hpke.js (155595B)
1 // npm/esm/_dnt.shims.js 2 var dntGlobals = {}; 3 var dntGlobalThis = createMergeProxy(globalThis, dntGlobals); 4 function createMergeProxy(baseObj, extObj) { 5 return new Proxy(baseObj, { 6 get(_target, prop, _receiver) { 7 if (prop in extObj) { 8 return extObj[prop]; 9 } else { 10 return baseObj[prop]; 11 } 12 }, 13 set(_target, prop, value) { 14 if (prop in extObj) { 15 delete extObj[prop]; 16 } 17 baseObj[prop] = value; 18 return true; 19 }, 20 deleteProperty(_target, prop) { 21 let success = false; 22 if (prop in extObj) { 23 delete extObj[prop]; 24 success = true; 25 } 26 if (prop in baseObj) { 27 delete baseObj[prop]; 28 success = true; 29 } 30 return success; 31 }, 32 ownKeys(_target) { 33 const baseKeys = Reflect.ownKeys(baseObj); 34 const extKeys = Reflect.ownKeys(extObj); 35 const extKeysSet = new Set(extKeys); 36 return [...baseKeys.filter((k) => !extKeysSet.has(k)), ...extKeys]; 37 }, 38 defineProperty(_target, prop, desc) { 39 if (prop in extObj) { 40 delete extObj[prop]; 41 } 42 Reflect.defineProperty(baseObj, prop, desc); 43 return true; 44 }, 45 getOwnPropertyDescriptor(_target, prop) { 46 if (prop in extObj) { 47 return Reflect.getOwnPropertyDescriptor(extObj, prop); 48 } else { 49 return Reflect.getOwnPropertyDescriptor(baseObj, prop); 50 } 51 }, 52 has(_target, prop) { 53 return prop in extObj || prop in baseObj; 54 } 55 }); 56 } 57 58 // npm/esm/core/src/errors.js 59 var BaseError = class extends Error { 60 constructor(e) { 61 let message; 62 if (e instanceof Error) { 63 message = e.message; 64 } else if (typeof e === "string") { 65 message = e; 66 } else { 67 message = ""; 68 } 69 super(message); 70 this.name = this.constructor.name; 71 } 72 }; 73 var HpkeError = class extends BaseError { 74 }; 75 var InvalidParamError = class extends HpkeError { 76 }; 77 var ValidationError = class extends HpkeError { 78 }; 79 var SerializeError = class extends HpkeError { 80 }; 81 var DeserializeError = class extends HpkeError { 82 }; 83 var EncapError = class extends HpkeError { 84 }; 85 var DecapError = class extends HpkeError { 86 }; 87 var ExportError = class extends HpkeError { 88 }; 89 var SealError = class extends HpkeError { 90 }; 91 var OpenError = class extends HpkeError { 92 }; 93 var MessageLimitReachedError = class extends HpkeError { 94 }; 95 var DeriveKeyPairError = class extends HpkeError { 96 }; 97 var NotSupportedError = class extends HpkeError { 98 }; 99 100 // npm/esm/core/src/algorithm.js 101 async function loadSubtleCrypto() { 102 if (dntGlobalThis !== void 0 && globalThis.crypto !== void 0) { 103 return globalThis.crypto.subtle; 104 } 105 try { 106 const { webcrypto } = await import("crypto"); 107 return webcrypto.subtle; 108 } catch (e) { 109 throw new NotSupportedError(e); 110 } 111 } 112 var NativeAlgorithm = class { 113 constructor() { 114 Object.defineProperty(this, "_api", { 115 enumerable: true, 116 configurable: true, 117 writable: true, 118 value: void 0 119 }); 120 } 121 async _setup() { 122 if (this._api !== void 0) { 123 return; 124 } 125 this._api = await loadSubtleCrypto(); 126 } 127 }; 128 129 // npm/esm/core/src/identifiers.js 130 var Mode = { 131 Base: 0, 132 Psk: 1, 133 Auth: 2, 134 AuthPsk: 3 135 }; 136 var Kem = { 137 NotAssigned: 0, 138 DhkemP256HkdfSha256: 16, 139 DhkemP384HkdfSha384: 17, 140 DhkemP521HkdfSha512: 18, 141 DhkemSecp256k1HkdfSha256: 19, 142 DhkemX25519HkdfSha256: 32, 143 DhkemX448HkdfSha512: 33, 144 HybridkemX25519Kyber768: 48 145 }; 146 var KemId = Kem; 147 var Kdf = { 148 HkdfSha256: 1, 149 HkdfSha384: 2, 150 HkdfSha512: 3 151 }; 152 var KdfId = Kdf; 153 var Aead = { 154 Aes128Gcm: 1, 155 Aes256Gcm: 2, 156 Chacha20Poly1305: 3, 157 ExportOnly: 65535 158 }; 159 var AeadId = Aead; 160 161 // npm/esm/core/src/interfaces/aeadEncryptionContext.js 162 var AEAD_USAGES = ["encrypt", "decrypt"]; 163 164 // npm/esm/core/src/aeads/aesGcm.js 165 var AesGcmContext = class extends NativeAlgorithm { 166 constructor(key) { 167 super(); 168 Object.defineProperty(this, "_rawKey", { 169 enumerable: true, 170 configurable: true, 171 writable: true, 172 value: void 0 173 }); 174 Object.defineProperty(this, "_key", { 175 enumerable: true, 176 configurable: true, 177 writable: true, 178 value: void 0 179 }); 180 this._rawKey = key; 181 } 182 async seal(iv, data, aad) { 183 await this._setupKey(); 184 const alg = { 185 name: "AES-GCM", 186 iv, 187 additionalData: aad 188 }; 189 const ct = await this._api.encrypt(alg, this._key, data); 190 return ct; 191 } 192 async open(iv, data, aad) { 193 await this._setupKey(); 194 const alg = { 195 name: "AES-GCM", 196 iv, 197 additionalData: aad 198 }; 199 const pt = await this._api.decrypt(alg, this._key, data); 200 return pt; 201 } 202 async _setupKey() { 203 if (this._key !== void 0) { 204 return; 205 } 206 await this._setup(); 207 const key = await this._importKey(this._rawKey); 208 new Uint8Array(this._rawKey).fill(0); 209 this._key = key; 210 return; 211 } 212 async _importKey(key) { 213 return await this._api.importKey("raw", key, { name: "AES-GCM" }, true, AEAD_USAGES); 214 } 215 }; 216 var Aes128Gcm = class { 217 constructor() { 218 Object.defineProperty(this, "id", { 219 enumerable: true, 220 configurable: true, 221 writable: true, 222 value: AeadId.Aes128Gcm 223 }); 224 Object.defineProperty(this, "keySize", { 225 enumerable: true, 226 configurable: true, 227 writable: true, 228 value: 16 229 }); 230 Object.defineProperty(this, "nonceSize", { 231 enumerable: true, 232 configurable: true, 233 writable: true, 234 value: 12 235 }); 236 Object.defineProperty(this, "tagSize", { 237 enumerable: true, 238 configurable: true, 239 writable: true, 240 value: 16 241 }); 242 } 243 createEncryptionContext(key) { 244 return new AesGcmContext(key); 245 } 246 }; 247 var Aes256Gcm = class extends Aes128Gcm { 248 constructor() { 249 super(...arguments); 250 Object.defineProperty(this, "id", { 251 enumerable: true, 252 configurable: true, 253 writable: true, 254 value: AeadId.Aes256Gcm 255 }); 256 Object.defineProperty(this, "keySize", { 257 enumerable: true, 258 configurable: true, 259 writable: true, 260 value: 32 261 }); 262 Object.defineProperty(this, "nonceSize", { 263 enumerable: true, 264 configurable: true, 265 writable: true, 266 value: 12 267 }); 268 Object.defineProperty(this, "tagSize", { 269 enumerable: true, 270 configurable: true, 271 writable: true, 272 value: 16 273 }); 274 } 275 }; 276 277 // npm/esm/core/src/aeads/exportOnly.js 278 var ExportOnly = class { 279 constructor() { 280 Object.defineProperty(this, "id", { 281 enumerable: true, 282 configurable: true, 283 writable: true, 284 value: AeadId.ExportOnly 285 }); 286 Object.defineProperty(this, "keySize", { 287 enumerable: true, 288 configurable: true, 289 writable: true, 290 value: 0 291 }); 292 Object.defineProperty(this, "nonceSize", { 293 enumerable: true, 294 configurable: true, 295 writable: true, 296 value: 0 297 }); 298 Object.defineProperty(this, "tagSize", { 299 enumerable: true, 300 configurable: true, 301 writable: true, 302 value: 0 303 }); 304 } 305 createEncryptionContext(_key) { 306 throw new NotSupportedError("Export only"); 307 } 308 }; 309 310 // npm/node_modules/@noble/ciphers/esm/_assert.js 311 function number(n) { 312 if (!Number.isSafeInteger(n) || n < 0) 313 throw new Error(`positive integer expected, not ${n}`); 314 } 315 function bool(b) { 316 if (typeof b !== "boolean") 317 throw new Error(`boolean expected, not ${b}`); 318 } 319 function isBytes(a) { 320 return a instanceof Uint8Array || a != null && typeof a === "object" && a.constructor.name === "Uint8Array"; 321 } 322 function bytes(b, ...lengths) { 323 if (!isBytes(b)) 324 throw new Error("Uint8Array expected"); 325 if (lengths.length > 0 && !lengths.includes(b.length)) 326 throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`); 327 } 328 function exists(instance, checkFinished = true) { 329 if (instance.destroyed) 330 throw new Error("Hash instance has been destroyed"); 331 if (checkFinished && instance.finished) 332 throw new Error("Hash#digest() has already been called"); 333 } 334 function output(out, instance) { 335 bytes(out); 336 const min = instance.outputLen; 337 if (out.length < min) { 338 throw new Error(`digestInto() expects output buffer of length at least ${min}`); 339 } 340 } 341 342 // npm/node_modules/@noble/ciphers/esm/utils.js 343 var u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4)); 344 var createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength); 345 var isLE = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68; 346 if (!isLE) 347 throw new Error("Non little-endian hardware is not supported"); 348 function utf8ToBytes(str) { 349 if (typeof str !== "string") 350 throw new Error(`string expected, got ${typeof str}`); 351 return new Uint8Array(new TextEncoder().encode(str)); 352 } 353 function toBytes(data) { 354 if (typeof data === "string") 355 data = utf8ToBytes(data); 356 else if (isBytes(data)) 357 data = data.slice(); 358 else 359 throw new Error(`Uint8Array expected, got ${typeof data}`); 360 return data; 361 } 362 function checkOpts(defaults, opts) { 363 if (opts == null || typeof opts !== "object") 364 throw new Error("options must be defined"); 365 const merged = Object.assign(defaults, opts); 366 return merged; 367 } 368 function equalBytes(a, b) { 369 if (a.length !== b.length) 370 return false; 371 let diff = 0; 372 for (let i = 0; i < a.length; i++) 373 diff |= a[i] ^ b[i]; 374 return diff === 0; 375 } 376 var wrapCipher = /* @__NO_SIDE_EFFECTS__ */ (params, c) => { 377 Object.assign(c, params); 378 return c; 379 }; 380 function setBigUint64(view, byteOffset, value, isLE3) { 381 if (typeof view.setBigUint64 === "function") 382 return view.setBigUint64(byteOffset, value, isLE3); 383 const _32n2 = BigInt(32); 384 const _u32_max = BigInt(4294967295); 385 const wh = Number(value >> _32n2 & _u32_max); 386 const wl = Number(value & _u32_max); 387 const h = isLE3 ? 4 : 0; 388 const l = isLE3 ? 0 : 4; 389 view.setUint32(byteOffset + h, wh, isLE3); 390 view.setUint32(byteOffset + l, wl, isLE3); 391 } 392 393 // npm/node_modules/@noble/ciphers/esm/_poly1305.js 394 var u8to16 = (a, i) => a[i++] & 255 | (a[i++] & 255) << 8; 395 var Poly1305 = class { 396 constructor(key) { 397 this.blockLen = 16; 398 this.outputLen = 16; 399 this.buffer = new Uint8Array(16); 400 this.r = new Uint16Array(10); 401 this.h = new Uint16Array(10); 402 this.pad = new Uint16Array(8); 403 this.pos = 0; 404 this.finished = false; 405 key = toBytes(key); 406 bytes(key, 32); 407 const t0 = u8to16(key, 0); 408 const t1 = u8to16(key, 2); 409 const t2 = u8to16(key, 4); 410 const t3 = u8to16(key, 6); 411 const t4 = u8to16(key, 8); 412 const t5 = u8to16(key, 10); 413 const t6 = u8to16(key, 12); 414 const t7 = u8to16(key, 14); 415 this.r[0] = t0 & 8191; 416 this.r[1] = (t0 >>> 13 | t1 << 3) & 8191; 417 this.r[2] = (t1 >>> 10 | t2 << 6) & 7939; 418 this.r[3] = (t2 >>> 7 | t3 << 9) & 8191; 419 this.r[4] = (t3 >>> 4 | t4 << 12) & 255; 420 this.r[5] = t4 >>> 1 & 8190; 421 this.r[6] = (t4 >>> 14 | t5 << 2) & 8191; 422 this.r[7] = (t5 >>> 11 | t6 << 5) & 8065; 423 this.r[8] = (t6 >>> 8 | t7 << 8) & 8191; 424 this.r[9] = t7 >>> 5 & 127; 425 for (let i = 0; i < 8; i++) 426 this.pad[i] = u8to16(key, 16 + 2 * i); 427 } 428 process(data, offset, isLast = false) { 429 const hibit = isLast ? 0 : 1 << 11; 430 const { h, r } = this; 431 const r0 = r[0]; 432 const r1 = r[1]; 433 const r2 = r[2]; 434 const r3 = r[3]; 435 const r4 = r[4]; 436 const r5 = r[5]; 437 const r6 = r[6]; 438 const r7 = r[7]; 439 const r8 = r[8]; 440 const r9 = r[9]; 441 const t0 = u8to16(data, offset + 0); 442 const t1 = u8to16(data, offset + 2); 443 const t2 = u8to16(data, offset + 4); 444 const t3 = u8to16(data, offset + 6); 445 const t4 = u8to16(data, offset + 8); 446 const t5 = u8to16(data, offset + 10); 447 const t6 = u8to16(data, offset + 12); 448 const t7 = u8to16(data, offset + 14); 449 let h0 = h[0] + (t0 & 8191); 450 let h1 = h[1] + ((t0 >>> 13 | t1 << 3) & 8191); 451 let h2 = h[2] + ((t1 >>> 10 | t2 << 6) & 8191); 452 let h3 = h[3] + ((t2 >>> 7 | t3 << 9) & 8191); 453 let h4 = h[4] + ((t3 >>> 4 | t4 << 12) & 8191); 454 let h5 = h[5] + (t4 >>> 1 & 8191); 455 let h6 = h[6] + ((t4 >>> 14 | t5 << 2) & 8191); 456 let h7 = h[7] + ((t5 >>> 11 | t6 << 5) & 8191); 457 let h8 = h[8] + ((t6 >>> 8 | t7 << 8) & 8191); 458 let h9 = h[9] + (t7 >>> 5 | hibit); 459 let c = 0; 460 let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6); 461 c = d0 >>> 13; 462 d0 &= 8191; 463 d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1); 464 c += d0 >>> 13; 465 d0 &= 8191; 466 let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7); 467 c = d1 >>> 13; 468 d1 &= 8191; 469 d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2); 470 c += d1 >>> 13; 471 d1 &= 8191; 472 let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8); 473 c = d2 >>> 13; 474 d2 &= 8191; 475 d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3); 476 c += d2 >>> 13; 477 d2 &= 8191; 478 let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9); 479 c = d3 >>> 13; 480 d3 &= 8191; 481 d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4); 482 c += d3 >>> 13; 483 d3 &= 8191; 484 let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0; 485 c = d4 >>> 13; 486 d4 &= 8191; 487 d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5); 488 c += d4 >>> 13; 489 d4 &= 8191; 490 let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1; 491 c = d5 >>> 13; 492 d5 &= 8191; 493 d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6); 494 c += d5 >>> 13; 495 d5 &= 8191; 496 let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2; 497 c = d6 >>> 13; 498 d6 &= 8191; 499 d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7); 500 c += d6 >>> 13; 501 d6 &= 8191; 502 let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3; 503 c = d7 >>> 13; 504 d7 &= 8191; 505 d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8); 506 c += d7 >>> 13; 507 d7 &= 8191; 508 let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4; 509 c = d8 >>> 13; 510 d8 &= 8191; 511 d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9); 512 c += d8 >>> 13; 513 d8 &= 8191; 514 let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5; 515 c = d9 >>> 13; 516 d9 &= 8191; 517 d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0; 518 c += d9 >>> 13; 519 d9 &= 8191; 520 c = (c << 2) + c | 0; 521 c = c + d0 | 0; 522 d0 = c & 8191; 523 c = c >>> 13; 524 d1 += c; 525 h[0] = d0; 526 h[1] = d1; 527 h[2] = d2; 528 h[3] = d3; 529 h[4] = d4; 530 h[5] = d5; 531 h[6] = d6; 532 h[7] = d7; 533 h[8] = d8; 534 h[9] = d9; 535 } 536 finalize() { 537 const { h, pad } = this; 538 const g = new Uint16Array(10); 539 let c = h[1] >>> 13; 540 h[1] &= 8191; 541 for (let i = 2; i < 10; i++) { 542 h[i] += c; 543 c = h[i] >>> 13; 544 h[i] &= 8191; 545 } 546 h[0] += c * 5; 547 c = h[0] >>> 13; 548 h[0] &= 8191; 549 h[1] += c; 550 c = h[1] >>> 13; 551 h[1] &= 8191; 552 h[2] += c; 553 g[0] = h[0] + 5; 554 c = g[0] >>> 13; 555 g[0] &= 8191; 556 for (let i = 1; i < 10; i++) { 557 g[i] = h[i] + c; 558 c = g[i] >>> 13; 559 g[i] &= 8191; 560 } 561 g[9] -= 1 << 13; 562 let mask = (c ^ 1) - 1; 563 for (let i = 0; i < 10; i++) 564 g[i] &= mask; 565 mask = ~mask; 566 for (let i = 0; i < 10; i++) 567 h[i] = h[i] & mask | g[i]; 568 h[0] = (h[0] | h[1] << 13) & 65535; 569 h[1] = (h[1] >>> 3 | h[2] << 10) & 65535; 570 h[2] = (h[2] >>> 6 | h[3] << 7) & 65535; 571 h[3] = (h[3] >>> 9 | h[4] << 4) & 65535; 572 h[4] = (h[4] >>> 12 | h[5] << 1 | h[6] << 14) & 65535; 573 h[5] = (h[6] >>> 2 | h[7] << 11) & 65535; 574 h[6] = (h[7] >>> 5 | h[8] << 8) & 65535; 575 h[7] = (h[8] >>> 8 | h[9] << 5) & 65535; 576 let f = h[0] + pad[0]; 577 h[0] = f & 65535; 578 for (let i = 1; i < 8; i++) { 579 f = (h[i] + pad[i] | 0) + (f >>> 16) | 0; 580 h[i] = f & 65535; 581 } 582 } 583 update(data) { 584 exists(this); 585 const { buffer, blockLen } = this; 586 data = toBytes(data); 587 const len = data.length; 588 for (let pos = 0; pos < len; ) { 589 const take = Math.min(blockLen - this.pos, len - pos); 590 if (take === blockLen) { 591 for (; blockLen <= len - pos; pos += blockLen) 592 this.process(data, pos); 593 continue; 594 } 595 buffer.set(data.subarray(pos, pos + take), this.pos); 596 this.pos += take; 597 pos += take; 598 if (this.pos === blockLen) { 599 this.process(buffer, 0, false); 600 this.pos = 0; 601 } 602 } 603 return this; 604 } 605 destroy() { 606 this.h.fill(0); 607 this.r.fill(0); 608 this.buffer.fill(0); 609 this.pad.fill(0); 610 } 611 digestInto(out) { 612 exists(this); 613 output(out, this); 614 this.finished = true; 615 const { buffer, h } = this; 616 let { pos } = this; 617 if (pos) { 618 buffer[pos++] = 1; 619 for (; pos < 16; pos++) 620 buffer[pos] = 0; 621 this.process(buffer, 0, true); 622 } 623 this.finalize(); 624 let opos = 0; 625 for (let i = 0; i < 8; i++) { 626 out[opos++] = h[i] >>> 0; 627 out[opos++] = h[i] >>> 8; 628 } 629 return out; 630 } 631 digest() { 632 const { buffer, outputLen } = this; 633 this.digestInto(buffer); 634 const res = buffer.slice(0, outputLen); 635 this.destroy(); 636 return res; 637 } 638 }; 639 function wrapConstructorWithKey(hashCons) { 640 const hashC = (msg, key) => hashCons(key).update(toBytes(msg)).digest(); 641 const tmp = hashCons(new Uint8Array(32)); 642 hashC.outputLen = tmp.outputLen; 643 hashC.blockLen = tmp.blockLen; 644 hashC.create = (key) => hashCons(key); 645 return hashC; 646 } 647 var poly1305 = wrapConstructorWithKey((key) => new Poly1305(key)); 648 649 // npm/node_modules/@noble/ciphers/esm/_arx.js 650 var _utf8ToBytes = (str) => Uint8Array.from(str.split("").map((c) => c.charCodeAt(0))); 651 var sigma16 = _utf8ToBytes("expand 16-byte k"); 652 var sigma32 = _utf8ToBytes("expand 32-byte k"); 653 var sigma16_32 = u32(sigma16); 654 var sigma32_32 = u32(sigma32); 655 var sigma = sigma32_32.slice(); 656 function rotl(a, b) { 657 return a << b | a >>> 32 - b; 658 } 659 function isAligned32(b) { 660 return b.byteOffset % 4 === 0; 661 } 662 var BLOCK_LEN = 64; 663 var BLOCK_LEN32 = 16; 664 var MAX_COUNTER = 2 ** 32 - 1; 665 var U32_EMPTY = new Uint32Array(); 666 function runCipher(core, sigma2, key, nonce, data, output3, counter, rounds) { 667 const len = data.length; 668 const block = new Uint8Array(BLOCK_LEN); 669 const b32 = u32(block); 670 const isAligned = isAligned32(data) && isAligned32(output3); 671 const d32 = isAligned ? u32(data) : U32_EMPTY; 672 const o32 = isAligned ? u32(output3) : U32_EMPTY; 673 for (let pos = 0; pos < len; counter++) { 674 core(sigma2, key, nonce, b32, counter, rounds); 675 if (counter >= MAX_COUNTER) 676 throw new Error("arx: counter overflow"); 677 const take = Math.min(BLOCK_LEN, len - pos); 678 if (isAligned && take === BLOCK_LEN) { 679 const pos32 = pos / 4; 680 if (pos % 4 !== 0) 681 throw new Error("arx: invalid block position"); 682 for (let j = 0, posj; j < BLOCK_LEN32; j++) { 683 posj = pos32 + j; 684 o32[posj] = d32[posj] ^ b32[j]; 685 } 686 pos += BLOCK_LEN; 687 continue; 688 } 689 for (let j = 0, posj; j < take; j++) { 690 posj = pos + j; 691 output3[posj] = data[posj] ^ block[j]; 692 } 693 pos += take; 694 } 695 } 696 function createCipher(core, opts) { 697 const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = checkOpts({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts); 698 if (typeof core !== "function") 699 throw new Error("core must be a function"); 700 number(counterLength); 701 number(rounds); 702 bool(counterRight); 703 bool(allowShortKeys); 704 return (key, nonce, data, output3, counter = 0) => { 705 bytes(key); 706 bytes(nonce); 707 bytes(data); 708 const len = data.length; 709 if (!output3) 710 output3 = new Uint8Array(len); 711 bytes(output3); 712 number(counter); 713 if (counter < 0 || counter >= MAX_COUNTER) 714 throw new Error("arx: counter overflow"); 715 if (output3.length < len) 716 throw new Error(`arx: output (${output3.length}) is shorter than data (${len})`); 717 const toClean = []; 718 let l = key.length, k, sigma2; 719 if (l === 32) { 720 k = key.slice(); 721 toClean.push(k); 722 sigma2 = sigma32_32; 723 } else if (l === 16 && allowShortKeys) { 724 k = new Uint8Array(32); 725 k.set(key); 726 k.set(key, 16); 727 sigma2 = sigma16_32; 728 toClean.push(k); 729 } else { 730 throw new Error(`arx: invalid 32-byte key, got length=${l}`); 731 } 732 if (!isAligned32(nonce)) { 733 nonce = nonce.slice(); 734 toClean.push(nonce); 735 } 736 const k32 = u32(k); 737 if (extendNonceFn) { 738 if (nonce.length !== 24) 739 throw new Error(`arx: extended nonce must be 24 bytes`); 740 extendNonceFn(sigma2, k32, u32(nonce.subarray(0, 16)), k32); 741 nonce = nonce.subarray(16); 742 } 743 const nonceNcLen = 16 - counterLength; 744 if (nonceNcLen !== nonce.length) 745 throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`); 746 if (nonceNcLen !== 12) { 747 const nc = new Uint8Array(12); 748 nc.set(nonce, counterRight ? 0 : 12 - nonce.length); 749 nonce = nc; 750 toClean.push(nonce); 751 } 752 const n32 = u32(nonce); 753 runCipher(core, sigma2, k32, n32, data, output3, counter, rounds); 754 while (toClean.length > 0) 755 toClean.pop().fill(0); 756 return output3; 757 }; 758 } 759 760 // npm/node_modules/@noble/ciphers/esm/chacha.js 761 function chachaCore(s, k, n, out, cnt, rounds = 20) { 762 let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; 763 let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; 764 for (let r = 0; r < rounds; r += 2) { 765 x00 = x00 + x04 | 0; 766 x12 = rotl(x12 ^ x00, 16); 767 x08 = x08 + x12 | 0; 768 x04 = rotl(x04 ^ x08, 12); 769 x00 = x00 + x04 | 0; 770 x12 = rotl(x12 ^ x00, 8); 771 x08 = x08 + x12 | 0; 772 x04 = rotl(x04 ^ x08, 7); 773 x01 = x01 + x05 | 0; 774 x13 = rotl(x13 ^ x01, 16); 775 x09 = x09 + x13 | 0; 776 x05 = rotl(x05 ^ x09, 12); 777 x01 = x01 + x05 | 0; 778 x13 = rotl(x13 ^ x01, 8); 779 x09 = x09 + x13 | 0; 780 x05 = rotl(x05 ^ x09, 7); 781 x02 = x02 + x06 | 0; 782 x14 = rotl(x14 ^ x02, 16); 783 x10 = x10 + x14 | 0; 784 x06 = rotl(x06 ^ x10, 12); 785 x02 = x02 + x06 | 0; 786 x14 = rotl(x14 ^ x02, 8); 787 x10 = x10 + x14 | 0; 788 x06 = rotl(x06 ^ x10, 7); 789 x03 = x03 + x07 | 0; 790 x15 = rotl(x15 ^ x03, 16); 791 x11 = x11 + x15 | 0; 792 x07 = rotl(x07 ^ x11, 12); 793 x03 = x03 + x07 | 0; 794 x15 = rotl(x15 ^ x03, 8); 795 x11 = x11 + x15 | 0; 796 x07 = rotl(x07 ^ x11, 7); 797 x00 = x00 + x05 | 0; 798 x15 = rotl(x15 ^ x00, 16); 799 x10 = x10 + x15 | 0; 800 x05 = rotl(x05 ^ x10, 12); 801 x00 = x00 + x05 | 0; 802 x15 = rotl(x15 ^ x00, 8); 803 x10 = x10 + x15 | 0; 804 x05 = rotl(x05 ^ x10, 7); 805 x01 = x01 + x06 | 0; 806 x12 = rotl(x12 ^ x01, 16); 807 x11 = x11 + x12 | 0; 808 x06 = rotl(x06 ^ x11, 12); 809 x01 = x01 + x06 | 0; 810 x12 = rotl(x12 ^ x01, 8); 811 x11 = x11 + x12 | 0; 812 x06 = rotl(x06 ^ x11, 7); 813 x02 = x02 + x07 | 0; 814 x13 = rotl(x13 ^ x02, 16); 815 x08 = x08 + x13 | 0; 816 x07 = rotl(x07 ^ x08, 12); 817 x02 = x02 + x07 | 0; 818 x13 = rotl(x13 ^ x02, 8); 819 x08 = x08 + x13 | 0; 820 x07 = rotl(x07 ^ x08, 7); 821 x03 = x03 + x04 | 0; 822 x14 = rotl(x14 ^ x03, 16); 823 x09 = x09 + x14 | 0; 824 x04 = rotl(x04 ^ x09, 12); 825 x03 = x03 + x04 | 0; 826 x14 = rotl(x14 ^ x03, 8); 827 x09 = x09 + x14 | 0; 828 x04 = rotl(x04 ^ x09, 7); 829 } 830 let oi = 0; 831 out[oi++] = y00 + x00 | 0; 832 out[oi++] = y01 + x01 | 0; 833 out[oi++] = y02 + x02 | 0; 834 out[oi++] = y03 + x03 | 0; 835 out[oi++] = y04 + x04 | 0; 836 out[oi++] = y05 + x05 | 0; 837 out[oi++] = y06 + x06 | 0; 838 out[oi++] = y07 + x07 | 0; 839 out[oi++] = y08 + x08 | 0; 840 out[oi++] = y09 + x09 | 0; 841 out[oi++] = y10 + x10 | 0; 842 out[oi++] = y11 + x11 | 0; 843 out[oi++] = y12 + x12 | 0; 844 out[oi++] = y13 + x13 | 0; 845 out[oi++] = y14 + x14 | 0; 846 out[oi++] = y15 + x15 | 0; 847 } 848 function hchacha(s, k, i, o32) { 849 let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3]; 850 for (let r = 0; r < 20; r += 2) { 851 x00 = x00 + x04 | 0; 852 x12 = rotl(x12 ^ x00, 16); 853 x08 = x08 + x12 | 0; 854 x04 = rotl(x04 ^ x08, 12); 855 x00 = x00 + x04 | 0; 856 x12 = rotl(x12 ^ x00, 8); 857 x08 = x08 + x12 | 0; 858 x04 = rotl(x04 ^ x08, 7); 859 x01 = x01 + x05 | 0; 860 x13 = rotl(x13 ^ x01, 16); 861 x09 = x09 + x13 | 0; 862 x05 = rotl(x05 ^ x09, 12); 863 x01 = x01 + x05 | 0; 864 x13 = rotl(x13 ^ x01, 8); 865 x09 = x09 + x13 | 0; 866 x05 = rotl(x05 ^ x09, 7); 867 x02 = x02 + x06 | 0; 868 x14 = rotl(x14 ^ x02, 16); 869 x10 = x10 + x14 | 0; 870 x06 = rotl(x06 ^ x10, 12); 871 x02 = x02 + x06 | 0; 872 x14 = rotl(x14 ^ x02, 8); 873 x10 = x10 + x14 | 0; 874 x06 = rotl(x06 ^ x10, 7); 875 x03 = x03 + x07 | 0; 876 x15 = rotl(x15 ^ x03, 16); 877 x11 = x11 + x15 | 0; 878 x07 = rotl(x07 ^ x11, 12); 879 x03 = x03 + x07 | 0; 880 x15 = rotl(x15 ^ x03, 8); 881 x11 = x11 + x15 | 0; 882 x07 = rotl(x07 ^ x11, 7); 883 x00 = x00 + x05 | 0; 884 x15 = rotl(x15 ^ x00, 16); 885 x10 = x10 + x15 | 0; 886 x05 = rotl(x05 ^ x10, 12); 887 x00 = x00 + x05 | 0; 888 x15 = rotl(x15 ^ x00, 8); 889 x10 = x10 + x15 | 0; 890 x05 = rotl(x05 ^ x10, 7); 891 x01 = x01 + x06 | 0; 892 x12 = rotl(x12 ^ x01, 16); 893 x11 = x11 + x12 | 0; 894 x06 = rotl(x06 ^ x11, 12); 895 x01 = x01 + x06 | 0; 896 x12 = rotl(x12 ^ x01, 8); 897 x11 = x11 + x12 | 0; 898 x06 = rotl(x06 ^ x11, 7); 899 x02 = x02 + x07 | 0; 900 x13 = rotl(x13 ^ x02, 16); 901 x08 = x08 + x13 | 0; 902 x07 = rotl(x07 ^ x08, 12); 903 x02 = x02 + x07 | 0; 904 x13 = rotl(x13 ^ x02, 8); 905 x08 = x08 + x13 | 0; 906 x07 = rotl(x07 ^ x08, 7); 907 x03 = x03 + x04 | 0; 908 x14 = rotl(x14 ^ x03, 16); 909 x09 = x09 + x14 | 0; 910 x04 = rotl(x04 ^ x09, 12); 911 x03 = x03 + x04 | 0; 912 x14 = rotl(x14 ^ x03, 8); 913 x09 = x09 + x14 | 0; 914 x04 = rotl(x04 ^ x09, 7); 915 } 916 let oi = 0; 917 o32[oi++] = x00; 918 o32[oi++] = x01; 919 o32[oi++] = x02; 920 o32[oi++] = x03; 921 o32[oi++] = x12; 922 o32[oi++] = x13; 923 o32[oi++] = x14; 924 o32[oi++] = x15; 925 } 926 var chacha20 = /* @__PURE__ */ createCipher(chachaCore, { 927 counterRight: false, 928 counterLength: 4, 929 allowShortKeys: false 930 }); 931 var xchacha20 = /* @__PURE__ */ createCipher(chachaCore, { 932 counterRight: false, 933 counterLength: 8, 934 extendNonceFn: hchacha, 935 allowShortKeys: false 936 }); 937 var ZEROS16 = /* @__PURE__ */ new Uint8Array(16); 938 var updatePadded = (h, msg) => { 939 h.update(msg); 940 const left = msg.length % 16; 941 if (left) 942 h.update(ZEROS16.subarray(left)); 943 }; 944 var ZEROS32 = /* @__PURE__ */ new Uint8Array(32); 945 function computeTag(fn, key, nonce, data, AAD) { 946 const authKey = fn(key, nonce, ZEROS32); 947 const h = poly1305.create(authKey); 948 if (AAD) 949 updatePadded(h, AAD); 950 updatePadded(h, data); 951 const num = new Uint8Array(16); 952 const view = createView(num); 953 setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); 954 setBigUint64(view, 8, BigInt(data.length), true); 955 h.update(num); 956 const res = h.digest(); 957 authKey.fill(0); 958 return res; 959 } 960 var _poly1305_aead = (xorStream) => (key, nonce, AAD) => { 961 const tagLength = 16; 962 bytes(key, 32); 963 bytes(nonce); 964 return { 965 encrypt: (plaintext, output3) => { 966 const plength = plaintext.length; 967 const clength = plength + tagLength; 968 if (output3) { 969 bytes(output3, clength); 970 } else { 971 output3 = new Uint8Array(clength); 972 } 973 xorStream(key, nonce, plaintext, output3, 1); 974 const tag = computeTag(xorStream, key, nonce, output3.subarray(0, -tagLength), AAD); 975 output3.set(tag, plength); 976 return output3; 977 }, 978 decrypt: (ciphertext, output3) => { 979 const clength = ciphertext.length; 980 const plength = clength - tagLength; 981 if (clength < tagLength) 982 throw new Error(`encrypted data must be at least ${tagLength} bytes`); 983 if (output3) { 984 bytes(output3, plength); 985 } else { 986 output3 = new Uint8Array(plength); 987 } 988 const data = ciphertext.subarray(0, -tagLength); 989 const passedTag = ciphertext.subarray(-tagLength); 990 const tag = computeTag(xorStream, key, nonce, data, AAD); 991 if (!equalBytes(passedTag, tag)) 992 throw new Error("invalid tag"); 993 xorStream(key, nonce, data, output3, 1); 994 return output3; 995 } 996 }; 997 }; 998 var chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20)); 999 var xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20)); 1000 1001 // core/src/identifiers.ts 1002 var Aead2 = { 1003 Aes128Gcm: 1, 1004 Aes256Gcm: 2, 1005 Chacha20Poly1305: 3, 1006 ExportOnly: 65535 1007 }; 1008 var AeadId2 = Aead2; 1009 1010 // core/src/consts.ts 1011 var EMPTY = new Uint8Array(0); 1012 1013 // core/src/exporterContext.ts 1014 var LABEL_SEC = new Uint8Array([115, 101, 99]); 1015 1016 // core/src/cipherSuiteNative.ts 1017 var LABEL_BASE_NONCE = new Uint8Array([ 1018 98, 1019 97, 1020 115, 1021 101, 1022 95, 1023 110, 1024 111, 1025 110, 1026 99, 1027 101 1028 ]); 1029 var LABEL_EXP = new Uint8Array([101, 120, 112]); 1030 var LABEL_INFO_HASH = new Uint8Array([ 1031 105, 1032 110, 1033 102, 1034 111, 1035 95, 1036 104, 1037 97, 1038 115, 1039 104 1040 ]); 1041 var LABEL_KEY = new Uint8Array([107, 101, 121]); 1042 var LABEL_PSK_ID_HASH = new Uint8Array([ 1043 112, 1044 115, 1045 107, 1046 95, 1047 105, 1048 100, 1049 95, 1050 104, 1051 97, 1052 115, 1053 104 1054 ]); 1055 var LABEL_SECRET = new Uint8Array([115, 101, 99, 114, 101, 116]); 1056 var SUITE_ID_HEADER_HPKE = new Uint8Array([ 1057 72, 1058 80, 1059 75, 1060 69, 1061 0, 1062 0, 1063 0, 1064 0, 1065 0, 1066 0 1067 ]); 1068 1069 // core/src/kdfs/hkdf.ts 1070 var HPKE_VERSION = new Uint8Array([72, 80, 75, 69, 45, 118, 49]); 1071 1072 // core/src/interfaces/kemInterface.ts 1073 var SUITE_ID_HEADER_KEM = new Uint8Array([75, 69, 77, 0, 0]); 1074 1075 // core/src/kems/dhkem.ts 1076 var LABEL_EAE_PRK = new Uint8Array([101, 97, 101, 95, 112, 114, 107]); 1077 var LABEL_SHARED_SECRET = new Uint8Array([ 1078 115, 1079 104, 1080 97, 1081 114, 1082 101, 1083 100, 1084 95, 1085 115, 1086 101, 1087 99, 1088 114, 1089 101, 1090 116 1091 ]); 1092 1093 // core/src/interfaces/dhkemPrimitives.ts 1094 var LABEL_DKP_PRK = new Uint8Array([100, 107, 112, 95, 112, 114, 107]); 1095 var LABEL_SK = new Uint8Array([115, 107]); 1096 1097 // core/src/kems/dhkemPrimitives/ec.ts 1098 var LABEL_CANDIDATE = new Uint8Array([ 1099 99, 1100 97, 1101 110, 1102 100, 1103 105, 1104 100, 1105 97, 1106 116, 1107 101 1108 ]); 1109 var ORDER_P_256 = new Uint8Array([ 1110 255, 1111 255, 1112 255, 1113 255, 1114 0, 1115 0, 1116 0, 1117 0, 1118 255, 1119 255, 1120 255, 1121 255, 1122 255, 1123 255, 1124 255, 1125 255, 1126 188, 1127 230, 1128 250, 1129 173, 1130 167, 1131 23, 1132 158, 1133 132, 1134 243, 1135 185, 1136 202, 1137 194, 1138 252, 1139 99, 1140 37, 1141 81 1142 ]); 1143 var ORDER_P_384 = new Uint8Array([ 1144 255, 1145 255, 1146 255, 1147 255, 1148 255, 1149 255, 1150 255, 1151 255, 1152 255, 1153 255, 1154 255, 1155 255, 1156 255, 1157 255, 1158 255, 1159 255, 1160 255, 1161 255, 1162 255, 1163 255, 1164 255, 1165 255, 1166 255, 1167 255, 1168 199, 1169 99, 1170 77, 1171 129, 1172 244, 1173 55, 1174 45, 1175 223, 1176 88, 1177 26, 1178 13, 1179 178, 1180 72, 1181 176, 1182 167, 1183 122, 1184 236, 1185 236, 1186 25, 1187 106, 1188 204, 1189 197, 1190 41, 1191 115 1192 ]); 1193 var ORDER_P_521 = new Uint8Array([ 1194 1, 1195 255, 1196 255, 1197 255, 1198 255, 1199 255, 1200 255, 1201 255, 1202 255, 1203 255, 1204 255, 1205 255, 1206 255, 1207 255, 1208 255, 1209 255, 1210 255, 1211 255, 1212 255, 1213 255, 1214 255, 1215 255, 1216 255, 1217 255, 1218 255, 1219 255, 1220 255, 1221 255, 1222 255, 1223 255, 1224 255, 1225 255, 1226 255, 1227 250, 1228 81, 1229 134, 1230 135, 1231 131, 1232 191, 1233 47, 1234 150, 1235 107, 1236 127, 1237 204, 1238 1, 1239 72, 1240 247, 1241 9, 1242 165, 1243 208, 1244 59, 1245 181, 1246 201, 1247 184, 1248 137, 1249 156, 1250 71, 1251 174, 1252 187, 1253 111, 1254 183, 1255 30, 1256 145, 1257 56, 1258 100, 1259 9 1260 ]); 1261 var PKCS8_ALG_ID_P_256 = new Uint8Array([ 1262 48, 1263 65, 1264 2, 1265 1, 1266 0, 1267 48, 1268 19, 1269 6, 1270 7, 1271 42, 1272 134, 1273 72, 1274 206, 1275 61, 1276 2, 1277 1, 1278 6, 1279 8, 1280 42, 1281 134, 1282 72, 1283 206, 1284 61, 1285 3, 1286 1, 1287 7, 1288 4, 1289 39, 1290 48, 1291 37, 1292 2, 1293 1, 1294 1, 1295 4, 1296 32 1297 ]); 1298 var PKCS8_ALG_ID_P_384 = new Uint8Array([ 1299 48, 1300 78, 1301 2, 1302 1, 1303 0, 1304 48, 1305 16, 1306 6, 1307 7, 1308 42, 1309 134, 1310 72, 1311 206, 1312 61, 1313 2, 1314 1, 1315 6, 1316 5, 1317 43, 1318 129, 1319 4, 1320 0, 1321 34, 1322 4, 1323 55, 1324 48, 1325 53, 1326 2, 1327 1, 1328 1, 1329 4, 1330 48 1331 ]); 1332 var PKCS8_ALG_ID_P_521 = new Uint8Array([ 1333 48, 1334 96, 1335 2, 1336 1, 1337 0, 1338 48, 1339 16, 1340 6, 1341 7, 1342 42, 1343 134, 1344 72, 1345 206, 1346 61, 1347 2, 1348 1, 1349 6, 1350 5, 1351 43, 1352 129, 1353 4, 1354 0, 1355 35, 1356 4, 1357 73, 1358 48, 1359 71, 1360 2, 1361 1, 1362 1, 1363 4, 1364 66 1365 ]); 1366 1367 // npm/esm/x/chacha20poly1305/src/chacha20Poly1305.js 1368 var Chacha20Poly1305Context = class { 1369 constructor(key) { 1370 Object.defineProperty(this, "_key", { 1371 enumerable: true, 1372 configurable: true, 1373 writable: true, 1374 value: void 0 1375 }); 1376 this._key = new Uint8Array(key); 1377 } 1378 async seal(iv, data, aad) { 1379 return await this._seal(iv, data, aad); 1380 } 1381 async open(iv, data, aad) { 1382 return await this._open(iv, data, aad); 1383 } 1384 _seal(iv, data, aad) { 1385 return new Promise((resolve) => { 1386 const ret = chacha20poly1305(this._key, new Uint8Array(iv), new Uint8Array(aad)).encrypt(new Uint8Array(data)); 1387 resolve(ret.buffer); 1388 }); 1389 } 1390 _open(iv, data, aad) { 1391 return new Promise((resolve) => { 1392 const ret = chacha20poly1305(this._key, new Uint8Array(iv), new Uint8Array(aad)).decrypt(new Uint8Array(data)); 1393 resolve(ret.buffer); 1394 }); 1395 } 1396 }; 1397 var Chacha20Poly1305 = class { 1398 constructor() { 1399 Object.defineProperty(this, "id", { 1400 enumerable: true, 1401 configurable: true, 1402 writable: true, 1403 value: AeadId2.Chacha20Poly1305 1404 }); 1405 Object.defineProperty(this, "keySize", { 1406 enumerable: true, 1407 configurable: true, 1408 writable: true, 1409 value: 32 1410 }); 1411 Object.defineProperty(this, "nonceSize", { 1412 enumerable: true, 1413 configurable: true, 1414 writable: true, 1415 value: 12 1416 }); 1417 Object.defineProperty(this, "tagSize", { 1418 enumerable: true, 1419 configurable: true, 1420 writable: true, 1421 value: 16 1422 }); 1423 } 1424 createEncryptionContext(key) { 1425 return new Chacha20Poly1305Context(key); 1426 } 1427 }; 1428 1429 // npm/node_modules/@noble/hashes/esm/_assert.js 1430 function number2(n) { 1431 if (!Number.isSafeInteger(n) || n < 0) 1432 throw new Error(`positive integer expected, not ${n}`); 1433 } 1434 function isBytes2(a) { 1435 return a instanceof Uint8Array || a != null && typeof a === "object" && a.constructor.name === "Uint8Array"; 1436 } 1437 function bytes2(b, ...lengths) { 1438 if (!isBytes2(b)) 1439 throw new Error("Uint8Array expected"); 1440 if (lengths.length > 0 && !lengths.includes(b.length)) 1441 throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`); 1442 } 1443 function hash(h) { 1444 if (typeof h !== "function" || typeof h.create !== "function") 1445 throw new Error("Hash should be wrapped by utils.wrapConstructor"); 1446 number2(h.outputLen); 1447 number2(h.blockLen); 1448 } 1449 function exists2(instance, checkFinished = true) { 1450 if (instance.destroyed) 1451 throw new Error("Hash instance has been destroyed"); 1452 if (checkFinished && instance.finished) 1453 throw new Error("Hash#digest() has already been called"); 1454 } 1455 function output2(out, instance) { 1456 bytes2(out); 1457 const min = instance.outputLen; 1458 if (out.length < min) { 1459 throw new Error(`digestInto() expects output buffer of length at least ${min}`); 1460 } 1461 } 1462 1463 // npm/node_modules/@noble/hashes/esm/crypto.js 1464 var crypto = typeof globalThis === "object" && "crypto" in globalThis ? globalThis.crypto : void 0; 1465 1466 // npm/node_modules/@noble/hashes/esm/utils.js 1467 var u322 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4)); 1468 var createView2 = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength); 1469 var rotr = (word, shift) => word << 32 - shift | word >>> shift; 1470 var isLE2 = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68; 1471 var byteSwap = (word) => word << 24 & 4278190080 | word << 8 & 16711680 | word >>> 8 & 65280 | word >>> 24 & 255; 1472 function byteSwap32(arr) { 1473 for (let i = 0; i < arr.length; i++) { 1474 arr[i] = byteSwap(arr[i]); 1475 } 1476 } 1477 function utf8ToBytes2(str) { 1478 if (typeof str !== "string") 1479 throw new Error(`utf8ToBytes expected string, got ${typeof str}`); 1480 return new Uint8Array(new TextEncoder().encode(str)); 1481 } 1482 function toBytes2(data) { 1483 if (typeof data === "string") 1484 data = utf8ToBytes2(data); 1485 bytes2(data); 1486 return data; 1487 } 1488 function concatBytes(...arrays) { 1489 let sum = 0; 1490 for (let i = 0; i < arrays.length; i++) { 1491 const a = arrays[i]; 1492 bytes2(a); 1493 sum += a.length; 1494 } 1495 const res = new Uint8Array(sum); 1496 for (let i = 0, pad = 0; i < arrays.length; i++) { 1497 const a = arrays[i]; 1498 res.set(a, pad); 1499 pad += a.length; 1500 } 1501 return res; 1502 } 1503 var Hash = class { 1504 // Safe version that clones internal state 1505 clone() { 1506 return this._cloneInto(); 1507 } 1508 }; 1509 var toStr = {}.toString; 1510 function wrapConstructor(hashCons) { 1511 const hashC = (msg) => hashCons().update(toBytes2(msg)).digest(); 1512 const tmp = hashCons(); 1513 hashC.outputLen = tmp.outputLen; 1514 hashC.blockLen = tmp.blockLen; 1515 hashC.create = () => hashCons(); 1516 return hashC; 1517 } 1518 function wrapXOFConstructorWithOpts(hashCons) { 1519 const hashC = (msg, opts) => hashCons(opts).update(toBytes2(msg)).digest(); 1520 const tmp = hashCons({}); 1521 hashC.outputLen = tmp.outputLen; 1522 hashC.blockLen = tmp.blockLen; 1523 hashC.create = (opts) => hashCons(opts); 1524 return hashC; 1525 } 1526 function randomBytes(bytesLength = 32) { 1527 if (crypto && typeof crypto.getRandomValues === "function") { 1528 return crypto.getRandomValues(new Uint8Array(bytesLength)); 1529 } 1530 throw new Error("crypto.getRandomValues must be defined"); 1531 } 1532 1533 // npm/node_modules/@noble/hashes/esm/hmac.js 1534 var HMAC = class extends Hash { 1535 constructor(hash2, _key) { 1536 super(); 1537 this.finished = false; 1538 this.destroyed = false; 1539 hash(hash2); 1540 const key = toBytes2(_key); 1541 this.iHash = hash2.create(); 1542 if (typeof this.iHash.update !== "function") 1543 throw new Error("Expected instance of class which extends utils.Hash"); 1544 this.blockLen = this.iHash.blockLen; 1545 this.outputLen = this.iHash.outputLen; 1546 const blockLen = this.blockLen; 1547 const pad = new Uint8Array(blockLen); 1548 pad.set(key.length > blockLen ? hash2.create().update(key).digest() : key); 1549 for (let i = 0; i < pad.length; i++) 1550 pad[i] ^= 54; 1551 this.iHash.update(pad); 1552 this.oHash = hash2.create(); 1553 for (let i = 0; i < pad.length; i++) 1554 pad[i] ^= 54 ^ 92; 1555 this.oHash.update(pad); 1556 pad.fill(0); 1557 } 1558 update(buf) { 1559 exists2(this); 1560 this.iHash.update(buf); 1561 return this; 1562 } 1563 digestInto(out) { 1564 exists2(this); 1565 bytes2(out, this.outputLen); 1566 this.finished = true; 1567 this.iHash.digestInto(out); 1568 this.oHash.update(out); 1569 this.oHash.digestInto(out); 1570 this.destroy(); 1571 } 1572 digest() { 1573 const out = new Uint8Array(this.oHash.outputLen); 1574 this.digestInto(out); 1575 return out; 1576 } 1577 _cloneInto(to) { 1578 to || (to = Object.create(Object.getPrototypeOf(this), {})); 1579 const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this; 1580 to = to; 1581 to.finished = finished; 1582 to.destroyed = destroyed; 1583 to.blockLen = blockLen; 1584 to.outputLen = outputLen; 1585 to.oHash = oHash._cloneInto(to.oHash); 1586 to.iHash = iHash._cloneInto(to.iHash); 1587 return to; 1588 } 1589 destroy() { 1590 this.destroyed = true; 1591 this.oHash.destroy(); 1592 this.iHash.destroy(); 1593 } 1594 }; 1595 var hmac = (hash2, key, message) => new HMAC(hash2, key).update(message).digest(); 1596 hmac.create = (hash2, key) => new HMAC(hash2, key); 1597 1598 // npm/node_modules/@noble/hashes/esm/_md.js 1599 function setBigUint642(view, byteOffset, value, isLE3) { 1600 if (typeof view.setBigUint64 === "function") 1601 return view.setBigUint64(byteOffset, value, isLE3); 1602 const _32n2 = BigInt(32); 1603 const _u32_max = BigInt(4294967295); 1604 const wh = Number(value >> _32n2 & _u32_max); 1605 const wl = Number(value & _u32_max); 1606 const h = isLE3 ? 4 : 0; 1607 const l = isLE3 ? 0 : 4; 1608 view.setUint32(byteOffset + h, wh, isLE3); 1609 view.setUint32(byteOffset + l, wl, isLE3); 1610 } 1611 var Chi = (a, b, c) => a & b ^ ~a & c; 1612 var Maj = (a, b, c) => a & b ^ a & c ^ b & c; 1613 var HashMD = class extends Hash { 1614 constructor(blockLen, outputLen, padOffset, isLE3) { 1615 super(); 1616 this.blockLen = blockLen; 1617 this.outputLen = outputLen; 1618 this.padOffset = padOffset; 1619 this.isLE = isLE3; 1620 this.finished = false; 1621 this.length = 0; 1622 this.pos = 0; 1623 this.destroyed = false; 1624 this.buffer = new Uint8Array(blockLen); 1625 this.view = createView2(this.buffer); 1626 } 1627 update(data) { 1628 exists2(this); 1629 const { view, buffer, blockLen } = this; 1630 data = toBytes2(data); 1631 const len = data.length; 1632 for (let pos = 0; pos < len; ) { 1633 const take = Math.min(blockLen - this.pos, len - pos); 1634 if (take === blockLen) { 1635 const dataView = createView2(data); 1636 for (; blockLen <= len - pos; pos += blockLen) 1637 this.process(dataView, pos); 1638 continue; 1639 } 1640 buffer.set(data.subarray(pos, pos + take), this.pos); 1641 this.pos += take; 1642 pos += take; 1643 if (this.pos === blockLen) { 1644 this.process(view, 0); 1645 this.pos = 0; 1646 } 1647 } 1648 this.length += data.length; 1649 this.roundClean(); 1650 return this; 1651 } 1652 digestInto(out) { 1653 exists2(this); 1654 output2(out, this); 1655 this.finished = true; 1656 const { buffer, view, blockLen, isLE: isLE3 } = this; 1657 let { pos } = this; 1658 buffer[pos++] = 128; 1659 this.buffer.subarray(pos).fill(0); 1660 if (this.padOffset > blockLen - pos) { 1661 this.process(view, 0); 1662 pos = 0; 1663 } 1664 for (let i = pos; i < blockLen; i++) 1665 buffer[i] = 0; 1666 setBigUint642(view, blockLen - 8, BigInt(this.length * 8), isLE3); 1667 this.process(view, 0); 1668 const oview = createView2(out); 1669 const len = this.outputLen; 1670 if (len % 4) 1671 throw new Error("_sha2: outputLen should be aligned to 32bit"); 1672 const outLen = len / 4; 1673 const state = this.get(); 1674 if (outLen > state.length) 1675 throw new Error("_sha2: outputLen bigger than state"); 1676 for (let i = 0; i < outLen; i++) 1677 oview.setUint32(4 * i, state[i], isLE3); 1678 } 1679 digest() { 1680 const { buffer, outputLen } = this; 1681 this.digestInto(buffer); 1682 const res = buffer.slice(0, outputLen); 1683 this.destroy(); 1684 return res; 1685 } 1686 _cloneInto(to) { 1687 to || (to = new this.constructor()); 1688 to.set(...this.get()); 1689 const { blockLen, buffer, length, finished, destroyed, pos } = this; 1690 to.length = length; 1691 to.pos = pos; 1692 to.finished = finished; 1693 to.destroyed = destroyed; 1694 if (length % blockLen) 1695 to.buffer.set(buffer); 1696 return to; 1697 } 1698 }; 1699 1700 // npm/node_modules/@noble/hashes/esm/sha256.js 1701 var SHA256_K = /* @__PURE__ */ new Uint32Array([ 1702 1116352408, 1703 1899447441, 1704 3049323471, 1705 3921009573, 1706 961987163, 1707 1508970993, 1708 2453635748, 1709 2870763221, 1710 3624381080, 1711 310598401, 1712 607225278, 1713 1426881987, 1714 1925078388, 1715 2162078206, 1716 2614888103, 1717 3248222580, 1718 3835390401, 1719 4022224774, 1720 264347078, 1721 604807628, 1722 770255983, 1723 1249150122, 1724 1555081692, 1725 1996064986, 1726 2554220882, 1727 2821834349, 1728 2952996808, 1729 3210313671, 1730 3336571891, 1731 3584528711, 1732 113926993, 1733 338241895, 1734 666307205, 1735 773529912, 1736 1294757372, 1737 1396182291, 1738 1695183700, 1739 1986661051, 1740 2177026350, 1741 2456956037, 1742 2730485921, 1743 2820302411, 1744 3259730800, 1745 3345764771, 1746 3516065817, 1747 3600352804, 1748 4094571909, 1749 275423344, 1750 430227734, 1751 506948616, 1752 659060556, 1753 883997877, 1754 958139571, 1755 1322822218, 1756 1537002063, 1757 1747873779, 1758 1955562222, 1759 2024104815, 1760 2227730452, 1761 2361852424, 1762 2428436474, 1763 2756734187, 1764 3204031479, 1765 3329325298 1766 ]); 1767 var SHA256_IV = /* @__PURE__ */ new Uint32Array([ 1768 1779033703, 1769 3144134277, 1770 1013904242, 1771 2773480762, 1772 1359893119, 1773 2600822924, 1774 528734635, 1775 1541459225 1776 ]); 1777 var SHA256_W = /* @__PURE__ */ new Uint32Array(64); 1778 var SHA256 = class extends HashMD { 1779 constructor() { 1780 super(64, 32, 8, false); 1781 this.A = SHA256_IV[0] | 0; 1782 this.B = SHA256_IV[1] | 0; 1783 this.C = SHA256_IV[2] | 0; 1784 this.D = SHA256_IV[3] | 0; 1785 this.E = SHA256_IV[4] | 0; 1786 this.F = SHA256_IV[5] | 0; 1787 this.G = SHA256_IV[6] | 0; 1788 this.H = SHA256_IV[7] | 0; 1789 } 1790 get() { 1791 const { A, B, C, D, E, F, G, H } = this; 1792 return [A, B, C, D, E, F, G, H]; 1793 } 1794 // prettier-ignore 1795 set(A, B, C, D, E, F, G, H) { 1796 this.A = A | 0; 1797 this.B = B | 0; 1798 this.C = C | 0; 1799 this.D = D | 0; 1800 this.E = E | 0; 1801 this.F = F | 0; 1802 this.G = G | 0; 1803 this.H = H | 0; 1804 } 1805 process(view, offset) { 1806 for (let i = 0; i < 16; i++, offset += 4) 1807 SHA256_W[i] = view.getUint32(offset, false); 1808 for (let i = 16; i < 64; i++) { 1809 const W15 = SHA256_W[i - 15]; 1810 const W2 = SHA256_W[i - 2]; 1811 const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ W15 >>> 3; 1812 const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ W2 >>> 10; 1813 SHA256_W[i] = s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16] | 0; 1814 } 1815 let { A, B, C, D, E, F, G, H } = this; 1816 for (let i = 0; i < 64; i++) { 1817 const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25); 1818 const T1 = H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i] | 0; 1819 const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22); 1820 const T2 = sigma0 + Maj(A, B, C) | 0; 1821 H = G; 1822 G = F; 1823 F = E; 1824 E = D + T1 | 0; 1825 D = C; 1826 C = B; 1827 B = A; 1828 A = T1 + T2 | 0; 1829 } 1830 A = A + this.A | 0; 1831 B = B + this.B | 0; 1832 C = C + this.C | 0; 1833 D = D + this.D | 0; 1834 E = E + this.E | 0; 1835 F = F + this.F | 0; 1836 G = G + this.G | 0; 1837 H = H + this.H | 0; 1838 this.set(A, B, C, D, E, F, G, H); 1839 } 1840 roundClean() { 1841 SHA256_W.fill(0); 1842 } 1843 destroy() { 1844 this.set(0, 0, 0, 0, 0, 0, 0, 0); 1845 this.buffer.fill(0); 1846 } 1847 }; 1848 var sha256 = /* @__PURE__ */ wrapConstructor(() => new SHA256()); 1849 1850 // npm/esm/core/src/consts.js 1851 var INPUT_LENGTH_LIMIT2 = 8192; 1852 var MINIMUM_PSK_LENGTH2 = 32; 1853 var EMPTY2 = new Uint8Array(0); 1854 1855 // npm/esm/core/src/kdfs/hkdf.js 1856 var HPKE_VERSION2 = new Uint8Array([72, 80, 75, 69, 45, 118, 49]); 1857 var HkdfNative = class extends NativeAlgorithm { 1858 constructor() { 1859 super(); 1860 Object.defineProperty(this, "id", { 1861 enumerable: true, 1862 configurable: true, 1863 writable: true, 1864 value: KdfId.HkdfSha256 1865 }); 1866 Object.defineProperty(this, "hashSize", { 1867 enumerable: true, 1868 configurable: true, 1869 writable: true, 1870 value: 0 1871 }); 1872 Object.defineProperty(this, "_suiteId", { 1873 enumerable: true, 1874 configurable: true, 1875 writable: true, 1876 value: EMPTY2 1877 }); 1878 Object.defineProperty(this, "algHash", { 1879 enumerable: true, 1880 configurable: true, 1881 writable: true, 1882 value: { 1883 name: "HMAC", 1884 hash: "SHA-256", 1885 length: 256 1886 } 1887 }); 1888 } 1889 init(suiteId) { 1890 this._suiteId = suiteId; 1891 } 1892 buildLabeledIkm(label, ikm) { 1893 this._checkInit(); 1894 const ret = new Uint8Array(7 + this._suiteId.byteLength + label.byteLength + ikm.byteLength); 1895 ret.set(HPKE_VERSION2, 0); 1896 ret.set(this._suiteId, 7); 1897 ret.set(label, 7 + this._suiteId.byteLength); 1898 ret.set(ikm, 7 + this._suiteId.byteLength + label.byteLength); 1899 return ret; 1900 } 1901 buildLabeledInfo(label, info, len) { 1902 this._checkInit(); 1903 const ret = new Uint8Array(9 + this._suiteId.byteLength + label.byteLength + info.byteLength); 1904 ret.set(new Uint8Array([0, len]), 0); 1905 ret.set(HPKE_VERSION2, 2); 1906 ret.set(this._suiteId, 9); 1907 ret.set(label, 9 + this._suiteId.byteLength); 1908 ret.set(info, 9 + this._suiteId.byteLength + label.byteLength); 1909 return ret; 1910 } 1911 async extract(salt, ikm) { 1912 await this._setup(); 1913 if (salt.byteLength === 0) { 1914 salt = new ArrayBuffer(this.hashSize); 1915 } 1916 if (salt.byteLength !== this.hashSize) { 1917 throw new InvalidParamError("The salt length must be the same as the hashSize"); 1918 } 1919 const key = await this._api.importKey("raw", salt, this.algHash, false, [ 1920 "sign" 1921 ]); 1922 return await this._api.sign("HMAC", key, ikm); 1923 } 1924 async expand(prk, info, len) { 1925 await this._setup(); 1926 const key = await this._api.importKey("raw", prk, this.algHash, false, [ 1927 "sign" 1928 ]); 1929 const okm = new ArrayBuffer(len); 1930 const p = new Uint8Array(okm); 1931 let prev = EMPTY2; 1932 const mid = new Uint8Array(info); 1933 const tail = new Uint8Array(1); 1934 if (len > 255 * this.hashSize) { 1935 throw new Error("Entropy limit reached"); 1936 } 1937 const tmp = new Uint8Array(this.hashSize + mid.length + 1); 1938 for (let i = 1, cur = 0; cur < p.length; i++) { 1939 tail[0] = i; 1940 tmp.set(prev, 0); 1941 tmp.set(mid, prev.length); 1942 tmp.set(tail, prev.length + mid.length); 1943 prev = new Uint8Array(await this._api.sign("HMAC", key, tmp.slice(0, prev.length + mid.length + 1))); 1944 if (p.length - cur >= prev.length) { 1945 p.set(prev, cur); 1946 cur += prev.length; 1947 } else { 1948 p.set(prev.slice(0, p.length - cur), cur); 1949 cur += p.length - cur; 1950 } 1951 } 1952 return okm; 1953 } 1954 async extractAndExpand(salt, ikm, info, len) { 1955 await this._setup(); 1956 const baseKey = await this._api.importKey("raw", ikm, "HKDF", false, ["deriveBits"]); 1957 return await this._api.deriveBits({ 1958 name: "HKDF", 1959 hash: this.algHash.hash, 1960 salt, 1961 info 1962 }, baseKey, len * 8); 1963 } 1964 async labeledExtract(salt, label, ikm) { 1965 return await this.extract(salt, this.buildLabeledIkm(label, ikm)); 1966 } 1967 async labeledExpand(prk, label, info, len) { 1968 return await this.expand(prk, this.buildLabeledInfo(label, info, len), len); 1969 } 1970 _checkInit() { 1971 if (this._suiteId === EMPTY2) { 1972 throw new Error("Not initialized. Call init()"); 1973 } 1974 } 1975 }; 1976 var HkdfSha256Native2 = class extends HkdfNative { 1977 constructor() { 1978 super(...arguments); 1979 Object.defineProperty(this, "id", { 1980 enumerable: true, 1981 configurable: true, 1982 writable: true, 1983 value: KdfId.HkdfSha256 1984 }); 1985 Object.defineProperty(this, "hashSize", { 1986 enumerable: true, 1987 configurable: true, 1988 writable: true, 1989 value: 32 1990 }); 1991 Object.defineProperty(this, "algHash", { 1992 enumerable: true, 1993 configurable: true, 1994 writable: true, 1995 value: { 1996 name: "HMAC", 1997 hash: "SHA-256", 1998 length: 256 1999 } 2000 }); 2001 } 2002 }; 2003 var HkdfSha384Native2 = class extends HkdfNative { 2004 constructor() { 2005 super(...arguments); 2006 Object.defineProperty(this, "id", { 2007 enumerable: true, 2008 configurable: true, 2009 writable: true, 2010 value: KdfId.HkdfSha384 2011 }); 2012 Object.defineProperty(this, "hashSize", { 2013 enumerable: true, 2014 configurable: true, 2015 writable: true, 2016 value: 48 2017 }); 2018 Object.defineProperty(this, "algHash", { 2019 enumerable: true, 2020 configurable: true, 2021 writable: true, 2022 value: { 2023 name: "HMAC", 2024 hash: "SHA-384", 2025 length: 384 2026 } 2027 }); 2028 } 2029 }; 2030 var HkdfSha512Native2 = class extends HkdfNative { 2031 constructor() { 2032 super(...arguments); 2033 Object.defineProperty(this, "id", { 2034 enumerable: true, 2035 configurable: true, 2036 writable: true, 2037 value: KdfId.HkdfSha512 2038 }); 2039 Object.defineProperty(this, "hashSize", { 2040 enumerable: true, 2041 configurable: true, 2042 writable: true, 2043 value: 64 2044 }); 2045 Object.defineProperty(this, "algHash", { 2046 enumerable: true, 2047 configurable: true, 2048 writable: true, 2049 value: { 2050 name: "HMAC", 2051 hash: "SHA-512", 2052 length: 512 2053 } 2054 }); 2055 } 2056 }; 2057 2058 // npm/esm/src/kdfs/hkdfSha256.js 2059 var HkdfSha2562 = class extends HkdfSha256Native2 { 2060 async extract(salt, ikm) { 2061 await this._setup(); 2062 if (salt.byteLength === 0) { 2063 salt = new ArrayBuffer(this.hashSize); 2064 } 2065 if (salt.byteLength !== this.hashSize) { 2066 return hmac(sha256, new Uint8Array(salt), new Uint8Array(ikm)); 2067 } 2068 const key = await this._api.importKey("raw", salt, this.algHash, false, [ 2069 "sign" 2070 ]); 2071 return await this._api.sign("HMAC", key, ikm); 2072 } 2073 }; 2074 2075 // npm/node_modules/@noble/hashes/esm/_u64.js 2076 var U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1); 2077 var _32n = /* @__PURE__ */ BigInt(32); 2078 function fromBig(n, le = false) { 2079 if (le) 2080 return { h: Number(n & U32_MASK64), l: Number(n >> _32n & U32_MASK64) }; 2081 return { h: Number(n >> _32n & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 }; 2082 } 2083 function split(lst, le = false) { 2084 let Ah = new Uint32Array(lst.length); 2085 let Al = new Uint32Array(lst.length); 2086 for (let i = 0; i < lst.length; i++) { 2087 const { h, l } = fromBig(lst[i], le); 2088 [Ah[i], Al[i]] = [h, l]; 2089 } 2090 return [Ah, Al]; 2091 } 2092 var toBig = (h, l) => BigInt(h >>> 0) << _32n | BigInt(l >>> 0); 2093 var shrSH = (h, _l, s) => h >>> s; 2094 var shrSL = (h, l, s) => h << 32 - s | l >>> s; 2095 var rotrSH = (h, l, s) => h >>> s | l << 32 - s; 2096 var rotrSL = (h, l, s) => h << 32 - s | l >>> s; 2097 var rotrBH = (h, l, s) => h << 64 - s | l >>> s - 32; 2098 var rotrBL = (h, l, s) => h >>> s - 32 | l << 64 - s; 2099 var rotr32H = (_h, l) => l; 2100 var rotr32L = (h, _l) => h; 2101 var rotlSH = (h, l, s) => h << s | l >>> 32 - s; 2102 var rotlSL = (h, l, s) => l << s | h >>> 32 - s; 2103 var rotlBH = (h, l, s) => l << s - 32 | h >>> 64 - s; 2104 var rotlBL = (h, l, s) => h << s - 32 | l >>> 64 - s; 2105 function add(Ah, Al, Bh, Bl) { 2106 const l = (Al >>> 0) + (Bl >>> 0); 2107 return { h: Ah + Bh + (l / 2 ** 32 | 0) | 0, l: l | 0 }; 2108 } 2109 var add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0); 2110 var add3H = (low, Ah, Bh, Ch) => Ah + Bh + Ch + (low / 2 ** 32 | 0) | 0; 2111 var add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0); 2112 var add4H = (low, Ah, Bh, Ch, Dh) => Ah + Bh + Ch + Dh + (low / 2 ** 32 | 0) | 0; 2113 var add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0); 2114 var add5H = (low, Ah, Bh, Ch, Dh, Eh) => Ah + Bh + Ch + Dh + Eh + (low / 2 ** 32 | 0) | 0; 2115 var u64 = { 2116 fromBig, 2117 split, 2118 toBig, 2119 shrSH, 2120 shrSL, 2121 rotrSH, 2122 rotrSL, 2123 rotrBH, 2124 rotrBL, 2125 rotr32H, 2126 rotr32L, 2127 rotlSH, 2128 rotlSL, 2129 rotlBH, 2130 rotlBL, 2131 add, 2132 add3L, 2133 add3H, 2134 add4L, 2135 add4H, 2136 add5H, 2137 add5L 2138 }; 2139 var u64_default = u64; 2140 2141 // npm/node_modules/@noble/hashes/esm/sha512.js 2142 var [SHA512_Kh, SHA512_Kl] = /* @__PURE__ */ (() => u64_default.split([ 2143 "0x428a2f98d728ae22", 2144 "0x7137449123ef65cd", 2145 "0xb5c0fbcfec4d3b2f", 2146 "0xe9b5dba58189dbbc", 2147 "0x3956c25bf348b538", 2148 "0x59f111f1b605d019", 2149 "0x923f82a4af194f9b", 2150 "0xab1c5ed5da6d8118", 2151 "0xd807aa98a3030242", 2152 "0x12835b0145706fbe", 2153 "0x243185be4ee4b28c", 2154 "0x550c7dc3d5ffb4e2", 2155 "0x72be5d74f27b896f", 2156 "0x80deb1fe3b1696b1", 2157 "0x9bdc06a725c71235", 2158 "0xc19bf174cf692694", 2159 "0xe49b69c19ef14ad2", 2160 "0xefbe4786384f25e3", 2161 "0x0fc19dc68b8cd5b5", 2162 "0x240ca1cc77ac9c65", 2163 "0x2de92c6f592b0275", 2164 "0x4a7484aa6ea6e483", 2165 "0x5cb0a9dcbd41fbd4", 2166 "0x76f988da831153b5", 2167 "0x983e5152ee66dfab", 2168 "0xa831c66d2db43210", 2169 "0xb00327c898fb213f", 2170 "0xbf597fc7beef0ee4", 2171 "0xc6e00bf33da88fc2", 2172 "0xd5a79147930aa725", 2173 "0x06ca6351e003826f", 2174 "0x142929670a0e6e70", 2175 "0x27b70a8546d22ffc", 2176 "0x2e1b21385c26c926", 2177 "0x4d2c6dfc5ac42aed", 2178 "0x53380d139d95b3df", 2179 "0x650a73548baf63de", 2180 "0x766a0abb3c77b2a8", 2181 "0x81c2c92e47edaee6", 2182 "0x92722c851482353b", 2183 "0xa2bfe8a14cf10364", 2184 "0xa81a664bbc423001", 2185 "0xc24b8b70d0f89791", 2186 "0xc76c51a30654be30", 2187 "0xd192e819d6ef5218", 2188 "0xd69906245565a910", 2189 "0xf40e35855771202a", 2190 "0x106aa07032bbd1b8", 2191 "0x19a4c116b8d2d0c8", 2192 "0x1e376c085141ab53", 2193 "0x2748774cdf8eeb99", 2194 "0x34b0bcb5e19b48a8", 2195 "0x391c0cb3c5c95a63", 2196 "0x4ed8aa4ae3418acb", 2197 "0x5b9cca4f7763e373", 2198 "0x682e6ff3d6b2b8a3", 2199 "0x748f82ee5defb2fc", 2200 "0x78a5636f43172f60", 2201 "0x84c87814a1f0ab72", 2202 "0x8cc702081a6439ec", 2203 "0x90befffa23631e28", 2204 "0xa4506cebde82bde9", 2205 "0xbef9a3f7b2c67915", 2206 "0xc67178f2e372532b", 2207 "0xca273eceea26619c", 2208 "0xd186b8c721c0c207", 2209 "0xeada7dd6cde0eb1e", 2210 "0xf57d4f7fee6ed178", 2211 "0x06f067aa72176fba", 2212 "0x0a637dc5a2c898a6", 2213 "0x113f9804bef90dae", 2214 "0x1b710b35131c471b", 2215 "0x28db77f523047d84", 2216 "0x32caab7b40c72493", 2217 "0x3c9ebe0a15c9bebc", 2218 "0x431d67c49c100d4c", 2219 "0x4cc5d4becb3e42b6", 2220 "0x597f299cfc657e2a", 2221 "0x5fcb6fab3ad6faec", 2222 "0x6c44198c4a475817" 2223 ].map((n) => BigInt(n))))(); 2224 var SHA512_W_H = /* @__PURE__ */ new Uint32Array(80); 2225 var SHA512_W_L = /* @__PURE__ */ new Uint32Array(80); 2226 var SHA512 = class extends HashMD { 2227 constructor() { 2228 super(128, 64, 16, false); 2229 this.Ah = 1779033703 | 0; 2230 this.Al = 4089235720 | 0; 2231 this.Bh = 3144134277 | 0; 2232 this.Bl = 2227873595 | 0; 2233 this.Ch = 1013904242 | 0; 2234 this.Cl = 4271175723 | 0; 2235 this.Dh = 2773480762 | 0; 2236 this.Dl = 1595750129 | 0; 2237 this.Eh = 1359893119 | 0; 2238 this.El = 2917565137 | 0; 2239 this.Fh = 2600822924 | 0; 2240 this.Fl = 725511199 | 0; 2241 this.Gh = 528734635 | 0; 2242 this.Gl = 4215389547 | 0; 2243 this.Hh = 1541459225 | 0; 2244 this.Hl = 327033209 | 0; 2245 } 2246 // prettier-ignore 2247 get() { 2248 const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this; 2249 return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl]; 2250 } 2251 // prettier-ignore 2252 set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) { 2253 this.Ah = Ah | 0; 2254 this.Al = Al | 0; 2255 this.Bh = Bh | 0; 2256 this.Bl = Bl | 0; 2257 this.Ch = Ch | 0; 2258 this.Cl = Cl | 0; 2259 this.Dh = Dh | 0; 2260 this.Dl = Dl | 0; 2261 this.Eh = Eh | 0; 2262 this.El = El | 0; 2263 this.Fh = Fh | 0; 2264 this.Fl = Fl | 0; 2265 this.Gh = Gh | 0; 2266 this.Gl = Gl | 0; 2267 this.Hh = Hh | 0; 2268 this.Hl = Hl | 0; 2269 } 2270 process(view, offset) { 2271 for (let i = 0; i < 16; i++, offset += 4) { 2272 SHA512_W_H[i] = view.getUint32(offset); 2273 SHA512_W_L[i] = view.getUint32(offset += 4); 2274 } 2275 for (let i = 16; i < 80; i++) { 2276 const W15h = SHA512_W_H[i - 15] | 0; 2277 const W15l = SHA512_W_L[i - 15] | 0; 2278 const s0h = u64_default.rotrSH(W15h, W15l, 1) ^ u64_default.rotrSH(W15h, W15l, 8) ^ u64_default.shrSH(W15h, W15l, 7); 2279 const s0l = u64_default.rotrSL(W15h, W15l, 1) ^ u64_default.rotrSL(W15h, W15l, 8) ^ u64_default.shrSL(W15h, W15l, 7); 2280 const W2h = SHA512_W_H[i - 2] | 0; 2281 const W2l = SHA512_W_L[i - 2] | 0; 2282 const s1h = u64_default.rotrSH(W2h, W2l, 19) ^ u64_default.rotrBH(W2h, W2l, 61) ^ u64_default.shrSH(W2h, W2l, 6); 2283 const s1l = u64_default.rotrSL(W2h, W2l, 19) ^ u64_default.rotrBL(W2h, W2l, 61) ^ u64_default.shrSL(W2h, W2l, 6); 2284 const SUMl = u64_default.add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]); 2285 const SUMh = u64_default.add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]); 2286 SHA512_W_H[i] = SUMh | 0; 2287 SHA512_W_L[i] = SUMl | 0; 2288 } 2289 let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this; 2290 for (let i = 0; i < 80; i++) { 2291 const sigma1h = u64_default.rotrSH(Eh, El, 14) ^ u64_default.rotrSH(Eh, El, 18) ^ u64_default.rotrBH(Eh, El, 41); 2292 const sigma1l = u64_default.rotrSL(Eh, El, 14) ^ u64_default.rotrSL(Eh, El, 18) ^ u64_default.rotrBL(Eh, El, 41); 2293 const CHIh = Eh & Fh ^ ~Eh & Gh; 2294 const CHIl = El & Fl ^ ~El & Gl; 2295 const T1ll = u64_default.add5L(Hl, sigma1l, CHIl, SHA512_Kl[i], SHA512_W_L[i]); 2296 const T1h = u64_default.add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i], SHA512_W_H[i]); 2297 const T1l = T1ll | 0; 2298 const sigma0h = u64_default.rotrSH(Ah, Al, 28) ^ u64_default.rotrBH(Ah, Al, 34) ^ u64_default.rotrBH(Ah, Al, 39); 2299 const sigma0l = u64_default.rotrSL(Ah, Al, 28) ^ u64_default.rotrBL(Ah, Al, 34) ^ u64_default.rotrBL(Ah, Al, 39); 2300 const MAJh = Ah & Bh ^ Ah & Ch ^ Bh & Ch; 2301 const MAJl = Al & Bl ^ Al & Cl ^ Bl & Cl; 2302 Hh = Gh | 0; 2303 Hl = Gl | 0; 2304 Gh = Fh | 0; 2305 Gl = Fl | 0; 2306 Fh = Eh | 0; 2307 Fl = El | 0; 2308 ({ h: Eh, l: El } = u64_default.add(Dh | 0, Dl | 0, T1h | 0, T1l | 0)); 2309 Dh = Ch | 0; 2310 Dl = Cl | 0; 2311 Ch = Bh | 0; 2312 Cl = Bl | 0; 2313 Bh = Ah | 0; 2314 Bl = Al | 0; 2315 const All = u64_default.add3L(T1l, sigma0l, MAJl); 2316 Ah = u64_default.add3H(All, T1h, sigma0h, MAJh); 2317 Al = All | 0; 2318 } 2319 ({ h: Ah, l: Al } = u64_default.add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0)); 2320 ({ h: Bh, l: Bl } = u64_default.add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0)); 2321 ({ h: Ch, l: Cl } = u64_default.add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0)); 2322 ({ h: Dh, l: Dl } = u64_default.add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0)); 2323 ({ h: Eh, l: El } = u64_default.add(this.Eh | 0, this.El | 0, Eh | 0, El | 0)); 2324 ({ h: Fh, l: Fl } = u64_default.add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0)); 2325 ({ h: Gh, l: Gl } = u64_default.add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0)); 2326 ({ h: Hh, l: Hl } = u64_default.add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0)); 2327 this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl); 2328 } 2329 roundClean() { 2330 SHA512_W_H.fill(0); 2331 SHA512_W_L.fill(0); 2332 } 2333 destroy() { 2334 this.buffer.fill(0); 2335 this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); 2336 } 2337 }; 2338 var SHA384 = class extends SHA512 { 2339 constructor() { 2340 super(); 2341 this.Ah = 3418070365 | 0; 2342 this.Al = 3238371032 | 0; 2343 this.Bh = 1654270250 | 0; 2344 this.Bl = 914150663 | 0; 2345 this.Ch = 2438529370 | 0; 2346 this.Cl = 812702999 | 0; 2347 this.Dh = 355462360 | 0; 2348 this.Dl = 4144912697 | 0; 2349 this.Eh = 1731405415 | 0; 2350 this.El = 4290775857 | 0; 2351 this.Fh = 2394180231 | 0; 2352 this.Fl = 1750603025 | 0; 2353 this.Gh = 3675008525 | 0; 2354 this.Gl = 1694076839 | 0; 2355 this.Hh = 1203062813 | 0; 2356 this.Hl = 3204075428 | 0; 2357 this.outputLen = 48; 2358 } 2359 }; 2360 var sha512 = /* @__PURE__ */ wrapConstructor(() => new SHA512()); 2361 var sha384 = /* @__PURE__ */ wrapConstructor(() => new SHA384()); 2362 2363 // npm/esm/src/kdfs/hkdfSha384.js 2364 var HkdfSha3842 = class extends HkdfSha384Native2 { 2365 async extract(salt, ikm) { 2366 await this._setup(); 2367 if (salt.byteLength === 0) { 2368 salt = new ArrayBuffer(this.hashSize); 2369 } 2370 if (salt.byteLength !== this.hashSize) { 2371 return hmac(sha384, new Uint8Array(salt), new Uint8Array(ikm)); 2372 } 2373 const key = await this._api.importKey("raw", salt, this.algHash, false, [ 2374 "sign" 2375 ]); 2376 return await this._api.sign("HMAC", key, ikm); 2377 } 2378 }; 2379 2380 // npm/esm/src/kdfs/hkdfSha512.js 2381 var HkdfSha5122 = class extends HkdfSha512Native2 { 2382 async extract(salt, ikm) { 2383 await this._setup(); 2384 if (salt.byteLength === 0) { 2385 salt = new ArrayBuffer(this.hashSize); 2386 } 2387 if (salt.byteLength !== this.hashSize) { 2388 return hmac(sha512, new Uint8Array(salt), new Uint8Array(ikm)); 2389 } 2390 const key = await this._api.importKey("raw", salt, this.algHash, false, [ 2391 "sign" 2392 ]); 2393 return await this._api.sign("HMAC", key, ikm); 2394 } 2395 }; 2396 2397 // npm/esm/core/src/interfaces/kemInterface.js 2398 var SUITE_ID_HEADER_KEM2 = new Uint8Array([75, 69, 77, 0, 0]); 2399 2400 // npm/esm/core/src/utils/misc.js 2401 var isCryptoKeyPair2 = (x) => typeof x === "object" && x !== null && typeof x.privateKey === "object" && typeof x.publicKey === "object"; 2402 function i2Osp2(n, w) { 2403 if (w <= 0) { 2404 throw new Error("i2Osp: too small size"); 2405 } 2406 if (n >= 256 ** w) { 2407 throw new Error("i2Osp: too large integer"); 2408 } 2409 const ret = new Uint8Array(w); 2410 for (let i = 0; i < w && n; i++) { 2411 ret[w - (i + 1)] = n % 256; 2412 n = n >> 8; 2413 } 2414 return ret; 2415 } 2416 function concat2(a, b) { 2417 const ret = new Uint8Array(a.length + b.length); 2418 ret.set(a, 0); 2419 ret.set(b, a.length); 2420 return ret; 2421 } 2422 function base64UrlToBytes2(v) { 2423 const base64 = v.replace(/-/g, "+").replace(/_/g, "/"); 2424 const byteString = atob(base64); 2425 const ret = new Uint8Array(byteString.length); 2426 for (let i = 0; i < byteString.length; i++) { 2427 ret[i] = byteString.charCodeAt(i); 2428 } 2429 return ret; 2430 } 2431 2432 // npm/esm/core/src/kems/dhkem.js 2433 var LABEL_EAE_PRK2 = new Uint8Array([101, 97, 101, 95, 112, 114, 107]); 2434 var LABEL_SHARED_SECRET2 = new Uint8Array([ 2435 115, 2436 104, 2437 97, 2438 114, 2439 101, 2440 100, 2441 95, 2442 115, 2443 101, 2444 99, 2445 114, 2446 101, 2447 116 2448 ]); 2449 function concat3(a, b, c) { 2450 const ret = new Uint8Array(a.length + b.length + c.length); 2451 ret.set(a, 0); 2452 ret.set(b, a.length); 2453 ret.set(c, a.length + b.length); 2454 return ret; 2455 } 2456 var Dhkem2 = class { 2457 constructor(id, prim, kdf) { 2458 Object.defineProperty(this, "id", { 2459 enumerable: true, 2460 configurable: true, 2461 writable: true, 2462 value: void 0 2463 }); 2464 Object.defineProperty(this, "secretSize", { 2465 enumerable: true, 2466 configurable: true, 2467 writable: true, 2468 value: 0 2469 }); 2470 Object.defineProperty(this, "encSize", { 2471 enumerable: true, 2472 configurable: true, 2473 writable: true, 2474 value: 0 2475 }); 2476 Object.defineProperty(this, "publicKeySize", { 2477 enumerable: true, 2478 configurable: true, 2479 writable: true, 2480 value: 0 2481 }); 2482 Object.defineProperty(this, "privateKeySize", { 2483 enumerable: true, 2484 configurable: true, 2485 writable: true, 2486 value: 0 2487 }); 2488 Object.defineProperty(this, "_prim", { 2489 enumerable: true, 2490 configurable: true, 2491 writable: true, 2492 value: void 0 2493 }); 2494 Object.defineProperty(this, "_kdf", { 2495 enumerable: true, 2496 configurable: true, 2497 writable: true, 2498 value: void 0 2499 }); 2500 this.id = id; 2501 this._prim = prim; 2502 this._kdf = kdf; 2503 const suiteId = new Uint8Array(SUITE_ID_HEADER_KEM2); 2504 suiteId.set(i2Osp2(this.id, 2), 3); 2505 this._kdf.init(suiteId); 2506 } 2507 async serializePublicKey(key) { 2508 return await this._prim.serializePublicKey(key); 2509 } 2510 async deserializePublicKey(key) { 2511 return await this._prim.deserializePublicKey(key); 2512 } 2513 async serializePrivateKey(key) { 2514 return await this._prim.serializePrivateKey(key); 2515 } 2516 async deserializePrivateKey(key) { 2517 return await this._prim.deserializePrivateKey(key); 2518 } 2519 async importKey(format, key, isPublic = true) { 2520 return await this._prim.importKey(format, key, isPublic); 2521 } 2522 async generateKeyPair() { 2523 return await this._prim.generateKeyPair(); 2524 } 2525 async deriveKeyPair(ikm) { 2526 if (ikm.byteLength > INPUT_LENGTH_LIMIT2) { 2527 throw new InvalidParamError("Too long ikm"); 2528 } 2529 return await this._prim.deriveKeyPair(ikm); 2530 } 2531 async encap(params) { 2532 let ke; 2533 if (params.ekm === void 0) { 2534 ke = await this.generateKeyPair(); 2535 } else if (isCryptoKeyPair2(params.ekm)) { 2536 ke = params.ekm; 2537 } else { 2538 ke = await this.deriveKeyPair(params.ekm); 2539 } 2540 const enc = await this._prim.serializePublicKey(ke.publicKey); 2541 const pkrm = await this._prim.serializePublicKey(params.recipientPublicKey); 2542 try { 2543 let dh; 2544 if (params.senderKey === void 0) { 2545 dh = new Uint8Array(await this._prim.dh(ke.privateKey, params.recipientPublicKey)); 2546 } else { 2547 const sks = isCryptoKeyPair2(params.senderKey) ? params.senderKey.privateKey : params.senderKey; 2548 const dh1 = new Uint8Array(await this._prim.dh(ke.privateKey, params.recipientPublicKey)); 2549 const dh2 = new Uint8Array(await this._prim.dh(sks, params.recipientPublicKey)); 2550 dh = concat2(dh1, dh2); 2551 } 2552 let kemContext; 2553 if (params.senderKey === void 0) { 2554 kemContext = concat2(new Uint8Array(enc), new Uint8Array(pkrm)); 2555 } else { 2556 const pks = isCryptoKeyPair2(params.senderKey) ? params.senderKey.publicKey : await this._prim.derivePublicKey(params.senderKey); 2557 const pksm = await this._prim.serializePublicKey(pks); 2558 kemContext = concat3(new Uint8Array(enc), new Uint8Array(pkrm), new Uint8Array(pksm)); 2559 } 2560 const sharedSecret = await this._generateSharedSecret(dh, kemContext); 2561 return { 2562 enc, 2563 sharedSecret 2564 }; 2565 } catch (e) { 2566 throw new EncapError(e); 2567 } 2568 } 2569 async decap(params) { 2570 const pke = await this._prim.deserializePublicKey(params.enc); 2571 const skr = isCryptoKeyPair2(params.recipientKey) ? params.recipientKey.privateKey : params.recipientKey; 2572 const pkr = isCryptoKeyPair2(params.recipientKey) ? params.recipientKey.publicKey : await this._prim.derivePublicKey(params.recipientKey); 2573 const pkrm = await this._prim.serializePublicKey(pkr); 2574 try { 2575 let dh; 2576 if (params.senderPublicKey === void 0) { 2577 dh = new Uint8Array(await this._prim.dh(skr, pke)); 2578 } else { 2579 const dh1 = new Uint8Array(await this._prim.dh(skr, pke)); 2580 const dh2 = new Uint8Array(await this._prim.dh(skr, params.senderPublicKey)); 2581 dh = concat2(dh1, dh2); 2582 } 2583 let kemContext; 2584 if (params.senderPublicKey === void 0) { 2585 kemContext = concat2(new Uint8Array(params.enc), new Uint8Array(pkrm)); 2586 } else { 2587 const pksm = await this._prim.serializePublicKey(params.senderPublicKey); 2588 kemContext = new Uint8Array(params.enc.byteLength + pkrm.byteLength + pksm.byteLength); 2589 kemContext.set(new Uint8Array(params.enc), 0); 2590 kemContext.set(new Uint8Array(pkrm), params.enc.byteLength); 2591 kemContext.set(new Uint8Array(pksm), params.enc.byteLength + pkrm.byteLength); 2592 } 2593 return await this._generateSharedSecret(dh, kemContext); 2594 } catch (e) { 2595 throw new DecapError(e); 2596 } 2597 } 2598 async _generateSharedSecret(dh, kemContext) { 2599 const labeledIkm = this._kdf.buildLabeledIkm(LABEL_EAE_PRK2, dh); 2600 const labeledInfo = this._kdf.buildLabeledInfo(LABEL_SHARED_SECRET2, kemContext, this.secretSize); 2601 return await this._kdf.extractAndExpand(EMPTY2, labeledIkm, labeledInfo, this.secretSize); 2602 } 2603 }; 2604 2605 // npm/esm/core/src/interfaces/dhkemPrimitives.js 2606 var KEM_USAGES2 = ["deriveBits"]; 2607 var LABEL_DKP_PRK2 = new Uint8Array([100, 107, 112, 95, 112, 114, 107]); 2608 var LABEL_SK2 = new Uint8Array([115, 107]); 2609 2610 // npm/esm/core/src/utils/bignum.js 2611 var Bignum2 = class { 2612 constructor(size) { 2613 Object.defineProperty(this, "_num", { 2614 enumerable: true, 2615 configurable: true, 2616 writable: true, 2617 value: void 0 2618 }); 2619 this._num = new Uint8Array(size); 2620 } 2621 val() { 2622 return this._num; 2623 } 2624 reset() { 2625 this._num.fill(0); 2626 } 2627 set(src) { 2628 if (src.length !== this._num.length) { 2629 throw new Error("Bignum.set: invalid argument"); 2630 } 2631 this._num.set(src); 2632 } 2633 isZero() { 2634 for (let i = 0; i < this._num.length; i++) { 2635 if (this._num[i] !== 0) { 2636 return false; 2637 } 2638 } 2639 return true; 2640 } 2641 lessThan(v) { 2642 if (v.length !== this._num.length) { 2643 throw new Error("Bignum.lessThan: invalid argument"); 2644 } 2645 for (let i = 0; i < this._num.length; i++) { 2646 if (this._num[i] < v[i]) { 2647 return true; 2648 } 2649 if (this._num[i] > v[i]) { 2650 return false; 2651 } 2652 } 2653 return false; 2654 } 2655 }; 2656 2657 // npm/esm/core/src/kems/dhkemPrimitives/ec.js 2658 var LABEL_CANDIDATE2 = new Uint8Array([ 2659 99, 2660 97, 2661 110, 2662 100, 2663 105, 2664 100, 2665 97, 2666 116, 2667 101 2668 ]); 2669 var ORDER_P_2562 = new Uint8Array([ 2670 255, 2671 255, 2672 255, 2673 255, 2674 0, 2675 0, 2676 0, 2677 0, 2678 255, 2679 255, 2680 255, 2681 255, 2682 255, 2683 255, 2684 255, 2685 255, 2686 188, 2687 230, 2688 250, 2689 173, 2690 167, 2691 23, 2692 158, 2693 132, 2694 243, 2695 185, 2696 202, 2697 194, 2698 252, 2699 99, 2700 37, 2701 81 2702 ]); 2703 var ORDER_P_3842 = new Uint8Array([ 2704 255, 2705 255, 2706 255, 2707 255, 2708 255, 2709 255, 2710 255, 2711 255, 2712 255, 2713 255, 2714 255, 2715 255, 2716 255, 2717 255, 2718 255, 2719 255, 2720 255, 2721 255, 2722 255, 2723 255, 2724 255, 2725 255, 2726 255, 2727 255, 2728 199, 2729 99, 2730 77, 2731 129, 2732 244, 2733 55, 2734 45, 2735 223, 2736 88, 2737 26, 2738 13, 2739 178, 2740 72, 2741 176, 2742 167, 2743 122, 2744 236, 2745 236, 2746 25, 2747 106, 2748 204, 2749 197, 2750 41, 2751 115 2752 ]); 2753 var ORDER_P_5212 = new Uint8Array([ 2754 1, 2755 255, 2756 255, 2757 255, 2758 255, 2759 255, 2760 255, 2761 255, 2762 255, 2763 255, 2764 255, 2765 255, 2766 255, 2767 255, 2768 255, 2769 255, 2770 255, 2771 255, 2772 255, 2773 255, 2774 255, 2775 255, 2776 255, 2777 255, 2778 255, 2779 255, 2780 255, 2781 255, 2782 255, 2783 255, 2784 255, 2785 255, 2786 255, 2787 250, 2788 81, 2789 134, 2790 135, 2791 131, 2792 191, 2793 47, 2794 150, 2795 107, 2796 127, 2797 204, 2798 1, 2799 72, 2800 247, 2801 9, 2802 165, 2803 208, 2804 59, 2805 181, 2806 201, 2807 184, 2808 137, 2809 156, 2810 71, 2811 174, 2812 187, 2813 111, 2814 183, 2815 30, 2816 145, 2817 56, 2818 100, 2819 9 2820 ]); 2821 var PKCS8_ALG_ID_P_2562 = new Uint8Array([ 2822 48, 2823 65, 2824 2, 2825 1, 2826 0, 2827 48, 2828 19, 2829 6, 2830 7, 2831 42, 2832 134, 2833 72, 2834 206, 2835 61, 2836 2, 2837 1, 2838 6, 2839 8, 2840 42, 2841 134, 2842 72, 2843 206, 2844 61, 2845 3, 2846 1, 2847 7, 2848 4, 2849 39, 2850 48, 2851 37, 2852 2, 2853 1, 2854 1, 2855 4, 2856 32 2857 ]); 2858 var PKCS8_ALG_ID_P_3842 = new Uint8Array([ 2859 48, 2860 78, 2861 2, 2862 1, 2863 0, 2864 48, 2865 16, 2866 6, 2867 7, 2868 42, 2869 134, 2870 72, 2871 206, 2872 61, 2873 2, 2874 1, 2875 6, 2876 5, 2877 43, 2878 129, 2879 4, 2880 0, 2881 34, 2882 4, 2883 55, 2884 48, 2885 53, 2886 2, 2887 1, 2888 1, 2889 4, 2890 48 2891 ]); 2892 var PKCS8_ALG_ID_P_5212 = new Uint8Array([ 2893 48, 2894 96, 2895 2, 2896 1, 2897 0, 2898 48, 2899 16, 2900 6, 2901 7, 2902 42, 2903 134, 2904 72, 2905 206, 2906 61, 2907 2, 2908 1, 2909 6, 2910 5, 2911 43, 2912 129, 2913 4, 2914 0, 2915 35, 2916 4, 2917 73, 2918 48, 2919 71, 2920 2, 2921 1, 2922 1, 2923 4, 2924 66 2925 ]); 2926 var Ec2 = class extends NativeAlgorithm { 2927 constructor(kem, hkdf) { 2928 super(); 2929 Object.defineProperty(this, "_hkdf", { 2930 enumerable: true, 2931 configurable: true, 2932 writable: true, 2933 value: void 0 2934 }); 2935 Object.defineProperty(this, "_alg", { 2936 enumerable: true, 2937 configurable: true, 2938 writable: true, 2939 value: void 0 2940 }); 2941 Object.defineProperty(this, "_nPk", { 2942 enumerable: true, 2943 configurable: true, 2944 writable: true, 2945 value: void 0 2946 }); 2947 Object.defineProperty(this, "_nSk", { 2948 enumerable: true, 2949 configurable: true, 2950 writable: true, 2951 value: void 0 2952 }); 2953 Object.defineProperty(this, "_nDh", { 2954 enumerable: true, 2955 configurable: true, 2956 writable: true, 2957 value: void 0 2958 }); 2959 Object.defineProperty(this, "_order", { 2960 enumerable: true, 2961 configurable: true, 2962 writable: true, 2963 value: void 0 2964 }); 2965 Object.defineProperty(this, "_bitmask", { 2966 enumerable: true, 2967 configurable: true, 2968 writable: true, 2969 value: void 0 2970 }); 2971 Object.defineProperty(this, "_pkcs8AlgId", { 2972 enumerable: true, 2973 configurable: true, 2974 writable: true, 2975 value: void 0 2976 }); 2977 this._hkdf = hkdf; 2978 switch (kem) { 2979 case KemId.DhkemP256HkdfSha256: 2980 this._alg = { name: "ECDH", namedCurve: "P-256" }; 2981 this._nPk = 65; 2982 this._nSk = 32; 2983 this._nDh = 32; 2984 this._order = ORDER_P_2562; 2985 this._bitmask = 255; 2986 this._pkcs8AlgId = PKCS8_ALG_ID_P_2562; 2987 break; 2988 case KemId.DhkemP384HkdfSha384: 2989 this._alg = { name: "ECDH", namedCurve: "P-384" }; 2990 this._nPk = 97; 2991 this._nSk = 48; 2992 this._nDh = 48; 2993 this._order = ORDER_P_3842; 2994 this._bitmask = 255; 2995 this._pkcs8AlgId = PKCS8_ALG_ID_P_3842; 2996 break; 2997 default: 2998 this._alg = { name: "ECDH", namedCurve: "P-521" }; 2999 this._nPk = 133; 3000 this._nSk = 66; 3001 this._nDh = 66; 3002 this._order = ORDER_P_5212; 3003 this._bitmask = 1; 3004 this._pkcs8AlgId = PKCS8_ALG_ID_P_5212; 3005 break; 3006 } 3007 } 3008 async serializePublicKey(key) { 3009 await this._setup(); 3010 try { 3011 return await this._api.exportKey("raw", key); 3012 } catch (e) { 3013 throw new SerializeError(e); 3014 } 3015 } 3016 async deserializePublicKey(key) { 3017 await this._setup(); 3018 try { 3019 return await this._importRawKey(key, true); 3020 } catch (e) { 3021 throw new DeserializeError(e); 3022 } 3023 } 3024 async serializePrivateKey(key) { 3025 await this._setup(); 3026 try { 3027 const jwk = await this._api.exportKey("jwk", key); 3028 if (!("d" in jwk)) { 3029 throw new Error("Not private key"); 3030 } 3031 return base64UrlToBytes2(jwk["d"]); 3032 } catch (e) { 3033 throw new SerializeError(e); 3034 } 3035 } 3036 async deserializePrivateKey(key) { 3037 await this._setup(); 3038 try { 3039 return await this._importRawKey(key, false); 3040 } catch (e) { 3041 throw new DeserializeError(e); 3042 } 3043 } 3044 async importKey(format, key, isPublic) { 3045 await this._setup(); 3046 try { 3047 if (format === "raw") { 3048 return await this._importRawKey(key, isPublic); 3049 } 3050 if (key instanceof ArrayBuffer) { 3051 throw new Error("Invalid jwk key format"); 3052 } 3053 return await this._importJWK(key, isPublic); 3054 } catch (e) { 3055 throw new DeserializeError(e); 3056 } 3057 } 3058 async generateKeyPair() { 3059 await this._setup(); 3060 try { 3061 return await this._api.generateKey(this._alg, true, KEM_USAGES2); 3062 } catch (e) { 3063 throw new NotSupportedError(e); 3064 } 3065 } 3066 async deriveKeyPair(ikm) { 3067 await this._setup(); 3068 try { 3069 const dkpPrk = await this._hkdf.labeledExtract(EMPTY2, LABEL_DKP_PRK2, new Uint8Array(ikm)); 3070 const bn = new Bignum2(this._nSk); 3071 for (let counter = 0; bn.isZero() || !bn.lessThan(this._order); counter++) { 3072 if (counter > 255) { 3073 throw new Error("Faild to derive a key pair"); 3074 } 3075 const bytes3 = new Uint8Array(await this._hkdf.labeledExpand(dkpPrk, LABEL_CANDIDATE2, i2Osp2(counter, 1), this._nSk)); 3076 bytes3[0] = bytes3[0] & this._bitmask; 3077 bn.set(bytes3); 3078 } 3079 const sk = await this._deserializePkcs8Key(bn.val()); 3080 bn.reset(); 3081 return { 3082 privateKey: sk, 3083 publicKey: await this.derivePublicKey(sk) 3084 }; 3085 } catch (e) { 3086 throw new DeriveKeyPairError(e); 3087 } 3088 } 3089 async derivePublicKey(key) { 3090 await this._setup(); 3091 try { 3092 const jwk = await this._api.exportKey("jwk", key); 3093 delete jwk["d"]; 3094 delete jwk["key_ops"]; 3095 return await this._api.importKey("jwk", jwk, this._alg, true, []); 3096 } catch (e) { 3097 throw new DeserializeError(e); 3098 } 3099 } 3100 async dh(sk, pk) { 3101 try { 3102 await this._setup(); 3103 const bits = await this._api.deriveBits({ 3104 name: "ECDH", 3105 public: pk 3106 }, sk, this._nDh * 8); 3107 return bits; 3108 } catch (e) { 3109 throw new SerializeError(e); 3110 } 3111 } 3112 async _importRawKey(key, isPublic) { 3113 if (isPublic && key.byteLength !== this._nPk) { 3114 throw new Error("Invalid public key for the ciphersuite"); 3115 } 3116 if (!isPublic && key.byteLength !== this._nSk) { 3117 throw new Error("Invalid private key for the ciphersuite"); 3118 } 3119 if (isPublic) { 3120 return await this._api.importKey("raw", key, this._alg, true, []); 3121 } 3122 return await this._deserializePkcs8Key(new Uint8Array(key)); 3123 } 3124 async _importJWK(key, isPublic) { 3125 if (typeof key.crv === "undefined" || key.crv !== this._alg.namedCurve) { 3126 throw new Error(`Invalid crv: ${key.crv}`); 3127 } 3128 if (isPublic) { 3129 if (typeof key.d !== "undefined") { 3130 throw new Error("Invalid key: `d` should not be set"); 3131 } 3132 return await this._api.importKey("jwk", key, this._alg, true, []); 3133 } 3134 if (typeof key.d === "undefined") { 3135 throw new Error("Invalid key: `d` not found"); 3136 } 3137 return await this._api.importKey("jwk", key, this._alg, true, KEM_USAGES2); 3138 } 3139 async _deserializePkcs8Key(k) { 3140 const pkcs8Key = new Uint8Array(this._pkcs8AlgId.length + k.length); 3141 pkcs8Key.set(this._pkcs8AlgId, 0); 3142 pkcs8Key.set(k, this._pkcs8AlgId.length); 3143 return await this._api.importKey("pkcs8", pkcs8Key, this._alg, true, KEM_USAGES2); 3144 } 3145 }; 3146 3147 // npm/esm/src/kems/dhkemP256.js 3148 var DhkemP256HkdfSha2562 = class extends Dhkem2 { 3149 constructor() { 3150 const kdf = new HkdfSha2562(); 3151 const prim = new Ec2(KemId.DhkemP256HkdfSha256, kdf); 3152 super(KemId.DhkemP256HkdfSha256, prim, kdf); 3153 Object.defineProperty(this, "id", { 3154 enumerable: true, 3155 configurable: true, 3156 writable: true, 3157 value: KemId.DhkemP256HkdfSha256 3158 }); 3159 Object.defineProperty(this, "secretSize", { 3160 enumerable: true, 3161 configurable: true, 3162 writable: true, 3163 value: 32 3164 }); 3165 Object.defineProperty(this, "encSize", { 3166 enumerable: true, 3167 configurable: true, 3168 writable: true, 3169 value: 65 3170 }); 3171 Object.defineProperty(this, "publicKeySize", { 3172 enumerable: true, 3173 configurable: true, 3174 writable: true, 3175 value: 65 3176 }); 3177 Object.defineProperty(this, "privateKeySize", { 3178 enumerable: true, 3179 configurable: true, 3180 writable: true, 3181 value: 32 3182 }); 3183 } 3184 }; 3185 3186 // npm/esm/src/kems/dhkemP384.js 3187 var DhkemP384HkdfSha3842 = class extends Dhkem2 { 3188 constructor() { 3189 const kdf = new HkdfSha3842(); 3190 const prim = new Ec2(KemId.DhkemP384HkdfSha384, kdf); 3191 super(KemId.DhkemP384HkdfSha384, prim, kdf); 3192 Object.defineProperty(this, "id", { 3193 enumerable: true, 3194 configurable: true, 3195 writable: true, 3196 value: KemId.DhkemP384HkdfSha384 3197 }); 3198 Object.defineProperty(this, "secretSize", { 3199 enumerable: true, 3200 configurable: true, 3201 writable: true, 3202 value: 48 3203 }); 3204 Object.defineProperty(this, "encSize", { 3205 enumerable: true, 3206 configurable: true, 3207 writable: true, 3208 value: 97 3209 }); 3210 Object.defineProperty(this, "publicKeySize", { 3211 enumerable: true, 3212 configurable: true, 3213 writable: true, 3214 value: 97 3215 }); 3216 Object.defineProperty(this, "privateKeySize", { 3217 enumerable: true, 3218 configurable: true, 3219 writable: true, 3220 value: 48 3221 }); 3222 } 3223 }; 3224 3225 // npm/esm/src/kems/dhkemP521.js 3226 var DhkemP521HkdfSha5122 = class extends Dhkem2 { 3227 constructor() { 3228 const kdf = new HkdfSha5122(); 3229 const prim = new Ec2(KemId.DhkemP521HkdfSha512, kdf); 3230 super(KemId.DhkemP521HkdfSha512, prim, kdf); 3231 Object.defineProperty(this, "id", { 3232 enumerable: true, 3233 configurable: true, 3234 writable: true, 3235 value: KemId.DhkemP521HkdfSha512 3236 }); 3237 Object.defineProperty(this, "secretSize", { 3238 enumerable: true, 3239 configurable: true, 3240 writable: true, 3241 value: 64 3242 }); 3243 Object.defineProperty(this, "encSize", { 3244 enumerable: true, 3245 configurable: true, 3246 writable: true, 3247 value: 133 3248 }); 3249 Object.defineProperty(this, "publicKeySize", { 3250 enumerable: true, 3251 configurable: true, 3252 writable: true, 3253 value: 133 3254 }); 3255 Object.defineProperty(this, "privateKeySize", { 3256 enumerable: true, 3257 configurable: true, 3258 writable: true, 3259 value: 64 3260 }); 3261 } 3262 }; 3263 3264 // npm/node_modules/@noble/curves/esm/abstract/utils.js 3265 var _1n = /* @__PURE__ */ BigInt(1); 3266 var _2n = /* @__PURE__ */ BigInt(2); 3267 function isBytes3(a) { 3268 return a instanceof Uint8Array || a != null && typeof a === "object" && a.constructor.name === "Uint8Array"; 3269 } 3270 function abytes(item) { 3271 if (!isBytes3(item)) 3272 throw new Error("Uint8Array expected"); 3273 } 3274 var hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, "0")); 3275 function bytesToHex(bytes3) { 3276 abytes(bytes3); 3277 let hex = ""; 3278 for (let i = 0; i < bytes3.length; i++) { 3279 hex += hexes[bytes3[i]]; 3280 } 3281 return hex; 3282 } 3283 function hexToNumber(hex) { 3284 if (typeof hex !== "string") 3285 throw new Error("hex string expected, got " + typeof hex); 3286 return BigInt(hex === "" ? "0" : `0x${hex}`); 3287 } 3288 var asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 }; 3289 function asciiToBase16(char) { 3290 if (char >= asciis._0 && char <= asciis._9) 3291 return char - asciis._0; 3292 if (char >= asciis._A && char <= asciis._F) 3293 return char - (asciis._A - 10); 3294 if (char >= asciis._a && char <= asciis._f) 3295 return char - (asciis._a - 10); 3296 return; 3297 } 3298 function hexToBytes(hex) { 3299 if (typeof hex !== "string") 3300 throw new Error("hex string expected, got " + typeof hex); 3301 const hl = hex.length; 3302 const al = hl / 2; 3303 if (hl % 2) 3304 throw new Error("padded hex string expected, got unpadded hex of length " + hl); 3305 const array = new Uint8Array(al); 3306 for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) { 3307 const n1 = asciiToBase16(hex.charCodeAt(hi)); 3308 const n2 = asciiToBase16(hex.charCodeAt(hi + 1)); 3309 if (n1 === void 0 || n2 === void 0) { 3310 const char = hex[hi] + hex[hi + 1]; 3311 throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi); 3312 } 3313 array[ai] = n1 * 16 + n2; 3314 } 3315 return array; 3316 } 3317 function bytesToNumberBE(bytes3) { 3318 return hexToNumber(bytesToHex(bytes3)); 3319 } 3320 function bytesToNumberLE(bytes3) { 3321 abytes(bytes3); 3322 return hexToNumber(bytesToHex(Uint8Array.from(bytes3).reverse())); 3323 } 3324 function numberToBytesBE(n, len) { 3325 return hexToBytes(n.toString(16).padStart(len * 2, "0")); 3326 } 3327 function numberToBytesLE(n, len) { 3328 return numberToBytesBE(n, len).reverse(); 3329 } 3330 function ensureBytes(title, hex, expectedLength) { 3331 let res; 3332 if (typeof hex === "string") { 3333 try { 3334 res = hexToBytes(hex); 3335 } catch (e) { 3336 throw new Error(`${title} must be valid hex string, got "${hex}". Cause: ${e}`); 3337 } 3338 } else if (isBytes3(hex)) { 3339 res = Uint8Array.from(hex); 3340 } else { 3341 throw new Error(`${title} must be hex string or Uint8Array`); 3342 } 3343 const len = res.length; 3344 if (typeof expectedLength === "number" && len !== expectedLength) 3345 throw new Error(`${title} expected ${expectedLength} bytes, got ${len}`); 3346 return res; 3347 } 3348 function concatBytes2(...arrays) { 3349 let sum = 0; 3350 for (let i = 0; i < arrays.length; i++) { 3351 const a = arrays[i]; 3352 abytes(a); 3353 sum += a.length; 3354 } 3355 const res = new Uint8Array(sum); 3356 for (let i = 0, pad = 0; i < arrays.length; i++) { 3357 const a = arrays[i]; 3358 res.set(a, pad); 3359 pad += a.length; 3360 } 3361 return res; 3362 } 3363 var bitMask = (n) => (_2n << BigInt(n - 1)) - _1n; 3364 var validatorFns = { 3365 bigint: (val) => typeof val === "bigint", 3366 function: (val) => typeof val === "function", 3367 boolean: (val) => typeof val === "boolean", 3368 string: (val) => typeof val === "string", 3369 stringOrUint8Array: (val) => typeof val === "string" || isBytes3(val), 3370 isSafeInteger: (val) => Number.isSafeInteger(val), 3371 array: (val) => Array.isArray(val), 3372 field: (val, object) => object.Fp.isValid(val), 3373 hash: (val) => typeof val === "function" && Number.isSafeInteger(val.outputLen) 3374 }; 3375 function validateObject(object, validators, optValidators = {}) { 3376 const checkField = (fieldName, type, isOptional) => { 3377 const checkVal = validatorFns[type]; 3378 if (typeof checkVal !== "function") 3379 throw new Error(`Invalid validator "${type}", expected function`); 3380 const val = object[fieldName]; 3381 if (isOptional && val === void 0) 3382 return; 3383 if (!checkVal(val, object)) { 3384 throw new Error(`Invalid param ${String(fieldName)}=${val} (${typeof val}), expected ${type}`); 3385 } 3386 }; 3387 for (const [fieldName, type] of Object.entries(validators)) 3388 checkField(fieldName, type, false); 3389 for (const [fieldName, type] of Object.entries(optValidators)) 3390 checkField(fieldName, type, true); 3391 return object; 3392 } 3393 3394 // npm/node_modules/@noble/curves/esm/abstract/modular.js 3395 var _0n = BigInt(0); 3396 var _1n2 = BigInt(1); 3397 var _2n2 = BigInt(2); 3398 var _3n = BigInt(3); 3399 var _4n = BigInt(4); 3400 var _5n = BigInt(5); 3401 var _8n = BigInt(8); 3402 var _9n = BigInt(9); 3403 var _16n = BigInt(16); 3404 function mod(a, b) { 3405 const result = a % b; 3406 return result >= _0n ? result : b + result; 3407 } 3408 function pow(num, power, modulo) { 3409 if (modulo <= _0n || power < _0n) 3410 throw new Error("Expected power/modulo > 0"); 3411 if (modulo === _1n2) 3412 return _0n; 3413 let res = _1n2; 3414 while (power > _0n) { 3415 if (power & _1n2) 3416 res = res * num % modulo; 3417 num = num * num % modulo; 3418 power >>= _1n2; 3419 } 3420 return res; 3421 } 3422 function pow2(x, power, modulo) { 3423 let res = x; 3424 while (power-- > _0n) { 3425 res *= res; 3426 res %= modulo; 3427 } 3428 return res; 3429 } 3430 function invert(number3, modulo) { 3431 if (number3 === _0n || modulo <= _0n) { 3432 throw new Error(`invert: expected positive integers, got n=${number3} mod=${modulo}`); 3433 } 3434 let a = mod(number3, modulo); 3435 let b = modulo; 3436 let x = _0n, y = _1n2, u = _1n2, v = _0n; 3437 while (a !== _0n) { 3438 const q = b / a; 3439 const r = b % a; 3440 const m = x - u * q; 3441 const n = y - v * q; 3442 b = a, a = r, x = u, y = v, u = m, v = n; 3443 } 3444 const gcd = b; 3445 if (gcd !== _1n2) 3446 throw new Error("invert: does not exist"); 3447 return mod(x, modulo); 3448 } 3449 function tonelliShanks(P) { 3450 const legendreC = (P - _1n2) / _2n2; 3451 let Q, S, Z; 3452 for (Q = P - _1n2, S = 0; Q % _2n2 === _0n; Q /= _2n2, S++) 3453 ; 3454 for (Z = _2n2; Z < P && pow(Z, legendreC, P) !== P - _1n2; Z++) 3455 ; 3456 if (S === 1) { 3457 const p1div4 = (P + _1n2) / _4n; 3458 return function tonelliFast(Fp2, n) { 3459 const root = Fp2.pow(n, p1div4); 3460 if (!Fp2.eql(Fp2.sqr(root), n)) 3461 throw new Error("Cannot find square root"); 3462 return root; 3463 }; 3464 } 3465 const Q1div2 = (Q + _1n2) / _2n2; 3466 return function tonelliSlow(Fp2, n) { 3467 if (Fp2.pow(n, legendreC) === Fp2.neg(Fp2.ONE)) 3468 throw new Error("Cannot find square root"); 3469 let r = S; 3470 let g = Fp2.pow(Fp2.mul(Fp2.ONE, Z), Q); 3471 let x = Fp2.pow(n, Q1div2); 3472 let b = Fp2.pow(n, Q); 3473 while (!Fp2.eql(b, Fp2.ONE)) { 3474 if (Fp2.eql(b, Fp2.ZERO)) 3475 return Fp2.ZERO; 3476 let m = 1; 3477 for (let t2 = Fp2.sqr(b); m < r; m++) { 3478 if (Fp2.eql(t2, Fp2.ONE)) 3479 break; 3480 t2 = Fp2.sqr(t2); 3481 } 3482 const ge = Fp2.pow(g, _1n2 << BigInt(r - m - 1)); 3483 g = Fp2.sqr(ge); 3484 x = Fp2.mul(x, ge); 3485 b = Fp2.mul(b, g); 3486 r = m; 3487 } 3488 return x; 3489 }; 3490 } 3491 function FpSqrt(P) { 3492 if (P % _4n === _3n) { 3493 const p1div4 = (P + _1n2) / _4n; 3494 return function sqrt3mod4(Fp2, n) { 3495 const root = Fp2.pow(n, p1div4); 3496 if (!Fp2.eql(Fp2.sqr(root), n)) 3497 throw new Error("Cannot find square root"); 3498 return root; 3499 }; 3500 } 3501 if (P % _8n === _5n) { 3502 const c1 = (P - _5n) / _8n; 3503 return function sqrt5mod8(Fp2, n) { 3504 const n2 = Fp2.mul(n, _2n2); 3505 const v = Fp2.pow(n2, c1); 3506 const nv = Fp2.mul(n, v); 3507 const i = Fp2.mul(Fp2.mul(nv, _2n2), v); 3508 const root = Fp2.mul(nv, Fp2.sub(i, Fp2.ONE)); 3509 if (!Fp2.eql(Fp2.sqr(root), n)) 3510 throw new Error("Cannot find square root"); 3511 return root; 3512 }; 3513 } 3514 if (P % _16n === _9n) { 3515 } 3516 return tonelliShanks(P); 3517 } 3518 var FIELD_FIELDS = [ 3519 "create", 3520 "isValid", 3521 "is0", 3522 "neg", 3523 "inv", 3524 "sqrt", 3525 "sqr", 3526 "eql", 3527 "add", 3528 "sub", 3529 "mul", 3530 "pow", 3531 "div", 3532 "addN", 3533 "subN", 3534 "mulN", 3535 "sqrN" 3536 ]; 3537 function validateField(field) { 3538 const initial = { 3539 ORDER: "bigint", 3540 MASK: "bigint", 3541 BYTES: "isSafeInteger", 3542 BITS: "isSafeInteger" 3543 }; 3544 const opts = FIELD_FIELDS.reduce((map, val) => { 3545 map[val] = "function"; 3546 return map; 3547 }, initial); 3548 return validateObject(field, opts); 3549 } 3550 function FpPow(f, num, power) { 3551 if (power < _0n) 3552 throw new Error("Expected power > 0"); 3553 if (power === _0n) 3554 return f.ONE; 3555 if (power === _1n2) 3556 return num; 3557 let p = f.ONE; 3558 let d = num; 3559 while (power > _0n) { 3560 if (power & _1n2) 3561 p = f.mul(p, d); 3562 d = f.sqr(d); 3563 power >>= _1n2; 3564 } 3565 return p; 3566 } 3567 function FpInvertBatch(f, nums) { 3568 const tmp = new Array(nums.length); 3569 const lastMultiplied = nums.reduce((acc, num, i) => { 3570 if (f.is0(num)) 3571 return acc; 3572 tmp[i] = acc; 3573 return f.mul(acc, num); 3574 }, f.ONE); 3575 const inverted = f.inv(lastMultiplied); 3576 nums.reduceRight((acc, num, i) => { 3577 if (f.is0(num)) 3578 return acc; 3579 tmp[i] = f.mul(acc, tmp[i]); 3580 return f.mul(acc, num); 3581 }, inverted); 3582 return tmp; 3583 } 3584 function nLength(n, nBitLength) { 3585 const _nBitLength = nBitLength !== void 0 ? nBitLength : n.toString(2).length; 3586 const nByteLength = Math.ceil(_nBitLength / 8); 3587 return { nBitLength: _nBitLength, nByteLength }; 3588 } 3589 function Field(ORDER, bitLen, isLE3 = false, redef = {}) { 3590 if (ORDER <= _0n) 3591 throw new Error(`Expected Field ORDER > 0, got ${ORDER}`); 3592 const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen); 3593 if (BYTES > 2048) 3594 throw new Error("Field lengths over 2048 bytes are not supported"); 3595 const sqrtP = FpSqrt(ORDER); 3596 const f = Object.freeze({ 3597 ORDER, 3598 BITS, 3599 BYTES, 3600 MASK: bitMask(BITS), 3601 ZERO: _0n, 3602 ONE: _1n2, 3603 create: (num) => mod(num, ORDER), 3604 isValid: (num) => { 3605 if (typeof num !== "bigint") 3606 throw new Error(`Invalid field element: expected bigint, got ${typeof num}`); 3607 return _0n <= num && num < ORDER; 3608 }, 3609 is0: (num) => num === _0n, 3610 isOdd: (num) => (num & _1n2) === _1n2, 3611 neg: (num) => mod(-num, ORDER), 3612 eql: (lhs, rhs) => lhs === rhs, 3613 sqr: (num) => mod(num * num, ORDER), 3614 add: (lhs, rhs) => mod(lhs + rhs, ORDER), 3615 sub: (lhs, rhs) => mod(lhs - rhs, ORDER), 3616 mul: (lhs, rhs) => mod(lhs * rhs, ORDER), 3617 pow: (num, power) => FpPow(f, num, power), 3618 div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER), 3619 // Same as above, but doesn't normalize 3620 sqrN: (num) => num * num, 3621 addN: (lhs, rhs) => lhs + rhs, 3622 subN: (lhs, rhs) => lhs - rhs, 3623 mulN: (lhs, rhs) => lhs * rhs, 3624 inv: (num) => invert(num, ORDER), 3625 sqrt: redef.sqrt || ((n) => sqrtP(f, n)), 3626 invertBatch: (lst) => FpInvertBatch(f, lst), 3627 // TODO: do we really need constant cmov? 3628 // We don't have const-time bigints anyway, so probably will be not very useful 3629 cmov: (a, b, c) => c ? b : a, 3630 toBytes: (num) => isLE3 ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES), 3631 fromBytes: (bytes3) => { 3632 if (bytes3.length !== BYTES) 3633 throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes3.length}`); 3634 return isLE3 ? bytesToNumberLE(bytes3) : bytesToNumberBE(bytes3); 3635 } 3636 }); 3637 return Object.freeze(f); 3638 } 3639 3640 // npm/node_modules/@noble/curves/esm/abstract/curve.js 3641 var _0n2 = BigInt(0); 3642 var _1n3 = BigInt(1); 3643 function wNAF(c, bits) { 3644 const constTimeNegate = (condition, item) => { 3645 const neg = item.negate(); 3646 return condition ? neg : item; 3647 }; 3648 const opts = (W) => { 3649 const windows = Math.ceil(bits / W) + 1; 3650 const windowSize = 2 ** (W - 1); 3651 return { windows, windowSize }; 3652 }; 3653 return { 3654 constTimeNegate, 3655 // non-const time multiplication ladder 3656 unsafeLadder(elm, n) { 3657 let p = c.ZERO; 3658 let d = elm; 3659 while (n > _0n2) { 3660 if (n & _1n3) 3661 p = p.add(d); 3662 d = d.double(); 3663 n >>= _1n3; 3664 } 3665 return p; 3666 }, 3667 /** 3668 * Creates a wNAF precomputation window. Used for caching. 3669 * Default window size is set by `utils.precompute()` and is equal to 8. 3670 * Number of precomputed points depends on the curve size: 3671 * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where: 3672 * - 𝑊 is the window size 3673 * - 𝑛 is the bitlength of the curve order. 3674 * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224. 3675 * @returns precomputed point tables flattened to a single array 3676 */ 3677 precomputeWindow(elm, W) { 3678 const { windows, windowSize } = opts(W); 3679 const points = []; 3680 let p = elm; 3681 let base = p; 3682 for (let window = 0; window < windows; window++) { 3683 base = p; 3684 points.push(base); 3685 for (let i = 1; i < windowSize; i++) { 3686 base = base.add(p); 3687 points.push(base); 3688 } 3689 p = base.double(); 3690 } 3691 return points; 3692 }, 3693 /** 3694 * Implements ec multiplication using precomputed tables and w-ary non-adjacent form. 3695 * @param W window size 3696 * @param precomputes precomputed tables 3697 * @param n scalar (we don't check here, but should be less than curve order) 3698 * @returns real and fake (for const-time) points 3699 */ 3700 wNAF(W, precomputes, n) { 3701 const { windows, windowSize } = opts(W); 3702 let p = c.ZERO; 3703 let f = c.BASE; 3704 const mask = BigInt(2 ** W - 1); 3705 const maxNumber = 2 ** W; 3706 const shiftBy = BigInt(W); 3707 for (let window = 0; window < windows; window++) { 3708 const offset = window * windowSize; 3709 let wbits = Number(n & mask); 3710 n >>= shiftBy; 3711 if (wbits > windowSize) { 3712 wbits -= maxNumber; 3713 n += _1n3; 3714 } 3715 const offset1 = offset; 3716 const offset2 = offset + Math.abs(wbits) - 1; 3717 const cond1 = window % 2 !== 0; 3718 const cond2 = wbits < 0; 3719 if (wbits === 0) { 3720 f = f.add(constTimeNegate(cond1, precomputes[offset1])); 3721 } else { 3722 p = p.add(constTimeNegate(cond2, precomputes[offset2])); 3723 } 3724 } 3725 return { p, f }; 3726 }, 3727 wNAFCached(P, precomputesMap, n, transform) { 3728 const W = P._WINDOW_SIZE || 1; 3729 let comp = precomputesMap.get(P); 3730 if (!comp) { 3731 comp = this.precomputeWindow(P, W); 3732 if (W !== 1) { 3733 precomputesMap.set(P, transform(comp)); 3734 } 3735 } 3736 return this.wNAF(W, comp, n); 3737 } 3738 }; 3739 } 3740 function validateBasic(curve) { 3741 validateField(curve.Fp); 3742 validateObject(curve, { 3743 n: "bigint", 3744 h: "bigint", 3745 Gx: "field", 3746 Gy: "field" 3747 }, { 3748 nBitLength: "isSafeInteger", 3749 nByteLength: "isSafeInteger" 3750 }); 3751 return Object.freeze({ 3752 ...nLength(curve.n, curve.nBitLength), 3753 ...curve, 3754 ...{ p: curve.Fp.ORDER } 3755 }); 3756 } 3757 3758 // npm/node_modules/@noble/curves/esm/abstract/edwards.js 3759 var _0n3 = BigInt(0); 3760 var _1n4 = BigInt(1); 3761 var _2n3 = BigInt(2); 3762 var _8n2 = BigInt(8); 3763 var VERIFY_DEFAULT = { zip215: true }; 3764 function validateOpts(curve) { 3765 const opts = validateBasic(curve); 3766 validateObject(curve, { 3767 hash: "function", 3768 a: "bigint", 3769 d: "bigint", 3770 randomBytes: "function" 3771 }, { 3772 adjustScalarBytes: "function", 3773 domain: "function", 3774 uvRatio: "function", 3775 mapToCurve: "function" 3776 }); 3777 return Object.freeze({ ...opts }); 3778 } 3779 function twistedEdwards(curveDef) { 3780 const CURVE = validateOpts(curveDef); 3781 const { Fp: Fp2, n: CURVE_ORDER, prehash, hash: cHash, randomBytes: randomBytes2, nByteLength, h: cofactor } = CURVE; 3782 const MASK = _2n3 << BigInt(nByteLength * 8) - _1n4; 3783 const modP = Fp2.create; 3784 const uvRatio2 = CURVE.uvRatio || ((u, v) => { 3785 try { 3786 return { isValid: true, value: Fp2.sqrt(u * Fp2.inv(v)) }; 3787 } catch (e) { 3788 return { isValid: false, value: _0n3 }; 3789 } 3790 }); 3791 const adjustScalarBytes3 = CURVE.adjustScalarBytes || ((bytes3) => bytes3); 3792 const domain = CURVE.domain || ((data, ctx, phflag) => { 3793 if (ctx.length || phflag) 3794 throw new Error("Contexts/pre-hash are not supported"); 3795 return data; 3796 }); 3797 const inBig = (n) => typeof n === "bigint" && _0n3 < n; 3798 const inRange = (n, max) => inBig(n) && inBig(max) && n < max; 3799 const in0MaskRange = (n) => n === _0n3 || inRange(n, MASK); 3800 function assertInRange(n, max) { 3801 if (inRange(n, max)) 3802 return n; 3803 throw new Error(`Expected valid scalar < ${max}, got ${typeof n} ${n}`); 3804 } 3805 function assertGE0(n) { 3806 return n === _0n3 ? n : assertInRange(n, CURVE_ORDER); 3807 } 3808 const pointPrecomputes = /* @__PURE__ */ new Map(); 3809 function isPoint(other) { 3810 if (!(other instanceof Point)) 3811 throw new Error("ExtendedPoint expected"); 3812 } 3813 class Point { 3814 constructor(ex, ey, ez, et) { 3815 this.ex = ex; 3816 this.ey = ey; 3817 this.ez = ez; 3818 this.et = et; 3819 if (!in0MaskRange(ex)) 3820 throw new Error("x required"); 3821 if (!in0MaskRange(ey)) 3822 throw new Error("y required"); 3823 if (!in0MaskRange(ez)) 3824 throw new Error("z required"); 3825 if (!in0MaskRange(et)) 3826 throw new Error("t required"); 3827 } 3828 get x() { 3829 return this.toAffine().x; 3830 } 3831 get y() { 3832 return this.toAffine().y; 3833 } 3834 static fromAffine(p) { 3835 if (p instanceof Point) 3836 throw new Error("extended point not allowed"); 3837 const { x, y } = p || {}; 3838 if (!in0MaskRange(x) || !in0MaskRange(y)) 3839 throw new Error("invalid affine point"); 3840 return new Point(x, y, _1n4, modP(x * y)); 3841 } 3842 static normalizeZ(points) { 3843 const toInv = Fp2.invertBatch(points.map((p) => p.ez)); 3844 return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine); 3845 } 3846 // "Private method", don't use it directly 3847 _setWindowSize(windowSize) { 3848 this._WINDOW_SIZE = windowSize; 3849 pointPrecomputes.delete(this); 3850 } 3851 // Not required for fromHex(), which always creates valid points. 3852 // Could be useful for fromAffine(). 3853 assertValidity() { 3854 const { a, d } = CURVE; 3855 if (this.is0()) 3856 throw new Error("bad point: ZERO"); 3857 const { ex: X, ey: Y, ez: Z, et: T } = this; 3858 const X2 = modP(X * X); 3859 const Y2 = modP(Y * Y); 3860 const Z2 = modP(Z * Z); 3861 const Z4 = modP(Z2 * Z2); 3862 const aX2 = modP(X2 * a); 3863 const left = modP(Z2 * modP(aX2 + Y2)); 3864 const right = modP(Z4 + modP(d * modP(X2 * Y2))); 3865 if (left !== right) 3866 throw new Error("bad point: equation left != right (1)"); 3867 const XY = modP(X * Y); 3868 const ZT = modP(Z * T); 3869 if (XY !== ZT) 3870 throw new Error("bad point: equation left != right (2)"); 3871 } 3872 // Compare one point to another. 3873 equals(other) { 3874 isPoint(other); 3875 const { ex: X1, ey: Y1, ez: Z1 } = this; 3876 const { ex: X2, ey: Y2, ez: Z2 } = other; 3877 const X1Z2 = modP(X1 * Z2); 3878 const X2Z1 = modP(X2 * Z1); 3879 const Y1Z2 = modP(Y1 * Z2); 3880 const Y2Z1 = modP(Y2 * Z1); 3881 return X1Z2 === X2Z1 && Y1Z2 === Y2Z1; 3882 } 3883 is0() { 3884 return this.equals(Point.ZERO); 3885 } 3886 negate() { 3887 return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et)); 3888 } 3889 // Fast algo for doubling Extended Point. 3890 // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd 3891 // Cost: 4M + 4S + 1*a + 6add + 1*2. 3892 double() { 3893 const { a } = CURVE; 3894 const { ex: X1, ey: Y1, ez: Z1 } = this; 3895 const A = modP(X1 * X1); 3896 const B = modP(Y1 * Y1); 3897 const C = modP(_2n3 * modP(Z1 * Z1)); 3898 const D = modP(a * A); 3899 const x1y1 = X1 + Y1; 3900 const E = modP(modP(x1y1 * x1y1) - A - B); 3901 const G2 = D + B; 3902 const F = G2 - C; 3903 const H = D - B; 3904 const X3 = modP(E * F); 3905 const Y3 = modP(G2 * H); 3906 const T3 = modP(E * H); 3907 const Z3 = modP(F * G2); 3908 return new Point(X3, Y3, Z3, T3); 3909 } 3910 // Fast algo for adding 2 Extended Points. 3911 // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd 3912 // Cost: 9M + 1*a + 1*d + 7add. 3913 add(other) { 3914 isPoint(other); 3915 const { a, d } = CURVE; 3916 const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this; 3917 const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other; 3918 if (a === BigInt(-1)) { 3919 const A2 = modP((Y1 - X1) * (Y2 + X2)); 3920 const B2 = modP((Y1 + X1) * (Y2 - X2)); 3921 const F2 = modP(B2 - A2); 3922 if (F2 === _0n3) 3923 return this.double(); 3924 const C2 = modP(Z1 * _2n3 * T2); 3925 const D2 = modP(T1 * _2n3 * Z2); 3926 const E2 = D2 + C2; 3927 const G3 = B2 + A2; 3928 const H2 = D2 - C2; 3929 const X32 = modP(E2 * F2); 3930 const Y32 = modP(G3 * H2); 3931 const T32 = modP(E2 * H2); 3932 const Z32 = modP(F2 * G3); 3933 return new Point(X32, Y32, Z32, T32); 3934 } 3935 const A = modP(X1 * X2); 3936 const B = modP(Y1 * Y2); 3937 const C = modP(T1 * d * T2); 3938 const D = modP(Z1 * Z2); 3939 const E = modP((X1 + Y1) * (X2 + Y2) - A - B); 3940 const F = D - C; 3941 const G2 = D + C; 3942 const H = modP(B - a * A); 3943 const X3 = modP(E * F); 3944 const Y3 = modP(G2 * H); 3945 const T3 = modP(E * H); 3946 const Z3 = modP(F * G2); 3947 return new Point(X3, Y3, Z3, T3); 3948 } 3949 subtract(other) { 3950 return this.add(other.negate()); 3951 } 3952 wNAF(n) { 3953 return wnaf.wNAFCached(this, pointPrecomputes, n, Point.normalizeZ); 3954 } 3955 // Constant-time multiplication. 3956 multiply(scalar) { 3957 const { p, f } = this.wNAF(assertInRange(scalar, CURVE_ORDER)); 3958 return Point.normalizeZ([p, f])[0]; 3959 } 3960 // Non-constant-time multiplication. Uses double-and-add algorithm. 3961 // It's faster, but should only be used when you don't care about 3962 // an exposed private key e.g. sig verification. 3963 // Does NOT allow scalars higher than CURVE.n. 3964 multiplyUnsafe(scalar) { 3965 let n = assertGE0(scalar); 3966 if (n === _0n3) 3967 return I; 3968 if (this.equals(I) || n === _1n4) 3969 return this; 3970 if (this.equals(G)) 3971 return this.wNAF(n).p; 3972 return wnaf.unsafeLadder(this, n); 3973 } 3974 // Checks if point is of small order. 3975 // If you add something to small order point, you will have "dirty" 3976 // point with torsion component. 3977 // Multiplies point by cofactor and checks if the result is 0. 3978 isSmallOrder() { 3979 return this.multiplyUnsafe(cofactor).is0(); 3980 } 3981 // Multiplies point by curve order and checks if the result is 0. 3982 // Returns `false` is the point is dirty. 3983 isTorsionFree() { 3984 return wnaf.unsafeLadder(this, CURVE_ORDER).is0(); 3985 } 3986 // Converts Extended point to default (x, y) coordinates. 3987 // Can accept precomputed Z^-1 - for example, from invertBatch. 3988 toAffine(iz) { 3989 const { ex: x, ey: y, ez: z } = this; 3990 const is0 = this.is0(); 3991 if (iz == null) 3992 iz = is0 ? _8n2 : Fp2.inv(z); 3993 const ax = modP(x * iz); 3994 const ay = modP(y * iz); 3995 const zz = modP(z * iz); 3996 if (is0) 3997 return { x: _0n3, y: _1n4 }; 3998 if (zz !== _1n4) 3999 throw new Error("invZ was invalid"); 4000 return { x: ax, y: ay }; 4001 } 4002 clearCofactor() { 4003 const { h: cofactor2 } = CURVE; 4004 if (cofactor2 === _1n4) 4005 return this; 4006 return this.multiplyUnsafe(cofactor2); 4007 } 4008 // Converts hash string or Uint8Array to Point. 4009 // Uses algo from RFC8032 5.1.3. 4010 static fromHex(hex, zip215 = false) { 4011 const { d, a } = CURVE; 4012 const len = Fp2.BYTES; 4013 hex = ensureBytes("pointHex", hex, len); 4014 const normed = hex.slice(); 4015 const lastByte = hex[len - 1]; 4016 normed[len - 1] = lastByte & ~128; 4017 const y = bytesToNumberLE(normed); 4018 if (y === _0n3) { 4019 } else { 4020 if (zip215) 4021 assertInRange(y, MASK); 4022 else 4023 assertInRange(y, Fp2.ORDER); 4024 } 4025 const y2 = modP(y * y); 4026 const u = modP(y2 - _1n4); 4027 const v = modP(d * y2 - a); 4028 let { isValid, value: x } = uvRatio2(u, v); 4029 if (!isValid) 4030 throw new Error("Point.fromHex: invalid y coordinate"); 4031 const isXOdd = (x & _1n4) === _1n4; 4032 const isLastByteOdd = (lastByte & 128) !== 0; 4033 if (!zip215 && x === _0n3 && isLastByteOdd) 4034 throw new Error("Point.fromHex: x=0 and x_0=1"); 4035 if (isLastByteOdd !== isXOdd) 4036 x = modP(-x); 4037 return Point.fromAffine({ x, y }); 4038 } 4039 static fromPrivateKey(privKey) { 4040 return getExtendedPublicKey(privKey).point; 4041 } 4042 toRawBytes() { 4043 const { x, y } = this.toAffine(); 4044 const bytes3 = numberToBytesLE(y, Fp2.BYTES); 4045 bytes3[bytes3.length - 1] |= x & _1n4 ? 128 : 0; 4046 return bytes3; 4047 } 4048 toHex() { 4049 return bytesToHex(this.toRawBytes()); 4050 } 4051 } 4052 Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n4, modP(CURVE.Gx * CURVE.Gy)); 4053 Point.ZERO = new Point(_0n3, _1n4, _1n4, _0n3); 4054 const { BASE: G, ZERO: I } = Point; 4055 const wnaf = wNAF(Point, nByteLength * 8); 4056 function modN(a) { 4057 return mod(a, CURVE_ORDER); 4058 } 4059 function modN_LE(hash2) { 4060 return modN(bytesToNumberLE(hash2)); 4061 } 4062 function getExtendedPublicKey(key) { 4063 const len = nByteLength; 4064 key = ensureBytes("private key", key, len); 4065 const hashed = ensureBytes("hashed private key", cHash(key), 2 * len); 4066 const head = adjustScalarBytes3(hashed.slice(0, len)); 4067 const prefix = hashed.slice(len, 2 * len); 4068 const scalar = modN_LE(head); 4069 const point = G.multiply(scalar); 4070 const pointBytes = point.toRawBytes(); 4071 return { head, prefix, scalar, point, pointBytes }; 4072 } 4073 function getPublicKey(privKey) { 4074 return getExtendedPublicKey(privKey).pointBytes; 4075 } 4076 function hashDomainToScalar(context = new Uint8Array(), ...msgs) { 4077 const msg = concatBytes2(...msgs); 4078 return modN_LE(cHash(domain(msg, ensureBytes("context", context), !!prehash))); 4079 } 4080 function sign(msg, privKey, options = {}) { 4081 msg = ensureBytes("message", msg); 4082 if (prehash) 4083 msg = prehash(msg); 4084 const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey); 4085 const r = hashDomainToScalar(options.context, prefix, msg); 4086 const R = G.multiply(r).toRawBytes(); 4087 const k = hashDomainToScalar(options.context, R, pointBytes, msg); 4088 const s = modN(r + k * scalar); 4089 assertGE0(s); 4090 const res = concatBytes2(R, numberToBytesLE(s, Fp2.BYTES)); 4091 return ensureBytes("result", res, nByteLength * 2); 4092 } 4093 const verifyOpts = VERIFY_DEFAULT; 4094 function verify(sig, msg, publicKey, options = verifyOpts) { 4095 const { context, zip215 } = options; 4096 const len = Fp2.BYTES; 4097 sig = ensureBytes("signature", sig, 2 * len); 4098 msg = ensureBytes("message", msg); 4099 if (prehash) 4100 msg = prehash(msg); 4101 const s = bytesToNumberLE(sig.slice(len, 2 * len)); 4102 let A, R, SB; 4103 try { 4104 A = Point.fromHex(publicKey, zip215); 4105 R = Point.fromHex(sig.slice(0, len), zip215); 4106 SB = G.multiplyUnsafe(s); 4107 } catch (error) { 4108 return false; 4109 } 4110 if (!zip215 && A.isSmallOrder()) 4111 return false; 4112 const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg); 4113 const RkA = R.add(A.multiplyUnsafe(k)); 4114 return RkA.subtract(SB).clearCofactor().equals(Point.ZERO); 4115 } 4116 G._setWindowSize(8); 4117 const utils = { 4118 getExtendedPublicKey, 4119 // ed25519 private keys are uniform 32b. No need to check for modulo bias, like in secp256k1. 4120 randomPrivateKey: () => randomBytes2(Fp2.BYTES), 4121 /** 4122 * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT 4123 * values. This slows down first getPublicKey() by milliseconds (see Speed section), 4124 * but allows to speed-up subsequent getPublicKey() calls up to 20x. 4125 * @param windowSize 2, 4, 8, 16 4126 */ 4127 precompute(windowSize = 8, point = Point.BASE) { 4128 point._setWindowSize(windowSize); 4129 point.multiply(BigInt(3)); 4130 return point; 4131 } 4132 }; 4133 return { 4134 CURVE, 4135 getPublicKey, 4136 sign, 4137 verify, 4138 ExtendedPoint: Point, 4139 utils 4140 }; 4141 } 4142 4143 // npm/node_modules/@noble/curves/esm/abstract/montgomery.js 4144 var _0n4 = BigInt(0); 4145 var _1n5 = BigInt(1); 4146 function validateOpts2(curve) { 4147 validateObject(curve, { 4148 a: "bigint" 4149 }, { 4150 montgomeryBits: "isSafeInteger", 4151 nByteLength: "isSafeInteger", 4152 adjustScalarBytes: "function", 4153 domain: "function", 4154 powPminus2: "function", 4155 Gu: "bigint" 4156 }); 4157 return Object.freeze({ ...curve }); 4158 } 4159 function montgomery(curveDef) { 4160 const CURVE = validateOpts2(curveDef); 4161 const { P } = CURVE; 4162 const modP = (n) => mod(n, P); 4163 const montgomeryBits = CURVE.montgomeryBits; 4164 const montgomeryBytes = Math.ceil(montgomeryBits / 8); 4165 const fieldLen = CURVE.nByteLength; 4166 const adjustScalarBytes3 = CURVE.adjustScalarBytes || ((bytes3) => bytes3); 4167 const powPminus2 = CURVE.powPminus2 || ((x) => pow(x, P - BigInt(2), P)); 4168 function cswap(swap, x_2, x_3) { 4169 const dummy = modP(swap * (x_2 - x_3)); 4170 x_2 = modP(x_2 - dummy); 4171 x_3 = modP(x_3 + dummy); 4172 return [x_2, x_3]; 4173 } 4174 function assertFieldElement(n) { 4175 if (typeof n === "bigint" && _0n4 <= n && n < P) 4176 return n; 4177 throw new Error("Expected valid scalar 0 < scalar < CURVE.P"); 4178 } 4179 const a24 = (CURVE.a - BigInt(2)) / BigInt(4); 4180 function montgomeryLadder(pointU, scalar) { 4181 const u = assertFieldElement(pointU); 4182 const k = assertFieldElement(scalar); 4183 const x_1 = u; 4184 let x_2 = _1n5; 4185 let z_2 = _0n4; 4186 let x_3 = u; 4187 let z_3 = _1n5; 4188 let swap = _0n4; 4189 let sw; 4190 for (let t = BigInt(montgomeryBits - 1); t >= _0n4; t--) { 4191 const k_t = k >> t & _1n5; 4192 swap ^= k_t; 4193 sw = cswap(swap, x_2, x_3); 4194 x_2 = sw[0]; 4195 x_3 = sw[1]; 4196 sw = cswap(swap, z_2, z_3); 4197 z_2 = sw[0]; 4198 z_3 = sw[1]; 4199 swap = k_t; 4200 const A = x_2 + z_2; 4201 const AA = modP(A * A); 4202 const B = x_2 - z_2; 4203 const BB = modP(B * B); 4204 const E = AA - BB; 4205 const C = x_3 + z_3; 4206 const D = x_3 - z_3; 4207 const DA = modP(D * A); 4208 const CB = modP(C * B); 4209 const dacb = DA + CB; 4210 const da_cb = DA - CB; 4211 x_3 = modP(dacb * dacb); 4212 z_3 = modP(x_1 * modP(da_cb * da_cb)); 4213 x_2 = modP(AA * BB); 4214 z_2 = modP(E * (AA + modP(a24 * E))); 4215 } 4216 sw = cswap(swap, x_2, x_3); 4217 x_2 = sw[0]; 4218 x_3 = sw[1]; 4219 sw = cswap(swap, z_2, z_3); 4220 z_2 = sw[0]; 4221 z_3 = sw[1]; 4222 const z2 = powPminus2(z_2); 4223 return modP(x_2 * z2); 4224 } 4225 function encodeUCoordinate(u) { 4226 return numberToBytesLE(modP(u), montgomeryBytes); 4227 } 4228 function decodeUCoordinate(uEnc) { 4229 const u = ensureBytes("u coordinate", uEnc, montgomeryBytes); 4230 if (fieldLen === 32) 4231 u[31] &= 127; 4232 return bytesToNumberLE(u); 4233 } 4234 function decodeScalar(n) { 4235 const bytes3 = ensureBytes("scalar", n); 4236 const len = bytes3.length; 4237 if (len !== montgomeryBytes && len !== fieldLen) 4238 throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${len}`); 4239 return bytesToNumberLE(adjustScalarBytes3(bytes3)); 4240 } 4241 function scalarMult(scalar, u) { 4242 const pointU = decodeUCoordinate(u); 4243 const _scalar = decodeScalar(scalar); 4244 const pu = montgomeryLadder(pointU, _scalar); 4245 if (pu === _0n4) 4246 throw new Error("Invalid private or public key received"); 4247 return encodeUCoordinate(pu); 4248 } 4249 const GuBytes = encodeUCoordinate(CURVE.Gu); 4250 function scalarMultBase(scalar) { 4251 return scalarMult(scalar, GuBytes); 4252 } 4253 return { 4254 scalarMult, 4255 scalarMultBase, 4256 getSharedSecret: (privateKey, publicKey) => scalarMult(privateKey, publicKey), 4257 getPublicKey: (privateKey) => scalarMultBase(privateKey), 4258 utils: { randomPrivateKey: () => CURVE.randomBytes(CURVE.nByteLength) }, 4259 GuBytes 4260 }; 4261 } 4262 4263 // npm/node_modules/@noble/curves/esm/ed25519.js 4264 var ED25519_P = BigInt("57896044618658097711785492504343953926634992332820282019728792003956564819949"); 4265 var _0n5 = BigInt(0); 4266 var _1n6 = BigInt(1); 4267 var _2n4 = BigInt(2); 4268 var _3n2 = BigInt(3); 4269 var _5n2 = BigInt(5); 4270 var _8n3 = BigInt(8); 4271 function ed25519_pow_2_252_3(x) { 4272 const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80); 4273 const P = ED25519_P; 4274 const x2 = x * x % P; 4275 const b2 = x2 * x % P; 4276 const b4 = pow2(b2, _2n4, P) * b2 % P; 4277 const b5 = pow2(b4, _1n6, P) * x % P; 4278 const b10 = pow2(b5, _5n2, P) * b5 % P; 4279 const b20 = pow2(b10, _10n, P) * b10 % P; 4280 const b40 = pow2(b20, _20n, P) * b20 % P; 4281 const b80 = pow2(b40, _40n, P) * b40 % P; 4282 const b160 = pow2(b80, _80n, P) * b80 % P; 4283 const b240 = pow2(b160, _80n, P) * b80 % P; 4284 const b250 = pow2(b240, _10n, P) * b10 % P; 4285 const pow_p_5_8 = pow2(b250, _2n4, P) * x % P; 4286 return { pow_p_5_8, b2 }; 4287 } 4288 function adjustScalarBytes(bytes3) { 4289 bytes3[0] &= 248; 4290 bytes3[31] &= 127; 4291 bytes3[31] |= 64; 4292 return bytes3; 4293 } 4294 var x25519 = /* @__PURE__ */ (() => montgomery({ 4295 P: ED25519_P, 4296 a: BigInt(486662), 4297 montgomeryBits: 255, 4298 // n is 253 bits 4299 nByteLength: 32, 4300 Gu: BigInt(9), 4301 powPminus2: (x) => { 4302 const P = ED25519_P; 4303 const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x); 4304 return mod(pow2(pow_p_5_8, _3n2, P) * b2, P); 4305 }, 4306 adjustScalarBytes, 4307 randomBytes 4308 }))(); 4309 4310 // npm/esm/src/xCryptoKey.js 4311 var XCryptoKey = class { 4312 constructor(name, key, type, usages = []) { 4313 Object.defineProperty(this, "key", { 4314 enumerable: true, 4315 configurable: true, 4316 writable: true, 4317 value: void 0 4318 }); 4319 Object.defineProperty(this, "type", { 4320 enumerable: true, 4321 configurable: true, 4322 writable: true, 4323 value: void 0 4324 }); 4325 Object.defineProperty(this, "extractable", { 4326 enumerable: true, 4327 configurable: true, 4328 writable: true, 4329 value: true 4330 }); 4331 Object.defineProperty(this, "algorithm", { 4332 enumerable: true, 4333 configurable: true, 4334 writable: true, 4335 value: void 0 4336 }); 4337 Object.defineProperty(this, "usages", { 4338 enumerable: true, 4339 configurable: true, 4340 writable: true, 4341 value: void 0 4342 }); 4343 this.key = key; 4344 this.type = type; 4345 this.algorithm = { name }; 4346 this.usages = usages; 4347 if (type === "public") { 4348 this.usages = []; 4349 } 4350 } 4351 }; 4352 4353 // npm/esm/src/kems/dhkemPrimitives/x25519.js 4354 var ALG_NAME = "X25519"; 4355 var X25519 = class { 4356 constructor(hkdf) { 4357 Object.defineProperty(this, "_hkdf", { 4358 enumerable: true, 4359 configurable: true, 4360 writable: true, 4361 value: void 0 4362 }); 4363 Object.defineProperty(this, "_nPk", { 4364 enumerable: true, 4365 configurable: true, 4366 writable: true, 4367 value: void 0 4368 }); 4369 Object.defineProperty(this, "_nSk", { 4370 enumerable: true, 4371 configurable: true, 4372 writable: true, 4373 value: void 0 4374 }); 4375 this._hkdf = hkdf; 4376 this._nPk = 32; 4377 this._nSk = 32; 4378 } 4379 async serializePublicKey(key) { 4380 try { 4381 return await this._serializePublicKey(key); 4382 } catch (e) { 4383 throw new SerializeError(e); 4384 } 4385 } 4386 async deserializePublicKey(key) { 4387 try { 4388 return await this._importRawKey(key, true); 4389 } catch (e) { 4390 throw new DeserializeError(e); 4391 } 4392 } 4393 async serializePrivateKey(key) { 4394 try { 4395 return await this._serializePrivateKey(key); 4396 } catch (e) { 4397 throw new SerializeError(e); 4398 } 4399 } 4400 async deserializePrivateKey(key) { 4401 try { 4402 return await this._importRawKey(key, false); 4403 } catch (e) { 4404 throw new DeserializeError(e); 4405 } 4406 } 4407 async importKey(format, key, isPublic) { 4408 try { 4409 if (format === "raw") { 4410 return await this._importRawKey(key, isPublic); 4411 } 4412 if (key instanceof ArrayBuffer) { 4413 throw new Error("Invalid jwk key format"); 4414 } 4415 return await this._importJWK(key, isPublic); 4416 } catch (e) { 4417 throw new DeserializeError(e); 4418 } 4419 } 4420 async generateKeyPair() { 4421 try { 4422 const rawSk = x25519.utils.randomPrivateKey(); 4423 const sk = new XCryptoKey(ALG_NAME, rawSk, "private", KEM_USAGES2); 4424 const pk = await this.derivePublicKey(sk); 4425 return { publicKey: pk, privateKey: sk }; 4426 } catch (e) { 4427 throw new NotSupportedError(e); 4428 } 4429 } 4430 async deriveKeyPair(ikm) { 4431 try { 4432 const dkpPrk = await this._hkdf.labeledExtract(EMPTY2, LABEL_DKP_PRK2, new Uint8Array(ikm)); 4433 const rawSk = await this._hkdf.labeledExpand(dkpPrk, LABEL_SK2, EMPTY2, this._nSk); 4434 const sk = new XCryptoKey(ALG_NAME, new Uint8Array(rawSk), "private", KEM_USAGES2); 4435 return { 4436 privateKey: sk, 4437 publicKey: await this.derivePublicKey(sk) 4438 }; 4439 } catch (e) { 4440 throw new DeriveKeyPairError(e); 4441 } 4442 } 4443 async derivePublicKey(key) { 4444 try { 4445 return await this._derivePublicKey(key); 4446 } catch (e) { 4447 throw new DeserializeError(e); 4448 } 4449 } 4450 async dh(sk, pk) { 4451 try { 4452 return await this._dh(sk, pk); 4453 } catch (e) { 4454 throw new SerializeError(e); 4455 } 4456 } 4457 _serializePublicKey(k) { 4458 return new Promise((resolve) => { 4459 resolve(k.key.buffer); 4460 }); 4461 } 4462 _serializePrivateKey(k) { 4463 return new Promise((resolve) => { 4464 resolve(k.key.buffer); 4465 }); 4466 } 4467 _importRawKey(key, isPublic) { 4468 return new Promise((resolve, reject) => { 4469 if (isPublic && key.byteLength !== this._nPk) { 4470 reject(new Error("Invalid length of the key")); 4471 } 4472 if (!isPublic && key.byteLength !== this._nSk) { 4473 reject(new Error("Invalid length of the key")); 4474 } 4475 resolve(new XCryptoKey(ALG_NAME, new Uint8Array(key), isPublic ? "public" : "private", isPublic ? [] : KEM_USAGES2)); 4476 }); 4477 } 4478 _importJWK(key, isPublic) { 4479 return new Promise((resolve, reject) => { 4480 if (typeof key.kty === "undefined" || key.kty !== "OKP") { 4481 reject(new Error(`Invalid kty: ${key.kty}`)); 4482 } 4483 if (typeof key.crv === "undefined" || key.crv !== "X25519") { 4484 reject(new Error(`Invalid crv: ${key.crv}`)); 4485 } 4486 if (isPublic) { 4487 if (typeof key.d !== "undefined") { 4488 reject(new Error("Invalid key: `d` should not be set")); 4489 } 4490 if (typeof key.x === "undefined") { 4491 reject(new Error("Invalid key: `x` not found")); 4492 } 4493 resolve(new XCryptoKey(ALG_NAME, base64UrlToBytes2(key.x), "public")); 4494 } else { 4495 if (typeof key.d !== "string") { 4496 reject(new Error("Invalid key: `d` not found")); 4497 } 4498 resolve(new XCryptoKey(ALG_NAME, base64UrlToBytes2(key.d), "private", KEM_USAGES2)); 4499 } 4500 }); 4501 } 4502 _derivePublicKey(k) { 4503 return new Promise((resolve, reject) => { 4504 try { 4505 const pk = x25519.getPublicKey(k.key); 4506 resolve(new XCryptoKey(ALG_NAME, pk, "public")); 4507 } catch (e) { 4508 reject(e); 4509 } 4510 }); 4511 } 4512 _dh(sk, pk) { 4513 return new Promise((resolve, reject) => { 4514 try { 4515 resolve(x25519.getSharedSecret(sk.key, pk.key).buffer); 4516 } catch (e) { 4517 reject(e); 4518 } 4519 }); 4520 } 4521 }; 4522 4523 // npm/esm/src/kems/dhkemX25519.js 4524 var DhkemX25519HkdfSha256 = class extends Dhkem2 { 4525 constructor() { 4526 const kdf = new HkdfSha2562(); 4527 super(KemId.DhkemX25519HkdfSha256, new X25519(kdf), kdf); 4528 Object.defineProperty(this, "id", { 4529 enumerable: true, 4530 configurable: true, 4531 writable: true, 4532 value: KemId.DhkemX25519HkdfSha256 4533 }); 4534 Object.defineProperty(this, "secretSize", { 4535 enumerable: true, 4536 configurable: true, 4537 writable: true, 4538 value: 32 4539 }); 4540 Object.defineProperty(this, "encSize", { 4541 enumerable: true, 4542 configurable: true, 4543 writable: true, 4544 value: 32 4545 }); 4546 Object.defineProperty(this, "publicKeySize", { 4547 enumerable: true, 4548 configurable: true, 4549 writable: true, 4550 value: 32 4551 }); 4552 Object.defineProperty(this, "privateKeySize", { 4553 enumerable: true, 4554 configurable: true, 4555 writable: true, 4556 value: 32 4557 }); 4558 } 4559 }; 4560 4561 // npm/node_modules/@noble/hashes/esm/sha3.js 4562 var SHA3_PI = []; 4563 var SHA3_ROTL = []; 4564 var _SHA3_IOTA = []; 4565 var _0n6 = /* @__PURE__ */ BigInt(0); 4566 var _1n7 = /* @__PURE__ */ BigInt(1); 4567 var _2n5 = /* @__PURE__ */ BigInt(2); 4568 var _7n = /* @__PURE__ */ BigInt(7); 4569 var _256n = /* @__PURE__ */ BigInt(256); 4570 var _0x71n = /* @__PURE__ */ BigInt(113); 4571 for (let round = 0, R = _1n7, x = 1, y = 0; round < 24; round++) { 4572 [x, y] = [y, (2 * x + 3 * y) % 5]; 4573 SHA3_PI.push(2 * (5 * y + x)); 4574 SHA3_ROTL.push((round + 1) * (round + 2) / 2 % 64); 4575 let t = _0n6; 4576 for (let j = 0; j < 7; j++) { 4577 R = (R << _1n7 ^ (R >> _7n) * _0x71n) % _256n; 4578 if (R & _2n5) 4579 t ^= _1n7 << (_1n7 << /* @__PURE__ */ BigInt(j)) - _1n7; 4580 } 4581 _SHA3_IOTA.push(t); 4582 } 4583 var [SHA3_IOTA_H, SHA3_IOTA_L] = /* @__PURE__ */ split(_SHA3_IOTA, true); 4584 var rotlH = (h, l, s) => s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s); 4585 var rotlL = (h, l, s) => s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s); 4586 function keccakP(s, rounds = 24) { 4587 const B = new Uint32Array(5 * 2); 4588 for (let round = 24 - rounds; round < 24; round++) { 4589 for (let x = 0; x < 10; x++) 4590 B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40]; 4591 for (let x = 0; x < 10; x += 2) { 4592 const idx1 = (x + 8) % 10; 4593 const idx0 = (x + 2) % 10; 4594 const B0 = B[idx0]; 4595 const B1 = B[idx0 + 1]; 4596 const Th = rotlH(B0, B1, 1) ^ B[idx1]; 4597 const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1]; 4598 for (let y = 0; y < 50; y += 10) { 4599 s[x + y] ^= Th; 4600 s[x + y + 1] ^= Tl; 4601 } 4602 } 4603 let curH = s[2]; 4604 let curL = s[3]; 4605 for (let t = 0; t < 24; t++) { 4606 const shift = SHA3_ROTL[t]; 4607 const Th = rotlH(curH, curL, shift); 4608 const Tl = rotlL(curH, curL, shift); 4609 const PI = SHA3_PI[t]; 4610 curH = s[PI]; 4611 curL = s[PI + 1]; 4612 s[PI] = Th; 4613 s[PI + 1] = Tl; 4614 } 4615 for (let y = 0; y < 50; y += 10) { 4616 for (let x = 0; x < 10; x++) 4617 B[x] = s[y + x]; 4618 for (let x = 0; x < 10; x++) 4619 s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10]; 4620 } 4621 s[0] ^= SHA3_IOTA_H[round]; 4622 s[1] ^= SHA3_IOTA_L[round]; 4623 } 4624 B.fill(0); 4625 } 4626 var Keccak = class _Keccak extends Hash { 4627 // NOTE: we accept arguments in bytes instead of bits here. 4628 constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) { 4629 super(); 4630 this.blockLen = blockLen; 4631 this.suffix = suffix; 4632 this.outputLen = outputLen; 4633 this.enableXOF = enableXOF; 4634 this.rounds = rounds; 4635 this.pos = 0; 4636 this.posOut = 0; 4637 this.finished = false; 4638 this.destroyed = false; 4639 number2(outputLen); 4640 if (0 >= this.blockLen || this.blockLen >= 200) 4641 throw new Error("Sha3 supports only keccak-f1600 function"); 4642 this.state = new Uint8Array(200); 4643 this.state32 = u322(this.state); 4644 } 4645 keccak() { 4646 if (!isLE2) 4647 byteSwap32(this.state32); 4648 keccakP(this.state32, this.rounds); 4649 if (!isLE2) 4650 byteSwap32(this.state32); 4651 this.posOut = 0; 4652 this.pos = 0; 4653 } 4654 update(data) { 4655 exists2(this); 4656 const { blockLen, state } = this; 4657 data = toBytes2(data); 4658 const len = data.length; 4659 for (let pos = 0; pos < len; ) { 4660 const take = Math.min(blockLen - this.pos, len - pos); 4661 for (let i = 0; i < take; i++) 4662 state[this.pos++] ^= data[pos++]; 4663 if (this.pos === blockLen) 4664 this.keccak(); 4665 } 4666 return this; 4667 } 4668 finish() { 4669 if (this.finished) 4670 return; 4671 this.finished = true; 4672 const { state, suffix, pos, blockLen } = this; 4673 state[pos] ^= suffix; 4674 if ((suffix & 128) !== 0 && pos === blockLen - 1) 4675 this.keccak(); 4676 state[blockLen - 1] ^= 128; 4677 this.keccak(); 4678 } 4679 writeInto(out) { 4680 exists2(this, false); 4681 bytes2(out); 4682 this.finish(); 4683 const bufferOut = this.state; 4684 const { blockLen } = this; 4685 for (let pos = 0, len = out.length; pos < len; ) { 4686 if (this.posOut >= blockLen) 4687 this.keccak(); 4688 const take = Math.min(blockLen - this.posOut, len - pos); 4689 out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos); 4690 this.posOut += take; 4691 pos += take; 4692 } 4693 return out; 4694 } 4695 xofInto(out) { 4696 if (!this.enableXOF) 4697 throw new Error("XOF is not possible for this instance"); 4698 return this.writeInto(out); 4699 } 4700 xof(bytes3) { 4701 number2(bytes3); 4702 return this.xofInto(new Uint8Array(bytes3)); 4703 } 4704 digestInto(out) { 4705 output2(out, this); 4706 if (this.finished) 4707 throw new Error("digest() was already called"); 4708 this.writeInto(out); 4709 this.destroy(); 4710 return out; 4711 } 4712 digest() { 4713 return this.digestInto(new Uint8Array(this.outputLen)); 4714 } 4715 destroy() { 4716 this.destroyed = true; 4717 this.state.fill(0); 4718 } 4719 _cloneInto(to) { 4720 const { blockLen, suffix, outputLen, rounds, enableXOF } = this; 4721 to || (to = new _Keccak(blockLen, suffix, outputLen, enableXOF, rounds)); 4722 to.state32.set(this.state32); 4723 to.pos = this.pos; 4724 to.posOut = this.posOut; 4725 to.finished = this.finished; 4726 to.rounds = rounds; 4727 to.suffix = suffix; 4728 to.outputLen = outputLen; 4729 to.enableXOF = enableXOF; 4730 to.destroyed = this.destroyed; 4731 return to; 4732 } 4733 }; 4734 var gen = (suffix, blockLen, outputLen) => wrapConstructor(() => new Keccak(blockLen, suffix, outputLen)); 4735 var sha3_224 = /* @__PURE__ */ gen(6, 144, 224 / 8); 4736 var sha3_256 = /* @__PURE__ */ gen(6, 136, 256 / 8); 4737 var sha3_384 = /* @__PURE__ */ gen(6, 104, 384 / 8); 4738 var sha3_512 = /* @__PURE__ */ gen(6, 72, 512 / 8); 4739 var keccak_224 = /* @__PURE__ */ gen(1, 144, 224 / 8); 4740 var keccak_256 = /* @__PURE__ */ gen(1, 136, 256 / 8); 4741 var keccak_384 = /* @__PURE__ */ gen(1, 104, 384 / 8); 4742 var keccak_512 = /* @__PURE__ */ gen(1, 72, 512 / 8); 4743 var genShake = (suffix, blockLen, outputLen) => wrapXOFConstructorWithOpts((opts = {}) => new Keccak(blockLen, suffix, opts.dkLen === void 0 ? outputLen : opts.dkLen, true)); 4744 var shake128 = /* @__PURE__ */ genShake(31, 168, 128 / 8); 4745 var shake256 = /* @__PURE__ */ genShake(31, 136, 256 / 8); 4746 4747 // npm/node_modules/@noble/curves/esm/ed448.js 4748 var shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 })); 4749 var shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 })); 4750 var ed448P = BigInt("726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439"); 4751 var _1n8 = BigInt(1); 4752 var _2n6 = BigInt(2); 4753 var _3n3 = BigInt(3); 4754 var _4n2 = BigInt(4); 4755 var _11n = BigInt(11); 4756 var _22n = BigInt(22); 4757 var _44n = BigInt(44); 4758 var _88n = BigInt(88); 4759 var _223n = BigInt(223); 4760 function ed448_pow_Pminus3div4(x) { 4761 const P = ed448P; 4762 const b2 = x * x * x % P; 4763 const b3 = b2 * b2 * x % P; 4764 const b6 = pow2(b3, _3n3, P) * b3 % P; 4765 const b9 = pow2(b6, _3n3, P) * b3 % P; 4766 const b11 = pow2(b9, _2n6, P) * b2 % P; 4767 const b22 = pow2(b11, _11n, P) * b11 % P; 4768 const b44 = pow2(b22, _22n, P) * b22 % P; 4769 const b88 = pow2(b44, _44n, P) * b44 % P; 4770 const b176 = pow2(b88, _88n, P) * b88 % P; 4771 const b220 = pow2(b176, _44n, P) * b44 % P; 4772 const b222 = pow2(b220, _2n6, P) * b2 % P; 4773 const b223 = pow2(b222, _1n8, P) * x % P; 4774 return pow2(b223, _223n, P) * b222 % P; 4775 } 4776 function adjustScalarBytes2(bytes3) { 4777 bytes3[0] &= 252; 4778 bytes3[55] |= 128; 4779 bytes3[56] = 0; 4780 return bytes3; 4781 } 4782 function uvRatio(u, v) { 4783 const P = ed448P; 4784 const u2v = mod(u * u * v, P); 4785 const u3v = mod(u2v * u, P); 4786 const u5v3 = mod(u3v * u2v * v, P); 4787 const root = ed448_pow_Pminus3div4(u5v3); 4788 const x = mod(u3v * root, P); 4789 const x2 = mod(x * x, P); 4790 return { isValid: mod(x2 * v, P) === u, value: x }; 4791 } 4792 var Fp = Field(ed448P, 456, true); 4793 var ED448_DEF = { 4794 // Param: a 4795 a: BigInt(1), 4796 // -39081. Negative number is P - number 4797 d: BigInt("726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358"), 4798 // Finite field 𝔽p over which we'll do calculations; 2n**448n - 2n**224n - 1n 4799 Fp, 4800 // Subgroup order: how many points curve has; 4801 // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n 4802 n: BigInt("181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779"), 4803 // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys 4804 nBitLength: 456, 4805 // Cofactor 4806 h: BigInt(4), 4807 // Base point (x, y) aka generator point 4808 Gx: BigInt("224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710"), 4809 Gy: BigInt("298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660"), 4810 // SHAKE256(dom4(phflag,context)||x, 114) 4811 hash: shake256_114, 4812 randomBytes, 4813 adjustScalarBytes: adjustScalarBytes2, 4814 // dom4 4815 domain: (data, ctx, phflag) => { 4816 if (ctx.length > 255) 4817 throw new Error(`Context is too big: ${ctx.length}`); 4818 return concatBytes(utf8ToBytes2("SigEd448"), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data); 4819 }, 4820 uvRatio 4821 }; 4822 var ed448ph = /* @__PURE__ */ twistedEdwards({ ...ED448_DEF, prehash: shake256_64 }); 4823 var x448 = /* @__PURE__ */ (() => montgomery({ 4824 a: BigInt(156326), 4825 // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys 4826 montgomeryBits: 448, 4827 nByteLength: 56, 4828 P: ed448P, 4829 Gu: BigInt(5), 4830 powPminus2: (x) => { 4831 const P = ed448P; 4832 const Pminus3div4 = ed448_pow_Pminus3div4(x); 4833 const Pminus3 = pow2(Pminus3div4, BigInt(2), P); 4834 return mod(Pminus3 * x, P); 4835 }, 4836 adjustScalarBytes: adjustScalarBytes2, 4837 randomBytes 4838 }))(); 4839 var ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); 4840 var ELL2_J = BigInt(156326); 4841 var ONE_MINUS_D = BigInt("39082"); 4842 var ONE_MINUS_TWO_D = BigInt("78163"); 4843 var SQRT_MINUS_D = BigInt("98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214"); 4844 var INVSQRT_MINUS_D = BigInt("315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716"); 4845 var MAX_448B = BigInt("0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"); 4846 4847 // npm/esm/src/kems/dhkemPrimitives/x448.js 4848 var ALG_NAME2 = "X448"; 4849 var X448 = class { 4850 constructor(hkdf) { 4851 Object.defineProperty(this, "_hkdf", { 4852 enumerable: true, 4853 configurable: true, 4854 writable: true, 4855 value: void 0 4856 }); 4857 Object.defineProperty(this, "_nPk", { 4858 enumerable: true, 4859 configurable: true, 4860 writable: true, 4861 value: void 0 4862 }); 4863 Object.defineProperty(this, "_nSk", { 4864 enumerable: true, 4865 configurable: true, 4866 writable: true, 4867 value: void 0 4868 }); 4869 this._hkdf = hkdf; 4870 this._nPk = 56; 4871 this._nSk = 56; 4872 } 4873 async serializePublicKey(key) { 4874 try { 4875 return await this._serializePublicKey(key); 4876 } catch (e) { 4877 throw new SerializeError(e); 4878 } 4879 } 4880 async deserializePublicKey(key) { 4881 try { 4882 return await this._importRawKey(key, true); 4883 } catch (e) { 4884 throw new DeserializeError(e); 4885 } 4886 } 4887 async serializePrivateKey(key) { 4888 try { 4889 return await this._serializePrivateKey(key); 4890 } catch (e) { 4891 throw new SerializeError(e); 4892 } 4893 } 4894 async deserializePrivateKey(key) { 4895 try { 4896 return await this._importRawKey(key, false); 4897 } catch (e) { 4898 throw new DeserializeError(e); 4899 } 4900 } 4901 async importKey(format, key, isPublic) { 4902 try { 4903 if (format === "raw") { 4904 return await this._importRawKey(key, isPublic); 4905 } 4906 if (key instanceof ArrayBuffer) { 4907 throw new Error("Invalid jwk key format"); 4908 } 4909 return await this._importJWK(key, isPublic); 4910 } catch (e) { 4911 throw new DeserializeError(e); 4912 } 4913 } 4914 async generateKeyPair() { 4915 try { 4916 const rawSk = x448.utils.randomPrivateKey(); 4917 const sk = new XCryptoKey(ALG_NAME2, rawSk, "private", KEM_USAGES2); 4918 const pk = await this.derivePublicKey(sk); 4919 return { publicKey: pk, privateKey: sk }; 4920 } catch (e) { 4921 throw new NotSupportedError(e); 4922 } 4923 } 4924 async deriveKeyPair(ikm) { 4925 try { 4926 const dkpPrk = await this._hkdf.labeledExtract(EMPTY2, LABEL_DKP_PRK2, new Uint8Array(ikm)); 4927 const rawSk = await this._hkdf.labeledExpand(dkpPrk, LABEL_SK2, EMPTY2, this._nSk); 4928 const sk = new XCryptoKey(ALG_NAME2, new Uint8Array(rawSk), "private", KEM_USAGES2); 4929 return { 4930 privateKey: sk, 4931 publicKey: await this.derivePublicKey(sk) 4932 }; 4933 } catch (e) { 4934 throw new DeriveKeyPairError(e); 4935 } 4936 } 4937 async derivePublicKey(key) { 4938 try { 4939 return await this._derivePublicKey(key); 4940 } catch (e) { 4941 throw new DeserializeError(e); 4942 } 4943 } 4944 async dh(sk, pk) { 4945 try { 4946 return await this._dh(sk, pk); 4947 } catch (e) { 4948 throw new SerializeError(e); 4949 } 4950 } 4951 _serializePublicKey(k) { 4952 return new Promise((resolve) => { 4953 resolve(k.key.buffer); 4954 }); 4955 } 4956 _serializePrivateKey(k) { 4957 return new Promise((resolve) => { 4958 resolve(k.key.buffer); 4959 }); 4960 } 4961 _importRawKey(key, isPublic) { 4962 return new Promise((resolve, reject) => { 4963 if (isPublic && key.byteLength !== this._nPk) { 4964 reject(new Error("Invalid length of the key")); 4965 } 4966 if (!isPublic && key.byteLength !== this._nSk) { 4967 reject(new Error("Invalid length of the key")); 4968 } 4969 resolve(new XCryptoKey(ALG_NAME2, new Uint8Array(key), isPublic ? "public" : "private", isPublic ? [] : KEM_USAGES2)); 4970 }); 4971 } 4972 _importJWK(key, isPublic) { 4973 return new Promise((resolve, reject) => { 4974 if (key.kty !== "OKP") { 4975 reject(new Error(`Invalid kty: ${key.kty}`)); 4976 } 4977 if (key.crv !== "X448") { 4978 reject(new Error(`Invalid crv: ${key.crv}`)); 4979 } 4980 if (isPublic) { 4981 if (typeof key.d !== "undefined") { 4982 reject(new Error("Invalid key: `d` should not be set")); 4983 } 4984 if (typeof key.x !== "string") { 4985 reject(new Error("Invalid key: `x` not found")); 4986 } 4987 resolve(new XCryptoKey(ALG_NAME2, base64UrlToBytes2(key.x), "public")); 4988 } else { 4989 if (typeof key.d !== "string") { 4990 reject(new Error("Invalid key: `d` not found")); 4991 } 4992 resolve(new XCryptoKey(ALG_NAME2, base64UrlToBytes2(key.d), "private", KEM_USAGES2)); 4993 } 4994 }); 4995 } 4996 _derivePublicKey(k) { 4997 return new Promise((resolve, reject) => { 4998 try { 4999 const pk = x448.getPublicKey(k.key); 5000 resolve(new XCryptoKey(ALG_NAME2, pk, "public")); 5001 } catch (e) { 5002 reject(e); 5003 } 5004 }); 5005 } 5006 _dh(sk, pk) { 5007 return new Promise((resolve, reject) => { 5008 try { 5009 resolve(x448.getSharedSecret(sk.key, pk.key).buffer); 5010 } catch (e) { 5011 reject(e); 5012 } 5013 }); 5014 } 5015 }; 5016 5017 // npm/esm/src/kems/dhkemX448.js 5018 var DhkemX448HkdfSha512 = class extends Dhkem2 { 5019 constructor() { 5020 const kdf = new HkdfSha5122(); 5021 super(KemId.DhkemX448HkdfSha512, new X448(kdf), kdf); 5022 Object.defineProperty(this, "id", { 5023 enumerable: true, 5024 configurable: true, 5025 writable: true, 5026 value: KemId.DhkemX448HkdfSha512 5027 }); 5028 Object.defineProperty(this, "secretSize", { 5029 enumerable: true, 5030 configurable: true, 5031 writable: true, 5032 value: 64 5033 }); 5034 Object.defineProperty(this, "encSize", { 5035 enumerable: true, 5036 configurable: true, 5037 writable: true, 5038 value: 56 5039 }); 5040 Object.defineProperty(this, "publicKeySize", { 5041 enumerable: true, 5042 configurable: true, 5043 writable: true, 5044 value: 56 5045 }); 5046 Object.defineProperty(this, "privateKeySize", { 5047 enumerable: true, 5048 configurable: true, 5049 writable: true, 5050 value: 56 5051 }); 5052 } 5053 }; 5054 5055 // npm/esm/core/src/utils/emitNotSupported.js 5056 function emitNotSupported2() { 5057 return new Promise((_resolve, reject) => { 5058 reject(new NotSupportedError("Not supported")); 5059 }); 5060 } 5061 5062 // npm/esm/core/src/exporterContext.js 5063 var LABEL_SEC2 = new Uint8Array([115, 101, 99]); 5064 var ExporterContextImpl2 = class { 5065 constructor(api, kdf, exporterSecret) { 5066 Object.defineProperty(this, "_api", { 5067 enumerable: true, 5068 configurable: true, 5069 writable: true, 5070 value: void 0 5071 }); 5072 Object.defineProperty(this, "exporterSecret", { 5073 enumerable: true, 5074 configurable: true, 5075 writable: true, 5076 value: void 0 5077 }); 5078 Object.defineProperty(this, "_kdf", { 5079 enumerable: true, 5080 configurable: true, 5081 writable: true, 5082 value: void 0 5083 }); 5084 this._api = api; 5085 this._kdf = kdf; 5086 this.exporterSecret = exporterSecret; 5087 } 5088 async seal(_data, _aad) { 5089 return await emitNotSupported2(); 5090 } 5091 async open(_data, _aad) { 5092 return await emitNotSupported2(); 5093 } 5094 async export(exporterContext, len) { 5095 if (exporterContext.byteLength > INPUT_LENGTH_LIMIT2) { 5096 throw new InvalidParamError("Too long exporter context"); 5097 } 5098 try { 5099 return await this._kdf.labeledExpand(this.exporterSecret, LABEL_SEC2, new Uint8Array(exporterContext), len); 5100 } catch (e) { 5101 throw new ExportError(e); 5102 } 5103 } 5104 }; 5105 var RecipientExporterContextImpl2 = class extends ExporterContextImpl2 { 5106 }; 5107 var SenderExporterContextImpl2 = class extends ExporterContextImpl2 { 5108 constructor(api, kdf, exporterSecret, enc) { 5109 super(api, kdf, exporterSecret); 5110 Object.defineProperty(this, "enc", { 5111 enumerable: true, 5112 configurable: true, 5113 writable: true, 5114 value: void 0 5115 }); 5116 this.enc = enc; 5117 return; 5118 } 5119 }; 5120 5121 // npm/esm/core/src/encryptionContext.js 5122 function xor(a, b) { 5123 if (a.byteLength !== b.byteLength) { 5124 throw new Error("xor: different length inputs"); 5125 } 5126 const buf = new Uint8Array(a.byteLength); 5127 for (let i = 0; i < a.byteLength; i++) { 5128 buf[i] = a[i] ^ b[i]; 5129 } 5130 return buf; 5131 } 5132 var EncryptionContextImpl2 = class extends ExporterContextImpl2 { 5133 constructor(api, kdf, params) { 5134 super(api, kdf, params.exporterSecret); 5135 Object.defineProperty(this, "_aead", { 5136 enumerable: true, 5137 configurable: true, 5138 writable: true, 5139 value: void 0 5140 }); 5141 Object.defineProperty(this, "_nK", { 5142 enumerable: true, 5143 configurable: true, 5144 writable: true, 5145 value: void 0 5146 }); 5147 Object.defineProperty(this, "_nN", { 5148 enumerable: true, 5149 configurable: true, 5150 writable: true, 5151 value: void 0 5152 }); 5153 Object.defineProperty(this, "_nT", { 5154 enumerable: true, 5155 configurable: true, 5156 writable: true, 5157 value: void 0 5158 }); 5159 Object.defineProperty(this, "_ctx", { 5160 enumerable: true, 5161 configurable: true, 5162 writable: true, 5163 value: void 0 5164 }); 5165 if (params.key === void 0 || params.baseNonce === void 0 || params.seq === void 0) { 5166 throw new Error("Required parameters are missing"); 5167 } 5168 this._aead = params.aead; 5169 this._nK = this._aead.keySize; 5170 this._nN = this._aead.nonceSize; 5171 this._nT = this._aead.tagSize; 5172 const key = this._aead.createEncryptionContext(params.key); 5173 this._ctx = { 5174 key, 5175 baseNonce: params.baseNonce, 5176 seq: params.seq 5177 }; 5178 } 5179 computeNonce(k) { 5180 const seqBytes = i2Osp2(k.seq, k.baseNonce.byteLength); 5181 return xor(k.baseNonce, seqBytes); 5182 } 5183 incrementSeq(k) { 5184 if (k.seq > Number.MAX_SAFE_INTEGER) { 5185 throw new MessageLimitReachedError("Message limit reached"); 5186 } 5187 k.seq += 1; 5188 return; 5189 } 5190 }; 5191 5192 // npm/esm/core/src/recipientContext.js 5193 var RecipientContextImpl2 = class extends EncryptionContextImpl2 { 5194 async open(data, aad = EMPTY2) { 5195 let pt; 5196 try { 5197 pt = await this._ctx.key.open(this.computeNonce(this._ctx), data, aad); 5198 } catch (e) { 5199 throw new OpenError(e); 5200 } 5201 this.incrementSeq(this._ctx); 5202 return pt; 5203 } 5204 }; 5205 5206 // npm/esm/core/src/senderContext.js 5207 var SenderContextImpl2 = class extends EncryptionContextImpl2 { 5208 constructor(api, kdf, params, enc) { 5209 super(api, kdf, params); 5210 Object.defineProperty(this, "enc", { 5211 enumerable: true, 5212 configurable: true, 5213 writable: true, 5214 value: void 0 5215 }); 5216 this.enc = enc; 5217 } 5218 async seal(data, aad = EMPTY2) { 5219 let ct; 5220 try { 5221 ct = await this._ctx.key.seal(this.computeNonce(this._ctx), data, aad); 5222 } catch (e) { 5223 throw new SealError(e); 5224 } 5225 this.incrementSeq(this._ctx); 5226 return ct; 5227 } 5228 }; 5229 5230 // npm/esm/core/src/cipherSuiteNative.js 5231 var LABEL_BASE_NONCE2 = new Uint8Array([ 5232 98, 5233 97, 5234 115, 5235 101, 5236 95, 5237 110, 5238 111, 5239 110, 5240 99, 5241 101 5242 ]); 5243 var LABEL_EXP2 = new Uint8Array([101, 120, 112]); 5244 var LABEL_INFO_HASH2 = new Uint8Array([ 5245 105, 5246 110, 5247 102, 5248 111, 5249 95, 5250 104, 5251 97, 5252 115, 5253 104 5254 ]); 5255 var LABEL_KEY2 = new Uint8Array([107, 101, 121]); 5256 var LABEL_PSK_ID_HASH2 = new Uint8Array([ 5257 112, 5258 115, 5259 107, 5260 95, 5261 105, 5262 100, 5263 95, 5264 104, 5265 97, 5266 115, 5267 104 5268 ]); 5269 var LABEL_SECRET2 = new Uint8Array([115, 101, 99, 114, 101, 116]); 5270 var SUITE_ID_HEADER_HPKE2 = new Uint8Array([ 5271 72, 5272 80, 5273 75, 5274 69, 5275 0, 5276 0, 5277 0, 5278 0, 5279 0, 5280 0 5281 ]); 5282 var CipherSuiteNative2 = class extends NativeAlgorithm { 5283 /** 5284 * @param params A set of parameters for building a cipher suite. 5285 * 5286 * If the error occurred, throws {@link InvalidParamError}. 5287 * 5288 * @throws {@link InvalidParamError} 5289 */ 5290 constructor(params) { 5291 super(); 5292 Object.defineProperty(this, "_kem", { 5293 enumerable: true, 5294 configurable: true, 5295 writable: true, 5296 value: void 0 5297 }); 5298 Object.defineProperty(this, "_kdf", { 5299 enumerable: true, 5300 configurable: true, 5301 writable: true, 5302 value: void 0 5303 }); 5304 Object.defineProperty(this, "_aead", { 5305 enumerable: true, 5306 configurable: true, 5307 writable: true, 5308 value: void 0 5309 }); 5310 Object.defineProperty(this, "_suiteId", { 5311 enumerable: true, 5312 configurable: true, 5313 writable: true, 5314 value: void 0 5315 }); 5316 if (typeof params.kem === "number") { 5317 throw new InvalidParamError("KemId cannot be used"); 5318 } 5319 this._kem = params.kem; 5320 if (typeof params.kdf === "number") { 5321 throw new InvalidParamError("KdfId cannot be used"); 5322 } 5323 this._kdf = params.kdf; 5324 if (typeof params.aead === "number") { 5325 throw new InvalidParamError("AeadId cannot be used"); 5326 } 5327 this._aead = params.aead; 5328 this._suiteId = new Uint8Array(SUITE_ID_HEADER_HPKE2); 5329 this._suiteId.set(i2Osp2(this._kem.id, 2), 4); 5330 this._suiteId.set(i2Osp2(this._kdf.id, 2), 6); 5331 this._suiteId.set(i2Osp2(this._aead.id, 2), 8); 5332 this._kdf.init(this._suiteId); 5333 } 5334 /** 5335 * Gets the KEM context of the ciphersuite. 5336 */ 5337 get kem() { 5338 return this._kem; 5339 } 5340 /** 5341 * Gets the KDF context of the ciphersuite. 5342 */ 5343 get kdf() { 5344 return this._kdf; 5345 } 5346 /** 5347 * Gets the AEAD context of the ciphersuite. 5348 */ 5349 get aead() { 5350 return this._aead; 5351 } 5352 /** 5353 * Creates an encryption context for a sender. 5354 * 5355 * If the error occurred, throws {@link DecapError} | {@link ValidationError}. 5356 * 5357 * @param params A set of parameters for the sender encryption context. 5358 * @returns A sender encryption context. 5359 * @throws {@link EncapError}, {@link ValidationError} 5360 */ 5361 async createSenderContext(params) { 5362 this._validateInputLength(params); 5363 await this._setup(); 5364 const dh = await this._kem.encap(params); 5365 let mode; 5366 if (params.psk !== void 0) { 5367 mode = params.senderKey !== void 0 ? Mode.AuthPsk : Mode.Psk; 5368 } else { 5369 mode = params.senderKey !== void 0 ? Mode.Auth : Mode.Base; 5370 } 5371 return await this._keyScheduleS(mode, dh.sharedSecret, dh.enc, params); 5372 } 5373 /** 5374 * Creates an encryption context for a recipient. 5375 * 5376 * If the error occurred, throws {@link DecapError} 5377 * | {@link DeserializeError} | {@link ValidationError}. 5378 * 5379 * @param params A set of parameters for the recipient encryption context. 5380 * @returns A recipient encryption context. 5381 * @throws {@link DecapError}, {@link DeserializeError}, {@link ValidationError} 5382 */ 5383 async createRecipientContext(params) { 5384 this._validateInputLength(params); 5385 await this._setup(); 5386 const sharedSecret = await this._kem.decap(params); 5387 let mode; 5388 if (params.psk !== void 0) { 5389 mode = params.senderPublicKey !== void 0 ? Mode.AuthPsk : Mode.Psk; 5390 } else { 5391 mode = params.senderPublicKey !== void 0 ? Mode.Auth : Mode.Base; 5392 } 5393 return await this._keyScheduleR(mode, sharedSecret, params); 5394 } 5395 /** 5396 * Encrypts a message to a recipient. 5397 * 5398 * If the error occurred, throws `EncapError` | `MessageLimitReachedError` | `SealError` | `ValidationError`. 5399 * 5400 * @param params A set of parameters for building a sender encryption context. 5401 * @param pt A plain text as bytes to be encrypted. 5402 * @param aad Additional authenticated data as bytes fed by an application. 5403 * @returns A cipher text and an encapsulated key as bytes. 5404 * @throws {@link EncapError}, {@link MessageLimitReachedError}, {@link SealError}, {@link ValidationError} 5405 */ 5406 async seal(params, pt, aad = EMPTY2) { 5407 const ctx = await this.createSenderContext(params); 5408 return { 5409 ct: await ctx.seal(pt, aad), 5410 enc: ctx.enc 5411 }; 5412 } 5413 /** 5414 * Decrypts a message from a sender. 5415 * 5416 * If the error occurred, throws `DecapError` | `DeserializeError` | `OpenError` | `ValidationError`. 5417 * 5418 * @param params A set of parameters for building a recipient encryption context. 5419 * @param ct An encrypted text as bytes to be decrypted. 5420 * @param aad Additional authenticated data as bytes fed by an application. 5421 * @returns A decrypted plain text as bytes. 5422 * @throws {@link DecapError}, {@link DeserializeError}, {@link OpenError}, {@link ValidationError} 5423 */ 5424 async open(params, ct, aad = EMPTY2) { 5425 const ctx = await this.createRecipientContext(params); 5426 return await ctx.open(ct, aad); 5427 } 5428 // private verifyPskInputs(mode: Mode, params: KeyScheduleParams) { 5429 // const gotPsk = (params.psk !== undefined); 5430 // const gotPskId = (params.psk !== undefined && params.psk.id.byteLength > 0); 5431 // if (gotPsk !== gotPskId) { 5432 // throw new Error('Inconsistent PSK inputs'); 5433 // } 5434 // if (gotPsk && (mode === Mode.Base || mode === Mode.Auth)) { 5435 // throw new Error('PSK input provided when not needed'); 5436 // } 5437 // if (!gotPsk && (mode === Mode.Psk || mode === Mode.AuthPsk)) { 5438 // throw new Error('Missing required PSK input'); 5439 // } 5440 // return; 5441 // } 5442 async _keySchedule(mode, sharedSecret, params) { 5443 const pskId = params.psk === void 0 ? EMPTY2 : new Uint8Array(params.psk.id); 5444 const pskIdHash = await this._kdf.labeledExtract(EMPTY2, LABEL_PSK_ID_HASH2, pskId); 5445 const info = params.info === void 0 ? EMPTY2 : new Uint8Array(params.info); 5446 const infoHash = await this._kdf.labeledExtract(EMPTY2, LABEL_INFO_HASH2, info); 5447 const keyScheduleContext = new Uint8Array(1 + pskIdHash.byteLength + infoHash.byteLength); 5448 keyScheduleContext.set(new Uint8Array([mode]), 0); 5449 keyScheduleContext.set(new Uint8Array(pskIdHash), 1); 5450 keyScheduleContext.set(new Uint8Array(infoHash), 1 + pskIdHash.byteLength); 5451 const psk = params.psk === void 0 ? EMPTY2 : new Uint8Array(params.psk.key); 5452 const ikm = this._kdf.buildLabeledIkm(LABEL_SECRET2, psk); 5453 const exporterSecretInfo = this._kdf.buildLabeledInfo(LABEL_EXP2, keyScheduleContext, this._kdf.hashSize); 5454 const exporterSecret = await this._kdf.extractAndExpand(sharedSecret, ikm, exporterSecretInfo, this._kdf.hashSize); 5455 if (this._aead.id === AeadId.ExportOnly) { 5456 return { aead: this._aead, exporterSecret }; 5457 } 5458 const keyInfo = this._kdf.buildLabeledInfo(LABEL_KEY2, keyScheduleContext, this._aead.keySize); 5459 const key = await this._kdf.extractAndExpand(sharedSecret, ikm, keyInfo, this._aead.keySize); 5460 const baseNonceInfo = this._kdf.buildLabeledInfo(LABEL_BASE_NONCE2, keyScheduleContext, this._aead.nonceSize); 5461 const baseNonce = await this._kdf.extractAndExpand(sharedSecret, ikm, baseNonceInfo, this._aead.nonceSize); 5462 return { 5463 aead: this._aead, 5464 exporterSecret, 5465 key, 5466 baseNonce: new Uint8Array(baseNonce), 5467 seq: 0 5468 }; 5469 } 5470 async _keyScheduleS(mode, sharedSecret, enc, params) { 5471 const res = await this._keySchedule(mode, sharedSecret, params); 5472 if (res.key === void 0) { 5473 return new SenderExporterContextImpl2(this._api, this._kdf, res.exporterSecret, enc); 5474 } 5475 return new SenderContextImpl2(this._api, this._kdf, res, enc); 5476 } 5477 async _keyScheduleR(mode, sharedSecret, params) { 5478 const res = await this._keySchedule(mode, sharedSecret, params); 5479 if (res.key === void 0) { 5480 return new RecipientExporterContextImpl2(this._api, this._kdf, res.exporterSecret); 5481 } 5482 return new RecipientContextImpl2(this._api, this._kdf, res); 5483 } 5484 _validateInputLength(params) { 5485 if (params.info !== void 0 && params.info.byteLength > INPUT_LENGTH_LIMIT2) { 5486 throw new InvalidParamError("Too long info"); 5487 } 5488 if (params.psk !== void 0) { 5489 if (params.psk.key.byteLength < MINIMUM_PSK_LENGTH2) { 5490 throw new InvalidParamError(`PSK must have at least ${MINIMUM_PSK_LENGTH2} bytes`); 5491 } 5492 if (params.psk.key.byteLength > INPUT_LENGTH_LIMIT2) { 5493 throw new InvalidParamError("Too long psk.key"); 5494 } 5495 if (params.psk.id.byteLength > INPUT_LENGTH_LIMIT2) { 5496 throw new InvalidParamError("Too long psk.id"); 5497 } 5498 } 5499 return; 5500 } 5501 }; 5502 5503 // npm/esm/src/cipherSuite.js 5504 var CipherSuite2 = class extends CipherSuiteNative2 { 5505 /** 5506 * @param params A set of parameters for building a cipher suite. 5507 * @throws {@link InvalidParamError} 5508 */ 5509 constructor(params) { 5510 if (typeof params.kem === "number") { 5511 switch (params.kem) { 5512 case KemId.DhkemP256HkdfSha256: 5513 params.kem = new DhkemP256HkdfSha2562(); 5514 break; 5515 case KemId.DhkemP384HkdfSha384: 5516 params.kem = new DhkemP384HkdfSha3842(); 5517 break; 5518 case KemId.DhkemP521HkdfSha512: 5519 params.kem = new DhkemP521HkdfSha5122(); 5520 break; 5521 case KemId.DhkemX25519HkdfSha256: 5522 params.kem = new DhkemX25519HkdfSha256(); 5523 break; 5524 case KemId.DhkemX448HkdfSha512: 5525 params.kem = new DhkemX448HkdfSha512(); 5526 break; 5527 default: 5528 throw new InvalidParamError(`The KEM (${params.kem}) cannot be specified by KemId. Use submodule for the KEM`); 5529 } 5530 } 5531 if (typeof params.kdf === "number") { 5532 switch (params.kdf) { 5533 case KdfId.HkdfSha256: 5534 params.kdf = new HkdfSha2562(); 5535 break; 5536 case KdfId.HkdfSha384: 5537 params.kdf = new HkdfSha3842(); 5538 break; 5539 default: 5540 params.kdf = new HkdfSha5122(); 5541 break; 5542 } 5543 } 5544 if (typeof params.aead === "number") { 5545 switch (params.aead) { 5546 case AeadId.Aes128Gcm: 5547 params.aead = new Aes128Gcm(); 5548 break; 5549 case AeadId.Aes256Gcm: 5550 params.aead = new Aes256Gcm(); 5551 break; 5552 case AeadId.Chacha20Poly1305: 5553 params.aead = new Chacha20Poly1305(); 5554 break; 5555 default: 5556 params.aead = new ExportOnly(); 5557 break; 5558 } 5559 } 5560 super(params); 5561 } 5562 /** 5563 * Generates a key pair for the cipher suite. 5564 * 5565 * If the error occurred, throws {@link NotSupportedError}. 5566 * 5567 * @deprecated Use {@link KemInterface.generateKeyPair} instead. 5568 * 5569 * @returns A key pair generated. 5570 * @throws {@link NotSupportedError} 5571 */ 5572 async generateKeyPair() { 5573 await this._setup(); 5574 return await this._kem.generateKeyPair(); 5575 } 5576 /** 5577 * Derives a key pair for the cipher suite in the manner 5578 * defined in [RFC9180 Section 7.1.3](https://www.rfc-editor.org/rfc/rfc9180.html#section-7.1.3). 5579 * 5580 * If the error occurred, throws {@link DeriveKeyPairError}. 5581 * 5582 * @deprecated Use {@link KemInterface.deriveKeyPair} instead. 5583 * 5584 * @param ikm A byte string of input keying material. The maximum length is 128 bytes. 5585 * @returns A key pair derived. 5586 * @throws {@link DeriveKeyPairError} 5587 */ 5588 async deriveKeyPair(ikm) { 5589 await this._setup(); 5590 return await this._kem.deriveKeyPair(ikm); 5591 } 5592 /** 5593 * Imports a public or private key and converts to a {@link CryptoKey}. 5594 * 5595 * Since key parameters for {@link createSenderContext} or {@link createRecipientContext} 5596 * are {@link CryptoKey} format, you have to use this function to convert provided keys 5597 * to {@link CryptoKey}. 5598 * 5599 * Basically, this is a thin wrapper function of 5600 * [SubtleCrypto.importKey](https://www.w3.org/TR/WebCryptoAPI/#dfn-SubtleCrypto-method-importKey). 5601 * 5602 * If the error occurred, throws {@link DeserializeError}. 5603 * 5604 * @deprecated Use {@link KemInterface.generateKeyPair} instead. 5605 * 5606 * @param format For now, `'raw'` and `'jwk'` are supported. 5607 * @param key A byte string of a raw key or A {@link JsonWebKey} object. 5608 * @param isPublic The indicator whether the provided key is a public key or not, which is used only for `'raw'` format. 5609 * @returns A public or private CryptoKey. 5610 * @throws {@link DeserializeError} 5611 */ 5612 async importKey(format, key, isPublic = true) { 5613 await this._setup(); 5614 return await this._kem.importKey(format, key, isPublic); 5615 } 5616 }; 5617 export { 5618 Aead, 5619 AeadId, 5620 BaseError, 5621 CipherSuite2 as CipherSuite, 5622 DecapError, 5623 DeriveKeyPairError, 5624 DeserializeError, 5625 EncapError, 5626 ExportError, 5627 HpkeError, 5628 InvalidParamError, 5629 Kdf, 5630 KdfId, 5631 Kem, 5632 KemId, 5633 MessageLimitReachedError, 5634 NotSupportedError, 5635 OpenError, 5636 SealError, 5637 SerializeError, 5638 ValidationError 5639 }; 5640 /*! Bundled license information: 5641 5642 @noble/ciphers/esm/utils.js: 5643 (*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) *) 5644 5645 @noble/hashes/esm/utils.js: 5646 (*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *) 5647 5648 @noble/curves/esm/abstract/utils.js: 5649 (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) 5650 5651 @noble/curves/esm/abstract/modular.js: 5652 (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) 5653 5654 @noble/curves/esm/abstract/curve.js: 5655 (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) 5656 5657 @noble/curves/esm/abstract/edwards.js: 5658 (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) 5659 5660 @noble/curves/esm/abstract/montgomery.js: 5661 (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) 5662 5663 @noble/curves/esm/ed25519.js: 5664 (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) 5665 5666 @noble/curves/esm/ed448.js: 5667 (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) 5668 */