node-opcua-crypto 5.1.0 → 5.3.0

package/dist/{chunk-ULG5CYBT.mjs → chunk-KCVNMSLI.js}

@@ -1353,79 +1353,40 @@ function verifyCrlIssuedByCertificate(crl, certificate) {
   return verifyCertificateRevocationListSignature(crl, certificate);
 }
 
-// source/crypto_utils2.ts
-import assert5 from "assert";
-import { createPrivateKey, createPublicKey as createPublicKey2 } from "crypto";
-function rsaLengthPrivateKey(key) {
-  const keyPem = typeof key.hidden === "string" ? key.hidden : key.hidden.export({ type: "pkcs1", format: "pem" }).toString();
-  const keyObject = createPrivateKey(keyPem);
-  const modulusLength = keyObject.asymmetricKeyDetails?.modulusLength;
-  assert5(modulusLength, "Cannot determine modulus length from private key");
-  return modulusLength / 8;
-}
-function toPem2(raw_key, pem) {
-  if (raw_key.hidden) {
-    return toPem2(raw_key.hidden, pem);
-  }
-  assert5(raw_key, "expecting a key");
-  assert5(typeof pem === "string");
-  if (isKeyObject(raw_key)) {
-    const _raw_key = raw_key;
-    if (pem === "RSA PRIVATE KEY") {
-      return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs1" }).toString());
-    } else if (pem === "PRIVATE KEY") {
-      return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs8" }).toString());
-    } else {
-      throw new Error("Unsupported case!");
-    }
-  }
-  return toPem(raw_key, pem);
-}
-function coercePrivateKeyPem(privateKey) {
-  return toPem2(privateKey, "PRIVATE KEY");
+// source/explore_asn1.ts
+function t(tag) {
+  return TagType[tag];
 }
-function coercePublicKeyPem(publicKey) {
-  if (isKeyObject(publicKey)) {
-    return publicKey.export({ format: "pem", type: "spki" }).toString();
-  }
-  assert5(typeof publicKey === "string");
-  return publicKey;
+function bi(blockInfo, depth) {
+  const indent = "  ".repeat(depth);
+  const hl = blockInfo.position - blockInfo.start;
+  return `${blockInfo.start.toString().padStart(5, " ")}:d=${depth} hl=${hl.toString().padEnd(3, " ")}  l=${blockInfo.length.toString().padStart(6, " ")} ${blockInfo.tag.toString(16).padEnd(2, " ")} ${indent} ${t(blockInfo.tag)}`;
 }
-function coerceRsaPublicKeyPem(publicKey) {
-  if (isKeyObject(publicKey)) {
-    return publicKey.export({ format: "pem", type: "spki" }).toString();
+function exploreAsn1(buffer) {
+  console.log(hexDump(buffer));
+  function dump(offset, depth) {
+    const blockInfo = readTag(buffer, offset);
+    dumpBlock(blockInfo, depth);
+    function dumpBlock(blockInfo2, depth2) {
+      console.log(bi(blockInfo2, depth2));
+      if (blockInfo2.tag === 48 /* SEQUENCE */ || blockInfo2.tag === 49 /* SET */ || blockInfo2.tag >= 160 /* CONTEXT_SPECIFIC0 */) {
+        const blocks = readStruct(buffer, blockInfo2);
+        for (const block of blocks) {
+          dumpBlock(block, depth2 + 1);
+        }
+      }
+    }
   }
-  assert5(typeof publicKey === "string");
-  return publicKey;
-}
-function rsaLengthPublicKey(key) {
-  key = coercePublicKeyPem(key);
-  assert5(typeof key === "string");
-  const keyObject = createPublicKey2(key);
-  const modulusLength = keyObject.asymmetricKeyDetails?.modulusLength;
-  assert5(modulusLength, "Cannot determine modulus length from public key");
-  return modulusLength / 8;
-}
-function rsaLengthRsaPublicKey(key) {
-  key = coerceRsaPublicKeyPem(key);
-  assert5(typeof key === "string");
-  const keyObject = createPublicKey2(key);
-  const modulusLength = keyObject.asymmetricKeyDetails?.modulusLength;
-  assert5(modulusLength, "Cannot determine modulus length from public key");
-  return modulusLength / 8;
+  dump(0, 0);
 }
 
-// source/derived_keys.ts
-import assert7 from "assert";
-import { createCipheriv, createDecipheriv, createHmac } from "crypto";
-
 // source/explore_certificate.ts
-import assert6 from "assert";
+import assert5 from "assert";
 function coerceCertificate(certificate) {
   if (typeof certificate === "string") {
     certificate = convertPEMtoDER(certificate);
   }
-  assert6(Buffer.isBuffer(certificate));
+  assert5(Buffer.isBuffer(certificate));
   return certificate;
 }
 function exploreCertificateInfo(certificate) {
@@ -1444,146 +1405,6 @@ function exploreCertificateInfo(certificate) {
   return data;
 }
 
-// source/derived_keys.ts
-function HMAC_HASH(sha1or256, secret, message) {
-  return createHmac(sha1or256, secret).update(message).digest();
-}
-function plus(buf1, buf2) {
-  return Buffer.concat([buf1, buf2]);
-}
-function makePseudoRandomBuffer(secret, seed, minLength, sha1or256) {
-  assert7(Buffer.isBuffer(seed));
-  assert7(sha1or256 === "SHA1" || sha1or256 === "SHA256");
-  const a = [];
-  a[0] = seed;
-  let index = 1;
-  let p_hash = createFastUninitializedBuffer(0);
-  while (p_hash.length <= minLength) {
-    a[index] = HMAC_HASH(sha1or256, secret, a[index - 1]);
-    p_hash = plus(p_hash, HMAC_HASH(sha1or256, secret, plus(a[index], seed)));
-    index += 1;
-  }
-  return p_hash.subarray(0, minLength);
-}
-function computeDerivedKeys(secret, seed, options) {
-  assert7(Number.isFinite(options.signatureLength));
-  assert7(Number.isFinite(options.encryptingKeyLength));
-  assert7(Number.isFinite(options.encryptingBlockSize));
-  assert7(typeof options.algorithm === "string");
-  options.sha1or256 = options.sha1or256 || "SHA1";
-  assert7(typeof options.sha1or256 === "string");
-  const offset1 = options.signingKeyLength;
-  const offset2 = offset1 + options.encryptingKeyLength;
-  const minLength = offset2 + options.encryptingBlockSize;
-  const buf = makePseudoRandomBuffer(secret, seed, minLength, options.sha1or256);
-  return {
-    signatureLength: options.signatureLength,
-    signingKeyLength: options.signingKeyLength,
-    encryptingKeyLength: options.encryptingKeyLength,
-    encryptingBlockSize: options.encryptingBlockSize,
-    algorithm: options.algorithm,
-    sha1or256: options.sha1or256,
-    signingKey: buf.subarray(0, offset1),
-    encryptingKey: buf.subarray(offset1, offset2),
-    initializationVector: buf.subarray(offset2, minLength)
-  };
-}
-function reduceLength(buffer, byteToRemove) {
-  return buffer.subarray(0, buffer.length - byteToRemove);
-}
-function removePadding(buffer) {
-  const nbPaddingBytes = buffer.readUInt8(buffer.length - 1) + 1;
-  return reduceLength(buffer, nbPaddingBytes);
-}
-function verifyChunkSignature(chunk, options) {
-  assert7(Buffer.isBuffer(chunk));
-  let signatureLength = options.signatureLength || 0;
-  if (signatureLength === 0) {
-    const cert = exploreCertificateInfo(options.publicKey);
-    signatureLength = cert.publicKeyLength || 0;
-  }
-  const block_to_verify = chunk.subarray(0, chunk.length - signatureLength);
-  const signature = chunk.subarray(chunk.length - signatureLength);
-  return verifyMessageChunkSignature(block_to_verify, signature, options);
-}
-function computePaddingFooter(buffer, derivedKeys) {
-  assert7(Object.hasOwn(derivedKeys, "encryptingBlockSize"));
-  const paddingSize = derivedKeys.encryptingBlockSize - (buffer.length + 1) % derivedKeys.encryptingBlockSize;
-  const padding = createFastUninitializedBuffer(paddingSize + 1);
-  padding.fill(paddingSize);
-  return padding;
-}
-function derivedKeys_algorithm(derivedKeys) {
-  assert7(Object.hasOwn(derivedKeys, "algorithm"));
-  const algorithm = derivedKeys.algorithm || "aes-128-cbc";
-  assert7(algorithm === "aes-128-cbc" || algorithm === "aes-256-cbc");
-  return algorithm;
-}
-function encryptBufferWithDerivedKeys(buffer, derivedKeys) {
-  const algorithm = derivedKeys_algorithm(derivedKeys);
-  const key = derivedKeys.encryptingKey;
-  const initVector = derivedKeys.initializationVector;
-  const cipher = createCipheriv(algorithm, key, initVector);
-  cipher.setAutoPadding(false);
-  const encrypted_chunks = [];
-  encrypted_chunks.push(cipher.update(buffer));
-  encrypted_chunks.push(cipher.final());
-  return Buffer.concat(encrypted_chunks);
-}
-function decryptBufferWithDerivedKeys(buffer, derivedKeys) {
-  const algorithm = derivedKeys_algorithm(derivedKeys);
-  const key = derivedKeys.encryptingKey;
-  const initVector = derivedKeys.initializationVector;
-  const cipher = createDecipheriv(algorithm, key, initVector);
-  cipher.setAutoPadding(false);
-  const decrypted_chunks = [];
-  decrypted_chunks.push(cipher.update(buffer));
-  decrypted_chunks.push(cipher.final());
-  return Buffer.concat(decrypted_chunks);
-}
-function makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys) {
-  assert7(Buffer.isBuffer(message));
-  assert7(Buffer.isBuffer(derivedKeys.signingKey));
-  assert7(typeof derivedKeys.sha1or256 === "string");
-  assert7(derivedKeys.sha1or256 === "SHA1" || derivedKeys.sha1or256 === "SHA256");
-  const signature = createHmac(derivedKeys.sha1or256, derivedKeys.signingKey).update(message).digest();
-  assert7(signature.length === derivedKeys.signatureLength);
-  return signature;
-}
-function verifyChunkSignatureWithDerivedKeys(chunk, derivedKeys) {
-  const message = chunk.subarray(0, chunk.length - derivedKeys.signatureLength);
-  const expectedSignature = chunk.subarray(chunk.length - derivedKeys.signatureLength);
-  const computedSignature = makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys);
-  return computedSignature.toString("hex") === expectedSignature.toString("hex");
-}
-
-// source/explore_asn1.ts
-function t(tag) {
-  return TagType[tag];
-}
-function bi(blockInfo, depth) {
-  const indent = "  ".repeat(depth);
-  const hl = blockInfo.position - blockInfo.start;
-  return `${blockInfo.start.toString().padStart(5, " ")}:d=${depth} hl=${hl.toString().padEnd(3, " ")}  l=${blockInfo.length.toString().padStart(6, " ")} ${blockInfo.tag.toString(16).padEnd(2, " ")} ${indent} ${t(blockInfo.tag)}`;
-}
-function exploreAsn1(buffer) {
-  console.log(hexDump(buffer));
-  function dump(offset, depth) {
-    const blockInfo = readTag(buffer, offset);
-    dumpBlock(blockInfo, depth);
-    function dumpBlock(blockInfo2, depth2) {
-      console.log(bi(blockInfo2, depth2));
-      if (blockInfo2.tag === 48 /* SEQUENCE */ || blockInfo2.tag === 49 /* SET */ || blockInfo2.tag >= 160 /* CONTEXT_SPECIFIC0 */) {
-        const blocks = readStruct(buffer, blockInfo2);
-        for (const block of blocks) {
-          dumpBlock(block, depth2 + 1);
-        }
-      }
-    }
-  }
-  dump(0, 0);
-}
-
 // source/explore_certificate_signing_request.ts
 function _readExtensionRequest(buffer) {
   const block = readTag(buffer, 0);
@@ -1709,39 +1530,76 @@ function explorePrivateKey(privateKey2) {
   };
 }
 
-// source/make_private_key_from_pem.ts
-function makePrivateKeyFromPem(privateKeyInPem) {
-  return { hidden: privateKeyInPem };
-}
-
-// source/make_private_key_thumbprint.ts
-function makePrivateKeyThumbPrint(_privateKey) {
-  return Buffer.alloc(0);
-}
-
-// source/public_private_match.ts
-function publicKeyAndPrivateKeyMatches(certificate, privateKey) {
-  const i = exploreCertificate(certificate);
-  const j = explorePrivateKey(privateKey);
-  const modulus1 = i.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.modulus;
-  const modulus2 = j.modulus;
-  if (modulus1.length !== modulus2.length) {
-    return false;
+// source/identify_der.ts
+function identifyDERContent(buffer) {
+  if (!Buffer.isBuffer(buffer) || buffer.length < 2) {
+    return "Unknown";
+  }
+  try {
+    const outer = readTag(buffer, 0);
+    if (outer.tag !== 48 /* SEQUENCE */) {
+      return "Unknown";
+    }
+    const outerEnd = outer.position + outer.length;
+    if (outerEnd < buffer.length) {
+      const next = readTag(buffer, outerEnd);
+      if (next.tag === 48 /* SEQUENCE */) {
+        return "X509CertificateChain";
+      }
+    }
+    const blocks = readStruct(buffer, outer);
+    if (blocks.length < 2) {
+      return "Unknown";
+    }
+    if (blocks[0].tag === 2 /* INTEGER */) {
+      const versionByte = buffer[blocks[0].position];
+      if (blocks[0].length === 1 && versionByte === 3) {
+        return "PKCS12";
+      }
+      if (blocks[0].length === 1 && versionByte === 0) {
+        return "PrivateKey";
+      }
+    }
+    if (blocks[0].tag !== 48 /* SEQUENCE */) {
+      return "Unknown";
+    }
+    const tbsBlocks = readStruct(buffer, blocks[0]);
+    if (tbsBlocks.length === 0) {
+      return "Unknown";
+    }
+    if (tbsBlocks[0].tag === 160 /* CONTEXT_SPECIFIC0 */) {
+      return "X509Certificate";
+    }
+    if (tbsBlocks[0].tag === 2 /* INTEGER */) {
+      const intLen = tbsBlocks[0].length;
+      const intVal = intLen === 1 ? buffer[tbsBlocks[0].position] : -1;
+      if (intVal === 0 && tbsBlocks.length >= 4) {
+        if (tbsBlocks[3].tag === 160 /* CONTEXT_SPECIFIC0 */) {
+          return "CertificateSigningRequest";
+        }
+      }
+      if (intVal === 1 && tbsBlocks.length >= 4) {
+        const tag3 = tbsBlocks[3].tag;
+        if (tag3 === 23 /* UTCTime */ || tag3 === 24 /* GeneralizedTime */) {
+          return "CertificateRevocationList";
+        }
+      }
+      if (tbsBlocks.length >= 6) {
+        if (tbsBlocks[3].tag === 48 /* SEQUENCE */) {
+          return "X509Certificate";
+        }
+      }
+    }
+    if (tbsBlocks[0].tag === 48 /* SEQUENCE */ && tbsBlocks.length >= 3) {
+      const tag2 = tbsBlocks[2].tag;
+      if (tag2 === 23 /* UTCTime */ || tag2 === 24 /* GeneralizedTime */) {
+        return "CertificateRevocationList";
+      }
+    }
+    return "Unknown";
+  } catch {
+    return "Unknown";
   }
-  return modulus1.toString("hex") === modulus2.toString("hex");
-}
-function certificateMatchesPrivateKeyPEM(certificate, privateKey, blockSize) {
-  const initialBuffer = Buffer.from("Lorem Ipsum");
-  const encryptedBuffer = publicEncrypt_long(initialBuffer, certificate, blockSize);
-  const decryptedBuffer = privateDecrypt_long(encryptedBuffer, privateKey, blockSize);
-  const finalString = decryptedBuffer.toString("utf-8");
-  return initialBuffer.toString("utf-8") === finalString;
-}
-function certificateMatchesPrivateKey(certificate, privateKey) {
-  const e = explorePrivateKey(privateKey);
-  const blockSize = e.modulus.length;
-  const certificatePEM = toPem(certificate, "CERTIFICATE");
-  return certificateMatchesPrivateKeyPEM(certificatePEM, privateKey, blockSize);
 }
 
 // source/subject.ts
@@ -1765,6 +1623,13 @@ var unquote2 = (str) => {
   return m ? m[1] : str;
 };
 var Subject = class _Subject {
+  commonName;
+  organization;
+  organizationalUnit;
+  locality;
+  state;
+  country;
+  domainComponent;
   constructor(options) {
     if (typeof options === "string") {
       options = _Subject.parse(options);
@@ -6353,6 +6218,218 @@ async function createSelfSignedCertificate({
   return { cert: cert.toString("pem"), der: cert };
 }
 
+// source/crypto_utils2.ts
+import assert6 from "assert";
+import { createPrivateKey, createPublicKey as createPublicKey2 } from "crypto";
+function rsaLengthPrivateKey(key) {
+  const keyPem = typeof key.hidden === "string" ? key.hidden : key.hidden.export({ type: "pkcs1", format: "pem" }).toString();
+  const keyObject = createPrivateKey(keyPem);
+  const modulusLength = keyObject.asymmetricKeyDetails?.modulusLength;
+  assert6(modulusLength, "Cannot determine modulus length from private key");
+  return modulusLength / 8;
+}
+function toPem2(raw_key, pem) {
+  if (raw_key.hidden) {
+    return toPem2(raw_key.hidden, pem);
+  }
+  assert6(raw_key, "expecting a key");
+  assert6(typeof pem === "string");
+  if (isKeyObject(raw_key)) {
+    const _raw_key = raw_key;
+    if (pem === "RSA PRIVATE KEY") {
+      return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs1" }).toString());
+    } else if (pem === "PRIVATE KEY") {
+      return removeTrailingLF(_raw_key.export({ format: "pem", type: "pkcs8" }).toString());
+    } else {
+      throw new Error("Unsupported case!");
+    }
+  }
+  return toPem(raw_key, pem);
+}
+function coercePrivateKeyPem(privateKey) {
+  return toPem2(privateKey, "PRIVATE KEY");
+}
+function coercePublicKeyPem(publicKey) {
+  if (isKeyObject(publicKey)) {
+    return publicKey.export({ format: "pem", type: "spki" }).toString();
+  }
+  assert6(typeof publicKey === "string");
+  return publicKey;
+}
+function coerceRsaPublicKeyPem(publicKey) {
+  if (isKeyObject(publicKey)) {
+    return publicKey.export({ format: "pem", type: "spki" }).toString();
+  }
+  assert6(typeof publicKey === "string");
+  return publicKey;
+}
+function rsaLengthPublicKey(key) {
+  key = coercePublicKeyPem(key);
+  assert6(typeof key === "string");
+  const keyObject = createPublicKey2(key);
+  const modulusLength = keyObject.asymmetricKeyDetails?.modulusLength;
+  assert6(modulusLength, "Cannot determine modulus length from public key");
+  return modulusLength / 8;
+}
+function rsaLengthRsaPublicKey(key) {
+  key = coerceRsaPublicKeyPem(key);
+  assert6(typeof key === "string");
+  const keyObject = createPublicKey2(key);
+  const modulusLength = keyObject.asymmetricKeyDetails?.modulusLength;
+  assert6(modulusLength, "Cannot determine modulus length from public key");
+  return modulusLength / 8;
+}
+
+// source/derived_keys.ts
+import assert7 from "assert";
+import { createCipheriv, createDecipheriv, createHmac } from "crypto";
+function HMAC_HASH(sha1or256, secret, message) {
+  return createHmac(sha1or256, secret).update(message).digest();
+}
+function plus(buf1, buf2) {
+  return Buffer.concat([buf1, buf2]);
+}
+function makePseudoRandomBuffer(secret, seed, minLength, sha1or256) {
+  assert7(Buffer.isBuffer(seed));
+  assert7(sha1or256 === "SHA1" || sha1or256 === "SHA256");
+  const a = [];
+  a[0] = seed;
+  let index = 1;
+  let p_hash = createFastUninitializedBuffer(0);
+  while (p_hash.length <= minLength) {
+    a[index] = HMAC_HASH(sha1or256, secret, a[index - 1]);
+    p_hash = plus(p_hash, HMAC_HASH(sha1or256, secret, plus(a[index], seed)));
+    index += 1;
+  }
+  return p_hash.subarray(0, minLength);
+}
+function computeDerivedKeys(secret, seed, options) {
+  assert7(Number.isFinite(options.signatureLength));
+  assert7(Number.isFinite(options.encryptingKeyLength));
+  assert7(Number.isFinite(options.encryptingBlockSize));
+  assert7(typeof options.algorithm === "string");
+  options.sha1or256 = options.sha1or256 || "SHA1";
+  assert7(typeof options.sha1or256 === "string");
+  const offset1 = options.signingKeyLength;
+  const offset2 = offset1 + options.encryptingKeyLength;
+  const minLength = offset2 + options.encryptingBlockSize;
+  const buf = makePseudoRandomBuffer(secret, seed, minLength, options.sha1or256);
+  return {
+    signatureLength: options.signatureLength,
+    signingKeyLength: options.signingKeyLength,
+    encryptingKeyLength: options.encryptingKeyLength,
+    encryptingBlockSize: options.encryptingBlockSize,
+    algorithm: options.algorithm,
+    sha1or256: options.sha1or256,
+    signingKey: buf.subarray(0, offset1),
+    encryptingKey: buf.subarray(offset1, offset2),
+    initializationVector: buf.subarray(offset2, minLength)
+  };
+}
+function reduceLength(buffer, byteToRemove) {
+  return buffer.subarray(0, buffer.length - byteToRemove);
+}
+function removePadding(buffer) {
+  const nbPaddingBytes = buffer.readUInt8(buffer.length - 1) + 1;
+  return reduceLength(buffer, nbPaddingBytes);
+}
+function verifyChunkSignature(chunk, options) {
+  assert7(Buffer.isBuffer(chunk));
+  let signatureLength = options.signatureLength || 0;
+  if (signatureLength === 0) {
+    const cert = exploreCertificateInfo(options.publicKey);
+    signatureLength = cert.publicKeyLength || 0;
+  }
+  const block_to_verify = chunk.subarray(0, chunk.length - signatureLength);
+  const signature = chunk.subarray(chunk.length - signatureLength);
+  return verifyMessageChunkSignature(block_to_verify, signature, options);
+}
+function computePaddingFooter(buffer, derivedKeys) {
+  assert7(Object.hasOwn(derivedKeys, "encryptingBlockSize"));
+  const paddingSize = derivedKeys.encryptingBlockSize - (buffer.length + 1) % derivedKeys.encryptingBlockSize;
+  const padding = createFastUninitializedBuffer(paddingSize + 1);
+  padding.fill(paddingSize);
+  return padding;
+}
+function derivedKeys_algorithm(derivedKeys) {
+  assert7(Object.hasOwn(derivedKeys, "algorithm"));
+  const algorithm = derivedKeys.algorithm || "aes-128-cbc";
+  assert7(algorithm === "aes-128-cbc" || algorithm === "aes-256-cbc");
+  return algorithm;
+}
+function encryptBufferWithDerivedKeys(buffer, derivedKeys) {
+  const algorithm = derivedKeys_algorithm(derivedKeys);
+  const key = derivedKeys.encryptingKey;
+  const initVector = derivedKeys.initializationVector;
+  const cipher = createCipheriv(algorithm, key, initVector);
+  cipher.setAutoPadding(false);
+  const encrypted_chunks = [];
+  encrypted_chunks.push(cipher.update(buffer));
+  encrypted_chunks.push(cipher.final());
+  return Buffer.concat(encrypted_chunks);
+}
+function decryptBufferWithDerivedKeys(buffer, derivedKeys) {
+  const algorithm = derivedKeys_algorithm(derivedKeys);
+  const key = derivedKeys.encryptingKey;
+  const initVector = derivedKeys.initializationVector;
+  const cipher = createDecipheriv(algorithm, key, initVector);
+  cipher.setAutoPadding(false);
+  const decrypted_chunks = [];
+  decrypted_chunks.push(cipher.update(buffer));
+  decrypted_chunks.push(cipher.final());
+  return Buffer.concat(decrypted_chunks);
+}
+function makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys) {
+  assert7(Buffer.isBuffer(message));
+  assert7(Buffer.isBuffer(derivedKeys.signingKey));
+  assert7(typeof derivedKeys.sha1or256 === "string");
+  assert7(derivedKeys.sha1or256 === "SHA1" || derivedKeys.sha1or256 === "SHA256");
+  const signature = createHmac(derivedKeys.sha1or256, derivedKeys.signingKey).update(message).digest();
+  assert7(signature.length === derivedKeys.signatureLength);
+  return signature;
+}
+function verifyChunkSignatureWithDerivedKeys(chunk, derivedKeys) {
+  const message = chunk.subarray(0, chunk.length - derivedKeys.signatureLength);
+  const expectedSignature = chunk.subarray(chunk.length - derivedKeys.signatureLength);
+  const computedSignature = makeMessageChunkSignatureWithDerivedKeys(message, derivedKeys);
+  return computedSignature.toString("hex") === expectedSignature.toString("hex");
+}
+
+// source/make_private_key_from_pem.ts
+function makePrivateKeyFromPem(privateKeyInPem) {
+  return { hidden: privateKeyInPem };
+}
+
+// source/make_private_key_thumbprint.ts
+function makePrivateKeyThumbPrint(_privateKey) {
+  return Buffer.alloc(0);
+}
+
+// source/public_private_match.ts
+function publicKeyAndPrivateKeyMatches(certificate, privateKey) {
+  const i = exploreCertificate(certificate);
+  const j = explorePrivateKey(privateKey);
+  const modulus1 = i.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.modulus;
+  const modulus2 = j.modulus;
+  if (modulus1.length !== modulus2.length) {
+    return false;
+  }
+  return modulus1.toString("hex") === modulus2.toString("hex");
+}
+function certificateMatchesPrivateKeyPEM(certificate, privateKey, blockSize) {
+  const initialBuffer = Buffer.from("Lorem Ipsum");
+  const encryptedBuffer = publicEncrypt_long(initialBuffer, certificate, blockSize);
+  const decryptedBuffer = privateDecrypt_long(encryptedBuffer, privateKey, blockSize);
+  const finalString = decryptedBuffer.toString("utf-8");
+  return initialBuffer.toString("utf-8") === finalString;
+}
+function certificateMatchesPrivateKey(certificate, privateKey) {
+  const e = explorePrivateKey(privateKey);
+  const blockSize = e.modulus.length;
+  const certificatePEM = toPem(certificate, "CERTIFICATE");
+  return certificateMatchesPrivateKeyPEM(certificatePEM, privateKey, blockSize);
+}
+
 // source/index_web.ts
 var asn1 = { readDirectoryName, readTag, readStruct, readAlgorithmIdentifier, readSignatureValueBin };
 
@@ -6394,6 +6471,23 @@ export {
   verifyCertificateChain,
   isCrlIssuedByCertificate,
   verifyCrlIssuedByCertificate,
+  exploreAsn1,
+  coerceCertificate,
+  exploreCertificateInfo,
+  readCertificationRequestInfo,
+  exploreCertificateSigningRequest,
+  explorePrivateKey,
+  identifyDERContent,
+  Subject,
+  generateKeyPair,
+  generatePrivateKey,
+  privateKeyToPEM,
+  derToPrivateKey,
+  pemToPrivateKey,
+  coercePEMorDerToPrivateKey,
+  _coercePrivateKey,
+  createCertificateSigningRequest,
+  createSelfSignedCertificate,
   rsaLengthPrivateKey,
   toPem2,
   coercePrivateKeyPem,
@@ -6401,8 +6495,6 @@ export {
   coerceRsaPublicKeyPem,
   rsaLengthPublicKey,
   rsaLengthRsaPublicKey,
-  coerceCertificate,
-  exploreCertificateInfo,
   makePseudoRandomBuffer,
   computeDerivedKeys,
   reduceLength,
@@ -6413,24 +6505,10 @@ export {
   decryptBufferWithDerivedKeys,
   makeMessageChunkSignatureWithDerivedKeys,
   verifyChunkSignatureWithDerivedKeys,
-  exploreAsn1,
-  readCertificationRequestInfo,
-  exploreCertificateSigningRequest,
-  explorePrivateKey,
   makePrivateKeyFromPem,
   makePrivateKeyThumbPrint,
   publicKeyAndPrivateKeyMatches,
   certificateMatchesPrivateKey,
-  Subject,
-  generateKeyPair,
-  generatePrivateKey,
-  privateKeyToPEM,
-  derToPrivateKey,
-  pemToPrivateKey,
-  coercePEMorDerToPrivateKey,
-  _coercePrivateKey,
-  createCertificateSigningRequest,
-  createSelfSignedCertificate,
   asn1
 };
 /*! Bundled license information:
@@ -6501,4 +6579,4 @@ asn1js/build/index.es.js:
    * 
    *)
 */
-//# sourceMappingURL=chunk-ULG5CYBT.mjs.map
+//# sourceMappingURL=chunk-KCVNMSLI.js.map