npm - node-opcua-pki - Versions diffs - 6.7.1 → 6.7.2 - Mend

node-opcua-pki 6.7.1 → 6.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/bin/pki.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../lib/misc/applicationurn.ts","../../lib/misc/hostname.ts","../../lib/toolbox/config.ts","../../lib/toolbox/debug.ts","../../lib/toolbox/common2.ts","../../lib/toolbox/display.ts","../../lib/toolbox/without_openssl/create_certificate_signing_request.ts","../../lib/toolbox/common.ts","../../lib/toolbox/without_openssl/create_self_signed_certificate.ts","../../lib/toolbox/without_openssl/index.ts","../../lib/pki/templates/simple_config_template.cnf.ts","../../lib/pki/certificate_manager.ts","../../lib/toolbox/index.ts","../../lib/toolbox/with_openssl/_env.ts","../../lib/misc/subject.ts","../../lib/toolbox/with_openssl/install_prerequisite.ts","../../lib/toolbox/with_openssl/execute_openssl.ts","../../lib/toolbox/with_openssl/toolbox.ts","../../lib/toolbox/with_openssl/create_certificate_signing_request.ts","../../lib/toolbox/with_openssl/index.ts","../../lib/ca/templates/ca_config_template.cnf.ts","../../lib/ca/certificate_authority.ts","../../lib/ca/crypto_create_CA.ts","../../bin/pki.ts"],"sourcesContent":["// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport assert from \"node:assert\";\nimport { createHash } from \"node:crypto\";\n\nexport function makeApplicationUrn(hostname: string, suffix: string): string {\n // beware : Openssl doesn't support urn with length greater than 64 !!\n // sometimes hostname length could be too long ...\n // application urn length must not exceed 64 car. to comply with openssl\n // see cryptoCA\n let hostnameHash = hostname;\n if (hostnameHash.length + 7 + suffix.length >= 64) {\n // we need to reduce the applicationUrn side => let's take\n // a portion of the hostname hash.\n hostnameHash = createHash(\"md5\").update(hostname).digest(\"hex\").substring(0, 16);\n }\n\n const applicationUrn = `urn:${hostnameHash}:${suffix}`;\n assert(applicationUrn.length <= 64);\n return applicationUrn;\n}\n","/*\n @module node-opcua-hostname\n /\nimport dns from \"node:dns\";\nimport os from \"node:os\";\nimport { promisify } from \"node:util\";\n\nfunction trim(str: string, length?: number): string {\n if (!length) {\n return str;\n }\n return str.substring(0, Math.min(str.length, length));\n}\n\nfunction fqdn(callback: (err: Error \| null, fqdn?: string) => void) {\n const uqdn = os.hostname();\n\n dns.lookup(uqdn, { hints: dns.ADDRCONFIG }, (err1: Error \| null, ip: string) => {\n if (err1) {\n return callback(err1);\n }\n\n dns.lookupService(ip, 0, (err2: Error \| null, _fqdn: string) => {\n if (err2) {\n return callback(err2);\n }\n _fqdn = _fqdn.replace(\".localdomain\", \"\");\n callback(null, _fqdn);\n });\n });\n}\n\nlet _fullyQualifiedDomainNameInCache: string \| undefined;\n\n/\n extract FullyQualifiedDomainName of this computer\n /\nexport async function extractFullyQualifiedDomainName(): Promise<string> {\n if (_fullyQualifiedDomainNameInCache) {\n return _fullyQualifiedDomainNameInCache;\n }\n if (process.platform === \"win32\") {\n // http://serverfault.com/a/73643/251863\n const env = process.env;\n _fullyQualifiedDomainNameInCache =\n env.COMPUTERNAME + (env.USERDNSDOMAIN && env.USERDNSDOMAIN?.length > 0 ? `.${env.USERDNSDOMAIN as string}` : \"\");\n } else {\n try {\n _fullyQualifiedDomainNameInCache = await promisify(fqdn)();\n if (_fullyQualifiedDomainNameInCache === \"localhost\") {\n throw new Error(\"localhost not expected\");\n }\n if (/sethostname/.test(_fullyQualifiedDomainNameInCache as string)) {\n throw new Error(\"Detecting fqdn on windows !!!\");\n }\n } catch (_err) {\n // fall back to old method\n _fullyQualifiedDomainNameInCache = os.hostname();\n }\n }\n return _fullyQualifiedDomainNameInCache as string;\n}\n\nexport async function prepareFQDN() {\n _fullyQualifiedDomainNameInCache = await extractFullyQualifiedDomainName();\n}\n\nexport function getFullyQualifiedDomainName(optional_max_length?: number) {\n if (!_fullyQualifiedDomainNameInCache) {\n throw new Error(\"FullyQualifiedDomainName computation is not completed yet\");\n }\n return _fullyQualifiedDomainNameInCache ? trim(_fullyQualifiedDomainNameInCache, optional_max_length) : \"%FQDN%\";\n}\n\nexport function getHostname() {\n return os.hostname();\n}\n\nexport function resolveFullyQualifiedDomainName(str: string): string {\n if (!_fullyQualifiedDomainNameInCache) {\n throw new Error(\"FullyQualifiedDomainName computation is not completed yet\");\n }\n str = str.replace(\"%FQDN%\", _fullyQualifiedDomainNameInCache);\n str = str.replace(\"{FQDN}\", _fullyQualifiedDomainNameInCache);\n str = str.replace(\"{hostname}\", getHostname());\n return str;\n}\n// note : under windows ... echo %COMPUTERNAME%.%USERDNSDOMAIN%\nprepareFQDN();\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nexport const g_config = {\n opensslVersion: \"unset\",\n silent: process.env.VERBOSE ? !process.env.VERBOSE : true,\n force: false\n};\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nexport const doDebug = process.env.NODEOPCUAPKIDEBUG \|\| false;\nexport const displayError = true;\nexport const displayDebug = !!process.env.NODEOPCUAPKIDEBUG \|\| false;\n// tslint:disable-next-line:no-empty\nexport function debugLog(...args: unknown[]) {\n // istanbul ignore next\n if (displayDebug) {\n console.log.apply(null, args);\n }\n}\nexport function warningLog(...args: unknown[]) {\n console.log.apply(null, args);\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n\nimport assert from \"node:assert\";\nimport fs from \"node:fs\";\nimport path from \"node:path\";\n\nimport chalk from \"chalk\";\n\nimport { g_config } from \"./config\";\n\nimport { debugLog, warningLog } from \"./debug\";\n\nexport function certificateFileExist(certificateFile: string): boolean {\n // istanbul ignore next\n if (fs.existsSync(certificateFile) && !g_config.force) {\n warningLog(\n chalk.yellow(\" certificate \") + chalk.cyan(certificateFile) + chalk.yellow(\" already exists => do not overwrite\")\n );\n return false;\n }\n return true;\n}\n\nexport function mkdirRecursiveSync(folder: string): void {\n if (!fs.existsSync(folder)) {\n // istanbul ignore next\n debugLog(chalk.white(\" .. constructing \"), folder);\n fs.mkdirSync(folder, { recursive: true });\n }\n}\n\nexport function makePath(folderName: string, filename?: string): string {\n let s: string;\n if (filename) {\n s = path.join(path.normalize(folderName), filename);\n } else {\n assert(folderName);\n s = folderName;\n }\n s = s.replace(/\\\\/g, \"/\");\n return s;\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport chalk from \"chalk\";\nimport { g_config } from \"./config\";\nimport { warningLog } from \"./debug\";\n\n// istanbul ignore next\nexport function displayChapter(str: string) {\n const l = \" \";\n warningLog(`${chalk.bgWhite(l)} `);\n str = ` ${str}${l}`.substring(0, l.length);\n warningLog(chalk.bgWhite.cyan(str));\n warningLog(`${chalk.bgWhite(l)} `);\n}\n\nexport function displayTitle(str: string) {\n // istanbul ignore next\n if (!g_config.silent) {\n warningLog(\"\");\n warningLog(chalk.yellowBright(str));\n warningLog(chalk.yellow(new Array(str.length + 1).join(\"=\")), \"\\n\");\n }\n}\n\nexport function displaySubtitle(str: string) {\n // istanbul ignore next\n if (!g_config.silent) {\n warningLog(\"\");\n warningLog(` ${chalk.yellowBright(str)}`);\n warningLog(` ${chalk.white(new Array(str.length + 1).join(\"-\"))}`, \"\\n\");\n }\n}\nexport function display(str: string) {\n // istanbul ignore next\n if (!g_config.silent) {\n warningLog(` ${str}`);\n }\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2022-2026 Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport assert from \"node:assert\";\nimport fs from \"node:fs\";\nimport { createCertificateSigningRequest, pemToPrivateKey, Subject } from \"node-opcua-crypto\";\nimport type { CreateCertificateSigningRequestWithConfigOptions } from \"../common\";\nimport { display, displaySubtitle } from \"../display\";\n\n/\n create a certificate signing request\n /\nexport async function createCertificateSigningRequestAsync(\n certificateSigningRequestFilename: string,\n params: CreateCertificateSigningRequestWithConfigOptions\n): Promise<void> {\n assert(params);\n assert(params.rootDir);\n assert(params.configFile);\n assert(params.privateKey);\n assert(typeof params.privateKey === \"string\");\n assert(fs.existsSync(params.privateKey), `Private key must exist${params.privateKey}`);\n\n // assert(fs.existsSync(params.configFile), \"config file must exist \" + params.configFile);\n assert(fs.existsSync(params.rootDir), \"RootDir key must exist\");\n assert(typeof certificateSigningRequestFilename === \"string\");\n\n const subject = params.subject ? new Subject(params.subject).toString() : undefined;\n displaySubtitle(\"- Creating a Certificate Signing Request with subtile\");\n\n const privateKeyPem = await fs.promises.readFile(params.privateKey, \"utf-8\");\n const privateKey = await pemToPrivateKey(privateKeyPem);\n\n const { csr } = await createCertificateSigningRequest({\n privateKey,\n dns: params.dns,\n ip: params.ip,\n subject,\n applicationUri: params.applicationUri,\n purpose: params.purpose\n });\n await fs.promises.writeFile(certificateSigningRequestFilename, csr, \"utf-8\");\n\n display(`- privateKey ${params.privateKey}`);\n display(`- certificateSigningRequestFilename ${certificateSigningRequestFilename}`);\n\n // to verify that the CSR is correct:\n // openssl req -in ./tmp/without_openssl.csr -noout -verify\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport assert from \"node:assert\";\n\n/* RSA key size in bits. /\nexport type KeySize = 1024 \| 2048 \| 3072 \| 4096;\n/* Hex-encoded SHA-1 certificate thumbprint. /\nexport type Thumbprint = string;\n/* A filesystem path to a file. /\nexport type Filename = string;\n/* Status of a certificate in the trust store. /\nexport type CertificateStatus = \"unknown\" \| \"trusted\" \| \"rejected\";\n\nimport type { CertificatePurpose } from \"node-opcua-crypto\";\nimport type { SubjectOptions } from \"../misc/subject\";\n\n/\n @deprecated Use {@link KeySize} instead.\n /\nexport type KeyLength = 1024 \| 2048 \| 3072 \| 4096;\n\nexport function quote(str?: string): string {\n return `\"${str \|\| \"\"}\"`;\n}\n\n/\n Subject Alternative Name (SAN) parameters for certificate\n * generation.\n /\nexport interface ProcessAltNamesParam {\n /* DNS host names to include in the SAN extension. /\n dns?: string[];\n /* IP addresses to include in the SAN extension. /\n ip?: string[];\n /* OPC UA application URI for the SAN extension. /\n applicationUri?: string;\n}\n\n/\n Options for creating a Certificate Signing Request (CSR).\n /\nexport interface CreateCertificateSigningRequestOptions extends ProcessAltNamesParam {\n /* X.500 subject for the certificate. /\n subject?: SubjectOptions \| string;\n}\n\n/\n Extended CSR options that include filesystem paths and\n * certificate purpose — used internally by the OpenSSL toolbox.\n /\nexport interface CreateCertificateSigningRequestWithConfigOptions extends CreateCertificateSigningRequestOptions {\n /* Root directory of the PKI store. /\n rootDir: Filename;\n /* Path to the OpenSSL configuration file. /\n configFile: Filename;\n /* Path to the private key file. /\n privateKey: Filename;\n /* Intended purpose of the certificate. /\n purpose: CertificatePurpose;\n}\n\n/\n Validity period parameters for certificate generation.\n /\nexport interface StartDateEndDateParam {\n /* Certificate \"Not Before\" date. Defaults to now. /\n startDate?: Date;\n /* Certificate \"Not After\" date (computed from validity). /\n endDate?: Date;\n /* Number of days the certificate is valid. @defaultValue 365 /\n validity?: number;\n}\n\n/\n Parameters for creating a self-signed certificate.\n /\nexport interface CreateSelfSignCertificateParam extends ProcessAltNamesParam, StartDateEndDateParam {\n /* X.500 subject for the certificate. /\n subject?: SubjectOptions \| string;\n}\n\n/\n Extended self-signed certificate options that include\n * filesystem paths and purpose — used internally.\n /\nexport interface CreateSelfSignCertificateWithConfigParam extends CreateSelfSignCertificateParam {\n /* Root directory of the PKI store. /\n rootDir: Filename;\n /* Path to the OpenSSL configuration file. /\n configFile: Filename;\n /* Path to the private key file. /\n privateKey: Filename;\n /* Intended purpose of the certificate. /\n purpose: CertificatePurpose;\n}\n\n/\n General-purpose parameters passed to CA operations such as\n * {@link CertificateAuthority.signCertificateRequest} and\n * {@link CertificateAuthority.revokeCertificate}.\n /\nexport interface Params extends ProcessAltNamesParam, StartDateEndDateParam {\n /* X.500 subject for the certificate. /\n subject?: SubjectOptions \| string;\n\n /* Path to the private key file. /\n privateKey?: string;\n /* Path to the OpenSSL configuration file. /\n configFile?: string;\n /* Root directory of the PKI store. /\n rootDir?: string;\n\n /* Output filename for the generated certificate. /\n outputFile?: string;\n /* CRL revocation reason (e.g. `\"keyCompromise\"`). /\n reason?: string;\n}\n\nexport function adjustDate(params: StartDateEndDateParam) {\n assert(params instanceof Object);\n params.startDate = params.startDate \|\| new Date();\n assert(params.startDate instanceof Date);\n\n params.validity = params.validity \|\| 365; // one year\n\n params.endDate = new Date(params.startDate.getTime());\n params.endDate.setDate(params.startDate.getDate() + params.validity);\n\n // params.endDate = x509Date(endDate);\n // params.startDate = x509Date(startDate);\n\n assert(params.endDate instanceof Date);\n assert(params.startDate instanceof Date);\n\n // // istanbul ignore next\n // if (!g_config.silent) {\n // warningLog(\" start Date \", params.startDate.toUTCString(), x509Date(params.startDate));\n // warningLog(\" end Date \", params.endDate.toUTCString(), x509Date(params.endDate));\n // }\n}\n\nexport function adjustApplicationUri(params: Params) {\n const applicationUri = params.applicationUri \|\| \"\";\n if (applicationUri.length > 200) {\n throw new Error(`Openssl doesn't support urn with length greater than 200${applicationUri}`);\n }\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2022-2026 Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport assert from \"node:assert\";\nimport fs from \"node:fs\";\n\nimport {\n CertificatePurpose,\n createSelfSignedCertificate as createSelfSignedCertificate1,\n pemToPrivateKey,\n Subject\n} from \"node-opcua-crypto\";\nimport { adjustDate, type CreateSelfSignCertificateWithConfigParam } from \"../common\";\nimport { displayTitle } from \"../display\";\n\nexport async function createSelfSignedCertificateAsync(\n certificate: string,\n params: CreateSelfSignCertificateWithConfigParam\n): Promise<void> {\n params.purpose = params.purpose \|\| CertificatePurpose.ForApplication;\n assert(params.purpose, \"Please provide a Certificate Purpose\");\n /\n note: due to a limitation of openssl ,\n * it is not possible to control the startDate of the certificate validity\n * to achieve this the certificateAuthority tool shall be used.\n /\n assert(fs.existsSync(params.configFile));\n assert(fs.existsSync(params.rootDir));\n assert(fs.existsSync(params.privateKey));\n if (!params.subject) {\n throw Error(\"Missing subject\");\n }\n\n assert(typeof params.applicationUri === \"string\");\n assert(Array.isArray(params.dns));\n\n // xx no key size in self-signed assert(params.keySize == 2048 \|\| params.keySize == 4096);\n\n // processAltNames(params);\n adjustDate(params);\n assert(Object.prototype.hasOwnProperty.call(params, \"validity\"));\n\n let subject: Subject \| string = new Subject(params.subject);\n subject = subject.toString();\n\n // xx const certificateRequestFilename = certificate + \".csr\";\n const purpose = params.purpose;\n\n displayTitle(\"Generate a certificate request\");\n\n const privateKeyPem = await fs.promises.readFile(params.privateKey, \"utf-8\");\n const privateKey = await pemToPrivateKey(privateKeyPem);\n\n const { cert } = await createSelfSignedCertificate1({\n privateKey,\n notBefore: params.startDate,\n notAfter: params.endDate,\n validity: params.validity,\n dns: params.dns,\n ip: params.ip,\n subject,\n applicationUri: params.applicationUri,\n purpose\n });\n await fs.promises.writeFile(certificate, cert, \"utf-8\");\n}\n\nexport async function createSelfSignedCertificate(\n certificate: string,\n params: CreateSelfSignCertificateWithConfigParam\n): Promise<void> {\n await createSelfSignedCertificateAsync(certificate, params);\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport from \"./create_certificate_signing_request\";\nexport * from \"./create_self_signed_certificate\";\n","const config =\n \"##################################################################################################\\n\" +\n \"## SIMPLE OPENSSL CONFIG FILE FOR SELF-SIGNED CERTIFICATE GENERATION\\n\" +\n \"################################################################################################################\\n\" +\n \"\\n\" +\n \"distinguished_name = req_distinguished_name\\n\" +\n \"default_md = sha1\\n\" +\n \"\\n\" +\n \"default_md = sha256 # The default digest algorithm\\n\" +\n \"\\n\" +\n \"[ v3_ca ]\\n\" +\n \"subjectKeyIdentifier = hash\\n\" +\n \"authorityKeyIdentifier = keyid:always,issuer:always\\n\" +\n \"\\n\" +\n \"# authorityKeyIdentifier = keyid\\n\" +\n \"basicConstraints = CA:TRUE\\n\" +\n \"keyUsage = critical, cRLSign, keyCertSign\\n\" +\n 'nsComment = \"Self-signed Certificate for CA generated by Node-OPCUA Certificate utility\"\\n' +\n \"#nsCertType = sslCA, emailCA\\n\" +\n \"#subjectAltName = email:copy\\n\" +\n \"#issuerAltName = issuer:copy\\n\" +\n \"#obj = DER:02:03\\n\" +\n \"# crlDistributionPoints = @crl_info\\n\" +\n \"# [ crl_info ]\\n\" +\n \"# URI.0 = http://localhost:8900/crl.pem\\n\" +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n \"\\n\" +\n \"[ req ]\\n\" +\n \"days = 390\\n\" +\n \"req_extensions = v3_req\\n\" +\n \"x509_extensions = v3_ca\\n\" +\n \"\\n\" +\n \"[v3_req]\\n\" +\n \"basicConstraints = CA:false\\n\" +\n \"keyUsage = critical, cRLSign, keyCertSign\\n\" +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n \"\\n\" +\n \"[ v3_ca_signed]\\n\" +\n \"subjectKeyIdentifier = hash\\n\" +\n \"authorityKeyIdentifier = keyid,issuer\\n\" +\n \"basicConstraints = critical, CA:FALSE\\n\" +\n \"keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign\\n\" +\n \"extendedKeyUsage = clientAuth,serverAuth \\n\" +\n 'nsComment = \"certificate generated by Node-OPCUA Certificate utility and signed by a CA\"\\n' +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n \"[ v3_selfsigned]\\n\" +\n \"subjectKeyIdentifier = hash\\n\" +\n \"authorityKeyIdentifier = keyid,issuer\\n\" +\n \"basicConstraints = critical, CA:FALSE\\n\" +\n \"keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign\\n\" +\n \"extendedKeyUsage = clientAuth,serverAuth \\n\" +\n 'nsComment = \"Self-signed certificate generated by Node-OPCUA Certificate utility\"\\n' +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n \"[ req_distinguished_name ]\\n\" +\n \"countryName = Country Name (2 letter code)\\n\" +\n \"countryName_default = FR\\n\" +\n \"countryName_min = 2\\n\" +\n \"countryName_max = 2\\n\" +\n \"# stateOrProvinceName = State or Province Name (full name)\\n\" +\n \"# stateOrProvinceName_default = Ile de France\\n\" +\n \"# localityName = Locality Name (city, district)\\n\" +\n \"# localityName_default = Paris\\n\" +\n \"organizationName = Organization Name (company)\\n\" +\n \"organizationName_default = NodeOPCUA\\n\" +\n \"# organizationalUnitName = Organizational Unit Name (department, division)\\n\" +\n \"# organizationalUnitName_default = R&D\\n\" +\n \"commonName = Common Name (hostname, FQDN, IP, or your name)\\n\" +\n \"commonName_max = 256\\n\" +\n \"commonName_default = NodeOPCUA\\n\" +\n \"# emailAddress = Email Address\\n\" +\n \"# emailAddress_max = 40\\n\" +\n \"# emailAddress_default = node-opcua (at) node-opcua (dot) com\\n\" +\n \"subjectAltName = $ENV::ALTNAME\";\n\nexport default config;\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki — CertificateManager\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n// This project is licensed under the terms of the MIT license.\n// ---------------------------------------------------------------------------------------------------------------------\n\nimport { EventEmitter } from \"node:events\";\nimport fs from \"node:fs\";\nimport path from \"node:path\";\nimport { withLock } from \"@ster5/global-mutex\";\nimport chalk from \"chalk\";\nimport chokidar, { type FSWatcher as ChokidarFSWatcher } from \"chokidar\";\nimport {\n type Certificate,\n type CertificateInternals,\n type CertificateRevocationList,\n type CertificateRevocationListInfo,\n type DER,\n exploreCertificate,\n exploreCertificateInfo,\n exploreCertificateRevocationList,\n generatePrivateKeyFile,\n makeSHA1Thumbprint,\n readCertificate,\n readCertificateAsync,\n readCertificateRevocationList,\n split_der,\n toPem,\n verifyCertificateChain,\n verifyCertificateSignature\n} from \"node-opcua-crypto\";\n\nimport type { SubjectOptions } from \"../misc/subject\";\nimport type {\n CertificateStatus,\n CreateSelfSignCertificateParam,\n CreateSelfSignCertificateWithConfigParam,\n Filename,\n KeySize,\n Thumbprint\n} from \"../toolbox/common\";\nimport { makePath, mkdirRecursiveSync } from \"../toolbox/common2\";\nimport { debugLog, warningLog } from \"../toolbox/debug\";\nimport { createCertificateSigningRequestAsync, createSelfSignedCertificate } from \"../toolbox/without_openssl\";\n\nimport _simple_config_template from \"./templates/simple_config_template.cnf\";\n\n/*\n \n * a minimalist config file for openssl that allows\n * self-signed certificate to be generated.\n \n /\nconst configurationFileSimpleTemplate: string = _simple_config_template;\nconst fsWriteFile = fs.promises.writeFile;\n\ninterface Entry {\n certificate: Certificate;\n filename: string;\n /** Lazily cached result of `exploreCertificate(certificate)`. /\n info?: CertificateInternals;\n}\n\n/* Return the cached `info` or compute and cache it. /\nfunction getOrComputeInfo(entry: Entry): CertificateInternals {\n if (!entry.info) {\n entry.info = exploreCertificateCached(entry.certificate);\n }\n return entry.info;\n}\n\n/\n Module-level LRU cache for `exploreCertificate()` results.\n \n During a single `verifyCertificate()` flow the same certificate\n * buffer can be parsed 4-6 times across different helper functions.\n * This cache deduplicates the ASN.1 DER parsing by keying on the\n * SHA-1 thumbprint of the certificate buffer.\n \n The cache is deliberately small (8 entries) so it covers the\n * \"same-cert-in-one-verification-flow\" case without unbounded\n * memory growth.\n /\nconst EXPLORE_CACHE_MAX = 8;\nconst _exploreCache = new Map<string, CertificateInternals>();\n\nfunction exploreCertificateCached(certificate: Certificate): CertificateInternals {\n const key = makeSHA1Thumbprint(certificate).toString(\"hex\");\n const cached = _exploreCache.get(key);\n if (cached) {\n // Move to end (most-recently-used)\n _exploreCache.delete(key);\n _exploreCache.set(key, cached);\n return cached;\n }\n const info = exploreCertificate(certificate);\n _exploreCache.set(key, info);\n if (_exploreCache.size > EXPLORE_CACHE_MAX) {\n // Evict oldest (first key in insertion order)\n const oldest = _exploreCache.keys().next().value;\n if (oldest) _exploreCache.delete(oldest);\n }\n return info;\n}\ninterface CRLEntry {\n crlInfo: CertificateRevocationListInfo;\n filename: string;\n}\ninterface CRLData {\n serialNumbers: { [key: string]: Date };\n crls: CRLEntry[];\n}\ninterface Thumbs {\n trusted: Map<string, Entry>;\n rejected: Map<string, Entry>;\n issuers: {\n certs: Map<string, Entry>;\n };\n /* key = subjectFingerPrint of issuer certificate /\n crl: Map<string, CRLData>;\n /* key = subjectFingerPrint of issuer certificate /\n issuersCrl: Map<string, CRLData>;\n}\n\n/\n Identifies which PKI sub-store a certificate event originated from.\n /\nexport type CertificateStore = \"trusted\" \| \"rejected\" \| \"issuersCerts\";\n\n/\n Identifies which PKI sub-store a CRL event originated from.\n /\nexport type CrlStore = \"crl\" \| \"issuersCrl\";\n\n/\n Events emitted by {@link CertificateManager} when the\n * file-system watchers detect certificate or CRL changes.\n /\nexport interface CertificateManagerEvents {\n /* A certificate file was added to a store. /\n certificateAdded: (event: { store: CertificateStore; certificate: Certificate; fingerprint: string; filename: string }) => void;\n /* A certificate file was removed from a store. /\n certificateRemoved: (event: { store: CertificateStore; fingerprint: string; filename: string }) => void;\n /* A certificate file was modified in a store. /\n certificateChange: (event: {\n store: CertificateStore;\n certificate: Certificate;\n fingerprint: string;\n filename: string;\n }) => void;\n /* A CRL file was added. /\n crlAdded: (event: { store: CrlStore; filename: string }) => void;\n /* A CRL file was removed. /\n crlRemoved: (event: { store: CrlStore; filename: string }) => void;\n}\n\n/\n Options for creating a {@link CertificateManager}.\n /\nexport interface CertificateManagerOptions {\n /\n RSA key size for generated private keys.\n * @defaultValue 2048\n /\n keySize?: KeySize;\n /* Filesystem path where the PKI directory structure is stored. /\n location: string;\n}\n\n/\n Parameters for {@link createSelfSignedCertificate}.\n * All fields from {@link CreateSelfSignCertificateParam} are required.\n /\nexport interface CreateSelfSignCertificateParam1 extends CreateSelfSignCertificateParam {\n /\n Output path for the certificate.\n * @defaultValue `\"own/certs/self_signed_certificate.pem\"`\n /\n outputFile?: Filename;\n /* X.500 subject for the certificate. /\n subject: SubjectOptions \| string;\n /* OPC UA application URI for the SAN extension. /\n applicationUri: string;\n /* DNS host names to include in the SAN extension. /\n dns: string[];\n /* Certificate \"Not Before\" date. /\n startDate: Date;\n /* Number of days the certificate is valid. /\n validity: number;\n}\n\n/\n Options to fine-tune certificate verification behaviour.\n * Passed to {@link CertificateManager.verifyCertificate}.\n \n Without any options, `verifyCertificate` is strict: only\n * certificates that are explicitly present in the trusted store\n * will return {@link VerificationStatus.Good}. Unknown or\n * rejected certificates return\n * {@link VerificationStatus.BadCertificateUntrusted} even when\n * their issuer chain is valid.\n \n Set {@link acceptCertificateWithValidIssuerChain} to `true`\n * to accept certificates whose issuer chain validates against\n * a trusted CA — even if the leaf certificate itself is not\n * in the trusted store.\n /\nexport interface VerifyCertificateOptions {\n /* Accept certificates whose \"Not After\" date has passed. /\n acceptOutdatedCertificate?: boolean;\n /* Accept issuer certificates whose \"Not After\" date has passed. /\n acceptOutDatedIssuerCertificate?: boolean;\n /* Do not fail when a CRL is missing for an issuer. /\n ignoreMissingRevocationList?: boolean;\n /* Accept certificates whose \"Not Before\" date is in the future. /\n acceptPendingCertificate?: boolean;\n /\n Accept a certificate that is not in the trusted store when\n * its issuer (CA) certificate is trusted, the signature is\n * valid, and the certificate does not appear in the CRL.\n \n When `false` (the default), only certificates explicitly\n * placed in the trusted store are accepted — this is the\n * same behaviour as {@link CertificateManager.isCertificateTrusted}.\n \n @defaultValue false\n /\n acceptCertificateWithValidIssuerChain?: boolean;\n}\n\n/\n OPC UA certificate verification status codes.\n \n These mirror the OPC UA `StatusCode` values for certificate\n * validation results.\n /\nexport enum VerificationStatus {\n /* The certificate provided as a parameter is not valid. /\n BadCertificateInvalid = \"BadCertificateInvalid\",\n /* An error occurred verifying security. /\n BadSecurityChecksFailed = \"BadSecurityChecksFailed\",\n /* The certificate does not meet the requirements of the security policy. /\n BadCertificatePolicyCheckFailed = \"BadCertificatePolicyCheckFailed\",\n /* The certificate has expired or is not yet valid. /\n BadCertificateTimeInvalid = \"BadCertificateTimeInvalid\",\n /* An issuer certificate has expired or is not yet valid. /\n BadCertificateIssuerTimeInvalid = \"BadCertificateIssuerTimeInvalid\",\n /* The HostName used to connect to a server does not match a HostName in the certificate. /\n BadCertificateHostNameInvalid = \"BadCertificateHostNameInvalid\",\n /* The URI specified in the ApplicationDescription does not match the URI in the certificate. /\n BadCertificateUriInvalid = \"BadCertificateUriInvalid\",\n /* The certificate may not be used for the requested operation. /\n BadCertificateUseNotAllowed = \"BadCertificateUseNotAllowed\",\n /* The issuer certificate may not be used for the requested operation. /\n BadCertificateIssuerUseNotAllowed = \"BadCertificateIssuerUseNotAllowed\",\n /* The certificate is not trusted. /\n BadCertificateUntrusted = \"BadCertificateUntrusted\",\n /* It was not possible to determine if the certificate has been revoked. /\n BadCertificateRevocationUnknown = \"BadCertificateRevocationUnknown\",\n /* It was not possible to determine if the issuer certificate has been revoked. /\n BadCertificateIssuerRevocationUnknown = \"BadCertificateIssuerRevocationUnknown\",\n /* The certificate has been revoked. /\n BadCertificateRevoked = \"BadCertificateRevoked\",\n /* The issuer certificate has been revoked. /\n BadCertificateIssuerRevoked = \"BadCertificateIssuerRevoked\",\n /* The certificate chain is incomplete. /\n BadCertificateChainIncomplete = \"BadCertificateChainIncomplete\",\n\n /* Validation OK. /\n Good = \"Good\"\n}\n\nfunction makeFingerprint(certificate: Certificate \| CertificateRevocationList): string {\n // When the buffer contains a certificate chain (multiple\n // concatenated DER structures), the thumbprint must be\n // computed on the leaf certificate only (first element).\n const chain = split_der(certificate);\n return makeSHA1Thumbprint(chain[0]).toString(\"hex\");\n}\nfunction short(stringToShorten: string) {\n return stringToShorten.substring(0, 10);\n}\n// biome-ignore lint/suspicious/noControlCharactersInRegex: we need to filter control characters\nconst forbiddenChars = /[\\x00-\\x1F<>:\"/\\\\\|?]/g;\nfunction buildIdealCertificateName(certificate: Certificate): string {\n const fingerprint = makeFingerprint(certificate);\n try {\n const commonName = exploreCertificateCached(certificate).tbsCertificate.subject.commonName \|\| \"\";\n // commonName may contain invalid characters for a filename such as / or \\ or :\n // that we need to replace with a valid character.\n // replace / or \\ or : with _\n const sanitizedCommonName = commonName.replace(forbiddenChars, \"_\");\n return `${sanitizedCommonName}[${fingerprint}]`;\n } catch (_err) {\n // make be certificate is incorrect !\n return `invalid_certificate_[${fingerprint}]`;\n }\n}\nfunction findMatchingIssuerKey(entries: Entry[], wantedIssuerKey: string): Entry[] {\n return entries.filter((entry) => {\n const info = getOrComputeInfo(entry);\n return info.tbsCertificate.extensions && info.tbsCertificate.extensions.subjectKeyIdentifier === wantedIssuerKey;\n });\n}\n\nfunction isSelfSigned2(info: CertificateInternals): boolean {\n return (\n info.tbsCertificate.extensions?.subjectKeyIdentifier ===\n info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier\n );\n}\n\nfunction isSelfSigned3(certificate: Buffer): boolean {\n const info = exploreCertificateCached(certificate);\n return isSelfSigned2(info);\n}\n\n/*\n Find the issuer certificate for a given certificate within\n * a provided certificate chain.\n \n @param certificate - the DER-encoded certificate whose issuer to find\n * @param chain - candidate issuer certificates to search\n * @returns the matching issuer certificate, or `null` if not found\n /\nexport function findIssuerCertificateInChain(certificate: Certificate, chain: Certificate[]): Certificate \| null {\n if (!certificate) {\n return null;\n }\n const certInfo = exploreCertificateCached(certificate);\n\n // istanbul ignore next\n if (isSelfSigned2(certInfo)) {\n // the certificate is self signed so is it's own issuer.\n return certificate;\n }\n const wantedIssuerKey = certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;\n\n // istanbul ignore next\n if (!wantedIssuerKey) {\n // Certificate has no extension 3 ! the certificate might have been generated by an old system\n debugLog(\"Certificate has no extension 3\");\n return null;\n }\n const potentialIssuers = chain.filter((c) => {\n const info = exploreCertificateCached(c);\n return info.tbsCertificate.extensions && info.tbsCertificate.extensions.subjectKeyIdentifier === wantedIssuerKey;\n });\n\n if (potentialIssuers.length === 1) {\n return potentialIssuers[0];\n }\n if (potentialIssuers.length > 1) {\n debugLog(\"findIssuerCertificateInChain: certificate is not self-signed but has several issuers\");\n return potentialIssuers[0];\n }\n return null;\n}\n\n/\n Lifecycle state of a {@link CertificateManager} instance.\n /\nexport enum CertificateManagerState {\n Uninitialized = 0,\n Initializing = 1,\n Initialized = 2,\n Disposing = 3,\n Disposed = 4\n}\n/\n Manages a GDS-compliant PKI directory structure for an OPC UA\n * application.\n \n The PKI store layout follows the OPC UA specification:\n \n ```\n * <location>/\n * ├── own/\n * │ ├── certs/ Own certificate(s)\n * │ └── private/ Own private key\n * ├── trusted/\n * │ ├── certs/ Trusted peer certificates\n * │ └── crl/ CRLs for trusted certs\n * ├── rejected/ Untrusted / rejected certificates\n * └── issuers/\n * ├── certs/ CA (issuer) certificates\n * └── crl/ CRLs for issuer certificates\n * ```\n \n File-system watchers keep the in-memory indexes in sync with\n * on-disk changes. Call {@link dispose} when the instance is no\n * longer needed to release watchers and allow the process to\n * exit cleanly.\n \n ## Environment Variables\n \n - `OPCUA_PKI_USE_POLLING` — set to `\"true\"` to use\n * polling-based file watching instead of native OS events.\n * Useful for NFS, CIFS, Docker volumes, or other remote /\n * virtual file systems where native events are unreliable.\n \n - `OPCUA_PKI_POLLING_INTERVAL` — polling interval in\n * milliseconds (only effective when polling is enabled).\n * Clamped to the range [100, 600 000]. Defaults to\n * {@link folderPollingInterval} (5 000 ms).\n \n @example\n * ```ts\n * const cm = new CertificateManager({ location: \"/var/pki\" });\n * await cm.initialize();\n * const status = await cm.verifyCertificate(cert);\n * await cm.dispose();\n * ```\n /\nexport class CertificateManager extends EventEmitter {\n // ── Global instance registry ─────────────────────────────────\n // Tracks all initialized CertificateManager instances so their\n // file watchers can be closed automatically on process exit,\n // even if the consumer forgets to call dispose().\n static #activeInstances = new Set<CertificateManager>();\n static #cleanupInstalled = false;\n\n static #installProcessCleanup(): void {\n if (CertificateManager.#cleanupInstalled) return;\n CertificateManager.#cleanupInstalled = true;\n\n const closeDanglingWatchers = () => {\n for (const cm of CertificateManager.#activeInstances) {\n for (const w of cm.#watchers) {\n try {\n w.close();\n } catch {\n / best-effort /\n }\n }\n cm.#watchers.splice(0);\n cm.state = CertificateManagerState.Disposed;\n }\n CertificateManager.#activeInstances.clear();\n };\n\n // beforeExit fires when the event loop has no more work.\n // If persistent:false works correctly on watchers, they\n // won't prevent this event from firing.\n process.on(\"beforeExit\", closeDanglingWatchers);\n\n // Also handle external termination signals so watchers\n // are cleaned up before the process exits.\n for (const signal of [\"SIGINT\", \"SIGTERM\"] as const) {\n process.once(signal, () => {\n closeDanglingWatchers();\n process.exit();\n });\n }\n }\n\n /\n Dispose all active CertificateManager instances,\n * closing their file watchers and freeing resources.\n \n This is mainly useful in test tear-down to ensure the\n * Node.js process can exit cleanly.\n /\n public static async disposeAll(): Promise<void> {\n const instances = [...CertificateManager.#activeInstances];\n await Promise.all(instances.map((cm) => CertificateManager.prototype.dispose.call(cm)));\n }\n\n /\n Assert that all CertificateManager instances have been\n * properly disposed. Throws an Error listing the locations\n * of any leaked instances.\n \n Intended for use in test `afterAll()` / `afterEach()`\n * hooks to catch missing `dispose()` calls early.\n \n @example\n * ```ts\n * after(() => {\n * CertificateManager.checkAllDisposed();\n * });\n * ```\n /\n public static checkAllDisposed(): void {\n if (CertificateManager.#activeInstances.size === 0) return;\n const locations = [...CertificateManager.#activeInstances].map((cm) => cm.rootDir);\n throw new Error(\n `${CertificateManager.#activeInstances.size} CertificateManager instance(s) not disposed:\\n - ${locations.join(\"\\n - \")}`\n );\n }\n // ─────────────────────────────────────────────────────────────\n\n /\n When `true` (the default), any certificate that is not\n * already in the trusted or rejected store is automatically\n * written to the rejected folder the first time it is seen.\n /\n public untrustUnknownCertificate = true;\n /* Current lifecycle state of this instance. /\n public state: CertificateManagerState = CertificateManagerState.Uninitialized;\n /* @deprecated Use {@link folderPollingInterval} instead (typo fix). /\n public folderPoolingInterval = 5000;\n\n /* Interval in milliseconds for file-system polling (when enabled). /\n public get folderPollingInterval(): number {\n return this.folderPoolingInterval;\n }\n public set folderPollingInterval(value: number) {\n this.folderPoolingInterval = value;\n }\n\n /* RSA key size used when generating the private key. /\n public readonly keySize: KeySize;\n readonly #location: string;\n readonly #watchers: fs.FSWatcher[] = [];\n readonly #pendingUnrefs: Set<() => void> = new Set();\n #readCertificatesCalled = false;\n readonly #filenameToHash = new Map<string, string>();\n #initializingPromise?: Promise<void>;\n\n readonly #thumbs: Thumbs = {\n rejected: new Map(),\n trusted: new Map(),\n issuers: {\n certs: new Map()\n },\n crl: new Map(),\n issuersCrl: new Map()\n };\n\n /\n Create a new CertificateManager.\n \n The constructor creates the root directory if it does not\n * exist but does not initialise the PKI store — call\n * {@link initialize} before using any other method.\n \n @param options - configuration options\n /\n constructor(options: CertificateManagerOptions) {\n super();\n options.keySize = options.keySize \|\| 2048;\n if (!options.location) {\n throw new Error(\"CertificateManager: missing 'location' option\");\n }\n\n this.#location = makePath(options.location, \"\");\n this.keySize = options.keySize;\n\n mkdirRecursiveSync(options.location);\n\n if (!fs.existsSync(this.#location)) {\n throw new Error(`CertificateManager cannot access location ${this.#location}`);\n }\n }\n\n /* Path to the OpenSSL configuration file. /\n get configFile() {\n return path.join(this.rootDir, \"own/openssl.cnf\");\n }\n\n /* Root directory of the PKI store. /\n get rootDir() {\n return this.#location;\n }\n\n /* Path to the private key file (`own/private/private_key.pem`). /\n get privateKey() {\n return path.join(this.rootDir, \"own/private/private_key.pem\");\n }\n\n /* Path to the OpenSSL random seed file. /\n get randomFile() {\n return path.join(this.rootDir, \"./random.rnd\");\n }\n\n /\n Move a certificate to the rejected store.\n * If the certificate was previously trusted, it will be removed from the trusted folder.\n * @param certificate - the DER-encoded certificate\n /\n public async rejectCertificate(certificate: Certificate): Promise<void> {\n await this.#moveCertificate(certificate, \"rejected\");\n }\n\n /\n Move a certificate to the trusted store.\n * If the certificate was previously rejected, it will be removed from the rejected folder.\n * @param certificate - the DER-encoded certificate\n /\n public async trustCertificate(certificate: Certificate): Promise<void> {\n await this.#moveCertificate(certificate, \"trusted\");\n }\n\n /* Path to the rejected certificates folder. /\n public get rejectedFolder(): string {\n return path.join(this.rootDir, \"rejected\");\n }\n /* Path to the trusted certificates folder. /\n public get trustedFolder(): string {\n return path.join(this.rootDir, \"trusted/certs\");\n }\n /* Path to the trusted CRL folder. /\n public get crlFolder(): string {\n return path.join(this.rootDir, \"trusted/crl\");\n }\n /* Path to the issuer (CA) certificates folder. /\n public get issuersCertFolder(): string {\n return path.join(this.rootDir, \"issuers/certs\");\n }\n /* Path to the issuer CRL folder. /\n public get issuersCrlFolder(): string {\n return path.join(this.rootDir, \"issuers/crl\");\n }\n /* Path to the own certificate folder. /\n public get ownCertFolder(): string {\n return path.join(this.rootDir, \"own/certs\");\n }\n public get ownPrivateFolder(): string {\n return path.join(this.rootDir, \"own/private\");\n }\n\n /\n Check if a certificate is in the trusted store.\n * If the certificate is unknown and `untrustUnknownCertificate` is set,\n * it will be written to the rejected folder.\n * @param certificate - the DER-encoded certificate\n * @returns `\"Good\"` if trusted, `\"BadCertificateUntrusted\"` if rejected/unknown,\n * or `\"BadCertificateInvalid\"` if the certificate cannot be parsed.\n /\n public async isCertificateTrusted(certificate: Certificate): Promise<string> {\n const fingerprint = makeFingerprint(certificate) as Thumbprint;\n\n if (this.#thumbs.trusted.has(fingerprint)) {\n return \"Good\";\n }\n\n if (!this.#thumbs.rejected.has(fingerprint)) {\n if (!this.untrustUnknownCertificate) {\n return \"Good\";\n }\n // Verify structure before writing — don't persist invalid data\n try {\n exploreCertificateInfo(certificate);\n } catch (_err) {\n return \"BadCertificateInvalid\";\n }\n const filename = path.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);\n debugLog(\"certificate has never been seen before and is now rejected (untrusted) \", filename);\n await fsWriteFile(filename, toPem(certificate, \"CERTIFICATE\"));\n this.#thumbs.rejected.set(fingerprint, { certificate, filename });\n }\n return \"BadCertificateUntrusted\";\n }\n async #innerVerifyCertificateAsync(\n certificate: Certificate,\n _isIssuer: boolean,\n level: number,\n options: VerifyCertificateOptions\n ): Promise<VerificationStatus> {\n if (level >= 5) {\n // maximum level of certificate in chain reached !\n return VerificationStatus.BadSecurityChecksFailed;\n }\n const chain = split_der(certificate);\n debugLog(\"NB CERTIFICATE IN CHAIN = \", chain.length);\n const info = exploreCertificateCached(chain[0]);\n\n let hasValidIssuer = false;\n let hasTrustedIssuer = false;\n // check if certificate is attached to a issuer\n const hasIssuerKey = info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;\n debugLog(\"Certificate as an Issuer Key\", hasIssuerKey);\n\n if (hasIssuerKey) {\n const isSelfSigned = isSelfSigned2(info);\n\n debugLog(\"Is the Certificate self-signed ?\", isSelfSigned);\n if (!isSelfSigned) {\n debugLog(\n \"Is issuer found in the list of know issuers ?\",\n \"\\n subjectKeyIdentifier = \",\n info.tbsCertificate.extensions?.subjectKeyIdentifier,\n \"\\n authorityKeyIdentifier = \",\n info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier\n );\n let issuerCertificate = await this.findIssuerCertificate(chain[0]);\n if (!issuerCertificate) {\n // the issuer has not been found in the list of trusted certificate\n // may be the issuer certificate is in the chain itself ?\n issuerCertificate = findIssuerCertificateInChain(chain[0], chain);\n if (!issuerCertificate) {\n debugLog(\n \" the issuer has not been found in the chain itself nor in the issuer.cert list => the chain is incomplete!\"\n );\n return VerificationStatus.BadCertificateChainIncomplete;\n }\n debugLog(\" the issuer certificate has been found in the chain itself ! the chain is complete !\");\n } else {\n debugLog(\" the issuer certificate has been found in the issuer.cert folder !\");\n }\n const issuerStatus = await this.#innerVerifyCertificateAsync(issuerCertificate, true, level + 1, options);\n if (issuerStatus === VerificationStatus.BadCertificateRevocationUnknown) {\n // the issuer must have a CRL available .... !\n return VerificationStatus.BadCertificateIssuerRevocationUnknown;\n }\n if (issuerStatus === VerificationStatus.BadCertificateIssuerRevocationUnknown) {\n // the issuer must have a CRL available .... !\n return VerificationStatus.BadCertificateIssuerRevocationUnknown;\n }\n if (issuerStatus === VerificationStatus.BadCertificateTimeInvalid) {\n if (!options \|\| !options.acceptOutDatedIssuerCertificate) {\n // the issuer must have valid dates ....\n return VerificationStatus.BadCertificateIssuerTimeInvalid;\n }\n }\n if (issuerStatus === VerificationStatus.BadCertificateUntrusted) {\n debugLog(\"warning issuerStatus = \", issuerStatus.toString(), \"the issuer certificate is not trusted\");\n // return VerificationStatus.BadSecurityChecksFailed;\n }\n\n if (issuerStatus !== VerificationStatus.Good && issuerStatus !== VerificationStatus.BadCertificateUntrusted) {\n // if the issuer has other issue => let's drop!\n return VerificationStatus.BadSecurityChecksFailed;\n }\n // verify that certificate was signed by issuer\n const isCertificateSignatureOK = verifyCertificateSignature(certificate, issuerCertificate);\n if (!isCertificateSignatureOK) {\n debugLog(\" the certificate was not signed by the issuer as it claim to be ! Danger\");\n return VerificationStatus.BadSecurityChecksFailed;\n }\n hasValidIssuer = true;\n\n // let detected if our certificate is in the revocation list\n let revokedStatus = await this.isCertificateRevoked(certificate);\n if (revokedStatus === VerificationStatus.BadCertificateRevocationUnknown) {\n if (options?.ignoreMissingRevocationList) {\n // continue as if the certificate was not revoked\n revokedStatus = VerificationStatus.Good;\n }\n }\n if (revokedStatus !== VerificationStatus.Good) {\n // certificate is revoked !!!\n debugLog(\"revokedStatus\", revokedStatus);\n return revokedStatus;\n }\n\n // let check if the issuer is explicitly trusted\n const issuerTrustedStatus = await this.#checkRejectedOrTrusted(issuerCertificate);\n debugLog(\"issuerTrustedStatus\", issuerTrustedStatus);\n\n if (issuerTrustedStatus === \"unknown\") {\n hasTrustedIssuer = false;\n } else if (issuerTrustedStatus === \"trusted\") {\n hasTrustedIssuer = true;\n } else if (issuerTrustedStatus === \"rejected\") {\n // we should never get there: this should have been detected before !!!\n return VerificationStatus.BadSecurityChecksFailed;\n }\n } else {\n // verify that certificate was signed by issuer (self in this case)\n const isCertificateSignatureOK = verifyCertificateSignature(certificate, certificate);\n if (!isCertificateSignatureOK) {\n debugLog(\"Self-signed Certificate signature is not valid\");\n return VerificationStatus.BadSecurityChecksFailed;\n }\n const revokedStatus = await this.isCertificateRevoked(certificate);\n debugLog(\"revokedStatus of self signed certificate:\", revokedStatus);\n }\n }\n\n const status = await this.#checkRejectedOrTrusted(certificate);\n if (status === \"rejected\") {\n if (!(options.acceptCertificateWithValidIssuerChain && hasValidIssuer && hasTrustedIssuer)) {\n return VerificationStatus.BadCertificateUntrusted;\n }\n }\n const _c2 = chain[1] ? exploreCertificateInfo(chain[1]) : \"non\";\n debugLog(\"chain[1] info=\", _c2);\n\n // Has SoftwareCertificate passed its issue date and has it not expired ?\n // check dates\n const certificateInfo = exploreCertificateInfo(certificate);\n const now = new Date();\n\n let isTimeInvalid = false;\n // check that certificate is active\n if (certificateInfo.notBefore.getTime() > now.getTime()) {\n // certificate is not active yet\n debugLog(\n `${chalk.red(\"certificate is invalid : certificate is not active yet !\")} not before date =${certificateInfo.notBefore}`\n );\n if (!options.acceptPendingCertificate) {\n isTimeInvalid = true;\n }\n }\n\n // check that certificate has not expired\n if (certificateInfo.notAfter.getTime() <= now.getTime()) {\n // certificate is obsolete\n debugLog(\n `${chalk.red(\"certificate is invalid : certificate has expired !\")} not after date =${certificateInfo.notAfter}`\n );\n if (!options.acceptOutdatedCertificate) {\n isTimeInvalid = true;\n }\n }\n if (status === \"trusted\") {\n return isTimeInvalid ? VerificationStatus.BadCertificateTimeInvalid : VerificationStatus.Good;\n }\n // status should be \"unknown\" or \"rejected\" (bypassed) at this point\n if (hasIssuerKey) {\n if (!hasTrustedIssuer) {\n return VerificationStatus.BadCertificateUntrusted;\n }\n if (!hasValidIssuer) {\n return VerificationStatus.BadCertificateUntrusted;\n }\n if (!options.acceptCertificateWithValidIssuerChain) {\n // strict mode: the leaf cert is not in the trusted store\n return VerificationStatus.BadCertificateUntrusted;\n }\n return isTimeInvalid ? VerificationStatus.BadCertificateTimeInvalid : VerificationStatus.Good;\n } else {\n return VerificationStatus.BadCertificateUntrusted;\n }\n }\n\n /\n Internal verification hook called by {@link verifyCertificate}.\n \n Subclasses can override this to inject additional validation\n * logic (e.g. application-level policy checks) while still\n * delegating to the default chain/CRL/trust verification.\n \n @param certificate - the DER-encoded certificate to verify\n * @param options - verification options forwarded from the\n * public API\n * @returns the verification status code\n /\n protected async verifyCertificateAsync(\n certificate: Certificate,\n options: VerifyCertificateOptions\n ): Promise<VerificationStatus> {\n const status1 = await this.#innerVerifyCertificateAsync(certificate, false, 0, options);\n return status1;\n }\n\n /\n Verify a certificate against the PKI trust store.\n \n This performs a full validation including trust status,\n * issuer chain, CRL revocation checks, and time validity.\n \n @param certificate - the DER-encoded certificate to verify\n * @param options - optional flags to relax validation rules\n * @returns the verification status code\n /\n public async verifyCertificate(certificate: Certificate, options?: VerifyCertificateOptions): Promise<VerificationStatus> {\n // Is the signature on the SoftwareCertificate valid .?\n if (!certificate) {\n // missing certificate\n return VerificationStatus.BadSecurityChecksFailed;\n }\n try {\n const status = await this.verifyCertificateAsync(certificate, options \|\| {});\n return status;\n } catch (error) {\n warningLog(`verifyCertificate error: ${(error as Error).message}`);\n return VerificationStatus.BadCertificateInvalid;\n }\n }\n\n /\n Initialize the PKI directory structure, generate the\n * private key (if missing), and start file-system watchers.\n \n This method is idempotent — subsequent calls are no-ops.\n * It must be called before any certificate operations.\n /\n public async initialize(): Promise<void> {\n if (this.state !== CertificateManagerState.Uninitialized) {\n return;\n }\n this.state = CertificateManagerState.Initializing;\n this.#initializingPromise = this.#initialize();\n await this.#initializingPromise;\n this.#initializingPromise = undefined;\n this.state = CertificateManagerState.Initialized;\n\n // Register for automatic cleanup on process exit\n CertificateManager.#activeInstances.add(this);\n CertificateManager.#installProcessCleanup();\n }\n async #initialize(): Promise<void> {\n this.state = CertificateManagerState.Initializing;\n const pkiDir = this.#location;\n mkdirRecursiveSync(pkiDir);\n mkdirRecursiveSync(path.join(pkiDir, \"own\"));\n mkdirRecursiveSync(path.join(pkiDir, \"own/certs\"));\n mkdirRecursiveSync(path.join(pkiDir, \"own/private\"));\n mkdirRecursiveSync(path.join(pkiDir, \"rejected\"));\n mkdirRecursiveSync(path.join(pkiDir, \"trusted\"));\n mkdirRecursiveSync(path.join(pkiDir, \"trusted/certs\"));\n mkdirRecursiveSync(path.join(pkiDir, \"trusted/crl\"));\n\n mkdirRecursiveSync(path.join(pkiDir, \"issuers\"));\n mkdirRecursiveSync(path.join(pkiDir, \"issuers/certs\")); // contains Trusted CA certificates\n mkdirRecursiveSync(path.join(pkiDir, \"issuers/crl\")); // contains CRL of revoked CA certificates\n\n if (!fs.existsSync(this.configFile) \|\| !fs.existsSync(this.privateKey)) {\n return await this.withLock2(async () => {\n if (this.state === CertificateManagerState.Disposing \|\| this.state === CertificateManagerState.Disposed) {\n return;\n }\n\n if (!fs.existsSync(this.configFile)) {\n fs.writeFileSync(this.configFile, configurationFileSimpleTemplate);\n }\n // note : openssl 1.1.1 has a bug that causes a failure if\n // random file cannot be found. (should be fixed in 1.1.1.a)\n // if this issue become important we may have to consider checking that rndFile exists and recreate\n // it if not . this could be achieved with the command :\n // \"openssl rand -writerand ${this.randomFile}\"\n //\n // cf: https://github.com/node-opcua/node-opcua/issues/554\n\n if (!fs.existsSync(this.privateKey)) {\n debugLog(\"generating private key ...\");\n // setEnv(\"RANDFILE\", this.randomFile);\n await generatePrivateKeyFile(this.privateKey, this.keySize);\n await this.#readCertificates();\n } else {\n // debugLog(\" initialize : private key already exists ... skipping\");\n await this.#readCertificates();\n }\n });\n } else {\n await this.#readCertificates();\n }\n }\n\n /\n Dispose of the CertificateManager, releasing file watchers\n * and other resources. The instance should not be used after\n * calling this method.\n /\n public async dispose(): Promise<void> {\n if (this.state === CertificateManagerState.Disposing) {\n throw new Error(\"Already disposing\");\n }\n\n if (this.state === CertificateManagerState.Uninitialized) {\n this.state = CertificateManagerState.Disposed;\n return;\n }\n\n // Wait for initialization to complete before disposing\n if (this.state === CertificateManagerState.Initializing) {\n if (this.#initializingPromise) {\n await this.#initializingPromise;\n }\n }\n\n try {\n this.state = CertificateManagerState.Disposing;\n // Ensure all fs.watch handles are unref'd even if\n // chokidar hasn't reached \"ready\" yet.\n for (const unreff of this.#pendingUnrefs) {\n unreff();\n }\n this.#pendingUnrefs.clear();\n await Promise.all(this.#watchers.map((w) => w.close()));\n this.#watchers.forEach((w) => {\n w.removeAllListeners();\n });\n this.#watchers.splice(0);\n } finally {\n this.state = CertificateManagerState.Disposed;\n CertificateManager.#activeInstances.delete(this);\n }\n }\n\n /\n Force a full re-scan of all PKI folders, rebuilding\n * the in-memory `_thumbs` index from scratch.\n \n Call this after external processes have modified the\n * PKI folders (e.g. via `writeTrustList` or CLI tools)\n * to ensure the CertificateManager sees the latest\n * state without waiting for file-system events.\n /\n public async reloadCertificates(): Promise<void> {\n // Close existing watchers\n await Promise.all(this.#watchers.map((w) => w.close()));\n for (const w of this.#watchers) {\n w.removeAllListeners();\n }\n this.#watchers.splice(0);\n\n // Clear in-memory indexes\n this.#thumbs.rejected.clear();\n this.#thumbs.trusted.clear();\n this.#thumbs.issuers.certs.clear();\n this.#thumbs.crl.clear();\n this.#thumbs.issuersCrl.clear();\n this.#filenameToHash.clear();\n\n // Re-scan all folders\n this.#readCertificatesCalled = false;\n await this.#readCertificates();\n }\n\n protected async withLock2<T>(action: () => Promise<T>): Promise<T> {\n const lockFileName = path.join(this.rootDir, \"mutex\");\n return withLock<T>({ fileToLock: lockFileName }, async () => {\n return await action();\n });\n }\n /\n Create a self-signed certificate for this PKI's private key.\n \n The certificate is written to `params.outputFile` or\n * `own/certs/self_signed_certificate.pem` by default.\n \n @param params - certificate parameters (subject, SANs,\n * validity, etc.)\n /\n public async createSelfSignedCertificate(params: CreateSelfSignCertificateParam1): Promise<void> {\n if (typeof params.applicationUri !== \"string\") {\n throw new Error(\"createSelfSignedCertificate: expecting applicationUri to be a string\");\n }\n if (!fs.existsSync(this.privateKey)) {\n throw new Error(`Cannot find private key ${this.privateKey}`);\n }\n let certificateFilename = path.join(this.rootDir, \"own/certs/self_signed_certificate.pem\");\n certificateFilename = params.outputFile \|\| certificateFilename;\n\n const _params = params as unknown as CreateSelfSignCertificateWithConfigParam;\n _params.rootDir = this.rootDir;\n _params.configFile = this.configFile;\n _params.privateKey = this.privateKey;\n\n _params.subject = params.subject \|\| \"CN=FIXME\";\n await this.withLock2(async () => {\n await createSelfSignedCertificate(certificateFilename, _params);\n });\n }\n\n /\n Create a Certificate Signing Request (CSR) using this\n * PKI's private key and configuration.\n \n The CSR file is written to `own/certs/` with a timestamped\n * filename.\n \n @param params - CSR parameters (subject, SANs)\n * @returns the filesystem path to the generated CSR file\n /\n public async createCertificateRequest(params: CreateSelfSignCertificateParam): Promise<Filename> {\n if (!params) {\n throw new Error(\"params is required\");\n }\n const _params = params as CreateSelfSignCertificateWithConfigParam;\n if (Object.prototype.hasOwnProperty.call(_params, \"rootDir\")) {\n throw new Error(\"rootDir should not be specified \");\n }\n _params.rootDir = path.resolve(this.rootDir);\n _params.configFile = path.resolve(this.configFile);\n _params.privateKey = path.resolve(this.privateKey);\n\n return await this.withLock2<string>(async () => {\n // compose a file name for the request\n const now = new Date();\n const today = `${now.toISOString().slice(0, 10)}_${now.getTime()}`;\n const certificateSigningRequestFilename = path.join(this.rootDir, \"own/certs\", `certificate_${today}.csr`);\n await createCertificateSigningRequestAsync(certificateSigningRequestFilename, _params);\n return certificateSigningRequestFilename;\n });\n }\n\n /\n Add a CA (issuer) certificate to the issuers store.\n * If the certificate is already present, this is a no-op.\n * @param certificate - the DER-encoded CA certificate\n * @param validate - if `true`, verify the certificate before adding\n * @param addInTrustList - if `true`, also add to the trusted store\n * @returns `VerificationStatus.Good` on success\n /\n public async addIssuer(certificate: DER, validate = false, addInTrustList = false): Promise<VerificationStatus> {\n if (validate) {\n const status = await this.verifyCertificate(certificate);\n if (status !== VerificationStatus.Good && status !== VerificationStatus.BadCertificateUntrusted) {\n return status;\n }\n }\n const pemCertificate = toPem(certificate, \"CERTIFICATE\");\n const fingerprint = makeFingerprint(certificate);\n if (this.#thumbs.issuers.certs.has(fingerprint)) {\n // already in .. simply ignore\n return VerificationStatus.Good;\n }\n // write certificate\n const filename = path.join(this.issuersCertFolder, `issuer_${buildIdealCertificateName(certificate)}.pem`);\n await fs.promises.writeFile(filename, pemCertificate, \"ascii\");\n\n // first time seen, let's save it.\n this.#thumbs.issuers.certs.set(fingerprint, { certificate, filename });\n\n if (addInTrustList) {\n // add certificate in the trust list as well\n await this.trustCertificate(certificate);\n }\n\n return VerificationStatus.Good;\n }\n\n /\n Add a CRL to the certificate manager.\n * @param crl - the CRL to add\n * @param target - \"issuers\" (default) writes to issuers/crl, \"trusted\" writes to trusted/crl\n /\n public async addRevocationList(\n crl: CertificateRevocationList,\n target: \"issuers\" \| \"trusted\" = \"issuers\"\n ): Promise<VerificationStatus> {\n return await this.withLock2<VerificationStatus>(async () => {\n try {\n const index = target === \"trusted\" ? this.#thumbs.crl : this.#thumbs.issuersCrl;\n const folder = target === \"trusted\" ? this.crlFolder : this.issuersCrlFolder;\n\n const crlInfo = exploreCertificateRevocationList(crl);\n const key = crlInfo.tbsCertList.issuerFingerprint;\n if (!index.has(key)) {\n index.set(key, { crls: [], serialNumbers: {} });\n }\n const pemCertificate = toPem(crl, \"X509 CRL\");\n const filename = path.join(folder, `crl_${buildIdealCertificateName(crl)}.pem`);\n await fs.promises.writeFile(filename, pemCertificate, \"ascii\");\n\n await this.#onCrlFileAdded(index, filename);\n\n await this.#waitAndCheckCRLProcessingStatus();\n\n return VerificationStatus.Good;\n } catch (err) {\n debugLog(err);\n return VerificationStatus.BadSecurityChecksFailed;\n }\n });\n }\n\n /\n Remove all CRL files from the specified folder(s) and clear the\n * corresponding in-memory index.\n * @param target - \"issuers\" clears issuers/crl, \"trusted\" clears\n * trusted/crl, \"all\" clears both.\n /\n public async clearRevocationLists(target: \"issuers\" \| \"trusted\" \| \"all\"): Promise<void> {\n const clearFolder = async (folder: string, index: Map<string, CRLData>) => {\n try {\n const files = await fs.promises.readdir(folder);\n for (const file of files) {\n const ext = path.extname(file).toLowerCase();\n if (ext === \".crl\" \|\| ext === \".pem\" \|\| ext === \".der\") {\n await fs.promises.unlink(path.join(folder, file));\n }\n }\n } catch (err: unknown) {\n if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") {\n throw err;\n }\n }\n index.clear();\n };\n\n if (target === \"issuers\" \|\| target === \"all\") {\n await clearFolder(this.issuersCrlFolder, this.#thumbs.issuersCrl);\n }\n if (target === \"trusted\" \|\| target === \"all\") {\n await clearFolder(this.crlFolder, this.#thumbs.crl);\n }\n }\n\n /\n Check whether an issuer certificate with the given thumbprint\n * is already registered.\n * @param thumbprint - hex-encoded SHA-1 thumbprint (lowercase)\n /\n public async hasIssuer(thumbprint: string): Promise<boolean> {\n await this.#readCertificates();\n const normalized = thumbprint.toLowerCase();\n return this.#thumbs.issuers.certs.has(normalized);\n }\n\n /\n Remove a trusted certificate identified by its SHA-1 thumbprint.\n * Deletes the file on disk and removes the entry from the\n * in-memory index.\n * @param thumbprint - hex-encoded SHA-1 thumbprint (lowercase)\n * @returns the removed certificate buffer, or `null` if not found\n /\n public async removeTrustedCertificate(thumbprint: string): Promise<Certificate \| null> {\n await this.#readCertificates();\n const normalized = thumbprint.toLowerCase();\n const entry = this.#thumbs.trusted.get(normalized);\n if (!entry) {\n return null;\n }\n try {\n await fs.promises.unlink(entry.filename);\n } catch (err: unknown) {\n if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") {\n throw err;\n }\n }\n this.#thumbs.trusted.delete(normalized);\n return entry.certificate;\n }\n\n /\n Remove an issuer certificate identified by its SHA-1 thumbprint.\n * Deletes the file on disk and removes the entry from the\n * in-memory index.\n * @param thumbprint - hex-encoded SHA-1 thumbprint (lowercase)\n * @returns the removed certificate buffer, or `null` if not found\n /\n public async removeIssuer(thumbprint: string): Promise<Certificate \| null> {\n await this.#readCertificates();\n const normalized = thumbprint.toLowerCase();\n const entry = this.#thumbs.issuers.certs.get(normalized);\n if (!entry) {\n return null;\n }\n try {\n await fs.promises.unlink(entry.filename);\n } catch (err: unknown) {\n if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") {\n throw err;\n }\n }\n this.#thumbs.issuers.certs.delete(normalized);\n return entry.certificate;\n }\n\n /\n Remove all CRL files that were issued by the given CA certificate\n * from the specified folder (or both).\n * @param issuerCertificate - the CA certificate whose CRLs to remove\n * @param target - \"issuers\", \"trusted\", or \"all\" (default \"all\")\n /\n public async removeRevocationListsForIssuer(\n issuerCertificate: Certificate,\n target: \"issuers\" \| \"trusted\" \| \"all\" = \"all\"\n ): Promise<void> {\n const issuerInfo = exploreCertificateCached(issuerCertificate);\n const issuerFingerprint = issuerInfo.tbsCertificate.subjectFingerPrint;\n\n const processIndex = async (index: Map<string, CRLData>) => {\n const crlData = index.get(issuerFingerprint);\n if (!crlData) return;\n for (const crlEntry of crlData.crls) {\n try {\n await fs.promises.unlink(crlEntry.filename);\n } catch (err: unknown) {\n if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") {\n throw err;\n }\n }\n }\n index.delete(issuerFingerprint);\n };\n\n if (target === \"issuers\" \|\| target === \"all\") {\n await processIndex(this.#thumbs.issuersCrl);\n }\n if (target === \"trusted\" \|\| target === \"all\") {\n await processIndex(this.#thumbs.crl);\n }\n }\n\n /\n Validate a certificate (optionally with its chain) and add\n * the leaf certificate to the trusted store.\n \n The certificate buffer may contain a single certificate or a\n * full chain (leaf + issuer certificates concatenated in DER).\n * Only the leaf certificate is added to the trusted store.\n \n When the chain contains issuer certificates, this method\n * verifies that each issuer is already registered via\n * {@link addIssuer} before trusting the leaf.\n \n If one of the certificates in the chain is not registered in the issuers store,\n * the leaf certificate will be rejected.\n \n @param certificateChain - DER-encoded certificate or chain\n * @returns `VerificationStatus.Good` on success, or an error\n * status indicating why the certificate was rejected.\n /\n public async addTrustedCertificateFromChain(certificateChain: Certificate): Promise<VerificationStatus> {\n const certificates = split_der(certificateChain);\n const leafCertificate = certificates[0];\n\n // Structural validation — can we parse it?\n try {\n exploreCertificateCached(leafCertificate);\n } catch (_err) {\n return VerificationStatus.BadCertificateInvalid;\n }\n\n // Lightweight chain validation — verify the certificate\n // structure and signature without trust-store side-effects\n const result = await verifyCertificateChain([leafCertificate]);\n if (result.status !== \"Good\") {\n return VerificationStatus.BadCertificateInvalid;\n }\n\n // If a chain was provided, verify that every issuer in the\n // chain is already registered in the issuers store.\n // if one of the certificates in the chain is not registered in the issuers store,\n // the certificate will be rejected.\n if (certificates.length > 1) {\n // Re-scan the issuers folder to pick up certificates\n // added directly to disk (e.g. by GDS push or external\n // tooling) that the file-system watcher may not have\n // delivered yet.\n await this.#scanCertFolder(this.issuersCertFolder, this.#thumbs.issuers.certs);\n for (const issuerCert of certificates.slice(1)) {\n const thumbprint = makeFingerprint(issuerCert);\n if (!(await this.hasIssuer(thumbprint))) {\n // this issuer certificate is not registered in the issuers store\n // reject the leaf certificate\n return VerificationStatus.BadCertificateChainIncomplete;\n }\n }\n }\n\n // All checks passed — trust the leaf certificate\n await this.trustCertificate(leafCertificate);\n return VerificationStatus.Good;\n }\n\n /\n Check whether an issuer certificate is still needed by any\n * certificate in the trusted store.\n \n This is used before removing an issuer to ensure that\n * doing so would not break the chain of any trusted\n * certificate.\n \n @param issuerCertificate - the CA certificate to check\n * @returns `true` if at least one trusted certificate was\n * signed by this issuer.\n /\n public async isIssuerInUseByTrustedCertificate(issuerCertificate: Certificate): Promise<boolean> {\n await this.#readCertificates();\n for (const entry of this.#thumbs.trusted.values()) {\n if (!entry.certificate) continue;\n try {\n if (verifyCertificateSignature(entry.certificate, issuerCertificate)) {\n return true;\n }\n } catch (_err) {\n // Skip certificates that can't be verified\n }\n }\n return false;\n }\n\n /\n find the issuer certificate among the trusted issuer certificates.\n \n The findIssuerCertificate method is an asynchronous method that attempts to find\n * the issuer certificate for a given certificate from the list of issuer certificate declared in the PKI\n \n - If the certificate is self-signed, it returns the certificate itself.\n \n - If the certificate has no extension 3, it is assumed to be generated by an old system, and a null value is returned.\n \n - the method checks both issuer and trusted certificates and returns the appropriate issuercertificate,\n * if found. If multiple matching certificates are found, a warning is logged to the console.\n \n /\n public async findIssuerCertificate(certificate: Certificate): Promise<Certificate \| null> {\n const certInfo = exploreCertificateCached(certificate);\n\n if (isSelfSigned2(certInfo)) {\n // the certificate is self signed so is it's own issuer.\n return certificate;\n }\n\n const wantedIssuerKey = certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;\n\n if (!wantedIssuerKey) {\n // Certificate has no extension 3 ! the certificate might have been generated by an old system\n debugLog(\"Certificate has no extension 3\");\n return null;\n }\n\n const issuerCertificates = [...this.#thumbs.issuers.certs.values()];\n\n const selectedIssuerCertificates = findMatchingIssuerKey(issuerCertificates, wantedIssuerKey);\n\n if (selectedIssuerCertificates.length > 0) {\n if (selectedIssuerCertificates.length > 1) {\n warningLog(\"Warning more than one issuer certificate exists with subjectKeyIdentifier \", wantedIssuerKey);\n }\n return selectedIssuerCertificates[0].certificate \|\| null;\n }\n // check also in trusted list\n const trustedCertificates = [...this.#thumbs.trusted.values()];\n const selectedTrustedCertificates = findMatchingIssuerKey(trustedCertificates, wantedIssuerKey);\n\n if (selectedTrustedCertificates.length > 1) {\n warningLog(\n \"Warning more than one certificate exists with subjectKeyIdentifier in trusted certificate list \",\n wantedIssuerKey,\n selectedTrustedCertificates.length\n );\n }\n return selectedTrustedCertificates.length > 0 ? selectedTrustedCertificates[0].certificate : null;\n }\n\n /*\n \n * check if the certificate explicitly appear in the trust list, the reject list or none.\n * In case of being in the reject and trusted list at the same time is consider: rejected.\n * @internal\n * @private\n /\n async #checkRejectedOrTrusted(certificate: Buffer): Promise<CertificateStatus> {\n const fingerprint = makeFingerprint(certificate);\n\n debugLog(\"#checkRejectedOrTrusted fingerprint \", short(fingerprint));\n\n await this.#readCertificates();\n\n if (this.#thumbs.rejected.has(fingerprint)) {\n return \"rejected\";\n }\n if (this.#thumbs.trusted.has(fingerprint)) {\n return \"trusted\";\n }\n return \"unknown\";\n }\n\n async #moveCertificate(certificate: Certificate, newStatus: CertificateStatus) {\n await this.withLock2(async () => {\n const fingerprint = makeFingerprint(certificate);\n\n let status = await this.#checkRejectedOrTrusted(certificate);\n if (status === \"unknown\") {\n // # unknown mean rejected\n const pem = toPem(certificate, \"CERTIFICATE\");\n const filename = path.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);\n await fs.promises.writeFile(filename, pem);\n this.#thumbs.rejected.set(fingerprint, { certificate, filename });\n status = \"rejected\";\n }\n\n debugLog(\"#moveCertificate\", fingerprint.substring(0, 10), \"from\", status, \"to\", newStatus);\n\n if (status !== \"rejected\" && status !== \"trusted\") {\n throw new Error(`#moveCertificate: unexpected status '${status}' for certificate ${fingerprint.substring(0, 10)}`);\n }\n\n if (status !== newStatus) {\n const indexSrc = status === \"rejected\" ? this.#thumbs.rejected : this.#thumbs.trusted;\n const srcEntry = indexSrc.get(fingerprint);\n\n if (!srcEntry) {\n debugLog(\" cannot find certificate \", fingerprint.substring(0, 10), \" in\", status);\n throw new Error(`#moveCertificate: certificate ${fingerprint.substring(0, 10)} not found in ${status} index`);\n }\n const destFolder = newStatus === \"trusted\" ? this.trustedFolder : this.rejectedFolder;\n const certificateDest = path.join(destFolder, path.basename(srcEntry.filename));\n\n debugLog(\"#moveCertificate\", fingerprint.substring(0, 10), \"old name\", srcEntry.filename);\n debugLog(\"#moveCertificate\", fingerprint.substring(0, 10), \"new name\", certificateDest);\n await fs.promises.rename(srcEntry.filename, certificateDest);\n indexSrc.delete(fingerprint);\n const indexDest = newStatus === \"trusted\" ? this.#thumbs.trusted : this.#thumbs.rejected;\n indexDest.set(fingerprint, { certificate, filename: certificateDest });\n }\n });\n }\n #findAssociatedCRLs(issuerCertificate: Certificate): CRLData \| null {\n const issuerCertificateInfo = exploreCertificateCached(issuerCertificate);\n const key = issuerCertificateInfo.tbsCertificate.subjectFingerPrint;\n return this.#thumbs.issuersCrl.get(key) ?? this.#thumbs.crl.get(key) ?? null;\n }\n\n /\n Check whether a certificate has been revoked by its issuer's CRL.\n \n - Self-signed certificates are never considered revoked.\n * - If no `issuerCertificate` is provided, the method attempts\n * to find it via {@link findIssuerCertificate}.\n \n @param certificate - the DER-encoded certificate to check\n * @param issuerCertificate - optional issuer certificate; looked\n * up automatically when omitted\n * @returns `Good` if not revoked, `BadCertificateRevoked` if the\n * serial number appears in a CRL,\n * `BadCertificateRevocationUnknown` if no CRL is available,\n * or `BadCertificateChainIncomplete` if the issuer cannot be\n * found.\n /\n public async isCertificateRevoked(\n certificate: Certificate,\n issuerCertificate?: Certificate \| null\n ): Promise<VerificationStatus> {\n if (isSelfSigned3(certificate)) {\n return VerificationStatus.Good;\n }\n\n if (!issuerCertificate) {\n issuerCertificate = await this.findIssuerCertificate(certificate);\n }\n if (!issuerCertificate) {\n return VerificationStatus.BadCertificateChainIncomplete;\n }\n const crls = this.#findAssociatedCRLs(issuerCertificate);\n\n if (!crls) {\n return VerificationStatus.BadCertificateRevocationUnknown;\n }\n const certInfo = exploreCertificateCached(certificate);\n const serialNumber =\n certInfo.tbsCertificate.serialNumber \|\| certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.serial \|\| \"\";\n\n const key = certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint \|\| \"<unknown>\";\n const crl2 = this.#thumbs.crl.get(key) ?? null;\n\n if (crls.serialNumbers[serialNumber] \|\| crl2?.serialNumbers[serialNumber]) {\n return VerificationStatus.BadCertificateRevoked;\n }\n return VerificationStatus.Good;\n }\n\n #pendingCrlToProcess = 0;\n #onCrlProcessWaiters: (() => void)[] = [];\n #queue: { index: Map<string, CRLData>; filename: string }[] = [];\n #onCrlFileAdded(index: Map<string, CRLData>, filename: string) {\n this.#queue.push({ index, filename });\n this.#pendingCrlToProcess += 1;\n if (this.#pendingCrlToProcess === 1) {\n this.#processNextCrl();\n }\n }\n async #processNextCrl() {\n try {\n const nextCRL = this.#queue.shift();\n if (!nextCRL) return;\n const { index, filename } = nextCRL;\n const crl = await readCertificateRevocationList(filename);\n const crlInfo = exploreCertificateRevocationList(crl);\n debugLog(chalk.cyan(\"add CRL in folder \"), filename);\n const fingerprint = crlInfo.tbsCertList.issuerFingerprint;\n if (!index.has(fingerprint)) {\n index.set(fingerprint, { crls: [], serialNumbers: {} });\n }\n const data = index.get(fingerprint) \|\| { crls: [], serialNumbers: {} };\n data.crls.push({ crlInfo, filename });\n\n // now inject serial numbers\n for (const revokedCertificate of crlInfo.tbsCertList.revokedCertificates) {\n const serialNumber = revokedCertificate.userCertificate;\n if (!data.serialNumbers[serialNumber]) {\n data.serialNumbers[serialNumber] = revokedCertificate.revocationDate;\n }\n }\n debugLog(chalk.cyan(\"CRL\"), fingerprint, \"serial numbers = \", Object.keys(data.serialNumbers));\n } catch (err) {\n debugLog(\"CRL filename error =\");\n debugLog(err);\n }\n this.#pendingCrlToProcess -= 1;\n if (this.#pendingCrlToProcess === 0) {\n for (const waiter of this.#onCrlProcessWaiters) {\n waiter();\n }\n this.#onCrlProcessWaiters.length = 0;\n } else {\n this.#processNextCrl();\n }\n }\n async #readCertificates(): Promise<void> {\n if (this.#readCertificatesCalled) {\n return;\n }\n this.#readCertificatesCalled = true;\n\n // Chokidar configuration choices:\n //\n // usePolling: false (default)\n // Use native OS file-system events (inotify on Linux,\n // FSEvents on macOS, ReadDirectoryChangesW on Windows)\n // for near-real-time detection of cert/CRL additions\n // and removals. This is significantly faster than\n // polling (milliseconds vs seconds).\n //\n // Set OPCUA_PKI_USE_POLLING=true to revert to polling\n // for environments where native events are unreliable\n // (NFS, CIFS, Docker volumes, or other remote/virtual\n // file systems).\n //\n // persistent: false\n // Watchers do NOT keep the Node.js event loop alive.\n // This prevents the process from hanging if the\n // CertificateManager is not properly disposed. The\n // trade-off is that watchers stop receiving events if\n // there are no other active handles — acceptable since\n // CertificateManager always runs alongside a server.\n //\n // awaitWriteFinish: not set\n // Certificate and CRL files are small (typically < 5 KB)\n // and written atomically (fs.writeFile). No need to\n // wait for write stabilization, which would add a 2s+\n // delay before the in-memory index is updated.\n //\n const usePolling = process.env.OPCUA_PKI_USE_POLLING === \"true\";\n const envInterval = process.env.OPCUA_PKI_POLLING_INTERVAL\n ? parseInt(process.env.OPCUA_PKI_POLLING_INTERVAL, 10)\n : undefined;\n const pollingInterval = Math.min(10 60 * 1000, Math.max(100, envInterval ?? this.folderPollingInterval));\n const chokidarOptions = {\n usePolling,\n ...(usePolling ? { interval: pollingInterval } : {}),\n persistent: false\n };\n\n // Workaround for chokidar v4 not propagating persistent:false\n // to the underlying fs.watch() handles. Without this, undisposed\n // CertificateManager instances block process exit. We intercept\n // fs.watch() during watcher creation to capture every native\n // handle, then .unref() them once chokidar emits \"ready\".\n // The interception stays active until \"ready\" fires, because\n // on Linux chokidar may create fs.watch handles asynchronously\n // as it discovers subdirectories.\n const createUnreffedWatcher = (folder: string) => {\n const capturedHandles: fs.FSWatcher[] = [];\n const origWatch = fs.watch;\n fs.watch = ((...args: Parameters<typeof fs.watch>) => {\n const handle = origWatch.apply(fs, args);\n capturedHandles.push(handle);\n return handle;\n }) as typeof fs.watch;\n const w = chokidar.watch(folder, chokidarOptions);\n const unreffAll = () => {\n fs.watch = origWatch;\n for (const h of capturedHandles) {\n h.unref();\n }\n };\n return { w, capturedHandles, unreffAll };\n };\n\n // ── Phase 1: Async scan ─────────────────────────────────\n // Populate the in-memory indexes by reading existing\n // files. Uses async readdir/stat to yield the event loop\n // between files. All 5 folders are scanned in parallel.\n await Promise.all([\n this.#scanCertFolder(this.trustedFolder, this.#thumbs.trusted),\n this.#scanCertFolder(this.issuersCertFolder, this.#thumbs.issuers.certs),\n this.#scanCertFolder(this.rejectedFolder, this.#thumbs.rejected),\n this.#scanCrlFolder(this.crlFolder, this.#thumbs.crl),\n this.#scanCrlFolder(this.issuersCrlFolder, this.#thumbs.issuersCrl)\n ]);\n\n // ── Phase 2: Deferred file watchers ─────────────────────\n // Start chokidar watchers in the background. We do NOT\n // await \"ready\" so initialize() returns immediately after\n // the sync scan. Chokidar will re-discover existing files\n // (harmless Map overwrites) then watch for live changes.\n this.#startWatcher(this.trustedFolder, this.#thumbs.trusted, createUnreffedWatcher, \"trusted\");\n this.#startWatcher(this.issuersCertFolder, this.#thumbs.issuers.certs, createUnreffedWatcher, \"issuersCerts\");\n this.#startWatcher(this.rejectedFolder, this.#thumbs.rejected, createUnreffedWatcher, \"rejected\");\n this.#startCrlWatcher(this.crlFolder, this.#thumbs.crl, createUnreffedWatcher, \"crl\");\n this.#startCrlWatcher(this.issuersCrlFolder, this.#thumbs.issuersCrl, createUnreffedWatcher, \"issuersCrl\");\n }\n\n /*\n Scan a certificate folder and populate the in-memory index.\n * Uses async readdir/stat to yield the event loop between\n * file reads, preventing main-loop stalls with large folders.\n /\n async #scanCertFolder(folder: string, index: Map<string, Entry>): Promise<void> {\n if (!fs.existsSync(folder)) return;\n const files = await fs.promises.readdir(folder);\n for (const file of files) {\n const filename = path.join(folder, file);\n try {\n const stat = await fs.promises.stat(filename);\n if (!stat.isFile()) continue;\n const certificate = await readCertificateAsync(filename);\n const info = exploreCertificateCached(certificate);\n const fingerprint = makeFingerprint(certificate);\n index.set(fingerprint, { certificate, filename, info });\n this.#filenameToHash.set(filename, fingerprint);\n } catch (err) {\n debugLog(`scanCertFolder: skipping ${filename}`, err);\n }\n }\n }\n\n /\n Scan a CRL folder and populate the in-memory CRL index.\n /\n async #scanCrlFolder(folder: string, index: Map<string, CRLData>): Promise<void> {\n if (!fs.existsSync(folder)) return;\n const files = await fs.promises.readdir(folder);\n for (const file of files) {\n const filename = path.join(folder, file);\n try {\n const stat = await fs.promises.stat(filename);\n if (!stat.isFile()) continue;\n this.#onCrlFileAdded(index, filename);\n } catch (err) {\n debugLog(`scanCrlFolder: skipping ${filename}`, err);\n }\n }\n await this.#waitAndCheckCRLProcessingStatus();\n }\n\n /\n Start a chokidar watcher for a CRL folder.\n * Non-blocking — does NOT await \"ready\".\n /\n #startCrlWatcher(\n folder: string,\n index: Map<string, CRLData>,\n createUnreffedWatcher: (folder: string) => { w: ChokidarFSWatcher; unreffAll: () => void },\n store: CrlStore\n ): void {\n const { w, unreffAll } = createUnreffedWatcher(folder);\n let ready = false;\n\n w.on(\"unlink\", (filename: string) => {\n for (const [key, data] of index.entries()) {\n data.crls = data.crls.filter((c) => c.filename !== filename);\n if (data.crls.length === 0) {\n index.delete(key);\n }\n }\n if (ready) {\n this.emit(\"crlRemoved\", { store, filename });\n }\n });\n w.on(\"add\", (filename: string) => {\n if (ready) {\n this.#onCrlFileAdded(index, filename);\n this.emit(\"crlAdded\", { store, filename });\n }\n });\n w.on(\"change\", (changedPath: string) => {\n debugLog(\"change in folder \", folder, changedPath);\n });\n this.#watchers.push(w as unknown as fs.FSWatcher);\n this.#pendingUnrefs.add(unreffAll);\n w.on(\"ready\", () => {\n ready = true;\n this.#pendingUnrefs.delete(unreffAll);\n unreffAll();\n });\n }\n\n /\n Start a chokidar watcher for a certificate folder.\n * Non-blocking — does NOT await \"ready\".\n /\n #startWatcher(\n folder: string,\n index: Map<string, Entry>,\n createUnreffedWatcher: (folder: string) => { w: ChokidarFSWatcher; unreffAll: () => void },\n store: CertificateStore\n ): void {\n const { w, unreffAll } = createUnreffedWatcher(folder);\n let ready = false;\n w.on(\"unlink\", (filename: string) => {\n debugLog(chalk.cyan(`unlink in folder ${folder}`), filename);\n const h = this.#filenameToHash.get(filename);\n if (h && index.has(h)) {\n index.delete(h);\n this.emit(\"certificateRemoved\", { store, fingerprint: h, filename });\n }\n });\n w.on(\"add\", (filename: string) => {\n debugLog(chalk.cyan(`add in folder ${folder}`), filename);\n try {\n const certificate = readCertificate(filename);\n const info = exploreCertificateCached(certificate);\n const fingerprint = makeFingerprint(certificate);\n\n const isNew = !index.has(fingerprint);\n index.set(fingerprint, { certificate, filename, info });\n this.#filenameToHash.set(filename, fingerprint);\n\n debugLog(\n chalk.magenta(\"CERT\"),\n info.tbsCertificate.subjectFingerPrint,\n info.tbsCertificate.serialNumber,\n info.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint\n );\n if (ready \|\| isNew) {\n this.emit(\"certificateAdded\", { store, certificate, fingerprint, filename });\n }\n } catch (err) {\n debugLog(`Walk files in folder ${folder} with file ${filename}`);\n debugLog(err);\n }\n });\n w.on(\"change\", (changedPath: string) => {\n debugLog(chalk.cyan(`change in folder ${folder}`), changedPath);\n try {\n const certificate = readCertificate(changedPath);\n const newFingerprint = makeFingerprint(certificate);\n const oldHash = this.#filenameToHash.get(changedPath);\n if (oldHash && oldHash !== newFingerprint) {\n index.delete(oldHash);\n }\n index.set(newFingerprint, { certificate, filename: changedPath, info: exploreCertificateCached(certificate) });\n this.#filenameToHash.set(changedPath, newFingerprint);\n this.emit(\"certificateChange\", { store, certificate, fingerprint: newFingerprint, filename: changedPath });\n } catch (err) {\n debugLog(`change event: failed to re-read ${changedPath}`, err);\n }\n });\n this.#watchers.push(w as unknown as fs.FSWatcher);\n this.#pendingUnrefs.add(unreffAll);\n w.on(\"ready\", () => {\n ready = true;\n this.#pendingUnrefs.delete(unreffAll);\n unreffAll();\n debugLog(\"ready\");\n debugLog([...index.keys()].map((k) => k.substring(0, 10)));\n });\n }\n\n // make sure that all crls have been processed.\n async #waitAndCheckCRLProcessingStatus(): Promise<void> {\n return new Promise((resolve, _reject) => {\n if (this.#pendingCrlToProcess === 0) {\n setImmediate(resolve);\n return;\n }\n this.#onCrlProcessWaiters.push(resolve);\n });\n }\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nexport from \"./common\";\nexport * from \"./common2\";\nexport * from \"./config\";\nexport * from \"./debug\";\nexport * from \"./display\";\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport type { ProcessAltNamesParam } from \"../common\";\nimport { g_config } from \"../config\";\nimport { warningLog } from \"../debug\";\n\nexport const exportedEnvVars: Record<string, string> = {};\n\nexport function setEnv(varName: string, value: string): void {\n // istanbul ignore next\n if (!g_config.silent) {\n warningLog(` set ${varName}=${value}`);\n }\n exportedEnvVars[varName] = value;\n\n if ([\"OPENSSL_CONF\"].indexOf(varName) >= 0) {\n process.env[varName] = value;\n }\n if ([\"RANDFILE\"].indexOf(varName) >= 0) {\n process.env[varName] = value;\n }\n}\n\nexport function hasEnv(varName: string): boolean {\n return Object.prototype.hasOwnProperty.call(exportedEnvVars, varName);\n}\nexport function getEnv(varName: string): string {\n return exportedEnvVars[varName];\n}\n\nexport function getEnvironmentVarNames(): { key: string; pattern: string }[] {\n return Object.keys(exportedEnvVars).map((varName: string) => {\n return { key: varName, pattern: `\\\\$ENV\\\\:\\\\:${varName}` };\n });\n}\n\nexport function processAltNames(params: ProcessAltNamesParam) {\n params.dns = params.dns \|\| [];\n params.ip = params.ip \|\| [];\n\n // construct subjectAtlName\n let subjectAltName: string[] = [];\n subjectAltName.push(`URI:${params.applicationUri}`);\n subjectAltName = ([] as string[]).concat(\n subjectAltName,\n params.dns.map((d: string) => `DNS:${d}`)\n );\n subjectAltName = ([] as string[]).concat(\n subjectAltName,\n params.ip.map((d: string) => `IP:${d}`)\n );\n const subjectAltNameString = subjectAltName.join(\", \");\n setEnv(\"ALTNAME\", subjectAltNameString);\n}\n","export type { SubjectOptions } from \"node-opcua-crypto\";\nexport { Subject } from \"node-opcua-crypto\";\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n// tslint:disable:no-console\n// tslint:disable:no-shadowed-variable\n\nimport child_process from \"node:child_process\";\nimport fs from \"node:fs\";\nimport os from \"node:os\";\nimport path from \"node:path\";\nimport type { Readable } from \"node:stream\";\nimport url from \"node:url\";\n\nimport byline from \"byline\";\nimport chalk from \"chalk\";\nimport ProgressBar from \"progress\";\nimport wget from \"wget-improved-2\";\nimport yauzl from \"yauzl\";\n\nimport { warningLog } from \"../debug\";\n\nconst doDebug = process.env.NODEOPCUAPKIDEBUG \|\| false;\n\ndeclare interface ProxyOptions {\n host: string;\n port: number;\n localAddress?: string;\n proxyAuth?: string;\n headers?: Record<string, string>;\n protocol: string; // \"https\" \| \"http\"\n}\ndeclare interface WgetOptions {\n gunzip?: boolean;\n proxy?: ProxyOptions;\n}\n\ndeclare interface WgetInterface {\n download(url: string, outputFilename: string, options: WgetOptions): NodeJS.EventEmitter;\n}\n\ninterface ExecuteResult {\n exitCode: number;\n output: string;\n}\n\nfunction makeOptions(): WgetOptions {\n const proxy =\n process.env.HTTPS_PROXY \|\| process.env.https_proxy \|\| process.env.HTTP_PROXY \|\| process.env.http_proxy \|\| undefined;\n if (proxy) {\n const a = new url.URL(proxy);\n const auth = a.username ? `${a.username}:${a.password}` : undefined;\n\n const options: WgetOptions = {\n proxy: {\n port: a.port ? parseInt(a.port, 10) : 80,\n protocol: a.protocol.replace(\":\", \"\"),\n host: a.hostname ?? \"\",\n proxyAuth: auth\n }\n };\n warningLog(chalk.green(\"- using proxy \"), proxy);\n warningLog(options);\n return options;\n }\n return {};\n}\n\nasync function execute(cmd: string, cwd?: string): Promise<ExecuteResult> {\n let output = \"\";\n\n // xx cwd = cwd ? {cwd: cwd} : {};\n const options = {\n cwd,\n windowsHide: true\n };\n\n return await new Promise<ExecuteResult>((resolve, reject) => {\n const child = child_process.exec(\n cmd,\n options,\n (err: child_process.ExecException \| null /, stdout: string, stderr: string/) => {\n const exitCode = err === null ? 0 : err.code \|\| 1;\n if (err) reject(err);\n else {\n resolve({ exitCode, output });\n }\n }\n );\n\n const stream1 = byline(child.stdout as Readable);\n stream1.on(\"data\", (line: string) => {\n output += `${line}\\n`;\n // istanbul ignore next\n if (doDebug) {\n process.stdout.write(` stdout ${chalk.yellow(line)}\\n`);\n }\n });\n });\n}\n\nfunction quote(str: string): string {\n return `\"${str.replace(/\\\\/g, \"/\")}\"`;\n}\n\nfunction is_expected_openssl_version(strVersion: string): boolean {\n return !!strVersion.match(/OpenSSL 1\|3/);\n}\n\nasync function getopensslExecPath(): Promise<string> {\n let result1: ExecuteResult \| undefined;\n try {\n result1 = await execute(\"which openssl\");\n } catch (err) {\n warningLog(\"warning: \", (err as Error).message);\n throw new Error(\"Cannot find openssl\");\n }\n\n const exitCode = result1?.exitCode;\n const output = result1?.output;\n\n if (exitCode !== 0) {\n warningLog(chalk.yellow(\" it seems that \") + chalk.cyan(\"openssl\") + chalk.yellow(\" is not installed on your computer \"));\n warningLog(chalk.yellow(\"Please install it before running this programs\"));\n throw new Error(\"Cannot find openssl\");\n }\n const opensslExecPath = output.replace(/\\n\\r/g, \"\").trim();\n return opensslExecPath;\n}\nexport async function check_system_openssl_version(): Promise<string> {\n const opensslExecPath = await getopensslExecPath();\n\n // tslint:disable-next-line:variable-name\n const q_opensslExecPath = quote(opensslExecPath);\n\n // istanbul ignore next\n if (doDebug) {\n warningLog(` OpenSSL found in : ${chalk.yellow(opensslExecPath)}`);\n }\n // ------------------------ now verify that openssl version is the correct one\n const result = await execute(`${q_opensslExecPath} version`);\n\n const exitCode = result?.exitCode;\n const output = result?.output;\n\n const version = output.trim();\n\n const versionOK = exitCode === 0 && is_expected_openssl_version(version);\n if (!versionOK) {\n let message =\n chalk.whiteBright(\"Warning !!!!!!!!!!!! \") +\n \"\\nyour version of openssl is \" +\n version +\n \". It doesn't match the expected version\";\n\n if (process.platform === \"darwin\") {\n message +=\n chalk.cyan(\"\\nplease refer to :\") +\n chalk.yellow(\" https://github.com/node-opcua/node-opcua/\" + \"wiki/installing-node-opcua-or-node-red-on-MacOS\");\n }\n\n console.log(message);\n }\n return output;\n}\n\nasync function install_and_check_win32_openssl_version(): Promise<string> {\n const downloadFolder = path.join(os.tmpdir(), \".\");\n\n function get_openssl_folder_win32(): string {\n if (process.env.LOCALAPPDATA) {\n const userProgramFolder = path.join(process.env.LOCALAPPDATA, \"Programs\");\n if (fs.existsSync(userProgramFolder)) {\n return path.join(userProgramFolder, \"openssl\");\n }\n }\n return path.join(process.cwd(), \"openssl\");\n }\n\n function get_openssl_exec_path_win32(): string {\n const opensslFolder = get_openssl_folder_win32();\n return path.join(opensslFolder, \"openssl.exe\");\n }\n\n async function check_openssl_win32(): Promise<{ opensslOk?: boolean; version?: string }> {\n const opensslExecPath = get_openssl_exec_path_win32();\n\n const exists = fs.existsSync(opensslExecPath);\n if (!exists) {\n warningLog(\"checking presence of \", opensslExecPath);\n warningLog(chalk.red(\" cannot find file \") + opensslExecPath);\n return {\n opensslOk: false,\n version: `cannot find file ${opensslExecPath}`\n };\n } else {\n // tslint:disable-next-line:variable-name\n const q_openssl_exe_path = quote(opensslExecPath);\n const cwd = \".\";\n\n const { exitCode, output } = await execute(`${q_openssl_exe_path} version`, cwd);\n const version = output.trim();\n // istanbul ignore next\n\n if (doDebug) {\n warningLog(\" Version = \", version);\n }\n return {\n opensslOk: exitCode === 0 && is_expected_openssl_version(version),\n version\n };\n }\n }\n\n /*\n detect whether windows OS is a 64 bits or 32 bits\n * http://ss64.com/nt/syntax-64bit.html\n * http://blogs.msdn.com/b/david.wang/archive/2006/03/26/howto-detect-process-bitness.aspx\n * @return {number}\n /\n function win32or64(): 32 \| 64 {\n if (process.env.PROCESSOR_ARCHITECTURE === \"x86\" && process.env.PROCESSOR_ARCHITEW6432) {\n return 64;\n }\n\n if (process.env.PROCESSOR_ARCHITECTURE === \"AMD64\") {\n return 64;\n }\n\n // check if we are running node x32 on a x64 arch\n if (process.env.CURRENT_CPU === \"x64\") {\n return 64;\n }\n return 32;\n }\n\n async function download_openssl(): Promise<{ downloadedFile: string }> {\n // const url = (win32or64() === 64 )\n // ? \"http://indy.fulgan.com/SSL/openssl-1.0.2o-x64_86-win64.zip\"\n // : \"http://indy.fulgan.com/SSL/openssl-1.0.2o-i386-win32.zip\"\n // ;\n const url =\n win32or64() === 64\n ? \"https://github.com/node-opcua/node-opcua-pki/releases/download/2.14.2/openssl-1.0.2u-x64_86-win64.zip\"\n : \"https://github.com/node-opcua/node-opcua-pki/releases/download/2.14.2/openssl-1.0.2u-i386-win32.zip\";\n // the zip file\n const outputFilename = path.join(downloadFolder, path.basename(url));\n\n warningLog(`downloading ${chalk.yellow(url)} to ${outputFilename}`);\n\n if (fs.existsSync(outputFilename)) {\n return { downloadedFile: outputFilename };\n }\n const options = makeOptions();\n const bar = new ProgressBar(chalk.cyan(\"[:bar]\") + chalk.cyan(\" :percent \") + chalk.white(\":etas\"), {\n complete: \"=\",\n incomplete: \" \",\n total: 100,\n width: 100\n });\n\n return await new Promise((resolve, reject) => {\n const download = wget.download(url, outputFilename, options);\n download.on(\"error\", (err: Error) => {\n warningLog(err);\n setImmediate(() => {\n reject(err);\n });\n });\n download.on(\"end\", (output: string) => {\n // istanbul ignore next\n if (doDebug) {\n warningLog(output);\n }\n // warningLog(\"done ...\");\n resolve({ downloadedFile: outputFilename });\n });\n download.on(\"progress\", (progress: number) => {\n bar.update(progress);\n });\n });\n }\n\n async function unzip_openssl(zipFilename: string) {\n const opensslFolder = get_openssl_folder_win32();\n\n const zipFile = await new Promise<yauzl.ZipFile>((resolve, reject) => {\n yauzl.open(zipFilename, { lazyEntries: true }, (err?: Error \| null, zipfile?: yauzl.ZipFile) => {\n if (err) {\n reject(err);\n } else {\n if (!zipfile) {\n reject(new Error(\"zipfile is null\"));\n } else {\n resolve(zipfile);\n }\n }\n });\n });\n\n zipFile.readEntry();\n\n await new Promise<void>((resolve, reject) => {\n zipFile.on(\"end\", (err?: Error) => {\n setImmediate(() => {\n // istanbul ignore next\n if (doDebug) {\n warningLog(\"unzip done\");\n }\n if (err) {\n reject(err);\n } else {\n resolve();\n }\n });\n });\n\n zipFile.on(\"entry\", (entry: yauzl.Entry) => {\n zipFile.openReadStream(entry, (err?: Error \| null, readStream?: Readable) => {\n if (err) {\n return reject(err);\n }\n\n const file = path.join(opensslFolder, entry.fileName);\n\n // istanbul ignore next\n if (doDebug) {\n warningLog(\" unzipping :\", file);\n }\n\n const writeStream = fs.createWriteStream(file, \"binary\");\n // ensure parent directory exists\n readStream?.pipe(writeStream);\n\n writeStream.on(\"close\", () => {\n zipFile.readEntry();\n });\n });\n });\n });\n }\n\n const opensslFolder = get_openssl_folder_win32();\n const opensslExecPath = get_openssl_exec_path_win32();\n\n if (!fs.existsSync(opensslFolder)) {\n // istanbul ignore next\n if (doDebug) {\n warningLog(\"creating openssl_folder\", opensslFolder);\n }\n fs.mkdirSync(opensslFolder);\n }\n\n const { opensslOk, version: _version } = await check_openssl_win32();\n\n if (!opensslOk) {\n warningLog(chalk.yellow(\"openssl seems to be missing and need to be installed\"));\n const { downloadedFile } = await download_openssl();\n\n // istanbul ignore next\n if (doDebug) {\n warningLog(\"deflating \", chalk.yellow(downloadedFile));\n }\n await unzip_openssl(downloadedFile);\n\n const opensslExists = !!fs.existsSync(opensslExecPath);\n\n // istanbul ignore next\n if (doDebug) {\n warningLog(\"verifying \", opensslExists, opensslExists ? chalk.green(\"OK \") : chalk.red(\" Error\"), opensslExecPath);\n }\n\n const _opensslExecPath2 = await check_openssl_win32();\n return opensslExecPath;\n } else {\n // istanbul ignore next\n if (doDebug) {\n warningLog(chalk.green(\"openssl is already installed and have the expected version.\"));\n }\n return opensslExecPath;\n }\n}\n\n/\n \n * return path to the openssl executable\n /\nexport async function install_prerequisite(): Promise<string> {\n // istanbul ignore else\n if (process.platform !== \"win32\") {\n return await check_system_openssl_version();\n } else {\n return await install_and_check_win32_openssl_version();\n }\n}\n\nexport async function get_openssl_exec_path(): Promise<string> {\n if (process.platform === \"win32\") {\n const opensslExecPath = await install_prerequisite();\n if (!fs.existsSync(opensslExecPath)) {\n throw new Error(`internal error cannot find ${opensslExecPath}`);\n }\n return opensslExecPath;\n } else {\n return \"openssl\";\n }\n}\n","/ eslint-disable @typescript-eslint/no-explicit-any /\n// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n// tslint:disable:no-console\n// tslint:disable:no-shadowed-variable\n\nimport assert from \"node:assert\";\nimport child_process from \"node:child_process\";\nimport fs from \"node:fs\";\nimport os from \"node:os\";\nimport byline from \"byline\";\nimport chalk from \"chalk\";\nimport { quote } from \"../common\";\nimport { makePath } from \"../common2\";\nimport { g_config } from \"../config\";\nimport { debugLog, displayError, doDebug, warningLog } from \"../debug\";\nimport { setEnv } from \"./_env\";\nimport { get_openssl_exec_path } from \"./install_prerequisite\";\n\n// tslint:disable-next-line:variable-name\n\nlet opensslPath: string \| undefined; // not initialized\n\nconst n = makePath;\n\nexport interface ExecuteOptions {\n cwd?: string;\n hideErrorMessage?: boolean;\n}\n\nexport async function execute(cmd: string, options: ExecuteOptions): Promise<string> {\n const from = new Error();\n\n options.cwd = options.cwd \|\| process.cwd();\n\n // istanbul ignore next\n if (!g_config.silent) {\n warningLog(chalk.cyan(\" CWD \"), options.cwd);\n }\n\n const outputs: string[] = [];\n\n return await new Promise((resolve, reject) => {\n const child = child_process.exec(\n cmd,\n {\n cwd: options.cwd,\n windowsHide: true\n },\n (err: child_process.ExecException \| null) => {\n // istanbul ignore next\n if (err) {\n if (!options.hideErrorMessage) {\n const fence = \"###########################################\";\n console.error(chalk.bgWhiteBright.redBright(`${fence} OPENSSL ERROR ${fence}`));\n console.error(chalk.bgWhiteBright.redBright(`CWD = ${options.cwd}`));\n console.error(chalk.bgWhiteBright.redBright(err.message));\n console.error(chalk.bgWhiteBright.redBright(`${fence} OPENSSL ERROR ${fence}`));\n\n console.error(from.stack);\n }\n reject(new Error(err.message));\n return;\n }\n resolve(outputs.join(\"\"));\n }\n );\n\n if (child.stdout) {\n const stream2 = byline(child.stdout);\n stream2.on(\"data\", (line: string) => {\n outputs.push(`${line}\\n`);\n });\n if (!g_config.silent) {\n stream2.on(\"data\", (line: string) => {\n line = line.toString();\n if (doDebug) {\n process.stdout.write(`${chalk.white(\" stdout \") + chalk.whiteBright(line)}\\n`);\n }\n });\n }\n }\n\n // istanbul ignore next\n if (!g_config.silent) {\n if (child.stderr) {\n const stream1 = byline(child.stderr);\n stream1.on(\"data\", (line: string) => {\n line = line.toString();\n if (displayError) {\n process.stdout.write(`${chalk.white(\" stderr \") + chalk.red(line)}\\n`);\n }\n });\n }\n }\n });\n}\n\nexport async function find_openssl(): Promise<string> {\n return await get_openssl_exec_path();\n}\n\nexport async function ensure_openssl_installed(): Promise<void> {\n if (!opensslPath) {\n opensslPath = await find_openssl();\n const outputs = await execute_openssl(\"version\", { cwd: \".\" });\n g_config.opensslVersion = outputs.trim();\n if (doDebug) {\n warningLog(\"OpenSSL version : \", g_config.opensslVersion);\n }\n }\n}\n\nexport async function executeOpensslAsync(cmd: string, options: ExecuteOpenSSLOptions): Promise<string> {\n return await execute_openssl(cmd, options);\n}\n\nexport async function execute_openssl_no_failure(cmd: string, options: ExecuteOpenSSLOptions) {\n options = options \|\| {};\n options.hideErrorMessage = true;\n try {\n return await execute_openssl(cmd, options);\n } catch (err) {\n debugLog(\" (ignored error = ERROR : )\", (err as Error).message);\n }\n}\n\nfunction getTempFolder(): string {\n return os.tmpdir();\n}\n\nexport interface ExecuteOpenSSLOptions extends ExecuteOptions {\n openssl_conf?: string;\n}\n\nexport async function execute_openssl(cmd: string, options: ExecuteOpenSSLOptions): Promise<string> {\n debugLog(\"execute_openssl\", cmd, options);\n const empty_config_file = n(getTempFolder(), \"empty_config.cnf\");\n if (!fs.existsSync(empty_config_file)) {\n await fs.promises.writeFile(empty_config_file, \"# empty config file\");\n }\n\n options = options \|\| {};\n options.openssl_conf = options.openssl_conf \|\| empty_config_file; // \"!! OPEN SLL CONF NOT DEFINED BAD FILE !!\";\n assert(options.openssl_conf);\n setEnv(\"OPENSSL_CONF\", options.openssl_conf);\n\n // istanbul ignore next\n if (!g_config.silent) {\n warningLog(chalk.cyan(\" OPENSSL_CONF\"), process.env.OPENSSL_CONF);\n warningLog(chalk.cyan(\" RANDFILE \"), process.env.RANDFILE);\n warningLog(chalk.cyan(\" CMD openssl \"), chalk.cyanBright(cmd));\n }\n await ensure_openssl_installed();\n return await execute(`${quote(opensslPath)} ${cmd}`, options);\n}\n","/ eslint-disable @typescript-eslint/no-explicit-any /\n// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n// tslint:disable:no-console\n// tslint:disable:no-shadowed-variable\n\nimport assert from \"node:assert\";\n\nimport fs from \"node:fs\";\nimport path from \"node:path\";\n\nimport type { Filename } from \"../common\";\nimport { quote } from \"../common\";\nimport { makePath } from \"../common2\";\nimport { g_config } from \"../config\";\nimport { getEnv, getEnvironmentVarNames } from \"./_env\";\nimport { type ExecuteOptions, execute_openssl } from \"./execute_openssl\";\n\nfunction openssl_require2DigitYearInDate() {\n // istanbul ignore next\n if (!g_config.opensslVersion) {\n throw new Error(\n \"openssl_require2DigitYearInDate : openssl version is not known:\" + \" please call ensure_openssl_installed()\"\n );\n }\n return g_config.opensslVersion.match(/OpenSSL 0\\.9/);\n}\n\ng_config.opensslVersion = \"\";\n\nlet _counter = 0;\n\nexport function generateStaticConfig(configPath: string, options?: ExecuteOptions) {\n const prePath = options?.cwd \|\| \"\";\n\n const originalFilename = !path.isAbsolute(configPath) ? path.join(prePath, configPath) : configPath;\n let staticConfig = fs.readFileSync(originalFilename, { encoding: \"utf8\" });\n for (const envVar of getEnvironmentVarNames()) {\n staticConfig = staticConfig.replace(new RegExp(envVar.pattern, \"gi\"), getEnv(envVar.key));\n }\n const staticConfigPath = `${configPath}.${process.pid}-${_counter++}.tmp`;\n const temporaryConfigPath = !path.isAbsolute(configPath) ? path.join(prePath, staticConfigPath) : staticConfigPath;\n fs.writeFileSync(temporaryConfigPath, staticConfig);\n if (options?.cwd) {\n return path.relative(options.cwd, temporaryConfigPath);\n } else {\n return temporaryConfigPath;\n }\n}\n\nconst q = quote;\nconst n = makePath;\n\n/\n calculate the public key from private key\n * openssl rsa -pubout -in private_key.pem\n \n @method getPublicKeyFromPrivateKey\n * @param privateKeyFilename: the existing file with the private key\n * @param publicKeyFilename: the file where to store the public key\n /\nexport async function getPublicKeyFromPrivateKey(privateKeyFilename: string, publicKeyFilename: string): Promise<void> {\n assert(fs.existsSync(privateKeyFilename));\n await execute_openssl(`rsa -pubout -in ${q(n(privateKeyFilename))} -out ${q(n(publicKeyFilename))}`, {});\n}\n\n/\n extract public key from a certificate\n * openssl x509 -pubkey -in certificate.pem -nottext\n \n @method getPublicKeyFromCertificate\n * @param certificateFilename\n * @param publicKeyFilename\n /\nexport async function getPublicKeyFromCertificate(certificateFilename: string, publicKeyFilename: string) {\n assert(fs.existsSync(certificateFilename));\n await execute_openssl(`x509 -pubkey -in ${q(n(certificateFilename))} > ${q(n(publicKeyFilename))}`, {});\n}\nexport function x509Date(date?: Date): string {\n date = date \|\| new Date();\n const Y = date.getUTCFullYear();\n const M = date.getUTCMonth() + 1;\n const D = date.getUTCDate();\n const h = date.getUTCHours();\n const m = date.getUTCMinutes();\n const s = date.getUTCSeconds();\n\n function w(s: string \| number, l: number): string {\n return `${s}`.padStart(l, \"0\");\n }\n\n if (openssl_require2DigitYearInDate()) {\n // for example: on MacOS , where openssl 0.98 is installed by default\n return `${w(Y, 2) + w(M, 2) + w(D, 2) + w(h, 2) + w(m, 2) + w(s, 2)}Z`;\n } else {\n // for instance when openssl version is greater than 1.0.0\n return `${w(Y, 4) + w(M, 2) + w(D, 2) + w(h, 2) + w(m, 2) + w(s, 2)}Z`;\n }\n}\n\n/\n @param certificate - the certificate file in PEM format, file must exist\n /\nexport async function dumpCertificate(certificate: Filename): Promise<string> {\n assert(fs.existsSync(certificate));\n return await execute_openssl(`x509 -in ${q(n(certificate))} -text -noout`, {});\n}\n\nexport async function toDer(certificatePem: string): Promise<string> {\n assert(fs.existsSync(certificatePem));\n const certificateDer = certificatePem.replace(\".pem\", \".der\");\n return await execute_openssl(`x509 -outform der -in ${certificatePem} -out ${certificateDer}`, {});\n}\n\nexport async function fingerprint(certificatePem: string): Promise<string> {\n // openssl x509 -in my_certificate.pem -hash -dates -noout -fingerprint\n assert(fs.existsSync(certificatePem));\n return await execute_openssl(`x509 -fingerprint -noout -in ${certificatePem}`, {});\n}\n","/ eslint-disable @typescript-eslint/no-explicit-any /\n// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n// tslint:disable:no-console\n// tslint:disable:no-shadowed-variable\n\nimport assert from \"node:assert\";\nimport fs from \"node:fs\";\nimport path from \"node:path\";\n\nimport { Subject } from \"../../misc/subject\";\nimport { type CreateCertificateSigningRequestWithConfigOptions, quote } from \"../common\";\nimport { makePath } from \"../common2\";\nimport { displaySubtitle } from \"../display\";\nimport { processAltNames } from \"./_env\";\nimport { execute_openssl } from \"./execute_openssl\";\nimport { generateStaticConfig } from \"./toolbox\";\n\nconst q = quote;\nconst n = makePath;\n\n/\n create a certificate signing request\n /\nexport async function createCertificateSigningRequestWithOpenSSL(\n certificateSigningRequestFilename: string,\n params: CreateCertificateSigningRequestWithConfigOptions\n): Promise<void> {\n assert(params);\n assert(params.rootDir);\n assert(params.configFile);\n assert(params.privateKey);\n assert(typeof params.privateKey === \"string\");\n assert(fs.existsSync(params.configFile), `config file must exist ${params.configFile}`);\n assert(fs.existsSync(params.privateKey), `Private key must exist${params.privateKey}`);\n assert(fs.existsSync(params.rootDir), \"RootDir key must exist\");\n assert(typeof certificateSigningRequestFilename === \"string\");\n\n // note : this openssl command requires a config file\n processAltNames(params);\n const configFile = generateStaticConfig(params.configFile, { cwd: params.rootDir });\n\n const options = { cwd: params.rootDir, openssl_conf: path.relative(params.rootDir, configFile) };\n\n const configOption = ` -config ${q(n(configFile))}`;\n\n const subject = params.subject ? new Subject(params.subject).toString() : undefined;\n // process.env.OPENSSL_CONF =\"\";\n const subjectOptions = subject ? ` -subj \"${subject}\"` : \"\";\n\n displaySubtitle(\"- Creating a Certificate Signing Request with openssl\");\n await execute_openssl(\n \"req -new\" +\n \" -sha256 \" +\n \" -batch \" +\n \" -text \" +\n configOption +\n \" -key \" +\n q(n(params.privateKey)) +\n subjectOptions +\n \" -out \" +\n q(n(certificateSigningRequestFilename)),\n options\n );\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport exp from \"node:constants\";\n\nconst _exp = exp;\n\nexport from \"./_env\";\nexport * from \"./create_certificate_signing_request\";\nexport * from \"./execute_openssl\";\nexport * from \"./install_prerequisite\";\nexport * from \"./toolbox\";\n","const config =\n \"#.........DO NOT MODIFY BY HAND .........................\\n\" +\n \"[ ca ]\\n\" +\n \"default_ca = CA_default\\n\" +\n \"[ CA_default ]\\n\" +\n \"dir = %%ROOT_FOLDER%% # the main CA folder\\n\" +\n \"certs = $dir/certs # where to store certificates\\n\" +\n \"new_certs_dir = $dir/certs #\\n\" +\n \"database = $dir/index.txt # the certificate database\\n\" +\n \"serial = $dir/serial # the serial number counter\\n\" +\n \"certificate = $dir/public/cacert.pem # The root CA certificate\\n\" +\n \"private_key = $dir/private/cakey.pem # the CA private key\\n\" +\n \"x509_extensions = usr_cert #\\n\" +\n \"default_days = 3650 # default validity : 10 years\\n\" +\n \"\\n\" +\n \"# default_md = sha1\\n\" +\n \"\\n\" +\n \"default_md = sha256 # The default digest algorithm\\n\" +\n \"\\n\" +\n \"preserve = no\\n\" +\n \"policy = policy_match\\n\" +\n \"# randfile = $dir/random.rnd\\n\" +\n \"# default_startdate = YYMMDDHHMMSSZ\\n\" +\n \"# default_enddate = YYMMDDHHMMSSZ\\n\" +\n \"crl_dir = $dir/crl\\n\" +\n \"crl_extensions = crl_ext\\n\" +\n \"crl = $dir/revocation_list.crl # the Revocation list\\n\" +\n \"crlnumber = $dir/crlnumber # CRL number file\\n\" +\n \"default_crl_days = 30\\n\" +\n \"default_crl_hours = 24\\n\" +\n \"#msie_hack\\n\" +\n \"\\n\" +\n \"[ policy_match ]\\n\" +\n \"countryName = optional\\n\" +\n \"stateOrProvinceName = optional\\n\" +\n \"localityName = optional\\n\" +\n \"organizationName = optional\\n\" +\n \"organizationalUnitName = optional\\n\" +\n \"commonName = optional\\n\" +\n \"emailAddress = optional\\n\" +\n \"\\n\" +\n \"[ req ]\\n\" +\n \"default_bits = 4096 # Size of keys\\n\" +\n \"default_keyfile = key.pem # name of generated keys\\n\" +\n \"distinguished_name = req_distinguished_name\\n\" +\n \"attributes = req_attributes\\n\" +\n \"x509_extensions = v3_ca\\n\" +\n \"#input_password\\n\" +\n \"#output_password\\n\" +\n \"string_mask = nombstr # permitted characters\\n\" +\n \"req_extensions = v3_req\\n\" +\n \"\\n\" +\n \"[ req_distinguished_name ]\\n\" +\n \"\\n\" +\n \"#0 countryName = Country Name (2 letter code)\\n\" +\n \"# countryName_default = FR\\n\" +\n \"# countryName_min = 2\\n\" +\n \"# countryName_max = 2\\n\" +\n \"# stateOrProvinceName = State or Province Name (full name)\\n\" +\n \"# stateOrProvinceName_default = Ile de France\\n\" +\n \"# localityName = Locality Name (city, district)\\n\" +\n \"# localityName_default = Paris\\n\" +\n \"organizationName = Organization Name (company)\\n\" +\n \"organizationName_default = NodeOPCUA\\n\" +\n \"# organizationalUnitName = Organizational Unit Name (department, division)\\n\" +\n \"# organizationalUnitName_default = R&D\\n\" +\n \"commonName = Common Name (hostname, FQDN, IP, or your name)\\n\" +\n \"commonName_max = 256\\n\" +\n \"commonName_default = NodeOPCUA\\n\" +\n \"# emailAddress = Email Address\\n\" +\n \"# emailAddress_max = 40\\n\" +\n \"# emailAddress_default = node-opcua (at) node-opcua (dot) com\\n\" +\n \"\\n\" +\n \"[ req_attributes ]\\n\" +\n \"#challengePassword = A challenge password\\n\" +\n \"#challengePassword_min = 4\\n\" +\n \"#challengePassword_max = 20\\n\" +\n \"#unstructuredName = An optional company name\\n\" +\n \"[ usr_cert ]\\n\" +\n \"basicConstraints = critical, CA:FALSE\\n\" +\n \"subjectKeyIdentifier = hash\\n\" +\n \"authorityKeyIdentifier = keyid,issuer:always\\n\" +\n \"#authorityKeyIdentifier = keyid\\n\" +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n \"# issuerAltName = issuer:copy\\n\" +\n \"nsComment = ''OpenSSL Generated Certificate''\\n\" +\n \"#nsCertType = client, email, objsign for ''everything including object signing''\\n\" +\n \"#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem\\n\" +\n \"#nsBaseUrl =\\n\" +\n \"#nsRenewalUrl =\\n\" +\n \"#nsCaPolicyUrl =\\n\" +\n \"#nsSslServerName =\\n\" +\n \"keyUsage = critical, digitalSignature, nonRepudiation,\" +\n \" keyEncipherment, dataEncipherment, keyAgreement, keyCertSign\\n\" +\n \"extendedKeyUsage = critical,serverAuth ,clientAuth\\n\" +\n \"\\n\" +\n \"[ v3_req ]\\n\" +\n \"basicConstraints = critical, CA:FALSE\\n\" +\n \"keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement\\n\" +\n \"extendedKeyUsage = critical,serverAuth ,clientAuth\\n\" +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n 'nsComment = \"CA Generated by Node-OPCUA Certificate utility using openssl\"\\n' +\n \"[ v3_ca ]\\n\" +\n \"subjectKeyIdentifier = hash\\n\" +\n \"authorityKeyIdentifier = keyid:always,issuer:always\\n\" +\n \"# authorityKeyIdentifier = keyid\\n\" +\n \"basicConstraints = CA:TRUE\\n\" +\n \"keyUsage = critical, cRLSign, keyCertSign\\n\" +\n 'nsComment = \"CA Certificate generated by Node-OPCUA Certificate utility using openssl\"\\n' +\n \"#nsCertType = sslCA, emailCA\\n\" +\n \"#subjectAltName = email:copy\\n\" +\n \"#issuerAltName = issuer:copy\\n\" +\n \"#obj = DER:02:03\\n\" +\n \"crlDistributionPoints = @crl_info\\n\" +\n \"[ crl_info ]\\n\" +\n \"URI.0 = http://localhost:8900/crl.pem\\n\" +\n \"[ v3_selfsigned]\\n\" +\n \"basicConstraints = critical, CA:FALSE\\n\" +\n \"keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement\\n\" +\n \"extendedKeyUsage = critical,serverAuth ,clientAuth\\n\" +\n 'nsComment = \"Self-signed certificate, generated by NodeOPCUA\"\\n' +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n \"\\n\" +\n \"[ crl_ext ]\\n\" +\n \"#issuerAltName = issuer:copy\\n\" +\n \"authorityKeyIdentifier = keyid:always,issuer:always\\n\" +\n \"#authorityInfoAccess = @issuer_info\";\n\nexport default config;\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n// tslint:disable:no-shadowed-variable\nimport assert from \"node:assert\";\nimport fs from \"node:fs\";\nimport path from \"node:path\";\nimport chalk from \"chalk\";\nimport {\n exploreCertificateSigningRequest,\n generatePrivateKeyFile,\n readCertificateSigningRequest,\n Subject,\n type SubjectOptions\n} from \"node-opcua-crypto\";\n\nimport {\n adjustApplicationUri,\n adjustDate,\n certificateFileExist,\n debugLog,\n displaySubtitle,\n displayTitle,\n type Filename,\n type KeySize,\n makePath,\n mkdirRecursiveSync,\n type Params,\n type ProcessAltNamesParam,\n quote\n} from \"../toolbox\";\n\nimport {\n type ExecuteOpenSSLOptions,\n type ExecuteOptions,\n ensure_openssl_installed,\n execute_openssl,\n execute_openssl_no_failure,\n generateStaticConfig,\n processAltNames,\n setEnv,\n x509Date\n} from \"../toolbox/with_openssl\";\n\n/** Default X.500 subject used when no custom subject is provided. /\nexport const defaultSubject = \"/C=FR/ST=IDF/L=Paris/O=Local NODE-OPCUA Certificate Authority/CN=NodeOPCUA-CA\";\n\nimport _ca_config_template from \"./templates/ca_config_template.cnf\";\n\n// tslint:disable-next-line:variable-name\nexport const configurationFileTemplate: string = _ca_config_template;\n\nconst config = {\n certificateDir: \"INVALID\",\n forceCA: false,\n pkiDir: \"INVALID\"\n};\n\nconst n = makePath;\nconst q = quote;\n\n// convert 'c07b9179' to \"192.123.145.121\"\nfunction octetStringToIpAddress(a: string) {\n return (\n parseInt(a.substring(0, 2), 16).toString() +\n \".\" +\n parseInt(a.substring(2, 4), 16).toString() +\n \".\" +\n parseInt(a.substring(4, 6), 16).toString() +\n \".\" +\n parseInt(a.substring(6, 8), 16).toString()\n );\n}\nassert(octetStringToIpAddress(\"c07b9179\") === \"192.123.145.121\");\nasync function construct_CertificateAuthority(certificateAuthority: CertificateAuthority): Promise<void> {\n // create the CA directory store\n // create the CA directory store\n //\n // PKI/CA\n // \|\n // +-+> private\n // \|\n // +-+> public\n // \|\n // +-+> certs\n // \|\n // +-+> crl\n // \|\n // +-+> conf\n // \|\n // +-f: serial\n // +-f: crlNumber\n // +-f: index.txt\n //\n\n const subject = certificateAuthority.subject;\n\n const caRootDir = path.resolve(certificateAuthority.rootDir);\n\n async function make_folders() {\n mkdirRecursiveSync(caRootDir);\n mkdirRecursiveSync(path.join(caRootDir, \"private\"));\n mkdirRecursiveSync(path.join(caRootDir, \"public\"));\n // xx execute(\"chmod 700 private\");\n mkdirRecursiveSync(path.join(caRootDir, \"certs\"));\n mkdirRecursiveSync(path.join(caRootDir, \"crl\"));\n mkdirRecursiveSync(path.join(caRootDir, \"conf\"));\n }\n await make_folders();\n\n async function construct_default_files() {\n const serial = path.join(caRootDir, \"serial\");\n if (!fs.existsSync(serial)) {\n await fs.promises.writeFile(serial, \"1000\");\n }\n\n const crlNumber = path.join(caRootDir, \"crlnumber\");\n if (!fs.existsSync(crlNumber)) {\n await fs.promises.writeFile(crlNumber, \"1000\");\n }\n\n const indexFile = path.join(caRootDir, \"index.txt\");\n if (!fs.existsSync(indexFile)) {\n await fs.promises.writeFile(indexFile, \"\");\n }\n }\n\n await construct_default_files();\n\n if (fs.existsSync(path.join(caRootDir, \"private/cakey.pem\")) && !config.forceCA) {\n // certificate already exists => do not overwrite\n debugLog(\"CA private key already exists ... skipping\");\n return;\n }\n\n // tslint:disable:no-empty\n displayTitle(\"Create Certificate Authority (CA)\");\n\n const indexFileAttr = path.join(caRootDir, \"index.txt.attr\");\n if (!fs.existsSync(indexFileAttr)) {\n await fs.promises.writeFile(indexFileAttr, \"unique_subject = no\");\n }\n\n const caConfigFile = certificateAuthority.configFile;\n if (1 \|\| !fs.existsSync(caConfigFile)) {\n let data = configurationFileTemplate; // inlineText(configurationFile);\n data = makePath(data.replace(/%%ROOT_FOLDER%%/, caRootDir));\n\n await fs.promises.writeFile(caConfigFile, data);\n }\n\n // http://www.akadia.com/services/ssh_test_certificate.html\n const subjectOpt = ` -subj \"${subject.toString()}\" `;\n processAltNames({} as Params);\n\n const options = { cwd: caRootDir };\n const configFile = generateStaticConfig(\"conf/caconfig.cnf\", options);\n const configOption = ` -config ${q(n(configFile))}`;\n\n const keySize = certificateAuthority.keySize;\n\n const privateKeyFilename = path.join(caRootDir, \"private/cakey.pem\");\n const csrFilename = path.join(caRootDir, \"private/cakey.csr\");\n\n displayTitle(`Generate the CA private Key - ${keySize}`);\n // The first step is to create your RSA Private Key.\n // This key is a 1025,2048,3072 or 2038 bit RSA key which is encrypted using\n // Triple-DES and stored in a PEM format so that it is readable as ASCII text.\n await generatePrivateKeyFile(privateKeyFilename, keySize);\n displayTitle(\"Generate a certificate request for the CA key\");\n // Once the private key is generated a Certificate Signing Request can be generated.\n // The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as\n // Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate.\n // The second option is to self-sign the CSR, which will be demonstrated in the next section\n await execute_openssl(\n \"req -new\" +\n \" -sha256 \" +\n \" -text \" +\n \" -extensions v3_ca\" +\n configOption +\n \" -key \" +\n q(n(privateKeyFilename)) +\n \" -out \" +\n q(n(csrFilename)) +\n \" \" +\n subjectOpt,\n options\n );\n\n // xx // Step 3: Remove Passphrase from Key\n // xx execute(\"cp private/cakey.pem private/cakey.pem.org\");\n // xx execute(openssl_path + \" rsa -in private/cakey.pem.org -out private/cakey.pem -passin pass:\"+paraphrase);\n\n displayTitle(\"Generate CA Certificate (self-signed)\");\n await execute_openssl(\n \" x509 -sha256 -req -days 3650 \" +\n \" -text \" +\n \" -extensions v3_ca\" +\n \" -extfile \" +\n q(n(configFile)) +\n \" -in private/cakey.csr \" +\n \" -signkey \" +\n q(n(privateKeyFilename)) +\n \" -out public/cacert.pem\",\n options\n );\n displaySubtitle(\"generate initial CRL (Certificate Revocation List)\");\n await regenerateCrl(certificateAuthority.revocationList, configOption, options);\n displayTitle(\"Create Certificate Authority (CA) ---> DONE\");\n}\n\nasync function regenerateCrl(revocationList: string, configOption: string, options: ExecuteOpenSSLOptions) {\n // produce a CRL in PEM format\n displaySubtitle(\"regenerate CRL (Certificate Revocation List)\");\n await execute_openssl(`ca -gencrl ${configOption} -out crl/revocation_list.crl`, options);\n await execute_openssl(\"crl \" + \" -in crl/revocation_list.crl -out crl/revocation_list.der \" + \" -outform der\", options);\n\n displaySubtitle(\"Display (Certificate Revocation List)\");\n await execute_openssl(`crl -in ${q(n(revocationList))} -text -noout`, options);\n}\n\n/\n Options for creating a {@link CertificateAuthority}.\n /\nexport interface CertificateAuthorityOptions {\n /* RSA key size for the CA private key. /\n keySize: KeySize;\n /* Filesystem path where the CA directory structure is stored. /\n location: string;\n /\n X.500 subject for the CA certificate.\n * Accepts a slash-delimited string (e.g. `\"/CN=My CA/O=Acme\"`) or\n * a structured {@link SubjectOptions} object.\n \n @defaultValue {@link defaultSubject}\n /\n subject?: string \| SubjectOptions;\n}\n\n/\n An OpenSSL-based Certificate Authority (CA) that can create,\n * sign, and revoke X.509 certificates.\n \n The CA maintains a standard OpenSSL directory layout under\n * {@link CertificateAuthority.rootDir \| rootDir}:\n \n ```\n * <location>/\n * ├── conf/ OpenSSL configuration\n * ├── private/ CA private key (cakey.pem)\n * ├── public/ CA certificate (cacert.pem)\n * ├── certs/ Signed certificates\n * ├── crl/ Revocation lists\n * ├── serial Next serial number\n * ├── crlnumber Next CRL number\n * └── index.txt Certificate database\n * ```\n \n @example\n * ```ts\n * const ca = new CertificateAuthority({\n * keySize: 2048,\n * location: \"/var/pki/CA\"\n * });\n * await ca.initialize();\n * ```\n /\nexport class CertificateAuthority {\n /* RSA key size used when generating the CA private key. /\n public readonly keySize: KeySize;\n /* Root filesystem path of the CA directory structure. /\n public readonly location: string;\n /* X.500 subject of the CA certificate. /\n public readonly subject: Subject;\n\n constructor(options: CertificateAuthorityOptions) {\n assert(Object.prototype.hasOwnProperty.call(options, \"location\"));\n assert(Object.prototype.hasOwnProperty.call(options, \"keySize\"));\n this.location = options.location;\n this.keySize = options.keySize \|\| 2048;\n this.subject = new Subject(options.subject \|\| defaultSubject);\n }\n\n /* Absolute path to the CA root directory (alias for {@link location}). /\n public get rootDir() {\n return this.location;\n }\n\n /* Path to the OpenSSL configuration file (`conf/caconfig.cnf`). /\n public get configFile() {\n return path.normalize(path.join(this.rootDir, \"./conf/caconfig.cnf\"));\n }\n\n /* Path to the CA certificate in PEM format (`public/cacert.pem`). /\n public get caCertificate() {\n // the Certificate Authority Certificate\n return makePath(this.rootDir, \"./public/cacert.pem\");\n }\n\n /\n Path to the current Certificate Revocation List in DER format.\n * (`crl/revocation_list.der`)\n /\n public get revocationListDER() {\n return makePath(this.rootDir, \"./crl/revocation_list.der\");\n }\n\n /\n Path to the current Certificate Revocation List in PEM format.\n * (`crl/revocation_list.crl`)\n /\n public get revocationList() {\n return makePath(this.rootDir, \"./crl/revocation_list.crl\");\n }\n\n /\n Path to the concatenated CA certificate + CRL file.\n * Used by OpenSSL for CRL-based verification.\n /\n public get caCertificateWithCrl() {\n return makePath(this.rootDir, \"./public/cacertificate_with_crl.pem\");\n }\n\n /\n Initialize the CA directory structure, generate the CA\n * private key and self-signed certificate if they do not\n * already exist.\n /\n public async initialize(): Promise<void> {\n await construct_CertificateAuthority(this);\n }\n\n /\n Rebuild the combined CA certificate + CRL file.\n \n This concatenates the CA certificate with the current\n * revocation list so that OpenSSL can verify certificates\n * with CRL checking enabled.\n /\n public async constructCACertificateWithCRL(): Promise<void> {\n const cacertWithCRL = this.caCertificateWithCrl;\n\n // note : in order to check if the certificate is revoked,\n // you need to specify -crl_check and have both the CA cert and the (applicable) CRL in your trust store.\n // There are two ways to do that:\n // 1. concatenate cacert.pem and crl.pem into one file and use that for -CAfile.\n // 2. use some linked\n // ( from http://security.stackexchange.com/a/58305/59982)\n\n if (fs.existsSync(this.revocationList)) {\n await fs.promises.writeFile(\n cacertWithCRL,\n fs.readFileSync(this.caCertificate, \"utf8\") + fs.readFileSync(this.revocationList, \"utf8\")\n );\n } else {\n // there is no revocation list yet\n await fs.promises.writeFile(cacertWithCRL, fs.readFileSync(this.caCertificate));\n }\n }\n\n /\n Append the CA certificate to a signed certificate file,\n * creating a PEM certificate chain.\n \n @param certificate - path to the certificate file to extend\n /\n public async constructCertificateChain(certificate: Filename): Promise<void> {\n assert(fs.existsSync(certificate));\n assert(fs.existsSync(this.caCertificate));\n\n debugLog(chalk.yellow(\" certificate file :\"), chalk.cyan(certificate));\n // append\n await fs.promises.writeFile(\n certificate,\n (await fs.promises.readFile(certificate, \"utf8\")) + (await fs.promises.readFile(this.caCertificate, \"utf8\"))\n // + fs.readFileSync(this.revocationList)\n );\n }\n\n /\n Create a self-signed certificate using OpenSSL.\n \n @param certificateFile - output path for the signed certificate\n * @param privateKey - path to the private key file\n * @param params - certificate parameters (subject, validity, SANs)\n /\n public async createSelfSignedCertificate(certificateFile: Filename, privateKey: Filename, params: Params): Promise<void> {\n assert(typeof privateKey === \"string\");\n assert(fs.existsSync(privateKey));\n\n if (!certificateFileExist(certificateFile)) {\n return;\n }\n\n adjustDate(params);\n adjustApplicationUri(params);\n processAltNames(params);\n\n const csrFile = `${certificateFile}_csr`;\n assert(csrFile);\n const configFile = generateStaticConfig(this.configFile, { cwd: this.rootDir });\n\n const options = {\n cwd: this.rootDir,\n openssl_conf: makePath(configFile)\n };\n\n const configOption = \"\";\n\n const subject = params.subject ? new Subject(params.subject).toString() : \"\";\n const subjectOptions = subject && subject.length > 1 ? ` -subj ${subject} ` : \"\";\n\n displaySubtitle(\"- the certificate signing request\");\n await execute_openssl(\n \"req \" +\n \" -new -sha256 -text \" +\n configOption +\n subjectOptions +\n \" -batch -key \" +\n q(n(privateKey)) +\n \" -out \" +\n q(n(csrFile)),\n options\n );\n\n displaySubtitle(\"- creating the self-signed certificate\");\n await execute_openssl(\n \"ca \" +\n \" -selfsign \" +\n \" -keyfile \" +\n q(n(privateKey)) +\n \" -startdate \" +\n x509Date(params.startDate) +\n \" -enddate \" +\n x509Date(params.endDate) +\n \" -batch -out \" +\n q(n(certificateFile)) +\n \" -in \" +\n q(n(csrFile)),\n options\n );\n\n displaySubtitle(\"- dump the certificate for a check\");\n\n await execute_openssl(`x509 -in ${q(n(certificateFile))} -dates -fingerprint -purpose -noout`, {});\n\n displaySubtitle(\"- verify self-signed certificate\");\n await execute_openssl_no_failure(`verify -verbose -CAfile ${q(n(certificateFile))} ${q(n(certificateFile))}`, options);\n\n await fs.promises.unlink(csrFile);\n }\n\n /\n Revoke a certificate and regenerate the CRL.\n \n @param certificate - path to the certificate file to revoke\n * @param params - revocation parameters\n * @param params.reason - CRL reason code\n * (default `\"keyCompromise\"`)\n /\n public async revokeCertificate(certificate: Filename, params: Params): Promise<void> {\n const crlReasons = [\n \"unspecified\",\n \"keyCompromise\",\n \"CACompromise\",\n \"affiliationChanged\",\n \"superseded\",\n \"cessationOfOperation\",\n \"certificateHold\",\n \"removeFromCRL\"\n ];\n\n const configFile = generateStaticConfig(\"conf/caconfig.cnf\", { cwd: this.rootDir });\n\n const options = {\n cwd: this.rootDir,\n openssl_conf: makePath(configFile)\n };\n\n setEnv(\"ALTNAME\", \"\");\n const randomFile = path.join(this.rootDir, \"random.rnd\");\n setEnv(\"RANDFILE\", randomFile);\n\n // // tslint:disable-next-line:no-string-literal\n // if (!fs.existsSync((process.env as any)[\"OPENSSL_CONF\"])) {\n // throw new Error(\"Cannot find OPENSSL_CONF\");\n // }\n\n const configOption = ` -config ${q(n(configFile))}`;\n\n const reason = params.reason \|\| \"keyCompromise\";\n assert(crlReasons.indexOf(reason) >= 0);\n\n displayTitle(`Revoking certificate ${certificate}`);\n\n displaySubtitle(\"Revoke certificate\");\n\n await execute_openssl_no_failure(`ca -verbose ${configOption} -revoke ${q(certificate)} -crl_reason ${reason}`, options);\n // regenerate CRL (Certificate Revocation List)\n await regenerateCrl(this.revocationList, configOption, options);\n\n displaySubtitle(\"Verify that certificate is revoked\");\n\n await execute_openssl_no_failure(\n \"verify -verbose\" +\n // configOption +\n \" -CRLfile \" +\n q(n(this.revocationList)) +\n \" -CAfile \" +\n q(n(this.caCertificate)) +\n \" -crl_check \" +\n q(n(certificate)),\n options\n );\n\n // produce CRL in DER format\n displaySubtitle(\"Produce CRL in DER form \");\n await execute_openssl(`crl -in ${q(n(this.revocationList))} -out crl/revocation_list.der -outform der`, options);\n // produce CRL in PEM format with text\n displaySubtitle(\"Produce CRL in PEM form \");\n\n await execute_openssl(`crl -in ${q(n(this.revocationList))} -out crl/revocation_list.pem -outform pem -text `, options);\n }\n\n /\n Sign a Certificate Signing Request (CSR) with this CA.\n \n The signed certificate is written to `certificate`, and the\n * CA certificate chain plus CRL are appended to form a\n * complete certificate chain.\n \n @param certificate - output path for the signed certificate\n * @param certificateSigningRequestFilename - path to the CSR\n * @param params1 - signing parameters (validity, dates, SANs)\n * @returns the path to the signed certificate\n /\n public async signCertificateRequest(\n certificate: Filename,\n certificateSigningRequestFilename: Filename,\n params1: Params\n ): Promise<Filename> {\n await ensure_openssl_installed();\n assert(fs.existsSync(certificateSigningRequestFilename));\n if (!certificateFileExist(certificate)) {\n return \"\";\n }\n adjustDate(params1);\n adjustApplicationUri(params1);\n processAltNames(params1);\n\n const options: ExecuteOptions = { cwd: this.rootDir };\n\n // note :\n // subjectAltName is not copied across\n // see https://github.com/openssl/openssl/issues/10458\n const csr = await readCertificateSigningRequest(certificateSigningRequestFilename);\n const csrInfo = exploreCertificateSigningRequest(csr);\n\n const applicationUri = csrInfo.extensionRequest.subjectAltName.uniformResourceIdentifier\n ? csrInfo.extensionRequest.subjectAltName.uniformResourceIdentifier[0]\n : undefined;\n if (typeof applicationUri !== \"string\") {\n throw new Error(\"Cannot find applicationUri in CSR\");\n }\n\n const dns = csrInfo.extensionRequest.subjectAltName.dNSName \|\| [];\n let ip = csrInfo.extensionRequest.subjectAltName.iPAddress \|\| [];\n ip = ip.map(octetStringToIpAddress);\n\n const params: ProcessAltNamesParam = {\n applicationUri,\n dns,\n ip\n };\n\n processAltNames(params);\n\n const configFile = generateStaticConfig(\"conf/caconfig.cnf\", options);\n\n displaySubtitle(\"- then we ask the authority to sign the certificate signing request\");\n\n const configOption = ` -config ${configFile}`;\n await execute_openssl(\n \"ca \" +\n configOption +\n \" -startdate \" +\n x509Date(params1.startDate) +\n \" -enddate \" +\n x509Date(params1.endDate) +\n \" -batch -out \" +\n q(n(certificate)) +\n \" -in \" +\n q(n(certificateSigningRequestFilename)),\n options\n );\n\n displaySubtitle(\"- dump the certificate for a check\");\n await execute_openssl(`x509 -in ${q(n(certificate))} -dates -fingerprint -purpose -noout`, options);\n\n displaySubtitle(\"- construct CA certificate with CRL\");\n await this.constructCACertificateWithCRL();\n\n // construct certificate chain\n // concatenate certificate with CA Certificate and revocation list\n displaySubtitle(\"- construct certificate chain\");\n await this.constructCertificateChain(certificate);\n // todo\n displaySubtitle(\"- verify certificate against the root CA\");\n await this.verifyCertificate(certificate);\n\n return certificate;\n }\n\n /\n Verify a certificate against this CA.\n \n @param certificate - path to the certificate file to verify\n /\n public async verifyCertificate(certificate: Filename): Promise<void> {\n // openssl verify crashes on windows! we cannot use it reliably\n // istanbul ignore next\n const isImplemented = false;\n\n // istanbul ignore next\n if (isImplemented) {\n const options = { cwd: this.rootDir };\n const configFile = generateStaticConfig(\"conf/caconfig.cnf\", options);\n\n setEnv(\"OPENSSL_CONF\", makePath(configFile));\n const _configOption = ` -config ${configFile}`;\n _configOption;\n await execute_openssl_no_failure(\n `verify -verbose -CAfile ${q(n(this.caCertificateWithCrl))} ${q(n(certificate))}`,\n options\n );\n }\n }\n}\n","/ eslint-disable @typescript-eslint/no-unused-vars /\n// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n// Error.stackTraceLimit = Infinity;\n// tslint:disable:variable-name\n// tslint:disable:no-console\n// tslint:disable:object-literal-sort-keys\n// tslint:disable:no-shadowed-variable\n\nimport assert from \"node:assert\";\nimport fs from \"node:fs\";\nimport { createRequire } from \"node:module\";\nimport os from \"node:os\";\nimport path from \"node:path\";\nimport chalk from \"chalk\";\nimport { CertificatePurpose, generatePrivateKeyFile, Subject, type SubjectOptions } from \"node-opcua-crypto\";\n\nimport { makeApplicationUrn } from \"../misc/applicationurn\";\nimport { extractFullyQualifiedDomainName, getFullyQualifiedDomainName } from \"../misc/hostname\";\nimport { CertificateManager, type CreateSelfSignCertificateParam1 } from \"../pki/certificate_manager\";\nimport {\n type CreateCertificateSigningRequestWithConfigOptions,\n debugLog,\n displayChapter,\n displaySubtitle,\n displayTitle,\n type Filename,\n g_config,\n type KeySize,\n makePath,\n mkdirRecursiveSync,\n warningLog\n} from \"../toolbox\";\nimport {\n createCertificateSigningRequestWithOpenSSL,\n dumpCertificate,\n ensure_openssl_installed,\n fingerprint,\n getPublicKeyFromPrivateKey,\n setEnv,\n toDer\n} from \"../toolbox/with_openssl\";\nimport { CertificateAuthority, defaultSubject } from \"./certificate_authority\";\n\nconst epilog = \"Copyright (c) sterfive - node-opcua - 2017-2026\";\n\n// ------------------------------------------------- some useful dates\nfunction get_offset_date(date: Date, nbDays: number): Date {\n const d = new Date(date.getTime());\n d.setDate(d.getDate() + nbDays);\n return d;\n}\n\nconst today = new Date();\nconst yesterday = get_offset_date(today, -1);\nconst two_years_ago = get_offset_date(today, -2 365);\nconst next_year = get_offset_date(today, 365);\n\ninterface LocalConfig {\n CAFolder?: string;\n PKIFolder?: string;\n\n keySize?: KeySize;\n\n subject?: SubjectOptions \| string;\n\n certificateDir?: Filename;\n\n privateKey?: Filename;\n\n applicationUri?: string;\n\n outputFile?: string;\n\n altNames?: string[];\n dns?: string[];\n ip?: string[];\n\n startDate?: Date;\n validity?: number;\n}\n\nlet gLocalConfig: LocalConfig = {};\n\nlet g_certificateAuthority: CertificateAuthority; // the Certificate Authority\n\n/**\n \n \n prerequisites :\n * g_config.CAFolder : the folder of the CA\n /\nasync function construct_CertificateAuthority(subject: string) {\n // verify that g_config file has been loaded\n assert(typeof gLocalConfig.CAFolder === \"string\", \"expecting a CAFolder in config\");\n assert(typeof gLocalConfig.keySize === \"number\", \"expecting a keySize in config\");\n\n if (!g_certificateAuthority) {\n g_certificateAuthority = new CertificateAuthority({\n keySize: gLocalConfig.keySize,\n location: gLocalConfig.CAFolder,\n subject\n });\n await g_certificateAuthority.initialize();\n }\n}\n\nlet certificateManager: CertificateManager; // the Certificate Manager\n/*\n \n \n prerequisites :\n * g_config.PKIFolder : the folder of the PKI\n /\nasync function construct_CertificateManager() {\n assert(typeof gLocalConfig.PKIFolder === \"string\", \"expecting a PKIFolder in config\");\n\n if (!certificateManager) {\n certificateManager = new CertificateManager({\n keySize: gLocalConfig.keySize,\n location: gLocalConfig.PKIFolder\n });\n await certificateManager.initialize();\n }\n}\n\nfunction _displayConfig(config: { [key: string]: { toString: () => string } }) {\n function w(str: string, l: number): string {\n return `${str} `.substring(0, l);\n }\n\n warningLog(chalk.yellow(\" configuration = \"));\n\n for (const [key, value] of Object.entries(config)) {\n warningLog(` ${chalk.yellow(w(key, 30))} : ${chalk.cyan(value.toString())}`);\n }\n}\n\nfunction default_template_content(): string {\n // istanbul ignore next\n if ((process as unknown as { pkg?: { entrypoint: string } }).pkg?.entrypoint) {\n // we are using PKG compiled package !\n\n // warningLog(\"___filename\", __filename);\n // warningLog(\"__dirname\", __dirname);\n // warningLog(\"process.pkg.entrypoint\", (process as unknown as IReadConfigurationOpts).pkg.entrypoint);\n const a = fs.readFileSync(path.join(__dirname, \"../../bin/pki_config.example.js\"), \"utf8\");\n return a;\n }\n function find_default_config_template() {\n const rootFolder = find_module_root_folder();\n\n // Note: we use a hardcoded config filename here because after tsup bundling,\n // __filename points to the bundle file (e.g., \"index.mjs\") rather than the\n // original source file, making dynamic name construction unreliable.\n const configName = \"pki_config.example.js\";\n\n let default_config_template = path.join(rootFolder, \"bin\", configName);\n\n if (!fs.existsSync(default_config_template)) {\n default_config_template = path.join(__dirname, \"..\", configName);\n\n if (!fs.existsSync(default_config_template)) {\n default_config_template = path.join(__dirname, `../bin/${configName}`);\n }\n }\n return default_config_template;\n }\n const default_config_template = find_default_config_template();\n assert(fs.existsSync(default_config_template));\n const default_config_template_content = fs.readFileSync(default_config_template, \"utf8\");\n return default_config_template_content;\n}\n\n/\n \n /\nfunction find_module_root_folder() {\n let rootFolder = path.join(__dirname);\n\n for (let i = 0; i < 4; i++) {\n if (fs.existsSync(path.join(rootFolder, \"package.json\"))) {\n return rootFolder;\n }\n rootFolder = path.join(rootFolder, \"..\");\n }\n\n assert(fs.existsSync(path.join(rootFolder, \"package.json\")), \"root folder must have a package.json file\");\n return rootFolder;\n}\n\ninterface IReadConfigurationOpts {\n root: string;\n silent?: boolean;\n subject?: string;\n CAFolder?: string;\n PKIFolder?: string;\n privateKey?: string;\n applicationUri?: string;\n output?: string;\n altNames?: string;\n dns?: string;\n ip?: string;\n keySize?: KeySize;\n validity?: number;\n}\n\n/ eslint complexity:off, max-statements:off /\nasync function readConfiguration(argv: IReadConfigurationOpts) {\n if (argv.silent) {\n g_config.silent = true;\n } else {\n g_config.silent = false;\n }\n\n const fqdn = await extractFullyQualifiedDomainName();\n const hostname = os.hostname();\n let certificateDir: string;\n\n function performSubstitution(str: string): string {\n str = str.replace(\"{CWD}\", process.cwd());\n if (certificateDir) {\n str = str.replace(\"{root}\", certificateDir);\n }\n if (gLocalConfig?.PKIFolder) {\n str = str.replace(\"{PKIFolder}\", gLocalConfig.PKIFolder);\n }\n str = str.replace(\"{hostname}\", hostname);\n str = str.replace(\"%FQDN%\", fqdn);\n return str;\n }\n\n function prepare(file: Filename): Filename {\n const tmp = path.resolve(performSubstitution(file));\n return makePath(tmp);\n }\n\n // ------------------------------------------------------------------------------------------------------------\n certificateDir = argv.root;\n assert(typeof certificateDir === \"string\");\n\n certificateDir = prepare(certificateDir);\n mkdirRecursiveSync(certificateDir);\n assert(fs.existsSync(certificateDir));\n\n // ------------------------------------------------------------------------------------------------------------\n const default_config = path.join(certificateDir, \"config.js\");\n\n if (!fs.existsSync(default_config)) {\n // copy\n debugLog(chalk.yellow(\" Creating default g_config file \"), chalk.cyan(default_config));\n const default_config_template_content = default_template_content();\n fs.writeFileSync(default_config, default_config_template_content);\n } else {\n debugLog(chalk.yellow(\" using g_config file \"), chalk.cyan(default_config));\n }\n if (!fs.existsSync(default_config)) {\n debugLog(chalk.redBright(\" cannot find config file \", default_config));\n }\n\n // see http://stackoverflow.com/questions/94445/using-openssl-what-does-unable-to-write-random-state-mean\n // set random file to be random.rnd in the same folder as the g_config file\n const defaultRandomFile = path.join(path.dirname(default_config), \"random.rnd\");\n setEnv(\"RANDFILE\", defaultRandomFile);\n\n / eslint global-require: 0/\n const _require = createRequire(__filename);\n gLocalConfig = _require(default_config);\n\n gLocalConfig.subject = new Subject(gLocalConfig.subject \|\| \"\");\n\n // if subject is provided on the command line , it has hight priority\n if (argv.subject) {\n gLocalConfig.subject = new Subject(argv.subject);\n }\n\n // istanbul ignore next\n if (!gLocalConfig.subject.commonName) {\n throw new Error(\"subject must have a Common Name\");\n }\n\n gLocalConfig.certificateDir = certificateDir;\n\n // ------------------------------------------------------------------------------------------------------------\n let CAFolder = argv.CAFolder \|\| path.join(certificateDir, \"CA\");\n CAFolder = prepare(CAFolder);\n gLocalConfig.CAFolder = CAFolder;\n\n // ------------------------------------------------------------------------------------------------------------\n gLocalConfig.PKIFolder = path.join(gLocalConfig.certificateDir, \"PKI\");\n if (argv.PKIFolder) {\n gLocalConfig.PKIFolder = prepare(argv.PKIFolder);\n }\n gLocalConfig.PKIFolder = prepare(gLocalConfig.PKIFolder);\n if (argv.privateKey) {\n gLocalConfig.privateKey = prepare(argv.privateKey);\n }\n\n if (argv.applicationUri) {\n gLocalConfig.applicationUri = performSubstitution(argv.applicationUri);\n }\n\n if (argv.output) {\n gLocalConfig.outputFile = argv.output;\n }\n\n gLocalConfig.altNames = [];\n if (argv.altNames) {\n gLocalConfig.altNames = argv.altNames.split(\";\");\n }\n gLocalConfig.dns = [getFullyQualifiedDomainName()];\n if (argv.dns) {\n gLocalConfig.dns = argv.dns.split(\",\").map(performSubstitution);\n }\n gLocalConfig.ip = [];\n if (argv.ip) {\n gLocalConfig.ip = argv.ip.split(\",\");\n }\n if (argv.keySize) {\n const v = argv.keySize;\n if (v !== 1024 && v !== 2048 && v !== 3072 && v !== 4096) {\n throw new Error(`invalid keysize specified ${v} should be 1024,2048,3072 or 4096`);\n }\n gLocalConfig.keySize = argv.keySize;\n }\n\n if (argv.validity) {\n gLocalConfig.validity = argv.validity;\n }\n // xx displayConfig(g_config);\n // ------------------------------------------------------------------------------------------------------------\n}\n\nasync function createDefaultCertificate(\n base_name: string,\n prefix: string,\n key_length: KeySize,\n applicationUri: string,\n dev: boolean\n) {\n // possible key length in bits\n assert(key_length === 1024 \|\| key_length === 2048 \|\| key_length === 3072 \|\| key_length === 4096);\n\n const private_key_file = makePath(base_name, `${prefix}key_${key_length}.pem`);\n const public_key_file = makePath(base_name, `${prefix}public_key_${key_length}.pub`);\n const certificate_file = makePath(base_name, `${prefix}cert_${key_length}.pem`);\n const certificate_file_outofdate = makePath(base_name, `${prefix}cert_${key_length}_outofdate.pem`);\n const certificate_file_not_active_yet = makePath(base_name, `${prefix}cert_${key_length}_not_active_yet.pem`);\n const certificate_revoked = makePath(base_name, `${prefix}cert_${key_length}_revoked.pem`);\n const self_signed_certificate_file = makePath(base_name, `${prefix}selfsigned_cert_${key_length}.pem`);\n\n const fqdn = getFullyQualifiedDomainName();\n const hostname = os.hostname();\n const dns: string[] = [\n // for conformance reason, localhost shall not be present in the DNS field of COP\n // FORBIDEN \"localhost\",\n getFullyQualifiedDomainName()\n ];\n if (hostname !== fqdn) {\n dns.push(hostname);\n }\n\n const ip: string[] = [];\n\n async function createCertificateIfNotExist(\n certificate: Filename,\n private_key: Filename,\n applicationUri: string,\n startDate: Date,\n validity: number\n ): Promise<string> {\n // istanbul ignore next\n if (fs.existsSync(certificate)) {\n warningLog(chalk.yellow(\" certificate\"), chalk.cyan(certificate), chalk.yellow(\" already exists => skipping\"));\n return \"\";\n } else {\n return await createCertificate(certificate, private_key, applicationUri, startDate, validity);\n }\n }\n\n async function createCertificate(\n certificate: Filename,\n privateKey: Filename,\n applicationUri: string,\n startDate: Date,\n validity: number\n ): Promise<string> {\n const certificateSigningRequestFile = `${certificate}.csr`;\n\n const configFile = makePath(base_name, \"../certificates/PKI/own/openssl.cnf\");\n\n const dns = [os.hostname()];\n const ip = [\"127.0.0.1\"];\n\n const params: CreateCertificateSigningRequestWithConfigOptions = {\n applicationUri,\n privateKey,\n rootDir: \".\",\n configFile,\n dns,\n ip,\n purpose: CertificatePurpose.ForApplication\n };\n\n // create CSR\n await createCertificateSigningRequestWithOpenSSL(certificateSigningRequestFile, params);\n\n return await g_certificateAuthority.signCertificateRequest(certificate, certificateSigningRequestFile, {\n applicationUri,\n dns,\n ip,\n startDate,\n validity\n });\n }\n\n async function createSelfSignedCertificate(\n certificate: Filename,\n private_key: Filename,\n applicationUri: string,\n startDate: Date,\n validity: number\n ) {\n await g_certificateAuthority.createSelfSignedCertificate(certificate, private_key, {\n applicationUri,\n dns,\n ip,\n startDate,\n validity\n });\n }\n\n async function revoke_certificate(certificate: Filename) {\n await g_certificateAuthority.revokeCertificate(certificate, {});\n }\n\n async function createPrivateKeyIfNotExist(privateKey: Filename, keyLength: KeySize) {\n if (fs.existsSync(privateKey)) {\n warningLog(chalk.yellow(\" privateKey\"), chalk.cyan(privateKey), chalk.yellow(\" already exists => skipping\"));\n return;\n } else {\n await generatePrivateKeyFile(privateKey, keyLength);\n }\n }\n\n displaySubtitle(` create private key :${private_key_file}`);\n\n await createPrivateKeyIfNotExist(private_key_file, key_length);\n displaySubtitle(` extract public key ${public_key_file} from private key `);\n await getPublicKeyFromPrivateKey(private_key_file, public_key_file);\n displaySubtitle(` create Certificate ${certificate_file}`);\n\n await createCertificateIfNotExist(certificate_file, private_key_file, applicationUri, yesterday, 365);\n\n displaySubtitle(` create self signed Certificate ${self_signed_certificate_file}`);\n\n if (fs.existsSync(self_signed_certificate_file)) {\n // self_signed certificate already exists\n return;\n }\n await createSelfSignedCertificate(self_signed_certificate_file, private_key_file, applicationUri, yesterday, 365);\n\n if (dev) {\n await createCertificateIfNotExist(certificate_file_outofdate, private_key_file, applicationUri, two_years_ago, 365);\n\n await createCertificateIfNotExist(certificate_file_not_active_yet, private_key_file, applicationUri, next_year, 365);\n\n if (!fs.existsSync(certificate_revoked)) {\n // self_signed certificate already exists\n const certificate = await createCertificateIfNotExist(\n certificate_revoked,\n private_key_file,\n `${applicationUri}Revoked`, // make sure we used a uniq URI here\n yesterday,\n 365\n );\n warningLog(\" certificate to revoke => \", certificate);\n revoke_certificate(certificate_revoked);\n }\n }\n}\n\nasync function wrap(func: () => Promise<void>) {\n try {\n await func();\n } catch (err) {\n console.log((err as Error).message);\n }\n}\n\nasync function create_default_certificates(dev: boolean) {\n assert(gLocalConfig);\n const base_name = gLocalConfig.certificateDir \|\| \"\";\n assert(fs.existsSync(base_name));\n\n let clientURN: string;\n let serverURN: string;\n let discoveryServerURN: string;\n wrap(async () => {\n await extractFullyQualifiedDomainName();\n const hostname = os.hostname();\n const fqdn = getFullyQualifiedDomainName();\n warningLog(chalk.yellow(\" hostname = \"), chalk.cyan(hostname));\n warningLog(chalk.yellow(\" fqdn = \"), chalk.cyan(fqdn));\n clientURN = makeApplicationUrn(hostname, \"NodeOPCUA-Client\");\n serverURN = makeApplicationUrn(hostname, \"NodeOPCUA-Server\");\n discoveryServerURN = makeApplicationUrn(hostname, \"NodeOPCUA-DiscoveryServer\");\n\n displayTitle(\"Create Application Certificate for Server & its private key\");\n await createDefaultCertificate(base_name, \"client_\", 1024, clientURN, dev);\n await createDefaultCertificate(base_name, \"client_\", 2048, clientURN, dev);\n await createDefaultCertificate(base_name, \"client_\", 3072, clientURN, dev);\n await createDefaultCertificate(base_name, \"client_\", 4096, clientURN, dev);\n\n displayTitle(\"Create Application Certificate for Client & its private key\");\n await createDefaultCertificate(base_name, \"server_\", 1024, serverURN, dev);\n await createDefaultCertificate(base_name, \"server_\", 2048, serverURN, dev);\n await createDefaultCertificate(base_name, \"server_\", 3072, serverURN, dev);\n await createDefaultCertificate(base_name, \"server_\", 4096, serverURN, dev);\n\n displayTitle(\"Create Application Certificate for DiscoveryServer & its private key\");\n await createDefaultCertificate(base_name, \"discoveryServer_\", 1024, discoveryServerURN, dev);\n await createDefaultCertificate(base_name, \"discoveryServer_\", 2048, discoveryServerURN, dev);\n await createDefaultCertificate(base_name, \"discoveryServer_\", 3072, discoveryServerURN, dev);\n await createDefaultCertificate(base_name, \"discoveryServer_\", 4096, discoveryServerURN, dev);\n });\n}\n\nasync function createDefaultCertificates(dev: boolean) {\n await construct_CertificateAuthority(\"\");\n await construct_CertificateManager();\n await create_default_certificates(dev);\n}\n\nimport commandLineArgs from \"command-line-args\";\nimport commandLineUsage from \"command-line-usage\";\n\nconst commonOptions = [\n {\n name: \"root\",\n alias: \"r\",\n type: String,\n defaultValue: \"{CWD}/certificates\",\n description: \"the location of the Certificate folder\"\n },\n {\n name: \"CAFolder\",\n alias: \"c\",\n type: String,\n defaultValue: \"{root}/CA\",\n description: \"the location of the Certificate Authority folder\"\n },\n { name: \"PKIFolder\", type: String, defaultValue: \"{root}/PKI\", description: \"the location of the Public Key Infrastructure\" },\n { name: \"silent\", type: Boolean, defaultValue: false, description: \"minimize output\" },\n {\n name: \"privateKey\",\n alias: \"p\",\n type: String,\n defaultValue: \"{PKIFolder}/own/private_key.pem\",\n description: \"the private key to use to generate certificate\"\n },\n {\n name: \"keySize\",\n alias: \"k\",\n type: Number,\n defaultValue: 2048,\n description: \"the private key size in bits (1024\|2048\|3072\|4096)\"\n },\n { name: \"help\", alias: \"h\", type: Boolean, description: \"display this help\" }\n];\n\nfunction getOptions(names: string[]) {\n return commonOptions.filter((o) => names.includes(o.name) \|\| o.name === \"help\" \|\| o.name === \"silent\");\n}\n\nfunction showHelp(command: string, description: string, options: Record<string, unknown>[], usage?: string) {\n const sections = [\n {\n header: `Command: ${command}`,\n content: description\n },\n {\n header: \"Usage\",\n content: usage \|\| `$0 ${command} [options]`\n },\n {\n header: \"Options\",\n optionList: options\n }\n ];\n console.log(commandLineUsage(sections));\n}\n\nexport async function main(argumentsList: string \| string[]) {\n const mainDefinitions = [{ name: \"command\", defaultOption: true }];\n let mainOptions: commandLineArgs.CommandLineOptions;\n try {\n mainOptions = commandLineArgs(mainDefinitions, { argv: argumentsList as string[], stopAtFirstUnknown: true });\n } catch (err) {\n console.log((err as Error).message);\n return;\n }\n\n const argv = mainOptions._unknown \|\| [];\n const command = mainOptions.command;\n\n if (!command \|\| command === \"help\") {\n console.log(\n commandLineUsage([\n {\n header: \"node-opcua-pki\",\n content: `PKI management for node-opcua\\n\\n${epilog}`\n },\n {\n header: \"Commands\",\n content: [\n { name: \"demo\", summary: \"create default certificate for node-opcua demos\" },\n { name: \"createCA\", summary: \"create a Certificate Authority\" },\n { name: \"createPKI\", summary: \"create a Public Key Infrastructure\" },\n { name: \"certificate\", summary: \"create a new certificate\" },\n { name: \"revoke <certificateFile>\", summary: \"revoke a existing certificate\" },\n { name: \"csr\", summary: \"create a certificate signing request\" },\n { name: \"sign\", summary: \"validate a certificate signing request and generate a certificate\" },\n { name: \"dump <certificateFile>\", summary: \"display a certificate\" },\n { name: \"toder <pemCertificate>\", summary: \"convert a certificate to a DER format with finger print\" },\n { name: \"fingerprint <certificateFile>\", summary: \"print the certificate fingerprint\" },\n { name: \"version\", summary: \"display the version number\" }\n ]\n }\n ])\n );\n return;\n }\n\n if (command === \"version\") {\n const rootFolder = find_module_root_folder();\n const pkg = JSON.parse(fs.readFileSync(path.join(rootFolder, \"package.json\"), \"utf-8\"));\n console.log(pkg.version);\n return;\n }\n\n if (command === \"demo\") {\n const optionsDef = [\n ...getOptions([\"root\", \"silent\"]),\n { name: \"dev\", type: Boolean, description: \"create all sort of fancy certificates for dev testing purposes\" },\n { name: \"clean\", type: Boolean, description: \"Purge existing directory [use with care!]\" }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help)\n return showHelp(\n \"demo\",\n \"create default certificate for node-opcua demos\",\n optionsDef,\n \"$0 demo [--dev] [--silent] [--clean]\"\n );\n\n await wrap(async () => {\n await ensure_openssl_installed();\n displayChapter(\"Create Demo certificates\");\n displayTitle(\"reading configuration\");\n await readConfiguration(local_argv as unknown as IReadConfigurationOpts);\n if (local_argv.clean) {\n displayTitle(\"Cleaning old certificates\");\n assert(gLocalConfig);\n const certificateDir = gLocalConfig.certificateDir \|\| \"\";\n const files = await fs.promises.readdir(certificateDir);\n for (const file of files) {\n if (file.includes(\".pem\") \|\| file.includes(\".pub\")) {\n await fs.promises.unlink(path.join(certificateDir, file));\n }\n }\n mkdirRecursiveSync(certificateDir);\n }\n displayTitle(\"create certificates\");\n await createDefaultCertificates(local_argv.dev);\n displayChapter(\"Demo certificates CREATED\");\n });\n return;\n }\n\n if (command === \"createCA\") {\n const optionsDef = [\n ...getOptions([\"root\", \"CAFolder\", \"keySize\", \"silent\"]),\n { name: \"subject\", type: String, defaultValue: defaultSubject, description: \"the CA certificate subject\" }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help) return showHelp(\"createCA\", \"create a Certificate Authority\", optionsDef);\n\n await wrap(async () => {\n await ensure_openssl_installed();\n await readConfiguration(local_argv as unknown as IReadConfigurationOpts);\n await construct_CertificateAuthority(local_argv.subject);\n });\n return;\n }\n\n if (command === \"createPKI\") {\n const optionsDef = getOptions([\"root\", \"PKIFolder\", \"keySize\", \"silent\"]);\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help) return showHelp(\"createPKI\", \"create a Public Key Infrastructure\", optionsDef);\n\n await wrap(async () => {\n await readConfiguration(local_argv as unknown as IReadConfigurationOpts);\n await construct_CertificateManager();\n });\n return;\n }\n\n if (command === \"certificate\") {\n const optionsDef = [\n ...getOptions([\"root\", \"CAFolder\", \"PKIFolder\", \"privateKey\", \"silent\"]),\n {\n name: \"applicationUri\",\n alias: \"a\",\n type: String,\n defaultValue: \"urn:{hostname}:Node-OPCUA-Server\",\n description: \"the application URI\"\n },\n {\n name: \"output\",\n alias: \"o\",\n type: String,\n defaultValue: \"my_certificate.pem\",\n description: \"the name of the generated certificate =>\"\n },\n {\n name: \"selfSigned\",\n alias: \"s\",\n type: Boolean,\n defaultValue: false,\n description: \"if true, certificate will be self-signed\"\n },\n { name: \"validity\", alias: \"v\", type: Number, description: \"the certificate validity in days\" },\n {\n name: \"dns\",\n type: String,\n defaultValue: \"{hostname}\",\n description: \"the list of valid domain name (comma separated)\"\n },\n { name: \"ip\", type: String, defaultValue: \"\", description: \"the list of valid IPs (comma separated)\" },\n {\n name: \"subject\",\n type: String,\n defaultValue: \"\",\n description: \"the certificate subject ( for instance C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello )\"\n }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help \|\| !local_argv.applicationUri \|\| !local_argv.output)\n return showHelp(\"certificate\", \"create a new certificate\", optionsDef);\n\n async function command_certificate(local_argv: IReadConfigurationOpts) {\n const selfSigned = !!(local_argv as unknown as { selfSigned?: boolean }).selfSigned;\n if (!selfSigned) {\n await command_full_certificate(local_argv);\n } else {\n await command_selfsigned_certificate(local_argv);\n }\n }\n\n async function command_selfsigned_certificate(local_argv: IReadConfigurationOpts) {\n const _fqdn = await extractFullyQualifiedDomainName();\n await readConfiguration(local_argv);\n await construct_CertificateManager();\n\n displaySubtitle(` create self signed Certificate ${gLocalConfig.outputFile}`);\n let subject =\n local_argv.subject && local_argv.subject.length > 1 ? new Subject(local_argv.subject) : gLocalConfig.subject \|\| \"\";\n\n subject = JSON.parse(JSON.stringify(subject));\n\n const params: CreateSelfSignCertificateParam1 = {\n applicationUri: gLocalConfig.applicationUri \|\| \"\",\n dns: gLocalConfig.dns \|\| [],\n ip: gLocalConfig.ip \|\| [],\n outputFile: gLocalConfig.outputFile \|\| \"self_signed_certificate.pem\",\n startDate: gLocalConfig.startDate \|\| new Date(),\n subject,\n validity: gLocalConfig.validity \|\| 365\n };\n\n await certificateManager.createSelfSignedCertificate(params);\n }\n\n async function command_full_certificate(local_argv: IReadConfigurationOpts) {\n await readConfiguration(local_argv);\n await construct_CertificateManager();\n await construct_CertificateAuthority(\"\");\n assert(fs.existsSync(gLocalConfig.CAFolder \|\| \"\"), \" CA folder must exist\");\n gLocalConfig.privateKey = undefined; // use PKI private key\n // create a Certificate Request from the certificate Manager\n\n gLocalConfig.subject = local_argv.subject && local_argv.subject.length > 1 ? local_argv.subject : gLocalConfig.subject;\n\n const csr_file = await certificateManager.createCertificateRequest(\n gLocalConfig as Parameters<typeof certificateManager.createCertificateRequest>[0]\n );\n if (!csr_file) {\n return;\n }\n warningLog(\" csr_file = \", csr_file);\n const certificate = csr_file.replace(\".csr\", \".pem\");\n\n if (fs.existsSync(certificate)) {\n throw new Error(` File ${certificate} already exist`);\n }\n await g_certificateAuthority.signCertificateRequest(\n certificate,\n csr_file,\n gLocalConfig as Parameters<typeof g_certificateAuthority.signCertificateRequest>[2]\n );\n\n assert(typeof gLocalConfig.outputFile === \"string\");\n fs.writeFileSync(gLocalConfig.outputFile \|\| \"\", fs.readFileSync(certificate, \"ascii\"));\n }\n\n await wrap(async () => await command_certificate(local_argv as unknown as IReadConfigurationOpts));\n return;\n }\n\n if (command === \"revoke\") {\n const optionsDef = [{ name: \"certificateFile\", type: String, defaultOption: true }, ...getOptions([\"root\", \"CAFolder\"])];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help \|\| !local_argv.certificateFile)\n return showHelp(\n \"revoke <certificateFile>\",\n \"revoke a existing certificate\",\n optionsDef,\n \"$0 revoke my_certificate.pem\"\n );\n\n async function revoke_certificate(certificate: Filename) {\n await g_certificateAuthority.revokeCertificate(certificate, {});\n }\n\n await wrap(async () => {\n const certificate = path.resolve(local_argv.certificateFile);\n warningLog(chalk.yellow(\" Certificate to revoke : \"), chalk.cyan(certificate));\n if (!fs.existsSync(certificate)) {\n throw new Error(`cannot find certificate to revoke ${certificate}`);\n }\n await readConfiguration(local_argv as unknown as IReadConfigurationOpts);\n await construct_CertificateAuthority(\"\");\n await revoke_certificate(certificate);\n warningLog(\"done ... \");\n warningLog(\" crl = \", g_certificateAuthority.revocationList);\n warningLog(\"\\nyou should now publish the new Certificate Revocation List\");\n });\n return;\n }\n\n if (command === \"csr\") {\n const optionsDef = [\n ...getOptions([\"root\", \"PKIFolder\", \"privateKey\", \"silent\"]),\n {\n name: \"applicationUri\",\n alias: \"a\",\n type: String,\n defaultValue: \"urn:{hostname}:Node-OPCUA-Server\",\n description: \"the application URI\"\n },\n {\n name: \"output\",\n alias: \"o\",\n type: String,\n defaultValue: \"my_certificate_signing_request.csr\",\n description: \"the name of the generated signing_request\"\n },\n {\n name: \"dns\",\n type: String,\n defaultValue: \"{hostname}\",\n description: \"the list of valid domain name (comma separated)\"\n },\n { name: \"ip\", type: String, defaultValue: \"\", description: \"the list of valid IPs (comma separated)\" },\n {\n name: \"subject\",\n type: String,\n defaultValue: \"/CN=Certificate\",\n description: \"the certificate subject ( for instance /C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello )\"\n }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help) return showHelp(\"csr\", \"create a certificate signing request\", optionsDef);\n\n await wrap(async () => {\n await readConfiguration(local_argv as unknown as IReadConfigurationOpts);\n if (!fs.existsSync(gLocalConfig.PKIFolder \|\| \"\")) {\n warningLog(\"PKI folder must exist\");\n }\n await construct_CertificateManager();\n if (!gLocalConfig.outputFile \|\| fs.existsSync(gLocalConfig.outputFile)) {\n throw new Error(` File ${gLocalConfig.outputFile} already exist`);\n }\n gLocalConfig.privateKey = undefined; // use PKI private key\n // create a Certificate Request from the certificate Manager\n\n gLocalConfig.subject = local_argv.subject && local_argv.subject.length > 1 ? local_argv.subject : gLocalConfig.subject;\n\n const internal_csr_file = await certificateManager.createCertificateRequest(\n gLocalConfig as Parameters<typeof certificateManager.createCertificateRequest>[0]\n );\n if (!internal_csr_file) {\n return;\n }\n if (!gLocalConfig.outputFile) {\n warningLog(\"please specify a output file\");\n return;\n }\n const csr = await fs.promises.readFile(internal_csr_file, \"utf-8\");\n fs.writeFileSync(gLocalConfig.outputFile \|\| \"\", csr, \"utf-8\");\n\n warningLog(\"Subject = \", gLocalConfig.subject);\n warningLog(\"applicationUri = \", gLocalConfig.applicationUri);\n warningLog(\"altNames = \", gLocalConfig.altNames);\n warningLog(\"dns = \", gLocalConfig.dns);\n warningLog(\"ip = \", gLocalConfig.ip);\n\n warningLog(\"CSR file = \", gLocalConfig.outputFile);\n });\n return;\n }\n\n if (command === \"sign\") {\n const optionsDef = [\n ...getOptions([\"root\", \"CAFolder\", \"silent\"]),\n { name: \"csr\", alias: \"i\", type: String, defaultValue: \"my_certificate_signing_request.csr\", description: \"the csr\" },\n {\n name: \"output\",\n alias: \"o\",\n type: String,\n defaultValue: \"my_certificate.pem\",\n description: \"the name of the generated certificate\"\n },\n { name: \"validity\", alias: \"v\", type: Number, defaultValue: 365, description: \"the certificate validity in days\" }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help \|\| !local_argv.csr \|\| !local_argv.output)\n return showHelp(\"sign\", \"validate a certificate signing request and generate a certificate\", optionsDef);\n\n await wrap(async () => {\n await readConfiguration(local_argv as unknown as IReadConfigurationOpts);\n if (!fs.existsSync(gLocalConfig.CAFolder \|\| \"\")) {\n throw new Error(`CA folder must exist:${gLocalConfig.CAFolder}`);\n }\n await construct_CertificateAuthority(\"\");\n const csr_file: string = path.resolve((local_argv as unknown as { csr?: string }).csr \|\| \"\");\n if (!fs.existsSync(csr_file)) {\n throw new Error(`Certificate signing request doesn't exist: ${csr_file}`);\n }\n const certificate = path.resolve(local_argv.output \|\| csr_file.replace(\".csr\", \".pem\"));\n if (fs.existsSync(certificate)) {\n throw new Error(` File ${certificate} already exist`);\n }\n\n await g_certificateAuthority.signCertificateRequest(\n certificate,\n csr_file,\n gLocalConfig as Parameters<typeof g_certificateAuthority.signCertificateRequest>[2]\n );\n\n assert(typeof gLocalConfig.outputFile === \"string\");\n fs.writeFileSync(gLocalConfig.outputFile \|\| \"\", fs.readFileSync(certificate, \"ascii\"));\n });\n return;\n }\n\n if (command === \"dump\") {\n const optionsDef = [\n { name: \"certificateFile\", type: String, defaultOption: true },\n { name: \"help\", alias: \"h\", type: Boolean }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help \|\| !local_argv.certificateFile)\n return showHelp(\"dump <certificateFile>\", \"display a certificate\", optionsDef);\n\n await wrap(async () => {\n const data = await dumpCertificate(local_argv.certificateFile);\n warningLog(data);\n });\n return;\n }\n\n if (command === \"toder\") {\n const optionsDef = [\n { name: \"pemCertificate\", type: String, defaultOption: true },\n { name: \"help\", alias: \"h\", type: Boolean }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help \|\| !local_argv.pemCertificate)\n return showHelp(\"toder <pemCertificate>\", \"convert a certificate to a DER format with finger print\", optionsDef);\n\n await wrap(async () => {\n await toDer(local_argv.pemCertificate);\n });\n return;\n }\n\n if (command === \"fingerprint\") {\n const optionsDef = [\n { name: \"certificateFile\", type: String, defaultOption: true },\n { name: \"help\", alias: \"h\", type: Boolean }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help \|\| !local_argv.certificateFile)\n return showHelp(\"fingerprint <certificateFile>\", \"print the certificate fingerprint\", optionsDef);\n\n await wrap(async () => {\n const certificate = local_argv.certificateFile;\n const data = await fingerprint(certificate);\n if (!data) return;\n const s = data.split(\"=\")[1].split(\":\").join(\"\").trim();\n warningLog(s);\n });\n return;\n }\n\n console.log(`Unknown command: ${command}`);\n}\n","#!/usr/bin/env node\nimport { main as pki_main } from \"../lib/ca/crypto_create_CA\";\n\npki_main(process.argv.splice(2));\n"],"mappings":";;;;;;;;;;AAsBA,OAAO,YAAY;AACnB,SAAS,kBAAkB;AAEpB,SAAS,mBAAmB,UAAkB,QAAwB;AAKzE,MAAI,eAAe;AACnB,MAAI,aAAa,SAAS,IAAI,OAAO,UAAU,IAAI;AAG/C,mBAAe,WAAW,KAAK,EAAE,OAAO,QAAQ,EAAE,OAAO,KAAK,EAAE,UAAU,GAAG,EAAE;AAAA,EACnF;AAEA,QAAM,iBAAiB,OAAO,YAAY,IAAI,MAAM;AACpD,SAAO,eAAe,UAAU,EAAE;AAClC,SAAO;AACX;AAxCA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACGA,OAAO,SAAS;AAChB,OAAO,QAAQ;AACf,SAAS,iBAAiB;AAE1B,SAAS,KAAK,KAAa,QAAyB;AAChD,MAAI,CAAC,QAAQ;AACT,WAAO;AAAA,EACX;AACA,SAAO,IAAI,UAAU,GAAG,KAAK,IAAI,IAAI,QAAQ,MAAM,CAAC;AACxD;AAEA,SAAS,KAAK,UAAsD;AAChE,QAAM,OAAO,GAAG,SAAS;AAEzB,MAAI,OAAO,MAAM,EAAE,OAAO,IAAI,WAAW,GAAG,CAAC,MAAoB,OAAe;AAC5E,QAAI,MAAM;AACN,aAAO,SAAS,IAAI;AAAA,IACxB;AAEA,QAAI,cAAc,IAAI,GAAG,CAAC,MAAoB,UAAkB;AAC5D,UAAI,MAAM;AACN,eAAO,SAAS,IAAI;AAAA,MACxB;AACA,cAAQ,MAAM,QAAQ,gBAAgB,EAAE;AACxC,eAAS,MAAM,KAAK;AAAA,IACxB,CAAC;AAAA,EACL,CAAC;AACL;AAOA,eAAsB,kCAAmD;AACrE,MAAI,kCAAkC;AAClC,WAAO;AAAA,EACX;AACA,MAAI,QAAQ,aAAa,SAAS;AAE9B,UAAM,MAAM,QAAQ;AACpB,uCACI,IAAI,gBAAgB,IAAI,iBAAiB,IAAI,eAAe,SAAS,IAAI,IAAI,IAAI,aAAuB,KAAK;AAAA,EACrH,OAAO;AACH,QAAI;AACA,yCAAmC,MAAM,UAAU,IAAI,EAAE;AACzD,UAAI,qCAAqC,aAAa;AAClD,cAAM,IAAI,MAAM,wBAAwB;AAAA,MAC5C;AACA,UAAI,cAAc,KAAK,gCAA0C,GAAG;AAChE,cAAM,IAAI,MAAM,gCAAgC;AAAA,MACpD;AAAA,IACJ,SAAS,MAAM;AAEX,yCAAmC,GAAG,SAAS;AAAA,IACnD;AAAA,EACJ;AACA,SAAO;AACX;AAEA,eAAsB,cAAc;AAChC,qCAAmC,MAAM,gCAAgC;AAC7E;AAEO,SAAS,4BAA4B,qBAA8B;AACtE,MAAI,CAAC,kCAAkC;AACnC,UAAM,IAAI,MAAM,2DAA2D;AAAA,EAC/E;AACA,SAAO,mCAAmC,KAAK,kCAAkC,mBAAmB,IAAI;AAC5G;AAxEA,IAgCI;AAhCJ;AAAA;AAAA;AAAA;AAwFA,gBAAY;AAAA;AAAA;;;ACxFZ,IAsBa;AAtBb;AAAA;AAAA;AAAA;AAsBO,IAAM,WAAW;AAAA,MACpB,gBAAgB;AAAA,MAChB,QAAQ,QAAQ,IAAI,UAAU,CAAC,QAAQ,IAAI,UAAU;AAAA,MACrD,OAAO;AAAA,IACX;AAAA;AAAA;;;ACAO,SAAS,YAAY,MAAiB;AAEzC,MAAI,cAAc;AACd,YAAQ,IAAI,MAAM,MAAM,IAAI;AAAA,EAChC;AACJ;AACO,SAAS,cAAc,MAAiB;AAC3C,UAAQ,IAAI,MAAM,MAAM,IAAI;AAChC;AAlCA,IAsBa,SACA,cACA;AAxBb;AAAA;AAAA;AAAA;AAsBO,IAAM,UAAU,QAAQ,IAAI,qBAAqB;AACjD,IAAM,eAAe;AACrB,IAAM,eAAe,CAAC,CAAC,QAAQ,IAAI,qBAAqB;AAAA;AAAA;;;ACD/D,OAAOA,aAAY;AACnB,OAAO,QAAQ;AACf,OAAO,UAAU;AAEjB,OAAO,WAAW;AAMX,SAAS,qBAAqB,iBAAkC;AAEnE,MAAI,GAAG,WAAW,eAAe,KAAK,CAAC,SAAS,OAAO;AACnD;AAAA,MACI,MAAM,OAAO,sBAAsB,IAAI,MAAM,KAAK,eAAe,IAAI,MAAM,OAAO,qCAAqC;AAAA,IAC3H;AACA,WAAO;AAAA,EACX;AACA,SAAO;AACX;AAEO,SAAS,mBAAmB,QAAsB;AACrD,MAAI,CAAC,GAAG,WAAW,MAAM,GAAG;AAExB,aAAS,MAAM,MAAM,mBAAmB,GAAG,MAAM;AACjD,OAAG,UAAU,QAAQ,EAAE,WAAW,KAAK,CAAC;AAAA,EAC5C;AACJ;AAEO,SAAS,SAAS,YAAoB,UAA2B;AACpE,MAAI;AACJ,MAAI,UAAU;AACV,QAAI,KAAK,KAAK,KAAK,UAAU,UAAU,GAAG,QAAQ;AAAA,EACtD,OAAO;AACH,IAAAA,QAAO,UAAU;AACjB,QAAI;AAAA,EACR;AACA,MAAI,EAAE,QAAQ,OAAO,GAAG;AACxB,SAAO;AACX;AA9DA;AAAA;AAAA;AAAA;AA6BA;AAEA;AAAA;AAAA;;;ACTA,OAAOC,YAAW;AAKX,SAAS,eAAe,KAAa;AACxC,QAAM,IAAI;AACV,aAAW,GAAGA,OAAM,QAAQ,CAAC,CAAC,GAAG;AACjC,QAAM,WAAW,GAAG,GAAG,CAAC,GAAG,UAAU,GAAG,EAAE,MAAM;AAChD,aAAWA,OAAM,QAAQ,KAAK,GAAG,CAAC;AAClC,aAAW,GAAGA,OAAM,QAAQ,CAAC,CAAC,GAAG;AACrC;AAEO,SAAS,aAAa,KAAa;AAEtC,MAAI,CAAC,SAAS,QAAQ;AAClB,eAAW,EAAE;AACb,eAAWA,OAAM,aAAa,GAAG,CAAC;AAClC,eAAWA,OAAM,OAAO,IAAI,MAAM,IAAI,SAAS,CAAC,EAAE,KAAK,GAAG,CAAC,GAAG,IAAI;AAAA,EACtE;AACJ;AAEO,SAAS,gBAAgB,KAAa;AAEzC,MAAI,CAAC,SAAS,QAAQ;AAClB,eAAW,EAAE;AACb,eAAW,OAAOA,OAAM,aAAa,GAAG,CAAC,EAAE;AAC3C,eAAW,OAAOA,OAAM,MAAM,IAAI,MAAM,IAAI,SAAS,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,IAAI,IAAI;AAAA,EAC9E;AACJ;AACO,SAAS,QAAQ,KAAa;AAEjC,MAAI,CAAC,SAAS,QAAQ;AAClB,eAAW,UAAU,GAAG,EAAE;AAAA,EAC9B;AACJ;AAzDA;AAAA;AAAA;AAAA;AAuBA;AACA;AAAA;AAAA;;;ACHA,OAAOC,aAAY;AACnB,OAAOC,SAAQ;AACf,SAAS,iCAAiC,iBAAiB,eAAe;AAO1E,eAAsB,qCAClB,mCACA,QACa;AACb,EAAAD,QAAO,MAAM;AACb,EAAAA,QAAO,OAAO,OAAO;AACrB,EAAAA,QAAO,OAAO,UAAU;AACxB,EAAAA,QAAO,OAAO,UAAU;AACxB,EAAAA,QAAO,OAAO,OAAO,eAAe,QAAQ;AAC5C,EAAAA,QAAOC,IAAG,WAAW,OAAO,UAAU,GAAG,yBAAyB,OAAO,UAAU,EAAE;AAGrF,EAAAD,QAAOC,IAAG,WAAW,OAAO,OAAO,GAAG,wBAAwB;AAC9D,EAAAD,QAAO,OAAO,sCAAsC,QAAQ;AAE5D,QAAM,UAAU,OAAO,UAAU,IAAI,QAAQ,OAAO,OAAO,EAAE,SAAS,IAAI;AAC1E,kBAAgB,uDAAuD;AAEvE,QAAM,gBAAgB,MAAMC,IAAG,SAAS,SAAS,OAAO,YAAY,OAAO;AAC3E,QAAM,aAAa,MAAM,gBAAgB,aAAa;AAEtD,QAAM,EAAE,IAAI,IAAI,MAAM,gCAAgC;AAAA,IAClD;AAAA,IACA,KAAK,OAAO;AAAA,IACZ,IAAI,OAAO;AAAA,IACX;AAAA,IACA,gBAAgB,OAAO;AAAA,IACvB,SAAS,OAAO;AAAA,EACpB,CAAC;AACD,QAAMA,IAAG,SAAS,UAAU,mCAAmC,KAAK,OAAO;AAE3E,UAAQ,gBAAgB,OAAO,UAAU,EAAE;AAC3C,UAAQ,uCAAuC,iCAAiC,EAAE;AAItF;AAlEA;AAAA;AAAA;AAAA;AAyBA;AAAA;AAAA;;;ACHA,OAAOC,aAAY;AAmBZ,SAAS,MAAM,KAAsB;AACxC,SAAO,IAAI,OAAO,EAAE;AACxB;AA+FO,SAAS,WAAW,QAA+B;AACtD,EAAAA,QAAO,kBAAkB,MAAM;AAC/B,SAAO,YAAY,OAAO,aAAa,oBAAI,KAAK;AAChD,EAAAA,QAAO,OAAO,qBAAqB,IAAI;AAEvC,SAAO,WAAW,OAAO,YAAY;AAErC,SAAO,UAAU,IAAI,KAAK,OAAO,UAAU,QAAQ,CAAC;AACpD,SAAO,QAAQ,QAAQ,OAAO,UAAU,QAAQ,IAAI,OAAO,QAAQ;AAKnE,EAAAA,QAAO,OAAO,mBAAmB,IAAI;AACrC,EAAAA,QAAO,OAAO,qBAAqB,IAAI;AAO3C;AAEO,SAAS,qBAAqB,QAAgB;AACjD,QAAM,iBAAiB,OAAO,kBAAkB;AAChD,MAAI,eAAe,SAAS,KAAK;AAC7B,UAAM,IAAI,MAAM,2DAA2D,cAAc,EAAE;AAAA,EAC/F;AACJ;AAtKA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACqBA,OAAOC,aAAY;AACnB,OAAOC,SAAQ;AAEf;AAAA,EACI;AAAA,EACA,+BAA+B;AAAA,EAC/B,mBAAAC;AAAA,EACA,WAAAC;AAAA,OACG;AAIP,eAAsB,iCAClB,aACA,QACa;AACb,SAAO,UAAU,OAAO,WAAW,mBAAmB;AACtD,EAAAH,QAAO,OAAO,SAAS,sCAAsC;AAM7D,EAAAA,QAAOC,IAAG,WAAW,OAAO,UAAU,CAAC;AACvC,EAAAD,QAAOC,IAAG,WAAW,OAAO,OAAO,CAAC;AACpC,EAAAD,QAAOC,IAAG,WAAW,OAAO,UAAU,CAAC;AACvC,MAAI,CAAC,OAAO,SAAS;AACjB,UAAM,MAAM,iBAAiB;AAAA,EACjC;AAEA,EAAAD,QAAO,OAAO,OAAO,mBAAmB,QAAQ;AAChD,EAAAA,QAAO,MAAM,QAAQ,OAAO,GAAG,CAAC;AAKhC,aAAW,MAAM;AACjB,EAAAA,QAAO,OAAO,UAAU,eAAe,KAAK,QAAQ,UAAU,CAAC;AAE/D,MAAI,UAA4B,IAAIG,SAAQ,OAAO,OAAO;AAC1D,YAAU,QAAQ,SAAS;AAG3B,QAAM,UAAU,OAAO;AAEvB,eAAa,gCAAgC;AAE7C,QAAM,gBAAgB,MAAMF,IAAG,SAAS,SAAS,OAAO,YAAY,OAAO;AAC3E,QAAM,aAAa,MAAMC,iBAAgB,aAAa;AAEtD,QAAM,EAAE,KAAK,IAAI,MAAM,6BAA6B;AAAA,IAChD;AAAA,IACA,WAAW,OAAO;AAAA,IAClB,UAAU,OAAO;AAAA,IACjB,UAAU,OAAO;AAAA,IACjB,KAAK,OAAO;AAAA,IACZ,IAAI,OAAO;AAAA,IACX;AAAA,IACA,gBAAgB,OAAO;AAAA,IACvB;AAAA,EACJ,CAAC;AACD,QAAMD,IAAG,SAAS,UAAU,aAAa,MAAM,OAAO;AAC1D;AAEA,eAAsB,4BAClB,aACA,QACa;AACb,QAAM,iCAAiC,aAAa,MAAM;AAC9D;AA1FA;AAAA;AAAA;AAAA;AA8BA;AACA;AAAA;AAAA;;;AC/BA;AAAA;AAAA;AAAA;AAuBA;AACA;AAAA;AAAA;;;ACxBA,IAAM,QA0EC;AA1EP;AAAA;AAAA;AAAA;AAAA,IAAM,SACF;AAyEJ,IAAO,qCAAQ;AAAA;AAAA;;;ACjEf,SAAS,oBAAoB;AAC7B,OAAOG,SAAQ;AACf,OAAOC,WAAU;AACjB,SAAS,gBAAgB;AACzB,OAAOC,YAAW;AAClB,OAAO,cAAuD;AAC9D;AAAA,EAMI;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACG;AAkCP,SAAS,iBAAiB,OAAoC;AAC1D,MAAI,CAAC,MAAM,MAAM;AACb,UAAM,OAAO,yBAAyB,MAAM,WAAW;AAAA,EAC3D;AACA,SAAO,MAAM;AACjB;AAiBA,SAAS,yBAAyB,aAAgD;AAC9E,QAAM,MAAM,mBAAmB,WAAW,EAAE,SAAS,KAAK;AAC1D,QAAM,SAAS,cAAc,IAAI,GAAG;AACpC,MAAI,QAAQ;AAER,kBAAc,OAAO,GAAG;AACxB,kBAAc,IAAI,KAAK,MAAM;AAC7B,WAAO;AAAA,EACX;AACA,QAAM,OAAO,mBAAmB,WAAW;AAC3C,gBAAc,IAAI,KAAK,IAAI;AAC3B,MAAI,cAAc,OAAO,mBAAmB;AAExC,UAAM,SAAS,cAAc,KAAK,EAAE,KAAK,EAAE;AAC3C,QAAI,OAAQ,eAAc,OAAO,MAAM;AAAA,EAC3C;AACA,SAAO;AACX;AAyKA,SAAS,gBAAgB,aAA8D;AAInF,QAAM,QAAQ,UAAU,WAAW;AACnC,SAAO,mBAAmB,MAAM,CAAC,CAAC,EAAE,SAAS,KAAK;AACtD;AACA,SAAS,MAAM,iBAAyB;AACpC,SAAO,gBAAgB,UAAU,GAAG,EAAE;AAC1C;AAGA,SAAS,0BAA0B,aAAkC;AACjE,QAAMC,eAAc,gBAAgB,WAAW;AAC/C,MAAI;AACA,UAAM,aAAa,yBAAyB,WAAW,EAAE,eAAe,QAAQ,cAAc;AAI9F,UAAM,sBAAsB,WAAW,QAAQ,gBAAgB,GAAG;AAClE,WAAO,GAAG,mBAAmB,IAAIA,YAAW;AAAA,EAChD,SAAS,MAAM;AAEX,WAAO,wBAAwBA,YAAW;AAAA,EAC9C;AACJ;AACA,SAAS,sBAAsB,SAAkB,iBAAkC;AAC/E,SAAO,QAAQ,OAAO,CAAC,UAAU;AAC7B,UAAM,OAAO,iBAAiB,KAAK;AACnC,WAAO,KAAK,eAAe,cAAc,KAAK,eAAe,WAAW,yBAAyB;AAAA,EACrG,CAAC;AACL;AAEA,SAAS,cAAc,MAAqC;AACxD,SACI,KAAK,eAAe,YAAY,yBAChC,KAAK,eAAe,YAAY,wBAAwB;AAEhE;AAEA,SAAS,cAAc,aAA8B;AACjD,QAAM,OAAO,yBAAyB,WAAW;AACjD,SAAO,cAAc,IAAI;AAC7B;AAUO,SAAS,6BAA6B,aAA0B,OAA0C;AAC7G,MAAI,CAAC,aAAa;AACd,WAAO;AAAA,EACX;AACA,QAAM,WAAW,yBAAyB,WAAW;AAGrD,MAAI,cAAc,QAAQ,GAAG;AAEzB,WAAO;AAAA,EACX;AACA,QAAM,kBAAkB,SAAS,eAAe,YAAY,wBAAwB;AAGpF,MAAI,CAAC,iBAAiB;AAElB,aAAS,gCAAgC;AACzC,WAAO;AAAA,EACX;AACA,QAAM,mBAAmB,MAAM,OAAO,CAAC,MAAM;AACzC,UAAM,OAAO,yBAAyB,CAAC;AACvC,WAAO,KAAK,eAAe,cAAc,KAAK,eAAe,WAAW,yBAAyB;AAAA,EACrG,CAAC;AAED,MAAI,iBAAiB,WAAW,GAAG;AAC/B,WAAO,iBAAiB,CAAC;AAAA,EAC7B;AACA,MAAI,iBAAiB,SAAS,GAAG;AAC7B,aAAS,sFAAsF;AAC/F,WAAO,iBAAiB,CAAC;AAAA,EAC7B;AACA,SAAO;AACX;AAxWA,IAwDM,iCACA,aA6BA,mBACA,eAuMA,gBAmIO;AAjab;AAAA;AAAA;AAAA;AA4CA;AACA;AACA;AAEA;AAQA,IAAM,kCAA0C;AAChD,IAAM,cAAcH,IAAG,SAAS;AA6BhC,IAAM,oBAAoB;AAC1B,IAAM,gBAAgB,oBAAI,IAAkC;AAuM5D,IAAM,iBAAiB;AAmIhB,IAAM,qBAAN,MAAM,4BAA2B,aAAa;AAAA;AAAA;AAAA;AAAA;AAAA,MAKjD,OAAO,mBAAmB,oBAAI,IAAwB;AAAA,MACtD,OAAO,oBAAoB;AAAA,MAE3B,OAAO,yBAA+B;AAClC,YAAI,oBAAmB,kBAAmB;AAC1C,4BAAmB,oBAAoB;AAEvC,cAAM,wBAAwB,MAAM;AAChC,qBAAW,MAAM,oBAAmB,kBAAkB;AAClD,uBAAW,KAAK,GAAG,WAAW;AAC1B,kBAAI;AACA,kBAAE,MAAM;AAAA,cACZ,QAAQ;AAAA,cAER;AAAA,YACJ;AACA,eAAG,UAAU,OAAO,CAAC;AACrB,eAAG,QAAQ;AAAA,UACf;AACA,8BAAmB,iBAAiB,MAAM;AAAA,QAC9C;AAKA,gBAAQ,GAAG,cAAc,qBAAqB;AAI9C,mBAAW,UAAU,CAAC,UAAU,SAAS,GAAY;AACjD,kBAAQ,KAAK,QAAQ,MAAM;AACvB,kCAAsB;AACtB,oBAAQ,KAAK;AAAA,UACjB,CAAC;AAAA,QACL;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,aAAoB,aAA4B;AAC5C,cAAM,YAAY,CAAC,GAAG,oBAAmB,gBAAgB;AACzD,cAAM,QAAQ,IAAI,UAAU,IAAI,CAAC,OAAO,oBAAmB,UAAU,QAAQ,KAAK,EAAE,CAAC,CAAC;AAAA,MAC1F;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAiBA,OAAc,mBAAyB;AACnC,YAAI,oBAAmB,iBAAiB,SAAS,EAAG;AACpD,cAAM,YAAY,CAAC,GAAG,oBAAmB,gBAAgB,EAAE,IAAI,CAAC,OAAO,GAAG,OAAO;AACjF,cAAM,IAAI;AAAA,UACN,GAAG,oBAAmB,iBAAiB,IAAI;AAAA,MAAsD,UAAU,KAAK,QAAQ,CAAC;AAAA,QAC7H;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQO,4BAA4B;AAAA;AAAA,MAE5B,QAAiC;AAAA;AAAA,MAEjC,wBAAwB;AAAA;AAAA,MAG/B,IAAW,wBAAgC;AACvC,eAAO,KAAK;AAAA,MAChB;AAAA,MACA,IAAW,sBAAsB,OAAe;AAC5C,aAAK,wBAAwB;AAAA,MACjC;AAAA;AAAA,MAGgB;AAAA,MACP;AAAA,MACA,YAA4B,CAAC;AAAA,MAC7B,iBAAkC,oBAAI,IAAI;AAAA,MACnD,0BAA0B;AAAA,MACjB,kBAAkB,oBAAI,IAAoB;AAAA,MACnD;AAAA,MAES,UAAkB;AAAA,QACvB,UAAU,oBAAI,IAAI;AAAA,QAClB,SAAS,oBAAI,IAAI;AAAA,QACjB,SAAS;AAAA,UACL,OAAO,oBAAI,IAAI;AAAA,QACnB;AAAA,QACA,KAAK,oBAAI,IAAI;AAAA,QACb,YAAY,oBAAI,IAAI;AAAA,MACxB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAWA,YAAY,SAAoC;AAC5C,cAAM;AACN,gBAAQ,UAAU,QAAQ,WAAW;AACrC,YAAI,CAAC,QAAQ,UAAU;AACnB,gBAAM,IAAI,MAAM,+CAA+C;AAAA,QACnE;AAEA,aAAK,YAAY,SAAS,QAAQ,UAAU,EAAE;AAC9C,aAAK,UAAU,QAAQ;AAEvB,2BAAmB,QAAQ,QAAQ;AAEnC,YAAI,CAACA,IAAG,WAAW,KAAK,SAAS,GAAG;AAChC,gBAAM,IAAI,MAAM,6CAA6C,KAAK,SAAS,EAAE;AAAA,QACjF;AAAA,MACJ;AAAA;AAAA,MAGA,IAAI,aAAa;AACb,eAAOC,MAAK,KAAK,KAAK,SAAS,iBAAiB;AAAA,MACpD;AAAA;AAAA,MAGA,IAAI,UAAU;AACV,eAAO,KAAK;AAAA,MAChB;AAAA;AAAA,MAGA,IAAI,aAAa;AACb,eAAOA,MAAK,KAAK,KAAK,SAAS,6BAA6B;AAAA,MAChE;AAAA;AAAA,MAGA,IAAI,aAAa;AACb,eAAOA,MAAK,KAAK,KAAK,SAAS,cAAc;AAAA,MACjD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,kBAAkB,aAAyC;AACpE,cAAM,KAAK,iBAAiB,aAAa,UAAU;AAAA,MACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,iBAAiB,aAAyC;AACnE,cAAM,KAAK,iBAAiB,aAAa,SAAS;AAAA,MACtD;AAAA;AAAA,MAGA,IAAW,iBAAyB;AAChC,eAAOA,MAAK,KAAK,KAAK,SAAS,UAAU;AAAA,MAC7C;AAAA;AAAA,MAEA,IAAW,gBAAwB;AAC/B,eAAOA,MAAK,KAAK,KAAK,SAAS,eAAe;AAAA,MAClD;AAAA;AAAA,MAEA,IAAW,YAAoB;AAC3B,eAAOA,MAAK,KAAK,KAAK,SAAS,aAAa;AAAA,MAChD;AAAA;AAAA,MAEA,IAAW,oBAA4B;AACnC,eAAOA,MAAK,KAAK,KAAK,SAAS,eAAe;AAAA,MAClD;AAAA;AAAA,MAEA,IAAW,mBAA2B;AAClC,eAAOA,MAAK,KAAK,KAAK,SAAS,aAAa;AAAA,MAChD;AAAA;AAAA,MAEA,IAAW,gBAAwB;AAC/B,eAAOA,MAAK,KAAK,KAAK,SAAS,WAAW;AAAA,MAC9C;AAAA,MACA,IAAW,mBAA2B;AAClC,eAAOA,MAAK,KAAK,KAAK,SAAS,aAAa;AAAA,MAChD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAUA,MAAa,qBAAqB,aAA2C;AACzE,cAAME,eAAc,gBAAgB,WAAW;AAE/C,YAAI,KAAK,QAAQ,QAAQ,IAAIA,YAAW,GAAG;AACvC,iBAAO;AAAA,QACX;AAEA,YAAI,CAAC,KAAK,QAAQ,SAAS,IAAIA,YAAW,GAAG;AACzC,cAAI,CAAC,KAAK,2BAA2B;AACjC,mBAAO;AAAA,UACX;AAEA,cAAI;AACA,mCAAuB,WAAW;AAAA,UACtC,SAAS,MAAM;AACX,mBAAO;AAAA,UACX;AACA,gBAAM,WAAWF,MAAK,KAAK,KAAK,gBAAgB,GAAG,0BAA0B,WAAW,CAAC,MAAM;AAC/F,mBAAS,2EAA2E,QAAQ;AAC5F,gBAAM,YAAY,UAAU,MAAM,aAAa,aAAa,CAAC;AAC7D,eAAK,QAAQ,SAAS,IAAIE,cAAa,EAAE,aAAa,SAAS,CAAC;AAAA,QACpE;AACA,eAAO;AAAA,MACX;AAAA,MACA,MAAM,6BACF,aACA,WACA,OACA,SAC2B;AAC3B,YAAI,SAAS,GAAG;AAEZ,iBAAO;AAAA,QACX;AACA,cAAM,QAAQ,UAAU,WAAW;AACnC,iBAAS,8BAA8B,MAAM,MAAM;AACnD,cAAM,OAAO,yBAAyB,MAAM,CAAC,CAAC;AAE9C,YAAI,iBAAiB;AACrB,YAAI,mBAAmB;AAEvB,cAAM,eAAe,KAAK,eAAe,YAAY,wBAAwB;AAC7E,iBAAS,gCAAgC,YAAY;AAErD,YAAI,cAAc;AACd,gBAAM,eAAe,cAAc,IAAI;AAEvC,mBAAS,qCAAqC,YAAY;AAC1D,cAAI,CAAC,cAAc;AACf;AAAA,cACI;AAAA,cACA;AAAA,cACA,KAAK,eAAe,YAAY;AAAA,cAChC;AAAA,cACA,KAAK,eAAe,YAAY,wBAAwB;AAAA,YAC5D;AACA,gBAAI,oBAAoB,MAAM,KAAK,sBAAsB,MAAM,CAAC,CAAC;AACjE,gBAAI,CAAC,mBAAmB;AAGpB,kCAAoB,6BAA6B,MAAM,CAAC,GAAG,KAAK;AAChE,kBAAI,CAAC,mBAAmB;AACpB;AAAA,kBACI;AAAA,gBACJ;AACA,uBAAO;AAAA,cACX;AACA,uBAAS,sFAAsF;AAAA,YACnG,OAAO;AACH,uBAAS,oEAAoE;AAAA,YACjF;AACA,kBAAM,eAAe,MAAM,KAAK,6BAA6B,mBAAmB,MAAM,QAAQ,GAAG,OAAO;AACxG,gBAAI,iBAAiB,yEAAoD;AAErE,qBAAO;AAAA,YACX;AACA,gBAAI,iBAAiB,qFAA0D;AAE3E,qBAAO;AAAA,YACX;AACA,gBAAI,iBAAiB,6DAA8C;AAC/D,kBAAI,CAAC,WAAW,CAAC,QAAQ,iCAAiC;AAEtD,uBAAO;AAAA,cACX;AAAA,YACJ;AACA,gBAAI,iBAAiB,yDAA4C;AAC7D,uBAAS,2BAA2B,aAAa,SAAS,GAAG,uCAAuC;AAAA,YAExG;AAEA,gBAAI,iBAAiB,qBAA2B,iBAAiB,yDAA4C;AAEzG,qBAAO;AAAA,YACX;AAEA,kBAAM,2BAA2B,2BAA2B,aAAa,iBAAiB;AAC1F,gBAAI,CAAC,0BAA0B;AAC3B,uBAAS,0EAA0E;AACnF,qBAAO;AAAA,YACX;AACA,6BAAiB;AAGjB,gBAAI,gBAAgB,MAAM,KAAK,qBAAqB,WAAW;AAC/D,gBAAI,kBAAkB,yEAAoD;AACtE,kBAAI,SAAS,6BAA6B;AAEtC,gCAAgB;AAAA,cACpB;AAAA,YACJ;AACA,gBAAI,kBAAkB,mBAAyB;AAE3C,uBAAS,iBAAiB,aAAa;AACvC,qBAAO;AAAA,YACX;AAGA,kBAAM,sBAAsB,MAAM,KAAK,wBAAwB,iBAAiB;AAChF,qBAAS,uBAAuB,mBAAmB;AAEnD,gBAAI,wBAAwB,WAAW;AACnC,iCAAmB;AAAA,YACvB,WAAW,wBAAwB,WAAW;AAC1C,iCAAmB;AAAA,YACvB,WAAW,wBAAwB,YAAY;AAE3C,qBAAO;AAAA,YACX;AAAA,UACJ,OAAO;AAEH,kBAAM,2BAA2B,2BAA2B,aAAa,WAAW;AACpF,gBAAI,CAAC,0BAA0B;AAC3B,uBAAS,gDAAgD;AACzD,qBAAO;AAAA,YACX;AACA,kBAAM,gBAAgB,MAAM,KAAK,qBAAqB,WAAW;AACjE,qBAAS,6CAA6C,aAAa;AAAA,UACvE;AAAA,QACJ;AAEA,cAAM,SAAS,MAAM,KAAK,wBAAwB,WAAW;AAC7D,YAAI,WAAW,YAAY;AACvB,cAAI,EAAE,QAAQ,yCAAyC,kBAAkB,mBAAmB;AACxF,mBAAO;AAAA,UACX;AAAA,QACJ;AACA,cAAM,MAAM,MAAM,CAAC,IAAI,uBAAuB,MAAM,CAAC,CAAC,IAAI;AAC1D,iBAAS,kBAAkB,GAAG;AAI9B,cAAM,kBAAkB,uBAAuB,WAAW;AAC1D,cAAM,MAAM,oBAAI,KAAK;AAErB,YAAI,gBAAgB;AAEpB,YAAI,gBAAgB,UAAU,QAAQ,IAAI,IAAI,QAAQ,GAAG;AAErD;AAAA,YACI,GAAGD,OAAM,IAAI,0DAA0D,CAAC,qBAAqB,gBAAgB,SAAS;AAAA,UAC1H;AACA,cAAI,CAAC,QAAQ,0BAA0B;AACnC,4BAAgB;AAAA,UACpB;AAAA,QACJ;AAGA,YAAI,gBAAgB,SAAS,QAAQ,KAAK,IAAI,QAAQ,GAAG;AAErD;AAAA,YACI,GAAGA,OAAM,IAAI,oDAAoD,CAAC,oBAAoB,gBAAgB,QAAQ;AAAA,UAClH;AACA,cAAI,CAAC,QAAQ,2BAA2B;AACpC,4BAAgB;AAAA,UACpB;AAAA,QACJ;AACA,YAAI,WAAW,WAAW;AACtB,iBAAO,gBAAgB,8DAA+C;AAAA,QAC1E;AAEA,YAAI,cAAc;AACd,cAAI,CAAC,kBAAkB;AACnB,mBAAO;AAAA,UACX;AACA,cAAI,CAAC,gBAAgB;AACjB,mBAAO;AAAA,UACX;AACA,cAAI,CAAC,QAAQ,uCAAuC;AAEhD,mBAAO;AAAA,UACX;AACA,iBAAO,gBAAgB,8DAA+C;AAAA,QAC1E,OAAO;AACH,iBAAO;AAAA,QACX;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAcA,MAAgB,uBACZ,aACA,SAC2B;AAC3B,cAAM,UAAU,MAAM,KAAK,6BAA6B,aAAa,OAAO,GAAG,OAAO;AACtF,eAAO;AAAA,MACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYA,MAAa,kBAAkB,aAA0B,SAAiE;AAEtH,YAAI,CAAC,aAAa;AAEd,iBAAO;AAAA,QACX;AACA,YAAI;AACA,gBAAM,SAAS,MAAM,KAAK,uBAAuB,aAAa,WAAW,CAAC,CAAC;AAC3E,iBAAO;AAAA,QACX,SAAS,OAAO;AACZ,qBAAW,4BAA6B,MAAgB,OAAO,EAAE;AACjE,iBAAO;AAAA,QACX;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,MAAa,aAA4B;AACrC,YAAI,KAAK,UAAU,uBAAuC;AACtD;AAAA,QACJ;AACA,aAAK,QAAQ;AACb,aAAK,uBAAuB,KAAK,YAAY;AAC7C,cAAM,KAAK;AACX,aAAK,uBAAuB;AAC5B,aAAK,QAAQ;AAGb,4BAAmB,iBAAiB,IAAI,IAAI;AAC5C,4BAAmB,uBAAuB;AAAA,MAC9C;AAAA,MACA,MAAM,cAA6B;AAC/B,aAAK,QAAQ;AACb,cAAM,SAAS,KAAK;AACpB,2BAAmB,MAAM;AACzB,2BAAmBD,MAAK,KAAK,QAAQ,KAAK,CAAC;AAC3C,2BAAmBA,MAAK,KAAK,QAAQ,WAAW,CAAC;AACjD,2BAAmBA,MAAK,KAAK,QAAQ,aAAa,CAAC;AACnD,2BAAmBA,MAAK,KAAK,QAAQ,UAAU,CAAC;AAChD,2BAAmBA,MAAK,KAAK,QAAQ,SAAS,CAAC;AAC/C,2BAAmBA,MAAK,KAAK,QAAQ,eAAe,CAAC;AACrD,2BAAmBA,MAAK,KAAK,QAAQ,aAAa,CAAC;AAEnD,2BAAmBA,MAAK,KAAK,QAAQ,SAAS,CAAC;AAC/C,2BAAmBA,MAAK,KAAK,QAAQ,eAAe,CAAC;AACrD,2BAAmBA,MAAK,KAAK,QAAQ,aAAa,CAAC;AAEnD,YAAI,CAACD,IAAG,WAAW,KAAK,UAAU,KAAK,CAACA,IAAG,WAAW,KAAK,UAAU,GAAG;AACpE,iBAAO,MAAM,KAAK,UAAU,YAAY;AACpC,gBAAI,KAAK,UAAU,qBAAqC,KAAK,UAAU,kBAAkC;AACrG;AAAA,YACJ;AAEA,gBAAI,CAACA,IAAG,WAAW,KAAK,UAAU,GAAG;AACjC,cAAAA,IAAG,cAAc,KAAK,YAAY,+BAA+B;AAAA,YACrE;AASA,gBAAI,CAACA,IAAG,WAAW,KAAK,UAAU,GAAG;AACjC,uBAAS,4BAA4B;AAErC,oBAAM,uBAAuB,KAAK,YAAY,KAAK,OAAO;AAC1D,oBAAM,KAAK,kBAAkB;AAAA,YACjC,OAAO;AAEH,oBAAM,KAAK,kBAAkB;AAAA,YACjC;AAAA,UACJ,CAAC;AAAA,QACL,OAAO;AACH,gBAAM,KAAK,kBAAkB;AAAA,QACjC;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,UAAyB;AAClC,YAAI,KAAK,UAAU,mBAAmC;AAClD,gBAAM,IAAI,MAAM,mBAAmB;AAAA,QACvC;AAEA,YAAI,KAAK,UAAU,uBAAuC;AACtD,eAAK,QAAQ;AACb;AAAA,QACJ;AAGA,YAAI,KAAK,UAAU,sBAAsC;AACrD,cAAI,KAAK,sBAAsB;AAC3B,kBAAM,KAAK;AAAA,UACf;AAAA,QACJ;AAEA,YAAI;AACA,eAAK,QAAQ;AAGb,qBAAW,UAAU,KAAK,gBAAgB;AACtC,mBAAO;AAAA,UACX;AACA,eAAK,eAAe,MAAM;AAC1B,gBAAM,QAAQ,IAAI,KAAK,UAAU,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACtD,eAAK,UAAU,QAAQ,CAAC,MAAM;AAC1B,cAAE,mBAAmB;AAAA,UACzB,CAAC;AACD,eAAK,UAAU,OAAO,CAAC;AAAA,QAC3B,UAAE;AACE,eAAK,QAAQ;AACb,8BAAmB,iBAAiB,OAAO,IAAI;AAAA,QACnD;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAWA,MAAa,qBAAoC;AAE7C,cAAM,QAAQ,IAAI,KAAK,UAAU,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACtD,mBAAW,KAAK,KAAK,WAAW;AAC5B,YAAE,mBAAmB;AAAA,QACzB;AACA,aAAK,UAAU,OAAO,CAAC;AAGvB,aAAK,QAAQ,SAAS,MAAM;AAC5B,aAAK,QAAQ,QAAQ,MAAM;AAC3B,aAAK,QAAQ,QAAQ,MAAM,MAAM;AACjC,aAAK,QAAQ,IAAI,MAAM;AACvB,aAAK,QAAQ,WAAW,MAAM;AAC9B,aAAK,gBAAgB,MAAM;AAG3B,aAAK,0BAA0B;AAC/B,cAAM,KAAK,kBAAkB;AAAA,MACjC;AAAA,MAEA,MAAgB,UAAa,QAAsC;AAC/D,cAAM,eAAeC,MAAK,KAAK,KAAK,SAAS,OAAO;AACpD,eAAO,SAAY,EAAE,YAAY,aAAa,GAAG,YAAY;AACzD,iBAAO,MAAM,OAAO;AAAA,QACxB,CAAC;AAAA,MACL;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAUA,MAAa,4BAA4B,QAAwD;AAC7F,YAAI,OAAO,OAAO,mBAAmB,UAAU;AAC3C,gBAAM,IAAI,MAAM,sEAAsE;AAAA,QAC1F;AACA,YAAI,CAACD,IAAG,WAAW,KAAK,UAAU,GAAG;AACjC,gBAAM,IAAI,MAAM,2BAA2B,KAAK,UAAU,EAAE;AAAA,QAChE;AACA,YAAI,sBAAsBC,MAAK,KAAK,KAAK,SAAS,uCAAuC;AACzF,8BAAsB,OAAO,cAAc;AAE3C,cAAM,UAAU;AAChB,gBAAQ,UAAU,KAAK;AACvB,gBAAQ,aAAa,KAAK;AAC1B,gBAAQ,aAAa,KAAK;AAE1B,gBAAQ,UAAU,OAAO,WAAW;AACpC,cAAM,KAAK,UAAU,YAAY;AAC7B,gBAAM,4BAA4B,qBAAqB,OAAO;AAAA,QAClE,CAAC;AAAA,MACL;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYA,MAAa,yBAAyB,QAA2D;AAC7F,YAAI,CAAC,QAAQ;AACT,gBAAM,IAAI,MAAM,oBAAoB;AAAA,QACxC;AACA,cAAM,UAAU;AAChB,YAAI,OAAO,UAAU,eAAe,KAAK,SAAS,SAAS,GAAG;AAC1D,gBAAM,IAAI,MAAM,kCAAkC;AAAA,QACtD;AACA,gBAAQ,UAAUA,MAAK,QAAQ,KAAK,OAAO;AAC3C,gBAAQ,aAAaA,MAAK,QAAQ,KAAK,UAAU;AACjD,gBAAQ,aAAaA,MAAK,QAAQ,KAAK,UAAU;AAEjD,eAAO,MAAM,KAAK,UAAkB,YAAY;AAE5C,gBAAM,MAAM,oBAAI,KAAK;AACrB,gBAAMG,SAAQ,GAAG,IAAI,YAAY,EAAE,MAAM,GAAG,EAAE,CAAC,IAAI,IAAI,QAAQ,CAAC;AAChE,gBAAM,oCAAoCH,MAAK,KAAK,KAAK,SAAS,aAAa,eAAeG,MAAK,MAAM;AACzG,gBAAM,qCAAqC,mCAAmC,OAAO;AACrF,iBAAO;AAAA,QACX,CAAC;AAAA,MACL;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAUA,MAAa,UAAU,aAAkB,WAAW,OAAO,iBAAiB,OAAoC;AAC5G,YAAI,UAAU;AACV,gBAAM,SAAS,MAAM,KAAK,kBAAkB,WAAW;AACvD,cAAI,WAAW,qBAA2B,WAAW,yDAA4C;AAC7F,mBAAO;AAAA,UACX;AAAA,QACJ;AACA,cAAM,iBAAiB,MAAM,aAAa,aAAa;AACvD,cAAMD,eAAc,gBAAgB,WAAW;AAC/C,YAAI,KAAK,QAAQ,QAAQ,MAAM,IAAIA,YAAW,GAAG;AAE7C,iBAAO;AAAA,QACX;AAEA,cAAM,WAAWF,MAAK,KAAK,KAAK,mBAAmB,UAAU,0BAA0B,WAAW,CAAC,MAAM;AACzG,cAAMD,IAAG,SAAS,UAAU,UAAU,gBAAgB,OAAO;AAG7D,aAAK,QAAQ,QAAQ,MAAM,IAAIG,cAAa,EAAE,aAAa,SAAS,CAAC;AAErE,YAAI,gBAAgB;AAEhB,gBAAM,KAAK,iBAAiB,WAAW;AAAA,QAC3C;AAEA,eAAO;AAAA,MACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,kBACT,KACA,SAAgC,WACL;AAC3B,eAAO,MAAM,KAAK,UAA8B,YAAY;AACxD,cAAI;AACA,kBAAM,QAAQ,WAAW,YAAY,KAAK,QAAQ,MAAM,KAAK,QAAQ;AACrE,kBAAM,SAAS,WAAW,YAAY,KAAK,YAAY,KAAK;AAE5D,kBAAM,UAAU,iCAAiC,GAAG;AACpD,kBAAM,MAAM,QAAQ,YAAY;AAChC,gBAAI,CAAC,MAAM,IAAI,GAAG,GAAG;AACjB,oBAAM,IAAI,KAAK,EAAE,MAAM,CAAC,GAAG,eAAe,CAAC,EAAE,CAAC;AAAA,YAClD;AACA,kBAAM,iBAAiB,MAAM,KAAK,UAAU;AAC5C,kBAAM,WAAWF,MAAK,KAAK,QAAQ,OAAO,0BAA0B,GAAG,CAAC,MAAM;AAC9E,kBAAMD,IAAG,SAAS,UAAU,UAAU,gBAAgB,OAAO;AAE7D,kBAAM,KAAK,gBAAgB,OAAO,QAAQ;AAE1C,kBAAM,KAAK,iCAAiC;AAE5C,mBAAO;AAAA,UACX,SAAS,KAAK;AACV,qBAAS,GAAG;AACZ,mBAAO;AAAA,UACX;AAAA,QACJ,CAAC;AAAA,MACL;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQA,MAAa,qBAAqB,QAAsD;AACpF,cAAM,cAAc,OAAO,QAAgB,UAAgC;AACvE,cAAI;AACA,kBAAM,QAAQ,MAAMA,IAAG,SAAS,QAAQ,MAAM;AAC9C,uBAAW,QAAQ,OAAO;AACtB,oBAAM,MAAMC,MAAK,QAAQ,IAAI,EAAE,YAAY;AAC3C,kBAAI,QAAQ,UAAU,QAAQ,UAAU,QAAQ,QAAQ;AACpD,sBAAMD,IAAG,SAAS,OAAOC,MAAK,KAAK,QAAQ,IAAI,CAAC;AAAA,cACpD;AAAA,YACJ;AAAA,UACJ,SAAS,KAAc;AACnB,gBAAK,IAA8B,SAAS,UAAU;AAClD,oBAAM;AAAA,YACV;AAAA,UACJ;AACA,gBAAM,MAAM;AAAA,QAChB;AAEA,YAAI,WAAW,aAAa,WAAW,OAAO;AAC1C,gBAAM,YAAY,KAAK,kBAAkB,KAAK,QAAQ,UAAU;AAAA,QACpE;AACA,YAAI,WAAW,aAAa,WAAW,OAAO;AAC1C,gBAAM,YAAY,KAAK,WAAW,KAAK,QAAQ,GAAG;AAAA,QACtD;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,UAAU,YAAsC;AACzD,cAAM,KAAK,kBAAkB;AAC7B,cAAM,aAAa,WAAW,YAAY;AAC1C,eAAO,KAAK,QAAQ,QAAQ,MAAM,IAAI,UAAU;AAAA,MACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,MAAa,yBAAyB,YAAiD;AACnF,cAAM,KAAK,kBAAkB;AAC7B,cAAM,aAAa,WAAW,YAAY;AAC1C,cAAM,QAAQ,KAAK,QAAQ,QAAQ,IAAI,UAAU;AACjD,YAAI,CAAC,OAAO;AACR,iBAAO;AAAA,QACX;AACA,YAAI;AACA,gBAAMD,IAAG,SAAS,OAAO,MAAM,QAAQ;AAAA,QAC3C,SAAS,KAAc;AACnB,cAAK,IAA8B,SAAS,UAAU;AAClD,kBAAM;AAAA,UACV;AAAA,QACJ;AACA,aAAK,QAAQ,QAAQ,OAAO,UAAU;AACtC,eAAO,MAAM;AAAA,MACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,MAAa,aAAa,YAAiD;AACvE,cAAM,KAAK,kBAAkB;AAC7B,cAAM,aAAa,WAAW,YAAY;AAC1C,cAAM,QAAQ,KAAK,QAAQ,QAAQ,MAAM,IAAI,UAAU;AACvD,YAAI,CAAC,OAAO;AACR,iBAAO;AAAA,QACX;AACA,YAAI;AACA,gBAAMA,IAAG,SAAS,OAAO,MAAM,QAAQ;AAAA,QAC3C,SAAS,KAAc;AACnB,cAAK,IAA8B,SAAS,UAAU;AAClD,kBAAM;AAAA,UACV;AAAA,QACJ;AACA,aAAK,QAAQ,QAAQ,MAAM,OAAO,UAAU;AAC5C,eAAO,MAAM;AAAA,MACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQA,MAAa,+BACT,mBACA,SAAwC,OAC3B;AACb,cAAM,aAAa,yBAAyB,iBAAiB;AAC7D,cAAM,oBAAoB,WAAW,eAAe;AAEpD,cAAM,eAAe,OAAO,UAAgC;AACxD,gBAAM,UAAU,MAAM,IAAI,iBAAiB;AAC3C,cAAI,CAAC,QAAS;AACd,qBAAW,YAAY,QAAQ,MAAM;AACjC,gBAAI;AACA,oBAAMA,IAAG,SAAS,OAAO,SAAS,QAAQ;AAAA,YAC9C,SAAS,KAAc;AACnB,kBAAK,IAA8B,SAAS,UAAU;AAClD,sBAAM;AAAA,cACV;AAAA,YACJ;AAAA,UACJ;AACA,gBAAM,OAAO,iBAAiB;AAAA,QAClC;AAEA,YAAI,WAAW,aAAa,WAAW,OAAO;AAC1C,gBAAM,aAAa,KAAK,QAAQ,UAAU;AAAA,QAC9C;AACA,YAAI,WAAW,aAAa,WAAW,OAAO;AAC1C,gBAAM,aAAa,KAAK,QAAQ,GAAG;AAAA,QACvC;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAqBA,MAAa,+BAA+B,kBAA4D;AACpG,cAAM,eAAe,UAAU,gBAAgB;AAC/C,cAAM,kBAAkB,aAAa,CAAC;AAGtC,YAAI;AACA,mCAAyB,eAAe;AAAA,QAC5C,SAAS,MAAM;AACX,iBAAO;AAAA,QACX;AAIA,cAAM,SAAS,MAAM,uBAAuB,CAAC,eAAe,CAAC;AAC7D,YAAI,OAAO,WAAW,QAAQ;AAC1B,iBAAO;AAAA,QACX;AAMA,YAAI,aAAa,SAAS,GAAG;AAKzB,gBAAM,KAAK,gBAAgB,KAAK,mBAAmB,KAAK,QAAQ,QAAQ,KAAK;AAC7E,qBAAW,cAAc,aAAa,MAAM,CAAC,GAAG;AAC5C,kBAAM,aAAa,gBAAgB,UAAU;AAC7C,gBAAI,CAAE,MAAM,KAAK,UAAU,UAAU,GAAI;AAGrC,qBAAO;AAAA,YACX;AAAA,UACJ;AAAA,QACJ;AAGA,cAAM,KAAK,iBAAiB,eAAe;AAC3C,eAAO;AAAA,MACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAcA,MAAa,kCAAkC,mBAAkD;AAC7F,cAAM,KAAK,kBAAkB;AAC7B,mBAAW,SAAS,KAAK,QAAQ,QAAQ,OAAO,GAAG;AAC/C,cAAI,CAAC,MAAM,YAAa;AACxB,cAAI;AACA,gBAAI,2BAA2B,MAAM,aAAa,iBAAiB,GAAG;AAClE,qBAAO;AAAA,YACX;AAAA,UACJ,SAAS,MAAM;AAAA,UAEf;AAAA,QACJ;AACA,eAAO;AAAA,MACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAgBA,MAAa,sBAAsB,aAAuD;AACtF,cAAM,WAAW,yBAAyB,WAAW;AAErD,YAAI,cAAc,QAAQ,GAAG;AAEzB,iBAAO;AAAA,QACX;AAEA,cAAM,kBAAkB,SAAS,eAAe,YAAY,wBAAwB;AAEpF,YAAI,CAAC,iBAAiB;AAElB,mBAAS,gCAAgC;AACzC,iBAAO;AAAA,QACX;AAEA,cAAM,qBAAqB,CAAC,GAAG,KAAK,QAAQ,QAAQ,MAAM,OAAO,CAAC;AAElE,cAAM,6BAA6B,sBAAsB,oBAAoB,eAAe;AAE5F,YAAI,2BAA2B,SAAS,GAAG;AACvC,cAAI,2BAA2B,SAAS,GAAG;AACvC,uBAAW,8EAA8E,eAAe;AAAA,UAC5G;AACA,iBAAO,2BAA2B,CAAC,EAAE,eAAe;AAAA,QACxD;AAEA,cAAM,sBAAsB,CAAC,GAAG,KAAK,QAAQ,QAAQ,OAAO,CAAC;AAC7D,cAAM,8BAA8B,sBAAsB,qBAAqB,eAAe;AAE9F,YAAI,4BAA4B,SAAS,GAAG;AACxC;AAAA,YACI;AAAA,YACA;AAAA,YACA,4BAA4B;AAAA,UAChC;AAAA,QACJ;AACA,eAAO,4BAA4B,SAAS,IAAI,4BAA4B,CAAC,EAAE,cAAc;AAAA,MACjG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,MAAM,wBAAwB,aAAiD;AAC3E,cAAMG,eAAc,gBAAgB,WAAW;AAE/C,iBAAS,wCAAwC,MAAMA,YAAW,CAAC;AAEnE,cAAM,KAAK,kBAAkB;AAE7B,YAAI,KAAK,QAAQ,SAAS,IAAIA,YAAW,GAAG;AACxC,iBAAO;AAAA,QACX;AACA,YAAI,KAAK,QAAQ,QAAQ,IAAIA,YAAW,GAAG;AACvC,iBAAO;AAAA,QACX;AACA,eAAO;AAAA,MACX;AAAA,MAEA,MAAM,iBAAiB,aAA0B,WAA8B;AAC3E,cAAM,KAAK,UAAU,YAAY;AAC7B,gBAAMA,eAAc,gBAAgB,WAAW;AAE/C,cAAI,SAAS,MAAM,KAAK,wBAAwB,WAAW;AAC3D,cAAI,WAAW,WAAW;AAEtB,kBAAM,MAAM,MAAM,aAAa,aAAa;AAC5C,kBAAM,WAAWF,MAAK,KAAK,KAAK,gBAAgB,GAAG,0BAA0B,WAAW,CAAC,MAAM;AAC/F,kBAAMD,IAAG,SAAS,UAAU,UAAU,GAAG;AACzC,iBAAK,QAAQ,SAAS,IAAIG,cAAa,EAAE,aAAa,SAAS,CAAC;AAChE,qBAAS;AAAA,UACb;AAEA,mBAAS,oBAAoBA,aAAY,UAAU,GAAG,EAAE,GAAG,QAAQ,QAAQ,MAAM,SAAS;AAE1F,cAAI,WAAW,cAAc,WAAW,WAAW;AAC/C,kBAAM,IAAI,MAAM,wCAAwC,MAAM,qBAAqBA,aAAY,UAAU,GAAG,EAAE,CAAC,EAAE;AAAA,UACrH;AAEA,cAAI,WAAW,WAAW;AACtB,kBAAM,WAAW,WAAW,aAAa,KAAK,QAAQ,WAAW,KAAK,QAAQ;AAC9E,kBAAM,WAAW,SAAS,IAAIA,YAAW;AAEzC,gBAAI,CAAC,UAAU;AACX,uBAAS,6BAA6BA,aAAY,UAAU,GAAG,EAAE,GAAG,OAAO,MAAM;AACjF,oBAAM,IAAI,MAAM,iCAAiCA,aAAY,UAAU,GAAG,EAAE,CAAC,iBAAiB,MAAM,QAAQ;AAAA,YAChH;AACA,kBAAM,aAAa,cAAc,YAAY,KAAK,gBAAgB,KAAK;AACvE,kBAAM,kBAAkBF,MAAK,KAAK,YAAYA,MAAK,SAAS,SAAS,QAAQ,CAAC;AAE9E,qBAAS,oBAAoBE,aAAY,UAAU,GAAG,EAAE,GAAG,YAAY,SAAS,QAAQ;AACxF,qBAAS,oBAAoBA,aAAY,UAAU,GAAG,EAAE,GAAG,YAAY,eAAe;AACtF,kBAAMH,IAAG,SAAS,OAAO,SAAS,UAAU,eAAe;AAC3D,qBAAS,OAAOG,YAAW;AAC3B,kBAAM,YAAY,cAAc,YAAY,KAAK,QAAQ,UAAU,KAAK,QAAQ;AAChF,sBAAU,IAAIA,cAAa,EAAE,aAAa,UAAU,gBAAgB,CAAC;AAAA,UACzE;AAAA,QACJ,CAAC;AAAA,MACL;AAAA,MACA,oBAAoB,mBAAgD;AAChE,cAAM,wBAAwB,yBAAyB,iBAAiB;AACxE,cAAM,MAAM,sBAAsB,eAAe;AACjD,eAAO,KAAK,QAAQ,WAAW,IAAI,GAAG,KAAK,KAAK,QAAQ,IAAI,IAAI,GAAG,KAAK;AAAA,MAC5E;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAkBA,MAAa,qBACT,aACA,mBAC2B;AAC3B,YAAI,cAAc,WAAW,GAAG;AAC5B,iBAAO;AAAA,QACX;AAEA,YAAI,CAAC,mBAAmB;AACpB,8BAAoB,MAAM,KAAK,sBAAsB,WAAW;AAAA,QACpE;AACA,YAAI,CAAC,mBAAmB;AACpB,iBAAO;AAAA,QACX;AACA,cAAM,OAAO,KAAK,oBAAoB,iBAAiB;AAEvD,YAAI,CAAC,MAAM;AACP,iBAAO;AAAA,QACX;AACA,cAAM,WAAW,yBAAyB,WAAW;AACrD,cAAM,eACF,SAAS,eAAe,gBAAgB,SAAS,eAAe,YAAY,wBAAwB,UAAU;AAElH,cAAM,MAAM,SAAS,eAAe,YAAY,wBAAwB,kCAAkC;AAC1G,cAAM,OAAO,KAAK,QAAQ,IAAI,IAAI,GAAG,KAAK;AAE1C,YAAI,KAAK,cAAc,YAAY,KAAK,MAAM,cAAc,YAAY,GAAG;AACvE,iBAAO;AAAA,QACX;AACA,eAAO;AAAA,MACX;AAAA,MAEA,uBAAuB;AAAA,MACvB,uBAAuC,CAAC;AAAA,MACxC,SAA8D,CAAC;AAAA,MAC/D,gBAAgB,OAA6B,UAAkB;AAC3D,aAAK,OAAO,KAAK,EAAE,OAAO,SAAS,CAAC;AACpC,aAAK,wBAAwB;AAC7B,YAAI,KAAK,yBAAyB,GAAG;AACjC,eAAK,gBAAgB;AAAA,QACzB;AAAA,MACJ;AAAA,MACA,MAAM,kBAAkB;AACpB,YAAI;AACA,gBAAM,UAAU,KAAK,OAAO,MAAM;AAClC,cAAI,CAAC,QAAS;AACd,gBAAM,EAAE,OAAO,SAAS,IAAI;AAC5B,gBAAM,MAAM,MAAM,8BAA8B,QAAQ;AACxD,gBAAM,UAAU,iCAAiC,GAAG;AACpD,mBAASD,OAAM,KAAK,oBAAoB,GAAG,QAAQ;AACnD,gBAAMC,eAAc,QAAQ,YAAY;AACxC,cAAI,CAAC,MAAM,IAAIA,YAAW,GAAG;AACzB,kBAAM,IAAIA,cAAa,EAAE,MAAM,CAAC,GAAG,eAAe,CAAC,EAAE,CAAC;AAAA,UAC1D;AACA,gBAAM,OAAO,MAAM,IAAIA,YAAW,KAAK,EAAE,MAAM,CAAC,GAAG,eAAe,CAAC,EAAE;AACrE,eAAK,KAAK,KAAK,EAAE,SAAS,SAAS,CAAC;AAGpC,qBAAW,sBAAsB,QAAQ,YAAY,qBAAqB;AACtE,kBAAM,eAAe,mBAAmB;AACxC,gBAAI,CAAC,KAAK,cAAc,YAAY,GAAG;AACnC,mBAAK,cAAc,YAAY,IAAI,mBAAmB;AAAA,YAC1D;AAAA,UACJ;AACA,mBAASD,OAAM,KAAK,KAAK,GAAGC,cAAa,qBAAqB,OAAO,KAAK,KAAK,aAAa,CAAC;AAAA,QACjG,SAAS,KAAK;AACV,mBAAS,sBAAsB;AAC/B,mBAAS,GAAG;AAAA,QAChB;AACA,aAAK,wBAAwB;AAC7B,YAAI,KAAK,yBAAyB,GAAG;AACjC,qBAAW,UAAU,KAAK,sBAAsB;AAC5C,mBAAO;AAAA,UACX;AACA,eAAK,qBAAqB,SAAS;AAAA,QACvC,OAAO;AACH,eAAK,gBAAgB;AAAA,QACzB;AAAA,MACJ;AAAA,MACA,MAAM,oBAAmC;AACrC,YAAI,KAAK,yBAAyB;AAC9B;AAAA,QACJ;AACA,aAAK,0BAA0B;AA8B/B,cAAM,aAAa,QAAQ,IAAI,0BAA0B;AACzD,cAAM,cAAc,QAAQ,IAAI,6BAC1B,SAAS,QAAQ,IAAI,4BAA4B,EAAE,IACnD;AACN,cAAM,kBAAkB,KAAK,IAAI,KAAK,KAAK,KAAM,KAAK,IAAI,KAAK,eAAe,KAAK,qBAAqB,CAAC;AACzG,cAAM,kBAAkB;AAAA,UACpB;AAAA,UACA,GAAI,aAAa,EAAE,UAAU,gBAAgB,IAAI,CAAC;AAAA,UAClD,YAAY;AAAA,QAChB;AAUA,cAAM,wBAAwB,CAAC,WAAmB;AAC9C,gBAAM,kBAAkC,CAAC;AACzC,gBAAM,YAAYH,IAAG;AACrB,UAAAA,IAAG,SAAS,IAAI,SAAsC;AAClD,kBAAM,SAAS,UAAU,MAAMA,KAAI,IAAI;AACvC,4BAAgB,KAAK,MAAM;AAC3B,mBAAO;AAAA,UACX;AACA,gBAAM,IAAI,SAAS,MAAM,QAAQ,eAAe;AAChD,gBAAM,YAAY,MAAM;AACpB,YAAAA,IAAG,QAAQ;AACX,uBAAW,KAAK,iBAAiB;AAC7B,gBAAE,MAAM;AAAA,YACZ;AAAA,UACJ;AACA,iBAAO,EAAE,GAAG,iBAAiB,UAAU;AAAA,QAC3C;AAMA,cAAM,QAAQ,IAAI;AAAA,UACd,KAAK,gBAAgB,KAAK,eAAe,KAAK,QAAQ,OAAO;AAAA,UAC7D,KAAK,gBAAgB,KAAK,mBAAmB,KAAK,QAAQ,QAAQ,KAAK;AAAA,UACvE,KAAK,gBAAgB,KAAK,gBAAgB,KAAK,QAAQ,QAAQ;AAAA,UAC/D,KAAK,eAAe,KAAK,WAAW,KAAK,QAAQ,GAAG;AAAA,UACpD,KAAK,eAAe,KAAK,kBAAkB,KAAK,QAAQ,UAAU;AAAA,QACtE,CAAC;AAOD,aAAK,cAAc,KAAK,eAAe,KAAK,QAAQ,SAAS,uBAAuB,SAAS;AAC7F,aAAK,cAAc,KAAK,mBAAmB,KAAK,QAAQ,QAAQ,OAAO,uBAAuB,cAAc;AAC5G,aAAK,cAAc,KAAK,gBAAgB,KAAK,QAAQ,UAAU,uBAAuB,UAAU;AAChG,aAAK,iBAAiB,KAAK,WAAW,KAAK,QAAQ,KAAK,uBAAuB,KAAK;AACpF,aAAK,iBAAiB,KAAK,kBAAkB,KAAK,QAAQ,YAAY,uBAAuB,YAAY;AAAA,MAC7G;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAM,gBAAgB,QAAgB,OAA0C;AAC5E,YAAI,CAACA,IAAG,WAAW,MAAM,EAAG;AAC5B,cAAM,QAAQ,MAAMA,IAAG,SAAS,QAAQ,MAAM;AAC9C,mBAAW,QAAQ,OAAO;AACtB,gBAAM,WAAWC,MAAK,KAAK,QAAQ,IAAI;AACvC,cAAI;AACA,kBAAM,OAAO,MAAMD,IAAG,SAAS,KAAK,QAAQ;AAC5C,gBAAI,CAAC,KAAK,OAAO,EAAG;AACpB,kBAAM,cAAc,MAAM,qBAAqB,QAAQ;AACvD,kBAAM,OAAO,yBAAyB,WAAW;AACjD,kBAAMG,eAAc,gBAAgB,WAAW;AAC/C,kBAAM,IAAIA,cAAa,EAAE,aAAa,UAAU,KAAK,CAAC;AACtD,iBAAK,gBAAgB,IAAI,UAAUA,YAAW;AAAA,UAClD,SAAS,KAAK;AACV,qBAAS,4BAA4B,QAAQ,IAAI,GAAG;AAAA,UACxD;AAAA,QACJ;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,eAAe,QAAgB,OAA4C;AAC7E,YAAI,CAACH,IAAG,WAAW,MAAM,EAAG;AAC5B,cAAM,QAAQ,MAAMA,IAAG,SAAS,QAAQ,MAAM;AAC9C,mBAAW,QAAQ,OAAO;AACtB,gBAAM,WAAWC,MAAK,KAAK,QAAQ,IAAI;AACvC,cAAI;AACA,kBAAM,OAAO,MAAMD,IAAG,SAAS,KAAK,QAAQ;AAC5C,gBAAI,CAAC,KAAK,OAAO,EAAG;AACpB,iBAAK,gBAAgB,OAAO,QAAQ;AAAA,UACxC,SAAS,KAAK;AACV,qBAAS,2BAA2B,QAAQ,IAAI,GAAG;AAAA,UACvD;AAAA,QACJ;AACA,cAAM,KAAK,iCAAiC;AAAA,MAChD;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,iBACI,QACA,OACA,uBACA,OACI;AACJ,cAAM,EAAE,GAAG,UAAU,IAAI,sBAAsB,MAAM;AACrD,YAAI,QAAQ;AAEZ,UAAE,GAAG,UAAU,CAAC,aAAqB;AACjC,qBAAW,CAAC,KAAK,IAAI,KAAK,MAAM,QAAQ,GAAG;AACvC,iBAAK,OAAO,KAAK,KAAK,OAAO,CAAC,MAAM,EAAE,aAAa,QAAQ;AAC3D,gBAAI,KAAK,KAAK,WAAW,GAAG;AACxB,oBAAM,OAAO,GAAG;AAAA,YACpB;AAAA,UACJ;AACA,cAAI,OAAO;AACP,iBAAK,KAAK,cAAc,EAAE,OAAO,SAAS,CAAC;AAAA,UAC/C;AAAA,QACJ,CAAC;AACD,UAAE,GAAG,OAAO,CAAC,aAAqB;AAC9B,cAAI,OAAO;AACP,iBAAK,gBAAgB,OAAO,QAAQ;AACpC,iBAAK,KAAK,YAAY,EAAE,OAAO,SAAS,CAAC;AAAA,UAC7C;AAAA,QACJ,CAAC;AACD,UAAE,GAAG,UAAU,CAAC,gBAAwB;AACpC,mBAAS,qBAAqB,QAAQ,WAAW;AAAA,QACrD,CAAC;AACD,aAAK,UAAU,KAAK,CAA4B;AAChD,aAAK,eAAe,IAAI,SAAS;AACjC,UAAE,GAAG,SAAS,MAAM;AAChB,kBAAQ;AACR,eAAK,eAAe,OAAO,SAAS;AACpC,oBAAU;AAAA,QACd,CAAC;AAAA,MACL;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,cACI,QACA,OACA,uBACA,OACI;AACJ,cAAM,EAAE,GAAG,UAAU,IAAI,sBAAsB,MAAM;AACrD,YAAI,QAAQ;AACZ,UAAE,GAAG,UAAU,CAAC,aAAqB;AACjC,mBAASE,OAAM,KAAK,oBAAoB,MAAM,EAAE,GAAG,QAAQ;AAC3D,gBAAM,IAAI,KAAK,gBAAgB,IAAI,QAAQ;AAC3C,cAAI,KAAK,MAAM,IAAI,CAAC,GAAG;AACnB,kBAAM,OAAO,CAAC;AACd,iBAAK,KAAK,sBAAsB,EAAE,OAAO,aAAa,GAAG,SAAS,CAAC;AAAA,UACvE;AAAA,QACJ,CAAC;AACD,UAAE,GAAG,OAAO,CAAC,aAAqB;AAC9B,mBAASA,OAAM,KAAK,iBAAiB,MAAM,EAAE,GAAG,QAAQ;AACxD,cAAI;AACA,kBAAM,cAAc,gBAAgB,QAAQ;AAC5C,kBAAM,OAAO,yBAAyB,WAAW;AACjD,kBAAMC,eAAc,gBAAgB,WAAW;AAE/C,kBAAM,QAAQ,CAAC,MAAM,IAAIA,YAAW;AACpC,kBAAM,IAAIA,cAAa,EAAE,aAAa,UAAU,KAAK,CAAC;AACtD,iBAAK,gBAAgB,IAAI,UAAUA,YAAW;AAE9C;AAAA,cACID,OAAM,QAAQ,MAAM;AAAA,cACpB,KAAK,eAAe;AAAA,cACpB,KAAK,eAAe;AAAA,cACpB,KAAK,eAAe,YAAY,wBAAwB;AAAA,YAC5D;AACA,gBAAI,SAAS,OAAO;AAChB,mBAAK,KAAK,oBAAoB,EAAE,OAAO,aAAa,aAAAC,cAAa,SAAS,CAAC;AAAA,YAC/E;AAAA,UACJ,SAAS,KAAK;AACV,qBAAS,wBAAwB,MAAM,cAAc,QAAQ,EAAE;AAC/D,qBAAS,GAAG;AAAA,UAChB;AAAA,QACJ,CAAC;AACD,UAAE,GAAG,UAAU,CAAC,gBAAwB;AACpC,mBAASD,OAAM,KAAK,oBAAoB,MAAM,EAAE,GAAG,WAAW;AAC9D,cAAI;AACA,kBAAM,cAAc,gBAAgB,WAAW;AAC/C,kBAAM,iBAAiB,gBAAgB,WAAW;AAClD,kBAAM,UAAU,KAAK,gBAAgB,IAAI,WAAW;AACpD,gBAAI,WAAW,YAAY,gBAAgB;AACvC,oBAAM,OAAO,OAAO;AAAA,YACxB;AACA,kBAAM,IAAI,gBAAgB,EAAE,aAAa,UAAU,aAAa,MAAM,yBAAyB,WAAW,EAAE,CAAC;AAC7G,iBAAK,gBAAgB,IAAI,aAAa,cAAc;AACpD,iBAAK,KAAK,qBAAqB,EAAE,OAAO,aAAa,aAAa,gBAAgB,UAAU,YAAY,CAAC;AAAA,UAC7G,SAAS,KAAK;AACV,qBAAS,mCAAmC,WAAW,IAAI,GAAG;AAAA,UAClE;AAAA,QACJ,CAAC;AACD,aAAK,UAAU,KAAK,CAA4B;AAChD,aAAK,eAAe,IAAI,SAAS;AACjC,UAAE,GAAG,SAAS,MAAM;AAChB,kBAAQ;AACR,eAAK,eAAe,OAAO,SAAS;AACpC,oBAAU;AACV,mBAAS,OAAO;AAChB,mBAAS,CAAC,GAAG,MAAM,KAAK,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,UAAU,GAAG,EAAE,CAAC,CAAC;AAAA,QAC7D,CAAC;AAAA,MACL;AAAA;AAAA,MAGA,MAAM,mCAAkD;AACpD,eAAO,IAAI,QAAQ,CAAC,SAAS,YAAY;AACrC,cAAI,KAAK,yBAAyB,GAAG;AACjC,yBAAa,OAAO;AACpB;AAAA,UACJ;AACA,eAAK,qBAAqB,KAAK,OAAO;AAAA,QAC1C,CAAC;AAAA,MACL;AAAA,IACJ;AAAA;AAAA;;;AC7zDA;AAAA;AAAA;AAAA;AAsBA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACEO,SAAS,OAAO,SAAiB,OAAqB;AAEzD,MAAI,CAAC,SAAS,QAAQ;AAClB,eAAW,iBAAiB,OAAO,IAAI,KAAK,EAAE;AAAA,EAClD;AACA,kBAAgB,OAAO,IAAI;AAE3B,MAAI,CAAC,cAAc,EAAE,QAAQ,OAAO,KAAK,GAAG;AACxC,YAAQ,IAAI,OAAO,IAAI;AAAA,EAC3B;AACA,MAAI,CAAC,UAAU,EAAE,QAAQ,OAAO,KAAK,GAAG;AACpC,YAAQ,IAAI,OAAO,IAAI;AAAA,EAC3B;AACJ;AAKO,SAAS,OAAO,SAAyB;AAC5C,SAAO,gBAAgB,OAAO;AAClC;AAEO,SAAS,yBAA6D;AACzE,SAAO,OAAO,KAAK,eAAe,EAAE,IAAI,CAAC,YAAoB;AACzD,WAAO,EAAE,KAAK,SAAS,SAAS,eAAe,OAAO,GAAG;AAAA,EAC7D,CAAC;AACL;AAEO,SAAS,gBAAgB,QAA8B;AAC1D,SAAO,MAAM,OAAO,OAAO,CAAC;AAC5B,SAAO,KAAK,OAAO,MAAM,CAAC;AAG1B,MAAI,iBAA2B,CAAC;AAChC,iBAAe,KAAK,OAAO,OAAO,cAAc,EAAE;AAClD,mBAAkB,CAAC,EAAe;AAAA,IAC9B;AAAA,IACA,OAAO,IAAI,IAAI,CAAC,MAAc,OAAO,CAAC,EAAE;AAAA,EAC5C;AACA,mBAAkB,CAAC,EAAe;AAAA,IAC9B;AAAA,IACA,OAAO,GAAG,IAAI,CAAC,MAAc,MAAM,CAAC,EAAE;AAAA,EAC1C;AACA,QAAM,uBAAuB,eAAe,KAAK,IAAI;AACrD,SAAO,WAAW,oBAAoB;AAC1C;AAzEA,IA0Ba;AA1Bb;AAAA;AAAA;AAAA;AAuBA;AACA;AAEO,IAAM,kBAA0C,CAAC;AAAA;AAAA;;;ACzBxD,SAAS,WAAAG,gBAAe;AADxB;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACyBA,OAAO,mBAAmB;AAC1B,OAAOC,SAAQ;AACf,OAAOC,SAAQ;AACf,OAAOC,WAAU;AAEjB,OAAO,SAAS;AAEhB,OAAO,YAAY;AACnB,OAAOC,YAAW;AAClB,OAAO,iBAAiB;AACxB,OAAO,UAAU;AACjB,OAAO,WAAW;AA4BlB,SAAS,cAA2B;AAChC,QAAM,QACF,QAAQ,IAAI,eAAe,QAAQ,IAAI,eAAe,QAAQ,IAAI,cAAc,QAAQ,IAAI,cAAc;AAC9G,MAAI,OAAO;AACP,UAAM,IAAI,IAAI,IAAI,IAAI,KAAK;AAC3B,UAAM,OAAO,EAAE,WAAW,GAAG,EAAE,QAAQ,IAAI,EAAE,QAAQ,KAAK;AAE1D,UAAM,UAAuB;AAAA,MACzB,OAAO;AAAA,QACH,MAAM,EAAE,OAAO,SAAS,EAAE,MAAM,EAAE,IAAI;AAAA,QACtC,UAAU,EAAE,SAAS,QAAQ,KAAK,EAAE;AAAA,QACpC,MAAM,EAAE,YAAY;AAAA,QACpB,WAAW;AAAA,MACf;AAAA,IACJ;AACA,eAAWA,OAAM,MAAM,gBAAgB,GAAG,KAAK;AAC/C,eAAW,OAAO;AAClB,WAAO;AAAA,EACX;AACA,SAAO,CAAC;AACZ;AAEA,eAAe,QAAQ,KAAa,KAAsC;AACtE,MAAI,SAAS;AAGb,QAAM,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,EACjB;AAEA,SAAO,MAAM,IAAI,QAAuB,CAAC,SAAS,WAAW;AACzD,UAAM,QAAQ,cAAc;AAAA,MACxB;AAAA,MACA;AAAA,MACA,CAAC,QAAiF;AAC9E,cAAM,WAAW,QAAQ,OAAO,IAAI,IAAI,QAAQ;AAChD,YAAI,IAAK,QAAO,GAAG;AAAA,aACd;AACD,kBAAQ,EAAE,UAAU,OAAO,CAAC;AAAA,QAChC;AAAA,MACJ;AAAA,IACJ;AAEA,UAAM,UAAU,OAAO,MAAM,MAAkB;AAC/C,YAAQ,GAAG,QAAQ,CAAC,SAAiB;AACjC,gBAAU,GAAG,IAAI;AAAA;AAEjB,UAAIC,UAAS;AACT,gBAAQ,OAAO,MAAM,kBAAkBD,OAAM,OAAO,IAAI,CAAC;AAAA,CAAI;AAAA,MACjE;AAAA,IACJ,CAAC;AAAA,EACL,CAAC;AACL;AAEA,SAASE,OAAM,KAAqB;AAChC,SAAO,IAAI,IAAI,QAAQ,OAAO,GAAG,CAAC;AACtC;AAEA,SAAS,4BAA4B,YAA6B;AAC9D,SAAO,CAAC,CAAC,WAAW,MAAM,aAAa;AAC3C;AAEA,eAAe,qBAAsC;AACjD,MAAI;AACJ,MAAI;AACA,cAAU,MAAM,QAAQ,eAAe;AAAA,EAC3C,SAAS,KAAK;AACV,eAAW,aAAc,IAAc,OAAO;AAC9C,UAAM,IAAI,MAAM,qBAAqB;AAAA,EACzC;AAEA,QAAM,WAAW,SAAS;AAC1B,QAAM,SAAS,SAAS;AAExB,MAAI,aAAa,GAAG;AAChB,eAAWF,OAAM,OAAO,iBAAiB,IAAIA,OAAM,KAAK,SAAS,IAAIA,OAAM,OAAO,qCAAqC,CAAC;AACxH,eAAWA,OAAM,OAAO,gDAAgD,CAAC;AACzE,UAAM,IAAI,MAAM,qBAAqB;AAAA,EACzC;AACA,QAAM,kBAAkB,OAAO,QAAQ,SAAS,EAAE,EAAE,KAAK;AACzD,SAAO;AACX;AACA,eAAsB,+BAAgD;AAClE,QAAM,kBAAkB,MAAM,mBAAmB;AAGjD,QAAM,oBAAoBE,OAAM,eAAe;AAG/C,MAAID,UAAS;AACT,eAAW,oCAAoCD,OAAM,OAAO,eAAe,CAAC,EAAE;AAAA,EAClF;AAEA,QAAM,SAAS,MAAM,QAAQ,GAAG,iBAAiB,UAAU;AAE3D,QAAM,WAAW,QAAQ;AACzB,QAAM,SAAS,QAAQ;AAEvB,QAAM,UAAU,OAAO,KAAK;AAE5B,QAAM,YAAY,aAAa,KAAK,4BAA4B,OAAO;AACvE,MAAI,CAAC,WAAW;AACZ,QAAI,UACAA,OAAM,YAAY,uBAAuB,IACzC,kCACA,UACA;AAEJ,QAAI,QAAQ,aAAa,UAAU;AAC/B,iBACIA,OAAM,KAAK,qBAAqB,IAChCA,OAAM,OAAO,2FAAgG;AAAA,IACrH;AAEA,YAAQ,IAAI,OAAO;AAAA,EACvB;AACA,SAAO;AACX;AAEA,eAAe,0CAA2D;AACtE,QAAM,iBAAiBD,MAAK,KAAKD,IAAG,OAAO,GAAG,GAAG;AAEjD,WAAS,2BAAmC;AACxC,QAAI,QAAQ,IAAI,cAAc;AAC1B,YAAM,oBAAoBC,MAAK,KAAK,QAAQ,IAAI,cAAc,UAAU;AACxE,UAAIF,IAAG,WAAW,iBAAiB,GAAG;AAClC,eAAOE,MAAK,KAAK,mBAAmB,SAAS;AAAA,MACjD;AAAA,IACJ;AACA,WAAOA,MAAK,KAAK,QAAQ,IAAI,GAAG,SAAS;AAAA,EAC7C;AAEA,WAAS,8BAAsC;AAC3C,UAAMI,iBAAgB,yBAAyB;AAC/C,WAAOJ,MAAK,KAAKI,gBAAe,aAAa;AAAA,EACjD;AAEA,iBAAe,sBAA0E;AACrF,UAAMC,mBAAkB,4BAA4B;AAEpD,UAAM,SAASP,IAAG,WAAWO,gBAAe;AAC5C,QAAI,CAAC,QAAQ;AACT,iBAAW,yBAAyBA,gBAAe;AACnD,iBAAWJ,OAAM,IAAI,oBAAoB,IAAII,gBAAe;AAC5D,aAAO;AAAA,QACH,WAAW;AAAA,QACX,SAAS,oBAAoBA,gBAAe;AAAA,MAChD;AAAA,IACJ,OAAO;AAEH,YAAM,qBAAqBF,OAAME,gBAAe;AAChD,YAAM,MAAM;AAEZ,YAAM,EAAE,UAAU,OAAO,IAAI,MAAM,QAAQ,GAAG,kBAAkB,YAAY,GAAG;AAC/E,YAAM,UAAU,OAAO,KAAK;AAG5B,UAAIH,UAAS;AACT,mBAAW,eAAe,OAAO;AAAA,MACrC;AACA,aAAO;AAAA,QACH,WAAW,aAAa,KAAK,4BAA4B,OAAO;AAAA,QAChE;AAAA,MACJ;AAAA,IACJ;AAAA,EACJ;AAQA,WAAS,YAAqB;AAC1B,QAAI,QAAQ,IAAI,2BAA2B,SAAS,QAAQ,IAAI,wBAAwB;AACpF,aAAO;AAAA,IACX;AAEA,QAAI,QAAQ,IAAI,2BAA2B,SAAS;AAChD,aAAO;AAAA,IACX;AAGA,QAAI,QAAQ,IAAI,gBAAgB,OAAO;AACnC,aAAO;AAAA,IACX;AACA,WAAO;AAAA,EACX;AAEA,iBAAe,mBAAwD;AAKnE,UAAMI,OACF,UAAU,MAAM,KACV,0GACA;AAEV,UAAM,iBAAiBN,MAAK,KAAK,gBAAgBA,MAAK,SAASM,IAAG,CAAC;AAEnE,eAAW,eAAeL,OAAM,OAAOK,IAAG,CAAC,OAAO,cAAc,EAAE;AAElE,QAAIR,IAAG,WAAW,cAAc,GAAG;AAC/B,aAAO,EAAE,gBAAgB,eAAe;AAAA,IAC5C;AACA,UAAM,UAAU,YAAY;AAC5B,UAAM,MAAM,IAAI,YAAYG,OAAM,KAAK,QAAQ,IAAIA,OAAM,KAAK,YAAY,IAAIA,OAAM,MAAM,OAAO,GAAG;AAAA,MAChG,UAAU;AAAA,MACV,YAAY;AAAA,MACZ,OAAO;AAAA,MACP,OAAO;AAAA,IACX,CAAC;AAED,WAAO,MAAM,IAAI,QAAQ,CAAC,SAAS,WAAW;AAC1C,YAAM,WAAW,KAAK,SAASK,MAAK,gBAAgB,OAAO;AAC3D,eAAS,GAAG,SAAS,CAAC,QAAe;AACjC,mBAAW,GAAG;AACd,qBAAa,MAAM;AACf,iBAAO,GAAG;AAAA,QACd,CAAC;AAAA,MACL,CAAC;AACD,eAAS,GAAG,OAAO,CAAC,WAAmB;AAEnC,YAAIJ,UAAS;AACT,qBAAW,MAAM;AAAA,QACrB;AAEA,gBAAQ,EAAE,gBAAgB,eAAe,CAAC;AAAA,MAC9C,CAAC;AACD,eAAS,GAAG,YAAY,CAAC,aAAqB;AAC1C,YAAI,OAAO,QAAQ;AAAA,MACvB,CAAC;AAAA,IACL,CAAC;AAAA,EACL;AAEA,iBAAe,cAAc,aAAqB;AAC9C,UAAME,iBAAgB,yBAAyB;AAE/C,UAAM,UAAU,MAAM,IAAI,QAAuB,CAAC,SAAS,WAAW;AAClE,YAAM,KAAK,aAAa,EAAE,aAAa,KAAK,GAAG,CAAC,KAAoB,YAA4B;AAC5F,YAAI,KAAK;AACL,iBAAO,GAAG;AAAA,QACd,OAAO;AACH,cAAI,CAAC,SAAS;AACV,mBAAO,IAAI,MAAM,iBAAiB,CAAC;AAAA,UACvC,OAAO;AACH,oBAAQ,OAAO;AAAA,UACnB;AAAA,QACJ;AAAA,MACJ,CAAC;AAAA,IACL,CAAC;AAED,YAAQ,UAAU;AAElB,UAAM,IAAI,QAAc,CAAC,SAAS,WAAW;AACzC,cAAQ,GAAG,OAAO,CAAC,QAAgB;AAC/B,qBAAa,MAAM;AAEf,cAAIF,UAAS;AACT,uBAAW,YAAY;AAAA,UAC3B;AACA,cAAI,KAAK;AACL,mBAAO,GAAG;AAAA,UACd,OAAO;AACH,oBAAQ;AAAA,UACZ;AAAA,QACJ,CAAC;AAAA,MACL,CAAC;AAED,cAAQ,GAAG,SAAS,CAAC,UAAuB;AACxC,gBAAQ,eAAe,OAAO,CAAC,KAAoB,eAA0B;AACzE,cAAI,KAAK;AACL,mBAAO,OAAO,GAAG;AAAA,UACrB;AAEA,gBAAM,OAAOF,MAAK,KAAKI,gBAAe,MAAM,QAAQ;AAGpD,cAAIF,UAAS;AACT,uBAAW,gBAAgB,IAAI;AAAA,UACnC;AAEA,gBAAM,cAAcJ,IAAG,kBAAkB,MAAM,QAAQ;AAEvD,sBAAY,KAAK,WAAW;AAE5B,sBAAY,GAAG,SAAS,MAAM;AAC1B,oBAAQ,UAAU;AAAA,UACtB,CAAC;AAAA,QACL,CAAC;AAAA,MACL,CAAC;AAAA,IACL,CAAC;AAAA,EACL;AAEA,QAAM,gBAAgB,yBAAyB;AAC/C,QAAM,kBAAkB,4BAA4B;AAEpD,MAAI,CAACA,IAAG,WAAW,aAAa,GAAG;AAE/B,QAAII,UAAS;AACT,iBAAW,2BAA2B,aAAa;AAAA,IACvD;AACA,IAAAJ,IAAG,UAAU,aAAa;AAAA,EAC9B;AAEA,QAAM,EAAE,WAAW,SAAS,SAAS,IAAI,MAAM,oBAAoB;AAEnE,MAAI,CAAC,WAAW;AACZ,eAAWG,OAAM,OAAO,sDAAsD,CAAC;AAC/E,UAAM,EAAE,eAAe,IAAI,MAAM,iBAAiB;AAGlD,QAAIC,UAAS;AACT,iBAAW,cAAcD,OAAM,OAAO,cAAc,CAAC;AAAA,IACzD;AACA,UAAM,cAAc,cAAc;AAElC,UAAM,gBAAgB,CAAC,CAACH,IAAG,WAAW,eAAe;AAGrD,QAAII,UAAS;AACT,iBAAW,cAAc,eAAe,gBAAgBD,OAAM,MAAM,KAAK,IAAIA,OAAM,IAAI,QAAQ,GAAG,eAAe;AAAA,IACrH;AAEA,UAAM,oBAAoB,MAAM,oBAAoB;AACpD,WAAO;AAAA,EACX,OAAO;AAEH,QAAIC,UAAS;AACT,iBAAWD,OAAM,MAAM,6DAA6D,CAAC;AAAA,IACzF;AACA,WAAO;AAAA,EACX;AACJ;AAMA,eAAsB,uBAAwC;AAE1D,MAAI,QAAQ,aAAa,SAAS;AAC9B,WAAO,MAAM,6BAA6B;AAAA,EAC9C,OAAO;AACH,WAAO,MAAM,wCAAwC;AAAA,EACzD;AACJ;AAEA,eAAsB,wBAAyC;AAC3D,MAAI,QAAQ,aAAa,SAAS;AAC9B,UAAM,kBAAkB,MAAM,qBAAqB;AACnD,QAAI,CAACH,IAAG,WAAW,eAAe,GAAG;AACjC,YAAM,IAAI,MAAM,8BAA8B,eAAe,EAAE;AAAA,IACnE;AACA,WAAO;AAAA,EACX,OAAO;AACH,WAAO;AAAA,EACX;AACJ;AAxaA,IAwCMI;AAxCN;AAAA;AAAA;AAAA;AAsCA;AAEA,IAAMA,WAAU,QAAQ,IAAI,qBAAqB;AAAA;AAAA;;;ACdjD,OAAOK,aAAY;AACnB,OAAOC,oBAAmB;AAC1B,OAAOC,SAAQ;AACf,OAAOC,SAAQ;AACf,OAAOC,aAAY;AACnB,OAAOC,YAAW;AAmBlB,eAAsBC,SAAQ,KAAa,SAA0C;AACjF,QAAM,OAAO,IAAI,MAAM;AAEvB,UAAQ,MAAM,QAAQ,OAAO,QAAQ,IAAI;AAGzC,MAAI,CAAC,SAAS,QAAQ;AAClB,eAAWD,OAAM,KAAK,gCAAgC,GAAG,QAAQ,GAAG;AAAA,EACxE;AAEA,QAAM,UAAoB,CAAC;AAE3B,SAAO,MAAM,IAAI,QAAQ,CAAC,SAAS,WAAW;AAC1C,UAAM,QAAQJ,eAAc;AAAA,MACxB;AAAA,MACA;AAAA,QACI,KAAK,QAAQ;AAAA,QACb,aAAa;AAAA,MACjB;AAAA,MACA,CAAC,QAA4C;AAEzC,YAAI,KAAK;AACL,cAAI,CAAC,QAAQ,kBAAkB;AAC3B,kBAAM,QAAQ;AACd,oBAAQ,MAAMI,OAAM,cAAc,UAAU,GAAG,KAAK,kBAAkB,KAAK,EAAE,CAAC;AAC9E,oBAAQ,MAAMA,OAAM,cAAc,UAAU,SAAS,QAAQ,GAAG,EAAE,CAAC;AACnE,oBAAQ,MAAMA,OAAM,cAAc,UAAU,IAAI,OAAO,CAAC;AACxD,oBAAQ,MAAMA,OAAM,cAAc,UAAU,GAAG,KAAK,kBAAkB,KAAK,EAAE,CAAC;AAE9E,oBAAQ,MAAM,KAAK,KAAK;AAAA,UAC5B;AACA,iBAAO,IAAI,MAAM,IAAI,OAAO,CAAC;AAC7B;AAAA,QACJ;AACA,gBAAQ,QAAQ,KAAK,EAAE,CAAC;AAAA,MAC5B;AAAA,IACJ;AAEA,QAAI,MAAM,QAAQ;AACd,YAAM,UAAUD,QAAO,MAAM,MAAM;AACnC,cAAQ,GAAG,QAAQ,CAAC,SAAiB;AACjC,gBAAQ,KAAK,GAAG,IAAI;AAAA,CAAI;AAAA,MAC5B,CAAC;AACD,UAAI,CAAC,SAAS,QAAQ;AAClB,gBAAQ,GAAG,QAAQ,CAAC,SAAiB;AACjC,iBAAO,KAAK,SAAS;AACrB,cAAI,SAAS;AACT,oBAAQ,OAAO,MAAM,GAAGC,OAAM,MAAM,iBAAiB,IAAIA,OAAM,YAAY,IAAI,CAAC;AAAA,CAAI;AAAA,UACxF;AAAA,QACJ,CAAC;AAAA,MACL;AAAA,IACJ;AAGA,QAAI,CAAC,SAAS,QAAQ;AAClB,UAAI,MAAM,QAAQ;AACd,cAAM,UAAUD,QAAO,MAAM,MAAM;AACnC,gBAAQ,GAAG,QAAQ,CAAC,SAAiB;AACjC,iBAAO,KAAK,SAAS;AACrB,cAAI,cAAc;AACd,oBAAQ,OAAO,MAAM,GAAGC,OAAM,MAAM,iBAAiB,IAAIA,OAAM,IAAI,IAAI,CAAC;AAAA,CAAI;AAAA,UAChF;AAAA,QACJ,CAAC;AAAA,MACL;AAAA,IACJ;AAAA,EACJ,CAAC;AACL;AAEA,eAAsB,eAAgC;AAClD,SAAO,MAAM,sBAAsB;AACvC;AAEA,eAAsB,2BAA0C;AAC5D,MAAI,CAAC,aAAa;AACd,kBAAc,MAAM,aAAa;AACjC,UAAM,UAAU,MAAM,gBAAgB,WAAW,EAAE,KAAK,IAAI,CAAC;AAC7D,aAAS,iBAAiB,QAAQ,KAAK;AACvC,QAAI,SAAS;AACT,iBAAW,sBAAsB,SAAS,cAAc;AAAA,IAC5D;AAAA,EACJ;AACJ;AAMA,eAAsB,2BAA2B,KAAa,SAAgC;AAC1F,YAAU,WAAW,CAAC;AACtB,UAAQ,mBAAmB;AAC3B,MAAI;AACA,WAAO,MAAM,gBAAgB,KAAK,OAAO;AAAA,EAC7C,SAAS,KAAK;AACV,aAAS,gCAAiC,IAAc,OAAO;AAAA,EACnE;AACJ;AAEA,SAAS,gBAAwB;AAC7B,SAAOF,IAAG,OAAO;AACrB;AAMA,eAAsB,gBAAgB,KAAa,SAAiD;AAChG,WAAS,mBAAmB,KAAK,OAAO;AACxC,QAAM,oBAAoB,EAAE,cAAc,GAAG,kBAAkB;AAC/D,MAAI,CAACD,IAAG,WAAW,iBAAiB,GAAG;AACnC,UAAMA,IAAG,SAAS,UAAU,mBAAmB,qBAAqB;AAAA,EACxE;AAEA,YAAU,WAAW,CAAC;AACtB,UAAQ,eAAe,QAAQ,gBAAgB;AAC/C,EAAAF,QAAO,QAAQ,YAAY;AAC3B,SAAO,gBAAgB,QAAQ,YAAY;AAG3C,MAAI,CAAC,SAAS,QAAQ;AAClB,eAAWK,OAAM,KAAK,gCAAgC,GAAG,QAAQ,IAAI,YAAY;AACjF,eAAWA,OAAM,KAAK,gCAAgC,GAAG,QAAQ,IAAI,QAAQ;AAC7E,eAAWA,OAAM,KAAK,wCAAwC,GAAGA,OAAM,WAAW,GAAG,CAAC;AAAA,EAC1F;AACA,QAAM,yBAAyB;AAC/B,SAAO,MAAMC,SAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,GAAG,IAAI,OAAO;AAChE;AA/KA,IAyCI,aAEE;AA3CN;AAAA;AAAA;AAAA;AAgCA;AACA;AACA;AACA;AACA;AACA;AAMA,IAAM,IAAI;AAAA;AAAA;;;ACjBV,OAAOC,aAAY;AAEnB,OAAOC,SAAQ;AACf,OAAOC,WAAU;AASjB,SAAS,kCAAkC;AAEvC,MAAI,CAAC,SAAS,gBAAgB;AAC1B,UAAM,IAAI;AAAA,MACN;AAAA,IACJ;AAAA,EACJ;AACA,SAAO,SAAS,eAAe,MAAM,cAAc;AACvD;AAMO,SAAS,qBAAqB,YAAoB,SAA0B;AAC/E,QAAM,UAAU,SAAS,OAAO;AAEhC,QAAM,mBAAmB,CAACA,MAAK,WAAW,UAAU,IAAIA,MAAK,KAAK,SAAS,UAAU,IAAI;AACzF,MAAI,eAAeD,IAAG,aAAa,kBAAkB,EAAE,UAAU,OAAO,CAAC;AACzE,aAAW,UAAU,uBAAuB,GAAG;AAC3C,mBAAe,aAAa,QAAQ,IAAI,OAAO,OAAO,SAAS,IAAI,GAAG,OAAO,OAAO,GAAG,CAAC;AAAA,EAC5F;AACA,QAAM,mBAAmB,GAAG,UAAU,IAAI,QAAQ,GAAG,IAAI,UAAU;AACnE,QAAM,sBAAsB,CAACC,MAAK,WAAW,UAAU,IAAIA,MAAK,KAAK,SAAS,gBAAgB,IAAI;AAClG,EAAAD,IAAG,cAAc,qBAAqB,YAAY;AAClD,MAAI,SAAS,KAAK;AACd,WAAOC,MAAK,SAAS,QAAQ,KAAK,mBAAmB;AAAA,EACzD,OAAO;AACH,WAAO;AAAA,EACX;AACJ;AAaA,eAAsB,2BAA2B,oBAA4B,mBAA0C;AACnH,EAAAF,QAAOC,IAAG,WAAW,kBAAkB,CAAC;AACxC,QAAM,gBAAgB,mBAAmB,EAAEE,GAAE,kBAAkB,CAAC,CAAC,SAAS,EAAEA,GAAE,iBAAiB,CAAC,CAAC,IAAI,CAAC,CAAC;AAC3G;AAcO,SAAS,SAAS,MAAqB;AAC1C,SAAO,QAAQ,oBAAI,KAAK;AACxB,QAAM,IAAI,KAAK,eAAe;AAC9B,QAAM,IAAI,KAAK,YAAY,IAAI;AAC/B,QAAM,IAAI,KAAK,WAAW;AAC1B,QAAM,IAAI,KAAK,YAAY;AAC3B,QAAM,IAAI,KAAK,cAAc;AAC7B,QAAM,IAAI,KAAK,cAAc;AAE7B,WAAS,EAAEC,IAAoB,GAAmB;AAC9C,WAAO,GAAGA,EAAC,GAAG,SAAS,GAAG,GAAG;AAAA,EACjC;AAEA,MAAI,gCAAgC,GAAG;AAEnC,WAAO,GAAG,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;AAAA,EACvE,OAAO;AAEH,WAAO,GAAG,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;AAAA,EACvE;AACJ;AAKA,eAAsB,gBAAgB,aAAwC;AAC1E,EAAAJ,QAAOC,IAAG,WAAW,WAAW,CAAC;AACjC,SAAO,MAAM,gBAAgB,aAAa,EAAEE,GAAE,WAAW,CAAC,CAAC,kBAAkB,CAAC,CAAC;AACnF;AAEA,eAAsB,MAAM,gBAAyC;AACjE,EAAAH,QAAOC,IAAG,WAAW,cAAc,CAAC;AACpC,QAAM,iBAAiB,eAAe,QAAQ,QAAQ,MAAM;AAC5D,SAAO,MAAM,gBAAgB,4BAA4B,cAAc,SAAS,cAAc,IAAI,CAAC,CAAC;AACxG;AAEA,eAAsB,YAAY,gBAAyC;AAEvE,EAAAD,QAAOC,IAAG,WAAW,cAAc,CAAC;AACpC,SAAO,MAAM,gBAAgB,oCAAoC,cAAc,IAAI,CAAC,CAAC;AACzF;AA1IA,IAkDI,UAoBE,GACAE;AAvEN,IAAAE,gBAAA;AAAA;AAAA;AAAA;AAgCA;AACA;AACA;AACA;AACA;AAYA,aAAS,iBAAiB;AAE1B,IAAI,WAAW;AAoBf,IAAM,IAAI;AACV,IAAMF,KAAI;AAAA;AAAA;;;AC7CV,OAAOG,aAAY;AACnB,OAAOC,SAAQ;AACf,OAAOC,WAAU;AAgBjB,eAAsB,2CAClB,mCACA,QACa;AACb,EAAAF,QAAO,MAAM;AACb,EAAAA,QAAO,OAAO,OAAO;AACrB,EAAAA,QAAO,OAAO,UAAU;AACxB,EAAAA,QAAO,OAAO,UAAU;AACxB,EAAAA,QAAO,OAAO,OAAO,eAAe,QAAQ;AAC5C,EAAAA,QAAOC,IAAG,WAAW,OAAO,UAAU,GAAG,0BAA0B,OAAO,UAAU,EAAE;AACtF,EAAAD,QAAOC,IAAG,WAAW,OAAO,UAAU,GAAG,yBAAyB,OAAO,UAAU,EAAE;AACrF,EAAAD,QAAOC,IAAG,WAAW,OAAO,OAAO,GAAG,wBAAwB;AAC9D,EAAAD,QAAO,OAAO,sCAAsC,QAAQ;AAG5D,kBAAgB,MAAM;AACtB,QAAM,aAAa,qBAAqB,OAAO,YAAY,EAAE,KAAK,OAAO,QAAQ,CAAC;AAElF,QAAM,UAAU,EAAE,KAAK,OAAO,SAAS,cAAcE,MAAK,SAAS,OAAO,SAAS,UAAU,EAAE;AAE/F,QAAM,eAAe,YAAYC,GAAEC,GAAE,UAAU,CAAC,CAAC;AAEjD,QAAM,UAAU,OAAO,UAAU,IAAIC,SAAQ,OAAO,OAAO,EAAE,SAAS,IAAI;AAE1E,QAAM,iBAAiB,UAAU,WAAW,OAAO,MAAM;AAEzD,kBAAgB,uDAAuD;AACvE,QAAM;AAAA,IACF,sCAII,eACA,WACAF,GAAEC,GAAE,OAAO,UAAU,CAAC,IACtB,iBACA,WACAD,GAAEC,GAAE,iCAAiC,CAAC;AAAA,IAC1C;AAAA,EACJ;AACJ;AApFA,IAsCMD,IACAC;AAvCN,IAAAE,2CAAA;AAAA;AAAA;AAAA;AA8BA;AACA;AACA;AACA;AACA;AACA;AACA,IAAAC;AAEA,IAAMJ,KAAI;AACV,IAAMC,KAAI;AAAA;AAAA;;;ACjBV,OAAO,SAAS;AAtBhB;AAAA;AAAA;AAAA;AA0BA;AACA,IAAAI;AACA;AACA;AACA,IAAAC;AAAA;AAAA;;;AC9BA,IAAMC,SAgIC;AAhIP;AAAA;AAAA;AAAA;AAAA,IAAMA,UACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA+HJ,IAAO,iCAAQA;AAAA;AAAA;;;ACzGf,OAAOC,aAAY;AACnB,OAAOC,SAAQ;AACf,OAAOC,WAAU;AACjB,OAAOC,YAAW;AAClB;AAAA,EACI;AAAA,EACA,0BAAAC;AAAA,EACA;AAAA,EACA,WAAAC;AAAA,OAEG;AAgDP,SAAS,uBAAuB,GAAW;AACvC,SACI,SAAS,EAAE,UAAU,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,IACzC,MACA,SAAS,EAAE,UAAU,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,IACzC,MACA,SAAS,EAAE,UAAU,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,IACzC,MACA,SAAS,EAAE,UAAU,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS;AAEjD;AAEA,eAAe,+BAA+B,sBAA2D;AAqBrG,QAAM,UAAU,qBAAqB;AAErC,QAAM,YAAYH,MAAK,QAAQ,qBAAqB,OAAO;AAE3D,iBAAe,eAAe;AAC1B,uBAAmB,SAAS;AAC5B,uBAAmBA,MAAK,KAAK,WAAW,SAAS,CAAC;AAClD,uBAAmBA,MAAK,KAAK,WAAW,QAAQ,CAAC;AAEjD,uBAAmBA,MAAK,KAAK,WAAW,OAAO,CAAC;AAChD,uBAAmBA,MAAK,KAAK,WAAW,KAAK,CAAC;AAC9C,uBAAmBA,MAAK,KAAK,WAAW,MAAM,CAAC;AAAA,EACnD;AACA,QAAM,aAAa;AAEnB,iBAAe,0BAA0B;AACrC,UAAM,SAASA,MAAK,KAAK,WAAW,QAAQ;AAC5C,QAAI,CAACD,IAAG,WAAW,MAAM,GAAG;AACxB,YAAMA,IAAG,SAAS,UAAU,QAAQ,MAAM;AAAA,IAC9C;AAEA,UAAM,YAAYC,MAAK,KAAK,WAAW,WAAW;AAClD,QAAI,CAACD,IAAG,WAAW,SAAS,GAAG;AAC3B,YAAMA,IAAG,SAAS,UAAU,WAAW,MAAM;AAAA,IACjD;AAEA,UAAM,YAAYC,MAAK,KAAK,WAAW,WAAW;AAClD,QAAI,CAACD,IAAG,WAAW,SAAS,GAAG;AAC3B,YAAMA,IAAG,SAAS,UAAU,WAAW,EAAE;AAAA,IAC7C;AAAA,EACJ;AAEA,QAAM,wBAAwB;AAE9B,MAAIA,IAAG,WAAWC,MAAK,KAAK,WAAW,mBAAmB,CAAC,KAAK,CAACI,QAAO,SAAS;AAE7E,aAAS,4CAA4C;AACrD;AAAA,EACJ;AAGA,eAAa,mCAAmC;AAEhD,QAAM,gBAAgBJ,MAAK,KAAK,WAAW,gBAAgB;AAC3D,MAAI,CAACD,IAAG,WAAW,aAAa,GAAG;AAC/B,UAAMA,IAAG,SAAS,UAAU,eAAe,qBAAqB;AAAA,EACpE;AAEA,QAAM,eAAe,qBAAqB;AAC1C,MAAI,GAAmC;AACnC,QAAI,OAAO;AACX,WAAO,SAAS,KAAK,QAAQ,mBAAmB,SAAS,CAAC;AAE1D,UAAMA,IAAG,SAAS,UAAU,cAAc,IAAI;AAAA,EAClD;AAGA,QAAM,aAAa,WAAW,QAAQ,SAAS,CAAC;AAChD,kBAAgB,CAAC,CAAW;AAE5B,QAAM,UAAU,EAAE,KAAK,UAAU;AACjC,QAAM,aAAa,qBAAqB,qBAAqB,OAAO;AACpE,QAAM,eAAe,YAAYM,GAAEC,GAAE,UAAU,CAAC,CAAC;AAEjD,QAAM,UAAU,qBAAqB;AAErC,QAAM,qBAAqBN,MAAK,KAAK,WAAW,mBAAmB;AACnE,QAAM,cAAcA,MAAK,KAAK,WAAW,mBAAmB;AAE5D,eAAa,iCAAiC,OAAO,EAAE;AAIvD,QAAME,wBAAuB,oBAAoB,OAAO;AACxD,eAAa,+CAA+C;AAK5D,QAAM;AAAA,IACF,+CAII,eACA,WACAG,GAAEC,GAAE,kBAAkB,CAAC,IACvB,WACAD,GAAEC,GAAE,WAAW,CAAC,IAChB,MACA;AAAA,IACJ;AAAA,EACJ;AAMA,eAAa,uCAAuC;AACpD,QAAM;AAAA,IACF,sEAIID,GAAEC,GAAE,UAAU,CAAC,IACf,sCAEAD,GAAEC,GAAE,kBAAkB,CAAC,IACvB;AAAA,IACJ;AAAA,EACJ;AACA,kBAAgB,oDAAoD;AACpE,QAAM,cAAc,qBAAqB,gBAAgB,cAAc,OAAO;AAC9E,eAAa,6CAA6C;AAC9D;AAEA,eAAe,cAAc,gBAAwB,cAAsB,SAAgC;AAEvG,kBAAgB,8CAA8C;AAC9D,QAAM,gBAAgB,cAAc,YAAY,iCAAiC,OAAO;AACxF,QAAM,gBAAgB,iFAA2F,OAAO;AAExH,kBAAgB,uCAAuC;AACvD,QAAM,gBAAgB,YAAYD,GAAEC,GAAE,cAAc,CAAC,CAAC,kBAAkB,OAAO;AACnF;AA9OA,IAgEa,gBAKA,2BAEPF,SAMAE,IACAD,IAgNO;AA9Rb;AAAA;AAAA;AAAA;AAmCA;AAgBA;AAeA;AAFO,IAAM,iBAAiB;AAKvB,IAAM,4BAAoC;AAEjD,IAAMD,UAAS;AAAA,MACX,gBAAgB;AAAA,MAChB,SAAS;AAAA,MACT,QAAQ;AAAA,IACZ;AAEA,IAAME,KAAI;AACV,IAAMD,KAAI;AAcV,IAAAP,QAAO,uBAAuB,UAAU,MAAM,iBAAiB;AAkMxD,IAAM,uBAAN,MAA2B;AAAA;AAAA,MAEd;AAAA;AAAA,MAEA;AAAA;AAAA,MAEA;AAAA,MAEhB,YAAY,SAAsC;AAC9C,QAAAA,QAAO,OAAO,UAAU,eAAe,KAAK,SAAS,UAAU,CAAC;AAChE,QAAAA,QAAO,OAAO,UAAU,eAAe,KAAK,SAAS,SAAS,CAAC;AAC/D,aAAK,WAAW,QAAQ;AACxB,aAAK,UAAU,QAAQ,WAAW;AAClC,aAAK,UAAU,IAAIK,SAAQ,QAAQ,WAAW,cAAc;AAAA,MAChE;AAAA;AAAA,MAGA,IAAW,UAAU;AACjB,eAAO,KAAK;AAAA,MAChB;AAAA;AAAA,MAGA,IAAW,aAAa;AACpB,eAAOH,MAAK,UAAUA,MAAK,KAAK,KAAK,SAAS,qBAAqB,CAAC;AAAA,MACxE;AAAA;AAAA,MAGA,IAAW,gBAAgB;AAEvB,eAAO,SAAS,KAAK,SAAS,qBAAqB;AAAA,MACvD;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,IAAW,oBAAoB;AAC3B,eAAO,SAAS,KAAK,SAAS,2BAA2B;AAAA,MAC7D;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,IAAW,iBAAiB;AACxB,eAAO,SAAS,KAAK,SAAS,2BAA2B;AAAA,MAC7D;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,IAAW,uBAAuB;AAC9B,eAAO,SAAS,KAAK,SAAS,qCAAqC;AAAA,MACvE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,aAA4B;AACrC,cAAM,+BAA+B,IAAI;AAAA,MAC7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,MAAa,gCAA+C;AACxD,cAAM,gBAAgB,KAAK;AAS3B,YAAID,IAAG,WAAW,KAAK,cAAc,GAAG;AACpC,gBAAMA,IAAG,SAAS;AAAA,YACd;AAAA,YACAA,IAAG,aAAa,KAAK,eAAe,MAAM,IAAIA,IAAG,aAAa,KAAK,gBAAgB,MAAM;AAAA,UAC7F;AAAA,QACJ,OAAO;AAEH,gBAAMA,IAAG,SAAS,UAAU,eAAeA,IAAG,aAAa,KAAK,aAAa,CAAC;AAAA,QAClF;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQA,MAAa,0BAA0B,aAAsC;AACzE,QAAAD,QAAOC,IAAG,WAAW,WAAW,CAAC;AACjC,QAAAD,QAAOC,IAAG,WAAW,KAAK,aAAa,CAAC;AAExC,iBAASE,OAAM,OAAO,4BAA4B,GAAGA,OAAM,KAAK,WAAW,CAAC;AAE5E,cAAMF,IAAG,SAAS;AAAA,UACd;AAAA,UACC,MAAMA,IAAG,SAAS,SAAS,aAAa,MAAM,IAAM,MAAMA,IAAG,SAAS,SAAS,KAAK,eAAe,MAAM;AAAA;AAAA,QAE9G;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,MAAa,4BAA4B,iBAA2B,YAAsB,QAA+B;AACrH,QAAAD,QAAO,OAAO,eAAe,QAAQ;AACrC,QAAAA,QAAOC,IAAG,WAAW,UAAU,CAAC;AAEhC,YAAI,CAAC,qBAAqB,eAAe,GAAG;AACxC;AAAA,QACJ;AAEA,mBAAW,MAAM;AACjB,6BAAqB,MAAM;AAC3B,wBAAgB,MAAM;AAEtB,cAAM,UAAU,GAAG,eAAe;AAClC,QAAAD,QAAO,OAAO;AACd,cAAM,aAAa,qBAAqB,KAAK,YAAY,EAAE,KAAK,KAAK,QAAQ,CAAC;AAE9E,cAAM,UAAU;AAAA,UACZ,KAAK,KAAK;AAAA,UACV,cAAc,SAAS,UAAU;AAAA,QACrC;AAEA,cAAM,eAAe;AAErB,cAAM,UAAU,OAAO,UAAU,IAAIK,SAAQ,OAAO,OAAO,EAAE,SAAS,IAAI;AAC1E,cAAM,iBAAiB,WAAW,QAAQ,SAAS,IAAI,UAAU,OAAO,MAAM;AAE9E,wBAAgB,mCAAmC;AACnD,cAAM;AAAA,UACF,6BAEI,eACA,iBACA,kBACAE,GAAEC,GAAE,UAAU,CAAC,IACf,WACAD,GAAEC,GAAE,OAAO,CAAC;AAAA,UAChB;AAAA,QACJ;AAEA,wBAAgB,wCAAwC;AACxD,cAAM;AAAA,UACF,6BAGID,GAAEC,GAAE,UAAU,CAAC,IACf,iBACA,SAAS,OAAO,SAAS,IACzB,eACA,SAAS,OAAO,OAAO,IACvB,kBACAD,GAAEC,GAAE,eAAe,CAAC,IACpB,UACAD,GAAEC,GAAE,OAAO,CAAC;AAAA,UAChB;AAAA,QACJ;AAEA,wBAAgB,oCAAoC;AAEpD,cAAM,gBAAgB,YAAYD,GAAEC,GAAE,eAAe,CAAC,CAAC,yCAAyC,CAAC,CAAC;AAElG,wBAAgB,kCAAkC;AAClD,cAAM,2BAA2B,2BAA2BD,GAAEC,GAAE,eAAe,CAAC,CAAC,IAAID,GAAEC,GAAE,eAAe,CAAC,CAAC,IAAI,OAAO;AAErH,cAAMP,IAAG,SAAS,OAAO,OAAO;AAAA,MACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAUA,MAAa,kBAAkB,aAAuB,QAA+B;AACjF,cAAM,aAAa;AAAA,UACf;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACJ;AAEA,cAAM,aAAa,qBAAqB,qBAAqB,EAAE,KAAK,KAAK,QAAQ,CAAC;AAElF,cAAM,UAAU;AAAA,UACZ,KAAK,KAAK;AAAA,UACV,cAAc,SAAS,UAAU;AAAA,QACrC;AAEA,eAAO,WAAW,EAAE;AACpB,cAAM,aAAaC,MAAK,KAAK,KAAK,SAAS,YAAY;AACvD,eAAO,YAAY,UAAU;AAO7B,cAAM,eAAe,YAAYK,GAAEC,GAAE,UAAU,CAAC,CAAC;AAEjD,cAAM,SAAS,OAAO,UAAU;AAChC,QAAAR,QAAO,WAAW,QAAQ,MAAM,KAAK,CAAC;AAEtC,qBAAa,yBAAyB,WAAW,EAAE;AAEnD,wBAAgB,oBAAoB;AAEpC,cAAM,2BAA2B,eAAe,YAAY,YAAYO,GAAE,WAAW,CAAC,gBAAgB,MAAM,IAAI,OAAO;AAEvH,cAAM,cAAc,KAAK,gBAAgB,cAAc,OAAO;AAE9D,wBAAgB,oCAAoC;AAEpD,cAAM;AAAA,UACF,8BAGIA,GAAEC,GAAE,KAAK,cAAc,CAAC,IACxB,cACAD,GAAEC,GAAE,KAAK,aAAa,CAAC,IACvB,iBACAD,GAAEC,GAAE,WAAW,CAAC;AAAA,UACpB;AAAA,QACJ;AAGA,wBAAgB,0BAA0B;AAC1C,cAAM,gBAAgB,YAAYD,GAAEC,GAAE,KAAK,cAAc,CAAC,CAAC,+CAA+C,OAAO;AAEjH,wBAAgB,0BAA0B;AAE1C,cAAM,gBAAgB,YAAYD,GAAEC,GAAE,KAAK,cAAc,CAAC,CAAC,sDAAsD,OAAO;AAAA,MAC5H;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAcA,MAAa,uBACT,aACA,mCACA,SACiB;AACjB,cAAM,yBAAyB;AAC/B,QAAAR,QAAOC,IAAG,WAAW,iCAAiC,CAAC;AACvD,YAAI,CAAC,qBAAqB,WAAW,GAAG;AACpC,iBAAO;AAAA,QACX;AACA,mBAAW,OAAO;AAClB,6BAAqB,OAAO;AAC5B,wBAAgB,OAAO;AAEvB,cAAM,UAA0B,EAAE,KAAK,KAAK,QAAQ;AAKpD,cAAM,MAAM,MAAM,8BAA8B,iCAAiC;AACjF,cAAM,UAAU,iCAAiC,GAAG;AAEpD,cAAM,iBAAiB,QAAQ,iBAAiB,eAAe,4BACzD,QAAQ,iBAAiB,eAAe,0BAA0B,CAAC,IACnE;AACN,YAAI,OAAO,mBAAmB,UAAU;AACpC,gBAAM,IAAI,MAAM,mCAAmC;AAAA,QACvD;AAEA,cAAMQ,OAAM,QAAQ,iBAAiB,eAAe,WAAW,CAAC;AAChE,YAAI,KAAK,QAAQ,iBAAiB,eAAe,aAAa,CAAC;AAC/D,aAAK,GAAG,IAAI,sBAAsB;AAElC,cAAM,SAA+B;AAAA,UACjC;AAAA,UACA,KAAAA;AAAA,UACA;AAAA,QACJ;AAEA,wBAAgB,MAAM;AAEtB,cAAM,aAAa,qBAAqB,qBAAqB,OAAO;AAEpE,wBAAgB,qEAAqE;AAErF,cAAM,eAAe,YAAY,UAAU;AAC3C,cAAM;AAAA,UACF,QACI,eACA,iBACA,SAAS,QAAQ,SAAS,IAC1B,eACA,SAAS,QAAQ,OAAO,IACxB,kBACAF,GAAEC,GAAE,WAAW,CAAC,IAChB,UACAD,GAAEC,GAAE,iCAAiC,CAAC;AAAA,UAC1C;AAAA,QACJ;AAEA,wBAAgB,oCAAoC;AACpD,cAAM,gBAAgB,YAAYD,GAAEC,GAAE,WAAW,CAAC,CAAC,yCAAyC,OAAO;AAEnG,wBAAgB,qCAAqC;AACrD,cAAM,KAAK,8BAA8B;AAIzC,wBAAgB,+BAA+B;AAC/C,cAAM,KAAK,0BAA0B,WAAW;AAEhD,wBAAgB,0CAA0C;AAC1D,cAAM,KAAK,kBAAkB,WAAW;AAExC,eAAO;AAAA,MACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,kBAAkB,aAAsC;AAGjE,cAAM,gBAAgB;AAGtB,YAAI,eAAe;AACf,gBAAM,UAAU,EAAE,KAAK,KAAK,QAAQ;AACpC,gBAAM,aAAa,qBAAqB,qBAAqB,OAAO;AAEpE,iBAAO,gBAAgB,SAAS,UAAU,CAAC;AAC3C,gBAAM,gBAAgB,YAAY,UAAU;AAC5C;AACA,gBAAM;AAAA,YACF,4BAA4BD,GAAEC,GAAE,KAAK,oBAAoB,CAAC,CAAC,IAAID,GAAEC,GAAE,WAAW,CAAC,CAAC;AAAA,YAChF;AAAA,UACJ;AAAA,QACJ;AAAA,MACJ;AAAA,IACJ;AAAA;AAAA;;;ACnnBA,OAAOE,cAAY;AACnB,OAAOC,UAAQ;AACf,SAAS,qBAAqB;AAC9B,OAAOC,SAAQ;AACf,OAAOC,WAAU;AACjB,OAAOC,YAAW;AAClB,SAAS,sBAAAC,qBAAoB,0BAAAC,yBAAwB,WAAAC,gBAAoC;AAugBzF,OAAO,qBAAqB;AAC5B,OAAO,sBAAsB;AAxe7B,SAAS,gBAAgB,MAAY,QAAsB;AACvD,QAAM,IAAI,IAAI,KAAK,KAAK,QAAQ,CAAC;AACjC,IAAE,QAAQ,EAAE,QAAQ,IAAI,MAAM;AAC9B,SAAO;AACX;AAyCA,eAAeC,gCAA+B,SAAiB;AAE3D,EAAAR,SAAO,OAAO,aAAa,aAAa,UAAU,gCAAgC;AAClF,EAAAA,SAAO,OAAO,aAAa,YAAY,UAAU,+BAA+B;AAEhF,MAAI,CAAC,wBAAwB;AACzB,6BAAyB,IAAI,qBAAqB;AAAA,MAC9C,SAAS,aAAa;AAAA,MACtB,UAAU,aAAa;AAAA,MACvB;AAAA,IACJ,CAAC;AACD,UAAM,uBAAuB,WAAW;AAAA,EAC5C;AACJ;AASA,eAAe,+BAA+B;AAC1C,EAAAA,SAAO,OAAO,aAAa,cAAc,UAAU,iCAAiC;AAEpF,MAAI,CAAC,oBAAoB;AACrB,yBAAqB,IAAI,mBAAmB;AAAA,MACxC,SAAS,aAAa;AAAA,MACtB,UAAU,aAAa;AAAA,IAC3B,CAAC;AACD,UAAM,mBAAmB,WAAW;AAAA,EACxC;AACJ;AAcA,SAAS,2BAAmC;AAExC,MAAK,QAAwD,KAAK,YAAY;AAM1E,UAAM,IAAIC,KAAG,aAAaE,MAAK,KAAK,WAAW,iCAAiC,GAAG,MAAM;AACzF,WAAO;AAAA,EACX;AACA,WAAS,+BAA+B;AACpC,UAAM,aAAa,wBAAwB;AAK3C,UAAM,aAAa;AAEnB,QAAIM,2BAA0BN,MAAK,KAAK,YAAY,OAAO,UAAU;AAErE,QAAI,CAACF,KAAG,WAAWQ,wBAAuB,GAAG;AACzC,MAAAA,2BAA0BN,MAAK,KAAK,WAAW,MAAM,UAAU;AAE/D,UAAI,CAACF,KAAG,WAAWQ,wBAAuB,GAAG;AACzC,QAAAA,2BAA0BN,MAAK,KAAK,WAAW,UAAU,UAAU,EAAE;AAAA,MACzE;AAAA,IACJ;AACA,WAAOM;AAAA,EACX;AACA,QAAM,0BAA0B,6BAA6B;AAC7D,EAAAT,SAAOC,KAAG,WAAW,uBAAuB,CAAC;AAC7C,QAAM,kCAAkCA,KAAG,aAAa,yBAAyB,MAAM;AACvF,SAAO;AACX;AAKA,SAAS,0BAA0B;AAC/B,MAAI,aAAaE,MAAK,KAAK,SAAS;AAEpC,WAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AACxB,QAAIF,KAAG,WAAWE,MAAK,KAAK,YAAY,cAAc,CAAC,GAAG;AACtD,aAAO;AAAA,IACX;AACA,iBAAaA,MAAK,KAAK,YAAY,IAAI;AAAA,EAC3C;AAEA,EAAAH,SAAOC,KAAG,WAAWE,MAAK,KAAK,YAAY,cAAc,CAAC,GAAG,2CAA2C;AACxG,SAAO;AACX;AAmBA,eAAe,kBAAkB,MAA8B;AAC3D,MAAI,KAAK,QAAQ;AACb,aAAS,SAAS;AAAA,EACtB,OAAO;AACH,aAAS,SAAS;AAAA,EACtB;AAEA,QAAMO,QAAO,MAAM,gCAAgC;AACnD,QAAM,WAAWR,IAAG,SAAS;AAC7B,MAAI;AAEJ,WAAS,oBAAoB,KAAqB;AAC9C,UAAM,IAAI,QAAQ,SAAS,QAAQ,IAAI,CAAC;AACxC,QAAI,gBAAgB;AAChB,YAAM,IAAI,QAAQ,UAAU,cAAc;AAAA,IAC9C;AACA,QAAI,cAAc,WAAW;AACzB,YAAM,IAAI,QAAQ,eAAe,aAAa,SAAS;AAAA,IAC3D;AACA,UAAM,IAAI,QAAQ,cAAc,QAAQ;AACxC,UAAM,IAAI,QAAQ,UAAUQ,KAAI;AAChC,WAAO;AAAA,EACX;AAEA,WAAS,QAAQ,MAA0B;AACvC,UAAM,MAAMP,MAAK,QAAQ,oBAAoB,IAAI,CAAC;AAClD,WAAO,SAAS,GAAG;AAAA,EACvB;AAGA,mBAAiB,KAAK;AACtB,EAAAH,SAAO,OAAO,mBAAmB,QAAQ;AAEzC,mBAAiB,QAAQ,cAAc;AACvC,qBAAmB,cAAc;AACjC,EAAAA,SAAOC,KAAG,WAAW,cAAc,CAAC;AAGpC,QAAM,iBAAiBE,MAAK,KAAK,gBAAgB,WAAW;AAE5D,MAAI,CAACF,KAAG,WAAW,cAAc,GAAG;AAEhC,aAASG,OAAM,OAAO,kCAAkC,GAAGA,OAAM,KAAK,cAAc,CAAC;AACrF,UAAM,kCAAkC,yBAAyB;AACjE,IAAAH,KAAG,cAAc,gBAAgB,+BAA+B;AAAA,EACpE,OAAO;AACH,aAASG,OAAM,OAAO,wBAAwB,GAAGA,OAAM,KAAK,cAAc,CAAC;AAAA,EAC/E;AACA,MAAI,CAACH,KAAG,WAAW,cAAc,GAAG;AAChC,aAASG,OAAM,UAAU,6BAA6B,cAAc,CAAC;AAAA,EACzE;AAIA,QAAM,oBAAoBD,MAAK,KAAKA,MAAK,QAAQ,cAAc,GAAG,YAAY;AAC9E,SAAO,YAAY,iBAAiB;AAGpC,QAAM,WAAW,cAAc,UAAU;AACzC,iBAAe,SAAS,cAAc;AAEtC,eAAa,UAAU,IAAII,SAAQ,aAAa,WAAW,EAAE;AAG7D,MAAI,KAAK,SAAS;AACd,iBAAa,UAAU,IAAIA,SAAQ,KAAK,OAAO;AAAA,EACnD;AAGA,MAAI,CAAC,aAAa,QAAQ,YAAY;AAClC,UAAM,IAAI,MAAM,iCAAiC;AAAA,EACrD;AAEA,eAAa,iBAAiB;AAG9B,MAAI,WAAW,KAAK,YAAYJ,MAAK,KAAK,gBAAgB,IAAI;AAC9D,aAAW,QAAQ,QAAQ;AAC3B,eAAa,WAAW;AAGxB,eAAa,YAAYA,MAAK,KAAK,aAAa,gBAAgB,KAAK;AACrE,MAAI,KAAK,WAAW;AAChB,iBAAa,YAAY,QAAQ,KAAK,SAAS;AAAA,EACnD;AACA,eAAa,YAAY,QAAQ,aAAa,SAAS;AACvD,MAAI,KAAK,YAAY;AACjB,iBAAa,aAAa,QAAQ,KAAK,UAAU;AAAA,EACrD;AAEA,MAAI,KAAK,gBAAgB;AACrB,iBAAa,iBAAiB,oBAAoB,KAAK,cAAc;AAAA,EACzE;AAEA,MAAI,KAAK,QAAQ;AACb,iBAAa,aAAa,KAAK;AAAA,EACnC;AAEA,eAAa,WAAW,CAAC;AACzB,MAAI,KAAK,UAAU;AACf,iBAAa,WAAW,KAAK,SAAS,MAAM,GAAG;AAAA,EACnD;AACA,eAAa,MAAM,CAAC,4BAA4B,CAAC;AACjD,MAAI,KAAK,KAAK;AACV,iBAAa,MAAM,KAAK,IAAI,MAAM,GAAG,EAAE,IAAI,mBAAmB;AAAA,EAClE;AACA,eAAa,KAAK,CAAC;AACnB,MAAI,KAAK,IAAI;AACT,iBAAa,KAAK,KAAK,GAAG,MAAM,GAAG;AAAA,EACvC;AACA,MAAI,KAAK,SAAS;AACd,UAAM,IAAI,KAAK;AACf,QAAI,MAAM,QAAQ,MAAM,QAAQ,MAAM,QAAQ,MAAM,MAAM;AACtD,YAAM,IAAI,MAAM,6BAA6B,CAAC,mCAAmC;AAAA,IACrF;AACA,iBAAa,UAAU,KAAK;AAAA,EAChC;AAEA,MAAI,KAAK,UAAU;AACf,iBAAa,WAAW,KAAK;AAAA,EACjC;AAGJ;AAEA,eAAe,yBACX,WACA,QACA,YACA,gBACA,KACF;AAEE,EAAAH,SAAO,eAAe,QAAQ,eAAe,QAAQ,eAAe,QAAQ,eAAe,IAAI;AAE/F,QAAM,mBAAmB,SAAS,WAAW,GAAG,MAAM,OAAO,UAAU,MAAM;AAC7E,QAAM,kBAAkB,SAAS,WAAW,GAAG,MAAM,cAAc,UAAU,MAAM;AACnF,QAAM,mBAAmB,SAAS,WAAW,GAAG,MAAM,QAAQ,UAAU,MAAM;AAC9E,QAAM,6BAA6B,SAAS,WAAW,GAAG,MAAM,QAAQ,UAAU,gBAAgB;AAClG,QAAM,kCAAkC,SAAS,WAAW,GAAG,MAAM,QAAQ,UAAU,qBAAqB;AAC5G,QAAM,sBAAsB,SAAS,WAAW,GAAG,MAAM,QAAQ,UAAU,cAAc;AACzF,QAAM,+BAA+B,SAAS,WAAW,GAAG,MAAM,mBAAmB,UAAU,MAAM;AAErG,QAAMU,QAAO,4BAA4B;AACzC,QAAM,WAAWR,IAAG,SAAS;AAC7B,QAAMS,OAAgB;AAAA;AAAA;AAAA,IAGlB,4BAA4B;AAAA,EAChC;AACA,MAAI,aAAaD,OAAM;AACnB,IAAAC,KAAI,KAAK,QAAQ;AAAA,EACrB;AAEA,QAAM,KAAe,CAAC;AAEtB,iBAAe,4BACX,aACA,aACAC,iBACA,WACA,UACe;AAEf,QAAIX,KAAG,WAAW,WAAW,GAAG;AAC5B,iBAAWG,OAAM,OAAO,sBAAsB,GAAGA,OAAM,KAAK,WAAW,GAAGA,OAAM,OAAO,6BAA6B,CAAC;AACrH,aAAO;AAAA,IACX,OAAO;AACH,aAAO,MAAM,kBAAkB,aAAa,aAAaQ,iBAAgB,WAAW,QAAQ;AAAA,IAChG;AAAA,EACJ;AAEA,iBAAe,kBACX,aACA,YACAA,iBACA,WACA,UACe;AACf,UAAM,gCAAgC,GAAG,WAAW;AAEpD,UAAM,aAAa,SAAS,WAAW,qCAAqC;AAE5E,UAAMD,OAAM,CAACT,IAAG,SAAS,CAAC;AAC1B,UAAMW,MAAK,CAAC,WAAW;AAEvB,UAAM,SAA2D;AAAA,MAC7D,gBAAAD;AAAA,MACA;AAAA,MACA,SAAS;AAAA,MACT;AAAA,MACA,KAAAD;AAAA,MACA,IAAAE;AAAA,MACA,SAASR,oBAAmB;AAAA,IAChC;AAGA,UAAM,2CAA2C,+BAA+B,MAAM;AAEtF,WAAO,MAAM,uBAAuB,uBAAuB,aAAa,+BAA+B;AAAA,MACnG,gBAAAO;AAAA,MACA,KAAAD;AAAA,MACA,IAAAE;AAAA,MACA;AAAA,MACA;AAAA,IACJ,CAAC;AAAA,EACL;AAEA,iBAAeC,6BACX,aACA,aACAF,iBACA,WACA,UACF;AACE,UAAM,uBAAuB,4BAA4B,aAAa,aAAa;AAAA,MAC/E,gBAAAA;AAAA,MACA,KAAAD;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACJ,CAAC;AAAA,EACL;AAEA,iBAAe,mBAAmB,aAAuB;AACrD,UAAM,uBAAuB,kBAAkB,aAAa,CAAC,CAAC;AAAA,EAClE;AAEA,iBAAe,2BAA2B,YAAsB,WAAoB;AAChF,QAAIV,KAAG,WAAW,UAAU,GAAG;AAC3B,iBAAWG,OAAM,OAAO,qBAAqB,GAAGA,OAAM,KAAK,UAAU,GAAGA,OAAM,OAAO,6BAA6B,CAAC;AACnH;AAAA,IACJ,OAAO;AACH,YAAME,wBAAuB,YAAY,SAAS;AAAA,IACtD;AAAA,EACJ;AAEA,kBAAgB,wBAAwB,gBAAgB,EAAE;AAE1D,QAAM,2BAA2B,kBAAkB,UAAU;AAC7D,kBAAgB,uBAAuB,eAAe,oBAAoB;AAC1E,QAAM,2BAA2B,kBAAkB,eAAe;AAClE,kBAAgB,uBAAuB,gBAAgB,EAAE;AAEzD,QAAM,4BAA4B,kBAAkB,kBAAkB,gBAAgB,WAAW,GAAG;AAEpG,kBAAgB,mCAAmC,4BAA4B,EAAE;AAEjF,MAAIL,KAAG,WAAW,4BAA4B,GAAG;AAE7C;AAAA,EACJ;AACA,QAAMa,6BAA4B,8BAA8B,kBAAkB,gBAAgB,WAAW,GAAG;AAEhH,MAAI,KAAK;AACL,UAAM,4BAA4B,4BAA4B,kBAAkB,gBAAgB,eAAe,GAAG;AAElH,UAAM,4BAA4B,iCAAiC,kBAAkB,gBAAgB,WAAW,GAAG;AAEnH,QAAI,CAACb,KAAG,WAAW,mBAAmB,GAAG;AAErC,YAAM,cAAc,MAAM;AAAA,QACtB;AAAA,QACA;AAAA,QACA,GAAG,cAAc;AAAA;AAAA,QACjB;AAAA,QACA;AAAA,MACJ;AACA,iBAAW,8BAA8B,WAAW;AACpD,yBAAmB,mBAAmB;AAAA,IAC1C;AAAA,EACJ;AACJ;AAEA,eAAe,KAAK,MAA2B;AAC3C,MAAI;AACA,UAAM,KAAK;AAAA,EACf,SAAS,KAAK;AACV,YAAQ,IAAK,IAAc,OAAO;AAAA,EACtC;AACJ;AAEA,eAAe,4BAA4B,KAAc;AACrD,EAAAD,SAAO,YAAY;AACnB,QAAM,YAAY,aAAa,kBAAkB;AACjD,EAAAA,SAAOC,KAAG,WAAW,SAAS,CAAC;AAE/B,MAAI;AACJ,MAAI;AACJ,MAAI;AACJ,OAAK,YAAY;AACb,UAAM,gCAAgC;AACtC,UAAM,WAAWC,IAAG,SAAS;AAC7B,UAAMQ,QAAO,4BAA4B;AACzC,eAAWN,OAAM,OAAO,kBAAkB,GAAGA,OAAM,KAAK,QAAQ,CAAC;AACjE,eAAWA,OAAM,OAAO,kBAAkB,GAAGA,OAAM,KAAKM,KAAI,CAAC;AAC7D,gBAAY,mBAAmB,UAAU,kBAAkB;AAC3D,gBAAY,mBAAmB,UAAU,kBAAkB;AAC3D,yBAAqB,mBAAmB,UAAU,2BAA2B;AAE7E,iBAAa,8DAA8D;AAC3E,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AACzE,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AACzE,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AACzE,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AAEzE,iBAAa,8DAA8D;AAC3E,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AACzE,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AACzE,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AACzE,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AAEzE,iBAAa,uEAAuE;AACpF,UAAM,yBAAyB,WAAW,oBAAoB,MAAM,oBAAoB,GAAG;AAC3F,UAAM,yBAAyB,WAAW,oBAAoB,MAAM,oBAAoB,GAAG;AAC3F,UAAM,yBAAyB,WAAW,oBAAoB,MAAM,oBAAoB,GAAG;AAC3F,UAAM,yBAAyB,WAAW,oBAAoB,MAAM,oBAAoB,GAAG;AAAA,EAC/F,CAAC;AACL;AAEA,eAAe,0BAA0B,KAAc;AACnD,QAAMF,gCAA+B,EAAE;AACvC,QAAM,6BAA6B;AACnC,QAAM,4BAA4B,GAAG;AACzC;AAuCA,SAAS,WAAW,OAAiB;AACjC,SAAO,cAAc,OAAO,CAAC,MAAM,MAAM,SAAS,EAAE,IAAI,KAAK,EAAE,SAAS,UAAU,EAAE,SAAS,QAAQ;AACzG;AAEA,SAAS,SAAS,SAAiB,aAAqB,SAAoC,OAAgB;AACxG,QAAM,WAAW;AAAA,IACb;AAAA,MACI,QAAQ,YAAY,OAAO;AAAA,MAC3B,SAAS;AAAA,IACb;AAAA,IACA;AAAA,MACI,QAAQ;AAAA,MACR,SAAS,SAAS,MAAM,OAAO;AAAA,IACnC;AAAA,IACA;AAAA,MACI,QAAQ;AAAA,MACR,YAAY;AAAA,IAChB;AAAA,EACJ;AACA,UAAQ,IAAI,iBAAiB,QAAQ,CAAC;AAC1C;AAEA,eAAsB,KAAK,eAAkC;AACzD,QAAM,kBAAkB,CAAC,EAAE,MAAM,WAAW,eAAe,KAAK,CAAC;AACjE,MAAI;AACJ,MAAI;AACA,kBAAc,gBAAgB,iBAAiB,EAAE,MAAM,eAA2B,oBAAoB,KAAK,CAAC;AAAA,EAChH,SAAS,KAAK;AACV,YAAQ,IAAK,IAAc,OAAO;AAClC;AAAA,EACJ;AAEA,QAAM,OAAO,YAAY,YAAY,CAAC;AACtC,QAAM,UAAU,YAAY;AAE5B,MAAI,CAAC,WAAW,YAAY,QAAQ;AAChC,YAAQ;AAAA,MACJ,iBAAiB;AAAA,QACb;AAAA,UACI,QAAQ;AAAA,UACR,SAAS;AAAA;AAAA,EAAoC,MAAM;AAAA,QACvD;AAAA,QACA;AAAA,UACI,QAAQ;AAAA,UACR,SAAS;AAAA,YACL,EAAE,MAAM,QAAQ,SAAS,kDAAkD;AAAA,YAC3E,EAAE,MAAM,YAAY,SAAS,iCAAiC;AAAA,YAC9D,EAAE,MAAM,aAAa,SAAS,qCAAqC;AAAA,YACnE,EAAE,MAAM,eAAe,SAAS,2BAA2B;AAAA,YAC3D,EAAE,MAAM,4BAA4B,SAAS,gCAAgC;AAAA,YAC7E,EAAE,MAAM,OAAO,SAAS,uCAAuC;AAAA,YAC/D,EAAE,MAAM,QAAQ,SAAS,oEAAoE;AAAA,YAC7F,EAAE,MAAM,0BAA0B,SAAS,wBAAwB;AAAA,YACnE,EAAE,MAAM,0BAA0B,SAAS,0DAA0D;AAAA,YACrG,EAAE,MAAM,iCAAiC,SAAS,oCAAoC;AAAA,YACtF,EAAE,MAAM,WAAW,SAAS,6BAA6B;AAAA,UAC7D;AAAA,QACJ;AAAA,MACJ,CAAC;AAAA,IACL;AACA;AAAA,EACJ;AAEA,MAAI,YAAY,WAAW;AACvB,UAAM,aAAa,wBAAwB;AAC3C,UAAM,MAAM,KAAK,MAAMP,KAAG,aAAaE,MAAK,KAAK,YAAY,cAAc,GAAG,OAAO,CAAC;AACtF,YAAQ,IAAI,IAAI,OAAO;AACvB;AAAA,EACJ;AAEA,MAAI,YAAY,QAAQ;AACpB,UAAM,aAAa;AAAA,MACf,GAAG,WAAW,CAAC,QAAQ,QAAQ,CAAC;AAAA,MAChC,EAAE,MAAM,OAAO,MAAM,SAAS,aAAa,iEAAiE;AAAA,MAC5G,EAAE,MAAM,SAAS,MAAM,SAAS,aAAa,4CAA4C;AAAA,IAC7F;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW;AACX,aAAO;AAAA,QACH;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACJ;AAEJ,UAAM,KAAK,YAAY;AACnB,YAAM,yBAAyB;AAC/B,qBAAe,0BAA0B;AACzC,mBAAa,uBAAuB;AACpC,YAAM,kBAAkB,UAA+C;AACvE,UAAI,WAAW,OAAO;AAClB,qBAAa,2BAA2B;AACxC,QAAAH,SAAO,YAAY;AACnB,cAAM,iBAAiB,aAAa,kBAAkB;AACtD,cAAM,QAAQ,MAAMC,KAAG,SAAS,QAAQ,cAAc;AACtD,mBAAW,QAAQ,OAAO;AACtB,cAAI,KAAK,SAAS,MAAM,KAAK,KAAK,SAAS,MAAM,GAAG;AAChD,kBAAMA,KAAG,SAAS,OAAOE,MAAK,KAAK,gBAAgB,IAAI,CAAC;AAAA,UAC5D;AAAA,QACJ;AACA,2BAAmB,cAAc;AAAA,MACrC;AACA,mBAAa,qBAAqB;AAClC,YAAM,0BAA0B,WAAW,GAAG;AAC9C,qBAAe,4BAA4B;AAAA,IAC/C,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,YAAY;AACxB,UAAM,aAAa;AAAA,MACf,GAAG,WAAW,CAAC,QAAQ,YAAY,WAAW,QAAQ,CAAC;AAAA,MACvD,EAAE,MAAM,WAAW,MAAM,QAAQ,cAAc,gBAAgB,aAAa,6BAA6B;AAAA,IAC7G;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,KAAM,QAAO,SAAS,YAAY,kCAAkC,UAAU;AAE7F,UAAM,KAAK,YAAY;AACnB,YAAM,yBAAyB;AAC/B,YAAM,kBAAkB,UAA+C;AACvE,YAAMK,gCAA+B,WAAW,OAAO;AAAA,IAC3D,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,aAAa;AACzB,UAAM,aAAa,WAAW,CAAC,QAAQ,aAAa,WAAW,QAAQ,CAAC;AACxE,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,KAAM,QAAO,SAAS,aAAa,sCAAsC,UAAU;AAElG,UAAM,KAAK,YAAY;AACnB,YAAM,kBAAkB,UAA+C;AACvE,YAAM,6BAA6B;AAAA,IACvC,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,eAAe;AAC3B,UAAM,aAAa;AAAA,MACf,GAAG,WAAW,CAAC,QAAQ,YAAY,aAAa,cAAc,QAAQ,CAAC;AAAA,MACvE;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA,EAAE,MAAM,YAAY,OAAO,KAAK,MAAM,QAAQ,aAAa,mCAAmC;AAAA,MAC9F;AAAA,QACI,MAAM;AAAA,QACN,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA,EAAE,MAAM,MAAM,MAAM,QAAQ,cAAc,IAAI,aAAa,0CAA0C;AAAA,MACrG;AAAA,QACI,MAAM;AAAA,QACN,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,IACJ;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,QAAQ,CAAC,WAAW,kBAAkB,CAAC,WAAW;AAC7D,aAAO,SAAS,eAAe,4BAA4B,UAAU;AAEzE,mBAAe,oBAAoBO,aAAoC;AACnE,YAAM,aAAa,CAAC,CAAEA,YAAmD;AACzE,UAAI,CAAC,YAAY;AACb,cAAM,yBAAyBA,WAAU;AAAA,MAC7C,OAAO;AACH,cAAM,+BAA+BA,WAAU;AAAA,MACnD;AAAA,IACJ;AAEA,mBAAe,+BAA+BA,aAAoC;AAC9E,YAAM,QAAQ,MAAM,gCAAgC;AACpD,YAAM,kBAAkBA,WAAU;AAClC,YAAM,6BAA6B;AAEnC,sBAAgB,mCAAmC,aAAa,UAAU,EAAE;AAC5E,UAAI,UACAA,YAAW,WAAWA,YAAW,QAAQ,SAAS,IAAI,IAAIR,SAAQQ,YAAW,OAAO,IAAI,aAAa,WAAW;AAEpH,gBAAU,KAAK,MAAM,KAAK,UAAU,OAAO,CAAC;AAE5C,YAAM,SAA0C;AAAA,QAC5C,gBAAgB,aAAa,kBAAkB;AAAA,QAC/C,KAAK,aAAa,OAAO,CAAC;AAAA,QAC1B,IAAI,aAAa,MAAM,CAAC;AAAA,QACxB,YAAY,aAAa,cAAc;AAAA,QACvC,WAAW,aAAa,aAAa,oBAAI,KAAK;AAAA,QAC9C;AAAA,QACA,UAAU,aAAa,YAAY;AAAA,MACvC;AAEA,YAAM,mBAAmB,4BAA4B,MAAM;AAAA,IAC/D;AAEA,mBAAe,yBAAyBA,aAAoC;AACxE,YAAM,kBAAkBA,WAAU;AAClC,YAAM,6BAA6B;AACnC,YAAMP,gCAA+B,EAAE;AACvC,MAAAR,SAAOC,KAAG,WAAW,aAAa,YAAY,EAAE,GAAG,uBAAuB;AAC1E,mBAAa,aAAa;AAG1B,mBAAa,UAAUc,YAAW,WAAWA,YAAW,QAAQ,SAAS,IAAIA,YAAW,UAAU,aAAa;AAE/G,YAAM,WAAW,MAAM,mBAAmB;AAAA,QACtC;AAAA,MACJ;AACA,UAAI,CAAC,UAAU;AACX;AAAA,MACJ;AACA,iBAAW,gBAAgB,QAAQ;AACnC,YAAM,cAAc,SAAS,QAAQ,QAAQ,MAAM;AAEnD,UAAId,KAAG,WAAW,WAAW,GAAG;AAC5B,cAAM,IAAI,MAAM,SAAS,WAAW,gBAAgB;AAAA,MACxD;AACA,YAAM,uBAAuB;AAAA,QACzB;AAAA,QACA;AAAA,QACA;AAAA,MACJ;AAEA,MAAAD,SAAO,OAAO,aAAa,eAAe,QAAQ;AAClD,MAAAC,KAAG,cAAc,aAAa,cAAc,IAAIA,KAAG,aAAa,aAAa,OAAO,CAAC;AAAA,IACzF;AAEA,UAAM,KAAK,YAAY,MAAM,oBAAoB,UAA+C,CAAC;AACjG;AAAA,EACJ;AAEA,MAAI,YAAY,UAAU;AACtB,UAAM,aAAa,CAAC,EAAE,MAAM,mBAAmB,MAAM,QAAQ,eAAe,KAAK,GAAG,GAAG,WAAW,CAAC,QAAQ,UAAU,CAAC,CAAC;AACvH,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,QAAQ,CAAC,WAAW;AAC/B,aAAO;AAAA,QACH;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACJ;AAEJ,mBAAe,mBAAmB,aAAuB;AACrD,YAAM,uBAAuB,kBAAkB,aAAa,CAAC,CAAC;AAAA,IAClE;AAEA,UAAM,KAAK,YAAY;AACnB,YAAM,cAAcE,MAAK,QAAQ,WAAW,eAAe;AAC3D,iBAAWC,OAAM,OAAO,2BAA2B,GAAGA,OAAM,KAAK,WAAW,CAAC;AAC7E,UAAI,CAACH,KAAG,WAAW,WAAW,GAAG;AAC7B,cAAM,IAAI,MAAM,qCAAqC,WAAW,EAAE;AAAA,MACtE;AACA,YAAM,kBAAkB,UAA+C;AACvE,YAAMO,gCAA+B,EAAE;AACvC,YAAM,mBAAmB,WAAW;AACpC,iBAAW,WAAW;AACtB,iBAAW,YAAY,uBAAuB,cAAc;AAC5D,iBAAW,8DAA8D;AAAA,IAC7E,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,OAAO;AACnB,UAAM,aAAa;AAAA,MACf,GAAG,WAAW,CAAC,QAAQ,aAAa,cAAc,QAAQ,CAAC;AAAA,MAC3D;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,QACI,MAAM;AAAA,QACN,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA,EAAE,MAAM,MAAM,MAAM,QAAQ,cAAc,IAAI,aAAa,0CAA0C;AAAA,MACrG;AAAA,QACI,MAAM;AAAA,QACN,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,IACJ;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,KAAM,QAAO,SAAS,OAAO,wCAAwC,UAAU;AAE9F,UAAM,KAAK,YAAY;AACnB,YAAM,kBAAkB,UAA+C;AACvE,UAAI,CAACP,KAAG,WAAW,aAAa,aAAa,EAAE,GAAG;AAC9C,mBAAW,uBAAuB;AAAA,MACtC;AACA,YAAM,6BAA6B;AACnC,UAAI,CAAC,aAAa,cAAcA,KAAG,WAAW,aAAa,UAAU,GAAG;AACpE,cAAM,IAAI,MAAM,SAAS,aAAa,UAAU,gBAAgB;AAAA,MACpE;AACA,mBAAa,aAAa;AAG1B,mBAAa,UAAU,WAAW,WAAW,WAAW,QAAQ,SAAS,IAAI,WAAW,UAAU,aAAa;AAE/G,YAAM,oBAAoB,MAAM,mBAAmB;AAAA,QAC/C;AAAA,MACJ;AACA,UAAI,CAAC,mBAAmB;AACpB;AAAA,MACJ;AACA,UAAI,CAAC,aAAa,YAAY;AAC1B,mBAAW,8BAA8B;AACzC;AAAA,MACJ;AACA,YAAM,MAAM,MAAMA,KAAG,SAAS,SAAS,mBAAmB,OAAO;AACjE,MAAAA,KAAG,cAAc,aAAa,cAAc,IAAI,KAAK,OAAO;AAE5D,iBAAW,qBAAqB,aAAa,OAAO;AACpD,iBAAW,qBAAqB,aAAa,cAAc;AAC3D,iBAAW,qBAAqB,aAAa,QAAQ;AACrD,iBAAW,qBAAqB,aAAa,GAAG;AAChD,iBAAW,qBAAqB,aAAa,EAAE;AAE/C,iBAAW,eAAe,aAAa,UAAU;AAAA,IACrD,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,QAAQ;AACpB,UAAM,aAAa;AAAA,MACf,GAAG,WAAW,CAAC,QAAQ,YAAY,QAAQ,CAAC;AAAA,MAC5C,EAAE,MAAM,OAAO,OAAO,KAAK,MAAM,QAAQ,cAAc,sCAAsC,aAAa,UAAU;AAAA,MACpH;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA,EAAE,MAAM,YAAY,OAAO,KAAK,MAAM,QAAQ,cAAc,KAAK,aAAa,mCAAmC;AAAA,IACrH;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,QAAQ,CAAC,WAAW,OAAO,CAAC,WAAW;AAClD,aAAO,SAAS,QAAQ,qEAAqE,UAAU;AAE3G,UAAM,KAAK,YAAY;AACnB,YAAM,kBAAkB,UAA+C;AACvE,UAAI,CAACA,KAAG,WAAW,aAAa,YAAY,EAAE,GAAG;AAC7C,cAAM,IAAI,MAAM,wBAAwB,aAAa,QAAQ,EAAE;AAAA,MACnE;AACA,YAAMO,gCAA+B,EAAE;AACvC,YAAM,WAAmBL,MAAK,QAAS,WAA2C,OAAO,EAAE;AAC3F,UAAI,CAACF,KAAG,WAAW,QAAQ,GAAG;AAC1B,cAAM,IAAI,MAAM,8CAA8C,QAAQ,EAAE;AAAA,MAC5E;AACA,YAAM,cAAcE,MAAK,QAAQ,WAAW,UAAU,SAAS,QAAQ,QAAQ,MAAM,CAAC;AACtF,UAAIF,KAAG,WAAW,WAAW,GAAG;AAC5B,cAAM,IAAI,MAAM,SAAS,WAAW,gBAAgB;AAAA,MACxD;AAEA,YAAM,uBAAuB;AAAA,QACzB;AAAA,QACA;AAAA,QACA;AAAA,MACJ;AAEA,MAAAD,SAAO,OAAO,aAAa,eAAe,QAAQ;AAClD,MAAAC,KAAG,cAAc,aAAa,cAAc,IAAIA,KAAG,aAAa,aAAa,OAAO,CAAC;AAAA,IACzF,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,QAAQ;AACpB,UAAM,aAAa;AAAA,MACf,EAAE,MAAM,mBAAmB,MAAM,QAAQ,eAAe,KAAK;AAAA,MAC7D,EAAE,MAAM,QAAQ,OAAO,KAAK,MAAM,QAAQ;AAAA,IAC9C;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,QAAQ,CAAC,WAAW;AAC/B,aAAO,SAAS,0BAA0B,yBAAyB,UAAU;AAEjF,UAAM,KAAK,YAAY;AACnB,YAAM,OAAO,MAAM,gBAAgB,WAAW,eAAe;AAC7D,iBAAW,IAAI;AAAA,IACnB,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,SAAS;AACrB,UAAM,aAAa;AAAA,MACf,EAAE,MAAM,kBAAkB,MAAM,QAAQ,eAAe,KAAK;AAAA,MAC5D,EAAE,MAAM,QAAQ,OAAO,KAAK,MAAM,QAAQ;AAAA,IAC9C;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,QAAQ,CAAC,WAAW;AAC/B,aAAO,SAAS,0BAA0B,2DAA2D,UAAU;AAEnH,UAAM,KAAK,YAAY;AACnB,YAAM,MAAM,WAAW,cAAc;AAAA,IACzC,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,eAAe;AAC3B,UAAM,aAAa;AAAA,MACf,EAAE,MAAM,mBAAmB,MAAM,QAAQ,eAAe,KAAK;AAAA,MAC7D,EAAE,MAAM,QAAQ,OAAO,KAAK,MAAM,QAAQ;AAAA,IAC9C;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,QAAQ,CAAC,WAAW;AAC/B,aAAO,SAAS,iCAAiC,qCAAqC,UAAU;AAEpG,UAAM,KAAK,YAAY;AACnB,YAAM,cAAc,WAAW;AAC/B,YAAM,OAAO,MAAM,YAAY,WAAW;AAC1C,UAAI,CAAC,KAAM;AACX,YAAM,IAAI,KAAK,MAAM,GAAG,EAAE,CAAC,EAAE,MAAM,GAAG,EAAE,KAAK,EAAE,EAAE,KAAK;AACtD,iBAAW,CAAC;AAAA,IAChB,CAAC;AACD;AAAA,EACJ;AAEA,UAAQ,IAAI,oBAAoB,OAAO,EAAE;AAC7C;AA9gCA,IAgEM,QASA,OACA,WACA,eACA,WA0BF,cAEA,wBAuBA,oBA8aE;AA7iBN;AAAA;AAAA;AAAA;AAqCA;AACA;AACA;AACA;AAaA;AASA;AAEA,IAAM,SAAS;AASf,IAAM,QAAQ,oBAAI,KAAK;AACvB,IAAM,YAAY,gBAAgB,OAAO,EAAE;AAC3C,IAAM,gBAAgB,gBAAgB,OAAO,KAAK,GAAG;AACrD,IAAM,YAAY,gBAAgB,OAAO,GAAG;AA0B5C,IAAI,eAA4B,CAAC;AAucjC,IAAM,gBAAgB;AAAA,MAClB;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA,EAAE,MAAM,aAAa,MAAM,QAAQ,cAAc,cAAc,aAAa,gDAAgD;AAAA,MAC5H,EAAE,MAAM,UAAU,MAAM,SAAS,cAAc,OAAO,aAAa,kBAAkB;AAAA,MACrF;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA,EAAE,MAAM,QAAQ,OAAO,KAAK,MAAM,SAAS,aAAa,oBAAoB;AAAA,IAChF;AAAA;AAAA;;;AC7kBA;AAAA;AAAA;AACA;AAEA,SAAS,QAAQ,KAAK,OAAO,CAAC,CAAC;AAAA;AAAA;","names":["assert","chalk","assert","fs","assert","assert","fs","pemToPrivateKey","Subject","fs","path","chalk","fingerprint","today","Subject","fs","os","path","chalk","doDebug","quote","opensslFolder","opensslExecPath","url","assert","child_process","fs","os","byline","chalk","execute","assert","fs","path","n","s","init_toolbox","assert","fs","path","q","n","Subject","init_create_certificate_signing_request","init_toolbox","init_create_certificate_signing_request","init_toolbox","config","assert","fs","path","chalk","generatePrivateKeyFile","Subject","config","q","n","dns","assert","fs","os","path","chalk","CertificatePurpose","generatePrivateKeyFile","Subject","construct_CertificateAuthority","default_config_template","fqdn","dns","applicationUri","ip","createSelfSignedCertificate","local_argv"]}
1	+ {"version":3,"sources":["../../lib/misc/applicationurn.ts","../../lib/misc/hostname.ts","../../lib/toolbox/config.ts","../../lib/toolbox/debug.ts","../../lib/toolbox/common2.ts","../../lib/toolbox/display.ts","../../lib/toolbox/without_openssl/create_certificate_signing_request.ts","../../lib/toolbox/common.ts","../../lib/toolbox/without_openssl/create_self_signed_certificate.ts","../../lib/toolbox/without_openssl/index.ts","../../lib/pki/templates/simple_config_template.cnf.ts","../../lib/pki/certificate_manager.ts","../../lib/toolbox/index.ts","../../lib/toolbox/with_openssl/_env.ts","../../lib/misc/subject.ts","../../lib/toolbox/with_openssl/install_prerequisite.ts","../../lib/toolbox/with_openssl/execute_openssl.ts","../../lib/toolbox/with_openssl/toolbox.ts","../../lib/toolbox/with_openssl/create_certificate_signing_request.ts","../../lib/toolbox/with_openssl/index.ts","../../lib/ca/templates/ca_config_template.cnf.ts","../../lib/ca/certificate_authority.ts","../../lib/ca/crypto_create_CA.ts","../../bin/pki.ts"],"sourcesContent":["// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport assert from \"node:assert\";\nimport { createHash } from \"node:crypto\";\n\nexport function makeApplicationUrn(hostname: string, suffix: string): string {\n // beware : Openssl doesn't support urn with length greater than 64 !!\n // sometimes hostname length could be too long ...\n // application urn length must not exceed 64 car. to comply with openssl\n // see cryptoCA\n let hostnameHash = hostname;\n if (hostnameHash.length + 7 + suffix.length >= 64) {\n // we need to reduce the applicationUrn side => let's take\n // a portion of the hostname hash.\n hostnameHash = createHash(\"md5\").update(hostname).digest(\"hex\").substring(0, 16);\n }\n\n const applicationUrn = `urn:${hostnameHash}:${suffix}`;\n assert(applicationUrn.length <= 64);\n return applicationUrn;\n}\n","/*\n @module node-opcua-hostname\n /\nimport dns from \"node:dns\";\nimport os from \"node:os\";\nimport { promisify } from \"node:util\";\n\nfunction trim(str: string, length?: number): string {\n if (!length) {\n return str;\n }\n return str.substring(0, Math.min(str.length, length));\n}\n\nfunction fqdn(callback: (err: Error \| null, fqdn?: string) => void) {\n const uqdn = os.hostname();\n\n dns.lookup(uqdn, { hints: dns.ADDRCONFIG }, (err1: Error \| null, ip: string) => {\n if (err1) {\n return callback(err1);\n }\n\n dns.lookupService(ip, 0, (err2: Error \| null, _fqdn: string) => {\n if (err2) {\n return callback(err2);\n }\n _fqdn = _fqdn.replace(\".localdomain\", \"\");\n callback(null, _fqdn);\n });\n });\n}\n\nlet _fullyQualifiedDomainNameInCache: string \| undefined;\n\n/\n extract FullyQualifiedDomainName of this computer\n /\nexport async function extractFullyQualifiedDomainName(): Promise<string> {\n if (_fullyQualifiedDomainNameInCache) {\n return _fullyQualifiedDomainNameInCache;\n }\n if (process.platform === \"win32\") {\n // http://serverfault.com/a/73643/251863\n const env = process.env;\n _fullyQualifiedDomainNameInCache =\n env.COMPUTERNAME + (env.USERDNSDOMAIN && env.USERDNSDOMAIN?.length > 0 ? `.${env.USERDNSDOMAIN as string}` : \"\");\n } else {\n try {\n _fullyQualifiedDomainNameInCache = await promisify(fqdn)();\n if (_fullyQualifiedDomainNameInCache === \"localhost\") {\n throw new Error(\"localhost not expected\");\n }\n if (/sethostname/.test(_fullyQualifiedDomainNameInCache as string)) {\n throw new Error(\"Detecting fqdn on windows !!!\");\n }\n } catch (_err) {\n // fall back to old method\n _fullyQualifiedDomainNameInCache = os.hostname();\n }\n }\n return _fullyQualifiedDomainNameInCache as string;\n}\n\nexport async function prepareFQDN() {\n _fullyQualifiedDomainNameInCache = await extractFullyQualifiedDomainName();\n}\n\nexport function getFullyQualifiedDomainName(optional_max_length?: number) {\n if (!_fullyQualifiedDomainNameInCache) {\n throw new Error(\"FullyQualifiedDomainName computation is not completed yet\");\n }\n return _fullyQualifiedDomainNameInCache ? trim(_fullyQualifiedDomainNameInCache, optional_max_length) : \"%FQDN%\";\n}\n\nexport function getHostname() {\n return os.hostname();\n}\n\nexport function resolveFullyQualifiedDomainName(str: string): string {\n if (!_fullyQualifiedDomainNameInCache) {\n throw new Error(\"FullyQualifiedDomainName computation is not completed yet\");\n }\n str = str.replace(\"%FQDN%\", _fullyQualifiedDomainNameInCache);\n str = str.replace(\"{FQDN}\", _fullyQualifiedDomainNameInCache);\n str = str.replace(\"{hostname}\", getHostname());\n return str;\n}\n// note : under windows ... echo %COMPUTERNAME%.%USERDNSDOMAIN%\nprepareFQDN();\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nexport const g_config = {\n opensslVersion: \"unset\",\n silent: process.env.VERBOSE ? !process.env.VERBOSE : true,\n force: false\n};\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nexport const doDebug = process.env.NODEOPCUAPKIDEBUG \|\| false;\nexport const displayError = true;\nexport const displayDebug = !!process.env.NODEOPCUAPKIDEBUG \|\| false;\n// tslint:disable-next-line:no-empty\nexport function debugLog(...args: unknown[]) {\n // istanbul ignore next\n if (displayDebug) {\n console.log.apply(null, args);\n }\n}\nexport function warningLog(...args: unknown[]) {\n console.log.apply(null, args);\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n\nimport assert from \"node:assert\";\nimport fs from \"node:fs\";\nimport path from \"node:path\";\n\nimport chalk from \"chalk\";\n\nimport { g_config } from \"./config\";\n\nimport { debugLog, warningLog } from \"./debug\";\n\nexport function certificateFileExist(certificateFile: string): boolean {\n // istanbul ignore next\n if (fs.existsSync(certificateFile) && !g_config.force) {\n warningLog(\n chalk.yellow(\" certificate \") + chalk.cyan(certificateFile) + chalk.yellow(\" already exists => do not overwrite\")\n );\n return false;\n }\n return true;\n}\n\nexport function mkdirRecursiveSync(folder: string): void {\n if (!fs.existsSync(folder)) {\n // istanbul ignore next\n debugLog(chalk.white(\" .. constructing \"), folder);\n fs.mkdirSync(folder, { recursive: true });\n }\n}\n\nexport function makePath(folderName: string, filename?: string): string {\n let s: string;\n if (filename) {\n s = path.join(path.normalize(folderName), filename);\n } else {\n assert(folderName);\n s = folderName;\n }\n s = s.replace(/\\\\/g, \"/\");\n return s;\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport chalk from \"chalk\";\nimport { g_config } from \"./config\";\nimport { warningLog } from \"./debug\";\n\n// istanbul ignore next\nexport function displayChapter(str: string) {\n const l = \" \";\n warningLog(`${chalk.bgWhite(l)} `);\n str = ` ${str}${l}`.substring(0, l.length);\n warningLog(chalk.bgWhite.cyan(str));\n warningLog(`${chalk.bgWhite(l)} `);\n}\n\nexport function displayTitle(str: string) {\n // istanbul ignore next\n if (!g_config.silent) {\n warningLog(\"\");\n warningLog(chalk.yellowBright(str));\n warningLog(chalk.yellow(new Array(str.length + 1).join(\"=\")), \"\\n\");\n }\n}\n\nexport function displaySubtitle(str: string) {\n // istanbul ignore next\n if (!g_config.silent) {\n warningLog(\"\");\n warningLog(` ${chalk.yellowBright(str)}`);\n warningLog(` ${chalk.white(new Array(str.length + 1).join(\"-\"))}`, \"\\n\");\n }\n}\nexport function display(str: string) {\n // istanbul ignore next\n if (!g_config.silent) {\n warningLog(` ${str}`);\n }\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2022-2026 Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport assert from \"node:assert\";\nimport fs from \"node:fs\";\nimport { createCertificateSigningRequest, pemToPrivateKey, Subject } from \"node-opcua-crypto\";\nimport type { CreateCertificateSigningRequestWithConfigOptions } from \"../common\";\nimport { display, displaySubtitle } from \"../display\";\n\n/\n create a certificate signing request\n /\nexport async function createCertificateSigningRequestAsync(\n certificateSigningRequestFilename: string,\n params: CreateCertificateSigningRequestWithConfigOptions\n): Promise<void> {\n assert(params);\n assert(params.rootDir);\n assert(params.configFile);\n assert(params.privateKey);\n assert(typeof params.privateKey === \"string\");\n assert(fs.existsSync(params.privateKey), `Private key must exist${params.privateKey}`);\n\n // assert(fs.existsSync(params.configFile), \"config file must exist \" + params.configFile);\n assert(fs.existsSync(params.rootDir), \"RootDir key must exist\");\n assert(typeof certificateSigningRequestFilename === \"string\");\n\n const subject = params.subject ? new Subject(params.subject).toString() : undefined;\n displaySubtitle(\"- Creating a Certificate Signing Request with subtile\");\n\n const privateKeyPem = await fs.promises.readFile(params.privateKey, \"utf-8\");\n const privateKey = await pemToPrivateKey(privateKeyPem);\n\n const { csr } = await createCertificateSigningRequest({\n privateKey,\n dns: params.dns,\n ip: params.ip,\n subject,\n applicationUri: params.applicationUri,\n purpose: params.purpose\n });\n await fs.promises.writeFile(certificateSigningRequestFilename, csr, \"utf-8\");\n\n display(`- privateKey ${params.privateKey}`);\n display(`- certificateSigningRequestFilename ${certificateSigningRequestFilename}`);\n\n // to verify that the CSR is correct:\n // openssl req -in ./tmp/without_openssl.csr -noout -verify\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport assert from \"node:assert\";\n\n/* RSA key size in bits. /\nexport type KeySize = 1024 \| 2048 \| 3072 \| 4096;\n/* Hex-encoded SHA-1 certificate thumbprint. /\nexport type Thumbprint = string;\n/* A filesystem path to a file. /\nexport type Filename = string;\n/* Status of a certificate in the trust store. /\nexport type CertificateStatus = \"unknown\" \| \"trusted\" \| \"rejected\";\n\nimport type { CertificatePurpose } from \"node-opcua-crypto\";\nimport type { SubjectOptions } from \"../misc/subject\";\n\n/\n @deprecated Use {@link KeySize} instead.\n /\nexport type KeyLength = 1024 \| 2048 \| 3072 \| 4096;\n\nexport function quote(str?: string): string {\n return `\"${str \|\| \"\"}\"`;\n}\n\n/\n Subject Alternative Name (SAN) parameters for certificate\n * generation.\n /\nexport interface ProcessAltNamesParam {\n /* DNS host names to include in the SAN extension. /\n dns?: string[];\n /* IP addresses to include in the SAN extension. /\n ip?: string[];\n /* OPC UA application URI for the SAN extension. /\n applicationUri?: string;\n}\n\n/\n Options for creating a Certificate Signing Request (CSR).\n /\nexport interface CreateCertificateSigningRequestOptions extends ProcessAltNamesParam {\n /* X.500 subject for the certificate. /\n subject?: SubjectOptions \| string;\n}\n\n/\n Extended CSR options that include filesystem paths and\n * certificate purpose — used internally by the OpenSSL toolbox.\n /\nexport interface CreateCertificateSigningRequestWithConfigOptions extends CreateCertificateSigningRequestOptions {\n /* Root directory of the PKI store. /\n rootDir: Filename;\n /* Path to the OpenSSL configuration file. /\n configFile: Filename;\n /* Path to the private key file. /\n privateKey: Filename;\n /* Intended purpose of the certificate. /\n purpose: CertificatePurpose;\n}\n\n/\n Validity period parameters for certificate generation.\n /\nexport interface StartDateEndDateParam {\n /* Certificate \"Not Before\" date. Defaults to now. /\n startDate?: Date;\n /* Certificate \"Not After\" date (computed from validity). /\n endDate?: Date;\n /* Number of days the certificate is valid. @defaultValue 365 /\n validity?: number;\n}\n\n/\n Parameters for creating a self-signed certificate.\n /\nexport interface CreateSelfSignCertificateParam extends ProcessAltNamesParam, StartDateEndDateParam {\n /* X.500 subject for the certificate. /\n subject?: SubjectOptions \| string;\n}\n\n/\n Extended self-signed certificate options that include\n * filesystem paths and purpose — used internally.\n /\nexport interface CreateSelfSignCertificateWithConfigParam extends CreateSelfSignCertificateParam {\n /* Root directory of the PKI store. /\n rootDir: Filename;\n /* Path to the OpenSSL configuration file. /\n configFile: Filename;\n /* Path to the private key file. /\n privateKey: Filename;\n /* Intended purpose of the certificate. /\n purpose: CertificatePurpose;\n}\n\n/\n General-purpose parameters passed to CA operations such as\n * {@link CertificateAuthority.signCertificateRequest} and\n * {@link CertificateAuthority.revokeCertificate}.\n /\nexport interface Params extends ProcessAltNamesParam, StartDateEndDateParam {\n /* X.500 subject for the certificate. /\n subject?: SubjectOptions \| string;\n\n /* Path to the private key file. /\n privateKey?: string;\n /* Path to the OpenSSL configuration file. /\n configFile?: string;\n /* Root directory of the PKI store. /\n rootDir?: string;\n\n /* Output filename for the generated certificate. /\n outputFile?: string;\n /* CRL revocation reason (e.g. `\"keyCompromise\"`). /\n reason?: string;\n}\n\nexport function adjustDate(params: StartDateEndDateParam) {\n assert(params instanceof Object);\n params.startDate = params.startDate \|\| new Date();\n assert(params.startDate instanceof Date);\n\n params.validity = params.validity \|\| 365; // one year\n\n params.endDate = new Date(params.startDate.getTime());\n params.endDate.setDate(params.startDate.getDate() + params.validity);\n\n // params.endDate = x509Date(endDate);\n // params.startDate = x509Date(startDate);\n\n assert(params.endDate instanceof Date);\n assert(params.startDate instanceof Date);\n\n // // istanbul ignore next\n // if (!g_config.silent) {\n // warningLog(\" start Date \", params.startDate.toUTCString(), x509Date(params.startDate));\n // warningLog(\" end Date \", params.endDate.toUTCString(), x509Date(params.endDate));\n // }\n}\n\nexport function adjustApplicationUri(params: Params) {\n const applicationUri = params.applicationUri \|\| \"\";\n if (applicationUri.length > 200) {\n throw new Error(`Openssl doesn't support urn with length greater than 200${applicationUri}`);\n }\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2022-2026 Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport assert from \"node:assert\";\nimport fs from \"node:fs\";\n\nimport {\n CertificatePurpose,\n createSelfSignedCertificate as createSelfSignedCertificate1,\n pemToPrivateKey,\n Subject\n} from \"node-opcua-crypto\";\nimport { adjustDate, type CreateSelfSignCertificateWithConfigParam } from \"../common\";\nimport { displayTitle } from \"../display\";\n\nexport async function createSelfSignedCertificateAsync(\n certificate: string,\n params: CreateSelfSignCertificateWithConfigParam\n): Promise<void> {\n params.purpose = params.purpose \|\| CertificatePurpose.ForApplication;\n assert(params.purpose, \"Please provide a Certificate Purpose\");\n /\n note: due to a limitation of openssl ,\n * it is not possible to control the startDate of the certificate validity\n * to achieve this the certificateAuthority tool shall be used.\n /\n assert(fs.existsSync(params.configFile));\n assert(fs.existsSync(params.rootDir));\n assert(fs.existsSync(params.privateKey));\n if (!params.subject) {\n throw Error(\"Missing subject\");\n }\n\n assert(typeof params.applicationUri === \"string\");\n assert(Array.isArray(params.dns));\n\n // xx no key size in self-signed assert(params.keySize == 2048 \|\| params.keySize == 4096);\n\n // processAltNames(params);\n adjustDate(params);\n assert(Object.prototype.hasOwnProperty.call(params, \"validity\"));\n\n let subject: Subject \| string = new Subject(params.subject);\n subject = subject.toString();\n\n // xx const certificateRequestFilename = certificate + \".csr\";\n const purpose = params.purpose;\n\n displayTitle(\"Generate a certificate request\");\n\n const privateKeyPem = await fs.promises.readFile(params.privateKey, \"utf-8\");\n const privateKey = await pemToPrivateKey(privateKeyPem);\n\n const { cert } = await createSelfSignedCertificate1({\n privateKey,\n notBefore: params.startDate,\n notAfter: params.endDate,\n validity: params.validity,\n dns: params.dns,\n ip: params.ip,\n subject,\n applicationUri: params.applicationUri,\n purpose\n });\n await fs.promises.writeFile(certificate, cert, \"utf-8\");\n}\n\nexport async function createSelfSignedCertificate(\n certificate: string,\n params: CreateSelfSignCertificateWithConfigParam\n): Promise<void> {\n await createSelfSignedCertificateAsync(certificate, params);\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport from \"./create_certificate_signing_request\";\nexport * from \"./create_self_signed_certificate\";\n","const config =\n \"##################################################################################################\\n\" +\n \"## SIMPLE OPENSSL CONFIG FILE FOR SELF-SIGNED CERTIFICATE GENERATION\\n\" +\n \"################################################################################################################\\n\" +\n \"\\n\" +\n \"distinguished_name = req_distinguished_name\\n\" +\n \"default_md = sha1\\n\" +\n \"\\n\" +\n \"default_md = sha256 # The default digest algorithm\\n\" +\n \"\\n\" +\n \"[ v3_ca ]\\n\" +\n \"subjectKeyIdentifier = hash\\n\" +\n \"authorityKeyIdentifier = keyid:always,issuer:always\\n\" +\n \"\\n\" +\n \"# authorityKeyIdentifier = keyid\\n\" +\n \"basicConstraints = CA:TRUE\\n\" +\n \"keyUsage = critical, cRLSign, keyCertSign\\n\" +\n 'nsComment = \"Self-signed Certificate for CA generated by Node-OPCUA Certificate utility\"\\n' +\n \"#nsCertType = sslCA, emailCA\\n\" +\n \"#subjectAltName = email:copy\\n\" +\n \"#issuerAltName = issuer:copy\\n\" +\n \"#obj = DER:02:03\\n\" +\n \"# crlDistributionPoints = @crl_info\\n\" +\n \"# [ crl_info ]\\n\" +\n \"# URI.0 = http://localhost:8900/crl.pem\\n\" +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n \"\\n\" +\n \"[ req ]\\n\" +\n \"days = 390\\n\" +\n \"req_extensions = v3_req\\n\" +\n \"x509_extensions = v3_ca\\n\" +\n \"\\n\" +\n \"[v3_req]\\n\" +\n \"basicConstraints = CA:false\\n\" +\n \"keyUsage = critical, cRLSign, keyCertSign\\n\" +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n \"\\n\" +\n \"[ v3_ca_signed]\\n\" +\n \"subjectKeyIdentifier = hash\\n\" +\n \"authorityKeyIdentifier = keyid,issuer\\n\" +\n \"basicConstraints = critical, CA:FALSE\\n\" +\n \"keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign\\n\" +\n \"extendedKeyUsage = clientAuth,serverAuth \\n\" +\n 'nsComment = \"certificate generated by Node-OPCUA Certificate utility and signed by a CA\"\\n' +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n \"[ v3_selfsigned]\\n\" +\n \"subjectKeyIdentifier = hash\\n\" +\n \"authorityKeyIdentifier = keyid,issuer\\n\" +\n \"basicConstraints = critical, CA:FALSE\\n\" +\n \"keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign\\n\" +\n \"extendedKeyUsage = clientAuth,serverAuth \\n\" +\n 'nsComment = \"Self-signed certificate generated by Node-OPCUA Certificate utility\"\\n' +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n \"[ req_distinguished_name ]\\n\" +\n \"countryName = Country Name (2 letter code)\\n\" +\n \"countryName_default = FR\\n\" +\n \"countryName_min = 2\\n\" +\n \"countryName_max = 2\\n\" +\n \"# stateOrProvinceName = State or Province Name (full name)\\n\" +\n \"# stateOrProvinceName_default = Ile de France\\n\" +\n \"# localityName = Locality Name (city, district)\\n\" +\n \"# localityName_default = Paris\\n\" +\n \"organizationName = Organization Name (company)\\n\" +\n \"organizationName_default = NodeOPCUA\\n\" +\n \"# organizationalUnitName = Organizational Unit Name (department, division)\\n\" +\n \"# organizationalUnitName_default = R&D\\n\" +\n \"commonName = Common Name (hostname, FQDN, IP, or your name)\\n\" +\n \"commonName_max = 256\\n\" +\n \"commonName_default = NodeOPCUA\\n\" +\n \"# emailAddress = Email Address\\n\" +\n \"# emailAddress_max = 40\\n\" +\n \"# emailAddress_default = node-opcua (at) node-opcua (dot) com\\n\" +\n \"subjectAltName = $ENV::ALTNAME\";\n\nexport default config;\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki — CertificateManager\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n// This project is licensed under the terms of the MIT license.\n// ---------------------------------------------------------------------------------------------------------------------\n\nimport { EventEmitter } from \"node:events\";\nimport fs from \"node:fs\";\nimport path from \"node:path\";\nimport { withLock } from \"@ster5/global-mutex\";\nimport chalk from \"chalk\";\nimport chokidar, { type FSWatcher as ChokidarFSWatcher } from \"chokidar\";\nimport {\n type Certificate,\n type CertificateInternals,\n type CertificateRevocationList,\n type CertificateRevocationListInfo,\n type DER,\n exploreCertificate,\n exploreCertificateInfo,\n exploreCertificateRevocationList,\n generatePrivateKeyFile,\n makeSHA1Thumbprint,\n readCertificate,\n readCertificateAsync,\n readCertificateRevocationList,\n split_der,\n toPem,\n verifyCertificateChain,\n verifyCertificateSignature\n} from \"node-opcua-crypto\";\n\nimport type { SubjectOptions } from \"../misc/subject\";\nimport type {\n CertificateStatus,\n CreateSelfSignCertificateParam,\n CreateSelfSignCertificateWithConfigParam,\n Filename,\n KeySize,\n Thumbprint\n} from \"../toolbox/common\";\nimport { makePath, mkdirRecursiveSync } from \"../toolbox/common2\";\nimport { debugLog, warningLog } from \"../toolbox/debug\";\nimport { createCertificateSigningRequestAsync, createSelfSignedCertificate } from \"../toolbox/without_openssl\";\n\nimport _simple_config_template from \"./templates/simple_config_template.cnf\";\n\n/*\n \n * a minimalist config file for openssl that allows\n * self-signed certificate to be generated.\n \n /\nconst configurationFileSimpleTemplate: string = _simple_config_template;\nconst fsWriteFile = fs.promises.writeFile;\n\ninterface Entry {\n certificate: Certificate;\n filename: string;\n /** Lazily cached result of `exploreCertificate(certificate)`. /\n info?: CertificateInternals;\n}\n\n/* Return the cached `info` or compute and cache it. /\nfunction getOrComputeInfo(entry: Entry): CertificateInternals {\n if (!entry.info) {\n entry.info = exploreCertificateCached(entry.certificate);\n }\n return entry.info;\n}\n\n/\n Module-level LRU cache for `exploreCertificate()` results.\n \n During a single `verifyCertificate()` flow the same certificate\n * buffer can be parsed 4-6 times across different helper functions.\n * This cache deduplicates the ASN.1 DER parsing by keying on the\n * SHA-1 thumbprint of the certificate buffer.\n \n The cache is deliberately small (8 entries) so it covers the\n * \"same-cert-in-one-verification-flow\" case without unbounded\n * memory growth.\n /\nconst EXPLORE_CACHE_MAX = 8;\nconst _exploreCache = new Map<string, CertificateInternals>();\n\nfunction exploreCertificateCached(certificate: Certificate): CertificateInternals {\n const key = makeSHA1Thumbprint(certificate).toString(\"hex\");\n const cached = _exploreCache.get(key);\n if (cached) {\n // Move to end (most-recently-used)\n _exploreCache.delete(key);\n _exploreCache.set(key, cached);\n return cached;\n }\n const info = exploreCertificate(certificate);\n _exploreCache.set(key, info);\n if (_exploreCache.size > EXPLORE_CACHE_MAX) {\n // Evict oldest (first key in insertion order)\n const oldest = _exploreCache.keys().next().value;\n if (oldest) _exploreCache.delete(oldest);\n }\n return info;\n}\ninterface CRLEntry {\n crlInfo: CertificateRevocationListInfo;\n filename: string;\n}\ninterface CRLData {\n serialNumbers: { [key: string]: Date };\n crls: CRLEntry[];\n}\ninterface Thumbs {\n trusted: Map<string, Entry>;\n rejected: Map<string, Entry>;\n issuers: {\n certs: Map<string, Entry>;\n };\n /* key = subjectFingerPrint of issuer certificate /\n crl: Map<string, CRLData>;\n /* key = subjectFingerPrint of issuer certificate /\n issuersCrl: Map<string, CRLData>;\n}\n\n/\n Identifies which PKI sub-store a certificate event originated from.\n /\nexport type CertificateStore = \"trusted\" \| \"rejected\" \| \"issuersCerts\";\n\n/\n Identifies which PKI sub-store a CRL event originated from.\n /\nexport type CrlStore = \"crl\" \| \"issuersCrl\";\n\n/\n Events emitted by {@link CertificateManager} when the\n * file-system watchers detect certificate or CRL changes.\n /\nexport interface CertificateManagerEvents {\n /* A certificate file was added to a store. /\n certificateAdded: (event: { store: CertificateStore; certificate: Certificate; fingerprint: string; filename: string }) => void;\n /* A certificate file was removed from a store. /\n certificateRemoved: (event: { store: CertificateStore; fingerprint: string; filename: string }) => void;\n /* A certificate file was modified in a store. /\n certificateChange: (event: {\n store: CertificateStore;\n certificate: Certificate;\n fingerprint: string;\n filename: string;\n }) => void;\n /* A CRL file was added. /\n crlAdded: (event: { store: CrlStore; filename: string }) => void;\n /* A CRL file was removed. /\n crlRemoved: (event: { store: CrlStore; filename: string }) => void;\n}\n\n/\n Options for creating a {@link CertificateManager}.\n /\nexport interface CertificateManagerOptions {\n /\n RSA key size for generated private keys.\n * @defaultValue 2048\n /\n keySize?: KeySize;\n /* Filesystem path where the PKI directory structure is stored. /\n location: string;\n}\n\n/\n Parameters for {@link createSelfSignedCertificate}.\n * All fields from {@link CreateSelfSignCertificateParam} are required.\n /\nexport interface CreateSelfSignCertificateParam1 extends CreateSelfSignCertificateParam {\n /\n Output path for the certificate.\n * @defaultValue `\"own/certs/self_signed_certificate.pem\"`\n /\n outputFile?: Filename;\n /* X.500 subject for the certificate. /\n subject: SubjectOptions \| string;\n /* OPC UA application URI for the SAN extension. /\n applicationUri: string;\n /* DNS host names to include in the SAN extension. /\n dns: string[];\n /* Certificate \"Not Before\" date. /\n startDate: Date;\n /* Number of days the certificate is valid. /\n validity: number;\n}\n\n/\n Options to fine-tune certificate verification behaviour.\n * Passed to {@link CertificateManager.verifyCertificate}.\n \n Without any options, `verifyCertificate` is strict: only\n * certificates that are explicitly present in the trusted store\n * will return {@link VerificationStatus.Good}. Unknown or\n * rejected certificates return\n * {@link VerificationStatus.BadCertificateUntrusted} even when\n * their issuer chain is valid.\n \n Set {@link acceptCertificateWithValidIssuerChain} to `true`\n * to accept certificates whose issuer chain validates against\n * a trusted CA — even if the leaf certificate itself is not\n * in the trusted store.\n /\nexport interface VerifyCertificateOptions {\n /* Accept certificates whose \"Not After\" date has passed. /\n acceptOutdatedCertificate?: boolean;\n /* Accept issuer certificates whose \"Not After\" date has passed. /\n acceptOutDatedIssuerCertificate?: boolean;\n /* Do not fail when a CRL is missing for an issuer. /\n ignoreMissingRevocationList?: boolean;\n /* Accept certificates whose \"Not Before\" date is in the future. /\n acceptPendingCertificate?: boolean;\n /\n Accept a certificate that is not in the trusted store when\n * its issuer (CA) certificate is trusted, the signature is\n * valid, and the certificate does not appear in the CRL.\n \n When `false` (the default), only certificates explicitly\n * placed in the trusted store are accepted — this is the\n * same behaviour as {@link CertificateManager.isCertificateTrusted}.\n \n @defaultValue false\n /\n acceptCertificateWithValidIssuerChain?: boolean;\n}\n\n/\n OPC UA certificate verification status codes.\n \n These mirror the OPC UA `StatusCode` values for certificate\n * validation results.\n /\nexport enum VerificationStatus {\n /* The certificate provided as a parameter is not valid. /\n BadCertificateInvalid = \"BadCertificateInvalid\",\n /* An error occurred verifying security. /\n BadSecurityChecksFailed = \"BadSecurityChecksFailed\",\n /* The certificate does not meet the requirements of the security policy. /\n BadCertificatePolicyCheckFailed = \"BadCertificatePolicyCheckFailed\",\n /* The certificate has expired or is not yet valid. /\n BadCertificateTimeInvalid = \"BadCertificateTimeInvalid\",\n /* An issuer certificate has expired or is not yet valid. /\n BadCertificateIssuerTimeInvalid = \"BadCertificateIssuerTimeInvalid\",\n /* The HostName used to connect to a server does not match a HostName in the certificate. /\n BadCertificateHostNameInvalid = \"BadCertificateHostNameInvalid\",\n /* The URI specified in the ApplicationDescription does not match the URI in the certificate. /\n BadCertificateUriInvalid = \"BadCertificateUriInvalid\",\n /* The certificate may not be used for the requested operation. /\n BadCertificateUseNotAllowed = \"BadCertificateUseNotAllowed\",\n /* The issuer certificate may not be used for the requested operation. /\n BadCertificateIssuerUseNotAllowed = \"BadCertificateIssuerUseNotAllowed\",\n /* The certificate is not trusted. /\n BadCertificateUntrusted = \"BadCertificateUntrusted\",\n /* It was not possible to determine if the certificate has been revoked. /\n BadCertificateRevocationUnknown = \"BadCertificateRevocationUnknown\",\n /* It was not possible to determine if the issuer certificate has been revoked. /\n BadCertificateIssuerRevocationUnknown = \"BadCertificateIssuerRevocationUnknown\",\n /* The certificate has been revoked. /\n BadCertificateRevoked = \"BadCertificateRevoked\",\n /* The issuer certificate has been revoked. /\n BadCertificateIssuerRevoked = \"BadCertificateIssuerRevoked\",\n /* The certificate chain is incomplete. /\n BadCertificateChainIncomplete = \"BadCertificateChainIncomplete\",\n\n /* Validation OK. /\n Good = \"Good\"\n}\n\nfunction makeFingerprint(certificate: Certificate \| CertificateRevocationList): string {\n // When the buffer contains a certificate chain (multiple\n // concatenated DER structures), the thumbprint must be\n // computed on the leaf certificate only (first element).\n const chain = split_der(certificate);\n return makeSHA1Thumbprint(chain[0]).toString(\"hex\");\n}\nfunction short(stringToShorten: string) {\n return stringToShorten.substring(0, 10);\n}\n// biome-ignore lint/suspicious/noControlCharactersInRegex: we need to filter control characters\nconst forbiddenChars = /[\\x00-\\x1F<>:\"/\\\\\|?]/g;\nfunction buildIdealCertificateName(certificate: Certificate): string {\n const fingerprint = makeFingerprint(certificate);\n try {\n const commonName = exploreCertificateCached(certificate).tbsCertificate.subject.commonName \|\| \"\";\n // commonName may contain invalid characters for a filename such as / or \\ or :\n // that we need to replace with a valid character.\n // replace / or \\ or : with _\n const sanitizedCommonName = commonName.replace(forbiddenChars, \"_\");\n return `${sanitizedCommonName}[${fingerprint}]`;\n } catch (_err) {\n // make be certificate is incorrect !\n return `invalid_certificate_[${fingerprint}]`;\n }\n}\nfunction findMatchingIssuerKey(entries: Entry[], wantedIssuerKey: string): Entry[] {\n return entries.filter((entry) => {\n const info = getOrComputeInfo(entry);\n return info.tbsCertificate.extensions && info.tbsCertificate.extensions.subjectKeyIdentifier === wantedIssuerKey;\n });\n}\n\nfunction isSelfSigned2(info: CertificateInternals): boolean {\n return (\n info.tbsCertificate.extensions?.subjectKeyIdentifier ===\n info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier\n );\n}\n\nfunction isSelfSigned3(certificate: Buffer): boolean {\n const info = exploreCertificateCached(certificate);\n return isSelfSigned2(info);\n}\n\n/*\n Find the issuer certificate for a given certificate within\n * a provided certificate chain.\n \n @param certificate - the DER-encoded certificate whose issuer to find\n * @param chain - candidate issuer certificates to search\n * @returns the matching issuer certificate, or `null` if not found\n /\nexport function findIssuerCertificateInChain(certificate: Certificate, chain: Certificate[]): Certificate \| null {\n if (!certificate) {\n return null;\n }\n const certInfo = exploreCertificateCached(certificate);\n\n // istanbul ignore next\n if (isSelfSigned2(certInfo)) {\n // the certificate is self signed so is it's own issuer.\n return certificate;\n }\n const wantedIssuerKey = certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;\n\n // istanbul ignore next\n if (!wantedIssuerKey) {\n // Certificate has no extension 3 ! the certificate might have been generated by an old system\n debugLog(\"Certificate has no extension 3\");\n return null;\n }\n const potentialIssuers = chain.filter((c) => {\n const info = exploreCertificateCached(c);\n return info.tbsCertificate.extensions && info.tbsCertificate.extensions.subjectKeyIdentifier === wantedIssuerKey;\n });\n\n if (potentialIssuers.length === 1) {\n return potentialIssuers[0];\n }\n if (potentialIssuers.length > 1) {\n debugLog(\"findIssuerCertificateInChain: certificate is not self-signed but has several issuers\");\n return potentialIssuers[0];\n }\n return null;\n}\n\n/\n Lifecycle state of a {@link CertificateManager} instance.\n /\nexport enum CertificateManagerState {\n Uninitialized = 0,\n Initializing = 1,\n Initialized = 2,\n Disposing = 3,\n Disposed = 4\n}\n/\n Manages a GDS-compliant PKI directory structure for an OPC UA\n * application.\n \n The PKI store layout follows the OPC UA specification:\n \n ```\n * <location>/\n * ├── own/\n * │ ├── certs/ Own certificate(s)\n * │ └── private/ Own private key\n * ├── trusted/\n * │ ├── certs/ Trusted peer certificates\n * │ └── crl/ CRLs for trusted certs\n * ├── rejected/ Untrusted / rejected certificates\n * └── issuers/\n * ├── certs/ CA (issuer) certificates\n * └── crl/ CRLs for issuer certificates\n * ```\n \n File-system watchers keep the in-memory indexes in sync with\n * on-disk changes. Call {@link dispose} when the instance is no\n * longer needed to release watchers and allow the process to\n * exit cleanly.\n \n ## Environment Variables\n \n - `OPCUA_PKI_USE_POLLING` — set to `\"true\"` to use\n * polling-based file watching instead of native OS events.\n * Useful for NFS, CIFS, Docker volumes, or other remote /\n * virtual file systems where native events are unreliable.\n \n - `OPCUA_PKI_POLLING_INTERVAL` — polling interval in\n * milliseconds (only effective when polling is enabled).\n * Clamped to the range [100, 600 000]. Defaults to\n * {@link folderPollingInterval} (5 000 ms).\n \n @example\n * ```ts\n * const cm = new CertificateManager({ location: \"/var/pki\" });\n * await cm.initialize();\n * const status = await cm.verifyCertificate(cert);\n * await cm.dispose();\n * ```\n /\nexport class CertificateManager extends EventEmitter {\n // ── Global instance registry ─────────────────────────────────\n // Tracks all initialized CertificateManager instances so their\n // file watchers can be closed automatically on process exit,\n // even if the consumer forgets to call dispose().\n static #activeInstances = new Set<CertificateManager>();\n static #cleanupInstalled = false;\n\n static #installProcessCleanup(): void {\n if (CertificateManager.#cleanupInstalled) return;\n CertificateManager.#cleanupInstalled = true;\n\n const closeDanglingWatchers = () => {\n for (const cm of CertificateManager.#activeInstances) {\n for (const w of cm.#watchers) {\n try {\n w.close();\n } catch {\n / best-effort /\n }\n }\n cm.#watchers.splice(0);\n cm.state = CertificateManagerState.Disposed;\n }\n CertificateManager.#activeInstances.clear();\n };\n\n // beforeExit fires when the event loop has no more work.\n // If persistent:false works correctly on watchers, they\n // won't prevent this event from firing.\n process.on(\"beforeExit\", closeDanglingWatchers);\n\n // Also handle external termination signals so watchers\n // are cleaned up before the process exits.\n for (const signal of [\"SIGINT\", \"SIGTERM\"] as const) {\n process.once(signal, () => {\n closeDanglingWatchers();\n process.exit();\n });\n }\n }\n\n /\n Dispose all active CertificateManager instances,\n * closing their file watchers and freeing resources.\n \n This is mainly useful in test tear-down to ensure the\n * Node.js process can exit cleanly.\n /\n public static async disposeAll(): Promise<void> {\n const instances = [...CertificateManager.#activeInstances];\n await Promise.all(instances.map((cm) => CertificateManager.prototype.dispose.call(cm)));\n }\n\n /\n Assert that all CertificateManager instances have been\n * properly disposed. Throws an Error listing the locations\n * of any leaked instances.\n \n Intended for use in test `afterAll()` / `afterEach()`\n * hooks to catch missing `dispose()` calls early.\n \n @example\n * ```ts\n * after(() => {\n * CertificateManager.checkAllDisposed();\n * });\n * ```\n /\n public static checkAllDisposed(): void {\n if (CertificateManager.#activeInstances.size === 0) return;\n const locations = [...CertificateManager.#activeInstances].map((cm) => cm.rootDir);\n throw new Error(\n `${CertificateManager.#activeInstances.size} CertificateManager instance(s) not disposed:\\n - ${locations.join(\"\\n - \")}`\n );\n }\n // ─────────────────────────────────────────────────────────────\n\n /\n When `true` (the default), any certificate that is not\n * already in the trusted or rejected store is automatically\n * written to the rejected folder the first time it is seen.\n /\n public untrustUnknownCertificate = true;\n /* Current lifecycle state of this instance. /\n public state: CertificateManagerState = CertificateManagerState.Uninitialized;\n /* @deprecated Use {@link folderPollingInterval} instead (typo fix). /\n public folderPoolingInterval = 5000;\n\n /* Interval in milliseconds for file-system polling (when enabled). /\n public get folderPollingInterval(): number {\n return this.folderPoolingInterval;\n }\n public set folderPollingInterval(value: number) {\n this.folderPoolingInterval = value;\n }\n\n /* RSA key size used when generating the private key. /\n public readonly keySize: KeySize;\n readonly #location: string;\n readonly #watchers: fs.FSWatcher[] = [];\n readonly #pendingUnrefs: Set<() => void> = new Set();\n #readCertificatesCalled = false;\n readonly #filenameToHash = new Map<string, string>();\n #initializingPromise?: Promise<void>;\n\n readonly #thumbs: Thumbs = {\n rejected: new Map(),\n trusted: new Map(),\n issuers: {\n certs: new Map()\n },\n crl: new Map(),\n issuersCrl: new Map()\n };\n\n /\n Create a new CertificateManager.\n \n The constructor creates the root directory if it does not\n * exist but does not initialise the PKI store — call\n * {@link initialize} before using any other method.\n \n @param options - configuration options\n /\n constructor(options: CertificateManagerOptions) {\n super();\n options.keySize = options.keySize \|\| 2048;\n if (!options.location) {\n throw new Error(\"CertificateManager: missing 'location' option\");\n }\n\n this.#location = makePath(options.location, \"\");\n this.keySize = options.keySize;\n\n mkdirRecursiveSync(options.location);\n\n if (!fs.existsSync(this.#location)) {\n throw new Error(`CertificateManager cannot access location ${this.#location}`);\n }\n }\n\n /* Path to the OpenSSL configuration file. /\n get configFile() {\n return path.join(this.rootDir, \"own/openssl.cnf\");\n }\n\n /* Root directory of the PKI store. /\n get rootDir() {\n return this.#location;\n }\n\n /* Path to the private key file (`own/private/private_key.pem`). /\n get privateKey() {\n return path.join(this.rootDir, \"own/private/private_key.pem\");\n }\n\n /* Path to the OpenSSL random seed file. /\n get randomFile() {\n return path.join(this.rootDir, \"./random.rnd\");\n }\n\n /\n Move a certificate to the rejected store.\n * If the certificate was previously trusted, it will be removed from the trusted folder.\n * @param certificate - the DER-encoded certificate\n /\n public async rejectCertificate(certificate: Certificate): Promise<void> {\n await this.#moveCertificate(certificate, \"rejected\");\n }\n\n /\n Move a certificate to the trusted store.\n * If the certificate was previously rejected, it will be removed from the rejected folder.\n * @param certificate - the DER-encoded certificate\n /\n public async trustCertificate(certificate: Certificate): Promise<void> {\n await this.#moveCertificate(certificate, \"trusted\");\n }\n\n /* Path to the rejected certificates folder. /\n public get rejectedFolder(): string {\n return path.join(this.rootDir, \"rejected\");\n }\n /* Path to the trusted certificates folder. /\n public get trustedFolder(): string {\n return path.join(this.rootDir, \"trusted/certs\");\n }\n /* Path to the trusted CRL folder. /\n public get crlFolder(): string {\n return path.join(this.rootDir, \"trusted/crl\");\n }\n /* Path to the issuer (CA) certificates folder. /\n public get issuersCertFolder(): string {\n return path.join(this.rootDir, \"issuers/certs\");\n }\n /* Path to the issuer CRL folder. /\n public get issuersCrlFolder(): string {\n return path.join(this.rootDir, \"issuers/crl\");\n }\n /* Path to the own certificate folder. /\n public get ownCertFolder(): string {\n return path.join(this.rootDir, \"own/certs\");\n }\n public get ownPrivateFolder(): string {\n return path.join(this.rootDir, \"own/private\");\n }\n\n /\n Check if a certificate is in the trusted store.\n * If the certificate is unknown and `untrustUnknownCertificate` is set,\n * it will be written to the rejected folder.\n * @param certificate - the DER-encoded certificate\n * @returns `\"Good\"` if trusted, `\"BadCertificateUntrusted\"` if rejected/unknown,\n * or `\"BadCertificateInvalid\"` if the certificate cannot be parsed.\n /\n public async isCertificateTrusted(certificate: Certificate): Promise<string> {\n const fingerprint = makeFingerprint(certificate) as Thumbprint;\n\n if (this.#thumbs.trusted.has(fingerprint)) {\n return \"Good\";\n }\n\n if (!this.#thumbs.rejected.has(fingerprint)) {\n if (!this.untrustUnknownCertificate) {\n return \"Good\";\n }\n // Verify structure before writing — don't persist invalid data\n try {\n exploreCertificateInfo(certificate);\n } catch (_err) {\n return \"BadCertificateInvalid\";\n }\n const filename = path.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);\n debugLog(\"certificate has never been seen before and is now rejected (untrusted) \", filename);\n await fsWriteFile(filename, toPem(certificate, \"CERTIFICATE\"));\n this.#thumbs.rejected.set(fingerprint, { certificate, filename });\n }\n return \"BadCertificateUntrusted\";\n }\n async #innerVerifyCertificateAsync(\n certificate: Certificate,\n _isIssuer: boolean,\n level: number,\n options: VerifyCertificateOptions\n ): Promise<VerificationStatus> {\n if (level >= 5) {\n // maximum level of certificate in chain reached !\n return VerificationStatus.BadSecurityChecksFailed;\n }\n const chain = split_der(certificate);\n debugLog(\"NB CERTIFICATE IN CHAIN = \", chain.length);\n const info = exploreCertificateCached(chain[0]);\n\n let hasValidIssuer = false;\n let hasTrustedIssuer = false;\n // check if certificate is attached to a issuer\n const hasIssuerKey = info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;\n debugLog(\"Certificate as an Issuer Key\", hasIssuerKey);\n\n if (hasIssuerKey) {\n const isSelfSigned = isSelfSigned2(info);\n\n debugLog(\"Is the Certificate self-signed ?\", isSelfSigned);\n if (!isSelfSigned) {\n debugLog(\n \"Is issuer found in the list of know issuers ?\",\n \"\\n subjectKeyIdentifier = \",\n info.tbsCertificate.extensions?.subjectKeyIdentifier,\n \"\\n authorityKeyIdentifier = \",\n info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier\n );\n let issuerCertificate = await this.findIssuerCertificate(chain[0]);\n if (!issuerCertificate) {\n // the issuer has not been found in the list of trusted certificate\n // may be the issuer certificate is in the chain itself ?\n issuerCertificate = findIssuerCertificateInChain(chain[0], chain);\n if (!issuerCertificate) {\n debugLog(\n \" the issuer has not been found in the chain itself nor in the issuer.cert list => the chain is incomplete!\"\n );\n return VerificationStatus.BadCertificateChainIncomplete;\n }\n debugLog(\" the issuer certificate has been found in the chain itself ! the chain is complete !\");\n } else {\n debugLog(\" the issuer certificate has been found in the issuer.cert folder !\");\n }\n const issuerStatus = await this.#innerVerifyCertificateAsync(issuerCertificate, true, level + 1, options);\n if (issuerStatus === VerificationStatus.BadCertificateRevocationUnknown) {\n // the issuer must have a CRL available .... !\n return VerificationStatus.BadCertificateIssuerRevocationUnknown;\n }\n if (issuerStatus === VerificationStatus.BadCertificateIssuerRevocationUnknown) {\n // the issuer must have a CRL available .... !\n return VerificationStatus.BadCertificateIssuerRevocationUnknown;\n }\n if (issuerStatus === VerificationStatus.BadCertificateTimeInvalid) {\n if (!options \|\| !options.acceptOutDatedIssuerCertificate) {\n // the issuer must have valid dates ....\n return VerificationStatus.BadCertificateIssuerTimeInvalid;\n }\n }\n if (issuerStatus === VerificationStatus.BadCertificateUntrusted) {\n debugLog(\"warning issuerStatus = \", issuerStatus.toString(), \"the issuer certificate is not trusted\");\n // return VerificationStatus.BadSecurityChecksFailed;\n }\n\n if (issuerStatus !== VerificationStatus.Good && issuerStatus !== VerificationStatus.BadCertificateUntrusted) {\n // if the issuer has other issue => let's drop!\n return VerificationStatus.BadSecurityChecksFailed;\n }\n // verify that certificate was signed by issuer\n const isCertificateSignatureOK = verifyCertificateSignature(certificate, issuerCertificate);\n if (!isCertificateSignatureOK) {\n debugLog(\" the certificate was not signed by the issuer as it claim to be ! Danger\");\n return VerificationStatus.BadSecurityChecksFailed;\n }\n hasValidIssuer = true;\n\n // let detected if our certificate is in the revocation list\n let revokedStatus = await this.isCertificateRevoked(certificate);\n if (revokedStatus === VerificationStatus.BadCertificateRevocationUnknown) {\n if (options?.ignoreMissingRevocationList) {\n // continue as if the certificate was not revoked\n revokedStatus = VerificationStatus.Good;\n }\n }\n if (revokedStatus !== VerificationStatus.Good) {\n // certificate is revoked !!!\n debugLog(\"revokedStatus\", revokedStatus);\n return revokedStatus;\n }\n\n // let check if the issuer is explicitly trusted\n const issuerTrustedStatus = await this.#checkRejectedOrTrusted(issuerCertificate);\n debugLog(\"issuerTrustedStatus\", issuerTrustedStatus);\n\n if (issuerTrustedStatus === \"unknown\") {\n hasTrustedIssuer = false;\n } else if (issuerTrustedStatus === \"trusted\") {\n hasTrustedIssuer = true;\n } else if (issuerTrustedStatus === \"rejected\") {\n // we should never get there: this should have been detected before !!!\n return VerificationStatus.BadSecurityChecksFailed;\n }\n } else {\n // verify that certificate was signed by issuer (self in this case)\n const isCertificateSignatureOK = verifyCertificateSignature(certificate, certificate);\n if (!isCertificateSignatureOK) {\n debugLog(\"Self-signed Certificate signature is not valid\");\n return VerificationStatus.BadSecurityChecksFailed;\n }\n const revokedStatus = await this.isCertificateRevoked(certificate);\n debugLog(\"revokedStatus of self signed certificate:\", revokedStatus);\n }\n }\n\n const status = await this.#checkRejectedOrTrusted(certificate);\n if (status === \"rejected\") {\n if (!(options.acceptCertificateWithValidIssuerChain && hasValidIssuer && hasTrustedIssuer)) {\n return VerificationStatus.BadCertificateUntrusted;\n }\n }\n const _c2 = chain[1] ? exploreCertificateInfo(chain[1]) : \"non\";\n debugLog(\"chain[1] info=\", _c2);\n\n // Has SoftwareCertificate passed its issue date and has it not expired ?\n // check dates\n const certificateInfo = exploreCertificateInfo(certificate);\n const now = new Date();\n\n let isTimeInvalid = false;\n // check that certificate is active\n if (certificateInfo.notBefore.getTime() > now.getTime()) {\n // certificate is not active yet\n debugLog(\n `${chalk.red(\"certificate is invalid : certificate is not active yet !\")} not before date =${certificateInfo.notBefore}`\n );\n if (!options.acceptPendingCertificate) {\n isTimeInvalid = true;\n }\n }\n\n // check that certificate has not expired\n if (certificateInfo.notAfter.getTime() <= now.getTime()) {\n // certificate is obsolete\n debugLog(\n `${chalk.red(\"certificate is invalid : certificate has expired !\")} not after date =${certificateInfo.notAfter}`\n );\n if (!options.acceptOutdatedCertificate) {\n isTimeInvalid = true;\n }\n }\n if (status === \"trusted\") {\n return isTimeInvalid ? VerificationStatus.BadCertificateTimeInvalid : VerificationStatus.Good;\n }\n // status should be \"unknown\" or \"rejected\" (bypassed) at this point\n if (hasIssuerKey) {\n if (!hasTrustedIssuer) {\n return VerificationStatus.BadCertificateUntrusted;\n }\n if (!hasValidIssuer) {\n return VerificationStatus.BadCertificateUntrusted;\n }\n if (!options.acceptCertificateWithValidIssuerChain) {\n // strict mode: the leaf cert is not in the trusted store\n return VerificationStatus.BadCertificateUntrusted;\n }\n return isTimeInvalid ? VerificationStatus.BadCertificateTimeInvalid : VerificationStatus.Good;\n } else {\n return VerificationStatus.BadCertificateUntrusted;\n }\n }\n\n /\n Internal verification hook called by {@link verifyCertificate}.\n \n Subclasses can override this to inject additional validation\n * logic (e.g. application-level policy checks) while still\n * delegating to the default chain/CRL/trust verification.\n \n @param certificate - the DER-encoded certificate to verify\n * @param options - verification options forwarded from the\n * public API\n * @returns the verification status code\n /\n protected async verifyCertificateAsync(\n certificate: Certificate,\n options: VerifyCertificateOptions\n ): Promise<VerificationStatus> {\n const status1 = await this.#innerVerifyCertificateAsync(certificate, false, 0, options);\n return status1;\n }\n\n /\n Verify a certificate against the PKI trust store.\n \n This performs a full validation including trust status,\n * issuer chain, CRL revocation checks, and time validity.\n \n @param certificate - the DER-encoded certificate to verify\n * @param options - optional flags to relax validation rules\n * @returns the verification status code\n /\n public async verifyCertificate(certificate: Certificate, options?: VerifyCertificateOptions): Promise<VerificationStatus> {\n // Is the signature on the SoftwareCertificate valid .?\n if (!certificate) {\n // missing certificate\n return VerificationStatus.BadSecurityChecksFailed;\n }\n try {\n const status = await this.verifyCertificateAsync(certificate, options \|\| {});\n return status;\n } catch (error) {\n warningLog(`verifyCertificate error: ${(error as Error).message}`);\n return VerificationStatus.BadCertificateInvalid;\n }\n }\n\n /\n Initialize the PKI directory structure, generate the\n * private key (if missing), and start file-system watchers.\n \n This method is idempotent — subsequent calls are no-ops.\n * It must be called before any certificate operations.\n /\n public async initialize(): Promise<void> {\n if (this.state !== CertificateManagerState.Uninitialized) {\n return;\n }\n this.state = CertificateManagerState.Initializing;\n this.#initializingPromise = this.#initialize();\n await this.#initializingPromise;\n this.#initializingPromise = undefined;\n this.state = CertificateManagerState.Initialized;\n\n // Register for automatic cleanup on process exit\n CertificateManager.#activeInstances.add(this);\n CertificateManager.#installProcessCleanup();\n }\n async #initialize(): Promise<void> {\n this.state = CertificateManagerState.Initializing;\n const pkiDir = this.#location;\n mkdirRecursiveSync(pkiDir);\n mkdirRecursiveSync(path.join(pkiDir, \"own\"));\n mkdirRecursiveSync(path.join(pkiDir, \"own/certs\"));\n mkdirRecursiveSync(path.join(pkiDir, \"own/private\"));\n mkdirRecursiveSync(path.join(pkiDir, \"rejected\"));\n mkdirRecursiveSync(path.join(pkiDir, \"trusted\"));\n mkdirRecursiveSync(path.join(pkiDir, \"trusted/certs\"));\n mkdirRecursiveSync(path.join(pkiDir, \"trusted/crl\"));\n\n mkdirRecursiveSync(path.join(pkiDir, \"issuers\"));\n mkdirRecursiveSync(path.join(pkiDir, \"issuers/certs\")); // contains Trusted CA certificates\n mkdirRecursiveSync(path.join(pkiDir, \"issuers/crl\")); // contains CRL of revoked CA certificates\n\n if (!fs.existsSync(this.configFile) \|\| !fs.existsSync(this.privateKey)) {\n return await this.withLock2(async () => {\n if (this.state === CertificateManagerState.Disposing \|\| this.state === CertificateManagerState.Disposed) {\n return;\n }\n\n if (!fs.existsSync(this.configFile)) {\n fs.writeFileSync(this.configFile, configurationFileSimpleTemplate);\n }\n // note : openssl 1.1.1 has a bug that causes a failure if\n // random file cannot be found. (should be fixed in 1.1.1.a)\n // if this issue become important we may have to consider checking that rndFile exists and recreate\n // it if not . this could be achieved with the command :\n // \"openssl rand -writerand ${this.randomFile}\"\n //\n // cf: https://github.com/node-opcua/node-opcua/issues/554\n\n if (!fs.existsSync(this.privateKey)) {\n debugLog(\"generating private key ...\");\n // setEnv(\"RANDFILE\", this.randomFile);\n await generatePrivateKeyFile(this.privateKey, this.keySize);\n await this.#readCertificates();\n } else {\n // debugLog(\" initialize : private key already exists ... skipping\");\n await this.#readCertificates();\n }\n });\n } else {\n await this.#readCertificates();\n }\n }\n\n /\n Dispose of the CertificateManager, releasing file watchers\n * and other resources. The instance should not be used after\n * calling this method.\n /\n public async dispose(): Promise<void> {\n if (this.state === CertificateManagerState.Disposing) {\n throw new Error(\"Already disposing\");\n }\n\n if (this.state === CertificateManagerState.Uninitialized) {\n this.state = CertificateManagerState.Disposed;\n return;\n }\n\n // Wait for initialization to complete before disposing\n if (this.state === CertificateManagerState.Initializing) {\n if (this.#initializingPromise) {\n await this.#initializingPromise;\n }\n }\n\n try {\n this.state = CertificateManagerState.Disposing;\n // Ensure all fs.watch handles are unref'd even if\n // chokidar hasn't reached \"ready\" yet.\n for (const unreff of this.#pendingUnrefs) {\n unreff();\n }\n this.#pendingUnrefs.clear();\n await Promise.all(this.#watchers.map((w) => w.close()));\n this.#watchers.forEach((w) => {\n w.removeAllListeners();\n });\n this.#watchers.splice(0);\n } finally {\n this.state = CertificateManagerState.Disposed;\n CertificateManager.#activeInstances.delete(this);\n }\n }\n\n /\n Force a full re-scan of all PKI folders, rebuilding\n * the in-memory `_thumbs` index from scratch.\n \n Call this after external processes have modified the\n * PKI folders (e.g. via `writeTrustList` or CLI tools)\n * to ensure the CertificateManager sees the latest\n * state without waiting for file-system events.\n /\n public async reloadCertificates(): Promise<void> {\n // Close existing watchers\n await Promise.all(this.#watchers.map((w) => w.close()));\n for (const w of this.#watchers) {\n w.removeAllListeners();\n }\n this.#watchers.splice(0);\n\n // Clear in-memory indexes\n this.#thumbs.rejected.clear();\n this.#thumbs.trusted.clear();\n this.#thumbs.issuers.certs.clear();\n this.#thumbs.crl.clear();\n this.#thumbs.issuersCrl.clear();\n this.#filenameToHash.clear();\n\n // Re-scan all folders\n this.#readCertificatesCalled = false;\n await this.#readCertificates();\n }\n\n protected async withLock2<T>(action: () => Promise<T>): Promise<T> {\n const lockFileName = path.join(this.rootDir, \"mutex\");\n return withLock<T>({ fileToLock: lockFileName }, async () => {\n return await action();\n });\n }\n /\n Create a self-signed certificate for this PKI's private key.\n \n The certificate is written to `params.outputFile` or\n * `own/certs/self_signed_certificate.pem` by default.\n \n @param params - certificate parameters (subject, SANs,\n * validity, etc.)\n /\n public async createSelfSignedCertificate(params: CreateSelfSignCertificateParam1): Promise<void> {\n if (typeof params.applicationUri !== \"string\") {\n throw new Error(\"createSelfSignedCertificate: expecting applicationUri to be a string\");\n }\n if (!fs.existsSync(this.privateKey)) {\n throw new Error(`Cannot find private key ${this.privateKey}`);\n }\n let certificateFilename = path.join(this.rootDir, \"own/certs/self_signed_certificate.pem\");\n certificateFilename = params.outputFile \|\| certificateFilename;\n\n const _params = params as unknown as CreateSelfSignCertificateWithConfigParam;\n _params.rootDir = this.rootDir;\n _params.configFile = this.configFile;\n _params.privateKey = this.privateKey;\n\n _params.subject = params.subject \|\| \"CN=FIXME\";\n await this.withLock2(async () => {\n await createSelfSignedCertificate(certificateFilename, _params);\n });\n }\n\n /\n Create a Certificate Signing Request (CSR) using this\n * PKI's private key and configuration.\n \n The CSR file is written to `own/certs/` with a timestamped\n * filename.\n \n @param params - CSR parameters (subject, SANs)\n * @returns the filesystem path to the generated CSR file\n /\n public async createCertificateRequest(params: CreateSelfSignCertificateParam): Promise<Filename> {\n if (!params) {\n throw new Error(\"params is required\");\n }\n const _params = params as CreateSelfSignCertificateWithConfigParam;\n if (Object.prototype.hasOwnProperty.call(_params, \"rootDir\")) {\n throw new Error(\"rootDir should not be specified \");\n }\n _params.rootDir = path.resolve(this.rootDir);\n _params.configFile = path.resolve(this.configFile);\n _params.privateKey = path.resolve(this.privateKey);\n\n return await this.withLock2<string>(async () => {\n // compose a file name for the request\n const now = new Date();\n const today = `${now.toISOString().slice(0, 10)}_${now.getTime()}`;\n const certificateSigningRequestFilename = path.join(this.rootDir, \"own/certs\", `certificate_${today}.csr`);\n await createCertificateSigningRequestAsync(certificateSigningRequestFilename, _params);\n return certificateSigningRequestFilename;\n });\n }\n\n /\n Add a CA (issuer) certificate to the issuers store.\n * If the certificate is already present, this is a no-op.\n * @param certificate - the DER-encoded CA certificate\n * @param validate - if `true`, verify the certificate before adding\n * @param addInTrustList - if `true`, also add to the trusted store\n * @returns `VerificationStatus.Good` on success\n /\n public async addIssuer(certificate: DER, validate = false, addInTrustList = false): Promise<VerificationStatus> {\n if (validate) {\n const status = await this.verifyCertificate(certificate);\n if (status !== VerificationStatus.Good && status !== VerificationStatus.BadCertificateUntrusted) {\n return status;\n }\n }\n const pemCertificate = toPem(certificate, \"CERTIFICATE\");\n const fingerprint = makeFingerprint(certificate);\n if (this.#thumbs.issuers.certs.has(fingerprint)) {\n // already in .. simply ignore\n return VerificationStatus.Good;\n }\n // write certificate\n const filename = path.join(this.issuersCertFolder, `issuer_${buildIdealCertificateName(certificate)}.pem`);\n await fs.promises.writeFile(filename, pemCertificate, \"ascii\");\n\n // first time seen, let's save it.\n this.#thumbs.issuers.certs.set(fingerprint, { certificate, filename });\n\n if (addInTrustList) {\n // add certificate in the trust list as well\n await this.trustCertificate(certificate);\n }\n\n return VerificationStatus.Good;\n }\n\n /\n Add a CRL to the certificate manager.\n * @param crl - the CRL to add\n * @param target - \"issuers\" (default) writes to issuers/crl, \"trusted\" writes to trusted/crl\n /\n public async addRevocationList(\n crl: CertificateRevocationList,\n target: \"issuers\" \| \"trusted\" = \"issuers\"\n ): Promise<VerificationStatus> {\n return await this.withLock2<VerificationStatus>(async () => {\n try {\n const index = target === \"trusted\" ? this.#thumbs.crl : this.#thumbs.issuersCrl;\n const folder = target === \"trusted\" ? this.crlFolder : this.issuersCrlFolder;\n\n const crlInfo = exploreCertificateRevocationList(crl);\n const key = crlInfo.tbsCertList.issuerFingerprint;\n if (!index.has(key)) {\n index.set(key, { crls: [], serialNumbers: {} });\n }\n const pemCertificate = toPem(crl, \"X509 CRL\");\n const filename = path.join(folder, `crl_${buildIdealCertificateName(crl)}.pem`);\n await fs.promises.writeFile(filename, pemCertificate, \"ascii\");\n\n await this.#onCrlFileAdded(index, filename);\n\n await this.#waitAndCheckCRLProcessingStatus();\n\n return VerificationStatus.Good;\n } catch (err) {\n debugLog(err);\n return VerificationStatus.BadSecurityChecksFailed;\n }\n });\n }\n\n /\n Remove all CRL files from the specified folder(s) and clear the\n * corresponding in-memory index.\n * @param target - \"issuers\" clears issuers/crl, \"trusted\" clears\n * trusted/crl, \"all\" clears both.\n /\n public async clearRevocationLists(target: \"issuers\" \| \"trusted\" \| \"all\"): Promise<void> {\n const clearFolder = async (folder: string, index: Map<string, CRLData>) => {\n try {\n const files = await fs.promises.readdir(folder);\n for (const file of files) {\n const ext = path.extname(file).toLowerCase();\n if (ext === \".crl\" \|\| ext === \".pem\" \|\| ext === \".der\") {\n await fs.promises.unlink(path.join(folder, file));\n }\n }\n } catch (err: unknown) {\n if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") {\n throw err;\n }\n }\n index.clear();\n };\n\n if (target === \"issuers\" \|\| target === \"all\") {\n await clearFolder(this.issuersCrlFolder, this.#thumbs.issuersCrl);\n }\n if (target === \"trusted\" \|\| target === \"all\") {\n await clearFolder(this.crlFolder, this.#thumbs.crl);\n }\n }\n\n /\n Check whether an issuer certificate with the given thumbprint\n * is already registered.\n * @param thumbprint - hex-encoded SHA-1 thumbprint (lowercase)\n /\n public async hasIssuer(thumbprint: string): Promise<boolean> {\n await this.#readCertificates();\n const normalized = thumbprint.toLowerCase();\n return this.#thumbs.issuers.certs.has(normalized);\n }\n\n /\n Remove a trusted certificate identified by its SHA-1 thumbprint.\n * Deletes the file on disk and removes the entry from the\n * in-memory index.\n * @param thumbprint - hex-encoded SHA-1 thumbprint (lowercase)\n * @returns the removed certificate buffer, or `null` if not found\n /\n public async removeTrustedCertificate(thumbprint: string): Promise<Certificate \| null> {\n await this.#readCertificates();\n const normalized = thumbprint.toLowerCase();\n const entry = this.#thumbs.trusted.get(normalized);\n if (!entry) {\n return null;\n }\n try {\n await fs.promises.unlink(entry.filename);\n } catch (err: unknown) {\n if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") {\n throw err;\n }\n }\n this.#thumbs.trusted.delete(normalized);\n return entry.certificate;\n }\n\n /\n Remove an issuer certificate identified by its SHA-1 thumbprint.\n * Deletes the file on disk and removes the entry from the\n * in-memory index.\n * @param thumbprint - hex-encoded SHA-1 thumbprint (lowercase)\n * @returns the removed certificate buffer, or `null` if not found\n /\n public async removeIssuer(thumbprint: string): Promise<Certificate \| null> {\n await this.#readCertificates();\n const normalized = thumbprint.toLowerCase();\n const entry = this.#thumbs.issuers.certs.get(normalized);\n if (!entry) {\n return null;\n }\n try {\n await fs.promises.unlink(entry.filename);\n } catch (err: unknown) {\n if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") {\n throw err;\n }\n }\n this.#thumbs.issuers.certs.delete(normalized);\n return entry.certificate;\n }\n\n /\n Remove all CRL files that were issued by the given CA certificate\n * from the specified folder (or both).\n * @param issuerCertificate - the CA certificate whose CRLs to remove\n * @param target - \"issuers\", \"trusted\", or \"all\" (default \"all\")\n /\n public async removeRevocationListsForIssuer(\n issuerCertificate: Certificate,\n target: \"issuers\" \| \"trusted\" \| \"all\" = \"all\"\n ): Promise<void> {\n const issuerInfo = exploreCertificateCached(issuerCertificate);\n const issuerFingerprint = issuerInfo.tbsCertificate.subjectFingerPrint;\n\n const processIndex = async (index: Map<string, CRLData>) => {\n const crlData = index.get(issuerFingerprint);\n if (!crlData) return;\n for (const crlEntry of crlData.crls) {\n try {\n await fs.promises.unlink(crlEntry.filename);\n } catch (err: unknown) {\n if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") {\n throw err;\n }\n }\n }\n index.delete(issuerFingerprint);\n };\n\n if (target === \"issuers\" \|\| target === \"all\") {\n await processIndex(this.#thumbs.issuersCrl);\n }\n if (target === \"trusted\" \|\| target === \"all\") {\n await processIndex(this.#thumbs.crl);\n }\n }\n\n /\n Validate a certificate (optionally with its chain) and add\n * the leaf certificate to the trusted store.\n \n The certificate buffer may contain a single certificate or a\n * full chain (leaf + issuer certificates concatenated in DER).\n * Only the leaf certificate is added to the trusted store.\n \n When the chain contains issuer certificates, this method\n * verifies that each issuer is already registered via\n * {@link addIssuer} before trusting the leaf.\n \n If one of the certificates in the chain is not registered in the issuers store,\n * the leaf certificate will be rejected.\n \n @param certificateChain - DER-encoded certificate or chain\n * @returns `VerificationStatus.Good` on success, or an error\n * status indicating why the certificate was rejected.\n /\n public async addTrustedCertificateFromChain(certificateChain: Certificate): Promise<VerificationStatus> {\n const certificates = split_der(certificateChain);\n const leafCertificate = certificates[0];\n\n // Structural validation — can we parse it?\n try {\n exploreCertificateCached(leafCertificate);\n } catch (_err) {\n return VerificationStatus.BadCertificateInvalid;\n }\n\n // Lightweight chain validation — verify the certificate\n // structure and signature without trust-store side-effects\n const result = await verifyCertificateChain([leafCertificate]);\n if (result.status !== \"Good\") {\n return VerificationStatus.BadCertificateInvalid;\n }\n\n // If a chain was provided, verify that every issuer in the\n // chain is already registered in the issuers store.\n // if one of the certificates in the chain is not registered in the issuers store,\n // the certificate will be rejected.\n if (certificates.length > 1) {\n // Re-scan the issuers folder to pick up certificates\n // added directly to disk (e.g. by GDS push or external\n // tooling) that the file-system watcher may not have\n // delivered yet.\n await this.#scanCertFolder(this.issuersCertFolder, this.#thumbs.issuers.certs);\n for (const issuerCert of certificates.slice(1)) {\n const thumbprint = makeFingerprint(issuerCert);\n if (!(await this.hasIssuer(thumbprint))) {\n // this issuer certificate is not registered in the issuers store\n // reject the leaf certificate\n return VerificationStatus.BadCertificateChainIncomplete;\n }\n }\n }\n\n // All checks passed — trust the leaf certificate\n await this.trustCertificate(leafCertificate);\n return VerificationStatus.Good;\n }\n\n /\n Check whether an issuer certificate is still needed by any\n * certificate in the trusted store.\n \n This is used before removing an issuer to ensure that\n * doing so would not break the chain of any trusted\n * certificate.\n \n @param issuerCertificate - the CA certificate to check\n * @returns `true` if at least one trusted certificate was\n * signed by this issuer.\n /\n public async isIssuerInUseByTrustedCertificate(issuerCertificate: Certificate): Promise<boolean> {\n await this.#readCertificates();\n for (const entry of this.#thumbs.trusted.values()) {\n if (!entry.certificate) continue;\n try {\n if (verifyCertificateSignature(entry.certificate, issuerCertificate)) {\n return true;\n }\n } catch (_err) {\n // Skip certificates that can't be verified\n }\n }\n return false;\n }\n\n /\n find the issuer certificate among the trusted issuer certificates.\n \n The findIssuerCertificate method is an asynchronous method that attempts to find\n * the issuer certificate for a given certificate from the list of issuer certificate declared in the PKI\n \n - If the certificate is self-signed, it returns the certificate itself.\n \n - If the certificate has no extension 3, it is assumed to be generated by an old system, and a null value is returned.\n \n - the method checks both issuer and trusted certificates and returns the appropriate issuercertificate,\n * if found. If multiple matching certificates are found, a warning is logged to the console.\n \n /\n public async findIssuerCertificate(certificate: Certificate): Promise<Certificate \| null> {\n const certInfo = exploreCertificateCached(certificate);\n\n if (isSelfSigned2(certInfo)) {\n // the certificate is self signed so is it's own issuer.\n return certificate;\n }\n\n const wantedIssuerKey = certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;\n\n if (!wantedIssuerKey) {\n // Certificate has no extension 3 ! the certificate might have been generated by an old system\n debugLog(\"Certificate has no extension 3\");\n return null;\n }\n\n const issuerCertificates = [...this.#thumbs.issuers.certs.values()];\n\n const selectedIssuerCertificates = findMatchingIssuerKey(issuerCertificates, wantedIssuerKey);\n\n if (selectedIssuerCertificates.length > 0) {\n if (selectedIssuerCertificates.length > 1) {\n warningLog(\"Warning more than one issuer certificate exists with subjectKeyIdentifier \", wantedIssuerKey);\n }\n return selectedIssuerCertificates[0].certificate \|\| null;\n }\n // check also in trusted list\n const trustedCertificates = [...this.#thumbs.trusted.values()];\n const selectedTrustedCertificates = findMatchingIssuerKey(trustedCertificates, wantedIssuerKey);\n\n if (selectedTrustedCertificates.length > 1) {\n warningLog(\n \"Warning more than one certificate exists with subjectKeyIdentifier in trusted certificate list \",\n wantedIssuerKey,\n selectedTrustedCertificates.length\n );\n }\n return selectedTrustedCertificates.length > 0 ? selectedTrustedCertificates[0].certificate : null;\n }\n\n /*\n \n * check if the certificate explicitly appear in the trust list, the reject list or none.\n * In case of being in the reject and trusted list at the same time is consider: rejected.\n * @internal\n * @private\n /\n async #checkRejectedOrTrusted(certificate: Buffer): Promise<CertificateStatus> {\n const fingerprint = makeFingerprint(certificate);\n\n debugLog(\"#checkRejectedOrTrusted fingerprint \", short(fingerprint));\n\n await this.#readCertificates();\n\n if (this.#thumbs.rejected.has(fingerprint)) {\n return \"rejected\";\n }\n if (this.#thumbs.trusted.has(fingerprint)) {\n return \"trusted\";\n }\n return \"unknown\";\n }\n\n async #moveCertificate(certificate: Certificate, newStatus: CertificateStatus) {\n await this.withLock2(async () => {\n const fingerprint = makeFingerprint(certificate);\n\n let status = await this.#checkRejectedOrTrusted(certificate);\n if (status === \"unknown\") {\n // # unknown mean rejected\n const pem = toPem(certificate, \"CERTIFICATE\");\n const filename = path.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);\n await fs.promises.writeFile(filename, pem);\n this.#thumbs.rejected.set(fingerprint, { certificate, filename });\n status = \"rejected\";\n }\n\n debugLog(\"#moveCertificate\", fingerprint.substring(0, 10), \"from\", status, \"to\", newStatus);\n\n if (status !== \"rejected\" && status !== \"trusted\") {\n throw new Error(`#moveCertificate: unexpected status '${status}' for certificate ${fingerprint.substring(0, 10)}`);\n }\n\n if (status !== newStatus) {\n const indexSrc = status === \"rejected\" ? this.#thumbs.rejected : this.#thumbs.trusted;\n const srcEntry = indexSrc.get(fingerprint);\n\n if (!srcEntry) {\n debugLog(\" cannot find certificate \", fingerprint.substring(0, 10), \" in\", status);\n throw new Error(`#moveCertificate: certificate ${fingerprint.substring(0, 10)} not found in ${status} index`);\n }\n const destFolder = newStatus === \"trusted\" ? this.trustedFolder : this.rejectedFolder;\n const certificateDest = path.join(destFolder, path.basename(srcEntry.filename));\n\n debugLog(\"#moveCertificate\", fingerprint.substring(0, 10), \"old name\", srcEntry.filename);\n debugLog(\"#moveCertificate\", fingerprint.substring(0, 10), \"new name\", certificateDest);\n await fs.promises.rename(srcEntry.filename, certificateDest);\n indexSrc.delete(fingerprint);\n const indexDest = newStatus === \"trusted\" ? this.#thumbs.trusted : this.#thumbs.rejected;\n indexDest.set(fingerprint, { certificate, filename: certificateDest });\n }\n });\n }\n #findAssociatedCRLs(issuerCertificate: Certificate): CRLData \| null {\n const issuerCertificateInfo = exploreCertificateCached(issuerCertificate);\n const key = issuerCertificateInfo.tbsCertificate.subjectFingerPrint;\n return this.#thumbs.issuersCrl.get(key) ?? this.#thumbs.crl.get(key) ?? null;\n }\n\n /\n Check whether a certificate has been revoked by its issuer's CRL.\n \n - Self-signed certificates are never considered revoked.\n * - If no `issuerCertificate` is provided, the method attempts\n * to find it via {@link findIssuerCertificate}.\n \n @param certificate - the DER-encoded certificate to check\n * @param issuerCertificate - optional issuer certificate; looked\n * up automatically when omitted\n * @returns `Good` if not revoked, `BadCertificateRevoked` if the\n * serial number appears in a CRL,\n * `BadCertificateRevocationUnknown` if no CRL is available,\n * or `BadCertificateChainIncomplete` if the issuer cannot be\n * found.\n /\n public async isCertificateRevoked(\n certificate: Certificate,\n issuerCertificate?: Certificate \| null\n ): Promise<VerificationStatus> {\n if (isSelfSigned3(certificate)) {\n return VerificationStatus.Good;\n }\n\n if (!issuerCertificate) {\n issuerCertificate = await this.findIssuerCertificate(certificate);\n }\n if (!issuerCertificate) {\n return VerificationStatus.BadCertificateChainIncomplete;\n }\n const crls = this.#findAssociatedCRLs(issuerCertificate);\n\n if (!crls) {\n return VerificationStatus.BadCertificateRevocationUnknown;\n }\n const certInfo = exploreCertificateCached(certificate);\n const serialNumber =\n certInfo.tbsCertificate.serialNumber \|\| certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.serial \|\| \"\";\n\n const key = certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint \|\| \"<unknown>\";\n const crl2 = this.#thumbs.crl.get(key) ?? null;\n\n if (crls.serialNumbers[serialNumber] \|\| crl2?.serialNumbers[serialNumber]) {\n return VerificationStatus.BadCertificateRevoked;\n }\n return VerificationStatus.Good;\n }\n\n #pendingCrlToProcess = 0;\n #onCrlProcessWaiters: (() => void)[] = [];\n #queue: { index: Map<string, CRLData>; filename: string }[] = [];\n #onCrlFileAdded(index: Map<string, CRLData>, filename: string) {\n this.#queue.push({ index, filename });\n this.#pendingCrlToProcess += 1;\n if (this.#pendingCrlToProcess === 1) {\n this.#processNextCrl();\n }\n }\n async #processNextCrl() {\n try {\n const nextCRL = this.#queue.shift();\n if (!nextCRL) return;\n const { index, filename } = nextCRL;\n const crl = await readCertificateRevocationList(filename);\n const crlInfo = exploreCertificateRevocationList(crl);\n debugLog(chalk.cyan(\"add CRL in folder \"), filename);\n const fingerprint = crlInfo.tbsCertList.issuerFingerprint;\n if (!index.has(fingerprint)) {\n index.set(fingerprint, { crls: [], serialNumbers: {} });\n }\n const data = index.get(fingerprint) \|\| { crls: [], serialNumbers: {} };\n data.crls.push({ crlInfo, filename });\n\n // now inject serial numbers\n for (const revokedCertificate of crlInfo.tbsCertList.revokedCertificates) {\n const serialNumber = revokedCertificate.userCertificate;\n if (!data.serialNumbers[serialNumber]) {\n data.serialNumbers[serialNumber] = revokedCertificate.revocationDate;\n }\n }\n debugLog(chalk.cyan(\"CRL\"), fingerprint, \"serial numbers = \", Object.keys(data.serialNumbers));\n } catch (err) {\n debugLog(\"CRL filename error =\");\n debugLog(err);\n }\n this.#pendingCrlToProcess -= 1;\n if (this.#pendingCrlToProcess === 0) {\n for (const waiter of this.#onCrlProcessWaiters) {\n waiter();\n }\n this.#onCrlProcessWaiters.length = 0;\n } else {\n this.#processNextCrl();\n }\n }\n async #readCertificates(): Promise<void> {\n if (this.#readCertificatesCalled) {\n return;\n }\n this.#readCertificatesCalled = true;\n\n // Chokidar configuration choices:\n //\n // usePolling: false (default)\n // Use native OS file-system events (inotify on Linux,\n // FSEvents on macOS, ReadDirectoryChangesW on Windows)\n // for near-real-time detection of cert/CRL additions\n // and removals. This is significantly faster than\n // polling (milliseconds vs seconds).\n //\n // Set OPCUA_PKI_USE_POLLING=true to revert to polling\n // for environments where native events are unreliable\n // (NFS, CIFS, Docker volumes, or other remote/virtual\n // file systems).\n //\n // persistent: false\n // Watchers do NOT keep the Node.js event loop alive.\n // This prevents the process from hanging if the\n // CertificateManager is not properly disposed. The\n // trade-off is that watchers stop receiving events if\n // there are no other active handles — acceptable since\n // CertificateManager always runs alongside a server.\n //\n // awaitWriteFinish: not set\n // Certificate and CRL files are small (typically < 5 KB)\n // and written atomically (fs.writeFile). No need to\n // wait for write stabilization, which would add a 2s+\n // delay before the in-memory index is updated.\n //\n const usePolling = process.env.OPCUA_PKI_USE_POLLING === \"true\";\n const envInterval = process.env.OPCUA_PKI_POLLING_INTERVAL\n ? parseInt(process.env.OPCUA_PKI_POLLING_INTERVAL, 10)\n : undefined;\n const pollingInterval = Math.min(10 60 * 1000, Math.max(100, envInterval ?? this.folderPollingInterval));\n const chokidarOptions = {\n usePolling,\n ...(usePolling ? { interval: pollingInterval } : {}),\n persistent: false\n };\n\n // Workaround for two chokidar v4 bugs with persistent:false:\n //\n // 1. Chokidar does not propagate persistent:false to the\n // underlying fs.watch() handles. Without .unref(), an\n // undisposed CertificateManager blocks process exit.\n //\n // 2. Chokidar does not register an 'error' handler on\n // fs.watch when persistent:false (handler.js l.160-168).\n // On Windows + Node < 22, the native handle fires EPERM\n // when the watched directory is removed, which becomes\n // an uncaught exception that crashes the process.\n //\n // We install a single shared fs.watch() interception BEFORE\n // creating all 5 watchers. Every captured handle gets both\n // an error handler (fix #2) and is later .unref()'d (fix #1).\n //\n // The interception stays active until ALL watchers have\n // emitted \"ready\" — chokidar creates fs.watch handles\n // asynchronously during directory scanning, so we must keep\n // the interception alive until that completes.\n const allCapturedHandles: fs.FSWatcher[] = [];\n const origWatch = fs.watch;\n let watcherReadyCount = 0;\n const totalWatchers = 5;\n\n fs.watch = ((...args: Parameters<typeof fs.watch>) => {\n const handle = origWatch.apply(fs, args);\n handle.setMaxListeners(handle.getMaxListeners() + 1);\n handle.on(\"error\", () => {\n /* swallow – watched directory was removed /\n });\n allCapturedHandles.push(handle);\n return handle;\n }) as typeof fs.watch;\n\n const createUnreffedWatcher = (folder: string) => {\n const startIdx = allCapturedHandles.length;\n const w = chokidar.watch(folder, chokidarOptions);\n const unreffAll = () => {\n // Unref only handles created for THIS watcher\n for (let i = startIdx; i < allCapturedHandles.length; i++) {\n allCapturedHandles[i].unref();\n }\n // Restore fs.watch once ALL watchers are ready\n watcherReadyCount++;\n if (watcherReadyCount >= totalWatchers) {\n fs.watch = origWatch;\n }\n };\n return { w, capturedHandles: allCapturedHandles.slice(startIdx), unreffAll };\n };\n\n // ── Phase 1: Async scan ─────────────────────────────────\n // Populate the in-memory indexes by reading existing\n // files. Uses async readdir/stat to yield the event loop\n // between files. All 5 folders are scanned in parallel.\n await Promise.all([\n this.#scanCertFolder(this.trustedFolder, this.#thumbs.trusted),\n this.#scanCertFolder(this.issuersCertFolder, this.#thumbs.issuers.certs),\n this.#scanCertFolder(this.rejectedFolder, this.#thumbs.rejected),\n this.#scanCrlFolder(this.crlFolder, this.#thumbs.crl),\n this.#scanCrlFolder(this.issuersCrlFolder, this.#thumbs.issuersCrl)\n ]);\n\n // ── Phase 2: Deferred file watchers ─────────────────────\n // Start chokidar watchers in the background. We do NOT\n // await \"ready\" so initialize() returns immediately after\n // the sync scan. Chokidar will re-discover existing files\n // (harmless Map overwrites) then watch for live changes.\n this.#startWatcher(this.trustedFolder, this.#thumbs.trusted, createUnreffedWatcher, \"trusted\");\n this.#startWatcher(this.issuersCertFolder, this.#thumbs.issuers.certs, createUnreffedWatcher, \"issuersCerts\");\n this.#startWatcher(this.rejectedFolder, this.#thumbs.rejected, createUnreffedWatcher, \"rejected\");\n this.#startCrlWatcher(this.crlFolder, this.#thumbs.crl, createUnreffedWatcher, \"crl\");\n this.#startCrlWatcher(this.issuersCrlFolder, this.#thumbs.issuersCrl, createUnreffedWatcher, \"issuersCrl\");\n }\n\n /\n Scan a certificate folder and populate the in-memory index.\n * Uses async readdir/stat to yield the event loop between\n * file reads, preventing main-loop stalls with large folders.\n /\n async #scanCertFolder(folder: string, index: Map<string, Entry>): Promise<void> {\n if (!fs.existsSync(folder)) return;\n const files = await fs.promises.readdir(folder);\n for (const file of files) {\n const filename = path.join(folder, file);\n try {\n const stat = await fs.promises.stat(filename);\n if (!stat.isFile()) continue;\n const certificate = await readCertificateAsync(filename);\n const info = exploreCertificateCached(certificate);\n const fingerprint = makeFingerprint(certificate);\n index.set(fingerprint, { certificate, filename, info });\n this.#filenameToHash.set(filename, fingerprint);\n } catch (err) {\n debugLog(`scanCertFolder: skipping ${filename}`, err);\n }\n }\n }\n\n /\n Scan a CRL folder and populate the in-memory CRL index.\n /\n async #scanCrlFolder(folder: string, index: Map<string, CRLData>): Promise<void> {\n if (!fs.existsSync(folder)) return;\n const files = await fs.promises.readdir(folder);\n for (const file of files) {\n const filename = path.join(folder, file);\n try {\n const stat = await fs.promises.stat(filename);\n if (!stat.isFile()) continue;\n this.#onCrlFileAdded(index, filename);\n } catch (err) {\n debugLog(`scanCrlFolder: skipping ${filename}`, err);\n }\n }\n await this.#waitAndCheckCRLProcessingStatus();\n }\n\n /\n Start a chokidar watcher for a CRL folder.\n * Non-blocking — does NOT await \"ready\".\n /\n #startCrlWatcher(\n folder: string,\n index: Map<string, CRLData>,\n createUnreffedWatcher: (folder: string) => { w: ChokidarFSWatcher; unreffAll: () => void },\n store: CrlStore\n ): void {\n const { w, unreffAll } = createUnreffedWatcher(folder);\n w.on(\"error\", (err: unknown) => {\n debugLog(`chokidar CRL watcher error on ${folder}:`, err);\n });\n let ready = false;\n\n w.on(\"unlink\", (filename: string) => {\n for (const [key, data] of index.entries()) {\n data.crls = data.crls.filter((c) => c.filename !== filename);\n if (data.crls.length === 0) {\n index.delete(key);\n }\n }\n if (ready) {\n this.emit(\"crlRemoved\", { store, filename });\n }\n });\n w.on(\"add\", (filename: string) => {\n if (ready) {\n this.#onCrlFileAdded(index, filename);\n this.emit(\"crlAdded\", { store, filename });\n }\n });\n w.on(\"change\", (changedPath: string) => {\n debugLog(\"change in folder \", folder, changedPath);\n });\n this.#watchers.push(w as unknown as fs.FSWatcher);\n this.#pendingUnrefs.add(unreffAll);\n w.on(\"ready\", () => {\n ready = true;\n this.#pendingUnrefs.delete(unreffAll);\n unreffAll();\n });\n }\n\n /\n Start a chokidar watcher for a certificate folder.\n * Non-blocking — does NOT await \"ready\".\n /\n #startWatcher(\n folder: string,\n index: Map<string, Entry>,\n createUnreffedWatcher: (folder: string) => { w: ChokidarFSWatcher; unreffAll: () => void },\n store: CertificateStore\n ): void {\n const { w, unreffAll } = createUnreffedWatcher(folder);\n w.on(\"error\", (err: unknown) => {\n debugLog(`chokidar cert watcher error on ${folder}:`, err);\n });\n let ready = false;\n w.on(\"unlink\", (filename: string) => {\n debugLog(chalk.cyan(`unlink in folder ${folder}`), filename);\n const h = this.#filenameToHash.get(filename);\n if (h && index.has(h)) {\n index.delete(h);\n this.emit(\"certificateRemoved\", { store, fingerprint: h, filename });\n }\n });\n w.on(\"add\", (filename: string) => {\n debugLog(chalk.cyan(`add in folder ${folder}`), filename);\n try {\n const certificate = readCertificate(filename);\n const info = exploreCertificateCached(certificate);\n const fingerprint = makeFingerprint(certificate);\n\n const isNew = !index.has(fingerprint);\n index.set(fingerprint, { certificate, filename, info });\n this.#filenameToHash.set(filename, fingerprint);\n\n debugLog(\n chalk.magenta(\"CERT\"),\n info.tbsCertificate.subjectFingerPrint,\n info.tbsCertificate.serialNumber,\n info.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint\n );\n if (ready \|\| isNew) {\n this.emit(\"certificateAdded\", { store, certificate, fingerprint, filename });\n }\n } catch (err) {\n debugLog(`Walk files in folder ${folder} with file ${filename}`);\n debugLog(err);\n }\n });\n w.on(\"change\", (changedPath: string) => {\n debugLog(chalk.cyan(`change in folder ${folder}`), changedPath);\n try {\n const certificate = readCertificate(changedPath);\n const newFingerprint = makeFingerprint(certificate);\n const oldHash = this.#filenameToHash.get(changedPath);\n if (oldHash && oldHash !== newFingerprint) {\n index.delete(oldHash);\n }\n index.set(newFingerprint, { certificate, filename: changedPath, info: exploreCertificateCached(certificate) });\n this.#filenameToHash.set(changedPath, newFingerprint);\n this.emit(\"certificateChange\", { store, certificate, fingerprint: newFingerprint, filename: changedPath });\n } catch (err) {\n debugLog(`change event: failed to re-read ${changedPath}`, err);\n }\n });\n this.#watchers.push(w as unknown as fs.FSWatcher);\n this.#pendingUnrefs.add(unreffAll);\n w.on(\"ready\", () => {\n ready = true;\n this.#pendingUnrefs.delete(unreffAll);\n unreffAll();\n debugLog(\"ready\");\n debugLog([...index.keys()].map((k) => k.substring(0, 10)));\n });\n }\n\n // make sure that all crls have been processed.\n async #waitAndCheckCRLProcessingStatus(): Promise<void> {\n return new Promise((resolve, _reject) => {\n if (this.#pendingCrlToProcess === 0) {\n setImmediate(resolve);\n return;\n }\n this.#onCrlProcessWaiters.push(resolve);\n });\n }\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nexport from \"./common\";\nexport * from \"./common2\";\nexport * from \"./config\";\nexport * from \"./debug\";\nexport * from \"./display\";\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport type { ProcessAltNamesParam } from \"../common\";\nimport { g_config } from \"../config\";\nimport { warningLog } from \"../debug\";\n\nexport const exportedEnvVars: Record<string, string> = {};\n\nexport function setEnv(varName: string, value: string): void {\n // istanbul ignore next\n if (!g_config.silent) {\n warningLog(` set ${varName}=${value}`);\n }\n exportedEnvVars[varName] = value;\n\n if ([\"OPENSSL_CONF\"].indexOf(varName) >= 0) {\n process.env[varName] = value;\n }\n if ([\"RANDFILE\"].indexOf(varName) >= 0) {\n process.env[varName] = value;\n }\n}\n\nexport function hasEnv(varName: string): boolean {\n return Object.prototype.hasOwnProperty.call(exportedEnvVars, varName);\n}\nexport function getEnv(varName: string): string {\n return exportedEnvVars[varName];\n}\n\nexport function getEnvironmentVarNames(): { key: string; pattern: string }[] {\n return Object.keys(exportedEnvVars).map((varName: string) => {\n return { key: varName, pattern: `\\\\$ENV\\\\:\\\\:${varName}` };\n });\n}\n\nexport function processAltNames(params: ProcessAltNamesParam) {\n params.dns = params.dns \|\| [];\n params.ip = params.ip \|\| [];\n\n // construct subjectAtlName\n let subjectAltName: string[] = [];\n subjectAltName.push(`URI:${params.applicationUri}`);\n subjectAltName = ([] as string[]).concat(\n subjectAltName,\n params.dns.map((d: string) => `DNS:${d}`)\n );\n subjectAltName = ([] as string[]).concat(\n subjectAltName,\n params.ip.map((d: string) => `IP:${d}`)\n );\n const subjectAltNameString = subjectAltName.join(\", \");\n setEnv(\"ALTNAME\", subjectAltNameString);\n}\n","export type { SubjectOptions } from \"node-opcua-crypto\";\nexport { Subject } from \"node-opcua-crypto\";\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n// tslint:disable:no-console\n// tslint:disable:no-shadowed-variable\n\nimport child_process from \"node:child_process\";\nimport fs from \"node:fs\";\nimport os from \"node:os\";\nimport path from \"node:path\";\nimport type { Readable } from \"node:stream\";\nimport url from \"node:url\";\n\nimport byline from \"byline\";\nimport chalk from \"chalk\";\nimport ProgressBar from \"progress\";\nimport wget from \"wget-improved-2\";\nimport yauzl from \"yauzl\";\n\nimport { warningLog } from \"../debug\";\n\nconst doDebug = process.env.NODEOPCUAPKIDEBUG \|\| false;\n\ndeclare interface ProxyOptions {\n host: string;\n port: number;\n localAddress?: string;\n proxyAuth?: string;\n headers?: Record<string, string>;\n protocol: string; // \"https\" \| \"http\"\n}\ndeclare interface WgetOptions {\n gunzip?: boolean;\n proxy?: ProxyOptions;\n}\n\ndeclare interface WgetInterface {\n download(url: string, outputFilename: string, options: WgetOptions): NodeJS.EventEmitter;\n}\n\ninterface ExecuteResult {\n exitCode: number;\n output: string;\n}\n\nfunction makeOptions(): WgetOptions {\n const proxy =\n process.env.HTTPS_PROXY \|\| process.env.https_proxy \|\| process.env.HTTP_PROXY \|\| process.env.http_proxy \|\| undefined;\n if (proxy) {\n const a = new url.URL(proxy);\n const auth = a.username ? `${a.username}:${a.password}` : undefined;\n\n const options: WgetOptions = {\n proxy: {\n port: a.port ? parseInt(a.port, 10) : 80,\n protocol: a.protocol.replace(\":\", \"\"),\n host: a.hostname ?? \"\",\n proxyAuth: auth\n }\n };\n warningLog(chalk.green(\"- using proxy \"), proxy);\n warningLog(options);\n return options;\n }\n return {};\n}\n\nasync function execute(cmd: string, cwd?: string): Promise<ExecuteResult> {\n let output = \"\";\n\n // xx cwd = cwd ? {cwd: cwd} : {};\n const options = {\n cwd,\n windowsHide: true\n };\n\n return await new Promise<ExecuteResult>((resolve, reject) => {\n const child = child_process.exec(\n cmd,\n options,\n (err: child_process.ExecException \| null /, stdout: string, stderr: string/) => {\n const exitCode = err === null ? 0 : err.code \|\| 1;\n if (err) reject(err);\n else {\n resolve({ exitCode, output });\n }\n }\n );\n\n const stream1 = byline(child.stdout as Readable);\n stream1.on(\"data\", (line: string) => {\n output += `${line}\\n`;\n // istanbul ignore next\n if (doDebug) {\n process.stdout.write(` stdout ${chalk.yellow(line)}\\n`);\n }\n });\n });\n}\n\nfunction quote(str: string): string {\n return `\"${str.replace(/\\\\/g, \"/\")}\"`;\n}\n\nfunction is_expected_openssl_version(strVersion: string): boolean {\n return !!strVersion.match(/OpenSSL 1\|3/);\n}\n\nasync function getopensslExecPath(): Promise<string> {\n let result1: ExecuteResult \| undefined;\n try {\n result1 = await execute(\"which openssl\");\n } catch (err) {\n warningLog(\"warning: \", (err as Error).message);\n throw new Error(\"Cannot find openssl\");\n }\n\n const exitCode = result1?.exitCode;\n const output = result1?.output;\n\n if (exitCode !== 0) {\n warningLog(chalk.yellow(\" it seems that \") + chalk.cyan(\"openssl\") + chalk.yellow(\" is not installed on your computer \"));\n warningLog(chalk.yellow(\"Please install it before running this programs\"));\n throw new Error(\"Cannot find openssl\");\n }\n const opensslExecPath = output.replace(/\\n\\r/g, \"\").trim();\n return opensslExecPath;\n}\nexport async function check_system_openssl_version(): Promise<string> {\n const opensslExecPath = await getopensslExecPath();\n\n // tslint:disable-next-line:variable-name\n const q_opensslExecPath = quote(opensslExecPath);\n\n // istanbul ignore next\n if (doDebug) {\n warningLog(` OpenSSL found in : ${chalk.yellow(opensslExecPath)}`);\n }\n // ------------------------ now verify that openssl version is the correct one\n const result = await execute(`${q_opensslExecPath} version`);\n\n const exitCode = result?.exitCode;\n const output = result?.output;\n\n const version = output.trim();\n\n const versionOK = exitCode === 0 && is_expected_openssl_version(version);\n if (!versionOK) {\n let message =\n chalk.whiteBright(\"Warning !!!!!!!!!!!! \") +\n \"\\nyour version of openssl is \" +\n version +\n \". It doesn't match the expected version\";\n\n if (process.platform === \"darwin\") {\n message +=\n chalk.cyan(\"\\nplease refer to :\") +\n chalk.yellow(\" https://github.com/node-opcua/node-opcua/\" + \"wiki/installing-node-opcua-or-node-red-on-MacOS\");\n }\n\n console.log(message);\n }\n return output;\n}\n\nasync function install_and_check_win32_openssl_version(): Promise<string> {\n const downloadFolder = path.join(os.tmpdir(), \".\");\n\n function get_openssl_folder_win32(): string {\n if (process.env.LOCALAPPDATA) {\n const userProgramFolder = path.join(process.env.LOCALAPPDATA, \"Programs\");\n if (fs.existsSync(userProgramFolder)) {\n return path.join(userProgramFolder, \"openssl\");\n }\n }\n return path.join(process.cwd(), \"openssl\");\n }\n\n function get_openssl_exec_path_win32(): string {\n const opensslFolder = get_openssl_folder_win32();\n return path.join(opensslFolder, \"openssl.exe\");\n }\n\n async function check_openssl_win32(): Promise<{ opensslOk?: boolean; version?: string }> {\n const opensslExecPath = get_openssl_exec_path_win32();\n\n const exists = fs.existsSync(opensslExecPath);\n if (!exists) {\n warningLog(\"checking presence of \", opensslExecPath);\n warningLog(chalk.red(\" cannot find file \") + opensslExecPath);\n return {\n opensslOk: false,\n version: `cannot find file ${opensslExecPath}`\n };\n } else {\n // tslint:disable-next-line:variable-name\n const q_openssl_exe_path = quote(opensslExecPath);\n const cwd = \".\";\n\n const { exitCode, output } = await execute(`${q_openssl_exe_path} version`, cwd);\n const version = output.trim();\n // istanbul ignore next\n\n if (doDebug) {\n warningLog(\" Version = \", version);\n }\n return {\n opensslOk: exitCode === 0 && is_expected_openssl_version(version),\n version\n };\n }\n }\n\n /*\n detect whether windows OS is a 64 bits or 32 bits\n * http://ss64.com/nt/syntax-64bit.html\n * http://blogs.msdn.com/b/david.wang/archive/2006/03/26/howto-detect-process-bitness.aspx\n * @return {number}\n /\n function win32or64(): 32 \| 64 {\n if (process.env.PROCESSOR_ARCHITECTURE === \"x86\" && process.env.PROCESSOR_ARCHITEW6432) {\n return 64;\n }\n\n if (process.env.PROCESSOR_ARCHITECTURE === \"AMD64\") {\n return 64;\n }\n\n // check if we are running node x32 on a x64 arch\n if (process.env.CURRENT_CPU === \"x64\") {\n return 64;\n }\n return 32;\n }\n\n async function download_openssl(): Promise<{ downloadedFile: string }> {\n // const url = (win32or64() === 64 )\n // ? \"http://indy.fulgan.com/SSL/openssl-1.0.2o-x64_86-win64.zip\"\n // : \"http://indy.fulgan.com/SSL/openssl-1.0.2o-i386-win32.zip\"\n // ;\n const url =\n win32or64() === 64\n ? \"https://github.com/node-opcua/node-opcua-pki/releases/download/2.14.2/openssl-1.0.2u-x64_86-win64.zip\"\n : \"https://github.com/node-opcua/node-opcua-pki/releases/download/2.14.2/openssl-1.0.2u-i386-win32.zip\";\n // the zip file\n const outputFilename = path.join(downloadFolder, path.basename(url));\n\n warningLog(`downloading ${chalk.yellow(url)} to ${outputFilename}`);\n\n if (fs.existsSync(outputFilename)) {\n return { downloadedFile: outputFilename };\n }\n const options = makeOptions();\n const bar = new ProgressBar(chalk.cyan(\"[:bar]\") + chalk.cyan(\" :percent \") + chalk.white(\":etas\"), {\n complete: \"=\",\n incomplete: \" \",\n total: 100,\n width: 100\n });\n\n return await new Promise((resolve, reject) => {\n const download = wget.download(url, outputFilename, options);\n download.on(\"error\", (err: Error) => {\n warningLog(err);\n setImmediate(() => {\n reject(err);\n });\n });\n download.on(\"end\", (output: string) => {\n // istanbul ignore next\n if (doDebug) {\n warningLog(output);\n }\n // warningLog(\"done ...\");\n resolve({ downloadedFile: outputFilename });\n });\n download.on(\"progress\", (progress: number) => {\n bar.update(progress);\n });\n });\n }\n\n async function unzip_openssl(zipFilename: string) {\n const opensslFolder = get_openssl_folder_win32();\n\n const zipFile = await new Promise<yauzl.ZipFile>((resolve, reject) => {\n yauzl.open(zipFilename, { lazyEntries: true }, (err?: Error \| null, zipfile?: yauzl.ZipFile) => {\n if (err) {\n reject(err);\n } else {\n if (!zipfile) {\n reject(new Error(\"zipfile is null\"));\n } else {\n resolve(zipfile);\n }\n }\n });\n });\n\n zipFile.readEntry();\n\n await new Promise<void>((resolve, reject) => {\n zipFile.on(\"end\", (err?: Error) => {\n setImmediate(() => {\n // istanbul ignore next\n if (doDebug) {\n warningLog(\"unzip done\");\n }\n if (err) {\n reject(err);\n } else {\n resolve();\n }\n });\n });\n\n zipFile.on(\"entry\", (entry: yauzl.Entry) => {\n zipFile.openReadStream(entry, (err?: Error \| null, readStream?: Readable) => {\n if (err) {\n return reject(err);\n }\n\n const file = path.join(opensslFolder, entry.fileName);\n\n // istanbul ignore next\n if (doDebug) {\n warningLog(\" unzipping :\", file);\n }\n\n const writeStream = fs.createWriteStream(file, \"binary\");\n // ensure parent directory exists\n readStream?.pipe(writeStream);\n\n writeStream.on(\"close\", () => {\n zipFile.readEntry();\n });\n });\n });\n });\n }\n\n const opensslFolder = get_openssl_folder_win32();\n const opensslExecPath = get_openssl_exec_path_win32();\n\n if (!fs.existsSync(opensslFolder)) {\n // istanbul ignore next\n if (doDebug) {\n warningLog(\"creating openssl_folder\", opensslFolder);\n }\n fs.mkdirSync(opensslFolder);\n }\n\n const { opensslOk, version: _version } = await check_openssl_win32();\n\n if (!opensslOk) {\n warningLog(chalk.yellow(\"openssl seems to be missing and need to be installed\"));\n const { downloadedFile } = await download_openssl();\n\n // istanbul ignore next\n if (doDebug) {\n warningLog(\"deflating \", chalk.yellow(downloadedFile));\n }\n await unzip_openssl(downloadedFile);\n\n const opensslExists = !!fs.existsSync(opensslExecPath);\n\n // istanbul ignore next\n if (doDebug) {\n warningLog(\"verifying \", opensslExists, opensslExists ? chalk.green(\"OK \") : chalk.red(\" Error\"), opensslExecPath);\n }\n\n const _opensslExecPath2 = await check_openssl_win32();\n return opensslExecPath;\n } else {\n // istanbul ignore next\n if (doDebug) {\n warningLog(chalk.green(\"openssl is already installed and have the expected version.\"));\n }\n return opensslExecPath;\n }\n}\n\n/\n \n * return path to the openssl executable\n /\nexport async function install_prerequisite(): Promise<string> {\n // istanbul ignore else\n if (process.platform !== \"win32\") {\n return await check_system_openssl_version();\n } else {\n return await install_and_check_win32_openssl_version();\n }\n}\n\nexport async function get_openssl_exec_path(): Promise<string> {\n if (process.platform === \"win32\") {\n const opensslExecPath = await install_prerequisite();\n if (!fs.existsSync(opensslExecPath)) {\n throw new Error(`internal error cannot find ${opensslExecPath}`);\n }\n return opensslExecPath;\n } else {\n return \"openssl\";\n }\n}\n","/ eslint-disable @typescript-eslint/no-explicit-any /\n// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n// tslint:disable:no-console\n// tslint:disable:no-shadowed-variable\n\nimport assert from \"node:assert\";\nimport child_process from \"node:child_process\";\nimport fs from \"node:fs\";\nimport os from \"node:os\";\nimport byline from \"byline\";\nimport chalk from \"chalk\";\nimport { quote } from \"../common\";\nimport { makePath } from \"../common2\";\nimport { g_config } from \"../config\";\nimport { debugLog, displayError, doDebug, warningLog } from \"../debug\";\nimport { setEnv } from \"./_env\";\nimport { get_openssl_exec_path } from \"./install_prerequisite\";\n\n// tslint:disable-next-line:variable-name\n\nlet opensslPath: string \| undefined; // not initialized\n\nconst n = makePath;\n\nexport interface ExecuteOptions {\n cwd?: string;\n hideErrorMessage?: boolean;\n}\n\nexport async function execute(cmd: string, options: ExecuteOptions): Promise<string> {\n const from = new Error();\n\n options.cwd = options.cwd \|\| process.cwd();\n\n // istanbul ignore next\n if (!g_config.silent) {\n warningLog(chalk.cyan(\" CWD \"), options.cwd);\n }\n\n const outputs: string[] = [];\n\n return await new Promise((resolve, reject) => {\n const child = child_process.exec(\n cmd,\n {\n cwd: options.cwd,\n windowsHide: true\n },\n (err: child_process.ExecException \| null) => {\n // istanbul ignore next\n if (err) {\n if (!options.hideErrorMessage) {\n const fence = \"###########################################\";\n console.error(chalk.bgWhiteBright.redBright(`${fence} OPENSSL ERROR ${fence}`));\n console.error(chalk.bgWhiteBright.redBright(`CWD = ${options.cwd}`));\n console.error(chalk.bgWhiteBright.redBright(err.message));\n console.error(chalk.bgWhiteBright.redBright(`${fence} OPENSSL ERROR ${fence}`));\n\n console.error(from.stack);\n }\n reject(new Error(err.message));\n return;\n }\n resolve(outputs.join(\"\"));\n }\n );\n\n if (child.stdout) {\n const stream2 = byline(child.stdout);\n stream2.on(\"data\", (line: string) => {\n outputs.push(`${line}\\n`);\n });\n if (!g_config.silent) {\n stream2.on(\"data\", (line: string) => {\n line = line.toString();\n if (doDebug) {\n process.stdout.write(`${chalk.white(\" stdout \") + chalk.whiteBright(line)}\\n`);\n }\n });\n }\n }\n\n // istanbul ignore next\n if (!g_config.silent) {\n if (child.stderr) {\n const stream1 = byline(child.stderr);\n stream1.on(\"data\", (line: string) => {\n line = line.toString();\n if (displayError) {\n process.stdout.write(`${chalk.white(\" stderr \") + chalk.red(line)}\\n`);\n }\n });\n }\n }\n });\n}\n\nexport async function find_openssl(): Promise<string> {\n return await get_openssl_exec_path();\n}\n\nexport async function ensure_openssl_installed(): Promise<void> {\n if (!opensslPath) {\n opensslPath = await find_openssl();\n const outputs = await execute_openssl(\"version\", { cwd: \".\" });\n g_config.opensslVersion = outputs.trim();\n if (doDebug) {\n warningLog(\"OpenSSL version : \", g_config.opensslVersion);\n }\n }\n}\n\nexport async function executeOpensslAsync(cmd: string, options: ExecuteOpenSSLOptions): Promise<string> {\n return await execute_openssl(cmd, options);\n}\n\nexport async function execute_openssl_no_failure(cmd: string, options: ExecuteOpenSSLOptions) {\n options = options \|\| {};\n options.hideErrorMessage = true;\n try {\n return await execute_openssl(cmd, options);\n } catch (err) {\n debugLog(\" (ignored error = ERROR : )\", (err as Error).message);\n }\n}\n\nfunction getTempFolder(): string {\n return os.tmpdir();\n}\n\nexport interface ExecuteOpenSSLOptions extends ExecuteOptions {\n openssl_conf?: string;\n}\n\nexport async function execute_openssl(cmd: string, options: ExecuteOpenSSLOptions): Promise<string> {\n debugLog(\"execute_openssl\", cmd, options);\n const empty_config_file = n(getTempFolder(), \"empty_config.cnf\");\n if (!fs.existsSync(empty_config_file)) {\n await fs.promises.writeFile(empty_config_file, \"# empty config file\");\n }\n\n options = options \|\| {};\n options.openssl_conf = options.openssl_conf \|\| empty_config_file; // \"!! OPEN SLL CONF NOT DEFINED BAD FILE !!\";\n assert(options.openssl_conf);\n setEnv(\"OPENSSL_CONF\", options.openssl_conf);\n\n // istanbul ignore next\n if (!g_config.silent) {\n warningLog(chalk.cyan(\" OPENSSL_CONF\"), process.env.OPENSSL_CONF);\n warningLog(chalk.cyan(\" RANDFILE \"), process.env.RANDFILE);\n warningLog(chalk.cyan(\" CMD openssl \"), chalk.cyanBright(cmd));\n }\n await ensure_openssl_installed();\n return await execute(`${quote(opensslPath)} ${cmd}`, options);\n}\n","/ eslint-disable @typescript-eslint/no-explicit-any /\n// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n// tslint:disable:no-console\n// tslint:disable:no-shadowed-variable\n\nimport assert from \"node:assert\";\n\nimport fs from \"node:fs\";\nimport path from \"node:path\";\n\nimport type { Filename } from \"../common\";\nimport { quote } from \"../common\";\nimport { makePath } from \"../common2\";\nimport { g_config } from \"../config\";\nimport { getEnv, getEnvironmentVarNames } from \"./_env\";\nimport { type ExecuteOptions, execute_openssl } from \"./execute_openssl\";\n\nfunction openssl_require2DigitYearInDate() {\n // istanbul ignore next\n if (!g_config.opensslVersion) {\n throw new Error(\n \"openssl_require2DigitYearInDate : openssl version is not known:\" + \" please call ensure_openssl_installed()\"\n );\n }\n return g_config.opensslVersion.match(/OpenSSL 0\\.9/);\n}\n\ng_config.opensslVersion = \"\";\n\nlet _counter = 0;\n\nexport function generateStaticConfig(configPath: string, options?: ExecuteOptions) {\n const prePath = options?.cwd \|\| \"\";\n\n const originalFilename = !path.isAbsolute(configPath) ? path.join(prePath, configPath) : configPath;\n let staticConfig = fs.readFileSync(originalFilename, { encoding: \"utf8\" });\n for (const envVar of getEnvironmentVarNames()) {\n staticConfig = staticConfig.replace(new RegExp(envVar.pattern, \"gi\"), getEnv(envVar.key));\n }\n const staticConfigPath = `${configPath}.${process.pid}-${_counter++}.tmp`;\n const temporaryConfigPath = !path.isAbsolute(configPath) ? path.join(prePath, staticConfigPath) : staticConfigPath;\n fs.writeFileSync(temporaryConfigPath, staticConfig);\n if (options?.cwd) {\n return path.relative(options.cwd, temporaryConfigPath);\n } else {\n return temporaryConfigPath;\n }\n}\n\nconst q = quote;\nconst n = makePath;\n\n/\n calculate the public key from private key\n * openssl rsa -pubout -in private_key.pem\n \n @method getPublicKeyFromPrivateKey\n * @param privateKeyFilename: the existing file with the private key\n * @param publicKeyFilename: the file where to store the public key\n /\nexport async function getPublicKeyFromPrivateKey(privateKeyFilename: string, publicKeyFilename: string): Promise<void> {\n assert(fs.existsSync(privateKeyFilename));\n await execute_openssl(`rsa -pubout -in ${q(n(privateKeyFilename))} -out ${q(n(publicKeyFilename))}`, {});\n}\n\n/\n extract public key from a certificate\n * openssl x509 -pubkey -in certificate.pem -nottext\n \n @method getPublicKeyFromCertificate\n * @param certificateFilename\n * @param publicKeyFilename\n /\nexport async function getPublicKeyFromCertificate(certificateFilename: string, publicKeyFilename: string) {\n assert(fs.existsSync(certificateFilename));\n await execute_openssl(`x509 -pubkey -in ${q(n(certificateFilename))} > ${q(n(publicKeyFilename))}`, {});\n}\nexport function x509Date(date?: Date): string {\n date = date \|\| new Date();\n const Y = date.getUTCFullYear();\n const M = date.getUTCMonth() + 1;\n const D = date.getUTCDate();\n const h = date.getUTCHours();\n const m = date.getUTCMinutes();\n const s = date.getUTCSeconds();\n\n function w(s: string \| number, l: number): string {\n return `${s}`.padStart(l, \"0\");\n }\n\n if (openssl_require2DigitYearInDate()) {\n // for example: on MacOS , where openssl 0.98 is installed by default\n return `${w(Y, 2) + w(M, 2) + w(D, 2) + w(h, 2) + w(m, 2) + w(s, 2)}Z`;\n } else {\n // for instance when openssl version is greater than 1.0.0\n return `${w(Y, 4) + w(M, 2) + w(D, 2) + w(h, 2) + w(m, 2) + w(s, 2)}Z`;\n }\n}\n\n/\n @param certificate - the certificate file in PEM format, file must exist\n /\nexport async function dumpCertificate(certificate: Filename): Promise<string> {\n assert(fs.existsSync(certificate));\n return await execute_openssl(`x509 -in ${q(n(certificate))} -text -noout`, {});\n}\n\nexport async function toDer(certificatePem: string): Promise<string> {\n assert(fs.existsSync(certificatePem));\n const certificateDer = certificatePem.replace(\".pem\", \".der\");\n return await execute_openssl(`x509 -outform der -in ${certificatePem} -out ${certificateDer}`, {});\n}\n\nexport async function fingerprint(certificatePem: string): Promise<string> {\n // openssl x509 -in my_certificate.pem -hash -dates -noout -fingerprint\n assert(fs.existsSync(certificatePem));\n return await execute_openssl(`x509 -fingerprint -noout -in ${certificatePem}`, {});\n}\n","/ eslint-disable @typescript-eslint/no-explicit-any /\n// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n// tslint:disable:no-console\n// tslint:disable:no-shadowed-variable\n\nimport assert from \"node:assert\";\nimport fs from \"node:fs\";\nimport path from \"node:path\";\n\nimport { Subject } from \"../../misc/subject\";\nimport { type CreateCertificateSigningRequestWithConfigOptions, quote } from \"../common\";\nimport { makePath } from \"../common2\";\nimport { displaySubtitle } from \"../display\";\nimport { processAltNames } from \"./_env\";\nimport { execute_openssl } from \"./execute_openssl\";\nimport { generateStaticConfig } from \"./toolbox\";\n\nconst q = quote;\nconst n = makePath;\n\n/\n create a certificate signing request\n /\nexport async function createCertificateSigningRequestWithOpenSSL(\n certificateSigningRequestFilename: string,\n params: CreateCertificateSigningRequestWithConfigOptions\n): Promise<void> {\n assert(params);\n assert(params.rootDir);\n assert(params.configFile);\n assert(params.privateKey);\n assert(typeof params.privateKey === \"string\");\n assert(fs.existsSync(params.configFile), `config file must exist ${params.configFile}`);\n assert(fs.existsSync(params.privateKey), `Private key must exist${params.privateKey}`);\n assert(fs.existsSync(params.rootDir), \"RootDir key must exist\");\n assert(typeof certificateSigningRequestFilename === \"string\");\n\n // note : this openssl command requires a config file\n processAltNames(params);\n const configFile = generateStaticConfig(params.configFile, { cwd: params.rootDir });\n\n const options = { cwd: params.rootDir, openssl_conf: path.relative(params.rootDir, configFile) };\n\n const configOption = ` -config ${q(n(configFile))}`;\n\n const subject = params.subject ? new Subject(params.subject).toString() : undefined;\n // process.env.OPENSSL_CONF =\"\";\n const subjectOptions = subject ? ` -subj \"${subject}\"` : \"\";\n\n displaySubtitle(\"- Creating a Certificate Signing Request with openssl\");\n await execute_openssl(\n \"req -new\" +\n \" -sha256 \" +\n \" -batch \" +\n \" -text \" +\n configOption +\n \" -key \" +\n q(n(params.privateKey)) +\n subjectOptions +\n \" -out \" +\n q(n(certificateSigningRequestFilename)),\n options\n );\n}\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua-pki\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\nimport exp from \"node:constants\";\n\nconst _exp = exp;\n\nexport from \"./_env\";\nexport * from \"./create_certificate_signing_request\";\nexport * from \"./execute_openssl\";\nexport * from \"./install_prerequisite\";\nexport * from \"./toolbox\";\n","const config =\n \"#.........DO NOT MODIFY BY HAND .........................\\n\" +\n \"[ ca ]\\n\" +\n \"default_ca = CA_default\\n\" +\n \"[ CA_default ]\\n\" +\n \"dir = %%ROOT_FOLDER%% # the main CA folder\\n\" +\n \"certs = $dir/certs # where to store certificates\\n\" +\n \"new_certs_dir = $dir/certs #\\n\" +\n \"database = $dir/index.txt # the certificate database\\n\" +\n \"serial = $dir/serial # the serial number counter\\n\" +\n \"certificate = $dir/public/cacert.pem # The root CA certificate\\n\" +\n \"private_key = $dir/private/cakey.pem # the CA private key\\n\" +\n \"x509_extensions = usr_cert #\\n\" +\n \"default_days = 3650 # default validity : 10 years\\n\" +\n \"\\n\" +\n \"# default_md = sha1\\n\" +\n \"\\n\" +\n \"default_md = sha256 # The default digest algorithm\\n\" +\n \"\\n\" +\n \"preserve = no\\n\" +\n \"policy = policy_match\\n\" +\n \"# randfile = $dir/random.rnd\\n\" +\n \"# default_startdate = YYMMDDHHMMSSZ\\n\" +\n \"# default_enddate = YYMMDDHHMMSSZ\\n\" +\n \"crl_dir = $dir/crl\\n\" +\n \"crl_extensions = crl_ext\\n\" +\n \"crl = $dir/revocation_list.crl # the Revocation list\\n\" +\n \"crlnumber = $dir/crlnumber # CRL number file\\n\" +\n \"default_crl_days = 30\\n\" +\n \"default_crl_hours = 24\\n\" +\n \"#msie_hack\\n\" +\n \"\\n\" +\n \"[ policy_match ]\\n\" +\n \"countryName = optional\\n\" +\n \"stateOrProvinceName = optional\\n\" +\n \"localityName = optional\\n\" +\n \"organizationName = optional\\n\" +\n \"organizationalUnitName = optional\\n\" +\n \"commonName = optional\\n\" +\n \"emailAddress = optional\\n\" +\n \"\\n\" +\n \"[ req ]\\n\" +\n \"default_bits = 4096 # Size of keys\\n\" +\n \"default_keyfile = key.pem # name of generated keys\\n\" +\n \"distinguished_name = req_distinguished_name\\n\" +\n \"attributes = req_attributes\\n\" +\n \"x509_extensions = v3_ca\\n\" +\n \"#input_password\\n\" +\n \"#output_password\\n\" +\n \"string_mask = nombstr # permitted characters\\n\" +\n \"req_extensions = v3_req\\n\" +\n \"\\n\" +\n \"[ req_distinguished_name ]\\n\" +\n \"\\n\" +\n \"#0 countryName = Country Name (2 letter code)\\n\" +\n \"# countryName_default = FR\\n\" +\n \"# countryName_min = 2\\n\" +\n \"# countryName_max = 2\\n\" +\n \"# stateOrProvinceName = State or Province Name (full name)\\n\" +\n \"# stateOrProvinceName_default = Ile de France\\n\" +\n \"# localityName = Locality Name (city, district)\\n\" +\n \"# localityName_default = Paris\\n\" +\n \"organizationName = Organization Name (company)\\n\" +\n \"organizationName_default = NodeOPCUA\\n\" +\n \"# organizationalUnitName = Organizational Unit Name (department, division)\\n\" +\n \"# organizationalUnitName_default = R&D\\n\" +\n \"commonName = Common Name (hostname, FQDN, IP, or your name)\\n\" +\n \"commonName_max = 256\\n\" +\n \"commonName_default = NodeOPCUA\\n\" +\n \"# emailAddress = Email Address\\n\" +\n \"# emailAddress_max = 40\\n\" +\n \"# emailAddress_default = node-opcua (at) node-opcua (dot) com\\n\" +\n \"\\n\" +\n \"[ req_attributes ]\\n\" +\n \"#challengePassword = A challenge password\\n\" +\n \"#challengePassword_min = 4\\n\" +\n \"#challengePassword_max = 20\\n\" +\n \"#unstructuredName = An optional company name\\n\" +\n \"[ usr_cert ]\\n\" +\n \"basicConstraints = critical, CA:FALSE\\n\" +\n \"subjectKeyIdentifier = hash\\n\" +\n \"authorityKeyIdentifier = keyid,issuer:always\\n\" +\n \"#authorityKeyIdentifier = keyid\\n\" +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n \"# issuerAltName = issuer:copy\\n\" +\n \"nsComment = ''OpenSSL Generated Certificate''\\n\" +\n \"#nsCertType = client, email, objsign for ''everything including object signing''\\n\" +\n \"#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem\\n\" +\n \"#nsBaseUrl =\\n\" +\n \"#nsRenewalUrl =\\n\" +\n \"#nsCaPolicyUrl =\\n\" +\n \"#nsSslServerName =\\n\" +\n \"keyUsage = critical, digitalSignature, nonRepudiation,\" +\n \" keyEncipherment, dataEncipherment, keyAgreement, keyCertSign\\n\" +\n \"extendedKeyUsage = critical,serverAuth ,clientAuth\\n\" +\n \"\\n\" +\n \"[ v3_req ]\\n\" +\n \"basicConstraints = critical, CA:FALSE\\n\" +\n \"keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement\\n\" +\n \"extendedKeyUsage = critical,serverAuth ,clientAuth\\n\" +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n 'nsComment = \"CA Generated by Node-OPCUA Certificate utility using openssl\"\\n' +\n \"[ v3_ca ]\\n\" +\n \"subjectKeyIdentifier = hash\\n\" +\n \"authorityKeyIdentifier = keyid:always,issuer:always\\n\" +\n \"# authorityKeyIdentifier = keyid\\n\" +\n \"basicConstraints = CA:TRUE\\n\" +\n \"keyUsage = critical, cRLSign, keyCertSign\\n\" +\n 'nsComment = \"CA Certificate generated by Node-OPCUA Certificate utility using openssl\"\\n' +\n \"#nsCertType = sslCA, emailCA\\n\" +\n \"#subjectAltName = email:copy\\n\" +\n \"#issuerAltName = issuer:copy\\n\" +\n \"#obj = DER:02:03\\n\" +\n \"crlDistributionPoints = @crl_info\\n\" +\n \"[ crl_info ]\\n\" +\n \"URI.0 = http://localhost:8900/crl.pem\\n\" +\n \"[ v3_selfsigned]\\n\" +\n \"basicConstraints = critical, CA:FALSE\\n\" +\n \"keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement\\n\" +\n \"extendedKeyUsage = critical,serverAuth ,clientAuth\\n\" +\n 'nsComment = \"Self-signed certificate, generated by NodeOPCUA\"\\n' +\n \"subjectAltName = $ENV::ALTNAME\\n\" +\n \"\\n\" +\n \"[ crl_ext ]\\n\" +\n \"#issuerAltName = issuer:copy\\n\" +\n \"authorityKeyIdentifier = keyid:always,issuer:always\\n\" +\n \"#authorityInfoAccess = @issuer_info\";\n\nexport default config;\n","// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n// tslint:disable:no-shadowed-variable\nimport assert from \"node:assert\";\nimport fs from \"node:fs\";\nimport path from \"node:path\";\nimport chalk from \"chalk\";\nimport {\n exploreCertificateSigningRequest,\n generatePrivateKeyFile,\n readCertificateSigningRequest,\n Subject,\n type SubjectOptions\n} from \"node-opcua-crypto\";\n\nimport {\n adjustApplicationUri,\n adjustDate,\n certificateFileExist,\n debugLog,\n displaySubtitle,\n displayTitle,\n type Filename,\n type KeySize,\n makePath,\n mkdirRecursiveSync,\n type Params,\n type ProcessAltNamesParam,\n quote\n} from \"../toolbox\";\n\nimport {\n type ExecuteOpenSSLOptions,\n type ExecuteOptions,\n ensure_openssl_installed,\n execute_openssl,\n execute_openssl_no_failure,\n generateStaticConfig,\n processAltNames,\n setEnv,\n x509Date\n} from \"../toolbox/with_openssl\";\n\n/** Default X.500 subject used when no custom subject is provided. /\nexport const defaultSubject = \"/C=FR/ST=IDF/L=Paris/O=Local NODE-OPCUA Certificate Authority/CN=NodeOPCUA-CA\";\n\nimport _ca_config_template from \"./templates/ca_config_template.cnf\";\n\n// tslint:disable-next-line:variable-name\nexport const configurationFileTemplate: string = _ca_config_template;\n\nconst config = {\n certificateDir: \"INVALID\",\n forceCA: false,\n pkiDir: \"INVALID\"\n};\n\nconst n = makePath;\nconst q = quote;\n\n// convert 'c07b9179' to \"192.123.145.121\"\nfunction octetStringToIpAddress(a: string) {\n return (\n parseInt(a.substring(0, 2), 16).toString() +\n \".\" +\n parseInt(a.substring(2, 4), 16).toString() +\n \".\" +\n parseInt(a.substring(4, 6), 16).toString() +\n \".\" +\n parseInt(a.substring(6, 8), 16).toString()\n );\n}\nassert(octetStringToIpAddress(\"c07b9179\") === \"192.123.145.121\");\nasync function construct_CertificateAuthority(certificateAuthority: CertificateAuthority): Promise<void> {\n // create the CA directory store\n // create the CA directory store\n //\n // PKI/CA\n // \|\n // +-+> private\n // \|\n // +-+> public\n // \|\n // +-+> certs\n // \|\n // +-+> crl\n // \|\n // +-+> conf\n // \|\n // +-f: serial\n // +-f: crlNumber\n // +-f: index.txt\n //\n\n const subject = certificateAuthority.subject;\n\n const caRootDir = path.resolve(certificateAuthority.rootDir);\n\n async function make_folders() {\n mkdirRecursiveSync(caRootDir);\n mkdirRecursiveSync(path.join(caRootDir, \"private\"));\n mkdirRecursiveSync(path.join(caRootDir, \"public\"));\n // xx execute(\"chmod 700 private\");\n mkdirRecursiveSync(path.join(caRootDir, \"certs\"));\n mkdirRecursiveSync(path.join(caRootDir, \"crl\"));\n mkdirRecursiveSync(path.join(caRootDir, \"conf\"));\n }\n await make_folders();\n\n async function construct_default_files() {\n const serial = path.join(caRootDir, \"serial\");\n if (!fs.existsSync(serial)) {\n await fs.promises.writeFile(serial, \"1000\");\n }\n\n const crlNumber = path.join(caRootDir, \"crlnumber\");\n if (!fs.existsSync(crlNumber)) {\n await fs.promises.writeFile(crlNumber, \"1000\");\n }\n\n const indexFile = path.join(caRootDir, \"index.txt\");\n if (!fs.existsSync(indexFile)) {\n await fs.promises.writeFile(indexFile, \"\");\n }\n }\n\n await construct_default_files();\n\n if (fs.existsSync(path.join(caRootDir, \"private/cakey.pem\")) && !config.forceCA) {\n // certificate already exists => do not overwrite\n debugLog(\"CA private key already exists ... skipping\");\n return;\n }\n\n // tslint:disable:no-empty\n displayTitle(\"Create Certificate Authority (CA)\");\n\n const indexFileAttr = path.join(caRootDir, \"index.txt.attr\");\n if (!fs.existsSync(indexFileAttr)) {\n await fs.promises.writeFile(indexFileAttr, \"unique_subject = no\");\n }\n\n const caConfigFile = certificateAuthority.configFile;\n if (1 \|\| !fs.existsSync(caConfigFile)) {\n let data = configurationFileTemplate; // inlineText(configurationFile);\n data = makePath(data.replace(/%%ROOT_FOLDER%%/, caRootDir));\n\n await fs.promises.writeFile(caConfigFile, data);\n }\n\n // http://www.akadia.com/services/ssh_test_certificate.html\n const subjectOpt = ` -subj \"${subject.toString()}\" `;\n processAltNames({} as Params);\n\n const options = { cwd: caRootDir };\n const configFile = generateStaticConfig(\"conf/caconfig.cnf\", options);\n const configOption = ` -config ${q(n(configFile))}`;\n\n const keySize = certificateAuthority.keySize;\n\n const privateKeyFilename = path.join(caRootDir, \"private/cakey.pem\");\n const csrFilename = path.join(caRootDir, \"private/cakey.csr\");\n\n displayTitle(`Generate the CA private Key - ${keySize}`);\n // The first step is to create your RSA Private Key.\n // This key is a 1025,2048,3072 or 2038 bit RSA key which is encrypted using\n // Triple-DES and stored in a PEM format so that it is readable as ASCII text.\n await generatePrivateKeyFile(privateKeyFilename, keySize);\n displayTitle(\"Generate a certificate request for the CA key\");\n // Once the private key is generated a Certificate Signing Request can be generated.\n // The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as\n // Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate.\n // The second option is to self-sign the CSR, which will be demonstrated in the next section\n await execute_openssl(\n \"req -new\" +\n \" -sha256 \" +\n \" -text \" +\n \" -extensions v3_ca\" +\n configOption +\n \" -key \" +\n q(n(privateKeyFilename)) +\n \" -out \" +\n q(n(csrFilename)) +\n \" \" +\n subjectOpt,\n options\n );\n\n // xx // Step 3: Remove Passphrase from Key\n // xx execute(\"cp private/cakey.pem private/cakey.pem.org\");\n // xx execute(openssl_path + \" rsa -in private/cakey.pem.org -out private/cakey.pem -passin pass:\"+paraphrase);\n\n displayTitle(\"Generate CA Certificate (self-signed)\");\n await execute_openssl(\n \" x509 -sha256 -req -days 3650 \" +\n \" -text \" +\n \" -extensions v3_ca\" +\n \" -extfile \" +\n q(n(configFile)) +\n \" -in private/cakey.csr \" +\n \" -signkey \" +\n q(n(privateKeyFilename)) +\n \" -out public/cacert.pem\",\n options\n );\n displaySubtitle(\"generate initial CRL (Certificate Revocation List)\");\n await regenerateCrl(certificateAuthority.revocationList, configOption, options);\n displayTitle(\"Create Certificate Authority (CA) ---> DONE\");\n}\n\nasync function regenerateCrl(revocationList: string, configOption: string, options: ExecuteOpenSSLOptions) {\n // produce a CRL in PEM format\n displaySubtitle(\"regenerate CRL (Certificate Revocation List)\");\n await execute_openssl(`ca -gencrl ${configOption} -out crl/revocation_list.crl`, options);\n await execute_openssl(\"crl \" + \" -in crl/revocation_list.crl -out crl/revocation_list.der \" + \" -outform der\", options);\n\n displaySubtitle(\"Display (Certificate Revocation List)\");\n await execute_openssl(`crl -in ${q(n(revocationList))} -text -noout`, options);\n}\n\n/\n Options for creating a {@link CertificateAuthority}.\n /\nexport interface CertificateAuthorityOptions {\n /* RSA key size for the CA private key. /\n keySize: KeySize;\n /* Filesystem path where the CA directory structure is stored. /\n location: string;\n /\n X.500 subject for the CA certificate.\n * Accepts a slash-delimited string (e.g. `\"/CN=My CA/O=Acme\"`) or\n * a structured {@link SubjectOptions} object.\n \n @defaultValue {@link defaultSubject}\n /\n subject?: string \| SubjectOptions;\n}\n\n/\n An OpenSSL-based Certificate Authority (CA) that can create,\n * sign, and revoke X.509 certificates.\n \n The CA maintains a standard OpenSSL directory layout under\n * {@link CertificateAuthority.rootDir \| rootDir}:\n \n ```\n * <location>/\n * ├── conf/ OpenSSL configuration\n * ├── private/ CA private key (cakey.pem)\n * ├── public/ CA certificate (cacert.pem)\n * ├── certs/ Signed certificates\n * ├── crl/ Revocation lists\n * ├── serial Next serial number\n * ├── crlnumber Next CRL number\n * └── index.txt Certificate database\n * ```\n \n @example\n * ```ts\n * const ca = new CertificateAuthority({\n * keySize: 2048,\n * location: \"/var/pki/CA\"\n * });\n * await ca.initialize();\n * ```\n /\nexport class CertificateAuthority {\n /* RSA key size used when generating the CA private key. /\n public readonly keySize: KeySize;\n /* Root filesystem path of the CA directory structure. /\n public readonly location: string;\n /* X.500 subject of the CA certificate. /\n public readonly subject: Subject;\n\n constructor(options: CertificateAuthorityOptions) {\n assert(Object.prototype.hasOwnProperty.call(options, \"location\"));\n assert(Object.prototype.hasOwnProperty.call(options, \"keySize\"));\n this.location = options.location;\n this.keySize = options.keySize \|\| 2048;\n this.subject = new Subject(options.subject \|\| defaultSubject);\n }\n\n /* Absolute path to the CA root directory (alias for {@link location}). /\n public get rootDir() {\n return this.location;\n }\n\n /* Path to the OpenSSL configuration file (`conf/caconfig.cnf`). /\n public get configFile() {\n return path.normalize(path.join(this.rootDir, \"./conf/caconfig.cnf\"));\n }\n\n /* Path to the CA certificate in PEM format (`public/cacert.pem`). /\n public get caCertificate() {\n // the Certificate Authority Certificate\n return makePath(this.rootDir, \"./public/cacert.pem\");\n }\n\n /\n Path to the current Certificate Revocation List in DER format.\n * (`crl/revocation_list.der`)\n /\n public get revocationListDER() {\n return makePath(this.rootDir, \"./crl/revocation_list.der\");\n }\n\n /\n Path to the current Certificate Revocation List in PEM format.\n * (`crl/revocation_list.crl`)\n /\n public get revocationList() {\n return makePath(this.rootDir, \"./crl/revocation_list.crl\");\n }\n\n /\n Path to the concatenated CA certificate + CRL file.\n * Used by OpenSSL for CRL-based verification.\n /\n public get caCertificateWithCrl() {\n return makePath(this.rootDir, \"./public/cacertificate_with_crl.pem\");\n }\n\n /\n Initialize the CA directory structure, generate the CA\n * private key and self-signed certificate if they do not\n * already exist.\n /\n public async initialize(): Promise<void> {\n await construct_CertificateAuthority(this);\n }\n\n /\n Rebuild the combined CA certificate + CRL file.\n \n This concatenates the CA certificate with the current\n * revocation list so that OpenSSL can verify certificates\n * with CRL checking enabled.\n /\n public async constructCACertificateWithCRL(): Promise<void> {\n const cacertWithCRL = this.caCertificateWithCrl;\n\n // note : in order to check if the certificate is revoked,\n // you need to specify -crl_check and have both the CA cert and the (applicable) CRL in your trust store.\n // There are two ways to do that:\n // 1. concatenate cacert.pem and crl.pem into one file and use that for -CAfile.\n // 2. use some linked\n // ( from http://security.stackexchange.com/a/58305/59982)\n\n if (fs.existsSync(this.revocationList)) {\n await fs.promises.writeFile(\n cacertWithCRL,\n fs.readFileSync(this.caCertificate, \"utf8\") + fs.readFileSync(this.revocationList, \"utf8\")\n );\n } else {\n // there is no revocation list yet\n await fs.promises.writeFile(cacertWithCRL, fs.readFileSync(this.caCertificate));\n }\n }\n\n /\n Append the CA certificate to a signed certificate file,\n * creating a PEM certificate chain.\n \n @param certificate - path to the certificate file to extend\n /\n public async constructCertificateChain(certificate: Filename): Promise<void> {\n assert(fs.existsSync(certificate));\n assert(fs.existsSync(this.caCertificate));\n\n debugLog(chalk.yellow(\" certificate file :\"), chalk.cyan(certificate));\n // append\n await fs.promises.writeFile(\n certificate,\n (await fs.promises.readFile(certificate, \"utf8\")) + (await fs.promises.readFile(this.caCertificate, \"utf8\"))\n // + fs.readFileSync(this.revocationList)\n );\n }\n\n /\n Create a self-signed certificate using OpenSSL.\n \n @param certificateFile - output path for the signed certificate\n * @param privateKey - path to the private key file\n * @param params - certificate parameters (subject, validity, SANs)\n /\n public async createSelfSignedCertificate(certificateFile: Filename, privateKey: Filename, params: Params): Promise<void> {\n assert(typeof privateKey === \"string\");\n assert(fs.existsSync(privateKey));\n\n if (!certificateFileExist(certificateFile)) {\n return;\n }\n\n adjustDate(params);\n adjustApplicationUri(params);\n processAltNames(params);\n\n const csrFile = `${certificateFile}_csr`;\n assert(csrFile);\n const configFile = generateStaticConfig(this.configFile, { cwd: this.rootDir });\n\n const options = {\n cwd: this.rootDir,\n openssl_conf: makePath(configFile)\n };\n\n const configOption = \"\";\n\n const subject = params.subject ? new Subject(params.subject).toString() : \"\";\n const subjectOptions = subject && subject.length > 1 ? ` -subj ${subject} ` : \"\";\n\n displaySubtitle(\"- the certificate signing request\");\n await execute_openssl(\n \"req \" +\n \" -new -sha256 -text \" +\n configOption +\n subjectOptions +\n \" -batch -key \" +\n q(n(privateKey)) +\n \" -out \" +\n q(n(csrFile)),\n options\n );\n\n displaySubtitle(\"- creating the self-signed certificate\");\n await execute_openssl(\n \"ca \" +\n \" -selfsign \" +\n \" -keyfile \" +\n q(n(privateKey)) +\n \" -startdate \" +\n x509Date(params.startDate) +\n \" -enddate \" +\n x509Date(params.endDate) +\n \" -batch -out \" +\n q(n(certificateFile)) +\n \" -in \" +\n q(n(csrFile)),\n options\n );\n\n displaySubtitle(\"- dump the certificate for a check\");\n\n await execute_openssl(`x509 -in ${q(n(certificateFile))} -dates -fingerprint -purpose -noout`, {});\n\n displaySubtitle(\"- verify self-signed certificate\");\n await execute_openssl_no_failure(`verify -verbose -CAfile ${q(n(certificateFile))} ${q(n(certificateFile))}`, options);\n\n await fs.promises.unlink(csrFile);\n }\n\n /\n Revoke a certificate and regenerate the CRL.\n \n @param certificate - path to the certificate file to revoke\n * @param params - revocation parameters\n * @param params.reason - CRL reason code\n * (default `\"keyCompromise\"`)\n /\n public async revokeCertificate(certificate: Filename, params: Params): Promise<void> {\n const crlReasons = [\n \"unspecified\",\n \"keyCompromise\",\n \"CACompromise\",\n \"affiliationChanged\",\n \"superseded\",\n \"cessationOfOperation\",\n \"certificateHold\",\n \"removeFromCRL\"\n ];\n\n const configFile = generateStaticConfig(\"conf/caconfig.cnf\", { cwd: this.rootDir });\n\n const options = {\n cwd: this.rootDir,\n openssl_conf: makePath(configFile)\n };\n\n setEnv(\"ALTNAME\", \"\");\n const randomFile = path.join(this.rootDir, \"random.rnd\");\n setEnv(\"RANDFILE\", randomFile);\n\n // // tslint:disable-next-line:no-string-literal\n // if (!fs.existsSync((process.env as any)[\"OPENSSL_CONF\"])) {\n // throw new Error(\"Cannot find OPENSSL_CONF\");\n // }\n\n const configOption = ` -config ${q(n(configFile))}`;\n\n const reason = params.reason \|\| \"keyCompromise\";\n assert(crlReasons.indexOf(reason) >= 0);\n\n displayTitle(`Revoking certificate ${certificate}`);\n\n displaySubtitle(\"Revoke certificate\");\n\n await execute_openssl_no_failure(`ca -verbose ${configOption} -revoke ${q(certificate)} -crl_reason ${reason}`, options);\n // regenerate CRL (Certificate Revocation List)\n await regenerateCrl(this.revocationList, configOption, options);\n\n displaySubtitle(\"Verify that certificate is revoked\");\n\n await execute_openssl_no_failure(\n \"verify -verbose\" +\n // configOption +\n \" -CRLfile \" +\n q(n(this.revocationList)) +\n \" -CAfile \" +\n q(n(this.caCertificate)) +\n \" -crl_check \" +\n q(n(certificate)),\n options\n );\n\n // produce CRL in DER format\n displaySubtitle(\"Produce CRL in DER form \");\n await execute_openssl(`crl -in ${q(n(this.revocationList))} -out crl/revocation_list.der -outform der`, options);\n // produce CRL in PEM format with text\n displaySubtitle(\"Produce CRL in PEM form \");\n\n await execute_openssl(`crl -in ${q(n(this.revocationList))} -out crl/revocation_list.pem -outform pem -text `, options);\n }\n\n /\n Sign a Certificate Signing Request (CSR) with this CA.\n \n The signed certificate is written to `certificate`, and the\n * CA certificate chain plus CRL are appended to form a\n * complete certificate chain.\n \n @param certificate - output path for the signed certificate\n * @param certificateSigningRequestFilename - path to the CSR\n * @param params1 - signing parameters (validity, dates, SANs)\n * @returns the path to the signed certificate\n /\n public async signCertificateRequest(\n certificate: Filename,\n certificateSigningRequestFilename: Filename,\n params1: Params\n ): Promise<Filename> {\n await ensure_openssl_installed();\n assert(fs.existsSync(certificateSigningRequestFilename));\n if (!certificateFileExist(certificate)) {\n return \"\";\n }\n adjustDate(params1);\n adjustApplicationUri(params1);\n processAltNames(params1);\n\n const options: ExecuteOptions = { cwd: this.rootDir };\n\n // note :\n // subjectAltName is not copied across\n // see https://github.com/openssl/openssl/issues/10458\n const csr = await readCertificateSigningRequest(certificateSigningRequestFilename);\n const csrInfo = exploreCertificateSigningRequest(csr);\n\n const applicationUri = csrInfo.extensionRequest.subjectAltName.uniformResourceIdentifier\n ? csrInfo.extensionRequest.subjectAltName.uniformResourceIdentifier[0]\n : undefined;\n if (typeof applicationUri !== \"string\") {\n throw new Error(\"Cannot find applicationUri in CSR\");\n }\n\n const dns = csrInfo.extensionRequest.subjectAltName.dNSName \|\| [];\n let ip = csrInfo.extensionRequest.subjectAltName.iPAddress \|\| [];\n ip = ip.map(octetStringToIpAddress);\n\n const params: ProcessAltNamesParam = {\n applicationUri,\n dns,\n ip\n };\n\n processAltNames(params);\n\n const configFile = generateStaticConfig(\"conf/caconfig.cnf\", options);\n\n displaySubtitle(\"- then we ask the authority to sign the certificate signing request\");\n\n const configOption = ` -config ${configFile}`;\n await execute_openssl(\n \"ca \" +\n configOption +\n \" -startdate \" +\n x509Date(params1.startDate) +\n \" -enddate \" +\n x509Date(params1.endDate) +\n \" -batch -out \" +\n q(n(certificate)) +\n \" -in \" +\n q(n(certificateSigningRequestFilename)),\n options\n );\n\n displaySubtitle(\"- dump the certificate for a check\");\n await execute_openssl(`x509 -in ${q(n(certificate))} -dates -fingerprint -purpose -noout`, options);\n\n displaySubtitle(\"- construct CA certificate with CRL\");\n await this.constructCACertificateWithCRL();\n\n // construct certificate chain\n // concatenate certificate with CA Certificate and revocation list\n displaySubtitle(\"- construct certificate chain\");\n await this.constructCertificateChain(certificate);\n // todo\n displaySubtitle(\"- verify certificate against the root CA\");\n await this.verifyCertificate(certificate);\n\n return certificate;\n }\n\n /\n Verify a certificate against this CA.\n \n @param certificate - path to the certificate file to verify\n /\n public async verifyCertificate(certificate: Filename): Promise<void> {\n // openssl verify crashes on windows! we cannot use it reliably\n // istanbul ignore next\n const isImplemented = false;\n\n // istanbul ignore next\n if (isImplemented) {\n const options = { cwd: this.rootDir };\n const configFile = generateStaticConfig(\"conf/caconfig.cnf\", options);\n\n setEnv(\"OPENSSL_CONF\", makePath(configFile));\n const _configOption = ` -config ${configFile}`;\n _configOption;\n await execute_openssl_no_failure(\n `verify -verbose -CAfile ${q(n(this.caCertificateWithCrl))} ${q(n(certificate))}`,\n options\n );\n }\n }\n}\n","/ eslint-disable @typescript-eslint/no-unused-vars /\n// ---------------------------------------------------------------------------------------------------------------------\n// node-opcua\n// ---------------------------------------------------------------------------------------------------------------------\n// Copyright (c) 2014-2026 - Etienne Rossignon - etienne.rossignon (at) gadz.org\n// Copyright (c) 2022-2026 - Sterfive.com\n// ---------------------------------------------------------------------------------------------------------------------\n//\n// This project is licensed under the terms of the MIT license.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated\n// documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the\n// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to\n// permit persons to whom the Software is furnished to do so, subject to the following conditions:\n//\n// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the\n// Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE\n// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\n// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n// ---------------------------------------------------------------------------------------------------------------------\n// Error.stackTraceLimit = Infinity;\n// tslint:disable:variable-name\n// tslint:disable:no-console\n// tslint:disable:object-literal-sort-keys\n// tslint:disable:no-shadowed-variable\n\nimport assert from \"node:assert\";\nimport fs from \"node:fs\";\nimport { createRequire } from \"node:module\";\nimport os from \"node:os\";\nimport path from \"node:path\";\nimport chalk from \"chalk\";\nimport { CertificatePurpose, generatePrivateKeyFile, Subject, type SubjectOptions } from \"node-opcua-crypto\";\n\nimport { makeApplicationUrn } from \"../misc/applicationurn\";\nimport { extractFullyQualifiedDomainName, getFullyQualifiedDomainName } from \"../misc/hostname\";\nimport { CertificateManager, type CreateSelfSignCertificateParam1 } from \"../pki/certificate_manager\";\nimport {\n type CreateCertificateSigningRequestWithConfigOptions,\n debugLog,\n displayChapter,\n displaySubtitle,\n displayTitle,\n type Filename,\n g_config,\n type KeySize,\n makePath,\n mkdirRecursiveSync,\n warningLog\n} from \"../toolbox\";\nimport {\n createCertificateSigningRequestWithOpenSSL,\n dumpCertificate,\n ensure_openssl_installed,\n fingerprint,\n getPublicKeyFromPrivateKey,\n setEnv,\n toDer\n} from \"../toolbox/with_openssl\";\nimport { CertificateAuthority, defaultSubject } from \"./certificate_authority\";\n\nconst epilog = \"Copyright (c) sterfive - node-opcua - 2017-2026\";\n\n// ------------------------------------------------- some useful dates\nfunction get_offset_date(date: Date, nbDays: number): Date {\n const d = new Date(date.getTime());\n d.setDate(d.getDate() + nbDays);\n return d;\n}\n\nconst today = new Date();\nconst yesterday = get_offset_date(today, -1);\nconst two_years_ago = get_offset_date(today, -2 365);\nconst next_year = get_offset_date(today, 365);\n\ninterface LocalConfig {\n CAFolder?: string;\n PKIFolder?: string;\n\n keySize?: KeySize;\n\n subject?: SubjectOptions \| string;\n\n certificateDir?: Filename;\n\n privateKey?: Filename;\n\n applicationUri?: string;\n\n outputFile?: string;\n\n altNames?: string[];\n dns?: string[];\n ip?: string[];\n\n startDate?: Date;\n validity?: number;\n}\n\nlet gLocalConfig: LocalConfig = {};\n\nlet g_certificateAuthority: CertificateAuthority; // the Certificate Authority\n\n/**\n \n \n prerequisites :\n * g_config.CAFolder : the folder of the CA\n /\nasync function construct_CertificateAuthority(subject: string) {\n // verify that g_config file has been loaded\n assert(typeof gLocalConfig.CAFolder === \"string\", \"expecting a CAFolder in config\");\n assert(typeof gLocalConfig.keySize === \"number\", \"expecting a keySize in config\");\n\n if (!g_certificateAuthority) {\n g_certificateAuthority = new CertificateAuthority({\n keySize: gLocalConfig.keySize,\n location: gLocalConfig.CAFolder,\n subject\n });\n await g_certificateAuthority.initialize();\n }\n}\n\nlet certificateManager: CertificateManager; // the Certificate Manager\n/*\n \n \n prerequisites :\n * g_config.PKIFolder : the folder of the PKI\n /\nasync function construct_CertificateManager() {\n assert(typeof gLocalConfig.PKIFolder === \"string\", \"expecting a PKIFolder in config\");\n\n if (!certificateManager) {\n certificateManager = new CertificateManager({\n keySize: gLocalConfig.keySize,\n location: gLocalConfig.PKIFolder\n });\n await certificateManager.initialize();\n }\n}\n\nfunction _displayConfig(config: { [key: string]: { toString: () => string } }) {\n function w(str: string, l: number): string {\n return `${str} `.substring(0, l);\n }\n\n warningLog(chalk.yellow(\" configuration = \"));\n\n for (const [key, value] of Object.entries(config)) {\n warningLog(` ${chalk.yellow(w(key, 30))} : ${chalk.cyan(value.toString())}`);\n }\n}\n\nfunction default_template_content(): string {\n // istanbul ignore next\n if ((process as unknown as { pkg?: { entrypoint: string } }).pkg?.entrypoint) {\n // we are using PKG compiled package !\n\n // warningLog(\"___filename\", __filename);\n // warningLog(\"__dirname\", __dirname);\n // warningLog(\"process.pkg.entrypoint\", (process as unknown as IReadConfigurationOpts).pkg.entrypoint);\n const a = fs.readFileSync(path.join(__dirname, \"../../bin/pki_config.example.js\"), \"utf8\");\n return a;\n }\n function find_default_config_template() {\n const rootFolder = find_module_root_folder();\n\n // Note: we use a hardcoded config filename here because after tsup bundling,\n // __filename points to the bundle file (e.g., \"index.mjs\") rather than the\n // original source file, making dynamic name construction unreliable.\n const configName = \"pki_config.example.js\";\n\n let default_config_template = path.join(rootFolder, \"bin\", configName);\n\n if (!fs.existsSync(default_config_template)) {\n default_config_template = path.join(__dirname, \"..\", configName);\n\n if (!fs.existsSync(default_config_template)) {\n default_config_template = path.join(__dirname, `../bin/${configName}`);\n }\n }\n return default_config_template;\n }\n const default_config_template = find_default_config_template();\n assert(fs.existsSync(default_config_template));\n const default_config_template_content = fs.readFileSync(default_config_template, \"utf8\");\n return default_config_template_content;\n}\n\n/\n \n /\nfunction find_module_root_folder() {\n let rootFolder = path.join(__dirname);\n\n for (let i = 0; i < 4; i++) {\n if (fs.existsSync(path.join(rootFolder, \"package.json\"))) {\n return rootFolder;\n }\n rootFolder = path.join(rootFolder, \"..\");\n }\n\n assert(fs.existsSync(path.join(rootFolder, \"package.json\")), \"root folder must have a package.json file\");\n return rootFolder;\n}\n\ninterface IReadConfigurationOpts {\n root: string;\n silent?: boolean;\n subject?: string;\n CAFolder?: string;\n PKIFolder?: string;\n privateKey?: string;\n applicationUri?: string;\n output?: string;\n altNames?: string;\n dns?: string;\n ip?: string;\n keySize?: KeySize;\n validity?: number;\n}\n\n/ eslint complexity:off, max-statements:off /\nasync function readConfiguration(argv: IReadConfigurationOpts) {\n if (argv.silent) {\n g_config.silent = true;\n } else {\n g_config.silent = false;\n }\n\n const fqdn = await extractFullyQualifiedDomainName();\n const hostname = os.hostname();\n let certificateDir: string;\n\n function performSubstitution(str: string): string {\n str = str.replace(\"{CWD}\", process.cwd());\n if (certificateDir) {\n str = str.replace(\"{root}\", certificateDir);\n }\n if (gLocalConfig?.PKIFolder) {\n str = str.replace(\"{PKIFolder}\", gLocalConfig.PKIFolder);\n }\n str = str.replace(\"{hostname}\", hostname);\n str = str.replace(\"%FQDN%\", fqdn);\n return str;\n }\n\n function prepare(file: Filename): Filename {\n const tmp = path.resolve(performSubstitution(file));\n return makePath(tmp);\n }\n\n // ------------------------------------------------------------------------------------------------------------\n certificateDir = argv.root;\n assert(typeof certificateDir === \"string\");\n\n certificateDir = prepare(certificateDir);\n mkdirRecursiveSync(certificateDir);\n assert(fs.existsSync(certificateDir));\n\n // ------------------------------------------------------------------------------------------------------------\n const default_config = path.join(certificateDir, \"config.js\");\n\n if (!fs.existsSync(default_config)) {\n // copy\n debugLog(chalk.yellow(\" Creating default g_config file \"), chalk.cyan(default_config));\n const default_config_template_content = default_template_content();\n fs.writeFileSync(default_config, default_config_template_content);\n } else {\n debugLog(chalk.yellow(\" using g_config file \"), chalk.cyan(default_config));\n }\n if (!fs.existsSync(default_config)) {\n debugLog(chalk.redBright(\" cannot find config file \", default_config));\n }\n\n // see http://stackoverflow.com/questions/94445/using-openssl-what-does-unable-to-write-random-state-mean\n // set random file to be random.rnd in the same folder as the g_config file\n const defaultRandomFile = path.join(path.dirname(default_config), \"random.rnd\");\n setEnv(\"RANDFILE\", defaultRandomFile);\n\n / eslint global-require: 0/\n const _require = createRequire(__filename);\n gLocalConfig = _require(default_config);\n\n gLocalConfig.subject = new Subject(gLocalConfig.subject \|\| \"\");\n\n // if subject is provided on the command line , it has hight priority\n if (argv.subject) {\n gLocalConfig.subject = new Subject(argv.subject);\n }\n\n // istanbul ignore next\n if (!gLocalConfig.subject.commonName) {\n throw new Error(\"subject must have a Common Name\");\n }\n\n gLocalConfig.certificateDir = certificateDir;\n\n // ------------------------------------------------------------------------------------------------------------\n let CAFolder = argv.CAFolder \|\| path.join(certificateDir, \"CA\");\n CAFolder = prepare(CAFolder);\n gLocalConfig.CAFolder = CAFolder;\n\n // ------------------------------------------------------------------------------------------------------------\n gLocalConfig.PKIFolder = path.join(gLocalConfig.certificateDir, \"PKI\");\n if (argv.PKIFolder) {\n gLocalConfig.PKIFolder = prepare(argv.PKIFolder);\n }\n gLocalConfig.PKIFolder = prepare(gLocalConfig.PKIFolder);\n if (argv.privateKey) {\n gLocalConfig.privateKey = prepare(argv.privateKey);\n }\n\n if (argv.applicationUri) {\n gLocalConfig.applicationUri = performSubstitution(argv.applicationUri);\n }\n\n if (argv.output) {\n gLocalConfig.outputFile = argv.output;\n }\n\n gLocalConfig.altNames = [];\n if (argv.altNames) {\n gLocalConfig.altNames = argv.altNames.split(\";\");\n }\n gLocalConfig.dns = [getFullyQualifiedDomainName()];\n if (argv.dns) {\n gLocalConfig.dns = argv.dns.split(\",\").map(performSubstitution);\n }\n gLocalConfig.ip = [];\n if (argv.ip) {\n gLocalConfig.ip = argv.ip.split(\",\");\n }\n if (argv.keySize) {\n const v = argv.keySize;\n if (v !== 1024 && v !== 2048 && v !== 3072 && v !== 4096) {\n throw new Error(`invalid keysize specified ${v} should be 1024,2048,3072 or 4096`);\n }\n gLocalConfig.keySize = argv.keySize;\n }\n\n if (argv.validity) {\n gLocalConfig.validity = argv.validity;\n }\n // xx displayConfig(g_config);\n // ------------------------------------------------------------------------------------------------------------\n}\n\nasync function createDefaultCertificate(\n base_name: string,\n prefix: string,\n key_length: KeySize,\n applicationUri: string,\n dev: boolean\n) {\n // possible key length in bits\n assert(key_length === 1024 \|\| key_length === 2048 \|\| key_length === 3072 \|\| key_length === 4096);\n\n const private_key_file = makePath(base_name, `${prefix}key_${key_length}.pem`);\n const public_key_file = makePath(base_name, `${prefix}public_key_${key_length}.pub`);\n const certificate_file = makePath(base_name, `${prefix}cert_${key_length}.pem`);\n const certificate_file_outofdate = makePath(base_name, `${prefix}cert_${key_length}_outofdate.pem`);\n const certificate_file_not_active_yet = makePath(base_name, `${prefix}cert_${key_length}_not_active_yet.pem`);\n const certificate_revoked = makePath(base_name, `${prefix}cert_${key_length}_revoked.pem`);\n const self_signed_certificate_file = makePath(base_name, `${prefix}selfsigned_cert_${key_length}.pem`);\n\n const fqdn = getFullyQualifiedDomainName();\n const hostname = os.hostname();\n const dns: string[] = [\n // for conformance reason, localhost shall not be present in the DNS field of COP\n // FORBIDEN \"localhost\",\n getFullyQualifiedDomainName()\n ];\n if (hostname !== fqdn) {\n dns.push(hostname);\n }\n\n const ip: string[] = [];\n\n async function createCertificateIfNotExist(\n certificate: Filename,\n private_key: Filename,\n applicationUri: string,\n startDate: Date,\n validity: number\n ): Promise<string> {\n // istanbul ignore next\n if (fs.existsSync(certificate)) {\n warningLog(chalk.yellow(\" certificate\"), chalk.cyan(certificate), chalk.yellow(\" already exists => skipping\"));\n return \"\";\n } else {\n return await createCertificate(certificate, private_key, applicationUri, startDate, validity);\n }\n }\n\n async function createCertificate(\n certificate: Filename,\n privateKey: Filename,\n applicationUri: string,\n startDate: Date,\n validity: number\n ): Promise<string> {\n const certificateSigningRequestFile = `${certificate}.csr`;\n\n const configFile = makePath(base_name, \"../certificates/PKI/own/openssl.cnf\");\n\n const dns = [os.hostname()];\n const ip = [\"127.0.0.1\"];\n\n const params: CreateCertificateSigningRequestWithConfigOptions = {\n applicationUri,\n privateKey,\n rootDir: \".\",\n configFile,\n dns,\n ip,\n purpose: CertificatePurpose.ForApplication\n };\n\n // create CSR\n await createCertificateSigningRequestWithOpenSSL(certificateSigningRequestFile, params);\n\n return await g_certificateAuthority.signCertificateRequest(certificate, certificateSigningRequestFile, {\n applicationUri,\n dns,\n ip,\n startDate,\n validity\n });\n }\n\n async function createSelfSignedCertificate(\n certificate: Filename,\n private_key: Filename,\n applicationUri: string,\n startDate: Date,\n validity: number\n ) {\n await g_certificateAuthority.createSelfSignedCertificate(certificate, private_key, {\n applicationUri,\n dns,\n ip,\n startDate,\n validity\n });\n }\n\n async function revoke_certificate(certificate: Filename) {\n await g_certificateAuthority.revokeCertificate(certificate, {});\n }\n\n async function createPrivateKeyIfNotExist(privateKey: Filename, keyLength: KeySize) {\n if (fs.existsSync(privateKey)) {\n warningLog(chalk.yellow(\" privateKey\"), chalk.cyan(privateKey), chalk.yellow(\" already exists => skipping\"));\n return;\n } else {\n await generatePrivateKeyFile(privateKey, keyLength);\n }\n }\n\n displaySubtitle(` create private key :${private_key_file}`);\n\n await createPrivateKeyIfNotExist(private_key_file, key_length);\n displaySubtitle(` extract public key ${public_key_file} from private key `);\n await getPublicKeyFromPrivateKey(private_key_file, public_key_file);\n displaySubtitle(` create Certificate ${certificate_file}`);\n\n await createCertificateIfNotExist(certificate_file, private_key_file, applicationUri, yesterday, 365);\n\n displaySubtitle(` create self signed Certificate ${self_signed_certificate_file}`);\n\n if (fs.existsSync(self_signed_certificate_file)) {\n // self_signed certificate already exists\n return;\n }\n await createSelfSignedCertificate(self_signed_certificate_file, private_key_file, applicationUri, yesterday, 365);\n\n if (dev) {\n await createCertificateIfNotExist(certificate_file_outofdate, private_key_file, applicationUri, two_years_ago, 365);\n\n await createCertificateIfNotExist(certificate_file_not_active_yet, private_key_file, applicationUri, next_year, 365);\n\n if (!fs.existsSync(certificate_revoked)) {\n // self_signed certificate already exists\n const certificate = await createCertificateIfNotExist(\n certificate_revoked,\n private_key_file,\n `${applicationUri}Revoked`, // make sure we used a uniq URI here\n yesterday,\n 365\n );\n warningLog(\" certificate to revoke => \", certificate);\n revoke_certificate(certificate_revoked);\n }\n }\n}\n\nasync function wrap(func: () => Promise<void>) {\n try {\n await func();\n } catch (err) {\n console.log((err as Error).message);\n }\n}\n\nasync function create_default_certificates(dev: boolean) {\n assert(gLocalConfig);\n const base_name = gLocalConfig.certificateDir \|\| \"\";\n assert(fs.existsSync(base_name));\n\n let clientURN: string;\n let serverURN: string;\n let discoveryServerURN: string;\n wrap(async () => {\n await extractFullyQualifiedDomainName();\n const hostname = os.hostname();\n const fqdn = getFullyQualifiedDomainName();\n warningLog(chalk.yellow(\" hostname = \"), chalk.cyan(hostname));\n warningLog(chalk.yellow(\" fqdn = \"), chalk.cyan(fqdn));\n clientURN = makeApplicationUrn(hostname, \"NodeOPCUA-Client\");\n serverURN = makeApplicationUrn(hostname, \"NodeOPCUA-Server\");\n discoveryServerURN = makeApplicationUrn(hostname, \"NodeOPCUA-DiscoveryServer\");\n\n displayTitle(\"Create Application Certificate for Server & its private key\");\n await createDefaultCertificate(base_name, \"client_\", 1024, clientURN, dev);\n await createDefaultCertificate(base_name, \"client_\", 2048, clientURN, dev);\n await createDefaultCertificate(base_name, \"client_\", 3072, clientURN, dev);\n await createDefaultCertificate(base_name, \"client_\", 4096, clientURN, dev);\n\n displayTitle(\"Create Application Certificate for Client & its private key\");\n await createDefaultCertificate(base_name, \"server_\", 1024, serverURN, dev);\n await createDefaultCertificate(base_name, \"server_\", 2048, serverURN, dev);\n await createDefaultCertificate(base_name, \"server_\", 3072, serverURN, dev);\n await createDefaultCertificate(base_name, \"server_\", 4096, serverURN, dev);\n\n displayTitle(\"Create Application Certificate for DiscoveryServer & its private key\");\n await createDefaultCertificate(base_name, \"discoveryServer_\", 1024, discoveryServerURN, dev);\n await createDefaultCertificate(base_name, \"discoveryServer_\", 2048, discoveryServerURN, dev);\n await createDefaultCertificate(base_name, \"discoveryServer_\", 3072, discoveryServerURN, dev);\n await createDefaultCertificate(base_name, \"discoveryServer_\", 4096, discoveryServerURN, dev);\n });\n}\n\nasync function createDefaultCertificates(dev: boolean) {\n await construct_CertificateAuthority(\"\");\n await construct_CertificateManager();\n await create_default_certificates(dev);\n}\n\nimport commandLineArgs from \"command-line-args\";\nimport commandLineUsage from \"command-line-usage\";\n\nconst commonOptions = [\n {\n name: \"root\",\n alias: \"r\",\n type: String,\n defaultValue: \"{CWD}/certificates\",\n description: \"the location of the Certificate folder\"\n },\n {\n name: \"CAFolder\",\n alias: \"c\",\n type: String,\n defaultValue: \"{root}/CA\",\n description: \"the location of the Certificate Authority folder\"\n },\n { name: \"PKIFolder\", type: String, defaultValue: \"{root}/PKI\", description: \"the location of the Public Key Infrastructure\" },\n { name: \"silent\", type: Boolean, defaultValue: false, description: \"minimize output\" },\n {\n name: \"privateKey\",\n alias: \"p\",\n type: String,\n defaultValue: \"{PKIFolder}/own/private_key.pem\",\n description: \"the private key to use to generate certificate\"\n },\n {\n name: \"keySize\",\n alias: \"k\",\n type: Number,\n defaultValue: 2048,\n description: \"the private key size in bits (1024\|2048\|3072\|4096)\"\n },\n { name: \"help\", alias: \"h\", type: Boolean, description: \"display this help\" }\n];\n\nfunction getOptions(names: string[]) {\n return commonOptions.filter((o) => names.includes(o.name) \|\| o.name === \"help\" \|\| o.name === \"silent\");\n}\n\nfunction showHelp(command: string, description: string, options: Record<string, unknown>[], usage?: string) {\n const sections = [\n {\n header: `Command: ${command}`,\n content: description\n },\n {\n header: \"Usage\",\n content: usage \|\| `$0 ${command} [options]`\n },\n {\n header: \"Options\",\n optionList: options\n }\n ];\n console.log(commandLineUsage(sections));\n}\n\nexport async function main(argumentsList: string \| string[]) {\n const mainDefinitions = [{ name: \"command\", defaultOption: true }];\n let mainOptions: commandLineArgs.CommandLineOptions;\n try {\n mainOptions = commandLineArgs(mainDefinitions, { argv: argumentsList as string[], stopAtFirstUnknown: true });\n } catch (err) {\n console.log((err as Error).message);\n return;\n }\n\n const argv = mainOptions._unknown \|\| [];\n const command = mainOptions.command;\n\n if (!command \|\| command === \"help\") {\n console.log(\n commandLineUsage([\n {\n header: \"node-opcua-pki\",\n content: `PKI management for node-opcua\\n\\n${epilog}`\n },\n {\n header: \"Commands\",\n content: [\n { name: \"demo\", summary: \"create default certificate for node-opcua demos\" },\n { name: \"createCA\", summary: \"create a Certificate Authority\" },\n { name: \"createPKI\", summary: \"create a Public Key Infrastructure\" },\n { name: \"certificate\", summary: \"create a new certificate\" },\n { name: \"revoke <certificateFile>\", summary: \"revoke a existing certificate\" },\n { name: \"csr\", summary: \"create a certificate signing request\" },\n { name: \"sign\", summary: \"validate a certificate signing request and generate a certificate\" },\n { name: \"dump <certificateFile>\", summary: \"display a certificate\" },\n { name: \"toder <pemCertificate>\", summary: \"convert a certificate to a DER format with finger print\" },\n { name: \"fingerprint <certificateFile>\", summary: \"print the certificate fingerprint\" },\n { name: \"version\", summary: \"display the version number\" }\n ]\n }\n ])\n );\n return;\n }\n\n if (command === \"version\") {\n const rootFolder = find_module_root_folder();\n const pkg = JSON.parse(fs.readFileSync(path.join(rootFolder, \"package.json\"), \"utf-8\"));\n console.log(pkg.version);\n return;\n }\n\n if (command === \"demo\") {\n const optionsDef = [\n ...getOptions([\"root\", \"silent\"]),\n { name: \"dev\", type: Boolean, description: \"create all sort of fancy certificates for dev testing purposes\" },\n { name: \"clean\", type: Boolean, description: \"Purge existing directory [use with care!]\" }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help)\n return showHelp(\n \"demo\",\n \"create default certificate for node-opcua demos\",\n optionsDef,\n \"$0 demo [--dev] [--silent] [--clean]\"\n );\n\n await wrap(async () => {\n await ensure_openssl_installed();\n displayChapter(\"Create Demo certificates\");\n displayTitle(\"reading configuration\");\n await readConfiguration(local_argv as unknown as IReadConfigurationOpts);\n if (local_argv.clean) {\n displayTitle(\"Cleaning old certificates\");\n assert(gLocalConfig);\n const certificateDir = gLocalConfig.certificateDir \|\| \"\";\n const files = await fs.promises.readdir(certificateDir);\n for (const file of files) {\n if (file.includes(\".pem\") \|\| file.includes(\".pub\")) {\n await fs.promises.unlink(path.join(certificateDir, file));\n }\n }\n mkdirRecursiveSync(certificateDir);\n }\n displayTitle(\"create certificates\");\n await createDefaultCertificates(local_argv.dev);\n displayChapter(\"Demo certificates CREATED\");\n });\n return;\n }\n\n if (command === \"createCA\") {\n const optionsDef = [\n ...getOptions([\"root\", \"CAFolder\", \"keySize\", \"silent\"]),\n { name: \"subject\", type: String, defaultValue: defaultSubject, description: \"the CA certificate subject\" }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help) return showHelp(\"createCA\", \"create a Certificate Authority\", optionsDef);\n\n await wrap(async () => {\n await ensure_openssl_installed();\n await readConfiguration(local_argv as unknown as IReadConfigurationOpts);\n await construct_CertificateAuthority(local_argv.subject);\n });\n return;\n }\n\n if (command === \"createPKI\") {\n const optionsDef = getOptions([\"root\", \"PKIFolder\", \"keySize\", \"silent\"]);\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help) return showHelp(\"createPKI\", \"create a Public Key Infrastructure\", optionsDef);\n\n await wrap(async () => {\n await readConfiguration(local_argv as unknown as IReadConfigurationOpts);\n await construct_CertificateManager();\n });\n return;\n }\n\n if (command === \"certificate\") {\n const optionsDef = [\n ...getOptions([\"root\", \"CAFolder\", \"PKIFolder\", \"privateKey\", \"silent\"]),\n {\n name: \"applicationUri\",\n alias: \"a\",\n type: String,\n defaultValue: \"urn:{hostname}:Node-OPCUA-Server\",\n description: \"the application URI\"\n },\n {\n name: \"output\",\n alias: \"o\",\n type: String,\n defaultValue: \"my_certificate.pem\",\n description: \"the name of the generated certificate =>\"\n },\n {\n name: \"selfSigned\",\n alias: \"s\",\n type: Boolean,\n defaultValue: false,\n description: \"if true, certificate will be self-signed\"\n },\n { name: \"validity\", alias: \"v\", type: Number, description: \"the certificate validity in days\" },\n {\n name: \"dns\",\n type: String,\n defaultValue: \"{hostname}\",\n description: \"the list of valid domain name (comma separated)\"\n },\n { name: \"ip\", type: String, defaultValue: \"\", description: \"the list of valid IPs (comma separated)\" },\n {\n name: \"subject\",\n type: String,\n defaultValue: \"\",\n description: \"the certificate subject ( for instance C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello )\"\n }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help \|\| !local_argv.applicationUri \|\| !local_argv.output)\n return showHelp(\"certificate\", \"create a new certificate\", optionsDef);\n\n async function command_certificate(local_argv: IReadConfigurationOpts) {\n const selfSigned = !!(local_argv as unknown as { selfSigned?: boolean }).selfSigned;\n if (!selfSigned) {\n await command_full_certificate(local_argv);\n } else {\n await command_selfsigned_certificate(local_argv);\n }\n }\n\n async function command_selfsigned_certificate(local_argv: IReadConfigurationOpts) {\n const _fqdn = await extractFullyQualifiedDomainName();\n await readConfiguration(local_argv);\n await construct_CertificateManager();\n\n displaySubtitle(` create self signed Certificate ${gLocalConfig.outputFile}`);\n let subject =\n local_argv.subject && local_argv.subject.length > 1 ? new Subject(local_argv.subject) : gLocalConfig.subject \|\| \"\";\n\n subject = JSON.parse(JSON.stringify(subject));\n\n const params: CreateSelfSignCertificateParam1 = {\n applicationUri: gLocalConfig.applicationUri \|\| \"\",\n dns: gLocalConfig.dns \|\| [],\n ip: gLocalConfig.ip \|\| [],\n outputFile: gLocalConfig.outputFile \|\| \"self_signed_certificate.pem\",\n startDate: gLocalConfig.startDate \|\| new Date(),\n subject,\n validity: gLocalConfig.validity \|\| 365\n };\n\n await certificateManager.createSelfSignedCertificate(params);\n }\n\n async function command_full_certificate(local_argv: IReadConfigurationOpts) {\n await readConfiguration(local_argv);\n await construct_CertificateManager();\n await construct_CertificateAuthority(\"\");\n assert(fs.existsSync(gLocalConfig.CAFolder \|\| \"\"), \" CA folder must exist\");\n gLocalConfig.privateKey = undefined; // use PKI private key\n // create a Certificate Request from the certificate Manager\n\n gLocalConfig.subject = local_argv.subject && local_argv.subject.length > 1 ? local_argv.subject : gLocalConfig.subject;\n\n const csr_file = await certificateManager.createCertificateRequest(\n gLocalConfig as Parameters<typeof certificateManager.createCertificateRequest>[0]\n );\n if (!csr_file) {\n return;\n }\n warningLog(\" csr_file = \", csr_file);\n const certificate = csr_file.replace(\".csr\", \".pem\");\n\n if (fs.existsSync(certificate)) {\n throw new Error(` File ${certificate} already exist`);\n }\n await g_certificateAuthority.signCertificateRequest(\n certificate,\n csr_file,\n gLocalConfig as Parameters<typeof g_certificateAuthority.signCertificateRequest>[2]\n );\n\n assert(typeof gLocalConfig.outputFile === \"string\");\n fs.writeFileSync(gLocalConfig.outputFile \|\| \"\", fs.readFileSync(certificate, \"ascii\"));\n }\n\n await wrap(async () => await command_certificate(local_argv as unknown as IReadConfigurationOpts));\n return;\n }\n\n if (command === \"revoke\") {\n const optionsDef = [{ name: \"certificateFile\", type: String, defaultOption: true }, ...getOptions([\"root\", \"CAFolder\"])];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help \|\| !local_argv.certificateFile)\n return showHelp(\n \"revoke <certificateFile>\",\n \"revoke a existing certificate\",\n optionsDef,\n \"$0 revoke my_certificate.pem\"\n );\n\n async function revoke_certificate(certificate: Filename) {\n await g_certificateAuthority.revokeCertificate(certificate, {});\n }\n\n await wrap(async () => {\n const certificate = path.resolve(local_argv.certificateFile);\n warningLog(chalk.yellow(\" Certificate to revoke : \"), chalk.cyan(certificate));\n if (!fs.existsSync(certificate)) {\n throw new Error(`cannot find certificate to revoke ${certificate}`);\n }\n await readConfiguration(local_argv as unknown as IReadConfigurationOpts);\n await construct_CertificateAuthority(\"\");\n await revoke_certificate(certificate);\n warningLog(\"done ... \");\n warningLog(\" crl = \", g_certificateAuthority.revocationList);\n warningLog(\"\\nyou should now publish the new Certificate Revocation List\");\n });\n return;\n }\n\n if (command === \"csr\") {\n const optionsDef = [\n ...getOptions([\"root\", \"PKIFolder\", \"privateKey\", \"silent\"]),\n {\n name: \"applicationUri\",\n alias: \"a\",\n type: String,\n defaultValue: \"urn:{hostname}:Node-OPCUA-Server\",\n description: \"the application URI\"\n },\n {\n name: \"output\",\n alias: \"o\",\n type: String,\n defaultValue: \"my_certificate_signing_request.csr\",\n description: \"the name of the generated signing_request\"\n },\n {\n name: \"dns\",\n type: String,\n defaultValue: \"{hostname}\",\n description: \"the list of valid domain name (comma separated)\"\n },\n { name: \"ip\", type: String, defaultValue: \"\", description: \"the list of valid IPs (comma separated)\" },\n {\n name: \"subject\",\n type: String,\n defaultValue: \"/CN=Certificate\",\n description: \"the certificate subject ( for instance /C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello )\"\n }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help) return showHelp(\"csr\", \"create a certificate signing request\", optionsDef);\n\n await wrap(async () => {\n await readConfiguration(local_argv as unknown as IReadConfigurationOpts);\n if (!fs.existsSync(gLocalConfig.PKIFolder \|\| \"\")) {\n warningLog(\"PKI folder must exist\");\n }\n await construct_CertificateManager();\n if (!gLocalConfig.outputFile \|\| fs.existsSync(gLocalConfig.outputFile)) {\n throw new Error(` File ${gLocalConfig.outputFile} already exist`);\n }\n gLocalConfig.privateKey = undefined; // use PKI private key\n // create a Certificate Request from the certificate Manager\n\n gLocalConfig.subject = local_argv.subject && local_argv.subject.length > 1 ? local_argv.subject : gLocalConfig.subject;\n\n const internal_csr_file = await certificateManager.createCertificateRequest(\n gLocalConfig as Parameters<typeof certificateManager.createCertificateRequest>[0]\n );\n if (!internal_csr_file) {\n return;\n }\n if (!gLocalConfig.outputFile) {\n warningLog(\"please specify a output file\");\n return;\n }\n const csr = await fs.promises.readFile(internal_csr_file, \"utf-8\");\n fs.writeFileSync(gLocalConfig.outputFile \|\| \"\", csr, \"utf-8\");\n\n warningLog(\"Subject = \", gLocalConfig.subject);\n warningLog(\"applicationUri = \", gLocalConfig.applicationUri);\n warningLog(\"altNames = \", gLocalConfig.altNames);\n warningLog(\"dns = \", gLocalConfig.dns);\n warningLog(\"ip = \", gLocalConfig.ip);\n\n warningLog(\"CSR file = \", gLocalConfig.outputFile);\n });\n return;\n }\n\n if (command === \"sign\") {\n const optionsDef = [\n ...getOptions([\"root\", \"CAFolder\", \"silent\"]),\n { name: \"csr\", alias: \"i\", type: String, defaultValue: \"my_certificate_signing_request.csr\", description: \"the csr\" },\n {\n name: \"output\",\n alias: \"o\",\n type: String,\n defaultValue: \"my_certificate.pem\",\n description: \"the name of the generated certificate\"\n },\n { name: \"validity\", alias: \"v\", type: Number, defaultValue: 365, description: \"the certificate validity in days\" }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help \|\| !local_argv.csr \|\| !local_argv.output)\n return showHelp(\"sign\", \"validate a certificate signing request and generate a certificate\", optionsDef);\n\n await wrap(async () => {\n await readConfiguration(local_argv as unknown as IReadConfigurationOpts);\n if (!fs.existsSync(gLocalConfig.CAFolder \|\| \"\")) {\n throw new Error(`CA folder must exist:${gLocalConfig.CAFolder}`);\n }\n await construct_CertificateAuthority(\"\");\n const csr_file: string = path.resolve((local_argv as unknown as { csr?: string }).csr \|\| \"\");\n if (!fs.existsSync(csr_file)) {\n throw new Error(`Certificate signing request doesn't exist: ${csr_file}`);\n }\n const certificate = path.resolve(local_argv.output \|\| csr_file.replace(\".csr\", \".pem\"));\n if (fs.existsSync(certificate)) {\n throw new Error(` File ${certificate} already exist`);\n }\n\n await g_certificateAuthority.signCertificateRequest(\n certificate,\n csr_file,\n gLocalConfig as Parameters<typeof g_certificateAuthority.signCertificateRequest>[2]\n );\n\n assert(typeof gLocalConfig.outputFile === \"string\");\n fs.writeFileSync(gLocalConfig.outputFile \|\| \"\", fs.readFileSync(certificate, \"ascii\"));\n });\n return;\n }\n\n if (command === \"dump\") {\n const optionsDef = [\n { name: \"certificateFile\", type: String, defaultOption: true },\n { name: \"help\", alias: \"h\", type: Boolean }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help \|\| !local_argv.certificateFile)\n return showHelp(\"dump <certificateFile>\", \"display a certificate\", optionsDef);\n\n await wrap(async () => {\n const data = await dumpCertificate(local_argv.certificateFile);\n warningLog(data);\n });\n return;\n }\n\n if (command === \"toder\") {\n const optionsDef = [\n { name: \"pemCertificate\", type: String, defaultOption: true },\n { name: \"help\", alias: \"h\", type: Boolean }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help \|\| !local_argv.pemCertificate)\n return showHelp(\"toder <pemCertificate>\", \"convert a certificate to a DER format with finger print\", optionsDef);\n\n await wrap(async () => {\n await toDer(local_argv.pemCertificate);\n });\n return;\n }\n\n if (command === \"fingerprint\") {\n const optionsDef = [\n { name: \"certificateFile\", type: String, defaultOption: true },\n { name: \"help\", alias: \"h\", type: Boolean }\n ];\n const local_argv = commandLineArgs(optionsDef, { argv });\n if (local_argv.help \|\| !local_argv.certificateFile)\n return showHelp(\"fingerprint <certificateFile>\", \"print the certificate fingerprint\", optionsDef);\n\n await wrap(async () => {\n const certificate = local_argv.certificateFile;\n const data = await fingerprint(certificate);\n if (!data) return;\n const s = data.split(\"=\")[1].split(\":\").join(\"\").trim();\n warningLog(s);\n });\n return;\n }\n\n console.log(`Unknown command: ${command}`);\n}\n","#!/usr/bin/env node\nimport { main as pki_main } from \"../lib/ca/crypto_create_CA\";\n\npki_main(process.argv.splice(2));\n"],"mappings":";;;;;;;;;;AAsBA,OAAO,YAAY;AACnB,SAAS,kBAAkB;AAEpB,SAAS,mBAAmB,UAAkB,QAAwB;AAKzE,MAAI,eAAe;AACnB,MAAI,aAAa,SAAS,IAAI,OAAO,UAAU,IAAI;AAG/C,mBAAe,WAAW,KAAK,EAAE,OAAO,QAAQ,EAAE,OAAO,KAAK,EAAE,UAAU,GAAG,EAAE;AAAA,EACnF;AAEA,QAAM,iBAAiB,OAAO,YAAY,IAAI,MAAM;AACpD,SAAO,eAAe,UAAU,EAAE;AAClC,SAAO;AACX;AAxCA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACGA,OAAO,SAAS;AAChB,OAAO,QAAQ;AACf,SAAS,iBAAiB;AAE1B,SAAS,KAAK,KAAa,QAAyB;AAChD,MAAI,CAAC,QAAQ;AACT,WAAO;AAAA,EACX;AACA,SAAO,IAAI,UAAU,GAAG,KAAK,IAAI,IAAI,QAAQ,MAAM,CAAC;AACxD;AAEA,SAAS,KAAK,UAAsD;AAChE,QAAM,OAAO,GAAG,SAAS;AAEzB,MAAI,OAAO,MAAM,EAAE,OAAO,IAAI,WAAW,GAAG,CAAC,MAAoB,OAAe;AAC5E,QAAI,MAAM;AACN,aAAO,SAAS,IAAI;AAAA,IACxB;AAEA,QAAI,cAAc,IAAI,GAAG,CAAC,MAAoB,UAAkB;AAC5D,UAAI,MAAM;AACN,eAAO,SAAS,IAAI;AAAA,MACxB;AACA,cAAQ,MAAM,QAAQ,gBAAgB,EAAE;AACxC,eAAS,MAAM,KAAK;AAAA,IACxB,CAAC;AAAA,EACL,CAAC;AACL;AAOA,eAAsB,kCAAmD;AACrE,MAAI,kCAAkC;AAClC,WAAO;AAAA,EACX;AACA,MAAI,QAAQ,aAAa,SAAS;AAE9B,UAAM,MAAM,QAAQ;AACpB,uCACI,IAAI,gBAAgB,IAAI,iBAAiB,IAAI,eAAe,SAAS,IAAI,IAAI,IAAI,aAAuB,KAAK;AAAA,EACrH,OAAO;AACH,QAAI;AACA,yCAAmC,MAAM,UAAU,IAAI,EAAE;AACzD,UAAI,qCAAqC,aAAa;AAClD,cAAM,IAAI,MAAM,wBAAwB;AAAA,MAC5C;AACA,UAAI,cAAc,KAAK,gCAA0C,GAAG;AAChE,cAAM,IAAI,MAAM,gCAAgC;AAAA,MACpD;AAAA,IACJ,SAAS,MAAM;AAEX,yCAAmC,GAAG,SAAS;AAAA,IACnD;AAAA,EACJ;AACA,SAAO;AACX;AAEA,eAAsB,cAAc;AAChC,qCAAmC,MAAM,gCAAgC;AAC7E;AAEO,SAAS,4BAA4B,qBAA8B;AACtE,MAAI,CAAC,kCAAkC;AACnC,UAAM,IAAI,MAAM,2DAA2D;AAAA,EAC/E;AACA,SAAO,mCAAmC,KAAK,kCAAkC,mBAAmB,IAAI;AAC5G;AAxEA,IAgCI;AAhCJ;AAAA;AAAA;AAAA;AAwFA,gBAAY;AAAA;AAAA;;;ACxFZ,IAsBa;AAtBb;AAAA;AAAA;AAAA;AAsBO,IAAM,WAAW;AAAA,MACpB,gBAAgB;AAAA,MAChB,QAAQ,QAAQ,IAAI,UAAU,CAAC,QAAQ,IAAI,UAAU;AAAA,MACrD,OAAO;AAAA,IACX;AAAA;AAAA;;;ACAO,SAAS,YAAY,MAAiB;AAEzC,MAAI,cAAc;AACd,YAAQ,IAAI,MAAM,MAAM,IAAI;AAAA,EAChC;AACJ;AACO,SAAS,cAAc,MAAiB;AAC3C,UAAQ,IAAI,MAAM,MAAM,IAAI;AAChC;AAlCA,IAsBa,SACA,cACA;AAxBb;AAAA;AAAA;AAAA;AAsBO,IAAM,UAAU,QAAQ,IAAI,qBAAqB;AACjD,IAAM,eAAe;AACrB,IAAM,eAAe,CAAC,CAAC,QAAQ,IAAI,qBAAqB;AAAA;AAAA;;;ACD/D,OAAOA,aAAY;AACnB,OAAO,QAAQ;AACf,OAAO,UAAU;AAEjB,OAAO,WAAW;AAMX,SAAS,qBAAqB,iBAAkC;AAEnE,MAAI,GAAG,WAAW,eAAe,KAAK,CAAC,SAAS,OAAO;AACnD;AAAA,MACI,MAAM,OAAO,sBAAsB,IAAI,MAAM,KAAK,eAAe,IAAI,MAAM,OAAO,qCAAqC;AAAA,IAC3H;AACA,WAAO;AAAA,EACX;AACA,SAAO;AACX;AAEO,SAAS,mBAAmB,QAAsB;AACrD,MAAI,CAAC,GAAG,WAAW,MAAM,GAAG;AAExB,aAAS,MAAM,MAAM,mBAAmB,GAAG,MAAM;AACjD,OAAG,UAAU,QAAQ,EAAE,WAAW,KAAK,CAAC;AAAA,EAC5C;AACJ;AAEO,SAAS,SAAS,YAAoB,UAA2B;AACpE,MAAI;AACJ,MAAI,UAAU;AACV,QAAI,KAAK,KAAK,KAAK,UAAU,UAAU,GAAG,QAAQ;AAAA,EACtD,OAAO;AACH,IAAAA,QAAO,UAAU;AACjB,QAAI;AAAA,EACR;AACA,MAAI,EAAE,QAAQ,OAAO,GAAG;AACxB,SAAO;AACX;AA9DA;AAAA;AAAA;AAAA;AA6BA;AAEA;AAAA;AAAA;;;ACTA,OAAOC,YAAW;AAKX,SAAS,eAAe,KAAa;AACxC,QAAM,IAAI;AACV,aAAW,GAAGA,OAAM,QAAQ,CAAC,CAAC,GAAG;AACjC,QAAM,WAAW,GAAG,GAAG,CAAC,GAAG,UAAU,GAAG,EAAE,MAAM;AAChD,aAAWA,OAAM,QAAQ,KAAK,GAAG,CAAC;AAClC,aAAW,GAAGA,OAAM,QAAQ,CAAC,CAAC,GAAG;AACrC;AAEO,SAAS,aAAa,KAAa;AAEtC,MAAI,CAAC,SAAS,QAAQ;AAClB,eAAW,EAAE;AACb,eAAWA,OAAM,aAAa,GAAG,CAAC;AAClC,eAAWA,OAAM,OAAO,IAAI,MAAM,IAAI,SAAS,CAAC,EAAE,KAAK,GAAG,CAAC,GAAG,IAAI;AAAA,EACtE;AACJ;AAEO,SAAS,gBAAgB,KAAa;AAEzC,MAAI,CAAC,SAAS,QAAQ;AAClB,eAAW,EAAE;AACb,eAAW,OAAOA,OAAM,aAAa,GAAG,CAAC,EAAE;AAC3C,eAAW,OAAOA,OAAM,MAAM,IAAI,MAAM,IAAI,SAAS,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,IAAI,IAAI;AAAA,EAC9E;AACJ;AACO,SAAS,QAAQ,KAAa;AAEjC,MAAI,CAAC,SAAS,QAAQ;AAClB,eAAW,UAAU,GAAG,EAAE;AAAA,EAC9B;AACJ;AAzDA;AAAA;AAAA;AAAA;AAuBA;AACA;AAAA;AAAA;;;ACHA,OAAOC,aAAY;AACnB,OAAOC,SAAQ;AACf,SAAS,iCAAiC,iBAAiB,eAAe;AAO1E,eAAsB,qCAClB,mCACA,QACa;AACb,EAAAD,QAAO,MAAM;AACb,EAAAA,QAAO,OAAO,OAAO;AACrB,EAAAA,QAAO,OAAO,UAAU;AACxB,EAAAA,QAAO,OAAO,UAAU;AACxB,EAAAA,QAAO,OAAO,OAAO,eAAe,QAAQ;AAC5C,EAAAA,QAAOC,IAAG,WAAW,OAAO,UAAU,GAAG,yBAAyB,OAAO,UAAU,EAAE;AAGrF,EAAAD,QAAOC,IAAG,WAAW,OAAO,OAAO,GAAG,wBAAwB;AAC9D,EAAAD,QAAO,OAAO,sCAAsC,QAAQ;AAE5D,QAAM,UAAU,OAAO,UAAU,IAAI,QAAQ,OAAO,OAAO,EAAE,SAAS,IAAI;AAC1E,kBAAgB,uDAAuD;AAEvE,QAAM,gBAAgB,MAAMC,IAAG,SAAS,SAAS,OAAO,YAAY,OAAO;AAC3E,QAAM,aAAa,MAAM,gBAAgB,aAAa;AAEtD,QAAM,EAAE,IAAI,IAAI,MAAM,gCAAgC;AAAA,IAClD;AAAA,IACA,KAAK,OAAO;AAAA,IACZ,IAAI,OAAO;AAAA,IACX;AAAA,IACA,gBAAgB,OAAO;AAAA,IACvB,SAAS,OAAO;AAAA,EACpB,CAAC;AACD,QAAMA,IAAG,SAAS,UAAU,mCAAmC,KAAK,OAAO;AAE3E,UAAQ,gBAAgB,OAAO,UAAU,EAAE;AAC3C,UAAQ,uCAAuC,iCAAiC,EAAE;AAItF;AAlEA;AAAA;AAAA;AAAA;AAyBA;AAAA;AAAA;;;ACHA,OAAOC,aAAY;AAmBZ,SAAS,MAAM,KAAsB;AACxC,SAAO,IAAI,OAAO,EAAE;AACxB;AA+FO,SAAS,WAAW,QAA+B;AACtD,EAAAA,QAAO,kBAAkB,MAAM;AAC/B,SAAO,YAAY,OAAO,aAAa,oBAAI,KAAK;AAChD,EAAAA,QAAO,OAAO,qBAAqB,IAAI;AAEvC,SAAO,WAAW,OAAO,YAAY;AAErC,SAAO,UAAU,IAAI,KAAK,OAAO,UAAU,QAAQ,CAAC;AACpD,SAAO,QAAQ,QAAQ,OAAO,UAAU,QAAQ,IAAI,OAAO,QAAQ;AAKnE,EAAAA,QAAO,OAAO,mBAAmB,IAAI;AACrC,EAAAA,QAAO,OAAO,qBAAqB,IAAI;AAO3C;AAEO,SAAS,qBAAqB,QAAgB;AACjD,QAAM,iBAAiB,OAAO,kBAAkB;AAChD,MAAI,eAAe,SAAS,KAAK;AAC7B,UAAM,IAAI,MAAM,2DAA2D,cAAc,EAAE;AAAA,EAC/F;AACJ;AAtKA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACqBA,OAAOC,aAAY;AACnB,OAAOC,SAAQ;AAEf;AAAA,EACI;AAAA,EACA,+BAA+B;AAAA,EAC/B,mBAAAC;AAAA,EACA,WAAAC;AAAA,OACG;AAIP,eAAsB,iCAClB,aACA,QACa;AACb,SAAO,UAAU,OAAO,WAAW,mBAAmB;AACtD,EAAAH,QAAO,OAAO,SAAS,sCAAsC;AAM7D,EAAAA,QAAOC,IAAG,WAAW,OAAO,UAAU,CAAC;AACvC,EAAAD,QAAOC,IAAG,WAAW,OAAO,OAAO,CAAC;AACpC,EAAAD,QAAOC,IAAG,WAAW,OAAO,UAAU,CAAC;AACvC,MAAI,CAAC,OAAO,SAAS;AACjB,UAAM,MAAM,iBAAiB;AAAA,EACjC;AAEA,EAAAD,QAAO,OAAO,OAAO,mBAAmB,QAAQ;AAChD,EAAAA,QAAO,MAAM,QAAQ,OAAO,GAAG,CAAC;AAKhC,aAAW,MAAM;AACjB,EAAAA,QAAO,OAAO,UAAU,eAAe,KAAK,QAAQ,UAAU,CAAC;AAE/D,MAAI,UAA4B,IAAIG,SAAQ,OAAO,OAAO;AAC1D,YAAU,QAAQ,SAAS;AAG3B,QAAM,UAAU,OAAO;AAEvB,eAAa,gCAAgC;AAE7C,QAAM,gBAAgB,MAAMF,IAAG,SAAS,SAAS,OAAO,YAAY,OAAO;AAC3E,QAAM,aAAa,MAAMC,iBAAgB,aAAa;AAEtD,QAAM,EAAE,KAAK,IAAI,MAAM,6BAA6B;AAAA,IAChD;AAAA,IACA,WAAW,OAAO;AAAA,IAClB,UAAU,OAAO;AAAA,IACjB,UAAU,OAAO;AAAA,IACjB,KAAK,OAAO;AAAA,IACZ,IAAI,OAAO;AAAA,IACX;AAAA,IACA,gBAAgB,OAAO;AAAA,IACvB;AAAA,EACJ,CAAC;AACD,QAAMD,IAAG,SAAS,UAAU,aAAa,MAAM,OAAO;AAC1D;AAEA,eAAsB,4BAClB,aACA,QACa;AACb,QAAM,iCAAiC,aAAa,MAAM;AAC9D;AA1FA;AAAA;AAAA;AAAA;AA8BA;AACA;AAAA;AAAA;;;AC/BA;AAAA;AAAA;AAAA;AAuBA;AACA;AAAA;AAAA;;;ACxBA,IAAM,QA0EC;AA1EP;AAAA;AAAA;AAAA;AAAA,IAAM,SACF;AAyEJ,IAAO,qCAAQ;AAAA;AAAA;;;ACjEf,SAAS,oBAAoB;AAC7B,OAAOG,SAAQ;AACf,OAAOC,WAAU;AACjB,SAAS,gBAAgB;AACzB,OAAOC,YAAW;AAClB,OAAO,cAAuD;AAC9D;AAAA,EAMI;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACG;AAkCP,SAAS,iBAAiB,OAAoC;AAC1D,MAAI,CAAC,MAAM,MAAM;AACb,UAAM,OAAO,yBAAyB,MAAM,WAAW;AAAA,EAC3D;AACA,SAAO,MAAM;AACjB;AAiBA,SAAS,yBAAyB,aAAgD;AAC9E,QAAM,MAAM,mBAAmB,WAAW,EAAE,SAAS,KAAK;AAC1D,QAAM,SAAS,cAAc,IAAI,GAAG;AACpC,MAAI,QAAQ;AAER,kBAAc,OAAO,GAAG;AACxB,kBAAc,IAAI,KAAK,MAAM;AAC7B,WAAO;AAAA,EACX;AACA,QAAM,OAAO,mBAAmB,WAAW;AAC3C,gBAAc,IAAI,KAAK,IAAI;AAC3B,MAAI,cAAc,OAAO,mBAAmB;AAExC,UAAM,SAAS,cAAc,KAAK,EAAE,KAAK,EAAE;AAC3C,QAAI,OAAQ,eAAc,OAAO,MAAM;AAAA,EAC3C;AACA,SAAO;AACX;AAyKA,SAAS,gBAAgB,aAA8D;AAInF,QAAM,QAAQ,UAAU,WAAW;AACnC,SAAO,mBAAmB,MAAM,CAAC,CAAC,EAAE,SAAS,KAAK;AACtD;AACA,SAAS,MAAM,iBAAyB;AACpC,SAAO,gBAAgB,UAAU,GAAG,EAAE;AAC1C;AAGA,SAAS,0BAA0B,aAAkC;AACjE,QAAMC,eAAc,gBAAgB,WAAW;AAC/C,MAAI;AACA,UAAM,aAAa,yBAAyB,WAAW,EAAE,eAAe,QAAQ,cAAc;AAI9F,UAAM,sBAAsB,WAAW,QAAQ,gBAAgB,GAAG;AAClE,WAAO,GAAG,mBAAmB,IAAIA,YAAW;AAAA,EAChD,SAAS,MAAM;AAEX,WAAO,wBAAwBA,YAAW;AAAA,EAC9C;AACJ;AACA,SAAS,sBAAsB,SAAkB,iBAAkC;AAC/E,SAAO,QAAQ,OAAO,CAAC,UAAU;AAC7B,UAAM,OAAO,iBAAiB,KAAK;AACnC,WAAO,KAAK,eAAe,cAAc,KAAK,eAAe,WAAW,yBAAyB;AAAA,EACrG,CAAC;AACL;AAEA,SAAS,cAAc,MAAqC;AACxD,SACI,KAAK,eAAe,YAAY,yBAChC,KAAK,eAAe,YAAY,wBAAwB;AAEhE;AAEA,SAAS,cAAc,aAA8B;AACjD,QAAM,OAAO,yBAAyB,WAAW;AACjD,SAAO,cAAc,IAAI;AAC7B;AAUO,SAAS,6BAA6B,aAA0B,OAA0C;AAC7G,MAAI,CAAC,aAAa;AACd,WAAO;AAAA,EACX;AACA,QAAM,WAAW,yBAAyB,WAAW;AAGrD,MAAI,cAAc,QAAQ,GAAG;AAEzB,WAAO;AAAA,EACX;AACA,QAAM,kBAAkB,SAAS,eAAe,YAAY,wBAAwB;AAGpF,MAAI,CAAC,iBAAiB;AAElB,aAAS,gCAAgC;AACzC,WAAO;AAAA,EACX;AACA,QAAM,mBAAmB,MAAM,OAAO,CAAC,MAAM;AACzC,UAAM,OAAO,yBAAyB,CAAC;AACvC,WAAO,KAAK,eAAe,cAAc,KAAK,eAAe,WAAW,yBAAyB;AAAA,EACrG,CAAC;AAED,MAAI,iBAAiB,WAAW,GAAG;AAC/B,WAAO,iBAAiB,CAAC;AAAA,EAC7B;AACA,MAAI,iBAAiB,SAAS,GAAG;AAC7B,aAAS,sFAAsF;AAC/F,WAAO,iBAAiB,CAAC;AAAA,EAC7B;AACA,SAAO;AACX;AAxWA,IAwDM,iCACA,aA6BA,mBACA,eAuMA,gBAmIO;AAjab;AAAA;AAAA;AAAA;AA4CA;AACA;AACA;AAEA;AAQA,IAAM,kCAA0C;AAChD,IAAM,cAAcH,IAAG,SAAS;AA6BhC,IAAM,oBAAoB;AAC1B,IAAM,gBAAgB,oBAAI,IAAkC;AAuM5D,IAAM,iBAAiB;AAmIhB,IAAM,qBAAN,MAAM,4BAA2B,aAAa;AAAA;AAAA;AAAA;AAAA;AAAA,MAKjD,OAAO,mBAAmB,oBAAI,IAAwB;AAAA,MACtD,OAAO,oBAAoB;AAAA,MAE3B,OAAO,yBAA+B;AAClC,YAAI,oBAAmB,kBAAmB;AAC1C,4BAAmB,oBAAoB;AAEvC,cAAM,wBAAwB,MAAM;AAChC,qBAAW,MAAM,oBAAmB,kBAAkB;AAClD,uBAAW,KAAK,GAAG,WAAW;AAC1B,kBAAI;AACA,kBAAE,MAAM;AAAA,cACZ,QAAQ;AAAA,cAER;AAAA,YACJ;AACA,eAAG,UAAU,OAAO,CAAC;AACrB,eAAG,QAAQ;AAAA,UACf;AACA,8BAAmB,iBAAiB,MAAM;AAAA,QAC9C;AAKA,gBAAQ,GAAG,cAAc,qBAAqB;AAI9C,mBAAW,UAAU,CAAC,UAAU,SAAS,GAAY;AACjD,kBAAQ,KAAK,QAAQ,MAAM;AACvB,kCAAsB;AACtB,oBAAQ,KAAK;AAAA,UACjB,CAAC;AAAA,QACL;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,aAAoB,aAA4B;AAC5C,cAAM,YAAY,CAAC,GAAG,oBAAmB,gBAAgB;AACzD,cAAM,QAAQ,IAAI,UAAU,IAAI,CAAC,OAAO,oBAAmB,UAAU,QAAQ,KAAK,EAAE,CAAC,CAAC;AAAA,MAC1F;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAiBA,OAAc,mBAAyB;AACnC,YAAI,oBAAmB,iBAAiB,SAAS,EAAG;AACpD,cAAM,YAAY,CAAC,GAAG,oBAAmB,gBAAgB,EAAE,IAAI,CAAC,OAAO,GAAG,OAAO;AACjF,cAAM,IAAI;AAAA,UACN,GAAG,oBAAmB,iBAAiB,IAAI;AAAA,MAAsD,UAAU,KAAK,QAAQ,CAAC;AAAA,QAC7H;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQO,4BAA4B;AAAA;AAAA,MAE5B,QAAiC;AAAA;AAAA,MAEjC,wBAAwB;AAAA;AAAA,MAG/B,IAAW,wBAAgC;AACvC,eAAO,KAAK;AAAA,MAChB;AAAA,MACA,IAAW,sBAAsB,OAAe;AAC5C,aAAK,wBAAwB;AAAA,MACjC;AAAA;AAAA,MAGgB;AAAA,MACP;AAAA,MACA,YAA4B,CAAC;AAAA,MAC7B,iBAAkC,oBAAI,IAAI;AAAA,MACnD,0BAA0B;AAAA,MACjB,kBAAkB,oBAAI,IAAoB;AAAA,MACnD;AAAA,MAES,UAAkB;AAAA,QACvB,UAAU,oBAAI,IAAI;AAAA,QAClB,SAAS,oBAAI,IAAI;AAAA,QACjB,SAAS;AAAA,UACL,OAAO,oBAAI,IAAI;AAAA,QACnB;AAAA,QACA,KAAK,oBAAI,IAAI;AAAA,QACb,YAAY,oBAAI,IAAI;AAAA,MACxB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAWA,YAAY,SAAoC;AAC5C,cAAM;AACN,gBAAQ,UAAU,QAAQ,WAAW;AACrC,YAAI,CAAC,QAAQ,UAAU;AACnB,gBAAM,IAAI,MAAM,+CAA+C;AAAA,QACnE;AAEA,aAAK,YAAY,SAAS,QAAQ,UAAU,EAAE;AAC9C,aAAK,UAAU,QAAQ;AAEvB,2BAAmB,QAAQ,QAAQ;AAEnC,YAAI,CAACA,IAAG,WAAW,KAAK,SAAS,GAAG;AAChC,gBAAM,IAAI,MAAM,6CAA6C,KAAK,SAAS,EAAE;AAAA,QACjF;AAAA,MACJ;AAAA;AAAA,MAGA,IAAI,aAAa;AACb,eAAOC,MAAK,KAAK,KAAK,SAAS,iBAAiB;AAAA,MACpD;AAAA;AAAA,MAGA,IAAI,UAAU;AACV,eAAO,KAAK;AAAA,MAChB;AAAA;AAAA,MAGA,IAAI,aAAa;AACb,eAAOA,MAAK,KAAK,KAAK,SAAS,6BAA6B;AAAA,MAChE;AAAA;AAAA,MAGA,IAAI,aAAa;AACb,eAAOA,MAAK,KAAK,KAAK,SAAS,cAAc;AAAA,MACjD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,kBAAkB,aAAyC;AACpE,cAAM,KAAK,iBAAiB,aAAa,UAAU;AAAA,MACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,iBAAiB,aAAyC;AACnE,cAAM,KAAK,iBAAiB,aAAa,SAAS;AAAA,MACtD;AAAA;AAAA,MAGA,IAAW,iBAAyB;AAChC,eAAOA,MAAK,KAAK,KAAK,SAAS,UAAU;AAAA,MAC7C;AAAA;AAAA,MAEA,IAAW,gBAAwB;AAC/B,eAAOA,MAAK,KAAK,KAAK,SAAS,eAAe;AAAA,MAClD;AAAA;AAAA,MAEA,IAAW,YAAoB;AAC3B,eAAOA,MAAK,KAAK,KAAK,SAAS,aAAa;AAAA,MAChD;AAAA;AAAA,MAEA,IAAW,oBAA4B;AACnC,eAAOA,MAAK,KAAK,KAAK,SAAS,eAAe;AAAA,MAClD;AAAA;AAAA,MAEA,IAAW,mBAA2B;AAClC,eAAOA,MAAK,KAAK,KAAK,SAAS,aAAa;AAAA,MAChD;AAAA;AAAA,MAEA,IAAW,gBAAwB;AAC/B,eAAOA,MAAK,KAAK,KAAK,SAAS,WAAW;AAAA,MAC9C;AAAA,MACA,IAAW,mBAA2B;AAClC,eAAOA,MAAK,KAAK,KAAK,SAAS,aAAa;AAAA,MAChD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAUA,MAAa,qBAAqB,aAA2C;AACzE,cAAME,eAAc,gBAAgB,WAAW;AAE/C,YAAI,KAAK,QAAQ,QAAQ,IAAIA,YAAW,GAAG;AACvC,iBAAO;AAAA,QACX;AAEA,YAAI,CAAC,KAAK,QAAQ,SAAS,IAAIA,YAAW,GAAG;AACzC,cAAI,CAAC,KAAK,2BAA2B;AACjC,mBAAO;AAAA,UACX;AAEA,cAAI;AACA,mCAAuB,WAAW;AAAA,UACtC,SAAS,MAAM;AACX,mBAAO;AAAA,UACX;AACA,gBAAM,WAAWF,MAAK,KAAK,KAAK,gBAAgB,GAAG,0BAA0B,WAAW,CAAC,MAAM;AAC/F,mBAAS,2EAA2E,QAAQ;AAC5F,gBAAM,YAAY,UAAU,MAAM,aAAa,aAAa,CAAC;AAC7D,eAAK,QAAQ,SAAS,IAAIE,cAAa,EAAE,aAAa,SAAS,CAAC;AAAA,QACpE;AACA,eAAO;AAAA,MACX;AAAA,MACA,MAAM,6BACF,aACA,WACA,OACA,SAC2B;AAC3B,YAAI,SAAS,GAAG;AAEZ,iBAAO;AAAA,QACX;AACA,cAAM,QAAQ,UAAU,WAAW;AACnC,iBAAS,8BAA8B,MAAM,MAAM;AACnD,cAAM,OAAO,yBAAyB,MAAM,CAAC,CAAC;AAE9C,YAAI,iBAAiB;AACrB,YAAI,mBAAmB;AAEvB,cAAM,eAAe,KAAK,eAAe,YAAY,wBAAwB;AAC7E,iBAAS,gCAAgC,YAAY;AAErD,YAAI,cAAc;AACd,gBAAM,eAAe,cAAc,IAAI;AAEvC,mBAAS,qCAAqC,YAAY;AAC1D,cAAI,CAAC,cAAc;AACf;AAAA,cACI;AAAA,cACA;AAAA,cACA,KAAK,eAAe,YAAY;AAAA,cAChC;AAAA,cACA,KAAK,eAAe,YAAY,wBAAwB;AAAA,YAC5D;AACA,gBAAI,oBAAoB,MAAM,KAAK,sBAAsB,MAAM,CAAC,CAAC;AACjE,gBAAI,CAAC,mBAAmB;AAGpB,kCAAoB,6BAA6B,MAAM,CAAC,GAAG,KAAK;AAChE,kBAAI,CAAC,mBAAmB;AACpB;AAAA,kBACI;AAAA,gBACJ;AACA,uBAAO;AAAA,cACX;AACA,uBAAS,sFAAsF;AAAA,YACnG,OAAO;AACH,uBAAS,oEAAoE;AAAA,YACjF;AACA,kBAAM,eAAe,MAAM,KAAK,6BAA6B,mBAAmB,MAAM,QAAQ,GAAG,OAAO;AACxG,gBAAI,iBAAiB,yEAAoD;AAErE,qBAAO;AAAA,YACX;AACA,gBAAI,iBAAiB,qFAA0D;AAE3E,qBAAO;AAAA,YACX;AACA,gBAAI,iBAAiB,6DAA8C;AAC/D,kBAAI,CAAC,WAAW,CAAC,QAAQ,iCAAiC;AAEtD,uBAAO;AAAA,cACX;AAAA,YACJ;AACA,gBAAI,iBAAiB,yDAA4C;AAC7D,uBAAS,2BAA2B,aAAa,SAAS,GAAG,uCAAuC;AAAA,YAExG;AAEA,gBAAI,iBAAiB,qBAA2B,iBAAiB,yDAA4C;AAEzG,qBAAO;AAAA,YACX;AAEA,kBAAM,2BAA2B,2BAA2B,aAAa,iBAAiB;AAC1F,gBAAI,CAAC,0BAA0B;AAC3B,uBAAS,0EAA0E;AACnF,qBAAO;AAAA,YACX;AACA,6BAAiB;AAGjB,gBAAI,gBAAgB,MAAM,KAAK,qBAAqB,WAAW;AAC/D,gBAAI,kBAAkB,yEAAoD;AACtE,kBAAI,SAAS,6BAA6B;AAEtC,gCAAgB;AAAA,cACpB;AAAA,YACJ;AACA,gBAAI,kBAAkB,mBAAyB;AAE3C,uBAAS,iBAAiB,aAAa;AACvC,qBAAO;AAAA,YACX;AAGA,kBAAM,sBAAsB,MAAM,KAAK,wBAAwB,iBAAiB;AAChF,qBAAS,uBAAuB,mBAAmB;AAEnD,gBAAI,wBAAwB,WAAW;AACnC,iCAAmB;AAAA,YACvB,WAAW,wBAAwB,WAAW;AAC1C,iCAAmB;AAAA,YACvB,WAAW,wBAAwB,YAAY;AAE3C,qBAAO;AAAA,YACX;AAAA,UACJ,OAAO;AAEH,kBAAM,2BAA2B,2BAA2B,aAAa,WAAW;AACpF,gBAAI,CAAC,0BAA0B;AAC3B,uBAAS,gDAAgD;AACzD,qBAAO;AAAA,YACX;AACA,kBAAM,gBAAgB,MAAM,KAAK,qBAAqB,WAAW;AACjE,qBAAS,6CAA6C,aAAa;AAAA,UACvE;AAAA,QACJ;AAEA,cAAM,SAAS,MAAM,KAAK,wBAAwB,WAAW;AAC7D,YAAI,WAAW,YAAY;AACvB,cAAI,EAAE,QAAQ,yCAAyC,kBAAkB,mBAAmB;AACxF,mBAAO;AAAA,UACX;AAAA,QACJ;AACA,cAAM,MAAM,MAAM,CAAC,IAAI,uBAAuB,MAAM,CAAC,CAAC,IAAI;AAC1D,iBAAS,kBAAkB,GAAG;AAI9B,cAAM,kBAAkB,uBAAuB,WAAW;AAC1D,cAAM,MAAM,oBAAI,KAAK;AAErB,YAAI,gBAAgB;AAEpB,YAAI,gBAAgB,UAAU,QAAQ,IAAI,IAAI,QAAQ,GAAG;AAErD;AAAA,YACI,GAAGD,OAAM,IAAI,0DAA0D,CAAC,qBAAqB,gBAAgB,SAAS;AAAA,UAC1H;AACA,cAAI,CAAC,QAAQ,0BAA0B;AACnC,4BAAgB;AAAA,UACpB;AAAA,QACJ;AAGA,YAAI,gBAAgB,SAAS,QAAQ,KAAK,IAAI,QAAQ,GAAG;AAErD;AAAA,YACI,GAAGA,OAAM,IAAI,oDAAoD,CAAC,oBAAoB,gBAAgB,QAAQ;AAAA,UAClH;AACA,cAAI,CAAC,QAAQ,2BAA2B;AACpC,4BAAgB;AAAA,UACpB;AAAA,QACJ;AACA,YAAI,WAAW,WAAW;AACtB,iBAAO,gBAAgB,8DAA+C;AAAA,QAC1E;AAEA,YAAI,cAAc;AACd,cAAI,CAAC,kBAAkB;AACnB,mBAAO;AAAA,UACX;AACA,cAAI,CAAC,gBAAgB;AACjB,mBAAO;AAAA,UACX;AACA,cAAI,CAAC,QAAQ,uCAAuC;AAEhD,mBAAO;AAAA,UACX;AACA,iBAAO,gBAAgB,8DAA+C;AAAA,QAC1E,OAAO;AACH,iBAAO;AAAA,QACX;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAcA,MAAgB,uBACZ,aACA,SAC2B;AAC3B,cAAM,UAAU,MAAM,KAAK,6BAA6B,aAAa,OAAO,GAAG,OAAO;AACtF,eAAO;AAAA,MACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYA,MAAa,kBAAkB,aAA0B,SAAiE;AAEtH,YAAI,CAAC,aAAa;AAEd,iBAAO;AAAA,QACX;AACA,YAAI;AACA,gBAAM,SAAS,MAAM,KAAK,uBAAuB,aAAa,WAAW,CAAC,CAAC;AAC3E,iBAAO;AAAA,QACX,SAAS,OAAO;AACZ,qBAAW,4BAA6B,MAAgB,OAAO,EAAE;AACjE,iBAAO;AAAA,QACX;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,MAAa,aAA4B;AACrC,YAAI,KAAK,UAAU,uBAAuC;AACtD;AAAA,QACJ;AACA,aAAK,QAAQ;AACb,aAAK,uBAAuB,KAAK,YAAY;AAC7C,cAAM,KAAK;AACX,aAAK,uBAAuB;AAC5B,aAAK,QAAQ;AAGb,4BAAmB,iBAAiB,IAAI,IAAI;AAC5C,4BAAmB,uBAAuB;AAAA,MAC9C;AAAA,MACA,MAAM,cAA6B;AAC/B,aAAK,QAAQ;AACb,cAAM,SAAS,KAAK;AACpB,2BAAmB,MAAM;AACzB,2BAAmBD,MAAK,KAAK,QAAQ,KAAK,CAAC;AAC3C,2BAAmBA,MAAK,KAAK,QAAQ,WAAW,CAAC;AACjD,2BAAmBA,MAAK,KAAK,QAAQ,aAAa,CAAC;AACnD,2BAAmBA,MAAK,KAAK,QAAQ,UAAU,CAAC;AAChD,2BAAmBA,MAAK,KAAK,QAAQ,SAAS,CAAC;AAC/C,2BAAmBA,MAAK,KAAK,QAAQ,eAAe,CAAC;AACrD,2BAAmBA,MAAK,KAAK,QAAQ,aAAa,CAAC;AAEnD,2BAAmBA,MAAK,KAAK,QAAQ,SAAS,CAAC;AAC/C,2BAAmBA,MAAK,KAAK,QAAQ,eAAe,CAAC;AACrD,2BAAmBA,MAAK,KAAK,QAAQ,aAAa,CAAC;AAEnD,YAAI,CAACD,IAAG,WAAW,KAAK,UAAU,KAAK,CAACA,IAAG,WAAW,KAAK,UAAU,GAAG;AACpE,iBAAO,MAAM,KAAK,UAAU,YAAY;AACpC,gBAAI,KAAK,UAAU,qBAAqC,KAAK,UAAU,kBAAkC;AACrG;AAAA,YACJ;AAEA,gBAAI,CAACA,IAAG,WAAW,KAAK,UAAU,GAAG;AACjC,cAAAA,IAAG,cAAc,KAAK,YAAY,+BAA+B;AAAA,YACrE;AASA,gBAAI,CAACA,IAAG,WAAW,KAAK,UAAU,GAAG;AACjC,uBAAS,4BAA4B;AAErC,oBAAM,uBAAuB,KAAK,YAAY,KAAK,OAAO;AAC1D,oBAAM,KAAK,kBAAkB;AAAA,YACjC,OAAO;AAEH,oBAAM,KAAK,kBAAkB;AAAA,YACjC;AAAA,UACJ,CAAC;AAAA,QACL,OAAO;AACH,gBAAM,KAAK,kBAAkB;AAAA,QACjC;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,UAAyB;AAClC,YAAI,KAAK,UAAU,mBAAmC;AAClD,gBAAM,IAAI,MAAM,mBAAmB;AAAA,QACvC;AAEA,YAAI,KAAK,UAAU,uBAAuC;AACtD,eAAK,QAAQ;AACb;AAAA,QACJ;AAGA,YAAI,KAAK,UAAU,sBAAsC;AACrD,cAAI,KAAK,sBAAsB;AAC3B,kBAAM,KAAK;AAAA,UACf;AAAA,QACJ;AAEA,YAAI;AACA,eAAK,QAAQ;AAGb,qBAAW,UAAU,KAAK,gBAAgB;AACtC,mBAAO;AAAA,UACX;AACA,eAAK,eAAe,MAAM;AAC1B,gBAAM,QAAQ,IAAI,KAAK,UAAU,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACtD,eAAK,UAAU,QAAQ,CAAC,MAAM;AAC1B,cAAE,mBAAmB;AAAA,UACzB,CAAC;AACD,eAAK,UAAU,OAAO,CAAC;AAAA,QAC3B,UAAE;AACE,eAAK,QAAQ;AACb,8BAAmB,iBAAiB,OAAO,IAAI;AAAA,QACnD;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAWA,MAAa,qBAAoC;AAE7C,cAAM,QAAQ,IAAI,KAAK,UAAU,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACtD,mBAAW,KAAK,KAAK,WAAW;AAC5B,YAAE,mBAAmB;AAAA,QACzB;AACA,aAAK,UAAU,OAAO,CAAC;AAGvB,aAAK,QAAQ,SAAS,MAAM;AAC5B,aAAK,QAAQ,QAAQ,MAAM;AAC3B,aAAK,QAAQ,QAAQ,MAAM,MAAM;AACjC,aAAK,QAAQ,IAAI,MAAM;AACvB,aAAK,QAAQ,WAAW,MAAM;AAC9B,aAAK,gBAAgB,MAAM;AAG3B,aAAK,0BAA0B;AAC/B,cAAM,KAAK,kBAAkB;AAAA,MACjC;AAAA,MAEA,MAAgB,UAAa,QAAsC;AAC/D,cAAM,eAAeC,MAAK,KAAK,KAAK,SAAS,OAAO;AACpD,eAAO,SAAY,EAAE,YAAY,aAAa,GAAG,YAAY;AACzD,iBAAO,MAAM,OAAO;AAAA,QACxB,CAAC;AAAA,MACL;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAUA,MAAa,4BAA4B,QAAwD;AAC7F,YAAI,OAAO,OAAO,mBAAmB,UAAU;AAC3C,gBAAM,IAAI,MAAM,sEAAsE;AAAA,QAC1F;AACA,YAAI,CAACD,IAAG,WAAW,KAAK,UAAU,GAAG;AACjC,gBAAM,IAAI,MAAM,2BAA2B,KAAK,UAAU,EAAE;AAAA,QAChE;AACA,YAAI,sBAAsBC,MAAK,KAAK,KAAK,SAAS,uCAAuC;AACzF,8BAAsB,OAAO,cAAc;AAE3C,cAAM,UAAU;AAChB,gBAAQ,UAAU,KAAK;AACvB,gBAAQ,aAAa,KAAK;AAC1B,gBAAQ,aAAa,KAAK;AAE1B,gBAAQ,UAAU,OAAO,WAAW;AACpC,cAAM,KAAK,UAAU,YAAY;AAC7B,gBAAM,4BAA4B,qBAAqB,OAAO;AAAA,QAClE,CAAC;AAAA,MACL;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYA,MAAa,yBAAyB,QAA2D;AAC7F,YAAI,CAAC,QAAQ;AACT,gBAAM,IAAI,MAAM,oBAAoB;AAAA,QACxC;AACA,cAAM,UAAU;AAChB,YAAI,OAAO,UAAU,eAAe,KAAK,SAAS,SAAS,GAAG;AAC1D,gBAAM,IAAI,MAAM,kCAAkC;AAAA,QACtD;AACA,gBAAQ,UAAUA,MAAK,QAAQ,KAAK,OAAO;AAC3C,gBAAQ,aAAaA,MAAK,QAAQ,KAAK,UAAU;AACjD,gBAAQ,aAAaA,MAAK,QAAQ,KAAK,UAAU;AAEjD,eAAO,MAAM,KAAK,UAAkB,YAAY;AAE5C,gBAAM,MAAM,oBAAI,KAAK;AACrB,gBAAMG,SAAQ,GAAG,IAAI,YAAY,EAAE,MAAM,GAAG,EAAE,CAAC,IAAI,IAAI,QAAQ,CAAC;AAChE,gBAAM,oCAAoCH,MAAK,KAAK,KAAK,SAAS,aAAa,eAAeG,MAAK,MAAM;AACzG,gBAAM,qCAAqC,mCAAmC,OAAO;AACrF,iBAAO;AAAA,QACX,CAAC;AAAA,MACL;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAUA,MAAa,UAAU,aAAkB,WAAW,OAAO,iBAAiB,OAAoC;AAC5G,YAAI,UAAU;AACV,gBAAM,SAAS,MAAM,KAAK,kBAAkB,WAAW;AACvD,cAAI,WAAW,qBAA2B,WAAW,yDAA4C;AAC7F,mBAAO;AAAA,UACX;AAAA,QACJ;AACA,cAAM,iBAAiB,MAAM,aAAa,aAAa;AACvD,cAAMD,eAAc,gBAAgB,WAAW;AAC/C,YAAI,KAAK,QAAQ,QAAQ,MAAM,IAAIA,YAAW,GAAG;AAE7C,iBAAO;AAAA,QACX;AAEA,cAAM,WAAWF,MAAK,KAAK,KAAK,mBAAmB,UAAU,0BAA0B,WAAW,CAAC,MAAM;AACzG,cAAMD,IAAG,SAAS,UAAU,UAAU,gBAAgB,OAAO;AAG7D,aAAK,QAAQ,QAAQ,MAAM,IAAIG,cAAa,EAAE,aAAa,SAAS,CAAC;AAErE,YAAI,gBAAgB;AAEhB,gBAAM,KAAK,iBAAiB,WAAW;AAAA,QAC3C;AAEA,eAAO;AAAA,MACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,kBACT,KACA,SAAgC,WACL;AAC3B,eAAO,MAAM,KAAK,UAA8B,YAAY;AACxD,cAAI;AACA,kBAAM,QAAQ,WAAW,YAAY,KAAK,QAAQ,MAAM,KAAK,QAAQ;AACrE,kBAAM,SAAS,WAAW,YAAY,KAAK,YAAY,KAAK;AAE5D,kBAAM,UAAU,iCAAiC,GAAG;AACpD,kBAAM,MAAM,QAAQ,YAAY;AAChC,gBAAI,CAAC,MAAM,IAAI,GAAG,GAAG;AACjB,oBAAM,IAAI,KAAK,EAAE,MAAM,CAAC,GAAG,eAAe,CAAC,EAAE,CAAC;AAAA,YAClD;AACA,kBAAM,iBAAiB,MAAM,KAAK,UAAU;AAC5C,kBAAM,WAAWF,MAAK,KAAK,QAAQ,OAAO,0BAA0B,GAAG,CAAC,MAAM;AAC9E,kBAAMD,IAAG,SAAS,UAAU,UAAU,gBAAgB,OAAO;AAE7D,kBAAM,KAAK,gBAAgB,OAAO,QAAQ;AAE1C,kBAAM,KAAK,iCAAiC;AAE5C,mBAAO;AAAA,UACX,SAAS,KAAK;AACV,qBAAS,GAAG;AACZ,mBAAO;AAAA,UACX;AAAA,QACJ,CAAC;AAAA,MACL;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQA,MAAa,qBAAqB,QAAsD;AACpF,cAAM,cAAc,OAAO,QAAgB,UAAgC;AACvE,cAAI;AACA,kBAAM,QAAQ,MAAMA,IAAG,SAAS,QAAQ,MAAM;AAC9C,uBAAW,QAAQ,OAAO;AACtB,oBAAM,MAAMC,MAAK,QAAQ,IAAI,EAAE,YAAY;AAC3C,kBAAI,QAAQ,UAAU,QAAQ,UAAU,QAAQ,QAAQ;AACpD,sBAAMD,IAAG,SAAS,OAAOC,MAAK,KAAK,QAAQ,IAAI,CAAC;AAAA,cACpD;AAAA,YACJ;AAAA,UACJ,SAAS,KAAc;AACnB,gBAAK,IAA8B,SAAS,UAAU;AAClD,oBAAM;AAAA,YACV;AAAA,UACJ;AACA,gBAAM,MAAM;AAAA,QAChB;AAEA,YAAI,WAAW,aAAa,WAAW,OAAO;AAC1C,gBAAM,YAAY,KAAK,kBAAkB,KAAK,QAAQ,UAAU;AAAA,QACpE;AACA,YAAI,WAAW,aAAa,WAAW,OAAO;AAC1C,gBAAM,YAAY,KAAK,WAAW,KAAK,QAAQ,GAAG;AAAA,QACtD;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,UAAU,YAAsC;AACzD,cAAM,KAAK,kBAAkB;AAC7B,cAAM,aAAa,WAAW,YAAY;AAC1C,eAAO,KAAK,QAAQ,QAAQ,MAAM,IAAI,UAAU;AAAA,MACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,MAAa,yBAAyB,YAAiD;AACnF,cAAM,KAAK,kBAAkB;AAC7B,cAAM,aAAa,WAAW,YAAY;AAC1C,cAAM,QAAQ,KAAK,QAAQ,QAAQ,IAAI,UAAU;AACjD,YAAI,CAAC,OAAO;AACR,iBAAO;AAAA,QACX;AACA,YAAI;AACA,gBAAMD,IAAG,SAAS,OAAO,MAAM,QAAQ;AAAA,QAC3C,SAAS,KAAc;AACnB,cAAK,IAA8B,SAAS,UAAU;AAClD,kBAAM;AAAA,UACV;AAAA,QACJ;AACA,aAAK,QAAQ,QAAQ,OAAO,UAAU;AACtC,eAAO,MAAM;AAAA,MACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,MAAa,aAAa,YAAiD;AACvE,cAAM,KAAK,kBAAkB;AAC7B,cAAM,aAAa,WAAW,YAAY;AAC1C,cAAM,QAAQ,KAAK,QAAQ,QAAQ,MAAM,IAAI,UAAU;AACvD,YAAI,CAAC,OAAO;AACR,iBAAO;AAAA,QACX;AACA,YAAI;AACA,gBAAMA,IAAG,SAAS,OAAO,MAAM,QAAQ;AAAA,QAC3C,SAAS,KAAc;AACnB,cAAK,IAA8B,SAAS,UAAU;AAClD,kBAAM;AAAA,UACV;AAAA,QACJ;AACA,aAAK,QAAQ,QAAQ,MAAM,OAAO,UAAU;AAC5C,eAAO,MAAM;AAAA,MACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQA,MAAa,+BACT,mBACA,SAAwC,OAC3B;AACb,cAAM,aAAa,yBAAyB,iBAAiB;AAC7D,cAAM,oBAAoB,WAAW,eAAe;AAEpD,cAAM,eAAe,OAAO,UAAgC;AACxD,gBAAM,UAAU,MAAM,IAAI,iBAAiB;AAC3C,cAAI,CAAC,QAAS;AACd,qBAAW,YAAY,QAAQ,MAAM;AACjC,gBAAI;AACA,oBAAMA,IAAG,SAAS,OAAO,SAAS,QAAQ;AAAA,YAC9C,SAAS,KAAc;AACnB,kBAAK,IAA8B,SAAS,UAAU;AAClD,sBAAM;AAAA,cACV;AAAA,YACJ;AAAA,UACJ;AACA,gBAAM,OAAO,iBAAiB;AAAA,QAClC;AAEA,YAAI,WAAW,aAAa,WAAW,OAAO;AAC1C,gBAAM,aAAa,KAAK,QAAQ,UAAU;AAAA,QAC9C;AACA,YAAI,WAAW,aAAa,WAAW,OAAO;AAC1C,gBAAM,aAAa,KAAK,QAAQ,GAAG;AAAA,QACvC;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAqBA,MAAa,+BAA+B,kBAA4D;AACpG,cAAM,eAAe,UAAU,gBAAgB;AAC/C,cAAM,kBAAkB,aAAa,CAAC;AAGtC,YAAI;AACA,mCAAyB,eAAe;AAAA,QAC5C,SAAS,MAAM;AACX,iBAAO;AAAA,QACX;AAIA,cAAM,SAAS,MAAM,uBAAuB,CAAC,eAAe,CAAC;AAC7D,YAAI,OAAO,WAAW,QAAQ;AAC1B,iBAAO;AAAA,QACX;AAMA,YAAI,aAAa,SAAS,GAAG;AAKzB,gBAAM,KAAK,gBAAgB,KAAK,mBAAmB,KAAK,QAAQ,QAAQ,KAAK;AAC7E,qBAAW,cAAc,aAAa,MAAM,CAAC,GAAG;AAC5C,kBAAM,aAAa,gBAAgB,UAAU;AAC7C,gBAAI,CAAE,MAAM,KAAK,UAAU,UAAU,GAAI;AAGrC,qBAAO;AAAA,YACX;AAAA,UACJ;AAAA,QACJ;AAGA,cAAM,KAAK,iBAAiB,eAAe;AAC3C,eAAO;AAAA,MACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAcA,MAAa,kCAAkC,mBAAkD;AAC7F,cAAM,KAAK,kBAAkB;AAC7B,mBAAW,SAAS,KAAK,QAAQ,QAAQ,OAAO,GAAG;AAC/C,cAAI,CAAC,MAAM,YAAa;AACxB,cAAI;AACA,gBAAI,2BAA2B,MAAM,aAAa,iBAAiB,GAAG;AAClE,qBAAO;AAAA,YACX;AAAA,UACJ,SAAS,MAAM;AAAA,UAEf;AAAA,QACJ;AACA,eAAO;AAAA,MACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAgBA,MAAa,sBAAsB,aAAuD;AACtF,cAAM,WAAW,yBAAyB,WAAW;AAErD,YAAI,cAAc,QAAQ,GAAG;AAEzB,iBAAO;AAAA,QACX;AAEA,cAAM,kBAAkB,SAAS,eAAe,YAAY,wBAAwB;AAEpF,YAAI,CAAC,iBAAiB;AAElB,mBAAS,gCAAgC;AACzC,iBAAO;AAAA,QACX;AAEA,cAAM,qBAAqB,CAAC,GAAG,KAAK,QAAQ,QAAQ,MAAM,OAAO,CAAC;AAElE,cAAM,6BAA6B,sBAAsB,oBAAoB,eAAe;AAE5F,YAAI,2BAA2B,SAAS,GAAG;AACvC,cAAI,2BAA2B,SAAS,GAAG;AACvC,uBAAW,8EAA8E,eAAe;AAAA,UAC5G;AACA,iBAAO,2BAA2B,CAAC,EAAE,eAAe;AAAA,QACxD;AAEA,cAAM,sBAAsB,CAAC,GAAG,KAAK,QAAQ,QAAQ,OAAO,CAAC;AAC7D,cAAM,8BAA8B,sBAAsB,qBAAqB,eAAe;AAE9F,YAAI,4BAA4B,SAAS,GAAG;AACxC;AAAA,YACI;AAAA,YACA;AAAA,YACA,4BAA4B;AAAA,UAChC;AAAA,QACJ;AACA,eAAO,4BAA4B,SAAS,IAAI,4BAA4B,CAAC,EAAE,cAAc;AAAA,MACjG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,MAAM,wBAAwB,aAAiD;AAC3E,cAAMG,eAAc,gBAAgB,WAAW;AAE/C,iBAAS,wCAAwC,MAAMA,YAAW,CAAC;AAEnE,cAAM,KAAK,kBAAkB;AAE7B,YAAI,KAAK,QAAQ,SAAS,IAAIA,YAAW,GAAG;AACxC,iBAAO;AAAA,QACX;AACA,YAAI,KAAK,QAAQ,QAAQ,IAAIA,YAAW,GAAG;AACvC,iBAAO;AAAA,QACX;AACA,eAAO;AAAA,MACX;AAAA,MAEA,MAAM,iBAAiB,aAA0B,WAA8B;AAC3E,cAAM,KAAK,UAAU,YAAY;AAC7B,gBAAMA,eAAc,gBAAgB,WAAW;AAE/C,cAAI,SAAS,MAAM,KAAK,wBAAwB,WAAW;AAC3D,cAAI,WAAW,WAAW;AAEtB,kBAAM,MAAM,MAAM,aAAa,aAAa;AAC5C,kBAAM,WAAWF,MAAK,KAAK,KAAK,gBAAgB,GAAG,0BAA0B,WAAW,CAAC,MAAM;AAC/F,kBAAMD,IAAG,SAAS,UAAU,UAAU,GAAG;AACzC,iBAAK,QAAQ,SAAS,IAAIG,cAAa,EAAE,aAAa,SAAS,CAAC;AAChE,qBAAS;AAAA,UACb;AAEA,mBAAS,oBAAoBA,aAAY,UAAU,GAAG,EAAE,GAAG,QAAQ,QAAQ,MAAM,SAAS;AAE1F,cAAI,WAAW,cAAc,WAAW,WAAW;AAC/C,kBAAM,IAAI,MAAM,wCAAwC,MAAM,qBAAqBA,aAAY,UAAU,GAAG,EAAE,CAAC,EAAE;AAAA,UACrH;AAEA,cAAI,WAAW,WAAW;AACtB,kBAAM,WAAW,WAAW,aAAa,KAAK,QAAQ,WAAW,KAAK,QAAQ;AAC9E,kBAAM,WAAW,SAAS,IAAIA,YAAW;AAEzC,gBAAI,CAAC,UAAU;AACX,uBAAS,6BAA6BA,aAAY,UAAU,GAAG,EAAE,GAAG,OAAO,MAAM;AACjF,oBAAM,IAAI,MAAM,iCAAiCA,aAAY,UAAU,GAAG,EAAE,CAAC,iBAAiB,MAAM,QAAQ;AAAA,YAChH;AACA,kBAAM,aAAa,cAAc,YAAY,KAAK,gBAAgB,KAAK;AACvE,kBAAM,kBAAkBF,MAAK,KAAK,YAAYA,MAAK,SAAS,SAAS,QAAQ,CAAC;AAE9E,qBAAS,oBAAoBE,aAAY,UAAU,GAAG,EAAE,GAAG,YAAY,SAAS,QAAQ;AACxF,qBAAS,oBAAoBA,aAAY,UAAU,GAAG,EAAE,GAAG,YAAY,eAAe;AACtF,kBAAMH,IAAG,SAAS,OAAO,SAAS,UAAU,eAAe;AAC3D,qBAAS,OAAOG,YAAW;AAC3B,kBAAM,YAAY,cAAc,YAAY,KAAK,QAAQ,UAAU,KAAK,QAAQ;AAChF,sBAAU,IAAIA,cAAa,EAAE,aAAa,UAAU,gBAAgB,CAAC;AAAA,UACzE;AAAA,QACJ,CAAC;AAAA,MACL;AAAA,MACA,oBAAoB,mBAAgD;AAChE,cAAM,wBAAwB,yBAAyB,iBAAiB;AACxE,cAAM,MAAM,sBAAsB,eAAe;AACjD,eAAO,KAAK,QAAQ,WAAW,IAAI,GAAG,KAAK,KAAK,QAAQ,IAAI,IAAI,GAAG,KAAK;AAAA,MAC5E;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAkBA,MAAa,qBACT,aACA,mBAC2B;AAC3B,YAAI,cAAc,WAAW,GAAG;AAC5B,iBAAO;AAAA,QACX;AAEA,YAAI,CAAC,mBAAmB;AACpB,8BAAoB,MAAM,KAAK,sBAAsB,WAAW;AAAA,QACpE;AACA,YAAI,CAAC,mBAAmB;AACpB,iBAAO;AAAA,QACX;AACA,cAAM,OAAO,KAAK,oBAAoB,iBAAiB;AAEvD,YAAI,CAAC,MAAM;AACP,iBAAO;AAAA,QACX;AACA,cAAM,WAAW,yBAAyB,WAAW;AACrD,cAAM,eACF,SAAS,eAAe,gBAAgB,SAAS,eAAe,YAAY,wBAAwB,UAAU;AAElH,cAAM,MAAM,SAAS,eAAe,YAAY,wBAAwB,kCAAkC;AAC1G,cAAM,OAAO,KAAK,QAAQ,IAAI,IAAI,GAAG,KAAK;AAE1C,YAAI,KAAK,cAAc,YAAY,KAAK,MAAM,cAAc,YAAY,GAAG;AACvE,iBAAO;AAAA,QACX;AACA,eAAO;AAAA,MACX;AAAA,MAEA,uBAAuB;AAAA,MACvB,uBAAuC,CAAC;AAAA,MACxC,SAA8D,CAAC;AAAA,MAC/D,gBAAgB,OAA6B,UAAkB;AAC3D,aAAK,OAAO,KAAK,EAAE,OAAO,SAAS,CAAC;AACpC,aAAK,wBAAwB;AAC7B,YAAI,KAAK,yBAAyB,GAAG;AACjC,eAAK,gBAAgB;AAAA,QACzB;AAAA,MACJ;AAAA,MACA,MAAM,kBAAkB;AACpB,YAAI;AACA,gBAAM,UAAU,KAAK,OAAO,MAAM;AAClC,cAAI,CAAC,QAAS;AACd,gBAAM,EAAE,OAAO,SAAS,IAAI;AAC5B,gBAAM,MAAM,MAAM,8BAA8B,QAAQ;AACxD,gBAAM,UAAU,iCAAiC,GAAG;AACpD,mBAASD,OAAM,KAAK,oBAAoB,GAAG,QAAQ;AACnD,gBAAMC,eAAc,QAAQ,YAAY;AACxC,cAAI,CAAC,MAAM,IAAIA,YAAW,GAAG;AACzB,kBAAM,IAAIA,cAAa,EAAE,MAAM,CAAC,GAAG,eAAe,CAAC,EAAE,CAAC;AAAA,UAC1D;AACA,gBAAM,OAAO,MAAM,IAAIA,YAAW,KAAK,EAAE,MAAM,CAAC,GAAG,eAAe,CAAC,EAAE;AACrE,eAAK,KAAK,KAAK,EAAE,SAAS,SAAS,CAAC;AAGpC,qBAAW,sBAAsB,QAAQ,YAAY,qBAAqB;AACtE,kBAAM,eAAe,mBAAmB;AACxC,gBAAI,CAAC,KAAK,cAAc,YAAY,GAAG;AACnC,mBAAK,cAAc,YAAY,IAAI,mBAAmB;AAAA,YAC1D;AAAA,UACJ;AACA,mBAASD,OAAM,KAAK,KAAK,GAAGC,cAAa,qBAAqB,OAAO,KAAK,KAAK,aAAa,CAAC;AAAA,QACjG,SAAS,KAAK;AACV,mBAAS,sBAAsB;AAC/B,mBAAS,GAAG;AAAA,QAChB;AACA,aAAK,wBAAwB;AAC7B,YAAI,KAAK,yBAAyB,GAAG;AACjC,qBAAW,UAAU,KAAK,sBAAsB;AAC5C,mBAAO;AAAA,UACX;AACA,eAAK,qBAAqB,SAAS;AAAA,QACvC,OAAO;AACH,eAAK,gBAAgB;AAAA,QACzB;AAAA,MACJ;AAAA,MACA,MAAM,oBAAmC;AACrC,YAAI,KAAK,yBAAyB;AAC9B;AAAA,QACJ;AACA,aAAK,0BAA0B;AA8B/B,cAAM,aAAa,QAAQ,IAAI,0BAA0B;AACzD,cAAM,cAAc,QAAQ,IAAI,6BAC1B,SAAS,QAAQ,IAAI,4BAA4B,EAAE,IACnD;AACN,cAAM,kBAAkB,KAAK,IAAI,KAAK,KAAK,KAAM,KAAK,IAAI,KAAK,eAAe,KAAK,qBAAqB,CAAC;AACzG,cAAM,kBAAkB;AAAA,UACpB;AAAA,UACA,GAAI,aAAa,EAAE,UAAU,gBAAgB,IAAI,CAAC;AAAA,UAClD,YAAY;AAAA,QAChB;AAsBA,cAAM,qBAAqC,CAAC;AAC5C,cAAM,YAAYH,IAAG;AACrB,YAAI,oBAAoB;AACxB,cAAM,gBAAgB;AAEtB,QAAAA,IAAG,SAAS,IAAI,SAAsC;AAClD,gBAAM,SAAS,UAAU,MAAMA,KAAI,IAAI;AACvC,iBAAO,gBAAgB,OAAO,gBAAgB,IAAI,CAAC;AACnD,iBAAO,GAAG,SAAS,MAAM;AAAA,UAEzB,CAAC;AACD,6BAAmB,KAAK,MAAM;AAC9B,iBAAO;AAAA,QACX;AAEA,cAAM,wBAAwB,CAAC,WAAmB;AAC9C,gBAAM,WAAW,mBAAmB;AACpC,gBAAM,IAAI,SAAS,MAAM,QAAQ,eAAe;AAChD,gBAAM,YAAY,MAAM;AAEpB,qBAAS,IAAI,UAAU,IAAI,mBAAmB,QAAQ,KAAK;AACvD,iCAAmB,CAAC,EAAE,MAAM;AAAA,YAChC;AAEA;AACA,gBAAI,qBAAqB,eAAe;AACpC,cAAAA,IAAG,QAAQ;AAAA,YACf;AAAA,UACJ;AACA,iBAAO,EAAE,GAAG,iBAAiB,mBAAmB,MAAM,QAAQ,GAAG,UAAU;AAAA,QAC/E;AAMA,cAAM,QAAQ,IAAI;AAAA,UACd,KAAK,gBAAgB,KAAK,eAAe,KAAK,QAAQ,OAAO;AAAA,UAC7D,KAAK,gBAAgB,KAAK,mBAAmB,KAAK,QAAQ,QAAQ,KAAK;AAAA,UACvE,KAAK,gBAAgB,KAAK,gBAAgB,KAAK,QAAQ,QAAQ;AAAA,UAC/D,KAAK,eAAe,KAAK,WAAW,KAAK,QAAQ,GAAG;AAAA,UACpD,KAAK,eAAe,KAAK,kBAAkB,KAAK,QAAQ,UAAU;AAAA,QACtE,CAAC;AAOD,aAAK,cAAc,KAAK,eAAe,KAAK,QAAQ,SAAS,uBAAuB,SAAS;AAC7F,aAAK,cAAc,KAAK,mBAAmB,KAAK,QAAQ,QAAQ,OAAO,uBAAuB,cAAc;AAC5G,aAAK,cAAc,KAAK,gBAAgB,KAAK,QAAQ,UAAU,uBAAuB,UAAU;AAChG,aAAK,iBAAiB,KAAK,WAAW,KAAK,QAAQ,KAAK,uBAAuB,KAAK;AACpF,aAAK,iBAAiB,KAAK,kBAAkB,KAAK,QAAQ,YAAY,uBAAuB,YAAY;AAAA,MAC7G;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAM,gBAAgB,QAAgB,OAA0C;AAC5E,YAAI,CAACA,IAAG,WAAW,MAAM,EAAG;AAC5B,cAAM,QAAQ,MAAMA,IAAG,SAAS,QAAQ,MAAM;AAC9C,mBAAW,QAAQ,OAAO;AACtB,gBAAM,WAAWC,MAAK,KAAK,QAAQ,IAAI;AACvC,cAAI;AACA,kBAAM,OAAO,MAAMD,IAAG,SAAS,KAAK,QAAQ;AAC5C,gBAAI,CAAC,KAAK,OAAO,EAAG;AACpB,kBAAM,cAAc,MAAM,qBAAqB,QAAQ;AACvD,kBAAM,OAAO,yBAAyB,WAAW;AACjD,kBAAMG,eAAc,gBAAgB,WAAW;AAC/C,kBAAM,IAAIA,cAAa,EAAE,aAAa,UAAU,KAAK,CAAC;AACtD,iBAAK,gBAAgB,IAAI,UAAUA,YAAW;AAAA,UAClD,SAAS,KAAK;AACV,qBAAS,4BAA4B,QAAQ,IAAI,GAAG;AAAA,UACxD;AAAA,QACJ;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,eAAe,QAAgB,OAA4C;AAC7E,YAAI,CAACH,IAAG,WAAW,MAAM,EAAG;AAC5B,cAAM,QAAQ,MAAMA,IAAG,SAAS,QAAQ,MAAM;AAC9C,mBAAW,QAAQ,OAAO;AACtB,gBAAM,WAAWC,MAAK,KAAK,QAAQ,IAAI;AACvC,cAAI;AACA,kBAAM,OAAO,MAAMD,IAAG,SAAS,KAAK,QAAQ;AAC5C,gBAAI,CAAC,KAAK,OAAO,EAAG;AACpB,iBAAK,gBAAgB,OAAO,QAAQ;AAAA,UACxC,SAAS,KAAK;AACV,qBAAS,2BAA2B,QAAQ,IAAI,GAAG;AAAA,UACvD;AAAA,QACJ;AACA,cAAM,KAAK,iCAAiC;AAAA,MAChD;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,iBACI,QACA,OACA,uBACA,OACI;AACJ,cAAM,EAAE,GAAG,UAAU,IAAI,sBAAsB,MAAM;AACrD,UAAE,GAAG,SAAS,CAAC,QAAiB;AAC5B,mBAAS,iCAAiC,MAAM,KAAK,GAAG;AAAA,QAC5D,CAAC;AACD,YAAI,QAAQ;AAEZ,UAAE,GAAG,UAAU,CAAC,aAAqB;AACjC,qBAAW,CAAC,KAAK,IAAI,KAAK,MAAM,QAAQ,GAAG;AACvC,iBAAK,OAAO,KAAK,KAAK,OAAO,CAAC,MAAM,EAAE,aAAa,QAAQ;AAC3D,gBAAI,KAAK,KAAK,WAAW,GAAG;AACxB,oBAAM,OAAO,GAAG;AAAA,YACpB;AAAA,UACJ;AACA,cAAI,OAAO;AACP,iBAAK,KAAK,cAAc,EAAE,OAAO,SAAS,CAAC;AAAA,UAC/C;AAAA,QACJ,CAAC;AACD,UAAE,GAAG,OAAO,CAAC,aAAqB;AAC9B,cAAI,OAAO;AACP,iBAAK,gBAAgB,OAAO,QAAQ;AACpC,iBAAK,KAAK,YAAY,EAAE,OAAO,SAAS,CAAC;AAAA,UAC7C;AAAA,QACJ,CAAC;AACD,UAAE,GAAG,UAAU,CAAC,gBAAwB;AACpC,mBAAS,qBAAqB,QAAQ,WAAW;AAAA,QACrD,CAAC;AACD,aAAK,UAAU,KAAK,CAA4B;AAChD,aAAK,eAAe,IAAI,SAAS;AACjC,UAAE,GAAG,SAAS,MAAM;AAChB,kBAAQ;AACR,eAAK,eAAe,OAAO,SAAS;AACpC,oBAAU;AAAA,QACd,CAAC;AAAA,MACL;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,cACI,QACA,OACA,uBACA,OACI;AACJ,cAAM,EAAE,GAAG,UAAU,IAAI,sBAAsB,MAAM;AACrD,UAAE,GAAG,SAAS,CAAC,QAAiB;AAC5B,mBAAS,kCAAkC,MAAM,KAAK,GAAG;AAAA,QAC7D,CAAC;AACD,YAAI,QAAQ;AACZ,UAAE,GAAG,UAAU,CAAC,aAAqB;AACjC,mBAASE,OAAM,KAAK,oBAAoB,MAAM,EAAE,GAAG,QAAQ;AAC3D,gBAAM,IAAI,KAAK,gBAAgB,IAAI,QAAQ;AAC3C,cAAI,KAAK,MAAM,IAAI,CAAC,GAAG;AACnB,kBAAM,OAAO,CAAC;AACd,iBAAK,KAAK,sBAAsB,EAAE,OAAO,aAAa,GAAG,SAAS,CAAC;AAAA,UACvE;AAAA,QACJ,CAAC;AACD,UAAE,GAAG,OAAO,CAAC,aAAqB;AAC9B,mBAASA,OAAM,KAAK,iBAAiB,MAAM,EAAE,GAAG,QAAQ;AACxD,cAAI;AACA,kBAAM,cAAc,gBAAgB,QAAQ;AAC5C,kBAAM,OAAO,yBAAyB,WAAW;AACjD,kBAAMC,eAAc,gBAAgB,WAAW;AAE/C,kBAAM,QAAQ,CAAC,MAAM,IAAIA,YAAW;AACpC,kBAAM,IAAIA,cAAa,EAAE,aAAa,UAAU,KAAK,CAAC;AACtD,iBAAK,gBAAgB,IAAI,UAAUA,YAAW;AAE9C;AAAA,cACID,OAAM,QAAQ,MAAM;AAAA,cACpB,KAAK,eAAe;AAAA,cACpB,KAAK,eAAe;AAAA,cACpB,KAAK,eAAe,YAAY,wBAAwB;AAAA,YAC5D;AACA,gBAAI,SAAS,OAAO;AAChB,mBAAK,KAAK,oBAAoB,EAAE,OAAO,aAAa,aAAAC,cAAa,SAAS,CAAC;AAAA,YAC/E;AAAA,UACJ,SAAS,KAAK;AACV,qBAAS,wBAAwB,MAAM,cAAc,QAAQ,EAAE;AAC/D,qBAAS,GAAG;AAAA,UAChB;AAAA,QACJ,CAAC;AACD,UAAE,GAAG,UAAU,CAAC,gBAAwB;AACpC,mBAASD,OAAM,KAAK,oBAAoB,MAAM,EAAE,GAAG,WAAW;AAC9D,cAAI;AACA,kBAAM,cAAc,gBAAgB,WAAW;AAC/C,kBAAM,iBAAiB,gBAAgB,WAAW;AAClD,kBAAM,UAAU,KAAK,gBAAgB,IAAI,WAAW;AACpD,gBAAI,WAAW,YAAY,gBAAgB;AACvC,oBAAM,OAAO,OAAO;AAAA,YACxB;AACA,kBAAM,IAAI,gBAAgB,EAAE,aAAa,UAAU,aAAa,MAAM,yBAAyB,WAAW,EAAE,CAAC;AAC7G,iBAAK,gBAAgB,IAAI,aAAa,cAAc;AACpD,iBAAK,KAAK,qBAAqB,EAAE,OAAO,aAAa,aAAa,gBAAgB,UAAU,YAAY,CAAC;AAAA,UAC7G,SAAS,KAAK;AACV,qBAAS,mCAAmC,WAAW,IAAI,GAAG;AAAA,UAClE;AAAA,QACJ,CAAC;AACD,aAAK,UAAU,KAAK,CAA4B;AAChD,aAAK,eAAe,IAAI,SAAS;AACjC,UAAE,GAAG,SAAS,MAAM;AAChB,kBAAQ;AACR,eAAK,eAAe,OAAO,SAAS;AACpC,oBAAU;AACV,mBAAS,OAAO;AAChB,mBAAS,CAAC,GAAG,MAAM,KAAK,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,UAAU,GAAG,EAAE,CAAC,CAAC;AAAA,QAC7D,CAAC;AAAA,MACL;AAAA;AAAA,MAGA,MAAM,mCAAkD;AACpD,eAAO,IAAI,QAAQ,CAAC,SAAS,YAAY;AACrC,cAAI,KAAK,yBAAyB,GAAG;AACjC,yBAAa,OAAO;AACpB;AAAA,UACJ;AACA,eAAK,qBAAqB,KAAK,OAAO;AAAA,QAC1C,CAAC;AAAA,MACL;AAAA,IACJ;AAAA;AAAA;;;AC71DA;AAAA;AAAA;AAAA;AAsBA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACEO,SAAS,OAAO,SAAiB,OAAqB;AAEzD,MAAI,CAAC,SAAS,QAAQ;AAClB,eAAW,iBAAiB,OAAO,IAAI,KAAK,EAAE;AAAA,EAClD;AACA,kBAAgB,OAAO,IAAI;AAE3B,MAAI,CAAC,cAAc,EAAE,QAAQ,OAAO,KAAK,GAAG;AACxC,YAAQ,IAAI,OAAO,IAAI;AAAA,EAC3B;AACA,MAAI,CAAC,UAAU,EAAE,QAAQ,OAAO,KAAK,GAAG;AACpC,YAAQ,IAAI,OAAO,IAAI;AAAA,EAC3B;AACJ;AAKO,SAAS,OAAO,SAAyB;AAC5C,SAAO,gBAAgB,OAAO;AAClC;AAEO,SAAS,yBAA6D;AACzE,SAAO,OAAO,KAAK,eAAe,EAAE,IAAI,CAAC,YAAoB;AACzD,WAAO,EAAE,KAAK,SAAS,SAAS,eAAe,OAAO,GAAG;AAAA,EAC7D,CAAC;AACL;AAEO,SAAS,gBAAgB,QAA8B;AAC1D,SAAO,MAAM,OAAO,OAAO,CAAC;AAC5B,SAAO,KAAK,OAAO,MAAM,CAAC;AAG1B,MAAI,iBAA2B,CAAC;AAChC,iBAAe,KAAK,OAAO,OAAO,cAAc,EAAE;AAClD,mBAAkB,CAAC,EAAe;AAAA,IAC9B;AAAA,IACA,OAAO,IAAI,IAAI,CAAC,MAAc,OAAO,CAAC,EAAE;AAAA,EAC5C;AACA,mBAAkB,CAAC,EAAe;AAAA,IAC9B;AAAA,IACA,OAAO,GAAG,IAAI,CAAC,MAAc,MAAM,CAAC,EAAE;AAAA,EAC1C;AACA,QAAM,uBAAuB,eAAe,KAAK,IAAI;AACrD,SAAO,WAAW,oBAAoB;AAC1C;AAzEA,IA0Ba;AA1Bb;AAAA;AAAA;AAAA;AAuBA;AACA;AAEO,IAAM,kBAA0C,CAAC;AAAA;AAAA;;;ACzBxD,SAAS,WAAAG,gBAAe;AADxB;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACyBA,OAAO,mBAAmB;AAC1B,OAAOC,SAAQ;AACf,OAAOC,SAAQ;AACf,OAAOC,WAAU;AAEjB,OAAO,SAAS;AAEhB,OAAO,YAAY;AACnB,OAAOC,YAAW;AAClB,OAAO,iBAAiB;AACxB,OAAO,UAAU;AACjB,OAAO,WAAW;AA4BlB,SAAS,cAA2B;AAChC,QAAM,QACF,QAAQ,IAAI,eAAe,QAAQ,IAAI,eAAe,QAAQ,IAAI,cAAc,QAAQ,IAAI,cAAc;AAC9G,MAAI,OAAO;AACP,UAAM,IAAI,IAAI,IAAI,IAAI,KAAK;AAC3B,UAAM,OAAO,EAAE,WAAW,GAAG,EAAE,QAAQ,IAAI,EAAE,QAAQ,KAAK;AAE1D,UAAM,UAAuB;AAAA,MACzB,OAAO;AAAA,QACH,MAAM,EAAE,OAAO,SAAS,EAAE,MAAM,EAAE,IAAI;AAAA,QACtC,UAAU,EAAE,SAAS,QAAQ,KAAK,EAAE;AAAA,QACpC,MAAM,EAAE,YAAY;AAAA,QACpB,WAAW;AAAA,MACf;AAAA,IACJ;AACA,eAAWA,OAAM,MAAM,gBAAgB,GAAG,KAAK;AAC/C,eAAW,OAAO;AAClB,WAAO;AAAA,EACX;AACA,SAAO,CAAC;AACZ;AAEA,eAAe,QAAQ,KAAa,KAAsC;AACtE,MAAI,SAAS;AAGb,QAAM,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,EACjB;AAEA,SAAO,MAAM,IAAI,QAAuB,CAAC,SAAS,WAAW;AACzD,UAAM,QAAQ,cAAc;AAAA,MACxB;AAAA,MACA;AAAA,MACA,CAAC,QAAiF;AAC9E,cAAM,WAAW,QAAQ,OAAO,IAAI,IAAI,QAAQ;AAChD,YAAI,IAAK,QAAO,GAAG;AAAA,aACd;AACD,kBAAQ,EAAE,UAAU,OAAO,CAAC;AAAA,QAChC;AAAA,MACJ;AAAA,IACJ;AAEA,UAAM,UAAU,OAAO,MAAM,MAAkB;AAC/C,YAAQ,GAAG,QAAQ,CAAC,SAAiB;AACjC,gBAAU,GAAG,IAAI;AAAA;AAEjB,UAAIC,UAAS;AACT,gBAAQ,OAAO,MAAM,kBAAkBD,OAAM,OAAO,IAAI,CAAC;AAAA,CAAI;AAAA,MACjE;AAAA,IACJ,CAAC;AAAA,EACL,CAAC;AACL;AAEA,SAASE,OAAM,KAAqB;AAChC,SAAO,IAAI,IAAI,QAAQ,OAAO,GAAG,CAAC;AACtC;AAEA,SAAS,4BAA4B,YAA6B;AAC9D,SAAO,CAAC,CAAC,WAAW,MAAM,aAAa;AAC3C;AAEA,eAAe,qBAAsC;AACjD,MAAI;AACJ,MAAI;AACA,cAAU,MAAM,QAAQ,eAAe;AAAA,EAC3C,SAAS,KAAK;AACV,eAAW,aAAc,IAAc,OAAO;AAC9C,UAAM,IAAI,MAAM,qBAAqB;AAAA,EACzC;AAEA,QAAM,WAAW,SAAS;AAC1B,QAAM,SAAS,SAAS;AAExB,MAAI,aAAa,GAAG;AAChB,eAAWF,OAAM,OAAO,iBAAiB,IAAIA,OAAM,KAAK,SAAS,IAAIA,OAAM,OAAO,qCAAqC,CAAC;AACxH,eAAWA,OAAM,OAAO,gDAAgD,CAAC;AACzE,UAAM,IAAI,MAAM,qBAAqB;AAAA,EACzC;AACA,QAAM,kBAAkB,OAAO,QAAQ,SAAS,EAAE,EAAE,KAAK;AACzD,SAAO;AACX;AACA,eAAsB,+BAAgD;AAClE,QAAM,kBAAkB,MAAM,mBAAmB;AAGjD,QAAM,oBAAoBE,OAAM,eAAe;AAG/C,MAAID,UAAS;AACT,eAAW,oCAAoCD,OAAM,OAAO,eAAe,CAAC,EAAE;AAAA,EAClF;AAEA,QAAM,SAAS,MAAM,QAAQ,GAAG,iBAAiB,UAAU;AAE3D,QAAM,WAAW,QAAQ;AACzB,QAAM,SAAS,QAAQ;AAEvB,QAAM,UAAU,OAAO,KAAK;AAE5B,QAAM,YAAY,aAAa,KAAK,4BAA4B,OAAO;AACvE,MAAI,CAAC,WAAW;AACZ,QAAI,UACAA,OAAM,YAAY,uBAAuB,IACzC,kCACA,UACA;AAEJ,QAAI,QAAQ,aAAa,UAAU;AAC/B,iBACIA,OAAM,KAAK,qBAAqB,IAChCA,OAAM,OAAO,2FAAgG;AAAA,IACrH;AAEA,YAAQ,IAAI,OAAO;AAAA,EACvB;AACA,SAAO;AACX;AAEA,eAAe,0CAA2D;AACtE,QAAM,iBAAiBD,MAAK,KAAKD,IAAG,OAAO,GAAG,GAAG;AAEjD,WAAS,2BAAmC;AACxC,QAAI,QAAQ,IAAI,cAAc;AAC1B,YAAM,oBAAoBC,MAAK,KAAK,QAAQ,IAAI,cAAc,UAAU;AACxE,UAAIF,IAAG,WAAW,iBAAiB,GAAG;AAClC,eAAOE,MAAK,KAAK,mBAAmB,SAAS;AAAA,MACjD;AAAA,IACJ;AACA,WAAOA,MAAK,KAAK,QAAQ,IAAI,GAAG,SAAS;AAAA,EAC7C;AAEA,WAAS,8BAAsC;AAC3C,UAAMI,iBAAgB,yBAAyB;AAC/C,WAAOJ,MAAK,KAAKI,gBAAe,aAAa;AAAA,EACjD;AAEA,iBAAe,sBAA0E;AACrF,UAAMC,mBAAkB,4BAA4B;AAEpD,UAAM,SAASP,IAAG,WAAWO,gBAAe;AAC5C,QAAI,CAAC,QAAQ;AACT,iBAAW,yBAAyBA,gBAAe;AACnD,iBAAWJ,OAAM,IAAI,oBAAoB,IAAII,gBAAe;AAC5D,aAAO;AAAA,QACH,WAAW;AAAA,QACX,SAAS,oBAAoBA,gBAAe;AAAA,MAChD;AAAA,IACJ,OAAO;AAEH,YAAM,qBAAqBF,OAAME,gBAAe;AAChD,YAAM,MAAM;AAEZ,YAAM,EAAE,UAAU,OAAO,IAAI,MAAM,QAAQ,GAAG,kBAAkB,YAAY,GAAG;AAC/E,YAAM,UAAU,OAAO,KAAK;AAG5B,UAAIH,UAAS;AACT,mBAAW,eAAe,OAAO;AAAA,MACrC;AACA,aAAO;AAAA,QACH,WAAW,aAAa,KAAK,4BAA4B,OAAO;AAAA,QAChE;AAAA,MACJ;AAAA,IACJ;AAAA,EACJ;AAQA,WAAS,YAAqB;AAC1B,QAAI,QAAQ,IAAI,2BAA2B,SAAS,QAAQ,IAAI,wBAAwB;AACpF,aAAO;AAAA,IACX;AAEA,QAAI,QAAQ,IAAI,2BAA2B,SAAS;AAChD,aAAO;AAAA,IACX;AAGA,QAAI,QAAQ,IAAI,gBAAgB,OAAO;AACnC,aAAO;AAAA,IACX;AACA,WAAO;AAAA,EACX;AAEA,iBAAe,mBAAwD;AAKnE,UAAMI,OACF,UAAU,MAAM,KACV,0GACA;AAEV,UAAM,iBAAiBN,MAAK,KAAK,gBAAgBA,MAAK,SAASM,IAAG,CAAC;AAEnE,eAAW,eAAeL,OAAM,OAAOK,IAAG,CAAC,OAAO,cAAc,EAAE;AAElE,QAAIR,IAAG,WAAW,cAAc,GAAG;AAC/B,aAAO,EAAE,gBAAgB,eAAe;AAAA,IAC5C;AACA,UAAM,UAAU,YAAY;AAC5B,UAAM,MAAM,IAAI,YAAYG,OAAM,KAAK,QAAQ,IAAIA,OAAM,KAAK,YAAY,IAAIA,OAAM,MAAM,OAAO,GAAG;AAAA,MAChG,UAAU;AAAA,MACV,YAAY;AAAA,MACZ,OAAO;AAAA,MACP,OAAO;AAAA,IACX,CAAC;AAED,WAAO,MAAM,IAAI,QAAQ,CAAC,SAAS,WAAW;AAC1C,YAAM,WAAW,KAAK,SAASK,MAAK,gBAAgB,OAAO;AAC3D,eAAS,GAAG,SAAS,CAAC,QAAe;AACjC,mBAAW,GAAG;AACd,qBAAa,MAAM;AACf,iBAAO,GAAG;AAAA,QACd,CAAC;AAAA,MACL,CAAC;AACD,eAAS,GAAG,OAAO,CAAC,WAAmB;AAEnC,YAAIJ,UAAS;AACT,qBAAW,MAAM;AAAA,QACrB;AAEA,gBAAQ,EAAE,gBAAgB,eAAe,CAAC;AAAA,MAC9C,CAAC;AACD,eAAS,GAAG,YAAY,CAAC,aAAqB;AAC1C,YAAI,OAAO,QAAQ;AAAA,MACvB,CAAC;AAAA,IACL,CAAC;AAAA,EACL;AAEA,iBAAe,cAAc,aAAqB;AAC9C,UAAME,iBAAgB,yBAAyB;AAE/C,UAAM,UAAU,MAAM,IAAI,QAAuB,CAAC,SAAS,WAAW;AAClE,YAAM,KAAK,aAAa,EAAE,aAAa,KAAK,GAAG,CAAC,KAAoB,YAA4B;AAC5F,YAAI,KAAK;AACL,iBAAO,GAAG;AAAA,QACd,OAAO;AACH,cAAI,CAAC,SAAS;AACV,mBAAO,IAAI,MAAM,iBAAiB,CAAC;AAAA,UACvC,OAAO;AACH,oBAAQ,OAAO;AAAA,UACnB;AAAA,QACJ;AAAA,MACJ,CAAC;AAAA,IACL,CAAC;AAED,YAAQ,UAAU;AAElB,UAAM,IAAI,QAAc,CAAC,SAAS,WAAW;AACzC,cAAQ,GAAG,OAAO,CAAC,QAAgB;AAC/B,qBAAa,MAAM;AAEf,cAAIF,UAAS;AACT,uBAAW,YAAY;AAAA,UAC3B;AACA,cAAI,KAAK;AACL,mBAAO,GAAG;AAAA,UACd,OAAO;AACH,oBAAQ;AAAA,UACZ;AAAA,QACJ,CAAC;AAAA,MACL,CAAC;AAED,cAAQ,GAAG,SAAS,CAAC,UAAuB;AACxC,gBAAQ,eAAe,OAAO,CAAC,KAAoB,eAA0B;AACzE,cAAI,KAAK;AACL,mBAAO,OAAO,GAAG;AAAA,UACrB;AAEA,gBAAM,OAAOF,MAAK,KAAKI,gBAAe,MAAM,QAAQ;AAGpD,cAAIF,UAAS;AACT,uBAAW,gBAAgB,IAAI;AAAA,UACnC;AAEA,gBAAM,cAAcJ,IAAG,kBAAkB,MAAM,QAAQ;AAEvD,sBAAY,KAAK,WAAW;AAE5B,sBAAY,GAAG,SAAS,MAAM;AAC1B,oBAAQ,UAAU;AAAA,UACtB,CAAC;AAAA,QACL,CAAC;AAAA,MACL,CAAC;AAAA,IACL,CAAC;AAAA,EACL;AAEA,QAAM,gBAAgB,yBAAyB;AAC/C,QAAM,kBAAkB,4BAA4B;AAEpD,MAAI,CAACA,IAAG,WAAW,aAAa,GAAG;AAE/B,QAAII,UAAS;AACT,iBAAW,2BAA2B,aAAa;AAAA,IACvD;AACA,IAAAJ,IAAG,UAAU,aAAa;AAAA,EAC9B;AAEA,QAAM,EAAE,WAAW,SAAS,SAAS,IAAI,MAAM,oBAAoB;AAEnE,MAAI,CAAC,WAAW;AACZ,eAAWG,OAAM,OAAO,sDAAsD,CAAC;AAC/E,UAAM,EAAE,eAAe,IAAI,MAAM,iBAAiB;AAGlD,QAAIC,UAAS;AACT,iBAAW,cAAcD,OAAM,OAAO,cAAc,CAAC;AAAA,IACzD;AACA,UAAM,cAAc,cAAc;AAElC,UAAM,gBAAgB,CAAC,CAACH,IAAG,WAAW,eAAe;AAGrD,QAAII,UAAS;AACT,iBAAW,cAAc,eAAe,gBAAgBD,OAAM,MAAM,KAAK,IAAIA,OAAM,IAAI,QAAQ,GAAG,eAAe;AAAA,IACrH;AAEA,UAAM,oBAAoB,MAAM,oBAAoB;AACpD,WAAO;AAAA,EACX,OAAO;AAEH,QAAIC,UAAS;AACT,iBAAWD,OAAM,MAAM,6DAA6D,CAAC;AAAA,IACzF;AACA,WAAO;AAAA,EACX;AACJ;AAMA,eAAsB,uBAAwC;AAE1D,MAAI,QAAQ,aAAa,SAAS;AAC9B,WAAO,MAAM,6BAA6B;AAAA,EAC9C,OAAO;AACH,WAAO,MAAM,wCAAwC;AAAA,EACzD;AACJ;AAEA,eAAsB,wBAAyC;AAC3D,MAAI,QAAQ,aAAa,SAAS;AAC9B,UAAM,kBAAkB,MAAM,qBAAqB;AACnD,QAAI,CAACH,IAAG,WAAW,eAAe,GAAG;AACjC,YAAM,IAAI,MAAM,8BAA8B,eAAe,EAAE;AAAA,IACnE;AACA,WAAO;AAAA,EACX,OAAO;AACH,WAAO;AAAA,EACX;AACJ;AAxaA,IAwCMI;AAxCN;AAAA;AAAA;AAAA;AAsCA;AAEA,IAAMA,WAAU,QAAQ,IAAI,qBAAqB;AAAA;AAAA;;;ACdjD,OAAOK,aAAY;AACnB,OAAOC,oBAAmB;AAC1B,OAAOC,SAAQ;AACf,OAAOC,SAAQ;AACf,OAAOC,aAAY;AACnB,OAAOC,YAAW;AAmBlB,eAAsBC,SAAQ,KAAa,SAA0C;AACjF,QAAM,OAAO,IAAI,MAAM;AAEvB,UAAQ,MAAM,QAAQ,OAAO,QAAQ,IAAI;AAGzC,MAAI,CAAC,SAAS,QAAQ;AAClB,eAAWD,OAAM,KAAK,gCAAgC,GAAG,QAAQ,GAAG;AAAA,EACxE;AAEA,QAAM,UAAoB,CAAC;AAE3B,SAAO,MAAM,IAAI,QAAQ,CAAC,SAAS,WAAW;AAC1C,UAAM,QAAQJ,eAAc;AAAA,MACxB;AAAA,MACA;AAAA,QACI,KAAK,QAAQ;AAAA,QACb,aAAa;AAAA,MACjB;AAAA,MACA,CAAC,QAA4C;AAEzC,YAAI,KAAK;AACL,cAAI,CAAC,QAAQ,kBAAkB;AAC3B,kBAAM,QAAQ;AACd,oBAAQ,MAAMI,OAAM,cAAc,UAAU,GAAG,KAAK,kBAAkB,KAAK,EAAE,CAAC;AAC9E,oBAAQ,MAAMA,OAAM,cAAc,UAAU,SAAS,QAAQ,GAAG,EAAE,CAAC;AACnE,oBAAQ,MAAMA,OAAM,cAAc,UAAU,IAAI,OAAO,CAAC;AACxD,oBAAQ,MAAMA,OAAM,cAAc,UAAU,GAAG,KAAK,kBAAkB,KAAK,EAAE,CAAC;AAE9E,oBAAQ,MAAM,KAAK,KAAK;AAAA,UAC5B;AACA,iBAAO,IAAI,MAAM,IAAI,OAAO,CAAC;AAC7B;AAAA,QACJ;AACA,gBAAQ,QAAQ,KAAK,EAAE,CAAC;AAAA,MAC5B;AAAA,IACJ;AAEA,QAAI,MAAM,QAAQ;AACd,YAAM,UAAUD,QAAO,MAAM,MAAM;AACnC,cAAQ,GAAG,QAAQ,CAAC,SAAiB;AACjC,gBAAQ,KAAK,GAAG,IAAI;AAAA,CAAI;AAAA,MAC5B,CAAC;AACD,UAAI,CAAC,SAAS,QAAQ;AAClB,gBAAQ,GAAG,QAAQ,CAAC,SAAiB;AACjC,iBAAO,KAAK,SAAS;AACrB,cAAI,SAAS;AACT,oBAAQ,OAAO,MAAM,GAAGC,OAAM,MAAM,iBAAiB,IAAIA,OAAM,YAAY,IAAI,CAAC;AAAA,CAAI;AAAA,UACxF;AAAA,QACJ,CAAC;AAAA,MACL;AAAA,IACJ;AAGA,QAAI,CAAC,SAAS,QAAQ;AAClB,UAAI,MAAM,QAAQ;AACd,cAAM,UAAUD,QAAO,MAAM,MAAM;AACnC,gBAAQ,GAAG,QAAQ,CAAC,SAAiB;AACjC,iBAAO,KAAK,SAAS;AACrB,cAAI,cAAc;AACd,oBAAQ,OAAO,MAAM,GAAGC,OAAM,MAAM,iBAAiB,IAAIA,OAAM,IAAI,IAAI,CAAC;AAAA,CAAI;AAAA,UAChF;AAAA,QACJ,CAAC;AAAA,MACL;AAAA,IACJ;AAAA,EACJ,CAAC;AACL;AAEA,eAAsB,eAAgC;AAClD,SAAO,MAAM,sBAAsB;AACvC;AAEA,eAAsB,2BAA0C;AAC5D,MAAI,CAAC,aAAa;AACd,kBAAc,MAAM,aAAa;AACjC,UAAM,UAAU,MAAM,gBAAgB,WAAW,EAAE,KAAK,IAAI,CAAC;AAC7D,aAAS,iBAAiB,QAAQ,KAAK;AACvC,QAAI,SAAS;AACT,iBAAW,sBAAsB,SAAS,cAAc;AAAA,IAC5D;AAAA,EACJ;AACJ;AAMA,eAAsB,2BAA2B,KAAa,SAAgC;AAC1F,YAAU,WAAW,CAAC;AACtB,UAAQ,mBAAmB;AAC3B,MAAI;AACA,WAAO,MAAM,gBAAgB,KAAK,OAAO;AAAA,EAC7C,SAAS,KAAK;AACV,aAAS,gCAAiC,IAAc,OAAO;AAAA,EACnE;AACJ;AAEA,SAAS,gBAAwB;AAC7B,SAAOF,IAAG,OAAO;AACrB;AAMA,eAAsB,gBAAgB,KAAa,SAAiD;AAChG,WAAS,mBAAmB,KAAK,OAAO;AACxC,QAAM,oBAAoB,EAAE,cAAc,GAAG,kBAAkB;AAC/D,MAAI,CAACD,IAAG,WAAW,iBAAiB,GAAG;AACnC,UAAMA,IAAG,SAAS,UAAU,mBAAmB,qBAAqB;AAAA,EACxE;AAEA,YAAU,WAAW,CAAC;AACtB,UAAQ,eAAe,QAAQ,gBAAgB;AAC/C,EAAAF,QAAO,QAAQ,YAAY;AAC3B,SAAO,gBAAgB,QAAQ,YAAY;AAG3C,MAAI,CAAC,SAAS,QAAQ;AAClB,eAAWK,OAAM,KAAK,gCAAgC,GAAG,QAAQ,IAAI,YAAY;AACjF,eAAWA,OAAM,KAAK,gCAAgC,GAAG,QAAQ,IAAI,QAAQ;AAC7E,eAAWA,OAAM,KAAK,wCAAwC,GAAGA,OAAM,WAAW,GAAG,CAAC;AAAA,EAC1F;AACA,QAAM,yBAAyB;AAC/B,SAAO,MAAMC,SAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,GAAG,IAAI,OAAO;AAChE;AA/KA,IAyCI,aAEE;AA3CN;AAAA;AAAA;AAAA;AAgCA;AACA;AACA;AACA;AACA;AACA;AAMA,IAAM,IAAI;AAAA;AAAA;;;ACjBV,OAAOC,aAAY;AAEnB,OAAOC,SAAQ;AACf,OAAOC,WAAU;AASjB,SAAS,kCAAkC;AAEvC,MAAI,CAAC,SAAS,gBAAgB;AAC1B,UAAM,IAAI;AAAA,MACN;AAAA,IACJ;AAAA,EACJ;AACA,SAAO,SAAS,eAAe,MAAM,cAAc;AACvD;AAMO,SAAS,qBAAqB,YAAoB,SAA0B;AAC/E,QAAM,UAAU,SAAS,OAAO;AAEhC,QAAM,mBAAmB,CAACA,MAAK,WAAW,UAAU,IAAIA,MAAK,KAAK,SAAS,UAAU,IAAI;AACzF,MAAI,eAAeD,IAAG,aAAa,kBAAkB,EAAE,UAAU,OAAO,CAAC;AACzE,aAAW,UAAU,uBAAuB,GAAG;AAC3C,mBAAe,aAAa,QAAQ,IAAI,OAAO,OAAO,SAAS,IAAI,GAAG,OAAO,OAAO,GAAG,CAAC;AAAA,EAC5F;AACA,QAAM,mBAAmB,GAAG,UAAU,IAAI,QAAQ,GAAG,IAAI,UAAU;AACnE,QAAM,sBAAsB,CAACC,MAAK,WAAW,UAAU,IAAIA,MAAK,KAAK,SAAS,gBAAgB,IAAI;AAClG,EAAAD,IAAG,cAAc,qBAAqB,YAAY;AAClD,MAAI,SAAS,KAAK;AACd,WAAOC,MAAK,SAAS,QAAQ,KAAK,mBAAmB;AAAA,EACzD,OAAO;AACH,WAAO;AAAA,EACX;AACJ;AAaA,eAAsB,2BAA2B,oBAA4B,mBAA0C;AACnH,EAAAF,QAAOC,IAAG,WAAW,kBAAkB,CAAC;AACxC,QAAM,gBAAgB,mBAAmB,EAAEE,GAAE,kBAAkB,CAAC,CAAC,SAAS,EAAEA,GAAE,iBAAiB,CAAC,CAAC,IAAI,CAAC,CAAC;AAC3G;AAcO,SAAS,SAAS,MAAqB;AAC1C,SAAO,QAAQ,oBAAI,KAAK;AACxB,QAAM,IAAI,KAAK,eAAe;AAC9B,QAAM,IAAI,KAAK,YAAY,IAAI;AAC/B,QAAM,IAAI,KAAK,WAAW;AAC1B,QAAM,IAAI,KAAK,YAAY;AAC3B,QAAM,IAAI,KAAK,cAAc;AAC7B,QAAM,IAAI,KAAK,cAAc;AAE7B,WAAS,EAAEC,IAAoB,GAAmB;AAC9C,WAAO,GAAGA,EAAC,GAAG,SAAS,GAAG,GAAG;AAAA,EACjC;AAEA,MAAI,gCAAgC,GAAG;AAEnC,WAAO,GAAG,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;AAAA,EACvE,OAAO;AAEH,WAAO,GAAG,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;AAAA,EACvE;AACJ;AAKA,eAAsB,gBAAgB,aAAwC;AAC1E,EAAAJ,QAAOC,IAAG,WAAW,WAAW,CAAC;AACjC,SAAO,MAAM,gBAAgB,aAAa,EAAEE,GAAE,WAAW,CAAC,CAAC,kBAAkB,CAAC,CAAC;AACnF;AAEA,eAAsB,MAAM,gBAAyC;AACjE,EAAAH,QAAOC,IAAG,WAAW,cAAc,CAAC;AACpC,QAAM,iBAAiB,eAAe,QAAQ,QAAQ,MAAM;AAC5D,SAAO,MAAM,gBAAgB,4BAA4B,cAAc,SAAS,cAAc,IAAI,CAAC,CAAC;AACxG;AAEA,eAAsB,YAAY,gBAAyC;AAEvE,EAAAD,QAAOC,IAAG,WAAW,cAAc,CAAC;AACpC,SAAO,MAAM,gBAAgB,oCAAoC,cAAc,IAAI,CAAC,CAAC;AACzF;AA1IA,IAkDI,UAoBE,GACAE;AAvEN,IAAAE,gBAAA;AAAA;AAAA;AAAA;AAgCA;AACA;AACA;AACA;AACA;AAYA,aAAS,iBAAiB;AAE1B,IAAI,WAAW;AAoBf,IAAM,IAAI;AACV,IAAMF,KAAI;AAAA;AAAA;;;AC7CV,OAAOG,aAAY;AACnB,OAAOC,SAAQ;AACf,OAAOC,WAAU;AAgBjB,eAAsB,2CAClB,mCACA,QACa;AACb,EAAAF,QAAO,MAAM;AACb,EAAAA,QAAO,OAAO,OAAO;AACrB,EAAAA,QAAO,OAAO,UAAU;AACxB,EAAAA,QAAO,OAAO,UAAU;AACxB,EAAAA,QAAO,OAAO,OAAO,eAAe,QAAQ;AAC5C,EAAAA,QAAOC,IAAG,WAAW,OAAO,UAAU,GAAG,0BAA0B,OAAO,UAAU,EAAE;AACtF,EAAAD,QAAOC,IAAG,WAAW,OAAO,UAAU,GAAG,yBAAyB,OAAO,UAAU,EAAE;AACrF,EAAAD,QAAOC,IAAG,WAAW,OAAO,OAAO,GAAG,wBAAwB;AAC9D,EAAAD,QAAO,OAAO,sCAAsC,QAAQ;AAG5D,kBAAgB,MAAM;AACtB,QAAM,aAAa,qBAAqB,OAAO,YAAY,EAAE,KAAK,OAAO,QAAQ,CAAC;AAElF,QAAM,UAAU,EAAE,KAAK,OAAO,SAAS,cAAcE,MAAK,SAAS,OAAO,SAAS,UAAU,EAAE;AAE/F,QAAM,eAAe,YAAYC,GAAEC,GAAE,UAAU,CAAC,CAAC;AAEjD,QAAM,UAAU,OAAO,UAAU,IAAIC,SAAQ,OAAO,OAAO,EAAE,SAAS,IAAI;AAE1E,QAAM,iBAAiB,UAAU,WAAW,OAAO,MAAM;AAEzD,kBAAgB,uDAAuD;AACvE,QAAM;AAAA,IACF,sCAII,eACA,WACAF,GAAEC,GAAE,OAAO,UAAU,CAAC,IACtB,iBACA,WACAD,GAAEC,GAAE,iCAAiC,CAAC;AAAA,IAC1C;AAAA,EACJ;AACJ;AApFA,IAsCMD,IACAC;AAvCN,IAAAE,2CAAA;AAAA;AAAA;AAAA;AA8BA;AACA;AACA;AACA;AACA;AACA;AACA,IAAAC;AAEA,IAAMJ,KAAI;AACV,IAAMC,KAAI;AAAA;AAAA;;;ACjBV,OAAO,SAAS;AAtBhB;AAAA;AAAA;AAAA;AA0BA;AACA,IAAAI;AACA;AACA;AACA,IAAAC;AAAA;AAAA;;;AC9BA,IAAMC,SAgIC;AAhIP;AAAA;AAAA;AAAA;AAAA,IAAMA,UACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA+HJ,IAAO,iCAAQA;AAAA;AAAA;;;ACzGf,OAAOC,aAAY;AACnB,OAAOC,SAAQ;AACf,OAAOC,WAAU;AACjB,OAAOC,YAAW;AAClB;AAAA,EACI;AAAA,EACA,0BAAAC;AAAA,EACA;AAAA,EACA,WAAAC;AAAA,OAEG;AAgDP,SAAS,uBAAuB,GAAW;AACvC,SACI,SAAS,EAAE,UAAU,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,IACzC,MACA,SAAS,EAAE,UAAU,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,IACzC,MACA,SAAS,EAAE,UAAU,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,IACzC,MACA,SAAS,EAAE,UAAU,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS;AAEjD;AAEA,eAAe,+BAA+B,sBAA2D;AAqBrG,QAAM,UAAU,qBAAqB;AAErC,QAAM,YAAYH,MAAK,QAAQ,qBAAqB,OAAO;AAE3D,iBAAe,eAAe;AAC1B,uBAAmB,SAAS;AAC5B,uBAAmBA,MAAK,KAAK,WAAW,SAAS,CAAC;AAClD,uBAAmBA,MAAK,KAAK,WAAW,QAAQ,CAAC;AAEjD,uBAAmBA,MAAK,KAAK,WAAW,OAAO,CAAC;AAChD,uBAAmBA,MAAK,KAAK,WAAW,KAAK,CAAC;AAC9C,uBAAmBA,MAAK,KAAK,WAAW,MAAM,CAAC;AAAA,EACnD;AACA,QAAM,aAAa;AAEnB,iBAAe,0BAA0B;AACrC,UAAM,SAASA,MAAK,KAAK,WAAW,QAAQ;AAC5C,QAAI,CAACD,IAAG,WAAW,MAAM,GAAG;AACxB,YAAMA,IAAG,SAAS,UAAU,QAAQ,MAAM;AAAA,IAC9C;AAEA,UAAM,YAAYC,MAAK,KAAK,WAAW,WAAW;AAClD,QAAI,CAACD,IAAG,WAAW,SAAS,GAAG;AAC3B,YAAMA,IAAG,SAAS,UAAU,WAAW,MAAM;AAAA,IACjD;AAEA,UAAM,YAAYC,MAAK,KAAK,WAAW,WAAW;AAClD,QAAI,CAACD,IAAG,WAAW,SAAS,GAAG;AAC3B,YAAMA,IAAG,SAAS,UAAU,WAAW,EAAE;AAAA,IAC7C;AAAA,EACJ;AAEA,QAAM,wBAAwB;AAE9B,MAAIA,IAAG,WAAWC,MAAK,KAAK,WAAW,mBAAmB,CAAC,KAAK,CAACI,QAAO,SAAS;AAE7E,aAAS,4CAA4C;AACrD;AAAA,EACJ;AAGA,eAAa,mCAAmC;AAEhD,QAAM,gBAAgBJ,MAAK,KAAK,WAAW,gBAAgB;AAC3D,MAAI,CAACD,IAAG,WAAW,aAAa,GAAG;AAC/B,UAAMA,IAAG,SAAS,UAAU,eAAe,qBAAqB;AAAA,EACpE;AAEA,QAAM,eAAe,qBAAqB;AAC1C,MAAI,GAAmC;AACnC,QAAI,OAAO;AACX,WAAO,SAAS,KAAK,QAAQ,mBAAmB,SAAS,CAAC;AAE1D,UAAMA,IAAG,SAAS,UAAU,cAAc,IAAI;AAAA,EAClD;AAGA,QAAM,aAAa,WAAW,QAAQ,SAAS,CAAC;AAChD,kBAAgB,CAAC,CAAW;AAE5B,QAAM,UAAU,EAAE,KAAK,UAAU;AACjC,QAAM,aAAa,qBAAqB,qBAAqB,OAAO;AACpE,QAAM,eAAe,YAAYM,GAAEC,GAAE,UAAU,CAAC,CAAC;AAEjD,QAAM,UAAU,qBAAqB;AAErC,QAAM,qBAAqBN,MAAK,KAAK,WAAW,mBAAmB;AACnE,QAAM,cAAcA,MAAK,KAAK,WAAW,mBAAmB;AAE5D,eAAa,iCAAiC,OAAO,EAAE;AAIvD,QAAME,wBAAuB,oBAAoB,OAAO;AACxD,eAAa,+CAA+C;AAK5D,QAAM;AAAA,IACF,+CAII,eACA,WACAG,GAAEC,GAAE,kBAAkB,CAAC,IACvB,WACAD,GAAEC,GAAE,WAAW,CAAC,IAChB,MACA;AAAA,IACJ;AAAA,EACJ;AAMA,eAAa,uCAAuC;AACpD,QAAM;AAAA,IACF,sEAIID,GAAEC,GAAE,UAAU,CAAC,IACf,sCAEAD,GAAEC,GAAE,kBAAkB,CAAC,IACvB;AAAA,IACJ;AAAA,EACJ;AACA,kBAAgB,oDAAoD;AACpE,QAAM,cAAc,qBAAqB,gBAAgB,cAAc,OAAO;AAC9E,eAAa,6CAA6C;AAC9D;AAEA,eAAe,cAAc,gBAAwB,cAAsB,SAAgC;AAEvG,kBAAgB,8CAA8C;AAC9D,QAAM,gBAAgB,cAAc,YAAY,iCAAiC,OAAO;AACxF,QAAM,gBAAgB,iFAA2F,OAAO;AAExH,kBAAgB,uCAAuC;AACvD,QAAM,gBAAgB,YAAYD,GAAEC,GAAE,cAAc,CAAC,CAAC,kBAAkB,OAAO;AACnF;AA9OA,IAgEa,gBAKA,2BAEPF,SAMAE,IACAD,IAgNO;AA9Rb;AAAA;AAAA;AAAA;AAmCA;AAgBA;AAeA;AAFO,IAAM,iBAAiB;AAKvB,IAAM,4BAAoC;AAEjD,IAAMD,UAAS;AAAA,MACX,gBAAgB;AAAA,MAChB,SAAS;AAAA,MACT,QAAQ;AAAA,IACZ;AAEA,IAAME,KAAI;AACV,IAAMD,KAAI;AAcV,IAAAP,QAAO,uBAAuB,UAAU,MAAM,iBAAiB;AAkMxD,IAAM,uBAAN,MAA2B;AAAA;AAAA,MAEd;AAAA;AAAA,MAEA;AAAA;AAAA,MAEA;AAAA,MAEhB,YAAY,SAAsC;AAC9C,QAAAA,QAAO,OAAO,UAAU,eAAe,KAAK,SAAS,UAAU,CAAC;AAChE,QAAAA,QAAO,OAAO,UAAU,eAAe,KAAK,SAAS,SAAS,CAAC;AAC/D,aAAK,WAAW,QAAQ;AACxB,aAAK,UAAU,QAAQ,WAAW;AAClC,aAAK,UAAU,IAAIK,SAAQ,QAAQ,WAAW,cAAc;AAAA,MAChE;AAAA;AAAA,MAGA,IAAW,UAAU;AACjB,eAAO,KAAK;AAAA,MAChB;AAAA;AAAA,MAGA,IAAW,aAAa;AACpB,eAAOH,MAAK,UAAUA,MAAK,KAAK,KAAK,SAAS,qBAAqB,CAAC;AAAA,MACxE;AAAA;AAAA,MAGA,IAAW,gBAAgB;AAEvB,eAAO,SAAS,KAAK,SAAS,qBAAqB;AAAA,MACvD;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,IAAW,oBAAoB;AAC3B,eAAO,SAAS,KAAK,SAAS,2BAA2B;AAAA,MAC7D;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,IAAW,iBAAiB;AACxB,eAAO,SAAS,KAAK,SAAS,2BAA2B;AAAA,MAC7D;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,IAAW,uBAAuB;AAC9B,eAAO,SAAS,KAAK,SAAS,qCAAqC;AAAA,MACvE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,aAA4B;AACrC,cAAM,+BAA+B,IAAI;AAAA,MAC7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,MAAa,gCAA+C;AACxD,cAAM,gBAAgB,KAAK;AAS3B,YAAID,IAAG,WAAW,KAAK,cAAc,GAAG;AACpC,gBAAMA,IAAG,SAAS;AAAA,YACd;AAAA,YACAA,IAAG,aAAa,KAAK,eAAe,MAAM,IAAIA,IAAG,aAAa,KAAK,gBAAgB,MAAM;AAAA,UAC7F;AAAA,QACJ,OAAO;AAEH,gBAAMA,IAAG,SAAS,UAAU,eAAeA,IAAG,aAAa,KAAK,aAAa,CAAC;AAAA,QAClF;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQA,MAAa,0BAA0B,aAAsC;AACzE,QAAAD,QAAOC,IAAG,WAAW,WAAW,CAAC;AACjC,QAAAD,QAAOC,IAAG,WAAW,KAAK,aAAa,CAAC;AAExC,iBAASE,OAAM,OAAO,4BAA4B,GAAGA,OAAM,KAAK,WAAW,CAAC;AAE5E,cAAMF,IAAG,SAAS;AAAA,UACd;AAAA,UACC,MAAMA,IAAG,SAAS,SAAS,aAAa,MAAM,IAAM,MAAMA,IAAG,SAAS,SAAS,KAAK,eAAe,MAAM;AAAA;AAAA,QAE9G;AAAA,MACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,MAAa,4BAA4B,iBAA2B,YAAsB,QAA+B;AACrH,QAAAD,QAAO,OAAO,eAAe,QAAQ;AACrC,QAAAA,QAAOC,IAAG,WAAW,UAAU,CAAC;AAEhC,YAAI,CAAC,qBAAqB,eAAe,GAAG;AACxC;AAAA,QACJ;AAEA,mBAAW,MAAM;AACjB,6BAAqB,MAAM;AAC3B,wBAAgB,MAAM;AAEtB,cAAM,UAAU,GAAG,eAAe;AAClC,QAAAD,QAAO,OAAO;AACd,cAAM,aAAa,qBAAqB,KAAK,YAAY,EAAE,KAAK,KAAK,QAAQ,CAAC;AAE9E,cAAM,UAAU;AAAA,UACZ,KAAK,KAAK;AAAA,UACV,cAAc,SAAS,UAAU;AAAA,QACrC;AAEA,cAAM,eAAe;AAErB,cAAM,UAAU,OAAO,UAAU,IAAIK,SAAQ,OAAO,OAAO,EAAE,SAAS,IAAI;AAC1E,cAAM,iBAAiB,WAAW,QAAQ,SAAS,IAAI,UAAU,OAAO,MAAM;AAE9E,wBAAgB,mCAAmC;AACnD,cAAM;AAAA,UACF,6BAEI,eACA,iBACA,kBACAE,GAAEC,GAAE,UAAU,CAAC,IACf,WACAD,GAAEC,GAAE,OAAO,CAAC;AAAA,UAChB;AAAA,QACJ;AAEA,wBAAgB,wCAAwC;AACxD,cAAM;AAAA,UACF,6BAGID,GAAEC,GAAE,UAAU,CAAC,IACf,iBACA,SAAS,OAAO,SAAS,IACzB,eACA,SAAS,OAAO,OAAO,IACvB,kBACAD,GAAEC,GAAE,eAAe,CAAC,IACpB,UACAD,GAAEC,GAAE,OAAO,CAAC;AAAA,UAChB;AAAA,QACJ;AAEA,wBAAgB,oCAAoC;AAEpD,cAAM,gBAAgB,YAAYD,GAAEC,GAAE,eAAe,CAAC,CAAC,yCAAyC,CAAC,CAAC;AAElG,wBAAgB,kCAAkC;AAClD,cAAM,2BAA2B,2BAA2BD,GAAEC,GAAE,eAAe,CAAC,CAAC,IAAID,GAAEC,GAAE,eAAe,CAAC,CAAC,IAAI,OAAO;AAErH,cAAMP,IAAG,SAAS,OAAO,OAAO;AAAA,MACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAUA,MAAa,kBAAkB,aAAuB,QAA+B;AACjF,cAAM,aAAa;AAAA,UACf;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACJ;AAEA,cAAM,aAAa,qBAAqB,qBAAqB,EAAE,KAAK,KAAK,QAAQ,CAAC;AAElF,cAAM,UAAU;AAAA,UACZ,KAAK,KAAK;AAAA,UACV,cAAc,SAAS,UAAU;AAAA,QACrC;AAEA,eAAO,WAAW,EAAE;AACpB,cAAM,aAAaC,MAAK,KAAK,KAAK,SAAS,YAAY;AACvD,eAAO,YAAY,UAAU;AAO7B,cAAM,eAAe,YAAYK,GAAEC,GAAE,UAAU,CAAC,CAAC;AAEjD,cAAM,SAAS,OAAO,UAAU;AAChC,QAAAR,QAAO,WAAW,QAAQ,MAAM,KAAK,CAAC;AAEtC,qBAAa,yBAAyB,WAAW,EAAE;AAEnD,wBAAgB,oBAAoB;AAEpC,cAAM,2BAA2B,eAAe,YAAY,YAAYO,GAAE,WAAW,CAAC,gBAAgB,MAAM,IAAI,OAAO;AAEvH,cAAM,cAAc,KAAK,gBAAgB,cAAc,OAAO;AAE9D,wBAAgB,oCAAoC;AAEpD,cAAM;AAAA,UACF,8BAGIA,GAAEC,GAAE,KAAK,cAAc,CAAC,IACxB,cACAD,GAAEC,GAAE,KAAK,aAAa,CAAC,IACvB,iBACAD,GAAEC,GAAE,WAAW,CAAC;AAAA,UACpB;AAAA,QACJ;AAGA,wBAAgB,0BAA0B;AAC1C,cAAM,gBAAgB,YAAYD,GAAEC,GAAE,KAAK,cAAc,CAAC,CAAC,+CAA+C,OAAO;AAEjH,wBAAgB,0BAA0B;AAE1C,cAAM,gBAAgB,YAAYD,GAAEC,GAAE,KAAK,cAAc,CAAC,CAAC,sDAAsD,OAAO;AAAA,MAC5H;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAcA,MAAa,uBACT,aACA,mCACA,SACiB;AACjB,cAAM,yBAAyB;AAC/B,QAAAR,QAAOC,IAAG,WAAW,iCAAiC,CAAC;AACvD,YAAI,CAAC,qBAAqB,WAAW,GAAG;AACpC,iBAAO;AAAA,QACX;AACA,mBAAW,OAAO;AAClB,6BAAqB,OAAO;AAC5B,wBAAgB,OAAO;AAEvB,cAAM,UAA0B,EAAE,KAAK,KAAK,QAAQ;AAKpD,cAAM,MAAM,MAAM,8BAA8B,iCAAiC;AACjF,cAAM,UAAU,iCAAiC,GAAG;AAEpD,cAAM,iBAAiB,QAAQ,iBAAiB,eAAe,4BACzD,QAAQ,iBAAiB,eAAe,0BAA0B,CAAC,IACnE;AACN,YAAI,OAAO,mBAAmB,UAAU;AACpC,gBAAM,IAAI,MAAM,mCAAmC;AAAA,QACvD;AAEA,cAAMQ,OAAM,QAAQ,iBAAiB,eAAe,WAAW,CAAC;AAChE,YAAI,KAAK,QAAQ,iBAAiB,eAAe,aAAa,CAAC;AAC/D,aAAK,GAAG,IAAI,sBAAsB;AAElC,cAAM,SAA+B;AAAA,UACjC;AAAA,UACA,KAAAA;AAAA,UACA;AAAA,QACJ;AAEA,wBAAgB,MAAM;AAEtB,cAAM,aAAa,qBAAqB,qBAAqB,OAAO;AAEpE,wBAAgB,qEAAqE;AAErF,cAAM,eAAe,YAAY,UAAU;AAC3C,cAAM;AAAA,UACF,QACI,eACA,iBACA,SAAS,QAAQ,SAAS,IAC1B,eACA,SAAS,QAAQ,OAAO,IACxB,kBACAF,GAAEC,GAAE,WAAW,CAAC,IAChB,UACAD,GAAEC,GAAE,iCAAiC,CAAC;AAAA,UAC1C;AAAA,QACJ;AAEA,wBAAgB,oCAAoC;AACpD,cAAM,gBAAgB,YAAYD,GAAEC,GAAE,WAAW,CAAC,CAAC,yCAAyC,OAAO;AAEnG,wBAAgB,qCAAqC;AACrD,cAAM,KAAK,8BAA8B;AAIzC,wBAAgB,+BAA+B;AAC/C,cAAM,KAAK,0BAA0B,WAAW;AAEhD,wBAAgB,0CAA0C;AAC1D,cAAM,KAAK,kBAAkB,WAAW;AAExC,eAAO;AAAA,MACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,MAAa,kBAAkB,aAAsC;AAGjE,cAAM,gBAAgB;AAGtB,YAAI,eAAe;AACf,gBAAM,UAAU,EAAE,KAAK,KAAK,QAAQ;AACpC,gBAAM,aAAa,qBAAqB,qBAAqB,OAAO;AAEpE,iBAAO,gBAAgB,SAAS,UAAU,CAAC;AAC3C,gBAAM,gBAAgB,YAAY,UAAU;AAC5C;AACA,gBAAM;AAAA,YACF,4BAA4BD,GAAEC,GAAE,KAAK,oBAAoB,CAAC,CAAC,IAAID,GAAEC,GAAE,WAAW,CAAC,CAAC;AAAA,YAChF;AAAA,UACJ;AAAA,QACJ;AAAA,MACJ;AAAA,IACJ;AAAA;AAAA;;;ACnnBA,OAAOE,cAAY;AACnB,OAAOC,UAAQ;AACf,SAAS,qBAAqB;AAC9B,OAAOC,SAAQ;AACf,OAAOC,WAAU;AACjB,OAAOC,YAAW;AAClB,SAAS,sBAAAC,qBAAoB,0BAAAC,yBAAwB,WAAAC,gBAAoC;AAugBzF,OAAO,qBAAqB;AAC5B,OAAO,sBAAsB;AAxe7B,SAAS,gBAAgB,MAAY,QAAsB;AACvD,QAAM,IAAI,IAAI,KAAK,KAAK,QAAQ,CAAC;AACjC,IAAE,QAAQ,EAAE,QAAQ,IAAI,MAAM;AAC9B,SAAO;AACX;AAyCA,eAAeC,gCAA+B,SAAiB;AAE3D,EAAAR,SAAO,OAAO,aAAa,aAAa,UAAU,gCAAgC;AAClF,EAAAA,SAAO,OAAO,aAAa,YAAY,UAAU,+BAA+B;AAEhF,MAAI,CAAC,wBAAwB;AACzB,6BAAyB,IAAI,qBAAqB;AAAA,MAC9C,SAAS,aAAa;AAAA,MACtB,UAAU,aAAa;AAAA,MACvB;AAAA,IACJ,CAAC;AACD,UAAM,uBAAuB,WAAW;AAAA,EAC5C;AACJ;AASA,eAAe,+BAA+B;AAC1C,EAAAA,SAAO,OAAO,aAAa,cAAc,UAAU,iCAAiC;AAEpF,MAAI,CAAC,oBAAoB;AACrB,yBAAqB,IAAI,mBAAmB;AAAA,MACxC,SAAS,aAAa;AAAA,MACtB,UAAU,aAAa;AAAA,IAC3B,CAAC;AACD,UAAM,mBAAmB,WAAW;AAAA,EACxC;AACJ;AAcA,SAAS,2BAAmC;AAExC,MAAK,QAAwD,KAAK,YAAY;AAM1E,UAAM,IAAIC,KAAG,aAAaE,MAAK,KAAK,WAAW,iCAAiC,GAAG,MAAM;AACzF,WAAO;AAAA,EACX;AACA,WAAS,+BAA+B;AACpC,UAAM,aAAa,wBAAwB;AAK3C,UAAM,aAAa;AAEnB,QAAIM,2BAA0BN,MAAK,KAAK,YAAY,OAAO,UAAU;AAErE,QAAI,CAACF,KAAG,WAAWQ,wBAAuB,GAAG;AACzC,MAAAA,2BAA0BN,MAAK,KAAK,WAAW,MAAM,UAAU;AAE/D,UAAI,CAACF,KAAG,WAAWQ,wBAAuB,GAAG;AACzC,QAAAA,2BAA0BN,MAAK,KAAK,WAAW,UAAU,UAAU,EAAE;AAAA,MACzE;AAAA,IACJ;AACA,WAAOM;AAAA,EACX;AACA,QAAM,0BAA0B,6BAA6B;AAC7D,EAAAT,SAAOC,KAAG,WAAW,uBAAuB,CAAC;AAC7C,QAAM,kCAAkCA,KAAG,aAAa,yBAAyB,MAAM;AACvF,SAAO;AACX;AAKA,SAAS,0BAA0B;AAC/B,MAAI,aAAaE,MAAK,KAAK,SAAS;AAEpC,WAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AACxB,QAAIF,KAAG,WAAWE,MAAK,KAAK,YAAY,cAAc,CAAC,GAAG;AACtD,aAAO;AAAA,IACX;AACA,iBAAaA,MAAK,KAAK,YAAY,IAAI;AAAA,EAC3C;AAEA,EAAAH,SAAOC,KAAG,WAAWE,MAAK,KAAK,YAAY,cAAc,CAAC,GAAG,2CAA2C;AACxG,SAAO;AACX;AAmBA,eAAe,kBAAkB,MAA8B;AAC3D,MAAI,KAAK,QAAQ;AACb,aAAS,SAAS;AAAA,EACtB,OAAO;AACH,aAAS,SAAS;AAAA,EACtB;AAEA,QAAMO,QAAO,MAAM,gCAAgC;AACnD,QAAM,WAAWR,IAAG,SAAS;AAC7B,MAAI;AAEJ,WAAS,oBAAoB,KAAqB;AAC9C,UAAM,IAAI,QAAQ,SAAS,QAAQ,IAAI,CAAC;AACxC,QAAI,gBAAgB;AAChB,YAAM,IAAI,QAAQ,UAAU,cAAc;AAAA,IAC9C;AACA,QAAI,cAAc,WAAW;AACzB,YAAM,IAAI,QAAQ,eAAe,aAAa,SAAS;AAAA,IAC3D;AACA,UAAM,IAAI,QAAQ,cAAc,QAAQ;AACxC,UAAM,IAAI,QAAQ,UAAUQ,KAAI;AAChC,WAAO;AAAA,EACX;AAEA,WAAS,QAAQ,MAA0B;AACvC,UAAM,MAAMP,MAAK,QAAQ,oBAAoB,IAAI,CAAC;AAClD,WAAO,SAAS,GAAG;AAAA,EACvB;AAGA,mBAAiB,KAAK;AACtB,EAAAH,SAAO,OAAO,mBAAmB,QAAQ;AAEzC,mBAAiB,QAAQ,cAAc;AACvC,qBAAmB,cAAc;AACjC,EAAAA,SAAOC,KAAG,WAAW,cAAc,CAAC;AAGpC,QAAM,iBAAiBE,MAAK,KAAK,gBAAgB,WAAW;AAE5D,MAAI,CAACF,KAAG,WAAW,cAAc,GAAG;AAEhC,aAASG,OAAM,OAAO,kCAAkC,GAAGA,OAAM,KAAK,cAAc,CAAC;AACrF,UAAM,kCAAkC,yBAAyB;AACjE,IAAAH,KAAG,cAAc,gBAAgB,+BAA+B;AAAA,EACpE,OAAO;AACH,aAASG,OAAM,OAAO,wBAAwB,GAAGA,OAAM,KAAK,cAAc,CAAC;AAAA,EAC/E;AACA,MAAI,CAACH,KAAG,WAAW,cAAc,GAAG;AAChC,aAASG,OAAM,UAAU,6BAA6B,cAAc,CAAC;AAAA,EACzE;AAIA,QAAM,oBAAoBD,MAAK,KAAKA,MAAK,QAAQ,cAAc,GAAG,YAAY;AAC9E,SAAO,YAAY,iBAAiB;AAGpC,QAAM,WAAW,cAAc,UAAU;AACzC,iBAAe,SAAS,cAAc;AAEtC,eAAa,UAAU,IAAII,SAAQ,aAAa,WAAW,EAAE;AAG7D,MAAI,KAAK,SAAS;AACd,iBAAa,UAAU,IAAIA,SAAQ,KAAK,OAAO;AAAA,EACnD;AAGA,MAAI,CAAC,aAAa,QAAQ,YAAY;AAClC,UAAM,IAAI,MAAM,iCAAiC;AAAA,EACrD;AAEA,eAAa,iBAAiB;AAG9B,MAAI,WAAW,KAAK,YAAYJ,MAAK,KAAK,gBAAgB,IAAI;AAC9D,aAAW,QAAQ,QAAQ;AAC3B,eAAa,WAAW;AAGxB,eAAa,YAAYA,MAAK,KAAK,aAAa,gBAAgB,KAAK;AACrE,MAAI,KAAK,WAAW;AAChB,iBAAa,YAAY,QAAQ,KAAK,SAAS;AAAA,EACnD;AACA,eAAa,YAAY,QAAQ,aAAa,SAAS;AACvD,MAAI,KAAK,YAAY;AACjB,iBAAa,aAAa,QAAQ,KAAK,UAAU;AAAA,EACrD;AAEA,MAAI,KAAK,gBAAgB;AACrB,iBAAa,iBAAiB,oBAAoB,KAAK,cAAc;AAAA,EACzE;AAEA,MAAI,KAAK,QAAQ;AACb,iBAAa,aAAa,KAAK;AAAA,EACnC;AAEA,eAAa,WAAW,CAAC;AACzB,MAAI,KAAK,UAAU;AACf,iBAAa,WAAW,KAAK,SAAS,MAAM,GAAG;AAAA,EACnD;AACA,eAAa,MAAM,CAAC,4BAA4B,CAAC;AACjD,MAAI,KAAK,KAAK;AACV,iBAAa,MAAM,KAAK,IAAI,MAAM,GAAG,EAAE,IAAI,mBAAmB;AAAA,EAClE;AACA,eAAa,KAAK,CAAC;AACnB,MAAI,KAAK,IAAI;AACT,iBAAa,KAAK,KAAK,GAAG,MAAM,GAAG;AAAA,EACvC;AACA,MAAI,KAAK,SAAS;AACd,UAAM,IAAI,KAAK;AACf,QAAI,MAAM,QAAQ,MAAM,QAAQ,MAAM,QAAQ,MAAM,MAAM;AACtD,YAAM,IAAI,MAAM,6BAA6B,CAAC,mCAAmC;AAAA,IACrF;AACA,iBAAa,UAAU,KAAK;AAAA,EAChC;AAEA,MAAI,KAAK,UAAU;AACf,iBAAa,WAAW,KAAK;AAAA,EACjC;AAGJ;AAEA,eAAe,yBACX,WACA,QACA,YACA,gBACA,KACF;AAEE,EAAAH,SAAO,eAAe,QAAQ,eAAe,QAAQ,eAAe,QAAQ,eAAe,IAAI;AAE/F,QAAM,mBAAmB,SAAS,WAAW,GAAG,MAAM,OAAO,UAAU,MAAM;AAC7E,QAAM,kBAAkB,SAAS,WAAW,GAAG,MAAM,cAAc,UAAU,MAAM;AACnF,QAAM,mBAAmB,SAAS,WAAW,GAAG,MAAM,QAAQ,UAAU,MAAM;AAC9E,QAAM,6BAA6B,SAAS,WAAW,GAAG,MAAM,QAAQ,UAAU,gBAAgB;AAClG,QAAM,kCAAkC,SAAS,WAAW,GAAG,MAAM,QAAQ,UAAU,qBAAqB;AAC5G,QAAM,sBAAsB,SAAS,WAAW,GAAG,MAAM,QAAQ,UAAU,cAAc;AACzF,QAAM,+BAA+B,SAAS,WAAW,GAAG,MAAM,mBAAmB,UAAU,MAAM;AAErG,QAAMU,QAAO,4BAA4B;AACzC,QAAM,WAAWR,IAAG,SAAS;AAC7B,QAAMS,OAAgB;AAAA;AAAA;AAAA,IAGlB,4BAA4B;AAAA,EAChC;AACA,MAAI,aAAaD,OAAM;AACnB,IAAAC,KAAI,KAAK,QAAQ;AAAA,EACrB;AAEA,QAAM,KAAe,CAAC;AAEtB,iBAAe,4BACX,aACA,aACAC,iBACA,WACA,UACe;AAEf,QAAIX,KAAG,WAAW,WAAW,GAAG;AAC5B,iBAAWG,OAAM,OAAO,sBAAsB,GAAGA,OAAM,KAAK,WAAW,GAAGA,OAAM,OAAO,6BAA6B,CAAC;AACrH,aAAO;AAAA,IACX,OAAO;AACH,aAAO,MAAM,kBAAkB,aAAa,aAAaQ,iBAAgB,WAAW,QAAQ;AAAA,IAChG;AAAA,EACJ;AAEA,iBAAe,kBACX,aACA,YACAA,iBACA,WACA,UACe;AACf,UAAM,gCAAgC,GAAG,WAAW;AAEpD,UAAM,aAAa,SAAS,WAAW,qCAAqC;AAE5E,UAAMD,OAAM,CAACT,IAAG,SAAS,CAAC;AAC1B,UAAMW,MAAK,CAAC,WAAW;AAEvB,UAAM,SAA2D;AAAA,MAC7D,gBAAAD;AAAA,MACA;AAAA,MACA,SAAS;AAAA,MACT;AAAA,MACA,KAAAD;AAAA,MACA,IAAAE;AAAA,MACA,SAASR,oBAAmB;AAAA,IAChC;AAGA,UAAM,2CAA2C,+BAA+B,MAAM;AAEtF,WAAO,MAAM,uBAAuB,uBAAuB,aAAa,+BAA+B;AAAA,MACnG,gBAAAO;AAAA,MACA,KAAAD;AAAA,MACA,IAAAE;AAAA,MACA;AAAA,MACA;AAAA,IACJ,CAAC;AAAA,EACL;AAEA,iBAAeC,6BACX,aACA,aACAF,iBACA,WACA,UACF;AACE,UAAM,uBAAuB,4BAA4B,aAAa,aAAa;AAAA,MAC/E,gBAAAA;AAAA,MACA,KAAAD;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACJ,CAAC;AAAA,EACL;AAEA,iBAAe,mBAAmB,aAAuB;AACrD,UAAM,uBAAuB,kBAAkB,aAAa,CAAC,CAAC;AAAA,EAClE;AAEA,iBAAe,2BAA2B,YAAsB,WAAoB;AAChF,QAAIV,KAAG,WAAW,UAAU,GAAG;AAC3B,iBAAWG,OAAM,OAAO,qBAAqB,GAAGA,OAAM,KAAK,UAAU,GAAGA,OAAM,OAAO,6BAA6B,CAAC;AACnH;AAAA,IACJ,OAAO;AACH,YAAME,wBAAuB,YAAY,SAAS;AAAA,IACtD;AAAA,EACJ;AAEA,kBAAgB,wBAAwB,gBAAgB,EAAE;AAE1D,QAAM,2BAA2B,kBAAkB,UAAU;AAC7D,kBAAgB,uBAAuB,eAAe,oBAAoB;AAC1E,QAAM,2BAA2B,kBAAkB,eAAe;AAClE,kBAAgB,uBAAuB,gBAAgB,EAAE;AAEzD,QAAM,4BAA4B,kBAAkB,kBAAkB,gBAAgB,WAAW,GAAG;AAEpG,kBAAgB,mCAAmC,4BAA4B,EAAE;AAEjF,MAAIL,KAAG,WAAW,4BAA4B,GAAG;AAE7C;AAAA,EACJ;AACA,QAAMa,6BAA4B,8BAA8B,kBAAkB,gBAAgB,WAAW,GAAG;AAEhH,MAAI,KAAK;AACL,UAAM,4BAA4B,4BAA4B,kBAAkB,gBAAgB,eAAe,GAAG;AAElH,UAAM,4BAA4B,iCAAiC,kBAAkB,gBAAgB,WAAW,GAAG;AAEnH,QAAI,CAACb,KAAG,WAAW,mBAAmB,GAAG;AAErC,YAAM,cAAc,MAAM;AAAA,QACtB;AAAA,QACA;AAAA,QACA,GAAG,cAAc;AAAA;AAAA,QACjB;AAAA,QACA;AAAA,MACJ;AACA,iBAAW,8BAA8B,WAAW;AACpD,yBAAmB,mBAAmB;AAAA,IAC1C;AAAA,EACJ;AACJ;AAEA,eAAe,KAAK,MAA2B;AAC3C,MAAI;AACA,UAAM,KAAK;AAAA,EACf,SAAS,KAAK;AACV,YAAQ,IAAK,IAAc,OAAO;AAAA,EACtC;AACJ;AAEA,eAAe,4BAA4B,KAAc;AACrD,EAAAD,SAAO,YAAY;AACnB,QAAM,YAAY,aAAa,kBAAkB;AACjD,EAAAA,SAAOC,KAAG,WAAW,SAAS,CAAC;AAE/B,MAAI;AACJ,MAAI;AACJ,MAAI;AACJ,OAAK,YAAY;AACb,UAAM,gCAAgC;AACtC,UAAM,WAAWC,IAAG,SAAS;AAC7B,UAAMQ,QAAO,4BAA4B;AACzC,eAAWN,OAAM,OAAO,kBAAkB,GAAGA,OAAM,KAAK,QAAQ,CAAC;AACjE,eAAWA,OAAM,OAAO,kBAAkB,GAAGA,OAAM,KAAKM,KAAI,CAAC;AAC7D,gBAAY,mBAAmB,UAAU,kBAAkB;AAC3D,gBAAY,mBAAmB,UAAU,kBAAkB;AAC3D,yBAAqB,mBAAmB,UAAU,2BAA2B;AAE7E,iBAAa,8DAA8D;AAC3E,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AACzE,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AACzE,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AACzE,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AAEzE,iBAAa,8DAA8D;AAC3E,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AACzE,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AACzE,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AACzE,UAAM,yBAAyB,WAAW,WAAW,MAAM,WAAW,GAAG;AAEzE,iBAAa,uEAAuE;AACpF,UAAM,yBAAyB,WAAW,oBAAoB,MAAM,oBAAoB,GAAG;AAC3F,UAAM,yBAAyB,WAAW,oBAAoB,MAAM,oBAAoB,GAAG;AAC3F,UAAM,yBAAyB,WAAW,oBAAoB,MAAM,oBAAoB,GAAG;AAC3F,UAAM,yBAAyB,WAAW,oBAAoB,MAAM,oBAAoB,GAAG;AAAA,EAC/F,CAAC;AACL;AAEA,eAAe,0BAA0B,KAAc;AACnD,QAAMF,gCAA+B,EAAE;AACvC,QAAM,6BAA6B;AACnC,QAAM,4BAA4B,GAAG;AACzC;AAuCA,SAAS,WAAW,OAAiB;AACjC,SAAO,cAAc,OAAO,CAAC,MAAM,MAAM,SAAS,EAAE,IAAI,KAAK,EAAE,SAAS,UAAU,EAAE,SAAS,QAAQ;AACzG;AAEA,SAAS,SAAS,SAAiB,aAAqB,SAAoC,OAAgB;AACxG,QAAM,WAAW;AAAA,IACb;AAAA,MACI,QAAQ,YAAY,OAAO;AAAA,MAC3B,SAAS;AAAA,IACb;AAAA,IACA;AAAA,MACI,QAAQ;AAAA,MACR,SAAS,SAAS,MAAM,OAAO;AAAA,IACnC;AAAA,IACA;AAAA,MACI,QAAQ;AAAA,MACR,YAAY;AAAA,IAChB;AAAA,EACJ;AACA,UAAQ,IAAI,iBAAiB,QAAQ,CAAC;AAC1C;AAEA,eAAsB,KAAK,eAAkC;AACzD,QAAM,kBAAkB,CAAC,EAAE,MAAM,WAAW,eAAe,KAAK,CAAC;AACjE,MAAI;AACJ,MAAI;AACA,kBAAc,gBAAgB,iBAAiB,EAAE,MAAM,eAA2B,oBAAoB,KAAK,CAAC;AAAA,EAChH,SAAS,KAAK;AACV,YAAQ,IAAK,IAAc,OAAO;AAClC;AAAA,EACJ;AAEA,QAAM,OAAO,YAAY,YAAY,CAAC;AACtC,QAAM,UAAU,YAAY;AAE5B,MAAI,CAAC,WAAW,YAAY,QAAQ;AAChC,YAAQ;AAAA,MACJ,iBAAiB;AAAA,QACb;AAAA,UACI,QAAQ;AAAA,UACR,SAAS;AAAA;AAAA,EAAoC,MAAM;AAAA,QACvD;AAAA,QACA;AAAA,UACI,QAAQ;AAAA,UACR,SAAS;AAAA,YACL,EAAE,MAAM,QAAQ,SAAS,kDAAkD;AAAA,YAC3E,EAAE,MAAM,YAAY,SAAS,iCAAiC;AAAA,YAC9D,EAAE,MAAM,aAAa,SAAS,qCAAqC;AAAA,YACnE,EAAE,MAAM,eAAe,SAAS,2BAA2B;AAAA,YAC3D,EAAE,MAAM,4BAA4B,SAAS,gCAAgC;AAAA,YAC7E,EAAE,MAAM,OAAO,SAAS,uCAAuC;AAAA,YAC/D,EAAE,MAAM,QAAQ,SAAS,oEAAoE;AAAA,YAC7F,EAAE,MAAM,0BAA0B,SAAS,wBAAwB;AAAA,YACnE,EAAE,MAAM,0BAA0B,SAAS,0DAA0D;AAAA,YACrG,EAAE,MAAM,iCAAiC,SAAS,oCAAoC;AAAA,YACtF,EAAE,MAAM,WAAW,SAAS,6BAA6B;AAAA,UAC7D;AAAA,QACJ;AAAA,MACJ,CAAC;AAAA,IACL;AACA;AAAA,EACJ;AAEA,MAAI,YAAY,WAAW;AACvB,UAAM,aAAa,wBAAwB;AAC3C,UAAM,MAAM,KAAK,MAAMP,KAAG,aAAaE,MAAK,KAAK,YAAY,cAAc,GAAG,OAAO,CAAC;AACtF,YAAQ,IAAI,IAAI,OAAO;AACvB;AAAA,EACJ;AAEA,MAAI,YAAY,QAAQ;AACpB,UAAM,aAAa;AAAA,MACf,GAAG,WAAW,CAAC,QAAQ,QAAQ,CAAC;AAAA,MAChC,EAAE,MAAM,OAAO,MAAM,SAAS,aAAa,iEAAiE;AAAA,MAC5G,EAAE,MAAM,SAAS,MAAM,SAAS,aAAa,4CAA4C;AAAA,IAC7F;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW;AACX,aAAO;AAAA,QACH;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACJ;AAEJ,UAAM,KAAK,YAAY;AACnB,YAAM,yBAAyB;AAC/B,qBAAe,0BAA0B;AACzC,mBAAa,uBAAuB;AACpC,YAAM,kBAAkB,UAA+C;AACvE,UAAI,WAAW,OAAO;AAClB,qBAAa,2BAA2B;AACxC,QAAAH,SAAO,YAAY;AACnB,cAAM,iBAAiB,aAAa,kBAAkB;AACtD,cAAM,QAAQ,MAAMC,KAAG,SAAS,QAAQ,cAAc;AACtD,mBAAW,QAAQ,OAAO;AACtB,cAAI,KAAK,SAAS,MAAM,KAAK,KAAK,SAAS,MAAM,GAAG;AAChD,kBAAMA,KAAG,SAAS,OAAOE,MAAK,KAAK,gBAAgB,IAAI,CAAC;AAAA,UAC5D;AAAA,QACJ;AACA,2BAAmB,cAAc;AAAA,MACrC;AACA,mBAAa,qBAAqB;AAClC,YAAM,0BAA0B,WAAW,GAAG;AAC9C,qBAAe,4BAA4B;AAAA,IAC/C,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,YAAY;AACxB,UAAM,aAAa;AAAA,MACf,GAAG,WAAW,CAAC,QAAQ,YAAY,WAAW,QAAQ,CAAC;AAAA,MACvD,EAAE,MAAM,WAAW,MAAM,QAAQ,cAAc,gBAAgB,aAAa,6BAA6B;AAAA,IAC7G;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,KAAM,QAAO,SAAS,YAAY,kCAAkC,UAAU;AAE7F,UAAM,KAAK,YAAY;AACnB,YAAM,yBAAyB;AAC/B,YAAM,kBAAkB,UAA+C;AACvE,YAAMK,gCAA+B,WAAW,OAAO;AAAA,IAC3D,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,aAAa;AACzB,UAAM,aAAa,WAAW,CAAC,QAAQ,aAAa,WAAW,QAAQ,CAAC;AACxE,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,KAAM,QAAO,SAAS,aAAa,sCAAsC,UAAU;AAElG,UAAM,KAAK,YAAY;AACnB,YAAM,kBAAkB,UAA+C;AACvE,YAAM,6BAA6B;AAAA,IACvC,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,eAAe;AAC3B,UAAM,aAAa;AAAA,MACf,GAAG,WAAW,CAAC,QAAQ,YAAY,aAAa,cAAc,QAAQ,CAAC;AAAA,MACvE;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA,EAAE,MAAM,YAAY,OAAO,KAAK,MAAM,QAAQ,aAAa,mCAAmC;AAAA,MAC9F;AAAA,QACI,MAAM;AAAA,QACN,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA,EAAE,MAAM,MAAM,MAAM,QAAQ,cAAc,IAAI,aAAa,0CAA0C;AAAA,MACrG;AAAA,QACI,MAAM;AAAA,QACN,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,IACJ;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,QAAQ,CAAC,WAAW,kBAAkB,CAAC,WAAW;AAC7D,aAAO,SAAS,eAAe,4BAA4B,UAAU;AAEzE,mBAAe,oBAAoBO,aAAoC;AACnE,YAAM,aAAa,CAAC,CAAEA,YAAmD;AACzE,UAAI,CAAC,YAAY;AACb,cAAM,yBAAyBA,WAAU;AAAA,MAC7C,OAAO;AACH,cAAM,+BAA+BA,WAAU;AAAA,MACnD;AAAA,IACJ;AAEA,mBAAe,+BAA+BA,aAAoC;AAC9E,YAAM,QAAQ,MAAM,gCAAgC;AACpD,YAAM,kBAAkBA,WAAU;AAClC,YAAM,6BAA6B;AAEnC,sBAAgB,mCAAmC,aAAa,UAAU,EAAE;AAC5E,UAAI,UACAA,YAAW,WAAWA,YAAW,QAAQ,SAAS,IAAI,IAAIR,SAAQQ,YAAW,OAAO,IAAI,aAAa,WAAW;AAEpH,gBAAU,KAAK,MAAM,KAAK,UAAU,OAAO,CAAC;AAE5C,YAAM,SAA0C;AAAA,QAC5C,gBAAgB,aAAa,kBAAkB;AAAA,QAC/C,KAAK,aAAa,OAAO,CAAC;AAAA,QAC1B,IAAI,aAAa,MAAM,CAAC;AAAA,QACxB,YAAY,aAAa,cAAc;AAAA,QACvC,WAAW,aAAa,aAAa,oBAAI,KAAK;AAAA,QAC9C;AAAA,QACA,UAAU,aAAa,YAAY;AAAA,MACvC;AAEA,YAAM,mBAAmB,4BAA4B,MAAM;AAAA,IAC/D;AAEA,mBAAe,yBAAyBA,aAAoC;AACxE,YAAM,kBAAkBA,WAAU;AAClC,YAAM,6BAA6B;AACnC,YAAMP,gCAA+B,EAAE;AACvC,MAAAR,SAAOC,KAAG,WAAW,aAAa,YAAY,EAAE,GAAG,uBAAuB;AAC1E,mBAAa,aAAa;AAG1B,mBAAa,UAAUc,YAAW,WAAWA,YAAW,QAAQ,SAAS,IAAIA,YAAW,UAAU,aAAa;AAE/G,YAAM,WAAW,MAAM,mBAAmB;AAAA,QACtC;AAAA,MACJ;AACA,UAAI,CAAC,UAAU;AACX;AAAA,MACJ;AACA,iBAAW,gBAAgB,QAAQ;AACnC,YAAM,cAAc,SAAS,QAAQ,QAAQ,MAAM;AAEnD,UAAId,KAAG,WAAW,WAAW,GAAG;AAC5B,cAAM,IAAI,MAAM,SAAS,WAAW,gBAAgB;AAAA,MACxD;AACA,YAAM,uBAAuB;AAAA,QACzB;AAAA,QACA;AAAA,QACA;AAAA,MACJ;AAEA,MAAAD,SAAO,OAAO,aAAa,eAAe,QAAQ;AAClD,MAAAC,KAAG,cAAc,aAAa,cAAc,IAAIA,KAAG,aAAa,aAAa,OAAO,CAAC;AAAA,IACzF;AAEA,UAAM,KAAK,YAAY,MAAM,oBAAoB,UAA+C,CAAC;AACjG;AAAA,EACJ;AAEA,MAAI,YAAY,UAAU;AACtB,UAAM,aAAa,CAAC,EAAE,MAAM,mBAAmB,MAAM,QAAQ,eAAe,KAAK,GAAG,GAAG,WAAW,CAAC,QAAQ,UAAU,CAAC,CAAC;AACvH,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,QAAQ,CAAC,WAAW;AAC/B,aAAO;AAAA,QACH;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACJ;AAEJ,mBAAe,mBAAmB,aAAuB;AACrD,YAAM,uBAAuB,kBAAkB,aAAa,CAAC,CAAC;AAAA,IAClE;AAEA,UAAM,KAAK,YAAY;AACnB,YAAM,cAAcE,MAAK,QAAQ,WAAW,eAAe;AAC3D,iBAAWC,OAAM,OAAO,2BAA2B,GAAGA,OAAM,KAAK,WAAW,CAAC;AAC7E,UAAI,CAACH,KAAG,WAAW,WAAW,GAAG;AAC7B,cAAM,IAAI,MAAM,qCAAqC,WAAW,EAAE;AAAA,MACtE;AACA,YAAM,kBAAkB,UAA+C;AACvE,YAAMO,gCAA+B,EAAE;AACvC,YAAM,mBAAmB,WAAW;AACpC,iBAAW,WAAW;AACtB,iBAAW,YAAY,uBAAuB,cAAc;AAC5D,iBAAW,8DAA8D;AAAA,IAC7E,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,OAAO;AACnB,UAAM,aAAa;AAAA,MACf,GAAG,WAAW,CAAC,QAAQ,aAAa,cAAc,QAAQ,CAAC;AAAA,MAC3D;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,QACI,MAAM;AAAA,QACN,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA,EAAE,MAAM,MAAM,MAAM,QAAQ,cAAc,IAAI,aAAa,0CAA0C;AAAA,MACrG;AAAA,QACI,MAAM;AAAA,QACN,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,IACJ;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,KAAM,QAAO,SAAS,OAAO,wCAAwC,UAAU;AAE9F,UAAM,KAAK,YAAY;AACnB,YAAM,kBAAkB,UAA+C;AACvE,UAAI,CAACP,KAAG,WAAW,aAAa,aAAa,EAAE,GAAG;AAC9C,mBAAW,uBAAuB;AAAA,MACtC;AACA,YAAM,6BAA6B;AACnC,UAAI,CAAC,aAAa,cAAcA,KAAG,WAAW,aAAa,UAAU,GAAG;AACpE,cAAM,IAAI,MAAM,SAAS,aAAa,UAAU,gBAAgB;AAAA,MACpE;AACA,mBAAa,aAAa;AAG1B,mBAAa,UAAU,WAAW,WAAW,WAAW,QAAQ,SAAS,IAAI,WAAW,UAAU,aAAa;AAE/G,YAAM,oBAAoB,MAAM,mBAAmB;AAAA,QAC/C;AAAA,MACJ;AACA,UAAI,CAAC,mBAAmB;AACpB;AAAA,MACJ;AACA,UAAI,CAAC,aAAa,YAAY;AAC1B,mBAAW,8BAA8B;AACzC;AAAA,MACJ;AACA,YAAM,MAAM,MAAMA,KAAG,SAAS,SAAS,mBAAmB,OAAO;AACjE,MAAAA,KAAG,cAAc,aAAa,cAAc,IAAI,KAAK,OAAO;AAE5D,iBAAW,qBAAqB,aAAa,OAAO;AACpD,iBAAW,qBAAqB,aAAa,cAAc;AAC3D,iBAAW,qBAAqB,aAAa,QAAQ;AACrD,iBAAW,qBAAqB,aAAa,GAAG;AAChD,iBAAW,qBAAqB,aAAa,EAAE;AAE/C,iBAAW,eAAe,aAAa,UAAU;AAAA,IACrD,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,QAAQ;AACpB,UAAM,aAAa;AAAA,MACf,GAAG,WAAW,CAAC,QAAQ,YAAY,QAAQ,CAAC;AAAA,MAC5C,EAAE,MAAM,OAAO,OAAO,KAAK,MAAM,QAAQ,cAAc,sCAAsC,aAAa,UAAU;AAAA,MACpH;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA,EAAE,MAAM,YAAY,OAAO,KAAK,MAAM,QAAQ,cAAc,KAAK,aAAa,mCAAmC;AAAA,IACrH;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,QAAQ,CAAC,WAAW,OAAO,CAAC,WAAW;AAClD,aAAO,SAAS,QAAQ,qEAAqE,UAAU;AAE3G,UAAM,KAAK,YAAY;AACnB,YAAM,kBAAkB,UAA+C;AACvE,UAAI,CAACA,KAAG,WAAW,aAAa,YAAY,EAAE,GAAG;AAC7C,cAAM,IAAI,MAAM,wBAAwB,aAAa,QAAQ,EAAE;AAAA,MACnE;AACA,YAAMO,gCAA+B,EAAE;AACvC,YAAM,WAAmBL,MAAK,QAAS,WAA2C,OAAO,EAAE;AAC3F,UAAI,CAACF,KAAG,WAAW,QAAQ,GAAG;AAC1B,cAAM,IAAI,MAAM,8CAA8C,QAAQ,EAAE;AAAA,MAC5E;AACA,YAAM,cAAcE,MAAK,QAAQ,WAAW,UAAU,SAAS,QAAQ,QAAQ,MAAM,CAAC;AACtF,UAAIF,KAAG,WAAW,WAAW,GAAG;AAC5B,cAAM,IAAI,MAAM,SAAS,WAAW,gBAAgB;AAAA,MACxD;AAEA,YAAM,uBAAuB;AAAA,QACzB;AAAA,QACA;AAAA,QACA;AAAA,MACJ;AAEA,MAAAD,SAAO,OAAO,aAAa,eAAe,QAAQ;AAClD,MAAAC,KAAG,cAAc,aAAa,cAAc,IAAIA,KAAG,aAAa,aAAa,OAAO,CAAC;AAAA,IACzF,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,QAAQ;AACpB,UAAM,aAAa;AAAA,MACf,EAAE,MAAM,mBAAmB,MAAM,QAAQ,eAAe,KAAK;AAAA,MAC7D,EAAE,MAAM,QAAQ,OAAO,KAAK,MAAM,QAAQ;AAAA,IAC9C;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,QAAQ,CAAC,WAAW;AAC/B,aAAO,SAAS,0BAA0B,yBAAyB,UAAU;AAEjF,UAAM,KAAK,YAAY;AACnB,YAAM,OAAO,MAAM,gBAAgB,WAAW,eAAe;AAC7D,iBAAW,IAAI;AAAA,IACnB,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,SAAS;AACrB,UAAM,aAAa;AAAA,MACf,EAAE,MAAM,kBAAkB,MAAM,QAAQ,eAAe,KAAK;AAAA,MAC5D,EAAE,MAAM,QAAQ,OAAO,KAAK,MAAM,QAAQ;AAAA,IAC9C;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,QAAQ,CAAC,WAAW;AAC/B,aAAO,SAAS,0BAA0B,2DAA2D,UAAU;AAEnH,UAAM,KAAK,YAAY;AACnB,YAAM,MAAM,WAAW,cAAc;AAAA,IACzC,CAAC;AACD;AAAA,EACJ;AAEA,MAAI,YAAY,eAAe;AAC3B,UAAM,aAAa;AAAA,MACf,EAAE,MAAM,mBAAmB,MAAM,QAAQ,eAAe,KAAK;AAAA,MAC7D,EAAE,MAAM,QAAQ,OAAO,KAAK,MAAM,QAAQ;AAAA,IAC9C;AACA,UAAM,aAAa,gBAAgB,YAAY,EAAE,KAAK,CAAC;AACvD,QAAI,WAAW,QAAQ,CAAC,WAAW;AAC/B,aAAO,SAAS,iCAAiC,qCAAqC,UAAU;AAEpG,UAAM,KAAK,YAAY;AACnB,YAAM,cAAc,WAAW;AAC/B,YAAM,OAAO,MAAM,YAAY,WAAW;AAC1C,UAAI,CAAC,KAAM;AACX,YAAM,IAAI,KAAK,MAAM,GAAG,EAAE,CAAC,EAAE,MAAM,GAAG,EAAE,KAAK,EAAE,EAAE,KAAK;AACtD,iBAAW,CAAC;AAAA,IAChB,CAAC;AACD;AAAA,EACJ;AAEA,UAAQ,IAAI,oBAAoB,OAAO,EAAE;AAC7C;AA9gCA,IAgEM,QASA,OACA,WACA,eACA,WA0BF,cAEA,wBAuBA,oBA8aE;AA7iBN;AAAA;AAAA;AAAA;AAqCA;AACA;AACA;AACA;AAaA;AASA;AAEA,IAAM,SAAS;AASf,IAAM,QAAQ,oBAAI,KAAK;AACvB,IAAM,YAAY,gBAAgB,OAAO,EAAE;AAC3C,IAAM,gBAAgB,gBAAgB,OAAO,KAAK,GAAG;AACrD,IAAM,YAAY,gBAAgB,OAAO,GAAG;AA0B5C,IAAI,eAA4B,CAAC;AAucjC,IAAM,gBAAgB;AAAA,MAClB;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA,EAAE,MAAM,aAAa,MAAM,QAAQ,cAAc,cAAc,aAAa,gDAAgD;AAAA,MAC5H,EAAE,MAAM,UAAU,MAAM,SAAS,cAAc,OAAO,aAAa,kBAAkB;AAAA,MACrF;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,QACI,MAAM;AAAA,QACN,OAAO;AAAA,QACP,MAAM;AAAA,QACN,cAAc;AAAA,QACd,aAAa;AAAA,MACjB;AAAA,MACA,EAAE,MAAM,QAAQ,OAAO,KAAK,MAAM,SAAS,aAAa,oBAAoB;AAAA,IAChF;AAAA;AAAA;;;AC7kBA;AAAA;AAAA;AACA;AAEA,SAAS,QAAQ,KAAK,OAAO,CAAC,CAAC;AAAA;AAAA;","names":["assert","chalk","assert","fs","assert","assert","fs","pemToPrivateKey","Subject","fs","path","chalk","fingerprint","today","Subject","fs","os","path","chalk","doDebug","quote","opensslFolder","opensslExecPath","url","assert","child_process","fs","os","byline","chalk","execute","assert","fs","path","n","s","init_toolbox","assert","fs","path","q","n","Subject","init_create_certificate_signing_request","init_toolbox","init_create_certificate_signing_request","init_toolbox","config","assert","fs","path","chalk","generatePrivateKeyFile","Subject","config","q","n","dns","assert","fs","os","path","chalk","CertificatePurpose","generatePrivateKeyFile","Subject","construct_CertificateAuthority","default_config_template","fqdn","dns","applicationUri","ip","createSelfSignedCertificate","local_argv"]}