nlcurl 0.6.0 → 0.8.0

package/dist/tls/ct.js

@@ -0,0 +1,175 @@
+/** Hash algorithms used in Signed Certificate Timestamps. */
+export var SCTHashAlgorithm;
+(function (SCTHashAlgorithm) {
+    SCTHashAlgorithm[SCTHashAlgorithm["NONE"] = 0] = "NONE";
+    SCTHashAlgorithm[SCTHashAlgorithm["MD5"] = 1] = "MD5";
+    SCTHashAlgorithm[SCTHashAlgorithm["SHA1"] = 2] = "SHA1";
+    SCTHashAlgorithm[SCTHashAlgorithm["SHA224"] = 3] = "SHA224";
+    SCTHashAlgorithm[SCTHashAlgorithm["SHA256"] = 4] = "SHA256";
+    SCTHashAlgorithm[SCTHashAlgorithm["SHA384"] = 5] = "SHA384";
+    SCTHashAlgorithm[SCTHashAlgorithm["SHA512"] = 6] = "SHA512";
+})(SCTHashAlgorithm || (SCTHashAlgorithm = {}));
+/** Digital signature algorithms used in Signed Certificate Timestamps. */
+export var SCTSignatureAlgorithm;
+(function (SCTSignatureAlgorithm) {
+    SCTSignatureAlgorithm[SCTSignatureAlgorithm["ANONYMOUS"] = 0] = "ANONYMOUS";
+    SCTSignatureAlgorithm[SCTSignatureAlgorithm["RSA"] = 1] = "RSA";
+    SCTSignatureAlgorithm[SCTSignatureAlgorithm["DSA"] = 2] = "DSA";
+    SCTSignatureAlgorithm[SCTSignatureAlgorithm["ECDSA"] = 3] = "ECDSA";
+})(SCTSignatureAlgorithm || (SCTSignatureAlgorithm = {}));
+/** Signed Certificate Timestamp version identifiers. */
+export var SCTVersion;
+(function (SCTVersion) {
+    SCTVersion[SCTVersion["V1"] = 0] = "V1";
+})(SCTVersion || (SCTVersion = {}));
+/**
+ * Parse a serialized SCT list into individual SCT entries.
+ *
+ * @param {Buffer} data - TLS-encoded SCT list buffer.
+ * @returns {SCT[]} Array of parsed {@link SCT} objects.
+ */
+export function parseSCTList(data) {
+    if (data.length < 2)
+        return [];
+    const listLength = data.readUInt16BE(0);
+    if (listLength + 2 > data.length)
+        return [];
+    const scts = [];
+    let offset = 2;
+    const end = 2 + listLength;
+    while (offset + 2 <= end) {
+        const sctLength = data.readUInt16BE(offset);
+        offset += 2;
+        if (offset + sctLength > end)
+            break;
+        const sct = parseSingleSCT(data.subarray(offset, offset + sctLength));
+        if (sct)
+            scts.push(sct);
+        offset += sctLength;
+    }
+    return scts;
+}
+function parseSingleSCT(data) {
+    if (data.length < 1 + 32 + 8 + 2 + 2 + 2)
+        return null;
+    let offset = 0;
+    const version = data[offset];
+    if (version !== SCTVersion.V1)
+        return null;
+    offset += 1;
+    const logId = Buffer.from(data.subarray(offset, offset + 32));
+    offset += 32;
+    const timestampMs = Number(data.readBigUInt64BE(offset));
+    const timestamp = new Date(timestampMs);
+    offset += 8;
+    const extensionsLength = data.readUInt16BE(offset);
+    offset += 2;
+    const extensions = Buffer.from(data.subarray(offset, offset + extensionsLength));
+    offset += extensionsLength;
+    if (offset + 4 > data.length)
+        return null;
+    const hashAlgorithm = data[offset];
+    offset += 1;
+    const signatureAlgorithm = data[offset];
+    offset += 1;
+    const signatureLength = data.readUInt16BE(offset);
+    offset += 2;
+    if (offset + signatureLength > data.length)
+        return null;
+    const signature = Buffer.from(data.subarray(offset, offset + signatureLength));
+    return {
+        version,
+        logId,
+        timestamp,
+        extensions,
+        hashAlgorithm,
+        signatureAlgorithm,
+        signature,
+    };
+}
+/**
+ * Validate a set of SCTs for Certificate Transparency compliance.
+ *
+ * Deduplicates by log ID and requires at least two unique logs.
+ *
+ * @param {SCT[]} scts - Array of parsed SCTs.
+ * @returns {SCTValidationResult} Validation result with compliance status.
+ */
+export function validateSCTs(scts) {
+    const uniqueLogs = new Set();
+    const uniqueSCTs = [];
+    for (const sct of scts) {
+        const logIdHex = sct.logId.toString("hex");
+        if (!uniqueLogs.has(logIdHex)) {
+            uniqueLogs.add(logIdHex);
+            uniqueSCTs.push(sct);
+        }
+    }
+    return {
+        compliant: uniqueLogs.size >= 2,
+        sctCount: uniqueSCTs.length,
+        scts: uniqueSCTs,
+    };
+}
+/**
+ * Extract embedded SCTs from a TLS socket's peer certificate.
+ *
+ * @param {{ getPeerCertificate?: (detailed?: boolean) => { raw?: Buffer; serialNumber?: string } }} socket - Socket with a `getPeerCertificate` method.
+ * @returns {SCTValidationResult | undefined} Validation result, or `undefined` if SCTs cannot be extracted.
+ */
+export function extractSCTsFromSocket(socket) {
+    if (!socket.getPeerCertificate)
+        return undefined;
+    const cert = socket.getPeerCertificate(true);
+    if (!cert || !cert.raw)
+        return undefined;
+    const sctExtOid = Buffer.from([0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x02]);
+    const extIdx = cert.raw.indexOf(sctExtOid);
+    if (extIdx === -1) {
+        return { compliant: false, sctCount: 0, scts: [] };
+    }
+    let offset = extIdx + sctExtOid.length;
+    if (offset < cert.raw.length && cert.raw[offset] === 0x01) {
+        offset += 3;
+    }
+    if (offset >= cert.raw.length || cert.raw[offset] !== 0x04) {
+        return { compliant: false, sctCount: 0, scts: [] };
+    }
+    offset++;
+    const result = readLength(cert.raw, offset);
+    if (result.value === -1)
+        return { compliant: false, sctCount: 0, scts: [] };
+    offset += result.bytesRead;
+    if (offset >= cert.raw.length || cert.raw[offset] !== 0x04) {
+        const scts = parseSCTList(cert.raw.subarray(offset));
+        const validation = validateSCTs(scts);
+        validation.source = "embedded";
+        return validation;
+    }
+    offset++;
+    const innerResult = readLength(cert.raw, offset);
+    if (innerResult.value === -1)
+        return { compliant: false, sctCount: 0, scts: [] };
+    offset += innerResult.bytesRead;
+    const sctData = cert.raw.subarray(offset, offset + innerResult.value);
+    const scts = parseSCTList(sctData);
+    const validation = validateSCTs(scts);
+    validation.source = "embedded";
+    return validation;
+}
+function readLength(buf, offset) {
+    if (offset >= buf.length)
+        return { value: -1, bytesRead: 0 };
+    const first = buf[offset];
+    if (first < 0x80)
+        return { value: first, bytesRead: 1 };
+    const numBytes = first & 0x7f;
+    if (numBytes === 0 || numBytes > 4 || offset + numBytes >= buf.length)
+        return { value: -1, bytesRead: 0 };
+    let value = 0;
+    for (let i = 0; i < numBytes; i++) {
+        value = (value << 8) | buf[offset + 1 + i];
+    }
+    return { value, bytesRead: 1 + numBytes };
+}
+//# sourceMappingURL=ct.js.map

package/dist/tls/ct.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ct.js","sourceRoot":"","sources":["../../src/tls/ct.ts"],"names":[],"mappings":"AAAA,6DAA6D;AAC7D,MAAM,CAAN,IAAY,gBAQX;AARD,WAAY,gBAAgB;IAC1B,uDAAQ,CAAA;IACR,qDAAO,CAAA;IACP,uDAAQ,CAAA;IACR,2DAAU,CAAA;IACV,2DAAU,CAAA;IACV,2DAAU,CAAA;IACV,2DAAU,CAAA;AACZ,CAAC,EARW,gBAAgB,KAAhB,gBAAgB,QAQ3B;AAED,0EAA0E;AAC1E,MAAM,CAAN,IAAY,qBAKX;AALD,WAAY,qBAAqB;IAC/B,2EAAa,CAAA;IACb,+DAAO,CAAA;IACP,+DAAO,CAAA;IACP,mEAAS,CAAA;AACX,CAAC,EALW,qBAAqB,KAArB,qBAAqB,QAKhC;AAED,wDAAwD;AACxD,MAAM,CAAN,IAAY,UAEX;AAFD,WAAY,UAAU;IACpB,uCAAM,CAAA;AACR,CAAC,EAFW,UAAU,KAAV,UAAU,QAErB;AAgCD;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IAE/B,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACxC,IAAI,UAAU,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IAE5C,MAAM,IAAI,GAAU,EAAE,CAAC;IACvB,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,MAAM,GAAG,GAAG,CAAC,GAAG,UAAU,CAAC;IAE3B,OAAO,MAAM,GAAG,CAAC,IAAI,GAAG,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,IAAI,CAAC,CAAC;QAEZ,IAAI,MAAM,GAAG,SAAS,GAAG,GAAG;YAAE,MAAM;QAEpC,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC;QACtE,IAAI,GAAG;YAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxB,MAAM,IAAI,SAAS,CAAC;IACtB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtD,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAgB,CAAC;IAC5C,IAAI,OAAO,KAAK,UAAU,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,IAAI,CAAC,CAAC;IAEZ,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC;IAC9D,MAAM,IAAI,EAAE,CAAC;IAEb,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC;IACzD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC;IACxC,MAAM,IAAI,CAAC,CAAC;IAEZ,MAAM,gBAAgB,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IACnD,MAAM,IAAI,CAAC,CAAC;IACZ,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,gBAAgB,CAAC,CAAC,CAAC;IACjF,MAAM,IAAI,gBAAgB,CAAC;IAE3B,IAAI,MAAM,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAE1C,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAsB,CAAC;IACxD,MAAM,IAAI,CAAC,CAAC;IACZ,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,CAA2B,CAAC;IAClE,MAAM,IAAI,CAAC,CAAC;IAEZ,MAAM,eAAe,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,IAAI,CAAC,CAAC;IAEZ,IAAI,MAAM,GAAG,eAAe,GAAG,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACxD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe,CAAC,CAAC,CAAC;IAE/E,OAAO;QACL,OAAO;QACP,KAAK;QACL,SAAS;QACT,UAAU;QACV,aAAa;QACb,kBAAkB;QAClB,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,IAAW;IACtC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,MAAM,UAAU,GAAU,EAAE,CAAC;IAC7B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACzB,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO;QACL,SAAS,EAAE,UAAU,CAAC,IAAI,IAAI,CAAC;QAC/B,QAAQ,EAAE,UAAU,CAAC,MAAM;QAC3B,IAAI,EAAE,UAAU;KACjB,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAgG;IACpI,IAAI,CAAC,MAAM,CAAC,kBAAkB;QAAE,OAAO,SAAS,CAAC;IAEjD,MAAM,IAAI,GAAG,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAC7C,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAEzC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;IACxG,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAE3C,IAAI,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QAClB,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACrD,CAAC;IAED,IAAI,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC;IAEvC,IAAI,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QAC1D,MAAM,IAAI,CAAC,CAAC;IACd,CAAC;IAED,IAAI,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3D,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACrD,CAAC;IACD,MAAM,EAAE,CAAC;IACT,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC5C,IAAI,MAAM,CAAC,KAAK,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IAC5E,MAAM,IAAI,MAAM,CAAC,SAAS,CAAC;IAE3B,IAAI,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3D,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QACrD,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;QACtC,UAAU,CAAC,MAAM,GAAG,UAAU,CAAC;QAC/B,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,MAAM,EAAE,CAAC;IACT,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACjD,IAAI,WAAW,CAAC,KAAK,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACjF,MAAM,IAAI,WAAW,CAAC,SAAS,CAAC;IAEhC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IACtE,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,UAAU,CAAC,MAAM,GAAG,UAAU,CAAC;IAC/B,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,UAAU,CAAC,GAAW,EAAE,MAAc;IAC7C,IAAI,MAAM,IAAI,GAAG,CAAC,MAAM;QAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;IAC7D,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAE,CAAC;IAC3B,IAAI,KAAK,GAAG,IAAI;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;IACxD,MAAM,QAAQ,GAAG,KAAK,GAAG,IAAI,CAAC;IAC9B,IAAI,QAAQ,KAAK,CAAC,IAAI,QAAQ,GAAG,CAAC,IAAI,MAAM,GAAG,QAAQ,IAAI,GAAG,CAAC,MAAM;QAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;IAC1G,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,KAAK,GAAG,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,GAAG,CAAC,CAAE,CAAC;IAC9C,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,GAAG,QAAQ,EAAE,CAAC;AAC5C,CAAC"}

package/dist/tls/early-data.d.ts

@@ -0,0 +1,45 @@
+/** Configuration for TLS 1.3 early data (0-RTT). */
+export interface EarlyDataConfig {
+    /** Enable early data transmission. */
+    enabled?: boolean;
+    /** Maximum early data payload size in bytes. */
+    maxSize?: number;
+    /** Restrict early data to safe (idempotent) HTTP methods only. */
+    safeOnly?: boolean;
+}
+/** Outcome of an early data (0-RTT) transmission attempt. */
+export interface EarlyDataResult {
+    /** Whether the server accepted the early data. */
+    accepted: boolean;
+    /** Whether early data transmission was attempted. */
+    attempted: boolean;
+    /** Number of bytes sent as early data. */
+    bytesSent: number;
+}
+/**
+ * Determine whether early data can be sent for the given HTTP method.
+ *
+ * @param {string} method - HTTP method string.
+ * @param {EarlyDataConfig} [config] - Early data configuration.
+ * @returns {boolean} `true` if early data is permitted.
+ */
+export declare function canSendEarlyData(method: string, config?: EarlyDataConfig): boolean;
+/**
+ * Prepare request data for 0-RTT transmission.
+ *
+ * @param {Buffer} requestData - Serialized request bytes.
+ * @param {EarlyDataConfig} [config] - Early data configuration.
+ * @returns {Buffer|null} Buffer to send as early data, or `null` if not applicable.
+ */
+export declare function prepareEarlyData(requestData: Buffer, config?: EarlyDataConfig): Buffer | null;
+/**
+ * Check whether the server accepted early data on a connected socket.
+ *
+ * @param {{ alpnProtocol?: string | false; earlyData?: boolean }} socket - Socket with optional `earlyData` flag.
+ * @returns {EarlyDataResult} Early data acceptance result.
+ */
+export declare function checkEarlyDataAccepted(socket: {
+    alpnProtocol?: string | false;
+    earlyData?: boolean;
+}): EarlyDataResult;
+//# sourceMappingURL=early-data.d.ts.map

package/dist/tls/early-data.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"early-data.d.ts","sourceRoot":"","sources":["../../src/tls/early-data.ts"],"names":[],"mappings":"AAEA,oDAAoD;AACpD,MAAM,WAAW,eAAe;IAC9B,sCAAsC;IACtC,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,gDAAgD;IAChD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kEAAkE;IAClE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,6DAA6D;AAC7D,MAAM,WAAW,eAAe;IAC9B,kDAAkD;IAClD,QAAQ,EAAE,OAAO,CAAC;IAClB,qDAAqD;IACrD,SAAS,EAAE,OAAO,CAAC;IACnB,0CAA0C;IAC1C,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,eAAe,GAAG,OAAO,CAMlF;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,eAAe,GAAG,MAAM,GAAG,IAAI,CAO7F;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE;IAAE,YAAY,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,SAAS,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,eAAe,CAOtH"}

package/dist/tls/early-data.js

@@ -0,0 +1,46 @@
+const SAFE_EARLY_DATA_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
+/**
+ * Determine whether early data can be sent for the given HTTP method.
+ *
+ * @param {string} method - HTTP method string.
+ * @param {EarlyDataConfig} [config] - Early data configuration.
+ * @returns {boolean} `true` if early data is permitted.
+ */
+export function canSendEarlyData(method, config) {
+    if (!config?.enabled)
+        return false;
+    if (config.safeOnly !== false && !SAFE_EARLY_DATA_METHODS.has(method.toUpperCase())) {
+        return false;
+    }
+    return true;
+}
+/**
+ * Prepare request data for 0-RTT transmission.
+ *
+ * @param {Buffer} requestData - Serialized request bytes.
+ * @param {EarlyDataConfig} [config] - Early data configuration.
+ * @returns {Buffer|null} Buffer to send as early data, or `null` if not applicable.
+ */
+export function prepareEarlyData(requestData, config) {
+    if (!config?.enabled)
+        return null;
+    const maxSize = config.maxSize ?? 16384;
+    if (requestData.length > maxSize)
+        return null;
+    return requestData;
+}
+/**
+ * Check whether the server accepted early data on a connected socket.
+ *
+ * @param {{ alpnProtocol?: string | false; earlyData?: boolean }} socket - Socket with optional `earlyData` flag.
+ * @returns {EarlyDataResult} Early data acceptance result.
+ */
+export function checkEarlyDataAccepted(socket) {
+    const accepted = socket.earlyData === true;
+    return {
+        accepted,
+        attempted: true,
+        bytesSent: 0,
+    };
+}
+//# sourceMappingURL=early-data.js.map

package/dist/tls/early-data.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"early-data.js","sourceRoot":"","sources":["../../src/tls/early-data.ts"],"names":[],"mappings":"AAAA,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;AAsBpE;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc,EAAE,MAAwB;IACvE,IAAI,CAAC,MAAM,EAAE,OAAO;QAAE,OAAO,KAAK,CAAC;IACnC,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QACpF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,WAAmB,EAAE,MAAwB;IAC5E,IAAI,CAAC,MAAM,EAAE,OAAO;QAAE,OAAO,IAAI,CAAC;IAElC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,KAAK,CAAC;IACxC,IAAI,WAAW,CAAC,MAAM,GAAG,OAAO;QAAE,OAAO,IAAI,CAAC;IAE9C,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAA8D;IACnG,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,KAAK,IAAI,CAAC;IAC3C,OAAO;QACL,QAAQ;QACR,SAAS,EAAE,IAAI;QACf,SAAS,EAAE,CAAC;KACb,CAAC;AACJ,CAAC"}

package/dist/tls/ech.d.ts

@@ -0,0 +1,130 @@
+/** Parsed individual Encrypted Client Hello configuration entry. */
+export interface ECHConfig {
+    /** ECH config version identifier. */
+    version: number;
+    /** Length of the configuration contents. */
+    length: number;
+    /** Raw configuration content bytes. */
+    contents: Buffer;
+    /** Public name (outer SNI) extracted from the config. */
+    publicName: string;
+}
+/** Complete parsed ECH configuration list with outer SNI. */
+export interface ECHParameters {
+    /** Raw serialized ECHConfigList buffer. */
+    echConfigList: Buffer;
+    /** Outer SNI derived from the first config's public name. */
+    outerSNI: string;
+    /** Individual ECH configuration entries. */
+    configs: ECHConfig[];
+}
+/** User-facing options for Encrypted Client Hello. */
+export interface ECHOptions {
+    /** Enable ECH support. */
+    enabled?: boolean;
+    /** Base64 or binary ECHConfigList. */
+    echConfigList?: string | Buffer;
+    /** Send a GREASE ECH extension when no real config is available. */
+    grease?: boolean;
+    /** Maximum number of ECH retry attempts. */
+    maxRetries?: number;
+}
+/**
+ * Parse a serialized ECHConfigList into structured parameters.
+ *
+ * @param {Buffer} data - Raw ECHConfigList buffer.
+ * @returns {ECHParameters|null} Parsed parameters, or `null` if the data is invalid.
+ */
+export declare function parseECHConfigList(data: Buffer): ECHParameters | null;
+/**
+ * Generate a GREASE Encrypted Client Hello extension payload.
+ *
+ * @returns {Buffer} Random GREASE ECH extension data.
+ */
+export declare function generateGreaseECH(): Buffer;
+/** Parsed HPKE key configuration from an ECHConfig entry. */
+export interface HpkeKeyConfig {
+    /** Configuration identifier byte. */
+    configId: number;
+    /** Key Encapsulation Mechanism identifier. */
+    kemId: number;
+    /** Receiver's public key bytes. */
+    publicKey: Buffer;
+    /** Supported KDF and AEAD cipher suite pairs. */
+    cipherSuites: Array<{
+        kdfId: number;
+        aeadId: number;
+    }>;
+}
+/**
+ * Parse the HPKE key configuration from ECHConfig contents.
+ *
+ * @param {Buffer} contents - Raw contents buffer of an ECHConfig entry.
+ * @returns {HpkeKeyConfig|null} Parsed HPKE key config, or `null` if malformed.
+ */
+export declare function parseHpkeKeyConfig(contents: Buffer): HpkeKeyConfig | null;
+/**
+ * Extract the maximum name length field from ECHConfig contents.
+ *
+ * @param {Buffer} contents - Raw ECHConfig contents.
+ * @returns {number} Maximum name length, or `0` if unparseable.
+ */
+export declare function getMaxNameLength(contents: Buffer): number;
+/**
+ * Build the outer ECH extension data for a ClientHello.
+ *
+ * @param {number} kdfId - KDF identifier.
+ * @param {number} aeadId - AEAD identifier.
+ * @param {number} configId - ECH config ID.
+ * @param {Buffer} enc - HPKE encapsulated key.
+ * @param {Buffer} payload - Encrypted inner ClientHello payload.
+ * @returns {Buffer} Serialized ECH outer extension bytes.
+ */
+export declare function buildECHOuterExtData(kdfId: number, aeadId: number, configId: number, enc: Buffer, payload: Buffer): Buffer;
+/** Parameters required to encrypt an inner ClientHello with ECH. */
+export interface ECHEncryptionParams {
+    /** Selected ECH configuration entry. */
+    config: ECHConfig;
+    /** Raw bytes of the selected configuration (including version and length). */
+    configRaw: Buffer;
+}
+/**
+ * Extract the first raw ECHConfig entry from a serialized ECHConfigList.
+ *
+ * @param {Buffer} echConfigList - Full serialized ECHConfigList buffer.
+ * @returns {Buffer | null} Raw config bytes, or `null` if the list is too short.
+ */
+export declare function extractFirstECHConfigRaw(echConfigList: Buffer): Buffer | null;
+/**
+ * Encrypt an inner ClientHello body using HPKE for Encrypted Client Hello.
+ *
+ * @param {Buffer} innerCHBody - Serialized inner ClientHello body.
+ * @param {Buffer} outerCHAAD - Additional authenticated data from the outer ClientHello.
+ * @param {ECHConfig} config - Parsed ECH configuration entry.
+ * @param {Buffer} configRaw - Raw bytes of the ECH configuration.
+ * @returns {{ extensionData: Buffer; enc: Buffer; kdfId: number; aeadId: number; configId: number }} Extension data, encapsulated key, and algorithm identifiers.
+ */
+export declare function echEncryptInner(innerCHBody: Buffer, outerCHAAD: Buffer, config: ECHConfig, configRaw: Buffer): {
+    extensionData: Buffer;
+    enc: Buffer;
+    kdfId: number;
+    aeadId: number;
+    configId: number;
+};
+/**
+ * Parse ECH retry configuration from a server's EncryptedExtensions.
+ *
+ * @param {Buffer} data - Serialized ECHConfigList from the retry_configs extension.
+ * @returns {ECHParameters | null} Parsed retry parameters, or `null` if invalid.
+ */
+export declare function parseECHRetryConfigs(data: Buffer): ECHParameters | null;
+/**
+ * Determine whether an ECH retry should be attempted.
+ *
+ * @param {number} retryCount - Number of retries already attempted.
+ * @param {number} maxRetries - Maximum allowed retries.
+ * @param {ECHParameters | null} retryConfigs - Retry ECH configs from the server.
+ * @returns {boolean} `true` if another retry is warranted.
+ */
+export declare function shouldRetryECH(retryCount: number, maxRetries: number, retryConfigs: ECHParameters | null): boolean;
+//# sourceMappingURL=ech.d.ts.map

package/dist/tls/ech.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ech.d.ts","sourceRoot":"","sources":["../../src/tls/ech.ts"],"names":[],"mappings":"AAEA,oEAAoE;AACpE,MAAM,WAAW,SAAS;IACxB,qCAAqC;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,uCAAuC;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,6DAA6D;AAC7D,MAAM,WAAW,aAAa;IAC5B,2CAA2C;IAC3C,aAAa,EAAE,MAAM,CAAC;IACtB,6DAA6D;IAC7D,QAAQ,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,OAAO,EAAE,SAAS,EAAE,CAAC;CACtB;AAED,sDAAsD;AACtD,MAAM,WAAW,UAAU;IACzB,0BAA0B;IAC1B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,sCAAsC;IACtC,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAChC,oEAAoE;IACpE,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,4CAA4C;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAwCrE;AA4BD;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CA0B1C;AAED,6DAA6D;AAC7D,MAAM,WAAW,aAAa;IAC5B,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,KAAK,EAAE,MAAM,CAAC;IACd,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,YAAY,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACxD;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAiCzE;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAiBzD;AA8HD;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAkB1H;AAED,oEAAoE;AACpE,MAAM,WAAW,mBAAmB;IAClC,wCAAwC;IACxC,MAAM,EAAE,SAAS,CAAC;IAClB,8EAA8E;IAC9E,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAU7E;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,GAAG;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAqBtM;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAEvE;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,aAAa,GAAG,IAAI,GAAG,OAAO,CAIlH"}