// npm/esm/_dnt.shims.js var dntGlobals = {}; var dntGlobalThis = createMergeProxy(globalThis, dntGlobals); function createMergeProxy(baseObj, extObj) { return new Proxy(baseObj, { get(_target, prop, _receiver) { if (prop in extObj) { return extObj[prop]; } else { return baseObj[prop]; } }, set(_target, prop, value) { if (prop in extObj) { delete extObj[prop]; } baseObj[prop] = value; return true; }, deleteProperty(_target, prop) { let success = false; if (prop in extObj) { delete extObj[prop]; success = true; } if (prop in baseObj) { delete baseObj[prop]; success = true; } return success; }, ownKeys(_target) { const baseKeys = Reflect.ownKeys(baseObj); const extKeys = Reflect.ownKeys(extObj); const extKeysSet = new Set(extKeys); return [...baseKeys.filter((k) => !extKeysSet.has(k)), ...extKeys]; }, defineProperty(_target, prop, desc) { if (prop in extObj) { delete extObj[prop]; } Reflect.defineProperty(baseObj, prop, desc); return true; }, getOwnPropertyDescriptor(_target, prop) { if (prop in extObj) { return Reflect.getOwnPropertyDescriptor(extObj, prop); } else { return Reflect.getOwnPropertyDescriptor(baseObj, prop); } }, has(_target, prop) { return prop in extObj || prop in baseObj; } }); } // npm/esm/core/src/errors.js var BaseError = class extends Error { constructor(e) { let message; if (e instanceof Error) { message = e.message; } else if (typeof e === "string") { message = e; } else { message = ""; } super(message); this.name = this.constructor.name; } }; var HpkeError = class extends BaseError { }; var InvalidParamError = class extends HpkeError { }; var ValidationError = class extends HpkeError { }; var SerializeError = class extends HpkeError { }; var DeserializeError = class extends HpkeError { }; var EncapError = class extends HpkeError { }; var DecapError = class extends HpkeError { }; var ExportError = class extends HpkeError { }; var SealError = class extends HpkeError { }; var OpenError = class extends HpkeError { }; var MessageLimitReachedError = class extends HpkeError { }; var DeriveKeyPairError = class extends HpkeError { }; var NotSupportedError = class extends HpkeError { }; // npm/esm/core/src/algorithm.js async function loadSubtleCrypto() { if (dntGlobalThis !== void 0 && globalThis.crypto !== void 0) { return globalThis.crypto.subtle; } try { const { webcrypto } = await import("crypto"); return webcrypto.subtle; } catch (e) { throw new NotSupportedError(e); } } var NativeAlgorithm = class { constructor() { Object.defineProperty(this, "_api", { enumerable: true, configurable: true, writable: true, value: void 0 }); } async _setup() { if (this._api !== void 0) { return; } this._api = await loadSubtleCrypto(); } }; // npm/esm/core/src/identifiers.js var Mode = { Base: 0, Psk: 1, Auth: 2, AuthPsk: 3 }; var Kem = { NotAssigned: 0, DhkemP256HkdfSha256: 16, DhkemP384HkdfSha384: 17, DhkemP521HkdfSha512: 18, DhkemSecp256k1HkdfSha256: 19, DhkemX25519HkdfSha256: 32, DhkemX448HkdfSha512: 33, HybridkemX25519Kyber768: 48 }; var KemId = Kem; var Kdf = { HkdfSha256: 1, HkdfSha384: 2, HkdfSha512: 3 }; var KdfId = Kdf; var Aead = { Aes128Gcm: 1, Aes256Gcm: 2, Chacha20Poly1305: 3, ExportOnly: 65535 }; var AeadId = Aead; // npm/esm/core/src/interfaces/aeadEncryptionContext.js var AEAD_USAGES = ["encrypt", "decrypt"]; // npm/esm/core/src/aeads/aesGcm.js var AesGcmContext = class extends NativeAlgorithm { constructor(key) { super(); Object.defineProperty(this, "_rawKey", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_key", { enumerable: true, configurable: true, writable: true, value: void 0 }); this._rawKey = key; } async seal(iv, data, aad) { await this._setupKey(); const alg = { name: "AES-GCM", iv, additionalData: aad }; const ct = await this._api.encrypt(alg, this._key, data); return ct; } async open(iv, data, aad) { await this._setupKey(); const alg = { name: "AES-GCM", iv, additionalData: aad }; const pt = await this._api.decrypt(alg, this._key, data); return pt; } async _setupKey() { if (this._key !== void 0) { return; } await this._setup(); const key = await this._importKey(this._rawKey); new Uint8Array(this._rawKey).fill(0); this._key = key; return; } async _importKey(key) { return await this._api.importKey("raw", key, { name: "AES-GCM" }, true, AEAD_USAGES); } }; var Aes128Gcm = class { constructor() { Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: AeadId.Aes128Gcm }); Object.defineProperty(this, "keySize", { enumerable: true, configurable: true, writable: true, value: 16 }); Object.defineProperty(this, "nonceSize", { enumerable: true, configurable: true, writable: true, value: 12 }); Object.defineProperty(this, "tagSize", { enumerable: true, configurable: true, writable: true, value: 16 }); } createEncryptionContext(key) { return new AesGcmContext(key); } }; var Aes256Gcm = class extends Aes128Gcm { constructor() { super(...arguments); Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: AeadId.Aes256Gcm }); Object.defineProperty(this, "keySize", { enumerable: true, configurable: true, writable: true, value: 32 }); Object.defineProperty(this, "nonceSize", { enumerable: true, configurable: true, writable: true, value: 12 }); Object.defineProperty(this, "tagSize", { enumerable: true, configurable: true, writable: true, value: 16 }); } }; // npm/esm/core/src/aeads/exportOnly.js var ExportOnly = class { constructor() { Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: AeadId.ExportOnly }); Object.defineProperty(this, "keySize", { enumerable: true, configurable: true, writable: true, value: 0 }); Object.defineProperty(this, "nonceSize", { enumerable: true, configurable: true, writable: true, value: 0 }); Object.defineProperty(this, "tagSize", { enumerable: true, configurable: true, writable: true, value: 0 }); } createEncryptionContext(_key) { throw new NotSupportedError("Export only"); } }; // npm/node_modules/@noble/ciphers/esm/_assert.js function number(n) { if (!Number.isSafeInteger(n) || n < 0) throw new Error(`positive integer expected, not ${n}`); } function bool(b) { if (typeof b !== "boolean") throw new Error(`boolean expected, not ${b}`); } function isBytes(a) { return a instanceof Uint8Array || a != null && typeof a === "object" && a.constructor.name === "Uint8Array"; } function bytes(b, ...lengths) { if (!isBytes(b)) throw new Error("Uint8Array expected"); if (lengths.length > 0 && !lengths.includes(b.length)) throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`); } function exists(instance, checkFinished = true) { if (instance.destroyed) throw new Error("Hash instance has been destroyed"); if (checkFinished && instance.finished) throw new Error("Hash#digest() has already been called"); } function output(out, instance) { bytes(out); const min = instance.outputLen; if (out.length < min) { throw new Error(`digestInto() expects output buffer of length at least ${min}`); } } // npm/node_modules/@noble/ciphers/esm/utils.js var u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4)); var createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength); var isLE = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68; if (!isLE) throw new Error("Non little-endian hardware is not supported"); function utf8ToBytes(str) { if (typeof str !== "string") throw new Error(`string expected, got ${typeof str}`); return new Uint8Array(new TextEncoder().encode(str)); } function toBytes(data) { if (typeof data === "string") data = utf8ToBytes(data); else if (isBytes(data)) data = data.slice(); else throw new Error(`Uint8Array expected, got ${typeof data}`); return data; } function checkOpts(defaults, opts) { if (opts == null || typeof opts !== "object") throw new Error("options must be defined"); const merged = Object.assign(defaults, opts); return merged; } function equalBytes(a, b) { if (a.length !== b.length) return false; let diff = 0; for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i]; return diff === 0; } var wrapCipher = /* @__NO_SIDE_EFFECTS__ */ (params, c) => { Object.assign(c, params); return c; }; function setBigUint64(view, byteOffset, value, isLE3) { if (typeof view.setBigUint64 === "function") return view.setBigUint64(byteOffset, value, isLE3); const _32n2 = BigInt(32); const _u32_max = BigInt(4294967295); const wh = Number(value >> _32n2 & _u32_max); const wl = Number(value & _u32_max); const h = isLE3 ? 4 : 0; const l = isLE3 ? 0 : 4; view.setUint32(byteOffset + h, wh, isLE3); view.setUint32(byteOffset + l, wl, isLE3); } // npm/node_modules/@noble/ciphers/esm/_poly1305.js var u8to16 = (a, i) => a[i++] & 255 | (a[i++] & 255) << 8; var Poly1305 = class { constructor(key) { this.blockLen = 16; this.outputLen = 16; this.buffer = new Uint8Array(16); this.r = new Uint16Array(10); this.h = new Uint16Array(10); this.pad = new Uint16Array(8); this.pos = 0; this.finished = false; key = toBytes(key); bytes(key, 32); const t0 = u8to16(key, 0); const t1 = u8to16(key, 2); const t2 = u8to16(key, 4); const t3 = u8to16(key, 6); const t4 = u8to16(key, 8); const t5 = u8to16(key, 10); const t6 = u8to16(key, 12); const t7 = u8to16(key, 14); this.r[0] = t0 & 8191; this.r[1] = (t0 >>> 13 | t1 << 3) & 8191; this.r[2] = (t1 >>> 10 | t2 << 6) & 7939; this.r[3] = (t2 >>> 7 | t3 << 9) & 8191; this.r[4] = (t3 >>> 4 | t4 << 12) & 255; this.r[5] = t4 >>> 1 & 8190; this.r[6] = (t4 >>> 14 | t5 << 2) & 8191; this.r[7] = (t5 >>> 11 | t6 << 5) & 8065; this.r[8] = (t6 >>> 8 | t7 << 8) & 8191; this.r[9] = t7 >>> 5 & 127; for (let i = 0; i < 8; i++) this.pad[i] = u8to16(key, 16 + 2 * i); } process(data, offset, isLast = false) { const hibit = isLast ? 0 : 1 << 11; const { h, r } = this; const r0 = r[0]; const r1 = r[1]; const r2 = r[2]; const r3 = r[3]; const r4 = r[4]; const r5 = r[5]; const r6 = r[6]; const r7 = r[7]; const r8 = r[8]; const r9 = r[9]; const t0 = u8to16(data, offset + 0); const t1 = u8to16(data, offset + 2); const t2 = u8to16(data, offset + 4); const t3 = u8to16(data, offset + 6); const t4 = u8to16(data, offset + 8); const t5 = u8to16(data, offset + 10); const t6 = u8to16(data, offset + 12); const t7 = u8to16(data, offset + 14); let h0 = h[0] + (t0 & 8191); let h1 = h[1] + ((t0 >>> 13 | t1 << 3) & 8191); let h2 = h[2] + ((t1 >>> 10 | t2 << 6) & 8191); let h3 = h[3] + ((t2 >>> 7 | t3 << 9) & 8191); let h4 = h[4] + ((t3 >>> 4 | t4 << 12) & 8191); let h5 = h[5] + (t4 >>> 1 & 8191); let h6 = h[6] + ((t4 >>> 14 | t5 << 2) & 8191); let h7 = h[7] + ((t5 >>> 11 | t6 << 5) & 8191); let h8 = h[8] + ((t6 >>> 8 | t7 << 8) & 8191); let h9 = h[9] + (t7 >>> 5 | hibit); let c = 0; let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6); c = d0 >>> 13; d0 &= 8191; d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1); c += d0 >>> 13; d0 &= 8191; let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7); c = d1 >>> 13; d1 &= 8191; d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2); c += d1 >>> 13; d1 &= 8191; let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8); c = d2 >>> 13; d2 &= 8191; d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3); c += d2 >>> 13; d2 &= 8191; let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9); c = d3 >>> 13; d3 &= 8191; d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4); c += d3 >>> 13; d3 &= 8191; let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0; c = d4 >>> 13; d4 &= 8191; d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5); c += d4 >>> 13; d4 &= 8191; let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1; c = d5 >>> 13; d5 &= 8191; d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6); c += d5 >>> 13; d5 &= 8191; let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2; c = d6 >>> 13; d6 &= 8191; d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7); c += d6 >>> 13; d6 &= 8191; let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3; c = d7 >>> 13; d7 &= 8191; d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8); c += d7 >>> 13; d7 &= 8191; let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4; c = d8 >>> 13; d8 &= 8191; d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9); c += d8 >>> 13; d8 &= 8191; let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5; c = d9 >>> 13; d9 &= 8191; d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0; c += d9 >>> 13; d9 &= 8191; c = (c << 2) + c | 0; c = c + d0 | 0; d0 = c & 8191; c = c >>> 13; d1 += c; h[0] = d0; h[1] = d1; h[2] = d2; h[3] = d3; h[4] = d4; h[5] = d5; h[6] = d6; h[7] = d7; h[8] = d8; h[9] = d9; } finalize() { const { h, pad } = this; const g = new Uint16Array(10); let c = h[1] >>> 13; h[1] &= 8191; for (let i = 2; i < 10; i++) { h[i] += c; c = h[i] >>> 13; h[i] &= 8191; } h[0] += c * 5; c = h[0] >>> 13; h[0] &= 8191; h[1] += c; c = h[1] >>> 13; h[1] &= 8191; h[2] += c; g[0] = h[0] + 5; c = g[0] >>> 13; g[0] &= 8191; for (let i = 1; i < 10; i++) { g[i] = h[i] + c; c = g[i] >>> 13; g[i] &= 8191; } g[9] -= 1 << 13; let mask = (c ^ 1) - 1; for (let i = 0; i < 10; i++) g[i] &= mask; mask = ~mask; for (let i = 0; i < 10; i++) h[i] = h[i] & mask | g[i]; h[0] = (h[0] | h[1] << 13) & 65535; h[1] = (h[1] >>> 3 | h[2] << 10) & 65535; h[2] = (h[2] >>> 6 | h[3] << 7) & 65535; h[3] = (h[3] >>> 9 | h[4] << 4) & 65535; h[4] = (h[4] >>> 12 | h[5] << 1 | h[6] << 14) & 65535; h[5] = (h[6] >>> 2 | h[7] << 11) & 65535; h[6] = (h[7] >>> 5 | h[8] << 8) & 65535; h[7] = (h[8] >>> 8 | h[9] << 5) & 65535; let f = h[0] + pad[0]; h[0] = f & 65535; for (let i = 1; i < 8; i++) { f = (h[i] + pad[i] | 0) + (f >>> 16) | 0; h[i] = f & 65535; } } update(data) { exists(this); const { buffer, blockLen } = this; data = toBytes(data); const len = data.length; for (let pos = 0; pos < len; ) { const take = Math.min(blockLen - this.pos, len - pos); if (take === blockLen) { for (; blockLen <= len - pos; pos += blockLen) this.process(data, pos); continue; } buffer.set(data.subarray(pos, pos + take), this.pos); this.pos += take; pos += take; if (this.pos === blockLen) { this.process(buffer, 0, false); this.pos = 0; } } return this; } destroy() { this.h.fill(0); this.r.fill(0); this.buffer.fill(0); this.pad.fill(0); } digestInto(out) { exists(this); output(out, this); this.finished = true; const { buffer, h } = this; let { pos } = this; if (pos) { buffer[pos++] = 1; for (; pos < 16; pos++) buffer[pos] = 0; this.process(buffer, 0, true); } this.finalize(); let opos = 0; for (let i = 0; i < 8; i++) { out[opos++] = h[i] >>> 0; out[opos++] = h[i] >>> 8; } return out; } digest() { const { buffer, outputLen } = this; this.digestInto(buffer); const res = buffer.slice(0, outputLen); this.destroy(); return res; } }; function wrapConstructorWithKey(hashCons) { const hashC = (msg, key) => hashCons(key).update(toBytes(msg)).digest(); const tmp = hashCons(new Uint8Array(32)); hashC.outputLen = tmp.outputLen; hashC.blockLen = tmp.blockLen; hashC.create = (key) => hashCons(key); return hashC; } var poly1305 = wrapConstructorWithKey((key) => new Poly1305(key)); // npm/node_modules/@noble/ciphers/esm/_arx.js var _utf8ToBytes = (str) => Uint8Array.from(str.split("").map((c) => c.charCodeAt(0))); var sigma16 = _utf8ToBytes("expand 16-byte k"); var sigma32 = _utf8ToBytes("expand 32-byte k"); var sigma16_32 = u32(sigma16); var sigma32_32 = u32(sigma32); var sigma = sigma32_32.slice(); function rotl(a, b) { return a << b | a >>> 32 - b; } function isAligned32(b) { return b.byteOffset % 4 === 0; } var BLOCK_LEN = 64; var BLOCK_LEN32 = 16; var MAX_COUNTER = 2 ** 32 - 1; var U32_EMPTY = new Uint32Array(); function runCipher(core, sigma2, key, nonce, data, output3, counter, rounds) { const len = data.length; const block = new Uint8Array(BLOCK_LEN); const b32 = u32(block); const isAligned = isAligned32(data) && isAligned32(output3); const d32 = isAligned ? u32(data) : U32_EMPTY; const o32 = isAligned ? u32(output3) : U32_EMPTY; for (let pos = 0; pos < len; counter++) { core(sigma2, key, nonce, b32, counter, rounds); if (counter >= MAX_COUNTER) throw new Error("arx: counter overflow"); const take = Math.min(BLOCK_LEN, len - pos); if (isAligned && take === BLOCK_LEN) { const pos32 = pos / 4; if (pos % 4 !== 0) throw new Error("arx: invalid block position"); for (let j = 0, posj; j < BLOCK_LEN32; j++) { posj = pos32 + j; o32[posj] = d32[posj] ^ b32[j]; } pos += BLOCK_LEN; continue; } for (let j = 0, posj; j < take; j++) { posj = pos + j; output3[posj] = data[posj] ^ block[j]; } pos += take; } } function createCipher(core, opts) { const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = checkOpts({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts); if (typeof core !== "function") throw new Error("core must be a function"); number(counterLength); number(rounds); bool(counterRight); bool(allowShortKeys); return (key, nonce, data, output3, counter = 0) => { bytes(key); bytes(nonce); bytes(data); const len = data.length; if (!output3) output3 = new Uint8Array(len); bytes(output3); number(counter); if (counter < 0 || counter >= MAX_COUNTER) throw new Error("arx: counter overflow"); if (output3.length < len) throw new Error(`arx: output (${output3.length}) is shorter than data (${len})`); const toClean = []; let l = key.length, k, sigma2; if (l === 32) { k = key.slice(); toClean.push(k); sigma2 = sigma32_32; } else if (l === 16 && allowShortKeys) { k = new Uint8Array(32); k.set(key); k.set(key, 16); sigma2 = sigma16_32; toClean.push(k); } else { throw new Error(`arx: invalid 32-byte key, got length=${l}`); } if (!isAligned32(nonce)) { nonce = nonce.slice(); toClean.push(nonce); } const k32 = u32(k); if (extendNonceFn) { if (nonce.length !== 24) throw new Error(`arx: extended nonce must be 24 bytes`); extendNonceFn(sigma2, k32, u32(nonce.subarray(0, 16)), k32); nonce = nonce.subarray(16); } const nonceNcLen = 16 - counterLength; if (nonceNcLen !== nonce.length) throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`); if (nonceNcLen !== 12) { const nc = new Uint8Array(12); nc.set(nonce, counterRight ? 0 : 12 - nonce.length); nonce = nc; toClean.push(nonce); } const n32 = u32(nonce); runCipher(core, sigma2, k32, n32, data, output3, counter, rounds); while (toClean.length > 0) toClean.pop().fill(0); return output3; }; } // npm/node_modules/@noble/ciphers/esm/chacha.js function chachaCore(s, k, n, out, cnt, rounds = 20) { let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15; for (let r = 0; r < rounds; r += 2) { x00 = x00 + x04 | 0; x12 = rotl(x12 ^ x00, 16); x08 = x08 + x12 | 0; x04 = rotl(x04 ^ x08, 12); x00 = x00 + x04 | 0; x12 = rotl(x12 ^ x00, 8); x08 = x08 + x12 | 0; x04 = rotl(x04 ^ x08, 7); x01 = x01 + x05 | 0; x13 = rotl(x13 ^ x01, 16); x09 = x09 + x13 | 0; x05 = rotl(x05 ^ x09, 12); x01 = x01 + x05 | 0; x13 = rotl(x13 ^ x01, 8); x09 = x09 + x13 | 0; x05 = rotl(x05 ^ x09, 7); x02 = x02 + x06 | 0; x14 = rotl(x14 ^ x02, 16); x10 = x10 + x14 | 0; x06 = rotl(x06 ^ x10, 12); x02 = x02 + x06 | 0; x14 = rotl(x14 ^ x02, 8); x10 = x10 + x14 | 0; x06 = rotl(x06 ^ x10, 7); x03 = x03 + x07 | 0; x15 = rotl(x15 ^ x03, 16); x11 = x11 + x15 | 0; x07 = rotl(x07 ^ x11, 12); x03 = x03 + x07 | 0; x15 = rotl(x15 ^ x03, 8); x11 = x11 + x15 | 0; x07 = rotl(x07 ^ x11, 7); x00 = x00 + x05 | 0; x15 = rotl(x15 ^ x00, 16); x10 = x10 + x15 | 0; x05 = rotl(x05 ^ x10, 12); x00 = x00 + x05 | 0; x15 = rotl(x15 ^ x00, 8); x10 = x10 + x15 | 0; x05 = rotl(x05 ^ x10, 7); x01 = x01 + x06 | 0; x12 = rotl(x12 ^ x01, 16); x11 = x11 + x12 | 0; x06 = rotl(x06 ^ x11, 12); x01 = x01 + x06 | 0; x12 = rotl(x12 ^ x01, 8); x11 = x11 + x12 | 0; x06 = rotl(x06 ^ x11, 7); x02 = x02 + x07 | 0; x13 = rotl(x13 ^ x02, 16); x08 = x08 + x13 | 0; x07 = rotl(x07 ^ x08, 12); x02 = x02 + x07 | 0; x13 = rotl(x13 ^ x02, 8); x08 = x08 + x13 | 0; x07 = rotl(x07 ^ x08, 7); x03 = x03 + x04 | 0; x14 = rotl(x14 ^ x03, 16); x09 = x09 + x14 | 0; x04 = rotl(x04 ^ x09, 12); x03 = x03 + x04 | 0; x14 = rotl(x14 ^ x03, 8); x09 = x09 + x14 | 0; x04 = rotl(x04 ^ x09, 7); } let oi = 0; out[oi++] = y00 + x00 | 0; out[oi++] = y01 + x01 | 0; out[oi++] = y02 + x02 | 0; out[oi++] = y03 + x03 | 0; out[oi++] = y04 + x04 | 0; out[oi++] = y05 + x05 | 0; out[oi++] = y06 + x06 | 0; out[oi++] = y07 + x07 | 0; out[oi++] = y08 + x08 | 0; out[oi++] = y09 + x09 | 0; out[oi++] = y10 + x10 | 0; out[oi++] = y11 + x11 | 0; out[oi++] = y12 + x12 | 0; out[oi++] = y13 + x13 | 0; out[oi++] = y14 + x14 | 0; out[oi++] = y15 + x15 | 0; } function hchacha(s, k, i, o32) { let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3]; for (let r = 0; r < 20; r += 2) { x00 = x00 + x04 | 0; x12 = rotl(x12 ^ x00, 16); x08 = x08 + x12 | 0; x04 = rotl(x04 ^ x08, 12); x00 = x00 + x04 | 0; x12 = rotl(x12 ^ x00, 8); x08 = x08 + x12 | 0; x04 = rotl(x04 ^ x08, 7); x01 = x01 + x05 | 0; x13 = rotl(x13 ^ x01, 16); x09 = x09 + x13 | 0; x05 = rotl(x05 ^ x09, 12); x01 = x01 + x05 | 0; x13 = rotl(x13 ^ x01, 8); x09 = x09 + x13 | 0; x05 = rotl(x05 ^ x09, 7); x02 = x02 + x06 | 0; x14 = rotl(x14 ^ x02, 16); x10 = x10 + x14 | 0; x06 = rotl(x06 ^ x10, 12); x02 = x02 + x06 | 0; x14 = rotl(x14 ^ x02, 8); x10 = x10 + x14 | 0; x06 = rotl(x06 ^ x10, 7); x03 = x03 + x07 | 0; x15 = rotl(x15 ^ x03, 16); x11 = x11 + x15 | 0; x07 = rotl(x07 ^ x11, 12); x03 = x03 + x07 | 0; x15 = rotl(x15 ^ x03, 8); x11 = x11 + x15 | 0; x07 = rotl(x07 ^ x11, 7); x00 = x00 + x05 | 0; x15 = rotl(x15 ^ x00, 16); x10 = x10 + x15 | 0; x05 = rotl(x05 ^ x10, 12); x00 = x00 + x05 | 0; x15 = rotl(x15 ^ x00, 8); x10 = x10 + x15 | 0; x05 = rotl(x05 ^ x10, 7); x01 = x01 + x06 | 0; x12 = rotl(x12 ^ x01, 16); x11 = x11 + x12 | 0; x06 = rotl(x06 ^ x11, 12); x01 = x01 + x06 | 0; x12 = rotl(x12 ^ x01, 8); x11 = x11 + x12 | 0; x06 = rotl(x06 ^ x11, 7); x02 = x02 + x07 | 0; x13 = rotl(x13 ^ x02, 16); x08 = x08 + x13 | 0; x07 = rotl(x07 ^ x08, 12); x02 = x02 + x07 | 0; x13 = rotl(x13 ^ x02, 8); x08 = x08 + x13 | 0; x07 = rotl(x07 ^ x08, 7); x03 = x03 + x04 | 0; x14 = rotl(x14 ^ x03, 16); x09 = x09 + x14 | 0; x04 = rotl(x04 ^ x09, 12); x03 = x03 + x04 | 0; x14 = rotl(x14 ^ x03, 8); x09 = x09 + x14 | 0; x04 = rotl(x04 ^ x09, 7); } let oi = 0; o32[oi++] = x00; o32[oi++] = x01; o32[oi++] = x02; o32[oi++] = x03; o32[oi++] = x12; o32[oi++] = x13; o32[oi++] = x14; o32[oi++] = x15; } var chacha20 = /* @__PURE__ */ createCipher(chachaCore, { counterRight: false, counterLength: 4, allowShortKeys: false }); var xchacha20 = /* @__PURE__ */ createCipher(chachaCore, { counterRight: false, counterLength: 8, extendNonceFn: hchacha, allowShortKeys: false }); var ZEROS16 = /* @__PURE__ */ new Uint8Array(16); var updatePadded = (h, msg) => { h.update(msg); const left = msg.length % 16; if (left) h.update(ZEROS16.subarray(left)); }; var ZEROS32 = /* @__PURE__ */ new Uint8Array(32); function computeTag(fn, key, nonce, data, AAD) { const authKey = fn(key, nonce, ZEROS32); const h = poly1305.create(authKey); if (AAD) updatePadded(h, AAD); updatePadded(h, data); const num = new Uint8Array(16); const view = createView(num); setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true); setBigUint64(view, 8, BigInt(data.length), true); h.update(num); const res = h.digest(); authKey.fill(0); return res; } var _poly1305_aead = (xorStream) => (key, nonce, AAD) => { const tagLength = 16; bytes(key, 32); bytes(nonce); return { encrypt: (plaintext, output3) => { const plength = plaintext.length; const clength = plength + tagLength; if (output3) { bytes(output3, clength); } else { output3 = new Uint8Array(clength); } xorStream(key, nonce, plaintext, output3, 1); const tag = computeTag(xorStream, key, nonce, output3.subarray(0, -tagLength), AAD); output3.set(tag, plength); return output3; }, decrypt: (ciphertext, output3) => { const clength = ciphertext.length; const plength = clength - tagLength; if (clength < tagLength) throw new Error(`encrypted data must be at least ${tagLength} bytes`); if (output3) { bytes(output3, plength); } else { output3 = new Uint8Array(plength); } const data = ciphertext.subarray(0, -tagLength); const passedTag = ciphertext.subarray(-tagLength); const tag = computeTag(xorStream, key, nonce, data, AAD); if (!equalBytes(passedTag, tag)) throw new Error("invalid tag"); xorStream(key, nonce, data, output3, 1); return output3; } }; }; var chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20)); var xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20)); // core/src/identifiers.ts var Aead2 = { Aes128Gcm: 1, Aes256Gcm: 2, Chacha20Poly1305: 3, ExportOnly: 65535 }; var AeadId2 = Aead2; // core/src/consts.ts var EMPTY = new Uint8Array(0); // core/src/exporterContext.ts var LABEL_SEC = new Uint8Array([115, 101, 99]); // core/src/cipherSuiteNative.ts var LABEL_BASE_NONCE = new Uint8Array([ 98, 97, 115, 101, 95, 110, 111, 110, 99, 101 ]); var LABEL_EXP = new Uint8Array([101, 120, 112]); var LABEL_INFO_HASH = new Uint8Array([ 105, 110, 102, 111, 95, 104, 97, 115, 104 ]); var LABEL_KEY = new Uint8Array([107, 101, 121]); var LABEL_PSK_ID_HASH = new Uint8Array([ 112, 115, 107, 95, 105, 100, 95, 104, 97, 115, 104 ]); var LABEL_SECRET = new Uint8Array([115, 101, 99, 114, 101, 116]); var SUITE_ID_HEADER_HPKE = new Uint8Array([ 72, 80, 75, 69, 0, 0, 0, 0, 0, 0 ]); // core/src/kdfs/hkdf.ts var HPKE_VERSION = new Uint8Array([72, 80, 75, 69, 45, 118, 49]); // core/src/interfaces/kemInterface.ts var SUITE_ID_HEADER_KEM = new Uint8Array([75, 69, 77, 0, 0]); // core/src/kems/dhkem.ts var LABEL_EAE_PRK = new Uint8Array([101, 97, 101, 95, 112, 114, 107]); var LABEL_SHARED_SECRET = new Uint8Array([ 115, 104, 97, 114, 101, 100, 95, 115, 101, 99, 114, 101, 116 ]); // core/src/interfaces/dhkemPrimitives.ts var LABEL_DKP_PRK = new Uint8Array([100, 107, 112, 95, 112, 114, 107]); var LABEL_SK = new Uint8Array([115, 107]); // core/src/kems/dhkemPrimitives/ec.ts var LABEL_CANDIDATE = new Uint8Array([ 99, 97, 110, 100, 105, 100, 97, 116, 101 ]); var ORDER_P_256 = new Uint8Array([ 255, 255, 255, 255, 0, 0, 0, 0, 255, 255, 255, 255, 255, 255, 255, 255, 188, 230, 250, 173, 167, 23, 158, 132, 243, 185, 202, 194, 252, 99, 37, 81 ]); var ORDER_P_384 = new Uint8Array([ 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 199, 99, 77, 129, 244, 55, 45, 223, 88, 26, 13, 178, 72, 176, 167, 122, 236, 236, 25, 106, 204, 197, 41, 115 ]); var ORDER_P_521 = new Uint8Array([ 1, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 250, 81, 134, 135, 131, 191, 47, 150, 107, 127, 204, 1, 72, 247, 9, 165, 208, 59, 181, 201, 184, 137, 156, 71, 174, 187, 111, 183, 30, 145, 56, 100, 9 ]); var PKCS8_ALG_ID_P_256 = new Uint8Array([ 48, 65, 2, 1, 0, 48, 19, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 8, 42, 134, 72, 206, 61, 3, 1, 7, 4, 39, 48, 37, 2, 1, 1, 4, 32 ]); var PKCS8_ALG_ID_P_384 = new Uint8Array([ 48, 78, 2, 1, 0, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 4, 55, 48, 53, 2, 1, 1, 4, 48 ]); var PKCS8_ALG_ID_P_521 = new Uint8Array([ 48, 96, 2, 1, 0, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 35, 4, 73, 48, 71, 2, 1, 1, 4, 66 ]); // npm/esm/x/chacha20poly1305/src/chacha20Poly1305.js var Chacha20Poly1305Context = class { constructor(key) { Object.defineProperty(this, "_key", { enumerable: true, configurable: true, writable: true, value: void 0 }); this._key = new Uint8Array(key); } async seal(iv, data, aad) { return await this._seal(iv, data, aad); } async open(iv, data, aad) { return await this._open(iv, data, aad); } _seal(iv, data, aad) { return new Promise((resolve) => { const ret = chacha20poly1305(this._key, new Uint8Array(iv), new Uint8Array(aad)).encrypt(new Uint8Array(data)); resolve(ret.buffer); }); } _open(iv, data, aad) { return new Promise((resolve) => { const ret = chacha20poly1305(this._key, new Uint8Array(iv), new Uint8Array(aad)).decrypt(new Uint8Array(data)); resolve(ret.buffer); }); } }; var Chacha20Poly1305 = class { constructor() { Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: AeadId2.Chacha20Poly1305 }); Object.defineProperty(this, "keySize", { enumerable: true, configurable: true, writable: true, value: 32 }); Object.defineProperty(this, "nonceSize", { enumerable: true, configurable: true, writable: true, value: 12 }); Object.defineProperty(this, "tagSize", { enumerable: true, configurable: true, writable: true, value: 16 }); } createEncryptionContext(key) { return new Chacha20Poly1305Context(key); } }; // npm/node_modules/@noble/hashes/esm/_assert.js function number2(n) { if (!Number.isSafeInteger(n) || n < 0) throw new Error(`positive integer expected, not ${n}`); } function isBytes2(a) { return a instanceof Uint8Array || a != null && typeof a === "object" && a.constructor.name === "Uint8Array"; } function bytes2(b, ...lengths) { if (!isBytes2(b)) throw new Error("Uint8Array expected"); if (lengths.length > 0 && !lengths.includes(b.length)) throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`); } function hash(h) { if (typeof h !== "function" || typeof h.create !== "function") throw new Error("Hash should be wrapped by utils.wrapConstructor"); number2(h.outputLen); number2(h.blockLen); } function exists2(instance, checkFinished = true) { if (instance.destroyed) throw new Error("Hash instance has been destroyed"); if (checkFinished && instance.finished) throw new Error("Hash#digest() has already been called"); } function output2(out, instance) { bytes2(out); const min = instance.outputLen; if (out.length < min) { throw new Error(`digestInto() expects output buffer of length at least ${min}`); } } // npm/node_modules/@noble/hashes/esm/crypto.js var crypto = typeof globalThis === "object" && "crypto" in globalThis ? globalThis.crypto : void 0; // npm/node_modules/@noble/hashes/esm/utils.js var u322 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4)); var createView2 = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength); var rotr = (word, shift) => word << 32 - shift | word >>> shift; var isLE2 = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68; var byteSwap = (word) => word << 24 & 4278190080 | word << 8 & 16711680 | word >>> 8 & 65280 | word >>> 24 & 255; function byteSwap32(arr) { for (let i = 0; i < arr.length; i++) { arr[i] = byteSwap(arr[i]); } } function utf8ToBytes2(str) { if (typeof str !== "string") throw new Error(`utf8ToBytes expected string, got ${typeof str}`); return new Uint8Array(new TextEncoder().encode(str)); } function toBytes2(data) { if (typeof data === "string") data = utf8ToBytes2(data); bytes2(data); return data; } function concatBytes(...arrays) { let sum = 0; for (let i = 0; i < arrays.length; i++) { const a = arrays[i]; bytes2(a); sum += a.length; } const res = new Uint8Array(sum); for (let i = 0, pad = 0; i < arrays.length; i++) { const a = arrays[i]; res.set(a, pad); pad += a.length; } return res; } var Hash = class { // Safe version that clones internal state clone() { return this._cloneInto(); } }; var toStr = {}.toString; function wrapConstructor(hashCons) { const hashC = (msg) => hashCons().update(toBytes2(msg)).digest(); const tmp = hashCons(); hashC.outputLen = tmp.outputLen; hashC.blockLen = tmp.blockLen; hashC.create = () => hashCons(); return hashC; } function wrapXOFConstructorWithOpts(hashCons) { const hashC = (msg, opts) => hashCons(opts).update(toBytes2(msg)).digest(); const tmp = hashCons({}); hashC.outputLen = tmp.outputLen; hashC.blockLen = tmp.blockLen; hashC.create = (opts) => hashCons(opts); return hashC; } function randomBytes(bytesLength = 32) { if (crypto && typeof crypto.getRandomValues === "function") { return crypto.getRandomValues(new Uint8Array(bytesLength)); } throw new Error("crypto.getRandomValues must be defined"); } // npm/node_modules/@noble/hashes/esm/hmac.js var HMAC = class extends Hash { constructor(hash2, _key) { super(); this.finished = false; this.destroyed = false; hash(hash2); const key = toBytes2(_key); this.iHash = hash2.create(); if (typeof this.iHash.update !== "function") throw new Error("Expected instance of class which extends utils.Hash"); this.blockLen = this.iHash.blockLen; this.outputLen = this.iHash.outputLen; const blockLen = this.blockLen; const pad = new Uint8Array(blockLen); pad.set(key.length > blockLen ? hash2.create().update(key).digest() : key); for (let i = 0; i < pad.length; i++) pad[i] ^= 54; this.iHash.update(pad); this.oHash = hash2.create(); for (let i = 0; i < pad.length; i++) pad[i] ^= 54 ^ 92; this.oHash.update(pad); pad.fill(0); } update(buf) { exists2(this); this.iHash.update(buf); return this; } digestInto(out) { exists2(this); bytes2(out, this.outputLen); this.finished = true; this.iHash.digestInto(out); this.oHash.update(out); this.oHash.digestInto(out); this.destroy(); } digest() { const out = new Uint8Array(this.oHash.outputLen); this.digestInto(out); return out; } _cloneInto(to) { to || (to = Object.create(Object.getPrototypeOf(this), {})); const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this; to = to; to.finished = finished; to.destroyed = destroyed; to.blockLen = blockLen; to.outputLen = outputLen; to.oHash = oHash._cloneInto(to.oHash); to.iHash = iHash._cloneInto(to.iHash); return to; } destroy() { this.destroyed = true; this.oHash.destroy(); this.iHash.destroy(); } }; var hmac = (hash2, key, message) => new HMAC(hash2, key).update(message).digest(); hmac.create = (hash2, key) => new HMAC(hash2, key); // npm/node_modules/@noble/hashes/esm/_md.js function setBigUint642(view, byteOffset, value, isLE3) { if (typeof view.setBigUint64 === "function") return view.setBigUint64(byteOffset, value, isLE3); const _32n2 = BigInt(32); const _u32_max = BigInt(4294967295); const wh = Number(value >> _32n2 & _u32_max); const wl = Number(value & _u32_max); const h = isLE3 ? 4 : 0; const l = isLE3 ? 0 : 4; view.setUint32(byteOffset + h, wh, isLE3); view.setUint32(byteOffset + l, wl, isLE3); } var Chi = (a, b, c) => a & b ^ ~a & c; var Maj = (a, b, c) => a & b ^ a & c ^ b & c; var HashMD = class extends Hash { constructor(blockLen, outputLen, padOffset, isLE3) { super(); this.blockLen = blockLen; this.outputLen = outputLen; this.padOffset = padOffset; this.isLE = isLE3; this.finished = false; this.length = 0; this.pos = 0; this.destroyed = false; this.buffer = new Uint8Array(blockLen); this.view = createView2(this.buffer); } update(data) { exists2(this); const { view, buffer, blockLen } = this; data = toBytes2(data); const len = data.length; for (let pos = 0; pos < len; ) { const take = Math.min(blockLen - this.pos, len - pos); if (take === blockLen) { const dataView = createView2(data); for (; blockLen <= len - pos; pos += blockLen) this.process(dataView, pos); continue; } buffer.set(data.subarray(pos, pos + take), this.pos); this.pos += take; pos += take; if (this.pos === blockLen) { this.process(view, 0); this.pos = 0; } } this.length += data.length; this.roundClean(); return this; } digestInto(out) { exists2(this); output2(out, this); this.finished = true; const { buffer, view, blockLen, isLE: isLE3 } = this; let { pos } = this; buffer[pos++] = 128; this.buffer.subarray(pos).fill(0); if (this.padOffset > blockLen - pos) { this.process(view, 0); pos = 0; } for (let i = pos; i < blockLen; i++) buffer[i] = 0; setBigUint642(view, blockLen - 8, BigInt(this.length * 8), isLE3); this.process(view, 0); const oview = createView2(out); const len = this.outputLen; if (len % 4) throw new Error("_sha2: outputLen should be aligned to 32bit"); const outLen = len / 4; const state = this.get(); if (outLen > state.length) throw new Error("_sha2: outputLen bigger than state"); for (let i = 0; i < outLen; i++) oview.setUint32(4 * i, state[i], isLE3); } digest() { const { buffer, outputLen } = this; this.digestInto(buffer); const res = buffer.slice(0, outputLen); this.destroy(); return res; } _cloneInto(to) { to || (to = new this.constructor()); to.set(...this.get()); const { blockLen, buffer, length, finished, destroyed, pos } = this; to.length = length; to.pos = pos; to.finished = finished; to.destroyed = destroyed; if (length % blockLen) to.buffer.set(buffer); return to; } }; // npm/node_modules/@noble/hashes/esm/sha256.js var SHA256_K = /* @__PURE__ */ new Uint32Array([ 1116352408, 1899447441, 3049323471, 3921009573, 961987163, 1508970993, 2453635748, 2870763221, 3624381080, 310598401, 607225278, 1426881987, 1925078388, 2162078206, 2614888103, 3248222580, 3835390401, 4022224774, 264347078, 604807628, 770255983, 1249150122, 1555081692, 1996064986, 2554220882, 2821834349, 2952996808, 3210313671, 3336571891, 3584528711, 113926993, 338241895, 666307205, 773529912, 1294757372, 1396182291, 1695183700, 1986661051, 2177026350, 2456956037, 2730485921, 2820302411, 3259730800, 3345764771, 3516065817, 3600352804, 4094571909, 275423344, 430227734, 506948616, 659060556, 883997877, 958139571, 1322822218, 1537002063, 1747873779, 1955562222, 2024104815, 2227730452, 2361852424, 2428436474, 2756734187, 3204031479, 3329325298 ]); var SHA256_IV = /* @__PURE__ */ new Uint32Array([ 1779033703, 3144134277, 1013904242, 2773480762, 1359893119, 2600822924, 528734635, 1541459225 ]); var SHA256_W = /* @__PURE__ */ new Uint32Array(64); var SHA256 = class extends HashMD { constructor() { super(64, 32, 8, false); this.A = SHA256_IV[0] | 0; this.B = SHA256_IV[1] | 0; this.C = SHA256_IV[2] | 0; this.D = SHA256_IV[3] | 0; this.E = SHA256_IV[4] | 0; this.F = SHA256_IV[5] | 0; this.G = SHA256_IV[6] | 0; this.H = SHA256_IV[7] | 0; } get() { const { A, B, C, D, E, F, G, H } = this; return [A, B, C, D, E, F, G, H]; } // prettier-ignore set(A, B, C, D, E, F, G, H) { this.A = A | 0; this.B = B | 0; this.C = C | 0; this.D = D | 0; this.E = E | 0; this.F = F | 0; this.G = G | 0; this.H = H | 0; } process(view, offset) { for (let i = 0; i < 16; i++, offset += 4) SHA256_W[i] = view.getUint32(offset, false); for (let i = 16; i < 64; i++) { const W15 = SHA256_W[i - 15]; const W2 = SHA256_W[i - 2]; const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ W15 >>> 3; const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ W2 >>> 10; SHA256_W[i] = s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16] | 0; } let { A, B, C, D, E, F, G, H } = this; for (let i = 0; i < 64; i++) { const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25); const T1 = H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i] | 0; const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22); const T2 = sigma0 + Maj(A, B, C) | 0; H = G; G = F; F = E; E = D + T1 | 0; D = C; C = B; B = A; A = T1 + T2 | 0; } A = A + this.A | 0; B = B + this.B | 0; C = C + this.C | 0; D = D + this.D | 0; E = E + this.E | 0; F = F + this.F | 0; G = G + this.G | 0; H = H + this.H | 0; this.set(A, B, C, D, E, F, G, H); } roundClean() { SHA256_W.fill(0); } destroy() { this.set(0, 0, 0, 0, 0, 0, 0, 0); this.buffer.fill(0); } }; var sha256 = /* @__PURE__ */ wrapConstructor(() => new SHA256()); // npm/esm/core/src/consts.js var INPUT_LENGTH_LIMIT2 = 8192; var MINIMUM_PSK_LENGTH2 = 32; var EMPTY2 = new Uint8Array(0); // npm/esm/core/src/kdfs/hkdf.js var HPKE_VERSION2 = new Uint8Array([72, 80, 75, 69, 45, 118, 49]); var HkdfNative = class extends NativeAlgorithm { constructor() { super(); Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: KdfId.HkdfSha256 }); Object.defineProperty(this, "hashSize", { enumerable: true, configurable: true, writable: true, value: 0 }); Object.defineProperty(this, "_suiteId", { enumerable: true, configurable: true, writable: true, value: EMPTY2 }); Object.defineProperty(this, "algHash", { enumerable: true, configurable: true, writable: true, value: { name: "HMAC", hash: "SHA-256", length: 256 } }); } init(suiteId) { this._suiteId = suiteId; } buildLabeledIkm(label, ikm) { this._checkInit(); const ret = new Uint8Array(7 + this._suiteId.byteLength + label.byteLength + ikm.byteLength); ret.set(HPKE_VERSION2, 0); ret.set(this._suiteId, 7); ret.set(label, 7 + this._suiteId.byteLength); ret.set(ikm, 7 + this._suiteId.byteLength + label.byteLength); return ret; } buildLabeledInfo(label, info, len) { this._checkInit(); const ret = new Uint8Array(9 + this._suiteId.byteLength + label.byteLength + info.byteLength); ret.set(new Uint8Array([0, len]), 0); ret.set(HPKE_VERSION2, 2); ret.set(this._suiteId, 9); ret.set(label, 9 + this._suiteId.byteLength); ret.set(info, 9 + this._suiteId.byteLength + label.byteLength); return ret; } async extract(salt, ikm) { await this._setup(); if (salt.byteLength === 0) { salt = new ArrayBuffer(this.hashSize); } if (salt.byteLength !== this.hashSize) { throw new InvalidParamError("The salt length must be the same as the hashSize"); } const key = await this._api.importKey("raw", salt, this.algHash, false, [ "sign" ]); return await this._api.sign("HMAC", key, ikm); } async expand(prk, info, len) { await this._setup(); const key = await this._api.importKey("raw", prk, this.algHash, false, [ "sign" ]); const okm = new ArrayBuffer(len); const p = new Uint8Array(okm); let prev = EMPTY2; const mid = new Uint8Array(info); const tail = new Uint8Array(1); if (len > 255 * this.hashSize) { throw new Error("Entropy limit reached"); } const tmp = new Uint8Array(this.hashSize + mid.length + 1); for (let i = 1, cur = 0; cur < p.length; i++) { tail[0] = i; tmp.set(prev, 0); tmp.set(mid, prev.length); tmp.set(tail, prev.length + mid.length); prev = new Uint8Array(await this._api.sign("HMAC", key, tmp.slice(0, prev.length + mid.length + 1))); if (p.length - cur >= prev.length) { p.set(prev, cur); cur += prev.length; } else { p.set(prev.slice(0, p.length - cur), cur); cur += p.length - cur; } } return okm; } async extractAndExpand(salt, ikm, info, len) { await this._setup(); const baseKey = await this._api.importKey("raw", ikm, "HKDF", false, ["deriveBits"]); return await this._api.deriveBits({ name: "HKDF", hash: this.algHash.hash, salt, info }, baseKey, len * 8); } async labeledExtract(salt, label, ikm) { return await this.extract(salt, this.buildLabeledIkm(label, ikm)); } async labeledExpand(prk, label, info, len) { return await this.expand(prk, this.buildLabeledInfo(label, info, len), len); } _checkInit() { if (this._suiteId === EMPTY2) { throw new Error("Not initialized. Call init()"); } } }; var HkdfSha256Native2 = class extends HkdfNative { constructor() { super(...arguments); Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: KdfId.HkdfSha256 }); Object.defineProperty(this, "hashSize", { enumerable: true, configurable: true, writable: true, value: 32 }); Object.defineProperty(this, "algHash", { enumerable: true, configurable: true, writable: true, value: { name: "HMAC", hash: "SHA-256", length: 256 } }); } }; var HkdfSha384Native2 = class extends HkdfNative { constructor() { super(...arguments); Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: KdfId.HkdfSha384 }); Object.defineProperty(this, "hashSize", { enumerable: true, configurable: true, writable: true, value: 48 }); Object.defineProperty(this, "algHash", { enumerable: true, configurable: true, writable: true, value: { name: "HMAC", hash: "SHA-384", length: 384 } }); } }; var HkdfSha512Native2 = class extends HkdfNative { constructor() { super(...arguments); Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: KdfId.HkdfSha512 }); Object.defineProperty(this, "hashSize", { enumerable: true, configurable: true, writable: true, value: 64 }); Object.defineProperty(this, "algHash", { enumerable: true, configurable: true, writable: true, value: { name: "HMAC", hash: "SHA-512", length: 512 } }); } }; // npm/esm/src/kdfs/hkdfSha256.js var HkdfSha2562 = class extends HkdfSha256Native2 { async extract(salt, ikm) { await this._setup(); if (salt.byteLength === 0) { salt = new ArrayBuffer(this.hashSize); } if (salt.byteLength !== this.hashSize) { return hmac(sha256, new Uint8Array(salt), new Uint8Array(ikm)); } const key = await this._api.importKey("raw", salt, this.algHash, false, [ "sign" ]); return await this._api.sign("HMAC", key, ikm); } }; // npm/node_modules/@noble/hashes/esm/_u64.js var U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1); var _32n = /* @__PURE__ */ BigInt(32); function fromBig(n, le = false) { if (le) return { h: Number(n & U32_MASK64), l: Number(n >> _32n & U32_MASK64) }; return { h: Number(n >> _32n & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 }; } function split(lst, le = false) { let Ah = new Uint32Array(lst.length); let Al = new Uint32Array(lst.length); for (let i = 0; i < lst.length; i++) { const { h, l } = fromBig(lst[i], le); [Ah[i], Al[i]] = [h, l]; } return [Ah, Al]; } var toBig = (h, l) => BigInt(h >>> 0) << _32n | BigInt(l >>> 0); var shrSH = (h, _l, s) => h >>> s; var shrSL = (h, l, s) => h << 32 - s | l >>> s; var rotrSH = (h, l, s) => h >>> s | l << 32 - s; var rotrSL = (h, l, s) => h << 32 - s | l >>> s; var rotrBH = (h, l, s) => h << 64 - s | l >>> s - 32; var rotrBL = (h, l, s) => h >>> s - 32 | l << 64 - s; var rotr32H = (_h, l) => l; var rotr32L = (h, _l) => h; var rotlSH = (h, l, s) => h << s | l >>> 32 - s; var rotlSL = (h, l, s) => l << s | h >>> 32 - s; var rotlBH = (h, l, s) => l << s - 32 | h >>> 64 - s; var rotlBL = (h, l, s) => h << s - 32 | l >>> 64 - s; function add(Ah, Al, Bh, Bl) { const l = (Al >>> 0) + (Bl >>> 0); return { h: Ah + Bh + (l / 2 ** 32 | 0) | 0, l: l | 0 }; } var add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0); var add3H = (low, Ah, Bh, Ch) => Ah + Bh + Ch + (low / 2 ** 32 | 0) | 0; var add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0); var add4H = (low, Ah, Bh, Ch, Dh) => Ah + Bh + Ch + Dh + (low / 2 ** 32 | 0) | 0; var add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0); var add5H = (low, Ah, Bh, Ch, Dh, Eh) => Ah + Bh + Ch + Dh + Eh + (low / 2 ** 32 | 0) | 0; var u64 = { fromBig, split, toBig, shrSH, shrSL, rotrSH, rotrSL, rotrBH, rotrBL, rotr32H, rotr32L, rotlSH, rotlSL, rotlBH, rotlBL, add, add3L, add3H, add4L, add4H, add5H, add5L }; var u64_default = u64; // npm/node_modules/@noble/hashes/esm/sha512.js var [SHA512_Kh, SHA512_Kl] = /* @__PURE__ */ (() => u64_default.split([ "0x428a2f98d728ae22", "0x7137449123ef65cd", "0xb5c0fbcfec4d3b2f", "0xe9b5dba58189dbbc", "0x3956c25bf348b538", "0x59f111f1b605d019", "0x923f82a4af194f9b", "0xab1c5ed5da6d8118", "0xd807aa98a3030242", "0x12835b0145706fbe", "0x243185be4ee4b28c", "0x550c7dc3d5ffb4e2", "0x72be5d74f27b896f", "0x80deb1fe3b1696b1", "0x9bdc06a725c71235", "0xc19bf174cf692694", "0xe49b69c19ef14ad2", "0xefbe4786384f25e3", "0x0fc19dc68b8cd5b5", "0x240ca1cc77ac9c65", "0x2de92c6f592b0275", "0x4a7484aa6ea6e483", "0x5cb0a9dcbd41fbd4", "0x76f988da831153b5", "0x983e5152ee66dfab", "0xa831c66d2db43210", "0xb00327c898fb213f", "0xbf597fc7beef0ee4", "0xc6e00bf33da88fc2", "0xd5a79147930aa725", "0x06ca6351e003826f", "0x142929670a0e6e70", "0x27b70a8546d22ffc", "0x2e1b21385c26c926", "0x4d2c6dfc5ac42aed", "0x53380d139d95b3df", "0x650a73548baf63de", "0x766a0abb3c77b2a8", "0x81c2c92e47edaee6", "0x92722c851482353b", "0xa2bfe8a14cf10364", "0xa81a664bbc423001", "0xc24b8b70d0f89791", "0xc76c51a30654be30", "0xd192e819d6ef5218", "0xd69906245565a910", "0xf40e35855771202a", "0x106aa07032bbd1b8", "0x19a4c116b8d2d0c8", "0x1e376c085141ab53", "0x2748774cdf8eeb99", "0x34b0bcb5e19b48a8", "0x391c0cb3c5c95a63", "0x4ed8aa4ae3418acb", "0x5b9cca4f7763e373", "0x682e6ff3d6b2b8a3", "0x748f82ee5defb2fc", "0x78a5636f43172f60", "0x84c87814a1f0ab72", "0x8cc702081a6439ec", "0x90befffa23631e28", "0xa4506cebde82bde9", "0xbef9a3f7b2c67915", "0xc67178f2e372532b", "0xca273eceea26619c", "0xd186b8c721c0c207", "0xeada7dd6cde0eb1e", "0xf57d4f7fee6ed178", "0x06f067aa72176fba", "0x0a637dc5a2c898a6", "0x113f9804bef90dae", "0x1b710b35131c471b", "0x28db77f523047d84", "0x32caab7b40c72493", "0x3c9ebe0a15c9bebc", "0x431d67c49c100d4c", "0x4cc5d4becb3e42b6", "0x597f299cfc657e2a", "0x5fcb6fab3ad6faec", "0x6c44198c4a475817" ].map((n) => BigInt(n))))(); var SHA512_W_H = /* @__PURE__ */ new Uint32Array(80); var SHA512_W_L = /* @__PURE__ */ new Uint32Array(80); var SHA512 = class extends HashMD { constructor() { super(128, 64, 16, false); this.Ah = 1779033703 | 0; this.Al = 4089235720 | 0; this.Bh = 3144134277 | 0; this.Bl = 2227873595 | 0; this.Ch = 1013904242 | 0; this.Cl = 4271175723 | 0; this.Dh = 2773480762 | 0; this.Dl = 1595750129 | 0; this.Eh = 1359893119 | 0; this.El = 2917565137 | 0; this.Fh = 2600822924 | 0; this.Fl = 725511199 | 0; this.Gh = 528734635 | 0; this.Gl = 4215389547 | 0; this.Hh = 1541459225 | 0; this.Hl = 327033209 | 0; } // prettier-ignore get() { const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this; return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl]; } // prettier-ignore set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) { this.Ah = Ah | 0; this.Al = Al | 0; this.Bh = Bh | 0; this.Bl = Bl | 0; this.Ch = Ch | 0; this.Cl = Cl | 0; this.Dh = Dh | 0; this.Dl = Dl | 0; this.Eh = Eh | 0; this.El = El | 0; this.Fh = Fh | 0; this.Fl = Fl | 0; this.Gh = Gh | 0; this.Gl = Gl | 0; this.Hh = Hh | 0; this.Hl = Hl | 0; } process(view, offset) { for (let i = 0; i < 16; i++, offset += 4) { SHA512_W_H[i] = view.getUint32(offset); SHA512_W_L[i] = view.getUint32(offset += 4); } for (let i = 16; i < 80; i++) { const W15h = SHA512_W_H[i - 15] | 0; const W15l = SHA512_W_L[i - 15] | 0; const s0h = u64_default.rotrSH(W15h, W15l, 1) ^ u64_default.rotrSH(W15h, W15l, 8) ^ u64_default.shrSH(W15h, W15l, 7); const s0l = u64_default.rotrSL(W15h, W15l, 1) ^ u64_default.rotrSL(W15h, W15l, 8) ^ u64_default.shrSL(W15h, W15l, 7); const W2h = SHA512_W_H[i - 2] | 0; const W2l = SHA512_W_L[i - 2] | 0; const s1h = u64_default.rotrSH(W2h, W2l, 19) ^ u64_default.rotrBH(W2h, W2l, 61) ^ u64_default.shrSH(W2h, W2l, 6); const s1l = u64_default.rotrSL(W2h, W2l, 19) ^ u64_default.rotrBL(W2h, W2l, 61) ^ u64_default.shrSL(W2h, W2l, 6); const SUMl = u64_default.add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]); const SUMh = u64_default.add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]); SHA512_W_H[i] = SUMh | 0; SHA512_W_L[i] = SUMl | 0; } let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this; for (let i = 0; i < 80; i++) { const sigma1h = u64_default.rotrSH(Eh, El, 14) ^ u64_default.rotrSH(Eh, El, 18) ^ u64_default.rotrBH(Eh, El, 41); const sigma1l = u64_default.rotrSL(Eh, El, 14) ^ u64_default.rotrSL(Eh, El, 18) ^ u64_default.rotrBL(Eh, El, 41); const CHIh = Eh & Fh ^ ~Eh & Gh; const CHIl = El & Fl ^ ~El & Gl; const T1ll = u64_default.add5L(Hl, sigma1l, CHIl, SHA512_Kl[i], SHA512_W_L[i]); const T1h = u64_default.add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i], SHA512_W_H[i]); const T1l = T1ll | 0; const sigma0h = u64_default.rotrSH(Ah, Al, 28) ^ u64_default.rotrBH(Ah, Al, 34) ^ u64_default.rotrBH(Ah, Al, 39); const sigma0l = u64_default.rotrSL(Ah, Al, 28) ^ u64_default.rotrBL(Ah, Al, 34) ^ u64_default.rotrBL(Ah, Al, 39); const MAJh = Ah & Bh ^ Ah & Ch ^ Bh & Ch; const MAJl = Al & Bl ^ Al & Cl ^ Bl & Cl; Hh = Gh | 0; Hl = Gl | 0; Gh = Fh | 0; Gl = Fl | 0; Fh = Eh | 0; Fl = El | 0; ({ h: Eh, l: El } = u64_default.add(Dh | 0, Dl | 0, T1h | 0, T1l | 0)); Dh = Ch | 0; Dl = Cl | 0; Ch = Bh | 0; Cl = Bl | 0; Bh = Ah | 0; Bl = Al | 0; const All = u64_default.add3L(T1l, sigma0l, MAJl); Ah = u64_default.add3H(All, T1h, sigma0h, MAJh); Al = All | 0; } ({ h: Ah, l: Al } = u64_default.add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0)); ({ h: Bh, l: Bl } = u64_default.add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0)); ({ h: Ch, l: Cl } = u64_default.add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0)); ({ h: Dh, l: Dl } = u64_default.add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0)); ({ h: Eh, l: El } = u64_default.add(this.Eh | 0, this.El | 0, Eh | 0, El | 0)); ({ h: Fh, l: Fl } = u64_default.add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0)); ({ h: Gh, l: Gl } = u64_default.add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0)); ({ h: Hh, l: Hl } = u64_default.add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0)); this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl); } roundClean() { SHA512_W_H.fill(0); SHA512_W_L.fill(0); } destroy() { this.buffer.fill(0); this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); } }; var SHA384 = class extends SHA512 { constructor() { super(); this.Ah = 3418070365 | 0; this.Al = 3238371032 | 0; this.Bh = 1654270250 | 0; this.Bl = 914150663 | 0; this.Ch = 2438529370 | 0; this.Cl = 812702999 | 0; this.Dh = 355462360 | 0; this.Dl = 4144912697 | 0; this.Eh = 1731405415 | 0; this.El = 4290775857 | 0; this.Fh = 2394180231 | 0; this.Fl = 1750603025 | 0; this.Gh = 3675008525 | 0; this.Gl = 1694076839 | 0; this.Hh = 1203062813 | 0; this.Hl = 3204075428 | 0; this.outputLen = 48; } }; var sha512 = /* @__PURE__ */ wrapConstructor(() => new SHA512()); var sha384 = /* @__PURE__ */ wrapConstructor(() => new SHA384()); // npm/esm/src/kdfs/hkdfSha384.js var HkdfSha3842 = class extends HkdfSha384Native2 { async extract(salt, ikm) { await this._setup(); if (salt.byteLength === 0) { salt = new ArrayBuffer(this.hashSize); } if (salt.byteLength !== this.hashSize) { return hmac(sha384, new Uint8Array(salt), new Uint8Array(ikm)); } const key = await this._api.importKey("raw", salt, this.algHash, false, [ "sign" ]); return await this._api.sign("HMAC", key, ikm); } }; // npm/esm/src/kdfs/hkdfSha512.js var HkdfSha5122 = class extends HkdfSha512Native2 { async extract(salt, ikm) { await this._setup(); if (salt.byteLength === 0) { salt = new ArrayBuffer(this.hashSize); } if (salt.byteLength !== this.hashSize) { return hmac(sha512, new Uint8Array(salt), new Uint8Array(ikm)); } const key = await this._api.importKey("raw", salt, this.algHash, false, [ "sign" ]); return await this._api.sign("HMAC", key, ikm); } }; // npm/esm/core/src/interfaces/kemInterface.js var SUITE_ID_HEADER_KEM2 = new Uint8Array([75, 69, 77, 0, 0]); // npm/esm/core/src/utils/misc.js var isCryptoKeyPair2 = (x) => typeof x === "object" && x !== null && typeof x.privateKey === "object" && typeof x.publicKey === "object"; function i2Osp2(n, w) { if (w <= 0) { throw new Error("i2Osp: too small size"); } if (n >= 256 ** w) { throw new Error("i2Osp: too large integer"); } const ret = new Uint8Array(w); for (let i = 0; i < w && n; i++) { ret[w - (i + 1)] = n % 256; n = n >> 8; } return ret; } function concat2(a, b) { const ret = new Uint8Array(a.length + b.length); ret.set(a, 0); ret.set(b, a.length); return ret; } function base64UrlToBytes2(v) { const base64 = v.replace(/-/g, "+").replace(/_/g, "/"); const byteString = atob(base64); const ret = new Uint8Array(byteString.length); for (let i = 0; i < byteString.length; i++) { ret[i] = byteString.charCodeAt(i); } return ret; } // npm/esm/core/src/kems/dhkem.js var LABEL_EAE_PRK2 = new Uint8Array([101, 97, 101, 95, 112, 114, 107]); var LABEL_SHARED_SECRET2 = new Uint8Array([ 115, 104, 97, 114, 101, 100, 95, 115, 101, 99, 114, 101, 116 ]); function concat3(a, b, c) { const ret = new Uint8Array(a.length + b.length + c.length); ret.set(a, 0); ret.set(b, a.length); ret.set(c, a.length + b.length); return ret; } var Dhkem2 = class { constructor(id, prim, kdf) { Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "secretSize", { enumerable: true, configurable: true, writable: true, value: 0 }); Object.defineProperty(this, "encSize", { enumerable: true, configurable: true, writable: true, value: 0 }); Object.defineProperty(this, "publicKeySize", { enumerable: true, configurable: true, writable: true, value: 0 }); Object.defineProperty(this, "privateKeySize", { enumerable: true, configurable: true, writable: true, value: 0 }); Object.defineProperty(this, "_prim", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_kdf", { enumerable: true, configurable: true, writable: true, value: void 0 }); this.id = id; this._prim = prim; this._kdf = kdf; const suiteId = new Uint8Array(SUITE_ID_HEADER_KEM2); suiteId.set(i2Osp2(this.id, 2), 3); this._kdf.init(suiteId); } async serializePublicKey(key) { return await this._prim.serializePublicKey(key); } async deserializePublicKey(key) { return await this._prim.deserializePublicKey(key); } async serializePrivateKey(key) { return await this._prim.serializePrivateKey(key); } async deserializePrivateKey(key) { return await this._prim.deserializePrivateKey(key); } async importKey(format, key, isPublic = true) { return await this._prim.importKey(format, key, isPublic); } async generateKeyPair() { return await this._prim.generateKeyPair(); } async deriveKeyPair(ikm) { if (ikm.byteLength > INPUT_LENGTH_LIMIT2) { throw new InvalidParamError("Too long ikm"); } return await this._prim.deriveKeyPair(ikm); } async encap(params) { let ke; if (params.ekm === void 0) { ke = await this.generateKeyPair(); } else if (isCryptoKeyPair2(params.ekm)) { ke = params.ekm; } else { ke = await this.deriveKeyPair(params.ekm); } const enc = await this._prim.serializePublicKey(ke.publicKey); const pkrm = await this._prim.serializePublicKey(params.recipientPublicKey); try { let dh; if (params.senderKey === void 0) { dh = new Uint8Array(await this._prim.dh(ke.privateKey, params.recipientPublicKey)); } else { const sks = isCryptoKeyPair2(params.senderKey) ? params.senderKey.privateKey : params.senderKey; const dh1 = new Uint8Array(await this._prim.dh(ke.privateKey, params.recipientPublicKey)); const dh2 = new Uint8Array(await this._prim.dh(sks, params.recipientPublicKey)); dh = concat2(dh1, dh2); } let kemContext; if (params.senderKey === void 0) { kemContext = concat2(new Uint8Array(enc), new Uint8Array(pkrm)); } else { const pks = isCryptoKeyPair2(params.senderKey) ? params.senderKey.publicKey : await this._prim.derivePublicKey(params.senderKey); const pksm = await this._prim.serializePublicKey(pks); kemContext = concat3(new Uint8Array(enc), new Uint8Array(pkrm), new Uint8Array(pksm)); } const sharedSecret = await this._generateSharedSecret(dh, kemContext); return { enc, sharedSecret }; } catch (e) { throw new EncapError(e); } } async decap(params) { const pke = await this._prim.deserializePublicKey(params.enc); const skr = isCryptoKeyPair2(params.recipientKey) ? params.recipientKey.privateKey : params.recipientKey; const pkr = isCryptoKeyPair2(params.recipientKey) ? params.recipientKey.publicKey : await this._prim.derivePublicKey(params.recipientKey); const pkrm = await this._prim.serializePublicKey(pkr); try { let dh; if (params.senderPublicKey === void 0) { dh = new Uint8Array(await this._prim.dh(skr, pke)); } else { const dh1 = new Uint8Array(await this._prim.dh(skr, pke)); const dh2 = new Uint8Array(await this._prim.dh(skr, params.senderPublicKey)); dh = concat2(dh1, dh2); } let kemContext; if (params.senderPublicKey === void 0) { kemContext = concat2(new Uint8Array(params.enc), new Uint8Array(pkrm)); } else { const pksm = await this._prim.serializePublicKey(params.senderPublicKey); kemContext = new Uint8Array(params.enc.byteLength + pkrm.byteLength + pksm.byteLength); kemContext.set(new Uint8Array(params.enc), 0); kemContext.set(new Uint8Array(pkrm), params.enc.byteLength); kemContext.set(new Uint8Array(pksm), params.enc.byteLength + pkrm.byteLength); } return await this._generateSharedSecret(dh, kemContext); } catch (e) { throw new DecapError(e); } } async _generateSharedSecret(dh, kemContext) { const labeledIkm = this._kdf.buildLabeledIkm(LABEL_EAE_PRK2, dh); const labeledInfo = this._kdf.buildLabeledInfo(LABEL_SHARED_SECRET2, kemContext, this.secretSize); return await this._kdf.extractAndExpand(EMPTY2, labeledIkm, labeledInfo, this.secretSize); } }; // npm/esm/core/src/interfaces/dhkemPrimitives.js var KEM_USAGES2 = ["deriveBits"]; var LABEL_DKP_PRK2 = new Uint8Array([100, 107, 112, 95, 112, 114, 107]); var LABEL_SK2 = new Uint8Array([115, 107]); // npm/esm/core/src/utils/bignum.js var Bignum2 = class { constructor(size) { Object.defineProperty(this, "_num", { enumerable: true, configurable: true, writable: true, value: void 0 }); this._num = new Uint8Array(size); } val() { return this._num; } reset() { this._num.fill(0); } set(src) { if (src.length !== this._num.length) { throw new Error("Bignum.set: invalid argument"); } this._num.set(src); } isZero() { for (let i = 0; i < this._num.length; i++) { if (this._num[i] !== 0) { return false; } } return true; } lessThan(v) { if (v.length !== this._num.length) { throw new Error("Bignum.lessThan: invalid argument"); } for (let i = 0; i < this._num.length; i++) { if (this._num[i] < v[i]) { return true; } if (this._num[i] > v[i]) { return false; } } return false; } }; // npm/esm/core/src/kems/dhkemPrimitives/ec.js var LABEL_CANDIDATE2 = new Uint8Array([ 99, 97, 110, 100, 105, 100, 97, 116, 101 ]); var ORDER_P_2562 = new Uint8Array([ 255, 255, 255, 255, 0, 0, 0, 0, 255, 255, 255, 255, 255, 255, 255, 255, 188, 230, 250, 173, 167, 23, 158, 132, 243, 185, 202, 194, 252, 99, 37, 81 ]); var ORDER_P_3842 = new Uint8Array([ 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 199, 99, 77, 129, 244, 55, 45, 223, 88, 26, 13, 178, 72, 176, 167, 122, 236, 236, 25, 106, 204, 197, 41, 115 ]); var ORDER_P_5212 = new Uint8Array([ 1, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 250, 81, 134, 135, 131, 191, 47, 150, 107, 127, 204, 1, 72, 247, 9, 165, 208, 59, 181, 201, 184, 137, 156, 71, 174, 187, 111, 183, 30, 145, 56, 100, 9 ]); var PKCS8_ALG_ID_P_2562 = new Uint8Array([ 48, 65, 2, 1, 0, 48, 19, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 8, 42, 134, 72, 206, 61, 3, 1, 7, 4, 39, 48, 37, 2, 1, 1, 4, 32 ]); var PKCS8_ALG_ID_P_3842 = new Uint8Array([ 48, 78, 2, 1, 0, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 4, 55, 48, 53, 2, 1, 1, 4, 48 ]); var PKCS8_ALG_ID_P_5212 = new Uint8Array([ 48, 96, 2, 1, 0, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 35, 4, 73, 48, 71, 2, 1, 1, 4, 66 ]); var Ec2 = class extends NativeAlgorithm { constructor(kem, hkdf) { super(); Object.defineProperty(this, "_hkdf", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_alg", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_nPk", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_nSk", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_nDh", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_order", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_bitmask", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_pkcs8AlgId", { enumerable: true, configurable: true, writable: true, value: void 0 }); this._hkdf = hkdf; switch (kem) { case KemId.DhkemP256HkdfSha256: this._alg = { name: "ECDH", namedCurve: "P-256" }; this._nPk = 65; this._nSk = 32; this._nDh = 32; this._order = ORDER_P_2562; this._bitmask = 255; this._pkcs8AlgId = PKCS8_ALG_ID_P_2562; break; case KemId.DhkemP384HkdfSha384: this._alg = { name: "ECDH", namedCurve: "P-384" }; this._nPk = 97; this._nSk = 48; this._nDh = 48; this._order = ORDER_P_3842; this._bitmask = 255; this._pkcs8AlgId = PKCS8_ALG_ID_P_3842; break; default: this._alg = { name: "ECDH", namedCurve: "P-521" }; this._nPk = 133; this._nSk = 66; this._nDh = 66; this._order = ORDER_P_5212; this._bitmask = 1; this._pkcs8AlgId = PKCS8_ALG_ID_P_5212; break; } } async serializePublicKey(key) { await this._setup(); try { return await this._api.exportKey("raw", key); } catch (e) { throw new SerializeError(e); } } async deserializePublicKey(key) { await this._setup(); try { return await this._importRawKey(key, true); } catch (e) { throw new DeserializeError(e); } } async serializePrivateKey(key) { await this._setup(); try { const jwk = await this._api.exportKey("jwk", key); if (!("d" in jwk)) { throw new Error("Not private key"); } return base64UrlToBytes2(jwk["d"]); } catch (e) { throw new SerializeError(e); } } async deserializePrivateKey(key) { await this._setup(); try { return await this._importRawKey(key, false); } catch (e) { throw new DeserializeError(e); } } async importKey(format, key, isPublic) { await this._setup(); try { if (format === "raw") { return await this._importRawKey(key, isPublic); } if (key instanceof ArrayBuffer) { throw new Error("Invalid jwk key format"); } return await this._importJWK(key, isPublic); } catch (e) { throw new DeserializeError(e); } } async generateKeyPair() { await this._setup(); try { return await this._api.generateKey(this._alg, true, KEM_USAGES2); } catch (e) { throw new NotSupportedError(e); } } async deriveKeyPair(ikm) { await this._setup(); try { const dkpPrk = await this._hkdf.labeledExtract(EMPTY2, LABEL_DKP_PRK2, new Uint8Array(ikm)); const bn = new Bignum2(this._nSk); for (let counter = 0; bn.isZero() || !bn.lessThan(this._order); counter++) { if (counter > 255) { throw new Error("Faild to derive a key pair"); } const bytes3 = new Uint8Array(await this._hkdf.labeledExpand(dkpPrk, LABEL_CANDIDATE2, i2Osp2(counter, 1), this._nSk)); bytes3[0] = bytes3[0] & this._bitmask; bn.set(bytes3); } const sk = await this._deserializePkcs8Key(bn.val()); bn.reset(); return { privateKey: sk, publicKey: await this.derivePublicKey(sk) }; } catch (e) { throw new DeriveKeyPairError(e); } } async derivePublicKey(key) { await this._setup(); try { const jwk = await this._api.exportKey("jwk", key); delete jwk["d"]; delete jwk["key_ops"]; return await this._api.importKey("jwk", jwk, this._alg, true, []); } catch (e) { throw new DeserializeError(e); } } async dh(sk, pk) { try { await this._setup(); const bits = await this._api.deriveBits({ name: "ECDH", public: pk }, sk, this._nDh * 8); return bits; } catch (e) { throw new SerializeError(e); } } async _importRawKey(key, isPublic) { if (isPublic && key.byteLength !== this._nPk) { throw new Error("Invalid public key for the ciphersuite"); } if (!isPublic && key.byteLength !== this._nSk) { throw new Error("Invalid private key for the ciphersuite"); } if (isPublic) { return await this._api.importKey("raw", key, this._alg, true, []); } return await this._deserializePkcs8Key(new Uint8Array(key)); } async _importJWK(key, isPublic) { if (typeof key.crv === "undefined" || key.crv !== this._alg.namedCurve) { throw new Error(`Invalid crv: ${key.crv}`); } if (isPublic) { if (typeof key.d !== "undefined") { throw new Error("Invalid key: `d` should not be set"); } return await this._api.importKey("jwk", key, this._alg, true, []); } if (typeof key.d === "undefined") { throw new Error("Invalid key: `d` not found"); } return await this._api.importKey("jwk", key, this._alg, true, KEM_USAGES2); } async _deserializePkcs8Key(k) { const pkcs8Key = new Uint8Array(this._pkcs8AlgId.length + k.length); pkcs8Key.set(this._pkcs8AlgId, 0); pkcs8Key.set(k, this._pkcs8AlgId.length); return await this._api.importKey("pkcs8", pkcs8Key, this._alg, true, KEM_USAGES2); } }; // npm/esm/src/kems/dhkemP256.js var DhkemP256HkdfSha2562 = class extends Dhkem2 { constructor() { const kdf = new HkdfSha2562(); const prim = new Ec2(KemId.DhkemP256HkdfSha256, kdf); super(KemId.DhkemP256HkdfSha256, prim, kdf); Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: KemId.DhkemP256HkdfSha256 }); Object.defineProperty(this, "secretSize", { enumerable: true, configurable: true, writable: true, value: 32 }); Object.defineProperty(this, "encSize", { enumerable: true, configurable: true, writable: true, value: 65 }); Object.defineProperty(this, "publicKeySize", { enumerable: true, configurable: true, writable: true, value: 65 }); Object.defineProperty(this, "privateKeySize", { enumerable: true, configurable: true, writable: true, value: 32 }); } }; // npm/esm/src/kems/dhkemP384.js var DhkemP384HkdfSha3842 = class extends Dhkem2 { constructor() { const kdf = new HkdfSha3842(); const prim = new Ec2(KemId.DhkemP384HkdfSha384, kdf); super(KemId.DhkemP384HkdfSha384, prim, kdf); Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: KemId.DhkemP384HkdfSha384 }); Object.defineProperty(this, "secretSize", { enumerable: true, configurable: true, writable: true, value: 48 }); Object.defineProperty(this, "encSize", { enumerable: true, configurable: true, writable: true, value: 97 }); Object.defineProperty(this, "publicKeySize", { enumerable: true, configurable: true, writable: true, value: 97 }); Object.defineProperty(this, "privateKeySize", { enumerable: true, configurable: true, writable: true, value: 48 }); } }; // npm/esm/src/kems/dhkemP521.js var DhkemP521HkdfSha5122 = class extends Dhkem2 { constructor() { const kdf = new HkdfSha5122(); const prim = new Ec2(KemId.DhkemP521HkdfSha512, kdf); super(KemId.DhkemP521HkdfSha512, prim, kdf); Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: KemId.DhkemP521HkdfSha512 }); Object.defineProperty(this, "secretSize", { enumerable: true, configurable: true, writable: true, value: 64 }); Object.defineProperty(this, "encSize", { enumerable: true, configurable: true, writable: true, value: 133 }); Object.defineProperty(this, "publicKeySize", { enumerable: true, configurable: true, writable: true, value: 133 }); Object.defineProperty(this, "privateKeySize", { enumerable: true, configurable: true, writable: true, value: 64 }); } }; // npm/node_modules/@noble/curves/esm/abstract/utils.js var _1n = /* @__PURE__ */ BigInt(1); var _2n = /* @__PURE__ */ BigInt(2); function isBytes3(a) { return a instanceof Uint8Array || a != null && typeof a === "object" && a.constructor.name === "Uint8Array"; } function abytes(item) { if (!isBytes3(item)) throw new Error("Uint8Array expected"); } var hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, "0")); function bytesToHex(bytes3) { abytes(bytes3); let hex = ""; for (let i = 0; i < bytes3.length; i++) { hex += hexes[bytes3[i]]; } return hex; } function hexToNumber(hex) { if (typeof hex !== "string") throw new Error("hex string expected, got " + typeof hex); return BigInt(hex === "" ? "0" : `0x${hex}`); } var asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 }; function asciiToBase16(char) { if (char >= asciis._0 && char <= asciis._9) return char - asciis._0; if (char >= asciis._A && char <= asciis._F) return char - (asciis._A - 10); if (char >= asciis._a && char <= asciis._f) return char - (asciis._a - 10); return; } function hexToBytes(hex) { if (typeof hex !== "string") throw new Error("hex string expected, got " + typeof hex); const hl = hex.length; const al = hl / 2; if (hl % 2) throw new Error("padded hex string expected, got unpadded hex of length " + hl); const array = new Uint8Array(al); for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) { const n1 = asciiToBase16(hex.charCodeAt(hi)); const n2 = asciiToBase16(hex.charCodeAt(hi + 1)); if (n1 === void 0 || n2 === void 0) { const char = hex[hi] + hex[hi + 1]; throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi); } array[ai] = n1 * 16 + n2; } return array; } function bytesToNumberBE(bytes3) { return hexToNumber(bytesToHex(bytes3)); } function bytesToNumberLE(bytes3) { abytes(bytes3); return hexToNumber(bytesToHex(Uint8Array.from(bytes3).reverse())); } function numberToBytesBE(n, len) { return hexToBytes(n.toString(16).padStart(len * 2, "0")); } function numberToBytesLE(n, len) { return numberToBytesBE(n, len).reverse(); } function ensureBytes(title, hex, expectedLength) { let res; if (typeof hex === "string") { try { res = hexToBytes(hex); } catch (e) { throw new Error(`${title} must be valid hex string, got "${hex}". Cause: ${e}`); } } else if (isBytes3(hex)) { res = Uint8Array.from(hex); } else { throw new Error(`${title} must be hex string or Uint8Array`); } const len = res.length; if (typeof expectedLength === "number" && len !== expectedLength) throw new Error(`${title} expected ${expectedLength} bytes, got ${len}`); return res; } function concatBytes2(...arrays) { let sum = 0; for (let i = 0; i < arrays.length; i++) { const a = arrays[i]; abytes(a); sum += a.length; } const res = new Uint8Array(sum); for (let i = 0, pad = 0; i < arrays.length; i++) { const a = arrays[i]; res.set(a, pad); pad += a.length; } return res; } var bitMask = (n) => (_2n << BigInt(n - 1)) - _1n; var validatorFns = { bigint: (val) => typeof val === "bigint", function: (val) => typeof val === "function", boolean: (val) => typeof val === "boolean", string: (val) => typeof val === "string", stringOrUint8Array: (val) => typeof val === "string" || isBytes3(val), isSafeInteger: (val) => Number.isSafeInteger(val), array: (val) => Array.isArray(val), field: (val, object) => object.Fp.isValid(val), hash: (val) => typeof val === "function" && Number.isSafeInteger(val.outputLen) }; function validateObject(object, validators, optValidators = {}) { const checkField = (fieldName, type, isOptional) => { const checkVal = validatorFns[type]; if (typeof checkVal !== "function") throw new Error(`Invalid validator "${type}", expected function`); const val = object[fieldName]; if (isOptional && val === void 0) return; if (!checkVal(val, object)) { throw new Error(`Invalid param ${String(fieldName)}=${val} (${typeof val}), expected ${type}`); } }; for (const [fieldName, type] of Object.entries(validators)) checkField(fieldName, type, false); for (const [fieldName, type] of Object.entries(optValidators)) checkField(fieldName, type, true); return object; } // npm/node_modules/@noble/curves/esm/abstract/modular.js var _0n = BigInt(0); var _1n2 = BigInt(1); var _2n2 = BigInt(2); var _3n = BigInt(3); var _4n = BigInt(4); var _5n = BigInt(5); var _8n = BigInt(8); var _9n = BigInt(9); var _16n = BigInt(16); function mod(a, b) { const result = a % b; return result >= _0n ? result : b + result; } function pow(num, power, modulo) { if (modulo <= _0n || power < _0n) throw new Error("Expected power/modulo > 0"); if (modulo === _1n2) return _0n; let res = _1n2; while (power > _0n) { if (power & _1n2) res = res * num % modulo; num = num * num % modulo; power >>= _1n2; } return res; } function pow2(x, power, modulo) { let res = x; while (power-- > _0n) { res *= res; res %= modulo; } return res; } function invert(number3, modulo) { if (number3 === _0n || modulo <= _0n) { throw new Error(`invert: expected positive integers, got n=${number3} mod=${modulo}`); } let a = mod(number3, modulo); let b = modulo; let x = _0n, y = _1n2, u = _1n2, v = _0n; while (a !== _0n) { const q = b / a; const r = b % a; const m = x - u * q; const n = y - v * q; b = a, a = r, x = u, y = v, u = m, v = n; } const gcd = b; if (gcd !== _1n2) throw new Error("invert: does not exist"); return mod(x, modulo); } function tonelliShanks(P) { const legendreC = (P - _1n2) / _2n2; let Q, S, Z; for (Q = P - _1n2, S = 0; Q % _2n2 === _0n; Q /= _2n2, S++) ; for (Z = _2n2; Z < P && pow(Z, legendreC, P) !== P - _1n2; Z++) ; if (S === 1) { const p1div4 = (P + _1n2) / _4n; return function tonelliFast(Fp2, n) { const root = Fp2.pow(n, p1div4); if (!Fp2.eql(Fp2.sqr(root), n)) throw new Error("Cannot find square root"); return root; }; } const Q1div2 = (Q + _1n2) / _2n2; return function tonelliSlow(Fp2, n) { if (Fp2.pow(n, legendreC) === Fp2.neg(Fp2.ONE)) throw new Error("Cannot find square root"); let r = S; let g = Fp2.pow(Fp2.mul(Fp2.ONE, Z), Q); let x = Fp2.pow(n, Q1div2); let b = Fp2.pow(n, Q); while (!Fp2.eql(b, Fp2.ONE)) { if (Fp2.eql(b, Fp2.ZERO)) return Fp2.ZERO; let m = 1; for (let t2 = Fp2.sqr(b); m < r; m++) { if (Fp2.eql(t2, Fp2.ONE)) break; t2 = Fp2.sqr(t2); } const ge = Fp2.pow(g, _1n2 << BigInt(r - m - 1)); g = Fp2.sqr(ge); x = Fp2.mul(x, ge); b = Fp2.mul(b, g); r = m; } return x; }; } function FpSqrt(P) { if (P % _4n === _3n) { const p1div4 = (P + _1n2) / _4n; return function sqrt3mod4(Fp2, n) { const root = Fp2.pow(n, p1div4); if (!Fp2.eql(Fp2.sqr(root), n)) throw new Error("Cannot find square root"); return root; }; } if (P % _8n === _5n) { const c1 = (P - _5n) / _8n; return function sqrt5mod8(Fp2, n) { const n2 = Fp2.mul(n, _2n2); const v = Fp2.pow(n2, c1); const nv = Fp2.mul(n, v); const i = Fp2.mul(Fp2.mul(nv, _2n2), v); const root = Fp2.mul(nv, Fp2.sub(i, Fp2.ONE)); if (!Fp2.eql(Fp2.sqr(root), n)) throw new Error("Cannot find square root"); return root; }; } if (P % _16n === _9n) { } return tonelliShanks(P); } var FIELD_FIELDS = [ "create", "isValid", "is0", "neg", "inv", "sqrt", "sqr", "eql", "add", "sub", "mul", "pow", "div", "addN", "subN", "mulN", "sqrN" ]; function validateField(field) { const initial = { ORDER: "bigint", MASK: "bigint", BYTES: "isSafeInteger", BITS: "isSafeInteger" }; const opts = FIELD_FIELDS.reduce((map, val) => { map[val] = "function"; return map; }, initial); return validateObject(field, opts); } function FpPow(f, num, power) { if (power < _0n) throw new Error("Expected power > 0"); if (power === _0n) return f.ONE; if (power === _1n2) return num; let p = f.ONE; let d = num; while (power > _0n) { if (power & _1n2) p = f.mul(p, d); d = f.sqr(d); power >>= _1n2; } return p; } function FpInvertBatch(f, nums) { const tmp = new Array(nums.length); const lastMultiplied = nums.reduce((acc, num, i) => { if (f.is0(num)) return acc; tmp[i] = acc; return f.mul(acc, num); }, f.ONE); const inverted = f.inv(lastMultiplied); nums.reduceRight((acc, num, i) => { if (f.is0(num)) return acc; tmp[i] = f.mul(acc, tmp[i]); return f.mul(acc, num); }, inverted); return tmp; } function nLength(n, nBitLength) { const _nBitLength = nBitLength !== void 0 ? nBitLength : n.toString(2).length; const nByteLength = Math.ceil(_nBitLength / 8); return { nBitLength: _nBitLength, nByteLength }; } function Field(ORDER, bitLen, isLE3 = false, redef = {}) { if (ORDER <= _0n) throw new Error(`Expected Field ORDER > 0, got ${ORDER}`); const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen); if (BYTES > 2048) throw new Error("Field lengths over 2048 bytes are not supported"); const sqrtP = FpSqrt(ORDER); const f = Object.freeze({ ORDER, BITS, BYTES, MASK: bitMask(BITS), ZERO: _0n, ONE: _1n2, create: (num) => mod(num, ORDER), isValid: (num) => { if (typeof num !== "bigint") throw new Error(`Invalid field element: expected bigint, got ${typeof num}`); return _0n <= num && num < ORDER; }, is0: (num) => num === _0n, isOdd: (num) => (num & _1n2) === _1n2, neg: (num) => mod(-num, ORDER), eql: (lhs, rhs) => lhs === rhs, sqr: (num) => mod(num * num, ORDER), add: (lhs, rhs) => mod(lhs + rhs, ORDER), sub: (lhs, rhs) => mod(lhs - rhs, ORDER), mul: (lhs, rhs) => mod(lhs * rhs, ORDER), pow: (num, power) => FpPow(f, num, power), div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER), // Same as above, but doesn't normalize sqrN: (num) => num * num, addN: (lhs, rhs) => lhs + rhs, subN: (lhs, rhs) => lhs - rhs, mulN: (lhs, rhs) => lhs * rhs, inv: (num) => invert(num, ORDER), sqrt: redef.sqrt || ((n) => sqrtP(f, n)), invertBatch: (lst) => FpInvertBatch(f, lst), // TODO: do we really need constant cmov? // We don't have const-time bigints anyway, so probably will be not very useful cmov: (a, b, c) => c ? b : a, toBytes: (num) => isLE3 ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES), fromBytes: (bytes3) => { if (bytes3.length !== BYTES) throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes3.length}`); return isLE3 ? bytesToNumberLE(bytes3) : bytesToNumberBE(bytes3); } }); return Object.freeze(f); } // npm/node_modules/@noble/curves/esm/abstract/curve.js var _0n2 = BigInt(0); var _1n3 = BigInt(1); function wNAF(c, bits) { const constTimeNegate = (condition, item) => { const neg = item.negate(); return condition ? neg : item; }; const opts = (W) => { const windows = Math.ceil(bits / W) + 1; const windowSize = 2 ** (W - 1); return { windows, windowSize }; }; return { constTimeNegate, // non-const time multiplication ladder unsafeLadder(elm, n) { let p = c.ZERO; let d = elm; while (n > _0n2) { if (n & _1n3) p = p.add(d); d = d.double(); n >>= _1n3; } return p; }, /** * Creates a wNAF precomputation window. Used for caching. * Default window size is set by `utils.precompute()` and is equal to 8. * Number of precomputed points depends on the curve size: * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where: * - 𝑊 is the window size * - 𝑛 is the bitlength of the curve order. * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224. * @returns precomputed point tables flattened to a single array */ precomputeWindow(elm, W) { const { windows, windowSize } = opts(W); const points = []; let p = elm; let base = p; for (let window = 0; window < windows; window++) { base = p; points.push(base); for (let i = 1; i < windowSize; i++) { base = base.add(p); points.push(base); } p = base.double(); } return points; }, /** * Implements ec multiplication using precomputed tables and w-ary non-adjacent form. * @param W window size * @param precomputes precomputed tables * @param n scalar (we don't check here, but should be less than curve order) * @returns real and fake (for const-time) points */ wNAF(W, precomputes, n) { const { windows, windowSize } = opts(W); let p = c.ZERO; let f = c.BASE; const mask = BigInt(2 ** W - 1); const maxNumber = 2 ** W; const shiftBy = BigInt(W); for (let window = 0; window < windows; window++) { const offset = window * windowSize; let wbits = Number(n & mask); n >>= shiftBy; if (wbits > windowSize) { wbits -= maxNumber; n += _1n3; } const offset1 = offset; const offset2 = offset + Math.abs(wbits) - 1; const cond1 = window % 2 !== 0; const cond2 = wbits < 0; if (wbits === 0) { f = f.add(constTimeNegate(cond1, precomputes[offset1])); } else { p = p.add(constTimeNegate(cond2, precomputes[offset2])); } } return { p, f }; }, wNAFCached(P, precomputesMap, n, transform) { const W = P._WINDOW_SIZE || 1; let comp = precomputesMap.get(P); if (!comp) { comp = this.precomputeWindow(P, W); if (W !== 1) { precomputesMap.set(P, transform(comp)); } } return this.wNAF(W, comp, n); } }; } function validateBasic(curve) { validateField(curve.Fp); validateObject(curve, { n: "bigint", h: "bigint", Gx: "field", Gy: "field" }, { nBitLength: "isSafeInteger", nByteLength: "isSafeInteger" }); return Object.freeze({ ...nLength(curve.n, curve.nBitLength), ...curve, ...{ p: curve.Fp.ORDER } }); } // npm/node_modules/@noble/curves/esm/abstract/edwards.js var _0n3 = BigInt(0); var _1n4 = BigInt(1); var _2n3 = BigInt(2); var _8n2 = BigInt(8); var VERIFY_DEFAULT = { zip215: true }; function validateOpts(curve) { const opts = validateBasic(curve); validateObject(curve, { hash: "function", a: "bigint", d: "bigint", randomBytes: "function" }, { adjustScalarBytes: "function", domain: "function", uvRatio: "function", mapToCurve: "function" }); return Object.freeze({ ...opts }); } function twistedEdwards(curveDef) { const CURVE = validateOpts(curveDef); const { Fp: Fp2, n: CURVE_ORDER, prehash, hash: cHash, randomBytes: randomBytes2, nByteLength, h: cofactor } = CURVE; const MASK = _2n3 << BigInt(nByteLength * 8) - _1n4; const modP = Fp2.create; const uvRatio2 = CURVE.uvRatio || ((u, v) => { try { return { isValid: true, value: Fp2.sqrt(u * Fp2.inv(v)) }; } catch (e) { return { isValid: false, value: _0n3 }; } }); const adjustScalarBytes3 = CURVE.adjustScalarBytes || ((bytes3) => bytes3); const domain = CURVE.domain || ((data, ctx, phflag) => { if (ctx.length || phflag) throw new Error("Contexts/pre-hash are not supported"); return data; }); const inBig = (n) => typeof n === "bigint" && _0n3 < n; const inRange = (n, max) => inBig(n) && inBig(max) && n < max; const in0MaskRange = (n) => n === _0n3 || inRange(n, MASK); function assertInRange(n, max) { if (inRange(n, max)) return n; throw new Error(`Expected valid scalar < ${max}, got ${typeof n} ${n}`); } function assertGE0(n) { return n === _0n3 ? n : assertInRange(n, CURVE_ORDER); } const pointPrecomputes = /* @__PURE__ */ new Map(); function isPoint(other) { if (!(other instanceof Point)) throw new Error("ExtendedPoint expected"); } class Point { constructor(ex, ey, ez, et) { this.ex = ex; this.ey = ey; this.ez = ez; this.et = et; if (!in0MaskRange(ex)) throw new Error("x required"); if (!in0MaskRange(ey)) throw new Error("y required"); if (!in0MaskRange(ez)) throw new Error("z required"); if (!in0MaskRange(et)) throw new Error("t required"); } get x() { return this.toAffine().x; } get y() { return this.toAffine().y; } static fromAffine(p) { if (p instanceof Point) throw new Error("extended point not allowed"); const { x, y } = p || {}; if (!in0MaskRange(x) || !in0MaskRange(y)) throw new Error("invalid affine point"); return new Point(x, y, _1n4, modP(x * y)); } static normalizeZ(points) { const toInv = Fp2.invertBatch(points.map((p) => p.ez)); return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine); } // "Private method", don't use it directly _setWindowSize(windowSize) { this._WINDOW_SIZE = windowSize; pointPrecomputes.delete(this); } // Not required for fromHex(), which always creates valid points. // Could be useful for fromAffine(). assertValidity() { const { a, d } = CURVE; if (this.is0()) throw new Error("bad point: ZERO"); const { ex: X, ey: Y, ez: Z, et: T } = this; const X2 = modP(X * X); const Y2 = modP(Y * Y); const Z2 = modP(Z * Z); const Z4 = modP(Z2 * Z2); const aX2 = modP(X2 * a); const left = modP(Z2 * modP(aX2 + Y2)); const right = modP(Z4 + modP(d * modP(X2 * Y2))); if (left !== right) throw new Error("bad point: equation left != right (1)"); const XY = modP(X * Y); const ZT = modP(Z * T); if (XY !== ZT) throw new Error("bad point: equation left != right (2)"); } // Compare one point to another. equals(other) { isPoint(other); const { ex: X1, ey: Y1, ez: Z1 } = this; const { ex: X2, ey: Y2, ez: Z2 } = other; const X1Z2 = modP(X1 * Z2); const X2Z1 = modP(X2 * Z1); const Y1Z2 = modP(Y1 * Z2); const Y2Z1 = modP(Y2 * Z1); return X1Z2 === X2Z1 && Y1Z2 === Y2Z1; } is0() { return this.equals(Point.ZERO); } negate() { return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et)); } // Fast algo for doubling Extended Point. // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd // Cost: 4M + 4S + 1*a + 6add + 1*2. double() { const { a } = CURVE; const { ex: X1, ey: Y1, ez: Z1 } = this; const A = modP(X1 * X1); const B = modP(Y1 * Y1); const C = modP(_2n3 * modP(Z1 * Z1)); const D = modP(a * A); const x1y1 = X1 + Y1; const E = modP(modP(x1y1 * x1y1) - A - B); const G2 = D + B; const F = G2 - C; const H = D - B; const X3 = modP(E * F); const Y3 = modP(G2 * H); const T3 = modP(E * H); const Z3 = modP(F * G2); return new Point(X3, Y3, Z3, T3); } // Fast algo for adding 2 Extended Points. // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd // Cost: 9M + 1*a + 1*d + 7add. add(other) { isPoint(other); const { a, d } = CURVE; const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this; const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other; if (a === BigInt(-1)) { const A2 = modP((Y1 - X1) * (Y2 + X2)); const B2 = modP((Y1 + X1) * (Y2 - X2)); const F2 = modP(B2 - A2); if (F2 === _0n3) return this.double(); const C2 = modP(Z1 * _2n3 * T2); const D2 = modP(T1 * _2n3 * Z2); const E2 = D2 + C2; const G3 = B2 + A2; const H2 = D2 - C2; const X32 = modP(E2 * F2); const Y32 = modP(G3 * H2); const T32 = modP(E2 * H2); const Z32 = modP(F2 * G3); return new Point(X32, Y32, Z32, T32); } const A = modP(X1 * X2); const B = modP(Y1 * Y2); const C = modP(T1 * d * T2); const D = modP(Z1 * Z2); const E = modP((X1 + Y1) * (X2 + Y2) - A - B); const F = D - C; const G2 = D + C; const H = modP(B - a * A); const X3 = modP(E * F); const Y3 = modP(G2 * H); const T3 = modP(E * H); const Z3 = modP(F * G2); return new Point(X3, Y3, Z3, T3); } subtract(other) { return this.add(other.negate()); } wNAF(n) { return wnaf.wNAFCached(this, pointPrecomputes, n, Point.normalizeZ); } // Constant-time multiplication. multiply(scalar) { const { p, f } = this.wNAF(assertInRange(scalar, CURVE_ORDER)); return Point.normalizeZ([p, f])[0]; } // Non-constant-time multiplication. Uses double-and-add algorithm. // It's faster, but should only be used when you don't care about // an exposed private key e.g. sig verification. // Does NOT allow scalars higher than CURVE.n. multiplyUnsafe(scalar) { let n = assertGE0(scalar); if (n === _0n3) return I; if (this.equals(I) || n === _1n4) return this; if (this.equals(G)) return this.wNAF(n).p; return wnaf.unsafeLadder(this, n); } // Checks if point is of small order. // If you add something to small order point, you will have "dirty" // point with torsion component. // Multiplies point by cofactor and checks if the result is 0. isSmallOrder() { return this.multiplyUnsafe(cofactor).is0(); } // Multiplies point by curve order and checks if the result is 0. // Returns `false` is the point is dirty. isTorsionFree() { return wnaf.unsafeLadder(this, CURVE_ORDER).is0(); } // Converts Extended point to default (x, y) coordinates. // Can accept precomputed Z^-1 - for example, from invertBatch. toAffine(iz) { const { ex: x, ey: y, ez: z } = this; const is0 = this.is0(); if (iz == null) iz = is0 ? _8n2 : Fp2.inv(z); const ax = modP(x * iz); const ay = modP(y * iz); const zz = modP(z * iz); if (is0) return { x: _0n3, y: _1n4 }; if (zz !== _1n4) throw new Error("invZ was invalid"); return { x: ax, y: ay }; } clearCofactor() { const { h: cofactor2 } = CURVE; if (cofactor2 === _1n4) return this; return this.multiplyUnsafe(cofactor2); } // Converts hash string or Uint8Array to Point. // Uses algo from RFC8032 5.1.3. static fromHex(hex, zip215 = false) { const { d, a } = CURVE; const len = Fp2.BYTES; hex = ensureBytes("pointHex", hex, len); const normed = hex.slice(); const lastByte = hex[len - 1]; normed[len - 1] = lastByte & ~128; const y = bytesToNumberLE(normed); if (y === _0n3) { } else { if (zip215) assertInRange(y, MASK); else assertInRange(y, Fp2.ORDER); } const y2 = modP(y * y); const u = modP(y2 - _1n4); const v = modP(d * y2 - a); let { isValid, value: x } = uvRatio2(u, v); if (!isValid) throw new Error("Point.fromHex: invalid y coordinate"); const isXOdd = (x & _1n4) === _1n4; const isLastByteOdd = (lastByte & 128) !== 0; if (!zip215 && x === _0n3 && isLastByteOdd) throw new Error("Point.fromHex: x=0 and x_0=1"); if (isLastByteOdd !== isXOdd) x = modP(-x); return Point.fromAffine({ x, y }); } static fromPrivateKey(privKey) { return getExtendedPublicKey(privKey).point; } toRawBytes() { const { x, y } = this.toAffine(); const bytes3 = numberToBytesLE(y, Fp2.BYTES); bytes3[bytes3.length - 1] |= x & _1n4 ? 128 : 0; return bytes3; } toHex() { return bytesToHex(this.toRawBytes()); } } Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n4, modP(CURVE.Gx * CURVE.Gy)); Point.ZERO = new Point(_0n3, _1n4, _1n4, _0n3); const { BASE: G, ZERO: I } = Point; const wnaf = wNAF(Point, nByteLength * 8); function modN(a) { return mod(a, CURVE_ORDER); } function modN_LE(hash2) { return modN(bytesToNumberLE(hash2)); } function getExtendedPublicKey(key) { const len = nByteLength; key = ensureBytes("private key", key, len); const hashed = ensureBytes("hashed private key", cHash(key), 2 * len); const head = adjustScalarBytes3(hashed.slice(0, len)); const prefix = hashed.slice(len, 2 * len); const scalar = modN_LE(head); const point = G.multiply(scalar); const pointBytes = point.toRawBytes(); return { head, prefix, scalar, point, pointBytes }; } function getPublicKey(privKey) { return getExtendedPublicKey(privKey).pointBytes; } function hashDomainToScalar(context = new Uint8Array(), ...msgs) { const msg = concatBytes2(...msgs); return modN_LE(cHash(domain(msg, ensureBytes("context", context), !!prehash))); } function sign(msg, privKey, options = {}) { msg = ensureBytes("message", msg); if (prehash) msg = prehash(msg); const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey); const r = hashDomainToScalar(options.context, prefix, msg); const R = G.multiply(r).toRawBytes(); const k = hashDomainToScalar(options.context, R, pointBytes, msg); const s = modN(r + k * scalar); assertGE0(s); const res = concatBytes2(R, numberToBytesLE(s, Fp2.BYTES)); return ensureBytes("result", res, nByteLength * 2); } const verifyOpts = VERIFY_DEFAULT; function verify(sig, msg, publicKey, options = verifyOpts) { const { context, zip215 } = options; const len = Fp2.BYTES; sig = ensureBytes("signature", sig, 2 * len); msg = ensureBytes("message", msg); if (prehash) msg = prehash(msg); const s = bytesToNumberLE(sig.slice(len, 2 * len)); let A, R, SB; try { A = Point.fromHex(publicKey, zip215); R = Point.fromHex(sig.slice(0, len), zip215); SB = G.multiplyUnsafe(s); } catch (error) { return false; } if (!zip215 && A.isSmallOrder()) return false; const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg); const RkA = R.add(A.multiplyUnsafe(k)); return RkA.subtract(SB).clearCofactor().equals(Point.ZERO); } G._setWindowSize(8); const utils = { getExtendedPublicKey, // ed25519 private keys are uniform 32b. No need to check for modulo bias, like in secp256k1. randomPrivateKey: () => randomBytes2(Fp2.BYTES), /** * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT * values. This slows down first getPublicKey() by milliseconds (see Speed section), * but allows to speed-up subsequent getPublicKey() calls up to 20x. * @param windowSize 2, 4, 8, 16 */ precompute(windowSize = 8, point = Point.BASE) { point._setWindowSize(windowSize); point.multiply(BigInt(3)); return point; } }; return { CURVE, getPublicKey, sign, verify, ExtendedPoint: Point, utils }; } // npm/node_modules/@noble/curves/esm/abstract/montgomery.js var _0n4 = BigInt(0); var _1n5 = BigInt(1); function validateOpts2(curve) { validateObject(curve, { a: "bigint" }, { montgomeryBits: "isSafeInteger", nByteLength: "isSafeInteger", adjustScalarBytes: "function", domain: "function", powPminus2: "function", Gu: "bigint" }); return Object.freeze({ ...curve }); } function montgomery(curveDef) { const CURVE = validateOpts2(curveDef); const { P } = CURVE; const modP = (n) => mod(n, P); const montgomeryBits = CURVE.montgomeryBits; const montgomeryBytes = Math.ceil(montgomeryBits / 8); const fieldLen = CURVE.nByteLength; const adjustScalarBytes3 = CURVE.adjustScalarBytes || ((bytes3) => bytes3); const powPminus2 = CURVE.powPminus2 || ((x) => pow(x, P - BigInt(2), P)); function cswap(swap, x_2, x_3) { const dummy = modP(swap * (x_2 - x_3)); x_2 = modP(x_2 - dummy); x_3 = modP(x_3 + dummy); return [x_2, x_3]; } function assertFieldElement(n) { if (typeof n === "bigint" && _0n4 <= n && n < P) return n; throw new Error("Expected valid scalar 0 < scalar < CURVE.P"); } const a24 = (CURVE.a - BigInt(2)) / BigInt(4); function montgomeryLadder(pointU, scalar) { const u = assertFieldElement(pointU); const k = assertFieldElement(scalar); const x_1 = u; let x_2 = _1n5; let z_2 = _0n4; let x_3 = u; let z_3 = _1n5; let swap = _0n4; let sw; for (let t = BigInt(montgomeryBits - 1); t >= _0n4; t--) { const k_t = k >> t & _1n5; swap ^= k_t; sw = cswap(swap, x_2, x_3); x_2 = sw[0]; x_3 = sw[1]; sw = cswap(swap, z_2, z_3); z_2 = sw[0]; z_3 = sw[1]; swap = k_t; const A = x_2 + z_2; const AA = modP(A * A); const B = x_2 - z_2; const BB = modP(B * B); const E = AA - BB; const C = x_3 + z_3; const D = x_3 - z_3; const DA = modP(D * A); const CB = modP(C * B); const dacb = DA + CB; const da_cb = DA - CB; x_3 = modP(dacb * dacb); z_3 = modP(x_1 * modP(da_cb * da_cb)); x_2 = modP(AA * BB); z_2 = modP(E * (AA + modP(a24 * E))); } sw = cswap(swap, x_2, x_3); x_2 = sw[0]; x_3 = sw[1]; sw = cswap(swap, z_2, z_3); z_2 = sw[0]; z_3 = sw[1]; const z2 = powPminus2(z_2); return modP(x_2 * z2); } function encodeUCoordinate(u) { return numberToBytesLE(modP(u), montgomeryBytes); } function decodeUCoordinate(uEnc) { const u = ensureBytes("u coordinate", uEnc, montgomeryBytes); if (fieldLen === 32) u[31] &= 127; return bytesToNumberLE(u); } function decodeScalar(n) { const bytes3 = ensureBytes("scalar", n); const len = bytes3.length; if (len !== montgomeryBytes && len !== fieldLen) throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${len}`); return bytesToNumberLE(adjustScalarBytes3(bytes3)); } function scalarMult(scalar, u) { const pointU = decodeUCoordinate(u); const _scalar = decodeScalar(scalar); const pu = montgomeryLadder(pointU, _scalar); if (pu === _0n4) throw new Error("Invalid private or public key received"); return encodeUCoordinate(pu); } const GuBytes = encodeUCoordinate(CURVE.Gu); function scalarMultBase(scalar) { return scalarMult(scalar, GuBytes); } return { scalarMult, scalarMultBase, getSharedSecret: (privateKey, publicKey) => scalarMult(privateKey, publicKey), getPublicKey: (privateKey) => scalarMultBase(privateKey), utils: { randomPrivateKey: () => CURVE.randomBytes(CURVE.nByteLength) }, GuBytes }; } // npm/node_modules/@noble/curves/esm/ed25519.js var ED25519_P = BigInt("57896044618658097711785492504343953926634992332820282019728792003956564819949"); var _0n5 = BigInt(0); var _1n6 = BigInt(1); var _2n4 = BigInt(2); var _3n2 = BigInt(3); var _5n2 = BigInt(5); var _8n3 = BigInt(8); function ed25519_pow_2_252_3(x) { const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80); const P = ED25519_P; const x2 = x * x % P; const b2 = x2 * x % P; const b4 = pow2(b2, _2n4, P) * b2 % P; const b5 = pow2(b4, _1n6, P) * x % P; const b10 = pow2(b5, _5n2, P) * b5 % P; const b20 = pow2(b10, _10n, P) * b10 % P; const b40 = pow2(b20, _20n, P) * b20 % P; const b80 = pow2(b40, _40n, P) * b40 % P; const b160 = pow2(b80, _80n, P) * b80 % P; const b240 = pow2(b160, _80n, P) * b80 % P; const b250 = pow2(b240, _10n, P) * b10 % P; const pow_p_5_8 = pow2(b250, _2n4, P) * x % P; return { pow_p_5_8, b2 }; } function adjustScalarBytes(bytes3) { bytes3[0] &= 248; bytes3[31] &= 127; bytes3[31] |= 64; return bytes3; } var x25519 = /* @__PURE__ */ (() => montgomery({ P: ED25519_P, a: BigInt(486662), montgomeryBits: 255, // n is 253 bits nByteLength: 32, Gu: BigInt(9), powPminus2: (x) => { const P = ED25519_P; const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x); return mod(pow2(pow_p_5_8, _3n2, P) * b2, P); }, adjustScalarBytes, randomBytes }))(); // npm/esm/src/xCryptoKey.js var XCryptoKey = class { constructor(name, key, type, usages = []) { Object.defineProperty(this, "key", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "type", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "extractable", { enumerable: true, configurable: true, writable: true, value: true }); Object.defineProperty(this, "algorithm", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "usages", { enumerable: true, configurable: true, writable: true, value: void 0 }); this.key = key; this.type = type; this.algorithm = { name }; this.usages = usages; if (type === "public") { this.usages = []; } } }; // npm/esm/src/kems/dhkemPrimitives/x25519.js var ALG_NAME = "X25519"; var X25519 = class { constructor(hkdf) { Object.defineProperty(this, "_hkdf", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_nPk", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_nSk", { enumerable: true, configurable: true, writable: true, value: void 0 }); this._hkdf = hkdf; this._nPk = 32; this._nSk = 32; } async serializePublicKey(key) { try { return await this._serializePublicKey(key); } catch (e) { throw new SerializeError(e); } } async deserializePublicKey(key) { try { return await this._importRawKey(key, true); } catch (e) { throw new DeserializeError(e); } } async serializePrivateKey(key) { try { return await this._serializePrivateKey(key); } catch (e) { throw new SerializeError(e); } } async deserializePrivateKey(key) { try { return await this._importRawKey(key, false); } catch (e) { throw new DeserializeError(e); } } async importKey(format, key, isPublic) { try { if (format === "raw") { return await this._importRawKey(key, isPublic); } if (key instanceof ArrayBuffer) { throw new Error("Invalid jwk key format"); } return await this._importJWK(key, isPublic); } catch (e) { throw new DeserializeError(e); } } async generateKeyPair() { try { const rawSk = x25519.utils.randomPrivateKey(); const sk = new XCryptoKey(ALG_NAME, rawSk, "private", KEM_USAGES2); const pk = await this.derivePublicKey(sk); return { publicKey: pk, privateKey: sk }; } catch (e) { throw new NotSupportedError(e); } } async deriveKeyPair(ikm) { try { const dkpPrk = await this._hkdf.labeledExtract(EMPTY2, LABEL_DKP_PRK2, new Uint8Array(ikm)); const rawSk = await this._hkdf.labeledExpand(dkpPrk, LABEL_SK2, EMPTY2, this._nSk); const sk = new XCryptoKey(ALG_NAME, new Uint8Array(rawSk), "private", KEM_USAGES2); return { privateKey: sk, publicKey: await this.derivePublicKey(sk) }; } catch (e) { throw new DeriveKeyPairError(e); } } async derivePublicKey(key) { try { return await this._derivePublicKey(key); } catch (e) { throw new DeserializeError(e); } } async dh(sk, pk) { try { return await this._dh(sk, pk); } catch (e) { throw new SerializeError(e); } } _serializePublicKey(k) { return new Promise((resolve) => { resolve(k.key.buffer); }); } _serializePrivateKey(k) { return new Promise((resolve) => { resolve(k.key.buffer); }); } _importRawKey(key, isPublic) { return new Promise((resolve, reject) => { if (isPublic && key.byteLength !== this._nPk) { reject(new Error("Invalid length of the key")); } if (!isPublic && key.byteLength !== this._nSk) { reject(new Error("Invalid length of the key")); } resolve(new XCryptoKey(ALG_NAME, new Uint8Array(key), isPublic ? "public" : "private", isPublic ? [] : KEM_USAGES2)); }); } _importJWK(key, isPublic) { return new Promise((resolve, reject) => { if (typeof key.kty === "undefined" || key.kty !== "OKP") { reject(new Error(`Invalid kty: ${key.kty}`)); } if (typeof key.crv === "undefined" || key.crv !== "X25519") { reject(new Error(`Invalid crv: ${key.crv}`)); } if (isPublic) { if (typeof key.d !== "undefined") { reject(new Error("Invalid key: `d` should not be set")); } if (typeof key.x === "undefined") { reject(new Error("Invalid key: `x` not found")); } resolve(new XCryptoKey(ALG_NAME, base64UrlToBytes2(key.x), "public")); } else { if (typeof key.d !== "string") { reject(new Error("Invalid key: `d` not found")); } resolve(new XCryptoKey(ALG_NAME, base64UrlToBytes2(key.d), "private", KEM_USAGES2)); } }); } _derivePublicKey(k) { return new Promise((resolve, reject) => { try { const pk = x25519.getPublicKey(k.key); resolve(new XCryptoKey(ALG_NAME, pk, "public")); } catch (e) { reject(e); } }); } _dh(sk, pk) { return new Promise((resolve, reject) => { try { resolve(x25519.getSharedSecret(sk.key, pk.key).buffer); } catch (e) { reject(e); } }); } }; // npm/esm/src/kems/dhkemX25519.js var DhkemX25519HkdfSha256 = class extends Dhkem2 { constructor() { const kdf = new HkdfSha2562(); super(KemId.DhkemX25519HkdfSha256, new X25519(kdf), kdf); Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: KemId.DhkemX25519HkdfSha256 }); Object.defineProperty(this, "secretSize", { enumerable: true, configurable: true, writable: true, value: 32 }); Object.defineProperty(this, "encSize", { enumerable: true, configurable: true, writable: true, value: 32 }); Object.defineProperty(this, "publicKeySize", { enumerable: true, configurable: true, writable: true, value: 32 }); Object.defineProperty(this, "privateKeySize", { enumerable: true, configurable: true, writable: true, value: 32 }); } }; // npm/node_modules/@noble/hashes/esm/sha3.js var SHA3_PI = []; var SHA3_ROTL = []; var _SHA3_IOTA = []; var _0n6 = /* @__PURE__ */ BigInt(0); var _1n7 = /* @__PURE__ */ BigInt(1); var _2n5 = /* @__PURE__ */ BigInt(2); var _7n = /* @__PURE__ */ BigInt(7); var _256n = /* @__PURE__ */ BigInt(256); var _0x71n = /* @__PURE__ */ BigInt(113); for (let round = 0, R = _1n7, x = 1, y = 0; round < 24; round++) { [x, y] = [y, (2 * x + 3 * y) % 5]; SHA3_PI.push(2 * (5 * y + x)); SHA3_ROTL.push((round + 1) * (round + 2) / 2 % 64); let t = _0n6; for (let j = 0; j < 7; j++) { R = (R << _1n7 ^ (R >> _7n) * _0x71n) % _256n; if (R & _2n5) t ^= _1n7 << (_1n7 << /* @__PURE__ */ BigInt(j)) - _1n7; } _SHA3_IOTA.push(t); } var [SHA3_IOTA_H, SHA3_IOTA_L] = /* @__PURE__ */ split(_SHA3_IOTA, true); var rotlH = (h, l, s) => s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s); var rotlL = (h, l, s) => s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s); function keccakP(s, rounds = 24) { const B = new Uint32Array(5 * 2); for (let round = 24 - rounds; round < 24; round++) { for (let x = 0; x < 10; x++) B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40]; for (let x = 0; x < 10; x += 2) { const idx1 = (x + 8) % 10; const idx0 = (x + 2) % 10; const B0 = B[idx0]; const B1 = B[idx0 + 1]; const Th = rotlH(B0, B1, 1) ^ B[idx1]; const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1]; for (let y = 0; y < 50; y += 10) { s[x + y] ^= Th; s[x + y + 1] ^= Tl; } } let curH = s[2]; let curL = s[3]; for (let t = 0; t < 24; t++) { const shift = SHA3_ROTL[t]; const Th = rotlH(curH, curL, shift); const Tl = rotlL(curH, curL, shift); const PI = SHA3_PI[t]; curH = s[PI]; curL = s[PI + 1]; s[PI] = Th; s[PI + 1] = Tl; } for (let y = 0; y < 50; y += 10) { for (let x = 0; x < 10; x++) B[x] = s[y + x]; for (let x = 0; x < 10; x++) s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10]; } s[0] ^= SHA3_IOTA_H[round]; s[1] ^= SHA3_IOTA_L[round]; } B.fill(0); } var Keccak = class _Keccak extends Hash { // NOTE: we accept arguments in bytes instead of bits here. constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) { super(); this.blockLen = blockLen; this.suffix = suffix; this.outputLen = outputLen; this.enableXOF = enableXOF; this.rounds = rounds; this.pos = 0; this.posOut = 0; this.finished = false; this.destroyed = false; number2(outputLen); if (0 >= this.blockLen || this.blockLen >= 200) throw new Error("Sha3 supports only keccak-f1600 function"); this.state = new Uint8Array(200); this.state32 = u322(this.state); } keccak() { if (!isLE2) byteSwap32(this.state32); keccakP(this.state32, this.rounds); if (!isLE2) byteSwap32(this.state32); this.posOut = 0; this.pos = 0; } update(data) { exists2(this); const { blockLen, state } = this; data = toBytes2(data); const len = data.length; for (let pos = 0; pos < len; ) { const take = Math.min(blockLen - this.pos, len - pos); for (let i = 0; i < take; i++) state[this.pos++] ^= data[pos++]; if (this.pos === blockLen) this.keccak(); } return this; } finish() { if (this.finished) return; this.finished = true; const { state, suffix, pos, blockLen } = this; state[pos] ^= suffix; if ((suffix & 128) !== 0 && pos === blockLen - 1) this.keccak(); state[blockLen - 1] ^= 128; this.keccak(); } writeInto(out) { exists2(this, false); bytes2(out); this.finish(); const bufferOut = this.state; const { blockLen } = this; for (let pos = 0, len = out.length; pos < len; ) { if (this.posOut >= blockLen) this.keccak(); const take = Math.min(blockLen - this.posOut, len - pos); out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos); this.posOut += take; pos += take; } return out; } xofInto(out) { if (!this.enableXOF) throw new Error("XOF is not possible for this instance"); return this.writeInto(out); } xof(bytes3) { number2(bytes3); return this.xofInto(new Uint8Array(bytes3)); } digestInto(out) { output2(out, this); if (this.finished) throw new Error("digest() was already called"); this.writeInto(out); this.destroy(); return out; } digest() { return this.digestInto(new Uint8Array(this.outputLen)); } destroy() { this.destroyed = true; this.state.fill(0); } _cloneInto(to) { const { blockLen, suffix, outputLen, rounds, enableXOF } = this; to || (to = new _Keccak(blockLen, suffix, outputLen, enableXOF, rounds)); to.state32.set(this.state32); to.pos = this.pos; to.posOut = this.posOut; to.finished = this.finished; to.rounds = rounds; to.suffix = suffix; to.outputLen = outputLen; to.enableXOF = enableXOF; to.destroyed = this.destroyed; return to; } }; var gen = (suffix, blockLen, outputLen) => wrapConstructor(() => new Keccak(blockLen, suffix, outputLen)); var sha3_224 = /* @__PURE__ */ gen(6, 144, 224 / 8); var sha3_256 = /* @__PURE__ */ gen(6, 136, 256 / 8); var sha3_384 = /* @__PURE__ */ gen(6, 104, 384 / 8); var sha3_512 = /* @__PURE__ */ gen(6, 72, 512 / 8); var keccak_224 = /* @__PURE__ */ gen(1, 144, 224 / 8); var keccak_256 = /* @__PURE__ */ gen(1, 136, 256 / 8); var keccak_384 = /* @__PURE__ */ gen(1, 104, 384 / 8); var keccak_512 = /* @__PURE__ */ gen(1, 72, 512 / 8); var genShake = (suffix, blockLen, outputLen) => wrapXOFConstructorWithOpts((opts = {}) => new Keccak(blockLen, suffix, opts.dkLen === void 0 ? outputLen : opts.dkLen, true)); var shake128 = /* @__PURE__ */ genShake(31, 168, 128 / 8); var shake256 = /* @__PURE__ */ genShake(31, 136, 256 / 8); // npm/node_modules/@noble/curves/esm/ed448.js var shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 })); var shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 })); var ed448P = BigInt("726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439"); var _1n8 = BigInt(1); var _2n6 = BigInt(2); var _3n3 = BigInt(3); var _4n2 = BigInt(4); var _11n = BigInt(11); var _22n = BigInt(22); var _44n = BigInt(44); var _88n = BigInt(88); var _223n = BigInt(223); function ed448_pow_Pminus3div4(x) { const P = ed448P; const b2 = x * x * x % P; const b3 = b2 * b2 * x % P; const b6 = pow2(b3, _3n3, P) * b3 % P; const b9 = pow2(b6, _3n3, P) * b3 % P; const b11 = pow2(b9, _2n6, P) * b2 % P; const b22 = pow2(b11, _11n, P) * b11 % P; const b44 = pow2(b22, _22n, P) * b22 % P; const b88 = pow2(b44, _44n, P) * b44 % P; const b176 = pow2(b88, _88n, P) * b88 % P; const b220 = pow2(b176, _44n, P) * b44 % P; const b222 = pow2(b220, _2n6, P) * b2 % P; const b223 = pow2(b222, _1n8, P) * x % P; return pow2(b223, _223n, P) * b222 % P; } function adjustScalarBytes2(bytes3) { bytes3[0] &= 252; bytes3[55] |= 128; bytes3[56] = 0; return bytes3; } function uvRatio(u, v) { const P = ed448P; const u2v = mod(u * u * v, P); const u3v = mod(u2v * u, P); const u5v3 = mod(u3v * u2v * v, P); const root = ed448_pow_Pminus3div4(u5v3); const x = mod(u3v * root, P); const x2 = mod(x * x, P); return { isValid: mod(x2 * v, P) === u, value: x }; } var Fp = Field(ed448P, 456, true); var ED448_DEF = { // Param: a a: BigInt(1), // -39081. Negative number is P - number d: BigInt("726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358"), // Finite field 𝔽p over which we'll do calculations; 2n**448n - 2n**224n - 1n Fp, // Subgroup order: how many points curve has; // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n n: BigInt("181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779"), // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys nBitLength: 456, // Cofactor h: BigInt(4), // Base point (x, y) aka generator point Gx: BigInt("224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710"), Gy: BigInt("298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660"), // SHAKE256(dom4(phflag,context)||x, 114) hash: shake256_114, randomBytes, adjustScalarBytes: adjustScalarBytes2, // dom4 domain: (data, ctx, phflag) => { if (ctx.length > 255) throw new Error(`Context is too big: ${ctx.length}`); return concatBytes(utf8ToBytes2("SigEd448"), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data); }, uvRatio }; var ed448ph = /* @__PURE__ */ twistedEdwards({ ...ED448_DEF, prehash: shake256_64 }); var x448 = /* @__PURE__ */ (() => montgomery({ a: BigInt(156326), // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys montgomeryBits: 448, nByteLength: 56, P: ed448P, Gu: BigInt(5), powPminus2: (x) => { const P = ed448P; const Pminus3div4 = ed448_pow_Pminus3div4(x); const Pminus3 = pow2(Pminus3div4, BigInt(2), P); return mod(Pminus3 * x, P); }, adjustScalarBytes: adjustScalarBytes2, randomBytes }))(); var ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); var ELL2_J = BigInt(156326); var ONE_MINUS_D = BigInt("39082"); var ONE_MINUS_TWO_D = BigInt("78163"); var SQRT_MINUS_D = BigInt("98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214"); var INVSQRT_MINUS_D = BigInt("315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716"); var MAX_448B = BigInt("0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"); // npm/esm/src/kems/dhkemPrimitives/x448.js var ALG_NAME2 = "X448"; var X448 = class { constructor(hkdf) { Object.defineProperty(this, "_hkdf", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_nPk", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_nSk", { enumerable: true, configurable: true, writable: true, value: void 0 }); this._hkdf = hkdf; this._nPk = 56; this._nSk = 56; } async serializePublicKey(key) { try { return await this._serializePublicKey(key); } catch (e) { throw new SerializeError(e); } } async deserializePublicKey(key) { try { return await this._importRawKey(key, true); } catch (e) { throw new DeserializeError(e); } } async serializePrivateKey(key) { try { return await this._serializePrivateKey(key); } catch (e) { throw new SerializeError(e); } } async deserializePrivateKey(key) { try { return await this._importRawKey(key, false); } catch (e) { throw new DeserializeError(e); } } async importKey(format, key, isPublic) { try { if (format === "raw") { return await this._importRawKey(key, isPublic); } if (key instanceof ArrayBuffer) { throw new Error("Invalid jwk key format"); } return await this._importJWK(key, isPublic); } catch (e) { throw new DeserializeError(e); } } async generateKeyPair() { try { const rawSk = x448.utils.randomPrivateKey(); const sk = new XCryptoKey(ALG_NAME2, rawSk, "private", KEM_USAGES2); const pk = await this.derivePublicKey(sk); return { publicKey: pk, privateKey: sk }; } catch (e) { throw new NotSupportedError(e); } } async deriveKeyPair(ikm) { try { const dkpPrk = await this._hkdf.labeledExtract(EMPTY2, LABEL_DKP_PRK2, new Uint8Array(ikm)); const rawSk = await this._hkdf.labeledExpand(dkpPrk, LABEL_SK2, EMPTY2, this._nSk); const sk = new XCryptoKey(ALG_NAME2, new Uint8Array(rawSk), "private", KEM_USAGES2); return { privateKey: sk, publicKey: await this.derivePublicKey(sk) }; } catch (e) { throw new DeriveKeyPairError(e); } } async derivePublicKey(key) { try { return await this._derivePublicKey(key); } catch (e) { throw new DeserializeError(e); } } async dh(sk, pk) { try { return await this._dh(sk, pk); } catch (e) { throw new SerializeError(e); } } _serializePublicKey(k) { return new Promise((resolve) => { resolve(k.key.buffer); }); } _serializePrivateKey(k) { return new Promise((resolve) => { resolve(k.key.buffer); }); } _importRawKey(key, isPublic) { return new Promise((resolve, reject) => { if (isPublic && key.byteLength !== this._nPk) { reject(new Error("Invalid length of the key")); } if (!isPublic && key.byteLength !== this._nSk) { reject(new Error("Invalid length of the key")); } resolve(new XCryptoKey(ALG_NAME2, new Uint8Array(key), isPublic ? "public" : "private", isPublic ? [] : KEM_USAGES2)); }); } _importJWK(key, isPublic) { return new Promise((resolve, reject) => { if (key.kty !== "OKP") { reject(new Error(`Invalid kty: ${key.kty}`)); } if (key.crv !== "X448") { reject(new Error(`Invalid crv: ${key.crv}`)); } if (isPublic) { if (typeof key.d !== "undefined") { reject(new Error("Invalid key: `d` should not be set")); } if (typeof key.x !== "string") { reject(new Error("Invalid key: `x` not found")); } resolve(new XCryptoKey(ALG_NAME2, base64UrlToBytes2(key.x), "public")); } else { if (typeof key.d !== "string") { reject(new Error("Invalid key: `d` not found")); } resolve(new XCryptoKey(ALG_NAME2, base64UrlToBytes2(key.d), "private", KEM_USAGES2)); } }); } _derivePublicKey(k) { return new Promise((resolve, reject) => { try { const pk = x448.getPublicKey(k.key); resolve(new XCryptoKey(ALG_NAME2, pk, "public")); } catch (e) { reject(e); } }); } _dh(sk, pk) { return new Promise((resolve, reject) => { try { resolve(x448.getSharedSecret(sk.key, pk.key).buffer); } catch (e) { reject(e); } }); } }; // npm/esm/src/kems/dhkemX448.js var DhkemX448HkdfSha512 = class extends Dhkem2 { constructor() { const kdf = new HkdfSha5122(); super(KemId.DhkemX448HkdfSha512, new X448(kdf), kdf); Object.defineProperty(this, "id", { enumerable: true, configurable: true, writable: true, value: KemId.DhkemX448HkdfSha512 }); Object.defineProperty(this, "secretSize", { enumerable: true, configurable: true, writable: true, value: 64 }); Object.defineProperty(this, "encSize", { enumerable: true, configurable: true, writable: true, value: 56 }); Object.defineProperty(this, "publicKeySize", { enumerable: true, configurable: true, writable: true, value: 56 }); Object.defineProperty(this, "privateKeySize", { enumerable: true, configurable: true, writable: true, value: 56 }); } }; // npm/esm/core/src/utils/emitNotSupported.js function emitNotSupported2() { return new Promise((_resolve, reject) => { reject(new NotSupportedError("Not supported")); }); } // npm/esm/core/src/exporterContext.js var LABEL_SEC2 = new Uint8Array([115, 101, 99]); var ExporterContextImpl2 = class { constructor(api, kdf, exporterSecret) { Object.defineProperty(this, "_api", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "exporterSecret", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_kdf", { enumerable: true, configurable: true, writable: true, value: void 0 }); this._api = api; this._kdf = kdf; this.exporterSecret = exporterSecret; } async seal(_data, _aad) { return await emitNotSupported2(); } async open(_data, _aad) { return await emitNotSupported2(); } async export(exporterContext, len) { if (exporterContext.byteLength > INPUT_LENGTH_LIMIT2) { throw new InvalidParamError("Too long exporter context"); } try { return await this._kdf.labeledExpand(this.exporterSecret, LABEL_SEC2, new Uint8Array(exporterContext), len); } catch (e) { throw new ExportError(e); } } }; var RecipientExporterContextImpl2 = class extends ExporterContextImpl2 { }; var SenderExporterContextImpl2 = class extends ExporterContextImpl2 { constructor(api, kdf, exporterSecret, enc) { super(api, kdf, exporterSecret); Object.defineProperty(this, "enc", { enumerable: true, configurable: true, writable: true, value: void 0 }); this.enc = enc; return; } }; // npm/esm/core/src/encryptionContext.js function xor(a, b) { if (a.byteLength !== b.byteLength) { throw new Error("xor: different length inputs"); } const buf = new Uint8Array(a.byteLength); for (let i = 0; i < a.byteLength; i++) { buf[i] = a[i] ^ b[i]; } return buf; } var EncryptionContextImpl2 = class extends ExporterContextImpl2 { constructor(api, kdf, params) { super(api, kdf, params.exporterSecret); Object.defineProperty(this, "_aead", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_nK", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_nN", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_nT", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_ctx", { enumerable: true, configurable: true, writable: true, value: void 0 }); if (params.key === void 0 || params.baseNonce === void 0 || params.seq === void 0) { throw new Error("Required parameters are missing"); } this._aead = params.aead; this._nK = this._aead.keySize; this._nN = this._aead.nonceSize; this._nT = this._aead.tagSize; const key = this._aead.createEncryptionContext(params.key); this._ctx = { key, baseNonce: params.baseNonce, seq: params.seq }; } computeNonce(k) { const seqBytes = i2Osp2(k.seq, k.baseNonce.byteLength); return xor(k.baseNonce, seqBytes); } incrementSeq(k) { if (k.seq > Number.MAX_SAFE_INTEGER) { throw new MessageLimitReachedError("Message limit reached"); } k.seq += 1; return; } }; // npm/esm/core/src/recipientContext.js var RecipientContextImpl2 = class extends EncryptionContextImpl2 { async open(data, aad = EMPTY2) { let pt; try { pt = await this._ctx.key.open(this.computeNonce(this._ctx), data, aad); } catch (e) { throw new OpenError(e); } this.incrementSeq(this._ctx); return pt; } }; // npm/esm/core/src/senderContext.js var SenderContextImpl2 = class extends EncryptionContextImpl2 { constructor(api, kdf, params, enc) { super(api, kdf, params); Object.defineProperty(this, "enc", { enumerable: true, configurable: true, writable: true, value: void 0 }); this.enc = enc; } async seal(data, aad = EMPTY2) { let ct; try { ct = await this._ctx.key.seal(this.computeNonce(this._ctx), data, aad); } catch (e) { throw new SealError(e); } this.incrementSeq(this._ctx); return ct; } }; // npm/esm/core/src/cipherSuiteNative.js var LABEL_BASE_NONCE2 = new Uint8Array([ 98, 97, 115, 101, 95, 110, 111, 110, 99, 101 ]); var LABEL_EXP2 = new Uint8Array([101, 120, 112]); var LABEL_INFO_HASH2 = new Uint8Array([ 105, 110, 102, 111, 95, 104, 97, 115, 104 ]); var LABEL_KEY2 = new Uint8Array([107, 101, 121]); var LABEL_PSK_ID_HASH2 = new Uint8Array([ 112, 115, 107, 95, 105, 100, 95, 104, 97, 115, 104 ]); var LABEL_SECRET2 = new Uint8Array([115, 101, 99, 114, 101, 116]); var SUITE_ID_HEADER_HPKE2 = new Uint8Array([ 72, 80, 75, 69, 0, 0, 0, 0, 0, 0 ]); var CipherSuiteNative2 = class extends NativeAlgorithm { /** * @param params A set of parameters for building a cipher suite. * * If the error occurred, throws {@link InvalidParamError}. * * @throws {@link InvalidParamError} */ constructor(params) { super(); Object.defineProperty(this, "_kem", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_kdf", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_aead", { enumerable: true, configurable: true, writable: true, value: void 0 }); Object.defineProperty(this, "_suiteId", { enumerable: true, configurable: true, writable: true, value: void 0 }); if (typeof params.kem === "number") { throw new InvalidParamError("KemId cannot be used"); } this._kem = params.kem; if (typeof params.kdf === "number") { throw new InvalidParamError("KdfId cannot be used"); } this._kdf = params.kdf; if (typeof params.aead === "number") { throw new InvalidParamError("AeadId cannot be used"); } this._aead = params.aead; this._suiteId = new Uint8Array(SUITE_ID_HEADER_HPKE2); this._suiteId.set(i2Osp2(this._kem.id, 2), 4); this._suiteId.set(i2Osp2(this._kdf.id, 2), 6); this._suiteId.set(i2Osp2(this._aead.id, 2), 8); this._kdf.init(this._suiteId); } /** * Gets the KEM context of the ciphersuite. */ get kem() { return this._kem; } /** * Gets the KDF context of the ciphersuite. */ get kdf() { return this._kdf; } /** * Gets the AEAD context of the ciphersuite. */ get aead() { return this._aead; } /** * Creates an encryption context for a sender. * * If the error occurred, throws {@link DecapError} | {@link ValidationError}. * * @param params A set of parameters for the sender encryption context. * @returns A sender encryption context. * @throws {@link EncapError}, {@link ValidationError} */ async createSenderContext(params) { this._validateInputLength(params); await this._setup(); const dh = await this._kem.encap(params); let mode; if (params.psk !== void 0) { mode = params.senderKey !== void 0 ? Mode.AuthPsk : Mode.Psk; } else { mode = params.senderKey !== void 0 ? Mode.Auth : Mode.Base; } return await this._keyScheduleS(mode, dh.sharedSecret, dh.enc, params); } /** * Creates an encryption context for a recipient. * * If the error occurred, throws {@link DecapError} * | {@link DeserializeError} | {@link ValidationError}. * * @param params A set of parameters for the recipient encryption context. * @returns A recipient encryption context. * @throws {@link DecapError}, {@link DeserializeError}, {@link ValidationError} */ async createRecipientContext(params) { this._validateInputLength(params); await this._setup(); const sharedSecret = await this._kem.decap(params); let mode; if (params.psk !== void 0) { mode = params.senderPublicKey !== void 0 ? Mode.AuthPsk : Mode.Psk; } else { mode = params.senderPublicKey !== void 0 ? Mode.Auth : Mode.Base; } return await this._keyScheduleR(mode, sharedSecret, params); } /** * Encrypts a message to a recipient. * * If the error occurred, throws `EncapError` | `MessageLimitReachedError` | `SealError` | `ValidationError`. * * @param params A set of parameters for building a sender encryption context. * @param pt A plain text as bytes to be encrypted. * @param aad Additional authenticated data as bytes fed by an application. * @returns A cipher text and an encapsulated key as bytes. * @throws {@link EncapError}, {@link MessageLimitReachedError}, {@link SealError}, {@link ValidationError} */ async seal(params, pt, aad = EMPTY2) { const ctx = await this.createSenderContext(params); return { ct: await ctx.seal(pt, aad), enc: ctx.enc }; } /** * Decrypts a message from a sender. * * If the error occurred, throws `DecapError` | `DeserializeError` | `OpenError` | `ValidationError`. * * @param params A set of parameters for building a recipient encryption context. * @param ct An encrypted text as bytes to be decrypted. * @param aad Additional authenticated data as bytes fed by an application. * @returns A decrypted plain text as bytes. * @throws {@link DecapError}, {@link DeserializeError}, {@link OpenError}, {@link ValidationError} */ async open(params, ct, aad = EMPTY2) { const ctx = await this.createRecipientContext(params); return await ctx.open(ct, aad); } // private verifyPskInputs(mode: Mode, params: KeyScheduleParams) { // const gotPsk = (params.psk !== undefined); // const gotPskId = (params.psk !== undefined && params.psk.id.byteLength > 0); // if (gotPsk !== gotPskId) { // throw new Error('Inconsistent PSK inputs'); // } // if (gotPsk && (mode === Mode.Base || mode === Mode.Auth)) { // throw new Error('PSK input provided when not needed'); // } // if (!gotPsk && (mode === Mode.Psk || mode === Mode.AuthPsk)) { // throw new Error('Missing required PSK input'); // } // return; // } async _keySchedule(mode, sharedSecret, params) { const pskId = params.psk === void 0 ? EMPTY2 : new Uint8Array(params.psk.id); const pskIdHash = await this._kdf.labeledExtract(EMPTY2, LABEL_PSK_ID_HASH2, pskId); const info = params.info === void 0 ? EMPTY2 : new Uint8Array(params.info); const infoHash = await this._kdf.labeledExtract(EMPTY2, LABEL_INFO_HASH2, info); const keyScheduleContext = new Uint8Array(1 + pskIdHash.byteLength + infoHash.byteLength); keyScheduleContext.set(new Uint8Array([mode]), 0); keyScheduleContext.set(new Uint8Array(pskIdHash), 1); keyScheduleContext.set(new Uint8Array(infoHash), 1 + pskIdHash.byteLength); const psk = params.psk === void 0 ? EMPTY2 : new Uint8Array(params.psk.key); const ikm = this._kdf.buildLabeledIkm(LABEL_SECRET2, psk); const exporterSecretInfo = this._kdf.buildLabeledInfo(LABEL_EXP2, keyScheduleContext, this._kdf.hashSize); const exporterSecret = await this._kdf.extractAndExpand(sharedSecret, ikm, exporterSecretInfo, this._kdf.hashSize); if (this._aead.id === AeadId.ExportOnly) { return { aead: this._aead, exporterSecret }; } const keyInfo = this._kdf.buildLabeledInfo(LABEL_KEY2, keyScheduleContext, this._aead.keySize); const key = await this._kdf.extractAndExpand(sharedSecret, ikm, keyInfo, this._aead.keySize); const baseNonceInfo = this._kdf.buildLabeledInfo(LABEL_BASE_NONCE2, keyScheduleContext, this._aead.nonceSize); const baseNonce = await this._kdf.extractAndExpand(sharedSecret, ikm, baseNonceInfo, this._aead.nonceSize); return { aead: this._aead, exporterSecret, key, baseNonce: new Uint8Array(baseNonce), seq: 0 }; } async _keyScheduleS(mode, sharedSecret, enc, params) { const res = await this._keySchedule(mode, sharedSecret, params); if (res.key === void 0) { return new SenderExporterContextImpl2(this._api, this._kdf, res.exporterSecret, enc); } return new SenderContextImpl2(this._api, this._kdf, res, enc); } async _keyScheduleR(mode, sharedSecret, params) { const res = await this._keySchedule(mode, sharedSecret, params); if (res.key === void 0) { return new RecipientExporterContextImpl2(this._api, this._kdf, res.exporterSecret); } return new RecipientContextImpl2(this._api, this._kdf, res); } _validateInputLength(params) { if (params.info !== void 0 && params.info.byteLength > INPUT_LENGTH_LIMIT2) { throw new InvalidParamError("Too long info"); } if (params.psk !== void 0) { if (params.psk.key.byteLength < MINIMUM_PSK_LENGTH2) { throw new InvalidParamError(`PSK must have at least ${MINIMUM_PSK_LENGTH2} bytes`); } if (params.psk.key.byteLength > INPUT_LENGTH_LIMIT2) { throw new InvalidParamError("Too long psk.key"); } if (params.psk.id.byteLength > INPUT_LENGTH_LIMIT2) { throw new InvalidParamError("Too long psk.id"); } } return; } }; // npm/esm/src/cipherSuite.js var CipherSuite2 = class extends CipherSuiteNative2 { /** * @param params A set of parameters for building a cipher suite. * @throws {@link InvalidParamError} */ constructor(params) { if (typeof params.kem === "number") { switch (params.kem) { case KemId.DhkemP256HkdfSha256: params.kem = new DhkemP256HkdfSha2562(); break; case KemId.DhkemP384HkdfSha384: params.kem = new DhkemP384HkdfSha3842(); break; case KemId.DhkemP521HkdfSha512: params.kem = new DhkemP521HkdfSha5122(); break; case KemId.DhkemX25519HkdfSha256: params.kem = new DhkemX25519HkdfSha256(); break; case KemId.DhkemX448HkdfSha512: params.kem = new DhkemX448HkdfSha512(); break; default: throw new InvalidParamError(`The KEM (${params.kem}) cannot be specified by KemId. Use submodule for the KEM`); } } if (typeof params.kdf === "number") { switch (params.kdf) { case KdfId.HkdfSha256: params.kdf = new HkdfSha2562(); break; case KdfId.HkdfSha384: params.kdf = new HkdfSha3842(); break; default: params.kdf = new HkdfSha5122(); break; } } if (typeof params.aead === "number") { switch (params.aead) { case AeadId.Aes128Gcm: params.aead = new Aes128Gcm(); break; case AeadId.Aes256Gcm: params.aead = new Aes256Gcm(); break; case AeadId.Chacha20Poly1305: params.aead = new Chacha20Poly1305(); break; default: params.aead = new ExportOnly(); break; } } super(params); } /** * Generates a key pair for the cipher suite. * * If the error occurred, throws {@link NotSupportedError}. * * @deprecated Use {@link KemInterface.generateKeyPair} instead. * * @returns A key pair generated. * @throws {@link NotSupportedError} */ async generateKeyPair() { await this._setup(); return await this._kem.generateKeyPair(); } /** * Derives a key pair for the cipher suite in the manner * defined in [RFC9180 Section 7.1.3](https://www.rfc-editor.org/rfc/rfc9180.html#section-7.1.3). * * If the error occurred, throws {@link DeriveKeyPairError}. * * @deprecated Use {@link KemInterface.deriveKeyPair} instead. * * @param ikm A byte string of input keying material. The maximum length is 128 bytes. * @returns A key pair derived. * @throws {@link DeriveKeyPairError} */ async deriveKeyPair(ikm) { await this._setup(); return await this._kem.deriveKeyPair(ikm); } /** * Imports a public or private key and converts to a {@link CryptoKey}. * * Since key parameters for {@link createSenderContext} or {@link createRecipientContext} * are {@link CryptoKey} format, you have to use this function to convert provided keys * to {@link CryptoKey}. * * Basically, this is a thin wrapper function of * [SubtleCrypto.importKey](https://www.w3.org/TR/WebCryptoAPI/#dfn-SubtleCrypto-method-importKey). * * If the error occurred, throws {@link DeserializeError}. * * @deprecated Use {@link KemInterface.generateKeyPair} instead. * * @param format For now, `'raw'` and `'jwk'` are supported. * @param key A byte string of a raw key or A {@link JsonWebKey} object. * @param isPublic The indicator whether the provided key is a public key or not, which is used only for `'raw'` format. * @returns A public or private CryptoKey. * @throws {@link DeserializeError} */ async importKey(format, key, isPublic = true) { await this._setup(); return await this._kem.importKey(format, key, isPublic); } }; export { Aead, AeadId, BaseError, CipherSuite2 as CipherSuite, DecapError, DeriveKeyPairError, DeserializeError, EncapError, ExportError, HpkeError, InvalidParamError, Kdf, KdfId, Kem, KemId, MessageLimitReachedError, NotSupportedError, OpenError, SealError, SerializeError, ValidationError }; /*! Bundled license information: @noble/ciphers/esm/utils.js: (*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) *) @noble/hashes/esm/utils.js: (*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *) @noble/curves/esm/abstract/utils.js: (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) @noble/curves/esm/abstract/modular.js: (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) @noble/curves/esm/abstract/curve.js: (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) @noble/curves/esm/abstract/edwards.js: (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) @noble/curves/esm/abstract/montgomery.js: (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) @noble/curves/esm/ed25519.js: (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) @noble/curves/esm/ed448.js: (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *) */