nlcurl 0.6.0 → 0.8.0

package/dist/tls/ech.js

@@ -0,0 +1,353 @@
+import { randomBytes, createHmac, createCipheriv, generateKeyPairSync, diffieHellman, createPrivateKey, createPublicKey } from "node:crypto";
+/**
+ * Parse a serialized ECHConfigList into structured parameters.
+ *
+ * @param {Buffer} data - Raw ECHConfigList buffer.
+ * @returns {ECHParameters|null} Parsed parameters, or `null` if the data is invalid.
+ */
+export function parseECHConfigList(data) {
+    if (data.length < 4)
+        return null;
+    const totalLength = data.readUInt16BE(0);
+    if (totalLength + 2 > data.length)
+        return null;
+    const configs = [];
+    let offset = 2;
+    while (offset + 4 <= 2 + totalLength) {
+        const version = data.readUInt16BE(offset);
+        offset += 2;
+        const configLength = data.readUInt16BE(offset);
+        offset += 2;
+        if (offset + configLength > 2 + totalLength)
+            break;
+        const contents = data.subarray(offset, offset + configLength);
+        const publicName = extractPublicName(contents);
+        configs.push({
+            version,
+            length: configLength,
+            contents,
+            publicName,
+        });
+        offset += configLength;
+    }
+    if (configs.length === 0)
+        return null;
+    const outerSNI = configs[0].publicName;
+    return {
+        echConfigList: data,
+        outerSNI,
+        configs,
+    };
+}
+function extractPublicName(contents) {
+    if (contents.length < 7)
+        return "";
+    let offset = 0;
+    offset += 1;
+    offset += 2;
+    if (offset + 2 > contents.length)
+        return "";
+    const pkLen = contents.readUInt16BE(offset);
+    offset += 2 + pkLen;
+    if (offset + 2 > contents.length)
+        return "";
+    const csLen = contents.readUInt16BE(offset);
+    offset += 2 + csLen;
+    if (offset >= contents.length)
+        return "";
+    offset += 1;
+    if (offset >= contents.length)
+        return "";
+    const nameLen = contents[offset];
+    offset += 1;
+    if (offset + nameLen > contents.length)
+        return "";
+    return contents.subarray(offset, offset + nameLen).toString("ascii");
+}
+/**
+ * Generate a GREASE Encrypted Client Hello extension payload.
+ *
+ * @returns {Buffer} Random GREASE ECH extension data.
+ */
+export function generateGreaseECH() {
+    const payloadLen = 128 + Math.floor(Math.random() * 64);
+    const buf = Buffer.alloc(1 + 4 + 1 + 2 + 32 + 2 + payloadLen);
+    let offset = 0;
+    buf[offset++] = 0x00;
+    buf.writeUInt16BE(0x0001, offset);
+    offset += 2;
+    buf.writeUInt16BE(0x0001, offset);
+    offset += 2;
+    buf[offset++] = randomBytes(1)[0];
+    const enc = randomBytes(32);
+    buf.writeUInt16BE(32, offset);
+    offset += 2;
+    enc.copy(buf, offset);
+    offset += 32;
+    const payload = randomBytes(payloadLen);
+    buf.writeUInt16BE(payloadLen, offset);
+    offset += 2;
+    payload.copy(buf, offset);
+    return buf;
+}
+/**
+ * Parse the HPKE key configuration from ECHConfig contents.
+ *
+ * @param {Buffer} contents - Raw contents buffer of an ECHConfig entry.
+ * @returns {HpkeKeyConfig|null} Parsed HPKE key config, or `null` if malformed.
+ */
+export function parseHpkeKeyConfig(contents) {
+    if (contents.length < 7)
+        return null;
+    let offset = 0;
+    const configId = contents[offset];
+    offset += 1;
+    const kemId = contents.readUInt16BE(offset);
+    offset += 2;
+    if (offset + 2 > contents.length)
+        return null;
+    const pkLen = contents.readUInt16BE(offset);
+    offset += 2;
+    if (offset + pkLen > contents.length)
+        return null;
+    const publicKey = Buffer.from(contents.subarray(offset, offset + pkLen));
+    offset += pkLen;
+    if (offset + 2 > contents.length)
+        return null;
+    const csLen = contents.readUInt16BE(offset);
+    offset += 2;
+    const cipherSuites = [];
+    const csEnd = offset + csLen;
+    while (offset + 4 <= csEnd) {
+        const kdfId = contents.readUInt16BE(offset);
+        offset += 2;
+        const aeadId = contents.readUInt16BE(offset);
+        offset += 2;
+        cipherSuites.push({ kdfId, aeadId });
+    }
+    return { configId, kemId, publicKey, cipherSuites };
+}
+/**
+ * Extract the maximum name length field from ECHConfig contents.
+ *
+ * @param {Buffer} contents - Raw ECHConfig contents.
+ * @returns {number} Maximum name length, or `0` if unparseable.
+ */
+export function getMaxNameLength(contents) {
+    if (contents.length < 7)
+        return 0;
+    let offset = 0;
+    offset += 1;
+    offset += 2;
+    if (offset + 2 > contents.length)
+        return 0;
+    const pkLen = contents.readUInt16BE(offset);
+    offset += 2 + pkLen;
+    if (offset + 2 > contents.length)
+        return 0;
+    const csLen = contents.readUInt16BE(offset);
+    offset += 2 + csLen;
+    if (offset >= contents.length)
+        return 0;
+    return contents[offset];
+}
+function hpkeHkdfExtract(salt, ikm) {
+    const s = salt.length === 0 ? Buffer.alloc(32) : salt;
+    return Buffer.from(createHmac("sha256", s).update(ikm).digest());
+}
+function hpkeHkdfExpand(prk, info, length) {
+    const N = Math.ceil(length / 32);
+    const okm = Buffer.alloc(N * 32);
+    let T = Buffer.alloc(0);
+    for (let i = 1; i <= N; i++) {
+        const hmac = createHmac("sha256", prk);
+        hmac.update(T);
+        hmac.update(info);
+        hmac.update(Buffer.from([i]));
+        T = Buffer.from(hmac.digest());
+        T.copy(okm, (i - 1) * 32);
+    }
+    return okm.subarray(0, length);
+}
+function labeledExtract(suiteId, salt, label, ikm) {
+    const hpkeV1 = Buffer.from("HPKE-v1", "ascii");
+    const labelBuf = Buffer.from(label, "ascii");
+    const labeledIkm = Buffer.concat([hpkeV1, suiteId, labelBuf, ikm]);
+    return hpkeHkdfExtract(salt, labeledIkm);
+}
+function labeledExpand(suiteId, prk, label, info, length) {
+    const hpkeV1 = Buffer.from("HPKE-v1", "ascii");
+    const labelBuf = Buffer.from(label, "ascii");
+    const lenBuf = Buffer.alloc(2);
+    lenBuf.writeUInt16BE(length);
+    const labeledInfo = Buffer.concat([lenBuf, hpkeV1, suiteId, labelBuf, info]);
+    return hpkeHkdfExpand(prk, labeledInfo, length);
+}
+function buildX25519PKCS8(raw) {
+    return Buffer.concat([Buffer.from([0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e, 0x04, 0x22, 0x04, 0x20]), raw]);
+}
+function buildX25519SPKI(raw) {
+    return Buffer.concat([Buffer.from([0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e, 0x03, 0x21, 0x00]), raw]);
+}
+function dhkemX25519Encap(pkR) {
+    const kp = generateKeyPairSync("x25519");
+    const pkEDer = Buffer.from(kp.publicKey.export({ type: "spki", format: "der" }));
+    const skEDer = Buffer.from(kp.privateKey.export({ type: "pkcs8", format: "der" }));
+    const pkE = Buffer.from(pkEDer.subarray(pkEDer.length - 32));
+    const skE = Buffer.from(skEDer.subarray(skEDer.length - 32));
+    const privKey = createPrivateKey({ key: buildX25519PKCS8(skE), format: "der", type: "pkcs8" });
+    const pubKey = createPublicKey({ key: buildX25519SPKI(pkR), format: "der", type: "spki" });
+    const dh = Buffer.from(diffieHellman({ privateKey: privKey, publicKey: pubKey }));
+    const enc = Buffer.from(pkE);
+    const kemContext = Buffer.concat([enc, pkR]);
+    const kemSuiteId = Buffer.from([0x4b, 0x45, 0x4d, 0x00, 0x20]);
+    const prk = labeledExtract(kemSuiteId, Buffer.alloc(0), "shared_secret", dh);
+    const sharedSecret = labeledExpand(kemSuiteId, prk, "shared_secret", kemContext, 32);
+    return { sharedSecret, enc };
+}
+function aeadParams(aeadId) {
+    switch (aeadId) {
+        case 0x0001:
+            return { Nk: 16, Nn: 12 };
+        case 0x0002:
+            return { Nk: 32, Nn: 12 };
+        case 0x0003:
+            return { Nk: 32, Nn: 12 };
+        default:
+            throw new Error(`Unsupported HPKE AEAD: 0x${aeadId.toString(16)}`);
+    }
+}
+function aeadAlgorithm(aeadId) {
+    switch (aeadId) {
+        case 0x0001:
+            return "aes-128-gcm";
+        case 0x0002:
+            return "aes-256-gcm";
+        case 0x0003:
+            return "chacha20-poly1305";
+        default:
+            throw new Error(`Unsupported HPKE AEAD: 0x${aeadId.toString(16)}`);
+    }
+}
+function hpkeKeyScheduleS(kemId, kdfId, aeadId, sharedSecret, info) {
+    const suiteId = Buffer.alloc(10);
+    suiteId.write("HPKE", 0, "ascii");
+    suiteId.writeUInt16BE(kemId, 4);
+    suiteId.writeUInt16BE(kdfId, 6);
+    suiteId.writeUInt16BE(aeadId, 8);
+    const { Nk, Nn } = aeadParams(aeadId);
+    const pskIdHash = labeledExtract(suiteId, Buffer.alloc(0), "psk_id_hash", Buffer.alloc(0));
+    const infoHash = labeledExtract(suiteId, Buffer.alloc(0), "info_hash", info);
+    const ksContext = Buffer.concat([Buffer.from([0x00]), pskIdHash, infoHash]);
+    const secret = labeledExtract(suiteId, sharedSecret, "secret", Buffer.alloc(0));
+    const key = labeledExpand(suiteId, secret, "key", ksContext, Nk);
+    const baseNonce = labeledExpand(suiteId, secret, "base_nonce", ksContext, Nn);
+    return { key, baseNonce };
+}
+function hpkeSeal(key, baseNonce, aad, plaintext, aeadId) {
+    const alg = aeadAlgorithm(aeadId);
+    const cipher = createCipheriv(alg, key, baseNonce, { authTagLength: 16 });
+    cipher.setAAD(aad);
+    const encrypted = cipher.update(plaintext);
+    const final = cipher.final();
+    const tag = cipher.getAuthTag();
+    return Buffer.concat([encrypted, final, tag]);
+}
+/**
+ * Build the outer ECH extension data for a ClientHello.
+ *
+ * @param {number} kdfId - KDF identifier.
+ * @param {number} aeadId - AEAD identifier.
+ * @param {number} configId - ECH config ID.
+ * @param {Buffer} enc - HPKE encapsulated key.
+ * @param {Buffer} payload - Encrypted inner ClientHello payload.
+ * @returns {Buffer} Serialized ECH outer extension bytes.
+ */
+export function buildECHOuterExtData(kdfId, aeadId, configId, enc, payload) {
+    const len = 1 + 2 + 2 + 1 + 2 + enc.length + 2 + payload.length;
+    const buf = Buffer.alloc(len);
+    let off = 0;
+    buf[off++] = 0x00;
+    buf.writeUInt16BE(kdfId, off);
+    off += 2;
+    buf.writeUInt16BE(aeadId, off);
+    off += 2;
+    buf[off++] = configId;
+    buf.writeUInt16BE(enc.length, off);
+    off += 2;
+    enc.copy(buf, off);
+    off += enc.length;
+    buf.writeUInt16BE(payload.length, off);
+    off += 2;
+    payload.copy(buf, off);
+    return buf;
+}
+/**
+ * Extract the first raw ECHConfig entry from a serialized ECHConfigList.
+ *
+ * @param {Buffer} echConfigList - Full serialized ECHConfigList buffer.
+ * @returns {Buffer | null} Raw config bytes, or `null` if the list is too short.
+ */
+export function extractFirstECHConfigRaw(echConfigList) {
+    if (echConfigList.length < 6)
+        return null;
+    const totalLength = echConfigList.readUInt16BE(0);
+    if (totalLength + 2 > echConfigList.length)
+        return null;
+    const _version = echConfigList.readUInt16BE(2);
+    const configLength = echConfigList.readUInt16BE(4);
+    if (6 + configLength > echConfigList.length)
+        return null;
+    return Buffer.from(echConfigList.subarray(2, 6 + configLength));
+}
+/**
+ * Encrypt an inner ClientHello body using HPKE for Encrypted Client Hello.
+ *
+ * @param {Buffer} innerCHBody - Serialized inner ClientHello body.
+ * @param {Buffer} outerCHAAD - Additional authenticated data from the outer ClientHello.
+ * @param {ECHConfig} config - Parsed ECH configuration entry.
+ * @param {Buffer} configRaw - Raw bytes of the ECH configuration.
+ * @returns {{ extensionData: Buffer; enc: Buffer; kdfId: number; aeadId: number; configId: number }} Extension data, encapsulated key, and algorithm identifiers.
+ */
+export function echEncryptInner(innerCHBody, outerCHAAD, config, configRaw) {
+    const hpkeConfig = parseHpkeKeyConfig(config.contents);
+    if (!hpkeConfig)
+        throw new Error("Invalid ECHConfig: cannot parse HPKE key config");
+    if (hpkeConfig.kemId !== 0x0020) {
+        throw new Error(`Unsupported KEM: 0x${hpkeConfig.kemId.toString(16)} (only DHKEM(X25519, HKDF-SHA256) = 0x0020)`);
+    }
+    const suite = hpkeConfig.cipherSuites.find((cs) => cs.kdfId === 0x0001 && (cs.aeadId === 0x0001 || cs.aeadId === 0x0003));
+    if (!suite)
+        throw new Error("No supported HPKE cipher suite in ECHConfig");
+    const hpkeInfo = Buffer.concat([Buffer.from("tls ech\x00", "ascii"), configRaw]);
+    const { sharedSecret, enc } = dhkemX25519Encap(hpkeConfig.publicKey);
+    const { key, baseNonce } = hpkeKeyScheduleS(hpkeConfig.kemId, suite.kdfId, suite.aeadId, sharedSecret, hpkeInfo);
+    const payload = hpkeSeal(key, baseNonce, outerCHAAD, innerCHBody, suite.aeadId);
+    const extensionData = buildECHOuterExtData(suite.kdfId, suite.aeadId, hpkeConfig.configId, enc, payload);
+    return { extensionData, enc, kdfId: suite.kdfId, aeadId: suite.aeadId, configId: hpkeConfig.configId };
+}
+/**
+ * Parse ECH retry configuration from a server's EncryptedExtensions.
+ *
+ * @param {Buffer} data - Serialized ECHConfigList from the retry_configs extension.
+ * @returns {ECHParameters | null} Parsed retry parameters, or `null` if invalid.
+ */
+export function parseECHRetryConfigs(data) {
+    return parseECHConfigList(data);
+}
+/**
+ * Determine whether an ECH retry should be attempted.
+ *
+ * @param {number} retryCount - Number of retries already attempted.
+ * @param {number} maxRetries - Maximum allowed retries.
+ * @param {ECHParameters | null} retryConfigs - Retry ECH configs from the server.
+ * @returns {boolean} `true` if another retry is warranted.
+ */
+export function shouldRetryECH(retryCount, maxRetries, retryConfigs) {
+    if (retryCount >= maxRetries)
+        return false;
+    if (!retryConfigs || retryConfigs.configs.length === 0)
+        return false;
+    return true;
+}
+//# sourceMappingURL=ech.js.map

package/dist/tls/ech.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ech.js","sourceRoot":"","sources":["../../src/tls/ech.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,cAAc,EAAE,mBAAmB,EAAE,aAAa,EAAE,gBAAgB,EAAE,eAAe,EAAuB,MAAM,aAAa,CAAC;AAoClK;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAY;IAC7C,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEjC,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACzC,IAAI,WAAW,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAE/C,MAAM,OAAO,GAAgB,EAAE,CAAC;IAChC,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,OAAO,MAAM,GAAG,CAAC,IAAI,CAAC,GAAG,WAAW,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,IAAI,CAAC,CAAC;QACZ,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAC/C,MAAM,IAAI,CAAC,CAAC;QAEZ,IAAI,MAAM,GAAG,YAAY,GAAG,CAAC,GAAG,WAAW;YAAE,MAAM;QAEnD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,CAAC,CAAC;QAE9D,MAAM,UAAU,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAE/C,OAAO,CAAC,IAAI,CAAC;YACX,OAAO;YACP,MAAM,EAAE,YAAY;YACpB,QAAQ;YACR,UAAU;SACX,CAAC,CAAC;QAEH,MAAM,IAAI,YAAY,CAAC;IACzB,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtC,MAAM,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC,UAAU,CAAC;IAExC,OAAO;QACL,aAAa,EAAE,IAAI;QACnB,QAAQ;QACR,OAAO;KACR,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAgB;IACzC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IAEnC,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,MAAM,IAAI,CAAC,CAAC;IACZ,MAAM,IAAI,CAAC,CAAC;IACZ,IAAI,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IAC5C,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,IAAI,CAAC,GAAG,KAAK,CAAC;IAEpB,IAAI,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IAC5C,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,IAAI,CAAC,GAAG,KAAK,CAAC;IAEpB,IAAI,MAAM,IAAI,QAAQ,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IACzC,MAAM,IAAI,CAAC,CAAC;IAEZ,IAAI,MAAM,IAAI,QAAQ,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAE,CAAC;IAClC,MAAM,IAAI,CAAC,CAAC;IAEZ,IAAI,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IAClD,OAAO,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACvE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,UAAU,GAAG,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC;IAC9D,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,CAAC;IAErB,GAAG,CAAC,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,MAAM,IAAI,CAAC,CAAC;IACZ,GAAG,CAAC,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,MAAM,IAAI,CAAC,CAAC;IAEZ,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAE,CAAC;IAEnC,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC5B,GAAG,CAAC,aAAa,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAC9B,MAAM,IAAI,CAAC,CAAC;IACZ,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACtB,MAAM,IAAI,EAAE,CAAC;IAEb,MAAM,OAAO,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;IACxC,GAAG,CAAC,aAAa,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACtC,MAAM,IAAI,CAAC,CAAC;IACZ,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAE1B,OAAO,GAAG,CAAC;AACb,CAAC;AAcD;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAgB;IACjD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAErC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAE,CAAC;IACnC,MAAM,IAAI,CAAC,CAAC;IAEZ,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,IAAI,CAAC,CAAC;IAEZ,IAAI,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAC9C,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,IAAI,CAAC,CAAC;IAEZ,IAAI,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC;IACzE,MAAM,IAAI,KAAK,CAAC;IAEhB,IAAI,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAC9C,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,IAAI,CAAC,CAAC;IAEZ,MAAM,YAAY,GAA6C,EAAE,CAAC;IAClE,MAAM,KAAK,GAAG,MAAM,GAAG,KAAK,CAAC;IAC7B,OAAO,MAAM,GAAG,CAAC,IAAI,KAAK,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,IAAI,CAAC,CAAC;QACZ,MAAM,MAAM,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAC7C,MAAM,IAAI,CAAC,CAAC;QACZ,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IACvC,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC;AACtD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,CAAC,CAAC;IAElC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,MAAM,IAAI,CAAC,CAAC;IACZ,MAAM,IAAI,CAAC,CAAC;IAEZ,IAAI,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC,MAAM;QAAE,OAAO,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,IAAI,CAAC,GAAG,KAAK,CAAC;IAEpB,IAAI,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC,MAAM;QAAE,OAAO,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,IAAI,CAAC,GAAG,KAAK,CAAC;IAEpB,IAAI,MAAM,IAAI,QAAQ,CAAC,MAAM;QAAE,OAAO,CAAC,CAAC;IACxC,OAAO,QAAQ,CAAC,MAAM,CAAE,CAAC;AAC3B,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,GAAW;IAChD,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACtD,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,cAAc,CAAC,GAAW,EAAE,IAAY,EAAE,MAAc;IAC/D,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IACjC,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACjC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACxB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAClB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9B,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/B,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IAC5B,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,cAAc,CAAC,OAAe,EAAE,IAAY,EAAE,KAAa,EAAE,GAAW;IAC/E,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC/C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC;IACnE,OAAO,eAAe,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,aAAa,CAAC,OAAe,EAAE,GAAW,EAAE,KAAa,EAAE,IAAY,EAAE,MAAc;IAC9F,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC/C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;IAC7B,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC;IAC7E,OAAO,cAAc,CAAC,GAAG,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;AAC7I,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;AACrH,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW;IACnC,MAAM,EAAE,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IACjF,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IACnF,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC;IAE7D,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,GAAG,EAAE,gBAAgB,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/F,MAAM,MAAM,GAAG,eAAe,CAAC,EAAE,GAAG,EAAE,eAAe,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IAC3F,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;IAElF,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7B,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;IAE7C,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;IAE/D,MAAM,GAAG,GAAG,cAAc,CAAC,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,EAAE,CAAC,CAAC;IAC7E,MAAM,YAAY,GAAG,aAAa,CAAC,UAAU,EAAE,GAAG,EAAE,eAAe,EAAE,UAAU,EAAE,EAAE,CAAC,CAAC;IAErF,OAAO,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,UAAU,CAAC,MAAc;IAChC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM;YACT,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;QAC5B,KAAK,MAAM;YACT,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;QAC5B,KAAK,MAAM;YACT,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;QAC5B;YACE,MAAM,IAAI,KAAK,CAAC,4BAA4B,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,MAAc;IACnC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM;YACT,OAAO,aAAa,CAAC;QACvB,KAAK,MAAM;YACT,OAAO,aAAa,CAAC;QACvB,KAAK,MAAM;YACT,OAAO,mBAAmB,CAAC;QAC7B;YACE,MAAM,IAAI,KAAK,CAAC,4BAA4B,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa,EAAE,KAAa,EAAE,MAAc,EAAE,YAAoB,EAAE,IAAY;IACxG,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACjC,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAChC,OAAO,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAChC,OAAO,CAAC,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAEjC,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAEtC,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3F,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;IAE7E,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC;IAE5E,MAAM,MAAM,GAAG,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAEhF,MAAM,GAAG,GAAG,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IAE9E,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC;AAC5B,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW,EAAE,SAAiB,EAAE,GAAW,EAAE,SAAiB,EAAE,MAAc;IAC9F,MAAM,GAAG,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,cAAc,CAAC,GAAqB,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC,CAAC;IAC5F,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACnB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAa,EAAE,MAAc,EAAE,QAAgB,EAAE,GAAW,EAAE,OAAe;IAChH,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;IAChE,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;IAClB,GAAG,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9B,GAAG,IAAI,CAAC,CAAC;IACT,GAAG,CAAC,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC/B,GAAG,IAAI,CAAC,CAAC;IACT,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,QAAQ,CAAC;IACtB,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACnC,GAAG,IAAI,CAAC,CAAC;IACT,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACnB,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC;IAClB,GAAG,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACvC,GAAG,IAAI,CAAC,CAAC;IACT,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACvB,OAAO,GAAG,CAAC;AACb,CAAC;AAUD;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB,CAAC,aAAqB;IAC5D,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,WAAW,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAClD,IAAI,WAAW,GAAG,CAAC,GAAG,aAAa,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAExD,MAAM,QAAQ,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC/C,MAAM,YAAY,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnD,IAAI,CAAC,GAAG,YAAY,GAAG,aAAa,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzD,OAAO,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,CAAC,CAAC;AAClE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAAC,WAAmB,EAAE,UAAkB,EAAE,MAAiB,EAAE,SAAiB;IAC3G,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACvD,IAAI,CAAC,UAAU;QAAE,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IAEpF,IAAI,UAAU,CAAC,KAAK,KAAK,MAAM,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,sBAAsB,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,6CAA6C,CAAC,CAAC;IACpH,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,KAAK,KAAK,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,KAAK,MAAM,IAAI,EAAE,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC;IAC1H,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IAE3E,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC;IAEjF,MAAM,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,gBAAgB,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IACrE,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,gBAAgB,CAAC,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;IAEjH,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAEhF,MAAM,aAAa,GAAG,oBAAoB,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;IAEzG,OAAO,EAAE,aAAa,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,QAAQ,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC;AACzG,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAY;IAC/C,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC;AAClC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAAC,UAAkB,EAAE,UAAkB,EAAE,YAAkC;IACvG,IAAI,UAAU,IAAI,UAAU;QAAE,OAAO,KAAK,CAAC;IAC3C,IAAI,CAAC,YAAY,IAAI,YAAY,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrE,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/tls/keylog.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Return the SSLKEYLOGFILE path from the environment or explicit override.
+ *
+ * @returns {string|undefined} File path string, or `undefined` if not configured.
+ */
+export declare function getKeylogFile(): string | undefined;
+/**
+ * Append a single NSS key-log line to the SSLKEYLOGFILE.
+ *
+ * @param {string} line - Key-log line without trailing newline.
+ */
+export declare function writeKeylogLine(line: string): void;
+/**
+ * Log a TLS master secret in NSS key-log format.
+ *
+ * @param {Buffer} clientRandom - 32-byte client random from the handshake.
+ * @param {Buffer} masterSecret - Derived master secret.
+ */
+export declare function logMasterSecret(clientRandom: Buffer, masterSecret: Buffer): void;
+/**
+ * Log a TLS 1.3 traffic secret in NSS key-log format.
+ *
+ * @param {string} label - Secret label (e.g. `"CLIENT_HANDSHAKE_TRAFFIC_SECRET"`).
+ * @param {Buffer} clientRandom - 32-byte client random.
+ * @param {Buffer} secret - Derived traffic secret.
+ */
+export declare function logTrafficSecret(label: string, clientRandom: Buffer, secret: Buffer): void;
+/**
+ * Explicitly set or clear the SSLKEYLOGFILE path.
+ *
+ * @param {string|undefined} path - File path, or `undefined` to disable key logging.
+ */
+export declare function setKeylogFile(path: string | undefined): void;
+//# sourceMappingURL=keylog.d.ts.map

package/dist/tls/keylog.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keylog.d.ts","sourceRoot":"","sources":["../../src/tls/keylog.ts"],"names":[],"mappings":"AAOA;;;;GAIG;AACH,wBAAgB,aAAa,IAAI,MAAM,GAAG,SAAS,CAMlD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAWlD;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI,CAEhF;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAE1F;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAG5D"}

package/dist/tls/keylog.js

@@ -0,0 +1,64 @@
+import { appendFileSync, existsSync } from "node:fs";
+import { dirname } from "node:path";
+import { mkdirSync } from "node:fs";
+let _keylogFile;
+let _initialized = false;
+/**
+ * Return the SSLKEYLOGFILE path from the environment or explicit override.
+ *
+ * @returns {string|undefined} File path string, or `undefined` if not configured.
+ */
+export function getKeylogFile() {
+    if (!_initialized) {
+        _initialized = true;
+        _keylogFile = process.env["SSLKEYLOGFILE"];
+    }
+    return _keylogFile;
+}
+/**
+ * Append a single NSS key-log line to the SSLKEYLOGFILE.
+ *
+ * @param {string} line - Key-log line without trailing newline.
+ */
+export function writeKeylogLine(line) {
+    const file = getKeylogFile();
+    if (!file)
+        return;
+    try {
+        const dir = dirname(file);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+        appendFileSync(file, line + "\n", { encoding: "utf-8" });
+    }
+    catch { }
+}
+/**
+ * Log a TLS master secret in NSS key-log format.
+ *
+ * @param {Buffer} clientRandom - 32-byte client random from the handshake.
+ * @param {Buffer} masterSecret - Derived master secret.
+ */
+export function logMasterSecret(clientRandom, masterSecret) {
+    writeKeylogLine(`CLIENT_RANDOM ${clientRandom.toString("hex")} ${masterSecret.toString("hex")}`);
+}
+/**
+ * Log a TLS 1.3 traffic secret in NSS key-log format.
+ *
+ * @param {string} label - Secret label (e.g. `"CLIENT_HANDSHAKE_TRAFFIC_SECRET"`).
+ * @param {Buffer} clientRandom - 32-byte client random.
+ * @param {Buffer} secret - Derived traffic secret.
+ */
+export function logTrafficSecret(label, clientRandom, secret) {
+    writeKeylogLine(`${label} ${clientRandom.toString("hex")} ${secret.toString("hex")}`);
+}
+/**
+ * Explicitly set or clear the SSLKEYLOGFILE path.
+ *
+ * @param {string|undefined} path - File path, or `undefined` to disable key logging.
+ */
+export function setKeylogFile(path) {
+    _keylogFile = path;
+    _initialized = true;
+}
+//# sourceMappingURL=keylog.js.map

package/dist/tls/keylog.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keylog.js","sourceRoot":"","sources":["../../src/tls/keylog.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEpC,IAAI,WAA+B,CAAC;AACpC,IAAI,YAAY,GAAG,KAAK,CAAC;AAEzB;;;;GAIG;AACH,MAAM,UAAU,aAAa;IAC3B,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG,IAAI,CAAC;QACpB,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,MAAM,IAAI,GAAG,aAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,IAAI;QAAE,OAAO;IAElB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,cAAc,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;IAC3D,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;AACZ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,YAAoB,EAAE,YAAoB;IACxE,eAAe,CAAC,iBAAiB,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;AACnG,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa,EAAE,YAAoB,EAAE,MAAc;IAClF,eAAe,CAAC,GAAG,KAAK,IAAI,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;AACxF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,IAAwB;IACpD,WAAW,GAAG,IAAI,CAAC;IACnB,YAAY,GAAG,IAAI,CAAC;AACtB,CAAC"}

package/dist/tls/node-engine.d.ts

@@ -1,22 +1,23 @@
 import type { ITLSEngine, TLSConnectOptions, TLSSocket } from "./types.js";
 import type { BrowserProfile } from "../fingerprints/types.js";
-/**
- * TLS engine that delegates to Node.js’s built-in `tls` module. Provides
- * standard TLS connectivity with optional browser-profile cipher and curve
- * configuration, but does not reproduce the exact ClientHello byte sequence
- * of a real browser. Use {@link StealthTLSEngine} when full fingerprint
- * fidelity is required.
- */
+import { TLSSessionCache } from "./session-cache.js";
+/** TLS engine backed by Node.js native `tls` module. */
 export declare class NodeTLSEngine implements ITLSEngine {
+    private readonly sessionCache;
     /**
-     * Establishes a TLS connection to the given host and port using Node.js’s
-     * native `tls.connect()`. When a `profile` is supplied the cipher list,
-     * ECDH curves, and signature algorithms are overridden to match that profile.
+     * Create a Node.js TLS engine.
      *
-     * @param {TLSConnectOptions} options  - Connection parameters.
-     * @param {BrowserProfile}    [profile] - Optional browser profile to apply cipher/curve overrides.
-     * @returns {Promise<TLSSocket>} Resolves with the connected TLS duplex stream.
-     * @throws {TLSError} If the handshake fails, times out, or the connection is aborted.
+     * @param {TLSSessionCache} [sessionCache] - Optional session ticket cache for resumption.
+     */
+    constructor(sessionCache?: TLSSessionCache);
+    /** Return the session ticket cache used by this engine. */
+    getSessionCache(): TLSSessionCache;
+    /**
+     * Connect to a remote host over TLS using Node.js built-in facilities.
+     *
+     * @param {TLSConnectOptions} options - TLS connection options.
+     * @param {BrowserProfile} [profile] - Optional browser profile for cipher and curve ordering.
+     * @returns {Promise<TLSSocket>} Connected TLS socket.
      */
     connect(options: TLSConnectOptions, profile?: BrowserProfile): Promise<TLSSocket>;
 }

package/dist/tls/node-engine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"node-engine.d.ts","sourceRoot":"","sources":["../../src/tls/node-engine.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAqB,SAAS,EAAE,MAAM,YAAY,CAAC;AAC9F,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAmF/D;;;;;;GAMG;AACH,qBAAa,aAAc,YAAW,UAAU;IAC9C;;;;;;;;;OASG;IACG,OAAO,CAAC,OAAO,EAAE,iBAAiB,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,SAAS,CAAC;CAiHxF"}
+{"version":3,"file":"node-engine.d.ts","sourceRoot":"","sources":["../../src/tls/node-engine.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAqB,SAAS,EAAE,MAAM,YAAY,CAAC;AAC9F,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAG/D,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAmFrD,wDAAwD;AACxD,qBAAa,aAAc,YAAW,UAAU;IAC9C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAkB;IAE/C;;;;OAIG;gBACS,YAAY,CAAC,EAAE,eAAe;IAI1C,2DAA2D;IAC3D,eAAe,IAAI,eAAe;IAIlC;;;;;;OAMG;IACG,OAAO,CAAC,OAAO,EAAE,iBAAiB,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,SAAS,CAAC;CAuJxF"}

package/dist/tls/node-engine.js

@@ -1,6 +1,9 @@
 import * as tls from "node:tls";
 import { CipherSuite, NamedGroup, SignatureScheme } from "./constants.js";
 import { TLSError } from "../core/errors.js";
+import { TLSSessionCache } from "./session-cache.js";
+import { verifyPinnedPublicKey } from "./pin-verification.js";
+import { getKeylogFile, writeKeylogLine } from "./keylog.js";
 const CIPHER_NAME = new Map([
     [CipherSuite.TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"],
     [CipherSuite.TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"],
@@ -76,23 +79,27 @@ function buildSigalgs(algs) {
         .filter((n) => n !== undefined)
         .join(":");
 }
-/**
- * TLS engine that delegates to Node.js’s built-in `tls` module. Provides
- * standard TLS connectivity with optional browser-profile cipher and curve
- * configuration, but does not reproduce the exact ClientHello byte sequence
- * of a real browser. Use {@link StealthTLSEngine} when full fingerprint
- * fidelity is required.
- */
+/** TLS engine backed by Node.js native `tls` module. */
 export class NodeTLSEngine {
+    sessionCache;
     /**
-     * Establishes a TLS connection to the given host and port using Node.js’s
-     * native `tls.connect()`. When a `profile` is supplied the cipher list,
-     * ECDH curves, and signature algorithms are overridden to match that profile.
+     * Create a Node.js TLS engine.
      *
-     * @param {TLSConnectOptions} options  - Connection parameters.
-     * @param {BrowserProfile}    [profile] - Optional browser profile to apply cipher/curve overrides.
-     * @returns {Promise<TLSSocket>} Resolves with the connected TLS duplex stream.
-     * @throws {TLSError} If the handshake fails, times out, or the connection is aborted.
+     * @param {TLSSessionCache} [sessionCache] - Optional session ticket cache for resumption.
+     */
+    constructor(sessionCache) {
+        this.sessionCache = sessionCache ?? new TLSSessionCache();
+    }
+    /** Return the session ticket cache used by this engine. */
+    getSessionCache() {
+        return this.sessionCache;
+    }
+    /**
+     * Connect to a remote host over TLS using Node.js built-in facilities.
+     *
+     * @param {TLSConnectOptions} options - TLS connection options.
+     * @param {BrowserProfile} [profile] - Optional browser profile for cipher and curve ordering.
+     * @returns {Promise<TLSSocket>} Connected TLS socket.
      */
     async connect(options, profile) {
         return new Promise((resolve, reject) => {
@@ -123,6 +130,9 @@ export class NodeTLSEngine {
             if (options.ca) {
                 tlsOpts.ca = options.ca;
             }
+            if (options.echConfigList) {
+                tlsOpts["encryptedClientHello"] = options.echConfigList;
+            }
             if (profile) {
                 const { ciphers, ciphersuites } = buildCipherString(profile.tls.cipherSuites);
                 tlsOpts.ciphers = ciphers;
@@ -134,8 +144,21 @@ export class NodeTLSEngine {
             if (options.socket) {
                 tlsOpts.socket = options.socket;
             }
+            if (getKeylogFile()) {
+                tlsOpts["enableTrace"] = false;
+            }
+            const origin = `${options.servername ?? options.host}:${options.port}`;
+            const cached = this.sessionCache.get(origin);
+            if (cached) {
+                tlsOpts.session = cached.ticket;
+            }
             const timeoutMs = options.timeout ?? 30_000;
             const socket = tls.connect(tlsOpts);
+            if (getKeylogFile()) {
+                socket.on("keylog", (line) => {
+                    writeKeylogLine(line.toString("ascii").trimEnd());
+                });
+            }
             let settled = false;
             let timer;
             if (timeoutMs > 0) {
@@ -169,13 +192,30 @@ export class NodeTLSEngine {
                 settled = true;
                 if (timer)
                     clearTimeout(timer);
+                if (options.pinnedPublicKey) {
+                    try {
+                        const peerCert = socket.getPeerCertificate(true);
+                        if (peerCert && peerCert.raw) {
+                            verifyPinnedPublicKey(peerCert.raw, options.pinnedPublicKey);
+                        }
+                    }
+                    catch (err) {
+                        socket.destroy();
+                        reject(err instanceof Error ? err : new TLSError(String(err)));
+                        return;
+                    }
+                }
                 const cipher = socket.getCipher();
                 const proto = socket.getProtocol();
                 const connectionInfo = {
                     version: proto ?? "unknown",
                     alpnProtocol: socket.alpnProtocol || null,
                     cipher: cipher?.name ?? "unknown",
+                    resumed: socket.isSessionReused(),
                 };
+                socket.on("session", (session) => {
+                    this.sessionCache.set(origin, session, undefined, socket.alpnProtocol || undefined);
+                });
                 const tlsSocket = Object.assign(socket, {
                     connectionInfo,
                     destroyTLS() {