node-opcua-crypto 4.10.0 → 4.12.0

package/dist/{chunk-46EEAYVO.mjs → chunk-LHUQUHQQ.mjs}

@@ -17,24 +17,6 @@ var getFilename = () => fileURLToPath(import.meta.url);
 var getDirname = () => path.dirname(getFilename());
 var __dirname = /* @__PURE__ */ getDirname();
 
-// source/common.ts
-import __crypto from "crypto";
-var KeyObjectOrig = __crypto.KeyObject;
-var { createPrivateKey: createPrivateKeyFromNodeJSCrypto } = __crypto;
-function isKeyObject(mayBeKeyObject) {
-  if (KeyObjectOrig) {
-    return mayBeKeyObject instanceof KeyObjectOrig;
-  }
-  return typeof mayBeKeyObject === "object" && typeof mayBeKeyObject.type === "string";
-}
-var CertificatePurpose = /* @__PURE__ */ ((CertificatePurpose2) => {
-  CertificatePurpose2[CertificatePurpose2["NotSpecified"] = 0] = "NotSpecified";
-  CertificatePurpose2[CertificatePurpose2["ForCertificateAuthority"] = 1] = "ForCertificateAuthority";
-  CertificatePurpose2[CertificatePurpose2["ForApplication"] = 2] = "ForApplication";
-  CertificatePurpose2[CertificatePurpose2["ForUserAuthentication"] = 3] = "ForUserAuthentication";
-  return CertificatePurpose2;
-})(CertificatePurpose || {});
-
 // source/asn1.ts
 import assert from "assert";
 
@@ -341,33 +323,33 @@ var oid_map = {
 };
 
 // source/asn1.ts
-var TagType = /* @__PURE__ */ ((TagType3) => {
-  TagType3[TagType3["BOOLEAN"] = 1] = "BOOLEAN";
-  TagType3[TagType3["INTEGER"] = 2] = "INTEGER";
-  TagType3[TagType3["BIT_STRING"] = 3] = "BIT_STRING";
-  TagType3[TagType3["OCTET_STRING"] = 4] = "OCTET_STRING";
-  TagType3[TagType3["NULL"] = 5] = "NULL";
-  TagType3[TagType3["OBJECT_IDENTIFIER"] = 6] = "OBJECT_IDENTIFIER";
-  TagType3[TagType3["UTF8String"] = 12] = "UTF8String";
-  TagType3[TagType3["NumericString"] = 18] = "NumericString";
-  TagType3[TagType3["PrintableString"] = 19] = "PrintableString";
-  TagType3[TagType3["TeletexString"] = 20] = "TeletexString";
-  TagType3[TagType3["IA5String"] = 22] = "IA5String";
-  TagType3[TagType3["UTCTime"] = 23] = "UTCTime";
-  TagType3[TagType3["GeneralizedTime"] = 24] = "GeneralizedTime";
-  TagType3[TagType3["GraphicString"] = 25] = "GraphicString";
-  TagType3[TagType3["VisibleString"] = 26] = "VisibleString";
-  TagType3[TagType3["GeneralString"] = 27] = "GeneralString";
-  TagType3[TagType3["UniversalString"] = 28] = "UniversalString";
-  TagType3[TagType3["BMPString"] = 30] = "BMPString";
-  TagType3[TagType3["SEQUENCE"] = 48] = "SEQUENCE";
-  TagType3[TagType3["SET"] = 49] = "SET";
-  TagType3[TagType3["CONTEXT_SPECIFIC0"] = 160] = "CONTEXT_SPECIFIC0";
-  TagType3[TagType3["CONTEXT_SPECIFIC1"] = 161] = "CONTEXT_SPECIFIC1";
-  TagType3[TagType3["CONTEXT_SPECIFIC2"] = 162] = "CONTEXT_SPECIFIC2";
-  TagType3[TagType3["CONTEXT_SPECIFIC3"] = 163] = "CONTEXT_SPECIFIC3";
-  TagType3[TagType3["A4"] = 164] = "A4";
-  return TagType3;
+var TagType = /* @__PURE__ */ ((TagType2) => {
+  TagType2[TagType2["BOOLEAN"] = 1] = "BOOLEAN";
+  TagType2[TagType2["INTEGER"] = 2] = "INTEGER";
+  TagType2[TagType2["BIT_STRING"] = 3] = "BIT_STRING";
+  TagType2[TagType2["OCTET_STRING"] = 4] = "OCTET_STRING";
+  TagType2[TagType2["NULL"] = 5] = "NULL";
+  TagType2[TagType2["OBJECT_IDENTIFIER"] = 6] = "OBJECT_IDENTIFIER";
+  TagType2[TagType2["UTF8String"] = 12] = "UTF8String";
+  TagType2[TagType2["NumericString"] = 18] = "NumericString";
+  TagType2[TagType2["PrintableString"] = 19] = "PrintableString";
+  TagType2[TagType2["TeletexString"] = 20] = "TeletexString";
+  TagType2[TagType2["IA5String"] = 22] = "IA5String";
+  TagType2[TagType2["UTCTime"] = 23] = "UTCTime";
+  TagType2[TagType2["GeneralizedTime"] = 24] = "GeneralizedTime";
+  TagType2[TagType2["GraphicString"] = 25] = "GraphicString";
+  TagType2[TagType2["VisibleString"] = 26] = "VisibleString";
+  TagType2[TagType2["GeneralString"] = 27] = "GeneralString";
+  TagType2[TagType2["UniversalString"] = 28] = "UniversalString";
+  TagType2[TagType2["BMPString"] = 30] = "BMPString";
+  TagType2[TagType2["SEQUENCE"] = 48] = "SEQUENCE";
+  TagType2[TagType2["SET"] = 49] = "SET";
+  TagType2[TagType2["CONTEXT_SPECIFIC0"] = 160] = "CONTEXT_SPECIFIC0";
+  TagType2[TagType2["CONTEXT_SPECIFIC1"] = 161] = "CONTEXT_SPECIFIC1";
+  TagType2[TagType2["CONTEXT_SPECIFIC2"] = 162] = "CONTEXT_SPECIFIC2";
+  TagType2[TagType2["CONTEXT_SPECIFIC3"] = 163] = "CONTEXT_SPECIFIC3";
+  TagType2[TagType2["A4"] = 164] = "A4";
+  return TagType2;
 })(TagType || {});
 function readTag(buf, pos) {
   const start = pos;
@@ -388,7 +370,7 @@ function readTag(buf, pos) {
   }
   return { start, tag, position: pos, length };
 }
-function _readStruct(buf, blockInfo) {
+function readStruct(buf, blockInfo) {
   const length = blockInfo.length;
   let cursor = blockInfo.position;
   const end = blockInfo.position + length;
@@ -413,9 +395,9 @@ function parseBitString(buffer, start, end, maxLength) {
   }
   return intro + s;
 }
-function _readBitString(buffer, block) {
+function readBitString(buffer, block) {
   assert(block.tag === 3 /* BIT_STRING */);
-  const data = _getBlock(buffer, block);
+  const data = getBlock(buffer, block);
   const ignore_bits = data.readUInt8(0);
   return {
     lengthInBits: data.length * 8 - ignore_bits,
@@ -431,7 +413,7 @@ function formatBuffer2DigitHexWithColum(buffer) {
   }
   return value.join(":").toUpperCase().replace(/^(00:)*/, "");
 }
-function _readOctetString(buffer, block) {
+function readOctetString(buffer, block) {
   assert(block.tag === 4 /* OCTET_STRING */);
   const tag = readTag(buffer, block.position);
   assert(tag.tag === 4 /* OCTET_STRING */);
@@ -440,19 +422,19 @@ function _readOctetString(buffer, block) {
   const b = buffer.subarray(pos, pos + nbBytes);
   return b;
 }
-function _getBlock(buffer, block) {
+function getBlock(buffer, block) {
   const start = block.position;
   const end = block.position + block.length;
   return buffer.subarray(start, end);
 }
-function _readIntegerAsByteString(buffer, block) {
-  return _getBlock(buffer, block);
+function readIntegerAsByteString(buffer, block) {
+  return getBlock(buffer, block);
 }
-function _readListOfInteger(buffer) {
+function readListOfInteger(buffer) {
   const block = readTag(buffer, 0);
-  const inner_blocks = _readStruct(buffer, block);
+  const inner_blocks = readStruct(buffer, block);
   return inner_blocks.map((innerBlock) => {
-    return _readIntegerAsByteString(buffer, innerBlock);
+    return readIntegerAsByteString(buffer, innerBlock);
   });
 }
 function parseOID(buffer, start, end) {
@@ -475,7 +457,7 @@ function parseOID(buffer, start, end) {
   assert(bits === 0);
   return s;
 }
-function _readObjectIdentifier(buffer, block) {
+function readObjectIdentifier(buffer, block) {
   assert(block.tag === 6 /* OBJECT_IDENTIFIER */);
   const b = buffer.subarray(block.position, block.position + block.length);
   const oid = parseOID(b, 0, block.length);
@@ -484,33 +466,33 @@ function _readObjectIdentifier(buffer, block) {
     name: oid_map[oid] ? oid_map[oid].d : oid
   };
 }
-function _readAlgorithmIdentifier(buffer, block) {
-  const inner_blocks = _readStruct(buffer, block);
+function readAlgorithmIdentifier(buffer, block) {
+  const inner_blocks = readStruct(buffer, block);
   return {
-    identifier: _readObjectIdentifier(buffer, inner_blocks[0]).name
+    identifier: readObjectIdentifier(buffer, inner_blocks[0]).name
   };
 }
-function _readECCAlgorithmIdentifier(buffer, block) {
-  const inner_blocks = _readStruct(buffer, block);
+function readECCAlgorithmIdentifier(buffer, block) {
+  const inner_blocks = readStruct(buffer, block);
   return {
-    identifier: _readObjectIdentifier(buffer, inner_blocks[1]).name
+    identifier: readObjectIdentifier(buffer, inner_blocks[1]).name
     // difference with RSA as algorithm is second element of nested block
   };
 }
-function _readSignatureValueBin(buffer, block) {
-  return _readBitString(buffer, block).data;
+function readSignatureValueBin(buffer, block) {
+  return readBitString(buffer, block).data;
 }
-function _readSignatureValue(buffer, block) {
-  return _readSignatureValueBin(buffer, block).toString("hex");
+function readSignatureValue(buffer, block) {
+  return readSignatureValueBin(buffer, block).toString("hex");
 }
-function _readLongIntegerValue(buffer, block) {
+function readLongIntegerValue(buffer, block) {
   assert(block.tag === 2 /* INTEGER */, "expecting a INTEGER tag");
   const pos = block.position;
   const nbBytes = block.length;
   const buf = buffer.subarray(pos, pos + nbBytes);
   return buf;
 }
-function _readIntegerValue(buffer, block) {
+function readIntegerValue(buffer, block) {
   assert(block.tag === 2 /* INTEGER */, "expecting a INTEGER tag");
   let pos = block.position;
   const nbBytes = block.length;
@@ -522,7 +504,7 @@ function _readIntegerValue(buffer, block) {
   }
   return value;
 }
-function _readBooleanValue(buffer, block) {
+function readBooleanValue(buffer, block) {
   assert(block.tag === 1 /* BOOLEAN */, "expecting a BOOLEAN tag. got " + TagType[block.tag]);
   const pos = block.position;
   const nbBytes = block.length;
@@ -530,9 +512,9 @@ function _readBooleanValue(buffer, block) {
   const value = buffer.readUInt8(pos) ? true : false;
   return value;
 }
-function _readVersionValue(buffer, block) {
+function readVersionValue(buffer, block) {
   block = readTag(buffer, block.position);
-  return _readIntegerValue(buffer, block);
+  return readIntegerValue(buffer, block);
 }
 function convertGeneralizedTime(str) {
   const year = parseInt(str.substr(0, 4), 10);
@@ -544,7 +526,7 @@ function convertGeneralizedTime(str) {
   return new Date(Date.UTC(year, month, day, hours, mins, secs));
 }
 function _readBMPString(buffer, block) {
-  const strBuff = _getBlock(buffer, block);
+  const strBuff = getBlock(buffer, block);
   let str = "";
   for (let i = 0; i < strBuff.length; i += 2) {
     const word = strBuff.readUInt16BE(i);
@@ -562,10 +544,10 @@ function convertUTCTime(str) {
   year += year >= 50 ? 1900 : 2e3;
   return new Date(Date.UTC(year, month, day, hours, mins, secs));
 }
-function _readValue(buffer, block) {
+function readValue(buffer, block) {
   switch (block.tag) {
     case 1 /* BOOLEAN */:
-      return _readBooleanValue(buffer, block);
+      return readBooleanValue(buffer, block);
     case 30 /* BMPString */:
       return _readBMPString(buffer, block);
     case 19 /* PrintableString */:
@@ -573,50 +555,29 @@ function _readValue(buffer, block) {
     case 12 /* UTF8String */:
     case 18 /* NumericString */:
     case 22 /* IA5String */:
-      return _getBlock(buffer, block).toString("ascii");
+      return getBlock(buffer, block).toString("ascii");
     case 23 /* UTCTime */:
-      return convertUTCTime(_getBlock(buffer, block).toString("ascii"));
+      return convertUTCTime(getBlock(buffer, block).toString("ascii"));
     case 24 /* GeneralizedTime */:
-      return convertGeneralizedTime(_getBlock(buffer, block).toString("ascii"));
+      return convertGeneralizedTime(getBlock(buffer, block).toString("ascii"));
     default:
       throw new Error("Invalid tag 0x" + block.tag.toString(16));
   }
 }
-function compactDirectoryName(d) {
-  return JSON.stringify(d);
-}
-function _readDirectoryName(buffer, block) {
-  const set_blocks = _readStruct(buffer, block);
-  const names = {};
-  for (const set_block of set_blocks) {
-    assert(set_block.tag === 49);
-    const blocks = _readStruct(buffer, set_block);
-    assert(blocks.length === 1);
-    assert(blocks[0].tag === 48);
-    const sequenceBlock = _readStruct(buffer, blocks[0]);
-    assert(sequenceBlock.length === 2);
-    const type = _readObjectIdentifier(buffer, sequenceBlock[0]);
-    names[type.name] = _readValue(buffer, sequenceBlock[1]);
-  }
-  return names;
-}
-function _findBlockAtIndex(blocks, index) {
+function findBlockAtIndex(blocks, index) {
   const tmp = blocks.filter((b) => b.tag === 160 + index || b.tag === 128 + index);
   if (tmp.length === 0) {
     return null;
   }
   return tmp[0];
 }
-function _readTime(buffer, block) {
-  return _readValue(buffer, block);
+function readTime(buffer, block) {
+  return readValue(buffer, block);
 }
 
-// source/crypto_explore_certificate.ts
-import assert3 from "assert";
-
 // source/crypto_utils.ts
 import constants from "constants";
-import assert2 from "assert";
+import assert4 from "assert";
 import {
   createHash,
   createSign,
@@ -631,197 +592,35 @@ var createFastUninitializedBuffer = Buffer.allocUnsafe ? Buffer.allocUnsafe : (s
   return new Buffer(size);
 };
 
-// source/crypto_utils.ts
-import jsrsasign from "jsrsasign";
-var { hexy } = pkg_hexy;
-var PEM_REGEX = /^(-----BEGIN (.*)-----\r?\n([/+=a-zA-Z0-9\r\n]*)\r?\n-----END \2-----\r?\n?)/gm;
-var PEM_TYPE_REGEX = /^(-----BEGIN (.*)-----)/m;
-function identifyPemType(rawKey) {
-  if (rawKey instanceof Buffer) {
-    rawKey = rawKey.toString("utf8");
-  }
-  const match = PEM_TYPE_REGEX.exec(rawKey);
-  return !match ? void 0 : match[2];
-}
-function removeTrailingLF(str) {
-  const tmp = str.replace(/(\r|\n)+$/m, "").replace(/\r\n/gm, "\n");
-  return tmp;
-}
-function toPem(raw_key, pem) {
-  assert2(raw_key, "expecting a key");
-  assert2(typeof pem === "string");
-  let pemType = identifyPemType(raw_key);
-  if (pemType) {
-    return raw_key instanceof Buffer ? removeTrailingLF(raw_key.toString("utf8")) : removeTrailingLF(raw_key);
-  } else {
-    pemType = pem;
-    assert2(["CERTIFICATE REQUEST", "CERTIFICATE", "RSA PRIVATE KEY", "PUBLIC KEY", "X509 CRL"].indexOf(pemType) >= 0);
-    let b = raw_key.toString("base64");
-    let str = "-----BEGIN " + pemType + "-----\n";
-    while (b.length) {
-      str += b.substring(0, 64) + "\n";
-      b = b.substring(64);
-    }
-    str += "-----END " + pemType + "-----";
-    return str;
-  }
-}
-function convertPEMtoDER(raw_key) {
-  let match;
-  let pemType;
-  let base64str;
-  const parts = [];
-  PEM_REGEX.lastIndex = 0;
-  while ((match = PEM_REGEX.exec(raw_key)) !== null) {
-    pemType = match[2];
-    base64str = match[3];
-    base64str = base64str.replace(/\r?\n/g, "");
-    parts.push(Buffer.from(base64str, "base64"));
-  }
-  return combine_der(parts);
-}
-function hexDump(buffer, width) {
-  if (!buffer) {
-    return "<>";
-  }
-  width = width || 32;
-  if (buffer.length > 1024) {
-    return hexy(buffer.subarray(0, 1024), { width, format: "twos" }) + "\n .... ( " + buffer.length + ")";
-  } else {
-    return hexy(buffer, { width, format: "twos" });
-  }
-}
-function makeMessageChunkSignature(chunk, options) {
-  const signer = createSign(options.algorithm);
-  signer.update(chunk);
-  const signature = signer.sign(options.privateKey.hidden);
-  assert2(!options.signatureLength || signature.length === options.signatureLength);
-  return signature;
-}
-function verifyMessageChunkSignature(blockToVerify, signature, options) {
-  const verify = createVerify(options.algorithm);
-  verify.update(blockToVerify);
-  return verify.verify(options.publicKey, signature);
-}
-function makeSHA1Thumbprint(buffer) {
-  return createHash("sha1").update(buffer).digest();
-}
-var RSA_PKCS1_OAEP_PADDING = constants.RSA_PKCS1_OAEP_PADDING;
-var RSA_PKCS1_PADDING = constants.RSA_PKCS1_PADDING;
-var PaddingAlgorithm = /* @__PURE__ */ ((PaddingAlgorithm2) => {
-  PaddingAlgorithm2[PaddingAlgorithm2["RSA_PKCS1_OAEP_PADDING"] = 4] = "RSA_PKCS1_OAEP_PADDING";
-  PaddingAlgorithm2[PaddingAlgorithm2["RSA_PKCS1_PADDING"] = 1] = "RSA_PKCS1_PADDING";
-  return PaddingAlgorithm2;
-})(PaddingAlgorithm || {});
-assert2(4 /* RSA_PKCS1_OAEP_PADDING */ === constants.RSA_PKCS1_OAEP_PADDING);
-assert2(1 /* RSA_PKCS1_PADDING */ === constants.RSA_PKCS1_PADDING);
-function publicEncrypt_native(buffer, publicKey, algorithm) {
-  if (algorithm === void 0) {
-    algorithm = 4 /* RSA_PKCS1_OAEP_PADDING */;
-  }
-  return publicEncrypt1(
-    {
-      key: publicKey,
-      padding: algorithm
-    },
-    buffer
-  );
-}
-function privateDecrypt_native(buffer, privateKey, algorithm) {
-  if (algorithm === void 0) {
-    algorithm = 4 /* RSA_PKCS1_OAEP_PADDING */;
-  }
-  try {
-    return privateDecrypt1(
-      {
-        key: privateKey.hidden,
-        padding: algorithm
-      },
-      buffer
-    );
-  } catch (err) {
-    return Buffer.alloc(1);
-  }
-}
-var publicEncrypt = publicEncrypt_native;
-var privateDecrypt = privateDecrypt_native;
-function publicEncrypt_long(buffer, publicKey, blockSize, padding, paddingAlgorithm) {
-  if (paddingAlgorithm === void 0) {
-    paddingAlgorithm = 4 /* RSA_PKCS1_OAEP_PADDING */;
-  }
-  if (paddingAlgorithm === RSA_PKCS1_PADDING) {
-    padding = padding || 11;
-    if (padding !== 11) throw new Error("padding should be 11");
-  } else if (paddingAlgorithm === RSA_PKCS1_OAEP_PADDING) {
-    padding = padding || 42;
-    if (padding !== 42) throw new Error("padding should be 42");
-  } else {
-    throw new Error("Invalid padding algorithm " + paddingAlgorithm);
-  }
-  const chunk_size = blockSize - padding;
-  const nbBlocks = Math.ceil(buffer.length / chunk_size);
-  const outputBuffer = createFastUninitializedBuffer(nbBlocks * blockSize);
-  for (let i = 0; i < nbBlocks; i++) {
-    const currentBlock = buffer.subarray(chunk_size * i, chunk_size * (i + 1));
-    const encrypted_chunk = publicEncrypt(currentBlock, publicKey, paddingAlgorithm);
-    if (encrypted_chunk.length !== blockSize) {
-      throw new Error(`publicEncrypt_long unexpected chunk length ${encrypted_chunk.length}  expecting ${blockSize}`);
-    }
-    encrypted_chunk.copy(outputBuffer, i * blockSize);
-  }
-  return outputBuffer;
-}
-function privateDecrypt_long(buffer, privateKey, blockSize, paddingAlgorithm) {
-  paddingAlgorithm = paddingAlgorithm || RSA_PKCS1_OAEP_PADDING;
-  if (paddingAlgorithm !== RSA_PKCS1_PADDING && paddingAlgorithm !== RSA_PKCS1_OAEP_PADDING) {
-    throw new Error("Invalid padding algorithm " + paddingAlgorithm);
-  }
-  const nbBlocks = Math.ceil(buffer.length / blockSize);
-  const outputBuffer = createFastUninitializedBuffer(nbBlocks * blockSize);
-  let total_length = 0;
-  for (let i = 0; i < nbBlocks; i++) {
-    const currentBlock = buffer.subarray(blockSize * i, Math.min(blockSize * (i + 1), buffer.length));
-    const decrypted_buf = privateDecrypt(currentBlock, privateKey, paddingAlgorithm);
-    decrypted_buf.copy(outputBuffer, total_length);
-    total_length += decrypted_buf.length;
-  }
-  return outputBuffer.subarray(0, total_length);
-}
-function coerceCertificatePem(certificate) {
-  if (certificate instanceof Buffer) {
-    certificate = toPem(certificate, "CERTIFICATE");
-  }
-  assert2(typeof certificate === "string");
-  return certificate;
-}
-function extractPublicKeyFromCertificateSync(certificate) {
-  certificate = coerceCertificatePem(certificate);
-  const key = jsrsasign.KEYUTIL.getKey(certificate);
-  const publicKeyAsPem = jsrsasign.KEYUTIL.getPEM(key);
-  assert2(typeof publicKeyAsPem === "string");
-  return publicKeyAsPem;
-}
-function extractPublicKeyFromCertificate(certificate, callback) {
-  let err1 = null;
-  let keyPem;
-  try {
-    keyPem = extractPublicKeyFromCertificateSync(certificate);
-  } catch (err) {
-    err1 = err;
+// source/crypto_explore_certificate.ts
+import assert3 from "assert";
+
+// source/directory_name.ts
+import assert2 from "assert";
+function readDirectoryName(buffer, block) {
+  const set_blocks = readStruct(buffer, block);
+  const names = {};
+  for (const set_block of set_blocks) {
+    assert2(set_block.tag === 49);
+    const blocks = readStruct(buffer, set_block);
+    assert2(blocks.length === 1);
+    assert2(blocks[0].tag === 48);
+    const sequenceBlock = readStruct(buffer, blocks[0]);
+    assert2(sequenceBlock.length === 2);
+    const type = readObjectIdentifier(buffer, sequenceBlock[0]);
+    names[type.name] = readValue(buffer, sequenceBlock[1]);
   }
-  setImmediate(() => {
-    callback(err1, keyPem);
-  });
+  return names;
 }
 
 // source/crypto_explore_certificate.ts
 var doDebug = false;
 function _readAttributeTypeAndValue(buffer, block) {
-  let inner_blocks = _readStruct(buffer, block);
-  inner_blocks = _readStruct(buffer, inner_blocks[0]);
+  let inner_blocks = readStruct(buffer, block);
+  inner_blocks = readStruct(buffer, inner_blocks[0]);
   const data = {
-    identifier: _readObjectIdentifier(buffer, inner_blocks[0]).name,
-    value: _readValue(buffer, inner_blocks[1])
+    identifier: readObjectIdentifier(buffer, inner_blocks[0]).name,
+    value: readValue(buffer, inner_blocks[1])
   };
   const result = {};
   for (const [key, value] of Object.entries(data)) {
@@ -830,7 +629,7 @@ function _readAttributeTypeAndValue(buffer, block) {
   return result;
 }
 function _readRelativeDistinguishedName(buffer, block) {
-  const inner_blocks = _readStruct(buffer, block);
+  const inner_blocks = readStruct(buffer, block);
   const data = inner_blocks.map((block2) => _readAttributeTypeAndValue(buffer, block2));
   const result = {};
   for (const e of data) {
@@ -842,64 +641,64 @@ function _readName(buffer, block) {
   return _readRelativeDistinguishedName(buffer, block);
 }
 function _readValidity(buffer, block) {
-  const inner_blocks = _readStruct(buffer, block);
+  const inner_blocks = readStruct(buffer, block);
   return {
-    notBefore: _readTime(buffer, inner_blocks[0]),
-    notAfter: _readTime(buffer, inner_blocks[1])
+    notBefore: readTime(buffer, inner_blocks[0]),
+    notAfter: readTime(buffer, inner_blocks[1])
   };
 }
 function _readAuthorityKeyIdentifier(buffer) {
   const block_info = readTag(buffer, 0);
-  const blocks = _readStruct(buffer, block_info);
-  const keyIdentifier_block = _findBlockAtIndex(blocks, 0);
-  const authorityCertIssuer_block = _findBlockAtIndex(blocks, 1);
-  const authorityCertSerialNumber_block = _findBlockAtIndex(blocks, 2);
+  const blocks = readStruct(buffer, block_info);
+  const keyIdentifier_block = findBlockAtIndex(blocks, 0);
+  const authorityCertIssuer_block = findBlockAtIndex(blocks, 1);
+  const authorityCertSerialNumber_block = findBlockAtIndex(blocks, 2);
   function _readAuthorityCertIssuer(block) {
-    const inner_blocks = _readStruct(buffer, block);
-    const directoryName_block = _findBlockAtIndex(inner_blocks, 4);
+    const inner_blocks = readStruct(buffer, block);
+    const directoryName_block = findBlockAtIndex(inner_blocks, 4);
     if (directoryName_block) {
-      const a = _readStruct(buffer, directoryName_block);
-      return _readDirectoryName(buffer, a[0]);
+      const a = readStruct(buffer, directoryName_block);
+      return readDirectoryName(buffer, a[0]);
     } else {
       throw new Error("Invalid _readAuthorityCertIssuer");
     }
   }
   function _readAuthorityCertIssuerFingerPrint(block) {
-    const inner_blocks = _readStruct(buffer, block);
-    const directoryName_block = _findBlockAtIndex(inner_blocks, 4);
+    const inner_blocks = readStruct(buffer, block);
+    const directoryName_block = findBlockAtIndex(inner_blocks, 4);
     if (!directoryName_block) {
       return "";
     }
-    const a = _readStruct(buffer, directoryName_block);
+    const a = readStruct(buffer, directoryName_block);
     if (a.length < 1) {
       return "";
     }
-    return directoryName_block ? formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(_getBlock(buffer, a[0]))) : "";
+    return directoryName_block ? formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, a[0]))) : "";
   }
   const authorityCertIssuer = authorityCertIssuer_block ? _readAuthorityCertIssuer(authorityCertIssuer_block) : null;
   const authorityCertIssuerFingerPrint = authorityCertIssuer_block ? _readAuthorityCertIssuerFingerPrint(authorityCertIssuer_block) : "";
   return {
     authorityCertIssuer,
     authorityCertIssuerFingerPrint,
-    serial: authorityCertSerialNumber_block ? formatBuffer2DigitHexWithColum(_getBlock(buffer, authorityCertSerialNumber_block)) : null,
+    serial: authorityCertSerialNumber_block ? formatBuffer2DigitHexWithColum(getBlock(buffer, authorityCertSerialNumber_block)) : null,
     // can be null for self-signed cert
-    keyIdentifier: keyIdentifier_block ? formatBuffer2DigitHexWithColum(_getBlock(buffer, keyIdentifier_block)) : null
+    keyIdentifier: keyIdentifier_block ? formatBuffer2DigitHexWithColum(getBlock(buffer, keyIdentifier_block)) : null
     // can be null for self-signed certf
   };
 }
 function readBasicConstraint2_5_29_19(buffer, block) {
   const block_info = readTag(buffer, 0);
-  const inner_blocks = _readStruct(buffer, block_info).slice(0, 2);
+  const inner_blocks = readStruct(buffer, block_info).slice(0, 2);
   let cA = false;
   let pathLengthConstraint = 0;
   let breakControl = 0;
   for (const inner_block of inner_blocks) {
     switch (inner_block.tag) {
       case 1 /* BOOLEAN */:
-        cA = _readBooleanValue(buffer, inner_block);
+        cA = readBooleanValue(buffer, inner_block);
         break;
       case 2 /* INTEGER */:
-        pathLengthConstraint = _readIntegerValue(buffer, inner_block);
+        pathLengthConstraint = readIntegerValue(buffer, inner_block);
         breakControl = 1;
         break;
     }
@@ -921,7 +720,7 @@ function _readGeneralNames(buffer, block) {
     8: { name: "registeredID", type: "OBJECT_IDENTIFIER" },
     32: { name: "otherName", type: "AnotherName" }
   };
-  const blocks = _readStruct(buffer, block);
+  const blocks = readStruct(buffer, block);
   function _readFromType(buffer2, block2, type) {
     switch (type) {
       case "IA5String":
@@ -933,19 +732,19 @@ function _readGeneralNames(buffer, block) {
   const n = {};
   for (const block2 of blocks) {
     assert3((block2.tag & 128) === 128);
-    const t = block2.tag & 127;
-    const type = _data[t];
+    const t2 = block2.tag & 127;
+    const type = _data[t2];
     if (!type) {
-      console.log("_readGeneralNames: INVALID TYPE => " + t + " 0x" + t.toString(16));
+      console.log("_readGeneralNames: INVALID TYPE => " + t2 + " 0x" + t2.toString(16));
       continue;
     }
-    if (t == 32) {
+    if (t2 == 32) {
       n[type.name] = n[type.name] || [];
-      const blocks2 = _readStruct(buffer, block2);
-      const name = _readObjectIdentifier(buffer, blocks2[0]).name;
-      const buf = _getBlock(buffer, blocks2[1]);
+      const blocks2 = readStruct(buffer, block2);
+      const name = readObjectIdentifier(buffer, blocks2[0]).name;
+      const buf = getBlock(buffer, blocks2[1]);
       const b = readTag(buf, 0);
-      const nn = _readValue(buf, b);
+      const nn = readValue(buf, b);
       const data = {
         identifier: name,
         value: nn
@@ -994,7 +793,7 @@ function readKeyUsage(oid, buffer) {
 function readExtKeyUsage(oid, buffer) {
   assert3(oid === "2.5.29.37");
   const block_info = readTag(buffer, 0);
-  const inner_blocks = _readStruct(buffer, block_info);
+  const inner_blocks = readStruct(buffer, block_info);
   const extKeyUsage = {
     serverAuth: false,
     clientAuth: false,
@@ -1007,30 +806,30 @@ function readExtKeyUsage(oid, buffer) {
     ocspSigning: false
   };
   for (const block of inner_blocks) {
-    const identifier = _readObjectIdentifier(buffer, block);
+    const identifier = readObjectIdentifier(buffer, block);
     extKeyUsage[identifier.name] = true;
   }
   return extKeyUsage;
 }
 function _readSubjectPublicKey(buffer) {
   const block_info = readTag(buffer, 0);
-  const blocks = _readStruct(buffer, block_info);
+  const blocks = readStruct(buffer, block_info);
   return {
     modulus: buffer.subarray(blocks[0].position + 1, blocks[0].position + blocks[0].length)
   };
 }
-function _readExtension(buffer, block) {
-  const inner_blocks = _readStruct(buffer, block);
+function readExtension(buffer, block) {
+  const inner_blocks = readStruct(buffer, block);
   if (inner_blocks.length === 3) {
     assert3(inner_blocks[1].tag === 1 /* BOOLEAN */);
     inner_blocks[1] = inner_blocks[2];
   }
-  const identifier = _readObjectIdentifier(buffer, inner_blocks[0]);
-  const buf = _getBlock(buffer, inner_blocks[1]);
+  const identifier = readObjectIdentifier(buffer, inner_blocks[0]);
+  const buf = getBlock(buffer, inner_blocks[1]);
   let value = null;
   switch (identifier.name) {
     case "subjectKeyIdentifier":
-      value = formatBuffer2DigitHexWithColum(_readOctetString(buffer, inner_blocks[1]));
+      value = formatBuffer2DigitHexWithColum(readOctetString(buffer, inner_blocks[1]));
       break;
     case "subjectAltName":
       value = _readSubjectAltNames(buf);
@@ -1060,9 +859,9 @@ function _readExtension(buffer, block) {
 }
 function _readExtensions(buffer, block) {
   assert3(block.tag === 163);
-  let inner_blocks = _readStruct(buffer, block);
-  inner_blocks = _readStruct(buffer, inner_blocks[0]);
-  const extensions = inner_blocks.map((block2) => _readExtension(buffer, block2));
+  let inner_blocks = readStruct(buffer, block);
+  inner_blocks = readStruct(buffer, inner_blocks[0]);
+  const extensions = inner_blocks.map((block2) => readExtension(buffer, block2));
   const result = {};
   for (const e of extensions) {
     result[e.identifier.name] = e.value;
@@ -1070,11 +869,11 @@ function _readExtensions(buffer, block) {
   return result;
 }
 function _readSubjectPublicKeyInfo(buffer, block) {
-  const inner_blocks = _readStruct(buffer, block);
-  const algorithm = _readAlgorithmIdentifier(buffer, inner_blocks[0]);
-  const subjectPublicKey = _readBitString(buffer, inner_blocks[1]);
+  const inner_blocks = readStruct(buffer, block);
+  const algorithm = readAlgorithmIdentifier(buffer, inner_blocks[0]);
+  const subjectPublicKey = readBitString(buffer, inner_blocks[1]);
   const data = subjectPublicKey.data;
-  const values = _readListOfInteger(data);
+  const values = readListOfInteger(data);
   return {
     algorithm: algorithm.identifier,
     keyLength: values[0].length - 1,
@@ -1084,9 +883,9 @@ function _readSubjectPublicKeyInfo(buffer, block) {
   };
 }
 function _readSubjectECCPublicKeyInfo(buffer, block) {
-  const inner_blocks = _readStruct(buffer, block);
-  const algorithm = _readECCAlgorithmIdentifier(buffer, inner_blocks[0]);
-  const subjectPublicKey = _readBitString(buffer, inner_blocks[1]);
+  const inner_blocks = readStruct(buffer, block);
+  const algorithm = readECCAlgorithmIdentifier(buffer, inner_blocks[0]);
+  const subjectPublicKey = readBitString(buffer, inner_blocks[1]);
   const data = subjectPublicKey.data;
   return {
     algorithm: algorithm.identifier,
@@ -1097,33 +896,33 @@ function _readSubjectECCPublicKeyInfo(buffer, block) {
   };
 }
 function readTbsCertificate(buffer, block) {
-  const blocks = _readStruct(buffer, block);
+  const blocks = readStruct(buffer, block);
   let version, serialNumber, signature, issuer, validity, subject, subjectFingerPrint, extensions;
   let subjectPublicKeyInfo;
   if (blocks.length === 6) {
     version = 1;
-    serialNumber = formatBuffer2DigitHexWithColum(_readLongIntegerValue(buffer, blocks[0]));
-    signature = _readAlgorithmIdentifier(buffer, blocks[1]);
+    serialNumber = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, blocks[0]));
+    signature = readAlgorithmIdentifier(buffer, blocks[1]);
     issuer = _readName(buffer, blocks[2]);
     validity = _readValidity(buffer, blocks[3]);
     subject = _readName(buffer, blocks[4]);
-    subjectFingerPrint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(_getBlock(buffer, blocks[4])));
+    subjectFingerPrint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[4])));
     subjectPublicKeyInfo = _readSubjectPublicKeyInfo(buffer, blocks[5]);
     extensions = null;
   } else {
-    const version_block = _findBlockAtIndex(blocks, 0);
+    const version_block = findBlockAtIndex(blocks, 0);
     if (!version_block) {
       throw new Error("cannot find version block");
     }
-    version = _readVersionValue(buffer, version_block) + 1;
-    serialNumber = formatBuffer2DigitHexWithColum(_readLongIntegerValue(buffer, blocks[1]));
-    signature = _readAlgorithmIdentifier(buffer, blocks[2]);
+    version = readVersionValue(buffer, version_block) + 1;
+    serialNumber = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, blocks[1]));
+    signature = readAlgorithmIdentifier(buffer, blocks[2]);
     issuer = _readName(buffer, blocks[3]);
     validity = _readValidity(buffer, blocks[4]);
     subject = _readName(buffer, blocks[5]);
-    subjectFingerPrint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(_getBlock(buffer, blocks[5])));
-    const inner_block = _readStruct(buffer, blocks[6]);
-    const what_type = _readAlgorithmIdentifier(buffer, inner_block[0]).identifier;
+    subjectFingerPrint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[5])));
+    const inner_block = readStruct(buffer, blocks[6]);
+    const what_type = readAlgorithmIdentifier(buffer, inner_block[0]).identifier;
     switch (what_type) {
       case "rsaEncryption": {
         subjectPublicKeyInfo = _readSubjectPublicKeyInfo(buffer, blocks[6]);
@@ -1135,7 +934,7 @@ function readTbsCertificate(buffer, block) {
         break;
       }
     }
-    const extensionBlock = _findBlockAtIndex(blocks, 3);
+    const extensionBlock = findBlockAtIndex(blocks, 3);
     if (!extensionBlock) {
       doDebug && console.log("X509 certificate is invalid : cannot find extension block version =" + version_block);
       extensions = null;
@@ -1159,11 +958,11 @@ function exploreCertificate(certificate) {
   assert3(certificate instanceof Buffer);
   if (!certificate._exploreCertificate_cache) {
     const block_info = readTag(certificate, 0);
-    const blocks = _readStruct(certificate, block_info);
+    const blocks = readStruct(certificate, block_info);
     certificate._exploreCertificate_cache = {
       tbsCertificate: readTbsCertificate(certificate, blocks[0]),
-      signatureAlgorithm: _readAlgorithmIdentifier(certificate, blocks[1]),
-      signatureValue: _readSignatureValue(certificate, blocks[2])
+      signatureAlgorithm: readAlgorithmIdentifier(certificate, blocks[1]),
+      signatureValue: readSignatureValue(certificate, blocks[2])
     };
   }
   return certificate._exploreCertificate_cache;
@@ -1193,34 +992,394 @@ function combine_der(certificates) {
   return Buffer.concat(certificates);
 }
 
-// source/explore_certificate.ts
-import assert4 from "assert";
-function coerceCertificate(certificate) {
-  if (typeof certificate === "string") {
-    certificate = convertPEMtoDER(certificate);
+// source/crypto_utils.ts
+import jsrsasign from "jsrsasign";
+var { hexy } = pkg_hexy;
+var PEM_REGEX = /^(-----BEGIN (.*)-----\r?\n([/+=a-zA-Z0-9\r\n]*)\r?\n-----END \2-----\r?\n?)/gm;
+var PEM_TYPE_REGEX = /^(-----BEGIN (.*)-----)/m;
+function identifyPemType(rawKey) {
+  if (rawKey instanceof Buffer) {
+    rawKey = rawKey.toString("utf8");
   }
-  assert4(certificate instanceof Buffer);
-  return certificate;
+  const match = PEM_TYPE_REGEX.exec(rawKey);
+  return !match ? void 0 : match[2];
 }
-function exploreCertificateInfo(certificate) {
-  certificate = coerceCertificate(certificate);
-  const certInfo = exploreCertificate(certificate);
-  const data = {
-    publicKeyLength: certInfo.tbsCertificate.subjectPublicKeyInfo.keyLength,
-    notBefore: certInfo.tbsCertificate.validity.notBefore,
-    notAfter: certInfo.tbsCertificate.validity.notAfter,
-    publicKey: certInfo.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey,
-    subject: certInfo.tbsCertificate.subject
-  };
-  if (!(data.publicKeyLength === 512 || data.publicKeyLength === 384 || data.publicKeyLength === 256 || data.publicKeyLength === 128)) {
-    throw new Error("Invalid public key length (expecting 128,256,384 or 512)" + data.publicKeyLength);
+function removeTrailingLF(str) {
+  const tmp = str.replace(/(\r|\n)+$/m, "").replace(/\r\n/gm, "\n");
+  return tmp;
+}
+function toPem(raw_key, pem) {
+  assert4(raw_key, "expecting a key");
+  assert4(typeof pem === "string");
+  let pemType = identifyPemType(raw_key);
+  if (pemType) {
+    return raw_key instanceof Buffer ? removeTrailingLF(raw_key.toString("utf8")) : removeTrailingLF(raw_key);
+  } else {
+    pemType = pem;
+    assert4(["CERTIFICATE REQUEST", "CERTIFICATE", "RSA PRIVATE KEY", "PUBLIC KEY", "X509 CRL"].indexOf(pemType) >= 0);
+    let b = raw_key.toString("base64");
+    let str = "-----BEGIN " + pemType + "-----\n";
+    while (b.length) {
+      str += b.substring(0, 64) + "\n";
+      b = b.substring(64);
+    }
+    str += "-----END " + pemType + "-----";
+    return str;
   }
-  return data;
 }
-
-// source/derived_keys.ts
+function convertPEMtoDER(raw_key) {
+  let match;
+  let pemType;
+  let base64str;
+  const parts = [];
+  PEM_REGEX.lastIndex = 0;
+  while ((match = PEM_REGEX.exec(raw_key)) !== null) {
+    pemType = match[2];
+    base64str = match[3];
+    base64str = base64str.replace(/\r?\n/g, "");
+    parts.push(Buffer.from(base64str, "base64"));
+  }
+  return combine_der(parts);
+}
+function hexDump(buffer, width) {
+  if (!buffer) {
+    return "<>";
+  }
+  width = width || 32;
+  if (buffer.length > 1024) {
+    return hexy(buffer.subarray(0, 1024), { width, format: "twos" }) + "\n .... ( " + buffer.length + ")";
+  } else {
+    return hexy(buffer, { width, format: "twos" });
+  }
+}
+function makeMessageChunkSignature(chunk, options) {
+  const signer = createSign(options.algorithm);
+  signer.update(chunk);
+  const signature = signer.sign(options.privateKey.hidden);
+  assert4(!options.signatureLength || signature.length === options.signatureLength);
+  return signature;
+}
+function verifyMessageChunkSignature(blockToVerify, signature, options) {
+  const verify = createVerify(options.algorithm);
+  verify.update(blockToVerify);
+  return verify.verify(options.publicKey, signature);
+}
+function makeSHA1Thumbprint(buffer) {
+  return createHash("sha1").update(buffer).digest();
+}
+var RSA_PKCS1_OAEP_PADDING = constants.RSA_PKCS1_OAEP_PADDING;
+var RSA_PKCS1_PADDING = constants.RSA_PKCS1_PADDING;
+var PaddingAlgorithm = /* @__PURE__ */ ((PaddingAlgorithm2) => {
+  PaddingAlgorithm2[PaddingAlgorithm2["RSA_PKCS1_OAEP_PADDING"] = 4] = "RSA_PKCS1_OAEP_PADDING";
+  PaddingAlgorithm2[PaddingAlgorithm2["RSA_PKCS1_PADDING"] = 1] = "RSA_PKCS1_PADDING";
+  return PaddingAlgorithm2;
+})(PaddingAlgorithm || {});
+assert4(4 /* RSA_PKCS1_OAEP_PADDING */ === constants.RSA_PKCS1_OAEP_PADDING);
+assert4(1 /* RSA_PKCS1_PADDING */ === constants.RSA_PKCS1_PADDING);
+function publicEncrypt_native(buffer, publicKey, algorithm) {
+  if (algorithm === void 0) {
+    algorithm = 4 /* RSA_PKCS1_OAEP_PADDING */;
+  }
+  return publicEncrypt1(
+    {
+      key: publicKey,
+      padding: algorithm
+    },
+    buffer
+  );
+}
+function privateDecrypt_native(buffer, privateKey, algorithm) {
+  if (algorithm === void 0) {
+    algorithm = 4 /* RSA_PKCS1_OAEP_PADDING */;
+  }
+  try {
+    return privateDecrypt1(
+      {
+        key: privateKey.hidden,
+        padding: algorithm
+      },
+      buffer
+    );
+  } catch (err) {
+    return Buffer.alloc(1);
+  }
+}
+var publicEncrypt = publicEncrypt_native;
+var privateDecrypt = privateDecrypt_native;
+function publicEncrypt_long(buffer, publicKey, blockSize, padding, paddingAlgorithm) {
+  if (paddingAlgorithm === void 0) {
+    paddingAlgorithm = 4 /* RSA_PKCS1_OAEP_PADDING */;
+  }
+  if (paddingAlgorithm === RSA_PKCS1_PADDING) {
+    padding = padding || 11;
+    if (padding !== 11) throw new Error("padding should be 11");
+  } else if (paddingAlgorithm === RSA_PKCS1_OAEP_PADDING) {
+    padding = padding || 42;
+    if (padding !== 42) throw new Error("padding should be 42");
+  } else {
+    throw new Error("Invalid padding algorithm " + paddingAlgorithm);
+  }
+  const chunk_size = blockSize - padding;
+  const nbBlocks = Math.ceil(buffer.length / chunk_size);
+  const outputBuffer = createFastUninitializedBuffer(nbBlocks * blockSize);
+  for (let i = 0; i < nbBlocks; i++) {
+    const currentBlock = buffer.subarray(chunk_size * i, chunk_size * (i + 1));
+    const encrypted_chunk = publicEncrypt(currentBlock, publicKey, paddingAlgorithm);
+    if (encrypted_chunk.length !== blockSize) {
+      throw new Error(`publicEncrypt_long unexpected chunk length ${encrypted_chunk.length}  expecting ${blockSize}`);
+    }
+    encrypted_chunk.copy(outputBuffer, i * blockSize);
+  }
+  return outputBuffer;
+}
+function privateDecrypt_long(buffer, privateKey, blockSize, paddingAlgorithm) {
+  paddingAlgorithm = paddingAlgorithm || RSA_PKCS1_OAEP_PADDING;
+  if (paddingAlgorithm !== RSA_PKCS1_PADDING && paddingAlgorithm !== RSA_PKCS1_OAEP_PADDING) {
+    throw new Error("Invalid padding algorithm " + paddingAlgorithm);
+  }
+  const nbBlocks = Math.ceil(buffer.length / blockSize);
+  const outputBuffer = createFastUninitializedBuffer(nbBlocks * blockSize);
+  let total_length = 0;
+  for (let i = 0; i < nbBlocks; i++) {
+    const currentBlock = buffer.subarray(blockSize * i, Math.min(blockSize * (i + 1), buffer.length));
+    const decrypted_buf = privateDecrypt(currentBlock, privateKey, paddingAlgorithm);
+    decrypted_buf.copy(outputBuffer, total_length);
+    total_length += decrypted_buf.length;
+  }
+  return outputBuffer.subarray(0, total_length);
+}
+function coerceCertificatePem(certificate) {
+  if (certificate instanceof Buffer) {
+    certificate = toPem(certificate, "CERTIFICATE");
+  }
+  assert4(typeof certificate === "string");
+  return certificate;
+}
+function extractPublicKeyFromCertificateSync(certificate) {
+  certificate = coerceCertificatePem(certificate);
+  const key = jsrsasign.KEYUTIL.getKey(certificate);
+  const publicKeyAsPem = jsrsasign.KEYUTIL.getPEM(key);
+  assert4(typeof publicKeyAsPem === "string");
+  return publicKeyAsPem;
+}
+function extractPublicKeyFromCertificate(certificate, callback) {
+  let err1 = null;
+  let keyPem;
+  try {
+    keyPem = extractPublicKeyFromCertificateSync(certificate);
+  } catch (err) {
+    err1 = err;
+  }
+  setImmediate(() => {
+    callback(err1, keyPem);
+  });
+}
+
+// source/explore_private_key.ts
+function f(buffer, b) {
+  return buffer.subarray(b.position + 1, b.position + b.length);
+}
+var doDebug2 = !!process.env.DEBUG;
+function explorePrivateKey(privateKey2) {
+  const privateKey1 = privateKey2.hidden;
+  const privateKey = typeof privateKey1 === "string" ? convertPEMtoDER(privateKey1) : privateKey1.export({ format: "der", type: "pkcs1" });
+  const block_info = readTag(privateKey, 0);
+  const blocks = readStruct(privateKey, block_info);
+  if (blocks.length === 9) {
+    const version2 = f(privateKey, blocks[0]);
+    const modulus2 = f(privateKey, blocks[1]);
+    const publicExponent2 = f(privateKey, blocks[2]);
+    const privateExponent2 = f(privateKey, blocks[3]);
+    const prime12 = f(privateKey, blocks[4]);
+    const prime22 = f(privateKey, blocks[5]);
+    const exponent12 = f(privateKey, blocks[6]);
+    const exponent22 = f(privateKey, blocks[7]);
+    return {
+      version: version2,
+      modulus: modulus2,
+      publicExponent: publicExponent2,
+      privateExponent: privateExponent2,
+      prime1: prime12,
+      prime2: prime22,
+      exponent1: exponent12,
+      exponent2: exponent22
+    };
+  }
+  if (doDebug2) {
+    console.log("-------------------- private key:");
+    console.log(block_info);
+    console.log(
+      blocks.map((b2) => ({
+        tag: TagType[b2.tag] + " 0x" + b2.tag.toString(16),
+        l: b2.length,
+        p: b2.position,
+        buff: privateKey.subarray(b2.position, b2.position + b2.length).toString("hex")
+      }))
+    );
+  }
+  const b = blocks[2];
+  const bb = privateKey.subarray(b.position, b.position + b.length);
+  const block_info1 = readTag(bb, 0);
+  const blocks1 = readStruct(bb, block_info1);
+  if (doDebug2) {
+    console.log(
+      blocks1.map((b2) => ({
+        tag: TagType[b2.tag] + " 0x" + b2.tag.toString(16),
+        l: b2.length,
+        p: b2.position,
+        buff: bb.subarray(b2.position, b2.position + b2.length).toString("hex")
+      }))
+    );
+  }
+  const version = f(bb, blocks1[0]);
+  const modulus = f(bb, blocks1[1]);
+  const publicExponent = f(bb, blocks1[2]);
+  const privateExponent = f(bb, blocks1[3]);
+  const prime1 = f(bb, blocks1[4]);
+  const prime2 = f(bb, blocks1[5]);
+  const exponent1 = f(bb, blocks1[6]);
+  const exponent2 = f(bb, blocks1[7]);
+  return {
+    version,
+    modulus,
+    publicExponent,
+    privateExponent,
+    prime1,
+    prime2,
+    exponent1,
+    exponent2
+  };
+}
+
+// source/public_private_match.ts
+function publicKeyAndPrivateKeyMatches(certificate, privateKey) {
+  const i = exploreCertificate(certificate);
+  const j = explorePrivateKey(privateKey);
+  const modulus1 = i.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.modulus;
+  const modulus2 = j.modulus;
+  if (modulus1.length != modulus2.length) {
+    return false;
+  }
+  return modulus1.toString("hex") === modulus2.toString("hex");
+}
+function certificateMatchesPrivateKeyPEM(certificate, privateKey, blockSize) {
+  const initialBuffer = Buffer.from("Lorem Ipsum");
+  const encryptedBuffer = publicEncrypt_long(initialBuffer, certificate, blockSize);
+  const decryptedBuffer = privateDecrypt_long(encryptedBuffer, privateKey, blockSize);
+  const finalString = decryptedBuffer.toString("utf-8");
+  return initialBuffer.toString("utf-8") === finalString;
+}
+function certificateMatchesPrivateKey(certificate, privateKey) {
+  const e = explorePrivateKey(privateKey);
+  const blockSize = e.modulus.length;
+  const certificatePEM = toPem(certificate, "CERTIFICATE");
+  return certificateMatchesPrivateKeyPEM(certificatePEM, privateKey, blockSize);
+}
+
+// source/common.ts
+import __crypto from "crypto";
+var KeyObjectOrig = __crypto.KeyObject;
+var { createPrivateKey: createPrivateKeyFromNodeJSCrypto } = __crypto;
+function isKeyObject(mayBeKeyObject) {
+  if (KeyObjectOrig) {
+    return mayBeKeyObject instanceof KeyObjectOrig;
+  }
+  return typeof mayBeKeyObject === "object" && typeof mayBeKeyObject.type === "string";
+}
+var CertificatePurpose = /* @__PURE__ */ ((CertificatePurpose2) => {
+  CertificatePurpose2[CertificatePurpose2["NotSpecified"] = 0] = "NotSpecified";
+  CertificatePurpose2[CertificatePurpose2["ForCertificateAuthority"] = 1] = "ForCertificateAuthority";
+  CertificatePurpose2[CertificatePurpose2["ForApplication"] = 2] = "ForApplication";
+  CertificatePurpose2[CertificatePurpose2["ForUserAuthentication"] = 3] = "ForUserAuthentication";
+  return CertificatePurpose2;
+})(CertificatePurpose || {});
+
+// source/crypto_utils2.ts
 import assert5 from "assert";
+import jsrsasign2 from "jsrsasign";
+function rsaLengthPrivateKey(key) {
+  const keyPem = typeof key.hidden === "string" ? key.hidden : key.hidden.export({ type: "pkcs1", format: "pem" }).toString();
+  const a = jsrsasign2.KEYUTIL.getKey(keyPem);
+  return a.n.toString(16).length / 2;
+}
+function toPem2(raw_key, pem) {
+  if (raw_key.hidden) {
+    return toPem2(raw_key.hidden, pem);
+  }
+  assert5(raw_key, "expecting a key");
+  assert5(typeof pem === "string");
+  if (isKeyObject(raw_key)) {
+    const _raw_key = raw_key;
+    if (pem === "RSA PRIVATE KEY") {
+      return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs1" }).toString());
+    } else if (pem === "PRIVATE KEY") {
+      return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs8" }).toString());
+    } else {
+      throw new Error("Unsupported case!");
+    }
+  }
+  return toPem(raw_key, pem);
+}
+function coercePrivateKeyPem(privateKey) {
+  return toPem2(privateKey, "PRIVATE KEY");
+}
+function coercePublicKeyPem(publicKey) {
+  if (isKeyObject(publicKey)) {
+    return publicKey.export({ format: "pem", type: "spki" }).toString();
+  }
+  assert5(typeof publicKey === "string");
+  return publicKey;
+}
+function coerceRsaPublicKeyPem(publicKey) {
+  if (isKeyObject(publicKey)) {
+    return publicKey.export({ format: "pem", type: "spki" }).toString();
+  }
+  assert5(typeof publicKey === "string");
+  return publicKey;
+}
+function rsaLengthPublicKey(key) {
+  key = coercePublicKeyPem(key);
+  assert5(typeof key === "string");
+  const a = jsrsasign2.KEYUTIL.getKey(key);
+  return a.n.toString(16).length / 2;
+}
+function rsaLengthRsaPublicKey(key) {
+  key = coerceRsaPublicKeyPem(key);
+  assert5(typeof key === "string");
+  const a = jsrsasign2.KEYUTIL.getKey(key);
+  return a.n.toString(16).length / 2;
+}
+
+// source/derived_keys.ts
+import assert7 from "assert";
 import { createCipheriv, createDecipheriv, createHmac } from "crypto";
+
+// source/explore_certificate.ts
+import assert6 from "assert";
+function coerceCertificate(certificate) {
+  if (typeof certificate === "string") {
+    certificate = convertPEMtoDER(certificate);
+  }
+  assert6(certificate instanceof Buffer);
+  return certificate;
+}
+function exploreCertificateInfo(certificate) {
+  certificate = coerceCertificate(certificate);
+  const certInfo = exploreCertificate(certificate);
+  const data = {
+    publicKeyLength: certInfo.tbsCertificate.subjectPublicKeyInfo.keyLength,
+    notBefore: certInfo.tbsCertificate.validity.notBefore,
+    notAfter: certInfo.tbsCertificate.validity.notAfter,
+    publicKey: certInfo.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey,
+    subject: certInfo.tbsCertificate.subject
+  };
+  if (!(data.publicKeyLength === 512 || data.publicKeyLength === 384 || data.publicKeyLength === 256 || data.publicKeyLength === 128)) {
+    throw new Error("Invalid public key length (expecting 128,256,384 or 512)" + data.publicKeyLength);
+  }
+  return data;
+}
+
+// source/derived_keys.ts
 function HMAC_HASH(sha1or256, secret, message) {
   return createHmac(sha1or256, secret).update(message).digest();
 }
@@ -1228,8 +1387,8 @@ function plus(buf1, buf2) {
   return Buffer.concat([buf1, buf2]);
 }
 function makePseudoRandomBuffer(secret, seed, minLength, sha1or256) {
-  assert5(seed instanceof Buffer);
-  assert5(sha1or256 === "SHA1" || sha1or256 === "SHA256");
+  assert7(seed instanceof Buffer);
+  assert7(sha1or256 === "SHA1" || sha1or256 === "SHA256");
   const a = [];
   a[0] = seed;
   let index = 1;
@@ -1242,12 +1401,12 @@ function makePseudoRandomBuffer(secret, seed, minLength, sha1or256) {
   return p_hash.subarray(0, minLength);
 }
 function computeDerivedKeys(secret, seed, options) {
-  assert5(Number.isFinite(options.signatureLength));
-  assert5(Number.isFinite(options.encryptingKeyLength));
-  assert5(Number.isFinite(options.encryptingBlockSize));
-  assert5(typeof options.algorithm === "string");
+  assert7(Number.isFinite(options.signatureLength));
+  assert7(Number.isFinite(options.encryptingKeyLength));
+  assert7(Number.isFinite(options.encryptingBlockSize));
+  assert7(typeof options.algorithm === "string");
   options.sha1or256 = options.sha1or256 || "SHA1";
-  assert5(typeof options.sha1or256 === "string");
+  assert7(typeof options.sha1or256 === "string");
   const offset1 = options.signingKeyLength;
   const offset2 = offset1 + options.encryptingKeyLength;
   const minLength = offset2 + options.encryptingBlockSize;
@@ -1272,7 +1431,7 @@ function removePadding(buffer) {
   return reduceLength(buffer, nbPaddingBytes);
 }
 function verifyChunkSignature(chunk, options) {
-  assert5(chunk instanceof Buffer);
+  assert7(chunk instanceof Buffer);
   let signatureLength = options.signatureLength || 0;
   if (signatureLength === 0) {
     const cert = exploreCertificateInfo(options.publicKey);
@@ -1283,16 +1442,16 @@ function verifyChunkSignature(chunk, options) {
   return verifyMessageChunkSignature(block_to_verify, signature, options);
 }
 function computePaddingFooter(buffer, derivedKeys) {
-  assert5(Object.prototype.hasOwnProperty.call(derivedKeys, "encryptingBlockSize"));
+  assert7(Object.prototype.hasOwnProperty.call(derivedKeys, "encryptingBlockSize"));
   const paddingSize = derivedKeys.encryptingBlockSize - (buffer.length + 1) % derivedKeys.encryptingBlockSize;
   const padding = createFastUninitializedBuffer(paddingSize + 1);
   padding.fill(paddingSize);
   return padding;
 }
 function derivedKeys_algorithm(derivedKeys) {
-  assert5(Object.prototype.hasOwnProperty.call(derivedKeys, "algorithm"));
+  assert7(Object.prototype.hasOwnProperty.call(derivedKeys, "algorithm"));
   const algorithm = derivedKeys.algorithm || "aes-128-cbc";
-  assert5(algorithm === "aes-128-cbc" || algorithm === "aes-256-cbc");
+  assert7(algorithm === "aes-128-cbc" || algorithm === "aes-256-cbc");
   return algorithm;
 }
 function encryptBufferWithDerivedKeys(buffer, derivedKeys) {
@@ -1304,199 +1463,104 @@ function encryptBufferWithDerivedKeys(buffer, derivedKeys) {
   const encrypted_chunks = [];
   encrypted_chunks.push(cipher.update(buffer));
   encrypted_chunks.push(cipher.final());
-  return Buffer.concat(encrypted_chunks);
-}
-function decryptBufferWithDerivedKeys(buffer, derivedKeys) {
-  const algorithm = derivedKeys_algorithm(derivedKeys);
-  const key = derivedKeys.encryptingKey;
-  const initVector = derivedKeys.initializationVector;
-  const cipher = createDecipheriv(algorithm, key, initVector);
-  cipher.setAutoPadding(false);
-  const decrypted_chunks = [];
-  decrypted_chunks.push(cipher.update(buffer));
-  decrypted_chunks.push(cipher.final());
-  return Buffer.concat(decrypted_chunks);
-}
-function makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys) {
-  assert5(message instanceof Buffer);
-  assert5(derivedKeys.signingKey instanceof Buffer);
-  assert5(typeof derivedKeys.sha1or256 === "string");
-  assert5(derivedKeys.sha1or256 === "SHA1" || derivedKeys.sha1or256 === "SHA256");
-  const signature = createHmac(derivedKeys.sha1or256, derivedKeys.signingKey).update(message).digest();
-  assert5(signature.length === derivedKeys.signatureLength);
-  return signature;
-}
-function verifyChunkSignatureWithDerivedKeys(chunk, derivedKeys) {
-  const message = chunk.subarray(0, chunk.length - derivedKeys.signatureLength);
-  const expectedSignature = chunk.subarray(chunk.length - derivedKeys.signatureLength);
-  const computedSignature = makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys);
-  return computedSignature.toString("hex") === expectedSignature.toString("hex");
-}
-
-// source/crypto_utils2.ts
-import assert6 from "assert";
-import jsrsasign2 from "jsrsasign";
-function rsaLengthPrivateKey(key) {
-  const keyPem = typeof key.hidden === "string" ? key.hidden : key.hidden.export({ type: "pkcs1", format: "pem" }).toString();
-  const a = jsrsasign2.KEYUTIL.getKey(keyPem);
-  return a.n.toString(16).length / 2;
-}
-function toPem2(raw_key, pem) {
-  if (raw_key.hidden) {
-    return toPem2(raw_key.hidden, pem);
-  }
-  assert6(raw_key, "expecting a key");
-  assert6(typeof pem === "string");
-  if (isKeyObject(raw_key)) {
-    const _raw_key = raw_key;
-    if (pem === "RSA PRIVATE KEY") {
-      return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs1" }).toString());
-    } else if (pem === "PRIVATE KEY") {
-      return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs8" }).toString());
-    } else {
-      throw new Error("Unsupported case!");
-    }
-  }
-  return toPem(raw_key, pem);
-}
-function coercePrivateKeyPem(privateKey) {
-  return toPem2(privateKey, "PRIVATE KEY");
-}
-function coercePublicKeyPem(publicKey) {
-  if (isKeyObject(publicKey)) {
-    return publicKey.export({ format: "pem", type: "spki" }).toString();
-  }
-  assert6(typeof publicKey === "string");
-  return publicKey;
-}
-function coerceRsaPublicKeyPem(publicKey) {
-  if (isKeyObject(publicKey)) {
-    return publicKey.export({ format: "pem", type: "spki" }).toString();
-  }
-  assert6(typeof publicKey === "string");
-  return publicKey;
-}
-function rsaLengthPublicKey(key) {
-  key = coercePublicKeyPem(key);
-  assert6(typeof key === "string");
-  const a = jsrsasign2.KEYUTIL.getKey(key);
-  return a.n.toString(16).length / 2;
-}
-function rsaLengthRsaPublicKey(key) {
-  key = coerceRsaPublicKeyPem(key);
-  assert6(typeof key === "string");
-  const a = jsrsasign2.KEYUTIL.getKey(key);
-  return a.n.toString(16).length / 2;
+  return Buffer.concat(encrypted_chunks);
 }
-
-// source/verify_certificate_signature.ts
-import { createVerify as createVerify2 } from "crypto";
-function verifyCertificateOrClrSignature(certificateOrCrl, parentCertificate) {
-  const block_info = readTag(certificateOrCrl, 0);
-  const blocks = _readStruct(certificateOrCrl, block_info);
-  const bufferToBeSigned = certificateOrCrl.subarray(block_info.position, blocks[1].position - 2);
-  const signatureAlgorithm = _readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
-  const signatureValue = _readSignatureValueBin(certificateOrCrl, blocks[2]);
-  const p = split_der(parentCertificate)[0];
-  const certPem = toPem(p, "CERTIFICATE");
-  const verify = createVerify2(signatureAlgorithm.identifier);
-  verify.update(bufferToBeSigned);
-  verify.end();
-  return verify.verify(certPem, signatureValue);
+function decryptBufferWithDerivedKeys(buffer, derivedKeys) {
+  const algorithm = derivedKeys_algorithm(derivedKeys);
+  const key = derivedKeys.encryptingKey;
+  const initVector = derivedKeys.initializationVector;
+  const cipher = createDecipheriv(algorithm, key, initVector);
+  cipher.setAutoPadding(false);
+  const decrypted_chunks = [];
+  decrypted_chunks.push(cipher.update(buffer));
+  decrypted_chunks.push(cipher.final());
+  return Buffer.concat(decrypted_chunks);
 }
-function verifyCertificateSignature(certificate, parentCertificate) {
-  return verifyCertificateOrClrSignature(certificate, parentCertificate);
+function makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys) {
+  assert7(message instanceof Buffer);
+  assert7(derivedKeys.signingKey instanceof Buffer);
+  assert7(typeof derivedKeys.sha1or256 === "string");
+  assert7(derivedKeys.sha1or256 === "SHA1" || derivedKeys.sha1or256 === "SHA256");
+  const signature = createHmac(derivedKeys.sha1or256, derivedKeys.signingKey).update(message).digest();
+  assert7(signature.length === derivedKeys.signatureLength);
+  return signature;
 }
-function verifyCertificateRevocationListSignature(certificateRevocationList, parentCertificate) {
-  return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
+function verifyChunkSignatureWithDerivedKeys(chunk, derivedKeys) {
+  const message = chunk.subarray(0, chunk.length - derivedKeys.signatureLength);
+  const expectedSignature = chunk.subarray(chunk.length - derivedKeys.signatureLength);
+  const computedSignature = makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys);
+  return computedSignature.toString("hex") === expectedSignature.toString("hex");
 }
-async function verifyCertificateChain(certificateChain) {
-  for (let index = 1; index < certificateChain.length; index++) {
-    const cert = certificateChain[index - 1];
-    const certParent = certificateChain[index];
-    const certParentInfo = exploreCertificate(certParent);
-    const keyUsage = certParentInfo.tbsCertificate.extensions.keyUsage;
-    if (!keyUsage.keyCertSign) {
-      return {
-        status: "BadCertificateIssuerUseNotAllowed",
-        reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing"
-      };
-    }
-    const parentSignChild = verifyCertificateSignature(cert, certParent);
-    if (!parentSignChild) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "One of the certificate in the chain is not signing the previous certificate"
-      };
-    }
-    const certInfo = exploreCertificate(cert);
-    if (!certInfo.tbsCertificate.extensions) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "Cannot find X409 Extension 3 in certificate"
-      };
-    }
-    if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "Cannot find X409 Extension 3 in certificate (parent)"
-      };
-    }
-    if (certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !== certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate"
-      };
+
+// source/explore_asn1.ts
+function t(tag) {
+  return TagType[tag];
+}
+function bi(blockInfo, depth) {
+  const indent = "  ".repeat(depth);
+  const hl = blockInfo.position - blockInfo.start;
+  return `${blockInfo.start.toString().padStart(5, " ")}:d=${depth} hl=${hl.toString().padEnd(3, " ")}  l=${blockInfo.length.toString().padStart(6, " ")} ${blockInfo.tag.toString(16).padEnd(2, " ")} ${indent} ${t(blockInfo.tag)}`;
+}
+function exploreAsn1(buffer) {
+  console.log(hexDump(buffer));
+  function dump(offset, depth) {
+    const blockInfo = readTag(buffer, offset);
+    dumpBlock(blockInfo, depth);
+    function dumpBlock(blockInfo2, depth2) {
+      console.log(bi(blockInfo2, depth2));
+      if (blockInfo2.tag === 48 /* SEQUENCE */ || blockInfo2.tag === 49 /* SET */ || blockInfo2.tag >= 160 /* CONTEXT_SPECIFIC0 */) {
+        const blocks = readStruct(buffer, blockInfo2);
+        for (const block of blocks) {
+          dumpBlock(block, depth2 + 1);
+        }
+      }
     }
   }
-  return {
-    status: "Good",
-    reason: `certificate chain is valid(length = ${certificateChain.length})`
-  };
+  dump(0, 0);
 }
 
 // source/explore_certificate_revocation_list.ts
 function readNameForCrl(buffer, block) {
-  return _readDirectoryName(buffer, block);
+  return readDirectoryName(buffer, block);
 }
 function _readTbsCertList(buffer, blockInfo) {
-  const blocks = _readStruct(buffer, blockInfo);
+  const blocks = readStruct(buffer, blockInfo);
   const hasOptionalVersion = blocks[0].tag === 2 /* INTEGER */;
   if (hasOptionalVersion) {
-    const version = _readIntegerValue(buffer, blocks[0]);
-    const signature = _readAlgorithmIdentifier(buffer, blocks[1]);
+    const version = readIntegerValue(buffer, blocks[0]);
+    const signature = readAlgorithmIdentifier(buffer, blocks[1]);
     const issuer = readNameForCrl(buffer, blocks[2]);
-    const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(_getBlock(buffer, blocks[2])));
-    const thisUpdate = _readTime(buffer, blocks[3]);
-    const nextUpdate = _readTime(buffer, blocks[4]);
+    const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[2])));
+    const thisUpdate = readTime(buffer, blocks[3]);
+    const nextUpdate = readTime(buffer, blocks[4]);
     const revokedCertificates = [];
     if (blocks[5] && blocks[5].tag < 128) {
-      const list = _readStruct(buffer, blocks[5]);
+      const list = readStruct(buffer, blocks[5]);
       for (const r of list) {
-        const rr = _readStruct(buffer, r);
-        const userCertificate = formatBuffer2DigitHexWithColum(_readLongIntegerValue(buffer, rr[0]));
-        const revocationDate = _readTime(buffer, rr[1]);
+        const rr = readStruct(buffer, r);
+        const userCertificate = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, rr[0]));
+        const revocationDate = readTime(buffer, rr[1]);
         revokedCertificates.push({
           revocationDate,
           userCertificate
         });
       }
     }
-    const ext0 = _findBlockAtIndex(blocks, 0);
+    const ext0 = findBlockAtIndex(blocks, 0);
     return { issuer, issuerFingerprint, thisUpdate, nextUpdate, signature, revokedCertificates };
   } else {
-    const signature = _readAlgorithmIdentifier(buffer, blocks[0]);
+    const signature = readAlgorithmIdentifier(buffer, blocks[0]);
     const issuer = readNameForCrl(buffer, blocks[1]);
-    const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(_getBlock(buffer, blocks[1])));
-    const thisUpdate = _readTime(buffer, blocks[2]);
-    const nextUpdate = _readTime(buffer, blocks[3]);
+    const issuerFingerprint = formatBuffer2DigitHexWithColum(makeSHA1Thumbprint(getBlock(buffer, blocks[1])));
+    const thisUpdate = readTime(buffer, blocks[2]);
+    const nextUpdate = readTime(buffer, blocks[3]);
     const revokedCertificates = [];
     if (blocks[4] && blocks[4].tag < 128) {
-      const list = _readStruct(buffer, blocks[4]);
+      const list = readStruct(buffer, blocks[4]);
       for (const r of list) {
-        const rr = _readStruct(buffer, r);
-        const userCertificate = formatBuffer2DigitHexWithColum(_readLongIntegerValue(buffer, rr[0]));
-        const revocationDate = _readTime(buffer, rr[1]);
+        const rr = readStruct(buffer, r);
+        const userCertificate = formatBuffer2DigitHexWithColum(readLongIntegerValue(buffer, rr[0]));
+        const revocationDate = readTime(buffer, rr[1]);
         revokedCertificates.push({
           revocationDate,
           userCertificate
@@ -1508,18 +1572,18 @@ function _readTbsCertList(buffer, blockInfo) {
 }
 function exploreCertificateRevocationList(crl) {
   const blockInfo = readTag(crl, 0);
-  const blocks = _readStruct(crl, blockInfo);
+  const blocks = readStruct(crl, blockInfo);
   const tbsCertList = _readTbsCertList(crl, blocks[0]);
-  const signatureAlgorithm = _readAlgorithmIdentifier(crl, blocks[1]);
-  const signatureValue = _readSignatureValueBin(crl, blocks[2]);
+  const signatureAlgorithm = readAlgorithmIdentifier(crl, blocks[1]);
+  const signatureValue = readSignatureValueBin(crl, blocks[2]);
   return { tbsCertList, signatureAlgorithm, signatureValue };
 }
 
 // source/explore_certificate_signing_request.ts
 function _readExtensionRequest(buffer) {
   const block = readTag(buffer, 0);
-  const inner_blocks = _readStruct(buffer, block);
-  const extensions = inner_blocks.map((block1) => _readExtension(buffer, block1));
+  const inner_blocks = readStruct(buffer, block);
+  const extensions = inner_blocks.map((block1) => readExtension(buffer, block1));
   const result = {};
   for (const e of extensions) {
     result[e.identifier.name] = e.value;
@@ -1528,204 +1592,39 @@ function _readExtensionRequest(buffer) {
   return { basicConstraints, keyUsage, subjectAltName };
 }
 function readCertificationRequestInfo(buffer, block) {
-  const blocks = _readStruct(buffer, block);
+  const blocks = readStruct(buffer, block);
   if (blocks.length === 4) {
-    const extensionRequestBlock = _findBlockAtIndex(blocks, 0);
+    const extensionRequestBlock = findBlockAtIndex(blocks, 0);
     if (!extensionRequestBlock) {
       throw new Error("cannot find extensionRequest block");
     }
-    const blocks1 = _readStruct(buffer, extensionRequestBlock);
-    const blocks2 = _readStruct(buffer, blocks1[0]);
-    const identifier = _readObjectIdentifier(buffer, blocks2[0]);
+    const blocks1 = readStruct(buffer, extensionRequestBlock);
+    const blocks2 = readStruct(buffer, blocks1[0]);
+    const identifier = readObjectIdentifier(buffer, blocks2[0]);
     if (identifier.name !== "extensionRequest") {
       throw new Error(" Cannot find extension Request in ASN1 block");
     }
-    const buf = _getBlock(buffer, blocks2[1]);
+    const buf = getBlock(buffer, blocks2[1]);
     const extensionRequest = _readExtensionRequest(buf);
-    return { extensionRequest };
-  }
-  throw new Error("Invalid CSR or ");
-}
-function exploreCertificateSigningRequest(crl) {
-  const blockInfo = readTag(crl, 0);
-  const blocks = _readStruct(crl, blockInfo);
-  const csrInfo = readCertificationRequestInfo(crl, blocks[0]);
-  return csrInfo;
-}
-
-// source/explore_private_key.ts
-function f(buffer, b) {
-  return buffer.subarray(b.position + 1, b.position + b.length);
-}
-var doDebug2 = !!process.env.DEBUG;
-function explorePrivateKey(privateKey2) {
-  const privateKey1 = privateKey2.hidden;
-  const privateKey = typeof privateKey1 === "string" ? convertPEMtoDER(privateKey1) : privateKey1.export({ format: "der", type: "pkcs1" });
-  const block_info = readTag(privateKey, 0);
-  const blocks = _readStruct(privateKey, block_info);
-  if (blocks.length === 9) {
-    const version2 = f(privateKey, blocks[0]);
-    const modulus2 = f(privateKey, blocks[1]);
-    const publicExponent2 = f(privateKey, blocks[2]);
-    const privateExponent2 = f(privateKey, blocks[3]);
-    const prime12 = f(privateKey, blocks[4]);
-    const prime22 = f(privateKey, blocks[5]);
-    const exponent12 = f(privateKey, blocks[6]);
-    const exponent22 = f(privateKey, blocks[7]);
-    return {
-      version: version2,
-      modulus: modulus2,
-      publicExponent: publicExponent2,
-      privateExponent: privateExponent2,
-      prime1: prime12,
-      prime2: prime22,
-      exponent1: exponent12,
-      exponent2: exponent22
-    };
-  }
-  if (doDebug2) {
-    console.log("-------------------- private key:");
-    console.log(block_info);
-    console.log(
-      blocks.map((b2) => ({
-        tag: TagType[b2.tag] + " 0x" + b2.tag.toString(16),
-        l: b2.length,
-        p: b2.position,
-        buff: privateKey.subarray(b2.position, b2.position + b2.length).toString("hex")
-      }))
-    );
-  }
-  const b = blocks[2];
-  const bb = privateKey.subarray(b.position, b.position + b.length);
-  const block_info1 = readTag(bb, 0);
-  const blocks1 = _readStruct(bb, block_info1);
-  if (doDebug2) {
-    console.log(
-      blocks1.map((b2) => ({
-        tag: TagType[b2.tag] + " 0x" + b2.tag.toString(16),
-        l: b2.length,
-        p: b2.position,
-        buff: bb.subarray(b2.position, b2.position + b2.length).toString("hex")
-      }))
-    );
-  }
-  const version = f(bb, blocks1[0]);
-  const modulus = f(bb, blocks1[1]);
-  const publicExponent = f(bb, blocks1[2]);
-  const privateExponent = f(bb, blocks1[3]);
-  const prime1 = f(bb, blocks1[4]);
-  const prime2 = f(bb, blocks1[5]);
-  const exponent1 = f(bb, blocks1[6]);
-  const exponent2 = f(bb, blocks1[7]);
-  return {
-    version,
-    modulus,
-    publicExponent,
-    privateExponent,
-    prime1,
-    prime2,
-    exponent1,
-    exponent2
-  };
-}
-
-// source/public_private_match.ts
-function publicKeyAndPrivateKeyMatches(certificate, privateKey) {
-  const i = exploreCertificate(certificate);
-  const j = explorePrivateKey(privateKey);
-  const modulus1 = i.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.modulus;
-  const modulus2 = j.modulus;
-  if (modulus1.length != modulus2.length) {
-    return false;
-  }
-  return modulus1.toString("hex") === modulus2.toString("hex");
-}
-function certificateMatchesPrivateKeyPEM(certificate, privateKey, blockSize) {
-  const initialBuffer = Buffer.from("Lorem Ipsum");
-  const encryptedBuffer = publicEncrypt_long(initialBuffer, certificate, blockSize);
-  const decryptedBuffer = privateDecrypt_long(encryptedBuffer, privateKey, blockSize);
-  const finalString = decryptedBuffer.toString("utf-8");
-  return initialBuffer.toString("utf-8") === finalString;
-}
-function certificateMatchesPrivateKey(certificate, privateKey) {
-  const e = explorePrivateKey(privateKey);
-  const blockSize = e.modulus.length;
-  const certificatePEM = toPem(certificate, "CERTIFICATE");
-  return certificateMatchesPrivateKeyPEM(certificatePEM, privateKey, blockSize);
-}
-
-// source/x509/_crypto.ts
-import * as x509 from "@peculiar/x509";
-import { Crypto as PeculiarWebCrypto } from "@peculiar/webcrypto";
-import nativeCrypto from "crypto";
-import * as x5092 from "@peculiar/x509";
-var doDebug3 = false;
-var _crypto;
-var ignoreCrypto = process.env.IGNORE_SUBTLE_FROM_CRYPTO;
-if (typeof window === "undefined") {
-  _crypto = nativeCrypto;
-  if (!_crypto?.subtle || ignoreCrypto) {
-    _crypto = new PeculiarWebCrypto();
-    doDebug3 && console.warn("using @peculiar/webcrypto");
-  } else {
-    doDebug3 && console.warn("using nodejs crypto (native)");
-  }
-  x509.cryptoProvider.set(_crypto);
-} else {
-  doDebug3 && console.warn("using browser crypto (native)");
-  _crypto = crypto;
-  x509.cryptoProvider.set(crypto);
-}
-function getCrypto() {
-  return _crypto || crypto || __require("crypto");
-}
-
-// source/x509/create_key_pair.ts
-async function generateKeyPair(modulusLength = 2048) {
-  const crypto3 = getCrypto();
-  const alg = {
-    name: "RSASSA-PKCS1-v1_5",
-    hash: { name: "SHA-256" },
-    publicExponent: new Uint8Array([1, 0, 1]),
-    modulusLength
-  };
-  const keys = await crypto3.subtle.generateKey(alg, true, ["sign", "verify"]);
-  return keys;
-}
-async function generatePrivateKey(modulusLength = 2048) {
-  return (await generateKeyPair(modulusLength)).privateKey;
-}
-async function privateKeyToPEM(privateKey) {
-  const crypto3 = getCrypto();
-  const privDer = await crypto3.subtle.exportKey("pkcs8", privateKey);
-  const privPem = x5092.PemConverter.encode(privDer, "PRIVATE KEY");
-  return { privPem, privDer };
-}
-async function derToPrivateKey(privDer) {
-  const crypto3 = getCrypto();
-  return await crypto3.subtle.importKey(
-    "pkcs8",
-    privDer,
-    {
-      name: "RSASSA-PKCS1-v1_5",
-      hash: { name: "SHA-256" }
-    },
-    true,
-    [
-      "sign"
-      // "encrypt",
-      // "decrypt",
-      // "verify",
-      //    "wrapKey",
-      //    "unwrapKey",
-      //    "deriveKey",
-      //    "deriveBits"
-    ]
-  );
+    return { extensionRequest };
+  }
+  throw new Error("Invalid CSR or ");
 }
-async function pemToPrivateKey(pem) {
-  const privDer = x5092.PemConverter.decode(pem);
-  return derToPrivateKey(privDer[0]);
+function exploreCertificateSigningRequest(crl) {
+  const blockInfo = readTag(crl, 0);
+  const blocks = readStruct(crl, blockInfo);
+  const csrInfo = readCertificationRequestInfo(crl, blocks[0]);
+  return csrInfo;
+}
+
+// source/make_private_key_from_pem.ts
+function makePrivateKeyFromPem(privateKeyInPem) {
+  return { hidden: privateKeyInPem };
+}
+
+// source/make_private_key_thumbprint.ts
+function makePrivateKeyThumbPrint(privateKey) {
+  return Buffer.alloc(0);
 }
 
 // source/subject.ts
@@ -1810,11 +1709,180 @@ var Subject = class _Subject {
     return this.toStringInternal("/");
   }
   toString() {
-    const t = this.toStringForOPCUA();
-    return t ? "/" + t : t;
+    const t2 = this.toStringForOPCUA();
+    return t2 ? "/" + t2 : t2;
   }
 };
 
+// source/verify_certificate_signature.ts
+import { createVerify as createVerify2 } from "crypto";
+function verifyCertificateOrClrSignature(certificateOrCrl, parentCertificate) {
+  const block_info = readTag(certificateOrCrl, 0);
+  const blocks = readStruct(certificateOrCrl, block_info);
+  const bufferToBeSigned = certificateOrCrl.subarray(block_info.position, blocks[1].position - 2);
+  const signatureAlgorithm = readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
+  const signatureValue = readSignatureValueBin(certificateOrCrl, blocks[2]);
+  const p = split_der(parentCertificate)[0];
+  const certPem = toPem(p, "CERTIFICATE");
+  const verify = createVerify2(signatureAlgorithm.identifier);
+  verify.update(bufferToBeSigned);
+  verify.end();
+  return verify.verify(certPem, signatureValue);
+}
+function verifyCertificateSignature(certificate, parentCertificate) {
+  return verifyCertificateOrClrSignature(certificate, parentCertificate);
+}
+function verifyCertificateRevocationListSignature(certificateRevocationList, parentCertificate) {
+  return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
+}
+async function verifyCertificateChain(certificateChain) {
+  for (let index = 1; index < certificateChain.length; index++) {
+    const cert = certificateChain[index - 1];
+    const certParent = certificateChain[index];
+    const certParentInfo = exploreCertificate(certParent);
+    const keyUsage = certParentInfo.tbsCertificate.extensions.keyUsage;
+    if (!keyUsage.keyCertSign) {
+      return {
+        status: "BadCertificateIssuerUseNotAllowed",
+        reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing"
+      };
+    }
+    const parentSignChild = verifyCertificateSignature(cert, certParent);
+    if (!parentSignChild) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "One of the certificate in the chain is not signing the previous certificate"
+      };
+    }
+    const certInfo = exploreCertificate(cert);
+    if (!certInfo.tbsCertificate.extensions) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "Cannot find X409 Extension 3 in certificate"
+      };
+    }
+    if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "Cannot find X409 Extension 3 in certificate (parent)"
+      };
+    }
+    if (certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !== certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate"
+      };
+    }
+  }
+  return {
+    status: "Good",
+    reason: `certificate chain is valid(length = ${certificateChain.length})`
+  };
+}
+
+// source/x509/_crypto.ts
+import * as x509 from "@peculiar/x509";
+import { Crypto as PeculiarWebCrypto } from "@peculiar/webcrypto";
+import nativeCrypto from "crypto";
+import * as x5092 from "@peculiar/x509";
+var doDebug3 = false;
+var _crypto;
+var ignoreCrypto = process.env.IGNORE_SUBTLE_FROM_CRYPTO;
+if (typeof window === "undefined") {
+  _crypto = nativeCrypto;
+  if (!_crypto?.subtle || ignoreCrypto) {
+    _crypto = new PeculiarWebCrypto();
+    doDebug3 && console.warn("using @peculiar/webcrypto");
+  } else {
+    doDebug3 && console.warn("using nodejs crypto (native)");
+  }
+  x509.cryptoProvider.set(_crypto);
+} else {
+  doDebug3 && console.warn("using browser crypto (native)");
+  _crypto = crypto;
+  x509.cryptoProvider.set(crypto);
+}
+function getCrypto() {
+  return _crypto || crypto || __require("crypto");
+}
+
+// source/x509/create_key_pair.ts
+async function generateKeyPair(modulusLength = 2048) {
+  const crypto3 = getCrypto();
+  const alg = {
+    name: "RSASSA-PKCS1-v1_5",
+    hash: { name: "SHA-256" },
+    publicExponent: new Uint8Array([1, 0, 1]),
+    modulusLength
+  };
+  const keys = await crypto3.subtle.generateKey(alg, true, ["sign", "verify"]);
+  return keys;
+}
+async function generatePrivateKey(modulusLength = 2048) {
+  return (await generateKeyPair(modulusLength)).privateKey;
+}
+async function privateKeyToPEM(privateKey) {
+  const crypto3 = getCrypto();
+  const privDer = await crypto3.subtle.exportKey("pkcs8", privateKey);
+  const privPem = x5092.PemConverter.encode(privDer, "PRIVATE KEY");
+  return { privPem, privDer };
+}
+async function derToPrivateKey(privDer) {
+  const crypto3 = getCrypto();
+  return await crypto3.subtle.importKey(
+    "pkcs8",
+    privDer,
+    {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: { name: "SHA-256" }
+    },
+    true,
+    [
+      "sign"
+      // "encrypt",
+      // "decrypt",
+      // "verify",
+      //    "wrapKey",
+      //    "unwrapKey",
+      //    "deriveKey",
+      //    "deriveBits"
+    ]
+  );
+}
+async function pemToPrivateKey(pem) {
+  const privDer = x5092.PemConverter.decode(pem);
+  return derToPrivateKey(privDer[0]);
+}
+
+// source/x509/coerce_private_key.ts
+var crypto2 = getCrypto();
+var doDebug4 = false;
+function coercePEMorDerToPrivateKey(privateKeyInDerOrPem) {
+  if (typeof privateKeyInDerOrPem === "string") {
+    const hidden = createPrivateKeyFromNodeJSCrypto(privateKeyInDerOrPem);
+    return { hidden };
+  }
+  throw new Error("not implemented");
+}
+async function _coercePrivateKey(privateKey) {
+  const KeyObject4 = crypto2.KeyObject;
+  if (privateKey instanceof Buffer) {
+    const privateKey1 = await derToPrivateKey(privateKey);
+    return KeyObject4.from(privateKey1);
+  } else if (typeof privateKey === "string") {
+    try {
+      const privateKey1 = await pemToPrivateKey(privateKey);
+      return KeyObject4.from(privateKey1);
+    } catch (err) {
+      doDebug4 && console.log(privateKey);
+      throw err;
+    }
+  } else if (privateKey instanceof KeyObject4) {
+    return privateKey;
+  }
+  throw new Error("Invalid privateKey");
+}
+
 // source/x509/_get_attributes.ts
 var keyUsageApplication = x5092.KeyUsageFlags.keyEncipherment | x5092.KeyUsageFlags.nonRepudiation | x5092.KeyUsageFlags.dataEncipherment | x5092.KeyUsageFlags.keyCertSign | x5092.KeyUsageFlags.digitalSignature;
 var keyUsageCA = x5092.KeyUsageFlags.keyCertSign | x5092.KeyUsageFlags.cRLSign;
@@ -5356,11 +5424,11 @@ function compareSchema(root, inputData, inputSchema) {
     };
   }
   if (inputSchema.primitiveSchema && VALUE_HEX_VIEW in inputData.valueBlock) {
-    const asn1 = localFromBER(inputData.valueBlock.valueHexView);
-    if (asn1.offset === -1) {
+    const asn12 = localFromBER(inputData.valueBlock.valueHexView);
+    if (asn12.offset === -1) {
       const _result = {
         verified: false,
-        result: asn1.result
+        result: asn12.result
       };
       if (inputSchema.name) {
         inputSchema.name = inputSchema.name.replace(/^\s+|\s+$/g, EMPTY_STRING);
@@ -5371,7 +5439,7 @@ function compareSchema(root, inputData, inputSchema) {
       }
       return _result;
     }
-    return compareSchema(root, asn1.result, inputSchema.primitiveSchema);
+    return compareSchema(root, asn12.result, inputSchema.primitiveSchema);
   }
   return {
     verified: true,
@@ -5385,14 +5453,14 @@ function verifySchema(inputBuffer, inputSchema) {
       result: { error: "Wrong ASN.1 schema type" }
     };
   }
-  const asn1 = localFromBER(BufferSourceConverter.toUint8Array(inputBuffer));
-  if (asn1.offset === -1) {
+  const asn12 = localFromBER(BufferSourceConverter.toUint8Array(inputBuffer));
+  if (asn12.offset === -1) {
     return {
       verified: false,
-      result: asn1.result
+      result: asn12.result
     };
   }
-  return compareSchema(asn1.result, asn1.result, inputSchema);
+  return compareSchema(asn12.result, asn12.result, inputSchema);
 }
 
 // ../../node_modules/@peculiar/asn1-schema/build/es2015/enums.js
@@ -6080,70 +6148,12 @@ async function createSelfSignedCertificate({
   return { cert: cert.toString("pem"), der: cert };
 }
 
-// source/x509/coerce_private_key.ts
-var crypto2 = getCrypto();
-var doDebug4 = false;
-function coercePEMorDerToPrivateKey(privateKeyInDerOrPem) {
-  if (typeof privateKeyInDerOrPem === "string") {
-    const hidden = createPrivateKeyFromNodeJSCrypto(privateKeyInDerOrPem);
-    return { hidden };
-  }
-  throw new Error("not implemented");
-}
-async function _coercePrivateKey(privateKey) {
-  const KeyObject4 = crypto2.KeyObject;
-  if (privateKey instanceof Buffer) {
-    const privateKey1 = await derToPrivateKey(privateKey);
-    return KeyObject4.from(privateKey1);
-  } else if (typeof privateKey === "string") {
-    try {
-      const privateKey1 = await pemToPrivateKey(privateKey);
-      return KeyObject4.from(privateKey1);
-    } catch (err) {
-      doDebug4 && console.log(privateKey);
-      throw err;
-    }
-  } else if (privateKey instanceof KeyObject4) {
-    return privateKey;
-  }
-  throw new Error("Invalid privateKey");
-}
-
-// source/make_private_key_from_pem.ts
-function makePrivateKeyFromPem(privateKeyInPem) {
-  return { hidden: privateKeyInPem };
-}
+// source/index_web.ts
+var asn1 = { readDirectoryName, readTag, readStruct, readAlgorithmIdentifier, readSignatureValueBin };
 
 export {
   __dirname,
-  createPrivateKeyFromNodeJSCrypto,
-  isKeyObject,
-  CertificatePurpose,
-  TagType,
-  readTag,
-  _readStruct,
-  parseBitString,
-  _readBitString,
-  formatBuffer2DigitHexWithColum,
-  _readOctetString,
-  _getBlock,
-  _readIntegerAsByteString,
-  _readListOfInteger,
-  _readObjectIdentifier,
-  _readAlgorithmIdentifier,
-  _readECCAlgorithmIdentifier,
-  _readSignatureValueBin,
-  _readSignatureValue,
-  _readLongIntegerValue,
-  _readIntegerValue,
-  _readBooleanValue,
-  _readVersionValue,
-  _readValue,
-  compactDirectoryName,
-  _readDirectoryName,
-  _findBlockAtIndex,
-  _readTime,
-  _readExtension,
+  readExtension,
   readTbsCertificate,
   exploreCertificate,
   split_der,
@@ -6168,6 +6178,19 @@ export {
   coerceCertificatePem,
   extractPublicKeyFromCertificateSync,
   extractPublicKeyFromCertificate,
+  explorePrivateKey,
+  publicKeyAndPrivateKeyMatches,
+  certificateMatchesPrivateKey,
+  createPrivateKeyFromNodeJSCrypto,
+  isKeyObject,
+  CertificatePurpose,
+  rsaLengthPrivateKey,
+  toPem2,
+  coercePrivateKeyPem,
+  coercePublicKeyPem,
+  coerceRsaPublicKeyPem,
+  rsaLengthPublicKey,
+  rsaLengthRsaPublicKey,
   coerceCertificate,
   exploreCertificateInfo,
   makePseudoRandomBuffer,
@@ -6180,35 +6203,28 @@ export {
   decryptBufferWithDerivedKeys,
   makeMessageChunkSignatureWithDerivedKeys,
   verifyChunkSignatureWithDerivedKeys,
-  rsaLengthPrivateKey,
-  toPem2,
-  coercePrivateKeyPem,
-  coercePublicKeyPem,
-  coerceRsaPublicKeyPem,
-  rsaLengthPublicKey,
-  rsaLengthRsaPublicKey,
-  verifyCertificateOrClrSignature,
-  verifyCertificateSignature,
-  verifyCertificateRevocationListSignature,
-  verifyCertificateChain,
+  exploreAsn1,
   readNameForCrl,
   exploreCertificateRevocationList,
   readCertificationRequestInfo,
   exploreCertificateSigningRequest,
-  explorePrivateKey,
-  publicKeyAndPrivateKeyMatches,
-  certificateMatchesPrivateKey,
+  makePrivateKeyFromPem,
+  makePrivateKeyThumbPrint,
+  Subject,
+  verifyCertificateOrClrSignature,
+  verifyCertificateSignature,
+  verifyCertificateRevocationListSignature,
+  verifyCertificateChain,
   generateKeyPair,
   generatePrivateKey,
   privateKeyToPEM,
   derToPrivateKey,
   pemToPrivateKey,
-  Subject,
-  createCertificateSigningRequest,
-  createSelfSignedCertificate,
   coercePEMorDerToPrivateKey,
   _coercePrivateKey,
-  makePrivateKeyFromPem
+  createCertificateSigningRequest,
+  createSelfSignedCertificate,
+  asn1
 };
 /*! Bundled license information:
 
@@ -6278,4 +6294,4 @@ asn1js/build/index.es.js:
    * 
    *)
 */
-//# sourceMappingURL=chunk-46EEAYVO.mjs.map
+//# sourceMappingURL=chunk-LHUQUHQQ.mjs.map