Source code
Revision control
Copy as Markdown
Other Tools
// npm/esm/_dnt.shims.js
var dntGlobals = {};
var dntGlobalThis = createMergeProxy(globalThis, dntGlobals);
function createMergeProxy(baseObj, extObj) {
return new Proxy(baseObj, {
get(_target, prop, _receiver) {
if (prop in extObj) {
return extObj[prop];
} else {
return baseObj[prop];
}
},
set(_target, prop, value) {
if (prop in extObj) {
delete extObj[prop];
}
baseObj[prop] = value;
return true;
},
deleteProperty(_target, prop) {
let success = false;
if (prop in extObj) {
delete extObj[prop];
success = true;
}
if (prop in baseObj) {
delete baseObj[prop];
success = true;
}
return success;
},
ownKeys(_target) {
const baseKeys = Reflect.ownKeys(baseObj);
const extKeys = Reflect.ownKeys(extObj);
const extKeysSet = new Set(extKeys);
return [...baseKeys.filter((k) => !extKeysSet.has(k)), ...extKeys];
},
defineProperty(_target, prop, desc) {
if (prop in extObj) {
delete extObj[prop];
}
Reflect.defineProperty(baseObj, prop, desc);
return true;
},
getOwnPropertyDescriptor(_target, prop) {
if (prop in extObj) {
return Reflect.getOwnPropertyDescriptor(extObj, prop);
} else {
return Reflect.getOwnPropertyDescriptor(baseObj, prop);
}
},
has(_target, prop) {
return prop in extObj || prop in baseObj;
}
});
}
// npm/esm/core/src/errors.js
var BaseError = class extends Error {
constructor(e) {
let message;
if (e instanceof Error) {
message = e.message;
} else if (typeof e === "string") {
message = e;
} else {
message = "";
}
super(message);
this.name = this.constructor.name;
}
};
var HpkeError = class extends BaseError {
};
var InvalidParamError = class extends HpkeError {
};
var ValidationError = class extends HpkeError {
};
var SerializeError = class extends HpkeError {
};
var DeserializeError = class extends HpkeError {
};
var EncapError = class extends HpkeError {
};
var DecapError = class extends HpkeError {
};
var ExportError = class extends HpkeError {
};
var SealError = class extends HpkeError {
};
var OpenError = class extends HpkeError {
};
var MessageLimitReachedError = class extends HpkeError {
};
var DeriveKeyPairError = class extends HpkeError {
};
var NotSupportedError = class extends HpkeError {
};
// npm/esm/core/src/algorithm.js
async function loadSubtleCrypto() {
if (dntGlobalThis !== void 0 && globalThis.crypto !== void 0) {
return globalThis.crypto.subtle;
}
try {
const { webcrypto } = await import("crypto");
return webcrypto.subtle;
} catch (e) {
throw new NotSupportedError(e);
}
}
var NativeAlgorithm = class {
constructor() {
Object.defineProperty(this, "_api", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
}
async _setup() {
if (this._api !== void 0) {
return;
}
this._api = await loadSubtleCrypto();
}
};
// npm/esm/core/src/identifiers.js
var Mode = {
Base: 0,
Psk: 1,
Auth: 2,
AuthPsk: 3
};
var Kem = {
NotAssigned: 0,
DhkemP256HkdfSha256: 16,
DhkemP384HkdfSha384: 17,
DhkemP521HkdfSha512: 18,
DhkemSecp256k1HkdfSha256: 19,
DhkemX25519HkdfSha256: 32,
DhkemX448HkdfSha512: 33,
HybridkemX25519Kyber768: 48
};
var KemId = Kem;
var Kdf = {
HkdfSha256: 1,
HkdfSha384: 2,
HkdfSha512: 3
};
var KdfId = Kdf;
var Aead = {
Aes128Gcm: 1,
Aes256Gcm: 2,
Chacha20Poly1305: 3,
ExportOnly: 65535
};
var AeadId = Aead;
// npm/esm/core/src/interfaces/aeadEncryptionContext.js
var AEAD_USAGES = ["encrypt", "decrypt"];
// npm/esm/core/src/aeads/aesGcm.js
var AesGcmContext = class extends NativeAlgorithm {
constructor(key) {
super();
Object.defineProperty(this, "_rawKey", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_key", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
this._rawKey = key;
}
async seal(iv, data, aad) {
await this._setupKey();
const alg = {
name: "AES-GCM",
iv,
additionalData: aad
};
const ct = await this._api.encrypt(alg, this._key, data);
return ct;
}
async open(iv, data, aad) {
await this._setupKey();
const alg = {
name: "AES-GCM",
iv,
additionalData: aad
};
const pt = await this._api.decrypt(alg, this._key, data);
return pt;
}
async _setupKey() {
if (this._key !== void 0) {
return;
}
await this._setup();
const key = await this._importKey(this._rawKey);
new Uint8Array(this._rawKey).fill(0);
this._key = key;
return;
}
async _importKey(key) {
return await this._api.importKey("raw", key, { name: "AES-GCM" }, true, AEAD_USAGES);
}
};
var Aes128Gcm = class {
constructor() {
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: AeadId.Aes128Gcm
});
Object.defineProperty(this, "keySize", {
enumerable: true,
configurable: true,
writable: true,
value: 16
});
Object.defineProperty(this, "nonceSize", {
enumerable: true,
configurable: true,
writable: true,
value: 12
});
Object.defineProperty(this, "tagSize", {
enumerable: true,
configurable: true,
writable: true,
value: 16
});
}
createEncryptionContext(key) {
return new AesGcmContext(key);
}
};
var Aes256Gcm = class extends Aes128Gcm {
constructor() {
super(...arguments);
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: AeadId.Aes256Gcm
});
Object.defineProperty(this, "keySize", {
enumerable: true,
configurable: true,
writable: true,
value: 32
});
Object.defineProperty(this, "nonceSize", {
enumerable: true,
configurable: true,
writable: true,
value: 12
});
Object.defineProperty(this, "tagSize", {
enumerable: true,
configurable: true,
writable: true,
value: 16
});
}
};
// npm/esm/core/src/aeads/exportOnly.js
var ExportOnly = class {
constructor() {
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: AeadId.ExportOnly
});
Object.defineProperty(this, "keySize", {
enumerable: true,
configurable: true,
writable: true,
value: 0
});
Object.defineProperty(this, "nonceSize", {
enumerable: true,
configurable: true,
writable: true,
value: 0
});
Object.defineProperty(this, "tagSize", {
enumerable: true,
configurable: true,
writable: true,
value: 0
});
}
createEncryptionContext(_key) {
throw new NotSupportedError("Export only");
}
};
// npm/node_modules/@noble/ciphers/esm/_assert.js
function number(n) {
if (!Number.isSafeInteger(n) || n < 0)
throw new Error(`positive integer expected, not ${n}`);
}
function bool(b) {
if (typeof b !== "boolean")
throw new Error(`boolean expected, not ${b}`);
}
function isBytes(a) {
return a instanceof Uint8Array || a != null && typeof a === "object" && a.constructor.name === "Uint8Array";
}
function bytes(b, ...lengths) {
if (!isBytes(b))
throw new Error("Uint8Array expected");
if (lengths.length > 0 && !lengths.includes(b.length))
throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`);
}
function exists(instance, checkFinished = true) {
if (instance.destroyed)
throw new Error("Hash instance has been destroyed");
if (checkFinished && instance.finished)
throw new Error("Hash#digest() has already been called");
}
function output(out, instance) {
bytes(out);
const min = instance.outputLen;
if (out.length < min) {
throw new Error(`digestInto() expects output buffer of length at least ${min}`);
}
}
// npm/node_modules/@noble/ciphers/esm/utils.js
var u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
var createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
var isLE = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68;
if (!isLE)
throw new Error("Non little-endian hardware is not supported");
function utf8ToBytes(str) {
if (typeof str !== "string")
throw new Error(`string expected, got ${typeof str}`);
return new Uint8Array(new TextEncoder().encode(str));
}
function toBytes(data) {
if (typeof data === "string")
data = utf8ToBytes(data);
else if (isBytes(data))
data = data.slice();
else
throw new Error(`Uint8Array expected, got ${typeof data}`);
return data;
}
function checkOpts(defaults, opts) {
if (opts == null || typeof opts !== "object")
throw new Error("options must be defined");
const merged = Object.assign(defaults, opts);
return merged;
}
function equalBytes(a, b) {
if (a.length !== b.length)
return false;
let diff = 0;
for (let i = 0; i < a.length; i++)
diff |= a[i] ^ b[i];
return diff === 0;
}
var wrapCipher = /* @__NO_SIDE_EFFECTS__ */ (params, c) => {
Object.assign(c, params);
return c;
};
function setBigUint64(view, byteOffset, value, isLE3) {
if (typeof view.setBigUint64 === "function")
return view.setBigUint64(byteOffset, value, isLE3);
const _32n2 = BigInt(32);
const _u32_max = BigInt(4294967295);
const wh = Number(value >> _32n2 & _u32_max);
const wl = Number(value & _u32_max);
const h = isLE3 ? 4 : 0;
const l = isLE3 ? 0 : 4;
view.setUint32(byteOffset + h, wh, isLE3);
view.setUint32(byteOffset + l, wl, isLE3);
}
// npm/node_modules/@noble/ciphers/esm/_poly1305.js
var u8to16 = (a, i) => a[i++] & 255 | (a[i++] & 255) << 8;
var Poly1305 = class {
constructor(key) {
this.blockLen = 16;
this.outputLen = 16;
this.buffer = new Uint8Array(16);
this.r = new Uint16Array(10);
this.h = new Uint16Array(10);
this.pad = new Uint16Array(8);
this.pos = 0;
this.finished = false;
key = toBytes(key);
bytes(key, 32);
const t0 = u8to16(key, 0);
const t1 = u8to16(key, 2);
const t2 = u8to16(key, 4);
const t3 = u8to16(key, 6);
const t4 = u8to16(key, 8);
const t5 = u8to16(key, 10);
const t6 = u8to16(key, 12);
const t7 = u8to16(key, 14);
this.r[0] = t0 & 8191;
this.r[1] = (t0 >>> 13 | t1 << 3) & 8191;
this.r[2] = (t1 >>> 10 | t2 << 6) & 7939;
this.r[3] = (t2 >>> 7 | t3 << 9) & 8191;
this.r[4] = (t3 >>> 4 | t4 << 12) & 255;
this.r[5] = t4 >>> 1 & 8190;
this.r[6] = (t4 >>> 14 | t5 << 2) & 8191;
this.r[7] = (t5 >>> 11 | t6 << 5) & 8065;
this.r[8] = (t6 >>> 8 | t7 << 8) & 8191;
this.r[9] = t7 >>> 5 & 127;
for (let i = 0; i < 8; i++)
this.pad[i] = u8to16(key, 16 + 2 * i);
}
process(data, offset, isLast = false) {
const hibit = isLast ? 0 : 1 << 11;
const { h, r } = this;
const r0 = r[0];
const r1 = r[1];
const r2 = r[2];
const r3 = r[3];
const r4 = r[4];
const r5 = r[5];
const r6 = r[6];
const r7 = r[7];
const r8 = r[8];
const r9 = r[9];
const t0 = u8to16(data, offset + 0);
const t1 = u8to16(data, offset + 2);
const t2 = u8to16(data, offset + 4);
const t3 = u8to16(data, offset + 6);
const t4 = u8to16(data, offset + 8);
const t5 = u8to16(data, offset + 10);
const t6 = u8to16(data, offset + 12);
const t7 = u8to16(data, offset + 14);
let h0 = h[0] + (t0 & 8191);
let h1 = h[1] + ((t0 >>> 13 | t1 << 3) & 8191);
let h2 = h[2] + ((t1 >>> 10 | t2 << 6) & 8191);
let h3 = h[3] + ((t2 >>> 7 | t3 << 9) & 8191);
let h4 = h[4] + ((t3 >>> 4 | t4 << 12) & 8191);
let h5 = h[5] + (t4 >>> 1 & 8191);
let h6 = h[6] + ((t4 >>> 14 | t5 << 2) & 8191);
let h7 = h[7] + ((t5 >>> 11 | t6 << 5) & 8191);
let h8 = h[8] + ((t6 >>> 8 | t7 << 8) & 8191);
let h9 = h[9] + (t7 >>> 5 | hibit);
let c = 0;
let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6);
c = d0 >>> 13;
d0 &= 8191;
d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1);
c += d0 >>> 13;
d0 &= 8191;
let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7);
c = d1 >>> 13;
d1 &= 8191;
d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2);
c += d1 >>> 13;
d1 &= 8191;
let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8);
c = d2 >>> 13;
d2 &= 8191;
d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3);
c += d2 >>> 13;
d2 &= 8191;
let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9);
c = d3 >>> 13;
d3 &= 8191;
d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4);
c += d3 >>> 13;
d3 &= 8191;
let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0;
c = d4 >>> 13;
d4 &= 8191;
d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5);
c += d4 >>> 13;
d4 &= 8191;
let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1;
c = d5 >>> 13;
d5 &= 8191;
d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6);
c += d5 >>> 13;
d5 &= 8191;
let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2;
c = d6 >>> 13;
d6 &= 8191;
d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7);
c += d6 >>> 13;
d6 &= 8191;
let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3;
c = d7 >>> 13;
d7 &= 8191;
d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8);
c += d7 >>> 13;
d7 &= 8191;
let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4;
c = d8 >>> 13;
d8 &= 8191;
d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9);
c += d8 >>> 13;
d8 &= 8191;
let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5;
c = d9 >>> 13;
d9 &= 8191;
d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0;
c += d9 >>> 13;
d9 &= 8191;
c = (c << 2) + c | 0;
c = c + d0 | 0;
d0 = c & 8191;
c = c >>> 13;
d1 += c;
h[0] = d0;
h[1] = d1;
h[2] = d2;
h[3] = d3;
h[4] = d4;
h[5] = d5;
h[6] = d6;
h[7] = d7;
h[8] = d8;
h[9] = d9;
}
finalize() {
const { h, pad } = this;
const g = new Uint16Array(10);
let c = h[1] >>> 13;
h[1] &= 8191;
for (let i = 2; i < 10; i++) {
h[i] += c;
c = h[i] >>> 13;
h[i] &= 8191;
}
h[0] += c * 5;
c = h[0] >>> 13;
h[0] &= 8191;
h[1] += c;
c = h[1] >>> 13;
h[1] &= 8191;
h[2] += c;
g[0] = h[0] + 5;
c = g[0] >>> 13;
g[0] &= 8191;
for (let i = 1; i < 10; i++) {
g[i] = h[i] + c;
c = g[i] >>> 13;
g[i] &= 8191;
}
g[9] -= 1 << 13;
let mask = (c ^ 1) - 1;
for (let i = 0; i < 10; i++)
g[i] &= mask;
mask = ~mask;
for (let i = 0; i < 10; i++)
h[i] = h[i] & mask | g[i];
h[0] = (h[0] | h[1] << 13) & 65535;
h[1] = (h[1] >>> 3 | h[2] << 10) & 65535;
h[2] = (h[2] >>> 6 | h[3] << 7) & 65535;
h[3] = (h[3] >>> 9 | h[4] << 4) & 65535;
h[4] = (h[4] >>> 12 | h[5] << 1 | h[6] << 14) & 65535;
h[5] = (h[6] >>> 2 | h[7] << 11) & 65535;
h[6] = (h[7] >>> 5 | h[8] << 8) & 65535;
h[7] = (h[8] >>> 8 | h[9] << 5) & 65535;
let f = h[0] + pad[0];
h[0] = f & 65535;
for (let i = 1; i < 8; i++) {
f = (h[i] + pad[i] | 0) + (f >>> 16) | 0;
h[i] = f & 65535;
}
}
update(data) {
exists(this);
const { buffer, blockLen } = this;
data = toBytes(data);
const len = data.length;
for (let pos = 0; pos < len; ) {
const take = Math.min(blockLen - this.pos, len - pos);
if (take === blockLen) {
for (; blockLen <= len - pos; pos += blockLen)
this.process(data, pos);
continue;
}
buffer.set(data.subarray(pos, pos + take), this.pos);
this.pos += take;
pos += take;
if (this.pos === blockLen) {
this.process(buffer, 0, false);
this.pos = 0;
}
}
return this;
}
destroy() {
this.h.fill(0);
this.r.fill(0);
this.buffer.fill(0);
this.pad.fill(0);
}
digestInto(out) {
exists(this);
output(out, this);
this.finished = true;
const { buffer, h } = this;
let { pos } = this;
if (pos) {
buffer[pos++] = 1;
for (; pos < 16; pos++)
buffer[pos] = 0;
this.process(buffer, 0, true);
}
this.finalize();
let opos = 0;
for (let i = 0; i < 8; i++) {
out[opos++] = h[i] >>> 0;
out[opos++] = h[i] >>> 8;
}
return out;
}
digest() {
const { buffer, outputLen } = this;
this.digestInto(buffer);
const res = buffer.slice(0, outputLen);
this.destroy();
return res;
}
};
function wrapConstructorWithKey(hashCons) {
const hashC = (msg, key) => hashCons(key).update(toBytes(msg)).digest();
const tmp = hashCons(new Uint8Array(32));
hashC.outputLen = tmp.outputLen;
hashC.blockLen = tmp.blockLen;
hashC.create = (key) => hashCons(key);
return hashC;
}
var poly1305 = wrapConstructorWithKey((key) => new Poly1305(key));
// npm/node_modules/@noble/ciphers/esm/_arx.js
var _utf8ToBytes = (str) => Uint8Array.from(str.split("").map((c) => c.charCodeAt(0)));
var sigma16 = _utf8ToBytes("expand 16-byte k");
var sigma32 = _utf8ToBytes("expand 32-byte k");
var sigma16_32 = u32(sigma16);
var sigma32_32 = u32(sigma32);
var sigma = sigma32_32.slice();
function rotl(a, b) {
return a << b | a >>> 32 - b;
}
function isAligned32(b) {
return b.byteOffset % 4 === 0;
}
var BLOCK_LEN = 64;
var BLOCK_LEN32 = 16;
var MAX_COUNTER = 2 ** 32 - 1;
var U32_EMPTY = new Uint32Array();
function runCipher(core, sigma2, key, nonce, data, output3, counter, rounds) {
const len = data.length;
const block = new Uint8Array(BLOCK_LEN);
const b32 = u32(block);
const isAligned = isAligned32(data) && isAligned32(output3);
const d32 = isAligned ? u32(data) : U32_EMPTY;
const o32 = isAligned ? u32(output3) : U32_EMPTY;
for (let pos = 0; pos < len; counter++) {
core(sigma2, key, nonce, b32, counter, rounds);
if (counter >= MAX_COUNTER)
throw new Error("arx: counter overflow");
const take = Math.min(BLOCK_LEN, len - pos);
if (isAligned && take === BLOCK_LEN) {
const pos32 = pos / 4;
if (pos % 4 !== 0)
throw new Error("arx: invalid block position");
for (let j = 0, posj; j < BLOCK_LEN32; j++) {
posj = pos32 + j;
o32[posj] = d32[posj] ^ b32[j];
}
pos += BLOCK_LEN;
continue;
}
for (let j = 0, posj; j < take; j++) {
posj = pos + j;
output3[posj] = data[posj] ^ block[j];
}
pos += take;
}
}
function createCipher(core, opts) {
const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = checkOpts({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts);
if (typeof core !== "function")
throw new Error("core must be a function");
number(counterLength);
number(rounds);
bool(counterRight);
bool(allowShortKeys);
return (key, nonce, data, output3, counter = 0) => {
bytes(key);
bytes(nonce);
bytes(data);
const len = data.length;
if (!output3)
output3 = new Uint8Array(len);
bytes(output3);
number(counter);
if (counter < 0 || counter >= MAX_COUNTER)
throw new Error("arx: counter overflow");
if (output3.length < len)
throw new Error(`arx: output (${output3.length}) is shorter than data (${len})`);
const toClean = [];
let l = key.length, k, sigma2;
if (l === 32) {
k = key.slice();
toClean.push(k);
sigma2 = sigma32_32;
} else if (l === 16 && allowShortKeys) {
k = new Uint8Array(32);
k.set(key);
k.set(key, 16);
sigma2 = sigma16_32;
toClean.push(k);
} else {
throw new Error(`arx: invalid 32-byte key, got length=${l}`);
}
if (!isAligned32(nonce)) {
nonce = nonce.slice();
toClean.push(nonce);
}
const k32 = u32(k);
if (extendNonceFn) {
if (nonce.length !== 24)
throw new Error(`arx: extended nonce must be 24 bytes`);
extendNonceFn(sigma2, k32, u32(nonce.subarray(0, 16)), k32);
nonce = nonce.subarray(16);
}
const nonceNcLen = 16 - counterLength;
if (nonceNcLen !== nonce.length)
throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`);
if (nonceNcLen !== 12) {
const nc = new Uint8Array(12);
nc.set(nonce, counterRight ? 0 : 12 - nonce.length);
nonce = nc;
toClean.push(nonce);
}
const n32 = u32(nonce);
runCipher(core, sigma2, k32, n32, data, output3, counter, rounds);
while (toClean.length > 0)
toClean.pop().fill(0);
return output3;
};
}
// npm/node_modules/@noble/ciphers/esm/chacha.js
function chachaCore(s, k, n, out, cnt, rounds = 20) {
let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2];
let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15;
for (let r = 0; r < rounds; r += 2) {
x00 = x00 + x04 | 0;
x12 = rotl(x12 ^ x00, 16);
x08 = x08 + x12 | 0;
x04 = rotl(x04 ^ x08, 12);
x00 = x00 + x04 | 0;
x12 = rotl(x12 ^ x00, 8);
x08 = x08 + x12 | 0;
x04 = rotl(x04 ^ x08, 7);
x01 = x01 + x05 | 0;
x13 = rotl(x13 ^ x01, 16);
x09 = x09 + x13 | 0;
x05 = rotl(x05 ^ x09, 12);
x01 = x01 + x05 | 0;
x13 = rotl(x13 ^ x01, 8);
x09 = x09 + x13 | 0;
x05 = rotl(x05 ^ x09, 7);
x02 = x02 + x06 | 0;
x14 = rotl(x14 ^ x02, 16);
x10 = x10 + x14 | 0;
x06 = rotl(x06 ^ x10, 12);
x02 = x02 + x06 | 0;
x14 = rotl(x14 ^ x02, 8);
x10 = x10 + x14 | 0;
x06 = rotl(x06 ^ x10, 7);
x03 = x03 + x07 | 0;
x15 = rotl(x15 ^ x03, 16);
x11 = x11 + x15 | 0;
x07 = rotl(x07 ^ x11, 12);
x03 = x03 + x07 | 0;
x15 = rotl(x15 ^ x03, 8);
x11 = x11 + x15 | 0;
x07 = rotl(x07 ^ x11, 7);
x00 = x00 + x05 | 0;
x15 = rotl(x15 ^ x00, 16);
x10 = x10 + x15 | 0;
x05 = rotl(x05 ^ x10, 12);
x00 = x00 + x05 | 0;
x15 = rotl(x15 ^ x00, 8);
x10 = x10 + x15 | 0;
x05 = rotl(x05 ^ x10, 7);
x01 = x01 + x06 | 0;
x12 = rotl(x12 ^ x01, 16);
x11 = x11 + x12 | 0;
x06 = rotl(x06 ^ x11, 12);
x01 = x01 + x06 | 0;
x12 = rotl(x12 ^ x01, 8);
x11 = x11 + x12 | 0;
x06 = rotl(x06 ^ x11, 7);
x02 = x02 + x07 | 0;
x13 = rotl(x13 ^ x02, 16);
x08 = x08 + x13 | 0;
x07 = rotl(x07 ^ x08, 12);
x02 = x02 + x07 | 0;
x13 = rotl(x13 ^ x02, 8);
x08 = x08 + x13 | 0;
x07 = rotl(x07 ^ x08, 7);
x03 = x03 + x04 | 0;
x14 = rotl(x14 ^ x03, 16);
x09 = x09 + x14 | 0;
x04 = rotl(x04 ^ x09, 12);
x03 = x03 + x04 | 0;
x14 = rotl(x14 ^ x03, 8);
x09 = x09 + x14 | 0;
x04 = rotl(x04 ^ x09, 7);
}
let oi = 0;
out[oi++] = y00 + x00 | 0;
out[oi++] = y01 + x01 | 0;
out[oi++] = y02 + x02 | 0;
out[oi++] = y03 + x03 | 0;
out[oi++] = y04 + x04 | 0;
out[oi++] = y05 + x05 | 0;
out[oi++] = y06 + x06 | 0;
out[oi++] = y07 + x07 | 0;
out[oi++] = y08 + x08 | 0;
out[oi++] = y09 + x09 | 0;
out[oi++] = y10 + x10 | 0;
out[oi++] = y11 + x11 | 0;
out[oi++] = y12 + x12 | 0;
out[oi++] = y13 + x13 | 0;
out[oi++] = y14 + x14 | 0;
out[oi++] = y15 + x15 | 0;
}
function hchacha(s, k, i, o32) {
let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3];
for (let r = 0; r < 20; r += 2) {
x00 = x00 + x04 | 0;
x12 = rotl(x12 ^ x00, 16);
x08 = x08 + x12 | 0;
x04 = rotl(x04 ^ x08, 12);
x00 = x00 + x04 | 0;
x12 = rotl(x12 ^ x00, 8);
x08 = x08 + x12 | 0;
x04 = rotl(x04 ^ x08, 7);
x01 = x01 + x05 | 0;
x13 = rotl(x13 ^ x01, 16);
x09 = x09 + x13 | 0;
x05 = rotl(x05 ^ x09, 12);
x01 = x01 + x05 | 0;
x13 = rotl(x13 ^ x01, 8);
x09 = x09 + x13 | 0;
x05 = rotl(x05 ^ x09, 7);
x02 = x02 + x06 | 0;
x14 = rotl(x14 ^ x02, 16);
x10 = x10 + x14 | 0;
x06 = rotl(x06 ^ x10, 12);
x02 = x02 + x06 | 0;
x14 = rotl(x14 ^ x02, 8);
x10 = x10 + x14 | 0;
x06 = rotl(x06 ^ x10, 7);
x03 = x03 + x07 | 0;
x15 = rotl(x15 ^ x03, 16);
x11 = x11 + x15 | 0;
x07 = rotl(x07 ^ x11, 12);
x03 = x03 + x07 | 0;
x15 = rotl(x15 ^ x03, 8);
x11 = x11 + x15 | 0;
x07 = rotl(x07 ^ x11, 7);
x00 = x00 + x05 | 0;
x15 = rotl(x15 ^ x00, 16);
x10 = x10 + x15 | 0;
x05 = rotl(x05 ^ x10, 12);
x00 = x00 + x05 | 0;
x15 = rotl(x15 ^ x00, 8);
x10 = x10 + x15 | 0;
x05 = rotl(x05 ^ x10, 7);
x01 = x01 + x06 | 0;
x12 = rotl(x12 ^ x01, 16);
x11 = x11 + x12 | 0;
x06 = rotl(x06 ^ x11, 12);
x01 = x01 + x06 | 0;
x12 = rotl(x12 ^ x01, 8);
x11 = x11 + x12 | 0;
x06 = rotl(x06 ^ x11, 7);
x02 = x02 + x07 | 0;
x13 = rotl(x13 ^ x02, 16);
x08 = x08 + x13 | 0;
x07 = rotl(x07 ^ x08, 12);
x02 = x02 + x07 | 0;
x13 = rotl(x13 ^ x02, 8);
x08 = x08 + x13 | 0;
x07 = rotl(x07 ^ x08, 7);
x03 = x03 + x04 | 0;
x14 = rotl(x14 ^ x03, 16);
x09 = x09 + x14 | 0;
x04 = rotl(x04 ^ x09, 12);
x03 = x03 + x04 | 0;
x14 = rotl(x14 ^ x03, 8);
x09 = x09 + x14 | 0;
x04 = rotl(x04 ^ x09, 7);
}
let oi = 0;
o32[oi++] = x00;
o32[oi++] = x01;
o32[oi++] = x02;
o32[oi++] = x03;
o32[oi++] = x12;
o32[oi++] = x13;
o32[oi++] = x14;
o32[oi++] = x15;
}
var chacha20 = /* @__PURE__ */ createCipher(chachaCore, {
counterRight: false,
counterLength: 4,
allowShortKeys: false
});
var xchacha20 = /* @__PURE__ */ createCipher(chachaCore, {
counterRight: false,
counterLength: 8,
extendNonceFn: hchacha,
allowShortKeys: false
});
var ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
var updatePadded = (h, msg) => {
h.update(msg);
const left = msg.length % 16;
if (left)
h.update(ZEROS16.subarray(left));
};
var ZEROS32 = /* @__PURE__ */ new Uint8Array(32);
function computeTag(fn, key, nonce, data, AAD) {
const authKey = fn(key, nonce, ZEROS32);
const h = poly1305.create(authKey);
if (AAD)
updatePadded(h, AAD);
updatePadded(h, data);
const num = new Uint8Array(16);
const view = createView(num);
setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true);
setBigUint64(view, 8, BigInt(data.length), true);
h.update(num);
const res = h.digest();
authKey.fill(0);
return res;
}
var _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
const tagLength = 16;
bytes(key, 32);
bytes(nonce);
return {
encrypt: (plaintext, output3) => {
const plength = plaintext.length;
const clength = plength + tagLength;
if (output3) {
bytes(output3, clength);
} else {
output3 = new Uint8Array(clength);
}
xorStream(key, nonce, plaintext, output3, 1);
const tag = computeTag(xorStream, key, nonce, output3.subarray(0, -tagLength), AAD);
output3.set(tag, plength);
return output3;
},
decrypt: (ciphertext, output3) => {
const clength = ciphertext.length;
const plength = clength - tagLength;
if (clength < tagLength)
throw new Error(`encrypted data must be at least ${tagLength} bytes`);
if (output3) {
bytes(output3, plength);
} else {
output3 = new Uint8Array(plength);
}
const data = ciphertext.subarray(0, -tagLength);
const passedTag = ciphertext.subarray(-tagLength);
const tag = computeTag(xorStream, key, nonce, data, AAD);
if (!equalBytes(passedTag, tag))
throw new Error("invalid tag");
xorStream(key, nonce, data, output3, 1);
return output3;
}
};
};
var chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20));
var xchacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20));
// core/src/identifiers.ts
var Aead2 = {
Aes128Gcm: 1,
Aes256Gcm: 2,
Chacha20Poly1305: 3,
ExportOnly: 65535
};
var AeadId2 = Aead2;
// core/src/consts.ts
var EMPTY = new Uint8Array(0);
// core/src/exporterContext.ts
var LABEL_SEC = new Uint8Array([115, 101, 99]);
// core/src/cipherSuiteNative.ts
var LABEL_BASE_NONCE = new Uint8Array([
98,
97,
115,
101,
95,
110,
111,
110,
99,
101
]);
var LABEL_EXP = new Uint8Array([101, 120, 112]);
var LABEL_INFO_HASH = new Uint8Array([
105,
110,
102,
111,
95,
104,
97,
115,
104
]);
var LABEL_KEY = new Uint8Array([107, 101, 121]);
var LABEL_PSK_ID_HASH = new Uint8Array([
112,
115,
107,
95,
105,
100,
95,
104,
97,
115,
104
]);
var LABEL_SECRET = new Uint8Array([115, 101, 99, 114, 101, 116]);
var SUITE_ID_HEADER_HPKE = new Uint8Array([
72,
80,
75,
69,
0,
0,
0,
0,
0,
0
]);
// core/src/kdfs/hkdf.ts
var HPKE_VERSION = new Uint8Array([72, 80, 75, 69, 45, 118, 49]);
// core/src/interfaces/kemInterface.ts
var SUITE_ID_HEADER_KEM = new Uint8Array([75, 69, 77, 0, 0]);
// core/src/kems/dhkem.ts
var LABEL_EAE_PRK = new Uint8Array([101, 97, 101, 95, 112, 114, 107]);
var LABEL_SHARED_SECRET = new Uint8Array([
115,
104,
97,
114,
101,
100,
95,
115,
101,
99,
114,
101,
116
]);
// core/src/interfaces/dhkemPrimitives.ts
var LABEL_DKP_PRK = new Uint8Array([100, 107, 112, 95, 112, 114, 107]);
var LABEL_SK = new Uint8Array([115, 107]);
// core/src/kems/dhkemPrimitives/ec.ts
var LABEL_CANDIDATE = new Uint8Array([
99,
97,
110,
100,
105,
100,
97,
116,
101
]);
var ORDER_P_256 = new Uint8Array([
255,
255,
255,
255,
0,
0,
0,
0,
255,
255,
255,
255,
255,
255,
255,
255,
188,
230,
250,
173,
167,
23,
158,
132,
243,
185,
202,
194,
252,
99,
37,
81
]);
var ORDER_P_384 = new Uint8Array([
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
199,
99,
77,
129,
244,
55,
45,
223,
88,
26,
13,
178,
72,
176,
167,
122,
236,
236,
25,
106,
204,
197,
41,
115
]);
var ORDER_P_521 = new Uint8Array([
1,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
250,
81,
134,
135,
131,
191,
47,
150,
107,
127,
204,
1,
72,
247,
9,
165,
208,
59,
181,
201,
184,
137,
156,
71,
174,
187,
111,
183,
30,
145,
56,
100,
9
]);
var PKCS8_ALG_ID_P_256 = new Uint8Array([
48,
65,
2,
1,
0,
48,
19,
6,
7,
42,
134,
72,
206,
61,
2,
1,
6,
8,
42,
134,
72,
206,
61,
3,
1,
7,
4,
39,
48,
37,
2,
1,
1,
4,
32
]);
var PKCS8_ALG_ID_P_384 = new Uint8Array([
48,
78,
2,
1,
0,
48,
16,
6,
7,
42,
134,
72,
206,
61,
2,
1,
6,
5,
43,
129,
4,
0,
34,
4,
55,
48,
53,
2,
1,
1,
4,
48
]);
var PKCS8_ALG_ID_P_521 = new Uint8Array([
48,
96,
2,
1,
0,
48,
16,
6,
7,
42,
134,
72,
206,
61,
2,
1,
6,
5,
43,
129,
4,
0,
35,
4,
73,
48,
71,
2,
1,
1,
4,
66
]);
// npm/esm/x/chacha20poly1305/src/chacha20Poly1305.js
var Chacha20Poly1305Context = class {
constructor(key) {
Object.defineProperty(this, "_key", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
this._key = new Uint8Array(key);
}
async seal(iv, data, aad) {
return await this._seal(iv, data, aad);
}
async open(iv, data, aad) {
return await this._open(iv, data, aad);
}
_seal(iv, data, aad) {
return new Promise((resolve) => {
const ret = chacha20poly1305(this._key, new Uint8Array(iv), new Uint8Array(aad)).encrypt(new Uint8Array(data));
resolve(ret.buffer);
});
}
_open(iv, data, aad) {
return new Promise((resolve) => {
const ret = chacha20poly1305(this._key, new Uint8Array(iv), new Uint8Array(aad)).decrypt(new Uint8Array(data));
resolve(ret.buffer);
});
}
};
var Chacha20Poly1305 = class {
constructor() {
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: AeadId2.Chacha20Poly1305
});
Object.defineProperty(this, "keySize", {
enumerable: true,
configurable: true,
writable: true,
value: 32
});
Object.defineProperty(this, "nonceSize", {
enumerable: true,
configurable: true,
writable: true,
value: 12
});
Object.defineProperty(this, "tagSize", {
enumerable: true,
configurable: true,
writable: true,
value: 16
});
}
createEncryptionContext(key) {
return new Chacha20Poly1305Context(key);
}
};
// npm/node_modules/@noble/hashes/esm/_assert.js
function number2(n) {
if (!Number.isSafeInteger(n) || n < 0)
throw new Error(`positive integer expected, not ${n}`);
}
function isBytes2(a) {
return a instanceof Uint8Array || a != null && typeof a === "object" && a.constructor.name === "Uint8Array";
}
function bytes2(b, ...lengths) {
if (!isBytes2(b))
throw new Error("Uint8Array expected");
if (lengths.length > 0 && !lengths.includes(b.length))
throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`);
}
function hash(h) {
if (typeof h !== "function" || typeof h.create !== "function")
throw new Error("Hash should be wrapped by utils.wrapConstructor");
number2(h.outputLen);
number2(h.blockLen);
}
function exists2(instance, checkFinished = true) {
if (instance.destroyed)
throw new Error("Hash instance has been destroyed");
if (checkFinished && instance.finished)
throw new Error("Hash#digest() has already been called");
}
function output2(out, instance) {
bytes2(out);
const min = instance.outputLen;
if (out.length < min) {
throw new Error(`digestInto() expects output buffer of length at least ${min}`);
}
}
// npm/node_modules/@noble/hashes/esm/crypto.js
var crypto = typeof globalThis === "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
// npm/node_modules/@noble/hashes/esm/utils.js
var u322 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
var createView2 = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
var rotr = (word, shift) => word << 32 - shift | word >>> shift;
var isLE2 = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68;
var byteSwap = (word) => word << 24 & 4278190080 | word << 8 & 16711680 | word >>> 8 & 65280 | word >>> 24 & 255;
function byteSwap32(arr) {
for (let i = 0; i < arr.length; i++) {
arr[i] = byteSwap(arr[i]);
}
}
function utf8ToBytes2(str) {
if (typeof str !== "string")
throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
return new Uint8Array(new TextEncoder().encode(str));
}
function toBytes2(data) {
if (typeof data === "string")
data = utf8ToBytes2(data);
bytes2(data);
return data;
}
function concatBytes(...arrays) {
let sum = 0;
for (let i = 0; i < arrays.length; i++) {
const a = arrays[i];
bytes2(a);
sum += a.length;
}
const res = new Uint8Array(sum);
for (let i = 0, pad = 0; i < arrays.length; i++) {
const a = arrays[i];
res.set(a, pad);
pad += a.length;
}
return res;
}
var Hash = class {
// Safe version that clones internal state
clone() {
return this._cloneInto();
}
};
var toStr = {}.toString;
function wrapConstructor(hashCons) {
const hashC = (msg) => hashCons().update(toBytes2(msg)).digest();
const tmp = hashCons();
hashC.outputLen = tmp.outputLen;
hashC.blockLen = tmp.blockLen;
hashC.create = () => hashCons();
return hashC;
}
function wrapXOFConstructorWithOpts(hashCons) {
const hashC = (msg, opts) => hashCons(opts).update(toBytes2(msg)).digest();
const tmp = hashCons({});
hashC.outputLen = tmp.outputLen;
hashC.blockLen = tmp.blockLen;
hashC.create = (opts) => hashCons(opts);
return hashC;
}
function randomBytes(bytesLength = 32) {
if (crypto && typeof crypto.getRandomValues === "function") {
return crypto.getRandomValues(new Uint8Array(bytesLength));
}
throw new Error("crypto.getRandomValues must be defined");
}
// npm/node_modules/@noble/hashes/esm/hmac.js
var HMAC = class extends Hash {
constructor(hash2, _key) {
super();
this.finished = false;
this.destroyed = false;
hash(hash2);
const key = toBytes2(_key);
this.iHash = hash2.create();
if (typeof this.iHash.update !== "function")
throw new Error("Expected instance of class which extends utils.Hash");
this.blockLen = this.iHash.blockLen;
this.outputLen = this.iHash.outputLen;
const blockLen = this.blockLen;
const pad = new Uint8Array(blockLen);
pad.set(key.length > blockLen ? hash2.create().update(key).digest() : key);
for (let i = 0; i < pad.length; i++)
pad[i] ^= 54;
this.iHash.update(pad);
this.oHash = hash2.create();
for (let i = 0; i < pad.length; i++)
pad[i] ^= 54 ^ 92;
this.oHash.update(pad);
pad.fill(0);
}
update(buf) {
exists2(this);
this.iHash.update(buf);
return this;
}
digestInto(out) {
exists2(this);
bytes2(out, this.outputLen);
this.finished = true;
this.iHash.digestInto(out);
this.oHash.update(out);
this.oHash.digestInto(out);
this.destroy();
}
digest() {
const out = new Uint8Array(this.oHash.outputLen);
this.digestInto(out);
return out;
}
_cloneInto(to) {
to || (to = Object.create(Object.getPrototypeOf(this), {}));
const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
to = to;
to.finished = finished;
to.destroyed = destroyed;
to.blockLen = blockLen;
to.outputLen = outputLen;
to.oHash = oHash._cloneInto(to.oHash);
to.iHash = iHash._cloneInto(to.iHash);
return to;
}
destroy() {
this.destroyed = true;
this.oHash.destroy();
this.iHash.destroy();
}
};
var hmac = (hash2, key, message) => new HMAC(hash2, key).update(message).digest();
hmac.create = (hash2, key) => new HMAC(hash2, key);
// npm/node_modules/@noble/hashes/esm/_md.js
function setBigUint642(view, byteOffset, value, isLE3) {
if (typeof view.setBigUint64 === "function")
return view.setBigUint64(byteOffset, value, isLE3);
const _32n2 = BigInt(32);
const _u32_max = BigInt(4294967295);
const wh = Number(value >> _32n2 & _u32_max);
const wl = Number(value & _u32_max);
const h = isLE3 ? 4 : 0;
const l = isLE3 ? 0 : 4;
view.setUint32(byteOffset + h, wh, isLE3);
view.setUint32(byteOffset + l, wl, isLE3);
}
var Chi = (a, b, c) => a & b ^ ~a & c;
var Maj = (a, b, c) => a & b ^ a & c ^ b & c;
var HashMD = class extends Hash {
constructor(blockLen, outputLen, padOffset, isLE3) {
super();
this.blockLen = blockLen;
this.outputLen = outputLen;
this.padOffset = padOffset;
this.isLE = isLE3;
this.finished = false;
this.length = 0;
this.pos = 0;
this.destroyed = false;
this.buffer = new Uint8Array(blockLen);
this.view = createView2(this.buffer);
}
update(data) {
exists2(this);
const { view, buffer, blockLen } = this;
data = toBytes2(data);
const len = data.length;
for (let pos = 0; pos < len; ) {
const take = Math.min(blockLen - this.pos, len - pos);
if (take === blockLen) {
const dataView = createView2(data);
for (; blockLen <= len - pos; pos += blockLen)
this.process(dataView, pos);
continue;
}
buffer.set(data.subarray(pos, pos + take), this.pos);
this.pos += take;
pos += take;
if (this.pos === blockLen) {
this.process(view, 0);
this.pos = 0;
}
}
this.length += data.length;
this.roundClean();
return this;
}
digestInto(out) {
exists2(this);
output2(out, this);
this.finished = true;
const { buffer, view, blockLen, isLE: isLE3 } = this;
let { pos } = this;
buffer[pos++] = 128;
this.buffer.subarray(pos).fill(0);
if (this.padOffset > blockLen - pos) {
this.process(view, 0);
pos = 0;
}
for (let i = pos; i < blockLen; i++)
buffer[i] = 0;
setBigUint642(view, blockLen - 8, BigInt(this.length * 8), isLE3);
this.process(view, 0);
const oview = createView2(out);
const len = this.outputLen;
if (len % 4)
throw new Error("_sha2: outputLen should be aligned to 32bit");
const outLen = len / 4;
const state = this.get();
if (outLen > state.length)
throw new Error("_sha2: outputLen bigger than state");
for (let i = 0; i < outLen; i++)
oview.setUint32(4 * i, state[i], isLE3);
}
digest() {
const { buffer, outputLen } = this;
this.digestInto(buffer);
const res = buffer.slice(0, outputLen);
this.destroy();
return res;
}
_cloneInto(to) {
to || (to = new this.constructor());
to.set(...this.get());
const { blockLen, buffer, length, finished, destroyed, pos } = this;
to.length = length;
to.pos = pos;
to.finished = finished;
to.destroyed = destroyed;
if (length % blockLen)
to.buffer.set(buffer);
return to;
}
};
// npm/node_modules/@noble/hashes/esm/sha256.js
var SHA256_K = /* @__PURE__ */ new Uint32Array([
1116352408,
1899447441,
3049323471,
3921009573,
961987163,
1508970993,
2453635748,
2870763221,
3624381080,
310598401,
607225278,
1426881987,
1925078388,
2162078206,
2614888103,
3248222580,
3835390401,
4022224774,
264347078,
604807628,
770255983,
1249150122,
1555081692,
1996064986,
2554220882,
2821834349,
2952996808,
3210313671,
3336571891,
3584528711,
113926993,
338241895,
666307205,
773529912,
1294757372,
1396182291,
1695183700,
1986661051,
2177026350,
2456956037,
2730485921,
2820302411,
3259730800,
3345764771,
3516065817,
3600352804,
4094571909,
275423344,
430227734,
506948616,
659060556,
883997877,
958139571,
1322822218,
1537002063,
1747873779,
1955562222,
2024104815,
2227730452,
2361852424,
2428436474,
2756734187,
3204031479,
3329325298
]);
var SHA256_IV = /* @__PURE__ */ new Uint32Array([
1779033703,
3144134277,
1013904242,
2773480762,
1359893119,
2600822924,
528734635,
1541459225
]);
var SHA256_W = /* @__PURE__ */ new Uint32Array(64);
var SHA256 = class extends HashMD {
constructor() {
super(64, 32, 8, false);
this.A = SHA256_IV[0] | 0;
this.B = SHA256_IV[1] | 0;
this.C = SHA256_IV[2] | 0;
this.D = SHA256_IV[3] | 0;
this.E = SHA256_IV[4] | 0;
this.F = SHA256_IV[5] | 0;
this.G = SHA256_IV[6] | 0;
this.H = SHA256_IV[7] | 0;
}
get() {
const { A, B, C, D, E, F, G, H } = this;
return [A, B, C, D, E, F, G, H];
}
// prettier-ignore
set(A, B, C, D, E, F, G, H) {
this.A = A | 0;
this.B = B | 0;
this.C = C | 0;
this.D = D | 0;
this.E = E | 0;
this.F = F | 0;
this.G = G | 0;
this.H = H | 0;
}
process(view, offset) {
for (let i = 0; i < 16; i++, offset += 4)
SHA256_W[i] = view.getUint32(offset, false);
for (let i = 16; i < 64; i++) {
const W15 = SHA256_W[i - 15];
const W2 = SHA256_W[i - 2];
const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ W15 >>> 3;
const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ W2 >>> 10;
SHA256_W[i] = s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16] | 0;
}
let { A, B, C, D, E, F, G, H } = this;
for (let i = 0; i < 64; i++) {
const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
const T1 = H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i] | 0;
const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);
const T2 = sigma0 + Maj(A, B, C) | 0;
H = G;
G = F;
F = E;
E = D + T1 | 0;
D = C;
C = B;
B = A;
A = T1 + T2 | 0;
}
A = A + this.A | 0;
B = B + this.B | 0;
C = C + this.C | 0;
D = D + this.D | 0;
E = E + this.E | 0;
F = F + this.F | 0;
G = G + this.G | 0;
H = H + this.H | 0;
this.set(A, B, C, D, E, F, G, H);
}
roundClean() {
SHA256_W.fill(0);
}
destroy() {
this.set(0, 0, 0, 0, 0, 0, 0, 0);
this.buffer.fill(0);
}
};
var sha256 = /* @__PURE__ */ wrapConstructor(() => new SHA256());
// npm/esm/core/src/consts.js
var INPUT_LENGTH_LIMIT2 = 8192;
var MINIMUM_PSK_LENGTH2 = 32;
var EMPTY2 = new Uint8Array(0);
// npm/esm/core/src/kdfs/hkdf.js
var HPKE_VERSION2 = new Uint8Array([72, 80, 75, 69, 45, 118, 49]);
var HkdfNative = class extends NativeAlgorithm {
constructor() {
super();
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: KdfId.HkdfSha256
});
Object.defineProperty(this, "hashSize", {
enumerable: true,
configurable: true,
writable: true,
value: 0
});
Object.defineProperty(this, "_suiteId", {
enumerable: true,
configurable: true,
writable: true,
value: EMPTY2
});
Object.defineProperty(this, "algHash", {
enumerable: true,
configurable: true,
writable: true,
value: {
name: "HMAC",
hash: "SHA-256",
length: 256
}
});
}
init(suiteId) {
this._suiteId = suiteId;
}
buildLabeledIkm(label, ikm) {
this._checkInit();
const ret = new Uint8Array(7 + this._suiteId.byteLength + label.byteLength + ikm.byteLength);
ret.set(HPKE_VERSION2, 0);
ret.set(this._suiteId, 7);
ret.set(label, 7 + this._suiteId.byteLength);
ret.set(ikm, 7 + this._suiteId.byteLength + label.byteLength);
return ret;
}
buildLabeledInfo(label, info, len) {
this._checkInit();
const ret = new Uint8Array(9 + this._suiteId.byteLength + label.byteLength + info.byteLength);
ret.set(new Uint8Array([0, len]), 0);
ret.set(HPKE_VERSION2, 2);
ret.set(this._suiteId, 9);
ret.set(label, 9 + this._suiteId.byteLength);
ret.set(info, 9 + this._suiteId.byteLength + label.byteLength);
return ret;
}
async extract(salt, ikm) {
await this._setup();
if (salt.byteLength === 0) {
salt = new ArrayBuffer(this.hashSize);
}
if (salt.byteLength !== this.hashSize) {
throw new InvalidParamError("The salt length must be the same as the hashSize");
}
const key = await this._api.importKey("raw", salt, this.algHash, false, [
"sign"
]);
return await this._api.sign("HMAC", key, ikm);
}
async expand(prk, info, len) {
await this._setup();
const key = await this._api.importKey("raw", prk, this.algHash, false, [
"sign"
]);
const okm = new ArrayBuffer(len);
const p = new Uint8Array(okm);
let prev = EMPTY2;
const mid = new Uint8Array(info);
const tail = new Uint8Array(1);
if (len > 255 * this.hashSize) {
throw new Error("Entropy limit reached");
}
const tmp = new Uint8Array(this.hashSize + mid.length + 1);
for (let i = 1, cur = 0; cur < p.length; i++) {
tail[0] = i;
tmp.set(prev, 0);
tmp.set(mid, prev.length);
tmp.set(tail, prev.length + mid.length);
prev = new Uint8Array(await this._api.sign("HMAC", key, tmp.slice(0, prev.length + mid.length + 1)));
if (p.length - cur >= prev.length) {
p.set(prev, cur);
cur += prev.length;
} else {
p.set(prev.slice(0, p.length - cur), cur);
cur += p.length - cur;
}
}
return okm;
}
async extractAndExpand(salt, ikm, info, len) {
await this._setup();
const baseKey = await this._api.importKey("raw", ikm, "HKDF", false, ["deriveBits"]);
return await this._api.deriveBits({
name: "HKDF",
hash: this.algHash.hash,
salt,
info
}, baseKey, len * 8);
}
async labeledExtract(salt, label, ikm) {
return await this.extract(salt, this.buildLabeledIkm(label, ikm));
}
async labeledExpand(prk, label, info, len) {
return await this.expand(prk, this.buildLabeledInfo(label, info, len), len);
}
_checkInit() {
if (this._suiteId === EMPTY2) {
throw new Error("Not initialized. Call init()");
}
}
};
var HkdfSha256Native2 = class extends HkdfNative {
constructor() {
super(...arguments);
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: KdfId.HkdfSha256
});
Object.defineProperty(this, "hashSize", {
enumerable: true,
configurable: true,
writable: true,
value: 32
});
Object.defineProperty(this, "algHash", {
enumerable: true,
configurable: true,
writable: true,
value: {
name: "HMAC",
hash: "SHA-256",
length: 256
}
});
}
};
var HkdfSha384Native2 = class extends HkdfNative {
constructor() {
super(...arguments);
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: KdfId.HkdfSha384
});
Object.defineProperty(this, "hashSize", {
enumerable: true,
configurable: true,
writable: true,
value: 48
});
Object.defineProperty(this, "algHash", {
enumerable: true,
configurable: true,
writable: true,
value: {
name: "HMAC",
hash: "SHA-384",
length: 384
}
});
}
};
var HkdfSha512Native2 = class extends HkdfNative {
constructor() {
super(...arguments);
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: KdfId.HkdfSha512
});
Object.defineProperty(this, "hashSize", {
enumerable: true,
configurable: true,
writable: true,
value: 64
});
Object.defineProperty(this, "algHash", {
enumerable: true,
configurable: true,
writable: true,
value: {
name: "HMAC",
hash: "SHA-512",
length: 512
}
});
}
};
// npm/esm/src/kdfs/hkdfSha256.js
var HkdfSha2562 = class extends HkdfSha256Native2 {
async extract(salt, ikm) {
await this._setup();
if (salt.byteLength === 0) {
salt = new ArrayBuffer(this.hashSize);
}
if (salt.byteLength !== this.hashSize) {
return hmac(sha256, new Uint8Array(salt), new Uint8Array(ikm));
}
const key = await this._api.importKey("raw", salt, this.algHash, false, [
"sign"
]);
return await this._api.sign("HMAC", key, ikm);
}
};
// npm/node_modules/@noble/hashes/esm/_u64.js
var U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
var _32n = /* @__PURE__ */ BigInt(32);
function fromBig(n, le = false) {
if (le)
return { h: Number(n & U32_MASK64), l: Number(n >> _32n & U32_MASK64) };
return { h: Number(n >> _32n & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
}
function split(lst, le = false) {
let Ah = new Uint32Array(lst.length);
let Al = new Uint32Array(lst.length);
for (let i = 0; i < lst.length; i++) {
const { h, l } = fromBig(lst[i], le);
[Ah[i], Al[i]] = [h, l];
}
return [Ah, Al];
}
var toBig = (h, l) => BigInt(h >>> 0) << _32n | BigInt(l >>> 0);
var shrSH = (h, _l, s) => h >>> s;
var shrSL = (h, l, s) => h << 32 - s | l >>> s;
var rotrSH = (h, l, s) => h >>> s | l << 32 - s;
var rotrSL = (h, l, s) => h << 32 - s | l >>> s;
var rotrBH = (h, l, s) => h << 64 - s | l >>> s - 32;
var rotrBL = (h, l, s) => h >>> s - 32 | l << 64 - s;
var rotr32H = (_h, l) => l;
var rotr32L = (h, _l) => h;
var rotlSH = (h, l, s) => h << s | l >>> 32 - s;
var rotlSL = (h, l, s) => l << s | h >>> 32 - s;
var rotlBH = (h, l, s) => l << s - 32 | h >>> 64 - s;
var rotlBL = (h, l, s) => h << s - 32 | l >>> 64 - s;
function add(Ah, Al, Bh, Bl) {
const l = (Al >>> 0) + (Bl >>> 0);
return { h: Ah + Bh + (l / 2 ** 32 | 0) | 0, l: l | 0 };
}
var add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
var add3H = (low, Ah, Bh, Ch) => Ah + Bh + Ch + (low / 2 ** 32 | 0) | 0;
var add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
var add4H = (low, Ah, Bh, Ch, Dh) => Ah + Bh + Ch + Dh + (low / 2 ** 32 | 0) | 0;
var add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
var add5H = (low, Ah, Bh, Ch, Dh, Eh) => Ah + Bh + Ch + Dh + Eh + (low / 2 ** 32 | 0) | 0;
var u64 = {
fromBig,
split,
toBig,
shrSH,
shrSL,
rotrSH,
rotrSL,
rotrBH,
rotrBL,
rotr32H,
rotr32L,
rotlSH,
rotlSL,
rotlBH,
rotlBL,
add,
add3L,
add3H,
add4L,
add4H,
add5H,
add5L
};
var u64_default = u64;
// npm/node_modules/@noble/hashes/esm/sha512.js
var [SHA512_Kh, SHA512_Kl] = /* @__PURE__ */ (() => u64_default.split([
"0x428a2f98d728ae22",
"0x7137449123ef65cd",
"0xb5c0fbcfec4d3b2f",
"0xe9b5dba58189dbbc",
"0x3956c25bf348b538",
"0x59f111f1b605d019",
"0x923f82a4af194f9b",
"0xab1c5ed5da6d8118",
"0xd807aa98a3030242",
"0x12835b0145706fbe",
"0x243185be4ee4b28c",
"0x550c7dc3d5ffb4e2",
"0x72be5d74f27b896f",
"0x80deb1fe3b1696b1",
"0x9bdc06a725c71235",
"0xc19bf174cf692694",
"0xe49b69c19ef14ad2",
"0xefbe4786384f25e3",
"0x0fc19dc68b8cd5b5",
"0x240ca1cc77ac9c65",
"0x2de92c6f592b0275",
"0x4a7484aa6ea6e483",
"0x5cb0a9dcbd41fbd4",
"0x76f988da831153b5",
"0x983e5152ee66dfab",
"0xa831c66d2db43210",
"0xb00327c898fb213f",
"0xbf597fc7beef0ee4",
"0xc6e00bf33da88fc2",
"0xd5a79147930aa725",
"0x06ca6351e003826f",
"0x142929670a0e6e70",
"0x27b70a8546d22ffc",
"0x2e1b21385c26c926",
"0x4d2c6dfc5ac42aed",
"0x53380d139d95b3df",
"0x650a73548baf63de",
"0x766a0abb3c77b2a8",
"0x81c2c92e47edaee6",
"0x92722c851482353b",
"0xa2bfe8a14cf10364",
"0xa81a664bbc423001",
"0xc24b8b70d0f89791",
"0xc76c51a30654be30",
"0xd192e819d6ef5218",
"0xd69906245565a910",
"0xf40e35855771202a",
"0x106aa07032bbd1b8",
"0x19a4c116b8d2d0c8",
"0x1e376c085141ab53",
"0x2748774cdf8eeb99",
"0x34b0bcb5e19b48a8",
"0x391c0cb3c5c95a63",
"0x4ed8aa4ae3418acb",
"0x5b9cca4f7763e373",
"0x682e6ff3d6b2b8a3",
"0x748f82ee5defb2fc",
"0x78a5636f43172f60",
"0x84c87814a1f0ab72",
"0x8cc702081a6439ec",
"0x90befffa23631e28",
"0xa4506cebde82bde9",
"0xbef9a3f7b2c67915",
"0xc67178f2e372532b",
"0xca273eceea26619c",
"0xd186b8c721c0c207",
"0xeada7dd6cde0eb1e",
"0xf57d4f7fee6ed178",
"0x06f067aa72176fba",
"0x0a637dc5a2c898a6",
"0x113f9804bef90dae",
"0x1b710b35131c471b",
"0x28db77f523047d84",
"0x32caab7b40c72493",
"0x3c9ebe0a15c9bebc",
"0x431d67c49c100d4c",
"0x4cc5d4becb3e42b6",
"0x597f299cfc657e2a",
"0x5fcb6fab3ad6faec",
"0x6c44198c4a475817"
].map((n) => BigInt(n))))();
var SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);
var SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);
var SHA512 = class extends HashMD {
constructor() {
super(128, 64, 16, false);
this.Ah = 1779033703 | 0;
this.Al = 4089235720 | 0;
this.Bh = 3144134277 | 0;
this.Bl = 2227873595 | 0;
this.Ch = 1013904242 | 0;
this.Cl = 4271175723 | 0;
this.Dh = 2773480762 | 0;
this.Dl = 1595750129 | 0;
this.Eh = 1359893119 | 0;
this.El = 2917565137 | 0;
this.Fh = 2600822924 | 0;
this.Fl = 725511199 | 0;
this.Gh = 528734635 | 0;
this.Gl = 4215389547 | 0;
this.Hh = 1541459225 | 0;
this.Hl = 327033209 | 0;
}
// prettier-ignore
get() {
const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl];
}
// prettier-ignore
set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {
this.Ah = Ah | 0;
this.Al = Al | 0;
this.Bh = Bh | 0;
this.Bl = Bl | 0;
this.Ch = Ch | 0;
this.Cl = Cl | 0;
this.Dh = Dh | 0;
this.Dl = Dl | 0;
this.Eh = Eh | 0;
this.El = El | 0;
this.Fh = Fh | 0;
this.Fl = Fl | 0;
this.Gh = Gh | 0;
this.Gl = Gl | 0;
this.Hh = Hh | 0;
this.Hl = Hl | 0;
}
process(view, offset) {
for (let i = 0; i < 16; i++, offset += 4) {
SHA512_W_H[i] = view.getUint32(offset);
SHA512_W_L[i] = view.getUint32(offset += 4);
}
for (let i = 16; i < 80; i++) {
const W15h = SHA512_W_H[i - 15] | 0;
const W15l = SHA512_W_L[i - 15] | 0;
const s0h = u64_default.rotrSH(W15h, W15l, 1) ^ u64_default.rotrSH(W15h, W15l, 8) ^ u64_default.shrSH(W15h, W15l, 7);
const s0l = u64_default.rotrSL(W15h, W15l, 1) ^ u64_default.rotrSL(W15h, W15l, 8) ^ u64_default.shrSL(W15h, W15l, 7);
const W2h = SHA512_W_H[i - 2] | 0;
const W2l = SHA512_W_L[i - 2] | 0;
const s1h = u64_default.rotrSH(W2h, W2l, 19) ^ u64_default.rotrBH(W2h, W2l, 61) ^ u64_default.shrSH(W2h, W2l, 6);
const s1l = u64_default.rotrSL(W2h, W2l, 19) ^ u64_default.rotrBL(W2h, W2l, 61) ^ u64_default.shrSL(W2h, W2l, 6);
const SUMl = u64_default.add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]);
const SUMh = u64_default.add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]);
SHA512_W_H[i] = SUMh | 0;
SHA512_W_L[i] = SUMl | 0;
}
let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
for (let i = 0; i < 80; i++) {
const sigma1h = u64_default.rotrSH(Eh, El, 14) ^ u64_default.rotrSH(Eh, El, 18) ^ u64_default.rotrBH(Eh, El, 41);
const sigma1l = u64_default.rotrSL(Eh, El, 14) ^ u64_default.rotrSL(Eh, El, 18) ^ u64_default.rotrBL(Eh, El, 41);
const CHIh = Eh & Fh ^ ~Eh & Gh;
const CHIl = El & Fl ^ ~El & Gl;
const T1ll = u64_default.add5L(Hl, sigma1l, CHIl, SHA512_Kl[i], SHA512_W_L[i]);
const T1h = u64_default.add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i], SHA512_W_H[i]);
const T1l = T1ll | 0;
const sigma0h = u64_default.rotrSH(Ah, Al, 28) ^ u64_default.rotrBH(Ah, Al, 34) ^ u64_default.rotrBH(Ah, Al, 39);
const sigma0l = u64_default.rotrSL(Ah, Al, 28) ^ u64_default.rotrBL(Ah, Al, 34) ^ u64_default.rotrBL(Ah, Al, 39);
const MAJh = Ah & Bh ^ Ah & Ch ^ Bh & Ch;
const MAJl = Al & Bl ^ Al & Cl ^ Bl & Cl;
Hh = Gh | 0;
Hl = Gl | 0;
Gh = Fh | 0;
Gl = Fl | 0;
Fh = Eh | 0;
Fl = El | 0;
({ h: Eh, l: El } = u64_default.add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));
Dh = Ch | 0;
Dl = Cl | 0;
Ch = Bh | 0;
Cl = Bl | 0;
Bh = Ah | 0;
Bl = Al | 0;
const All = u64_default.add3L(T1l, sigma0l, MAJl);
Ah = u64_default.add3H(All, T1h, sigma0h, MAJh);
Al = All | 0;
}
({ h: Ah, l: Al } = u64_default.add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0));
({ h: Bh, l: Bl } = u64_default.add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0));
({ h: Ch, l: Cl } = u64_default.add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0));
({ h: Dh, l: Dl } = u64_default.add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0));
({ h: Eh, l: El } = u64_default.add(this.Eh | 0, this.El | 0, Eh | 0, El | 0));
({ h: Fh, l: Fl } = u64_default.add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0));
({ h: Gh, l: Gl } = u64_default.add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0));
({ h: Hh, l: Hl } = u64_default.add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0));
this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);
}
roundClean() {
SHA512_W_H.fill(0);
SHA512_W_L.fill(0);
}
destroy() {
this.buffer.fill(0);
this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
}
};
var SHA384 = class extends SHA512 {
constructor() {
super();
this.Ah = 3418070365 | 0;
this.Al = 3238371032 | 0;
this.Bh = 1654270250 | 0;
this.Bl = 914150663 | 0;
this.Ch = 2438529370 | 0;
this.Cl = 812702999 | 0;
this.Dh = 355462360 | 0;
this.Dl = 4144912697 | 0;
this.Eh = 1731405415 | 0;
this.El = 4290775857 | 0;
this.Fh = 2394180231 | 0;
this.Fl = 1750603025 | 0;
this.Gh = 3675008525 | 0;
this.Gl = 1694076839 | 0;
this.Hh = 1203062813 | 0;
this.Hl = 3204075428 | 0;
this.outputLen = 48;
}
};
var sha512 = /* @__PURE__ */ wrapConstructor(() => new SHA512());
var sha384 = /* @__PURE__ */ wrapConstructor(() => new SHA384());
// npm/esm/src/kdfs/hkdfSha384.js
var HkdfSha3842 = class extends HkdfSha384Native2 {
async extract(salt, ikm) {
await this._setup();
if (salt.byteLength === 0) {
salt = new ArrayBuffer(this.hashSize);
}
if (salt.byteLength !== this.hashSize) {
return hmac(sha384, new Uint8Array(salt), new Uint8Array(ikm));
}
const key = await this._api.importKey("raw", salt, this.algHash, false, [
"sign"
]);
return await this._api.sign("HMAC", key, ikm);
}
};
// npm/esm/src/kdfs/hkdfSha512.js
var HkdfSha5122 = class extends HkdfSha512Native2 {
async extract(salt, ikm) {
await this._setup();
if (salt.byteLength === 0) {
salt = new ArrayBuffer(this.hashSize);
}
if (salt.byteLength !== this.hashSize) {
return hmac(sha512, new Uint8Array(salt), new Uint8Array(ikm));
}
const key = await this._api.importKey("raw", salt, this.algHash, false, [
"sign"
]);
return await this._api.sign("HMAC", key, ikm);
}
};
// npm/esm/core/src/interfaces/kemInterface.js
var SUITE_ID_HEADER_KEM2 = new Uint8Array([75, 69, 77, 0, 0]);
// npm/esm/core/src/utils/misc.js
var isCryptoKeyPair2 = (x) => typeof x === "object" && x !== null && typeof x.privateKey === "object" && typeof x.publicKey === "object";
function i2Osp2(n, w) {
if (w <= 0) {
throw new Error("i2Osp: too small size");
}
if (n >= 256 ** w) {
throw new Error("i2Osp: too large integer");
}
const ret = new Uint8Array(w);
for (let i = 0; i < w && n; i++) {
ret[w - (i + 1)] = n % 256;
n = n >> 8;
}
return ret;
}
function concat2(a, b) {
const ret = new Uint8Array(a.length + b.length);
ret.set(a, 0);
ret.set(b, a.length);
return ret;
}
function base64UrlToBytes2(v) {
const base64 = v.replace(/-/g, "+").replace(/_/g, "/");
const byteString = atob(base64);
const ret = new Uint8Array(byteString.length);
for (let i = 0; i < byteString.length; i++) {
ret[i] = byteString.charCodeAt(i);
}
return ret;
}
// npm/esm/core/src/kems/dhkem.js
var LABEL_EAE_PRK2 = new Uint8Array([101, 97, 101, 95, 112, 114, 107]);
var LABEL_SHARED_SECRET2 = new Uint8Array([
115,
104,
97,
114,
101,
100,
95,
115,
101,
99,
114,
101,
116
]);
function concat3(a, b, c) {
const ret = new Uint8Array(a.length + b.length + c.length);
ret.set(a, 0);
ret.set(b, a.length);
ret.set(c, a.length + b.length);
return ret;
}
var Dhkem2 = class {
constructor(id, prim, kdf) {
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "secretSize", {
enumerable: true,
configurable: true,
writable: true,
value: 0
});
Object.defineProperty(this, "encSize", {
enumerable: true,
configurable: true,
writable: true,
value: 0
});
Object.defineProperty(this, "publicKeySize", {
enumerable: true,
configurable: true,
writable: true,
value: 0
});
Object.defineProperty(this, "privateKeySize", {
enumerable: true,
configurable: true,
writable: true,
value: 0
});
Object.defineProperty(this, "_prim", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_kdf", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
this.id = id;
this._prim = prim;
this._kdf = kdf;
const suiteId = new Uint8Array(SUITE_ID_HEADER_KEM2);
suiteId.set(i2Osp2(this.id, 2), 3);
this._kdf.init(suiteId);
}
async serializePublicKey(key) {
return await this._prim.serializePublicKey(key);
}
async deserializePublicKey(key) {
return await this._prim.deserializePublicKey(key);
}
async serializePrivateKey(key) {
return await this._prim.serializePrivateKey(key);
}
async deserializePrivateKey(key) {
return await this._prim.deserializePrivateKey(key);
}
async importKey(format, key, isPublic = true) {
return await this._prim.importKey(format, key, isPublic);
}
async generateKeyPair() {
return await this._prim.generateKeyPair();
}
async deriveKeyPair(ikm) {
if (ikm.byteLength > INPUT_LENGTH_LIMIT2) {
throw new InvalidParamError("Too long ikm");
}
return await this._prim.deriveKeyPair(ikm);
}
async encap(params) {
let ke;
if (params.ekm === void 0) {
ke = await this.generateKeyPair();
} else if (isCryptoKeyPair2(params.ekm)) {
ke = params.ekm;
} else {
ke = await this.deriveKeyPair(params.ekm);
}
const enc = await this._prim.serializePublicKey(ke.publicKey);
const pkrm = await this._prim.serializePublicKey(params.recipientPublicKey);
try {
let dh;
if (params.senderKey === void 0) {
dh = new Uint8Array(await this._prim.dh(ke.privateKey, params.recipientPublicKey));
} else {
const sks = isCryptoKeyPair2(params.senderKey) ? params.senderKey.privateKey : params.senderKey;
const dh1 = new Uint8Array(await this._prim.dh(ke.privateKey, params.recipientPublicKey));
const dh2 = new Uint8Array(await this._prim.dh(sks, params.recipientPublicKey));
dh = concat2(dh1, dh2);
}
let kemContext;
if (params.senderKey === void 0) {
kemContext = concat2(new Uint8Array(enc), new Uint8Array(pkrm));
} else {
const pks = isCryptoKeyPair2(params.senderKey) ? params.senderKey.publicKey : await this._prim.derivePublicKey(params.senderKey);
const pksm = await this._prim.serializePublicKey(pks);
kemContext = concat3(new Uint8Array(enc), new Uint8Array(pkrm), new Uint8Array(pksm));
}
const sharedSecret = await this._generateSharedSecret(dh, kemContext);
return {
enc,
sharedSecret
};
} catch (e) {
throw new EncapError(e);
}
}
async decap(params) {
const pke = await this._prim.deserializePublicKey(params.enc);
const skr = isCryptoKeyPair2(params.recipientKey) ? params.recipientKey.privateKey : params.recipientKey;
const pkr = isCryptoKeyPair2(params.recipientKey) ? params.recipientKey.publicKey : await this._prim.derivePublicKey(params.recipientKey);
const pkrm = await this._prim.serializePublicKey(pkr);
try {
let dh;
if (params.senderPublicKey === void 0) {
dh = new Uint8Array(await this._prim.dh(skr, pke));
} else {
const dh1 = new Uint8Array(await this._prim.dh(skr, pke));
const dh2 = new Uint8Array(await this._prim.dh(skr, params.senderPublicKey));
dh = concat2(dh1, dh2);
}
let kemContext;
if (params.senderPublicKey === void 0) {
kemContext = concat2(new Uint8Array(params.enc), new Uint8Array(pkrm));
} else {
const pksm = await this._prim.serializePublicKey(params.senderPublicKey);
kemContext = new Uint8Array(params.enc.byteLength + pkrm.byteLength + pksm.byteLength);
kemContext.set(new Uint8Array(params.enc), 0);
kemContext.set(new Uint8Array(pkrm), params.enc.byteLength);
kemContext.set(new Uint8Array(pksm), params.enc.byteLength + pkrm.byteLength);
}
return await this._generateSharedSecret(dh, kemContext);
} catch (e) {
throw new DecapError(e);
}
}
async _generateSharedSecret(dh, kemContext) {
const labeledIkm = this._kdf.buildLabeledIkm(LABEL_EAE_PRK2, dh);
const labeledInfo = this._kdf.buildLabeledInfo(LABEL_SHARED_SECRET2, kemContext, this.secretSize);
return await this._kdf.extractAndExpand(EMPTY2, labeledIkm, labeledInfo, this.secretSize);
}
};
// npm/esm/core/src/interfaces/dhkemPrimitives.js
var KEM_USAGES2 = ["deriveBits"];
var LABEL_DKP_PRK2 = new Uint8Array([100, 107, 112, 95, 112, 114, 107]);
var LABEL_SK2 = new Uint8Array([115, 107]);
// npm/esm/core/src/utils/bignum.js
var Bignum2 = class {
constructor(size) {
Object.defineProperty(this, "_num", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
this._num = new Uint8Array(size);
}
val() {
return this._num;
}
reset() {
this._num.fill(0);
}
set(src) {
if (src.length !== this._num.length) {
throw new Error("Bignum.set: invalid argument");
}
this._num.set(src);
}
isZero() {
for (let i = 0; i < this._num.length; i++) {
if (this._num[i] !== 0) {
return false;
}
}
return true;
}
lessThan(v) {
if (v.length !== this._num.length) {
throw new Error("Bignum.lessThan: invalid argument");
}
for (let i = 0; i < this._num.length; i++) {
if (this._num[i] < v[i]) {
return true;
}
if (this._num[i] > v[i]) {
return false;
}
}
return false;
}
};
// npm/esm/core/src/kems/dhkemPrimitives/ec.js
var LABEL_CANDIDATE2 = new Uint8Array([
99,
97,
110,
100,
105,
100,
97,
116,
101
]);
var ORDER_P_2562 = new Uint8Array([
255,
255,
255,
255,
0,
0,
0,
0,
255,
255,
255,
255,
255,
255,
255,
255,
188,
230,
250,
173,
167,
23,
158,
132,
243,
185,
202,
194,
252,
99,
37,
81
]);
var ORDER_P_3842 = new Uint8Array([
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
199,
99,
77,
129,
244,
55,
45,
223,
88,
26,
13,
178,
72,
176,
167,
122,
236,
236,
25,
106,
204,
197,
41,
115
]);
var ORDER_P_5212 = new Uint8Array([
1,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
255,
250,
81,
134,
135,
131,
191,
47,
150,
107,
127,
204,
1,
72,
247,
9,
165,
208,
59,
181,
201,
184,
137,
156,
71,
174,
187,
111,
183,
30,
145,
56,
100,
9
]);
var PKCS8_ALG_ID_P_2562 = new Uint8Array([
48,
65,
2,
1,
0,
48,
19,
6,
7,
42,
134,
72,
206,
61,
2,
1,
6,
8,
42,
134,
72,
206,
61,
3,
1,
7,
4,
39,
48,
37,
2,
1,
1,
4,
32
]);
var PKCS8_ALG_ID_P_3842 = new Uint8Array([
48,
78,
2,
1,
0,
48,
16,
6,
7,
42,
134,
72,
206,
61,
2,
1,
6,
5,
43,
129,
4,
0,
34,
4,
55,
48,
53,
2,
1,
1,
4,
48
]);
var PKCS8_ALG_ID_P_5212 = new Uint8Array([
48,
96,
2,
1,
0,
48,
16,
6,
7,
42,
134,
72,
206,
61,
2,
1,
6,
5,
43,
129,
4,
0,
35,
4,
73,
48,
71,
2,
1,
1,
4,
66
]);
var Ec2 = class extends NativeAlgorithm {
constructor(kem, hkdf) {
super();
Object.defineProperty(this, "_hkdf", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_alg", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_nPk", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_nSk", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_nDh", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_order", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_bitmask", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_pkcs8AlgId", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
this._hkdf = hkdf;
switch (kem) {
case KemId.DhkemP256HkdfSha256:
this._alg = { name: "ECDH", namedCurve: "P-256" };
this._nPk = 65;
this._nSk = 32;
this._nDh = 32;
this._order = ORDER_P_2562;
this._bitmask = 255;
this._pkcs8AlgId = PKCS8_ALG_ID_P_2562;
break;
case KemId.DhkemP384HkdfSha384:
this._alg = { name: "ECDH", namedCurve: "P-384" };
this._nPk = 97;
this._nSk = 48;
this._nDh = 48;
this._order = ORDER_P_3842;
this._bitmask = 255;
this._pkcs8AlgId = PKCS8_ALG_ID_P_3842;
break;
default:
this._alg = { name: "ECDH", namedCurve: "P-521" };
this._nPk = 133;
this._nSk = 66;
this._nDh = 66;
this._order = ORDER_P_5212;
this._bitmask = 1;
this._pkcs8AlgId = PKCS8_ALG_ID_P_5212;
break;
}
}
async serializePublicKey(key) {
await this._setup();
try {
return await this._api.exportKey("raw", key);
} catch (e) {
throw new SerializeError(e);
}
}
async deserializePublicKey(key) {
await this._setup();
try {
return await this._importRawKey(key, true);
} catch (e) {
throw new DeserializeError(e);
}
}
async serializePrivateKey(key) {
await this._setup();
try {
const jwk = await this._api.exportKey("jwk", key);
if (!("d" in jwk)) {
throw new Error("Not private key");
}
return base64UrlToBytes2(jwk["d"]);
} catch (e) {
throw new SerializeError(e);
}
}
async deserializePrivateKey(key) {
await this._setup();
try {
return await this._importRawKey(key, false);
} catch (e) {
throw new DeserializeError(e);
}
}
async importKey(format, key, isPublic) {
await this._setup();
try {
if (format === "raw") {
return await this._importRawKey(key, isPublic);
}
if (key instanceof ArrayBuffer) {
throw new Error("Invalid jwk key format");
}
return await this._importJWK(key, isPublic);
} catch (e) {
throw new DeserializeError(e);
}
}
async generateKeyPair() {
await this._setup();
try {
return await this._api.generateKey(this._alg, true, KEM_USAGES2);
} catch (e) {
throw new NotSupportedError(e);
}
}
async deriveKeyPair(ikm) {
await this._setup();
try {
const dkpPrk = await this._hkdf.labeledExtract(EMPTY2, LABEL_DKP_PRK2, new Uint8Array(ikm));
const bn = new Bignum2(this._nSk);
for (let counter = 0; bn.isZero() || !bn.lessThan(this._order); counter++) {
if (counter > 255) {
throw new Error("Faild to derive a key pair");
}
const bytes3 = new Uint8Array(await this._hkdf.labeledExpand(dkpPrk, LABEL_CANDIDATE2, i2Osp2(counter, 1), this._nSk));
bytes3[0] = bytes3[0] & this._bitmask;
bn.set(bytes3);
}
const sk = await this._deserializePkcs8Key(bn.val());
bn.reset();
return {
privateKey: sk,
publicKey: await this.derivePublicKey(sk)
};
} catch (e) {
throw new DeriveKeyPairError(e);
}
}
async derivePublicKey(key) {
await this._setup();
try {
const jwk = await this._api.exportKey("jwk", key);
delete jwk["d"];
delete jwk["key_ops"];
return await this._api.importKey("jwk", jwk, this._alg, true, []);
} catch (e) {
throw new DeserializeError(e);
}
}
async dh(sk, pk) {
try {
await this._setup();
const bits = await this._api.deriveBits({
name: "ECDH",
public: pk
}, sk, this._nDh * 8);
return bits;
} catch (e) {
throw new SerializeError(e);
}
}
async _importRawKey(key, isPublic) {
if (isPublic && key.byteLength !== this._nPk) {
throw new Error("Invalid public key for the ciphersuite");
}
if (!isPublic && key.byteLength !== this._nSk) {
throw new Error("Invalid private key for the ciphersuite");
}
if (isPublic) {
return await this._api.importKey("raw", key, this._alg, true, []);
}
return await this._deserializePkcs8Key(new Uint8Array(key));
}
async _importJWK(key, isPublic) {
if (typeof key.crv === "undefined" || key.crv !== this._alg.namedCurve) {
throw new Error(`Invalid crv: ${key.crv}`);
}
if (isPublic) {
if (typeof key.d !== "undefined") {
throw new Error("Invalid key: `d` should not be set");
}
return await this._api.importKey("jwk", key, this._alg, true, []);
}
if (typeof key.d === "undefined") {
throw new Error("Invalid key: `d` not found");
}
return await this._api.importKey("jwk", key, this._alg, true, KEM_USAGES2);
}
async _deserializePkcs8Key(k) {
const pkcs8Key = new Uint8Array(this._pkcs8AlgId.length + k.length);
pkcs8Key.set(this._pkcs8AlgId, 0);
pkcs8Key.set(k, this._pkcs8AlgId.length);
return await this._api.importKey("pkcs8", pkcs8Key, this._alg, true, KEM_USAGES2);
}
};
// npm/esm/src/kems/dhkemP256.js
var DhkemP256HkdfSha2562 = class extends Dhkem2 {
constructor() {
const kdf = new HkdfSha2562();
const prim = new Ec2(KemId.DhkemP256HkdfSha256, kdf);
super(KemId.DhkemP256HkdfSha256, prim, kdf);
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: KemId.DhkemP256HkdfSha256
});
Object.defineProperty(this, "secretSize", {
enumerable: true,
configurable: true,
writable: true,
value: 32
});
Object.defineProperty(this, "encSize", {
enumerable: true,
configurable: true,
writable: true,
value: 65
});
Object.defineProperty(this, "publicKeySize", {
enumerable: true,
configurable: true,
writable: true,
value: 65
});
Object.defineProperty(this, "privateKeySize", {
enumerable: true,
configurable: true,
writable: true,
value: 32
});
}
};
// npm/esm/src/kems/dhkemP384.js
var DhkemP384HkdfSha3842 = class extends Dhkem2 {
constructor() {
const kdf = new HkdfSha3842();
const prim = new Ec2(KemId.DhkemP384HkdfSha384, kdf);
super(KemId.DhkemP384HkdfSha384, prim, kdf);
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: KemId.DhkemP384HkdfSha384
});
Object.defineProperty(this, "secretSize", {
enumerable: true,
configurable: true,
writable: true,
value: 48
});
Object.defineProperty(this, "encSize", {
enumerable: true,
configurable: true,
writable: true,
value: 97
});
Object.defineProperty(this, "publicKeySize", {
enumerable: true,
configurable: true,
writable: true,
value: 97
});
Object.defineProperty(this, "privateKeySize", {
enumerable: true,
configurable: true,
writable: true,
value: 48
});
}
};
// npm/esm/src/kems/dhkemP521.js
var DhkemP521HkdfSha5122 = class extends Dhkem2 {
constructor() {
const kdf = new HkdfSha5122();
const prim = new Ec2(KemId.DhkemP521HkdfSha512, kdf);
super(KemId.DhkemP521HkdfSha512, prim, kdf);
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: KemId.DhkemP521HkdfSha512
});
Object.defineProperty(this, "secretSize", {
enumerable: true,
configurable: true,
writable: true,
value: 64
});
Object.defineProperty(this, "encSize", {
enumerable: true,
configurable: true,
writable: true,
value: 133
});
Object.defineProperty(this, "publicKeySize", {
enumerable: true,
configurable: true,
writable: true,
value: 133
});
Object.defineProperty(this, "privateKeySize", {
enumerable: true,
configurable: true,
writable: true,
value: 64
});
}
};
// npm/node_modules/@noble/curves/esm/abstract/utils.js
var _1n = /* @__PURE__ */ BigInt(1);
var _2n = /* @__PURE__ */ BigInt(2);
function isBytes3(a) {
return a instanceof Uint8Array || a != null && typeof a === "object" && a.constructor.name === "Uint8Array";
}
function abytes(item) {
if (!isBytes3(item))
throw new Error("Uint8Array expected");
}
var hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, "0"));
function bytesToHex(bytes3) {
abytes(bytes3);
let hex = "";
for (let i = 0; i < bytes3.length; i++) {
hex += hexes[bytes3[i]];
}
return hex;
}
function hexToNumber(hex) {
if (typeof hex !== "string")
throw new Error("hex string expected, got " + typeof hex);
return BigInt(hex === "" ? "0" : `0x${hex}`);
}
var asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 };
function asciiToBase16(char) {
if (char >= asciis._0 && char <= asciis._9)
return char - asciis._0;
if (char >= asciis._A && char <= asciis._F)
return char - (asciis._A - 10);
if (char >= asciis._a && char <= asciis._f)
return char - (asciis._a - 10);
return;
}
function hexToBytes(hex) {
if (typeof hex !== "string")
throw new Error("hex string expected, got " + typeof hex);
const hl = hex.length;
const al = hl / 2;
if (hl % 2)
throw new Error("padded hex string expected, got unpadded hex of length " + hl);
const array = new Uint8Array(al);
for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
const n1 = asciiToBase16(hex.charCodeAt(hi));
const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
if (n1 === void 0 || n2 === void 0) {
const char = hex[hi] + hex[hi + 1];
throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
}
array[ai] = n1 * 16 + n2;
}
return array;
}
function bytesToNumberBE(bytes3) {
return hexToNumber(bytesToHex(bytes3));
}
function bytesToNumberLE(bytes3) {
abytes(bytes3);
return hexToNumber(bytesToHex(Uint8Array.from(bytes3).reverse()));
}
function numberToBytesBE(n, len) {
return hexToBytes(n.toString(16).padStart(len * 2, "0"));
}
function numberToBytesLE(n, len) {
return numberToBytesBE(n, len).reverse();
}
function ensureBytes(title, hex, expectedLength) {
let res;
if (typeof hex === "string") {
try {
res = hexToBytes(hex);
} catch (e) {
throw new Error(`${title} must be valid hex string, got "${hex}". Cause: ${e}`);
}
} else if (isBytes3(hex)) {
res = Uint8Array.from(hex);
} else {
throw new Error(`${title} must be hex string or Uint8Array`);
}
const len = res.length;
if (typeof expectedLength === "number" && len !== expectedLength)
throw new Error(`${title} expected ${expectedLength} bytes, got ${len}`);
return res;
}
function concatBytes2(...arrays) {
let sum = 0;
for (let i = 0; i < arrays.length; i++) {
const a = arrays[i];
abytes(a);
sum += a.length;
}
const res = new Uint8Array(sum);
for (let i = 0, pad = 0; i < arrays.length; i++) {
const a = arrays[i];
res.set(a, pad);
pad += a.length;
}
return res;
}
var bitMask = (n) => (_2n << BigInt(n - 1)) - _1n;
var validatorFns = {
bigint: (val) => typeof val === "bigint",
function: (val) => typeof val === "function",
boolean: (val) => typeof val === "boolean",
string: (val) => typeof val === "string",
stringOrUint8Array: (val) => typeof val === "string" || isBytes3(val),
isSafeInteger: (val) => Number.isSafeInteger(val),
array: (val) => Array.isArray(val),
field: (val, object) => object.Fp.isValid(val),
hash: (val) => typeof val === "function" && Number.isSafeInteger(val.outputLen)
};
function validateObject(object, validators, optValidators = {}) {
const checkField = (fieldName, type, isOptional) => {
const checkVal = validatorFns[type];
if (typeof checkVal !== "function")
throw new Error(`Invalid validator "${type}", expected function`);
const val = object[fieldName];
if (isOptional && val === void 0)
return;
if (!checkVal(val, object)) {
throw new Error(`Invalid param ${String(fieldName)}=${val} (${typeof val}), expected ${type}`);
}
};
for (const [fieldName, type] of Object.entries(validators))
checkField(fieldName, type, false);
for (const [fieldName, type] of Object.entries(optValidators))
checkField(fieldName, type, true);
return object;
}
// npm/node_modules/@noble/curves/esm/abstract/modular.js
var _0n = BigInt(0);
var _1n2 = BigInt(1);
var _2n2 = BigInt(2);
var _3n = BigInt(3);
var _4n = BigInt(4);
var _5n = BigInt(5);
var _8n = BigInt(8);
var _9n = BigInt(9);
var _16n = BigInt(16);
function mod(a, b) {
const result = a % b;
return result >= _0n ? result : b + result;
}
function pow(num, power, modulo) {
if (modulo <= _0n || power < _0n)
throw new Error("Expected power/modulo > 0");
if (modulo === _1n2)
return _0n;
let res = _1n2;
while (power > _0n) {
if (power & _1n2)
res = res * num % modulo;
num = num * num % modulo;
power >>= _1n2;
}
return res;
}
function pow2(x, power, modulo) {
let res = x;
while (power-- > _0n) {
res *= res;
res %= modulo;
}
return res;
}
function invert(number3, modulo) {
if (number3 === _0n || modulo <= _0n) {
throw new Error(`invert: expected positive integers, got n=${number3} mod=${modulo}`);
}
let a = mod(number3, modulo);
let b = modulo;
let x = _0n, y = _1n2, u = _1n2, v = _0n;
while (a !== _0n) {
const q = b / a;
const r = b % a;
const m = x - u * q;
const n = y - v * q;
b = a, a = r, x = u, y = v, u = m, v = n;
}
const gcd = b;
if (gcd !== _1n2)
throw new Error("invert: does not exist");
return mod(x, modulo);
}
function tonelliShanks(P) {
const legendreC = (P - _1n2) / _2n2;
let Q, S, Z;
for (Q = P - _1n2, S = 0; Q % _2n2 === _0n; Q /= _2n2, S++)
;
for (Z = _2n2; Z < P && pow(Z, legendreC, P) !== P - _1n2; Z++)
;
if (S === 1) {
const p1div4 = (P + _1n2) / _4n;
return function tonelliFast(Fp2, n) {
const root = Fp2.pow(n, p1div4);
if (!Fp2.eql(Fp2.sqr(root), n))
throw new Error("Cannot find square root");
return root;
};
}
const Q1div2 = (Q + _1n2) / _2n2;
return function tonelliSlow(Fp2, n) {
if (Fp2.pow(n, legendreC) === Fp2.neg(Fp2.ONE))
throw new Error("Cannot find square root");
let r = S;
let g = Fp2.pow(Fp2.mul(Fp2.ONE, Z), Q);
let x = Fp2.pow(n, Q1div2);
let b = Fp2.pow(n, Q);
while (!Fp2.eql(b, Fp2.ONE)) {
if (Fp2.eql(b, Fp2.ZERO))
return Fp2.ZERO;
let m = 1;
for (let t2 = Fp2.sqr(b); m < r; m++) {
if (Fp2.eql(t2, Fp2.ONE))
break;
t2 = Fp2.sqr(t2);
}
const ge = Fp2.pow(g, _1n2 << BigInt(r - m - 1));
g = Fp2.sqr(ge);
x = Fp2.mul(x, ge);
b = Fp2.mul(b, g);
r = m;
}
return x;
};
}
function FpSqrt(P) {
if (P % _4n === _3n) {
const p1div4 = (P + _1n2) / _4n;
return function sqrt3mod4(Fp2, n) {
const root = Fp2.pow(n, p1div4);
if (!Fp2.eql(Fp2.sqr(root), n))
throw new Error("Cannot find square root");
return root;
};
}
if (P % _8n === _5n) {
const c1 = (P - _5n) / _8n;
return function sqrt5mod8(Fp2, n) {
const n2 = Fp2.mul(n, _2n2);
const v = Fp2.pow(n2, c1);
const nv = Fp2.mul(n, v);
const i = Fp2.mul(Fp2.mul(nv, _2n2), v);
const root = Fp2.mul(nv, Fp2.sub(i, Fp2.ONE));
if (!Fp2.eql(Fp2.sqr(root), n))
throw new Error("Cannot find square root");
return root;
};
}
if (P % _16n === _9n) {
}
return tonelliShanks(P);
}
var FIELD_FIELDS = [
"create",
"isValid",
"is0",
"neg",
"inv",
"sqrt",
"sqr",
"eql",
"add",
"sub",
"mul",
"pow",
"div",
"addN",
"subN",
"mulN",
"sqrN"
];
function validateField(field) {
const initial = {
ORDER: "bigint",
MASK: "bigint",
BYTES: "isSafeInteger",
BITS: "isSafeInteger"
};
const opts = FIELD_FIELDS.reduce((map, val) => {
map[val] = "function";
return map;
}, initial);
return validateObject(field, opts);
}
function FpPow(f, num, power) {
if (power < _0n)
throw new Error("Expected power > 0");
if (power === _0n)
return f.ONE;
if (power === _1n2)
return num;
let p = f.ONE;
let d = num;
while (power > _0n) {
if (power & _1n2)
p = f.mul(p, d);
d = f.sqr(d);
power >>= _1n2;
}
return p;
}
function FpInvertBatch(f, nums) {
const tmp = new Array(nums.length);
const lastMultiplied = nums.reduce((acc, num, i) => {
if (f.is0(num))
return acc;
tmp[i] = acc;
return f.mul(acc, num);
}, f.ONE);
const inverted = f.inv(lastMultiplied);
nums.reduceRight((acc, num, i) => {
if (f.is0(num))
return acc;
tmp[i] = f.mul(acc, tmp[i]);
return f.mul(acc, num);
}, inverted);
return tmp;
}
function nLength(n, nBitLength) {
const _nBitLength = nBitLength !== void 0 ? nBitLength : n.toString(2).length;
const nByteLength = Math.ceil(_nBitLength / 8);
return { nBitLength: _nBitLength, nByteLength };
}
function Field(ORDER, bitLen, isLE3 = false, redef = {}) {
if (ORDER <= _0n)
throw new Error(`Expected Field ORDER > 0, got ${ORDER}`);
const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
if (BYTES > 2048)
throw new Error("Field lengths over 2048 bytes are not supported");
const sqrtP = FpSqrt(ORDER);
const f = Object.freeze({
ORDER,
BITS,
BYTES,
MASK: bitMask(BITS),
ZERO: _0n,
ONE: _1n2,
create: (num) => mod(num, ORDER),
isValid: (num) => {
if (typeof num !== "bigint")
throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
return _0n <= num && num < ORDER;
},
is0: (num) => num === _0n,
isOdd: (num) => (num & _1n2) === _1n2,
neg: (num) => mod(-num, ORDER),
eql: (lhs, rhs) => lhs === rhs,
sqr: (num) => mod(num * num, ORDER),
add: (lhs, rhs) => mod(lhs + rhs, ORDER),
sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
pow: (num, power) => FpPow(f, num, power),
div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
// Same as above, but doesn't normalize
sqrN: (num) => num * num,
addN: (lhs, rhs) => lhs + rhs,
subN: (lhs, rhs) => lhs - rhs,
mulN: (lhs, rhs) => lhs * rhs,
inv: (num) => invert(num, ORDER),
sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
invertBatch: (lst) => FpInvertBatch(f, lst),
// TODO: do we really need constant cmov?
// We don't have const-time bigints anyway, so probably will be not very useful
cmov: (a, b, c) => c ? b : a,
toBytes: (num) => isLE3 ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES),
fromBytes: (bytes3) => {
if (bytes3.length !== BYTES)
throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes3.length}`);
return isLE3 ? bytesToNumberLE(bytes3) : bytesToNumberBE(bytes3);
}
});
return Object.freeze(f);
}
// npm/node_modules/@noble/curves/esm/abstract/curve.js
var _0n2 = BigInt(0);
var _1n3 = BigInt(1);
function wNAF(c, bits) {
const constTimeNegate = (condition, item) => {
const neg = item.negate();
return condition ? neg : item;
};
const opts = (W) => {
const windows = Math.ceil(bits / W) + 1;
const windowSize = 2 ** (W - 1);
return { windows, windowSize };
};
return {
constTimeNegate,
// non-const time multiplication ladder
unsafeLadder(elm, n) {
let p = c.ZERO;
let d = elm;
while (n > _0n2) {
if (n & _1n3)
p = p.add(d);
d = d.double();
n >>= _1n3;
}
return p;
},
/**
* Creates a wNAF precomputation window. Used for caching.
* Default window size is set by `utils.precompute()` and is equal to 8.
* Number of precomputed points depends on the curve size:
* 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
* - 𝑊 is the window size
* - 𝑛 is the bitlength of the curve order.
* For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
* @returns precomputed point tables flattened to a single array
*/
precomputeWindow(elm, W) {
const { windows, windowSize } = opts(W);
const points = [];
let p = elm;
let base = p;
for (let window = 0; window < windows; window++) {
base = p;
points.push(base);
for (let i = 1; i < windowSize; i++) {
base = base.add(p);
points.push(base);
}
p = base.double();
}
return points;
},
/**
* Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
* @param W window size
* @param precomputes precomputed tables
* @param n scalar (we don't check here, but should be less than curve order)
* @returns real and fake (for const-time) points
*/
wNAF(W, precomputes, n) {
const { windows, windowSize } = opts(W);
let p = c.ZERO;
let f = c.BASE;
const mask = BigInt(2 ** W - 1);
const maxNumber = 2 ** W;
const shiftBy = BigInt(W);
for (let window = 0; window < windows; window++) {
const offset = window * windowSize;
let wbits = Number(n & mask);
n >>= shiftBy;
if (wbits > windowSize) {
wbits -= maxNumber;
n += _1n3;
}
const offset1 = offset;
const offset2 = offset + Math.abs(wbits) - 1;
const cond1 = window % 2 !== 0;
const cond2 = wbits < 0;
if (wbits === 0) {
f = f.add(constTimeNegate(cond1, precomputes[offset1]));
} else {
p = p.add(constTimeNegate(cond2, precomputes[offset2]));
}
}
return { p, f };
},
wNAFCached(P, precomputesMap, n, transform) {
const W = P._WINDOW_SIZE || 1;
let comp = precomputesMap.get(P);
if (!comp) {
comp = this.precomputeWindow(P, W);
if (W !== 1) {
precomputesMap.set(P, transform(comp));
}
}
return this.wNAF(W, comp, n);
}
};
}
function validateBasic(curve) {
validateField(curve.Fp);
validateObject(curve, {
n: "bigint",
h: "bigint",
Gx: "field",
Gy: "field"
}, {
nBitLength: "isSafeInteger",
nByteLength: "isSafeInteger"
});
return Object.freeze({
...nLength(curve.n, curve.nBitLength),
...curve,
...{ p: curve.Fp.ORDER }
});
}
// npm/node_modules/@noble/curves/esm/abstract/edwards.js
var _0n3 = BigInt(0);
var _1n4 = BigInt(1);
var _2n3 = BigInt(2);
var _8n2 = BigInt(8);
var VERIFY_DEFAULT = { zip215: true };
function validateOpts(curve) {
const opts = validateBasic(curve);
validateObject(curve, {
hash: "function",
a: "bigint",
d: "bigint",
randomBytes: "function"
}, {
adjustScalarBytes: "function",
domain: "function",
uvRatio: "function",
mapToCurve: "function"
});
return Object.freeze({ ...opts });
}
function twistedEdwards(curveDef) {
const CURVE = validateOpts(curveDef);
const { Fp: Fp2, n: CURVE_ORDER, prehash, hash: cHash, randomBytes: randomBytes2, nByteLength, h: cofactor } = CURVE;
const MASK = _2n3 << BigInt(nByteLength * 8) - _1n4;
const modP = Fp2.create;
const uvRatio2 = CURVE.uvRatio || ((u, v) => {
try {
return { isValid: true, value: Fp2.sqrt(u * Fp2.inv(v)) };
} catch (e) {
return { isValid: false, value: _0n3 };
}
});
const adjustScalarBytes3 = CURVE.adjustScalarBytes || ((bytes3) => bytes3);
const domain = CURVE.domain || ((data, ctx, phflag) => {
if (ctx.length || phflag)
throw new Error("Contexts/pre-hash are not supported");
return data;
});
const inBig = (n) => typeof n === "bigint" && _0n3 < n;
const inRange = (n, max) => inBig(n) && inBig(max) && n < max;
const in0MaskRange = (n) => n === _0n3 || inRange(n, MASK);
function assertInRange(n, max) {
if (inRange(n, max))
return n;
throw new Error(`Expected valid scalar < ${max}, got ${typeof n} ${n}`);
}
function assertGE0(n) {
return n === _0n3 ? n : assertInRange(n, CURVE_ORDER);
}
const pointPrecomputes = /* @__PURE__ */ new Map();
function isPoint(other) {
if (!(other instanceof Point))
throw new Error("ExtendedPoint expected");
}
class Point {
constructor(ex, ey, ez, et) {
this.ex = ex;
this.ey = ey;
this.ez = ez;
this.et = et;
if (!in0MaskRange(ex))
throw new Error("x required");
if (!in0MaskRange(ey))
throw new Error("y required");
if (!in0MaskRange(ez))
throw new Error("z required");
if (!in0MaskRange(et))
throw new Error("t required");
}
get x() {
return this.toAffine().x;
}
get y() {
return this.toAffine().y;
}
static fromAffine(p) {
if (p instanceof Point)
throw new Error("extended point not allowed");
const { x, y } = p || {};
if (!in0MaskRange(x) || !in0MaskRange(y))
throw new Error("invalid affine point");
return new Point(x, y, _1n4, modP(x * y));
}
static normalizeZ(points) {
const toInv = Fp2.invertBatch(points.map((p) => p.ez));
return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
}
// "Private method", don't use it directly
_setWindowSize(windowSize) {
this._WINDOW_SIZE = windowSize;
pointPrecomputes.delete(this);
}
// Not required for fromHex(), which always creates valid points.
// Could be useful for fromAffine().
assertValidity() {
const { a, d } = CURVE;
if (this.is0())
throw new Error("bad point: ZERO");
const { ex: X, ey: Y, ez: Z, et: T } = this;
const X2 = modP(X * X);
const Y2 = modP(Y * Y);
const Z2 = modP(Z * Z);
const Z4 = modP(Z2 * Z2);
const aX2 = modP(X2 * a);
const left = modP(Z2 * modP(aX2 + Y2));
const right = modP(Z4 + modP(d * modP(X2 * Y2)));
if (left !== right)
throw new Error("bad point: equation left != right (1)");
const XY = modP(X * Y);
const ZT = modP(Z * T);
if (XY !== ZT)
throw new Error("bad point: equation left != right (2)");
}
// Compare one point to another.
equals(other) {
isPoint(other);
const { ex: X1, ey: Y1, ez: Z1 } = this;
const { ex: X2, ey: Y2, ez: Z2 } = other;
const X1Z2 = modP(X1 * Z2);
const X2Z1 = modP(X2 * Z1);
const Y1Z2 = modP(Y1 * Z2);
const Y2Z1 = modP(Y2 * Z1);
return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
}
is0() {
return this.equals(Point.ZERO);
}
negate() {
return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et));
}
// Fast algo for doubling Extended Point.
// Cost: 4M + 4S + 1*a + 6add + 1*2.
double() {
const { a } = CURVE;
const { ex: X1, ey: Y1, ez: Z1 } = this;
const A = modP(X1 * X1);
const B = modP(Y1 * Y1);
const C = modP(_2n3 * modP(Z1 * Z1));
const D = modP(a * A);
const x1y1 = X1 + Y1;
const E = modP(modP(x1y1 * x1y1) - A - B);
const G2 = D + B;
const F = G2 - C;
const H = D - B;
const X3 = modP(E * F);
const Y3 = modP(G2 * H);
const T3 = modP(E * H);
const Z3 = modP(F * G2);
return new Point(X3, Y3, Z3, T3);
}
// Fast algo for adding 2 Extended Points.
// Cost: 9M + 1*a + 1*d + 7add.
add(other) {
isPoint(other);
const { a, d } = CURVE;
const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
if (a === BigInt(-1)) {
const A2 = modP((Y1 - X1) * (Y2 + X2));
const B2 = modP((Y1 + X1) * (Y2 - X2));
const F2 = modP(B2 - A2);
if (F2 === _0n3)
return this.double();
const C2 = modP(Z1 * _2n3 * T2);
const D2 = modP(T1 * _2n3 * Z2);
const E2 = D2 + C2;
const G3 = B2 + A2;
const H2 = D2 - C2;
const X32 = modP(E2 * F2);
const Y32 = modP(G3 * H2);
const T32 = modP(E2 * H2);
const Z32 = modP(F2 * G3);
return new Point(X32, Y32, Z32, T32);
}
const A = modP(X1 * X2);
const B = modP(Y1 * Y2);
const C = modP(T1 * d * T2);
const D = modP(Z1 * Z2);
const E = modP((X1 + Y1) * (X2 + Y2) - A - B);
const F = D - C;
const G2 = D + C;
const H = modP(B - a * A);
const X3 = modP(E * F);
const Y3 = modP(G2 * H);
const T3 = modP(E * H);
const Z3 = modP(F * G2);
return new Point(X3, Y3, Z3, T3);
}
subtract(other) {
return this.add(other.negate());
}
wNAF(n) {
return wnaf.wNAFCached(this, pointPrecomputes, n, Point.normalizeZ);
}
// Constant-time multiplication.
multiply(scalar) {
const { p, f } = this.wNAF(assertInRange(scalar, CURVE_ORDER));
return Point.normalizeZ([p, f])[0];
}
// Non-constant-time multiplication. Uses double-and-add algorithm.
// It's faster, but should only be used when you don't care about
// an exposed private key e.g. sig verification.
// Does NOT allow scalars higher than CURVE.n.
multiplyUnsafe(scalar) {
let n = assertGE0(scalar);
if (n === _0n3)
return I;
if (this.equals(I) || n === _1n4)
return this;
if (this.equals(G))
return this.wNAF(n).p;
return wnaf.unsafeLadder(this, n);
}
// Checks if point is of small order.
// If you add something to small order point, you will have "dirty"
// point with torsion component.
// Multiplies point by cofactor and checks if the result is 0.
isSmallOrder() {
return this.multiplyUnsafe(cofactor).is0();
}
// Multiplies point by curve order and checks if the result is 0.
// Returns `false` is the point is dirty.
isTorsionFree() {
return wnaf.unsafeLadder(this, CURVE_ORDER).is0();
}
// Converts Extended point to default (x, y) coordinates.
// Can accept precomputed Z^-1 - for example, from invertBatch.
toAffine(iz) {
const { ex: x, ey: y, ez: z } = this;
const is0 = this.is0();
if (iz == null)
iz = is0 ? _8n2 : Fp2.inv(z);
const ax = modP(x * iz);
const ay = modP(y * iz);
const zz = modP(z * iz);
if (is0)
return { x: _0n3, y: _1n4 };
if (zz !== _1n4)
throw new Error("invZ was invalid");
return { x: ax, y: ay };
}
clearCofactor() {
const { h: cofactor2 } = CURVE;
if (cofactor2 === _1n4)
return this;
return this.multiplyUnsafe(cofactor2);
}
// Converts hash string or Uint8Array to Point.
// Uses algo from RFC8032 5.1.3.
static fromHex(hex, zip215 = false) {
const { d, a } = CURVE;
const len = Fp2.BYTES;
hex = ensureBytes("pointHex", hex, len);
const normed = hex.slice();
const lastByte = hex[len - 1];
normed[len - 1] = lastByte & ~128;
const y = bytesToNumberLE(normed);
if (y === _0n3) {
} else {
if (zip215)
assertInRange(y, MASK);
else
assertInRange(y, Fp2.ORDER);
}
const y2 = modP(y * y);
const u = modP(y2 - _1n4);
const v = modP(d * y2 - a);
let { isValid, value: x } = uvRatio2(u, v);
if (!isValid)
throw new Error("Point.fromHex: invalid y coordinate");
const isXOdd = (x & _1n4) === _1n4;
const isLastByteOdd = (lastByte & 128) !== 0;
if (!zip215 && x === _0n3 && isLastByteOdd)
throw new Error("Point.fromHex: x=0 and x_0=1");
if (isLastByteOdd !== isXOdd)
x = modP(-x);
return Point.fromAffine({ x, y });
}
static fromPrivateKey(privKey) {
return getExtendedPublicKey(privKey).point;
}
toRawBytes() {
const { x, y } = this.toAffine();
const bytes3 = numberToBytesLE(y, Fp2.BYTES);
bytes3[bytes3.length - 1] |= x & _1n4 ? 128 : 0;
return bytes3;
}
toHex() {
return bytesToHex(this.toRawBytes());
}
}
Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n4, modP(CURVE.Gx * CURVE.Gy));
Point.ZERO = new Point(_0n3, _1n4, _1n4, _0n3);
const { BASE: G, ZERO: I } = Point;
const wnaf = wNAF(Point, nByteLength * 8);
function modN(a) {
return mod(a, CURVE_ORDER);
}
function modN_LE(hash2) {
return modN(bytesToNumberLE(hash2));
}
function getExtendedPublicKey(key) {
const len = nByteLength;
key = ensureBytes("private key", key, len);
const hashed = ensureBytes("hashed private key", cHash(key), 2 * len);
const head = adjustScalarBytes3(hashed.slice(0, len));
const prefix = hashed.slice(len, 2 * len);
const scalar = modN_LE(head);
const point = G.multiply(scalar);
const pointBytes = point.toRawBytes();
return { head, prefix, scalar, point, pointBytes };
}
function getPublicKey(privKey) {
return getExtendedPublicKey(privKey).pointBytes;
}
function hashDomainToScalar(context = new Uint8Array(), ...msgs) {
const msg = concatBytes2(...msgs);
return modN_LE(cHash(domain(msg, ensureBytes("context", context), !!prehash)));
}
function sign(msg, privKey, options = {}) {
msg = ensureBytes("message", msg);
if (prehash)
msg = prehash(msg);
const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);
const r = hashDomainToScalar(options.context, prefix, msg);
const R = G.multiply(r).toRawBytes();
const k = hashDomainToScalar(options.context, R, pointBytes, msg);
const s = modN(r + k * scalar);
assertGE0(s);
const res = concatBytes2(R, numberToBytesLE(s, Fp2.BYTES));
return ensureBytes("result", res, nByteLength * 2);
}
const verifyOpts = VERIFY_DEFAULT;
function verify(sig, msg, publicKey, options = verifyOpts) {
const { context, zip215 } = options;
const len = Fp2.BYTES;
sig = ensureBytes("signature", sig, 2 * len);
msg = ensureBytes("message", msg);
if (prehash)
msg = prehash(msg);
const s = bytesToNumberLE(sig.slice(len, 2 * len));
let A, R, SB;
try {
A = Point.fromHex(publicKey, zip215);
R = Point.fromHex(sig.slice(0, len), zip215);
SB = G.multiplyUnsafe(s);
} catch (error) {
return false;
}
if (!zip215 && A.isSmallOrder())
return false;
const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
const RkA = R.add(A.multiplyUnsafe(k));
return RkA.subtract(SB).clearCofactor().equals(Point.ZERO);
}
G._setWindowSize(8);
const utils = {
getExtendedPublicKey,
// ed25519 private keys are uniform 32b. No need to check for modulo bias, like in secp256k1.
randomPrivateKey: () => randomBytes2(Fp2.BYTES),
/**
* We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
* values. This slows down first getPublicKey() by milliseconds (see Speed section),
* but allows to speed-up subsequent getPublicKey() calls up to 20x.
* @param windowSize 2, 4, 8, 16
*/
precompute(windowSize = 8, point = Point.BASE) {
point._setWindowSize(windowSize);
point.multiply(BigInt(3));
return point;
}
};
return {
CURVE,
getPublicKey,
sign,
verify,
ExtendedPoint: Point,
utils
};
}
// npm/node_modules/@noble/curves/esm/abstract/montgomery.js
var _0n4 = BigInt(0);
var _1n5 = BigInt(1);
function validateOpts2(curve) {
validateObject(curve, {
a: "bigint"
}, {
montgomeryBits: "isSafeInteger",
nByteLength: "isSafeInteger",
adjustScalarBytes: "function",
domain: "function",
powPminus2: "function",
Gu: "bigint"
});
return Object.freeze({ ...curve });
}
function montgomery(curveDef) {
const CURVE = validateOpts2(curveDef);
const { P } = CURVE;
const modP = (n) => mod(n, P);
const montgomeryBits = CURVE.montgomeryBits;
const montgomeryBytes = Math.ceil(montgomeryBits / 8);
const fieldLen = CURVE.nByteLength;
const adjustScalarBytes3 = CURVE.adjustScalarBytes || ((bytes3) => bytes3);
const powPminus2 = CURVE.powPminus2 || ((x) => pow(x, P - BigInt(2), P));
function cswap(swap, x_2, x_3) {
const dummy = modP(swap * (x_2 - x_3));
x_2 = modP(x_2 - dummy);
x_3 = modP(x_3 + dummy);
return [x_2, x_3];
}
function assertFieldElement(n) {
if (typeof n === "bigint" && _0n4 <= n && n < P)
return n;
throw new Error("Expected valid scalar 0 < scalar < CURVE.P");
}
const a24 = (CURVE.a - BigInt(2)) / BigInt(4);
function montgomeryLadder(pointU, scalar) {
const u = assertFieldElement(pointU);
const k = assertFieldElement(scalar);
const x_1 = u;
let x_2 = _1n5;
let z_2 = _0n4;
let x_3 = u;
let z_3 = _1n5;
let swap = _0n4;
let sw;
for (let t = BigInt(montgomeryBits - 1); t >= _0n4; t--) {
const k_t = k >> t & _1n5;
swap ^= k_t;
sw = cswap(swap, x_2, x_3);
x_2 = sw[0];
x_3 = sw[1];
sw = cswap(swap, z_2, z_3);
z_2 = sw[0];
z_3 = sw[1];
swap = k_t;
const A = x_2 + z_2;
const AA = modP(A * A);
const B = x_2 - z_2;
const BB = modP(B * B);
const E = AA - BB;
const C = x_3 + z_3;
const D = x_3 - z_3;
const DA = modP(D * A);
const CB = modP(C * B);
const dacb = DA + CB;
const da_cb = DA - CB;
x_3 = modP(dacb * dacb);
z_3 = modP(x_1 * modP(da_cb * da_cb));
x_2 = modP(AA * BB);
z_2 = modP(E * (AA + modP(a24 * E)));
}
sw = cswap(swap, x_2, x_3);
x_2 = sw[0];
x_3 = sw[1];
sw = cswap(swap, z_2, z_3);
z_2 = sw[0];
z_3 = sw[1];
const z2 = powPminus2(z_2);
return modP(x_2 * z2);
}
function encodeUCoordinate(u) {
return numberToBytesLE(modP(u), montgomeryBytes);
}
function decodeUCoordinate(uEnc) {
const u = ensureBytes("u coordinate", uEnc, montgomeryBytes);
if (fieldLen === 32)
u[31] &= 127;
return bytesToNumberLE(u);
}
function decodeScalar(n) {
const bytes3 = ensureBytes("scalar", n);
const len = bytes3.length;
if (len !== montgomeryBytes && len !== fieldLen)
throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${len}`);
return bytesToNumberLE(adjustScalarBytes3(bytes3));
}
function scalarMult(scalar, u) {
const pointU = decodeUCoordinate(u);
const _scalar = decodeScalar(scalar);
const pu = montgomeryLadder(pointU, _scalar);
if (pu === _0n4)
throw new Error("Invalid private or public key received");
return encodeUCoordinate(pu);
}
const GuBytes = encodeUCoordinate(CURVE.Gu);
function scalarMultBase(scalar) {
return scalarMult(scalar, GuBytes);
}
return {
scalarMult,
scalarMultBase,
getSharedSecret: (privateKey, publicKey) => scalarMult(privateKey, publicKey),
getPublicKey: (privateKey) => scalarMultBase(privateKey),
utils: { randomPrivateKey: () => CURVE.randomBytes(CURVE.nByteLength) },
GuBytes
};
}
// npm/node_modules/@noble/curves/esm/ed25519.js
var ED25519_P = BigInt("57896044618658097711785492504343953926634992332820282019728792003956564819949");
var _0n5 = BigInt(0);
var _1n6 = BigInt(1);
var _2n4 = BigInt(2);
var _3n2 = BigInt(3);
var _5n2 = BigInt(5);
var _8n3 = BigInt(8);
function ed25519_pow_2_252_3(x) {
const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
const P = ED25519_P;
const x2 = x * x % P;
const b2 = x2 * x % P;
const b4 = pow2(b2, _2n4, P) * b2 % P;
const b5 = pow2(b4, _1n6, P) * x % P;
const b10 = pow2(b5, _5n2, P) * b5 % P;
const b20 = pow2(b10, _10n, P) * b10 % P;
const b40 = pow2(b20, _20n, P) * b20 % P;
const b80 = pow2(b40, _40n, P) * b40 % P;
const b160 = pow2(b80, _80n, P) * b80 % P;
const b240 = pow2(b160, _80n, P) * b80 % P;
const b250 = pow2(b240, _10n, P) * b10 % P;
const pow_p_5_8 = pow2(b250, _2n4, P) * x % P;
return { pow_p_5_8, b2 };
}
function adjustScalarBytes(bytes3) {
bytes3[0] &= 248;
bytes3[31] &= 127;
bytes3[31] |= 64;
return bytes3;
}
var x25519 = /* @__PURE__ */ (() => montgomery({
P: ED25519_P,
a: BigInt(486662),
montgomeryBits: 255,
// n is 253 bits
nByteLength: 32,
Gu: BigInt(9),
powPminus2: (x) => {
const P = ED25519_P;
const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
return mod(pow2(pow_p_5_8, _3n2, P) * b2, P);
},
adjustScalarBytes,
randomBytes
}))();
// npm/esm/src/xCryptoKey.js
var XCryptoKey = class {
constructor(name, key, type, usages = []) {
Object.defineProperty(this, "key", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "type", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "extractable", {
enumerable: true,
configurable: true,
writable: true,
value: true
});
Object.defineProperty(this, "algorithm", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "usages", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
this.key = key;
this.type = type;
this.algorithm = { name };
this.usages = usages;
if (type === "public") {
this.usages = [];
}
}
};
// npm/esm/src/kems/dhkemPrimitives/x25519.js
var ALG_NAME = "X25519";
var X25519 = class {
constructor(hkdf) {
Object.defineProperty(this, "_hkdf", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_nPk", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_nSk", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
this._hkdf = hkdf;
this._nPk = 32;
this._nSk = 32;
}
async serializePublicKey(key) {
try {
return await this._serializePublicKey(key);
} catch (e) {
throw new SerializeError(e);
}
}
async deserializePublicKey(key) {
try {
return await this._importRawKey(key, true);
} catch (e) {
throw new DeserializeError(e);
}
}
async serializePrivateKey(key) {
try {
return await this._serializePrivateKey(key);
} catch (e) {
throw new SerializeError(e);
}
}
async deserializePrivateKey(key) {
try {
return await this._importRawKey(key, false);
} catch (e) {
throw new DeserializeError(e);
}
}
async importKey(format, key, isPublic) {
try {
if (format === "raw") {
return await this._importRawKey(key, isPublic);
}
if (key instanceof ArrayBuffer) {
throw new Error("Invalid jwk key format");
}
return await this._importJWK(key, isPublic);
} catch (e) {
throw new DeserializeError(e);
}
}
async generateKeyPair() {
try {
const rawSk = x25519.utils.randomPrivateKey();
const sk = new XCryptoKey(ALG_NAME, rawSk, "private", KEM_USAGES2);
const pk = await this.derivePublicKey(sk);
return { publicKey: pk, privateKey: sk };
} catch (e) {
throw new NotSupportedError(e);
}
}
async deriveKeyPair(ikm) {
try {
const dkpPrk = await this._hkdf.labeledExtract(EMPTY2, LABEL_DKP_PRK2, new Uint8Array(ikm));
const rawSk = await this._hkdf.labeledExpand(dkpPrk, LABEL_SK2, EMPTY2, this._nSk);
const sk = new XCryptoKey(ALG_NAME, new Uint8Array(rawSk), "private", KEM_USAGES2);
return {
privateKey: sk,
publicKey: await this.derivePublicKey(sk)
};
} catch (e) {
throw new DeriveKeyPairError(e);
}
}
async derivePublicKey(key) {
try {
return await this._derivePublicKey(key);
} catch (e) {
throw new DeserializeError(e);
}
}
async dh(sk, pk) {
try {
return await this._dh(sk, pk);
} catch (e) {
throw new SerializeError(e);
}
}
_serializePublicKey(k) {
return new Promise((resolve) => {
resolve(k.key.buffer);
});
}
_serializePrivateKey(k) {
return new Promise((resolve) => {
resolve(k.key.buffer);
});
}
_importRawKey(key, isPublic) {
return new Promise((resolve, reject) => {
if (isPublic && key.byteLength !== this._nPk) {
reject(new Error("Invalid length of the key"));
}
if (!isPublic && key.byteLength !== this._nSk) {
reject(new Error("Invalid length of the key"));
}
resolve(new XCryptoKey(ALG_NAME, new Uint8Array(key), isPublic ? "public" : "private", isPublic ? [] : KEM_USAGES2));
});
}
_importJWK(key, isPublic) {
return new Promise((resolve, reject) => {
if (typeof key.kty === "undefined" || key.kty !== "OKP") {
reject(new Error(`Invalid kty: ${key.kty}`));
}
if (typeof key.crv === "undefined" || key.crv !== "X25519") {
reject(new Error(`Invalid crv: ${key.crv}`));
}
if (isPublic) {
if (typeof key.d !== "undefined") {
reject(new Error("Invalid key: `d` should not be set"));
}
if (typeof key.x === "undefined") {
reject(new Error("Invalid key: `x` not found"));
}
resolve(new XCryptoKey(ALG_NAME, base64UrlToBytes2(key.x), "public"));
} else {
if (typeof key.d !== "string") {
reject(new Error("Invalid key: `d` not found"));
}
resolve(new XCryptoKey(ALG_NAME, base64UrlToBytes2(key.d), "private", KEM_USAGES2));
}
});
}
_derivePublicKey(k) {
return new Promise((resolve, reject) => {
try {
const pk = x25519.getPublicKey(k.key);
resolve(new XCryptoKey(ALG_NAME, pk, "public"));
} catch (e) {
reject(e);
}
});
}
_dh(sk, pk) {
return new Promise((resolve, reject) => {
try {
resolve(x25519.getSharedSecret(sk.key, pk.key).buffer);
} catch (e) {
reject(e);
}
});
}
};
// npm/esm/src/kems/dhkemX25519.js
var DhkemX25519HkdfSha256 = class extends Dhkem2 {
constructor() {
const kdf = new HkdfSha2562();
super(KemId.DhkemX25519HkdfSha256, new X25519(kdf), kdf);
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: KemId.DhkemX25519HkdfSha256
});
Object.defineProperty(this, "secretSize", {
enumerable: true,
configurable: true,
writable: true,
value: 32
});
Object.defineProperty(this, "encSize", {
enumerable: true,
configurable: true,
writable: true,
value: 32
});
Object.defineProperty(this, "publicKeySize", {
enumerable: true,
configurable: true,
writable: true,
value: 32
});
Object.defineProperty(this, "privateKeySize", {
enumerable: true,
configurable: true,
writable: true,
value: 32
});
}
};
// npm/node_modules/@noble/hashes/esm/sha3.js
var SHA3_PI = [];
var SHA3_ROTL = [];
var _SHA3_IOTA = [];
var _0n6 = /* @__PURE__ */ BigInt(0);
var _1n7 = /* @__PURE__ */ BigInt(1);
var _2n5 = /* @__PURE__ */ BigInt(2);
var _7n = /* @__PURE__ */ BigInt(7);
var _256n = /* @__PURE__ */ BigInt(256);
var _0x71n = /* @__PURE__ */ BigInt(113);
for (let round = 0, R = _1n7, x = 1, y = 0; round < 24; round++) {
[x, y] = [y, (2 * x + 3 * y) % 5];
SHA3_PI.push(2 * (5 * y + x));
SHA3_ROTL.push((round + 1) * (round + 2) / 2 % 64);
let t = _0n6;
for (let j = 0; j < 7; j++) {
R = (R << _1n7 ^ (R >> _7n) * _0x71n) % _256n;
if (R & _2n5)
t ^= _1n7 << (_1n7 << /* @__PURE__ */ BigInt(j)) - _1n7;
}
_SHA3_IOTA.push(t);
}
var [SHA3_IOTA_H, SHA3_IOTA_L] = /* @__PURE__ */ split(_SHA3_IOTA, true);
var rotlH = (h, l, s) => s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s);
var rotlL = (h, l, s) => s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s);
function keccakP(s, rounds = 24) {
const B = new Uint32Array(5 * 2);
for (let round = 24 - rounds; round < 24; round++) {
for (let x = 0; x < 10; x++)
B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];
for (let x = 0; x < 10; x += 2) {
const idx1 = (x + 8) % 10;
const idx0 = (x + 2) % 10;
const B0 = B[idx0];
const B1 = B[idx0 + 1];
const Th = rotlH(B0, B1, 1) ^ B[idx1];
const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1];
for (let y = 0; y < 50; y += 10) {
s[x + y] ^= Th;
s[x + y + 1] ^= Tl;
}
}
let curH = s[2];
let curL = s[3];
for (let t = 0; t < 24; t++) {
const shift = SHA3_ROTL[t];
const Th = rotlH(curH, curL, shift);
const Tl = rotlL(curH, curL, shift);
const PI = SHA3_PI[t];
curH = s[PI];
curL = s[PI + 1];
s[PI] = Th;
s[PI + 1] = Tl;
}
for (let y = 0; y < 50; y += 10) {
for (let x = 0; x < 10; x++)
B[x] = s[y + x];
for (let x = 0; x < 10; x++)
s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10];
}
s[0] ^= SHA3_IOTA_H[round];
s[1] ^= SHA3_IOTA_L[round];
}
B.fill(0);
}
var Keccak = class _Keccak extends Hash {
// NOTE: we accept arguments in bytes instead of bits here.
constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {
super();
this.blockLen = blockLen;
this.suffix = suffix;
this.outputLen = outputLen;
this.enableXOF = enableXOF;
this.rounds = rounds;
this.pos = 0;
this.posOut = 0;
this.finished = false;
this.destroyed = false;
number2(outputLen);
if (0 >= this.blockLen || this.blockLen >= 200)
throw new Error("Sha3 supports only keccak-f1600 function");
this.state = new Uint8Array(200);
this.state32 = u322(this.state);
}
keccak() {
if (!isLE2)
byteSwap32(this.state32);
keccakP(this.state32, this.rounds);
if (!isLE2)
byteSwap32(this.state32);
this.posOut = 0;
this.pos = 0;
}
update(data) {
exists2(this);
const { blockLen, state } = this;
data = toBytes2(data);
const len = data.length;
for (let pos = 0; pos < len; ) {
const take = Math.min(blockLen - this.pos, len - pos);
for (let i = 0; i < take; i++)
state[this.pos++] ^= data[pos++];
if (this.pos === blockLen)
this.keccak();
}
return this;
}
finish() {
if (this.finished)
return;
this.finished = true;
const { state, suffix, pos, blockLen } = this;
state[pos] ^= suffix;
if ((suffix & 128) !== 0 && pos === blockLen - 1)
this.keccak();
state[blockLen - 1] ^= 128;
this.keccak();
}
writeInto(out) {
exists2(this, false);
bytes2(out);
this.finish();
const bufferOut = this.state;
const { blockLen } = this;
for (let pos = 0, len = out.length; pos < len; ) {
if (this.posOut >= blockLen)
this.keccak();
const take = Math.min(blockLen - this.posOut, len - pos);
out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);
this.posOut += take;
pos += take;
}
return out;
}
xofInto(out) {
if (!this.enableXOF)
throw new Error("XOF is not possible for this instance");
return this.writeInto(out);
}
xof(bytes3) {
number2(bytes3);
return this.xofInto(new Uint8Array(bytes3));
}
digestInto(out) {
output2(out, this);
if (this.finished)
throw new Error("digest() was already called");
this.writeInto(out);
this.destroy();
return out;
}
digest() {
return this.digestInto(new Uint8Array(this.outputLen));
}
destroy() {
this.destroyed = true;
this.state.fill(0);
}
_cloneInto(to) {
const { blockLen, suffix, outputLen, rounds, enableXOF } = this;
to || (to = new _Keccak(blockLen, suffix, outputLen, enableXOF, rounds));
to.state32.set(this.state32);
to.pos = this.pos;
to.posOut = this.posOut;
to.finished = this.finished;
to.rounds = rounds;
to.suffix = suffix;
to.outputLen = outputLen;
to.enableXOF = enableXOF;
to.destroyed = this.destroyed;
return to;
}
};
var gen = (suffix, blockLen, outputLen) => wrapConstructor(() => new Keccak(blockLen, suffix, outputLen));
var sha3_224 = /* @__PURE__ */ gen(6, 144, 224 / 8);
var sha3_256 = /* @__PURE__ */ gen(6, 136, 256 / 8);
var sha3_384 = /* @__PURE__ */ gen(6, 104, 384 / 8);
var sha3_512 = /* @__PURE__ */ gen(6, 72, 512 / 8);
var keccak_224 = /* @__PURE__ */ gen(1, 144, 224 / 8);
var keccak_256 = /* @__PURE__ */ gen(1, 136, 256 / 8);
var keccak_384 = /* @__PURE__ */ gen(1, 104, 384 / 8);
var keccak_512 = /* @__PURE__ */ gen(1, 72, 512 / 8);
var genShake = (suffix, blockLen, outputLen) => wrapXOFConstructorWithOpts((opts = {}) => new Keccak(blockLen, suffix, opts.dkLen === void 0 ? outputLen : opts.dkLen, true));
var shake128 = /* @__PURE__ */ genShake(31, 168, 128 / 8);
var shake256 = /* @__PURE__ */ genShake(31, 136, 256 / 8);
// npm/node_modules/@noble/curves/esm/ed448.js
var shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
var shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
var ed448P = BigInt("726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439");
var _1n8 = BigInt(1);
var _2n6 = BigInt(2);
var _3n3 = BigInt(3);
var _4n2 = BigInt(4);
var _11n = BigInt(11);
var _22n = BigInt(22);
var _44n = BigInt(44);
var _88n = BigInt(88);
var _223n = BigInt(223);
function ed448_pow_Pminus3div4(x) {
const P = ed448P;
const b2 = x * x * x % P;
const b3 = b2 * b2 * x % P;
const b6 = pow2(b3, _3n3, P) * b3 % P;
const b9 = pow2(b6, _3n3, P) * b3 % P;
const b11 = pow2(b9, _2n6, P) * b2 % P;
const b22 = pow2(b11, _11n, P) * b11 % P;
const b44 = pow2(b22, _22n, P) * b22 % P;
const b88 = pow2(b44, _44n, P) * b44 % P;
const b176 = pow2(b88, _88n, P) * b88 % P;
const b220 = pow2(b176, _44n, P) * b44 % P;
const b222 = pow2(b220, _2n6, P) * b2 % P;
const b223 = pow2(b222, _1n8, P) * x % P;
return pow2(b223, _223n, P) * b222 % P;
}
function adjustScalarBytes2(bytes3) {
bytes3[0] &= 252;
bytes3[55] |= 128;
bytes3[56] = 0;
return bytes3;
}
function uvRatio(u, v) {
const P = ed448P;
const u2v = mod(u * u * v, P);
const u3v = mod(u2v * u, P);
const u5v3 = mod(u3v * u2v * v, P);
const root = ed448_pow_Pminus3div4(u5v3);
const x = mod(u3v * root, P);
const x2 = mod(x * x, P);
return { isValid: mod(x2 * v, P) === u, value: x };
}
var Fp = Field(ed448P, 456, true);
var ED448_DEF = {
// Param: a
a: BigInt(1),
// -39081. Negative number is P - number
d: BigInt("726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358"),
// Finite field 𝔽p over which we'll do calculations; 2n**448n - 2n**224n - 1n
Fp,
// Subgroup order: how many points curve has;
// 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
n: BigInt("181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779"),
// RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
nBitLength: 456,
// Cofactor
h: BigInt(4),
// Base point (x, y) aka generator point
Gx: BigInt("224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710"),
Gy: BigInt("298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660"),
// SHAKE256(dom4(phflag,context)||x, 114)
hash: shake256_114,
randomBytes,
adjustScalarBytes: adjustScalarBytes2,
// dom4
domain: (data, ctx, phflag) => {
if (ctx.length > 255)
throw new Error(`Context is too big: ${ctx.length}`);
return concatBytes(utf8ToBytes2("SigEd448"), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
},
uvRatio
};
var ed448ph = /* @__PURE__ */ twistedEdwards({ ...ED448_DEF, prehash: shake256_64 });
var x448 = /* @__PURE__ */ (() => montgomery({
a: BigInt(156326),
// RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
montgomeryBits: 448,
nByteLength: 56,
P: ed448P,
Gu: BigInt(5),
powPminus2: (x) => {
const P = ed448P;
const Pminus3div4 = ed448_pow_Pminus3div4(x);
const Pminus3 = pow2(Pminus3div4, BigInt(2), P);
return mod(Pminus3 * x, P);
},
adjustScalarBytes: adjustScalarBytes2,
randomBytes
}))();
var ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4);
var ELL2_J = BigInt(156326);
var ONE_MINUS_D = BigInt("39082");
var ONE_MINUS_TWO_D = BigInt("78163");
var SQRT_MINUS_D = BigInt("98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214");
var INVSQRT_MINUS_D = BigInt("315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716");
var MAX_448B = BigInt("0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff");
// npm/esm/src/kems/dhkemPrimitives/x448.js
var ALG_NAME2 = "X448";
var X448 = class {
constructor(hkdf) {
Object.defineProperty(this, "_hkdf", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_nPk", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_nSk", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
this._hkdf = hkdf;
this._nPk = 56;
this._nSk = 56;
}
async serializePublicKey(key) {
try {
return await this._serializePublicKey(key);
} catch (e) {
throw new SerializeError(e);
}
}
async deserializePublicKey(key) {
try {
return await this._importRawKey(key, true);
} catch (e) {
throw new DeserializeError(e);
}
}
async serializePrivateKey(key) {
try {
return await this._serializePrivateKey(key);
} catch (e) {
throw new SerializeError(e);
}
}
async deserializePrivateKey(key) {
try {
return await this._importRawKey(key, false);
} catch (e) {
throw new DeserializeError(e);
}
}
async importKey(format, key, isPublic) {
try {
if (format === "raw") {
return await this._importRawKey(key, isPublic);
}
if (key instanceof ArrayBuffer) {
throw new Error("Invalid jwk key format");
}
return await this._importJWK(key, isPublic);
} catch (e) {
throw new DeserializeError(e);
}
}
async generateKeyPair() {
try {
const rawSk = x448.utils.randomPrivateKey();
const sk = new XCryptoKey(ALG_NAME2, rawSk, "private", KEM_USAGES2);
const pk = await this.derivePublicKey(sk);
return { publicKey: pk, privateKey: sk };
} catch (e) {
throw new NotSupportedError(e);
}
}
async deriveKeyPair(ikm) {
try {
const dkpPrk = await this._hkdf.labeledExtract(EMPTY2, LABEL_DKP_PRK2, new Uint8Array(ikm));
const rawSk = await this._hkdf.labeledExpand(dkpPrk, LABEL_SK2, EMPTY2, this._nSk);
const sk = new XCryptoKey(ALG_NAME2, new Uint8Array(rawSk), "private", KEM_USAGES2);
return {
privateKey: sk,
publicKey: await this.derivePublicKey(sk)
};
} catch (e) {
throw new DeriveKeyPairError(e);
}
}
async derivePublicKey(key) {
try {
return await this._derivePublicKey(key);
} catch (e) {
throw new DeserializeError(e);
}
}
async dh(sk, pk) {
try {
return await this._dh(sk, pk);
} catch (e) {
throw new SerializeError(e);
}
}
_serializePublicKey(k) {
return new Promise((resolve) => {
resolve(k.key.buffer);
});
}
_serializePrivateKey(k) {
return new Promise((resolve) => {
resolve(k.key.buffer);
});
}
_importRawKey(key, isPublic) {
return new Promise((resolve, reject) => {
if (isPublic && key.byteLength !== this._nPk) {
reject(new Error("Invalid length of the key"));
}
if (!isPublic && key.byteLength !== this._nSk) {
reject(new Error("Invalid length of the key"));
}
resolve(new XCryptoKey(ALG_NAME2, new Uint8Array(key), isPublic ? "public" : "private", isPublic ? [] : KEM_USAGES2));
});
}
_importJWK(key, isPublic) {
return new Promise((resolve, reject) => {
if (key.kty !== "OKP") {
reject(new Error(`Invalid kty: ${key.kty}`));
}
if (key.crv !== "X448") {
reject(new Error(`Invalid crv: ${key.crv}`));
}
if (isPublic) {
if (typeof key.d !== "undefined") {
reject(new Error("Invalid key: `d` should not be set"));
}
if (typeof key.x !== "string") {
reject(new Error("Invalid key: `x` not found"));
}
resolve(new XCryptoKey(ALG_NAME2, base64UrlToBytes2(key.x), "public"));
} else {
if (typeof key.d !== "string") {
reject(new Error("Invalid key: `d` not found"));
}
resolve(new XCryptoKey(ALG_NAME2, base64UrlToBytes2(key.d), "private", KEM_USAGES2));
}
});
}
_derivePublicKey(k) {
return new Promise((resolve, reject) => {
try {
const pk = x448.getPublicKey(k.key);
resolve(new XCryptoKey(ALG_NAME2, pk, "public"));
} catch (e) {
reject(e);
}
});
}
_dh(sk, pk) {
return new Promise((resolve, reject) => {
try {
resolve(x448.getSharedSecret(sk.key, pk.key).buffer);
} catch (e) {
reject(e);
}
});
}
};
// npm/esm/src/kems/dhkemX448.js
var DhkemX448HkdfSha512 = class extends Dhkem2 {
constructor() {
const kdf = new HkdfSha5122();
super(KemId.DhkemX448HkdfSha512, new X448(kdf), kdf);
Object.defineProperty(this, "id", {
enumerable: true,
configurable: true,
writable: true,
value: KemId.DhkemX448HkdfSha512
});
Object.defineProperty(this, "secretSize", {
enumerable: true,
configurable: true,
writable: true,
value: 64
});
Object.defineProperty(this, "encSize", {
enumerable: true,
configurable: true,
writable: true,
value: 56
});
Object.defineProperty(this, "publicKeySize", {
enumerable: true,
configurable: true,
writable: true,
value: 56
});
Object.defineProperty(this, "privateKeySize", {
enumerable: true,
configurable: true,
writable: true,
value: 56
});
}
};
// npm/esm/core/src/utils/emitNotSupported.js
function emitNotSupported2() {
return new Promise((_resolve, reject) => {
reject(new NotSupportedError("Not supported"));
});
}
// npm/esm/core/src/exporterContext.js
var LABEL_SEC2 = new Uint8Array([115, 101, 99]);
var ExporterContextImpl2 = class {
constructor(api, kdf, exporterSecret) {
Object.defineProperty(this, "_api", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "exporterSecret", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_kdf", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
this._api = api;
this._kdf = kdf;
this.exporterSecret = exporterSecret;
}
async seal(_data, _aad) {
return await emitNotSupported2();
}
async open(_data, _aad) {
return await emitNotSupported2();
}
async export(exporterContext, len) {
if (exporterContext.byteLength > INPUT_LENGTH_LIMIT2) {
throw new InvalidParamError("Too long exporter context");
}
try {
return await this._kdf.labeledExpand(this.exporterSecret, LABEL_SEC2, new Uint8Array(exporterContext), len);
} catch (e) {
throw new ExportError(e);
}
}
};
var RecipientExporterContextImpl2 = class extends ExporterContextImpl2 {
};
var SenderExporterContextImpl2 = class extends ExporterContextImpl2 {
constructor(api, kdf, exporterSecret, enc) {
super(api, kdf, exporterSecret);
Object.defineProperty(this, "enc", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
this.enc = enc;
return;
}
};
// npm/esm/core/src/encryptionContext.js
function xor(a, b) {
if (a.byteLength !== b.byteLength) {
throw new Error("xor: different length inputs");
}
const buf = new Uint8Array(a.byteLength);
for (let i = 0; i < a.byteLength; i++) {
buf[i] = a[i] ^ b[i];
}
return buf;
}
var EncryptionContextImpl2 = class extends ExporterContextImpl2 {
constructor(api, kdf, params) {
super(api, kdf, params.exporterSecret);
Object.defineProperty(this, "_aead", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_nK", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_nN", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_nT", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_ctx", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
if (params.key === void 0 || params.baseNonce === void 0 || params.seq === void 0) {
throw new Error("Required parameters are missing");
}
this._aead = params.aead;
this._nK = this._aead.keySize;
this._nN = this._aead.nonceSize;
this._nT = this._aead.tagSize;
const key = this._aead.createEncryptionContext(params.key);
this._ctx = {
key,
baseNonce: params.baseNonce,
seq: params.seq
};
}
computeNonce(k) {
const seqBytes = i2Osp2(k.seq, k.baseNonce.byteLength);
return xor(k.baseNonce, seqBytes);
}
incrementSeq(k) {
if (k.seq > Number.MAX_SAFE_INTEGER) {
throw new MessageLimitReachedError("Message limit reached");
}
k.seq += 1;
return;
}
};
// npm/esm/core/src/recipientContext.js
var RecipientContextImpl2 = class extends EncryptionContextImpl2 {
async open(data, aad = EMPTY2) {
let pt;
try {
pt = await this._ctx.key.open(this.computeNonce(this._ctx), data, aad);
} catch (e) {
throw new OpenError(e);
}
this.incrementSeq(this._ctx);
return pt;
}
};
// npm/esm/core/src/senderContext.js
var SenderContextImpl2 = class extends EncryptionContextImpl2 {
constructor(api, kdf, params, enc) {
super(api, kdf, params);
Object.defineProperty(this, "enc", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
this.enc = enc;
}
async seal(data, aad = EMPTY2) {
let ct;
try {
ct = await this._ctx.key.seal(this.computeNonce(this._ctx), data, aad);
} catch (e) {
throw new SealError(e);
}
this.incrementSeq(this._ctx);
return ct;
}
};
// npm/esm/core/src/cipherSuiteNative.js
var LABEL_BASE_NONCE2 = new Uint8Array([
98,
97,
115,
101,
95,
110,
111,
110,
99,
101
]);
var LABEL_EXP2 = new Uint8Array([101, 120, 112]);
var LABEL_INFO_HASH2 = new Uint8Array([
105,
110,
102,
111,
95,
104,
97,
115,
104
]);
var LABEL_KEY2 = new Uint8Array([107, 101, 121]);
var LABEL_PSK_ID_HASH2 = new Uint8Array([
112,
115,
107,
95,
105,
100,
95,
104,
97,
115,
104
]);
var LABEL_SECRET2 = new Uint8Array([115, 101, 99, 114, 101, 116]);
var SUITE_ID_HEADER_HPKE2 = new Uint8Array([
72,
80,
75,
69,
0,
0,
0,
0,
0,
0
]);
var CipherSuiteNative2 = class extends NativeAlgorithm {
/**
* @param params A set of parameters for building a cipher suite.
*
* If the error occurred, throws {@link InvalidParamError}.
*
* @throws {@link InvalidParamError}
*/
constructor(params) {
super();
Object.defineProperty(this, "_kem", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_kdf", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_aead", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
Object.defineProperty(this, "_suiteId", {
enumerable: true,
configurable: true,
writable: true,
value: void 0
});
if (typeof params.kem === "number") {
throw new InvalidParamError("KemId cannot be used");
}
this._kem = params.kem;
if (typeof params.kdf === "number") {
throw new InvalidParamError("KdfId cannot be used");
}
this._kdf = params.kdf;
if (typeof params.aead === "number") {
throw new InvalidParamError("AeadId cannot be used");
}
this._aead = params.aead;
this._suiteId = new Uint8Array(SUITE_ID_HEADER_HPKE2);
this._suiteId.set(i2Osp2(this._kem.id, 2), 4);
this._suiteId.set(i2Osp2(this._kdf.id, 2), 6);
this._suiteId.set(i2Osp2(this._aead.id, 2), 8);
this._kdf.init(this._suiteId);
}
/**
* Gets the KEM context of the ciphersuite.
*/
get kem() {
return this._kem;
}
/**
* Gets the KDF context of the ciphersuite.
*/
get kdf() {
return this._kdf;
}
/**
* Gets the AEAD context of the ciphersuite.
*/
get aead() {
return this._aead;
}
/**
* Creates an encryption context for a sender.
*
* If the error occurred, throws {@link DecapError} | {@link ValidationError}.
*
* @param params A set of parameters for the sender encryption context.
* @returns A sender encryption context.
* @throws {@link EncapError}, {@link ValidationError}
*/
async createSenderContext(params) {
this._validateInputLength(params);
await this._setup();
const dh = await this._kem.encap(params);
let mode;
if (params.psk !== void 0) {
mode = params.senderKey !== void 0 ? Mode.AuthPsk : Mode.Psk;
} else {
mode = params.senderKey !== void 0 ? Mode.Auth : Mode.Base;
}
return await this._keyScheduleS(mode, dh.sharedSecret, dh.enc, params);
}
/**
* Creates an encryption context for a recipient.
*
* If the error occurred, throws {@link DecapError}
* | {@link DeserializeError} | {@link ValidationError}.
*
* @param params A set of parameters for the recipient encryption context.
* @returns A recipient encryption context.
* @throws {@link DecapError}, {@link DeserializeError}, {@link ValidationError}
*/
async createRecipientContext(params) {
this._validateInputLength(params);
await this._setup();
const sharedSecret = await this._kem.decap(params);
let mode;
if (params.psk !== void 0) {
mode = params.senderPublicKey !== void 0 ? Mode.AuthPsk : Mode.Psk;
} else {
mode = params.senderPublicKey !== void 0 ? Mode.Auth : Mode.Base;
}
return await this._keyScheduleR(mode, sharedSecret, params);
}
/**
* Encrypts a message to a recipient.
*
* If the error occurred, throws `EncapError` | `MessageLimitReachedError` | `SealError` | `ValidationError`.
*
* @param params A set of parameters for building a sender encryption context.
* @param pt A plain text as bytes to be encrypted.
* @param aad Additional authenticated data as bytes fed by an application.
* @returns A cipher text and an encapsulated key as bytes.
* @throws {@link EncapError}, {@link MessageLimitReachedError}, {@link SealError}, {@link ValidationError}
*/
async seal(params, pt, aad = EMPTY2) {
const ctx = await this.createSenderContext(params);
return {
ct: await ctx.seal(pt, aad),
enc: ctx.enc
};
}
/**
* Decrypts a message from a sender.
*
* If the error occurred, throws `DecapError` | `DeserializeError` | `OpenError` | `ValidationError`.
*
* @param params A set of parameters for building a recipient encryption context.
* @param ct An encrypted text as bytes to be decrypted.
* @param aad Additional authenticated data as bytes fed by an application.
* @returns A decrypted plain text as bytes.
* @throws {@link DecapError}, {@link DeserializeError}, {@link OpenError}, {@link ValidationError}
*/
async open(params, ct, aad = EMPTY2) {
const ctx = await this.createRecipientContext(params);
return await ctx.open(ct, aad);
}
// private verifyPskInputs(mode: Mode, params: KeyScheduleParams) {
// const gotPsk = (params.psk !== undefined);
// const gotPskId = (params.psk !== undefined && params.psk.id.byteLength > 0);
// if (gotPsk !== gotPskId) {
// throw new Error('Inconsistent PSK inputs');
// }
// if (gotPsk && (mode === Mode.Base || mode === Mode.Auth)) {
// throw new Error('PSK input provided when not needed');
// }
// if (!gotPsk && (mode === Mode.Psk || mode === Mode.AuthPsk)) {
// throw new Error('Missing required PSK input');
// }
// return;
// }
async _keySchedule(mode, sharedSecret, params) {
const pskId = params.psk === void 0 ? EMPTY2 : new Uint8Array(params.psk.id);
const pskIdHash = await this._kdf.labeledExtract(EMPTY2, LABEL_PSK_ID_HASH2, pskId);
const info = params.info === void 0 ? EMPTY2 : new Uint8Array(params.info);
const infoHash = await this._kdf.labeledExtract(EMPTY2, LABEL_INFO_HASH2, info);
const keyScheduleContext = new Uint8Array(1 + pskIdHash.byteLength + infoHash.byteLength);
keyScheduleContext.set(new Uint8Array([mode]), 0);
keyScheduleContext.set(new Uint8Array(pskIdHash), 1);
keyScheduleContext.set(new Uint8Array(infoHash), 1 + pskIdHash.byteLength);
const psk = params.psk === void 0 ? EMPTY2 : new Uint8Array(params.psk.key);
const ikm = this._kdf.buildLabeledIkm(LABEL_SECRET2, psk);
const exporterSecretInfo = this._kdf.buildLabeledInfo(LABEL_EXP2, keyScheduleContext, this._kdf.hashSize);
const exporterSecret = await this._kdf.extractAndExpand(sharedSecret, ikm, exporterSecretInfo, this._kdf.hashSize);
if (this._aead.id === AeadId.ExportOnly) {
return { aead: this._aead, exporterSecret };
}
const keyInfo = this._kdf.buildLabeledInfo(LABEL_KEY2, keyScheduleContext, this._aead.keySize);
const key = await this._kdf.extractAndExpand(sharedSecret, ikm, keyInfo, this._aead.keySize);
const baseNonceInfo = this._kdf.buildLabeledInfo(LABEL_BASE_NONCE2, keyScheduleContext, this._aead.nonceSize);
const baseNonce = await this._kdf.extractAndExpand(sharedSecret, ikm, baseNonceInfo, this._aead.nonceSize);
return {
aead: this._aead,
exporterSecret,
key,
baseNonce: new Uint8Array(baseNonce),
seq: 0
};
}
async _keyScheduleS(mode, sharedSecret, enc, params) {
const res = await this._keySchedule(mode, sharedSecret, params);
if (res.key === void 0) {
return new SenderExporterContextImpl2(this._api, this._kdf, res.exporterSecret, enc);
}
return new SenderContextImpl2(this._api, this._kdf, res, enc);
}
async _keyScheduleR(mode, sharedSecret, params) {
const res = await this._keySchedule(mode, sharedSecret, params);
if (res.key === void 0) {
return new RecipientExporterContextImpl2(this._api, this._kdf, res.exporterSecret);
}
return new RecipientContextImpl2(this._api, this._kdf, res);
}
_validateInputLength(params) {
if (params.info !== void 0 && params.info.byteLength > INPUT_LENGTH_LIMIT2) {
throw new InvalidParamError("Too long info");
}
if (params.psk !== void 0) {
if (params.psk.key.byteLength < MINIMUM_PSK_LENGTH2) {
throw new InvalidParamError(`PSK must have at least ${MINIMUM_PSK_LENGTH2} bytes`);
}
if (params.psk.key.byteLength > INPUT_LENGTH_LIMIT2) {
throw new InvalidParamError("Too long psk.key");
}
if (params.psk.id.byteLength > INPUT_LENGTH_LIMIT2) {
throw new InvalidParamError("Too long psk.id");
}
}
return;
}
};
// npm/esm/src/cipherSuite.js
var CipherSuite2 = class extends CipherSuiteNative2 {
/**
* @param params A set of parameters for building a cipher suite.
* @throws {@link InvalidParamError}
*/
constructor(params) {
if (typeof params.kem === "number") {
switch (params.kem) {
case KemId.DhkemP256HkdfSha256:
params.kem = new DhkemP256HkdfSha2562();
break;
case KemId.DhkemP384HkdfSha384:
params.kem = new DhkemP384HkdfSha3842();
break;
case KemId.DhkemP521HkdfSha512:
params.kem = new DhkemP521HkdfSha5122();
break;
case KemId.DhkemX25519HkdfSha256:
params.kem = new DhkemX25519HkdfSha256();
break;
case KemId.DhkemX448HkdfSha512:
params.kem = new DhkemX448HkdfSha512();
break;
default:
throw new InvalidParamError(`The KEM (${params.kem}) cannot be specified by KemId. Use submodule for the KEM`);
}
}
if (typeof params.kdf === "number") {
switch (params.kdf) {
case KdfId.HkdfSha256:
params.kdf = new HkdfSha2562();
break;
case KdfId.HkdfSha384:
params.kdf = new HkdfSha3842();
break;
default:
params.kdf = new HkdfSha5122();
break;
}
}
if (typeof params.aead === "number") {
switch (params.aead) {
case AeadId.Aes128Gcm:
params.aead = new Aes128Gcm();
break;
case AeadId.Aes256Gcm:
params.aead = new Aes256Gcm();
break;
case AeadId.Chacha20Poly1305:
params.aead = new Chacha20Poly1305();
break;
default:
params.aead = new ExportOnly();
break;
}
}
super(params);
}
/**
* Generates a key pair for the cipher suite.
*
* If the error occurred, throws {@link NotSupportedError}.
*
* @deprecated Use {@link KemInterface.generateKeyPair} instead.
*
* @returns A key pair generated.
* @throws {@link NotSupportedError}
*/
async generateKeyPair() {
await this._setup();
return await this._kem.generateKeyPair();
}
/**
* Derives a key pair for the cipher suite in the manner
*
* If the error occurred, throws {@link DeriveKeyPairError}.
*
* @deprecated Use {@link KemInterface.deriveKeyPair} instead.
*
* @param ikm A byte string of input keying material. The maximum length is 128 bytes.
* @returns A key pair derived.
* @throws {@link DeriveKeyPairError}
*/
async deriveKeyPair(ikm) {
await this._setup();
return await this._kem.deriveKeyPair(ikm);
}
/**
* Imports a public or private key and converts to a {@link CryptoKey}.
*
* Since key parameters for {@link createSenderContext} or {@link createRecipientContext}
* are {@link CryptoKey} format, you have to use this function to convert provided keys
* to {@link CryptoKey}.
*
* Basically, this is a thin wrapper function of
*
* If the error occurred, throws {@link DeserializeError}.
*
* @deprecated Use {@link KemInterface.generateKeyPair} instead.
*
* @param format For now, `'raw'` and `'jwk'` are supported.
* @param key A byte string of a raw key or A {@link JsonWebKey} object.
* @param isPublic The indicator whether the provided key is a public key or not, which is used only for `'raw'` format.
* @returns A public or private CryptoKey.
* @throws {@link DeserializeError}
*/
async importKey(format, key, isPublic = true) {
await this._setup();
return await this._kem.importKey(format, key, isPublic);
}
};
export {
Aead,
AeadId,
BaseError,
CipherSuite2 as CipherSuite,
DecapError,
DeriveKeyPairError,
DeserializeError,
EncapError,
ExportError,
HpkeError,
InvalidParamError,
Kdf,
KdfId,
Kem,
KemId,
MessageLimitReachedError,
NotSupportedError,
OpenError,
SealError,
SerializeError,
ValidationError
};
/*! Bundled license information:
@noble/ciphers/esm/utils.js:
(*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) *)
@noble/hashes/esm/utils.js:
(*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
@noble/curves/esm/abstract/utils.js:
(*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
@noble/curves/esm/abstract/modular.js:
(*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
@noble/curves/esm/abstract/curve.js:
(*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
@noble/curves/esm/abstract/edwards.js:
(*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
@noble/curves/esm/abstract/montgomery.js:
(*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
@noble/curves/esm/ed25519.js:
(*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
@noble/curves/esm/ed448.js:
(*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
*/