tedious-fabric 1.0.0

package/lib/always-encrypted/keystore-provider-azure-key-vault.js

@@ -0,0 +1,247 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.ColumnEncryptionAzureKeyVaultProvider = void 0;
+var _identity = require("@azure/identity");
+var _keyvaultKeys = require("@azure/keyvault-keys");
+var _crypto = require("crypto");
+var _url = require("url");
+// This code is based on the `mssql-jdbc` library published under the conditions of MIT license.
+// Copyright (c) 2019 Microsoft Corporation
+
+class ColumnEncryptionAzureKeyVaultProvider {
+  constructor(clientId, clientKey, tenantId) {
+    this.name = 'AZURE_KEY_VAULT';
+    this.azureKeyVaultDomainName = 'vault.azure.net';
+    this.rsaEncryptionAlgorithmWithOAEPForAKV = 'RSA-OAEP';
+    this.firstVersion = Buffer.from([0x01]);
+    this.credentials = new _identity.ClientSecretCredential(tenantId, clientId, clientKey);
+  }
+  async decryptColumnEncryptionKey(masterKeyPath, encryptionAlgorithm, encryptedColumnEncryptionKey) {
+    if (!encryptedColumnEncryptionKey) {
+      throw new Error('Internal error. Encrypted column encryption key cannot be null.');
+    }
+    if (encryptedColumnEncryptionKey.length === 0) {
+      throw new Error('Internal error. Empty encrypted column encryption key specified.');
+    }
+    encryptionAlgorithm = this.validateEncryptionAlgorithm(encryptionAlgorithm);
+    const masterKey = await this.getMasterKey(masterKeyPath);
+    const keySizeInBytes = this.getAKVKeySize(masterKey);
+    const cryptoClient = this.createCryptoClient(masterKey);
+    if (encryptedColumnEncryptionKey[0] !== this.firstVersion[0]) {
+      throw new Error(`Specified encrypted column encryption key contains an invalid encryption algorithm version ${Buffer.from([encryptedColumnEncryptionKey[0]]).toString('hex')}. Expected version is ${Buffer.from([this.firstVersion[0]]).toString('hex')}.`);
+    }
+    let currentIndex = this.firstVersion.length;
+    const keyPathLength = encryptedColumnEncryptionKey.readInt16LE(currentIndex);
+    currentIndex += 2;
+    const cipherTextLength = encryptedColumnEncryptionKey.readInt16LE(currentIndex);
+    currentIndex += 2;
+    currentIndex += keyPathLength;
+    if (cipherTextLength !== keySizeInBytes) {
+      throw new Error(`The specified encrypted column encryption key's ciphertext length: ${cipherTextLength} does not match the ciphertext length: ${keySizeInBytes} when using column master key (Azure Key Vault key) in ${masterKeyPath}. The encrypted column encryption key may be corrupt, or the specified Azure Key Vault key path may be incorrect.`);
+    }
+    const signatureLength = encryptedColumnEncryptionKey.length - currentIndex - cipherTextLength;
+    if (signatureLength !== keySizeInBytes) {
+      throw new Error(`The specified encrypted column encryption key's signature length: ${signatureLength} does not match the signature length: ${keySizeInBytes} when using column master key (Azure Key Vault key) in ${masterKeyPath}. The encrypted column encryption key may be corrupt, or the specified Azure Key Vault key path may be incorrect.`);
+    }
+    const cipherText = Buffer.alloc(cipherTextLength);
+    encryptedColumnEncryptionKey.copy(cipherText, 0, currentIndex, currentIndex + cipherTextLength);
+    currentIndex += cipherTextLength;
+    const signature = Buffer.alloc(signatureLength);
+    encryptedColumnEncryptionKey.copy(signature, 0, currentIndex, currentIndex + signatureLength);
+    const hash = Buffer.alloc(encryptedColumnEncryptionKey.length - signature.length);
+    encryptedColumnEncryptionKey.copy(hash, 0, 0, encryptedColumnEncryptionKey.length - signature.length);
+    const messageDigest = (0, _crypto.createHash)('sha256');
+    messageDigest.update(hash);
+    const dataToVerify = messageDigest.digest();
+    if (!dataToVerify) {
+      throw new Error('Hash should not be null while decrypting encrypted column encryption key.');
+    }
+    const verifyKey = await cryptoClient.verify('RS256', dataToVerify, signature);
+    if (!verifyKey.result) {
+      throw new Error(`The specified encrypted column encryption key signature does not match the signature computed with the column master key (Asymmetric key in Azure Key Vault) in ${masterKeyPath}. The encrypted column encryption key may be corrupt, or the specified path may be incorrect.`);
+    }
+    const decryptedCEK = await this.azureKeyVaultUnWrap(cryptoClient, encryptionAlgorithm, cipherText);
+    return decryptedCEK;
+  }
+  async encryptColumnEncryptionKey(masterKeyPath, encryptionAlgorithm, columnEncryptionKey) {
+    if (!columnEncryptionKey) {
+      throw new Error('Column encryption key cannot be null.');
+    }
+    if (columnEncryptionKey.length === 0) {
+      throw new Error('Empty column encryption key specified.');
+    }
+    encryptionAlgorithm = this.validateEncryptionAlgorithm(encryptionAlgorithm);
+    const masterKey = await this.getMasterKey(masterKeyPath);
+    const keySizeInBytes = this.getAKVKeySize(masterKey);
+    const cryptoClient = this.createCryptoClient(masterKey);
+    const version = Buffer.from([this.firstVersion[0]]);
+    const masterKeyPathBytes = Buffer.from(masterKeyPath.toLowerCase(), 'utf8');
+    const keyPathLength = Buffer.alloc(2);
+    keyPathLength[0] = masterKeyPathBytes.length & 0xff;
+    keyPathLength[1] = masterKeyPathBytes.length >> 8 & 0xff;
+    const cipherText = await this.azureKeyVaultWrap(cryptoClient, encryptionAlgorithm, columnEncryptionKey);
+    const cipherTextLength = Buffer.alloc(2);
+    cipherTextLength[0] = cipherText.length & 0xff;
+    cipherTextLength[1] = cipherText.length >> 8 & 0xff;
+    if (cipherText.length !== keySizeInBytes) {
+      throw new Error('CipherText length does not match the RSA key size.');
+    }
+    const dataToHash = Buffer.alloc(version.length + keyPathLength.length + cipherTextLength.length + masterKeyPathBytes.length + cipherText.length);
+    let destinationPosition = version.length;
+    version.copy(dataToHash, 0, 0, version.length);
+    keyPathLength.copy(dataToHash, destinationPosition, 0, keyPathLength.length);
+    destinationPosition += keyPathLength.length;
+    cipherTextLength.copy(dataToHash, destinationPosition, 0, cipherTextLength.length);
+    destinationPosition += cipherTextLength.length;
+    masterKeyPathBytes.copy(dataToHash, destinationPosition, 0, masterKeyPathBytes.length);
+    destinationPosition += masterKeyPathBytes.length;
+    cipherText.copy(dataToHash, destinationPosition, 0, cipherText.length);
+    const messageDigest = (0, _crypto.createHash)('sha256');
+    messageDigest.update(dataToHash);
+    const dataToSign = messageDigest.digest();
+    const signedHash = await this.azureKeyVaultSignedHashedData(cryptoClient, dataToSign);
+    if (signedHash.length !== keySizeInBytes) {
+      throw new Error('Signed hash length does not match the RSA key size.');
+    }
+    const verifyKey = await cryptoClient.verify('RS256', dataToSign, signedHash);
+    if (!verifyKey.result) {
+      throw new Error('Invalid signature of the encrypted column encryption key computed.');
+    }
+    const encryptedColumnEncryptionKeyLength = version.length + cipherTextLength.length + keyPathLength.length + cipherText.length + masterKeyPathBytes.length + signedHash.length;
+    const encryptedColumnEncryptionKey = Buffer.alloc(encryptedColumnEncryptionKeyLength);
+    let currentIndex = 0;
+    version.copy(encryptedColumnEncryptionKey, currentIndex, 0, version.length);
+    currentIndex += version.length;
+    keyPathLength.copy(encryptedColumnEncryptionKey, currentIndex, 0, keyPathLength.length);
+    currentIndex += keyPathLength.length;
+    cipherTextLength.copy(encryptedColumnEncryptionKey, currentIndex, 0, cipherTextLength.length);
+    currentIndex += cipherTextLength.length;
+    masterKeyPathBytes.copy(encryptedColumnEncryptionKey, currentIndex, 0, masterKeyPathBytes.length);
+    currentIndex += masterKeyPathBytes.length;
+    cipherText.copy(encryptedColumnEncryptionKey, currentIndex, 0, cipherText.length);
+    currentIndex += cipherText.length;
+    signedHash.copy(encryptedColumnEncryptionKey, currentIndex, 0, signedHash.length);
+    return encryptedColumnEncryptionKey;
+  }
+  async getMasterKey(masterKeyPath) {
+    if (!masterKeyPath) {
+      throw new Error('Master key path cannot be null or undefined');
+    }
+    const keyParts = this.parsePath(masterKeyPath);
+    this.createKeyClient(keyParts.vaultUrl);
+    return await this.keyClient.getKey(keyParts.name, keyParts.version ? {
+      version: keyParts.version
+    } : {});
+  }
+  createKeyClient(keyVaultUrl) {
+    if (!keyVaultUrl) {
+      throw new Error('Cannot create key client with null or undefined keyVaultUrl');
+    }
+    if (!this.keyClient) {
+      this.url = keyVaultUrl;
+      this.keyClient = new _keyvaultKeys.KeyClient(keyVaultUrl, this.credentials);
+    }
+  }
+  createCryptoClient(masterKey) {
+    if (!masterKey) {
+      throw new Error('Cannot create CryptographyClient with null or undefined masterKey');
+    }
+    return new _keyvaultKeys.CryptographyClient(masterKey, this.credentials);
+  }
+  parsePath(masterKeyPath) {
+    if (!masterKeyPath || masterKeyPath.trim() === '') {
+      throw new Error('Azure Key Vault key path cannot be null.');
+    }
+    let baseUri;
+    try {
+      baseUri = (0, _url.parse)(masterKeyPath, true, true);
+    } catch {
+      throw new Error(`Invalid keys identifier: ${masterKeyPath}. Not a valid URI`);
+    }
+    if (!baseUri.hostname || !baseUri.hostname.toLowerCase().endsWith(this.azureKeyVaultDomainName)) {
+      throw new Error(`Invalid Azure Key Vault key path specified: ${masterKeyPath}.`);
+    }
+
+    // Path is of the form '/collection/name[/version]'
+    const segments = (baseUri.pathname || '').split('/');
+    if (segments.length !== 3 && segments.length !== 4) {
+      throw new Error(`Invalid keys identifier: ${masterKeyPath}. Bad number of segments: ${segments.length}`);
+    }
+    if ('keys' !== segments[1]) {
+      throw new Error(`Invalid keys identifier: ${masterKeyPath}. segment [1] should be "keys", found "${segments[1]}"`);
+    }
+    const vaultUrl = `${baseUri.protocol}//${baseUri.host}`;
+    const name = segments[2];
+    const version = segments.length === 4 ? segments[3] : undefined;
+    return {
+      vaultUrl,
+      name,
+      version
+    };
+  }
+  async azureKeyVaultSignedHashedData(cryptoClient, dataToSign) {
+    if (!cryptoClient) {
+      throw new Error('Azure KVS Crypto Client is not defined.');
+    }
+    const signedData = await cryptoClient.sign('RS256', dataToSign);
+    return Buffer.from(signedData.result);
+  }
+  async azureKeyVaultWrap(cryptoClient, encryptionAlgorithm, columnEncryptionKey) {
+    if (!cryptoClient) {
+      throw new Error('Azure KVS Crypto Client is not defined.');
+    }
+    if (!columnEncryptionKey) {
+      throw new Error('Column encryption key cannot be null.');
+    }
+    const wrappedKey = await cryptoClient.wrapKey(encryptionAlgorithm, columnEncryptionKey);
+    return Buffer.from(wrappedKey.result);
+  }
+  async azureKeyVaultUnWrap(cryptoClient, encryptionAlgorithm, encryptedColumnEncryptionKey) {
+    if (!cryptoClient) {
+      throw new Error('Azure KVS Crypto Client is not defined.');
+    }
+    if (!encryptionAlgorithm) {
+      throw new Error('Encryption Algorithm cannot be null or undefined');
+    }
+    if (!encryptedColumnEncryptionKey) {
+      throw new Error('Encrypted column encryption key cannot be null.');
+    }
+    if (encryptedColumnEncryptionKey.length === 0) {
+      throw new Error('Encrypted Column Encryption Key length should not be zero.');
+    }
+    const unwrappedKey = await cryptoClient.unwrapKey(encryptionAlgorithm, encryptedColumnEncryptionKey);
+    return Buffer.from(unwrappedKey.result);
+  }
+  getAKVKeySize(retrievedKey) {
+    if (!retrievedKey) {
+      throw new Error('Retrieved key cannot be null or undefined');
+    }
+    const key = retrievedKey.key;
+    if (!key) {
+      throw new Error(`Key does not exist ${retrievedKey.name}`);
+    }
+    const kty = key && key.kty && key.kty.toString().toUpperCase();
+    if (!kty || 'RSA'.localeCompare(kty, 'en') !== 0) {
+      throw new Error(`Cannot use a non-RSA key: ${kty}.`);
+    }
+    const keyLength = key && key.n && key.n.length;
+    return keyLength || 0;
+  }
+  validateEncryptionAlgorithm(encryptionAlgorithm) {
+    if (!encryptionAlgorithm) {
+      throw new Error('Key encryption algorithm cannot be null.');
+    }
+    if ('RSA_OAEP'.localeCompare(encryptionAlgorithm.toUpperCase(), 'en') === 0) {
+      encryptionAlgorithm = 'RSA-OAEP';
+    }
+    if (this.rsaEncryptionAlgorithmWithOAEPForAKV.localeCompare(encryptionAlgorithm.trim().toUpperCase(), 'en') !== 0) {
+      throw new Error(`Invalid key encryption algorithm specified: ${encryptionAlgorithm}. Expected value: ${this.rsaEncryptionAlgorithmWithOAEPForAKV}.`);
+    }
+    return encryptionAlgorithm;
+  }
+}
+exports.ColumnEncryptionAzureKeyVaultProvider = ColumnEncryptionAzureKeyVaultProvider;
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJuYW1lcyI6WyJfaWRlbnRpdHkiLCJyZXF1aXJlIiwiX2tleXZhdWx0S2V5cyIsIl9jcnlwdG8iLCJfdXJsIiwiQ29sdW1uRW5jcnlwdGlvbkF6dXJlS2V5VmF1bHRQcm92aWRlciIsImNvbnN0cnVjdG9yIiwiY2xpZW50SWQiLCJjbGllbnRLZXkiLCJ0ZW5hbnRJZCIsIm5hbWUiLCJhenVyZUtleVZhdWx0RG9tYWluTmFtZSIsInJzYUVuY3J5cHRpb25BbGdvcml0aG1XaXRoT0FFUEZvckFLViIsImZpcnN0VmVyc2lvbiIsIkJ1ZmZlciIsImZyb20iLCJjcmVkZW50aWFscyIsIkNsaWVudFNlY3JldENyZWRlbnRpYWwiLCJkZWNyeXB0Q29sdW1uRW5jcnlwdGlvbktleSIsIm1hc3RlcktleVBhdGgiLCJlbmNyeXB0aW9uQWxnb3JpdGhtIiwiZW5jcnlwdGVkQ29sdW1uRW5jcnlwdGlvbktleSIsIkVycm9yIiwibGVuZ3RoIiwidmFsaWRhdGVFbmNyeXB0aW9uQWxnb3JpdGhtIiwibWFzdGVyS2V5IiwiZ2V0TWFzdGVyS2V5Iiwia2V5U2l6ZUluQnl0ZXMiLCJnZXRBS1ZLZXlTaXplIiwiY3J5cHRvQ2xpZW50IiwiY3JlYXRlQ3J5cHRvQ2xpZW50IiwidG9TdHJpbmciLCJjdXJyZW50SW5kZXgiLCJrZXlQYXRoTGVuZ3RoIiwicmVhZEludDE2TEUiLCJjaXBoZXJUZXh0TGVuZ3RoIiwic2lnbmF0dXJlTGVuZ3RoIiwiY2lwaGVyVGV4dCIsImFsbG9jIiwiY29weSIsInNpZ25hdHVyZSIsImhhc2giLCJtZXNzYWdlRGlnZXN0IiwiY3JlYXRlSGFzaCIsInVwZGF0ZSIsImRhdGFUb1ZlcmlmeSIsImRpZ2VzdCIsInZlcmlmeUtleSIsInZlcmlmeSIsInJlc3VsdCIsImRlY3J5cHRlZENFSyIsImF6dXJlS2V5VmF1bHRVbldyYXAiLCJlbmNyeXB0Q29sdW1uRW5jcnlwdGlvbktleSIsImNvbHVtbkVuY3J5cHRpb25LZXkiLCJ2ZXJzaW9uIiwibWFzdGVyS2V5UGF0aEJ5dGVzIiwidG9Mb3dlckNhc2UiLCJhenVyZUtleVZhdWx0V3JhcCIsImRhdGFUb0hhc2giLCJkZXN0aW5hdGlvblBvc2l0aW9uIiwiZGF0YVRvU2lnbiIsInNpZ25lZEhhc2giLCJhenVyZUtleVZhdWx0U2lnbmVkSGFzaGVkRGF0YSIsImVuY3J5cHRlZENvbHVtbkVuY3J5cHRpb25LZXlMZW5ndGgiLCJrZXlQYXJ0cyIsInBhcnNlUGF0aCIsImNyZWF0ZUtleUNsaWVudCIsInZhdWx0VXJsIiwia2V5Q2xpZW50IiwiZ2V0S2V5Iiwia2V5VmF1bHRVcmwiLCJ1cmwiLCJLZXlDbGllbnQiLCJDcnlwdG9ncmFwaHlDbGllbnQiLCJ0cmltIiwiYmFzZVVyaSIsInBhcnNlIiwiaG9zdG5hbWUiLCJlbmRzV2l0aCIsInNlZ21lbnRzIiwicGF0aG5hbWUiLCJzcGxpdCIsInByb3RvY29sIiwiaG9zdCIsInVuZGVmaW5lZCIsInNpZ25lZERhdGEiLCJzaWduIiwid3JhcHBlZEtleSIsIndyYXBLZXkiLCJ1bndyYXBwZWRLZXkiLCJ1bndyYXBLZXkiLCJyZXRyaWV2ZWRLZXkiLCJrZXkiLCJrdHkiLCJ0b1VwcGVyQ2FzZSIsImxvY2FsZUNvbXBhcmUiLCJrZXlMZW5ndGgiLCJuIiwiZXhwb3J0cyJdLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9hbHdheXMtZW5jcnlwdGVkL2tleXN0b3JlLXByb3ZpZGVyLWF6dXJlLWtleS12YXVsdC50cyJdLCJzb3VyY2VzQ29udGVudCI6WyIvLyBUaGlzIGNvZGUgaXMgYmFzZWQgb24gdGhlIGBtc3NxbC1qZGJjYCBsaWJyYXJ5IHB1Ymxpc2hlZCB1bmRlciB0aGUgY29uZGl0aW9ucyBvZiBNSVQgbGljZW5zZS5cbi8vIENvcHlyaWdodCAoYykgMjAxOSBNaWNyb3NvZnQgQ29ycG9yYXRpb25cblxuaW1wb3J0IHsgQ2xpZW50U2VjcmV0Q3JlZGVudGlhbCB9IGZyb20gJ0BhenVyZS9pZGVudGl0eSc7XG5pbXBvcnQgeyBDcnlwdG9ncmFwaHlDbGllbnQsIHR5cGUgS2V5V3JhcEFsZ29yaXRobSwgS2V5Q2xpZW50LCB0eXBlIEtleVZhdWx0S2V5IH0gZnJvbSAnQGF6dXJlL2tleXZhdWx0LWtleXMnO1xuaW1wb3J0IHsgY3JlYXRlSGFzaCB9IGZyb20gJ2NyeXB0byc7XG5pbXBvcnQgeyBwYXJzZSB9IGZyb20gJ3VybCc7XG5cbmludGVyZmFjZSBQYXJzZWRLZXlQYXRoIHtcbiAgdmF1bHRVcmw6IHN0cmluZztcbiAgbmFtZTogc3RyaW5nO1xuICB2ZXJzaW9uPzogc3RyaW5nIHwgdW5kZWZpbmVkO1xufVxuXG5leHBvcnQgY2xhc3MgQ29sdW1uRW5jcnlwdGlvbkF6dXJlS2V5VmF1bHRQcm92aWRlciB7XG4gIGRlY2xhcmUgcHVibGljIHJlYWRvbmx5IG5hbWU6IHN0cmluZztcbiAgZGVjbGFyZSBwcml2YXRlIHVybDogdW5kZWZpbmVkIHwgc3RyaW5nO1xuICBkZWNsYXJlIHByaXZhdGUgcmVhZG9ubHkgcnNhRW5jcnlwdGlvbkFsZ29yaXRobVdpdGhPQUVQRm9yQUtWOiBzdHJpbmc7XG4gIGRlY2xhcmUgcHJpdmF0ZSByZWFkb25seSBmaXJzdFZlcnNpb246IEJ1ZmZlcjtcbiAgZGVjbGFyZSBwcml2YXRlIGNyZWRlbnRpYWxzOiBDbGllbnRTZWNyZXRDcmVkZW50aWFsO1xuICBkZWNsYXJlIHByaXZhdGUgcmVhZG9ubHkgYXp1cmVLZXlWYXVsdERvbWFpbk5hbWU6IHN0cmluZztcbiAgZGVjbGFyZSBwcml2YXRlIGtleUNsaWVudDogdW5kZWZpbmVkIHwgS2V5Q2xpZW50O1xuXG4gIGNvbnN0cnVjdG9yKGNsaWVudElkOiBzdHJpbmcsIGNsaWVudEtleTogc3RyaW5nLCB0ZW5hbnRJZDogc3RyaW5nKSB7XG4gICAgdGhpcy5uYW1lID0gJ0FaVVJFX0tFWV9WQVVMVCc7XG4gICAgdGhpcy5henVyZUtleVZhdWx0RG9tYWluTmFtZSA9ICd2YXVsdC5henVyZS5uZXQnO1xuICAgIHRoaXMucnNhRW5jcnlwdGlvbkFsZ29yaXRobVdpdGhPQUVQRm9yQUtWID0gJ1JTQS1PQUVQJztcbiAgICB0aGlzLmZpcnN0VmVyc2lvbiA9IEJ1ZmZlci5mcm9tKFsweDAxXSk7XG4gICAgdGhpcy5jcmVkZW50aWFscyA9IG5ldyBDbGllbnRTZWNyZXRDcmVkZW50aWFsKHRlbmFudElkLCBjbGllbnRJZCwgY2xpZW50S2V5KTtcbiAgfVxuXG4gIGFzeW5jIGRlY3J5cHRDb2x1bW5FbmNyeXB0aW9uS2V5KG1hc3RlcktleVBhdGg6IHN0cmluZywgZW5jcnlwdGlvbkFsZ29yaXRobTogc3RyaW5nLCBlbmNyeXB0ZWRDb2x1bW5FbmNyeXB0aW9uS2V5OiBCdWZmZXIpOiBQcm9taXNlPEJ1ZmZlcj4ge1xuICAgIGlmICghZW5jcnlwdGVkQ29sdW1uRW5jcnlwdGlvbktleSkge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKCdJbnRlcm5hbCBlcnJvci4gRW5jcnlwdGVkIGNvbHVtbiBlbmNyeXB0aW9uIGtleSBjYW5ub3QgYmUgbnVsbC4nKTtcbiAgICB9XG5cbiAgICBpZiAoZW5jcnlwdGVkQ29sdW1uRW5jcnlwdGlvbktleS5sZW5ndGggPT09IDApIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcignSW50ZXJuYWwgZXJyb3IuIEVtcHR5IGVuY3J5cHRlZCBjb2x1bW4gZW5jcnlwdGlvbiBrZXkgc3BlY2lmaWVkLicpO1xuICAgIH1cblxuICAgIGVuY3J5cHRpb25BbGdvcml0aG0gPSB0aGlzLnZhbGlkYXRlRW5jcnlwdGlvbkFsZ29yaXRobShlbmNyeXB0aW9uQWxnb3JpdGhtKTtcblxuICAgIGNvbnN0IG1hc3RlcktleSA9IGF3YWl0IHRoaXMuZ2V0TWFzdGVyS2V5KG1hc3RlcktleVBhdGgpO1xuXG4gICAgY29uc3Qga2V5U2l6ZUluQnl0ZXMgPSB0aGlzLmdldEFLVktleVNpemUobWFzdGVyS2V5KTtcblxuICAgIGNvbnN0IGNyeXB0b0NsaWVudCA9IHRoaXMuY3JlYXRlQ3J5cHRvQ2xpZW50KG1hc3RlcktleSk7XG5cbiAgICBpZiAoZW5jcnlwdGVkQ29sdW1uRW5jcnlwdGlvbktleVswXSAhPT0gdGhpcy5maXJzdFZlcnNpb25bMF0pIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcihgU3BlY2lmaWVkIGVuY3J5cHRlZCBjb2x1bW4gZW5jcnlwdGlvbiBrZXkgY29udGFpbnMgYW4gaW52YWxpZCBlbmNyeXB0aW9uIGFsZ29yaXRobSB2ZXJzaW9uICR7QnVmZmVyLmZyb20oW2VuY3J5cHRlZENvbHVtbkVuY3J5cHRpb25LZXlbMF1dKS50b1N0cmluZygnaGV4Jyl9LiBFeHBlY3RlZCB2ZXJzaW9uIGlzICR7QnVmZmVyLmZyb20oW3RoaXMuZmlyc3RWZXJzaW9uWzBdXSkudG9TdHJpbmcoJ2hleCcpfS5gKTtcbiAgICB9XG5cbiAgICBsZXQgY3VycmVudEluZGV4ID0gdGhpcy5maXJzdFZlcnNpb24ubGVuZ3RoO1xuICAgIGNvbnN0IGtleVBhdGhMZW5ndGg6IG51bWJlciA9IGVuY3J5cHRlZENvbHVtbkVuY3J5cHRpb25LZXkucmVhZEludDE2TEUoY3VycmVudEluZGV4KTtcblxuICAgIGN1cnJlbnRJbmRleCArPSAyO1xuXG4gICAgY29uc3QgY2lwaGVyVGV4dExlbmd0aDogbnVtYmVyID0gZW5jcnlwdGVkQ29sdW1uRW5jcnlwdGlvbktleS5yZWFkSW50MTZMRShjdXJyZW50SW5kZXgpO1xuXG4gICAgY3VycmVudEluZGV4ICs9IDI7XG5cbiAgICBjdXJyZW50SW5kZXggKz0ga2V5UGF0aExlbmd0aDtcblxuICAgIGlmIChjaXBoZXJUZXh0TGVuZ3RoICE9PSBrZXlTaXplSW5CeXRlcykge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKGBUaGUgc3BlY2lmaWVkIGVuY3J5cHRlZCBjb2x1bW4gZW5jcnlwdGlvbiBrZXkncyBjaXBoZXJ0ZXh0IGxlbmd0aDogJHtjaXBoZXJUZXh0TGVuZ3RofSBkb2VzIG5vdCBtYXRjaCB0aGUgY2lwaGVydGV4dCBsZW5ndGg6ICR7a2V5U2l6ZUluQnl0ZXN9IHdoZW4gdXNpbmcgY29sdW1uIG1hc3RlciBrZXkgKEF6dXJlIEtleSBWYXVsdCBrZXkpIGluICR7bWFzdGVyS2V5UGF0aH0uIFRoZSBlbmNyeXB0ZWQgY29sdW1uIGVuY3J5cHRpb24ga2V5IG1heSBiZSBjb3JydXB0LCBvciB0aGUgc3BlY2lmaWVkIEF6dXJlIEtleSBWYXVsdCBrZXkgcGF0aCBtYXkgYmUgaW5jb3JyZWN0LmApO1xuICAgIH1cblxuICAgIGNvbnN0IHNpZ25hdHVyZUxlbmd0aDogbnVtYmVyID0gZW5jcnlwdGVkQ29sdW1uRW5jcnlwdGlvbktleS5sZW5ndGggLSBjdXJyZW50SW5kZXggLSBjaXBoZXJUZXh0TGVuZ3RoO1xuXG4gICAgaWYgKHNpZ25hdHVyZUxlbmd0aCAhPT0ga2V5U2l6ZUluQnl0ZXMpIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcihgVGhlIHNwZWNpZmllZCBlbmNyeXB0ZWQgY29sdW1uIGVuY3J5cHRpb24ga2V5J3Mgc2lnbmF0dXJlIGxlbmd0aDogJHtzaWduYXR1cmVMZW5ndGh9IGRvZXMgbm90IG1hdGNoIHRoZSBzaWduYXR1cmUgbGVuZ3RoOiAke2tleVNpemVJbkJ5dGVzfSB3aGVuIHVzaW5nIGNvbHVtbiBtYXN0ZXIga2V5IChBenVyZSBLZXkgVmF1bHQga2V5KSBpbiAke21hc3RlcktleVBhdGh9LiBUaGUgZW5jcnlwdGVkIGNvbHVtbiBlbmNyeXB0aW9uIGtleSBtYXkgYmUgY29ycnVwdCwgb3IgdGhlIHNwZWNpZmllZCBBenVyZSBLZXkgVmF1bHQga2V5IHBhdGggbWF5IGJlIGluY29ycmVjdC5gKTtcbiAgICB9XG5cbiAgICBjb25zdCBjaXBoZXJUZXh0ID0gQnVmZmVyLmFsbG9jKGNpcGhlclRleHRMZW5ndGgpO1xuICAgIGVuY3J5cHRlZENvbHVtbkVuY3J5cHRpb25LZXkuY29weShjaXBoZXJUZXh0LCAwLCBjdXJyZW50SW5kZXgsIGN1cnJlbnRJbmRleCArIGNpcGhlclRleHRMZW5ndGgpO1xuICAgIGN1cnJlbnRJbmRleCArPSBjaXBoZXJUZXh0TGVuZ3RoO1xuXG4gICAgY29uc3Qgc2lnbmF0dXJlID0gQnVmZmVyLmFsbG9jKHNpZ25hdHVyZUxlbmd0aCk7XG4gICAgZW5jcnlwdGVkQ29sdW1uRW5jcnlwdGlvbktleS5jb3B5KHNpZ25hdHVyZSwgMCwgY3VycmVudEluZGV4LCBjdXJyZW50SW5kZXggKyBzaWduYXR1cmVMZW5ndGgpO1xuXG4gICAgY29uc3QgaGFzaCA9IEJ1ZmZlci5hbGxvYyhlbmNyeXB0ZWRDb2x1bW5FbmNyeXB0aW9uS2V5Lmxlbmd0aCAtIHNpZ25hdHVyZS5sZW5ndGgpO1xuICAgIGVuY3J5cHRlZENvbHVtbkVuY3J5cHRpb25LZXkuY29weShoYXNoLCAwLCAwLCBlbmNyeXB0ZWRDb2x1bW5FbmNyeXB0aW9uS2V5Lmxlbmd0aCAtIHNpZ25hdHVyZS5sZW5ndGgpO1xuXG4gICAgY29uc3QgbWVzc2FnZURpZ2VzdCA9IGNyZWF0ZUhhc2goJ3NoYTI1NicpO1xuICAgIG1lc3NhZ2VEaWdlc3QudXBkYXRlKGhhc2gpO1xuXG4gICAgY29uc3QgZGF0YVRvVmVyaWZ5OiBCdWZmZXIgPSBtZXNzYWdlRGlnZXN0LmRpZ2VzdCgpO1xuXG4gICAgaWYgKCFkYXRhVG9WZXJpZnkpIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcignSGFzaCBzaG91bGQgbm90IGJlIG51bGwgd2hpbGUgZGVjcnlwdGluZyBlbmNyeXB0ZWQgY29sdW1uIGVuY3J5cHRpb24ga2V5LicpO1xuICAgIH1cblxuICAgIGNvbnN0IHZlcmlmeUtleSA9IGF3YWl0IGNyeXB0b0NsaWVudC52ZXJpZnkoJ1JTMjU2JywgZGF0YVRvVmVyaWZ5LCBzaWduYXR1cmUpO1xuICAgIGlmICghdmVyaWZ5S2V5LnJlc3VsdCkge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKGBUaGUgc3BlY2lmaWVkIGVuY3J5cHRlZCBjb2x1bW4gZW5jcnlwdGlvbiBrZXkgc2lnbmF0dXJlIGRvZXMgbm90IG1hdGNoIHRoZSBzaWduYXR1cmUgY29tcHV0ZWQgd2l0aCB0aGUgY29sdW1uIG1hc3RlciBrZXkgKEFzeW1tZXRyaWMga2V5IGluIEF6dXJlIEtleSBWYXVsdCkgaW4gJHttYXN0ZXJLZXlQYXRofS4gVGhlIGVuY3J5cHRlZCBjb2x1bW4gZW5jcnlwdGlvbiBrZXkgbWF5IGJlIGNvcnJ1cHQsIG9yIHRoZSBzcGVjaWZpZWQgcGF0aCBtYXkgYmUgaW5jb3JyZWN0LmApO1xuICAgIH1cblxuICAgIGNvbnN0IGRlY3J5cHRlZENFSzogQnVmZmVyID0gYXdhaXQgdGhpcy5henVyZUtleVZhdWx0VW5XcmFwKGNyeXB0b0NsaWVudCwgZW5jcnlwdGlvbkFsZ29yaXRobSwgY2lwaGVyVGV4dCk7XG5cbiAgICByZXR1cm4gZGVjcnlwdGVkQ0VLO1xuICB9XG5cbiAgYXN5bmMgZW5jcnlwdENvbHVtbkVuY3J5cHRpb25LZXkobWFzdGVyS2V5UGF0aDogc3RyaW5nLCBlbmNyeXB0aW9uQWxnb3JpdGhtOiBzdHJpbmcsIGNvbHVtbkVuY3J5cHRpb25LZXk6IEJ1ZmZlcik6IFByb21pc2U8QnVmZmVyPiB7XG4gICAgaWYgKCFjb2x1bW5FbmNyeXB0aW9uS2V5KSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ0NvbHVtbiBlbmNyeXB0aW9uIGtleSBjYW5ub3QgYmUgbnVsbC4nKTtcbiAgICB9XG5cbiAgICBpZiAoY29sdW1uRW5jcnlwdGlvbktleS5sZW5ndGggPT09IDApIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcignRW1wdHkgY29sdW1uIGVuY3J5cHRpb24ga2V5IHNwZWNpZmllZC4nKTtcbiAgICB9XG5cbiAgICBlbmNyeXB0aW9uQWxnb3JpdGhtID0gdGhpcy52YWxpZGF0ZUVuY3J5cHRpb25BbGdvcml0aG0oZW5jcnlwdGlvbkFsZ29yaXRobSk7XG5cbiAgICBjb25zdCBtYXN0ZXJLZXkgPSBhd2FpdCB0aGlzLmdldE1hc3RlcktleShtYXN0ZXJLZXlQYXRoKTtcblxuICAgIGNvbnN0IGtleVNpemVJbkJ5dGVzID0gdGhpcy5nZXRBS1ZLZXlTaXplKG1hc3RlcktleSk7XG5cbiAgICBjb25zdCBjcnlwdG9DbGllbnQgPSB0aGlzLmNyZWF0ZUNyeXB0b0NsaWVudChtYXN0ZXJLZXkpO1xuXG4gICAgY29uc3QgdmVyc2lvbiA9IEJ1ZmZlci5mcm9tKFt0aGlzLmZpcnN0VmVyc2lvblswXV0pO1xuXG4gICAgY29uc3QgbWFzdGVyS2V5UGF0aEJ5dGVzOiBCdWZmZXIgPSBCdWZmZXIuZnJvbShtYXN0ZXJLZXlQYXRoLnRvTG93ZXJDYXNlKCksICd1dGY4Jyk7XG5cbiAgICBjb25zdCBrZXlQYXRoTGVuZ3RoOiBCdWZmZXIgPSBCdWZmZXIuYWxsb2MoMik7XG5cbiAgICBrZXlQYXRoTGVuZ3RoWzBdID0gbWFzdGVyS2V5UGF0aEJ5dGVzLmxlbmd0aCAmIDB4ZmY7XG4gICAga2V5UGF0aExlbmd0aFsxXSA9IG1hc3RlcktleVBhdGhCeXRlcy5sZW5ndGggPj4gOCAmIDB4ZmY7XG5cbiAgICBjb25zdCBjaXBoZXJUZXh0OiBCdWZmZXIgPSBhd2FpdCB0aGlzLmF6dXJlS2V5VmF1bHRXcmFwKGNyeXB0b0NsaWVudCwgZW5jcnlwdGlvbkFsZ29yaXRobSwgY29sdW1uRW5jcnlwdGlvbktleSk7XG5cbiAgICBjb25zdCBjaXBoZXJUZXh0TGVuZ3RoOiBCdWZmZXIgPSBCdWZmZXIuYWxsb2MoMik7XG5cbiAgICBjaXBoZXJUZXh0TGVuZ3RoWzBdID0gY2lwaGVyVGV4dC5sZW5ndGggJiAweGZmO1xuICAgIGNpcGhlclRleHRMZW5ndGhbMV0gPSBjaXBoZXJUZXh0Lmxlbmd0aCA+PiA4ICYgMHhmZjtcblxuICAgIGlmIChjaXBoZXJUZXh0Lmxlbmd0aCAhPT0ga2V5U2l6ZUluQnl0ZXMpIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcignQ2lwaGVyVGV4dCBsZW5ndGggZG9lcyBub3QgbWF0Y2ggdGhlIFJTQSBrZXkgc2l6ZS4nKTtcbiAgICB9XG5cbiAgICBjb25zdCBkYXRhVG9IYXNoOiBCdWZmZXIgPSBCdWZmZXIuYWxsb2ModmVyc2lvbi5sZW5ndGggKyBrZXlQYXRoTGVuZ3RoLmxlbmd0aCArIGNpcGhlclRleHRMZW5ndGgubGVuZ3RoICsgbWFzdGVyS2V5UGF0aEJ5dGVzLmxlbmd0aCArIGNpcGhlclRleHQubGVuZ3RoKTtcbiAgICBsZXQgZGVzdGluYXRpb25Qb3NpdGlvbjogbnVtYmVyID0gdmVyc2lvbi5sZW5ndGg7XG4gICAgdmVyc2lvbi5jb3B5KGRhdGFUb0hhc2gsIDAsIDAsIHZlcnNpb24ubGVuZ3RoKTtcblxuICAgIGtleVBhdGhMZW5ndGguY29weShkYXRhVG9IYXNoLCBkZXN0aW5hdGlvblBvc2l0aW9uLCAwLCBrZXlQYXRoTGVuZ3RoLmxlbmd0aCk7XG4gICAgZGVzdGluYXRpb25Qb3NpdGlvbiArPSBrZXlQYXRoTGVuZ3RoLmxlbmd0aDtcblxuICAgIGNpcGhlclRleHRMZW5ndGguY29weShkYXRhVG9IYXNoLCBkZXN0aW5hdGlvblBvc2l0aW9uLCAwLCBjaXBoZXJUZXh0TGVuZ3RoLmxlbmd0aCk7XG4gICAgZGVzdGluYXRpb25Qb3NpdGlvbiArPSBjaXBoZXJUZXh0TGVuZ3RoLmxlbmd0aDtcblxuICAgIG1hc3RlcktleVBhdGhCeXRlcy5jb3B5KGRhdGFUb0hhc2gsIGRlc3RpbmF0aW9uUG9zaXRpb24sIDAsIG1hc3RlcktleVBhdGhCeXRlcy5sZW5ndGgpO1xuICAgIGRlc3RpbmF0aW9uUG9zaXRpb24gKz0gbWFzdGVyS2V5UGF0aEJ5dGVzLmxlbmd0aDtcblxuICAgIGNpcGhlclRleHQuY29weShkYXRhVG9IYXNoLCBkZXN0aW5hdGlvblBvc2l0aW9uLCAwLCBjaXBoZXJUZXh0Lmxlbmd0aCk7XG5cbiAgICBjb25zdCBtZXNzYWdlRGlnZXN0ID0gY3JlYXRlSGFzaCgnc2hhMjU2Jyk7XG5cbiAgICBtZXNzYWdlRGlnZXN0LnVwZGF0ZShkYXRhVG9IYXNoKTtcblxuICAgIGNvbnN0IGRhdGFUb1NpZ246IEJ1ZmZlciA9IG1lc3NhZ2VEaWdlc3QuZGlnZXN0KCk7XG5cbiAgICBjb25zdCBzaWduZWRIYXNoOiBCdWZmZXIgPSBhd2FpdCB0aGlzLmF6dXJlS2V5VmF1bHRTaWduZWRIYXNoZWREYXRhKGNyeXB0b0NsaWVudCwgZGF0YVRvU2lnbik7XG4gICAgaWYgKHNpZ25lZEhhc2gubGVuZ3RoICE9PSBrZXlTaXplSW5CeXRlcykge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKCdTaWduZWQgaGFzaCBsZW5ndGggZG9lcyBub3QgbWF0Y2ggdGhlIFJTQSBrZXkgc2l6ZS4nKTtcbiAgICB9XG5cbiAgICBjb25zdCB2ZXJpZnlLZXkgPSBhd2FpdCBjcnlwdG9DbGllbnQudmVyaWZ5KCdSUzI1NicsIGRhdGFUb1NpZ24sIHNpZ25lZEhhc2gpO1xuXG4gICAgaWYgKCF2ZXJpZnlLZXkucmVzdWx0KSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ0ludmFsaWQgc2lnbmF0dXJlIG9mIHRoZSBlbmNyeXB0ZWQgY29sdW1uIGVuY3J5cHRpb24ga2V5IGNvbXB1dGVkLicpO1xuICAgIH1cblxuICAgIGNvbnN0IGVuY3J5cHRlZENvbHVtbkVuY3J5cHRpb25LZXlMZW5ndGg6IG51bWJlciA9IHZlcnNpb24ubGVuZ3RoICsgY2lwaGVyVGV4dExlbmd0aC5sZW5ndGggKyBrZXlQYXRoTGVuZ3RoLmxlbmd0aCArIGNpcGhlclRleHQubGVuZ3RoICsgbWFzdGVyS2V5UGF0aEJ5dGVzLmxlbmd0aCArIHNpZ25lZEhhc2gubGVuZ3RoO1xuICAgIGNvbnN0IGVuY3J5cHRlZENvbHVtbkVuY3J5cHRpb25LZXk6IEJ1ZmZlciA9IEJ1ZmZlci5hbGxvYyhlbmNyeXB0ZWRDb2x1bW5FbmNyeXB0aW9uS2V5TGVuZ3RoKTtcblxuICAgIGxldCBjdXJyZW50SW5kZXggPSAwO1xuICAgIHZlcnNpb24uY29weShlbmNyeXB0ZWRDb2x1bW5FbmNyeXB0aW9uS2V5LCBjdXJyZW50SW5kZXgsIDAsIHZlcnNpb24ubGVuZ3RoKTtcbiAgICBjdXJyZW50SW5kZXggKz0gdmVyc2lvbi5sZW5ndGg7XG5cbiAgICBrZXlQYXRoTGVuZ3RoLmNvcHkoZW5jcnlwdGVkQ29sdW1uRW5jcnlwdGlvbktleSwgY3VycmVudEluZGV4LCAwLCBrZXlQYXRoTGVuZ3RoLmxlbmd0aCk7XG4gICAgY3VycmVudEluZGV4ICs9IGtleVBhdGhMZW5ndGgubGVuZ3RoO1xuXG4gICAgY2lwaGVyVGV4dExlbmd0aC5jb3B5KGVuY3J5cHRlZENvbHVtbkVuY3J5cHRpb25LZXksIGN1cnJlbnRJbmRleCwgMCwgY2lwaGVyVGV4dExlbmd0aC5sZW5ndGgpO1xuICAgIGN1cnJlbnRJbmRleCArPSBjaXBoZXJUZXh0TGVuZ3RoLmxlbmd0aDtcblxuICAgIG1hc3RlcktleVBhdGhCeXRlcy5jb3B5KGVuY3J5cHRlZENvbHVtbkVuY3J5cHRpb25LZXksIGN1cnJlbnRJbmRleCwgMCwgbWFzdGVyS2V5UGF0aEJ5dGVzLmxlbmd0aCk7XG4gICAgY3VycmVudEluZGV4ICs9IG1hc3RlcktleVBhdGhCeXRlcy5sZW5ndGg7XG5cbiAgICBjaXBoZXJUZXh0LmNvcHkoZW5jcnlwdGVkQ29sdW1uRW5jcnlwdGlvbktleSwgY3VycmVudEluZGV4LCAwLCBjaXBoZXJUZXh0Lmxlbmd0aCk7XG4gICAgY3VycmVudEluZGV4ICs9IGNpcGhlclRleHQubGVuZ3RoO1xuXG4gICAgc2lnbmVkSGFzaC5jb3B5KGVuY3J5cHRlZENvbHVtbkVuY3J5cHRpb25LZXksIGN1cnJlbnRJbmRleCwgMCwgc2lnbmVkSGFzaC5sZW5ndGgpO1xuXG4gICAgcmV0dXJuIGVuY3J5cHRlZENvbHVtbkVuY3J5cHRpb25LZXk7XG4gIH1cblxuICBwcml2YXRlIGFzeW5jIGdldE1hc3RlcktleShtYXN0ZXJLZXlQYXRoOiBzdHJpbmcpOiBQcm9taXNlPEtleVZhdWx0S2V5PiB7XG4gICAgaWYgKCFtYXN0ZXJLZXlQYXRoKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ01hc3RlciBrZXkgcGF0aCBjYW5ub3QgYmUgbnVsbCBvciB1bmRlZmluZWQnKTtcbiAgICB9XG4gICAgY29uc3Qga2V5UGFydHMgPSB0aGlzLnBhcnNlUGF0aChtYXN0ZXJLZXlQYXRoKTtcblxuICAgIHRoaXMuY3JlYXRlS2V5Q2xpZW50KGtleVBhcnRzLnZhdWx0VXJsKTtcblxuICAgIHJldHVybiBhd2FpdCAodGhpcy5rZXlDbGllbnQgYXMgS2V5Q2xpZW50KS5nZXRLZXkoa2V5UGFydHMubmFtZSwga2V5UGFydHMudmVyc2lvbiA/IHsgdmVyc2lvbjoga2V5UGFydHMudmVyc2lvbiB9IDoge30pO1xuICB9XG5cbiAgcHJpdmF0ZSBjcmVhdGVLZXlDbGllbnQoa2V5VmF1bHRVcmw6IHN0cmluZyk6IHZvaWQge1xuICAgIGlmICgha2V5VmF1bHRVcmwpIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcignQ2Fubm90IGNyZWF0ZSBrZXkgY2xpZW50IHdpdGggbnVsbCBvciB1bmRlZmluZWQga2V5VmF1bHRVcmwnKTtcbiAgICB9XG4gICAgaWYgKCF0aGlzLmtleUNsaWVudCkge1xuICAgICAgdGhpcy51cmwgPSBrZXlWYXVsdFVybDtcbiAgICAgIHRoaXMua2V5Q2xpZW50ID0gbmV3IEtleUNsaWVudChrZXlWYXVsdFVybCwgdGhpcy5jcmVkZW50aWFscyk7XG4gICAgfVxuICB9XG5cbiAgcHJpdmF0ZSBjcmVhdGVDcnlwdG9DbGllbnQobWFzdGVyS2V5OiBLZXlWYXVsdEtleSk6IENyeXB0b2dyYXBoeUNsaWVudCB7XG4gICAgaWYgKCFtYXN0ZXJLZXkpIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcignQ2Fubm90IGNyZWF0ZSBDcnlwdG9ncmFwaHlDbGllbnQgd2l0aCBudWxsIG9yIHVuZGVmaW5lZCBtYXN0ZXJLZXknKTtcbiAgICB9XG4gICAgcmV0dXJuIG5ldyBDcnlwdG9ncmFwaHlDbGllbnQobWFzdGVyS2V5LCB0aGlzLmNyZWRlbnRpYWxzKTtcbiAgfVxuXG4gIHByaXZhdGUgcGFyc2VQYXRoKG1hc3RlcktleVBhdGg6IHN0cmluZyk6IFBhcnNlZEtleVBhdGgge1xuICAgIGlmICghbWFzdGVyS2V5UGF0aCB8fCBtYXN0ZXJLZXlQYXRoLnRyaW0oKSA9PT0gJycpIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcignQXp1cmUgS2V5IFZhdWx0IGtleSBwYXRoIGNhbm5vdCBiZSBudWxsLicpO1xuICAgIH1cblxuICAgIGxldCBiYXNlVXJpO1xuICAgIHRyeSB7XG4gICAgICBiYXNlVXJpID0gcGFyc2UobWFzdGVyS2V5UGF0aCwgdHJ1ZSwgdHJ1ZSk7XG4gICAgfSBjYXRjaCB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoYEludmFsaWQga2V5cyBpZGVudGlmaWVyOiAke21hc3RlcktleVBhdGh9LiBOb3QgYSB2YWxpZCBVUklgKTtcbiAgICB9XG5cbiAgICBpZiAoIWJhc2VVcmkuaG9zdG5hbWUgfHwgIWJhc2VVcmkuaG9zdG5hbWUudG9Mb3dlckNhc2UoKS5lbmRzV2l0aCh0aGlzLmF6dXJlS2V5VmF1bHREb21haW5OYW1lKSkge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKGBJbnZhbGlkIEF6dXJlIEtleSBWYXVsdCBrZXkgcGF0aCBzcGVjaWZpZWQ6ICR7bWFzdGVyS2V5UGF0aH0uYCk7XG4gICAgfVxuXG4gICAgLy8gUGF0aCBpcyBvZiB0aGUgZm9ybSAnL2NvbGxlY3Rpb24vbmFtZVsvdmVyc2lvbl0nXG4gICAgY29uc3Qgc2VnbWVudHMgPSAoYmFzZVVyaS5wYXRobmFtZSB8fCAnJykuc3BsaXQoJy8nKTtcbiAgICBpZiAoc2VnbWVudHMubGVuZ3RoICE9PSAzICYmIHNlZ21lbnRzLmxlbmd0aCAhPT0gNCkge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKFxuICAgICAgICBgSW52YWxpZCBrZXlzIGlkZW50aWZpZXI6ICR7bWFzdGVyS2V5UGF0aH0uIEJhZCBudW1iZXIgb2Ygc2VnbWVudHM6ICR7c2VnbWVudHMubGVuZ3RofWBcbiAgICAgICk7XG4gICAgfVxuXG4gICAgaWYgKCdrZXlzJyAhPT0gc2VnbWVudHNbMV0pIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcihcbiAgICAgICAgYEludmFsaWQga2V5cyBpZGVudGlmaWVyOiAke21hc3RlcktleVBhdGh9LiBzZWdtZW50IFsxXSBzaG91bGQgYmUgXCJrZXlzXCIsIGZvdW5kIFwiJHtzZWdtZW50c1sxXX1cImBcbiAgICAgICk7XG4gICAgfVxuXG4gICAgY29uc3QgdmF1bHRVcmwgPSBgJHtiYXNlVXJpLnByb3RvY29sfS8vJHtiYXNlVXJpLmhvc3R9YDtcbiAgICBjb25zdCBuYW1lID0gc2VnbWVudHNbMl07XG4gICAgY29uc3QgdmVyc2lvbiA9IHNlZ21lbnRzLmxlbmd0aCA9PT0gNCA/IHNlZ21lbnRzWzNdIDogdW5kZWZpbmVkO1xuICAgIHJldHVybiB7XG4gICAgICB2YXVsdFVybCxcbiAgICAgIG5hbWUsXG4gICAgICB2ZXJzaW9uXG4gICAgfTtcbiAgfVxuXG4gIHByaXZhdGUgYXN5bmMgYXp1cmVLZXlWYXVsdFNpZ25lZEhhc2hlZERhdGEoY3J5cHRvQ2xpZW50OiBDcnlwdG9ncmFwaHlDbGllbnQsIGRhdGFUb1NpZ246IEJ1ZmZlcik6IFByb21pc2U8QnVmZmVyPiB7XG4gICAgaWYgKCFjcnlwdG9DbGllbnQpIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcignQXp1cmUgS1ZTIENyeXB0byBDbGllbnQgaXMgbm90IGRlZmluZWQuJyk7XG4gICAgfVxuXG4gICAgY29uc3Qgc2lnbmVkRGF0YSA9IGF3YWl0IGNyeXB0b0NsaWVudC5zaWduKCdSUzI1NicsIGRhdGFUb1NpZ24pO1xuXG4gICAgcmV0dXJuIEJ1ZmZlci5mcm9tKHNpZ25lZERhdGEucmVzdWx0KTtcbiAgfVxuXG4gIHByaXZhdGUgYXN5bmMgYXp1cmVLZXlWYXVsdFdyYXAoY3J5cHRvQ2xpZW50OiBDcnlwdG9ncmFwaHlDbGllbnQsIGVuY3J5cHRpb25BbGdvcml0aG06IHN0cmluZywgY29sdW1uRW5jcnlwdGlvbktleTogQnVmZmVyKTogUHJvbWlzZTxCdWZmZXI+IHtcbiAgICBpZiAoIWNyeXB0b0NsaWVudCkge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKCdBenVyZSBLVlMgQ3J5cHRvIENsaWVudCBpcyBub3QgZGVmaW5lZC4nKTtcbiAgICB9XG5cbiAgICBpZiAoIWNvbHVtbkVuY3J5cHRpb25LZXkpIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcignQ29sdW1uIGVuY3J5cHRpb24ga2V5IGNhbm5vdCBiZSBudWxsLicpO1xuICAgIH1cblxuICAgIGNvbnN0IHdyYXBwZWRLZXkgPSBhd2FpdCBjcnlwdG9DbGllbnQud3JhcEtleShlbmNyeXB0aW9uQWxnb3JpdGhtIGFzIEtleVdyYXBBbGdvcml0aG0sIGNvbHVtbkVuY3J5cHRpb25LZXkpO1xuXG4gICAgcmV0dXJuIEJ1ZmZlci5mcm9tKHdyYXBwZWRLZXkucmVzdWx0KTtcbiAgfVxuXG4gIHByaXZhdGUgYXN5bmMgYXp1cmVLZXlWYXVsdFVuV3JhcChjcnlwdG9DbGllbnQ6IENyeXB0b2dyYXBoeUNsaWVudCwgZW5jcnlwdGlvbkFsZ29yaXRobTogc3RyaW5nLCBlbmNyeXB0ZWRDb2x1bW5FbmNyeXB0aW9uS2V5OiBCdWZmZXIpOiBQcm9taXNlPEJ1ZmZlcj4ge1xuICAgIGlmICghY3J5cHRvQ2xpZW50KSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ0F6dXJlIEtWUyBDcnlwdG8gQ2xpZW50IGlzIG5vdCBkZWZpbmVkLicpO1xuICAgIH1cblxuICAgIGlmICghZW5jcnlwdGlvbkFsZ29yaXRobSkge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKCdFbmNyeXB0aW9uIEFsZ29yaXRobSBjYW5ub3QgYmUgbnVsbCBvciB1bmRlZmluZWQnKTtcbiAgICB9XG5cbiAgICBpZiAoIWVuY3J5cHRlZENvbHVtbkVuY3J5cHRpb25LZXkpIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcignRW5jcnlwdGVkIGNvbHVtbiBlbmNyeXB0aW9uIGtleSBjYW5ub3QgYmUgbnVsbC4nKTtcbiAgICB9XG5cbiAgICBpZiAoZW5jcnlwdGVkQ29sdW1uRW5jcnlwdGlvbktleS5sZW5ndGggPT09IDApIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcignRW5jcnlwdGVkIENvbHVtbiBFbmNyeXB0aW9uIEtleSBsZW5ndGggc2hvdWxkIG5vdCBiZSB6ZXJvLicpO1xuICAgIH1cblxuICAgIGNvbnN0IHVud3JhcHBlZEtleSA9IGF3YWl0IGNyeXB0b0NsaWVudC51bndyYXBLZXkoZW5jcnlwdGlvbkFsZ29yaXRobSBhcyBLZXlXcmFwQWxnb3JpdGhtLCBlbmNyeXB0ZWRDb2x1bW5FbmNyeXB0aW9uS2V5KTtcblxuICAgIHJldHVybiBCdWZmZXIuZnJvbSh1bndyYXBwZWRLZXkucmVzdWx0KTtcbiAgfVxuXG4gIHByaXZhdGUgZ2V0QUtWS2V5U2l6ZShyZXRyaWV2ZWRLZXk6IEtleVZhdWx0S2V5KTogbnVtYmVyIHtcbiAgICBpZiAoIXJldHJpZXZlZEtleSkge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKCdSZXRyaWV2ZWQga2V5IGNhbm5vdCBiZSBudWxsIG9yIHVuZGVmaW5lZCcpO1xuICAgIH1cbiAgICBjb25zdCBrZXkgPSByZXRyaWV2ZWRLZXkua2V5O1xuXG4gICAgaWYgKCFrZXkpIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcihgS2V5IGRvZXMgbm90IGV4aXN0ICR7cmV0cmlldmVkS2V5Lm5hbWV9YCk7XG4gICAgfVxuXG4gICAgY29uc3Qga3R5OiBzdHJpbmcgfCB1bmRlZmluZWQgPSBrZXkgJiYga2V5Lmt0eSAmJiBrZXkua3R5LnRvU3RyaW5nKCkudG9VcHBlckNhc2UoKTtcblxuICAgIGlmICgha3R5IHx8ICdSU0EnLmxvY2FsZUNvbXBhcmUoa3R5LCAnZW4nKSAhPT0gMCkge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKGBDYW5ub3QgdXNlIGEgbm9uLVJTQSBrZXk6ICR7a3R5fS5gKTtcbiAgICB9XG5cbiAgICBjb25zdCBrZXlMZW5ndGggPSBrZXkgJiYga2V5Lm4gJiYga2V5Lm4ubGVuZ3RoO1xuXG4gICAgcmV0dXJuIGtleUxlbmd0aCB8fCAwO1xuICB9XG5cbiAgcHJpdmF0ZSB2YWxpZGF0ZUVuY3J5cHRpb25BbGdvcml0aG0oZW5jcnlwdGlvbkFsZ29yaXRobTogc3RyaW5nKTogc3RyaW5nIHtcbiAgICBpZiAoIWVuY3J5cHRpb25BbGdvcml0aG0pIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcignS2V5IGVuY3J5cHRpb24gYWxnb3JpdGhtIGNhbm5vdCBiZSBudWxsLicpO1xuICAgIH1cblxuICAgIGlmICgnUlNBX09BRVAnLmxvY2FsZUNvbXBhcmUoZW5jcnlwdGlvbkFsZ29yaXRobS50b1VwcGVyQ2FzZSgpLCAnZW4nKSA9PT0gMCkge1xuICAgICAgZW5jcnlwdGlvbkFsZ29yaXRobSA9ICdSU0EtT0FFUCc7XG4gICAgfVxuXG4gICAgaWYgKHRoaXMucnNhRW5jcnlwdGlvbkFsZ29yaXRobVdpdGhPQUVQRm9yQUtWLmxvY2FsZUNvbXBhcmUoZW5jcnlwdGlvbkFsZ29yaXRobS50cmltKCkudG9VcHBlckNhc2UoKSwgJ2VuJykgIT09IDApIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcihgSW52YWxpZCBrZXkgZW5jcnlwdGlvbiBhbGdvcml0aG0gc3BlY2lmaWVkOiAke2VuY3J5cHRpb25BbGdvcml0aG19LiBFeHBlY3RlZCB2YWx1ZTogJHt0aGlzLnJzYUVuY3J5cHRpb25BbGdvcml0aG1XaXRoT0FFUEZvckFLVn0uYCk7XG4gICAgfVxuXG4gICAgcmV0dXJuIGVuY3J5cHRpb25BbGdvcml0aG07XG4gIH1cbn1cbiJdLCJtYXBwaW5ncyI6Ijs7Ozs7O0FBR0EsSUFBQUEsU0FBQSxHQUFBQyxPQUFBO0FBQ0EsSUFBQUMsYUFBQSxHQUFBRCxPQUFBO0FBQ0EsSUFBQUUsT0FBQSxHQUFBRixPQUFBO0FBQ0EsSUFBQUcsSUFBQSxHQUFBSCxPQUFBO0FBTkE7QUFDQTs7QUFhTyxNQUFNSSxxQ0FBcUMsQ0FBQztFQVNqREMsV0FBV0EsQ0FBQ0MsUUFBZ0IsRUFBRUMsU0FBaUIsRUFBRUMsUUFBZ0IsRUFBRTtJQUNqRSxJQUFJLENBQUNDLElBQUksR0FBRyxpQkFBaUI7SUFDN0IsSUFBSSxDQUFDQyx1QkFBdUIsR0FBRyxpQkFBaUI7SUFDaEQsSUFBSSxDQUFDQyxvQ0FBb0MsR0FBRyxVQUFVO0lBQ3RELElBQUksQ0FBQ0MsWUFBWSxHQUFHQyxNQUFNLENBQUNDLElBQUksQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDO0lBQ3ZDLElBQUksQ0FBQ0MsV0FBVyxHQUFHLElBQUlDLGdDQUFzQixDQUFDUixRQUFRLEVBQUVGLFFBQVEsRUFBRUMsU0FBUyxDQUFDO0VBQzlFO0VBRUEsTUFBTVUsMEJBQTBCQSxDQUFDQyxhQUFxQixFQUFFQyxtQkFBMkIsRUFBRUMsNEJBQW9DLEVBQW1CO0lBQzFJLElBQUksQ0FBQ0EsNEJBQTRCLEVBQUU7TUFDakMsTUFBTSxJQUFJQyxLQUFLLENBQUMsaUVBQWlFLENBQUM7SUFDcEY7SUFFQSxJQUFJRCw0QkFBNEIsQ0FBQ0UsTUFBTSxLQUFLLENBQUMsRUFBRTtNQUM3QyxNQUFNLElBQUlELEtBQUssQ0FBQyxrRUFBa0UsQ0FBQztJQUNyRjtJQUVBRixtQkFBbUIsR0FBRyxJQUFJLENBQUNJLDJCQUEyQixDQUFDSixtQkFBbUIsQ0FBQztJQUUzRSxNQUFNSyxTQUFTLEdBQUcsTUFBTSxJQUFJLENBQUNDLFlBQVksQ0FBQ1AsYUFBYSxDQUFDO0lBRXhELE1BQU1RLGNBQWMsR0FBRyxJQUFJLENBQUNDLGFBQWEsQ0FBQ0gsU0FBUyxDQUFDO0lBRXBELE1BQU1JLFlBQVksR0FBRyxJQUFJLENBQUNDLGtCQUFrQixDQUFDTCxTQUFTLENBQUM7SUFFdkQsSUFBSUosNEJBQTRCLENBQUMsQ0FBQyxDQUFDLEtBQUssSUFBSSxDQUFDUixZQUFZLENBQUMsQ0FBQyxDQUFDLEVBQUU7TUFDNUQsTUFBTSxJQUFJUyxLQUFLLENBQUMsOEZBQThGUixNQUFNLENBQUNDLElBQUksQ0FBQyxDQUFDTSw0QkFBNEIsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUNVLFFBQVEsQ0FBQyxLQUFLLENBQUMseUJBQXlCakIsTUFBTSxDQUFDQyxJQUFJLENBQUMsQ0FBQyxJQUFJLENBQUNGLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUNrQixRQUFRLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQztJQUM5UDtJQUVBLElBQUlDLFlBQVksR0FBRyxJQUFJLENBQUNuQixZQUFZLENBQUNVLE1BQU07SUFDM0MsTUFBTVUsYUFBcUIsR0FBR1osNEJBQTRCLENBQUNhLFdBQVcsQ0FBQ0YsWUFBWSxDQUFDO0lBRXBGQSxZQUFZLElBQUksQ0FBQztJQUVqQixNQUFNRyxnQkFBd0IsR0FBR2QsNEJBQTRCLENBQUNhLFdBQVcsQ0FBQ0YsWUFBWSxDQUFDO0lBRXZGQSxZQUFZLElBQUksQ0FBQztJQUVqQkEsWUFBWSxJQUFJQyxhQUFhO0lBRTdCLElBQUlFLGdCQUFnQixLQUFLUixjQUFjLEVBQUU7TUFDdkMsTUFBTSxJQUFJTCxLQUFLLENBQUMsc0VBQXNFYSxnQkFBZ0IsMENBQTBDUixjQUFjLDBEQUEwRFIsYUFBYSxtSEFBbUgsQ0FBQztJQUMzVjtJQUVBLE1BQU1pQixlQUF1QixHQUFHZiw0QkFBNEIsQ0FBQ0UsTUFBTSxHQUFHUyxZQUFZLEdBQUdHLGdCQUFnQjtJQUVyRyxJQUFJQyxlQUFlLEtBQUtULGNBQWMsRUFBRTtNQUN0QyxNQUFNLElBQUlMLEtBQUssQ0FBQyxxRUFBcUVjLGVBQWUseUNBQXlDVCxjQUFjLDBEQUEwRFIsYUFBYSxtSEFBbUgsQ0FBQztJQUN4VjtJQUVBLE1BQU1rQixVQUFVLEdBQUd2QixNQUFNLENBQUN3QixLQUFLLENBQUNILGdCQUFnQixDQUFDO0lBQ2pEZCw0QkFBNEIsQ0FBQ2tCLElBQUksQ0FBQ0YsVUFBVSxFQUFFLENBQUMsRUFBRUwsWUFBWSxFQUFFQSxZQUFZLEdBQUdHLGdCQUFnQixDQUFDO0lBQy9GSCxZQUFZLElBQUlHLGdCQUFnQjtJQUVoQyxNQUFNSyxTQUFTLEdBQUcxQixNQUFNLENBQUN3QixLQUFLLENBQUNGLGVBQWUsQ0FBQztJQUMvQ2YsNEJBQTRCLENBQUNrQixJQUFJLENBQUNDLFNBQVMsRUFBRSxDQUFDLEVBQUVSLFlBQVksRUFBRUEsWUFBWSxHQUFHSSxlQUFlLENBQUM7SUFFN0YsTUFBTUssSUFBSSxHQUFHM0IsTUFBTSxDQUFDd0IsS0FBSyxDQUFDakIsNEJBQTRCLENBQUNFLE1BQU0sR0FBR2lCLFNBQVMsQ0FBQ2pCLE1BQU0sQ0FBQztJQUNqRkYsNEJBQTRCLENBQUNrQixJQUFJLENBQUNFLElBQUksRUFBRSxDQUFDLEVBQUUsQ0FBQyxFQUFFcEIsNEJBQTRCLENBQUNFLE1BQU0sR0FBR2lCLFNBQVMsQ0FBQ2pCLE1BQU0sQ0FBQztJQUVyRyxNQUFNbUIsYUFBYSxHQUFHLElBQUFDLGtCQUFVLEVBQUMsUUFBUSxDQUFDO0lBQzFDRCxhQUFhLENBQUNFLE1BQU0sQ0FBQ0gsSUFBSSxDQUFDO0lBRTFCLE1BQU1JLFlBQW9CLEdBQUdILGFBQWEsQ0FBQ0ksTUFBTSxDQUFDLENBQUM7SUFFbkQsSUFBSSxDQUFDRCxZQUFZLEVBQUU7TUFDakIsTUFBTSxJQUFJdkIsS0FBSyxDQUFDLDJFQUEyRSxDQUFDO0lBQzlGO0lBRUEsTUFBTXlCLFNBQVMsR0FBRyxNQUFNbEIsWUFBWSxDQUFDbUIsTUFBTSxDQUFDLE9BQU8sRUFBRUgsWUFBWSxFQUFFTCxTQUFTLENBQUM7SUFDN0UsSUFBSSxDQUFDTyxTQUFTLENBQUNFLE1BQU0sRUFBRTtNQUNyQixNQUFNLElBQUkzQixLQUFLLENBQUMsbUtBQW1LSCxhQUFhLCtGQUErRixDQUFDO0lBQ2xTO0lBRUEsTUFBTStCLFlBQW9CLEdBQUcsTUFBTSxJQUFJLENBQUNDLG1CQUFtQixDQUFDdEIsWUFBWSxFQUFFVCxtQkFBbUIsRUFBRWlCLFVBQVUsQ0FBQztJQUUxRyxPQUFPYSxZQUFZO0VBQ3JCO0VBRUEsTUFBTUUsMEJBQTBCQSxDQUFDakMsYUFBcUIsRUFBRUMsbUJBQTJCLEVBQUVpQyxtQkFBMkIsRUFBbUI7SUFDakksSUFBSSxDQUFDQSxtQkFBbUIsRUFBRTtNQUN4QixNQUFNLElBQUkvQixLQUFLLENBQUMsdUNBQXVDLENBQUM7SUFDMUQ7SUFFQSxJQUFJK0IsbUJBQW1CLENBQUM5QixNQUFNLEtBQUssQ0FBQyxFQUFFO01BQ3BDLE1BQU0sSUFBSUQsS0FBSyxDQUFDLHdDQUF3QyxDQUFDO0lBQzNEO0lBRUFGLG1CQUFtQixHQUFHLElBQUksQ0FBQ0ksMkJBQTJCLENBQUNKLG1CQUFtQixDQUFDO0lBRTNFLE1BQU1LLFNBQVMsR0FBRyxNQUFNLElBQUksQ0FBQ0MsWUFBWSxDQUFDUCxhQUFhLENBQUM7SUFFeEQsTUFBTVEsY0FBYyxHQUFHLElBQUksQ0FBQ0MsYUFBYSxDQUFDSCxTQUFTLENBQUM7SUFFcEQsTUFBTUksWUFBWSxHQUFHLElBQUksQ0FBQ0Msa0JBQWtCLENBQUNMLFNBQVMsQ0FBQztJQUV2RCxNQUFNNkIsT0FBTyxHQUFHeEMsTUFBTSxDQUFDQyxJQUFJLENBQUMsQ0FBQyxJQUFJLENBQUNGLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO0lBRW5ELE1BQU0wQyxrQkFBMEIsR0FBR3pDLE1BQU0sQ0FBQ0MsSUFBSSxDQUFDSSxhQUFhLENBQUNxQyxXQUFXLENBQUMsQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUVuRixNQUFNdkIsYUFBcUIsR0FBR25CLE1BQU0sQ0FBQ3dCLEtBQUssQ0FBQyxDQUFDLENBQUM7SUFFN0NMLGFBQWEsQ0FBQyxDQUFDLENBQUMsR0FBR3NCLGtCQUFrQixDQUFDaEMsTUFBTSxHQUFHLElBQUk7SUFDbkRVLGFBQWEsQ0FBQyxDQUFDLENBQUMsR0FBR3NCLGtCQUFrQixDQUFDaEMsTUFBTSxJQUFJLENBQUMsR0FBRyxJQUFJO0lBRXhELE1BQU1jLFVBQWtCLEdBQUcsTUFBTSxJQUFJLENBQUNvQixpQkFBaUIsQ0FBQzVCLFlBQVksRUFBRVQsbUJBQW1CLEVBQUVpQyxtQkFBbUIsQ0FBQztJQUUvRyxNQUFNbEIsZ0JBQXdCLEdBQUdyQixNQUFNLENBQUN3QixLQUFLLENBQUMsQ0FBQyxDQUFDO0lBRWhESCxnQkFBZ0IsQ0FBQyxDQUFDLENBQUMsR0FBR0UsVUFBVSxDQUFDZCxNQUFNLEdBQUcsSUFBSTtJQUM5Q1ksZ0JBQWdCLENBQUMsQ0FBQyxDQUFDLEdBQUdFLFVBQVUsQ0FBQ2QsTUFBTSxJQUFJLENBQUMsR0FBRyxJQUFJO0lBRW5ELElBQUljLFVBQVUsQ0FBQ2QsTUFBTSxLQUFLSSxjQUFjLEVBQUU7TUFDeEMsTUFBTSxJQUFJTCxLQUFLLENBQUMsb0RBQW9ELENBQUM7SUFDdkU7SUFFQSxNQUFNb0MsVUFBa0IsR0FBRzVDLE1BQU0sQ0FBQ3dCLEtBQUssQ0FBQ2dCLE9BQU8sQ0FBQy9CLE1BQU0sR0FBR1UsYUFBYSxDQUFDVixNQUFNLEdBQUdZLGdCQUFnQixDQUFDWixNQUFNLEdBQUdnQyxrQkFBa0IsQ0FBQ2hDLE1BQU0sR0FBR2MsVUFBVSxDQUFDZCxNQUFNLENBQUM7SUFDeEosSUFBSW9DLG1CQUEyQixHQUFHTCxPQUFPLENBQUMvQixNQUFNO0lBQ2hEK0IsT0FBTyxDQUFDZixJQUFJLENBQUNtQixVQUFVLEVBQUUsQ0FBQyxFQUFFLENBQUMsRUFBRUosT0FBTyxDQUFDL0IsTUFBTSxDQUFDO0lBRTlDVSxhQUFhLENBQUNNLElBQUksQ0FBQ21CLFVBQVUsRUFBRUMsbUJBQW1CLEVBQUUsQ0FBQyxFQUFFMUIsYUFBYSxDQUFDVixNQUFNLENBQUM7SUFDNUVvQyxtQkFBbUIsSUFBSTFCLGFBQWEsQ0FBQ1YsTUFBTTtJQUUzQ1ksZ0JBQWdCLENBQUNJLElBQUksQ0FBQ21CLFVBQVUsRUFBRUMsbUJBQW1CLEVBQUUsQ0FBQyxFQUFFeEIsZ0JBQWdCLENBQUNaLE1BQU0sQ0FBQztJQUNsRm9DLG1CQUFtQixJQUFJeEIsZ0JBQWdCLENBQUNaLE1BQU07SUFFOUNnQyxrQkFBa0IsQ0FBQ2hCLElBQUksQ0FBQ21CLFVBQVUsRUFBRUMsbUJBQW1CLEVBQUUsQ0FBQyxFQUFFSixrQkFBa0IsQ0FBQ2hDLE1BQU0sQ0FBQztJQUN0Rm9DLG1CQUFtQixJQUFJSixrQkFBa0IsQ0FBQ2hDLE1BQU07SUFFaERjLFVBQVUsQ0FBQ0UsSUFBSSxDQUFDbUIsVUFBVSxFQUFFQyxtQkFBbUIsRUFBRSxDQUFDLEVBQUV0QixVQUFVLENBQUNkLE1BQU0sQ0FBQztJQUV0RSxNQUFNbUIsYUFBYSxHQUFHLElBQUFDLGtCQUFVLEVBQUMsUUFBUSxDQUFDO0lBRTFDRCxhQUFhLENBQUNFLE1BQU0sQ0FBQ2MsVUFBVSxDQUFDO0lBRWhDLE1BQU1FLFVBQWtCLEdBQUdsQixhQUFhLENBQUNJLE1BQU0sQ0FBQyxDQUFDO0lBRWpELE1BQU1lLFVBQWtCLEdBQUcsTUFBTSxJQUFJLENBQUNDLDZCQUE2QixDQUFDakMsWUFBWSxFQUFFK0IsVUFBVSxDQUFDO0lBQzdGLElBQUlDLFVBQVUsQ0FBQ3RDLE1BQU0sS0FBS0ksY0FBYyxFQUFFO01BQ3hDLE1BQU0sSUFBSUwsS0FBSyxDQUFDLHFEQUFxRCxDQUFDO0lBQ3hFO0lBRUEsTUFBTXlCLFNBQVMsR0FBRyxNQUFNbEIsWUFBWSxDQUFDbUIsTUFBTSxDQUFDLE9BQU8sRUFBRVksVUFBVSxFQUFFQyxVQUFVLENBQUM7SUFFNUUsSUFBSSxDQUFDZCxTQUFTLENBQUNFLE1BQU0sRUFBRTtNQUNyQixNQUFNLElBQUkzQixLQUFLLENBQUMsb0VBQW9FLENBQUM7SUFDdkY7SUFFQSxNQUFNeUMsa0NBQTBDLEdBQUdULE9BQU8sQ0FBQy9CLE1BQU0sR0FBR1ksZ0JBQWdCLENBQUNaLE1BQU0sR0FBR1UsYUFBYSxDQUFDVixNQUFNLEdBQUdjLFVBQVUsQ0FBQ2QsTUFBTSxHQUFHZ0Msa0JBQWtCLENBQUNoQyxNQUFNLEdBQUdzQyxVQUFVLENBQUN0QyxNQUFNO0lBQ3RMLE1BQU1GLDRCQUFvQyxHQUFHUCxNQUFNLENBQUN3QixLQUFLLENBQUN5QixrQ0FBa0MsQ0FBQztJQUU3RixJQUFJL0IsWUFBWSxHQUFHLENBQUM7SUFDcEJzQixPQUFPLENBQUNmLElBQUksQ0FBQ2xCLDRCQUE0QixFQUFFVyxZQUFZLEVBQUUsQ0FBQyxFQUFFc0IsT0FBTyxDQUFDL0IsTUFBTSxDQUFDO0lBQzNFUyxZQUFZLElBQUlzQixPQUFPLENBQUMvQixNQUFNO0lBRTlCVSxhQUFhLENBQUNNLElBQUksQ0FBQ2xCLDRCQUE0QixFQUFFVyxZQUFZLEVBQUUsQ0FBQyxFQUFFQyxhQUFhLENBQUNWLE1BQU0sQ0FBQztJQUN2RlMsWUFBWSxJQUFJQyxhQUFhLENBQUNWLE1BQU07SUFFcENZLGdCQUFnQixDQUFDSSxJQUFJLENBQUNsQiw0QkFBNEIsRUFBRVcsWUFBWSxFQUFFLENBQUMsRUFBRUcsZ0JBQWdCLENBQUNaLE1BQU0sQ0FBQztJQUM3RlMsWUFBWSxJQUFJRyxnQkFBZ0IsQ0FBQ1osTUFBTTtJQUV2Q2dDLGtCQUFrQixDQUFDaEIsSUFBSSxDQUFDbEIsNEJBQTRCLEVBQUVXLFlBQVksRUFBRSxDQUFDLEVBQUV1QixrQkFBa0IsQ0FBQ2hDLE1BQU0sQ0FBQztJQUNqR1MsWUFBWSxJQUFJdUIsa0JBQWtCLENBQUNoQyxNQUFNO0lBRXpDYyxVQUFVLENBQUNFLElBQUksQ0FBQ2xCLDRCQUE0QixFQUFFVyxZQUFZLEVBQUUsQ0FBQyxFQUFFSyxVQUFVLENBQUNkLE1BQU0sQ0FBQztJQUNqRlMsWUFBWSxJQUFJSyxVQUFVLENBQUNkLE1BQU07SUFFakNzQyxVQUFVLENBQUN0QixJQUFJLENBQUNsQiw0QkFBNEIsRUFBRVcsWUFBWSxFQUFFLENBQUMsRUFBRTZCLFVBQVUsQ0FBQ3RDLE1BQU0sQ0FBQztJQUVqRixPQUFPRiw0QkFBNEI7RUFDckM7RUFFQSxNQUFjSyxZQUFZQSxDQUFDUCxhQUFxQixFQUF3QjtJQUN0RSxJQUFJLENBQUNBLGFBQWEsRUFBRTtNQUNsQixNQUFNLElBQUlHLEtBQUssQ0FBQyw2Q0FBNkMsQ0FBQztJQUNoRTtJQUNBLE1BQU0wQyxRQUFRLEdBQUcsSUFBSSxDQUFDQyxTQUFTLENBQUM5QyxhQUFhLENBQUM7SUFFOUMsSUFBSSxDQUFDK0MsZUFBZSxDQUFDRixRQUFRLENBQUNHLFFBQVEsQ0FBQztJQUV2QyxPQUFPLE1BQU8sSUFBSSxDQUFDQyxTQUFTLENBQWVDLE1BQU0sQ0FBQ0wsUUFBUSxDQUFDdEQsSUFBSSxFQUFFc0QsUUFBUSxDQUFDVixPQUFPLEdBQUc7TUFBRUEsT0FBTyxFQUFFVSxRQUFRLENBQUNWO0lBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO0VBQ3pIO0VBRVFZLGVBQWVBLENBQUNJLFdBQW1CLEVBQVE7SUFDakQsSUFBSSxDQUFDQSxXQUFXLEVBQUU7TUFDaEIsTUFBTSxJQUFJaEQsS0FBSyxDQUFDLDZEQUE2RCxDQUFDO0lBQ2hGO0lBQ0EsSUFBSSxDQUFDLElBQUksQ0FBQzhDLFNBQVMsRUFBRTtNQUNuQixJQUFJLENBQUNHLEdBQUcsR0FBR0QsV0FBVztNQUN0QixJQUFJLENBQUNGLFNBQVMsR0FBRyxJQUFJSSx1QkFBUyxDQUFDRixXQUFXLEVBQUUsSUFBSSxDQUFDdEQsV0FBVyxDQUFDO0lBQy9EO0VBQ0Y7RUFFUWMsa0JBQWtCQSxDQUFDTCxTQUFzQixFQUFzQjtJQUNyRSxJQUFJLENBQUNBLFNBQVMsRUFBRTtNQUNkLE1BQU0sSUFBSUgsS0FBSyxDQUFDLG1FQUFtRSxDQUFDO0lBQ3RGO0lBQ0EsT0FBTyxJQUFJbUQsZ0NBQWtCLENBQUNoRCxTQUFTLEVBQUUsSUFBSSxDQUFDVCxXQUFXLENBQUM7RUFDNUQ7RUFFUWlELFNBQVNBLENBQUM5QyxhQUFxQixFQUFpQjtJQUN0RCxJQUFJLENBQUNBLGFBQWEsSUFBSUEsYUFBYSxDQUFDdUQsSUFBSSxDQUFDLENBQUMsS0FBSyxFQUFFLEVBQUU7TUFDakQsTUFBTSxJQUFJcEQsS0FBSyxDQUFDLDBDQUEwQyxDQUFDO0lBQzdEO0lBRUEsSUFBSXFELE9BQU87SUFDWCxJQUFJO01BQ0ZBLE9BQU8sR0FBRyxJQUFBQyxVQUFLLEVBQUN6RCxhQUFhLEVBQUUsSUFBSSxFQUFFLElBQUksQ0FBQztJQUM1QyxDQUFDLENBQUMsTUFBTTtNQUNOLE1BQU0sSUFBSUcsS0FBSyxDQUFDLDRCQUE0QkgsYUFBYSxtQkFBbUIsQ0FBQztJQUMvRTtJQUVBLElBQUksQ0FBQ3dELE9BQU8sQ0FBQ0UsUUFBUSxJQUFJLENBQUNGLE9BQU8sQ0FBQ0UsUUFBUSxDQUFDckIsV0FBVyxDQUFDLENBQUMsQ0FBQ3NCLFFBQVEsQ0FBQyxJQUFJLENBQUNuRSx1QkFBdUIsQ0FBQyxFQUFFO01BQy9GLE1BQU0sSUFBSVcsS0FBSyxDQUFDLCtDQUErQ0gsYUFBYSxHQUFHLENBQUM7SUFDbEY7O0lBRUE7SUFDQSxNQUFNNEQsUUFBUSxHQUFHLENBQUNKLE9BQU8sQ0FBQ0ssUUFBUSxJQUFJLEVBQUUsRUFBRUMsS0FBSyxDQUFDLEdBQUcsQ0FBQztJQUNwRCxJQUFJRixRQUFRLENBQUN4RCxNQUFNLEtBQUssQ0FBQyxJQUFJd0QsUUFBUSxDQUFDeEQsTUFBTSxLQUFLLENBQUMsRUFBRTtNQUNsRCxNQUFNLElBQUlELEtBQUssQ0FDYiw0QkFBNEJILGFBQWEsNkJBQTZCNEQsUUFBUSxDQUFDeEQsTUFBTSxFQUN2RixDQUFDO0lBQ0g7SUFFQSxJQUFJLE1BQU0sS0FBS3dELFFBQVEsQ0FBQyxDQUFDLENBQUMsRUFBRTtNQUMxQixNQUFNLElBQUl6RCxLQUFLLENBQ2IsNEJBQTRCSCxhQUFhLDBDQUEwQzRELFFBQVEsQ0FBQyxDQUFDLENBQUMsR0FDaEcsQ0FBQztJQUNIO0lBRUEsTUFBTVosUUFBUSxHQUFHLEdBQUdRLE9BQU8sQ0FBQ08sUUFBUSxLQUFLUCxPQUFPLENBQUNRLElBQUksRUFBRTtJQUN2RCxNQUFNekUsSUFBSSxHQUFHcUUsUUFBUSxDQUFDLENBQUMsQ0FBQztJQUN4QixNQUFNekIsT0FBTyxHQUFHeUIsUUFBUSxDQUFDeEQsTUFBTSxLQUFLLENBQUMsR0FBR3dELFFBQVEsQ0FBQyxDQUFDLENBQUMsR0FBR0ssU0FBUztJQUMvRCxPQUFPO01BQ0xqQixRQUFRO01BQ1J6RCxJQUFJO01BQ0o0QztJQUNGLENBQUM7RUFDSDtFQUVBLE1BQWNRLDZCQUE2QkEsQ0FBQ2pDLFlBQWdDLEVBQUUrQixVQUFrQixFQUFtQjtJQUNqSCxJQUFJLENBQUMvQixZQUFZLEVBQUU7TUFDakIsTUFBTSxJQUFJUCxLQUFLLENBQUMseUNBQXlDLENBQUM7SUFDNUQ7SUFFQSxNQUFNK0QsVUFBVSxHQUFHLE1BQU14RCxZQUFZLENBQUN5RCxJQUFJLENBQUMsT0FBTyxFQUFFMUIsVUFBVSxDQUFDO0lBRS9ELE9BQU85QyxNQUFNLENBQUNDLElBQUksQ0FBQ3NFLFVBQVUsQ0FBQ3BDLE1BQU0sQ0FBQztFQUN2QztFQUVBLE1BQWNRLGlCQUFpQkEsQ0FBQzVCLFlBQWdDLEVBQUVULG1CQUEyQixFQUFFaUMsbUJBQTJCLEVBQW1CO0lBQzNJLElBQUksQ0FBQ3hCLFlBQVksRUFBRTtNQUNqQixNQUFNLElBQUlQLEtBQUssQ0FBQyx5Q0FBeUMsQ0FBQztJQUM1RDtJQUVBLElBQUksQ0FBQytCLG1CQUFtQixFQUFFO01BQ3hCLE1BQU0sSUFBSS9CLEtBQUssQ0FBQyx1Q0FBdUMsQ0FBQztJQUMxRDtJQUVBLE1BQU1pRSxVQUFVLEdBQUcsTUFBTTFELFlBQVksQ0FBQzJELE9BQU8sQ0FBQ3BFLG1CQUFtQixFQUFzQmlDLG1CQUFtQixDQUFDO0lBRTNHLE9BQU92QyxNQUFNLENBQUNDLElBQUksQ0FBQ3dFLFVBQVUsQ0FBQ3RDLE1BQU0sQ0FBQztFQUN2QztFQUVBLE1BQWNFLG1CQUFtQkEsQ0FBQ3RCLFlBQWdDLEVBQUVULG1CQUEyQixFQUFFQyw0QkFBb0MsRUFBbUI7SUFDdEosSUFBSSxDQUFDUSxZQUFZLEVBQUU7TUFDakIsTUFBTSxJQUFJUCxLQUFLLENBQUMseUNBQXlDLENBQUM7SUFDNUQ7SUFFQSxJQUFJLENBQUNGLG1CQUFtQixFQUFFO01BQ3hCLE1BQU0sSUFBSUUsS0FBSyxDQUFDLGtEQUFrRCxDQUFDO0lBQ3JFO0lBRUEsSUFBSSxDQUFDRCw0QkFBNEIsRUFBRTtNQUNqQyxNQUFNLElBQUlDLEtBQUssQ0FBQyxpREFBaUQsQ0FBQztJQUNwRTtJQUVBLElBQUlELDRCQUE0QixDQUFDRSxNQUFNLEtBQUssQ0FBQyxFQUFFO01BQzdDLE1BQU0sSUFBSUQsS0FBSyxDQUFDLDREQUE0RCxDQUFDO0lBQy9FO0lBRUEsTUFBTW1FLFlBQVksR0FBRyxNQUFNNUQsWUFBWSxDQUFDNkQsU0FBUyxDQUFDdEUsbUJBQW1CLEVBQXNCQyw0QkFBNEIsQ0FBQztJQUV4SCxPQUFPUCxNQUFNLENBQUNDLElBQUksQ0FBQzBFLFlBQVksQ0FBQ3hDLE1BQU0sQ0FBQztFQUN6QztFQUVRckIsYUFBYUEsQ0FBQytELFlBQXlCLEVBQVU7SUFDdkQsSUFBSSxDQUFDQSxZQUFZLEVBQUU7TUFDakIsTUFBTSxJQUFJckUsS0FBSyxDQUFDLDJDQUEyQyxDQUFDO0lBQzlEO0lBQ0EsTUFBTXNFLEdBQUcsR0FBR0QsWUFBWSxDQUFDQyxHQUFHO0lBRTVCLElBQUksQ0FBQ0EsR0FBRyxFQUFFO01BQ1IsTUFBTSxJQUFJdEUsS0FBSyxDQUFDLHNCQUFzQnFFLFlBQVksQ0FBQ2pGLElBQUksRUFBRSxDQUFDO0lBQzVEO0lBRUEsTUFBTW1GLEdBQXVCLEdBQUdELEdBQUcsSUFBSUEsR0FBRyxDQUFDQyxHQUFHLElBQUlELEdBQUcsQ0FBQ0MsR0FBRyxDQUFDOUQsUUFBUSxDQUFDLENBQUMsQ0FBQytELFdBQVcsQ0FBQyxDQUFDO0lBRWxGLElBQUksQ0FBQ0QsR0FBRyxJQUFJLEtBQUssQ0FBQ0UsYUFBYSxDQUFDRixHQUFHLEVBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxFQUFFO01BQ2hELE1BQU0sSUFBSXZFLEtBQUssQ0FBQyw2QkFBNkJ1RSxHQUFHLEdBQUcsQ0FBQztJQUN0RDtJQUVBLE1BQU1HLFNBQVMsR0FBR0osR0FBRyxJQUFJQSxHQUFHLENBQUNLLENBQUMsSUFBSUwsR0FBRyxDQUFDSyxDQUFDLENBQUMxRSxNQUFNO0lBRTlDLE9BQU95RSxTQUFTLElBQUksQ0FBQztFQUN2QjtFQUVReEUsMkJBQTJCQSxDQUFDSixtQkFBMkIsRUFBVTtJQUN2RSxJQUFJLENBQUNBLG1CQUFtQixFQUFFO01BQ3hCLE1BQU0sSUFBSUUsS0FBSyxDQUFDLDBDQUEwQyxDQUFDO0lBQzdEO0lBRUEsSUFBSSxVQUFVLENBQUN5RSxhQUFhLENBQUMzRSxtQkFBbUIsQ0FBQzBFLFdBQVcsQ0FBQyxDQUFDLEVBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxFQUFFO01BQzNFMUUsbUJBQW1CLEdBQUcsVUFBVTtJQUNsQztJQUVBLElBQUksSUFBSSxDQUFDUixvQ0FBb0MsQ0FBQ21GLGFBQWEsQ0FBQzNFLG1CQUFtQixDQUFDc0QsSUFBSSxDQUFDLENBQUMsQ0FBQ29CLFdBQVcsQ0FBQyxDQUFDLEVBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxFQUFFO01BQ2pILE1BQU0sSUFBSXhFLEtBQUssQ0FBQywrQ0FBK0NGLG1CQUFtQixxQkFBcUIsSUFBSSxDQUFDUixvQ0FBb0MsR0FBRyxDQUFDO0lBQ3RKO0lBRUEsT0FBT1EsbUJBQW1CO0VBQzVCO0FBQ0Y7QUFBQzhFLE9BQUEsQ0FBQTdGLHFDQUFBLEdBQUFBLHFDQUFBIiwiaWdub3JlTGlzdCI6W119

package/lib/always-encrypted/keystore-provider-azure-key-vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keystore-provider-azure-key-vault.js","names":["_identity","require","_keyvaultKeys","_crypto","_url","ColumnEncryptionAzureKeyVaultProvider","constructor","clientId","clientKey","tenantId","name","azureKeyVaultDomainName","rsaEncryptionAlgorithmWithOAEPForAKV","firstVersion","Buffer","from","credentials","ClientSecretCredential","decryptColumnEncryptionKey","masterKeyPath","encryptionAlgorithm","encryptedColumnEncryptionKey","Error","length","validateEncryptionAlgorithm","masterKey","getMasterKey","keySizeInBytes","getAKVKeySize","cryptoClient","createCryptoClient","toString","currentIndex","keyPathLength","readInt16LE","cipherTextLength","signatureLength","cipherText","alloc","copy","signature","hash","messageDigest","createHash","update","dataToVerify","digest","verifyKey","verify","result","decryptedCEK","azureKeyVaultUnWrap","encryptColumnEncryptionKey","columnEncryptionKey","version","masterKeyPathBytes","toLowerCase","azureKeyVaultWrap","dataToHash","destinationPosition","dataToSign","signedHash","azureKeyVaultSignedHashedData","encryptedColumnEncryptionKeyLength","keyParts","parsePath","createKeyClient","vaultUrl","keyClient","getKey","keyVaultUrl","url","KeyClient","CryptographyClient","trim","baseUri","parse","hostname","endsWith","segments","pathname","split","protocol","host","undefined","signedData","sign","wrappedKey","wrapKey","unwrappedKey","unwrapKey","retrievedKey","key","kty","toUpperCase","localeCompare","keyLength","n","exports"],"sources":["../../src/always-encrypted/keystore-provider-azure-key-vault.ts"],"sourcesContent":["// This code is based on the `mssql-jdbc` library published under the conditions of MIT license.\n// Copyright (c) 2019 Microsoft Corporation\n\nimport { ClientSecretCredential } from '@azure/identity';\nimport { CryptographyClient, type KeyWrapAlgorithm, KeyClient, type KeyVaultKey } from '@azure/keyvault-keys';\nimport { createHash } from 'crypto';\nimport { parse } from 'url';\n\ninterface ParsedKeyPath {\n  vaultUrl: string;\n  name: string;\n  version?: string | undefined;\n}\n\nexport class ColumnEncryptionAzureKeyVaultProvider {\n  declare public readonly name: string;\n  declare private url: undefined | string;\n  declare private readonly rsaEncryptionAlgorithmWithOAEPForAKV: string;\n  declare private readonly firstVersion: Buffer;\n  declare private credentials: ClientSecretCredential;\n  declare private readonly azureKeyVaultDomainName: string;\n  declare private keyClient: undefined | KeyClient;\n\n  constructor(clientId: string, clientKey: string, tenantId: string) {\n    this.name = 'AZURE_KEY_VAULT';\n    this.azureKeyVaultDomainName = 'vault.azure.net';\n    this.rsaEncryptionAlgorithmWithOAEPForAKV = 'RSA-OAEP';\n    this.firstVersion = Buffer.from([0x01]);\n    this.credentials = new ClientSecretCredential(tenantId, clientId, clientKey);\n  }\n\n  async decryptColumnEncryptionKey(masterKeyPath: string, encryptionAlgorithm: string, encryptedColumnEncryptionKey: Buffer): Promise<Buffer> {\n    if (!encryptedColumnEncryptionKey) {\n      throw new Error('Internal error. Encrypted column encryption key cannot be null.');\n    }\n\n    if (encryptedColumnEncryptionKey.length === 0) {\n      throw new Error('Internal error. Empty encrypted column encryption key specified.');\n    }\n\n    encryptionAlgorithm = this.validateEncryptionAlgorithm(encryptionAlgorithm);\n\n    const masterKey = await this.getMasterKey(masterKeyPath);\n\n    const keySizeInBytes = this.getAKVKeySize(masterKey);\n\n    const cryptoClient = this.createCryptoClient(masterKey);\n\n    if (encryptedColumnEncryptionKey[0] !== this.firstVersion[0]) {\n      throw new Error(`Specified encrypted column encryption key contains an invalid encryption algorithm version ${Buffer.from([encryptedColumnEncryptionKey[0]]).toString('hex')}. Expected version is ${Buffer.from([this.firstVersion[0]]).toString('hex')}.`);\n    }\n\n    let currentIndex = this.firstVersion.length;\n    const keyPathLength: number = encryptedColumnEncryptionKey.readInt16LE(currentIndex);\n\n    currentIndex += 2;\n\n    const cipherTextLength: number = encryptedColumnEncryptionKey.readInt16LE(currentIndex);\n\n    currentIndex += 2;\n\n    currentIndex += keyPathLength;\n\n    if (cipherTextLength !== keySizeInBytes) {\n      throw new Error(`The specified encrypted column encryption key's ciphertext length: ${cipherTextLength} does not match the ciphertext length: ${keySizeInBytes} when using column master key (Azure Key Vault key) in ${masterKeyPath}. The encrypted column encryption key may be corrupt, or the specified Azure Key Vault key path may be incorrect.`);\n    }\n\n    const signatureLength: number = encryptedColumnEncryptionKey.length - currentIndex - cipherTextLength;\n\n    if (signatureLength !== keySizeInBytes) {\n      throw new Error(`The specified encrypted column encryption key's signature length: ${signatureLength} does not match the signature length: ${keySizeInBytes} when using column master key (Azure Key Vault key) in ${masterKeyPath}. The encrypted column encryption key may be corrupt, or the specified Azure Key Vault key path may be incorrect.`);\n    }\n\n    const cipherText = Buffer.alloc(cipherTextLength);\n    encryptedColumnEncryptionKey.copy(cipherText, 0, currentIndex, currentIndex + cipherTextLength);\n    currentIndex += cipherTextLength;\n\n    const signature = Buffer.alloc(signatureLength);\n    encryptedColumnEncryptionKey.copy(signature, 0, currentIndex, currentIndex + signatureLength);\n\n    const hash = Buffer.alloc(encryptedColumnEncryptionKey.length - signature.length);\n    encryptedColumnEncryptionKey.copy(hash, 0, 0, encryptedColumnEncryptionKey.length - signature.length);\n\n    const messageDigest = createHash('sha256');\n    messageDigest.update(hash);\n\n    const dataToVerify: Buffer = messageDigest.digest();\n\n    if (!dataToVerify) {\n      throw new Error('Hash should not be null while decrypting encrypted column encryption key.');\n    }\n\n    const verifyKey = await cryptoClient.verify('RS256', dataToVerify, signature);\n    if (!verifyKey.result) {\n      throw new Error(`The specified encrypted column encryption key signature does not match the signature computed with the column master key (Asymmetric key in Azure Key Vault) in ${masterKeyPath}. The encrypted column encryption key may be corrupt, or the specified path may be incorrect.`);\n    }\n\n    const decryptedCEK: Buffer = await this.azureKeyVaultUnWrap(cryptoClient, encryptionAlgorithm, cipherText);\n\n    return decryptedCEK;\n  }\n\n  async encryptColumnEncryptionKey(masterKeyPath: string, encryptionAlgorithm: string, columnEncryptionKey: Buffer): Promise<Buffer> {\n    if (!columnEncryptionKey) {\n      throw new Error('Column encryption key cannot be null.');\n    }\n\n    if (columnEncryptionKey.length === 0) {\n      throw new Error('Empty column encryption key specified.');\n    }\n\n    encryptionAlgorithm = this.validateEncryptionAlgorithm(encryptionAlgorithm);\n\n    const masterKey = await this.getMasterKey(masterKeyPath);\n\n    const keySizeInBytes = this.getAKVKeySize(masterKey);\n\n    const cryptoClient = this.createCryptoClient(masterKey);\n\n    const version = Buffer.from([this.firstVersion[0]]);\n\n    const masterKeyPathBytes: Buffer = Buffer.from(masterKeyPath.toLowerCase(), 'utf8');\n\n    const keyPathLength: Buffer = Buffer.alloc(2);\n\n    keyPathLength[0] = masterKeyPathBytes.length & 0xff;\n    keyPathLength[1] = masterKeyPathBytes.length >> 8 & 0xff;\n\n    const cipherText: Buffer = await this.azureKeyVaultWrap(cryptoClient, encryptionAlgorithm, columnEncryptionKey);\n\n    const cipherTextLength: Buffer = Buffer.alloc(2);\n\n    cipherTextLength[0] = cipherText.length & 0xff;\n    cipherTextLength[1] = cipherText.length >> 8 & 0xff;\n\n    if (cipherText.length !== keySizeInBytes) {\n      throw new Error('CipherText length does not match the RSA key size.');\n    }\n\n    const dataToHash: Buffer = Buffer.alloc(version.length + keyPathLength.length + cipherTextLength.length + masterKeyPathBytes.length + cipherText.length);\n    let destinationPosition: number = version.length;\n    version.copy(dataToHash, 0, 0, version.length);\n\n    keyPathLength.copy(dataToHash, destinationPosition, 0, keyPathLength.length);\n    destinationPosition += keyPathLength.length;\n\n    cipherTextLength.copy(dataToHash, destinationPosition, 0, cipherTextLength.length);\n    destinationPosition += cipherTextLength.length;\n\n    masterKeyPathBytes.copy(dataToHash, destinationPosition, 0, masterKeyPathBytes.length);\n    destinationPosition += masterKeyPathBytes.length;\n\n    cipherText.copy(dataToHash, destinationPosition, 0, cipherText.length);\n\n    const messageDigest = createHash('sha256');\n\n    messageDigest.update(dataToHash);\n\n    const dataToSign: Buffer = messageDigest.digest();\n\n    const signedHash: Buffer = await this.azureKeyVaultSignedHashedData(cryptoClient, dataToSign);\n    if (signedHash.length !== keySizeInBytes) {\n      throw new Error('Signed hash length does not match the RSA key size.');\n    }\n\n    const verifyKey = await cryptoClient.verify('RS256', dataToSign, signedHash);\n\n    if (!verifyKey.result) {\n      throw new Error('Invalid signature of the encrypted column encryption key computed.');\n    }\n\n    const encryptedColumnEncryptionKeyLength: number = version.length + cipherTextLength.length + keyPathLength.length + cipherText.length + masterKeyPathBytes.length + signedHash.length;\n    const encryptedColumnEncryptionKey: Buffer = Buffer.alloc(encryptedColumnEncryptionKeyLength);\n\n    let currentIndex = 0;\n    version.copy(encryptedColumnEncryptionKey, currentIndex, 0, version.length);\n    currentIndex += version.length;\n\n    keyPathLength.copy(encryptedColumnEncryptionKey, currentIndex, 0, keyPathLength.length);\n    currentIndex += keyPathLength.length;\n\n    cipherTextLength.copy(encryptedColumnEncryptionKey, currentIndex, 0, cipherTextLength.length);\n    currentIndex += cipherTextLength.length;\n\n    masterKeyPathBytes.copy(encryptedColumnEncryptionKey, currentIndex, 0, masterKeyPathBytes.length);\n    currentIndex += masterKeyPathBytes.length;\n\n    cipherText.copy(encryptedColumnEncryptionKey, currentIndex, 0, cipherText.length);\n    currentIndex += cipherText.length;\n\n    signedHash.copy(encryptedColumnEncryptionKey, currentIndex, 0, signedHash.length);\n\n    return encryptedColumnEncryptionKey;\n  }\n\n  private async getMasterKey(masterKeyPath: string): Promise<KeyVaultKey> {\n    if (!masterKeyPath) {\n      throw new Error('Master key path cannot be null or undefined');\n    }\n    const keyParts = this.parsePath(masterKeyPath);\n\n    this.createKeyClient(keyParts.vaultUrl);\n\n    return await (this.keyClient as KeyClient).getKey(keyParts.name, keyParts.version ? { version: keyParts.version } : {});\n  }\n\n  private createKeyClient(keyVaultUrl: string): void {\n    if (!keyVaultUrl) {\n      throw new Error('Cannot create key client with null or undefined keyVaultUrl');\n    }\n    if (!this.keyClient) {\n      this.url = keyVaultUrl;\n      this.keyClient = new KeyClient(keyVaultUrl, this.credentials);\n    }\n  }\n\n  private createCryptoClient(masterKey: KeyVaultKey): CryptographyClient {\n    if (!masterKey) {\n      throw new Error('Cannot create CryptographyClient with null or undefined masterKey');\n    }\n    return new CryptographyClient(masterKey, this.credentials);\n  }\n\n  private parsePath(masterKeyPath: string): ParsedKeyPath {\n    if (!masterKeyPath || masterKeyPath.trim() === '') {\n      throw new Error('Azure Key Vault key path cannot be null.');\n    }\n\n    let baseUri;\n    try {\n      baseUri = parse(masterKeyPath, true, true);\n    } catch {\n      throw new Error(`Invalid keys identifier: ${masterKeyPath}. Not a valid URI`);\n    }\n\n    if (!baseUri.hostname || !baseUri.hostname.toLowerCase().endsWith(this.azureKeyVaultDomainName)) {\n      throw new Error(`Invalid Azure Key Vault key path specified: ${masterKeyPath}.`);\n    }\n\n    // Path is of the form '/collection/name[/version]'\n    const segments = (baseUri.pathname || '').split('/');\n    if (segments.length !== 3 && segments.length !== 4) {\n      throw new Error(\n        `Invalid keys identifier: ${masterKeyPath}. Bad number of segments: ${segments.length}`\n      );\n    }\n\n    if ('keys' !== segments[1]) {\n      throw new Error(\n        `Invalid keys identifier: ${masterKeyPath}. segment [1] should be \"keys\", found \"${segments[1]}\"`\n      );\n    }\n\n    const vaultUrl = `${baseUri.protocol}//${baseUri.host}`;\n    const name = segments[2];\n    const version = segments.length === 4 ? segments[3] : undefined;\n    return {\n      vaultUrl,\n      name,\n      version\n    };\n  }\n\n  private async azureKeyVaultSignedHashedData(cryptoClient: CryptographyClient, dataToSign: Buffer): Promise<Buffer> {\n    if (!cryptoClient) {\n      throw new Error('Azure KVS Crypto Client is not defined.');\n    }\n\n    const signedData = await cryptoClient.sign('RS256', dataToSign);\n\n    return Buffer.from(signedData.result);\n  }\n\n  private async azureKeyVaultWrap(cryptoClient: CryptographyClient, encryptionAlgorithm: string, columnEncryptionKey: Buffer): Promise<Buffer> {\n    if (!cryptoClient) {\n      throw new Error('Azure KVS Crypto Client is not defined.');\n    }\n\n    if (!columnEncryptionKey) {\n      throw new Error('Column encryption key cannot be null.');\n    }\n\n    const wrappedKey = await cryptoClient.wrapKey(encryptionAlgorithm as KeyWrapAlgorithm, columnEncryptionKey);\n\n    return Buffer.from(wrappedKey.result);\n  }\n\n  private async azureKeyVaultUnWrap(cryptoClient: CryptographyClient, encryptionAlgorithm: string, encryptedColumnEncryptionKey: Buffer): Promise<Buffer> {\n    if (!cryptoClient) {\n      throw new Error('Azure KVS Crypto Client is not defined.');\n    }\n\n    if (!encryptionAlgorithm) {\n      throw new Error('Encryption Algorithm cannot be null or undefined');\n    }\n\n    if (!encryptedColumnEncryptionKey) {\n      throw new Error('Encrypted column encryption key cannot be null.');\n    }\n\n    if (encryptedColumnEncryptionKey.length === 0) {\n      throw new Error('Encrypted Column Encryption Key length should not be zero.');\n    }\n\n    const unwrappedKey = await cryptoClient.unwrapKey(encryptionAlgorithm as KeyWrapAlgorithm, encryptedColumnEncryptionKey);\n\n    return Buffer.from(unwrappedKey.result);\n  }\n\n  private getAKVKeySize(retrievedKey: KeyVaultKey): number {\n    if (!retrievedKey) {\n      throw new Error('Retrieved key cannot be null or undefined');\n    }\n    const key = retrievedKey.key;\n\n    if (!key) {\n      throw new Error(`Key does not exist ${retrievedKey.name}`);\n    }\n\n    const kty: string | undefined = key && key.kty && key.kty.toString().toUpperCase();\n\n    if (!kty || 'RSA'.localeCompare(kty, 'en') !== 0) {\n      throw new Error(`Cannot use a non-RSA key: ${kty}.`);\n    }\n\n    const keyLength = key && key.n && key.n.length;\n\n    return keyLength || 0;\n  }\n\n  private validateEncryptionAlgorithm(encryptionAlgorithm: string): string {\n    if (!encryptionAlgorithm) {\n      throw new Error('Key encryption algorithm cannot be null.');\n    }\n\n    if ('RSA_OAEP'.localeCompare(encryptionAlgorithm.toUpperCase(), 'en') === 0) {\n      encryptionAlgorithm = 'RSA-OAEP';\n    }\n\n    if (this.rsaEncryptionAlgorithmWithOAEPForAKV.localeCompare(encryptionAlgorithm.trim().toUpperCase(), 'en') !== 0) {\n      throw new Error(`Invalid key encryption algorithm specified: ${encryptionAlgorithm}. Expected value: ${this.rsaEncryptionAlgorithmWithOAEPForAKV}.`);\n    }\n\n    return encryptionAlgorithm;\n  }\n}\n"],"mappings":";;;;;;AAGA,IAAAA,SAAA,GAAAC,OAAA;AACA,IAAAC,aAAA,GAAAD,OAAA;AACA,IAAAE,OAAA,GAAAF,OAAA;AACA,IAAAG,IAAA,GAAAH,OAAA;AANA;AACA;;AAaO,MAAMI,qCAAqC,CAAC;EASjDC,WAAWA,CAACC,QAAgB,EAAEC,SAAiB,EAAEC,QAAgB,EAAE;IACjE,IAAI,CAACC,IAAI,GAAG,iBAAiB;IAC7B,IAAI,CAACC,uBAAuB,GAAG,iBAAiB;IAChD,IAAI,CAACC,oCAAoC,GAAG,UAAU;IACtD,IAAI,CAACC,YAAY,GAAGC,MAAM,CAACC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,CAACC,WAAW,GAAG,IAAIC,gCAAsB,CAACR,QAAQ,EAAEF,QAAQ,EAAEC,SAAS,CAAC;EAC9E;EAEA,MAAMU,0BAA0BA,CAACC,aAAqB,EAAEC,mBAA2B,EAAEC,4BAAoC,EAAmB;IAC1I,IAAI,CAACA,4BAA4B,EAAE;MACjC,MAAM,IAAIC,KAAK,CAAC,iEAAiE,CAAC;IACpF;IAEA,IAAID,4BAA4B,CAACE,MAAM,KAAK,CAAC,EAAE;MAC7C,MAAM,IAAID,KAAK,CAAC,kEAAkE,CAAC;IACrF;IAEAF,mBAAmB,GAAG,IAAI,CAACI,2BAA2B,CAACJ,mBAAmB,CAAC;IAE3E,MAAMK,SAAS,GAAG,MAAM,IAAI,CAACC,YAAY,CAACP,aAAa,CAAC;IAExD,MAAMQ,cAAc,GAAG,IAAI,CAACC,aAAa,CAACH,SAAS,CAAC;IAEpD,MAAMI,YAAY,GAAG,IAAI,CAACC,kBAAkB,CAACL,SAAS,CAAC;IAEvD,IAAIJ,4BAA4B,CAAC,CAAC,CAAC,KAAK,IAAI,CAACR,YAAY,CAAC,CAAC,CAAC,EAAE;MAC5D,MAAM,IAAIS,KAAK,CAAC,8FAA8FR,MAAM,CAACC,IAAI,CAAC,CAACM,4BAA4B,CAAC,CAAC,CAAC,CAAC,CAAC,CAACU,QAAQ,CAAC,KAAK,CAAC,yBAAyBjB,MAAM,CAACC,IAAI,CAAC,CAAC,IAAI,CAACF,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAACkB,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC;IAC9P;IAEA,IAAIC,YAAY,GAAG,IAAI,CAACnB,YAAY,CAACU,MAAM;IAC3C,MAAMU,aAAqB,GAAGZ,4BAA4B,CAACa,WAAW,CAACF,YAAY,CAAC;IAEpFA,YAAY,IAAI,CAAC;IAEjB,MAAMG,gBAAwB,GAAGd,4BAA4B,CAACa,WAAW,CAACF,YAAY,CAAC;IAEvFA,YAAY,IAAI,CAAC;IAEjBA,YAAY,IAAIC,aAAa;IAE7B,IAAIE,gBAAgB,KAAKR,cAAc,EAAE;MACvC,MAAM,IAAIL,KAAK,CAAC,sEAAsEa,gBAAgB,0CAA0CR,cAAc,0DAA0DR,aAAa,mHAAmH,CAAC;IAC3V;IAEA,MAAMiB,eAAuB,GAAGf,4BAA4B,CAACE,MAAM,GAAGS,YAAY,GAAGG,gBAAgB;IAErG,IAAIC,eAAe,KAAKT,cAAc,EAAE;MACtC,MAAM,IAAIL,KAAK,CAAC,qEAAqEc,eAAe,yCAAyCT,cAAc,0DAA0DR,aAAa,mHAAmH,CAAC;IACxV;IAEA,MAAMkB,UAAU,GAAGvB,MAAM,CAACwB,KAAK,CAACH,gBAAgB,CAAC;IACjDd,4BAA4B,CAACkB,IAAI,CAACF,UAAU,EAAE,CAAC,EAAEL,YAAY,EAAEA,YAAY,GAAGG,gBAAgB,CAAC;IAC/FH,YAAY,IAAIG,gBAAgB;IAEhC,MAAMK,SAAS,GAAG1B,MAAM,CAACwB,KAAK,CAACF,eAAe,CAAC;IAC/Cf,4BAA4B,CAACkB,IAAI,CAACC,SAAS,EAAE,CAAC,EAAER,YAAY,EAAEA,YAAY,GAAGI,eAAe,CAAC;IAE7F,MAAMK,IAAI,GAAG3B,MAAM,CAACwB,KAAK,CAACjB,4BAA4B,CAACE,MAAM,GAAGiB,SAAS,CAACjB,MAAM,CAAC;IACjFF,4BAA4B,CAACkB,IAAI,CAACE,IAAI,EAAE,CAAC,EAAE,CAAC,EAAEpB,4BAA4B,CAACE,MAAM,GAAGiB,SAAS,CAACjB,MAAM,CAAC;IAErG,MAAMmB,aAAa,GAAG,IAAAC,kBAAU,EAAC,QAAQ,CAAC;IAC1CD,aAAa,CAACE,MAAM,CAACH,IAAI,CAAC;IAE1B,MAAMI,YAAoB,GAAGH,aAAa,CAACI,MAAM,CAAC,CAAC;IAEnD,IAAI,CAACD,YAAY,EAAE;MACjB,MAAM,IAAIvB,KAAK,CAAC,2EAA2E,CAAC;IAC9F;IAEA,MAAMyB,SAAS,GAAG,MAAMlB,YAAY,CAACmB,MAAM,CAAC,OAAO,EAAEH,YAAY,EAAEL,SAAS,CAAC;IAC7E,IAAI,CAACO,SAAS,CAACE,MAAM,EAAE;MACrB,MAAM,IAAI3B,KAAK,CAAC,mKAAmKH,aAAa,+FAA+F,CAAC;IAClS;IAEA,MAAM+B,YAAoB,GAAG,MAAM,IAAI,CAACC,mBAAmB,CAACtB,YAAY,EAAET,mBAAmB,EAAEiB,UAAU,CAAC;IAE1G,OAAOa,YAAY;EACrB;EAEA,MAAME,0BAA0BA,CAACjC,aAAqB,EAAEC,mBAA2B,EAAEiC,mBAA2B,EAAmB;IACjI,IAAI,CAACA,mBAAmB,EAAE;MACxB,MAAM,IAAI/B,KAAK,CAAC,uCAAuC,CAAC;IAC1D;IAEA,IAAI+B,mBAAmB,CAAC9B,MAAM,KAAK,CAAC,EAAE;MACpC,MAAM,IAAID,KAAK,CAAC,wCAAwC,CAAC;IAC3D;IAEAF,mBAAmB,GAAG,IAAI,CAACI,2BAA2B,CAACJ,mBAAmB,CAAC;IAE3E,MAAMK,SAAS,GAAG,MAAM,IAAI,CAACC,YAAY,CAACP,aAAa,CAAC;IAExD,MAAMQ,cAAc,GAAG,IAAI,CAACC,aAAa,CAACH,SAAS,CAAC;IAEpD,MAAMI,YAAY,GAAG,IAAI,CAACC,kBAAkB,CAACL,SAAS,CAAC;IAEvD,MAAM6B,OAAO,GAAGxC,MAAM,CAACC,IAAI,CAAC,CAAC,IAAI,CAACF,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnD,MAAM0C,kBAA0B,GAAGzC,MAAM,CAACC,IAAI,CAACI,aAAa,CAACqC,WAAW,CAAC,CAAC,EAAE,MAAM,CAAC;IAEnF,MAAMvB,aAAqB,GAAGnB,MAAM,CAACwB,KAAK,CAAC,CAAC,CAAC;IAE7CL,aAAa,CAAC,CAAC,CAAC,GAAGsB,kBAAkB,CAAChC,MAAM,GAAG,IAAI;IACnDU,aAAa,CAAC,CAAC,CAAC,GAAGsB,kBAAkB,CAAChC,MAAM,IAAI,CAAC,GAAG,IAAI;IAExD,MAAMc,UAAkB,GAAG,MAAM,IAAI,CAACoB,iBAAiB,CAAC5B,YAAY,EAAET,mBAAmB,EAAEiC,mBAAmB,CAAC;IAE/G,MAAMlB,gBAAwB,GAAGrB,MAAM,CAACwB,KAAK,CAAC,CAAC,CAAC;IAEhDH,gBAAgB,CAAC,CAAC,CAAC,GAAGE,UAAU,CAACd,MAAM,GAAG,IAAI;IAC9CY,gBAAgB,CAAC,CAAC,CAAC,GAAGE,UAAU,CAACd,MAAM,IAAI,CAAC,GAAG,IAAI;IAEnD,IAAIc,UAAU,CAACd,MAAM,KAAKI,cAAc,EAAE;MACxC,MAAM,IAAIL,KAAK,CAAC,oDAAoD,CAAC;IACvE;IAEA,MAAMoC,UAAkB,GAAG5C,MAAM,CAACwB,KAAK,CAACgB,OAAO,CAAC/B,MAAM,GAAGU,aAAa,CAACV,MAAM,GAAGY,gBAAgB,CAACZ,MAAM,GAAGgC,kBAAkB,CAAChC,MAAM,GAAGc,UAAU,CAACd,MAAM,CAAC;IACxJ,IAAIoC,mBAA2B,GAAGL,OAAO,CAAC/B,MAAM;IAChD+B,OAAO,CAACf,IAAI,CAACmB,UAAU,EAAE,CAAC,EAAE,CAAC,EAAEJ,OAAO,CAAC/B,MAAM,CAAC;IAE9CU,aAAa,CAACM,IAAI,CAACmB,UAAU,EAAEC,mBAAmB,EAAE,CAAC,EAAE1B,aAAa,CAACV,MAAM,CAAC;IAC5EoC,mBAAmB,IAAI1B,aAAa,CAACV,MAAM;IAE3CY,gBAAgB,CAACI,IAAI,CAACmB,UAAU,EAAEC,mBAAmB,EAAE,CAAC,EAAExB,gBAAgB,CAACZ,MAAM,CAAC;IAClFoC,mBAAmB,IAAIxB,gBAAgB,CAACZ,MAAM;IAE9CgC,kBAAkB,CAAChB,IAAI,CAACmB,UAAU,EAAEC,mBAAmB,EAAE,CAAC,EAAEJ,kBAAkB,CAAChC,MAAM,CAAC;IACtFoC,mBAAmB,IAAIJ,kBAAkB,CAAChC,MAAM;IAEhDc,UAAU,CAACE,IAAI,CAACmB,UAAU,EAAEC,mBAAmB,EAAE,CAAC,EAAEtB,UAAU,CAACd,MAAM,CAAC;IAEtE,MAAMmB,aAAa,GAAG,IAAAC,kBAAU,EAAC,QAAQ,CAAC;IAE1CD,aAAa,CAACE,MAAM,CAACc,UAAU,CAAC;IAEhC,MAAME,UAAkB,GAAGlB,aAAa,CAACI,MAAM,CAAC,CAAC;IAEjD,MAAMe,UAAkB,GAAG,MAAM,IAAI,CAACC,6BAA6B,CAACjC,YAAY,EAAE+B,UAAU,CAAC;IAC7F,IAAIC,UAAU,CAACtC,MAAM,KAAKI,cAAc,EAAE;MACxC,MAAM,IAAIL,KAAK,CAAC,qDAAqD,CAAC;IACxE;IAEA,MAAMyB,SAAS,GAAG,MAAMlB,YAAY,CAACmB,MAAM,CAAC,OAAO,EAAEY,UAAU,EAAEC,UAAU,CAAC;IAE5E,IAAI,CAACd,SAAS,CAACE,MAAM,EAAE;MACrB,MAAM,IAAI3B,KAAK,CAAC,oEAAoE,CAAC;IACvF;IAEA,MAAMyC,kCAA0C,GAAGT,OAAO,CAAC/B,MAAM,GAAGY,gBAAgB,CAACZ,MAAM,GAAGU,aAAa,CAACV,MAAM,GAAGc,UAAU,CAACd,MAAM,GAAGgC,kBAAkB,CAAChC,MAAM,GAAGsC,UAAU,CAACtC,MAAM;IACtL,MAAMF,4BAAoC,GAAGP,MAAM,CAACwB,KAAK,CAACyB,kCAAkC,CAAC;IAE7F,IAAI/B,YAAY,GAAG,CAAC;IACpBsB,OAAO,CAACf,IAAI,CAAClB,4BAA4B,EAAEW,YAAY,EAAE,CAAC,EAAEsB,OAAO,CAAC/B,MAAM,CAAC;IAC3ES,YAAY,IAAIsB,OAAO,CAAC/B,MAAM;IAE9BU,aAAa,CAACM,IAAI,CAAClB,4BAA4B,EAAEW,YAAY,EAAE,CAAC,EAAEC,aAAa,CAACV,MAAM,CAAC;IACvFS,YAAY,IAAIC,aAAa,CAACV,MAAM;IAEpCY,gBAAgB,CAACI,IAAI,CAAClB,4BAA4B,EAAEW,YAAY,EAAE,CAAC,EAAEG,gBAAgB,CAACZ,MAAM,CAAC;IAC7FS,YAAY,IAAIG,gBAAgB,CAACZ,MAAM;IAEvCgC,kBAAkB,CAAChB,IAAI,CAAClB,4BAA4B,EAAEW,YAAY,EAAE,CAAC,EAAEuB,kBAAkB,CAAChC,MAAM,CAAC;IACjGS,YAAY,IAAIuB,kBAAkB,CAAChC,MAAM;IAEzCc,UAAU,CAACE,IAAI,CAAClB,4BAA4B,EAAEW,YAAY,EAAE,CAAC,EAAEK,UAAU,CAACd,MAAM,CAAC;IACjFS,YAAY,IAAIK,UAAU,CAACd,MAAM;IAEjCsC,UAAU,CAACtB,IAAI,CAAClB,4BAA4B,EAAEW,YAAY,EAAE,CAAC,EAAE6B,UAAU,CAACtC,MAAM,CAAC;IAEjF,OAAOF,4BAA4B;EACrC;EAEA,MAAcK,YAAYA,CAACP,aAAqB,EAAwB;IACtE,IAAI,CAACA,aAAa,EAAE;MAClB,MAAM,IAAIG,KAAK,CAAC,6CAA6C,CAAC;IAChE;IACA,MAAM0C,QAAQ,GAAG,IAAI,CAACC,SAAS,CAAC9C,aAAa,CAAC;IAE9C,IAAI,CAAC+C,eAAe,CAACF,QAAQ,CAACG,QAAQ,CAAC;IAEvC,OAAO,MAAO,IAAI,CAACC,SAAS,CAAeC,MAAM,CAACL,QAAQ,CAACtD,IAAI,EAAEsD,QAAQ,CAACV,OAAO,GAAG;MAAEA,OAAO,EAAEU,QAAQ,CAACV;IAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;EACzH;EAEQY,eAAeA,CAACI,WAAmB,EAAQ;IACjD,IAAI,CAACA,WAAW,EAAE;MAChB,MAAM,IAAIhD,KAAK,CAAC,6DAA6D,CAAC;IAChF;IACA,IAAI,CAAC,IAAI,CAAC8C,SAAS,EAAE;MACnB,IAAI,CAACG,GAAG,GAAGD,WAAW;MACtB,IAAI,CAACF,SAAS,GAAG,IAAII,uBAAS,CAACF,WAAW,EAAE,IAAI,CAACtD,WAAW,CAAC;IAC/D;EACF;EAEQc,kBAAkBA,CAACL,SAAsB,EAAsB;IACrE,IAAI,CAACA,SAAS,EAAE;MACd,MAAM,IAAIH,KAAK,CAAC,mEAAmE,CAAC;IACtF;IACA,OAAO,IAAImD,gCAAkB,CAAChD,SAAS,EAAE,IAAI,CAACT,WAAW,CAAC;EAC5D;EAEQiD,SAASA,CAAC9C,aAAqB,EAAiB;IACtD,IAAI,CAACA,aAAa,IAAIA,aAAa,CAACuD,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;MACjD,MAAM,IAAIpD,KAAK,CAAC,0CAA0C,CAAC;IAC7D;IAEA,IAAIqD,OAAO;IACX,IAAI;MACFA,OAAO,GAAG,IAAAC,UAAK,EAACzD,aAAa,EAAE,IAAI,EAAE,IAAI,CAAC;IAC5C,CAAC,CAAC,MAAM;MACN,MAAM,IAAIG,KAAK,CAAC,4BAA4BH,aAAa,mBAAmB,CAAC;IAC/E;IAEA,IAAI,CAACwD,OAAO,CAACE,QAAQ,IAAI,CAACF,OAAO,CAACE,QAAQ,CAACrB,WAAW,CAAC,CAAC,CAACsB,QAAQ,CAAC,IAAI,CAACnE,uBAAuB,CAAC,EAAE;MAC/F,MAAM,IAAIW,KAAK,CAAC,+CAA+CH,aAAa,GAAG,CAAC;IAClF;;IAEA;IACA,MAAM4D,QAAQ,GAAG,CAACJ,OAAO,CAACK,QAAQ,IAAI,EAAE,EAAEC,KAAK,CAAC,GAAG,CAAC;IACpD,IAAIF,QAAQ,CAACxD,MAAM,KAAK,CAAC,IAAIwD,QAAQ,CAACxD,MAAM,KAAK,CAAC,EAAE;MAClD,MAAM,IAAID,KAAK,CACb,4BAA4BH,aAAa,6BAA6B4D,QAAQ,CAACxD,MAAM,EACvF,CAAC;IACH;IAEA,IAAI,MAAM,KAAKwD,QAAQ,CAAC,CAAC,CAAC,EAAE;MAC1B,MAAM,IAAIzD,KAAK,CACb,4BAA4BH,aAAa,0CAA0C4D,QAAQ,CAAC,CAAC,CAAC,GAChG,CAAC;IACH;IAEA,MAAMZ,QAAQ,GAAG,GAAGQ,OAAO,CAACO,QAAQ,KAAKP,OAAO,CAACQ,IAAI,EAAE;IACvD,MAAMzE,IAAI,GAAGqE,QAAQ,CAAC,CAAC,CAAC;IACxB,MAAMzB,OAAO,GAAGyB,QAAQ,CAACxD,MAAM,KAAK,CAAC,GAAGwD,QAAQ,CAAC,CAAC,CAAC,GAAGK,SAAS;IAC/D,OAAO;MACLjB,QAAQ;MACRzD,IAAI;MACJ4C;IACF,CAAC;EACH;EAEA,MAAcQ,6BAA6BA,CAACjC,YAAgC,EAAE+B,UAAkB,EAAmB;IACjH,IAAI,CAAC/B,YAAY,EAAE;MACjB,MAAM,IAAIP,KAAK,CAAC,yCAAyC,CAAC;IAC5D;IAEA,MAAM+D,UAAU,GAAG,MAAMxD,YAAY,CAACyD,IAAI,CAAC,OAAO,EAAE1B,UAAU,CAAC;IAE/D,OAAO9C,MAAM,CAACC,IAAI,CAACsE,UAAU,CAACpC,MAAM,CAAC;EACvC;EAEA,MAAcQ,iBAAiBA,CAAC5B,YAAgC,EAAET,mBAA2B,EAAEiC,mBAA2B,EAAmB;IAC3I,IAAI,CAACxB,YAAY,EAAE;MACjB,MAAM,IAAIP,KAAK,CAAC,yCAAyC,CAAC;IAC5D;IAEA,IAAI,CAAC+B,mBAAmB,EAAE;MACxB,MAAM,IAAI/B,KAAK,CAAC,uCAAuC,CAAC;IAC1D;IAEA,MAAMiE,UAAU,GAAG,MAAM1D,YAAY,CAAC2D,OAAO,CAACpE,mBAAmB,EAAsBiC,mBAAmB,CAAC;IAE3G,OAAOvC,MAAM,CAACC,IAAI,CAACwE,UAAU,CAACtC,MAAM,CAAC;EACvC;EAEA,MAAcE,mBAAmBA,CAACtB,YAAgC,EAAET,mBAA2B,EAAEC,4BAAoC,EAAmB;IACtJ,IAAI,CAACQ,YAAY,EAAE;MACjB,MAAM,IAAIP,KAAK,CAAC,yCAAyC,CAAC;IAC5D;IAEA,IAAI,CAACF,mBAAmB,EAAE;MACxB,MAAM,IAAIE,KAAK,CAAC,kDAAkD,CAAC;IACrE;IAEA,IAAI,CAACD,4BAA4B,EAAE;MACjC,MAAM,IAAIC,KAAK,CAAC,iDAAiD,CAAC;IACpE;IAEA,IAAID,4BAA4B,CAACE,MAAM,KAAK,CAAC,EAAE;MAC7C,MAAM,IAAID,KAAK,CAAC,4DAA4D,CAAC;IAC/E;IAEA,MAAMmE,YAAY,GAAG,MAAM5D,YAAY,CAAC6D,SAAS,CAACtE,mBAAmB,EAAsBC,4BAA4B,CAAC;IAExH,OAAOP,MAAM,CAACC,IAAI,CAAC0E,YAAY,CAACxC,MAAM,CAAC;EACzC;EAEQrB,aAAaA,CAAC+D,YAAyB,EAAU;IACvD,IAAI,CAACA,YAAY,EAAE;MACjB,MAAM,IAAIrE,KAAK,CAAC,2CAA2C,CAAC;IAC9D;IACA,MAAMsE,GAAG,GAAGD,YAAY,CAACC,GAAG;IAE5B,IAAI,CAACA,GAAG,EAAE;MACR,MAAM,IAAItE,KAAK,CAAC,sBAAsBqE,YAAY,CAACjF,IAAI,EAAE,CAAC;IAC5D;IAEA,MAAMmF,GAAuB,GAAGD,GAAG,IAAIA,GAAG,CAACC,GAAG,IAAID,GAAG,CAACC,GAAG,CAAC9D,QAAQ,CAAC,CAAC,CAAC+D,WAAW,CAAC,CAAC;IAElF,IAAI,CAACD,GAAG,IAAI,KAAK,CAACE,aAAa,CAACF,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,EAAE;MAChD,MAAM,IAAIvE,KAAK,CAAC,6BAA6BuE,GAAG,GAAG,CAAC;IACtD;IAEA,MAAMG,SAAS,GAAGJ,GAAG,IAAIA,GAAG,CAACK,CAAC,IAAIL,GAAG,CAACK,CAAC,CAAC1E,MAAM;IAE9C,OAAOyE,SAAS,IAAI,CAAC;EACvB;EAEQxE,2BAA2BA,CAACJ,mBAA2B,EAAU;IACvE,IAAI,CAACA,mBAAmB,EAAE;MACxB,MAAM,IAAIE,KAAK,CAAC,0CAA0C,CAAC;IAC7D;IAEA,IAAI,UAAU,CAACyE,aAAa,CAAC3E,mBAAmB,CAAC0E,WAAW,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,EAAE;MAC3E1E,mBAAmB,GAAG,UAAU;IAClC;IAEA,IAAI,IAAI,CAACR,oCAAoC,CAACmF,aAAa,CAAC3E,mBAAmB,CAACsD,IAAI,CAAC,CAAC,CAACoB,WAAW,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,EAAE;MACjH,MAAM,IAAIxE,KAAK,CAAC,+CAA+CF,mBAAmB,qBAAqB,IAAI,CAACR,oCAAoC,GAAG,CAAC;IACtJ;IAEA,OAAOQ,mBAAmB;EAC5B;AACF;AAAC8E,OAAA,CAAA7F,qCAAA,GAAAA,qCAAA","ignoreList":[]}

package/lib/always-encrypted/symmetric-key-cache.js

@@ -0,0 +1,36 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.getKey = void 0;
+var _symmetricKey = _interopRequireDefault(require("./symmetric-key"));
+var _lruCache = _interopRequireDefault(require("lru-cache"));
+function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
+// This code is based on the `mssql-jdbc` library published under the conditions of MIT license.
+// Copyright (c) 2019 Microsoft Corporation
+
+const cache = new _lruCache.default(0);
+const getKey = async (keyInfo, options) => {
+  if (!options.trustedServerNameAE) {
+    throw new Error('Server name should not be null in getKey');
+  }
+  const serverName = options.trustedServerNameAE;
+  const keyLookupValue = `${serverName}:${Buffer.from(keyInfo.encryptedKey).toString('base64')}:${keyInfo.keyStoreName}`;
+  if (cache.has(keyLookupValue)) {
+    return cache.get(keyLookupValue);
+  } else {
+    const provider = options.encryptionKeyStoreProviders && options.encryptionKeyStoreProviders[keyInfo.keyStoreName];
+    if (!provider) {
+      throw new Error(`Failed to decrypt a column encryption key. Invalid key store provider name: ${keyInfo.keyStoreName}. A key store provider name must denote either a system key store provider or a registered custom key store provider. Valid (currently registered) custom key store provider names are: ${options.encryptionKeyStoreProviders}. Please verify key store provider information in column master key definitions in the database, and verify all custom key store providers used in your application are registered properly.`);
+    }
+    const plaintextKey = await provider.decryptColumnEncryptionKey(keyInfo.keyPath, keyInfo.algorithmName, keyInfo.encryptedKey);
+    const encryptionKey = new _symmetricKey.default(plaintextKey);
+    if (options.columnEncryptionKeyCacheTTL > 0) {
+      cache.set(keyLookupValue, encryptionKey, options.columnEncryptionKeyCacheTTL);
+    }
+    return encryptionKey;
+  }
+};
+exports.getKey = getKey;
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJuYW1lcyI6WyJfc3ltbWV0cmljS2V5IiwiX2ludGVyb3BSZXF1aXJlRGVmYXVsdCIsInJlcXVpcmUiLCJfbHJ1Q2FjaGUiLCJlIiwiX19lc01vZHVsZSIsImRlZmF1bHQiLCJjYWNoZSIsIkxSVSIsImdldEtleSIsImtleUluZm8iLCJvcHRpb25zIiwidHJ1c3RlZFNlcnZlck5hbWVBRSIsIkVycm9yIiwic2VydmVyTmFtZSIsImtleUxvb2t1cFZhbHVlIiwiQnVmZmVyIiwiZnJvbSIsImVuY3J5cHRlZEtleSIsInRvU3RyaW5nIiwia2V5U3RvcmVOYW1lIiwiaGFzIiwiZ2V0IiwicHJvdmlkZXIiLCJlbmNyeXB0aW9uS2V5U3RvcmVQcm92aWRlcnMiLCJwbGFpbnRleHRLZXkiLCJkZWNyeXB0Q29sdW1uRW5jcnlwdGlvbktleSIsImtleVBhdGgiLCJhbGdvcml0aG1OYW1lIiwiZW5jcnlwdGlvbktleSIsIlN5bW1ldHJpY0tleSIsImNvbHVtbkVuY3J5cHRpb25LZXlDYWNoZVRUTCIsInNldCIsImV4cG9ydHMiXSwic291cmNlcyI6WyIuLi8uLi9zcmMvYWx3YXlzLWVuY3J5cHRlZC9zeW1tZXRyaWMta2V5LWNhY2hlLnRzIl0sInNvdXJjZXNDb250ZW50IjpbIi8vIFRoaXMgY29kZSBpcyBiYXNlZCBvbiB0aGUgYG1zc3FsLWpkYmNgIGxpYnJhcnkgcHVibGlzaGVkIHVuZGVyIHRoZSBjb25kaXRpb25zIG9mIE1JVCBsaWNlbnNlLlxuLy8gQ29weXJpZ2h0IChjKSAyMDE5IE1pY3Jvc29mdCBDb3Jwb3JhdGlvblxuXG5pbXBvcnQgeyB0eXBlIEVuY3J5cHRpb25LZXlJbmZvIH0gZnJvbSAnLi90eXBlcyc7XG5pbXBvcnQgU3ltbWV0cmljS2V5IGZyb20gJy4vc3ltbWV0cmljLWtleSc7XG5pbXBvcnQgeyB0eXBlIEludGVybmFsQ29ubmVjdGlvbk9wdGlvbnMgYXMgQ29ubmVjdGlvbk9wdGlvbnMgfSBmcm9tICcuLi9jb25uZWN0aW9uJztcbmltcG9ydCBMUlUgZnJvbSAnbHJ1LWNhY2hlJztcblxuY29uc3QgY2FjaGUgPSBuZXcgTFJVPHN0cmluZywgU3ltbWV0cmljS2V5PigwKTtcblxuZXhwb3J0IGNvbnN0IGdldEtleSA9IGFzeW5jIChrZXlJbmZvOiBFbmNyeXB0aW9uS2V5SW5mbywgb3B0aW9uczogQ29ubmVjdGlvbk9wdGlvbnMpOiBQcm9taXNlPFN5bW1ldHJpY0tleT4gPT4ge1xuICBpZiAoIW9wdGlvbnMudHJ1c3RlZFNlcnZlck5hbWVBRSkge1xuICAgIHRocm93IG5ldyBFcnJvcignU2VydmVyIG5hbWUgc2hvdWxkIG5vdCBiZSBudWxsIGluIGdldEtleScpO1xuICB9XG5cbiAgY29uc3Qgc2VydmVyTmFtZTogc3RyaW5nID0gb3B0aW9ucy50cnVzdGVkU2VydmVyTmFtZUFFO1xuXG4gIGNvbnN0IGtleUxvb2t1cFZhbHVlID0gYCR7c2VydmVyTmFtZX06JHtCdWZmZXIuZnJvbShrZXlJbmZvLmVuY3J5cHRlZEtleSkudG9TdHJpbmcoJ2Jhc2U2NCcpfToke2tleUluZm8ua2V5U3RvcmVOYW1lfWA7XG5cbiAgaWYgKGNhY2hlLmhhcyhrZXlMb29rdXBWYWx1ZSkpIHtcbiAgICByZXR1cm4gY2FjaGUuZ2V0KGtleUxvb2t1cFZhbHVlKSBhcyBTeW1tZXRyaWNLZXk7XG4gIH0gZWxzZSB7XG4gICAgY29uc3QgcHJvdmlkZXIgPSBvcHRpb25zLmVuY3J5cHRpb25LZXlTdG9yZVByb3ZpZGVycyAmJiBvcHRpb25zLmVuY3J5cHRpb25LZXlTdG9yZVByb3ZpZGVyc1trZXlJbmZvLmtleVN0b3JlTmFtZV07XG4gICAgaWYgKCFwcm92aWRlcikge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKGBGYWlsZWQgdG8gZGVjcnlwdCBhIGNvbHVtbiBlbmNyeXB0aW9uIGtleS4gSW52YWxpZCBrZXkgc3RvcmUgcHJvdmlkZXIgbmFtZTogJHtrZXlJbmZvLmtleVN0b3JlTmFtZX0uIEEga2V5IHN0b3JlIHByb3ZpZGVyIG5hbWUgbXVzdCBkZW5vdGUgZWl0aGVyIGEgc3lzdGVtIGtleSBzdG9yZSBwcm92aWRlciBvciBhIHJlZ2lzdGVyZWQgY3VzdG9tIGtleSBzdG9yZSBwcm92aWRlci4gVmFsaWQgKGN1cnJlbnRseSByZWdpc3RlcmVkKSBjdXN0b20ga2V5IHN0b3JlIHByb3ZpZGVyIG5hbWVzIGFyZTogJHtvcHRpb25zLmVuY3J5cHRpb25LZXlTdG9yZVByb3ZpZGVyc30uIFBsZWFzZSB2ZXJpZnkga2V5IHN0b3JlIHByb3ZpZGVyIGluZm9ybWF0aW9uIGluIGNvbHVtbiBtYXN0ZXIga2V5IGRlZmluaXRpb25zIGluIHRoZSBkYXRhYmFzZSwgYW5kIHZlcmlmeSBhbGwgY3VzdG9tIGtleSBzdG9yZSBwcm92aWRlcnMgdXNlZCBpbiB5b3VyIGFwcGxpY2F0aW9uIGFyZSByZWdpc3RlcmVkIHByb3Blcmx5LmApO1xuICAgIH1cblxuICAgIGNvbnN0IHBsYWludGV4dEtleTogQnVmZmVyID0gYXdhaXQgcHJvdmlkZXIuZGVjcnlwdENvbHVtbkVuY3J5cHRpb25LZXkoa2V5SW5mby5rZXlQYXRoLCBrZXlJbmZvLmFsZ29yaXRobU5hbWUsIGtleUluZm8uZW5jcnlwdGVkS2V5KTtcblxuICAgIGNvbnN0IGVuY3J5cHRpb25LZXkgPSBuZXcgU3ltbWV0cmljS2V5KHBsYWludGV4dEtleSk7XG5cbiAgICBpZiAob3B0aW9ucy5jb2x1bW5FbmNyeXB0aW9uS2V5Q2FjaGVUVEwgPiAwKSB7XG4gICAgICBjYWNoZS5zZXQoa2V5TG9va3VwVmFsdWUsIGVuY3J5cHRpb25LZXksIG9wdGlvbnMuY29sdW1uRW5jcnlwdGlvbktleUNhY2hlVFRMKTtcbiAgICB9XG5cbiAgICByZXR1cm4gZW5jcnlwdGlvbktleTtcbiAgfVxufTtcbiJdLCJtYXBwaW5ncyI6Ijs7Ozs7O0FBSUEsSUFBQUEsYUFBQSxHQUFBQyxzQkFBQSxDQUFBQyxPQUFBO0FBRUEsSUFBQUMsU0FBQSxHQUFBRixzQkFBQSxDQUFBQyxPQUFBO0FBQTRCLFNBQUFELHVCQUFBRyxDQUFBLFdBQUFBLENBQUEsSUFBQUEsQ0FBQSxDQUFBQyxVQUFBLEdBQUFELENBQUEsS0FBQUUsT0FBQSxFQUFBRixDQUFBO0FBTjVCO0FBQ0E7O0FBT0EsTUFBTUcsS0FBSyxHQUFHLElBQUlDLGlCQUFHLENBQXVCLENBQUMsQ0FBQztBQUV2QyxNQUFNQyxNQUFNLEdBQUcsTUFBQUEsQ0FBT0MsT0FBMEIsRUFBRUMsT0FBMEIsS0FBNEI7RUFDN0csSUFBSSxDQUFDQSxPQUFPLENBQUNDLG1CQUFtQixFQUFFO0lBQ2hDLE1BQU0sSUFBSUMsS0FBSyxDQUFDLDBDQUEwQyxDQUFDO0VBQzdEO0VBRUEsTUFBTUMsVUFBa0IsR0FBR0gsT0FBTyxDQUFDQyxtQkFBbUI7RUFFdEQsTUFBTUcsY0FBYyxHQUFHLEdBQUdELFVBQVUsSUFBSUUsTUFBTSxDQUFDQyxJQUFJLENBQUNQLE9BQU8sQ0FBQ1EsWUFBWSxDQUFDLENBQUNDLFFBQVEsQ0FBQyxRQUFRLENBQUMsSUFBSVQsT0FBTyxDQUFDVSxZQUFZLEVBQUU7RUFFdEgsSUFBSWIsS0FBSyxDQUFDYyxHQUFHLENBQUNOLGNBQWMsQ0FBQyxFQUFFO0lBQzdCLE9BQU9SLEtBQUssQ0FBQ2UsR0FBRyxDQUFDUCxjQUFjLENBQUM7RUFDbEMsQ0FBQyxNQUFNO0lBQ0wsTUFBTVEsUUFBUSxHQUFHWixPQUFPLENBQUNhLDJCQUEyQixJQUFJYixPQUFPLENBQUNhLDJCQUEyQixDQUFDZCxPQUFPLENBQUNVLFlBQVksQ0FBQztJQUNqSCxJQUFJLENBQUNHLFFBQVEsRUFBRTtNQUNiLE1BQU0sSUFBSVYsS0FBSyxDQUFDLCtFQUErRUgsT0FBTyxDQUFDVSxZQUFZLDJMQUEyTFQsT0FBTyxDQUFDYSwyQkFBMkIsOExBQThMLENBQUM7SUFDbGhCO0lBRUEsTUFBTUMsWUFBb0IsR0FBRyxNQUFNRixRQUFRLENBQUNHLDBCQUEwQixDQUFDaEIsT0FBTyxDQUFDaUIsT0FBTyxFQUFFakIsT0FBTyxDQUFDa0IsYUFBYSxFQUFFbEIsT0FBTyxDQUFDUSxZQUFZLENBQUM7SUFFcEksTUFBTVcsYUFBYSxHQUFHLElBQUlDLHFCQUFZLENBQUNMLFlBQVksQ0FBQztJQUVwRCxJQUFJZCxPQUFPLENBQUNvQiwyQkFBMkIsR0FBRyxDQUFDLEVBQUU7TUFDM0N4QixLQUFLLENBQUN5QixHQUFHLENBQUNqQixjQUFjLEVBQUVjLGFBQWEsRUFBRWxCLE9BQU8sQ0FBQ29CLDJCQUEyQixDQUFDO0lBQy9FO0lBRUEsT0FBT0YsYUFBYTtFQUN0QjtBQUNGLENBQUM7QUFBQ0ksT0FBQSxDQUFBeEIsTUFBQSxHQUFBQSxNQUFBIiwiaWdub3JlTGlzdCI6W119

package/lib/always-encrypted/symmetric-key-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"symmetric-key-cache.js","names":["_symmetricKey","_interopRequireDefault","require","_lruCache","e","__esModule","default","cache","LRU","getKey","keyInfo","options","trustedServerNameAE","Error","serverName","keyLookupValue","Buffer","from","encryptedKey","toString","keyStoreName","has","get","provider","encryptionKeyStoreProviders","plaintextKey","decryptColumnEncryptionKey","keyPath","algorithmName","encryptionKey","SymmetricKey","columnEncryptionKeyCacheTTL","set","exports"],"sources":["../../src/always-encrypted/symmetric-key-cache.ts"],"sourcesContent":["// This code is based on the `mssql-jdbc` library published under the conditions of MIT license.\n// Copyright (c) 2019 Microsoft Corporation\n\nimport { type EncryptionKeyInfo } from './types';\nimport SymmetricKey from './symmetric-key';\nimport { type InternalConnectionOptions as ConnectionOptions } from '../connection';\nimport LRU from 'lru-cache';\n\nconst cache = new LRU<string, SymmetricKey>(0);\n\nexport const getKey = async (keyInfo: EncryptionKeyInfo, options: ConnectionOptions): Promise<SymmetricKey> => {\n  if (!options.trustedServerNameAE) {\n    throw new Error('Server name should not be null in getKey');\n  }\n\n  const serverName: string = options.trustedServerNameAE;\n\n  const keyLookupValue = `${serverName}:${Buffer.from(keyInfo.encryptedKey).toString('base64')}:${keyInfo.keyStoreName}`;\n\n  if (cache.has(keyLookupValue)) {\n    return cache.get(keyLookupValue) as SymmetricKey;\n  } else {\n    const provider = options.encryptionKeyStoreProviders && options.encryptionKeyStoreProviders[keyInfo.keyStoreName];\n    if (!provider) {\n      throw new Error(`Failed to decrypt a column encryption key. Invalid key store provider name: ${keyInfo.keyStoreName}. A key store provider name must denote either a system key store provider or a registered custom key store provider. Valid (currently registered) custom key store provider names are: ${options.encryptionKeyStoreProviders}. Please verify key store provider information in column master key definitions in the database, and verify all custom key store providers used in your application are registered properly.`);\n    }\n\n    const plaintextKey: Buffer = await provider.decryptColumnEncryptionKey(keyInfo.keyPath, keyInfo.algorithmName, keyInfo.encryptedKey);\n\n    const encryptionKey = new SymmetricKey(plaintextKey);\n\n    if (options.columnEncryptionKeyCacheTTL > 0) {\n      cache.set(keyLookupValue, encryptionKey, options.columnEncryptionKeyCacheTTL);\n    }\n\n    return encryptionKey;\n  }\n};\n"],"mappings":";;;;;;AAIA,IAAAA,aAAA,GAAAC,sBAAA,CAAAC,OAAA;AAEA,IAAAC,SAAA,GAAAF,sBAAA,CAAAC,OAAA;AAA4B,SAAAD,uBAAAG,CAAA,WAAAA,CAAA,IAAAA,CAAA,CAAAC,UAAA,GAAAD,CAAA,KAAAE,OAAA,EAAAF,CAAA;AAN5B;AACA;;AAOA,MAAMG,KAAK,GAAG,IAAIC,iBAAG,CAAuB,CAAC,CAAC;AAEvC,MAAMC,MAAM,GAAG,MAAAA,CAAOC,OAA0B,EAAEC,OAA0B,KAA4B;EAC7G,IAAI,CAACA,OAAO,CAACC,mBAAmB,EAAE;IAChC,MAAM,IAAIC,KAAK,CAAC,0CAA0C,CAAC;EAC7D;EAEA,MAAMC,UAAkB,GAAGH,OAAO,CAACC,mBAAmB;EAEtD,MAAMG,cAAc,GAAG,GAAGD,UAAU,IAAIE,MAAM,CAACC,IAAI,CAACP,OAAO,CAACQ,YAAY,CAAC,CAACC,QAAQ,CAAC,QAAQ,CAAC,IAAIT,OAAO,CAACU,YAAY,EAAE;EAEtH,IAAIb,KAAK,CAACc,GAAG,CAACN,cAAc,CAAC,EAAE;IAC7B,OAAOR,KAAK,CAACe,GAAG,CAACP,cAAc,CAAC;EAClC,CAAC,MAAM;IACL,MAAMQ,QAAQ,GAAGZ,OAAO,CAACa,2BAA2B,IAAIb,OAAO,CAACa,2BAA2B,CAACd,OAAO,CAACU,YAAY,CAAC;IACjH,IAAI,CAACG,QAAQ,EAAE;MACb,MAAM,IAAIV,KAAK,CAAC,+EAA+EH,OAAO,CAACU,YAAY,2LAA2LT,OAAO,CAACa,2BAA2B,8LAA8L,CAAC;IAClhB;IAEA,MAAMC,YAAoB,GAAG,MAAMF,QAAQ,CAACG,0BAA0B,CAAChB,OAAO,CAACiB,OAAO,EAAEjB,OAAO,CAACkB,aAAa,EAAElB,OAAO,CAACQ,YAAY,CAAC;IAEpI,MAAMW,aAAa,GAAG,IAAIC,qBAAY,CAACL,YAAY,CAAC;IAEpD,IAAId,OAAO,CAACoB,2BAA2B,GAAG,CAAC,EAAE;MAC3CxB,KAAK,CAACyB,GAAG,CAACjB,cAAc,EAAEc,aAAa,EAAElB,OAAO,CAACoB,2BAA2B,CAAC;IAC/E;IAEA,OAAOF,aAAa;EACtB;AACF,CAAC;AAACI,OAAA,CAAAxB,MAAA,GAAAA,MAAA","ignoreList":[]}

package/lib/always-encrypted/symmetric-key.js

@@ -0,0 +1,25 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.default = exports.SymmetricKey = void 0;
+// This code is based on the `mssql-jdbc` library published under the conditions of MIT license.
+// Copyright (c) 2019 Microsoft Corporation
+
+class SymmetricKey {
+  constructor(rootKey) {
+    if (!rootKey) {
+      throw new Error('Column encryption key cannot be null.');
+    } else if (0 === rootKey.length) {
+      throw new Error('Empty column encryption key specified.');
+    }
+    this.rootKey = rootKey;
+  }
+  zeroOutKey() {
+    this.rootKey = Buffer.alloc(this.rootKey.length);
+  }
+}
+exports.SymmetricKey = SymmetricKey;
+var _default = exports.default = SymmetricKey;
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJuYW1lcyI6WyJTeW1tZXRyaWNLZXkiLCJjb25zdHJ1Y3RvciIsInJvb3RLZXkiLCJFcnJvciIsImxlbmd0aCIsInplcm9PdXRLZXkiLCJCdWZmZXIiLCJhbGxvYyIsImV4cG9ydHMiLCJfZGVmYXVsdCIsImRlZmF1bHQiXSwic291cmNlcyI6WyIuLi8uLi9zcmMvYWx3YXlzLWVuY3J5cHRlZC9zeW1tZXRyaWMta2V5LnRzIl0sInNvdXJjZXNDb250ZW50IjpbIi8vIFRoaXMgY29kZSBpcyBiYXNlZCBvbiB0aGUgYG1zc3FsLWpkYmNgIGxpYnJhcnkgcHVibGlzaGVkIHVuZGVyIHRoZSBjb25kaXRpb25zIG9mIE1JVCBsaWNlbnNlLlxuLy8gQ29weXJpZ2h0IChjKSAyMDE5IE1pY3Jvc29mdCBDb3Jwb3JhdGlvblxuXG5leHBvcnQgY2xhc3MgU3ltbWV0cmljS2V5IHtcbiAgZGVjbGFyZSByb290S2V5OiBCdWZmZXI7XG5cbiAgY29uc3RydWN0b3Iocm9vdEtleTogQnVmZmVyKSB7XG4gICAgaWYgKCFyb290S2V5KSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ0NvbHVtbiBlbmNyeXB0aW9uIGtleSBjYW5ub3QgYmUgbnVsbC4nKTtcbiAgICB9IGVsc2UgaWYgKDAgPT09IHJvb3RLZXkubGVuZ3RoKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ0VtcHR5IGNvbHVtbiBlbmNyeXB0aW9uIGtleSBzcGVjaWZpZWQuJyk7XG4gICAgfVxuICAgIHRoaXMucm9vdEtleSA9IHJvb3RLZXk7XG4gIH1cblxuICB6ZXJvT3V0S2V5KCkge1xuICAgIHRoaXMucm9vdEtleSA9IEJ1ZmZlci5hbGxvYyh0aGlzLnJvb3RLZXkubGVuZ3RoKTtcbiAgfVxufVxuZXhwb3J0IGRlZmF1bHQgU3ltbWV0cmljS2V5O1xuIl0sIm1hcHBpbmdzIjoiOzs7Ozs7QUFBQTtBQUNBOztBQUVPLE1BQU1BLFlBQVksQ0FBQztFQUd4QkMsV0FBV0EsQ0FBQ0MsT0FBZSxFQUFFO0lBQzNCLElBQUksQ0FBQ0EsT0FBTyxFQUFFO01BQ1osTUFBTSxJQUFJQyxLQUFLLENBQUMsdUNBQXVDLENBQUM7SUFDMUQsQ0FBQyxNQUFNLElBQUksQ0FBQyxLQUFLRCxPQUFPLENBQUNFLE1BQU0sRUFBRTtNQUMvQixNQUFNLElBQUlELEtBQUssQ0FBQyx3Q0FBd0MsQ0FBQztJQUMzRDtJQUNBLElBQUksQ0FBQ0QsT0FBTyxHQUFHQSxPQUFPO0VBQ3hCO0VBRUFHLFVBQVVBLENBQUEsRUFBRztJQUNYLElBQUksQ0FBQ0gsT0FBTyxHQUFHSSxNQUFNLENBQUNDLEtBQUssQ0FBQyxJQUFJLENBQUNMLE9BQU8sQ0FBQ0UsTUFBTSxDQUFDO0VBQ2xEO0FBQ0Y7QUFBQ0ksT0FBQSxDQUFBUixZQUFBLEdBQUFBLFlBQUE7QUFBQSxJQUFBUyxRQUFBLEdBQUFELE9BQUEsQ0FBQUUsT0FBQSxHQUNjVixZQUFZIiwiaWdub3JlTGlzdCI6W119

package/lib/always-encrypted/symmetric-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"symmetric-key.js","names":["SymmetricKey","constructor","rootKey","Error","length","zeroOutKey","Buffer","alloc","exports","_default","default"],"sources":["../../src/always-encrypted/symmetric-key.ts"],"sourcesContent":["// This code is based on the `mssql-jdbc` library published under the conditions of MIT license.\n// Copyright (c) 2019 Microsoft Corporation\n\nexport class SymmetricKey {\n  declare rootKey: Buffer;\n\n  constructor(rootKey: Buffer) {\n    if (!rootKey) {\n      throw new Error('Column encryption key cannot be null.');\n    } else if (0 === rootKey.length) {\n      throw new Error('Empty column encryption key specified.');\n    }\n    this.rootKey = rootKey;\n  }\n\n  zeroOutKey() {\n    this.rootKey = Buffer.alloc(this.rootKey.length);\n  }\n}\nexport default SymmetricKey;\n"],"mappings":";;;;;;AAAA;AACA;;AAEO,MAAMA,YAAY,CAAC;EAGxBC,WAAWA,CAACC,OAAe,EAAE;IAC3B,IAAI,CAACA,OAAO,EAAE;MACZ,MAAM,IAAIC,KAAK,CAAC,uCAAuC,CAAC;IAC1D,CAAC,MAAM,IAAI,CAAC,KAAKD,OAAO,CAACE,MAAM,EAAE;MAC/B,MAAM,IAAID,KAAK,CAAC,wCAAwC,CAAC;IAC3D;IACA,IAAI,CAACD,OAAO,GAAGA,OAAO;EACxB;EAEAG,UAAUA,CAAA,EAAG;IACX,IAAI,CAACH,OAAO,GAAGI,MAAM,CAACC,KAAK,CAAC,IAAI,CAACL,OAAO,CAACE,MAAM,CAAC;EAClD;AACF;AAACI,OAAA,CAAAR,YAAA,GAAAA,YAAA;AAAA,IAAAS,QAAA,GAAAD,OAAA,CAAAE,OAAA,GACcV,YAAY","ignoreList":[]}

package/lib/always-encrypted/types.d.ts

@@ -0,0 +1,73 @@
+import { CEKEntry } from './cek-entry';
+import { type BaseMetadata } from '../metadata-parser';
+export interface EncryptionKeyInfo {
+    encryptedKey: Buffer;
+    dbId: number;
+    keyId: number;
+    keyVersion: number;
+    mdVersion: Buffer;
+    keyPath: string;
+    keyStoreName: string;
+    algorithmName: string;
+}
+export declare enum SQLServerEncryptionType {
+    Deterministic = 1,
+    Randomized = 2,
+    PlainText = 0
+}
+export interface EncryptionAlgorithm {
+    encryptData: (plainText: Buffer) => Buffer;
+    decryptData: (cipherText: Buffer) => Buffer;
+}
+export interface CryptoMetadata {
+    cekEntry?: CEKEntry;
+    cipherAlgorithmId: number;
+    cipherAlgorithmName?: string;
+    normalizationRuleVersion: Buffer;
+    encryptionKeyInfo?: EncryptionKeyInfo;
+    ordinal: number;
+    encryptionType: SQLServerEncryptionType;
+    cipherAlgorithm?: EncryptionAlgorithm;
+    baseTypeInfo?: BaseMetadata;
+}
+export interface HashMap<T> {
+    [hash: string]: T;
+}
+export declare enum DescribeParameterEncryptionResultSet1 {
+    KeyOrdinal = 0,
+    DbId = 1,
+    KeyId = 2,
+    KeyVersion = 3,
+    KeyMdVersion = 4,
+    EncryptedKey = 5,
+    ProviderName = 6,
+    KeyPath = 7,
+    KeyEncryptionAlgorithm = 8
+}
+export declare enum DescribeParameterEncryptionResultSet2 {
+    ParameterOrdinal = 0,
+    ParameterName = 1,
+    ColumnEncryptionAlgorithm = 2,
+    ColumnEncrytionType = 3,
+    ColumnEncryptionKeyOrdinal = 4,
+    NormalizationRuleVersion = 5
+}
+export declare enum SQLServerStatementColumnEncryptionSetting {
+    /**
+     * if "Column Encryption Setting=Enabled" in the connection string, use Enabled. Otherwise, maps to Disabled.
+     */
+    UseConnectionSetting = 0,
+    /**
+     * Enables TCE for the command. Overrides the connection level setting for this command.
+     */
+    Enabled = 1,
+    /**
+     * Parameters will not be encrypted, only the ResultSet will be decrypted. This is an optimization for queries that
+     * do not pass any encrypted input parameters. Overrides the connection level setting for this command.
+     */
+    ResultSetOnly = 2,
+    /**
+     * Disables TCE for the command.Overrides the connection level setting for this command.
+     */
+    Disabled = 3
+}

package/lib/always-encrypted/types.js

@@ -0,0 +1,61 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.SQLServerStatementColumnEncryptionSetting = exports.SQLServerEncryptionType = exports.DescribeParameterEncryptionResultSet2 = exports.DescribeParameterEncryptionResultSet1 = void 0;
+// This code is based on the `mssql-jdbc` library published under the conditions of MIT license.
+// Copyright (c) 2019 Microsoft Corporation
+let SQLServerEncryptionType = exports.SQLServerEncryptionType = /*#__PURE__*/function (SQLServerEncryptionType) {
+  SQLServerEncryptionType[SQLServerEncryptionType["Deterministic"] = 1] = "Deterministic";
+  SQLServerEncryptionType[SQLServerEncryptionType["Randomized"] = 2] = "Randomized";
+  SQLServerEncryptionType[SQLServerEncryptionType["PlainText"] = 0] = "PlainText";
+  return SQLServerEncryptionType;
+}({});
+// Fields in the first resultset of "sp_describe_parameter_encryption"
+// We expect the server to return the fields in the resultset in the same order as mentioned below.
+// If the server changes the below order, then transparent parameter encryption will break.
+let DescribeParameterEncryptionResultSet1 = exports.DescribeParameterEncryptionResultSet1 = /*#__PURE__*/function (DescribeParameterEncryptionResultSet1) {
+  DescribeParameterEncryptionResultSet1[DescribeParameterEncryptionResultSet1["KeyOrdinal"] = 0] = "KeyOrdinal";
+  DescribeParameterEncryptionResultSet1[DescribeParameterEncryptionResultSet1["DbId"] = 1] = "DbId";
+  DescribeParameterEncryptionResultSet1[DescribeParameterEncryptionResultSet1["KeyId"] = 2] = "KeyId";
+  DescribeParameterEncryptionResultSet1[DescribeParameterEncryptionResultSet1["KeyVersion"] = 3] = "KeyVersion";
+  DescribeParameterEncryptionResultSet1[DescribeParameterEncryptionResultSet1["KeyMdVersion"] = 4] = "KeyMdVersion";
+  DescribeParameterEncryptionResultSet1[DescribeParameterEncryptionResultSet1["EncryptedKey"] = 5] = "EncryptedKey";
+  DescribeParameterEncryptionResultSet1[DescribeParameterEncryptionResultSet1["ProviderName"] = 6] = "ProviderName";
+  DescribeParameterEncryptionResultSet1[DescribeParameterEncryptionResultSet1["KeyPath"] = 7] = "KeyPath";
+  DescribeParameterEncryptionResultSet1[DescribeParameterEncryptionResultSet1["KeyEncryptionAlgorithm"] = 8] = "KeyEncryptionAlgorithm";
+  return DescribeParameterEncryptionResultSet1;
+}({}); // Fields in the second resultset of "sp_describe_parameter_encryption"
+// We expect the server to return the fields in the resultset in the same order as mentioned below.
+// If the server changes the below order, then transparent parameter encryption will break.
+let DescribeParameterEncryptionResultSet2 = exports.DescribeParameterEncryptionResultSet2 = /*#__PURE__*/function (DescribeParameterEncryptionResultSet2) {
+  DescribeParameterEncryptionResultSet2[DescribeParameterEncryptionResultSet2["ParameterOrdinal"] = 0] = "ParameterOrdinal";
+  DescribeParameterEncryptionResultSet2[DescribeParameterEncryptionResultSet2["ParameterName"] = 1] = "ParameterName";
+  DescribeParameterEncryptionResultSet2[DescribeParameterEncryptionResultSet2["ColumnEncryptionAlgorithm"] = 2] = "ColumnEncryptionAlgorithm";
+  DescribeParameterEncryptionResultSet2[DescribeParameterEncryptionResultSet2["ColumnEncrytionType"] = 3] = "ColumnEncrytionType";
+  DescribeParameterEncryptionResultSet2[DescribeParameterEncryptionResultSet2["ColumnEncryptionKeyOrdinal"] = 4] = "ColumnEncryptionKeyOrdinal";
+  DescribeParameterEncryptionResultSet2[DescribeParameterEncryptionResultSet2["NormalizationRuleVersion"] = 5] = "NormalizationRuleVersion";
+  return DescribeParameterEncryptionResultSet2;
+}({});
+let SQLServerStatementColumnEncryptionSetting = exports.SQLServerStatementColumnEncryptionSetting = /*#__PURE__*/function (SQLServerStatementColumnEncryptionSetting) {
+  /**
+   * if "Column Encryption Setting=Enabled" in the connection string, use Enabled. Otherwise, maps to Disabled.
+   */
+  SQLServerStatementColumnEncryptionSetting[SQLServerStatementColumnEncryptionSetting["UseConnectionSetting"] = 0] = "UseConnectionSetting";
+  /**
+   * Enables TCE for the command. Overrides the connection level setting for this command.
+   */
+  SQLServerStatementColumnEncryptionSetting[SQLServerStatementColumnEncryptionSetting["Enabled"] = 1] = "Enabled";
+  /**
+   * Parameters will not be encrypted, only the ResultSet will be decrypted. This is an optimization for queries that
+   * do not pass any encrypted input parameters. Overrides the connection level setting for this command.
+   */
+  SQLServerStatementColumnEncryptionSetting[SQLServerStatementColumnEncryptionSetting["ResultSetOnly"] = 2] = "ResultSetOnly";
+  /**
+   * Disables TCE for the command.Overrides the connection level setting for this command.
+   */
+  SQLServerStatementColumnEncryptionSetting[SQLServerStatementColumnEncryptionSetting["Disabled"] = 3] = "Disabled";
+  return SQLServerStatementColumnEncryptionSetting;
+}({});
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJuYW1lcyI6WyJTUUxTZXJ2ZXJFbmNyeXB0aW9uVHlwZSIsImV4cG9ydHMiLCJEZXNjcmliZVBhcmFtZXRlckVuY3J5cHRpb25SZXN1bHRTZXQxIiwiRGVzY3JpYmVQYXJhbWV0ZXJFbmNyeXB0aW9uUmVzdWx0U2V0MiIsIlNRTFNlcnZlclN0YXRlbWVudENvbHVtbkVuY3J5cHRpb25TZXR0aW5nIl0sInNvdXJjZXMiOlsiLi4vLi4vc3JjL2Fsd2F5cy1lbmNyeXB0ZWQvdHlwZXMudHMiXSwic291cmNlc0NvbnRlbnQiOlsiLy8gVGhpcyBjb2RlIGlzIGJhc2VkIG9uIHRoZSBgbXNzcWwtamRiY2AgbGlicmFyeSBwdWJsaXNoZWQgdW5kZXIgdGhlIGNvbmRpdGlvbnMgb2YgTUlUIGxpY2Vuc2UuXG4vLyBDb3B5cmlnaHQgKGMpIDIwMTkgTWljcm9zb2Z0IENvcnBvcmF0aW9uXG5cbmltcG9ydCB7IENFS0VudHJ5IH0gZnJvbSAnLi9jZWstZW50cnknO1xuaW1wb3J0IHsgdHlwZSBCYXNlTWV0YWRhdGEgfSBmcm9tICcuLi9tZXRhZGF0YS1wYXJzZXInO1xuXG5leHBvcnQgaW50ZXJmYWNlIEVuY3J5cHRpb25LZXlJbmZvIHtcbiAgZW5jcnlwdGVkS2V5OiBCdWZmZXI7XG4gIGRiSWQ6IG51bWJlcjtcbiAga2V5SWQ6IG51bWJlcjtcbiAga2V5VmVyc2lvbjogbnVtYmVyO1xuICBtZFZlcnNpb246IEJ1ZmZlcjtcbiAga2V5UGF0aDogc3RyaW5nO1xuICBrZXlTdG9yZU5hbWU6IHN0cmluZztcbiAgYWxnb3JpdGhtTmFtZTogc3RyaW5nO1xufVxuXG5leHBvcnQgZW51bSBTUUxTZXJ2ZXJFbmNyeXB0aW9uVHlwZSB7XG4gIERldGVybWluaXN0aWMgPSAxLFxuICBSYW5kb21pemVkID0gMixcbiAgUGxhaW5UZXh0ID0gMCxcbn1cblxuZXhwb3J0IGludGVyZmFjZSBFbmNyeXB0aW9uQWxnb3JpdGhtIHtcbiAgZW5jcnlwdERhdGE6IChwbGFpblRleHQ6IEJ1ZmZlcikgPT4gQnVmZmVyO1xuICBkZWNyeXB0RGF0YTogKGNpcGhlclRleHQ6IEJ1ZmZlcikgPT4gQnVmZmVyO1xufVxuXG5leHBvcnQgaW50ZXJmYWNlIENyeXB0b01ldGFkYXRhIHtcbiAgY2VrRW50cnk/OiBDRUtFbnRyeTtcbiAgY2lwaGVyQWxnb3JpdGhtSWQ6IG51bWJlcjtcbiAgY2lwaGVyQWxnb3JpdGhtTmFtZT86IHN0cmluZztcbiAgbm9ybWFsaXphdGlvblJ1bGVWZXJzaW9uOiBCdWZmZXI7XG4gIGVuY3J5cHRpb25LZXlJbmZvPzogRW5jcnlwdGlvbktleUluZm87XG4gIG9yZGluYWw6IG51bWJlcjtcbiAgZW5jcnlwdGlvblR5cGU6IFNRTFNlcnZlckVuY3J5cHRpb25UeXBlO1xuICBjaXBoZXJBbGdvcml0aG0/OiBFbmNyeXB0aW9uQWxnb3JpdGhtO1xuICBiYXNlVHlwZUluZm8/OiBCYXNlTWV0YWRhdGE7XG59XG5cbmV4cG9ydCBpbnRlcmZhY2UgSGFzaE1hcDxUPiB7XG4gIFtoYXNoOiBzdHJpbmddOiBUO1xufVxuXG5cbi8vIEZpZWxkcyBpbiB0aGUgZmlyc3QgcmVzdWx0c2V0IG9mIFwic3BfZGVzY3JpYmVfcGFyYW1ldGVyX2VuY3J5cHRpb25cIlxuLy8gV2UgZXhwZWN0IHRoZSBzZXJ2ZXIgdG8gcmV0dXJuIHRoZSBmaWVsZHMgaW4gdGhlIHJlc3VsdHNldCBpbiB0aGUgc2FtZSBvcmRlciBhcyBtZW50aW9uZWQgYmVsb3cuXG4vLyBJZiB0aGUgc2VydmVyIGNoYW5nZXMgdGhlIGJlbG93IG9yZGVyLCB0aGVuIHRyYW5zcGFyZW50IHBhcmFtZXRlciBlbmNyeXB0aW9uIHdpbGwgYnJlYWsuXG5leHBvcnQgZW51bSBEZXNjcmliZVBhcmFtZXRlckVuY3J5cHRpb25SZXN1bHRTZXQxIHtcbiAgS2V5T3JkaW5hbCxcbiAgRGJJZCxcbiAgS2V5SWQsXG4gIEtleVZlcnNpb24sXG4gIEtleU1kVmVyc2lvbixcbiAgRW5jcnlwdGVkS2V5LFxuICBQcm92aWRlck5hbWUsXG4gIEtleVBhdGgsXG4gIEtleUVuY3J5cHRpb25BbGdvcml0aG1cbn1cblxuXG4vLyBGaWVsZHMgaW4gdGhlIHNlY29uZCByZXN1bHRzZXQgb2YgXCJzcF9kZXNjcmliZV9wYXJhbWV0ZXJfZW5jcnlwdGlvblwiXG4vLyBXZSBleHBlY3QgdGhlIHNlcnZlciB0byByZXR1cm4gdGhlIGZpZWxkcyBpbiB0aGUgcmVzdWx0c2V0IGluIHRoZSBzYW1lIG9yZGVyIGFzIG1lbnRpb25lZCBiZWxvdy5cbi8vIElmIHRoZSBzZXJ2ZXIgY2hhbmdlcyB0aGUgYmVsb3cgb3JkZXIsIHRoZW4gdHJhbnNwYXJlbnQgcGFyYW1ldGVyIGVuY3J5cHRpb24gd2lsbCBicmVhay5cbmV4cG9ydCBlbnVtIERlc2NyaWJlUGFyYW1ldGVyRW5jcnlwdGlvblJlc3VsdFNldDIge1xuICBQYXJhbWV0ZXJPcmRpbmFsLFxuICBQYXJhbWV0ZXJOYW1lLFxuICBDb2x1bW5FbmNyeXB0aW9uQWxnb3JpdGhtLFxuICBDb2x1bW5FbmNyeXRpb25UeXBlLFxuICBDb2x1bW5FbmNyeXB0aW9uS2V5T3JkaW5hbCxcbiAgTm9ybWFsaXphdGlvblJ1bGVWZXJzaW9uXG59XG5cbmV4cG9ydCBlbnVtIFNRTFNlcnZlclN0YXRlbWVudENvbHVtbkVuY3J5cHRpb25TZXR0aW5nIHtcbiAgLyoqXG4gICAqIGlmIFwiQ29sdW1uIEVuY3J5cHRpb24gU2V0dGluZz1FbmFibGVkXCIgaW4gdGhlIGNvbm5lY3Rpb24gc3RyaW5nLCB1c2UgRW5hYmxlZC4gT3RoZXJ3aXNlLCBtYXBzIHRvIERpc2FibGVkLlxuICAgKi9cbiAgVXNlQ29ubmVjdGlvblNldHRpbmcsXG4gIC8qKlxuICAgKiBFbmFibGVzIFRDRSBmb3IgdGhlIGNvbW1hbmQuIE92ZXJyaWRlcyB0aGUgY29ubmVjdGlvbiBsZXZlbCBzZXR0aW5nIGZvciB0aGlzIGNvbW1hbmQuXG4gICAqL1xuICBFbmFibGVkLFxuICAvKipcbiAgICogUGFyYW1ldGVycyB3aWxsIG5vdCBiZSBlbmNyeXB0ZWQsIG9ubHkgdGhlIFJlc3VsdFNldCB3aWxsIGJlIGRlY3J5cHRlZC4gVGhpcyBpcyBhbiBvcHRpbWl6YXRpb24gZm9yIHF1ZXJpZXMgdGhhdFxuICAgKiBkbyBub3QgcGFzcyBhbnkgZW5jcnlwdGVkIGlucHV0IHBhcmFtZXRlcnMuIE92ZXJyaWRlcyB0aGUgY29ubmVjdGlvbiBsZXZlbCBzZXR0aW5nIGZvciB0aGlzIGNvbW1hbmQuXG4gICAqL1xuICBSZXN1bHRTZXRPbmx5LFxuICAvKipcbiAgICogRGlzYWJsZXMgVENFIGZvciB0aGUgY29tbWFuZC5PdmVycmlkZXMgdGhlIGNvbm5lY3Rpb24gbGV2ZWwgc2V0dGluZyBmb3IgdGhpcyBjb21tYW5kLlxuICAgKi9cbiAgRGlzYWJsZWQsXG59XG4iXSwibWFwcGluZ3MiOiI7Ozs7OztBQUFBO0FBQ0E7QUFBQSxJQWdCWUEsdUJBQXVCLEdBQUFDLE9BQUEsQ0FBQUQsdUJBQUEsMEJBQXZCQSx1QkFBdUI7RUFBdkJBLHVCQUF1QixDQUF2QkEsdUJBQXVCO0VBQXZCQSx1QkFBdUIsQ0FBdkJBLHVCQUF1QjtFQUF2QkEsdUJBQXVCLENBQXZCQSx1QkFBdUI7RUFBQSxPQUF2QkEsdUJBQXVCO0FBQUE7QUE0Qm5DO0FBQ0E7QUFDQTtBQUFBLElBQ1lFLHFDQUFxQyxHQUFBRCxPQUFBLENBQUFDLHFDQUFBLDBCQUFyQ0EscUNBQXFDO0VBQXJDQSxxQ0FBcUMsQ0FBckNBLHFDQUFxQztFQUFyQ0EscUNBQXFDLENBQXJDQSxxQ0FBcUM7RUFBckNBLHFDQUFxQyxDQUFyQ0EscUNBQXFDO0VBQXJDQSxxQ0FBcUMsQ0FBckNBLHFDQUFxQztFQUFyQ0EscUNBQXFDLENBQXJDQSxxQ0FBcUM7RUFBckNBLHFDQUFxQyxDQUFyQ0EscUNBQXFDO0VBQXJDQSxxQ0FBcUMsQ0FBckNBLHFDQUFxQztFQUFyQ0EscUNBQXFDLENBQXJDQSxxQ0FBcUM7RUFBckNBLHFDQUFxQyxDQUFyQ0EscUNBQXFDO0VBQUEsT0FBckNBLHFDQUFxQztBQUFBLE9BYWpEO0FBQ0E7QUFDQTtBQUFBLElBQ1lDLHFDQUFxQyxHQUFBRixPQUFBLENBQUFFLHFDQUFBLDBCQUFyQ0EscUNBQXFDO0VBQXJDQSxxQ0FBcUMsQ0FBckNBLHFDQUFxQztFQUFyQ0EscUNBQXFDLENBQXJDQSxxQ0FBcUM7RUFBckNBLHFDQUFxQyxDQUFyQ0EscUNBQXFDO0VBQXJDQSxxQ0FBcUMsQ0FBckNBLHFDQUFxQztFQUFyQ0EscUNBQXFDLENBQXJDQSxxQ0FBcUM7RUFBckNBLHFDQUFxQyxDQUFyQ0EscUNBQXFDO0VBQUEsT0FBckNBLHFDQUFxQztBQUFBO0FBQUEsSUFTckNDLHlDQUF5QyxHQUFBSCxPQUFBLENBQUFHLHlDQUFBLDBCQUF6Q0EseUNBQXlDO0VBQ25EO0FBQ0Y7QUFDQTtFQUhZQSx5Q0FBeUMsQ0FBekNBLHlDQUF5QztFQUtuRDtBQUNGO0FBQ0E7RUFQWUEseUNBQXlDLENBQXpDQSx5Q0FBeUM7RUFTbkQ7QUFDRjtBQUNBO0FBQ0E7RUFaWUEseUNBQXlDLENBQXpDQSx5Q0FBeUM7RUFjbkQ7QUFDRjtBQUNBO0VBaEJZQSx5Q0FBeUMsQ0FBekNBLHlDQUF5QztFQUFBLE9BQXpDQSx5Q0FBeUM7QUFBQSIsImlnbm9yZUxpc3QiOltdfQ==