dan/jose
1
0
Fork 0
mirror of https://github.com/danbulant/jose synced 2026-05-25 04:51:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
jose/dist/browser/index.bundle.min.js
Filip Skokan f14ded02a5 chore(release): 4.2.0
2021-11-08 22:35:16 +01:00

4 lines
60 KiB
JavaScript
Raw Permalink Blame History

var tt=Object.defineProperty;var Ft=e=>tt(e,"__esModule",{value:!0});var rt=(e,t)=>{Ft(e);for(var r in t)tt(e,r,{get:t[r],enumerable:!0})};var y=new TextEncoder,v=new TextDecoder,Se=2**32;function C(...e){let t=e.reduce((i,{length:o})=>i+o,0),r=new Uint8Array(t),n=0;return e.forEach(i=>{r.set(i,n),n+=i.length}),r}function nt(e,t){return C(y.encode(e),new Uint8Array([0]),t)}function Me(e,t,r){if(t<0||t>=Se)throw new RangeError(`value must be >= 0 and <= ${Se-1}. Received ${t}`);e.set([t>>>24,t>>>16,t>>>8,t&255],r)}function Ae(e){let t=Math.floor(e/Se),r=e%Se,n=new Uint8Array(8);return Me(n,t,0),Me(n,r,4),n}function _e(e){let t=new Uint8Array(4);return Me(t,e),t}function ve(e){return C(_e(e.length),e)}async function it(e,t,r,n){let i=Math.ceil((r>>3)/32),o;for(let a=1;a<=i;a++){let s=new Uint8Array(4+t.length+n.length);s.set(_e(a)),s.set(t,4),s.set(n,4+t.length),o?o=C(o,await e("sha256",s)):o=await e("sha256",s)}return o=o.slice(0,r>>3),o}var se=e=>{let t=e;typeof t=="string"&&(t=y.encode(t));let r=32768,n=[];for(let i=0;i<t.length;i+=r)n.push(String.fromCharCode.apply(null,t.subarray(i,i+r)));return btoa(n.join(""))},w=e=>se(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_"),Ne=e=>new Uint8Array(atob(e).split("").map(t=>t.charCodeAt(0))),E=e=>{let t=e;t instanceof Uint8Array&&(t=v.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ne(t)}catch(r){throw new TypeError("The input to be decoded is not correctly encoded.")}};var ot={};rt(ot,{JOSEAlgNotAllowed:()=>G,JOSEError:()=>K,JOSENotSupported:()=>f,JWEDecryptionFailed:()=>M,JWEInvalid:()=>d,JWKInvalid:()=>xe,JWKSInvalid:()=>de,JWKSMultipleMatchingKeys:()=>Ce,JWKSNoMatchingKey:()=>Ke,JWKSTimeout:()=>He,JWSInvalid:()=>h,JWSSignatureVerificationFailed:()=>q,JWTClaimValidationFailed:()=>P,JWTExpired:()=>ce,JWTInvalid:()=>I});var K=class extends Error{constructor(t){var r;super(t);this.code="ERR_JOSE_GENERIC",this.name=this.constructor.name,(r=Error.captureStackTrace)===null||r===void 0||r.call(Error,this,this.constructor)}static get code(){return"ERR_JOSE_GENERIC"}},P=class extends K{constructor(t,r="unspecified",n="unspecified"){super(t);this.code="ERR_JWT_CLAIM_VALIDATION_FAILED",this.claim=r,this.reason=n}static get code(){return"ERR_JWT_CLAIM_VALIDATION_FAILED"}},ce=class extends K{constructor(t,r="unspecified",n="unspecified"){super(t);this.code="ERR_JWT_EXPIRED",this.claim=r,this.reason=n}static get code(){return"ERR_JWT_EXPIRED"}},G=class extends K{constructor(){super(...arguments);this.code="ERR_JOSE_ALG_NOT_ALLOWED"}static get code(){return"ERR_JOSE_ALG_NOT_ALLOWED"}},f=class extends K{constructor(){super(...arguments);this.code="ERR_JOSE_NOT_SUPPORTED"}static get code(){return"ERR_JOSE_NOT_SUPPORTED"}},M=class extends K{constructor(){super(...arguments);this.code="ERR_JWE_DECRYPTION_FAILED",this.message="decryption operation failed"}static get code(){return"ERR_JWE_DECRYPTION_FAILED"}},d=class extends K{constructor(){super(...arguments);this.code="ERR_JWE_INVALID"}static get code(){return"ERR_JWE_INVALID"}},h=class extends K{constructor(){super(...arguments);this.code="ERR_JWS_INVALID"}static get code(){return"ERR_JWS_INVALID"}},I=class extends K{constructor(){super(...arguments);this.code="ERR_JWT_INVALID"}static get code(){return"ERR_JWT_INVALID"}},xe=class extends K{constructor(){super(...arguments);this.code="ERR_JWK_INVALID"}static get code(){return"ERR_JWK_INVALID"}},de=class extends K{constructor(){super(...arguments);this.code="ERR_JWKS_INVALID"}static get code(){return"ERR_JWKS_INVALID"}},Ke=class extends K{constructor(){super(...arguments);this.code="ERR_JWKS_NO_MATCHING_KEY",this.message="no applicable key found in the JSON Web Key Set"}static get code(){return"ERR_JWKS_NO_MATCHING_KEY"}},Ce=class extends K{constructor(){super(...arguments);this.code="ERR_JWKS_MULTIPLE_MATCHING_KEYS",this.message="multiple matching keys found in the JSON Web Key Set"}static get code(){return"ERR_JWKS_MULTIPLE_MATCHING_KEYS"}},He=class extends K{constructor(){super(...arguments);this.code="ERR_JWKS_TIMEOUT",this.message="request timed out"}static get code(){return"ERR_JWKS_TIMEOUT"}},q=class extends K{constructor(){super(...arguments);this.code="ERR_JWS_SIGNATURE_VERIFICATION_FAILED",this.message="signature verification failed"}static get code(){return"ERR_JWS_SIGNATURE_VERIFICATION_FAILED"}};var u=crypto;function A(e){try{return e!=null&&typeof e.extractable=="boolean"&&typeof e.algorithm.name=="string"&&typeof e.type=="string"}catch(t){return!1}}var N=u.getRandomValues.bind(u);function Be(e){switch(e){case"A128CBC-HS256":return 128;case"A128GCM":return 96;case"A128GCMKW":return 96;case"A192CBC-HS384":return 128;case"A192GCM":return 96;case"A192GCMKW":return 96;case"A256CBC-HS512":return 128;case"A256GCM":return 96;case"A256GCMKW":return 96;default:throw new f(`Unsupported JWE Algorithm: ${e}`)}}var Pe=e=>N(new Uint8Array(Be(e)>>3));var zt=(e,t)=>{if(t.length<<3!==Be(e))throw new d("Invalid Initialization Vector length")},We=zt;var Yt=(e,t)=>{if(e.length<<3!==t)throw new d("Invalid Content Encryption Key length")},Z=Yt;var Xt=(e,t)=>{if(!(e instanceof Uint8Array))throw new TypeError("First argument must be a buffer");if(!(t instanceof Uint8Array))throw new TypeError("Second argument must be a buffer");if(e.length!==t.length)throw new TypeError("Input buffers must have the same length");let r=e.length,n=0,i=-1;for(;++i<r;)n|=e[i]^t[i];return n===0},at=Xt;function D(){return typeof WebSocketPair=="function"}function J(){try{return process.versions.node!==void 0}catch(e){return!1}}function H(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function T(e,t){return e.name===t}function Je(e){return parseInt(e.name.substr(4),10)}function qt(e){switch(e){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function st(e,t){if(t.length&&!t.some(r=>e.usages.includes(r))){let r="CryptoKey does not support this operation, its usages must include ";if(t.length>2){let n=t.pop();r+=`one of ${t.join(", ")}, or ${n}.`}else t.length===2?r+=`one of ${t[0]} or ${t[1]}.`:r+=`${t[0]}.`;throw new TypeError(r)}}function ct(e,t,...r){switch(t){case"HS256":case"HS384":case"HS512":{if(!T(e.algorithm,"HMAC"))throw H("HMAC");let n=parseInt(t.substr(2),10);if(Je(e.algorithm.hash)!==n)throw H(`SHA-${n}`,"algorithm.hash");break}case"RS256":case"RS384":case"RS512":{if(!T(e.algorithm,"RSASSA-PKCS1-v1_5"))throw H("RSASSA-PKCS1-v1_5");let n=parseInt(t.substr(2),10);if(Je(e.algorithm.hash)!==n)throw H(`SHA-${n}`,"algorithm.hash");break}case"PS256":case"PS384":case"PS512":{if(!T(e.algorithm,"RSA-PSS"))throw H("RSA-PSS");let n=parseInt(t.substr(2),10);if(Je(e.algorithm.hash)!==n)throw H(`SHA-${n}`,"algorithm.hash");break}case(J()&&"EdDSA"):{if(e.algorithm.name!=="NODE-ED25519"&&e.algorithm.name!=="NODE-ED448")throw H("NODE-ED25519 or NODE-ED448");break}case(D()&&"EdDSA"):{if(!T(e.algorithm,"NODE-ED25519"))throw H("NODE-ED25519");break}case"ES256":case"ES384":case"ES512":{if(!T(e.algorithm,"ECDSA"))throw H("ECDSA");let n=qt(t);if(e.algorithm.namedCurve!==n)throw H(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}st(e,r)}function j(e,t,...r){switch(t){case"A128GCM":case"A192GCM":case"A256GCM":{if(!T(e.algorithm,"AES-GCM"))throw H("AES-GCM");let n=parseInt(t.substr(1,3),10);if(e.algorithm.length!==n)throw H(n,"algorithm.length");break}case"A128KW":case"A192KW":case"A256KW":{if(!T(e.algorithm,"AES-KW"))throw H("AES-KW");let n=parseInt(t.substr(1,3),10);if(e.algorithm.length!==n)throw H(n,"algorithm.length");break}case"ECDH-ES":if(!T(e.algorithm,"ECDH"))throw H("ECDH");break;case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":if(!T(e.algorithm,"PBKDF2"))throw H("PBKDF2");break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(!T(e.algorithm,"RSA-OAEP"))throw H("RSA-OAEP");let n=parseInt(t.substr(9),10)||1;if(Je(e.algorithm.hash)!==n)throw H(`SHA-${n}`,"algorithm.hash");break}default:throw new TypeError("CryptoKey does not support this operation")}st(e,r)}var b=(e,...t)=>{let r="Key must be ";if(t.length>2){let n=t.pop();r+=`one of type ${t.join(", ")}, or ${n}.`}else t.length===2?r+=`one of type ${t[0]} or ${t[1]}.`:r+=`of type ${t[0]}.`;return e==null?r+=` Received ${e}`:typeof e=="function"&&e.name?r+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor&&e.constructor.name&&(r+=` Received an instance of ${e.constructor.name}`),r};async function Zt(e,t,r,n,i,o){if(!(t instanceof Uint8Array))throw new TypeError(b(t,"Uint8Array"));let a=parseInt(e.substr(1,3),10),s=await u.subtle.importKey("raw",t.subarray(a>>3),"AES-CBC",!1,["decrypt"]),c=await u.subtle.importKey("raw",t.subarray(0,a>>3),{hash:`SHA-${a<<1}`,name:"HMAC"},!1,["sign"]),l=C(o,n,r,Ae(o.length<<3)),p=new Uint8Array((await u.subtle.sign("HMAC",c,l)).slice(0,a>>3)),m;try{m=at(i,p)}catch(W){}if(!m)throw new M;let S;try{S=new Uint8Array(await u.subtle.decrypt({iv:n,name:"AES-CBC"},s,r))}catch(W){}if(!S)throw new M;return S}async function Qt(e,t,r,n,i,o){let a;t instanceof Uint8Array?a=await u.subtle.importKey("raw",t,"AES-GCM",!1,["decrypt"]):(j(t,e,"decrypt"),a=t);try{return new Uint8Array(await u.subtle.decrypt({additionalData:o,iv:n,name:"AES-GCM",tagLength:128},a,C(r,i)))}catch(s){throw new M}}var er=async(e,t,r,n,i,o)=>{if(!A(t)&&!(t instanceof Uint8Array))throw new TypeError(b(t,"CryptoKey","Uint8Array"));switch(We(e,n),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return t instanceof Uint8Array&&Z(t,parseInt(e.substr(-3),10)),Zt(e,t,r,n,i,o);case"A128GCM":case"A192GCM":case"A256GCM":return t instanceof Uint8Array&&Z(t,parseInt(e.substr(1,3),10)),Qt(e,t,r,n,i,o);default:throw new f("Unsupported JWE Content Encryption Algorithm")}},je=er;var dt=async()=>{throw new f('JWE "zip" (Compression Algorithm) Header Parameter is not supported by your javascript runtime. You need to use the `inflateRaw` decrypt option to provide Inflate Raw implementation.')},pt=async()=>{throw new f('JWE "zip" (Compression Algorithm) Header Parameter is not supported by your javascript runtime. You need to use the `deflateRaw` encrypt option to provide Deflate Raw implementation.')};var tr=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return!0;let r;for(let n of t){let i=Object.keys(n);if(!r||r.size===0){r=new Set(i);continue}for(let o of i){if(r.has(o))return!1;r.add(o)}}return!0},R=tr;function rr(e){return typeof e=="object"&&e!==null}function g(e){if(!rr(e)||Object.prototype.toString.call(e)!=="[object Object]")return!1;if(Object.getPrototypeOf(e)===null)return!0;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t}var nr=[{hash:"SHA-256",name:"HMAC"},!0,["sign"]],Q=nr;function ut(e,t){if(e.algorithm.length!==parseInt(t.substr(1,3),10))throw new TypeError(`Invalid key size for alg: ${t}`)}function lt(e,t,r){if(A(e))return j(e,t,r),e;if(e instanceof Uint8Array)return u.subtle.importKey("raw",e,"AES-KW",!0,[r]);throw new TypeError(b(e,"CryptoKey","Uint8Array"))}var pe=async(e,t,r)=>{let n=await lt(t,e,"wrapKey");ut(n,e);let i=await u.subtle.importKey("raw",r,...Q);return new Uint8Array(await u.subtle.wrapKey("raw",i,n,"AES-KW"))},ue=async(e,t,r)=>{let n=await lt(t,e,"unwrapKey");ut(n,e);let i=await u.subtle.unwrapKey("raw",r,n,"AES-KW",...Q);return new Uint8Array(await u.subtle.exportKey("raw",i))};var ir=async(e,t)=>{let r=`SHA-${e.substr(-3)}`;return new Uint8Array(await u.subtle.digest(r,t))},De=ir;var Ie=async(e,t,r,n,i=new Uint8Array(0),o=new Uint8Array(0))=>{if(!A(e))throw new TypeError(b(e,"CryptoKey"));if(j(e,"ECDH-ES"),!A(t))throw new TypeError(b(t,"CryptoKey"));j(t,"ECDH-ES","deriveBits","deriveKey");let a=C(ve(y.encode(r)),ve(i),ve(o),_e(n));if(!t.usages.includes("deriveBits"))throw new TypeError('ECDH-ES private key "usages" must include "deriveBits"');let s=new Uint8Array(await u.subtle.deriveBits({name:"ECDH",public:e},t,Math.ceil(parseInt(t.algorithm.namedCurve.substr(-3),10)/8)<<3));return it(De,s,n,a)},ft=async e=>{if(!A(e))throw new TypeError(b(e,"CryptoKey"));return(await u.subtle.generateKey({name:"ECDH",namedCurve:e.algorithm.namedCurve},!0,["deriveBits"])).privateKey},Te=e=>{if(!A(e))throw new TypeError(b(e,"CryptoKey"));return["P-256","P-384","P-521"].includes(e.algorithm.namedCurve)};function Le(e){if(!(e instanceof Uint8Array)||e.length<8)throw new d("PBES2 Salt Input must be 8 or more octets")}function or(e,t){if(e instanceof Uint8Array)return u.subtle.importKey("raw",e,"PBKDF2",!1,["deriveBits"]);if(A(e))return j(e,t,"deriveBits","deriveKey"),e;throw new TypeError(b(e,"CryptoKey","Uint8Array"))}async function mt(e,t,r,n){Le(e);let i=nt(t,e),o=parseInt(t.substr(13,3),10),a={hash:`SHA-${t.substr(8,3)}`,iterations:r,name:"PBKDF2",salt:i},s={length:o,name:"AES-KW"},c=await or(n,t);if(c.usages.includes("deriveBits"))return new Uint8Array(await u.subtle.deriveBits(a,c,o));if(c.usages.includes("deriveKey"))return u.subtle.deriveKey(a,c,s,!1,["wrapKey","unwrapKey"]);throw new TypeError('PBKDF2 key "usages" must include "deriveBits" or "deriveKey"')}var ht=async(e,t,r,n=Math.floor(Math.random()*2049)+2048,i=N(new Uint8Array(16)))=>{let o=await mt(i,e,n,t);return{encryptedKey:await pe(e.substr(-6),o,r),p2c:n,p2s:w(i)}},yt=async(e,t,r,n,i)=>{let o=await mt(i,e,n,t);return ue(e.substr(-6),o,r)};function ee(e){switch(e){case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":return"RSA-OAEP";default:throw new f(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}var V=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};var wt=async(e,t,r)=>{if(!A(t))throw new TypeError(b(t,"CryptoKey"));if(j(t,e,"encrypt","wrapKey"),V(e,t),t.usages.includes("encrypt"))return new Uint8Array(await u.subtle.encrypt(ee(e),t,r));if(t.usages.includes("wrapKey")){let n=await u.subtle.importKey("raw",r,...Q);return new Uint8Array(await u.subtle.wrapKey("raw",n,t,ee(e)))}throw new TypeError('RSA-OAEP key "usages" must include "encrypt" or "wrapKey" for this operation')},gt=async(e,t,r)=>{if(!A(t))throw new TypeError(b(t,"CryptoKey"));if(j(t,e,"decrypt","unwrapKey"),V(e,t),t.usages.includes("decrypt"))return new Uint8Array(await u.subtle.decrypt(ee(e),t,r));if(t.usages.includes("unwrapKey")){let n=await u.subtle.unwrapKey("raw",r,t,ee(e),...Q);return new Uint8Array(await u.subtle.exportKey("raw",n))}throw new TypeError('RSA-OAEP key "usages" must include "decrypt" or "unwrapKey" for this operation')};function le(e){switch(e){case"A128CBC-HS256":return 256;case"A192CBC-HS384":return 384;case"A256CBC-HS512":return 512;case"A128GCM":return 128;case"A192GCM":return 192;case"A256GCM":return 256;default:throw new f(`Unsupported JWE Algorithm: ${e}`)}}var O=e=>N(new Uint8Array(le(e)>>3));var Re=(e,t)=>{let r=(e.match(/.{1,64}/g)||[]).join(`
`);return`-----BEGIN ${t}-----
${r}
-----END ${t}-----`};var bt=async(e,t,r)=>{if(!A(r))throw new TypeError(b(r,"CryptoKey"));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==e)throw new TypeError(`key is not a ${e} key`);return Re(se(new Uint8Array(await u.subtle.exportKey(t,r))),`${e.toUpperCase()} KEY`)},Et=e=>bt("public","spki",e),St=e=>bt("private","pkcs8",e),At=e=>{let t=e.toString();switch(!0){case t.includes(new Uint8Array([6,7,42,134,72,206,61,2,1,6,8,42,134,72,206,61,3,1,7]).toString()):return"P-256";case t.includes(new Uint8Array([6,7,42,134,72,206,61,2,1,6,5,43,129,4,0,34]).toString()):return"P-384";case t.includes(new Uint8Array([6,7,42,134,72,206,61,2,1,6,5,43,129,4,0,35]).toString()):return"P-521";case((D()||J())&&t.includes(new Uint8Array([6,3,43,101,112]).toString())):return"Ed25519";case(J()&&t.includes(new Uint8Array([6,3,43,101,113]).toString())):return"Ed448";default:throw new f("Invalid or unsupported EC Key Curve or OKP Key Sub Type")}},_t=async(e,t,r,n,i)=>{var o;let a,s,c=new Uint8Array(atob(r.replace(e,"")).split("").map(p=>p.charCodeAt(0))),l=t==="spki";switch(n){case"PS256":case"PS384":case"PS512":a={name:"RSA-PSS",hash:`SHA-${n.substr(-3)}`},s=l?["verify"]:["sign"];break;case"RS256":case"RS384":case"RS512":a={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${n.substr(-3)}`},s=l?["verify"]:["sign"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":a={name:"RSA-OAEP",hash:`SHA-${parseInt(n.substr(-3),10)||1}`},s=l?["encrypt","wrapKey"]:["decrypt","unwrapKey"];break;case"ES256":a={name:"ECDSA",namedCurve:"P-256"},s=l?["verify"]:["sign"];break;case"ES384":a={name:"ECDSA",namedCurve:"P-384"},s=l?["verify"]:["sign"];break;case"ES512":a={name:"ECDSA",namedCurve:"P-521"},s=l?["verify"]:["sign"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":a={name:"ECDH",namedCurve:At(c)},s=l?[]:["deriveBits"];break;case((D()||J())&&"EdDSA"):let p=At(c).toUpperCase();a={name:`NODE-${p}`,namedCurve:`NODE-${p}`},s=l?["verify"]:["sign"];break;default:throw new f('Invalid or unsupported "alg" (Algorithm) value')}return u.subtle.importKey(t,c,a,(o=i==null?void 0:i.extractable)!==null&&o!==void 0?o:!1,s)},vt=(e,t,r)=>_t(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g,"pkcs8",e,t,r),$e=(e,t,r)=>_t(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g,"spki",e,t,r);function ar(e){let t,r;switch(e.kty){case"oct":{switch(e.alg){case"HS256":case"HS384":case"HS512":t={name:"HMAC",hash:`SHA-${e.alg.substr(-3)}`},r=["sign","verify"];break;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":throw new f(`${e.alg} keys cannot be imported as CryptoKey instances`);case"A128GCM":case"A192GCM":case"A256GCM":case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":t={name:"AES-GCM"},r=["encrypt","decrypt"];break;case"A128KW":case"A192KW":case"A256KW":t={name:"AES-KW"},r=["wrapKey","unwrapKey"];break;case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":t={name:"PBKDF2"},r=["deriveBits"];break;default:throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"RSA":{switch(e.alg){case"PS256":case"PS384":case"PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.substr(-3)}`},r=e.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.substr(-3)}`},r=e.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.substr(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"EC":{switch(e.alg){case"ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case"ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case"ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case((D()||J())&&"OKP"):if(e.alg!=="EdDSA")throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');switch(e.crv){case"Ed25519":t={name:"NODE-ED25519",namedCurve:"NODE-ED25519"},r=e.d?["sign"]:["verify"];break;case(J()&&"Ed448"):t={name:"NODE-ED448",namedCurve:"NODE-ED448"},r=e.d?["sign"]:["verify"];break;default:throw new f('Invalid or unsupported JWK "crv" (Subtype of Key Pair) Parameter value')}break;default:throw new f('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:t,keyUsages:r}}var sr=async e=>{var t,r;let{algorithm:n,keyUsages:i}=ar(e),o=[n,(t=e.ext)!==null&&t!==void 0?t:!1,(r=e.key_ops)!==null&&r!==void 0?r:i];if(n.name==="PBKDF2")return u.subtle.importKey("raw",E(e.k),...o);let a={...e};return delete a.alg,u.subtle.importKey("jwk",a,...o)},Ge=sr;function xt(e){let t=[],r=0;for(;r<e.length;){let n=Kt(e.subarray(r));t.push(n),r+=n.byteLength}return t}function Kt(e){let t=0,r=e[0]&31;if(t++,r===31){for(r=0;e[t]>=128;)r=r*128+e[t]-128,t++;r=r*128+e[t]-128,t++}let n=0;if(e[t]<128)n=e[t],t++;else{let o=e[t]&127;t++,n=0;for(let a=0;a<o;a++)n=n*256+e[t],t++}if(n===128){for(n=0;e[t+n]!==0||e[t+n+1]!==0;)n++;let o=t+n+2;return{byteLength:o,contents:e.subarray(t,t+n),raw:e.subarray(0,o)}}let i=t+n;return{byteLength:i,contents:e.subarray(t,i),raw:e.subarray(0,i)}}function cr(e){let t=xt(xt(Kt(e).contents)[0].contents);return se(t[t[0].raw[0]===160?6:5].raw)}function dr(e){let t=e.replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\s)/g,""),r=Ne(t);return Re(cr(r),"PUBLIC KEY")}async function pr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PUBLIC KEY-----")!==0)throw new TypeError('"spki" must be SPKI formatted string');return $e(e,t,r)}async function ur(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN CERTIFICATE-----")!==0)throw new TypeError('"x509" must be X.509 formatted string');let n=dr(e);return $e(n,t,r)}async function lr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PCKS8 formatted string');return vt(e,t,r)}async function F(e,t,r){if(!g(e))throw new TypeError("JWK must be an object");if(t||(t=e.alg),typeof t!="string"||!t)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');switch(e.kty){case"oct":if(typeof e.k!="string"||!e.k)throw new TypeError('missing "k" (Key Value) Parameter value');return r!=null||(r=e.ext!==!0),r?Ge({...e,alg:t,ext:!1}):E(e.k);case"RSA":if(e.oth!==void 0)throw new f('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');case"EC":case"OKP":return Ge({...e,alg:t});default:throw new f('Unsupported "kty" (Key Type) Parameter value')}}var Ve=e=>A(e),k=["CryptoKey"];var fr=e=>{if(!(e instanceof Uint8Array)){if(!Ve(e))throw new TypeError(b(e,...k,"Uint8Array"));if(e.type!=="secret")throw new TypeError(`${k.join(" or ")} instances for symmetric algorithms must be of type "secret"`)}},mr=(e,t)=>{if(!Ve(e))throw new TypeError(b(e,...k));if(e.type==="secret")throw new TypeError(`${k.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);if(t==="sign"&&e.type==="public")throw new TypeError(`${k.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);if(t==="decrypt"&&e.type==="public")throw new TypeError(`${k.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);if(e.algorithm&&t==="verify"&&e.type==="private")throw new TypeError(`${k.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);if(e.algorithm&&t==="encrypt"&&e.type==="private")throw new TypeError(`${k.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`)},hr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A\d{3}(?:GCM)?KW$/.test(e)?fr(t):mr(t,r)},B=hr;async function yr(e,t,r,n,i){if(!(r instanceof Uint8Array))throw new TypeError(b(r,"Uint8Array"));let o=parseInt(e.substr(1,3),10),a=await u.subtle.importKey("raw",r.subarray(o>>3),"AES-CBC",!1,["encrypt"]),s=await u.subtle.importKey("raw",r.subarray(0,o>>3),{hash:`SHA-${o<<1}`,name:"HMAC"},!1,["sign"]),c=new Uint8Array(await u.subtle.encrypt({iv:n,name:"AES-CBC"},a,t)),l=C(i,n,c,Ae(i.length<<3)),p=new Uint8Array((await u.subtle.sign("HMAC",s,l)).slice(0,o>>3));return{ciphertext:c,tag:p}}async function wr(e,t,r,n,i){let o;r instanceof Uint8Array?o=await u.subtle.importKey("raw",r,"AES-GCM",!1,["encrypt"]):(j(r,e,"encrypt"),o=r);let a=new Uint8Array(await u.subtle.encrypt({additionalData:i,iv:n,name:"AES-GCM",tagLength:128},o,t)),s=a.slice(-16);return{ciphertext:a.slice(0,-16),tag:s}}var gr=async(e,t,r,n,i)=>{if(!A(r)&&!(r instanceof Uint8Array))throw new TypeError(b(r,"CryptoKey","Uint8Array"));switch(We(e,n),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return r instanceof Uint8Array&&Z(r,parseInt(e.substr(-3),10)),yr(e,t,r,n,i);case"A128GCM":case"A192GCM":case"A256GCM":return r instanceof Uint8Array&&Z(r,parseInt(e.substr(1,3),10)),wr(e,t,r,n,i);default:throw new f("Unsupported JWE Content Encryption Algorithm")}},fe=gr;async function Ct(e,t,r,n){let i=e.substr(0,7);n||(n=Pe(i));let{ciphertext:o,tag:a}=await fe(i,r,t,n,new Uint8Array(0));return{encryptedKey:o,iv:w(n),tag:w(a)}}async function Ht(e,t,r,n,i){let o=e.substr(0,7);return je(o,t,r,n,i,new Uint8Array(0))}async function br(e,t,r,n){switch(B(e,t,"decrypt"),e){case"dir":{if(r!==void 0)throw new d("Encountered unexpected JWE Encrypted Key");return t}case"ECDH-ES":if(r!==void 0)throw new d("Encountered unexpected JWE Encrypted Key");case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!g(n.epk))throw new d('JOSE Header "epk" (Ephemeral Public Key) missing or invalid');if(!Te(t))throw new f("ECDH-ES with the provided key is not allowed or not supported by your javascript runtime");let i=await F(n.epk,e),o,a;if(n.apu!==void 0){if(typeof n.apu!="string")throw new d('JOSE Header "apu" (Agreement PartyUInfo) invalid');o=E(n.apu)}if(n.apv!==void 0){if(typeof n.apv!="string")throw new d('JOSE Header "apv" (Agreement PartyVInfo) invalid');a=E(n.apv)}let s=await Ie(i,t,e==="ECDH-ES"?n.enc:e,parseInt(e.substr(-5,3),10)||le(n.enc),o,a);if(e==="ECDH-ES")return s;if(r===void 0)throw new d("JWE Encrypted Key missing");return ue(e.substr(-6),s,r)}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(r===void 0)throw new d("JWE Encrypted Key missing");return gt(e,t,r)}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{if(r===void 0)throw new d("JWE Encrypted Key missing");if(typeof n.p2c!="number")throw new d('JOSE Header "p2c" (PBES2 Count) missing or invalid');if(typeof n.p2s!="string")throw new d('JOSE Header "p2s" (PBES2 Salt) missing or invalid');return yt(e,t,r,n.p2c,E(n.p2s))}case"A128KW":case"A192KW":case"A256KW":{if(r===void 0)throw new d("JWE Encrypted Key missing");return ue(e,t,r)}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{if(r===void 0)throw new d("JWE Encrypted Key missing");if(typeof n.iv!="string")throw new d('JOSE Header "iv" (Initialization Vector) missing or invalid');if(typeof n.tag!="string")throw new d('JOSE Header "tag" (Authentication Tag) missing or invalid');let i=E(n.iv),o=E(n.tag);return Ht(e,t,r,i,o)}default:throw new f('Invalid or unsupported "alg" (JWE Algorithm) header value')}}var Pt=br;function Er(e,t,r,n,i){if(i.crit!==void 0&&n.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(a=>typeof a!="string"||a.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let o;r!==void 0?o=new Map([...Object.entries(r),...t.entries()]):o=t;for(let a of n.crit){if(!o.has(a))throw new f(`Extension Header Parameter "${a}" is not recognized`);if(i[a]===void 0)throw new e(`Extension Header Parameter "${a}" is missing`);if(o.get(a)&&n[a]===void 0)throw new e(`Extension Header Parameter "${a}" MUST be integrity protected`)}return new Set(n.crit)}var U=Er;var Sr=(e,t)=>{if(t!==void 0&&(!Array.isArray(t)||t.some(r=>typeof r!="string")))throw new TypeError(`"${e}" option must be an array of strings`);if(!!t)return new Set(t)},me=Sr;async function he(e,t,r){var n;if(!g(e))throw new d("Flattened JWE must be an object");if(e.protected===void 0&&e.header===void 0&&e.unprotected===void 0)throw new d("JOSE Header missing");if(typeof e.iv!="string")throw new d("JWE Initialization Vector missing or incorrect type");if(typeof e.ciphertext!="string")throw new d("JWE Ciphertext missing or incorrect type");if(typeof e.tag!="string")throw new d("JWE Authentication Tag missing or incorrect type");if(e.protected!==void 0&&typeof e.protected!="string")throw new d("JWE Protected Header incorrect type");if(e.encrypted_key!==void 0&&typeof e.encrypted_key!="string")throw new d("JWE Encrypted Key incorrect type");if(e.aad!==void 0&&typeof e.aad!="string")throw new d("JWE AAD incorrect type");if(e.header!==void 0&&!g(e.header))throw new d("JWE Shared Unprotected Header incorrect type");if(e.unprotected!==void 0&&!g(e.unprotected))throw new d("JWE Per-Recipient Unprotected Header incorrect type");let i;if(e.protected){let Ee=E(e.protected);try{i=JSON.parse(v.decode(Ee))}catch(Vr){throw new d("JWE Protected Header is invalid")}}if(!R(i,e.header,e.unprotected))throw new d("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint");let o={...i,...e.header,...e.unprotected};if(U(d,new Map,r==null?void 0:r.crit,i,o),o.zip!==void 0){if(!i||!i.zip)throw new d('JWE "zip" (Compression Algorithm) Header MUST be integrity protected');if(o.zip!=="DEF")throw new f('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value')}let{alg:a,enc:s}=o;if(typeof a!="string"||!a)throw new d("missing JWE Algorithm (alg) in JWE Header");if(typeof s!="string"||!s)throw new d("missing JWE Encryption Algorithm (enc) in JWE Header");let c=r&&me("keyManagementAlgorithms",r.keyManagementAlgorithms),l=r&&me("contentEncryptionAlgorithms",r.contentEncryptionAlgorithms);if(c&&!c.has(a))throw new G('"alg" (Algorithm) Header Parameter not allowed');if(l&&!l.has(s))throw new G('"enc" (Encryption Algorithm) Header Parameter not allowed');let p;e.encrypted_key!==void 0&&(p=E(e.encrypted_key));let m=!1;typeof t=="function"&&(t=await t(i,e),m=!0);let S;try{S=await Pt(a,t,p,o)}catch(Ee){if(Ee instanceof TypeError)throw Ee;S=O(s)}let W=E(e.iv),x=E(e.tag),_=y.encode((n=e.protected)!==null&&n!==void 0?n:""),$;e.aad!==void 0?$=C(_,y.encode("."),y.encode(e.aad)):$=_;let be=await je(s,S,E(e.ciphertext),W,x,$);o.zip==="DEF"&&(be=await((r==null?void 0:r.inflateRaw)||dt)(be));let X={plaintext:be};return e.protected!==void 0&&(X.protectedHeader=i),e.aad!==void 0&&(X.additionalAuthenticatedData=E(e.aad)),e.unprotected!==void 0&&(X.sharedUnprotectedHeader=e.unprotected),e.header!==void 0&&(X.unprotectedHeader=e.header),m?{...X,key:t}:X}async function Fe(e,t,r){if(e instanceof Uint8Array&&(e=v.decode(e)),typeof e!="string")throw new d("Compact JWE must be a string or Uint8Array");let{0:n,1:i,2:o,3:a,4:s,length:c}=e.split(".");if(c!==5)throw new d("Invalid Compact JWE");let l=await he({ciphertext:a||void 0,iv:o||void 0,protected:n||void 0,tag:s||void 0,encrypted_key:i||void 0},t,r),p={plaintext:l.plaintext,protectedHeader:l.protectedHeader};return typeof t=="function"?{...p,key:l.key}:p}async function Ar(e,t,r){if(!g(e))throw new d("General JWE must be an object");if(!Array.isArray(e.recipients)||!e.recipients.every(g))throw new d("JWE Recipients missing or incorrect type");if(!e.recipients.length)throw new d("JWE Recipients has no members");for(let n of e.recipients)try{return await he({aad:e.aad,ciphertext:e.ciphertext,encrypted_key:n.encrypted_key,header:n.header,iv:e.iv,protected:e.protected,tag:e.tag,unprotected:e.unprotected},t,r)}catch(i){}throw new M}var _r=async e=>{if(e instanceof Uint8Array)return{kty:"oct",k:w(e)};if(!A(e))throw new TypeError(b(e,"CryptoKey","Uint8Array"));if(!e.extractable)throw new TypeError("non-extractable CryptoKey cannot be exported as a JWK");let{ext:t,key_ops:r,alg:n,use:i,...o}=await u.subtle.exportKey("jwk",e);return o},Wt=_r;async function vr(e){return Et(e)}async function xr(e){return St(e)}async function ze(e){return Wt(e)}async function Kr(e,t,r,n,i={}){let o,a,s;switch(B(e,r,"encrypt"),e){case"dir":{s=r;break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!Te(r))throw new f("ECDH-ES with the provided key is not allowed or not supported by your javascript runtime");let{apu:c,apv:l}=i,{epk:p}=i;p||(p=await ft(r));let{x:m,y:S,crv:W,kty:x}=await ze(p),_=await Ie(r,p,e==="ECDH-ES"?t:e,parseInt(e.substr(-5,3),10)||le(t),c,l);if(a={epk:{x:m,y:S,crv:W,kty:x}},c&&(a.apu=w(c)),l&&(a.apv=w(l)),e==="ECDH-ES"){s=_;break}s=n||O(t);let $=e.substr(-6);o=await pe($,_,s);break}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{s=n||O(t),o=await wt(e,r,s);break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{s=n||O(t);let{p2c:c,p2s:l}=i;({encryptedKey:o,...a}=await ht(e,r,s,c,l));break}case"A128KW":case"A192KW":case"A256KW":{s=n||O(t),o=await pe(e,r,s);break}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{s=n||O(t);let{iv:c}=i;({encryptedKey:o,...a}=await Ct(e,r,s,c));break}default:throw new f('Invalid or unsupported "alg" (JWE Algorithm) header value')}return{cek:s,encryptedKey:o,parameters:a}}var Oe=Kr;var Ye=Symbol(),z=class{constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("plaintext must be an instance of Uint8Array");this._plaintext=t}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._sharedUnprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._sharedUnprotectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}async encrypt(t,r){if(!this._protectedHeader&&!this._unprotectedHeader&&!this._sharedUnprotectedHeader)throw new d("either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()");if(!R(this._protectedHeader,this._unprotectedHeader,this._sharedUnprotectedHeader))throw new d("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let n={...this._protectedHeader,...this._unprotectedHeader,...this._sharedUnprotectedHeader};if(U(d,new Map,r==null?void 0:r.crit,this._protectedHeader,n),n.zip!==void 0){if(!this._protectedHeader||!this._protectedHeader.zip)throw new d('JWE "zip" (Compression Algorithm) Header MUST be integrity protected');if(n.zip!=="DEF")throw new f('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value')}let{alg:i,enc:o}=n;if(typeof i!="string"||!i)throw new d('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(typeof o!="string"||!o)throw new d('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');let a;if(i==="dir"){if(this._cek)throw new TypeError("setContentEncryptionKey cannot be called when using Direct Encryption")}else if(i==="ECDH-ES"&&this._cek)throw new TypeError("setContentEncryptionKey cannot be called when using Direct Key Agreement");let s;{let x;({cek:s,encryptedKey:a,parameters:x}=await Oe(i,o,t,this._cek,this._keyManagementParameters)),x&&(r&&Ye in r?this._unprotectedHeader?this._unprotectedHeader={...this._unprotectedHeader,...x}:this.setUnprotectedHeader(x):this._protectedHeader?this._protectedHeader={...this._protectedHeader,...x}:this.setProtectedHeader(x))}this._iv||(this._iv=Pe(o));let c,l,p;this._protectedHeader?l=y.encode(w(JSON.stringify(this._protectedHeader))):l=y.encode(""),this._aad?(p=w(this._aad),c=C(l,y.encode("."),y.encode(p))):c=l;let m,S;if(n.zip==="DEF"){let x=await((r==null?void 0:r.deflateRaw)||pt)(this._plaintext);({ciphertext:m,tag:S}=await fe(o,x,s,this._iv,c))}else({ciphertext:m,tag:S}=await fe(o,this._plaintext,s,this._iv,c));let W={ciphertext:w(m),iv:w(this._iv),tag:w(S)};return a&&(W.encrypted_key=w(a)),p&&(W.aad=p),this._protectedHeader&&(W.protected=v.decode(l)),this._sharedUnprotectedHeader&&(W.unprotected=this._sharedUnprotectedHeader),this._unprotectedHeader&&(W.header=this._unprotectedHeader),W}};var te=new WeakMap,Jt=class{setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}set _unprotectedHeader(t){te.get(this).unprotectedHeader=t}get _unprotectedHeader(){return te.get(this).unprotectedHeader}},jt=class{constructor(t){this._recipients=[],this._plaintext=t}addRecipient(t,r){let n=new Jt;return te.set(n,{key:t,options:{crit:r==null?void 0:r.crit}}),this._recipients.push(n),n}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}async encrypt(t){var r,n;if(!this._recipients.length)throw new d("at least one recipient must be added");if(t={deflateRaw:t==null?void 0:t.deflateRaw},this._recipients.length===1){let{unprotectedHeader:s,options:c,key:l}=te.get(this._recipients[0]),p=await new z(this._plaintext).setAdditionalAuthenticatedData(this._aad).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(s).encrypt(l,{...c,...t}),m={ciphertext:p.ciphertext,iv:p.iv,recipients:[{}],tag:p.tag};return p.aad&&(m.aad=p.aad),p.protected&&(m.protected=p.protected),p.unprotected&&(m.unprotected=p.unprotected),p.encrypted_key&&(m.recipients[0].encrypted_key=p.encrypted_key),p.header&&(m.recipients[0].header=p.header),m}let i;for(let s=0;s<this._recipients.length;s++){let c=this._recipients[s],{unprotectedHeader:l,options:p}=te.get(c);if(!R(this._protectedHeader,this._unprotectedHeader,l))throw new d("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let m={...this._protectedHeader,...this._unprotectedHeader,...l},{alg:S}=m;if(typeof S!="string"||!S)throw new d('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(S==="dir"||S==="ECDH-ES")throw new d('"dir" and "ECDH-ES" alg may only be used with a single recipient');if(typeof m.enc!="string"||!m.enc)throw new d('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');if(!i)i=m.enc;else if(i!==m.enc)throw new d('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients');if(U(d,new Map,p==null?void 0:p.crit,this._protectedHeader,m),m.zip!==void 0&&(!this._protectedHeader||!this._protectedHeader.zip))throw new d('JWE "zip" (Compression Algorithm) Header MUST be integrity protected')}let o=O(i),a={ciphertext:"",iv:"",recipients:[],tag:""};for(let s=0;s<this._recipients.length;s++){let c=this._recipients[s],l={};a.recipients.push(l);let{unprotectedHeader:p,options:m,key:S}=te.get(c);if(s===0){let _=await new z(this._plaintext).setAdditionalAuthenticatedData(this._aad).setContentEncryptionKey(o).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(p).encrypt(S,{...m,...t,[Ye]:!0});a.ciphertext=_.ciphertext,a.iv=_.iv,a.tag=_.tag,_.aad&&(a.aad=_.aad),_.protected&&(a.protected=_.protected),_.unprotected&&(a.unprotected=_.unprotected),l.encrypted_key=_.encrypted_key,_.header&&(l.header=_.header);continue}let{encryptedKey:W,parameters:x}=await Oe((p==null?void 0:p.alg)||((r=this._protectedHeader)===null||r===void 0?void 0:r.alg)||((n=this._unprotectedHeader)===null||n===void 0?void 0:n.alg),i,S,o);l.encrypted_key=w(W),(p||x)&&(l.header={...p,...x})}return a}};function ye(e,t){let r=parseInt(e.substr(-3),10);switch(e){case"HS256":case"HS384":case"HS512":return{hash:`SHA-${r}`,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:`SHA-${r}`,name:"RSA-PSS",saltLength:r>>3};case"RS256":case"RS384":case"RS512":return{hash:`SHA-${r}`,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:`SHA-${r}`,name:"ECDSA",namedCurve:t};case((D()||J())&&"EdDSA"):return{name:t,namedCurve:t};default:throw new f(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}function we(e,t,r){if(A(t))return ct(t,e,r),t;if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(b(t,"CryptoKey"));return u.subtle.importKey("raw",t,{hash:`SHA-${e.substr(-3)}`,name:"HMAC"},!1,[r])}throw new TypeError(b(t,"CryptoKey","Uint8Array"))}var Cr=async(e,t,r,n)=>{let i=await we(e,t,"verify");V(e,i);let o=ye(e,i.algorithm.namedCurve);try{return await u.subtle.verify(o,i,r,n)}catch(a){return!1}},Dt=Cr;async function ge(e,t,r){var n;if(!g(e))throw new h("Flattened JWS must be an object");if(e.protected===void 0&&e.header===void 0)throw new h('Flattened JWS must have either of the "protected" or "header" members');if(e.protected!==void 0&&typeof e.protected!="string")throw new h("JWS Protected Header incorrect type");if(e.payload===void 0)throw new h("JWS Payload missing");if(typeof e.signature!="string")throw new h("JWS Signature missing or incorrect type");if(e.header!==void 0&&!g(e.header))throw new h("JWS Unprotected Header incorrect type");let i={};if(e.protected){let $=E(e.protected);try{i=JSON.parse(v.decode($))}catch(be){throw new h("JWS Protected Header is invalid")}}if(!R(i,e.header))throw new h("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let o={...i,...e.header},a=U(h,new Map([["b64",!0]]),r==null?void 0:r.crit,i,o),s=!0;if(a.has("b64")&&(s=i.b64,typeof s!="boolean"))throw new h('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:c}=o;if(typeof c!="string"||!c)throw new h('JWS "alg" (Algorithm) Header Parameter missing or invalid');let l=r&&me("algorithms",r.algorithms);if(l&&!l.has(c))throw new G('"alg" (Algorithm) Header Parameter not allowed');if(s){if(typeof e.payload!="string")throw new h("JWS Payload must be a string")}else if(typeof e.payload!="string"&&!(e.payload instanceof Uint8Array))throw new h("JWS Payload must be a string or an Uint8Array instance");let p=!1;typeof t=="function"&&(t=await t(i,e),p=!0),B(c,t,"verify");let m=C(y.encode((n=e.protected)!==null&&n!==void 0?n:""),y.encode("."),typeof e.payload=="string"?y.encode(e.payload):e.payload),S=E(e.signature);if(!await Dt(c,t,S,m))throw new q;let x;s?x=E(e.payload):typeof e.payload=="string"?x=y.encode(e.payload):x=e.payload;let _={payload:x};return e.protected!==void 0&&(_.protectedHeader=i),e.header!==void 0&&(_.unprotectedHeader=e.header),p?{..._,key:t}:_}async function Xe(e,t,r){if(e instanceof Uint8Array&&(e=v.decode(e)),typeof e!="string")throw new h("Compact JWS must be a string or Uint8Array");let{0:n,1:i,2:o,length:a}=e.split(".");if(a!==3)throw new h("Invalid Compact JWS");let s=await ge({payload:i||void 0,protected:n||void 0,signature:o||void 0},t,r),c={payload:s.payload,protectedHeader:s.protectedHeader};return typeof t=="function"?{...c,key:s.key}:c}async function Hr(e,t,r){if(!g(e))throw new h("General JWS must be an object");if(!Array.isArray(e.signatures)||!e.signatures.every(g))throw new h("JWS Signatures missing or incorrect type");for(let n of e.signatures)try{return await ge({header:n.header,payload:e.payload,protected:n.protected,signature:n.signature},t,r)}catch(i){}throw new q}var re=e=>Math.floor(e.getTime()/1e3);var It=60,Tt=It*60,qe=Tt*24,Pr=qe*7,Wr=qe*365.25,Jr=/^(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)$/i,ne=e=>{let t=Jr.exec(e);if(!t)throw new TypeError("Invalid time period format");let r=parseFloat(t[1]);switch(t[2].toLowerCase()){case"sec":case"secs":case"second":case"seconds":case"s":return Math.round(r);case"minute":case"minutes":case"min":case"mins":case"m":return Math.round(r*It);case"hour":case"hours":case"hr":case"hrs":case"h":return Math.round(r*Tt);case"day":case"days":case"d":return Math.round(r*qe);case"week":case"weeks":case"w":return Math.round(r*Pr);default:return Math.round(r*Wr)}};var Rt=e=>e.toLowerCase().replace(/^application\//,""),jr=(e,t)=>typeof e=="string"?t.includes(e):Array.isArray(e)?t.some(Set.prototype.has.bind(new Set(e))):!1,ie=(e,t,r={})=>{let{typ:n}=r;if(n&&(typeof e.typ!="string"||Rt(e.typ)!==Rt(n)))throw new P('unexpected "typ" JWT header value',"typ","check_failed");let i;try{i=JSON.parse(v.decode(t))}catch(m){}if(!g(i))throw new I("JWT Claims Set must be a top-level JSON object");let{issuer:o}=r;if(o&&!(Array.isArray(o)?o:[o]).includes(i.iss))throw new P('unexpected "iss" claim value',"iss","check_failed");let{subject:a}=r;if(a&&i.sub!==a)throw new P('unexpected "sub" claim value',"sub","check_failed");let{audience:s}=r;if(s&&!jr(i.aud,typeof s=="string"?[s]:s))throw new P('unexpected "aud" claim value',"aud","check_failed");let c;switch(typeof r.clockTolerance){case"string":c=ne(r.clockTolerance);break;case"number":c=r.clockTolerance;break;case"undefined":c=0;break;default:throw new TypeError("Invalid clockTolerance option type")}let{currentDate:l}=r,p=re(l||new Date);if(i.iat!==void 0||r.maxTokenAge){if(typeof i.iat!="number")throw new P('"iat" claim must be a number',"iat","invalid");if(i.exp===void 0&&i.iat>p+c)throw new P('"iat" claim timestamp check failed (it should be in the past)',"iat","check_failed")}if(i.nbf!==void 0){if(typeof i.nbf!="number")throw new P('"nbf" claim must be a number',"nbf","invalid");if(i.nbf>p+c)throw new P('"nbf" claim timestamp check failed',"nbf","check_failed")}if(i.exp!==void 0){if(typeof i.exp!="number")throw new P('"exp" claim must be a number',"exp","invalid");if(i.exp<=p-c)throw new ce('"exp" claim timestamp check failed',"exp","check_failed")}if(r.maxTokenAge){let m=p-i.iat,S=typeof r.maxTokenAge=="number"?r.maxTokenAge:ne(r.maxTokenAge);if(m-c>S)throw new ce('"iat" claim timestamp check failed (too far in the past)',"iat","check_failed");if(m<0-c)throw new P('"iat" claim timestamp check failed (it should be in the past)',"iat","check_failed")}return i};async function Dr(e,t,r){var n;let i=await Xe(e,t,r);if(((n=i.protectedHeader.crit)===null||n===void 0?void 0:n.includes("b64"))&&i.protectedHeader.b64===!1)throw new I("JWTs MUST NOT use unencoded payload");let a={payload:ie(i.protectedHeader,i.payload,r),protectedHeader:i.protectedHeader};return typeof t=="function"?{...a,key:i.key}:a}async function Ir(e,t,r){let n=await Fe(e,t,r),i=ie(n.protectedHeader,n.plaintext,r),{protectedHeader:o}=n;if(o.iss!==void 0&&o.iss!==i.iss)throw new P('replicated "iss" claim header parameter mismatch',"iss","mismatch");if(o.sub!==void 0&&o.sub!==i.sub)throw new P('replicated "sub" claim header parameter mismatch',"sub","mismatch");if(o.aud!==void 0&&JSON.stringify(o.aud)!==JSON.stringify(i.aud))throw new P('replicated "aud" claim header parameter mismatch',"aud","mismatch");let a={payload:i,protectedHeader:o};return typeof t=="function"?{...a,key:n.key}:a}var Ue=class{constructor(t){this._flattened=new z(t)}setContentEncryptionKey(t){return this._flattened.setContentEncryptionKey(t),this}setInitializationVector(t){return this._flattened.setInitializationVector(t),this}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}setKeyManagementParameters(t){return this._flattened.setKeyManagementParameters(t),this}async encrypt(t,r){let n=await this._flattened.encrypt(t,r);return[n.protected,n.encrypted_key,n.iv,n.ciphertext,n.tag].join(".")}};var Tr=async(e,t,r)=>{let n=await we(e,t,"sign");V(e,n);let i=await u.subtle.sign(ye(e,n.algorithm.namedCurve),n,r);return new Uint8Array(i)},Ot=Tr;var oe=class{constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this._payload=t}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}async sign(t,r){if(!this._protectedHeader&&!this._unprotectedHeader)throw new h("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!R(this._protectedHeader,this._unprotectedHeader))throw new h("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...this._protectedHeader,...this._unprotectedHeader},i=U(h,new Map([["b64",!0]]),r==null?void 0:r.crit,this._protectedHeader,n),o=!0;if(i.has("b64")&&(o=this._protectedHeader.b64,typeof o!="boolean"))throw new h('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:a}=n;if(typeof a!="string"||!a)throw new h('JWS "alg" (Algorithm) Header Parameter missing or invalid');B(a,t,"sign");let s=this._payload;o&&(s=y.encode(w(s)));let c;this._protectedHeader?c=y.encode(w(JSON.stringify(this._protectedHeader))):c=y.encode("");let l=C(c,y.encode("."),s),p=await Ot(a,t,l),m={signature:w(p),payload:""};return o&&(m.payload=v.decode(s)),this._unprotectedHeader&&(m.header=this._unprotectedHeader),this._protectedHeader&&(m.protected=v.decode(c)),m}};var ke=class{constructor(t){this._flattened=new oe(t)}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}async sign(t,r){let n=await this._flattened.sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${n.protected}.${n.payload}.${n.signature}`}};var ae=new WeakMap,Ut=class{setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}set _protectedHeader(t){ae.get(this).protectedHeader=t}get _protectedHeader(){return ae.get(this).protectedHeader}set _unprotectedHeader(t){ae.get(this).unprotectedHeader=t}get _unprotectedHeader(){return ae.get(this).unprotectedHeader}},kt=class{constructor(t){this._signatures=[],this._payload=t}addSignature(t,r){let n=new Ut;return ae.set(n,{key:t,options:r}),this._signatures.push(n),n}async sign(){if(!this._signatures.length)throw new h("at least one signature must be added");let t={signatures:[],payload:""},r=new Set;if(await Promise.all(this._signatures.map(async n=>{let{protectedHeader:i,unprotectedHeader:o,options:a,key:s}=ae.get(n),c=new oe(this._payload);i&&c.setProtectedHeader(i),o&&c.setUnprotectedHeader(o);let{payload:l,...p}=await c.sign(s,a);r.add(l),t.payload=l,t.signatures.push(p)})),r.size!==1)throw new h("inconsistent use of JWS Unencoded Payload Option (RFC7797)");return t}};var Y=class{constructor(t){if(!g(t))throw new TypeError("JWT Claims Set MUST be an object");this._payload=t}setIssuer(t){return this._payload={...this._payload,iss:t},this}setSubject(t){return this._payload={...this._payload,sub:t},this}setAudience(t){return this._payload={...this._payload,aud:t},this}setJti(t){return this._payload={...this._payload,jti:t},this}setNotBefore(t){return typeof t=="number"?this._payload={...this._payload,nbf:t}:this._payload={...this._payload,nbf:re(new Date)+ne(t)},this}setExpirationTime(t){return typeof t=="number"?this._payload={...this._payload,exp:t}:this._payload={...this._payload,exp:re(new Date)+ne(t)},this}setIssuedAt(t){return typeof t=="undefined"?this._payload={...this._payload,iat:re(new Date)}:this._payload={...this._payload,iat:t},this}};var Mt=class extends Y{setProtectedHeader(t){return this._protectedHeader=t,this}async sign(t,r){var n;let i=new ke(y.encode(JSON.stringify(this._payload)));if(i.setProtectedHeader(this._protectedHeader),Array.isArray((n=this._protectedHeader)===null||n===void 0?void 0:n.crit)&&this._protectedHeader.crit.includes("b64")&&this._protectedHeader.b64===!1)throw new I("JWTs MUST NOT use unencoded payload");return i.sign(t,r)}};var Nt=class extends Y{setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}replicateIssuerAsHeader(){return this._replicateIssuerAsHeader=!0,this}replicateSubjectAsHeader(){return this._replicateSubjectAsHeader=!0,this}replicateAudienceAsHeader(){return this._replicateAudienceAsHeader=!0,this}async encrypt(t,r){let n=new Ue(y.encode(JSON.stringify(this._payload)));return this._replicateIssuerAsHeader&&(this._protectedHeader={...this._protectedHeader,iss:this._payload.iss}),this._replicateSubjectAsHeader&&(this._protectedHeader={...this._protectedHeader,sub:this._payload.sub}),this._replicateAudienceAsHeader&&(this._protectedHeader={...this._protectedHeader,aud:this._payload.aud}),n.setProtectedHeader(this._protectedHeader),this._iv&&n.setInitializationVector(this._iv),this._cek&&n.setContentEncryptionKey(this._cek),this._keyManagementParameters&&n.setKeyManagementParameters(this._keyManagementParameters),n.encrypt(t,r)}};var L=(e,t)=>{if(typeof e!="string"||!e)throw new xe(`${t} missing or invalid`)};async function Rr(e,t="sha256"){if(!g(e))throw new TypeError("JWK must be an object");let r;switch(e.kty){case"EC":L(e.crv,'"crv" (Curve) Parameter'),L(e.x,'"x" (X Coordinate) Parameter'),L(e.y,'"y" (Y Coordinate) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x,y:e.y};break;case"OKP":L(e.crv,'"crv" (Subtype of Key Pair) Parameter'),L(e.x,'"x" (Public Key) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x};break;case"RSA":L(e.e,'"e" (Exponent) Parameter'),L(e.n,'"n" (Modulus) Parameter'),r={e:e.e,kty:e.kty,n:e.n};break;case"oct":L(e.k,'"k" (Key Value) Parameter'),r={k:e.k,kty:e.kty};break;default:throw new f('"kty" (Key Type) Parameter missing or unsupported')}let n=y.encode(JSON.stringify(r));return w(await De(t,n))}async function Or(e,t){let r={...e,...t.header};if(!g(r.jwk))throw new h('"jwk" (JSON Web Key) Header Parameter must be a JSON object');let n=await F({...r.jwk,ext:!0},r.alg,!0);if(n instanceof Uint8Array||n.type!=="public")throw new h('"jwk" (JSON Web Key) Header Parameter must be a public key');return n}var Ur=async(e,t)=>{let r,n,i=!1;typeof AbortController=="function"&&(r=new AbortController,n=setTimeout(()=>{i=!0,r.abort()},t));let o=await fetch(e.href,{signal:r?r.signal:void 0,redirect:"manual",method:"GET",...D()?void 0:{referrerPolicy:"no-referrer",credentials:"omit",mode:"cors"}}).catch(a=>{throw i?new He:a});if(n!==void 0&&clearTimeout(n),o.status!==200)throw new K("Expected 200 OK from the JSON Web Key Set HTTP response");try{return await o.json()}catch(a){throw new K("Failed to parse the JSON Web Key Set HTTP response as JSON")}},Bt=Ur;function kr(e){switch(typeof e=="string"&&e.substr(0,2)){case"RS":case"PS":return"RSA";case"ES":return"EC";case"Ed":return"OKP";default:throw new f('Unsupported "alg" value for a JSON Web Key Set')}}function Mr(e){return g(e)}var Ze=class{constructor(t,r){if(this._cached=new WeakMap,!(t instanceof URL))throw new TypeError("url must be an instance of URL");this._url=new URL(t.href),this._options={agent:r==null?void 0:r.agent},this._timeoutDuration=typeof(r==null?void 0:r.timeoutDuration)=="number"?r==null?void 0:r.timeoutDuration:5e3,this._cooldownDuration=typeof(r==null?void 0:r.cooldownDuration)=="number"?r==null?void 0:r.cooldownDuration:3e4}coolingDown(){return this._cooldownStarted?Date.now()<this._cooldownStarted+this._cooldownDuration:!1}async getKey(t){this._jwks||await this.reload();let r=this._jwks.keys.filter(a=>{let s=a.kty===kr(t.alg);if(s&&typeof t.kid=="string"&&(s=t.kid===a.kid),s&&typeof a.alg=="string"&&(s=t.alg===a.alg),s&&typeof a.use=="string"&&(s=a.use==="sig"),s&&Array.isArray(a.key_ops)&&(s=a.key_ops.includes("verify")),s&&t.alg==="EdDSA"&&(s=a.crv==="Ed25519"||a.crv==="Ed448"),s)switch(t.alg){case"ES256":s=a.crv==="P-256";break;case"ES256K":s=a.crv==="secp256k1";break;case"ES384":s=a.crv==="P-384";break;case"ES512":s=a.crv==="P-521";break;default:}return s}),{0:n,length:i}=r;if(i===0){if(this.coolingDown()===!1)return await this.reload(),this.getKey(t);throw new Ke}else if(i!==1)throw new Ce;let o=this._cached.get(n)||this._cached.set(n,{}).get(n);if(o[t.alg]===void 0){let a=await F({...n,ext:!0},t.alg);if(a instanceof Uint8Array||a.type!=="public")throw new de("JSON Web Key Set members must be public keys");o[t.alg]=a}return o[t.alg]}async reload(){this._pendingFetch||(this._pendingFetch=Bt(this._url,this._timeoutDuration,this._options).then(t=>{if(typeof t!="object"||!t||!Array.isArray(t.keys)||!t.keys.every(Mr))throw new de("JSON Web Key Set malformed");this._jwks={keys:t.keys},this._cooldownStarted=Date.now(),this._pendingFetch=void 0}).catch(t=>{throw this._pendingFetch=void 0,t})),await this._pendingFetch}};function Nr(e,t){return Ze.prototype.getKey.bind(new Ze(e,t))}var Lt=class extends Y{encode(){let t=w(JSON.stringify({alg:"none"})),r=w(JSON.stringify(this._payload));return`${t}.${r}.`}static decode(t,r){if(typeof t!="string")throw new I("Unsecured JWT must be a string");let{0:n,1:i,2:o,length:a}=t.split(".");if(a!==3||o!=="")throw new I("Invalid Unsecured JWT");let s;try{if(s=JSON.parse(v.decode(E(n))),s.alg!=="none")throw new Error}catch(l){throw new I("Invalid Unsecured JWT")}return{payload:ie(s,E(i),r),header:s}}};var $t={};rt($t,{decode:()=>Qe,encode:()=>Br});var Br=w,Qe=E;function Lr(e){let t;if(typeof e=="string"){let r=e.split(".");(r.length===3||r.length===5)&&([t]=r)}else if(typeof e=="object"&&e)if("protected"in e)t=e.protected;else throw new TypeError("Token does not contain a Protected Header");try{if(typeof t!="string"||!t)throw new Error;let r=JSON.parse(v.decode(Qe(t)));if(!g(r))throw new Error;return r}catch(r){throw new TypeError("Invalid Token or Protected Header formatting")}}async function Gt(e,t){var r;let n,i,o;switch(e){case"HS256":case"HS384":case"HS512":n=parseInt(e.substr(-3),10),i={name:"HMAC",hash:`SHA-${n}`,length:n},o=["sign","verify"];break;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return n=parseInt(e.substr(-3),10),N(new Uint8Array(n>>3));case"A128KW":case"A192KW":case"A256KW":n=parseInt(e.substring(1,4),10),i={name:"AES-KW",length:n},o=["wrapKey","unwrapKey"];break;case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":case"A128GCM":case"A192GCM":case"A256GCM":n=parseInt(e.substring(1,4),10),i={name:"AES-GCM",length:n},o=["encrypt","decrypt"];break;default:throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return u.subtle.generateKey(i,(r=t==null?void 0:t.extractable)!==null&&r!==void 0?r:!1,o)}function et(e){var t;let r=(t=e==null?void 0:e.modulusLength)!==null&&t!==void 0?t:2048;if(typeof r!="number"||r<2048)throw new f("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return r}async function Vt(e,t){var r,n;let i,o;switch(e){case"PS256":case"PS384":case"PS512":i={name:"RSA-PSS",hash:`SHA-${e.substr(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:et(t)},o=["sign","verify"];break;case"RS256":case"RS384":case"RS512":i={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.substr(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:et(t)},o=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":i={name:"RSA-OAEP",hash:`SHA-${parseInt(e.substr(-3),10)||1}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:et(t)},o=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":i={name:"ECDSA",namedCurve:"P-256"},o=["sign","verify"];break;case"ES384":i={name:"ECDSA",namedCurve:"P-384"},o=["sign","verify"];break;case"ES512":i={name:"ECDSA",namedCurve:"P-521"},o=["sign","verify"];break;case((D()||J())&&"EdDSA"):switch(t==null?void 0:t.crv){case void 0:case"Ed25519":i={name:"NODE-ED25519",namedCurve:"NODE-ED25519"},o=["sign","verify"];break;case(J()&&"Ed448"):i={name:"NODE-ED448",namedCurve:"NODE-ED448"},o=["sign","verify"];break;default:throw new f("Invalid or unsupported crv option provided, supported values are Ed25519 and Ed448")}break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":i={name:"ECDH",namedCurve:(r=t==null?void 0:t.crv)!==null&&r!==void 0?r:"P-256"},o=["deriveKey","deriveBits"];break;default:throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return u.subtle.generateKey(i,(n=t==null?void 0:t.extractable)!==null&&n!==void 0?n:!1,o)}async function $r(e,t){return Vt(e,t)}async function Gr(e,t){return Gt(e,t)}export{Ue as CompactEncrypt,ke as CompactSign,Or as EmbeddedJWK,Nt as EncryptJWT,z as FlattenedEncrypt,oe as FlattenedSign,jt as GeneralEncrypt,kt as GeneralSign,Mt as SignJWT,Lt as UnsecuredJWT,$t as base64url,Rr as calculateJwkThumbprint,Fe as compactDecrypt,Xe as compactVerify,Nr as createRemoteJWKSet,Lr as decodeProtectedHeader,ot as errors,ze as exportJWK,xr as exportPKCS8,vr as exportSPKI,he as flattenedDecrypt,ge as flattenedVerify,Ar as generalDecrypt,Hr as generalVerify,$r as generateKeyPair,Gr as generateSecret,F as importJWK,lr as importPKCS8,pr as importSPKI,ur as importX509,Ir as jwtDecrypt,Dr as jwtVerify};
Reference in a new issue View git blame Copy permalink