{"mappings":"AQAA,IAAA,EAAe,OFCQ,IAAI,YACpB,MAAM,EAAU,IAAI,YDcd,EAAe,AAAC,IACzB,IAAM,EAAS,KAAK,GACd,EAAQ,IAAI,WAAW,EAAO,MAAM,EAC1C,IAAK,IAAI,EAAI,EAAG,EAAI,EAAO,MAAM,CAAE,IAC/B,CAAK,CAAC,EAAE,CAAG,EAAO,UAAU,CAAC,GAEjC,OAAO,CACX,CMvBO,OAAM,UAAkB,MAC3B,WAAW,MAAO,CACd,MAAO,kBACX,CACA,YAAY,CAAO,CAAE,CACjB,IAAI,EACJ,KAAK,CAAC,GACN,IAAI,CAAC,IAAI,CAAG,mBACZ,IAAI,CAAC,IAAI,CAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAChC,AAAkC,OAAlC,CAAA,EAAK,MAAM,iBAAgB,AAAhB,GAA+B,AAAO,KAAK,IAAZ,GAAyB,EAAG,IAAI,CAAC,MAAO,IAAI,CAAE,IAAI,CAAC,WAAW,CAC7G,CACJ,CAqEO,MAAM,UAAmB,EAC5B,aAAc,CACV,KAAK,IAAI,WACT,IAAI,CAAC,IAAI,CAAG,iBAChB,CACA,WAAW,MAAO,CACd,MAAO,iBACX,CACJ,CEvFe,AAAA,EAAO,eAAe,CAAC,IAAI,CAAC,G+BQhB,S8BPpB,MAAM,ErEsBS,AAAC,IACnB,IAAI,EAAU,EACV,aAAmB,YACnB,CAAA,EAAU,AAAA,EAAQ,MAAM,CAAC,EAD7B,EAGA,EAAU,EAAQ,OAAO,CAAC,KAAM,KAAK,OAAO,CAAC,KAAM,KAAK,OAAO,CAAC,MAAO,IACvE,GAAI,CACA,OAAO,EAAa,EACxB,CACA,MAAO,EAAI,CACP,MAAM,AAAI,UAAU,oDACxB,CACJ,GJiBA,AApCA,WACI,IAAM,EAAoB,IAAI,gBAAgB,OAAO,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,YAE1E,GAAI,CAAC,EACD,OAGJ,IAAM,EAAU,A0EpBb,SAAmB,CAAG,MAUrB,EAOA,EAhBJ,GAAI,AAAe,UAAf,OAAO,EACP,MAAM,IAAI,EAAW,iEACzB,GAAM,CAAE,EAAG,CAAO,CAAA,OAAE,CAAM,CAAE,CAAG,EAAI,KAAK,CAAC,KACzC,GAAI,AAAW,IAAX,EACA,MAAM,IAAI,EAAW,4DACzB,GAAI,AAAW,IAAX,EACA,MAAM,IAAI,EAAW,eACzB,GAAI,CAAC,EACD,MAAM,IAAI,EAAW,+BAEzB,GAAI,CACA,EAAU,AAAA,EAAU,EACxB,CACA,MAAO,EAAI,CACP,MAAM,IAAI,EAAW,gDACzB,CAEA,GAAI,CACA,EAAS,KAAK,KAAK,CAAC,AAAA,EAAQ,MAAM,CAAC,GACvC,CACA,MAAO,EAAI,CACP,MAAM,IAAI,EAAW,8CACzB,CACA,GAAI,CAAC,ArDzBM,SAAkB,CAAK,EAClC,GAAI,CAHG,CAAA,AAAiB,UAAjB,OAGW,GAHkB,AAAU,OAG5B,CAHlB,GAG4B,AAA0C,oBAA1C,OAAO,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,GACvD,MAAO,CAAA,EAEX,GAAI,AAAiC,OAAjC,OAAO,cAAc,CAAC,GACtB,MAAO,CAAA,EAEX,IAAI,EAAQ,EACZ,KAAO,AAAiC,OAAjC,OAAO,cAAc,CAAC,IACzB,EAAQ,OAAO,cAAc,CAAC,GAElC,OAAO,OAAO,cAAc,CAAC,KAAW,CAC5C,EqDakB,GACV,MAAM,IAAI,EAAW,0BACzB,OAAO,CACX,E1EPmC,GAEzB,EAAY,SAAS,cAAc,CAAC,iBAEpC,EAAS,SAAS,aAAa,CAAC,MAItC,IAAK,IAAM,KAHX,EAAO,WAAW,CAAG,oBACrB,EAAU,MAAM,CAAC,GAEG,EAAS,CACzB,IAAM,EAAO,AAvBrB,SAAuB,CAAa,EAChC,IAAM,EAAO,SAAS,aAAa,CAAC,KAGpC,OAFA,EAAK,SAAS,CAAG,gBACjB,EAAK,WAAW,CAAG,CAAC,EAAE,EAAM,CAAC,CAAC,CACvB,CACX,EAkBmC,GACrB,EAAQ,AA/BtB,SAAyB,CAAmB,CAAE,CAAa,EACvD,IAAM,EAAQ,SAAS,aAAa,CAAC,KAGrC,OAFA,EAAM,SAAS,CAAG,iBAClB,EAAM,WAAW,CAAG,CAAC,EAAE,CAAO,CAAC,EAAM,CAAC,CAAC,CAChC,CACX,EA0BsC,EAAS,GACjC,EAAK,SAAS,aAAa,CAAC,MAClC,EAAU,MAAM,CAAC,GACjB,EAAU,MAAM,CAAC,GACjB,EAAU,MAAM,CAAC,EACrB,CACJ,IAcA,AAZA,WAGI,GAAI,CAFsB,IAAI,gBAAgB,OAAO,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,YAElD,CACpB,SAAS,cAAc,CAAC,UAAU,KAAK,CAAC,OAAO,CAAG,OAClD,MACJ,CAEA,SAAS,cAAc,CAAC,SAAS,KAAK,CAAC,OAAO,CAAG,MACrD","sources":["","src/scripts/app.ts","node_modules/jose/dist/browser/index.js","node_modules/jose/dist/browser/jwe/compact/decrypt.js","node_modules/jose/dist/browser/jwe/flattened/decrypt.js","node_modules/jose/dist/browser/runtime/base64url.js","node_modules/jose/dist/browser/lib/buffer_utils.js","node_modules/jose/dist/browser/runtime/digest.js","node_modules/jose/dist/browser/runtime/webcrypto.js","node_modules/jose/dist/browser/runtime/decrypt.js","node_modules/jose/dist/browser/lib/check_iv_length.js","node_modules/jose/dist/browser/util/errors.js","node_modules/jose/dist/browser/lib/iv.js","node_modules/jose/dist/browser/runtime/random.js","node_modules/jose/dist/browser/runtime/check_cek_length.js","node_modules/jose/dist/browser/runtime/timing_safe_equal.js","node_modules/jose/dist/browser/lib/crypto_key.js","node_modules/jose/dist/browser/runtime/env.js","node_modules/jose/dist/browser/lib/invalid_key_input.js","node_modules/jose/dist/browser/runtime/is_key_like.js","node_modules/jose/dist/browser/runtime/zlib.js","node_modules/jose/dist/browser/lib/is_disjoint.js","node_modules/jose/dist/browser/lib/is_object.js","node_modules/jose/dist/browser/lib/decrypt_key_management.js","node_modules/jose/dist/browser/runtime/aeskw.js","node_modules/jose/dist/browser/runtime/bogus.js","node_modules/jose/dist/browser/runtime/ecdhes.js","node_modules/jose/dist/browser/runtime/pbes2kw.js","node_modules/jose/dist/browser/lib/check_p2s.js","node_modules/jose/dist/browser/runtime/rsaes.js","node_modules/jose/dist/browser/runtime/subtle_rsaes.js","node_modules/jose/dist/browser/runtime/check_key_length.js","node_modules/jose/dist/browser/lib/cek.js","node_modules/jose/dist/browser/key/import.js","node_modules/jose/dist/browser/runtime/asn1.js","node_modules/jose/dist/browser/lib/format_pem.js","node_modules/jose/dist/browser/runtime/jwk_to_key.js","node_modules/jose/dist/browser/lib/check_key_type.js","node_modules/jose/dist/browser/lib/aesgcmkw.js","node_modules/jose/dist/browser/runtime/encrypt.js","node_modules/jose/dist/browser/lib/validate_crit.js","node_modules/jose/dist/browser/lib/validate_algorithms.js","node_modules/jose/dist/browser/jwe/general/decrypt.js","node_modules/jose/dist/browser/jwe/general/encrypt.js","node_modules/jose/dist/browser/jwe/flattened/encrypt.js","node_modules/jose/dist/browser/lib/encrypt_key_management.js","node_modules/jose/dist/browser/key/export.js","node_modules/jose/dist/browser/runtime/key_to_jwk.js","node_modules/jose/dist/browser/jws/compact/verify.js","node_modules/jose/dist/browser/jws/flattened/verify.js","node_modules/jose/dist/browser/runtime/verify.js","node_modules/jose/dist/browser/runtime/subtle_dsa.js","node_modules/jose/dist/browser/runtime/get_sign_verify_key.js","node_modules/jose/dist/browser/jws/general/verify.js","node_modules/jose/dist/browser/jwt/verify.js","node_modules/jose/dist/browser/lib/jwt_claims_set.js","node_modules/jose/dist/browser/lib/epoch.js","node_modules/jose/dist/browser/lib/secs.js","node_modules/jose/dist/browser/jwt/decrypt.js","node_modules/jose/dist/browser/jwe/compact/encrypt.js","node_modules/jose/dist/browser/jws/compact/sign.js","node_modules/jose/dist/browser/jws/flattened/sign.js","node_modules/jose/dist/browser/runtime/sign.js","node_modules/jose/dist/browser/jws/general/sign.js","node_modules/jose/dist/browser/jwt/sign.js","node_modules/jose/dist/browser/jwt/produce.js","node_modules/jose/dist/browser/jwt/encrypt.js","node_modules/jose/dist/browser/jwk/thumbprint.js","node_modules/jose/dist/browser/jwk/embedded.js","node_modules/jose/dist/browser/jwks/local.js","node_modules/jose/dist/browser/jwks/remote.js","node_modules/jose/dist/browser/runtime/fetch_jwks.js","node_modules/jose/dist/browser/jwt/unsecured.js","node_modules/jose/dist/browser/util/decode_protected_header.js","node_modules/jose/dist/browser/util/base64url.js","node_modules/jose/dist/browser/util/decode_jwt.js","node_modules/jose/dist/browser/key/generate_key_pair.js","node_modules/jose/dist/browser/runtime/generate.js","node_modules/jose/dist/browser/key/generate_secret.js"],"sourcesContent":["var $3f0b33e7ccc65ae0$export$2e2bcd8739ae039 = crypto;\nconst $3f0b33e7ccc65ae0$export$600b5603bbac4c6 = (key)=>key instanceof CryptoKey;\n\n\nconst $491757e359519ceb$var$digest = async (algorithm, data)=>{\n const subtleDigest = `SHA-${algorithm.slice(-3)}`;\n return new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.digest(subtleDigest, data));\n};\nvar $491757e359519ceb$export$2e2bcd8739ae039 = $491757e359519ceb$var$digest;\n\n\nconst $8c3dacf85b96b392$export$5486af06137bf21a = new TextEncoder();\nconst $8c3dacf85b96b392$export$124c96e6ce37090b = new TextDecoder();\nconst $8c3dacf85b96b392$var$MAX_INT32 = 2 ** 32;\nfunction $8c3dacf85b96b392$export$ee1b3e54f0441b22(...buffers) {\n const size = buffers.reduce((acc, { length: length })=>acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n buffers.forEach((buffer)=>{\n buf.set(buffer, i);\n i += buffer.length;\n });\n return buf;\n}\nfunction $8c3dacf85b96b392$export$256d3ca12372f112(alg, p2sInput) {\n return $8c3dacf85b96b392$export$ee1b3e54f0441b22($8c3dacf85b96b392$export$5486af06137bf21a.encode(alg), new Uint8Array([\n 0\n ]), p2sInput);\n}\nfunction $8c3dacf85b96b392$var$writeUInt32BE(buf, value, offset) {\n if (value < 0 || value >= $8c3dacf85b96b392$var$MAX_INT32) throw new RangeError(`value must be >= 0 and <= ${$8c3dacf85b96b392$var$MAX_INT32 - 1}. Received ${value}`);\n buf.set([\n value >>> 24,\n value >>> 16,\n value >>> 8,\n value & 0xff\n ], offset);\n}\nfunction $8c3dacf85b96b392$export$e7b531e00a18fdd7(value) {\n const high = Math.floor(value / $8c3dacf85b96b392$var$MAX_INT32);\n const low = value % $8c3dacf85b96b392$var$MAX_INT32;\n const buf = new Uint8Array(8);\n $8c3dacf85b96b392$var$writeUInt32BE(buf, high, 0);\n $8c3dacf85b96b392$var$writeUInt32BE(buf, low, 4);\n return buf;\n}\nfunction $8c3dacf85b96b392$export$74c16dba6c885532(value) {\n const buf = new Uint8Array(4);\n $8c3dacf85b96b392$var$writeUInt32BE(buf, value);\n return buf;\n}\nfunction $8c3dacf85b96b392$export$c1498c4a3718d967(input) {\n return $8c3dacf85b96b392$export$ee1b3e54f0441b22($8c3dacf85b96b392$export$74c16dba6c885532(input.length), input);\n}\nasync function $8c3dacf85b96b392$export$67163693c21af44f(secret, bits, value) {\n const iterations = Math.ceil((bits >> 3) / 32);\n const res = new Uint8Array(iterations * 32);\n for(let iter = 0; iter < iterations; iter++){\n const buf = new Uint8Array(4 + secret.length + value.length);\n buf.set($8c3dacf85b96b392$export$74c16dba6c885532(iter + 1));\n buf.set(secret, 4);\n buf.set(value, 4 + secret.length);\n res.set(await (0, $491757e359519ceb$export$2e2bcd8739ae039)(\"sha256\", buf), iter * 32);\n }\n return res.slice(0, bits >> 3);\n}\n\n\nconst $54a6e0e463467b0a$export$8fb536984ec8b4d7 = (input)=>{\n let unencoded = input;\n if (typeof unencoded === \"string\") unencoded = (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(unencoded);\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for(let i = 0; i < unencoded.length; i += CHUNK_SIZE)arr.push(String.fromCharCode.apply(null, unencoded.subarray(i, i + CHUNK_SIZE)));\n return btoa(arr.join(\"\"));\n};\nconst $54a6e0e463467b0a$export$c564cdbbe6da493 = (input)=>{\n return $54a6e0e463467b0a$export$8fb536984ec8b4d7(input).replace(/=/g, \"\").replace(/\\+/g, \"-\").replace(/\\//g, \"_\");\n};\nconst $54a6e0e463467b0a$export$94fdf11bafc8de6b = (encoded)=>{\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for(let i = 0; i < binary.length; i++)bytes[i] = binary.charCodeAt(i);\n return bytes;\n};\nconst $54a6e0e463467b0a$export$2f872c0f2117be69 = (input)=>{\n let encoded = input;\n if (encoded instanceof Uint8Array) encoded = (0, $8c3dacf85b96b392$export$124c96e6ce37090b).decode(encoded);\n encoded = encoded.replace(/-/g, \"+\").replace(/_/g, \"/\").replace(/\\s/g, \"\");\n try {\n return $54a6e0e463467b0a$export$94fdf11bafc8de6b(encoded);\n } catch (_a) {\n throw new TypeError(\"The input to be decoded is not correctly encoded.\");\n }\n};\n\n\n\nclass $599ac781534a947a$export$f754d6850d76bf87 extends Error {\n static get code() {\n return \"ERR_JOSE_GENERIC\";\n }\n constructor(message){\n var _a;\n super(message);\n this.code = \"ERR_JOSE_GENERIC\";\n this.name = this.constructor.name;\n (_a = Error.captureStackTrace) === null || _a === void 0 || _a.call(Error, this, this.constructor);\n }\n}\nclass $599ac781534a947a$export$f1e14efb908196e9 extends $599ac781534a947a$export$f754d6850d76bf87 {\n static get code() {\n return \"ERR_JWT_CLAIM_VALIDATION_FAILED\";\n }\n constructor(message, claim = \"unspecified\", reason = \"unspecified\"){\n super(message);\n this.code = \"ERR_JWT_CLAIM_VALIDATION_FAILED\";\n this.claim = claim;\n this.reason = reason;\n }\n}\nclass $599ac781534a947a$export$4b386bf852b7863d extends $599ac781534a947a$export$f754d6850d76bf87 {\n static get code() {\n return \"ERR_JWT_EXPIRED\";\n }\n constructor(message, claim = \"unspecified\", reason = \"unspecified\"){\n super(message);\n this.code = \"ERR_JWT_EXPIRED\";\n this.claim = claim;\n this.reason = reason;\n }\n}\nclass $599ac781534a947a$export$d51fd7fedeccc338 extends $599ac781534a947a$export$f754d6850d76bf87 {\n constructor(){\n super(...arguments);\n this.code = \"ERR_JOSE_ALG_NOT_ALLOWED\";\n }\n static get code() {\n return \"ERR_JOSE_ALG_NOT_ALLOWED\";\n }\n}\nclass $599ac781534a947a$export$19ddbcbf2016ab28 extends $599ac781534a947a$export$f754d6850d76bf87 {\n constructor(){\n super(...arguments);\n this.code = \"ERR_JOSE_NOT_SUPPORTED\";\n }\n static get code() {\n return \"ERR_JOSE_NOT_SUPPORTED\";\n }\n}\nclass $599ac781534a947a$export$1a57512ad9773b2a extends $599ac781534a947a$export$f754d6850d76bf87 {\n constructor(){\n super(...arguments);\n this.code = \"ERR_JWE_DECRYPTION_FAILED\";\n this.message = \"decryption operation failed\";\n }\n static get code() {\n return \"ERR_JWE_DECRYPTION_FAILED\";\n }\n}\nclass $599ac781534a947a$export$19f281f2275f6a15 extends $599ac781534a947a$export$f754d6850d76bf87 {\n constructor(){\n super(...arguments);\n this.code = \"ERR_JWE_INVALID\";\n }\n static get code() {\n return \"ERR_JWE_INVALID\";\n }\n}\nclass $599ac781534a947a$export$e838de724af3d116 extends $599ac781534a947a$export$f754d6850d76bf87 {\n constructor(){\n super(...arguments);\n this.code = \"ERR_JWS_INVALID\";\n }\n static get code() {\n return \"ERR_JWS_INVALID\";\n }\n}\nclass $599ac781534a947a$export$936b39ada0bbfceb extends $599ac781534a947a$export$f754d6850d76bf87 {\n constructor(){\n super(...arguments);\n this.code = \"ERR_JWT_INVALID\";\n }\n static get code() {\n return \"ERR_JWT_INVALID\";\n }\n}\nclass $599ac781534a947a$export$b3992e0f88fb07e3 extends $599ac781534a947a$export$f754d6850d76bf87 {\n constructor(){\n super(...arguments);\n this.code = \"ERR_JWK_INVALID\";\n }\n static get code() {\n return \"ERR_JWK_INVALID\";\n }\n}\nclass $599ac781534a947a$export$9b22c2a1e2403b8e extends $599ac781534a947a$export$f754d6850d76bf87 {\n constructor(){\n super(...arguments);\n this.code = \"ERR_JWKS_INVALID\";\n }\n static get code() {\n return \"ERR_JWKS_INVALID\";\n }\n}\nclass $599ac781534a947a$export$3d5ed1a538bed04e extends $599ac781534a947a$export$f754d6850d76bf87 {\n constructor(){\n super(...arguments);\n this.code = \"ERR_JWKS_NO_MATCHING_KEY\";\n this.message = \"no applicable key found in the JSON Web Key Set\";\n }\n static get code() {\n return \"ERR_JWKS_NO_MATCHING_KEY\";\n }\n}\nclass $599ac781534a947a$export$dc036de401a5c284 extends $599ac781534a947a$export$f754d6850d76bf87 {\n constructor(){\n super(...arguments);\n this.code = \"ERR_JWKS_MULTIPLE_MATCHING_KEYS\";\n this.message = \"multiple matching keys found in the JSON Web Key Set\";\n }\n static get code() {\n return \"ERR_JWKS_MULTIPLE_MATCHING_KEYS\";\n }\n}\nSymbol.asyncIterator;\nclass $599ac781534a947a$export$3f30acebf25c04e6 extends $599ac781534a947a$export$f754d6850d76bf87 {\n constructor(){\n super(...arguments);\n this.code = \"ERR_JWKS_TIMEOUT\";\n this.message = \"request timed out\";\n }\n static get code() {\n return \"ERR_JWKS_TIMEOUT\";\n }\n}\nclass $599ac781534a947a$export$c67a0218e7c50378 extends $599ac781534a947a$export$f754d6850d76bf87 {\n constructor(){\n super(...arguments);\n this.code = \"ERR_JWS_SIGNATURE_VERIFICATION_FAILED\";\n this.message = \"signature verification failed\";\n }\n static get code() {\n return \"ERR_JWS_SIGNATURE_VERIFICATION_FAILED\";\n }\n}\n\n\n\n\nvar $add6505a95ba3e92$export$2e2bcd8739ae039 = (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).getRandomValues.bind((0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039));\n\n\nfunction $da503c283075069a$export$db433e85ac514a95(alg) {\n switch(alg){\n case \"A128GCM\":\n case \"A128GCMKW\":\n case \"A192GCM\":\n case \"A192GCMKW\":\n case \"A256GCM\":\n case \"A256GCMKW\":\n return 96;\n case \"A128CBC-HS256\":\n case \"A192CBC-HS384\":\n case \"A256CBC-HS512\":\n return 128;\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(`Unsupported JWE Algorithm: ${alg}`);\n }\n}\nvar $da503c283075069a$export$2e2bcd8739ae039 = (alg)=>(0, $add6505a95ba3e92$export$2e2bcd8739ae039)(new Uint8Array($da503c283075069a$export$db433e85ac514a95(alg) >> 3));\n\n\nconst $25dfb6cac6481cac$var$checkIvLength = (enc, iv)=>{\n if (iv.length << 3 !== (0, $da503c283075069a$export$db433e85ac514a95)(enc)) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"Invalid Initialization Vector length\");\n};\nvar $25dfb6cac6481cac$export$2e2bcd8739ae039 = $25dfb6cac6481cac$var$checkIvLength;\n\n\n\nconst $49ddc742411ee52a$var$checkCekLength = (cek, expected)=>{\n const actual = cek.byteLength << 3;\n if (actual !== expected) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`);\n};\nvar $49ddc742411ee52a$export$2e2bcd8739ae039 = $49ddc742411ee52a$var$checkCekLength;\n\n\nconst $2d83d0a97460fa37$var$timingSafeEqual = (a, b)=>{\n if (!(a instanceof Uint8Array)) throw new TypeError(\"First argument must be a buffer\");\n if (!(b instanceof Uint8Array)) throw new TypeError(\"Second argument must be a buffer\");\n if (a.length !== b.length) throw new TypeError(\"Input buffers must have the same length\");\n const len = a.length;\n let out = 0;\n let i = -1;\n while(++i < len)out |= a[i] ^ b[i];\n return out === 0;\n};\nvar $2d83d0a97460fa37$export$2e2bcd8739ae039 = $2d83d0a97460fa37$var$timingSafeEqual;\n\n\n\n\nfunction $5852df024b41aa91$export$7b262397cadac19f() {\n return typeof WebSocketPair !== \"undefined\" || typeof navigator !== \"undefined\" && navigator.userAgent === \"Cloudflare-Workers\" || typeof EdgeRuntime !== \"undefined\" && EdgeRuntime === \"vercel\";\n}\n\n\nfunction $bd0b36fb17abf4f5$var$unusable(name, prop = \"algorithm.name\") {\n return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\n}\nfunction $bd0b36fb17abf4f5$var$isAlgorithm(algorithm, name) {\n return algorithm.name === name;\n}\nfunction $bd0b36fb17abf4f5$var$getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction $bd0b36fb17abf4f5$var$getNamedCurve(alg) {\n switch(alg){\n case \"ES256\":\n return \"P-256\";\n case \"ES384\":\n return \"P-384\";\n case \"ES512\":\n return \"P-521\";\n default:\n throw new Error(\"unreachable\");\n }\n}\nfunction $bd0b36fb17abf4f5$var$checkUsage(key, usages) {\n if (usages.length && !usages.some((expected)=>key.usages.includes(expected))) {\n let msg = \"CryptoKey does not support this operation, its usages must include \";\n if (usages.length > 2) {\n const last = usages.pop();\n msg += `one of ${usages.join(\", \")}, or ${last}.`;\n } else if (usages.length === 2) msg += `one of ${usages[0]} or ${usages[1]}.`;\n else msg += `${usages[0]}.`;\n throw new TypeError(msg);\n }\n}\nfunction $bd0b36fb17abf4f5$export$39a36029eee6729(key, alg, ...usages) {\n switch(alg){\n case \"HS256\":\n case \"HS384\":\n case \"HS512\":\n {\n if (!$bd0b36fb17abf4f5$var$isAlgorithm(key.algorithm, \"HMAC\")) throw $bd0b36fb17abf4f5$var$unusable(\"HMAC\");\n const expected = parseInt(alg.slice(2), 10);\n const actual = $bd0b36fb17abf4f5$var$getHashLength(key.algorithm.hash);\n if (actual !== expected) throw $bd0b36fb17abf4f5$var$unusable(`SHA-${expected}`, \"algorithm.hash\");\n break;\n }\n case \"RS256\":\n case \"RS384\":\n case \"RS512\":\n {\n if (!$bd0b36fb17abf4f5$var$isAlgorithm(key.algorithm, \"RSASSA-PKCS1-v1_5\")) throw $bd0b36fb17abf4f5$var$unusable(\"RSASSA-PKCS1-v1_5\");\n const expected = parseInt(alg.slice(2), 10);\n const actual = $bd0b36fb17abf4f5$var$getHashLength(key.algorithm.hash);\n if (actual !== expected) throw $bd0b36fb17abf4f5$var$unusable(`SHA-${expected}`, \"algorithm.hash\");\n break;\n }\n case \"PS256\":\n case \"PS384\":\n case \"PS512\":\n {\n if (!$bd0b36fb17abf4f5$var$isAlgorithm(key.algorithm, \"RSA-PSS\")) throw $bd0b36fb17abf4f5$var$unusable(\"RSA-PSS\");\n const expected = parseInt(alg.slice(2), 10);\n const actual = $bd0b36fb17abf4f5$var$getHashLength(key.algorithm.hash);\n if (actual !== expected) throw $bd0b36fb17abf4f5$var$unusable(`SHA-${expected}`, \"algorithm.hash\");\n break;\n }\n case \"EdDSA\":\n if (key.algorithm.name !== \"Ed25519\" && key.algorithm.name !== \"Ed448\") {\n if ((0, $5852df024b41aa91$export$7b262397cadac19f)()) {\n if ($bd0b36fb17abf4f5$var$isAlgorithm(key.algorithm, \"NODE-ED25519\")) break;\n throw $bd0b36fb17abf4f5$var$unusable(\"Ed25519, Ed448, or NODE-ED25519\");\n }\n throw $bd0b36fb17abf4f5$var$unusable(\"Ed25519 or Ed448\");\n }\n break;\n case \"ES256\":\n case \"ES384\":\n case \"ES512\":\n {\n if (!$bd0b36fb17abf4f5$var$isAlgorithm(key.algorithm, \"ECDSA\")) throw $bd0b36fb17abf4f5$var$unusable(\"ECDSA\");\n const expected = $bd0b36fb17abf4f5$var$getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected) throw $bd0b36fb17abf4f5$var$unusable(expected, \"algorithm.namedCurve\");\n break;\n }\n default:\n throw new TypeError(\"CryptoKey does not support this operation\");\n }\n $bd0b36fb17abf4f5$var$checkUsage(key, usages);\n}\nfunction $bd0b36fb17abf4f5$export$41a67f89f6678b35(key, alg, ...usages) {\n switch(alg){\n case \"A128GCM\":\n case \"A192GCM\":\n case \"A256GCM\":\n {\n if (!$bd0b36fb17abf4f5$var$isAlgorithm(key.algorithm, \"AES-GCM\")) throw $bd0b36fb17abf4f5$var$unusable(\"AES-GCM\");\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected) throw $bd0b36fb17abf4f5$var$unusable(expected, \"algorithm.length\");\n break;\n }\n case \"A128KW\":\n case \"A192KW\":\n case \"A256KW\":\n {\n if (!$bd0b36fb17abf4f5$var$isAlgorithm(key.algorithm, \"AES-KW\")) throw $bd0b36fb17abf4f5$var$unusable(\"AES-KW\");\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected) throw $bd0b36fb17abf4f5$var$unusable(expected, \"algorithm.length\");\n break;\n }\n case \"ECDH\":\n switch(key.algorithm.name){\n case \"ECDH\":\n case \"X25519\":\n case \"X448\":\n break;\n default:\n throw $bd0b36fb17abf4f5$var$unusable(\"ECDH, X25519, or X448\");\n }\n break;\n case \"PBES2-HS256+A128KW\":\n case \"PBES2-HS384+A192KW\":\n case \"PBES2-HS512+A256KW\":\n if (!$bd0b36fb17abf4f5$var$isAlgorithm(key.algorithm, \"PBKDF2\")) throw $bd0b36fb17abf4f5$var$unusable(\"PBKDF2\");\n break;\n case \"RSA-OAEP\":\n case \"RSA-OAEP-256\":\n case \"RSA-OAEP-384\":\n case \"RSA-OAEP-512\":\n {\n if (!$bd0b36fb17abf4f5$var$isAlgorithm(key.algorithm, \"RSA-OAEP\")) throw $bd0b36fb17abf4f5$var$unusable(\"RSA-OAEP\");\n const expected = parseInt(alg.slice(9), 10) || 1;\n const actual = $bd0b36fb17abf4f5$var$getHashLength(key.algorithm.hash);\n if (actual !== expected) throw $bd0b36fb17abf4f5$var$unusable(`SHA-${expected}`, \"algorithm.hash\");\n break;\n }\n default:\n throw new TypeError(\"CryptoKey does not support this operation\");\n }\n $bd0b36fb17abf4f5$var$checkUsage(key, usages);\n}\n\n\nfunction $233e587bc0c17441$var$message(msg, actual, ...types) {\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(\", \")}, or ${last}.`;\n } else if (types.length === 2) msg += `one of type ${types[0]} or ${types[1]}.`;\n else msg += `of type ${types[0]}.`;\n if (actual == null) msg += ` Received ${actual}`;\n else if (typeof actual === \"function\" && actual.name) msg += ` Received function ${actual.name}`;\n else if (typeof actual === \"object\" && actual != null) {\n if (actual.constructor && actual.constructor.name) msg += ` Received an instance of ${actual.constructor.name}`;\n }\n return msg;\n}\nvar $233e587bc0c17441$export$2e2bcd8739ae039 = (actual, ...types)=>{\n return $233e587bc0c17441$var$message(\"Key must be \", actual, ...types);\n};\nfunction $233e587bc0c17441$export$e94f758d09bc1828(alg, actual, ...types) {\n return $233e587bc0c17441$var$message(`Key for the ${alg} algorithm must be `, actual, ...types);\n}\n\n\n\nvar $002bdc4a0215a55c$export$2e2bcd8739ae039 = (key)=>{\n return (0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(key);\n};\nconst $002bdc4a0215a55c$export$b14ad400b1d09e0f = [\n \"CryptoKey\"\n];\n\n\nasync function $8e3c9f32bae103db$var$cbcDecrypt(enc, cek, ciphertext, iv, tag, aad) {\n if (!(cek instanceof Uint8Array)) throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(cek, \"Uint8Array\"));\n const keySize = parseInt(enc.slice(1, 4), 10);\n const encKey = await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"raw\", cek.subarray(keySize >> 3), \"AES-CBC\", false, [\n \"decrypt\"\n ]);\n const macKey = await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"raw\", cek.subarray(0, keySize >> 3), {\n hash: `SHA-${keySize << 1}`,\n name: \"HMAC\"\n }, false, [\n \"sign\"\n ]);\n const macData = (0, $8c3dacf85b96b392$export$ee1b3e54f0441b22)(aad, iv, ciphertext, (0, $8c3dacf85b96b392$export$e7b531e00a18fdd7)(aad.length << 3));\n const expectedTag = new Uint8Array((await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.sign(\"HMAC\", macKey, macData)).slice(0, keySize >> 3));\n let macCheckPassed;\n try {\n macCheckPassed = (0, $2d83d0a97460fa37$export$2e2bcd8739ae039)(tag, expectedTag);\n } catch (_a) {}\n if (!macCheckPassed) throw new (0, $599ac781534a947a$export$1a57512ad9773b2a)();\n let plaintext;\n try {\n plaintext = new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.decrypt({\n iv: iv,\n name: \"AES-CBC\"\n }, encKey, ciphertext));\n } catch (_b) {}\n if (!plaintext) throw new (0, $599ac781534a947a$export$1a57512ad9773b2a)();\n return plaintext;\n}\nasync function $8e3c9f32bae103db$var$gcmDecrypt(enc, cek, ciphertext, iv, tag, aad) {\n let encKey;\n if (cek instanceof Uint8Array) encKey = await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"raw\", cek, \"AES-GCM\", false, [\n \"decrypt\"\n ]);\n else {\n (0, $bd0b36fb17abf4f5$export$41a67f89f6678b35)(cek, enc, \"decrypt\");\n encKey = cek;\n }\n try {\n return new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.decrypt({\n additionalData: aad,\n iv: iv,\n name: \"AES-GCM\",\n tagLength: 128\n }, encKey, (0, $8c3dacf85b96b392$export$ee1b3e54f0441b22)(ciphertext, tag)));\n } catch (_a) {\n throw new (0, $599ac781534a947a$export$1a57512ad9773b2a)();\n }\n}\nconst $8e3c9f32bae103db$var$decrypt = async (enc, cek, ciphertext, iv, tag, aad)=>{\n if (!(0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(cek) && !(cek instanceof Uint8Array)) throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(cek, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f), \"Uint8Array\"));\n (0, $25dfb6cac6481cac$export$2e2bcd8739ae039)(enc, iv);\n switch(enc){\n case \"A128CBC-HS256\":\n case \"A192CBC-HS384\":\n case \"A256CBC-HS512\":\n if (cek instanceof Uint8Array) (0, $49ddc742411ee52a$export$2e2bcd8739ae039)(cek, parseInt(enc.slice(-3), 10));\n return $8e3c9f32bae103db$var$cbcDecrypt(enc, cek, ciphertext, iv, tag, aad);\n case \"A128GCM\":\n case \"A192GCM\":\n case \"A256GCM\":\n if (cek instanceof Uint8Array) (0, $49ddc742411ee52a$export$2e2bcd8739ae039)(cek, parseInt(enc.slice(1, 4), 10));\n return $8e3c9f32bae103db$var$gcmDecrypt(enc, cek, ciphertext, iv, tag, aad);\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(\"Unsupported JWE Content Encryption Algorithm\");\n }\n};\nvar $8e3c9f32bae103db$export$2e2bcd8739ae039 = $8e3c9f32bae103db$var$decrypt;\n\n\n\nconst $183cd4e96b76501e$export$cae1ce83fe4a1782 = async ()=>{\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('JWE \"zip\" (Compression Algorithm) Header Parameter is not supported by your javascript runtime. You need to use the `inflateRaw` decrypt option to provide Inflate Raw implementation.');\n};\nconst $183cd4e96b76501e$export$2316623ecd1285ab = async ()=>{\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('JWE \"zip\" (Compression Algorithm) Header Parameter is not supported by your javascript runtime. You need to use the `deflateRaw` encrypt option to provide Deflate Raw implementation.');\n};\n\n\n\nconst $751ed1ebc64f8b96$var$isDisjoint = (...headers)=>{\n const sources = headers.filter(Boolean);\n if (sources.length === 0 || sources.length === 1) return true;\n let acc;\n for (const header of sources){\n const parameters = Object.keys(header);\n if (!acc || acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters){\n if (acc.has(parameter)) return false;\n acc.add(parameter);\n }\n }\n return true;\n};\nvar $751ed1ebc64f8b96$export$2e2bcd8739ae039 = $751ed1ebc64f8b96$var$isDisjoint;\n\n\nfunction $319a04fbce04ffdb$var$isObjectLike(value) {\n return typeof value === \"object\" && value !== null;\n}\nfunction $319a04fbce04ffdb$export$2e2bcd8739ae039(input) {\n if (!$319a04fbce04ffdb$var$isObjectLike(input) || Object.prototype.toString.call(input) !== \"[object Object]\") return false;\n if (Object.getPrototypeOf(input) === null) return true;\n let proto = input;\n while(Object.getPrototypeOf(proto) !== null)proto = Object.getPrototypeOf(proto);\n return Object.getPrototypeOf(input) === proto;\n}\n\n\nconst $4947afff5b50c769$var$bogusWebCrypto = [\n {\n hash: \"SHA-256\",\n name: \"HMAC\"\n },\n true,\n [\n \"sign\"\n ]\n];\nvar $4947afff5b50c769$export$2e2bcd8739ae039 = $4947afff5b50c769$var$bogusWebCrypto;\n\n\n\n\n\n\nfunction $224272b9dcd7f753$var$checkKeySize(key, alg) {\n if (key.algorithm.length !== parseInt(alg.slice(1, 4), 10)) throw new TypeError(`Invalid key size for alg: ${alg}`);\n}\nfunction $224272b9dcd7f753$var$getCryptoKey(key, alg, usage) {\n if ((0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(key)) {\n (0, $bd0b36fb17abf4f5$export$41a67f89f6678b35)(key, alg, usage);\n return key;\n }\n if (key instanceof Uint8Array) return (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"raw\", key, \"AES-KW\", true, [\n usage\n ]);\n throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(key, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f), \"Uint8Array\"));\n}\nconst $224272b9dcd7f753$export$4997ffc0176396a6 = async (alg, key, cek)=>{\n const cryptoKey = await $224272b9dcd7f753$var$getCryptoKey(key, alg, \"wrapKey\");\n $224272b9dcd7f753$var$checkKeySize(cryptoKey, alg);\n const cryptoKeyCek = await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"raw\", cek, ...(0, $4947afff5b50c769$export$2e2bcd8739ae039));\n return new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.wrapKey(\"raw\", cryptoKeyCek, cryptoKey, \"AES-KW\"));\n};\nconst $224272b9dcd7f753$export$debb760848ca95a = async (alg, key, encryptedKey)=>{\n const cryptoKey = await $224272b9dcd7f753$var$getCryptoKey(key, alg, \"unwrapKey\");\n $224272b9dcd7f753$var$checkKeySize(cryptoKey, alg);\n const cryptoKeyCek = await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.unwrapKey(\"raw\", encryptedKey, cryptoKey, \"AES-KW\", ...(0, $4947afff5b50c769$export$2e2bcd8739ae039));\n return new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.exportKey(\"raw\", cryptoKeyCek));\n};\n\n\n\n\n\n\n\nasync function $44ac2949c0fdd669$export$87770b6b245073b5(publicKey, privateKey, algorithm, keyLength, apu = new Uint8Array(0), apv = new Uint8Array(0)) {\n if (!(0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(publicKey)) throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(publicKey, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f)));\n (0, $bd0b36fb17abf4f5$export$41a67f89f6678b35)(publicKey, \"ECDH\");\n if (!(0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(privateKey)) throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(privateKey, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f)));\n (0, $bd0b36fb17abf4f5$export$41a67f89f6678b35)(privateKey, \"ECDH\", \"deriveBits\");\n const value = (0, $8c3dacf85b96b392$export$ee1b3e54f0441b22)((0, $8c3dacf85b96b392$export$c1498c4a3718d967)((0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(algorithm)), (0, $8c3dacf85b96b392$export$c1498c4a3718d967)(apu), (0, $8c3dacf85b96b392$export$c1498c4a3718d967)(apv), (0, $8c3dacf85b96b392$export$74c16dba6c885532)(keyLength));\n let length;\n if (publicKey.algorithm.name === \"X25519\") length = 256;\n else if (publicKey.algorithm.name === \"X448\") length = 448;\n else length = Math.ceil(parseInt(publicKey.algorithm.namedCurve.substr(-3), 10) / 8) << 3;\n const sharedSecret = new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.deriveBits({\n name: publicKey.algorithm.name,\n public: publicKey\n }, privateKey, length));\n return (0, $8c3dacf85b96b392$export$67163693c21af44f)(sharedSecret, keyLength, value);\n}\nasync function $44ac2949c0fdd669$export$1338dee8c889e310(key) {\n if (!(0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(key)) throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(key, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f)));\n return (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.generateKey(key.algorithm, true, [\n \"deriveBits\"\n ]);\n}\nfunction $44ac2949c0fdd669$export$f28ab77d793719b2(key) {\n if (!(0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(key)) throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(key, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f)));\n return [\n \"P-256\",\n \"P-384\",\n \"P-521\"\n ].includes(key.algorithm.namedCurve) || key.algorithm.name === \"X25519\" || key.algorithm.name === \"X448\";\n}\n\n\n\n\n\n\n\nfunction $6509599917539a0f$export$2e2bcd8739ae039(p2s) {\n if (!(p2s instanceof Uint8Array) || p2s.length < 8) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"PBES2 Salt Input must be 8 or more octets\");\n}\n\n\n\n\n\n\nfunction $4c1ef315ddeae8f1$var$getCryptoKey(key, alg) {\n if (key instanceof Uint8Array) return (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"raw\", key, \"PBKDF2\", false, [\n \"deriveBits\"\n ]);\n if ((0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(key)) {\n (0, $bd0b36fb17abf4f5$export$41a67f89f6678b35)(key, alg, \"deriveBits\", \"deriveKey\");\n return key;\n }\n throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(key, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f), \"Uint8Array\"));\n}\nasync function $4c1ef315ddeae8f1$var$deriveKey(p2s, alg, p2c, key) {\n (0, $6509599917539a0f$export$2e2bcd8739ae039)(p2s);\n const salt = (0, $8c3dacf85b96b392$export$256d3ca12372f112)(alg, p2s);\n const keylen = parseInt(alg.slice(13, 16), 10);\n const subtleAlg = {\n hash: `SHA-${alg.slice(8, 11)}`,\n iterations: p2c,\n name: \"PBKDF2\",\n salt: salt\n };\n const wrapAlg = {\n length: keylen,\n name: \"AES-KW\"\n };\n const cryptoKey = await $4c1ef315ddeae8f1$var$getCryptoKey(key, alg);\n if (cryptoKey.usages.includes(\"deriveBits\")) return new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.deriveBits(subtleAlg, cryptoKey, keylen));\n if (cryptoKey.usages.includes(\"deriveKey\")) return (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.deriveKey(subtleAlg, cryptoKey, wrapAlg, false, [\n \"wrapKey\",\n \"unwrapKey\"\n ]);\n throw new TypeError('PBKDF2 key \"usages\" must include \"deriveBits\" or \"deriveKey\"');\n}\nconst $4c1ef315ddeae8f1$export$5b0f6292f11d1d18 = async (alg, key, cek, p2c = 2048, p2s = (0, $add6505a95ba3e92$export$2e2bcd8739ae039)(new Uint8Array(16)))=>{\n const derived = await $4c1ef315ddeae8f1$var$deriveKey(p2s, alg, p2c, key);\n const encryptedKey = await (0, $224272b9dcd7f753$export$4997ffc0176396a6)(alg.slice(-6), derived, cek);\n return {\n encryptedKey: encryptedKey,\n p2c: p2c,\n p2s: (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(p2s)\n };\n};\nconst $4c1ef315ddeae8f1$export$e85a0c9a1067c5d3 = async (alg, key, encryptedKey, p2c, p2s)=>{\n const derived = await $4c1ef315ddeae8f1$var$deriveKey(p2s, alg, p2c, key);\n return (0, $224272b9dcd7f753$export$debb760848ca95a)(alg.slice(-6), derived, encryptedKey);\n};\n\n\n\nfunction $46fa41cd273de294$export$2e2bcd8739ae039(alg) {\n switch(alg){\n case \"RSA-OAEP\":\n case \"RSA-OAEP-256\":\n case \"RSA-OAEP-384\":\n case \"RSA-OAEP-512\":\n return \"RSA-OAEP\";\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\n\n\n\n\n\nvar $2c8180cef663e103$export$2e2bcd8739ae039 = (alg, key)=>{\n if (alg.startsWith(\"RS\") || alg.startsWith(\"PS\")) {\n const { modulusLength: modulusLength } = key.algorithm;\n if (typeof modulusLength !== \"number\" || modulusLength < 2048) throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n};\n\n\n\n\nconst $a05561e091e16287$export$5b0f6292f11d1d18 = async (alg, key, cek)=>{\n if (!(0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(key)) throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(key, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f)));\n (0, $bd0b36fb17abf4f5$export$41a67f89f6678b35)(key, alg, \"encrypt\", \"wrapKey\");\n (0, $2c8180cef663e103$export$2e2bcd8739ae039)(alg, key);\n if (key.usages.includes(\"encrypt\")) return new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.encrypt((0, $46fa41cd273de294$export$2e2bcd8739ae039)(alg), key, cek));\n if (key.usages.includes(\"wrapKey\")) {\n const cryptoKeyCek = await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"raw\", cek, ...(0, $4947afff5b50c769$export$2e2bcd8739ae039));\n return new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.wrapKey(\"raw\", cryptoKeyCek, key, (0, $46fa41cd273de294$export$2e2bcd8739ae039)(alg)));\n }\n throw new TypeError('RSA-OAEP key \"usages\" must include \"encrypt\" or \"wrapKey\" for this operation');\n};\nconst $a05561e091e16287$export$e85a0c9a1067c5d3 = async (alg, key, encryptedKey)=>{\n if (!(0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(key)) throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(key, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f)));\n (0, $bd0b36fb17abf4f5$export$41a67f89f6678b35)(key, alg, \"decrypt\", \"unwrapKey\");\n (0, $2c8180cef663e103$export$2e2bcd8739ae039)(alg, key);\n if (key.usages.includes(\"decrypt\")) return new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.decrypt((0, $46fa41cd273de294$export$2e2bcd8739ae039)(alg), key, encryptedKey));\n if (key.usages.includes(\"unwrapKey\")) {\n const cryptoKeyCek = await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.unwrapKey(\"raw\", encryptedKey, key, (0, $46fa41cd273de294$export$2e2bcd8739ae039)(alg), ...(0, $4947afff5b50c769$export$2e2bcd8739ae039));\n return new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.exportKey(\"raw\", cryptoKeyCek));\n }\n throw new TypeError('RSA-OAEP key \"usages\" must include \"decrypt\" or \"unwrapKey\" for this operation');\n};\n\n\n\n\n\n\nfunction $723ad0955c3ec8bb$export$db433e85ac514a95(alg) {\n switch(alg){\n case \"A128GCM\":\n return 128;\n case \"A192GCM\":\n return 192;\n case \"A256GCM\":\n case \"A128CBC-HS256\":\n return 256;\n case \"A192CBC-HS384\":\n return 384;\n case \"A256CBC-HS512\":\n return 512;\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(`Unsupported JWE Algorithm: ${alg}`);\n }\n}\nvar $723ad0955c3ec8bb$export$2e2bcd8739ae039 = (alg)=>(0, $add6505a95ba3e92$export$2e2bcd8739ae039)(new Uint8Array($723ad0955c3ec8bb$export$db433e85ac514a95(alg) >> 3));\n\n\n\n\n\n\n\nvar $9ffaef5451229e15$export$2e2bcd8739ae039 = (b64, descriptor)=>{\n const newlined = (b64.match(/.{1,64}/g) || []).join(\"\\n\");\n return `-----BEGIN ${descriptor}-----\\n${newlined}\\n-----END ${descriptor}-----`;\n};\n\n\n\n\nconst $b876728f20516af6$var$genericExport = async (keyType, keyFormat, key)=>{\n if (!(0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(key)) throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(key, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f)));\n if (!key.extractable) throw new TypeError(\"CryptoKey is not extractable\");\n if (key.type !== keyType) throw new TypeError(`key is not a ${keyType} key`);\n return (0, $9ffaef5451229e15$export$2e2bcd8739ae039)((0, $54a6e0e463467b0a$export$8fb536984ec8b4d7)(new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.exportKey(keyFormat, key))), `${keyType.toUpperCase()} KEY`);\n};\nconst $b876728f20516af6$export$cfba7e924fe414ca = (key)=>{\n return $b876728f20516af6$var$genericExport(\"public\", \"spki\", key);\n};\nconst $b876728f20516af6$export$cac76a78a90b914d = (key)=>{\n return $b876728f20516af6$var$genericExport(\"private\", \"pkcs8\", key);\n};\nconst $b876728f20516af6$var$findOid = (keyData, oid, from = 0)=>{\n if (from === 0) {\n oid.unshift(oid.length);\n oid.unshift(0x06);\n }\n let i = keyData.indexOf(oid[0], from);\n if (i === -1) return false;\n const sub = keyData.subarray(i, i + oid.length);\n if (sub.length !== oid.length) return false;\n return sub.every((value, index)=>value === oid[index]) || $b876728f20516af6$var$findOid(keyData, oid, i + 1);\n};\nconst $b876728f20516af6$var$getNamedCurve = (keyData)=>{\n switch(true){\n case $b876728f20516af6$var$findOid(keyData, [\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x01,\n 0x07\n ]):\n return \"P-256\";\n case $b876728f20516af6$var$findOid(keyData, [\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x22\n ]):\n return \"P-384\";\n case $b876728f20516af6$var$findOid(keyData, [\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x23\n ]):\n return \"P-521\";\n case $b876728f20516af6$var$findOid(keyData, [\n 0x2b,\n 0x65,\n 0x6e\n ]):\n return \"X25519\";\n case $b876728f20516af6$var$findOid(keyData, [\n 0x2b,\n 0x65,\n 0x6f\n ]):\n return \"X448\";\n case $b876728f20516af6$var$findOid(keyData, [\n 0x2b,\n 0x65,\n 0x70\n ]):\n return \"Ed25519\";\n case $b876728f20516af6$var$findOid(keyData, [\n 0x2b,\n 0x65,\n 0x71\n ]):\n return \"Ed448\";\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(\"Invalid or unsupported EC Key Curve or OKP Key Sub Type\");\n }\n};\nconst $b876728f20516af6$var$genericImport = async (replace, keyFormat, pem, alg, options)=>{\n var _a, _b;\n let algorithm;\n let keyUsages;\n const keyData = new Uint8Array(atob(pem.replace(replace, \"\")).split(\"\").map((c)=>c.charCodeAt(0)));\n const isPublic = keyFormat === \"spki\";\n switch(alg){\n case \"PS256\":\n case \"PS384\":\n case \"PS512\":\n algorithm = {\n name: \"RSA-PSS\",\n hash: `SHA-${alg.slice(-3)}`\n };\n keyUsages = isPublic ? [\n \"verify\"\n ] : [\n \"sign\"\n ];\n break;\n case \"RS256\":\n case \"RS384\":\n case \"RS512\":\n algorithm = {\n name: \"RSASSA-PKCS1-v1_5\",\n hash: `SHA-${alg.slice(-3)}`\n };\n keyUsages = isPublic ? [\n \"verify\"\n ] : [\n \"sign\"\n ];\n break;\n case \"RSA-OAEP\":\n case \"RSA-OAEP-256\":\n case \"RSA-OAEP-384\":\n case \"RSA-OAEP-512\":\n algorithm = {\n name: \"RSA-OAEP\",\n hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`\n };\n keyUsages = isPublic ? [\n \"encrypt\",\n \"wrapKey\"\n ] : [\n \"decrypt\",\n \"unwrapKey\"\n ];\n break;\n case \"ES256\":\n algorithm = {\n name: \"ECDSA\",\n namedCurve: \"P-256\"\n };\n keyUsages = isPublic ? [\n \"verify\"\n ] : [\n \"sign\"\n ];\n break;\n case \"ES384\":\n algorithm = {\n name: \"ECDSA\",\n namedCurve: \"P-384\"\n };\n keyUsages = isPublic ? [\n \"verify\"\n ] : [\n \"sign\"\n ];\n break;\n case \"ES512\":\n algorithm = {\n name: \"ECDSA\",\n namedCurve: \"P-521\"\n };\n keyUsages = isPublic ? [\n \"verify\"\n ] : [\n \"sign\"\n ];\n break;\n case \"ECDH-ES\":\n case \"ECDH-ES+A128KW\":\n case \"ECDH-ES+A192KW\":\n case \"ECDH-ES+A256KW\":\n {\n const namedCurve = $b876728f20516af6$var$getNamedCurve(keyData);\n algorithm = namedCurve.startsWith(\"P-\") ? {\n name: \"ECDH\",\n namedCurve: namedCurve\n } : {\n name: namedCurve\n };\n keyUsages = isPublic ? [] : [\n \"deriveBits\"\n ];\n break;\n }\n case \"EdDSA\":\n algorithm = {\n name: $b876728f20516af6$var$getNamedCurve(keyData)\n };\n keyUsages = isPublic ? [\n \"verify\"\n ] : [\n \"sign\"\n ];\n break;\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Invalid or unsupported \"alg\" (Algorithm) value');\n }\n try {\n return await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(keyFormat, keyData, algorithm, (_a = options === null || options === void 0 ? void 0 : options.extractable) !== null && _a !== void 0 ? _a : false, keyUsages);\n } catch (err) {\n if (algorithm.name === \"Ed25519\" && (err === null || err === void 0 ? void 0 : err.name) === \"NotSupportedError\" && (0, $5852df024b41aa91$export$7b262397cadac19f)()) {\n algorithm = {\n name: \"NODE-ED25519\",\n namedCurve: \"NODE-ED25519\"\n };\n return await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(keyFormat, keyData, algorithm, (_b = options === null || options === void 0 ? void 0 : options.extractable) !== null && _b !== void 0 ? _b : false, keyUsages);\n }\n throw err;\n }\n};\nconst $b876728f20516af6$export$224b0a6339c7267f = (pem, alg, options)=>{\n return $b876728f20516af6$var$genericImport(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\\s)/g, \"pkcs8\", pem, alg, options);\n};\nconst $b876728f20516af6$export$f9a3505cdaa1fb3e = (pem, alg, options)=>{\n return $b876728f20516af6$var$genericImport(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\\s)/g, \"spki\", pem, alg, options);\n};\nfunction $b876728f20516af6$var$getElement(seq) {\n let result = [];\n let next = 0;\n while(next < seq.length){\n let nextPart = $b876728f20516af6$var$parseElement(seq.subarray(next));\n result.push(nextPart);\n next += nextPart.byteLength;\n }\n return result;\n}\nfunction $b876728f20516af6$var$parseElement(bytes) {\n let position = 0;\n let tag = bytes[0] & 0x1f;\n position++;\n if (tag === 0x1f) {\n tag = 0;\n while(bytes[position] >= 0x80){\n tag = tag * 128 + bytes[position] - 0x80;\n position++;\n }\n tag = tag * 128 + bytes[position] - 0x80;\n position++;\n }\n let length = 0;\n if (bytes[position] < 0x80) {\n length = bytes[position];\n position++;\n } else if (length === 0x80) {\n length = 0;\n while(bytes[position + length] !== 0 || bytes[position + length + 1] !== 0){\n if (length > bytes.byteLength) throw new TypeError(\"invalid indefinite form length\");\n length++;\n }\n const byteLength = position + length + 2;\n return {\n byteLength: byteLength,\n contents: bytes.subarray(position, position + length),\n raw: bytes.subarray(0, byteLength)\n };\n } else {\n let numberOfDigits = bytes[position] & 0x7f;\n position++;\n length = 0;\n for(let i = 0; i < numberOfDigits; i++){\n length = length * 256 + bytes[position];\n position++;\n }\n }\n const byteLength = position + length;\n return {\n byteLength: byteLength,\n contents: bytes.subarray(position, byteLength),\n raw: bytes.subarray(0, byteLength)\n };\n}\nfunction $b876728f20516af6$var$spkiFromX509(buf) {\n const tbsCertificate = $b876728f20516af6$var$getElement($b876728f20516af6$var$getElement($b876728f20516af6$var$parseElement(buf).contents)[0].contents);\n return (0, $54a6e0e463467b0a$export$8fb536984ec8b4d7)(tbsCertificate[tbsCertificate[0].raw[0] === 0xa0 ? 6 : 5].raw);\n}\nfunction $b876728f20516af6$var$getSPKI(x509) {\n const pem = x509.replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\\s)/g, \"\");\n const raw = (0, $54a6e0e463467b0a$export$94fdf11bafc8de6b)(pem);\n return (0, $9ffaef5451229e15$export$2e2bcd8739ae039)($b876728f20516af6$var$spkiFromX509(raw), \"PUBLIC KEY\");\n}\nconst $b876728f20516af6$export$ed788b6a8533858f = (pem, alg, options)=>{\n let spki;\n try {\n spki = $b876728f20516af6$var$getSPKI(pem);\n } catch (cause) {\n throw new TypeError(\"failed to parse the X.509 certificate\", {\n cause: cause\n });\n }\n return $b876728f20516af6$export$f9a3505cdaa1fb3e(spki, alg, options);\n};\n\n\n\n\n\n\nfunction $337343867c42a494$var$subtleMapping(jwk) {\n let algorithm;\n let keyUsages;\n switch(jwk.kty){\n case \"oct\":\n switch(jwk.alg){\n case \"HS256\":\n case \"HS384\":\n case \"HS512\":\n algorithm = {\n name: \"HMAC\",\n hash: `SHA-${jwk.alg.slice(-3)}`\n };\n keyUsages = [\n \"sign\",\n \"verify\"\n ];\n break;\n case \"A128CBC-HS256\":\n case \"A192CBC-HS384\":\n case \"A256CBC-HS512\":\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(`${jwk.alg} keys cannot be imported as CryptoKey instances`);\n case \"A128GCM\":\n case \"A192GCM\":\n case \"A256GCM\":\n case \"A128GCMKW\":\n case \"A192GCMKW\":\n case \"A256GCMKW\":\n algorithm = {\n name: \"AES-GCM\"\n };\n keyUsages = [\n \"encrypt\",\n \"decrypt\"\n ];\n break;\n case \"A128KW\":\n case \"A192KW\":\n case \"A256KW\":\n algorithm = {\n name: \"AES-KW\"\n };\n keyUsages = [\n \"wrapKey\",\n \"unwrapKey\"\n ];\n break;\n case \"PBES2-HS256+A128KW\":\n case \"PBES2-HS384+A192KW\":\n case \"PBES2-HS512+A256KW\":\n algorithm = {\n name: \"PBKDF2\"\n };\n keyUsages = [\n \"deriveBits\"\n ];\n break;\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n case \"RSA\":\n switch(jwk.alg){\n case \"PS256\":\n case \"PS384\":\n case \"PS512\":\n algorithm = {\n name: \"RSA-PSS\",\n hash: `SHA-${jwk.alg.slice(-3)}`\n };\n keyUsages = jwk.d ? [\n \"sign\"\n ] : [\n \"verify\"\n ];\n break;\n case \"RS256\":\n case \"RS384\":\n case \"RS512\":\n algorithm = {\n name: \"RSASSA-PKCS1-v1_5\",\n hash: `SHA-${jwk.alg.slice(-3)}`\n };\n keyUsages = jwk.d ? [\n \"sign\"\n ] : [\n \"verify\"\n ];\n break;\n case \"RSA-OAEP\":\n case \"RSA-OAEP-256\":\n case \"RSA-OAEP-384\":\n case \"RSA-OAEP-512\":\n algorithm = {\n name: \"RSA-OAEP\",\n hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`\n };\n keyUsages = jwk.d ? [\n \"decrypt\",\n \"unwrapKey\"\n ] : [\n \"encrypt\",\n \"wrapKey\"\n ];\n break;\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n case \"EC\":\n switch(jwk.alg){\n case \"ES256\":\n algorithm = {\n name: \"ECDSA\",\n namedCurve: \"P-256\"\n };\n keyUsages = jwk.d ? [\n \"sign\"\n ] : [\n \"verify\"\n ];\n break;\n case \"ES384\":\n algorithm = {\n name: \"ECDSA\",\n namedCurve: \"P-384\"\n };\n keyUsages = jwk.d ? [\n \"sign\"\n ] : [\n \"verify\"\n ];\n break;\n case \"ES512\":\n algorithm = {\n name: \"ECDSA\",\n namedCurve: \"P-521\"\n };\n keyUsages = jwk.d ? [\n \"sign\"\n ] : [\n \"verify\"\n ];\n break;\n case \"ECDH-ES\":\n case \"ECDH-ES+A128KW\":\n case \"ECDH-ES+A192KW\":\n case \"ECDH-ES+A256KW\":\n algorithm = {\n name: \"ECDH\",\n namedCurve: jwk.crv\n };\n keyUsages = jwk.d ? [\n \"deriveBits\"\n ] : [];\n break;\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n case \"OKP\":\n switch(jwk.alg){\n case \"EdDSA\":\n algorithm = {\n name: jwk.crv\n };\n keyUsages = jwk.d ? [\n \"sign\"\n ] : [\n \"verify\"\n ];\n break;\n case \"ECDH-ES\":\n case \"ECDH-ES+A128KW\":\n case \"ECDH-ES+A192KW\":\n case \"ECDH-ES+A256KW\":\n algorithm = {\n name: jwk.crv\n };\n keyUsages = jwk.d ? [\n \"deriveBits\"\n ] : [];\n break;\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Invalid or unsupported JWK \"kty\" (Key Type) Parameter value');\n }\n return {\n algorithm: algorithm,\n keyUsages: keyUsages\n };\n}\nconst $337343867c42a494$var$parse = async (jwk)=>{\n var _a, _b;\n if (!jwk.alg) throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n const { algorithm: algorithm, keyUsages: keyUsages } = $337343867c42a494$var$subtleMapping(jwk);\n const rest = [\n algorithm,\n (_a = jwk.ext) !== null && _a !== void 0 ? _a : false,\n (_b = jwk.key_ops) !== null && _b !== void 0 ? _b : keyUsages\n ];\n if (algorithm.name === \"PBKDF2\") return (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"raw\", (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(jwk.k), ...rest);\n const keyData = {\n ...jwk\n };\n delete keyData.alg;\n delete keyData.use;\n try {\n return await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"jwk\", keyData, ...rest);\n } catch (err) {\n if (algorithm.name === \"Ed25519\" && (err === null || err === void 0 ? void 0 : err.name) === \"NotSupportedError\" && (0, $5852df024b41aa91$export$7b262397cadac19f)()) {\n rest[0] = {\n name: \"NODE-ED25519\",\n namedCurve: \"NODE-ED25519\"\n };\n return await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"jwk\", keyData, ...rest);\n }\n throw err;\n }\n};\nvar $337343867c42a494$export$2e2bcd8739ae039 = $337343867c42a494$var$parse;\n\n\n\n\nasync function $d3f3b992c534ed5a$export$7cdfc961c11d0266(spki, alg, options) {\n if (typeof spki !== \"string\" || spki.indexOf(\"-----BEGIN PUBLIC KEY-----\") !== 0) throw new TypeError('\"spki\" must be SPKI formatted string');\n return (0, $b876728f20516af6$export$f9a3505cdaa1fb3e)(spki, alg, options);\n}\nasync function $d3f3b992c534ed5a$export$948757ecbbf4a918(x509, alg, options) {\n if (typeof x509 !== \"string\" || x509.indexOf(\"-----BEGIN CERTIFICATE-----\") !== 0) throw new TypeError('\"x509\" must be X.509 formatted string');\n return (0, $b876728f20516af6$export$ed788b6a8533858f)(x509, alg, options);\n}\nasync function $d3f3b992c534ed5a$export$17f5e7f6d2848df5(pkcs8, alg, options) {\n if (typeof pkcs8 !== \"string\" || pkcs8.indexOf(\"-----BEGIN PRIVATE KEY-----\") !== 0) throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n return (0, $b876728f20516af6$export$224b0a6339c7267f)(pkcs8, alg, options);\n}\nasync function $d3f3b992c534ed5a$export$2b70d37b4d0b888b(jwk, alg, octAsKeyObject) {\n var _a;\n if (!(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(jwk)) throw new TypeError(\"JWK must be an object\");\n alg || (alg = jwk.alg);\n switch(jwk.kty){\n case \"oct\":\n if (typeof jwk.k !== \"string\" || !jwk.k) throw new TypeError('missing \"k\" (Key Value) Parameter value');\n octAsKeyObject !== null && octAsKeyObject !== void 0 ? octAsKeyObject : octAsKeyObject = jwk.ext !== true;\n if (octAsKeyObject) return (0, $337343867c42a494$export$2e2bcd8739ae039)({\n ...jwk,\n alg: alg,\n ext: (_a = jwk.ext) !== null && _a !== void 0 ? _a : false\n });\n return (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(jwk.k);\n case \"RSA\":\n if (jwk.oth !== undefined) throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n case \"EC\":\n case \"OKP\":\n return (0, $337343867c42a494$export$2e2bcd8739ae039)({\n ...jwk,\n alg: alg\n });\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n\n\n\n\nconst $8a5b1565e0dee973$var$symmetricTypeCheck = (alg, key)=>{\n if (key instanceof Uint8Array) return;\n if (!(0, $002bdc4a0215a55c$export$2e2bcd8739ae039)(key)) throw new TypeError((0, $233e587bc0c17441$export$e94f758d09bc1828)(alg, key, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f), \"Uint8Array\"));\n if (key.type !== \"secret\") throw new TypeError(`${(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f).join(\" or \")} instances for symmetric algorithms must be of type \"secret\"`);\n};\nconst $8a5b1565e0dee973$var$asymmetricTypeCheck = (alg, key, usage)=>{\n if (!(0, $002bdc4a0215a55c$export$2e2bcd8739ae039)(key)) throw new TypeError((0, $233e587bc0c17441$export$e94f758d09bc1828)(alg, key, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f)));\n if (key.type === \"secret\") throw new TypeError(`${(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f).join(\" or \")} instances for asymmetric algorithms must not be of type \"secret\"`);\n if (usage === \"sign\" && key.type === \"public\") throw new TypeError(`${(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f).join(\" or \")} instances for asymmetric algorithm signing must be of type \"private\"`);\n if (usage === \"decrypt\" && key.type === \"public\") throw new TypeError(`${(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f).join(\" or \")} instances for asymmetric algorithm decryption must be of type \"private\"`);\n if (key.algorithm && usage === \"verify\" && key.type === \"private\") throw new TypeError(`${(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f).join(\" or \")} instances for asymmetric algorithm verifying must be of type \"public\"`);\n if (key.algorithm && usage === \"encrypt\" && key.type === \"private\") throw new TypeError(`${(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f).join(\" or \")} instances for asymmetric algorithm encryption must be of type \"public\"`);\n};\nconst $8a5b1565e0dee973$var$checkKeyType = (alg, key, usage)=>{\n const symmetric = alg.startsWith(\"HS\") || alg === \"dir\" || alg.startsWith(\"PBES2\") || /^A\\d{3}(?:GCM)?KW$/.test(alg);\n if (symmetric) $8a5b1565e0dee973$var$symmetricTypeCheck(alg, key);\n else $8a5b1565e0dee973$var$asymmetricTypeCheck(alg, key, usage);\n};\nvar $8a5b1565e0dee973$export$2e2bcd8739ae039 = $8a5b1565e0dee973$var$checkKeyType;\n\n\n\n\n\n\n\n\n\n\n\nasync function $ae680723017e3689$var$cbcEncrypt(enc, plaintext, cek, iv, aad) {\n if (!(cek instanceof Uint8Array)) throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(cek, \"Uint8Array\"));\n const keySize = parseInt(enc.slice(1, 4), 10);\n const encKey = await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"raw\", cek.subarray(keySize >> 3), \"AES-CBC\", false, [\n \"encrypt\"\n ]);\n const macKey = await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"raw\", cek.subarray(0, keySize >> 3), {\n hash: `SHA-${keySize << 1}`,\n name: \"HMAC\"\n }, false, [\n \"sign\"\n ]);\n const ciphertext = new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.encrypt({\n iv: iv,\n name: \"AES-CBC\"\n }, encKey, plaintext));\n const macData = (0, $8c3dacf85b96b392$export$ee1b3e54f0441b22)(aad, iv, ciphertext, (0, $8c3dacf85b96b392$export$e7b531e00a18fdd7)(aad.length << 3));\n const tag = new Uint8Array((await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.sign(\"HMAC\", macKey, macData)).slice(0, keySize >> 3));\n return {\n ciphertext: ciphertext,\n tag: tag\n };\n}\nasync function $ae680723017e3689$var$gcmEncrypt(enc, plaintext, cek, iv, aad) {\n let encKey;\n if (cek instanceof Uint8Array) encKey = await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"raw\", cek, \"AES-GCM\", false, [\n \"encrypt\"\n ]);\n else {\n (0, $bd0b36fb17abf4f5$export$41a67f89f6678b35)(cek, enc, \"encrypt\");\n encKey = cek;\n }\n const encrypted = new Uint8Array(await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.encrypt({\n additionalData: aad,\n iv: iv,\n name: \"AES-GCM\",\n tagLength: 128\n }, encKey, plaintext));\n const tag = encrypted.slice(-16);\n const ciphertext = encrypted.slice(0, -16);\n return {\n ciphertext: ciphertext,\n tag: tag\n };\n}\nconst $ae680723017e3689$var$encrypt = async (enc, plaintext, cek, iv, aad)=>{\n if (!(0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(cek) && !(cek instanceof Uint8Array)) throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(cek, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f), \"Uint8Array\"));\n (0, $25dfb6cac6481cac$export$2e2bcd8739ae039)(enc, iv);\n switch(enc){\n case \"A128CBC-HS256\":\n case \"A192CBC-HS384\":\n case \"A256CBC-HS512\":\n if (cek instanceof Uint8Array) (0, $49ddc742411ee52a$export$2e2bcd8739ae039)(cek, parseInt(enc.slice(-3), 10));\n return $ae680723017e3689$var$cbcEncrypt(enc, plaintext, cek, iv, aad);\n case \"A128GCM\":\n case \"A192GCM\":\n case \"A256GCM\":\n if (cek instanceof Uint8Array) (0, $49ddc742411ee52a$export$2e2bcd8739ae039)(cek, parseInt(enc.slice(1, 4), 10));\n return $ae680723017e3689$var$gcmEncrypt(enc, plaintext, cek, iv, aad);\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(\"Unsupported JWE Content Encryption Algorithm\");\n }\n};\nvar $ae680723017e3689$export$2e2bcd8739ae039 = $ae680723017e3689$var$encrypt;\n\n\n\n\n\nasync function $c4131030fcf4d460$export$4997ffc0176396a6(alg, key, cek, iv) {\n const jweAlgorithm = alg.slice(0, 7);\n iv || (iv = (0, $da503c283075069a$export$2e2bcd8739ae039)(jweAlgorithm));\n const { ciphertext: encryptedKey, tag: tag } = await (0, $ae680723017e3689$export$2e2bcd8739ae039)(jweAlgorithm, cek, key, iv, new Uint8Array(0));\n return {\n encryptedKey: encryptedKey,\n iv: (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(iv),\n tag: (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(tag)\n };\n}\nasync function $c4131030fcf4d460$export$debb760848ca95a(alg, key, encryptedKey, iv, tag) {\n const jweAlgorithm = alg.slice(0, 7);\n return (0, $8e3c9f32bae103db$export$2e2bcd8739ae039)(jweAlgorithm, key, encryptedKey, iv, tag, new Uint8Array(0));\n}\n\n\nasync function $491143ea092c3ec9$var$decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) {\n (0, $8a5b1565e0dee973$export$2e2bcd8739ae039)(alg, key, \"decrypt\");\n switch(alg){\n case \"dir\":\n if (encryptedKey !== undefined) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"Encountered unexpected JWE Encrypted Key\");\n return key;\n case \"ECDH-ES\":\n if (encryptedKey !== undefined) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"Encountered unexpected JWE Encrypted Key\");\n case \"ECDH-ES+A128KW\":\n case \"ECDH-ES+A192KW\":\n case \"ECDH-ES+A256KW\":\n {\n if (!(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(joseHeader.epk)) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(`JOSE Header \"epk\" (Ephemeral Public Key) missing or invalid`);\n if (!$44ac2949c0fdd669$export$f28ab77d793719b2(key)) throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(\"ECDH with the provided key is not allowed or not supported by your javascript runtime\");\n const epk = await (0, $d3f3b992c534ed5a$export$2b70d37b4d0b888b)(joseHeader.epk, alg);\n let partyUInfo;\n let partyVInfo;\n if (joseHeader.apu !== undefined) {\n if (typeof joseHeader.apu !== \"string\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(`JOSE Header \"apu\" (Agreement PartyUInfo) invalid`);\n partyUInfo = (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(joseHeader.apu);\n }\n if (joseHeader.apv !== undefined) {\n if (typeof joseHeader.apv !== \"string\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(`JOSE Header \"apv\" (Agreement PartyVInfo) invalid`);\n partyVInfo = (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(joseHeader.apv);\n }\n const sharedSecret = await $44ac2949c0fdd669$export$87770b6b245073b5(epk, key, alg === \"ECDH-ES\" ? joseHeader.enc : alg, alg === \"ECDH-ES\" ? (0, $723ad0955c3ec8bb$export$db433e85ac514a95)(joseHeader.enc) : parseInt(alg.slice(-5, -2), 10), partyUInfo, partyVInfo);\n if (alg === \"ECDH-ES\") return sharedSecret;\n if (encryptedKey === undefined) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Encrypted Key missing\");\n return (0, $224272b9dcd7f753$export$debb760848ca95a)(alg.slice(-6), sharedSecret, encryptedKey);\n }\n case \"RSA1_5\":\n case \"RSA-OAEP\":\n case \"RSA-OAEP-256\":\n case \"RSA-OAEP-384\":\n case \"RSA-OAEP-512\":\n if (encryptedKey === undefined) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Encrypted Key missing\");\n return (0, $a05561e091e16287$export$e85a0c9a1067c5d3)(alg, key, encryptedKey);\n case \"PBES2-HS256+A128KW\":\n case \"PBES2-HS384+A192KW\":\n case \"PBES2-HS512+A256KW\":\n {\n if (encryptedKey === undefined) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Encrypted Key missing\");\n if (typeof joseHeader.p2c !== \"number\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(`JOSE Header \"p2c\" (PBES2 Count) missing or invalid`);\n const p2cLimit = (options === null || options === void 0 ? void 0 : options.maxPBES2Count) || 10000;\n if (joseHeader.p2c > p2cLimit) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(`JOSE Header \"p2c\" (PBES2 Count) out is of acceptable bounds`);\n if (typeof joseHeader.p2s !== \"string\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(`JOSE Header \"p2s\" (PBES2 Salt) missing or invalid`);\n return (0, $4c1ef315ddeae8f1$export$e85a0c9a1067c5d3)(alg, key, encryptedKey, joseHeader.p2c, (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(joseHeader.p2s));\n }\n case \"A128KW\":\n case \"A192KW\":\n case \"A256KW\":\n if (encryptedKey === undefined) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Encrypted Key missing\");\n return (0, $224272b9dcd7f753$export$debb760848ca95a)(alg, key, encryptedKey);\n case \"A128GCMKW\":\n case \"A192GCMKW\":\n case \"A256GCMKW\":\n {\n if (encryptedKey === undefined) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Encrypted Key missing\");\n if (typeof joseHeader.iv !== \"string\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(`JOSE Header \"iv\" (Initialization Vector) missing or invalid`);\n if (typeof joseHeader.tag !== \"string\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(`JOSE Header \"tag\" (Authentication Tag) missing or invalid`);\n const iv = (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(joseHeader.iv);\n const tag = (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(joseHeader.tag);\n return (0, $c4131030fcf4d460$export$debb760848ca95a)(alg, key, encryptedKey, iv, tag);\n }\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Invalid or unsupported \"alg\" (JWE Algorithm) header value');\n }\n}\nvar $491143ea092c3ec9$export$2e2bcd8739ae039 = $491143ea092c3ec9$var$decryptKeyManagement;\n\n\n\n\n\nfunction $0b572ece71b785f0$var$validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader.crit === undefined) throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n if (!protectedHeader || protectedHeader.crit === undefined) return new Set();\n if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input)=>typeof input !== \"string\" || input.length === 0)) throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n let recognized;\n if (recognizedOption !== undefined) recognized = new Map([\n ...Object.entries(recognizedOption),\n ...recognizedDefault.entries()\n ]);\n else recognized = recognizedDefault;\n for (const parameter of protectedHeader.crit){\n if (!recognized.has(parameter)) throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(`Extension Header Parameter \"${parameter}\" is not recognized`);\n if (joseHeader[parameter] === undefined) throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n else if (recognized.get(parameter) && protectedHeader[parameter] === undefined) throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n return new Set(protectedHeader.crit);\n}\nvar $0b572ece71b785f0$export$2e2bcd8739ae039 = $0b572ece71b785f0$var$validateCrit;\n\n\nconst $33550bd8f4719411$var$validateAlgorithms = (option, algorithms)=>{\n if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s)=>typeof s !== \"string\"))) throw new TypeError(`\"${option}\" option must be an array of strings`);\n if (!algorithms) return undefined;\n return new Set(algorithms);\n};\nvar $33550bd8f4719411$export$2e2bcd8739ae039 = $33550bd8f4719411$var$validateAlgorithms;\n\n\nasync function $04c938c2900bb1d1$export$b75cd12892ae94d2(jwe, key, options) {\n var _a;\n if (!(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(jwe)) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"Flattened JWE must be an object\");\n if (jwe.protected === undefined && jwe.header === undefined && jwe.unprotected === undefined) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JOSE Header missing\");\n if (typeof jwe.iv !== \"string\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Initialization Vector missing or incorrect type\");\n if (typeof jwe.ciphertext !== \"string\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Ciphertext missing or incorrect type\");\n if (typeof jwe.tag !== \"string\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Authentication Tag missing or incorrect type\");\n if (jwe.protected !== undefined && typeof jwe.protected !== \"string\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Protected Header incorrect type\");\n if (jwe.encrypted_key !== undefined && typeof jwe.encrypted_key !== \"string\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Encrypted Key incorrect type\");\n if (jwe.aad !== undefined && typeof jwe.aad !== \"string\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE AAD incorrect type\");\n if (jwe.header !== undefined && !(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(jwe.header)) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Shared Unprotected Header incorrect type\");\n if (jwe.unprotected !== undefined && !(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(jwe.unprotected)) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Per-Recipient Unprotected Header incorrect type\");\n let parsedProt;\n if (jwe.protected) try {\n const protectedHeader = (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(jwe.protected);\n parsedProt = JSON.parse((0, $8c3dacf85b96b392$export$124c96e6ce37090b).decode(protectedHeader));\n } catch (_b) {\n throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Protected Header is invalid\");\n }\n if (!(0, $751ed1ebc64f8b96$export$2e2bcd8739ae039)(parsedProt, jwe.header, jwe.unprotected)) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint\");\n const joseHeader = {\n ...parsedProt,\n ...jwe.header,\n ...jwe.unprotected\n };\n (0, $0b572ece71b785f0$export$2e2bcd8739ae039)((0, $599ac781534a947a$export$19f281f2275f6a15), new Map(), options === null || options === void 0 ? void 0 : options.crit, parsedProt, joseHeader);\n if (joseHeader.zip !== undefined) {\n if (!parsedProt || !parsedProt.zip) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)('JWE \"zip\" (Compression Algorithm) Header MUST be integrity protected');\n if (joseHeader.zip !== \"DEF\") throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Unsupported JWE \"zip\" (Compression Algorithm) Header Parameter value');\n }\n const { alg: alg, enc: enc } = joseHeader;\n if (typeof alg !== \"string\" || !alg) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"missing JWE Algorithm (alg) in JWE Header\");\n if (typeof enc !== \"string\" || !enc) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"missing JWE Encryption Algorithm (enc) in JWE Header\");\n const keyManagementAlgorithms = options && (0, $33550bd8f4719411$export$2e2bcd8739ae039)(\"keyManagementAlgorithms\", options.keyManagementAlgorithms);\n const contentEncryptionAlgorithms = options && (0, $33550bd8f4719411$export$2e2bcd8739ae039)(\"contentEncryptionAlgorithms\", options.contentEncryptionAlgorithms);\n if (keyManagementAlgorithms && !keyManagementAlgorithms.has(alg)) throw new (0, $599ac781534a947a$export$d51fd7fedeccc338)('\"alg\" (Algorithm) Header Parameter not allowed');\n if (contentEncryptionAlgorithms && !contentEncryptionAlgorithms.has(enc)) throw new (0, $599ac781534a947a$export$d51fd7fedeccc338)('\"enc\" (Encryption Algorithm) Header Parameter not allowed');\n let encryptedKey;\n if (jwe.encrypted_key !== undefined) encryptedKey = (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(jwe.encrypted_key);\n let resolvedKey = false;\n if (typeof key === \"function\") {\n key = await key(parsedProt, jwe);\n resolvedKey = true;\n }\n let cek;\n try {\n cek = await (0, $491143ea092c3ec9$export$2e2bcd8739ae039)(alg, key, encryptedKey, joseHeader, options);\n } catch (err) {\n if (err instanceof TypeError || err instanceof (0, $599ac781534a947a$export$19f281f2275f6a15) || err instanceof (0, $599ac781534a947a$export$19ddbcbf2016ab28)) throw err;\n cek = (0, $723ad0955c3ec8bb$export$2e2bcd8739ae039)(enc);\n }\n const iv = (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(jwe.iv);\n const tag = (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(jwe.tag);\n const protectedHeader = (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode((_a = jwe.protected) !== null && _a !== void 0 ? _a : \"\");\n let additionalData;\n if (jwe.aad !== undefined) additionalData = (0, $8c3dacf85b96b392$export$ee1b3e54f0441b22)(protectedHeader, (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(\".\"), (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(jwe.aad));\n else additionalData = protectedHeader;\n let plaintext = await (0, $8e3c9f32bae103db$export$2e2bcd8739ae039)(enc, cek, (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(jwe.ciphertext), iv, tag, additionalData);\n if (joseHeader.zip === \"DEF\") plaintext = await ((options === null || options === void 0 ? void 0 : options.inflateRaw) || (0, $183cd4e96b76501e$export$cae1ce83fe4a1782))(plaintext);\n const result = {\n plaintext: plaintext\n };\n if (jwe.protected !== undefined) result.protectedHeader = parsedProt;\n if (jwe.aad !== undefined) result.additionalAuthenticatedData = (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(jwe.aad);\n if (jwe.unprotected !== undefined) result.sharedUnprotectedHeader = jwe.unprotected;\n if (jwe.header !== undefined) result.unprotectedHeader = jwe.header;\n if (resolvedKey) return {\n ...result,\n key: key\n };\n return result;\n}\n\n\n\n\nasync function $1b1a9f568583dcab$export$c9a8efe6bfd872ce(jwe, key, options) {\n if (jwe instanceof Uint8Array) jwe = (0, $8c3dacf85b96b392$export$124c96e6ce37090b).decode(jwe);\n if (typeof jwe !== \"string\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"Compact JWE must be a string or Uint8Array\");\n const { 0: protectedHeader, 1: encryptedKey, 2: iv, 3: ciphertext, 4: tag, length: length } = jwe.split(\".\");\n if (length !== 5) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"Invalid Compact JWE\");\n const decrypted = await (0, $04c938c2900bb1d1$export$b75cd12892ae94d2)({\n ciphertext: ciphertext,\n iv: iv || undefined,\n protected: protectedHeader || undefined,\n tag: tag || undefined,\n encrypted_key: encryptedKey || undefined\n }, key, options);\n const result = {\n plaintext: decrypted.plaintext,\n protectedHeader: decrypted.protectedHeader\n };\n if (typeof key === \"function\") return {\n ...result,\n key: decrypted.key\n };\n return result;\n}\n\n\n\n\n\n\nasync function $e95577fc4034f34a$export$56bc728c88264430(jwe, key, options) {\n if (!(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(jwe)) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"General JWE must be an object\");\n if (!Array.isArray(jwe.recipients) || !jwe.recipients.every((0, $319a04fbce04ffdb$export$2e2bcd8739ae039))) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Recipients missing or incorrect type\");\n if (!jwe.recipients.length) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Recipients has no members\");\n for (const recipient of jwe.recipients)try {\n return await (0, $04c938c2900bb1d1$export$b75cd12892ae94d2)({\n aad: jwe.aad,\n ciphertext: jwe.ciphertext,\n encrypted_key: recipient.encrypted_key,\n header: recipient.header,\n iv: jwe.iv,\n protected: jwe.protected,\n tag: jwe.tag,\n unprotected: jwe.unprotected\n }, key, options);\n } catch (_a) {}\n throw new (0, $599ac781534a947a$export$1a57512ad9773b2a)();\n}\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nconst $891135ce5ed081a3$var$keyToJWK = async (key)=>{\n if (key instanceof Uint8Array) return {\n kty: \"oct\",\n k: (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(key)\n };\n if (!(0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(key)) throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(key, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f), \"Uint8Array\"));\n if (!key.extractable) throw new TypeError(\"non-extractable CryptoKey cannot be exported as a JWK\");\n const { ext: ext, key_ops: key_ops, alg: alg, use: use, ...jwk } = await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.exportKey(\"jwk\", key);\n return jwk;\n};\nvar $891135ce5ed081a3$export$2e2bcd8739ae039 = $891135ce5ed081a3$var$keyToJWK;\n\n\nasync function $9ee02072b0883f32$export$7f687badbeed246d(key) {\n return (0, $b876728f20516af6$export$cfba7e924fe414ca)(key);\n}\nasync function $9ee02072b0883f32$export$ba4a7192ac1a47fe(key) {\n return (0, $b876728f20516af6$export$cac76a78a90b914d)(key);\n}\nasync function $9ee02072b0883f32$export$ffb510cfd482ce82(key) {\n return (0, $891135ce5ed081a3$export$2e2bcd8739ae039)(key);\n}\n\n\n\n\nasync function $b0cae4bcf42b1576$var$encryptKeyManagement(alg, enc, key, providedCek, providedParameters = {}) {\n let encryptedKey;\n let parameters;\n let cek;\n (0, $8a5b1565e0dee973$export$2e2bcd8739ae039)(alg, key, \"encrypt\");\n switch(alg){\n case \"dir\":\n cek = key;\n break;\n case \"ECDH-ES\":\n case \"ECDH-ES+A128KW\":\n case \"ECDH-ES+A192KW\":\n case \"ECDH-ES+A256KW\":\n {\n if (!$44ac2949c0fdd669$export$f28ab77d793719b2(key)) throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(\"ECDH with the provided key is not allowed or not supported by your javascript runtime\");\n const { apu: apu, apv: apv } = providedParameters;\n let { epk: ephemeralKey } = providedParameters;\n ephemeralKey || (ephemeralKey = (await $44ac2949c0fdd669$export$1338dee8c889e310(key)).privateKey);\n const { x: x, y: y, crv: crv, kty: kty } = await (0, $9ee02072b0883f32$export$ffb510cfd482ce82)(ephemeralKey);\n const sharedSecret = await $44ac2949c0fdd669$export$87770b6b245073b5(key, ephemeralKey, alg === \"ECDH-ES\" ? enc : alg, alg === \"ECDH-ES\" ? (0, $723ad0955c3ec8bb$export$db433e85ac514a95)(enc) : parseInt(alg.slice(-5, -2), 10), apu, apv);\n parameters = {\n epk: {\n x: x,\n crv: crv,\n kty: kty\n }\n };\n if (kty === \"EC\") parameters.epk.y = y;\n if (apu) parameters.apu = (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(apu);\n if (apv) parameters.apv = (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(apv);\n if (alg === \"ECDH-ES\") {\n cek = sharedSecret;\n break;\n }\n cek = providedCek || (0, $723ad0955c3ec8bb$export$2e2bcd8739ae039)(enc);\n const kwAlg = alg.slice(-6);\n encryptedKey = await (0, $224272b9dcd7f753$export$4997ffc0176396a6)(kwAlg, sharedSecret, cek);\n break;\n }\n case \"RSA1_5\":\n case \"RSA-OAEP\":\n case \"RSA-OAEP-256\":\n case \"RSA-OAEP-384\":\n case \"RSA-OAEP-512\":\n cek = providedCek || (0, $723ad0955c3ec8bb$export$2e2bcd8739ae039)(enc);\n encryptedKey = await (0, $a05561e091e16287$export$5b0f6292f11d1d18)(alg, key, cek);\n break;\n case \"PBES2-HS256+A128KW\":\n case \"PBES2-HS384+A192KW\":\n case \"PBES2-HS512+A256KW\":\n {\n cek = providedCek || (0, $723ad0955c3ec8bb$export$2e2bcd8739ae039)(enc);\n const { p2c: p2c, p2s: p2s } = providedParameters;\n ({ encryptedKey: encryptedKey, ...parameters } = await (0, $4c1ef315ddeae8f1$export$5b0f6292f11d1d18)(alg, key, cek, p2c, p2s));\n break;\n }\n case \"A128KW\":\n case \"A192KW\":\n case \"A256KW\":\n cek = providedCek || (0, $723ad0955c3ec8bb$export$2e2bcd8739ae039)(enc);\n encryptedKey = await (0, $224272b9dcd7f753$export$4997ffc0176396a6)(alg, key, cek);\n break;\n case \"A128GCMKW\":\n case \"A192GCMKW\":\n case \"A256GCMKW\":\n {\n cek = providedCek || (0, $723ad0955c3ec8bb$export$2e2bcd8739ae039)(enc);\n const { iv: iv } = providedParameters;\n ({ encryptedKey: encryptedKey, ...parameters } = await (0, $c4131030fcf4d460$export$4997ffc0176396a6)(alg, key, cek, iv));\n break;\n }\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Invalid or unsupported \"alg\" (JWE Algorithm) header value');\n }\n return {\n cek: cek,\n encryptedKey: encryptedKey,\n parameters: parameters\n };\n}\nvar $b0cae4bcf42b1576$export$2e2bcd8739ae039 = $b0cae4bcf42b1576$var$encryptKeyManagement;\n\n\n\n\n\n\nconst $9d1c699dfcbf8bf8$export$39c45cb77eaf132 = Symbol();\nclass $9d1c699dfcbf8bf8$export$eec23736d3c24809 {\n constructor(plaintext){\n if (!(plaintext instanceof Uint8Array)) throw new TypeError(\"plaintext must be an instance of Uint8Array\");\n this._plaintext = plaintext;\n }\n setKeyManagementParameters(parameters) {\n if (this._keyManagementParameters) throw new TypeError(\"setKeyManagementParameters can only be called once\");\n this._keyManagementParameters = parameters;\n return this;\n }\n setProtectedHeader(protectedHeader) {\n if (this._protectedHeader) throw new TypeError(\"setProtectedHeader can only be called once\");\n this._protectedHeader = protectedHeader;\n return this;\n }\n setSharedUnprotectedHeader(sharedUnprotectedHeader) {\n if (this._sharedUnprotectedHeader) throw new TypeError(\"setSharedUnprotectedHeader can only be called once\");\n this._sharedUnprotectedHeader = sharedUnprotectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n if (this._unprotectedHeader) throw new TypeError(\"setUnprotectedHeader can only be called once\");\n this._unprotectedHeader = unprotectedHeader;\n return this;\n }\n setAdditionalAuthenticatedData(aad) {\n this._aad = aad;\n return this;\n }\n setContentEncryptionKey(cek) {\n if (this._cek) throw new TypeError(\"setContentEncryptionKey can only be called once\");\n this._cek = cek;\n return this;\n }\n setInitializationVector(iv) {\n if (this._iv) throw new TypeError(\"setInitializationVector can only be called once\");\n this._iv = iv;\n return this;\n }\n async encrypt(key, options) {\n if (!this._protectedHeader && !this._unprotectedHeader && !this._sharedUnprotectedHeader) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()\");\n if (!(0, $751ed1ebc64f8b96$export$2e2bcd8739ae039)(this._protectedHeader, this._unprotectedHeader, this._sharedUnprotectedHeader)) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint\");\n const joseHeader = {\n ...this._protectedHeader,\n ...this._unprotectedHeader,\n ...this._sharedUnprotectedHeader\n };\n (0, $0b572ece71b785f0$export$2e2bcd8739ae039)((0, $599ac781534a947a$export$19f281f2275f6a15), new Map(), options === null || options === void 0 ? void 0 : options.crit, this._protectedHeader, joseHeader);\n if (joseHeader.zip !== undefined) {\n if (!this._protectedHeader || !this._protectedHeader.zip) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)('JWE \"zip\" (Compression Algorithm) Header MUST be integrity protected');\n if (joseHeader.zip !== \"DEF\") throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Unsupported JWE \"zip\" (Compression Algorithm) Header Parameter value');\n }\n const { alg: alg, enc: enc } = joseHeader;\n if (typeof alg !== \"string\" || !alg) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)('JWE \"alg\" (Algorithm) Header Parameter missing or invalid');\n if (typeof enc !== \"string\" || !enc) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)('JWE \"enc\" (Encryption Algorithm) Header Parameter missing or invalid');\n let encryptedKey;\n if (alg === \"dir\") {\n if (this._cek) throw new TypeError(\"setContentEncryptionKey cannot be called when using Direct Encryption\");\n } else if (alg === \"ECDH-ES\") {\n if (this._cek) throw new TypeError(\"setContentEncryptionKey cannot be called when using Direct Key Agreement\");\n }\n let cek;\n {\n let parameters;\n ({ cek: cek, encryptedKey: encryptedKey, parameters: parameters } = await (0, $b0cae4bcf42b1576$export$2e2bcd8739ae039)(alg, enc, key, this._cek, this._keyManagementParameters));\n if (parameters) {\n if (options && $9d1c699dfcbf8bf8$export$39c45cb77eaf132 in options) {\n if (!this._unprotectedHeader) this.setUnprotectedHeader(parameters);\n else this._unprotectedHeader = {\n ...this._unprotectedHeader,\n ...parameters\n };\n } else if (!this._protectedHeader) this.setProtectedHeader(parameters);\n else this._protectedHeader = {\n ...this._protectedHeader,\n ...parameters\n };\n }\n }\n this._iv || (this._iv = (0, $da503c283075069a$export$2e2bcd8739ae039)(enc));\n let additionalData;\n let protectedHeader;\n let aadMember;\n if (this._protectedHeader) protectedHeader = (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode((0, $54a6e0e463467b0a$export$c564cdbbe6da493)(JSON.stringify(this._protectedHeader)));\n else protectedHeader = (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(\"\");\n if (this._aad) {\n aadMember = (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(this._aad);\n additionalData = (0, $8c3dacf85b96b392$export$ee1b3e54f0441b22)(protectedHeader, (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(\".\"), (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(aadMember));\n } else additionalData = protectedHeader;\n let ciphertext;\n let tag;\n if (joseHeader.zip === \"DEF\") {\n const deflated = await ((options === null || options === void 0 ? void 0 : options.deflateRaw) || (0, $183cd4e96b76501e$export$2316623ecd1285ab))(this._plaintext);\n ({ ciphertext: ciphertext, tag: tag } = await (0, $ae680723017e3689$export$2e2bcd8739ae039)(enc, deflated, cek, this._iv, additionalData));\n } else ({ ciphertext: ciphertext, tag: tag } = await (0, $ae680723017e3689$export$2e2bcd8739ae039)(enc, this._plaintext, cek, this._iv, additionalData));\n const jwe = {\n ciphertext: (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(ciphertext),\n iv: (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(this._iv),\n tag: (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(tag)\n };\n if (encryptedKey) jwe.encrypted_key = (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(encryptedKey);\n if (aadMember) jwe.aad = aadMember;\n if (this._protectedHeader) jwe.protected = (0, $8c3dacf85b96b392$export$124c96e6ce37090b).decode(protectedHeader);\n if (this._sharedUnprotectedHeader) jwe.unprotected = this._sharedUnprotectedHeader;\n if (this._unprotectedHeader) jwe.header = this._unprotectedHeader;\n return jwe;\n }\n}\n\n\n\n\n\n\n\n\nclass $54e37d233946ddfd$var$IndividualRecipient {\n constructor(enc, key, options){\n this.parent = enc;\n this.key = key;\n this.options = options;\n }\n setUnprotectedHeader(unprotectedHeader) {\n if (this.unprotectedHeader) throw new TypeError(\"setUnprotectedHeader can only be called once\");\n this.unprotectedHeader = unprotectedHeader;\n return this;\n }\n addRecipient(...args) {\n return this.parent.addRecipient(...args);\n }\n encrypt(...args) {\n return this.parent.encrypt(...args);\n }\n done() {\n return this.parent;\n }\n}\nclass $54e37d233946ddfd$export$44234adffc6b0b92 {\n constructor(plaintext){\n this._recipients = [];\n this._plaintext = plaintext;\n }\n addRecipient(key, options) {\n const recipient = new $54e37d233946ddfd$var$IndividualRecipient(this, key, {\n crit: options === null || options === void 0 ? void 0 : options.crit\n });\n this._recipients.push(recipient);\n return recipient;\n }\n setProtectedHeader(protectedHeader) {\n if (this._protectedHeader) throw new TypeError(\"setProtectedHeader can only be called once\");\n this._protectedHeader = protectedHeader;\n return this;\n }\n setSharedUnprotectedHeader(sharedUnprotectedHeader) {\n if (this._unprotectedHeader) throw new TypeError(\"setSharedUnprotectedHeader can only be called once\");\n this._unprotectedHeader = sharedUnprotectedHeader;\n return this;\n }\n setAdditionalAuthenticatedData(aad) {\n this._aad = aad;\n return this;\n }\n async encrypt(options) {\n var _a, _b, _c;\n if (!this._recipients.length) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"at least one recipient must be added\");\n options = {\n deflateRaw: options === null || options === void 0 ? void 0 : options.deflateRaw\n };\n if (this._recipients.length === 1) {\n const [recipient] = this._recipients;\n const flattened = await new (0, $9d1c699dfcbf8bf8$export$eec23736d3c24809)(this._plaintext).setAdditionalAuthenticatedData(this._aad).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(recipient.unprotectedHeader).encrypt(recipient.key, {\n ...recipient.options,\n ...options\n });\n let jwe = {\n ciphertext: flattened.ciphertext,\n iv: flattened.iv,\n recipients: [\n {}\n ],\n tag: flattened.tag\n };\n if (flattened.aad) jwe.aad = flattened.aad;\n if (flattened.protected) jwe.protected = flattened.protected;\n if (flattened.unprotected) jwe.unprotected = flattened.unprotected;\n if (flattened.encrypted_key) jwe.recipients[0].encrypted_key = flattened.encrypted_key;\n if (flattened.header) jwe.recipients[0].header = flattened.header;\n return jwe;\n }\n let enc;\n for(let i = 0; i < this._recipients.length; i++){\n const recipient = this._recipients[i];\n if (!(0, $751ed1ebc64f8b96$export$2e2bcd8739ae039)(this._protectedHeader, this._unprotectedHeader, recipient.unprotectedHeader)) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)(\"JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint\");\n const joseHeader = {\n ...this._protectedHeader,\n ...this._unprotectedHeader,\n ...recipient.unprotectedHeader\n };\n const { alg: alg } = joseHeader;\n if (typeof alg !== \"string\" || !alg) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)('JWE \"alg\" (Algorithm) Header Parameter missing or invalid');\n if (alg === \"dir\" || alg === \"ECDH-ES\") throw new (0, $599ac781534a947a$export$19f281f2275f6a15)('\"dir\" and \"ECDH-ES\" alg may only be used with a single recipient');\n if (typeof joseHeader.enc !== \"string\" || !joseHeader.enc) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)('JWE \"enc\" (Encryption Algorithm) Header Parameter missing or invalid');\n if (!enc) enc = joseHeader.enc;\n else if (enc !== joseHeader.enc) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)('JWE \"enc\" (Encryption Algorithm) Header Parameter must be the same for all recipients');\n (0, $0b572ece71b785f0$export$2e2bcd8739ae039)((0, $599ac781534a947a$export$19f281f2275f6a15), new Map(), recipient.options.crit, this._protectedHeader, joseHeader);\n if (joseHeader.zip !== undefined) {\n if (!this._protectedHeader || !this._protectedHeader.zip) throw new (0, $599ac781534a947a$export$19f281f2275f6a15)('JWE \"zip\" (Compression Algorithm) Header MUST be integrity protected');\n }\n }\n const cek = (0, $723ad0955c3ec8bb$export$2e2bcd8739ae039)(enc);\n let jwe = {\n ciphertext: \"\",\n iv: \"\",\n recipients: [],\n tag: \"\"\n };\n for(let i = 0; i < this._recipients.length; i++){\n const recipient = this._recipients[i];\n const target = {};\n jwe.recipients.push(target);\n const joseHeader = {\n ...this._protectedHeader,\n ...this._unprotectedHeader,\n ...recipient.unprotectedHeader\n };\n const p2c = joseHeader.alg.startsWith(\"PBES2\") ? 2048 + i : undefined;\n if (i === 0) {\n const flattened = await new (0, $9d1c699dfcbf8bf8$export$eec23736d3c24809)(this._plaintext).setAdditionalAuthenticatedData(this._aad).setContentEncryptionKey(cek).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(recipient.unprotectedHeader).setKeyManagementParameters({\n p2c: p2c\n }).encrypt(recipient.key, {\n ...recipient.options,\n ...options,\n [(0, $9d1c699dfcbf8bf8$export$39c45cb77eaf132)]: true\n });\n jwe.ciphertext = flattened.ciphertext;\n jwe.iv = flattened.iv;\n jwe.tag = flattened.tag;\n if (flattened.aad) jwe.aad = flattened.aad;\n if (flattened.protected) jwe.protected = flattened.protected;\n if (flattened.unprotected) jwe.unprotected = flattened.unprotected;\n target.encrypted_key = flattened.encrypted_key;\n if (flattened.header) target.header = flattened.header;\n continue;\n }\n const { encryptedKey: encryptedKey, parameters: parameters } = await (0, $b0cae4bcf42b1576$export$2e2bcd8739ae039)(((_a = recipient.unprotectedHeader) === null || _a === void 0 ? void 0 : _a.alg) || ((_b = this._protectedHeader) === null || _b === void 0 ? void 0 : _b.alg) || ((_c = this._unprotectedHeader) === null || _c === void 0 ? void 0 : _c.alg), enc, recipient.key, cek, {\n p2c: p2c\n });\n target.encrypted_key = (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(encryptedKey);\n if (recipient.unprotectedHeader || parameters) target.header = {\n ...recipient.unprotectedHeader,\n ...parameters\n };\n }\n return jwe;\n }\n}\n\n\n\n\n\nfunction $fd9ff84d4ad74129$export$2e2bcd8739ae039(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch(alg){\n case \"HS256\":\n case \"HS384\":\n case \"HS512\":\n return {\n hash: hash,\n name: \"HMAC\"\n };\n case \"PS256\":\n case \"PS384\":\n case \"PS512\":\n return {\n hash: hash,\n name: \"RSA-PSS\",\n saltLength: alg.slice(-3) >> 3\n };\n case \"RS256\":\n case \"RS384\":\n case \"RS512\":\n return {\n hash: hash,\n name: \"RSASSA-PKCS1-v1_5\"\n };\n case \"ES256\":\n case \"ES384\":\n case \"ES512\":\n return {\n hash: hash,\n name: \"ECDSA\",\n namedCurve: algorithm.namedCurve\n };\n case \"EdDSA\":\n if ((0, $5852df024b41aa91$export$7b262397cadac19f)() && algorithm.name === \"NODE-ED25519\") return {\n name: \"NODE-ED25519\",\n namedCurve: \"NODE-ED25519\"\n };\n return {\n name: algorithm.name\n };\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\n\n\n\n\n\n\n\n\nfunction $dd8265016b6a4c59$export$2e2bcd8739ae039(alg, key, usage) {\n if ((0, $3f0b33e7ccc65ae0$export$600b5603bbac4c6)(key)) {\n (0, $bd0b36fb17abf4f5$export$39a36029eee6729)(key, alg, usage);\n return key;\n }\n if (key instanceof Uint8Array) {\n if (!alg.startsWith(\"HS\")) throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(key, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f)));\n return (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.importKey(\"raw\", key, {\n hash: `SHA-${alg.slice(-3)}`,\n name: \"HMAC\"\n }, false, [\n usage\n ]);\n }\n throw new TypeError((0, $233e587bc0c17441$export$2e2bcd8739ae039)(key, ...(0, $002bdc4a0215a55c$export$b14ad400b1d09e0f), \"Uint8Array\"));\n}\n\n\nconst $dbb3eb797cbe0e44$var$verify = async (alg, key, signature, data)=>{\n const cryptoKey = await (0, $dd8265016b6a4c59$export$2e2bcd8739ae039)(alg, key, \"verify\");\n (0, $2c8180cef663e103$export$2e2bcd8739ae039)(alg, cryptoKey);\n const algorithm = (0, $fd9ff84d4ad74129$export$2e2bcd8739ae039)(alg, cryptoKey.algorithm);\n try {\n return await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.verify(algorithm, cryptoKey, signature, data);\n } catch (_a) {\n return false;\n }\n};\nvar $dbb3eb797cbe0e44$export$2e2bcd8739ae039 = $dbb3eb797cbe0e44$var$verify;\n\n\n\n\n\n\n\n\n\nasync function $b1a47cad1ba554c8$export$b2614975507c40c9(jws, key, options) {\n var _a;\n if (!(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(jws)) throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"Flattened JWS must be an object\");\n if (jws.protected === undefined && jws.header === undefined) throw new (0, $599ac781534a947a$export$e838de724af3d116)('Flattened JWS must have either of the \"protected\" or \"header\" members');\n if (jws.protected !== undefined && typeof jws.protected !== \"string\") throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"JWS Protected Header incorrect type\");\n if (jws.payload === undefined) throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"JWS Payload missing\");\n if (typeof jws.signature !== \"string\") throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"JWS Signature missing or incorrect type\");\n if (jws.header !== undefined && !(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(jws.header)) throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"JWS Unprotected Header incorrect type\");\n let parsedProt = {};\n if (jws.protected) try {\n const protectedHeader = (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(jws.protected);\n parsedProt = JSON.parse((0, $8c3dacf85b96b392$export$124c96e6ce37090b).decode(protectedHeader));\n } catch (_b) {\n throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"JWS Protected Header is invalid\");\n }\n if (!(0, $751ed1ebc64f8b96$export$2e2bcd8739ae039)(parsedProt, jws.header)) throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"JWS Protected and JWS Unprotected Header Parameter names must be disjoint\");\n const joseHeader = {\n ...parsedProt,\n ...jws.header\n };\n const extensions = (0, $0b572ece71b785f0$export$2e2bcd8739ae039)((0, $599ac781534a947a$export$e838de724af3d116), new Map([\n [\n \"b64\",\n true\n ]\n ]), options === null || options === void 0 ? void 0 : options.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has(\"b64\")) {\n b64 = parsedProt.b64;\n if (typeof b64 !== \"boolean\") throw new (0, $599ac781534a947a$export$e838de724af3d116)('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n const { alg: alg } = joseHeader;\n if (typeof alg !== \"string\" || !alg) throw new (0, $599ac781534a947a$export$e838de724af3d116)('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n const algorithms = options && (0, $33550bd8f4719411$export$2e2bcd8739ae039)(\"algorithms\", options.algorithms);\n if (algorithms && !algorithms.has(alg)) throw new (0, $599ac781534a947a$export$d51fd7fedeccc338)('\"alg\" (Algorithm) Header Parameter not allowed');\n if (b64) {\n if (typeof jws.payload !== \"string\") throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"JWS Payload must be a string\");\n } else if (typeof jws.payload !== \"string\" && !(jws.payload instanceof Uint8Array)) throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"JWS Payload must be a string or an Uint8Array instance\");\n let resolvedKey = false;\n if (typeof key === \"function\") {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n (0, $8a5b1565e0dee973$export$2e2bcd8739ae039)(alg, key, \"verify\");\n const data = (0, $8c3dacf85b96b392$export$ee1b3e54f0441b22)((0, $8c3dacf85b96b392$export$5486af06137bf21a).encode((_a = jws.protected) !== null && _a !== void 0 ? _a : \"\"), (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(\".\"), typeof jws.payload === \"string\" ? (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(jws.payload) : jws.payload);\n const signature = (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(jws.signature);\n const verified = await (0, $dbb3eb797cbe0e44$export$2e2bcd8739ae039)(alg, key, signature, data);\n if (!verified) throw new (0, $599ac781534a947a$export$c67a0218e7c50378)();\n let payload;\n if (b64) payload = (0, $54a6e0e463467b0a$export$2f872c0f2117be69)(jws.payload);\n else if (typeof jws.payload === \"string\") payload = (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(jws.payload);\n else payload = jws.payload;\n const result = {\n payload: payload\n };\n if (jws.protected !== undefined) result.protectedHeader = parsedProt;\n if (jws.header !== undefined) result.unprotectedHeader = jws.header;\n if (resolvedKey) return {\n ...result,\n key: key\n };\n return result;\n}\n\n\n\n\nasync function $6446add785626fa5$export$996150e72a8992e(jws, key, options) {\n if (jws instanceof Uint8Array) jws = (0, $8c3dacf85b96b392$export$124c96e6ce37090b).decode(jws);\n if (typeof jws !== \"string\") throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"Compact JWS must be a string or Uint8Array\");\n const { 0: protectedHeader, 1: payload, 2: signature, length: length } = jws.split(\".\");\n if (length !== 3) throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"Invalid Compact JWS\");\n const verified = await (0, $b1a47cad1ba554c8$export$b2614975507c40c9)({\n payload: payload,\n protected: protectedHeader,\n signature: signature\n }, key, options);\n const result = {\n payload: verified.payload,\n protectedHeader: verified.protectedHeader\n };\n if (typeof key === \"function\") return {\n ...result,\n key: verified.key\n };\n return result;\n}\n\n\n\n\n\n\nasync function $65c7a3c0b49d7a21$export$45b643129436bc63(jws, key, options) {\n if (!(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(jws)) throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"General JWS must be an object\");\n if (!Array.isArray(jws.signatures) || !jws.signatures.every((0, $319a04fbce04ffdb$export$2e2bcd8739ae039))) throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"JWS Signatures missing or incorrect type\");\n for (const signature of jws.signatures)try {\n return await (0, $b1a47cad1ba554c8$export$b2614975507c40c9)({\n header: signature.header,\n payload: jws.payload,\n protected: signature.protected,\n signature: signature.signature\n }, key, options);\n } catch (_a) {}\n throw new (0, $599ac781534a947a$export$c67a0218e7c50378)();\n}\n\n\n\n\n\nvar $ca33ae1426f1aba8$export$2e2bcd8739ae039 = (date)=>Math.floor(date.getTime() / 1000);\n\n\nconst $e00eea37b383aa7e$var$minute = 60;\nconst $e00eea37b383aa7e$var$hour = $e00eea37b383aa7e$var$minute * 60;\nconst $e00eea37b383aa7e$var$day = $e00eea37b383aa7e$var$hour * 24;\nconst $e00eea37b383aa7e$var$week = $e00eea37b383aa7e$var$day * 7;\nconst $e00eea37b383aa7e$var$year = $e00eea37b383aa7e$var$day * 365.25;\nconst $e00eea37b383aa7e$var$REGEX = /^(\\d+|\\d+\\.\\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)$/i;\nvar $e00eea37b383aa7e$export$2e2bcd8739ae039 = (str)=>{\n const matched = $e00eea37b383aa7e$var$REGEX.exec(str);\n if (!matched) throw new TypeError(\"Invalid time period format\");\n const value = parseFloat(matched[1]);\n const unit = matched[2].toLowerCase();\n switch(unit){\n case \"sec\":\n case \"secs\":\n case \"second\":\n case \"seconds\":\n case \"s\":\n return Math.round(value);\n case \"minute\":\n case \"minutes\":\n case \"min\":\n case \"mins\":\n case \"m\":\n return Math.round(value * $e00eea37b383aa7e$var$minute);\n case \"hour\":\n case \"hours\":\n case \"hr\":\n case \"hrs\":\n case \"h\":\n return Math.round(value * $e00eea37b383aa7e$var$hour);\n case \"day\":\n case \"days\":\n case \"d\":\n return Math.round(value * $e00eea37b383aa7e$var$day);\n case \"week\":\n case \"weeks\":\n case \"w\":\n return Math.round(value * $e00eea37b383aa7e$var$week);\n default:\n return Math.round(value * $e00eea37b383aa7e$var$year);\n }\n};\n\n\n\nconst $b4d6c2e00c056d92$var$normalizeTyp = (value)=>value.toLowerCase().replace(/^application\\//, \"\");\nconst $b4d6c2e00c056d92$var$checkAudiencePresence = (audPayload, audOption)=>{\n if (typeof audPayload === \"string\") return audOption.includes(audPayload);\n if (Array.isArray(audPayload)) return audOption.some(Set.prototype.has.bind(new Set(audPayload)));\n return false;\n};\nvar $b4d6c2e00c056d92$export$2e2bcd8739ae039 = (protectedHeader, encodedPayload, options = {})=>{\n const { typ: typ } = options;\n if (typ && (typeof protectedHeader.typ !== \"string\" || $b4d6c2e00c056d92$var$normalizeTyp(protectedHeader.typ) !== $b4d6c2e00c056d92$var$normalizeTyp(typ))) throw new (0, $599ac781534a947a$export$f1e14efb908196e9)('unexpected \"typ\" JWT header value', \"typ\", \"check_failed\");\n let payload;\n try {\n payload = JSON.parse((0, $8c3dacf85b96b392$export$124c96e6ce37090b).decode(encodedPayload));\n } catch (_a) {}\n if (!(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(payload)) throw new (0, $599ac781534a947a$export$936b39ada0bbfceb)(\"JWT Claims Set must be a top-level JSON object\");\n const { issuer: issuer } = options;\n if (issuer && !(Array.isArray(issuer) ? issuer : [\n issuer\n ]).includes(payload.iss)) throw new (0, $599ac781534a947a$export$f1e14efb908196e9)('unexpected \"iss\" claim value', \"iss\", \"check_failed\");\n const { subject: subject } = options;\n if (subject && payload.sub !== subject) throw new (0, $599ac781534a947a$export$f1e14efb908196e9)('unexpected \"sub\" claim value', \"sub\", \"check_failed\");\n const { audience: audience } = options;\n if (audience && !$b4d6c2e00c056d92$var$checkAudiencePresence(payload.aud, typeof audience === \"string\" ? [\n audience\n ] : audience)) throw new (0, $599ac781534a947a$export$f1e14efb908196e9)('unexpected \"aud\" claim value', \"aud\", \"check_failed\");\n let tolerance;\n switch(typeof options.clockTolerance){\n case \"string\":\n tolerance = (0, $e00eea37b383aa7e$export$2e2bcd8739ae039)(options.clockTolerance);\n break;\n case \"number\":\n tolerance = options.clockTolerance;\n break;\n case \"undefined\":\n tolerance = 0;\n break;\n default:\n throw new TypeError(\"Invalid clockTolerance option type\");\n }\n const { currentDate: currentDate } = options;\n const now = (0, $ca33ae1426f1aba8$export$2e2bcd8739ae039)(currentDate || new Date());\n if ((payload.iat !== undefined || options.maxTokenAge) && typeof payload.iat !== \"number\") throw new (0, $599ac781534a947a$export$f1e14efb908196e9)('\"iat\" claim must be a number', \"iat\", \"invalid\");\n if (payload.nbf !== undefined) {\n if (typeof payload.nbf !== \"number\") throw new (0, $599ac781534a947a$export$f1e14efb908196e9)('\"nbf\" claim must be a number', \"nbf\", \"invalid\");\n if (payload.nbf > now + tolerance) throw new (0, $599ac781534a947a$export$f1e14efb908196e9)('\"nbf\" claim timestamp check failed', \"nbf\", \"check_failed\");\n }\n if (payload.exp !== undefined) {\n if (typeof payload.exp !== \"number\") throw new (0, $599ac781534a947a$export$f1e14efb908196e9)('\"exp\" claim must be a number', \"exp\", \"invalid\");\n if (payload.exp <= now - tolerance) throw new (0, $599ac781534a947a$export$4b386bf852b7863d)('\"exp\" claim timestamp check failed', \"exp\", \"check_failed\");\n }\n if (options.maxTokenAge) {\n const age = now - payload.iat;\n const max = typeof options.maxTokenAge === \"number\" ? options.maxTokenAge : (0, $e00eea37b383aa7e$export$2e2bcd8739ae039)(options.maxTokenAge);\n if (age - tolerance > max) throw new (0, $599ac781534a947a$export$4b386bf852b7863d)('\"iat\" claim timestamp check failed (too far in the past)', \"iat\", \"check_failed\");\n if (age < 0 - tolerance) throw new (0, $599ac781534a947a$export$f1e14efb908196e9)('\"iat\" claim timestamp check failed (it should be in the past)', \"iat\", \"check_failed\");\n }\n return payload;\n};\n\n\n\nasync function $059e3a140d30ed13$export$c878fd0f8381da51(jwt, key, options) {\n var _a;\n const verified = await (0, $6446add785626fa5$export$996150e72a8992e)(jwt, key, options);\n if (((_a = verified.protectedHeader.crit) === null || _a === void 0 ? void 0 : _a.includes(\"b64\")) && verified.protectedHeader.b64 === false) throw new (0, $599ac781534a947a$export$936b39ada0bbfceb)(\"JWTs MUST NOT use unencoded payload\");\n const payload = (0, $b4d6c2e00c056d92$export$2e2bcd8739ae039)(verified.protectedHeader, verified.payload, options);\n const result = {\n payload: payload,\n protectedHeader: verified.protectedHeader\n };\n if (typeof key === \"function\") return {\n ...result,\n key: verified.key\n };\n return result;\n}\n\n\n\n\n\nasync function $dabb925293a77b9d$export$6ee899505bc40a19(jwt, key, options) {\n const decrypted = await (0, $1b1a9f568583dcab$export$c9a8efe6bfd872ce)(jwt, key, options);\n const payload = (0, $b4d6c2e00c056d92$export$2e2bcd8739ae039)(decrypted.protectedHeader, decrypted.plaintext, options);\n const { protectedHeader: protectedHeader } = decrypted;\n if (protectedHeader.iss !== undefined && protectedHeader.iss !== payload.iss) throw new (0, $599ac781534a947a$export$f1e14efb908196e9)('replicated \"iss\" claim header parameter mismatch', \"iss\", \"mismatch\");\n if (protectedHeader.sub !== undefined && protectedHeader.sub !== payload.sub) throw new (0, $599ac781534a947a$export$f1e14efb908196e9)('replicated \"sub\" claim header parameter mismatch', \"sub\", \"mismatch\");\n if (protectedHeader.aud !== undefined && JSON.stringify(protectedHeader.aud) !== JSON.stringify(payload.aud)) throw new (0, $599ac781534a947a$export$f1e14efb908196e9)('replicated \"aud\" claim header parameter mismatch', \"aud\", \"mismatch\");\n const result = {\n payload: payload,\n protectedHeader: protectedHeader\n };\n if (typeof key === \"function\") return {\n ...result,\n key: decrypted.key\n };\n return result;\n}\n\n\n\nclass $960dbbe2ca85a5d4$export$965e4de9938e070e {\n constructor(plaintext){\n this._flattened = new (0, $9d1c699dfcbf8bf8$export$eec23736d3c24809)(plaintext);\n }\n setContentEncryptionKey(cek) {\n this._flattened.setContentEncryptionKey(cek);\n return this;\n }\n setInitializationVector(iv) {\n this._flattened.setInitializationVector(iv);\n return this;\n }\n setProtectedHeader(protectedHeader) {\n this._flattened.setProtectedHeader(protectedHeader);\n return this;\n }\n setKeyManagementParameters(parameters) {\n this._flattened.setKeyManagementParameters(parameters);\n return this;\n }\n async encrypt(key, options) {\n const jwe = await this._flattened.encrypt(key, options);\n return [\n jwe.protected,\n jwe.encrypted_key,\n jwe.iv,\n jwe.ciphertext,\n jwe.tag\n ].join(\".\");\n }\n}\n\n\n\n\n\n\n\n\nconst $af54292801bcc1f9$var$sign = async (alg, key, data)=>{\n const cryptoKey = await (0, $dd8265016b6a4c59$export$2e2bcd8739ae039)(alg, key, \"sign\");\n (0, $2c8180cef663e103$export$2e2bcd8739ae039)(alg, cryptoKey);\n const signature = await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.sign((0, $fd9ff84d4ad74129$export$2e2bcd8739ae039)(alg, cryptoKey.algorithm), cryptoKey, data);\n return new Uint8Array(signature);\n};\nvar $af54292801bcc1f9$export$2e2bcd8739ae039 = $af54292801bcc1f9$var$sign;\n\n\n\n\n\n\n\nclass $ef6876836c58b0e4$export$9a8af5200da5ddb1 {\n constructor(payload){\n if (!(payload instanceof Uint8Array)) throw new TypeError(\"payload must be an instance of Uint8Array\");\n this._payload = payload;\n }\n setProtectedHeader(protectedHeader) {\n if (this._protectedHeader) throw new TypeError(\"setProtectedHeader can only be called once\");\n this._protectedHeader = protectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n if (this._unprotectedHeader) throw new TypeError(\"setUnprotectedHeader can only be called once\");\n this._unprotectedHeader = unprotectedHeader;\n return this;\n }\n async sign(key, options) {\n if (!this._protectedHeader && !this._unprotectedHeader) throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"either setProtectedHeader or setUnprotectedHeader must be called before #sign()\");\n if (!(0, $751ed1ebc64f8b96$export$2e2bcd8739ae039)(this._protectedHeader, this._unprotectedHeader)) throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"JWS Protected and JWS Unprotected Header Parameter names must be disjoint\");\n const joseHeader = {\n ...this._protectedHeader,\n ...this._unprotectedHeader\n };\n const extensions = (0, $0b572ece71b785f0$export$2e2bcd8739ae039)((0, $599ac781534a947a$export$e838de724af3d116), new Map([\n [\n \"b64\",\n true\n ]\n ]), options === null || options === void 0 ? void 0 : options.crit, this._protectedHeader, joseHeader);\n let b64 = true;\n if (extensions.has(\"b64\")) {\n b64 = this._protectedHeader.b64;\n if (typeof b64 !== \"boolean\") throw new (0, $599ac781534a947a$export$e838de724af3d116)('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n const { alg: alg } = joseHeader;\n if (typeof alg !== \"string\" || !alg) throw new (0, $599ac781534a947a$export$e838de724af3d116)('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n (0, $8a5b1565e0dee973$export$2e2bcd8739ae039)(alg, key, \"sign\");\n let payload = this._payload;\n if (b64) payload = (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode((0, $54a6e0e463467b0a$export$c564cdbbe6da493)(payload));\n let protectedHeader;\n if (this._protectedHeader) protectedHeader = (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode((0, $54a6e0e463467b0a$export$c564cdbbe6da493)(JSON.stringify(this._protectedHeader)));\n else protectedHeader = (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(\"\");\n const data = (0, $8c3dacf85b96b392$export$ee1b3e54f0441b22)(protectedHeader, (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(\".\"), payload);\n const signature = await (0, $af54292801bcc1f9$export$2e2bcd8739ae039)(alg, key, data);\n const jws = {\n signature: (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(signature),\n payload: \"\"\n };\n if (b64) jws.payload = (0, $8c3dacf85b96b392$export$124c96e6ce37090b).decode(payload);\n if (this._unprotectedHeader) jws.header = this._unprotectedHeader;\n if (this._protectedHeader) jws.protected = (0, $8c3dacf85b96b392$export$124c96e6ce37090b).decode(protectedHeader);\n return jws;\n }\n}\n\n\nclass $12d745ca26469470$export$b6738d8e70498d17 {\n constructor(payload){\n this._flattened = new (0, $ef6876836c58b0e4$export$9a8af5200da5ddb1)(payload);\n }\n setProtectedHeader(protectedHeader) {\n this._flattened.setProtectedHeader(protectedHeader);\n return this;\n }\n async sign(key, options) {\n const jws = await this._flattened.sign(key, options);\n if (jws.payload === undefined) throw new TypeError(\"use the flattened module for creating JWS with b64: false\");\n return `${jws.protected}.${jws.payload}.${jws.signature}`;\n }\n}\n\n\n\n\n\nclass $bd5afc6fb4098417$var$IndividualSignature {\n constructor(sig, key, options){\n this.parent = sig;\n this.key = key;\n this.options = options;\n }\n setProtectedHeader(protectedHeader) {\n if (this.protectedHeader) throw new TypeError(\"setProtectedHeader can only be called once\");\n this.protectedHeader = protectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n if (this.unprotectedHeader) throw new TypeError(\"setUnprotectedHeader can only be called once\");\n this.unprotectedHeader = unprotectedHeader;\n return this;\n }\n addSignature(...args) {\n return this.parent.addSignature(...args);\n }\n sign(...args) {\n return this.parent.sign(...args);\n }\n done() {\n return this.parent;\n }\n}\nclass $bd5afc6fb4098417$export$7e2f94727ed1a34b {\n constructor(payload){\n this._signatures = [];\n this._payload = payload;\n }\n addSignature(key, options) {\n const signature = new $bd5afc6fb4098417$var$IndividualSignature(this, key, options);\n this._signatures.push(signature);\n return signature;\n }\n async sign() {\n if (!this._signatures.length) throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"at least one signature must be added\");\n const jws = {\n signatures: [],\n payload: \"\"\n };\n for(let i = 0; i < this._signatures.length; i++){\n const signature = this._signatures[i];\n const flattened = new (0, $ef6876836c58b0e4$export$9a8af5200da5ddb1)(this._payload);\n flattened.setProtectedHeader(signature.protectedHeader);\n flattened.setUnprotectedHeader(signature.unprotectedHeader);\n const { payload: payload, ...rest } = await flattened.sign(signature.key, signature.options);\n if (i === 0) jws.payload = payload;\n else if (jws.payload !== payload) throw new (0, $599ac781534a947a$export$e838de724af3d116)(\"inconsistent use of JWS Unencoded Payload Option (RFC7797)\");\n jws.signatures.push(rest);\n }\n return jws;\n }\n}\n\n\n\n\n\n\n\n\nclass $46f2da2b3de4ed34$export$2ef1b74b7c7e6eb3 {\n constructor(payload){\n if (!(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(payload)) throw new TypeError(\"JWT Claims Set MUST be an object\");\n this._payload = payload;\n }\n setIssuer(issuer) {\n this._payload = {\n ...this._payload,\n iss: issuer\n };\n return this;\n }\n setSubject(subject) {\n this._payload = {\n ...this._payload,\n sub: subject\n };\n return this;\n }\n setAudience(audience) {\n this._payload = {\n ...this._payload,\n aud: audience\n };\n return this;\n }\n setJti(jwtId) {\n this._payload = {\n ...this._payload,\n jti: jwtId\n };\n return this;\n }\n setNotBefore(input) {\n if (typeof input === \"number\") this._payload = {\n ...this._payload,\n nbf: input\n };\n else this._payload = {\n ...this._payload,\n nbf: (0, $ca33ae1426f1aba8$export$2e2bcd8739ae039)(new Date()) + (0, $e00eea37b383aa7e$export$2e2bcd8739ae039)(input)\n };\n return this;\n }\n setExpirationTime(input) {\n if (typeof input === \"number\") this._payload = {\n ...this._payload,\n exp: input\n };\n else this._payload = {\n ...this._payload,\n exp: (0, $ca33ae1426f1aba8$export$2e2bcd8739ae039)(new Date()) + (0, $e00eea37b383aa7e$export$2e2bcd8739ae039)(input)\n };\n return this;\n }\n setIssuedAt(input) {\n if (typeof input === \"undefined\") this._payload = {\n ...this._payload,\n iat: (0, $ca33ae1426f1aba8$export$2e2bcd8739ae039)(new Date())\n };\n else this._payload = {\n ...this._payload,\n iat: input\n };\n return this;\n }\n}\n\n\nclass $cb3fa919fa1549c0$export$88d4e5d23fbe6c84 extends (0, $46f2da2b3de4ed34$export$2ef1b74b7c7e6eb3) {\n setProtectedHeader(protectedHeader) {\n this._protectedHeader = protectedHeader;\n return this;\n }\n async sign(key, options) {\n var _a;\n const sig = new (0, $12d745ca26469470$export$b6738d8e70498d17)((0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(JSON.stringify(this._payload)));\n sig.setProtectedHeader(this._protectedHeader);\n if (Array.isArray((_a = this._protectedHeader) === null || _a === void 0 ? void 0 : _a.crit) && this._protectedHeader.crit.includes(\"b64\") && this._protectedHeader.b64 === false) throw new (0, $599ac781534a947a$export$936b39ada0bbfceb)(\"JWTs MUST NOT use unencoded payload\");\n return sig.sign(key, options);\n }\n}\n\n\n\n\n\nclass $0c71009a661b4763$export$28c9f8d29aec6f3d extends (0, $46f2da2b3de4ed34$export$2ef1b74b7c7e6eb3) {\n setProtectedHeader(protectedHeader) {\n if (this._protectedHeader) throw new TypeError(\"setProtectedHeader can only be called once\");\n this._protectedHeader = protectedHeader;\n return this;\n }\n setKeyManagementParameters(parameters) {\n if (this._keyManagementParameters) throw new TypeError(\"setKeyManagementParameters can only be called once\");\n this._keyManagementParameters = parameters;\n return this;\n }\n setContentEncryptionKey(cek) {\n if (this._cek) throw new TypeError(\"setContentEncryptionKey can only be called once\");\n this._cek = cek;\n return this;\n }\n setInitializationVector(iv) {\n if (this._iv) throw new TypeError(\"setInitializationVector can only be called once\");\n this._iv = iv;\n return this;\n }\n replicateIssuerAsHeader() {\n this._replicateIssuerAsHeader = true;\n return this;\n }\n replicateSubjectAsHeader() {\n this._replicateSubjectAsHeader = true;\n return this;\n }\n replicateAudienceAsHeader() {\n this._replicateAudienceAsHeader = true;\n return this;\n }\n async encrypt(key, options) {\n const enc = new (0, $960dbbe2ca85a5d4$export$965e4de9938e070e)((0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(JSON.stringify(this._payload)));\n if (this._replicateIssuerAsHeader) this._protectedHeader = {\n ...this._protectedHeader,\n iss: this._payload.iss\n };\n if (this._replicateSubjectAsHeader) this._protectedHeader = {\n ...this._protectedHeader,\n sub: this._payload.sub\n };\n if (this._replicateAudienceAsHeader) this._protectedHeader = {\n ...this._protectedHeader,\n aud: this._payload.aud\n };\n enc.setProtectedHeader(this._protectedHeader);\n if (this._iv) enc.setInitializationVector(this._iv);\n if (this._cek) enc.setContentEncryptionKey(this._cek);\n if (this._keyManagementParameters) enc.setKeyManagementParameters(this._keyManagementParameters);\n return enc.encrypt(key, options);\n }\n}\n\n\n\n\n\n\n\nconst $21a28d57e89a027d$var$check = (value, description)=>{\n if (typeof value !== \"string\" || !value) throw new (0, $599ac781534a947a$export$b3992e0f88fb07e3)(`${description} missing or invalid`);\n};\nasync function $21a28d57e89a027d$export$f1ec189735e8660f(jwk, digestAlgorithm) {\n if (!(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(jwk)) throw new TypeError(\"JWK must be an object\");\n digestAlgorithm !== null && digestAlgorithm !== void 0 ? digestAlgorithm : digestAlgorithm = \"sha256\";\n if (digestAlgorithm !== \"sha256\" && digestAlgorithm !== \"sha384\" && digestAlgorithm !== \"sha512\") throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"');\n let components;\n switch(jwk.kty){\n case \"EC\":\n $21a28d57e89a027d$var$check(jwk.crv, '\"crv\" (Curve) Parameter');\n $21a28d57e89a027d$var$check(jwk.x, '\"x\" (X Coordinate) Parameter');\n $21a28d57e89a027d$var$check(jwk.y, '\"y\" (Y Coordinate) Parameter');\n components = {\n crv: jwk.crv,\n kty: jwk.kty,\n x: jwk.x,\n y: jwk.y\n };\n break;\n case \"OKP\":\n $21a28d57e89a027d$var$check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter');\n $21a28d57e89a027d$var$check(jwk.x, '\"x\" (Public Key) Parameter');\n components = {\n crv: jwk.crv,\n kty: jwk.kty,\n x: jwk.x\n };\n break;\n case \"RSA\":\n $21a28d57e89a027d$var$check(jwk.e, '\"e\" (Exponent) Parameter');\n $21a28d57e89a027d$var$check(jwk.n, '\"n\" (Modulus) Parameter');\n components = {\n e: jwk.e,\n kty: jwk.kty,\n n: jwk.n\n };\n break;\n case \"oct\":\n $21a28d57e89a027d$var$check(jwk.k, '\"k\" (Key Value) Parameter');\n components = {\n k: jwk.k,\n kty: jwk.kty\n };\n break;\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('\"kty\" (Key Type) Parameter missing or unsupported');\n }\n const data = (0, $8c3dacf85b96b392$export$5486af06137bf21a).encode(JSON.stringify(components));\n return (0, $54a6e0e463467b0a$export$c564cdbbe6da493)(await (0, $491757e359519ceb$export$2e2bcd8739ae039)(digestAlgorithm, data));\n}\nasync function $21a28d57e89a027d$export$b9879ebc49d4fd7a(jwk, digestAlgorithm) {\n digestAlgorithm !== null && digestAlgorithm !== void 0 ? digestAlgorithm : digestAlgorithm = \"sha256\";\n const thumbprint = await $21a28d57e89a027d$export$f1ec189735e8660f(jwk, digestAlgorithm);\n return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`;\n}\n\n\n\n\n\nasync function $ca86cc6e287c4a76$export$c51e3062a159ef59(protectedHeader, token) {\n const joseHeader = {\n ...protectedHeader,\n ...token === null || token === void 0 ? void 0 : token.header\n };\n if (!(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(joseHeader.jwk)) throw new (0, $599ac781534a947a$export$e838de724af3d116)('\"jwk\" (JSON Web Key) Header Parameter must be a JSON object');\n const key = await (0, $d3f3b992c534ed5a$export$2b70d37b4d0b888b)({\n ...joseHeader.jwk,\n ext: true\n }, joseHeader.alg, true);\n if (key instanceof Uint8Array || key.type !== \"public\") throw new (0, $599ac781534a947a$export$e838de724af3d116)('\"jwk\" (JSON Web Key) Header Parameter must be a public key');\n return key;\n}\n\n\n\n\n\nfunction $34d7790339015997$var$getKtyFromAlg(alg) {\n switch(typeof alg === \"string\" && alg.slice(0, 2)){\n case \"RS\":\n case \"PS\":\n return \"RSA\";\n case \"ES\":\n return \"EC\";\n case \"Ed\":\n return \"OKP\";\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Unsupported \"alg\" value for a JSON Web Key Set');\n }\n}\nfunction $34d7790339015997$export$d01e0ebadbb4baf(jwks) {\n return jwks && typeof jwks === \"object\" && Array.isArray(jwks.keys) && jwks.keys.every($34d7790339015997$var$isJWKLike);\n}\nfunction $34d7790339015997$var$isJWKLike(key) {\n return (0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(key);\n}\nfunction $34d7790339015997$var$clone(obj) {\n if (typeof structuredClone === \"function\") return structuredClone(obj);\n return JSON.parse(JSON.stringify(obj));\n}\nclass $34d7790339015997$export$cfeaec9a672ea12b {\n constructor(jwks){\n this._cached = new WeakMap();\n if (!$34d7790339015997$export$d01e0ebadbb4baf(jwks)) throw new (0, $599ac781534a947a$export$9b22c2a1e2403b8e)(\"JSON Web Key Set malformed\");\n this._jwks = $34d7790339015997$var$clone(jwks);\n }\n async getKey(protectedHeader, token) {\n const { alg: alg, kid: kid } = {\n ...protectedHeader,\n ...token === null || token === void 0 ? void 0 : token.header\n };\n const kty = $34d7790339015997$var$getKtyFromAlg(alg);\n const candidates = this._jwks.keys.filter((jwk)=>{\n let candidate = kty === jwk.kty;\n if (candidate && typeof kid === \"string\") candidate = kid === jwk.kid;\n if (candidate && typeof jwk.alg === \"string\") candidate = alg === jwk.alg;\n if (candidate && typeof jwk.use === \"string\") candidate = jwk.use === \"sig\";\n if (candidate && Array.isArray(jwk.key_ops)) candidate = jwk.key_ops.includes(\"verify\");\n if (candidate && alg === \"EdDSA\") candidate = jwk.crv === \"Ed25519\" || jwk.crv === \"Ed448\";\n if (candidate) switch(alg){\n case \"ES256\":\n candidate = jwk.crv === \"P-256\";\n break;\n case \"ES256K\":\n candidate = jwk.crv === \"secp256k1\";\n break;\n case \"ES384\":\n candidate = jwk.crv === \"P-384\";\n break;\n case \"ES512\":\n candidate = jwk.crv === \"P-521\";\n break;\n }\n return candidate;\n });\n const { 0: jwk, length: length } = candidates;\n if (length === 0) throw new (0, $599ac781534a947a$export$3d5ed1a538bed04e)();\n else if (length !== 1) {\n const error = new (0, $599ac781534a947a$export$dc036de401a5c284)();\n const { _cached: _cached } = this;\n error[Symbol.asyncIterator] = async function*() {\n for (const jwk of candidates)try {\n yield await $34d7790339015997$var$importWithAlgCache(_cached, jwk, alg);\n } catch (_a) {\n continue;\n }\n };\n throw error;\n }\n return $34d7790339015997$var$importWithAlgCache(this._cached, jwk, alg);\n }\n}\nasync function $34d7790339015997$var$importWithAlgCache(cache, jwk, alg) {\n const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);\n if (cached[alg] === undefined) {\n const key = await (0, $d3f3b992c534ed5a$export$2b70d37b4d0b888b)({\n ...jwk,\n ext: true\n }, alg);\n if (key instanceof Uint8Array || key.type !== \"public\") throw new (0, $599ac781534a947a$export$9b22c2a1e2403b8e)(\"JSON Web Key Set members must be public keys\");\n cached[alg] = key;\n }\n return cached[alg];\n}\nfunction $34d7790339015997$export$4892abc640e5f80e(jwks) {\n const set = new $34d7790339015997$export$cfeaec9a672ea12b(jwks);\n return async function(protectedHeader, token) {\n return set.getKey(protectedHeader, token);\n };\n}\n\n\n\nconst $22e7f56c38b2bd5a$var$fetchJwks = async (url, timeout, options)=>{\n let controller;\n let id;\n let timedOut = false;\n if (typeof AbortController === \"function\") {\n controller = new AbortController();\n id = setTimeout(()=>{\n timedOut = true;\n controller.abort();\n }, timeout);\n }\n const response = await fetch(url.href, {\n signal: controller ? controller.signal : undefined,\n redirect: \"manual\",\n headers: options.headers\n }).catch((err)=>{\n if (timedOut) throw new (0, $599ac781534a947a$export$3f30acebf25c04e6)();\n throw err;\n });\n if (id !== undefined) clearTimeout(id);\n if (response.status !== 200) throw new (0, $599ac781534a947a$export$f754d6850d76bf87)(\"Expected 200 OK from the JSON Web Key Set HTTP response\");\n try {\n return await response.json();\n } catch (_a) {\n throw new (0, $599ac781534a947a$export$f754d6850d76bf87)(\"Failed to parse the JSON Web Key Set HTTP response as JSON\");\n }\n};\nvar $22e7f56c38b2bd5a$export$2e2bcd8739ae039 = $22e7f56c38b2bd5a$var$fetchJwks;\n\n\n\n\n\nclass $3c97161a25c83f88$var$RemoteJWKSet extends (0, $34d7790339015997$export$cfeaec9a672ea12b) {\n constructor(url, options){\n super({\n keys: []\n });\n this._jwks = undefined;\n if (!(url instanceof URL)) throw new TypeError(\"url must be an instance of URL\");\n this._url = new URL(url.href);\n this._options = {\n agent: options === null || options === void 0 ? void 0 : options.agent,\n headers: options === null || options === void 0 ? void 0 : options.headers\n };\n this._timeoutDuration = typeof (options === null || options === void 0 ? void 0 : options.timeoutDuration) === \"number\" ? options === null || options === void 0 ? void 0 : options.timeoutDuration : 5000;\n this._cooldownDuration = typeof (options === null || options === void 0 ? void 0 : options.cooldownDuration) === \"number\" ? options === null || options === void 0 ? void 0 : options.cooldownDuration : 30000;\n this._cacheMaxAge = typeof (options === null || options === void 0 ? void 0 : options.cacheMaxAge) === \"number\" ? options === null || options === void 0 ? void 0 : options.cacheMaxAge : 600000;\n }\n coolingDown() {\n return typeof this._jwksTimestamp === \"number\" ? Date.now() < this._jwksTimestamp + this._cooldownDuration : false;\n }\n fresh() {\n return typeof this._jwksTimestamp === \"number\" ? Date.now() < this._jwksTimestamp + this._cacheMaxAge : false;\n }\n async getKey(protectedHeader, token) {\n if (!this._jwks || !this.fresh()) await this.reload();\n try {\n return await super.getKey(protectedHeader, token);\n } catch (err) {\n if (err instanceof (0, $599ac781534a947a$export$3d5ed1a538bed04e)) {\n if (this.coolingDown() === false) {\n await this.reload();\n return super.getKey(protectedHeader, token);\n }\n }\n throw err;\n }\n }\n async reload() {\n if (this._pendingFetch && (0, $5852df024b41aa91$export$7b262397cadac19f)()) this._pendingFetch = undefined;\n this._pendingFetch || (this._pendingFetch = (0, $22e7f56c38b2bd5a$export$2e2bcd8739ae039)(this._url, this._timeoutDuration, this._options).then((json)=>{\n if (!(0, $34d7790339015997$export$d01e0ebadbb4baf)(json)) throw new (0, $599ac781534a947a$export$9b22c2a1e2403b8e)(\"JSON Web Key Set malformed\");\n this._jwks = {\n keys: json.keys\n };\n this._jwksTimestamp = Date.now();\n this._pendingFetch = undefined;\n }).catch((err)=>{\n this._pendingFetch = undefined;\n throw err;\n }));\n await this._pendingFetch;\n }\n}\nfunction $3c97161a25c83f88$export$78ce35c2df51c333(url, options) {\n const set = new $3c97161a25c83f88$var$RemoteJWKSet(url, options);\n return async function(protectedHeader, token) {\n return set.getKey(protectedHeader, token);\n };\n}\n\n\n\n\n\n\n\nclass $77e6b4edfb8cf2f7$export$6404fb90f16d8733 extends (0, $46f2da2b3de4ed34$export$2ef1b74b7c7e6eb3) {\n encode() {\n const header = $54a6e0e463467b0a$export$c564cdbbe6da493(JSON.stringify({\n alg: \"none\"\n }));\n const payload = $54a6e0e463467b0a$export$c564cdbbe6da493(JSON.stringify(this._payload));\n return `${header}.${payload}.`;\n }\n static decode(jwt, options) {\n if (typeof jwt !== \"string\") throw new (0, $599ac781534a947a$export$936b39ada0bbfceb)(\"Unsecured JWT must be a string\");\n const { 0: encodedHeader, 1: encodedPayload, 2: signature, length: length } = jwt.split(\".\");\n if (length !== 3 || signature !== \"\") throw new (0, $599ac781534a947a$export$936b39ada0bbfceb)(\"Invalid Unsecured JWT\");\n let header;\n try {\n header = JSON.parse((0, $8c3dacf85b96b392$export$124c96e6ce37090b).decode($54a6e0e463467b0a$export$2f872c0f2117be69(encodedHeader)));\n if (header.alg !== \"none\") throw new Error();\n } catch (_a) {\n throw new (0, $599ac781534a947a$export$936b39ada0bbfceb)(\"Invalid Unsecured JWT\");\n }\n const payload = (0, $b4d6c2e00c056d92$export$2e2bcd8739ae039)(header, $54a6e0e463467b0a$export$2f872c0f2117be69(encodedPayload), options);\n return {\n payload: payload,\n header: header\n };\n }\n}\n\n\n\n\n\nconst $037928530fb1a7c6$export$c564cdbbe6da493 = $54a6e0e463467b0a$export$c564cdbbe6da493;\nconst $037928530fb1a7c6$export$2f872c0f2117be69 = $54a6e0e463467b0a$export$2f872c0f2117be69;\n\n\n\n\nfunction $bebad503ff32169d$export$ca23208356ba8d90(token) {\n let protectedB64u;\n if (typeof token === \"string\") {\n const parts = token.split(\".\");\n if (parts.length === 3 || parts.length === 5) [protectedB64u] = parts;\n } else if (typeof token === \"object\" && token) {\n if (\"protected\" in token) protectedB64u = token.protected;\n else throw new TypeError(\"Token does not contain a Protected Header\");\n }\n try {\n if (typeof protectedB64u !== \"string\" || !protectedB64u) throw new Error();\n const result = JSON.parse((0, $8c3dacf85b96b392$export$124c96e6ce37090b).decode((0, $037928530fb1a7c6$export$2f872c0f2117be69)(protectedB64u)));\n if (!(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(result)) throw new Error();\n return result;\n } catch (_a) {\n throw new TypeError(\"Invalid Token or Protected Header formatting\");\n }\n}\n\n\n\n\n\n\nfunction $8450eca62cfceb24$export$dcef71b8fb9a6794(jwt) {\n if (typeof jwt !== \"string\") throw new (0, $599ac781534a947a$export$936b39ada0bbfceb)(\"JWTs must use Compact JWS serialization, JWT must be a string\");\n const { 1: payload, length: length } = jwt.split(\".\");\n if (length === 5) throw new (0, $599ac781534a947a$export$936b39ada0bbfceb)(\"Only JWTs using Compact JWS serialization can be decoded\");\n if (length !== 3) throw new (0, $599ac781534a947a$export$936b39ada0bbfceb)(\"Invalid JWT\");\n if (!payload) throw new (0, $599ac781534a947a$export$936b39ada0bbfceb)(\"JWTs must contain a payload\");\n let decoded;\n try {\n decoded = (0, $037928530fb1a7c6$export$2f872c0f2117be69)(payload);\n } catch (_a) {\n throw new (0, $599ac781534a947a$export$936b39ada0bbfceb)(\"Failed to parse the base64url encoded payload\");\n }\n let result;\n try {\n result = JSON.parse((0, $8c3dacf85b96b392$export$124c96e6ce37090b).decode(decoded));\n } catch (_b) {\n throw new (0, $599ac781534a947a$export$936b39ada0bbfceb)(\"Failed to parse the decoded payload as JSON\");\n }\n if (!(0, $319a04fbce04ffdb$export$2e2bcd8739ae039)(result)) throw new (0, $599ac781534a947a$export$936b39ada0bbfceb)(\"Invalid JWT Claims Set\");\n return result;\n}\n\n\n\n\n\n\n\nasync function $27e8ab24924f68d3$export$25395fe8d170ad7(alg, options) {\n var _a;\n let length;\n let algorithm;\n let keyUsages;\n switch(alg){\n case \"HS256\":\n case \"HS384\":\n case \"HS512\":\n length = parseInt(alg.slice(-3), 10);\n algorithm = {\n name: \"HMAC\",\n hash: `SHA-${length}`,\n length: length\n };\n keyUsages = [\n \"sign\",\n \"verify\"\n ];\n break;\n case \"A128CBC-HS256\":\n case \"A192CBC-HS384\":\n case \"A256CBC-HS512\":\n length = parseInt(alg.slice(-3), 10);\n return (0, $add6505a95ba3e92$export$2e2bcd8739ae039)(new Uint8Array(length >> 3));\n case \"A128KW\":\n case \"A192KW\":\n case \"A256KW\":\n length = parseInt(alg.slice(1, 4), 10);\n algorithm = {\n name: \"AES-KW\",\n length: length\n };\n keyUsages = [\n \"wrapKey\",\n \"unwrapKey\"\n ];\n break;\n case \"A128GCMKW\":\n case \"A192GCMKW\":\n case \"A256GCMKW\":\n case \"A128GCM\":\n case \"A192GCM\":\n case \"A256GCM\":\n length = parseInt(alg.slice(1, 4), 10);\n algorithm = {\n name: \"AES-GCM\",\n length: length\n };\n keyUsages = [\n \"encrypt\",\n \"decrypt\"\n ];\n break;\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n return (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.generateKey(algorithm, (_a = options === null || options === void 0 ? void 0 : options.extractable) !== null && _a !== void 0 ? _a : false, keyUsages);\n}\nfunction $27e8ab24924f68d3$var$getModulusLengthOption(options) {\n var _a;\n const modulusLength = (_a = options === null || options === void 0 ? void 0 : options.modulusLength) !== null && _a !== void 0 ? _a : 2048;\n if (typeof modulusLength !== \"number\" || modulusLength < 2048) throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(\"Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used\");\n return modulusLength;\n}\nasync function $27e8ab24924f68d3$export$a949d36eab55b41f(alg, options) {\n var _a, _b, _c, _d;\n let algorithm;\n let keyUsages;\n switch(alg){\n case \"PS256\":\n case \"PS384\":\n case \"PS512\":\n algorithm = {\n name: \"RSA-PSS\",\n hash: `SHA-${alg.slice(-3)}`,\n publicExponent: new Uint8Array([\n 0x01,\n 0x00,\n 0x01\n ]),\n modulusLength: $27e8ab24924f68d3$var$getModulusLengthOption(options)\n };\n keyUsages = [\n \"sign\",\n \"verify\"\n ];\n break;\n case \"RS256\":\n case \"RS384\":\n case \"RS512\":\n algorithm = {\n name: \"RSASSA-PKCS1-v1_5\",\n hash: `SHA-${alg.slice(-3)}`,\n publicExponent: new Uint8Array([\n 0x01,\n 0x00,\n 0x01\n ]),\n modulusLength: $27e8ab24924f68d3$var$getModulusLengthOption(options)\n };\n keyUsages = [\n \"sign\",\n \"verify\"\n ];\n break;\n case \"RSA-OAEP\":\n case \"RSA-OAEP-256\":\n case \"RSA-OAEP-384\":\n case \"RSA-OAEP-512\":\n algorithm = {\n name: \"RSA-OAEP\",\n hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`,\n publicExponent: new Uint8Array([\n 0x01,\n 0x00,\n 0x01\n ]),\n modulusLength: $27e8ab24924f68d3$var$getModulusLengthOption(options)\n };\n keyUsages = [\n \"decrypt\",\n \"unwrapKey\",\n \"encrypt\",\n \"wrapKey\"\n ];\n break;\n case \"ES256\":\n algorithm = {\n name: \"ECDSA\",\n namedCurve: \"P-256\"\n };\n keyUsages = [\n \"sign\",\n \"verify\"\n ];\n break;\n case \"ES384\":\n algorithm = {\n name: \"ECDSA\",\n namedCurve: \"P-384\"\n };\n keyUsages = [\n \"sign\",\n \"verify\"\n ];\n break;\n case \"ES512\":\n algorithm = {\n name: \"ECDSA\",\n namedCurve: \"P-521\"\n };\n keyUsages = [\n \"sign\",\n \"verify\"\n ];\n break;\n case \"EdDSA\":\n keyUsages = [\n \"sign\",\n \"verify\"\n ];\n const crv = (_a = options === null || options === void 0 ? void 0 : options.crv) !== null && _a !== void 0 ? _a : \"Ed25519\";\n switch(crv){\n case \"Ed25519\":\n case \"Ed448\":\n algorithm = {\n name: crv\n };\n break;\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(\"Invalid or unsupported crv option provided\");\n }\n break;\n case \"ECDH-ES\":\n case \"ECDH-ES+A128KW\":\n case \"ECDH-ES+A192KW\":\n case \"ECDH-ES+A256KW\":\n {\n keyUsages = [\n \"deriveKey\",\n \"deriveBits\"\n ];\n const crv = (_b = options === null || options === void 0 ? void 0 : options.crv) !== null && _b !== void 0 ? _b : \"P-256\";\n switch(crv){\n case \"P-256\":\n case \"P-384\":\n case \"P-521\":\n algorithm = {\n name: \"ECDH\",\n namedCurve: crv\n };\n break;\n case \"X25519\":\n case \"X448\":\n algorithm = {\n name: crv\n };\n break;\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)(\"Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448\");\n }\n break;\n }\n default:\n throw new (0, $599ac781534a947a$export$19ddbcbf2016ab28)('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n try {\n return await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.generateKey(algorithm, (_c = options === null || options === void 0 ? void 0 : options.extractable) !== null && _c !== void 0 ? _c : false, keyUsages);\n } catch (err) {\n if (algorithm.name === \"Ed25519\" && (err === null || err === void 0 ? void 0 : err.name) === \"NotSupportedError\" && (0, $5852df024b41aa91$export$7b262397cadac19f)()) {\n algorithm = {\n name: \"NODE-ED25519\",\n namedCurve: \"NODE-ED25519\"\n };\n return await (0, $3f0b33e7ccc65ae0$export$2e2bcd8739ae039).subtle.generateKey(algorithm, (_d = options === null || options === void 0 ? void 0 : options.extractable) !== null && _d !== void 0 ? _d : false, keyUsages);\n }\n throw err;\n }\n}\n\n\nasync function $fac953757d12c296$export$a949d36eab55b41f(alg, options) {\n return (0, $27e8ab24924f68d3$export$a949d36eab55b41f)(alg, options);\n}\n\n\n\nasync function $32b2e4a7f1f02d78$export$25395fe8d170ad7(alg, options) {\n return (0, $27e8ab24924f68d3$export$25395fe8d170ad7)(alg, options);\n}\n\n\n\n\n\nfunction $295d08103c698a2a$var$createDataValue(idToken, field) {\n const value = document.createElement(\"p\");\n value.className = \"jwt-data-value\";\n value.textContent = `${idToken[field]}`;\n return value;\n}\nfunction $295d08103c698a2a$var$createDataRow(field) {\n const name = document.createElement(\"p\");\n name.className = \"jwt-data-name\";\n name.textContent = `${field}:`;\n return name;\n}\nfunction $295d08103c698a2a$var$renderIdTokenContents() {\n const idTokenQueryParam = new URLSearchParams(window.location.search).get(\"id_token\");\n if (!idTokenQueryParam) return;\n const idToken = $8450eca62cfceb24$export$dcef71b8fb9a6794(idTokenQueryParam);\n const container = document.getElementById(\"jwt-container\");\n const header = document.createElement(\"h2\");\n header.textContent = \"ID-token contents\";\n container.append(header);\n for(const field in idToken){\n const name = $295d08103c698a2a$var$createDataRow(field);\n const value = $295d08103c698a2a$var$createDataValue(idToken, field);\n const br = document.createElement(\"br\");\n container.append(name);\n container.append(value);\n container.append(br);\n }\n}\nfunction $295d08103c698a2a$var$renderButtons() {\n const idTokenQueryParam = new URLSearchParams(window.location.search).get(\"id_token\");\n if (!idTokenQueryParam) {\n document.getElementById(\"logout\").style.display = \"none\";\n return;\n }\n document.getElementById(\"login\").style.display = \"none\";\n}\n$295d08103c698a2a$var$renderIdTokenContents();\n$295d08103c698a2a$var$renderButtons();\n\n\n//# sourceMappingURL=index.6d9657b5.js.map\n","import * as jose from 'jose'\nimport { JWTPayload } from \"jose\";\n\nfunction createDataValue(idToken: JWTPayload, field: string) {\n const value = document.createElement(\"p\")\n value.className = \"jwt-data-value\"\n value.textContent = `${idToken[field]}`\n return value;\n}\n\nfunction createDataRow(field: string) {\n const name = document.createElement(\"p\")\n name.className = \"jwt-data-name\"\n name.textContent = `${field}:`\n return name;\n}\n\nfunction renderIdTokenContents() {\n const idTokenQueryParam = new URLSearchParams(window.location.search).get(\"id_token\")\n\n if (!idTokenQueryParam) {\n return\n }\n\n const idToken = jose.decodeJwt(idTokenQueryParam)\n\n const container = document.getElementById(\"jwt-container\")\n\n const header = document.createElement(\"h2\")\n header.textContent = \"ID-token contents\"\n container.append(header)\n\n for (const field in idToken) {\n const name = createDataRow(field);\n const value = createDataValue(idToken, field);\n const br = document.createElement('br')\n container.append(name)\n container.append(value)\n container.append(br)\n }\n}\n\nfunction renderButtons() {\n const idTokenQueryParam = new URLSearchParams(window.location.search).get(\"id_token\")\n\n if (!idTokenQueryParam) {\n document.getElementById(\"logout\").style.display = \"none\"\n return\n }\n\n document.getElementById(\"login\").style.display = \"none\"\n}\n\nrenderIdTokenContents()\nrenderButtons()","export { compactDecrypt } from './jwe/compact/decrypt.js';\nexport { flattenedDecrypt } from './jwe/flattened/decrypt.js';\nexport { generalDecrypt } from './jwe/general/decrypt.js';\nexport { GeneralEncrypt } from './jwe/general/encrypt.js';\nexport { compactVerify } from './jws/compact/verify.js';\nexport { flattenedVerify } from './jws/flattened/verify.js';\nexport { generalVerify } from './jws/general/verify.js';\nexport { jwtVerify } from './jwt/verify.js';\nexport { jwtDecrypt } from './jwt/decrypt.js';\nexport { CompactEncrypt } from './jwe/compact/encrypt.js';\nexport { FlattenedEncrypt } from './jwe/flattened/encrypt.js';\nexport { CompactSign } from './jws/compact/sign.js';\nexport { FlattenedSign } from './jws/flattened/sign.js';\nexport { GeneralSign } from './jws/general/sign.js';\nexport { SignJWT } from './jwt/sign.js';\nexport { EncryptJWT } from './jwt/encrypt.js';\nexport { calculateJwkThumbprint, calculateJwkThumbprintUri } from './jwk/thumbprint.js';\nexport { EmbeddedJWK } from './jwk/embedded.js';\nexport { createLocalJWKSet } from './jwks/local.js';\nexport { createRemoteJWKSet } from './jwks/remote.js';\nexport { UnsecuredJWT } from './jwt/unsecured.js';\nexport { exportPKCS8, exportSPKI, exportJWK } from './key/export.js';\nexport { importSPKI, importPKCS8, importX509, importJWK } from './key/import.js';\nexport { decodeProtectedHeader } from './util/decode_protected_header.js';\nexport { decodeJwt } from './util/decode_jwt.js';\nimport * as errors_1 from './util/errors.js';\nexport { errors_1 as errors };\nexport { generateKeyPair } from './key/generate_key_pair.js';\nexport { generateSecret } from './key/generate_secret.js';\nimport * as base64url_1 from './util/base64url.js';\nexport { base64url_1 as base64url };\n","import { flattenedDecrypt } from '../flattened/decrypt.js';\nimport { JWEInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactDecrypt(jwe, key, options) {\n if (jwe instanceof Uint8Array) {\n jwe = decoder.decode(jwe);\n }\n if (typeof jwe !== 'string') {\n throw new JWEInvalid('Compact JWE must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: encryptedKey, 2: iv, 3: ciphertext, 4: tag, length, } = jwe.split('.');\n if (length !== 5) {\n throw new JWEInvalid('Invalid Compact JWE');\n }\n const decrypted = await flattenedDecrypt({\n ciphertext,\n iv: (iv || undefined),\n protected: protectedHeader || undefined,\n tag: (tag || undefined),\n encrypted_key: encryptedKey || undefined,\n }, key, options);\n const result = { plaintext: decrypted.plaintext, protectedHeader: decrypted.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: decrypted.key };\n }\n return result;\n}\n","import { decode as base64url } from '../../runtime/base64url.js';\nimport decrypt from '../../runtime/decrypt.js';\nimport { inflate } from '../../runtime/zlib.js';\nimport { JOSEAlgNotAllowed, JOSENotSupported, JWEInvalid } from '../../util/errors.js';\nimport isDisjoint from '../../lib/is_disjoint.js';\nimport isObject from '../../lib/is_object.js';\nimport decryptKeyManagement from '../../lib/decrypt_key_management.js';\nimport { encoder, decoder, concat } from '../../lib/buffer_utils.js';\nimport generateCek from '../../lib/cek.js';\nimport validateCrit from '../../lib/validate_crit.js';\nimport validateAlgorithms from '../../lib/validate_algorithms.js';\nexport async function flattenedDecrypt(jwe, key, options) {\n var _a;\n if (!isObject(jwe)) {\n throw new JWEInvalid('Flattened JWE must be an object');\n }\n if (jwe.protected === undefined && jwe.header === undefined && jwe.unprotected === undefined) {\n throw new JWEInvalid('JOSE Header missing');\n }\n if (typeof jwe.iv !== 'string') {\n throw new JWEInvalid('JWE Initialization Vector missing or incorrect type');\n }\n if (typeof jwe.ciphertext !== 'string') {\n throw new JWEInvalid('JWE Ciphertext missing or incorrect type');\n }\n if (typeof jwe.tag !== 'string') {\n throw new JWEInvalid('JWE Authentication Tag missing or incorrect type');\n }\n if (jwe.protected !== undefined && typeof jwe.protected !== 'string') {\n throw new JWEInvalid('JWE Protected Header incorrect type');\n }\n if (jwe.encrypted_key !== undefined && typeof jwe.encrypted_key !== 'string') {\n throw new JWEInvalid('JWE Encrypted Key incorrect type');\n }\n if (jwe.aad !== undefined && typeof jwe.aad !== 'string') {\n throw new JWEInvalid('JWE AAD incorrect type');\n }\n if (jwe.header !== undefined && !isObject(jwe.header)) {\n throw new JWEInvalid('JWE Shared Unprotected Header incorrect type');\n }\n if (jwe.unprotected !== undefined && !isObject(jwe.unprotected)) {\n throw new JWEInvalid('JWE Per-Recipient Unprotected Header incorrect type');\n }\n let parsedProt;\n if (jwe.protected) {\n try {\n const protectedHeader = base64url(jwe.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch (_b) {\n throw new JWEInvalid('JWE Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jwe.header, jwe.unprotected)) {\n throw new JWEInvalid('JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jwe.header,\n ...jwe.unprotected,\n };\n validateCrit(JWEInvalid, new Map(), options === null || options === void 0 ? void 0 : options.crit, parsedProt, joseHeader);\n if (joseHeader.zip !== undefined) {\n if (!parsedProt || !parsedProt.zip) {\n throw new JWEInvalid('JWE \"zip\" (Compression Algorithm) Header MUST be integrity protected');\n }\n if (joseHeader.zip !== 'DEF') {\n throw new JOSENotSupported('Unsupported JWE \"zip\" (Compression Algorithm) Header Parameter value');\n }\n }\n const { alg, enc } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWEInvalid('missing JWE Algorithm (alg) in JWE Header');\n }\n if (typeof enc !== 'string' || !enc) {\n throw new JWEInvalid('missing JWE Encryption Algorithm (enc) in JWE Header');\n }\n const keyManagementAlgorithms = options && validateAlgorithms('keyManagementAlgorithms', options.keyManagementAlgorithms);\n const contentEncryptionAlgorithms = options &&\n validateAlgorithms('contentEncryptionAlgorithms', options.contentEncryptionAlgorithms);\n if (keyManagementAlgorithms && !keyManagementAlgorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter not allowed');\n }\n if (contentEncryptionAlgorithms && !contentEncryptionAlgorithms.has(enc)) {\n throw new JOSEAlgNotAllowed('\"enc\" (Encryption Algorithm) Header Parameter not allowed');\n }\n let encryptedKey;\n if (jwe.encrypted_key !== undefined) {\n encryptedKey = base64url(jwe.encrypted_key);\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jwe);\n resolvedKey = true;\n }\n let cek;\n try {\n cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader, options);\n }\n catch (err) {\n if (err instanceof TypeError || err instanceof JWEInvalid || err instanceof JOSENotSupported) {\n throw err;\n }\n cek = generateCek(enc);\n }\n const iv = base64url(jwe.iv);\n const tag = base64url(jwe.tag);\n const protectedHeader = encoder.encode((_a = jwe.protected) !== null && _a !== void 0 ? _a : '');\n let additionalData;\n if (jwe.aad !== undefined) {\n additionalData = concat(protectedHeader, encoder.encode('.'), encoder.encode(jwe.aad));\n }\n else {\n additionalData = protectedHeader;\n }\n let plaintext = await decrypt(enc, cek, base64url(jwe.ciphertext), iv, tag, additionalData);\n if (joseHeader.zip === 'DEF') {\n plaintext = await ((options === null || options === void 0 ? void 0 : options.inflateRaw) || inflate)(plaintext);\n }\n const result = { plaintext };\n if (jwe.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jwe.aad !== undefined) {\n result.additionalAuthenticatedData = base64url(jwe.aad);\n }\n if (jwe.unprotected !== undefined) {\n result.sharedUnprotectedHeader = jwe.unprotected;\n }\n if (jwe.header !== undefined) {\n result.unprotectedHeader = jwe.header;\n }\n if (resolvedKey) {\n return { ...result, key };\n }\n return result;\n}\n","import { encoder, decoder } from '../lib/buffer_utils.js';\nexport const encodeBase64 = (input) => {\n let unencoded = input;\n if (typeof unencoded === 'string') {\n unencoded = encoder.encode(unencoded);\n }\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for (let i = 0; i < unencoded.length; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, unencoded.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join(''));\n};\nexport const encode = (input) => {\n return encodeBase64(input).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n};\nexport const decodeBase64 = (encoded) => {\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n};\nexport const decode = (input) => {\n let encoded = input;\n if (encoded instanceof Uint8Array) {\n encoded = decoder.decode(encoded);\n }\n encoded = encoded.replace(/-/g, '+').replace(/_/g, '/').replace(/\\s/g, '');\n try {\n return decodeBase64(encoded);\n }\n catch (_a) {\n throw new TypeError('The input to be decoded is not correctly encoded.');\n }\n};\n","import digest from '../runtime/digest.js';\nexport const encoder = new TextEncoder();\nexport const decoder = new TextDecoder();\nconst MAX_INT32 = 2 ** 32;\nexport function concat(...buffers) {\n const size = buffers.reduce((acc, { length }) => acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n buffers.forEach((buffer) => {\n buf.set(buffer, i);\n i += buffer.length;\n });\n return buf;\n}\nexport function p2s(alg, p2sInput) {\n return concat(encoder.encode(alg), new Uint8Array([0]), p2sInput);\n}\nfunction writeUInt32BE(buf, value, offset) {\n if (value < 0 || value >= MAX_INT32) {\n throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);\n }\n buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);\n}\nexport function uint64be(value) {\n const high = Math.floor(value / MAX_INT32);\n const low = value % MAX_INT32;\n const buf = new Uint8Array(8);\n writeUInt32BE(buf, high, 0);\n writeUInt32BE(buf, low, 4);\n return buf;\n}\nexport function uint32be(value) {\n const buf = new Uint8Array(4);\n writeUInt32BE(buf, value);\n return buf;\n}\nexport function lengthAndInput(input) {\n return concat(uint32be(input.length), input);\n}\nexport async function concatKdf(secret, bits, value) {\n const iterations = Math.ceil((bits >> 3) / 32);\n const res = new Uint8Array(iterations * 32);\n for (let iter = 0; iter < iterations; iter++) {\n const buf = new Uint8Array(4 + secret.length + value.length);\n buf.set(uint32be(iter + 1));\n buf.set(secret, 4);\n buf.set(value, 4 + secret.length);\n res.set(await digest('sha256', buf), iter * 32);\n }\n return res.slice(0, bits >> 3);\n}\n","import crypto from './webcrypto.js';\nconst digest = async (algorithm, data) => {\n const subtleDigest = `SHA-${algorithm.slice(-3)}`;\n return new Uint8Array(await crypto.subtle.digest(subtleDigest, data));\n};\nexport default digest;\n","export default crypto;\nexport const isCryptoKey = (key) => key instanceof CryptoKey;\n","import { concat, uint64be } from '../lib/buffer_utils.js';\nimport checkIvLength from '../lib/check_iv_length.js';\nimport checkCekLength from './check_cek_length.js';\nimport timingSafeEqual from './timing_safe_equal.js';\nimport { JOSENotSupported, JWEDecryptionFailed } from '../util/errors.js';\nimport crypto, { isCryptoKey } from './webcrypto.js';\nimport { checkEncCryptoKey } from '../lib/crypto_key.js';\nimport invalidKeyInput from '../lib/invalid_key_input.js';\nimport { types } from './is_key_like.js';\nasync function cbcDecrypt(enc, cek, ciphertext, iv, tag, aad) {\n if (!(cek instanceof Uint8Array)) {\n throw new TypeError(invalidKeyInput(cek, 'Uint8Array'));\n }\n const keySize = parseInt(enc.slice(1, 4), 10);\n const encKey = await crypto.subtle.importKey('raw', cek.subarray(keySize >> 3), 'AES-CBC', false, ['decrypt']);\n const macKey = await crypto.subtle.importKey('raw', cek.subarray(0, keySize >> 3), {\n hash: `SHA-${keySize << 1}`,\n name: 'HMAC',\n }, false, ['sign']);\n const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));\n const expectedTag = new Uint8Array((await crypto.subtle.sign('HMAC', macKey, macData)).slice(0, keySize >> 3));\n let macCheckPassed;\n try {\n macCheckPassed = timingSafeEqual(tag, expectedTag);\n }\n catch (_a) {\n }\n if (!macCheckPassed) {\n throw new JWEDecryptionFailed();\n }\n let plaintext;\n try {\n plaintext = new Uint8Array(await crypto.subtle.decrypt({ iv, name: 'AES-CBC' }, encKey, ciphertext));\n }\n catch (_b) {\n }\n if (!plaintext) {\n throw new JWEDecryptionFailed();\n }\n return plaintext;\n}\nasync function gcmDecrypt(enc, cek, ciphertext, iv, tag, aad) {\n let encKey;\n if (cek instanceof Uint8Array) {\n encKey = await crypto.subtle.importKey('raw', cek, 'AES-GCM', false, ['decrypt']);\n }\n else {\n checkEncCryptoKey(cek, enc, 'decrypt');\n encKey = cek;\n }\n try {\n return new Uint8Array(await crypto.subtle.decrypt({\n additionalData: aad,\n iv,\n name: 'AES-GCM',\n tagLength: 128,\n }, encKey, concat(ciphertext, tag)));\n }\n catch (_a) {\n throw new JWEDecryptionFailed();\n }\n}\nconst decrypt = async (enc, cek, ciphertext, iv, tag, aad) => {\n if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) {\n throw new TypeError(invalidKeyInput(cek, ...types, 'Uint8Array'));\n }\n checkIvLength(enc, iv);\n switch (enc) {\n case 'A128CBC-HS256':\n case 'A192CBC-HS384':\n case 'A256CBC-HS512':\n if (cek instanceof Uint8Array)\n checkCekLength(cek, parseInt(enc.slice(-3), 10));\n return cbcDecrypt(enc, cek, ciphertext, iv, tag, aad);\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM':\n if (cek instanceof Uint8Array)\n checkCekLength(cek, parseInt(enc.slice(1, 4), 10));\n return gcmDecrypt(enc, cek, ciphertext, iv, tag, aad);\n default:\n throw new JOSENotSupported('Unsupported JWE Content Encryption Algorithm');\n }\n};\nexport default decrypt;\n","import { JWEInvalid } from '../util/errors.js';\nimport { bitLength } from './iv.js';\nconst checkIvLength = (enc, iv) => {\n if (iv.length << 3 !== bitLength(enc)) {\n throw new JWEInvalid('Invalid Initialization Vector length');\n }\n};\nexport default checkIvLength;\n","export class JOSEError extends Error {\n static get code() {\n return 'ERR_JOSE_GENERIC';\n }\n constructor(message) {\n var _a;\n super(message);\n this.code = 'ERR_JOSE_GENERIC';\n this.name = this.constructor.name;\n (_a = Error.captureStackTrace) === null || _a === void 0 ? void 0 : _a.call(Error, this, this.constructor);\n }\n}\nexport class JWTClaimValidationFailed extends JOSEError {\n static get code() {\n return 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n }\n constructor(message, claim = 'unspecified', reason = 'unspecified') {\n super(message);\n this.code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n this.claim = claim;\n this.reason = reason;\n }\n}\nexport class JWTExpired extends JOSEError {\n static get code() {\n return 'ERR_JWT_EXPIRED';\n }\n constructor(message, claim = 'unspecified', reason = 'unspecified') {\n super(message);\n this.code = 'ERR_JWT_EXPIRED';\n this.claim = claim;\n this.reason = reason;\n }\n}\nexport class JOSEAlgNotAllowed extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n }\n static get code() {\n return 'ERR_JOSE_ALG_NOT_ALLOWED';\n }\n}\nexport class JOSENotSupported extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JOSE_NOT_SUPPORTED';\n }\n static get code() {\n return 'ERR_JOSE_NOT_SUPPORTED';\n }\n}\nexport class JWEDecryptionFailed extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWE_DECRYPTION_FAILED';\n this.message = 'decryption operation failed';\n }\n static get code() {\n return 'ERR_JWE_DECRYPTION_FAILED';\n }\n}\nexport class JWEInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWE_INVALID';\n }\n static get code() {\n return 'ERR_JWE_INVALID';\n }\n}\nexport class JWSInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWS_INVALID';\n }\n static get code() {\n return 'ERR_JWS_INVALID';\n }\n}\nexport class JWTInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWT_INVALID';\n }\n static get code() {\n return 'ERR_JWT_INVALID';\n }\n}\nexport class JWKInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWK_INVALID';\n }\n static get code() {\n return 'ERR_JWK_INVALID';\n }\n}\nexport class JWKSInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWKS_INVALID';\n }\n static get code() {\n return 'ERR_JWKS_INVALID';\n }\n}\nexport class JWKSNoMatchingKey extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWKS_NO_MATCHING_KEY';\n this.message = 'no applicable key found in the JSON Web Key Set';\n }\n static get code() {\n return 'ERR_JWKS_NO_MATCHING_KEY';\n }\n}\nexport class JWKSMultipleMatchingKeys extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n this.message = 'multiple matching keys found in the JSON Web Key Set';\n }\n static get code() {\n return 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n }\n}\nSymbol.asyncIterator;\nexport class JWKSTimeout extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWKS_TIMEOUT';\n this.message = 'request timed out';\n }\n static get code() {\n return 'ERR_JWKS_TIMEOUT';\n }\n}\nexport class JWSSignatureVerificationFailed extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n this.message = 'signature verification failed';\n }\n static get code() {\n return 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nimport random from '../runtime/random.js';\nexport function bitLength(alg) {\n switch (alg) {\n case 'A128GCM':\n case 'A128GCMKW':\n case 'A192GCM':\n case 'A192GCMKW':\n case 'A256GCM':\n case 'A256GCMKW':\n return 96;\n case 'A128CBC-HS256':\n case 'A192CBC-HS384':\n case 'A256CBC-HS512':\n return 128;\n default:\n throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);\n }\n}\nexport default (alg) => random(new Uint8Array(bitLength(alg) >> 3));\n","import crypto from './webcrypto.js';\nexport default crypto.getRandomValues.bind(crypto);\n","import { JWEInvalid } from '../util/errors.js';\nconst checkCekLength = (cek, expected) => {\n const actual = cek.byteLength << 3;\n if (actual !== expected) {\n throw new JWEInvalid(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`);\n }\n};\nexport default checkCekLength;\n","const timingSafeEqual = (a, b) => {\n if (!(a instanceof Uint8Array)) {\n throw new TypeError('First argument must be a buffer');\n }\n if (!(b instanceof Uint8Array)) {\n throw new TypeError('Second argument must be a buffer');\n }\n if (a.length !== b.length) {\n throw new TypeError('Input buffers must have the same length');\n }\n const len = a.length;\n let out = 0;\n let i = -1;\n while (++i < len) {\n out |= a[i] ^ b[i];\n }\n return out === 0;\n};\nexport default timingSafeEqual;\n","import { isCloudflareWorkers } from '../runtime/env.js';\nfunction unusable(name, prop = 'algorithm.name') {\n return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\n}\nfunction isAlgorithm(algorithm, name) {\n return algorithm.name === name;\n}\nfunction getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction getNamedCurve(alg) {\n switch (alg) {\n case 'ES256':\n return 'P-256';\n case 'ES384':\n return 'P-384';\n case 'ES512':\n return 'P-521';\n default:\n throw new Error('unreachable');\n }\n}\nfunction checkUsage(key, usages) {\n if (usages.length && !usages.some((expected) => key.usages.includes(expected))) {\n let msg = 'CryptoKey does not support this operation, its usages must include ';\n if (usages.length > 2) {\n const last = usages.pop();\n msg += `one of ${usages.join(', ')}, or ${last}.`;\n }\n else if (usages.length === 2) {\n msg += `one of ${usages[0]} or ${usages[1]}.`;\n }\n else {\n msg += `${usages[0]}.`;\n }\n throw new TypeError(msg);\n }\n}\nexport function checkSigCryptoKey(key, alg, ...usages) {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512': {\n if (!isAlgorithm(key.algorithm, 'HMAC'))\n throw unusable('HMAC');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'RS256':\n case 'RS384':\n case 'RS512': {\n if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))\n throw unusable('RSASSA-PKCS1-v1_5');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'PS256':\n case 'PS384':\n case 'PS512': {\n if (!isAlgorithm(key.algorithm, 'RSA-PSS'))\n throw unusable('RSA-PSS');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'EdDSA': {\n if (key.algorithm.name !== 'Ed25519' && key.algorithm.name !== 'Ed448') {\n if (isCloudflareWorkers()) {\n if (isAlgorithm(key.algorithm, 'NODE-ED25519'))\n break;\n throw unusable('Ed25519, Ed448, or NODE-ED25519');\n }\n throw unusable('Ed25519 or Ed448');\n }\n break;\n }\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n if (!isAlgorithm(key.algorithm, 'ECDSA'))\n throw unusable('ECDSA');\n const expected = getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.namedCurve');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usages);\n}\nexport function checkEncCryptoKey(key, alg, ...usages) {\n switch (alg) {\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM': {\n if (!isAlgorithm(key.algorithm, 'AES-GCM'))\n throw unusable('AES-GCM');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (!isAlgorithm(key.algorithm, 'AES-KW'))\n throw unusable('AES-KW');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'ECDH': {\n switch (key.algorithm.name) {\n case 'ECDH':\n case 'X25519':\n case 'X448':\n break;\n default:\n throw unusable('ECDH, X25519, or X448');\n }\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n if (!isAlgorithm(key.algorithm, 'PBKDF2'))\n throw unusable('PBKDF2');\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))\n throw unusable('RSA-OAEP');\n const expected = parseInt(alg.slice(9), 10) || 1;\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usages);\n}\n","export function isCloudflareWorkers() {\n return (typeof WebSocketPair !== 'undefined' ||\n (typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers') ||\n (typeof EdgeRuntime !== 'undefined' && EdgeRuntime === 'vercel'));\n}\n","function message(msg, actual, ...types) {\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(', ')}, or ${last}.`;\n }\n else if (types.length === 2) {\n msg += `one of type ${types[0]} or ${types[1]}.`;\n }\n else {\n msg += `of type ${types[0]}.`;\n }\n if (actual == null) {\n msg += ` Received ${actual}`;\n }\n else if (typeof actual === 'function' && actual.name) {\n msg += ` Received function ${actual.name}`;\n }\n else if (typeof actual === 'object' && actual != null) {\n if (actual.constructor && actual.constructor.name) {\n msg += ` Received an instance of ${actual.constructor.name}`;\n }\n }\n return msg;\n}\nexport default (actual, ...types) => {\n return message('Key must be ', actual, ...types);\n};\nexport function withAlg(alg, actual, ...types) {\n return message(`Key for the ${alg} algorithm must be `, actual, ...types);\n}\n","import { isCryptoKey } from './webcrypto.js';\nexport default (key) => {\n return isCryptoKey(key);\n};\nexport const types = ['CryptoKey'];\n","import { JOSENotSupported } from '../util/errors.js';\nexport const inflate = async () => {\n throw new JOSENotSupported('JWE \"zip\" (Compression Algorithm) Header Parameter is not supported by your javascript runtime. You need to use the `inflateRaw` decrypt option to provide Inflate Raw implementation.');\n};\nexport const deflate = async () => {\n throw new JOSENotSupported('JWE \"zip\" (Compression Algorithm) Header Parameter is not supported by your javascript runtime. You need to use the `deflateRaw` encrypt option to provide Deflate Raw implementation.');\n};\n","const isDisjoint = (...headers) => {\n const sources = headers.filter(Boolean);\n if (sources.length === 0 || sources.length === 1) {\n return true;\n }\n let acc;\n for (const header of sources) {\n const parameters = Object.keys(header);\n if (!acc || acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters) {\n if (acc.has(parameter)) {\n return false;\n }\n acc.add(parameter);\n }\n }\n return true;\n};\nexport default isDisjoint;\n","function isObjectLike(value) {\n return typeof value === 'object' && value !== null;\n}\nexport default function isObject(input) {\n if (!isObjectLike(input) || Object.prototype.toString.call(input) !== '[object Object]') {\n return false;\n }\n if (Object.getPrototypeOf(input) === null) {\n return true;\n }\n let proto = input;\n while (Object.getPrototypeOf(proto) !== null) {\n proto = Object.getPrototypeOf(proto);\n }\n return Object.getPrototypeOf(input) === proto;\n}\n","import { unwrap as aesKw } from '../runtime/aeskw.js';\nimport * as ECDH from '../runtime/ecdhes.js';\nimport { decrypt as pbes2Kw } from '../runtime/pbes2kw.js';\nimport { decrypt as rsaEs } from '../runtime/rsaes.js';\nimport { decode as base64url } from '../runtime/base64url.js';\nimport { JOSENotSupported, JWEInvalid } from '../util/errors.js';\nimport { bitLength as cekLength } from '../lib/cek.js';\nimport { importJWK } from '../key/import.js';\nimport checkKeyType from './check_key_type.js';\nimport isObject from './is_object.js';\nimport { unwrap as aesGcmKw } from './aesgcmkw.js';\nasync function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) {\n checkKeyType(alg, key, 'decrypt');\n switch (alg) {\n case 'dir': {\n if (encryptedKey !== undefined)\n throw new JWEInvalid('Encountered unexpected JWE Encrypted Key');\n return key;\n }\n case 'ECDH-ES':\n if (encryptedKey !== undefined)\n throw new JWEInvalid('Encountered unexpected JWE Encrypted Key');\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW': {\n if (!isObject(joseHeader.epk))\n throw new JWEInvalid(`JOSE Header \"epk\" (Ephemeral Public Key) missing or invalid`);\n if (!ECDH.ecdhAllowed(key))\n throw new JOSENotSupported('ECDH with the provided key is not allowed or not supported by your javascript runtime');\n const epk = await importJWK(joseHeader.epk, alg);\n let partyUInfo;\n let partyVInfo;\n if (joseHeader.apu !== undefined) {\n if (typeof joseHeader.apu !== 'string')\n throw new JWEInvalid(`JOSE Header \"apu\" (Agreement PartyUInfo) invalid`);\n partyUInfo = base64url(joseHeader.apu);\n }\n if (joseHeader.apv !== undefined) {\n if (typeof joseHeader.apv !== 'string')\n throw new JWEInvalid(`JOSE Header \"apv\" (Agreement PartyVInfo) invalid`);\n partyVInfo = base64url(joseHeader.apv);\n }\n const sharedSecret = await ECDH.deriveKey(epk, key, alg === 'ECDH-ES' ? joseHeader.enc : alg, alg === 'ECDH-ES' ? cekLength(joseHeader.enc) : parseInt(alg.slice(-5, -2), 10), partyUInfo, partyVInfo);\n if (alg === 'ECDH-ES')\n return sharedSecret;\n if (encryptedKey === undefined)\n throw new JWEInvalid('JWE Encrypted Key missing');\n return aesKw(alg.slice(-6), sharedSecret, encryptedKey);\n }\n case 'RSA1_5':\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (encryptedKey === undefined)\n throw new JWEInvalid('JWE Encrypted Key missing');\n return rsaEs(alg, key, encryptedKey);\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW': {\n if (encryptedKey === undefined)\n throw new JWEInvalid('JWE Encrypted Key missing');\n if (typeof joseHeader.p2c !== 'number')\n throw new JWEInvalid(`JOSE Header \"p2c\" (PBES2 Count) missing or invalid`);\n const p2cLimit = (options === null || options === void 0 ? void 0 : options.maxPBES2Count) || 10000;\n if (joseHeader.p2c > p2cLimit)\n throw new JWEInvalid(`JOSE Header \"p2c\" (PBES2 Count) out is of acceptable bounds`);\n if (typeof joseHeader.p2s !== 'string')\n throw new JWEInvalid(`JOSE Header \"p2s\" (PBES2 Salt) missing or invalid`);\n return pbes2Kw(alg, key, encryptedKey, joseHeader.p2c, base64url(joseHeader.p2s));\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (encryptedKey === undefined)\n throw new JWEInvalid('JWE Encrypted Key missing');\n return aesKw(alg, key, encryptedKey);\n }\n case 'A128GCMKW':\n case 'A192GCMKW':\n case 'A256GCMKW': {\n if (encryptedKey === undefined)\n throw new JWEInvalid('JWE Encrypted Key missing');\n if (typeof joseHeader.iv !== 'string')\n throw new JWEInvalid(`JOSE Header \"iv\" (Initialization Vector) missing or invalid`);\n if (typeof joseHeader.tag !== 'string')\n throw new JWEInvalid(`JOSE Header \"tag\" (Authentication Tag) missing or invalid`);\n const iv = base64url(joseHeader.iv);\n const tag = base64url(joseHeader.tag);\n return aesGcmKw(alg, key, encryptedKey, iv, tag);\n }\n default: {\n throw new JOSENotSupported('Invalid or unsupported \"alg\" (JWE Algorithm) header value');\n }\n }\n}\nexport default decryptKeyManagement;\n","import bogusWebCrypto from './bogus.js';\nimport crypto, { isCryptoKey } from './webcrypto.js';\nimport { checkEncCryptoKey } from '../lib/crypto_key.js';\nimport invalidKeyInput from '../lib/invalid_key_input.js';\nimport { types } from './is_key_like.js';\nfunction checkKeySize(key, alg) {\n if (key.algorithm.length !== parseInt(alg.slice(1, 4), 10)) {\n throw new TypeError(`Invalid key size for alg: ${alg}`);\n }\n}\nfunction getCryptoKey(key, alg, usage) {\n if (isCryptoKey(key)) {\n checkEncCryptoKey(key, alg, usage);\n return key;\n }\n if (key instanceof Uint8Array) {\n return crypto.subtle.importKey('raw', key, 'AES-KW', true, [usage]);\n }\n throw new TypeError(invalidKeyInput(key, ...types, 'Uint8Array'));\n}\nexport const wrap = async (alg, key, cek) => {\n const cryptoKey = await getCryptoKey(key, alg, 'wrapKey');\n checkKeySize(cryptoKey, alg);\n const cryptoKeyCek = await crypto.subtle.importKey('raw', cek, ...bogusWebCrypto);\n return new Uint8Array(await crypto.subtle.wrapKey('raw', cryptoKeyCek, cryptoKey, 'AES-KW'));\n};\nexport const unwrap = async (alg, key, encryptedKey) => {\n const cryptoKey = await getCryptoKey(key, alg, 'unwrapKey');\n checkKeySize(cryptoKey, alg);\n const cryptoKeyCek = await crypto.subtle.unwrapKey('raw', encryptedKey, cryptoKey, 'AES-KW', ...bogusWebCrypto);\n return new Uint8Array(await crypto.subtle.exportKey('raw', cryptoKeyCek));\n};\n","const bogusWebCrypto = [\n { hash: 'SHA-256', name: 'HMAC' },\n true,\n ['sign'],\n];\nexport default bogusWebCrypto;\n","import { encoder, concat, uint32be, lengthAndInput, concatKdf } from '../lib/buffer_utils.js';\nimport crypto, { isCryptoKey } from './webcrypto.js';\nimport { checkEncCryptoKey } from '../lib/crypto_key.js';\nimport invalidKeyInput from '../lib/invalid_key_input.js';\nimport { types } from './is_key_like.js';\nexport async function deriveKey(publicKey, privateKey, algorithm, keyLength, apu = new Uint8Array(0), apv = new Uint8Array(0)) {\n if (!isCryptoKey(publicKey)) {\n throw new TypeError(invalidKeyInput(publicKey, ...types));\n }\n checkEncCryptoKey(publicKey, 'ECDH');\n if (!isCryptoKey(privateKey)) {\n throw new TypeError(invalidKeyInput(privateKey, ...types));\n }\n checkEncCryptoKey(privateKey, 'ECDH', 'deriveBits');\n const value = concat(lengthAndInput(encoder.encode(algorithm)), lengthAndInput(apu), lengthAndInput(apv), uint32be(keyLength));\n let length;\n if (publicKey.algorithm.name === 'X25519') {\n length = 256;\n }\n else if (publicKey.algorithm.name === 'X448') {\n length = 448;\n }\n else {\n length =\n Math.ceil(parseInt(publicKey.algorithm.namedCurve.substr(-3), 10) / 8) << 3;\n }\n const sharedSecret = new Uint8Array(await crypto.subtle.deriveBits({\n name: publicKey.algorithm.name,\n public: publicKey,\n }, privateKey, length));\n return concatKdf(sharedSecret, keyLength, value);\n}\nexport async function generateEpk(key) {\n if (!isCryptoKey(key)) {\n throw new TypeError(invalidKeyInput(key, ...types));\n }\n return crypto.subtle.generateKey(key.algorithm, true, ['deriveBits']);\n}\nexport function ecdhAllowed(key) {\n if (!isCryptoKey(key)) {\n throw new TypeError(invalidKeyInput(key, ...types));\n }\n return (['P-256', 'P-384', 'P-521'].includes(key.algorithm.namedCurve) ||\n key.algorithm.name === 'X25519' ||\n key.algorithm.name === 'X448');\n}\n","import random from './random.js';\nimport { p2s as concatSalt } from '../lib/buffer_utils.js';\nimport { encode as base64url } from './base64url.js';\nimport { wrap, unwrap } from './aeskw.js';\nimport checkP2s from '../lib/check_p2s.js';\nimport crypto, { isCryptoKey } from './webcrypto.js';\nimport { checkEncCryptoKey } from '../lib/crypto_key.js';\nimport invalidKeyInput from '../lib/invalid_key_input.js';\nimport { types } from './is_key_like.js';\nfunction getCryptoKey(key, alg) {\n if (key instanceof Uint8Array) {\n return crypto.subtle.importKey('raw', key, 'PBKDF2', false, ['deriveBits']);\n }\n if (isCryptoKey(key)) {\n checkEncCryptoKey(key, alg, 'deriveBits', 'deriveKey');\n return key;\n }\n throw new TypeError(invalidKeyInput(key, ...types, 'Uint8Array'));\n}\nasync function deriveKey(p2s, alg, p2c, key) {\n checkP2s(p2s);\n const salt = concatSalt(alg, p2s);\n const keylen = parseInt(alg.slice(13, 16), 10);\n const subtleAlg = {\n hash: `SHA-${alg.slice(8, 11)}`,\n iterations: p2c,\n name: 'PBKDF2',\n salt,\n };\n const wrapAlg = {\n length: keylen,\n name: 'AES-KW',\n };\n const cryptoKey = await getCryptoKey(key, alg);\n if (cryptoKey.usages.includes('deriveBits')) {\n return new Uint8Array(await crypto.subtle.deriveBits(subtleAlg, cryptoKey, keylen));\n }\n if (cryptoKey.usages.includes('deriveKey')) {\n return crypto.subtle.deriveKey(subtleAlg, cryptoKey, wrapAlg, false, ['wrapKey', 'unwrapKey']);\n }\n throw new TypeError('PBKDF2 key \"usages\" must include \"deriveBits\" or \"deriveKey\"');\n}\nexport const encrypt = async (alg, key, cek, p2c = 2048, p2s = random(new Uint8Array(16))) => {\n const derived = await deriveKey(p2s, alg, p2c, key);\n const encryptedKey = await wrap(alg.slice(-6), derived, cek);\n return { encryptedKey, p2c, p2s: base64url(p2s) };\n};\nexport const decrypt = async (alg, key, encryptedKey, p2c, p2s) => {\n const derived = await deriveKey(p2s, alg, p2c, key);\n return unwrap(alg.slice(-6), derived, encryptedKey);\n};\n","import { JWEInvalid } from '../util/errors.js';\nexport default function checkP2s(p2s) {\n if (!(p2s instanceof Uint8Array) || p2s.length < 8) {\n throw new JWEInvalid('PBES2 Salt Input must be 8 or more octets');\n }\n}\n","import subtleAlgorithm from './subtle_rsaes.js';\nimport bogusWebCrypto from './bogus.js';\nimport crypto, { isCryptoKey } from './webcrypto.js';\nimport { checkEncCryptoKey } from '../lib/crypto_key.js';\nimport checkKeyLength from './check_key_length.js';\nimport invalidKeyInput from '../lib/invalid_key_input.js';\nimport { types } from './is_key_like.js';\nexport const encrypt = async (alg, key, cek) => {\n if (!isCryptoKey(key)) {\n throw new TypeError(invalidKeyInput(key, ...types));\n }\n checkEncCryptoKey(key, alg, 'encrypt', 'wrapKey');\n checkKeyLength(alg, key);\n if (key.usages.includes('encrypt')) {\n return new Uint8Array(await crypto.subtle.encrypt(subtleAlgorithm(alg), key, cek));\n }\n if (key.usages.includes('wrapKey')) {\n const cryptoKeyCek = await crypto.subtle.importKey('raw', cek, ...bogusWebCrypto);\n return new Uint8Array(await crypto.subtle.wrapKey('raw', cryptoKeyCek, key, subtleAlgorithm(alg)));\n }\n throw new TypeError('RSA-OAEP key \"usages\" must include \"encrypt\" or \"wrapKey\" for this operation');\n};\nexport const decrypt = async (alg, key, encryptedKey) => {\n if (!isCryptoKey(key)) {\n throw new TypeError(invalidKeyInput(key, ...types));\n }\n checkEncCryptoKey(key, alg, 'decrypt', 'unwrapKey');\n checkKeyLength(alg, key);\n if (key.usages.includes('decrypt')) {\n return new Uint8Array(await crypto.subtle.decrypt(subtleAlgorithm(alg), key, encryptedKey));\n }\n if (key.usages.includes('unwrapKey')) {\n const cryptoKeyCek = await crypto.subtle.unwrapKey('raw', encryptedKey, key, subtleAlgorithm(alg), ...bogusWebCrypto);\n return new Uint8Array(await crypto.subtle.exportKey('raw', cryptoKeyCek));\n }\n throw new TypeError('RSA-OAEP key \"usages\" must include \"decrypt\" or \"unwrapKey\" for this operation');\n};\n","import { JOSENotSupported } from '../util/errors.js';\nexport default function subtleRsaEs(alg) {\n switch (alg) {\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n return 'RSA-OAEP';\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\n","export default (alg, key) => {\n if (alg.startsWith('RS') || alg.startsWith('PS')) {\n const { modulusLength } = key.algorithm;\n if (typeof modulusLength !== 'number' || modulusLength < 2048) {\n throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n }\n};\n","import { JOSENotSupported } from '../util/errors.js';\nimport random from '../runtime/random.js';\nexport function bitLength(alg) {\n switch (alg) {\n case 'A128GCM':\n return 128;\n case 'A192GCM':\n return 192;\n case 'A256GCM':\n case 'A128CBC-HS256':\n return 256;\n case 'A192CBC-HS384':\n return 384;\n case 'A256CBC-HS512':\n return 512;\n default:\n throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);\n }\n}\nexport default (alg) => random(new Uint8Array(bitLength(alg) >> 3));\n","import { decode as decodeBase64URL } from '../runtime/base64url.js';\nimport { fromSPKI, fromPKCS8, fromX509 } from '../runtime/asn1.js';\nimport asKeyObject from '../runtime/jwk_to_key.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport isObject from '../lib/is_object.js';\nexport async function importSPKI(spki, alg, options) {\n if (typeof spki !== 'string' || spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {\n throw new TypeError('\"spki\" must be SPKI formatted string');\n }\n return fromSPKI(spki, alg, options);\n}\nexport async function importX509(x509, alg, options) {\n if (typeof x509 !== 'string' || x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {\n throw new TypeError('\"x509\" must be X.509 formatted string');\n }\n return fromX509(x509, alg, options);\n}\nexport async function importPKCS8(pkcs8, alg, options) {\n if (typeof pkcs8 !== 'string' || pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {\n throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n }\n return fromPKCS8(pkcs8, alg, options);\n}\nexport async function importJWK(jwk, alg, octAsKeyObject) {\n var _a;\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n alg || (alg = jwk.alg);\n switch (jwk.kty) {\n case 'oct':\n if (typeof jwk.k !== 'string' || !jwk.k) {\n throw new TypeError('missing \"k\" (Key Value) Parameter value');\n }\n octAsKeyObject !== null && octAsKeyObject !== void 0 ? octAsKeyObject : (octAsKeyObject = jwk.ext !== true);\n if (octAsKeyObject) {\n return asKeyObject({ ...jwk, alg, ext: (_a = jwk.ext) !== null && _a !== void 0 ? _a : false });\n }\n return decodeBase64URL(jwk.k);\n case 'RSA':\n if (jwk.oth !== undefined) {\n throw new JOSENotSupported('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n }\n case 'EC':\n case 'OKP':\n return asKeyObject({ ...jwk, alg });\n default:\n throw new JOSENotSupported('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n","import { isCloudflareWorkers } from './env.js';\nimport crypto, { isCryptoKey } from './webcrypto.js';\nimport invalidKeyInput from '../lib/invalid_key_input.js';\nimport { encodeBase64, decodeBase64 } from './base64url.js';\nimport formatPEM from '../lib/format_pem.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { types } from './is_key_like.js';\nconst genericExport = async (keyType, keyFormat, key) => {\n if (!isCryptoKey(key)) {\n throw new TypeError(invalidKeyInput(key, ...types));\n }\n if (!key.extractable) {\n throw new TypeError('CryptoKey is not extractable');\n }\n if (key.type !== keyType) {\n throw new TypeError(`key is not a ${keyType} key`);\n }\n return formatPEM(encodeBase64(new Uint8Array(await crypto.subtle.exportKey(keyFormat, key))), `${keyType.toUpperCase()} KEY`);\n};\nexport const toSPKI = (key) => {\n return genericExport('public', 'spki', key);\n};\nexport const toPKCS8 = (key) => {\n return genericExport('private', 'pkcs8', key);\n};\nconst findOid = (keyData, oid, from = 0) => {\n if (from === 0) {\n oid.unshift(oid.length);\n oid.unshift(0x06);\n }\n let i = keyData.indexOf(oid[0], from);\n if (i === -1)\n return false;\n const sub = keyData.subarray(i, i + oid.length);\n if (sub.length !== oid.length)\n return false;\n return sub.every((value, index) => value === oid[index]) || findOid(keyData, oid, i + 1);\n};\nconst getNamedCurve = (keyData) => {\n switch (true) {\n case findOid(keyData, [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07]):\n return 'P-256';\n case findOid(keyData, [0x2b, 0x81, 0x04, 0x00, 0x22]):\n return 'P-384';\n case findOid(keyData, [0x2b, 0x81, 0x04, 0x00, 0x23]):\n return 'P-521';\n case findOid(keyData, [0x2b, 0x65, 0x6e]):\n return 'X25519';\n case findOid(keyData, [0x2b, 0x65, 0x6f]):\n return 'X448';\n case findOid(keyData, [0x2b, 0x65, 0x70]):\n return 'Ed25519';\n case findOid(keyData, [0x2b, 0x65, 0x71]):\n return 'Ed448';\n default:\n throw new JOSENotSupported('Invalid or unsupported EC Key Curve or OKP Key Sub Type');\n }\n};\nconst genericImport = async (replace, keyFormat, pem, alg, options) => {\n var _a, _b;\n let algorithm;\n let keyUsages;\n const keyData = new Uint8Array(atob(pem.replace(replace, ''))\n .split('')\n .map((c) => c.charCodeAt(0)));\n const isPublic = keyFormat === 'spki';\n switch (alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`,\n };\n keyUsages = isPublic ? ['encrypt', 'wrapKey'] : ['decrypt', 'unwrapKey'];\n break;\n case 'ES256':\n algorithm = { name: 'ECDSA', namedCurve: 'P-256' };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'ES384':\n algorithm = { name: 'ECDSA', namedCurve: 'P-384' };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'ES512':\n algorithm = { name: 'ECDSA', namedCurve: 'P-521' };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW': {\n const namedCurve = getNamedCurve(keyData);\n algorithm = namedCurve.startsWith('P-') ? { name: 'ECDH', namedCurve } : { name: namedCurve };\n keyUsages = isPublic ? [] : ['deriveBits'];\n break;\n }\n case 'EdDSA':\n algorithm = { name: getNamedCurve(keyData) };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported \"alg\" (Algorithm) value');\n }\n try {\n return await crypto.subtle.importKey(keyFormat, keyData, algorithm, (_a = options === null || options === void 0 ? void 0 : options.extractable) !== null && _a !== void 0 ? _a : false, keyUsages);\n }\n catch (err) {\n if (algorithm.name === 'Ed25519' &&\n (err === null || err === void 0 ? void 0 : err.name) === 'NotSupportedError' &&\n isCloudflareWorkers()) {\n algorithm = { name: 'NODE-ED25519', namedCurve: 'NODE-ED25519' };\n return await crypto.subtle.importKey(keyFormat, keyData, algorithm, (_b = options === null || options === void 0 ? void 0 : options.extractable) !== null && _b !== void 0 ? _b : false, keyUsages);\n }\n throw err;\n }\n};\nexport const fromPKCS8 = (pem, alg, options) => {\n return genericImport(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\\s)/g, 'pkcs8', pem, alg, options);\n};\nexport const fromSPKI = (pem, alg, options) => {\n return genericImport(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\\s)/g, 'spki', pem, alg, options);\n};\nfunction getElement(seq) {\n let result = [];\n let next = 0;\n while (next < seq.length) {\n let nextPart = parseElement(seq.subarray(next));\n result.push(nextPart);\n next += nextPart.byteLength;\n }\n return result;\n}\nfunction parseElement(bytes) {\n let position = 0;\n let tag = bytes[0] & 0x1f;\n position++;\n if (tag === 0x1f) {\n tag = 0;\n while (bytes[position] >= 0x80) {\n tag = tag * 128 + bytes[position] - 0x80;\n position++;\n }\n tag = tag * 128 + bytes[position] - 0x80;\n position++;\n }\n let length = 0;\n if (bytes[position] < 0x80) {\n length = bytes[position];\n position++;\n }\n else if (length === 0x80) {\n length = 0;\n while (bytes[position + length] !== 0 || bytes[position + length + 1] !== 0) {\n if (length > bytes.byteLength) {\n throw new TypeError('invalid indefinite form length');\n }\n length++;\n }\n const byteLength = position + length + 2;\n return {\n byteLength,\n contents: bytes.subarray(position, position + length),\n raw: bytes.subarray(0, byteLength),\n };\n }\n else {\n let numberOfDigits = bytes[position] & 0x7f;\n position++;\n length = 0;\n for (let i = 0; i < numberOfDigits; i++) {\n length = length * 256 + bytes[position];\n position++;\n }\n }\n const byteLength = position + length;\n return {\n byteLength,\n contents: bytes.subarray(position, byteLength),\n raw: bytes.subarray(0, byteLength),\n };\n}\nfunction spkiFromX509(buf) {\n const tbsCertificate = getElement(getElement(parseElement(buf).contents)[0].contents);\n return encodeBase64(tbsCertificate[tbsCertificate[0].raw[0] === 0xa0 ? 6 : 5].raw);\n}\nfunction getSPKI(x509) {\n const pem = x509.replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\\s)/g, '');\n const raw = decodeBase64(pem);\n return formatPEM(spkiFromX509(raw), 'PUBLIC KEY');\n}\nexport const fromX509 = (pem, alg, options) => {\n let spki;\n try {\n spki = getSPKI(pem);\n }\n catch (cause) {\n throw new TypeError('failed to parse the X.509 certificate', { cause });\n }\n return fromSPKI(spki, alg, options);\n};\n","export default (b64, descriptor) => {\n const newlined = (b64.match(/.{1,64}/g) || []).join('\\n');\n return `-----BEGIN ${descriptor}-----\\n${newlined}\\n-----END ${descriptor}-----`;\n};\n","import { isCloudflareWorkers } from './env.js';\nimport crypto from './webcrypto.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { decode as base64url } from './base64url.js';\nfunction subtleMapping(jwk) {\n let algorithm;\n let keyUsages;\n switch (jwk.kty) {\n case 'oct': {\n switch (jwk.alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n algorithm = { name: 'HMAC', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = ['sign', 'verify'];\n break;\n case 'A128CBC-HS256':\n case 'A192CBC-HS384':\n case 'A256CBC-HS512':\n throw new JOSENotSupported(`${jwk.alg} keys cannot be imported as CryptoKey instances`);\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM':\n case 'A128GCMKW':\n case 'A192GCMKW':\n case 'A256GCMKW':\n algorithm = { name: 'AES-GCM' };\n keyUsages = ['encrypt', 'decrypt'];\n break;\n case 'A128KW':\n case 'A192KW':\n case 'A256KW':\n algorithm = { name: 'AES-KW' };\n keyUsages = ['wrapKey', 'unwrapKey'];\n break;\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n algorithm = { name: 'PBKDF2' };\n keyUsages = ['deriveBits'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'RSA': {\n switch (jwk.alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`,\n };\n keyUsages = jwk.d ? ['decrypt', 'unwrapKey'] : ['encrypt', 'wrapKey'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'EC': {\n switch (jwk.alg) {\n case 'ES256':\n algorithm = { name: 'ECDSA', namedCurve: 'P-256' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES384':\n algorithm = { name: 'ECDSA', namedCurve: 'P-384' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES512':\n algorithm = { name: 'ECDSA', namedCurve: 'P-521' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: 'ECDH', namedCurve: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'OKP': {\n switch (jwk.alg) {\n case 'EdDSA':\n algorithm = { name: jwk.crv };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"kty\" (Key Type) Parameter value');\n }\n return { algorithm, keyUsages };\n}\nconst parse = async (jwk) => {\n var _a, _b;\n if (!jwk.alg) {\n throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n }\n const { algorithm, keyUsages } = subtleMapping(jwk);\n const rest = [\n algorithm,\n (_a = jwk.ext) !== null && _a !== void 0 ? _a : false,\n (_b = jwk.key_ops) !== null && _b !== void 0 ? _b : keyUsages,\n ];\n if (algorithm.name === 'PBKDF2') {\n return crypto.subtle.importKey('raw', base64url(jwk.k), ...rest);\n }\n const keyData = { ...jwk };\n delete keyData.alg;\n delete keyData.use;\n try {\n return await crypto.subtle.importKey('jwk', keyData, ...rest);\n }\n catch (err) {\n if (algorithm.name === 'Ed25519' &&\n (err === null || err === void 0 ? void 0 : err.name) === 'NotSupportedError' &&\n isCloudflareWorkers()) {\n rest[0] = { name: 'NODE-ED25519', namedCurve: 'NODE-ED25519' };\n return await crypto.subtle.importKey('jwk', keyData, ...rest);\n }\n throw err;\n }\n};\nexport default parse;\n","import { withAlg as invalidKeyInput } from './invalid_key_input.js';\nimport isKeyLike, { types } from '../runtime/is_key_like.js';\nconst symmetricTypeCheck = (alg, key) => {\n if (key instanceof Uint8Array)\n return;\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, ...types, 'Uint8Array'));\n }\n if (key.type !== 'secret') {\n throw new TypeError(`${types.join(' or ')} instances for symmetric algorithms must be of type \"secret\"`);\n }\n};\nconst asymmetricTypeCheck = (alg, key, usage) => {\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, ...types));\n }\n if (key.type === 'secret') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithms must not be of type \"secret\"`);\n }\n if (usage === 'sign' && key.type === 'public') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm signing must be of type \"private\"`);\n }\n if (usage === 'decrypt' && key.type === 'public') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm decryption must be of type \"private\"`);\n }\n if (key.algorithm && usage === 'verify' && key.type === 'private') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm verifying must be of type \"public\"`);\n }\n if (key.algorithm && usage === 'encrypt' && key.type === 'private') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm encryption must be of type \"public\"`);\n }\n};\nconst checkKeyType = (alg, key, usage) => {\n const symmetric = alg.startsWith('HS') ||\n alg === 'dir' ||\n alg.startsWith('PBES2') ||\n /^A\\d{3}(?:GCM)?KW$/.test(alg);\n if (symmetric) {\n symmetricTypeCheck(alg, key);\n }\n else {\n asymmetricTypeCheck(alg, key, usage);\n }\n};\nexport default checkKeyType;\n","import encrypt from '../runtime/encrypt.js';\nimport decrypt from '../runtime/decrypt.js';\nimport generateIv from './iv.js';\nimport { encode as base64url } from '../runtime/base64url.js';\nexport async function wrap(alg, key, cek, iv) {\n const jweAlgorithm = alg.slice(0, 7);\n iv || (iv = generateIv(jweAlgorithm));\n const { ciphertext: encryptedKey, tag } = await encrypt(jweAlgorithm, cek, key, iv, new Uint8Array(0));\n return { encryptedKey, iv: base64url(iv), tag: base64url(tag) };\n}\nexport async function unwrap(alg, key, encryptedKey, iv, tag) {\n const jweAlgorithm = alg.slice(0, 7);\n return decrypt(jweAlgorithm, key, encryptedKey, iv, tag, new Uint8Array(0));\n}\n","import { concat, uint64be } from '../lib/buffer_utils.js';\nimport checkIvLength from '../lib/check_iv_length.js';\nimport checkCekLength from './check_cek_length.js';\nimport crypto, { isCryptoKey } from './webcrypto.js';\nimport { checkEncCryptoKey } from '../lib/crypto_key.js';\nimport invalidKeyInput from '../lib/invalid_key_input.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { types } from './is_key_like.js';\nasync function cbcEncrypt(enc, plaintext, cek, iv, aad) {\n if (!(cek instanceof Uint8Array)) {\n throw new TypeError(invalidKeyInput(cek, 'Uint8Array'));\n }\n const keySize = parseInt(enc.slice(1, 4), 10);\n const encKey = await crypto.subtle.importKey('raw', cek.subarray(keySize >> 3), 'AES-CBC', false, ['encrypt']);\n const macKey = await crypto.subtle.importKey('raw', cek.subarray(0, keySize >> 3), {\n hash: `SHA-${keySize << 1}`,\n name: 'HMAC',\n }, false, ['sign']);\n const ciphertext = new Uint8Array(await crypto.subtle.encrypt({\n iv,\n name: 'AES-CBC',\n }, encKey, plaintext));\n const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));\n const tag = new Uint8Array((await crypto.subtle.sign('HMAC', macKey, macData)).slice(0, keySize >> 3));\n return { ciphertext, tag };\n}\nasync function gcmEncrypt(enc, plaintext, cek, iv, aad) {\n let encKey;\n if (cek instanceof Uint8Array) {\n encKey = await crypto.subtle.importKey('raw', cek, 'AES-GCM', false, ['encrypt']);\n }\n else {\n checkEncCryptoKey(cek, enc, 'encrypt');\n encKey = cek;\n }\n const encrypted = new Uint8Array(await crypto.subtle.encrypt({\n additionalData: aad,\n iv,\n name: 'AES-GCM',\n tagLength: 128,\n }, encKey, plaintext));\n const tag = encrypted.slice(-16);\n const ciphertext = encrypted.slice(0, -16);\n return { ciphertext, tag };\n}\nconst encrypt = async (enc, plaintext, cek, iv, aad) => {\n if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) {\n throw new TypeError(invalidKeyInput(cek, ...types, 'Uint8Array'));\n }\n checkIvLength(enc, iv);\n switch (enc) {\n case 'A128CBC-HS256':\n case 'A192CBC-HS384':\n case 'A256CBC-HS512':\n if (cek instanceof Uint8Array)\n checkCekLength(cek, parseInt(enc.slice(-3), 10));\n return cbcEncrypt(enc, plaintext, cek, iv, aad);\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM':\n if (cek instanceof Uint8Array)\n checkCekLength(cek, parseInt(enc.slice(1, 4), 10));\n return gcmEncrypt(enc, plaintext, cek, iv, aad);\n default:\n throw new JOSENotSupported('Unsupported JWE Content Encryption Algorithm');\n }\n};\nexport default encrypt;\n","import { JOSENotSupported } from '../util/errors.js';\nfunction validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader.crit === undefined) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n }\n if (!protectedHeader || protectedHeader.crit === undefined) {\n return new Set();\n }\n if (!Array.isArray(protectedHeader.crit) ||\n protectedHeader.crit.length === 0 ||\n protectedHeader.crit.some((input) => typeof input !== 'string' || input.length === 0)) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n }\n let recognized;\n if (recognizedOption !== undefined) {\n recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);\n }\n else {\n recognized = recognizedDefault;\n }\n for (const parameter of protectedHeader.crit) {\n if (!recognized.has(parameter)) {\n throw new JOSENotSupported(`Extension Header Parameter \"${parameter}\" is not recognized`);\n }\n if (joseHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n }\n else if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n }\n return new Set(protectedHeader.crit);\n}\nexport default validateCrit;\n","const validateAlgorithms = (option, algorithms) => {\n if (algorithms !== undefined &&\n (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== 'string'))) {\n throw new TypeError(`\"${option}\" option must be an array of strings`);\n }\n if (!algorithms) {\n return undefined;\n }\n return new Set(algorithms);\n};\nexport default validateAlgorithms;\n","import { flattenedDecrypt } from '../flattened/decrypt.js';\nimport { JWEDecryptionFailed, JWEInvalid } from '../../util/errors.js';\nimport isObject from '../../lib/is_object.js';\nexport async function generalDecrypt(jwe, key, options) {\n if (!isObject(jwe)) {\n throw new JWEInvalid('General JWE must be an object');\n }\n if (!Array.isArray(jwe.recipients) || !jwe.recipients.every(isObject)) {\n throw new JWEInvalid('JWE Recipients missing or incorrect type');\n }\n if (!jwe.recipients.length) {\n throw new JWEInvalid('JWE Recipients has no members');\n }\n for (const recipient of jwe.recipients) {\n try {\n return await flattenedDecrypt({\n aad: jwe.aad,\n ciphertext: jwe.ciphertext,\n encrypted_key: recipient.encrypted_key,\n header: recipient.header,\n iv: jwe.iv,\n protected: jwe.protected,\n tag: jwe.tag,\n unprotected: jwe.unprotected,\n }, key, options);\n }\n catch (_a) {\n }\n }\n throw new JWEDecryptionFailed();\n}\n","import { FlattenedEncrypt, unprotected } from '../flattened/encrypt.js';\nimport { JWEInvalid } from '../../util/errors.js';\nimport generateCek from '../../lib/cek.js';\nimport isDisjoint from '../../lib/is_disjoint.js';\nimport encryptKeyManagement from '../../lib/encrypt_key_management.js';\nimport { encode as base64url } from '../../runtime/base64url.js';\nimport validateCrit from '../../lib/validate_crit.js';\nclass IndividualRecipient {\n constructor(enc, key, options) {\n this.parent = enc;\n this.key = key;\n this.options = options;\n }\n setUnprotectedHeader(unprotectedHeader) {\n if (this.unprotectedHeader) {\n throw new TypeError('setUnprotectedHeader can only be called once');\n }\n this.unprotectedHeader = unprotectedHeader;\n return this;\n }\n addRecipient(...args) {\n return this.parent.addRecipient(...args);\n }\n encrypt(...args) {\n return this.parent.encrypt(...args);\n }\n done() {\n return this.parent;\n }\n}\nexport class GeneralEncrypt {\n constructor(plaintext) {\n this._recipients = [];\n this._plaintext = plaintext;\n }\n addRecipient(key, options) {\n const recipient = new IndividualRecipient(this, key, { crit: options === null || options === void 0 ? void 0 : options.crit });\n this._recipients.push(recipient);\n return recipient;\n }\n setProtectedHeader(protectedHeader) {\n if (this._protectedHeader) {\n throw new TypeError('setProtectedHeader can only be called once');\n }\n this._protectedHeader = protectedHeader;\n return this;\n }\n setSharedUnprotectedHeader(sharedUnprotectedHeader) {\n if (this._unprotectedHeader) {\n throw new TypeError('setSharedUnprotectedHeader can only be called once');\n }\n this._unprotectedHeader = sharedUnprotectedHeader;\n return this;\n }\n setAdditionalAuthenticatedData(aad) {\n this._aad = aad;\n return this;\n }\n async encrypt(options) {\n var _a, _b, _c;\n if (!this._recipients.length) {\n throw new JWEInvalid('at least one recipient must be added');\n }\n options = { deflateRaw: options === null || options === void 0 ? void 0 : options.deflateRaw };\n if (this._recipients.length === 1) {\n const [recipient] = this._recipients;\n const flattened = await new FlattenedEncrypt(this._plaintext)\n .setAdditionalAuthenticatedData(this._aad)\n .setProtectedHeader(this._protectedHeader)\n .setSharedUnprotectedHeader(this._unprotectedHeader)\n .setUnprotectedHeader(recipient.unprotectedHeader)\n .encrypt(recipient.key, { ...recipient.options, ...options });\n let jwe = {\n ciphertext: flattened.ciphertext,\n iv: flattened.iv,\n recipients: [{}],\n tag: flattened.tag,\n };\n if (flattened.aad)\n jwe.aad = flattened.aad;\n if (flattened.protected)\n jwe.protected = flattened.protected;\n if (flattened.unprotected)\n jwe.unprotected = flattened.unprotected;\n if (flattened.encrypted_key)\n jwe.recipients[0].encrypted_key = flattened.encrypted_key;\n if (flattened.header)\n jwe.recipients[0].header = flattened.header;\n return jwe;\n }\n let enc;\n for (let i = 0; i < this._recipients.length; i++) {\n const recipient = this._recipients[i];\n if (!isDisjoint(this._protectedHeader, this._unprotectedHeader, recipient.unprotectedHeader)) {\n throw new JWEInvalid('JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...this._protectedHeader,\n ...this._unprotectedHeader,\n ...recipient.unprotectedHeader,\n };\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWEInvalid('JWE \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n if (alg === 'dir' || alg === 'ECDH-ES') {\n throw new JWEInvalid('\"dir\" and \"ECDH-ES\" alg may only be used with a single recipient');\n }\n if (typeof joseHeader.enc !== 'string' || !joseHeader.enc) {\n throw new JWEInvalid('JWE \"enc\" (Encryption Algorithm) Header Parameter missing or invalid');\n }\n if (!enc) {\n enc = joseHeader.enc;\n }\n else if (enc !== joseHeader.enc) {\n throw new JWEInvalid('JWE \"enc\" (Encryption Algorithm) Header Parameter must be the same for all recipients');\n }\n validateCrit(JWEInvalid, new Map(), recipient.options.crit, this._protectedHeader, joseHeader);\n if (joseHeader.zip !== undefined) {\n if (!this._protectedHeader || !this._protectedHeader.zip) {\n throw new JWEInvalid('JWE \"zip\" (Compression Algorithm) Header MUST be integrity protected');\n }\n }\n }\n const cek = generateCek(enc);\n let jwe = {\n ciphertext: '',\n iv: '',\n recipients: [],\n tag: '',\n };\n for (let i = 0; i < this._recipients.length; i++) {\n const recipient = this._recipients[i];\n const target = {};\n jwe.recipients.push(target);\n const joseHeader = {\n ...this._protectedHeader,\n ...this._unprotectedHeader,\n ...recipient.unprotectedHeader,\n };\n const p2c = joseHeader.alg.startsWith('PBES2') ? 2048 + i : undefined;\n if (i === 0) {\n const flattened = await new FlattenedEncrypt(this._plaintext)\n .setAdditionalAuthenticatedData(this._aad)\n .setContentEncryptionKey(cek)\n .setProtectedHeader(this._protectedHeader)\n .setSharedUnprotectedHeader(this._unprotectedHeader)\n .setUnprotectedHeader(recipient.unprotectedHeader)\n .setKeyManagementParameters({ p2c })\n .encrypt(recipient.key, {\n ...recipient.options,\n ...options,\n [unprotected]: true,\n });\n jwe.ciphertext = flattened.ciphertext;\n jwe.iv = flattened.iv;\n jwe.tag = flattened.tag;\n if (flattened.aad)\n jwe.aad = flattened.aad;\n if (flattened.protected)\n jwe.protected = flattened.protected;\n if (flattened.unprotected)\n jwe.unprotected = flattened.unprotected;\n target.encrypted_key = flattened.encrypted_key;\n if (flattened.header)\n target.header = flattened.header;\n continue;\n }\n const { encryptedKey, parameters } = await encryptKeyManagement(((_a = recipient.unprotectedHeader) === null || _a === void 0 ? void 0 : _a.alg) ||\n ((_b = this._protectedHeader) === null || _b === void 0 ? void 0 : _b.alg) ||\n ((_c = this._unprotectedHeader) === null || _c === void 0 ? void 0 : _c.alg), enc, recipient.key, cek, { p2c });\n target.encrypted_key = base64url(encryptedKey);\n if (recipient.unprotectedHeader || parameters)\n target.header = { ...recipient.unprotectedHeader, ...parameters };\n }\n return jwe;\n }\n}\n","import { encode as base64url } from '../../runtime/base64url.js';\nimport encrypt from '../../runtime/encrypt.js';\nimport { deflate } from '../../runtime/zlib.js';\nimport generateIv from '../../lib/iv.js';\nimport encryptKeyManagement from '../../lib/encrypt_key_management.js';\nimport { JOSENotSupported, JWEInvalid } from '../../util/errors.js';\nimport isDisjoint from '../../lib/is_disjoint.js';\nimport { encoder, decoder, concat } from '../../lib/buffer_utils.js';\nimport validateCrit from '../../lib/validate_crit.js';\nexport const unprotected = Symbol();\nexport class FlattenedEncrypt {\n constructor(plaintext) {\n if (!(plaintext instanceof Uint8Array)) {\n throw new TypeError('plaintext must be an instance of Uint8Array');\n }\n this._plaintext = plaintext;\n }\n setKeyManagementParameters(parameters) {\n if (this._keyManagementParameters) {\n throw new TypeError('setKeyManagementParameters can only be called once');\n }\n this._keyManagementParameters = parameters;\n return this;\n }\n setProtectedHeader(protectedHeader) {\n if (this._protectedHeader) {\n throw new TypeError('setProtectedHeader can only be called once');\n }\n this._protectedHeader = protectedHeader;\n return this;\n }\n setSharedUnprotectedHeader(sharedUnprotectedHeader) {\n if (this._sharedUnprotectedHeader) {\n throw new TypeError('setSharedUnprotectedHeader can only be called once');\n }\n this._sharedUnprotectedHeader = sharedUnprotectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n if (this._unprotectedHeader) {\n throw new TypeError('setUnprotectedHeader can only be called once');\n }\n this._unprotectedHeader = unprotectedHeader;\n return this;\n }\n setAdditionalAuthenticatedData(aad) {\n this._aad = aad;\n return this;\n }\n setContentEncryptionKey(cek) {\n if (this._cek) {\n throw new TypeError('setContentEncryptionKey can only be called once');\n }\n this._cek = cek;\n return this;\n }\n setInitializationVector(iv) {\n if (this._iv) {\n throw new TypeError('setInitializationVector can only be called once');\n }\n this._iv = iv;\n return this;\n }\n async encrypt(key, options) {\n if (!this._protectedHeader && !this._unprotectedHeader && !this._sharedUnprotectedHeader) {\n throw new JWEInvalid('either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()');\n }\n if (!isDisjoint(this._protectedHeader, this._unprotectedHeader, this._sharedUnprotectedHeader)) {\n throw new JWEInvalid('JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...this._protectedHeader,\n ...this._unprotectedHeader,\n ...this._sharedUnprotectedHeader,\n };\n validateCrit(JWEInvalid, new Map(), options === null || options === void 0 ? void 0 : options.crit, this._protectedHeader, joseHeader);\n if (joseHeader.zip !== undefined) {\n if (!this._protectedHeader || !this._protectedHeader.zip) {\n throw new JWEInvalid('JWE \"zip\" (Compression Algorithm) Header MUST be integrity protected');\n }\n if (joseHeader.zip !== 'DEF') {\n throw new JOSENotSupported('Unsupported JWE \"zip\" (Compression Algorithm) Header Parameter value');\n }\n }\n const { alg, enc } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWEInvalid('JWE \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n if (typeof enc !== 'string' || !enc) {\n throw new JWEInvalid('JWE \"enc\" (Encryption Algorithm) Header Parameter missing or invalid');\n }\n let encryptedKey;\n if (alg === 'dir') {\n if (this._cek) {\n throw new TypeError('setContentEncryptionKey cannot be called when using Direct Encryption');\n }\n }\n else if (alg === 'ECDH-ES') {\n if (this._cek) {\n throw new TypeError('setContentEncryptionKey cannot be called when using Direct Key Agreement');\n }\n }\n let cek;\n {\n let parameters;\n ({ cek, encryptedKey, parameters } = await encryptKeyManagement(alg, enc, key, this._cek, this._keyManagementParameters));\n if (parameters) {\n if (options && unprotected in options) {\n if (!this._unprotectedHeader) {\n this.setUnprotectedHeader(parameters);\n }\n else {\n this._unprotectedHeader = { ...this._unprotectedHeader, ...parameters };\n }\n }\n else {\n if (!this._protectedHeader) {\n this.setProtectedHeader(parameters);\n }\n else {\n this._protectedHeader = { ...this._protectedHeader, ...parameters };\n }\n }\n }\n }\n this._iv || (this._iv = generateIv(enc));\n let additionalData;\n let protectedHeader;\n let aadMember;\n if (this._protectedHeader) {\n protectedHeader = encoder.encode(base64url(JSON.stringify(this._protectedHeader)));\n }\n else {\n protectedHeader = encoder.encode('');\n }\n if (this._aad) {\n aadMember = base64url(this._aad);\n additionalData = concat(protectedHeader, encoder.encode('.'), encoder.encode(aadMember));\n }\n else {\n additionalData = protectedHeader;\n }\n let ciphertext;\n let tag;\n if (joseHeader.zip === 'DEF') {\n const deflated = await ((options === null || options === void 0 ? void 0 : options.deflateRaw) || deflate)(this._plaintext);\n ({ ciphertext, tag } = await encrypt(enc, deflated, cek, this._iv, additionalData));\n }\n else {\n ;\n ({ ciphertext, tag } = await encrypt(enc, this._plaintext, cek, this._iv, additionalData));\n }\n const jwe = {\n ciphertext: base64url(ciphertext),\n iv: base64url(this._iv),\n tag: base64url(tag),\n };\n if (encryptedKey) {\n jwe.encrypted_key = base64url(encryptedKey);\n }\n if (aadMember) {\n jwe.aad = aadMember;\n }\n if (this._protectedHeader) {\n jwe.protected = decoder.decode(protectedHeader);\n }\n if (this._sharedUnprotectedHeader) {\n jwe.unprotected = this._sharedUnprotectedHeader;\n }\n if (this._unprotectedHeader) {\n jwe.header = this._unprotectedHeader;\n }\n return jwe;\n }\n}\n","import { wrap as aesKw } from '../runtime/aeskw.js';\nimport * as ECDH from '../runtime/ecdhes.js';\nimport { encrypt as pbes2Kw } from '../runtime/pbes2kw.js';\nimport { encrypt as rsaEs } from '../runtime/rsaes.js';\nimport { encode as base64url } from '../runtime/base64url.js';\nimport generateCek, { bitLength as cekLength } from '../lib/cek.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { exportJWK } from '../key/export.js';\nimport checkKeyType from './check_key_type.js';\nimport { wrap as aesGcmKw } from './aesgcmkw.js';\nasync function encryptKeyManagement(alg, enc, key, providedCek, providedParameters = {}) {\n let encryptedKey;\n let parameters;\n let cek;\n checkKeyType(alg, key, 'encrypt');\n switch (alg) {\n case 'dir': {\n cek = key;\n break;\n }\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW': {\n if (!ECDH.ecdhAllowed(key)) {\n throw new JOSENotSupported('ECDH with the provided key is not allowed or not supported by your javascript runtime');\n }\n const { apu, apv } = providedParameters;\n let { epk: ephemeralKey } = providedParameters;\n ephemeralKey || (ephemeralKey = (await ECDH.generateEpk(key)).privateKey);\n const { x, y, crv, kty } = await exportJWK(ephemeralKey);\n const sharedSecret = await ECDH.deriveKey(key, ephemeralKey, alg === 'ECDH-ES' ? enc : alg, alg === 'ECDH-ES' ? cekLength(enc) : parseInt(alg.slice(-5, -2), 10), apu, apv);\n parameters = { epk: { x, crv, kty } };\n if (kty === 'EC')\n parameters.epk.y = y;\n if (apu)\n parameters.apu = base64url(apu);\n if (apv)\n parameters.apv = base64url(apv);\n if (alg === 'ECDH-ES') {\n cek = sharedSecret;\n break;\n }\n cek = providedCek || generateCek(enc);\n const kwAlg = alg.slice(-6);\n encryptedKey = await aesKw(kwAlg, sharedSecret, cek);\n break;\n }\n case 'RSA1_5':\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n cek = providedCek || generateCek(enc);\n encryptedKey = await rsaEs(alg, key, cek);\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW': {\n cek = providedCek || generateCek(enc);\n const { p2c, p2s } = providedParameters;\n ({ encryptedKey, ...parameters } = await pbes2Kw(alg, key, cek, p2c, p2s));\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n cek = providedCek || generateCek(enc);\n encryptedKey = await aesKw(alg, key, cek);\n break;\n }\n case 'A128GCMKW':\n case 'A192GCMKW':\n case 'A256GCMKW': {\n cek = providedCek || generateCek(enc);\n const { iv } = providedParameters;\n ({ encryptedKey, ...parameters } = await aesGcmKw(alg, key, cek, iv));\n break;\n }\n default: {\n throw new JOSENotSupported('Invalid or unsupported \"alg\" (JWE Algorithm) header value');\n }\n }\n return { cek, encryptedKey, parameters };\n}\nexport default encryptKeyManagement;\n","import { toSPKI as exportPublic } from '../runtime/asn1.js';\nimport { toPKCS8 as exportPrivate } from '../runtime/asn1.js';\nimport keyToJWK from '../runtime/key_to_jwk.js';\nexport async function exportSPKI(key) {\n return exportPublic(key);\n}\nexport async function exportPKCS8(key) {\n return exportPrivate(key);\n}\nexport async function exportJWK(key) {\n return keyToJWK(key);\n}\n","import crypto, { isCryptoKey } from './webcrypto.js';\nimport invalidKeyInput from '../lib/invalid_key_input.js';\nimport { encode as base64url } from './base64url.js';\nimport { types } from './is_key_like.js';\nconst keyToJWK = async (key) => {\n if (key instanceof Uint8Array) {\n return {\n kty: 'oct',\n k: base64url(key),\n };\n }\n if (!isCryptoKey(key)) {\n throw new TypeError(invalidKeyInput(key, ...types, 'Uint8Array'));\n }\n if (!key.extractable) {\n throw new TypeError('non-extractable CryptoKey cannot be exported as a JWK');\n }\n const { ext, key_ops, alg, use, ...jwk } = await crypto.subtle.exportKey('jwk', key);\n return jwk;\n};\nexport default keyToJWK;\n","import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactVerify(jws, key, options) {\n if (jws instanceof Uint8Array) {\n jws = decoder.decode(jws);\n }\n if (typeof jws !== 'string') {\n throw new JWSInvalid('Compact JWS must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');\n if (length !== 3) {\n throw new JWSInvalid('Invalid Compact JWS');\n }\n const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);\n const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { decode as base64url } from '../../runtime/base64url.js';\nimport verify from '../../runtime/verify.js';\nimport { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport { concat, encoder, decoder } from '../../lib/buffer_utils.js';\nimport isDisjoint from '../../lib/is_disjoint.js';\nimport isObject from '../../lib/is_object.js';\nimport checkKeyType from '../../lib/check_key_type.js';\nimport validateCrit from '../../lib/validate_crit.js';\nimport validateAlgorithms from '../../lib/validate_algorithms.js';\nexport async function flattenedVerify(jws, key, options) {\n var _a;\n if (!isObject(jws)) {\n throw new JWSInvalid('Flattened JWS must be an object');\n }\n if (jws.protected === undefined && jws.header === undefined) {\n throw new JWSInvalid('Flattened JWS must have either of the \"protected\" or \"header\" members');\n }\n if (jws.protected !== undefined && typeof jws.protected !== 'string') {\n throw new JWSInvalid('JWS Protected Header incorrect type');\n }\n if (jws.payload === undefined) {\n throw new JWSInvalid('JWS Payload missing');\n }\n if (typeof jws.signature !== 'string') {\n throw new JWSInvalid('JWS Signature missing or incorrect type');\n }\n if (jws.header !== undefined && !isObject(jws.header)) {\n throw new JWSInvalid('JWS Unprotected Header incorrect type');\n }\n let parsedProt = {};\n if (jws.protected) {\n try {\n const protectedHeader = base64url(jws.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch (_b) {\n throw new JWSInvalid('JWS Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jws.header)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jws.header,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options === null || options === void 0 ? void 0 : options.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = parsedProt.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n const algorithms = options && validateAlgorithms('algorithms', options.algorithms);\n if (algorithms && !algorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter not allowed');\n }\n if (b64) {\n if (typeof jws.payload !== 'string') {\n throw new JWSInvalid('JWS Payload must be a string');\n }\n }\n else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {\n throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n checkKeyType(alg, key, 'verify');\n const data = concat(encoder.encode((_a = jws.protected) !== null && _a !== void 0 ? _a : ''), encoder.encode('.'), typeof jws.payload === 'string' ? encoder.encode(jws.payload) : jws.payload);\n const signature = base64url(jws.signature);\n const verified = await verify(alg, key, signature, data);\n if (!verified) {\n throw new JWSSignatureVerificationFailed();\n }\n let payload;\n if (b64) {\n payload = base64url(jws.payload);\n }\n else if (typeof jws.payload === 'string') {\n payload = encoder.encode(jws.payload);\n }\n else {\n payload = jws.payload;\n }\n const result = { payload };\n if (jws.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jws.header !== undefined) {\n result.unprotectedHeader = jws.header;\n }\n if (resolvedKey) {\n return { ...result, key };\n }\n return result;\n}\n","import subtleAlgorithm from './subtle_dsa.js';\nimport crypto from './webcrypto.js';\nimport checkKeyLength from './check_key_length.js';\nimport getVerifyKey from './get_sign_verify_key.js';\nconst verify = async (alg, key, signature, data) => {\n const cryptoKey = await getVerifyKey(alg, key, 'verify');\n checkKeyLength(alg, cryptoKey);\n const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);\n try {\n return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);\n }\n catch (_a) {\n return false;\n }\n};\nexport default verify;\n","import { isCloudflareWorkers } from './env.js';\nimport { JOSENotSupported } from '../util/errors.js';\nexport default function subtleDsa(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { hash, name: 'HMAC' };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { hash, name: 'RSA-PSS', saltLength: alg.slice(-3) >> 3 };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { hash, name: 'RSASSA-PKCS1-v1_5' };\n case 'ES256':\n case 'ES384':\n case 'ES512':\n return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };\n case 'EdDSA':\n if (isCloudflareWorkers() && algorithm.name === 'NODE-ED25519') {\n return { name: 'NODE-ED25519', namedCurve: 'NODE-ED25519' };\n }\n return { name: algorithm.name };\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\n","import crypto, { isCryptoKey } from './webcrypto.js';\nimport { checkSigCryptoKey } from '../lib/crypto_key.js';\nimport invalidKeyInput from '../lib/invalid_key_input.js';\nimport { types } from './is_key_like.js';\nexport default function getCryptoKey(alg, key, usage) {\n if (isCryptoKey(key)) {\n checkSigCryptoKey(key, alg, usage);\n return key;\n }\n if (key instanceof Uint8Array) {\n if (!alg.startsWith('HS')) {\n throw new TypeError(invalidKeyInput(key, ...types));\n }\n return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);\n }\n throw new TypeError(invalidKeyInput(key, ...types, 'Uint8Array'));\n}\n","import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport isObject from '../../lib/is_object.js';\nexport async function generalVerify(jws, key, options) {\n if (!isObject(jws)) {\n throw new JWSInvalid('General JWS must be an object');\n }\n if (!Array.isArray(jws.signatures) || !jws.signatures.every(isObject)) {\n throw new JWSInvalid('JWS Signatures missing or incorrect type');\n }\n for (const signature of jws.signatures) {\n try {\n return await flattenedVerify({\n header: signature.header,\n payload: jws.payload,\n protected: signature.protected,\n signature: signature.signature,\n }, key, options);\n }\n catch (_a) {\n }\n }\n throw new JWSSignatureVerificationFailed();\n}\n","import { compactVerify } from '../jws/compact/verify.js';\nimport jwtPayload from '../lib/jwt_claims_set.js';\nimport { JWTInvalid } from '../util/errors.js';\nexport async function jwtVerify(jwt, key, options) {\n var _a;\n const verified = await compactVerify(jwt, key, options);\n if (((_a = verified.protectedHeader.crit) === null || _a === void 0 ? void 0 : _a.includes('b64')) && verified.protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n const payload = jwtPayload(verified.protectedHeader, verified.payload, options);\n const result = { payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';\nimport { decoder } from './buffer_utils.js';\nimport epoch from './epoch.js';\nimport secs from './secs.js';\nimport isObject from './is_object.js';\nconst normalizeTyp = (value) => value.toLowerCase().replace(/^application\\//, '');\nconst checkAudiencePresence = (audPayload, audOption) => {\n if (typeof audPayload === 'string') {\n return audOption.includes(audPayload);\n }\n if (Array.isArray(audPayload)) {\n return audOption.some(Set.prototype.has.bind(new Set(audPayload)));\n }\n return false;\n};\nexport default (protectedHeader, encodedPayload, options = {}) => {\n const { typ } = options;\n if (typ &&\n (typeof protectedHeader.typ !== 'string' ||\n normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {\n throw new JWTClaimValidationFailed('unexpected \"typ\" JWT header value', 'typ', 'check_failed');\n }\n let payload;\n try {\n payload = JSON.parse(decoder.decode(encodedPayload));\n }\n catch (_a) {\n }\n if (!isObject(payload)) {\n throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');\n }\n const { issuer } = options;\n if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {\n throw new JWTClaimValidationFailed('unexpected \"iss\" claim value', 'iss', 'check_failed');\n }\n const { subject } = options;\n if (subject && payload.sub !== subject) {\n throw new JWTClaimValidationFailed('unexpected \"sub\" claim value', 'sub', 'check_failed');\n }\n const { audience } = options;\n if (audience &&\n !checkAudiencePresence(payload.aud, typeof audience === 'string' ? [audience] : audience)) {\n throw new JWTClaimValidationFailed('unexpected \"aud\" claim value', 'aud', 'check_failed');\n }\n let tolerance;\n switch (typeof options.clockTolerance) {\n case 'string':\n tolerance = secs(options.clockTolerance);\n break;\n case 'number':\n tolerance = options.clockTolerance;\n break;\n case 'undefined':\n tolerance = 0;\n break;\n default:\n throw new TypeError('Invalid clockTolerance option type');\n }\n const { currentDate } = options;\n const now = epoch(currentDate || new Date());\n if ((payload.iat !== undefined || options.maxTokenAge) && typeof payload.iat !== 'number') {\n throw new JWTClaimValidationFailed('\"iat\" claim must be a number', 'iat', 'invalid');\n }\n if (payload.nbf !== undefined) {\n if (typeof payload.nbf !== 'number') {\n throw new JWTClaimValidationFailed('\"nbf\" claim must be a number', 'nbf', 'invalid');\n }\n if (payload.nbf > now + tolerance) {\n throw new JWTClaimValidationFailed('\"nbf\" claim timestamp check failed', 'nbf', 'check_failed');\n }\n }\n if (payload.exp !== undefined) {\n if (typeof payload.exp !== 'number') {\n throw new JWTClaimValidationFailed('\"exp\" claim must be a number', 'exp', 'invalid');\n }\n if (payload.exp <= now - tolerance) {\n throw new JWTExpired('\"exp\" claim timestamp check failed', 'exp', 'check_failed');\n }\n }\n if (options.maxTokenAge) {\n const age = now - payload.iat;\n const max = typeof options.maxTokenAge === 'number' ? options.maxTokenAge : secs(options.maxTokenAge);\n if (age - tolerance > max) {\n throw new JWTExpired('\"iat\" claim timestamp check failed (too far in the past)', 'iat', 'check_failed');\n }\n if (age < 0 - tolerance) {\n throw new JWTClaimValidationFailed('\"iat\" claim timestamp check failed (it should be in the past)', 'iat', 'check_failed');\n }\n }\n return payload;\n};\n","export default (date) => Math.floor(date.getTime() / 1000);\n","const minute = 60;\nconst hour = minute * 60;\nconst day = hour * 24;\nconst week = day * 7;\nconst year = day * 365.25;\nconst REGEX = /^(\\d+|\\d+\\.\\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)$/i;\nexport default (str) => {\n const matched = REGEX.exec(str);\n if (!matched) {\n throw new TypeError('Invalid time period format');\n }\n const value = parseFloat(matched[1]);\n const unit = matched[2].toLowerCase();\n switch (unit) {\n case 'sec':\n case 'secs':\n case 'second':\n case 'seconds':\n case 's':\n return Math.round(value);\n case 'minute':\n case 'minutes':\n case 'min':\n case 'mins':\n case 'm':\n return Math.round(value * minute);\n case 'hour':\n case 'hours':\n case 'hr':\n case 'hrs':\n case 'h':\n return Math.round(value * hour);\n case 'day':\n case 'days':\n case 'd':\n return Math.round(value * day);\n case 'week':\n case 'weeks':\n case 'w':\n return Math.round(value * week);\n default:\n return Math.round(value * year);\n }\n};\n","import { compactDecrypt } from '../jwe/compact/decrypt.js';\nimport jwtPayload from '../lib/jwt_claims_set.js';\nimport { JWTClaimValidationFailed } from '../util/errors.js';\nexport async function jwtDecrypt(jwt, key, options) {\n const decrypted = await compactDecrypt(jwt, key, options);\n const payload = jwtPayload(decrypted.protectedHeader, decrypted.plaintext, options);\n const { protectedHeader } = decrypted;\n if (protectedHeader.iss !== undefined && protectedHeader.iss !== payload.iss) {\n throw new JWTClaimValidationFailed('replicated \"iss\" claim header parameter mismatch', 'iss', 'mismatch');\n }\n if (protectedHeader.sub !== undefined && protectedHeader.sub !== payload.sub) {\n throw new JWTClaimValidationFailed('replicated \"sub\" claim header parameter mismatch', 'sub', 'mismatch');\n }\n if (protectedHeader.aud !== undefined &&\n JSON.stringify(protectedHeader.aud) !== JSON.stringify(payload.aud)) {\n throw new JWTClaimValidationFailed('replicated \"aud\" claim header parameter mismatch', 'aud', 'mismatch');\n }\n const result = { payload, protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: decrypted.key };\n }\n return result;\n}\n","import { FlattenedEncrypt } from '../flattened/encrypt.js';\nexport class CompactEncrypt {\n constructor(plaintext) {\n this._flattened = new FlattenedEncrypt(plaintext);\n }\n setContentEncryptionKey(cek) {\n this._flattened.setContentEncryptionKey(cek);\n return this;\n }\n setInitializationVector(iv) {\n this._flattened.setInitializationVector(iv);\n return this;\n }\n setProtectedHeader(protectedHeader) {\n this._flattened.setProtectedHeader(protectedHeader);\n return this;\n }\n setKeyManagementParameters(parameters) {\n this._flattened.setKeyManagementParameters(parameters);\n return this;\n }\n async encrypt(key, options) {\n const jwe = await this._flattened.encrypt(key, options);\n return [jwe.protected, jwe.encrypted_key, jwe.iv, jwe.ciphertext, jwe.tag].join('.');\n }\n}\n","import { FlattenedSign } from '../flattened/sign.js';\nexport class CompactSign {\n constructor(payload) {\n this._flattened = new FlattenedSign(payload);\n }\n setProtectedHeader(protectedHeader) {\n this._flattened.setProtectedHeader(protectedHeader);\n return this;\n }\n async sign(key, options) {\n const jws = await this._flattened.sign(key, options);\n if (jws.payload === undefined) {\n throw new TypeError('use the flattened module for creating JWS with b64: false');\n }\n return `${jws.protected}.${jws.payload}.${jws.signature}`;\n }\n}\n","import { encode as base64url } from '../../runtime/base64url.js';\nimport sign from '../../runtime/sign.js';\nimport isDisjoint from '../../lib/is_disjoint.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { encoder, decoder, concat } from '../../lib/buffer_utils.js';\nimport checkKeyType from '../../lib/check_key_type.js';\nimport validateCrit from '../../lib/validate_crit.js';\nexport class FlattenedSign {\n constructor(payload) {\n if (!(payload instanceof Uint8Array)) {\n throw new TypeError('payload must be an instance of Uint8Array');\n }\n this._payload = payload;\n }\n setProtectedHeader(protectedHeader) {\n if (this._protectedHeader) {\n throw new TypeError('setProtectedHeader can only be called once');\n }\n this._protectedHeader = protectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n if (this._unprotectedHeader) {\n throw new TypeError('setUnprotectedHeader can only be called once');\n }\n this._unprotectedHeader = unprotectedHeader;\n return this;\n }\n async sign(key, options) {\n if (!this._protectedHeader && !this._unprotectedHeader) {\n throw new JWSInvalid('either setProtectedHeader or setUnprotectedHeader must be called before #sign()');\n }\n if (!isDisjoint(this._protectedHeader, this._unprotectedHeader)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...this._protectedHeader,\n ...this._unprotectedHeader,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options === null || options === void 0 ? void 0 : options.crit, this._protectedHeader, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = this._protectedHeader.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n checkKeyType(alg, key, 'sign');\n let payload = this._payload;\n if (b64) {\n payload = encoder.encode(base64url(payload));\n }\n let protectedHeader;\n if (this._protectedHeader) {\n protectedHeader = encoder.encode(base64url(JSON.stringify(this._protectedHeader)));\n }\n else {\n protectedHeader = encoder.encode('');\n }\n const data = concat(protectedHeader, encoder.encode('.'), payload);\n const signature = await sign(alg, key, data);\n const jws = {\n signature: base64url(signature),\n payload: '',\n };\n if (b64) {\n jws.payload = decoder.decode(payload);\n }\n if (this._unprotectedHeader) {\n jws.header = this._unprotectedHeader;\n }\n if (this._protectedHeader) {\n jws.protected = decoder.decode(protectedHeader);\n }\n return jws;\n }\n}\n","import subtleAlgorithm from './subtle_dsa.js';\nimport crypto from './webcrypto.js';\nimport checkKeyLength from './check_key_length.js';\nimport getSignKey from './get_sign_verify_key.js';\nconst sign = async (alg, key, data) => {\n const cryptoKey = await getSignKey(alg, key, 'sign');\n checkKeyLength(alg, cryptoKey);\n const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);\n return new Uint8Array(signature);\n};\nexport default sign;\n","import { FlattenedSign } from '../flattened/sign.js';\nimport { JWSInvalid } from '../../util/errors.js';\nclass IndividualSignature {\n constructor(sig, key, options) {\n this.parent = sig;\n this.key = key;\n this.options = options;\n }\n setProtectedHeader(protectedHeader) {\n if (this.protectedHeader) {\n throw new TypeError('setProtectedHeader can only be called once');\n }\n this.protectedHeader = protectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n if (this.unprotectedHeader) {\n throw new TypeError('setUnprotectedHeader can only be called once');\n }\n this.unprotectedHeader = unprotectedHeader;\n return this;\n }\n addSignature(...args) {\n return this.parent.addSignature(...args);\n }\n sign(...args) {\n return this.parent.sign(...args);\n }\n done() {\n return this.parent;\n }\n}\nexport class GeneralSign {\n constructor(payload) {\n this._signatures = [];\n this._payload = payload;\n }\n addSignature(key, options) {\n const signature = new IndividualSignature(this, key, options);\n this._signatures.push(signature);\n return signature;\n }\n async sign() {\n if (!this._signatures.length) {\n throw new JWSInvalid('at least one signature must be added');\n }\n const jws = {\n signatures: [],\n payload: '',\n };\n for (let i = 0; i < this._signatures.length; i++) {\n const signature = this._signatures[i];\n const flattened = new FlattenedSign(this._payload);\n flattened.setProtectedHeader(signature.protectedHeader);\n flattened.setUnprotectedHeader(signature.unprotectedHeader);\n const { payload, ...rest } = await flattened.sign(signature.key, signature.options);\n if (i === 0) {\n jws.payload = payload;\n }\n else if (jws.payload !== payload) {\n throw new JWSInvalid('inconsistent use of JWS Unencoded Payload Option (RFC7797)');\n }\n jws.signatures.push(rest);\n }\n return jws;\n }\n}\n","import { CompactSign } from '../jws/compact/sign.js';\nimport { JWTInvalid } from '../util/errors.js';\nimport { encoder } from '../lib/buffer_utils.js';\nimport { ProduceJWT } from './produce.js';\nexport class SignJWT extends ProduceJWT {\n setProtectedHeader(protectedHeader) {\n this._protectedHeader = protectedHeader;\n return this;\n }\n async sign(key, options) {\n var _a;\n const sig = new CompactSign(encoder.encode(JSON.stringify(this._payload)));\n sig.setProtectedHeader(this._protectedHeader);\n if (Array.isArray((_a = this._protectedHeader) === null || _a === void 0 ? void 0 : _a.crit) &&\n this._protectedHeader.crit.includes('b64') &&\n this._protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n return sig.sign(key, options);\n }\n}\n","import epoch from '../lib/epoch.js';\nimport isObject from '../lib/is_object.js';\nimport secs from '../lib/secs.js';\nexport class ProduceJWT {\n constructor(payload) {\n if (!isObject(payload)) {\n throw new TypeError('JWT Claims Set MUST be an object');\n }\n this._payload = payload;\n }\n setIssuer(issuer) {\n this._payload = { ...this._payload, iss: issuer };\n return this;\n }\n setSubject(subject) {\n this._payload = { ...this._payload, sub: subject };\n return this;\n }\n setAudience(audience) {\n this._payload = { ...this._payload, aud: audience };\n return this;\n }\n setJti(jwtId) {\n this._payload = { ...this._payload, jti: jwtId };\n return this;\n }\n setNotBefore(input) {\n if (typeof input === 'number') {\n this._payload = { ...this._payload, nbf: input };\n }\n else {\n this._payload = { ...this._payload, nbf: epoch(new Date()) + secs(input) };\n }\n return this;\n }\n setExpirationTime(input) {\n if (typeof input === 'number') {\n this._payload = { ...this._payload, exp: input };\n }\n else {\n this._payload = { ...this._payload, exp: epoch(new Date()) + secs(input) };\n }\n return this;\n }\n setIssuedAt(input) {\n if (typeof input === 'undefined') {\n this._payload = { ...this._payload, iat: epoch(new Date()) };\n }\n else {\n this._payload = { ...this._payload, iat: input };\n }\n return this;\n }\n}\n","import { CompactEncrypt } from '../jwe/compact/encrypt.js';\nimport { encoder } from '../lib/buffer_utils.js';\nimport { ProduceJWT } from './produce.js';\nexport class EncryptJWT extends ProduceJWT {\n setProtectedHeader(protectedHeader) {\n if (this._protectedHeader) {\n throw new TypeError('setProtectedHeader can only be called once');\n }\n this._protectedHeader = protectedHeader;\n return this;\n }\n setKeyManagementParameters(parameters) {\n if (this._keyManagementParameters) {\n throw new TypeError('setKeyManagementParameters can only be called once');\n }\n this._keyManagementParameters = parameters;\n return this;\n }\n setContentEncryptionKey(cek) {\n if (this._cek) {\n throw new TypeError('setContentEncryptionKey can only be called once');\n }\n this._cek = cek;\n return this;\n }\n setInitializationVector(iv) {\n if (this._iv) {\n throw new TypeError('setInitializationVector can only be called once');\n }\n this._iv = iv;\n return this;\n }\n replicateIssuerAsHeader() {\n this._replicateIssuerAsHeader = true;\n return this;\n }\n replicateSubjectAsHeader() {\n this._replicateSubjectAsHeader = true;\n return this;\n }\n replicateAudienceAsHeader() {\n this._replicateAudienceAsHeader = true;\n return this;\n }\n async encrypt(key, options) {\n const enc = new CompactEncrypt(encoder.encode(JSON.stringify(this._payload)));\n if (this._replicateIssuerAsHeader) {\n this._protectedHeader = { ...this._protectedHeader, iss: this._payload.iss };\n }\n if (this._replicateSubjectAsHeader) {\n this._protectedHeader = { ...this._protectedHeader, sub: this._payload.sub };\n }\n if (this._replicateAudienceAsHeader) {\n this._protectedHeader = { ...this._protectedHeader, aud: this._payload.aud };\n }\n enc.setProtectedHeader(this._protectedHeader);\n if (this._iv) {\n enc.setInitializationVector(this._iv);\n }\n if (this._cek) {\n enc.setContentEncryptionKey(this._cek);\n }\n if (this._keyManagementParameters) {\n enc.setKeyManagementParameters(this._keyManagementParameters);\n }\n return enc.encrypt(key, options);\n }\n}\n","import digest from '../runtime/digest.js';\nimport { encode as base64url } from '../runtime/base64url.js';\nimport { JOSENotSupported, JWKInvalid } from '../util/errors.js';\nimport { encoder } from '../lib/buffer_utils.js';\nimport isObject from '../lib/is_object.js';\nconst check = (value, description) => {\n if (typeof value !== 'string' || !value) {\n throw new JWKInvalid(`${description} missing or invalid`);\n }\n};\nexport async function calculateJwkThumbprint(jwk, digestAlgorithm) {\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n digestAlgorithm !== null && digestAlgorithm !== void 0 ? digestAlgorithm : (digestAlgorithm = 'sha256');\n if (digestAlgorithm !== 'sha256' &&\n digestAlgorithm !== 'sha384' &&\n digestAlgorithm !== 'sha512') {\n throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"');\n }\n let components;\n switch (jwk.kty) {\n case 'EC':\n check(jwk.crv, '\"crv\" (Curve) Parameter');\n check(jwk.x, '\"x\" (X Coordinate) Parameter');\n check(jwk.y, '\"y\" (Y Coordinate) Parameter');\n components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };\n break;\n case 'OKP':\n check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter');\n check(jwk.x, '\"x\" (Public Key) Parameter');\n components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x };\n break;\n case 'RSA':\n check(jwk.e, '\"e\" (Exponent) Parameter');\n check(jwk.n, '\"n\" (Modulus) Parameter');\n components = { e: jwk.e, kty: jwk.kty, n: jwk.n };\n break;\n case 'oct':\n check(jwk.k, '\"k\" (Key Value) Parameter');\n components = { k: jwk.k, kty: jwk.kty };\n break;\n default:\n throw new JOSENotSupported('\"kty\" (Key Type) Parameter missing or unsupported');\n }\n const data = encoder.encode(JSON.stringify(components));\n return base64url(await digest(digestAlgorithm, data));\n}\nexport async function calculateJwkThumbprintUri(jwk, digestAlgorithm) {\n digestAlgorithm !== null && digestAlgorithm !== void 0 ? digestAlgorithm : (digestAlgorithm = 'sha256');\n const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm);\n return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`;\n}\n","import { importJWK } from '../key/import.js';\nimport isObject from '../lib/is_object.js';\nimport { JWSInvalid } from '../util/errors.js';\nexport async function EmbeddedJWK(protectedHeader, token) {\n const joseHeader = {\n ...protectedHeader,\n ...token === null || token === void 0 ? void 0 : token.header,\n };\n if (!isObject(joseHeader.jwk)) {\n throw new JWSInvalid('\"jwk\" (JSON Web Key) Header Parameter must be a JSON object');\n }\n const key = await importJWK({ ...joseHeader.jwk, ext: true }, joseHeader.alg, true);\n if (key instanceof Uint8Array || key.type !== 'public') {\n throw new JWSInvalid('\"jwk\" (JSON Web Key) Header Parameter must be a public key');\n }\n return key;\n}\n","import { importJWK } from '../key/import.js';\nimport { JWKSInvalid, JOSENotSupported, JWKSNoMatchingKey, JWKSMultipleMatchingKeys, } from '../util/errors.js';\nimport isObject from '../lib/is_object.js';\nfunction getKtyFromAlg(alg) {\n switch (typeof alg === 'string' && alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n return 'RSA';\n case 'ES':\n return 'EC';\n case 'Ed':\n return 'OKP';\n default:\n throw new JOSENotSupported('Unsupported \"alg\" value for a JSON Web Key Set');\n }\n}\nexport function isJWKSLike(jwks) {\n return (jwks &&\n typeof jwks === 'object' &&\n Array.isArray(jwks.keys) &&\n jwks.keys.every(isJWKLike));\n}\nfunction isJWKLike(key) {\n return isObject(key);\n}\nfunction clone(obj) {\n if (typeof structuredClone === 'function') {\n return structuredClone(obj);\n }\n return JSON.parse(JSON.stringify(obj));\n}\nexport class LocalJWKSet {\n constructor(jwks) {\n this._cached = new WeakMap();\n if (!isJWKSLike(jwks)) {\n throw new JWKSInvalid('JSON Web Key Set malformed');\n }\n this._jwks = clone(jwks);\n }\n async getKey(protectedHeader, token) {\n const { alg, kid } = { ...protectedHeader, ...token === null || token === void 0 ? void 0 : token.header };\n const kty = getKtyFromAlg(alg);\n const candidates = this._jwks.keys.filter((jwk) => {\n let candidate = kty === jwk.kty;\n if (candidate && typeof kid === 'string') {\n candidate = kid === jwk.kid;\n }\n if (candidate && typeof jwk.alg === 'string') {\n candidate = alg === jwk.alg;\n }\n if (candidate && typeof jwk.use === 'string') {\n candidate = jwk.use === 'sig';\n }\n if (candidate && Array.isArray(jwk.key_ops)) {\n candidate = jwk.key_ops.includes('verify');\n }\n if (candidate && alg === 'EdDSA') {\n candidate = jwk.crv === 'Ed25519' || jwk.crv === 'Ed448';\n }\n if (candidate) {\n switch (alg) {\n case 'ES256':\n candidate = jwk.crv === 'P-256';\n break;\n case 'ES256K':\n candidate = jwk.crv === 'secp256k1';\n break;\n case 'ES384':\n candidate = jwk.crv === 'P-384';\n break;\n case 'ES512':\n candidate = jwk.crv === 'P-521';\n break;\n }\n }\n return candidate;\n });\n const { 0: jwk, length } = candidates;\n if (length === 0) {\n throw new JWKSNoMatchingKey();\n }\n else if (length !== 1) {\n const error = new JWKSMultipleMatchingKeys();\n const { _cached } = this;\n error[Symbol.asyncIterator] = async function* () {\n for (const jwk of candidates) {\n try {\n yield await importWithAlgCache(_cached, jwk, alg);\n }\n catch (_a) {\n continue;\n }\n }\n };\n throw error;\n }\n return importWithAlgCache(this._cached, jwk, alg);\n }\n}\nasync function importWithAlgCache(cache, jwk, alg) {\n const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);\n if (cached[alg] === undefined) {\n const key = await importJWK({ ...jwk, ext: true }, alg);\n if (key instanceof Uint8Array || key.type !== 'public') {\n throw new JWKSInvalid('JSON Web Key Set members must be public keys');\n }\n cached[alg] = key;\n }\n return cached[alg];\n}\nexport function createLocalJWKSet(jwks) {\n const set = new LocalJWKSet(jwks);\n return async function (protectedHeader, token) {\n return set.getKey(protectedHeader, token);\n };\n}\n","import fetchJwks from '../runtime/fetch_jwks.js';\nimport { isCloudflareWorkers } from '../runtime/env.js';\nimport { JWKSInvalid, JWKSNoMatchingKey } from '../util/errors.js';\nimport { isJWKSLike, LocalJWKSet } from './local.js';\nclass RemoteJWKSet extends LocalJWKSet {\n constructor(url, options) {\n super({ keys: [] });\n this._jwks = undefined;\n if (!(url instanceof URL)) {\n throw new TypeError('url must be an instance of URL');\n }\n this._url = new URL(url.href);\n this._options = { agent: options === null || options === void 0 ? void 0 : options.agent, headers: options === null || options === void 0 ? void 0 : options.headers };\n this._timeoutDuration =\n typeof (options === null || options === void 0 ? void 0 : options.timeoutDuration) === 'number' ? options === null || options === void 0 ? void 0 : options.timeoutDuration : 5000;\n this._cooldownDuration =\n typeof (options === null || options === void 0 ? void 0 : options.cooldownDuration) === 'number' ? options === null || options === void 0 ? void 0 : options.cooldownDuration : 30000;\n this._cacheMaxAge = typeof (options === null || options === void 0 ? void 0 : options.cacheMaxAge) === 'number' ? options === null || options === void 0 ? void 0 : options.cacheMaxAge : 600000;\n }\n coolingDown() {\n return typeof this._jwksTimestamp === 'number'\n ? Date.now() < this._jwksTimestamp + this._cooldownDuration\n : false;\n }\n fresh() {\n return typeof this._jwksTimestamp === 'number'\n ? Date.now() < this._jwksTimestamp + this._cacheMaxAge\n : false;\n }\n async getKey(protectedHeader, token) {\n if (!this._jwks || !this.fresh()) {\n await this.reload();\n }\n try {\n return await super.getKey(protectedHeader, token);\n }\n catch (err) {\n if (err instanceof JWKSNoMatchingKey) {\n if (this.coolingDown() === false) {\n await this.reload();\n return super.getKey(protectedHeader, token);\n }\n }\n throw err;\n }\n }\n async reload() {\n if (this._pendingFetch && isCloudflareWorkers()) {\n this._pendingFetch = undefined;\n }\n this._pendingFetch || (this._pendingFetch = fetchJwks(this._url, this._timeoutDuration, this._options)\n .then((json) => {\n if (!isJWKSLike(json)) {\n throw new JWKSInvalid('JSON Web Key Set malformed');\n }\n this._jwks = { keys: json.keys };\n this._jwksTimestamp = Date.now();\n this._pendingFetch = undefined;\n })\n .catch((err) => {\n this._pendingFetch = undefined;\n throw err;\n }));\n await this._pendingFetch;\n }\n}\nexport function createRemoteJWKSet(url, options) {\n const set = new RemoteJWKSet(url, options);\n return async function (protectedHeader, token) {\n return set.getKey(protectedHeader, token);\n };\n}\n","import { JOSEError, JWKSTimeout } from '../util/errors.js';\nconst fetchJwks = async (url, timeout, options) => {\n let controller;\n let id;\n let timedOut = false;\n if (typeof AbortController === 'function') {\n controller = new AbortController();\n id = setTimeout(() => {\n timedOut = true;\n controller.abort();\n }, timeout);\n }\n const response = await fetch(url.href, {\n signal: controller ? controller.signal : undefined,\n redirect: 'manual',\n headers: options.headers,\n }).catch((err) => {\n if (timedOut)\n throw new JWKSTimeout();\n throw err;\n });\n if (id !== undefined)\n clearTimeout(id);\n if (response.status !== 200) {\n throw new JOSEError('Expected 200 OK from the JSON Web Key Set HTTP response');\n }\n try {\n return await response.json();\n }\n catch (_a) {\n throw new JOSEError('Failed to parse the JSON Web Key Set HTTP response as JSON');\n }\n};\nexport default fetchJwks;\n","import * as base64url from '../runtime/base64url.js';\nimport { decoder } from '../lib/buffer_utils.js';\nimport { JWTInvalid } from '../util/errors.js';\nimport jwtPayload from '../lib/jwt_claims_set.js';\nimport { ProduceJWT } from './produce.js';\nexport class UnsecuredJWT extends ProduceJWT {\n encode() {\n const header = base64url.encode(JSON.stringify({ alg: 'none' }));\n const payload = base64url.encode(JSON.stringify(this._payload));\n return `${header}.${payload}.`;\n }\n static decode(jwt, options) {\n if (typeof jwt !== 'string') {\n throw new JWTInvalid('Unsecured JWT must be a string');\n }\n const { 0: encodedHeader, 1: encodedPayload, 2: signature, length } = jwt.split('.');\n if (length !== 3 || signature !== '') {\n throw new JWTInvalid('Invalid Unsecured JWT');\n }\n let header;\n try {\n header = JSON.parse(decoder.decode(base64url.decode(encodedHeader)));\n if (header.alg !== 'none')\n throw new Error();\n }\n catch (_a) {\n throw new JWTInvalid('Invalid Unsecured JWT');\n }\n const payload = jwtPayload(header, base64url.decode(encodedPayload), options);\n return { payload, header };\n }\n}\n","import { decode as base64url } from './base64url.js';\nimport { decoder } from '../lib/buffer_utils.js';\nimport isObject from '../lib/is_object.js';\nexport function decodeProtectedHeader(token) {\n let protectedB64u;\n if (typeof token === 'string') {\n const parts = token.split('.');\n if (parts.length === 3 || parts.length === 5) {\n ;\n [protectedB64u] = parts;\n }\n }\n else if (typeof token === 'object' && token) {\n if ('protected' in token) {\n protectedB64u = token.protected;\n }\n else {\n throw new TypeError('Token does not contain a Protected Header');\n }\n }\n try {\n if (typeof protectedB64u !== 'string' || !protectedB64u) {\n throw new Error();\n }\n const result = JSON.parse(decoder.decode(base64url(protectedB64u)));\n if (!isObject(result)) {\n throw new Error();\n }\n return result;\n }\n catch (_a) {\n throw new TypeError('Invalid Token or Protected Header formatting');\n }\n}\n","import * as base64url from '../runtime/base64url.js';\nexport const encode = base64url.encode;\nexport const decode = base64url.decode;\n","import { decode as base64url } from './base64url.js';\nimport { decoder } from '../lib/buffer_utils.js';\nimport isObject from '../lib/is_object.js';\nimport { JWTInvalid } from './errors.js';\nexport function decodeJwt(jwt) {\n if (typeof jwt !== 'string')\n throw new JWTInvalid('JWTs must use Compact JWS serialization, JWT must be a string');\n const { 1: payload, length } = jwt.split('.');\n if (length === 5)\n throw new JWTInvalid('Only JWTs using Compact JWS serialization can be decoded');\n if (length !== 3)\n throw new JWTInvalid('Invalid JWT');\n if (!payload)\n throw new JWTInvalid('JWTs must contain a payload');\n let decoded;\n try {\n decoded = base64url(payload);\n }\n catch (_a) {\n throw new JWTInvalid('Failed to parse the base64url encoded payload');\n }\n let result;\n try {\n result = JSON.parse(decoder.decode(decoded));\n }\n catch (_b) {\n throw new JWTInvalid('Failed to parse the decoded payload as JSON');\n }\n if (!isObject(result))\n throw new JWTInvalid('Invalid JWT Claims Set');\n return result;\n}\n","import { generateKeyPair as generate } from '../runtime/generate.js';\nexport async function generateKeyPair(alg, options) {\n return generate(alg, options);\n}\n","import { isCloudflareWorkers } from './env.js';\nimport crypto from './webcrypto.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport random from './random.js';\nexport async function generateSecret(alg, options) {\n var _a;\n let length;\n let algorithm;\n let keyUsages;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n length = parseInt(alg.slice(-3), 10);\n algorithm = { name: 'HMAC', hash: `SHA-${length}`, length };\n keyUsages = ['sign', 'verify'];\n break;\n case 'A128CBC-HS256':\n case 'A192CBC-HS384':\n case 'A256CBC-HS512':\n length = parseInt(alg.slice(-3), 10);\n return random(new Uint8Array(length >> 3));\n case 'A128KW':\n case 'A192KW':\n case 'A256KW':\n length = parseInt(alg.slice(1, 4), 10);\n algorithm = { name: 'AES-KW', length };\n keyUsages = ['wrapKey', 'unwrapKey'];\n break;\n case 'A128GCMKW':\n case 'A192GCMKW':\n case 'A256GCMKW':\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM':\n length = parseInt(alg.slice(1, 4), 10);\n algorithm = { name: 'AES-GCM', length };\n keyUsages = ['encrypt', 'decrypt'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n return crypto.subtle.generateKey(algorithm, (_a = options === null || options === void 0 ? void 0 : options.extractable) !== null && _a !== void 0 ? _a : false, keyUsages);\n}\nfunction getModulusLengthOption(options) {\n var _a;\n const modulusLength = (_a = options === null || options === void 0 ? void 0 : options.modulusLength) !== null && _a !== void 0 ? _a : 2048;\n if (typeof modulusLength !== 'number' || modulusLength < 2048) {\n throw new JOSENotSupported('Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used');\n }\n return modulusLength;\n}\nexport async function generateKeyPair(alg, options) {\n var _a, _b, _c, _d;\n let algorithm;\n let keyUsages;\n switch (alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = {\n name: 'RSA-PSS',\n hash: `SHA-${alg.slice(-3)}`,\n publicExponent: new Uint8Array([0x01, 0x00, 0x01]),\n modulusLength: getModulusLengthOption(options),\n };\n keyUsages = ['sign', 'verify'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = {\n name: 'RSASSA-PKCS1-v1_5',\n hash: `SHA-${alg.slice(-3)}`,\n publicExponent: new Uint8Array([0x01, 0x00, 0x01]),\n modulusLength: getModulusLengthOption(options),\n };\n keyUsages = ['sign', 'verify'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`,\n publicExponent: new Uint8Array([0x01, 0x00, 0x01]),\n modulusLength: getModulusLengthOption(options),\n };\n keyUsages = ['decrypt', 'unwrapKey', 'encrypt', 'wrapKey'];\n break;\n case 'ES256':\n algorithm = { name: 'ECDSA', namedCurve: 'P-256' };\n keyUsages = ['sign', 'verify'];\n break;\n case 'ES384':\n algorithm = { name: 'ECDSA', namedCurve: 'P-384' };\n keyUsages = ['sign', 'verify'];\n break;\n case 'ES512':\n algorithm = { name: 'ECDSA', namedCurve: 'P-521' };\n keyUsages = ['sign', 'verify'];\n break;\n case 'EdDSA':\n keyUsages = ['sign', 'verify'];\n const crv = (_a = options === null || options === void 0 ? void 0 : options.crv) !== null && _a !== void 0 ? _a : 'Ed25519';\n switch (crv) {\n case 'Ed25519':\n case 'Ed448':\n algorithm = { name: crv };\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported crv option provided');\n }\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW': {\n keyUsages = ['deriveKey', 'deriveBits'];\n const crv = (_b = options === null || options === void 0 ? void 0 : options.crv) !== null && _b !== void 0 ? _b : 'P-256';\n switch (crv) {\n case 'P-256':\n case 'P-384':\n case 'P-521': {\n algorithm = { name: 'ECDH', namedCurve: crv };\n break;\n }\n case 'X25519':\n case 'X448':\n algorithm = { name: crv };\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448');\n }\n break;\n }\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n try {\n return (await crypto.subtle.generateKey(algorithm, (_c = options === null || options === void 0 ? void 0 : options.extractable) !== null && _c !== void 0 ? _c : false, keyUsages));\n }\n catch (err) {\n if (algorithm.name === 'Ed25519' &&\n (err === null || err === void 0 ? void 0 : err.name) === 'NotSupportedError' &&\n isCloudflareWorkers()) {\n algorithm = { name: 'NODE-ED25519', namedCurve: 'NODE-ED25519' };\n return (await crypto.subtle.generateKey(algorithm, (_d = options === null || options === void 0 ? void 0 : options.extractable) !== null && _d !== void 0 ? _d : false, keyUsages));\n }\n throw err;\n }\n}\n","import { generateSecret as generate } from '../runtime/generate.js';\nexport async function generateSecret(alg, options) {\n return generate(alg, options);\n}\n"],"names":["$3f0b33e7ccc65ae0$export$2e2bcd8739ae039","crypto","TextEncoder","$8c3dacf85b96b392$export$124c96e6ce37090b","TextDecoder","$54a6e0e463467b0a$export$94fdf11bafc8de6b","encoded","binary","atob","bytes","Uint8Array","length","i","charCodeAt","$599ac781534a947a$export$f754d6850d76bf87","Error","code","constructor","message","_a","name","captureStackTrace","call","$599ac781534a947a$export$936b39ada0bbfceb","arguments","getRandomValues","bind","Symbol","$037928530fb1a7c6$export$2f872c0f2117be69","input","decode","replace","TypeError","$295d08103c698a2a$var$renderIdTokenContents","idTokenQueryParam","URLSearchParams","window","location","search","get","idToken","$8450eca62cfceb24$export$dcef71b8fb9a6794","jwt","decoded","result","payload","split","JSON","parse","_b","value","Object","prototype","toString","getPrototypeOf","proto","container","document","getElementById","header","createElement","field","textContent","append","$295d08103c698a2a$var$createDataRow","className","$295d08103c698a2a$var$createDataValue","br","$295d08103c698a2a$var$renderButtons","style","display"],"version":3,"file":"index.6d9657b5.js.map"}