (valueElement.tag !== 0xa0) {\n\t\tthrow new Error('SRV-ID otherName value must use explicit [0]');\n\t}\n\tconst valueChildren = childrenOf(source, valueElement);\n\tif (valueChildren.length !== 1) {\n\t\tthrow new Error('SRV-ID otherName value must contain exactly one IA5String');\n\t}\n\tconst srvNameElement = requireElement(valueChildren[0], 'SRV-ID IA5String');\n\tif (srvNameElement.tag !== 0x16) {\n\t\tthrow new Error('SRV-ID otherName value must be an IA5String');\n\t}\n\treturn { type: 'srv', value: decodeString(srvNameElement.tag, srvNameElement.value) };\n}\n\n/** @internal Decode the Name Constraints extension value. 
*/\nexport function parseNameConstraints(bytes: Uint8Array): NameConstraints<ParsedNameConstraintForm> {\n\tconst sequenceElement = requireElement(\n\t\treadRootElement(bytes, {\n\t\t\tmaxDepth: DEFAULT_MAX_DER_DEPTH,\n\t\t\tallowOpaqueConstructedTags: [0xa0, 0xa3, 0xa5],\n\t\t}),\n\t\t'nameConstraints sequence',\n\t);\n\tif (sequenceElement.tag !== 0x30) {\n\t\tthrow new Error('nameConstraints must use SEQUENCE');\n\t}\n\tlet permittedSubtrees: readonly GeneralSubtree<ParsedNameConstraintForm>[] | undefined;\n\tlet excludedSubtrees: readonly GeneralSubtree<ParsedNameConstraintForm>[] | undefined;\n\tfor (const child of childrenOf(bytes, sequenceElement)) {\n\t\tif (child.tag === 0xa0) {\n\t\t\tif (permittedSubtrees !== undefined) {\n\t\t\t\tthrow new Error('nameConstraints permittedSubtrees must not repeat');\n\t\t\t}\n\t\t\tpermittedSubtrees = parseGeneralSubtrees(bytes, child);\n\t\t} else if (child.tag === 0xa1) {\n\t\t\tif (excludedSubtrees !== undefined) {\n\t\t\t\tthrow new Error('nameConstraints excludedSubtrees must not repeat');\n\t\t\t}\n\t\t\texcludedSubtrees = parseGeneralSubtrees(bytes, child);\n\t\t} else {\n\t\t\tthrow new Error(`Unsupported nameConstraints field tag: ${String(child.tag)}`);\n\t\t}\n\t}\n\treturn {\n\t\t...(permittedSubtrees !== undefined ? { permittedSubtrees } : {}),\n\t\t...(excludedSubtrees !== undefined ? { excludedSubtrees } : {}),\n\t};\n}\n\n/** Decode a SEQUENCE OF GeneralSubtree from a permittedSubtrees or excludedSubtrees wrapper. 
*/\nfunction parseGeneralSubtrees(\n\tsource: Uint8Array,\n\tcontainer: DerElement,\n): readonly GeneralSubtree<ParsedNameConstraintForm>[] {\n\tconst subtrees: GeneralSubtree<ParsedNameConstraintForm>[] = [];\n\tconst subtreeElements = childrenOf(source, container);\n\tif (subtreeElements.length === 0) {\n\t\tthrow new Error('name constraints GeneralSubtrees must not be empty');\n\t}\n\tfor (const subtreeElement of subtreeElements) {\n\t\tif (subtreeElement.tag !== 0x30) {\n\t\t\tthrow new Error('name constraints GeneralSubtree must use SEQUENCE');\n\t\t}\n\t\tconst children = childrenOf(source, subtreeElement);\n\t\tconst baseElement = children[0];\n\t\tif (baseElement === undefined) {\n\t\t\tthrow new Error('name constraints GeneralSubtree base is required');\n\t\t}\n\n\t\t// RFC 5280 §4.2.1.10: minimum MUST be zero (default), maximum\n\t\t// MUST be absent. Reject non-standard values.\n\t\tlet sawMinimum = false;\n\t\tfor (let i = 1; i < children.length; i += 1) {\n\t\t\tconst child = children[i];\n\t\t\tif (child === undefined) {\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (child.tag === 0x80) {\n\t\t\t\tif (sawMinimum) {\n\t\t\t\t\tthrow new Error('name constraints GeneralSubtree minimum must not repeat');\n\t\t\t\t}\n\t\t\t\tsawMinimum = true;\n\t\t\t\t// minimum [0] INTEGER — must be 0\n\t\t\t\tif (\n\t\t\t\t\tdecodeNonNegativeIntegerNumber(child.value, 'name constraints GeneralSubtree minimum') !==\n\t\t\t\t\t0\n\t\t\t\t) {\n\t\t\t\t\tthrow new Error('name constraints GeneralSubtree minimum must be 0');\n\t\t\t\t}\n\t\t\t} else if (child.tag === 0x81) {\n\t\t\t\t// maximum [1] INTEGER — must be absent\n\t\t\t\tthrow new Error('name constraints GeneralSubtree maximum is not supported');\n\t\t\t} else {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`Unsupported name constraints GeneralSubtree field tag: ${String(child.tag)}`,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\tconst form = parseNameConstraintGeneralName(source, baseElement);\n\t\tif (form !== undefined) 
{\n\t\t\tsubtrees.push({ base: form });\n\t\t}\n\t}\n\treturn subtrees;\n}\n\n/** Decode a GeneralName for use in name constraints (IP carries address+mask). */\nfunction parseNameConstraintGeneralName(\n\tsource: Uint8Array,\n\telement: DerElement,\n): ParsedNameConstraintForm | undefined {\n\tswitch (element.tag) {\n\t\tcase 0xa0:\n\t\t\treturn { type: 'otherName', value: new Uint8Array(element.value) };\n\t\tcase 0x81:\n\t\t\treturn { type: 'email', value: textDecoder.decode(element.value) };\n\t\tcase 0x82:\n\t\t\treturn { type: 'dns', value: textDecoder.decode(element.value) };\n\t\tcase 0xa3:\n\t\t\treturn { type: 'x400Address', value: new Uint8Array(element.value) };\n\t\tcase 0x86:\n\t\t\treturn { type: 'uri', value: textDecoder.decode(element.value) };\n\t\tcase 0x87: {\n\t\t\tif (element.value.length === 8) {\n\t\t\t\treturn {\n\t\t\t\t\ttype: 'ip',\n\t\t\t\t\taddressBytes: element.value.slice(0, 4),\n\t\t\t\t\tmaskBytes: element.value.slice(4, 8),\n\t\t\t\t};\n\t\t\t}\n\t\t\tif (element.value.length === 32) {\n\t\t\t\treturn {\n\t\t\t\t\ttype: 'ip',\n\t\t\t\t\taddressBytes: element.value.slice(0, 16),\n\t\t\t\t\tmaskBytes: element.value.slice(16, 32),\n\t\t\t\t};\n\t\t\t}\n\t\t\tthrow new Error(\n\t\t\t\t`Invalid IP name constraint: expected 8 (IPv4) or 32 (IPv6) bytes, got ${String(element.value.length)}`,\n\t\t\t);\n\t\t}\n\t\tcase 0xa4:\n\t\t\treturn {\n\t\t\t\ttype: 'directoryName',\n\t\t\t\tderHex: toHex(rebuildDirectoryNameFromImplicit(element, source)),\n\t\t\t};\n\t\tcase 0xa5:\n\t\t\treturn { type: 'ediPartyName', value: new Uint8Array(element.value) };\n\t\tcase 0x88:\n\t\t\treturn { type: 'registeredID', value: decodeObjectIdentifier(element.value) };\n\t}\n\tthrow new Error(`Unsupported name constraint GeneralName tag: ${String(element.tag)}`);\n}\n\n/**\n * Extracts the Name SEQUENCE from an implicitly-tagged directoryName [4].\n *\n * Handles two encoding styles found in the wild:\n * - Proper implicit: [4] replaces SEQUENCE tag, content is 
RDN SETs directly → wrap with 0x30\n * - Explicit-like: [4] wraps entire SEQUENCE, content starts with 0x30 → return content as-is\n */\nfunction rebuildDirectoryNameFromImplicit(element: DerElement, _source: Uint8Array): Uint8Array {\n\t// If content already starts with SEQUENCE tag, it's explicit-style encoding\n\tif (element.value.length > 0 && element.value[0] === 0x30) {\n\t\treturn new Uint8Array(element.value);\n\t}\n\t// Otherwise, wrap content with SEQUENCE tag (true implicit encoding)\n\tconst lengthEncoded = encodeLength(element.value.length);\n\tconst result = new Uint8Array(1 + lengthEncoded.length + element.value.length);\n\tresult[0] = 0x30;\n\tresult.set(lengthEncoded, 1);\n\tresult.set(element.value, 1 + lengthEncoded.length);\n\treturn result;\n}\n\n/** Decode a DisplayText (UTF8String, IA5String, VisibleString, or BMPString). */\nfunction parseDisplayText(element: DerElement): string {\n\tswitch (element.tag) {\n\t\tcase 0x0c:\n\t\tcase 0x16:\n\t\tcase 0x1a:\n\t\t\treturn textDecoder.decode(element.value);\n\t\tcase 0x1e:\n\t\t\treturn decodeBmpString(element.value);\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported DisplayText tag: ${element.tag}`);\n\t}\n}\n\n/** Decode a BMPString (UCS-2 big-endian) to a JS string. */\nfunction decodeBmpString(bytes: Uint8Array): string {\n\tif (bytes.length % 2 !== 0) {\n\t\tthrow new Error('Invalid BMPString length');\n\t}\n\tlet value = '';\n\tfor (let index = 0; index < bytes.length; index += 2) {\n\t\tconst left = bytes[index];\n\t\tconst right = bytes[index + 1];\n\t\tif (left === undefined || right === undefined) {\n\t\t\tthrow new Error('Invalid BMPString content');\n\t\t}\n\t\tvalue += String.fromCharCode((left << 8) | right);\n\t}\n\treturn value;\n}\n\n/** @internal Decode the Authority Key Identifier extension, returning the keyIdentifier hex or undefined. 
*/\nexport function parseAuthorityKeyIdentifier(bytes: Uint8Array): string | undefined {\n\tconst sequenceElement = requireElement(readElement(bytes, 0), 'authorityKeyIdentifier sequence');\n\tif (sequenceElement.end !== bytes.length) {\n\t\tthrow new Error('Trailing data after DER element');\n\t}\n\tlet keyIdentifier: string | undefined;\n\tlet sawAuthorityCertIssuer = false;\n\tlet sawAuthorityCertSerialNumber = false;\n\tlet lastFieldOrder = -1;\n\tlet offset = sequenceElement.start;\n\twhile (offset < sequenceElement.end) {\n\t\tconst child = readElement(bytes, offset);\n\t\tif (child.end > sequenceElement.end) {\n\t\t\tthrow new Error('DER child exceeds parent length');\n\t\t}\n\t\tif (child.tag === 0x80) {\n\t\t\tif (keyIdentifier !== undefined) {\n\t\t\t\tthrow new Error('authorityKeyIdentifier keyIdentifier must not repeat');\n\t\t\t}\n\t\t\tif (lastFieldOrder >= 0) {\n\t\t\t\tthrow new Error('authorityKeyIdentifier fields must preserve DER order');\n\t\t\t}\n\t\t\tkeyIdentifier = toHex(child.value);\n\t\t\tlastFieldOrder = 0;\n\t\t} else if (child.tag === 0xa1) {\n\t\t\tif (sawAuthorityCertIssuer) {\n\t\t\t\tthrow new Error('authorityKeyIdentifier authorityCertIssuer must not repeat');\n\t\t\t}\n\t\t\tif (lastFieldOrder >= 1) {\n\t\t\t\tthrow new Error('authorityKeyIdentifier fields must preserve DER order');\n\t\t\t}\n\t\t\tconst issuerNames = childrenOf(bytes, child);\n\t\t\tif (issuerNames.length === 0) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t'authorityKeyIdentifier authorityCertIssuer must contain GeneralName entries',\n\t\t\t\t);\n\t\t\t}\n\t\t\tfor (const issuerName of issuerNames) {\n\t\t\t\tif ((issuerName.tag & 0xc0) !== 0x80) {\n\t\t\t\t\tthrow new Error(\n\t\t\t\t\t\t'authorityKeyIdentifier authorityCertIssuer must contain GeneralName entries',\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tparseGeneralName(bytes, issuerName);\n\t\t\t}\n\t\t\tsawAuthorityCertIssuer = true;\n\t\t\tlastFieldOrder = 1;\n\t\t} else if (child.tag === 0x82) {\n\t\t\tif 
(sawAuthorityCertSerialNumber) {\n\t\t\t\tthrow new Error('authorityKeyIdentifier authorityCertSerialNumber must not repeat');\n\t\t\t}\n\t\t\tif (lastFieldOrder >= 2 || !sawAuthorityCertIssuer) {\n\t\t\t\tthrow new Error('authorityKeyIdentifier fields must preserve DER order');\n\t\t\t}\n\t\t\tvalidateImplicitSerialNumberEncoding(\n\t\t\t\tchild.value,\n\t\t\t\t'authorityKeyIdentifier authorityCertSerialNumber',\n\t\t\t);\n\t\t\tsawAuthorityCertSerialNumber = true;\n\t\t\tlastFieldOrder = 2;\n\t\t} else {\n\t\t\tthrow new Error(`Unsupported authorityKeyIdentifier field tag: ${String(child.tag)}`);\n\t\t}\n\t\toffset = child.end;\n\t}\n\tif (offset !== sequenceElement.end) {\n\t\tthrow new Error('Malformed DER sequence');\n\t}\n\tif (sawAuthorityCertIssuer !== sawAuthorityCertSerialNumber) {\n\t\tthrow new Error(\n\t\t\t'authorityKeyIdentifier authorityCertIssuer and authorityCertSerialNumber must appear together',\n\t\t);\n\t}\n\treturn keyIdentifier;\n}\n\nfunction validateImplicitSerialNumberEncoding(bytes: Uint8Array, label: string): void {\n\tconst first = bytes[0];\n\tif (first === undefined) {\n\t\tthrow new Error(`${label} must not be empty`);\n\t}\n\tif ((first & 0x80) !== 0) {\n\t\tthrow new Error(`${label} must be non-negative`);\n\t}\n\tif (bytes.length > 1 && first === 0 && ((bytes[1] ?? 
0) & 0x80) === 0) {\n\t\tthrow new Error(`${label} must use minimal encoding`);\n\t}\n}\n\nfunction validateImplicitBitStringContent(bytes: Uint8Array, label: string): void {\n\tconst unusedBits = bytes[0];\n\tif (unusedBits === undefined || unusedBits > 7) {\n\t\tthrow new Error(`${label} must use BIT STRING encoding`);\n\t}\n\tconst bitStringBytes = bytes.slice(1);\n\tif (bitStringBytes.length === 0) {\n\t\tif (unusedBits !== 0) {\n\t\t\tthrow new Error(`${label} must use BIT STRING encoding`);\n\t\t}\n\t\treturn;\n\t}\n\tif (unusedBits === 0) {\n\t\treturn;\n\t}\n\tconst lastByte = bitStringBytes[bitStringBytes.length - 1];\n\tif (lastByte === undefined) {\n\t\tthrow new Error(`${label} must use BIT STRING encoding`);\n\t}\n\tconst paddingMask = (1 << unusedBits) - 1;\n\tif ((lastByte & paddingMask) !== 0) {\n\t\tthrow new Error(`${label} BIT STRING must not set padding bits`);\n\t}\n}\n"],"mappings":"wgCAuFA,MAAM,EAAc,IAAI,YAsHxB,SAAgB,EACf,EAC2B,CAC3B,OAAO,CACR,CAQA,SAAgB,EACf,EACO,CACP,OAAO,CACR,CAkMA,SAAgB,EACf,EACA,EAC0B,CAC1B,IAAM,EAAW,EAAqB,EAAK,CAAE,SAAA,EAAgC,CAAC,EAC9E,GAAI,EAAS,SAAW,EACvB,MAAU,MAAM,uBAAuB,EAExC,IAAM,EAAiB,EAAe,EAAS,GAAI,gBAAgB,EAC7D,EAAqB,EAAe,EAAS,GAAI,oBAAoB,EACrE,EAAiB,EAAe,EAAS,GAAI,gBAAgB,EAC7D,EAAc,EAAW,EAAK,CAAc,EAE9C,EAAQ,EACR,EAAU,EACR,EAAe,EAAY,GACjC,GAAI,GAAc,MAAQ,IAAM,CAC/B,IAAM,EAAkB,EAAW,EAAK,CAAY,EAC9C,EAAiB,EAAe,EAAgB,GAAI,iBAAiB,EAC3E,GAAI,EAAgB,SAAW,GAAK,EAAe,MAAQ,EAC1D,MAAU,MAAM,0BAA0B,EAG3C,GADA,EAAU,EAAoB,EAAe,KAAK,EAAI,EAClD,EAAU,GAAK,EAAU,EAC5B,MAAU,MAAM,oCAAoC,OAAO,CAAO,GAAG,EAEtE,GAAS,CACV,CAEA,IAAM,EAAe,EAAe,EAAY,GAAQ,cAAc,EACtE,GAAI,EAAa,MAAQ,EACxB,MAAU,MAAM,+BAA+B,EAEhD,IAAM,EAAwB,EAAe,EAAY,EAAQ,GAAI,0BAA0B,EACzF,EAAS,EAAe,EAAY,EAAQ,GAAI,QAAQ,EACxD,EAAW,EAAe,EAAY,EAAQ,GAAI,UAAU,EAC5D,EAAU,EAAe,EAAY,EAAQ,GAAI,SAAS,EAC1D,EAAuB,EAAe,EAAY,EAAQ,GAAI,sBAAsB,EACtF,EAAS,EAAQ,EACf,EAAwB,EAAY,GAC1C,GAAI,GAAuB,MAAQ,IAAM,CACxC,GAAI,EAAU,EACb,MAAU,MAAM,oDAAoD,EAErE,EAAiC,EAAsB,MAAO,gBAAgB,EAC9E,GAAU,CACX,CACA,IAAM,EAAyB,
EAAY,GAC3C,GAAI,GAAwB,MAAQ,IAAM,CACzC,GAAI,EAAU,EACb,MAAU,MAAM,qDAAqD,EAEtE,EAAiC,EAAuB,MAAO,iBAAiB,EAChF,GAAU,CACX,CACA,IAAM,EAAa,EAAY,EAAO,EAAE,MAAQ,IAAO,EAAY,GAAU,IAAA,GAC7E,GAAI,IAAe,IAAA,GAAW,CAC7B,GAAI,IAAY,EACf,MAAU,MAAM,0CAA0C,EAE3D,GAAU,CACX,CACA,GAAI,IAAW,EAAY,OAC1B,MAAU,MACT,yCAAyC,OAAO,EAAe,EAAY,GAAS,sBAAsB,CAAC,CAAC,GAAG,GAChH,EAED,IAAM,EAAmB,GAAwB,EAAK,CAAU,EAC1D,EAAiB,GAAc,EAAK,CAAQ,EAC5C,EAAa,EAA0B,EAAK,CAAoB,EAChE,EAA8B,EAAyB,EAAK,CAAqB,EACjF,EAA2B,EAAyB,EAAK,CAAkB,EACjF,EACC,EACA,CACD,EACA,IAAM,EACL,GAAS,WAAa,IAAA,GACnB,IAAA,GACA,EAAiB,EAAiB,IAAK,EAAQ,QAAQ,EACrD,EACL,GAAS,aAAe,IAAA,GACrB,IAAA,GACA,EAAmB,EAAiB,IAAK,EAAQ,UAAU,EAE/D,MAAO,CACN,IAAK,IAAI,WAAW,CAAG,EACvB,UACA,gBAAiB,EAAM,EAAa,KAAK,EACzC,kBAAmB,EAAI,MACtB,EAAe,MAAQ,EAAe,aACtC,EAAe,GAChB,EACA,wBAAyB,EAAI,MAC5B,EAAqB,MAAQ,EAAqB,aAClD,EAAqB,GACtB,EACA,eAAgB,EAAsB,CAAc,EACpD,OAAQ,EAAU,EAAK,CAAM,EAC7B,QAAS,EAAU,EAAK,CAAO,EAC/B,UAAW,EAAe,UAC1B,SAAU,EAAe,SACzB,sBAAuB,EAAyB,IAChD,uBAAwB,EACvB,EAAyB,IACzB,EAAyB,aAC1B,EACA,GAAI,EAAyB,gBAAkB,IAAA,GAE5C,CAAC,EADD,CAAE,gCAAiC,EAAyB,aAAc,EAE7E,sBAAuB,EAAW,IAClC,uBAAwB,EAA2B,EAAW,IAAK,EAAW,aAAa,EAC3F,GAAI,EAAW,gBAAkB,IAAA,GAE9B,CAAC,EADD,CAAE,gCAAiC,EAAW,aAAc,EAE/D,GAAI,EAAW,gBAAkB,IAAA,GAE9B,CAAC,EADD,CAAE,uBAAwB,EAAW,aAAc,EAEtD,WAAY,EAAiB,IAC7B,GAAI,EAAiB,mBAAqB,IAAA,GAEvC,CAAC,EADD,CAAE,iBAAkB,EAAiB,gBAAiB,EAEzD,GAAI,EAAiB,WAAa,IAAA,GAAsD,CAAC,EAA3C,CAAE,SAAU,EAAiB,QAAS,EACpF,GAAI,EAAiB,mBAAqB,IAAA,GAEvC,CAAC,EADD,CAAE,iBAAkB,EAAiB,gBAAiB,EAEzD,GAAI,EAAiB,kBAAoB,IAAA,GAEtC,CAAC,EADD,CAAE,gBAAiB,EAAiB,eAAgB,EAEvD,GAAI,EAAiB,kBAAoB,IAAA,GAEtC,CAAC,EADD,CAAE,gBAAiB,EAAiB,eAAgB,EAEvD,GAAI,EAAiB,sBAAwB,IAAA,GAE1C,CAAC,EADD,CAAE,oBAAqB,EAAiB,mBAAoB,EAE/D,GAAI,EAAiB,iBAAmB,IAAA,GAErC,CAAC,EADD,CAAE,eAAgB,EAAiB,cAAe,EAErD,GAAI,EAAiB,oBAAsB,IAAA,GAExC,CAAC,EADD,CAAE,kBAAmB,EAAiB,iBAAkB,EAE3D,GAAI,EAAiB,mBAAqB,IAAA,GAEvC,CAAC,EADD,CAAE,iBAAkB,EAAiB,gBAAiB,EAEzD,GAAI,EAAiB,sBAAwB,IAAA,GAE1C,CAAC,EADD,CAAE,oBAAqB,EAAiB,mBAAoB,EAE/D,GAAI,EAAiB,wBAA0B,IAAA,GAE5C,C
AAC,EADD,CAAE,sBAAuB,EAAiB,qBAAsB,EAEnE,GAAI,IAAsB,IAAA,GAAoC,CAAC,EAAzB,CAAE,mBAAkB,EAC1D,GAAI,IAAwB,IAAA,GAAsC,CAAC,EAA3B,CAAE,qBAAoB,EAC9D,GAAI,EAAiB,uBAAyB,IAAA,GAE3C,CAAC,EADD,CAAE,qBAAsB,EAAiB,oBAAqB,EAEjE,GAAI,EAAiB,yBAA2B,IAAA,GAE7C,CAAC,EADD,CAAE,uBAAwB,EAAiB,sBAAuB,CAEtE,CACD,CAoBA,SAAgB,EACf,EACA,EAC0B,CAC1B,OAAO,EAAoB,EAAU,cAAe,CAAG,EAAG,CAAO,CAClE,CAGA,SAAgB,EAEd,EAA6B,EAAkE,CAChG,OAAO,OAAO,GAAW,SACtB,EAA+B,EAAQ,CAAO,EAC9C,CAAC,EAAoB,IAAI,WAAW,CAAM,EAAG,CAAO,CAAC,CACzD,CAGA,SAAgB,EACf,EACA,EAC0B,CAQ1B,OAPI,OAAO,GAAW,SACd,EAAoB,EAAQ,CAAO,EAEvC,EAA0B,CAAM,EAC5B,EAGD,EAAoB,IAAI,WAAWA,CAAS,EAAG,CAAO,CAC9D,CAUA,SAAgB,EACf,EACA,EACqC,CACrC,OAAO,EAA+B,EAAW,CAAO,CACzD,CAQA,SAAgB,EAEd,EAAiB,EAAqE,CACvF,IAAM,EAAW,EAAqB,EAAK,CAAE,SAAA,EAAgC,CAAC,EAC9E,GAAI,EAAS,SAAW,EACvB,MAAU,MAAM,gCAAgC,EAEjD,IAAM,EAA2B,EAAe,EAAS,GAAI,0BAA0B,EACjF,EAAqB,EAAe,EAAS,GAAI,oBAAoB,EACrE,EAAiB,EAAe,EAAS,GAAI,gBAAgB,EAC7D,EAAc,EAAW,EAAK,CAAwB,EAC5D,GAAI,EAAY,OAAS,GAAK,EAAY,OAAS,EAClD,MAAU,MAAM,oCAAoC,EAErD,IAAM,EAAiB,EAAe,EAAY,GAAI,SAAS,EAC/D,GAAI,EAAe,MAAQ,EAC1B,MAAU,MAAM,0BAA0B,EAE3C,IAAM,EAAU,EAAoB,EAAe,KAAK,EAAI,EAC5D,GAAI,IAAY,EACf,MAAU,MAAM,iDAAiD,OAAO,CAAO,GAAG,EAEnF,IAAM,EAAU,EAAe,EAAY,GAAI,SAAS,EAClD,EAAuB,EAAe,EAAY,GAAI,sBAAsB,EAC5E,EAAa,EAAY,GAC/B,GAAI,IAAe,IAAA,IAAa,EAAW,MAAQ,IAClD,MAAU,MAAM,kDAAkD,EAEnE,IAAM,EAAmB,GAAyB,EAAK,CAAU,EAC3D,EAAa,EAA0B,EAAK,CAAoB,EAChE,EAA2B,EAAyB,EAAK,CAAkB,EAC3E,EACL,GAAS,WAAa,IAAA,GACnB,IAAA,GACA,EAAiB,EAAiB,IAAK,EAAQ,QAAQ,EACrD,EACL,GAAS,aAAe,IAAA,GACrB,IAAA,GACA,EAAmB,EAAiB,IAAK,EAAQ,UAAU,EAE/D,MAAO,CACN,UACA,4BAA6B,EAAI,MAChC,EAAyB,MAAQ,EAAyB,aAC1D,EAAyB,GAC1B,EACA,wBAAyB,EAAI,MAC5B,EAAqB,MAAQ,EAAqB,aAClD,EAAqB,GACtB,EACA,eAAgB,EAAsB,CAAc,EACpD,QAAS,EAAU,EAAK,CAAO,EAC/B,sBAAuB,EAAyB,IAChD,uBAAwB,EACvB,EAAyB,IACzB,EAAyB,aAC1B,EACA,GAAI,EAAyB,gBAAkB,IAAA,GAE5C,CAAC,EADD,CAAE,gCAAiC,EAAyB,aAAc,EAE7E,sBAAuB,EAAW,IAClC,uBAAwB,EAA2B,EAAW,IAAK,EAAW,aAAa,EAC3F,GAAI,EAAW,gBAAkB,IAAA,GAE9B,CAAC,EADD,CAAE,gCAAiC,EAAW,aAAc,EAE/D,GAAI,EAAW,gBAAkB,IAAA,G
AE9B,CAAC,EADD,CAAE,uBAAwB,EAAW,aAAc,EAEtD,oBAAqB,EAAiB,IACtC,GAAI,EAAiB,mBAAqB,IAAA,GAEvC,CAAC,EADD,CAAE,iBAAkB,EAAiB,gBAAiB,EAEzD,GAAI,EAAiB,WAAa,IAAA,GAAsD,CAAC,EAA3C,CAAE,SAAU,EAAiB,QAAS,EACpF,GAAI,EAAiB,mBAAqB,IAAA,GAEvC,CAAC,EADD,CAAE,iBAAkB,EAAiB,gBAAiB,EAEzD,GAAI,EAAiB,kBAAoB,IAAA,GAEtC,CAAC,EADD,CAAE,gBAAiB,EAAiB,eAAgB,EAEvD,GAAI,EAAiB,kBAAoB,IAAA,GAEtC,CAAC,EADD,CAAE,gBAAiB,EAAiB,eAAgB,EAEvD,GAAI,EAAiB,sBAAwB,IAAA,GAE1C,CAAC,EADD,CAAE,oBAAqB,EAAiB,mBAAoB,EAE/D,GAAI,EAAiB,iBAAmB,IAAA,GAErC,CAAC,EADD,CAAE,eAAgB,EAAiB,cAAe,EAErD,GAAI,EAAiB,oBAAsB,IAAA,GAExC,CAAC,EADD,CAAE,kBAAmB,EAAiB,iBAAkB,EAE3D,GAAI,EAAiB,mBAAqB,IAAA,GAEvC,CAAC,EADD,CAAE,iBAAkB,EAAiB,gBAAiB,EAEzD,GAAI,EAAiB,sBAAwB,IAAA,GAE1C,CAAC,EADD,CAAE,oBAAqB,EAAiB,mBAAoB,EAE/D,GAAI,EAAiB,wBAA0B,IAAA,GAE5C,CAAC,EADD,CAAE,sBAAuB,EAAiB,qBAAsB,EAEnE,GAAI,IAAsB,IAAA,GAAoC,CAAC,EAAzB,CAAE,mBAAkB,EAC1D,GAAI,IAAwB,IAAA,GAAsC,CAAC,EAA3B,CAAE,qBAAoB,CAC/D,CACD,CAEA,SAAS,EACR,EACA,EACqC,CACrC,OAAO,EAAe,CAAS,CAAC,CAC9B,OAAQ,GAAU,EAAM,QAAU,aAAa,CAAC,CAChD,IAAK,GAAU,EAAoB,EAAM,MAAO,CAAO,CAAC,CAC3D,CAEA,SAAS,EACR,EACmC,CACnC,MAAO,4BAA6B,CACrC,CAQA,SAAgB,GAEd,EAAa,EAAqE,CACnF,OAAO,EAAkC,EAAU,sBAAuB,CAAG,EAAG,CAAO,CACxF,CASA,SAAgB,EACf,EACA,EAC8B,CAC9B,OAAO,EAAW,KAAM,GAAc,EAAU,MAAQ,CAAG,CAC5D,CASA,SAAgB,GACf,EACA,EACqB,CACrB,IAAM,EAAY,EAAc,EAAY,EAAQ,GAAG,EACnD,OAAc,IAAA,GAGlB,OAAO,EAAQ,OAAO,CAAS,CAChC,CAQA,SAAgB,EACf,EACA,EAC4C,CAC5C,IAAM,EAA4C,CAAC,EACnD,IAAK,IAAM,KAAW,EAAU,CAC/B,IAAM,EAAY,EAAc,EAAY,EAAQ,GAAG,EACnD,IAAc,IAAA,IAGlB,EAAQ,KAAK,CACZ,IAAK,EAAU,IACf,SAAU,EAAU,SACpB,MAAO,EAAQ,OAAO,CAAS,CAChC,CAAC,CACF,CACA,OAAO,CACR,CAQA,SAAgB,EACf,EACA,EAC4B,CAC5B,IAAI,EAAqC,CAAC,EAC1C,IAAK,IAAM,KAAO,EAAY,CAC7B,IAAM,EAAU,EAAW,GAC3B,GAAI,IAAY,IAAA,GACf,SAED,IAAM,EAAY,EAAc,EAAY,EAAQ,GAAG,EACnD,IAAc,IAAA,KAGlB,EAAU,CACT,GAAG,GACF,GAAM,CACN,IAAK,EAAU,IACf,SAAU,EAAU,SACpB,MAAO,EAAQ,OAAO,CAAS,CAChC,CACD,EACD,CACA,OAAO,CACR,CASA,SAAS,GACR,EACA,EACmB,CAKnB,OAJI,IAAc,IAAA,GACV,CAAE,IAAK,CAAC,CAAE,EAGX,EAAuB,EADN,EAAe,EAAW,EAAQ,CAAS
,CAAC,CAAC,GAAI,qBACrB,EAAG,aAAa,CACrE,CAGA,SAAS,GACR,EACA,EACmB,CACnB,GAAI,IAAe,IAAA,GAClB,MAAO,CAAE,IAAK,CAAC,CAAE,EAElB,GAAI,EAAW,MAAQ,IACtB,MAAU,MAAM,kDAAkD,EAEnE,IAAI,EACJ,IAAK,IAAM,KAAa,EAAW,EAAQ,CAAU,EAAG,CACvD,IAAM,EAAoB,EAAW,EAAQ,CAAS,EACtD,GAAI,EAAkB,SAAW,EAChC,MAAU,MAAM,yBAAyB,EAG1C,GAAI,EADQ,EAAe,EAAkB,GAAI,eACpB,CAAC,CAAC,KAAK,IAAM,EAAK,iBAC9C,SAED,GAAI,IAAwB,IAAA,GAC3B,MAAU,MAAM,4CAA4C,EAE7D,IAAM,EAAY,EAAe,EAAkB,GAAI,kBAAkB,EACzE,GAAI,EAAU,MAAQ,GACrB,MAAU,MAAM,gDAAgD,EAEjE,IAAM,EAAS,EAAW,EAAQ,CAAS,EAC3C,GAAI,EAAO,SAAW,EACrB,MAAU,MAAM,2DAA2D,EAG5E,EAAsB,EAAuB,EAD3B,EAAe,EAAO,GAAI,sBACiB,EAAG,KAAK,CACtE,CACA,OAAO,GAAuB,CAAE,IAAK,CAAC,CAAE,CACzC,CAGA,SAAS,EACR,EACA,EACA,EACmB,CACnB,IAAM,EAA4B,CAAC,EAC7B,EAAsD,CAAC,EACvD,EAAW,IAAI,IAErB,IAAK,IAAM,KAAa,EAAW,EAAQ,CAAe,EAAG,CAC5D,IAAM,EAAW,EAAW,EAAQ,CAAS,EAC7C,GAAI,EAAS,OAAS,GAAK,EAAS,OAAS,EAC5C,MAAU,MAAM,qBAAqB,EAGtC,IAAM,EAAM,EADO,EAAe,EAAS,GAAI,eACH,CAAC,CAAC,KAAK,EACnD,GAAI,EAAS,IAAI,CAAG,EACnB,MAAU,MAAM,4BAA4B,GAAK,EAElD,EAAS,IAAI,CAAG,EAChB,IAAI,EAAS,EACT,EAAW,GACT,EAAgB,EAAS,GAC3B,GAAe,MAAQ,IAC1B,EAAW,EAAc,EAAc,KAAK,EAC5C,GAAU,GAEX,IAAM,EAAY,EAAe,EAAS,GAAS,iBAAiB,EACpE,GAAI,EAAU,MAAQ,GAAQ,IAAW,EAAS,OAAS,EAC1D,MAAU,MAAM,uCAAuC,EAExD,EAAO,KAAK,CACX,MACA,WACA,SAAU,IAAI,WAAW,EAAU,KAAK,EACxC,SAAU,EAAM,EAAU,KAAK,CAChC,CAAC,EACD,EAA6B,EAAS,EAAK,EAAa,EAAU,KAAK,CACxE,CAEA,MAAO,CACN,IAAK,EACL,GAAG,CACJ,CACD,CAGA,SAAS,EAAU,EAAoB,EAAiC,CACvE,IAAM,EAA0C,CAAC,EAC3C,EAAoC,CAAC,EACrC,EAAgD,CAAC,EACvD,IAAK,IAAM,KAAc,EAAW,EAAQ,CAAO,EAAG,CACrD,IAAM,EAAM,EAAsB,EAAQ,CAAU,EACpD,EAAK,KAAK,CAAG,EACb,IAAK,IAAM,KAAa,EAAI,WAC3B,EAAW,KAAK,CAAS,EACrB,EAAU,MAAQ,IAAA,IAAa,EAAO,EAAU,OAAS,IAAA,KAC5D,EAAO,EAAU,KAAO,EAAU,MAGrC,CACA,MAAO,CACN,OAAQ,EAAM,EAAO,MAAM,EAAQ,MAAQ,EAAQ,aAAc,EAAQ,GAAG,CAAC,EAC7E,OACA,aACA,QACD,CACD,CAGA,SAAS,GACR,EACA,EACkC,CAClC,OAAO,EAAsB,EAAQ,CAAO,CAC7C,CAGA,SAAS,EACR,EACA,EACkC,CAClC,IAAM,EAAoC,CAAC,EACrC,EAAgD,CAAC,EACvD,IAAK,IAAM,KAAqB,EAAW,EAAQ,CAAU,EAAG,CAC/D,IAAM,EAAQ,EAAW,EAAQ,CAAiB,EAC5C,EAAM,EAAuB,EAAe
,EAAM,GAAI,UAAU,CAAC,CAAC,KAAK,EACvE,EAAe,EAAe,EAAM,GAAI,YAAY,EACpD,EAAW,EAAoB,CAAG,EAClC,EAAa,EAAa,EAAa,IAAK,EAAa,KAAK,EAC9D,EACL,IAAa,IAAA,GAEV,CAAE,MAAK,SAAU,EAAa,IAAK,MAAO,CAAW,EADrD,CAAE,MAAK,IAAK,EAAU,SAAU,EAAa,IAAK,MAAO,CAAW,EAExE,EAAW,KAAK,CAAS,EACrB,IAAa,IAAA,IAAa,EAAO,KAAc,IAAA,KAClD,EAAO,GAAY,EAErB,CACA,MAAO,CACN,OAAQ,EAAM,EAAO,MAAM,EAAW,MAAQ,EAAW,aAAc,EAAW,GAAG,CAAC,EACtF,aACA,QACD,CACD,CAGA,SAAS,GACR,EACA,EAIC,CACD,IAAM,EAAW,EAAW,EAAQ,CAAO,EAC3C,MAAO,CACN,UAAW,EAAU,EAAe,EAAS,GAAI,WAAW,CAAC,EAC7D,SAAU,EAAU,EAAe,EAAS,GAAI,UAAU,CAAC,CAC5D,CACD,CAGA,SAAS,EACR,EACA,EAC4B,CAC5B,GAAI,EAAQ,MAAQ,GACnB,MAAU,MAAM,wCAAwC,EAEzD,IAAM,EAAW,EAAW,EAAQ,CAAO,EAC3C,GAAI,EAAS,SAAW,EACvB,MAAU,MAAM,kEAAkE,EAEnF,IAAM,EAAmB,EAAe,EAAS,GAAI,gBAAgB,EACrE,GAAI,EAAiB,MAAQ,GAC5B,MAAU,MAAM,kDAAkD,EAEnE,IAAM,EAAY,EAAyB,EAAQ,CAAgB,EAEnE,OADA,EAAsB,EAAe,EAAS,GAAI,6BAA6B,CAAC,EACzE,CACR,CAaA,SAAS,EACR,EACA,EAC4B,CAC5B,IAAM,EAAW,EAAW,EAAQ,CAAO,EAC3C,GAAI,EAAS,SAAW,GAAK,EAAS,OAAS,EAC9C,MAAU,MAAM,+BAA+B,EAEhD,IAAM,EAAM,EAAuB,EAAe,EAAS,GAAI,eAAe,CAAC,CAAC,KAAK,EAC/E,EAAa,EAAS,GAC5B,GAAI,IAAe,IAAA,GAClB,MAAO,CAAE,KAAI,EAEd,IAAM,EAAgB,EAAO,MAAM,EAAW,MAAQ,EAAW,aAAc,EAAW,GAAG,EAI7F,OAHI,GAAY,MAAQ,EAChB,CAAE,MAAK,gBAAe,cAAe,EAAuB,EAAW,KAAK,CAAE,EAE/E,CAAE,MAAK,eAAc,CAC7B,CAEA,SAAS,EACR,EACA,EACO,CACP,GACC,EAAsB,MAAQ,EAAmB,KACjD,CAAC,EAAmB,EAAsB,cAAe,EAAmB,aAAa,EAEzF,MAAU,MAAM,oEAAoE,CAEtF,CAEA,SAAS,EAAmB,EAA8B,EAAwC,CACjG,GAAI,IAAS,IAAA,IAAa,IAAU,IAAA,GACnC,OAAO,IAAS,EAEjB,GAAI,EAAK,SAAW,EAAM,OACzB,MAAO,GAER,IAAK,IAAI,EAAQ,EAAG,EAAQ,EAAK,OAAQ,GAAS,EACjD,GAAI,EAAK,KAAW,EAAM,GACzB,MAAO,GAGT,MAAO,EACR,CAGA,SAAgB,EAAsB,EAAqC,CAC1E,IAAM,EAAU,EAAgB,EAAO,CAAE,SAAA,EAAgC,CAAC,EAC1E,GAAI,EAAQ,MAAQ,GACnB,MAAU,MAAM,oCAAoC,EAErD,IAAM,EAAW,EAAW,EAAO,CAAO,EACtC,EAAK,GACL,EACA,EAAQ,GACR,EAAgB,GACpB,IAAK,IAAM,KAAS,EAAU,CAC7B,GAAI,EAAM,MAAQ,EAAM,CACvB,GAAI,EACH,MAAU,MAAM,qCAAqC,EAEtD,GAAI,EACH,MAAU,MAAM,6CAA6C,EAE9D,EAAQ,GACR,EAAK,EAAc,EAAM,KAAK,EAC9B,QACD,CACA,GAAI,EAAM,MAAQ,EAAM,CACvB,GAAI,EACH,MAAU,MAAM,6CAA6C,
EAE9D,EAAgB,GAChB,EAAa,EAA+B,EAAM,MAAO,6BAA6B,EACtF,QACD,CACA,MAAU,MAAM,2CAA2C,OAAO,EAAM,GAAG,GAAG,CAC/E,CACA,GAAI,IAAe,IAAA,IAAa,IAAO,GACtC,MAAU,MAAM,gDAAgD,EAEjE,OAAO,IAAe,IAAA,GAAiC,CAAE,IAAG,EAA1B,CAAE,KAAI,YAAW,CACpD,CAGA,SAAgB,GAAc,EAA6C,CAC1E,OAAO,EAAuB,CAAK,CACpC,CAGA,SAAgB,GAAsB,EAAgD,CAKrF,OAAO,EAAW,EAJM,EACvB,EAAgB,EAAO,CAAE,SAAA,EAAgC,CAAC,EAC1D,2BAEsC,CAAC,CAAC,CAAC,IAAK,GAC9C,EAAyB,EAAuB,EAAQ,KAAK,CAAC,CAC/D,CACD,CAGA,SAAgB,GAAyB,EAAwC,CAKhF,IAAM,EAAiB,EAAW,EAJV,EACvB,EAAgB,EAAO,CAAE,SAAA,EAAgC,CAAC,EAC1D,8BAEsD,CAAC,EACxD,GAAI,EAAe,SAAW,EAC7B,MAAU,MAAM,uCAAuC,EAExD,OAAO,EAAe,IAAK,GAAkB,GAAuB,EAAO,CAAa,CAAC,CAC1F,CAGA,SAAS,GAAuB,EAAoB,EAAqB,CACxE,IAAM,EAAW,EAAW,EAAQ,CAAO,EACrC,EAAmB,EACxB,EAAe,EAAS,GAAI,kBAAkB,CAAC,CAAC,KACjD,EACM,EAAoB,EAAS,GACnC,GAAI,EAAS,OAAS,EACrB,MAAU,MAAM,kDAAkD,EAEnE,GAAI,IAAsB,IAAA,GACzB,MAAO,CAAE,kBAAiB,EAE3B,IAAM,EAAa,EAAW,EAAQ,CAAiB,EACvD,GAAI,EAAW,SAAW,EACzB,MAAU,MAAM,oCAAoC,EAErD,MAAO,CACN,mBACA,iBAAkB,EAAW,IAAK,GACjC,GAAyB,EAAQ,CAAgB,CAClD,CACD,CACD,CAGA,SAAS,GAAyB,EAAoB,EAAqB,CAC1E,IAAM,EAAW,EAAW,EAAQ,CAAO,EACrC,EAAc,EACnB,EAAe,EAAS,GAAI,mBAAmB,CAAC,CAAC,KAClD,EACM,EAAiB,EAAe,EAAS,GAAI,iBAAiB,EACpE,GAAI,EAAS,OAAS,EACrB,MAAU,MAAM,oDAAoD,EAErE,GAAI,IAAgB,EAAK,mBAAoB,CAC5C,GAAI,EAAe,MAAQ,GAC1B,MAAU,MAAM,yCAAyC,EAE1D,MAAO,CAAE,KAAM,MAAgB,IAAK,EAAa,EAAe,IAAK,EAAe,KAAK,CAAE,CAC5F,CAOA,OANI,IAAgB,EAAK,0BACjB,CACN,KAAM,aACN,GAAG,EAAmC,EAAQ,CAAc,CAC7D,EAEM,CACN,KAAM,MACN,IAAK,EACL,aAAc,EAAO,MACpB,EAAe,MAAQ,EAAe,aACtC,EAAe,GAChB,CACD,CACD,CAGA,SAAS,EACR,EACA,EAOC,CACD,IAAM,EAAW,EAAW,EAAQ,CAAO,EACvC,EAMA,EACJ,IAAK,IAAM,KAAS,EAAU,CAC7B,GAAI,EAAM,MAAQ,GAAM,CACvB,GAAI,IAAc,IAAA,GACjB,MAAU,MAAM,uDAAuD,EAExE,EAAY,GAA2B,EAAQ,CAAK,EACpD,QACD,CACA,GAAI,IAAiB,IAAA,GACpB,MAAU,MAAM,0DAA0D,EAE3E,EAAe,EAAiB,CAAK,CACtC,CACA,MAAO,CACN,GAAI,IAAc,IAAA,GAAY,CAAC,EAAI,CAAE,WAAU,EAC/C,GAAI,IAAiB,IAAA,GAAY,CAAC,EAAI,CAAE,cAAa,CACtD,CACD,CAGA,SAAS,GACR,EACA,EAIC,CACD,GAAI,EAAQ,MAAQ,GACnB,MAAU,MAAM,6BAA6B,EAE9C,IAAM,EAAW,EAAW,EAAQ,CAAO,EACrC,EAAe,EAAiB,E
AAe,EAAS,GAAI,wBAAwB,CAAC,EACrF,EAAuB,EAAe,EAAS,GAAI,yBAAyB,EAClF,GAAI,EAAS,OAAS,EACrB,MAAU,MAAM,0CAA0C,EAE3D,MAAO,CACN,eACA,cAAe,GAAyB,EAAQ,CAAoB,CACrE,CACD,CAGA,SAAS,GAAyB,EAAoB,EAAwC,CAC7F,GAAI,EAAQ,MAAQ,GACnB,MAAU,MAAM,2CAA2C,EAE5D,IAAM,EAAuB,EAAW,EAAQ,CAAO,EACvD,GAAI,EAAqB,SAAW,EACnC,MAAU,MAAM,2CAA2C,EAE5D,OAAO,EAAqB,IAAK,GAAwB,CACxD,GAAI,EAAoB,MAAQ,EAC/B,MAAU,MAAM,yCAAyC,EAE1D,OAAO,EAA+B,EAAoB,MAAO,wBAAwB,CAC1F,CAAC,CACF,CAGA,SAAgB,GAAoB,EAAmC,CAKtE,IAAM,EAAkB,EAAW,EAJX,EACvB,EAAgB,EAAO,CAAE,SAAA,EAAgC,CAAC,EAC1D,yBAEuD,CAAC,EACzD,GAAI,EAAgB,SAAW,EAC9B,MAAU,MAAM,kCAAkC,EAEnD,OAAO,EAAgB,IAAK,GAAmB,CAC9C,IAAM,EAAW,EAAW,EAAO,CAAc,EAC3C,EAAqB,EAC1B,EAAe,EAAS,GAAI,mCAAmC,CAAC,CAAC,KAClE,EACM,EAAsB,EAC3B,EAAe,EAAS,GAAI,oCAAoC,CAAC,CAAC,KACnE,EACA,GAAI,EAAS,OAAS,EACrB,MAAU,MAAM,qDAAqD,EAEtE,GAAI,IAAuB,EAAK,WAAa,IAAwB,EAAK,UACzE,MAAU,MAAM,uCAAuC,EAExD,MAAO,CAAE,qBAAoB,qBAAoB,CAClD,CAAC,CACF,CAGA,SAAgB,GAAuB,EAAsC,CAC5E,IAAM,EAAkB,EACvB,EAAgB,EAAO,CAAE,SAAA,EAAgC,CAAC,EAC1D,4BACD,EACI,EACA,EACJ,IAAK,IAAM,KAAS,EAAW,EAAO,CAAe,EAAG,CACvD,GAAI,EAAM,MAAQ,IAAM,CACvB,GAAI,IAA0B,IAAA,GAC7B,MAAU,MAAM,yDAAyD,EAE1E,EAAwB,EACvB,EAAM,MACN,yCACD,EACA,QACD,CACA,GAAI,EAAM,MAAQ,IAAM,CACvB,GAAI,IAAyB,IAAA,GAC5B,MAAU,MAAM,wDAAwD,EAEzE,EAAuB,EACtB,EAAM,MACN,wCACD,EACA,QACD,CACA,MAAU,MAAM,4CAA4C,EAAM,KAAK,CACxE,CACA,GAAI,IAA0B,IAAA,IAAa,IAAyB,IAAA,GACnE,MAAU,MAAM,0EAA0E,EAE3F,MAAO,CACN,GAAI,IAA0B,IAAA,GAAY,CAAC,EAAI,CAAE,uBAAsB,EACvE,GAAI,IAAyB,IAAA,GAAY,CAAC,EAAI,CAAE,sBAAqB,CACtE,CACD,CAGA,SAAgB,GAAsB,EAAqC,CAC1E,IAAM,EAAiB,EACtB,EAAgB,EAAO,CAAE,SAAA,EAAgC,CAAC,EAC1D,0BACD,EACA,GAAI,EAAe,MAAQ,EAC1B,MAAU,MAAM,qCAAqC,EAEtD,MAAO,CACN,UAAW,EAA+B,EAAe,MAAO,4BAA4B,CAC7F,CACD,CAGA,SAAgB,GAAqB,EAA8C,CAKlF,OAAO,EAAW,EAJM,EACvB,EAAgB,EAAO,CAAE,SAAA,EAAgC,CAAC,EAC1D,yBAEsC,CAAC,CAAC,CAAC,IAAK,GAAY,EAAiB,EAAO,CAAO,CAAC,CAC5F,CAGA,SAAgB,GAAyB,EAA0D,CAClG,IAAM,EAAkB,EACvB,EAAgB,EAAO,CAAE,SAAA,EAAgC,CAAC,EAC1D,8BACD,EACA,GAAI,EAAgB,MAAQ,GAC3B,MAAU,MAAM,uCAAuC,EAExD,IAAM,EAAqB,EAAW,EAAO,CAAe,EAC5D,GAAI,
EAAmB,SAAW,EACjC,MAAU,MAAM,uCAAuC,EAExD,OAAO,EAAmB,IAAK,GAAY,CAC1C,GAAI,EAAQ,MAAQ,GACnB,MAAU,MAAM,6CAA6C,EAE9D,IAAM,EAAW,EAAW,EAAO,CAAO,EAC1C,GAAI,EAAS,SAAW,EACvB,MAAU,MAAM,iEAAiE,EAElF,IAAM,EAAS,EAAe,EAAS,GAAI,4BAA4B,EACjE,EAAW,EAAe,EAAS,GAAI,8BAA8B,EAC3E,GAAI,EAAO,MAAQ,EAClB,MAAU,MAAM,uDAAuD,EAExE,GAAI,EAAS,MAAQ,IACpB,MAAU,MAAM,iDAAiD,EAAS,KAAK,EAEhF,MAAO,CACN,OAAQ,EAAkC,EAAuB,EAAO,KAAK,CAAC,EAC9E,IAAK,EAAY,OAAO,EAAS,KAAK,CACvC,CACD,CAAC,CACF,CAGA,SAAgB,GAA2B,EAAuD,CACjG,IAAM,EAAkB,EACvB,EAAgB,EAAO,CAAE,SAAA,EAAgC,CAAC,EAC1D,gCACD,EACA,GAAI,EAAgB,MAAQ,GAC3B,MAAU,MAAM,yCAAyC,EAE1D,IAAM,EAAW,EAAW,EAAO,CAAe,EAClD,GAAI,EAAS,SAAW,EACvB,MAAU,MAAM,yCAAyC,EAE1D,IAAM,EAAoC,CAAC,EAC3C,IAAK,IAAM,KAAqB,EAC/B,EAAO,KAAK,GAAuB,EAAO,CAAiB,CAAC,EAE7D,OAAO,CACR,CAGA,SAAS,GAAuB,EAAoB,EAA8C,CACjG,GAAI,EAAQ,MAAQ,GACnB,MAAU,MAAM,qCAAqC,EAEtD,IAAI,EACA,EACA,EACJ,IAAK,IAAM,KAAS,EAAW,EAAQ,CAAO,EAC7C,GAAI,EAAM,MAAQ,IAAM,CACvB,GAAI,IAAsB,IAAA,GACzB,MAAU,MAAM,qDAAqD,EAEtE,EAAoB,GAA2B,EAAQ,CAAK,CAC7D,MAAO,GAAI,EAAM,MAAQ,IAAM,CAC9B,GAAI,IAAY,IAAA,GACf,MAAU,MAAM,2CAA2C,EAE5D,EAAU,EAAyC,EAAM,KAAK,CAC/D,MAAO,GAAI,EAAM,MAAQ,IAAM,CAC9B,GAAI,IAAc,IAAA,GACjB,MAAU,MAAM,6CAA6C,EAE9D,EAAY,GAAkB,EAAQ,CAAK,CAC5C,MACC,MAAU,MAAM,4CAA4C,OAAO,EAAM,GAAG,GAAG,EAGjF,GAAI,IAAsB,IAAA,IAAa,IAAc,IAAA,GACpD,MAAU,MAAM,+DAA+D,EAEhF,MAAO,CACN,GAAI,IAAsB,IAAA,GAAY,CAAC,EAAI,CAAE,mBAAkB,EAC/D,GAAI,IAAY,IAAA,GAAY,CAAC,EAAI,CAAE,SAAQ,EAC3C,GAAI,IAAc,IAAA,GAAY,CAAC,EAAI,CAAE,WAAU,CAChD,CACD,CAGA,SAAS,GACR,EACA,EAC8B,CAC9B,IAAM,EAAW,EAAW,EAAQ,CAAO,EAC3C,GAAI,EAAS,SAAW,EACvB,MAAU,MAAM,uDAAuD,EAExE,IAAM,EAAwB,EAAe,EAAS,GAAI,uBAAuB,EACjF,GAAI,EAAsB,MAAQ,IAAM,CACvC,IAAM,EAAW,EAAW,EAAQ,CAAqB,EACzD,GAAI,EAAS,SAAW,EACvB,MAAU,MAAM,kDAAkD,EAEnE,IAAK,IAAM,KAAQ,EAClB,IAAK,EAAK,IAAM,MAAU,IACzB,MAAU,MAAM,iEAAiE,EAGnF,MAAO,CACN,SAAU,EAAS,IAAK,GAAS,EAAiB,EAAQ,CAAI,CAAC,CAChE,CACD,CACA,GAAI,EAAsB,MAAQ,IACjC,MAAO,CAAE,aAAc,GAA+B,EAAQ,CAAqB,CAAE,EAEtF,MAAU,MAAM,0CAA0C,EAAsB,KAAK,CACtF,CAGA,SAAS,GAAkB,EAAoB,EAA6C,CAC3F,IAAM,EAAQ,EAAW,EAAQ,CAAO,
EACxC,GAAI,EAAM,SAAW,EACpB,MAAU,MAAM,gCAAgC,EAEjD,IAAK,IAAM,KAAQ,EAClB,IAAK,EAAK,IAAM,MAAU,IACzB,MAAU,MAAM,+CAA+C,EAGjE,OAAO,EAAM,IAAK,GAAS,EAAiB,EAAQ,CAAI,CAAC,CAC1D,CAGA,SAAS,EAAiB,EAAoB,EAAkC,CAC/E,OAAQ,EAAQ,IAAhB,CACC,IAAK,KAAM,CACV,IAAM,EAAY,GAAe,EAAQ,CAAO,EAIhD,OAHI,IAAc,IAAA,GAGX,CACN,KAAM,UACN,IAAK,EAAQ,IACb,MAAO,EAAO,MAAM,EAAQ,MAAO,EAAQ,GAAG,CAC/C,EANQ,CAOT,CACA,IAAK,KACJ,MAAO,CAAE,KAAM,QAAkB,MAAO,EAAY,OAAO,EAAQ,KAAK,CAAE,EAC3E,IAAK,KACJ,MAAO,CAAE,KAAM,MAAgB,MAAO,EAAY,OAAO,EAAQ,KAAK,CAAE,EACzE,IAAK,KACJ,MAAO,CAAE,KAAM,MAAgB,MAAO,EAAY,OAAO,EAAQ,KAAK,CAAE,EACzE,IAAK,KACJ,MAAO,CAAE,KAAM,KAAe,MAAO,EAAgB,EAAQ,KAAK,CAAE,EACrE,IAAK,KACJ,MAAO,CACN,KAAM,gBACN,OAAQ,EAAM,EAAiC,EAAS,CAAM,CAAC,CAChE,EACD,QACC,MAAO,CACN,KAAM,UACN,IAAK,EAAQ,IACb,MAAO,EAAO,MAAM,EAAQ,MAAO,EAAQ,GAAG,CAC/C,CACF,CACD,CAGA,SAAS,GAAe,EAAoB,EAAiD,CAC5F,IAAM,EAAoB,EAAW,EAAQ,CAAO,EACpD,GAAI,EAAkB,SAAW,EAChC,MAAU,MAAM,6CAA6C,EAG9D,IAAM,EAAoB,EAAW,EADX,EAAe,EAAkB,GAAI,oBACF,CAAC,EAC9D,GAAI,EAAkB,SAAW,EAChC,MAAU,MAAM,kDAAkD,EAEnE,IAAM,EAAS,EAAe,EAAkB,GAAI,mBAAmB,EACjE,EAAe,EAAe,EAAkB,GAAI,iBAAiB,EAE3E,GADkB,EAAuB,EAAO,KACpC,IAAM,EAAK,WACtB,OAED,GAAI,EAAa,MAAQ,IACxB,MAAU,MAAM,8CAA8C,EAE/D,IAAM,EAAgB,EAAW,EAAQ,CAAY,EACrD,GAAI,EAAc,SAAW,EAC5B,MAAU,MAAM,2DAA2D,EAE5E,IAAM,EAAiB,EAAe,EAAc,GAAI,kBAAkB,EAC1E,GAAI,EAAe,MAAQ,GAC1B,MAAU,MAAM,6CAA6C,EAE9D,MAAO,CAAE,KAAM,MAAO,MAAO,EAAa,EAAe,IAAK,EAAe,KAAK,CAAE,CACrF,CAGA,SAAgB,GAAqB,EAA8D,CAClG,IAAM,EAAkB,EACvB,EAAgB,EAAO,CACtB,SAAA,GACA,2BAA4B,CAAC,IAAM,IAAM,GAAI,CAC9C,CAAC,EACD,0BACD,EACA,GAAI,EAAgB,MAAQ,GAC3B,MAAU,MAAM,mCAAmC,EAEpD,IAAI,EACA,EACJ,IAAK,IAAM,KAAS,EAAW,EAAO,CAAe,EACpD,GAAI,EAAM,MAAQ,IAAM,CACvB,GAAI,IAAsB,IAAA,GACzB,MAAU,MAAM,mDAAmD,EAEpE,EAAoB,EAAqB,EAAO,CAAK,CACtD,MAAO,GAAI,EAAM,MAAQ,IAAM,CAC9B,GAAI,IAAqB,IAAA,GACxB,MAAU,MAAM,kDAAkD,EAEnE,EAAmB,EAAqB,EAAO,CAAK,CACrD,MACC,MAAU,MAAM,0CAA0C,OAAO,EAAM,GAAG,GAAG,EAG/E,MAAO,CACN,GAAI,IAAsB,IAAA,GAAoC,CAAC,EAAzB,CAAE,mBAAkB,EAC1D,GAAI,IAAqB,IAAA,GAAmC,CAAC,EAAxB,CAAE,kBAAiB,CACzD,CACD,CAGA,SAAS,EACR,EAC
A,EACsD,CACtD,IAAM,EAAuD,CAAC,EACxD,EAAkB,EAAW,EAAQ,CAAS,EACpD,GAAI,EAAgB,SAAW,EAC9B,MAAU,MAAM,oDAAoD,EAErE,IAAK,IAAM,KAAkB,EAAiB,CAC7C,GAAI,EAAe,MAAQ,GAC1B,MAAU,MAAM,mDAAmD,EAEpE,IAAM,EAAW,EAAW,EAAQ,CAAc,EAC5C,EAAc,EAAS,GAC7B,GAAI,IAAgB,IAAA,GACnB,MAAU,MAAM,kDAAkD,EAKnE,IAAI,EAAa,GACjB,IAAK,IAAI,EAAI,EAAG,EAAI,EAAS,OAAQ,GAAK,EAAG,CAC5C,IAAM,EAAQ,EAAS,GACnB,OAAU,IAAA,GAGd,GAAI,EAAM,MAAQ,IAAM,CACvB,GAAI,EACH,MAAU,MAAM,yDAAyD,EAI1E,GAFA,EAAa,GAGZ,EAA+B,EAAM,MAAO,yCAAyC,IACrF,EAEA,MAAU,MAAM,mDAAmD,CAErE,MAAO,GAAI,EAAM,MAAQ,IAExB,MAAU,MAAM,0DAA0D,OAE1E,MAAU,MACT,0DAA0D,OAAO,EAAM,GAAG,GAC3E,CAEF,CAEA,IAAM,EAAO,GAA+B,EAAQ,CAAW,EAC3D,IAAS,IAAA,IACZ,EAAS,KAAK,CAAE,KAAM,CAAK,CAAC,CAE9B,CACA,OAAO,CACR,CAGA,SAAS,GACR,EACA,EACuC,CACvC,OAAQ,EAAQ,IAAhB,CACC,IAAK,KACJ,MAAO,CAAE,KAAM,YAAa,MAAO,IAAI,WAAW,EAAQ,KAAK,CAAE,EAClE,IAAK,KACJ,MAAO,CAAE,KAAM,QAAS,MAAO,EAAY,OAAO,EAAQ,KAAK,CAAE,EAClE,IAAK,KACJ,MAAO,CAAE,KAAM,MAAO,MAAO,EAAY,OAAO,EAAQ,KAAK,CAAE,EAChE,IAAK,KACJ,MAAO,CAAE,KAAM,cAAe,MAAO,IAAI,WAAW,EAAQ,KAAK,CAAE,EACpE,IAAK,KACJ,MAAO,CAAE,KAAM,MAAO,MAAO,EAAY,OAAO,EAAQ,KAAK,CAAE,EAChE,IAAK,KACJ,GAAI,EAAQ,MAAM,SAAW,EAC5B,MAAO,CACN,KAAM,KACN,aAAc,EAAQ,MAAM,MAAM,EAAG,CAAC,EACtC,UAAW,EAAQ,MAAM,MAAM,EAAG,CAAC,CACpC,EAED,GAAI,EAAQ,MAAM,SAAW,GAC5B,MAAO,CACN,KAAM,KACN,aAAc,EAAQ,MAAM,MAAM,EAAG,EAAE,EACvC,UAAW,EAAQ,MAAM,MAAM,GAAI,EAAE,CACtC,EAED,MAAU,MACT,yEAAyE,OAAO,EAAQ,MAAM,MAAM,GACrG,EAED,IAAK,KACJ,MAAO,CACN,KAAM,gBACN,OAAQ,EAAM,EAAiC,EAAS,CAAM,CAAC,CAChE,EACD,IAAK,KACJ,MAAO,CAAE,KAAM,eAAgB,MAAO,IAAI,WAAW,EAAQ,KAAK,CAAE,EACrE,IAAK,KACJ,MAAO,CAAE,KAAM,eAAgB,MAAO,EAAuB,EAAQ,KAAK,CAAE,CAC9E,CACA,MAAU,MAAM,gDAAgD,OAAO,EAAQ,GAAG,GAAG,CACtF,CASA,SAAS,EAAiC,EAAqB,EAAiC,CAE/F,GAAI,EAAQ,MAAM,OAAS,GAAK,EAAQ,MAAM,KAAO,GACpD,OAAO,IAAI,WAAW,EAAQ,KAAK,EAGpC,IAAM,EAAgB,EAAa,EAAQ,MAAM,MAAM,EACjD,EAAS,IAAI,WAAW,EAAI,EAAc,OAAS,EAAQ,MAAM,MAAM,EAI7E,MAHA,GAAO,GAAK,GACZ,EAAO,IAAI,EAAe,CAAC,EAC3B,EAAO,IAAI,EAAQ,MAAO,EAAI,EAAc,MAAM,EAC3C,CACR,CAGA,SAAS,EAAiB,EAA6B,CACtD,OAAQ,EAAQ,IAAhB,CACC,IAAK,IACL,IAAK,IACL,I
AAK,IACJ,OAAO,EAAY,OAAO,EAAQ,KAAK,EACxC,IAAK,IACJ,OAAO,GAAgB,EAAQ,KAAK,EACrC,QACC,MAAU,MAAM,gCAAgC,EAAQ,KAAK,CAC/D,CACD,CAGA,SAAS,GAAgB,EAA2B,CACnD,GAAI,EAAM,OAAS,GAAM,EACxB,MAAU,MAAM,0BAA0B,EAE3C,IAAI,EAAQ,GACZ,IAAK,IAAI,EAAQ,EAAG,EAAQ,EAAM,OAAQ,GAAS,EAAG,CACrD,IAAM,EAAO,EAAM,GACb,EAAQ,EAAM,EAAQ,GAC5B,GAAI,IAAS,IAAA,IAAa,IAAU,IAAA,GACnC,MAAU,MAAM,2BAA2B,EAE5C,GAAS,OAAO,aAAc,GAAQ,EAAK,CAAK,CACjD,CACA,OAAO,CACR,CAGA,SAAgB,GAA4B,EAAuC,CAClF,IAAM,EAAkB,EAAe,EAAY,EAAO,CAAC,EAAG,iCAAiC,EAC/F,GAAI,EAAgB,MAAQ,EAAM,OACjC,MAAU,MAAM,iCAAiC,EAElD,IAAI,EACA,EAAyB,GACzB,EAA+B,GAC/B,EAAiB,GACjB,EAAS,EAAgB,MAC7B,KAAO,EAAS,EAAgB,KAAK,CACpC,IAAM,EAAQ,EAAY,EAAO,CAAM,EACvC,GAAI,EAAM,IAAM,EAAgB,IAC/B,MAAU,MAAM,iCAAiC,EAElD,GAAI,EAAM,MAAQ,IAAM,CACvB,GAAI,IAAkB,IAAA,GACrB,MAAU,MAAM,sDAAsD,EAEvE,GAAI,GAAkB,EACrB,MAAU,MAAM,uDAAuD,EAExE,EAAgB,EAAM,EAAM,KAAK,EACjC,EAAiB,CAClB,MAAO,GAAI,EAAM,MAAQ,IAAM,CAC9B,GAAI,EACH,MAAU,MAAM,4DAA4D,EAE7E,GAAI,GAAkB,EACrB,MAAU,MAAM,uDAAuD,EAExE,IAAM,EAAc,EAAW,EAAO,CAAK,EAC3C,GAAI,EAAY,SAAW,EAC1B,MAAU,MACT,6EACD,EAED,IAAK,IAAM,KAAc,EAAa,CACrC,IAAK,EAAW,IAAM,MAAU,IAC/B,MAAU,MACT,6EACD,EAED,EAAiB,EAAO,CAAU,CACnC,CACA,EAAyB,GACzB,EAAiB,CAClB,MAAO,GAAI,EAAM,MAAQ,IAAM,CAC9B,GAAI,EACH,MAAU,MAAM,kEAAkE,EAEnF,GAAI,GAAkB,GAAK,CAAC,EAC3B,MAAU,MAAM,uDAAuD,EAExE,GACC,EAAM,MACN,kDACD,EACA,EAA+B,GAC/B,EAAiB,CAClB,MACC,MAAU,MAAM,iDAAiD,OAAO,EAAM,GAAG,GAAG,EAErF,EAAS,EAAM,GAChB,CACA,GAAI,IAAW,EAAgB,IAC9B,MAAU,MAAM,wBAAwB,EAEzC,GAAI,IAA2B,EAC9B,MAAU,MACT,+FACD,EAED,OAAO,CACR,CAEA,SAAS,GAAqC,EAAmB,EAAqB,CACrF,IAAM,EAAQ,EAAM,GACpB,GAAI,IAAU,IAAA,GACb,MAAU,MAAM,GAAG,EAAM,mBAAmB,EAE7C,GAAK,EAAQ,IACZ,MAAU,MAAM,GAAG,EAAM,sBAAsB,EAEhD,GAAI,EAAM,OAAS,GAAK,IAAU,GAAA,GAAO,EAAM,IAAM,GAAK,KACzD,MAAU,MAAM,GAAG,EAAM,2BAA2B,CAEtD,CAEA,SAAS,EAAiC,EAAmB,EAAqB,CACjF,IAAM,EAAa,EAAM,GACzB,GAAI,IAAe,IAAA,IAAa,EAAa,EAC5C,MAAU,MAAM,GAAG,EAAM,8BAA8B,EAExD,IAAM,EAAiB,EAAM,MAAM,CAAC,EACpC,GAAI,EAAe,SAAW,EAAG,CAChC,GAAI,IAAe,EAClB,MAAU,MAAM,GAAG,EAAM,8BAA8B,EAExD,MACD,CACA,GAAI,IAAe,EAClB,OAED,IAAM,EAA
W,EAAe,EAAe,OAAS,GACxD,GAAI,IAAa,IAAA,GAChB,MAAU,MAAM,GAAG,EAAM,8BAA8B,EAGxD,GAAK,GADgB,GAAK,GAAc,EAEvC,MAAU,MAAM,GAAG,EAAM,sCAAsC,CAEjE"}
package/dist/x509.d.ts ADDED
@@ -0,0 +1,8 @@
1
+ import { NameAttribute, NameFieldKey, NameInput, NameObject, RelativeDistinguishedNameInput, encodeName, encodeRelativeDistinguishedName } from "./x509/name.js";
2
+ import { AuthorityInfoAccessMethod, AuthorityInformationAccess, BasicConstraints, CertificateExtensionsInput, CertificatePolicies, CpsPolicyQualifierInfo, CustomAuthorityInfoAccessMethod, CustomExtendedKeyUsage, CustomExtension, CustomPolicyQualifierInfo, DistributionPoint, DistributionPointName, DistributionPointReason, ExtendedKeyUsage, GeneralName, GeneralSubtree, InhibitAnyPolicy, IssuingDistributionPoint, IssuingDistributionPointBase, IssuingDistributionPointForAttributeCerts, IssuingDistributionPointForCaCerts, IssuingDistributionPointForUserCerts, KeyUsage, KnownAuthorityInfoAccessMethod, KnownExtendedKeyUsage, NameConstraintForm, NameConstraints, ParsedNameConstraintForm, PolicyConstraints, PolicyInformation, PolicyMapping, PolicyMappings, PolicyNoticeReference, PolicyQualifierInfo, SubjectAltName, UnsupportedNameConstraintForm, UserNoticePolicyQualifierInfo, buildCertificateExtensions, buildRequestedExtensions, encodeAuthorityInfoAccess, encodeBasicConstraints, encodeCertificatePolicies, encodeCrlDistributionPoints, encodeExtendedKeyUsage, encodeExtension, encodeInhibitAnyPolicy, encodeKeyUsage, encodeNameConstraints, encodePolicyConstraints, encodePolicyMappings, encodeSubjectAltName, getAuthorityInfoAccessMethodOid, getExtendedKeyUsageOid, parseAuthorityInfoAccessMethodOid, parseExtendedKeyUsageOid } from "./x509/extensions.js";
3
+ import { ParsedBitFlags } from "./internal/x509/extension-bits.js";
4
+ import { DecodedExtensionMap, DecodedExtensionValue, ExtensionDecoder, ExtensionDecoderMap, ParseOptions, ParsedCertificate, ParsedCertificateSigningRequest, ParsedDistributionPoint, ParsedDistributionPointName, ParsedExtension, ParsedIssuingDistributionPoint, ParsedName, ParsedNameAttribute, ParsedRelativeDistinguishedName, decodeExtension, decodeExtensionMap, decodeExtensions, defineExtensionDecoder, defineExtensionDecoderMap, findExtension, parseCertificateChainPem, parseCertificateDer, parseCertificatePem, parseCertificateSigningRequestDer, parseCertificateSigningRequestPem } from "./x509/parse.js";
5
+ import { SignatureProfileInput } from "./internal/crypto/signing.js";
6
+ import { CertificateMaterial, CreateCertificateInput, CreateSelfSignedCertificateInput, SelfSignedCertificateResult, ValidityInput, createCertificate, createSelfSignedCertificate } from "./x509/certificate.js";
7
+ import { CreateCsrInput, CsrMaterial, createCertificateSigningRequest } from "./x509/csr.js";
8
+ export { type AuthorityInfoAccessMethod, type AuthorityInformationAccess, type BasicConstraints, type CertificateExtensionsInput, type CertificateMaterial, type CertificatePolicies, type CpsPolicyQualifierInfo, type CreateCertificateInput, type CreateCsrInput, type CreateSelfSignedCertificateInput, type CsrMaterial, type CustomAuthorityInfoAccessMethod, type CustomExtendedKeyUsage, type CustomExtension, type CustomPolicyQualifierInfo, type DecodedExtensionMap, type DecodedExtensionValue, type DistributionPoint, type DistributionPointName, type DistributionPointReason, type ExtendedKeyUsage, type ExtensionDecoder, type ExtensionDecoderMap, type GeneralName, type GeneralSubtree, type InhibitAnyPolicy, type IssuingDistributionPoint, type IssuingDistributionPointBase, type IssuingDistributionPointForAttributeCerts, type IssuingDistributionPointForCaCerts, type IssuingDistributionPointForUserCerts, type KeyUsage, type KnownAuthorityInfoAccessMethod, type KnownExtendedKeyUsage, type NameAttribute, type NameConstraintForm, type NameConstraints, type NameFieldKey, type NameInput, type NameObject, type ParseOptions, type ParsedBitFlags, type ParsedCertificate, type ParsedCertificateSigningRequest, type ParsedDistributionPoint, type ParsedDistributionPointName, type ParsedExtension, type ParsedIssuingDistributionPoint, type ParsedName, type ParsedNameAttribute, type ParsedNameConstraintForm, type ParsedRelativeDistinguishedName, type PolicyConstraints, type PolicyInformation, type PolicyMapping, type PolicyMappings, type PolicyNoticeReference, type PolicyQualifierInfo, type RelativeDistinguishedNameInput, type SelfSignedCertificateResult, type SignatureProfileInput, type SubjectAltName, type UnsupportedNameConstraintForm, type UserNoticePolicyQualifierInfo, type ValidityInput, buildCertificateExtensions, buildRequestedExtensions, createCertificate, createCertificateSigningRequest, createSelfSignedCertificate, decodeExtension, decodeExtensionMap, decodeExtensions, 
defineExtensionDecoder, defineExtensionDecoderMap, encodeAuthorityInfoAccess, encodeBasicConstraints, encodeCertificatePolicies, encodeCrlDistributionPoints, encodeExtendedKeyUsage, encodeExtension, encodeInhibitAnyPolicy, encodeKeyUsage, encodeName, encodeNameConstraints, encodePolicyConstraints, encodePolicyMappings, encodeRelativeDistinguishedName, encodeSubjectAltName, findExtension, getAuthorityInfoAccessMethodOid, getExtendedKeyUsageOid, parseAuthorityInfoAccessMethodOid, parseCertificateChainPem, parseCertificateDer, parseCertificatePem, parseCertificateSigningRequestDer, parseCertificateSigningRequestPem, parseExtendedKeyUsageOid };
package/dist/x509.js ADDED
@@ -0,0 +1 @@
1
+ import{encodeName as e,encodeRelativeDistinguishedName as t}from"./x509/name.js";import{buildCertificateExtensions as n,buildRequestedExtensions as r,encodeAuthorityInfoAccess as i,encodeBasicConstraints as a,encodeCertificatePolicies as o,encodeCrlDistributionPoints as s,encodeExtendedKeyUsage as c,encodeExtension as l,encodeInhibitAnyPolicy as u,encodeKeyUsage as d,encodeNameConstraints as f,encodePolicyConstraints as p,encodePolicyMappings as m,encodeSubjectAltName as h,getAuthorityInfoAccessMethodOid as g,getExtendedKeyUsageOid as _,parseAuthorityInfoAccessMethodOid as v,parseExtendedKeyUsageOid as y}from"./x509/extensions.js";import{decodeExtension as b,decodeExtensionMap as x,decodeExtensions as S,defineExtensionDecoder as C,defineExtensionDecoderMap as w,findExtension as T,parseCertificateChainPem as E,parseCertificateDer as D,parseCertificatePem as O,parseCertificateSigningRequestDer as k,parseCertificateSigningRequestPem as A}from"./x509/parse.js";import{createCertificate as j,createSelfSignedCertificate as M}from"./x509/certificate.js";import{createCertificateSigningRequest as N}from"./x509/csr.js";export{n as buildCertificateExtensions,r as buildRequestedExtensions,j as createCertificate,N as createCertificateSigningRequest,M as createSelfSignedCertificate,b as decodeExtension,x as decodeExtensionMap,S as decodeExtensions,C as defineExtensionDecoder,w as defineExtensionDecoderMap,i as encodeAuthorityInfoAccess,a as encodeBasicConstraints,o as encodeCertificatePolicies,s as encodeCrlDistributionPoints,c as encodeExtendedKeyUsage,l as encodeExtension,u as encodeInhibitAnyPolicy,d as encodeKeyUsage,e as encodeName,f as encodeNameConstraints,p as encodePolicyConstraints,m as encodePolicyMappings,t as encodeRelativeDistinguishedName,h as encodeSubjectAltName,T as findExtension,g as getAuthorityInfoAccessMethodOid,_ as getExtendedKeyUsageOid,v as parseAuthorityInfoAccessMethodOid,E as parseCertificateChainPem,D as parseCertificateDer,O as 
parseCertificatePem,k as parseCertificateSigningRequestDer,A as parseCertificateSigningRequestPem,y as parseExtendedKeyUsageOid};
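--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,153 @@
+{
+"name": "micro509",
+"version": "0.1.0",
+"description": "The zero-dependency TypeScript PKI toolkit for real certificate workflows.",
+"keywords": [
+"x509",
+"certificate",
+"csr",
+"pem",
+"der",
+"jwk"
+],
+"homepage": "https://micro509.kjanat.com",
+"repository": {
+"type": "git",
+"url": "git+https://github.com/kjanat/ts-x509.git"
+},
+"license": "MIT",
+"author": {
+"name": "Kaj Kowalski",
+"email": "info@kajkowalski.nl",
+"url": "https://github.com/kjanat"
+},
+"sideEffects": false,
+"type": "module",
+"imports": {
+"#micro509": "./src/index.ts",
+"#micro509/*": "./src/*",
+"#micro509/internal/*": "./src/internal/*"
+},
+"exports": {
+".": {
+"bun": "./src/index.ts",
+"default": "./dist/index.js"
+},
+"./keys": {
+"bun": "./src/keys/index.ts",
+"default": "./dist/keys.js"
+},
+"./pem": {
+"bun": "./src/pem/index.ts",
+"default": "./dist/pem.js"
+},
+"./pkcs": {
+"bun": "./src/pkcs/index.ts",
+"default": "./dist/pkcs.js"
+},
+"./result": {
+"bun": "./src/result/index.ts",
+"default": "./dist/result.js"
+},
+"./revocation": {
+"bun": "./src/revocation/index.ts",
+"default": "./dist/revocation.js"
+},
+"./verify": {
+"bun": "./src/verify/index.ts",
+"default": "./dist/verify.js"
+},
+"./x509": {
+"bun": "./src/x509/index.ts",
+"default": "./dist/x509.js"
+},
+"./package.json": "./package.json"
+},
+"types": "./dist/index.d.ts",
+"files": [
+"dist"
+],
+"scripts": {
+"bd": "tsdown --no-attw --no-publint --no-unused --no-report",
+"build": "tsdown",
+"docs:build": "rm -rf docs/deno 2>/dev/null; deno doc --html --output=docs/deno --name=micro509 src/**/index.ts",
+"docs:lint": "rm -rf docs/deno 2>/dev/null; deno doc --html --output=docs/deno --name=micro509 --lint src/**/index.ts",
+"fmt": "dprint fmt",
+"lint": "bun lint:biome",
+"lint:biome": "biome lint",
+"lint:deno": "deno lint --rules-exclude=no-node-globals,require-await src",
+"publish:jsr": "[[ -n $GITHUB_ACTIONS ]] && bunx --bun jsr publish || bunx --bun jsr publish --dry-run",
+"site:api": "typedoc --gitRevision \"$(git branch --show-current)\"",
+"site:build": "bun site:api && MICRO509_GIT_BRANCH=\"${GITHUB_REF_NAME:-$(git branch --show-current)}\" MICRO509_GIT_COMMIT=\"${GITHUB_SHA:-$(git rev-parse --short=7 HEAD)}\" bunx --bun vitepress build site",
+"site:dev": "WATCH=true bun site:api & MICRO509_GIT_BRANCH=\"${GITHUB_REF_NAME:-$(git branch --show-current)}\" MICRO509_GIT_COMMIT=\"${GITHUB_SHA:-$(git rev-parse --short=7 HEAD)}\" bunx --bun vitepress dev site --host & wait",
+"site:preview": "bun site:api && MICRO509_GIT_BRANCH=\"${GITHUB_REF_NAME:-$(git branch --show-current)}\" MICRO509_GIT_COMMIT=\"${GITHUB_SHA:-$(git rev-parse --short=7 HEAD)}\" bunx --bun vitepress preview site",
+"test": "AGENT=1 bun test --coverage --concurrent",
+"test:differential": "bun test test/differential.test.ts",
+"test:pkits": "bun test test/pkits.test.ts",
+"test:watch": "AGENT=1 bun test --watch --concurrent",
+"typecheck": "tsgo --noEmit -p tsconfig.src.json && tsgo --noEmit -p tsconfig.other.json",
+"typecheck:tsc": "tsc --noEmit -p tsconfig.src.json && tsc --noEmit -p tsconfig.other.json"
+},
+"devDependencies": {
+"@arethetypeswrong/core": "^0.18.4",
+"@biomejs/biome": "^2.5.1",
+"@types/bun": "^1.3.14",
+"@typescript/native-preview": "^7.0.0-dev.20260628.1",
+"dprint": "^0.55.1",
+"markdown-it-task-lists": "^2.1.1",
+"oxc-minify": "^0.137.0",
+"publint": "^0.3.21",
+"tsdown": "^0.22.3",
+"typedoc": "^0.28.19",
+"typedoc-plugin-markdown": "^4.12.0",
+"typedoc-vitepress-theme": "^1.1.3",
+"typescript": "^6.0.3",
+"unplugin-unused": "^0.5.7",
+"vite-robots-txt": "^1.0.0",
+"vite-svg-to-ico": "^3.1.6",
+"vitepress": "1.6.4"
+},
+"packageManager": "bun@1.3.12",
+"devEngines": {
+"packageManager": [
+{
+"name": "bun",
+"onFail": "download"
+},
+{
+"name": "npm",
+"version": ">=11"
+}
+],
+"runtime": [
+{
+"name": "node",
+"version": ">=24"
+},
+{
+"name": "bun",
+"version": ">=1.3"
+},
+{
+"name": "deno"
+}
+]
+},
+"volta": {
+"node": "25.9.0",
+"npm": "11.12.1"
+},
+"publishConfig": {
+"exports": {
+".": "./dist/index.js",
+"./keys": "./dist/keys.js",
+"./pem": "./dist/pem.js",
+"./pkcs": "./dist/pkcs.js",
+"./result": "./dist/result.js",
+"./revocation": "./dist/revocation.js",
+"./verify": "./dist/verify.js",
+"./x509": "./dist/x509.js",
+"./package.json": "./package.json"
+}
+}
+}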
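Review bot: The top-level `exports` map still carries `bun` conditions that point into `./src/` (for example `"bun": "./src/index.ts"`), while `files` lists only `dist`, so as far as this manifest shows a Bun consumer of the published tarball is directed to a path that was not shipped. The `imports` entries for `#micro509` have the same shape. `publishConfig.exports` already spells out a dist-only map, but the published manifest still contains both blocks, which suggests the publishing tool did not apply the override. I would make the shipped map match the tarball, e.g. `".": "./dist/index.js"` for each subpath, and keep the `src` conditions in a development-only manifest. If `src` is meant to ship, add it to `files` instead, so that every runtime resolves to code that is actually in the package.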