dan/jose
1
0
Fork 0
mirror of https://github.com/danbulant/jose synced 2026-05-25 04:51:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
jose/dist/browser/index.bundle.min.js
Filip Skokan f9e9c30d3c chore(release): 4.3.1
2021-11-11 22:10:41 +01:00

4 lines
60 KiB
JavaScript
Raw Permalink Blame History

var Qe=Object.defineProperty;var Gt=e=>Qe(e,"__esModule",{value:!0});var et=(e,t)=>{Gt(e);for(var r in t)Qe(e,r,{get:t[r],enumerable:!0})};var y=new TextEncoder,v=new TextDecoder,ge=2**32;function K(...e){let t=e.reduce((i,{length:o})=>i+o,0),r=new Uint8Array(t),n=0;return e.forEach(i=>{r.set(i,n),n+=i.length}),r}function tt(e,t){return K(y.encode(e),new Uint8Array([0]),t)}function Oe(e,t,r){if(t<0||t>=ge)throw new RangeError(`value must be >= 0 and <= ${ge-1}. Received ${t}`);e.set([t>>>24,t>>>16,t>>>8,t&255],r)}function Ee(e){let t=Math.floor(e/ge),r=e%ge,n=new Uint8Array(8);return Oe(n,t,0),Oe(n,r,4),n}function Se(e){let t=new Uint8Array(4);return Oe(t,e),t}function Ae(e){return K(Se(e.length),e)}async function rt(e,t,r,n){let i=Math.ceil((r>>3)/32),o;for(let a=1;a<=i;a++){let s=new Uint8Array(4+t.length+n.length);s.set(Se(a)),s.set(t,4),s.set(n,4+t.length),o?o=K(o,await e("sha256",s)):o=await e("sha256",s)}return o=o.slice(0,r>>3),o}var oe=e=>{let t=e;typeof t=="string"&&(t=y.encode(t));let r=32768,n=[];for(let i=0;i<t.length;i+=r)n.push(String.fromCharCode.apply(null,t.subarray(i,i+r)));return btoa(n.join(""))},w=e=>oe(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_"),Ue=e=>new Uint8Array(atob(e).split("").map(t=>t.charCodeAt(0))),A=e=>{let t=e;t instanceof Uint8Array&&(t=v.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ue(t)}catch(r){throw new TypeError("The input to be decoded is not correctly encoded.")}};var nt={};et(nt,{JOSEAlgNotAllowed:()=>G,JOSEError:()=>H,JOSENotSupported:()=>f,JWEDecryptionFailed:()=>M,JWEInvalid:()=>p,JWKInvalid:()=>_e,JWKSInvalid:()=>se,JWKSMultipleMatchingKeys:()=>xe,JWKSNoMatchingKey:()=>ve,JWKSTimeout:()=>He,JWSInvalid:()=>m,JWSSignatureVerificationFailed:()=>q,JWTClaimValidationFailed:()=>W,JWTExpired:()=>ae,JWTInvalid:()=>I});var H=class extends Error{constructor(t){var r;super(t);this.code="ERR_JOSE_GENERIC",this.name=this.constructor.name,(r=Error.captureStackTrace)===null||r===void 0||r.call(Error,this,this.constructor)}static get code(){return"ERR_JOSE_GENERIC"}},W=class extends H{constructor(t,r="unspecified",n="unspecified"){super(t);this.code="ERR_JWT_CLAIM_VALIDATION_FAILED",this.claim=r,this.reason=n}static get code(){return"ERR_JWT_CLAIM_VALIDATION_FAILED"}},ae=class extends H{constructor(t,r="unspecified",n="unspecified"){super(t);this.code="ERR_JWT_EXPIRED",this.claim=r,this.reason=n}static get code(){return"ERR_JWT_EXPIRED"}},G=class extends H{constructor(){super(...arguments);this.code="ERR_JOSE_ALG_NOT_ALLOWED"}static get code(){return"ERR_JOSE_ALG_NOT_ALLOWED"}},f=class extends H{constructor(){super(...arguments);this.code="ERR_JOSE_NOT_SUPPORTED"}static get code(){return"ERR_JOSE_NOT_SUPPORTED"}},M=class extends H{constructor(){super(...arguments);this.code="ERR_JWE_DECRYPTION_FAILED",this.message="decryption operation failed"}static get code(){return"ERR_JWE_DECRYPTION_FAILED"}},p=class extends H{constructor(){super(...arguments);this.code="ERR_JWE_INVALID"}static get code(){return"ERR_JWE_INVALID"}},m=class extends H{constructor(){super(...arguments);this.code="ERR_JWS_INVALID"}static get code(){return"ERR_JWS_INVALID"}},I=class extends H{constructor(){super(...arguments);this.code="ERR_JWT_INVALID"}static get code(){return"ERR_JWT_INVALID"}},_e=class extends H{constructor(){super(...arguments);this.code="ERR_JWK_INVALID"}static get code(){return"ERR_JWK_INVALID"}},se=class extends H{constructor(){super(...arguments);this.code="ERR_JWKS_INVALID"}static get code(){return"ERR_JWKS_INVALID"}},ve=class extends H{constructor(){super(...arguments);this.code="ERR_JWKS_NO_MATCHING_KEY",this.message="no applicable key found in the JSON Web Key Set"}static get code(){return"ERR_JWKS_NO_MATCHING_KEY"}},xe=class extends H{constructor(){super(...arguments);this.code="ERR_JWKS_MULTIPLE_MATCHING_KEYS",this.message="multiple matching keys found in the JSON Web Key Set"}static get code(){return"ERR_JWKS_MULTIPLE_MATCHING_KEYS"}},He=class extends H{constructor(){super(...arguments);this.code="ERR_JWKS_TIMEOUT",this.message="request timed out"}static get code(){return"ERR_JWKS_TIMEOUT"}},q=class extends H{constructor(){super(...arguments);this.code="ERR_JWS_SIGNATURE_VERIFICATION_FAILED",this.message="signature verification failed"}static get code(){return"ERR_JWS_SIGNATURE_VERIFICATION_FAILED"}};var u=crypto;function _(e){try{return e!=null&&typeof e.extractable=="boolean"&&typeof e.algorithm.name=="string"&&typeof e.type=="string"}catch(t){return!1}}var N=u.getRandomValues.bind(u);function Me(e){switch(e){case"A128GCM":case"A128GCMKW":case"A192GCM":case"A192GCMKW":case"A256GCM":case"A256GCMKW":return 96;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return 128;default:throw new f(`Unsupported JWE Algorithm: ${e}`)}}var Ke=e=>N(new Uint8Array(Me(e)>>3));var Vt=(e,t)=>{if(t.length<<3!==Me(e))throw new p("Invalid Initialization Vector length")},Ce=Vt;var Ft=(e,t)=>{if(e.length<<3!==t)throw new p("Invalid Content Encryption Key length")},Z=Ft;var zt=(e,t)=>{if(!(e instanceof Uint8Array))throw new TypeError("First argument must be a buffer");if(!(t instanceof Uint8Array))throw new TypeError("Second argument must be a buffer");if(e.length!==t.length)throw new TypeError("Input buffers must have the same length");let r=e.length,n=0,i=-1;for(;++i<r;)n|=e[i]^t[i];return n===0},it=zt;function D(){return typeof WebSocketPair=="function"}function J(){try{return process.versions.node!==void 0}catch(e){return!1}}function C(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function k(e,t){return e.name===t}function Pe(e){return parseInt(e.name.substr(4),10)}function Yt(e){switch(e){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function ot(e,t){if(t.length&&!t.some(r=>e.usages.includes(r))){let r="CryptoKey does not support this operation, its usages must include ";if(t.length>2){let n=t.pop();r+=`one of ${t.join(", ")}, or ${n}.`}else t.length===2?r+=`one of ${t[0]} or ${t[1]}.`:r+=`${t[0]}.`;throw new TypeError(r)}}function at(e,t,...r){switch(t){case"HS256":case"HS384":case"HS512":{if(!k(e.algorithm,"HMAC"))throw C("HMAC");let n=parseInt(t.substr(2),10);if(Pe(e.algorithm.hash)!==n)throw C(`SHA-${n}`,"algorithm.hash");break}case"RS256":case"RS384":case"RS512":{if(!k(e.algorithm,"RSASSA-PKCS1-v1_5"))throw C("RSASSA-PKCS1-v1_5");let n=parseInt(t.substr(2),10);if(Pe(e.algorithm.hash)!==n)throw C(`SHA-${n}`,"algorithm.hash");break}case"PS256":case"PS384":case"PS512":{if(!k(e.algorithm,"RSA-PSS"))throw C("RSA-PSS");let n=parseInt(t.substr(2),10);if(Pe(e.algorithm.hash)!==n)throw C(`SHA-${n}`,"algorithm.hash");break}case(J()&&"EdDSA"):{if(e.algorithm.name!=="NODE-ED25519"&&e.algorithm.name!=="NODE-ED448")throw C("NODE-ED25519 or NODE-ED448");break}case(D()&&"EdDSA"):{if(!k(e.algorithm,"NODE-ED25519"))throw C("NODE-ED25519");break}case"ES256":case"ES384":case"ES512":{if(!k(e.algorithm,"ECDSA"))throw C("ECDSA");let n=Yt(t);if(e.algorithm.namedCurve!==n)throw C(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ot(e,r)}function j(e,t,...r){switch(t){case"A128GCM":case"A192GCM":case"A256GCM":{if(!k(e.algorithm,"AES-GCM"))throw C("AES-GCM");let n=parseInt(t.substr(1,3),10);if(e.algorithm.length!==n)throw C(n,"algorithm.length");break}case"A128KW":case"A192KW":case"A256KW":{if(!k(e.algorithm,"AES-KW"))throw C("AES-KW");let n=parseInt(t.substr(1,3),10);if(e.algorithm.length!==n)throw C(n,"algorithm.length");break}case"ECDH-ES":if(!k(e.algorithm,"ECDH"))throw C("ECDH");break;case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":if(!k(e.algorithm,"PBKDF2"))throw C("PBKDF2");break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(!k(e.algorithm,"RSA-OAEP"))throw C("RSA-OAEP");let n=parseInt(t.substr(9),10)||1;if(Pe(e.algorithm.hash)!==n)throw C(`SHA-${n}`,"algorithm.hash");break}default:throw new TypeError("CryptoKey does not support this operation")}ot(e,r)}var E=(e,...t)=>{let r="Key must be ";if(t.length>2){let n=t.pop();r+=`one of type ${t.join(", ")}, or ${n}.`}else t.length===2?r+=`one of type ${t[0]} or ${t[1]}.`:r+=`of type ${t[0]}.`;return e==null?r+=` Received ${e}`:typeof e=="function"&&e.name?r+=` Received function ${e.name}`:typeof e=="object"&&e!=null&&e.constructor&&e.constructor.name&&(r+=` Received an instance of ${e.constructor.name}`),r};var Ne=e=>_(e),h=["CryptoKey"];async function Xt(e,t,r,n,i,o){if(!(t instanceof Uint8Array))throw new TypeError(E(t,"Uint8Array"));let a=parseInt(e.substr(1,3),10),s=await u.subtle.importKey("raw",t.subarray(a>>3),"AES-CBC",!1,["decrypt"]),c=await u.subtle.importKey("raw",t.subarray(0,a>>3),{hash:`SHA-${a<<1}`,name:"HMAC"},!1,["sign"]),d=K(o,n,r,Ee(o.length<<3)),l=new Uint8Array((await u.subtle.sign("HMAC",c,d)).slice(0,a>>3)),g;try{g=it(i,l)}catch(S){}if(!g)throw new M;let x;try{x=new Uint8Array(await u.subtle.decrypt({iv:n,name:"AES-CBC"},s,r))}catch(S){}if(!x)throw new M;return x}async function qt(e,t,r,n,i,o){let a;t instanceof Uint8Array?a=await u.subtle.importKey("raw",t,"AES-GCM",!1,["decrypt"]):(j(t,e,"decrypt"),a=t);try{return new Uint8Array(await u.subtle.decrypt({additionalData:o,iv:n,name:"AES-GCM",tagLength:128},a,K(r,i)))}catch(s){throw new M}}var Zt=async(e,t,r,n,i,o)=>{if(!_(t)&&!(t instanceof Uint8Array))throw new TypeError(E(t,...h,"Uint8Array"));switch(Ce(e,n),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return t instanceof Uint8Array&&Z(t,parseInt(e.substr(-3),10)),Xt(e,t,r,n,i,o);case"A128GCM":case"A192GCM":case"A256GCM":return t instanceof Uint8Array&&Z(t,parseInt(e.substr(1,3),10)),qt(e,t,r,n,i,o);default:throw new f("Unsupported JWE Content Encryption Algorithm")}},We=Zt;var st=async()=>{throw new f('JWE "zip" (Compression Algorithm) Header Parameter is not supported by your javascript runtime. You need to use the `inflateRaw` decrypt option to provide Inflate Raw implementation.')},ct=async()=>{throw new f('JWE "zip" (Compression Algorithm) Header Parameter is not supported by your javascript runtime. You need to use the `deflateRaw` encrypt option to provide Deflate Raw implementation.')};var Qt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return!0;let r;for(let n of t){let i=Object.keys(n);if(!r||r.size===0){r=new Set(i);continue}for(let o of i){if(r.has(o))return!1;r.add(o)}}return!0},R=Qt;function er(e){return typeof e=="object"&&e!==null}function b(e){if(!er(e)||Object.prototype.toString.call(e)!=="[object Object]")return!1;if(Object.getPrototypeOf(e)===null)return!0;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t}var tr=[{hash:"SHA-256",name:"HMAC"},!0,["sign"]],Q=tr;function dt(e,t){if(e.algorithm.length!==parseInt(t.substr(1,3),10))throw new TypeError(`Invalid key size for alg: ${t}`)}function pt(e,t,r){if(_(e))return j(e,t,r),e;if(e instanceof Uint8Array)return u.subtle.importKey("raw",e,"AES-KW",!0,[r]);throw new TypeError(E(e,...h,"Uint8Array"))}var ce=async(e,t,r)=>{let n=await pt(t,e,"wrapKey");dt(n,e);let i=await u.subtle.importKey("raw",r,...Q);return new Uint8Array(await u.subtle.wrapKey("raw",i,n,"AES-KW"))},de=async(e,t,r)=>{let n=await pt(t,e,"unwrapKey");dt(n,e);let i=await u.subtle.unwrapKey("raw",r,n,"AES-KW",...Q);return new Uint8Array(await u.subtle.exportKey("raw",i))};var rr=async(e,t)=>{let r=`SHA-${e.substr(-3)}`;return new Uint8Array(await u.subtle.digest(r,t))},Je=rr;var je=async(e,t,r,n,i=new Uint8Array(0),o=new Uint8Array(0))=>{if(!_(e))throw new TypeError(E(e,...h));if(j(e,"ECDH-ES"),!_(t))throw new TypeError(E(t,...h));j(t,"ECDH-ES","deriveBits","deriveKey");let a=K(Ae(y.encode(r)),Ae(i),Ae(o),Se(n));if(!t.usages.includes("deriveBits"))throw new TypeError('ECDH-ES private key "usages" must include "deriveBits"');let s=new Uint8Array(await u.subtle.deriveBits({name:"ECDH",public:e},t,Math.ceil(parseInt(t.algorithm.namedCurve.substr(-3),10)/8)<<3));return rt(Je,s,n,a)},ut=async e=>{if(!_(e))throw new TypeError(E(e,...h));return(await u.subtle.generateKey({name:"ECDH",namedCurve:e.algorithm.namedCurve},!0,["deriveBits"])).privateKey},De=e=>{if(!_(e))throw new TypeError(E(e,...h));return["P-256","P-384","P-521"].includes(e.algorithm.namedCurve)};function Be(e){if(!(e instanceof Uint8Array)||e.length<8)throw new p("PBES2 Salt Input must be 8 or more octets")}function nr(e,t){if(e instanceof Uint8Array)return u.subtle.importKey("raw",e,"PBKDF2",!1,["deriveBits"]);if(_(e))return j(e,t,"deriveBits","deriveKey"),e;throw new TypeError(E(e,...h,"Uint8Array"))}async function lt(e,t,r,n){Be(e);let i=tt(t,e),o=parseInt(t.substr(13,3),10),a={hash:`SHA-${t.substr(8,3)}`,iterations:r,name:"PBKDF2",salt:i},s={length:o,name:"AES-KW"},c=await nr(n,t);if(c.usages.includes("deriveBits"))return new Uint8Array(await u.subtle.deriveBits(a,c,o));if(c.usages.includes("deriveKey"))return u.subtle.deriveKey(a,c,s,!1,["wrapKey","unwrapKey"]);throw new TypeError('PBKDF2 key "usages" must include "deriveBits" or "deriveKey"')}var ft=async(e,t,r,n=Math.floor(Math.random()*2049)+2048,i=N(new Uint8Array(16)))=>{let o=await lt(i,e,n,t);return{encryptedKey:await ce(e.substr(-6),o,r),p2c:n,p2s:w(i)}},mt=async(e,t,r,n,i)=>{let o=await lt(i,e,n,t);return de(e.substr(-6),o,r)};function ee(e){switch(e){case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":return"RSA-OAEP";default:throw new f(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}var V=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};var ht=async(e,t,r)=>{if(!_(t))throw new TypeError(E(t,...h));if(j(t,e,"encrypt","wrapKey"),V(e,t),t.usages.includes("encrypt"))return new Uint8Array(await u.subtle.encrypt(ee(e),t,r));if(t.usages.includes("wrapKey")){let n=await u.subtle.importKey("raw",r,...Q);return new Uint8Array(await u.subtle.wrapKey("raw",n,t,ee(e)))}throw new TypeError('RSA-OAEP key "usages" must include "encrypt" or "wrapKey" for this operation')},yt=async(e,t,r)=>{if(!_(t))throw new TypeError(E(t,...h));if(j(t,e,"decrypt","unwrapKey"),V(e,t),t.usages.includes("decrypt"))return new Uint8Array(await u.subtle.decrypt(ee(e),t,r));if(t.usages.includes("unwrapKey")){let n=await u.subtle.unwrapKey("raw",r,t,ee(e),...Q);return new Uint8Array(await u.subtle.exportKey("raw",n))}throw new TypeError('RSA-OAEP key "usages" must include "decrypt" or "unwrapKey" for this operation')};function pe(e){switch(e){case"A128GCM":return 128;case"A192GCM":return 192;case"A256GCM":case"A128CBC-HS256":return 256;case"A192CBC-HS384":return 384;case"A256CBC-HS512":return 512;default:throw new f(`Unsupported JWE Algorithm: ${e}`)}}var O=e=>N(new Uint8Array(pe(e)>>3));var Ie=(e,t)=>{let r=(e.match(/.{1,64}/g)||[]).join(`
`);return`-----BEGIN ${t}-----
${r}
-----END ${t}-----`};var wt=async(e,t,r)=>{if(!_(r))throw new TypeError(E(r,...h));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==e)throw new TypeError(`key is not a ${e} key`);return Ie(oe(new Uint8Array(await u.subtle.exportKey(t,r))),`${e.toUpperCase()} KEY`)},bt=e=>wt("public","spki",e),gt=e=>wt("private","pkcs8",e),Et=e=>{let t=e.toString();switch(!0){case t.includes(new Uint8Array([6,7,42,134,72,206,61,2,1,6,8,42,134,72,206,61,3,1,7]).toString()):return"P-256";case t.includes(new Uint8Array([6,7,42,134,72,206,61,2,1,6,5,43,129,4,0,34]).toString()):return"P-384";case t.includes(new Uint8Array([6,7,42,134,72,206,61,2,1,6,5,43,129,4,0,35]).toString()):return"P-521";case((D()||J())&&t.includes(new Uint8Array([6,3,43,101,112]).toString())):return"Ed25519";case(J()&&t.includes(new Uint8Array([6,3,43,101,113]).toString())):return"Ed448";default:throw new f("Invalid or unsupported EC Key Curve or OKP Key Sub Type")}},St=async(e,t,r,n,i)=>{var o;let a,s,c=new Uint8Array(atob(r.replace(e,"")).split("").map(l=>l.charCodeAt(0))),d=t==="spki";switch(n){case"PS256":case"PS384":case"PS512":a={name:"RSA-PSS",hash:`SHA-${n.substr(-3)}`},s=d?["verify"]:["sign"];break;case"RS256":case"RS384":case"RS512":a={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${n.substr(-3)}`},s=d?["verify"]:["sign"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":a={name:"RSA-OAEP",hash:`SHA-${parseInt(n.substr(-3),10)||1}`},s=d?["encrypt","wrapKey"]:["decrypt","unwrapKey"];break;case"ES256":a={name:"ECDSA",namedCurve:"P-256"},s=d?["verify"]:["sign"];break;case"ES384":a={name:"ECDSA",namedCurve:"P-384"},s=d?["verify"]:["sign"];break;case"ES512":a={name:"ECDSA",namedCurve:"P-521"},s=d?["verify"]:["sign"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":a={name:"ECDH",namedCurve:Et(c)},s=d?[]:["deriveBits"];break;case((D()||J())&&"EdDSA"):let l=Et(c).toUpperCase();a={name:`NODE-${l}`,namedCurve:`NODE-${l}`},s=d?["verify"]:["sign"];break;default:throw new f('Invalid or unsupported "alg" (Algorithm) value')}return u.subtle.importKey(t,c,a,(o=i==null?void 0:i.extractable)!==null&&o!==void 0?o:!1,s)},At=(e,t,r)=>St(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g,"pkcs8",e,t,r),Le=(e,t,r)=>St(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g,"spki",e,t,r);function ir(e){let t,r;switch(e.kty){case"oct":{switch(e.alg){case"HS256":case"HS384":case"HS512":t={name:"HMAC",hash:`SHA-${e.alg.substr(-3)}`},r=["sign","verify"];break;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":throw new f(`${e.alg} keys cannot be imported as CryptoKey instances`);case"A128GCM":case"A192GCM":case"A256GCM":case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":t={name:"AES-GCM"},r=["encrypt","decrypt"];break;case"A128KW":case"A192KW":case"A256KW":t={name:"AES-KW"},r=["wrapKey","unwrapKey"];break;case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":t={name:"PBKDF2"},r=["deriveBits"];break;default:throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"RSA":{switch(e.alg){case"PS256":case"PS384":case"PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.substr(-3)}`},r=e.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.substr(-3)}`},r=e.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.substr(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"EC":{switch(e.alg){case"ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case"ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case"ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case((D()||J())&&"OKP"):if(e.alg!=="EdDSA")throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');switch(e.crv){case"Ed25519":t={name:"NODE-ED25519",namedCurve:"NODE-ED25519"},r=e.d?["sign"]:["verify"];break;case(J()&&"Ed448"):t={name:"NODE-ED448",namedCurve:"NODE-ED448"},r=e.d?["sign"]:["verify"];break;default:throw new f('Invalid or unsupported JWK "crv" (Subtype of Key Pair) Parameter value')}break;default:throw new f('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:t,keyUsages:r}}var or=async e=>{var t,r;let{algorithm:n,keyUsages:i}=ir(e),o=[n,(t=e.ext)!==null&&t!==void 0?t:!1,(r=e.key_ops)!==null&&r!==void 0?r:i];if(n.name==="PBKDF2")return u.subtle.importKey("raw",A(e.k),...o);let a={...e};return delete a.alg,u.subtle.importKey("jwk",a,...o)},$e=or;function _t(e){let t=[],r=0;for(;r<e.length;){let n=vt(e.subarray(r));t.push(n),r+=n.byteLength}return t}function vt(e){let t=0,r=e[0]&31;if(t++,r===31){for(r=0;e[t]>=128;)r=r*128+e[t]-128,t++;r=r*128+e[t]-128,t++}let n=0;if(e[t]<128)n=e[t],t++;else{let o=e[t]&127;t++,n=0;for(let a=0;a<o;a++)n=n*256+e[t],t++}if(n===128){for(n=0;e[t+n]!==0||e[t+n+1]!==0;)n++;let o=t+n+2;return{byteLength:o,contents:e.subarray(t,t+n),raw:e.subarray(0,o)}}let i=t+n;return{byteLength:i,contents:e.subarray(t,i),raw:e.subarray(0,i)}}function ar(e){let t=_t(_t(vt(e).contents)[0].contents);return oe(t[t[0].raw[0]===160?6:5].raw)}function sr(e){let t=e.replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\s)/g,""),r=Ue(t);return Ie(ar(r),"PUBLIC KEY")}async function cr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PUBLIC KEY-----")!==0)throw new TypeError('"spki" must be SPKI formatted string');return Le(e,t,r)}async function dr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN CERTIFICATE-----")!==0)throw new TypeError('"x509" must be X.509 formatted string');let n=sr(e);return Le(n,t,r)}async function pr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PCKS8 formatted string');return At(e,t,r)}async function F(e,t,r){if(!b(e))throw new TypeError("JWK must be an object");if(t||(t=e.alg),typeof t!="string"||!t)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');switch(e.kty){case"oct":if(typeof e.k!="string"||!e.k)throw new TypeError('missing "k" (Key Value) Parameter value');return r!=null||(r=e.ext!==!0),r?$e({...e,alg:t,ext:!1}):A(e.k);case"RSA":if(e.oth!==void 0)throw new f('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');case"EC":case"OKP":return $e({...e,alg:t});default:throw new f('Unsupported "kty" (Key Type) Parameter value')}}var ur=e=>{if(!(e instanceof Uint8Array)){if(!Ne(e))throw new TypeError(E(e,...h,"Uint8Array"));if(e.type!=="secret")throw new TypeError(`${h.join(" or ")} instances for symmetric algorithms must be of type "secret"`)}},lr=(e,t)=>{if(!Ne(e))throw new TypeError(E(e,...h));if(e.type==="secret")throw new TypeError(`${h.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);if(t==="sign"&&e.type==="public")throw new TypeError(`${h.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);if(t==="decrypt"&&e.type==="public")throw new TypeError(`${h.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);if(e.algorithm&&t==="verify"&&e.type==="private")throw new TypeError(`${h.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);if(e.algorithm&&t==="encrypt"&&e.type==="private")throw new TypeError(`${h.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`)},fr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A\d{3}(?:GCM)?KW$/.test(e)?ur(t):lr(t,r)},B=fr;async function mr(e,t,r,n,i){if(!(r instanceof Uint8Array))throw new TypeError(E(r,"Uint8Array"));let o=parseInt(e.substr(1,3),10),a=await u.subtle.importKey("raw",r.subarray(o>>3),"AES-CBC",!1,["encrypt"]),s=await u.subtle.importKey("raw",r.subarray(0,o>>3),{hash:`SHA-${o<<1}`,name:"HMAC"},!1,["sign"]),c=new Uint8Array(await u.subtle.encrypt({iv:n,name:"AES-CBC"},a,t)),d=K(i,n,c,Ee(i.length<<3)),l=new Uint8Array((await u.subtle.sign("HMAC",s,d)).slice(0,o>>3));return{ciphertext:c,tag:l}}async function hr(e,t,r,n,i){let o;r instanceof Uint8Array?o=await u.subtle.importKey("raw",r,"AES-GCM",!1,["encrypt"]):(j(r,e,"encrypt"),o=r);let a=new Uint8Array(await u.subtle.encrypt({additionalData:i,iv:n,name:"AES-GCM",tagLength:128},o,t)),s=a.slice(-16);return{ciphertext:a.slice(0,-16),tag:s}}var yr=async(e,t,r,n,i)=>{if(!_(r)&&!(r instanceof Uint8Array))throw new TypeError(E(r,...h,"Uint8Array"));switch(Ce(e,n),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return r instanceof Uint8Array&&Z(r,parseInt(e.substr(-3),10)),mr(e,t,r,n,i);case"A128GCM":case"A192GCM":case"A256GCM":return r instanceof Uint8Array&&Z(r,parseInt(e.substr(1,3),10)),hr(e,t,r,n,i);default:throw new f("Unsupported JWE Content Encryption Algorithm")}},ue=yr;async function xt(e,t,r,n){let i=e.substr(0,7);n||(n=Ke(i));let{ciphertext:o,tag:a}=await ue(i,r,t,n,new Uint8Array(0));return{encryptedKey:o,iv:w(n),tag:w(a)}}async function Ht(e,t,r,n,i){let o=e.substr(0,7);return We(o,t,r,n,i,new Uint8Array(0))}async function wr(e,t,r,n){switch(B(e,t,"decrypt"),e){case"dir":{if(r!==void 0)throw new p("Encountered unexpected JWE Encrypted Key");return t}case"ECDH-ES":if(r!==void 0)throw new p("Encountered unexpected JWE Encrypted Key");case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!b(n.epk))throw new p('JOSE Header "epk" (Ephemeral Public Key) missing or invalid');if(!De(t))throw new f("ECDH-ES with the provided key is not allowed or not supported by your javascript runtime");let i=await F(n.epk,e),o,a;if(n.apu!==void 0){if(typeof n.apu!="string")throw new p('JOSE Header "apu" (Agreement PartyUInfo) invalid');o=A(n.apu)}if(n.apv!==void 0){if(typeof n.apv!="string")throw new p('JOSE Header "apv" (Agreement PartyVInfo) invalid');a=A(n.apv)}let s=await je(i,t,e==="ECDH-ES"?n.enc:e,e==="ECDH-ES"?pe(n.enc):parseInt(e.substr(-5,3),10),o,a);if(e==="ECDH-ES")return s;if(r===void 0)throw new p("JWE Encrypted Key missing");return de(e.substr(-6),s,r)}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(r===void 0)throw new p("JWE Encrypted Key missing");return yt(e,t,r)}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{if(r===void 0)throw new p("JWE Encrypted Key missing");if(typeof n.p2c!="number")throw new p('JOSE Header "p2c" (PBES2 Count) missing or invalid');if(typeof n.p2s!="string")throw new p('JOSE Header "p2s" (PBES2 Salt) missing or invalid');return mt(e,t,r,n.p2c,A(n.p2s))}case"A128KW":case"A192KW":case"A256KW":{if(r===void 0)throw new p("JWE Encrypted Key missing");return de(e,t,r)}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{if(r===void 0)throw new p("JWE Encrypted Key missing");if(typeof n.iv!="string")throw new p('JOSE Header "iv" (Initialization Vector) missing or invalid');if(typeof n.tag!="string")throw new p('JOSE Header "tag" (Authentication Tag) missing or invalid');let i=A(n.iv),o=A(n.tag);return Ht(e,t,r,i,o)}default:throw new f('Invalid or unsupported "alg" (JWE Algorithm) header value')}}var Kt=wr;function br(e,t,r,n,i){if(i.crit!==void 0&&n.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(a=>typeof a!="string"||a.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let o;r!==void 0?o=new Map([...Object.entries(r),...t.entries()]):o=t;for(let a of n.crit){if(!o.has(a))throw new f(`Extension Header Parameter "${a}" is not recognized`);if(i[a]===void 0)throw new e(`Extension Header Parameter "${a}" is missing`);if(o.get(a)&&n[a]===void 0)throw new e(`Extension Header Parameter "${a}" MUST be integrity protected`)}return new Set(n.crit)}var U=br;var gr=(e,t)=>{if(t!==void 0&&(!Array.isArray(t)||t.some(r=>typeof r!="string")))throw new TypeError(`"${e}" option must be an array of strings`);if(!!t)return new Set(t)},le=gr;async function fe(e,t,r){var n;if(!b(e))throw new p("Flattened JWE must be an object");if(e.protected===void 0&&e.header===void 0&&e.unprotected===void 0)throw new p("JOSE Header missing");if(typeof e.iv!="string")throw new p("JWE Initialization Vector missing or incorrect type");if(typeof e.ciphertext!="string")throw new p("JWE Ciphertext missing or incorrect type");if(typeof e.tag!="string")throw new p("JWE Authentication Tag missing or incorrect type");if(e.protected!==void 0&&typeof e.protected!="string")throw new p("JWE Protected Header incorrect type");if(e.encrypted_key!==void 0&&typeof e.encrypted_key!="string")throw new p("JWE Encrypted Key incorrect type");if(e.aad!==void 0&&typeof e.aad!="string")throw new p("JWE AAD incorrect type");if(e.header!==void 0&&!b(e.header))throw new p("JWE Shared Unprotected Header incorrect type");if(e.unprotected!==void 0&&!b(e.unprotected))throw new p("JWE Per-Recipient Unprotected Header incorrect type");let i;if(e.protected){let be=A(e.protected);try{i=JSON.parse(v.decode(be))}catch($r){throw new p("JWE Protected Header is invalid")}}if(!R(i,e.header,e.unprotected))throw new p("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint");let o={...i,...e.header,...e.unprotected};if(U(p,new Map,r==null?void 0:r.crit,i,o),o.zip!==void 0){if(!i||!i.zip)throw new p('JWE "zip" (Compression Algorithm) Header MUST be integrity protected');if(o.zip!=="DEF")throw new f('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value')}let{alg:a,enc:s}=o;if(typeof a!="string"||!a)throw new p("missing JWE Algorithm (alg) in JWE Header");if(typeof s!="string"||!s)throw new p("missing JWE Encryption Algorithm (enc) in JWE Header");let c=r&&le("keyManagementAlgorithms",r.keyManagementAlgorithms),d=r&&le("contentEncryptionAlgorithms",r.contentEncryptionAlgorithms);if(c&&!c.has(a))throw new G('"alg" (Algorithm) Header Parameter not allowed');if(d&&!d.has(s))throw new G('"enc" (Encryption Algorithm) Header Parameter not allowed');let l;e.encrypted_key!==void 0&&(l=A(e.encrypted_key));let g=!1;typeof t=="function"&&(t=await t(i,e),g=!0);let x;try{x=await Kt(a,t,l,o)}catch(be){if(be instanceof TypeError)throw be;x=O(s)}let S=A(e.iv),P=A(e.tag),T=y.encode((n=e.protected)!==null&&n!==void 0?n:""),$;e.aad!==void 0?$=K(T,y.encode("."),y.encode(e.aad)):$=T;let we=await We(s,x,A(e.ciphertext),S,P,$);o.zip==="DEF"&&(we=await((r==null?void 0:r.inflateRaw)||st)(we));let X={plaintext:we};return e.protected!==void 0&&(X.protectedHeader=i),e.aad!==void 0&&(X.additionalAuthenticatedData=A(e.aad)),e.unprotected!==void 0&&(X.sharedUnprotectedHeader=e.unprotected),e.header!==void 0&&(X.unprotectedHeader=e.header),g?{...X,key:t}:X}async function Ge(e,t,r){if(e instanceof Uint8Array&&(e=v.decode(e)),typeof e!="string")throw new p("Compact JWE must be a string or Uint8Array");let{0:n,1:i,2:o,3:a,4:s,length:c}=e.split(".");if(c!==5)throw new p("Invalid Compact JWE");let d=await fe({ciphertext:a||void 0,iv:o||void 0,protected:n||void 0,tag:s||void 0,encrypted_key:i||void 0},t,r),l={plaintext:d.plaintext,protectedHeader:d.protectedHeader};return typeof t=="function"?{...l,key:d.key}:l}async function Er(e,t,r){if(!b(e))throw new p("General JWE must be an object");if(!Array.isArray(e.recipients)||!e.recipients.every(b))throw new p("JWE Recipients missing or incorrect type");if(!e.recipients.length)throw new p("JWE Recipients has no members");for(let n of e.recipients)try{return await fe({aad:e.aad,ciphertext:e.ciphertext,encrypted_key:n.encrypted_key,header:n.header,iv:e.iv,protected:e.protected,tag:e.tag,unprotected:e.unprotected},t,r)}catch(i){}throw new M}var Sr=async e=>{if(e instanceof Uint8Array)return{kty:"oct",k:w(e)};if(!_(e))throw new TypeError(E(e,...h,"Uint8Array"));if(!e.extractable)throw new TypeError("non-extractable CryptoKey cannot be exported as a JWK");let{ext:t,key_ops:r,alg:n,use:i,...o}=await u.subtle.exportKey("jwk",e);return o},Ct=Sr;async function Ar(e){return bt(e)}async function _r(e){return gt(e)}async function Ve(e){return Ct(e)}async function vr(e,t,r,n,i={}){let o,a,s;switch(B(e,r,"encrypt"),e){case"dir":{s=r;break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!De(r))throw new f("ECDH-ES with the provided key is not allowed or not supported by your javascript runtime");let{apu:c,apv:d}=i,{epk:l}=i;l||(l=await ut(r));let{x:g,y:x,crv:S,kty:P}=await Ve(l),T=await je(r,l,e==="ECDH-ES"?t:e,e==="ECDH-ES"?pe(t):parseInt(e.substr(-5,3),10),c,d);if(a={epk:{x:g,y:x,crv:S,kty:P}},c&&(a.apu=w(c)),d&&(a.apv=w(d)),e==="ECDH-ES"){s=T;break}s=n||O(t);let $=e.substr(-6);o=await ce($,T,s);break}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{s=n||O(t),o=await ht(e,r,s);break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{s=n||O(t);let{p2c:c,p2s:d}=i;({encryptedKey:o,...a}=await ft(e,r,s,c,d));break}case"A128KW":case"A192KW":case"A256KW":{s=n||O(t),o=await ce(e,r,s);break}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{s=n||O(t);let{iv:c}=i;({encryptedKey:o,...a}=await xt(e,r,s,c));break}default:throw new f('Invalid or unsupported "alg" (JWE Algorithm) header value')}return{cek:s,encryptedKey:o,parameters:a}}var Te=vr;var Fe=Symbol(),z=class{constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("plaintext must be an instance of Uint8Array");this._plaintext=t}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._sharedUnprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._sharedUnprotectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}async encrypt(t,r){if(!this._protectedHeader&&!this._unprotectedHeader&&!this._sharedUnprotectedHeader)throw new p("either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()");if(!R(this._protectedHeader,this._unprotectedHeader,this._sharedUnprotectedHeader))throw new p("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let n={...this._protectedHeader,...this._unprotectedHeader,...this._sharedUnprotectedHeader};if(U(p,new Map,r==null?void 0:r.crit,this._protectedHeader,n),n.zip!==void 0){if(!this._protectedHeader||!this._protectedHeader.zip)throw new p('JWE "zip" (Compression Algorithm) Header MUST be integrity protected');if(n.zip!=="DEF")throw new f('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value')}let{alg:i,enc:o}=n;if(typeof i!="string"||!i)throw new p('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(typeof o!="string"||!o)throw new p('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');let a;if(i==="dir"){if(this._cek)throw new TypeError("setContentEncryptionKey cannot be called when using Direct Encryption")}else if(i==="ECDH-ES"&&this._cek)throw new TypeError("setContentEncryptionKey cannot be called when using Direct Key Agreement");let s;{let P;({cek:s,encryptedKey:a,parameters:P}=await Te(i,o,t,this._cek,this._keyManagementParameters)),P&&(r&&Fe in r?this._unprotectedHeader?this._unprotectedHeader={...this._unprotectedHeader,...P}:this.setUnprotectedHeader(P):this._protectedHeader?this._protectedHeader={...this._protectedHeader,...P}:this.setProtectedHeader(P))}this._iv||(this._iv=Ke(o));let c,d,l;this._protectedHeader?d=y.encode(w(JSON.stringify(this._protectedHeader))):d=y.encode(""),this._aad?(l=w(this._aad),c=K(d,y.encode("."),y.encode(l))):c=d;let g,x;if(n.zip==="DEF"){let P=await((r==null?void 0:r.deflateRaw)||ct)(this._plaintext);({ciphertext:g,tag:x}=await ue(o,P,s,this._iv,c))}else({ciphertext:g,tag:x}=await ue(o,this._plaintext,s,this._iv,c));let S={ciphertext:w(g),iv:w(this._iv),tag:w(x)};return a&&(S.encrypted_key=w(a)),l&&(S.aad=l),this._protectedHeader&&(S.protected=v.decode(d)),this._sharedUnprotectedHeader&&(S.unprotected=this._sharedUnprotectedHeader),this._unprotectedHeader&&(S.header=this._unprotectedHeader),S}};var Pt=class{constructor(t,r,n){this.parent=t,this.key=r,this.options=n}setUnprotectedHeader(t){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=t,this}addRecipient(...t){return this.parent.addRecipient(...t)}encrypt(...t){return this.parent.encrypt(...t)}done(){return this.parent}},Wt=class{constructor(t){this._recipients=[],this._plaintext=t}addRecipient(t,r){let n=new Pt(this,t,{crit:r==null?void 0:r.crit});return this._recipients.push(n),n}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}async encrypt(t){var r,n,i;if(!this._recipients.length)throw new p("at least one recipient must be added");if(t={deflateRaw:t==null?void 0:t.deflateRaw},this._recipients.length===1){let[c]=this._recipients,d=await new z(this._plaintext).setAdditionalAuthenticatedData(this._aad).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(c.unprotectedHeader).encrypt(c.key,{...c.options,...t}),l={ciphertext:d.ciphertext,iv:d.iv,recipients:[{}],tag:d.tag};return d.aad&&(l.aad=d.aad),d.protected&&(l.protected=d.protected),d.unprotected&&(l.unprotected=d.unprotected),d.encrypted_key&&(l.recipients[0].encrypted_key=d.encrypted_key),d.header&&(l.recipients[0].header=d.header),l}let o;for(let c=0;c<this._recipients.length;c++){let d=this._recipients[c];if(!R(this._protectedHeader,this._unprotectedHeader,d.unprotectedHeader))throw new p("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let l={...this._protectedHeader,...this._unprotectedHeader,...d.unprotectedHeader},{alg:g}=l;if(typeof g!="string"||!g)throw new p('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(g==="dir"||g==="ECDH-ES")throw new p('"dir" and "ECDH-ES" alg may only be used with a single recipient');if(typeof l.enc!="string"||!l.enc)throw new p('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');if(!o)o=l.enc;else if(o!==l.enc)throw new p('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients');if(U(p,new Map,d.options.crit,this._protectedHeader,l),l.zip!==void 0&&(!this._protectedHeader||!this._protectedHeader.zip))throw new p('JWE "zip" (Compression Algorithm) Header MUST be integrity protected')}let a=O(o),s={ciphertext:"",iv:"",recipients:[],tag:""};for(let c=0;c<this._recipients.length;c++){let d=this._recipients[c],l={};if(s.recipients.push(l),c===0){let S=await new z(this._plaintext).setAdditionalAuthenticatedData(this._aad).setContentEncryptionKey(a).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(d.unprotectedHeader).encrypt(d.key,{...d.options,...t,[Fe]:!0});s.ciphertext=S.ciphertext,s.iv=S.iv,s.tag=S.tag,S.aad&&(s.aad=S.aad),S.protected&&(s.protected=S.protected),S.unprotected&&(s.unprotected=S.unprotected),l.encrypted_key=S.encrypted_key,S.header&&(l.header=S.header);continue}let{encryptedKey:g,parameters:x}=await Te(((r=d.unprotectedHeader)===null||r===void 0?void 0:r.alg)||((n=this._protectedHeader)===null||n===void 0?void 0:n.alg)||((i=this._unprotectedHeader)===null||i===void 0?void 0:i.alg),o,d.key,a);l.encrypted_key=w(g),(d.unprotectedHeader||x)&&(l.header={...d.unprotectedHeader,...x})}return s}};function me(e,t){let r=parseInt(e.substr(-3),10);switch(e){case"HS256":case"HS384":case"HS512":return{hash:`SHA-${r}`,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:`SHA-${r}`,name:"RSA-PSS",saltLength:r>>3};case"RS256":case"RS384":case"RS512":return{hash:`SHA-${r}`,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:`SHA-${r}`,name:"ECDSA",namedCurve:t};case((D()||J())&&"EdDSA"):return{name:t,namedCurve:t};default:throw new f(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}function he(e,t,r){if(_(t))return at(t,e,r),t;if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(E(t,...h));return u.subtle.importKey("raw",t,{hash:`SHA-${e.substr(-3)}`,name:"HMAC"},!1,[r])}throw new TypeError(E(t,...h,"Uint8Array"))}var xr=async(e,t,r,n)=>{let i=await he(e,t,"verify");V(e,i);let o=me(e,i.algorithm.namedCurve);try{return await u.subtle.verify(o,i,r,n)}catch(a){return!1}},Jt=xr;async function ye(e,t,r){var n;if(!b(e))throw new m("Flattened JWS must be an object");if(e.protected===void 0&&e.header===void 0)throw new m('Flattened JWS must have either of the "protected" or "header" members');if(e.protected!==void 0&&typeof e.protected!="string")throw new m("JWS Protected Header incorrect type");if(e.payload===void 0)throw new m("JWS Payload missing");if(typeof e.signature!="string")throw new m("JWS Signature missing or incorrect type");if(e.header!==void 0&&!b(e.header))throw new m("JWS Unprotected Header incorrect type");let i={};if(e.protected){let $=A(e.protected);try{i=JSON.parse(v.decode($))}catch(we){throw new m("JWS Protected Header is invalid")}}if(!R(i,e.header))throw new m("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let o={...i,...e.header},a=U(m,new Map([["b64",!0]]),r==null?void 0:r.crit,i,o),s=!0;if(a.has("b64")&&(s=i.b64,typeof s!="boolean"))throw new m('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:c}=o;if(typeof c!="string"||!c)throw new m('JWS "alg" (Algorithm) Header Parameter missing or invalid');let d=r&&le("algorithms",r.algorithms);if(d&&!d.has(c))throw new G('"alg" (Algorithm) Header Parameter not allowed');if(s){if(typeof e.payload!="string")throw new m("JWS Payload must be a string")}else if(typeof e.payload!="string"&&!(e.payload instanceof Uint8Array))throw new m("JWS Payload must be a string or an Uint8Array instance");let l=!1;typeof t=="function"&&(t=await t(i,e),l=!0),B(c,t,"verify");let g=K(y.encode((n=e.protected)!==null&&n!==void 0?n:""),y.encode("."),typeof e.payload=="string"?y.encode(e.payload):e.payload),x=A(e.signature);if(!await Jt(c,t,x,g))throw new q;let P;s?P=A(e.payload):typeof e.payload=="string"?P=y.encode(e.payload):P=e.payload;let T={payload:P};return e.protected!==void 0&&(T.protectedHeader=i),e.header!==void 0&&(T.unprotectedHeader=e.header),l?{...T,key:t}:T}async function ze(e,t,r){if(e instanceof Uint8Array&&(e=v.decode(e)),typeof e!="string")throw new m("Compact JWS must be a string or Uint8Array");let{0:n,1:i,2:o,length:a}=e.split(".");if(a!==3)throw new m("Invalid Compact JWS");let s=await ye({payload:i||void 0,protected:n||void 0,signature:o||void 0},t,r),c={payload:s.payload,protectedHeader:s.protectedHeader};return typeof t=="function"?{...c,key:s.key}:c}async function Hr(e,t,r){if(!b(e))throw new m("General JWS must be an object");if(!Array.isArray(e.signatures)||!e.signatures.every(b))throw new m("JWS Signatures missing or incorrect type");for(let n of e.signatures)try{return await ye({header:n.header,payload:e.payload,protected:n.protected,signature:n.signature},t,r)}catch(i){}throw new q}var te=e=>Math.floor(e.getTime()/1e3);var jt=60,Dt=jt*60,Ye=Dt*24,Kr=Ye*7,Cr=Ye*365.25,Pr=/^(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)$/i,re=e=>{let t=Pr.exec(e);if(!t)throw new TypeError("Invalid time period format");let r=parseFloat(t[1]);switch(t[2].toLowerCase()){case"sec":case"secs":case"second":case"seconds":case"s":return Math.round(r);case"minute":case"minutes":case"min":case"mins":case"m":return Math.round(r*jt);case"hour":case"hours":case"hr":case"hrs":case"h":return Math.round(r*Dt);case"day":case"days":case"d":return Math.round(r*Ye);case"week":case"weeks":case"w":return Math.round(r*Kr);default:return Math.round(r*Cr)}};var It=e=>e.toLowerCase().replace(/^application\//,""),Wr=(e,t)=>typeof e=="string"?t.includes(e):Array.isArray(e)?t.some(Set.prototype.has.bind(new Set(e))):!1,ne=(e,t,r={})=>{let{typ:n}=r;if(n&&(typeof e.typ!="string"||It(e.typ)!==It(n)))throw new W('unexpected "typ" JWT header value',"typ","check_failed");let i;try{i=JSON.parse(v.decode(t))}catch(g){}if(!b(i))throw new I("JWT Claims Set must be a top-level JSON object");let{issuer:o}=r;if(o&&!(Array.isArray(o)?o:[o]).includes(i.iss))throw new W('unexpected "iss" claim value',"iss","check_failed");let{subject:a}=r;if(a&&i.sub!==a)throw new W('unexpected "sub" claim value',"sub","check_failed");let{audience:s}=r;if(s&&!Wr(i.aud,typeof s=="string"?[s]:s))throw new W('unexpected "aud" claim value',"aud","check_failed");let c;switch(typeof r.clockTolerance){case"string":c=re(r.clockTolerance);break;case"number":c=r.clockTolerance;break;case"undefined":c=0;break;default:throw new TypeError("Invalid clockTolerance option type")}let{currentDate:d}=r,l=te(d||new Date);if(i.iat!==void 0||r.maxTokenAge){if(typeof i.iat!="number")throw new W('"iat" claim must be a number',"iat","invalid");if(i.exp===void 0&&i.iat>l+c)throw new W('"iat" claim timestamp check failed (it should be in the past)',"iat","check_failed")}if(i.nbf!==void 0){if(typeof i.nbf!="number")throw new W('"nbf" claim must be a number',"nbf","invalid");if(i.nbf>l+c)throw new W('"nbf" claim timestamp check failed',"nbf","check_failed")}if(i.exp!==void 0){if(typeof i.exp!="number")throw new W('"exp" claim must be a number',"exp","invalid");if(i.exp<=l-c)throw new ae('"exp" claim timestamp check failed',"exp","check_failed")}if(r.maxTokenAge){let g=l-i.iat,x=typeof r.maxTokenAge=="number"?r.maxTokenAge:re(r.maxTokenAge);if(g-c>x)throw new ae('"iat" claim timestamp check failed (too far in the past)',"iat","check_failed");if(g<0-c)throw new W('"iat" claim timestamp check failed (it should be in the past)',"iat","check_failed")}return i};async function Jr(e,t,r){var n;let i=await ze(e,t,r);if(((n=i.protectedHeader.crit)===null||n===void 0?void 0:n.includes("b64"))&&i.protectedHeader.b64===!1)throw new I("JWTs MUST NOT use unencoded payload");let a={payload:ne(i.protectedHeader,i.payload,r),protectedHeader:i.protectedHeader};return typeof t=="function"?{...a,key:i.key}:a}async function jr(e,t,r){let n=await Ge(e,t,r),i=ne(n.protectedHeader,n.plaintext,r),{protectedHeader:o}=n;if(o.iss!==void 0&&o.iss!==i.iss)throw new W('replicated "iss" claim header parameter mismatch',"iss","mismatch");if(o.sub!==void 0&&o.sub!==i.sub)throw new W('replicated "sub" claim header parameter mismatch',"sub","mismatch");if(o.aud!==void 0&&JSON.stringify(o.aud)!==JSON.stringify(i.aud))throw new W('replicated "aud" claim header parameter mismatch',"aud","mismatch");let a={payload:i,protectedHeader:o};return typeof t=="function"?{...a,key:n.key}:a}var ke=class{constructor(t){this._flattened=new z(t)}setContentEncryptionKey(t){return this._flattened.setContentEncryptionKey(t),this}setInitializationVector(t){return this._flattened.setInitializationVector(t),this}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}setKeyManagementParameters(t){return this._flattened.setKeyManagementParameters(t),this}async encrypt(t,r){let n=await this._flattened.encrypt(t,r);return[n.protected,n.encrypted_key,n.iv,n.ciphertext,n.tag].join(".")}};var Dr=async(e,t,r)=>{let n=await he(e,t,"sign");V(e,n);let i=await u.subtle.sign(me(e,n.algorithm.namedCurve),n,r);return new Uint8Array(i)},Tt=Dr;var ie=class{constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this._payload=t}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}async sign(t,r){if(!this._protectedHeader&&!this._unprotectedHeader)throw new m("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!R(this._protectedHeader,this._unprotectedHeader))throw new m("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...this._protectedHeader,...this._unprotectedHeader},i=U(m,new Map([["b64",!0]]),r==null?void 0:r.crit,this._protectedHeader,n),o=!0;if(i.has("b64")&&(o=this._protectedHeader.b64,typeof o!="boolean"))throw new m('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:a}=n;if(typeof a!="string"||!a)throw new m('JWS "alg" (Algorithm) Header Parameter missing or invalid');B(a,t,"sign");let s=this._payload;o&&(s=y.encode(w(s)));let c;this._protectedHeader?c=y.encode(w(JSON.stringify(this._protectedHeader))):c=y.encode("");let d=K(c,y.encode("."),s),l=await Tt(a,t,d),g={signature:w(l),payload:""};return o&&(g.payload=v.decode(s)),this._unprotectedHeader&&(g.header=this._unprotectedHeader),this._protectedHeader&&(g.protected=v.decode(c)),g}};var Re=class{constructor(t){this._flattened=new ie(t)}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}async sign(t,r){let n=await this._flattened.sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${n.protected}.${n.payload}.${n.signature}`}};var kt=class{constructor(t,r,n){this.parent=t,this.key=r,this.options=n}setProtectedHeader(t){if(this.protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this.protectedHeader=t,this}setUnprotectedHeader(t){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=t,this}addSignature(...t){return this.parent.addSignature(...t)}sign(...t){return this.parent.sign(...t)}done(){return this.parent}},Rt=class{constructor(t){this._signatures=[],this._payload=t}addSignature(t,r){let n=new kt(this,t,r);return this._signatures.push(n),n}async sign(){if(!this._signatures.length)throw new m("at least one signature must be added");let t={signatures:[],payload:""};for(let r=0;r<this._signatures.length;r++){let n=this._signatures[r],i=new ie(this._payload);i.setProtectedHeader(n.protectedHeader),i.setUnprotectedHeader(n.unprotectedHeader);let{payload:o,...a}=await i.sign(n.key,n.options);if(r===0)t.payload=o;else if(t.payload!==o)throw new m("inconsistent use of JWS Unencoded Payload Option (RFC7797)");t.signatures.push(a)}return t}};var Y=class{constructor(t){if(!b(t))throw new TypeError("JWT Claims Set MUST be an object");this._payload=t}setIssuer(t){return this._payload={...this._payload,iss:t},this}setSubject(t){return this._payload={...this._payload,sub:t},this}setAudience(t){return this._payload={...this._payload,aud:t},this}setJti(t){return this._payload={...this._payload,jti:t},this}setNotBefore(t){return typeof t=="number"?this._payload={...this._payload,nbf:t}:this._payload={...this._payload,nbf:te(new Date)+re(t)},this}setExpirationTime(t){return typeof t=="number"?this._payload={...this._payload,exp:t}:this._payload={...this._payload,exp:te(new Date)+re(t)},this}setIssuedAt(t){return typeof t=="undefined"?this._payload={...this._payload,iat:te(new Date)}:this._payload={...this._payload,iat:t},this}};var Ot=class extends Y{setProtectedHeader(t){return this._protectedHeader=t,this}async sign(t,r){var n;let i=new Re(y.encode(JSON.stringify(this._payload)));if(i.setProtectedHeader(this._protectedHeader),Array.isArray((n=this._protectedHeader)===null||n===void 0?void 0:n.crit)&&this._protectedHeader.crit.includes("b64")&&this._protectedHeader.b64===!1)throw new I("JWTs MUST NOT use unencoded payload");return i.sign(t,r)}};var Ut=class extends Y{setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}replicateIssuerAsHeader(){return this._replicateIssuerAsHeader=!0,this}replicateSubjectAsHeader(){return this._replicateSubjectAsHeader=!0,this}replicateAudienceAsHeader(){return this._replicateAudienceAsHeader=!0,this}async encrypt(t,r){let n=new ke(y.encode(JSON.stringify(this._payload)));return this._replicateIssuerAsHeader&&(this._protectedHeader={...this._protectedHeader,iss:this._payload.iss}),this._replicateSubjectAsHeader&&(this._protectedHeader={...this._protectedHeader,sub:this._payload.sub}),this._replicateAudienceAsHeader&&(this._protectedHeader={...this._protectedHeader,aud:this._payload.aud}),n.setProtectedHeader(this._protectedHeader),this._iv&&n.setInitializationVector(this._iv),this._cek&&n.setContentEncryptionKey(this._cek),this._keyManagementParameters&&n.setKeyManagementParameters(this._keyManagementParameters),n.encrypt(t,r)}};var L=(e,t)=>{if(typeof e!="string"||!e)throw new _e(`${t} missing or invalid`)};async function Ir(e,t="sha256"){if(!b(e))throw new TypeError("JWK must be an object");let r;switch(e.kty){case"EC":L(e.crv,'"crv" (Curve) Parameter'),L(e.x,'"x" (X Coordinate) Parameter'),L(e.y,'"y" (Y Coordinate) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x,y:e.y};break;case"OKP":L(e.crv,'"crv" (Subtype of Key Pair) Parameter'),L(e.x,'"x" (Public Key) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x};break;case"RSA":L(e.e,'"e" (Exponent) Parameter'),L(e.n,'"n" (Modulus) Parameter'),r={e:e.e,kty:e.kty,n:e.n};break;case"oct":L(e.k,'"k" (Key Value) Parameter'),r={k:e.k,kty:e.kty};break;default:throw new f('"kty" (Key Type) Parameter missing or unsupported')}let n=y.encode(JSON.stringify(r));return w(await Je(t,n))}async function Tr(e,t){let r={...e,...t.header};if(!b(r.jwk))throw new m('"jwk" (JSON Web Key) Header Parameter must be a JSON object');let n=await F({...r.jwk,ext:!0},r.alg,!0);if(n instanceof Uint8Array||n.type!=="public")throw new m('"jwk" (JSON Web Key) Header Parameter must be a public key');return n}var kr=async(e,t)=>{let r,n,i=!1;typeof AbortController=="function"&&(r=new AbortController,n=setTimeout(()=>{i=!0,r.abort()},t));let o=await fetch(e.href,{signal:r?r.signal:void 0,redirect:"manual",method:"GET",...D()?void 0:{referrerPolicy:"no-referrer",credentials:"omit",mode:"cors"}}).catch(a=>{throw i?new He:a});if(n!==void 0&&clearTimeout(n),o.status!==200)throw new H("Expected 200 OK from the JSON Web Key Set HTTP response");try{return await o.json()}catch(a){throw new H("Failed to parse the JSON Web Key Set HTTP response as JSON")}},Mt=kr;function Rr(e){switch(typeof e=="string"&&e.substr(0,2)){case"RS":case"PS":return"RSA";case"ES":return"EC";case"Ed":return"OKP";default:throw new f('Unsupported "alg" value for a JSON Web Key Set')}}function Or(e){return b(e)}var Xe=class{constructor(t,r){if(this._cached=new WeakMap,!(t instanceof URL))throw new TypeError("url must be an instance of URL");this._url=new URL(t.href),this._options={agent:r==null?void 0:r.agent},this._timeoutDuration=typeof(r==null?void 0:r.timeoutDuration)=="number"?r==null?void 0:r.timeoutDuration:5e3,this._cooldownDuration=typeof(r==null?void 0:r.cooldownDuration)=="number"?r==null?void 0:r.cooldownDuration:3e4}coolingDown(){return this._cooldownStarted?Date.now()<this._cooldownStarted+this._cooldownDuration:!1}async getKey(t,r){let n={...t,...r.header};this._jwks||await this.reload();let i=this._jwks.keys.filter(c=>{let d=c.kty===Rr(n.alg);if(d&&typeof n.kid=="string"&&(d=n.kid===c.kid),d&&typeof c.alg=="string"&&(d=n.alg===c.alg),d&&typeof c.use=="string"&&(d=c.use==="sig"),d&&Array.isArray(c.key_ops)&&(d=c.key_ops.includes("verify")),d&&n.alg==="EdDSA"&&(d=c.crv==="Ed25519"||c.crv==="Ed448"),d)switch(n.alg){case"ES256":d=c.crv==="P-256";break;case"ES256K":d=c.crv==="secp256k1";break;case"ES384":d=c.crv==="P-384";break;case"ES512":d=c.crv==="P-521";break;default:}return d}),{0:o,length:a}=i;if(a===0){if(this.coolingDown()===!1)return await this.reload(),this.getKey(n,r);throw new ve}else if(a!==1)throw new xe;let s=this._cached.get(o)||this._cached.set(o,{}).get(o);if(s[n.alg]===void 0){let c=await F({...o,ext:!0},n.alg);if(c instanceof Uint8Array||c.type!=="public")throw new se("JSON Web Key Set members must be public keys");s[n.alg]=c}return s[n.alg]}async reload(){this._pendingFetch||(this._pendingFetch=Mt(this._url,this._timeoutDuration,this._options).then(t=>{if(typeof t!="object"||!t||!Array.isArray(t.keys)||!t.keys.every(Or))throw new se("JSON Web Key Set malformed");this._jwks={keys:t.keys},this._cooldownStarted=Date.now(),this._pendingFetch=void 0}).catch(t=>{throw this._pendingFetch=void 0,t})),await this._pendingFetch}};function Ur(e,t){return Xe.prototype.getKey.bind(new Xe(e,t))}var Nt=class extends Y{encode(){let t=w(JSON.stringify({alg:"none"})),r=w(JSON.stringify(this._payload));return`${t}.${r}.`}static decode(t,r){if(typeof t!="string")throw new I("Unsecured JWT must be a string");let{0:n,1:i,2:o,length:a}=t.split(".");if(a!==3||o!=="")throw new I("Invalid Unsecured JWT");let s;try{if(s=JSON.parse(v.decode(A(n))),s.alg!=="none")throw new Error}catch(d){throw new I("Invalid Unsecured JWT")}return{payload:ne(s,A(i),r),header:s}}};var Bt={};et(Bt,{decode:()=>qe,encode:()=>Mr});var Mr=w,qe=A;function Nr(e){let t;if(typeof e=="string"){let r=e.split(".");(r.length===3||r.length===5)&&([t]=r)}else if(typeof e=="object"&&e)if("protected"in e)t=e.protected;else throw new TypeError("Token does not contain a Protected Header");try{if(typeof t!="string"||!t)throw new Error;let r=JSON.parse(v.decode(qe(t)));if(!b(r))throw new Error;return r}catch(r){throw new TypeError("Invalid Token or Protected Header formatting")}}async function Lt(e,t){var r;let n,i,o;switch(e){case"HS256":case"HS384":case"HS512":n=parseInt(e.substr(-3),10),i={name:"HMAC",hash:`SHA-${n}`,length:n},o=["sign","verify"];break;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return n=parseInt(e.substr(-3),10),N(new Uint8Array(n>>3));case"A128KW":case"A192KW":case"A256KW":n=parseInt(e.substring(1,4),10),i={name:"AES-KW",length:n},o=["wrapKey","unwrapKey"];break;case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":case"A128GCM":case"A192GCM":case"A256GCM":n=parseInt(e.substring(1,4),10),i={name:"AES-GCM",length:n},o=["encrypt","decrypt"];break;default:throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return u.subtle.generateKey(i,(r=t==null?void 0:t.extractable)!==null&&r!==void 0?r:!1,o)}function Ze(e){var t;let r=(t=e==null?void 0:e.modulusLength)!==null&&t!==void 0?t:2048;if(typeof r!="number"||r<2048)throw new f("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return r}async function $t(e,t){var r,n;let i,o;switch(e){case"PS256":case"PS384":case"PS512":i={name:"RSA-PSS",hash:`SHA-${e.substr(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:Ze(t)},o=["sign","verify"];break;case"RS256":case"RS384":case"RS512":i={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.substr(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:Ze(t)},o=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":i={name:"RSA-OAEP",hash:`SHA-${parseInt(e.substr(-3),10)||1}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:Ze(t)},o=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":i={name:"ECDSA",namedCurve:"P-256"},o=["sign","verify"];break;case"ES384":i={name:"ECDSA",namedCurve:"P-384"},o=["sign","verify"];break;case"ES512":i={name:"ECDSA",namedCurve:"P-521"},o=["sign","verify"];break;case((D()||J())&&"EdDSA"):switch(t==null?void 0:t.crv){case void 0:case"Ed25519":i={name:"NODE-ED25519",namedCurve:"NODE-ED25519"},o=["sign","verify"];break;case(J()&&"Ed448"):i={name:"NODE-ED448",namedCurve:"NODE-ED448"},o=["sign","verify"];break;default:throw new f("Invalid or unsupported crv option provided, supported values are Ed25519 and Ed448")}break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":i={name:"ECDH",namedCurve:(r=t==null?void 0:t.crv)!==null&&r!==void 0?r:"P-256"},o=["deriveKey","deriveBits"];break;default:throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return u.subtle.generateKey(i,(n=t==null?void 0:t.extractable)!==null&&n!==void 0?n:!1,o)}async function Br(e,t){return $t(e,t)}async function Lr(e,t){return Lt(e,t)}export{ke as CompactEncrypt,Re as CompactSign,Tr as EmbeddedJWK,Ut as EncryptJWT,z as FlattenedEncrypt,ie as FlattenedSign,Wt as GeneralEncrypt,Rt as GeneralSign,Ot as SignJWT,Nt as UnsecuredJWT,Bt as base64url,Ir as calculateJwkThumbprint,Ge as compactDecrypt,ze as compactVerify,Ur as createRemoteJWKSet,Nr as decodeProtectedHeader,nt as errors,Ve as exportJWK,_r as exportPKCS8,Ar as exportSPKI,fe as flattenedDecrypt,ye as flattenedVerify,Er as generalDecrypt,Hr as generalVerify,Br as generateKeyPair,Lr as generateSecret,F as importJWK,pr as importPKCS8,cr as importSPKI,dr as importX509,jr as jwtDecrypt,Jr as jwtVerify};
Reference in a new issue View git blame Copy permalink