sm-crypto-v2 1.8.0 → 1.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,3784 @@
1
+ "use strict";
2
+ function _array_like_to_array(arr, len) {
3
+ if (len == null || len > arr.length) len = arr.length;
4
+ for(var i = 0, arr2 = new Array(len); i < len; i++)arr2[i] = arr[i];
5
+ return arr2;
6
+ }
7
+ function _array_with_holes(arr) {
8
+ if (Array.isArray(arr)) return arr;
9
+ }
10
+ function _array_without_holes(arr) {
11
+ if (Array.isArray(arr)) return _array_like_to_array(arr);
12
+ }
13
+ function _assert_this_initialized(self) {
14
+ if (self === void 0) {
15
+ throw new ReferenceError("this hasn't been initialised - super() hasn't been called");
16
+ }
17
+ return self;
18
+ }
19
+ function asyncGeneratorStep(gen, resolve, reject, _next, _throw, key, arg) {
20
+ try {
21
+ var info = gen[key](arg);
22
+ var value = info.value;
23
+ } catch (error) {
24
+ reject(error);
25
+ return;
26
+ }
27
+ if (info.done) {
28
+ resolve(value);
29
+ } else {
30
+ Promise.resolve(value).then(_next, _throw);
31
+ }
32
+ }
33
+ function _async_to_generator(fn) {
34
+ return function() {
35
+ var self = this, args = arguments;
36
+ return new Promise(function(resolve, reject) {
37
+ var gen = fn.apply(self, args);
38
+ function _next(value) {
39
+ asyncGeneratorStep(gen, resolve, reject, _next, _throw, "next", value);
40
+ }
41
+ function _throw(err) {
42
+ asyncGeneratorStep(gen, resolve, reject, _next, _throw, "throw", err);
43
+ }
44
+ _next(undefined);
45
+ });
46
+ };
47
+ }
48
+ function _class_call_check(instance, Constructor) {
49
+ if (!(instance instanceof Constructor)) {
50
+ throw new TypeError("Cannot call a class as a function");
51
+ }
52
+ }
53
+ function _construct(Parent, args, Class) {
54
+ if (_is_native_reflect_construct()) {
55
+ _construct = Reflect.construct;
56
+ } else {
57
+ _construct = function construct(Parent, args, Class) {
58
+ var a = [
59
+ null
60
+ ];
61
+ a.push.apply(a, args);
62
+ var Constructor = Function.bind.apply(Parent, a);
63
+ var instance = new Constructor();
64
+ if (Class) _set_prototype_of(instance, Class.prototype);
65
+ return instance;
66
+ };
67
+ }
68
+ return _construct.apply(null, arguments);
69
+ }
70
+ function _defineProperties(target, props) {
71
+ for(var i = 0; i < props.length; i++){
72
+ var descriptor = props[i];
73
+ descriptor.enumerable = descriptor.enumerable || false;
74
+ descriptor.configurable = true;
75
+ if ("value" in descriptor) descriptor.writable = true;
76
+ Object.defineProperty(target, descriptor.key, descriptor);
77
+ }
78
+ }
79
+ function _create_class(Constructor, protoProps, staticProps) {
80
+ if (protoProps) _defineProperties(Constructor.prototype, protoProps);
81
+ if (staticProps) _defineProperties(Constructor, staticProps);
82
+ return Constructor;
83
+ }
84
+ function _define_property(obj, key, value) {
85
+ if (key in obj) {
86
+ Object.defineProperty(obj, key, {
87
+ value: value,
88
+ enumerable: true,
89
+ configurable: true,
90
+ writable: true
91
+ });
92
+ } else {
93
+ obj[key] = value;
94
+ }
95
+ return obj;
96
+ }
97
+ function _get_prototype_of(o) {
98
+ _get_prototype_of = Object.setPrototypeOf ? Object.getPrototypeOf : function getPrototypeOf(o) {
99
+ return o.__proto__ || Object.getPrototypeOf(o);
100
+ };
101
+ return _get_prototype_of(o);
102
+ }
103
+ function _inherits(subClass, superClass) {
104
+ if (typeof superClass !== "function" && superClass !== null) {
105
+ throw new TypeError("Super expression must either be null or a function");
106
+ }
107
+ subClass.prototype = Object.create(superClass && superClass.prototype, {
108
+ constructor: {
109
+ value: subClass,
110
+ writable: true,
111
+ configurable: true
112
+ }
113
+ });
114
+ if (superClass) _set_prototype_of(subClass, superClass);
115
+ }
116
+ function _instanceof(left, right) {
117
+ if (right != null && typeof Symbol !== "undefined" && right[Symbol.hasInstance]) {
118
+ return !!right[Symbol.hasInstance](left);
119
+ } else {
120
+ return left instanceof right;
121
+ }
122
+ }
123
+ function _is_native_function(fn) {
124
+ return Function.toString.call(fn).indexOf("[native code]") !== -1;
125
+ }
126
+ function _iterable_to_array(iter) {
127
+ if (typeof Symbol !== "undefined" && iter[Symbol.iterator] != null || iter["@@iterator"] != null) return Array.from(iter);
128
+ }
129
+ function _iterable_to_array_limit(arr, i) {
130
+ var _i = arr == null ? null : typeof Symbol !== "undefined" && arr[Symbol.iterator] || arr["@@iterator"];
131
+ if (_i == null) return;
132
+ var _arr = [];
133
+ var _n = true;
134
+ var _d = false;
135
+ var _s, _e;
136
+ try {
137
+ for(_i = _i.call(arr); !(_n = (_s = _i.next()).done); _n = true){
138
+ _arr.push(_s.value);
139
+ if (i && _arr.length === i) break;
140
+ }
141
+ } catch (err) {
142
+ _d = true;
143
+ _e = err;
144
+ } finally{
145
+ try {
146
+ if (!_n && _i["return"] != null) _i["return"]();
147
+ } finally{
148
+ if (_d) throw _e;
149
+ }
150
+ }
151
+ return _arr;
152
+ }
153
+ function _non_iterable_rest() {
154
+ throw new TypeError("Invalid attempt to destructure non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
155
+ }
156
+ function _non_iterable_spread() {
157
+ throw new TypeError("Invalid attempt to spread non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
158
+ }
159
+ function _object_spread(target) {
160
+ for(var i = 1; i < arguments.length; i++){
161
+ var source = arguments[i] != null ? arguments[i] : {};
162
+ var ownKeys = Object.keys(source);
163
+ if (typeof Object.getOwnPropertySymbols === "function") {
164
+ ownKeys = ownKeys.concat(Object.getOwnPropertySymbols(source).filter(function(sym) {
165
+ return Object.getOwnPropertyDescriptor(source, sym).enumerable;
166
+ }));
167
+ }
168
+ ownKeys.forEach(function(key) {
169
+ _define_property(target, key, source[key]);
170
+ });
171
+ }
172
+ return target;
173
+ }
174
+ function ownKeys(object, enumerableOnly) {
175
+ var keys = Object.keys(object);
176
+ if (Object.getOwnPropertySymbols) {
177
+ var symbols = Object.getOwnPropertySymbols(object);
178
+ if (enumerableOnly) {
179
+ symbols = symbols.filter(function(sym) {
180
+ return Object.getOwnPropertyDescriptor(object, sym).enumerable;
181
+ });
182
+ }
183
+ keys.push.apply(keys, symbols);
184
+ }
185
+ return keys;
186
+ }
187
+ function _object_spread_props(target, source) {
188
+ source = source != null ? source : {};
189
+ if (Object.getOwnPropertyDescriptors) {
190
+ Object.defineProperties(target, Object.getOwnPropertyDescriptors(source));
191
+ } else {
192
+ ownKeys(Object(source)).forEach(function(key) {
193
+ Object.defineProperty(target, key, Object.getOwnPropertyDescriptor(source, key));
194
+ });
195
+ }
196
+ return target;
197
+ }
198
+ function _possible_constructor_return(self, call) {
199
+ if (call && (_type_of(call) === "object" || typeof call === "function")) {
200
+ return call;
201
+ }
202
+ return _assert_this_initialized(self);
203
+ }
204
+ function _set_prototype_of(o, p) {
205
+ _set_prototype_of = Object.setPrototypeOf || function setPrototypeOf(o, p) {
206
+ o.__proto__ = p;
207
+ return o;
208
+ };
209
+ return _set_prototype_of(o, p);
210
+ }
211
+ function _sliced_to_array(arr, i) {
212
+ return _array_with_holes(arr) || _iterable_to_array_limit(arr, i) || _unsupported_iterable_to_array(arr, i) || _non_iterable_rest();
213
+ }
214
+ function _to_consumable_array(arr) {
215
+ return _array_without_holes(arr) || _iterable_to_array(arr) || _unsupported_iterable_to_array(arr) || _non_iterable_spread();
216
+ }
217
+ function _type_of(obj) {
218
+ "@swc/helpers - typeof";
219
+ return obj && typeof Symbol !== "undefined" && obj.constructor === Symbol ? "symbol" : typeof obj;
220
+ }
221
+ function _unsupported_iterable_to_array(o, minLen) {
222
+ if (!o) return;
223
+ if (typeof o === "string") return _array_like_to_array(o, minLen);
224
+ var n = Object.prototype.toString.call(o).slice(8, -1);
225
+ if (n === "Object" && o.constructor) n = o.constructor.name;
226
+ if (n === "Map" || n === "Set") return Array.from(n);
227
+ if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array(o, minLen);
228
+ }
229
+ function _wrap_native_super(Class) {
230
+ var _cache = typeof Map === "function" ? new Map() : undefined;
231
+ _wrap_native_super = function wrapNativeSuper(Class) {
232
+ if (Class === null || !_is_native_function(Class)) return Class;
233
+ if (typeof Class !== "function") {
234
+ throw new TypeError("Super expression must either be null or a function");
235
+ }
236
+ if (typeof _cache !== "undefined") {
237
+ if (_cache.has(Class)) return _cache.get(Class);
238
+ _cache.set(Class, Wrapper);
239
+ }
240
+ function Wrapper() {
241
+ return _construct(Class, arguments, _get_prototype_of(this).constructor);
242
+ }
243
+ Wrapper.prototype = Object.create(Class.prototype, {
244
+ constructor: {
245
+ value: Wrapper,
246
+ enumerable: false,
247
+ writable: true,
248
+ configurable: true
249
+ }
250
+ });
251
+ return _set_prototype_of(Wrapper, Class);
252
+ };
253
+ return _wrap_native_super(Class);
254
+ }
255
+ function _is_native_reflect_construct() {
256
+ if (typeof Reflect === "undefined" || !Reflect.construct) return false;
257
+ if (Reflect.construct.sham) return false;
258
+ if (typeof Proxy === "function") return true;
259
+ try {
260
+ Boolean.prototype.valueOf.call(Reflect.construct(Boolean, [], function() {}));
261
+ return true;
262
+ } catch (e) {
263
+ return false;
264
+ }
265
+ }
266
+ function _create_super(Derived) {
267
+ var hasNativeReflectConstruct = _is_native_reflect_construct();
268
+ return function _createSuperInternal() {
269
+ var Super = _get_prototype_of(Derived), result;
270
+ if (hasNativeReflectConstruct) {
271
+ var NewTarget = _get_prototype_of(this).constructor;
272
+ result = Reflect.construct(Super, arguments, NewTarget);
273
+ } else {
274
+ result = Super.apply(this, arguments);
275
+ }
276
+ return _possible_constructor_return(this, result);
277
+ };
278
+ }
279
+ function _ts_generator(thisArg, body) {
280
+ var f, y, t, g, _ = {
281
+ label: 0,
282
+ sent: function() {
283
+ if (t[0] & 1) throw t[1];
284
+ return t[1];
285
+ },
286
+ trys: [],
287
+ ops: []
288
+ };
289
+ return g = {
290
+ next: verb(0),
291
+ "throw": verb(1),
292
+ "return": verb(2)
293
+ }, typeof Symbol === "function" && (g[Symbol.iterator] = function() {
294
+ return this;
295
+ }), g;
296
+ function verb(n) {
297
+ return function(v) {
298
+ return step([
299
+ n,
300
+ v
301
+ ]);
302
+ };
303
+ }
304
+ function step(op) {
305
+ if (f) throw new TypeError("Generator is already executing.");
306
+ while(_)try {
307
+ if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
308
+ if (y = 0, t) op = [
309
+ op[0] & 2,
310
+ t.value
311
+ ];
312
+ switch(op[0]){
313
+ case 0:
314
+ case 1:
315
+ t = op;
316
+ break;
317
+ case 4:
318
+ _.label++;
319
+ return {
320
+ value: op[1],
321
+ done: false
322
+ };
323
+ case 5:
324
+ _.label++;
325
+ y = op[1];
326
+ op = [
327
+ 0
328
+ ];
329
+ continue;
330
+ case 7:
331
+ op = _.ops.pop();
332
+ _.trys.pop();
333
+ continue;
334
+ default:
335
+ if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) {
336
+ _ = 0;
337
+ continue;
338
+ }
339
+ if (op[0] === 3 && (!t || op[1] > t[0] && op[1] < t[3])) {
340
+ _.label = op[1];
341
+ break;
342
+ }
343
+ if (op[0] === 6 && _.label < t[1]) {
344
+ _.label = t[1];
345
+ t = op;
346
+ break;
347
+ }
348
+ if (t && _.label < t[2]) {
349
+ _.label = t[2];
350
+ _.ops.push(op);
351
+ break;
352
+ }
353
+ if (t[2]) _.ops.pop();
354
+ _.trys.pop();
355
+ continue;
356
+ }
357
+ op = body.call(thisArg, _);
358
+ } catch (e) {
359
+ op = [
360
+ 6,
361
+ e
362
+ ];
363
+ y = 0;
364
+ } finally{
365
+ f = t = 0;
366
+ }
367
+ if (op[0] & 5) throw op[1];
368
+ return {
369
+ value: op[0] ? op[1] : void 0,
370
+ done: true
371
+ };
372
+ }
373
+ }
374
+ var __create = Object.create;
375
+ var __defProp = Object.defineProperty;
376
+ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
377
+ var __getOwnPropNames = Object.getOwnPropertyNames;
378
+ var __getProtoOf = Object.getPrototypeOf;
379
+ var __hasOwnProp = Object.prototype.hasOwnProperty;
380
+ var __defNormalProp = function(obj, key, value) {
381
+ return key in obj ? __defProp(obj, key, {
382
+ enumerable: true,
383
+ configurable: true,
384
+ writable: true,
385
+ value: value
386
+ }) : obj[key] = value;
387
+ };
388
+ var __export = function(target, all) {
389
+ for(var name in all)__defProp(target, name, {
390
+ get: all[name],
391
+ enumerable: true
392
+ });
393
+ };
394
+ var __copyProps = function(to, from, except, desc) {
395
+ if (from && typeof from === "object" || typeof from === "function") {
396
+ var _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = undefined;
397
+ try {
398
+ var _loop = function() {
399
+ var key = _step.value;
400
+ if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
401
+ get: function() {
402
+ return from[key];
403
+ },
404
+ enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
405
+ });
406
+ };
407
+ for(var _iterator = __getOwnPropNames(from)[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true)_loop();
408
+ } catch (err) {
409
+ _didIteratorError = true;
410
+ _iteratorError = err;
411
+ } finally{
412
+ try {
413
+ if (!_iteratorNormalCompletion && _iterator.return != null) {
414
+ _iterator.return();
415
+ }
416
+ } finally{
417
+ if (_didIteratorError) {
418
+ throw _iteratorError;
419
+ }
420
+ }
421
+ }
422
+ }
423
+ return to;
424
+ };
425
+ var __toESM = function(mod2, isNodeMode, target) {
426
+ return target = mod2 != null ? __create(__getProtoOf(mod2)) : {}, __copyProps(// If the importer is in node compatibility mode or this is not an ESM
427
+ // file that has been converted to a CommonJS file using a Babel-
428
+ // compatible transform (i.e. "__esModule" has not been set), then set
429
+ // "default" to the CommonJS "module.exports" for node compatibility.
430
+ isNodeMode || !mod2 || !mod2.__esModule ? __defProp(target, "default", {
431
+ value: mod2,
432
+ enumerable: true
433
+ }) : target, mod2);
434
+ };
435
+ var __toCommonJS = function(mod2) {
436
+ return __copyProps(__defProp({}, "__esModule", {
437
+ value: true
438
+ }), mod2);
439
+ };
440
+ var __publicField = function(obj, key, value) {
441
+ __defNormalProp(obj, (typeof key === "undefined" ? "undefined" : _type_of(key)) !== "symbol" ? key + "" : key, value);
442
+ return value;
443
+ };
444
+ // src/index.ts
445
+ var src_exports = {};
446
+ __export(src_exports, {
447
+ sm2: function() {
448
+ return sm2_exports;
449
+ },
450
+ sm3: function() {
451
+ return sm32;
452
+ },
453
+ sm4: function() {
454
+ return sm4_exports;
455
+ }
456
+ });
457
+ module.exports = __toCommonJS(src_exports);
458
+ // src/sm2/index.ts
459
+ var sm2_exports = {};
460
+ __export(sm2_exports, {
461
+ EmptyArray: function() {
462
+ return EmptyArray;
463
+ },
464
+ arrayToHex: function() {
465
+ return arrayToHex;
466
+ },
467
+ arrayToUtf8: function() {
468
+ return arrayToUtf8;
469
+ },
470
+ calculateSharedKey: function() {
471
+ return calculateSharedKey;
472
+ },
473
+ comparePublicKeyHex: function() {
474
+ return comparePublicKeyHex;
475
+ },
476
+ compressPublicKeyHex: function() {
477
+ return compressPublicKeyHex;
478
+ },
479
+ doDecrypt: function() {
480
+ return doDecrypt;
481
+ },
482
+ doEncrypt: function() {
483
+ return doEncrypt;
484
+ },
485
+ doSignature: function() {
486
+ return doSignature;
487
+ },
488
+ doVerifySignature: function() {
489
+ return doVerifySignature;
490
+ },
491
+ generateKeyPairHex: function() {
492
+ return generateKeyPairHex;
493
+ },
494
+ getHash: function() {
495
+ return getHash;
496
+ },
497
+ getPoint: function() {
498
+ return getPoint;
499
+ },
500
+ getPublicKeyFromPrivateKey: function() {
501
+ return getPublicKeyFromPrivateKey;
502
+ },
503
+ getZ: function() {
504
+ return getZ;
505
+ },
506
+ hexToArray: function() {
507
+ return hexToArray;
508
+ },
509
+ initRNGPool: function() {
510
+ return initRNGPool;
511
+ },
512
+ leftPad: function() {
513
+ return leftPad;
514
+ },
515
+ precomputePublicKey: function() {
516
+ return precomputePublicKey;
517
+ },
518
+ utf8ToHex: function() {
519
+ return utf8ToHex;
520
+ },
521
+ verifyPublicKey: function() {
522
+ return verifyPublicKey;
523
+ }
524
+ });
525
+ // node_modules/.pnpm/@noble+curves@1.1.0/node_modules/@noble/curves/esm/abstract/utils.js
526
+ var utils_exports = {};
527
+ __export(utils_exports, {
528
+ bitGet: function() {
529
+ return bitGet;
530
+ },
531
+ bitLen: function() {
532
+ return bitLen;
533
+ },
534
+ bitMask: function() {
535
+ return bitMask;
536
+ },
537
+ bitSet: function() {
538
+ return bitSet;
539
+ },
540
+ bytesToHex: function() {
541
+ return bytesToHex;
542
+ },
543
+ bytesToNumberBE: function() {
544
+ return bytesToNumberBE;
545
+ },
546
+ bytesToNumberLE: function() {
547
+ return bytesToNumberLE;
548
+ },
549
+ concatBytes: function() {
550
+ return concatBytes;
551
+ },
552
+ createHmacDrbg: function() {
553
+ return createHmacDrbg;
554
+ },
555
+ ensureBytes: function() {
556
+ return ensureBytes;
557
+ },
558
+ equalBytes: function() {
559
+ return equalBytes;
560
+ },
561
+ hexToBytes: function() {
562
+ return hexToBytes;
563
+ },
564
+ hexToNumber: function() {
565
+ return hexToNumber;
566
+ },
567
+ numberToBytesBE: function() {
568
+ return numberToBytesBE;
569
+ },
570
+ numberToBytesLE: function() {
571
+ return numberToBytesLE;
572
+ },
573
+ numberToHexUnpadded: function() {
574
+ return numberToHexUnpadded;
575
+ },
576
+ numberToVarBytesBE: function() {
577
+ return numberToVarBytesBE;
578
+ },
579
+ utf8ToBytes: function() {
580
+ return utf8ToBytes;
581
+ },
582
+ validateObject: function() {
583
+ return validateObject;
584
+ }
585
+ });
586
+ var _0n = BigInt(0);
587
+ var _1n = BigInt(1);
588
+ var _2n = BigInt(2);
589
+ var u8a = function(a) {
590
+ return _instanceof(a, Uint8Array);
591
+ };
592
+ var hexes = Array.from({
593
+ length: 256
594
+ }, function(v, i) {
595
+ return i.toString(16).padStart(2, "0");
596
+ });
597
+ function bytesToHex(bytes) {
598
+ if (!u8a(bytes)) throw new Error("Uint8Array expected");
599
+ var hex = "";
600
+ for(var i = 0; i < bytes.length; i++){
601
+ hex += hexes[bytes[i]];
602
+ }
603
+ return hex;
604
+ }
605
+ function numberToHexUnpadded(num) {
606
+ var hex = num.toString(16);
607
+ return hex.length & 1 ? "0".concat(hex) : hex;
608
+ }
609
+ function hexToNumber(hex) {
610
+ if (typeof hex !== "string") throw new Error("hex string expected, got " + (typeof hex === "undefined" ? "undefined" : _type_of(hex)));
611
+ return BigInt(hex === "" ? "0" : "0x".concat(hex));
612
+ }
613
+ function hexToBytes(hex) {
614
+ if (typeof hex !== "string") throw new Error("hex string expected, got " + (typeof hex === "undefined" ? "undefined" : _type_of(hex)));
615
+ var len = hex.length;
616
+ if (len % 2) throw new Error("padded hex string expected, got unpadded hex of length " + len);
617
+ var array = new Uint8Array(len / 2);
618
+ for(var i = 0; i < array.length; i++){
619
+ var j = i * 2;
620
+ var hexByte = hex.slice(j, j + 2);
621
+ var byte = Number.parseInt(hexByte, 16);
622
+ if (Number.isNaN(byte) || byte < 0) throw new Error("Invalid byte sequence");
623
+ array[i] = byte;
624
+ }
625
+ return array;
626
+ }
627
+ function bytesToNumberBE(bytes) {
628
+ return hexToNumber(bytesToHex(bytes));
629
+ }
630
+ function bytesToNumberLE(bytes) {
631
+ if (!u8a(bytes)) throw new Error("Uint8Array expected");
632
+ return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
633
+ }
634
+ function numberToBytesBE(n, len) {
635
+ return hexToBytes(n.toString(16).padStart(len * 2, "0"));
636
+ }
637
+ function numberToBytesLE(n, len) {
638
+ return numberToBytesBE(n, len).reverse();
639
+ }
640
+ function numberToVarBytesBE(n) {
641
+ return hexToBytes(numberToHexUnpadded(n));
642
+ }
643
+ function ensureBytes(title, hex, expectedLength) {
644
+ var res;
645
+ if (typeof hex === "string") {
646
+ try {
647
+ res = hexToBytes(hex);
648
+ } catch (e) {
649
+ throw new Error("".concat(title, ' must be valid hex string, got "').concat(hex, '". Cause: ').concat(e));
650
+ }
651
+ } else if (u8a(hex)) {
652
+ res = Uint8Array.from(hex);
653
+ } else {
654
+ throw new Error("".concat(title, " must be hex string or Uint8Array"));
655
+ }
656
+ var len = res.length;
657
+ if (typeof expectedLength === "number" && len !== expectedLength) throw new Error("".concat(title, " expected ").concat(expectedLength, " bytes, got ").concat(len));
658
+ return res;
659
+ }
660
+ function concatBytes() {
661
+ for(var _len = arguments.length, arrays = new Array(_len), _key = 0; _key < _len; _key++){
662
+ arrays[_key] = arguments[_key];
663
+ }
664
+ var r = new Uint8Array(arrays.reduce(function(sum, a) {
665
+ return sum + a.length;
666
+ }, 0));
667
+ var pad = 0;
668
+ arrays.forEach(function(a) {
669
+ if (!u8a(a)) throw new Error("Uint8Array expected");
670
+ r.set(a, pad);
671
+ pad += a.length;
672
+ });
673
+ return r;
674
+ }
675
+ function equalBytes(b1, b2) {
676
+ if (b1.length !== b2.length) return false;
677
+ for(var i = 0; i < b1.length; i++)if (b1[i] !== b2[i]) return false;
678
+ return true;
679
+ }
680
+ function utf8ToBytes(str) {
681
+ if (typeof str !== "string") throw new Error("utf8ToBytes expected string, got ".concat(typeof str === "undefined" ? "undefined" : _type_of(str)));
682
+ return new Uint8Array(new TextEncoder().encode(str));
683
+ }
684
+ function bitLen(n) {
685
+ var len;
686
+ for(len = 0; n > _0n; n >>= _1n, len += 1);
687
+ return len;
688
+ }
689
+ function bitGet(n, pos) {
690
+ return n >> BigInt(pos) & _1n;
691
+ }
692
+ var bitSet = function(n, pos, value) {
693
+ return n | (value ? _1n : _0n) << BigInt(pos);
694
+ };
695
+ var bitMask = function(n) {
696
+ return (_2n << BigInt(n - 1)) - _1n;
697
+ };
698
+ var u8n = function(data) {
699
+ return new Uint8Array(data);
700
+ };
701
+ var u8fr = function(arr) {
702
+ return Uint8Array.from(arr);
703
+ };
704
+ function createHmacDrbg(hashLen, qByteLen, hmacFn) {
705
+ if (typeof hashLen !== "number" || hashLen < 2) throw new Error("hashLen must be a number");
706
+ if (typeof qByteLen !== "number" || qByteLen < 2) throw new Error("qByteLen must be a number");
707
+ if (typeof hmacFn !== "function") throw new Error("hmacFn must be a function");
708
+ var v = u8n(hashLen);
709
+ var k = u8n(hashLen);
710
+ var i = 0;
711
+ var reset = function() {
712
+ v.fill(1);
713
+ k.fill(0);
714
+ i = 0;
715
+ };
716
+ var h = function() {
717
+ for(var _len = arguments.length, b = new Array(_len), _key = 0; _key < _len; _key++){
718
+ b[_key] = arguments[_key];
719
+ }
720
+ return hmacFn.apply(void 0, [
721
+ k,
722
+ v
723
+ ].concat(_to_consumable_array(b)));
724
+ };
725
+ var reseed = function() {
726
+ var seed = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : u8n();
727
+ k = h(u8fr([
728
+ 0
729
+ ]), seed);
730
+ v = h();
731
+ if (seed.length === 0) return;
732
+ k = h(u8fr([
733
+ 1
734
+ ]), seed);
735
+ v = h();
736
+ };
737
+ var gen = function() {
738
+ if (i++ >= 1e3) throw new Error("drbg: tried 1000 values");
739
+ var len = 0;
740
+ var out = [];
741
+ while(len < qByteLen){
742
+ v = h();
743
+ var sl = v.slice();
744
+ out.push(sl);
745
+ len += v.length;
746
+ }
747
+ return concatBytes.apply(void 0, _to_consumable_array(out));
748
+ };
749
+ var genUntil = function(seed, pred) {
750
+ reset();
751
+ reseed(seed);
752
+ var res = void 0;
753
+ while(!(res = pred(gen())))reseed();
754
+ reset();
755
+ return res;
756
+ };
757
+ return genUntil;
758
+ }
759
+ var validatorFns = {
760
+ bigint: function(val) {
761
+ return (typeof val === "undefined" ? "undefined" : _type_of(val)) === "bigint";
762
+ },
763
+ function: function(val) {
764
+ return typeof val === "function";
765
+ },
766
+ boolean: function(val) {
767
+ return typeof val === "boolean";
768
+ },
769
+ string: function(val) {
770
+ return typeof val === "string";
771
+ },
772
+ isSafeInteger: function(val) {
773
+ return Number.isSafeInteger(val);
774
+ },
775
+ array: function(val) {
776
+ return Array.isArray(val);
777
+ },
778
+ field: function(val, object) {
779
+ return object.Fp.isValid(val);
780
+ },
781
+ hash: function(val) {
782
+ return typeof val === "function" && Number.isSafeInteger(val.outputLen);
783
+ }
784
+ };
785
+ function validateObject(object, validators) {
786
+ var optValidators = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : {};
787
+ var checkField = function(fieldName, type, isOptional) {
788
+ var checkVal = validatorFns[type];
789
+ if (typeof checkVal !== "function") throw new Error('Invalid validator "'.concat(type, '", expected function'));
790
+ var val = object[fieldName];
791
+ if (isOptional && val === void 0) return;
792
+ if (!checkVal(val, object)) {
793
+ throw new Error("Invalid param ".concat(String(fieldName), "=").concat(val, " (").concat(typeof val === "undefined" ? "undefined" : _type_of(val), "), expected ").concat(type));
794
+ }
795
+ };
796
+ var _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = undefined;
797
+ try {
798
+ for(var _iterator = Object.entries(validators)[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true){
799
+ var _step_value = _sliced_to_array(_step.value, 2), fieldName = _step_value[0], type = _step_value[1];
800
+ checkField(fieldName, type, false);
801
+ }
802
+ } catch (err) {
803
+ _didIteratorError = true;
804
+ _iteratorError = err;
805
+ } finally{
806
+ try {
807
+ if (!_iteratorNormalCompletion && _iterator.return != null) {
808
+ _iterator.return();
809
+ }
810
+ } finally{
811
+ if (_didIteratorError) {
812
+ throw _iteratorError;
813
+ }
814
+ }
815
+ }
816
+ var _iteratorNormalCompletion1 = true, _didIteratorError1 = false, _iteratorError1 = undefined;
817
+ try {
818
+ for(var _iterator1 = Object.entries(optValidators)[Symbol.iterator](), _step1; !(_iteratorNormalCompletion1 = (_step1 = _iterator1.next()).done); _iteratorNormalCompletion1 = true){
819
+ var _step_value1 = _sliced_to_array(_step1.value, 2), fieldName1 = _step_value1[0], type1 = _step_value1[1];
820
+ checkField(fieldName1, type1, true);
821
+ }
822
+ } catch (err) {
823
+ _didIteratorError1 = true;
824
+ _iteratorError1 = err;
825
+ } finally{
826
+ try {
827
+ if (!_iteratorNormalCompletion1 && _iterator1.return != null) {
828
+ _iterator1.return();
829
+ }
830
+ } finally{
831
+ if (_didIteratorError1) {
832
+ throw _iteratorError1;
833
+ }
834
+ }
835
+ }
836
+ return object;
837
+ }
838
+ // src/sm2/bn.ts
839
+ var ZERO = BigInt(0);
840
+ var ONE = BigInt(1);
841
+ var TWO = BigInt(2);
842
+ var THREE = BigInt(3);
843
+ // src/sm2/asn1.ts
844
+ function bigintToValue(bigint) {
845
+ var h = bigint.toString(16);
846
+ if (h[0] !== "-") {
847
+ if (h.length % 2 === 1) h = "0" + h;
848
+ else if (!h.match(/^[0-7]/)) h = "00" + h;
849
+ } else {
850
+ h = h.substring(1);
851
+ var len = h.length;
852
+ if (len % 2 === 1) len += 1;
853
+ else if (!h.match(/^[0-7]/)) len += 2;
854
+ var maskString = "";
855
+ for(var i = 0; i < len; i++)maskString += "f";
856
+ var mask = hexToNumber(maskString);
857
+ var output = (mask ^ bigint) + ONE;
858
+ h = output.toString(16).replace(/^-/, "");
859
+ }
860
+ return h;
861
+ }
862
+ var ASN1Object = /*#__PURE__*/ function() {
863
+ function ASN1Object() {
864
+ var tlv = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : null, t = arguments.length > 1 && arguments[1] !== void 0 ? arguments[1] : "00", l = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : "00", v = arguments.length > 3 && arguments[3] !== void 0 ? arguments[3] : "";
865
+ _class_call_check(this, ASN1Object);
866
+ this.tlv = tlv;
867
+ this.t = t;
868
+ this.l = l;
869
+ this.v = v;
870
+ }
871
+ _create_class(ASN1Object, [
872
+ {
873
+ /**
874
+ * 获取 der 编码比特流16进制串
875
+ */ key: "getEncodedHex",
876
+ value: function getEncodedHex() {
877
+ if (!this.tlv) {
878
+ this.v = this.getValue();
879
+ this.l = this.getLength();
880
+ this.tlv = this.t + this.l + this.v;
881
+ }
882
+ return this.tlv;
883
+ }
884
+ },
885
+ {
886
+ key: "getLength",
887
+ value: function getLength() {
888
+ var n = this.v.length / 2;
889
+ var nHex = n.toString(16);
890
+ if (nHex.length % 2 === 1) nHex = "0" + nHex;
891
+ if (n < 128) {
892
+ return nHex;
893
+ } else {
894
+ var head = 128 + nHex.length / 2;
895
+ return head.toString(16) + nHex;
896
+ }
897
+ }
898
+ },
899
+ {
900
+ key: "getValue",
901
+ value: function getValue() {
902
+ return "";
903
+ }
904
+ }
905
+ ]);
906
+ return ASN1Object;
907
+ }();
908
+ var DERInteger = /*#__PURE__*/ function(ASN1Object) {
909
+ _inherits(DERInteger, ASN1Object);
910
+ var _super = _create_super(DERInteger);
911
+ function DERInteger(bigint) {
912
+ _class_call_check(this, DERInteger);
913
+ var _this;
914
+ _this = _super.call(this);
915
+ _this.t = "02";
916
+ if (bigint) _this.v = bigintToValue(bigint);
917
+ return _this;
918
+ }
919
+ _create_class(DERInteger, [
920
+ {
921
+ key: "getValue",
922
+ value: function getValue() {
923
+ return this.v;
924
+ }
925
+ }
926
+ ]);
927
+ return DERInteger;
928
+ }(ASN1Object);
929
+ var DEROctetString = /*#__PURE__*/ function(ASN1Object) {
930
+ _inherits(DEROctetString, ASN1Object);
931
+ var _super = _create_super(DEROctetString);
932
+ function DEROctetString(s) {
933
+ _class_call_check(this, DEROctetString);
934
+ var _this;
935
+ _this = _super.call(this);
936
+ _this.s = s;
937
+ __publicField(_assert_this_initialized(_this), "hV", "");
938
+ _this.t = "04";
939
+ if (s) _this.v = s.toLowerCase();
940
+ return _this;
941
+ }
942
+ _create_class(DEROctetString, [
943
+ {
944
+ key: "getValue",
945
+ value: function getValue() {
946
+ return this.v;
947
+ }
948
+ }
949
+ ]);
950
+ return DEROctetString;
951
+ }(ASN1Object);
952
+ var DERSequence = /*#__PURE__*/ function(ASN1Object) {
953
+ _inherits(DERSequence, ASN1Object);
954
+ var _super = _create_super(DERSequence);
955
+ function DERSequence(asn1Array) {
956
+ _class_call_check(this, DERSequence);
957
+ var _this;
958
+ _this = _super.call(this);
959
+ _this.asn1Array = asn1Array;
960
+ __publicField(_assert_this_initialized(_this), "t", "30");
961
+ return _this;
962
+ }
963
+ _create_class(DERSequence, [
964
+ {
965
+ key: "getValue",
966
+ value: function getValue() {
967
+ this.v = this.asn1Array.map(function(asn1Object) {
968
+ return asn1Object.getEncodedHex();
969
+ }).join("");
970
+ return this.v;
971
+ }
972
+ }
973
+ ]);
974
+ return DERSequence;
975
+ }(ASN1Object);
976
+ function getLenOfL(str, start) {
977
+ if (+str[start + 2] < 8) return 1;
978
+ var encoded = str.slice(start + 2, start + 6);
979
+ var headHex = encoded.slice(0, 2);
980
+ var head = parseInt(headHex, 16);
981
+ var nHexLength = (head - 128) * 2;
982
+ return nHexLength;
983
+ }
984
+ function getL(str, start) {
985
+ var len = getLenOfL(str, start);
986
+ var l = str.substring(start + 2, start + 2 + len * 2);
987
+ if (!l) return -1;
988
+ var bigint = +l[0] < 8 ? hexToNumber(l) : hexToNumber(l.substring(2));
989
+ return +bigint.toString();
990
+ }
991
+ function getStartOfV(str, start) {
992
+ var len = getLenOfL(str, start);
993
+ return start + (len + 1) * 2;
994
+ }
995
+ function encodeDer(r, s) {
996
+ var derR = new DERInteger(r);
997
+ var derS = new DERInteger(s);
998
+ var derSeq = new DERSequence([
999
+ derR,
1000
+ derS
1001
+ ]);
1002
+ return derSeq.getEncodedHex();
1003
+ }
1004
+ function encodeEnc(x2, y, hash, cipher) {
1005
+ var derX = new DERInteger(x2);
1006
+ var derY = new DERInteger(y);
1007
+ var derHash = new DEROctetString(hash);
1008
+ var derCipher = new DEROctetString(cipher);
1009
+ var derSeq = new DERSequence([
1010
+ derX,
1011
+ derY,
1012
+ derHash,
1013
+ derCipher
1014
+ ]);
1015
+ return derSeq.getEncodedHex();
1016
+ }
1017
+ function decodeDer(input) {
1018
+ var start = getStartOfV(input, 0);
1019
+ var vIndexR = getStartOfV(input, start);
1020
+ var lR = getL(input, start);
1021
+ var vR = input.substring(vIndexR, vIndexR + lR * 2);
1022
+ var nextStart = vIndexR + vR.length;
1023
+ var vIndexS = getStartOfV(input, nextStart);
1024
+ var lS = getL(input, nextStart);
1025
+ var vS = input.substring(vIndexS, vIndexS + lS * 2);
1026
+ var r = hexToNumber(vR);
1027
+ var s = hexToNumber(vS);
1028
+ return {
1029
+ r: r,
1030
+ s: s
1031
+ };
1032
+ }
1033
+ function decodeEnc(input) {
1034
+ var extractSequence = function extractSequence(input2, start2) {
1035
+ var vIndex = getStartOfV(input2, start2);
1036
+ var length = getL(input2, start2);
1037
+ var value = input2.substring(vIndex, vIndex + length * 2);
1038
+ var nextStart = vIndex + value.length;
1039
+ return {
1040
+ value: value,
1041
+ nextStart: nextStart
1042
+ };
1043
+ };
1044
+ var start = getStartOfV(input, 0);
1045
+ var _extractSequence = extractSequence(input, start), vR = _extractSequence.value, startS = _extractSequence.nextStart;
1046
+ var _extractSequence1 = extractSequence(input, startS), vS = _extractSequence1.value, startHash = _extractSequence1.nextStart;
1047
+ var _extractSequence2 = extractSequence(input, startHash), hash = _extractSequence2.value, startCipher = _extractSequence2.nextStart;
1048
+ var _extractSequence3 = extractSequence(input, startCipher), cipher = _extractSequence3.value;
1049
+ var x2 = hexToNumber(vR);
1050
+ var y = hexToNumber(vS);
1051
+ return {
1052
+ x: x2,
1053
+ y: y,
1054
+ hash: hash,
1055
+ cipher: cipher
1056
+ };
1057
+ }
1058
+ // node_modules/.pnpm/@noble+curves@1.1.0/node_modules/@noble/curves/esm/abstract/modular.js
1059
+ var _0n2 = BigInt(0);
1060
+ var _1n2 = BigInt(1);
1061
+ var _2n2 = BigInt(2);
1062
+ var _3n = BigInt(3);
1063
+ var _4n = BigInt(4);
1064
+ var _5n = BigInt(5);
1065
+ var _8n = BigInt(8);
1066
+ var _9n = BigInt(9);
1067
+ var _16n = BigInt(16);
1068
+ function mod(a, b) {
1069
+ var result = a % b;
1070
+ return result >= _0n2 ? result : b + result;
1071
+ }
1072
+ function pow(num, power, modulo) {
1073
+ if (modulo <= _0n2 || power < _0n2) throw new Error("Expected power/modulo > 0");
1074
+ if (modulo === _1n2) return _0n2;
1075
+ var res = _1n2;
1076
+ while(power > _0n2){
1077
+ if (power & _1n2) res = res * num % modulo;
1078
+ num = num * num % modulo;
1079
+ power >>= _1n2;
1080
+ }
1081
+ return res;
1082
+ }
1083
+ function invert(number, modulo) {
1084
+ if (number === _0n2 || modulo <= _0n2) {
1085
+ throw new Error("invert: expected positive integers, got n=".concat(number, " mod=").concat(modulo));
1086
+ }
1087
+ var a = mod(number, modulo);
1088
+ var b = modulo;
1089
+ var x2 = _0n2, y = _1n2, u = _1n2, v = _0n2;
1090
+ while(a !== _0n2){
1091
+ var q = b / a;
1092
+ var r = b % a;
1093
+ var m = x2 - u * q;
1094
+ var n = y - v * q;
1095
+ b = a, a = r, x2 = u, y = v, u = m, v = n;
1096
+ }
1097
+ var gcd = b;
1098
+ if (gcd !== _1n2) throw new Error("invert: does not exist");
1099
+ return mod(x2, modulo);
1100
+ }
1101
+ function tonelliShanks(P) {
1102
+ var legendreC = (P - _1n2) / _2n2;
1103
+ var Q, S, Z;
1104
+ for(Q = P - _1n2, S = 0; Q % _2n2 === _0n2; Q /= _2n2, S++);
1105
+ for(Z = _2n2; Z < P && pow(Z, legendreC, P) !== P - _1n2; Z++);
1106
+ if (S === 1) {
1107
+ var p1div4 = (P + _1n2) / _4n;
1108
+ return function tonelliFast(Fp, n) {
1109
+ var root = Fp.pow(n, p1div4);
1110
+ if (!Fp.eql(Fp.sqr(root), n)) throw new Error("Cannot find square root");
1111
+ return root;
1112
+ };
1113
+ }
1114
+ var Q1div2 = (Q + _1n2) / _2n2;
1115
+ return function tonelliSlow(Fp, n) {
1116
+ if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE)) throw new Error("Cannot find square root");
1117
+ var r = S;
1118
+ var g = Fp.pow(Fp.mul(Fp.ONE, Z), Q);
1119
+ var x2 = Fp.pow(n, Q1div2);
1120
+ var b = Fp.pow(n, Q);
1121
+ while(!Fp.eql(b, Fp.ONE)){
1122
+ if (Fp.eql(b, Fp.ZERO)) return Fp.ZERO;
1123
+ var m = 1;
1124
+ for(var t2 = Fp.sqr(b); m < r; m++){
1125
+ if (Fp.eql(t2, Fp.ONE)) break;
1126
+ t2 = Fp.sqr(t2);
1127
+ }
1128
+ var ge = Fp.pow(g, _1n2 << BigInt(r - m - 1));
1129
+ g = Fp.sqr(ge);
1130
+ x2 = Fp.mul(x2, ge);
1131
+ b = Fp.mul(b, g);
1132
+ r = m;
1133
+ }
1134
+ return x2;
1135
+ };
1136
+ }
1137
+ function FpSqrt(P) {
1138
+ if (P % _4n === _3n) {
1139
+ var p1div4 = (P + _1n2) / _4n;
1140
+ return function sqrt3mod4(Fp, n) {
1141
+ var root = Fp.pow(n, p1div4);
1142
+ if (!Fp.eql(Fp.sqr(root), n)) throw new Error("Cannot find square root");
1143
+ return root;
1144
+ };
1145
+ }
1146
+ if (P % _8n === _5n) {
1147
+ var c1 = (P - _5n) / _8n;
1148
+ return function sqrt5mod8(Fp, n) {
1149
+ var n2 = Fp.mul(n, _2n2);
1150
+ var v = Fp.pow(n2, c1);
1151
+ var nv = Fp.mul(n, v);
1152
+ var i = Fp.mul(Fp.mul(nv, _2n2), v);
1153
+ var root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
1154
+ if (!Fp.eql(Fp.sqr(root), n)) throw new Error("Cannot find square root");
1155
+ return root;
1156
+ };
1157
+ }
1158
+ if (P % _16n === _9n) {}
1159
+ return tonelliShanks(P);
1160
+ }
1161
+ var FIELD_FIELDS = [
1162
+ "create",
1163
+ "isValid",
1164
+ "is0",
1165
+ "neg",
1166
+ "inv",
1167
+ "sqrt",
1168
+ "sqr",
1169
+ "eql",
1170
+ "add",
1171
+ "sub",
1172
+ "mul",
1173
+ "pow",
1174
+ "div",
1175
+ "addN",
1176
+ "subN",
1177
+ "mulN",
1178
+ "sqrN"
1179
+ ];
1180
+ function validateField(field2) {
1181
+ var initial = {
1182
+ ORDER: "bigint",
1183
+ MASK: "bigint",
1184
+ BYTES: "isSafeInteger",
1185
+ BITS: "isSafeInteger"
1186
+ };
1187
+ var opts = FIELD_FIELDS.reduce(function(map, val) {
1188
+ map[val] = "function";
1189
+ return map;
1190
+ }, initial);
1191
+ return validateObject(field2, opts);
1192
+ }
1193
+ function FpPow(f, num, power) {
1194
+ if (power < _0n2) throw new Error("Expected power > 0");
1195
+ if (power === _0n2) return f.ONE;
1196
+ if (power === _1n2) return num;
1197
+ var p = f.ONE;
1198
+ var d = num;
1199
+ while(power > _0n2){
1200
+ if (power & _1n2) p = f.mul(p, d);
1201
+ d = f.sqr(d);
1202
+ power >>= _1n2;
1203
+ }
1204
+ return p;
1205
+ }
1206
+ function FpInvertBatch(f, nums) {
1207
+ var tmp2 = new Array(nums.length);
1208
+ var lastMultiplied = nums.reduce(function(acc, num, i) {
1209
+ if (f.is0(num)) return acc;
1210
+ tmp2[i] = acc;
1211
+ return f.mul(acc, num);
1212
+ }, f.ONE);
1213
+ var inverted = f.inv(lastMultiplied);
1214
+ nums.reduceRight(function(acc, num, i) {
1215
+ if (f.is0(num)) return acc;
1216
+ tmp2[i] = f.mul(acc, tmp2[i]);
1217
+ return f.mul(acc, num);
1218
+ }, inverted);
1219
+ return tmp2;
1220
+ }
1221
+ function nLength(n, nBitLength) {
1222
+ var _nBitLength = nBitLength !== void 0 ? nBitLength : n.toString(2).length;
1223
+ var nByteLength = Math.ceil(_nBitLength / 8);
1224
+ return {
1225
+ nBitLength: _nBitLength,
1226
+ nByteLength: nByteLength
1227
+ };
1228
+ }
1229
+ function Field(ORDER, bitLen2) {
1230
+ var isLE2 = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : false, redef = arguments.length > 3 && arguments[3] !== void 0 ? arguments[3] : {};
1231
+ if (ORDER <= _0n2) throw new Error("Expected Fp ORDER > 0, got ".concat(ORDER));
1232
+ var _nLength = nLength(ORDER, bitLen2), BITS = _nLength.nBitLength, BYTES = _nLength.nByteLength;
1233
+ if (BYTES > 2048) throw new Error("Field lengths over 2048 bytes are not supported");
1234
+ var sqrtP = FpSqrt(ORDER);
1235
+ var f = Object.freeze({
1236
+ ORDER: ORDER,
1237
+ BITS: BITS,
1238
+ BYTES: BYTES,
1239
+ MASK: bitMask(BITS),
1240
+ ZERO: _0n2,
1241
+ ONE: _1n2,
1242
+ create: function(num) {
1243
+ return mod(num, ORDER);
1244
+ },
1245
+ isValid: function(num) {
1246
+ if ((typeof num === "undefined" ? "undefined" : _type_of(num)) !== "bigint") throw new Error("Invalid field element: expected bigint, got ".concat(typeof num === "undefined" ? "undefined" : _type_of(num)));
1247
+ return _0n2 <= num && num < ORDER;
1248
+ },
1249
+ is0: function(num) {
1250
+ return num === _0n2;
1251
+ },
1252
+ isOdd: function(num) {
1253
+ return (num & _1n2) === _1n2;
1254
+ },
1255
+ neg: function(num) {
1256
+ return mod(-num, ORDER);
1257
+ },
1258
+ eql: function(lhs, rhs) {
1259
+ return lhs === rhs;
1260
+ },
1261
+ sqr: function(num) {
1262
+ return mod(num * num, ORDER);
1263
+ },
1264
+ add: function(lhs, rhs) {
1265
+ return mod(lhs + rhs, ORDER);
1266
+ },
1267
+ sub: function(lhs, rhs) {
1268
+ return mod(lhs - rhs, ORDER);
1269
+ },
1270
+ mul: function(lhs, rhs) {
1271
+ return mod(lhs * rhs, ORDER);
1272
+ },
1273
+ pow: function(num, power) {
1274
+ return FpPow(f, num, power);
1275
+ },
1276
+ div: function(lhs, rhs) {
1277
+ return mod(lhs * invert(rhs, ORDER), ORDER);
1278
+ },
1279
+ // Same as above, but doesn't normalize
1280
+ sqrN: function(num) {
1281
+ return num * num;
1282
+ },
1283
+ addN: function(lhs, rhs) {
1284
+ return lhs + rhs;
1285
+ },
1286
+ subN: function(lhs, rhs) {
1287
+ return lhs - rhs;
1288
+ },
1289
+ mulN: function(lhs, rhs) {
1290
+ return lhs * rhs;
1291
+ },
1292
+ inv: function(num) {
1293
+ return invert(num, ORDER);
1294
+ },
1295
+ sqrt: redef.sqrt || function(n) {
1296
+ return sqrtP(f, n);
1297
+ },
1298
+ invertBatch: function(lst) {
1299
+ return FpInvertBatch(f, lst);
1300
+ },
1301
+ // TODO: do we really need constant cmov?
1302
+ // We don't have const-time bigints anyway, so probably will be not very useful
1303
+ cmov: function(a, b, c) {
1304
+ return c ? b : a;
1305
+ },
1306
+ toBytes: function(num) {
1307
+ return isLE2 ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES);
1308
+ },
1309
+ fromBytes: function(bytes) {
1310
+ if (bytes.length !== BYTES) throw new Error("Fp.fromBytes: expected ".concat(BYTES, ", got ").concat(bytes.length));
1311
+ return isLE2 ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
1312
+ }
1313
+ });
1314
+ return Object.freeze(f);
1315
+ }
1316
+ function hashToPrivateScalar(hash, groupOrder) {
1317
+ var isLE2 = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : false;
1318
+ hash = ensureBytes("privateHash", hash);
1319
+ var hashLen = hash.length;
1320
+ var minLen = nLength(groupOrder).nByteLength + 8;
1321
+ if (minLen < 24 || hashLen < minLen || hashLen > 1024) throw new Error("hashToPrivateScalar: expected ".concat(minLen, "-1024 bytes of input, got ").concat(hashLen));
1322
+ var num = isLE2 ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
1323
+ return mod(num, groupOrder - _1n2) + _1n2;
1324
+ }
1325
+ // node_modules/.pnpm/@noble+curves@1.1.0/node_modules/@noble/curves/esm/abstract/curve.js
1326
+ var _0n3 = BigInt(0);
1327
+ var _1n3 = BigInt(1);
1328
+ function wNAF(c, bits) {
1329
+ var constTimeNegate = function(condition, item) {
1330
+ var neg = item.negate();
1331
+ return condition ? neg : item;
1332
+ };
1333
+ var opts = function(W) {
1334
+ var windows = Math.ceil(bits / W) + 1;
1335
+ var windowSize = Math.pow(2, W - 1);
1336
+ return {
1337
+ windows: windows,
1338
+ windowSize: windowSize
1339
+ };
1340
+ };
1341
+ return {
1342
+ constTimeNegate: constTimeNegate,
1343
+ // non-const time multiplication ladder
1344
+ unsafeLadder: function unsafeLadder(elm, n) {
1345
+ var p = c.ZERO;
1346
+ var d = elm;
1347
+ while(n > _0n3){
1348
+ if (n & _1n3) p = p.add(d);
1349
+ d = d.double();
1350
+ n >>= _1n3;
1351
+ }
1352
+ return p;
1353
+ },
1354
+ /**
1355
+ * Creates a wNAF precomputation window. Used for caching.
1356
+ * Default window size is set by `utils.precompute()` and is equal to 8.
1357
+ * Number of precomputed points depends on the curve size:
1358
+ * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
1359
+ * - 𝑊 is the window size
1360
+ * - 𝑛 is the bitlength of the curve order.
1361
+ * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
1362
+ * @returns precomputed point tables flattened to a single array
1363
+ */ precomputeWindow: function precomputeWindow(elm, W) {
1364
+ var _opts = opts(W), windows = _opts.windows, windowSize = _opts.windowSize;
1365
+ var points = [];
1366
+ var p = elm;
1367
+ var base = p;
1368
+ for(var window = 0; window < windows; window++){
1369
+ base = p;
1370
+ points.push(base);
1371
+ for(var i = 1; i < windowSize; i++){
1372
+ base = base.add(p);
1373
+ points.push(base);
1374
+ }
1375
+ p = base.double();
1376
+ }
1377
+ return points;
1378
+ },
1379
+ /**
1380
+ * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
1381
+ * @param W window size
1382
+ * @param precomputes precomputed tables
1383
+ * @param n scalar (we don't check here, but should be less than curve order)
1384
+ * @returns real and fake (for const-time) points
1385
+ */ wNAF: function wNAF(W, precomputes, n) {
1386
+ var _opts = opts(W), windows = _opts.windows, windowSize = _opts.windowSize;
1387
+ var p = c.ZERO;
1388
+ var f = c.BASE;
1389
+ var mask = BigInt(Math.pow(2, W) - 1);
1390
+ var maxNumber = Math.pow(2, W);
1391
+ var shiftBy = BigInt(W);
1392
+ for(var window = 0; window < windows; window++){
1393
+ var offset = window * windowSize;
1394
+ var wbits = Number(n & mask);
1395
+ n >>= shiftBy;
1396
+ if (wbits > windowSize) {
1397
+ wbits -= maxNumber;
1398
+ n += _1n3;
1399
+ }
1400
+ var offset1 = offset;
1401
+ var offset2 = offset + Math.abs(wbits) - 1;
1402
+ var cond1 = window % 2 !== 0;
1403
+ var cond2 = wbits < 0;
1404
+ if (wbits === 0) {
1405
+ f = f.add(constTimeNegate(cond1, precomputes[offset1]));
1406
+ } else {
1407
+ p = p.add(constTimeNegate(cond2, precomputes[offset2]));
1408
+ }
1409
+ }
1410
+ return {
1411
+ p: p,
1412
+ f: f
1413
+ };
1414
+ },
1415
+ wNAFCached: function wNAFCached(P, precomputesMap, n, transform) {
1416
+ var W = P._WINDOW_SIZE || 1;
1417
+ var comp = precomputesMap.get(P);
1418
+ if (!comp) {
1419
+ comp = this.precomputeWindow(P, W);
1420
+ if (W !== 1) {
1421
+ precomputesMap.set(P, transform(comp));
1422
+ }
1423
+ }
1424
+ return this.wNAF(W, comp, n);
1425
+ }
1426
+ };
1427
+ }
1428
+ function validateBasic(curve) {
1429
+ validateField(curve.Fp);
1430
+ validateObject(curve, {
1431
+ n: "bigint",
1432
+ h: "bigint",
1433
+ Gx: "field",
1434
+ Gy: "field"
1435
+ }, {
1436
+ nBitLength: "isSafeInteger",
1437
+ nByteLength: "isSafeInteger"
1438
+ });
1439
+ return Object.freeze(_object_spread({}, nLength(curve.n, curve.nBitLength), curve, {
1440
+ p: curve.Fp.ORDER
1441
+ }));
1442
+ }
1443
+ // node_modules/.pnpm/@noble+curves@1.1.0/node_modules/@noble/curves/esm/abstract/weierstrass.js
1444
+ function validatePointOpts(curve) {
1445
+ var opts = validateBasic(curve);
1446
+ validateObject(opts, {
1447
+ a: "field",
1448
+ b: "field"
1449
+ }, {
1450
+ allowedPrivateKeyLengths: "array",
1451
+ wrapPrivateKey: "boolean",
1452
+ isTorsionFree: "function",
1453
+ clearCofactor: "function",
1454
+ allowInfinityPoint: "boolean",
1455
+ fromBytes: "function",
1456
+ toBytes: "function"
1457
+ });
1458
+ var endo = opts.endo, Fp = opts.Fp, a = opts.a;
1459
+ if (endo) {
1460
+ if (!Fp.eql(a, Fp.ZERO)) {
1461
+ throw new Error("Endomorphism can only be defined for Koblitz curves that have a=0");
1462
+ }
1463
+ if (typeof endo !== "object" || _type_of(endo.beta) !== "bigint" || typeof endo.splitScalar !== "function") {
1464
+ throw new Error("Expected endomorphism with beta: bigint and splitScalar: function");
1465
+ }
1466
+ }
1467
+ return Object.freeze(_object_spread({}, opts));
1468
+ }
1469
+ var b2n = utils_exports.bytesToNumberBE, h2b = utils_exports.hexToBytes;
1470
+ var DER = {
1471
+ // asn.1 DER encoding utils
1472
+ Err: /*#__PURE__*/ function(Error1) {
1473
+ _inherits(DERErr, Error1);
1474
+ var _super = _create_super(DERErr);
1475
+ function DERErr() {
1476
+ var m = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : "";
1477
+ _class_call_check(this, DERErr);
1478
+ return _super.call(this, m);
1479
+ }
1480
+ return DERErr;
1481
+ }(_wrap_native_super(Error)),
1482
+ _parseInt: function _parseInt(data) {
1483
+ var E = DER.Err;
1484
+ if (data.length < 2 || data[0] !== 2) throw new E("Invalid signature integer tag");
1485
+ var len = data[1];
1486
+ var res = data.subarray(2, len + 2);
1487
+ if (!len || res.length !== len) throw new E("Invalid signature integer: wrong length");
1488
+ if (res[0] & 128) throw new E("Invalid signature integer: negative");
1489
+ if (res[0] === 0 && !(res[1] & 128)) throw new E("Invalid signature integer: unnecessary leading zero");
1490
+ return {
1491
+ d: b2n(res),
1492
+ l: data.subarray(len + 2)
1493
+ };
1494
+ },
1495
+ toSig: function toSig(hex) {
1496
+ var E = DER.Err;
1497
+ var data = typeof hex === "string" ? h2b(hex) : hex;
1498
+ if (!_instanceof(data, Uint8Array)) throw new Error("ui8a expected");
1499
+ var l = data.length;
1500
+ if (l < 2 || data[0] != 48) throw new E("Invalid signature tag");
1501
+ if (data[1] !== l - 2) throw new E("Invalid signature: incorrect length");
1502
+ var _DER__parseInt = DER._parseInt(data.subarray(2)), r = _DER__parseInt.d, sBytes = _DER__parseInt.l;
1503
+ var _DER__parseInt1 = DER._parseInt(sBytes), s = _DER__parseInt1.d, rBytesLeft = _DER__parseInt1.l;
1504
+ if (rBytesLeft.length) throw new E("Invalid signature: left bytes after parsing");
1505
+ return {
1506
+ r: r,
1507
+ s: s
1508
+ };
1509
+ },
1510
+ hexFromSig: function hexFromSig(sig) {
1511
+ var slice = function(s2) {
1512
+ return Number.parseInt(s2[0], 16) & 8 ? "00" + s2 : s2;
1513
+ };
1514
+ var h = function(num) {
1515
+ var hex = num.toString(16);
1516
+ return hex.length & 1 ? "0".concat(hex) : hex;
1517
+ };
1518
+ var s = slice(h(sig.s));
1519
+ var r = slice(h(sig.r));
1520
+ var shl = s.length / 2;
1521
+ var rhl = r.length / 2;
1522
+ var sl = h(shl);
1523
+ var rl = h(rhl);
1524
+ return "30".concat(h(rhl + shl + 4), "02").concat(rl).concat(r, "02").concat(sl).concat(s);
1525
+ }
1526
+ };
1527
+ var _0n4 = BigInt(0);
1528
+ var _1n4 = BigInt(1);
1529
+ var _2n3 = BigInt(2);
1530
+ var _3n2 = BigInt(3);
1531
+ var _4n2 = BigInt(4);
1532
+ function weierstrassPoints(opts) {
1533
+ var weierstrassEquation = function weierstrassEquation(x2) {
1534
+ var a = CURVE.a, b = CURVE.b;
1535
+ var x22 = Fp.sqr(x2);
1536
+ var x3 = Fp.mul(x22, x2);
1537
+ return Fp.add(Fp.add(x3, Fp.mul(x2, a)), b);
1538
+ };
1539
+ var isWithinCurveOrder = function isWithinCurveOrder(num) {
1540
+ return (typeof num === "undefined" ? "undefined" : _type_of(num)) === "bigint" && _0n4 < num && num < CURVE.n;
1541
+ };
1542
+ var assertGE = function assertGE(num) {
1543
+ if (!isWithinCurveOrder(num)) throw new Error("Expected valid bigint: 0 < bigint < curve.n");
1544
+ };
1545
+ var normPrivateKeyToScalar = function normPrivateKeyToScalar(key) {
1546
+ var lengths = CURVE.allowedPrivateKeyLengths, nByteLength = CURVE.nByteLength, wrapPrivateKey = CURVE.wrapPrivateKey, n = CURVE.n;
1547
+ if (lengths && (typeof key === "undefined" ? "undefined" : _type_of(key)) !== "bigint") {
1548
+ if (_instanceof(key, Uint8Array)) key = bytesToHex(key);
1549
+ if (typeof key !== "string" || !lengths.includes(key.length)) throw new Error("Invalid key");
1550
+ key = key.padStart(nByteLength * 2, "0");
1551
+ }
1552
+ var num;
1553
+ try {
1554
+ num = (typeof key === "undefined" ? "undefined" : _type_of(key)) === "bigint" ? key : bytesToNumberBE(ensureBytes("private key", key, nByteLength));
1555
+ } catch (error) {
1556
+ throw new Error("private key must be ".concat(nByteLength, " bytes, hex or bigint, not ").concat(typeof key === "undefined" ? "undefined" : _type_of(key)));
1557
+ }
1558
+ if (wrapPrivateKey) num = mod(num, n);
1559
+ assertGE(num);
1560
+ return num;
1561
+ };
1562
+ var assertPrjPoint = function assertPrjPoint(other) {
1563
+ if (!_instanceof(other, Point)) throw new Error("ProjectivePoint expected");
1564
+ };
1565
+ var CURVE = validatePointOpts(opts);
1566
+ var Fp = CURVE.Fp;
1567
+ var toBytes2 = CURVE.toBytes || function(c, point, isCompressed) {
1568
+ var a = point.toAffine();
1569
+ return concatBytes(Uint8Array.from([
1570
+ 4
1571
+ ]), Fp.toBytes(a.x), Fp.toBytes(a.y));
1572
+ };
1573
+ var fromBytes = CURVE.fromBytes || function(bytes) {
1574
+ var tail = bytes.subarray(1);
1575
+ var x2 = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
1576
+ var y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
1577
+ return {
1578
+ x: x2,
1579
+ y: y
1580
+ };
1581
+ };
1582
+ if (!Fp.eql(Fp.sqr(CURVE.Gy), weierstrassEquation(CURVE.Gx))) throw new Error("bad generator point: equation left != right");
1583
+ var pointPrecomputes = /* @__PURE__ */ new Map();
1584
+ var Point = /*#__PURE__*/ function() {
1585
+ function Point(px, py, pz) {
1586
+ _class_call_check(this, Point);
1587
+ this.px = px;
1588
+ this.py = py;
1589
+ this.pz = pz;
1590
+ if (px == null || !Fp.isValid(px)) throw new Error("x required");
1591
+ if (py == null || !Fp.isValid(py)) throw new Error("y required");
1592
+ if (pz == null || !Fp.isValid(pz)) throw new Error("z required");
1593
+ }
1594
+ _create_class(Point, [
1595
+ {
1596
+ key: "x",
1597
+ get: function get() {
1598
+ return this.toAffine().x;
1599
+ }
1600
+ },
1601
+ {
1602
+ key: "y",
1603
+ get: function get() {
1604
+ return this.toAffine().y;
1605
+ }
1606
+ },
1607
+ {
1608
+ // "Private method", don't use it directly
1609
+ key: "_setWindowSize",
1610
+ value: function _setWindowSize(windowSize) {
1611
+ this._WINDOW_SIZE = windowSize;
1612
+ pointPrecomputes.delete(this);
1613
+ }
1614
+ },
1615
+ {
1616
+ // A point on curve is valid if it conforms to equation.
1617
+ key: "assertValidity",
1618
+ value: function assertValidity() {
1619
+ if (this.is0()) {
1620
+ if (CURVE.allowInfinityPoint) return;
1621
+ throw new Error("bad point: ZERO");
1622
+ }
1623
+ var _this_toAffine = this.toAffine(), x2 = _this_toAffine.x, y = _this_toAffine.y;
1624
+ if (!Fp.isValid(x2) || !Fp.isValid(y)) throw new Error("bad point: x or y not FE");
1625
+ var left = Fp.sqr(y);
1626
+ var right = weierstrassEquation(x2);
1627
+ if (!Fp.eql(left, right)) throw new Error("bad point: equation left != right");
1628
+ if (!this.isTorsionFree()) throw new Error("bad point: not in prime-order subgroup");
1629
+ }
1630
+ },
1631
+ {
1632
+ key: "hasEvenY",
1633
+ value: function hasEvenY() {
1634
+ var y = this.toAffine().y;
1635
+ if (Fp.isOdd) return !Fp.isOdd(y);
1636
+ throw new Error("Field doesn't support isOdd");
1637
+ }
1638
+ },
1639
+ {
1640
+ /**
1641
+ * Compare one point to another.
1642
+ */ key: "equals",
1643
+ value: function equals(other) {
1644
+ assertPrjPoint(other);
1645
+ var _this = this, X1 = _this.px, Y1 = _this.py, Z1 = _this.pz;
1646
+ var X2 = other.px, Y2 = other.py, Z2 = other.pz;
1647
+ var U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
1648
+ var U2 = Fp.eql(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));
1649
+ return U1 && U2;
1650
+ }
1651
+ },
1652
+ {
1653
+ /**
1654
+ * Flips point to one corresponding to (x, -y) in Affine coordinates.
1655
+ */ key: "negate",
1656
+ value: function negate() {
1657
+ return new Point(this.px, Fp.neg(this.py), this.pz);
1658
+ }
1659
+ },
1660
+ {
1661
+ // Renes-Costello-Batina exception-free doubling formula.
1662
+ // There is 30% faster Jacobian formula, but it is not complete.
1663
+ // https://eprint.iacr.org/2015/1060, algorithm 3
1664
+ // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
1665
+ key: "double",
1666
+ value: function double() {
1667
+ var a = CURVE.a, b = CURVE.b;
1668
+ var b3 = Fp.mul(b, _3n2);
1669
+ var _this = this, X1 = _this.px, Y1 = _this.py, Z1 = _this.pz;
1670
+ var X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO;
1671
+ var t0 = Fp.mul(X1, X1);
1672
+ var t1 = Fp.mul(Y1, Y1);
1673
+ var t2 = Fp.mul(Z1, Z1);
1674
+ var t3 = Fp.mul(X1, Y1);
1675
+ t3 = Fp.add(t3, t3);
1676
+ Z3 = Fp.mul(X1, Z1);
1677
+ Z3 = Fp.add(Z3, Z3);
1678
+ X3 = Fp.mul(a, Z3);
1679
+ Y3 = Fp.mul(b3, t2);
1680
+ Y3 = Fp.add(X3, Y3);
1681
+ X3 = Fp.sub(t1, Y3);
1682
+ Y3 = Fp.add(t1, Y3);
1683
+ Y3 = Fp.mul(X3, Y3);
1684
+ X3 = Fp.mul(t3, X3);
1685
+ Z3 = Fp.mul(b3, Z3);
1686
+ t2 = Fp.mul(a, t2);
1687
+ t3 = Fp.sub(t0, t2);
1688
+ t3 = Fp.mul(a, t3);
1689
+ t3 = Fp.add(t3, Z3);
1690
+ Z3 = Fp.add(t0, t0);
1691
+ t0 = Fp.add(Z3, t0);
1692
+ t0 = Fp.add(t0, t2);
1693
+ t0 = Fp.mul(t0, t3);
1694
+ Y3 = Fp.add(Y3, t0);
1695
+ t2 = Fp.mul(Y1, Z1);
1696
+ t2 = Fp.add(t2, t2);
1697
+ t0 = Fp.mul(t2, t3);
1698
+ X3 = Fp.sub(X3, t0);
1699
+ Z3 = Fp.mul(t2, t1);
1700
+ Z3 = Fp.add(Z3, Z3);
1701
+ Z3 = Fp.add(Z3, Z3);
1702
+ return new Point(X3, Y3, Z3);
1703
+ }
1704
+ },
1705
+ {
1706
+ // Renes-Costello-Batina exception-free addition formula.
1707
+ // There is 30% faster Jacobian formula, but it is not complete.
1708
+ // https://eprint.iacr.org/2015/1060, algorithm 1
1709
+ // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
1710
+ key: "add",
1711
+ value: function add(other) {
1712
+ assertPrjPoint(other);
1713
+ var _this = this, X1 = _this.px, Y1 = _this.py, Z1 = _this.pz;
1714
+ var X2 = other.px, Y2 = other.py, Z2 = other.pz;
1715
+ var X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO;
1716
+ var a = CURVE.a;
1717
+ var b3 = Fp.mul(CURVE.b, _3n2);
1718
+ var t0 = Fp.mul(X1, X2);
1719
+ var t1 = Fp.mul(Y1, Y2);
1720
+ var t2 = Fp.mul(Z1, Z2);
1721
+ var t3 = Fp.add(X1, Y1);
1722
+ var t4 = Fp.add(X2, Y2);
1723
+ t3 = Fp.mul(t3, t4);
1724
+ t4 = Fp.add(t0, t1);
1725
+ t3 = Fp.sub(t3, t4);
1726
+ t4 = Fp.add(X1, Z1);
1727
+ var t5 = Fp.add(X2, Z2);
1728
+ t4 = Fp.mul(t4, t5);
1729
+ t5 = Fp.add(t0, t2);
1730
+ t4 = Fp.sub(t4, t5);
1731
+ t5 = Fp.add(Y1, Z1);
1732
+ X3 = Fp.add(Y2, Z2);
1733
+ t5 = Fp.mul(t5, X3);
1734
+ X3 = Fp.add(t1, t2);
1735
+ t5 = Fp.sub(t5, X3);
1736
+ Z3 = Fp.mul(a, t4);
1737
+ X3 = Fp.mul(b3, t2);
1738
+ Z3 = Fp.add(X3, Z3);
1739
+ X3 = Fp.sub(t1, Z3);
1740
+ Z3 = Fp.add(t1, Z3);
1741
+ Y3 = Fp.mul(X3, Z3);
1742
+ t1 = Fp.add(t0, t0);
1743
+ t1 = Fp.add(t1, t0);
1744
+ t2 = Fp.mul(a, t2);
1745
+ t4 = Fp.mul(b3, t4);
1746
+ t1 = Fp.add(t1, t2);
1747
+ t2 = Fp.sub(t0, t2);
1748
+ t2 = Fp.mul(a, t2);
1749
+ t4 = Fp.add(t4, t2);
1750
+ t0 = Fp.mul(t1, t4);
1751
+ Y3 = Fp.add(Y3, t0);
1752
+ t0 = Fp.mul(t5, t4);
1753
+ X3 = Fp.mul(t3, X3);
1754
+ X3 = Fp.sub(X3, t0);
1755
+ t0 = Fp.mul(t3, t1);
1756
+ Z3 = Fp.mul(t5, Z3);
1757
+ Z3 = Fp.add(Z3, t0);
1758
+ return new Point(X3, Y3, Z3);
1759
+ }
1760
+ },
1761
+ {
1762
+ key: "subtract",
1763
+ value: function subtract(other) {
1764
+ return this.add(other.negate());
1765
+ }
1766
+ },
1767
+ {
1768
+ key: "is0",
1769
+ value: function is0() {
1770
+ return this.equals(Point.ZERO);
1771
+ }
1772
+ },
1773
+ {
1774
+ key: "wNAF",
1775
+ value: function wNAF(n) {
1776
+ return wnaf.wNAFCached(this, pointPrecomputes, n, function(comp) {
1777
+ var toInv = Fp.invertBatch(comp.map(function(p) {
1778
+ return p.pz;
1779
+ }));
1780
+ return comp.map(function(p, i) {
1781
+ return p.toAffine(toInv[i]);
1782
+ }).map(Point.fromAffine);
1783
+ });
1784
+ }
1785
+ },
1786
+ {
1787
+ /**
1788
+ * Non-constant-time multiplication. Uses double-and-add algorithm.
1789
+ * It's faster, but should only be used when you don't care about
1790
+ * an exposed private key e.g. sig verification, which works over *public* keys.
1791
+ */ key: "multiplyUnsafe",
1792
+ value: function multiplyUnsafe(n) {
1793
+ var I = Point.ZERO;
1794
+ if (n === _0n4) return I;
1795
+ assertGE(n);
1796
+ if (n === _1n4) return this;
1797
+ var endo = CURVE.endo;
1798
+ if (!endo) return wnaf.unsafeLadder(this, n);
1799
+ var _endo_splitScalar = endo.splitScalar(n), k1neg = _endo_splitScalar.k1neg, k1 = _endo_splitScalar.k1, k2neg = _endo_splitScalar.k2neg, k2 = _endo_splitScalar.k2;
1800
+ var k1p = I;
1801
+ var k2p = I;
1802
+ var d = this;
1803
+ while(k1 > _0n4 || k2 > _0n4){
1804
+ if (k1 & _1n4) k1p = k1p.add(d);
1805
+ if (k2 & _1n4) k2p = k2p.add(d);
1806
+ d = d.double();
1807
+ k1 >>= _1n4;
1808
+ k2 >>= _1n4;
1809
+ }
1810
+ if (k1neg) k1p = k1p.negate();
1811
+ if (k2neg) k2p = k2p.negate();
1812
+ k2p = new Point(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
1813
+ return k1p.add(k2p);
1814
+ }
1815
+ },
1816
+ {
1817
+ /**
1818
+ * Constant time multiplication.
1819
+ * Uses wNAF method. Windowed method may be 10% faster,
1820
+ * but takes 2x longer to generate and consumes 2x memory.
1821
+ * Uses precomputes when available.
1822
+ * Uses endomorphism for Koblitz curves.
1823
+ * @param scalar by which the point would be multiplied
1824
+ * @returns New point
1825
+ */ key: "multiply",
1826
+ value: function multiply(scalar) {
1827
+ assertGE(scalar);
1828
+ var n = scalar;
1829
+ var point, fake;
1830
+ var endo = CURVE.endo;
1831
+ if (endo) {
1832
+ var _endo_splitScalar = endo.splitScalar(n), k1neg = _endo_splitScalar.k1neg, k1 = _endo_splitScalar.k1, k2neg = _endo_splitScalar.k2neg, k2 = _endo_splitScalar.k2;
1833
+ var _this_wNAF = this.wNAF(k1), k1p = _this_wNAF.p, f1p = _this_wNAF.f;
1834
+ var _this_wNAF1 = this.wNAF(k2), k2p = _this_wNAF1.p, f2p = _this_wNAF1.f;
1835
+ k1p = wnaf.constTimeNegate(k1neg, k1p);
1836
+ k2p = wnaf.constTimeNegate(k2neg, k2p);
1837
+ k2p = new Point(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
1838
+ point = k1p.add(k2p);
1839
+ fake = f1p.add(f2p);
1840
+ } else {
1841
+ var _this_wNAF2 = this.wNAF(n), p = _this_wNAF2.p, f = _this_wNAF2.f;
1842
+ point = p;
1843
+ fake = f;
1844
+ }
1845
+ return Point.normalizeZ([
1846
+ point,
1847
+ fake
1848
+ ])[0];
1849
+ }
1850
+ },
1851
+ {
1852
+ /**
1853
+ * Efficiently calculate `aP + bQ`. Unsafe, can expose private key, if used incorrectly.
1854
+ * Not using Strauss-Shamir trick: precomputation tables are faster.
1855
+ * The trick could be useful if both P and Q are not G (not in our case).
1856
+ * @returns non-zero affine point
1857
+ */ key: "multiplyAndAddUnsafe",
1858
+ value: function multiplyAndAddUnsafe(Q, a, b) {
1859
+ var G = Point.BASE;
1860
+ var mul = function(P, a2) {
1861
+ return a2 === _0n4 || a2 === _1n4 || !P.equals(G) ? P.multiplyUnsafe(a2) : P.multiply(a2);
1862
+ };
1863
+ var sum = mul(this, a).add(mul(Q, b));
1864
+ return sum.is0() ? void 0 : sum;
1865
+ }
1866
+ },
1867
+ {
1868
+ // Converts Projective point to affine (x, y) coordinates.
1869
+ // Can accept precomputed Z^-1 - for example, from invertBatch.
1870
+ // (x, y, z) ∋ (x=x/z, y=y/z)
1871
+ key: "toAffine",
1872
+ value: function toAffine(iz) {
1873
+ var _this = this, x2 = _this.px, y = _this.py, z = _this.pz;
1874
+ var is0 = this.is0();
1875
+ if (iz == null) iz = is0 ? Fp.ONE : Fp.inv(z);
1876
+ var ax = Fp.mul(x2, iz);
1877
+ var ay = Fp.mul(y, iz);
1878
+ var zz = Fp.mul(z, iz);
1879
+ if (is0) return {
1880
+ x: Fp.ZERO,
1881
+ y: Fp.ZERO
1882
+ };
1883
+ if (!Fp.eql(zz, Fp.ONE)) throw new Error("invZ was invalid");
1884
+ return {
1885
+ x: ax,
1886
+ y: ay
1887
+ };
1888
+ }
1889
+ },
1890
+ {
1891
+ key: "isTorsionFree",
1892
+ value: function isTorsionFree() {
1893
+ var cofactor = CURVE.h, isTorsionFree = CURVE.isTorsionFree;
1894
+ if (cofactor === _1n4) return true;
1895
+ if (isTorsionFree) return isTorsionFree(Point, this);
1896
+ throw new Error("isTorsionFree() has not been declared for the elliptic curve");
1897
+ }
1898
+ },
1899
+ {
1900
+ key: "clearCofactor",
1901
+ value: function clearCofactor() {
1902
+ var cofactor = CURVE.h, clearCofactor = CURVE.clearCofactor;
1903
+ if (cofactor === _1n4) return this;
1904
+ if (clearCofactor) return clearCofactor(Point, this);
1905
+ return this.multiplyUnsafe(CURVE.h);
1906
+ }
1907
+ },
1908
+ {
1909
+ key: "toRawBytes",
1910
+ value: function toRawBytes() {
1911
+ var isCompressed = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : true;
1912
+ this.assertValidity();
1913
+ return toBytes2(Point, this, isCompressed);
1914
+ }
1915
+ },
1916
+ {
1917
+ key: "toHex",
1918
+ value: function toHex() {
1919
+ var isCompressed = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : true;
1920
+ return bytesToHex(this.toRawBytes(isCompressed));
1921
+ }
1922
+ }
1923
+ ], [
1924
+ {
1925
+ key: "fromAffine",
1926
+ value: // Does not validate if the point is on-curve.
1927
+ // Use fromHex instead, or call assertValidity() later.
1928
+ function fromAffine(p) {
1929
+ var _ref = p || {}, x2 = _ref.x, y = _ref.y;
1930
+ if (!p || !Fp.isValid(x2) || !Fp.isValid(y)) throw new Error("invalid affine point");
1931
+ if (_instanceof(p, Point)) throw new Error("projective point not allowed");
1932
+ var is0 = function(i) {
1933
+ return Fp.eql(i, Fp.ZERO);
1934
+ };
1935
+ if (is0(x2) && is0(y)) return Point.ZERO;
1936
+ return new Point(x2, y, Fp.ONE);
1937
+ }
1938
+ },
1939
+ {
1940
+ key: "normalizeZ",
1941
+ value: /**
1942
+ * Takes a bunch of Projective Points but executes only one
1943
+ * inversion on all of them. Inversion is very slow operation,
1944
+ * so this improves performance massively.
1945
+ * Optimization: converts a list of projective points to a list of identical points with Z=1.
1946
+ */ function normalizeZ(points) {
1947
+ var toInv = Fp.invertBatch(points.map(function(p) {
1948
+ return p.pz;
1949
+ }));
1950
+ return points.map(function(p, i) {
1951
+ return p.toAffine(toInv[i]);
1952
+ }).map(Point.fromAffine);
1953
+ }
1954
+ },
1955
+ {
1956
+ key: "fromHex",
1957
+ value: /**
1958
+ * Converts hash string or Uint8Array to Point.
1959
+ * @param hex short/long ECDSA hex
1960
+ */ function fromHex(hex) {
1961
+ var P = Point.fromAffine(fromBytes(ensureBytes("pointHex", hex)));
1962
+ P.assertValidity();
1963
+ return P;
1964
+ }
1965
+ },
1966
+ {
1967
+ key: "fromPrivateKey",
1968
+ value: // Multiplies generator point by privateKey.
1969
+ function fromPrivateKey(privateKey) {
1970
+ return Point.BASE.multiply(normPrivateKeyToScalar(privateKey));
1971
+ }
1972
+ }
1973
+ ]);
1974
+ return Point;
1975
+ }();
1976
+ Point.BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
1977
+ Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO);
1978
+ var _bits = CURVE.nBitLength;
1979
+ var wnaf = wNAF(Point, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
1980
+ return {
1981
+ CURVE: CURVE,
1982
+ ProjectivePoint: Point,
1983
+ normPrivateKeyToScalar: normPrivateKeyToScalar,
1984
+ weierstrassEquation: weierstrassEquation,
1985
+ isWithinCurveOrder: isWithinCurveOrder
1986
+ };
1987
+ }
1988
+ function validateOpts(curve) {
1989
+ var opts = validateBasic(curve);
1990
+ validateObject(opts, {
1991
+ hash: "hash",
1992
+ hmac: "function",
1993
+ randomBytes: "function"
1994
+ }, {
1995
+ bits2int: "function",
1996
+ bits2int_modN: "function",
1997
+ lowS: "boolean"
1998
+ });
1999
+ return Object.freeze(_object_spread({
2000
+ lowS: true
2001
+ }, opts));
2002
+ }
2003
+ function weierstrass(curveDef) {
2004
+ var isValidFieldElement = function isValidFieldElement(num) {
2005
+ return _0n4 < num && num < Fp.ORDER;
2006
+ };
2007
+ var modN = function modN(a) {
2008
+ return mod(a, CURVE_ORDER);
2009
+ };
2010
+ var invN = function invN(a) {
2011
+ return invert(a, CURVE_ORDER);
2012
+ };
2013
+ var isBiggerThanHalfOrder = function isBiggerThanHalfOrder(number) {
2014
+ var HALF = CURVE_ORDER >> _1n4;
2015
+ return number > HALF;
2016
+ };
2017
+ var normalizeS = function normalizeS(s) {
2018
+ return isBiggerThanHalfOrder(s) ? modN(-s) : s;
2019
+ };
2020
+ var getPublicKey = function getPublicKey(privateKey) {
2021
+ var isCompressed = arguments.length > 1 && arguments[1] !== void 0 ? arguments[1] : true;
2022
+ return Point.fromPrivateKey(privateKey).toRawBytes(isCompressed);
2023
+ };
2024
+ var isProbPub = function isProbPub(item) {
2025
+ var arr = _instanceof(item, Uint8Array);
2026
+ var str = typeof item === "string";
2027
+ var len = (arr || str) && item.length;
2028
+ if (arr) return len === compressedLen || len === uncompressedLen;
2029
+ if (str) return len === 2 * compressedLen || len === 2 * uncompressedLen;
2030
+ if (_instanceof(item, Point)) return true;
2031
+ return false;
2032
+ };
2033
+ var getSharedSecret = function getSharedSecret(privateA, publicB) {
2034
+ var isCompressed = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : true;
2035
+ if (isProbPub(privateA)) throw new Error("first arg must be private key");
2036
+ if (!isProbPub(publicB)) throw new Error("second arg must be public key");
2037
+ var b = Point.fromHex(publicB);
2038
+ return b.multiply(normPrivateKeyToScalar(privateA)).toRawBytes(isCompressed);
2039
+ };
2040
+ var int2octets = function int2octets(num) {
2041
+ if ((typeof num === "undefined" ? "undefined" : _type_of(num)) !== "bigint") throw new Error("bigint expected");
2042
+ if (!(_0n4 <= num && num < ORDER_MASK)) throw new Error("bigint expected < 2^".concat(CURVE.nBitLength));
2043
+ return numberToBytesBE(num, CURVE.nByteLength);
2044
+ };
2045
+ var prepSig = function prepSig(msgHash, privateKey) {
2046
+ var opts = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : defaultSigOpts;
2047
+ if ([
2048
+ "recovered",
2049
+ "canonical"
2050
+ ].some(function(k) {
2051
+ return k in opts;
2052
+ })) throw new Error("sign() legacy options not supported");
2053
+ var hash = CURVE.hash, randomBytes2 = CURVE.randomBytes;
2054
+ var lowS = opts.lowS, prehash = opts.prehash, ent = opts.extraEntropy;
2055
+ if (lowS == null) lowS = true;
2056
+ msgHash = ensureBytes("msgHash", msgHash);
2057
+ if (prehash) msgHash = ensureBytes("prehashed msgHash", hash(msgHash));
2058
+ var h1int = bits2int_modN(msgHash);
2059
+ var d = normPrivateKeyToScalar(privateKey);
2060
+ var seedArgs = [
2061
+ int2octets(d),
2062
+ int2octets(h1int)
2063
+ ];
2064
+ if (ent != null) {
2065
+ var e = ent === true ? randomBytes2(Fp.BYTES) : ent;
2066
+ seedArgs.push(ensureBytes("extraEntropy", e, Fp.BYTES));
2067
+ }
2068
+ var seed = concatBytes.apply(void 0, _to_consumable_array(seedArgs));
2069
+ var m = h1int;
2070
+ function k2sig(kBytes) {
2071
+ var k = bits2int(kBytes);
2072
+ if (!isWithinCurveOrder(k)) return;
2073
+ var ik = invN(k);
2074
+ var q = Point.BASE.multiply(k).toAffine();
2075
+ var r = modN(q.x);
2076
+ if (r === _0n4) return;
2077
+ var s = modN(ik * modN(m + r * d));
2078
+ if (s === _0n4) return;
2079
+ var recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n4);
2080
+ var normS = s;
2081
+ if (lowS && isBiggerThanHalfOrder(s)) {
2082
+ normS = normalizeS(s);
2083
+ recovery ^= 1;
2084
+ }
2085
+ return new Signature(r, normS, recovery);
2086
+ }
2087
+ return {
2088
+ seed: seed,
2089
+ k2sig: k2sig
2090
+ };
2091
+ };
2092
+ var sign = function sign(msgHash, privKey) {
2093
+ var opts = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : defaultSigOpts;
2094
+ var _prepSig = prepSig(msgHash, privKey, opts), seed = _prepSig.seed, k2sig = _prepSig.k2sig;
2095
+ var C = CURVE;
2096
+ var drbg = createHmacDrbg(C.hash.outputLen, C.nByteLength, C.hmac);
2097
+ return drbg(seed, k2sig);
2098
+ };
2099
+ var verify = function verify(signature, msgHash, publicKey) {
2100
+ var opts = arguments.length > 3 && arguments[3] !== void 0 ? arguments[3] : defaultVerOpts;
2101
+ var _Point_BASE_multiplyAndAddUnsafe;
2102
+ var sg = signature;
2103
+ msgHash = ensureBytes("msgHash", msgHash);
2104
+ publicKey = ensureBytes("publicKey", publicKey);
2105
+ if ("strict" in opts) throw new Error("options.strict was renamed to lowS");
2106
+ var lowS = opts.lowS, prehash = opts.prehash;
2107
+ var _sig = void 0;
2108
+ var P;
2109
+ try {
2110
+ if (typeof sg === "string" || _instanceof(sg, Uint8Array)) {
2111
+ try {
2112
+ _sig = Signature.fromDER(sg);
2113
+ } catch (derError) {
2114
+ if (!_instanceof(derError, DER.Err)) throw derError;
2115
+ _sig = Signature.fromCompact(sg);
2116
+ }
2117
+ } else if (typeof sg === "object" && _type_of(sg.r) === "bigint" && _type_of(sg.s) === "bigint") {
2118
+ var r2 = sg.r, s2 = sg.s;
2119
+ _sig = new Signature(r2, s2);
2120
+ } else {
2121
+ throw new Error("PARSE");
2122
+ }
2123
+ P = Point.fromHex(publicKey);
2124
+ } catch (error) {
2125
+ if (error.message === "PARSE") throw new Error("signature must be Signature instance, Uint8Array or hex string");
2126
+ return false;
2127
+ }
2128
+ if (lowS && _sig.hasHighS()) return false;
2129
+ if (prehash) msgHash = CURVE.hash(msgHash);
2130
+ var r = _sig.r, s = _sig.s;
2131
+ var h = bits2int_modN(msgHash);
2132
+ var is = invN(s);
2133
+ var u1 = modN(h * is);
2134
+ var u2 = modN(r * is);
2135
+ var R = (_Point_BASE_multiplyAndAddUnsafe = Point.BASE.multiplyAndAddUnsafe(P, u1, u2)) === null || _Point_BASE_multiplyAndAddUnsafe === void 0 ? void 0 : _Point_BASE_multiplyAndAddUnsafe.toAffine();
2136
+ if (!R) return false;
2137
+ var v = modN(R.x);
2138
+ return v === r;
2139
+ };
2140
+ var CURVE = validateOpts(curveDef);
2141
+ var Fp = CURVE.Fp, CURVE_ORDER = CURVE.n;
2142
+ var compressedLen = Fp.BYTES + 1;
2143
+ var uncompressedLen = 2 * Fp.BYTES + 1;
2144
+ var _weierstrassPoints = weierstrassPoints(_object_spread_props(_object_spread({}, CURVE), {
2145
+ toBytes: function toBytes(c, point, isCompressed) {
2146
+ var a = point.toAffine();
2147
+ var x2 = Fp.toBytes(a.x);
2148
+ var cat = concatBytes;
2149
+ if (isCompressed) {
2150
+ return cat(Uint8Array.from([
2151
+ point.hasEvenY() ? 2 : 3
2152
+ ]), x2);
2153
+ } else {
2154
+ return cat(Uint8Array.from([
2155
+ 4
2156
+ ]), x2, Fp.toBytes(a.y));
2157
+ }
2158
+ },
2159
+ fromBytes: function fromBytes(bytes) {
2160
+ var len = bytes.length;
2161
+ var head = bytes[0];
2162
+ var tail = bytes.subarray(1);
2163
+ if (len === compressedLen && (head === 2 || head === 3)) {
2164
+ var x2 = bytesToNumberBE(tail);
2165
+ if (!isValidFieldElement(x2)) throw new Error("Point is not on curve");
2166
+ var y2 = weierstrassEquation(x2);
2167
+ var y = Fp.sqrt(y2);
2168
+ var isYOdd = (y & _1n4) === _1n4;
2169
+ var isHeadOdd = (head & 1) === 1;
2170
+ if (isHeadOdd !== isYOdd) y = Fp.neg(y);
2171
+ return {
2172
+ x: x2,
2173
+ y: y
2174
+ };
2175
+ } else if (len === uncompressedLen && head === 4) {
2176
+ var x21 = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
2177
+ var y1 = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
2178
+ return {
2179
+ x: x21,
2180
+ y: y1
2181
+ };
2182
+ } else {
2183
+ throw new Error("Point of length ".concat(len, " was invalid. Expected ").concat(compressedLen, " compressed bytes or ").concat(uncompressedLen, " uncompressed bytes"));
2184
+ }
2185
+ }
2186
+ })), Point = _weierstrassPoints.ProjectivePoint, normPrivateKeyToScalar = _weierstrassPoints.normPrivateKeyToScalar, weierstrassEquation = _weierstrassPoints.weierstrassEquation, isWithinCurveOrder = _weierstrassPoints.isWithinCurveOrder;
2187
+ var numToNByteStr = function(num) {
2188
+ return bytesToHex(numberToBytesBE(num, CURVE.nByteLength));
2189
+ };
2190
+ var slcNum = function(b, from, to) {
2191
+ return bytesToNumberBE(b.slice(from, to));
2192
+ };
2193
+ var Signature = /*#__PURE__*/ function() {
2194
+ function Signature(r, s, recovery) {
2195
+ _class_call_check(this, Signature);
2196
+ this.r = r;
2197
+ this.s = s;
2198
+ this.recovery = recovery;
2199
+ this.assertValidity();
2200
+ }
2201
+ _create_class(Signature, [
2202
+ {
2203
+ key: "assertValidity",
2204
+ value: function assertValidity() {
2205
+ if (!isWithinCurveOrder(this.r)) throw new Error("r must be 0 < r < CURVE.n");
2206
+ if (!isWithinCurveOrder(this.s)) throw new Error("s must be 0 < s < CURVE.n");
2207
+ }
2208
+ },
2209
+ {
2210
+ key: "addRecoveryBit",
2211
+ value: function addRecoveryBit(recovery) {
2212
+ return new Signature(this.r, this.s, recovery);
2213
+ }
2214
+ },
2215
+ {
2216
+ key: "recoverPublicKey",
2217
+ value: function recoverPublicKey(msgHash) {
2218
+ var _this = this, r = _this.r, s = _this.s, rec = _this.recovery;
2219
+ var h = bits2int_modN(ensureBytes("msgHash", msgHash));
2220
+ if (rec == null || ![
2221
+ 0,
2222
+ 1,
2223
+ 2,
2224
+ 3
2225
+ ].includes(rec)) throw new Error("recovery id invalid");
2226
+ var radj = rec === 2 || rec === 3 ? r + CURVE.n : r;
2227
+ if (radj >= Fp.ORDER) throw new Error("recovery id 2 or 3 invalid");
2228
+ var prefix = (rec & 1) === 0 ? "02" : "03";
2229
+ var R = Point.fromHex(prefix + numToNByteStr(radj));
2230
+ var ir = invN(radj);
2231
+ var u1 = modN(-h * ir);
2232
+ var u2 = modN(s * ir);
2233
+ var Q = Point.BASE.multiplyAndAddUnsafe(R, u1, u2);
2234
+ if (!Q) throw new Error("point at infinify");
2235
+ Q.assertValidity();
2236
+ return Q;
2237
+ }
2238
+ },
2239
+ {
2240
+ // Signatures should be low-s, to prevent malleability.
2241
+ key: "hasHighS",
2242
+ value: function hasHighS() {
2243
+ return isBiggerThanHalfOrder(this.s);
2244
+ }
2245
+ },
2246
+ {
2247
+ key: "normalizeS",
2248
+ value: function normalizeS() {
2249
+ return this.hasHighS() ? new Signature(this.r, modN(-this.s), this.recovery) : this;
2250
+ }
2251
+ },
2252
+ {
2253
+ // DER-encoded
2254
+ key: "toDERRawBytes",
2255
+ value: function toDERRawBytes() {
2256
+ return hexToBytes(this.toDERHex());
2257
+ }
2258
+ },
2259
+ {
2260
+ key: "toDERHex",
2261
+ value: function toDERHex() {
2262
+ return DER.hexFromSig({
2263
+ r: this.r,
2264
+ s: this.s
2265
+ });
2266
+ }
2267
+ },
2268
+ {
2269
+ // padded bytes of r, then padded bytes of s
2270
+ key: "toCompactRawBytes",
2271
+ value: function toCompactRawBytes() {
2272
+ return hexToBytes(this.toCompactHex());
2273
+ }
2274
+ },
2275
+ {
2276
+ key: "toCompactHex",
2277
+ value: function toCompactHex() {
2278
+ return numToNByteStr(this.r) + numToNByteStr(this.s);
2279
+ }
2280
+ }
2281
+ ], [
2282
+ {
2283
+ key: "fromCompact",
2284
+ value: // pair (bytes of r, bytes of s)
2285
+ function fromCompact(hex) {
2286
+ var l = CURVE.nByteLength;
2287
+ hex = ensureBytes("compactSignature", hex, l * 2);
2288
+ return new Signature(slcNum(hex, 0, l), slcNum(hex, l, 2 * l));
2289
+ }
2290
+ },
2291
+ {
2292
+ key: "fromDER",
2293
+ value: // DER encoded ECDSA signature
2294
+ // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
2295
+ function fromDER(hex) {
2296
+ var _DER_toSig = DER.toSig(ensureBytes("DER", hex)), r = _DER_toSig.r, s = _DER_toSig.s;
2297
+ return new Signature(r, s);
2298
+ }
2299
+ }
2300
+ ]);
2301
+ return Signature;
2302
+ }();
2303
+ var utils = {
2304
+ isValidPrivateKey: function isValidPrivateKey(privateKey) {
2305
+ try {
2306
+ normPrivateKeyToScalar(privateKey);
2307
+ return true;
2308
+ } catch (error) {
2309
+ return false;
2310
+ }
2311
+ },
2312
+ normPrivateKeyToScalar: normPrivateKeyToScalar,
2313
+ /**
2314
+ * Produces cryptographically secure private key from random of size (nBitLength+64)
2315
+ * as per FIPS 186 B.4.1 with modulo bias being neglible.
2316
+ */ randomPrivateKey: function() {
2317
+ var rand = CURVE.randomBytes(Fp.BYTES + 8);
2318
+ var num = hashToPrivateScalar(rand, CURVE_ORDER);
2319
+ return numberToBytesBE(num, CURVE.nByteLength);
2320
+ },
2321
+ /**
2322
+ * Creates precompute table for an arbitrary EC point. Makes point "cached".
2323
+ * Allows to massively speed-up `point.multiply(scalar)`.
2324
+ * @returns cached point
2325
+ * @example
2326
+ * const fast = utils.precompute(8, ProjectivePoint.fromHex(someonesPubKey));
2327
+ * fast.multiply(privKey); // much faster ECDH now
2328
+ */ precompute: function precompute() {
2329
+ var windowSize = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : 8, point = arguments.length > 1 && arguments[1] !== void 0 ? arguments[1] : Point.BASE;
2330
+ point._setWindowSize(windowSize);
2331
+ point.multiply(BigInt(3));
2332
+ return point;
2333
+ }
2334
+ };
2335
+ var bits2int = CURVE.bits2int || function(bytes) {
2336
+ var num = bytesToNumberBE(bytes);
2337
+ var delta = bytes.length * 8 - CURVE.nBitLength;
2338
+ return delta > 0 ? num >> BigInt(delta) : num;
2339
+ };
2340
+ var bits2int_modN = CURVE.bits2int_modN || function(bytes) {
2341
+ return modN(bits2int(bytes));
2342
+ };
2343
+ var ORDER_MASK = bitMask(CURVE.nBitLength);
2344
+ var defaultSigOpts = {
2345
+ lowS: CURVE.lowS,
2346
+ prehash: false
2347
+ };
2348
+ var defaultVerOpts = {
2349
+ lowS: CURVE.lowS,
2350
+ prehash: false
2351
+ };
2352
+ Point.BASE._setWindowSize(8);
2353
+ return {
2354
+ CURVE: CURVE,
2355
+ getPublicKey: getPublicKey,
2356
+ getSharedSecret: getSharedSecret,
2357
+ sign: sign,
2358
+ verify: verify,
2359
+ ProjectivePoint: Point,
2360
+ Signature: Signature,
2361
+ utils: utils
2362
+ };
2363
+ }
2364
+ // src/sm2/rng.ts
2365
+ var DEFAULT_PRNG_POOL_SIZE = 16384;
2366
+ var prngPool = new Uint8Array(0);
2367
+ var _syncCrypto;
2368
+ function initRNGPool() {
2369
+ return _initRNGPool.apply(this, arguments);
2370
+ }
2371
+ function _initRNGPool() {
2372
+ _initRNGPool = _async_to_generator(function() {
2373
+ var crypto, array, error;
2374
+ return _ts_generator(this, function(_state) {
2375
+ switch(_state.label){
2376
+ case 0:
2377
+ if ("crypto" in globalThis) {
2378
+ _syncCrypto = globalThis.crypto;
2379
+ return [
2380
+ 2
2381
+ ];
2382
+ }
2383
+ if (prngPool.length > DEFAULT_PRNG_POOL_SIZE / 2) return [
2384
+ 2
2385
+ ];
2386
+ if (!("wx" in globalThis && "getRandomValues" in globalThis.wx)) return [
2387
+ 3,
2388
+ 2
2389
+ ];
2390
+ return [
2391
+ 4,
2392
+ new Promise(function(r) {
2393
+ wx.getRandomValues({
2394
+ length: DEFAULT_PRNG_POOL_SIZE,
2395
+ success: function success(res) {
2396
+ r(new Uint8Array(res.randomValues));
2397
+ }
2398
+ });
2399
+ })
2400
+ ];
2401
+ case 1:
2402
+ prngPool = _state.sent();
2403
+ return [
2404
+ 3,
2405
+ 7
2406
+ ];
2407
+ case 2:
2408
+ _state.trys.push([
2409
+ 2,
2410
+ 6,
2411
+ ,
2412
+ 7
2413
+ ]);
2414
+ if (!globalThis.crypto) return [
2415
+ 3,
2416
+ 3
2417
+ ];
2418
+ _syncCrypto = globalThis.crypto;
2419
+ return [
2420
+ 3,
2421
+ 5
2422
+ ];
2423
+ case 3:
2424
+ return [
2425
+ 4,
2426
+ Promise.resolve().then(function() {
2427
+ return __toESM(require(/* webpackIgnore: true */ "crypto"));
2428
+ })
2429
+ ];
2430
+ case 4:
2431
+ crypto = _state.sent();
2432
+ _syncCrypto = crypto.webcrypto;
2433
+ _state.label = 5;
2434
+ case 5:
2435
+ array = new Uint8Array(DEFAULT_PRNG_POOL_SIZE);
2436
+ _syncCrypto.getRandomValues(array);
2437
+ prngPool = array;
2438
+ return [
2439
+ 3,
2440
+ 7
2441
+ ];
2442
+ case 6:
2443
+ error = _state.sent();
2444
+ throw new Error("no available csprng, abort.");
2445
+ case 7:
2446
+ return [
2447
+ 2
2448
+ ];
2449
+ }
2450
+ });
2451
+ });
2452
+ return _initRNGPool.apply(this, arguments);
2453
+ }
2454
+ initRNGPool();
2455
+ function consumePool(length) {
2456
+ if (prngPool.length > length) {
2457
+ var prng = prngPool.slice(0, length);
2458
+ prngPool = prngPool.slice(length);
2459
+ initRNGPool();
2460
+ return prng;
2461
+ } else {
2462
+ throw new Error("random number pool is not ready or insufficient, prevent getting too long random values or too often.");
2463
+ }
2464
+ }
2465
+ function randomBytes() {
2466
+ var length = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : 0;
2467
+ var array = new Uint8Array(length);
2468
+ if (_syncCrypto) {
2469
+ return _syncCrypto.getRandomValues(array);
2470
+ } else {
2471
+ var result = consumePool(length);
2472
+ return result;
2473
+ }
2474
+ }
2475
+ // src/sm3/utils.ts
2476
+ var u8a2 = function(a) {
2477
+ return _instanceof(a, Uint8Array);
2478
+ };
2479
+ var createView = function(arr) {
2480
+ return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
2481
+ };
2482
+ var isLE = new Uint8Array(new Uint32Array([
2483
+ 287454020
2484
+ ]).buffer)[0] === 68;
2485
+ if (!isLE) throw new Error("Non little-endian hardware is not supported");
2486
+ var hexes2 = Array.from({
2487
+ length: 256
2488
+ }, function(v, i) {
2489
+ return i.toString(16).padStart(2, "0");
2490
+ });
2491
+ function bytesToHex2(bytes) {
2492
+ if (!u8a2(bytes)) throw new Error("Uint8Array expected");
2493
+ var hex = "";
2494
+ for(var i = 0; i < bytes.length; i++){
2495
+ hex += hexes2[bytes[i]];
2496
+ }
2497
+ return hex;
2498
+ }
2499
+ function utf8ToBytes2(str) {
2500
+ if (typeof str !== "string") throw new Error("utf8ToBytes expected string, got ".concat(typeof str === "undefined" ? "undefined" : _type_of(str)));
2501
+ return new Uint8Array(new TextEncoder().encode(str));
2502
+ }
2503
+ function toBytes(data) {
2504
+ if (typeof data === "string") data = utf8ToBytes2(data);
2505
+ if (!u8a2(data)) throw new Error("expected Uint8Array, got ".concat(typeof data === "undefined" ? "undefined" : _type_of(data)));
2506
+ return data;
2507
+ }
2508
+ var Hash = /*#__PURE__*/ function() {
2509
+ function Hash() {
2510
+ _class_call_check(this, Hash);
2511
+ }
2512
+ _create_class(Hash, [
2513
+ {
2514
+ // Safe version that clones internal state
2515
+ key: "clone",
2516
+ value: function clone() {
2517
+ return this._cloneInto();
2518
+ }
2519
+ }
2520
+ ]);
2521
+ return Hash;
2522
+ }();
2523
+ function wrapConstructor(hashCons) {
2524
+ var hashC = function(msg) {
2525
+ return hashCons().update(toBytes(msg)).digest();
2526
+ };
2527
+ var tmp2 = hashCons();
2528
+ hashC.outputLen = tmp2.outputLen;
2529
+ hashC.blockLen = tmp2.blockLen;
2530
+ hashC.create = function() {
2531
+ return hashCons();
2532
+ };
2533
+ return hashC;
2534
+ }
2535
+ // src/sm2/sm3.ts
2536
+ var BoolA = function(A, B, C) {
2537
+ return A & B | A & C | B & C;
2538
+ };
2539
+ var BoolB = function(A, B, C) {
2540
+ return A ^ B ^ C;
2541
+ };
2542
+ var BoolC = function(A, B, C) {
2543
+ return A & B | ~A & C;
2544
+ };
2545
+ function setBigUint64(view, byteOffset, value, isLE2) {
2546
+ if (typeof view.setBigUint64 === "function") return view.setBigUint64(byteOffset, value, isLE2);
2547
+ var _32n = BigInt(32);
2548
+ var _u32_max = BigInt(4294967295);
2549
+ var wh = Number(value >> _32n & _u32_max);
2550
+ var wl = Number(value & _u32_max);
2551
+ var h = isLE2 ? 4 : 0;
2552
+ var l = isLE2 ? 0 : 4;
2553
+ view.setUint32(byteOffset + h, wh, isLE2);
2554
+ view.setUint32(byteOffset + l, wl, isLE2);
2555
+ }
2556
+ function rotl(x2, n) {
2557
+ var s = n & 31;
2558
+ return x2 << s | x2 >>> 32 - s;
2559
+ }
2560
+ function P0(X) {
2561
+ return X ^ rotl(X, 9) ^ rotl(X, 17);
2562
+ }
2563
+ function P1(X) {
2564
+ return X ^ rotl(X, 15) ^ rotl(X, 23);
2565
+ }
2566
+ var SHA2 = /*#__PURE__*/ function(Hash) {
2567
+ _inherits(SHA2, Hash);
2568
+ var _super = _create_super(SHA2);
2569
+ function SHA2(blockLen, outputLen, padOffset, isLE2) {
2570
+ _class_call_check(this, SHA2);
2571
+ var _this;
2572
+ _this = _super.call(this);
2573
+ _this.blockLen = blockLen;
2574
+ _this.outputLen = outputLen;
2575
+ _this.padOffset = padOffset;
2576
+ _this.isLE = isLE2;
2577
+ // For partial updates less than block size
2578
+ __publicField(_assert_this_initialized(_this), "buffer");
2579
+ __publicField(_assert_this_initialized(_this), "view");
2580
+ __publicField(_assert_this_initialized(_this), "finished", false);
2581
+ __publicField(_assert_this_initialized(_this), "length", 0);
2582
+ __publicField(_assert_this_initialized(_this), "pos", 0);
2583
+ __publicField(_assert_this_initialized(_this), "destroyed", false);
2584
+ _this.buffer = new Uint8Array(blockLen);
2585
+ _this.view = createView(_this.buffer);
2586
+ return _this;
2587
+ }
2588
+ _create_class(SHA2, [
2589
+ {
2590
+ key: "update",
2591
+ value: function update(data) {
2592
+ var _this = this, view = _this.view, buffer = _this.buffer, blockLen = _this.blockLen;
2593
+ data = toBytes(data);
2594
+ var len = data.length;
2595
+ for(var pos = 0; pos < len;){
2596
+ var take = Math.min(blockLen - this.pos, len - pos);
2597
+ if (take === blockLen) {
2598
+ var dataView = createView(data);
2599
+ for(; blockLen <= len - pos; pos += blockLen)this.process(dataView, pos);
2600
+ continue;
2601
+ }
2602
+ buffer.set(data.subarray(pos, pos + take), this.pos);
2603
+ this.pos += take;
2604
+ pos += take;
2605
+ if (this.pos === blockLen) {
2606
+ this.process(view, 0);
2607
+ this.pos = 0;
2608
+ }
2609
+ }
2610
+ this.length += data.length;
2611
+ this.roundClean();
2612
+ return this;
2613
+ }
2614
+ },
2615
+ {
2616
+ key: "digestInto",
2617
+ value: function digestInto(out) {
2618
+ this.finished = true;
2619
+ var _this = this, buffer = _this.buffer, view = _this.view, blockLen = _this.blockLen, isLE2 = _this.isLE;
2620
+ var pos = this.pos;
2621
+ buffer[pos++] = 128;
2622
+ this.buffer.subarray(pos).fill(0);
2623
+ if (this.padOffset > blockLen - pos) {
2624
+ this.process(view, 0);
2625
+ pos = 0;
2626
+ }
2627
+ for(var i = pos; i < blockLen; i++)buffer[i] = 0;
2628
+ setBigUint64(view, blockLen - 8, BigInt(this.length * 8), isLE2);
2629
+ this.process(view, 0);
2630
+ var oview = createView(out);
2631
+ var len = this.outputLen;
2632
+ if (len % 4) throw new Error("_sha2: outputLen should be aligned to 32bit");
2633
+ var outLen = len / 4;
2634
+ var state = this.get();
2635
+ if (outLen > state.length) throw new Error("_sha2: outputLen bigger than state");
2636
+ for(var i1 = 0; i1 < outLen; i1++)oview.setUint32(4 * i1, state[i1], isLE2);
2637
+ }
2638
+ },
2639
+ {
2640
+ key: "digest",
2641
+ value: function digest() {
2642
+ var _this = this, buffer = _this.buffer, outputLen = _this.outputLen;
2643
+ this.digestInto(buffer);
2644
+ var res = buffer.slice(0, outputLen);
2645
+ this.destroy();
2646
+ return res;
2647
+ }
2648
+ },
2649
+ {
2650
+ key: "_cloneInto",
2651
+ value: function _cloneInto(to) {
2652
+ var _to;
2653
+ to || (to = new this.constructor());
2654
+ (_to = to).set.apply(_to, _to_consumable_array(this.get()));
2655
+ var _this = this, blockLen = _this.blockLen, buffer = _this.buffer, length = _this.length, finished = _this.finished, destroyed = _this.destroyed, pos = _this.pos;
2656
+ to.length = length;
2657
+ to.pos = pos;
2658
+ to.finished = finished;
2659
+ to.destroyed = destroyed;
2660
+ if (length % blockLen) to.buffer.set(buffer);
2661
+ return to;
2662
+ }
2663
+ }
2664
+ ]);
2665
+ return SHA2;
2666
+ }(Hash);
2667
+ var IV = new Uint32Array([
2668
+ 1937774191,
2669
+ 1226093241,
2670
+ 388252375,
2671
+ 3666478592,
2672
+ 2842636476,
2673
+ 372324522,
2674
+ 3817729613,
2675
+ 2969243214
2676
+ ]);
2677
+ var SM3_W = new Uint32Array(68);
2678
+ var SM3_M = new Uint32Array(64);
2679
+ var T1 = 2043430169;
2680
+ var T2 = 2055708042;
2681
+ var SM3 = /*#__PURE__*/ function(SHA2) {
2682
+ _inherits(SM3, SHA2);
2683
+ var _super = _create_super(SM3);
2684
+ function SM3() {
2685
+ _class_call_check(this, SM3);
2686
+ var _this;
2687
+ _this = _super.call(this, 64, 32, 8, false);
2688
+ // We cannot use array here since array allows indexing by variable
2689
+ // which means optimizer/compiler cannot use registers.
2690
+ __publicField(_assert_this_initialized(_this), "A", IV[0] | 0);
2691
+ __publicField(_assert_this_initialized(_this), "B", IV[1] | 0);
2692
+ __publicField(_assert_this_initialized(_this), "C", IV[2] | 0);
2693
+ __publicField(_assert_this_initialized(_this), "D", IV[3] | 0);
2694
+ __publicField(_assert_this_initialized(_this), "E", IV[4] | 0);
2695
+ __publicField(_assert_this_initialized(_this), "F", IV[5] | 0);
2696
+ __publicField(_assert_this_initialized(_this), "G", IV[6] | 0);
2697
+ __publicField(_assert_this_initialized(_this), "H", IV[7] | 0);
2698
+ return _this;
2699
+ }
2700
+ _create_class(SM3, [
2701
+ {
2702
+ key: "get",
2703
+ value: function get() {
2704
+ var _this = this, A = _this.A, B = _this.B, C = _this.C, D = _this.D, E = _this.E, F = _this.F, G = _this.G, H = _this.H;
2705
+ return [
2706
+ A,
2707
+ B,
2708
+ C,
2709
+ D,
2710
+ E,
2711
+ F,
2712
+ G,
2713
+ H
2714
+ ];
2715
+ }
2716
+ },
2717
+ {
2718
+ // prettier-ignore
2719
+ key: "set",
2720
+ value: function set(A, B, C, D, E, F, G, H) {
2721
+ this.A = A | 0;
2722
+ this.B = B | 0;
2723
+ this.C = C | 0;
2724
+ this.D = D | 0;
2725
+ this.E = E | 0;
2726
+ this.F = F | 0;
2727
+ this.G = G | 0;
2728
+ this.H = H | 0;
2729
+ }
2730
+ },
2731
+ {
2732
+ key: "process",
2733
+ value: function process(view, offset) {
2734
+ for(var i = 0; i < 16; i++, offset += 4)SM3_W[i] = view.getUint32(offset, false);
2735
+ for(var i1 = 16; i1 < 68; i1++){
2736
+ SM3_W[i1] = P1(SM3_W[i1 - 16] ^ SM3_W[i1 - 9] ^ rotl(SM3_W[i1 - 3], 15)) ^ rotl(SM3_W[i1 - 13], 7) ^ SM3_W[i1 - 6];
2737
+ }
2738
+ for(var i2 = 0; i2 < 64; i2++){
2739
+ SM3_M[i2] = SM3_W[i2] ^ SM3_W[i2 + 4];
2740
+ }
2741
+ var _this = this, A = _this.A, B = _this.B, C = _this.C, D = _this.D, E = _this.E, F = _this.F, G = _this.G, H = _this.H;
2742
+ for(var j = 0; j < 64; j++){
2743
+ var small = j >= 0 && j <= 15;
2744
+ var T = small ? T1 : T2;
2745
+ var SS1 = rotl(rotl(A, 12) + E + rotl(T, j), 7);
2746
+ var SS2 = SS1 ^ rotl(A, 12);
2747
+ var TT1 = (small ? BoolB(A, B, C) : BoolA(A, B, C)) + D + SS2 + SM3_M[j] | 0;
2748
+ var TT2 = (small ? BoolB(E, F, G) : BoolC(E, F, G)) + H + SS1 + SM3_W[j] | 0;
2749
+ D = C;
2750
+ C = rotl(B, 9);
2751
+ B = A;
2752
+ A = TT1;
2753
+ H = G;
2754
+ G = rotl(F, 19);
2755
+ F = E;
2756
+ E = P0(TT2);
2757
+ }
2758
+ A = A ^ this.A | 0;
2759
+ B = B ^ this.B | 0;
2760
+ C = C ^ this.C | 0;
2761
+ D = D ^ this.D | 0;
2762
+ E = E ^ this.E | 0;
2763
+ F = F ^ this.F | 0;
2764
+ G = G ^ this.G | 0;
2765
+ H = H ^ this.H | 0;
2766
+ this.set(A, B, C, D, E, F, G, H);
2767
+ }
2768
+ },
2769
+ {
2770
+ key: "roundClean",
2771
+ value: function roundClean() {
2772
+ SM3_W.fill(0);
2773
+ }
2774
+ },
2775
+ {
2776
+ key: "destroy",
2777
+ value: function destroy() {
2778
+ this.set(0, 0, 0, 0, 0, 0, 0, 0);
2779
+ this.buffer.fill(0);
2780
+ }
2781
+ }
2782
+ ]);
2783
+ return SM3;
2784
+ }(SHA2);
2785
+ var sm3 = wrapConstructor(function() {
2786
+ return new SM3();
2787
+ });
2788
+ // src/sm2/hmac.ts
2789
+ var HMAC = /*#__PURE__*/ function(Hash) {
2790
+ _inherits(HMAC, Hash);
2791
+ var _super = _create_super(HMAC);
2792
+ function HMAC(hash, _key) {
2793
+ _class_call_check(this, HMAC);
2794
+ var _this;
2795
+ _this = _super.call(this);
2796
+ __publicField(_assert_this_initialized(_this), "oHash");
2797
+ __publicField(_assert_this_initialized(_this), "iHash");
2798
+ __publicField(_assert_this_initialized(_this), "blockLen");
2799
+ __publicField(_assert_this_initialized(_this), "outputLen");
2800
+ __publicField(_assert_this_initialized(_this), "finished", false);
2801
+ __publicField(_assert_this_initialized(_this), "destroyed", false);
2802
+ var key = toBytes(_key);
2803
+ _this.iHash = hash.create();
2804
+ if (typeof _this.iHash.update !== "function") throw new Error("Expected instance of class which extends utils.Hash");
2805
+ _this.blockLen = _this.iHash.blockLen;
2806
+ _this.outputLen = _this.iHash.outputLen;
2807
+ var blockLen = _this.blockLen;
2808
+ var pad = new Uint8Array(blockLen);
2809
+ pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
2810
+ for(var i = 0; i < pad.length; i++)pad[i] ^= 54;
2811
+ _this.iHash.update(pad);
2812
+ _this.oHash = hash.create();
2813
+ for(var i1 = 0; i1 < pad.length; i1++)pad[i1] ^= 54 ^ 92;
2814
+ _this.oHash.update(pad);
2815
+ pad.fill(0);
2816
+ return _this;
2817
+ }
2818
+ _create_class(HMAC, [
2819
+ {
2820
+ key: "update",
2821
+ value: function update(buf) {
2822
+ this.iHash.update(buf);
2823
+ return this;
2824
+ }
2825
+ },
2826
+ {
2827
+ key: "digestInto",
2828
+ value: function digestInto(out) {
2829
+ this.finished = true;
2830
+ this.iHash.digestInto(out);
2831
+ this.oHash.update(out);
2832
+ this.oHash.digestInto(out);
2833
+ this.destroy();
2834
+ }
2835
+ },
2836
+ {
2837
+ key: "digest",
2838
+ value: function digest() {
2839
+ var out = new Uint8Array(this.oHash.outputLen);
2840
+ this.digestInto(out);
2841
+ return out;
2842
+ }
2843
+ },
2844
+ {
2845
+ key: "_cloneInto",
2846
+ value: function _cloneInto(to) {
2847
+ to || (to = Object.create(Object.getPrototypeOf(this), {}));
2848
+ var _this = this, oHash = _this.oHash, iHash = _this.iHash, finished = _this.finished, destroyed = _this.destroyed, blockLen = _this.blockLen, outputLen = _this.outputLen;
2849
+ to = to;
2850
+ to.finished = finished;
2851
+ to.destroyed = destroyed;
2852
+ to.blockLen = blockLen;
2853
+ to.outputLen = outputLen;
2854
+ to.oHash = oHash._cloneInto(to.oHash);
2855
+ to.iHash = iHash._cloneInto(to.iHash);
2856
+ return to;
2857
+ }
2858
+ },
2859
+ {
2860
+ key: "destroy",
2861
+ value: function destroy() {
2862
+ this.destroyed = true;
2863
+ this.oHash.destroy();
2864
+ this.iHash.destroy();
2865
+ }
2866
+ }
2867
+ ]);
2868
+ return HMAC;
2869
+ }(Hash);
2870
+ var hmac = function(hash, key, message) {
2871
+ return new HMAC(hash, key).update(message).digest();
2872
+ };
2873
+ hmac.create = function(hash, key) {
2874
+ return new HMAC(hash, key);
2875
+ };
2876
+ // src/sm2/ec.ts
2877
+ var sm2Fp = Field(BigInt("115792089210356248756420345214020892766250353991924191454421193933289684991999"));
2878
+ var sm2Curve = weierstrass({
2879
+ // sm2: short weierstrass.
2880
+ a: BigInt("115792089210356248756420345214020892766250353991924191454421193933289684991996"),
2881
+ b: BigInt("18505919022281880113072981827955639221458448578012075254857346196103069175443"),
2882
+ Fp: sm2Fp,
2883
+ h: ONE,
2884
+ n: BigInt("115792089210356248756420345214020892766061623724957744567843809356293439045923"),
2885
+ Gx: BigInt("22963146547237050559479531362550074578802567295341616970375194840604139615431"),
2886
+ Gy: BigInt("85132369209828568825618990617112496413088388631904505083283536607588877201568"),
2887
+ hash: sm3,
2888
+ hmac: function(key) {
2889
+ for(var _len = arguments.length, msgs = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++){
2890
+ msgs[_key - 1] = arguments[_key];
2891
+ }
2892
+ return hmac(sm3, key, concatBytes.apply(void 0, _to_consumable_array(msgs)));
2893
+ },
2894
+ randomBytes: randomBytes
2895
+ });
2896
+ var field = Field(BigInt(sm2Curve.CURVE.n));
2897
+ // src/sm2/utils.ts
2898
+ function generateKeyPairHex(str) {
2899
+ var privateKey = str ? numberToBytesBE(mod(BigInt(str), ONE) + ONE, 32) : sm2Curve.utils.randomPrivateKey();
2900
+ var publicKey = sm2Curve.getPublicKey(privateKey, false);
2901
+ var privPad = leftPad(bytesToHex(privateKey), 64);
2902
+ var pubPad = leftPad(bytesToHex(publicKey), 64);
2903
+ return {
2904
+ privateKey: privPad,
2905
+ publicKey: pubPad
2906
+ };
2907
+ }
2908
+ function compressPublicKeyHex(s) {
2909
+ if (s.length !== 130) throw new Error("Invalid public key to compress");
2910
+ var len = (s.length - 2) / 2;
2911
+ var xHex = s.substring(2, 2 + len);
2912
+ var y = hexToNumber(s.substring(len + 2, len + len + 2));
2913
+ var prefix = "03";
2914
+ if (mod(y, TWO) === ZERO) prefix = "02";
2915
+ return prefix + xHex;
2916
+ }
2917
+ function utf8ToHex(input) {
2918
+ input = decodeURIComponent(encodeURIComponent(input));
2919
+ var length = input.length;
2920
+ var words = new Uint32Array((length >>> 2) + 1);
2921
+ for(var i = 0; i < length; i++){
2922
+ words[i >>> 2] |= (input.charCodeAt(i) & 255) << 24 - i % 4 * 8;
2923
+ }
2924
+ var hexChars = [];
2925
+ for(var i1 = 0; i1 < length; i1++){
2926
+ var bite = words[i1 >>> 2] >>> 24 - i1 % 4 * 8 & 255;
2927
+ hexChars.push((bite >>> 4).toString(16));
2928
+ hexChars.push((bite & 15).toString(16));
2929
+ }
2930
+ return hexChars.join("");
2931
+ }
2932
+ function leftPad(input, num) {
2933
+ if (input.length >= num) return input;
2934
+ return new Array(num - input.length + 1).join("0") + input;
2935
+ }
2936
+ function arrayToHex(arr) {
2937
+ return arr.map(function(item) {
2938
+ var hex = item.toString(16);
2939
+ return hex.length === 1 ? "0" + hex : hex;
2940
+ }).join("");
2941
+ }
2942
+ function arrayToUtf8(arr) {
2943
+ var str = [];
2944
+ for(var i = 0, len = arr.length; i < len; i++){
2945
+ if (arr[i] >= 240 && arr[i] <= 247) {
2946
+ str.push(String.fromCodePoint(((arr[i] & 7) << 18) + ((arr[i + 1] & 63) << 12) + ((arr[i + 2] & 63) << 6) + (arr[i + 3] & 63)));
2947
+ i += 3;
2948
+ } else if (arr[i] >= 224 && arr[i] <= 239) {
2949
+ str.push(String.fromCodePoint(((arr[i] & 15) << 12) + ((arr[i + 1] & 63) << 6) + (arr[i + 2] & 63)));
2950
+ i += 2;
2951
+ } else if (arr[i] >= 192 && arr[i] <= 223) {
2952
+ str.push(String.fromCodePoint(((arr[i] & 31) << 6) + (arr[i + 1] & 63)));
2953
+ i++;
2954
+ } else {
2955
+ str.push(String.fromCodePoint(arr[i]));
2956
+ }
2957
+ }
2958
+ return str.join("");
2959
+ }
2960
+ function hexToArray(hexStr) {
2961
+ var hexStrLength = hexStr.length;
2962
+ if (hexStrLength % 2 !== 0) {
2963
+ hexStr = leftPad(hexStr, hexStrLength + 1);
2964
+ }
2965
+ hexStrLength = hexStr.length;
2966
+ var wordLength = hexStrLength / 2;
2967
+ var words = new Uint8Array(wordLength);
2968
+ for(var i = 0; i < wordLength; i++){
2969
+ words[i] = parseInt(hexStr.substring(i * 2, i * 2 + 2), 16);
2970
+ }
2971
+ return words;
2972
+ }
2973
+ function verifyPublicKey(publicKey) {
2974
+ var point = sm2Curve.ProjectivePoint.fromHex(publicKey);
2975
+ if (!point) return false;
2976
+ try {
2977
+ point.assertValidity();
2978
+ return true;
2979
+ } catch (error) {
2980
+ return false;
2981
+ }
2982
+ }
2983
+ function comparePublicKeyHex(publicKey1, publicKey2) {
2984
+ var point1 = sm2Curve.ProjectivePoint.fromHex(publicKey1);
2985
+ if (!point1) return false;
2986
+ var point2 = sm2Curve.ProjectivePoint.fromHex(publicKey2);
2987
+ if (!point2) return false;
2988
+ return point1.equals(point2);
2989
+ }
2990
+ // src/sm2/kx.ts
2991
+ var wPow2 = hexToNumber("80000000000000000000000000000000");
2992
+ var wPow2Sub1 = hexToNumber("7fffffffffffffffffffffffffffffff");
2993
+ function hkdf(z, keylen) {
2994
+ var msg = new Uint8Array(keylen);
2995
+ var ct = 1;
2996
+ var offset = 0;
2997
+ var t = EmptyArray;
2998
+ var ctShift = new Uint8Array(4);
2999
+ var nextT = function() {
3000
+ ctShift[0] = ct >> 24 & 255;
3001
+ ctShift[1] = ct >> 16 & 255;
3002
+ ctShift[2] = ct >> 8 & 255;
3003
+ ctShift[3] = ct & 255;
3004
+ t = sm3(concatBytes(z, ctShift));
3005
+ ct++;
3006
+ offset = 0;
3007
+ };
3008
+ nextT();
3009
+ for(var i = 0, len = msg.length; i < len; i++){
3010
+ if (offset === t.length) nextT();
3011
+ msg[i] = t[offset++] & 255;
3012
+ }
3013
+ return msg;
3014
+ }
3015
+ function calculateSharedKey(keypairA, ephemeralKeypairA, publicKeyB, ephemeralPublicKeyB, sharedKeyLength) {
3016
+ var isRecipient = arguments.length > 5 && arguments[5] !== void 0 ? arguments[5] : false, idA = arguments.length > 6 && arguments[6] !== void 0 ? arguments[6] : "1234567812345678", idB = arguments.length > 7 && arguments[7] !== void 0 ? arguments[7] : "1234567812345678";
3017
+ var RA = sm2Curve.ProjectivePoint.fromHex(ephemeralKeypairA.publicKey);
3018
+ var RB = sm2Curve.ProjectivePoint.fromHex(ephemeralPublicKeyB);
3019
+ var PB = sm2Curve.ProjectivePoint.fromHex(publicKeyB);
3020
+ var ZA = getZ(keypairA.publicKey, idA);
3021
+ var ZB = getZ(publicKeyB, idB);
3022
+ if (isRecipient) {
3023
+ var ref;
3024
+ ref = [
3025
+ ZB,
3026
+ ZA
3027
+ ], ZA = ref[0], ZB = ref[1], ref;
3028
+ }
3029
+ var rA = hexToNumber(ephemeralKeypairA.privateKey);
3030
+ var dA = hexToNumber(keypairA.privateKey);
3031
+ var x1 = RA.x;
3032
+ var x1_ = wPow2 + (x1 & wPow2Sub1);
3033
+ var tA = field.add(dA, field.mulN(x1_, rA));
3034
+ var x2 = RB.x;
3035
+ var x2_ = field.add(wPow2, x2 & wPow2Sub1);
3036
+ var U = RB.multiply(x2_).add(PB).multiply(tA);
3037
+ var xU = hexToArray(leftPad(numberToHexUnpadded(U.x), 64));
3038
+ var yU = hexToArray(leftPad(numberToHexUnpadded(U.y), 64));
3039
+ var KA = hkdf(concatBytes(xU, yU, ZA, ZB), sharedKeyLength);
3040
+ return KA;
3041
+ }
3042
+ // src/sm2/index.ts
3043
+ var C1C2C3 = 0;
3044
+ var EmptyArray = new Uint8Array();
3045
+ function doEncrypt(msg, publicKey) {
3046
+ var cipherMode = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : 1, options = arguments.length > 3 ? arguments[3] : void 0;
3047
+ var msgArr = typeof msg === "string" ? hexToArray(utf8ToHex(msg)) : Uint8Array.from(msg);
3048
+ var publicKeyPoint = typeof publicKey === "string" ? sm2Curve.ProjectivePoint.fromHex(publicKey) : publicKey;
3049
+ var keypair = generateKeyPairHex();
3050
+ var k = hexToNumber(keypair.privateKey);
3051
+ var c1 = keypair.publicKey;
3052
+ if (c1.length > 128) c1 = c1.substring(c1.length - 128);
3053
+ var p = publicKeyPoint.multiply(k);
3054
+ var x2 = hexToArray(leftPad(numberToHexUnpadded(p.x), 64));
3055
+ var y2 = hexToArray(leftPad(numberToHexUnpadded(p.y), 64));
3056
+ var c3 = bytesToHex2(sm3(concatBytes(x2, msgArr, y2)));
3057
+ xorCipherStream(x2, y2, msgArr);
3058
+ var c2 = bytesToHex2(msgArr);
3059
+ if (options === null || options === void 0 ? void 0 : options.asn1) {
3060
+ var point = sm2Curve.ProjectivePoint.fromHex(keypair.publicKey);
3061
+ var encode = cipherMode === C1C2C3 ? encodeEnc(point.x, point.y, c2, c3) : encodeEnc(point.x, point.y, c3, c2);
3062
+ return encode;
3063
+ }
3064
+ return cipherMode === C1C2C3 ? c1 + c2 + c3 : c1 + c3 + c2;
3065
+ }
3066
+ function xorCipherStream(x2, y2, msg) {
3067
+ var ct = 1;
3068
+ var offset = 0;
3069
+ var t = EmptyArray;
3070
+ var ctShift = new Uint8Array(4);
3071
+ var nextT = function() {
3072
+ ctShift[0] = ct >> 24 & 255;
3073
+ ctShift[1] = ct >> 16 & 255;
3074
+ ctShift[2] = ct >> 8 & 255;
3075
+ ctShift[3] = ct & 255;
3076
+ t = sm3(concatBytes(x2, y2, ctShift));
3077
+ ct++;
3078
+ offset = 0;
3079
+ };
3080
+ nextT();
3081
+ for(var i = 0, len = msg.length; i < len; i++){
3082
+ if (offset === t.length) nextT();
3083
+ msg[i] ^= t[offset++] & 255;
3084
+ }
3085
+ }
3086
+ function doDecrypt(encryptData, privateKey) {
3087
+ var cipherMode = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : 1, _ref = arguments.length > 3 && arguments[3] !== void 0 ? arguments[3] : {}, _ref_output = _ref.output, output = _ref_output === void 0 ? "string" : _ref_output, _ref_asn1 = _ref.asn1, asn1 = _ref_asn1 === void 0 ? false : _ref_asn1;
3088
+ var privateKeyInteger = hexToNumber(privateKey);
3089
+ var c1;
3090
+ var c2;
3091
+ var c3;
3092
+ if (asn1) {
3093
+ var _decodeEnc = decodeEnc(encryptData), x3 = _decodeEnc.x, y = _decodeEnc.y, cipher = _decodeEnc.cipher, hash = _decodeEnc.hash;
3094
+ c1 = sm2Curve.ProjectivePoint.fromAffine({
3095
+ x: x3,
3096
+ y: y
3097
+ });
3098
+ c3 = hash;
3099
+ c2 = cipher;
3100
+ if (cipherMode === C1C2C3) {
3101
+ var ref;
3102
+ ref = [
3103
+ c3,
3104
+ c2
3105
+ ], c2 = ref[0], c3 = ref[1], ref;
3106
+ }
3107
+ } else {
3108
+ c1 = sm2Curve.ProjectivePoint.fromHex("04" + encryptData.substring(0, 128));
3109
+ c3 = encryptData.substring(128, 128 + 64);
3110
+ c2 = encryptData.substring(128 + 64);
3111
+ if (cipherMode === C1C2C3) {
3112
+ c3 = encryptData.substring(encryptData.length - 64);
3113
+ c2 = encryptData.substring(128, encryptData.length - 64);
3114
+ }
3115
+ }
3116
+ var msg = hexToArray(c2);
3117
+ var p = c1.multiply(privateKeyInteger);
3118
+ var x2 = hexToArray(leftPad(numberToHexUnpadded(p.x), 64));
3119
+ var y2 = hexToArray(leftPad(numberToHexUnpadded(p.y), 64));
3120
+ xorCipherStream(x2, y2, msg);
3121
+ var checkC3 = arrayToHex(Array.from(sm3(concatBytes(x2, msg, y2))));
3122
+ if (checkC3 === c3.toLowerCase()) {
3123
+ return output === "array" ? msg : arrayToUtf8(msg);
3124
+ } else {
3125
+ return output === "array" ? [] : "";
3126
+ }
3127
+ }
3128
+ function doSignature(msg, privateKey) {
3129
+ var options = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : {};
3130
+ var pointPool = options.pointPool, der = options.der, hash = options.hash, publicKey = options.publicKey, userId = options.userId;
3131
+ var hashHex = typeof msg === "string" ? utf8ToHex(msg) : arrayToHex(Array.from(msg));
3132
+ if (hash) {
3133
+ publicKey = publicKey || getPublicKeyFromPrivateKey(privateKey);
3134
+ hashHex = getHash(hashHex, publicKey, userId);
3135
+ }
3136
+ var dA = hexToNumber(privateKey);
3137
+ var e = hexToNumber(hashHex);
3138
+ var k = null;
3139
+ var r = null;
3140
+ var s = null;
3141
+ do {
3142
+ do {
3143
+ var point = void 0;
3144
+ if (pointPool && pointPool.length) {
3145
+ point = pointPool.pop();
3146
+ } else {
3147
+ point = getPoint();
3148
+ }
3149
+ k = point.k;
3150
+ r = field.add(e, point.x1);
3151
+ }while (r === ZERO || r + k === sm2Curve.CURVE.n);
3152
+ s = field.mul(field.inv(field.addN(dA, ONE)), field.subN(k, field.mulN(r, dA)));
3153
+ }while (s === ZERO);
3154
+ if (der) return encodeDer(r, s);
3155
+ return leftPad(numberToHexUnpadded(r), 64) + leftPad(numberToHexUnpadded(s), 64);
3156
+ }
3157
+ function doVerifySignature(msg, signHex, publicKey) {
3158
+ var options = arguments.length > 3 && arguments[3] !== void 0 ? arguments[3] : {};
3159
+ var hashHex;
3160
+ var hash = options.hash, der = options.der, userId = options.userId;
3161
+ var publicKeyHex = typeof publicKey === "string" ? publicKey : publicKey.toHex(false);
3162
+ if (hash) {
3163
+ hashHex = getHash(typeof msg === "string" ? utf8ToHex(msg) : msg, publicKeyHex, userId);
3164
+ } else {
3165
+ hashHex = typeof msg === "string" ? utf8ToHex(msg) : arrayToHex(Array.from(msg));
3166
+ }
3167
+ var r;
3168
+ var s;
3169
+ if (der) {
3170
+ var decodeDerObj = decodeDer(signHex);
3171
+ r = decodeDerObj.r;
3172
+ s = decodeDerObj.s;
3173
+ } else {
3174
+ r = hexToNumber(signHex.substring(0, 64));
3175
+ s = hexToNumber(signHex.substring(64));
3176
+ }
3177
+ var PA = typeof publicKey === "string" ? sm2Curve.ProjectivePoint.fromHex(publicKey) : publicKey;
3178
+ var e = hexToNumber(hashHex);
3179
+ var t = field.add(r, s);
3180
+ if (t === ZERO) return false;
3181
+ var x1y1 = sm2Curve.ProjectivePoint.BASE.multiply(s).add(PA.multiply(t));
3182
+ var R = field.add(e, x1y1.x);
3183
+ return r === R;
3184
+ }
3185
+ function getZ(publicKey) {
3186
+ var userId = arguments.length > 1 && arguments[1] !== void 0 ? arguments[1] : "1234567812345678";
3187
+ userId = utf8ToHex(userId);
3188
+ var a = leftPad(numberToHexUnpadded(sm2Curve.CURVE.a), 64);
3189
+ var b = leftPad(numberToHexUnpadded(sm2Curve.CURVE.b), 64);
3190
+ var gx = leftPad(numberToHexUnpadded(sm2Curve.ProjectivePoint.BASE.x), 64);
3191
+ var gy = leftPad(numberToHexUnpadded(sm2Curve.ProjectivePoint.BASE.y), 64);
3192
+ var px;
3193
+ var py;
3194
+ if (publicKey.length === 128) {
3195
+ px = publicKey.substring(0, 64);
3196
+ py = publicKey.substring(64, 128);
3197
+ } else {
3198
+ var point = sm2Curve.ProjectivePoint.fromHex(publicKey);
3199
+ px = leftPad(numberToHexUnpadded(point.x), 64);
3200
+ py = leftPad(numberToHexUnpadded(point.y), 64);
3201
+ }
3202
+ var data = hexToArray(userId + a + b + gx + gy + px + py);
3203
+ var entl = userId.length * 4;
3204
+ var z = sm3(concatBytes(new Uint8Array([
3205
+ entl >> 8 & 255,
3206
+ entl & 255
3207
+ ]), data));
3208
+ return z;
3209
+ }
3210
+ function getHash(hashHex, publicKey) {
3211
+ var userId = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : "1234567812345678";
3212
+ var z = getZ(publicKey, userId);
3213
+ return bytesToHex2(sm3(concatBytes(z, typeof hashHex === "string" ? hexToArray(hashHex) : hashHex)));
3214
+ }
3215
+ function precomputePublicKey(publicKey, windowSize) {
3216
+ var point = sm2Curve.ProjectivePoint.fromHex(publicKey);
3217
+ return sm2Curve.utils.precompute(windowSize, point);
3218
+ }
3219
+ function getPublicKeyFromPrivateKey(privateKey) {
3220
+ var pubKey = sm2Curve.getPublicKey(privateKey, false);
3221
+ var pubPad = leftPad(bytesToHex(pubKey), 64);
3222
+ return pubPad;
3223
+ }
3224
+ function getPoint() {
3225
+ var keypair = generateKeyPairHex();
3226
+ var PA = sm2Curve.ProjectivePoint.fromHex(keypair.publicKey);
3227
+ var k = hexToNumber(keypair.privateKey);
3228
+ return _object_spread_props(_object_spread({}, keypair), {
3229
+ k: k,
3230
+ x1: PA.x
3231
+ });
3232
+ }
3233
+ // src/sm3/index.ts
3234
+ function utf8ToArray(str) {
3235
+ var arr = [];
3236
+ for(var i = 0, len = str.length; i < len; i++){
3237
+ var point = str.codePointAt(i);
3238
+ if (point <= 127) {
3239
+ arr.push(point);
3240
+ } else if (point <= 2047) {
3241
+ arr.push(192 | point >>> 6);
3242
+ arr.push(128 | point & 63);
3243
+ } else if (point <= 55295 || point >= 57344 && point <= 65535) {
3244
+ arr.push(224 | point >>> 12);
3245
+ arr.push(128 | point >>> 6 & 63);
3246
+ arr.push(128 | point & 63);
3247
+ } else if (point >= 65536 && point <= 1114111) {
3248
+ i++;
3249
+ arr.push(240 | point >>> 18 & 28);
3250
+ arr.push(128 | point >>> 12 & 63);
3251
+ arr.push(128 | point >>> 6 & 63);
3252
+ arr.push(128 | point & 63);
3253
+ } else {
3254
+ arr.push(point);
3255
+ throw new Error("input is not supported");
3256
+ }
3257
+ }
3258
+ return new Uint8Array(arr);
3259
+ }
3260
+ function sm32(input, options) {
3261
+ input = typeof input === "string" ? utf8ToArray(input) : input;
3262
+ if (options) {
3263
+ var mode = options.mode || "hmac";
3264
+ if (mode !== "hmac") throw new Error("invalid mode");
3265
+ var key = options.key;
3266
+ if (!key) throw new Error("invalid key");
3267
+ key = typeof key === "string" ? hexToArray(key) : key;
3268
+ return bytesToHex2(hmac(sm3, key, input));
3269
+ }
3270
+ return bytesToHex2(sm3(input));
3271
+ }
3272
+ // src/sm4/index.ts
3273
+ var sm4_exports = {};
3274
+ __export(sm4_exports, {
3275
+ decrypt: function() {
3276
+ return decrypt;
3277
+ },
3278
+ encrypt: function() {
3279
+ return encrypt;
3280
+ },
3281
+ sm4: function() {
3282
+ return sm4;
3283
+ }
3284
+ });
3285
+ var DECRYPT = 0;
3286
+ var ROUND = 32;
3287
+ var BLOCK = 16;
3288
+ var Sbox = Uint8Array.from([
3289
+ 214,
3290
+ 144,
3291
+ 233,
3292
+ 254,
3293
+ 204,
3294
+ 225,
3295
+ 61,
3296
+ 183,
3297
+ 22,
3298
+ 182,
3299
+ 20,
3300
+ 194,
3301
+ 40,
3302
+ 251,
3303
+ 44,
3304
+ 5,
3305
+ 43,
3306
+ 103,
3307
+ 154,
3308
+ 118,
3309
+ 42,
3310
+ 190,
3311
+ 4,
3312
+ 195,
3313
+ 170,
3314
+ 68,
3315
+ 19,
3316
+ 38,
3317
+ 73,
3318
+ 134,
3319
+ 6,
3320
+ 153,
3321
+ 156,
3322
+ 66,
3323
+ 80,
3324
+ 244,
3325
+ 145,
3326
+ 239,
3327
+ 152,
3328
+ 122,
3329
+ 51,
3330
+ 84,
3331
+ 11,
3332
+ 67,
3333
+ 237,
3334
+ 207,
3335
+ 172,
3336
+ 98,
3337
+ 228,
3338
+ 179,
3339
+ 28,
3340
+ 169,
3341
+ 201,
3342
+ 8,
3343
+ 232,
3344
+ 149,
3345
+ 128,
3346
+ 223,
3347
+ 148,
3348
+ 250,
3349
+ 117,
3350
+ 143,
3351
+ 63,
3352
+ 166,
3353
+ 71,
3354
+ 7,
3355
+ 167,
3356
+ 252,
3357
+ 243,
3358
+ 115,
3359
+ 23,
3360
+ 186,
3361
+ 131,
3362
+ 89,
3363
+ 60,
3364
+ 25,
3365
+ 230,
3366
+ 133,
3367
+ 79,
3368
+ 168,
3369
+ 104,
3370
+ 107,
3371
+ 129,
3372
+ 178,
3373
+ 113,
3374
+ 100,
3375
+ 218,
3376
+ 139,
3377
+ 248,
3378
+ 235,
3379
+ 15,
3380
+ 75,
3381
+ 112,
3382
+ 86,
3383
+ 157,
3384
+ 53,
3385
+ 30,
3386
+ 36,
3387
+ 14,
3388
+ 94,
3389
+ 99,
3390
+ 88,
3391
+ 209,
3392
+ 162,
3393
+ 37,
3394
+ 34,
3395
+ 124,
3396
+ 59,
3397
+ 1,
3398
+ 33,
3399
+ 120,
3400
+ 135,
3401
+ 212,
3402
+ 0,
3403
+ 70,
3404
+ 87,
3405
+ 159,
3406
+ 211,
3407
+ 39,
3408
+ 82,
3409
+ 76,
3410
+ 54,
3411
+ 2,
3412
+ 231,
3413
+ 160,
3414
+ 196,
3415
+ 200,
3416
+ 158,
3417
+ 234,
3418
+ 191,
3419
+ 138,
3420
+ 210,
3421
+ 64,
3422
+ 199,
3423
+ 56,
3424
+ 181,
3425
+ 163,
3426
+ 247,
3427
+ 242,
3428
+ 206,
3429
+ 249,
3430
+ 97,
3431
+ 21,
3432
+ 161,
3433
+ 224,
3434
+ 174,
3435
+ 93,
3436
+ 164,
3437
+ 155,
3438
+ 52,
3439
+ 26,
3440
+ 85,
3441
+ 173,
3442
+ 147,
3443
+ 50,
3444
+ 48,
3445
+ 245,
3446
+ 140,
3447
+ 177,
3448
+ 227,
3449
+ 29,
3450
+ 246,
3451
+ 226,
3452
+ 46,
3453
+ 130,
3454
+ 102,
3455
+ 202,
3456
+ 96,
3457
+ 192,
3458
+ 41,
3459
+ 35,
3460
+ 171,
3461
+ 13,
3462
+ 83,
3463
+ 78,
3464
+ 111,
3465
+ 213,
3466
+ 219,
3467
+ 55,
3468
+ 69,
3469
+ 222,
3470
+ 253,
3471
+ 142,
3472
+ 47,
3473
+ 3,
3474
+ 255,
3475
+ 106,
3476
+ 114,
3477
+ 109,
3478
+ 108,
3479
+ 91,
3480
+ 81,
3481
+ 141,
3482
+ 27,
3483
+ 175,
3484
+ 146,
3485
+ 187,
3486
+ 221,
3487
+ 188,
3488
+ 127,
3489
+ 17,
3490
+ 217,
3491
+ 92,
3492
+ 65,
3493
+ 31,
3494
+ 16,
3495
+ 90,
3496
+ 216,
3497
+ 10,
3498
+ 193,
3499
+ 49,
3500
+ 136,
3501
+ 165,
3502
+ 205,
3503
+ 123,
3504
+ 189,
3505
+ 45,
3506
+ 116,
3507
+ 208,
3508
+ 18,
3509
+ 184,
3510
+ 229,
3511
+ 180,
3512
+ 176,
3513
+ 137,
3514
+ 105,
3515
+ 151,
3516
+ 74,
3517
+ 12,
3518
+ 150,
3519
+ 119,
3520
+ 126,
3521
+ 101,
3522
+ 185,
3523
+ 241,
3524
+ 9,
3525
+ 197,
3526
+ 110,
3527
+ 198,
3528
+ 132,
3529
+ 24,
3530
+ 240,
3531
+ 125,
3532
+ 236,
3533
+ 58,
3534
+ 220,
3535
+ 77,
3536
+ 32,
3537
+ 121,
3538
+ 238,
3539
+ 95,
3540
+ 62,
3541
+ 215,
3542
+ 203,
3543
+ 57,
3544
+ 72
3545
+ ]);
3546
+ var CK = new Uint32Array([
3547
+ 462357,
3548
+ 472066609,
3549
+ 943670861,
3550
+ 1415275113,
3551
+ 1886879365,
3552
+ 2358483617,
3553
+ 2830087869,
3554
+ 3301692121,
3555
+ 3773296373,
3556
+ 4228057617,
3557
+ 404694573,
3558
+ 876298825,
3559
+ 1347903077,
3560
+ 1819507329,
3561
+ 2291111581,
3562
+ 2762715833,
3563
+ 3234320085,
3564
+ 3705924337,
3565
+ 4177462797,
3566
+ 337322537,
3567
+ 808926789,
3568
+ 1280531041,
3569
+ 1752135293,
3570
+ 2223739545,
3571
+ 2695343797,
3572
+ 3166948049,
3573
+ 3638552301,
3574
+ 4110090761,
3575
+ 269950501,
3576
+ 741554753,
3577
+ 1213159005,
3578
+ 1684763257
3579
+ ]);
3580
+ function byteSub(a) {
3581
+ return (Sbox[a >>> 24 & 255] & 255) << 24 | (Sbox[a >>> 16 & 255] & 255) << 16 | (Sbox[a >>> 8 & 255] & 255) << 8 | Sbox[a & 255] & 255;
3582
+ }
3583
+ var x = new Uint32Array(4);
3584
+ var tmp = new Uint32Array(4);
3585
+ function sms4Crypt(input, output, roundKey) {
3586
+ var x0 = 0, x1 = 0, x2 = 0, x3 = 0, tmp0 = 0, tmp1 = 0, tmp2 = 0, tmp3 = 0;
3587
+ tmp0 = input[0] & 255;
3588
+ tmp1 = input[1] & 255;
3589
+ tmp2 = input[2] & 255;
3590
+ tmp3 = input[3] & 255;
3591
+ x0 = tmp0 << 24 | tmp1 << 16 | tmp2 << 8 | tmp3;
3592
+ tmp0 = input[4] & 255;
3593
+ tmp1 = input[5] & 255;
3594
+ tmp2 = input[6] & 255;
3595
+ tmp3 = input[7] & 255;
3596
+ x1 = tmp0 << 24 | tmp1 << 16 | tmp2 << 8 | tmp3;
3597
+ tmp0 = input[8] & 255;
3598
+ tmp1 = input[9] & 255;
3599
+ tmp2 = input[10] & 255;
3600
+ tmp3 = input[11] & 255;
3601
+ x2 = tmp0 << 24 | tmp1 << 16 | tmp2 << 8 | tmp3;
3602
+ tmp0 = input[12] & 255;
3603
+ tmp1 = input[13] & 255;
3604
+ tmp2 = input[14] & 255;
3605
+ tmp3 = input[15] & 255;
3606
+ x3 = tmp0 << 24 | tmp1 << 16 | tmp2 << 8 | tmp3;
3607
+ for(var r = 0; r < 32; r += 4){
3608
+ tmp0 = x1 ^ x2 ^ x3 ^ roundKey[r];
3609
+ tmp0 = byteSub(tmp0);
3610
+ x0 ^= tmp0 ^ (tmp0 << 2 | tmp0 >>> 30) ^ (tmp0 << 10 | tmp0 >>> 22) ^ (tmp0 << 18 | tmp0 >>> 14) ^ (tmp0 << 24 | tmp0 >>> 8);
3611
+ tmp1 = x2 ^ x3 ^ x0 ^ roundKey[r + 1];
3612
+ tmp1 = byteSub(tmp1);
3613
+ x1 ^= tmp1 ^ (tmp1 << 2 | tmp1 >>> 30) ^ (tmp1 << 10 | tmp1 >>> 22) ^ (tmp1 << 18 | tmp1 >>> 14) ^ (tmp1 << 24 | tmp1 >>> 8);
3614
+ tmp2 = x3 ^ x0 ^ x1 ^ roundKey[r + 2];
3615
+ tmp2 = byteSub(tmp2);
3616
+ x2 ^= tmp2 ^ (tmp2 << 2 | tmp2 >>> 30) ^ (tmp2 << 10 | tmp2 >>> 22) ^ (tmp2 << 18 | tmp2 >>> 14) ^ (tmp2 << 24 | tmp2 >>> 8);
3617
+ tmp3 = x0 ^ x1 ^ x2 ^ roundKey[r + 3];
3618
+ tmp3 = byteSub(tmp3);
3619
+ x3 ^= tmp3 ^ (tmp3 << 2 | tmp3 >>> 30) ^ (tmp3 << 10 | tmp3 >>> 22) ^ (tmp3 << 18 | tmp3 >>> 14) ^ (tmp3 << 24 | tmp3 >>> 8);
3620
+ }
3621
+ output[0] = x3 >>> 24 & 255;
3622
+ output[1] = x3 >>> 16 & 255;
3623
+ output[2] = x3 >>> 8 & 255;
3624
+ output[3] = x3 & 255;
3625
+ output[4] = x2 >>> 24 & 255;
3626
+ output[5] = x2 >>> 16 & 255;
3627
+ output[6] = x2 >>> 8 & 255;
3628
+ output[7] = x2 & 255;
3629
+ output[8] = x1 >>> 24 & 255;
3630
+ output[9] = x1 >>> 16 & 255;
3631
+ output[10] = x1 >>> 8 & 255;
3632
+ output[11] = x1 & 255;
3633
+ output[12] = x0 >>> 24 & 255;
3634
+ output[13] = x0 >>> 16 & 255;
3635
+ output[14] = x0 >>> 8 & 255;
3636
+ output[15] = x0 & 255;
3637
+ }
3638
+ function sms4KeyExt(key, roundKey, cryptFlag) {
3639
+ var x0 = 0, x1 = 0, x2 = 0, x3 = 0, mid = 0;
3640
+ x0 = (key[0] & 255) << 24 | (key[1] & 255) << 16 | (key[2] & 255) << 8 | key[3] & 255;
3641
+ x1 = (key[4] & 255) << 24 | (key[5] & 255) << 16 | (key[6] & 255) << 8 | key[7] & 255;
3642
+ x2 = (key[8] & 255) << 24 | (key[9] & 255) << 16 | (key[10] & 255) << 8 | key[11] & 255;
3643
+ x3 = (key[12] & 255) << 24 | (key[13] & 255) << 16 | (key[14] & 255) << 8 | key[15] & 255;
3644
+ x0 ^= 2746333894;
3645
+ x1 ^= 1453994832;
3646
+ x2 ^= 1736282519;
3647
+ x3 ^= 2993693404;
3648
+ for(var r = 0; r < 32; r += 4){
3649
+ mid = x1 ^ x2 ^ x3 ^ CK[r + 0];
3650
+ mid = byteSub(mid);
3651
+ x0 ^= mid ^ (mid << 13 | mid >>> 19) ^ (mid << 23 | mid >>> 9);
3652
+ roundKey[r + 0] = x0;
3653
+ mid = x2 ^ x3 ^ x0 ^ CK[r + 1];
3654
+ mid = byteSub(mid);
3655
+ x1 ^= mid ^ (mid << 13 | mid >>> 19) ^ (mid << 23 | mid >>> 9);
3656
+ roundKey[r + 1] = x1;
3657
+ mid = x3 ^ x0 ^ x1 ^ CK[r + 2];
3658
+ mid = byteSub(mid);
3659
+ x2 ^= mid ^ (mid << 13 | mid >>> 19) ^ (mid << 23 | mid >>> 9);
3660
+ roundKey[r + 2] = x2;
3661
+ mid = x0 ^ x1 ^ x2 ^ CK[r + 3];
3662
+ mid = byteSub(mid);
3663
+ x3 ^= mid ^ (mid << 13 | mid >>> 19) ^ (mid << 23 | mid >>> 9);
3664
+ roundKey[r + 3] = x3;
3665
+ }
3666
+ if (cryptFlag === DECRYPT) {
3667
+ for(var r1 = 0; r1 < 16; r1++){
3668
+ var ref;
3669
+ ref = [
3670
+ roundKey[31 - r1],
3671
+ roundKey[r1]
3672
+ ], roundKey[r1] = ref[0], roundKey[31 - r1] = ref[1], ref;
3673
+ }
3674
+ }
3675
+ }
3676
+ var blockOutput = new Uint8Array(16);
3677
+ function sm4(inArray, key, cryptFlag) {
3678
+ var options = arguments.length > 3 && arguments[3] !== void 0 ? arguments[3] : {};
3679
+ var _options_padding = options.padding, padding = _options_padding === void 0 ? "pkcs#7" : _options_padding, mode = options.mode, _options_iv = options.iv, iv = _options_iv === void 0 ? new Uint8Array(16) : _options_iv, output = options.output;
3680
+ if (mode === "cbc") {
3681
+ if (typeof iv === "string") iv = hexToArray(iv);
3682
+ if (iv.length !== 128 / 8) {
3683
+ throw new Error("iv is invalid");
3684
+ }
3685
+ }
3686
+ if (typeof key === "string") key = hexToArray(key);
3687
+ if (key.length !== 128 / 8) {
3688
+ throw new Error("key is invalid");
3689
+ }
3690
+ if (typeof inArray === "string") {
3691
+ if (cryptFlag !== DECRYPT) {
3692
+ inArray = utf8ToArray(inArray);
3693
+ } else {
3694
+ inArray = hexToArray(inArray);
3695
+ }
3696
+ } else {
3697
+ inArray = Uint8Array.from(inArray);
3698
+ }
3699
+ if ((padding === "pkcs#5" || padding === "pkcs#7") && cryptFlag !== DECRYPT) {
3700
+ var paddingCount = BLOCK - inArray.length % BLOCK;
3701
+ var newArray = new Uint8Array(inArray.length + paddingCount);
3702
+ newArray.set(inArray, 0);
3703
+ for(var i = 0; i < paddingCount; i++)newArray[inArray.length + i] = paddingCount;
3704
+ inArray = newArray;
3705
+ }
3706
+ var roundKey = new Uint32Array(ROUND);
3707
+ sms4KeyExt(key, roundKey, cryptFlag);
3708
+ var outArray = new Uint8Array(inArray.length);
3709
+ var lastVector = iv;
3710
+ var restLen = inArray.length;
3711
+ var point = 0;
3712
+ while(restLen >= BLOCK){
3713
+ var input = inArray.subarray(point, point + 16);
3714
+ if (mode === "cbc") {
3715
+ for(var i1 = 0; i1 < BLOCK; i1++){
3716
+ if (cryptFlag !== DECRYPT) {
3717
+ input[i1] ^= lastVector[i1];
3718
+ }
3719
+ }
3720
+ }
3721
+ sms4Crypt(input, blockOutput, roundKey);
3722
+ for(var i2 = 0; i2 < BLOCK; i2++){
3723
+ if (mode === "cbc") {
3724
+ if (cryptFlag === DECRYPT) {
3725
+ blockOutput[i2] ^= lastVector[i2];
3726
+ }
3727
+ }
3728
+ outArray[point + i2] = blockOutput[i2];
3729
+ }
3730
+ if (mode === "cbc") {
3731
+ if (cryptFlag !== DECRYPT) {
3732
+ lastVector = blockOutput;
3733
+ } else {
3734
+ lastVector = input;
3735
+ }
3736
+ }
3737
+ restLen -= BLOCK;
3738
+ point += BLOCK;
3739
+ }
3740
+ if ((padding === "pkcs#5" || padding === "pkcs#7") && cryptFlag === DECRYPT) {
3741
+ var len = outArray.length;
3742
+ var paddingCount1 = outArray[len - 1];
3743
+ for(var i3 = 1; i3 <= paddingCount1; i3++){
3744
+ if (outArray[len - i3] !== paddingCount1) throw new Error("padding is invalid");
3745
+ }
3746
+ outArray = outArray.slice(0, len - paddingCount1);
3747
+ }
3748
+ if (output !== "array") {
3749
+ if (cryptFlag !== DECRYPT) {
3750
+ return bytesToHex2(outArray);
3751
+ } else {
3752
+ return arrayToUtf8(outArray);
3753
+ }
3754
+ } else {
3755
+ return outArray;
3756
+ }
3757
+ }
3758
+ function encrypt(inArray, key) {
3759
+ var options = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : {};
3760
+ return sm4(inArray, key, 1, options);
3761
+ }
3762
+ function decrypt(inArray, key) {
3763
+ var options = arguments.length > 2 && arguments[2] !== void 0 ? arguments[2] : {};
3764
+ return sm4(inArray, key, 0, options);
3765
+ }
3766
+ // Annotate the CommonJS export names for ESM import in node:
3767
+ 0 && (module.exports = {
3768
+ sm2: sm2,
3769
+ sm3: sm3,
3770
+ sm4: sm4
3771
+ }); /*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */ /*! Bundled license information:
3772
+
3773
+ @noble/curves/esm/abstract/utils.js:
3774
+ (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
3775
+
3776
+ @noble/curves/esm/abstract/modular.js:
3777
+ (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
3778
+
3779
+ @noble/curves/esm/abstract/curve.js:
3780
+ (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
3781
+
3782
+ @noble/curves/esm/abstract/weierstrass.js:
3783
+ (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
3784
+ */