node-opcua-crypto 5.0.0 → 5.2.0

package/dist/{source/index.js → chunk-ERHE4VFS.cjs}

@@ -1,114 +1,13 @@
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { newObj[key] = obj[key]; } } } newObj.default = obj; return newObj; } } function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }var __defProp = Object.defineProperty;
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
 };
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// source/index.ts
-var source_exports = {};
-__export(source_exports, {
-  CertificatePurpose: () => CertificatePurpose,
-  PaddingAlgorithm: () => PaddingAlgorithm,
-  RSA_PKCS1_OAEP_PADDING: () => RSA_PKCS1_OAEP_PADDING,
-  RSA_PKCS1_PADDING: () => RSA_PKCS1_PADDING,
-  Subject: () => Subject,
-  _coercePrivateKey: () => _coercePrivateKey,
-  asn1: () => asn1,
-  certificateMatchesPrivateKey: () => certificateMatchesPrivateKey,
-  coerceCertificate: () => coerceCertificate,
-  coerceCertificatePem: () => coerceCertificatePem,
-  coercePEMorDerToPrivateKey: () => coercePEMorDerToPrivateKey,
-  coercePrivateKeyPem: () => coercePrivateKeyPem,
-  coercePublicKeyPem: () => coercePublicKeyPem,
-  coerceRsaPublicKeyPem: () => coerceRsaPublicKeyPem,
-  combine_der: () => combine_der,
-  computeDerivedKeys: () => computeDerivedKeys,
-  computePaddingFooter: () => computePaddingFooter,
-  convertPEMtoDER: () => convertPEMtoDER,
-  createCertificateSigningRequest: () => createCertificateSigningRequest,
-  createPrivateKeyFromNodeJSCrypto: () => createPrivateKeyFromNodeJSCrypto,
-  createSelfSignedCertificate: () => createSelfSignedCertificate,
-  decryptBufferWithDerivedKeys: () => decryptBufferWithDerivedKeys,
-  derToPrivateKey: () => derToPrivateKey,
-  encryptBufferWithDerivedKeys: () => encryptBufferWithDerivedKeys,
-  exploreAsn1: () => exploreAsn1,
-  exploreCertificate: () => exploreCertificate,
-  exploreCertificateInfo: () => exploreCertificateInfo,
-  exploreCertificateRevocationList: () => exploreCertificateRevocationList,
-  exploreCertificateSigningRequest: () => exploreCertificateSigningRequest,
-  explorePrivateKey: () => explorePrivateKey,
-  extractPublicKeyFromCertificate: () => extractPublicKeyFromCertificate,
-  extractPublicKeyFromCertificateSync: () => extractPublicKeyFromCertificateSync,
-  generateKeyPair: () => generateKeyPair,
-  generatePrivateKey: () => generatePrivateKey,
-  hexDump: () => hexDump,
-  identifyPemType: () => identifyPemType,
-  isKeyObject: () => isKeyObject,
-  makeMessageChunkSignature: () => makeMessageChunkSignature,
-  makeMessageChunkSignatureWithDerivedKeys: () => makeMessageChunkSignatureWithDerivedKeys,
-  makePrivateKeyFromPem: () => makePrivateKeyFromPem,
-  makePrivateKeyThumbPrint: () => makePrivateKeyThumbPrint,
-  makePseudoRandomBuffer: () => makePseudoRandomBuffer,
-  makeSHA1Thumbprint: () => makeSHA1Thumbprint,
-  pemToPrivateKey: () => pemToPrivateKey,
-  privateDecrypt: () => privateDecrypt,
-  privateDecrypt_long: () => privateDecrypt_long,
-  privateDecrypt_native: () => privateDecrypt_native,
-  privateKeyToPEM: () => privateKeyToPEM,
-  publicEncrypt: () => publicEncrypt,
-  publicEncrypt_long: () => publicEncrypt_long,
-  publicEncrypt_native: () => publicEncrypt_native,
-  publicKeyAndPrivateKeyMatches: () => publicKeyAndPrivateKeyMatches,
-  readCertificationRequestInfo: () => readCertificationRequestInfo,
-  readExtension: () => readExtension,
-  readNameForCrl: () => readNameForCrl,
-  readTbsCertificate: () => readTbsCertificate,
-  reduceLength: () => reduceLength,
-  removePadding: () => removePadding,
-  removeTrailingLF: () => removeTrailingLF,
-  rsaLengthPrivateKey: () => rsaLengthPrivateKey,
-  rsaLengthPublicKey: () => rsaLengthPublicKey,
-  rsaLengthRsaPublicKey: () => rsaLengthRsaPublicKey,
-  split_der: () => split_der,
-  toPem: () => toPem,
-  toPem2: () => toPem2,
-  verifyCertificateChain: () => verifyCertificateChain,
-  verifyCertificateOrClrSignature: () => verifyCertificateOrClrSignature,
-  verifyCertificateRevocationListSignature: () => verifyCertificateRevocationListSignature,
-  verifyCertificateSignature: () => verifyCertificateSignature,
-  verifyChunkSignature: () => verifyChunkSignature,
-  verifyChunkSignatureWithDerivedKeys: () => verifyChunkSignatureWithDerivedKeys,
-  verifyMessageChunkSignature: () => verifyMessageChunkSignature
-});
-module.exports = __toCommonJS(source_exports);
 
 // source/common.ts
-var import_node_crypto = __toESM(require("crypto"));
-var KeyObjectOrig = import_node_crypto.default.KeyObject;
-var { createPrivateKey: createPrivateKeyFromNodeJSCrypto } = import_node_crypto.default;
+var _crypto2 = require('crypto'); var _crypto3 = _interopRequireDefault(_crypto2);
+var KeyObjectOrig = _crypto3.default.KeyObject;
+var { createPrivateKey: createPrivateKeyFromNodeJSCrypto } = _crypto3.default;
 function isKeyObject(mayBeKeyObject) {
   if (KeyObjectOrig) {
     return mayBeKeyObject instanceof KeyObjectOrig;
@@ -124,10 +23,10 @@ var CertificatePurpose = /* @__PURE__ */ ((CertificatePurpose2) => {
 })(CertificatePurpose || {});
 
 // source/crypto_explore_certificate.ts
-var import_node_assert4 = __toESM(require("assert"));
+var _assert = require('assert'); var _assert2 = _interopRequireDefault(_assert);
 
 // source/asn1.ts
-var import_node_assert = __toESM(require("assert"));
+
 
 // source/oid_map.ts
 var oid_map = {
@@ -501,12 +400,12 @@ function parseBitString(buffer, start, end, maxLength) {
       s += b >> j & 1 ? "1" : "0";
     }
     skip = 0;
-    (0, import_node_assert.default)(s.length <= maxLength);
+    _assert2.default.call(void 0, s.length <= maxLength);
   }
   return intro + s;
 }
 function readBitString(buffer, block) {
-  (0, import_node_assert.default)(block.tag === 3 /* BIT_STRING */);
+  _assert2.default.call(void 0, block.tag === 3 /* BIT_STRING */);
   const data = getBlock(buffer, block);
   const ignore_bits = data.readUInt8(0);
   return {
@@ -524,9 +423,9 @@ function formatBuffer2DigitHexWithColum(buffer) {
   return value.join(":").toUpperCase().replace(/^(00:)*/, "");
 }
 function readOctetString(buffer, block) {
-  (0, import_node_assert.default)(block.tag === 4 /* OCTET_STRING */);
+  _assert2.default.call(void 0, block.tag === 4 /* OCTET_STRING */);
   const tag = readTag(buffer, block.position);
-  (0, import_node_assert.default)(tag.tag === 4 /* OCTET_STRING */);
+  _assert2.default.call(void 0, tag.tag === 4 /* OCTET_STRING */);
   const nbBytes = tag.length;
   const pos = tag.position;
   const b = buffer.subarray(pos, pos + nbBytes);
@@ -564,11 +463,11 @@ function parseOID(buffer, start, end) {
       bits = 0;
     }
   }
-  (0, import_node_assert.default)(bits === 0);
+  _assert2.default.call(void 0, bits === 0);
   return s;
 }
 function readObjectIdentifier(buffer, block) {
-  (0, import_node_assert.default)(block.tag === 6 /* OBJECT_IDENTIFIER */);
+  _assert2.default.call(void 0, block.tag === 6 /* OBJECT_IDENTIFIER */);
   const b = buffer.subarray(block.position, block.position + block.length);
   const oid = parseOID(b, 0, block.length);
   return {
@@ -596,17 +495,17 @@ function readSignatureValue(buffer, block) {
   return readSignatureValueBin(buffer, block).toString("hex");
 }
 function readLongIntegerValue(buffer, block) {
-  (0, import_node_assert.default)(block.tag === 2 /* INTEGER */, "expecting a INTEGER tag");
+  _assert2.default.call(void 0, block.tag === 2 /* INTEGER */, "expecting a INTEGER tag");
   const pos = block.position;
   const nbBytes = block.length;
   const buf = buffer.subarray(pos, pos + nbBytes);
   return buf;
 }
 function readIntegerValue(buffer, block) {
-  (0, import_node_assert.default)(block.tag === 2 /* INTEGER */, "expecting a INTEGER tag");
+  _assert2.default.call(void 0, block.tag === 2 /* INTEGER */, "expecting a INTEGER tag");
   let pos = block.position;
   const nbBytes = block.length;
-  (0, import_node_assert.default)(nbBytes < 4);
+  _assert2.default.call(void 0, nbBytes < 4);
   let value = 0;
   for (let i = 0; i < nbBytes; i++) {
     value = value * 256 + buffer.readUInt8(pos);
@@ -615,10 +514,10 @@ function readIntegerValue(buffer, block) {
   return value;
 }
 function readBooleanValue(buffer, block) {
-  (0, import_node_assert.default)(block.tag === 1 /* BOOLEAN */, `expecting a BOOLEAN tag. got ${TagType[block.tag]}`);
+  _assert2.default.call(void 0, block.tag === 1 /* BOOLEAN */, `expecting a BOOLEAN tag. got ${TagType[block.tag]}`);
   const pos = block.position;
   const nbBytes = block.length;
-  (0, import_node_assert.default)(nbBytes < 4);
+  _assert2.default.call(void 0, nbBytes < 4);
   const value = !!buffer.readUInt8(pos);
   return value;
 }
@@ -686,10 +585,16 @@ function readTime(buffer, block) {
 }
 
 // source/crypto_utils.ts
-var import_node_assert2 = __toESM(require("assert"));
-var import_node_constants = __toESM(require("constants"));
-var import_node_crypto2 = require("crypto");
-var import_jsrsasign = __toESM(require("jsrsasign"));
+
+var _constants = require('constants'); var _constants2 = _interopRequireDefault(_constants);
+
+
+
+
+
+
+
+
 
 // source/buffer_utils.ts
 var createFastUninitializedBuffer = Buffer.allocUnsafe ? Buffer.allocUnsafe : (size) => {
@@ -706,9 +611,9 @@ function hexy(buffer, { width, format } = {}) {
   const regexTwos = new RegExp(`.{1,${2}}`, "g");
   let fullHex = buffer.toString("hex");
   if (format === "twos") {
-    fullHex = fullHex.match(regexTwos)?.join(" ") || "";
+    fullHex = _optionalChain([fullHex, 'access', _ => _.match, 'call', _2 => _2(regexTwos), 'optionalAccess', _3 => _3.join, 'call', _4 => _4(" ")]) || "";
   }
-  return fullHex.match(regex)?.join("\n") || "";
+  return _optionalChain([fullHex, 'access', _5 => _5.match, 'call', _6 => _6(regex), 'optionalAccess', _7 => _7.join, 'call', _8 => _8("\n")]) || "";
 }
 
 // source/crypto_utils.ts
@@ -726,14 +631,14 @@ function removeTrailingLF(str) {
   return tmp;
 }
 function toPem(raw_key, pem) {
-  (0, import_node_assert2.default)(raw_key, "expecting a key");
-  (0, import_node_assert2.default)(typeof pem === "string");
+  _assert2.default.call(void 0, raw_key, "expecting a key");
+  _assert2.default.call(void 0, typeof pem === "string");
   let pemType = identifyPemType(raw_key);
   if (pemType) {
     return Buffer.isBuffer(raw_key) ? removeTrailingLF(raw_key.toString("utf8")) : removeTrailingLF(raw_key);
   } else {
     pemType = pem;
-    (0, import_node_assert2.default)(["CERTIFICATE REQUEST", "CERTIFICATE", "RSA PRIVATE KEY", "PUBLIC KEY", "X509 CRL"].indexOf(pemType) >= 0);
+    _assert2.default.call(void 0, ["CERTIFICATE REQUEST", "CERTIFICATE", "RSA PRIVATE KEY", "PUBLIC KEY", "X509 CRL"].indexOf(pemType) >= 0);
     let b = raw_key.toString("base64");
     let str = `-----BEGIN ${pemType}-----
 `;
@@ -775,34 +680,34 @@ function hexDump(buffer, width) {
   }
 }
 function makeMessageChunkSignature(chunk, options) {
-  const signer = (0, import_node_crypto2.createSign)(options.algorithm);
+  const signer = _crypto2.createSign.call(void 0, options.algorithm);
   signer.update(chunk);
   const signature = signer.sign(options.privateKey.hidden);
-  (0, import_node_assert2.default)(!options.signatureLength || signature.length === options.signatureLength);
+  _assert2.default.call(void 0, !options.signatureLength || signature.length === options.signatureLength);
   return signature;
 }
 function verifyMessageChunkSignature(blockToVerify, signature, options) {
-  const verify = (0, import_node_crypto2.createVerify)(options.algorithm);
+  const verify = _crypto2.createVerify.call(void 0, options.algorithm);
   verify.update(blockToVerify);
   return verify.verify(options.publicKey, signature);
 }
 function makeSHA1Thumbprint(buffer) {
-  return (0, import_node_crypto2.createHash)("sha1").update(buffer).digest();
+  return _crypto2.createHash.call(void 0, "sha1").update(buffer).digest();
 }
-var RSA_PKCS1_OAEP_PADDING = import_node_constants.default.RSA_PKCS1_OAEP_PADDING;
-var RSA_PKCS1_PADDING = import_node_constants.default.RSA_PKCS1_PADDING;
+var RSA_PKCS1_OAEP_PADDING = _constants2.default.RSA_PKCS1_OAEP_PADDING;
+var RSA_PKCS1_PADDING = _constants2.default.RSA_PKCS1_PADDING;
 var PaddingAlgorithm = /* @__PURE__ */ ((PaddingAlgorithm2) => {
   PaddingAlgorithm2[PaddingAlgorithm2["RSA_PKCS1_OAEP_PADDING"] = 4] = "RSA_PKCS1_OAEP_PADDING";
   PaddingAlgorithm2[PaddingAlgorithm2["RSA_PKCS1_PADDING"] = 1] = "RSA_PKCS1_PADDING";
   return PaddingAlgorithm2;
 })(PaddingAlgorithm || {});
-(0, import_node_assert2.default)(4 /* RSA_PKCS1_OAEP_PADDING */ === import_node_constants.default.RSA_PKCS1_OAEP_PADDING);
-(0, import_node_assert2.default)(1 /* RSA_PKCS1_PADDING */ === import_node_constants.default.RSA_PKCS1_PADDING);
+_assert2.default.call(void 0, 4 /* RSA_PKCS1_OAEP_PADDING */ === _constants2.default.RSA_PKCS1_OAEP_PADDING);
+_assert2.default.call(void 0, 1 /* RSA_PKCS1_PADDING */ === _constants2.default.RSA_PKCS1_PADDING);
 function publicEncrypt_native(buffer, publicKey, algorithm) {
   if (algorithm === void 0) {
     algorithm = 4 /* RSA_PKCS1_OAEP_PADDING */;
   }
-  return (0, import_node_crypto2.publicEncrypt)(
+  return _crypto2.publicEncrypt.call(void 0, 
     {
       key: publicKey,
       padding: algorithm
@@ -815,7 +720,7 @@ function privateDecrypt_native(buffer, privateKey, algorithm) {
     algorithm = 4 /* RSA_PKCS1_OAEP_PADDING */;
   }
   try {
-    return (0, import_node_crypto2.privateDecrypt)(
+    return _crypto2.privateDecrypt.call(void 0, 
       {
         key: privateKey.hidden,
         padding: algorithm
@@ -874,14 +779,14 @@ function coerceCertificatePem(certificate) {
   if (Buffer.isBuffer(certificate)) {
     certificate = toPem(certificate, "CERTIFICATE");
   }
-  (0, import_node_assert2.default)(typeof certificate === "string");
+  _assert2.default.call(void 0, typeof certificate === "string");
   return certificate;
 }
 function extractPublicKeyFromCertificateSync(certificate) {
   certificate = coerceCertificatePem(certificate);
-  const key = import_jsrsasign.default.KEYUTIL.getKey(certificate);
-  const publicKeyAsPem = import_jsrsasign.default.KEYUTIL.getPEM(key);
-  (0, import_node_assert2.default)(typeof publicKeyAsPem === "string");
+  const publicKeyObject = _crypto2.createPublicKey.call(void 0, certificate);
+  const publicKeyAsPem = publicKeyObject.export({ format: "pem", type: "spki" }).toString();
+  _assert2.default.call(void 0, typeof publicKeyAsPem === "string");
   return publicKeyAsPem;
 }
 function extractPublicKeyFromCertificate(certificate, callback) {
@@ -898,17 +803,17 @@ function extractPublicKeyFromCertificate(certificate, callback) {
 }
 
 // source/directory_name.ts
-var import_node_assert3 = __toESM(require("assert"));
+
 function readDirectoryName(buffer, block) {
   const set_blocks = readStruct(buffer, block);
   const names = {};
   for (const set_block of set_blocks) {
-    (0, import_node_assert3.default)(set_block.tag === 49);
+    _assert2.default.call(void 0, set_block.tag === 49);
     const blocks = readStruct(buffer, set_block);
-    (0, import_node_assert3.default)(blocks.length === 1);
-    (0, import_node_assert3.default)(blocks[0].tag === 48);
+    _assert2.default.call(void 0, blocks.length === 1);
+    _assert2.default.call(void 0, blocks[0].tag === 48);
     const sequenceBlock = readStruct(buffer, blocks[0]);
-    (0, import_node_assert3.default)(sequenceBlock.length === 2);
+    _assert2.default.call(void 0, sequenceBlock.length === 2);
     const type = readObjectIdentifier(buffer, sequenceBlock[0]);
     names[type.name] = readValue(buffer, sequenceBlock[1]);
   }
@@ -1033,7 +938,7 @@ function _readGeneralNames(buffer, block) {
   }
   const n = {};
   for (const block2 of blocks) {
-    (0, import_node_assert4.default)((block2.tag & 128) === 128);
+    _assert2.default.call(void 0, (block2.tag & 128) === 128);
     const t2 = block2.tag & 127;
     const type = _data[t2];
     if (!type) {
@@ -1093,7 +998,7 @@ function readKeyUsage(_oid, buffer) {
   };
 }
 function readExtKeyUsage(oid, buffer) {
-  (0, import_node_assert4.default)(oid === "2.5.29.37");
+  _assert2.default.call(void 0, oid === "2.5.29.37");
   const block_info = readTag(buffer, 0);
   const inner_blocks = readStruct(buffer, block_info);
   const extKeyUsage = {
@@ -1123,7 +1028,7 @@ function _readSubjectPublicKey(buffer) {
 function readExtension(buffer, block) {
   const inner_blocks = readStruct(buffer, block);
   if (inner_blocks.length === 3) {
-    (0, import_node_assert4.default)(inner_blocks[1].tag === 1 /* BOOLEAN */);
+    _assert2.default.call(void 0, inner_blocks[1].tag === 1 /* BOOLEAN */);
     inner_blocks[1] = inner_blocks[2];
   }
   const identifier = readObjectIdentifier(buffer, inner_blocks[0]);
@@ -1160,7 +1065,7 @@ function readExtension(buffer, block) {
   };
 }
 function _readExtensions(buffer, block) {
-  (0, import_node_assert4.default)(block.tag === 163);
+  _assert2.default.call(void 0, block.tag === 163);
   let inner_blocks = readStruct(buffer, block);
   inner_blocks = readStruct(buffer, inner_blocks[0]);
   const extensions = inner_blocks.map((block2) => readExtension(buffer, block2));
@@ -1238,7 +1143,7 @@ function readTbsCertificate(buffer, block) {
         break;
       }
       default: {
-        (0, import_node_assert4.default)(what_type === "ecPublicKey");
+        _assert2.default.call(void 0, what_type === "ecPublicKey");
         subjectPublicKeyInfo = _readSubjectECCPublicKeyInfo(buffer, blocks[6]);
         break;
       }
@@ -1264,7 +1169,7 @@ function readTbsCertificate(buffer, block) {
   };
 }
 function exploreCertificate(certificate) {
-  (0, import_node_assert4.default)(Buffer.isBuffer(certificate));
+  _assert2.default.call(void 0, Buffer.isBuffer(certificate));
   const certificate_priv = certificate;
   if (!certificate_priv._exploreCertificate_cache) {
     const block_info = readTag(certificate, 0);
@@ -1294,239 +1199,14 @@ function combine_der(certificates) {
     let sum = 0;
     b.forEach((block) => {
       const block_info = readTag(block, 0);
-      (0, import_node_assert4.default)(block_info.position + block_info.length === block.length);
+      _assert2.default.call(void 0, block_info.position + block_info.length === block.length);
       sum += block.length;
     });
-    (0, import_node_assert4.default)(sum === cert.length);
+    _assert2.default.call(void 0, sum === cert.length);
   }
   return Buffer.concat(certificates);
 }
 
-// source/crypto_utils2.ts
-var import_node_assert5 = __toESM(require("assert"));
-var import_jsrsasign2 = __toESM(require("jsrsasign"));
-function rsaLengthPrivateKey(key) {
-  const keyPem = typeof key.hidden === "string" ? key.hidden : key.hidden.export({ type: "pkcs1", format: "pem" }).toString();
-  const a = import_jsrsasign2.default.KEYUTIL.getKey(keyPem);
-  return a.n.toString(16).length / 2;
-}
-function toPem2(raw_key, pem) {
-  if (raw_key.hidden) {
-    return toPem2(raw_key.hidden, pem);
-  }
-  (0, import_node_assert5.default)(raw_key, "expecting a key");
-  (0, import_node_assert5.default)(typeof pem === "string");
-  if (isKeyObject(raw_key)) {
-    const _raw_key = raw_key;
-    if (pem === "RSA PRIVATE KEY") {
-      return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs1" }).toString());
-    } else if (pem === "PRIVATE KEY") {
-      return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs8" }).toString());
-    } else {
-      throw new Error("Unsupported case!");
-    }
-  }
-  return toPem(raw_key, pem);
-}
-function coercePrivateKeyPem(privateKey) {
-  return toPem2(privateKey, "PRIVATE KEY");
-}
-function coercePublicKeyPem(publicKey) {
-  if (isKeyObject(publicKey)) {
-    return publicKey.export({ format: "pem", type: "spki" }).toString();
-  }
-  (0, import_node_assert5.default)(typeof publicKey === "string");
-  return publicKey;
-}
-function coerceRsaPublicKeyPem(publicKey) {
-  if (isKeyObject(publicKey)) {
-    return publicKey.export({ format: "pem", type: "spki" }).toString();
-  }
-  (0, import_node_assert5.default)(typeof publicKey === "string");
-  return publicKey;
-}
-function rsaLengthPublicKey(key) {
-  key = coercePublicKeyPem(key);
-  (0, import_node_assert5.default)(typeof key === "string");
-  const a = import_jsrsasign2.default.KEYUTIL.getKey(key);
-  return a.n.toString(16).length / 2;
-}
-function rsaLengthRsaPublicKey(key) {
-  key = coerceRsaPublicKeyPem(key);
-  (0, import_node_assert5.default)(typeof key === "string");
-  const a = import_jsrsasign2.default.KEYUTIL.getKey(key);
-  return a.n.toString(16).length / 2;
-}
-
-// source/derived_keys.ts
-var import_node_assert7 = __toESM(require("assert"));
-var import_node_crypto3 = require("crypto");
-
-// source/explore_certificate.ts
-var import_node_assert6 = __toESM(require("assert"));
-function coerceCertificate(certificate) {
-  if (typeof certificate === "string") {
-    certificate = convertPEMtoDER(certificate);
-  }
-  (0, import_node_assert6.default)(Buffer.isBuffer(certificate));
-  return certificate;
-}
-function exploreCertificateInfo(certificate) {
-  certificate = coerceCertificate(certificate);
-  const certInfo = exploreCertificate(certificate);
-  const data = {
-    publicKeyLength: certInfo.tbsCertificate.subjectPublicKeyInfo.keyLength,
-    notBefore: certInfo.tbsCertificate.validity.notBefore,
-    notAfter: certInfo.tbsCertificate.validity.notAfter,
-    publicKey: certInfo.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey,
-    subject: certInfo.tbsCertificate.subject
-  };
-  if (!(data.publicKeyLength === 512 || data.publicKeyLength === 384 || data.publicKeyLength === 256 || data.publicKeyLength === 128)) {
-    throw new Error(`Invalid public key length (expecting 128,256,384 or 512): ${data.publicKeyLength}`);
-  }
-  return data;
-}
-
-// source/derived_keys.ts
-function HMAC_HASH(sha1or256, secret, message) {
-  return (0, import_node_crypto3.createHmac)(sha1or256, secret).update(message).digest();
-}
-function plus(buf1, buf2) {
-  return Buffer.concat([buf1, buf2]);
-}
-function makePseudoRandomBuffer(secret, seed, minLength, sha1or256) {
-  (0, import_node_assert7.default)(Buffer.isBuffer(seed));
-  (0, import_node_assert7.default)(sha1or256 === "SHA1" || sha1or256 === "SHA256");
-  const a = [];
-  a[0] = seed;
-  let index = 1;
-  let p_hash = createFastUninitializedBuffer(0);
-  while (p_hash.length <= minLength) {
-    a[index] = HMAC_HASH(sha1or256, secret, a[index - 1]);
-    p_hash = plus(p_hash, HMAC_HASH(sha1or256, secret, plus(a[index], seed)));
-    index += 1;
-  }
-  return p_hash.subarray(0, minLength);
-}
-function computeDerivedKeys(secret, seed, options) {
-  (0, import_node_assert7.default)(Number.isFinite(options.signatureLength));
-  (0, import_node_assert7.default)(Number.isFinite(options.encryptingKeyLength));
-  (0, import_node_assert7.default)(Number.isFinite(options.encryptingBlockSize));
-  (0, import_node_assert7.default)(typeof options.algorithm === "string");
-  options.sha1or256 = options.sha1or256 || "SHA1";
-  (0, import_node_assert7.default)(typeof options.sha1or256 === "string");
-  const offset1 = options.signingKeyLength;
-  const offset2 = offset1 + options.encryptingKeyLength;
-  const minLength = offset2 + options.encryptingBlockSize;
-  const buf = makePseudoRandomBuffer(secret, seed, minLength, options.sha1or256);
-  return {
-    signatureLength: options.signatureLength,
-    signingKeyLength: options.signingKeyLength,
-    encryptingKeyLength: options.encryptingKeyLength,
-    encryptingBlockSize: options.encryptingBlockSize,
-    algorithm: options.algorithm,
-    sha1or256: options.sha1or256,
-    signingKey: buf.subarray(0, offset1),
-    encryptingKey: buf.subarray(offset1, offset2),
-    initializationVector: buf.subarray(offset2, minLength)
-  };
-}
-function reduceLength(buffer, byteToRemove) {
-  return buffer.subarray(0, buffer.length - byteToRemove);
-}
-function removePadding(buffer) {
-  const nbPaddingBytes = buffer.readUInt8(buffer.length - 1) + 1;
-  return reduceLength(buffer, nbPaddingBytes);
-}
-function verifyChunkSignature(chunk, options) {
-  (0, import_node_assert7.default)(Buffer.isBuffer(chunk));
-  let signatureLength = options.signatureLength || 0;
-  if (signatureLength === 0) {
-    const cert = exploreCertificateInfo(options.publicKey);
-    signatureLength = cert.publicKeyLength || 0;
-  }
-  const block_to_verify = chunk.subarray(0, chunk.length - signatureLength);
-  const signature = chunk.subarray(chunk.length - signatureLength);
-  return verifyMessageChunkSignature(block_to_verify, signature, options);
-}
-function computePaddingFooter(buffer, derivedKeys) {
-  (0, import_node_assert7.default)(Object.hasOwn(derivedKeys, "encryptingBlockSize"));
-  const paddingSize = derivedKeys.encryptingBlockSize - (buffer.length + 1) % derivedKeys.encryptingBlockSize;
-  const padding = createFastUninitializedBuffer(paddingSize + 1);
-  padding.fill(paddingSize);
-  return padding;
-}
-function derivedKeys_algorithm(derivedKeys) {
-  (0, import_node_assert7.default)(Object.hasOwn(derivedKeys, "algorithm"));
-  const algorithm = derivedKeys.algorithm || "aes-128-cbc";
-  (0, import_node_assert7.default)(algorithm === "aes-128-cbc" || algorithm === "aes-256-cbc");
-  return algorithm;
-}
-function encryptBufferWithDerivedKeys(buffer, derivedKeys) {
-  const algorithm = derivedKeys_algorithm(derivedKeys);
-  const key = derivedKeys.encryptingKey;
-  const initVector = derivedKeys.initializationVector;
-  const cipher = (0, import_node_crypto3.createCipheriv)(algorithm, key, initVector);
-  cipher.setAutoPadding(false);
-  const encrypted_chunks = [];
-  encrypted_chunks.push(cipher.update(buffer));
-  encrypted_chunks.push(cipher.final());
-  return Buffer.concat(encrypted_chunks);
-}
-function decryptBufferWithDerivedKeys(buffer, derivedKeys) {
-  const algorithm = derivedKeys_algorithm(derivedKeys);
-  const key = derivedKeys.encryptingKey;
-  const initVector = derivedKeys.initializationVector;
-  const cipher = (0, import_node_crypto3.createDecipheriv)(algorithm, key, initVector);
-  cipher.setAutoPadding(false);
-  const decrypted_chunks = [];
-  decrypted_chunks.push(cipher.update(buffer));
-  decrypted_chunks.push(cipher.final());
-  return Buffer.concat(decrypted_chunks);
-}
-function makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys) {
-  (0, import_node_assert7.default)(Buffer.isBuffer(message));
-  (0, import_node_assert7.default)(Buffer.isBuffer(derivedKeys.signingKey));
-  (0, import_node_assert7.default)(typeof derivedKeys.sha1or256 === "string");
-  (0, import_node_assert7.default)(derivedKeys.sha1or256 === "SHA1" || derivedKeys.sha1or256 === "SHA256");
-  const signature = (0, import_node_crypto3.createHmac)(derivedKeys.sha1or256, derivedKeys.signingKey).update(message).digest();
-  (0, import_node_assert7.default)(signature.length === derivedKeys.signatureLength);
-  return signature;
-}
-function verifyChunkSignatureWithDerivedKeys(chunk, derivedKeys) {
-  const message = chunk.subarray(0, chunk.length - derivedKeys.signatureLength);
-  const expectedSignature = chunk.subarray(chunk.length - derivedKeys.signatureLength);
-  const computedSignature = makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys);
-  return computedSignature.toString("hex") === expectedSignature.toString("hex");
-}
-
-// source/explore_asn1.ts
-function t(tag) {
-  return TagType[tag];
-}
-function bi(blockInfo, depth) {
-  const indent = "  ".repeat(depth);
-  const hl = blockInfo.position - blockInfo.start;
-  return `${blockInfo.start.toString().padStart(5, " ")}:d=${depth} hl=${hl.toString().padEnd(3, " ")}  l=${blockInfo.length.toString().padStart(6, " ")} ${blockInfo.tag.toString(16).padEnd(2, " ")} ${indent} ${t(blockInfo.tag)}`;
-}
-function exploreAsn1(buffer) {
-  console.log(hexDump(buffer));
-  function dump(offset, depth) {
-    const blockInfo = readTag(buffer, offset);
-    dumpBlock(blockInfo, depth);
-    function dumpBlock(blockInfo2, depth2) {
-      console.log(bi(blockInfo2, depth2));
-      if (blockInfo2.tag === 48 /* SEQUENCE */ || blockInfo2.tag === 49 /* SET */ || blockInfo2.tag >= 160 /* CONTEXT_SPECIFIC0 */) {
-        const blocks = readStruct(buffer, blockInfo2);
-        for (const block of blocks) {
-          dumpBlock(block, depth2 + 1);
-        }
-      }
-    }
-  }
-  dump(0, 0);
-}
-
 // source/explore_certificate_revocation_list.ts
 function readNameForCrl(buffer, block) {
   return readDirectoryName(buffer, block);
@@ -1587,6 +1267,137 @@ function exploreCertificateRevocationList(crl) {
   return { tbsCertList, signatureAlgorithm, signatureValue };
 }
 
+// source/verify_certificate_signature.ts
+
+function verifyCertificateOrClrSignature(certificateOrCrl, parentCertificate) {
+  const block_info = readTag(certificateOrCrl, 0);
+  const blocks = readStruct(certificateOrCrl, block_info);
+  const bufferToBeSigned = certificateOrCrl.subarray(block_info.position, blocks[1].position - 2);
+  const signatureAlgorithm = readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
+  const signatureValue = readSignatureValueBin(certificateOrCrl, blocks[2]);
+  const p = split_der(parentCertificate)[0];
+  const certPem = toPem(p, "CERTIFICATE");
+  const verify = _crypto2.createVerify.call(void 0, signatureAlgorithm.identifier);
+  verify.update(bufferToBeSigned);
+  verify.end();
+  return verify.verify(certPem, signatureValue);
+}
+function verifyCertificateSignature(certificate, parentCertificate) {
+  return verifyCertificateOrClrSignature(certificate, parentCertificate);
+}
+function verifyCertificateRevocationListSignature(certificateRevocationList, parentCertificate) {
+  return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
+}
+async function verifyCertificateChain(certificateChain) {
+  for (let index = 1; index < certificateChain.length; index++) {
+    const cert = certificateChain[index - 1];
+    const certParent = certificateChain[index];
+    const certParentInfo = exploreCertificate(certParent);
+    const keyUsage = _optionalChain([certParentInfo, 'access', _9 => _9.tbsCertificate, 'access', _10 => _10.extensions, 'optionalAccess', _11 => _11.keyUsage]);
+    if (!keyUsage || !keyUsage.keyCertSign) {
+      return {
+        status: "BadCertificateIssuerUseNotAllowed",
+        reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing"
+      };
+    }
+    const parentSignChild = verifyCertificateSignature(cert, certParent);
+    if (!parentSignChild) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "One of the certificate in the chain is not signing the previous certificate"
+      };
+    }
+    const certInfo = exploreCertificate(cert);
+    if (!certInfo.tbsCertificate.extensions) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "Cannot find X409 Extension 3 in certificate"
+      };
+    }
+    if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "Cannot find X409 Extension 3 in certificate (parent)"
+      };
+    }
+    if (certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !== certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier) {
+      return {
+        status: "BadCertificateInvalid",
+        reason: "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate"
+      };
+    }
+  }
+  return {
+    status: "Good",
+    reason: `certificate chain is valid(length = ${certificateChain.length})`
+  };
+}
+
+// source/crl_utils.ts
+function isCrlIssuedByCertificate(crl, certificate) {
+  const crlInfo = exploreCertificateRevocationList(crl);
+  const certInfo = exploreCertificate(certificate);
+  return crlInfo.tbsCertList.issuerFingerprint === certInfo.tbsCertificate.subjectFingerPrint;
+}
+function verifyCrlIssuedByCertificate(crl, certificate) {
+  if (!isCrlIssuedByCertificate(crl, certificate)) {
+    return false;
+  }
+  return verifyCertificateRevocationListSignature(crl, certificate);
+}
+
+// source/explore_asn1.ts
+function t(tag) {
+  return TagType[tag];
+}
+function bi(blockInfo, depth) {
+  const indent = "  ".repeat(depth);
+  const hl = blockInfo.position - blockInfo.start;
+  return `${blockInfo.start.toString().padStart(5, " ")}:d=${depth} hl=${hl.toString().padEnd(3, " ")}  l=${blockInfo.length.toString().padStart(6, " ")} ${blockInfo.tag.toString(16).padEnd(2, " ")} ${indent} ${t(blockInfo.tag)}`;
+}
+function exploreAsn1(buffer) {
+  console.log(hexDump(buffer));
+  function dump(offset, depth) {
+    const blockInfo = readTag(buffer, offset);
+    dumpBlock(blockInfo, depth);
+    function dumpBlock(blockInfo2, depth2) {
+      console.log(bi(blockInfo2, depth2));
+      if (blockInfo2.tag === 48 /* SEQUENCE */ || blockInfo2.tag === 49 /* SET */ || blockInfo2.tag >= 160 /* CONTEXT_SPECIFIC0 */) {
+        const blocks = readStruct(buffer, blockInfo2);
+        for (const block of blocks) {
+          dumpBlock(block, depth2 + 1);
+        }
+      }
+    }
+  }
+  dump(0, 0);
+}
+
+// source/explore_certificate.ts
+
+function coerceCertificate(certificate) {
+  if (typeof certificate === "string") {
+    certificate = convertPEMtoDER(certificate);
+  }
+  _assert2.default.call(void 0, Buffer.isBuffer(certificate));
+  return certificate;
+}
+function exploreCertificateInfo(certificate) {
+  certificate = coerceCertificate(certificate);
+  const certInfo = exploreCertificate(certificate);
+  const data = {
+    publicKeyLength: certInfo.tbsCertificate.subjectPublicKeyInfo.keyLength,
+    notBefore: certInfo.tbsCertificate.validity.notBefore,
+    notAfter: certInfo.tbsCertificate.validity.notAfter,
+    publicKey: certInfo.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey,
+    subject: certInfo.tbsCertificate.subject
+  };
+  if (!(data.publicKeyLength === 512 || data.publicKeyLength === 384 || data.publicKeyLength === 256 || data.publicKeyLength === 128)) {
+    throw new Error(`Invalid public key length (expecting 128,256,384 or 512): ${data.publicKeyLength}`);
+  }
+  return data;
+}
+
 // source/explore_certificate_signing_request.ts
 function _readExtensionRequest(buffer) {
   const block = readTag(buffer, 0);
@@ -1712,39 +1523,76 @@ function explorePrivateKey(privateKey2) {
   };
 }
 
-// source/make_private_key_from_pem.ts
-function makePrivateKeyFromPem(privateKeyInPem) {
-  return { hidden: privateKeyInPem };
-}
-
-// source/make_private_key_thumbprint.ts
-function makePrivateKeyThumbPrint(_privateKey) {
-  return Buffer.alloc(0);
-}
-
-// source/public_private_match.ts
-function publicKeyAndPrivateKeyMatches(certificate, privateKey) {
-  const i = exploreCertificate(certificate);
-  const j = explorePrivateKey(privateKey);
-  const modulus1 = i.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.modulus;
-  const modulus2 = j.modulus;
-  if (modulus1.length !== modulus2.length) {
-    return false;
+// source/identify_der.ts
+function identifyDERContent(buffer) {
+  if (!Buffer.isBuffer(buffer) || buffer.length < 2) {
+    return "Unknown";
+  }
+  try {
+    const outer = readTag(buffer, 0);
+    if (outer.tag !== 48 /* SEQUENCE */) {
+      return "Unknown";
+    }
+    const outerEnd = outer.position + outer.length;
+    if (outerEnd < buffer.length) {
+      const next = readTag(buffer, outerEnd);
+      if (next.tag === 48 /* SEQUENCE */) {
+        return "X509CertificateChain";
+      }
+    }
+    const blocks = readStruct(buffer, outer);
+    if (blocks.length < 2) {
+      return "Unknown";
+    }
+    if (blocks[0].tag === 2 /* INTEGER */) {
+      const versionByte = buffer[blocks[0].position];
+      if (blocks[0].length === 1 && versionByte === 3) {
+        return "PKCS12";
+      }
+      if (blocks[0].length === 1 && versionByte === 0) {
+        return "PrivateKey";
+      }
+    }
+    if (blocks[0].tag !== 48 /* SEQUENCE */) {
+      return "Unknown";
+    }
+    const tbsBlocks = readStruct(buffer, blocks[0]);
+    if (tbsBlocks.length === 0) {
+      return "Unknown";
+    }
+    if (tbsBlocks[0].tag === 160 /* CONTEXT_SPECIFIC0 */) {
+      return "X509Certificate";
+    }
+    if (tbsBlocks[0].tag === 2 /* INTEGER */) {
+      const intLen = tbsBlocks[0].length;
+      const intVal = intLen === 1 ? buffer[tbsBlocks[0].position] : -1;
+      if (intVal === 0 && tbsBlocks.length >= 4) {
+        if (tbsBlocks[3].tag === 160 /* CONTEXT_SPECIFIC0 */) {
+          return "CertificateSigningRequest";
+        }
+      }
+      if (intVal === 1 && tbsBlocks.length >= 4) {
+        const tag3 = tbsBlocks[3].tag;
+        if (tag3 === 23 /* UTCTime */ || tag3 === 24 /* GeneralizedTime */) {
+          return "CertificateRevocationList";
+        }
+      }
+      if (tbsBlocks.length >= 6) {
+        if (tbsBlocks[3].tag === 48 /* SEQUENCE */) {
+          return "X509Certificate";
+        }
+      }
+    }
+    if (tbsBlocks[0].tag === 48 /* SEQUENCE */ && tbsBlocks.length >= 3) {
+      const tag2 = tbsBlocks[2].tag;
+      if (tag2 === 23 /* UTCTime */ || tag2 === 24 /* GeneralizedTime */) {
+        return "CertificateRevocationList";
+      }
+    }
+    return "Unknown";
+  } catch (e2) {
+    return "Unknown";
   }
-  return modulus1.toString("hex") === modulus2.toString("hex");
-}
-function certificateMatchesPrivateKeyPEM(certificate, privateKey, blockSize) {
-  const initialBuffer = Buffer.from("Lorem Ipsum");
-  const encryptedBuffer = publicEncrypt_long(initialBuffer, certificate, blockSize);
-  const decryptedBuffer = privateDecrypt_long(encryptedBuffer, privateKey, blockSize);
-  const finalString = decryptedBuffer.toString("utf-8");
-  return initialBuffer.toString("utf-8") === finalString;
-}
-function certificateMatchesPrivateKey(certificate, privateKey) {
-  const e = explorePrivateKey(privateKey);
-  const blockSize = e.modulus.length;
-  const certificatePEM = toPem(certificate, "CERTIFICATE");
-  return certificateMatchesPrivateKeyPEM(certificatePEM, privateKey, blockSize);
 }
 
 // source/subject.ts
@@ -1768,6 +1616,13 @@ var unquote2 = (str) => {
   return m ? m[1] : str;
 };
 var Subject = class _Subject {
+  
+  
+  
+  
+  
+  
+  
   constructor(options) {
     if (typeof options === "string") {
       options = _Subject.parse(options);
@@ -1831,87 +1686,21 @@ var Subject = class _Subject {
   toString() {
     const t2 = this.toStringForOPCUA();
     return t2 ? `/${t2}` : t2;
-  }
-};
-
-// source/verify_certificate_signature.ts
-var import_node_crypto4 = require("crypto");
-function verifyCertificateOrClrSignature(certificateOrCrl, parentCertificate) {
-  const block_info = readTag(certificateOrCrl, 0);
-  const blocks = readStruct(certificateOrCrl, block_info);
-  const bufferToBeSigned = certificateOrCrl.subarray(block_info.position, blocks[1].position - 2);
-  const signatureAlgorithm = readAlgorithmIdentifier(certificateOrCrl, blocks[1]);
-  const signatureValue = readSignatureValueBin(certificateOrCrl, blocks[2]);
-  const p = split_der(parentCertificate)[0];
-  const certPem = toPem(p, "CERTIFICATE");
-  const verify = (0, import_node_crypto4.createVerify)(signatureAlgorithm.identifier);
-  verify.update(bufferToBeSigned);
-  verify.end();
-  return verify.verify(certPem, signatureValue);
-}
-function verifyCertificateSignature(certificate, parentCertificate) {
-  return verifyCertificateOrClrSignature(certificate, parentCertificate);
-}
-function verifyCertificateRevocationListSignature(certificateRevocationList, parentCertificate) {
-  return verifyCertificateOrClrSignature(certificateRevocationList, parentCertificate);
-}
-async function verifyCertificateChain(certificateChain) {
-  for (let index = 1; index < certificateChain.length; index++) {
-    const cert = certificateChain[index - 1];
-    const certParent = certificateChain[index];
-    const certParentInfo = exploreCertificate(certParent);
-    const keyUsage = certParentInfo.tbsCertificate.extensions?.keyUsage;
-    if (!keyUsage || !keyUsage.keyCertSign) {
-      return {
-        status: "BadCertificateIssuerUseNotAllowed",
-        reason: "One of the certificate in the chain has not keyUsage set for Certificate Signing"
-      };
-    }
-    const parentSignChild = verifyCertificateSignature(cert, certParent);
-    if (!parentSignChild) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "One of the certificate in the chain is not signing the previous certificate"
-      };
-    }
-    const certInfo = exploreCertificate(cert);
-    if (!certInfo.tbsCertificate.extensions) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "Cannot find X409 Extension 3 in certificate"
-      };
-    }
-    if (!certParentInfo.tbsCertificate.extensions || !certInfo.tbsCertificate.extensions.authorityKeyIdentifier) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "Cannot find X409 Extension 3 in certificate (parent)"
-      };
-    }
-    if (certParentInfo.tbsCertificate.extensions.subjectKeyIdentifier !== certInfo.tbsCertificate.extensions.authorityKeyIdentifier.keyIdentifier) {
-      return {
-        status: "BadCertificateInvalid",
-        reason: "subjectKeyIdentifier authorityKeyIdentifier in child certificate do not match subjectKeyIdentifier of parent certificate"
-      };
-    }
-  }
-  return {
-    status: "Good",
-    reason: `certificate chain is valid(length = ${certificateChain.length})`
-  };
-}
+  }
+};
 
 // source/x509/_crypto.ts
-var import_node_crypto5 = __toESM(require("crypto"));
-var import_webcrypto = require("@peculiar/webcrypto");
-var x509 = __toESM(require("@peculiar/x509"));
-var x5092 = __toESM(require("@peculiar/x509"));
+
+var _webcrypto = require('@peculiar/webcrypto');
+var _x509 = require('@peculiar/x509'); var x509 = _interopRequireWildcard(_x509); var x5092 = _interopRequireWildcard(_x509);
+
 var doDebug3 = false;
 var _crypto;
 var ignoreCrypto = process.env.IGNORE_SUBTLE_FROM_CRYPTO;
 if (typeof window === "undefined") {
-  _crypto = import_node_crypto5.default;
-  if (!_crypto?.subtle || ignoreCrypto) {
-    _crypto = new import_webcrypto.Crypto();
+  _crypto = _crypto3.default;
+  if (!_optionalChain([_crypto, 'optionalAccess', _12 => _12.subtle]) || ignoreCrypto) {
+    _crypto = new (0, _webcrypto.Crypto)();
     doDebug3 && console.warn("using @peculiar/webcrypto");
   } else {
     doDebug3 && console.warn("using nodejs crypto (native)");
@@ -1923,7 +1712,7 @@ if (typeof window === "undefined") {
   x509.cryptoProvider.set(crypto);
 }
 function getCrypto() {
-  return _crypto || crypto || import_node_crypto5.default;
+  return _crypto || crypto || _crypto3.default;
 }
 
 // source/x509/create_key_pair.ts
@@ -2079,10 +1868,10 @@ async function createCertificateSigningRequest({
     publicKey
   };
   const alternativeNameExtensions = [];
-  for (const d of dns ?? []) {
+  for (const d of _nullishCoalesce(dns, () => ( []))) {
     alternativeNameExtensions.push({ type: "dns", value: d });
   }
-  for (const d of ip ?? []) {
+  for (const d of _nullishCoalesce(ip, () => ( []))) {
     alternativeNameExtensions.push({ type: "ip", value: d });
   }
   if (applicationUri) {
@@ -3723,7 +3512,7 @@ var OctetString = class extends BaseBlock {
             this.valueBlock.value = [asn.result];
           }
         }
-      } catch {
+      } catch (e3) {
       }
     }
     return super.fromBER(inputBuffer, inputOffset, inputLength);
@@ -3812,7 +3601,7 @@ var LocalBitStringValueBlock = class extends HexBlock(LocalConstructedValueBlock
             this.value = [asn.result];
           }
         }
-      } catch {
+      } catch (e4) {
       }
     }
     this.valueHexView = intBuffer.subarray(1);
@@ -6033,7 +5822,7 @@ var AsnParser = class {
       return elementsToProcess.filter((el) => el && el.valueBlock).map((el) => {
         try {
           return converter.fromASN(el);
-        } catch {
+        } catch (e5) {
           return void 0;
         }
       }).filter((v) => v !== void 0);
@@ -6041,7 +5830,7 @@ var AsnParser = class {
       return elementsToProcess.filter((el) => el && el.valueBlock).map((el) => {
         try {
           return this.fromASN(el, schemaItem.type);
-        } catch {
+        } catch (e6) {
           return void 0;
         }
       }).filter((v) => v !== void 0);
@@ -6422,83 +6211,298 @@ async function createSelfSignedCertificate({
   return { cert: cert.toString("pem"), der: cert };
 }
 
+// source/crypto_utils2.ts
+
+
+function rsaLengthPrivateKey(key) {
+  const keyPem = typeof key.hidden === "string" ? key.hidden : key.hidden.export({ type: "pkcs1", format: "pem" }).toString();
+  const keyObject = _crypto2.createPrivateKey.call(void 0, keyPem);
+  const modulusLength = _optionalChain([keyObject, 'access', _13 => _13.asymmetricKeyDetails, 'optionalAccess', _14 => _14.modulusLength]);
+  _assert2.default.call(void 0, modulusLength, "Cannot determine modulus length from private key");
+  return modulusLength / 8;
+}
+function toPem2(raw_key, pem) {
+  if (raw_key.hidden) {
+    return toPem2(raw_key.hidden, pem);
+  }
+  _assert2.default.call(void 0, raw_key, "expecting a key");
+  _assert2.default.call(void 0, typeof pem === "string");
+  if (isKeyObject(raw_key)) {
+    const _raw_key = raw_key;
+    if (pem === "RSA PRIVATE KEY") {
+      return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs1" }).toString());
+    } else if (pem === "PRIVATE KEY") {
+      return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs8" }).toString());
+    } else {
+      throw new Error("Unsupported case!");
+    }
+  }
+  return toPem(raw_key, pem);
+}
+function coercePrivateKeyPem(privateKey) {
+  return toPem2(privateKey, "PRIVATE KEY");
+}
+function coercePublicKeyPem(publicKey) {
+  if (isKeyObject(publicKey)) {
+    return publicKey.export({ format: "pem", type: "spki" }).toString();
+  }
+  _assert2.default.call(void 0, typeof publicKey === "string");
+  return publicKey;
+}
+function coerceRsaPublicKeyPem(publicKey) {
+  if (isKeyObject(publicKey)) {
+    return publicKey.export({ format: "pem", type: "spki" }).toString();
+  }
+  _assert2.default.call(void 0, typeof publicKey === "string");
+  return publicKey;
+}
+function rsaLengthPublicKey(key) {
+  key = coercePublicKeyPem(key);
+  _assert2.default.call(void 0, typeof key === "string");
+  const keyObject = _crypto2.createPublicKey.call(void 0, key);
+  const modulusLength = _optionalChain([keyObject, 'access', _15 => _15.asymmetricKeyDetails, 'optionalAccess', _16 => _16.modulusLength]);
+  _assert2.default.call(void 0, modulusLength, "Cannot determine modulus length from public key");
+  return modulusLength / 8;
+}
+function rsaLengthRsaPublicKey(key) {
+  key = coerceRsaPublicKeyPem(key);
+  _assert2.default.call(void 0, typeof key === "string");
+  const keyObject = _crypto2.createPublicKey.call(void 0, key);
+  const modulusLength = _optionalChain([keyObject, 'access', _17 => _17.asymmetricKeyDetails, 'optionalAccess', _18 => _18.modulusLength]);
+  _assert2.default.call(void 0, modulusLength, "Cannot determine modulus length from public key");
+  return modulusLength / 8;
+}
+
+// source/derived_keys.ts
+
+
+function HMAC_HASH(sha1or256, secret, message) {
+  return _crypto2.createHmac.call(void 0, sha1or256, secret).update(message).digest();
+}
+function plus(buf1, buf2) {
+  return Buffer.concat([buf1, buf2]);
+}
+function makePseudoRandomBuffer(secret, seed, minLength, sha1or256) {
+  _assert2.default.call(void 0, Buffer.isBuffer(seed));
+  _assert2.default.call(void 0, sha1or256 === "SHA1" || sha1or256 === "SHA256");
+  const a = [];
+  a[0] = seed;
+  let index = 1;
+  let p_hash = createFastUninitializedBuffer(0);
+  while (p_hash.length <= minLength) {
+    a[index] = HMAC_HASH(sha1or256, secret, a[index - 1]);
+    p_hash = plus(p_hash, HMAC_HASH(sha1or256, secret, plus(a[index], seed)));
+    index += 1;
+  }
+  return p_hash.subarray(0, minLength);
+}
+function computeDerivedKeys(secret, seed, options) {
+  _assert2.default.call(void 0, Number.isFinite(options.signatureLength));
+  _assert2.default.call(void 0, Number.isFinite(options.encryptingKeyLength));
+  _assert2.default.call(void 0, Number.isFinite(options.encryptingBlockSize));
+  _assert2.default.call(void 0, typeof options.algorithm === "string");
+  options.sha1or256 = options.sha1or256 || "SHA1";
+  _assert2.default.call(void 0, typeof options.sha1or256 === "string");
+  const offset1 = options.signingKeyLength;
+  const offset2 = offset1 + options.encryptingKeyLength;
+  const minLength = offset2 + options.encryptingBlockSize;
+  const buf = makePseudoRandomBuffer(secret, seed, minLength, options.sha1or256);
+  return {
+    signatureLength: options.signatureLength,
+    signingKeyLength: options.signingKeyLength,
+    encryptingKeyLength: options.encryptingKeyLength,
+    encryptingBlockSize: options.encryptingBlockSize,
+    algorithm: options.algorithm,
+    sha1or256: options.sha1or256,
+    signingKey: buf.subarray(0, offset1),
+    encryptingKey: buf.subarray(offset1, offset2),
+    initializationVector: buf.subarray(offset2, minLength)
+  };
+}
+function reduceLength(buffer, byteToRemove) {
+  return buffer.subarray(0, buffer.length - byteToRemove);
+}
+function removePadding(buffer) {
+  const nbPaddingBytes = buffer.readUInt8(buffer.length - 1) + 1;
+  return reduceLength(buffer, nbPaddingBytes);
+}
+function verifyChunkSignature(chunk, options) {
+  _assert2.default.call(void 0, Buffer.isBuffer(chunk));
+  let signatureLength = options.signatureLength || 0;
+  if (signatureLength === 0) {
+    const cert = exploreCertificateInfo(options.publicKey);
+    signatureLength = cert.publicKeyLength || 0;
+  }
+  const block_to_verify = chunk.subarray(0, chunk.length - signatureLength);
+  const signature = chunk.subarray(chunk.length - signatureLength);
+  return verifyMessageChunkSignature(block_to_verify, signature, options);
+}
+function computePaddingFooter(buffer, derivedKeys) {
+  _assert2.default.call(void 0, Object.hasOwn(derivedKeys, "encryptingBlockSize"));
+  const paddingSize = derivedKeys.encryptingBlockSize - (buffer.length + 1) % derivedKeys.encryptingBlockSize;
+  const padding = createFastUninitializedBuffer(paddingSize + 1);
+  padding.fill(paddingSize);
+  return padding;
+}
+function derivedKeys_algorithm(derivedKeys) {
+  _assert2.default.call(void 0, Object.hasOwn(derivedKeys, "algorithm"));
+  const algorithm = derivedKeys.algorithm || "aes-128-cbc";
+  _assert2.default.call(void 0, algorithm === "aes-128-cbc" || algorithm === "aes-256-cbc");
+  return algorithm;
+}
+function encryptBufferWithDerivedKeys(buffer, derivedKeys) {
+  const algorithm = derivedKeys_algorithm(derivedKeys);
+  const key = derivedKeys.encryptingKey;
+  const initVector = derivedKeys.initializationVector;
+  const cipher = _crypto2.createCipheriv.call(void 0, algorithm, key, initVector);
+  cipher.setAutoPadding(false);
+  const encrypted_chunks = [];
+  encrypted_chunks.push(cipher.update(buffer));
+  encrypted_chunks.push(cipher.final());
+  return Buffer.concat(encrypted_chunks);
+}
+function decryptBufferWithDerivedKeys(buffer, derivedKeys) {
+  const algorithm = derivedKeys_algorithm(derivedKeys);
+  const key = derivedKeys.encryptingKey;
+  const initVector = derivedKeys.initializationVector;
+  const cipher = _crypto2.createDecipheriv.call(void 0, algorithm, key, initVector);
+  cipher.setAutoPadding(false);
+  const decrypted_chunks = [];
+  decrypted_chunks.push(cipher.update(buffer));
+  decrypted_chunks.push(cipher.final());
+  return Buffer.concat(decrypted_chunks);
+}
+function makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys) {
+  _assert2.default.call(void 0, Buffer.isBuffer(message));
+  _assert2.default.call(void 0, Buffer.isBuffer(derivedKeys.signingKey));
+  _assert2.default.call(void 0, typeof derivedKeys.sha1or256 === "string");
+  _assert2.default.call(void 0, derivedKeys.sha1or256 === "SHA1" || derivedKeys.sha1or256 === "SHA256");
+  const signature = _crypto2.createHmac.call(void 0, derivedKeys.sha1or256, derivedKeys.signingKey).update(message).digest();
+  _assert2.default.call(void 0, signature.length === derivedKeys.signatureLength);
+  return signature;
+}
+function verifyChunkSignatureWithDerivedKeys(chunk, derivedKeys) {
+  const message = chunk.subarray(0, chunk.length - derivedKeys.signatureLength);
+  const expectedSignature = chunk.subarray(chunk.length - derivedKeys.signatureLength);
+  const computedSignature = makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys);
+  return computedSignature.toString("hex") === expectedSignature.toString("hex");
+}
+
+// source/make_private_key_from_pem.ts
+function makePrivateKeyFromPem(privateKeyInPem) {
+  return { hidden: privateKeyInPem };
+}
+
+// source/make_private_key_thumbprint.ts
+function makePrivateKeyThumbPrint(_privateKey) {
+  return Buffer.alloc(0);
+}
+
+// source/public_private_match.ts
+function publicKeyAndPrivateKeyMatches(certificate, privateKey) {
+  const i = exploreCertificate(certificate);
+  const j = explorePrivateKey(privateKey);
+  const modulus1 = i.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.modulus;
+  const modulus2 = j.modulus;
+  if (modulus1.length !== modulus2.length) {
+    return false;
+  }
+  return modulus1.toString("hex") === modulus2.toString("hex");
+}
+function certificateMatchesPrivateKeyPEM(certificate, privateKey, blockSize) {
+  const initialBuffer = Buffer.from("Lorem Ipsum");
+  const encryptedBuffer = publicEncrypt_long(initialBuffer, certificate, blockSize);
+  const decryptedBuffer = privateDecrypt_long(encryptedBuffer, privateKey, blockSize);
+  const finalString = decryptedBuffer.toString("utf-8");
+  return initialBuffer.toString("utf-8") === finalString;
+}
+function certificateMatchesPrivateKey(certificate, privateKey) {
+  const e = explorePrivateKey(privateKey);
+  const blockSize = e.modulus.length;
+  const certificatePEM = toPem(certificate, "CERTIFICATE");
+  return certificateMatchesPrivateKeyPEM(certificatePEM, privateKey, blockSize);
+}
+
 // source/index_web.ts
 var asn1 = { readDirectoryName, readTag, readStruct, readAlgorithmIdentifier, readSignatureValueBin };
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  CertificatePurpose,
-  PaddingAlgorithm,
-  RSA_PKCS1_OAEP_PADDING,
-  RSA_PKCS1_PADDING,
-  Subject,
-  _coercePrivateKey,
-  asn1,
-  certificateMatchesPrivateKey,
-  coerceCertificate,
-  coerceCertificatePem,
-  coercePEMorDerToPrivateKey,
-  coercePrivateKeyPem,
-  coercePublicKeyPem,
-  coerceRsaPublicKeyPem,
-  combine_der,
-  computeDerivedKeys,
-  computePaddingFooter,
-  convertPEMtoDER,
-  createCertificateSigningRequest,
-  createPrivateKeyFromNodeJSCrypto,
-  createSelfSignedCertificate,
-  decryptBufferWithDerivedKeys,
-  derToPrivateKey,
-  encryptBufferWithDerivedKeys,
-  exploreAsn1,
-  exploreCertificate,
-  exploreCertificateInfo,
-  exploreCertificateRevocationList,
-  exploreCertificateSigningRequest,
-  explorePrivateKey,
-  extractPublicKeyFromCertificate,
-  extractPublicKeyFromCertificateSync,
-  generateKeyPair,
-  generatePrivateKey,
-  hexDump,
-  identifyPemType,
-  isKeyObject,
-  makeMessageChunkSignature,
-  makeMessageChunkSignatureWithDerivedKeys,
-  makePrivateKeyFromPem,
-  makePrivateKeyThumbPrint,
-  makePseudoRandomBuffer,
-  makeSHA1Thumbprint,
-  pemToPrivateKey,
-  privateDecrypt,
-  privateDecrypt_long,
-  privateDecrypt_native,
-  privateKeyToPEM,
-  publicEncrypt,
-  publicEncrypt_long,
-  publicEncrypt_native,
-  publicKeyAndPrivateKeyMatches,
-  readCertificationRequestInfo,
-  readExtension,
-  readNameForCrl,
-  readTbsCertificate,
-  reduceLength,
-  removePadding,
-  removeTrailingLF,
-  rsaLengthPrivateKey,
-  rsaLengthPublicKey,
-  rsaLengthRsaPublicKey,
-  split_der,
-  toPem,
-  toPem2,
-  verifyCertificateChain,
-  verifyCertificateOrClrSignature,
-  verifyCertificateRevocationListSignature,
-  verifyCertificateSignature,
-  verifyChunkSignature,
-  verifyChunkSignatureWithDerivedKeys,
-  verifyMessageChunkSignature
-});
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.createPrivateKeyFromNodeJSCrypto = createPrivateKeyFromNodeJSCrypto; exports.isKeyObject = isKeyObject; exports.CertificatePurpose = CertificatePurpose; exports.identifyPemType = identifyPemType; exports.removeTrailingLF = removeTrailingLF; exports.toPem = toPem; exports.convertPEMtoDER = convertPEMtoDER; exports.hexDump = hexDump; exports.makeMessageChunkSignature = makeMessageChunkSignature; exports.verifyMessageChunkSignature = verifyMessageChunkSignature; exports.makeSHA1Thumbprint = makeSHA1Thumbprint; exports.RSA_PKCS1_OAEP_PADDING = RSA_PKCS1_OAEP_PADDING; exports.RSA_PKCS1_PADDING = RSA_PKCS1_PADDING; exports.PaddingAlgorithm = PaddingAlgorithm; exports.publicEncrypt_native = publicEncrypt_native; exports.privateDecrypt_native = privateDecrypt_native; exports.publicEncrypt = publicEncrypt; exports.privateDecrypt = privateDecrypt; exports.publicEncrypt_long = publicEncrypt_long; exports.privateDecrypt_long = privateDecrypt_long; exports.coerceCertificatePem = coerceCertificatePem; exports.extractPublicKeyFromCertificateSync = extractPublicKeyFromCertificateSync; exports.extractPublicKeyFromCertificate = extractPublicKeyFromCertificate; exports.readExtension = readExtension; exports.readTbsCertificate = readTbsCertificate; exports.exploreCertificate = exploreCertificate; exports.split_der = split_der; exports.combine_der = combine_der; exports.readNameForCrl = readNameForCrl; exports.exploreCertificateRevocationList = exploreCertificateRevocationList; exports.verifyCertificateOrClrSignature = verifyCertificateOrClrSignature; exports.verifyCertificateSignature = verifyCertificateSignature; exports.verifyCertificateRevocationListSignature = verifyCertificateRevocationListSignature; exports.verifyCertificateChain = verifyCertificateChain; exports.isCrlIssuedByCertificate = isCrlIssuedByCertificate; exports.verifyCrlIssuedByCertificate = verifyCrlIssuedByCertificate; exports.exploreAsn1 = exploreAsn1; exports.coerceCertificate = coerceCertificate; exports.exploreCertificateInfo = exploreCertificateInfo; exports.readCertificationRequestInfo = readCertificationRequestInfo; exports.exploreCertificateSigningRequest = exploreCertificateSigningRequest; exports.explorePrivateKey = explorePrivateKey; exports.identifyDERContent = identifyDERContent; exports.Subject = Subject; exports.generateKeyPair = generateKeyPair; exports.generatePrivateKey = generatePrivateKey; exports.privateKeyToPEM = privateKeyToPEM; exports.derToPrivateKey = derToPrivateKey; exports.pemToPrivateKey = pemToPrivateKey; exports.coercePEMorDerToPrivateKey = coercePEMorDerToPrivateKey; exports._coercePrivateKey = _coercePrivateKey; exports.createCertificateSigningRequest = createCertificateSigningRequest; exports.createSelfSignedCertificate = createSelfSignedCertificate; exports.rsaLengthPrivateKey = rsaLengthPrivateKey; exports.toPem2 = toPem2; exports.coercePrivateKeyPem = coercePrivateKeyPem; exports.coercePublicKeyPem = coercePublicKeyPem; exports.coerceRsaPublicKeyPem = coerceRsaPublicKeyPem; exports.rsaLengthPublicKey = rsaLengthPublicKey; exports.rsaLengthRsaPublicKey = rsaLengthRsaPublicKey; exports.makePseudoRandomBuffer = makePseudoRandomBuffer; exports.computeDerivedKeys = computeDerivedKeys; exports.reduceLength = reduceLength; exports.removePadding = removePadding; exports.verifyChunkSignature = verifyChunkSignature; exports.computePaddingFooter = computePaddingFooter; exports.encryptBufferWithDerivedKeys = encryptBufferWithDerivedKeys; exports.decryptBufferWithDerivedKeys = decryptBufferWithDerivedKeys; exports.makeMessageChunkSignatureWithDerivedKeys = makeMessageChunkSignatureWithDerivedKeys; exports.verifyChunkSignatureWithDerivedKeys = verifyChunkSignatureWithDerivedKeys; exports.makePrivateKeyFromPem = makePrivateKeyFromPem; exports.makePrivateKeyThumbPrint = makePrivateKeyThumbPrint; exports.publicKeyAndPrivateKeyMatches = publicKeyAndPrivateKeyMatches; exports.certificateMatchesPrivateKey = certificateMatchesPrivateKey; exports.asn1 = asn1;
 /*! Bundled license information:
 
 pvtsutils/build/index.es.js:
@@ -6567,4 +6571,4 @@ asn1js/build/index.es.js:
    * 
    *)
 */
-//# sourceMappingURL=index.js.map
+//# sourceMappingURL=chunk-ERHE4VFS.cjs.map