UNPKG

1.53 MBJavaScriptView Raw
1/*! OpenPGP.js v5.0.0-1 - 2021-03-03 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
2var openpgp = (function (exports) {
3 'use strict';
4
5 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
6
7 /**
8 * web-streams-polyfill v2.1.1
9 */
10 /// <reference lib="es2015.symbol" />
11 const SymbolPolyfill = typeof Symbol === 'function' && typeof Symbol.iterator === 'symbol' ?
12 Symbol :
13 description => `Symbol(${description})`;
14
15 /// <reference lib="dom" />
16 function noop() {
17 // do nothing
18 }
19
20 /// <reference lib="es2015.core" />
21 // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/isNaN#Polyfill
22 const NumberIsNaN = Number.isNaN || function (x) {
23 // eslint-disable-next-line no-self-compare
24 return x !== x;
25 };
26
27 const rethrowAssertionErrorRejection = noop;
28
29 function typeIsObject(x) {
30 return (typeof x === 'object' && x !== null) || typeof x === 'function';
31 }
32 function createArrayFromList(elements) {
33 // We use arrays to represent lists, so this is basically a no-op.
34 // Do a slice though just in case we happen to depend on the unique-ness.
35 return elements.slice();
36 }
37 function ArrayBufferCopy(dest, destOffset, src, srcOffset, n) {
38 new Uint8Array(dest).set(new Uint8Array(src, srcOffset, n), destOffset);
39 }
40 function IsFiniteNonNegativeNumber(v) {
41 if (IsNonNegativeNumber(v) === false) {
42 return false;
43 }
44 if (v === Infinity) {
45 return false;
46 }
47 return true;
48 }
49 function IsNonNegativeNumber(v) {
50 if (typeof v !== 'number') {
51 return false;
52 }
53 if (NumberIsNaN(v)) {
54 return false;
55 }
56 if (v < 0) {
57 return false;
58 }
59 return true;
60 }
61 function Call(F, V, args) {
62 if (typeof F !== 'function') {
63 throw new TypeError('Argument is not a function');
64 }
65 return Function.prototype.apply.call(F, V, args);
66 }
67 function CreateAlgorithmFromUnderlyingMethod(underlyingObject, methodName, algoArgCount, extraArgs) {
68 const method = underlyingObject[methodName];
69 if (method !== undefined) {
70 if (typeof method !== 'function') {
71 throw new TypeError(`${method} is not a method`);
72 }
73 switch (algoArgCount) {
74 case 0: {
75 return () => {
76 return PromiseCall(method, underlyingObject, extraArgs);
77 };
78 }
79 case 1: {
80 return arg => {
81 const fullArgs = [arg].concat(extraArgs);
82 return PromiseCall(method, underlyingObject, fullArgs);
83 };
84 }
85 }
86 }
87 return () => promiseResolvedWith(undefined);
88 }
89 function InvokeOrNoop(O, P, args) {
90 const method = O[P];
91 if (method === undefined) {
92 return undefined;
93 }
94 return Call(method, O, args);
95 }
96 function PromiseCall(F, V, args) {
97 try {
98 return promiseResolvedWith(Call(F, V, args));
99 }
100 catch (value) {
101 return promiseRejectedWith(value);
102 }
103 }
104 // Not implemented correctly
105 function TransferArrayBuffer(O) {
106 return O;
107 }
108 // Not implemented correctly
109 function IsDetachedBuffer(O) {
110 return false;
111 }
112 function ValidateAndNormalizeHighWaterMark(highWaterMark) {
113 highWaterMark = Number(highWaterMark);
114 if (NumberIsNaN(highWaterMark) || highWaterMark < 0) {
115 throw new RangeError('highWaterMark property of a queuing strategy must be non-negative and non-NaN');
116 }
117 return highWaterMark;
118 }
119 function MakeSizeAlgorithmFromSizeFunction(size) {
120 if (size === undefined) {
121 return () => 1;
122 }
123 if (typeof size !== 'function') {
124 throw new TypeError('size property of a queuing strategy must be a function');
125 }
126 return chunk => size(chunk);
127 }
128 const originalPromise = Promise;
129 const originalPromiseThen = Promise.prototype.then;
130 const originalPromiseResolve = Promise.resolve.bind(originalPromise);
131 const originalPromiseReject = Promise.reject.bind(originalPromise);
132 function newPromise(executor) {
133 return new originalPromise(executor);
134 }
135 function promiseResolvedWith(value) {
136 return originalPromiseResolve(value);
137 }
138 function promiseRejectedWith(reason) {
139 return originalPromiseReject(reason);
140 }
141 function PerformPromiseThen(promise, onFulfilled, onRejected) {
142 // There doesn't appear to be any way to correctly emulate the behaviour from JavaScript, so this is just an
143 // approximation.
144 return originalPromiseThen.call(promise, onFulfilled, onRejected);
145 }
146 function uponPromise(promise, onFulfilled, onRejected) {
147 PerformPromiseThen(PerformPromiseThen(promise, onFulfilled, onRejected), undefined, rethrowAssertionErrorRejection);
148 }
149 function uponFulfillment(promise, onFulfilled) {
150 uponPromise(promise, onFulfilled);
151 }
152 function uponRejection(promise, onRejected) {
153 uponPromise(promise, undefined, onRejected);
154 }
155 function transformPromiseWith(promise, fulfillmentHandler, rejectionHandler) {
156 return PerformPromiseThen(promise, fulfillmentHandler, rejectionHandler);
157 }
158 function setPromiseIsHandledToTrue(promise) {
159 PerformPromiseThen(promise, undefined, rethrowAssertionErrorRejection);
160 }
161
162 // Original from Chromium
163 // https://chromium.googlesource.com/chromium/src/+/0aee4434a4dba42a42abaea9bfbc0cd196a63bc1/third_party/blink/renderer/core/streams/SimpleQueue.js
164 const QUEUE_MAX_ARRAY_SIZE = 16384;
165 /**
166 * Simple queue structure.
167 *
168 * Avoids scalability issues with using a packed array directly by using
169 * multiple arrays in a linked list and keeping the array size bounded.
170 */
171 class SimpleQueue {
172 constructor() {
173 this._cursor = 0;
174 this._size = 0;
175 // _front and _back are always defined.
176 this._front = {
177 _elements: [],
178 _next: undefined
179 };
180 this._back = this._front;
181 // The cursor is used to avoid calling Array.shift().
182 // It contains the index of the front element of the array inside the
183 // front-most node. It is always in the range [0, QUEUE_MAX_ARRAY_SIZE).
184 this._cursor = 0;
185 // When there is only one node, size === elements.length - cursor.
186 this._size = 0;
187 }
188 get length() {
189 return this._size;
190 }
191 // For exception safety, this method is structured in order:
192 // 1. Read state
193 // 2. Calculate required state mutations
194 // 3. Perform state mutations
195 push(element) {
196 const oldBack = this._back;
197 let newBack = oldBack;
198 if (oldBack._elements.length === QUEUE_MAX_ARRAY_SIZE - 1) {
199 newBack = {
200 _elements: [],
201 _next: undefined
202 };
203 }
204 // push() is the mutation most likely to throw an exception, so it
205 // goes first.
206 oldBack._elements.push(element);
207 if (newBack !== oldBack) {
208 this._back = newBack;
209 oldBack._next = newBack;
210 }
211 ++this._size;
212 }
213 // Like push(), shift() follows the read -> calculate -> mutate pattern for
214 // exception safety.
215 shift() { // must not be called on an empty queue
216 const oldFront = this._front;
217 let newFront = oldFront;
218 const oldCursor = this._cursor;
219 let newCursor = oldCursor + 1;
220 const elements = oldFront._elements;
221 const element = elements[oldCursor];
222 if (newCursor === QUEUE_MAX_ARRAY_SIZE) {
223 newFront = oldFront._next;
224 newCursor = 0;
225 }
226 // No mutations before this point.
227 --this._size;
228 this._cursor = newCursor;
229 if (oldFront !== newFront) {
230 this._front = newFront;
231 }
232 // Permit shifted element to be garbage collected.
233 elements[oldCursor] = undefined;
234 return element;
235 }
236 // The tricky thing about forEach() is that it can be called
237 // re-entrantly. The queue may be mutated inside the callback. It is easy to
238 // see that push() within the callback has no negative effects since the end
239 // of the queue is checked for on every iteration. If shift() is called
240 // repeatedly within the callback then the next iteration may return an
241 // element that has been removed. In this case the callback will be called
242 // with undefined values until we either "catch up" with elements that still
243 // exist or reach the back of the queue.
244 forEach(callback) {
245 let i = this._cursor;
246 let node = this._front;
247 let elements = node._elements;
248 while (i !== elements.length || node._next !== undefined) {
249 if (i === elements.length) {
250 node = node._next;
251 elements = node._elements;
252 i = 0;
253 if (elements.length === 0) {
254 break;
255 }
256 }
257 callback(elements[i]);
258 ++i;
259 }
260 }
261 // Return the element that would be returned if shift() was called now,
262 // without modifying the queue.
263 peek() { // must not be called on an empty queue
264 const front = this._front;
265 const cursor = this._cursor;
266 return front._elements[cursor];
267 }
268 }
269
270 function ReadableStreamCreateReadResult(value, done, forAuthorCode) {
271 let prototype = null;
272 if (forAuthorCode === true) {
273 prototype = Object.prototype;
274 }
275 const obj = Object.create(prototype);
276 obj.value = value;
277 obj.done = done;
278 return obj;
279 }
280 function ReadableStreamReaderGenericInitialize(reader, stream) {
281 reader._forAuthorCode = true;
282 reader._ownerReadableStream = stream;
283 stream._reader = reader;
284 if (stream._state === 'readable') {
285 defaultReaderClosedPromiseInitialize(reader);
286 }
287 else if (stream._state === 'closed') {
288 defaultReaderClosedPromiseInitializeAsResolved(reader);
289 }
290 else {
291 defaultReaderClosedPromiseInitializeAsRejected(reader, stream._storedError);
292 }
293 }
294 // A client of ReadableStreamDefaultReader and ReadableStreamBYOBReader may use these functions directly to bypass state
295 // check.
296 function ReadableStreamReaderGenericCancel(reader, reason) {
297 const stream = reader._ownerReadableStream;
298 return ReadableStreamCancel(stream, reason);
299 }
300 function ReadableStreamReaderGenericRelease(reader) {
301 if (reader._ownerReadableStream._state === 'readable') {
302 defaultReaderClosedPromiseReject(reader, new TypeError('Reader was released and can no longer be used to monitor the stream\'s closedness'));
303 }
304 else {
305 defaultReaderClosedPromiseResetToRejected(reader, new TypeError('Reader was released and can no longer be used to monitor the stream\'s closedness'));
306 }
307 reader._ownerReadableStream._reader = undefined;
308 reader._ownerReadableStream = undefined;
309 }
310 // Helper functions for the readers.
311 function readerLockException(name) {
312 return new TypeError('Cannot ' + name + ' a stream using a released reader');
313 }
314 // Helper functions for the ReadableStreamDefaultReader.
315 function defaultReaderClosedPromiseInitialize(reader) {
316 reader._closedPromise = newPromise((resolve, reject) => {
317 reader._closedPromise_resolve = resolve;
318 reader._closedPromise_reject = reject;
319 });
320 }
321 function defaultReaderClosedPromiseInitializeAsRejected(reader, reason) {
322 defaultReaderClosedPromiseInitialize(reader);
323 defaultReaderClosedPromiseReject(reader, reason);
324 }
325 function defaultReaderClosedPromiseInitializeAsResolved(reader) {
326 defaultReaderClosedPromiseInitialize(reader);
327 defaultReaderClosedPromiseResolve(reader);
328 }
329 function defaultReaderClosedPromiseReject(reader, reason) {
330 setPromiseIsHandledToTrue(reader._closedPromise);
331 reader._closedPromise_reject(reason);
332 reader._closedPromise_resolve = undefined;
333 reader._closedPromise_reject = undefined;
334 }
335 function defaultReaderClosedPromiseResetToRejected(reader, reason) {
336 defaultReaderClosedPromiseInitializeAsRejected(reader, reason);
337 }
338 function defaultReaderClosedPromiseResolve(reader) {
339 reader._closedPromise_resolve(undefined);
340 reader._closedPromise_resolve = undefined;
341 reader._closedPromise_reject = undefined;
342 }
343
344 const CancelSteps = SymbolPolyfill('[[CancelSteps]]');
345 const PullSteps = SymbolPolyfill('[[PullSteps]]');
346
347 // Abstract operations for the ReadableStream.
348 function AcquireReadableStreamDefaultReader(stream, forAuthorCode = false) {
349 const reader = new ReadableStreamDefaultReader(stream);
350 reader._forAuthorCode = forAuthorCode;
351 return reader;
352 }
353 // ReadableStream API exposed for controllers.
354 function ReadableStreamAddReadRequest(stream) {
355 const promise = newPromise((resolve, reject) => {
356 const readRequest = {
357 _resolve: resolve,
358 _reject: reject
359 };
360 stream._reader._readRequests.push(readRequest);
361 });
362 return promise;
363 }
364 function ReadableStreamFulfillReadRequest(stream, chunk, done) {
365 const reader = stream._reader;
366 const readRequest = reader._readRequests.shift();
367 readRequest._resolve(ReadableStreamCreateReadResult(chunk, done, reader._forAuthorCode));
368 }
369 function ReadableStreamGetNumReadRequests(stream) {
370 return stream._reader._readRequests.length;
371 }
372 function ReadableStreamHasDefaultReader(stream) {
373 const reader = stream._reader;
374 if (reader === undefined) {
375 return false;
376 }
377 if (!IsReadableStreamDefaultReader(reader)) {
378 return false;
379 }
380 return true;
381 }
382 class ReadableStreamDefaultReader {
383 constructor(stream) {
384 if (IsReadableStream(stream) === false) {
385 throw new TypeError('ReadableStreamDefaultReader can only be constructed with a ReadableStream instance');
386 }
387 if (IsReadableStreamLocked(stream) === true) {
388 throw new TypeError('This stream has already been locked for exclusive reading by another reader');
389 }
390 ReadableStreamReaderGenericInitialize(this, stream);
391 this._readRequests = new SimpleQueue();
392 }
393 get closed() {
394 if (!IsReadableStreamDefaultReader(this)) {
395 return promiseRejectedWith(defaultReaderBrandCheckException('closed'));
396 }
397 return this._closedPromise;
398 }
399 cancel(reason) {
400 if (!IsReadableStreamDefaultReader(this)) {
401 return promiseRejectedWith(defaultReaderBrandCheckException('cancel'));
402 }
403 if (this._ownerReadableStream === undefined) {
404 return promiseRejectedWith(readerLockException('cancel'));
405 }
406 return ReadableStreamReaderGenericCancel(this, reason);
407 }
408 read() {
409 if (!IsReadableStreamDefaultReader(this)) {
410 return promiseRejectedWith(defaultReaderBrandCheckException('read'));
411 }
412 if (this._ownerReadableStream === undefined) {
413 return promiseRejectedWith(readerLockException('read from'));
414 }
415 return ReadableStreamDefaultReaderRead(this);
416 }
417 releaseLock() {
418 if (!IsReadableStreamDefaultReader(this)) {
419 throw defaultReaderBrandCheckException('releaseLock');
420 }
421 if (this._ownerReadableStream === undefined) {
422 return;
423 }
424 if (this._readRequests.length > 0) {
425 throw new TypeError('Tried to release a reader lock when that reader has pending read() calls un-settled');
426 }
427 ReadableStreamReaderGenericRelease(this);
428 }
429 }
430 // Abstract operations for the readers.
431 function IsReadableStreamDefaultReader(x) {
432 if (!typeIsObject(x)) {
433 return false;
434 }
435 if (!Object.prototype.hasOwnProperty.call(x, '_readRequests')) {
436 return false;
437 }
438 return true;
439 }
440 function ReadableStreamDefaultReaderRead(reader) {
441 const stream = reader._ownerReadableStream;
442 stream._disturbed = true;
443 if (stream._state === 'closed') {
444 return promiseResolvedWith(ReadableStreamCreateReadResult(undefined, true, reader._forAuthorCode));
445 }
446 if (stream._state === 'errored') {
447 return promiseRejectedWith(stream._storedError);
448 }
449 return stream._readableStreamController[PullSteps]();
450 }
451 // Helper functions for the ReadableStreamDefaultReader.
452 function defaultReaderBrandCheckException(name) {
453 return new TypeError(`ReadableStreamDefaultReader.prototype.${name} can only be used on a ReadableStreamDefaultReader`);
454 }
455
456 /// <reference lib="es2018.asynciterable" />
457 let AsyncIteratorPrototype;
458 if (typeof SymbolPolyfill.asyncIterator === 'symbol') {
459 // We're running inside a ES2018+ environment, but we're compiling to an older syntax.
460 // We cannot access %AsyncIteratorPrototype% without non-ES2018 syntax, but we can re-create it.
461 AsyncIteratorPrototype = {
462 // 25.1.3.1 %AsyncIteratorPrototype% [ @@asyncIterator ] ( )
463 // https://tc39.github.io/ecma262/#sec-asynciteratorprototype-asynciterator
464 [SymbolPolyfill.asyncIterator]() {
465 return this;
466 }
467 };
468 Object.defineProperty(AsyncIteratorPrototype, SymbolPolyfill.asyncIterator, { enumerable: false });
469 }
470
471 /// <reference lib="es2018.asynciterable" />
472 const ReadableStreamAsyncIteratorPrototype = {
473 next() {
474 if (IsReadableStreamAsyncIterator(this) === false) {
475 return promiseRejectedWith(streamAsyncIteratorBrandCheckException('next'));
476 }
477 const reader = this._asyncIteratorReader;
478 if (reader._ownerReadableStream === undefined) {
479 return promiseRejectedWith(readerLockException('iterate'));
480 }
481 return transformPromiseWith(ReadableStreamDefaultReaderRead(reader), result => {
482 const done = result.done;
483 if (done) {
484 ReadableStreamReaderGenericRelease(reader);
485 }
486 const value = result.value;
487 return ReadableStreamCreateReadResult(value, done, true);
488 });
489 },
490 return(value) {
491 if (IsReadableStreamAsyncIterator(this) === false) {
492 return promiseRejectedWith(streamAsyncIteratorBrandCheckException('next'));
493 }
494 const reader = this._asyncIteratorReader;
495 if (reader._ownerReadableStream === undefined) {
496 return promiseRejectedWith(readerLockException('finish iterating'));
497 }
498 if (reader._readRequests.length > 0) {
499 return promiseRejectedWith(new TypeError('Tried to release a reader lock when that reader has pending read() calls un-settled'));
500 }
501 if (this._preventCancel === false) {
502 const result = ReadableStreamReaderGenericCancel(reader, value);
503 ReadableStreamReaderGenericRelease(reader);
504 return transformPromiseWith(result, () => ReadableStreamCreateReadResult(value, true, true));
505 }
506 ReadableStreamReaderGenericRelease(reader);
507 return promiseResolvedWith(ReadableStreamCreateReadResult(value, true, true));
508 }
509 };
510 if (AsyncIteratorPrototype !== undefined) {
511 Object.setPrototypeOf(ReadableStreamAsyncIteratorPrototype, AsyncIteratorPrototype);
512 }
513 Object.defineProperty(ReadableStreamAsyncIteratorPrototype, 'next', { enumerable: false });
514 Object.defineProperty(ReadableStreamAsyncIteratorPrototype, 'return', { enumerable: false });
515 // Abstract operations for the ReadableStream.
516 function AcquireReadableStreamAsyncIterator(stream, preventCancel = false) {
517 const reader = AcquireReadableStreamDefaultReader(stream);
518 const iterator = Object.create(ReadableStreamAsyncIteratorPrototype);
519 iterator._asyncIteratorReader = reader;
520 iterator._preventCancel = Boolean(preventCancel);
521 return iterator;
522 }
523 function IsReadableStreamAsyncIterator(x) {
524 if (!typeIsObject(x)) {
525 return false;
526 }
527 if (!Object.prototype.hasOwnProperty.call(x, '_asyncIteratorReader')) {
528 return false;
529 }
530 return true;
531 }
532 // Helper functions for the ReadableStream.
533 function streamAsyncIteratorBrandCheckException(name) {
534 return new TypeError(`ReadableStreamAsyncIterator.${name} can only be used on a ReadableSteamAsyncIterator`);
535 }
536
537 function DequeueValue(container) {
538 const pair = container._queue.shift();
539 container._queueTotalSize -= pair.size;
540 if (container._queueTotalSize < 0) {
541 container._queueTotalSize = 0;
542 }
543 return pair.value;
544 }
545 function EnqueueValueWithSize(container, value, size) {
546 size = Number(size);
547 if (!IsFiniteNonNegativeNumber(size)) {
548 throw new RangeError('Size must be a finite, non-NaN, non-negative number.');
549 }
550 container._queue.push({ value, size });
551 container._queueTotalSize += size;
552 }
553 function PeekQueueValue(container) {
554 const pair = container._queue.peek();
555 return pair.value;
556 }
557 function ResetQueue(container) {
558 container._queue = new SimpleQueue();
559 container._queueTotalSize = 0;
560 }
561
562 const AbortSteps = SymbolPolyfill('[[AbortSteps]]');
563 const ErrorSteps = SymbolPolyfill('[[ErrorSteps]]');
564 class WritableStream {
565 constructor(underlyingSink = {}, strategy = {}) {
566 InitializeWritableStream(this);
567 const size = strategy.size;
568 let highWaterMark = strategy.highWaterMark;
569 const type = underlyingSink.type;
570 if (type !== undefined) {
571 throw new RangeError('Invalid type is specified');
572 }
573 const sizeAlgorithm = MakeSizeAlgorithmFromSizeFunction(size);
574 if (highWaterMark === undefined) {
575 highWaterMark = 1;
576 }
577 highWaterMark = ValidateAndNormalizeHighWaterMark(highWaterMark);
578 SetUpWritableStreamDefaultControllerFromUnderlyingSink(this, underlyingSink, highWaterMark, sizeAlgorithm);
579 }
580 get locked() {
581 if (IsWritableStream(this) === false) {
582 throw streamBrandCheckException('locked');
583 }
584 return IsWritableStreamLocked(this);
585 }
586 abort(reason) {
587 if (IsWritableStream(this) === false) {
588 return promiseRejectedWith(streamBrandCheckException('abort'));
589 }
590 if (IsWritableStreamLocked(this) === true) {
591 return promiseRejectedWith(new TypeError('Cannot abort a stream that already has a writer'));
592 }
593 return WritableStreamAbort(this, reason);
594 }
595 close() {
596 if (IsWritableStream(this) === false) {
597 return promiseRejectedWith(streamBrandCheckException('close'));
598 }
599 if (IsWritableStreamLocked(this) === true) {
600 return promiseRejectedWith(new TypeError('Cannot close a stream that already has a writer'));
601 }
602 if (WritableStreamCloseQueuedOrInFlight(this) === true) {
603 return promiseRejectedWith(new TypeError('Cannot close an already-closing stream'));
604 }
605 return WritableStreamClose(this);
606 }
607 getWriter() {
608 if (IsWritableStream(this) === false) {
609 throw streamBrandCheckException('getWriter');
610 }
611 return AcquireWritableStreamDefaultWriter(this);
612 }
613 }
614 // Abstract operations for the WritableStream.
615 function AcquireWritableStreamDefaultWriter(stream) {
616 return new WritableStreamDefaultWriter(stream);
617 }
618 // Throws if and only if startAlgorithm throws.
619 function CreateWritableStream(startAlgorithm, writeAlgorithm, closeAlgorithm, abortAlgorithm, highWaterMark = 1, sizeAlgorithm = () => 1) {
620 const stream = Object.create(WritableStream.prototype);
621 InitializeWritableStream(stream);
622 const controller = Object.create(WritableStreamDefaultController.prototype);
623 SetUpWritableStreamDefaultController(stream, controller, startAlgorithm, writeAlgorithm, closeAlgorithm, abortAlgorithm, highWaterMark, sizeAlgorithm);
624 return stream;
625 }
626 function InitializeWritableStream(stream) {
627 stream._state = 'writable';
628 // The error that will be reported by new method calls once the state becomes errored. Only set when [[state]] is
629 // 'erroring' or 'errored'. May be set to an undefined value.
630 stream._storedError = undefined;
631 stream._writer = undefined;
632 // Initialize to undefined first because the constructor of the controller checks this
633 // variable to validate the caller.
634 stream._writableStreamController = undefined;
635 // This queue is placed here instead of the writer class in order to allow for passing a writer to the next data
636 // producer without waiting for the queued writes to finish.
637 stream._writeRequests = new SimpleQueue();
638 // Write requests are removed from _writeRequests when write() is called on the underlying sink. This prevents
639 // them from being erroneously rejected on error. If a write() call is in-flight, the request is stored here.
640 stream._inFlightWriteRequest = undefined;
641 // The promise that was returned from writer.close(). Stored here because it may be fulfilled after the writer
642 // has been detached.
643 stream._closeRequest = undefined;
644 // Close request is removed from _closeRequest when close() is called on the underlying sink. This prevents it
645 // from being erroneously rejected on error. If a close() call is in-flight, the request is stored here.
646 stream._inFlightCloseRequest = undefined;
647 // The promise that was returned from writer.abort(). This may also be fulfilled after the writer has detached.
648 stream._pendingAbortRequest = undefined;
649 // The backpressure signal set by the controller.
650 stream._backpressure = false;
651 }
652 function IsWritableStream(x) {
653 if (!typeIsObject(x)) {
654 return false;
655 }
656 if (!Object.prototype.hasOwnProperty.call(x, '_writableStreamController')) {
657 return false;
658 }
659 return true;
660 }
661 function IsWritableStreamLocked(stream) {
662 if (stream._writer === undefined) {
663 return false;
664 }
665 return true;
666 }
667 function WritableStreamAbort(stream, reason) {
668 const state = stream._state;
669 if (state === 'closed' || state === 'errored') {
670 return promiseResolvedWith(undefined);
671 }
672 if (stream._pendingAbortRequest !== undefined) {
673 return stream._pendingAbortRequest._promise;
674 }
675 let wasAlreadyErroring = false;
676 if (state === 'erroring') {
677 wasAlreadyErroring = true;
678 // reason will not be used, so don't keep a reference to it.
679 reason = undefined;
680 }
681 const promise = newPromise((resolve, reject) => {
682 stream._pendingAbortRequest = {
683 _promise: undefined,
684 _resolve: resolve,
685 _reject: reject,
686 _reason: reason,
687 _wasAlreadyErroring: wasAlreadyErroring
688 };
689 });
690 stream._pendingAbortRequest._promise = promise;
691 if (wasAlreadyErroring === false) {
692 WritableStreamStartErroring(stream, reason);
693 }
694 return promise;
695 }
696 function WritableStreamClose(stream) {
697 const state = stream._state;
698 if (state === 'closed' || state === 'errored') {
699 return promiseRejectedWith(new TypeError(`The stream (in ${state} state) is not in the writable state and cannot be closed`));
700 }
701 const promise = newPromise((resolve, reject) => {
702 const closeRequest = {
703 _resolve: resolve,
704 _reject: reject
705 };
706 stream._closeRequest = closeRequest;
707 });
708 const writer = stream._writer;
709 if (writer !== undefined && stream._backpressure === true && state === 'writable') {
710 defaultWriterReadyPromiseResolve(writer);
711 }
712 WritableStreamDefaultControllerClose(stream._writableStreamController);
713 return promise;
714 }
715 // WritableStream API exposed for controllers.
716 function WritableStreamAddWriteRequest(stream) {
717 const promise = newPromise((resolve, reject) => {
718 const writeRequest = {
719 _resolve: resolve,
720 _reject: reject
721 };
722 stream._writeRequests.push(writeRequest);
723 });
724 return promise;
725 }
726 function WritableStreamDealWithRejection(stream, error) {
727 const state = stream._state;
728 if (state === 'writable') {
729 WritableStreamStartErroring(stream, error);
730 return;
731 }
732 WritableStreamFinishErroring(stream);
733 }
734 function WritableStreamStartErroring(stream, reason) {
735 const controller = stream._writableStreamController;
736 stream._state = 'erroring';
737 stream._storedError = reason;
738 const writer = stream._writer;
739 if (writer !== undefined) {
740 WritableStreamDefaultWriterEnsureReadyPromiseRejected(writer, reason);
741 }
742 if (WritableStreamHasOperationMarkedInFlight(stream) === false && controller._started === true) {
743 WritableStreamFinishErroring(stream);
744 }
745 }
746 function WritableStreamFinishErroring(stream) {
747 stream._state = 'errored';
748 stream._writableStreamController[ErrorSteps]();
749 const storedError = stream._storedError;
750 stream._writeRequests.forEach(writeRequest => {
751 writeRequest._reject(storedError);
752 });
753 stream._writeRequests = new SimpleQueue();
754 if (stream._pendingAbortRequest === undefined) {
755 WritableStreamRejectCloseAndClosedPromiseIfNeeded(stream);
756 return;
757 }
758 const abortRequest = stream._pendingAbortRequest;
759 stream._pendingAbortRequest = undefined;
760 if (abortRequest._wasAlreadyErroring === true) {
761 abortRequest._reject(storedError);
762 WritableStreamRejectCloseAndClosedPromiseIfNeeded(stream);
763 return;
764 }
765 const promise = stream._writableStreamController[AbortSteps](abortRequest._reason);
766 uponPromise(promise, () => {
767 abortRequest._resolve();
768 WritableStreamRejectCloseAndClosedPromiseIfNeeded(stream);
769 }, (reason) => {
770 abortRequest._reject(reason);
771 WritableStreamRejectCloseAndClosedPromiseIfNeeded(stream);
772 });
773 }
774 function WritableStreamFinishInFlightWrite(stream) {
775 stream._inFlightWriteRequest._resolve(undefined);
776 stream._inFlightWriteRequest = undefined;
777 }
778 function WritableStreamFinishInFlightWriteWithError(stream, error) {
779 stream._inFlightWriteRequest._reject(error);
780 stream._inFlightWriteRequest = undefined;
781 WritableStreamDealWithRejection(stream, error);
782 }
783 function WritableStreamFinishInFlightClose(stream) {
784 stream._inFlightCloseRequest._resolve(undefined);
785 stream._inFlightCloseRequest = undefined;
786 const state = stream._state;
787 if (state === 'erroring') {
788 // The error was too late to do anything, so it is ignored.
789 stream._storedError = undefined;
790 if (stream._pendingAbortRequest !== undefined) {
791 stream._pendingAbortRequest._resolve();
792 stream._pendingAbortRequest = undefined;
793 }
794 }
795 stream._state = 'closed';
796 const writer = stream._writer;
797 if (writer !== undefined) {
798 defaultWriterClosedPromiseResolve(writer);
799 }
800 }
801 function WritableStreamFinishInFlightCloseWithError(stream, error) {
802 stream._inFlightCloseRequest._reject(error);
803 stream._inFlightCloseRequest = undefined;
804 // Never execute sink abort() after sink close().
805 if (stream._pendingAbortRequest !== undefined) {
806 stream._pendingAbortRequest._reject(error);
807 stream._pendingAbortRequest = undefined;
808 }
809 WritableStreamDealWithRejection(stream, error);
810 }
811 // TODO(ricea): Fix alphabetical order.
812 function WritableStreamCloseQueuedOrInFlight(stream) {
813 if (stream._closeRequest === undefined && stream._inFlightCloseRequest === undefined) {
814 return false;
815 }
816 return true;
817 }
818 function WritableStreamHasOperationMarkedInFlight(stream) {
819 if (stream._inFlightWriteRequest === undefined && stream._inFlightCloseRequest === undefined) {
820 return false;
821 }
822 return true;
823 }
824 function WritableStreamMarkCloseRequestInFlight(stream) {
825 stream._inFlightCloseRequest = stream._closeRequest;
826 stream._closeRequest = undefined;
827 }
828 function WritableStreamMarkFirstWriteRequestInFlight(stream) {
829 stream._inFlightWriteRequest = stream._writeRequests.shift();
830 }
831 function WritableStreamRejectCloseAndClosedPromiseIfNeeded(stream) {
832 if (stream._closeRequest !== undefined) {
833 stream._closeRequest._reject(stream._storedError);
834 stream._closeRequest = undefined;
835 }
836 const writer = stream._writer;
837 if (writer !== undefined) {
838 defaultWriterClosedPromiseReject(writer, stream._storedError);
839 }
840 }
841 function WritableStreamUpdateBackpressure(stream, backpressure) {
842 const writer = stream._writer;
843 if (writer !== undefined && backpressure !== stream._backpressure) {
844 if (backpressure === true) {
845 defaultWriterReadyPromiseReset(writer);
846 }
847 else {
848 defaultWriterReadyPromiseResolve(writer);
849 }
850 }
851 stream._backpressure = backpressure;
852 }
853 class WritableStreamDefaultWriter {
854 constructor(stream) {
855 if (IsWritableStream(stream) === false) {
856 throw new TypeError('WritableStreamDefaultWriter can only be constructed with a WritableStream instance');
857 }
858 if (IsWritableStreamLocked(stream) === true) {
859 throw new TypeError('This stream has already been locked for exclusive writing by another writer');
860 }
861 this._ownerWritableStream = stream;
862 stream._writer = this;
863 const state = stream._state;
864 if (state === 'writable') {
865 if (WritableStreamCloseQueuedOrInFlight(stream) === false && stream._backpressure === true) {
866 defaultWriterReadyPromiseInitialize(this);
867 }
868 else {
869 defaultWriterReadyPromiseInitializeAsResolved(this);
870 }
871 defaultWriterClosedPromiseInitialize(this);
872 }
873 else if (state === 'erroring') {
874 defaultWriterReadyPromiseInitializeAsRejected(this, stream._storedError);
875 defaultWriterClosedPromiseInitialize(this);
876 }
877 else if (state === 'closed') {
878 defaultWriterReadyPromiseInitializeAsResolved(this);
879 defaultWriterClosedPromiseInitializeAsResolved(this);
880 }
881 else {
882 const storedError = stream._storedError;
883 defaultWriterReadyPromiseInitializeAsRejected(this, storedError);
884 defaultWriterClosedPromiseInitializeAsRejected(this, storedError);
885 }
886 }
887 get closed() {
888 if (IsWritableStreamDefaultWriter(this) === false) {
889 return promiseRejectedWith(defaultWriterBrandCheckException('closed'));
890 }
891 return this._closedPromise;
892 }
893 get desiredSize() {
894 if (IsWritableStreamDefaultWriter(this) === false) {
895 throw defaultWriterBrandCheckException('desiredSize');
896 }
897 if (this._ownerWritableStream === undefined) {
898 throw defaultWriterLockException('desiredSize');
899 }
900 return WritableStreamDefaultWriterGetDesiredSize(this);
901 }
902 get ready() {
903 if (IsWritableStreamDefaultWriter(this) === false) {
904 return promiseRejectedWith(defaultWriterBrandCheckException('ready'));
905 }
906 return this._readyPromise;
907 }
908 abort(reason) {
909 if (IsWritableStreamDefaultWriter(this) === false) {
910 return promiseRejectedWith(defaultWriterBrandCheckException('abort'));
911 }
912 if (this._ownerWritableStream === undefined) {
913 return promiseRejectedWith(defaultWriterLockException('abort'));
914 }
915 return WritableStreamDefaultWriterAbort(this, reason);
916 }
917 close() {
918 if (IsWritableStreamDefaultWriter(this) === false) {
919 return promiseRejectedWith(defaultWriterBrandCheckException('close'));
920 }
921 const stream = this._ownerWritableStream;
922 if (stream === undefined) {
923 return promiseRejectedWith(defaultWriterLockException('close'));
924 }
925 if (WritableStreamCloseQueuedOrInFlight(stream) === true) {
926 return promiseRejectedWith(new TypeError('Cannot close an already-closing stream'));
927 }
928 return WritableStreamDefaultWriterClose(this);
929 }
930 releaseLock() {
931 if (IsWritableStreamDefaultWriter(this) === false) {
932 throw defaultWriterBrandCheckException('releaseLock');
933 }
934 const stream = this._ownerWritableStream;
935 if (stream === undefined) {
936 return;
937 }
938 WritableStreamDefaultWriterRelease(this);
939 }
940 write(chunk) {
941 if (IsWritableStreamDefaultWriter(this) === false) {
942 return promiseRejectedWith(defaultWriterBrandCheckException('write'));
943 }
944 if (this._ownerWritableStream === undefined) {
945 return promiseRejectedWith(defaultWriterLockException('write to'));
946 }
947 return WritableStreamDefaultWriterWrite(this, chunk);
948 }
949 }
950 // Abstract operations for the WritableStreamDefaultWriter.
951 function IsWritableStreamDefaultWriter(x) {
952 if (!typeIsObject(x)) {
953 return false;
954 }
955 if (!Object.prototype.hasOwnProperty.call(x, '_ownerWritableStream')) {
956 return false;
957 }
958 return true;
959 }
960 // A client of WritableStreamDefaultWriter may use these functions directly to bypass state check.
961 function WritableStreamDefaultWriterAbort(writer, reason) {
962 const stream = writer._ownerWritableStream;
963 return WritableStreamAbort(stream, reason);
964 }
965 function WritableStreamDefaultWriterClose(writer) {
966 const stream = writer._ownerWritableStream;
967 return WritableStreamClose(stream);
968 }
969 function WritableStreamDefaultWriterCloseWithErrorPropagation(writer) {
970 const stream = writer._ownerWritableStream;
971 const state = stream._state;
972 if (WritableStreamCloseQueuedOrInFlight(stream) === true || state === 'closed') {
973 return promiseResolvedWith(undefined);
974 }
975 if (state === 'errored') {
976 return promiseRejectedWith(stream._storedError);
977 }
978 return WritableStreamDefaultWriterClose(writer);
979 }
980 function WritableStreamDefaultWriterEnsureClosedPromiseRejected(writer, error) {
981 if (writer._closedPromiseState === 'pending') {
982 defaultWriterClosedPromiseReject(writer, error);
983 }
984 else {
985 defaultWriterClosedPromiseResetToRejected(writer, error);
986 }
987 }
988 function WritableStreamDefaultWriterEnsureReadyPromiseRejected(writer, error) {
989 if (writer._readyPromiseState === 'pending') {
990 defaultWriterReadyPromiseReject(writer, error);
991 }
992 else {
993 defaultWriterReadyPromiseResetToRejected(writer, error);
994 }
995 }
996 function WritableStreamDefaultWriterGetDesiredSize(writer) {
997 const stream = writer._ownerWritableStream;
998 const state = stream._state;
999 if (state === 'errored' || state === 'erroring') {
1000 return null;
1001 }
1002 if (state === 'closed') {
1003 return 0;
1004 }
1005 return WritableStreamDefaultControllerGetDesiredSize(stream._writableStreamController);
1006 }
1007 function WritableStreamDefaultWriterRelease(writer) {
1008 const stream = writer._ownerWritableStream;
1009 const releasedError = new TypeError('Writer was released and can no longer be used to monitor the stream\'s closedness');
1010 WritableStreamDefaultWriterEnsureReadyPromiseRejected(writer, releasedError);
1011 // The state transitions to "errored" before the sink abort() method runs, but the writer.closed promise is not
1012 // rejected until afterwards. This means that simply testing state will not work.
1013 WritableStreamDefaultWriterEnsureClosedPromiseRejected(writer, releasedError);
1014 stream._writer = undefined;
1015 writer._ownerWritableStream = undefined;
1016 }
1017 function WritableStreamDefaultWriterWrite(writer, chunk) {
1018 const stream = writer._ownerWritableStream;
1019 const controller = stream._writableStreamController;
1020 const chunkSize = WritableStreamDefaultControllerGetChunkSize(controller, chunk);
1021 if (stream !== writer._ownerWritableStream) {
1022 return promiseRejectedWith(defaultWriterLockException('write to'));
1023 }
1024 const state = stream._state;
1025 if (state === 'errored') {
1026 return promiseRejectedWith(stream._storedError);
1027 }
1028 if (WritableStreamCloseQueuedOrInFlight(stream) === true || state === 'closed') {
1029 return promiseRejectedWith(new TypeError('The stream is closing or closed and cannot be written to'));
1030 }
1031 if (state === 'erroring') {
1032 return promiseRejectedWith(stream._storedError);
1033 }
1034 const promise = WritableStreamAddWriteRequest(stream);
1035 WritableStreamDefaultControllerWrite(controller, chunk, chunkSize);
1036 return promise;
1037 }
1038 class WritableStreamDefaultController {
1039 /** @internal */
1040 constructor() {
1041 throw new TypeError('WritableStreamDefaultController cannot be constructed explicitly');
1042 }
1043 error(e) {
1044 if (IsWritableStreamDefaultController(this) === false) {
1045 throw new TypeError('WritableStreamDefaultController.prototype.error can only be used on a WritableStreamDefaultController');
1046 }
1047 const state = this._controlledWritableStream._state;
1048 if (state !== 'writable') {
1049 // The stream is closed, errored or will be soon. The sink can't do anything useful if it gets an error here, so
1050 // just treat it as a no-op.
1051 return;
1052 }
1053 WritableStreamDefaultControllerError(this, e);
1054 }
1055 /** @internal */
1056 [AbortSteps](reason) {
1057 const result = this._abortAlgorithm(reason);
1058 WritableStreamDefaultControllerClearAlgorithms(this);
1059 return result;
1060 }
1061 /** @internal */
1062 [ErrorSteps]() {
1063 ResetQueue(this);
1064 }
1065 }
1066 // Abstract operations implementing interface required by the WritableStream.
1067 function IsWritableStreamDefaultController(x) {
1068 if (!typeIsObject(x)) {
1069 return false;
1070 }
1071 if (!Object.prototype.hasOwnProperty.call(x, '_controlledWritableStream')) {
1072 return false;
1073 }
1074 return true;
1075 }
1076 function SetUpWritableStreamDefaultController(stream, controller, startAlgorithm, writeAlgorithm, closeAlgorithm, abortAlgorithm, highWaterMark, sizeAlgorithm) {
1077 controller._controlledWritableStream = stream;
1078 stream._writableStreamController = controller;
1079 // Need to set the slots so that the assert doesn't fire. In the spec the slots already exist implicitly.
1080 controller._queue = undefined;
1081 controller._queueTotalSize = undefined;
1082 ResetQueue(controller);
1083 controller._started = false;
1084 controller._strategySizeAlgorithm = sizeAlgorithm;
1085 controller._strategyHWM = highWaterMark;
1086 controller._writeAlgorithm = writeAlgorithm;
1087 controller._closeAlgorithm = closeAlgorithm;
1088 controller._abortAlgorithm = abortAlgorithm;
1089 const backpressure = WritableStreamDefaultControllerGetBackpressure(controller);
1090 WritableStreamUpdateBackpressure(stream, backpressure);
1091 const startResult = startAlgorithm();
1092 const startPromise = promiseResolvedWith(startResult);
1093 uponPromise(startPromise, () => {
1094 controller._started = true;
1095 WritableStreamDefaultControllerAdvanceQueueIfNeeded(controller);
1096 }, r => {
1097 controller._started = true;
1098 WritableStreamDealWithRejection(stream, r);
1099 });
1100 }
1101 function SetUpWritableStreamDefaultControllerFromUnderlyingSink(stream, underlyingSink, highWaterMark, sizeAlgorithm) {
1102 const controller = Object.create(WritableStreamDefaultController.prototype);
1103 function startAlgorithm() {
1104 return InvokeOrNoop(underlyingSink, 'start', [controller]);
1105 }
1106 const writeAlgorithm = CreateAlgorithmFromUnderlyingMethod(underlyingSink, 'write', 1, [controller]);
1107 const closeAlgorithm = CreateAlgorithmFromUnderlyingMethod(underlyingSink, 'close', 0, []);
1108 const abortAlgorithm = CreateAlgorithmFromUnderlyingMethod(underlyingSink, 'abort', 1, []);
1109 SetUpWritableStreamDefaultController(stream, controller, startAlgorithm, writeAlgorithm, closeAlgorithm, abortAlgorithm, highWaterMark, sizeAlgorithm);
1110 }
1111 // ClearAlgorithms may be called twice. Erroring the same stream in multiple ways will often result in redundant calls.
1112 function WritableStreamDefaultControllerClearAlgorithms(controller) {
1113 controller._writeAlgorithm = undefined;
1114 controller._closeAlgorithm = undefined;
1115 controller._abortAlgorithm = undefined;
1116 controller._strategySizeAlgorithm = undefined;
1117 }
1118 function WritableStreamDefaultControllerClose(controller) {
1119 EnqueueValueWithSize(controller, 'close', 0);
1120 WritableStreamDefaultControllerAdvanceQueueIfNeeded(controller);
1121 }
1122 function WritableStreamDefaultControllerGetChunkSize(controller, chunk) {
1123 try {
1124 return controller._strategySizeAlgorithm(chunk);
1125 }
1126 catch (chunkSizeE) {
1127 WritableStreamDefaultControllerErrorIfNeeded(controller, chunkSizeE);
1128 return 1;
1129 }
1130 }
1131 function WritableStreamDefaultControllerGetDesiredSize(controller) {
1132 return controller._strategyHWM - controller._queueTotalSize;
1133 }
1134 function WritableStreamDefaultControllerWrite(controller, chunk, chunkSize) {
1135 const writeRecord = { chunk };
1136 try {
1137 EnqueueValueWithSize(controller, writeRecord, chunkSize);
1138 }
1139 catch (enqueueE) {
1140 WritableStreamDefaultControllerErrorIfNeeded(controller, enqueueE);
1141 return;
1142 }
1143 const stream = controller._controlledWritableStream;
1144 if (WritableStreamCloseQueuedOrInFlight(stream) === false && stream._state === 'writable') {
1145 const backpressure = WritableStreamDefaultControllerGetBackpressure(controller);
1146 WritableStreamUpdateBackpressure(stream, backpressure);
1147 }
1148 WritableStreamDefaultControllerAdvanceQueueIfNeeded(controller);
1149 }
1150 // Abstract operations for the WritableStreamDefaultController.
1151 function WritableStreamDefaultControllerAdvanceQueueIfNeeded(controller) {
1152 const stream = controller._controlledWritableStream;
1153 if (controller._started === false) {
1154 return;
1155 }
1156 if (stream._inFlightWriteRequest !== undefined) {
1157 return;
1158 }
1159 const state = stream._state;
1160 if (state === 'erroring') {
1161 WritableStreamFinishErroring(stream);
1162 return;
1163 }
1164 if (controller._queue.length === 0) {
1165 return;
1166 }
1167 const writeRecord = PeekQueueValue(controller);
1168 if (writeRecord === 'close') {
1169 WritableStreamDefaultControllerProcessClose(controller);
1170 }
1171 else {
1172 WritableStreamDefaultControllerProcessWrite(controller, writeRecord.chunk);
1173 }
1174 }
1175 function WritableStreamDefaultControllerErrorIfNeeded(controller, error) {
1176 if (controller._controlledWritableStream._state === 'writable') {
1177 WritableStreamDefaultControllerError(controller, error);
1178 }
1179 }
1180 function WritableStreamDefaultControllerProcessClose(controller) {
1181 const stream = controller._controlledWritableStream;
1182 WritableStreamMarkCloseRequestInFlight(stream);
1183 DequeueValue(controller);
1184 const sinkClosePromise = controller._closeAlgorithm();
1185 WritableStreamDefaultControllerClearAlgorithms(controller);
1186 uponPromise(sinkClosePromise, () => {
1187 WritableStreamFinishInFlightClose(stream);
1188 }, reason => {
1189 WritableStreamFinishInFlightCloseWithError(stream, reason);
1190 });
1191 }
1192 function WritableStreamDefaultControllerProcessWrite(controller, chunk) {
1193 const stream = controller._controlledWritableStream;
1194 WritableStreamMarkFirstWriteRequestInFlight(stream);
1195 const sinkWritePromise = controller._writeAlgorithm(chunk);
1196 uponPromise(sinkWritePromise, () => {
1197 WritableStreamFinishInFlightWrite(stream);
1198 const state = stream._state;
1199 DequeueValue(controller);
1200 if (WritableStreamCloseQueuedOrInFlight(stream) === false && state === 'writable') {
1201 const backpressure = WritableStreamDefaultControllerGetBackpressure(controller);
1202 WritableStreamUpdateBackpressure(stream, backpressure);
1203 }
1204 WritableStreamDefaultControllerAdvanceQueueIfNeeded(controller);
1205 }, reason => {
1206 if (stream._state === 'writable') {
1207 WritableStreamDefaultControllerClearAlgorithms(controller);
1208 }
1209 WritableStreamFinishInFlightWriteWithError(stream, reason);
1210 });
1211 }
1212 function WritableStreamDefaultControllerGetBackpressure(controller) {
1213 const desiredSize = WritableStreamDefaultControllerGetDesiredSize(controller);
1214 return desiredSize <= 0;
1215 }
1216 // A client of WritableStreamDefaultController may use these functions directly to bypass state check.
1217 function WritableStreamDefaultControllerError(controller, error) {
1218 const stream = controller._controlledWritableStream;
1219 WritableStreamDefaultControllerClearAlgorithms(controller);
1220 WritableStreamStartErroring(stream, error);
1221 }
1222 // Helper functions for the WritableStream.
1223 function streamBrandCheckException(name) {
1224 return new TypeError(`WritableStream.prototype.${name} can only be used on a WritableStream`);
1225 }
1226 // Helper functions for the WritableStreamDefaultWriter.
1227 function defaultWriterBrandCheckException(name) {
1228 return new TypeError(`WritableStreamDefaultWriter.prototype.${name} can only be used on a WritableStreamDefaultWriter`);
1229 }
1230 function defaultWriterLockException(name) {
1231 return new TypeError('Cannot ' + name + ' a stream using a released writer');
1232 }
1233 function defaultWriterClosedPromiseInitialize(writer) {
1234 writer._closedPromise = newPromise((resolve, reject) => {
1235 writer._closedPromise_resolve = resolve;
1236 writer._closedPromise_reject = reject;
1237 writer._closedPromiseState = 'pending';
1238 });
1239 }
1240 function defaultWriterClosedPromiseInitializeAsRejected(writer, reason) {
1241 defaultWriterClosedPromiseInitialize(writer);
1242 defaultWriterClosedPromiseReject(writer, reason);
1243 }
1244 function defaultWriterClosedPromiseInitializeAsResolved(writer) {
1245 defaultWriterClosedPromiseInitialize(writer);
1246 defaultWriterClosedPromiseResolve(writer);
1247 }
1248 function defaultWriterClosedPromiseReject(writer, reason) {
1249 setPromiseIsHandledToTrue(writer._closedPromise);
1250 writer._closedPromise_reject(reason);
1251 writer._closedPromise_resolve = undefined;
1252 writer._closedPromise_reject = undefined;
1253 writer._closedPromiseState = 'rejected';
1254 }
1255 function defaultWriterClosedPromiseResetToRejected(writer, reason) {
1256 defaultWriterClosedPromiseInitializeAsRejected(writer, reason);
1257 }
1258 function defaultWriterClosedPromiseResolve(writer) {
1259 writer._closedPromise_resolve(undefined);
1260 writer._closedPromise_resolve = undefined;
1261 writer._closedPromise_reject = undefined;
1262 writer._closedPromiseState = 'resolved';
1263 }
1264 function defaultWriterReadyPromiseInitialize(writer) {
1265 writer._readyPromise = newPromise((resolve, reject) => {
1266 writer._readyPromise_resolve = resolve;
1267 writer._readyPromise_reject = reject;
1268 });
1269 writer._readyPromiseState = 'pending';
1270 }
1271 function defaultWriterReadyPromiseInitializeAsRejected(writer, reason) {
1272 defaultWriterReadyPromiseInitialize(writer);
1273 defaultWriterReadyPromiseReject(writer, reason);
1274 }
1275 function defaultWriterReadyPromiseInitializeAsResolved(writer) {
1276 defaultWriterReadyPromiseInitialize(writer);
1277 defaultWriterReadyPromiseResolve(writer);
1278 }
1279 function defaultWriterReadyPromiseReject(writer, reason) {
1280 setPromiseIsHandledToTrue(writer._readyPromise);
1281 writer._readyPromise_reject(reason);
1282 writer._readyPromise_resolve = undefined;
1283 writer._readyPromise_reject = undefined;
1284 writer._readyPromiseState = 'rejected';
1285 }
1286 function defaultWriterReadyPromiseReset(writer) {
1287 defaultWriterReadyPromiseInitialize(writer);
1288 }
1289 function defaultWriterReadyPromiseResetToRejected(writer, reason) {
1290 defaultWriterReadyPromiseInitializeAsRejected(writer, reason);
1291 }
1292 function defaultWriterReadyPromiseResolve(writer) {
1293 writer._readyPromise_resolve(undefined);
1294 writer._readyPromise_resolve = undefined;
1295 writer._readyPromise_reject = undefined;
1296 writer._readyPromiseState = 'fulfilled';
1297 }
1298
1299 function isAbortSignal(value) {
1300 if (typeof value !== 'object' || value === null) {
1301 return false;
1302 }
1303 try {
1304 return typeof value.aborted === 'boolean';
1305 }
1306 catch (_a) {
1307 // AbortSignal.prototype.aborted throws if its brand check fails
1308 return false;
1309 }
1310 }
1311
1312 /// <reference lib="dom" />
1313 const NativeDOMException = typeof DOMException !== 'undefined' ? DOMException : undefined;
1314
1315 /// <reference types="node" />
1316 function isDOMExceptionConstructor(ctor) {
1317 if (!(typeof ctor === 'function' || typeof ctor === 'object')) {
1318 return false;
1319 }
1320 try {
1321 new ctor();
1322 return true;
1323 }
1324 catch (_a) {
1325 return false;
1326 }
1327 }
1328 function createDOMExceptionPolyfill() {
1329 const ctor = function DOMException(message, name) {
1330 this.message = message || '';
1331 this.name = name || 'Error';
1332 if (Error.captureStackTrace) {
1333 Error.captureStackTrace(this, this.constructor);
1334 }
1335 };
1336 ctor.prototype = Object.create(Error.prototype);
1337 Object.defineProperty(ctor.prototype, 'constructor', { value: ctor, writable: true, configurable: true });
1338 return ctor;
1339 }
1340 const DOMException$1 = isDOMExceptionConstructor(NativeDOMException) ? NativeDOMException : createDOMExceptionPolyfill();
1341
1342 function ReadableStreamPipeTo(source, dest, preventClose, preventAbort, preventCancel, signal) {
1343 const reader = AcquireReadableStreamDefaultReader(source);
1344 const writer = AcquireWritableStreamDefaultWriter(dest);
1345 source._disturbed = true;
1346 let shuttingDown = false;
1347 // This is used to keep track of the spec's requirement that we wait for ongoing writes during shutdown.
1348 let currentWrite = promiseResolvedWith(undefined);
1349 return newPromise((resolve, reject) => {
1350 let abortAlgorithm;
1351 if (signal !== undefined) {
1352 abortAlgorithm = () => {
1353 const error = new DOMException$1('Aborted', 'AbortError');
1354 const actions = [];
1355 if (preventAbort === false) {
1356 actions.push(() => {
1357 if (dest._state === 'writable') {
1358 return WritableStreamAbort(dest, error);
1359 }
1360 return promiseResolvedWith(undefined);
1361 });
1362 }
1363 if (preventCancel === false) {
1364 actions.push(() => {
1365 if (source._state === 'readable') {
1366 return ReadableStreamCancel(source, error);
1367 }
1368 return promiseResolvedWith(undefined);
1369 });
1370 }
1371 shutdownWithAction(() => Promise.all(actions.map(action => action())), true, error);
1372 };
1373 if (signal.aborted === true) {
1374 abortAlgorithm();
1375 return;
1376 }
1377 signal.addEventListener('abort', abortAlgorithm);
1378 }
1379 // Using reader and writer, read all chunks from this and write them to dest
1380 // - Backpressure must be enforced
1381 // - Shutdown must stop all activity
1382 function pipeLoop() {
1383 return newPromise((resolveLoop, rejectLoop) => {
1384 function next(done) {
1385 if (done) {
1386 resolveLoop();
1387 }
1388 else {
1389 // Use `PerformPromiseThen` instead of `uponPromise` to avoid
1390 // adding unnecessary `.catch(rethrowAssertionErrorRejection)` handlers
1391 PerformPromiseThen(pipeStep(), next, rejectLoop);
1392 }
1393 }
1394 next(false);
1395 });
1396 }
1397 function pipeStep() {
1398 if (shuttingDown === true) {
1399 return promiseResolvedWith(true);
1400 }
1401 return PerformPromiseThen(writer._readyPromise, () => {
1402 return PerformPromiseThen(ReadableStreamDefaultReaderRead(reader), result => {
1403 if (result.done === true) {
1404 return true;
1405 }
1406 currentWrite = PerformPromiseThen(WritableStreamDefaultWriterWrite(writer, result.value), undefined, noop);
1407 return false;
1408 });
1409 });
1410 }
1411 // Errors must be propagated forward
1412 isOrBecomesErrored(source, reader._closedPromise, storedError => {
1413 if (preventAbort === false) {
1414 shutdownWithAction(() => WritableStreamAbort(dest, storedError), true, storedError);
1415 }
1416 else {
1417 shutdown(true, storedError);
1418 }
1419 });
1420 // Errors must be propagated backward
1421 isOrBecomesErrored(dest, writer._closedPromise, storedError => {
1422 if (preventCancel === false) {
1423 shutdownWithAction(() => ReadableStreamCancel(source, storedError), true, storedError);
1424 }
1425 else {
1426 shutdown(true, storedError);
1427 }
1428 });
1429 // Closing must be propagated forward
1430 isOrBecomesClosed(source, reader._closedPromise, () => {
1431 if (preventClose === false) {
1432 shutdownWithAction(() => WritableStreamDefaultWriterCloseWithErrorPropagation(writer));
1433 }
1434 else {
1435 shutdown();
1436 }
1437 });
1438 // Closing must be propagated backward
1439 if (WritableStreamCloseQueuedOrInFlight(dest) === true || dest._state === 'closed') {
1440 const destClosed = new TypeError('the destination writable stream closed before all data could be piped to it');
1441 if (preventCancel === false) {
1442 shutdownWithAction(() => ReadableStreamCancel(source, destClosed), true, destClosed);
1443 }
1444 else {
1445 shutdown(true, destClosed);
1446 }
1447 }
1448 setPromiseIsHandledToTrue(pipeLoop());
1449 function waitForWritesToFinish() {
1450 // Another write may have started while we were waiting on this currentWrite, so we have to be sure to wait
1451 // for that too.
1452 const oldCurrentWrite = currentWrite;
1453 return PerformPromiseThen(currentWrite, () => oldCurrentWrite !== currentWrite ? waitForWritesToFinish() : undefined);
1454 }
1455 function isOrBecomesErrored(stream, promise, action) {
1456 if (stream._state === 'errored') {
1457 action(stream._storedError);
1458 }
1459 else {
1460 uponRejection(promise, action);
1461 }
1462 }
1463 function isOrBecomesClosed(stream, promise, action) {
1464 if (stream._state === 'closed') {
1465 action();
1466 }
1467 else {
1468 uponFulfillment(promise, action);
1469 }
1470 }
1471 function shutdownWithAction(action, originalIsError, originalError) {
1472 if (shuttingDown === true) {
1473 return;
1474 }
1475 shuttingDown = true;
1476 if (dest._state === 'writable' && WritableStreamCloseQueuedOrInFlight(dest) === false) {
1477 uponFulfillment(waitForWritesToFinish(), doTheRest);
1478 }
1479 else {
1480 doTheRest();
1481 }
1482 function doTheRest() {
1483 uponPromise(action(), () => finalize(originalIsError, originalError), newError => finalize(true, newError));
1484 }
1485 }
1486 function shutdown(isError, error) {
1487 if (shuttingDown === true) {
1488 return;
1489 }
1490 shuttingDown = true;
1491 if (dest._state === 'writable' && WritableStreamCloseQueuedOrInFlight(dest) === false) {
1492 uponFulfillment(waitForWritesToFinish(), () => finalize(isError, error));
1493 }
1494 else {
1495 finalize(isError, error);
1496 }
1497 }
1498 function finalize(isError, error) {
1499 WritableStreamDefaultWriterRelease(writer);
1500 ReadableStreamReaderGenericRelease(reader);
1501 if (signal !== undefined) {
1502 signal.removeEventListener('abort', abortAlgorithm);
1503 }
1504 if (isError) {
1505 reject(error);
1506 }
1507 else {
1508 resolve(undefined);
1509 }
1510 }
1511 });
1512 }
1513
1514 class ReadableStreamDefaultController {
1515 /** @internal */
1516 constructor() {
1517 throw new TypeError();
1518 }
1519 get desiredSize() {
1520 if (IsReadableStreamDefaultController(this) === false) {
1521 throw defaultControllerBrandCheckException('desiredSize');
1522 }
1523 return ReadableStreamDefaultControllerGetDesiredSize(this);
1524 }
1525 close() {
1526 if (IsReadableStreamDefaultController(this) === false) {
1527 throw defaultControllerBrandCheckException('close');
1528 }
1529 if (ReadableStreamDefaultControllerCanCloseOrEnqueue(this) === false) {
1530 throw new TypeError('The stream is not in a state that permits close');
1531 }
1532 ReadableStreamDefaultControllerClose(this);
1533 }
1534 enqueue(chunk) {
1535 if (IsReadableStreamDefaultController(this) === false) {
1536 throw defaultControllerBrandCheckException('enqueue');
1537 }
1538 if (ReadableStreamDefaultControllerCanCloseOrEnqueue(this) === false) {
1539 throw new TypeError('The stream is not in a state that permits enqueue');
1540 }
1541 return ReadableStreamDefaultControllerEnqueue(this, chunk);
1542 }
1543 error(e) {
1544 if (IsReadableStreamDefaultController(this) === false) {
1545 throw defaultControllerBrandCheckException('error');
1546 }
1547 ReadableStreamDefaultControllerError(this, e);
1548 }
1549 /** @internal */
1550 [CancelSteps](reason) {
1551 ResetQueue(this);
1552 const result = this._cancelAlgorithm(reason);
1553 ReadableStreamDefaultControllerClearAlgorithms(this);
1554 return result;
1555 }
1556 /** @internal */
1557 [PullSteps]() {
1558 const stream = this._controlledReadableStream;
1559 if (this._queue.length > 0) {
1560 const chunk = DequeueValue(this);
1561 if (this._closeRequested === true && this._queue.length === 0) {
1562 ReadableStreamDefaultControllerClearAlgorithms(this);
1563 ReadableStreamClose(stream);
1564 }
1565 else {
1566 ReadableStreamDefaultControllerCallPullIfNeeded(this);
1567 }
1568 return promiseResolvedWith(ReadableStreamCreateReadResult(chunk, false, stream._reader._forAuthorCode));
1569 }
1570 const pendingPromise = ReadableStreamAddReadRequest(stream);
1571 ReadableStreamDefaultControllerCallPullIfNeeded(this);
1572 return pendingPromise;
1573 }
1574 }
1575 // Abstract operations for the ReadableStreamDefaultController.
1576 function IsReadableStreamDefaultController(x) {
1577 if (!typeIsObject(x)) {
1578 return false;
1579 }
1580 if (!Object.prototype.hasOwnProperty.call(x, '_controlledReadableStream')) {
1581 return false;
1582 }
1583 return true;
1584 }
1585 function ReadableStreamDefaultControllerCallPullIfNeeded(controller) {
1586 const shouldPull = ReadableStreamDefaultControllerShouldCallPull(controller);
1587 if (shouldPull === false) {
1588 return;
1589 }
1590 if (controller._pulling === true) {
1591 controller._pullAgain = true;
1592 return;
1593 }
1594 controller._pulling = true;
1595 const pullPromise = controller._pullAlgorithm();
1596 uponPromise(pullPromise, () => {
1597 controller._pulling = false;
1598 if (controller._pullAgain === true) {
1599 controller._pullAgain = false;
1600 ReadableStreamDefaultControllerCallPullIfNeeded(controller);
1601 }
1602 }, e => {
1603 ReadableStreamDefaultControllerError(controller, e);
1604 });
1605 }
1606 function ReadableStreamDefaultControllerShouldCallPull(controller) {
1607 const stream = controller._controlledReadableStream;
1608 if (ReadableStreamDefaultControllerCanCloseOrEnqueue(controller) === false) {
1609 return false;
1610 }
1611 if (controller._started === false) {
1612 return false;
1613 }
1614 if (IsReadableStreamLocked(stream) === true && ReadableStreamGetNumReadRequests(stream) > 0) {
1615 return true;
1616 }
1617 const desiredSize = ReadableStreamDefaultControllerGetDesiredSize(controller);
1618 if (desiredSize > 0) {
1619 return true;
1620 }
1621 return false;
1622 }
1623 function ReadableStreamDefaultControllerClearAlgorithms(controller) {
1624 controller._pullAlgorithm = undefined;
1625 controller._cancelAlgorithm = undefined;
1626 controller._strategySizeAlgorithm = undefined;
1627 }
1628 // A client of ReadableStreamDefaultController may use these functions directly to bypass state check.
1629 function ReadableStreamDefaultControllerClose(controller) {
1630 const stream = controller._controlledReadableStream;
1631 controller._closeRequested = true;
1632 if (controller._queue.length === 0) {
1633 ReadableStreamDefaultControllerClearAlgorithms(controller);
1634 ReadableStreamClose(stream);
1635 }
1636 }
1637 function ReadableStreamDefaultControllerEnqueue(controller, chunk) {
1638 const stream = controller._controlledReadableStream;
1639 if (IsReadableStreamLocked(stream) === true && ReadableStreamGetNumReadRequests(stream) > 0) {
1640 ReadableStreamFulfillReadRequest(stream, chunk, false);
1641 }
1642 else {
1643 let chunkSize;
1644 try {
1645 chunkSize = controller._strategySizeAlgorithm(chunk);
1646 }
1647 catch (chunkSizeE) {
1648 ReadableStreamDefaultControllerError(controller, chunkSizeE);
1649 throw chunkSizeE;
1650 }
1651 try {
1652 EnqueueValueWithSize(controller, chunk, chunkSize);
1653 }
1654 catch (enqueueE) {
1655 ReadableStreamDefaultControllerError(controller, enqueueE);
1656 throw enqueueE;
1657 }
1658 }
1659 ReadableStreamDefaultControllerCallPullIfNeeded(controller);
1660 }
1661 function ReadableStreamDefaultControllerError(controller, e) {
1662 const stream = controller._controlledReadableStream;
1663 if (stream._state !== 'readable') {
1664 return;
1665 }
1666 ResetQueue(controller);
1667 ReadableStreamDefaultControllerClearAlgorithms(controller);
1668 ReadableStreamError(stream, e);
1669 }
1670 function ReadableStreamDefaultControllerGetDesiredSize(controller) {
1671 const stream = controller._controlledReadableStream;
1672 const state = stream._state;
1673 if (state === 'errored') {
1674 return null;
1675 }
1676 if (state === 'closed') {
1677 return 0;
1678 }
1679 return controller._strategyHWM - controller._queueTotalSize;
1680 }
1681 // This is used in the implementation of TransformStream.
1682 function ReadableStreamDefaultControllerHasBackpressure(controller) {
1683 if (ReadableStreamDefaultControllerShouldCallPull(controller) === true) {
1684 return false;
1685 }
1686 return true;
1687 }
1688 function ReadableStreamDefaultControllerCanCloseOrEnqueue(controller) {
1689 const state = controller._controlledReadableStream._state;
1690 if (controller._closeRequested === false && state === 'readable') {
1691 return true;
1692 }
1693 return false;
1694 }
1695 function SetUpReadableStreamDefaultController(stream, controller, startAlgorithm, pullAlgorithm, cancelAlgorithm, highWaterMark, sizeAlgorithm) {
1696 controller._controlledReadableStream = stream;
1697 controller._queue = undefined;
1698 controller._queueTotalSize = undefined;
1699 ResetQueue(controller);
1700 controller._started = false;
1701 controller._closeRequested = false;
1702 controller._pullAgain = false;
1703 controller._pulling = false;
1704 controller._strategySizeAlgorithm = sizeAlgorithm;
1705 controller._strategyHWM = highWaterMark;
1706 controller._pullAlgorithm = pullAlgorithm;
1707 controller._cancelAlgorithm = cancelAlgorithm;
1708 stream._readableStreamController = controller;
1709 const startResult = startAlgorithm();
1710 uponPromise(promiseResolvedWith(startResult), () => {
1711 controller._started = true;
1712 ReadableStreamDefaultControllerCallPullIfNeeded(controller);
1713 }, r => {
1714 ReadableStreamDefaultControllerError(controller, r);
1715 });
1716 }
1717 function SetUpReadableStreamDefaultControllerFromUnderlyingSource(stream, underlyingSource, highWaterMark, sizeAlgorithm) {
1718 const controller = Object.create(ReadableStreamDefaultController.prototype);
1719 function startAlgorithm() {
1720 return InvokeOrNoop(underlyingSource, 'start', [controller]);
1721 }
1722 const pullAlgorithm = CreateAlgorithmFromUnderlyingMethod(underlyingSource, 'pull', 0, [controller]);
1723 const cancelAlgorithm = CreateAlgorithmFromUnderlyingMethod(underlyingSource, 'cancel', 1, []);
1724 SetUpReadableStreamDefaultController(stream, controller, startAlgorithm, pullAlgorithm, cancelAlgorithm, highWaterMark, sizeAlgorithm);
1725 }
1726 // Helper functions for the ReadableStreamDefaultController.
1727 function defaultControllerBrandCheckException(name) {
1728 return new TypeError(`ReadableStreamDefaultController.prototype.${name} can only be used on a ReadableStreamDefaultController`);
1729 }
1730
1731 function ReadableStreamTee(stream, cloneForBranch2) {
1732 const reader = AcquireReadableStreamDefaultReader(stream);
1733 let reading = false;
1734 let canceled1 = false;
1735 let canceled2 = false;
1736 let reason1;
1737 let reason2;
1738 let branch1;
1739 let branch2;
1740 let resolveCancelPromise;
1741 const cancelPromise = newPromise(resolve => {
1742 resolveCancelPromise = resolve;
1743 });
1744 function pullAlgorithm() {
1745 if (reading === true) {
1746 return promiseResolvedWith(undefined);
1747 }
1748 reading = true;
1749 const readPromise = transformPromiseWith(ReadableStreamDefaultReaderRead(reader), result => {
1750 reading = false;
1751 const done = result.done;
1752 if (done === true) {
1753 if (canceled1 === false) {
1754 ReadableStreamDefaultControllerClose(branch1._readableStreamController);
1755 }
1756 if (canceled2 === false) {
1757 ReadableStreamDefaultControllerClose(branch2._readableStreamController);
1758 }
1759 return;
1760 }
1761 const value = result.value;
1762 const value1 = value;
1763 const value2 = value;
1764 // There is no way to access the cloning code right now in the reference implementation.
1765 // If we add one then we'll need an implementation for serializable objects.
1766 // if (canceled2 === false && cloneForBranch2 === true) {
1767 // value2 = StructuredDeserialize(StructuredSerialize(value2));
1768 // }
1769 if (canceled1 === false) {
1770 ReadableStreamDefaultControllerEnqueue(branch1._readableStreamController, value1);
1771 }
1772 if (canceled2 === false) {
1773 ReadableStreamDefaultControllerEnqueue(branch2._readableStreamController, value2);
1774 }
1775 });
1776 setPromiseIsHandledToTrue(readPromise);
1777 return promiseResolvedWith(undefined);
1778 }
1779 function cancel1Algorithm(reason) {
1780 canceled1 = true;
1781 reason1 = reason;
1782 if (canceled2 === true) {
1783 const compositeReason = createArrayFromList([reason1, reason2]);
1784 const cancelResult = ReadableStreamCancel(stream, compositeReason);
1785 resolveCancelPromise(cancelResult);
1786 }
1787 return cancelPromise;
1788 }
1789 function cancel2Algorithm(reason) {
1790 canceled2 = true;
1791 reason2 = reason;
1792 if (canceled1 === true) {
1793 const compositeReason = createArrayFromList([reason1, reason2]);
1794 const cancelResult = ReadableStreamCancel(stream, compositeReason);
1795 resolveCancelPromise(cancelResult);
1796 }
1797 return cancelPromise;
1798 }
1799 function startAlgorithm() { }
1800 branch1 = CreateReadableStream(startAlgorithm, pullAlgorithm, cancel1Algorithm);
1801 branch2 = CreateReadableStream(startAlgorithm, pullAlgorithm, cancel2Algorithm);
1802 uponRejection(reader._closedPromise, (r) => {
1803 ReadableStreamDefaultControllerError(branch1._readableStreamController, r);
1804 ReadableStreamDefaultControllerError(branch2._readableStreamController, r);
1805 });
1806 return [branch1, branch2];
1807 }
1808
1809 /// <reference lib="es2015.core" />
1810 // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/isInteger#Polyfill
1811 const NumberIsInteger = Number.isInteger || function (value) {
1812 return typeof value === 'number' &&
1813 isFinite(value) &&
1814 Math.floor(value) === value;
1815 };
1816
1817 class ReadableStreamBYOBRequest {
1818 /** @internal */
1819 constructor() {
1820 throw new TypeError('ReadableStreamBYOBRequest cannot be used directly');
1821 }
1822 get view() {
1823 if (IsReadableStreamBYOBRequest(this) === false) {
1824 throw byobRequestBrandCheckException('view');
1825 }
1826 return this._view;
1827 }
1828 respond(bytesWritten) {
1829 if (IsReadableStreamBYOBRequest(this) === false) {
1830 throw byobRequestBrandCheckException('respond');
1831 }
1832 if (this._associatedReadableByteStreamController === undefined) {
1833 throw new TypeError('This BYOB request has been invalidated');
1834 }
1835 if (IsDetachedBuffer(this._view.buffer) === true) ;
1836 ReadableByteStreamControllerRespond(this._associatedReadableByteStreamController, bytesWritten);
1837 }
1838 respondWithNewView(view) {
1839 if (IsReadableStreamBYOBRequest(this) === false) {
1840 throw byobRequestBrandCheckException('respond');
1841 }
1842 if (this._associatedReadableByteStreamController === undefined) {
1843 throw new TypeError('This BYOB request has been invalidated');
1844 }
1845 if (!ArrayBuffer.isView(view)) {
1846 throw new TypeError('You can only respond with array buffer views');
1847 }
1848 if (IsDetachedBuffer(view.buffer) === true) ;
1849 ReadableByteStreamControllerRespondWithNewView(this._associatedReadableByteStreamController, view);
1850 }
1851 }
1852 class ReadableByteStreamController {
1853 /** @internal */
1854 constructor() {
1855 throw new TypeError('ReadableByteStreamController constructor cannot be used directly');
1856 }
1857 get byobRequest() {
1858 if (IsReadableByteStreamController(this) === false) {
1859 throw byteStreamControllerBrandCheckException('byobRequest');
1860 }
1861 if (this._byobRequest === undefined && this._pendingPullIntos.length > 0) {
1862 const firstDescriptor = this._pendingPullIntos.peek();
1863 const view = new Uint8Array(firstDescriptor.buffer, firstDescriptor.byteOffset + firstDescriptor.bytesFilled, firstDescriptor.byteLength - firstDescriptor.bytesFilled);
1864 const byobRequest = Object.create(ReadableStreamBYOBRequest.prototype);
1865 SetUpReadableStreamBYOBRequest(byobRequest, this, view);
1866 this._byobRequest = byobRequest;
1867 }
1868 return this._byobRequest;
1869 }
1870 get desiredSize() {
1871 if (IsReadableByteStreamController(this) === false) {
1872 throw byteStreamControllerBrandCheckException('desiredSize');
1873 }
1874 return ReadableByteStreamControllerGetDesiredSize(this);
1875 }
1876 close() {
1877 if (IsReadableByteStreamController(this) === false) {
1878 throw byteStreamControllerBrandCheckException('close');
1879 }
1880 if (this._closeRequested === true) {
1881 throw new TypeError('The stream has already been closed; do not close it again!');
1882 }
1883 const state = this._controlledReadableByteStream._state;
1884 if (state !== 'readable') {
1885 throw new TypeError(`The stream (in ${state} state) is not in the readable state and cannot be closed`);
1886 }
1887 ReadableByteStreamControllerClose(this);
1888 }
1889 enqueue(chunk) {
1890 if (IsReadableByteStreamController(this) === false) {
1891 throw byteStreamControllerBrandCheckException('enqueue');
1892 }
1893 if (this._closeRequested === true) {
1894 throw new TypeError('stream is closed or draining');
1895 }
1896 const state = this._controlledReadableByteStream._state;
1897 if (state !== 'readable') {
1898 throw new TypeError(`The stream (in ${state} state) is not in the readable state and cannot be enqueued to`);
1899 }
1900 if (!ArrayBuffer.isView(chunk)) {
1901 throw new TypeError('You can only enqueue array buffer views when using a ReadableByteStreamController');
1902 }
1903 if (IsDetachedBuffer(chunk.buffer) === true) ;
1904 ReadableByteStreamControllerEnqueue(this, chunk);
1905 }
1906 error(e) {
1907 if (IsReadableByteStreamController(this) === false) {
1908 throw byteStreamControllerBrandCheckException('error');
1909 }
1910 ReadableByteStreamControllerError(this, e);
1911 }
1912 /** @internal */
1913 [CancelSteps](reason) {
1914 if (this._pendingPullIntos.length > 0) {
1915 const firstDescriptor = this._pendingPullIntos.peek();
1916 firstDescriptor.bytesFilled = 0;
1917 }
1918 ResetQueue(this);
1919 const result = this._cancelAlgorithm(reason);
1920 ReadableByteStreamControllerClearAlgorithms(this);
1921 return result;
1922 }
1923 /** @internal */
1924 [PullSteps]() {
1925 const stream = this._controlledReadableByteStream;
1926 if (this._queueTotalSize > 0) {
1927 const entry = this._queue.shift();
1928 this._queueTotalSize -= entry.byteLength;
1929 ReadableByteStreamControllerHandleQueueDrain(this);
1930 let view;
1931 try {
1932 view = new Uint8Array(entry.buffer, entry.byteOffset, entry.byteLength);
1933 }
1934 catch (viewE) {
1935 return promiseRejectedWith(viewE);
1936 }
1937 return promiseResolvedWith(ReadableStreamCreateReadResult(view, false, stream._reader._forAuthorCode));
1938 }
1939 const autoAllocateChunkSize = this._autoAllocateChunkSize;
1940 if (autoAllocateChunkSize !== undefined) {
1941 let buffer;
1942 try {
1943 buffer = new ArrayBuffer(autoAllocateChunkSize);
1944 }
1945 catch (bufferE) {
1946 return promiseRejectedWith(bufferE);
1947 }
1948 const pullIntoDescriptor = {
1949 buffer,
1950 byteOffset: 0,
1951 byteLength: autoAllocateChunkSize,
1952 bytesFilled: 0,
1953 elementSize: 1,
1954 ctor: Uint8Array,
1955 readerType: 'default'
1956 };
1957 this._pendingPullIntos.push(pullIntoDescriptor);
1958 }
1959 const promise = ReadableStreamAddReadRequest(stream);
1960 ReadableByteStreamControllerCallPullIfNeeded(this);
1961 return promise;
1962 }
1963 }
1964 // Abstract operations for the ReadableByteStreamController.
1965 function IsReadableByteStreamController(x) {
1966 if (!typeIsObject(x)) {
1967 return false;
1968 }
1969 if (!Object.prototype.hasOwnProperty.call(x, '_controlledReadableByteStream')) {
1970 return false;
1971 }
1972 return true;
1973 }
1974 function IsReadableStreamBYOBRequest(x) {
1975 if (!typeIsObject(x)) {
1976 return false;
1977 }
1978 if (!Object.prototype.hasOwnProperty.call(x, '_associatedReadableByteStreamController')) {
1979 return false;
1980 }
1981 return true;
1982 }
1983 function ReadableByteStreamControllerCallPullIfNeeded(controller) {
1984 const shouldPull = ReadableByteStreamControllerShouldCallPull(controller);
1985 if (shouldPull === false) {
1986 return;
1987 }
1988 if (controller._pulling === true) {
1989 controller._pullAgain = true;
1990 return;
1991 }
1992 controller._pulling = true;
1993 // TODO: Test controller argument
1994 const pullPromise = controller._pullAlgorithm();
1995 uponPromise(pullPromise, () => {
1996 controller._pulling = false;
1997 if (controller._pullAgain === true) {
1998 controller._pullAgain = false;
1999 ReadableByteStreamControllerCallPullIfNeeded(controller);
2000 }
2001 }, e => {
2002 ReadableByteStreamControllerError(controller, e);
2003 });
2004 }
2005 function ReadableByteStreamControllerClearPendingPullIntos(controller) {
2006 ReadableByteStreamControllerInvalidateBYOBRequest(controller);
2007 controller._pendingPullIntos = new SimpleQueue();
2008 }
2009 function ReadableByteStreamControllerCommitPullIntoDescriptor(stream, pullIntoDescriptor) {
2010 let done = false;
2011 if (stream._state === 'closed') {
2012 done = true;
2013 }
2014 const filledView = ReadableByteStreamControllerConvertPullIntoDescriptor(pullIntoDescriptor);
2015 if (pullIntoDescriptor.readerType === 'default') {
2016 ReadableStreamFulfillReadRequest(stream, filledView, done);
2017 }
2018 else {
2019 ReadableStreamFulfillReadIntoRequest(stream, filledView, done);
2020 }
2021 }
2022 function ReadableByteStreamControllerConvertPullIntoDescriptor(pullIntoDescriptor) {
2023 const bytesFilled = pullIntoDescriptor.bytesFilled;
2024 const elementSize = pullIntoDescriptor.elementSize;
2025 return new pullIntoDescriptor.ctor(pullIntoDescriptor.buffer, pullIntoDescriptor.byteOffset, bytesFilled / elementSize);
2026 }
2027 function ReadableByteStreamControllerEnqueueChunkToQueue(controller, buffer, byteOffset, byteLength) {
2028 controller._queue.push({ buffer, byteOffset, byteLength });
2029 controller._queueTotalSize += byteLength;
2030 }
2031 function ReadableByteStreamControllerFillPullIntoDescriptorFromQueue(controller, pullIntoDescriptor) {
2032 const elementSize = pullIntoDescriptor.elementSize;
2033 const currentAlignedBytes = pullIntoDescriptor.bytesFilled - pullIntoDescriptor.bytesFilled % elementSize;
2034 const maxBytesToCopy = Math.min(controller._queueTotalSize, pullIntoDescriptor.byteLength - pullIntoDescriptor.bytesFilled);
2035 const maxBytesFilled = pullIntoDescriptor.bytesFilled + maxBytesToCopy;
2036 const maxAlignedBytes = maxBytesFilled - maxBytesFilled % elementSize;
2037 let totalBytesToCopyRemaining = maxBytesToCopy;
2038 let ready = false;
2039 if (maxAlignedBytes > currentAlignedBytes) {
2040 totalBytesToCopyRemaining = maxAlignedBytes - pullIntoDescriptor.bytesFilled;
2041 ready = true;
2042 }
2043 const queue = controller._queue;
2044 while (totalBytesToCopyRemaining > 0) {
2045 const headOfQueue = queue.peek();
2046 const bytesToCopy = Math.min(totalBytesToCopyRemaining, headOfQueue.byteLength);
2047 const destStart = pullIntoDescriptor.byteOffset + pullIntoDescriptor.bytesFilled;
2048 ArrayBufferCopy(pullIntoDescriptor.buffer, destStart, headOfQueue.buffer, headOfQueue.byteOffset, bytesToCopy);
2049 if (headOfQueue.byteLength === bytesToCopy) {
2050 queue.shift();
2051 }
2052 else {
2053 headOfQueue.byteOffset += bytesToCopy;
2054 headOfQueue.byteLength -= bytesToCopy;
2055 }
2056 controller._queueTotalSize -= bytesToCopy;
2057 ReadableByteStreamControllerFillHeadPullIntoDescriptor(controller, bytesToCopy, pullIntoDescriptor);
2058 totalBytesToCopyRemaining -= bytesToCopy;
2059 }
2060 return ready;
2061 }
2062 function ReadableByteStreamControllerFillHeadPullIntoDescriptor(controller, size, pullIntoDescriptor) {
2063 ReadableByteStreamControllerInvalidateBYOBRequest(controller);
2064 pullIntoDescriptor.bytesFilled += size;
2065 }
2066 function ReadableByteStreamControllerHandleQueueDrain(controller) {
2067 if (controller._queueTotalSize === 0 && controller._closeRequested === true) {
2068 ReadableByteStreamControllerClearAlgorithms(controller);
2069 ReadableStreamClose(controller._controlledReadableByteStream);
2070 }
2071 else {
2072 ReadableByteStreamControllerCallPullIfNeeded(controller);
2073 }
2074 }
2075 function ReadableByteStreamControllerInvalidateBYOBRequest(controller) {
2076 if (controller._byobRequest === undefined) {
2077 return;
2078 }
2079 controller._byobRequest._associatedReadableByteStreamController = undefined;
2080 controller._byobRequest._view = undefined;
2081 controller._byobRequest = undefined;
2082 }
2083 function ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue(controller) {
2084 while (controller._pendingPullIntos.length > 0) {
2085 if (controller._queueTotalSize === 0) {
2086 return;
2087 }
2088 const pullIntoDescriptor = controller._pendingPullIntos.peek();
2089 if (ReadableByteStreamControllerFillPullIntoDescriptorFromQueue(controller, pullIntoDescriptor) === true) {
2090 ReadableByteStreamControllerShiftPendingPullInto(controller);
2091 ReadableByteStreamControllerCommitPullIntoDescriptor(controller._controlledReadableByteStream, pullIntoDescriptor);
2092 }
2093 }
2094 }
2095 function ReadableByteStreamControllerPullInto(controller, view) {
2096 const stream = controller._controlledReadableByteStream;
2097 let elementSize = 1;
2098 if (view.constructor !== DataView) {
2099 elementSize = view.constructor.BYTES_PER_ELEMENT;
2100 }
2101 const ctor = view.constructor;
2102 const buffer = TransferArrayBuffer(view.buffer);
2103 const pullIntoDescriptor = {
2104 buffer,
2105 byteOffset: view.byteOffset,
2106 byteLength: view.byteLength,
2107 bytesFilled: 0,
2108 elementSize,
2109 ctor,
2110 readerType: 'byob'
2111 };
2112 if (controller._pendingPullIntos.length > 0) {
2113 controller._pendingPullIntos.push(pullIntoDescriptor);
2114 // No ReadableByteStreamControllerCallPullIfNeeded() call since:
2115 // - No change happens on desiredSize
2116 // - The source has already been notified of that there's at least 1 pending read(view)
2117 return ReadableStreamAddReadIntoRequest(stream);
2118 }
2119 if (stream._state === 'closed') {
2120 const emptyView = new ctor(pullIntoDescriptor.buffer, pullIntoDescriptor.byteOffset, 0);
2121 return promiseResolvedWith(ReadableStreamCreateReadResult(emptyView, true, stream._reader._forAuthorCode));
2122 }
2123 if (controller._queueTotalSize > 0) {
2124 if (ReadableByteStreamControllerFillPullIntoDescriptorFromQueue(controller, pullIntoDescriptor) === true) {
2125 const filledView = ReadableByteStreamControllerConvertPullIntoDescriptor(pullIntoDescriptor);
2126 ReadableByteStreamControllerHandleQueueDrain(controller);
2127 return promiseResolvedWith(ReadableStreamCreateReadResult(filledView, false, stream._reader._forAuthorCode));
2128 }
2129 if (controller._closeRequested === true) {
2130 const e = new TypeError('Insufficient bytes to fill elements in the given buffer');
2131 ReadableByteStreamControllerError(controller, e);
2132 return promiseRejectedWith(e);
2133 }
2134 }
2135 controller._pendingPullIntos.push(pullIntoDescriptor);
2136 const promise = ReadableStreamAddReadIntoRequest(stream);
2137 ReadableByteStreamControllerCallPullIfNeeded(controller);
2138 return promise;
2139 }
2140 function ReadableByteStreamControllerRespondInClosedState(controller, firstDescriptor) {
2141 firstDescriptor.buffer = TransferArrayBuffer(firstDescriptor.buffer);
2142 const stream = controller._controlledReadableByteStream;
2143 if (ReadableStreamHasBYOBReader(stream) === true) {
2144 while (ReadableStreamGetNumReadIntoRequests(stream) > 0) {
2145 const pullIntoDescriptor = ReadableByteStreamControllerShiftPendingPullInto(controller);
2146 ReadableByteStreamControllerCommitPullIntoDescriptor(stream, pullIntoDescriptor);
2147 }
2148 }
2149 }
2150 function ReadableByteStreamControllerRespondInReadableState(controller, bytesWritten, pullIntoDescriptor) {
2151 if (pullIntoDescriptor.bytesFilled + bytesWritten > pullIntoDescriptor.byteLength) {
2152 throw new RangeError('bytesWritten out of range');
2153 }
2154 ReadableByteStreamControllerFillHeadPullIntoDescriptor(controller, bytesWritten, pullIntoDescriptor);
2155 if (pullIntoDescriptor.bytesFilled < pullIntoDescriptor.elementSize) {
2156 // TODO: Figure out whether we should detach the buffer or not here.
2157 return;
2158 }
2159 ReadableByteStreamControllerShiftPendingPullInto(controller);
2160 const remainderSize = pullIntoDescriptor.bytesFilled % pullIntoDescriptor.elementSize;
2161 if (remainderSize > 0) {
2162 const end = pullIntoDescriptor.byteOffset + pullIntoDescriptor.bytesFilled;
2163 const remainder = pullIntoDescriptor.buffer.slice(end - remainderSize, end);
2164 ReadableByteStreamControllerEnqueueChunkToQueue(controller, remainder, 0, remainder.byteLength);
2165 }
2166 pullIntoDescriptor.buffer = TransferArrayBuffer(pullIntoDescriptor.buffer);
2167 pullIntoDescriptor.bytesFilled -= remainderSize;
2168 ReadableByteStreamControllerCommitPullIntoDescriptor(controller._controlledReadableByteStream, pullIntoDescriptor);
2169 ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue(controller);
2170 }
2171 function ReadableByteStreamControllerRespondInternal(controller, bytesWritten) {
2172 const firstDescriptor = controller._pendingPullIntos.peek();
2173 const stream = controller._controlledReadableByteStream;
2174 if (stream._state === 'closed') {
2175 if (bytesWritten !== 0) {
2176 throw new TypeError('bytesWritten must be 0 when calling respond() on a closed stream');
2177 }
2178 ReadableByteStreamControllerRespondInClosedState(controller, firstDescriptor);
2179 }
2180 else {
2181 ReadableByteStreamControllerRespondInReadableState(controller, bytesWritten, firstDescriptor);
2182 }
2183 ReadableByteStreamControllerCallPullIfNeeded(controller);
2184 }
2185 function ReadableByteStreamControllerShiftPendingPullInto(controller) {
2186 const descriptor = controller._pendingPullIntos.shift();
2187 ReadableByteStreamControllerInvalidateBYOBRequest(controller);
2188 return descriptor;
2189 }
2190 function ReadableByteStreamControllerShouldCallPull(controller) {
2191 const stream = controller._controlledReadableByteStream;
2192 if (stream._state !== 'readable') {
2193 return false;
2194 }
2195 if (controller._closeRequested === true) {
2196 return false;
2197 }
2198 if (controller._started === false) {
2199 return false;
2200 }
2201 if (ReadableStreamHasDefaultReader(stream) === true && ReadableStreamGetNumReadRequests(stream) > 0) {
2202 return true;
2203 }
2204 if (ReadableStreamHasBYOBReader(stream) === true && ReadableStreamGetNumReadIntoRequests(stream) > 0) {
2205 return true;
2206 }
2207 const desiredSize = ReadableByteStreamControllerGetDesiredSize(controller);
2208 if (desiredSize > 0) {
2209 return true;
2210 }
2211 return false;
2212 }
2213 function ReadableByteStreamControllerClearAlgorithms(controller) {
2214 controller._pullAlgorithm = undefined;
2215 controller._cancelAlgorithm = undefined;
2216 }
2217 // A client of ReadableByteStreamController may use these functions directly to bypass state check.
2218 function ReadableByteStreamControllerClose(controller) {
2219 const stream = controller._controlledReadableByteStream;
2220 if (controller._queueTotalSize > 0) {
2221 controller._closeRequested = true;
2222 return;
2223 }
2224 if (controller._pendingPullIntos.length > 0) {
2225 const firstPendingPullInto = controller._pendingPullIntos.peek();
2226 if (firstPendingPullInto.bytesFilled > 0) {
2227 const e = new TypeError('Insufficient bytes to fill elements in the given buffer');
2228 ReadableByteStreamControllerError(controller, e);
2229 throw e;
2230 }
2231 }
2232 ReadableByteStreamControllerClearAlgorithms(controller);
2233 ReadableStreamClose(stream);
2234 }
2235 function ReadableByteStreamControllerEnqueue(controller, chunk) {
2236 const stream = controller._controlledReadableByteStream;
2237 const buffer = chunk.buffer;
2238 const byteOffset = chunk.byteOffset;
2239 const byteLength = chunk.byteLength;
2240 const transferredBuffer = TransferArrayBuffer(buffer);
2241 if (ReadableStreamHasDefaultReader(stream) === true) {
2242 if (ReadableStreamGetNumReadRequests(stream) === 0) {
2243 ReadableByteStreamControllerEnqueueChunkToQueue(controller, transferredBuffer, byteOffset, byteLength);
2244 }
2245 else {
2246 const transferredView = new Uint8Array(transferredBuffer, byteOffset, byteLength);
2247 ReadableStreamFulfillReadRequest(stream, transferredView, false);
2248 }
2249 }
2250 else if (ReadableStreamHasBYOBReader(stream) === true) {
2251 // TODO: Ideally in this branch detaching should happen only if the buffer is not consumed fully.
2252 ReadableByteStreamControllerEnqueueChunkToQueue(controller, transferredBuffer, byteOffset, byteLength);
2253 ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue(controller);
2254 }
2255 else {
2256 ReadableByteStreamControllerEnqueueChunkToQueue(controller, transferredBuffer, byteOffset, byteLength);
2257 }
2258 ReadableByteStreamControllerCallPullIfNeeded(controller);
2259 }
2260 function ReadableByteStreamControllerError(controller, e) {
2261 const stream = controller._controlledReadableByteStream;
2262 if (stream._state !== 'readable') {
2263 return;
2264 }
2265 ReadableByteStreamControllerClearPendingPullIntos(controller);
2266 ResetQueue(controller);
2267 ReadableByteStreamControllerClearAlgorithms(controller);
2268 ReadableStreamError(stream, e);
2269 }
2270 function ReadableByteStreamControllerGetDesiredSize(controller) {
2271 const stream = controller._controlledReadableByteStream;
2272 const state = stream._state;
2273 if (state === 'errored') {
2274 return null;
2275 }
2276 if (state === 'closed') {
2277 return 0;
2278 }
2279 return controller._strategyHWM - controller._queueTotalSize;
2280 }
2281 function ReadableByteStreamControllerRespond(controller, bytesWritten) {
2282 bytesWritten = Number(bytesWritten);
2283 if (IsFiniteNonNegativeNumber(bytesWritten) === false) {
2284 throw new RangeError('bytesWritten must be a finite');
2285 }
2286 ReadableByteStreamControllerRespondInternal(controller, bytesWritten);
2287 }
2288 function ReadableByteStreamControllerRespondWithNewView(controller, view) {
2289 const firstDescriptor = controller._pendingPullIntos.peek();
2290 if (firstDescriptor.byteOffset + firstDescriptor.bytesFilled !== view.byteOffset) {
2291 throw new RangeError('The region specified by view does not match byobRequest');
2292 }
2293 if (firstDescriptor.byteLength !== view.byteLength) {
2294 throw new RangeError('The buffer of view has different capacity than byobRequest');
2295 }
2296 firstDescriptor.buffer = view.buffer;
2297 ReadableByteStreamControllerRespondInternal(controller, view.byteLength);
2298 }
2299 function SetUpReadableByteStreamController(stream, controller, startAlgorithm, pullAlgorithm, cancelAlgorithm, highWaterMark, autoAllocateChunkSize) {
2300 controller._controlledReadableByteStream = stream;
2301 controller._pullAgain = false;
2302 controller._pulling = false;
2303 controller._byobRequest = undefined;
2304 // Need to set the slots so that the assert doesn't fire. In the spec the slots already exist implicitly.
2305 controller._queue = controller._queueTotalSize = undefined;
2306 ResetQueue(controller);
2307 controller._closeRequested = false;
2308 controller._started = false;
2309 controller._strategyHWM = ValidateAndNormalizeHighWaterMark(highWaterMark);
2310 controller._pullAlgorithm = pullAlgorithm;
2311 controller._cancelAlgorithm = cancelAlgorithm;
2312 controller._autoAllocateChunkSize = autoAllocateChunkSize;
2313 controller._pendingPullIntos = new SimpleQueue();
2314 stream._readableStreamController = controller;
2315 const startResult = startAlgorithm();
2316 uponPromise(promiseResolvedWith(startResult), () => {
2317 controller._started = true;
2318 ReadableByteStreamControllerCallPullIfNeeded(controller);
2319 }, r => {
2320 ReadableByteStreamControllerError(controller, r);
2321 });
2322 }
2323 function SetUpReadableByteStreamControllerFromUnderlyingSource(stream, underlyingByteSource, highWaterMark) {
2324 const controller = Object.create(ReadableByteStreamController.prototype);
2325 function startAlgorithm() {
2326 return InvokeOrNoop(underlyingByteSource, 'start', [controller]);
2327 }
2328 const pullAlgorithm = CreateAlgorithmFromUnderlyingMethod(underlyingByteSource, 'pull', 0, [controller]);
2329 const cancelAlgorithm = CreateAlgorithmFromUnderlyingMethod(underlyingByteSource, 'cancel', 1, []);
2330 let autoAllocateChunkSize = underlyingByteSource.autoAllocateChunkSize;
2331 if (autoAllocateChunkSize !== undefined) {
2332 autoAllocateChunkSize = Number(autoAllocateChunkSize);
2333 if (NumberIsInteger(autoAllocateChunkSize) === false || autoAllocateChunkSize <= 0) {
2334 throw new RangeError('autoAllocateChunkSize must be a positive integer');
2335 }
2336 }
2337 SetUpReadableByteStreamController(stream, controller, startAlgorithm, pullAlgorithm, cancelAlgorithm, highWaterMark, autoAllocateChunkSize);
2338 }
2339 function SetUpReadableStreamBYOBRequest(request, controller, view) {
2340 request._associatedReadableByteStreamController = controller;
2341 request._view = view;
2342 }
2343 // Helper functions for the ReadableStreamBYOBRequest.
2344 function byobRequestBrandCheckException(name) {
2345 return new TypeError(`ReadableStreamBYOBRequest.prototype.${name} can only be used on a ReadableStreamBYOBRequest`);
2346 }
2347 // Helper functions for the ReadableByteStreamController.
2348 function byteStreamControllerBrandCheckException(name) {
2349 return new TypeError(`ReadableByteStreamController.prototype.${name} can only be used on a ReadableByteStreamController`);
2350 }
2351
2352 // Abstract operations for the ReadableStream.
2353 function AcquireReadableStreamBYOBReader(stream, forAuthorCode = false) {
2354 const reader = new ReadableStreamBYOBReader(stream);
2355 reader._forAuthorCode = forAuthorCode;
2356 return reader;
2357 }
2358 // ReadableStream API exposed for controllers.
2359 function ReadableStreamAddReadIntoRequest(stream) {
2360 const promise = newPromise((resolve, reject) => {
2361 const readIntoRequest = {
2362 _resolve: resolve,
2363 _reject: reject
2364 };
2365 stream._reader._readIntoRequests.push(readIntoRequest);
2366 });
2367 return promise;
2368 }
2369 function ReadableStreamFulfillReadIntoRequest(stream, chunk, done) {
2370 const reader = stream._reader;
2371 const readIntoRequest = reader._readIntoRequests.shift();
2372 readIntoRequest._resolve(ReadableStreamCreateReadResult(chunk, done, reader._forAuthorCode));
2373 }
2374 function ReadableStreamGetNumReadIntoRequests(stream) {
2375 return stream._reader._readIntoRequests.length;
2376 }
2377 function ReadableStreamHasBYOBReader(stream) {
2378 const reader = stream._reader;
2379 if (reader === undefined) {
2380 return false;
2381 }
2382 if (!IsReadableStreamBYOBReader(reader)) {
2383 return false;
2384 }
2385 return true;
2386 }
2387 class ReadableStreamBYOBReader {
2388 constructor(stream) {
2389 if (!IsReadableStream(stream)) {
2390 throw new TypeError('ReadableStreamBYOBReader can only be constructed with a ReadableStream instance given a ' +
2391 'byte source');
2392 }
2393 if (IsReadableByteStreamController(stream._readableStreamController) === false) {
2394 throw new TypeError('Cannot construct a ReadableStreamBYOBReader for a stream not constructed with a byte ' +
2395 'source');
2396 }
2397 if (IsReadableStreamLocked(stream)) {
2398 throw new TypeError('This stream has already been locked for exclusive reading by another reader');
2399 }
2400 ReadableStreamReaderGenericInitialize(this, stream);
2401 this._readIntoRequests = new SimpleQueue();
2402 }
2403 get closed() {
2404 if (!IsReadableStreamBYOBReader(this)) {
2405 return promiseRejectedWith(byobReaderBrandCheckException('closed'));
2406 }
2407 return this._closedPromise;
2408 }
2409 cancel(reason) {
2410 if (!IsReadableStreamBYOBReader(this)) {
2411 return promiseRejectedWith(byobReaderBrandCheckException('cancel'));
2412 }
2413 if (this._ownerReadableStream === undefined) {
2414 return promiseRejectedWith(readerLockException('cancel'));
2415 }
2416 return ReadableStreamReaderGenericCancel(this, reason);
2417 }
2418 read(view) {
2419 if (!IsReadableStreamBYOBReader(this)) {
2420 return promiseRejectedWith(byobReaderBrandCheckException('read'));
2421 }
2422 if (this._ownerReadableStream === undefined) {
2423 return promiseRejectedWith(readerLockException('read from'));
2424 }
2425 if (!ArrayBuffer.isView(view)) {
2426 return promiseRejectedWith(new TypeError('view must be an array buffer view'));
2427 }
2428 if (IsDetachedBuffer(view.buffer) === true) ;
2429 if (view.byteLength === 0) {
2430 return promiseRejectedWith(new TypeError('view must have non-zero byteLength'));
2431 }
2432 return ReadableStreamBYOBReaderRead(this, view);
2433 }
2434 releaseLock() {
2435 if (!IsReadableStreamBYOBReader(this)) {
2436 throw byobReaderBrandCheckException('releaseLock');
2437 }
2438 if (this._ownerReadableStream === undefined) {
2439 return;
2440 }
2441 if (this._readIntoRequests.length > 0) {
2442 throw new TypeError('Tried to release a reader lock when that reader has pending read() calls un-settled');
2443 }
2444 ReadableStreamReaderGenericRelease(this);
2445 }
2446 }
2447 // Abstract operations for the readers.
2448 function IsReadableStreamBYOBReader(x) {
2449 if (!typeIsObject(x)) {
2450 return false;
2451 }
2452 if (!Object.prototype.hasOwnProperty.call(x, '_readIntoRequests')) {
2453 return false;
2454 }
2455 return true;
2456 }
2457 function ReadableStreamBYOBReaderRead(reader, view) {
2458 const stream = reader._ownerReadableStream;
2459 stream._disturbed = true;
2460 if (stream._state === 'errored') {
2461 return promiseRejectedWith(stream._storedError);
2462 }
2463 // Controllers must implement this.
2464 return ReadableByteStreamControllerPullInto(stream._readableStreamController, view);
2465 }
2466 // Helper functions for the ReadableStreamBYOBReader.
2467 function byobReaderBrandCheckException(name) {
2468 return new TypeError(`ReadableStreamBYOBReader.prototype.${name} can only be used on a ReadableStreamBYOBReader`);
2469 }
2470
2471 class ReadableStream {
2472 constructor(underlyingSource = {}, strategy = {}) {
2473 InitializeReadableStream(this);
2474 const size = strategy.size;
2475 let highWaterMark = strategy.highWaterMark;
2476 const type = underlyingSource.type;
2477 const typeString = String(type);
2478 if (typeString === 'bytes') {
2479 if (size !== undefined) {
2480 throw new RangeError('The strategy for a byte stream cannot have a size function');
2481 }
2482 if (highWaterMark === undefined) {
2483 highWaterMark = 0;
2484 }
2485 highWaterMark = ValidateAndNormalizeHighWaterMark(highWaterMark);
2486 SetUpReadableByteStreamControllerFromUnderlyingSource(this, underlyingSource, highWaterMark);
2487 }
2488 else if (type === undefined) {
2489 const sizeAlgorithm = MakeSizeAlgorithmFromSizeFunction(size);
2490 if (highWaterMark === undefined) {
2491 highWaterMark = 1;
2492 }
2493 highWaterMark = ValidateAndNormalizeHighWaterMark(highWaterMark);
2494 SetUpReadableStreamDefaultControllerFromUnderlyingSource(this, underlyingSource, highWaterMark, sizeAlgorithm);
2495 }
2496 else {
2497 throw new RangeError('Invalid type is specified');
2498 }
2499 }
2500 get locked() {
2501 if (IsReadableStream(this) === false) {
2502 throw streamBrandCheckException$1('locked');
2503 }
2504 return IsReadableStreamLocked(this);
2505 }
2506 cancel(reason) {
2507 if (IsReadableStream(this) === false) {
2508 return promiseRejectedWith(streamBrandCheckException$1('cancel'));
2509 }
2510 if (IsReadableStreamLocked(this) === true) {
2511 return promiseRejectedWith(new TypeError('Cannot cancel a stream that already has a reader'));
2512 }
2513 return ReadableStreamCancel(this, reason);
2514 }
2515 getReader({ mode } = {}) {
2516 if (IsReadableStream(this) === false) {
2517 throw streamBrandCheckException$1('getReader');
2518 }
2519 if (mode === undefined) {
2520 return AcquireReadableStreamDefaultReader(this, true);
2521 }
2522 mode = String(mode);
2523 if (mode === 'byob') {
2524 return AcquireReadableStreamBYOBReader(this, true);
2525 }
2526 throw new RangeError('Invalid mode is specified');
2527 }
2528 pipeThrough({ writable, readable }, { preventClose, preventAbort, preventCancel, signal } = {}) {
2529 if (IsReadableStream(this) === false) {
2530 throw streamBrandCheckException$1('pipeThrough');
2531 }
2532 if (IsWritableStream(writable) === false) {
2533 throw new TypeError('writable argument to pipeThrough must be a WritableStream');
2534 }
2535 if (IsReadableStream(readable) === false) {
2536 throw new TypeError('readable argument to pipeThrough must be a ReadableStream');
2537 }
2538 preventClose = Boolean(preventClose);
2539 preventAbort = Boolean(preventAbort);
2540 preventCancel = Boolean(preventCancel);
2541 if (signal !== undefined && !isAbortSignal(signal)) {
2542 throw new TypeError('ReadableStream.prototype.pipeThrough\'s signal option must be an AbortSignal');
2543 }
2544 if (IsReadableStreamLocked(this) === true) {
2545 throw new TypeError('ReadableStream.prototype.pipeThrough cannot be used on a locked ReadableStream');
2546 }
2547 if (IsWritableStreamLocked(writable) === true) {
2548 throw new TypeError('ReadableStream.prototype.pipeThrough cannot be used on a locked WritableStream');
2549 }
2550 const promise = ReadableStreamPipeTo(this, writable, preventClose, preventAbort, preventCancel, signal);
2551 setPromiseIsHandledToTrue(promise);
2552 return readable;
2553 }
2554 pipeTo(dest, { preventClose, preventAbort, preventCancel, signal } = {}) {
2555 if (IsReadableStream(this) === false) {
2556 return promiseRejectedWith(streamBrandCheckException$1('pipeTo'));
2557 }
2558 if (IsWritableStream(dest) === false) {
2559 return promiseRejectedWith(new TypeError('ReadableStream.prototype.pipeTo\'s first argument must be a WritableStream'));
2560 }
2561 preventClose = Boolean(preventClose);
2562 preventAbort = Boolean(preventAbort);
2563 preventCancel = Boolean(preventCancel);
2564 if (signal !== undefined && !isAbortSignal(signal)) {
2565 return promiseRejectedWith(new TypeError('ReadableStream.prototype.pipeTo\'s signal option must be an AbortSignal'));
2566 }
2567 if (IsReadableStreamLocked(this) === true) {
2568 return promiseRejectedWith(new TypeError('ReadableStream.prototype.pipeTo cannot be used on a locked ReadableStream'));
2569 }
2570 if (IsWritableStreamLocked(dest) === true) {
2571 return promiseRejectedWith(new TypeError('ReadableStream.prototype.pipeTo cannot be used on a locked WritableStream'));
2572 }
2573 return ReadableStreamPipeTo(this, dest, preventClose, preventAbort, preventCancel, signal);
2574 }
2575 tee() {
2576 if (IsReadableStream(this) === false) {
2577 throw streamBrandCheckException$1('tee');
2578 }
2579 const branches = ReadableStreamTee(this);
2580 return createArrayFromList(branches);
2581 }
2582 getIterator({ preventCancel = false } = {}) {
2583 if (IsReadableStream(this) === false) {
2584 throw streamBrandCheckException$1('getIterator');
2585 }
2586 return AcquireReadableStreamAsyncIterator(this, preventCancel);
2587 }
2588 }
2589 if (typeof SymbolPolyfill.asyncIterator === 'symbol') {
2590 Object.defineProperty(ReadableStream.prototype, SymbolPolyfill.asyncIterator, {
2591 value: ReadableStream.prototype.getIterator,
2592 enumerable: false,
2593 writable: true,
2594 configurable: true
2595 });
2596 }
2597 // Abstract operations for the ReadableStream.
2598 // Throws if and only if startAlgorithm throws.
2599 function CreateReadableStream(startAlgorithm, pullAlgorithm, cancelAlgorithm, highWaterMark = 1, sizeAlgorithm = () => 1) {
2600 const stream = Object.create(ReadableStream.prototype);
2601 InitializeReadableStream(stream);
2602 const controller = Object.create(ReadableStreamDefaultController.prototype);
2603 SetUpReadableStreamDefaultController(stream, controller, startAlgorithm, pullAlgorithm, cancelAlgorithm, highWaterMark, sizeAlgorithm);
2604 return stream;
2605 }
2606 function InitializeReadableStream(stream) {
2607 stream._state = 'readable';
2608 stream._reader = undefined;
2609 stream._storedError = undefined;
2610 stream._disturbed = false;
2611 }
2612 function IsReadableStream(x) {
2613 if (!typeIsObject(x)) {
2614 return false;
2615 }
2616 if (!Object.prototype.hasOwnProperty.call(x, '_readableStreamController')) {
2617 return false;
2618 }
2619 return true;
2620 }
2621 function IsReadableStreamLocked(stream) {
2622 if (stream._reader === undefined) {
2623 return false;
2624 }
2625 return true;
2626 }
2627 // ReadableStream API exposed for controllers.
2628 function ReadableStreamCancel(stream, reason) {
2629 stream._disturbed = true;
2630 if (stream._state === 'closed') {
2631 return promiseResolvedWith(undefined);
2632 }
2633 if (stream._state === 'errored') {
2634 return promiseRejectedWith(stream._storedError);
2635 }
2636 ReadableStreamClose(stream);
2637 const sourceCancelPromise = stream._readableStreamController[CancelSteps](reason);
2638 return transformPromiseWith(sourceCancelPromise, noop);
2639 }
2640 function ReadableStreamClose(stream) {
2641 stream._state = 'closed';
2642 const reader = stream._reader;
2643 if (reader === undefined) {
2644 return;
2645 }
2646 if (IsReadableStreamDefaultReader(reader)) {
2647 reader._readRequests.forEach(readRequest => {
2648 readRequest._resolve(ReadableStreamCreateReadResult(undefined, true, reader._forAuthorCode));
2649 });
2650 reader._readRequests = new SimpleQueue();
2651 }
2652 defaultReaderClosedPromiseResolve(reader);
2653 }
2654 function ReadableStreamError(stream, e) {
2655 stream._state = 'errored';
2656 stream._storedError = e;
2657 const reader = stream._reader;
2658 if (reader === undefined) {
2659 return;
2660 }
2661 if (IsReadableStreamDefaultReader(reader)) {
2662 reader._readRequests.forEach(readRequest => {
2663 readRequest._reject(e);
2664 });
2665 reader._readRequests = new SimpleQueue();
2666 }
2667 else {
2668 reader._readIntoRequests.forEach(readIntoRequest => {
2669 readIntoRequest._reject(e);
2670 });
2671 reader._readIntoRequests = new SimpleQueue();
2672 }
2673 defaultReaderClosedPromiseReject(reader, e);
2674 }
2675 // Helper functions for the ReadableStream.
2676 function streamBrandCheckException$1(name) {
2677 return new TypeError(`ReadableStream.prototype.${name} can only be used on a ReadableStream`);
2678 }
2679
2680 // Class TransformStream
2681 class TransformStream {
2682 constructor(transformer = {}, writableStrategy = {}, readableStrategy = {}) {
2683 const writableSizeFunction = writableStrategy.size;
2684 let writableHighWaterMark = writableStrategy.highWaterMark;
2685 const readableSizeFunction = readableStrategy.size;
2686 let readableHighWaterMark = readableStrategy.highWaterMark;
2687 const writableType = transformer.writableType;
2688 if (writableType !== undefined) {
2689 throw new RangeError('Invalid writable type specified');
2690 }
2691 const writableSizeAlgorithm = MakeSizeAlgorithmFromSizeFunction(writableSizeFunction);
2692 if (writableHighWaterMark === undefined) {
2693 writableHighWaterMark = 1;
2694 }
2695 writableHighWaterMark = ValidateAndNormalizeHighWaterMark(writableHighWaterMark);
2696 const readableType = transformer.readableType;
2697 if (readableType !== undefined) {
2698 throw new RangeError('Invalid readable type specified');
2699 }
2700 const readableSizeAlgorithm = MakeSizeAlgorithmFromSizeFunction(readableSizeFunction);
2701 if (readableHighWaterMark === undefined) {
2702 readableHighWaterMark = 0;
2703 }
2704 readableHighWaterMark = ValidateAndNormalizeHighWaterMark(readableHighWaterMark);
2705 let startPromise_resolve;
2706 const startPromise = newPromise(resolve => {
2707 startPromise_resolve = resolve;
2708 });
2709 InitializeTransformStream(this, startPromise, writableHighWaterMark, writableSizeAlgorithm, readableHighWaterMark, readableSizeAlgorithm);
2710 SetUpTransformStreamDefaultControllerFromTransformer(this, transformer);
2711 const startResult = InvokeOrNoop(transformer, 'start', [this._transformStreamController]);
2712 startPromise_resolve(startResult);
2713 }
2714 get readable() {
2715 if (IsTransformStream(this) === false) {
2716 throw streamBrandCheckException$2('readable');
2717 }
2718 return this._readable;
2719 }
2720 get writable() {
2721 if (IsTransformStream(this) === false) {
2722 throw streamBrandCheckException$2('writable');
2723 }
2724 return this._writable;
2725 }
2726 }
2727 function InitializeTransformStream(stream, startPromise, writableHighWaterMark, writableSizeAlgorithm, readableHighWaterMark, readableSizeAlgorithm) {
2728 function startAlgorithm() {
2729 return startPromise;
2730 }
2731 function writeAlgorithm(chunk) {
2732 return TransformStreamDefaultSinkWriteAlgorithm(stream, chunk);
2733 }
2734 function abortAlgorithm(reason) {
2735 return TransformStreamDefaultSinkAbortAlgorithm(stream, reason);
2736 }
2737 function closeAlgorithm() {
2738 return TransformStreamDefaultSinkCloseAlgorithm(stream);
2739 }
2740 stream._writable = CreateWritableStream(startAlgorithm, writeAlgorithm, closeAlgorithm, abortAlgorithm, writableHighWaterMark, writableSizeAlgorithm);
2741 function pullAlgorithm() {
2742 return TransformStreamDefaultSourcePullAlgorithm(stream);
2743 }
2744 function cancelAlgorithm(reason) {
2745 TransformStreamErrorWritableAndUnblockWrite(stream, reason);
2746 return promiseResolvedWith(undefined);
2747 }
2748 stream._readable = CreateReadableStream(startAlgorithm, pullAlgorithm, cancelAlgorithm, readableHighWaterMark, readableSizeAlgorithm);
2749 // The [[backpressure]] slot is set to undefined so that it can be initialised by TransformStreamSetBackpressure.
2750 stream._backpressure = undefined;
2751 stream._backpressureChangePromise = undefined;
2752 stream._backpressureChangePromise_resolve = undefined;
2753 TransformStreamSetBackpressure(stream, true);
2754 // Used by IsWritableStream() which is called by SetUpTransformStreamDefaultController().
2755 stream._transformStreamController = undefined;
2756 }
2757 function IsTransformStream(x) {
2758 if (!typeIsObject(x)) {
2759 return false;
2760 }
2761 if (!Object.prototype.hasOwnProperty.call(x, '_transformStreamController')) {
2762 return false;
2763 }
2764 return true;
2765 }
2766 // This is a no-op if both sides are already errored.
2767 function TransformStreamError(stream, e) {
2768 ReadableStreamDefaultControllerError(stream._readable._readableStreamController, e);
2769 TransformStreamErrorWritableAndUnblockWrite(stream, e);
2770 }
2771 function TransformStreamErrorWritableAndUnblockWrite(stream, e) {
2772 TransformStreamDefaultControllerClearAlgorithms(stream._transformStreamController);
2773 WritableStreamDefaultControllerErrorIfNeeded(stream._writable._writableStreamController, e);
2774 if (stream._backpressure === true) {
2775 // Pretend that pull() was called to permit any pending write() calls to complete. TransformStreamSetBackpressure()
2776 // cannot be called from enqueue() or pull() once the ReadableStream is errored, so this will will be the final time
2777 // _backpressure is set.
2778 TransformStreamSetBackpressure(stream, false);
2779 }
2780 }
2781 function TransformStreamSetBackpressure(stream, backpressure) {
2782 // Passes also when called during construction.
2783 if (stream._backpressureChangePromise !== undefined) {
2784 stream._backpressureChangePromise_resolve();
2785 }
2786 stream._backpressureChangePromise = newPromise(resolve => {
2787 stream._backpressureChangePromise_resolve = resolve;
2788 });
2789 stream._backpressure = backpressure;
2790 }
2791 class TransformStreamDefaultController {
2792 /** @internal */
2793 constructor() {
2794 throw new TypeError('TransformStreamDefaultController instances cannot be created directly');
2795 }
2796 get desiredSize() {
2797 if (IsTransformStreamDefaultController(this) === false) {
2798 throw defaultControllerBrandCheckException$1('desiredSize');
2799 }
2800 const readableController = this._controlledTransformStream._readable._readableStreamController;
2801 return ReadableStreamDefaultControllerGetDesiredSize(readableController);
2802 }
2803 enqueue(chunk) {
2804 if (IsTransformStreamDefaultController(this) === false) {
2805 throw defaultControllerBrandCheckException$1('enqueue');
2806 }
2807 TransformStreamDefaultControllerEnqueue(this, chunk);
2808 }
2809 error(reason) {
2810 if (IsTransformStreamDefaultController(this) === false) {
2811 throw defaultControllerBrandCheckException$1('error');
2812 }
2813 TransformStreamDefaultControllerError(this, reason);
2814 }
2815 terminate() {
2816 if (IsTransformStreamDefaultController(this) === false) {
2817 throw defaultControllerBrandCheckException$1('terminate');
2818 }
2819 TransformStreamDefaultControllerTerminate(this);
2820 }
2821 }
2822 // Transform Stream Default Controller Abstract Operations
2823 function IsTransformStreamDefaultController(x) {
2824 if (!typeIsObject(x)) {
2825 return false;
2826 }
2827 if (!Object.prototype.hasOwnProperty.call(x, '_controlledTransformStream')) {
2828 return false;
2829 }
2830 return true;
2831 }
2832 function SetUpTransformStreamDefaultController(stream, controller, transformAlgorithm, flushAlgorithm) {
2833 controller._controlledTransformStream = stream;
2834 stream._transformStreamController = controller;
2835 controller._transformAlgorithm = transformAlgorithm;
2836 controller._flushAlgorithm = flushAlgorithm;
2837 }
2838 function SetUpTransformStreamDefaultControllerFromTransformer(stream, transformer) {
2839 const controller = Object.create(TransformStreamDefaultController.prototype);
2840 let transformAlgorithm = (chunk) => {
2841 try {
2842 TransformStreamDefaultControllerEnqueue(controller, chunk);
2843 return promiseResolvedWith(undefined);
2844 }
2845 catch (transformResultE) {
2846 return promiseRejectedWith(transformResultE);
2847 }
2848 };
2849 const transformMethod = transformer.transform;
2850 if (transformMethod !== undefined) {
2851 if (typeof transformMethod !== 'function') {
2852 throw new TypeError('transform is not a method');
2853 }
2854 transformAlgorithm = chunk => PromiseCall(transformMethod, transformer, [chunk, controller]);
2855 }
2856 const flushAlgorithm = CreateAlgorithmFromUnderlyingMethod(transformer, 'flush', 0, [controller]);
2857 SetUpTransformStreamDefaultController(stream, controller, transformAlgorithm, flushAlgorithm);
2858 }
2859 function TransformStreamDefaultControllerClearAlgorithms(controller) {
2860 controller._transformAlgorithm = undefined;
2861 controller._flushAlgorithm = undefined;
2862 }
2863 function TransformStreamDefaultControllerEnqueue(controller, chunk) {
2864 const stream = controller._controlledTransformStream;
2865 const readableController = stream._readable._readableStreamController;
2866 if (ReadableStreamDefaultControllerCanCloseOrEnqueue(readableController) === false) {
2867 throw new TypeError('Readable side is not in a state that permits enqueue');
2868 }
2869 // We throttle transform invocations based on the backpressure of the ReadableStream, but we still
2870 // accept TransformStreamDefaultControllerEnqueue() calls.
2871 try {
2872 ReadableStreamDefaultControllerEnqueue(readableController, chunk);
2873 }
2874 catch (e) {
2875 // This happens when readableStrategy.size() throws.
2876 TransformStreamErrorWritableAndUnblockWrite(stream, e);
2877 throw stream._readable._storedError;
2878 }
2879 const backpressure = ReadableStreamDefaultControllerHasBackpressure(readableController);
2880 if (backpressure !== stream._backpressure) {
2881 TransformStreamSetBackpressure(stream, true);
2882 }
2883 }
2884 function TransformStreamDefaultControllerError(controller, e) {
2885 TransformStreamError(controller._controlledTransformStream, e);
2886 }
2887 function TransformStreamDefaultControllerPerformTransform(controller, chunk) {
2888 const transformPromise = controller._transformAlgorithm(chunk);
2889 return transformPromiseWith(transformPromise, undefined, r => {
2890 TransformStreamError(controller._controlledTransformStream, r);
2891 throw r;
2892 });
2893 }
2894 function TransformStreamDefaultControllerTerminate(controller) {
2895 const stream = controller._controlledTransformStream;
2896 const readableController = stream._readable._readableStreamController;
2897 if (ReadableStreamDefaultControllerCanCloseOrEnqueue(readableController) === true) {
2898 ReadableStreamDefaultControllerClose(readableController);
2899 }
2900 const error = new TypeError('TransformStream terminated');
2901 TransformStreamErrorWritableAndUnblockWrite(stream, error);
2902 }
2903 // TransformStreamDefaultSink Algorithms
2904 function TransformStreamDefaultSinkWriteAlgorithm(stream, chunk) {
2905 const controller = stream._transformStreamController;
2906 if (stream._backpressure === true) {
2907 const backpressureChangePromise = stream._backpressureChangePromise;
2908 return transformPromiseWith(backpressureChangePromise, () => {
2909 const writable = stream._writable;
2910 const state = writable._state;
2911 if (state === 'erroring') {
2912 throw writable._storedError;
2913 }
2914 return TransformStreamDefaultControllerPerformTransform(controller, chunk);
2915 });
2916 }
2917 return TransformStreamDefaultControllerPerformTransform(controller, chunk);
2918 }
2919 function TransformStreamDefaultSinkAbortAlgorithm(stream, reason) {
2920 // abort() is not called synchronously, so it is possible for abort() to be called when the stream is already
2921 // errored.
2922 TransformStreamError(stream, reason);
2923 return promiseResolvedWith(undefined);
2924 }
2925 function TransformStreamDefaultSinkCloseAlgorithm(stream) {
2926 // stream._readable cannot change after construction, so caching it across a call to user code is safe.
2927 const readable = stream._readable;
2928 const controller = stream._transformStreamController;
2929 const flushPromise = controller._flushAlgorithm();
2930 TransformStreamDefaultControllerClearAlgorithms(controller);
2931 // Return a promise that is fulfilled with undefined on success.
2932 return transformPromiseWith(flushPromise, () => {
2933 if (readable._state === 'errored') {
2934 throw readable._storedError;
2935 }
2936 const readableController = readable._readableStreamController;
2937 if (ReadableStreamDefaultControllerCanCloseOrEnqueue(readableController) === true) {
2938 ReadableStreamDefaultControllerClose(readableController);
2939 }
2940 }, r => {
2941 TransformStreamError(stream, r);
2942 throw readable._storedError;
2943 });
2944 }
2945 // TransformStreamDefaultSource Algorithms
2946 function TransformStreamDefaultSourcePullAlgorithm(stream) {
2947 // Invariant. Enforced by the promises returned by start() and pull().
2948 TransformStreamSetBackpressure(stream, false);
2949 // Prevent the next pull() call until there is backpressure.
2950 return stream._backpressureChangePromise;
2951 }
2952 // Helper functions for the TransformStreamDefaultController.
2953 function defaultControllerBrandCheckException$1(name) {
2954 return new TypeError(`TransformStreamDefaultController.prototype.${name} can only be used on a TransformStreamDefaultController`);
2955 }
2956 // Helper functions for the TransformStream.
2957 function streamBrandCheckException$2(name) {
2958 return new TypeError(`TransformStream.prototype.${name} can only be used on a TransformStream`);
2959 }
2960
2961 /*! *****************************************************************************
2962 Copyright (c) Microsoft Corporation. All rights reserved.
2963 Licensed under the Apache License, Version 2.0 (the "License"); you may not use
2964 this file except in compliance with the License. You may obtain a copy of the
2965 License at http://www.apache.org/licenses/LICENSE-2.0
2966
2967 THIS CODE IS PROVIDED ON AN *AS IS* BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
2968 KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED
2969 WARRANTIES OR CONDITIONS OF TITLE, FITNESS FOR A PARTICULAR PURPOSE,
2970 MERCHANTABLITY OR NON-INFRINGEMENT.
2971
2972 See the Apache Version 2.0 License for specific language governing permissions
2973 and limitations under the License.
2974 ***************************************************************************** */
2975 /* global Reflect, Promise */
2976
2977 var extendStatics = function(d, b) {
2978 extendStatics = Object.setPrototypeOf ||
2979 ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
2980 function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
2981 return extendStatics(d, b);
2982 };
2983
2984 function __extends(d, b) {
2985 extendStatics(d, b);
2986 function __() { this.constructor = d; }
2987 d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
2988 }
2989
2990 function assert(test) {
2991 if (!test) {
2992 throw new TypeError('Assertion failed');
2993 }
2994 }
2995
2996 function noop$1() {
2997 return;
2998 }
2999 function typeIsObject$1(x) {
3000 return (typeof x === 'object' && x !== null) || typeof x === 'function';
3001 }
3002
3003 function isStreamConstructor(ctor) {
3004 if (typeof ctor !== 'function') {
3005 return false;
3006 }
3007 var startCalled = false;
3008 try {
3009 new ctor({
3010 start: function () {
3011 startCalled = true;
3012 }
3013 });
3014 }
3015 catch (e) {
3016 // ignore
3017 }
3018 return startCalled;
3019 }
3020 function isReadableStream(readable) {
3021 if (!typeIsObject$1(readable)) {
3022 return false;
3023 }
3024 if (typeof readable.getReader !== 'function') {
3025 return false;
3026 }
3027 return true;
3028 }
3029 function isReadableStreamConstructor(ctor) {
3030 if (!isStreamConstructor(ctor)) {
3031 return false;
3032 }
3033 if (!isReadableStream(new ctor())) {
3034 return false;
3035 }
3036 return true;
3037 }
3038 function supportsByobReader(readable) {
3039 try {
3040 var reader = readable.getReader({ mode: 'byob' });
3041 reader.releaseLock();
3042 return true;
3043 }
3044 catch (_a) {
3045 return false;
3046 }
3047 }
3048 function supportsByteSource(ctor) {
3049 try {
3050 new ctor({ type: 'bytes' });
3051 return true;
3052 }
3053 catch (_a) {
3054 return false;
3055 }
3056 }
3057
3058 function createReadableStreamWrapper(ctor) {
3059 assert(isReadableStreamConstructor(ctor));
3060 var byteSourceSupported = supportsByteSource(ctor);
3061 return function (readable, _a) {
3062 var type = (_a === void 0 ? {} : _a).type;
3063 type = parseReadableType(type);
3064 if (type === 'bytes' && !byteSourceSupported) {
3065 type = undefined;
3066 }
3067 if (readable.constructor === ctor) {
3068 if (type !== 'bytes' || supportsByobReader(readable)) {
3069 return readable;
3070 }
3071 }
3072 var source = createWrappingReadableSource(readable, { type: type });
3073 return new ctor(source);
3074 };
3075 }
3076 function createWrappingReadableSource(readable, _a) {
3077 var type = (_a === void 0 ? {} : _a).type;
3078 assert(isReadableStream(readable));
3079 assert(readable.locked === false);
3080 type = parseReadableType(type);
3081 var source;
3082 if (type === 'bytes') {
3083 source = new WrappingReadableByteStreamSource(readable);
3084 }
3085 else {
3086 source = new WrappingReadableStreamDefaultSource(readable);
3087 }
3088 return source;
3089 }
3090 function parseReadableType(type) {
3091 var typeString = String(type);
3092 if (typeString === 'bytes') {
3093 return typeString;
3094 }
3095 else if (type === undefined) {
3096 return type;
3097 }
3098 else {
3099 throw new RangeError('Invalid type is specified');
3100 }
3101 }
3102 var AbstractWrappingReadableStreamSource = /** @class */ (function () {
3103 function AbstractWrappingReadableStreamSource(underlyingStream) {
3104 this._underlyingReader = undefined;
3105 this._readerMode = undefined;
3106 this._readableStreamController = undefined;
3107 this._pendingRead = undefined;
3108 this._underlyingStream = underlyingStream;
3109 // always keep a reader attached to detect close/error
3110 this._attachDefaultReader();
3111 }
3112 AbstractWrappingReadableStreamSource.prototype.start = function (controller) {
3113 this._readableStreamController = controller;
3114 };
3115 AbstractWrappingReadableStreamSource.prototype.cancel = function (reason) {
3116 assert(this._underlyingReader !== undefined);
3117 return this._underlyingReader.cancel(reason);
3118 };
3119 AbstractWrappingReadableStreamSource.prototype._attachDefaultReader = function () {
3120 if (this._readerMode === "default" /* DEFAULT */) {
3121 return;
3122 }
3123 this._detachReader();
3124 var reader = this._underlyingStream.getReader();
3125 this._readerMode = "default" /* DEFAULT */;
3126 this._attachReader(reader);
3127 };
3128 AbstractWrappingReadableStreamSource.prototype._attachReader = function (reader) {
3129 var _this = this;
3130 assert(this._underlyingReader === undefined);
3131 this._underlyingReader = reader;
3132 var closed = this._underlyingReader.closed;
3133 if (!closed) {
3134 return;
3135 }
3136 closed
3137 .then(function () { return _this._finishPendingRead(); })
3138 .then(function () {
3139 if (reader === _this._underlyingReader) {
3140 _this._readableStreamController.close();
3141 }
3142 }, function (reason) {
3143 if (reader === _this._underlyingReader) {
3144 _this._readableStreamController.error(reason);
3145 }
3146 })
3147 .catch(noop$1);
3148 };
3149 AbstractWrappingReadableStreamSource.prototype._detachReader = function () {
3150 if (this._underlyingReader === undefined) {
3151 return;
3152 }
3153 this._underlyingReader.releaseLock();
3154 this._underlyingReader = undefined;
3155 this._readerMode = undefined;
3156 };
3157 AbstractWrappingReadableStreamSource.prototype._pullWithDefaultReader = function () {
3158 var _this = this;
3159 this._attachDefaultReader();
3160 // TODO Backpressure?
3161 var read = this._underlyingReader.read()
3162 .then(function (result) {
3163 var controller = _this._readableStreamController;
3164 if (result.done) {
3165 _this._tryClose();
3166 }
3167 else {
3168 controller.enqueue(result.value);
3169 }
3170 });
3171 this._setPendingRead(read);
3172 return read;
3173 };
3174 AbstractWrappingReadableStreamSource.prototype._tryClose = function () {
3175 try {
3176 this._readableStreamController.close();
3177 }
3178 catch (_a) {
3179 // already errored or closed
3180 }
3181 };
3182 AbstractWrappingReadableStreamSource.prototype._setPendingRead = function (readPromise) {
3183 var _this = this;
3184 var pendingRead;
3185 var finishRead = function () {
3186 if (_this._pendingRead === pendingRead) {
3187 _this._pendingRead = undefined;
3188 }
3189 };
3190 this._pendingRead = pendingRead = readPromise.then(finishRead, finishRead);
3191 };
3192 AbstractWrappingReadableStreamSource.prototype._finishPendingRead = function () {
3193 var _this = this;
3194 if (!this._pendingRead) {
3195 return undefined;
3196 }
3197 var afterRead = function () { return _this._finishPendingRead(); };
3198 return this._pendingRead.then(afterRead, afterRead);
3199 };
3200 return AbstractWrappingReadableStreamSource;
3201 }());
3202 var WrappingReadableStreamDefaultSource = /** @class */ (function (_super) {
3203 __extends(WrappingReadableStreamDefaultSource, _super);
3204 function WrappingReadableStreamDefaultSource() {
3205 return _super !== null && _super.apply(this, arguments) || this;
3206 }
3207 WrappingReadableStreamDefaultSource.prototype.pull = function () {
3208 return this._pullWithDefaultReader();
3209 };
3210 return WrappingReadableStreamDefaultSource;
3211 }(AbstractWrappingReadableStreamSource));
3212 function toUint8Array(view) {
3213 return new Uint8Array(view.buffer, view.byteOffset, view.byteLength);
3214 }
3215 function copyArrayBufferView(from, to) {
3216 var fromArray = toUint8Array(from);
3217 var toArray = toUint8Array(to);
3218 toArray.set(fromArray, 0);
3219 }
3220 var WrappingReadableByteStreamSource = /** @class */ (function (_super) {
3221 __extends(WrappingReadableByteStreamSource, _super);
3222 function WrappingReadableByteStreamSource(underlyingStream) {
3223 var _this = this;
3224 var supportsByob = supportsByobReader(underlyingStream);
3225 _this = _super.call(this, underlyingStream) || this;
3226 _this._supportsByob = supportsByob;
3227 return _this;
3228 }
3229 Object.defineProperty(WrappingReadableByteStreamSource.prototype, "type", {
3230 get: function () {
3231 return 'bytes';
3232 },
3233 enumerable: true,
3234 configurable: true
3235 });
3236 WrappingReadableByteStreamSource.prototype._attachByobReader = function () {
3237 if (this._readerMode === "byob" /* BYOB */) {
3238 return;
3239 }
3240 assert(this._supportsByob);
3241 this._detachReader();
3242 var reader = this._underlyingStream.getReader({ mode: 'byob' });
3243 this._readerMode = "byob" /* BYOB */;
3244 this._attachReader(reader);
3245 };
3246 WrappingReadableByteStreamSource.prototype.pull = function () {
3247 if (this._supportsByob) {
3248 var byobRequest = this._readableStreamController.byobRequest;
3249 if (byobRequest !== undefined) {
3250 return this._pullWithByobRequest(byobRequest);
3251 }
3252 }
3253 return this._pullWithDefaultReader();
3254 };
3255 WrappingReadableByteStreamSource.prototype._pullWithByobRequest = function (byobRequest) {
3256 var _this = this;
3257 this._attachByobReader();
3258 // reader.read(view) detaches the input view, therefore we cannot pass byobRequest.view directly
3259 // create a separate buffer to read into, then copy that to byobRequest.view
3260 var buffer = new Uint8Array(byobRequest.view.byteLength);
3261 // TODO Backpressure?
3262 var read = this._underlyingReader.read(buffer)
3263 .then(function (result) {
3264 _this._readableStreamController;
3265 if (result.done) {
3266 _this._tryClose();
3267 byobRequest.respond(0);
3268 }
3269 else {
3270 copyArrayBufferView(result.value, byobRequest.view);
3271 byobRequest.respond(result.value.byteLength);
3272 }
3273 });
3274 this._setPendingRead(read);
3275 return read;
3276 };
3277 return WrappingReadableByteStreamSource;
3278 }(AbstractWrappingReadableStreamSource));
3279
3280 const isNode = typeof globalThis.process === 'object' &&
3281 typeof globalThis.process.versions === 'object';
3282
3283 const NodeReadableStream = isNode && void('stream').Readable;
3284
3285 /**
3286 * Check whether data is a Stream, and if so of which type
3287 * @param {Any} input data to check
3288 * @returns {'web'|'ponyfill'|'node'|false}
3289 */
3290 function isStream(input) {
3291 if (globalThis.ReadableStream && globalThis.ReadableStream.prototype.isPrototypeOf(input)) {
3292 return 'web';
3293 }
3294 if (stream.ReadableStream.prototype.isPrototypeOf(input)) {
3295 return 'ponyfill';
3296 }
3297 if (NodeReadableStream && NodeReadableStream.prototype.isPrototypeOf(input)) {
3298 return 'node';
3299 }
3300 return false;
3301 }
3302
3303 /**
3304 * Check whether data is a Uint8Array
3305 * @param {Any} input data to check
3306 * @returns {Boolean}
3307 */
3308 function isUint8Array(input) {
3309 return Uint8Array.prototype.isPrototypeOf(input);
3310 }
3311
3312 /**
3313 * Concat Uint8Arrays
3314 * @param {Array<Uint8array>} Array of Uint8Arrays to concatenate
3315 * @returns {Uint8array} Concatenated array
3316 */
3317 function concatUint8Array(arrays) {
3318 if (arrays.length === 1) return arrays[0];
3319
3320 let totalLength = 0;
3321 for (let i = 0; i < arrays.length; i++) {
3322 if (!isUint8Array(arrays[i])) {
3323 throw new Error('concatUint8Array: Data must be in the form of a Uint8Array');
3324 }
3325
3326 totalLength += arrays[i].length;
3327 }
3328
3329 const result = new Uint8Array(totalLength);
3330 let pos = 0;
3331 arrays.forEach(function (element) {
3332 result.set(element, pos);
3333 pos += element.length;
3334 });
3335
3336 return result;
3337 }
3338
3339 const NodeBuffer = isNode && void('buffer').Buffer;
3340 const NodeReadableStream$1 = isNode && void('stream').Readable;
3341
3342 /**
3343 * Web / node stream conversion functions
3344 * From https://github.com/gwicke/node-web-streams
3345 */
3346
3347 let nodeToWeb;
3348 let webToNode;
3349
3350 if (NodeReadableStream$1) {
3351
3352 /**
3353 * Convert a Node Readable Stream to a Web ReadableStream
3354 * @param {Readable} nodeStream
3355 * @returns {ReadableStream}
3356 */
3357 nodeToWeb = function(nodeStream) {
3358 return new stream.ReadableStream({
3359 start(controller) {
3360 nodeStream.pause();
3361 nodeStream.on('data', chunk => {
3362 if (NodeBuffer.isBuffer(chunk)) {
3363 chunk = new Uint8Array(chunk.buffer, chunk.byteOffset, chunk.byteLength);
3364 }
3365 controller.enqueue(chunk);
3366 nodeStream.pause();
3367 });
3368 nodeStream.on('end', () => controller.close());
3369 nodeStream.on('error', e => controller.error(e));
3370 },
3371 pull() {
3372 nodeStream.resume();
3373 },
3374 cancel(reason) {
3375 nodeStream.pause();
3376 if (nodeStream.cancel) {
3377 return nodeStream.cancel(reason);
3378 }
3379 }
3380 });
3381 };
3382
3383
3384 class NodeReadable extends NodeReadableStream$1 {
3385 constructor(webStream, options) {
3386 super(options);
3387 this._webStream = webStream;
3388 this._reader = stream.getReader(webStream);
3389 this._reading = false;
3390 this._doneReadingPromise = Promise.resolve();
3391 this._cancelling = false;
3392 }
3393
3394 _read(size) {
3395 if (this._reading || this._cancelling) {
3396 return;
3397 }
3398 this._reading = true;
3399 const doRead = async () => {
3400 try {
3401 while (true) {
3402 const { done, value } = await this._reader.read();
3403 if (done) {
3404 this.push(null);
3405 break;
3406 }
3407 if (!this.push(value) || this._cancelling) {
3408 this._reading = false;
3409 break;
3410 }
3411 }
3412 } catch(e) {
3413 this.emit('error', e);
3414 }
3415 };
3416 this._doneReadingPromise = doRead();
3417 }
3418
3419 async cancel(reason) {
3420 this._cancelling = true;
3421 await this._doneReadingPromise;
3422 this._reader.releaseLock();
3423 return this._webStream.cancel(reason);
3424 }
3425 }
3426
3427 /**
3428 * Convert a Web ReadableStream to a Node Readable Stream
3429 * @param {ReadableStream} webStream
3430 * @returns {Readable}
3431 */
3432 webToNode = function(webStream) {
3433 return new NodeReadable(webStream);
3434 };
3435
3436 }
3437
3438 const doneReadingSet = new WeakSet();
3439 const externalBuffer = Symbol('externalBuffer');
3440
3441 /**
3442 * A wrapper class over the native ReadableStreamDefaultReader.
3443 * This additionally implements pushing back data on the stream, which
3444 * lets us implement peeking and a host of convenience functions.
3445 * It also lets you read data other than streams, such as a Uint8Array.
3446 * @class
3447 */
3448 function Reader(input) {
3449 this.stream = input;
3450 if (input[externalBuffer]) {
3451 this[externalBuffer] = input[externalBuffer].slice();
3452 }
3453 let streamType = stream.isStream(input);
3454 if (streamType === 'node') {
3455 input = stream.nodeToWeb(input);
3456 }
3457 if (streamType) {
3458 const reader = input.getReader();
3459 this._read = reader.read.bind(reader);
3460 this._releaseLock = () => {
3461 reader.closed.catch(function() {});
3462 reader.releaseLock();
3463 };
3464 return;
3465 }
3466 let doneReading = false;
3467 this._read = async () => {
3468 if (doneReading || doneReadingSet.has(input)) {
3469 return { value: undefined, done: true };
3470 }
3471 doneReading = true;
3472 return { value: input, done: false };
3473 };
3474 this._releaseLock = () => {
3475 if (doneReading) {
3476 try {
3477 doneReadingSet.add(input);
3478 } catch(e) {}
3479 }
3480 };
3481 }
3482
3483 /**
3484 * Read a chunk of data.
3485 * @returns {Promise<Object>} Either { done: false, value: Uint8Array | String } or { done: true, value: undefined }
3486 * @async
3487 */
3488 Reader.prototype.read = async function() {
3489 if (this[externalBuffer] && this[externalBuffer].length) {
3490 const value = this[externalBuffer].shift();
3491 return { done: false, value };
3492 }
3493 return this._read();
3494 };
3495
3496 /**
3497 * Allow others to read the stream.
3498 */
3499 Reader.prototype.releaseLock = function() {
3500 if (this[externalBuffer]) {
3501 this.stream[externalBuffer] = this[externalBuffer];
3502 }
3503 this._releaseLock();
3504 };
3505
3506 /**
3507 * Read up to and including the first \n character.
3508 * @returns {Promise<String|Undefined>}
3509 * @async
3510 */
3511 Reader.prototype.readLine = async function() {
3512 let buffer = [];
3513 let returnVal;
3514 while (!returnVal) {
3515 let { done, value } = await this.read();
3516 value += '';
3517 if (done) {
3518 if (buffer.length) return stream.concat(buffer);
3519 return;
3520 }
3521 const lineEndIndex = value.indexOf('\n') + 1;
3522 if (lineEndIndex) {
3523 returnVal = stream.concat(buffer.concat(value.substr(0, lineEndIndex)));
3524 buffer = [];
3525 }
3526 if (lineEndIndex !== value.length) {
3527 buffer.push(value.substr(lineEndIndex));
3528 }
3529 }
3530 this.unshift(...buffer);
3531 return returnVal;
3532 };
3533
3534 /**
3535 * Read a single byte/character.
3536 * @returns {Promise<Number|String|Undefined>}
3537 * @async
3538 */
3539 Reader.prototype.readByte = async function() {
3540 const { done, value } = await this.read();
3541 if (done) return;
3542 const byte = value[0];
3543 this.unshift(stream.slice(value, 1));
3544 return byte;
3545 };
3546
3547 /**
3548 * Read a specific amount of bytes/characters, unless the stream ends before that amount.
3549 * @returns {Promise<Uint8Array|String|Undefined>}
3550 * @async
3551 */
3552 Reader.prototype.readBytes = async function(length) {
3553 const buffer = [];
3554 let bufferLength = 0;
3555 while (true) {
3556 const { done, value } = await this.read();
3557 if (done) {
3558 if (buffer.length) return stream.concat(buffer);
3559 return;
3560 }
3561 buffer.push(value);
3562 bufferLength += value.length;
3563 if (bufferLength >= length) {
3564 const bufferConcat = stream.concat(buffer);
3565 this.unshift(stream.slice(bufferConcat, length));
3566 return stream.slice(bufferConcat, 0, length);
3567 }
3568 }
3569 };
3570
3571 /**
3572 * Peek (look ahead) a specific amount of bytes/characters, unless the stream ends before that amount.
3573 * @returns {Promise<Uint8Array|String|Undefined>}
3574 * @async
3575 */
3576 Reader.prototype.peekBytes = async function(length) {
3577 const bytes = await this.readBytes(length);
3578 this.unshift(bytes);
3579 return bytes;
3580 };
3581
3582 /**
3583 * Push data to the front of the stream.
3584 * Data must have been read in the last call to read*.
3585 * @param {...(Uint8Array|String|Undefined)} values
3586 */
3587 Reader.prototype.unshift = function(...values) {
3588 if (!this[externalBuffer]) {
3589 this[externalBuffer] = [];
3590 }
3591 if (
3592 values.length === 1 && isUint8Array(values[0]) &&
3593 this[externalBuffer].length && values[0].length &&
3594 this[externalBuffer][0].byteOffset >= values[0].length
3595 ) {
3596 this[externalBuffer][0] = new Uint8Array(
3597 this[externalBuffer][0].buffer,
3598 this[externalBuffer][0].byteOffset - values[0].length,
3599 this[externalBuffer][0].byteLength + values[0].length
3600 );
3601 return;
3602 }
3603 this[externalBuffer].unshift(...values.filter(value => value && value.length));
3604 };
3605
3606 /**
3607 * Read the stream to the end and return its contents, concatenated by the join function (defaults to streams.concat).
3608 * @param {Function} join
3609 * @returns {Promise<Uint8array|String|Any>} the return value of join()
3610 * @async
3611 */
3612 Reader.prototype.readToEnd = async function(join=stream.concat) {
3613 const result = [];
3614 while (true) {
3615 const { done, value } = await this.read();
3616 if (done) break;
3617 result.push(value);
3618 }
3619 return join(result);
3620 };
3621
3622 const { ReadableStream: ReadableStream$1, WritableStream: WritableStream$1, TransformStream: TransformStream$1 } = globalThis.TransformStream ? globalThis : {
3623 ReadableStream: ReadableStream,
3624 WritableStream: WritableStream,
3625 TransformStream: TransformStream
3626 };
3627
3628 const toPonyfillReadable = globalThis.ReadableStream &&
3629 ReadableStream$1 !== globalThis.ReadableStream &&
3630 createReadableStreamWrapper(ReadableStream$1);
3631
3632 const NodeBuffer$1 = isNode && void('buffer').Buffer;
3633
3634 /**
3635 * Convert data to Stream
3636 * @param {ReadableStream|Uint8array|String} input data to convert
3637 * @returns {ReadableStream} Converted data
3638 */
3639 function toStream(input) {
3640 let streamType = isStream(input);
3641 if (streamType === 'node') {
3642 return nodeToWeb(input);
3643 }
3644 if (streamType === 'web' && toPonyfillReadable) {
3645 return toPonyfillReadable(input);
3646 }
3647 if (streamType) {
3648 return input;
3649 }
3650 return new ReadableStream$1({
3651 start(controller) {
3652 controller.enqueue(input);
3653 controller.close();
3654 }
3655 });
3656 }
3657
3658 /**
3659 * Concat a list of Uint8Arrays, Strings or Streams
3660 * The caller should not mix Uint8Arrays with Strings, but may mix Streams with non-Streams.
3661 * @param {Array<Uint8array|String|ReadableStream>} Array of Uint8Arrays/Strings/Streams to concatenate
3662 * @returns {Uint8array|String|ReadableStream} Concatenated array
3663 */
3664 function concat(list) {
3665 if (list.some(isStream)) {
3666 return concatStream(list);
3667 }
3668 if (typeof list[0] === 'string') {
3669 return list.join('');
3670 }
3671 if (NodeBuffer$1 && NodeBuffer$1.isBuffer(list[0])) {
3672 return NodeBuffer$1.concat(list);
3673 }
3674 return concatUint8Array(list);
3675 }
3676
3677 /**
3678 * Concat a list of Streams
3679 * @param {Array<ReadableStream|Uint8array|String>} list Array of Uint8Arrays/Strings/Streams to concatenate
3680 * @returns {ReadableStream} Concatenated list
3681 */
3682 function concatStream(list) {
3683 list = list.map(toStream);
3684 const transform = transformWithCancel(async function(reason) {
3685 await Promise.all(transforms.map(stream => cancel(stream, reason)));
3686 });
3687 let prev = Promise.resolve();
3688 const transforms = list.map((stream, i) => transformPair(stream, (readable, writable) => {
3689 prev = prev.then(() => pipe(readable, transform.writable, {
3690 preventClose: i !== list.length - 1
3691 }));
3692 return prev;
3693 }));
3694 return transform.readable;
3695 }
3696
3697 /**
3698 * Get a Reader
3699 * @param {ReadableStream|Uint8array|String} input
3700 * @returns {Reader}
3701 */
3702 function getReader(input) {
3703 return new Reader(input);
3704 }
3705
3706 /**
3707 * Get a Writer
3708 * @param {WritableStream} input
3709 * @returns {WritableStreamDefaultWriter}
3710 */
3711 function getWriter(input) {
3712 const writer = input.getWriter();
3713 const releaseLock = writer.releaseLock;
3714 writer.releaseLock = () => {
3715 writer.closed.catch(function() {});
3716 releaseLock.call(writer);
3717 };
3718 return writer;
3719 }
3720
3721 /**
3722 * Pipe a readable stream to a writable stream. Don't throw on input stream errors, but forward them to the output stream.
3723 * @param {ReadableStream|Uint8array|String} input
3724 * @param {WritableStream} target
3725 * @param {Object} (optional) options
3726 * @returns {Promise<undefined>} Promise indicating when piping has finished (input stream closed or errored)
3727 * @async
3728 */
3729 async function pipe(input, target, options) {
3730 input = toStream(input);
3731 try {
3732 if (input[externalBuffer]) {
3733 const writer = getWriter(target);
3734 for (let i = 0; i < input[externalBuffer].length; i++) {
3735 await writer.ready;
3736 await writer.write(input[externalBuffer][i]);
3737 }
3738 writer.releaseLock();
3739 }
3740 return await input.pipeTo(target, options);
3741 } catch(e) {}
3742 }
3743
3744 /**
3745 * Pipe a readable stream through a transform stream.
3746 * @param {ReadableStream|Uint8array|String} input
3747 * @param {Object} (optional) options
3748 * @returns {ReadableStream} transformed stream
3749 */
3750 function transformRaw(input, options) {
3751 const transformStream = new TransformStream$1(options);
3752 pipe(input, transformStream.writable);
3753 return transformStream.readable;
3754 }
3755
3756 /**
3757 * Create a cancelable TransformStream.
3758 * @param {Function} cancel
3759 * @returns {TransformStream}
3760 */
3761 function transformWithCancel(cancel) {
3762 let pulled = false;
3763 let backpressureChangePromiseResolve;
3764 let outputController;
3765 return {
3766 readable: new ReadableStream$1({
3767 start(controller) {
3768 outputController = controller;
3769 },
3770 pull() {
3771 if (backpressureChangePromiseResolve) {
3772 backpressureChangePromiseResolve();
3773 } else {
3774 pulled = true;
3775 }
3776 },
3777 cancel
3778 }, {highWaterMark: 0}),
3779 writable: new WritableStream$1({
3780 write: async function(chunk) {
3781 outputController.enqueue(chunk);
3782 if (!pulled) {
3783 await new Promise(resolve => {
3784 backpressureChangePromiseResolve = resolve;
3785 });
3786 backpressureChangePromiseResolve = null;
3787 } else {
3788 pulled = false;
3789 }
3790 },
3791 close: outputController.close.bind(outputController),
3792 abort: outputController.error.bind(outputController)
3793 })
3794 };
3795 }
3796
3797 /**
3798 * Transform a stream using helper functions which are called on each chunk, and on stream close, respectively.
3799 * @param {ReadableStream|Uint8array|String} input
3800 * @param {Function} process
3801 * @param {Function} finish
3802 * @returns {ReadableStream|Uint8array|String}
3803 */
3804 function transform(input, process = () => undefined, finish = () => undefined) {
3805 if (isStream(input)) {
3806 return transformRaw(input, {
3807 async transform(value, controller) {
3808 try {
3809 const result = await process(value);
3810 if (result !== undefined) controller.enqueue(result);
3811 } catch(e) {
3812 controller.error(e);
3813 }
3814 },
3815 async flush(controller) {
3816 try {
3817 const result = await finish();
3818 if (result !== undefined) controller.enqueue(result);
3819 } catch(e) {
3820 controller.error(e);
3821 }
3822 }
3823 });
3824 }
3825 const result1 = process(input);
3826 const result2 = finish();
3827 if (result1 !== undefined && result2 !== undefined) return concat([result1, result2]);
3828 return result1 !== undefined ? result1 : result2;
3829 }
3830
3831 /**
3832 * Transform a stream using a helper function which is passed a readable and a writable stream.
3833 * This function also maintains the possibility to cancel the input stream,
3834 * and does so on cancelation of the output stream, despite cancelation
3835 * normally being impossible when the input stream is being read from.
3836 * @param {ReadableStream|Uint8array|String} input
3837 * @param {Function} fn
3838 * @returns {ReadableStream}
3839 */
3840 function transformPair(input, fn) {
3841 let incomingTransformController;
3842 const incoming = new TransformStream$1({
3843 start(controller) {
3844 incomingTransformController = controller;
3845 }
3846 });
3847
3848 const pipeDonePromise = pipe(input, incoming.writable);
3849
3850 const outgoing = transformWithCancel(async function() {
3851 incomingTransformController.error(new Error('Readable side was canceled.'));
3852 await pipeDonePromise;
3853 await new Promise(setTimeout);
3854 });
3855 fn(incoming.readable, outgoing.writable);
3856 return outgoing.readable;
3857 }
3858
3859 /**
3860 * Parse a stream using a helper function which is passed a Reader.
3861 * The reader additionally has a remainder() method which returns a
3862 * stream pointing to the remainder of input, and is linked to input
3863 * for cancelation.
3864 * @param {ReadableStream|Uint8array|String} input
3865 * @param {Function} fn
3866 * @returns {Any} the return value of fn()
3867 */
3868 function parse(input, fn) {
3869 let returnValue;
3870 const transformed = transformPair(input, (readable, writable) => {
3871 const reader = getReader(readable);
3872 reader.remainder = () => {
3873 reader.releaseLock();
3874 pipe(readable, writable);
3875 return transformed;
3876 };
3877 returnValue = fn(reader);
3878 });
3879 return returnValue;
3880 }
3881
3882 /**
3883 * Tee a Stream for reading it twice. The input stream can no longer be read after tee()ing.
3884 * Reading either of the two returned streams will pull from the input stream.
3885 * The input stream will only be canceled if both of the returned streams are canceled.
3886 * @param {ReadableStream|Uint8array|String} input
3887 * @returns {Array<ReadableStream|Uint8array|String>} array containing two copies of input
3888 */
3889 function tee(input) {
3890 if (isStream(input)) {
3891 const teed = toStream(input).tee();
3892 teed[0][externalBuffer] = teed[1][externalBuffer] = input[externalBuffer];
3893 return teed;
3894 }
3895 return [slice(input), slice(input)];
3896 }
3897
3898 /**
3899 * Clone a Stream for reading it twice. The input stream can still be read after clone()ing.
3900 * Reading from the clone will pull from the input stream.
3901 * The input stream will only be canceled if both the clone and the input stream are canceled.
3902 * @param {ReadableStream|Uint8array|String} input
3903 * @returns {ReadableStream|Uint8array|String} cloned input
3904 */
3905 function clone(input) {
3906 if (isStream(input)) {
3907 const teed = tee(input);
3908 overwrite(input, teed[0]);
3909 return teed[1];
3910 }
3911 return slice(input);
3912 }
3913
3914 /**
3915 * Clone a Stream for reading it twice. Data will arrive at the same rate as the input stream is being read.
3916 * Reading from the clone will NOT pull from the input stream. Data only arrives when reading the input stream.
3917 * The input stream will NOT be canceled if the clone is canceled, only if the input stream are canceled.
3918 * If the input stream is canceled, the clone will be errored.
3919 * @param {ReadableStream|Uint8array|String} input
3920 * @returns {ReadableStream|Uint8array|String} cloned input
3921 */
3922 function passiveClone(input) {
3923 if (isStream(input)) {
3924 return new ReadableStream$1({
3925 start(controller) {
3926 const transformed = transformPair(input, async (readable, writable) => {
3927 const reader = getReader(readable);
3928 const writer = getWriter(writable);
3929 try {
3930 while (true) {
3931 await writer.ready;
3932 const { done, value } = await reader.read();
3933 if (done) {
3934 try { controller.close(); } catch(e) {}
3935 await writer.close();
3936 return;
3937 }
3938 try { controller.enqueue(value); } catch(e) {}
3939 await writer.write(value);
3940 }
3941 } catch(e) {
3942 controller.error(e);
3943 await writer.abort(e);
3944 }
3945 });
3946 overwrite(input, transformed);
3947 }
3948 });
3949 }
3950 return slice(input);
3951 }
3952
3953 /**
3954 * Modify a stream object to point to a different stream object.
3955 * This is used internally by clone() and passiveClone() to provide an abstraction over tee().
3956 * @param {ReadableStream} input
3957 * @param {ReadableStream} clone
3958 */
3959 function overwrite(input, clone) {
3960 // Overwrite input.getReader, input.locked, etc to point to clone
3961 Object.entries(Object.getOwnPropertyDescriptors(ReadableStream$1.prototype)).forEach(([name, descriptor]) => {
3962 if (name === 'constructor') {
3963 return;
3964 }
3965 if (descriptor.value) {
3966 descriptor.value = descriptor.value.bind(clone);
3967 } else {
3968 descriptor.get = descriptor.get.bind(clone);
3969 }
3970 Object.defineProperty(input, name, descriptor);
3971 });
3972 }
3973
3974 /**
3975 * Return a stream pointing to a part of the input stream.
3976 * @param {ReadableStream|Uint8array|String} input
3977 * @returns {ReadableStream|Uint8array|String} clone
3978 */
3979 function slice(input, begin=0, end=Infinity) {
3980 if (isStream(input)) {
3981 if (begin >= 0 && end >= 0) {
3982 let bytesRead = 0;
3983 return transformRaw(input, {
3984 transform(value, controller) {
3985 if (bytesRead < end) {
3986 if (bytesRead + value.length >= begin) {
3987 controller.enqueue(slice(value, Math.max(begin - bytesRead, 0), end - bytesRead));
3988 }
3989 bytesRead += value.length;
3990 } else {
3991 controller.terminate();
3992 }
3993 }
3994 });
3995 }
3996 if (begin < 0 && (end < 0 || end === Infinity)) {
3997 let lastBytes = [];
3998 return transform(input, value => {
3999 if (value.length >= -begin) lastBytes = [value];
4000 else lastBytes.push(value);
4001 }, () => slice(concat(lastBytes), begin, end));
4002 }
4003 if (begin === 0 && end < 0) {
4004 let lastBytes;
4005 return transform(input, value => {
4006 const returnValue = lastBytes ? concat([lastBytes, value]) : value;
4007 if (returnValue.length >= -end) {
4008 lastBytes = slice(returnValue, end);
4009 return slice(returnValue, begin, end);
4010 } else {
4011 lastBytes = returnValue;
4012 }
4013 });
4014 }
4015 console.warn(`stream.slice(input, ${begin}, ${end}) not implemented efficiently.`);
4016 return fromAsync(async () => slice(await readToEnd(input), begin, end));
4017 }
4018 if (input[externalBuffer]) {
4019 input = concat(input[externalBuffer].concat([input]));
4020 }
4021 if (isUint8Array(input) && !(NodeBuffer$1 && NodeBuffer$1.isBuffer(input))) {
4022 if (end === Infinity) end = input.length;
4023 return input.subarray(begin, end);
4024 }
4025 return input.slice(begin, end);
4026 }
4027
4028 /**
4029 * Read a stream to the end and return its contents, concatenated by the concat function (defaults to concat).
4030 * @param {ReadableStream|Uint8array|String} input
4031 * @param {Function} concat
4032 * @returns {Promise<Uint8array|String|Any>} the return value of concat()
4033 * @async
4034 */
4035 async function readToEnd(input, concat) {
4036 if (isStream(input)) {
4037 return getReader(input).readToEnd(concat);
4038 }
4039 return input;
4040 }
4041
4042 /**
4043 * Cancel a stream.
4044 * @param {ReadableStream|Uint8array|String} input
4045 * @param {Any} reason
4046 * @returns {Promise<Any>} indicates when the stream has been canceled
4047 * @async
4048 */
4049 async function cancel(input, reason) {
4050 if (isStream(input) && input.cancel) {
4051 return input.cancel(reason);
4052 }
4053 }
4054
4055 /**
4056 * Convert an async function to a Stream. When the function returns, its return value is enqueued to the stream.
4057 * @param {Function} fn
4058 * @returns {ReadableStream}
4059 */
4060 function fromAsync(fn) {
4061 return new ReadableStream$1({
4062 pull: async controller => {
4063 try {
4064 controller.enqueue(await fn());
4065 controller.close();
4066 } catch(e) {
4067 controller.error(e);
4068 }
4069 }
4070 });
4071 }
4072
4073
4074 var stream = { ReadableStream: ReadableStream$1, WritableStream: WritableStream$1, TransformStream: TransformStream$1, isStream, isUint8Array, toStream, concatUint8Array, concatStream, concat, getReader, getWriter, pipe, transformRaw, transform, transformPair, parse, clone, passiveClone, slice, readToEnd, cancel, fromAsync, nodeToWeb, webToNode };
4075
4076 /* eslint-disable new-cap */
4077
4078 /**
4079 * @fileoverview
4080 * BigInteger implementation of basic operations
4081 * that wraps the native BigInt library.
4082 * Operations are not constant time,
4083 * but we try and limit timing leakage where we can
4084 * @module biginteger/native
4085 * @private
4086 */
4087
4088 /**
4089 * @private
4090 */
4091 class BigInteger {
4092 /**
4093 * Get a BigInteger (input must be big endian for strings and arrays)
4094 * @param {Number|String|Uint8Array} n - Value to convert
4095 * @throws {Error} on null or undefined input
4096 */
4097 constructor(n) {
4098 if (n === undefined) {
4099 throw new Error('Invalid BigInteger input');
4100 }
4101
4102 if (n instanceof Uint8Array) {
4103 const bytes = n;
4104 const hex = new Array(bytes.length);
4105 for (let i = 0; i < bytes.length; i++) {
4106 const hexByte = bytes[i].toString(16);
4107 hex[i] = (bytes[i] <= 0xF) ? ('0' + hexByte) : hexByte;
4108 }
4109 this.value = BigInt('0x0' + hex.join(''));
4110 } else {
4111 this.value = BigInt(n);
4112 }
4113 }
4114
4115 clone() {
4116 return new BigInteger(this.value);
4117 }
4118
4119 /**
4120 * BigInteger increment in place
4121 */
4122 iinc() {
4123 this.value++;
4124 return this;
4125 }
4126
4127 /**
4128 * BigInteger increment
4129 * @returns {BigInteger} this + 1.
4130 */
4131 inc() {
4132 return this.clone().iinc();
4133 }
4134
4135 /**
4136 * BigInteger decrement in place
4137 */
4138 idec() {
4139 this.value--;
4140 return this;
4141 }
4142
4143 /**
4144 * BigInteger decrement
4145 * @returns {BigInteger} this - 1.
4146 */
4147 dec() {
4148 return this.clone().idec();
4149 }
4150
4151 /**
4152 * BigInteger addition in place
4153 * @param {BigInteger} x - Value to add
4154 */
4155 iadd(x) {
4156 this.value += x.value;
4157 return this;
4158 }
4159
4160 /**
4161 * BigInteger addition
4162 * @param {BigInteger} x - Value to add
4163 * @returns {BigInteger} this + x.
4164 */
4165 add(x) {
4166 return this.clone().iadd(x);
4167 }
4168
4169 /**
4170 * BigInteger subtraction in place
4171 * @param {BigInteger} x - Value to subtract
4172 */
4173 isub(x) {
4174 this.value -= x.value;
4175 return this;
4176 }
4177
4178 /**
4179 * BigInteger subtraction
4180 * @param {BigInteger} x - Value to subtract
4181 * @returns {BigInteger} this - x.
4182 */
4183 sub(x) {
4184 return this.clone().isub(x);
4185 }
4186
4187 /**
4188 * BigInteger multiplication in place
4189 * @param {BigInteger} x - Value to multiply
4190 */
4191 imul(x) {
4192 this.value *= x.value;
4193 return this;
4194 }
4195
4196 /**
4197 * BigInteger multiplication
4198 * @param {BigInteger} x - Value to multiply
4199 * @returns {BigInteger} this * x.
4200 */
4201 mul(x) {
4202 return this.clone().imul(x);
4203 }
4204
4205 /**
4206 * Compute value modulo m, in place
4207 * @param {BigInteger} m - Modulo
4208 */
4209 imod(m) {
4210 this.value %= m.value;
4211 if (this.isNegative()) {
4212 this.iadd(m);
4213 }
4214 return this;
4215 }
4216
4217 /**
4218 * Compute value modulo m
4219 * @param {BigInteger} m - Modulo
4220 * @returns {BigInteger} this mod m.
4221 */
4222 mod(m) {
4223 return this.clone().imod(m);
4224 }
4225
4226 /**
4227 * Compute modular exponentiation using square and multiply
4228 * @param {BigInteger} e - Exponent
4229 * @param {BigInteger} n - Modulo
4230 * @returns {BigInteger} this ** e mod n.
4231 */
4232 modExp(e, n) {
4233 if (n.isZero()) throw Error("Modulo cannot be zero");
4234 if (n.isOne()) return new BigInteger(0);
4235 if (e.isNegative()) throw Error("Unsopported negative exponent");
4236
4237 let exp = e.value;
4238 let x = this.value;
4239
4240 x %= n.value;
4241 let r = BigInt(1);
4242 while (exp > BigInt(0)) {
4243 const lsb = exp & BigInt(1);
4244 exp >>= BigInt(1); // e / 2
4245 // Always compute multiplication step, to reduce timing leakage
4246 const rx = (r * x) % n.value;
4247 // Update r only if lsb is 1 (odd exponent)
4248 r = lsb ? rx : r;
4249 x = (x * x) % n.value; // Square
4250 }
4251 return new BigInteger(r);
4252 }
4253
4254
4255 /**
4256 * Compute the inverse of this value modulo n
4257 * Note: this and and n must be relatively prime
4258 * @param {BigInteger} n - Modulo
4259 * @returns {BigInteger} x such that this*x = 1 mod n
4260 * @throws {Error} if the inverse does not exist
4261 */
4262 modInv(n) {
4263 const { gcd, x } = this._egcd(n);
4264 if (!gcd.isOne()) {
4265 throw new Error('Inverse does not exist');
4266 }
4267 return x.add(n).mod(n);
4268 }
4269
4270 /**
4271 * Extended Eucleadian algorithm (http://anh.cs.luc.edu/331/notes/xgcd.pdf)
4272 * Given a = this and b, compute (x, y) such that ax + by = gdc(a, b)
4273 * @param {BigInteger} b - Second operand
4274 * @returns {{ gcd, x, y: BigInteger }}
4275 */
4276 _egcd(b) {
4277 let x = BigInt(0);
4278 let y = BigInt(1);
4279 let xPrev = BigInt(1);
4280 let yPrev = BigInt(0);
4281
4282 let a = this.value;
4283 b = b.value;
4284
4285 while (b !== BigInt(0)) {
4286 const q = a / b;
4287 let tmp = x;
4288 x = xPrev - q * x;
4289 xPrev = tmp;
4290
4291 tmp = y;
4292 y = yPrev - q * y;
4293 yPrev = tmp;
4294
4295 tmp = b;
4296 b = a % b;
4297 a = tmp;
4298 }
4299
4300 return {
4301 x: new BigInteger(xPrev),
4302 y: new BigInteger(yPrev),
4303 gcd: new BigInteger(a)
4304 };
4305 }
4306
4307 /**
4308 * Compute greatest common divisor between this and n
4309 * @param {BigInteger} b - Operand
4310 * @returns {BigInteger} gcd
4311 */
4312 gcd(b) {
4313 let a = this.value;
4314 b = b.value;
4315 while (b !== BigInt(0)) {
4316 const tmp = b;
4317 b = a % b;
4318 a = tmp;
4319 }
4320 return new BigInteger(a);
4321 }
4322
4323 /**
4324 * Shift this to the left by x, in place
4325 * @param {BigInteger} x - Shift value
4326 */
4327 ileftShift(x) {
4328 this.value <<= x.value;
4329 return this;
4330 }
4331
4332 /**
4333 * Shift this to the left by x
4334 * @param {BigInteger} x - Shift value
4335 * @returns {BigInteger} this << x.
4336 */
4337 leftShift(x) {
4338 return this.clone().ileftShift(x);
4339 }
4340
4341 /**
4342 * Shift this to the right by x, in place
4343 * @param {BigInteger} x - Shift value
4344 */
4345 irightShift(x) {
4346 this.value >>= x.value;
4347 return this;
4348 }
4349
4350 /**
4351 * Shift this to the right by x
4352 * @param {BigInteger} x - Shift value
4353 * @returns {BigInteger} this >> x.
4354 */
4355 rightShift(x) {
4356 return this.clone().irightShift(x);
4357 }
4358
4359 /**
4360 * Whether this value is equal to x
4361 * @param {BigInteger} x
4362 * @returns {Boolean}
4363 */
4364 equal(x) {
4365 return this.value === x.value;
4366 }
4367
4368 /**
4369 * Whether this value is less than x
4370 * @param {BigInteger} x
4371 * @returns {Boolean}
4372 */
4373 lt(x) {
4374 return this.value < x.value;
4375 }
4376
4377 /**
4378 * Whether this value is less than or equal to x
4379 * @param {BigInteger} x
4380 * @returns {Boolean}
4381 */
4382 lte(x) {
4383 return this.value <= x.value;
4384 }
4385
4386 /**
4387 * Whether this value is greater than x
4388 * @param {BigInteger} x
4389 * @returns {Boolean}
4390 */
4391 gt(x) {
4392 return this.value > x.value;
4393 }
4394
4395 /**
4396 * Whether this value is greater than or equal to x
4397 * @param {BigInteger} x
4398 * @returns {Boolean}
4399 */
4400 gte(x) {
4401 return this.value >= x.value;
4402 }
4403
4404 isZero() {
4405 return this.value === BigInt(0);
4406 }
4407
4408 isOne() {
4409 return this.value === BigInt(1);
4410 }
4411
4412 isNegative() {
4413 return this.value < BigInt(0);
4414 }
4415
4416 isEven() {
4417 return !(this.value & BigInt(1));
4418 }
4419
4420 abs() {
4421 const res = this.clone();
4422 if (this.isNegative()) {
4423 res.value = -res.value;
4424 }
4425 return res;
4426 }
4427
4428 /**
4429 * Get this value as a string
4430 * @returns {String} this value.
4431 */
4432 toString() {
4433 return this.value.toString();
4434 }
4435
4436 /**
4437 * Get this value as an exact Number (max 53 bits)
4438 * Fails if this value is too large
4439 * @returns {Number}
4440 */
4441 toNumber() {
4442 const number = Number(this.value);
4443 if (number > Number.MAX_SAFE_INTEGER) {
4444 // We throw and error to conform with the bn.js implementation
4445 throw new Error('Number can only safely store up to 53 bits');
4446 }
4447 return number;
4448 }
4449
4450 /**
4451 * Get value of i-th bit
4452 * @param {Number} i - Bit index
4453 * @returns {Number} Bit value.
4454 */
4455 getBit(i) {
4456 const bit = (this.value >> BigInt(i)) & BigInt(1);
4457 return (bit === BigInt(0)) ? 0 : 1;
4458 }
4459
4460 /**
4461 * Compute bit length
4462 * @returns {Number} Bit length.
4463 */
4464 bitLength() {
4465 const zero = new BigInteger(0);
4466 const one = new BigInteger(1);
4467 const negOne = new BigInteger(-1);
4468
4469 // -1n >> -1n is -1n
4470 // 1n >> 1n is 0n
4471 const target = this.isNegative() ? negOne : zero;
4472 let bitlen = 1;
4473 const tmp = this.clone();
4474 while (!tmp.irightShift(one).equal(target)) {
4475 bitlen++;
4476 }
4477 return bitlen;
4478 }
4479
4480 /**
4481 * Compute byte length
4482 * @returns {Number} Byte length.
4483 */
4484 byteLength() {
4485 const zero = new BigInteger(0);
4486 const negOne = new BigInteger(-1);
4487
4488 const target = this.isNegative() ? negOne : zero;
4489 const eight = new BigInteger(8);
4490 let len = 1;
4491 const tmp = this.clone();
4492 while (!tmp.irightShift(eight).equal(target)) {
4493 len++;
4494 }
4495 return len;
4496 }
4497
4498 /**
4499 * Get Uint8Array representation of this number
4500 * @param {String} endian - Endianess of output array (defaults to 'be')
4501 * @param {Number} length - Of output array
4502 * @returns {Uint8Array}
4503 */
4504 toUint8Array(endian = 'be', length) {
4505 // we get and parse the hex string (https://coolaj86.com/articles/convert-js-bigints-to-typedarrays/)
4506 // this is faster than shift+mod iterations
4507 let hex = this.value.toString(16);
4508 if (hex.length % 2 === 1) {
4509 hex = '0' + hex;
4510 }
4511
4512 const rawLength = hex.length / 2;
4513 const bytes = new Uint8Array(length || rawLength);
4514 // parse hex
4515 const offset = length ? (length - rawLength) : 0;
4516 let i = 0;
4517 while (i < rawLength) {
4518 bytes[i + offset] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
4519 i++;
4520 }
4521
4522 if (endian !== 'be') {
4523 bytes.reverse();
4524 }
4525
4526 return bytes;
4527 }
4528 }
4529
4530 async function getBigInteger() {
4531 if (util.detectBigInt()) {
4532 return BigInteger;
4533 } else {
4534 const { default: BigInteger } = await Promise.resolve().then(function () { return bn_interface; });
4535 return BigInteger;
4536 }
4537 }
4538
4539 // GPG4Browsers - An OpenPGP implementation in javascript
4540
4541 const debugMode = globalThis.process && globalThis.process.env.NODE_ENV === 'development';
4542
4543 const util = {
4544 isString: function(data) {
4545 return typeof data === 'string' || String.prototype.isPrototypeOf(data);
4546 },
4547
4548 isArray: function(data) {
4549 return Array.prototype.isPrototypeOf(data);
4550 },
4551
4552 isBigInteger: function(data) {
4553 return data !== null && typeof data === 'object' && data.value &&
4554 // eslint-disable-next-line valid-typeof
4555 (typeof data.value === 'bigint' || this.isBN(data.value));
4556 },
4557
4558 isBN: function(data) {
4559 return data !== null && typeof data === 'object' &&
4560 (data.constructor.name === 'BN' ||
4561 (data.constructor.wordSize === 26 && Array.isArray(data.words))); // taken from BN.isBN()
4562 },
4563
4564 isUint8Array: stream.isUint8Array,
4565
4566 isStream: stream.isStream,
4567
4568 /**
4569 * Convert MessagePorts back to ReadableStreams
4570 * @param {Object} obj
4571 * @returns {Object}
4572 */
4573 restoreStreams: function(obj, streaming) {
4574 if (Object.prototype.toString.call(obj) === '[object MessagePort]') {
4575 return new (streaming === 'web' ? globalThis.ReadableStream : stream.ReadableStream)({
4576 pull(controller) {
4577 return new Promise(resolve => {
4578 obj.onmessage = evt => {
4579 const { done, value, error } = evt.data;
4580 if (error) {
4581 controller.error(new Error(error));
4582 } else if (!done) {
4583 controller.enqueue(value);
4584 } else {
4585 controller.close();
4586 }
4587 resolve();
4588 };
4589 obj.postMessage({ action: 'read' });
4590 });
4591 },
4592 cancel() {
4593 return new Promise(resolve => {
4594 obj.onmessage = resolve;
4595 obj.postMessage({ action: 'cancel' });
4596 });
4597 }
4598 }, { highWaterMark: 0 });
4599 }
4600 if (Object.prototype.isPrototypeOf(obj) && !Uint8Array.prototype.isPrototypeOf(obj)) {
4601 Object.entries(obj).forEach(([key, value]) => { // recursively search all children
4602 obj[key] = util.restoreStreams(value, streaming);
4603 });
4604 }
4605 return obj;
4606 },
4607
4608 readNumber: function (bytes) {
4609 let n = 0;
4610 for (let i = 0; i < bytes.length; i++) {
4611 n += (256 ** i) * bytes[bytes.length - 1 - i];
4612 }
4613 return n;
4614 },
4615
4616 writeNumber: function (n, bytes) {
4617 const b = new Uint8Array(bytes);
4618 for (let i = 0; i < bytes; i++) {
4619 b[i] = (n >> (8 * (bytes - i - 1))) & 0xFF;
4620 }
4621
4622 return b;
4623 },
4624
4625 readDate: function (bytes) {
4626 const n = util.readNumber(bytes);
4627 const d = new Date(n * 1000);
4628 return d;
4629 },
4630
4631 writeDate: function (time) {
4632 const numeric = Math.floor(time.getTime() / 1000);
4633
4634 return util.writeNumber(numeric, 4);
4635 },
4636
4637 normalizeDate: function (time = Date.now()) {
4638 return time === null || time === Infinity ? time : new Date(Math.floor(+time / 1000) * 1000);
4639 },
4640
4641 /**
4642 * Create hex string from a binary
4643 * @param {String} str - String to convert
4644 * @returns {String} String containing the hexadecimal values.
4645 */
4646 strToHex: function (str) {
4647 if (str === null) {
4648 return "";
4649 }
4650 const r = [];
4651 const e = str.length;
4652 let c = 0;
4653 let h;
4654 while (c < e) {
4655 h = str.charCodeAt(c++).toString(16);
4656 while (h.length < 2) {
4657 h = "0" + h;
4658 }
4659 r.push("" + h);
4660 }
4661 return r.join('');
4662 },
4663
4664 /**
4665 * Create binary string from a hex encoded string
4666 * @param {String} str - Hex string to convert
4667 * @returns {String}
4668 */
4669 hexToStr: function (hex) {
4670 let str = '';
4671 for (let i = 0; i < hex.length; i += 2) {
4672 str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
4673 }
4674 return str;
4675 },
4676
4677 /**
4678 * Read one MPI from bytes in input
4679 * @param {Uint8Array} bytes - Input data to parse
4680 * @returns {Uint8Array} Parsed MPI.
4681 */
4682 readMPI: function (bytes) {
4683 const bits = (bytes[0] << 8) | bytes[1];
4684 const bytelen = (bits + 7) >>> 3;
4685 return bytes.subarray(2, 2 + bytelen);
4686 },
4687
4688 /**
4689 * Left-pad Uint8Array to length by adding 0x0 bytes
4690 * @param {Uint8Array} bytes - Data to pad
4691 * @param {Number} length - Padded length
4692 * @returns {Uint8Array} Padded bytes.
4693 */
4694 leftPad(bytes, length) {
4695 const padded = new Uint8Array(length);
4696 const offset = length - bytes.length;
4697 padded.set(bytes, offset);
4698 return padded;
4699 },
4700
4701 /**
4702 * Convert a Uint8Array to an MPI-formatted Uint8Array.
4703 * @param {Uint8Array} bin - An array of 8-bit integers to convert
4704 * @returns {Uint8Array} MPI-formatted Uint8Array.
4705 */
4706 uint8ArrayToMpi: function (bin) {
4707 let i; // index of leading non-zero byte
4708 for (i = 0; i < bin.length; i++) if (bin[i] !== 0) break;
4709 if (i === bin.length) {
4710 throw new Error('Zero MPI');
4711 }
4712 const stripped = bin.subarray(i);
4713 const size = (stripped.length - 1) * 8 + util.nbits(stripped[0]);
4714 const prefix = Uint8Array.from([(size & 0xFF00) >> 8, size & 0xFF]);
4715 return util.concatUint8Array([prefix, stripped]);
4716 },
4717
4718 /**
4719 * Convert a hex string to an array of 8-bit integers
4720 * @param {String} hex - A hex string to convert
4721 * @returns {Uint8Array} An array of 8-bit integers.
4722 */
4723 hexToUint8Array: function (hex) {
4724 const result = new Uint8Array(hex.length >> 1);
4725 for (let k = 0; k < hex.length >> 1; k++) {
4726 result[k] = parseInt(hex.substr(k << 1, 2), 16);
4727 }
4728 return result;
4729 },
4730
4731 /**
4732 * Convert an array of 8-bit integers to a hex string
4733 * @param {Uint8Array} bytes - Array of 8-bit integers to convert
4734 * @returns {String} Hexadecimal representation of the array.
4735 */
4736 uint8ArrayToHex: function (bytes) {
4737 const r = [];
4738 const e = bytes.length;
4739 let c = 0;
4740 let h;
4741 while (c < e) {
4742 h = bytes[c++].toString(16);
4743 while (h.length < 2) {
4744 h = "0" + h;
4745 }
4746 r.push("" + h);
4747 }
4748 return r.join('');
4749 },
4750
4751 /**
4752 * Convert a string to an array of 8-bit integers
4753 * @param {String} str - String to convert
4754 * @returns {Uint8Array} An array of 8-bit integers.
4755 */
4756 strToUint8Array: function (str) {
4757 return stream.transform(str, str => {
4758 if (!util.isString(str)) {
4759 throw new Error('strToUint8Array: Data must be in the form of a string');
4760 }
4761
4762 const result = new Uint8Array(str.length);
4763 for (let i = 0; i < str.length; i++) {
4764 result[i] = str.charCodeAt(i);
4765 }
4766 return result;
4767 });
4768 },
4769
4770 /**
4771 * Convert an array of 8-bit integers to a string
4772 * @param {Uint8Array} bytes - An array of 8-bit integers to convert
4773 * @returns {String} String representation of the array.
4774 */
4775 uint8ArrayToStr: function (bytes) {
4776 bytes = new Uint8Array(bytes);
4777 const result = [];
4778 const bs = 1 << 14;
4779 const j = bytes.length;
4780
4781 for (let i = 0; i < j; i += bs) {
4782 result.push(String.fromCharCode.apply(String, bytes.subarray(i, i + bs < j ? i + bs : j)));
4783 }
4784 return result.join('');
4785 },
4786
4787 /**
4788 * Convert a native javascript string to a Uint8Array of utf8 bytes
4789 * @param {String|ReadableStream} str - The string to convert
4790 * @returns {Uint8Array|ReadableStream} A valid squence of utf8 bytes.
4791 */
4792 encodeUtf8: function (str) {
4793 const encoder = new TextEncoder('utf-8');
4794 // eslint-disable-next-line no-inner-declarations
4795 function process(value, lastChunk = false) {
4796 return encoder.encode(value, { stream: !lastChunk });
4797 }
4798 return stream.transform(str, process, () => process('', true));
4799 },
4800
4801 /**
4802 * Convert a Uint8Array of utf8 bytes to a native javascript string
4803 * @param {Uint8Array|ReadableStream} utf8 - A valid squence of utf8 bytes
4804 * @returns {String|ReadableStream} A native javascript string.
4805 */
4806 decodeUtf8: function (utf8) {
4807 const decoder = new TextDecoder('utf-8');
4808 // eslint-disable-next-line no-inner-declarations
4809 function process(value, lastChunk = false) {
4810 return decoder.decode(value, { stream: !lastChunk });
4811 }
4812 return stream.transform(utf8, process, () => process(new Uint8Array(), true));
4813 },
4814
4815 /**
4816 * Concat a list of Uint8Arrays, Strings or Streams
4817 * The caller must not mix Uint8Arrays with Strings, but may mix Streams with non-Streams.
4818 * @param {Array<Uint8Array|String|ReadableStream>} Array - Of Uint8Arrays/Strings/Streams to concatenate
4819 * @returns {Uint8Array|String|ReadableStream} Concatenated array.
4820 */
4821 concat: stream.concat,
4822
4823 /**
4824 * Concat Uint8Arrays
4825 * @param {Array<Uint8Array>} Array - Of Uint8Arrays to concatenate
4826 * @returns {Uint8Array} Concatenated array.
4827 */
4828 concatUint8Array: stream.concatUint8Array,
4829
4830 /**
4831 * Check Uint8Array equality
4832 * @param {Uint8Array} array1 - First array
4833 * @param {Uint8Array} array2 - Second array
4834 * @returns {Boolean} Equality.
4835 */
4836 equalsUint8Array: function (array1, array2) {
4837 if (!util.isUint8Array(array1) || !util.isUint8Array(array2)) {
4838 throw new Error('Data must be in the form of a Uint8Array');
4839 }
4840
4841 if (array1.length !== array2.length) {
4842 return false;
4843 }
4844
4845 for (let i = 0; i < array1.length; i++) {
4846 if (array1[i] !== array2[i]) {
4847 return false;
4848 }
4849 }
4850 return true;
4851 },
4852
4853 /**
4854 * Calculates a 16bit sum of a Uint8Array by adding each character
4855 * codes modulus 65535
4856 * @param {Uint8Array} Uint8Array - To create a sum of
4857 * @returns {Uint8Array} 2 bytes containing the sum of all charcodes % 65535.
4858 */
4859 writeChecksum: function (text) {
4860 let s = 0;
4861 for (let i = 0; i < text.length; i++) {
4862 s = (s + text[i]) & 0xFFFF;
4863 }
4864 return util.writeNumber(s, 2);
4865 },
4866
4867 /**
4868 * Helper function to print a debug message. Debug
4869 * messages are only printed if
4870 * @param {String} str - String of the debug message
4871 */
4872 printDebug: function (str) {
4873 if (debugMode) {
4874 console.log(str);
4875 }
4876 },
4877
4878 /**
4879 * Helper function to print a debug message. Debug
4880 * messages are only printed if
4881 * Different than print_debug because will call Uint8ArrayToHex iff necessary.
4882 * @param {String} str - String of the debug message
4883 */
4884 printDebugHexArrayDump: function (str, arrToHex) {
4885 if (debugMode) {
4886 str += ': ' + util.uint8ArrayToHex(arrToHex);
4887 console.log(str);
4888 }
4889 },
4890
4891 /**
4892 * Helper function to print a debug message. Debug
4893 * messages are only printed if
4894 * Different than print_debug because will call strToHex iff necessary.
4895 * @param {String} str - String of the debug message
4896 */
4897 printDebugHexStrDump: function (str, strToHex) {
4898 if (debugMode) {
4899 str += util.strToHex(strToHex);
4900 console.log(str);
4901 }
4902 },
4903
4904 /**
4905 * Helper function to print a debug error. Debug
4906 * messages are only printed if
4907 * @param {String} str - String of the debug message
4908 */
4909 printDebugError: function (error) {
4910 if (debugMode) {
4911 console.error(error);
4912 }
4913 },
4914
4915 /**
4916 * Read a stream to the end and print it to the console when it's closed.
4917 * @param {String} str - String of the debug message
4918 * @param {ReadableStream|Uint8array|String} input - Stream to print
4919 * @param {Function} concat - Function to concatenate chunks of the stream (defaults to util.concat).
4920 */
4921 printEntireStream: function (str, input, concat) {
4922 stream.readToEnd(stream.clone(input), concat).then(result => {
4923 console.log(str + ': ', result);
4924 });
4925 },
4926
4927 // returns bit length of the integer x
4928 nbits: function (x) {
4929 let r = 1;
4930 let t = x >>> 16;
4931 if (t !== 0) {
4932 x = t;
4933 r += 16;
4934 }
4935 t = x >> 8;
4936 if (t !== 0) {
4937 x = t;
4938 r += 8;
4939 }
4940 t = x >> 4;
4941 if (t !== 0) {
4942 x = t;
4943 r += 4;
4944 }
4945 t = x >> 2;
4946 if (t !== 0) {
4947 x = t;
4948 r += 2;
4949 }
4950 t = x >> 1;
4951 if (t !== 0) {
4952 x = t;
4953 r += 1;
4954 }
4955 return r;
4956 },
4957
4958 /**
4959 * If S[1] == 0, then double(S) == (S[2..128] || 0);
4960 * otherwise, double(S) == (S[2..128] || 0) xor
4961 * (zeros(120) || 10000111).
4962 *
4963 * Both OCB and EAX (through CMAC) require this function to be constant-time.
4964 *
4965 * @param {Uint8Array} data
4966 */
4967 double: function(data) {
4968 const double_var = new Uint8Array(data.length);
4969 const last = data.length - 1;
4970 for (let i = 0; i < last; i++) {
4971 double_var[i] = (data[i] << 1) ^ (data[i + 1] >> 7);
4972 }
4973 double_var[last] = (data[last] << 1) ^ ((data[0] >> 7) * 0x87);
4974 return double_var;
4975 },
4976
4977 /**
4978 * Shift a Uint8Array to the right by n bits
4979 * @param {Uint8Array} array - The array to shift
4980 * @param {Integer} bits - Amount of bits to shift (MUST be smaller
4981 * than 8)
4982 * @returns {String} Resulting array.
4983 */
4984 shiftRight: function (array, bits) {
4985 if (bits) {
4986 for (let i = array.length - 1; i >= 0; i--) {
4987 array[i] >>= bits;
4988 if (i > 0) {
4989 array[i] |= (array[i - 1] << (8 - bits));
4990 }
4991 }
4992 }
4993 return array;
4994 },
4995
4996 /**
4997 * Get native Web Cryptography api, only the current version of the spec.
4998 * @returns {Object} The SubtleCrypto api or 'undefined'.
4999 */
5000 getWebCrypto: function() {
5001 return typeof globalThis !== 'undefined' && globalThis.crypto && globalThis.crypto.subtle;
5002 },
5003
5004 /**
5005 * Detect Node.js runtime.
5006 */
5007 detectNode: function() {
5008 return typeof globalThis.process === 'object' &&
5009 typeof globalThis.process.versions === 'object';
5010 },
5011
5012 /**
5013 * Detect native BigInt support
5014 */
5015 detectBigInt: () => typeof BigInt !== 'undefined',
5016
5017 /**
5018 * Get BigInteger class
5019 * It wraps the native BigInt type if it's available
5020 * Otherwise it relies on bn.js
5021 * @returns {BigInteger}
5022 * @async
5023 */
5024 getBigInteger,
5025
5026 /**
5027 * Get native Node.js crypto api.
5028 * @returns {Object} The crypto module or 'undefined'.
5029 */
5030 getNodeCrypto: function() {
5031 return void('crypto');
5032 },
5033
5034 getNodeZlib: function() {
5035 return void('zlib');
5036 },
5037
5038 /**
5039 * Get native Node.js Buffer constructor. This should be used since
5040 * Buffer is not available under browserify.
5041 * @returns {Function} The Buffer constructor or 'undefined'.
5042 */
5043 getNodeBuffer: function() {
5044 return ({}).Buffer;
5045 },
5046
5047 getNodeStream: function() {
5048 return ({}).Readable;
5049 },
5050
5051 getHardwareConcurrency: function() {
5052 if (util.detectNode()) {
5053 const os = void('os');
5054 return os.cpus().length;
5055 }
5056
5057 return navigator.hardwareConcurrency || 1;
5058 },
5059
5060 isEmailAddress: function(data) {
5061 if (!util.isString(data)) {
5062 return false;
5063 }
5064 const re = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+([a-zA-Z]{2,}|xn--[a-zA-Z\-0-9]+)))$/;
5065 return re.test(data);
5066 },
5067
5068 /**
5069 * Normalize line endings to <CR><LF>
5070 * Support any encoding where CR=0x0D, LF=0x0A
5071 */
5072 canonicalizeEOL: function(data) {
5073 const CR = 13;
5074 const LF = 10;
5075 let carryOverCR = false;
5076
5077 return stream.transform(data, bytes => {
5078 if (carryOverCR) {
5079 bytes = util.concatUint8Array([new Uint8Array([CR]), bytes]);
5080 }
5081
5082 if (bytes[bytes.length - 1] === CR) {
5083 carryOverCR = true;
5084 bytes = bytes.subarray(0, -1);
5085 } else {
5086 carryOverCR = false;
5087 }
5088
5089 let index;
5090 const indices = [];
5091 for (let i = 0; ; i = index) {
5092 index = bytes.indexOf(LF, i) + 1;
5093 if (index) {
5094 if (bytes[index - 2] !== CR) indices.push(index);
5095 } else {
5096 break;
5097 }
5098 }
5099 if (!indices.length) {
5100 return bytes;
5101 }
5102
5103 const normalized = new Uint8Array(bytes.length + indices.length);
5104 let j = 0;
5105 for (let i = 0; i < indices.length; i++) {
5106 const sub = bytes.subarray(indices[i - 1] || 0, indices[i]);
5107 normalized.set(sub, j);
5108 j += sub.length;
5109 normalized[j - 1] = CR;
5110 normalized[j] = LF;
5111 j++;
5112 }
5113 normalized.set(bytes.subarray(indices[indices.length - 1] || 0), j);
5114 return normalized;
5115 }, () => (carryOverCR ? new Uint8Array([CR]) : undefined));
5116 },
5117
5118 /**
5119 * Convert line endings from canonicalized <CR><LF> to native <LF>
5120 * Support any encoding where CR=0x0D, LF=0x0A
5121 */
5122 nativeEOL: function(data) {
5123 const CR = 13;
5124 const LF = 10;
5125 let carryOverCR = false;
5126
5127 return stream.transform(data, bytes => {
5128 if (carryOverCR && bytes[0] !== LF) {
5129 bytes = util.concatUint8Array([new Uint8Array([CR]), bytes]);
5130 } else {
5131 bytes = new Uint8Array(bytes); // Don't mutate passed bytes
5132 }
5133
5134 if (bytes[bytes.length - 1] === CR) {
5135 carryOverCR = true;
5136 bytes = bytes.subarray(0, -1);
5137 } else {
5138 carryOverCR = false;
5139 }
5140
5141 let index;
5142 let j = 0;
5143 for (let i = 0; i !== bytes.length; i = index) {
5144 index = bytes.indexOf(CR, i) + 1;
5145 if (!index) index = bytes.length;
5146 const last = index - (bytes[index] === LF ? 1 : 0);
5147 if (i) bytes.copyWithin(j, i, last);
5148 j += last - i;
5149 }
5150 return bytes.subarray(0, j);
5151 }, () => (carryOverCR ? new Uint8Array([CR]) : undefined));
5152 },
5153
5154 /**
5155 * Remove trailing spaces and tabs from each line
5156 */
5157 removeTrailingSpaces: function(text) {
5158 return text.split('\n').map(line => {
5159 let i = line.length - 1;
5160 for (; i >= 0 && (line[i] === ' ' || line[i] === '\t'); i--);
5161 return line.substr(0, i + 1);
5162 }).join('\n');
5163 },
5164
5165 wrapError: function(message, error) {
5166 if (!error) {
5167 return new Error(message);
5168 }
5169
5170 // update error message
5171 try {
5172 error.message = message + ': ' + error.message;
5173 } catch (e) {}
5174
5175 return error;
5176 }
5177 };
5178
5179 /* OpenPGP radix-64/base64 string encoding/decoding
5180 * Copyright 2005 Herbert Hanewinkel, www.haneWIN.de
5181 * version 1.0, check www.haneWIN.de for the latest version
5182 *
5183 * This software is provided as-is, without express or implied warranty.
5184 * Permission to use, copy, modify, distribute or sell this software, with or
5185 * without fee, for any purpose and by any individual or organization, is hereby
5186 * granted, provided that the above copyright notice and this paragraph appear
5187 * in all copies. Distribution as a part of an application or binary must
5188 * include the above copyright notice in the documentation and/or other materials
5189 * provided with the application or distribution.
5190 */
5191
5192 const Buffer = util.getNodeBuffer();
5193
5194 let encodeChunk;
5195 let decodeChunk;
5196 if (Buffer) {
5197 encodeChunk = buf => Buffer.from(buf).toString('base64');
5198 decodeChunk = str => {
5199 const b = Buffer.from(str, 'base64');
5200 return new Uint8Array(b.buffer, b.byteOffset, b.byteLength);
5201 };
5202 } else {
5203 encodeChunk = buf => btoa(util.uint8ArrayToStr(buf));
5204 decodeChunk = str => util.strToUint8Array(atob(str));
5205 }
5206
5207 /**
5208 * Convert binary array to radix-64
5209 * @param {Uint8Array | ReadableStream<Uint8Array>} data - Uint8Array to convert
5210 * @returns {String | ReadableStream<String>} Radix-64 version of input string.
5211 * @static
5212 */
5213 function encode(data) {
5214 let buf = new Uint8Array();
5215 return stream.transform(data, value => {
5216 buf = util.concatUint8Array([buf, value]);
5217 const r = [];
5218 const bytesPerLine = 45; // 60 chars per line * (3 bytes / 4 chars of base64).
5219 const lines = Math.floor(buf.length / bytesPerLine);
5220 const bytes = lines * bytesPerLine;
5221 const encoded = encodeChunk(buf.subarray(0, bytes));
5222 for (let i = 0; i < lines; i++) {
5223 r.push(encoded.substr(i * 60, 60));
5224 r.push('\n');
5225 }
5226 buf = buf.subarray(bytes);
5227 return r.join('');
5228 }, () => (buf.length ? encodeChunk(buf) + '\n' : ''));
5229 }
5230
5231 /**
5232 * Convert radix-64 to binary array
5233 * @param {String | ReadableStream<String>} data - Radix-64 string to convert
5234 * @returns {Uint8Array | ReadableStream<Uint8Array>} Binary array version of input string.
5235 * @static
5236 */
5237 function decode(data) {
5238 let buf = '';
5239 return stream.transform(data, value => {
5240 buf += value;
5241
5242 // Count how many whitespace characters there are in buf
5243 let spaces = 0;
5244 const spacechars = [' ', '\t', '\r', '\n'];
5245 for (let i = 0; i < spacechars.length; i++) {
5246 const spacechar = spacechars[i];
5247 for (let pos = buf.indexOf(spacechar); pos !== -1; pos = buf.indexOf(spacechar, pos + 1)) {
5248 spaces++;
5249 }
5250 }
5251
5252 // Backtrack until we have 4n non-whitespace characters
5253 // that we can safely base64-decode
5254 let length = buf.length;
5255 for (; length > 0 && (length - spaces) % 4 !== 0; length--) {
5256 if (spacechars.includes(buf[length])) spaces--;
5257 }
5258
5259 const decoded = decodeChunk(buf.substr(0, length));
5260 buf = buf.substr(length);
5261 return decoded;
5262 }, () => decodeChunk(buf));
5263 }
5264
5265 /**
5266 * Convert a Base-64 encoded string an array of 8-bit integer
5267 *
5268 * Note: accepts both Radix-64 and URL-safe strings
5269 * @param {String} base64 - Base-64 encoded string to convert
5270 * @returns {Uint8Array} An array of 8-bit integers.
5271 */
5272 function b64ToUint8Array(base64) {
5273 return decode(base64.replace(/-/g, '+').replace(/_/g, '/'));
5274 }
5275
5276 /**
5277 * Convert an array of 8-bit integer to a Base-64 encoded string
5278 * @param {Uint8Array} bytes - An array of 8-bit integers to convert
5279 * @param {bool} url - If true, output is URL-safe
5280 * @returns {String} Base-64 encoded string.
5281 */
5282 function uint8ArrayToB64(bytes, url) {
5283 let encoded = encode(bytes).replace(/[\r\n]/g, '');
5284 if (url) {
5285 encoded = encoded.replace(/[+]/g, '-').replace(/[/]/g, '_').replace(/[=]/g, '');
5286 }
5287 return encoded;
5288 }
5289
5290 /**
5291 * @module enums
5292 */
5293
5294 const byValue = Symbol('byValue');
5295
5296 var enums = {
5297
5298 /** Maps curve names under various standards to one
5299 * @see {@link https://wiki.gnupg.org/ECC|ECC - GnuPG wiki}
5300 * @enum {String}
5301 * @readonly
5302 */
5303 curve: {
5304 /** NIST P-256 Curve */
5305 "p256": "p256",
5306 "P-256": "p256",
5307 "secp256r1": "p256",
5308 "prime256v1": "p256",
5309 "1.2.840.10045.3.1.7": "p256",
5310 "2a8648ce3d030107": "p256",
5311 "2A8648CE3D030107": "p256",
5312
5313 /** NIST P-384 Curve */
5314 "p384": "p384",
5315 "P-384": "p384",
5316 "secp384r1": "p384",
5317 "1.3.132.0.34": "p384",
5318 "2b81040022": "p384",
5319 "2B81040022": "p384",
5320
5321 /** NIST P-521 Curve */
5322 "p521": "p521",
5323 "P-521": "p521",
5324 "secp521r1": "p521",
5325 "1.3.132.0.35": "p521",
5326 "2b81040023": "p521",
5327 "2B81040023": "p521",
5328
5329 /** SECG SECP256k1 Curve */
5330 "secp256k1": "secp256k1",
5331 "1.3.132.0.10": "secp256k1",
5332 "2b8104000a": "secp256k1",
5333 "2B8104000A": "secp256k1",
5334
5335 /** Ed25519 */
5336 "ED25519": "ed25519",
5337 "ed25519": "ed25519",
5338 "Ed25519": "ed25519",
5339 "1.3.6.1.4.1.11591.15.1": "ed25519",
5340 "2b06010401da470f01": "ed25519",
5341 "2B06010401DA470F01": "ed25519",
5342
5343 /** Curve25519 */
5344 "X25519": "curve25519",
5345 "cv25519": "curve25519",
5346 "curve25519": "curve25519",
5347 "Curve25519": "curve25519",
5348 "1.3.6.1.4.1.3029.1.5.1": "curve25519",
5349 "2b060104019755010501": "curve25519",
5350 "2B060104019755010501": "curve25519",
5351
5352 /** BrainpoolP256r1 Curve */
5353 "brainpoolP256r1": "brainpoolP256r1",
5354 "1.3.36.3.3.2.8.1.1.7": "brainpoolP256r1",
5355 "2b2403030208010107": "brainpoolP256r1",
5356 "2B2403030208010107": "brainpoolP256r1",
5357
5358 /** BrainpoolP384r1 Curve */
5359 "brainpoolP384r1": "brainpoolP384r1",
5360 "1.3.36.3.3.2.8.1.1.11": "brainpoolP384r1",
5361 "2b240303020801010b": "brainpoolP384r1",
5362 "2B240303020801010B": "brainpoolP384r1",
5363
5364 /** BrainpoolP512r1 Curve */
5365 "brainpoolP512r1": "brainpoolP512r1",
5366 "1.3.36.3.3.2.8.1.1.13": "brainpoolP512r1",
5367 "2b240303020801010d": "brainpoolP512r1",
5368 "2B240303020801010D": "brainpoolP512r1"
5369 },
5370
5371 /** A string to key specifier type
5372 * @enum {Integer}
5373 * @readonly
5374 */
5375 s2k: {
5376 simple: 0,
5377 salted: 1,
5378 iterated: 3,
5379 gnu: 101
5380 },
5381
5382 /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.1|RFC4880bis-04, section 9.1}
5383 * @enum {Integer}
5384 * @readonly
5385 */
5386 publicKey: {
5387 /** RSA (Encrypt or Sign) [HAC] */
5388 rsaEncryptSign: 1,
5389 /** RSA (Encrypt only) [HAC] */
5390 rsaEncrypt: 2,
5391 /** RSA (Sign only) [HAC] */
5392 rsaSign: 3,
5393 /** Elgamal (Encrypt only) [ELGAMAL] [HAC] */
5394 elgamal: 16,
5395 /** DSA (Sign only) [FIPS186] [HAC] */
5396 dsa: 17,
5397 /** ECDH (Encrypt only) [RFC6637] */
5398 ecdh: 18,
5399 /** ECDSA (Sign only) [RFC6637] */
5400 ecdsa: 19,
5401 /** EdDSA (Sign only)
5402 * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */
5403 eddsa: 22,
5404 /** Reserved for AEDH */
5405 aedh: 23,
5406 /** Reserved for AEDSA */
5407 aedsa: 24
5408 },
5409
5410 /** {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC4880, section 9.2}
5411 * @enum {Integer}
5412 * @readonly
5413 */
5414 symmetric: {
5415 plaintext: 0,
5416 /** Not implemented! */
5417 idea: 1,
5418 tripledes: 2,
5419 cast5: 3,
5420 blowfish: 4,
5421 aes128: 7,
5422 aes192: 8,
5423 aes256: 9,
5424 twofish: 10
5425 },
5426
5427 /** {@link https://tools.ietf.org/html/rfc4880#section-9.3|RFC4880, section 9.3}
5428 * @enum {Integer}
5429 * @readonly
5430 */
5431 compression: {
5432 uncompressed: 0,
5433 /** RFC1951 */
5434 zip: 1,
5435 /** RFC1950 */
5436 zlib: 2,
5437 bzip2: 3
5438 },
5439
5440 /** {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC4880, section 9.4}
5441 * @enum {Integer}
5442 * @readonly
5443 */
5444 hash: {
5445 md5: 1,
5446 sha1: 2,
5447 ripemd: 3,
5448 sha256: 8,
5449 sha384: 9,
5450 sha512: 10,
5451 sha224: 11
5452 },
5453
5454 /** A list of hash names as accepted by webCrypto functions.
5455 * {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest|Parameters, algo}
5456 * @enum {String}
5457 */
5458 webHash: {
5459 'SHA-1': 2,
5460 'SHA-256': 8,
5461 'SHA-384': 9,
5462 'SHA-512': 10
5463 },
5464
5465 /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.6|RFC4880bis-04, section 9.6}
5466 * @enum {Integer}
5467 * @readonly
5468 */
5469 aead: {
5470 eax: 1,
5471 ocb: 2,
5472 experimentalGcm: 100 // Private algorithm
5473 },
5474
5475 /** A list of packet types and numeric tags associated with them.
5476 * @enum {Integer}
5477 * @readonly
5478 */
5479 packet: {
5480 publicKeyEncryptedSessionKey: 1,
5481 signature: 2,
5482 symEncryptedSessionKey: 3,
5483 onePassSignature: 4,
5484 secretKey: 5,
5485 publicKey: 6,
5486 secretSubkey: 7,
5487 compressedData: 8,
5488 symmetricallyEncryptedData: 9,
5489 marker: 10,
5490 literalData: 11,
5491 trust: 12,
5492 userID: 13,
5493 publicSubkey: 14,
5494 userAttribute: 17,
5495 symEncryptedIntegrityProtectedData: 18,
5496 modificationDetectionCode: 19,
5497 AEADEncryptedData: 20 // see IETF draft: https://tools.ietf.org/html/draft-ford-openpgp-format-00#section-2.1
5498 },
5499
5500 /** Data types in the literal packet
5501 * @enum {Integer}
5502 * @readonly
5503 */
5504 literal: {
5505 /** Binary data 'b' */
5506 binary: 'b'.charCodeAt(),
5507 /** Text data 't' */
5508 text: 't'.charCodeAt(),
5509 /** Utf8 data 'u' */
5510 utf8: 'u'.charCodeAt(),
5511 /** MIME message body part 'm' */
5512 mime: 'm'.charCodeAt()
5513 },
5514
5515
5516 /** One pass signature packet type
5517 * @enum {Integer}
5518 * @readonly
5519 */
5520 signature: {
5521 /** 0x00: Signature of a binary document. */
5522 binary: 0,
5523 /** 0x01: Signature of a canonical text document.
5524 *
5525 * Canonicalyzing the document by converting line endings. */
5526 text: 1,
5527 /** 0x02: Standalone signature.
5528 *
5529 * This signature is a signature of only its own subpacket contents.
5530 * It is calculated identically to a signature over a zero-lengh
5531 * binary document. Note that it doesn't make sense to have a V3
5532 * standalone signature. */
5533 standalone: 2,
5534 /** 0x10: Generic certification of a User ID and Public-Key packet.
5535 *
5536 * The issuer of this certification does not make any particular
5537 * assertion as to how well the certifier has checked that the owner
5538 * of the key is in fact the person described by the User ID. */
5539 certGeneric: 16,
5540 /** 0x11: Persona certification of a User ID and Public-Key packet.
5541 *
5542 * The issuer of this certification has not done any verification of
5543 * the claim that the owner of this key is the User ID specified. */
5544 certPersona: 17,
5545 /** 0x12: Casual certification of a User ID and Public-Key packet.
5546 *
5547 * The issuer of this certification has done some casual
5548 * verification of the claim of identity. */
5549 certCasual: 18,
5550 /** 0x13: Positive certification of a User ID and Public-Key packet.
5551 *
5552 * The issuer of this certification has done substantial
5553 * verification of the claim of identity.
5554 *
5555 * Most OpenPGP implementations make their "key signatures" as 0x10
5556 * certifications. Some implementations can issue 0x11-0x13
5557 * certifications, but few differentiate between the types. */
5558 certPositive: 19,
5559 /** 0x30: Certification revocation signature
5560 *
5561 * This signature revokes an earlier User ID certification signature
5562 * (signature class 0x10 through 0x13) or direct-key signature
5563 * (0x1F). It should be issued by the same key that issued the
5564 * revoked signature or an authorized revocation key. The signature
5565 * is computed over the same data as the certificate that it
5566 * revokes, and should have a later creation date than that
5567 * certificate. */
5568 certRevocation: 48,
5569 /** 0x18: Subkey Binding Signature
5570 *
5571 * This signature is a statement by the top-level signing key that
5572 * indicates that it owns the subkey. This signature is calculated
5573 * directly on the primary key and subkey, and not on any User ID or
5574 * other packets. A signature that binds a signing subkey MUST have
5575 * an Embedded Signature subpacket in this binding signature that
5576 * contains a 0x19 signature made by the signing subkey on the
5577 * primary key and subkey. */
5578 subkeyBinding: 24,
5579 /** 0x19: Primary Key Binding Signature
5580 *
5581 * This signature is a statement by a signing subkey, indicating
5582 * that it is owned by the primary key and subkey. This signature
5583 * is calculated the same way as a 0x18 signature: directly on the
5584 * primary key and subkey, and not on any User ID or other packets.
5585 *
5586 * When a signature is made over a key, the hash data starts with the
5587 * octet 0x99, followed by a two-octet length of the key, and then body
5588 * of the key packet. (Note that this is an old-style packet header for
5589 * a key packet with two-octet length.) A subkey binding signature
5590 * (type 0x18) or primary key binding signature (type 0x19) then hashes
5591 * the subkey using the same format as the main key (also using 0x99 as
5592 * the first octet). */
5593 keyBinding: 25,
5594 /** 0x1F: Signature directly on a key
5595 *
5596 * This signature is calculated directly on a key. It binds the
5597 * information in the Signature subpackets to the key, and is
5598 * appropriate to be used for subpackets that provide information
5599 * about the key, such as the Revocation Key subpacket. It is also
5600 * appropriate for statements that non-self certifiers want to make
5601 * about the key itself, rather than the binding between a key and a
5602 * name. */
5603 key: 31,
5604 /** 0x20: Key revocation signature
5605 *
5606 * The signature is calculated directly on the key being revoked. A
5607 * revoked key is not to be used. Only revocation signatures by the
5608 * key being revoked, or by an authorized revocation key, should be
5609 * considered valid revocation signatures.a */
5610 keyRevocation: 32,
5611 /** 0x28: Subkey revocation signature
5612 *
5613 * The signature is calculated directly on the subkey being revoked.
5614 * A revoked subkey is not to be used. Only revocation signatures
5615 * by the top-level signature key that is bound to this subkey, or
5616 * by an authorized revocation key, should be considered valid
5617 * revocation signatures.
5618 *
5619 * Key revocation signatures (types 0x20 and 0x28)
5620 * hash only the key being revoked. */
5621 subkeyRevocation: 40,
5622 /** 0x40: Timestamp signature.
5623 * This signature is only meaningful for the timestamp contained in
5624 * it. */
5625 timestamp: 64,
5626 /** 0x50: Third-Party Confirmation signature.
5627 *
5628 * This signature is a signature over some other OpenPGP Signature
5629 * packet(s). It is analogous to a notary seal on the signed data.
5630 * A third-party signature SHOULD include Signature Target
5631 * subpacket(s) to give easy identification. Note that we really do
5632 * mean SHOULD. There are plausible uses for this (such as a blind
5633 * party that only sees the signature, not the key or source
5634 * document) that cannot include a target subpacket. */
5635 thirdParty: 80
5636 },
5637
5638 /** Signature subpacket type
5639 * @enum {Integer}
5640 * @readonly
5641 */
5642 signatureSubpacket: {
5643 signatureCreationTime: 2,
5644 signatureExpirationTime: 3,
5645 exportableCertification: 4,
5646 trustSignature: 5,
5647 regularExpression: 6,
5648 revocable: 7,
5649 keyExpirationTime: 9,
5650 placeholderBackwardsCompatibility: 10,
5651 preferredSymmetricAlgorithms: 11,
5652 revocationKey: 12,
5653 issuer: 16,
5654 notationData: 20,
5655 preferredHashAlgorithms: 21,
5656 preferredCompressionAlgorithms: 22,
5657 keyServerPreferences: 23,
5658 preferredKeyServer: 24,
5659 primaryUserId: 25,
5660 policyUri: 26,
5661 keyFlags: 27,
5662 signersUserId: 28,
5663 reasonForRevocation: 29,
5664 features: 30,
5665 signatureTarget: 31,
5666 embeddedSignature: 32,
5667 issuerFingerprint: 33,
5668 preferredAeadAlgorithms: 34
5669 },
5670
5671 /** Key flags
5672 * @enum {Integer}
5673 * @readonly
5674 */
5675 keyFlags: {
5676 /** 0x01 - This key may be used to certify other keys. */
5677 certifyKeys: 1,
5678 /** 0x02 - This key may be used to sign data. */
5679 signData: 2,
5680 /** 0x04 - This key may be used to encrypt communications. */
5681 encryptCommunication: 4,
5682 /** 0x08 - This key may be used to encrypt storage. */
5683 encryptStorage: 8,
5684 /** 0x10 - The private component of this key may have been split
5685 * by a secret-sharing mechanism. */
5686 splitPrivateKey: 16,
5687 /** 0x20 - This key may be used for authentication. */
5688 authentication: 32,
5689 /** 0x80 - The private component of this key may be in the
5690 * possession of more than one person. */
5691 sharedPrivateKey: 128
5692 },
5693
5694 /** Armor type
5695 * @enum {Integer}
5696 * @readonly
5697 */
5698 armor: {
5699 multipartSection: 0,
5700 multipartLast: 1,
5701 signed: 2,
5702 message: 3,
5703 publicKey: 4,
5704 privateKey: 5,
5705 signature: 6
5706 },
5707
5708 /** {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.23|RFC4880, section 5.2.3.23}
5709 * @enum {Integer}
5710 * @readonly
5711 */
5712 reasonForRevocation: {
5713 /** No reason specified (key revocations or cert revocations) */
5714 noReason: 0,
5715 /** Key is superseded (key revocations) */
5716 keySuperseded: 1,
5717 /** Key material has been compromised (key revocations) */
5718 keyCompromised: 2,
5719 /** Key is retired and no longer used (key revocations) */
5720 keyRetired: 3,
5721 /** User ID information is no longer valid (cert revocations) */
5722 userIdInvalid: 32
5723 },
5724
5725 /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.2.3.25|RFC4880bis-04, section 5.2.3.25}
5726 * @enum {Integer}
5727 * @readonly
5728 */
5729 features: {
5730 /** 0x01 - Modification Detection (packets 18 and 19) */
5731 modificationDetection: 1,
5732 /** 0x02 - AEAD Encrypted Data Packet (packet 20) and version 5
5733 * Symmetric-Key Encrypted Session Key Packets (packet 3) */
5734 aead: 2,
5735 /** 0x04 - Version 5 Public-Key Packet format and corresponding new
5736 * fingerprint format */
5737 v5Keys: 4
5738 },
5739
5740 /** Asserts validity and converts from string/integer to integer. */
5741 write: function(type, e) {
5742 if (typeof e === 'number') {
5743 e = this.read(type, e);
5744 }
5745
5746 if (type[e] !== undefined) {
5747 return type[e];
5748 }
5749
5750 throw new Error('Invalid enum value.');
5751 },
5752
5753 /** Converts from an integer to string. */
5754 read: function(type, e) {
5755 if (!type[byValue]) {
5756 type[byValue] = [];
5757 Object.entries(type).forEach(([key, value]) => {
5758 type[byValue][value] = key;
5759 });
5760 }
5761
5762 if (type[byValue][e] !== undefined) {
5763 return type[byValue][e];
5764 }
5765
5766 throw new Error('Invalid enum value.');
5767 }
5768
5769 };
5770
5771 // GPG4Browsers - An OpenPGP implementation in javascript
5772
5773 var defaultConfig = {
5774 /**
5775 * @memberof module:config
5776 * @property {Integer} preferHashAlgorithm Default hash algorithm {@link module:enums.hash}
5777 */
5778 preferHashAlgorithm: enums.hash.sha256,
5779 /**
5780 * @memberof module:config
5781 * @property {Integer} encryptionCipher Default encryption cipher {@link module:enums.symmetric}
5782 */
5783 encryptionCipher: enums.symmetric.aes256,
5784 /**
5785 * @memberof module:config
5786 * @property {Integer} compression Default compression algorithm {@link module:enums.compression}
5787 */
5788 compression: enums.compression.uncompressed,
5789 /**
5790 * @memberof module:config
5791 * @property {Integer} deflateLevel Default zip/zlib compression level, between 1 and 9
5792 */
5793 deflateLevel: 6,
5794
5795 /**
5796 * Use Authenticated Encryption with Additional Data (AEAD) protection for symmetric encryption.
5797 * Note: not all OpenPGP implementations are compatible with this option.
5798 * **FUTURE OPENPGP.JS VERSIONS MAY BREAK COMPATIBILITY WHEN USING THIS OPTION**
5799 * @see {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-07|RFC4880bis-07}
5800 * @memberof module:config
5801 * @property {Boolean} aeadProtect
5802 */
5803 aeadProtect: false,
5804 /**
5805 * Default Authenticated Encryption with Additional Data (AEAD) encryption mode
5806 * Only has an effect when aeadProtect is set to true.
5807 * @memberof module:config
5808 * @property {Integer} aeadMode Default AEAD mode {@link module:enums.aead}
5809 */
5810 aeadMode: enums.aead.eax,
5811 /**
5812 * Chunk Size Byte for Authenticated Encryption with Additional Data (AEAD) mode
5813 * Only has an effect when aeadProtect is set to true.
5814 * Must be an integer value from 0 to 56.
5815 * @memberof module:config
5816 * @property {Integer} aeadChunkSizeByte
5817 */
5818 aeadChunkSizeByte: 12,
5819 /**
5820 * Use V5 keys.
5821 * Note: not all OpenPGP implementations are compatible with this option.
5822 * **FUTURE OPENPGP.JS VERSIONS MAY BREAK COMPATIBILITY WHEN USING THIS OPTION**
5823 * @memberof module:config
5824 * @property {Boolean} v5Keys
5825 */
5826 v5Keys: false,
5827 /**
5828 * {@link https://tools.ietf.org/html/rfc4880#section-3.7.1.3|RFC4880 3.7.1.3}:
5829 * Iteration Count Byte for S2K (String to Key)
5830 * @memberof module:config
5831 * @property {Integer} s2kIterationCountByte
5832 */
5833 s2kIterationCountByte: 224,
5834 /**
5835 * Allow decryption of messages without integrity protection.
5836 * This is an **insecure** setting:
5837 * - message modifications cannot be detected, thus processing the decrypted data is potentially unsafe.
5838 * - it enables downgrade attacks against integrity-protected messages.
5839 * @memberof module:config
5840 * @property {Boolean} allowUnauthenticatedMessages
5841 */
5842 allowUnauthenticatedMessages: false,
5843 /**
5844 * Allow streaming unauthenticated data before its integrity has been checked.
5845 * This setting is **insecure** if the partially decrypted message is processed further or displayed to the user.
5846 * @memberof module:config
5847 * @property {Boolean} allowUnauthenticatedStream
5848 */
5849 allowUnauthenticatedStream: false,
5850 /**
5851 * @memberof module:config
5852 * @property {Boolean} checksumRequired Do not throw error when armor is missing a checksum
5853 */
5854 checksumRequired: false,
5855 /**
5856 * @memberof module:config
5857 * @property {Number} minRsaBits Minimum RSA key size allowed for key generation
5858 */
5859 minRsaBits: 2048,
5860 /**
5861 * Work-around for rare GPG decryption bug when encrypting with multiple passwords.
5862 * **Slower and slightly less secure**
5863 * @memberof module:config
5864 * @property {Boolean} passwordCollisionCheck
5865 */
5866 passwordCollisionCheck: false,
5867 /**
5868 * @memberof module:config
5869 * @property {Boolean} revocationsExpire If true, expired revocation signatures are ignored
5870 */
5871 revocationsExpire: false,
5872 /**
5873 * Allow decryption using RSA keys without `encrypt` flag.
5874 * This setting is potentially insecure, but it is needed to get around an old openpgpjs bug
5875 * where key flags were ignored when selecting a key for encryption.
5876 * @memberof module:config
5877 * @property {Boolean} allowInsecureDecryptionWithSigningKeys
5878 */
5879 allowInsecureDecryptionWithSigningKeys: false,
5880
5881 /**
5882 * @memberof module:config
5883 * @property {Integer} minBytesForWebCrypto The minimum amount of bytes for which to use native WebCrypto APIs when available
5884 */
5885 minBytesForWebCrypto: 1000,
5886 /**
5887 * @memberof module:config
5888 * @property {Boolean} tolerant Ignore unsupported/unrecognizable packets instead of throwing an error
5889 */
5890 tolerant: true,
5891
5892 /**
5893 * @memberof module:config
5894 * @property {Boolean} showVersion Whether to include {@link module:config/config.versionString} in armored messages
5895 */
5896 showVersion: false,
5897 /**
5898 * @memberof module:config
5899 * @property {Boolean} showComment Whether to include {@link module:config/config.commentString} in armored messages
5900 */
5901 showComment: false,
5902 /**
5903 * @memberof module:config
5904 * @property {String} versionString A version string to be included in armored messages
5905 */
5906 versionString: "OpenPGP.js 5.0.0-1",
5907 /**
5908 * @memberof module:config
5909 * @property {String} commentString A comment string to be included in armored messages
5910 */
5911 commentString: "https://openpgpjs.org",
5912
5913 /**
5914 * Max userid string length (used for parsing)
5915 * @memberof module:config
5916 * @property {Integer} maxUseridLength
5917 */
5918 maxUseridLength: 1024 * 5,
5919 /**
5920 * Contains notatations that are considered "known". Known notations do not trigger
5921 * validation error when the notation is marked as critical.
5922 * @memberof module:config
5923 * @property {Array} knownNotations
5924 */
5925 knownNotations: ["preferred-email-encoding@pgp.com", "pka-address@gnupg.org"],
5926 /**
5927 * @memberof module:config
5928 * @property {Boolean} useIndutnyElliptic Whether to use the indutny/elliptic library. When false, certain curves will not be supported.
5929 */
5930 useIndutnyElliptic: true,
5931 /**
5932 * @memberof module:config
5933 * @property {Set<Integer>} reject_hash_algorithms Reject insecure hash algorithms {@link module:enums.hash}
5934 */
5935 rejectHashAlgorithms: new globalThis.Set([enums.hash.md5, enums.hash.ripemd]),
5936 /**
5937 * @memberof module:config
5938 * @property {Set<Integer>} reject_message_hash_algorithms Reject insecure message hash algorithms {@link module:enums.hash}
5939 */
5940 rejectMessageHashAlgorithms: new globalThis.Set([enums.hash.md5, enums.hash.ripemd, enums.hash.sha1])
5941 };
5942
5943 // GPG4Browsers - An OpenPGP implementation in javascript
5944
5945 /**
5946 * Finds out which Ascii Armoring type is used. Throws error if unknown type.
5947 * @param {String} text - ascii armored text
5948 * @returns {Integer} 0 = MESSAGE PART n of m.
5949 * 1 = MESSAGE PART n
5950 * 2 = SIGNED MESSAGE
5951 * 3 = PGP MESSAGE
5952 * 4 = PUBLIC KEY BLOCK
5953 * 5 = PRIVATE KEY BLOCK
5954 * 6 = SIGNATURE
5955 * @private
5956 */
5957 function getType(text) {
5958 const reHeader = /^-----BEGIN PGP (MESSAGE, PART \d+\/\d+|MESSAGE, PART \d+|SIGNED MESSAGE|MESSAGE|PUBLIC KEY BLOCK|PRIVATE KEY BLOCK|SIGNATURE)-----$/m;
5959
5960 const header = text.match(reHeader);
5961
5962 if (!header) {
5963 throw new Error('Unknown ASCII armor type');
5964 }
5965
5966 // BEGIN PGP MESSAGE, PART X/Y
5967 // Used for multi-part messages, where the armor is split amongst Y
5968 // parts, and this is the Xth part out of Y.
5969 if (/MESSAGE, PART \d+\/\d+/.test(header[1])) {
5970 return enums.armor.multipartSection;
5971 } else
5972 // BEGIN PGP MESSAGE, PART X
5973 // Used for multi-part messages, where this is the Xth part of an
5974 // unspecified number of parts. Requires the MESSAGE-ID Armor
5975 // Header to be used.
5976 if (/MESSAGE, PART \d+/.test(header[1])) {
5977 return enums.armor.multipartLast;
5978 } else
5979 // BEGIN PGP SIGNED MESSAGE
5980 if (/SIGNED MESSAGE/.test(header[1])) {
5981 return enums.armor.signed;
5982 } else
5983 // BEGIN PGP MESSAGE
5984 // Used for signed, encrypted, or compressed files.
5985 if (/MESSAGE/.test(header[1])) {
5986 return enums.armor.message;
5987 } else
5988 // BEGIN PGP PUBLIC KEY BLOCK
5989 // Used for armoring public keys.
5990 if (/PUBLIC KEY BLOCK/.test(header[1])) {
5991 return enums.armor.publicKey;
5992 } else
5993 // BEGIN PGP PRIVATE KEY BLOCK
5994 // Used for armoring private keys.
5995 if (/PRIVATE KEY BLOCK/.test(header[1])) {
5996 return enums.armor.privateKey;
5997 } else
5998 // BEGIN PGP SIGNATURE
5999 // Used for detached signatures, OpenPGP/MIME signatures, and
6000 // cleartext signatures. Note that PGP 2.x uses BEGIN PGP MESSAGE
6001 // for detached signatures.
6002 if (/SIGNATURE/.test(header[1])) {
6003 return enums.armor.signature;
6004 }
6005 }
6006
6007 /**
6008 * Add additional information to the armor version of an OpenPGP binary
6009 * packet block.
6010 * @author Alex
6011 * @version 2011-12-16
6012 * @param {String} [customComment] - Additional comment to add to the armored string
6013 * @returns {String} The header information.
6014 * @private
6015 */
6016 function addheader(customComment, config) {
6017 let result = "";
6018 if (config.showVersion) {
6019 result += "Version: " + config.versionString + '\n';
6020 }
6021 if (config.showComment) {
6022 result += "Comment: " + config.commentString + '\n';
6023 }
6024 if (customComment) {
6025 result += "Comment: " + customComment + '\n';
6026 }
6027 result += '\n';
6028 return result;
6029 }
6030
6031
6032 /**
6033 * Calculates a checksum over the given data and returns it base64 encoded
6034 * @param {String | ReadableStream<String>} data - Data to create a CRC-24 checksum for
6035 * @returns {String | ReadableStream<String>} Base64 encoded checksum.
6036 * @private
6037 */
6038 function getCheckSum(data) {
6039 const crc = createcrc24(data);
6040 return encode(crc);
6041 }
6042
6043 // https://create.stephan-brumme.com/crc32/#slicing-by-8-overview
6044
6045 const crc_table = [
6046 new Array(0xFF),
6047 new Array(0xFF),
6048 new Array(0xFF),
6049 new Array(0xFF)
6050 ];
6051
6052 for (let i = 0; i <= 0xFF; i++) {
6053 let crc = i << 16;
6054 for (let j = 0; j < 8; j++) {
6055 crc = (crc << 1) ^ ((crc & 0x800000) !== 0 ? 0x864CFB : 0);
6056 }
6057 crc_table[0][i] =
6058 ((crc & 0xFF0000) >> 16) |
6059 (crc & 0x00FF00) |
6060 ((crc & 0x0000FF) << 16);
6061 }
6062 for (let i = 0; i <= 0xFF; i++) {
6063 crc_table[1][i] = (crc_table[0][i] >> 8) ^ crc_table[0][crc_table[0][i] & 0xFF];
6064 }
6065 for (let i = 0; i <= 0xFF; i++) {
6066 crc_table[2][i] = (crc_table[1][i] >> 8) ^ crc_table[0][crc_table[1][i] & 0xFF];
6067 }
6068 for (let i = 0; i <= 0xFF; i++) {
6069 crc_table[3][i] = (crc_table[2][i] >> 8) ^ crc_table[0][crc_table[2][i] & 0xFF];
6070 }
6071
6072 // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DataView#Endianness
6073 const isLittleEndian = (function() {
6074 const buffer = new ArrayBuffer(2);
6075 new DataView(buffer).setInt16(0, 0xFF, true /* littleEndian */);
6076 // Int16Array uses the platform's endianness.
6077 return new Int16Array(buffer)[0] === 0xFF;
6078 }());
6079
6080 /**
6081 * Internal function to calculate a CRC-24 checksum over a given string (data)
6082 * @param {String | ReadableStream<String>} input - Data to create a CRC-24 checksum for
6083 * @returns {Uint8Array | ReadableStream<Uint8Array>} The CRC-24 checksum.
6084 * @private
6085 */
6086 function createcrc24(input) {
6087 let crc = 0xCE04B7;
6088 return stream.transform(input, value => {
6089 const len32 = isLittleEndian ? Math.floor(value.length / 4) : 0;
6090 const arr32 = new Uint32Array(value.buffer, value.byteOffset, len32);
6091 for (let i = 0; i < len32; i++) {
6092 crc ^= arr32[i];
6093 crc =
6094 crc_table[0][(crc >> 24) & 0xFF] ^
6095 crc_table[1][(crc >> 16) & 0xFF] ^
6096 crc_table[2][(crc >> 8) & 0xFF] ^
6097 crc_table[3][(crc >> 0) & 0xFF];
6098 }
6099 for (let i = len32 * 4; i < value.length; i++) {
6100 crc = (crc >> 8) ^ crc_table[0][(crc & 0xFF) ^ value[i]];
6101 }
6102 }, () => new Uint8Array([crc, crc >> 8, crc >> 16]));
6103 }
6104
6105 /**
6106 * Verify armored headers. RFC4880, section 6.3: "OpenPGP should consider improperly formatted
6107 * Armor Headers to be corruption of the ASCII Armor."
6108 * @private
6109 * @param {Array<String>} headers - Armor headers
6110 */
6111 function verifyHeaders(headers) {
6112 for (let i = 0; i < headers.length; i++) {
6113 if (!/^([^\s:]|[^\s:][^:]*[^\s:]): .+$/.test(headers[i])) {
6114 throw new Error('Improperly formatted armor header: ' + headers[i]);
6115 }
6116 if (!/^(Version|Comment|MessageID|Hash|Charset): .+$/.test(headers[i])) {
6117 util.printDebugError(new Error('Unknown header: ' + headers[i]));
6118 }
6119 }
6120 }
6121
6122 /**
6123 * Splits a message into two parts, the body and the checksum. This is an internal function
6124 * @param {String} text - OpenPGP armored message part
6125 * @returns {Object} An object with attribute "body" containing the body.
6126 * and an attribute "checksum" containing the checksum.
6127 * @private
6128 */
6129 function splitChecksum(text) {
6130 let body = text;
6131 let checksum = "";
6132
6133 const lastEquals = text.lastIndexOf("=");
6134
6135 if (lastEquals >= 0 && lastEquals !== text.length - 1) { // '=' as the last char means no checksum
6136 body = text.slice(0, lastEquals);
6137 checksum = text.slice(lastEquals + 1).substr(0, 4);
6138 }
6139
6140 return { body: body, checksum: checksum };
6141 }
6142
6143 /**
6144 * Dearmor an OpenPGP armored message; verify the checksum and return
6145 * the encoded bytes
6146 * @param {String} input - OpenPGP armored message
6147 * @returns {Object} An object with attribute "text" containing the message text,
6148 * an attribute "data" containing a stream of bytes and "type" for the ASCII armor type
6149 * @async
6150 * @static
6151 */
6152 function unarmor(input, config = defaultConfig) {
6153 return new Promise(async (resolve, reject) => {
6154 try {
6155 const reSplit = /^-----[^-]+-----$/m;
6156 const reEmptyLine = /^[ \f\r\t\u00a0\u2000-\u200a\u202f\u205f\u3000]*$/;
6157
6158 let type;
6159 const headers = [];
6160 let lastHeaders = headers;
6161 let headersDone;
6162 let text = [];
6163 let textDone;
6164 let checksum;
6165 let data = decode(stream.transformPair(input, async (readable, writable) => {
6166 const reader = stream.getReader(readable);
6167 try {
6168 while (true) {
6169 let line = await reader.readLine();
6170 if (line === undefined) {
6171 throw new Error('Misformed armored text');
6172 }
6173 // remove trailing whitespace at end of lines
6174 line = util.removeTrailingSpaces(line.replace(/[\r\n]/g, ''));
6175 if (!type) {
6176 if (reSplit.test(line)) {
6177 type = getType(line);
6178 }
6179 } else if (!headersDone) {
6180 if (reSplit.test(line)) {
6181 reject(new Error('Mandatory blank line missing between armor headers and armor data'));
6182 }
6183 if (!reEmptyLine.test(line)) {
6184 lastHeaders.push(line);
6185 } else {
6186 verifyHeaders(lastHeaders);
6187 headersDone = true;
6188 if (textDone || type !== 2) {
6189 resolve({ text, data, headers, type });
6190 break;
6191 }
6192 }
6193 } else if (!textDone && type === 2) {
6194 if (!reSplit.test(line)) {
6195 // Reverse dash-escaping for msg
6196 text.push(line.replace(/^- /, ''));
6197 } else {
6198 text = text.join('\r\n');
6199 textDone = true;
6200 verifyHeaders(lastHeaders);
6201 lastHeaders = [];
6202 headersDone = false;
6203 }
6204 }
6205 }
6206 } catch (e) {
6207 reject(e);
6208 return;
6209 }
6210 const writer = stream.getWriter(writable);
6211 try {
6212 while (true) {
6213 await writer.ready;
6214 const { done, value } = await reader.read();
6215 if (done) {
6216 throw new Error('Misformed armored text');
6217 }
6218 const line = value + '';
6219 if (line.indexOf('=') === -1 && line.indexOf('-') === -1) {
6220 await writer.write(line);
6221 } else {
6222 let remainder = await reader.readToEnd();
6223 if (!remainder.length) remainder = '';
6224 remainder = line + remainder;
6225 remainder = util.removeTrailingSpaces(remainder.replace(/\r/g, ''));
6226 const parts = remainder.split(reSplit);
6227 if (parts.length === 1) {
6228 throw new Error('Misformed armored text');
6229 }
6230 const split = splitChecksum(parts[0].slice(0, -1));
6231 checksum = split.checksum;
6232 await writer.write(split.body);
6233 break;
6234 }
6235 }
6236 await writer.ready;
6237 await writer.close();
6238 } catch (e) {
6239 await writer.abort(e);
6240 }
6241 }));
6242 data = stream.transformPair(data, async (readable, writable) => {
6243 const checksumVerified = stream.readToEnd(getCheckSum(stream.passiveClone(readable)));
6244 checksumVerified.catch(() => {});
6245 await stream.pipe(readable, writable, {
6246 preventClose: true
6247 });
6248 const writer = stream.getWriter(writable);
6249 try {
6250 const checksumVerifiedString = (await checksumVerified).replace('\n', '');
6251 if (checksum !== checksumVerifiedString && (checksum || config.checksumRequired)) {
6252 throw new Error("Ascii armor integrity check on message failed: '" + checksum + "' should be '" +
6253 checksumVerifiedString + "'");
6254 }
6255 await writer.ready;
6256 await writer.close();
6257 } catch (e) {
6258 await writer.abort(e);
6259 }
6260 });
6261 } catch (e) {
6262 reject(e);
6263 }
6264 });
6265 }
6266
6267
6268 /**
6269 * Armor an OpenPGP binary packet block
6270 * @param {module:enums.armor} messageType - Type of the message
6271 * @param {Uint8Array | ReadableStream<Uint8Array>} body - The message body to armor
6272 * @param {Integer} [partIndex]
6273 * @param {Integer} [partTotal]
6274 * @param {String} [customComment] - Additional comment to add to the armored string
6275 * @returns {String | ReadableStream<String>} Armored text.
6276 * @static
6277 */
6278 function armor(messageType, body, partIndex, partTotal, customComment, config = defaultConfig) {
6279 let text;
6280 let hash;
6281 if (messageType === enums.armor.signed) {
6282 text = body.text;
6283 hash = body.hash;
6284 body = body.data;
6285 }
6286 const bodyClone = stream.passiveClone(body);
6287 const result = [];
6288 switch (messageType) {
6289 case enums.armor.multipartSection:
6290 result.push("-----BEGIN PGP MESSAGE, PART " + partIndex + "/" + partTotal + "-----\n");
6291 result.push(addheader(customComment, config));
6292 result.push(encode(body));
6293 result.push("=", getCheckSum(bodyClone));
6294 result.push("-----END PGP MESSAGE, PART " + partIndex + "/" + partTotal + "-----\n");
6295 break;
6296 case enums.armor.multipartLast:
6297 result.push("-----BEGIN PGP MESSAGE, PART " + partIndex + "-----\n");
6298 result.push(addheader(customComment, config));
6299 result.push(encode(body));
6300 result.push("=", getCheckSum(bodyClone));
6301 result.push("-----END PGP MESSAGE, PART " + partIndex + "-----\n");
6302 break;
6303 case enums.armor.signed:
6304 result.push("\n-----BEGIN PGP SIGNED MESSAGE-----\n");
6305 result.push("Hash: " + hash + "\n\n");
6306 result.push(text.replace(/^-/mg, "- -"));
6307 result.push("\n-----BEGIN PGP SIGNATURE-----\n");
6308 result.push(addheader(customComment, config));
6309 result.push(encode(body));
6310 result.push("=", getCheckSum(bodyClone));
6311 result.push("-----END PGP SIGNATURE-----\n");
6312 break;
6313 case enums.armor.message:
6314 result.push("-----BEGIN PGP MESSAGE-----\n");
6315 result.push(addheader(customComment, config));
6316 result.push(encode(body));
6317 result.push("=", getCheckSum(bodyClone));
6318 result.push("-----END PGP MESSAGE-----\n");
6319 break;
6320 case enums.armor.publicKey:
6321 result.push("-----BEGIN PGP PUBLIC KEY BLOCK-----\n");
6322 result.push(addheader(customComment, config));
6323 result.push(encode(body));
6324 result.push("=", getCheckSum(bodyClone));
6325 result.push("-----END PGP PUBLIC KEY BLOCK-----\n");
6326 break;
6327 case enums.armor.privateKey:
6328 result.push("-----BEGIN PGP PRIVATE KEY BLOCK-----\n");
6329 result.push(addheader(customComment, config));
6330 result.push(encode(body));
6331 result.push("=", getCheckSum(bodyClone));
6332 result.push("-----END PGP PRIVATE KEY BLOCK-----\n");
6333 break;
6334 case enums.armor.signature:
6335 result.push("-----BEGIN PGP SIGNATURE-----\n");
6336 result.push(addheader(customComment, config));
6337 result.push(encode(body));
6338 result.push("=", getCheckSum(bodyClone));
6339 result.push("-----END PGP SIGNATURE-----\n");
6340 break;
6341 }
6342
6343 return util.concat(result);
6344 }
6345
6346 // GPG4Browsers - An OpenPGP implementation in javascript
6347
6348 /**
6349 * Implementation of type key id
6350 *
6351 * {@link https://tools.ietf.org/html/rfc4880#section-3.3|RFC4880 3.3}:
6352 * A Key ID is an eight-octet scalar that identifies a key.
6353 * Implementations SHOULD NOT assume that Key IDs are unique. The
6354 * section "Enhanced Key Formats" below describes how Key IDs are
6355 * formed.
6356 */
6357 class Keyid {
6358 constructor() {
6359 this.bytes = '';
6360 }
6361
6362 /**
6363 * Parsing method for a key id
6364 * @param {Uint8Array} bytes - Input to read the key id from
6365 */
6366 read(bytes) {
6367 this.bytes = util.uint8ArrayToStr(bytes.subarray(0, 8));
6368 }
6369
6370 /**
6371 * Serializes the Key ID
6372 * @returns {Uint8Array} Key ID as a Uint8Array.
6373 */
6374 write() {
6375 return util.strToUint8Array(this.bytes);
6376 }
6377
6378 /**
6379 * Returns the Key ID represented as a hexadecimal string
6380 * @returns {String} Key ID as a hexadecimal string.
6381 */
6382 toHex() {
6383 return util.strToHex(this.bytes);
6384 }
6385
6386 /**
6387 * Checks equality of Key ID's
6388 * @param {Keyid} keyid
6389 * @param {Boolean} matchWildcard - Indicates whether to check if either keyid is a wildcard
6390 */
6391 equals(keyid, matchWildcard = false) {
6392 return (matchWildcard && (keyid.isWildcard() || this.isWildcard())) || this.bytes === keyid.bytes;
6393 }
6394
6395 /**
6396 * Checks to see if the Key ID is unset
6397 * @returns {Boolean} True if the Key ID is null.
6398 */
6399 isNull() {
6400 return this.bytes === '';
6401 }
6402
6403 /**
6404 * Checks to see if the Key ID is a "wildcard" Key ID (all zeros)
6405 * @returns {Boolean} True if this is a wildcard Key ID.
6406 */
6407 isWildcard() {
6408 return /^0+$/.test(this.toHex());
6409 }
6410
6411 static mapToHex(keyId) {
6412 return keyId.toHex();
6413 }
6414
6415 static fromId(hex) {
6416 const keyid = new Keyid();
6417 keyid.read(util.hexToUint8Array(hex));
6418 return keyid;
6419 }
6420
6421 static wildcard() {
6422 const keyid = new Keyid();
6423 keyid.read(new Uint8Array(8));
6424 return keyid;
6425 }
6426 }
6427
6428 /**
6429 * @file {@link http://asmjs.org Asm.js} implementation of the {@link https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Advanced Encryption Standard}.
6430 * @author Artem S Vybornov <vybornov@gmail.com>
6431 * @license MIT
6432 */
6433 var AES_asm = function () {
6434
6435 /**
6436 * Galois Field stuff init flag
6437 */
6438 var ginit_done = false;
6439
6440 /**
6441 * Galois Field exponentiation and logarithm tables for 3 (the generator)
6442 */
6443 var gexp3, glog3;
6444
6445 /**
6446 * Init Galois Field tables
6447 */
6448 function ginit() {
6449 gexp3 = [],
6450 glog3 = [];
6451
6452 var a = 1, c, d;
6453 for (c = 0; c < 255; c++) {
6454 gexp3[c] = a;
6455
6456 // Multiply by three
6457 d = a & 0x80, a <<= 1, a &= 255;
6458 if (d === 0x80) a ^= 0x1b;
6459 a ^= gexp3[c];
6460
6461 // Set the log table value
6462 glog3[gexp3[c]] = c;
6463 }
6464 gexp3[255] = gexp3[0];
6465 glog3[0] = 0;
6466
6467 ginit_done = true;
6468 }
6469
6470 /**
6471 * Galois Field multiplication
6472 * @param {number} a
6473 * @param {number} b
6474 * @return {number}
6475 */
6476 function gmul(a, b) {
6477 var c = gexp3[(glog3[a] + glog3[b]) % 255];
6478 if (a === 0 || b === 0) c = 0;
6479 return c;
6480 }
6481
6482 /**
6483 * Galois Field reciprocal
6484 * @param {number} a
6485 * @return {number}
6486 */
6487 function ginv(a) {
6488 var i = gexp3[255 - glog3[a]];
6489 if (a === 0) i = 0;
6490 return i;
6491 }
6492
6493 /**
6494 * AES stuff init flag
6495 */
6496 var aes_init_done = false;
6497
6498 /**
6499 * Encryption, Decryption, S-Box and KeyTransform tables
6500 *
6501 * @type {number[]}
6502 */
6503 var aes_sbox;
6504
6505 /**
6506 * @type {number[]}
6507 */
6508 var aes_sinv;
6509
6510 /**
6511 * @type {number[][]}
6512 */
6513 var aes_enc;
6514
6515 /**
6516 * @type {number[][]}
6517 */
6518 var aes_dec;
6519
6520 /**
6521 * Init AES tables
6522 */
6523 function aes_init() {
6524 if (!ginit_done) ginit();
6525
6526 // Calculates AES S-Box value
6527 function _s(a) {
6528 var c, s, x;
6529 s = x = ginv(a);
6530 for (c = 0; c < 4; c++) {
6531 s = ((s << 1) | (s >>> 7)) & 255;
6532 x ^= s;
6533 }
6534 x ^= 99;
6535 return x;
6536 }
6537
6538 // Tables
6539 aes_sbox = [],
6540 aes_sinv = [],
6541 aes_enc = [[], [], [], []],
6542 aes_dec = [[], [], [], []];
6543
6544 for (var i = 0; i < 256; i++) {
6545 var s = _s(i);
6546
6547 // S-Box and its inverse
6548 aes_sbox[i] = s;
6549 aes_sinv[s] = i;
6550
6551 // Ecryption and Decryption tables
6552 aes_enc[0][i] = (gmul(2, s) << 24) | (s << 16) | (s << 8) | gmul(3, s);
6553 aes_dec[0][s] = (gmul(14, i) << 24) | (gmul(9, i) << 16) | (gmul(13, i) << 8) | gmul(11, i);
6554 // Rotate tables
6555 for (var t = 1; t < 4; t++) {
6556 aes_enc[t][i] = (aes_enc[t - 1][i] >>> 8) | (aes_enc[t - 1][i] << 24);
6557 aes_dec[t][s] = (aes_dec[t - 1][s] >>> 8) | (aes_dec[t - 1][s] << 24);
6558 }
6559 }
6560
6561 aes_init_done = true;
6562 }
6563
6564 /**
6565 * Asm.js module constructor.
6566 *
6567 * <p>
6568 * Heap buffer layout by offset:
6569 * <pre>
6570 * 0x0000 encryption key schedule
6571 * 0x0400 decryption key schedule
6572 * 0x0800 sbox
6573 * 0x0c00 inv sbox
6574 * 0x1000 encryption tables
6575 * 0x2000 decryption tables
6576 * 0x3000 reserved (future GCM multiplication lookup table)
6577 * 0x4000 data
6578 * </pre>
6579 * Don't touch anything before <code>0x400</code>.
6580 * </p>
6581 *
6582 * @alias AES_asm
6583 * @class
6584 * @param foreign - <i>ignored</i>
6585 * @param buffer - heap buffer to link with
6586 */
6587 var wrapper = function (foreign, buffer) {
6588 // Init AES stuff for the first time
6589 if (!aes_init_done) aes_init();
6590
6591 // Fill up AES tables
6592 var heap = new Uint32Array(buffer);
6593 heap.set(aes_sbox, 0x0800 >> 2);
6594 heap.set(aes_sinv, 0x0c00 >> 2);
6595 for (var i = 0; i < 4; i++) {
6596 heap.set(aes_enc[i], (0x1000 + 0x400 * i) >> 2);
6597 heap.set(aes_dec[i], (0x2000 + 0x400 * i) >> 2);
6598 }
6599
6600 /**
6601 * Calculate AES key schedules.
6602 * @instance
6603 * @memberof AES_asm
6604 * @param {number} ks - key size, 4/6/8 (for 128/192/256-bit key correspondingly)
6605 * @param {number} k0 - key vector components
6606 * @param {number} k1 - key vector components
6607 * @param {number} k2 - key vector components
6608 * @param {number} k3 - key vector components
6609 * @param {number} k4 - key vector components
6610 * @param {number} k5 - key vector components
6611 * @param {number} k6 - key vector components
6612 * @param {number} k7 - key vector components
6613 */
6614 function set_key(ks, k0, k1, k2, k3, k4, k5, k6, k7) {
6615 var ekeys = heap.subarray(0x000, 60),
6616 dkeys = heap.subarray(0x100, 0x100 + 60);
6617
6618 // Encryption key schedule
6619 ekeys.set([k0, k1, k2, k3, k4, k5, k6, k7]);
6620 for (var i = ks, rcon = 1; i < 4 * ks + 28; i++) {
6621 var k = ekeys[i - 1];
6622 if ((i % ks === 0) || (ks === 8 && i % ks === 4)) {
6623 k = aes_sbox[k >>> 24] << 24 ^ aes_sbox[k >>> 16 & 255] << 16 ^ aes_sbox[k >>> 8 & 255] << 8 ^ aes_sbox[k & 255];
6624 }
6625 if (i % ks === 0) {
6626 k = (k << 8) ^ (k >>> 24) ^ (rcon << 24);
6627 rcon = (rcon << 1) ^ ((rcon & 0x80) ? 0x1b : 0);
6628 }
6629 ekeys[i] = ekeys[i - ks] ^ k;
6630 }
6631
6632 // Decryption key schedule
6633 for (var j = 0; j < i; j += 4) {
6634 for (var jj = 0; jj < 4; jj++) {
6635 var k = ekeys[i - (4 + j) + (4 - jj) % 4];
6636 if (j < 4 || j >= i - 4) {
6637 dkeys[j + jj] = k;
6638 } else {
6639 dkeys[j + jj] = aes_dec[0][aes_sbox[k >>> 24]]
6640 ^ aes_dec[1][aes_sbox[k >>> 16 & 255]]
6641 ^ aes_dec[2][aes_sbox[k >>> 8 & 255]]
6642 ^ aes_dec[3][aes_sbox[k & 255]];
6643 }
6644 }
6645 }
6646
6647 // Set rounds number
6648 asm.set_rounds(ks + 5);
6649 }
6650
6651 // create library object with necessary properties
6652 var stdlib = {Uint8Array: Uint8Array, Uint32Array: Uint32Array};
6653
6654 var asm = function (stdlib, foreign, buffer) {
6655 "use asm";
6656
6657 var S0 = 0, S1 = 0, S2 = 0, S3 = 0,
6658 I0 = 0, I1 = 0, I2 = 0, I3 = 0,
6659 N0 = 0, N1 = 0, N2 = 0, N3 = 0,
6660 M0 = 0, M1 = 0, M2 = 0, M3 = 0,
6661 H0 = 0, H1 = 0, H2 = 0, H3 = 0,
6662 R = 0;
6663
6664 var HEAP = new stdlib.Uint32Array(buffer),
6665 DATA = new stdlib.Uint8Array(buffer);
6666
6667 /**
6668 * AES core
6669 * @param {number} k - precomputed key schedule offset
6670 * @param {number} s - precomputed sbox table offset
6671 * @param {number} t - precomputed round table offset
6672 * @param {number} r - number of inner rounds to perform
6673 * @param {number} x0 - 128-bit input block vector
6674 * @param {number} x1 - 128-bit input block vector
6675 * @param {number} x2 - 128-bit input block vector
6676 * @param {number} x3 - 128-bit input block vector
6677 */
6678 function _core(k, s, t, r, x0, x1, x2, x3) {
6679 k = k | 0;
6680 s = s | 0;
6681 t = t | 0;
6682 r = r | 0;
6683 x0 = x0 | 0;
6684 x1 = x1 | 0;
6685 x2 = x2 | 0;
6686 x3 = x3 | 0;
6687
6688 var t1 = 0, t2 = 0, t3 = 0,
6689 y0 = 0, y1 = 0, y2 = 0, y3 = 0,
6690 i = 0;
6691
6692 t1 = t | 0x400, t2 = t | 0x800, t3 = t | 0xc00;
6693
6694 // round 0
6695 x0 = x0 ^ HEAP[(k | 0) >> 2],
6696 x1 = x1 ^ HEAP[(k | 4) >> 2],
6697 x2 = x2 ^ HEAP[(k | 8) >> 2],
6698 x3 = x3 ^ HEAP[(k | 12) >> 2];
6699
6700 // round 1..r
6701 for (i = 16; (i | 0) <= (r << 4); i = (i + 16) | 0) {
6702 y0 = HEAP[(t | x0 >> 22 & 1020) >> 2] ^ HEAP[(t1 | x1 >> 14 & 1020) >> 2] ^ HEAP[(t2 | x2 >> 6 & 1020) >> 2] ^ HEAP[(t3 | x3 << 2 & 1020) >> 2] ^ HEAP[(k | i | 0) >> 2],
6703 y1 = HEAP[(t | x1 >> 22 & 1020) >> 2] ^ HEAP[(t1 | x2 >> 14 & 1020) >> 2] ^ HEAP[(t2 | x3 >> 6 & 1020) >> 2] ^ HEAP[(t3 | x0 << 2 & 1020) >> 2] ^ HEAP[(k | i | 4) >> 2],
6704 y2 = HEAP[(t | x2 >> 22 & 1020) >> 2] ^ HEAP[(t1 | x3 >> 14 & 1020) >> 2] ^ HEAP[(t2 | x0 >> 6 & 1020) >> 2] ^ HEAP[(t3 | x1 << 2 & 1020) >> 2] ^ HEAP[(k | i | 8) >> 2],
6705 y3 = HEAP[(t | x3 >> 22 & 1020) >> 2] ^ HEAP[(t1 | x0 >> 14 & 1020) >> 2] ^ HEAP[(t2 | x1 >> 6 & 1020) >> 2] ^ HEAP[(t3 | x2 << 2 & 1020) >> 2] ^ HEAP[(k | i | 12) >> 2];
6706 x0 = y0, x1 = y1, x2 = y2, x3 = y3;
6707 }
6708
6709 // final round
6710 S0 = HEAP[(s | x0 >> 22 & 1020) >> 2] << 24 ^ HEAP[(s | x1 >> 14 & 1020) >> 2] << 16 ^ HEAP[(s | x2 >> 6 & 1020) >> 2] << 8 ^ HEAP[(s | x3 << 2 & 1020) >> 2] ^ HEAP[(k | i | 0) >> 2],
6711 S1 = HEAP[(s | x1 >> 22 & 1020) >> 2] << 24 ^ HEAP[(s | x2 >> 14 & 1020) >> 2] << 16 ^ HEAP[(s | x3 >> 6 & 1020) >> 2] << 8 ^ HEAP[(s | x0 << 2 & 1020) >> 2] ^ HEAP[(k | i | 4) >> 2],
6712 S2 = HEAP[(s | x2 >> 22 & 1020) >> 2] << 24 ^ HEAP[(s | x3 >> 14 & 1020) >> 2] << 16 ^ HEAP[(s | x0 >> 6 & 1020) >> 2] << 8 ^ HEAP[(s | x1 << 2 & 1020) >> 2] ^ HEAP[(k | i | 8) >> 2],
6713 S3 = HEAP[(s | x3 >> 22 & 1020) >> 2] << 24 ^ HEAP[(s | x0 >> 14 & 1020) >> 2] << 16 ^ HEAP[(s | x1 >> 6 & 1020) >> 2] << 8 ^ HEAP[(s | x2 << 2 & 1020) >> 2] ^ HEAP[(k | i | 12) >> 2];
6714 }
6715
6716 /**
6717 * ECB mode encryption
6718 * @param {number} x0 - 128-bit input block vector
6719 * @param {number} x1 - 128-bit input block vector
6720 * @param {number} x2 - 128-bit input block vector
6721 * @param {number} x3 - 128-bit input block vector
6722 */
6723 function _ecb_enc(x0, x1, x2, x3) {
6724 x0 = x0 | 0;
6725 x1 = x1 | 0;
6726 x2 = x2 | 0;
6727 x3 = x3 | 0;
6728
6729 _core(
6730 0x0000, 0x0800, 0x1000,
6731 R,
6732 x0,
6733 x1,
6734 x2,
6735 x3
6736 );
6737 }
6738
6739 /**
6740 * ECB mode decryption
6741 * @param {number} x0 - 128-bit input block vector
6742 * @param {number} x1 - 128-bit input block vector
6743 * @param {number} x2 - 128-bit input block vector
6744 * @param {number} x3 - 128-bit input block vector
6745 */
6746 function _ecb_dec(x0, x1, x2, x3) {
6747 x0 = x0 | 0;
6748 x1 = x1 | 0;
6749 x2 = x2 | 0;
6750 x3 = x3 | 0;
6751
6752 var t = 0;
6753
6754 _core(
6755 0x0400, 0x0c00, 0x2000,
6756 R,
6757 x0,
6758 x3,
6759 x2,
6760 x1
6761 );
6762
6763 t = S1, S1 = S3, S3 = t;
6764 }
6765
6766
6767 /**
6768 * CBC mode encryption
6769 * @param {number} x0 - 128-bit input block vector
6770 * @param {number} x1 - 128-bit input block vector
6771 * @param {number} x2 - 128-bit input block vector
6772 * @param {number} x3 - 128-bit input block vector
6773 */
6774 function _cbc_enc(x0, x1, x2, x3) {
6775 x0 = x0 | 0;
6776 x1 = x1 | 0;
6777 x2 = x2 | 0;
6778 x3 = x3 | 0;
6779
6780 _core(
6781 0x0000, 0x0800, 0x1000,
6782 R,
6783 I0 ^ x0,
6784 I1 ^ x1,
6785 I2 ^ x2,
6786 I3 ^ x3
6787 );
6788
6789 I0 = S0,
6790 I1 = S1,
6791 I2 = S2,
6792 I3 = S3;
6793 }
6794
6795 /**
6796 * CBC mode decryption
6797 * @param {number} x0 - 128-bit input block vector
6798 * @param {number} x1 - 128-bit input block vector
6799 * @param {number} x2 - 128-bit input block vector
6800 * @param {number} x3 - 128-bit input block vector
6801 */
6802 function _cbc_dec(x0, x1, x2, x3) {
6803 x0 = x0 | 0;
6804 x1 = x1 | 0;
6805 x2 = x2 | 0;
6806 x3 = x3 | 0;
6807
6808 var t = 0;
6809
6810 _core(
6811 0x0400, 0x0c00, 0x2000,
6812 R,
6813 x0,
6814 x3,
6815 x2,
6816 x1
6817 );
6818
6819 t = S1, S1 = S3, S3 = t;
6820
6821 S0 = S0 ^ I0,
6822 S1 = S1 ^ I1,
6823 S2 = S2 ^ I2,
6824 S3 = S3 ^ I3;
6825
6826 I0 = x0,
6827 I1 = x1,
6828 I2 = x2,
6829 I3 = x3;
6830 }
6831
6832 /**
6833 * CFB mode encryption
6834 * @param {number} x0 - 128-bit input block vector
6835 * @param {number} x1 - 128-bit input block vector
6836 * @param {number} x2 - 128-bit input block vector
6837 * @param {number} x3 - 128-bit input block vector
6838 */
6839 function _cfb_enc(x0, x1, x2, x3) {
6840 x0 = x0 | 0;
6841 x1 = x1 | 0;
6842 x2 = x2 | 0;
6843 x3 = x3 | 0;
6844
6845 _core(
6846 0x0000, 0x0800, 0x1000,
6847 R,
6848 I0,
6849 I1,
6850 I2,
6851 I3
6852 );
6853
6854 I0 = S0 = S0 ^ x0,
6855 I1 = S1 = S1 ^ x1,
6856 I2 = S2 = S2 ^ x2,
6857 I3 = S3 = S3 ^ x3;
6858 }
6859
6860
6861 /**
6862 * CFB mode decryption
6863 * @param {number} x0 - 128-bit input block vector
6864 * @param {number} x1 - 128-bit input block vector
6865 * @param {number} x2 - 128-bit input block vector
6866 * @param {number} x3 - 128-bit input block vector
6867 */
6868 function _cfb_dec(x0, x1, x2, x3) {
6869 x0 = x0 | 0;
6870 x1 = x1 | 0;
6871 x2 = x2 | 0;
6872 x3 = x3 | 0;
6873
6874 _core(
6875 0x0000, 0x0800, 0x1000,
6876 R,
6877 I0,
6878 I1,
6879 I2,
6880 I3
6881 );
6882
6883 S0 = S0 ^ x0,
6884 S1 = S1 ^ x1,
6885 S2 = S2 ^ x2,
6886 S3 = S3 ^ x3;
6887
6888 I0 = x0,
6889 I1 = x1,
6890 I2 = x2,
6891 I3 = x3;
6892 }
6893
6894 /**
6895 * OFB mode encryption / decryption
6896 * @param {number} x0 - 128-bit input block vector
6897 * @param {number} x1 - 128-bit input block vector
6898 * @param {number} x2 - 128-bit input block vector
6899 * @param {number} x3 - 128-bit input block vector
6900 */
6901 function _ofb(x0, x1, x2, x3) {
6902 x0 = x0 | 0;
6903 x1 = x1 | 0;
6904 x2 = x2 | 0;
6905 x3 = x3 | 0;
6906
6907 _core(
6908 0x0000, 0x0800, 0x1000,
6909 R,
6910 I0,
6911 I1,
6912 I2,
6913 I3
6914 );
6915
6916 I0 = S0,
6917 I1 = S1,
6918 I2 = S2,
6919 I3 = S3;
6920
6921 S0 = S0 ^ x0,
6922 S1 = S1 ^ x1,
6923 S2 = S2 ^ x2,
6924 S3 = S3 ^ x3;
6925 }
6926
6927 /**
6928 * CTR mode encryption / decryption
6929 * @param {number} x0 - 128-bit input block vector
6930 * @param {number} x1 - 128-bit input block vector
6931 * @param {number} x2 - 128-bit input block vector
6932 * @param {number} x3 - 128-bit input block vector
6933 */
6934 function _ctr(x0, x1, x2, x3) {
6935 x0 = x0 | 0;
6936 x1 = x1 | 0;
6937 x2 = x2 | 0;
6938 x3 = x3 | 0;
6939
6940 _core(
6941 0x0000, 0x0800, 0x1000,
6942 R,
6943 N0,
6944 N1,
6945 N2,
6946 N3
6947 );
6948
6949 N3 = (~M3 & N3) | M3 & (N3 + 1);
6950 N2 = (~M2 & N2) | M2 & (N2 + ((N3 | 0) == 0));
6951 N1 = (~M1 & N1) | M1 & (N1 + ((N2 | 0) == 0));
6952 N0 = (~M0 & N0) | M0 & (N0 + ((N1 | 0) == 0));
6953
6954 S0 = S0 ^ x0;
6955 S1 = S1 ^ x1;
6956 S2 = S2 ^ x2;
6957 S3 = S3 ^ x3;
6958 }
6959
6960 /**
6961 * GCM mode MAC calculation
6962 * @param {number} x0 - 128-bit input block vector
6963 * @param {number} x1 - 128-bit input block vector
6964 * @param {number} x2 - 128-bit input block vector
6965 * @param {number} x3 - 128-bit input block vector
6966 */
6967 function _gcm_mac(x0, x1, x2, x3) {
6968 x0 = x0 | 0;
6969 x1 = x1 | 0;
6970 x2 = x2 | 0;
6971 x3 = x3 | 0;
6972
6973 var y0 = 0, y1 = 0, y2 = 0, y3 = 0,
6974 z0 = 0, z1 = 0, z2 = 0, z3 = 0,
6975 i = 0, c = 0;
6976
6977 x0 = x0 ^ I0,
6978 x1 = x1 ^ I1,
6979 x2 = x2 ^ I2,
6980 x3 = x3 ^ I3;
6981
6982 y0 = H0 | 0,
6983 y1 = H1 | 0,
6984 y2 = H2 | 0,
6985 y3 = H3 | 0;
6986
6987 for (; (i | 0) < 128; i = (i + 1) | 0) {
6988 if (y0 >>> 31) {
6989 z0 = z0 ^ x0,
6990 z1 = z1 ^ x1,
6991 z2 = z2 ^ x2,
6992 z3 = z3 ^ x3;
6993 }
6994
6995 y0 = (y0 << 1) | (y1 >>> 31),
6996 y1 = (y1 << 1) | (y2 >>> 31),
6997 y2 = (y2 << 1) | (y3 >>> 31),
6998 y3 = (y3 << 1);
6999
7000 c = x3 & 1;
7001
7002 x3 = (x3 >>> 1) | (x2 << 31),
7003 x2 = (x2 >>> 1) | (x1 << 31),
7004 x1 = (x1 >>> 1) | (x0 << 31),
7005 x0 = (x0 >>> 1);
7006
7007 if (c) x0 = x0 ^ 0xe1000000;
7008 }
7009
7010 I0 = z0,
7011 I1 = z1,
7012 I2 = z2,
7013 I3 = z3;
7014 }
7015
7016 /**
7017 * Set the internal rounds number.
7018 * @instance
7019 * @memberof AES_asm
7020 * @param {number} r - number if inner AES rounds
7021 */
7022 function set_rounds(r) {
7023 r = r | 0;
7024 R = r;
7025 }
7026
7027 /**
7028 * Populate the internal state of the module.
7029 * @instance
7030 * @memberof AES_asm
7031 * @param {number} s0 - state vector
7032 * @param {number} s1 - state vector
7033 * @param {number} s2 - state vector
7034 * @param {number} s3 - state vector
7035 */
7036 function set_state(s0, s1, s2, s3) {
7037 s0 = s0 | 0;
7038 s1 = s1 | 0;
7039 s2 = s2 | 0;
7040 s3 = s3 | 0;
7041
7042 S0 = s0,
7043 S1 = s1,
7044 S2 = s2,
7045 S3 = s3;
7046 }
7047
7048 /**
7049 * Populate the internal iv of the module.
7050 * @instance
7051 * @memberof AES_asm
7052 * @param {number} i0 - iv vector
7053 * @param {number} i1 - iv vector
7054 * @param {number} i2 - iv vector
7055 * @param {number} i3 - iv vector
7056 */
7057 function set_iv(i0, i1, i2, i3) {
7058 i0 = i0 | 0;
7059 i1 = i1 | 0;
7060 i2 = i2 | 0;
7061 i3 = i3 | 0;
7062
7063 I0 = i0,
7064 I1 = i1,
7065 I2 = i2,
7066 I3 = i3;
7067 }
7068
7069 /**
7070 * Set nonce for CTR-family modes.
7071 * @instance
7072 * @memberof AES_asm
7073 * @param {number} n0 - nonce vector
7074 * @param {number} n1 - nonce vector
7075 * @param {number} n2 - nonce vector
7076 * @param {number} n3 - nonce vector
7077 */
7078 function set_nonce(n0, n1, n2, n3) {
7079 n0 = n0 | 0;
7080 n1 = n1 | 0;
7081 n2 = n2 | 0;
7082 n3 = n3 | 0;
7083
7084 N0 = n0,
7085 N1 = n1,
7086 N2 = n2,
7087 N3 = n3;
7088 }
7089
7090 /**
7091 * Set counter mask for CTR-family modes.
7092 * @instance
7093 * @memberof AES_asm
7094 * @param {number} m0 - counter mask vector
7095 * @param {number} m1 - counter mask vector
7096 * @param {number} m2 - counter mask vector
7097 * @param {number} m3 - counter mask vector
7098 */
7099 function set_mask(m0, m1, m2, m3) {
7100 m0 = m0 | 0;
7101 m1 = m1 | 0;
7102 m2 = m2 | 0;
7103 m3 = m3 | 0;
7104
7105 M0 = m0,
7106 M1 = m1,
7107 M2 = m2,
7108 M3 = m3;
7109 }
7110
7111 /**
7112 * Set counter for CTR-family modes.
7113 * @instance
7114 * @memberof AES_asm
7115 * @param {number} c0 - counter vector
7116 * @param {number} c1 - counter vector
7117 * @param {number} c2 - counter vector
7118 * @param {number} c3 - counter vector
7119 */
7120 function set_counter(c0, c1, c2, c3) {
7121 c0 = c0 | 0;
7122 c1 = c1 | 0;
7123 c2 = c2 | 0;
7124 c3 = c3 | 0;
7125
7126 N3 = (~M3 & N3) | M3 & c3,
7127 N2 = (~M2 & N2) | M2 & c2,
7128 N1 = (~M1 & N1) | M1 & c1,
7129 N0 = (~M0 & N0) | M0 & c0;
7130 }
7131
7132 /**
7133 * Store the internal state vector into the heap.
7134 * @instance
7135 * @memberof AES_asm
7136 * @param {number} pos - offset where to put the data
7137 * @return {number} The number of bytes have been written into the heap, always 16.
7138 */
7139 function get_state(pos) {
7140 pos = pos | 0;
7141
7142 if (pos & 15) return -1;
7143
7144 DATA[pos | 0] = S0 >>> 24,
7145 DATA[pos | 1] = S0 >>> 16 & 255,
7146 DATA[pos | 2] = S0 >>> 8 & 255,
7147 DATA[pos | 3] = S0 & 255,
7148 DATA[pos | 4] = S1 >>> 24,
7149 DATA[pos | 5] = S1 >>> 16 & 255,
7150 DATA[pos | 6] = S1 >>> 8 & 255,
7151 DATA[pos | 7] = S1 & 255,
7152 DATA[pos | 8] = S2 >>> 24,
7153 DATA[pos | 9] = S2 >>> 16 & 255,
7154 DATA[pos | 10] = S2 >>> 8 & 255,
7155 DATA[pos | 11] = S2 & 255,
7156 DATA[pos | 12] = S3 >>> 24,
7157 DATA[pos | 13] = S3 >>> 16 & 255,
7158 DATA[pos | 14] = S3 >>> 8 & 255,
7159 DATA[pos | 15] = S3 & 255;
7160
7161 return 16;
7162 }
7163
7164 /**
7165 * Store the internal iv vector into the heap.
7166 * @instance
7167 * @memberof AES_asm
7168 * @param {number} pos - offset where to put the data
7169 * @return {number} The number of bytes have been written into the heap, always 16.
7170 */
7171 function get_iv(pos) {
7172 pos = pos | 0;
7173
7174 if (pos & 15) return -1;
7175
7176 DATA[pos | 0] = I0 >>> 24,
7177 DATA[pos | 1] = I0 >>> 16 & 255,
7178 DATA[pos | 2] = I0 >>> 8 & 255,
7179 DATA[pos | 3] = I0 & 255,
7180 DATA[pos | 4] = I1 >>> 24,
7181 DATA[pos | 5] = I1 >>> 16 & 255,
7182 DATA[pos | 6] = I1 >>> 8 & 255,
7183 DATA[pos | 7] = I1 & 255,
7184 DATA[pos | 8] = I2 >>> 24,
7185 DATA[pos | 9] = I2 >>> 16 & 255,
7186 DATA[pos | 10] = I2 >>> 8 & 255,
7187 DATA[pos | 11] = I2 & 255,
7188 DATA[pos | 12] = I3 >>> 24,
7189 DATA[pos | 13] = I3 >>> 16 & 255,
7190 DATA[pos | 14] = I3 >>> 8 & 255,
7191 DATA[pos | 15] = I3 & 255;
7192
7193 return 16;
7194 }
7195
7196 /**
7197 * GCM initialization.
7198 * @instance
7199 * @memberof AES_asm
7200 */
7201 function gcm_init() {
7202 _ecb_enc(0, 0, 0, 0);
7203 H0 = S0,
7204 H1 = S1,
7205 H2 = S2,
7206 H3 = S3;
7207 }
7208
7209 /**
7210 * Perform ciphering operation on the supplied data.
7211 * @instance
7212 * @memberof AES_asm
7213 * @param {number} mode - block cipher mode (see {@link AES_asm} mode constants)
7214 * @param {number} pos - offset of the data being processed
7215 * @param {number} len - length of the data being processed
7216 * @return {number} Actual amount of data have been processed.
7217 */
7218 function cipher(mode, pos, len) {
7219 mode = mode | 0;
7220 pos = pos | 0;
7221 len = len | 0;
7222
7223 var ret = 0;
7224
7225 if (pos & 15) return -1;
7226
7227 while ((len | 0) >= 16) {
7228 _cipher_modes[mode & 7](
7229 DATA[pos | 0] << 24 | DATA[pos | 1] << 16 | DATA[pos | 2] << 8 | DATA[pos | 3],
7230 DATA[pos | 4] << 24 | DATA[pos | 5] << 16 | DATA[pos | 6] << 8 | DATA[pos | 7],
7231 DATA[pos | 8] << 24 | DATA[pos | 9] << 16 | DATA[pos | 10] << 8 | DATA[pos | 11],
7232 DATA[pos | 12] << 24 | DATA[pos | 13] << 16 | DATA[pos | 14] << 8 | DATA[pos | 15]
7233 );
7234
7235 DATA[pos | 0] = S0 >>> 24,
7236 DATA[pos | 1] = S0 >>> 16 & 255,
7237 DATA[pos | 2] = S0 >>> 8 & 255,
7238 DATA[pos | 3] = S0 & 255,
7239 DATA[pos | 4] = S1 >>> 24,
7240 DATA[pos | 5] = S1 >>> 16 & 255,
7241 DATA[pos | 6] = S1 >>> 8 & 255,
7242 DATA[pos | 7] = S1 & 255,
7243 DATA[pos | 8] = S2 >>> 24,
7244 DATA[pos | 9] = S2 >>> 16 & 255,
7245 DATA[pos | 10] = S2 >>> 8 & 255,
7246 DATA[pos | 11] = S2 & 255,
7247 DATA[pos | 12] = S3 >>> 24,
7248 DATA[pos | 13] = S3 >>> 16 & 255,
7249 DATA[pos | 14] = S3 >>> 8 & 255,
7250 DATA[pos | 15] = S3 & 255;
7251
7252 ret = (ret + 16) | 0,
7253 pos = (pos + 16) | 0,
7254 len = (len - 16) | 0;
7255 }
7256
7257 return ret | 0;
7258 }
7259
7260 /**
7261 * Calculates MAC of the supplied data.
7262 * @instance
7263 * @memberof AES_asm
7264 * @param {number} mode - block cipher mode (see {@link AES_asm} mode constants)
7265 * @param {number} pos - offset of the data being processed
7266 * @param {number} len - length of the data being processed
7267 * @return {number} Actual amount of data have been processed.
7268 */
7269 function mac(mode, pos, len) {
7270 mode = mode | 0;
7271 pos = pos | 0;
7272 len = len | 0;
7273
7274 var ret = 0;
7275
7276 if (pos & 15) return -1;
7277
7278 while ((len | 0) >= 16) {
7279 _mac_modes[mode & 1](
7280 DATA[pos | 0] << 24 | DATA[pos | 1] << 16 | DATA[pos | 2] << 8 | DATA[pos | 3],
7281 DATA[pos | 4] << 24 | DATA[pos | 5] << 16 | DATA[pos | 6] << 8 | DATA[pos | 7],
7282 DATA[pos | 8] << 24 | DATA[pos | 9] << 16 | DATA[pos | 10] << 8 | DATA[pos | 11],
7283 DATA[pos | 12] << 24 | DATA[pos | 13] << 16 | DATA[pos | 14] << 8 | DATA[pos | 15]
7284 );
7285
7286 ret = (ret + 16) | 0,
7287 pos = (pos + 16) | 0,
7288 len = (len - 16) | 0;
7289 }
7290
7291 return ret | 0;
7292 }
7293
7294 /**
7295 * AES cipher modes table (virual methods)
7296 */
7297 var _cipher_modes = [_ecb_enc, _ecb_dec, _cbc_enc, _cbc_dec, _cfb_enc, _cfb_dec, _ofb, _ctr];
7298
7299 /**
7300 * AES MAC modes table (virual methods)
7301 */
7302 var _mac_modes = [_cbc_enc, _gcm_mac];
7303
7304 /**
7305 * Asm.js module exports
7306 */
7307 return {
7308 set_rounds: set_rounds,
7309 set_state: set_state,
7310 set_iv: set_iv,
7311 set_nonce: set_nonce,
7312 set_mask: set_mask,
7313 set_counter: set_counter,
7314 get_state: get_state,
7315 get_iv: get_iv,
7316 gcm_init: gcm_init,
7317 cipher: cipher,
7318 mac: mac,
7319 };
7320 }(stdlib, foreign, buffer);
7321
7322 asm.set_key = set_key;
7323
7324 return asm;
7325 };
7326
7327 /**
7328 * AES enciphering mode constants
7329 * @enum {number}
7330 * @const
7331 */
7332 wrapper.ENC = {
7333 ECB: 0,
7334 CBC: 2,
7335 CFB: 4,
7336 OFB: 6,
7337 CTR: 7,
7338 },
7339
7340 /**
7341 * AES deciphering mode constants
7342 * @enum {number}
7343 * @const
7344 */
7345 wrapper.DEC = {
7346 ECB: 1,
7347 CBC: 3,
7348 CFB: 5,
7349 OFB: 6,
7350 CTR: 7,
7351 },
7352
7353 /**
7354 * AES MAC mode constants
7355 * @enum {number}
7356 * @const
7357 */
7358 wrapper.MAC = {
7359 CBC: 0,
7360 GCM: 1,
7361 };
7362
7363 /**
7364 * Heap data offset
7365 * @type {number}
7366 * @const
7367 */
7368 wrapper.HEAP_DATA = 0x4000;
7369
7370 return wrapper;
7371 }();
7372
7373 function is_bytes(a) {
7374 return a instanceof Uint8Array;
7375 }
7376 function _heap_init(heap, heapSize) {
7377 const size = heap ? heap.byteLength : heapSize || 65536;
7378 if (size & 0xfff || size <= 0)
7379 throw new Error('heap size must be a positive integer and a multiple of 4096');
7380 heap = heap || new Uint8Array(new ArrayBuffer(size));
7381 return heap;
7382 }
7383 function _heap_write(heap, hpos, data, dpos, dlen) {
7384 const hlen = heap.length - hpos;
7385 const wlen = hlen < dlen ? hlen : dlen;
7386 heap.set(data.subarray(dpos, dpos + wlen), hpos);
7387 return wlen;
7388 }
7389 function joinBytes(...arg) {
7390 const totalLenght = arg.reduce((sum, curr) => sum + curr.length, 0);
7391 const ret = new Uint8Array(totalLenght);
7392 let cursor = 0;
7393 for (let i = 0; i < arg.length; i++) {
7394 ret.set(arg[i], cursor);
7395 cursor += arg[i].length;
7396 }
7397 return ret;
7398 }
7399
7400 class IllegalStateError extends Error {
7401 constructor(...args) {
7402 super(...args);
7403 }
7404 }
7405 class IllegalArgumentError extends Error {
7406 constructor(...args) {
7407 super(...args);
7408 }
7409 }
7410 class SecurityError extends Error {
7411 constructor(...args) {
7412 super(...args);
7413 }
7414 }
7415
7416 const heap_pool = [];
7417 const asm_pool = [];
7418 class AES {
7419 constructor(key, iv, padding = true, mode, heap, asm) {
7420 this.pos = 0;
7421 this.len = 0;
7422 this.mode = mode;
7423 // The AES object state
7424 this.pos = 0;
7425 this.len = 0;
7426 this.key = key;
7427 this.iv = iv;
7428 this.padding = padding;
7429 // The AES "worker"
7430 this.acquire_asm(heap, asm);
7431 }
7432 acquire_asm(heap, asm) {
7433 if (this.heap === undefined || this.asm === undefined) {
7434 this.heap = heap || heap_pool.pop() || _heap_init().subarray(AES_asm.HEAP_DATA);
7435 this.asm = asm || asm_pool.pop() || new AES_asm(null, this.heap.buffer);
7436 this.reset(this.key, this.iv);
7437 }
7438 return { heap: this.heap, asm: this.asm };
7439 }
7440 release_asm() {
7441 if (this.heap !== undefined && this.asm !== undefined) {
7442 heap_pool.push(this.heap);
7443 asm_pool.push(this.asm);
7444 }
7445 this.heap = undefined;
7446 this.asm = undefined;
7447 }
7448 reset(key, iv) {
7449 const { asm } = this.acquire_asm();
7450 // Key
7451 const keylen = key.length;
7452 if (keylen !== 16 && keylen !== 24 && keylen !== 32)
7453 throw new IllegalArgumentError('illegal key size');
7454 const keyview = new DataView(key.buffer, key.byteOffset, key.byteLength);
7455 asm.set_key(keylen >> 2, keyview.getUint32(0), keyview.getUint32(4), keyview.getUint32(8), keyview.getUint32(12), keylen > 16 ? keyview.getUint32(16) : 0, keylen > 16 ? keyview.getUint32(20) : 0, keylen > 24 ? keyview.getUint32(24) : 0, keylen > 24 ? keyview.getUint32(28) : 0);
7456 // IV
7457 if (iv !== undefined) {
7458 if (iv.length !== 16)
7459 throw new IllegalArgumentError('illegal iv size');
7460 let ivview = new DataView(iv.buffer, iv.byteOffset, iv.byteLength);
7461 asm.set_iv(ivview.getUint32(0), ivview.getUint32(4), ivview.getUint32(8), ivview.getUint32(12));
7462 }
7463 else {
7464 asm.set_iv(0, 0, 0, 0);
7465 }
7466 }
7467 AES_Encrypt_process(data) {
7468 if (!is_bytes(data))
7469 throw new TypeError("data isn't of expected type");
7470 let { heap, asm } = this.acquire_asm();
7471 let amode = AES_asm.ENC[this.mode];
7472 let hpos = AES_asm.HEAP_DATA;
7473 let pos = this.pos;
7474 let len = this.len;
7475 let dpos = 0;
7476 let dlen = data.length || 0;
7477 let rpos = 0;
7478 let rlen = (len + dlen) & -16;
7479 let wlen = 0;
7480 let result = new Uint8Array(rlen);
7481 while (dlen > 0) {
7482 wlen = _heap_write(heap, pos + len, data, dpos, dlen);
7483 len += wlen;
7484 dpos += wlen;
7485 dlen -= wlen;
7486 wlen = asm.cipher(amode, hpos + pos, len);
7487 if (wlen)
7488 result.set(heap.subarray(pos, pos + wlen), rpos);
7489 rpos += wlen;
7490 if (wlen < len) {
7491 pos += wlen;
7492 len -= wlen;
7493 }
7494 else {
7495 pos = 0;
7496 len = 0;
7497 }
7498 }
7499 this.pos = pos;
7500 this.len = len;
7501 return result;
7502 }
7503 AES_Encrypt_finish() {
7504 let { heap, asm } = this.acquire_asm();
7505 let amode = AES_asm.ENC[this.mode];
7506 let hpos = AES_asm.HEAP_DATA;
7507 let pos = this.pos;
7508 let len = this.len;
7509 let plen = 16 - (len % 16);
7510 let rlen = len;
7511 if (this.hasOwnProperty('padding')) {
7512 if (this.padding) {
7513 for (let p = 0; p < plen; ++p) {
7514 heap[pos + len + p] = plen;
7515 }
7516 len += plen;
7517 rlen = len;
7518 }
7519 else if (len % 16) {
7520 throw new IllegalArgumentError('data length must be a multiple of the block size');
7521 }
7522 }
7523 else {
7524 len += plen;
7525 }
7526 const result = new Uint8Array(rlen);
7527 if (len)
7528 asm.cipher(amode, hpos + pos, len);
7529 if (rlen)
7530 result.set(heap.subarray(pos, pos + rlen));
7531 this.pos = 0;
7532 this.len = 0;
7533 this.release_asm();
7534 return result;
7535 }
7536 AES_Decrypt_process(data) {
7537 if (!is_bytes(data))
7538 throw new TypeError("data isn't of expected type");
7539 let { heap, asm } = this.acquire_asm();
7540 let amode = AES_asm.DEC[this.mode];
7541 let hpos = AES_asm.HEAP_DATA;
7542 let pos = this.pos;
7543 let len = this.len;
7544 let dpos = 0;
7545 let dlen = data.length || 0;
7546 let rpos = 0;
7547 let rlen = (len + dlen) & -16;
7548 let plen = 0;
7549 let wlen = 0;
7550 if (this.padding) {
7551 plen = len + dlen - rlen || 16;
7552 rlen -= plen;
7553 }
7554 const result = new Uint8Array(rlen);
7555 while (dlen > 0) {
7556 wlen = _heap_write(heap, pos + len, data, dpos, dlen);
7557 len += wlen;
7558 dpos += wlen;
7559 dlen -= wlen;
7560 wlen = asm.cipher(amode, hpos + pos, len - (!dlen ? plen : 0));
7561 if (wlen)
7562 result.set(heap.subarray(pos, pos + wlen), rpos);
7563 rpos += wlen;
7564 if (wlen < len) {
7565 pos += wlen;
7566 len -= wlen;
7567 }
7568 else {
7569 pos = 0;
7570 len = 0;
7571 }
7572 }
7573 this.pos = pos;
7574 this.len = len;
7575 return result;
7576 }
7577 AES_Decrypt_finish() {
7578 let { heap, asm } = this.acquire_asm();
7579 let amode = AES_asm.DEC[this.mode];
7580 let hpos = AES_asm.HEAP_DATA;
7581 let pos = this.pos;
7582 let len = this.len;
7583 let rlen = len;
7584 if (len > 0) {
7585 if (len % 16) {
7586 if (this.hasOwnProperty('padding')) {
7587 throw new IllegalArgumentError('data length must be a multiple of the block size');
7588 }
7589 else {
7590 len += 16 - (len % 16);
7591 }
7592 }
7593 asm.cipher(amode, hpos + pos, len);
7594 if (this.hasOwnProperty('padding') && this.padding) {
7595 let pad = heap[pos + rlen - 1];
7596 if (pad < 1 || pad > 16 || pad > rlen)
7597 throw new SecurityError('bad padding');
7598 let pcheck = 0;
7599 for (let i = pad; i > 1; i--)
7600 pcheck |= pad ^ heap[pos + rlen - i];
7601 if (pcheck)
7602 throw new SecurityError('bad padding');
7603 rlen -= pad;
7604 }
7605 }
7606 const result = new Uint8Array(rlen);
7607 if (rlen > 0) {
7608 result.set(heap.subarray(pos, pos + rlen));
7609 }
7610 this.pos = 0;
7611 this.len = 0;
7612 this.release_asm();
7613 return result;
7614 }
7615 }
7616
7617 class AES_ECB {
7618 static encrypt(data, key, padding = false) {
7619 return new AES_ECB(key, padding).encrypt(data);
7620 }
7621 static decrypt(data, key, padding = false) {
7622 return new AES_ECB(key, padding).decrypt(data);
7623 }
7624 constructor(key, padding = false, aes) {
7625 this.aes = aes ? aes : new AES(key, undefined, padding, 'ECB');
7626 }
7627 encrypt(data) {
7628 const r1 = this.aes.AES_Encrypt_process(data);
7629 const r2 = this.aes.AES_Encrypt_finish();
7630 return joinBytes(r1, r2);
7631 }
7632 decrypt(data) {
7633 const r1 = this.aes.AES_Decrypt_process(data);
7634 const r2 = this.aes.AES_Decrypt_finish();
7635 return joinBytes(r1, r2);
7636 }
7637 }
7638
7639 // TODO use webCrypto or nodeCrypto when possible.
7640 function aes(length) {
7641 const C = function(key) {
7642 const aes_ecb = new AES_ECB(key);
7643
7644 this.encrypt = function(block) {
7645 return aes_ecb.encrypt(block);
7646 };
7647
7648 this.decrypt = function(block) {
7649 return aes_ecb.decrypt(block);
7650 };
7651 };
7652
7653 C.blockSize = C.prototype.blockSize = 16;
7654 C.keySize = C.prototype.keySize = length / 8;
7655
7656 return C;
7657 }
7658
7659 //Paul Tero, July 2001
7660 //http://www.tero.co.uk/des/
7661 //
7662 //Optimised for performance with large blocks by Michael Hayworth, November 2001
7663 //http://www.netdealing.com
7664 //
7665 // Modified by Recurity Labs GmbH
7666
7667 //THIS SOFTWARE IS PROVIDED "AS IS" AND
7668 //ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
7669 //IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
7670 //ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
7671 //FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
7672 //DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
7673 //OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
7674 //HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
7675 //LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
7676 //OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
7677 //SUCH DAMAGE.
7678
7679 //des
7680 //this takes the key, the message, and whether to encrypt or decrypt
7681
7682 function des(keys, message, encrypt, mode, iv, padding) {
7683 //declaring this locally speeds things up a bit
7684 const spfunction1 = [
7685 0x1010400, 0, 0x10000, 0x1010404, 0x1010004, 0x10404, 0x4, 0x10000, 0x400, 0x1010400,
7686 0x1010404, 0x400, 0x1000404, 0x1010004, 0x1000000, 0x4, 0x404, 0x1000400, 0x1000400, 0x10400, 0x10400, 0x1010000,
7687 0x1010000, 0x1000404, 0x10004, 0x1000004, 0x1000004, 0x10004, 0, 0x404, 0x10404, 0x1000000, 0x10000, 0x1010404, 0x4,
7688 0x1010000, 0x1010400, 0x1000000, 0x1000000, 0x400, 0x1010004, 0x10000, 0x10400, 0x1000004, 0x400, 0x4, 0x1000404,
7689 0x10404, 0x1010404, 0x10004, 0x1010000, 0x1000404, 0x1000004, 0x404, 0x10404, 0x1010400, 0x404, 0x1000400,
7690 0x1000400, 0, 0x10004, 0x10400, 0, 0x1010004
7691 ];
7692 const spfunction2 = [
7693 -0x7fef7fe0, -0x7fff8000, 0x8000, 0x108020, 0x100000, 0x20, -0x7fefffe0, -0x7fff7fe0,
7694 -0x7fffffe0, -0x7fef7fe0, -0x7fef8000, -0x80000000, -0x7fff8000, 0x100000, 0x20, -0x7fefffe0, 0x108000, 0x100020,
7695 -0x7fff7fe0, 0, -0x80000000, 0x8000, 0x108020, -0x7ff00000, 0x100020, -0x7fffffe0, 0, 0x108000, 0x8020, -0x7fef8000,
7696 -0x7ff00000, 0x8020, 0, 0x108020, -0x7fefffe0, 0x100000, -0x7fff7fe0, -0x7ff00000, -0x7fef8000, 0x8000, -0x7ff00000,
7697 -0x7fff8000, 0x20, -0x7fef7fe0, 0x108020, 0x20, 0x8000, -0x80000000, 0x8020, -0x7fef8000, 0x100000, -0x7fffffe0,
7698 0x100020, -0x7fff7fe0, -0x7fffffe0, 0x100020, 0x108000, 0, -0x7fff8000, 0x8020, -0x80000000, -0x7fefffe0,
7699 -0x7fef7fe0, 0x108000
7700 ];
7701 const spfunction3 = [
7702 0x208, 0x8020200, 0, 0x8020008, 0x8000200, 0, 0x20208, 0x8000200, 0x20008, 0x8000008,
7703 0x8000008, 0x20000, 0x8020208, 0x20008, 0x8020000, 0x208, 0x8000000, 0x8, 0x8020200, 0x200, 0x20200, 0x8020000,
7704 0x8020008, 0x20208, 0x8000208, 0x20200, 0x20000, 0x8000208, 0x8, 0x8020208, 0x200, 0x8000000, 0x8020200, 0x8000000,
7705 0x20008, 0x208, 0x20000, 0x8020200, 0x8000200, 0, 0x200, 0x20008, 0x8020208, 0x8000200, 0x8000008, 0x200, 0,
7706 0x8020008, 0x8000208, 0x20000, 0x8000000, 0x8020208, 0x8, 0x20208, 0x20200, 0x8000008, 0x8020000, 0x8000208, 0x208,
7707 0x8020000, 0x20208, 0x8, 0x8020008, 0x20200
7708 ];
7709 const spfunction4 = [
7710 0x802001, 0x2081, 0x2081, 0x80, 0x802080, 0x800081, 0x800001, 0x2001, 0, 0x802000,
7711 0x802000, 0x802081, 0x81, 0, 0x800080, 0x800001, 0x1, 0x2000, 0x800000, 0x802001, 0x80, 0x800000, 0x2001, 0x2080,
7712 0x800081, 0x1, 0x2080, 0x800080, 0x2000, 0x802080, 0x802081, 0x81, 0x800080, 0x800001, 0x802000, 0x802081, 0x81, 0,
7713 0, 0x802000, 0x2080, 0x800080, 0x800081, 0x1, 0x802001, 0x2081, 0x2081, 0x80, 0x802081, 0x81, 0x1, 0x2000, 0x800001,
7714 0x2001, 0x802080, 0x800081, 0x2001, 0x2080, 0x800000, 0x802001, 0x80, 0x800000, 0x2000, 0x802080
7715 ];
7716 const spfunction5 = [
7717 0x100, 0x2080100, 0x2080000, 0x42000100, 0x80000, 0x100, 0x40000000, 0x2080000,
7718 0x40080100, 0x80000, 0x2000100, 0x40080100, 0x42000100, 0x42080000, 0x80100, 0x40000000, 0x2000000, 0x40080000,
7719 0x40080000, 0, 0x40000100, 0x42080100, 0x42080100, 0x2000100, 0x42080000, 0x40000100, 0, 0x42000000, 0x2080100,
7720 0x2000000, 0x42000000, 0x80100, 0x80000, 0x42000100, 0x100, 0x2000000, 0x40000000, 0x2080000, 0x42000100,
7721 0x40080100, 0x2000100, 0x40000000, 0x42080000, 0x2080100, 0x40080100, 0x100, 0x2000000, 0x42080000, 0x42080100,
7722 0x80100, 0x42000000, 0x42080100, 0x2080000, 0, 0x40080000, 0x42000000, 0x80100, 0x2000100, 0x40000100, 0x80000, 0,
7723 0x40080000, 0x2080100, 0x40000100
7724 ];
7725 const spfunction6 = [
7726 0x20000010, 0x20400000, 0x4000, 0x20404010, 0x20400000, 0x10, 0x20404010, 0x400000,
7727 0x20004000, 0x404010, 0x400000, 0x20000010, 0x400010, 0x20004000, 0x20000000, 0x4010, 0, 0x400010, 0x20004010,
7728 0x4000, 0x404000, 0x20004010, 0x10, 0x20400010, 0x20400010, 0, 0x404010, 0x20404000, 0x4010, 0x404000, 0x20404000,
7729 0x20000000, 0x20004000, 0x10, 0x20400010, 0x404000, 0x20404010, 0x400000, 0x4010, 0x20000010, 0x400000, 0x20004000,
7730 0x20000000, 0x4010, 0x20000010, 0x20404010, 0x404000, 0x20400000, 0x404010, 0x20404000, 0, 0x20400010, 0x10, 0x4000,
7731 0x20400000, 0x404010, 0x4000, 0x400010, 0x20004010, 0, 0x20404000, 0x20000000, 0x400010, 0x20004010
7732 ];
7733 const spfunction7 = [
7734 0x200000, 0x4200002, 0x4000802, 0, 0x800, 0x4000802, 0x200802, 0x4200800, 0x4200802,
7735 0x200000, 0, 0x4000002, 0x2, 0x4000000, 0x4200002, 0x802, 0x4000800, 0x200802, 0x200002, 0x4000800, 0x4000002,
7736 0x4200000, 0x4200800, 0x200002, 0x4200000, 0x800, 0x802, 0x4200802, 0x200800, 0x2, 0x4000000, 0x200800, 0x4000000,
7737 0x200800, 0x200000, 0x4000802, 0x4000802, 0x4200002, 0x4200002, 0x2, 0x200002, 0x4000000, 0x4000800, 0x200000,
7738 0x4200800, 0x802, 0x200802, 0x4200800, 0x802, 0x4000002, 0x4200802, 0x4200000, 0x200800, 0, 0x2, 0x4200802, 0,
7739 0x200802, 0x4200000, 0x800, 0x4000002, 0x4000800, 0x800, 0x200002
7740 ];
7741 const spfunction8 = [
7742 0x10001040, 0x1000, 0x40000, 0x10041040, 0x10000000, 0x10001040, 0x40, 0x10000000,
7743 0x40040, 0x10040000, 0x10041040, 0x41000, 0x10041000, 0x41040, 0x1000, 0x40, 0x10040000, 0x10000040, 0x10001000,
7744 0x1040, 0x41000, 0x40040, 0x10040040, 0x10041000, 0x1040, 0, 0, 0x10040040, 0x10000040, 0x10001000, 0x41040,
7745 0x40000, 0x41040, 0x40000, 0x10041000, 0x1000, 0x40, 0x10040040, 0x1000, 0x41040, 0x10001000, 0x40, 0x10000040,
7746 0x10040000, 0x10040040, 0x10000000, 0x40000, 0x10001040, 0, 0x10041040, 0x40040, 0x10000040, 0x10040000, 0x10001000,
7747 0x10001040, 0, 0x10041040, 0x41000, 0x41000, 0x1040, 0x1040, 0x40040, 0x10000000, 0x10041000
7748 ];
7749
7750 //create the 16 or 48 subkeys we will need
7751 let m = 0;
7752 let i;
7753 let j;
7754 let temp;
7755 let right1;
7756 let right2;
7757 let left;
7758 let right;
7759 let looping;
7760 let cbcleft;
7761 let cbcleft2;
7762 let cbcright;
7763 let cbcright2;
7764 let endloop;
7765 let loopinc;
7766 let len = message.length;
7767
7768 //set up the loops for single and triple des
7769 const iterations = keys.length === 32 ? 3 : 9; //single or triple des
7770 if (iterations === 3) {
7771 looping = encrypt ? [0, 32, 2] : [30, -2, -2];
7772 } else {
7773 looping = encrypt ? [0, 32, 2, 62, 30, -2, 64, 96, 2] : [94, 62, -2, 32, 64, 2, 30, -2, -2];
7774 }
7775
7776 //pad the message depending on the padding parameter
7777 //only add padding if encrypting - note that you need to use the same padding option for both encrypt and decrypt
7778 if (encrypt) {
7779 message = des_addPadding(message, padding);
7780 len = message.length;
7781 }
7782
7783 //store the result here
7784 let result = new Uint8Array(len);
7785 let k = 0;
7786
7787 if (mode === 1) { //CBC mode
7788 cbcleft = (iv[m++] << 24) | (iv[m++] << 16) | (iv[m++] << 8) | iv[m++];
7789 cbcright = (iv[m++] << 24) | (iv[m++] << 16) | (iv[m++] << 8) | iv[m++];
7790 m = 0;
7791 }
7792
7793 //loop through each 64 bit chunk of the message
7794 while (m < len) {
7795 left = (message[m++] << 24) | (message[m++] << 16) | (message[m++] << 8) | message[m++];
7796 right = (message[m++] << 24) | (message[m++] << 16) | (message[m++] << 8) | message[m++];
7797
7798 //for Cipher Block Chaining mode, xor the message with the previous result
7799 if (mode === 1) {
7800 if (encrypt) {
7801 left ^= cbcleft;
7802 right ^= cbcright;
7803 } else {
7804 cbcleft2 = cbcleft;
7805 cbcright2 = cbcright;
7806 cbcleft = left;
7807 cbcright = right;
7808 }
7809 }
7810
7811 //first each 64 but chunk of the message must be permuted according to IP
7812 temp = ((left >>> 4) ^ right) & 0x0f0f0f0f;
7813 right ^= temp;
7814 left ^= (temp << 4);
7815 temp = ((left >>> 16) ^ right) & 0x0000ffff;
7816 right ^= temp;
7817 left ^= (temp << 16);
7818 temp = ((right >>> 2) ^ left) & 0x33333333;
7819 left ^= temp;
7820 right ^= (temp << 2);
7821 temp = ((right >>> 8) ^ left) & 0x00ff00ff;
7822 left ^= temp;
7823 right ^= (temp << 8);
7824 temp = ((left >>> 1) ^ right) & 0x55555555;
7825 right ^= temp;
7826 left ^= (temp << 1);
7827
7828 left = ((left << 1) | (left >>> 31));
7829 right = ((right << 1) | (right >>> 31));
7830
7831 //do this either 1 or 3 times for each chunk of the message
7832 for (j = 0; j < iterations; j += 3) {
7833 endloop = looping[j + 1];
7834 loopinc = looping[j + 2];
7835 //now go through and perform the encryption or decryption
7836 for (i = looping[j]; i !== endloop; i += loopinc) { //for efficiency
7837 right1 = right ^ keys[i];
7838 right2 = ((right >>> 4) | (right << 28)) ^ keys[i + 1];
7839 //the result is attained by passing these bytes through the S selection functions
7840 temp = left;
7841 left = right;
7842 right = temp ^ (spfunction2[(right1 >>> 24) & 0x3f] | spfunction4[(right1 >>> 16) & 0x3f] | spfunction6[(right1 >>>
7843 8) & 0x3f] | spfunction8[right1 & 0x3f] | spfunction1[(right2 >>> 24) & 0x3f] | spfunction3[(right2 >>> 16) &
7844 0x3f] | spfunction5[(right2 >>> 8) & 0x3f] | spfunction7[right2 & 0x3f]);
7845 }
7846 temp = left;
7847 left = right;
7848 right = temp; //unreverse left and right
7849 } //for either 1 or 3 iterations
7850
7851 //move then each one bit to the right
7852 left = ((left >>> 1) | (left << 31));
7853 right = ((right >>> 1) | (right << 31));
7854
7855 //now perform IP-1, which is IP in the opposite direction
7856 temp = ((left >>> 1) ^ right) & 0x55555555;
7857 right ^= temp;
7858 left ^= (temp << 1);
7859 temp = ((right >>> 8) ^ left) & 0x00ff00ff;
7860 left ^= temp;
7861 right ^= (temp << 8);
7862 temp = ((right >>> 2) ^ left) & 0x33333333;
7863 left ^= temp;
7864 right ^= (temp << 2);
7865 temp = ((left >>> 16) ^ right) & 0x0000ffff;
7866 right ^= temp;
7867 left ^= (temp << 16);
7868 temp = ((left >>> 4) ^ right) & 0x0f0f0f0f;
7869 right ^= temp;
7870 left ^= (temp << 4);
7871
7872 //for Cipher Block Chaining mode, xor the message with the previous result
7873 if (mode === 1) {
7874 if (encrypt) {
7875 cbcleft = left;
7876 cbcright = right;
7877 } else {
7878 left ^= cbcleft2;
7879 right ^= cbcright2;
7880 }
7881 }
7882
7883 result[k++] = (left >>> 24);
7884 result[k++] = ((left >>> 16) & 0xff);
7885 result[k++] = ((left >>> 8) & 0xff);
7886 result[k++] = (left & 0xff);
7887 result[k++] = (right >>> 24);
7888 result[k++] = ((right >>> 16) & 0xff);
7889 result[k++] = ((right >>> 8) & 0xff);
7890 result[k++] = (right & 0xff);
7891 } //for every 8 characters, or 64 bits in the message
7892
7893 //only remove padding if decrypting - note that you need to use the same padding option for both encrypt and decrypt
7894 if (!encrypt) {
7895 result = des_removePadding(result, padding);
7896 }
7897
7898 return result;
7899 } //end of des
7900
7901
7902 //des_createKeys
7903 //this takes as input a 64 bit key (even though only 56 bits are used)
7904 //as an array of 2 integers, and returns 16 48 bit keys
7905
7906 function des_createKeys(key) {
7907 //declaring this locally speeds things up a bit
7908 const pc2bytes0 = [
7909 0, 0x4, 0x20000000, 0x20000004, 0x10000, 0x10004, 0x20010000, 0x20010004, 0x200, 0x204,
7910 0x20000200, 0x20000204, 0x10200, 0x10204, 0x20010200, 0x20010204
7911 ];
7912 const pc2bytes1 = [
7913 0, 0x1, 0x100000, 0x100001, 0x4000000, 0x4000001, 0x4100000, 0x4100001, 0x100, 0x101, 0x100100,
7914 0x100101, 0x4000100, 0x4000101, 0x4100100, 0x4100101
7915 ];
7916 const pc2bytes2 = [
7917 0, 0x8, 0x800, 0x808, 0x1000000, 0x1000008, 0x1000800, 0x1000808, 0, 0x8, 0x800, 0x808,
7918 0x1000000, 0x1000008, 0x1000800, 0x1000808
7919 ];
7920 const pc2bytes3 = [
7921 0, 0x200000, 0x8000000, 0x8200000, 0x2000, 0x202000, 0x8002000, 0x8202000, 0x20000, 0x220000,
7922 0x8020000, 0x8220000, 0x22000, 0x222000, 0x8022000, 0x8222000
7923 ];
7924 const pc2bytes4 = [
7925 0, 0x40000, 0x10, 0x40010, 0, 0x40000, 0x10, 0x40010, 0x1000, 0x41000, 0x1010, 0x41010, 0x1000,
7926 0x41000, 0x1010, 0x41010
7927 ];
7928 const pc2bytes5 = [
7929 0, 0x400, 0x20, 0x420, 0, 0x400, 0x20, 0x420, 0x2000000, 0x2000400, 0x2000020, 0x2000420,
7930 0x2000000, 0x2000400, 0x2000020, 0x2000420
7931 ];
7932 const pc2bytes6 = [
7933 0, 0x10000000, 0x80000, 0x10080000, 0x2, 0x10000002, 0x80002, 0x10080002, 0, 0x10000000,
7934 0x80000, 0x10080000, 0x2, 0x10000002, 0x80002, 0x10080002
7935 ];
7936 const pc2bytes7 = [
7937 0, 0x10000, 0x800, 0x10800, 0x20000000, 0x20010000, 0x20000800, 0x20010800, 0x20000, 0x30000,
7938 0x20800, 0x30800, 0x20020000, 0x20030000, 0x20020800, 0x20030800
7939 ];
7940 const pc2bytes8 = [
7941 0, 0x40000, 0, 0x40000, 0x2, 0x40002, 0x2, 0x40002, 0x2000000, 0x2040000, 0x2000000, 0x2040000,
7942 0x2000002, 0x2040002, 0x2000002, 0x2040002
7943 ];
7944 const pc2bytes9 = [
7945 0, 0x10000000, 0x8, 0x10000008, 0, 0x10000000, 0x8, 0x10000008, 0x400, 0x10000400, 0x408,
7946 0x10000408, 0x400, 0x10000400, 0x408, 0x10000408
7947 ];
7948 const pc2bytes10 = [
7949 0, 0x20, 0, 0x20, 0x100000, 0x100020, 0x100000, 0x100020, 0x2000, 0x2020, 0x2000, 0x2020,
7950 0x102000, 0x102020, 0x102000, 0x102020
7951 ];
7952 const pc2bytes11 = [
7953 0, 0x1000000, 0x200, 0x1000200, 0x200000, 0x1200000, 0x200200, 0x1200200, 0x4000000, 0x5000000,
7954 0x4000200, 0x5000200, 0x4200000, 0x5200000, 0x4200200, 0x5200200
7955 ];
7956 const pc2bytes12 = [
7957 0, 0x1000, 0x8000000, 0x8001000, 0x80000, 0x81000, 0x8080000, 0x8081000, 0x10, 0x1010,
7958 0x8000010, 0x8001010, 0x80010, 0x81010, 0x8080010, 0x8081010
7959 ];
7960 const pc2bytes13 = [0, 0x4, 0x100, 0x104, 0, 0x4, 0x100, 0x104, 0x1, 0x5, 0x101, 0x105, 0x1, 0x5, 0x101, 0x105];
7961
7962 //how many iterations (1 for des, 3 for triple des)
7963 const iterations = key.length > 8 ? 3 : 1; //changed by Paul 16/6/2007 to use Triple DES for 9+ byte keys
7964 //stores the return keys
7965 const keys = new Array(32 * iterations);
7966 //now define the left shifts which need to be done
7967 const shifts = [0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0];
7968 //other variables
7969 let lefttemp;
7970 let righttemp;
7971 let m = 0;
7972 let n = 0;
7973 let temp;
7974
7975 for (let j = 0; j < iterations; j++) { //either 1 or 3 iterations
7976 let left = (key[m++] << 24) | (key[m++] << 16) | (key[m++] << 8) | key[m++];
7977 let right = (key[m++] << 24) | (key[m++] << 16) | (key[m++] << 8) | key[m++];
7978
7979 temp = ((left >>> 4) ^ right) & 0x0f0f0f0f;
7980 right ^= temp;
7981 left ^= (temp << 4);
7982 temp = ((right >>> -16) ^ left) & 0x0000ffff;
7983 left ^= temp;
7984 right ^= (temp << -16);
7985 temp = ((left >>> 2) ^ right) & 0x33333333;
7986 right ^= temp;
7987 left ^= (temp << 2);
7988 temp = ((right >>> -16) ^ left) & 0x0000ffff;
7989 left ^= temp;
7990 right ^= (temp << -16);
7991 temp = ((left >>> 1) ^ right) & 0x55555555;
7992 right ^= temp;
7993 left ^= (temp << 1);
7994 temp = ((right >>> 8) ^ left) & 0x00ff00ff;
7995 left ^= temp;
7996 right ^= (temp << 8);
7997 temp = ((left >>> 1) ^ right) & 0x55555555;
7998 right ^= temp;
7999 left ^= (temp << 1);
8000
8001 //the right side needs to be shifted and to get the last four bits of the left side
8002 temp = (left << 8) | ((right >>> 20) & 0x000000f0);
8003 //left needs to be put upside down
8004 left = (right << 24) | ((right << 8) & 0xff0000) | ((right >>> 8) & 0xff00) | ((right >>> 24) & 0xf0);
8005 right = temp;
8006
8007 //now go through and perform these shifts on the left and right keys
8008 for (let i = 0; i < shifts.length; i++) {
8009 //shift the keys either one or two bits to the left
8010 if (shifts[i]) {
8011 left = (left << 2) | (left >>> 26);
8012 right = (right << 2) | (right >>> 26);
8013 } else {
8014 left = (left << 1) | (left >>> 27);
8015 right = (right << 1) | (right >>> 27);
8016 }
8017 left &= -0xf;
8018 right &= -0xf;
8019
8020 //now apply PC-2, in such a way that E is easier when encrypting or decrypting
8021 //this conversion will look like PC-2 except only the last 6 bits of each byte are used
8022 //rather than 48 consecutive bits and the order of lines will be according to
8023 //how the S selection functions will be applied: S2, S4, S6, S8, S1, S3, S5, S7
8024 lefttemp = pc2bytes0[left >>> 28] | pc2bytes1[(left >>> 24) & 0xf] | pc2bytes2[(left >>> 20) & 0xf] | pc2bytes3[(
8025 left >>> 16) & 0xf] | pc2bytes4[(left >>> 12) & 0xf] | pc2bytes5[(left >>> 8) & 0xf] | pc2bytes6[(left >>> 4) &
8026 0xf];
8027 righttemp = pc2bytes7[right >>> 28] | pc2bytes8[(right >>> 24) & 0xf] | pc2bytes9[(right >>> 20) & 0xf] |
8028 pc2bytes10[(right >>> 16) & 0xf] | pc2bytes11[(right >>> 12) & 0xf] | pc2bytes12[(right >>> 8) & 0xf] |
8029 pc2bytes13[(right >>> 4) & 0xf];
8030 temp = ((righttemp >>> 16) ^ lefttemp) & 0x0000ffff;
8031 keys[n++] = lefttemp ^ temp;
8032 keys[n++] = righttemp ^ (temp << 16);
8033 }
8034 } //for each iterations
8035 //return the keys we've created
8036 return keys;
8037 } //end of des_createKeys
8038
8039
8040 function des_addPadding(message, padding) {
8041 const padLength = 8 - (message.length % 8);
8042
8043 let pad;
8044 if (padding === 2 && (padLength < 8)) { //pad the message with spaces
8045 pad = " ".charCodeAt(0);
8046 } else if (padding === 1) { //PKCS7 padding
8047 pad = padLength;
8048 } else if (!padding && (padLength < 8)) { //pad the message out with null bytes
8049 pad = 0;
8050 } else if (padLength === 8) {
8051 return message;
8052 } else {
8053 throw new Error('des: invalid padding');
8054 }
8055
8056 const paddedMessage = new Uint8Array(message.length + padLength);
8057 for (let i = 0; i < message.length; i++) {
8058 paddedMessage[i] = message[i];
8059 }
8060 for (let j = 0; j < padLength; j++) {
8061 paddedMessage[message.length + j] = pad;
8062 }
8063
8064 return paddedMessage;
8065 }
8066
8067 function des_removePadding(message, padding) {
8068 let padLength = null;
8069 let pad;
8070 if (padding === 2) { // space padded
8071 pad = " ".charCodeAt(0);
8072 } else if (padding === 1) { // PKCS7
8073 padLength = message[message.length - 1];
8074 } else if (!padding) { // null padding
8075 pad = 0;
8076 } else {
8077 throw new Error('des: invalid padding');
8078 }
8079
8080 if (!padLength) {
8081 padLength = 1;
8082 while (message[message.length - padLength] === pad) {
8083 padLength++;
8084 }
8085 padLength--;
8086 }
8087
8088 return message.subarray(0, message.length - padLength);
8089 }
8090
8091 // added by Recurity Labs
8092
8093 function TripleDES(key) {
8094 this.key = [];
8095
8096 for (let i = 0; i < 3; i++) {
8097 this.key.push(new Uint8Array(key.subarray(i * 8, (i * 8) + 8)));
8098 }
8099
8100 this.encrypt = function(block) {
8101 return des(
8102 des_createKeys(this.key[2]),
8103 des(
8104 des_createKeys(this.key[1]),
8105 des(
8106 des_createKeys(this.key[0]),
8107 block, true, 0, null, null
8108 ),
8109 false, 0, null, null
8110 ), true, 0, null, null
8111 );
8112 };
8113 }
8114
8115 TripleDES.keySize = TripleDES.prototype.keySize = 24;
8116 TripleDES.blockSize = TripleDES.prototype.blockSize = 8;
8117
8118 // This is "original" DES
8119
8120 function DES(key) {
8121 this.key = key;
8122
8123 this.encrypt = function(block, padding) {
8124 const keys = des_createKeys(this.key);
8125 return des(keys, block, true, 0, null, padding);
8126 };
8127
8128 this.decrypt = function(block, padding) {
8129 const keys = des_createKeys(this.key);
8130 return des(keys, block, false, 0, null, padding);
8131 };
8132 }
8133
8134 // Use of this source code is governed by a BSD-style
8135 // license that can be found in the LICENSE file.
8136
8137 // Copyright 2010 pjacobs@xeekr.com . All rights reserved.
8138
8139 // Modified by Recurity Labs GmbH
8140
8141 // fixed/modified by Herbert Hanewinkel, www.haneWIN.de
8142 // check www.haneWIN.de for the latest version
8143
8144 // cast5.js is a Javascript implementation of CAST-128, as defined in RFC 2144.
8145 // CAST-128 is a common OpenPGP cipher.
8146
8147
8148 // CAST5 constructor
8149
8150 function OpenpgpSymencCast5() {
8151 this.BlockSize = 8;
8152 this.KeySize = 16;
8153
8154 this.setKey = function(key) {
8155 this.masking = new Array(16);
8156 this.rotate = new Array(16);
8157
8158 this.reset();
8159
8160 if (key.length === this.KeySize) {
8161 this.keySchedule(key);
8162 } else {
8163 throw new Error('CAST-128: keys must be 16 bytes');
8164 }
8165 return true;
8166 };
8167
8168 this.reset = function() {
8169 for (let i = 0; i < 16; i++) {
8170 this.masking[i] = 0;
8171 this.rotate[i] = 0;
8172 }
8173 };
8174
8175 this.getBlockSize = function() {
8176 return this.BlockSize;
8177 };
8178
8179 this.encrypt = function(src) {
8180 const dst = new Array(src.length);
8181
8182 for (let i = 0; i < src.length; i += 8) {
8183 let l = (src[i] << 24) | (src[i + 1] << 16) | (src[i + 2] << 8) | src[i + 3];
8184 let r = (src[i + 4] << 24) | (src[i + 5] << 16) | (src[i + 6] << 8) | src[i + 7];
8185 let t;
8186
8187 t = r;
8188 r = l ^ f1(r, this.masking[0], this.rotate[0]);
8189 l = t;
8190 t = r;
8191 r = l ^ f2(r, this.masking[1], this.rotate[1]);
8192 l = t;
8193 t = r;
8194 r = l ^ f3(r, this.masking[2], this.rotate[2]);
8195 l = t;
8196 t = r;
8197 r = l ^ f1(r, this.masking[3], this.rotate[3]);
8198 l = t;
8199
8200 t = r;
8201 r = l ^ f2(r, this.masking[4], this.rotate[4]);
8202 l = t;
8203 t = r;
8204 r = l ^ f3(r, this.masking[5], this.rotate[5]);
8205 l = t;
8206 t = r;
8207 r = l ^ f1(r, this.masking[6], this.rotate[6]);
8208 l = t;
8209 t = r;
8210 r = l ^ f2(r, this.masking[7], this.rotate[7]);
8211 l = t;
8212
8213 t = r;
8214 r = l ^ f3(r, this.masking[8], this.rotate[8]);
8215 l = t;
8216 t = r;
8217 r = l ^ f1(r, this.masking[9], this.rotate[9]);
8218 l = t;
8219 t = r;
8220 r = l ^ f2(r, this.masking[10], this.rotate[10]);
8221 l = t;
8222 t = r;
8223 r = l ^ f3(r, this.masking[11], this.rotate[11]);
8224 l = t;
8225
8226 t = r;
8227 r = l ^ f1(r, this.masking[12], this.rotate[12]);
8228 l = t;
8229 t = r;
8230 r = l ^ f2(r, this.masking[13], this.rotate[13]);
8231 l = t;
8232 t = r;
8233 r = l ^ f3(r, this.masking[14], this.rotate[14]);
8234 l = t;
8235 t = r;
8236 r = l ^ f1(r, this.masking[15], this.rotate[15]);
8237 l = t;
8238
8239 dst[i] = (r >>> 24) & 255;
8240 dst[i + 1] = (r >>> 16) & 255;
8241 dst[i + 2] = (r >>> 8) & 255;
8242 dst[i + 3] = r & 255;
8243 dst[i + 4] = (l >>> 24) & 255;
8244 dst[i + 5] = (l >>> 16) & 255;
8245 dst[i + 6] = (l >>> 8) & 255;
8246 dst[i + 7] = l & 255;
8247 }
8248
8249 return dst;
8250 };
8251
8252 this.decrypt = function(src) {
8253 const dst = new Array(src.length);
8254
8255 for (let i = 0; i < src.length; i += 8) {
8256 let l = (src[i] << 24) | (src[i + 1] << 16) | (src[i + 2] << 8) | src[i + 3];
8257 let r = (src[i + 4] << 24) | (src[i + 5] << 16) | (src[i + 6] << 8) | src[i + 7];
8258 let t;
8259
8260 t = r;
8261 r = l ^ f1(r, this.masking[15], this.rotate[15]);
8262 l = t;
8263 t = r;
8264 r = l ^ f3(r, this.masking[14], this.rotate[14]);
8265 l = t;
8266 t = r;
8267 r = l ^ f2(r, this.masking[13], this.rotate[13]);
8268 l = t;
8269 t = r;
8270 r = l ^ f1(r, this.masking[12], this.rotate[12]);
8271 l = t;
8272
8273 t = r;
8274 r = l ^ f3(r, this.masking[11], this.rotate[11]);
8275 l = t;
8276 t = r;
8277 r = l ^ f2(r, this.masking[10], this.rotate[10]);
8278 l = t;
8279 t = r;
8280 r = l ^ f1(r, this.masking[9], this.rotate[9]);
8281 l = t;
8282 t = r;
8283 r = l ^ f3(r, this.masking[8], this.rotate[8]);
8284 l = t;
8285
8286 t = r;
8287 r = l ^ f2(r, this.masking[7], this.rotate[7]);
8288 l = t;
8289 t = r;
8290 r = l ^ f1(r, this.masking[6], this.rotate[6]);
8291 l = t;
8292 t = r;
8293 r = l ^ f3(r, this.masking[5], this.rotate[5]);
8294 l = t;
8295 t = r;
8296 r = l ^ f2(r, this.masking[4], this.rotate[4]);
8297 l = t;
8298
8299 t = r;
8300 r = l ^ f1(r, this.masking[3], this.rotate[3]);
8301 l = t;
8302 t = r;
8303 r = l ^ f3(r, this.masking[2], this.rotate[2]);
8304 l = t;
8305 t = r;
8306 r = l ^ f2(r, this.masking[1], this.rotate[1]);
8307 l = t;
8308 t = r;
8309 r = l ^ f1(r, this.masking[0], this.rotate[0]);
8310 l = t;
8311
8312 dst[i] = (r >>> 24) & 255;
8313 dst[i + 1] = (r >>> 16) & 255;
8314 dst[i + 2] = (r >>> 8) & 255;
8315 dst[i + 3] = r & 255;
8316 dst[i + 4] = (l >>> 24) & 255;
8317 dst[i + 5] = (l >> 16) & 255;
8318 dst[i + 6] = (l >> 8) & 255;
8319 dst[i + 7] = l & 255;
8320 }
8321
8322 return dst;
8323 };
8324 const scheduleA = new Array(4);
8325
8326 scheduleA[0] = new Array(4);
8327 scheduleA[0][0] = [4, 0, 0xd, 0xf, 0xc, 0xe, 0x8];
8328 scheduleA[0][1] = [5, 2, 16 + 0, 16 + 2, 16 + 1, 16 + 3, 0xa];
8329 scheduleA[0][2] = [6, 3, 16 + 7, 16 + 6, 16 + 5, 16 + 4, 9];
8330 scheduleA[0][3] = [7, 1, 16 + 0xa, 16 + 9, 16 + 0xb, 16 + 8, 0xb];
8331
8332 scheduleA[1] = new Array(4);
8333 scheduleA[1][0] = [0, 6, 16 + 5, 16 + 7, 16 + 4, 16 + 6, 16 + 0];
8334 scheduleA[1][1] = [1, 4, 0, 2, 1, 3, 16 + 2];
8335 scheduleA[1][2] = [2, 5, 7, 6, 5, 4, 16 + 1];
8336 scheduleA[1][3] = [3, 7, 0xa, 9, 0xb, 8, 16 + 3];
8337
8338 scheduleA[2] = new Array(4);
8339 scheduleA[2][0] = [4, 0, 0xd, 0xf, 0xc, 0xe, 8];
8340 scheduleA[2][1] = [5, 2, 16 + 0, 16 + 2, 16 + 1, 16 + 3, 0xa];
8341 scheduleA[2][2] = [6, 3, 16 + 7, 16 + 6, 16 + 5, 16 + 4, 9];
8342 scheduleA[2][3] = [7, 1, 16 + 0xa, 16 + 9, 16 + 0xb, 16 + 8, 0xb];
8343
8344
8345 scheduleA[3] = new Array(4);
8346 scheduleA[3][0] = [0, 6, 16 + 5, 16 + 7, 16 + 4, 16 + 6, 16 + 0];
8347 scheduleA[3][1] = [1, 4, 0, 2, 1, 3, 16 + 2];
8348 scheduleA[3][2] = [2, 5, 7, 6, 5, 4, 16 + 1];
8349 scheduleA[3][3] = [3, 7, 0xa, 9, 0xb, 8, 16 + 3];
8350
8351 const scheduleB = new Array(4);
8352
8353 scheduleB[0] = new Array(4);
8354 scheduleB[0][0] = [16 + 8, 16 + 9, 16 + 7, 16 + 6, 16 + 2];
8355 scheduleB[0][1] = [16 + 0xa, 16 + 0xb, 16 + 5, 16 + 4, 16 + 6];
8356 scheduleB[0][2] = [16 + 0xc, 16 + 0xd, 16 + 3, 16 + 2, 16 + 9];
8357 scheduleB[0][3] = [16 + 0xe, 16 + 0xf, 16 + 1, 16 + 0, 16 + 0xc];
8358
8359 scheduleB[1] = new Array(4);
8360 scheduleB[1][0] = [3, 2, 0xc, 0xd, 8];
8361 scheduleB[1][1] = [1, 0, 0xe, 0xf, 0xd];
8362 scheduleB[1][2] = [7, 6, 8, 9, 3];
8363 scheduleB[1][3] = [5, 4, 0xa, 0xb, 7];
8364
8365
8366 scheduleB[2] = new Array(4);
8367 scheduleB[2][0] = [16 + 3, 16 + 2, 16 + 0xc, 16 + 0xd, 16 + 9];
8368 scheduleB[2][1] = [16 + 1, 16 + 0, 16 + 0xe, 16 + 0xf, 16 + 0xc];
8369 scheduleB[2][2] = [16 + 7, 16 + 6, 16 + 8, 16 + 9, 16 + 2];
8370 scheduleB[2][3] = [16 + 5, 16 + 4, 16 + 0xa, 16 + 0xb, 16 + 6];
8371
8372
8373 scheduleB[3] = new Array(4);
8374 scheduleB[3][0] = [8, 9, 7, 6, 3];
8375 scheduleB[3][1] = [0xa, 0xb, 5, 4, 7];
8376 scheduleB[3][2] = [0xc, 0xd, 3, 2, 8];
8377 scheduleB[3][3] = [0xe, 0xf, 1, 0, 0xd];
8378
8379 // changed 'in' to 'inn' (in javascript 'in' is a reserved word)
8380 this.keySchedule = function(inn) {
8381 const t = new Array(8);
8382 const k = new Array(32);
8383
8384 let j;
8385
8386 for (let i = 0; i < 4; i++) {
8387 j = i * 4;
8388 t[i] = (inn[j] << 24) | (inn[j + 1] << 16) | (inn[j + 2] << 8) | inn[j + 3];
8389 }
8390
8391 const x = [6, 7, 4, 5];
8392 let ki = 0;
8393 let w;
8394
8395 for (let half = 0; half < 2; half++) {
8396 for (let round = 0; round < 4; round++) {
8397 for (j = 0; j < 4; j++) {
8398 const a = scheduleA[round][j];
8399 w = t[a[1]];
8400
8401 w ^= sBox[4][(t[a[2] >>> 2] >>> (24 - 8 * (a[2] & 3))) & 0xff];
8402 w ^= sBox[5][(t[a[3] >>> 2] >>> (24 - 8 * (a[3] & 3))) & 0xff];
8403 w ^= sBox[6][(t[a[4] >>> 2] >>> (24 - 8 * (a[4] & 3))) & 0xff];
8404 w ^= sBox[7][(t[a[5] >>> 2] >>> (24 - 8 * (a[5] & 3))) & 0xff];
8405 w ^= sBox[x[j]][(t[a[6] >>> 2] >>> (24 - 8 * (a[6] & 3))) & 0xff];
8406 t[a[0]] = w;
8407 }
8408
8409 for (j = 0; j < 4; j++) {
8410 const b = scheduleB[round][j];
8411 w = sBox[4][(t[b[0] >>> 2] >>> (24 - 8 * (b[0] & 3))) & 0xff];
8412
8413 w ^= sBox[5][(t[b[1] >>> 2] >>> (24 - 8 * (b[1] & 3))) & 0xff];
8414 w ^= sBox[6][(t[b[2] >>> 2] >>> (24 - 8 * (b[2] & 3))) & 0xff];
8415 w ^= sBox[7][(t[b[3] >>> 2] >>> (24 - 8 * (b[3] & 3))) & 0xff];
8416 w ^= sBox[4 + j][(t[b[4] >>> 2] >>> (24 - 8 * (b[4] & 3))) & 0xff];
8417 k[ki] = w;
8418 ki++;
8419 }
8420 }
8421 }
8422
8423 for (let i = 0; i < 16; i++) {
8424 this.masking[i] = k[i];
8425 this.rotate[i] = k[16 + i] & 0x1f;
8426 }
8427 };
8428
8429 // These are the three 'f' functions. See RFC 2144, section 2.2.
8430
8431 function f1(d, m, r) {
8432 const t = m + d;
8433 const I = (t << r) | (t >>> (32 - r));
8434 return ((sBox[0][I >>> 24] ^ sBox[1][(I >>> 16) & 255]) - sBox[2][(I >>> 8) & 255]) + sBox[3][I & 255];
8435 }
8436
8437 function f2(d, m, r) {
8438 const t = m ^ d;
8439 const I = (t << r) | (t >>> (32 - r));
8440 return ((sBox[0][I >>> 24] - sBox[1][(I >>> 16) & 255]) + sBox[2][(I >>> 8) & 255]) ^ sBox[3][I & 255];
8441 }
8442
8443 function f3(d, m, r) {
8444 const t = m - d;
8445 const I = (t << r) | (t >>> (32 - r));
8446 return ((sBox[0][I >>> 24] + sBox[1][(I >>> 16) & 255]) ^ sBox[2][(I >>> 8) & 255]) - sBox[3][I & 255];
8447 }
8448
8449 const sBox = new Array(8);
8450 sBox[0] = [
8451 0x30fb40d4, 0x9fa0ff0b, 0x6beccd2f, 0x3f258c7a, 0x1e213f2f, 0x9c004dd3, 0x6003e540, 0xcf9fc949,
8452 0xbfd4af27, 0x88bbbdb5, 0xe2034090, 0x98d09675, 0x6e63a0e0, 0x15c361d2, 0xc2e7661d, 0x22d4ff8e,
8453 0x28683b6f, 0xc07fd059, 0xff2379c8, 0x775f50e2, 0x43c340d3, 0xdf2f8656, 0x887ca41a, 0xa2d2bd2d,
8454 0xa1c9e0d6, 0x346c4819, 0x61b76d87, 0x22540f2f, 0x2abe32e1, 0xaa54166b, 0x22568e3a, 0xa2d341d0,
8455 0x66db40c8, 0xa784392f, 0x004dff2f, 0x2db9d2de, 0x97943fac, 0x4a97c1d8, 0x527644b7, 0xb5f437a7,
8456 0xb82cbaef, 0xd751d159, 0x6ff7f0ed, 0x5a097a1f, 0x827b68d0, 0x90ecf52e, 0x22b0c054, 0xbc8e5935,
8457 0x4b6d2f7f, 0x50bb64a2, 0xd2664910, 0xbee5812d, 0xb7332290, 0xe93b159f, 0xb48ee411, 0x4bff345d,
8458 0xfd45c240, 0xad31973f, 0xc4f6d02e, 0x55fc8165, 0xd5b1caad, 0xa1ac2dae, 0xa2d4b76d, 0xc19b0c50,
8459 0x882240f2, 0x0c6e4f38, 0xa4e4bfd7, 0x4f5ba272, 0x564c1d2f, 0xc59c5319, 0xb949e354, 0xb04669fe,
8460 0xb1b6ab8a, 0xc71358dd, 0x6385c545, 0x110f935d, 0x57538ad5, 0x6a390493, 0xe63d37e0, 0x2a54f6b3,
8461 0x3a787d5f, 0x6276a0b5, 0x19a6fcdf, 0x7a42206a, 0x29f9d4d5, 0xf61b1891, 0xbb72275e, 0xaa508167,
8462 0x38901091, 0xc6b505eb, 0x84c7cb8c, 0x2ad75a0f, 0x874a1427, 0xa2d1936b, 0x2ad286af, 0xaa56d291,
8463 0xd7894360, 0x425c750d, 0x93b39e26, 0x187184c9, 0x6c00b32d, 0x73e2bb14, 0xa0bebc3c, 0x54623779,
8464 0x64459eab, 0x3f328b82, 0x7718cf82, 0x59a2cea6, 0x04ee002e, 0x89fe78e6, 0x3fab0950, 0x325ff6c2,
8465 0x81383f05, 0x6963c5c8, 0x76cb5ad6, 0xd49974c9, 0xca180dcf, 0x380782d5, 0xc7fa5cf6, 0x8ac31511,
8466 0x35e79e13, 0x47da91d0, 0xf40f9086, 0xa7e2419e, 0x31366241, 0x051ef495, 0xaa573b04, 0x4a805d8d,
8467 0x548300d0, 0x00322a3c, 0xbf64cddf, 0xba57a68e, 0x75c6372b, 0x50afd341, 0xa7c13275, 0x915a0bf5,
8468 0x6b54bfab, 0x2b0b1426, 0xab4cc9d7, 0x449ccd82, 0xf7fbf265, 0xab85c5f3, 0x1b55db94, 0xaad4e324,
8469 0xcfa4bd3f, 0x2deaa3e2, 0x9e204d02, 0xc8bd25ac, 0xeadf55b3, 0xd5bd9e98, 0xe31231b2, 0x2ad5ad6c,
8470 0x954329de, 0xadbe4528, 0xd8710f69, 0xaa51c90f, 0xaa786bf6, 0x22513f1e, 0xaa51a79b, 0x2ad344cc,
8471 0x7b5a41f0, 0xd37cfbad, 0x1b069505, 0x41ece491, 0xb4c332e6, 0x032268d4, 0xc9600acc, 0xce387e6d,
8472 0xbf6bb16c, 0x6a70fb78, 0x0d03d9c9, 0xd4df39de, 0xe01063da, 0x4736f464, 0x5ad328d8, 0xb347cc96,
8473 0x75bb0fc3, 0x98511bfb, 0x4ffbcc35, 0xb58bcf6a, 0xe11f0abc, 0xbfc5fe4a, 0xa70aec10, 0xac39570a,
8474 0x3f04442f, 0x6188b153, 0xe0397a2e, 0x5727cb79, 0x9ceb418f, 0x1cacd68d, 0x2ad37c96, 0x0175cb9d,
8475 0xc69dff09, 0xc75b65f0, 0xd9db40d8, 0xec0e7779, 0x4744ead4, 0xb11c3274, 0xdd24cb9e, 0x7e1c54bd,
8476 0xf01144f9, 0xd2240eb1, 0x9675b3fd, 0xa3ac3755, 0xd47c27af, 0x51c85f4d, 0x56907596, 0xa5bb15e6,
8477 0x580304f0, 0xca042cf1, 0x011a37ea, 0x8dbfaadb, 0x35ba3e4a, 0x3526ffa0, 0xc37b4d09, 0xbc306ed9,
8478 0x98a52666, 0x5648f725, 0xff5e569d, 0x0ced63d0, 0x7c63b2cf, 0x700b45e1, 0xd5ea50f1, 0x85a92872,
8479 0xaf1fbda7, 0xd4234870, 0xa7870bf3, 0x2d3b4d79, 0x42e04198, 0x0cd0ede7, 0x26470db8, 0xf881814c,
8480 0x474d6ad7, 0x7c0c5e5c, 0xd1231959, 0x381b7298, 0xf5d2f4db, 0xab838653, 0x6e2f1e23, 0x83719c9e,
8481 0xbd91e046, 0x9a56456e, 0xdc39200c, 0x20c8c571, 0x962bda1c, 0xe1e696ff, 0xb141ab08, 0x7cca89b9,
8482 0x1a69e783, 0x02cc4843, 0xa2f7c579, 0x429ef47d, 0x427b169c, 0x5ac9f049, 0xdd8f0f00, 0x5c8165bf
8483 ];
8484
8485 sBox[1] = [
8486 0x1f201094, 0xef0ba75b, 0x69e3cf7e, 0x393f4380, 0xfe61cf7a, 0xeec5207a, 0x55889c94, 0x72fc0651,
8487 0xada7ef79, 0x4e1d7235, 0xd55a63ce, 0xde0436ba, 0x99c430ef, 0x5f0c0794, 0x18dcdb7d, 0xa1d6eff3,
8488 0xa0b52f7b, 0x59e83605, 0xee15b094, 0xe9ffd909, 0xdc440086, 0xef944459, 0xba83ccb3, 0xe0c3cdfb,
8489 0xd1da4181, 0x3b092ab1, 0xf997f1c1, 0xa5e6cf7b, 0x01420ddb, 0xe4e7ef5b, 0x25a1ff41, 0xe180f806,
8490 0x1fc41080, 0x179bee7a, 0xd37ac6a9, 0xfe5830a4, 0x98de8b7f, 0x77e83f4e, 0x79929269, 0x24fa9f7b,
8491 0xe113c85b, 0xacc40083, 0xd7503525, 0xf7ea615f, 0x62143154, 0x0d554b63, 0x5d681121, 0xc866c359,
8492 0x3d63cf73, 0xcee234c0, 0xd4d87e87, 0x5c672b21, 0x071f6181, 0x39f7627f, 0x361e3084, 0xe4eb573b,
8493 0x602f64a4, 0xd63acd9c, 0x1bbc4635, 0x9e81032d, 0x2701f50c, 0x99847ab4, 0xa0e3df79, 0xba6cf38c,
8494 0x10843094, 0x2537a95e, 0xf46f6ffe, 0xa1ff3b1f, 0x208cfb6a, 0x8f458c74, 0xd9e0a227, 0x4ec73a34,
8495 0xfc884f69, 0x3e4de8df, 0xef0e0088, 0x3559648d, 0x8a45388c, 0x1d804366, 0x721d9bfd, 0xa58684bb,
8496 0xe8256333, 0x844e8212, 0x128d8098, 0xfed33fb4, 0xce280ae1, 0x27e19ba5, 0xd5a6c252, 0xe49754bd,
8497 0xc5d655dd, 0xeb667064, 0x77840b4d, 0xa1b6a801, 0x84db26a9, 0xe0b56714, 0x21f043b7, 0xe5d05860,
8498 0x54f03084, 0x066ff472, 0xa31aa153, 0xdadc4755, 0xb5625dbf, 0x68561be6, 0x83ca6b94, 0x2d6ed23b,
8499 0xeccf01db, 0xa6d3d0ba, 0xb6803d5c, 0xaf77a709, 0x33b4a34c, 0x397bc8d6, 0x5ee22b95, 0x5f0e5304,
8500 0x81ed6f61, 0x20e74364, 0xb45e1378, 0xde18639b, 0x881ca122, 0xb96726d1, 0x8049a7e8, 0x22b7da7b,
8501 0x5e552d25, 0x5272d237, 0x79d2951c, 0xc60d894c, 0x488cb402, 0x1ba4fe5b, 0xa4b09f6b, 0x1ca815cf,
8502 0xa20c3005, 0x8871df63, 0xb9de2fcb, 0x0cc6c9e9, 0x0beeff53, 0xe3214517, 0xb4542835, 0x9f63293c,
8503 0xee41e729, 0x6e1d2d7c, 0x50045286, 0x1e6685f3, 0xf33401c6, 0x30a22c95, 0x31a70850, 0x60930f13,
8504 0x73f98417, 0xa1269859, 0xec645c44, 0x52c877a9, 0xcdff33a6, 0xa02b1741, 0x7cbad9a2, 0x2180036f,
8505 0x50d99c08, 0xcb3f4861, 0xc26bd765, 0x64a3f6ab, 0x80342676, 0x25a75e7b, 0xe4e6d1fc, 0x20c710e6,
8506 0xcdf0b680, 0x17844d3b, 0x31eef84d, 0x7e0824e4, 0x2ccb49eb, 0x846a3bae, 0x8ff77888, 0xee5d60f6,
8507 0x7af75673, 0x2fdd5cdb, 0xa11631c1, 0x30f66f43, 0xb3faec54, 0x157fd7fa, 0xef8579cc, 0xd152de58,
8508 0xdb2ffd5e, 0x8f32ce19, 0x306af97a, 0x02f03ef8, 0x99319ad5, 0xc242fa0f, 0xa7e3ebb0, 0xc68e4906,
8509 0xb8da230c, 0x80823028, 0xdcdef3c8, 0xd35fb171, 0x088a1bc8, 0xbec0c560, 0x61a3c9e8, 0xbca8f54d,
8510 0xc72feffa, 0x22822e99, 0x82c570b4, 0xd8d94e89, 0x8b1c34bc, 0x301e16e6, 0x273be979, 0xb0ffeaa6,
8511 0x61d9b8c6, 0x00b24869, 0xb7ffce3f, 0x08dc283b, 0x43daf65a, 0xf7e19798, 0x7619b72f, 0x8f1c9ba4,
8512 0xdc8637a0, 0x16a7d3b1, 0x9fc393b7, 0xa7136eeb, 0xc6bcc63e, 0x1a513742, 0xef6828bc, 0x520365d6,
8513 0x2d6a77ab, 0x3527ed4b, 0x821fd216, 0x095c6e2e, 0xdb92f2fb, 0x5eea29cb, 0x145892f5, 0x91584f7f,
8514 0x5483697b, 0x2667a8cc, 0x85196048, 0x8c4bacea, 0x833860d4, 0x0d23e0f9, 0x6c387e8a, 0x0ae6d249,
8515 0xb284600c, 0xd835731d, 0xdcb1c647, 0xac4c56ea, 0x3ebd81b3, 0x230eabb0, 0x6438bc87, 0xf0b5b1fa,
8516 0x8f5ea2b3, 0xfc184642, 0x0a036b7a, 0x4fb089bd, 0x649da589, 0xa345415e, 0x5c038323, 0x3e5d3bb9,
8517 0x43d79572, 0x7e6dd07c, 0x06dfdf1e, 0x6c6cc4ef, 0x7160a539, 0x73bfbe70, 0x83877605, 0x4523ecf1
8518 ];
8519
8520 sBox[2] = [
8521 0x8defc240, 0x25fa5d9f, 0xeb903dbf, 0xe810c907, 0x47607fff, 0x369fe44b, 0x8c1fc644, 0xaececa90,
8522 0xbeb1f9bf, 0xeefbcaea, 0xe8cf1950, 0x51df07ae, 0x920e8806, 0xf0ad0548, 0xe13c8d83, 0x927010d5,
8523 0x11107d9f, 0x07647db9, 0xb2e3e4d4, 0x3d4f285e, 0xb9afa820, 0xfade82e0, 0xa067268b, 0x8272792e,
8524 0x553fb2c0, 0x489ae22b, 0xd4ef9794, 0x125e3fbc, 0x21fffcee, 0x825b1bfd, 0x9255c5ed, 0x1257a240,
8525 0x4e1a8302, 0xbae07fff, 0x528246e7, 0x8e57140e, 0x3373f7bf, 0x8c9f8188, 0xa6fc4ee8, 0xc982b5a5,
8526 0xa8c01db7, 0x579fc264, 0x67094f31, 0xf2bd3f5f, 0x40fff7c1, 0x1fb78dfc, 0x8e6bd2c1, 0x437be59b,
8527 0x99b03dbf, 0xb5dbc64b, 0x638dc0e6, 0x55819d99, 0xa197c81c, 0x4a012d6e, 0xc5884a28, 0xccc36f71,
8528 0xb843c213, 0x6c0743f1, 0x8309893c, 0x0feddd5f, 0x2f7fe850, 0xd7c07f7e, 0x02507fbf, 0x5afb9a04,
8529 0xa747d2d0, 0x1651192e, 0xaf70bf3e, 0x58c31380, 0x5f98302e, 0x727cc3c4, 0x0a0fb402, 0x0f7fef82,
8530 0x8c96fdad, 0x5d2c2aae, 0x8ee99a49, 0x50da88b8, 0x8427f4a0, 0x1eac5790, 0x796fb449, 0x8252dc15,
8531 0xefbd7d9b, 0xa672597d, 0xada840d8, 0x45f54504, 0xfa5d7403, 0xe83ec305, 0x4f91751a, 0x925669c2,
8532 0x23efe941, 0xa903f12e, 0x60270df2, 0x0276e4b6, 0x94fd6574, 0x927985b2, 0x8276dbcb, 0x02778176,
8533 0xf8af918d, 0x4e48f79e, 0x8f616ddf, 0xe29d840e, 0x842f7d83, 0x340ce5c8, 0x96bbb682, 0x93b4b148,
8534 0xef303cab, 0x984faf28, 0x779faf9b, 0x92dc560d, 0x224d1e20, 0x8437aa88, 0x7d29dc96, 0x2756d3dc,
8535 0x8b907cee, 0xb51fd240, 0xe7c07ce3, 0xe566b4a1, 0xc3e9615e, 0x3cf8209d, 0x6094d1e3, 0xcd9ca341,
8536 0x5c76460e, 0x00ea983b, 0xd4d67881, 0xfd47572c, 0xf76cedd9, 0xbda8229c, 0x127dadaa, 0x438a074e,
8537 0x1f97c090, 0x081bdb8a, 0x93a07ebe, 0xb938ca15, 0x97b03cff, 0x3dc2c0f8, 0x8d1ab2ec, 0x64380e51,
8538 0x68cc7bfb, 0xd90f2788, 0x12490181, 0x5de5ffd4, 0xdd7ef86a, 0x76a2e214, 0xb9a40368, 0x925d958f,
8539 0x4b39fffa, 0xba39aee9, 0xa4ffd30b, 0xfaf7933b, 0x6d498623, 0x193cbcfa, 0x27627545, 0x825cf47a,
8540 0x61bd8ba0, 0xd11e42d1, 0xcead04f4, 0x127ea392, 0x10428db7, 0x8272a972, 0x9270c4a8, 0x127de50b,
8541 0x285ba1c8, 0x3c62f44f, 0x35c0eaa5, 0xe805d231, 0x428929fb, 0xb4fcdf82, 0x4fb66a53, 0x0e7dc15b,
8542 0x1f081fab, 0x108618ae, 0xfcfd086d, 0xf9ff2889, 0x694bcc11, 0x236a5cae, 0x12deca4d, 0x2c3f8cc5,
8543 0xd2d02dfe, 0xf8ef5896, 0xe4cf52da, 0x95155b67, 0x494a488c, 0xb9b6a80c, 0x5c8f82bc, 0x89d36b45,
8544 0x3a609437, 0xec00c9a9, 0x44715253, 0x0a874b49, 0xd773bc40, 0x7c34671c, 0x02717ef6, 0x4feb5536,
8545 0xa2d02fff, 0xd2bf60c4, 0xd43f03c0, 0x50b4ef6d, 0x07478cd1, 0x006e1888, 0xa2e53f55, 0xb9e6d4bc,
8546 0xa2048016, 0x97573833, 0xd7207d67, 0xde0f8f3d, 0x72f87b33, 0xabcc4f33, 0x7688c55d, 0x7b00a6b0,
8547 0x947b0001, 0x570075d2, 0xf9bb88f8, 0x8942019e, 0x4264a5ff, 0x856302e0, 0x72dbd92b, 0xee971b69,
8548 0x6ea22fde, 0x5f08ae2b, 0xaf7a616d, 0xe5c98767, 0xcf1febd2, 0x61efc8c2, 0xf1ac2571, 0xcc8239c2,
8549 0x67214cb8, 0xb1e583d1, 0xb7dc3e62, 0x7f10bdce, 0xf90a5c38, 0x0ff0443d, 0x606e6dc6, 0x60543a49,
8550 0x5727c148, 0x2be98a1d, 0x8ab41738, 0x20e1be24, 0xaf96da0f, 0x68458425, 0x99833be5, 0x600d457d,
8551 0x282f9350, 0x8334b362, 0xd91d1120, 0x2b6d8da0, 0x642b1e31, 0x9c305a00, 0x52bce688, 0x1b03588a,
8552 0xf7baefd5, 0x4142ed9c, 0xa4315c11, 0x83323ec5, 0xdfef4636, 0xa133c501, 0xe9d3531c, 0xee353783
8553 ];
8554
8555 sBox[3] = [
8556 0x9db30420, 0x1fb6e9de, 0xa7be7bef, 0xd273a298, 0x4a4f7bdb, 0x64ad8c57, 0x85510443, 0xfa020ed1,
8557 0x7e287aff, 0xe60fb663, 0x095f35a1, 0x79ebf120, 0xfd059d43, 0x6497b7b1, 0xf3641f63, 0x241e4adf,
8558 0x28147f5f, 0x4fa2b8cd, 0xc9430040, 0x0cc32220, 0xfdd30b30, 0xc0a5374f, 0x1d2d00d9, 0x24147b15,
8559 0xee4d111a, 0x0fca5167, 0x71ff904c, 0x2d195ffe, 0x1a05645f, 0x0c13fefe, 0x081b08ca, 0x05170121,
8560 0x80530100, 0xe83e5efe, 0xac9af4f8, 0x7fe72701, 0xd2b8ee5f, 0x06df4261, 0xbb9e9b8a, 0x7293ea25,
8561 0xce84ffdf, 0xf5718801, 0x3dd64b04, 0xa26f263b, 0x7ed48400, 0x547eebe6, 0x446d4ca0, 0x6cf3d6f5,
8562 0x2649abdf, 0xaea0c7f5, 0x36338cc1, 0x503f7e93, 0xd3772061, 0x11b638e1, 0x72500e03, 0xf80eb2bb,
8563 0xabe0502e, 0xec8d77de, 0x57971e81, 0xe14f6746, 0xc9335400, 0x6920318f, 0x081dbb99, 0xffc304a5,
8564 0x4d351805, 0x7f3d5ce3, 0xa6c866c6, 0x5d5bcca9, 0xdaec6fea, 0x9f926f91, 0x9f46222f, 0x3991467d,
8565 0xa5bf6d8e, 0x1143c44f, 0x43958302, 0xd0214eeb, 0x022083b8, 0x3fb6180c, 0x18f8931e, 0x281658e6,
8566 0x26486e3e, 0x8bd78a70, 0x7477e4c1, 0xb506e07c, 0xf32d0a25, 0x79098b02, 0xe4eabb81, 0x28123b23,
8567 0x69dead38, 0x1574ca16, 0xdf871b62, 0x211c40b7, 0xa51a9ef9, 0x0014377b, 0x041e8ac8, 0x09114003,
8568 0xbd59e4d2, 0xe3d156d5, 0x4fe876d5, 0x2f91a340, 0x557be8de, 0x00eae4a7, 0x0ce5c2ec, 0x4db4bba6,
8569 0xe756bdff, 0xdd3369ac, 0xec17b035, 0x06572327, 0x99afc8b0, 0x56c8c391, 0x6b65811c, 0x5e146119,
8570 0x6e85cb75, 0xbe07c002, 0xc2325577, 0x893ff4ec, 0x5bbfc92d, 0xd0ec3b25, 0xb7801ab7, 0x8d6d3b24,
8571 0x20c763ef, 0xc366a5fc, 0x9c382880, 0x0ace3205, 0xaac9548a, 0xeca1d7c7, 0x041afa32, 0x1d16625a,
8572 0x6701902c, 0x9b757a54, 0x31d477f7, 0x9126b031, 0x36cc6fdb, 0xc70b8b46, 0xd9e66a48, 0x56e55a79,
8573 0x026a4ceb, 0x52437eff, 0x2f8f76b4, 0x0df980a5, 0x8674cde3, 0xedda04eb, 0x17a9be04, 0x2c18f4df,
8574 0xb7747f9d, 0xab2af7b4, 0xefc34d20, 0x2e096b7c, 0x1741a254, 0xe5b6a035, 0x213d42f6, 0x2c1c7c26,
8575 0x61c2f50f, 0x6552daf9, 0xd2c231f8, 0x25130f69, 0xd8167fa2, 0x0418f2c8, 0x001a96a6, 0x0d1526ab,
8576 0x63315c21, 0x5e0a72ec, 0x49bafefd, 0x187908d9, 0x8d0dbd86, 0x311170a7, 0x3e9b640c, 0xcc3e10d7,
8577 0xd5cad3b6, 0x0caec388, 0xf73001e1, 0x6c728aff, 0x71eae2a1, 0x1f9af36e, 0xcfcbd12f, 0xc1de8417,
8578 0xac07be6b, 0xcb44a1d8, 0x8b9b0f56, 0x013988c3, 0xb1c52fca, 0xb4be31cd, 0xd8782806, 0x12a3a4e2,
8579 0x6f7de532, 0x58fd7eb6, 0xd01ee900, 0x24adffc2, 0xf4990fc5, 0x9711aac5, 0x001d7b95, 0x82e5e7d2,
8580 0x109873f6, 0x00613096, 0xc32d9521, 0xada121ff, 0x29908415, 0x7fbb977f, 0xaf9eb3db, 0x29c9ed2a,
8581 0x5ce2a465, 0xa730f32c, 0xd0aa3fe8, 0x8a5cc091, 0xd49e2ce7, 0x0ce454a9, 0xd60acd86, 0x015f1919,
8582 0x77079103, 0xdea03af6, 0x78a8565e, 0xdee356df, 0x21f05cbe, 0x8b75e387, 0xb3c50651, 0xb8a5c3ef,
8583 0xd8eeb6d2, 0xe523be77, 0xc2154529, 0x2f69efdf, 0xafe67afb, 0xf470c4b2, 0xf3e0eb5b, 0xd6cc9876,
8584 0x39e4460c, 0x1fda8538, 0x1987832f, 0xca007367, 0xa99144f8, 0x296b299e, 0x492fc295, 0x9266beab,
8585 0xb5676e69, 0x9bd3ddda, 0xdf7e052f, 0xdb25701c, 0x1b5e51ee, 0xf65324e6, 0x6afce36c, 0x0316cc04,
8586 0x8644213e, 0xb7dc59d0, 0x7965291f, 0xccd6fd43, 0x41823979, 0x932bcdf6, 0xb657c34d, 0x4edfd282,
8587 0x7ae5290c, 0x3cb9536b, 0x851e20fe, 0x9833557e, 0x13ecf0b0, 0xd3ffb372, 0x3f85c5c1, 0x0aef7ed2
8588 ];
8589
8590 sBox[4] = [
8591 0x7ec90c04, 0x2c6e74b9, 0x9b0e66df, 0xa6337911, 0xb86a7fff, 0x1dd358f5, 0x44dd9d44, 0x1731167f,
8592 0x08fbf1fa, 0xe7f511cc, 0xd2051b00, 0x735aba00, 0x2ab722d8, 0x386381cb, 0xacf6243a, 0x69befd7a,
8593 0xe6a2e77f, 0xf0c720cd, 0xc4494816, 0xccf5c180, 0x38851640, 0x15b0a848, 0xe68b18cb, 0x4caadeff,
8594 0x5f480a01, 0x0412b2aa, 0x259814fc, 0x41d0efe2, 0x4e40b48d, 0x248eb6fb, 0x8dba1cfe, 0x41a99b02,
8595 0x1a550a04, 0xba8f65cb, 0x7251f4e7, 0x95a51725, 0xc106ecd7, 0x97a5980a, 0xc539b9aa, 0x4d79fe6a,
8596 0xf2f3f763, 0x68af8040, 0xed0c9e56, 0x11b4958b, 0xe1eb5a88, 0x8709e6b0, 0xd7e07156, 0x4e29fea7,
8597 0x6366e52d, 0x02d1c000, 0xc4ac8e05, 0x9377f571, 0x0c05372a, 0x578535f2, 0x2261be02, 0xd642a0c9,
8598 0xdf13a280, 0x74b55bd2, 0x682199c0, 0xd421e5ec, 0x53fb3ce8, 0xc8adedb3, 0x28a87fc9, 0x3d959981,
8599 0x5c1ff900, 0xfe38d399, 0x0c4eff0b, 0x062407ea, 0xaa2f4fb1, 0x4fb96976, 0x90c79505, 0xb0a8a774,
8600 0xef55a1ff, 0xe59ca2c2, 0xa6b62d27, 0xe66a4263, 0xdf65001f, 0x0ec50966, 0xdfdd55bc, 0x29de0655,
8601 0x911e739a, 0x17af8975, 0x32c7911c, 0x89f89468, 0x0d01e980, 0x524755f4, 0x03b63cc9, 0x0cc844b2,
8602 0xbcf3f0aa, 0x87ac36e9, 0xe53a7426, 0x01b3d82b, 0x1a9e7449, 0x64ee2d7e, 0xcddbb1da, 0x01c94910,
8603 0xb868bf80, 0x0d26f3fd, 0x9342ede7, 0x04a5c284, 0x636737b6, 0x50f5b616, 0xf24766e3, 0x8eca36c1,
8604 0x136e05db, 0xfef18391, 0xfb887a37, 0xd6e7f7d4, 0xc7fb7dc9, 0x3063fcdf, 0xb6f589de, 0xec2941da,
8605 0x26e46695, 0xb7566419, 0xf654efc5, 0xd08d58b7, 0x48925401, 0xc1bacb7f, 0xe5ff550f, 0xb6083049,
8606 0x5bb5d0e8, 0x87d72e5a, 0xab6a6ee1, 0x223a66ce, 0xc62bf3cd, 0x9e0885f9, 0x68cb3e47, 0x086c010f,
8607 0xa21de820, 0xd18b69de, 0xf3f65777, 0xfa02c3f6, 0x407edac3, 0xcbb3d550, 0x1793084d, 0xb0d70eba,
8608 0x0ab378d5, 0xd951fb0c, 0xded7da56, 0x4124bbe4, 0x94ca0b56, 0x0f5755d1, 0xe0e1e56e, 0x6184b5be,
8609 0x580a249f, 0x94f74bc0, 0xe327888e, 0x9f7b5561, 0xc3dc0280, 0x05687715, 0x646c6bd7, 0x44904db3,
8610 0x66b4f0a3, 0xc0f1648a, 0x697ed5af, 0x49e92ff6, 0x309e374f, 0x2cb6356a, 0x85808573, 0x4991f840,
8611 0x76f0ae02, 0x083be84d, 0x28421c9a, 0x44489406, 0x736e4cb8, 0xc1092910, 0x8bc95fc6, 0x7d869cf4,
8612 0x134f616f, 0x2e77118d, 0xb31b2be1, 0xaa90b472, 0x3ca5d717, 0x7d161bba, 0x9cad9010, 0xaf462ba2,
8613 0x9fe459d2, 0x45d34559, 0xd9f2da13, 0xdbc65487, 0xf3e4f94e, 0x176d486f, 0x097c13ea, 0x631da5c7,
8614 0x445f7382, 0x175683f4, 0xcdc66a97, 0x70be0288, 0xb3cdcf72, 0x6e5dd2f3, 0x20936079, 0x459b80a5,
8615 0xbe60e2db, 0xa9c23101, 0xeba5315c, 0x224e42f2, 0x1c5c1572, 0xf6721b2c, 0x1ad2fff3, 0x8c25404e,
8616 0x324ed72f, 0x4067b7fd, 0x0523138e, 0x5ca3bc78, 0xdc0fd66e, 0x75922283, 0x784d6b17, 0x58ebb16e,
8617 0x44094f85, 0x3f481d87, 0xfcfeae7b, 0x77b5ff76, 0x8c2302bf, 0xaaf47556, 0x5f46b02a, 0x2b092801,
8618 0x3d38f5f7, 0x0ca81f36, 0x52af4a8a, 0x66d5e7c0, 0xdf3b0874, 0x95055110, 0x1b5ad7a8, 0xf61ed5ad,
8619 0x6cf6e479, 0x20758184, 0xd0cefa65, 0x88f7be58, 0x4a046826, 0x0ff6f8f3, 0xa09c7f70, 0x5346aba0,
8620 0x5ce96c28, 0xe176eda3, 0x6bac307f, 0x376829d2, 0x85360fa9, 0x17e3fe2a, 0x24b79767, 0xf5a96b20,
8621 0xd6cd2595, 0x68ff1ebf, 0x7555442c, 0xf19f06be, 0xf9e0659a, 0xeeb9491d, 0x34010718, 0xbb30cab8,
8622 0xe822fe15, 0x88570983, 0x750e6249, 0xda627e55, 0x5e76ffa8, 0xb1534546, 0x6d47de08, 0xefe9e7d4
8623 ];
8624
8625 sBox[5] = [
8626 0xf6fa8f9d, 0x2cac6ce1, 0x4ca34867, 0xe2337f7c, 0x95db08e7, 0x016843b4, 0xeced5cbc, 0x325553ac,
8627 0xbf9f0960, 0xdfa1e2ed, 0x83f0579d, 0x63ed86b9, 0x1ab6a6b8, 0xde5ebe39, 0xf38ff732, 0x8989b138,
8628 0x33f14961, 0xc01937bd, 0xf506c6da, 0xe4625e7e, 0xa308ea99, 0x4e23e33c, 0x79cbd7cc, 0x48a14367,
8629 0xa3149619, 0xfec94bd5, 0xa114174a, 0xeaa01866, 0xa084db2d, 0x09a8486f, 0xa888614a, 0x2900af98,
8630 0x01665991, 0xe1992863, 0xc8f30c60, 0x2e78ef3c, 0xd0d51932, 0xcf0fec14, 0xf7ca07d2, 0xd0a82072,
8631 0xfd41197e, 0x9305a6b0, 0xe86be3da, 0x74bed3cd, 0x372da53c, 0x4c7f4448, 0xdab5d440, 0x6dba0ec3,
8632 0x083919a7, 0x9fbaeed9, 0x49dbcfb0, 0x4e670c53, 0x5c3d9c01, 0x64bdb941, 0x2c0e636a, 0xba7dd9cd,
8633 0xea6f7388, 0xe70bc762, 0x35f29adb, 0x5c4cdd8d, 0xf0d48d8c, 0xb88153e2, 0x08a19866, 0x1ae2eac8,
8634 0x284caf89, 0xaa928223, 0x9334be53, 0x3b3a21bf, 0x16434be3, 0x9aea3906, 0xefe8c36e, 0xf890cdd9,
8635 0x80226dae, 0xc340a4a3, 0xdf7e9c09, 0xa694a807, 0x5b7c5ecc, 0x221db3a6, 0x9a69a02f, 0x68818a54,
8636 0xceb2296f, 0x53c0843a, 0xfe893655, 0x25bfe68a, 0xb4628abc, 0xcf222ebf, 0x25ac6f48, 0xa9a99387,
8637 0x53bddb65, 0xe76ffbe7, 0xe967fd78, 0x0ba93563, 0x8e342bc1, 0xe8a11be9, 0x4980740d, 0xc8087dfc,
8638 0x8de4bf99, 0xa11101a0, 0x7fd37975, 0xda5a26c0, 0xe81f994f, 0x9528cd89, 0xfd339fed, 0xb87834bf,
8639 0x5f04456d, 0x22258698, 0xc9c4c83b, 0x2dc156be, 0x4f628daa, 0x57f55ec5, 0xe2220abe, 0xd2916ebf,
8640 0x4ec75b95, 0x24f2c3c0, 0x42d15d99, 0xcd0d7fa0, 0x7b6e27ff, 0xa8dc8af0, 0x7345c106, 0xf41e232f,
8641 0x35162386, 0xe6ea8926, 0x3333b094, 0x157ec6f2, 0x372b74af, 0x692573e4, 0xe9a9d848, 0xf3160289,
8642 0x3a62ef1d, 0xa787e238, 0xf3a5f676, 0x74364853, 0x20951063, 0x4576698d, 0xb6fad407, 0x592af950,
8643 0x36f73523, 0x4cfb6e87, 0x7da4cec0, 0x6c152daa, 0xcb0396a8, 0xc50dfe5d, 0xfcd707ab, 0x0921c42f,
8644 0x89dff0bb, 0x5fe2be78, 0x448f4f33, 0x754613c9, 0x2b05d08d, 0x48b9d585, 0xdc049441, 0xc8098f9b,
8645 0x7dede786, 0xc39a3373, 0x42410005, 0x6a091751, 0x0ef3c8a6, 0x890072d6, 0x28207682, 0xa9a9f7be,
8646 0xbf32679d, 0xd45b5b75, 0xb353fd00, 0xcbb0e358, 0x830f220a, 0x1f8fb214, 0xd372cf08, 0xcc3c4a13,
8647 0x8cf63166, 0x061c87be, 0x88c98f88, 0x6062e397, 0x47cf8e7a, 0xb6c85283, 0x3cc2acfb, 0x3fc06976,
8648 0x4e8f0252, 0x64d8314d, 0xda3870e3, 0x1e665459, 0xc10908f0, 0x513021a5, 0x6c5b68b7, 0x822f8aa0,
8649 0x3007cd3e, 0x74719eef, 0xdc872681, 0x073340d4, 0x7e432fd9, 0x0c5ec241, 0x8809286c, 0xf592d891,
8650 0x08a930f6, 0x957ef305, 0xb7fbffbd, 0xc266e96f, 0x6fe4ac98, 0xb173ecc0, 0xbc60b42a, 0x953498da,
8651 0xfba1ae12, 0x2d4bd736, 0x0f25faab, 0xa4f3fceb, 0xe2969123, 0x257f0c3d, 0x9348af49, 0x361400bc,
8652 0xe8816f4a, 0x3814f200, 0xa3f94043, 0x9c7a54c2, 0xbc704f57, 0xda41e7f9, 0xc25ad33a, 0x54f4a084,
8653 0xb17f5505, 0x59357cbe, 0xedbd15c8, 0x7f97c5ab, 0xba5ac7b5, 0xb6f6deaf, 0x3a479c3a, 0x5302da25,
8654 0x653d7e6a, 0x54268d49, 0x51a477ea, 0x5017d55b, 0xd7d25d88, 0x44136c76, 0x0404a8c8, 0xb8e5a121,
8655 0xb81a928a, 0x60ed5869, 0x97c55b96, 0xeaec991b, 0x29935913, 0x01fdb7f1, 0x088e8dfa, 0x9ab6f6f5,
8656 0x3b4cbf9f, 0x4a5de3ab, 0xe6051d35, 0xa0e1d855, 0xd36b4cf1, 0xf544edeb, 0xb0e93524, 0xbebb8fbd,
8657 0xa2d762cf, 0x49c92f54, 0x38b5f331, 0x7128a454, 0x48392905, 0xa65b1db8, 0x851c97bd, 0xd675cf2f
8658 ];
8659
8660 sBox[6] = [
8661 0x85e04019, 0x332bf567, 0x662dbfff, 0xcfc65693, 0x2a8d7f6f, 0xab9bc912, 0xde6008a1, 0x2028da1f,
8662 0x0227bce7, 0x4d642916, 0x18fac300, 0x50f18b82, 0x2cb2cb11, 0xb232e75c, 0x4b3695f2, 0xb28707de,
8663 0xa05fbcf6, 0xcd4181e9, 0xe150210c, 0xe24ef1bd, 0xb168c381, 0xfde4e789, 0x5c79b0d8, 0x1e8bfd43,
8664 0x4d495001, 0x38be4341, 0x913cee1d, 0x92a79c3f, 0x089766be, 0xbaeeadf4, 0x1286becf, 0xb6eacb19,
8665 0x2660c200, 0x7565bde4, 0x64241f7a, 0x8248dca9, 0xc3b3ad66, 0x28136086, 0x0bd8dfa8, 0x356d1cf2,
8666 0x107789be, 0xb3b2e9ce, 0x0502aa8f, 0x0bc0351e, 0x166bf52a, 0xeb12ff82, 0xe3486911, 0xd34d7516,
8667 0x4e7b3aff, 0x5f43671b, 0x9cf6e037, 0x4981ac83, 0x334266ce, 0x8c9341b7, 0xd0d854c0, 0xcb3a6c88,
8668 0x47bc2829, 0x4725ba37, 0xa66ad22b, 0x7ad61f1e, 0x0c5cbafa, 0x4437f107, 0xb6e79962, 0x42d2d816,
8669 0x0a961288, 0xe1a5c06e, 0x13749e67, 0x72fc081a, 0xb1d139f7, 0xf9583745, 0xcf19df58, 0xbec3f756,
8670 0xc06eba30, 0x07211b24, 0x45c28829, 0xc95e317f, 0xbc8ec511, 0x38bc46e9, 0xc6e6fa14, 0xbae8584a,
8671 0xad4ebc46, 0x468f508b, 0x7829435f, 0xf124183b, 0x821dba9f, 0xaff60ff4, 0xea2c4e6d, 0x16e39264,
8672 0x92544a8b, 0x009b4fc3, 0xaba68ced, 0x9ac96f78, 0x06a5b79a, 0xb2856e6e, 0x1aec3ca9, 0xbe838688,
8673 0x0e0804e9, 0x55f1be56, 0xe7e5363b, 0xb3a1f25d, 0xf7debb85, 0x61fe033c, 0x16746233, 0x3c034c28,
8674 0xda6d0c74, 0x79aac56c, 0x3ce4e1ad, 0x51f0c802, 0x98f8f35a, 0x1626a49f, 0xeed82b29, 0x1d382fe3,
8675 0x0c4fb99a, 0xbb325778, 0x3ec6d97b, 0x6e77a6a9, 0xcb658b5c, 0xd45230c7, 0x2bd1408b, 0x60c03eb7,
8676 0xb9068d78, 0xa33754f4, 0xf430c87d, 0xc8a71302, 0xb96d8c32, 0xebd4e7be, 0xbe8b9d2d, 0x7979fb06,
8677 0xe7225308, 0x8b75cf77, 0x11ef8da4, 0xe083c858, 0x8d6b786f, 0x5a6317a6, 0xfa5cf7a0, 0x5dda0033,
8678 0xf28ebfb0, 0xf5b9c310, 0xa0eac280, 0x08b9767a, 0xa3d9d2b0, 0x79d34217, 0x021a718d, 0x9ac6336a,
8679 0x2711fd60, 0x438050e3, 0x069908a8, 0x3d7fedc4, 0x826d2bef, 0x4eeb8476, 0x488dcf25, 0x36c9d566,
8680 0x28e74e41, 0xc2610aca, 0x3d49a9cf, 0xbae3b9df, 0xb65f8de6, 0x92aeaf64, 0x3ac7d5e6, 0x9ea80509,
8681 0xf22b017d, 0xa4173f70, 0xdd1e16c3, 0x15e0d7f9, 0x50b1b887, 0x2b9f4fd5, 0x625aba82, 0x6a017962,
8682 0x2ec01b9c, 0x15488aa9, 0xd716e740, 0x40055a2c, 0x93d29a22, 0xe32dbf9a, 0x058745b9, 0x3453dc1e,
8683 0xd699296e, 0x496cff6f, 0x1c9f4986, 0xdfe2ed07, 0xb87242d1, 0x19de7eae, 0x053e561a, 0x15ad6f8c,
8684 0x66626c1c, 0x7154c24c, 0xea082b2a, 0x93eb2939, 0x17dcb0f0, 0x58d4f2ae, 0x9ea294fb, 0x52cf564c,
8685 0x9883fe66, 0x2ec40581, 0x763953c3, 0x01d6692e, 0xd3a0c108, 0xa1e7160e, 0xe4f2dfa6, 0x693ed285,
8686 0x74904698, 0x4c2b0edd, 0x4f757656, 0x5d393378, 0xa132234f, 0x3d321c5d, 0xc3f5e194, 0x4b269301,
8687 0xc79f022f, 0x3c997e7e, 0x5e4f9504, 0x3ffafbbd, 0x76f7ad0e, 0x296693f4, 0x3d1fce6f, 0xc61e45be,
8688 0xd3b5ab34, 0xf72bf9b7, 0x1b0434c0, 0x4e72b567, 0x5592a33d, 0xb5229301, 0xcfd2a87f, 0x60aeb767,
8689 0x1814386b, 0x30bcc33d, 0x38a0c07d, 0xfd1606f2, 0xc363519b, 0x589dd390, 0x5479f8e6, 0x1cb8d647,
8690 0x97fd61a9, 0xea7759f4, 0x2d57539d, 0x569a58cf, 0xe84e63ad, 0x462e1b78, 0x6580f87e, 0xf3817914,
8691 0x91da55f4, 0x40a230f3, 0xd1988f35, 0xb6e318d2, 0x3ffa50bc, 0x3d40f021, 0xc3c0bdae, 0x4958c24c,
8692 0x518f36b2, 0x84b1d370, 0x0fedce83, 0x878ddada, 0xf2a279c7, 0x94e01be8, 0x90716f4b, 0x954b8aa3
8693 ];
8694
8695 sBox[7] = [
8696 0xe216300d, 0xbbddfffc, 0xa7ebdabd, 0x35648095, 0x7789f8b7, 0xe6c1121b, 0x0e241600, 0x052ce8b5,
8697 0x11a9cfb0, 0xe5952f11, 0xece7990a, 0x9386d174, 0x2a42931c, 0x76e38111, 0xb12def3a, 0x37ddddfc,
8698 0xde9adeb1, 0x0a0cc32c, 0xbe197029, 0x84a00940, 0xbb243a0f, 0xb4d137cf, 0xb44e79f0, 0x049eedfd,
8699 0x0b15a15d, 0x480d3168, 0x8bbbde5a, 0x669ded42, 0xc7ece831, 0x3f8f95e7, 0x72df191b, 0x7580330d,
8700 0x94074251, 0x5c7dcdfa, 0xabbe6d63, 0xaa402164, 0xb301d40a, 0x02e7d1ca, 0x53571dae, 0x7a3182a2,
8701 0x12a8ddec, 0xfdaa335d, 0x176f43e8, 0x71fb46d4, 0x38129022, 0xce949ad4, 0xb84769ad, 0x965bd862,
8702 0x82f3d055, 0x66fb9767, 0x15b80b4e, 0x1d5b47a0, 0x4cfde06f, 0xc28ec4b8, 0x57e8726e, 0x647a78fc,
8703 0x99865d44, 0x608bd593, 0x6c200e03, 0x39dc5ff6, 0x5d0b00a3, 0xae63aff2, 0x7e8bd632, 0x70108c0c,
8704 0xbbd35049, 0x2998df04, 0x980cf42a, 0x9b6df491, 0x9e7edd53, 0x06918548, 0x58cb7e07, 0x3b74ef2e,
8705 0x522fffb1, 0xd24708cc, 0x1c7e27cd, 0xa4eb215b, 0x3cf1d2e2, 0x19b47a38, 0x424f7618, 0x35856039,
8706 0x9d17dee7, 0x27eb35e6, 0xc9aff67b, 0x36baf5b8, 0x09c467cd, 0xc18910b1, 0xe11dbf7b, 0x06cd1af8,
8707 0x7170c608, 0x2d5e3354, 0xd4de495a, 0x64c6d006, 0xbcc0c62c, 0x3dd00db3, 0x708f8f34, 0x77d51b42,
8708 0x264f620f, 0x24b8d2bf, 0x15c1b79e, 0x46a52564, 0xf8d7e54e, 0x3e378160, 0x7895cda5, 0x859c15a5,
8709 0xe6459788, 0xc37bc75f, 0xdb07ba0c, 0x0676a3ab, 0x7f229b1e, 0x31842e7b, 0x24259fd7, 0xf8bef472,
8710 0x835ffcb8, 0x6df4c1f2, 0x96f5b195, 0xfd0af0fc, 0xb0fe134c, 0xe2506d3d, 0x4f9b12ea, 0xf215f225,
8711 0xa223736f, 0x9fb4c428, 0x25d04979, 0x34c713f8, 0xc4618187, 0xea7a6e98, 0x7cd16efc, 0x1436876c,
8712 0xf1544107, 0xbedeee14, 0x56e9af27, 0xa04aa441, 0x3cf7c899, 0x92ecbae6, 0xdd67016d, 0x151682eb,
8713 0xa842eedf, 0xfdba60b4, 0xf1907b75, 0x20e3030f, 0x24d8c29e, 0xe139673b, 0xefa63fb8, 0x71873054,
8714 0xb6f2cf3b, 0x9f326442, 0xcb15a4cc, 0xb01a4504, 0xf1e47d8d, 0x844a1be5, 0xbae7dfdc, 0x42cbda70,
8715 0xcd7dae0a, 0x57e85b7a, 0xd53f5af6, 0x20cf4d8c, 0xcea4d428, 0x79d130a4, 0x3486ebfb, 0x33d3cddc,
8716 0x77853b53, 0x37effcb5, 0xc5068778, 0xe580b3e6, 0x4e68b8f4, 0xc5c8b37e, 0x0d809ea2, 0x398feb7c,
8717 0x132a4f94, 0x43b7950e, 0x2fee7d1c, 0x223613bd, 0xdd06caa2, 0x37df932b, 0xc4248289, 0xacf3ebc3,
8718 0x5715f6b7, 0xef3478dd, 0xf267616f, 0xc148cbe4, 0x9052815e, 0x5e410fab, 0xb48a2465, 0x2eda7fa4,
8719 0xe87b40e4, 0xe98ea084, 0x5889e9e1, 0xefd390fc, 0xdd07d35b, 0xdb485694, 0x38d7e5b2, 0x57720101,
8720 0x730edebc, 0x5b643113, 0x94917e4f, 0x503c2fba, 0x646f1282, 0x7523d24a, 0xe0779695, 0xf9c17a8f,
8721 0x7a5b2121, 0xd187b896, 0x29263a4d, 0xba510cdf, 0x81f47c9f, 0xad1163ed, 0xea7b5965, 0x1a00726e,
8722 0x11403092, 0x00da6d77, 0x4a0cdd61, 0xad1f4603, 0x605bdfb0, 0x9eedc364, 0x22ebe6a8, 0xcee7d28a,
8723 0xa0e736a0, 0x5564a6b9, 0x10853209, 0xc7eb8f37, 0x2de705ca, 0x8951570f, 0xdf09822b, 0xbd691a6c,
8724 0xaa12e4f2, 0x87451c0f, 0xe0f6a27a, 0x3ada4819, 0x4cf1764f, 0x0d771c2b, 0x67cdb156, 0x350d8384,
8725 0x5938fa0f, 0x42399ef3, 0x36997b07, 0x0e84093d, 0x4aa93e61, 0x8360d87b, 0x1fa98b0c, 0x1149382c,
8726 0xe97625a5, 0x0614d1b7, 0x0e25244b, 0x0c768347, 0x589e8d82, 0x0d2059d1, 0xa466bb1e, 0xf8da0a82,
8727 0x04f19130, 0xba6e4ec0, 0x99265164, 0x1ee7230d, 0x50b2ad80, 0xeaee6801, 0x8db2a283, 0xea8bf59e
8728 ];
8729 }
8730
8731 function Cast5(key) {
8732 this.cast5 = new OpenpgpSymencCast5();
8733 this.cast5.setKey(key);
8734
8735 this.encrypt = function(block) {
8736 return this.cast5.encrypt(block);
8737 };
8738 }
8739
8740 Cast5.blockSize = Cast5.prototype.blockSize = 8;
8741 Cast5.keySize = Cast5.prototype.keySize = 16;
8742
8743 /* eslint-disable no-mixed-operators, no-fallthrough */
8744
8745
8746 /* Modified by Recurity Labs GmbH
8747 *
8748 * Cipher.js
8749 * A block-cipher algorithm implementation on JavaScript
8750 * See Cipher.readme.txt for further information.
8751 *
8752 * Copyright(c) 2009 Atsushi Oka [ http://oka.nu/ ]
8753 * This script file is distributed under the LGPL
8754 *
8755 * ACKNOWLEDGMENT
8756 *
8757 * The main subroutines are written by Michiel van Everdingen.
8758 *
8759 * Michiel van Everdingen
8760 * http://home.versatel.nl/MAvanEverdingen/index.html
8761 *
8762 * All rights for these routines are reserved to Michiel van Everdingen.
8763 *
8764 */
8765
8766 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
8767 //Math
8768 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
8769
8770 const MAXINT = 0xFFFFFFFF;
8771
8772 function rotw(w, n) {
8773 return (w << n | w >>> (32 - n)) & MAXINT;
8774 }
8775
8776 function getW(a, i) {
8777 return a[i] | a[i + 1] << 8 | a[i + 2] << 16 | a[i + 3] << 24;
8778 }
8779
8780 function setW(a, i, w) {
8781 a.splice(i, 4, w & 0xFF, (w >>> 8) & 0xFF, (w >>> 16) & 0xFF, (w >>> 24) & 0xFF);
8782 }
8783
8784 function getB(x, n) {
8785 return (x >>> (n * 8)) & 0xFF;
8786 }
8787
8788 // //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
8789 // Twofish
8790 // //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
8791
8792 function createTwofish() {
8793 //
8794 let keyBytes = null;
8795 let dataBytes = null;
8796 let dataOffset = -1;
8797 // var dataLength = -1;
8798 // var idx2 = -1;
8799 //
8800
8801 let tfsKey = [];
8802 let tfsM = [
8803 [],
8804 [],
8805 [],
8806 []
8807 ];
8808
8809 function tfsInit(key) {
8810 keyBytes = key;
8811 let i;
8812 let a;
8813 let b;
8814 let c;
8815 let d;
8816 const meKey = [];
8817 const moKey = [];
8818 const inKey = [];
8819 let kLen;
8820 const sKey = [];
8821 let f01;
8822 let f5b;
8823 let fef;
8824
8825 const q0 = [
8826 [8, 1, 7, 13, 6, 15, 3, 2, 0, 11, 5, 9, 14, 12, 10, 4],
8827 [2, 8, 11, 13, 15, 7, 6, 14, 3, 1, 9, 4, 0, 10, 12, 5]
8828 ];
8829 const q1 = [
8830 [14, 12, 11, 8, 1, 2, 3, 5, 15, 4, 10, 6, 7, 0, 9, 13],
8831 [1, 14, 2, 11, 4, 12, 3, 7, 6, 13, 10, 5, 15, 9, 0, 8]
8832 ];
8833 const q2 = [
8834 [11, 10, 5, 14, 6, 13, 9, 0, 12, 8, 15, 3, 2, 4, 7, 1],
8835 [4, 12, 7, 5, 1, 6, 9, 10, 0, 14, 13, 8, 2, 11, 3, 15]
8836 ];
8837 const q3 = [
8838 [13, 7, 15, 4, 1, 2, 6, 14, 9, 11, 3, 0, 8, 5, 12, 10],
8839 [11, 9, 5, 1, 12, 3, 13, 14, 6, 4, 7, 15, 2, 0, 8, 10]
8840 ];
8841 const ror4 = [0, 8, 1, 9, 2, 10, 3, 11, 4, 12, 5, 13, 6, 14, 7, 15];
8842 const ashx = [0, 9, 2, 11, 4, 13, 6, 15, 8, 1, 10, 3, 12, 5, 14, 7];
8843 const q = [
8844 [],
8845 []
8846 ];
8847 const m = [
8848 [],
8849 [],
8850 [],
8851 []
8852 ];
8853
8854 function ffm5b(x) {
8855 return x ^ (x >> 2) ^ [0, 90, 180, 238][x & 3];
8856 }
8857
8858 function ffmEf(x) {
8859 return x ^ (x >> 1) ^ (x >> 2) ^ [0, 238, 180, 90][x & 3];
8860 }
8861
8862 function mdsRem(p, q) {
8863 let i;
8864 let t;
8865 let u;
8866 for (i = 0; i < 8; i++) {
8867 t = q >>> 24;
8868 q = ((q << 8) & MAXINT) | p >>> 24;
8869 p = (p << 8) & MAXINT;
8870 u = t << 1;
8871 if (t & 128) {
8872 u ^= 333;
8873 }
8874 q ^= t ^ (u << 16);
8875 u ^= t >>> 1;
8876 if (t & 1) {
8877 u ^= 166;
8878 }
8879 q ^= u << 24 | u << 8;
8880 }
8881 return q;
8882 }
8883
8884 function qp(n, x) {
8885 const a = x >> 4;
8886 const b = x & 15;
8887 const c = q0[n][a ^ b];
8888 const d = q1[n][ror4[b] ^ ashx[a]];
8889 return q3[n][ror4[d] ^ ashx[c]] << 4 | q2[n][c ^ d];
8890 }
8891
8892 function hFun(x, key) {
8893 let a = getB(x, 0);
8894 let b = getB(x, 1);
8895 let c = getB(x, 2);
8896 let d = getB(x, 3);
8897 switch (kLen) {
8898 case 4:
8899 a = q[1][a] ^ getB(key[3], 0);
8900 b = q[0][b] ^ getB(key[3], 1);
8901 c = q[0][c] ^ getB(key[3], 2);
8902 d = q[1][d] ^ getB(key[3], 3);
8903 case 3:
8904 a = q[1][a] ^ getB(key[2], 0);
8905 b = q[1][b] ^ getB(key[2], 1);
8906 c = q[0][c] ^ getB(key[2], 2);
8907 d = q[0][d] ^ getB(key[2], 3);
8908 case 2:
8909 a = q[0][q[0][a] ^ getB(key[1], 0)] ^ getB(key[0], 0);
8910 b = q[0][q[1][b] ^ getB(key[1], 1)] ^ getB(key[0], 1);
8911 c = q[1][q[0][c] ^ getB(key[1], 2)] ^ getB(key[0], 2);
8912 d = q[1][q[1][d] ^ getB(key[1], 3)] ^ getB(key[0], 3);
8913 }
8914 return m[0][a] ^ m[1][b] ^ m[2][c] ^ m[3][d];
8915 }
8916
8917 keyBytes = keyBytes.slice(0, 32);
8918 i = keyBytes.length;
8919 while (i !== 16 && i !== 24 && i !== 32) {
8920 keyBytes[i++] = 0;
8921 }
8922
8923 for (i = 0; i < keyBytes.length; i += 4) {
8924 inKey[i >> 2] = getW(keyBytes, i);
8925 }
8926 for (i = 0; i < 256; i++) {
8927 q[0][i] = qp(0, i);
8928 q[1][i] = qp(1, i);
8929 }
8930 for (i = 0; i < 256; i++) {
8931 f01 = q[1][i];
8932 f5b = ffm5b(f01);
8933 fef = ffmEf(f01);
8934 m[0][i] = f01 + (f5b << 8) + (fef << 16) + (fef << 24);
8935 m[2][i] = f5b + (fef << 8) + (f01 << 16) + (fef << 24);
8936 f01 = q[0][i];
8937 f5b = ffm5b(f01);
8938 fef = ffmEf(f01);
8939 m[1][i] = fef + (fef << 8) + (f5b << 16) + (f01 << 24);
8940 m[3][i] = f5b + (f01 << 8) + (fef << 16) + (f5b << 24);
8941 }
8942
8943 kLen = inKey.length / 2;
8944 for (i = 0; i < kLen; i++) {
8945 a = inKey[i + i];
8946 meKey[i] = a;
8947 b = inKey[i + i + 1];
8948 moKey[i] = b;
8949 sKey[kLen - i - 1] = mdsRem(a, b);
8950 }
8951 for (i = 0; i < 40; i += 2) {
8952 a = 0x1010101 * i;
8953 b = a + 0x1010101;
8954 a = hFun(a, meKey);
8955 b = rotw(hFun(b, moKey), 8);
8956 tfsKey[i] = (a + b) & MAXINT;
8957 tfsKey[i + 1] = rotw(a + 2 * b, 9);
8958 }
8959 for (i = 0; i < 256; i++) {
8960 a = b = c = d = i;
8961 switch (kLen) {
8962 case 4:
8963 a = q[1][a] ^ getB(sKey[3], 0);
8964 b = q[0][b] ^ getB(sKey[3], 1);
8965 c = q[0][c] ^ getB(sKey[3], 2);
8966 d = q[1][d] ^ getB(sKey[3], 3);
8967 case 3:
8968 a = q[1][a] ^ getB(sKey[2], 0);
8969 b = q[1][b] ^ getB(sKey[2], 1);
8970 c = q[0][c] ^ getB(sKey[2], 2);
8971 d = q[0][d] ^ getB(sKey[2], 3);
8972 case 2:
8973 tfsM[0][i] = m[0][q[0][q[0][a] ^ getB(sKey[1], 0)] ^ getB(sKey[0], 0)];
8974 tfsM[1][i] = m[1][q[0][q[1][b] ^ getB(sKey[1], 1)] ^ getB(sKey[0], 1)];
8975 tfsM[2][i] = m[2][q[1][q[0][c] ^ getB(sKey[1], 2)] ^ getB(sKey[0], 2)];
8976 tfsM[3][i] = m[3][q[1][q[1][d] ^ getB(sKey[1], 3)] ^ getB(sKey[0], 3)];
8977 }
8978 }
8979 }
8980
8981 function tfsG0(x) {
8982 return tfsM[0][getB(x, 0)] ^ tfsM[1][getB(x, 1)] ^ tfsM[2][getB(x, 2)] ^ tfsM[3][getB(x, 3)];
8983 }
8984
8985 function tfsG1(x) {
8986 return tfsM[0][getB(x, 3)] ^ tfsM[1][getB(x, 0)] ^ tfsM[2][getB(x, 1)] ^ tfsM[3][getB(x, 2)];
8987 }
8988
8989 function tfsFrnd(r, blk) {
8990 let a = tfsG0(blk[0]);
8991 let b = tfsG1(blk[1]);
8992 blk[2] = rotw(blk[2] ^ (a + b + tfsKey[4 * r + 8]) & MAXINT, 31);
8993 blk[3] = rotw(blk[3], 1) ^ (a + 2 * b + tfsKey[4 * r + 9]) & MAXINT;
8994 a = tfsG0(blk[2]);
8995 b = tfsG1(blk[3]);
8996 blk[0] = rotw(blk[0] ^ (a + b + tfsKey[4 * r + 10]) & MAXINT, 31);
8997 blk[1] = rotw(blk[1], 1) ^ (a + 2 * b + tfsKey[4 * r + 11]) & MAXINT;
8998 }
8999
9000 function tfsIrnd(i, blk) {
9001 let a = tfsG0(blk[0]);
9002 let b = tfsG1(blk[1]);
9003 blk[2] = rotw(blk[2], 1) ^ (a + b + tfsKey[4 * i + 10]) & MAXINT;
9004 blk[3] = rotw(blk[3] ^ (a + 2 * b + tfsKey[4 * i + 11]) & MAXINT, 31);
9005 a = tfsG0(blk[2]);
9006 b = tfsG1(blk[3]);
9007 blk[0] = rotw(blk[0], 1) ^ (a + b + tfsKey[4 * i + 8]) & MAXINT;
9008 blk[1] = rotw(blk[1] ^ (a + 2 * b + tfsKey[4 * i + 9]) & MAXINT, 31);
9009 }
9010
9011 function tfsClose() {
9012 tfsKey = [];
9013 tfsM = [
9014 [],
9015 [],
9016 [],
9017 []
9018 ];
9019 }
9020
9021 function tfsEncrypt(data, offset) {
9022 dataBytes = data;
9023 dataOffset = offset;
9024 const blk = [getW(dataBytes, dataOffset) ^ tfsKey[0],
9025 getW(dataBytes, dataOffset + 4) ^ tfsKey[1],
9026 getW(dataBytes, dataOffset + 8) ^ tfsKey[2],
9027 getW(dataBytes, dataOffset + 12) ^ tfsKey[3]];
9028 for (let j = 0; j < 8; j++) {
9029 tfsFrnd(j, blk);
9030 }
9031 setW(dataBytes, dataOffset, blk[2] ^ tfsKey[4]);
9032 setW(dataBytes, dataOffset + 4, blk[3] ^ tfsKey[5]);
9033 setW(dataBytes, dataOffset + 8, blk[0] ^ tfsKey[6]);
9034 setW(dataBytes, dataOffset + 12, blk[1] ^ tfsKey[7]);
9035 dataOffset += 16;
9036 return dataBytes;
9037 }
9038
9039 function tfsDecrypt(data, offset) {
9040 dataBytes = data;
9041 dataOffset = offset;
9042 const blk = [getW(dataBytes, dataOffset) ^ tfsKey[4],
9043 getW(dataBytes, dataOffset + 4) ^ tfsKey[5],
9044 getW(dataBytes, dataOffset + 8) ^ tfsKey[6],
9045 getW(dataBytes, dataOffset + 12) ^ tfsKey[7]];
9046 for (let j = 7; j >= 0; j--) {
9047 tfsIrnd(j, blk);
9048 }
9049 setW(dataBytes, dataOffset, blk[2] ^ tfsKey[0]);
9050 setW(dataBytes, dataOffset + 4, blk[3] ^ tfsKey[1]);
9051 setW(dataBytes, dataOffset + 8, blk[0] ^ tfsKey[2]);
9052 setW(dataBytes, dataOffset + 12, blk[1] ^ tfsKey[3]);
9053 dataOffset += 16;
9054 }
9055
9056 // added by Recurity Labs
9057
9058 function tfsFinal() {
9059 return dataBytes;
9060 }
9061
9062 return {
9063 name: "twofish",
9064 blocksize: 128 / 8,
9065 open: tfsInit,
9066 close: tfsClose,
9067 encrypt: tfsEncrypt,
9068 decrypt: tfsDecrypt,
9069 // added by Recurity Labs
9070 finalize: tfsFinal
9071 };
9072 }
9073
9074 // added by Recurity Labs
9075
9076 function TF(key) {
9077 this.tf = createTwofish();
9078 this.tf.open(Array.from(key), 0);
9079
9080 this.encrypt = function(block) {
9081 return this.tf.encrypt(Array.from(block), 0);
9082 };
9083 }
9084
9085 TF.keySize = TF.prototype.keySize = 32;
9086 TF.blockSize = TF.prototype.blockSize = 16;
9087
9088 /* Modified by Recurity Labs GmbH
9089 *
9090 * Originally written by nklein software (nklein.com)
9091 */
9092
9093 /*
9094 * Javascript implementation based on Bruce Schneier's reference implementation.
9095 *
9096 *
9097 * The constructor doesn't do much of anything. It's just here
9098 * so we can start defining properties and methods and such.
9099 */
9100 function Blowfish() {}
9101
9102 /*
9103 * Declare the block size so that protocols know what size
9104 * Initialization Vector (IV) they will need.
9105 */
9106 Blowfish.prototype.BLOCKSIZE = 8;
9107
9108 /*
9109 * These are the default SBOXES.
9110 */
9111 Blowfish.prototype.SBOXES = [
9112 [
9113 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, 0xb8e1afed, 0x6a267e96,
9114 0xba7c9045, 0xf12c7f99, 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
9115 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, 0x0d95748f, 0x728eb658,
9116 0x718bcd58, 0x82154aee, 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
9117 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, 0x8e79dcb0, 0x603a180e,
9118 0x6c9e0e8b, 0xb01e8a3e, 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
9119 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, 0x55ca396a, 0x2aab10b6,
9120 0xb4cc5c34, 0x1141e8ce, 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
9121 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, 0xafd6ba33, 0x6c24cf5c,
9122 0x7a325381, 0x28958677, 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
9123 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, 0xef845d5d, 0xe98575b1,
9124 0xdc262302, 0xeb651b88, 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
9125 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, 0x21c66842, 0xf6e96c9a,
9126 0x670c9c61, 0xabd388f0, 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
9127 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, 0xa1f1651d, 0x39af0176,
9128 0x66ca593e, 0x82430e88, 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
9129 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, 0x4ed3aa62, 0x363f7706,
9130 0x1bfedf72, 0x429b023d, 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
9131 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, 0xe3fe501a, 0xb6794c3b,
9132 0x976ce0bd, 0x04c006ba, 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
9133 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, 0x6dfc511f, 0x9b30952c,
9134 0xcc814544, 0xaf5ebd09, 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
9135 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, 0x5579c0bd, 0x1a60320a,
9136 0xd6a100c6, 0x402c7279, 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
9137 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, 0x323db5fa, 0xfd238760,
9138 0x53317b48, 0x3e00df82, 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
9139 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, 0x695b27b0, 0xbbca58c8,
9140 0xe1ffa35d, 0xb8f011a0, 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
9141 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, 0xe1ddf2da, 0xa4cb7e33,
9142 0x62fb1341, 0xcee4c6e8, 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
9143 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, 0xd08ed1d0, 0xafc725e0,
9144 0x8e3c5b2f, 0x8e7594b7, 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
9145 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, 0x2f2f2218, 0xbe0e1777,
9146 0xea752dfe, 0x8b021fa1, 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
9147 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, 0x165fa266, 0x80957705,
9148 0x93cc7314, 0x211a1477, 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
9149 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, 0x00250e2d, 0x2071b35e,
9150 0x226800bb, 0x57b8e0af, 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
9151 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, 0x83260376, 0x6295cfa9,
9152 0x11c81968, 0x4e734a41, 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
9153 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, 0x08ba6fb5, 0x571be91f,
9154 0xf296ec6b, 0x2a0dd915, 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
9155 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a
9156 ],
9157 [
9158 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, 0xad6ea6b0, 0x49a7df7d,
9159 0x9cee60b8, 0x8fedb266, 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
9160 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, 0x3f54989a, 0x5b429d65,
9161 0x6b8fe4d6, 0x99f73fd6, 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
9162 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, 0x09686b3f, 0x3ebaefc9,
9163 0x3c971814, 0x6b6a70a1, 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
9164 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, 0xb03ada37, 0xf0500c0d,
9165 0xf01c1f04, 0x0200b3ff, 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
9166 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, 0x3ae5e581, 0x37c2dadc,
9167 0xc8b57634, 0x9af3dda7, 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
9168 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, 0x4e548b38, 0x4f6db908,
9169 0x6f420d03, 0xf60a04bf, 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
9170 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, 0x5512721f, 0x2e6b7124,
9171 0x501adde6, 0x9f84cd87, 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
9172 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, 0xef1c1847, 0x3215d908,
9173 0xdd433b37, 0x24c2ba16, 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
9174 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, 0x043556f1, 0xd7a3c76b,
9175 0x3c11183b, 0x5924a509, 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
9176 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, 0x771fe71c, 0x4e3d06fa,
9177 0x2965dcb9, 0x99e71d0f, 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
9178 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, 0xf2f74ea7, 0x361d2b3d,
9179 0x1939260f, 0x19c27960, 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
9180 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, 0xc332ddef, 0xbe6c5aa5,
9181 0x65582185, 0x68ab9802, 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
9182 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, 0x13cca830, 0xeb61bd96,
9183 0x0334fe1e, 0xaa0363cf, 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
9184 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, 0x648b1eaf, 0x19bdf0ca,
9185 0xa02369b9, 0x655abb50, 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
9186 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, 0xf837889a, 0x97e32d77,
9187 0x11ed935f, 0x16681281, 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
9188 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, 0xcdb30aeb, 0x532e3054,
9189 0x8fd948e4, 0x6dbc3128, 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
9190 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, 0x45eee2b6, 0xa3aaabea,
9191 0xdb6c4f15, 0xfacb4fd0, 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
9192 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, 0xcf62a1f2, 0x5b8d2646,
9193 0xfc8883a0, 0xc1c7b6a3, 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
9194 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, 0x58428d2a, 0x0c55f5ea,
9195 0x1dadf43e, 0x233f7061, 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
9196 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, 0xa6078084, 0x19f8509e,
9197 0xe8efd855, 0x61d99735, 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
9198 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, 0xdb73dbd3, 0x105588cd,
9199 0x675fda79, 0xe3674340, 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
9200 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7
9201 ],
9202 [
9203 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, 0x411520f7, 0x7602d4f7,
9204 0xbcf46b2e, 0xd4a20068, 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
9205 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, 0x4d95fc1d, 0x96b591af,
9206 0x70f4ddd3, 0x66a02f45, 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
9207 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, 0x28507825, 0x530429f4,
9208 0x0a2c86da, 0xe9b66dfb, 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
9209 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, 0xaace1e7c, 0xd3375fec,
9210 0xce78a399, 0x406b2a42, 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
9211 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, 0x3a6efa74, 0xdd5b4332,
9212 0x6841e7f7, 0xca7820fb, 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
9213 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, 0x55a867bc, 0xa1159a58,
9214 0xcca92963, 0x99e1db33, 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
9215 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, 0x95c11548, 0xe4c66d22,
9216 0x48c1133f, 0xc70f86dc, 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
9217 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, 0x257b7834, 0x602a9c60,
9218 0xdff8e8a3, 0x1f636c1b, 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
9219 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, 0x85b2a20e, 0xe6ba0d99,
9220 0xde720c8c, 0x2da2f728, 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
9221 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, 0x0a476341, 0x992eff74,
9222 0x3a6f6eab, 0xf4f8fd37, 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
9223 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, 0xf1290dc7, 0xcc00ffa3,
9224 0xb5390f92, 0x690fed0b, 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
9225 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, 0x37392eb3, 0xcc115979,
9226 0x8026e297, 0xf42e312d, 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
9227 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, 0x1a6b1018, 0x11caedfa,
9228 0x3d25bdd8, 0xe2e1c3c9, 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
9229 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, 0x9dbc8057, 0xf0f7c086,
9230 0x60787bf8, 0x6003604d, 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
9231 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, 0x77a057be, 0xbde8ae24,
9232 0x55464299, 0xbf582e61, 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
9233 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, 0x7aeb2661, 0x8b1ddf84,
9234 0x846a0e79, 0x915f95e2, 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
9235 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, 0xb77f19b6, 0xe0a9dc09,
9236 0x662d09a1, 0xc4324633, 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
9237 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, 0xdcb7da83, 0x573906fe,
9238 0xa1e2ce9b, 0x4fcd7f52, 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
9239 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, 0xf0177a28, 0xc0f586e0,
9240 0x006058aa, 0x30dc7d62, 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
9241 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, 0x6f05e409, 0x4b7c0188,
9242 0x39720a3d, 0x7c927c24, 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
9243 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, 0x1e50ef5e, 0xb161e6f8,
9244 0xa28514d9, 0x6c51133c, 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
9245 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0
9246 ],
9247 [
9248 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, 0x5cb0679e, 0x4fa33742,
9249 0xd3822740, 0x99bc9bbe, 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
9250 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, 0x5748ab2f, 0xbc946e79,
9251 0xc6a376d2, 0x6549c2c8, 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
9252 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, 0xa1fad5f0, 0x6a2d519a,
9253 0x63ef8ce2, 0x9a86ee22, 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
9254 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, 0x2826a2f9, 0xa73a3ae1,
9255 0x4ba99586, 0xef5562e9, 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
9256 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, 0xe990fd5a, 0x9e34d797,
9257 0x2cf0b7d9, 0x022b8b51, 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
9258 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, 0xe029ac71, 0xe019a5e6,
9259 0x47b0acfd, 0xed93fa9b, 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
9260 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, 0x15056dd4, 0x88f46dba,
9261 0x03a16125, 0x0564f0bd, 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
9262 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, 0x7533d928, 0xb155fdf5,
9263 0x03563482, 0x8aba3cbb, 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
9264 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, 0xea7a90c2, 0xfb3e7bce,
9265 0x5121ce64, 0x774fbe32, 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
9266 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, 0xb39a460a, 0x6445c0dd,
9267 0x586cdecf, 0x1c20c8ae, 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
9268 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, 0x72eacea8, 0xfa6484bb,
9269 0x8d6612ae, 0xbf3c6f47, 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
9270 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, 0x4040cb08, 0x4eb4e2cc,
9271 0x34d2466a, 0x0115af84, 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
9272 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, 0x611560b1, 0xe7933fdc,
9273 0xbb3a792b, 0x344525bd, 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
9274 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, 0x1a908749, 0xd44fbd9a,
9275 0xd0dadecb, 0xd50ada38, 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
9276 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, 0xbf97222c, 0x15e6fc2a,
9277 0x0f91fc71, 0x9b941525, 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
9278 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, 0xe0ec6e0e, 0x1698db3b,
9279 0x4c98a0be, 0x3278e964, 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
9280 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, 0xdf359f8d, 0x9b992f2e,
9281 0xe60b6f47, 0x0fe3f11d, 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
9282 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, 0xf523f357, 0xa6327623,
9283 0x93a83531, 0x56cccd02, 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
9284 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, 0xe6c6c7bd, 0x327a140a,
9285 0x45e1d006, 0xc3f27b9a, 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
9286 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, 0x53113ec0, 0x1640e3d3,
9287 0x38abbd60, 0x2547adf0, 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
9288 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, 0x1948c25c, 0x02fb8a8c,
9289 0x01c36ae4, 0xd6ebe1f9, 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
9290 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6
9291 ]
9292 ];
9293
9294 //*
9295 //* This is the default PARRAY
9296 //*
9297 Blowfish.prototype.PARRAY = [
9298 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, 0xa4093822, 0x299f31d0,
9299 0x082efa98, 0xec4e6c89, 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
9300 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, 0x9216d5d9, 0x8979fb1b
9301 ];
9302
9303 //*
9304 //* This is the number of rounds the cipher will go
9305 //*
9306 Blowfish.prototype.NN = 16;
9307
9308 //*
9309 //* This function is needed to get rid of problems
9310 //* with the high-bit getting set. If we don't do
9311 //* this, then sometimes ( aa & 0x00FFFFFFFF ) is not
9312 //* equal to ( bb & 0x00FFFFFFFF ) even when they
9313 //* agree bit-for-bit for the first 32 bits.
9314 //*
9315 Blowfish.prototype._clean = function(xx) {
9316 if (xx < 0) {
9317 const yy = xx & 0x7FFFFFFF;
9318 xx = yy + 0x80000000;
9319 }
9320 return xx;
9321 };
9322
9323 //*
9324 //* This is the mixing function that uses the sboxes
9325 //*
9326 Blowfish.prototype._F = function(xx) {
9327 let yy;
9328
9329 const dd = xx & 0x00FF;
9330 xx >>>= 8;
9331 const cc = xx & 0x00FF;
9332 xx >>>= 8;
9333 const bb = xx & 0x00FF;
9334 xx >>>= 8;
9335 const aa = xx & 0x00FF;
9336
9337 yy = this.sboxes[0][aa] + this.sboxes[1][bb];
9338 yy ^= this.sboxes[2][cc];
9339 yy += this.sboxes[3][dd];
9340
9341 return yy;
9342 };
9343
9344 //*
9345 //* This method takes an array with two values, left and right
9346 //* and does NN rounds of Blowfish on them.
9347 //*
9348 Blowfish.prototype._encrypt_block = function(vals) {
9349 let dataL = vals[0];
9350 let dataR = vals[1];
9351
9352 let ii;
9353
9354 for (ii = 0; ii < this.NN; ++ii) {
9355 dataL ^= this.parray[ii];
9356 dataR = this._F(dataL) ^ dataR;
9357
9358 const tmp = dataL;
9359 dataL = dataR;
9360 dataR = tmp;
9361 }
9362
9363 dataL ^= this.parray[this.NN + 0];
9364 dataR ^= this.parray[this.NN + 1];
9365
9366 vals[0] = this._clean(dataR);
9367 vals[1] = this._clean(dataL);
9368 };
9369
9370 //*
9371 //* This method takes a vector of numbers and turns them
9372 //* into long words so that they can be processed by the
9373 //* real algorithm.
9374 //*
9375 //* Maybe I should make the real algorithm above take a vector
9376 //* instead. That will involve more looping, but it won't require
9377 //* the F() method to deconstruct the vector.
9378 //*
9379 Blowfish.prototype.encrypt_block = function(vector) {
9380 let ii;
9381 const vals = [0, 0];
9382 const off = this.BLOCKSIZE / 2;
9383 for (ii = 0; ii < this.BLOCKSIZE / 2; ++ii) {
9384 vals[0] = (vals[0] << 8) | (vector[ii + 0] & 0x00FF);
9385 vals[1] = (vals[1] << 8) | (vector[ii + off] & 0x00FF);
9386 }
9387
9388 this._encrypt_block(vals);
9389
9390 const ret = [];
9391 for (ii = 0; ii < this.BLOCKSIZE / 2; ++ii) {
9392 ret[ii + 0] = ((vals[0] >>> (24 - 8 * (ii))) & 0x00FF);
9393 ret[ii + off] = ((vals[1] >>> (24 - 8 * (ii))) & 0x00FF);
9394 // vals[ 0 ] = ( vals[ 0 ] >>> 8 );
9395 // vals[ 1 ] = ( vals[ 1 ] >>> 8 );
9396 }
9397
9398 return ret;
9399 };
9400
9401 //*
9402 //* This method takes an array with two values, left and right
9403 //* and undoes NN rounds of Blowfish on them.
9404 //*
9405 Blowfish.prototype._decrypt_block = function(vals) {
9406 let dataL = vals[0];
9407 let dataR = vals[1];
9408
9409 let ii;
9410
9411 for (ii = this.NN + 1; ii > 1; --ii) {
9412 dataL ^= this.parray[ii];
9413 dataR = this._F(dataL) ^ dataR;
9414
9415 const tmp = dataL;
9416 dataL = dataR;
9417 dataR = tmp;
9418 }
9419
9420 dataL ^= this.parray[1];
9421 dataR ^= this.parray[0];
9422
9423 vals[0] = this._clean(dataR);
9424 vals[1] = this._clean(dataL);
9425 };
9426
9427 //*
9428 //* This method takes a key array and initializes the
9429 //* sboxes and parray for this encryption.
9430 //*
9431 Blowfish.prototype.init = function(key) {
9432 let ii;
9433 let jj = 0;
9434
9435 this.parray = [];
9436 for (ii = 0; ii < this.NN + 2; ++ii) {
9437 let data = 0x00000000;
9438 for (let kk = 0; kk < 4; ++kk) {
9439 data = (data << 8) | (key[jj] & 0x00FF);
9440 if (++jj >= key.length) {
9441 jj = 0;
9442 }
9443 }
9444 this.parray[ii] = this.PARRAY[ii] ^ data;
9445 }
9446
9447 this.sboxes = [];
9448 for (ii = 0; ii < 4; ++ii) {
9449 this.sboxes[ii] = [];
9450 for (jj = 0; jj < 256; ++jj) {
9451 this.sboxes[ii][jj] = this.SBOXES[ii][jj];
9452 }
9453 }
9454
9455 const vals = [0x00000000, 0x00000000];
9456
9457 for (ii = 0; ii < this.NN + 2; ii += 2) {
9458 this._encrypt_block(vals);
9459 this.parray[ii + 0] = vals[0];
9460 this.parray[ii + 1] = vals[1];
9461 }
9462
9463 for (ii = 0; ii < 4; ++ii) {
9464 for (jj = 0; jj < 256; jj += 2) {
9465 this._encrypt_block(vals);
9466 this.sboxes[ii][jj + 0] = vals[0];
9467 this.sboxes[ii][jj + 1] = vals[1];
9468 }
9469 }
9470 };
9471
9472 // added by Recurity Labs
9473 function BF(key) {
9474 this.bf = new Blowfish();
9475 this.bf.init(key);
9476
9477 this.encrypt = function(block) {
9478 return this.bf.encrypt_block(block);
9479 };
9480 }
9481
9482 BF.keySize = BF.prototype.keySize = 16;
9483 BF.blockSize = BF.prototype.blockSize = 8;
9484
9485 /**
9486 * @fileoverview Symmetric cryptography functions
9487 * @module crypto/cipher
9488 * @private
9489 */
9490
9491 /**
9492 * AES-128 encryption and decryption (ID 7)
9493 * @function
9494 * @param {String} key - 128-bit key
9495 * @see {@link https://github.com/asmcrypto/asmcrypto.js|asmCrypto}
9496 * @see {@link https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf|NIST FIPS-197}
9497 * @returns {Object}
9498 */
9499 const aes128 = aes(128);
9500 /**
9501 * AES-128 Block Cipher (ID 8)
9502 * @function
9503 * @param {String} key - 192-bit key
9504 * @see {@link https://github.com/asmcrypto/asmcrypto.js|asmCrypto}
9505 * @see {@link https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf|NIST FIPS-197}
9506 * @returns {Object}
9507 */
9508 const aes192 = aes(192);
9509 /**
9510 * AES-128 Block Cipher (ID 9)
9511 * @function
9512 * @param {String} key - 256-bit key
9513 * @see {@link https://github.com/asmcrypto/asmcrypto.js|asmCrypto}
9514 * @see {@link https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf|NIST FIPS-197}
9515 * @returns {Object}
9516 */
9517 const aes256 = aes(256);
9518 // Not in OpenPGP specifications
9519 const des$1 = DES;
9520 /**
9521 * Triple DES Block Cipher (ID 2)
9522 * @function
9523 * @param {String} key - 192-bit key
9524 * @see {@link https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-67r2.pdf|NIST SP 800-67}
9525 * @returns {Object}
9526 */
9527 const tripledes = TripleDES;
9528 /**
9529 * CAST-128 Block Cipher (ID 3)
9530 * @function
9531 * @param {String} key - 128-bit key
9532 * @see {@link https://tools.ietf.org/html/rfc2144|The CAST-128 Encryption Algorithm}
9533 * @returns {Object}
9534 */
9535 const cast5 = Cast5;
9536 /**
9537 * Twofish Block Cipher (ID 10)
9538 * @function
9539 * @param {String} key - 256-bit key
9540 * @see {@link https://tools.ietf.org/html/rfc4880#ref-TWOFISH|TWOFISH}
9541 * @returns {Object}
9542 */
9543 const twofish = TF;
9544 /**
9545 * Blowfish Block Cipher (ID 4)
9546 * @function
9547 * @param {String} key - 128-bit key
9548 * @see {@link https://tools.ietf.org/html/rfc4880#ref-BLOWFISH|BLOWFISH}
9549 * @returns {Object}
9550 */
9551 const blowfish = BF;
9552 /**
9553 * Not implemented
9554 * @function
9555 * @throws {Error}
9556 */
9557 const idea = function() {
9558 throw new Error('IDEA symmetric-key algorithm not implemented');
9559 };
9560
9561 var cipher = /*#__PURE__*/Object.freeze({
9562 __proto__: null,
9563 aes128: aes128,
9564 aes192: aes192,
9565 aes256: aes256,
9566 des: des$1,
9567 tripledes: tripledes,
9568 cast5: cast5,
9569 twofish: twofish,
9570 blowfish: blowfish,
9571 idea: idea
9572 });
9573
9574 var sha1_asm = function ( stdlib, foreign, buffer ) {
9575 "use asm";
9576
9577 // SHA256 state
9578 var H0 = 0, H1 = 0, H2 = 0, H3 = 0, H4 = 0,
9579 TOTAL0 = 0, TOTAL1 = 0;
9580
9581 // HMAC state
9582 var I0 = 0, I1 = 0, I2 = 0, I3 = 0, I4 = 0,
9583 O0 = 0, O1 = 0, O2 = 0, O3 = 0, O4 = 0;
9584
9585 // I/O buffer
9586 var HEAP = new stdlib.Uint8Array(buffer);
9587
9588 function _core ( w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11, w12, w13, w14, w15 ) {
9589 w0 = w0|0;
9590 w1 = w1|0;
9591 w2 = w2|0;
9592 w3 = w3|0;
9593 w4 = w4|0;
9594 w5 = w5|0;
9595 w6 = w6|0;
9596 w7 = w7|0;
9597 w8 = w8|0;
9598 w9 = w9|0;
9599 w10 = w10|0;
9600 w11 = w11|0;
9601 w12 = w12|0;
9602 w13 = w13|0;
9603 w14 = w14|0;
9604 w15 = w15|0;
9605
9606 var a = 0, b = 0, c = 0, d = 0, e = 0, n = 0, t = 0,
9607 w16 = 0, w17 = 0, w18 = 0, w19 = 0,
9608 w20 = 0, w21 = 0, w22 = 0, w23 = 0, w24 = 0, w25 = 0, w26 = 0, w27 = 0, w28 = 0, w29 = 0,
9609 w30 = 0, w31 = 0, w32 = 0, w33 = 0, w34 = 0, w35 = 0, w36 = 0, w37 = 0, w38 = 0, w39 = 0,
9610 w40 = 0, w41 = 0, w42 = 0, w43 = 0, w44 = 0, w45 = 0, w46 = 0, w47 = 0, w48 = 0, w49 = 0,
9611 w50 = 0, w51 = 0, w52 = 0, w53 = 0, w54 = 0, w55 = 0, w56 = 0, w57 = 0, w58 = 0, w59 = 0,
9612 w60 = 0, w61 = 0, w62 = 0, w63 = 0, w64 = 0, w65 = 0, w66 = 0, w67 = 0, w68 = 0, w69 = 0,
9613 w70 = 0, w71 = 0, w72 = 0, w73 = 0, w74 = 0, w75 = 0, w76 = 0, w77 = 0, w78 = 0, w79 = 0;
9614
9615 a = H0;
9616 b = H1;
9617 c = H2;
9618 d = H3;
9619 e = H4;
9620
9621 // 0
9622 t = ( w0 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9623 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9624
9625 // 1
9626 t = ( w1 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9627 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9628
9629 // 2
9630 t = ( w2 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9631 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9632
9633 // 3
9634 t = ( w3 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9635 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9636
9637 // 4
9638 t = ( w4 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9639 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9640
9641 // 5
9642 t = ( w5 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9643 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9644
9645 // 6
9646 t = ( w6 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9647 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9648
9649 // 7
9650 t = ( w7 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9651 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9652
9653 // 8
9654 t = ( w8 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9655 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9656
9657 // 9
9658 t = ( w9 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9659 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9660
9661 // 10
9662 t = ( w10 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9663 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9664
9665 // 11
9666 t = ( w11 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9667 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9668
9669 // 12
9670 t = ( w12 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9671 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9672
9673 // 13
9674 t = ( w13 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9675 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9676
9677 // 14
9678 t = ( w14 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9679 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9680
9681 // 15
9682 t = ( w15 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9683 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9684
9685 // 16
9686 n = w13 ^ w8 ^ w2 ^ w0;
9687 w16 = (n << 1) | (n >>> 31);
9688 t = (w16 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9689 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9690
9691 // 17
9692 n = w14 ^ w9 ^ w3 ^ w1;
9693 w17 = (n << 1) | (n >>> 31);
9694 t = (w17 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9695 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9696
9697 // 18
9698 n = w15 ^ w10 ^ w4 ^ w2;
9699 w18 = (n << 1) | (n >>> 31);
9700 t = (w18 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9701 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9702
9703 // 19
9704 n = w16 ^ w11 ^ w5 ^ w3;
9705 w19 = (n << 1) | (n >>> 31);
9706 t = (w19 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (~b & d)) + 0x5a827999 )|0;
9707 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9708
9709 // 20
9710 n = w17 ^ w12 ^ w6 ^ w4;
9711 w20 = (n << 1) | (n >>> 31);
9712 t = (w20 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9713 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9714
9715 // 21
9716 n = w18 ^ w13 ^ w7 ^ w5;
9717 w21 = (n << 1) | (n >>> 31);
9718 t = (w21 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9719 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9720
9721 // 22
9722 n = w19 ^ w14 ^ w8 ^ w6;
9723 w22 = (n << 1) | (n >>> 31);
9724 t = (w22 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9725 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9726
9727 // 23
9728 n = w20 ^ w15 ^ w9 ^ w7;
9729 w23 = (n << 1) | (n >>> 31);
9730 t = (w23 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9731 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9732
9733 // 24
9734 n = w21 ^ w16 ^ w10 ^ w8;
9735 w24 = (n << 1) | (n >>> 31);
9736 t = (w24 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9737 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9738
9739 // 25
9740 n = w22 ^ w17 ^ w11 ^ w9;
9741 w25 = (n << 1) | (n >>> 31);
9742 t = (w25 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9743 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9744
9745 // 26
9746 n = w23 ^ w18 ^ w12 ^ w10;
9747 w26 = (n << 1) | (n >>> 31);
9748 t = (w26 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9749 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9750
9751 // 27
9752 n = w24 ^ w19 ^ w13 ^ w11;
9753 w27 = (n << 1) | (n >>> 31);
9754 t = (w27 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9755 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9756
9757 // 28
9758 n = w25 ^ w20 ^ w14 ^ w12;
9759 w28 = (n << 1) | (n >>> 31);
9760 t = (w28 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9761 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9762
9763 // 29
9764 n = w26 ^ w21 ^ w15 ^ w13;
9765 w29 = (n << 1) | (n >>> 31);
9766 t = (w29 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9767 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9768
9769 // 30
9770 n = w27 ^ w22 ^ w16 ^ w14;
9771 w30 = (n << 1) | (n >>> 31);
9772 t = (w30 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9773 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9774
9775 // 31
9776 n = w28 ^ w23 ^ w17 ^ w15;
9777 w31 = (n << 1) | (n >>> 31);
9778 t = (w31 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9779 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9780
9781 // 32
9782 n = w29 ^ w24 ^ w18 ^ w16;
9783 w32 = (n << 1) | (n >>> 31);
9784 t = (w32 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9785 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9786
9787 // 33
9788 n = w30 ^ w25 ^ w19 ^ w17;
9789 w33 = (n << 1) | (n >>> 31);
9790 t = (w33 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9791 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9792
9793 // 34
9794 n = w31 ^ w26 ^ w20 ^ w18;
9795 w34 = (n << 1) | (n >>> 31);
9796 t = (w34 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9797 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9798
9799 // 35
9800 n = w32 ^ w27 ^ w21 ^ w19;
9801 w35 = (n << 1) | (n >>> 31);
9802 t = (w35 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9803 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9804
9805 // 36
9806 n = w33 ^ w28 ^ w22 ^ w20;
9807 w36 = (n << 1) | (n >>> 31);
9808 t = (w36 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9809 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9810
9811 // 37
9812 n = w34 ^ w29 ^ w23 ^ w21;
9813 w37 = (n << 1) | (n >>> 31);
9814 t = (w37 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9815 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9816
9817 // 38
9818 n = w35 ^ w30 ^ w24 ^ w22;
9819 w38 = (n << 1) | (n >>> 31);
9820 t = (w38 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9821 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9822
9823 // 39
9824 n = w36 ^ w31 ^ w25 ^ w23;
9825 w39 = (n << 1) | (n >>> 31);
9826 t = (w39 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) + 0x6ed9eba1 )|0;
9827 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9828
9829 // 40
9830 n = w37 ^ w32 ^ w26 ^ w24;
9831 w40 = (n << 1) | (n >>> 31);
9832 t = (w40 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9833 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9834
9835 // 41
9836 n = w38 ^ w33 ^ w27 ^ w25;
9837 w41 = (n << 1) | (n >>> 31);
9838 t = (w41 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9839 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9840
9841 // 42
9842 n = w39 ^ w34 ^ w28 ^ w26;
9843 w42 = (n << 1) | (n >>> 31);
9844 t = (w42 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9845 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9846
9847 // 43
9848 n = w40 ^ w35 ^ w29 ^ w27;
9849 w43 = (n << 1) | (n >>> 31);
9850 t = (w43 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9851 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9852
9853 // 44
9854 n = w41 ^ w36 ^ w30 ^ w28;
9855 w44 = (n << 1) | (n >>> 31);
9856 t = (w44 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9857 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9858
9859 // 45
9860 n = w42 ^ w37 ^ w31 ^ w29;
9861 w45 = (n << 1) | (n >>> 31);
9862 t = (w45 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9863 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9864
9865 // 46
9866 n = w43 ^ w38 ^ w32 ^ w30;
9867 w46 = (n << 1) | (n >>> 31);
9868 t = (w46 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9869 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9870
9871 // 47
9872 n = w44 ^ w39 ^ w33 ^ w31;
9873 w47 = (n << 1) | (n >>> 31);
9874 t = (w47 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9875 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9876
9877 // 48
9878 n = w45 ^ w40 ^ w34 ^ w32;
9879 w48 = (n << 1) | (n >>> 31);
9880 t = (w48 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9881 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9882
9883 // 49
9884 n = w46 ^ w41 ^ w35 ^ w33;
9885 w49 = (n << 1) | (n >>> 31);
9886 t = (w49 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9887 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9888
9889 // 50
9890 n = w47 ^ w42 ^ w36 ^ w34;
9891 w50 = (n << 1) | (n >>> 31);
9892 t = (w50 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9893 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9894
9895 // 51
9896 n = w48 ^ w43 ^ w37 ^ w35;
9897 w51 = (n << 1) | (n >>> 31);
9898 t = (w51 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9899 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9900
9901 // 52
9902 n = w49 ^ w44 ^ w38 ^ w36;
9903 w52 = (n << 1) | (n >>> 31);
9904 t = (w52 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9905 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9906
9907 // 53
9908 n = w50 ^ w45 ^ w39 ^ w37;
9909 w53 = (n << 1) | (n >>> 31);
9910 t = (w53 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9911 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9912
9913 // 54
9914 n = w51 ^ w46 ^ w40 ^ w38;
9915 w54 = (n << 1) | (n >>> 31);
9916 t = (w54 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9917 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9918
9919 // 55
9920 n = w52 ^ w47 ^ w41 ^ w39;
9921 w55 = (n << 1) | (n >>> 31);
9922 t = (w55 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9923 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9924
9925 // 56
9926 n = w53 ^ w48 ^ w42 ^ w40;
9927 w56 = (n << 1) | (n >>> 31);
9928 t = (w56 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9929 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9930
9931 // 57
9932 n = w54 ^ w49 ^ w43 ^ w41;
9933 w57 = (n << 1) | (n >>> 31);
9934 t = (w57 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9935 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9936
9937 // 58
9938 n = w55 ^ w50 ^ w44 ^ w42;
9939 w58 = (n << 1) | (n >>> 31);
9940 t = (w58 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9941 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9942
9943 // 59
9944 n = w56 ^ w51 ^ w45 ^ w43;
9945 w59 = (n << 1) | (n >>> 31);
9946 t = (w59 + ((a << 5) | (a >>> 27)) + e + ((b & c) | (b & d) | (c & d)) - 0x70e44324 )|0;
9947 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9948
9949 // 60
9950 n = w57 ^ w52 ^ w46 ^ w44;
9951 w60 = (n << 1) | (n >>> 31);
9952 t = (w60 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
9953 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9954
9955 // 61
9956 n = w58 ^ w53 ^ w47 ^ w45;
9957 w61 = (n << 1) | (n >>> 31);
9958 t = (w61 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
9959 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9960
9961 // 62
9962 n = w59 ^ w54 ^ w48 ^ w46;
9963 w62 = (n << 1) | (n >>> 31);
9964 t = (w62 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
9965 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9966
9967 // 63
9968 n = w60 ^ w55 ^ w49 ^ w47;
9969 w63 = (n << 1) | (n >>> 31);
9970 t = (w63 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
9971 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9972
9973 // 64
9974 n = w61 ^ w56 ^ w50 ^ w48;
9975 w64 = (n << 1) | (n >>> 31);
9976 t = (w64 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
9977 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9978
9979 // 65
9980 n = w62 ^ w57 ^ w51 ^ w49;
9981 w65 = (n << 1) | (n >>> 31);
9982 t = (w65 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
9983 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9984
9985 // 66
9986 n = w63 ^ w58 ^ w52 ^ w50;
9987 w66 = (n << 1) | (n >>> 31);
9988 t = (w66 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
9989 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9990
9991 // 67
9992 n = w64 ^ w59 ^ w53 ^ w51;
9993 w67 = (n << 1) | (n >>> 31);
9994 t = (w67 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
9995 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
9996
9997 // 68
9998 n = w65 ^ w60 ^ w54 ^ w52;
9999 w68 = (n << 1) | (n >>> 31);
10000 t = (w68 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
10001 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
10002
10003 // 69
10004 n = w66 ^ w61 ^ w55 ^ w53;
10005 w69 = (n << 1) | (n >>> 31);
10006 t = (w69 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
10007 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
10008
10009 // 70
10010 n = w67 ^ w62 ^ w56 ^ w54;
10011 w70 = (n << 1) | (n >>> 31);
10012 t = (w70 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
10013 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
10014
10015 // 71
10016 n = w68 ^ w63 ^ w57 ^ w55;
10017 w71 = (n << 1) | (n >>> 31);
10018 t = (w71 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
10019 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
10020
10021 // 72
10022 n = w69 ^ w64 ^ w58 ^ w56;
10023 w72 = (n << 1) | (n >>> 31);
10024 t = (w72 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
10025 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
10026
10027 // 73
10028 n = w70 ^ w65 ^ w59 ^ w57;
10029 w73 = (n << 1) | (n >>> 31);
10030 t = (w73 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
10031 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
10032
10033 // 74
10034 n = w71 ^ w66 ^ w60 ^ w58;
10035 w74 = (n << 1) | (n >>> 31);
10036 t = (w74 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
10037 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
10038
10039 // 75
10040 n = w72 ^ w67 ^ w61 ^ w59;
10041 w75 = (n << 1) | (n >>> 31);
10042 t = (w75 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
10043 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
10044
10045 // 76
10046 n = w73 ^ w68 ^ w62 ^ w60;
10047 w76 = (n << 1) | (n >>> 31);
10048 t = (w76 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
10049 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
10050
10051 // 77
10052 n = w74 ^ w69 ^ w63 ^ w61;
10053 w77 = (n << 1) | (n >>> 31);
10054 t = (w77 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
10055 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
10056
10057 // 78
10058 n = w75 ^ w70 ^ w64 ^ w62;
10059 w78 = (n << 1) | (n >>> 31);
10060 t = (w78 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
10061 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
10062
10063 // 79
10064 n = w76 ^ w71 ^ w65 ^ w63;
10065 w79 = (n << 1) | (n >>> 31);
10066 t = (w79 + ((a << 5) | (a >>> 27)) + e + (b ^ c ^ d) - 0x359d3e2a )|0;
10067 e = d; d = c; c = (b << 30) | (b >>> 2); b = a; a = t;
10068
10069 H0 = ( H0 + a )|0;
10070 H1 = ( H1 + b )|0;
10071 H2 = ( H2 + c )|0;
10072 H3 = ( H3 + d )|0;
10073 H4 = ( H4 + e )|0;
10074
10075 }
10076
10077 function _core_heap ( offset ) {
10078 offset = offset|0;
10079
10080 _core(
10081 HEAP[offset|0]<<24 | HEAP[offset|1]<<16 | HEAP[offset|2]<<8 | HEAP[offset|3],
10082 HEAP[offset|4]<<24 | HEAP[offset|5]<<16 | HEAP[offset|6]<<8 | HEAP[offset|7],
10083 HEAP[offset|8]<<24 | HEAP[offset|9]<<16 | HEAP[offset|10]<<8 | HEAP[offset|11],
10084 HEAP[offset|12]<<24 | HEAP[offset|13]<<16 | HEAP[offset|14]<<8 | HEAP[offset|15],
10085 HEAP[offset|16]<<24 | HEAP[offset|17]<<16 | HEAP[offset|18]<<8 | HEAP[offset|19],
10086 HEAP[offset|20]<<24 | HEAP[offset|21]<<16 | HEAP[offset|22]<<8 | HEAP[offset|23],
10087 HEAP[offset|24]<<24 | HEAP[offset|25]<<16 | HEAP[offset|26]<<8 | HEAP[offset|27],
10088 HEAP[offset|28]<<24 | HEAP[offset|29]<<16 | HEAP[offset|30]<<8 | HEAP[offset|31],
10089 HEAP[offset|32]<<24 | HEAP[offset|33]<<16 | HEAP[offset|34]<<8 | HEAP[offset|35],
10090 HEAP[offset|36]<<24 | HEAP[offset|37]<<16 | HEAP[offset|38]<<8 | HEAP[offset|39],
10091 HEAP[offset|40]<<24 | HEAP[offset|41]<<16 | HEAP[offset|42]<<8 | HEAP[offset|43],
10092 HEAP[offset|44]<<24 | HEAP[offset|45]<<16 | HEAP[offset|46]<<8 | HEAP[offset|47],
10093 HEAP[offset|48]<<24 | HEAP[offset|49]<<16 | HEAP[offset|50]<<8 | HEAP[offset|51],
10094 HEAP[offset|52]<<24 | HEAP[offset|53]<<16 | HEAP[offset|54]<<8 | HEAP[offset|55],
10095 HEAP[offset|56]<<24 | HEAP[offset|57]<<16 | HEAP[offset|58]<<8 | HEAP[offset|59],
10096 HEAP[offset|60]<<24 | HEAP[offset|61]<<16 | HEAP[offset|62]<<8 | HEAP[offset|63]
10097 );
10098 }
10099
10100 // offset — multiple of 32
10101 function _state_to_heap ( output ) {
10102 output = output|0;
10103
10104 HEAP[output|0] = H0>>>24;
10105 HEAP[output|1] = H0>>>16&255;
10106 HEAP[output|2] = H0>>>8&255;
10107 HEAP[output|3] = H0&255;
10108 HEAP[output|4] = H1>>>24;
10109 HEAP[output|5] = H1>>>16&255;
10110 HEAP[output|6] = H1>>>8&255;
10111 HEAP[output|7] = H1&255;
10112 HEAP[output|8] = H2>>>24;
10113 HEAP[output|9] = H2>>>16&255;
10114 HEAP[output|10] = H2>>>8&255;
10115 HEAP[output|11] = H2&255;
10116 HEAP[output|12] = H3>>>24;
10117 HEAP[output|13] = H3>>>16&255;
10118 HEAP[output|14] = H3>>>8&255;
10119 HEAP[output|15] = H3&255;
10120 HEAP[output|16] = H4>>>24;
10121 HEAP[output|17] = H4>>>16&255;
10122 HEAP[output|18] = H4>>>8&255;
10123 HEAP[output|19] = H4&255;
10124 }
10125
10126 function reset () {
10127 H0 = 0x67452301;
10128 H1 = 0xefcdab89;
10129 H2 = 0x98badcfe;
10130 H3 = 0x10325476;
10131 H4 = 0xc3d2e1f0;
10132 TOTAL0 = TOTAL1 = 0;
10133 }
10134
10135 function init ( h0, h1, h2, h3, h4, total0, total1 ) {
10136 h0 = h0|0;
10137 h1 = h1|0;
10138 h2 = h2|0;
10139 h3 = h3|0;
10140 h4 = h4|0;
10141 total0 = total0|0;
10142 total1 = total1|0;
10143
10144 H0 = h0;
10145 H1 = h1;
10146 H2 = h2;
10147 H3 = h3;
10148 H4 = h4;
10149 TOTAL0 = total0;
10150 TOTAL1 = total1;
10151 }
10152
10153 // offset — multiple of 64
10154 function process ( offset, length ) {
10155 offset = offset|0;
10156 length = length|0;
10157
10158 var hashed = 0;
10159
10160 if ( offset & 63 )
10161 return -1;
10162
10163 while ( (length|0) >= 64 ) {
10164 _core_heap(offset);
10165
10166 offset = ( offset + 64 )|0;
10167 length = ( length - 64 )|0;
10168
10169 hashed = ( hashed + 64 )|0;
10170 }
10171
10172 TOTAL0 = ( TOTAL0 + hashed )|0;
10173 if ( TOTAL0>>>0 < hashed>>>0 ) TOTAL1 = ( TOTAL1 + 1 )|0;
10174
10175 return hashed|0;
10176 }
10177
10178 // offset — multiple of 64
10179 // output — multiple of 32
10180 function finish ( offset, length, output ) {
10181 offset = offset|0;
10182 length = length|0;
10183 output = output|0;
10184
10185 var hashed = 0,
10186 i = 0;
10187
10188 if ( offset & 63 )
10189 return -1;
10190
10191 if ( ~output )
10192 if ( output & 31 )
10193 return -1;
10194
10195 if ( (length|0) >= 64 ) {
10196 hashed = process( offset, length )|0;
10197 if ( (hashed|0) == -1 )
10198 return -1;
10199
10200 offset = ( offset + hashed )|0;
10201 length = ( length - hashed )|0;
10202 }
10203
10204 hashed = ( hashed + length )|0;
10205 TOTAL0 = ( TOTAL0 + length )|0;
10206 if ( TOTAL0>>>0 < length>>>0 ) TOTAL1 = (TOTAL1 + 1)|0;
10207
10208 HEAP[offset|length] = 0x80;
10209
10210 if ( (length|0) >= 56 ) {
10211 for ( i = (length+1)|0; (i|0) < 64; i = (i+1)|0 )
10212 HEAP[offset|i] = 0x00;
10213 _core_heap(offset);
10214
10215 length = 0;
10216
10217 HEAP[offset|0] = 0;
10218 }
10219
10220 for ( i = (length+1)|0; (i|0) < 59; i = (i+1)|0 )
10221 HEAP[offset|i] = 0;
10222
10223 HEAP[offset|56] = TOTAL1>>>21&255;
10224 HEAP[offset|57] = TOTAL1>>>13&255;
10225 HEAP[offset|58] = TOTAL1>>>5&255;
10226 HEAP[offset|59] = TOTAL1<<3&255 | TOTAL0>>>29;
10227 HEAP[offset|60] = TOTAL0>>>21&255;
10228 HEAP[offset|61] = TOTAL0>>>13&255;
10229 HEAP[offset|62] = TOTAL0>>>5&255;
10230 HEAP[offset|63] = TOTAL0<<3&255;
10231 _core_heap(offset);
10232
10233 if ( ~output )
10234 _state_to_heap(output);
10235
10236 return hashed|0;
10237 }
10238
10239 function hmac_reset () {
10240 H0 = I0;
10241 H1 = I1;
10242 H2 = I2;
10243 H3 = I3;
10244 H4 = I4;
10245 TOTAL0 = 64;
10246 TOTAL1 = 0;
10247 }
10248
10249 function _hmac_opad () {
10250 H0 = O0;
10251 H1 = O1;
10252 H2 = O2;
10253 H3 = O3;
10254 H4 = O4;
10255 TOTAL0 = 64;
10256 TOTAL1 = 0;
10257 }
10258
10259 function hmac_init ( p0, p1, p2, p3, p4, p5, p6, p7, p8, p9, p10, p11, p12, p13, p14, p15 ) {
10260 p0 = p0|0;
10261 p1 = p1|0;
10262 p2 = p2|0;
10263 p3 = p3|0;
10264 p4 = p4|0;
10265 p5 = p5|0;
10266 p6 = p6|0;
10267 p7 = p7|0;
10268 p8 = p8|0;
10269 p9 = p9|0;
10270 p10 = p10|0;
10271 p11 = p11|0;
10272 p12 = p12|0;
10273 p13 = p13|0;
10274 p14 = p14|0;
10275 p15 = p15|0;
10276
10277 // opad
10278 reset();
10279 _core(
10280 p0 ^ 0x5c5c5c5c,
10281 p1 ^ 0x5c5c5c5c,
10282 p2 ^ 0x5c5c5c5c,
10283 p3 ^ 0x5c5c5c5c,
10284 p4 ^ 0x5c5c5c5c,
10285 p5 ^ 0x5c5c5c5c,
10286 p6 ^ 0x5c5c5c5c,
10287 p7 ^ 0x5c5c5c5c,
10288 p8 ^ 0x5c5c5c5c,
10289 p9 ^ 0x5c5c5c5c,
10290 p10 ^ 0x5c5c5c5c,
10291 p11 ^ 0x5c5c5c5c,
10292 p12 ^ 0x5c5c5c5c,
10293 p13 ^ 0x5c5c5c5c,
10294 p14 ^ 0x5c5c5c5c,
10295 p15 ^ 0x5c5c5c5c
10296 );
10297 O0 = H0;
10298 O1 = H1;
10299 O2 = H2;
10300 O3 = H3;
10301 O4 = H4;
10302
10303 // ipad
10304 reset();
10305 _core(
10306 p0 ^ 0x36363636,
10307 p1 ^ 0x36363636,
10308 p2 ^ 0x36363636,
10309 p3 ^ 0x36363636,
10310 p4 ^ 0x36363636,
10311 p5 ^ 0x36363636,
10312 p6 ^ 0x36363636,
10313 p7 ^ 0x36363636,
10314 p8 ^ 0x36363636,
10315 p9 ^ 0x36363636,
10316 p10 ^ 0x36363636,
10317 p11 ^ 0x36363636,
10318 p12 ^ 0x36363636,
10319 p13 ^ 0x36363636,
10320 p14 ^ 0x36363636,
10321 p15 ^ 0x36363636
10322 );
10323 I0 = H0;
10324 I1 = H1;
10325 I2 = H2;
10326 I3 = H3;
10327 I4 = H4;
10328
10329 TOTAL0 = 64;
10330 TOTAL1 = 0;
10331 }
10332
10333 // offset — multiple of 64
10334 // output — multiple of 32
10335 function hmac_finish ( offset, length, output ) {
10336 offset = offset|0;
10337 length = length|0;
10338 output = output|0;
10339
10340 var t0 = 0, t1 = 0, t2 = 0, t3 = 0, t4 = 0, hashed = 0;
10341
10342 if ( offset & 63 )
10343 return -1;
10344
10345 if ( ~output )
10346 if ( output & 31 )
10347 return -1;
10348
10349 hashed = finish( offset, length, -1 )|0;
10350 t0 = H0, t1 = H1, t2 = H2, t3 = H3, t4 = H4;
10351
10352 _hmac_opad();
10353 _core( t0, t1, t2, t3, t4, 0x80000000, 0, 0, 0, 0, 0, 0, 0, 0, 0, 672 );
10354
10355 if ( ~output )
10356 _state_to_heap(output);
10357
10358 return hashed|0;
10359 }
10360
10361 // salt is assumed to be already processed
10362 // offset — multiple of 64
10363 // output — multiple of 32
10364 function pbkdf2_generate_block ( offset, length, block, count, output ) {
10365 offset = offset|0;
10366 length = length|0;
10367 block = block|0;
10368 count = count|0;
10369 output = output|0;
10370
10371 var h0 = 0, h1 = 0, h2 = 0, h3 = 0, h4 = 0,
10372 t0 = 0, t1 = 0, t2 = 0, t3 = 0, t4 = 0;
10373
10374 if ( offset & 63 )
10375 return -1;
10376
10377 if ( ~output )
10378 if ( output & 31 )
10379 return -1;
10380
10381 // pad block number into heap
10382 // FIXME probable OOB write
10383 HEAP[(offset+length)|0] = block>>>24;
10384 HEAP[(offset+length+1)|0] = block>>>16&255;
10385 HEAP[(offset+length+2)|0] = block>>>8&255;
10386 HEAP[(offset+length+3)|0] = block&255;
10387
10388 // finish first iteration
10389 hmac_finish( offset, (length+4)|0, -1 )|0;
10390 h0 = t0 = H0, h1 = t1 = H1, h2 = t2 = H2, h3 = t3 = H3, h4 = t4 = H4;
10391 count = (count-1)|0;
10392
10393 // perform the rest iterations
10394 while ( (count|0) > 0 ) {
10395 hmac_reset();
10396 _core( t0, t1, t2, t3, t4, 0x80000000, 0, 0, 0, 0, 0, 0, 0, 0, 0, 672 );
10397 t0 = H0, t1 = H1, t2 = H2, t3 = H3, t4 = H4;
10398
10399 _hmac_opad();
10400 _core( t0, t1, t2, t3, t4, 0x80000000, 0, 0, 0, 0, 0, 0, 0, 0, 0, 672 );
10401 t0 = H0, t1 = H1, t2 = H2, t3 = H3, t4 = H4;
10402
10403 h0 = h0 ^ H0;
10404 h1 = h1 ^ H1;
10405 h2 = h2 ^ H2;
10406 h3 = h3 ^ H3;
10407 h4 = h4 ^ H4;
10408
10409 count = (count-1)|0;
10410 }
10411
10412 H0 = h0;
10413 H1 = h1;
10414 H2 = h2;
10415 H3 = h3;
10416 H4 = h4;
10417
10418 if ( ~output )
10419 _state_to_heap(output);
10420
10421 return 0;
10422 }
10423
10424 return {
10425 // SHA1
10426 reset: reset,
10427 init: init,
10428 process: process,
10429 finish: finish,
10430
10431 // HMAC-SHA1
10432 hmac_reset: hmac_reset,
10433 hmac_init: hmac_init,
10434 hmac_finish: hmac_finish,
10435
10436 // PBKDF2-HMAC-SHA1
10437 pbkdf2_generate_block: pbkdf2_generate_block
10438 }
10439 };
10440
10441 class Hash {
10442 constructor() {
10443 this.pos = 0;
10444 this.len = 0;
10445 }
10446 reset() {
10447 const { asm } = this.acquire_asm();
10448 this.result = null;
10449 this.pos = 0;
10450 this.len = 0;
10451 asm.reset();
10452 return this;
10453 }
10454 process(data) {
10455 if (this.result !== null)
10456 throw new IllegalStateError('state must be reset before processing new data');
10457 const { asm, heap } = this.acquire_asm();
10458 let hpos = this.pos;
10459 let hlen = this.len;
10460 let dpos = 0;
10461 let dlen = data.length;
10462 let wlen = 0;
10463 while (dlen > 0) {
10464 wlen = _heap_write(heap, hpos + hlen, data, dpos, dlen);
10465 hlen += wlen;
10466 dpos += wlen;
10467 dlen -= wlen;
10468 wlen = asm.process(hpos, hlen);
10469 hpos += wlen;
10470 hlen -= wlen;
10471 if (!hlen)
10472 hpos = 0;
10473 }
10474 this.pos = hpos;
10475 this.len = hlen;
10476 return this;
10477 }
10478 finish() {
10479 if (this.result !== null)
10480 throw new IllegalStateError('state must be reset before processing new data');
10481 const { asm, heap } = this.acquire_asm();
10482 asm.finish(this.pos, this.len, 0);
10483 this.result = new Uint8Array(this.HASH_SIZE);
10484 this.result.set(heap.subarray(0, this.HASH_SIZE));
10485 this.pos = 0;
10486 this.len = 0;
10487 this.release_asm();
10488 return this;
10489 }
10490 }
10491
10492 const _sha1_block_size = 64;
10493 const _sha1_hash_size = 20;
10494 const heap_pool$1 = [];
10495 const asm_pool$1 = [];
10496 class Sha1 extends Hash {
10497 constructor() {
10498 super();
10499 this.NAME = 'sha1';
10500 this.BLOCK_SIZE = _sha1_block_size;
10501 this.HASH_SIZE = _sha1_hash_size;
10502 this.acquire_asm();
10503 }
10504 acquire_asm() {
10505 if (this.heap === undefined || this.asm === undefined) {
10506 this.heap = heap_pool$1.pop() || _heap_init();
10507 this.asm = asm_pool$1.pop() || sha1_asm({ Uint8Array: Uint8Array }, null, this.heap.buffer);
10508 this.reset();
10509 }
10510 return { heap: this.heap, asm: this.asm };
10511 }
10512 release_asm() {
10513 if (this.heap !== undefined && this.asm !== undefined) {
10514 heap_pool$1.push(this.heap);
10515 asm_pool$1.push(this.asm);
10516 }
10517 this.heap = undefined;
10518 this.asm = undefined;
10519 }
10520 static bytes(data) {
10521 return new Sha1().process(data).finish().result;
10522 }
10523 }
10524 Sha1.NAME = 'sha1';
10525 Sha1.heap_pool = [];
10526 Sha1.asm_pool = [];
10527 Sha1.asm_function = sha1_asm;
10528
10529 var sha256_asm = function ( stdlib, foreign, buffer ) {
10530 "use asm";
10531
10532 // SHA256 state
10533 var H0 = 0, H1 = 0, H2 = 0, H3 = 0, H4 = 0, H5 = 0, H6 = 0, H7 = 0,
10534 TOTAL0 = 0, TOTAL1 = 0;
10535
10536 // HMAC state
10537 var I0 = 0, I1 = 0, I2 = 0, I3 = 0, I4 = 0, I5 = 0, I6 = 0, I7 = 0,
10538 O0 = 0, O1 = 0, O2 = 0, O3 = 0, O4 = 0, O5 = 0, O6 = 0, O7 = 0;
10539
10540 // I/O buffer
10541 var HEAP = new stdlib.Uint8Array(buffer);
10542
10543 function _core ( w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11, w12, w13, w14, w15 ) {
10544 w0 = w0|0;
10545 w1 = w1|0;
10546 w2 = w2|0;
10547 w3 = w3|0;
10548 w4 = w4|0;
10549 w5 = w5|0;
10550 w6 = w6|0;
10551 w7 = w7|0;
10552 w8 = w8|0;
10553 w9 = w9|0;
10554 w10 = w10|0;
10555 w11 = w11|0;
10556 w12 = w12|0;
10557 w13 = w13|0;
10558 w14 = w14|0;
10559 w15 = w15|0;
10560
10561 var a = 0, b = 0, c = 0, d = 0, e = 0, f = 0, g = 0, h = 0;
10562
10563 a = H0;
10564 b = H1;
10565 c = H2;
10566 d = H3;
10567 e = H4;
10568 f = H5;
10569 g = H6;
10570 h = H7;
10571
10572 // 0
10573 h = ( w0 + h + ( e>>>6 ^ e>>>11 ^ e>>>25 ^ e<<26 ^ e<<21 ^ e<<7 ) + ( g ^ e & (f^g) ) + 0x428a2f98 )|0;
10574 d = ( d + h )|0;
10575 h = ( h + ( (a & b) ^ ( c & (a ^ b) ) ) + ( a>>>2 ^ a>>>13 ^ a>>>22 ^ a<<30 ^ a<<19 ^ a<<10 ) )|0;
10576
10577 // 1
10578 g = ( w1 + g + ( d>>>6 ^ d>>>11 ^ d>>>25 ^ d<<26 ^ d<<21 ^ d<<7 ) + ( f ^ d & (e^f) ) + 0x71374491 )|0;
10579 c = ( c + g )|0;
10580 g = ( g + ( (h & a) ^ ( b & (h ^ a) ) ) + ( h>>>2 ^ h>>>13 ^ h>>>22 ^ h<<30 ^ h<<19 ^ h<<10 ) )|0;
10581
10582 // 2
10583 f = ( w2 + f + ( c>>>6 ^ c>>>11 ^ c>>>25 ^ c<<26 ^ c<<21 ^ c<<7 ) + ( e ^ c & (d^e) ) + 0xb5c0fbcf )|0;
10584 b = ( b + f )|0;
10585 f = ( f + ( (g & h) ^ ( a & (g ^ h) ) ) + ( g>>>2 ^ g>>>13 ^ g>>>22 ^ g<<30 ^ g<<19 ^ g<<10 ) )|0;
10586
10587 // 3
10588 e = ( w3 + e + ( b>>>6 ^ b>>>11 ^ b>>>25 ^ b<<26 ^ b<<21 ^ b<<7 ) + ( d ^ b & (c^d) ) + 0xe9b5dba5 )|0;
10589 a = ( a + e )|0;
10590 e = ( e + ( (f & g) ^ ( h & (f ^ g) ) ) + ( f>>>2 ^ f>>>13 ^ f>>>22 ^ f<<30 ^ f<<19 ^ f<<10 ) )|0;
10591
10592 // 4
10593 d = ( w4 + d + ( a>>>6 ^ a>>>11 ^ a>>>25 ^ a<<26 ^ a<<21 ^ a<<7 ) + ( c ^ a & (b^c) ) + 0x3956c25b )|0;
10594 h = ( h + d )|0;
10595 d = ( d + ( (e & f) ^ ( g & (e ^ f) ) ) + ( e>>>2 ^ e>>>13 ^ e>>>22 ^ e<<30 ^ e<<19 ^ e<<10 ) )|0;
10596
10597 // 5
10598 c = ( w5 + c + ( h>>>6 ^ h>>>11 ^ h>>>25 ^ h<<26 ^ h<<21 ^ h<<7 ) + ( b ^ h & (a^b) ) + 0x59f111f1 )|0;
10599 g = ( g + c )|0;
10600 c = ( c + ( (d & e) ^ ( f & (d ^ e) ) ) + ( d>>>2 ^ d>>>13 ^ d>>>22 ^ d<<30 ^ d<<19 ^ d<<10 ) )|0;
10601
10602 // 6
10603 b = ( w6 + b + ( g>>>6 ^ g>>>11 ^ g>>>25 ^ g<<26 ^ g<<21 ^ g<<7 ) + ( a ^ g & (h^a) ) + 0x923f82a4 )|0;
10604 f = ( f + b )|0;
10605 b = ( b + ( (c & d) ^ ( e & (c ^ d) ) ) + ( c>>>2 ^ c>>>13 ^ c>>>22 ^ c<<30 ^ c<<19 ^ c<<10 ) )|0;
10606
10607 // 7
10608 a = ( w7 + a + ( f>>>6 ^ f>>>11 ^ f>>>25 ^ f<<26 ^ f<<21 ^ f<<7 ) + ( h ^ f & (g^h) ) + 0xab1c5ed5 )|0;
10609 e = ( e + a )|0;
10610 a = ( a + ( (b & c) ^ ( d & (b ^ c) ) ) + ( b>>>2 ^ b>>>13 ^ b>>>22 ^ b<<30 ^ b<<19 ^ b<<10 ) )|0;
10611
10612 // 8
10613 h = ( w8 + h + ( e>>>6 ^ e>>>11 ^ e>>>25 ^ e<<26 ^ e<<21 ^ e<<7 ) + ( g ^ e & (f^g) ) + 0xd807aa98 )|0;
10614 d = ( d + h )|0;
10615 h = ( h + ( (a & b) ^ ( c & (a ^ b) ) ) + ( a>>>2 ^ a>>>13 ^ a>>>22 ^ a<<30 ^ a<<19 ^ a<<10 ) )|0;
10616
10617 // 9
10618 g = ( w9 + g + ( d>>>6 ^ d>>>11 ^ d>>>25 ^ d<<26 ^ d<<21 ^ d<<7 ) + ( f ^ d & (e^f) ) + 0x12835b01 )|0;
10619 c = ( c + g )|0;
10620 g = ( g + ( (h & a) ^ ( b & (h ^ a) ) ) + ( h>>>2 ^ h>>>13 ^ h>>>22 ^ h<<30 ^ h<<19 ^ h<<10 ) )|0;
10621
10622 // 10
10623 f = ( w10 + f + ( c>>>6 ^ c>>>11 ^ c>>>25 ^ c<<26 ^ c<<21 ^ c<<7 ) + ( e ^ c & (d^e) ) + 0x243185be )|0;
10624 b = ( b + f )|0;
10625 f = ( f + ( (g & h) ^ ( a & (g ^ h) ) ) + ( g>>>2 ^ g>>>13 ^ g>>>22 ^ g<<30 ^ g<<19 ^ g<<10 ) )|0;
10626
10627 // 11
10628 e = ( w11 + e + ( b>>>6 ^ b>>>11 ^ b>>>25 ^ b<<26 ^ b<<21 ^ b<<7 ) + ( d ^ b & (c^d) ) + 0x550c7dc3 )|0;
10629 a = ( a + e )|0;
10630 e = ( e + ( (f & g) ^ ( h & (f ^ g) ) ) + ( f>>>2 ^ f>>>13 ^ f>>>22 ^ f<<30 ^ f<<19 ^ f<<10 ) )|0;
10631
10632 // 12
10633 d = ( w12 + d + ( a>>>6 ^ a>>>11 ^ a>>>25 ^ a<<26 ^ a<<21 ^ a<<7 ) + ( c ^ a & (b^c) ) + 0x72be5d74 )|0;
10634 h = ( h + d )|0;
10635 d = ( d + ( (e & f) ^ ( g & (e ^ f) ) ) + ( e>>>2 ^ e>>>13 ^ e>>>22 ^ e<<30 ^ e<<19 ^ e<<10 ) )|0;
10636
10637 // 13
10638 c = ( w13 + c + ( h>>>6 ^ h>>>11 ^ h>>>25 ^ h<<26 ^ h<<21 ^ h<<7 ) + ( b ^ h & (a^b) ) + 0x80deb1fe )|0;
10639 g = ( g + c )|0;
10640 c = ( c + ( (d & e) ^ ( f & (d ^ e) ) ) + ( d>>>2 ^ d>>>13 ^ d>>>22 ^ d<<30 ^ d<<19 ^ d<<10 ) )|0;
10641
10642 // 14
10643 b = ( w14 + b + ( g>>>6 ^ g>>>11 ^ g>>>25 ^ g<<26 ^ g<<21 ^ g<<7 ) + ( a ^ g & (h^a) ) + 0x9bdc06a7 )|0;
10644 f = ( f + b )|0;
10645 b = ( b + ( (c & d) ^ ( e & (c ^ d) ) ) + ( c>>>2 ^ c>>>13 ^ c>>>22 ^ c<<30 ^ c<<19 ^ c<<10 ) )|0;
10646
10647 // 15
10648 a = ( w15 + a + ( f>>>6 ^ f>>>11 ^ f>>>25 ^ f<<26 ^ f<<21 ^ f<<7 ) + ( h ^ f & (g^h) ) + 0xc19bf174 )|0;
10649 e = ( e + a )|0;
10650 a = ( a + ( (b & c) ^ ( d & (b ^ c) ) ) + ( b>>>2 ^ b>>>13 ^ b>>>22 ^ b<<30 ^ b<<19 ^ b<<10 ) )|0;
10651
10652 // 16
10653 w0 = ( ( w1>>>7 ^ w1>>>18 ^ w1>>>3 ^ w1<<25 ^ w1<<14 ) + ( w14>>>17 ^ w14>>>19 ^ w14>>>10 ^ w14<<15 ^ w14<<13 ) + w0 + w9 )|0;
10654 h = ( w0 + h + ( e>>>6 ^ e>>>11 ^ e>>>25 ^ e<<26 ^ e<<21 ^ e<<7 ) + ( g ^ e & (f^g) ) + 0xe49b69c1 )|0;
10655 d = ( d + h )|0;
10656 h = ( h + ( (a & b) ^ ( c & (a ^ b) ) ) + ( a>>>2 ^ a>>>13 ^ a>>>22 ^ a<<30 ^ a<<19 ^ a<<10 ) )|0;
10657
10658 // 17
10659 w1 = ( ( w2>>>7 ^ w2>>>18 ^ w2>>>3 ^ w2<<25 ^ w2<<14 ) + ( w15>>>17 ^ w15>>>19 ^ w15>>>10 ^ w15<<15 ^ w15<<13 ) + w1 + w10 )|0;
10660 g = ( w1 + g + ( d>>>6 ^ d>>>11 ^ d>>>25 ^ d<<26 ^ d<<21 ^ d<<7 ) + ( f ^ d & (e^f) ) + 0xefbe4786 )|0;
10661 c = ( c + g )|0;
10662 g = ( g + ( (h & a) ^ ( b & (h ^ a) ) ) + ( h>>>2 ^ h>>>13 ^ h>>>22 ^ h<<30 ^ h<<19 ^ h<<10 ) )|0;
10663
10664 // 18
10665 w2 = ( ( w3>>>7 ^ w3>>>18 ^ w3>>>3 ^ w3<<25 ^ w3<<14 ) + ( w0>>>17 ^ w0>>>19 ^ w0>>>10 ^ w0<<15 ^ w0<<13 ) + w2 + w11 )|0;
10666 f = ( w2 + f + ( c>>>6 ^ c>>>11 ^ c>>>25 ^ c<<26 ^ c<<21 ^ c<<7 ) + ( e ^ c & (d^e) ) + 0x0fc19dc6 )|0;
10667 b = ( b + f )|0;
10668 f = ( f + ( (g & h) ^ ( a & (g ^ h) ) ) + ( g>>>2 ^ g>>>13 ^ g>>>22 ^ g<<30 ^ g<<19 ^ g<<10 ) )|0;
10669
10670 // 19
10671 w3 = ( ( w4>>>7 ^ w4>>>18 ^ w4>>>3 ^ w4<<25 ^ w4<<14 ) + ( w1>>>17 ^ w1>>>19 ^ w1>>>10 ^ w1<<15 ^ w1<<13 ) + w3 + w12 )|0;
10672 e = ( w3 + e + ( b>>>6 ^ b>>>11 ^ b>>>25 ^ b<<26 ^ b<<21 ^ b<<7 ) + ( d ^ b & (c^d) ) + 0x240ca1cc )|0;
10673 a = ( a + e )|0;
10674 e = ( e + ( (f & g) ^ ( h & (f ^ g) ) ) + ( f>>>2 ^ f>>>13 ^ f>>>22 ^ f<<30 ^ f<<19 ^ f<<10 ) )|0;
10675
10676 // 20
10677 w4 = ( ( w5>>>7 ^ w5>>>18 ^ w5>>>3 ^ w5<<25 ^ w5<<14 ) + ( w2>>>17 ^ w2>>>19 ^ w2>>>10 ^ w2<<15 ^ w2<<13 ) + w4 + w13 )|0;
10678 d = ( w4 + d + ( a>>>6 ^ a>>>11 ^ a>>>25 ^ a<<26 ^ a<<21 ^ a<<7 ) + ( c ^ a & (b^c) ) + 0x2de92c6f )|0;
10679 h = ( h + d )|0;
10680 d = ( d + ( (e & f) ^ ( g & (e ^ f) ) ) + ( e>>>2 ^ e>>>13 ^ e>>>22 ^ e<<30 ^ e<<19 ^ e<<10 ) )|0;
10681
10682 // 21
10683 w5 = ( ( w6>>>7 ^ w6>>>18 ^ w6>>>3 ^ w6<<25 ^ w6<<14 ) + ( w3>>>17 ^ w3>>>19 ^ w3>>>10 ^ w3<<15 ^ w3<<13 ) + w5 + w14 )|0;
10684 c = ( w5 + c + ( h>>>6 ^ h>>>11 ^ h>>>25 ^ h<<26 ^ h<<21 ^ h<<7 ) + ( b ^ h & (a^b) ) + 0x4a7484aa )|0;
10685 g = ( g + c )|0;
10686 c = ( c + ( (d & e) ^ ( f & (d ^ e) ) ) + ( d>>>2 ^ d>>>13 ^ d>>>22 ^ d<<30 ^ d<<19 ^ d<<10 ) )|0;
10687
10688 // 22
10689 w6 = ( ( w7>>>7 ^ w7>>>18 ^ w7>>>3 ^ w7<<25 ^ w7<<14 ) + ( w4>>>17 ^ w4>>>19 ^ w4>>>10 ^ w4<<15 ^ w4<<13 ) + w6 + w15 )|0;
10690 b = ( w6 + b + ( g>>>6 ^ g>>>11 ^ g>>>25 ^ g<<26 ^ g<<21 ^ g<<7 ) + ( a ^ g & (h^a) ) + 0x5cb0a9dc )|0;
10691 f = ( f + b )|0;
10692 b = ( b + ( (c & d) ^ ( e & (c ^ d) ) ) + ( c>>>2 ^ c>>>13 ^ c>>>22 ^ c<<30 ^ c<<19 ^ c<<10 ) )|0;
10693
10694 // 23
10695 w7 = ( ( w8>>>7 ^ w8>>>18 ^ w8>>>3 ^ w8<<25 ^ w8<<14 ) + ( w5>>>17 ^ w5>>>19 ^ w5>>>10 ^ w5<<15 ^ w5<<13 ) + w7 + w0 )|0;
10696 a = ( w7 + a + ( f>>>6 ^ f>>>11 ^ f>>>25 ^ f<<26 ^ f<<21 ^ f<<7 ) + ( h ^ f & (g^h) ) + 0x76f988da )|0;
10697 e = ( e + a )|0;
10698 a = ( a + ( (b & c) ^ ( d & (b ^ c) ) ) + ( b>>>2 ^ b>>>13 ^ b>>>22 ^ b<<30 ^ b<<19 ^ b<<10 ) )|0;
10699
10700 // 24
10701 w8 = ( ( w9>>>7 ^ w9>>>18 ^ w9>>>3 ^ w9<<25 ^ w9<<14 ) + ( w6>>>17 ^ w6>>>19 ^ w6>>>10 ^ w6<<15 ^ w6<<13 ) + w8 + w1 )|0;
10702 h = ( w8 + h + ( e>>>6 ^ e>>>11 ^ e>>>25 ^ e<<26 ^ e<<21 ^ e<<7 ) + ( g ^ e & (f^g) ) + 0x983e5152 )|0;
10703 d = ( d + h )|0;
10704 h = ( h + ( (a & b) ^ ( c & (a ^ b) ) ) + ( a>>>2 ^ a>>>13 ^ a>>>22 ^ a<<30 ^ a<<19 ^ a<<10 ) )|0;
10705
10706 // 25
10707 w9 = ( ( w10>>>7 ^ w10>>>18 ^ w10>>>3 ^ w10<<25 ^ w10<<14 ) + ( w7>>>17 ^ w7>>>19 ^ w7>>>10 ^ w7<<15 ^ w7<<13 ) + w9 + w2 )|0;
10708 g = ( w9 + g + ( d>>>6 ^ d>>>11 ^ d>>>25 ^ d<<26 ^ d<<21 ^ d<<7 ) + ( f ^ d & (e^f) ) + 0xa831c66d )|0;
10709 c = ( c + g )|0;
10710 g = ( g + ( (h & a) ^ ( b & (h ^ a) ) ) + ( h>>>2 ^ h>>>13 ^ h>>>22 ^ h<<30 ^ h<<19 ^ h<<10 ) )|0;
10711
10712 // 26
10713 w10 = ( ( w11>>>7 ^ w11>>>18 ^ w11>>>3 ^ w11<<25 ^ w11<<14 ) + ( w8>>>17 ^ w8>>>19 ^ w8>>>10 ^ w8<<15 ^ w8<<13 ) + w10 + w3 )|0;
10714 f = ( w10 + f + ( c>>>6 ^ c>>>11 ^ c>>>25 ^ c<<26 ^ c<<21 ^ c<<7 ) + ( e ^ c & (d^e) ) + 0xb00327c8 )|0;
10715 b = ( b + f )|0;
10716 f = ( f + ( (g & h) ^ ( a & (g ^ h) ) ) + ( g>>>2 ^ g>>>13 ^ g>>>22 ^ g<<30 ^ g<<19 ^ g<<10 ) )|0;
10717
10718 // 27
10719 w11 = ( ( w12>>>7 ^ w12>>>18 ^ w12>>>3 ^ w12<<25 ^ w12<<14 ) + ( w9>>>17 ^ w9>>>19 ^ w9>>>10 ^ w9<<15 ^ w9<<13 ) + w11 + w4 )|0;
10720 e = ( w11 + e + ( b>>>6 ^ b>>>11 ^ b>>>25 ^ b<<26 ^ b<<21 ^ b<<7 ) + ( d ^ b & (c^d) ) + 0xbf597fc7 )|0;
10721 a = ( a + e )|0;
10722 e = ( e + ( (f & g) ^ ( h & (f ^ g) ) ) + ( f>>>2 ^ f>>>13 ^ f>>>22 ^ f<<30 ^ f<<19 ^ f<<10 ) )|0;
10723
10724 // 28
10725 w12 = ( ( w13>>>7 ^ w13>>>18 ^ w13>>>3 ^ w13<<25 ^ w13<<14 ) + ( w10>>>17 ^ w10>>>19 ^ w10>>>10 ^ w10<<15 ^ w10<<13 ) + w12 + w5 )|0;
10726 d = ( w12 + d + ( a>>>6 ^ a>>>11 ^ a>>>25 ^ a<<26 ^ a<<21 ^ a<<7 ) + ( c ^ a & (b^c) ) + 0xc6e00bf3 )|0;
10727 h = ( h + d )|0;
10728 d = ( d + ( (e & f) ^ ( g & (e ^ f) ) ) + ( e>>>2 ^ e>>>13 ^ e>>>22 ^ e<<30 ^ e<<19 ^ e<<10 ) )|0;
10729
10730 // 29
10731 w13 = ( ( w14>>>7 ^ w14>>>18 ^ w14>>>3 ^ w14<<25 ^ w14<<14 ) + ( w11>>>17 ^ w11>>>19 ^ w11>>>10 ^ w11<<15 ^ w11<<13 ) + w13 + w6 )|0;
10732 c = ( w13 + c + ( h>>>6 ^ h>>>11 ^ h>>>25 ^ h<<26 ^ h<<21 ^ h<<7 ) + ( b ^ h & (a^b) ) + 0xd5a79147 )|0;
10733 g = ( g + c )|0;
10734 c = ( c + ( (d & e) ^ ( f & (d ^ e) ) ) + ( d>>>2 ^ d>>>13 ^ d>>>22 ^ d<<30 ^ d<<19 ^ d<<10 ) )|0;
10735
10736 // 30
10737 w14 = ( ( w15>>>7 ^ w15>>>18 ^ w15>>>3 ^ w15<<25 ^ w15<<14 ) + ( w12>>>17 ^ w12>>>19 ^ w12>>>10 ^ w12<<15 ^ w12<<13 ) + w14 + w7 )|0;
10738 b = ( w14 + b + ( g>>>6 ^ g>>>11 ^ g>>>25 ^ g<<26 ^ g<<21 ^ g<<7 ) + ( a ^ g & (h^a) ) + 0x06ca6351 )|0;
10739 f = ( f + b )|0;
10740 b = ( b + ( (c & d) ^ ( e & (c ^ d) ) ) + ( c>>>2 ^ c>>>13 ^ c>>>22 ^ c<<30 ^ c<<19 ^ c<<10 ) )|0;
10741
10742 // 31
10743 w15 = ( ( w0>>>7 ^ w0>>>18 ^ w0>>>3 ^ w0<<25 ^ w0<<14 ) + ( w13>>>17 ^ w13>>>19 ^ w13>>>10 ^ w13<<15 ^ w13<<13 ) + w15 + w8 )|0;
10744 a = ( w15 + a + ( f>>>6 ^ f>>>11 ^ f>>>25 ^ f<<26 ^ f<<21 ^ f<<7 ) + ( h ^ f & (g^h) ) + 0x14292967 )|0;
10745 e = ( e + a )|0;
10746 a = ( a + ( (b & c) ^ ( d & (b ^ c) ) ) + ( b>>>2 ^ b>>>13 ^ b>>>22 ^ b<<30 ^ b<<19 ^ b<<10 ) )|0;
10747
10748 // 32
10749 w0 = ( ( w1>>>7 ^ w1>>>18 ^ w1>>>3 ^ w1<<25 ^ w1<<14 ) + ( w14>>>17 ^ w14>>>19 ^ w14>>>10 ^ w14<<15 ^ w14<<13 ) + w0 + w9 )|0;
10750 h = ( w0 + h + ( e>>>6 ^ e>>>11 ^ e>>>25 ^ e<<26 ^ e<<21 ^ e<<7 ) + ( g ^ e & (f^g) ) + 0x27b70a85 )|0;
10751 d = ( d + h )|0;
10752 h = ( h + ( (a & b) ^ ( c & (a ^ b) ) ) + ( a>>>2 ^ a>>>13 ^ a>>>22 ^ a<<30 ^ a<<19 ^ a<<10 ) )|0;
10753
10754 // 33
10755 w1 = ( ( w2>>>7 ^ w2>>>18 ^ w2>>>3 ^ w2<<25 ^ w2<<14 ) + ( w15>>>17 ^ w15>>>19 ^ w15>>>10 ^ w15<<15 ^ w15<<13 ) + w1 + w10 )|0;
10756 g = ( w1 + g + ( d>>>6 ^ d>>>11 ^ d>>>25 ^ d<<26 ^ d<<21 ^ d<<7 ) + ( f ^ d & (e^f) ) + 0x2e1b2138 )|0;
10757 c = ( c + g )|0;
10758 g = ( g + ( (h & a) ^ ( b & (h ^ a) ) ) + ( h>>>2 ^ h>>>13 ^ h>>>22 ^ h<<30 ^ h<<19 ^ h<<10 ) )|0;
10759
10760 // 34
10761 w2 = ( ( w3>>>7 ^ w3>>>18 ^ w3>>>3 ^ w3<<25 ^ w3<<14 ) + ( w0>>>17 ^ w0>>>19 ^ w0>>>10 ^ w0<<15 ^ w0<<13 ) + w2 + w11 )|0;
10762 f = ( w2 + f + ( c>>>6 ^ c>>>11 ^ c>>>25 ^ c<<26 ^ c<<21 ^ c<<7 ) + ( e ^ c & (d^e) ) + 0x4d2c6dfc )|0;
10763 b = ( b + f )|0;
10764 f = ( f + ( (g & h) ^ ( a & (g ^ h) ) ) + ( g>>>2 ^ g>>>13 ^ g>>>22 ^ g<<30 ^ g<<19 ^ g<<10 ) )|0;
10765
10766 // 35
10767 w3 = ( ( w4>>>7 ^ w4>>>18 ^ w4>>>3 ^ w4<<25 ^ w4<<14 ) + ( w1>>>17 ^ w1>>>19 ^ w1>>>10 ^ w1<<15 ^ w1<<13 ) + w3 + w12 )|0;
10768 e = ( w3 + e + ( b>>>6 ^ b>>>11 ^ b>>>25 ^ b<<26 ^ b<<21 ^ b<<7 ) + ( d ^ b & (c^d) ) + 0x53380d13 )|0;
10769 a = ( a + e )|0;
10770 e = ( e + ( (f & g) ^ ( h & (f ^ g) ) ) + ( f>>>2 ^ f>>>13 ^ f>>>22 ^ f<<30 ^ f<<19 ^ f<<10 ) )|0;
10771
10772 // 36
10773 w4 = ( ( w5>>>7 ^ w5>>>18 ^ w5>>>3 ^ w5<<25 ^ w5<<14 ) + ( w2>>>17 ^ w2>>>19 ^ w2>>>10 ^ w2<<15 ^ w2<<13 ) + w4 + w13 )|0;
10774 d = ( w4 + d + ( a>>>6 ^ a>>>11 ^ a>>>25 ^ a<<26 ^ a<<21 ^ a<<7 ) + ( c ^ a & (b^c) ) + 0x650a7354 )|0;
10775 h = ( h + d )|0;
10776 d = ( d + ( (e & f) ^ ( g & (e ^ f) ) ) + ( e>>>2 ^ e>>>13 ^ e>>>22 ^ e<<30 ^ e<<19 ^ e<<10 ) )|0;
10777
10778 // 37
10779 w5 = ( ( w6>>>7 ^ w6>>>18 ^ w6>>>3 ^ w6<<25 ^ w6<<14 ) + ( w3>>>17 ^ w3>>>19 ^ w3>>>10 ^ w3<<15 ^ w3<<13 ) + w5 + w14 )|0;
10780 c = ( w5 + c + ( h>>>6 ^ h>>>11 ^ h>>>25 ^ h<<26 ^ h<<21 ^ h<<7 ) + ( b ^ h & (a^b) ) + 0x766a0abb )|0;
10781 g = ( g + c )|0;
10782 c = ( c + ( (d & e) ^ ( f & (d ^ e) ) ) + ( d>>>2 ^ d>>>13 ^ d>>>22 ^ d<<30 ^ d<<19 ^ d<<10 ) )|0;
10783
10784 // 38
10785 w6 = ( ( w7>>>7 ^ w7>>>18 ^ w7>>>3 ^ w7<<25 ^ w7<<14 ) + ( w4>>>17 ^ w4>>>19 ^ w4>>>10 ^ w4<<15 ^ w4<<13 ) + w6 + w15 )|0;
10786 b = ( w6 + b + ( g>>>6 ^ g>>>11 ^ g>>>25 ^ g<<26 ^ g<<21 ^ g<<7 ) + ( a ^ g & (h^a) ) + 0x81c2c92e )|0;
10787 f = ( f + b )|0;
10788 b = ( b + ( (c & d) ^ ( e & (c ^ d) ) ) + ( c>>>2 ^ c>>>13 ^ c>>>22 ^ c<<30 ^ c<<19 ^ c<<10 ) )|0;
10789
10790 // 39
10791 w7 = ( ( w8>>>7 ^ w8>>>18 ^ w8>>>3 ^ w8<<25 ^ w8<<14 ) + ( w5>>>17 ^ w5>>>19 ^ w5>>>10 ^ w5<<15 ^ w5<<13 ) + w7 + w0 )|0;
10792 a = ( w7 + a + ( f>>>6 ^ f>>>11 ^ f>>>25 ^ f<<26 ^ f<<21 ^ f<<7 ) + ( h ^ f & (g^h) ) + 0x92722c85 )|0;
10793 e = ( e + a )|0;
10794 a = ( a + ( (b & c) ^ ( d & (b ^ c) ) ) + ( b>>>2 ^ b>>>13 ^ b>>>22 ^ b<<30 ^ b<<19 ^ b<<10 ) )|0;
10795
10796 // 40
10797 w8 = ( ( w9>>>7 ^ w9>>>18 ^ w9>>>3 ^ w9<<25 ^ w9<<14 ) + ( w6>>>17 ^ w6>>>19 ^ w6>>>10 ^ w6<<15 ^ w6<<13 ) + w8 + w1 )|0;
10798 h = ( w8 + h + ( e>>>6 ^ e>>>11 ^ e>>>25 ^ e<<26 ^ e<<21 ^ e<<7 ) + ( g ^ e & (f^g) ) + 0xa2bfe8a1 )|0;
10799 d = ( d + h )|0;
10800 h = ( h + ( (a & b) ^ ( c & (a ^ b) ) ) + ( a>>>2 ^ a>>>13 ^ a>>>22 ^ a<<30 ^ a<<19 ^ a<<10 ) )|0;
10801
10802 // 41
10803 w9 = ( ( w10>>>7 ^ w10>>>18 ^ w10>>>3 ^ w10<<25 ^ w10<<14 ) + ( w7>>>17 ^ w7>>>19 ^ w7>>>10 ^ w7<<15 ^ w7<<13 ) + w9 + w2 )|0;
10804 g = ( w9 + g + ( d>>>6 ^ d>>>11 ^ d>>>25 ^ d<<26 ^ d<<21 ^ d<<7 ) + ( f ^ d & (e^f) ) + 0xa81a664b )|0;
10805 c = ( c + g )|0;
10806 g = ( g + ( (h & a) ^ ( b & (h ^ a) ) ) + ( h>>>2 ^ h>>>13 ^ h>>>22 ^ h<<30 ^ h<<19 ^ h<<10 ) )|0;
10807
10808 // 42
10809 w10 = ( ( w11>>>7 ^ w11>>>18 ^ w11>>>3 ^ w11<<25 ^ w11<<14 ) + ( w8>>>17 ^ w8>>>19 ^ w8>>>10 ^ w8<<15 ^ w8<<13 ) + w10 + w3 )|0;
10810 f = ( w10 + f + ( c>>>6 ^ c>>>11 ^ c>>>25 ^ c<<26 ^ c<<21 ^ c<<7 ) + ( e ^ c & (d^e) ) + 0xc24b8b70 )|0;
10811 b = ( b + f )|0;
10812 f = ( f + ( (g & h) ^ ( a & (g ^ h) ) ) + ( g>>>2 ^ g>>>13 ^ g>>>22 ^ g<<30 ^ g<<19 ^ g<<10 ) )|0;
10813
10814 // 43
10815 w11 = ( ( w12>>>7 ^ w12>>>18 ^ w12>>>3 ^ w12<<25 ^ w12<<14 ) + ( w9>>>17 ^ w9>>>19 ^ w9>>>10 ^ w9<<15 ^ w9<<13 ) + w11 + w4 )|0;
10816 e = ( w11 + e + ( b>>>6 ^ b>>>11 ^ b>>>25 ^ b<<26 ^ b<<21 ^ b<<7 ) + ( d ^ b & (c^d) ) + 0xc76c51a3 )|0;
10817 a = ( a + e )|0;
10818 e = ( e + ( (f & g) ^ ( h & (f ^ g) ) ) + ( f>>>2 ^ f>>>13 ^ f>>>22 ^ f<<30 ^ f<<19 ^ f<<10 ) )|0;
10819
10820 // 44
10821 w12 = ( ( w13>>>7 ^ w13>>>18 ^ w13>>>3 ^ w13<<25 ^ w13<<14 ) + ( w10>>>17 ^ w10>>>19 ^ w10>>>10 ^ w10<<15 ^ w10<<13 ) + w12 + w5 )|0;
10822 d = ( w12 + d + ( a>>>6 ^ a>>>11 ^ a>>>25 ^ a<<26 ^ a<<21 ^ a<<7 ) + ( c ^ a & (b^c) ) + 0xd192e819 )|0;
10823 h = ( h + d )|0;
10824 d = ( d + ( (e & f) ^ ( g & (e ^ f) ) ) + ( e>>>2 ^ e>>>13 ^ e>>>22 ^ e<<30 ^ e<<19 ^ e<<10 ) )|0;
10825
10826 // 45
10827 w13 = ( ( w14>>>7 ^ w14>>>18 ^ w14>>>3 ^ w14<<25 ^ w14<<14 ) + ( w11>>>17 ^ w11>>>19 ^ w11>>>10 ^ w11<<15 ^ w11<<13 ) + w13 + w6 )|0;
10828 c = ( w13 + c + ( h>>>6 ^ h>>>11 ^ h>>>25 ^ h<<26 ^ h<<21 ^ h<<7 ) + ( b ^ h & (a^b) ) + 0xd6990624 )|0;
10829 g = ( g + c )|0;
10830 c = ( c + ( (d & e) ^ ( f & (d ^ e) ) ) + ( d>>>2 ^ d>>>13 ^ d>>>22 ^ d<<30 ^ d<<19 ^ d<<10 ) )|0;
10831
10832 // 46
10833 w14 = ( ( w15>>>7 ^ w15>>>18 ^ w15>>>3 ^ w15<<25 ^ w15<<14 ) + ( w12>>>17 ^ w12>>>19 ^ w12>>>10 ^ w12<<15 ^ w12<<13 ) + w14 + w7 )|0;
10834 b = ( w14 + b + ( g>>>6 ^ g>>>11 ^ g>>>25 ^ g<<26 ^ g<<21 ^ g<<7 ) + ( a ^ g & (h^a) ) + 0xf40e3585 )|0;
10835 f = ( f + b )|0;
10836 b = ( b + ( (c & d) ^ ( e & (c ^ d) ) ) + ( c>>>2 ^ c>>>13 ^ c>>>22 ^ c<<30 ^ c<<19 ^ c<<10 ) )|0;
10837
10838 // 47
10839 w15 = ( ( w0>>>7 ^ w0>>>18 ^ w0>>>3 ^ w0<<25 ^ w0<<14 ) + ( w13>>>17 ^ w13>>>19 ^ w13>>>10 ^ w13<<15 ^ w13<<13 ) + w15 + w8 )|0;
10840 a = ( w15 + a + ( f>>>6 ^ f>>>11 ^ f>>>25 ^ f<<26 ^ f<<21 ^ f<<7 ) + ( h ^ f & (g^h) ) + 0x106aa070 )|0;
10841 e = ( e + a )|0;
10842 a = ( a + ( (b & c) ^ ( d & (b ^ c) ) ) + ( b>>>2 ^ b>>>13 ^ b>>>22 ^ b<<30 ^ b<<19 ^ b<<10 ) )|0;
10843
10844 // 48
10845 w0 = ( ( w1>>>7 ^ w1>>>18 ^ w1>>>3 ^ w1<<25 ^ w1<<14 ) + ( w14>>>17 ^ w14>>>19 ^ w14>>>10 ^ w14<<15 ^ w14<<13 ) + w0 + w9 )|0;
10846 h = ( w0 + h + ( e>>>6 ^ e>>>11 ^ e>>>25 ^ e<<26 ^ e<<21 ^ e<<7 ) + ( g ^ e & (f^g) ) + 0x19a4c116 )|0;
10847 d = ( d + h )|0;
10848 h = ( h + ( (a & b) ^ ( c & (a ^ b) ) ) + ( a>>>2 ^ a>>>13 ^ a>>>22 ^ a<<30 ^ a<<19 ^ a<<10 ) )|0;
10849
10850 // 49
10851 w1 = ( ( w2>>>7 ^ w2>>>18 ^ w2>>>3 ^ w2<<25 ^ w2<<14 ) + ( w15>>>17 ^ w15>>>19 ^ w15>>>10 ^ w15<<15 ^ w15<<13 ) + w1 + w10 )|0;
10852 g = ( w1 + g + ( d>>>6 ^ d>>>11 ^ d>>>25 ^ d<<26 ^ d<<21 ^ d<<7 ) + ( f ^ d & (e^f) ) + 0x1e376c08 )|0;
10853 c = ( c + g )|0;
10854 g = ( g + ( (h & a) ^ ( b & (h ^ a) ) ) + ( h>>>2 ^ h>>>13 ^ h>>>22 ^ h<<30 ^ h<<19 ^ h<<10 ) )|0;
10855
10856 // 50
10857 w2 = ( ( w3>>>7 ^ w3>>>18 ^ w3>>>3 ^ w3<<25 ^ w3<<14 ) + ( w0>>>17 ^ w0>>>19 ^ w0>>>10 ^ w0<<15 ^ w0<<13 ) + w2 + w11 )|0;
10858 f = ( w2 + f + ( c>>>6 ^ c>>>11 ^ c>>>25 ^ c<<26 ^ c<<21 ^ c<<7 ) + ( e ^ c & (d^e) ) + 0x2748774c )|0;
10859 b = ( b + f )|0;
10860 f = ( f + ( (g & h) ^ ( a & (g ^ h) ) ) + ( g>>>2 ^ g>>>13 ^ g>>>22 ^ g<<30 ^ g<<19 ^ g<<10 ) )|0;
10861
10862 // 51
10863 w3 = ( ( w4>>>7 ^ w4>>>18 ^ w4>>>3 ^ w4<<25 ^ w4<<14 ) + ( w1>>>17 ^ w1>>>19 ^ w1>>>10 ^ w1<<15 ^ w1<<13 ) + w3 + w12 )|0;
10864 e = ( w3 + e + ( b>>>6 ^ b>>>11 ^ b>>>25 ^ b<<26 ^ b<<21 ^ b<<7 ) + ( d ^ b & (c^d) ) + 0x34b0bcb5 )|0;
10865 a = ( a + e )|0;
10866 e = ( e + ( (f & g) ^ ( h & (f ^ g) ) ) + ( f>>>2 ^ f>>>13 ^ f>>>22 ^ f<<30 ^ f<<19 ^ f<<10 ) )|0;
10867
10868 // 52
10869 w4 = ( ( w5>>>7 ^ w5>>>18 ^ w5>>>3 ^ w5<<25 ^ w5<<14 ) + ( w2>>>17 ^ w2>>>19 ^ w2>>>10 ^ w2<<15 ^ w2<<13 ) + w4 + w13 )|0;
10870 d = ( w4 + d + ( a>>>6 ^ a>>>11 ^ a>>>25 ^ a<<26 ^ a<<21 ^ a<<7 ) + ( c ^ a & (b^c) ) + 0x391c0cb3 )|0;
10871 h = ( h + d )|0;
10872 d = ( d + ( (e & f) ^ ( g & (e ^ f) ) ) + ( e>>>2 ^ e>>>13 ^ e>>>22 ^ e<<30 ^ e<<19 ^ e<<10 ) )|0;
10873
10874 // 53
10875 w5 = ( ( w6>>>7 ^ w6>>>18 ^ w6>>>3 ^ w6<<25 ^ w6<<14 ) + ( w3>>>17 ^ w3>>>19 ^ w3>>>10 ^ w3<<15 ^ w3<<13 ) + w5 + w14 )|0;
10876 c = ( w5 + c + ( h>>>6 ^ h>>>11 ^ h>>>25 ^ h<<26 ^ h<<21 ^ h<<7 ) + ( b ^ h & (a^b) ) + 0x4ed8aa4a )|0;
10877 g = ( g + c )|0;
10878 c = ( c + ( (d & e) ^ ( f & (d ^ e) ) ) + ( d>>>2 ^ d>>>13 ^ d>>>22 ^ d<<30 ^ d<<19 ^ d<<10 ) )|0;
10879
10880 // 54
10881 w6 = ( ( w7>>>7 ^ w7>>>18 ^ w7>>>3 ^ w7<<25 ^ w7<<14 ) + ( w4>>>17 ^ w4>>>19 ^ w4>>>10 ^ w4<<15 ^ w4<<13 ) + w6 + w15 )|0;
10882 b = ( w6 + b + ( g>>>6 ^ g>>>11 ^ g>>>25 ^ g<<26 ^ g<<21 ^ g<<7 ) + ( a ^ g & (h^a) ) + 0x5b9cca4f )|0;
10883 f = ( f + b )|0;
10884 b = ( b + ( (c & d) ^ ( e & (c ^ d) ) ) + ( c>>>2 ^ c>>>13 ^ c>>>22 ^ c<<30 ^ c<<19 ^ c<<10 ) )|0;
10885
10886 // 55
10887 w7 = ( ( w8>>>7 ^ w8>>>18 ^ w8>>>3 ^ w8<<25 ^ w8<<14 ) + ( w5>>>17 ^ w5>>>19 ^ w5>>>10 ^ w5<<15 ^ w5<<13 ) + w7 + w0 )|0;
10888 a = ( w7 + a + ( f>>>6 ^ f>>>11 ^ f>>>25 ^ f<<26 ^ f<<21 ^ f<<7 ) + ( h ^ f & (g^h) ) + 0x682e6ff3 )|0;
10889 e = ( e + a )|0;
10890 a = ( a + ( (b & c) ^ ( d & (b ^ c) ) ) + ( b>>>2 ^ b>>>13 ^ b>>>22 ^ b<<30 ^ b<<19 ^ b<<10 ) )|0;
10891
10892 // 56
10893 w8 = ( ( w9>>>7 ^ w9>>>18 ^ w9>>>3 ^ w9<<25 ^ w9<<14 ) + ( w6>>>17 ^ w6>>>19 ^ w6>>>10 ^ w6<<15 ^ w6<<13 ) + w8 + w1 )|0;
10894 h = ( w8 + h + ( e>>>6 ^ e>>>11 ^ e>>>25 ^ e<<26 ^ e<<21 ^ e<<7 ) + ( g ^ e & (f^g) ) + 0x748f82ee )|0;
10895 d = ( d + h )|0;
10896 h = ( h + ( (a & b) ^ ( c & (a ^ b) ) ) + ( a>>>2 ^ a>>>13 ^ a>>>22 ^ a<<30 ^ a<<19 ^ a<<10 ) )|0;
10897
10898 // 57
10899 w9 = ( ( w10>>>7 ^ w10>>>18 ^ w10>>>3 ^ w10<<25 ^ w10<<14 ) + ( w7>>>17 ^ w7>>>19 ^ w7>>>10 ^ w7<<15 ^ w7<<13 ) + w9 + w2 )|0;
10900 g = ( w9 + g + ( d>>>6 ^ d>>>11 ^ d>>>25 ^ d<<26 ^ d<<21 ^ d<<7 ) + ( f ^ d & (e^f) ) + 0x78a5636f )|0;
10901 c = ( c + g )|0;
10902 g = ( g + ( (h & a) ^ ( b & (h ^ a) ) ) + ( h>>>2 ^ h>>>13 ^ h>>>22 ^ h<<30 ^ h<<19 ^ h<<10 ) )|0;
10903
10904 // 58
10905 w10 = ( ( w11>>>7 ^ w11>>>18 ^ w11>>>3 ^ w11<<25 ^ w11<<14 ) + ( w8>>>17 ^ w8>>>19 ^ w8>>>10 ^ w8<<15 ^ w8<<13 ) + w10 + w3 )|0;
10906 f = ( w10 + f + ( c>>>6 ^ c>>>11 ^ c>>>25 ^ c<<26 ^ c<<21 ^ c<<7 ) + ( e ^ c & (d^e) ) + 0x84c87814 )|0;
10907 b = ( b + f )|0;
10908 f = ( f + ( (g & h) ^ ( a & (g ^ h) ) ) + ( g>>>2 ^ g>>>13 ^ g>>>22 ^ g<<30 ^ g<<19 ^ g<<10 ) )|0;
10909
10910 // 59
10911 w11 = ( ( w12>>>7 ^ w12>>>18 ^ w12>>>3 ^ w12<<25 ^ w12<<14 ) + ( w9>>>17 ^ w9>>>19 ^ w9>>>10 ^ w9<<15 ^ w9<<13 ) + w11 + w4 )|0;
10912 e = ( w11 + e + ( b>>>6 ^ b>>>11 ^ b>>>25 ^ b<<26 ^ b<<21 ^ b<<7 ) + ( d ^ b & (c^d) ) + 0x8cc70208 )|0;
10913 a = ( a + e )|0;
10914 e = ( e + ( (f & g) ^ ( h & (f ^ g) ) ) + ( f>>>2 ^ f>>>13 ^ f>>>22 ^ f<<30 ^ f<<19 ^ f<<10 ) )|0;
10915
10916 // 60
10917 w12 = ( ( w13>>>7 ^ w13>>>18 ^ w13>>>3 ^ w13<<25 ^ w13<<14 ) + ( w10>>>17 ^ w10>>>19 ^ w10>>>10 ^ w10<<15 ^ w10<<13 ) + w12 + w5 )|0;
10918 d = ( w12 + d + ( a>>>6 ^ a>>>11 ^ a>>>25 ^ a<<26 ^ a<<21 ^ a<<7 ) + ( c ^ a & (b^c) ) + 0x90befffa )|0;
10919 h = ( h + d )|0;
10920 d = ( d + ( (e & f) ^ ( g & (e ^ f) ) ) + ( e>>>2 ^ e>>>13 ^ e>>>22 ^ e<<30 ^ e<<19 ^ e<<10 ) )|0;
10921
10922 // 61
10923 w13 = ( ( w14>>>7 ^ w14>>>18 ^ w14>>>3 ^ w14<<25 ^ w14<<14 ) + ( w11>>>17 ^ w11>>>19 ^ w11>>>10 ^ w11<<15 ^ w11<<13 ) + w13 + w6 )|0;
10924 c = ( w13 + c + ( h>>>6 ^ h>>>11 ^ h>>>25 ^ h<<26 ^ h<<21 ^ h<<7 ) + ( b ^ h & (a^b) ) + 0xa4506ceb )|0;
10925 g = ( g + c )|0;
10926 c = ( c + ( (d & e) ^ ( f & (d ^ e) ) ) + ( d>>>2 ^ d>>>13 ^ d>>>22 ^ d<<30 ^ d<<19 ^ d<<10 ) )|0;
10927
10928 // 62
10929 w14 = ( ( w15>>>7 ^ w15>>>18 ^ w15>>>3 ^ w15<<25 ^ w15<<14 ) + ( w12>>>17 ^ w12>>>19 ^ w12>>>10 ^ w12<<15 ^ w12<<13 ) + w14 + w7 )|0;
10930 b = ( w14 + b + ( g>>>6 ^ g>>>11 ^ g>>>25 ^ g<<26 ^ g<<21 ^ g<<7 ) + ( a ^ g & (h^a) ) + 0xbef9a3f7 )|0;
10931 f = ( f + b )|0;
10932 b = ( b + ( (c & d) ^ ( e & (c ^ d) ) ) + ( c>>>2 ^ c>>>13 ^ c>>>22 ^ c<<30 ^ c<<19 ^ c<<10 ) )|0;
10933
10934 // 63
10935 w15 = ( ( w0>>>7 ^ w0>>>18 ^ w0>>>3 ^ w0<<25 ^ w0<<14 ) + ( w13>>>17 ^ w13>>>19 ^ w13>>>10 ^ w13<<15 ^ w13<<13 ) + w15 + w8 )|0;
10936 a = ( w15 + a + ( f>>>6 ^ f>>>11 ^ f>>>25 ^ f<<26 ^ f<<21 ^ f<<7 ) + ( h ^ f & (g^h) ) + 0xc67178f2 )|0;
10937 e = ( e + a )|0;
10938 a = ( a + ( (b & c) ^ ( d & (b ^ c) ) ) + ( b>>>2 ^ b>>>13 ^ b>>>22 ^ b<<30 ^ b<<19 ^ b<<10 ) )|0;
10939
10940 H0 = ( H0 + a )|0;
10941 H1 = ( H1 + b )|0;
10942 H2 = ( H2 + c )|0;
10943 H3 = ( H3 + d )|0;
10944 H4 = ( H4 + e )|0;
10945 H5 = ( H5 + f )|0;
10946 H6 = ( H6 + g )|0;
10947 H7 = ( H7 + h )|0;
10948 }
10949
10950 function _core_heap ( offset ) {
10951 offset = offset|0;
10952
10953 _core(
10954 HEAP[offset|0]<<24 | HEAP[offset|1]<<16 | HEAP[offset|2]<<8 | HEAP[offset|3],
10955 HEAP[offset|4]<<24 | HEAP[offset|5]<<16 | HEAP[offset|6]<<8 | HEAP[offset|7],
10956 HEAP[offset|8]<<24 | HEAP[offset|9]<<16 | HEAP[offset|10]<<8 | HEAP[offset|11],
10957 HEAP[offset|12]<<24 | HEAP[offset|13]<<16 | HEAP[offset|14]<<8 | HEAP[offset|15],
10958 HEAP[offset|16]<<24 | HEAP[offset|17]<<16 | HEAP[offset|18]<<8 | HEAP[offset|19],
10959 HEAP[offset|20]<<24 | HEAP[offset|21]<<16 | HEAP[offset|22]<<8 | HEAP[offset|23],
10960 HEAP[offset|24]<<24 | HEAP[offset|25]<<16 | HEAP[offset|26]<<8 | HEAP[offset|27],
10961 HEAP[offset|28]<<24 | HEAP[offset|29]<<16 | HEAP[offset|30]<<8 | HEAP[offset|31],
10962 HEAP[offset|32]<<24 | HEAP[offset|33]<<16 | HEAP[offset|34]<<8 | HEAP[offset|35],
10963 HEAP[offset|36]<<24 | HEAP[offset|37]<<16 | HEAP[offset|38]<<8 | HEAP[offset|39],
10964 HEAP[offset|40]<<24 | HEAP[offset|41]<<16 | HEAP[offset|42]<<8 | HEAP[offset|43],
10965 HEAP[offset|44]<<24 | HEAP[offset|45]<<16 | HEAP[offset|46]<<8 | HEAP[offset|47],
10966 HEAP[offset|48]<<24 | HEAP[offset|49]<<16 | HEAP[offset|50]<<8 | HEAP[offset|51],
10967 HEAP[offset|52]<<24 | HEAP[offset|53]<<16 | HEAP[offset|54]<<8 | HEAP[offset|55],
10968 HEAP[offset|56]<<24 | HEAP[offset|57]<<16 | HEAP[offset|58]<<8 | HEAP[offset|59],
10969 HEAP[offset|60]<<24 | HEAP[offset|61]<<16 | HEAP[offset|62]<<8 | HEAP[offset|63]
10970 );
10971 }
10972
10973 // offset — multiple of 32
10974 function _state_to_heap ( output ) {
10975 output = output|0;
10976
10977 HEAP[output|0] = H0>>>24;
10978 HEAP[output|1] = H0>>>16&255;
10979 HEAP[output|2] = H0>>>8&255;
10980 HEAP[output|3] = H0&255;
10981 HEAP[output|4] = H1>>>24;
10982 HEAP[output|5] = H1>>>16&255;
10983 HEAP[output|6] = H1>>>8&255;
10984 HEAP[output|7] = H1&255;
10985 HEAP[output|8] = H2>>>24;
10986 HEAP[output|9] = H2>>>16&255;
10987 HEAP[output|10] = H2>>>8&255;
10988 HEAP[output|11] = H2&255;
10989 HEAP[output|12] = H3>>>24;
10990 HEAP[output|13] = H3>>>16&255;
10991 HEAP[output|14] = H3>>>8&255;
10992 HEAP[output|15] = H3&255;
10993 HEAP[output|16] = H4>>>24;
10994 HEAP[output|17] = H4>>>16&255;
10995 HEAP[output|18] = H4>>>8&255;
10996 HEAP[output|19] = H4&255;
10997 HEAP[output|20] = H5>>>24;
10998 HEAP[output|21] = H5>>>16&255;
10999 HEAP[output|22] = H5>>>8&255;
11000 HEAP[output|23] = H5&255;
11001 HEAP[output|24] = H6>>>24;
11002 HEAP[output|25] = H6>>>16&255;
11003 HEAP[output|26] = H6>>>8&255;
11004 HEAP[output|27] = H6&255;
11005 HEAP[output|28] = H7>>>24;
11006 HEAP[output|29] = H7>>>16&255;
11007 HEAP[output|30] = H7>>>8&255;
11008 HEAP[output|31] = H7&255;
11009 }
11010
11011 function reset () {
11012 H0 = 0x6a09e667;
11013 H1 = 0xbb67ae85;
11014 H2 = 0x3c6ef372;
11015 H3 = 0xa54ff53a;
11016 H4 = 0x510e527f;
11017 H5 = 0x9b05688c;
11018 H6 = 0x1f83d9ab;
11019 H7 = 0x5be0cd19;
11020 TOTAL0 = TOTAL1 = 0;
11021 }
11022
11023 function init ( h0, h1, h2, h3, h4, h5, h6, h7, total0, total1 ) {
11024 h0 = h0|0;
11025 h1 = h1|0;
11026 h2 = h2|0;
11027 h3 = h3|0;
11028 h4 = h4|0;
11029 h5 = h5|0;
11030 h6 = h6|0;
11031 h7 = h7|0;
11032 total0 = total0|0;
11033 total1 = total1|0;
11034
11035 H0 = h0;
11036 H1 = h1;
11037 H2 = h2;
11038 H3 = h3;
11039 H4 = h4;
11040 H5 = h5;
11041 H6 = h6;
11042 H7 = h7;
11043 TOTAL0 = total0;
11044 TOTAL1 = total1;
11045 }
11046
11047 // offset — multiple of 64
11048 function process ( offset, length ) {
11049 offset = offset|0;
11050 length = length|0;
11051
11052 var hashed = 0;
11053
11054 if ( offset & 63 )
11055 return -1;
11056
11057 while ( (length|0) >= 64 ) {
11058 _core_heap(offset);
11059
11060 offset = ( offset + 64 )|0;
11061 length = ( length - 64 )|0;
11062
11063 hashed = ( hashed + 64 )|0;
11064 }
11065
11066 TOTAL0 = ( TOTAL0 + hashed )|0;
11067 if ( TOTAL0>>>0 < hashed>>>0 ) TOTAL1 = ( TOTAL1 + 1 )|0;
11068
11069 return hashed|0;
11070 }
11071
11072 // offset — multiple of 64
11073 // output — multiple of 32
11074 function finish ( offset, length, output ) {
11075 offset = offset|0;
11076 length = length|0;
11077 output = output|0;
11078
11079 var hashed = 0,
11080 i = 0;
11081
11082 if ( offset & 63 )
11083 return -1;
11084
11085 if ( ~output )
11086 if ( output & 31 )
11087 return -1;
11088
11089 if ( (length|0) >= 64 ) {
11090 hashed = process( offset, length )|0;
11091 if ( (hashed|0) == -1 )
11092 return -1;
11093
11094 offset = ( offset + hashed )|0;
11095 length = ( length - hashed )|0;
11096 }
11097
11098 hashed = ( hashed + length )|0;
11099 TOTAL0 = ( TOTAL0 + length )|0;
11100 if ( TOTAL0>>>0 < length>>>0 ) TOTAL1 = ( TOTAL1 + 1 )|0;
11101
11102 HEAP[offset|length] = 0x80;
11103
11104 if ( (length|0) >= 56 ) {
11105 for ( i = (length+1)|0; (i|0) < 64; i = (i+1)|0 )
11106 HEAP[offset|i] = 0x00;
11107
11108 _core_heap(offset);
11109
11110 length = 0;
11111
11112 HEAP[offset|0] = 0;
11113 }
11114
11115 for ( i = (length+1)|0; (i|0) < 59; i = (i+1)|0 )
11116 HEAP[offset|i] = 0;
11117
11118 HEAP[offset|56] = TOTAL1>>>21&255;
11119 HEAP[offset|57] = TOTAL1>>>13&255;
11120 HEAP[offset|58] = TOTAL1>>>5&255;
11121 HEAP[offset|59] = TOTAL1<<3&255 | TOTAL0>>>29;
11122 HEAP[offset|60] = TOTAL0>>>21&255;
11123 HEAP[offset|61] = TOTAL0>>>13&255;
11124 HEAP[offset|62] = TOTAL0>>>5&255;
11125 HEAP[offset|63] = TOTAL0<<3&255;
11126 _core_heap(offset);
11127
11128 if ( ~output )
11129 _state_to_heap(output);
11130
11131 return hashed|0;
11132 }
11133
11134 function hmac_reset () {
11135 H0 = I0;
11136 H1 = I1;
11137 H2 = I2;
11138 H3 = I3;
11139 H4 = I4;
11140 H5 = I5;
11141 H6 = I6;
11142 H7 = I7;
11143 TOTAL0 = 64;
11144 TOTAL1 = 0;
11145 }
11146
11147 function _hmac_opad () {
11148 H0 = O0;
11149 H1 = O1;
11150 H2 = O2;
11151 H3 = O3;
11152 H4 = O4;
11153 H5 = O5;
11154 H6 = O6;
11155 H7 = O7;
11156 TOTAL0 = 64;
11157 TOTAL1 = 0;
11158 }
11159
11160 function hmac_init ( p0, p1, p2, p3, p4, p5, p6, p7, p8, p9, p10, p11, p12, p13, p14, p15 ) {
11161 p0 = p0|0;
11162 p1 = p1|0;
11163 p2 = p2|0;
11164 p3 = p3|0;
11165 p4 = p4|0;
11166 p5 = p5|0;
11167 p6 = p6|0;
11168 p7 = p7|0;
11169 p8 = p8|0;
11170 p9 = p9|0;
11171 p10 = p10|0;
11172 p11 = p11|0;
11173 p12 = p12|0;
11174 p13 = p13|0;
11175 p14 = p14|0;
11176 p15 = p15|0;
11177
11178 // opad
11179 reset();
11180 _core(
11181 p0 ^ 0x5c5c5c5c,
11182 p1 ^ 0x5c5c5c5c,
11183 p2 ^ 0x5c5c5c5c,
11184 p3 ^ 0x5c5c5c5c,
11185 p4 ^ 0x5c5c5c5c,
11186 p5 ^ 0x5c5c5c5c,
11187 p6 ^ 0x5c5c5c5c,
11188 p7 ^ 0x5c5c5c5c,
11189 p8 ^ 0x5c5c5c5c,
11190 p9 ^ 0x5c5c5c5c,
11191 p10 ^ 0x5c5c5c5c,
11192 p11 ^ 0x5c5c5c5c,
11193 p12 ^ 0x5c5c5c5c,
11194 p13 ^ 0x5c5c5c5c,
11195 p14 ^ 0x5c5c5c5c,
11196 p15 ^ 0x5c5c5c5c
11197 );
11198 O0 = H0;
11199 O1 = H1;
11200 O2 = H2;
11201 O3 = H3;
11202 O4 = H4;
11203 O5 = H5;
11204 O6 = H6;
11205 O7 = H7;
11206
11207 // ipad
11208 reset();
11209 _core(
11210 p0 ^ 0x36363636,
11211 p1 ^ 0x36363636,
11212 p2 ^ 0x36363636,
11213 p3 ^ 0x36363636,
11214 p4 ^ 0x36363636,
11215 p5 ^ 0x36363636,
11216 p6 ^ 0x36363636,
11217 p7 ^ 0x36363636,
11218 p8 ^ 0x36363636,
11219 p9 ^ 0x36363636,
11220 p10 ^ 0x36363636,
11221 p11 ^ 0x36363636,
11222 p12 ^ 0x36363636,
11223 p13 ^ 0x36363636,
11224 p14 ^ 0x36363636,
11225 p15 ^ 0x36363636
11226 );
11227 I0 = H0;
11228 I1 = H1;
11229 I2 = H2;
11230 I3 = H3;
11231 I4 = H4;
11232 I5 = H5;
11233 I6 = H6;
11234 I7 = H7;
11235
11236 TOTAL0 = 64;
11237 TOTAL1 = 0;
11238 }
11239
11240 // offset — multiple of 64
11241 // output — multiple of 32
11242 function hmac_finish ( offset, length, output ) {
11243 offset = offset|0;
11244 length = length|0;
11245 output = output|0;
11246
11247 var t0 = 0, t1 = 0, t2 = 0, t3 = 0, t4 = 0, t5 = 0, t6 = 0, t7 = 0,
11248 hashed = 0;
11249
11250 if ( offset & 63 )
11251 return -1;
11252
11253 if ( ~output )
11254 if ( output & 31 )
11255 return -1;
11256
11257 hashed = finish( offset, length, -1 )|0;
11258 t0 = H0, t1 = H1, t2 = H2, t3 = H3, t4 = H4, t5 = H5, t6 = H6, t7 = H7;
11259
11260 _hmac_opad();
11261 _core( t0, t1, t2, t3, t4, t5, t6, t7, 0x80000000, 0, 0, 0, 0, 0, 0, 768 );
11262
11263 if ( ~output )
11264 _state_to_heap(output);
11265
11266 return hashed|0;
11267 }
11268
11269 // salt is assumed to be already processed
11270 // offset — multiple of 64
11271 // output — multiple of 32
11272 function pbkdf2_generate_block ( offset, length, block, count, output ) {
11273 offset = offset|0;
11274 length = length|0;
11275 block = block|0;
11276 count = count|0;
11277 output = output|0;
11278
11279 var h0 = 0, h1 = 0, h2 = 0, h3 = 0, h4 = 0, h5 = 0, h6 = 0, h7 = 0,
11280 t0 = 0, t1 = 0, t2 = 0, t3 = 0, t4 = 0, t5 = 0, t6 = 0, t7 = 0;
11281
11282 if ( offset & 63 )
11283 return -1;
11284
11285 if ( ~output )
11286 if ( output & 31 )
11287 return -1;
11288
11289 // pad block number into heap
11290 // FIXME probable OOB write
11291 HEAP[(offset+length)|0] = block>>>24;
11292 HEAP[(offset+length+1)|0] = block>>>16&255;
11293 HEAP[(offset+length+2)|0] = block>>>8&255;
11294 HEAP[(offset+length+3)|0] = block&255;
11295
11296 // finish first iteration
11297 hmac_finish( offset, (length+4)|0, -1 )|0;
11298 h0 = t0 = H0, h1 = t1 = H1, h2 = t2 = H2, h3 = t3 = H3, h4 = t4 = H4, h5 = t5 = H5, h6 = t6 = H6, h7 = t7 = H7;
11299 count = (count-1)|0;
11300
11301 // perform the rest iterations
11302 while ( (count|0) > 0 ) {
11303 hmac_reset();
11304 _core( t0, t1, t2, t3, t4, t5, t6, t7, 0x80000000, 0, 0, 0, 0, 0, 0, 768 );
11305 t0 = H0, t1 = H1, t2 = H2, t3 = H3, t4 = H4, t5 = H5, t6 = H6, t7 = H7;
11306
11307 _hmac_opad();
11308 _core( t0, t1, t2, t3, t4, t5, t6, t7, 0x80000000, 0, 0, 0, 0, 0, 0, 768 );
11309 t0 = H0, t1 = H1, t2 = H2, t3 = H3, t4 = H4, t5 = H5, t6 = H6, t7 = H7;
11310
11311 h0 = h0 ^ H0;
11312 h1 = h1 ^ H1;
11313 h2 = h2 ^ H2;
11314 h3 = h3 ^ H3;
11315 h4 = h4 ^ H4;
11316 h5 = h5 ^ H5;
11317 h6 = h6 ^ H6;
11318 h7 = h7 ^ H7;
11319
11320 count = (count-1)|0;
11321 }
11322
11323 H0 = h0;
11324 H1 = h1;
11325 H2 = h2;
11326 H3 = h3;
11327 H4 = h4;
11328 H5 = h5;
11329 H6 = h6;
11330 H7 = h7;
11331
11332 if ( ~output )
11333 _state_to_heap(output);
11334
11335 return 0;
11336 }
11337
11338 return {
11339 // SHA256
11340 reset: reset,
11341 init: init,
11342 process: process,
11343 finish: finish,
11344
11345 // HMAC-SHA256
11346 hmac_reset: hmac_reset,
11347 hmac_init: hmac_init,
11348 hmac_finish: hmac_finish,
11349
11350 // PBKDF2-HMAC-SHA256
11351 pbkdf2_generate_block: pbkdf2_generate_block
11352 }
11353 };
11354
11355 const _sha256_block_size = 64;
11356 const _sha256_hash_size = 32;
11357 const heap_pool$2 = [];
11358 const asm_pool$2 = [];
11359 class Sha256 extends Hash {
11360 constructor() {
11361 super();
11362 this.NAME = 'sha256';
11363 this.BLOCK_SIZE = _sha256_block_size;
11364 this.HASH_SIZE = _sha256_hash_size;
11365 this.acquire_asm();
11366 }
11367 acquire_asm() {
11368 if (this.heap === undefined || this.asm === undefined) {
11369 this.heap = heap_pool$2.pop() || _heap_init();
11370 this.asm = asm_pool$2.pop() || sha256_asm({ Uint8Array: Uint8Array }, null, this.heap.buffer);
11371 this.reset();
11372 }
11373 return { heap: this.heap, asm: this.asm };
11374 }
11375 release_asm() {
11376 if (this.heap !== undefined && this.asm !== undefined) {
11377 heap_pool$2.push(this.heap);
11378 asm_pool$2.push(this.asm);
11379 }
11380 this.heap = undefined;
11381 this.asm = undefined;
11382 }
11383 static bytes(data) {
11384 return new Sha256().process(data).finish().result;
11385 }
11386 }
11387 Sha256.NAME = 'sha256';
11388
11389 var minimalisticAssert = assert$1;
11390
11391 function assert$1(val, msg) {
11392 if (!val)
11393 throw new Error(msg || 'Assertion failed');
11394 }
11395
11396 assert$1.equal = function assertEqual(l, r, msg) {
11397 if (l != r)
11398 throw new Error(msg || ('Assertion failed: ' + l + ' != ' + r));
11399 };
11400
11401 var commonjsGlobal = typeof globalThis !== 'undefined' ? globalThis : typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
11402
11403 function createCommonjsModule(fn, module) {
11404 return module = { exports: {} }, fn(module, module.exports), module.exports;
11405 }
11406
11407 function commonjsRequire () {
11408 throw new Error('Dynamic requires are not currently supported by @rollup/plugin-commonjs');
11409 }
11410
11411 var inherits_browser = createCommonjsModule(function (module) {
11412 if (typeof Object.create === 'function') {
11413 // implementation from standard node.js 'util' module
11414 module.exports = function inherits(ctor, superCtor) {
11415 ctor.super_ = superCtor;
11416 ctor.prototype = Object.create(superCtor.prototype, {
11417 constructor: {
11418 value: ctor,
11419 enumerable: false,
11420 writable: true,
11421 configurable: true
11422 }
11423 });
11424 };
11425 } else {
11426 // old school shim for old browsers
11427 module.exports = function inherits(ctor, superCtor) {
11428 ctor.super_ = superCtor;
11429 var TempCtor = function () {};
11430 TempCtor.prototype = superCtor.prototype;
11431 ctor.prototype = new TempCtor();
11432 ctor.prototype.constructor = ctor;
11433 };
11434 }
11435 });
11436
11437 var inherits_1 = inherits_browser;
11438
11439 function toArray(msg, enc) {
11440 if (Array.isArray(msg))
11441 return msg.slice();
11442 if (!msg)
11443 return [];
11444 var res = [];
11445 if (typeof msg === 'string') {
11446 if (!enc) {
11447 for (var i = 0; i < msg.length; i++) {
11448 var c = msg.charCodeAt(i);
11449 var hi = c >> 8;
11450 var lo = c & 0xff;
11451 if (hi)
11452 res.push(hi, lo);
11453 else
11454 res.push(lo);
11455 }
11456 } else if (enc === 'hex') {
11457 msg = msg.replace(/[^a-z0-9]+/ig, '');
11458 if (msg.length % 2 !== 0)
11459 msg = '0' + msg;
11460 for (i = 0; i < msg.length; i += 2)
11461 res.push(parseInt(msg[i] + msg[i + 1], 16));
11462 }
11463 } else {
11464 for (i = 0; i < msg.length; i++)
11465 res[i] = msg[i] | 0;
11466 }
11467 return res;
11468 }
11469 var toArray_1 = toArray;
11470
11471 function toHex(msg) {
11472 var res = '';
11473 for (var i = 0; i < msg.length; i++)
11474 res += zero2(msg[i].toString(16));
11475 return res;
11476 }
11477 var toHex_1 = toHex;
11478
11479 function htonl(w) {
11480 var res = (w >>> 24) |
11481 ((w >>> 8) & 0xff00) |
11482 ((w << 8) & 0xff0000) |
11483 ((w & 0xff) << 24);
11484 return res >>> 0;
11485 }
11486 var htonl_1 = htonl;
11487
11488 function toHex32(msg, endian) {
11489 var res = '';
11490 for (var i = 0; i < msg.length; i++) {
11491 var w = msg[i];
11492 if (endian === 'little')
11493 w = htonl(w);
11494 res += zero8(w.toString(16));
11495 }
11496 return res;
11497 }
11498 var toHex32_1 = toHex32;
11499
11500 function zero2(word) {
11501 if (word.length === 1)
11502 return '0' + word;
11503 else
11504 return word;
11505 }
11506 var zero2_1 = zero2;
11507
11508 function zero8(word) {
11509 if (word.length === 7)
11510 return '0' + word;
11511 else if (word.length === 6)
11512 return '00' + word;
11513 else if (word.length === 5)
11514 return '000' + word;
11515 else if (word.length === 4)
11516 return '0000' + word;
11517 else if (word.length === 3)
11518 return '00000' + word;
11519 else if (word.length === 2)
11520 return '000000' + word;
11521 else if (word.length === 1)
11522 return '0000000' + word;
11523 else
11524 return word;
11525 }
11526 var zero8_1 = zero8;
11527
11528 function join32(msg, start, end, endian) {
11529 var len = end - start;
11530 minimalisticAssert(len % 4 === 0);
11531 var res = new Array(len / 4);
11532 for (var i = 0, k = start; i < res.length; i++, k += 4) {
11533 var w;
11534 if (endian === 'big')
11535 w = (msg[k] << 24) | (msg[k + 1] << 16) | (msg[k + 2] << 8) | msg[k + 3];
11536 else
11537 w = (msg[k + 3] << 24) | (msg[k + 2] << 16) | (msg[k + 1] << 8) | msg[k];
11538 res[i] = w >>> 0;
11539 }
11540 return res;
11541 }
11542 var join32_1 = join32;
11543
11544 function split32(msg, endian) {
11545 var res = new Array(msg.length * 4);
11546 for (var i = 0, k = 0; i < msg.length; i++, k += 4) {
11547 var m = msg[i];
11548 if (endian === 'big') {
11549 res[k] = m >>> 24;
11550 res[k + 1] = (m >>> 16) & 0xff;
11551 res[k + 2] = (m >>> 8) & 0xff;
11552 res[k + 3] = m & 0xff;
11553 } else {
11554 res[k + 3] = m >>> 24;
11555 res[k + 2] = (m >>> 16) & 0xff;
11556 res[k + 1] = (m >>> 8) & 0xff;
11557 res[k] = m & 0xff;
11558 }
11559 }
11560 return res;
11561 }
11562 var split32_1 = split32;
11563
11564 function rotr32(w, b) {
11565 return (w >>> b) | (w << (32 - b));
11566 }
11567 var rotr32_1 = rotr32;
11568
11569 function rotl32(w, b) {
11570 return (w << b) | (w >>> (32 - b));
11571 }
11572 var rotl32_1 = rotl32;
11573
11574 function sum32(a, b) {
11575 return (a + b) >>> 0;
11576 }
11577 var sum32_1 = sum32;
11578
11579 function sum32_3(a, b, c) {
11580 return (a + b + c) >>> 0;
11581 }
11582 var sum32_3_1 = sum32_3;
11583
11584 function sum32_4(a, b, c, d) {
11585 return (a + b + c + d) >>> 0;
11586 }
11587 var sum32_4_1 = sum32_4;
11588
11589 function sum32_5(a, b, c, d, e) {
11590 return (a + b + c + d + e) >>> 0;
11591 }
11592 var sum32_5_1 = sum32_5;
11593
11594 function sum64(buf, pos, ah, al) {
11595 var bh = buf[pos];
11596 var bl = buf[pos + 1];
11597
11598 var lo = (al + bl) >>> 0;
11599 var hi = (lo < al ? 1 : 0) + ah + bh;
11600 buf[pos] = hi >>> 0;
11601 buf[pos + 1] = lo;
11602 }
11603 var sum64_1 = sum64;
11604
11605 function sum64_hi(ah, al, bh, bl) {
11606 var lo = (al + bl) >>> 0;
11607 var hi = (lo < al ? 1 : 0) + ah + bh;
11608 return hi >>> 0;
11609 }
11610 var sum64_hi_1 = sum64_hi;
11611
11612 function sum64_lo(ah, al, bh, bl) {
11613 var lo = al + bl;
11614 return lo >>> 0;
11615 }
11616 var sum64_lo_1 = sum64_lo;
11617
11618 function sum64_4_hi(ah, al, bh, bl, ch, cl, dh, dl) {
11619 var carry = 0;
11620 var lo = al;
11621 lo = (lo + bl) >>> 0;
11622 carry += lo < al ? 1 : 0;
11623 lo = (lo + cl) >>> 0;
11624 carry += lo < cl ? 1 : 0;
11625 lo = (lo + dl) >>> 0;
11626 carry += lo < dl ? 1 : 0;
11627
11628 var hi = ah + bh + ch + dh + carry;
11629 return hi >>> 0;
11630 }
11631 var sum64_4_hi_1 = sum64_4_hi;
11632
11633 function sum64_4_lo(ah, al, bh, bl, ch, cl, dh, dl) {
11634 var lo = al + bl + cl + dl;
11635 return lo >>> 0;
11636 }
11637 var sum64_4_lo_1 = sum64_4_lo;
11638
11639 function sum64_5_hi(ah, al, bh, bl, ch, cl, dh, dl, eh, el) {
11640 var carry = 0;
11641 var lo = al;
11642 lo = (lo + bl) >>> 0;
11643 carry += lo < al ? 1 : 0;
11644 lo = (lo + cl) >>> 0;
11645 carry += lo < cl ? 1 : 0;
11646 lo = (lo + dl) >>> 0;
11647 carry += lo < dl ? 1 : 0;
11648 lo = (lo + el) >>> 0;
11649 carry += lo < el ? 1 : 0;
11650
11651 var hi = ah + bh + ch + dh + eh + carry;
11652 return hi >>> 0;
11653 }
11654 var sum64_5_hi_1 = sum64_5_hi;
11655
11656 function sum64_5_lo(ah, al, bh, bl, ch, cl, dh, dl, eh, el) {
11657 var lo = al + bl + cl + dl + el;
11658
11659 return lo >>> 0;
11660 }
11661 var sum64_5_lo_1 = sum64_5_lo;
11662
11663 function rotr64_hi(ah, al, num) {
11664 var r = (al << (32 - num)) | (ah >>> num);
11665 return r >>> 0;
11666 }
11667 var rotr64_hi_1 = rotr64_hi;
11668
11669 function rotr64_lo(ah, al, num) {
11670 var r = (ah << (32 - num)) | (al >>> num);
11671 return r >>> 0;
11672 }
11673 var rotr64_lo_1 = rotr64_lo;
11674
11675 function shr64_hi(ah, al, num) {
11676 return ah >>> num;
11677 }
11678 var shr64_hi_1 = shr64_hi;
11679
11680 function shr64_lo(ah, al, num) {
11681 var r = (ah << (32 - num)) | (al >>> num);
11682 return r >>> 0;
11683 }
11684 var shr64_lo_1 = shr64_lo;
11685
11686 var utils = {
11687 inherits: inherits_1,
11688 toArray: toArray_1,
11689 toHex: toHex_1,
11690 htonl: htonl_1,
11691 toHex32: toHex32_1,
11692 zero2: zero2_1,
11693 zero8: zero8_1,
11694 join32: join32_1,
11695 split32: split32_1,
11696 rotr32: rotr32_1,
11697 rotl32: rotl32_1,
11698 sum32: sum32_1,
11699 sum32_3: sum32_3_1,
11700 sum32_4: sum32_4_1,
11701 sum32_5: sum32_5_1,
11702 sum64: sum64_1,
11703 sum64_hi: sum64_hi_1,
11704 sum64_lo: sum64_lo_1,
11705 sum64_4_hi: sum64_4_hi_1,
11706 sum64_4_lo: sum64_4_lo_1,
11707 sum64_5_hi: sum64_5_hi_1,
11708 sum64_5_lo: sum64_5_lo_1,
11709 rotr64_hi: rotr64_hi_1,
11710 rotr64_lo: rotr64_lo_1,
11711 shr64_hi: shr64_hi_1,
11712 shr64_lo: shr64_lo_1
11713 };
11714
11715 function BlockHash() {
11716 this.pending = null;
11717 this.pendingTotal = 0;
11718 this.blockSize = this.constructor.blockSize;
11719 this.outSize = this.constructor.outSize;
11720 this.hmacStrength = this.constructor.hmacStrength;
11721 this.padLength = this.constructor.padLength / 8;
11722 this.endian = 'big';
11723
11724 this._delta8 = this.blockSize / 8;
11725 this._delta32 = this.blockSize / 32;
11726 }
11727 var BlockHash_1 = BlockHash;
11728
11729 BlockHash.prototype.update = function update(msg, enc) {
11730 // Convert message to array, pad it, and join into 32bit blocks
11731 msg = utils.toArray(msg, enc);
11732 if (!this.pending)
11733 this.pending = msg;
11734 else
11735 this.pending = this.pending.concat(msg);
11736 this.pendingTotal += msg.length;
11737
11738 // Enough data, try updating
11739 if (this.pending.length >= this._delta8) {
11740 msg = this.pending;
11741
11742 // Process pending data in blocks
11743 var r = msg.length % this._delta8;
11744 this.pending = msg.slice(msg.length - r, msg.length);
11745 if (this.pending.length === 0)
11746 this.pending = null;
11747
11748 msg = utils.join32(msg, 0, msg.length - r, this.endian);
11749 for (var i = 0; i < msg.length; i += this._delta32)
11750 this._update(msg, i, i + this._delta32);
11751 }
11752
11753 return this;
11754 };
11755
11756 BlockHash.prototype.digest = function digest(enc) {
11757 this.update(this._pad());
11758 minimalisticAssert(this.pending === null);
11759
11760 return this._digest(enc);
11761 };
11762
11763 BlockHash.prototype._pad = function pad() {
11764 var len = this.pendingTotal;
11765 var bytes = this._delta8;
11766 var k = bytes - ((len + this.padLength) % bytes);
11767 var res = new Array(k + this.padLength);
11768 res[0] = 0x80;
11769 for (var i = 1; i < k; i++)
11770 res[i] = 0;
11771
11772 // Append length
11773 len <<= 3;
11774 if (this.endian === 'big') {
11775 for (var t = 8; t < this.padLength; t++)
11776 res[i++] = 0;
11777
11778 res[i++] = 0;
11779 res[i++] = 0;
11780 res[i++] = 0;
11781 res[i++] = 0;
11782 res[i++] = (len >>> 24) & 0xff;
11783 res[i++] = (len >>> 16) & 0xff;
11784 res[i++] = (len >>> 8) & 0xff;
11785 res[i++] = len & 0xff;
11786 } else {
11787 res[i++] = len & 0xff;
11788 res[i++] = (len >>> 8) & 0xff;
11789 res[i++] = (len >>> 16) & 0xff;
11790 res[i++] = (len >>> 24) & 0xff;
11791 res[i++] = 0;
11792 res[i++] = 0;
11793 res[i++] = 0;
11794 res[i++] = 0;
11795
11796 for (t = 8; t < this.padLength; t++)
11797 res[i++] = 0;
11798 }
11799
11800 return res;
11801 };
11802
11803 var common = {
11804 BlockHash: BlockHash_1
11805 };
11806
11807 var rotr32$1 = utils.rotr32;
11808
11809 function ft_1(s, x, y, z) {
11810 if (s === 0)
11811 return ch32(x, y, z);
11812 if (s === 1 || s === 3)
11813 return p32(x, y, z);
11814 if (s === 2)
11815 return maj32(x, y, z);
11816 }
11817 var ft_1_1 = ft_1;
11818
11819 function ch32(x, y, z) {
11820 return (x & y) ^ ((~x) & z);
11821 }
11822 var ch32_1 = ch32;
11823
11824 function maj32(x, y, z) {
11825 return (x & y) ^ (x & z) ^ (y & z);
11826 }
11827 var maj32_1 = maj32;
11828
11829 function p32(x, y, z) {
11830 return x ^ y ^ z;
11831 }
11832 var p32_1 = p32;
11833
11834 function s0_256(x) {
11835 return rotr32$1(x, 2) ^ rotr32$1(x, 13) ^ rotr32$1(x, 22);
11836 }
11837 var s0_256_1 = s0_256;
11838
11839 function s1_256(x) {
11840 return rotr32$1(x, 6) ^ rotr32$1(x, 11) ^ rotr32$1(x, 25);
11841 }
11842 var s1_256_1 = s1_256;
11843
11844 function g0_256(x) {
11845 return rotr32$1(x, 7) ^ rotr32$1(x, 18) ^ (x >>> 3);
11846 }
11847 var g0_256_1 = g0_256;
11848
11849 function g1_256(x) {
11850 return rotr32$1(x, 17) ^ rotr32$1(x, 19) ^ (x >>> 10);
11851 }
11852 var g1_256_1 = g1_256;
11853
11854 var common$1 = {
11855 ft_1: ft_1_1,
11856 ch32: ch32_1,
11857 maj32: maj32_1,
11858 p32: p32_1,
11859 s0_256: s0_256_1,
11860 s1_256: s1_256_1,
11861 g0_256: g0_256_1,
11862 g1_256: g1_256_1
11863 };
11864
11865 var sum32$1 = utils.sum32;
11866 var sum32_4$1 = utils.sum32_4;
11867 var sum32_5$1 = utils.sum32_5;
11868 var ch32$1 = common$1.ch32;
11869 var maj32$1 = common$1.maj32;
11870 var s0_256$1 = common$1.s0_256;
11871 var s1_256$1 = common$1.s1_256;
11872 var g0_256$1 = common$1.g0_256;
11873 var g1_256$1 = common$1.g1_256;
11874
11875 var BlockHash$1 = common.BlockHash;
11876
11877 var sha256_K = [
11878 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
11879 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
11880 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
11881 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
11882 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
11883 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
11884 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
11885 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
11886 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
11887 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
11888 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
11889 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
11890 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
11891 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
11892 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
11893 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
11894 ];
11895
11896 function SHA256() {
11897 if (!(this instanceof SHA256))
11898 return new SHA256();
11899
11900 BlockHash$1.call(this);
11901 this.h = [
11902 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
11903 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
11904 ];
11905 this.k = sha256_K;
11906 this.W = new Array(64);
11907 }
11908 utils.inherits(SHA256, BlockHash$1);
11909 var _256 = SHA256;
11910
11911 SHA256.blockSize = 512;
11912 SHA256.outSize = 256;
11913 SHA256.hmacStrength = 192;
11914 SHA256.padLength = 64;
11915
11916 SHA256.prototype._update = function _update(msg, start) {
11917 var W = this.W;
11918
11919 for (var i = 0; i < 16; i++)
11920 W[i] = msg[start + i];
11921 for (; i < W.length; i++)
11922 W[i] = sum32_4$1(g1_256$1(W[i - 2]), W[i - 7], g0_256$1(W[i - 15]), W[i - 16]);
11923
11924 var a = this.h[0];
11925 var b = this.h[1];
11926 var c = this.h[2];
11927 var d = this.h[3];
11928 var e = this.h[4];
11929 var f = this.h[5];
11930 var g = this.h[6];
11931 var h = this.h[7];
11932
11933 minimalisticAssert(this.k.length === W.length);
11934 for (i = 0; i < W.length; i++) {
11935 var T1 = sum32_5$1(h, s1_256$1(e), ch32$1(e, f, g), this.k[i], W[i]);
11936 var T2 = sum32$1(s0_256$1(a), maj32$1(a, b, c));
11937 h = g;
11938 g = f;
11939 f = e;
11940 e = sum32$1(d, T1);
11941 d = c;
11942 c = b;
11943 b = a;
11944 a = sum32$1(T1, T2);
11945 }
11946
11947 this.h[0] = sum32$1(this.h[0], a);
11948 this.h[1] = sum32$1(this.h[1], b);
11949 this.h[2] = sum32$1(this.h[2], c);
11950 this.h[3] = sum32$1(this.h[3], d);
11951 this.h[4] = sum32$1(this.h[4], e);
11952 this.h[5] = sum32$1(this.h[5], f);
11953 this.h[6] = sum32$1(this.h[6], g);
11954 this.h[7] = sum32$1(this.h[7], h);
11955 };
11956
11957 SHA256.prototype._digest = function digest(enc) {
11958 if (enc === 'hex')
11959 return utils.toHex32(this.h, 'big');
11960 else
11961 return utils.split32(this.h, 'big');
11962 };
11963
11964 function SHA224() {
11965 if (!(this instanceof SHA224))
11966 return new SHA224();
11967
11968 _256.call(this);
11969 this.h = [
11970 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
11971 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4 ];
11972 }
11973 utils.inherits(SHA224, _256);
11974 var _224 = SHA224;
11975
11976 SHA224.blockSize = 512;
11977 SHA224.outSize = 224;
11978 SHA224.hmacStrength = 192;
11979 SHA224.padLength = 64;
11980
11981 SHA224.prototype._digest = function digest(enc) {
11982 // Just truncate output
11983 if (enc === 'hex')
11984 return utils.toHex32(this.h.slice(0, 7), 'big');
11985 else
11986 return utils.split32(this.h.slice(0, 7), 'big');
11987 };
11988
11989 var rotr64_hi$1 = utils.rotr64_hi;
11990 var rotr64_lo$1 = utils.rotr64_lo;
11991 var shr64_hi$1 = utils.shr64_hi;
11992 var shr64_lo$1 = utils.shr64_lo;
11993 var sum64$1 = utils.sum64;
11994 var sum64_hi$1 = utils.sum64_hi;
11995 var sum64_lo$1 = utils.sum64_lo;
11996 var sum64_4_hi$1 = utils.sum64_4_hi;
11997 var sum64_4_lo$1 = utils.sum64_4_lo;
11998 var sum64_5_hi$1 = utils.sum64_5_hi;
11999 var sum64_5_lo$1 = utils.sum64_5_lo;
12000
12001 var BlockHash$2 = common.BlockHash;
12002
12003 var sha512_K = [
12004 0x428a2f98, 0xd728ae22, 0x71374491, 0x23ef65cd,
12005 0xb5c0fbcf, 0xec4d3b2f, 0xe9b5dba5, 0x8189dbbc,
12006 0x3956c25b, 0xf348b538, 0x59f111f1, 0xb605d019,
12007 0x923f82a4, 0xaf194f9b, 0xab1c5ed5, 0xda6d8118,
12008 0xd807aa98, 0xa3030242, 0x12835b01, 0x45706fbe,
12009 0x243185be, 0x4ee4b28c, 0x550c7dc3, 0xd5ffb4e2,
12010 0x72be5d74, 0xf27b896f, 0x80deb1fe, 0x3b1696b1,
12011 0x9bdc06a7, 0x25c71235, 0xc19bf174, 0xcf692694,
12012 0xe49b69c1, 0x9ef14ad2, 0xefbe4786, 0x384f25e3,
12013 0x0fc19dc6, 0x8b8cd5b5, 0x240ca1cc, 0x77ac9c65,
12014 0x2de92c6f, 0x592b0275, 0x4a7484aa, 0x6ea6e483,
12015 0x5cb0a9dc, 0xbd41fbd4, 0x76f988da, 0x831153b5,
12016 0x983e5152, 0xee66dfab, 0xa831c66d, 0x2db43210,
12017 0xb00327c8, 0x98fb213f, 0xbf597fc7, 0xbeef0ee4,
12018 0xc6e00bf3, 0x3da88fc2, 0xd5a79147, 0x930aa725,
12019 0x06ca6351, 0xe003826f, 0x14292967, 0x0a0e6e70,
12020 0x27b70a85, 0x46d22ffc, 0x2e1b2138, 0x5c26c926,
12021 0x4d2c6dfc, 0x5ac42aed, 0x53380d13, 0x9d95b3df,
12022 0x650a7354, 0x8baf63de, 0x766a0abb, 0x3c77b2a8,
12023 0x81c2c92e, 0x47edaee6, 0x92722c85, 0x1482353b,
12024 0xa2bfe8a1, 0x4cf10364, 0xa81a664b, 0xbc423001,
12025 0xc24b8b70, 0xd0f89791, 0xc76c51a3, 0x0654be30,
12026 0xd192e819, 0xd6ef5218, 0xd6990624, 0x5565a910,
12027 0xf40e3585, 0x5771202a, 0x106aa070, 0x32bbd1b8,
12028 0x19a4c116, 0xb8d2d0c8, 0x1e376c08, 0x5141ab53,
12029 0x2748774c, 0xdf8eeb99, 0x34b0bcb5, 0xe19b48a8,
12030 0x391c0cb3, 0xc5c95a63, 0x4ed8aa4a, 0xe3418acb,
12031 0x5b9cca4f, 0x7763e373, 0x682e6ff3, 0xd6b2b8a3,
12032 0x748f82ee, 0x5defb2fc, 0x78a5636f, 0x43172f60,
12033 0x84c87814, 0xa1f0ab72, 0x8cc70208, 0x1a6439ec,
12034 0x90befffa, 0x23631e28, 0xa4506ceb, 0xde82bde9,
12035 0xbef9a3f7, 0xb2c67915, 0xc67178f2, 0xe372532b,
12036 0xca273ece, 0xea26619c, 0xd186b8c7, 0x21c0c207,
12037 0xeada7dd6, 0xcde0eb1e, 0xf57d4f7f, 0xee6ed178,
12038 0x06f067aa, 0x72176fba, 0x0a637dc5, 0xa2c898a6,
12039 0x113f9804, 0xbef90dae, 0x1b710b35, 0x131c471b,
12040 0x28db77f5, 0x23047d84, 0x32caab7b, 0x40c72493,
12041 0x3c9ebe0a, 0x15c9bebc, 0x431d67c4, 0x9c100d4c,
12042 0x4cc5d4be, 0xcb3e42b6, 0x597f299c, 0xfc657e2a,
12043 0x5fcb6fab, 0x3ad6faec, 0x6c44198c, 0x4a475817
12044 ];
12045
12046 function SHA512() {
12047 if (!(this instanceof SHA512))
12048 return new SHA512();
12049
12050 BlockHash$2.call(this);
12051 this.h = [
12052 0x6a09e667, 0xf3bcc908,
12053 0xbb67ae85, 0x84caa73b,
12054 0x3c6ef372, 0xfe94f82b,
12055 0xa54ff53a, 0x5f1d36f1,
12056 0x510e527f, 0xade682d1,
12057 0x9b05688c, 0x2b3e6c1f,
12058 0x1f83d9ab, 0xfb41bd6b,
12059 0x5be0cd19, 0x137e2179 ];
12060 this.k = sha512_K;
12061 this.W = new Array(160);
12062 }
12063 utils.inherits(SHA512, BlockHash$2);
12064 var _512 = SHA512;
12065
12066 SHA512.blockSize = 1024;
12067 SHA512.outSize = 512;
12068 SHA512.hmacStrength = 192;
12069 SHA512.padLength = 128;
12070
12071 SHA512.prototype._prepareBlock = function _prepareBlock(msg, start) {
12072 var W = this.W;
12073
12074 // 32 x 32bit words
12075 for (var i = 0; i < 32; i++)
12076 W[i] = msg[start + i];
12077 for (; i < W.length; i += 2) {
12078 var c0_hi = g1_512_hi(W[i - 4], W[i - 3]); // i - 2
12079 var c0_lo = g1_512_lo(W[i - 4], W[i - 3]);
12080 var c1_hi = W[i - 14]; // i - 7
12081 var c1_lo = W[i - 13];
12082 var c2_hi = g0_512_hi(W[i - 30], W[i - 29]); // i - 15
12083 var c2_lo = g0_512_lo(W[i - 30], W[i - 29]);
12084 var c3_hi = W[i - 32]; // i - 16
12085 var c3_lo = W[i - 31];
12086
12087 W[i] = sum64_4_hi$1(
12088 c0_hi, c0_lo,
12089 c1_hi, c1_lo,
12090 c2_hi, c2_lo,
12091 c3_hi, c3_lo);
12092 W[i + 1] = sum64_4_lo$1(
12093 c0_hi, c0_lo,
12094 c1_hi, c1_lo,
12095 c2_hi, c2_lo,
12096 c3_hi, c3_lo);
12097 }
12098 };
12099
12100 SHA512.prototype._update = function _update(msg, start) {
12101 this._prepareBlock(msg, start);
12102
12103 var W = this.W;
12104
12105 var ah = this.h[0];
12106 var al = this.h[1];
12107 var bh = this.h[2];
12108 var bl = this.h[3];
12109 var ch = this.h[4];
12110 var cl = this.h[5];
12111 var dh = this.h[6];
12112 var dl = this.h[7];
12113 var eh = this.h[8];
12114 var el = this.h[9];
12115 var fh = this.h[10];
12116 var fl = this.h[11];
12117 var gh = this.h[12];
12118 var gl = this.h[13];
12119 var hh = this.h[14];
12120 var hl = this.h[15];
12121
12122 minimalisticAssert(this.k.length === W.length);
12123 for (var i = 0; i < W.length; i += 2) {
12124 var c0_hi = hh;
12125 var c0_lo = hl;
12126 var c1_hi = s1_512_hi(eh, el);
12127 var c1_lo = s1_512_lo(eh, el);
12128 var c2_hi = ch64_hi(eh, el, fh, fl, gh);
12129 var c2_lo = ch64_lo(eh, el, fh, fl, gh, gl);
12130 var c3_hi = this.k[i];
12131 var c3_lo = this.k[i + 1];
12132 var c4_hi = W[i];
12133 var c4_lo = W[i + 1];
12134
12135 var T1_hi = sum64_5_hi$1(
12136 c0_hi, c0_lo,
12137 c1_hi, c1_lo,
12138 c2_hi, c2_lo,
12139 c3_hi, c3_lo,
12140 c4_hi, c4_lo);
12141 var T1_lo = sum64_5_lo$1(
12142 c0_hi, c0_lo,
12143 c1_hi, c1_lo,
12144 c2_hi, c2_lo,
12145 c3_hi, c3_lo,
12146 c4_hi, c4_lo);
12147
12148 c0_hi = s0_512_hi(ah, al);
12149 c0_lo = s0_512_lo(ah, al);
12150 c1_hi = maj64_hi(ah, al, bh, bl, ch);
12151 c1_lo = maj64_lo(ah, al, bh, bl, ch, cl);
12152
12153 var T2_hi = sum64_hi$1(c0_hi, c0_lo, c1_hi, c1_lo);
12154 var T2_lo = sum64_lo$1(c0_hi, c0_lo, c1_hi, c1_lo);
12155
12156 hh = gh;
12157 hl = gl;
12158
12159 gh = fh;
12160 gl = fl;
12161
12162 fh = eh;
12163 fl = el;
12164
12165 eh = sum64_hi$1(dh, dl, T1_hi, T1_lo);
12166 el = sum64_lo$1(dl, dl, T1_hi, T1_lo);
12167
12168 dh = ch;
12169 dl = cl;
12170
12171 ch = bh;
12172 cl = bl;
12173
12174 bh = ah;
12175 bl = al;
12176
12177 ah = sum64_hi$1(T1_hi, T1_lo, T2_hi, T2_lo);
12178 al = sum64_lo$1(T1_hi, T1_lo, T2_hi, T2_lo);
12179 }
12180
12181 sum64$1(this.h, 0, ah, al);
12182 sum64$1(this.h, 2, bh, bl);
12183 sum64$1(this.h, 4, ch, cl);
12184 sum64$1(this.h, 6, dh, dl);
12185 sum64$1(this.h, 8, eh, el);
12186 sum64$1(this.h, 10, fh, fl);
12187 sum64$1(this.h, 12, gh, gl);
12188 sum64$1(this.h, 14, hh, hl);
12189 };
12190
12191 SHA512.prototype._digest = function digest(enc) {
12192 if (enc === 'hex')
12193 return utils.toHex32(this.h, 'big');
12194 else
12195 return utils.split32(this.h, 'big');
12196 };
12197
12198 function ch64_hi(xh, xl, yh, yl, zh) {
12199 var r = (xh & yh) ^ ((~xh) & zh);
12200 if (r < 0)
12201 r += 0x100000000;
12202 return r;
12203 }
12204
12205 function ch64_lo(xh, xl, yh, yl, zh, zl) {
12206 var r = (xl & yl) ^ ((~xl) & zl);
12207 if (r < 0)
12208 r += 0x100000000;
12209 return r;
12210 }
12211
12212 function maj64_hi(xh, xl, yh, yl, zh) {
12213 var r = (xh & yh) ^ (xh & zh) ^ (yh & zh);
12214 if (r < 0)
12215 r += 0x100000000;
12216 return r;
12217 }
12218
12219 function maj64_lo(xh, xl, yh, yl, zh, zl) {
12220 var r = (xl & yl) ^ (xl & zl) ^ (yl & zl);
12221 if (r < 0)
12222 r += 0x100000000;
12223 return r;
12224 }
12225
12226 function s0_512_hi(xh, xl) {
12227 var c0_hi = rotr64_hi$1(xh, xl, 28);
12228 var c1_hi = rotr64_hi$1(xl, xh, 2); // 34
12229 var c2_hi = rotr64_hi$1(xl, xh, 7); // 39
12230
12231 var r = c0_hi ^ c1_hi ^ c2_hi;
12232 if (r < 0)
12233 r += 0x100000000;
12234 return r;
12235 }
12236
12237 function s0_512_lo(xh, xl) {
12238 var c0_lo = rotr64_lo$1(xh, xl, 28);
12239 var c1_lo = rotr64_lo$1(xl, xh, 2); // 34
12240 var c2_lo = rotr64_lo$1(xl, xh, 7); // 39
12241
12242 var r = c0_lo ^ c1_lo ^ c2_lo;
12243 if (r < 0)
12244 r += 0x100000000;
12245 return r;
12246 }
12247
12248 function s1_512_hi(xh, xl) {
12249 var c0_hi = rotr64_hi$1(xh, xl, 14);
12250 var c1_hi = rotr64_hi$1(xh, xl, 18);
12251 var c2_hi = rotr64_hi$1(xl, xh, 9); // 41
12252
12253 var r = c0_hi ^ c1_hi ^ c2_hi;
12254 if (r < 0)
12255 r += 0x100000000;
12256 return r;
12257 }
12258
12259 function s1_512_lo(xh, xl) {
12260 var c0_lo = rotr64_lo$1(xh, xl, 14);
12261 var c1_lo = rotr64_lo$1(xh, xl, 18);
12262 var c2_lo = rotr64_lo$1(xl, xh, 9); // 41
12263
12264 var r = c0_lo ^ c1_lo ^ c2_lo;
12265 if (r < 0)
12266 r += 0x100000000;
12267 return r;
12268 }
12269
12270 function g0_512_hi(xh, xl) {
12271 var c0_hi = rotr64_hi$1(xh, xl, 1);
12272 var c1_hi = rotr64_hi$1(xh, xl, 8);
12273 var c2_hi = shr64_hi$1(xh, xl, 7);
12274
12275 var r = c0_hi ^ c1_hi ^ c2_hi;
12276 if (r < 0)
12277 r += 0x100000000;
12278 return r;
12279 }
12280
12281 function g0_512_lo(xh, xl) {
12282 var c0_lo = rotr64_lo$1(xh, xl, 1);
12283 var c1_lo = rotr64_lo$1(xh, xl, 8);
12284 var c2_lo = shr64_lo$1(xh, xl, 7);
12285
12286 var r = c0_lo ^ c1_lo ^ c2_lo;
12287 if (r < 0)
12288 r += 0x100000000;
12289 return r;
12290 }
12291
12292 function g1_512_hi(xh, xl) {
12293 var c0_hi = rotr64_hi$1(xh, xl, 19);
12294 var c1_hi = rotr64_hi$1(xl, xh, 29); // 61
12295 var c2_hi = shr64_hi$1(xh, xl, 6);
12296
12297 var r = c0_hi ^ c1_hi ^ c2_hi;
12298 if (r < 0)
12299 r += 0x100000000;
12300 return r;
12301 }
12302
12303 function g1_512_lo(xh, xl) {
12304 var c0_lo = rotr64_lo$1(xh, xl, 19);
12305 var c1_lo = rotr64_lo$1(xl, xh, 29); // 61
12306 var c2_lo = shr64_lo$1(xh, xl, 6);
12307
12308 var r = c0_lo ^ c1_lo ^ c2_lo;
12309 if (r < 0)
12310 r += 0x100000000;
12311 return r;
12312 }
12313
12314 function SHA384() {
12315 if (!(this instanceof SHA384))
12316 return new SHA384();
12317
12318 _512.call(this);
12319 this.h = [
12320 0xcbbb9d5d, 0xc1059ed8,
12321 0x629a292a, 0x367cd507,
12322 0x9159015a, 0x3070dd17,
12323 0x152fecd8, 0xf70e5939,
12324 0x67332667, 0xffc00b31,
12325 0x8eb44a87, 0x68581511,
12326 0xdb0c2e0d, 0x64f98fa7,
12327 0x47b5481d, 0xbefa4fa4 ];
12328 }
12329 utils.inherits(SHA384, _512);
12330 var _384 = SHA384;
12331
12332 SHA384.blockSize = 1024;
12333 SHA384.outSize = 384;
12334 SHA384.hmacStrength = 192;
12335 SHA384.padLength = 128;
12336
12337 SHA384.prototype._digest = function digest(enc) {
12338 if (enc === 'hex')
12339 return utils.toHex32(this.h.slice(0, 12), 'big');
12340 else
12341 return utils.split32(this.h.slice(0, 12), 'big');
12342 };
12343
12344 var rotl32$1 = utils.rotl32;
12345 var sum32$2 = utils.sum32;
12346 var sum32_3$1 = utils.sum32_3;
12347 var sum32_4$2 = utils.sum32_4;
12348 var BlockHash$3 = common.BlockHash;
12349
12350 function RIPEMD160() {
12351 if (!(this instanceof RIPEMD160))
12352 return new RIPEMD160();
12353
12354 BlockHash$3.call(this);
12355
12356 this.h = [ 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0 ];
12357 this.endian = 'little';
12358 }
12359 utils.inherits(RIPEMD160, BlockHash$3);
12360 var ripemd160 = RIPEMD160;
12361
12362 RIPEMD160.blockSize = 512;
12363 RIPEMD160.outSize = 160;
12364 RIPEMD160.hmacStrength = 192;
12365 RIPEMD160.padLength = 64;
12366
12367 RIPEMD160.prototype._update = function update(msg, start) {
12368 var A = this.h[0];
12369 var B = this.h[1];
12370 var C = this.h[2];
12371 var D = this.h[3];
12372 var E = this.h[4];
12373 var Ah = A;
12374 var Bh = B;
12375 var Ch = C;
12376 var Dh = D;
12377 var Eh = E;
12378 for (var j = 0; j < 80; j++) {
12379 var T = sum32$2(
12380 rotl32$1(
12381 sum32_4$2(A, f(j, B, C, D), msg[r[j] + start], K(j)),
12382 s[j]),
12383 E);
12384 A = E;
12385 E = D;
12386 D = rotl32$1(C, 10);
12387 C = B;
12388 B = T;
12389 T = sum32$2(
12390 rotl32$1(
12391 sum32_4$2(Ah, f(79 - j, Bh, Ch, Dh), msg[rh[j] + start], Kh(j)),
12392 sh[j]),
12393 Eh);
12394 Ah = Eh;
12395 Eh = Dh;
12396 Dh = rotl32$1(Ch, 10);
12397 Ch = Bh;
12398 Bh = T;
12399 }
12400 T = sum32_3$1(this.h[1], C, Dh);
12401 this.h[1] = sum32_3$1(this.h[2], D, Eh);
12402 this.h[2] = sum32_3$1(this.h[3], E, Ah);
12403 this.h[3] = sum32_3$1(this.h[4], A, Bh);
12404 this.h[4] = sum32_3$1(this.h[0], B, Ch);
12405 this.h[0] = T;
12406 };
12407
12408 RIPEMD160.prototype._digest = function digest(enc) {
12409 if (enc === 'hex')
12410 return utils.toHex32(this.h, 'little');
12411 else
12412 return utils.split32(this.h, 'little');
12413 };
12414
12415 function f(j, x, y, z) {
12416 if (j <= 15)
12417 return x ^ y ^ z;
12418 else if (j <= 31)
12419 return (x & y) | ((~x) & z);
12420 else if (j <= 47)
12421 return (x | (~y)) ^ z;
12422 else if (j <= 63)
12423 return (x & z) | (y & (~z));
12424 else
12425 return x ^ (y | (~z));
12426 }
12427
12428 function K(j) {
12429 if (j <= 15)
12430 return 0x00000000;
12431 else if (j <= 31)
12432 return 0x5a827999;
12433 else if (j <= 47)
12434 return 0x6ed9eba1;
12435 else if (j <= 63)
12436 return 0x8f1bbcdc;
12437 else
12438 return 0xa953fd4e;
12439 }
12440
12441 function Kh(j) {
12442 if (j <= 15)
12443 return 0x50a28be6;
12444 else if (j <= 31)
12445 return 0x5c4dd124;
12446 else if (j <= 47)
12447 return 0x6d703ef3;
12448 else if (j <= 63)
12449 return 0x7a6d76e9;
12450 else
12451 return 0x00000000;
12452 }
12453
12454 var r = [
12455 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
12456 7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8,
12457 3, 10, 14, 4, 9, 15, 8, 1, 2, 7, 0, 6, 13, 11, 5, 12,
12458 1, 9, 11, 10, 0, 8, 12, 4, 13, 3, 7, 15, 14, 5, 6, 2,
12459 4, 0, 5, 9, 7, 12, 2, 10, 14, 1, 3, 8, 11, 6, 15, 13
12460 ];
12461
12462 var rh = [
12463 5, 14, 7, 0, 9, 2, 11, 4, 13, 6, 15, 8, 1, 10, 3, 12,
12464 6, 11, 3, 7, 0, 13, 5, 10, 14, 15, 8, 12, 4, 9, 1, 2,
12465 15, 5, 1, 3, 7, 14, 6, 9, 11, 8, 12, 2, 10, 0, 4, 13,
12466 8, 6, 4, 1, 3, 11, 15, 0, 5, 12, 2, 13, 9, 7, 10, 14,
12467 12, 15, 10, 4, 1, 5, 8, 7, 6, 2, 13, 14, 0, 3, 9, 11
12468 ];
12469
12470 var s = [
12471 11, 14, 15, 12, 5, 8, 7, 9, 11, 13, 14, 15, 6, 7, 9, 8,
12472 7, 6, 8, 13, 11, 9, 7, 15, 7, 12, 15, 9, 11, 7, 13, 12,
12473 11, 13, 6, 7, 14, 9, 13, 15, 14, 8, 13, 6, 5, 12, 7, 5,
12474 11, 12, 14, 15, 14, 15, 9, 8, 9, 14, 5, 6, 8, 6, 5, 12,
12475 9, 15, 5, 11, 6, 8, 13, 12, 5, 12, 13, 14, 11, 8, 5, 6
12476 ];
12477
12478 var sh = [
12479 8, 9, 9, 11, 13, 15, 15, 5, 7, 7, 8, 11, 14, 14, 12, 6,
12480 9, 13, 15, 7, 12, 8, 9, 11, 7, 7, 12, 7, 6, 15, 13, 11,
12481 9, 7, 15, 11, 8, 6, 6, 14, 12, 13, 5, 14, 13, 13, 7, 5,
12482 15, 5, 8, 11, 14, 14, 6, 14, 6, 9, 12, 9, 12, 5, 15, 8,
12483 8, 5, 12, 9, 12, 5, 14, 6, 8, 13, 6, 5, 15, 13, 11, 11
12484 ];
12485
12486 var ripemd = {
12487 ripemd160: ripemd160
12488 };
12489
12490 /**
12491 * A fast MD5 JavaScript implementation
12492 * Copyright (c) 2012 Joseph Myers
12493 * http://www.myersdaily.org/joseph/javascript/md5-text.html
12494 *
12495 * Permission to use, copy, modify, and distribute this software
12496 * and its documentation for any purposes and without
12497 * fee is hereby granted provided that this copyright notice
12498 * appears in all copies.
12499 *
12500 * Of course, this soft is provided "as is" without express or implied
12501 * warranty of any kind.
12502 */
12503
12504 // MD5 Digest
12505 async function md5(entree) {
12506 const digest = md51(util.uint8ArrayToStr(entree));
12507 return util.hexToUint8Array(hex(digest));
12508 }
12509
12510 function md5cycle(x, k) {
12511 let a = x[0];
12512 let b = x[1];
12513 let c = x[2];
12514 let d = x[3];
12515
12516 a = ff(a, b, c, d, k[0], 7, -680876936);
12517 d = ff(d, a, b, c, k[1], 12, -389564586);
12518 c = ff(c, d, a, b, k[2], 17, 606105819);
12519 b = ff(b, c, d, a, k[3], 22, -1044525330);
12520 a = ff(a, b, c, d, k[4], 7, -176418897);
12521 d = ff(d, a, b, c, k[5], 12, 1200080426);
12522 c = ff(c, d, a, b, k[6], 17, -1473231341);
12523 b = ff(b, c, d, a, k[7], 22, -45705983);
12524 a = ff(a, b, c, d, k[8], 7, 1770035416);
12525 d = ff(d, a, b, c, k[9], 12, -1958414417);
12526 c = ff(c, d, a, b, k[10], 17, -42063);
12527 b = ff(b, c, d, a, k[11], 22, -1990404162);
12528 a = ff(a, b, c, d, k[12], 7, 1804603682);
12529 d = ff(d, a, b, c, k[13], 12, -40341101);
12530 c = ff(c, d, a, b, k[14], 17, -1502002290);
12531 b = ff(b, c, d, a, k[15], 22, 1236535329);
12532
12533 a = gg(a, b, c, d, k[1], 5, -165796510);
12534 d = gg(d, a, b, c, k[6], 9, -1069501632);
12535 c = gg(c, d, a, b, k[11], 14, 643717713);
12536 b = gg(b, c, d, a, k[0], 20, -373897302);
12537 a = gg(a, b, c, d, k[5], 5, -701558691);
12538 d = gg(d, a, b, c, k[10], 9, 38016083);
12539 c = gg(c, d, a, b, k[15], 14, -660478335);
12540 b = gg(b, c, d, a, k[4], 20, -405537848);
12541 a = gg(a, b, c, d, k[9], 5, 568446438);
12542 d = gg(d, a, b, c, k[14], 9, -1019803690);
12543 c = gg(c, d, a, b, k[3], 14, -187363961);
12544 b = gg(b, c, d, a, k[8], 20, 1163531501);
12545 a = gg(a, b, c, d, k[13], 5, -1444681467);
12546 d = gg(d, a, b, c, k[2], 9, -51403784);
12547 c = gg(c, d, a, b, k[7], 14, 1735328473);
12548 b = gg(b, c, d, a, k[12], 20, -1926607734);
12549
12550 a = hh(a, b, c, d, k[5], 4, -378558);
12551 d = hh(d, a, b, c, k[8], 11, -2022574463);
12552 c = hh(c, d, a, b, k[11], 16, 1839030562);
12553 b = hh(b, c, d, a, k[14], 23, -35309556);
12554 a = hh(a, b, c, d, k[1], 4, -1530992060);
12555 d = hh(d, a, b, c, k[4], 11, 1272893353);
12556 c = hh(c, d, a, b, k[7], 16, -155497632);
12557 b = hh(b, c, d, a, k[10], 23, -1094730640);
12558 a = hh(a, b, c, d, k[13], 4, 681279174);
12559 d = hh(d, a, b, c, k[0], 11, -358537222);
12560 c = hh(c, d, a, b, k[3], 16, -722521979);
12561 b = hh(b, c, d, a, k[6], 23, 76029189);
12562 a = hh(a, b, c, d, k[9], 4, -640364487);
12563 d = hh(d, a, b, c, k[12], 11, -421815835);
12564 c = hh(c, d, a, b, k[15], 16, 530742520);
12565 b = hh(b, c, d, a, k[2], 23, -995338651);
12566
12567 a = ii(a, b, c, d, k[0], 6, -198630844);
12568 d = ii(d, a, b, c, k[7], 10, 1126891415);
12569 c = ii(c, d, a, b, k[14], 15, -1416354905);
12570 b = ii(b, c, d, a, k[5], 21, -57434055);
12571 a = ii(a, b, c, d, k[12], 6, 1700485571);
12572 d = ii(d, a, b, c, k[3], 10, -1894986606);
12573 c = ii(c, d, a, b, k[10], 15, -1051523);
12574 b = ii(b, c, d, a, k[1], 21, -2054922799);
12575 a = ii(a, b, c, d, k[8], 6, 1873313359);
12576 d = ii(d, a, b, c, k[15], 10, -30611744);
12577 c = ii(c, d, a, b, k[6], 15, -1560198380);
12578 b = ii(b, c, d, a, k[13], 21, 1309151649);
12579 a = ii(a, b, c, d, k[4], 6, -145523070);
12580 d = ii(d, a, b, c, k[11], 10, -1120210379);
12581 c = ii(c, d, a, b, k[2], 15, 718787259);
12582 b = ii(b, c, d, a, k[9], 21, -343485551);
12583
12584 x[0] = add32(a, x[0]);
12585 x[1] = add32(b, x[1]);
12586 x[2] = add32(c, x[2]);
12587 x[3] = add32(d, x[3]);
12588 }
12589
12590 function cmn(q, a, b, x, s, t) {
12591 a = add32(add32(a, q), add32(x, t));
12592 return add32((a << s) | (a >>> (32 - s)), b);
12593 }
12594
12595 function ff(a, b, c, d, x, s, t) {
12596 return cmn((b & c) | ((~b) & d), a, b, x, s, t);
12597 }
12598
12599 function gg(a, b, c, d, x, s, t) {
12600 return cmn((b & d) | (c & (~d)), a, b, x, s, t);
12601 }
12602
12603 function hh(a, b, c, d, x, s, t) {
12604 return cmn(b ^ c ^ d, a, b, x, s, t);
12605 }
12606
12607 function ii(a, b, c, d, x, s, t) {
12608 return cmn(c ^ (b | (~d)), a, b, x, s, t);
12609 }
12610
12611 function md51(s) {
12612 const n = s.length;
12613 const state = [1732584193, -271733879, -1732584194, 271733878];
12614 let i;
12615 for (i = 64; i <= s.length; i += 64) {
12616 md5cycle(state, md5blk(s.substring(i - 64, i)));
12617 }
12618 s = s.substring(i - 64);
12619 const tail = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
12620 for (i = 0; i < s.length; i++) {
12621 tail[i >> 2] |= s.charCodeAt(i) << ((i % 4) << 3);
12622 }
12623 tail[i >> 2] |= 0x80 << ((i % 4) << 3);
12624 if (i > 55) {
12625 md5cycle(state, tail);
12626 for (i = 0; i < 16; i++) {
12627 tail[i] = 0;
12628 }
12629 }
12630 tail[14] = n * 8;
12631 md5cycle(state, tail);
12632 return state;
12633 }
12634
12635 /* there needs to be support for Unicode here,
12636 * unless we pretend that we can redefine the MD-5
12637 * algorithm for multi-byte characters (perhaps
12638 * by adding every four 16-bit characters and
12639 * shortening the sum to 32 bits). Otherwise
12640 * I suggest performing MD-5 as if every character
12641 * was two bytes--e.g., 0040 0025 = @%--but then
12642 * how will an ordinary MD-5 sum be matched?
12643 * There is no way to standardize text to something
12644 * like UTF-8 before transformation; speed cost is
12645 * utterly prohibitive. The JavaScript standard
12646 * itself needs to look at this: it should start
12647 * providing access to strings as preformed UTF-8
12648 * 8-bit unsigned value arrays.
12649 */
12650 function md5blk(s) { /* I figured global was faster. */
12651 const md5blks = [];
12652 let i; /* Andy King said do it this way. */
12653 for (i = 0; i < 64; i += 4) {
12654 md5blks[i >> 2] = s.charCodeAt(i) + (s.charCodeAt(i + 1) << 8) + (s.charCodeAt(i + 2) << 16) + (s.charCodeAt(i + 3) <<
12655 24);
12656 }
12657 return md5blks;
12658 }
12659
12660 const hex_chr = '0123456789abcdef'.split('');
12661
12662 function rhex(n) {
12663 let s = '';
12664 let j = 0;
12665 for (; j < 4; j++) {
12666 s += hex_chr[(n >> (j * 8 + 4)) & 0x0F] + hex_chr[(n >> (j * 8)) & 0x0F];
12667 }
12668 return s;
12669 }
12670
12671 function hex(x) {
12672 for (let i = 0; i < x.length; i++) {
12673 x[i] = rhex(x[i]);
12674 }
12675 return x.join('');
12676 }
12677
12678 /* this function is much faster,
12679 so if possible we use it. Some IEs
12680 are the only ones I know of that
12681 need the idiotic second function,
12682 generated by an if clause. */
12683
12684 function add32(a, b) {
12685 return (a + b) & 0xFFFFFFFF;
12686 }
12687
12688 /**
12689 * @fileoverview Provides an interface to hashing functions available in Node.js or external libraries.
12690 * @see {@link https://github.com/asmcrypto/asmcrypto.js|asmCrypto}
12691 * @see {@link https://github.com/indutny/hash.js|hash.js}
12692 * @module crypto/hash
12693 * @private
12694 */
12695
12696 const webCrypto = util.getWebCrypto();
12697 const nodeCrypto = util.getNodeCrypto();
12698 const Buffer$1 = util.getNodeBuffer();
12699
12700 function node_hash(type) {
12701 return async function (data) {
12702 const shasum = nodeCrypto.createHash(type);
12703 return stream.transform(data, value => {
12704 shasum.update(Buffer$1.from(value));
12705 }, () => new Uint8Array(shasum.digest()));
12706 };
12707 }
12708
12709 function hashjs_hash(hash, webCryptoHash) {
12710 return async function(data, config = defaultConfig) {
12711 if (!util.isStream(data) && webCrypto && webCryptoHash && data.length >= config.minBytesForWebCrypto) {
12712 return new Uint8Array(await webCrypto.digest(webCryptoHash, data));
12713 }
12714 const hashInstance = hash();
12715 return stream.transform(data, value => {
12716 hashInstance.update(value);
12717 }, () => new Uint8Array(hashInstance.digest()));
12718 };
12719 }
12720
12721 function asmcrypto_hash(hash, webCryptoHash) {
12722 return async function(data, config = defaultConfig) {
12723 if (util.isStream(data)) {
12724 const hashInstance = new hash();
12725 return stream.transform(data, value => {
12726 hashInstance.process(value);
12727 }, () => hashInstance.finish().result);
12728 } else if (webCrypto && webCryptoHash && data.length >= config.minBytesForWebCrypto) {
12729 return new Uint8Array(await webCrypto.digest(webCryptoHash, data));
12730 } else {
12731 return hash.bytes(data);
12732 }
12733 };
12734 }
12735
12736 let hash_fns;
12737 if (nodeCrypto) { // Use Node native crypto for all hash functions
12738 hash_fns = {
12739 md5: node_hash('md5'),
12740 sha1: node_hash('sha1'),
12741 sha224: node_hash('sha224'),
12742 sha256: node_hash('sha256'),
12743 sha384: node_hash('sha384'),
12744 sha512: node_hash('sha512'),
12745 ripemd: node_hash('ripemd160')
12746 };
12747 } else { // Use JS fallbacks
12748 hash_fns = {
12749 md5: md5,
12750 sha1: asmcrypto_hash(Sha1, navigator.userAgent.indexOf('Edge') === -1 && 'SHA-1'),
12751 sha224: hashjs_hash(_224),
12752 sha256: asmcrypto_hash(Sha256, 'SHA-256'),
12753 sha384: hashjs_hash(_384, 'SHA-384'),
12754 sha512: hashjs_hash(_512, 'SHA-512'), // asmcrypto sha512 is huge.
12755 ripemd: hashjs_hash(ripemd160)
12756 };
12757 }
12758
12759 var hash = {
12760
12761 /** @see module:md5 */
12762 md5: hash_fns.md5,
12763 /** @see asmCrypto */
12764 sha1: hash_fns.sha1,
12765 /** @see hash.js */
12766 sha224: hash_fns.sha224,
12767 /** @see asmCrypto */
12768 sha256: hash_fns.sha256,
12769 /** @see hash.js */
12770 sha384: hash_fns.sha384,
12771 /** @see asmCrypto */
12772 sha512: hash_fns.sha512,
12773 /** @see hash.js */
12774 ripemd: hash_fns.ripemd,
12775
12776 /**
12777 * Create a hash on the specified data using the specified algorithm
12778 * @param {module:enums.hash} algo - Hash algorithm type (see {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC 4880 9.4})
12779 * @param {Uint8Array} data - Data to be hashed
12780 * @returns {Uint8Array} Hash value.
12781 * @async
12782 */
12783 digest: function(algo, data) {
12784 switch (algo) {
12785 case 1:
12786 // - MD5 [HAC]
12787 return this.md5(data);
12788 case 2:
12789 // - SHA-1 [FIPS180]
12790 return this.sha1(data);
12791 case 3:
12792 // - RIPE-MD/160 [HAC]
12793 return this.ripemd(data);
12794 case 8:
12795 // - SHA256 [FIPS180]
12796 return this.sha256(data);
12797 case 9:
12798 // - SHA384 [FIPS180]
12799 return this.sha384(data);
12800 case 10:
12801 // - SHA512 [FIPS180]
12802 return this.sha512(data);
12803 case 11:
12804 // - SHA224 [FIPS180]
12805 return this.sha224(data);
12806 default:
12807 throw new Error('Invalid hash function.');
12808 }
12809 },
12810
12811 /**
12812 * Returns the hash size in bytes of the specified hash algorithm type
12813 * @param {module:enums.hash} algo - Hash algorithm type (See {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC 4880 9.4})
12814 * @returns {Integer} Size in bytes of the resulting hash.
12815 */
12816 getHashByteLength: function(algo) {
12817 switch (algo) {
12818 case 1: // - MD5 [HAC]
12819 return 16;
12820 case 2: // - SHA-1 [FIPS180]
12821 case 3: // - RIPE-MD/160 [HAC]
12822 return 20;
12823 case 8: // - SHA256 [FIPS180]
12824 return 32;
12825 case 9: // - SHA384 [FIPS180]
12826 return 48;
12827 case 10: // - SHA512 [FIPS180]
12828 return 64;
12829 case 11: // - SHA224 [FIPS180]
12830 return 28;
12831 default:
12832 throw new Error('Invalid hash algorithm.');
12833 }
12834 }
12835 };
12836
12837 class AES_CFB {
12838 static encrypt(data, key, iv) {
12839 return new AES_CFB(key, iv).encrypt(data);
12840 }
12841 static decrypt(data, key, iv) {
12842 return new AES_CFB(key, iv).decrypt(data);
12843 }
12844 constructor(key, iv, aes) {
12845 this.aes = aes ? aes : new AES(key, iv, true, 'CFB');
12846 delete this.aes.padding;
12847 }
12848 encrypt(data) {
12849 const r1 = this.aes.AES_Encrypt_process(data);
12850 const r2 = this.aes.AES_Encrypt_finish();
12851 return joinBytes(r1, r2);
12852 }
12853 decrypt(data) {
12854 const r1 = this.aes.AES_Decrypt_process(data);
12855 const r2 = this.aes.AES_Decrypt_finish();
12856 return joinBytes(r1, r2);
12857 }
12858 }
12859
12860 // Modified by ProtonTech AG
12861
12862 const webCrypto$1 = util.getWebCrypto();
12863 const nodeCrypto$1 = util.getNodeCrypto();
12864 const Buffer$2 = util.getNodeBuffer();
12865
12866 const knownAlgos = nodeCrypto$1 ? nodeCrypto$1.getCiphers() : [];
12867 const nodeAlgos = {
12868 idea: knownAlgos.includes('idea-cfb') ? 'idea-cfb' : undefined, /* Unused, not implemented */
12869 tripledes: knownAlgos.includes('des-ede3-cfb') ? 'des-ede3-cfb' : undefined,
12870 cast5: knownAlgos.includes('cast5-cfb') ? 'cast5-cfb' : undefined,
12871 blowfish: knownAlgos.includes('bf-cfb') ? 'bf-cfb' : undefined,
12872 aes128: knownAlgos.includes('aes-128-cfb') ? 'aes-128-cfb' : undefined,
12873 aes192: knownAlgos.includes('aes-192-cfb') ? 'aes-192-cfb' : undefined,
12874 aes256: knownAlgos.includes('aes-256-cfb') ? 'aes-256-cfb' : undefined
12875 /* twofish is not implemented in OpenSSL */
12876 };
12877
12878 async function encrypt(algo, key, plaintext, iv, config) {
12879 if (util.getNodeCrypto() && nodeAlgos[algo]) { // Node crypto library.
12880 return nodeEncrypt(algo, key, plaintext, iv);
12881 }
12882 if (algo.substr(0, 3) === 'aes') {
12883 return aesEncrypt(algo, key, plaintext, iv, config);
12884 }
12885
12886 const cipherfn = new cipher[algo](key);
12887 const block_size = cipherfn.blockSize;
12888
12889 const blockc = iv.slice();
12890 let pt = new Uint8Array();
12891 const process = chunk => {
12892 if (chunk) {
12893 pt = util.concatUint8Array([pt, chunk]);
12894 }
12895 const ciphertext = new Uint8Array(pt.length);
12896 let i;
12897 let j = 0;
12898 while (chunk ? pt.length >= block_size : pt.length) {
12899 const encblock = cipherfn.encrypt(blockc);
12900 for (i = 0; i < block_size; i++) {
12901 blockc[i] = pt[i] ^ encblock[i];
12902 ciphertext[j++] = blockc[i];
12903 }
12904 pt = pt.subarray(block_size);
12905 }
12906 return ciphertext.subarray(0, j);
12907 };
12908 return stream.transform(plaintext, process, process);
12909 }
12910
12911 async function decrypt(algo, key, ciphertext, iv) {
12912 if (util.getNodeCrypto() && nodeAlgos[algo]) { // Node crypto library.
12913 return nodeDecrypt(algo, key, ciphertext, iv);
12914 }
12915 if (algo.substr(0, 3) === 'aes') {
12916 return aesDecrypt(algo, key, ciphertext, iv);
12917 }
12918
12919 const cipherfn = new cipher[algo](key);
12920 const block_size = cipherfn.blockSize;
12921
12922 let blockp = iv;
12923 let ct = new Uint8Array();
12924 const process = chunk => {
12925 if (chunk) {
12926 ct = util.concatUint8Array([ct, chunk]);
12927 }
12928 const plaintext = new Uint8Array(ct.length);
12929 let i;
12930 let j = 0;
12931 while (chunk ? ct.length >= block_size : ct.length) {
12932 const decblock = cipherfn.encrypt(blockp);
12933 blockp = ct;
12934 for (i = 0; i < block_size; i++) {
12935 plaintext[j++] = blockp[i] ^ decblock[i];
12936 }
12937 ct = ct.subarray(block_size);
12938 }
12939 return plaintext.subarray(0, j);
12940 };
12941 return stream.transform(ciphertext, process, process);
12942 }
12943
12944 function aesEncrypt(algo, key, pt, iv, config) {
12945 if (
12946 util.getWebCrypto() &&
12947 key.length !== 24 && // Chrome doesn't support 192 bit keys, see https://www.chromium.org/blink/webcrypto#TOC-AES-support
12948 !util.isStream(pt) &&
12949 pt.length >= 3000 * config.minBytesForWebCrypto // Default to a 3MB minimum. Chrome is pretty slow for small messages, see: https://bugs.chromium.org/p/chromium/issues/detail?id=701188#c2
12950 ) { // Web Crypto
12951 return webEncrypt(algo, key, pt, iv);
12952 }
12953 // asm.js fallback
12954 const cfb = new AES_CFB(key, iv);
12955 return stream.transform(pt, value => cfb.aes.AES_Encrypt_process(value), () => cfb.aes.AES_Encrypt_finish());
12956 }
12957
12958 function aesDecrypt(algo, key, ct, iv) {
12959 if (util.isStream(ct)) {
12960 const cfb = new AES_CFB(key, iv);
12961 return stream.transform(ct, value => cfb.aes.AES_Decrypt_process(value), () => cfb.aes.AES_Decrypt_finish());
12962 }
12963 return AES_CFB.decrypt(ct, key, iv);
12964 }
12965
12966 function xorMut(a, b) {
12967 for (let i = 0; i < a.length; i++) {
12968 a[i] = a[i] ^ b[i];
12969 }
12970 }
12971
12972 async function webEncrypt(algo, key, pt, iv) {
12973 const ALGO = 'AES-CBC';
12974 const _key = await webCrypto$1.importKey('raw', key, { name: ALGO }, false, ['encrypt']);
12975 const { blockSize } = cipher[algo];
12976 const cbc_pt = util.concatUint8Array([new Uint8Array(blockSize), pt]);
12977 const ct = new Uint8Array(await webCrypto$1.encrypt({ name: ALGO, iv }, _key, cbc_pt)).subarray(0, pt.length);
12978 xorMut(ct, pt);
12979 return ct;
12980 }
12981
12982 function nodeEncrypt(algo, key, pt, iv) {
12983 key = Buffer$2.from(key);
12984 iv = Buffer$2.from(iv);
12985 const cipherObj = new nodeCrypto$1.createCipheriv(nodeAlgos[algo], key, iv);
12986 return stream.transform(pt, value => new Uint8Array(cipherObj.update(Buffer$2.from(value))));
12987 }
12988
12989 function nodeDecrypt(algo, key, ct, iv) {
12990 key = Buffer$2.from(key);
12991 iv = Buffer$2.from(iv);
12992 const decipherObj = new nodeCrypto$1.createDecipheriv(nodeAlgos[algo], key, iv);
12993 return stream.transform(ct, value => new Uint8Array(decipherObj.update(Buffer$2.from(value))));
12994 }
12995
12996 var cfb = /*#__PURE__*/Object.freeze({
12997 __proto__: null,
12998 encrypt: encrypt,
12999 decrypt: decrypt
13000 });
13001
13002 const _AES_GCM_data_maxLength = 68719476704; // 2^36 - 2^5
13003 class AES_GCM {
13004 constructor(key, nonce, adata, tagSize = 16, aes) {
13005 this.tagSize = tagSize;
13006 this.gamma0 = 0;
13007 this.counter = 1;
13008 this.aes = aes ? aes : new AES(key, undefined, false, 'CTR');
13009 let { asm, heap } = this.aes.acquire_asm();
13010 // Init GCM
13011 asm.gcm_init();
13012 // Tag size
13013 if (this.tagSize < 4 || this.tagSize > 16)
13014 throw new IllegalArgumentError('illegal tagSize value');
13015 // Nonce
13016 const noncelen = nonce.length || 0;
13017 const noncebuf = new Uint8Array(16);
13018 if (noncelen !== 12) {
13019 this._gcm_mac_process(nonce);
13020 heap[0] = 0;
13021 heap[1] = 0;
13022 heap[2] = 0;
13023 heap[3] = 0;
13024 heap[4] = 0;
13025 heap[5] = 0;
13026 heap[6] = 0;
13027 heap[7] = 0;
13028 heap[8] = 0;
13029 heap[9] = 0;
13030 heap[10] = 0;
13031 heap[11] = noncelen >>> 29;
13032 heap[12] = (noncelen >>> 21) & 255;
13033 heap[13] = (noncelen >>> 13) & 255;
13034 heap[14] = (noncelen >>> 5) & 255;
13035 heap[15] = (noncelen << 3) & 255;
13036 asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA, 16);
13037 asm.get_iv(AES_asm.HEAP_DATA);
13038 asm.set_iv(0, 0, 0, 0);
13039 noncebuf.set(heap.subarray(0, 16));
13040 }
13041 else {
13042 noncebuf.set(nonce);
13043 noncebuf[15] = 1;
13044 }
13045 const nonceview = new DataView(noncebuf.buffer);
13046 this.gamma0 = nonceview.getUint32(12);
13047 asm.set_nonce(nonceview.getUint32(0), nonceview.getUint32(4), nonceview.getUint32(8), 0);
13048 asm.set_mask(0, 0, 0, 0xffffffff);
13049 // Associated data
13050 if (adata !== undefined) {
13051 if (adata.length > _AES_GCM_data_maxLength)
13052 throw new IllegalArgumentError('illegal adata length');
13053 if (adata.length) {
13054 this.adata = adata;
13055 this._gcm_mac_process(adata);
13056 }
13057 else {
13058 this.adata = undefined;
13059 }
13060 }
13061 else {
13062 this.adata = undefined;
13063 }
13064 // Counter
13065 if (this.counter < 1 || this.counter > 0xffffffff)
13066 throw new RangeError('counter must be a positive 32-bit integer');
13067 asm.set_counter(0, 0, 0, (this.gamma0 + this.counter) | 0);
13068 }
13069 static encrypt(cleartext, key, nonce, adata, tagsize) {
13070 return new AES_GCM(key, nonce, adata, tagsize).encrypt(cleartext);
13071 }
13072 static decrypt(ciphertext, key, nonce, adata, tagsize) {
13073 return new AES_GCM(key, nonce, adata, tagsize).decrypt(ciphertext);
13074 }
13075 encrypt(data) {
13076 return this.AES_GCM_encrypt(data);
13077 }
13078 decrypt(data) {
13079 return this.AES_GCM_decrypt(data);
13080 }
13081 AES_GCM_Encrypt_process(data) {
13082 let dpos = 0;
13083 let dlen = data.length || 0;
13084 let { asm, heap } = this.aes.acquire_asm();
13085 let counter = this.counter;
13086 let pos = this.aes.pos;
13087 let len = this.aes.len;
13088 let rpos = 0;
13089 let rlen = (len + dlen) & -16;
13090 let wlen = 0;
13091 if (((counter - 1) << 4) + len + dlen > _AES_GCM_data_maxLength)
13092 throw new RangeError('counter overflow');
13093 const result = new Uint8Array(rlen);
13094 while (dlen > 0) {
13095 wlen = _heap_write(heap, pos + len, data, dpos, dlen);
13096 len += wlen;
13097 dpos += wlen;
13098 dlen -= wlen;
13099 wlen = asm.cipher(AES_asm.ENC.CTR, AES_asm.HEAP_DATA + pos, len);
13100 wlen = asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA + pos, wlen);
13101 if (wlen)
13102 result.set(heap.subarray(pos, pos + wlen), rpos);
13103 counter += wlen >>> 4;
13104 rpos += wlen;
13105 if (wlen < len) {
13106 pos += wlen;
13107 len -= wlen;
13108 }
13109 else {
13110 pos = 0;
13111 len = 0;
13112 }
13113 }
13114 this.counter = counter;
13115 this.aes.pos = pos;
13116 this.aes.len = len;
13117 return result;
13118 }
13119 AES_GCM_Encrypt_finish() {
13120 let { asm, heap } = this.aes.acquire_asm();
13121 let counter = this.counter;
13122 let tagSize = this.tagSize;
13123 let adata = this.adata;
13124 let pos = this.aes.pos;
13125 let len = this.aes.len;
13126 const result = new Uint8Array(len + tagSize);
13127 asm.cipher(AES_asm.ENC.CTR, AES_asm.HEAP_DATA + pos, (len + 15) & -16);
13128 if (len)
13129 result.set(heap.subarray(pos, pos + len));
13130 let i = len;
13131 for (; i & 15; i++)
13132 heap[pos + i] = 0;
13133 asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA + pos, i);
13134 const alen = adata !== undefined ? adata.length : 0;
13135 const clen = ((counter - 1) << 4) + len;
13136 heap[0] = 0;
13137 heap[1] = 0;
13138 heap[2] = 0;
13139 heap[3] = alen >>> 29;
13140 heap[4] = alen >>> 21;
13141 heap[5] = (alen >>> 13) & 255;
13142 heap[6] = (alen >>> 5) & 255;
13143 heap[7] = (alen << 3) & 255;
13144 heap[8] = heap[9] = heap[10] = 0;
13145 heap[11] = clen >>> 29;
13146 heap[12] = (clen >>> 21) & 255;
13147 heap[13] = (clen >>> 13) & 255;
13148 heap[14] = (clen >>> 5) & 255;
13149 heap[15] = (clen << 3) & 255;
13150 asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA, 16);
13151 asm.get_iv(AES_asm.HEAP_DATA);
13152 asm.set_counter(0, 0, 0, this.gamma0);
13153 asm.cipher(AES_asm.ENC.CTR, AES_asm.HEAP_DATA, 16);
13154 result.set(heap.subarray(0, tagSize), len);
13155 this.counter = 1;
13156 this.aes.pos = 0;
13157 this.aes.len = 0;
13158 return result;
13159 }
13160 AES_GCM_Decrypt_process(data) {
13161 let dpos = 0;
13162 let dlen = data.length || 0;
13163 let { asm, heap } = this.aes.acquire_asm();
13164 let counter = this.counter;
13165 let tagSize = this.tagSize;
13166 let pos = this.aes.pos;
13167 let len = this.aes.len;
13168 let rpos = 0;
13169 let rlen = len + dlen > tagSize ? (len + dlen - tagSize) & -16 : 0;
13170 let tlen = len + dlen - rlen;
13171 let wlen = 0;
13172 if (((counter - 1) << 4) + len + dlen > _AES_GCM_data_maxLength)
13173 throw new RangeError('counter overflow');
13174 const result = new Uint8Array(rlen);
13175 while (dlen > tlen) {
13176 wlen = _heap_write(heap, pos + len, data, dpos, dlen - tlen);
13177 len += wlen;
13178 dpos += wlen;
13179 dlen -= wlen;
13180 wlen = asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA + pos, wlen);
13181 wlen = asm.cipher(AES_asm.DEC.CTR, AES_asm.HEAP_DATA + pos, wlen);
13182 if (wlen)
13183 result.set(heap.subarray(pos, pos + wlen), rpos);
13184 counter += wlen >>> 4;
13185 rpos += wlen;
13186 pos = 0;
13187 len = 0;
13188 }
13189 if (dlen > 0) {
13190 len += _heap_write(heap, 0, data, dpos, dlen);
13191 }
13192 this.counter = counter;
13193 this.aes.pos = pos;
13194 this.aes.len = len;
13195 return result;
13196 }
13197 AES_GCM_Decrypt_finish() {
13198 let { asm, heap } = this.aes.acquire_asm();
13199 let tagSize = this.tagSize;
13200 let adata = this.adata;
13201 let counter = this.counter;
13202 let pos = this.aes.pos;
13203 let len = this.aes.len;
13204 let rlen = len - tagSize;
13205 if (len < tagSize)
13206 throw new IllegalStateError('authentication tag not found');
13207 const result = new Uint8Array(rlen);
13208 const atag = new Uint8Array(heap.subarray(pos + rlen, pos + len));
13209 let i = rlen;
13210 for (; i & 15; i++)
13211 heap[pos + i] = 0;
13212 asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA + pos, i);
13213 asm.cipher(AES_asm.DEC.CTR, AES_asm.HEAP_DATA + pos, i);
13214 if (rlen)
13215 result.set(heap.subarray(pos, pos + rlen));
13216 const alen = adata !== undefined ? adata.length : 0;
13217 const clen = ((counter - 1) << 4) + len - tagSize;
13218 heap[0] = 0;
13219 heap[1] = 0;
13220 heap[2] = 0;
13221 heap[3] = alen >>> 29;
13222 heap[4] = alen >>> 21;
13223 heap[5] = (alen >>> 13) & 255;
13224 heap[6] = (alen >>> 5) & 255;
13225 heap[7] = (alen << 3) & 255;
13226 heap[8] = heap[9] = heap[10] = 0;
13227 heap[11] = clen >>> 29;
13228 heap[12] = (clen >>> 21) & 255;
13229 heap[13] = (clen >>> 13) & 255;
13230 heap[14] = (clen >>> 5) & 255;
13231 heap[15] = (clen << 3) & 255;
13232 asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA, 16);
13233 asm.get_iv(AES_asm.HEAP_DATA);
13234 asm.set_counter(0, 0, 0, this.gamma0);
13235 asm.cipher(AES_asm.ENC.CTR, AES_asm.HEAP_DATA, 16);
13236 let acheck = 0;
13237 for (let i = 0; i < tagSize; ++i)
13238 acheck |= atag[i] ^ heap[i];
13239 if (acheck)
13240 throw new SecurityError('data integrity check failed');
13241 this.counter = 1;
13242 this.aes.pos = 0;
13243 this.aes.len = 0;
13244 return result;
13245 }
13246 AES_GCM_decrypt(data) {
13247 const result1 = this.AES_GCM_Decrypt_process(data);
13248 const result2 = this.AES_GCM_Decrypt_finish();
13249 const result = new Uint8Array(result1.length + result2.length);
13250 if (result1.length)
13251 result.set(result1);
13252 if (result2.length)
13253 result.set(result2, result1.length);
13254 return result;
13255 }
13256 AES_GCM_encrypt(data) {
13257 const result1 = this.AES_GCM_Encrypt_process(data);
13258 const result2 = this.AES_GCM_Encrypt_finish();
13259 const result = new Uint8Array(result1.length + result2.length);
13260 if (result1.length)
13261 result.set(result1);
13262 if (result2.length)
13263 result.set(result2, result1.length);
13264 return result;
13265 }
13266 _gcm_mac_process(data) {
13267 let { asm, heap } = this.aes.acquire_asm();
13268 let dpos = 0;
13269 let dlen = data.length || 0;
13270 let wlen = 0;
13271 while (dlen > 0) {
13272 wlen = _heap_write(heap, 0, data, dpos, dlen);
13273 dpos += wlen;
13274 dlen -= wlen;
13275 while (wlen & 15)
13276 heap[wlen++] = 0;
13277 asm.mac(AES_asm.MAC.GCM, AES_asm.HEAP_DATA, wlen);
13278 }
13279 }
13280 }
13281
13282 // OpenPGP.js - An OpenPGP implementation in javascript
13283
13284 const webCrypto$2 = util.getWebCrypto(); // no GCM support in IE11, Safari 9
13285 const nodeCrypto$2 = util.getNodeCrypto();
13286 const Buffer$3 = util.getNodeBuffer();
13287
13288 const blockLength = 16;
13289 const ivLength = 12; // size of the IV in bytes
13290 const tagLength = 16; // size of the tag in bytes
13291 const ALGO = 'AES-GCM';
13292
13293 /**
13294 * Class to en/decrypt using GCM mode.
13295 * @param {String} cipher - The symmetric cipher algorithm to use e.g. 'aes128'
13296 * @param {Uint8Array} key - The encryption key
13297 */
13298 async function GCM(cipher, key) {
13299 if (cipher.substr(0, 3) !== 'aes') {
13300 throw new Error('GCM mode supports only AES cipher');
13301 }
13302
13303 if (util.getWebCrypto() && key.length !== 24) { // WebCrypto (no 192 bit support) see: https://www.chromium.org/blink/webcrypto#TOC-AES-support
13304 const _key = await webCrypto$2.importKey('raw', key, { name: ALGO }, false, ['encrypt', 'decrypt']);
13305
13306 return {
13307 encrypt: async function(pt, iv, adata = new Uint8Array()) {
13308 if (
13309 !pt.length ||
13310 // iOS does not support GCM-en/decrypting empty messages
13311 // Also, synchronous en/decryption might be faster in this case.
13312 (!adata.length && navigator.userAgent.indexOf('Edge') !== -1)
13313 // Edge does not support GCM-en/decrypting without ADATA
13314 ) {
13315 return AES_GCM.encrypt(pt, key, iv, adata);
13316 }
13317 const ct = await webCrypto$2.encrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength * 8 }, _key, pt);
13318 return new Uint8Array(ct);
13319 },
13320
13321 decrypt: async function(ct, iv, adata = new Uint8Array()) {
13322 if (
13323 ct.length === tagLength ||
13324 // iOS does not support GCM-en/decrypting empty messages
13325 // Also, synchronous en/decryption might be faster in this case.
13326 (!adata.length && navigator.userAgent.indexOf('Edge') !== -1)
13327 // Edge does not support GCM-en/decrypting without ADATA
13328 ) {
13329 return AES_GCM.decrypt(ct, key, iv, adata);
13330 }
13331 const pt = await webCrypto$2.decrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength * 8 }, _key, ct);
13332 return new Uint8Array(pt);
13333 }
13334 };
13335 }
13336
13337 if (util.getNodeCrypto()) { // Node crypto library
13338 key = Buffer$3.from(key);
13339
13340 return {
13341 encrypt: async function(pt, iv, adata = new Uint8Array()) {
13342 pt = Buffer$3.from(pt);
13343 iv = Buffer$3.from(iv);
13344 adata = Buffer$3.from(adata);
13345 const en = new nodeCrypto$2.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
13346 en.setAAD(adata);
13347 const ct = Buffer$3.concat([en.update(pt), en.final(), en.getAuthTag()]); // append auth tag to ciphertext
13348 return new Uint8Array(ct);
13349 },
13350
13351 decrypt: async function(ct, iv, adata = new Uint8Array()) {
13352 ct = Buffer$3.from(ct);
13353 iv = Buffer$3.from(iv);
13354 adata = Buffer$3.from(adata);
13355 const de = new nodeCrypto$2.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
13356 de.setAAD(adata);
13357 de.setAuthTag(ct.slice(ct.length - tagLength, ct.length)); // read auth tag at end of ciphertext
13358 const pt = Buffer$3.concat([de.update(ct.slice(0, ct.length - tagLength)), de.final()]);
13359 return new Uint8Array(pt);
13360 }
13361 };
13362 }
13363
13364 return {
13365 encrypt: async function(pt, iv, adata) {
13366 return AES_GCM.encrypt(pt, key, iv, adata);
13367 },
13368
13369 decrypt: async function(ct, iv, adata) {
13370 return AES_GCM.decrypt(ct, key, iv, adata);
13371 }
13372 };
13373 }
13374
13375
13376 /**
13377 * Get GCM nonce. Note: this operation is not defined by the standard.
13378 * A future version of the standard may define GCM mode differently,
13379 * hopefully under a different ID (we use Private/Experimental algorithm
13380 * ID 100) so that we can maintain backwards compatibility.
13381 * @param {Uint8Array} iv - The initialization vector (12 bytes)
13382 * @param {Uint8Array} chunkIndex - The chunk index (8 bytes)
13383 */
13384 GCM.getNonce = function(iv, chunkIndex) {
13385 const nonce = iv.slice();
13386 for (let i = 0; i < chunkIndex.length; i++) {
13387 nonce[4 + i] ^= chunkIndex[i];
13388 }
13389 return nonce;
13390 };
13391
13392 GCM.blockLength = blockLength;
13393 GCM.ivLength = ivLength;
13394 GCM.tagLength = tagLength;
13395
13396 class AES_CTR {
13397 static encrypt(data, key, nonce) {
13398 return new AES_CTR(key, nonce).encrypt(data);
13399 }
13400 static decrypt(data, key, nonce) {
13401 return new AES_CTR(key, nonce).encrypt(data);
13402 }
13403 constructor(key, nonce, aes) {
13404 this.aes = aes ? aes : new AES(key, undefined, false, 'CTR');
13405 delete this.aes.padding;
13406 this.AES_CTR_set_options(nonce);
13407 }
13408 encrypt(data) {
13409 const r1 = this.aes.AES_Encrypt_process(data);
13410 const r2 = this.aes.AES_Encrypt_finish();
13411 return joinBytes(r1, r2);
13412 }
13413 decrypt(data) {
13414 const r1 = this.aes.AES_Encrypt_process(data);
13415 const r2 = this.aes.AES_Encrypt_finish();
13416 return joinBytes(r1, r2);
13417 }
13418 AES_CTR_set_options(nonce, counter, size) {
13419 let { asm } = this.aes.acquire_asm();
13420 if (size !== undefined) {
13421 if (size < 8 || size > 48)
13422 throw new IllegalArgumentError('illegal counter size');
13423 let mask = Math.pow(2, size) - 1;
13424 asm.set_mask(0, 0, (mask / 0x100000000) | 0, mask | 0);
13425 }
13426 else {
13427 size = 48;
13428 asm.set_mask(0, 0, 0xffff, 0xffffffff);
13429 }
13430 if (nonce !== undefined) {
13431 let len = nonce.length;
13432 if (!len || len > 16)
13433 throw new IllegalArgumentError('illegal nonce size');
13434 let view = new DataView(new ArrayBuffer(16));
13435 new Uint8Array(view.buffer).set(nonce);
13436 asm.set_nonce(view.getUint32(0), view.getUint32(4), view.getUint32(8), view.getUint32(12));
13437 }
13438 else {
13439 throw new Error('nonce is required');
13440 }
13441 if (counter !== undefined) {
13442 if (counter < 0 || counter >= Math.pow(2, size))
13443 throw new IllegalArgumentError('illegal counter value');
13444 asm.set_counter(0, 0, (counter / 0x100000000) | 0, counter | 0);
13445 }
13446 }
13447 }
13448
13449 class AES_CBC {
13450 static encrypt(data, key, padding = true, iv) {
13451 return new AES_CBC(key, iv, padding).encrypt(data);
13452 }
13453 static decrypt(data, key, padding = true, iv) {
13454 return new AES_CBC(key, iv, padding).decrypt(data);
13455 }
13456 constructor(key, iv, padding = true, aes) {
13457 this.aes = aes ? aes : new AES(key, iv, padding, 'CBC');
13458 }
13459 encrypt(data) {
13460 const r1 = this.aes.AES_Encrypt_process(data);
13461 const r2 = this.aes.AES_Encrypt_finish();
13462 return joinBytes(r1, r2);
13463 }
13464 decrypt(data) {
13465 const r1 = this.aes.AES_Decrypt_process(data);
13466 const r2 = this.aes.AES_Decrypt_finish();
13467 return joinBytes(r1, r2);
13468 }
13469 }
13470
13471 /**
13472 * @fileoverview This module implements AES-CMAC on top of
13473 * native AES-CBC using either the WebCrypto API or Node.js' crypto API.
13474 * @module crypto/cmac
13475 * @private
13476 */
13477
13478 const webCrypto$3 = util.getWebCrypto();
13479 const nodeCrypto$3 = util.getNodeCrypto();
13480 const Buffer$4 = util.getNodeBuffer();
13481
13482
13483 /**
13484 * This implementation of CMAC is based on the description of OMAC in
13485 * http://web.cs.ucdavis.edu/~rogaway/papers/eax.pdf. As per that
13486 * document:
13487 *
13488 * We have made a small modification to the OMAC algorithm as it was
13489 * originally presented, changing one of its two constants.
13490 * Specifically, the constant 4 at line 85 was the constant 1/2 (the
13491 * multiplicative inverse of 2) in the original definition of OMAC [14].
13492 * The OMAC authors indicate that they will promulgate this modification
13493 * [15], which slightly simplifies implementations.
13494 */
13495
13496 const blockLength$1 = 16;
13497
13498
13499 /**
13500 * xor `padding` into the end of `data`. This function implements "the
13501 * operation xor→ [which] xors the shorter string into the end of longer
13502 * one". Since data is always as least as long as padding, we can
13503 * simplify the implementation.
13504 * @param {Uint8Array} data
13505 * @param {Uint8Array} padding
13506 */
13507 function rightXorMut(data, padding) {
13508 const offset = data.length - blockLength$1;
13509 for (let i = 0; i < blockLength$1; i++) {
13510 data[i + offset] ^= padding[i];
13511 }
13512 return data;
13513 }
13514
13515 function pad(data, padding, padding2) {
13516 // if |M| in {n, 2n, 3n, ...}
13517 if (data.length && data.length % blockLength$1 === 0) {
13518 // then return M xor→ B,
13519 return rightXorMut(data, padding);
13520 }
13521 // else return (M || 10^(n−1−(|M| mod n))) xor→ P
13522 const padded = new Uint8Array(data.length + (blockLength$1 - data.length % blockLength$1));
13523 padded.set(data);
13524 padded[data.length] = 0b10000000;
13525 return rightXorMut(padded, padding2);
13526 }
13527
13528 const zeroBlock = new Uint8Array(blockLength$1);
13529
13530 async function CMAC(key) {
13531 const cbc = await CBC(key);
13532
13533 // L ← E_K(0^n); B ← 2L; P ← 4L
13534 const padding = util.double(await cbc(zeroBlock));
13535 const padding2 = util.double(padding);
13536
13537 return async function(data) {
13538 // return CBC_K(pad(M; B, P))
13539 return (await cbc(pad(data, padding, padding2))).subarray(-blockLength$1);
13540 };
13541 }
13542
13543 async function CBC(key) {
13544 if (util.getWebCrypto() && key.length !== 24) { // WebCrypto (no 192 bit support) see: https://www.chromium.org/blink/webcrypto#TOC-AES-support
13545 key = await webCrypto$3.importKey('raw', key, { name: 'AES-CBC', length: key.length * 8 }, false, ['encrypt']);
13546 return async function(pt) {
13547 const ct = await webCrypto$3.encrypt({ name: 'AES-CBC', iv: zeroBlock, length: blockLength$1 * 8 }, key, pt);
13548 return new Uint8Array(ct).subarray(0, ct.byteLength - blockLength$1);
13549 };
13550 }
13551 if (util.getNodeCrypto()) { // Node crypto library
13552 key = Buffer$4.from(key);
13553 return async function(pt) {
13554 pt = Buffer$4.from(pt);
13555 const en = new nodeCrypto$3.createCipheriv('aes-' + (key.length * 8) + '-cbc', key, zeroBlock);
13556 const ct = en.update(pt);
13557 return new Uint8Array(ct);
13558 };
13559 }
13560 // asm.js fallback
13561 return async function(pt) {
13562 return AES_CBC.encrypt(pt, key, false, zeroBlock);
13563 };
13564 }
13565
13566 // OpenPGP.js - An OpenPGP implementation in javascript
13567
13568 const webCrypto$4 = util.getWebCrypto();
13569 const nodeCrypto$4 = util.getNodeCrypto();
13570 const Buffer$5 = util.getNodeBuffer();
13571
13572
13573 const blockLength$2 = 16;
13574 const ivLength$1 = blockLength$2;
13575 const tagLength$1 = blockLength$2;
13576
13577 const zero = new Uint8Array(blockLength$2);
13578 const one = new Uint8Array(blockLength$2); one[blockLength$2 - 1] = 1;
13579 const two = new Uint8Array(blockLength$2); two[blockLength$2 - 1] = 2;
13580
13581 async function OMAC(key) {
13582 const cmac = await CMAC(key);
13583 return function(t, message) {
13584 return cmac(util.concatUint8Array([t, message]));
13585 };
13586 }
13587
13588 async function CTR(key) {
13589 if (
13590 util.getWebCrypto() &&
13591 key.length !== 24 && // WebCrypto (no 192 bit support) see: https://www.chromium.org/blink/webcrypto#TOC-AES-support
13592 navigator.userAgent.indexOf('Edge') === -1
13593 ) {
13594 key = await webCrypto$4.importKey('raw', key, { name: 'AES-CTR', length: key.length * 8 }, false, ['encrypt']);
13595 return async function(pt, iv) {
13596 const ct = await webCrypto$4.encrypt({ name: 'AES-CTR', counter: iv, length: blockLength$2 * 8 }, key, pt);
13597 return new Uint8Array(ct);
13598 };
13599 }
13600 if (util.getNodeCrypto()) { // Node crypto library
13601 key = Buffer$5.from(key);
13602 return async function(pt, iv) {
13603 pt = Buffer$5.from(pt);
13604 iv = Buffer$5.from(iv);
13605 const en = new nodeCrypto$4.createCipheriv('aes-' + (key.length * 8) + '-ctr', key, iv);
13606 const ct = Buffer$5.concat([en.update(pt), en.final()]);
13607 return new Uint8Array(ct);
13608 };
13609 }
13610 // asm.js fallback
13611 return async function(pt, iv) {
13612 return AES_CTR.encrypt(pt, key, iv);
13613 };
13614 }
13615
13616
13617 /**
13618 * Class to en/decrypt using EAX mode.
13619 * @param {String} cipher - The symmetric cipher algorithm to use e.g. 'aes128'
13620 * @param {Uint8Array} key - The encryption key
13621 */
13622 async function EAX(cipher, key) {
13623 if (cipher.substr(0, 3) !== 'aes') {
13624 throw new Error('EAX mode supports only AES cipher');
13625 }
13626
13627 const [
13628 omac,
13629 ctr
13630 ] = await Promise.all([
13631 OMAC(key),
13632 CTR(key)
13633 ]);
13634
13635 return {
13636 /**
13637 * Encrypt plaintext input.
13638 * @param {Uint8Array} plaintext - The cleartext input to be encrypted
13639 * @param {Uint8Array} nonce - The nonce (16 bytes)
13640 * @param {Uint8Array} adata - Associated data to sign
13641 * @returns {Uint8Array} The ciphertext output.
13642 * @async
13643 */
13644 encrypt: async function(plaintext, nonce, adata) {
13645 const [
13646 omacNonce,
13647 omacAdata
13648 ] = await Promise.all([
13649 omac(zero, nonce),
13650 omac(one, adata)
13651 ]);
13652 const ciphered = await ctr(plaintext, omacNonce);
13653 const omacCiphered = await omac(two, ciphered);
13654 const tag = omacCiphered; // Assumes that omac(*).length === tagLength.
13655 for (let i = 0; i < tagLength$1; i++) {
13656 tag[i] ^= omacAdata[i] ^ omacNonce[i];
13657 }
13658 return util.concatUint8Array([ciphered, tag]);
13659 },
13660
13661 /**
13662 * Decrypt ciphertext input.
13663 * @param {Uint8Array} ciphertext - The ciphertext input to be decrypted
13664 * @param {Uint8Array} nonce - The nonce (16 bytes)
13665 * @param {Uint8Array} adata - Associated data to verify
13666 * @returns {Uint8Array} The plaintext output.
13667 * @async
13668 */
13669 decrypt: async function(ciphertext, nonce, adata) {
13670 if (ciphertext.length < tagLength$1) throw new Error('Invalid EAX ciphertext');
13671 const ciphered = ciphertext.subarray(0, -tagLength$1);
13672 const ctTag = ciphertext.subarray(-tagLength$1);
13673 const [
13674 omacNonce,
13675 omacAdata,
13676 omacCiphered
13677 ] = await Promise.all([
13678 omac(zero, nonce),
13679 omac(one, adata),
13680 omac(two, ciphered)
13681 ]);
13682 const tag = omacCiphered; // Assumes that omac(*).length === tagLength.
13683 for (let i = 0; i < tagLength$1; i++) {
13684 tag[i] ^= omacAdata[i] ^ omacNonce[i];
13685 }
13686 if (!util.equalsUint8Array(ctTag, tag)) throw new Error('Authentication tag mismatch');
13687 const plaintext = await ctr(ciphered, omacNonce);
13688 return plaintext;
13689 }
13690 };
13691 }
13692
13693
13694 /**
13695 * Get EAX nonce as defined by {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.16.1|RFC4880bis-04, section 5.16.1}.
13696 * @param {Uint8Array} iv - The initialization vector (16 bytes)
13697 * @param {Uint8Array} chunkIndex - The chunk index (8 bytes)
13698 */
13699 EAX.getNonce = function(iv, chunkIndex) {
13700 const nonce = iv.slice();
13701 for (let i = 0; i < chunkIndex.length; i++) {
13702 nonce[8 + i] ^= chunkIndex[i];
13703 }
13704 return nonce;
13705 };
13706
13707 EAX.blockLength = blockLength$2;
13708 EAX.ivLength = ivLength$1;
13709 EAX.tagLength = tagLength$1;
13710
13711 // OpenPGP.js - An OpenPGP implementation in javascript
13712
13713
13714 const blockLength$3 = 16;
13715 const ivLength$2 = 15;
13716
13717 // https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.16.2:
13718 // While OCB [RFC7253] allows the authentication tag length to be of any
13719 // number up to 128 bits long, this document requires a fixed
13720 // authentication tag length of 128 bits (16 octets) for simplicity.
13721 const tagLength$2 = 16;
13722
13723
13724 function ntz(n) {
13725 let ntz = 0;
13726 for (let i = 1; (n & i) === 0; i <<= 1) {
13727 ntz++;
13728 }
13729 return ntz;
13730 }
13731
13732 function xorMut$1(S, T) {
13733 for (let i = 0; i < S.length; i++) {
13734 S[i] ^= T[i];
13735 }
13736 return S;
13737 }
13738
13739 function xor(S, T) {
13740 return xorMut$1(S.slice(), T);
13741 }
13742
13743 const zeroBlock$1 = new Uint8Array(blockLength$3);
13744 const one$1 = new Uint8Array([1]);
13745
13746 /**
13747 * Class to en/decrypt using OCB mode.
13748 * @param {String} cipher - The symmetric cipher algorithm to use e.g. 'aes128'
13749 * @param {Uint8Array} key - The encryption key
13750 */
13751 async function OCB(cipher$1, key) {
13752
13753 let maxNtz = 0;
13754 let encipher;
13755 let decipher;
13756 let mask;
13757
13758 constructKeyVariables(cipher$1, key);
13759
13760 function constructKeyVariables(cipher$1, key) {
13761 const aes = new cipher[cipher$1](key);
13762 encipher = aes.encrypt.bind(aes);
13763 decipher = aes.decrypt.bind(aes);
13764
13765 const mask_x = encipher(zeroBlock$1);
13766 const mask_$ = util.double(mask_x);
13767 mask = [];
13768 mask[0] = util.double(mask_$);
13769
13770
13771 mask.x = mask_x;
13772 mask.$ = mask_$;
13773 }
13774
13775 function extendKeyVariables(text, adata) {
13776 const newMaxNtz = util.nbits(Math.max(text.length, adata.length) / blockLength$3 | 0) - 1;
13777 for (let i = maxNtz + 1; i <= newMaxNtz; i++) {
13778 mask[i] = util.double(mask[i - 1]);
13779 }
13780 maxNtz = newMaxNtz;
13781 }
13782
13783 function hash(adata) {
13784 if (!adata.length) {
13785 // Fast path
13786 return zeroBlock$1;
13787 }
13788
13789 //
13790 // Consider A as a sequence of 128-bit blocks
13791 //
13792 const m = adata.length / blockLength$3 | 0;
13793
13794 const offset = new Uint8Array(blockLength$3);
13795 const sum = new Uint8Array(blockLength$3);
13796 for (let i = 0; i < m; i++) {
13797 xorMut$1(offset, mask[ntz(i + 1)]);
13798 xorMut$1(sum, encipher(xor(offset, adata)));
13799 adata = adata.subarray(blockLength$3);
13800 }
13801
13802 //
13803 // Process any final partial block; compute final hash value
13804 //
13805 if (adata.length) {
13806 xorMut$1(offset, mask.x);
13807
13808 const cipherInput = new Uint8Array(blockLength$3);
13809 cipherInput.set(adata, 0);
13810 cipherInput[adata.length] = 0b10000000;
13811 xorMut$1(cipherInput, offset);
13812
13813 xorMut$1(sum, encipher(cipherInput));
13814 }
13815
13816 return sum;
13817 }
13818
13819 /**
13820 * Encrypt/decrypt data.
13821 * @param {encipher|decipher} fn - Encryption/decryption block cipher function
13822 * @param {Uint8Array} text - The cleartext or ciphertext (without tag) input
13823 * @param {Uint8Array} nonce - The nonce (15 bytes)
13824 * @param {Uint8Array} adata - Associated data to sign
13825 * @returns {Uint8Array} The ciphertext or plaintext output, with tag appended in both cases.
13826 */
13827 function crypt(fn, text, nonce, adata) {
13828 //
13829 // Consider P as a sequence of 128-bit blocks
13830 //
13831 const m = text.length / blockLength$3 | 0;
13832
13833 //
13834 // Key-dependent variables
13835 //
13836 extendKeyVariables(text, adata);
13837
13838 //
13839 // Nonce-dependent and per-encryption variables
13840 //
13841 // Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N
13842 // Note: We assume here that tagLength mod 16 == 0.
13843 const paddedNonce = util.concatUint8Array([zeroBlock$1.subarray(0, ivLength$2 - nonce.length), one$1, nonce]);
13844 // bottom = str2num(Nonce[123..128])
13845 const bottom = paddedNonce[blockLength$3 - 1] & 0b111111;
13846 // Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6))
13847 paddedNonce[blockLength$3 - 1] &= 0b11000000;
13848 const kTop = encipher(paddedNonce);
13849 // Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72])
13850 const stretched = util.concatUint8Array([kTop, xor(kTop.subarray(0, 8), kTop.subarray(1, 9))]);
13851 // Offset_0 = Stretch[1+bottom..128+bottom]
13852 const offset = util.shiftRight(stretched.subarray(0 + (bottom >> 3), 17 + (bottom >> 3)), 8 - (bottom & 7)).subarray(1);
13853 // Checksum_0 = zeros(128)
13854 const checksum = new Uint8Array(blockLength$3);
13855
13856 const ct = new Uint8Array(text.length + tagLength$2);
13857
13858 //
13859 // Process any whole blocks
13860 //
13861 let i;
13862 let pos = 0;
13863 for (i = 0; i < m; i++) {
13864 // Offset_i = Offset_{i-1} xor L_{ntz(i)}
13865 xorMut$1(offset, mask[ntz(i + 1)]);
13866 // C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i)
13867 // P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i)
13868 ct.set(xorMut$1(fn(xor(offset, text)), offset), pos);
13869 // Checksum_i = Checksum_{i-1} xor P_i
13870 xorMut$1(checksum, fn === encipher ? text : ct.subarray(pos));
13871
13872 text = text.subarray(blockLength$3);
13873 pos += blockLength$3;
13874 }
13875
13876 //
13877 // Process any final partial block and compute raw tag
13878 //
13879 if (text.length) {
13880 // Offset_* = Offset_m xor L_*
13881 xorMut$1(offset, mask.x);
13882 // Pad = ENCIPHER(K, Offset_*)
13883 const padding = encipher(offset);
13884 // C_* = P_* xor Pad[1..bitlen(P_*)]
13885 ct.set(xor(text, padding), pos);
13886
13887 // Checksum_* = Checksum_m xor (P_* || 1 || new Uint8Array(127-bitlen(P_*)))
13888 const xorInput = new Uint8Array(blockLength$3);
13889 xorInput.set(fn === encipher ? text : ct.subarray(pos, -tagLength$2), 0);
13890 xorInput[text.length] = 0b10000000;
13891 xorMut$1(checksum, xorInput);
13892 pos += text.length;
13893 }
13894 // Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)
13895 const tag = xorMut$1(encipher(xorMut$1(xorMut$1(checksum, offset), mask.$)), hash(adata));
13896
13897 //
13898 // Assemble ciphertext
13899 //
13900 // C = C_1 || C_2 || ... || C_m || C_* || Tag[1..TAGLEN]
13901 ct.set(tag, pos);
13902 return ct;
13903 }
13904
13905
13906 return {
13907 /**
13908 * Encrypt plaintext input.
13909 * @param {Uint8Array} plaintext - The cleartext input to be encrypted
13910 * @param {Uint8Array} nonce - The nonce (15 bytes)
13911 * @param {Uint8Array} adata - Associated data to sign
13912 * @returns {Uint8Array} The ciphertext output.
13913 * @async
13914 */
13915 encrypt: async function(plaintext, nonce, adata) {
13916 return crypt(encipher, plaintext, nonce, adata);
13917 },
13918
13919 /**
13920 * Decrypt ciphertext input.
13921 * @param {Uint8Array} ciphertext - The ciphertext input to be decrypted
13922 * @param {Uint8Array} nonce - The nonce (15 bytes)
13923 * @param {Uint8Array} adata - Associated data to sign
13924 * @returns {Uint8Array} The ciphertext output.
13925 * @async
13926 */
13927 decrypt: async function(ciphertext, nonce, adata) {
13928 if (ciphertext.length < tagLength$2) throw new Error('Invalid OCB ciphertext');
13929
13930 const tag = ciphertext.subarray(-tagLength$2);
13931 ciphertext = ciphertext.subarray(0, -tagLength$2);
13932
13933 const crypted = crypt(decipher, ciphertext, nonce, adata);
13934 // if (Tag[1..TAGLEN] == T)
13935 if (util.equalsUint8Array(tag, crypted.subarray(-tagLength$2))) {
13936 return crypted.subarray(0, -tagLength$2);
13937 }
13938 throw new Error('Authentication tag mismatch');
13939 }
13940 };
13941 }
13942
13943
13944 /**
13945 * Get OCB nonce as defined by {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.16.2|RFC4880bis-04, section 5.16.2}.
13946 * @param {Uint8Array} iv - The initialization vector (15 bytes)
13947 * @param {Uint8Array} chunkIndex - The chunk index (8 bytes)
13948 */
13949 OCB.getNonce = function(iv, chunkIndex) {
13950 const nonce = iv.slice();
13951 for (let i = 0; i < chunkIndex.length; i++) {
13952 nonce[7 + i] ^= chunkIndex[i];
13953 }
13954 return nonce;
13955 };
13956
13957 OCB.blockLength = blockLength$3;
13958 OCB.ivLength = ivLength$2;
13959 OCB.tagLength = tagLength$2;
13960
13961 var naclFastLight = createCommonjsModule(function (module) {
13962 /*jshint bitwise: false*/
13963
13964 (function(nacl) {
13965
13966 // Ported in 2014 by Dmitry Chestnykh and Devi Mandiri.
13967 // Public domain.
13968 //
13969 // Implementation derived from TweetNaCl version 20140427.
13970 // See for details: http://tweetnacl.cr.yp.to/
13971
13972 var gf = function(init) {
13973 var i, r = new Float64Array(16);
13974 if (init) for (i = 0; i < init.length; i++) r[i] = init[i];
13975 return r;
13976 };
13977
13978 // Pluggable, initialized in high-level API below.
13979 var randombytes = function(/* x, n */) { throw new Error('no PRNG'); };
13980
13981 var _9 = new Uint8Array(32); _9[0] = 9;
13982
13983 var gf0 = gf(),
13984 gf1 = gf([1]),
13985 _121665 = gf([0xdb41, 1]),
13986 D = gf([0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203]),
13987 D2 = gf([0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406]),
13988 X = gf([0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169]),
13989 Y = gf([0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666]),
13990 I = gf([0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83]);
13991
13992 function vn(x, xi, y, yi, n) {
13993 var i,d = 0;
13994 for (i = 0; i < n; i++) d |= x[xi+i]^y[yi+i];
13995 return (1 & ((d - 1) >>> 8)) - 1;
13996 }
13997
13998 function crypto_verify_32(x, xi, y, yi) {
13999 return vn(x,xi,y,yi,32);
14000 }
14001
14002 function set25519(r, a) {
14003 var i;
14004 for (i = 0; i < 16; i++) r[i] = a[i]|0;
14005 }
14006
14007 function car25519(o) {
14008 var i, v, c = 1;
14009 for (i = 0; i < 16; i++) {
14010 v = o[i] + c + 65535;
14011 c = Math.floor(v / 65536);
14012 o[i] = v - c * 65536;
14013 }
14014 o[0] += c-1 + 37 * (c-1);
14015 }
14016
14017 function sel25519(p, q, b) {
14018 var t, c = ~(b-1);
14019 for (var i = 0; i < 16; i++) {
14020 t = c & (p[i] ^ q[i]);
14021 p[i] ^= t;
14022 q[i] ^= t;
14023 }
14024 }
14025
14026 function pack25519(o, n) {
14027 var i, j, b;
14028 var m = gf(), t = gf();
14029 for (i = 0; i < 16; i++) t[i] = n[i];
14030 car25519(t);
14031 car25519(t);
14032 car25519(t);
14033 for (j = 0; j < 2; j++) {
14034 m[0] = t[0] - 0xffed;
14035 for (i = 1; i < 15; i++) {
14036 m[i] = t[i] - 0xffff - ((m[i-1]>>16) & 1);
14037 m[i-1] &= 0xffff;
14038 }
14039 m[15] = t[15] - 0x7fff - ((m[14]>>16) & 1);
14040 b = (m[15]>>16) & 1;
14041 m[14] &= 0xffff;
14042 sel25519(t, m, 1-b);
14043 }
14044 for (i = 0; i < 16; i++) {
14045 o[2*i] = t[i] & 0xff;
14046 o[2*i+1] = t[i]>>8;
14047 }
14048 }
14049
14050 function neq25519(a, b) {
14051 var c = new Uint8Array(32), d = new Uint8Array(32);
14052 pack25519(c, a);
14053 pack25519(d, b);
14054 return crypto_verify_32(c, 0, d, 0);
14055 }
14056
14057 function par25519(a) {
14058 var d = new Uint8Array(32);
14059 pack25519(d, a);
14060 return d[0] & 1;
14061 }
14062
14063 function unpack25519(o, n) {
14064 var i;
14065 for (i = 0; i < 16; i++) o[i] = n[2*i] + (n[2*i+1] << 8);
14066 o[15] &= 0x7fff;
14067 }
14068
14069 function A(o, a, b) {
14070 for (var i = 0; i < 16; i++) o[i] = a[i] + b[i];
14071 }
14072
14073 function Z(o, a, b) {
14074 for (var i = 0; i < 16; i++) o[i] = a[i] - b[i];
14075 }
14076
14077 function M(o, a, b) {
14078 var v, c,
14079 t0 = 0, t1 = 0, t2 = 0, t3 = 0, t4 = 0, t5 = 0, t6 = 0, t7 = 0,
14080 t8 = 0, t9 = 0, t10 = 0, t11 = 0, t12 = 0, t13 = 0, t14 = 0, t15 = 0,
14081 t16 = 0, t17 = 0, t18 = 0, t19 = 0, t20 = 0, t21 = 0, t22 = 0, t23 = 0,
14082 t24 = 0, t25 = 0, t26 = 0, t27 = 0, t28 = 0, t29 = 0, t30 = 0,
14083 b0 = b[0],
14084 b1 = b[1],
14085 b2 = b[2],
14086 b3 = b[3],
14087 b4 = b[4],
14088 b5 = b[5],
14089 b6 = b[6],
14090 b7 = b[7],
14091 b8 = b[8],
14092 b9 = b[9],
14093 b10 = b[10],
14094 b11 = b[11],
14095 b12 = b[12],
14096 b13 = b[13],
14097 b14 = b[14],
14098 b15 = b[15];
14099
14100 v = a[0];
14101 t0 += v * b0;
14102 t1 += v * b1;
14103 t2 += v * b2;
14104 t3 += v * b3;
14105 t4 += v * b4;
14106 t5 += v * b5;
14107 t6 += v * b6;
14108 t7 += v * b7;
14109 t8 += v * b8;
14110 t9 += v * b9;
14111 t10 += v * b10;
14112 t11 += v * b11;
14113 t12 += v * b12;
14114 t13 += v * b13;
14115 t14 += v * b14;
14116 t15 += v * b15;
14117 v = a[1];
14118 t1 += v * b0;
14119 t2 += v * b1;
14120 t3 += v * b2;
14121 t4 += v * b3;
14122 t5 += v * b4;
14123 t6 += v * b5;
14124 t7 += v * b6;
14125 t8 += v * b7;
14126 t9 += v * b8;
14127 t10 += v * b9;
14128 t11 += v * b10;
14129 t12 += v * b11;
14130 t13 += v * b12;
14131 t14 += v * b13;
14132 t15 += v * b14;
14133 t16 += v * b15;
14134 v = a[2];
14135 t2 += v * b0;
14136 t3 += v * b1;
14137 t4 += v * b2;
14138 t5 += v * b3;
14139 t6 += v * b4;
14140 t7 += v * b5;
14141 t8 += v * b6;
14142 t9 += v * b7;
14143 t10 += v * b8;
14144 t11 += v * b9;
14145 t12 += v * b10;
14146 t13 += v * b11;
14147 t14 += v * b12;
14148 t15 += v * b13;
14149 t16 += v * b14;
14150 t17 += v * b15;
14151 v = a[3];
14152 t3 += v * b0;
14153 t4 += v * b1;
14154 t5 += v * b2;
14155 t6 += v * b3;
14156 t7 += v * b4;
14157 t8 += v * b5;
14158 t9 += v * b6;
14159 t10 += v * b7;
14160 t11 += v * b8;
14161 t12 += v * b9;
14162 t13 += v * b10;
14163 t14 += v * b11;
14164 t15 += v * b12;
14165 t16 += v * b13;
14166 t17 += v * b14;
14167 t18 += v * b15;
14168 v = a[4];
14169 t4 += v * b0;
14170 t5 += v * b1;
14171 t6 += v * b2;
14172 t7 += v * b3;
14173 t8 += v * b4;
14174 t9 += v * b5;
14175 t10 += v * b6;
14176 t11 += v * b7;
14177 t12 += v * b8;
14178 t13 += v * b9;
14179 t14 += v * b10;
14180 t15 += v * b11;
14181 t16 += v * b12;
14182 t17 += v * b13;
14183 t18 += v * b14;
14184 t19 += v * b15;
14185 v = a[5];
14186 t5 += v * b0;
14187 t6 += v * b1;
14188 t7 += v * b2;
14189 t8 += v * b3;
14190 t9 += v * b4;
14191 t10 += v * b5;
14192 t11 += v * b6;
14193 t12 += v * b7;
14194 t13 += v * b8;
14195 t14 += v * b9;
14196 t15 += v * b10;
14197 t16 += v * b11;
14198 t17 += v * b12;
14199 t18 += v * b13;
14200 t19 += v * b14;
14201 t20 += v * b15;
14202 v = a[6];
14203 t6 += v * b0;
14204 t7 += v * b1;
14205 t8 += v * b2;
14206 t9 += v * b3;
14207 t10 += v * b4;
14208 t11 += v * b5;
14209 t12 += v * b6;
14210 t13 += v * b7;
14211 t14 += v * b8;
14212 t15 += v * b9;
14213 t16 += v * b10;
14214 t17 += v * b11;
14215 t18 += v * b12;
14216 t19 += v * b13;
14217 t20 += v * b14;
14218 t21 += v * b15;
14219 v = a[7];
14220 t7 += v * b0;
14221 t8 += v * b1;
14222 t9 += v * b2;
14223 t10 += v * b3;
14224 t11 += v * b4;
14225 t12 += v * b5;
14226 t13 += v * b6;
14227 t14 += v * b7;
14228 t15 += v * b8;
14229 t16 += v * b9;
14230 t17 += v * b10;
14231 t18 += v * b11;
14232 t19 += v * b12;
14233 t20 += v * b13;
14234 t21 += v * b14;
14235 t22 += v * b15;
14236 v = a[8];
14237 t8 += v * b0;
14238 t9 += v * b1;
14239 t10 += v * b2;
14240 t11 += v * b3;
14241 t12 += v * b4;
14242 t13 += v * b5;
14243 t14 += v * b6;
14244 t15 += v * b7;
14245 t16 += v * b8;
14246 t17 += v * b9;
14247 t18 += v * b10;
14248 t19 += v * b11;
14249 t20 += v * b12;
14250 t21 += v * b13;
14251 t22 += v * b14;
14252 t23 += v * b15;
14253 v = a[9];
14254 t9 += v * b0;
14255 t10 += v * b1;
14256 t11 += v * b2;
14257 t12 += v * b3;
14258 t13 += v * b4;
14259 t14 += v * b5;
14260 t15 += v * b6;
14261 t16 += v * b7;
14262 t17 += v * b8;
14263 t18 += v * b9;
14264 t19 += v * b10;
14265 t20 += v * b11;
14266 t21 += v * b12;
14267 t22 += v * b13;
14268 t23 += v * b14;
14269 t24 += v * b15;
14270 v = a[10];
14271 t10 += v * b0;
14272 t11 += v * b1;
14273 t12 += v * b2;
14274 t13 += v * b3;
14275 t14 += v * b4;
14276 t15 += v * b5;
14277 t16 += v * b6;
14278 t17 += v * b7;
14279 t18 += v * b8;
14280 t19 += v * b9;
14281 t20 += v * b10;
14282 t21 += v * b11;
14283 t22 += v * b12;
14284 t23 += v * b13;
14285 t24 += v * b14;
14286 t25 += v * b15;
14287 v = a[11];
14288 t11 += v * b0;
14289 t12 += v * b1;
14290 t13 += v * b2;
14291 t14 += v * b3;
14292 t15 += v * b4;
14293 t16 += v * b5;
14294 t17 += v * b6;
14295 t18 += v * b7;
14296 t19 += v * b8;
14297 t20 += v * b9;
14298 t21 += v * b10;
14299 t22 += v * b11;
14300 t23 += v * b12;
14301 t24 += v * b13;
14302 t25 += v * b14;
14303 t26 += v * b15;
14304 v = a[12];
14305 t12 += v * b0;
14306 t13 += v * b1;
14307 t14 += v * b2;
14308 t15 += v * b3;
14309 t16 += v * b4;
14310 t17 += v * b5;
14311 t18 += v * b6;
14312 t19 += v * b7;
14313 t20 += v * b8;
14314 t21 += v * b9;
14315 t22 += v * b10;
14316 t23 += v * b11;
14317 t24 += v * b12;
14318 t25 += v * b13;
14319 t26 += v * b14;
14320 t27 += v * b15;
14321 v = a[13];
14322 t13 += v * b0;
14323 t14 += v * b1;
14324 t15 += v * b2;
14325 t16 += v * b3;
14326 t17 += v * b4;
14327 t18 += v * b5;
14328 t19 += v * b6;
14329 t20 += v * b7;
14330 t21 += v * b8;
14331 t22 += v * b9;
14332 t23 += v * b10;
14333 t24 += v * b11;
14334 t25 += v * b12;
14335 t26 += v * b13;
14336 t27 += v * b14;
14337 t28 += v * b15;
14338 v = a[14];
14339 t14 += v * b0;
14340 t15 += v * b1;
14341 t16 += v * b2;
14342 t17 += v * b3;
14343 t18 += v * b4;
14344 t19 += v * b5;
14345 t20 += v * b6;
14346 t21 += v * b7;
14347 t22 += v * b8;
14348 t23 += v * b9;
14349 t24 += v * b10;
14350 t25 += v * b11;
14351 t26 += v * b12;
14352 t27 += v * b13;
14353 t28 += v * b14;
14354 t29 += v * b15;
14355 v = a[15];
14356 t15 += v * b0;
14357 t16 += v * b1;
14358 t17 += v * b2;
14359 t18 += v * b3;
14360 t19 += v * b4;
14361 t20 += v * b5;
14362 t21 += v * b6;
14363 t22 += v * b7;
14364 t23 += v * b8;
14365 t24 += v * b9;
14366 t25 += v * b10;
14367 t26 += v * b11;
14368 t27 += v * b12;
14369 t28 += v * b13;
14370 t29 += v * b14;
14371 t30 += v * b15;
14372
14373 t0 += 38 * t16;
14374 t1 += 38 * t17;
14375 t2 += 38 * t18;
14376 t3 += 38 * t19;
14377 t4 += 38 * t20;
14378 t5 += 38 * t21;
14379 t6 += 38 * t22;
14380 t7 += 38 * t23;
14381 t8 += 38 * t24;
14382 t9 += 38 * t25;
14383 t10 += 38 * t26;
14384 t11 += 38 * t27;
14385 t12 += 38 * t28;
14386 t13 += 38 * t29;
14387 t14 += 38 * t30;
14388 // t15 left as is
14389
14390 // first car
14391 c = 1;
14392 v = t0 + c + 65535; c = Math.floor(v / 65536); t0 = v - c * 65536;
14393 v = t1 + c + 65535; c = Math.floor(v / 65536); t1 = v - c * 65536;
14394 v = t2 + c + 65535; c = Math.floor(v / 65536); t2 = v - c * 65536;
14395 v = t3 + c + 65535; c = Math.floor(v / 65536); t3 = v - c * 65536;
14396 v = t4 + c + 65535; c = Math.floor(v / 65536); t4 = v - c * 65536;
14397 v = t5 + c + 65535; c = Math.floor(v / 65536); t5 = v - c * 65536;
14398 v = t6 + c + 65535; c = Math.floor(v / 65536); t6 = v - c * 65536;
14399 v = t7 + c + 65535; c = Math.floor(v / 65536); t7 = v - c * 65536;
14400 v = t8 + c + 65535; c = Math.floor(v / 65536); t8 = v - c * 65536;
14401 v = t9 + c + 65535; c = Math.floor(v / 65536); t9 = v - c * 65536;
14402 v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
14403 v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
14404 v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
14405 v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
14406 v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
14407 v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
14408 t0 += c-1 + 37 * (c-1);
14409
14410 // second car
14411 c = 1;
14412 v = t0 + c + 65535; c = Math.floor(v / 65536); t0 = v - c * 65536;
14413 v = t1 + c + 65535; c = Math.floor(v / 65536); t1 = v - c * 65536;
14414 v = t2 + c + 65535; c = Math.floor(v / 65536); t2 = v - c * 65536;
14415 v = t3 + c + 65535; c = Math.floor(v / 65536); t3 = v - c * 65536;
14416 v = t4 + c + 65535; c = Math.floor(v / 65536); t4 = v - c * 65536;
14417 v = t5 + c + 65535; c = Math.floor(v / 65536); t5 = v - c * 65536;
14418 v = t6 + c + 65535; c = Math.floor(v / 65536); t6 = v - c * 65536;
14419 v = t7 + c + 65535; c = Math.floor(v / 65536); t7 = v - c * 65536;
14420 v = t8 + c + 65535; c = Math.floor(v / 65536); t8 = v - c * 65536;
14421 v = t9 + c + 65535; c = Math.floor(v / 65536); t9 = v - c * 65536;
14422 v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;
14423 v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;
14424 v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;
14425 v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;
14426 v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;
14427 v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;
14428 t0 += c-1 + 37 * (c-1);
14429
14430 o[ 0] = t0;
14431 o[ 1] = t1;
14432 o[ 2] = t2;
14433 o[ 3] = t3;
14434 o[ 4] = t4;
14435 o[ 5] = t5;
14436 o[ 6] = t6;
14437 o[ 7] = t7;
14438 o[ 8] = t8;
14439 o[ 9] = t9;
14440 o[10] = t10;
14441 o[11] = t11;
14442 o[12] = t12;
14443 o[13] = t13;
14444 o[14] = t14;
14445 o[15] = t15;
14446 }
14447
14448 function S(o, a) {
14449 M(o, a, a);
14450 }
14451
14452 function inv25519(o, i) {
14453 var c = gf();
14454 var a;
14455 for (a = 0; a < 16; a++) c[a] = i[a];
14456 for (a = 253; a >= 0; a--) {
14457 S(c, c);
14458 if(a !== 2 && a !== 4) M(c, c, i);
14459 }
14460 for (a = 0; a < 16; a++) o[a] = c[a];
14461 }
14462
14463 function pow2523(o, i) {
14464 var c = gf();
14465 var a;
14466 for (a = 0; a < 16; a++) c[a] = i[a];
14467 for (a = 250; a >= 0; a--) {
14468 S(c, c);
14469 if(a !== 1) M(c, c, i);
14470 }
14471 for (a = 0; a < 16; a++) o[a] = c[a];
14472 }
14473
14474 function crypto_scalarmult(q, n, p) {
14475 var z = new Uint8Array(32);
14476 var x = new Float64Array(80), r, i;
14477 var a = gf(), b = gf(), c = gf(),
14478 d = gf(), e = gf(), f = gf();
14479 for (i = 0; i < 31; i++) z[i] = n[i];
14480 z[31]=(n[31]&127)|64;
14481 z[0]&=248;
14482 unpack25519(x,p);
14483 for (i = 0; i < 16; i++) {
14484 b[i]=x[i];
14485 d[i]=a[i]=c[i]=0;
14486 }
14487 a[0]=d[0]=1;
14488 for (i=254; i>=0; --i) {
14489 r=(z[i>>>3]>>>(i&7))&1;
14490 sel25519(a,b,r);
14491 sel25519(c,d,r);
14492 A(e,a,c);
14493 Z(a,a,c);
14494 A(c,b,d);
14495 Z(b,b,d);
14496 S(d,e);
14497 S(f,a);
14498 M(a,c,a);
14499 M(c,b,e);
14500 A(e,a,c);
14501 Z(a,a,c);
14502 S(b,a);
14503 Z(c,d,f);
14504 M(a,c,_121665);
14505 A(a,a,d);
14506 M(c,c,a);
14507 M(a,d,f);
14508 M(d,b,x);
14509 S(b,e);
14510 sel25519(a,b,r);
14511 sel25519(c,d,r);
14512 }
14513 for (i = 0; i < 16; i++) {
14514 x[i+16]=a[i];
14515 x[i+32]=c[i];
14516 x[i+48]=b[i];
14517 x[i+64]=d[i];
14518 }
14519 var x32 = x.subarray(32);
14520 var x16 = x.subarray(16);
14521 inv25519(x32,x32);
14522 M(x16,x16,x32);
14523 pack25519(q,x16);
14524 return 0;
14525 }
14526
14527 function crypto_scalarmult_base(q, n) {
14528 return crypto_scalarmult(q, n, _9);
14529 }
14530
14531 function crypto_box_keypair(y, x) {
14532 randombytes(x, 32);
14533 return crypto_scalarmult_base(y, x);
14534 }
14535
14536 function add(p, q) {
14537 var a = gf(), b = gf(), c = gf(),
14538 d = gf(), e = gf(), f = gf(),
14539 g = gf(), h = gf(), t = gf();
14540
14541 Z(a, p[1], p[0]);
14542 Z(t, q[1], q[0]);
14543 M(a, a, t);
14544 A(b, p[0], p[1]);
14545 A(t, q[0], q[1]);
14546 M(b, b, t);
14547 M(c, p[3], q[3]);
14548 M(c, c, D2);
14549 M(d, p[2], q[2]);
14550 A(d, d, d);
14551 Z(e, b, a);
14552 Z(f, d, c);
14553 A(g, d, c);
14554 A(h, b, a);
14555
14556 M(p[0], e, f);
14557 M(p[1], h, g);
14558 M(p[2], g, f);
14559 M(p[3], e, h);
14560 }
14561
14562 function cswap(p, q, b) {
14563 var i;
14564 for (i = 0; i < 4; i++) {
14565 sel25519(p[i], q[i], b);
14566 }
14567 }
14568
14569 function pack(r, p) {
14570 var tx = gf(), ty = gf(), zi = gf();
14571 inv25519(zi, p[2]);
14572 M(tx, p[0], zi);
14573 M(ty, p[1], zi);
14574 pack25519(r, ty);
14575 r[31] ^= par25519(tx) << 7;
14576 }
14577
14578 function scalarmult(p, q, s) {
14579 var b, i;
14580 set25519(p[0], gf0);
14581 set25519(p[1], gf1);
14582 set25519(p[2], gf1);
14583 set25519(p[3], gf0);
14584 for (i = 255; i >= 0; --i) {
14585 b = (s[(i/8)|0] >> (i&7)) & 1;
14586 cswap(p, q, b);
14587 add(q, p);
14588 add(p, p);
14589 cswap(p, q, b);
14590 }
14591 }
14592
14593 function scalarbase(p, s) {
14594 var q = [gf(), gf(), gf(), gf()];
14595 set25519(q[0], X);
14596 set25519(q[1], Y);
14597 set25519(q[2], gf1);
14598 M(q[3], X, Y);
14599 scalarmult(p, q, s);
14600 }
14601
14602 function crypto_sign_keypair(pk, sk, seeded) {
14603 var d;
14604 var p = [gf(), gf(), gf(), gf()];
14605 var i;
14606
14607 if (!seeded) randombytes(sk, 32);
14608 d = nacl.hash(sk.subarray(0, 32));
14609 d[0] &= 248;
14610 d[31] &= 127;
14611 d[31] |= 64;
14612
14613 scalarbase(p, d);
14614 pack(pk, p);
14615
14616 for (i = 0; i < 32; i++) sk[i+32] = pk[i];
14617 return 0;
14618 }
14619
14620 var L = new Float64Array([0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10]);
14621
14622 function modL(r, x) {
14623 var carry, i, j, k;
14624 for (i = 63; i >= 32; --i) {
14625 carry = 0;
14626 for (j = i - 32, k = i - 12; j < k; ++j) {
14627 x[j] += carry - 16 * x[i] * L[j - (i - 32)];
14628 carry = Math.floor((x[j] + 128) / 256);
14629 x[j] -= carry * 256;
14630 }
14631 x[j] += carry;
14632 x[i] = 0;
14633 }
14634 carry = 0;
14635 for (j = 0; j < 32; j++) {
14636 x[j] += carry - (x[31] >> 4) * L[j];
14637 carry = x[j] >> 8;
14638 x[j] &= 255;
14639 }
14640 for (j = 0; j < 32; j++) x[j] -= carry * L[j];
14641 for (i = 0; i < 32; i++) {
14642 x[i+1] += x[i] >> 8;
14643 r[i] = x[i] & 255;
14644 }
14645 }
14646
14647 function reduce(r) {
14648 var x = new Float64Array(64), i;
14649 for (i = 0; i < 64; i++) x[i] = r[i];
14650 for (i = 0; i < 64; i++) r[i] = 0;
14651 modL(r, x);
14652 }
14653
14654 // Note: difference from C - smlen returned, not passed as argument.
14655 function crypto_sign(sm, m, n, sk) {
14656 var d, h, r;
14657 var i, j, x = new Float64Array(64);
14658 var p = [gf(), gf(), gf(), gf()];
14659
14660 d = nacl.hash(sk.subarray(0, 32));
14661 d[0] &= 248;
14662 d[31] &= 127;
14663 d[31] |= 64;
14664
14665 var smlen = n + 64;
14666 for (i = 0; i < n; i++) sm[64 + i] = m[i];
14667 for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i];
14668
14669 r = nacl.hash(sm.subarray(32, smlen));
14670 reduce(r);
14671 scalarbase(p, r);
14672 pack(sm, p);
14673
14674 for (i = 32; i < 64; i++) sm[i] = sk[i];
14675 h = nacl.hash(sm.subarray(0, smlen));
14676 reduce(h);
14677
14678 for (i = 0; i < 64; i++) x[i] = 0;
14679 for (i = 0; i < 32; i++) x[i] = r[i];
14680 for (i = 0; i < 32; i++) {
14681 for (j = 0; j < 32; j++) {
14682 x[i+j] += h[i] * d[j];
14683 }
14684 }
14685
14686 modL(sm.subarray(32), x);
14687 return smlen;
14688 }
14689
14690 function unpackneg(r, p) {
14691 var t = gf(), chk = gf(), num = gf(),
14692 den = gf(), den2 = gf(), den4 = gf(),
14693 den6 = gf();
14694
14695 set25519(r[2], gf1);
14696 unpack25519(r[1], p);
14697 S(num, r[1]);
14698 M(den, num, D);
14699 Z(num, num, r[2]);
14700 A(den, r[2], den);
14701
14702 S(den2, den);
14703 S(den4, den2);
14704 M(den6, den4, den2);
14705 M(t, den6, num);
14706 M(t, t, den);
14707
14708 pow2523(t, t);
14709 M(t, t, num);
14710 M(t, t, den);
14711 M(t, t, den);
14712 M(r[0], t, den);
14713
14714 S(chk, r[0]);
14715 M(chk, chk, den);
14716 if (neq25519(chk, num)) M(r[0], r[0], I);
14717
14718 S(chk, r[0]);
14719 M(chk, chk, den);
14720 if (neq25519(chk, num)) return -1;
14721
14722 if (par25519(r[0]) === (p[31]>>7)) Z(r[0], gf0, r[0]);
14723
14724 M(r[3], r[0], r[1]);
14725 return 0;
14726 }
14727
14728 function crypto_sign_open(m, sm, n, pk) {
14729 var i;
14730 var t = new Uint8Array(32), h;
14731 var p = [gf(), gf(), gf(), gf()],
14732 q = [gf(), gf(), gf(), gf()];
14733
14734 if (n < 64) return -1;
14735
14736 if (unpackneg(q, pk)) return -1;
14737
14738 for (i = 0; i < n; i++) m[i] = sm[i];
14739 for (i = 0; i < 32; i++) m[i+32] = pk[i];
14740 h = nacl.hash(m.subarray(0, n));
14741 reduce(h);
14742 scalarmult(p, q, h);
14743
14744 scalarbase(q, sm.subarray(32));
14745 add(p, q);
14746 pack(t, p);
14747
14748 n -= 64;
14749 if (crypto_verify_32(sm, 0, t, 0)) {
14750 for (i = 0; i < n; i++) m[i] = 0;
14751 return -1;
14752 }
14753
14754 for (i = 0; i < n; i++) m[i] = sm[i + 64];
14755 return n;
14756 }
14757
14758 var crypto_scalarmult_BYTES = 32,
14759 crypto_scalarmult_SCALARBYTES = 32,
14760 crypto_box_PUBLICKEYBYTES = 32,
14761 crypto_box_SECRETKEYBYTES = 32,
14762 crypto_sign_BYTES = 64,
14763 crypto_sign_PUBLICKEYBYTES = 32,
14764 crypto_sign_SECRETKEYBYTES = 64,
14765 crypto_sign_SEEDBYTES = 32;
14766
14767 function checkArrayTypes() {
14768 for (var i = 0; i < arguments.length; i++) {
14769 if (!(arguments[i] instanceof Uint8Array))
14770 throw new TypeError('unexpected type, use Uint8Array');
14771 }
14772 }
14773
14774 function cleanup(arr) {
14775 for (var i = 0; i < arr.length; i++) arr[i] = 0;
14776 }
14777
14778 nacl.scalarMult = function(n, p) {
14779 checkArrayTypes(n, p);
14780 if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error('bad n size');
14781 if (p.length !== crypto_scalarmult_BYTES) throw new Error('bad p size');
14782 var q = new Uint8Array(crypto_scalarmult_BYTES);
14783 crypto_scalarmult(q, n, p);
14784 return q;
14785 };
14786
14787 nacl.box = {};
14788
14789 nacl.box.keyPair = function() {
14790 var pk = new Uint8Array(crypto_box_PUBLICKEYBYTES);
14791 var sk = new Uint8Array(crypto_box_SECRETKEYBYTES);
14792 crypto_box_keypair(pk, sk);
14793 return {publicKey: pk, secretKey: sk};
14794 };
14795
14796 nacl.box.keyPair.fromSecretKey = function(secretKey) {
14797 checkArrayTypes(secretKey);
14798 if (secretKey.length !== crypto_box_SECRETKEYBYTES)
14799 throw new Error('bad secret key size');
14800 var pk = new Uint8Array(crypto_box_PUBLICKEYBYTES);
14801 crypto_scalarmult_base(pk, secretKey);
14802 return {publicKey: pk, secretKey: new Uint8Array(secretKey)};
14803 };
14804
14805 nacl.sign = function(msg, secretKey) {
14806 checkArrayTypes(msg, secretKey);
14807 if (secretKey.length !== crypto_sign_SECRETKEYBYTES)
14808 throw new Error('bad secret key size');
14809 var signedMsg = new Uint8Array(crypto_sign_BYTES+msg.length);
14810 crypto_sign(signedMsg, msg, msg.length, secretKey);
14811 return signedMsg;
14812 };
14813
14814 nacl.sign.detached = function(msg, secretKey) {
14815 var signedMsg = nacl.sign(msg, secretKey);
14816 var sig = new Uint8Array(crypto_sign_BYTES);
14817 for (var i = 0; i < sig.length; i++) sig[i] = signedMsg[i];
14818 return sig;
14819 };
14820
14821 nacl.sign.detached.verify = function(msg, sig, publicKey) {
14822 checkArrayTypes(msg, sig, publicKey);
14823 if (sig.length !== crypto_sign_BYTES)
14824 throw new Error('bad signature size');
14825 if (publicKey.length !== crypto_sign_PUBLICKEYBYTES)
14826 throw new Error('bad public key size');
14827 var sm = new Uint8Array(crypto_sign_BYTES + msg.length);
14828 var m = new Uint8Array(crypto_sign_BYTES + msg.length);
14829 var i;
14830 for (i = 0; i < crypto_sign_BYTES; i++) sm[i] = sig[i];
14831 for (i = 0; i < msg.length; i++) sm[i+crypto_sign_BYTES] = msg[i];
14832 return (crypto_sign_open(m, sm, sm.length, publicKey) >= 0);
14833 };
14834
14835 nacl.sign.keyPair = function() {
14836 var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
14837 var sk = new Uint8Array(crypto_sign_SECRETKEYBYTES);
14838 crypto_sign_keypair(pk, sk);
14839 return {publicKey: pk, secretKey: sk};
14840 };
14841
14842 nacl.sign.keyPair.fromSecretKey = function(secretKey) {
14843 checkArrayTypes(secretKey);
14844 if (secretKey.length !== crypto_sign_SECRETKEYBYTES)
14845 throw new Error('bad secret key size');
14846 var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
14847 for (var i = 0; i < pk.length; i++) pk[i] = secretKey[32+i];
14848 return {publicKey: pk, secretKey: new Uint8Array(secretKey)};
14849 };
14850
14851 nacl.sign.keyPair.fromSeed = function(seed) {
14852 checkArrayTypes(seed);
14853 if (seed.length !== crypto_sign_SEEDBYTES)
14854 throw new Error('bad seed size');
14855 var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);
14856 var sk = new Uint8Array(crypto_sign_SECRETKEYBYTES);
14857 for (var i = 0; i < 32; i++) sk[i] = seed[i];
14858 crypto_sign_keypair(pk, sk, true);
14859 return {publicKey: pk, secretKey: sk};
14860 };
14861
14862 nacl.setPRNG = function(fn) {
14863 randombytes = fn;
14864 };
14865
14866 (function() {
14867 // Initialize PRNG if environment provides CSPRNG.
14868 // If not, methods calling randombytes will throw.
14869 var crypto = typeof self !== 'undefined' ? (self.crypto || self.msCrypto) : null;
14870 if (crypto && crypto.getRandomValues) {
14871 // Browsers.
14872 var QUOTA = 65536;
14873 nacl.setPRNG(function(x, n) {
14874 var i, v = new Uint8Array(n);
14875 for (i = 0; i < n; i += QUOTA) {
14876 crypto.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA)));
14877 }
14878 for (i = 0; i < n; i++) x[i] = v[i];
14879 cleanup(v);
14880 });
14881 } else if (typeof commonjsRequire !== 'undefined') {
14882 // Node.js.
14883 crypto = void('crypto');
14884 if (crypto && crypto.randomBytes) {
14885 nacl.setPRNG(function(x, n) {
14886 var i, v = crypto.randomBytes(n);
14887 for (i = 0; i < n; i++) x[i] = v[i];
14888 cleanup(v);
14889 });
14890 }
14891 }
14892 })();
14893
14894 })(module.exports ? module.exports : (self.nacl = self.nacl || {}));
14895 });
14896
14897 // GPG4Browsers - An OpenPGP implementation in javascript
14898
14899 const nodeCrypto$5 = util.getNodeCrypto();
14900
14901 /**
14902 * Buffer for secure random numbers
14903 */
14904 class RandomBuffer {
14905 constructor() {
14906 this.buffer = null;
14907 this.size = null;
14908 this.callback = null;
14909 }
14910
14911 /**
14912 * Initialize buffer
14913 * @param {Integer} size - size of buffer
14914 */
14915 init(size, callback) {
14916 this.buffer = new Uint8Array(size);
14917 this.size = 0;
14918 this.callback = callback;
14919 }
14920
14921 /**
14922 * Concat array of secure random numbers to buffer
14923 * @param {Uint8Array} buf
14924 */
14925 set(buf) {
14926 if (!this.buffer) {
14927 throw new Error('RandomBuffer is not initialized');
14928 }
14929 if (!(buf instanceof Uint8Array)) {
14930 throw new Error('Invalid type: buf not an Uint8Array');
14931 }
14932 const freeSpace = this.buffer.length - this.size;
14933 if (buf.length > freeSpace) {
14934 buf = buf.subarray(0, freeSpace);
14935 }
14936 // set buf with offset old size of buffer
14937 this.buffer.set(buf, this.size);
14938 this.size += buf.length;
14939 }
14940
14941 /**
14942 * Take numbers out of buffer and copy to array
14943 * @param {Uint8Array} buf - The destination array
14944 */
14945 async get(buf) {
14946 if (!this.buffer) {
14947 throw new Error('RandomBuffer is not initialized');
14948 }
14949 if (!(buf instanceof Uint8Array)) {
14950 throw new Error('Invalid type: buf not an Uint8Array');
14951 }
14952 if (this.size < buf.length) {
14953 if (!this.callback) {
14954 throw new Error('Random number buffer depleted');
14955 }
14956 // Wait for random bytes from main context, then try again
14957 await this.callback();
14958 return this.get(buf);
14959 }
14960 for (let i = 0; i < buf.length; i++) {
14961 buf[i] = this.buffer[--this.size];
14962 // clear buffer value
14963 this.buffer[this.size] = 0;
14964 }
14965 }
14966 }
14967
14968 /**
14969 * Retrieve secure random byte array of the specified length
14970 * @param {Integer} length - Length in bytes to generate
14971 * @returns {Uint8Array} Random byte array.
14972 * @async
14973 */
14974 async function getRandomBytes(length) {
14975 const buf = new Uint8Array(length);
14976 if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
14977 crypto.getRandomValues(buf);
14978 } else if (typeof globalThis !== 'undefined' && typeof globalThis.msCrypto === 'object' && typeof globalThis.msCrypto.getRandomValues === 'function') {
14979 globalThis.msCrypto.getRandomValues(buf);
14980 } else if (nodeCrypto$5) {
14981 const bytes = nodeCrypto$5.randomBytes(buf.length);
14982 buf.set(bytes);
14983 } else if (randomBuffer.buffer) {
14984 await randomBuffer.get(buf);
14985 } else {
14986 throw new Error('No secure random number generator available.');
14987 }
14988 return buf;
14989 }
14990
14991 /**
14992 * Create a secure random BigInteger that is greater than or equal to min and less than max.
14993 * @param {module:BigInteger} min - Lower bound, included
14994 * @param {module:BigInteger} max - Upper bound, excluded
14995 * @returns {module:BigInteger} Random BigInteger.
14996 * @async
14997 */
14998 async function getRandomBigInteger(min, max) {
14999 const BigInteger = await util.getBigInteger();
15000
15001 if (max.lt(min)) {
15002 throw new Error('Illegal parameter value: max <= min');
15003 }
15004
15005 const modulus = max.sub(min);
15006 const bytes = modulus.byteLength();
15007
15008 // Using a while loop is necessary to avoid bias introduced by the mod operation.
15009 // However, we request 64 extra random bits so that the bias is negligible.
15010 // Section B.1.1 here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
15011 const r = new BigInteger(await getRandomBytes(bytes + 8));
15012 return r.mod(modulus).add(min);
15013 }
15014
15015 const randomBuffer = new RandomBuffer();
15016
15017 var random = /*#__PURE__*/Object.freeze({
15018 __proto__: null,
15019 getRandomBytes: getRandomBytes,
15020 getRandomBigInteger: getRandomBigInteger,
15021 randomBuffer: randomBuffer
15022 });
15023
15024 // OpenPGP.js - An OpenPGP implementation in javascript
15025
15026 /**
15027 * Probabilistic random number generator
15028 * @param {Integer} bits - Bit length of the prime
15029 * @param {BigInteger} e - Optional RSA exponent to check against the prime
15030 * @param {Integer} k - Optional number of iterations of Miller-Rabin test
15031 * @returns BigInteger
15032 * @async
15033 */
15034 async function randomProbablePrime(bits, e, k) {
15035 const BigInteger = await util.getBigInteger();
15036 const one = new BigInteger(1);
15037 const min = one.leftShift(new BigInteger(bits - 1));
15038 const thirty = new BigInteger(30);
15039 /*
15040 * We can avoid any multiples of 3 and 5 by looking at n mod 30
15041 * n mod 30 = 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
15042 * the next possible prime is mod 30:
15043 * 1 7 7 7 7 7 7 11 11 11 11 13 13 17 17 17 17 19 19 23 23 23 23 29 29 29 29 29 29 1
15044 */
15045 const adds = [1, 6, 5, 4, 3, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 6, 5, 4, 3, 2, 1, 2];
15046
15047 const n = await getRandomBigInteger(min, min.leftShift(one));
15048 let i = n.mod(thirty).toNumber();
15049
15050 do {
15051 n.iadd(new BigInteger(adds[i]));
15052 i = (i + adds[i]) % adds.length;
15053 // If reached the maximum, go back to the minimum.
15054 if (n.bitLength() > bits) {
15055 n.imod(min.leftShift(one)).iadd(min);
15056 i = n.mod(thirty).toNumber();
15057 }
15058 } while (!await isProbablePrime(n, e, k));
15059 return n;
15060 }
15061
15062 /**
15063 * Probabilistic primality testing
15064 * @param {BigInteger} n - Number to test
15065 * @param {BigInteger} e - Optional RSA exponent to check against the prime
15066 * @param {Integer} k - Optional number of iterations of Miller-Rabin test
15067 * @returns {boolean}
15068 * @async
15069 */
15070 async function isProbablePrime(n, e, k) {
15071 if (e && !n.dec().gcd(e).isOne()) {
15072 return false;
15073 }
15074 if (!await divisionTest(n)) {
15075 return false;
15076 }
15077 if (!await fermat(n)) {
15078 return false;
15079 }
15080 if (!await millerRabin(n, k)) {
15081 return false;
15082 }
15083 // TODO implement the Lucas test
15084 // See Section C.3.3 here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
15085 return true;
15086 }
15087
15088 /**
15089 * Tests whether n is probably prime or not using Fermat's test with b = 2.
15090 * Fails if b^(n-1) mod n != 1.
15091 * @param {BigInteger} n - Number to test
15092 * @param {BigInteger} b - Optional Fermat test base
15093 * @returns {boolean}
15094 */
15095 async function fermat(n, b) {
15096 const BigInteger = await util.getBigInteger();
15097 b = b || new BigInteger(2);
15098 return b.modExp(n.dec(), n).isOne();
15099 }
15100
15101 async function divisionTest(n) {
15102 const BigInteger = await util.getBigInteger();
15103 return smallPrimes.every(m => {
15104 return n.mod(new BigInteger(m)) !== 0;
15105 });
15106 }
15107
15108 // https://github.com/gpg/libgcrypt/blob/master/cipher/primegen.c
15109 const smallPrimes = [
15110 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43,
15111 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101,
15112 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
15113 157, 163, 167, 173, 179, 181, 191, 193, 197, 199,
15114 211, 223, 227, 229, 233, 239, 241, 251, 257, 263,
15115 269, 271, 277, 281, 283, 293, 307, 311, 313, 317,
15116 331, 337, 347, 349, 353, 359, 367, 373, 379, 383,
15117 389, 397, 401, 409, 419, 421, 431, 433, 439, 443,
15118 449, 457, 461, 463, 467, 479, 487, 491, 499, 503,
15119 509, 521, 523, 541, 547, 557, 563, 569, 571, 577,
15120 587, 593, 599, 601, 607, 613, 617, 619, 631, 641,
15121 643, 647, 653, 659, 661, 673, 677, 683, 691, 701,
15122 709, 719, 727, 733, 739, 743, 751, 757, 761, 769,
15123 773, 787, 797, 809, 811, 821, 823, 827, 829, 839,
15124 853, 857, 859, 863, 877, 881, 883, 887, 907, 911,
15125 919, 929, 937, 941, 947, 953, 967, 971, 977, 983,
15126 991, 997, 1009, 1013, 1019, 1021, 1031, 1033,
15127 1039, 1049, 1051, 1061, 1063, 1069, 1087, 1091,
15128 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151,
15129 1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213,
15130 1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277,
15131 1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307,
15132 1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399,
15133 1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451,
15134 1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493,
15135 1499, 1511, 1523, 1531, 1543, 1549, 1553, 1559,
15136 1567, 1571, 1579, 1583, 1597, 1601, 1607, 1609,
15137 1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667,
15138 1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733,
15139 1741, 1747, 1753, 1759, 1777, 1783, 1787, 1789,
15140 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871,
15141 1873, 1877, 1879, 1889, 1901, 1907, 1913, 1931,
15142 1933, 1949, 1951, 1973, 1979, 1987, 1993, 1997,
15143 1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053,
15144 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111,
15145 2113, 2129, 2131, 2137, 2141, 2143, 2153, 2161,
15146 2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243,
15147 2251, 2267, 2269, 2273, 2281, 2287, 2293, 2297,
15148 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357,
15149 2371, 2377, 2381, 2383, 2389, 2393, 2399, 2411,
15150 2417, 2423, 2437, 2441, 2447, 2459, 2467, 2473,
15151 2477, 2503, 2521, 2531, 2539, 2543, 2549, 2551,
15152 2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633,
15153 2647, 2657, 2659, 2663, 2671, 2677, 2683, 2687,
15154 2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729,
15155 2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791,
15156 2797, 2801, 2803, 2819, 2833, 2837, 2843, 2851,
15157 2857, 2861, 2879, 2887, 2897, 2903, 2909, 2917,
15158 2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999,
15159 3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061,
15160 3067, 3079, 3083, 3089, 3109, 3119, 3121, 3137,
15161 3163, 3167, 3169, 3181, 3187, 3191, 3203, 3209,
15162 3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271,
15163 3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331,
15164 3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391,
15165 3407, 3413, 3433, 3449, 3457, 3461, 3463, 3467,
15166 3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533,
15167 3539, 3541, 3547, 3557, 3559, 3571, 3581, 3583,
15168 3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643,
15169 3659, 3671, 3673, 3677, 3691, 3697, 3701, 3709,
15170 3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779,
15171 3793, 3797, 3803, 3821, 3823, 3833, 3847, 3851,
15172 3853, 3863, 3877, 3881, 3889, 3907, 3911, 3917,
15173 3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989,
15174 4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049,
15175 4051, 4057, 4073, 4079, 4091, 4093, 4099, 4111,
15176 4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177,
15177 4201, 4211, 4217, 4219, 4229, 4231, 4241, 4243,
15178 4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297,
15179 4327, 4337, 4339, 4349, 4357, 4363, 4373, 4391,
15180 4397, 4409, 4421, 4423, 4441, 4447, 4451, 4457,
15181 4463, 4481, 4483, 4493, 4507, 4513, 4517, 4519,
15182 4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597,
15183 4603, 4621, 4637, 4639, 4643, 4649, 4651, 4657,
15184 4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729,
15185 4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799,
15186 4801, 4813, 4817, 4831, 4861, 4871, 4877, 4889,
15187 4903, 4909, 4919, 4931, 4933, 4937, 4943, 4951,
15188 4957, 4967, 4969, 4973, 4987, 4993, 4999
15189 ];
15190
15191
15192 // Miller-Rabin - Miller Rabin algorithm for primality test
15193 // Copyright Fedor Indutny, 2014.
15194 //
15195 // This software is licensed under the MIT License.
15196 //
15197 // Permission is hereby granted, free of charge, to any person obtaining a
15198 // copy of this software and associated documentation files (the
15199 // "Software"), to deal in the Software without restriction, including
15200 // without limitation the rights to use, copy, modify, merge, publish,
15201 // distribute, sublicense, and/or sell copies of the Software, and to permit
15202 // persons to whom the Software is furnished to do so, subject to the
15203 // following conditions:
15204 //
15205 // The above copyright notice and this permission notice shall be included
15206 // in all copies or substantial portions of the Software.
15207 //
15208 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15209 // OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
15210 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
15211 // NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
15212 // DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
15213 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
15214 // USE OR OTHER DEALINGS IN THE SOFTWARE.
15215
15216 // Adapted on Jan 2018 from version 4.0.1 at https://github.com/indutny/miller-rabin
15217
15218 // Sample syntax for Fixed-Base Miller-Rabin:
15219 // millerRabin(n, k, () => new BN(small_primes[Math.random() * small_primes.length | 0]))
15220
15221 /**
15222 * Tests whether n is probably prime or not using the Miller-Rabin test.
15223 * See HAC Remark 4.28.
15224 * @param {BigInteger} n - Number to test
15225 * @param {Integer} k - Optional number of iterations of Miller-Rabin test
15226 * @param {Function} rand - Optional function to generate potential witnesses
15227 * @returns {boolean}
15228 * @async
15229 */
15230 async function millerRabin(n, k, rand) {
15231 const BigInteger = await util.getBigInteger();
15232 const len = n.bitLength();
15233
15234 if (!k) {
15235 k = Math.max(1, (len / 48) | 0);
15236 }
15237
15238 const n1 = n.dec(); // n - 1
15239
15240 // Find d and s, (n - 1) = (2 ^ s) * d;
15241 let s = 0;
15242 while (!n1.getBit(s)) { s++; }
15243 const d = n.rightShift(new BigInteger(s));
15244
15245 for (; k > 0; k--) {
15246 const a = rand ? rand() : await getRandomBigInteger(new BigInteger(2), n1);
15247
15248 let x = a.modExp(d, n);
15249 if (x.isOne() || x.equal(n1)) {
15250 continue;
15251 }
15252
15253 let i;
15254 for (i = 1; i < s; i++) {
15255 x = x.mul(x).mod(n);
15256
15257 if (x.isOne()) {
15258 return false;
15259 }
15260 if (x.equal(n1)) {
15261 break;
15262 }
15263 }
15264
15265 if (i === s) {
15266 return false;
15267 }
15268 }
15269
15270 return true;
15271 }
15272
15273 // GPG4Browsers - An OpenPGP implementation in javascript
15274
15275 /**
15276 * ASN1 object identifiers for hashes
15277 * @see {@link https://tools.ietf.org/html/rfc4880#section-5.2.2}
15278 */
15279 const hash_headers = [];
15280 hash_headers[1] = [0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04,
15281 0x10];
15282 hash_headers[2] = [0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14];
15283 hash_headers[3] = [0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x24, 0x03, 0x02, 0x01, 0x05, 0x00, 0x04, 0x14];
15284 hash_headers[8] = [0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00,
15285 0x04, 0x20];
15286 hash_headers[9] = [0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00,
15287 0x04, 0x30];
15288 hash_headers[10] = [0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
15289 0x00, 0x04, 0x40];
15290 hash_headers[11] = [0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05,
15291 0x00, 0x04, 0x1C];
15292
15293 /**
15294 * Create padding with secure random data
15295 * @private
15296 * @param {Integer} length - Length of the padding in bytes
15297 * @returns {Uint8Array} Random padding.
15298 * @async
15299 */
15300 async function getPkcs1Padding(length) {
15301 const result = new Uint8Array(length);
15302 let count = 0;
15303 while (count < length) {
15304 const randomBytes = await getRandomBytes(length - count);
15305 for (let i = 0; i < randomBytes.length; i++) {
15306 if (randomBytes[i] !== 0) {
15307 result[count++] = randomBytes[i];
15308 }
15309 }
15310 }
15311 return result;
15312 }
15313
15314 /**
15315 * Create a EME-PKCS1-v1_5 padded message
15316 * @see {@link https://tools.ietf.org/html/rfc4880#section-13.1.1|RFC 4880 13.1.1}
15317 * @param {Uint8Array} message - Message to be encoded
15318 * @param {Integer} keyLength - The length in octets of the key modulus
15319 * @returns {Uint8Array} EME-PKCS1 padded message.
15320 * @async
15321 */
15322 async function emeEncode(message, keyLength) {
15323 const mLength = message.length;
15324 // length checking
15325 if (mLength > keyLength - 11) {
15326 throw new Error('Message too long');
15327 }
15328 // Generate an octet string PS of length k - mLen - 3 consisting of
15329 // pseudo-randomly generated nonzero octets
15330 const PS = await getPkcs1Padding(keyLength - mLength - 3);
15331 // Concatenate PS, the message M, and other padding to form an
15332 // encoded message EM of length k octets as EM = 0x00 || 0x02 || PS || 0x00 || M.
15333 const encoded = new Uint8Array(keyLength);
15334 // 0x00 byte
15335 encoded[1] = 2;
15336 encoded.set(PS, 2);
15337 // 0x00 bytes
15338 encoded.set(message, keyLength - mLength);
15339 return encoded;
15340 }
15341
15342 /**
15343 * Decode a EME-PKCS1-v1_5 padded message
15344 * @see {@link https://tools.ietf.org/html/rfc4880#section-13.1.2|RFC 4880 13.1.2}
15345 * @param {Uint8Array} encoded - Encoded message bytes
15346 * @returns {Uint8Array} Message.
15347 */
15348 function emeDecode(encoded) {
15349 let i = 2;
15350 while (encoded[i] !== 0 && i < encoded.length) {
15351 i++;
15352 }
15353 const psLen = i - 2;
15354 const separator = encoded[i++];
15355 if (encoded[0] === 0 && encoded[1] === 2 && psLen >= 8 && separator === 0) {
15356 return encoded.subarray(i);
15357 }
15358 throw new Error('Decryption error');
15359 }
15360
15361 /**
15362 * Create a EMSA-PKCS1-v1_5 padded message
15363 * @see {@link https://tools.ietf.org/html/rfc4880#section-13.1.3|RFC 4880 13.1.3}
15364 * @param {Integer} algo - Hash algorithm type used
15365 * @param {Uint8Array} hashed - Message to be encoded
15366 * @param {Integer} emLen - Intended length in octets of the encoded message
15367 * @returns {Uint8Array} Encoded message.
15368 */
15369 async function emsaEncode(algo, hashed, emLen) {
15370 let i;
15371 if (hashed.length !== hash.getHashByteLength(algo)) {
15372 throw new Error('Invalid hash length');
15373 }
15374 // produce an ASN.1 DER value for the hash function used.
15375 // Let T be the full hash prefix
15376 const hashPrefix = new Uint8Array(hash_headers[algo].length);
15377 for (i = 0; i < hash_headers[algo].length; i++) {
15378 hashPrefix[i] = hash_headers[algo][i];
15379 }
15380 // and let tLen be the length in octets prefix and hashed data
15381 const tLen = hashPrefix.length + hashed.length;
15382 if (emLen < tLen + 11) {
15383 throw new Error('Intended encoded message length too short');
15384 }
15385 // an octet string PS consisting of emLen - tLen - 3 octets with hexadecimal value 0xFF
15386 // The length of PS will be at least 8 octets
15387 const PS = new Uint8Array(emLen - tLen - 3).fill(0xff);
15388
15389 // Concatenate PS, the hash prefix, hashed data, and other padding to form the
15390 // encoded message EM as EM = 0x00 || 0x01 || PS || 0x00 || prefix || hashed
15391 const EM = new Uint8Array(emLen);
15392 EM[1] = 0x01;
15393 EM.set(PS, 2);
15394 EM.set(hashPrefix, emLen - tLen);
15395 EM.set(hashed, emLen - hashed.length);
15396 return EM;
15397 }
15398
15399 var pkcs1 = /*#__PURE__*/Object.freeze({
15400 __proto__: null,
15401 emeEncode: emeEncode,
15402 emeDecode: emeDecode,
15403 emsaEncode: emsaEncode
15404 });
15405
15406 // GPG4Browsers - An OpenPGP implementation in javascript
15407
15408 const webCrypto$5 = util.getWebCrypto();
15409 const nodeCrypto$6 = util.getNodeCrypto();
15410 const asn1 = nodeCrypto$6 ? void('asn1.js') : undefined;
15411
15412 // Helper for IE11 KeyOperation objects
15413 function promisifyIE11Op(keyObj, err) {
15414 if (typeof keyObj.then !== 'function') { // IE11 KeyOperation
15415 return new Promise(function(resolve, reject) {
15416 keyObj.onerror = function () {
15417 reject(new Error(err));
15418 };
15419 keyObj.oncomplete = function (e) {
15420 resolve(e.target.result);
15421 };
15422 });
15423 }
15424 return keyObj;
15425 }
15426
15427 /* eslint-disable no-invalid-this */
15428 const RSAPrivateKey = util.detectNode() ? asn1.define('RSAPrivateKey', function () {
15429 this.seq().obj( // used for native NodeJS crypto
15430 this.key('version').int(), // 0
15431 this.key('modulus').int(), // n
15432 this.key('publicExponent').int(), // e
15433 this.key('privateExponent').int(), // d
15434 this.key('prime1').int(), // p
15435 this.key('prime2').int(), // q
15436 this.key('exponent1').int(), // dp
15437 this.key('exponent2').int(), // dq
15438 this.key('coefficient').int() // u
15439 );
15440 }) : undefined;
15441
15442 const RSAPublicKey = util.detectNode() ? asn1.define('RSAPubliceKey', function () {
15443 this.seq().obj( // used for native NodeJS crypto
15444 this.key('modulus').int(), // n
15445 this.key('publicExponent').int(), // e
15446 );
15447 }) : undefined;
15448 /* eslint-enable no-invalid-this */
15449
15450 /** Create signature
15451 * @param {module:enums.hash} hash_algo - Hash algorithm
15452 * @param {Uint8Array} data - Message
15453 * @param {Uint8Array} n - RSA public modulus
15454 * @param {Uint8Array} e - RSA public exponent
15455 * @param {Uint8Array} d - RSA private exponent
15456 * @param {Uint8Array} p - RSA private prime p
15457 * @param {Uint8Array} q - RSA private prime q
15458 * @param {Uint8Array} u - RSA private coefficient
15459 * @param {Uint8Array} hashed - Hashed message
15460 * @returns {Uint8Array} RSA Signature.
15461 * @async
15462 */
15463 async function sign(hash_algo, data, n, e, d, p, q, u, hashed) {
15464 if (data && !util.isStream(data)) {
15465 if (util.getWebCrypto()) {
15466 try {
15467 return await webSign(enums.read(enums.webHash, hash_algo), data, n, e, d, p, q, u);
15468 } catch (err) {
15469 util.printDebugError(err);
15470 }
15471 } else if (util.getNodeCrypto()) {
15472 return nodeSign(hash_algo, data, n, e, d, p, q, u);
15473 }
15474 }
15475 return bnSign(hash_algo, n, d, hashed);
15476 }
15477
15478 /**
15479 * Verify signature
15480 * @param {module:enums.hash} hash_algo - Hash algorithm
15481 * @param {Uint8Array} data - Message
15482 * @param {Uint8Array} s - Signature
15483 * @param {Uint8Array} n - RSA public modulus
15484 * @param {Uint8Array} e - RSA public exponent
15485 * @param {Uint8Array} hashed - Hashed message
15486 * @returns {Boolean}
15487 * @async
15488 */
15489 async function verify(hash_algo, data, s, n, e, hashed) {
15490 if (data && !util.isStream(data)) {
15491 if (util.getWebCrypto()) {
15492 try {
15493 return await webVerify(enums.read(enums.webHash, hash_algo), data, s, n, e);
15494 } catch (err) {
15495 util.printDebugError(err);
15496 }
15497 } else if (util.getNodeCrypto()) {
15498 return nodeVerify(hash_algo, data, s, n, e);
15499 }
15500 }
15501 return bnVerify(hash_algo, s, n, e, hashed);
15502 }
15503
15504 /**
15505 * Encrypt message
15506 * @param {Uint8Array} data - Message
15507 * @param {Uint8Array} n - RSA public modulus
15508 * @param {Uint8Array} e - RSA public exponent
15509 * @returns {Uint8Array} RSA Ciphertext.
15510 * @async
15511 */
15512 async function encrypt$1(data, n, e) {
15513 if (util.getNodeCrypto()) {
15514 return nodeEncrypt$1(data, n, e);
15515 }
15516 return bnEncrypt(data, n, e);
15517 }
15518
15519 /**
15520 * Decrypt RSA message
15521 * @param {Uint8Array} m - Message
15522 * @param {Uint8Array} n - RSA public modulus
15523 * @param {Uint8Array} e - RSA public exponent
15524 * @param {Uint8Array} d - RSA private exponent
15525 * @param {Uint8Array} p - RSA private prime p
15526 * @param {Uint8Array} q - RSA private prime q
15527 * @param {Uint8Array} u - RSA private coefficient
15528 * @returns {String} RSA Plaintext.
15529 * @async
15530 */
15531 async function decrypt$1(data, n, e, d, p, q, u) {
15532 if (util.getNodeCrypto()) {
15533 return nodeDecrypt$1(data, n, e, d, p, q, u);
15534 }
15535 return bnDecrypt(data, n, e, d, p, q, u);
15536 }
15537
15538 /**
15539 * Generate a new random private key B bits long with public exponent E.
15540 *
15541 * When possible, webCrypto or nodeCrypto is used. Otherwise, primes are generated using
15542 * 40 rounds of the Miller-Rabin probabilistic random prime generation algorithm.
15543 * @see module:crypto/public_key/prime
15544 * @param {Integer} bits - RSA bit length
15545 * @param {Integer} e - RSA public exponent
15546 * @returns {{n, e, d,
15547 * p, q ,u: Uint8Array}} RSA public modulus, RSA public exponent, RSA private exponent,
15548 * RSA private prime p, RSA private prime q, u = p ** -1 mod q
15549 * @async
15550 */
15551 async function generate(bits, e) {
15552 const BigInteger = await util.getBigInteger();
15553
15554 e = new BigInteger(e);
15555
15556 // Native RSA keygen using Web Crypto
15557 if (util.getWebCrypto()) {
15558 let keyPair;
15559 let keyGenOpt;
15560 if ((globalThis.crypto && globalThis.crypto.subtle) || globalThis.msCrypto) {
15561 // current standard spec
15562 keyGenOpt = {
15563 name: 'RSASSA-PKCS1-v1_5',
15564 modulusLength: bits, // the specified keysize in bits
15565 publicExponent: e.toUint8Array(), // take three bytes (max 65537) for exponent
15566 hash: {
15567 name: 'SHA-1' // not required for actual RSA keys, but for crypto api 'sign' and 'verify'
15568 }
15569 };
15570 keyPair = webCrypto$5.generateKey(keyGenOpt, true, ['sign', 'verify']);
15571 keyPair = await promisifyIE11Op(keyPair, 'Error generating RSA key pair.');
15572 } else if (globalThis.crypto && globalThis.crypto.webkitSubtle) {
15573 // outdated spec implemented by old Webkit
15574 keyGenOpt = {
15575 name: 'RSA-OAEP',
15576 modulusLength: bits, // the specified keysize in bits
15577 publicExponent: e.toUint8Array(), // take three bytes (max 65537) for exponent
15578 hash: {
15579 name: 'SHA-1' // not required for actual RSA keys, but for crypto api 'sign' and 'verify'
15580 }
15581 };
15582 keyPair = await webCrypto$5.generateKey(keyGenOpt, true, ['encrypt', 'decrypt']);
15583 } else {
15584 throw new Error('Unknown WebCrypto implementation');
15585 }
15586
15587 // export the generated keys as JsonWebKey (JWK)
15588 // https://tools.ietf.org/html/draft-ietf-jose-json-web-key-33
15589 let jwk = webCrypto$5.exportKey('jwk', keyPair.privateKey);
15590 jwk = await promisifyIE11Op(jwk, 'Error exporting RSA key pair.');
15591
15592 // parse raw ArrayBuffer bytes to jwk/json (WebKit/Safari/IE11 quirk)
15593 if (jwk instanceof ArrayBuffer) {
15594 jwk = JSON.parse(String.fromCharCode.apply(null, new Uint8Array(jwk)));
15595 }
15596 // map JWK parameters to corresponding OpenPGP names
15597 return {
15598 n: b64ToUint8Array(jwk.n),
15599 e: e.toUint8Array(),
15600 d: b64ToUint8Array(jwk.d),
15601 // switch p and q
15602 p: b64ToUint8Array(jwk.q),
15603 q: b64ToUint8Array(jwk.p),
15604 // Since p and q are switched in places, u is the inverse of jwk.q
15605 u: b64ToUint8Array(jwk.qi)
15606 };
15607 } else if (util.getNodeCrypto() && nodeCrypto$6.generateKeyPair && RSAPrivateKey) {
15608 const opts = {
15609 modulusLength: bits,
15610 publicExponent: e.toNumber(),
15611 publicKeyEncoding: { type: 'pkcs1', format: 'der' },
15612 privateKeyEncoding: { type: 'pkcs1', format: 'der' }
15613 };
15614 const prv = await new Promise((resolve, reject) => nodeCrypto$6.generateKeyPair('rsa', opts, (err, _, der) => {
15615 if (err) {
15616 reject(err);
15617 } else {
15618 resolve(RSAPrivateKey.decode(der, 'der'));
15619 }
15620 }));
15621 /**
15622 * OpenPGP spec differs from DER spec, DER: `u = (inverse of q) mod p`, OpenPGP: `u = (inverse of p) mod q`.
15623 * @link https://tools.ietf.org/html/rfc3447#section-3.2
15624 * @link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-08#section-5.6.1
15625 */
15626 return {
15627 n: prv.modulus.toArrayLike(Uint8Array),
15628 e: prv.publicExponent.toArrayLike(Uint8Array),
15629 d: prv.privateExponent.toArrayLike(Uint8Array),
15630 // switch p and q
15631 p: prv.prime2.toArrayLike(Uint8Array),
15632 q: prv.prime1.toArrayLike(Uint8Array),
15633 // Since p and q are switched in places, we can keep u as defined by DER
15634 u: prv.coefficient.toArrayLike(Uint8Array)
15635 };
15636 }
15637
15638 // RSA keygen fallback using 40 iterations of the Miller-Rabin test
15639 // See https://stackoverflow.com/a/6330138 for justification
15640 // Also see section C.3 here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST
15641 let q = await randomProbablePrime(bits - (bits >> 1), e, 40);
15642 let p = await randomProbablePrime(bits >> 1, e, 40);
15643
15644 if (q.lt(p)) {
15645 [p, q] = [q, p];
15646 }
15647 const phi = p.dec().imul(q.dec());
15648 return {
15649 n: p.mul(q).toUint8Array(),
15650 e: e.toUint8Array(),
15651 d: e.modInv(phi).toUint8Array(),
15652 p: p.toUint8Array(),
15653 q: q.toUint8Array(),
15654 // dp: d.mod(p.subn(1)),
15655 // dq: d.mod(q.subn(1)),
15656 u: p.modInv(q).toUint8Array()
15657 };
15658 }
15659
15660 /**
15661 * Validate RSA parameters
15662 * @param {Uint8Array} n - RSA public modulus
15663 * @param {Uint8Array} e - RSA public exponent
15664 * @param {Uint8Array} d - RSA private exponent
15665 * @param {Uint8Array} p - RSA private prime p
15666 * @param {Uint8Array} q - RSA private prime q
15667 * @param {Uint8Array} u - RSA inverse of p w.r.t. q
15668 * @returns {Boolean} Whether params are valid.
15669 * @async
15670 */
15671 async function validateParams(n, e, d, p, q, u) {
15672 const BigInteger = await util.getBigInteger();
15673 n = new BigInteger(n);
15674 p = new BigInteger(p);
15675 q = new BigInteger(q);
15676
15677 // expect pq = n
15678 if (!p.mul(q).equal(n)) {
15679 return false;
15680 }
15681
15682 const two = new BigInteger(2);
15683 // expect p*u = 1 mod q
15684 u = new BigInteger(u);
15685 if (!p.mul(u).mod(q).isOne()) {
15686 return false;
15687 }
15688
15689 e = new BigInteger(e);
15690 d = new BigInteger(d);
15691 /**
15692 * In RSA pkcs#1 the exponents (d, e) are inverses modulo lcm(p-1, q-1)
15693 * We check that [de = 1 mod (p-1)] and [de = 1 mod (q-1)]
15694 * By CRT on coprime factors of (p-1, q-1) it follows that [de = 1 mod lcm(p-1, q-1)]
15695 *
15696 * We blind the multiplication with r, and check that rde = r mod lcm(p-1, q-1)
15697 */
15698 const nSizeOver3 = new BigInteger(Math.floor(n.bitLength() / 3));
15699 const r = await getRandomBigInteger(two, two.leftShift(nSizeOver3)); // r in [ 2, 2^{|n|/3} ) < p and q
15700 const rde = r.mul(d).mul(e);
15701
15702 const areInverses = rde.mod(p.dec()).equal(r) && rde.mod(q.dec()).equal(r);
15703 if (!areInverses) {
15704 return false;
15705 }
15706
15707 return true;
15708 }
15709
15710 async function bnSign(hash_algo, n, d, hashed) {
15711 const BigInteger = await util.getBigInteger();
15712 n = new BigInteger(n);
15713 const m = new BigInteger(await emsaEncode(hash_algo, hashed, n.byteLength()));
15714 d = new BigInteger(d);
15715 if (m.gte(n)) {
15716 throw new Error('Message size cannot exceed modulus size');
15717 }
15718 return m.modExp(d, n).toUint8Array('be', n.byteLength());
15719 }
15720
15721 async function webSign(hash_name, data, n, e, d, p, q, u) {
15722 /** OpenPGP keys require that p < q, and Safari Web Crypto requires that p > q.
15723 * We swap them in privateToJwk, so it usually works out, but nevertheless,
15724 * not all OpenPGP keys are compatible with this requirement.
15725 * OpenPGP.js used to generate RSA keys the wrong way around (p > q), and still
15726 * does if the underlying Web Crypto does so (e.g. old MS Edge 50% of the time).
15727 */
15728 const jwk = await privateToJwk(n, e, d, p, q, u);
15729 const algo = {
15730 name: "RSASSA-PKCS1-v1_5",
15731 hash: { name: hash_name }
15732 };
15733 const key = await webCrypto$5.importKey("jwk", jwk, algo, false, ["sign"]);
15734 // add hash field for ms edge support
15735 return new Uint8Array(await webCrypto$5.sign({ "name": "RSASSA-PKCS1-v1_5", "hash": hash_name }, key, data));
15736 }
15737
15738 async function nodeSign(hash_algo, data, n, e, d, p, q, u) {
15739 const { default: BN } = await Promise.resolve().then(function () { return bn$1; });
15740 const pBNum = new BN(p);
15741 const qBNum = new BN(q);
15742 const dBNum = new BN(d);
15743 const dq = dBNum.mod(qBNum.subn(1)); // d mod (q-1)
15744 const dp = dBNum.mod(pBNum.subn(1)); // d mod (p-1)
15745 const sign = nodeCrypto$6.createSign(enums.read(enums.hash, hash_algo));
15746 sign.write(data);
15747 sign.end();
15748 const keyObject = {
15749 version: 0,
15750 modulus: new BN(n),
15751 publicExponent: new BN(e),
15752 privateExponent: new BN(d),
15753 // switch p and q
15754 prime1: new BN(q),
15755 prime2: new BN(p),
15756 // switch dp and dq
15757 exponent1: dq,
15758 exponent2: dp,
15759 coefficient: new BN(u)
15760 };
15761 if (typeof nodeCrypto$6.createPrivateKey !== 'undefined') { //from version 11.6.0 Node supports der encoded key objects
15762 const der = RSAPrivateKey.encode(keyObject, 'der');
15763 return new Uint8Array(sign.sign({ key: der, format: 'der', type: 'pkcs1' }));
15764 }
15765 const pem = RSAPrivateKey.encode(keyObject, 'pem', {
15766 label: 'RSA PRIVATE KEY'
15767 });
15768 return new Uint8Array(sign.sign(pem));
15769 }
15770
15771 async function bnVerify(hash_algo, s, n, e, hashed) {
15772 const BigInteger = await util.getBigInteger();
15773 n = new BigInteger(n);
15774 s = new BigInteger(s);
15775 e = new BigInteger(e);
15776 if (s.gte(n)) {
15777 throw new Error('Signature size cannot exceed modulus size');
15778 }
15779 const EM1 = s.modExp(e, n).toUint8Array('be', n.byteLength());
15780 const EM2 = await emsaEncode(hash_algo, hashed, n.byteLength());
15781 return util.equalsUint8Array(EM1, EM2);
15782 }
15783
15784 async function webVerify(hash_name, data, s, n, e) {
15785 const jwk = publicToJwk(n, e);
15786 const key = await webCrypto$5.importKey("jwk", jwk, {
15787 name: "RSASSA-PKCS1-v1_5",
15788 hash: { name: hash_name }
15789 }, false, ["verify"]);
15790 // add hash field for ms edge support
15791 return webCrypto$5.verify({ "name": "RSASSA-PKCS1-v1_5", "hash": hash_name }, key, s, data);
15792 }
15793
15794 async function nodeVerify(hash_algo, data, s, n, e) {
15795 const { default: BN } = await Promise.resolve().then(function () { return bn$1; });
15796
15797 const verify = nodeCrypto$6.createVerify(enums.read(enums.hash, hash_algo));
15798 verify.write(data);
15799 verify.end();
15800 const keyObject = {
15801 modulus: new BN(n),
15802 publicExponent: new BN(e)
15803 };
15804 let key;
15805 if (typeof nodeCrypto$6.createPrivateKey !== 'undefined') { //from version 11.6.0 Node supports der encoded key objects
15806 const der = RSAPublicKey.encode(keyObject, 'der');
15807 key = { key: der, format: 'der', type: 'pkcs1' };
15808 } else {
15809 key = RSAPublicKey.encode(keyObject, 'pem', {
15810 label: 'RSA PUBLIC KEY'
15811 });
15812 }
15813 try {
15814 return await verify.verify(key, s);
15815 } catch (err) {
15816 return false;
15817 }
15818 }
15819
15820 async function nodeEncrypt$1(data, n, e) {
15821 const { default: BN } = await Promise.resolve().then(function () { return bn$1; });
15822
15823 const keyObject = {
15824 modulus: new BN(n),
15825 publicExponent: new BN(e)
15826 };
15827 let key;
15828 if (typeof nodeCrypto$6.createPrivateKey !== 'undefined') {
15829 const der = RSAPublicKey.encode(keyObject, 'der');
15830 key = { key: der, format: 'der', type: 'pkcs1', padding: nodeCrypto$6.constants.RSA_PKCS1_PADDING };
15831 } else {
15832 const pem = RSAPublicKey.encode(keyObject, 'pem', {
15833 label: 'RSA PUBLIC KEY'
15834 });
15835 key = { key: pem, padding: nodeCrypto$6.constants.RSA_PKCS1_PADDING };
15836 }
15837 return new Uint8Array(nodeCrypto$6.publicEncrypt(key, data));
15838 }
15839
15840 async function bnEncrypt(data, n, e) {
15841 const BigInteger = await util.getBigInteger();
15842 n = new BigInteger(n);
15843 data = new BigInteger(await emeEncode(data, n.byteLength()));
15844 e = new BigInteger(e);
15845 if (data.gte(n)) {
15846 throw new Error('Message size cannot exceed modulus size');
15847 }
15848 return data.modExp(e, n).toUint8Array('be', n.byteLength());
15849 }
15850
15851 async function nodeDecrypt$1(data, n, e, d, p, q, u) {
15852 const { default: BN } = await Promise.resolve().then(function () { return bn$1; });
15853
15854 const pBNum = new BN(p);
15855 const qBNum = new BN(q);
15856 const dBNum = new BN(d);
15857 const dq = dBNum.mod(qBNum.subn(1)); // d mod (q-1)
15858 const dp = dBNum.mod(pBNum.subn(1)); // d mod (p-1)
15859 const keyObject = {
15860 version: 0,
15861 modulus: new BN(n),
15862 publicExponent: new BN(e),
15863 privateExponent: new BN(d),
15864 // switch p and q
15865 prime1: new BN(q),
15866 prime2: new BN(p),
15867 // switch dp and dq
15868 exponent1: dq,
15869 exponent2: dp,
15870 coefficient: new BN(u)
15871 };
15872 let key;
15873 if (typeof nodeCrypto$6.createPrivateKey !== 'undefined') {
15874 const der = RSAPrivateKey.encode(keyObject, 'der');
15875 key = { key: der, format: 'der' , type: 'pkcs1', padding: nodeCrypto$6.constants.RSA_PKCS1_PADDING };
15876 } else {
15877 const pem = RSAPrivateKey.encode(keyObject, 'pem', {
15878 label: 'RSA PRIVATE KEY'
15879 });
15880 key = { key: pem, padding: nodeCrypto$6.constants.RSA_PKCS1_PADDING };
15881 }
15882 try {
15883 return new Uint8Array(nodeCrypto$6.privateDecrypt(key, data));
15884 } catch (err) {
15885 throw new Error('Decryption error');
15886 }
15887 }
15888
15889 async function bnDecrypt(data, n, e, d, p, q, u) {
15890 const BigInteger = await util.getBigInteger();
15891 data = new BigInteger(data);
15892 n = new BigInteger(n);
15893 e = new BigInteger(e);
15894 d = new BigInteger(d);
15895 p = new BigInteger(p);
15896 q = new BigInteger(q);
15897 u = new BigInteger(u);
15898 if (data.gte(n)) {
15899 throw new Error('Data too large.');
15900 }
15901 const dq = d.mod(q.dec()); // d mod (q-1)
15902 const dp = d.mod(p.dec()); // d mod (p-1)
15903
15904 const unblinder = (await getRandomBigInteger(new BigInteger(2), n)).mod(n);
15905 const blinder = unblinder.modInv(n).modExp(e, n);
15906 data = data.mul(blinder).mod(n);
15907
15908
15909 const mp = data.modExp(dp, p); // data**{d mod (q-1)} mod p
15910 const mq = data.modExp(dq, q); // data**{d mod (p-1)} mod q
15911 const h = u.mul(mq.sub(mp)).mod(q); // u * (mq-mp) mod q (operands already < q)
15912
15913 let result = h.mul(p).add(mp); // result < n due to relations above
15914
15915 result = result.mul(unblinder).mod(n);
15916
15917
15918 return emeDecode(result.toUint8Array('be', n.byteLength()));
15919 }
15920
15921 /** Convert Openpgp private key params to jwk key according to
15922 * @link https://tools.ietf.org/html/rfc7517
15923 * @param {String} hash_algo
15924 * @param {Uint8Array} n
15925 * @param {Uint8Array} e
15926 * @param {Uint8Array} d
15927 * @param {Uint8Array} p
15928 * @param {Uint8Array} q
15929 * @param {Uint8Array} u
15930 */
15931 async function privateToJwk(n, e, d, p, q, u) {
15932 const BigInteger = await util.getBigInteger();
15933 const pNum = new BigInteger(p);
15934 const qNum = new BigInteger(q);
15935 const dNum = new BigInteger(d);
15936
15937 let dq = dNum.mod(qNum.dec()); // d mod (q-1)
15938 let dp = dNum.mod(pNum.dec()); // d mod (p-1)
15939 dp = dp.toUint8Array();
15940 dq = dq.toUint8Array();
15941 return {
15942 kty: 'RSA',
15943 n: uint8ArrayToB64(n, true),
15944 e: uint8ArrayToB64(e, true),
15945 d: uint8ArrayToB64(d, true),
15946 // switch p and q
15947 p: uint8ArrayToB64(q, true),
15948 q: uint8ArrayToB64(p, true),
15949 // switch dp and dq
15950 dp: uint8ArrayToB64(dq, true),
15951 dq: uint8ArrayToB64(dp, true),
15952 qi: uint8ArrayToB64(u, true),
15953 ext: true
15954 };
15955 }
15956
15957 /** Convert Openpgp key public params to jwk key according to
15958 * @link https://tools.ietf.org/html/rfc7517
15959 * @param {String} hash_algo
15960 * @param {Uint8Array} n
15961 * @param {Uint8Array} e
15962 */
15963 function publicToJwk(n, e) {
15964 return {
15965 kty: 'RSA',
15966 n: uint8ArrayToB64(n, true),
15967 e: uint8ArrayToB64(e, true),
15968 ext: true
15969 };
15970 }
15971
15972 var rsa = /*#__PURE__*/Object.freeze({
15973 __proto__: null,
15974 sign: sign,
15975 verify: verify,
15976 encrypt: encrypt$1,
15977 decrypt: decrypt$1,
15978 generate: generate,
15979 validateParams: validateParams
15980 });
15981
15982 // GPG4Browsers - An OpenPGP implementation in javascript
15983
15984 /**
15985 * ElGamal Encryption function
15986 * Note that in OpenPGP, the message needs to be padded with PKCS#1 (same as RSA)
15987 * @param {Uint8Array} data - To be padded and encrypted
15988 * @param {Uint8Array} p
15989 * @param {Uint8Array} g
15990 * @param {Uint8Array} y
15991 * @returns {{ c1: Uint8Array, c2: Uint8Array }}
15992 * @async
15993 */
15994 async function encrypt$2(data, p, g, y) {
15995 const BigInteger = await util.getBigInteger();
15996 p = new BigInteger(p);
15997 g = new BigInteger(g);
15998 y = new BigInteger(y);
15999
16000 const padded = await emeEncode(data, p.byteLength());
16001 const m = new BigInteger(padded);
16002
16003 // OpenPGP uses a "special" version of ElGamal where g is generator of the full group Z/pZ*
16004 // hence g has order p-1, and to avoid that k = 0 mod p-1, we need to pick k in [1, p-2]
16005 const k = await getRandomBigInteger(new BigInteger(1), p.dec());
16006 return {
16007 c1: g.modExp(k, p).toUint8Array(),
16008 c2: y.modExp(k, p).imul(m).imod(p).toUint8Array()
16009 };
16010 }
16011
16012 /**
16013 * ElGamal Encryption function
16014 * @param {Uint8Array} c1
16015 * @param {Uint8Array} c2
16016 * @param {Uint8Array} p
16017 * @param {Uint8Array} x
16018 * @returns {Uint8Array} Unpadded message.
16019 * @async
16020 */
16021 async function decrypt$2(c1, c2, p, x) {
16022 const BigInteger = await util.getBigInteger();
16023 c1 = new BigInteger(c1);
16024 c2 = new BigInteger(c2);
16025 p = new BigInteger(p);
16026 x = new BigInteger(x);
16027
16028 const padded = c1.modExp(x, p).modInv(p).imul(c2).imod(p);
16029 return emeDecode(padded.toUint8Array('be', p.byteLength()));
16030 }
16031
16032 /**
16033 * Validate ElGamal parameters
16034 * @param {Uint8Array} p - ElGamal prime
16035 * @param {Uint8Array} g - ElGamal group generator
16036 * @param {Uint8Array} y - ElGamal public key
16037 * @param {Uint8Array} x - ElGamal private exponent
16038 * @returns {Boolean} Whether params are valid.
16039 * @async
16040 */
16041 async function validateParams$1(p, g, y, x) {
16042 const BigInteger = await util.getBigInteger();
16043 p = new BigInteger(p);
16044 g = new BigInteger(g);
16045 y = new BigInteger(y);
16046
16047 const one = new BigInteger(1);
16048 // Check that 1 < g < p
16049 if (g.lte(one) || g.gte(p)) {
16050 return false;
16051 }
16052
16053 // Expect p-1 to be large
16054 const pSize = new BigInteger(p.bitLength());
16055 const n1023 = new BigInteger(1023);
16056 if (pSize.lt(n1023)) {
16057 return false;
16058 }
16059
16060 /**
16061 * g should have order p-1
16062 * Check that g ** (p-1) = 1 mod p
16063 */
16064 if (!g.modExp(p.dec(), p).isOne()) {
16065 return false;
16066 }
16067
16068 /**
16069 * Since p-1 is not prime, g might have a smaller order that divides p-1
16070 * We want to make sure that the order is large enough to hinder a small subgroup attack
16071 *
16072 * We just check g**i != 1 for all i up to a threshold
16073 */
16074 let res = g;
16075 const i = new BigInteger(1);
16076 const threshold = new BigInteger(2).leftShift(new BigInteger(17)); // we want order > threshold
16077 while (i.lt(threshold)) {
16078 res = res.mul(g).imod(p);
16079 if (res.isOne()) {
16080 return false;
16081 }
16082 i.iinc();
16083 }
16084
16085 /**
16086 * Re-derive public key y' = g ** x mod p
16087 * Expect y == y'
16088 *
16089 * Blinded exponentiation computes g**{r(p-1) + x} to compare to y
16090 */
16091 x = new BigInteger(x);
16092 const two = new BigInteger(2);
16093 const r = await getRandomBigInteger(two.leftShift(pSize.dec()), two.leftShift(pSize)); // draw r of same size as p-1
16094 const rqx = p.dec().imul(r).iadd(x);
16095 if (!y.equal(g.modExp(rqx, p))) {
16096 return false;
16097 }
16098
16099 return true;
16100 }
16101
16102 var elgamal = /*#__PURE__*/Object.freeze({
16103 __proto__: null,
16104 encrypt: encrypt$2,
16105 decrypt: decrypt$2,
16106 validateParams: validateParams$1
16107 });
16108
16109 // OpenPGP.js - An OpenPGP implementation in javascript
16110
16111 class OID {
16112 constructor(oid) {
16113 if (oid instanceof OID) {
16114 this.oid = oid.oid;
16115 } else if (util.isArray(oid) ||
16116 util.isUint8Array(oid)) {
16117 oid = new Uint8Array(oid);
16118 if (oid[0] === 0x06) { // DER encoded oid byte array
16119 if (oid[1] !== oid.length - 2) {
16120 throw new Error('Length mismatch in DER encoded oid');
16121 }
16122 oid = oid.subarray(2);
16123 }
16124 this.oid = oid;
16125 } else {
16126 this.oid = '';
16127 }
16128 }
16129
16130 /**
16131 * Method to read an OID object
16132 * @param {Uint8Array} input - Where to read the OID from
16133 * @returns {Number} Number of read bytes.
16134 */
16135 read(input) {
16136 if (input.length >= 1) {
16137 const length = input[0];
16138 if (input.length >= 1 + length) {
16139 this.oid = input.subarray(1, 1 + length);
16140 return 1 + this.oid.length;
16141 }
16142 }
16143 throw new Error('Invalid oid');
16144 }
16145
16146 /**
16147 * Serialize an OID object
16148 * @returns {Uint8Array} Array with the serialized value the OID.
16149 */
16150 write() {
16151 return util.concatUint8Array([new Uint8Array([this.oid.length]), this.oid]);
16152 }
16153
16154 /**
16155 * Serialize an OID object as a hex string
16156 * @returns {string} String with the hex value of the OID.
16157 */
16158 toHex() {
16159 return util.uint8ArrayToHex(this.oid);
16160 }
16161
16162 /**
16163 * If a known curve object identifier, return the canonical name of the curve
16164 * @returns {string} String with the canonical name of the curve.
16165 */
16166 getName() {
16167 const hex = this.toHex();
16168 if (enums.curve[hex]) {
16169 return enums.write(enums.curve, hex);
16170 } else {
16171 throw new Error('Unknown curve object identifier.');
16172 }
16173 }
16174 }
16175
16176 // OpenPGP.js - An OpenPGP implementation in javascript
16177
16178 function keyFromPrivate(indutnyCurve, priv) {
16179 const keyPair = indutnyCurve.keyPair({ priv: priv });
16180 return keyPair;
16181 }
16182
16183 function keyFromPublic(indutnyCurve, pub) {
16184 const keyPair = indutnyCurve.keyPair({ pub: pub });
16185 if (keyPair.validate().result !== true) {
16186 throw new Error('Invalid elliptic public key');
16187 }
16188 return keyPair;
16189 }
16190
16191 async function getIndutnyCurve(name) {
16192 if (!defaultConfig.useIndutnyElliptic) {
16193 throw new Error('This curve is only supported in the full build of OpenPGP.js');
16194 }
16195 const { default: elliptic } = await Promise.resolve().then(function () { return elliptic$1; });
16196 return new elliptic.ec(name);
16197 }
16198
16199 // OpenPGP.js - An OpenPGP implementation in javascript
16200
16201 const webCrypto$6 = util.getWebCrypto();
16202 const nodeCrypto$7 = util.getNodeCrypto();
16203
16204 const webCurves = {
16205 'p256': 'P-256',
16206 'p384': 'P-384',
16207 'p521': 'P-521'
16208 };
16209 const knownCurves = nodeCrypto$7 ? nodeCrypto$7.getCurves() : [];
16210 const nodeCurves = nodeCrypto$7 ? {
16211 secp256k1: knownCurves.includes('secp256k1') ? 'secp256k1' : undefined,
16212 p256: knownCurves.includes('prime256v1') ? 'prime256v1' : undefined,
16213 p384: knownCurves.includes('secp384r1') ? 'secp384r1' : undefined,
16214 p521: knownCurves.includes('secp521r1') ? 'secp521r1' : undefined,
16215 ed25519: knownCurves.includes('ED25519') ? 'ED25519' : undefined,
16216 curve25519: knownCurves.includes('X25519') ? 'X25519' : undefined,
16217 brainpoolP256r1: knownCurves.includes('brainpoolP256r1') ? 'brainpoolP256r1' : undefined,
16218 brainpoolP384r1: knownCurves.includes('brainpoolP384r1') ? 'brainpoolP384r1' : undefined,
16219 brainpoolP512r1: knownCurves.includes('brainpoolP512r1') ? 'brainpoolP512r1' : undefined
16220 } : {};
16221
16222 const curves = {
16223 p256: {
16224 oid: [0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07],
16225 keyType: enums.publicKey.ecdsa,
16226 hash: enums.hash.sha256,
16227 cipher: enums.symmetric.aes128,
16228 node: nodeCurves.p256,
16229 web: webCurves.p256,
16230 payloadSize: 32,
16231 sharedSize: 256
16232 },
16233 p384: {
16234 oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22],
16235 keyType: enums.publicKey.ecdsa,
16236 hash: enums.hash.sha384,
16237 cipher: enums.symmetric.aes192,
16238 node: nodeCurves.p384,
16239 web: webCurves.p384,
16240 payloadSize: 48,
16241 sharedSize: 384
16242 },
16243 p521: {
16244 oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x23],
16245 keyType: enums.publicKey.ecdsa,
16246 hash: enums.hash.sha512,
16247 cipher: enums.symmetric.aes256,
16248 node: nodeCurves.p521,
16249 web: webCurves.p521,
16250 payloadSize: 66,
16251 sharedSize: 528
16252 },
16253 secp256k1: {
16254 oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x0A],
16255 keyType: enums.publicKey.ecdsa,
16256 hash: enums.hash.sha256,
16257 cipher: enums.symmetric.aes128,
16258 node: nodeCurves.secp256k1,
16259 payloadSize: 32
16260 },
16261 ed25519: {
16262 oid: [0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01],
16263 keyType: enums.publicKey.eddsa,
16264 hash: enums.hash.sha512,
16265 node: false, // nodeCurves.ed25519 TODO
16266 payloadSize: 32
16267 },
16268 curve25519: {
16269 oid: [0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01],
16270 keyType: enums.publicKey.ecdh,
16271 hash: enums.hash.sha256,
16272 cipher: enums.symmetric.aes128,
16273 node: false, // nodeCurves.curve25519 TODO
16274 payloadSize: 32
16275 },
16276 brainpoolP256r1: {
16277 oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07],
16278 keyType: enums.publicKey.ecdsa,
16279 hash: enums.hash.sha256,
16280 cipher: enums.symmetric.aes128,
16281 node: nodeCurves.brainpoolP256r1,
16282 payloadSize: 32
16283 },
16284 brainpoolP384r1: {
16285 oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0B],
16286 keyType: enums.publicKey.ecdsa,
16287 hash: enums.hash.sha384,
16288 cipher: enums.symmetric.aes192,
16289 node: nodeCurves.brainpoolP384r1,
16290 payloadSize: 48
16291 },
16292 brainpoolP512r1: {
16293 oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D],
16294 keyType: enums.publicKey.ecdsa,
16295 hash: enums.hash.sha512,
16296 cipher: enums.symmetric.aes256,
16297 node: nodeCurves.brainpoolP512r1,
16298 payloadSize: 64
16299 }
16300 };
16301
16302 class Curve {
16303 constructor(oid_or_name, params) {
16304 try {
16305 if (util.isArray(oid_or_name) ||
16306 util.isUint8Array(oid_or_name)) {
16307 // by oid byte array
16308 oid_or_name = new OID(oid_or_name);
16309 }
16310 if (oid_or_name instanceof OID) {
16311 // by curve OID
16312 oid_or_name = oid_or_name.getName();
16313 }
16314 // by curve name or oid string
16315 this.name = enums.write(enums.curve, oid_or_name);
16316 } catch (err) {
16317 throw new Error('Not valid curve');
16318 }
16319 params = params || curves[this.name];
16320
16321 this.keyType = params.keyType;
16322
16323 this.oid = params.oid;
16324 this.hash = params.hash;
16325 this.cipher = params.cipher;
16326 this.node = params.node && curves[this.name];
16327 this.web = params.web && curves[this.name];
16328 this.payloadSize = params.payloadSize;
16329 if (this.web && util.getWebCrypto()) {
16330 this.type = 'web';
16331 } else if (this.node && util.getNodeCrypto()) {
16332 this.type = 'node';
16333 } else if (this.name === 'curve25519') {
16334 this.type = 'curve25519';
16335 } else if (this.name === 'ed25519') {
16336 this.type = 'ed25519';
16337 }
16338 }
16339
16340 async genKeyPair() {
16341 let keyPair;
16342 switch (this.type) {
16343 case 'web':
16344 try {
16345 return await webGenKeyPair(this.name);
16346 } catch (err) {
16347 util.printDebugError("Browser did not support generating ec key " + err.message);
16348 break;
16349 }
16350 case 'node':
16351 return nodeGenKeyPair(this.name);
16352 case 'curve25519': {
16353 const privateKey = await getRandomBytes(32);
16354 privateKey[0] = (privateKey[0] & 127) | 64;
16355 privateKey[31] &= 248;
16356 const secretKey = privateKey.slice().reverse();
16357 keyPair = naclFastLight.box.keyPair.fromSecretKey(secretKey);
16358 const publicKey = util.concatUint8Array([new Uint8Array([0x40]), keyPair.publicKey]);
16359 return { publicKey, privateKey };
16360 }
16361 case 'ed25519': {
16362 const privateKey = await getRandomBytes(32);
16363 const keyPair = naclFastLight.sign.keyPair.fromSeed(privateKey);
16364 const publicKey = util.concatUint8Array([new Uint8Array([0x40]), keyPair.publicKey]);
16365 return { publicKey, privateKey };
16366 }
16367 }
16368 const indutnyCurve = await getIndutnyCurve(this.name);
16369 keyPair = await indutnyCurve.genKeyPair({
16370 entropy: util.uint8ArrayToStr(await getRandomBytes(32))
16371 });
16372 return { publicKey: new Uint8Array(keyPair.getPublic('array', false)), privateKey: keyPair.getPrivate().toArrayLike(Uint8Array) };
16373 }
16374 }
16375
16376 async function generate$1(curve) {
16377 const BigInteger = await util.getBigInteger();
16378
16379 curve = new Curve(curve);
16380 const keyPair = await curve.genKeyPair();
16381 const Q = new BigInteger(keyPair.publicKey).toUint8Array();
16382 const secret = new BigInteger(keyPair.privateKey).toUint8Array('be', curve.payloadSize);
16383 return {
16384 oid: curve.oid,
16385 Q,
16386 secret,
16387 hash: curve.hash,
16388 cipher: curve.cipher
16389 };
16390 }
16391
16392 function getPreferredHashAlgo(oid) {
16393 return curves[enums.write(enums.curve, oid.toHex())].hash;
16394 }
16395
16396 /**
16397 * Validate ECDH and EcDSA parameters
16398 * Not suitable for EdDSA (different secret key format)
16399 * @param {module:enums.publicKey} algo - EC algorithm, to filter supported curves
16400 * @param {module:type/oid} oid - EC object identifier
16401 * @param {Uint8Array} Q - EC public point
16402 * @param {Uint8Array} d - EC secret scalar
16403 * @returns {Boolean} Whether params are valid.
16404 * @async
16405 */
16406 async function validateStandardParams(algo, oid, Q, d) {
16407 const supportedCurves = {
16408 p256: true,
16409 p384: true,
16410 p521: true,
16411 secp256k1: true,
16412 curve25519: algo === enums.publicKey.ecdh,
16413 brainpoolP256r1: true,
16414 brainpoolP384r1: true,
16415 brainpoolP512r1: true
16416 };
16417
16418 // Check whether the given curve is supported
16419 const curveName = oid.getName();
16420 if (!supportedCurves[curveName]) {
16421 return false;
16422 }
16423
16424 if (curveName === 'curve25519') {
16425 d = d.slice().reverse();
16426 // Re-derive public point Q'
16427 const { publicKey } = naclFastLight.box.keyPair.fromSecretKey(d);
16428
16429 Q = new Uint8Array(Q);
16430 const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix
16431 if (!util.equalsUint8Array(dG, Q)) {
16432 return false;
16433 }
16434
16435 return true;
16436 }
16437
16438 const curve = await getIndutnyCurve(curveName);
16439 try {
16440 // Parse Q and check that it is on the curve but not at infinity
16441 Q = keyFromPublic(curve, Q).getPublic();
16442 } catch (validationErrors) {
16443 return false;
16444 }
16445
16446 /**
16447 * Re-derive public point Q' = dG from private key
16448 * Expect Q == Q'
16449 */
16450 const dG = keyFromPrivate(curve, d).getPublic();
16451 if (!dG.eq(Q)) {
16452 return false;
16453 }
16454
16455 return true;
16456 }
16457
16458 //////////////////////////
16459 // //
16460 // Helper functions //
16461 // //
16462 //////////////////////////
16463
16464
16465 async function webGenKeyPair(name) {
16466 // Note: keys generated with ECDSA and ECDH are structurally equivalent
16467 const webCryptoKey = await webCrypto$6.generateKey({ name: "ECDSA", namedCurve: webCurves[name] }, true, ["sign", "verify"]);
16468
16469 const privateKey = await webCrypto$6.exportKey("jwk", webCryptoKey.privateKey);
16470 const publicKey = await webCrypto$6.exportKey("jwk", webCryptoKey.publicKey);
16471
16472 return {
16473 publicKey: jwkToRawPublic(publicKey),
16474 privateKey: b64ToUint8Array(privateKey.d)
16475 };
16476 }
16477
16478 async function nodeGenKeyPair(name) {
16479 // Note: ECDSA and ECDH key generation is structurally equivalent
16480 const ecdh = nodeCrypto$7.createECDH(nodeCurves[name]);
16481 await ecdh.generateKeys();
16482 return {
16483 publicKey: new Uint8Array(ecdh.getPublicKey()),
16484 privateKey: new Uint8Array(ecdh.getPrivateKey())
16485 };
16486 }
16487
16488 //////////////////////////
16489 // //
16490 // Helper functions //
16491 // //
16492 //////////////////////////
16493
16494 /**
16495 * @param {JsonWebKey} jwk - key for conversion
16496 *
16497 * @returns {Uint8Array} Raw public key.
16498 */
16499 function jwkToRawPublic(jwk) {
16500 const bufX = b64ToUint8Array(jwk.x);
16501 const bufY = b64ToUint8Array(jwk.y);
16502 const publicKey = new Uint8Array(bufX.length + bufY.length + 1);
16503 publicKey[0] = 0x04;
16504 publicKey.set(bufX, 1);
16505 publicKey.set(bufY, bufX.length + 1);
16506 return publicKey;
16507 }
16508
16509 /**
16510 * @param {Integer} payloadSize - ec payload size
16511 * @param {String} name - curve name
16512 * @param {Uint8Array} publicKey - public key
16513 *
16514 * @returns {JsonWebKey} Public key in jwk format.
16515 */
16516 function rawPublicToJwk(payloadSize, name, publicKey) {
16517 const len = payloadSize;
16518 const bufX = publicKey.slice(1, len + 1);
16519 const bufY = publicKey.slice(len + 1, len * 2 + 1);
16520 // https://www.rfc-editor.org/rfc/rfc7518.txt
16521 const jwk = {
16522 kty: "EC",
16523 crv: name,
16524 x: uint8ArrayToB64(bufX, true),
16525 y: uint8ArrayToB64(bufY, true),
16526 ext: true
16527 };
16528 return jwk;
16529 }
16530
16531 /**
16532 * @param {Integer} payloadSize - ec payload size
16533 * @param {String} name - curve name
16534 * @param {Uint8Array} publicKey - public key
16535 * @param {Uint8Array} privateKey - private key
16536 *
16537 * @returns {JsonWebKey} Private key in jwk format.
16538 */
16539 function privateToJwk$1(payloadSize, name, publicKey, privateKey) {
16540 const jwk = rawPublicToJwk(payloadSize, name, publicKey);
16541 jwk.d = uint8ArrayToB64(privateKey, true);
16542 return jwk;
16543 }
16544
16545 // OpenPGP.js - An OpenPGP implementation in javascript
16546
16547 const webCrypto$7 = util.getWebCrypto();
16548 const nodeCrypto$8 = util.getNodeCrypto();
16549
16550 /**
16551 * Sign a message using the provided key
16552 * @param {module:type/oid} oid - Elliptic curve object identifier
16553 * @param {module:enums.hash} hash_algo - Hash algorithm used to sign
16554 * @param {Uint8Array} message - Message to sign
16555 * @param {Uint8Array} publicKey - Public key
16556 * @param {Uint8Array} privateKey - Private key used to sign the message
16557 * @param {Uint8Array} hashed - The hashed message
16558 * @returns {{r: Uint8Array,
16559 * s: Uint8Array}} Signature of the message
16560 * @async
16561 */
16562 async function sign$1(oid, hash_algo, message, publicKey, privateKey, hashed) {
16563 const curve = new Curve(oid);
16564 if (message && !util.isStream(message)) {
16565 const keyPair = { publicKey, privateKey };
16566 switch (curve.type) {
16567 case 'web': {
16568 // If browser doesn't support a curve, we'll catch it
16569 try {
16570 // Need to await to make sure browser succeeds
16571 return await webSign$1(curve, hash_algo, message, keyPair);
16572 } catch (err) {
16573 // We do not fallback if the error is related to key integrity
16574 // Unfortunaley Safari does not support p521 and throws a DataError when using it
16575 // So we need to always fallback for that curve
16576 if (curve.name !== 'p521' && (err.name === 'DataError' || err.name === 'OperationError')) {
16577 throw err;
16578 }
16579 util.printDebugError("Browser did not support signing: " + err.message);
16580 }
16581 break;
16582 }
16583 case 'node': {
16584 const signature = await nodeSign$1(curve, hash_algo, message, keyPair);
16585 return {
16586 r: signature.r.toArrayLike(Uint8Array),
16587 s: signature.s.toArrayLike(Uint8Array)
16588 };
16589 }
16590 }
16591 }
16592 return ellipticSign(curve, hashed, privateKey);
16593 }
16594
16595 /**
16596 * Verifies if a signature is valid for a message
16597 * @param {module:type/oid} oid - Elliptic curve object identifier
16598 * @param {module:enums.hash} hash_algo - Hash algorithm used in the signature
16599 * @param {{r: Uint8Array,
16600 s: Uint8Array}} signature Signature to verify
16601 * @param {Uint8Array} message - Message to verify
16602 * @param {Uint8Array} publicKey - Public key used to verify the message
16603 * @param {Uint8Array} hashed - The hashed message
16604 * @returns {Boolean}
16605 * @async
16606 */
16607 async function verify$1(oid, hash_algo, signature, message, publicKey, hashed) {
16608 const curve = new Curve(oid);
16609 if (message && !util.isStream(message)) {
16610 switch (curve.type) {
16611 case 'web':
16612 try {
16613 // Need to await to make sure browser succeeds
16614 return await webVerify$1(curve, hash_algo, signature, message, publicKey);
16615 } catch (err) {
16616 // We do not fallback if the error is related to key integrity
16617 // Unfortunately Safari does not support p521 and throws a DataError when using it
16618 // So we need to always fallback for that curve
16619 if (curve.name !== 'p521' && (err.name === 'DataError' || err.name === 'OperationError')) {
16620 throw err;
16621 }
16622 util.printDebugError("Browser did not support verifying: " + err.message);
16623 }
16624 break;
16625 case 'node':
16626 return nodeVerify$1(curve, hash_algo, signature, message, publicKey);
16627 }
16628 }
16629 const digest = (typeof hash_algo === 'undefined') ? message : hashed;
16630 return ellipticVerify(curve, signature, digest, publicKey);
16631 }
16632
16633 /**
16634 * Validate EcDSA parameters
16635 * @param {module:type/oid} oid - Elliptic curve object identifier
16636 * @param {Uint8Array} Q - EcDSA public point
16637 * @param {Uint8Array} d - EcDSA secret scalar
16638 * @returns {Boolean} Whether params are valid.
16639 * @async
16640 */
16641 async function validateParams$2(oid, Q, d) {
16642 const curve = new Curve(oid);
16643 // Reject curves x25519 and ed25519
16644 if (curve.keyType !== enums.publicKey.ecdsa) {
16645 return false;
16646 }
16647
16648 // To speed up the validation, we try to use node- or webcrypto when available
16649 // and sign + verify a random message
16650 switch (curve.type) {
16651 case 'web':
16652 case 'node': {
16653 const message = await getRandomBytes(8);
16654 const hashAlgo = enums.hash.sha256;
16655 const hashed = await hash.digest(hashAlgo, message);
16656 try {
16657 const signature = await sign$1(oid, hashAlgo, message, Q, d, hashed);
16658 return await verify$1(oid, hashAlgo, signature, message, Q, hashed);
16659 } catch (err) {
16660 return false;
16661 }
16662 }
16663 default:
16664 return validateStandardParams(enums.publicKey.ecdsa, oid, Q, d);
16665 }
16666 }
16667
16668
16669 //////////////////////////
16670 // //
16671 // Helper functions //
16672 // //
16673 //////////////////////////
16674
16675 async function ellipticSign(curve, hashed, privateKey) {
16676 const indutnyCurve = await getIndutnyCurve(curve.name);
16677 const key = keyFromPrivate(indutnyCurve, privateKey);
16678 const signature = key.sign(hashed);
16679 return {
16680 r: signature.r.toArrayLike(Uint8Array),
16681 s: signature.s.toArrayLike(Uint8Array)
16682 };
16683 }
16684
16685 async function ellipticVerify(curve, signature, digest, publicKey) {
16686 const indutnyCurve = await getIndutnyCurve(curve.name);
16687 const key = keyFromPublic(indutnyCurve, publicKey);
16688 return key.verify(digest, signature);
16689 }
16690
16691 async function webSign$1(curve, hash_algo, message, keyPair) {
16692 const len = curve.payloadSize;
16693 const jwk = privateToJwk$1(curve.payloadSize, webCurves[curve.name], keyPair.publicKey, keyPair.privateKey);
16694 const key = await webCrypto$7.importKey(
16695 "jwk",
16696 jwk,
16697 {
16698 "name": "ECDSA",
16699 "namedCurve": webCurves[curve.name],
16700 "hash": { name: enums.read(enums.webHash, curve.hash) }
16701 },
16702 false,
16703 ["sign"]
16704 );
16705
16706 const signature = new Uint8Array(await webCrypto$7.sign(
16707 {
16708 "name": 'ECDSA',
16709 "namedCurve": webCurves[curve.name],
16710 "hash": { name: enums.read(enums.webHash, hash_algo) }
16711 },
16712 key,
16713 message
16714 ));
16715
16716 return {
16717 r: signature.slice(0, len),
16718 s: signature.slice(len, len << 1)
16719 };
16720 }
16721
16722 async function webVerify$1(curve, hash_algo, { r, s }, message, publicKey) {
16723 const jwk = rawPublicToJwk(curve.payloadSize, webCurves[curve.name], publicKey);
16724 const key = await webCrypto$7.importKey(
16725 "jwk",
16726 jwk,
16727 {
16728 "name": "ECDSA",
16729 "namedCurve": webCurves[curve.name],
16730 "hash": { name: enums.read(enums.webHash, curve.hash) }
16731 },
16732 false,
16733 ["verify"]
16734 );
16735
16736 const signature = util.concatUint8Array([r, s]).buffer;
16737
16738 return webCrypto$7.verify(
16739 {
16740 "name": 'ECDSA',
16741 "namedCurve": webCurves[curve.name],
16742 "hash": { name: enums.read(enums.webHash, hash_algo) }
16743 },
16744 key,
16745 signature,
16746 message
16747 );
16748 }
16749
16750 async function nodeSign$1(curve, hash_algo, message, keyPair) {
16751 const sign = nodeCrypto$8.createSign(enums.read(enums.hash, hash_algo));
16752 sign.write(message);
16753 sign.end();
16754 const key = ECPrivateKey.encode({
16755 version: 1,
16756 parameters: curve.oid,
16757 privateKey: Array.from(keyPair.privateKey),
16758 publicKey: { unused: 0, data: Array.from(keyPair.publicKey) }
16759 }, 'pem', {
16760 label: 'EC PRIVATE KEY'
16761 });
16762
16763 return ECDSASignature.decode(sign.sign(key), 'der');
16764 }
16765
16766 async function nodeVerify$1(curve, hash_algo, { r, s }, message, publicKey) {
16767 const { default: BN } = await Promise.resolve().then(function () { return bn$1; });
16768
16769 const verify = nodeCrypto$8.createVerify(enums.read(enums.hash, hash_algo));
16770 verify.write(message);
16771 verify.end();
16772 const key = SubjectPublicKeyInfo.encode({
16773 algorithm: {
16774 algorithm: [1, 2, 840, 10045, 2, 1],
16775 parameters: curve.oid
16776 },
16777 subjectPublicKey: { unused: 0, data: Array.from(publicKey) }
16778 }, 'pem', {
16779 label: 'PUBLIC KEY'
16780 });
16781 const signature = ECDSASignature.encode({
16782 r: new BN(r), s: new BN(s)
16783 }, 'der');
16784
16785 try {
16786 return verify.verify(key, signature);
16787 } catch (err) {
16788 return false;
16789 }
16790 }
16791
16792 // Originally written by Owen Smith https://github.com/omsmith
16793 // Adapted on Feb 2018 from https://github.com/Brightspace/node-jwk-to-pem/
16794
16795 /* eslint-disable no-invalid-this */
16796
16797 const asn1$1 = nodeCrypto$8 ? void('asn1.js') : undefined;
16798
16799 const ECDSASignature = nodeCrypto$8 ?
16800 asn1$1.define('ECDSASignature', function() {
16801 this.seq().obj(
16802 this.key('r').int(),
16803 this.key('s').int()
16804 );
16805 }) : undefined;
16806
16807 const ECPrivateKey = nodeCrypto$8 ?
16808 asn1$1.define('ECPrivateKey', function() {
16809 this.seq().obj(
16810 this.key('version').int(),
16811 this.key('privateKey').octstr(),
16812 this.key('parameters').explicit(0).optional().any(),
16813 this.key('publicKey').explicit(1).optional().bitstr()
16814 );
16815 }) : undefined;
16816
16817 const AlgorithmIdentifier = nodeCrypto$8 ?
16818 asn1$1.define('AlgorithmIdentifier', function() {
16819 this.seq().obj(
16820 this.key('algorithm').objid(),
16821 this.key('parameters').optional().any()
16822 );
16823 }) : undefined;
16824
16825 const SubjectPublicKeyInfo = nodeCrypto$8 ?
16826 asn1$1.define('SubjectPublicKeyInfo', function() {
16827 this.seq().obj(
16828 this.key('algorithm').use(AlgorithmIdentifier),
16829 this.key('subjectPublicKey').bitstr()
16830 );
16831 }) : undefined;
16832
16833 var ecdsa = /*#__PURE__*/Object.freeze({
16834 __proto__: null,
16835 sign: sign$1,
16836 verify: verify$1,
16837 validateParams: validateParams$2
16838 });
16839
16840 // OpenPGP.js - An OpenPGP implementation in javascript
16841
16842 naclFastLight.hash = bytes => new Uint8Array(_512().update(bytes).digest());
16843
16844 /**
16845 * Sign a message using the provided key
16846 * @param {module:type/oid} oid - Elliptic curve object identifier
16847 * @param {module:enums.hash} hash_algo - Hash algorithm used to sign
16848 * @param {Uint8Array} message - Message to sign
16849 * @param {Uint8Array} publicKey - Public key
16850 * @param {Uint8Array} privateKey - Private key used to sign the message
16851 * @param {Uint8Array} hashed - The hashed message
16852 * @returns {{r: Uint8Array,
16853 * s: Uint8Array}} Signature of the message
16854 * @async
16855 */
16856 async function sign$2(oid, hash_algo, message, publicKey, privateKey, hashed) {
16857 const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]);
16858 const signature = naclFastLight.sign.detached(hashed, secretKey);
16859 // EdDSA signature params are returned in little-endian format
16860 return {
16861 r: signature.subarray(0, 32),
16862 s: signature.subarray(32)
16863 };
16864 }
16865
16866 /**
16867 * Verifies if a signature is valid for a message
16868 * @param {module:type/oid} oid - Elliptic curve object identifier
16869 * @param {module:enums.hash} hash_algo - Hash algorithm used in the signature
16870 * @param {{r: Uint8Array,
16871 s: Uint8Array}} signature Signature to verify the message
16872 * @param {Uint8Array} m - Message to verify
16873 * @param {Uint8Array} publicKey - Public key used to verify the message
16874 * @param {Uint8Array} hashed - The hashed message
16875 * @returns {Boolean}
16876 * @async
16877 */
16878 async function verify$2(oid, hash_algo, { r, s }, m, publicKey, hashed) {
16879 const signature = util.concatUint8Array([r, s]);
16880 return naclFastLight.sign.detached.verify(hashed, signature, publicKey.subarray(1));
16881 }
16882 /**
16883 * Validate EdDSA parameters
16884 * @param {module:type/oid} oid - Elliptic curve object identifier
16885 * @param {Uint8Array} Q - EdDSA public point
16886 * @param {Uint8Array} k - EdDSA secret seed
16887 * @returns {Boolean} Whether params are valid.
16888 * @async
16889 */
16890 async function validateParams$3(oid, Q, k) {
16891 // Check whether the given curve is supported
16892 if (oid.getName() !== 'ed25519') {
16893 return false;
16894 }
16895
16896 /**
16897 * Derive public point Q' = dG from private key
16898 * and expect Q == Q'
16899 */
16900 const { publicKey } = naclFastLight.sign.keyPair.fromSeed(k);
16901 const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix
16902 return util.equalsUint8Array(Q, dG);
16903 }
16904
16905 var eddsa = /*#__PURE__*/Object.freeze({
16906 __proto__: null,
16907 sign: sign$2,
16908 verify: verify$2,
16909 validateParams: validateParams$3
16910 });
16911
16912 // OpenPGP.js - An OpenPGP implementation in javascript
16913
16914 /**
16915 * AES key wrap
16916 * @function
16917 * @param {Uint8Array} key
16918 * @param {Uint8Array} data
16919 * @returns {Uint8Array}
16920 */
16921 function wrap(key, data) {
16922 const aes = new cipher["aes" + (key.length * 8)](key);
16923 const IV = new Uint32Array([0xA6A6A6A6, 0xA6A6A6A6]);
16924 const P = unpack(data);
16925 let A = IV;
16926 const R = P;
16927 const n = P.length / 2;
16928 const t = new Uint32Array([0, 0]);
16929 let B = new Uint32Array(4);
16930 for (let j = 0; j <= 5; ++j) {
16931 for (let i = 0; i < n; ++i) {
16932 t[1] = n * j + (1 + i);
16933 // B = A
16934 B[0] = A[0];
16935 B[1] = A[1];
16936 // B = A || R[i]
16937 B[2] = R[2 * i];
16938 B[3] = R[2 * i + 1];
16939 // B = AES(K, B)
16940 B = unpack(aes.encrypt(pack(B)));
16941 // A = MSB(64, B) ^ t
16942 A = B.subarray(0, 2);
16943 A[0] ^= t[0];
16944 A[1] ^= t[1];
16945 // R[i] = LSB(64, B)
16946 R[2 * i] = B[2];
16947 R[2 * i + 1] = B[3];
16948 }
16949 }
16950 return pack(A, R);
16951 }
16952
16953 /**
16954 * AES key unwrap
16955 * @function
16956 * @param {String} key
16957 * @param {String} data
16958 * @returns {Uint8Array}
16959 * @throws {Error}
16960 */
16961 function unwrap(key, data) {
16962 const aes = new cipher["aes" + (key.length * 8)](key);
16963 const IV = new Uint32Array([0xA6A6A6A6, 0xA6A6A6A6]);
16964 const C = unpack(data);
16965 let A = C.subarray(0, 2);
16966 const R = C.subarray(2);
16967 const n = C.length / 2 - 1;
16968 const t = new Uint32Array([0, 0]);
16969 let B = new Uint32Array(4);
16970 for (let j = 5; j >= 0; --j) {
16971 for (let i = n - 1; i >= 0; --i) {
16972 t[1] = n * j + (i + 1);
16973 // B = A ^ t
16974 B[0] = A[0] ^ t[0];
16975 B[1] = A[1] ^ t[1];
16976 // B = (A ^ t) || R[i]
16977 B[2] = R[2 * i];
16978 B[3] = R[2 * i + 1];
16979 // B = AES-1(B)
16980 B = unpack(aes.decrypt(pack(B)));
16981 // A = MSB(64, B)
16982 A = B.subarray(0, 2);
16983 // R[i] = LSB(64, B)
16984 R[2 * i] = B[2];
16985 R[2 * i + 1] = B[3];
16986 }
16987 }
16988 if (A[0] === IV[0] && A[1] === IV[1]) {
16989 return pack(R);
16990 }
16991 throw new Error("Key Data Integrity failed");
16992 }
16993
16994 function createArrayBuffer(data) {
16995 if (util.isString(data)) {
16996 const { length } = data;
16997 const buffer = new ArrayBuffer(length);
16998 const view = new Uint8Array(buffer);
16999 for (let j = 0; j < length; ++j) {
17000 view[j] = data.charCodeAt(j);
17001 }
17002 return buffer;
17003 }
17004 return new Uint8Array(data).buffer;
17005 }
17006
17007 function unpack(data) {
17008 const { length } = data;
17009 const buffer = createArrayBuffer(data);
17010 const view = new DataView(buffer);
17011 const arr = new Uint32Array(length / 4);
17012 for (let i = 0; i < length / 4; ++i) {
17013 arr[i] = view.getUint32(4 * i);
17014 }
17015 return arr;
17016 }
17017
17018 function pack() {
17019 let length = 0;
17020 for (let k = 0; k < arguments.length; ++k) {
17021 length += 4 * arguments[k].length;
17022 }
17023 const buffer = new ArrayBuffer(length);
17024 const view = new DataView(buffer);
17025 let offset = 0;
17026 for (let i = 0; i < arguments.length; ++i) {
17027 for (let j = 0; j < arguments[i].length; ++j) {
17028 view.setUint32(offset + 4 * j, arguments[i][j]);
17029 }
17030 offset += 4 * arguments[i].length;
17031 }
17032 return new Uint8Array(buffer);
17033 }
17034
17035 var aes_kw = /*#__PURE__*/Object.freeze({
17036 __proto__: null,
17037 wrap: wrap,
17038 unwrap: unwrap
17039 });
17040
17041 // OpenPGP.js - An OpenPGP implementation in javascript
17042
17043 /**
17044 * @fileoverview Functions to add and remove PKCS5 padding
17045 * @see PublicKeyEncryptedSessionKeyPacket
17046 * @module crypto/pkcs5
17047 * @private
17048 */
17049
17050 /**
17051 * Add pkcs5 padding to a message
17052 * @param {Uint8Array} message - message to pad
17053 * @returns {Uint8Array} Padded message.
17054 */
17055 function encode$1(message) {
17056 const c = 8 - (message.length % 8);
17057 const padded = new Uint8Array(message.length + c).fill(c);
17058 padded.set(message);
17059 return padded;
17060 }
17061
17062 /**
17063 * Remove pkcs5 padding from a message
17064 * @param {Uint8Array} message - message to remove padding from
17065 * @returns {Uint8Array} Message without padding.
17066 */
17067 function decode$1(message) {
17068 const len = message.length;
17069 if (len > 0) {
17070 const c = message[len - 1];
17071 if (c >= 1) {
17072 const provided = message.subarray(len - c);
17073 const computed = new Uint8Array(c).fill(c);
17074 if (util.equalsUint8Array(provided, computed)) {
17075 return message.subarray(0, len - c);
17076 }
17077 }
17078 }
17079 throw new Error('Invalid padding');
17080 }
17081
17082 var pkcs5 = /*#__PURE__*/Object.freeze({
17083 __proto__: null,
17084 encode: encode$1,
17085 decode: decode$1
17086 });
17087
17088 // OpenPGP.js - An OpenPGP implementation in javascript
17089
17090 const webCrypto$8 = util.getWebCrypto();
17091 const nodeCrypto$9 = util.getNodeCrypto();
17092
17093 /**
17094 * Validate ECDH parameters
17095 * @param {module:type/oid} oid - Elliptic curve object identifier
17096 * @param {Uint8Array} Q - ECDH public point
17097 * @param {Uint8Array} d - ECDH secret scalar
17098 * @returns {Boolean} Whether params are valid.
17099 * @async
17100 */
17101 async function validateParams$4(oid, Q, d) {
17102 return validateStandardParams(enums.publicKey.ecdh, oid, Q, d);
17103 }
17104
17105 // Build Param for ECDH algorithm (RFC 6637)
17106 function buildEcdhParam(public_algo, oid, kdfParams, fingerprint) {
17107 return util.concatUint8Array([
17108 oid.write(),
17109 new Uint8Array([public_algo]),
17110 kdfParams.write(),
17111 util.strToUint8Array("Anonymous Sender "),
17112 fingerprint.subarray(0, 20)
17113 ]);
17114 }
17115
17116 // Key Derivation Function (RFC 6637)
17117 async function kdf(hash_algo, X, length, param, stripLeading = false, stripTrailing = false) {
17118 // Note: X is little endian for Curve25519, big-endian for all others.
17119 // This is not ideal, but the RFC's are unclear
17120 // https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-02#appendix-B
17121 let i;
17122 if (stripLeading) {
17123 // Work around old go crypto bug
17124 for (i = 0; i < X.length && X[i] === 0; i++);
17125 X = X.subarray(i);
17126 }
17127 if (stripTrailing) {
17128 // Work around old OpenPGP.js bug
17129 for (i = X.length - 1; i >= 0 && X[i] === 0; i--);
17130 X = X.subarray(0, i + 1);
17131 }
17132 const digest = await hash.digest(hash_algo, util.concatUint8Array([
17133 new Uint8Array([0, 0, 0, 1]),
17134 X,
17135 param
17136 ]));
17137 return digest.subarray(0, length);
17138 }
17139
17140 /**
17141 * Generate ECDHE ephemeral key and secret from public key
17142 *
17143 * @param {Curve} curve - Elliptic curve object
17144 * @param {Uint8Array} Q - Recipient public key
17145 * @returns {{publicKey: Uint8Array, sharedKey: Uint8Array}}
17146 * @async
17147 */
17148 async function genPublicEphemeralKey(curve, Q) {
17149 switch (curve.type) {
17150 case 'curve25519': {
17151 const d = await getRandomBytes(32);
17152 const { secretKey, sharedKey } = await genPrivateEphemeralKey(curve, Q, null, d);
17153 let { publicKey } = naclFastLight.box.keyPair.fromSecretKey(secretKey);
17154 publicKey = util.concatUint8Array([new Uint8Array([0x40]), publicKey]);
17155 return { publicKey, sharedKey }; // Note: sharedKey is little-endian here, unlike below
17156 }
17157 case 'web':
17158 if (curve.web && util.getWebCrypto()) {
17159 try {
17160 return await webPublicEphemeralKey(curve, Q);
17161 } catch (err) {
17162 util.printDebugError(err);
17163 }
17164 }
17165 break;
17166 case 'node':
17167 return nodePublicEphemeralKey(curve, Q);
17168 }
17169 return ellipticPublicEphemeralKey(curve, Q);
17170 }
17171
17172 /**
17173 * Encrypt and wrap a session key
17174 *
17175 * @param {module:type/oid} oid - Elliptic curve object identifier
17176 * @param {module:type/kdf_params} kdfParams - KDF params including cipher and algorithm to use
17177 * @param {Uint8Array} data - Unpadded session key data
17178 * @param {Uint8Array} Q - Recipient public key
17179 * @param {Uint8Array} fingerprint - Recipient fingerprint
17180 * @returns {{publicKey: Uint8Array, wrappedKey: Uint8Array}}
17181 * @async
17182 */
17183 async function encrypt$3(oid, kdfParams, data, Q, fingerprint) {
17184 const m = encode$1(data);
17185
17186 const curve = new Curve(oid);
17187 const { publicKey, sharedKey } = await genPublicEphemeralKey(curve, Q);
17188 const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
17189 const cipher_algo = enums.read(enums.symmetric, kdfParams.cipher);
17190 const Z = await kdf(kdfParams.hash, sharedKey, cipher[cipher_algo].keySize, param);
17191 const wrappedKey = wrap(Z, m);
17192 return { publicKey, wrappedKey };
17193 }
17194
17195 /**
17196 * Generate ECDHE secret from private key and public part of ephemeral key
17197 *
17198 * @param {Curve} curve - Elliptic curve object
17199 * @param {Uint8Array} V - Public part of ephemeral key
17200 * @param {Uint8Array} Q - Recipient public key
17201 * @param {Uint8Array} d - Recipient private key
17202 * @returns {{secretKey: Uint8Array, sharedKey: Uint8Array}}
17203 * @async
17204 */
17205 async function genPrivateEphemeralKey(curve, V, Q, d) {
17206 if (d.length !== curve.payloadSize) {
17207 const privateKey = new Uint8Array(curve.payloadSize);
17208 privateKey.set(d, curve.payloadSize - d.length);
17209 d = privateKey;
17210 }
17211 switch (curve.type) {
17212 case 'curve25519': {
17213 const secretKey = d.slice().reverse();
17214 const sharedKey = naclFastLight.scalarMult(secretKey, V.subarray(1));
17215 return { secretKey, sharedKey }; // Note: sharedKey is little-endian here, unlike below
17216 }
17217 case 'web':
17218 if (curve.web && util.getWebCrypto()) {
17219 try {
17220 return await webPrivateEphemeralKey(curve, V, Q, d);
17221 } catch (err) {
17222 util.printDebugError(err);
17223 }
17224 }
17225 break;
17226 case 'node':
17227 return nodePrivateEphemeralKey(curve, V, d);
17228 }
17229 return ellipticPrivateEphemeralKey(curve, V, d);
17230 }
17231
17232 /**
17233 * Decrypt and unwrap the value derived from session key
17234 *
17235 * @param {module:type/oid} oid - Elliptic curve object identifier
17236 * @param {module:type/kdf_params} kdfParams - KDF params including cipher and algorithm to use
17237 * @param {Uint8Array} V - Public part of ephemeral key
17238 * @param {Uint8Array} C - Encrypted and wrapped value derived from session key
17239 * @param {Uint8Array} Q - Recipient public key
17240 * @param {Uint8Array} d - Recipient private key
17241 * @param {Uint8Array} fingerprint - Recipient fingerprint
17242 * @returns {Uint8Array} Value derived from session key.
17243 * @async
17244 */
17245 async function decrypt$3(oid, kdfParams, V, C, Q, d, fingerprint) {
17246 const curve = new Curve(oid);
17247 const { sharedKey } = await genPrivateEphemeralKey(curve, V, Q, d);
17248 const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
17249 const cipher_algo = enums.read(enums.symmetric, kdfParams.cipher);
17250 let err;
17251 for (let i = 0; i < 3; i++) {
17252 try {
17253 // Work around old go crypto bug and old OpenPGP.js bug, respectively.
17254 const Z = await kdf(kdfParams.hash, sharedKey, cipher[cipher_algo].keySize, param, i === 1, i === 2);
17255 return decode$1(unwrap(Z, C));
17256 } catch (e) {
17257 err = e;
17258 }
17259 }
17260 throw err;
17261 }
17262
17263 /**
17264 * Generate ECDHE secret from private key and public part of ephemeral key using webCrypto
17265 *
17266 * @param {Curve} curve - Elliptic curve object
17267 * @param {Uint8Array} V - Public part of ephemeral key
17268 * @param {Uint8Array} Q - Recipient public key
17269 * @param {Uint8Array} d - Recipient private key
17270 * @returns {{secretKey: Uint8Array, sharedKey: Uint8Array}}
17271 * @async
17272 */
17273 async function webPrivateEphemeralKey(curve, V, Q, d) {
17274 const recipient = privateToJwk$1(curve.payloadSize, curve.web.web, Q, d);
17275 let privateKey = webCrypto$8.importKey(
17276 "jwk",
17277 recipient,
17278 {
17279 name: "ECDH",
17280 namedCurve: curve.web.web
17281 },
17282 true,
17283 ["deriveKey", "deriveBits"]
17284 );
17285 const jwk = rawPublicToJwk(curve.payloadSize, curve.web.web, V);
17286 let sender = webCrypto$8.importKey(
17287 "jwk",
17288 jwk,
17289 {
17290 name: "ECDH",
17291 namedCurve: curve.web.web
17292 },
17293 true,
17294 []
17295 );
17296 [privateKey, sender] = await Promise.all([privateKey, sender]);
17297 let S = webCrypto$8.deriveBits(
17298 {
17299 name: "ECDH",
17300 namedCurve: curve.web.web,
17301 public: sender
17302 },
17303 privateKey,
17304 curve.web.sharedSize
17305 );
17306 let secret = webCrypto$8.exportKey(
17307 "jwk",
17308 privateKey
17309 );
17310 [S, secret] = await Promise.all([S, secret]);
17311 const sharedKey = new Uint8Array(S);
17312 const secretKey = b64ToUint8Array(secret.d);
17313 return { secretKey, sharedKey };
17314 }
17315
17316 /**
17317 * Generate ECDHE ephemeral key and secret from public key using webCrypto
17318 *
17319 * @param {Curve} curve - Elliptic curve object
17320 * @param {Uint8Array} Q - Recipient public key
17321 * @returns {{publicKey: Uint8Array, sharedKey: Uint8Array}}
17322 * @async
17323 */
17324 async function webPublicEphemeralKey(curve, Q) {
17325 const jwk = rawPublicToJwk(curve.payloadSize, curve.web.web, Q);
17326 let keyPair = webCrypto$8.generateKey(
17327 {
17328 name: "ECDH",
17329 namedCurve: curve.web.web
17330 },
17331 true,
17332 ["deriveKey", "deriveBits"]
17333 );
17334 let recipient = webCrypto$8.importKey(
17335 "jwk",
17336 jwk,
17337 {
17338 name: "ECDH",
17339 namedCurve: curve.web.web
17340 },
17341 false,
17342 []
17343 );
17344 [keyPair, recipient] = await Promise.all([keyPair, recipient]);
17345 let s = webCrypto$8.deriveBits(
17346 {
17347 name: "ECDH",
17348 namedCurve: curve.web.web,
17349 public: recipient
17350 },
17351 keyPair.privateKey,
17352 curve.web.sharedSize
17353 );
17354 let p = webCrypto$8.exportKey(
17355 "jwk",
17356 keyPair.publicKey
17357 );
17358 [s, p] = await Promise.all([s, p]);
17359 const sharedKey = new Uint8Array(s);
17360 const publicKey = new Uint8Array(jwkToRawPublic(p));
17361 return { publicKey, sharedKey };
17362 }
17363
17364 /**
17365 * Generate ECDHE secret from private key and public part of ephemeral key using indutny/elliptic
17366 *
17367 * @param {Curve} curve - Elliptic curve object
17368 * @param {Uint8Array} V - Public part of ephemeral key
17369 * @param {Uint8Array} d - Recipient private key
17370 * @returns {{secretKey: Uint8Array, sharedKey: Uint8Array}}
17371 * @async
17372 */
17373 async function ellipticPrivateEphemeralKey(curve, V, d) {
17374 const indutnyCurve = await getIndutnyCurve(curve.name);
17375 V = keyFromPublic(indutnyCurve, V);
17376 d = keyFromPrivate(indutnyCurve, d);
17377 const secretKey = new Uint8Array(d.getPrivate());
17378 const S = d.derive(V.getPublic());
17379 const len = indutnyCurve.curve.p.byteLength();
17380 const sharedKey = S.toArrayLike(Uint8Array, 'be', len);
17381 return { secretKey, sharedKey };
17382 }
17383
17384 /**
17385 * Generate ECDHE ephemeral key and secret from public key using indutny/elliptic
17386 *
17387 * @param {Curve} curve - Elliptic curve object
17388 * @param {Uint8Array} Q - Recipient public key
17389 * @returns {{publicKey: Uint8Array, sharedKey: Uint8Array}}
17390 * @async
17391 */
17392 async function ellipticPublicEphemeralKey(curve, Q) {
17393 const indutnyCurve = await getIndutnyCurve(curve.name);
17394 const v = await curve.genKeyPair();
17395 Q = keyFromPublic(indutnyCurve, Q);
17396 const V = keyFromPrivate(indutnyCurve, v.privateKey);
17397 const publicKey = v.publicKey;
17398 const S = V.derive(Q.getPublic());
17399 const len = indutnyCurve.curve.p.byteLength();
17400 const sharedKey = S.toArrayLike(Uint8Array, 'be', len);
17401 return { publicKey, sharedKey };
17402 }
17403
17404 /**
17405 * Generate ECDHE secret from private key and public part of ephemeral key using nodeCrypto
17406 *
17407 * @param {Curve} curve - Elliptic curve object
17408 * @param {Uint8Array} V - Public part of ephemeral key
17409 * @param {Uint8Array} d - Recipient private key
17410 * @returns {{secretKey: Uint8Array, sharedKey: Uint8Array}}
17411 * @async
17412 */
17413 async function nodePrivateEphemeralKey(curve, V, d) {
17414 const recipient = nodeCrypto$9.createECDH(curve.node.node);
17415 recipient.setPrivateKey(d);
17416 const sharedKey = new Uint8Array(recipient.computeSecret(V));
17417 const secretKey = new Uint8Array(recipient.getPrivateKey());
17418 return { secretKey, sharedKey };
17419 }
17420
17421 /**
17422 * Generate ECDHE ephemeral key and secret from public key using nodeCrypto
17423 *
17424 * @param {Curve} curve - Elliptic curve object
17425 * @param {Uint8Array} Q - Recipient public key
17426 * @returns {{publicKey: Uint8Array, sharedKey: Uint8Array}}
17427 * @async
17428 */
17429 async function nodePublicEphemeralKey(curve, Q) {
17430 const sender = nodeCrypto$9.createECDH(curve.node.node);
17431 sender.generateKeys();
17432 const sharedKey = new Uint8Array(sender.computeSecret(Q));
17433 const publicKey = new Uint8Array(sender.getPublicKey());
17434 return { publicKey, sharedKey };
17435 }
17436
17437 var ecdh = /*#__PURE__*/Object.freeze({
17438 __proto__: null,
17439 validateParams: validateParams$4,
17440 encrypt: encrypt$3,
17441 decrypt: decrypt$3
17442 });
17443
17444 // OpenPGP.js - An OpenPGP implementation in javascript
17445
17446 var elliptic = /*#__PURE__*/Object.freeze({
17447 __proto__: null,
17448 Curve: Curve,
17449 ecdh: ecdh,
17450 ecdsa: ecdsa,
17451 eddsa: eddsa,
17452 generate: generate$1,
17453 getPreferredHashAlgo: getPreferredHashAlgo
17454 });
17455
17456 // GPG4Browsers - An OpenPGP implementation in javascript
17457
17458 /*
17459 TODO regarding the hash function, read:
17460 https://tools.ietf.org/html/rfc4880#section-13.6
17461 https://tools.ietf.org/html/rfc4880#section-14
17462 */
17463
17464 /**
17465 * DSA Sign function
17466 * @param {Integer} hash_algo
17467 * @param {Uint8Array} hashed
17468 * @param {Uint8Array} g
17469 * @param {Uint8Array} p
17470 * @param {Uint8Array} q
17471 * @param {Uint8Array} x
17472 * @returns {{ r: Uint8Array, s: Uint8Array }}
17473 * @async
17474 */
17475 async function sign$3(hash_algo, hashed, g, p, q, x) {
17476 const BigInteger = await util.getBigInteger();
17477 const one = new BigInteger(1);
17478 p = new BigInteger(p);
17479 q = new BigInteger(q);
17480 g = new BigInteger(g);
17481 x = new BigInteger(x);
17482
17483 let k;
17484 let r;
17485 let s;
17486 let t;
17487 g = g.mod(p);
17488 x = x.mod(q);
17489 // If the output size of the chosen hash is larger than the number of
17490 // bits of q, the hash result is truncated to fit by taking the number
17491 // of leftmost bits equal to the number of bits of q. This (possibly
17492 // truncated) hash function result is treated as a number and used
17493 // directly in the DSA signature algorithm.
17494 const h = new BigInteger(hashed.subarray(0, q.byteLength())).mod(q);
17495 // FIPS-186-4, section 4.6:
17496 // The values of r and s shall be checked to determine if r = 0 or s = 0.
17497 // If either r = 0 or s = 0, a new value of k shall be generated, and the
17498 // signature shall be recalculated. It is extremely unlikely that r = 0
17499 // or s = 0 if signatures are generated properly.
17500 while (true) {
17501 // See Appendix B here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
17502 k = await getRandomBigInteger(one, q); // returns in [1, q-1]
17503 r = g.modExp(k, p).imod(q); // (g**k mod p) mod q
17504 if (r.isZero()) {
17505 continue;
17506 }
17507 const xr = x.mul(r).imod(q);
17508 t = h.add(xr).imod(q); // H(m) + x*r mod q
17509 s = k.modInv(q).imul(t).imod(q); // k**-1 * (H(m) + x*r) mod q
17510 if (s.isZero()) {
17511 continue;
17512 }
17513 break;
17514 }
17515 return {
17516 r: r.toUint8Array('be', q.byteLength()),
17517 s: s.toUint8Array('be', q.byteLength())
17518 };
17519 }
17520
17521 /**
17522 * DSA Verify function
17523 * @param {Integer} hash_algo
17524 * @param {Uint8Array} r
17525 * @param {Uint8Array} s
17526 * @param {Uint8Array} hashed
17527 * @param {Uint8Array} g
17528 * @param {Uint8Array} p
17529 * @param {Uint8Array} q
17530 * @param {Uint8Array} y
17531 * @returns {boolean}
17532 * @async
17533 */
17534 async function verify$3(hash_algo, r, s, hashed, g, p, q, y) {
17535 const BigInteger = await util.getBigInteger();
17536 const zero = new BigInteger(0);
17537 r = new BigInteger(r);
17538 s = new BigInteger(s);
17539
17540 p = new BigInteger(p);
17541 q = new BigInteger(q);
17542 g = new BigInteger(g);
17543 y = new BigInteger(y);
17544
17545 if (r.lte(zero) || r.gte(q) ||
17546 s.lte(zero) || s.gte(q)) {
17547 util.printDebug("invalid DSA Signature");
17548 return false;
17549 }
17550 const h = new BigInteger(hashed.subarray(0, q.byteLength())).imod(q);
17551 const w = s.modInv(q); // s**-1 mod q
17552 if (w.isZero()) {
17553 util.printDebug("invalid DSA Signature");
17554 return false;
17555 }
17556
17557 g = g.mod(p);
17558 y = y.mod(p);
17559 const u1 = h.mul(w).imod(q); // H(m) * w mod q
17560 const u2 = r.mul(w).imod(q); // r * w mod q
17561 const t1 = g.modExp(u1, p); // g**u1 mod p
17562 const t2 = y.modExp(u2, p); // y**u2 mod p
17563 const v = t1.mul(t2).imod(p).imod(q); // (g**u1 * y**u2 mod p) mod q
17564 return v.equal(r);
17565 }
17566
17567 /**
17568 * Validate DSA parameters
17569 * @param {Uint8Array} p - DSA prime
17570 * @param {Uint8Array} q - DSA group order
17571 * @param {Uint8Array} g - DSA sub-group generator
17572 * @param {Uint8Array} y - DSA public key
17573 * @param {Uint8Array} x - DSA private key
17574 * @returns {Boolean} Whether params are valid.
17575 * @async
17576 */
17577 async function validateParams$5(p, q, g, y, x) {
17578 const BigInteger = await util.getBigInteger();
17579 p = new BigInteger(p);
17580 q = new BigInteger(q);
17581 g = new BigInteger(g);
17582 y = new BigInteger(y);
17583 const one = new BigInteger(1);
17584 // Check that 1 < g < p
17585 if (g.lte(one) || g.gte(p)) {
17586 return false;
17587 }
17588
17589 /**
17590 * Check that subgroup order q divides p-1
17591 */
17592 if (!p.dec().mod(q).isZero()) {
17593 return false;
17594 }
17595
17596 /**
17597 * g has order q
17598 * Check that g ** q = 1 mod p
17599 */
17600 if (!g.modExp(q, p).isOne()) {
17601 return false;
17602 }
17603
17604 /**
17605 * Check q is large and probably prime (we mainly want to avoid small factors)
17606 */
17607 const qSize = new BigInteger(q.bitLength());
17608 const n150 = new BigInteger(150);
17609 if (qSize.lt(n150) || !(await isProbablePrime(q, null, 32))) {
17610 return false;
17611 }
17612
17613 /**
17614 * Re-derive public key y' = g ** x mod p
17615 * Expect y == y'
17616 *
17617 * Blinded exponentiation computes g**{rq + x} to compare to y
17618 */
17619 x = new BigInteger(x);
17620 const two = new BigInteger(2);
17621 const r = await getRandomBigInteger(two.leftShift(qSize.dec()), two.leftShift(qSize)); // draw r of same size as q
17622 const rqx = q.mul(r).add(x);
17623 if (!y.equal(g.modExp(rqx, p))) {
17624 return false;
17625 }
17626
17627 return true;
17628 }
17629
17630 var dsa = /*#__PURE__*/Object.freeze({
17631 __proto__: null,
17632 sign: sign$3,
17633 verify: verify$3,
17634 validateParams: validateParams$5
17635 });
17636
17637 /**
17638 * @fileoverview Asymmetric cryptography functions
17639 * @module crypto/public_key
17640 * @private
17641 */
17642
17643 var publicKey = {
17644 /** @see module:crypto/public_key/rsa */
17645 rsa: rsa,
17646 /** @see module:crypto/public_key/elgamal */
17647 elgamal: elgamal,
17648 /** @see module:crypto/public_key/elliptic */
17649 elliptic: elliptic,
17650 /** @see module:crypto/public_key/dsa */
17651 dsa: dsa,
17652 /** @see tweetnacl */
17653 nacl: naclFastLight
17654 };
17655
17656 /**
17657 * @fileoverview Provides functions for asymmetric signing and signature verification
17658 * @module crypto/signature
17659 * @private
17660 */
17661
17662 /**
17663 * Parse signature in binary form to get the parameters.
17664 * The returned values are only padded for EdDSA, since in the other cases their expected length
17665 * depends on the key params, hence we delegate the padding to the signature verification function.
17666 * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1}
17667 * See {@link https://tools.ietf.org/html/rfc4880#section-5.2.2|RFC 4880 5.2.2.}
17668 * @param {module:enums.publicKey} algo - Public key algorithm
17669 * @param {Uint8Array} signature - Data for which the signature was created
17670 * @returns {Object} True if signature is valid.
17671 * @async
17672 */
17673 function parseSignatureParams(algo, signature) {
17674 let read = 0;
17675 switch (algo) {
17676 // Algorithm-Specific Fields for RSA signatures:
17677 // - MPI of RSA signature value m**d mod n.
17678 case enums.publicKey.rsaEncryptSign:
17679 case enums.publicKey.rsaEncrypt:
17680 case enums.publicKey.rsaSign: {
17681 const s = util.readMPI(signature.subarray(read));
17682 // The signature needs to be the same length as the public key modulo n.
17683 // We pad s on signature verification, where we have access to n.
17684 return { s };
17685 }
17686 // Algorithm-Specific Fields for DSA or ECDSA signatures:
17687 // - MPI of DSA or ECDSA value r.
17688 // - MPI of DSA or ECDSA value s.
17689 case enums.publicKey.dsa:
17690 case enums.publicKey.ecdsa:
17691 {
17692 const r = util.readMPI(signature.subarray(read)); read += r.length + 2;
17693 const s = util.readMPI(signature.subarray(read));
17694 return { r, s };
17695 }
17696 // Algorithm-Specific Fields for EdDSA signatures:
17697 // - MPI of an EC point r.
17698 // - EdDSA value s, in MPI, in the little endian representation
17699 case enums.publicKey.eddsa: {
17700 // When parsing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
17701 // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9
17702 let r = util.readMPI(signature.subarray(read)); read += r.length + 2;
17703 r = util.leftPad(r, 32);
17704 let s = util.readMPI(signature.subarray(read));
17705 s = util.leftPad(s, 32);
17706 return { r, s };
17707 }
17708 default:
17709 throw new Error('Invalid signature algorithm.');
17710 }
17711 }
17712
17713 /**
17714 * Verifies the signature provided for data using specified algorithms and public key parameters.
17715 * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1}
17716 * and {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC 4880 9.4}
17717 * for public key and hash algorithms.
17718 * @param {module:enums.publicKey} algo - Public key algorithm
17719 * @param {module:enums.hash} hashAlgo - Hash algorithm
17720 * @param {Object} signature - Named algorithm-specific signature parameters
17721 * @param {Object} publicParams - Algorithm-specific public key parameters
17722 * @param {Uint8Array} data - Data for which the signature was created
17723 * @param {Uint8Array} hashed - The hashed data
17724 * @returns {Boolean} True if signature is valid.
17725 * @async
17726 */
17727 async function verify$4(algo, hashAlgo, signature, publicParams, data, hashed) {
17728 switch (algo) {
17729 case enums.publicKey.rsaEncryptSign:
17730 case enums.publicKey.rsaEncrypt:
17731 case enums.publicKey.rsaSign: {
17732 const { n, e } = publicParams;
17733 const s = util.leftPad(signature.s, n.length); // padding needed for webcrypto and node crypto
17734 return publicKey.rsa.verify(hashAlgo, data, s, n, e, hashed);
17735 }
17736 case enums.publicKey.dsa: {
17737 const { g, p, q, y } = publicParams;
17738 const { r, s } = signature; // no need to pad, since we always handle them as BigIntegers
17739 return publicKey.dsa.verify(hashAlgo, r, s, hashed, g, p, q, y);
17740 }
17741 case enums.publicKey.ecdsa: {
17742 const { oid, Q } = publicParams;
17743 const curveSize = new publicKey.elliptic.Curve(oid).payloadSize;
17744 // padding needed for webcrypto
17745 const r = util.leftPad(signature.r, curveSize);
17746 const s = util.leftPad(signature.s, curveSize);
17747 return publicKey.elliptic.ecdsa.verify(oid, hashAlgo, { r, s }, data, Q, hashed);
17748 }
17749 case enums.publicKey.eddsa: {
17750 const { oid, Q } = publicParams;
17751 // signature already padded on parsing
17752 return publicKey.elliptic.eddsa.verify(oid, hashAlgo, signature, data, Q, hashed);
17753 }
17754 default:
17755 throw new Error('Invalid signature algorithm.');
17756 }
17757 }
17758
17759 /**
17760 * Creates a signature on data using specified algorithms and private key parameters.
17761 * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1}
17762 * and {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC 4880 9.4}
17763 * for public key and hash algorithms.
17764 * @param {module:enums.publicKey} algo - Public key algorithm
17765 * @param {module:enums.hash} hashAlgo - Hash algorithm
17766 * @param {Object} publicKeyParams - Algorithm-specific public and private key parameters
17767 * @param {Object} privateKeyParams - Algorithm-specific public and private key parameters
17768 * @param {Uint8Array} data - Data to be signed
17769 * @param {Uint8Array} hashed - The hashed data
17770 * @returns {Object} Signature Object containing named signature parameters.
17771 * @async
17772 */
17773 async function sign$4(algo, hashAlgo, publicKeyParams, privateKeyParams, data, hashed) {
17774 if (!publicKeyParams || !privateKeyParams) {
17775 throw new Error('Missing key parameters');
17776 }
17777 switch (algo) {
17778 case enums.publicKey.rsaEncryptSign:
17779 case enums.publicKey.rsaEncrypt:
17780 case enums.publicKey.rsaSign: {
17781 const { n, e } = publicKeyParams;
17782 const { d, p, q, u } = privateKeyParams;
17783 const s = await publicKey.rsa.sign(hashAlgo, data, n, e, d, p, q, u, hashed);
17784 return { s };
17785 }
17786 case enums.publicKey.dsa: {
17787 const { g, p, q } = publicKeyParams;
17788 const { x } = privateKeyParams;
17789 return publicKey.dsa.sign(hashAlgo, hashed, g, p, q, x);
17790 }
17791 case enums.publicKey.elgamal: {
17792 throw new Error('Signing with Elgamal is not defined in the OpenPGP standard.');
17793 }
17794 case enums.publicKey.ecdsa: {
17795 const { oid, Q } = publicKeyParams;
17796 const { d } = privateKeyParams;
17797 return publicKey.elliptic.ecdsa.sign(oid, hashAlgo, data, Q, d, hashed);
17798 }
17799 case enums.publicKey.eddsa: {
17800 const { oid, Q } = publicKeyParams;
17801 const { seed } = privateKeyParams;
17802 return publicKey.elliptic.eddsa.sign(oid, hashAlgo, data, Q, seed, hashed);
17803 }
17804 default:
17805 throw new Error('Invalid signature algorithm.');
17806 }
17807 }
17808
17809 var signature = /*#__PURE__*/Object.freeze({
17810 __proto__: null,
17811 parseSignatureParams: parseSignatureParams,
17812 verify: verify$4,
17813 sign: sign$4
17814 });
17815
17816 // OpenPGP.js - An OpenPGP implementation in javascript
17817
17818 class ECDHSymmetricKey {
17819 constructor(data) {
17820 if (typeof data === 'undefined') {
17821 data = new Uint8Array([]);
17822 } else if (util.isString(data)) {
17823 data = util.strToUint8Array(data);
17824 } else {
17825 data = new Uint8Array(data);
17826 }
17827 this.data = data;
17828 }
17829
17830 /**
17831 * Read an ECDHSymmetricKey from an Uint8Array
17832 * @param {Uint8Array} input - Where to read the encoded symmetric key from
17833 * @returns {Number} Number of read bytes.
17834 */
17835 read(input) {
17836 if (input.length >= 1) {
17837 const length = input[0];
17838 if (input.length >= 1 + length) {
17839 this.data = input.subarray(1, 1 + length);
17840 return 1 + this.data.length;
17841 }
17842 }
17843 throw new Error('Invalid symmetric key');
17844 }
17845
17846 /**
17847 * Write an ECDHSymmetricKey as an Uint8Array
17848 * @returns {Uint8Array} An array containing the value
17849 */
17850 write() {
17851 return util.concatUint8Array([new Uint8Array([this.data.length]), this.data]);
17852 }
17853 }
17854
17855 // OpenPGP.js - An OpenPGP implementation in javascript
17856 // Copyright (C) 2015-2016 Decentral
17857 //
17858 // This library is free software; you can redistribute it and/or
17859 // modify it under the terms of the GNU Lesser General Public
17860 // License as published by the Free Software Foundation; either
17861 // version 3.0 of the License, or (at your option) any later version.
17862 //
17863 // This library is distributed in the hope that it will be useful,
17864 // but WITHOUT ANY WARRANTY; without even the implied warranty of
17865 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17866 // Lesser General Public License for more details.
17867 //
17868 // You should have received a copy of the GNU Lesser General Public
17869 // License along with this library; if not, write to the Free Software
17870 // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17871
17872 /**
17873 * Implementation of type KDF parameters
17874 *
17875 * {@link https://tools.ietf.org/html/rfc6637#section-7|RFC 6637 7}:
17876 * A key derivation function (KDF) is necessary to implement the EC
17877 * encryption. The Concatenation Key Derivation Function (Approved
17878 * Alternative 1) [NIST-SP800-56A] with the KDF hash function that is
17879 * SHA2-256 [FIPS-180-3] or stronger is REQUIRED.
17880 * @module type/kdf_params
17881 * @private
17882 */
17883
17884 class KDFParams {
17885 /**
17886 * @param {enums.hash} hash - Hash algorithm
17887 * @param {enums.symmetric} cipher - Symmetric algorithm
17888 */
17889 constructor(data) {
17890 if (data) {
17891 const { hash, cipher } = data;
17892 this.hash = hash;
17893 this.cipher = cipher;
17894 } else {
17895 this.hash = null;
17896 this.cipher = null;
17897 }
17898 }
17899
17900 /**
17901 * Read KDFParams from an Uint8Array
17902 * @param {Uint8Array} input - Where to read the KDFParams from
17903 * @returns {Number} Number of read bytes.
17904 */
17905 read(input) {
17906 if (input.length < 4 || input[0] !== 3 || input[1] !== 1) {
17907 throw new Error('Cannot read KDFParams');
17908 }
17909 this.hash = input[2];
17910 this.cipher = input[3];
17911 return 4;
17912 }
17913
17914 /**
17915 * Write KDFParams to an Uint8Array
17916 * @returns {Uint8Array} Array with the KDFParams value
17917 */
17918 write() {
17919 return new Uint8Array([3, 1, this.hash, this.cipher]);
17920 }
17921 }
17922
17923 // GPG4Browsers - An OpenPGP implementation in javascript
17924
17925 /**
17926 * Encrypts data using specified algorithm and public key parameters.
17927 * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1} for public key algorithms.
17928 * @param {module:enums.publicKey} algo - Public key algorithm
17929 * @param {Object} publicParams - Algorithm-specific public key parameters
17930 * @param {Uint8Array} data - Data to be encrypted
17931 * @param {Uint8Array} fingerprint - Recipient fingerprint
17932 * @returns {Object} Encrypted session key parameters.
17933 * @async
17934 */
17935 async function publicKeyEncrypt(algo, publicParams, data, fingerprint) {
17936 switch (algo) {
17937 case enums.publicKey.rsaEncrypt:
17938 case enums.publicKey.rsaEncryptSign: {
17939 const { n, e } = publicParams;
17940 const c = await publicKey.rsa.encrypt(data, n, e);
17941 return { c };
17942 }
17943 case enums.publicKey.elgamal: {
17944 const { p, g, y } = publicParams;
17945 return publicKey.elgamal.encrypt(data, p, g, y);
17946 }
17947 case enums.publicKey.ecdh: {
17948 const { oid, Q, kdfParams } = publicParams;
17949 const { publicKey: V, wrappedKey: C } = await publicKey.elliptic.ecdh.encrypt(
17950 oid, kdfParams, data, Q, fingerprint);
17951 return { V, C: new ECDHSymmetricKey(C) };
17952 }
17953 default:
17954 return [];
17955 }
17956 }
17957
17958 /**
17959 * Decrypts data using specified algorithm and private key parameters.
17960 * See {@link https://tools.ietf.org/html/rfc4880#section-5.5.3|RFC 4880 5.5.3}
17961 * @param {module:enums.publicKey} algo - Public key algorithm
17962 * @param {Object} publicKeyParams - Algorithm-specific public key parameters
17963 * @param {Object} privateKeyParams - Algorithm-specific private key parameters
17964 * @param {Object} sessionKeyParams - Encrypted session key parameters
17965 * @param {Uint8Array} fingerprint - Recipient fingerprint
17966 * @returns {Uint8Array} Decrypted data.
17967 * @async
17968 */
17969 async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams, sessionKeyParams, fingerprint) {
17970 switch (algo) {
17971 case enums.publicKey.rsaEncryptSign:
17972 case enums.publicKey.rsaEncrypt: {
17973 const { c } = sessionKeyParams;
17974 const { n, e } = publicKeyParams;
17975 const { d, p, q, u } = privateKeyParams;
17976 return publicKey.rsa.decrypt(c, n, e, d, p, q, u);
17977 }
17978 case enums.publicKey.elgamal: {
17979 const { c1, c2 } = sessionKeyParams;
17980 const p = publicKeyParams.p;
17981 const x = privateKeyParams.x;
17982 return publicKey.elgamal.decrypt(c1, c2, p, x);
17983 }
17984 case enums.publicKey.ecdh: {
17985 const { oid, Q, kdfParams } = publicKeyParams;
17986 const { d } = privateKeyParams;
17987 const { V, C } = sessionKeyParams;
17988 return publicKey.elliptic.ecdh.decrypt(
17989 oid, kdfParams, V, C.data, Q, d, fingerprint);
17990 }
17991 default:
17992 throw new Error('Invalid public key encryption algorithm.');
17993 }
17994 }
17995
17996 /**
17997 * Parse public key material in binary form to get the key parameters
17998 * @param {module:enums.publicKey} algo - The key algorithm
17999 * @param {Uint8Array} bytes - The key material to parse
18000 * @returns {{ read: Number, publicParams: Object }} Number of read bytes plus key parameters referenced by name.
18001 */
18002 function parsePublicKeyParams(algo, bytes) {
18003 let read = 0;
18004 switch (algo) {
18005 case enums.publicKey.rsaEncrypt:
18006 case enums.publicKey.rsaEncryptSign:
18007 case enums.publicKey.rsaSign: {
18008 const n = util.readMPI(bytes.subarray(read)); read += n.length + 2;
18009 const e = util.readMPI(bytes.subarray(read)); read += e.length + 2;
18010 return { read, publicParams: { n, e } };
18011 }
18012 case enums.publicKey.dsa: {
18013 const p = util.readMPI(bytes.subarray(read)); read += p.length + 2;
18014 const q = util.readMPI(bytes.subarray(read)); read += q.length + 2;
18015 const g = util.readMPI(bytes.subarray(read)); read += g.length + 2;
18016 const y = util.readMPI(bytes.subarray(read)); read += y.length + 2;
18017 return { read, publicParams: { p, q, g, y } };
18018 }
18019 case enums.publicKey.elgamal: {
18020 const p = util.readMPI(bytes.subarray(read)); read += p.length + 2;
18021 const g = util.readMPI(bytes.subarray(read)); read += g.length + 2;
18022 const y = util.readMPI(bytes.subarray(read)); read += y.length + 2;
18023 return { read, publicParams: { p, g, y } };
18024 }
18025 case enums.publicKey.ecdsa: {
18026 const oid = new OID(); read += oid.read(bytes);
18027 const Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
18028 return { read: read, publicParams: { oid, Q } };
18029 }
18030 case enums.publicKey.eddsa: {
18031 const oid = new OID(); read += oid.read(bytes);
18032 let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
18033 Q = util.leftPad(Q, 33);
18034 return { read: read, publicParams: { oid, Q } };
18035 }
18036 case enums.publicKey.ecdh: {
18037 const oid = new OID(); read += oid.read(bytes);
18038 const Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
18039 const kdfParams = new KDFParams(); read += kdfParams.read(bytes.subarray(read));
18040 return { read: read, publicParams: { oid, Q, kdfParams } };
18041 }
18042 default:
18043 throw new Error('Invalid public key encryption algorithm.');
18044 }
18045 }
18046
18047 /**
18048 * Parse private key material in binary form to get the key parameters
18049 * @param {module:enums.publicKey} algo - The key algorithm
18050 * @param {Uint8Array} bytes - The key material to parse
18051 * @param {Object} publicParams - (ECC only) public params, needed to format some private params
18052 * @returns {{ read: Number, privateParams: Object }} Number of read bytes plus the key parameters referenced by name.
18053 */
18054 function parsePrivateKeyParams(algo, bytes, publicParams) {
18055 let read = 0;
18056 switch (algo) {
18057 case enums.publicKey.rsaEncrypt:
18058 case enums.publicKey.rsaEncryptSign:
18059 case enums.publicKey.rsaSign: {
18060 const d = util.readMPI(bytes.subarray(read)); read += d.length + 2;
18061 const p = util.readMPI(bytes.subarray(read)); read += p.length + 2;
18062 const q = util.readMPI(bytes.subarray(read)); read += q.length + 2;
18063 const u = util.readMPI(bytes.subarray(read)); read += u.length + 2;
18064 return { read, privateParams: { d, p, q, u } };
18065 }
18066 case enums.publicKey.dsa:
18067 case enums.publicKey.elgamal: {
18068 const x = util.readMPI(bytes.subarray(read)); read += x.length + 2;
18069 return { read, privateParams: { x } };
18070 }
18071 case enums.publicKey.ecdsa:
18072 case enums.publicKey.ecdh: {
18073 const curve = new Curve(publicParams.oid);
18074 let d = util.readMPI(bytes.subarray(read)); read += d.length + 2;
18075 d = util.leftPad(d, curve.payloadSize);
18076 return { read, privateParams: { d } };
18077 }
18078 case enums.publicKey.eddsa: {
18079 let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;
18080 seed = util.leftPad(seed, 32);
18081 return { read, privateParams: { seed } };
18082 }
18083 default:
18084 throw new Error('Invalid public key encryption algorithm.');
18085 }
18086 }
18087
18088 /** Returns the types comprising the encrypted session key of an algorithm
18089 * @param {module:enums.publicKey} algo - The key algorithm
18090 * @param {Uint8Array} bytes - The key material to parse
18091 * @returns {Object} The session key parameters referenced by name.
18092 */
18093 function parseEncSessionKeyParams(algo, bytes) {
18094 let read = 0;
18095 switch (algo) {
18096 // Algorithm-Specific Fields for RSA encrypted session keys:
18097 // - MPI of RSA encrypted value m**e mod n.
18098 case enums.publicKey.rsaEncrypt:
18099 case enums.publicKey.rsaEncryptSign: {
18100 const c = util.readMPI(bytes.subarray(read));
18101 return { c };
18102 }
18103
18104 // Algorithm-Specific Fields for Elgamal encrypted session keys:
18105 // - MPI of Elgamal value g**k mod p
18106 // - MPI of Elgamal value m * y**k mod p
18107 case enums.publicKey.elgamal: {
18108 const c1 = util.readMPI(bytes.subarray(read)); read += c1.length + 2;
18109 const c2 = util.readMPI(bytes.subarray(read));
18110 return { c1, c2 };
18111 }
18112 // Algorithm-Specific Fields for ECDH encrypted session keys:
18113 // - MPI containing the ephemeral key used to establish the shared secret
18114 // - ECDH Symmetric Key
18115 case enums.publicKey.ecdh: {
18116 const V = util.readMPI(bytes.subarray(read)); read += V.length + 2;
18117 const C = new ECDHSymmetricKey(); C.read(bytes.subarray(read));
18118 return { V, C };
18119 }
18120 default:
18121 throw new Error('Invalid public key encryption algorithm.');
18122 }
18123 }
18124
18125 /**
18126 * Convert params to MPI and serializes them in the proper order
18127 * @param {module:enums.publicKey} algo - The public key algorithm
18128 * @param {Object} params - The key parameters indexed by name
18129 * @returns {Uint8Array} The array containing the MPIs.
18130 */
18131 function serializeParams(algo, params) {
18132 const orderedParams = Object.keys(params).map(name => {
18133 const param = params[name];
18134 return util.isUint8Array(param) ? util.uint8ArrayToMpi(param) : param.write();
18135 });
18136 return util.concatUint8Array(orderedParams);
18137 }
18138
18139 /**
18140 * Generate algorithm-specific key parameters
18141 * @param {module:enums.publicKey} algo - The public key algorithm
18142 * @param {Integer} bits - Bit length for RSA keys
18143 * @param {module:type/oid} oid - Object identifier for ECC keys
18144 * @returns {{ publicParams: {Object}, privateParams: {Object} }} The parameters referenced by name.
18145 * @async
18146 */
18147 function generateParams(algo, bits, oid) {
18148 switch (algo) {
18149 case enums.publicKey.rsaEncrypt:
18150 case enums.publicKey.rsaEncryptSign:
18151 case enums.publicKey.rsaSign: {
18152 return publicKey.rsa.generate(bits, 65537).then(({ n, e, d, p, q, u }) => ({
18153 privateParams: { d, p, q, u },
18154 publicParams: { n, e }
18155 }));
18156 }
18157 case enums.publicKey.ecdsa:
18158 return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({
18159 privateParams: { d: secret },
18160 publicParams: { oid: new OID(oid), Q }
18161 }));
18162 case enums.publicKey.eddsa:
18163 return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({
18164 privateParams: { seed: secret },
18165 publicParams: { oid: new OID(oid), Q }
18166 }));
18167 case enums.publicKey.ecdh:
18168 return publicKey.elliptic.generate(oid).then(({ oid, Q, secret, hash, cipher }) => ({
18169 privateParams: { d: secret },
18170 publicParams: {
18171 oid: new OID(oid),
18172 Q,
18173 kdfParams: new KDFParams({ hash, cipher })
18174 }
18175 }));
18176 case enums.publicKey.dsa:
18177 case enums.publicKey.elgamal:
18178 throw new Error('Unsupported algorithm for key generation.');
18179 default:
18180 throw new Error('Invalid public key algorithm.');
18181 }
18182 }
18183
18184 /**
18185 * Validate algorithm-specific key parameters
18186 * @param {module:enums.publicKey} algo - The public key algorithm
18187 * @param {Object} publicParams - Algorithm-specific public key parameters
18188 * @param {Object} privateParams - Algorithm-specific private key parameters
18189 * @returns {Boolean} Whether the parameters are valid.
18190 * @async
18191 */
18192 async function validateParams$6(algo, publicParams, privateParams) {
18193 if (!publicParams || !privateParams) {
18194 throw new Error('Missing key parameters');
18195 }
18196 switch (algo) {
18197 case enums.publicKey.rsaEncrypt:
18198 case enums.publicKey.rsaEncryptSign:
18199 case enums.publicKey.rsaSign: {
18200 const { n, e } = publicParams;
18201 const { d, p, q, u } = privateParams;
18202 return publicKey.rsa.validateParams(n, e, d, p, q, u);
18203 }
18204 case enums.publicKey.dsa: {
18205 const { p, q, g, y } = publicParams;
18206 const { x } = privateParams;
18207 return publicKey.dsa.validateParams(p, q, g, y, x);
18208 }
18209 case enums.publicKey.elgamal: {
18210 const { p, g, y } = publicParams;
18211 const { x } = privateParams;
18212 return publicKey.elgamal.validateParams(p, g, y, x);
18213 }
18214 case enums.publicKey.ecdsa:
18215 case enums.publicKey.ecdh: {
18216 const algoModule = publicKey.elliptic[enums.read(enums.publicKey, algo)];
18217 const { oid, Q } = publicParams;
18218 const { d } = privateParams;
18219 return algoModule.validateParams(oid, Q, d);
18220 }
18221 case enums.publicKey.eddsa: {
18222 const { oid, Q } = publicParams;
18223 const { seed } = privateParams;
18224 return publicKey.elliptic.eddsa.validateParams(oid, Q, seed);
18225 }
18226 default:
18227 throw new Error('Invalid public key algorithm.');
18228 }
18229 }
18230
18231 /**
18232 * Generates a random byte prefix for the specified algorithm
18233 * See {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC 4880 9.2} for algorithms.
18234 * @param {module:enums.symmetric} algo - Symmetric encryption algorithm
18235 * @returns {Uint8Array} Random bytes with length equal to the block size of the cipher, plus the last two bytes repeated.
18236 * @async
18237 */
18238 async function getPrefixRandom(algo) {
18239 const prefixrandom = await getRandomBytes(cipher[algo].blockSize);
18240 const repeat = new Uint8Array([prefixrandom[prefixrandom.length - 2], prefixrandom[prefixrandom.length - 1]]);
18241 return util.concat([prefixrandom, repeat]);
18242 }
18243
18244 /**
18245 * Generating a session key for the specified symmetric algorithm
18246 * See {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC 4880 9.2} for algorithms.
18247 * @param {module:enums.symmetric} algo - Symmetric encryption algorithm
18248 * @returns {Uint8Array} Random bytes as a string to be used as a key.
18249 * @async
18250 */
18251 function generateSessionKey(algo) {
18252 return getRandomBytes(cipher[algo].keySize);
18253 }
18254
18255 var crypto$1 = /*#__PURE__*/Object.freeze({
18256 __proto__: null,
18257 publicKeyEncrypt: publicKeyEncrypt,
18258 publicKeyDecrypt: publicKeyDecrypt,
18259 parsePublicKeyParams: parsePublicKeyParams,
18260 parsePrivateKeyParams: parsePrivateKeyParams,
18261 parseEncSessionKeyParams: parseEncSessionKeyParams,
18262 serializeParams: serializeParams,
18263 generateParams: generateParams,
18264 validateParams: validateParams$6,
18265 getPrefixRandom: getPrefixRandom,
18266 generateSessionKey: generateSessionKey
18267 });
18268
18269 /**
18270 * @fileoverview Provides access to all cryptographic primitives used in OpenPGP.js
18271 * @see module:crypto/crypto
18272 * @see module:crypto/signature
18273 * @see module:crypto/public_key
18274 * @see module:crypto/cipher
18275 * @see module:crypto/random
18276 * @see module:crypto/hash
18277 * @module crypto
18278 * @private
18279 */
18280
18281 // TODO move cfb and gcm to cipher
18282 const mod = {
18283 /** @see module:crypto/cipher */
18284 cipher: cipher,
18285 /** @see module:crypto/hash */
18286 hash: hash,
18287 /** @see module:crypto/cfb */
18288 cfb: cfb,
18289 /** @see module:crypto/gcm */
18290 gcm: GCM,
18291 experimentalGcm: GCM,
18292 /** @see module:crypto/eax */
18293 eax: EAX,
18294 /** @see module:crypto/ocb */
18295 ocb: OCB,
18296 /** @see module:crypto/public_key */
18297 publicKey: publicKey,
18298 /** @see module:crypto/signature */
18299 signature: signature,
18300 /** @see module:crypto/random */
18301 random: random,
18302 /** @see module:crypto/pkcs1 */
18303 pkcs1: pkcs1,
18304 /** @see module:crypto/pkcs5 */
18305 pkcs5: pkcs5,
18306 /** @see module:crypto/aes_kw */
18307 aes_kw: aes_kw
18308 };
18309
18310 Object.assign(mod, crypto$1);
18311
18312 var TYPED_OK = typeof Uint8Array !== "undefined" &&
18313 typeof Uint16Array !== "undefined" &&
18314 typeof Int32Array !== "undefined";
18315
18316
18317 // reduce buffer size, avoiding mem copy
18318 function shrinkBuf(buf, size) {
18319 if (buf.length === size) {
18320 return buf;
18321 }
18322 if (buf.subarray) {
18323 return buf.subarray(0, size);
18324 }
18325 buf.length = size;
18326 return buf;
18327 }
18328
18329
18330 const fnTyped = {
18331 arraySet: function (dest, src, src_offs, len, dest_offs) {
18332 if (src.subarray && dest.subarray) {
18333 dest.set(src.subarray(src_offs, src_offs + len), dest_offs);
18334 return;
18335 }
18336 // Fallback to ordinary array
18337 for (let i = 0; i < len; i++) {
18338 dest[dest_offs + i] = src[src_offs + i];
18339 }
18340 },
18341 // Join array of chunks to single array.
18342 flattenChunks: function (chunks) {
18343 let i, l, len, pos, chunk;
18344
18345 // calculate data length
18346 len = 0;
18347 for (i = 0, l = chunks.length; i < l; i++) {
18348 len += chunks[i].length;
18349 }
18350
18351 // join chunks
18352 const result = new Uint8Array(len);
18353 pos = 0;
18354 for (i = 0, l = chunks.length; i < l; i++) {
18355 chunk = chunks[i];
18356 result.set(chunk, pos);
18357 pos += chunk.length;
18358 }
18359
18360 return result;
18361 }
18362 };
18363
18364 const fnUntyped = {
18365 arraySet: function (dest, src, src_offs, len, dest_offs) {
18366 for (let i = 0; i < len; i++) {
18367 dest[dest_offs + i] = src[src_offs + i];
18368 }
18369 },
18370 // Join array of chunks to single array.
18371 flattenChunks: function (chunks) {
18372 return [].concat.apply([], chunks);
18373 }
18374 };
18375
18376
18377 // Enable/Disable typed arrays use, for testing
18378 //
18379
18380 let Buf8 = TYPED_OK ? Uint8Array : Array;
18381 let Buf16 = TYPED_OK ? Uint16Array : Array;
18382 let Buf32 = TYPED_OK ? Int32Array : Array;
18383 let flattenChunks = TYPED_OK ? fnTyped.flattenChunks : fnUntyped.flattenChunks;
18384 let arraySet = TYPED_OK ? fnTyped.arraySet : fnUntyped.arraySet;
18385
18386 // (C) 1995-2013 Jean-loup Gailly and Mark Adler
18387 // (C) 2014-2017 Vitaly Puzrin and Andrey Tupitsin
18388 //
18389 // This software is provided 'as-is', without any express or implied
18390 // warranty. In no event will the authors be held liable for any damages
18391 // arising from the use of this software.
18392 //
18393 // Permission is granted to anyone to use this software for any purpose,
18394 // including commercial applications, and to alter it and redistribute it
18395 // freely, subject to the following restrictions:
18396 //
18397 // 1. The origin of this software must not be misrepresented; you must not
18398 // claim that you wrote the original software. If you use this software
18399 // in a product, an acknowledgment in the product documentation would be
18400 // appreciated but is not required.
18401 // 2. Altered source versions must be plainly marked as such, and must not be
18402 // misrepresented as being the original software.
18403 // 3. This notice may not be removed or altered from any source distribution.
18404
18405 /* Allowed flush values; see deflate() and inflate() below for details */
18406 const Z_NO_FLUSH = 0;
18407 const Z_PARTIAL_FLUSH = 1;
18408 const Z_SYNC_FLUSH = 2;
18409 const Z_FULL_FLUSH = 3;
18410 const Z_FINISH = 4;
18411 const Z_BLOCK = 5;
18412 const Z_TREES = 6;
18413
18414 /* Return codes for the compression/decompression functions. Negative values
18415 * are errors, positive values are used for special but normal events.
18416 */
18417 const Z_OK = 0;
18418 const Z_STREAM_END = 1;
18419 const Z_NEED_DICT = 2;
18420 const Z_STREAM_ERROR = -2;
18421 const Z_DATA_ERROR = -3;
18422 //export const Z_MEM_ERROR = -4;
18423 const Z_BUF_ERROR = -5;
18424 const Z_DEFAULT_COMPRESSION = -1;
18425
18426
18427 const Z_FILTERED = 1;
18428 const Z_HUFFMAN_ONLY = 2;
18429 const Z_RLE = 3;
18430 const Z_FIXED = 4;
18431 const Z_DEFAULT_STRATEGY = 0;
18432
18433 /* Possible values of the data_type field (though see inflate()) */
18434 const Z_BINARY = 0;
18435 const Z_TEXT = 1;
18436 //export const Z_ASCII = 1; // = Z_TEXT (deprecated)
18437 const Z_UNKNOWN = 2;
18438
18439 /* The deflate compression method */
18440 const Z_DEFLATED = 8;
18441 //export const Z_NULL = null // Use -1 or null inline, depending on var type
18442
18443 /*============================================================================*/
18444
18445
18446 function zero$1(buf) {
18447 let len = buf.length; while (--len >= 0) {
18448 buf[len] = 0;
18449 }
18450 }
18451
18452 // From zutil.h
18453
18454 const STORED_BLOCK = 0;
18455 const STATIC_TREES = 1;
18456 const DYN_TREES = 2;
18457 /* The three kinds of block type */
18458
18459 const MIN_MATCH = 3;
18460 const MAX_MATCH = 258;
18461 /* The minimum and maximum match lengths */
18462
18463 // From deflate.h
18464 /* ===========================================================================
18465 * Internal compression state.
18466 */
18467
18468 const LENGTH_CODES = 29;
18469 /* number of length codes, not counting the special END_BLOCK code */
18470
18471 const LITERALS = 256;
18472 /* number of literal bytes 0..255 */
18473
18474 const L_CODES = LITERALS + 1 + LENGTH_CODES;
18475 /* number of Literal or Length codes, including the END_BLOCK code */
18476
18477 const D_CODES = 30;
18478 /* number of distance codes */
18479
18480 const BL_CODES = 19;
18481 /* number of codes used to transfer the bit lengths */
18482
18483 const HEAP_SIZE = 2 * L_CODES + 1;
18484 /* maximum heap size */
18485
18486 const MAX_BITS = 15;
18487 /* All codes must not exceed MAX_BITS bits */
18488
18489 const Buf_size = 16;
18490 /* size of bit buffer in bi_buf */
18491
18492
18493 /* ===========================================================================
18494 * Constants
18495 */
18496
18497 const MAX_BL_BITS = 7;
18498 /* Bit length codes must not exceed MAX_BL_BITS bits */
18499
18500 const END_BLOCK = 256;
18501 /* end of block literal code */
18502
18503 const REP_3_6 = 16;
18504 /* repeat previous bit length 3-6 times (2 bits of repeat count) */
18505
18506 const REPZ_3_10 = 17;
18507 /* repeat a zero length 3-10 times (3 bits of repeat count) */
18508
18509 const REPZ_11_138 = 18;
18510 /* repeat a zero length 11-138 times (7 bits of repeat count) */
18511
18512 /* eslint-disable comma-spacing,array-bracket-spacing */
18513 const extra_lbits = /* extra bits for each length code */
18514 [0,0,0,0,0,0,0,0,1,1,1,1,2,2,2,2,3,3,3,3,4,4,4,4,5,5,5,5,0];
18515
18516 const extra_dbits = /* extra bits for each distance code */
18517 [0,0,0,0,1,1,2,2,3,3,4,4,5,5,6,6,7,7,8,8,9,9,10,10,11,11,12,12,13,13];
18518
18519 const extra_blbits = /* extra bits for each bit length code */
18520 [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,3,7];
18521
18522 const bl_order =
18523 [16,17,18,0,8,7,9,6,10,5,11,4,12,3,13,2,14,1,15];
18524 /* eslint-enable comma-spacing,array-bracket-spacing */
18525
18526 /* The lengths of the bit length codes are sent in order of decreasing
18527 * probability, to avoid transmitting the lengths for unused bit length codes.
18528 */
18529
18530 /* ===========================================================================
18531 * Local data. These are initialized only once.
18532 */
18533
18534 // We pre-fill arrays with 0 to avoid uninitialized gaps
18535
18536 const DIST_CODE_LEN = 512; /* see definition of array dist_code below */
18537
18538 // !!!! Use flat array instead of structure, Freq = i*2, Len = i*2+1
18539 const static_ltree = new Array((L_CODES + 2) * 2);
18540 zero$1(static_ltree);
18541 /* The static literal tree. Since the bit lengths are imposed, there is no
18542 * need for the L_CODES extra codes used during heap construction. However
18543 * The codes 286 and 287 are needed to build a canonical tree (see _tr_init
18544 * below).
18545 */
18546
18547 const static_dtree = new Array(D_CODES * 2);
18548 zero$1(static_dtree);
18549 /* The static distance tree. (Actually a trivial tree since all codes use
18550 * 5 bits.)
18551 */
18552
18553 const _dist_code = new Array(DIST_CODE_LEN);
18554 zero$1(_dist_code);
18555 /* Distance codes. The first 256 values correspond to the distances
18556 * 3 .. 258, the last 256 values correspond to the top 8 bits of
18557 * the 15 bit distances.
18558 */
18559
18560 const _length_code = new Array(MAX_MATCH - MIN_MATCH + 1);
18561 zero$1(_length_code);
18562 /* length code for each normalized match length (0 == MIN_MATCH) */
18563
18564 const base_length = new Array(LENGTH_CODES);
18565 zero$1(base_length);
18566 /* First normalized length for each code (0 = MIN_MATCH) */
18567
18568 const base_dist = new Array(D_CODES);
18569 zero$1(base_dist);
18570 /* First normalized distance for each code (0 = distance of 1) */
18571
18572
18573 function StaticTreeDesc(static_tree, extra_bits, extra_base, elems, max_length) {
18574
18575 this.static_tree = static_tree; /* static tree or NULL */
18576 this.extra_bits = extra_bits; /* extra bits for each code or NULL */
18577 this.extra_base = extra_base; /* base index for extra_bits */
18578 this.elems = elems; /* max number of elements in the tree */
18579 this.max_length = max_length; /* max bit length for the codes */
18580
18581 // show if `static_tree` has data or dummy - needed for monomorphic objects
18582 this.has_stree = static_tree && static_tree.length;
18583 }
18584
18585
18586 let static_l_desc;
18587 let static_d_desc;
18588 let static_bl_desc;
18589
18590
18591 function TreeDesc(dyn_tree, stat_desc) {
18592 this.dyn_tree = dyn_tree; /* the dynamic tree */
18593 this.max_code = 0; /* largest code with non zero frequency */
18594 this.stat_desc = stat_desc; /* the corresponding static tree */
18595 }
18596
18597
18598
18599 function d_code(dist) {
18600 return dist < 256 ? _dist_code[dist] : _dist_code[256 + (dist >>> 7)];
18601 }
18602
18603
18604 /* ===========================================================================
18605 * Output a short LSB first on the stream.
18606 * IN assertion: there is enough room in pendingBuf.
18607 */
18608 function put_short(s, w) {
18609 // put_byte(s, (uch)((w) & 0xff));
18610 // put_byte(s, (uch)((ush)(w) >> 8));
18611 s.pending_buf[s.pending++] = w & 0xff;
18612 s.pending_buf[s.pending++] = w >>> 8 & 0xff;
18613 }
18614
18615
18616 /* ===========================================================================
18617 * Send a value on a given number of bits.
18618 * IN assertion: length <= 16 and value fits in length bits.
18619 */
18620 function send_bits(s, value, length) {
18621 if (s.bi_valid > Buf_size - length) {
18622 s.bi_buf |= value << s.bi_valid & 0xffff;
18623 put_short(s, s.bi_buf);
18624 s.bi_buf = value >> Buf_size - s.bi_valid;
18625 s.bi_valid += length - Buf_size;
18626 } else {
18627 s.bi_buf |= value << s.bi_valid & 0xffff;
18628 s.bi_valid += length;
18629 }
18630 }
18631
18632
18633 function send_code(s, c, tree) {
18634 send_bits(s, tree[c * 2]/*.Code*/, tree[c * 2 + 1]/*.Len*/);
18635 }
18636
18637
18638 /* ===========================================================================
18639 * Reverse the first len bits of a code, using straightforward code (a faster
18640 * method would use a table)
18641 * IN assertion: 1 <= len <= 15
18642 */
18643 function bi_reverse(code, len) {
18644 let res = 0;
18645 do {
18646 res |= code & 1;
18647 code >>>= 1;
18648 res <<= 1;
18649 } while (--len > 0);
18650 return res >>> 1;
18651 }
18652
18653
18654 /* ===========================================================================
18655 * Flush the bit buffer, keeping at most 7 bits in it.
18656 */
18657 function bi_flush(s) {
18658 if (s.bi_valid === 16) {
18659 put_short(s, s.bi_buf);
18660 s.bi_buf = 0;
18661 s.bi_valid = 0;
18662
18663 } else if (s.bi_valid >= 8) {
18664 s.pending_buf[s.pending++] = s.bi_buf & 0xff;
18665 s.bi_buf >>= 8;
18666 s.bi_valid -= 8;
18667 }
18668 }
18669
18670
18671 /* ===========================================================================
18672 * Compute the optimal bit lengths for a tree and update the total bit length
18673 * for the current block.
18674 * IN assertion: the fields freq and dad are set, heap[heap_max] and
18675 * above are the tree nodes sorted by increasing frequency.
18676 * OUT assertions: the field len is set to the optimal bit length, the
18677 * array bl_count contains the frequencies for each bit length.
18678 * The length opt_len is updated; static_len is also updated if stree is
18679 * not null.
18680 */
18681 function gen_bitlen(s, desc)
18682 // deflate_state *s;
18683 // tree_desc *desc; /* the tree descriptor */
18684 {
18685 const tree = desc.dyn_tree;
18686 const max_code = desc.max_code;
18687 const stree = desc.stat_desc.static_tree;
18688 const has_stree = desc.stat_desc.has_stree;
18689 const extra = desc.stat_desc.extra_bits;
18690 const base = desc.stat_desc.extra_base;
18691 const max_length = desc.stat_desc.max_length;
18692 let h; /* heap index */
18693 let n, m; /* iterate over the tree elements */
18694 let bits; /* bit length */
18695 let xbits; /* extra bits */
18696 let f; /* frequency */
18697 let overflow = 0; /* number of elements with bit length too large */
18698
18699 for (bits = 0; bits <= MAX_BITS; bits++) {
18700 s.bl_count[bits] = 0;
18701 }
18702
18703 /* In a first pass, compute the optimal bit lengths (which may
18704 * overflow in the case of the bit length tree).
18705 */
18706 tree[s.heap[s.heap_max] * 2 + 1]/*.Len*/ = 0; /* root of the heap */
18707
18708 for (h = s.heap_max + 1; h < HEAP_SIZE; h++) {
18709 n = s.heap[h];
18710 bits = tree[tree[n * 2 + 1]/*.Dad*/ * 2 + 1]/*.Len*/ + 1;
18711 if (bits > max_length) {
18712 bits = max_length;
18713 overflow++;
18714 }
18715 tree[n * 2 + 1]/*.Len*/ = bits;
18716 /* We overwrite tree[n].Dad which is no longer needed */
18717
18718 if (n > max_code) {
18719 continue;
18720 } /* not a leaf node */
18721
18722 s.bl_count[bits]++;
18723 xbits = 0;
18724 if (n >= base) {
18725 xbits = extra[n - base];
18726 }
18727 f = tree[n * 2]/*.Freq*/;
18728 s.opt_len += f * (bits + xbits);
18729 if (has_stree) {
18730 s.static_len += f * (stree[n * 2 + 1]/*.Len*/ + xbits);
18731 }
18732 }
18733 if (overflow === 0) {
18734 return;
18735 }
18736
18737 // Trace((stderr,"\nbit length overflow\n"));
18738 /* This happens for example on obj2 and pic of the Calgary corpus */
18739
18740 /* Find the first bit length which could increase: */
18741 do {
18742 bits = max_length - 1;
18743 while (s.bl_count[bits] === 0) {
18744 bits--;
18745 }
18746 s.bl_count[bits]--; /* move one leaf down the tree */
18747 s.bl_count[bits + 1] += 2; /* move one overflow item as its brother */
18748 s.bl_count[max_length]--;
18749 /* The brother of the overflow item also moves one step up,
18750 * but this does not affect bl_count[max_length]
18751 */
18752 overflow -= 2;
18753 } while (overflow > 0);
18754
18755 /* Now recompute all bit lengths, scanning in increasing frequency.
18756 * h is still equal to HEAP_SIZE. (It is simpler to reconstruct all
18757 * lengths instead of fixing only the wrong ones. This idea is taken
18758 * from 'ar' written by Haruhiko Okumura.)
18759 */
18760 for (bits = max_length; bits !== 0; bits--) {
18761 n = s.bl_count[bits];
18762 while (n !== 0) {
18763 m = s.heap[--h];
18764 if (m > max_code) {
18765 continue;
18766 }
18767 if (tree[m * 2 + 1]/*.Len*/ !== bits) {
18768 // Trace((stderr,"code %d bits %d->%d\n", m, tree[m].Len, bits));
18769 s.opt_len += (bits - tree[m * 2 + 1]/*.Len*/) * tree[m * 2]/*.Freq*/;
18770 tree[m * 2 + 1]/*.Len*/ = bits;
18771 }
18772 n--;
18773 }
18774 }
18775 }
18776
18777
18778 /* ===========================================================================
18779 * Generate the codes for a given tree and bit counts (which need not be
18780 * optimal).
18781 * IN assertion: the array bl_count contains the bit length statistics for
18782 * the given tree and the field len is set for all tree elements.
18783 * OUT assertion: the field code is set for all tree elements of non
18784 * zero code length.
18785 */
18786 function gen_codes(tree, max_code, bl_count)
18787 // ct_data *tree; /* the tree to decorate */
18788 // int max_code; /* largest code with non zero frequency */
18789 // ushf *bl_count; /* number of codes at each bit length */
18790 {
18791 const next_code = new Array(MAX_BITS + 1); /* next code value for each bit length */
18792 let code = 0; /* running code value */
18793 let bits; /* bit index */
18794 let n; /* code index */
18795
18796 /* The distribution counts are first used to generate the code values
18797 * without bit reversal.
18798 */
18799 for (bits = 1; bits <= MAX_BITS; bits++) {
18800 next_code[bits] = code = code + bl_count[bits - 1] << 1;
18801 }
18802 /* Check that the bit counts in bl_count are consistent. The last code
18803 * must be all ones.
18804 */
18805 //Assert (code + bl_count[MAX_BITS]-1 == (1<<MAX_BITS)-1,
18806 // "inconsistent bit counts");
18807 //Tracev((stderr,"\ngen_codes: max_code %d ", max_code));
18808
18809 for (n = 0; n <= max_code; n++) {
18810 const len = tree[n * 2 + 1]/*.Len*/;
18811 if (len === 0) {
18812 continue;
18813 }
18814 /* Now reverse the bits */
18815 tree[n * 2]/*.Code*/ = bi_reverse(next_code[len]++, len);
18816
18817 //Tracecv(tree != static_ltree, (stderr,"\nn %3d %c l %2d c %4x (%x) ",
18818 // n, (isgraph(n) ? n : ' '), len, tree[n].Code, next_code[len]-1));
18819 }
18820 }
18821
18822
18823 /* ===========================================================================
18824 * Initialize the various 'constant' tables.
18825 */
18826 function tr_static_init() {
18827 let n; /* iterates over tree elements */
18828 let bits; /* bit counter */
18829 let length; /* length value */
18830 let code; /* code value */
18831 let dist; /* distance index */
18832 const bl_count = new Array(MAX_BITS + 1);
18833 /* number of codes at each bit length for an optimal tree */
18834
18835 // do check in _tr_init()
18836 //if (static_init_done) return;
18837
18838 /* For some embedded targets, global variables are not initialized: */
18839 /*#ifdef NO_INIT_GLOBAL_POINTERS
18840 static_l_desc.static_tree = static_ltree;
18841 static_l_desc.extra_bits = extra_lbits;
18842 static_d_desc.static_tree = static_dtree;
18843 static_d_desc.extra_bits = extra_dbits;
18844 static_bl_desc.extra_bits = extra_blbits;
18845 #endif*/
18846
18847 /* Initialize the mapping length (0..255) -> length code (0..28) */
18848 length = 0;
18849 for (code = 0; code < LENGTH_CODES - 1; code++) {
18850 base_length[code] = length;
18851 for (n = 0; n < 1 << extra_lbits[code]; n++) {
18852 _length_code[length++] = code;
18853 }
18854 }
18855 //Assert (length == 256, "tr_static_init: length != 256");
18856 /* Note that the length 255 (match length 258) can be represented
18857 * in two different ways: code 284 + 5 bits or code 285, so we
18858 * overwrite length_code[255] to use the best encoding:
18859 */
18860 _length_code[length - 1] = code;
18861
18862 /* Initialize the mapping dist (0..32K) -> dist code (0..29) */
18863 dist = 0;
18864 for (code = 0; code < 16; code++) {
18865 base_dist[code] = dist;
18866 for (n = 0; n < 1 << extra_dbits[code]; n++) {
18867 _dist_code[dist++] = code;
18868 }
18869 }
18870 //Assert (dist == 256, "tr_static_init: dist != 256");
18871 dist >>= 7; /* from now on, all distances are divided by 128 */
18872 for (; code < D_CODES; code++) {
18873 base_dist[code] = dist << 7;
18874 for (n = 0; n < 1 << extra_dbits[code] - 7; n++) {
18875 _dist_code[256 + dist++] = code;
18876 }
18877 }
18878 //Assert (dist == 256, "tr_static_init: 256+dist != 512");
18879
18880 /* Construct the codes of the static literal tree */
18881 for (bits = 0; bits <= MAX_BITS; bits++) {
18882 bl_count[bits] = 0;
18883 }
18884
18885 n = 0;
18886 while (n <= 143) {
18887 static_ltree[n * 2 + 1]/*.Len*/ = 8;
18888 n++;
18889 bl_count[8]++;
18890 }
18891 while (n <= 255) {
18892 static_ltree[n * 2 + 1]/*.Len*/ = 9;
18893 n++;
18894 bl_count[9]++;
18895 }
18896 while (n <= 279) {
18897 static_ltree[n * 2 + 1]/*.Len*/ = 7;
18898 n++;
18899 bl_count[7]++;
18900 }
18901 while (n <= 287) {
18902 static_ltree[n * 2 + 1]/*.Len*/ = 8;
18903 n++;
18904 bl_count[8]++;
18905 }
18906 /* Codes 286 and 287 do not exist, but we must include them in the
18907 * tree construction to get a canonical Huffman tree (longest code
18908 * all ones)
18909 */
18910 gen_codes(static_ltree, L_CODES + 1, bl_count);
18911
18912 /* The static distance tree is trivial: */
18913 for (n = 0; n < D_CODES; n++) {
18914 static_dtree[n * 2 + 1]/*.Len*/ = 5;
18915 static_dtree[n * 2]/*.Code*/ = bi_reverse(n, 5);
18916 }
18917
18918 // Now data ready and we can init static trees
18919 static_l_desc = new StaticTreeDesc(static_ltree, extra_lbits, LITERALS + 1, L_CODES, MAX_BITS);
18920 static_d_desc = new StaticTreeDesc(static_dtree, extra_dbits, 0, D_CODES, MAX_BITS);
18921 static_bl_desc = new StaticTreeDesc(new Array(0), extra_blbits, 0, BL_CODES, MAX_BL_BITS);
18922
18923 //static_init_done = true;
18924 }
18925
18926
18927 /* ===========================================================================
18928 * Initialize a new block.
18929 */
18930 function init_block(s) {
18931 let n; /* iterates over tree elements */
18932
18933 /* Initialize the trees. */
18934 for (n = 0; n < L_CODES; n++) {
18935 s.dyn_ltree[n * 2]/*.Freq*/ = 0;
18936 }
18937 for (n = 0; n < D_CODES; n++) {
18938 s.dyn_dtree[n * 2]/*.Freq*/ = 0;
18939 }
18940 for (n = 0; n < BL_CODES; n++) {
18941 s.bl_tree[n * 2]/*.Freq*/ = 0;
18942 }
18943
18944 s.dyn_ltree[END_BLOCK * 2]/*.Freq*/ = 1;
18945 s.opt_len = s.static_len = 0;
18946 s.last_lit = s.matches = 0;
18947 }
18948
18949
18950 /* ===========================================================================
18951 * Flush the bit buffer and align the output on a byte boundary
18952 */
18953 function bi_windup(s) {
18954 if (s.bi_valid > 8) {
18955 put_short(s, s.bi_buf);
18956 } else if (s.bi_valid > 0) {
18957 //put_byte(s, (Byte)s->bi_buf);
18958 s.pending_buf[s.pending++] = s.bi_buf;
18959 }
18960 s.bi_buf = 0;
18961 s.bi_valid = 0;
18962 }
18963
18964 /* ===========================================================================
18965 * Copy a stored block, storing first the length and its
18966 * one's complement if requested.
18967 */
18968 function copy_block(s, buf, len, header)
18969 //DeflateState *s;
18970 //charf *buf; /* the input data */
18971 //unsigned len; /* its length */
18972 //int header; /* true if block header must be written */
18973 {
18974 bi_windup(s); /* align on byte boundary */
18975
18976 if (header) {
18977 put_short(s, len);
18978 put_short(s, ~len);
18979 }
18980 // while (len--) {
18981 // put_byte(s, *buf++);
18982 // }
18983 arraySet(s.pending_buf, s.window, buf, len, s.pending);
18984 s.pending += len;
18985 }
18986
18987 /* ===========================================================================
18988 * Compares to subtrees, using the tree depth as tie breaker when
18989 * the subtrees have equal frequency. This minimizes the worst case length.
18990 */
18991 function smaller(tree, n, m, depth) {
18992 const _n2 = n * 2;
18993 const _m2 = m * 2;
18994 return tree[_n2]/*.Freq*/ < tree[_m2]/*.Freq*/ ||
18995 tree[_n2]/*.Freq*/ === tree[_m2]/*.Freq*/ && depth[n] <= depth[m];
18996 }
18997
18998 /* ===========================================================================
18999 * Restore the heap property by moving down the tree starting at node k,
19000 * exchanging a node with the smallest of its two sons if necessary, stopping
19001 * when the heap property is re-established (each father smaller than its
19002 * two sons).
19003 */
19004 function pqdownheap(s, tree, k)
19005 // deflate_state *s;
19006 // ct_data *tree; /* the tree to restore */
19007 // int k; /* node to move down */
19008 {
19009 const v = s.heap[k];
19010 let j = k << 1; /* left son of k */
19011 while (j <= s.heap_len) {
19012 /* Set j to the smallest of the two sons: */
19013 if (j < s.heap_len &&
19014 smaller(tree, s.heap[j + 1], s.heap[j], s.depth)) {
19015 j++;
19016 }
19017 /* Exit if v is smaller than both sons */
19018 if (smaller(tree, v, s.heap[j], s.depth)) {
19019 break;
19020 }
19021
19022 /* Exchange v with the smallest son */
19023 s.heap[k] = s.heap[j];
19024 k = j;
19025
19026 /* And continue down the tree, setting j to the left son of k */
19027 j <<= 1;
19028 }
19029 s.heap[k] = v;
19030 }
19031
19032
19033 // inlined manually
19034 // var SMALLEST = 1;
19035
19036 /* ===========================================================================
19037 * Send the block data compressed using the given Huffman trees
19038 */
19039 function compress_block(s, ltree, dtree)
19040 // deflate_state *s;
19041 // const ct_data *ltree; /* literal tree */
19042 // const ct_data *dtree; /* distance tree */
19043 {
19044 let dist; /* distance of matched string */
19045 let lc; /* match length or unmatched char (if dist == 0) */
19046 let lx = 0; /* running index in l_buf */
19047 let code; /* the code to send */
19048 let extra; /* number of extra bits to send */
19049
19050 if (s.last_lit !== 0) {
19051 do {
19052 dist = s.pending_buf[s.d_buf + lx * 2] << 8 | s.pending_buf[s.d_buf + lx * 2 + 1];
19053 lc = s.pending_buf[s.l_buf + lx];
19054 lx++;
19055
19056 if (dist === 0) {
19057 send_code(s, lc, ltree); /* send a literal byte */
19058 //Tracecv(isgraph(lc), (stderr," '%c' ", lc));
19059 } else {
19060 /* Here, lc is the match length - MIN_MATCH */
19061 code = _length_code[lc];
19062 send_code(s, code + LITERALS + 1, ltree); /* send the length code */
19063 extra = extra_lbits[code];
19064 if (extra !== 0) {
19065 lc -= base_length[code];
19066 send_bits(s, lc, extra); /* send the extra length bits */
19067 }
19068 dist--; /* dist is now the match distance - 1 */
19069 code = d_code(dist);
19070 //Assert (code < D_CODES, "bad d_code");
19071
19072 send_code(s, code, dtree); /* send the distance code */
19073 extra = extra_dbits[code];
19074 if (extra !== 0) {
19075 dist -= base_dist[code];
19076 send_bits(s, dist, extra); /* send the extra distance bits */
19077 }
19078 } /* literal or match pair ? */
19079
19080 /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */
19081 //Assert((uInt)(s->pending) < s->lit_bufsize + 2*lx,
19082 // "pendingBuf overflow");
19083
19084 } while (lx < s.last_lit);
19085 }
19086
19087 send_code(s, END_BLOCK, ltree);
19088 }
19089
19090
19091 /* ===========================================================================
19092 * Construct one Huffman tree and assigns the code bit strings and lengths.
19093 * Update the total bit length for the current block.
19094 * IN assertion: the field freq is set for all tree elements.
19095 * OUT assertions: the fields len and code are set to the optimal bit length
19096 * and corresponding code. The length opt_len is updated; static_len is
19097 * also updated if stree is not null. The field max_code is set.
19098 */
19099 function build_tree(s, desc)
19100 // deflate_state *s;
19101 // tree_desc *desc; /* the tree descriptor */
19102 {
19103 const tree = desc.dyn_tree;
19104 const stree = desc.stat_desc.static_tree;
19105 const has_stree = desc.stat_desc.has_stree;
19106 const elems = desc.stat_desc.elems;
19107 let n, m; /* iterate over heap elements */
19108 let max_code = -1; /* largest code with non zero frequency */
19109 let node; /* new node being created */
19110
19111 /* Construct the initial heap, with least frequent element in
19112 * heap[SMALLEST]. The sons of heap[n] are heap[2*n] and heap[2*n+1].
19113 * heap[0] is not used.
19114 */
19115 s.heap_len = 0;
19116 s.heap_max = HEAP_SIZE;
19117
19118 for (n = 0; n < elems; n++) {
19119 if (tree[n * 2]/*.Freq*/ !== 0) {
19120 s.heap[++s.heap_len] = max_code = n;
19121 s.depth[n] = 0;
19122
19123 } else {
19124 tree[n * 2 + 1]/*.Len*/ = 0;
19125 }
19126 }
19127
19128 /* The pkzip format requires that at least one distance code exists,
19129 * and that at least one bit should be sent even if there is only one
19130 * possible code. So to avoid special checks later on we force at least
19131 * two codes of non zero frequency.
19132 */
19133 while (s.heap_len < 2) {
19134 node = s.heap[++s.heap_len] = max_code < 2 ? ++max_code : 0;
19135 tree[node * 2]/*.Freq*/ = 1;
19136 s.depth[node] = 0;
19137 s.opt_len--;
19138
19139 if (has_stree) {
19140 s.static_len -= stree[node * 2 + 1]/*.Len*/;
19141 }
19142 /* node is 0 or 1 so it does not have extra bits */
19143 }
19144 desc.max_code = max_code;
19145
19146 /* The elements heap[heap_len/2+1 .. heap_len] are leaves of the tree,
19147 * establish sub-heaps of increasing lengths:
19148 */
19149 for (n = s.heap_len >> 1/*int /2*/; n >= 1; n--) {
19150 pqdownheap(s, tree, n);
19151 }
19152
19153 /* Construct the Huffman tree by repeatedly combining the least two
19154 * frequent nodes.
19155 */
19156 node = elems; /* next internal node of the tree */
19157 do {
19158 //pqremove(s, tree, n); /* n = node of least frequency */
19159 /*** pqremove ***/
19160 n = s.heap[1/*SMALLEST*/];
19161 s.heap[1/*SMALLEST*/] = s.heap[s.heap_len--];
19162 pqdownheap(s, tree, 1/*SMALLEST*/);
19163 /***/
19164
19165 m = s.heap[1/*SMALLEST*/]; /* m = node of next least frequency */
19166
19167 s.heap[--s.heap_max] = n; /* keep the nodes sorted by frequency */
19168 s.heap[--s.heap_max] = m;
19169
19170 /* Create a new node father of n and m */
19171 tree[node * 2]/*.Freq*/ = tree[n * 2]/*.Freq*/ + tree[m * 2]/*.Freq*/;
19172 s.depth[node] = (s.depth[n] >= s.depth[m] ? s.depth[n] : s.depth[m]) + 1;
19173 tree[n * 2 + 1]/*.Dad*/ = tree[m * 2 + 1]/*.Dad*/ = node;
19174
19175 /* and insert the new node in the heap */
19176 s.heap[1/*SMALLEST*/] = node++;
19177 pqdownheap(s, tree, 1/*SMALLEST*/);
19178
19179 } while (s.heap_len >= 2);
19180
19181 s.heap[--s.heap_max] = s.heap[1/*SMALLEST*/];
19182
19183 /* At this point, the fields freq and dad are set. We can now
19184 * generate the bit lengths.
19185 */
19186 gen_bitlen(s, desc);
19187
19188 /* The field len is now set, we can generate the bit codes */
19189 gen_codes(tree, max_code, s.bl_count);
19190 }
19191
19192
19193 /* ===========================================================================
19194 * Scan a literal or distance tree to determine the frequencies of the codes
19195 * in the bit length tree.
19196 */
19197 function scan_tree(s, tree, max_code)
19198 // deflate_state *s;
19199 // ct_data *tree; /* the tree to be scanned */
19200 // int max_code; /* and its largest code of non zero frequency */
19201 {
19202 let n; /* iterates over all tree elements */
19203 let prevlen = -1; /* last emitted length */
19204 let curlen; /* length of current code */
19205
19206 let nextlen = tree[0 * 2 + 1]/*.Len*/; /* length of next code */
19207
19208 let count = 0; /* repeat count of the current code */
19209 let max_count = 7; /* max repeat count */
19210 let min_count = 4; /* min repeat count */
19211
19212 if (nextlen === 0) {
19213 max_count = 138;
19214 min_count = 3;
19215 }
19216 tree[(max_code + 1) * 2 + 1]/*.Len*/ = 0xffff; /* guard */
19217
19218 for (n = 0; n <= max_code; n++) {
19219 curlen = nextlen;
19220 nextlen = tree[(n + 1) * 2 + 1]/*.Len*/;
19221
19222 if (++count < max_count && curlen === nextlen) {
19223 continue;
19224
19225 } else if (count < min_count) {
19226 s.bl_tree[curlen * 2]/*.Freq*/ += count;
19227
19228 } else if (curlen !== 0) {
19229
19230 if (curlen !== prevlen) {
19231 s.bl_tree[curlen * 2]/*.Freq*/++;
19232 }
19233 s.bl_tree[REP_3_6 * 2]/*.Freq*/++;
19234
19235 } else if (count <= 10) {
19236 s.bl_tree[REPZ_3_10 * 2]/*.Freq*/++;
19237
19238 } else {
19239 s.bl_tree[REPZ_11_138 * 2]/*.Freq*/++;
19240 }
19241
19242 count = 0;
19243 prevlen = curlen;
19244
19245 if (nextlen === 0) {
19246 max_count = 138;
19247 min_count = 3;
19248
19249 } else if (curlen === nextlen) {
19250 max_count = 6;
19251 min_count = 3;
19252
19253 } else {
19254 max_count = 7;
19255 min_count = 4;
19256 }
19257 }
19258 }
19259
19260
19261 /* ===========================================================================
19262 * Send a literal or distance tree in compressed form, using the codes in
19263 * bl_tree.
19264 */
19265 function send_tree(s, tree, max_code)
19266 // deflate_state *s;
19267 // ct_data *tree; /* the tree to be scanned */
19268 // int max_code; /* and its largest code of non zero frequency */
19269 {
19270 let n; /* iterates over all tree elements */
19271 let prevlen = -1; /* last emitted length */
19272 let curlen; /* length of current code */
19273
19274 let nextlen = tree[0 * 2 + 1]/*.Len*/; /* length of next code */
19275
19276 let count = 0; /* repeat count of the current code */
19277 let max_count = 7; /* max repeat count */
19278 let min_count = 4; /* min repeat count */
19279
19280 /* tree[max_code+1].Len = -1; */ /* guard already set */
19281 if (nextlen === 0) {
19282 max_count = 138;
19283 min_count = 3;
19284 }
19285
19286 for (n = 0; n <= max_code; n++) {
19287 curlen = nextlen;
19288 nextlen = tree[(n + 1) * 2 + 1]/*.Len*/;
19289
19290 if (++count < max_count && curlen === nextlen) {
19291 continue;
19292
19293 } else if (count < min_count) {
19294 do {
19295 send_code(s, curlen, s.bl_tree);
19296 } while (--count !== 0);
19297
19298 } else if (curlen !== 0) {
19299 if (curlen !== prevlen) {
19300 send_code(s, curlen, s.bl_tree);
19301 count--;
19302 }
19303 //Assert(count >= 3 && count <= 6, " 3_6?");
19304 send_code(s, REP_3_6, s.bl_tree);
19305 send_bits(s, count - 3, 2);
19306
19307 } else if (count <= 10) {
19308 send_code(s, REPZ_3_10, s.bl_tree);
19309 send_bits(s, count - 3, 3);
19310
19311 } else {
19312 send_code(s, REPZ_11_138, s.bl_tree);
19313 send_bits(s, count - 11, 7);
19314 }
19315
19316 count = 0;
19317 prevlen = curlen;
19318 if (nextlen === 0) {
19319 max_count = 138;
19320 min_count = 3;
19321
19322 } else if (curlen === nextlen) {
19323 max_count = 6;
19324 min_count = 3;
19325
19326 } else {
19327 max_count = 7;
19328 min_count = 4;
19329 }
19330 }
19331 }
19332
19333
19334 /* ===========================================================================
19335 * Construct the Huffman tree for the bit lengths and return the index in
19336 * bl_order of the last bit length code to send.
19337 */
19338 function build_bl_tree(s) {
19339 let max_blindex; /* index of last bit length code of non zero freq */
19340
19341 /* Determine the bit length frequencies for literal and distance trees */
19342 scan_tree(s, s.dyn_ltree, s.l_desc.max_code);
19343 scan_tree(s, s.dyn_dtree, s.d_desc.max_code);
19344
19345 /* Build the bit length tree: */
19346 build_tree(s, s.bl_desc);
19347 /* opt_len now includes the length of the tree representations, except
19348 * the lengths of the bit lengths codes and the 5+5+4 bits for the counts.
19349 */
19350
19351 /* Determine the number of bit length codes to send. The pkzip format
19352 * requires that at least 4 bit length codes be sent. (appnote.txt says
19353 * 3 but the actual value used is 4.)
19354 */
19355 for (max_blindex = BL_CODES - 1; max_blindex >= 3; max_blindex--) {
19356 if (s.bl_tree[bl_order[max_blindex] * 2 + 1]/*.Len*/ !== 0) {
19357 break;
19358 }
19359 }
19360 /* Update opt_len to include the bit length tree and counts */
19361 s.opt_len += 3 * (max_blindex + 1) + 5 + 5 + 4;
19362 //Tracev((stderr, "\ndyn trees: dyn %ld, stat %ld",
19363 // s->opt_len, s->static_len));
19364
19365 return max_blindex;
19366 }
19367
19368
19369 /* ===========================================================================
19370 * Send the header for a block using dynamic Huffman trees: the counts, the
19371 * lengths of the bit length codes, the literal tree and the distance tree.
19372 * IN assertion: lcodes >= 257, dcodes >= 1, blcodes >= 4.
19373 */
19374 function send_all_trees(s, lcodes, dcodes, blcodes)
19375 // deflate_state *s;
19376 // int lcodes, dcodes, blcodes; /* number of codes for each tree */
19377 {
19378 let rank; /* index in bl_order */
19379
19380 //Assert (lcodes >= 257 && dcodes >= 1 && blcodes >= 4, "not enough codes");
19381 //Assert (lcodes <= L_CODES && dcodes <= D_CODES && blcodes <= BL_CODES,
19382 // "too many codes");
19383 //Tracev((stderr, "\nbl counts: "));
19384 send_bits(s, lcodes - 257, 5); /* not +255 as stated in appnote.txt */
19385 send_bits(s, dcodes - 1, 5);
19386 send_bits(s, blcodes - 4, 4); /* not -3 as stated in appnote.txt */
19387 for (rank = 0; rank < blcodes; rank++) {
19388 //Tracev((stderr, "\nbl code %2d ", bl_order[rank]));
19389 send_bits(s, s.bl_tree[bl_order[rank] * 2 + 1]/*.Len*/, 3);
19390 }
19391 //Tracev((stderr, "\nbl tree: sent %ld", s->bits_sent));
19392
19393 send_tree(s, s.dyn_ltree, lcodes - 1); /* literal tree */
19394 //Tracev((stderr, "\nlit tree: sent %ld", s->bits_sent));
19395
19396 send_tree(s, s.dyn_dtree, dcodes - 1); /* distance tree */
19397 //Tracev((stderr, "\ndist tree: sent %ld", s->bits_sent));
19398 }
19399
19400
19401 /* ===========================================================================
19402 * Check if the data type is TEXT or BINARY, using the following algorithm:
19403 * - TEXT if the two conditions below are satisfied:
19404 * a) There are no non-portable control characters belonging to the
19405 * "black list" (0..6, 14..25, 28..31).
19406 * b) There is at least one printable character belonging to the
19407 * "white list" (9 {TAB}, 10 {LF}, 13 {CR}, 32..255).
19408 * - BINARY otherwise.
19409 * - The following partially-portable control characters form a
19410 * "gray list" that is ignored in this detection algorithm:
19411 * (7 {BEL}, 8 {BS}, 11 {VT}, 12 {FF}, 26 {SUB}, 27 {ESC}).
19412 * IN assertion: the fields Freq of dyn_ltree are set.
19413 */
19414 function detect_data_type(s) {
19415 /* black_mask is the bit mask of black-listed bytes
19416 * set bits 0..6, 14..25, and 28..31
19417 * 0xf3ffc07f = binary 11110011111111111100000001111111
19418 */
19419 let black_mask = 0xf3ffc07f;
19420 let n;
19421
19422 /* Check for non-textual ("black-listed") bytes. */
19423 for (n = 0; n <= 31; n++, black_mask >>>= 1) {
19424 if (black_mask & 1 && s.dyn_ltree[n * 2]/*.Freq*/ !== 0) {
19425 return Z_BINARY;
19426 }
19427 }
19428
19429 /* Check for textual ("white-listed") bytes. */
19430 if (s.dyn_ltree[9 * 2]/*.Freq*/ !== 0 || s.dyn_ltree[10 * 2]/*.Freq*/ !== 0 ||
19431 s.dyn_ltree[13 * 2]/*.Freq*/ !== 0) {
19432 return Z_TEXT;
19433 }
19434 for (n = 32; n < LITERALS; n++) {
19435 if (s.dyn_ltree[n * 2]/*.Freq*/ !== 0) {
19436 return Z_TEXT;
19437 }
19438 }
19439
19440 /* There are no "black-listed" or "white-listed" bytes:
19441 * this stream either is empty or has tolerated ("gray-listed") bytes only.
19442 */
19443 return Z_BINARY;
19444 }
19445
19446
19447 let static_init_done = false;
19448
19449 /* ===========================================================================
19450 * Initialize the tree data structures for a new zlib stream.
19451 */
19452 function _tr_init(s) {
19453
19454 if (!static_init_done) {
19455 tr_static_init();
19456 static_init_done = true;
19457 }
19458
19459 s.l_desc = new TreeDesc(s.dyn_ltree, static_l_desc);
19460 s.d_desc = new TreeDesc(s.dyn_dtree, static_d_desc);
19461 s.bl_desc = new TreeDesc(s.bl_tree, static_bl_desc);
19462
19463 s.bi_buf = 0;
19464 s.bi_valid = 0;
19465
19466 /* Initialize the first block of the first file: */
19467 init_block(s);
19468 }
19469
19470
19471 /* ===========================================================================
19472 * Send a stored block
19473 */
19474 function _tr_stored_block(s, buf, stored_len, last)
19475 //DeflateState *s;
19476 //charf *buf; /* input block */
19477 //ulg stored_len; /* length of input block */
19478 //int last; /* one if this is the last block for a file */
19479 {
19480 send_bits(s, (STORED_BLOCK << 1) + (last ? 1 : 0), 3); /* send block type */
19481 copy_block(s, buf, stored_len, true); /* with header */
19482 }
19483
19484
19485 /* ===========================================================================
19486 * Send one empty static block to give enough lookahead for inflate.
19487 * This takes 10 bits, of which 7 may remain in the bit buffer.
19488 */
19489 function _tr_align(s) {
19490 send_bits(s, STATIC_TREES << 1, 3);
19491 send_code(s, END_BLOCK, static_ltree);
19492 bi_flush(s);
19493 }
19494
19495
19496 /* ===========================================================================
19497 * Determine the best encoding for the current block: dynamic trees, static
19498 * trees or store, and output the encoded block to the zip file.
19499 */
19500 function _tr_flush_block(s, buf, stored_len, last)
19501 //DeflateState *s;
19502 //charf *buf; /* input block, or NULL if too old */
19503 //ulg stored_len; /* length of input block */
19504 //int last; /* one if this is the last block for a file */
19505 {
19506 let opt_lenb, static_lenb; /* opt_len and static_len in bytes */
19507 let max_blindex = 0; /* index of last bit length code of non zero freq */
19508
19509 /* Build the Huffman trees unless a stored block is forced */
19510 if (s.level > 0) {
19511
19512 /* Check if the file is binary or text */
19513 if (s.strm.data_type === Z_UNKNOWN) {
19514 s.strm.data_type = detect_data_type(s);
19515 }
19516
19517 /* Construct the literal and distance trees */
19518 build_tree(s, s.l_desc);
19519 // Tracev((stderr, "\nlit data: dyn %ld, stat %ld", s->opt_len,
19520 // s->static_len));
19521
19522 build_tree(s, s.d_desc);
19523 // Tracev((stderr, "\ndist data: dyn %ld, stat %ld", s->opt_len,
19524 // s->static_len));
19525 /* At this point, opt_len and static_len are the total bit lengths of
19526 * the compressed block data, excluding the tree representations.
19527 */
19528
19529 /* Build the bit length tree for the above two trees, and get the index
19530 * in bl_order of the last bit length code to send.
19531 */
19532 max_blindex = build_bl_tree(s);
19533
19534 /* Determine the best encoding. Compute the block lengths in bytes. */
19535 opt_lenb = s.opt_len + 3 + 7 >>> 3;
19536 static_lenb = s.static_len + 3 + 7 >>> 3;
19537
19538 // Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ",
19539 // opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,
19540 // s->last_lit));
19541
19542 if (static_lenb <= opt_lenb) {
19543 opt_lenb = static_lenb;
19544 }
19545
19546 } else {
19547 // Assert(buf != (char*)0, "lost buf");
19548 opt_lenb = static_lenb = stored_len + 5; /* force a stored block */
19549 }
19550
19551 if (stored_len + 4 <= opt_lenb && buf !== -1) {
19552 /* 4: two words for the lengths */
19553
19554 /* The test buf != NULL is only necessary if LIT_BUFSIZE > WSIZE.
19555 * Otherwise we can't have processed more than WSIZE input bytes since
19556 * the last block flush, because compression would have been
19557 * successful. If LIT_BUFSIZE <= WSIZE, it is never too late to
19558 * transform a block into a stored block.
19559 */
19560 _tr_stored_block(s, buf, stored_len, last);
19561
19562 } else if (s.strategy === Z_FIXED || static_lenb === opt_lenb) {
19563
19564 send_bits(s, (STATIC_TREES << 1) + (last ? 1 : 0), 3);
19565 compress_block(s, static_ltree, static_dtree);
19566
19567 } else {
19568 send_bits(s, (DYN_TREES << 1) + (last ? 1 : 0), 3);
19569 send_all_trees(s, s.l_desc.max_code + 1, s.d_desc.max_code + 1, max_blindex + 1);
19570 compress_block(s, s.dyn_ltree, s.dyn_dtree);
19571 }
19572 // Assert (s->compressed_len == s->bits_sent, "bad compressed size");
19573 /* The above check is made mod 2^32, for files larger than 512 MB
19574 * and uLong implemented on 32 bits.
19575 */
19576 init_block(s);
19577
19578 if (last) {
19579 bi_windup(s);
19580 }
19581 // Tracev((stderr,"\ncomprlen %lu(%lu) ", s->compressed_len>>3,
19582 // s->compressed_len-7*last));
19583 }
19584
19585 /* ===========================================================================
19586 * Save the match info and tally the frequency counts. Return true if
19587 * the current block must be flushed.
19588 */
19589 function _tr_tally(s, dist, lc)
19590 // deflate_state *s;
19591 // unsigned dist; /* distance of matched string */
19592 // unsigned lc; /* match length-MIN_MATCH or unmatched char (if dist==0) */
19593 {
19594 //var out_length, in_length, dcode;
19595
19596 s.pending_buf[s.d_buf + s.last_lit * 2] = dist >>> 8 & 0xff;
19597 s.pending_buf[s.d_buf + s.last_lit * 2 + 1] = dist & 0xff;
19598
19599 s.pending_buf[s.l_buf + s.last_lit] = lc & 0xff;
19600 s.last_lit++;
19601
19602 if (dist === 0) {
19603 /* lc is the unmatched char */
19604 s.dyn_ltree[lc * 2]/*.Freq*/++;
19605 } else {
19606 s.matches++;
19607 /* Here, lc is the match length - MIN_MATCH */
19608 dist--; /* dist = match distance - 1 */
19609 //Assert((ush)dist < (ush)MAX_DIST(s) &&
19610 // (ush)lc <= (ush)(MAX_MATCH-MIN_MATCH) &&
19611 // (ush)d_code(dist) < (ush)D_CODES, "_tr_tally: bad match");
19612
19613 s.dyn_ltree[(_length_code[lc] + LITERALS + 1) * 2]/*.Freq*/++;
19614 s.dyn_dtree[d_code(dist) * 2]/*.Freq*/++;
19615 }
19616
19617 // (!) This block is disabled in zlib defaults,
19618 // don't enable it for binary compatibility
19619
19620 //#ifdef TRUNCATE_BLOCK
19621 // /* Try to guess if it is profitable to stop the current block here */
19622 // if ((s.last_lit & 0x1fff) === 0 && s.level > 2) {
19623 // /* Compute an upper bound for the compressed length */
19624 // out_length = s.last_lit*8;
19625 // in_length = s.strstart - s.block_start;
19626 //
19627 // for (dcode = 0; dcode < D_CODES; dcode++) {
19628 // out_length += s.dyn_dtree[dcode*2]/*.Freq*/ * (5 + extra_dbits[dcode]);
19629 // }
19630 // out_length >>>= 3;
19631 // //Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ",
19632 // // s->last_lit, in_length, out_length,
19633 // // 100L - out_length*100L/in_length));
19634 // if (s.matches < (s.last_lit>>1)/*int /2*/ && out_length < (in_length>>1)/*int /2*/) {
19635 // return true;
19636 // }
19637 // }
19638 //#endif
19639
19640 return s.last_lit === s.lit_bufsize - 1;
19641 /* We avoid equality with lit_bufsize because of wraparound at 64K
19642 * on 16 bit machines and because stored blocks are restricted to
19643 * 64K-1 bytes.
19644 */
19645 }
19646
19647 // Note: adler32 takes 12% for level 0 and 2% for level 6.
19648 // It isn't worth it to make additional optimizations as in original.
19649 // Small size is preferable.
19650
19651 // (C) 1995-2013 Jean-loup Gailly and Mark Adler
19652 // (C) 2014-2017 Vitaly Puzrin and Andrey Tupitsin
19653 //
19654 // This software is provided 'as-is', without any express or implied
19655 // warranty. In no event will the authors be held liable for any damages
19656 // arising from the use of this software.
19657 //
19658 // Permission is granted to anyone to use this software for any purpose,
19659 // including commercial applications, and to alter it and redistribute it
19660 // freely, subject to the following restrictions:
19661 //
19662 // 1. The origin of this software must not be misrepresented; you must not
19663 // claim that you wrote the original software. If you use this software
19664 // in a product, an acknowledgment in the product documentation would be
19665 // appreciated but is not required.
19666 // 2. Altered source versions must be plainly marked as such, and must not be
19667 // misrepresented as being the original software.
19668 // 3. This notice may not be removed or altered from any source distribution.
19669
19670 function adler32(adler, buf, len, pos) {
19671 let s1 = adler & 0xffff |0,
19672 s2 = adler >>> 16 & 0xffff |0,
19673 n = 0;
19674
19675 while (len !== 0) {
19676 // Set limit ~ twice less than 5552, to keep
19677 // s2 in 31-bits, because we force signed ints.
19678 // in other case %= will fail.
19679 n = len > 2000 ? 2000 : len;
19680 len -= n;
19681
19682 do {
19683 s1 = s1 + buf[pos++] |0;
19684 s2 = s2 + s1 |0;
19685 } while (--n);
19686
19687 s1 %= 65521;
19688 s2 %= 65521;
19689 }
19690
19691 return s1 | s2 << 16 |0;
19692 }
19693
19694 // Note: we can't get significant speed boost here.
19695 // So write code to minimize size - no pregenerated tables
19696 // and array tools dependencies.
19697
19698 // (C) 1995-2013 Jean-loup Gailly and Mark Adler
19699 // (C) 2014-2017 Vitaly Puzrin and Andrey Tupitsin
19700 //
19701 // This software is provided 'as-is', without any express or implied
19702 // warranty. In no event will the authors be held liable for any damages
19703 // arising from the use of this software.
19704 //
19705 // Permission is granted to anyone to use this software for any purpose,
19706 // including commercial applications, and to alter it and redistribute it
19707 // freely, subject to the following restrictions:
19708 //
19709 // 1. The origin of this software must not be misrepresented; you must not
19710 // claim that you wrote the original software. If you use this software
19711 // in a product, an acknowledgment in the product documentation would be
19712 // appreciated but is not required.
19713 // 2. Altered source versions must be plainly marked as such, and must not be
19714 // misrepresented as being the original software.
19715 // 3. This notice may not be removed or altered from any source distribution.
19716
19717 // Use ordinary array, since untyped makes no boost here
19718 function makeTable() {
19719 let c;
19720 const table = [];
19721
19722 for (let n = 0; n < 256; n++) {
19723 c = n;
19724 for (let k = 0; k < 8; k++) {
19725 c = c & 1 ? 0xEDB88320 ^ c >>> 1 : c >>> 1;
19726 }
19727 table[n] = c;
19728 }
19729
19730 return table;
19731 }
19732
19733 // Create table on load. Just 255 signed longs. Not a problem.
19734 const crcTable = makeTable();
19735
19736
19737 function crc32(crc, buf, len, pos) {
19738 const t = crcTable,
19739 end = pos + len;
19740
19741 crc ^= -1;
19742
19743 for (let i = pos; i < end; i++) {
19744 crc = crc >>> 8 ^ t[(crc ^ buf[i]) & 0xFF];
19745 }
19746
19747 return crc ^ -1; // >>> 0;
19748 }
19749
19750 // (C) 1995-2013 Jean-loup Gailly and Mark Adler
19751 // (C) 2014-2017 Vitaly Puzrin and Andrey Tupitsin
19752 //
19753 // This software is provided 'as-is', without any express or implied
19754 // warranty. In no event will the authors be held liable for any damages
19755 // arising from the use of this software.
19756 //
19757 // Permission is granted to anyone to use this software for any purpose,
19758 // including commercial applications, and to alter it and redistribute it
19759 // freely, subject to the following restrictions:
19760 //
19761 // 1. The origin of this software must not be misrepresented; you must not
19762 // claim that you wrote the original software. If you use this software
19763 // in a product, an acknowledgment in the product documentation would be
19764 // appreciated but is not required.
19765 // 2. Altered source versions must be plainly marked as such, and must not be
19766 // misrepresented as being the original software.
19767 // 3. This notice may not be removed or altered from any source distribution.
19768
19769 var msg = {
19770 2: "need dictionary", /* Z_NEED_DICT 2 */
19771 1: "stream end", /* Z_STREAM_END 1 */
19772 0: "", /* Z_OK 0 */
19773 "-1": "file error", /* Z_ERRNO (-1) */
19774 "-2": "stream error", /* Z_STREAM_ERROR (-2) */
19775 "-3": "data error", /* Z_DATA_ERROR (-3) */
19776 "-4": "insufficient memory", /* Z_MEM_ERROR (-4) */
19777 "-5": "buffer error", /* Z_BUF_ERROR (-5) */
19778 "-6": "incompatible version" /* Z_VERSION_ERROR (-6) */
19779 };
19780
19781 /*============================================================================*/
19782
19783
19784 const MAX_MEM_LEVEL = 9;
19785
19786
19787 const LENGTH_CODES$1 = 29;
19788 /* number of length codes, not counting the special END_BLOCK code */
19789 const LITERALS$1 = 256;
19790 /* number of literal bytes 0..255 */
19791 const L_CODES$1 = LITERALS$1 + 1 + LENGTH_CODES$1;
19792 /* number of Literal or Length codes, including the END_BLOCK code */
19793 const D_CODES$1 = 30;
19794 /* number of distance codes */
19795 const BL_CODES$1 = 19;
19796 /* number of codes used to transfer the bit lengths */
19797 const HEAP_SIZE$1 = 2 * L_CODES$1 + 1;
19798 /* maximum heap size */
19799 const MAX_BITS$1 = 15;
19800 /* All codes must not exceed MAX_BITS bits */
19801
19802 const MIN_MATCH$1 = 3;
19803 const MAX_MATCH$1 = 258;
19804 const MIN_LOOKAHEAD = (MAX_MATCH$1 + MIN_MATCH$1 + 1);
19805
19806 const PRESET_DICT = 0x20;
19807
19808 const INIT_STATE = 42;
19809 const EXTRA_STATE = 69;
19810 const NAME_STATE = 73;
19811 const COMMENT_STATE = 91;
19812 const HCRC_STATE = 103;
19813 const BUSY_STATE = 113;
19814 const FINISH_STATE = 666;
19815
19816 const BS_NEED_MORE = 1; /* block not completed, need more input or more output */
19817 const BS_BLOCK_DONE = 2; /* block flush performed */
19818 const BS_FINISH_STARTED = 3; /* finish started, need only more output at next deflate */
19819 const BS_FINISH_DONE = 4; /* finish done, accept no more input or output */
19820
19821 const OS_CODE = 0x03; // Unix :) . Don't detect, use this default.
19822
19823 function err(strm, errorCode) {
19824 strm.msg = msg[errorCode];
19825 return errorCode;
19826 }
19827
19828 function rank(f) {
19829 return ((f) << 1) - ((f) > 4 ? 9 : 0);
19830 }
19831
19832 function zero$2(buf) { let len = buf.length; while (--len >= 0) { buf[len] = 0; } }
19833
19834
19835 /* =========================================================================
19836 * Flush as much pending output as possible. All deflate() output goes
19837 * through this function so some applications may wish to modify it
19838 * to avoid allocating a large strm->output buffer and copying into it.
19839 * (See also read_buf()).
19840 */
19841 function flush_pending(strm) {
19842 const s = strm.state;
19843
19844 //_tr_flush_bits(s);
19845 let len = s.pending;
19846 if (len > strm.avail_out) {
19847 len = strm.avail_out;
19848 }
19849 if (len === 0) { return; }
19850
19851 arraySet(strm.output, s.pending_buf, s.pending_out, len, strm.next_out);
19852 strm.next_out += len;
19853 s.pending_out += len;
19854 strm.total_out += len;
19855 strm.avail_out -= len;
19856 s.pending -= len;
19857 if (s.pending === 0) {
19858 s.pending_out = 0;
19859 }
19860 }
19861
19862
19863 function flush_block_only(s, last) {
19864 _tr_flush_block(s, (s.block_start >= 0 ? s.block_start : -1), s.strstart - s.block_start, last);
19865 s.block_start = s.strstart;
19866 flush_pending(s.strm);
19867 }
19868
19869
19870 function put_byte(s, b) {
19871 s.pending_buf[s.pending++] = b;
19872 }
19873
19874
19875 /* =========================================================================
19876 * Put a short in the pending buffer. The 16-bit value is put in MSB order.
19877 * IN assertion: the stream state is correct and there is enough room in
19878 * pending_buf.
19879 */
19880 function putShortMSB(s, b) {
19881 // put_byte(s, (Byte)(b >> 8));
19882 // put_byte(s, (Byte)(b & 0xff));
19883 s.pending_buf[s.pending++] = (b >>> 8) & 0xff;
19884 s.pending_buf[s.pending++] = b & 0xff;
19885 }
19886
19887
19888 /* ===========================================================================
19889 * Read a new buffer from the current input stream, update the adler32
19890 * and total number of bytes read. All deflate() input goes through
19891 * this function so some applications may wish to modify it to avoid
19892 * allocating a large strm->input buffer and copying from it.
19893 * (See also flush_pending()).
19894 */
19895 function read_buf(strm, buf, start, size) {
19896 let len = strm.avail_in;
19897
19898 if (len > size) { len = size; }
19899 if (len === 0) { return 0; }
19900
19901 strm.avail_in -= len;
19902
19903 // zmemcpy(buf, strm->next_in, len);
19904 arraySet(buf, strm.input, strm.next_in, len, start);
19905 if (strm.state.wrap === 1) {
19906 strm.adler = adler32(strm.adler, buf, len, start);
19907 }
19908
19909 else if (strm.state.wrap === 2) {
19910 strm.adler = crc32(strm.adler, buf, len, start);
19911 }
19912
19913 strm.next_in += len;
19914 strm.total_in += len;
19915
19916 return len;
19917 }
19918
19919
19920 /* ===========================================================================
19921 * Set match_start to the longest match starting at the given string and
19922 * return its length. Matches shorter or equal to prev_length are discarded,
19923 * in which case the result is equal to prev_length and match_start is
19924 * garbage.
19925 * IN assertions: cur_match is the head of the hash chain for the current
19926 * string (strstart) and its distance is <= MAX_DIST, and prev_length >= 1
19927 * OUT assertion: the match length is not greater than s->lookahead.
19928 */
19929 function longest_match(s, cur_match) {
19930 let chain_length = s.max_chain_length; /* max hash chain length */
19931 let scan = s.strstart; /* current string */
19932 let match; /* matched string */
19933 let len; /* length of current match */
19934 let best_len = s.prev_length; /* best match length so far */
19935 let nice_match = s.nice_match; /* stop if match long enough */
19936 const limit = (s.strstart > (s.w_size - MIN_LOOKAHEAD)) ?
19937 s.strstart - (s.w_size - MIN_LOOKAHEAD) : 0/*NIL*/;
19938
19939 const _win = s.window; // shortcut
19940
19941 const wmask = s.w_mask;
19942 const prev = s.prev;
19943
19944 /* Stop when cur_match becomes <= limit. To simplify the code,
19945 * we prevent matches with the string of window index 0.
19946 */
19947
19948 const strend = s.strstart + MAX_MATCH$1;
19949 let scan_end1 = _win[scan + best_len - 1];
19950 let scan_end = _win[scan + best_len];
19951
19952 /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16.
19953 * It is easy to get rid of this optimization if necessary.
19954 */
19955 // Assert(s->hash_bits >= 8 && MAX_MATCH == 258, "Code too clever");
19956
19957 /* Do not waste too much time if we already have a good match: */
19958 if (s.prev_length >= s.good_match) {
19959 chain_length >>= 2;
19960 }
19961 /* Do not look for matches beyond the end of the input. This is necessary
19962 * to make deflate deterministic.
19963 */
19964 if (nice_match > s.lookahead) { nice_match = s.lookahead; }
19965
19966 // Assert((ulg)s->strstart <= s->window_size-MIN_LOOKAHEAD, "need lookahead");
19967
19968 do {
19969 // Assert(cur_match < s->strstart, "no future");
19970 match = cur_match;
19971
19972 /* Skip to next match if the match length cannot increase
19973 * or if the match length is less than 2. Note that the checks below
19974 * for insufficient lookahead only occur occasionally for performance
19975 * reasons. Therefore uninitialized memory will be accessed, and
19976 * conditional jumps will be made that depend on those values.
19977 * However the length of the match is limited to the lookahead, so
19978 * the output of deflate is not affected by the uninitialized values.
19979 */
19980
19981 if (_win[match + best_len] !== scan_end ||
19982 _win[match + best_len - 1] !== scan_end1 ||
19983 _win[match] !== _win[scan] ||
19984 _win[++match] !== _win[scan + 1]) {
19985 continue;
19986 }
19987
19988 /* The check at best_len-1 can be removed because it will be made
19989 * again later. (This heuristic is not always a win.)
19990 * It is not necessary to compare scan[2] and match[2] since they
19991 * are always equal when the other bytes match, given that
19992 * the hash keys are equal and that HASH_BITS >= 8.
19993 */
19994 scan += 2;
19995 match++;
19996 // Assert(*scan == *match, "match[2]?");
19997
19998 /* We check for insufficient lookahead only every 8th comparison;
19999 * the 256th check will be made at strstart+258.
20000 */
20001 do {
20002 /*jshint noempty:false*/
20003 } while (_win[++scan] === _win[++match] && _win[++scan] === _win[++match] &&
20004 _win[++scan] === _win[++match] && _win[++scan] === _win[++match] &&
20005 _win[++scan] === _win[++match] && _win[++scan] === _win[++match] &&
20006 _win[++scan] === _win[++match] && _win[++scan] === _win[++match] &&
20007 scan < strend);
20008
20009 // Assert(scan <= s->window+(unsigned)(s->window_size-1), "wild scan");
20010
20011 len = MAX_MATCH$1 - (strend - scan);
20012 scan = strend - MAX_MATCH$1;
20013
20014 if (len > best_len) {
20015 s.match_start = cur_match;
20016 best_len = len;
20017 if (len >= nice_match) {
20018 break;
20019 }
20020 scan_end1 = _win[scan + best_len - 1];
20021 scan_end = _win[scan + best_len];
20022 }
20023 } while ((cur_match = prev[cur_match & wmask]) > limit && --chain_length !== 0);
20024
20025 if (best_len <= s.lookahead) {
20026 return best_len;
20027 }
20028 return s.lookahead;
20029 }
20030
20031
20032 /* ===========================================================================
20033 * Fill the window when the lookahead becomes insufficient.
20034 * Updates strstart and lookahead.
20035 *
20036 * IN assertion: lookahead < MIN_LOOKAHEAD
20037 * OUT assertions: strstart <= window_size-MIN_LOOKAHEAD
20038 * At least one byte has been read, or avail_in == 0; reads are
20039 * performed for at least two bytes (required for the zip translate_eol
20040 * option -- not supported here).
20041 */
20042 function fill_window(s) {
20043 const _w_size = s.w_size;
20044 let p, n, m, more, str;
20045
20046 //Assert(s->lookahead < MIN_LOOKAHEAD, "already enough lookahead");
20047
20048 do {
20049 more = s.window_size - s.lookahead - s.strstart;
20050
20051 // JS ints have 32 bit, block below not needed
20052 /* Deal with !@#$% 64K limit: */
20053 //if (sizeof(int) <= 2) {
20054 // if (more == 0 && s->strstart == 0 && s->lookahead == 0) {
20055 // more = wsize;
20056 //
20057 // } else if (more == (unsigned)(-1)) {
20058 // /* Very unlikely, but possible on 16 bit machine if
20059 // * strstart == 0 && lookahead == 1 (input done a byte at time)
20060 // */
20061 // more--;
20062 // }
20063 //}
20064
20065
20066 /* If the window is almost full and there is insufficient lookahead,
20067 * move the upper half to the lower one to make room in the upper half.
20068 */
20069 if (s.strstart >= _w_size + (_w_size - MIN_LOOKAHEAD)) {
20070
20071 arraySet(s.window, s.window, _w_size, _w_size, 0);
20072 s.match_start -= _w_size;
20073 s.strstart -= _w_size;
20074 /* we now have strstart >= MAX_DIST */
20075 s.block_start -= _w_size;
20076
20077 /* Slide the hash table (could be avoided with 32 bit values
20078 at the expense of memory usage). We slide even when level == 0
20079 to keep the hash table consistent if we switch back to level > 0
20080 later. (Using level 0 permanently is not an optimal usage of
20081 zlib, so we don't care about this pathological case.)
20082 */
20083
20084 n = s.hash_size;
20085 p = n;
20086 do {
20087 m = s.head[--p];
20088 s.head[p] = (m >= _w_size ? m - _w_size : 0);
20089 } while (--n);
20090
20091 n = _w_size;
20092 p = n;
20093 do {
20094 m = s.prev[--p];
20095 s.prev[p] = (m >= _w_size ? m - _w_size : 0);
20096 /* If n is not on any hash chain, prev[n] is garbage but
20097 * its value will never be used.
20098 */
20099 } while (--n);
20100
20101 more += _w_size;
20102 }
20103 if (s.strm.avail_in === 0) {
20104 break;
20105 }
20106
20107 /* If there was no sliding:
20108 * strstart <= WSIZE+MAX_DIST-1 && lookahead <= MIN_LOOKAHEAD - 1 &&
20109 * more == window_size - lookahead - strstart
20110 * => more >= window_size - (MIN_LOOKAHEAD-1 + WSIZE + MAX_DIST-1)
20111 * => more >= window_size - 2*WSIZE + 2
20112 * In the BIG_MEM or MMAP case (not yet supported),
20113 * window_size == input_size + MIN_LOOKAHEAD &&
20114 * strstart + s->lookahead <= input_size => more >= MIN_LOOKAHEAD.
20115 * Otherwise, window_size == 2*WSIZE so more >= 2.
20116 * If there was sliding, more >= WSIZE. So in all cases, more >= 2.
20117 */
20118 //Assert(more >= 2, "more < 2");
20119 n = read_buf(s.strm, s.window, s.strstart + s.lookahead, more);
20120 s.lookahead += n;
20121
20122 /* Initialize the hash value now that we have some input: */
20123 if (s.lookahead + s.insert >= MIN_MATCH$1) {
20124 str = s.strstart - s.insert;
20125 s.ins_h = s.window[str];
20126
20127 /* UPDATE_HASH(s, s->ins_h, s->window[str + 1]); */
20128 s.ins_h = ((s.ins_h << s.hash_shift) ^ s.window[str + 1]) & s.hash_mask;
20129 //#if MIN_MATCH != 3
20130 // Call update_hash() MIN_MATCH-3 more times
20131 //#endif
20132 while (s.insert) {
20133 /* UPDATE_HASH(s, s->ins_h, s->window[str + MIN_MATCH-1]); */
20134 s.ins_h = ((s.ins_h << s.hash_shift) ^ s.window[str + MIN_MATCH$1 - 1]) & s.hash_mask;
20135
20136 s.prev[str & s.w_mask] = s.head[s.ins_h];
20137 s.head[s.ins_h] = str;
20138 str++;
20139 s.insert--;
20140 if (s.lookahead + s.insert < MIN_MATCH$1) {
20141 break;
20142 }
20143 }
20144 }
20145 /* If the whole input has less than MIN_MATCH bytes, ins_h is garbage,
20146 * but this is not important since only literal bytes will be emitted.
20147 */
20148
20149 } while (s.lookahead < MIN_LOOKAHEAD && s.strm.avail_in !== 0);
20150
20151 /* If the WIN_INIT bytes after the end of the current data have never been
20152 * written, then zero those bytes in order to avoid memory check reports of
20153 * the use of uninitialized (or uninitialised as Julian writes) bytes by
20154 * the longest match routines. Update the high water mark for the next
20155 * time through here. WIN_INIT is set to MAX_MATCH since the longest match
20156 * routines allow scanning to strstart + MAX_MATCH, ignoring lookahead.
20157 */
20158 // if (s.high_water < s.window_size) {
20159 // var curr = s.strstart + s.lookahead;
20160 // var init = 0;
20161 //
20162 // if (s.high_water < curr) {
20163 // /* Previous high water mark below current data -- zero WIN_INIT
20164 // * bytes or up to end of window, whichever is less.
20165 // */
20166 // init = s.window_size - curr;
20167 // if (init > WIN_INIT)
20168 // init = WIN_INIT;
20169 // zmemzero(s->window + curr, (unsigned)init);
20170 // s->high_water = curr + init;
20171 // }
20172 // else if (s->high_water < (ulg)curr + WIN_INIT) {
20173 // /* High water mark at or above current data, but below current data
20174 // * plus WIN_INIT -- zero out to current data plus WIN_INIT, or up
20175 // * to end of window, whichever is less.
20176 // */
20177 // init = (ulg)curr + WIN_INIT - s->high_water;
20178 // if (init > s->window_size - s->high_water)
20179 // init = s->window_size - s->high_water;
20180 // zmemzero(s->window + s->high_water, (unsigned)init);
20181 // s->high_water += init;
20182 // }
20183 // }
20184 //
20185 // Assert((ulg)s->strstart <= s->window_size - MIN_LOOKAHEAD,
20186 // "not enough room for search");
20187 }
20188
20189 /* ===========================================================================
20190 * Copy without compression as much as possible from the input stream, return
20191 * the current block state.
20192 * This function does not insert new strings in the dictionary since
20193 * uncompressible data is probably not useful. This function is used
20194 * only for the level=0 compression option.
20195 * NOTE: this function should be optimized to avoid extra copying from
20196 * window to pending_buf.
20197 */
20198 function deflate_stored(s, flush) {
20199 /* Stored blocks are limited to 0xffff bytes, pending_buf is limited
20200 * to pending_buf_size, and each stored block has a 5 byte header:
20201 */
20202 let max_block_size = 0xffff;
20203
20204 if (max_block_size > s.pending_buf_size - 5) {
20205 max_block_size = s.pending_buf_size - 5;
20206 }
20207
20208 /* Copy as much as possible from input to output: */
20209 for (; ;) {
20210 /* Fill the window as much as possible: */
20211 if (s.lookahead <= 1) {
20212
20213 //Assert(s->strstart < s->w_size+MAX_DIST(s) ||
20214 // s->block_start >= (long)s->w_size, "slide too late");
20215 // if (!(s.strstart < s.w_size + (s.w_size - MIN_LOOKAHEAD) ||
20216 // s.block_start >= s.w_size)) {
20217 // throw new Error("slide too late");
20218 // }
20219
20220 fill_window(s);
20221 if (s.lookahead === 0 && flush === Z_NO_FLUSH) {
20222 return BS_NEED_MORE;
20223 }
20224
20225 if (s.lookahead === 0) {
20226 break;
20227 }
20228 /* flush the current block */
20229 }
20230 //Assert(s->block_start >= 0L, "block gone");
20231 // if (s.block_start < 0) throw new Error("block gone");
20232
20233 s.strstart += s.lookahead;
20234 s.lookahead = 0;
20235
20236 /* Emit a stored block if pending_buf will be full: */
20237 const max_start = s.block_start + max_block_size;
20238
20239 if (s.strstart === 0 || s.strstart >= max_start) {
20240 /* strstart == 0 is possible when wraparound on 16-bit machine */
20241 s.lookahead = s.strstart - max_start;
20242 s.strstart = max_start;
20243 /*** FLUSH_BLOCK(s, 0); ***/
20244 flush_block_only(s, false);
20245 if (s.strm.avail_out === 0) {
20246 return BS_NEED_MORE;
20247 }
20248 /***/
20249
20250
20251 }
20252 /* Flush if we may have to slide, otherwise block_start may become
20253 * negative and the data will be gone:
20254 */
20255 if (s.strstart - s.block_start >= (s.w_size - MIN_LOOKAHEAD)) {
20256 /*** FLUSH_BLOCK(s, 0); ***/
20257 flush_block_only(s, false);
20258 if (s.strm.avail_out === 0) {
20259 return BS_NEED_MORE;
20260 }
20261 /***/
20262 }
20263 }
20264
20265 s.insert = 0;
20266
20267 if (flush === Z_FINISH) {
20268 /*** FLUSH_BLOCK(s, 1); ***/
20269 flush_block_only(s, true);
20270 if (s.strm.avail_out === 0) {
20271 return BS_FINISH_STARTED;
20272 }
20273 /***/
20274 return BS_FINISH_DONE;
20275 }
20276
20277 if (s.strstart > s.block_start) {
20278 /*** FLUSH_BLOCK(s, 0); ***/
20279 flush_block_only(s, false);
20280 if (s.strm.avail_out === 0) {
20281 return BS_NEED_MORE;
20282 }
20283 /***/
20284 }
20285
20286 return BS_NEED_MORE;
20287 }
20288
20289 /* ===========================================================================
20290 * Compress as much as possible from the input stream, return the current
20291 * block state.
20292 * This function does not perform lazy evaluation of matches and inserts
20293 * new strings in the dictionary only for unmatched strings or for short
20294 * matches. It is used only for the fast compression options.
20295 */
20296 function deflate_fast(s, flush) {
20297 let hash_head; /* head of the hash chain */
20298 let bflush; /* set if current block must be flushed */
20299
20300 for (; ;) {
20301 /* Make sure that we always have enough lookahead, except
20302 * at the end of the input file. We need MAX_MATCH bytes
20303 * for the next match, plus MIN_MATCH bytes to insert the
20304 * string following the next match.
20305 */
20306 if (s.lookahead < MIN_LOOKAHEAD) {
20307 fill_window(s);
20308 if (s.lookahead < MIN_LOOKAHEAD && flush === Z_NO_FLUSH) {
20309 return BS_NEED_MORE;
20310 }
20311 if (s.lookahead === 0) {
20312 break; /* flush the current block */
20313 }
20314 }
20315
20316 /* Insert the string window[strstart .. strstart+2] in the
20317 * dictionary, and set hash_head to the head of the hash chain:
20318 */
20319 hash_head = 0/*NIL*/;
20320 if (s.lookahead >= MIN_MATCH$1) {
20321 /*** INSERT_STRING(s, s.strstart, hash_head); ***/
20322 s.ins_h = ((s.ins_h << s.hash_shift) ^ s.window[s.strstart + MIN_MATCH$1 - 1]) & s.hash_mask;
20323 hash_head = s.prev[s.strstart & s.w_mask] = s.head[s.ins_h];
20324 s.head[s.ins_h] = s.strstart;
20325 /***/
20326 }
20327
20328 /* Find the longest match, discarding those <= prev_length.
20329 * At this point we have always match_length < MIN_MATCH
20330 */
20331 if (hash_head !== 0/*NIL*/ && ((s.strstart - hash_head) <= (s.w_size - MIN_LOOKAHEAD))) {
20332 /* To simplify the code, we prevent matches with the string
20333 * of window index 0 (in particular we have to avoid a match
20334 * of the string with itself at the start of the input file).
20335 */
20336 s.match_length = longest_match(s, hash_head);
20337 /* longest_match() sets match_start */
20338 }
20339 if (s.match_length >= MIN_MATCH$1) {
20340 // check_match(s, s.strstart, s.match_start, s.match_length); // for debug only
20341
20342 /*** _tr_tally_dist(s, s.strstart - s.match_start,
20343 s.match_length - MIN_MATCH, bflush); ***/
20344 bflush = _tr_tally(s, s.strstart - s.match_start, s.match_length - MIN_MATCH$1);
20345
20346 s.lookahead -= s.match_length;
20347
20348 /* Insert new strings in the hash table only if the match length
20349 * is not too large. This saves time but degrades compression.
20350 */
20351 if (s.match_length <= s.max_lazy_match/*max_insert_length*/ && s.lookahead >= MIN_MATCH$1) {
20352 s.match_length--; /* string at strstart already in table */
20353 do {
20354 s.strstart++;
20355 /*** INSERT_STRING(s, s.strstart, hash_head); ***/
20356 s.ins_h = ((s.ins_h << s.hash_shift) ^ s.window[s.strstart + MIN_MATCH$1 - 1]) & s.hash_mask;
20357 hash_head = s.prev[s.strstart & s.w_mask] = s.head[s.ins_h];
20358 s.head[s.ins_h] = s.strstart;
20359 /***/
20360 /* strstart never exceeds WSIZE-MAX_MATCH, so there are
20361 * always MIN_MATCH bytes ahead.
20362 */
20363 } while (--s.match_length !== 0);
20364 s.strstart++;
20365 } else {
20366 s.strstart += s.match_length;
20367 s.match_length = 0;
20368 s.ins_h = s.window[s.strstart];
20369 /* UPDATE_HASH(s, s.ins_h, s.window[s.strstart+1]); */
20370 s.ins_h = ((s.ins_h << s.hash_shift) ^ s.window[s.strstart + 1]) & s.hash_mask;
20371
20372 //#if MIN_MATCH != 3
20373 // Call UPDATE_HASH() MIN_MATCH-3 more times
20374 //#endif
20375 /* If lookahead < MIN_MATCH, ins_h is garbage, but it does not
20376 * matter since it will be recomputed at next deflate call.
20377 */
20378 }
20379 } else {
20380 /* No match, output a literal byte */
20381 //Tracevv((stderr,"%c", s.window[s.strstart]));
20382 /*** _tr_tally_lit(s, s.window[s.strstart], bflush); ***/
20383 bflush = _tr_tally(s, 0, s.window[s.strstart]);
20384
20385 s.lookahead--;
20386 s.strstart++;
20387 }
20388 if (bflush) {
20389 /*** FLUSH_BLOCK(s, 0); ***/
20390 flush_block_only(s, false);
20391 if (s.strm.avail_out === 0) {
20392 return BS_NEED_MORE;
20393 }
20394 /***/
20395 }
20396 }
20397 s.insert = ((s.strstart < (MIN_MATCH$1 - 1)) ? s.strstart : MIN_MATCH$1 - 1);
20398 if (flush === Z_FINISH) {
20399 /*** FLUSH_BLOCK(s, 1); ***/
20400 flush_block_only(s, true);
20401 if (s.strm.avail_out === 0) {
20402 return BS_FINISH_STARTED;
20403 }
20404 /***/
20405 return BS_FINISH_DONE;
20406 }
20407 if (s.last_lit) {
20408 /*** FLUSH_BLOCK(s, 0); ***/
20409 flush_block_only(s, false);
20410 if (s.strm.avail_out === 0) {
20411 return BS_NEED_MORE;
20412 }
20413 /***/
20414 }
20415 return BS_BLOCK_DONE;
20416 }
20417
20418 /* ===========================================================================
20419 * Same as above, but achieves better compression. We use a lazy
20420 * evaluation for matches: a match is finally adopted only if there is
20421 * no better match at the next window position.
20422 */
20423 function deflate_slow(s, flush) {
20424 let hash_head; /* head of hash chain */
20425 let bflush; /* set if current block must be flushed */
20426
20427 let max_insert;
20428
20429 /* Process the input block. */
20430 for (; ;) {
20431 /* Make sure that we always have enough lookahead, except
20432 * at the end of the input file. We need MAX_MATCH bytes
20433 * for the next match, plus MIN_MATCH bytes to insert the
20434 * string following the next match.
20435 */
20436 if (s.lookahead < MIN_LOOKAHEAD) {
20437 fill_window(s);
20438 if (s.lookahead < MIN_LOOKAHEAD && flush === Z_NO_FLUSH) {
20439 return BS_NEED_MORE;
20440 }
20441 if (s.lookahead === 0) { break; } /* flush the current block */
20442 }
20443
20444 /* Insert the string window[strstart .. strstart+2] in the
20445 * dictionary, and set hash_head to the head of the hash chain:
20446 */
20447 hash_head = 0/*NIL*/;
20448 if (s.lookahead >= MIN_MATCH$1) {
20449 /*** INSERT_STRING(s, s.strstart, hash_head); ***/
20450 s.ins_h = ((s.ins_h << s.hash_shift) ^ s.window[s.strstart + MIN_MATCH$1 - 1]) & s.hash_mask;
20451 hash_head = s.prev[s.strstart & s.w_mask] = s.head[s.ins_h];
20452 s.head[s.ins_h] = s.strstart;
20453 /***/
20454 }
20455
20456 /* Find the longest match, discarding those <= prev_length.
20457 */
20458 s.prev_length = s.match_length;
20459 s.prev_match = s.match_start;
20460 s.match_length = MIN_MATCH$1 - 1;
20461
20462 if (hash_head !== 0/*NIL*/ && s.prev_length < s.max_lazy_match &&
20463 s.strstart - hash_head <= (s.w_size - MIN_LOOKAHEAD)/*MAX_DIST(s)*/) {
20464 /* To simplify the code, we prevent matches with the string
20465 * of window index 0 (in particular we have to avoid a match
20466 * of the string with itself at the start of the input file).
20467 */
20468 s.match_length = longest_match(s, hash_head);
20469 /* longest_match() sets match_start */
20470
20471 if (s.match_length <= 5 &&
20472 (s.strategy === Z_FILTERED || (s.match_length === MIN_MATCH$1 && s.strstart - s.match_start > 4096/*TOO_FAR*/))) {
20473
20474 /* If prev_match is also MIN_MATCH, match_start is garbage
20475 * but we will ignore the current match anyway.
20476 */
20477 s.match_length = MIN_MATCH$1 - 1;
20478 }
20479 }
20480 /* If there was a match at the previous step and the current
20481 * match is not better, output the previous match:
20482 */
20483 if (s.prev_length >= MIN_MATCH$1 && s.match_length <= s.prev_length) {
20484 max_insert = s.strstart + s.lookahead - MIN_MATCH$1;
20485 /* Do not insert strings in hash table beyond this. */
20486
20487 //check_match(s, s.strstart-1, s.prev_match, s.prev_length);
20488
20489 /***_tr_tally_dist(s, s.strstart - 1 - s.prev_match,
20490 s.prev_length - MIN_MATCH, bflush);***/
20491 bflush = _tr_tally(s, s.strstart - 1 - s.prev_match, s.prev_length - MIN_MATCH$1);
20492 /* Insert in hash table all strings up to the end of the match.
20493 * strstart-1 and strstart are already inserted. If there is not
20494 * enough lookahead, the last two strings are not inserted in
20495 * the hash table.
20496 */
20497 s.lookahead -= s.prev_length - 1;
20498 s.prev_length -= 2;
20499 do {
20500 if (++s.strstart <= max_insert) {
20501 /*** INSERT_STRING(s, s.strstart, hash_head); ***/
20502 s.ins_h = ((s.ins_h << s.hash_shift) ^ s.window[s.strstart + MIN_MATCH$1 - 1]) & s.hash_mask;
20503 hash_head = s.prev[s.strstart & s.w_mask] = s.head[s.ins_h];
20504 s.head[s.ins_h] = s.strstart;
20505 /***/
20506 }
20507 } while (--s.prev_length !== 0);
20508 s.match_available = 0;
20509 s.match_length = MIN_MATCH$1 - 1;
20510 s.strstart++;
20511
20512 if (bflush) {
20513 /*** FLUSH_BLOCK(s, 0); ***/
20514 flush_block_only(s, false);
20515 if (s.strm.avail_out === 0) {
20516 return BS_NEED_MORE;
20517 }
20518 /***/
20519 }
20520
20521 } else if (s.match_available) {
20522 /* If there was no match at the previous position, output a
20523 * single literal. If there was a match but the current match
20524 * is longer, truncate the previous match to a single literal.
20525 */
20526 //Tracevv((stderr,"%c", s->window[s->strstart-1]));
20527 /*** _tr_tally_lit(s, s.window[s.strstart-1], bflush); ***/
20528 bflush = _tr_tally(s, 0, s.window[s.strstart - 1]);
20529
20530 if (bflush) {
20531 /*** FLUSH_BLOCK_ONLY(s, 0) ***/
20532 flush_block_only(s, false);
20533 /***/
20534 }
20535 s.strstart++;
20536 s.lookahead--;
20537 if (s.strm.avail_out === 0) {
20538 return BS_NEED_MORE;
20539 }
20540 } else {
20541 /* There is no previous match to compare with, wait for
20542 * the next step to decide.
20543 */
20544 s.match_available = 1;
20545 s.strstart++;
20546 s.lookahead--;
20547 }
20548 }
20549 //Assert (flush != Z_NO_FLUSH, "no flush?");
20550 if (s.match_available) {
20551 //Tracevv((stderr,"%c", s->window[s->strstart-1]));
20552 /*** _tr_tally_lit(s, s.window[s.strstart-1], bflush); ***/
20553 bflush = _tr_tally(s, 0, s.window[s.strstart - 1]);
20554
20555 s.match_available = 0;
20556 }
20557 s.insert = s.strstart < MIN_MATCH$1 - 1 ? s.strstart : MIN_MATCH$1 - 1;
20558 if (flush === Z_FINISH) {
20559 /*** FLUSH_BLOCK(s, 1); ***/
20560 flush_block_only(s, true);
20561 if (s.strm.avail_out === 0) {
20562 return BS_FINISH_STARTED;
20563 }
20564 /***/
20565 return BS_FINISH_DONE;
20566 }
20567 if (s.last_lit) {
20568 /*** FLUSH_BLOCK(s, 0); ***/
20569 flush_block_only(s, false);
20570 if (s.strm.avail_out === 0) {
20571 return BS_NEED_MORE;
20572 }
20573 /***/
20574 }
20575
20576 return BS_BLOCK_DONE;
20577 }
20578
20579
20580 /* ===========================================================================
20581 * For Z_RLE, simply look for runs of bytes, generate matches only of distance
20582 * one. Do not maintain a hash table. (It will be regenerated if this run of
20583 * deflate switches away from Z_RLE.)
20584 */
20585 function deflate_rle(s, flush) {
20586 let bflush; /* set if current block must be flushed */
20587 let prev; /* byte at distance one to match */
20588 let scan, strend; /* scan goes up to strend for length of run */
20589
20590 const _win = s.window;
20591
20592 for (; ;) {
20593 /* Make sure that we always have enough lookahead, except
20594 * at the end of the input file. We need MAX_MATCH bytes
20595 * for the longest run, plus one for the unrolled loop.
20596 */
20597 if (s.lookahead <= MAX_MATCH$1) {
20598 fill_window(s);
20599 if (s.lookahead <= MAX_MATCH$1 && flush === Z_NO_FLUSH) {
20600 return BS_NEED_MORE;
20601 }
20602 if (s.lookahead === 0) { break; } /* flush the current block */
20603 }
20604
20605 /* See how many times the previous byte repeats */
20606 s.match_length = 0;
20607 if (s.lookahead >= MIN_MATCH$1 && s.strstart > 0) {
20608 scan = s.strstart - 1;
20609 prev = _win[scan];
20610 if (prev === _win[++scan] && prev === _win[++scan] && prev === _win[++scan]) {
20611 strend = s.strstart + MAX_MATCH$1;
20612 do {
20613 /*jshint noempty:false*/
20614 } while (prev === _win[++scan] && prev === _win[++scan] &&
20615 prev === _win[++scan] && prev === _win[++scan] &&
20616 prev === _win[++scan] && prev === _win[++scan] &&
20617 prev === _win[++scan] && prev === _win[++scan] &&
20618 scan < strend);
20619 s.match_length = MAX_MATCH$1 - (strend - scan);
20620 if (s.match_length > s.lookahead) {
20621 s.match_length = s.lookahead;
20622 }
20623 }
20624 //Assert(scan <= s->window+(uInt)(s->window_size-1), "wild scan");
20625 }
20626
20627 /* Emit match if have run of MIN_MATCH or longer, else emit literal */
20628 if (s.match_length >= MIN_MATCH$1) {
20629 //check_match(s, s.strstart, s.strstart - 1, s.match_length);
20630
20631 /*** _tr_tally_dist(s, 1, s.match_length - MIN_MATCH, bflush); ***/
20632 bflush = _tr_tally(s, 1, s.match_length - MIN_MATCH$1);
20633
20634 s.lookahead -= s.match_length;
20635 s.strstart += s.match_length;
20636 s.match_length = 0;
20637 } else {
20638 /* No match, output a literal byte */
20639 //Tracevv((stderr,"%c", s->window[s->strstart]));
20640 /*** _tr_tally_lit(s, s.window[s.strstart], bflush); ***/
20641 bflush = _tr_tally(s, 0, s.window[s.strstart]);
20642
20643 s.lookahead--;
20644 s.strstart++;
20645 }
20646 if (bflush) {
20647 /*** FLUSH_BLOCK(s, 0); ***/
20648 flush_block_only(s, false);
20649 if (s.strm.avail_out === 0) {
20650 return BS_NEED_MORE;
20651 }
20652 /***/
20653 }
20654 }
20655 s.insert = 0;
20656 if (flush === Z_FINISH) {
20657 /*** FLUSH_BLOCK(s, 1); ***/
20658 flush_block_only(s, true);
20659 if (s.strm.avail_out === 0) {
20660 return BS_FINISH_STARTED;
20661 }
20662 /***/
20663 return BS_FINISH_DONE;
20664 }
20665 if (s.last_lit) {
20666 /*** FLUSH_BLOCK(s, 0); ***/
20667 flush_block_only(s, false);
20668 if (s.strm.avail_out === 0) {
20669 return BS_NEED_MORE;
20670 }
20671 /***/
20672 }
20673 return BS_BLOCK_DONE;
20674 }
20675
20676 /* ===========================================================================
20677 * For Z_HUFFMAN_ONLY, do not look for matches. Do not maintain a hash table.
20678 * (It will be regenerated if this run of deflate switches away from Huffman.)
20679 */
20680 function deflate_huff(s, flush) {
20681 let bflush; /* set if current block must be flushed */
20682
20683 for (; ;) {
20684 /* Make sure that we have a literal to write. */
20685 if (s.lookahead === 0) {
20686 fill_window(s);
20687 if (s.lookahead === 0) {
20688 if (flush === Z_NO_FLUSH) {
20689 return BS_NEED_MORE;
20690 }
20691 break; /* flush the current block */
20692 }
20693 }
20694
20695 /* Output a literal byte */
20696 s.match_length = 0;
20697 //Tracevv((stderr,"%c", s->window[s->strstart]));
20698 /*** _tr_tally_lit(s, s.window[s.strstart], bflush); ***/
20699 bflush = _tr_tally(s, 0, s.window[s.strstart]);
20700 s.lookahead--;
20701 s.strstart++;
20702 if (bflush) {
20703 /*** FLUSH_BLOCK(s, 0); ***/
20704 flush_block_only(s, false);
20705 if (s.strm.avail_out === 0) {
20706 return BS_NEED_MORE;
20707 }
20708 /***/
20709 }
20710 }
20711 s.insert = 0;
20712 if (flush === Z_FINISH) {
20713 /*** FLUSH_BLOCK(s, 1); ***/
20714 flush_block_only(s, true);
20715 if (s.strm.avail_out === 0) {
20716 return BS_FINISH_STARTED;
20717 }
20718 /***/
20719 return BS_FINISH_DONE;
20720 }
20721 if (s.last_lit) {
20722 /*** FLUSH_BLOCK(s, 0); ***/
20723 flush_block_only(s, false);
20724 if (s.strm.avail_out === 0) {
20725 return BS_NEED_MORE;
20726 }
20727 /***/
20728 }
20729 return BS_BLOCK_DONE;
20730 }
20731
20732 /* Values for max_lazy_match, good_match and max_chain_length, depending on
20733 * the desired pack level (0..9). The values given below have been tuned to
20734 * exclude worst case performance for pathological files. Better values may be
20735 * found for specific files.
20736 */
20737 class Config {
20738 constructor(good_length, max_lazy, nice_length, max_chain, func) {
20739 this.good_length = good_length;
20740 this.max_lazy = max_lazy;
20741 this.nice_length = nice_length;
20742 this.max_chain = max_chain;
20743 this.func = func;
20744 }
20745 }
20746 const configuration_table = [
20747 /* good lazy nice chain */
20748 new Config(0, 0, 0, 0, deflate_stored), /* 0 store only */
20749 new Config(4, 4, 8, 4, deflate_fast), /* 1 max speed, no lazy matches */
20750 new Config(4, 5, 16, 8, deflate_fast), /* 2 */
20751 new Config(4, 6, 32, 32, deflate_fast), /* 3 */
20752
20753 new Config(4, 4, 16, 16, deflate_slow), /* 4 lazy matches */
20754 new Config(8, 16, 32, 32, deflate_slow), /* 5 */
20755 new Config(8, 16, 128, 128, deflate_slow), /* 6 */
20756 new Config(8, 32, 128, 256, deflate_slow), /* 7 */
20757 new Config(32, 128, 258, 1024, deflate_slow), /* 8 */
20758 new Config(32, 258, 258, 4096, deflate_slow) /* 9 max compression */
20759 ];
20760
20761
20762 /* ===========================================================================
20763 * Initialize the "longest match" routines for a new zlib stream
20764 */
20765 function lm_init(s) {
20766 s.window_size = 2 * s.w_size;
20767
20768 /*** CLEAR_HASH(s); ***/
20769 zero$2(s.head); // Fill with NIL (= 0);
20770
20771 /* Set the default configuration parameters:
20772 */
20773 s.max_lazy_match = configuration_table[s.level].max_lazy;
20774 s.good_match = configuration_table[s.level].good_length;
20775 s.nice_match = configuration_table[s.level].nice_length;
20776 s.max_chain_length = configuration_table[s.level].max_chain;
20777
20778 s.strstart = 0;
20779 s.block_start = 0;
20780 s.lookahead = 0;
20781 s.insert = 0;
20782 s.match_length = s.prev_length = MIN_MATCH$1 - 1;
20783 s.match_available = 0;
20784 s.ins_h = 0;
20785 }
20786
20787 class DeflateState {
20788 constructor() {
20789 this.strm = null; /* pointer back to this zlib stream */
20790 this.status = 0; /* as the name implies */
20791 this.pending_buf = null; /* output still pending */
20792 this.pending_buf_size = 0; /* size of pending_buf */
20793 this.pending_out = 0; /* next pending byte to output to the stream */
20794 this.pending = 0; /* nb of bytes in the pending buffer */
20795 this.wrap = 0; /* bit 0 true for zlib, bit 1 true for gzip */
20796 this.gzhead = null; /* gzip header information to write */
20797 this.gzindex = 0; /* where in extra, name, or comment */
20798 this.method = Z_DEFLATED; /* can only be DEFLATED */
20799 this.last_flush = -1; /* value of flush param for previous deflate call */
20800
20801 this.w_size = 0; /* LZ77 window size (32K by default) */
20802 this.w_bits = 0; /* log2(w_size) (8..16) */
20803 this.w_mask = 0; /* w_size - 1 */
20804
20805 this.window = null;
20806 /* Sliding window. Input bytes are read into the second half of the window,
20807 * and move to the first half later to keep a dictionary of at least wSize
20808 * bytes. With this organization, matches are limited to a distance of
20809 * wSize-MAX_MATCH bytes, but this ensures that IO is always
20810 * performed with a length multiple of the block size.
20811 */
20812
20813 this.window_size = 0;
20814 /* Actual size of window: 2*wSize, except when the user input buffer
20815 * is directly used as sliding window.
20816 */
20817
20818 this.prev = null;
20819 /* Link to older string with same hash index. To limit the size of this
20820 * array to 64K, this link is maintained only for the last 32K strings.
20821 * An index in this array is thus a window index modulo 32K.
20822 */
20823
20824 this.head = null; /* Heads of the hash chains or NIL. */
20825
20826 this.ins_h = 0; /* hash index of string to be inserted */
20827 this.hash_size = 0; /* number of elements in hash table */
20828 this.hash_bits = 0; /* log2(hash_size) */
20829 this.hash_mask = 0; /* hash_size-1 */
20830
20831 this.hash_shift = 0;
20832 /* Number of bits by which ins_h must be shifted at each input
20833 * step. It must be such that after MIN_MATCH steps, the oldest
20834 * byte no longer takes part in the hash key, that is:
20835 * hash_shift * MIN_MATCH >= hash_bits
20836 */
20837
20838 this.block_start = 0;
20839 /* Window position at the beginning of the current output block. Gets
20840 * negative when the window is moved backwards.
20841 */
20842
20843 this.match_length = 0; /* length of best match */
20844 this.prev_match = 0; /* previous match */
20845 this.match_available = 0; /* set if previous match exists */
20846 this.strstart = 0; /* start of string to insert */
20847 this.match_start = 0; /* start of matching string */
20848 this.lookahead = 0; /* number of valid bytes ahead in window */
20849
20850 this.prev_length = 0;
20851 /* Length of the best match at previous step. Matches not greater than this
20852 * are discarded. This is used in the lazy match evaluation.
20853 */
20854
20855 this.max_chain_length = 0;
20856 /* To speed up deflation, hash chains are never searched beyond this
20857 * length. A higher limit improves compression ratio but degrades the
20858 * speed.
20859 */
20860
20861 this.max_lazy_match = 0;
20862 /* Attempt to find a better match only when the current match is strictly
20863 * smaller than this value. This mechanism is used only for compression
20864 * levels >= 4.
20865 */
20866 // That's alias to max_lazy_match, don't use directly
20867 //this.max_insert_length = 0;
20868 /* Insert new strings in the hash table only if the match length is not
20869 * greater than this length. This saves time but degrades compression.
20870 * max_insert_length is used only for compression levels <= 3.
20871 */
20872
20873 this.level = 0; /* compression level (1..9) */
20874 this.strategy = 0; /* favor or force Huffman coding*/
20875
20876 this.good_match = 0;
20877 /* Use a faster search when the previous match is longer than this */
20878
20879 this.nice_match = 0; /* Stop searching when current match exceeds this */
20880
20881 /* used by trees.c: */
20882
20883 /* Didn't use ct_data typedef below to suppress compiler warning */
20884
20885 // struct ct_data_s dyn_ltree[HEAP_SIZE]; /* literal and length tree */
20886 // struct ct_data_s dyn_dtree[2*D_CODES+1]; /* distance tree */
20887 // struct ct_data_s bl_tree[2*BL_CODES+1]; /* Huffman tree for bit lengths */
20888
20889 // Use flat array of DOUBLE size, with interleaved fata,
20890 // because JS does not support effective
20891 this.dyn_ltree = new Buf16(HEAP_SIZE$1 * 2);
20892 this.dyn_dtree = new Buf16((2 * D_CODES$1 + 1) * 2);
20893 this.bl_tree = new Buf16((2 * BL_CODES$1 + 1) * 2);
20894 zero$2(this.dyn_ltree);
20895 zero$2(this.dyn_dtree);
20896 zero$2(this.bl_tree);
20897
20898 this.l_desc = null; /* desc. for literal tree */
20899 this.d_desc = null; /* desc. for distance tree */
20900 this.bl_desc = null; /* desc. for bit length tree */
20901
20902 //ush bl_count[MAX_BITS+1];
20903 this.bl_count = new Buf16(MAX_BITS$1 + 1);
20904 /* number of codes at each bit length for an optimal tree */
20905
20906 //int heap[2*L_CODES+1]; /* heap used to build the Huffman trees */
20907 this.heap = new Buf16(2 * L_CODES$1 + 1); /* heap used to build the Huffman trees */
20908 zero$2(this.heap);
20909
20910 this.heap_len = 0; /* number of elements in the heap */
20911 this.heap_max = 0; /* element of largest frequency */
20912 /* The sons of heap[n] are heap[2*n] and heap[2*n+1]. heap[0] is not used.
20913 * The same heap array is used to build all trees.
20914 */
20915
20916 this.depth = new Buf16(2 * L_CODES$1 + 1); //uch depth[2*L_CODES+1];
20917 zero$2(this.depth);
20918 /* Depth of each subtree used as tie breaker for trees of equal frequency
20919 */
20920
20921 this.l_buf = 0; /* buffer index for literals or lengths */
20922
20923 this.lit_bufsize = 0;
20924 /* Size of match buffer for literals/lengths. There are 4 reasons for
20925 * limiting lit_bufsize to 64K:
20926 * - frequencies can be kept in 16 bit counters
20927 * - if compression is not successful for the first block, all input
20928 * data is still in the window so we can still emit a stored block even
20929 * when input comes from standard input. (This can also be done for
20930 * all blocks if lit_bufsize is not greater than 32K.)
20931 * - if compression is not successful for a file smaller than 64K, we can
20932 * even emit a stored file instead of a stored block (saving 5 bytes).
20933 * This is applicable only for zip (not gzip or zlib).
20934 * - creating new Huffman trees less frequently may not provide fast
20935 * adaptation to changes in the input data statistics. (Take for
20936 * example a binary file with poorly compressible code followed by
20937 * a highly compressible string table.) Smaller buffer sizes give
20938 * fast adaptation but have of course the overhead of transmitting
20939 * trees more frequently.
20940 * - I can't count above 4
20941 */
20942
20943 this.last_lit = 0; /* running index in l_buf */
20944
20945 this.d_buf = 0;
20946 /* Buffer index for distances. To simplify the code, d_buf and l_buf have
20947 * the same number of elements. To use different lengths, an extra flag
20948 * array would be necessary.
20949 */
20950
20951 this.opt_len = 0; /* bit length of current block with optimal trees */
20952 this.static_len = 0; /* bit length of current block with static trees */
20953 this.matches = 0; /* number of string matches in current block */
20954 this.insert = 0; /* bytes at end of window left to insert */
20955
20956
20957 this.bi_buf = 0;
20958 /* Output buffer. bits are inserted starting at the bottom (least
20959 * significant bits).
20960 */
20961 this.bi_valid = 0;
20962 /* Number of valid bits in bi_buf. All bits above the last valid bit
20963 * are always zero.
20964 */
20965
20966 // Used for window memory init. We safely ignore it for JS. That makes
20967 // sense only for pointers and memory check tools.
20968 //this.high_water = 0;
20969 /* High water mark offset in window for initialized bytes -- bytes above
20970 * this are set to zero in order to avoid memory check warnings when
20971 * longest match routines access bytes past the input. This is then
20972 * updated to the new high water mark.
20973 */
20974 }
20975 }
20976
20977 function deflateResetKeep(strm) {
20978 let s;
20979
20980 if (!strm || !strm.state) {
20981 return err(strm, Z_STREAM_ERROR);
20982 }
20983
20984 strm.total_in = strm.total_out = 0;
20985 strm.data_type = Z_UNKNOWN;
20986
20987 s = strm.state;
20988 s.pending = 0;
20989 s.pending_out = 0;
20990
20991 if (s.wrap < 0) {
20992 s.wrap = -s.wrap;
20993 /* was made negative by deflate(..., Z_FINISH); */
20994 }
20995 s.status = (s.wrap ? INIT_STATE : BUSY_STATE);
20996 strm.adler = (s.wrap === 2) ?
20997 0 // crc32(0, Z_NULL, 0)
20998 :
20999 1; // adler32(0, Z_NULL, 0)
21000 s.last_flush = Z_NO_FLUSH;
21001 _tr_init(s);
21002 return Z_OK;
21003 }
21004
21005
21006 function deflateReset(strm) {
21007 const ret = deflateResetKeep(strm);
21008 if (ret === Z_OK) {
21009 lm_init(strm.state);
21010 }
21011 return ret;
21012 }
21013
21014
21015 function deflateSetHeader(strm, head) {
21016 if (!strm || !strm.state) { return Z_STREAM_ERROR; }
21017 if (strm.state.wrap !== 2) { return Z_STREAM_ERROR; }
21018 strm.state.gzhead = head;
21019 return Z_OK;
21020 }
21021
21022
21023 function deflateInit2(strm, level, method, windowBits, memLevel, strategy) {
21024 if (!strm) { // === Z_NULL
21025 return Z_STREAM_ERROR;
21026 }
21027 let wrap = 1;
21028
21029 if (level === Z_DEFAULT_COMPRESSION) {
21030 level = 6;
21031 }
21032
21033 if (windowBits < 0) { /* suppress zlib wrapper */
21034 wrap = 0;
21035 windowBits = -windowBits;
21036 }
21037
21038 else if (windowBits > 15) {
21039 wrap = 2; /* write gzip wrapper instead */
21040 windowBits -= 16;
21041 }
21042
21043
21044 if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method !== Z_DEFLATED ||
21045 windowBits < 8 || windowBits > 15 || level < 0 || level > 9 ||
21046 strategy < 0 || strategy > Z_FIXED) {
21047 return err(strm, Z_STREAM_ERROR);
21048 }
21049
21050
21051 if (windowBits === 8) {
21052 windowBits = 9;
21053 }
21054 /* until 256-byte window bug fixed */
21055
21056 const s = new DeflateState();
21057
21058 strm.state = s;
21059 s.strm = strm;
21060
21061 s.wrap = wrap;
21062 s.gzhead = null;
21063 s.w_bits = windowBits;
21064 s.w_size = 1 << s.w_bits;
21065 s.w_mask = s.w_size - 1;
21066
21067 s.hash_bits = memLevel + 7;
21068 s.hash_size = 1 << s.hash_bits;
21069 s.hash_mask = s.hash_size - 1;
21070 s.hash_shift = ~~((s.hash_bits + MIN_MATCH$1 - 1) / MIN_MATCH$1);
21071 s.window = new Buf8(s.w_size * 2);
21072 s.head = new Buf16(s.hash_size);
21073 s.prev = new Buf16(s.w_size);
21074
21075 // Don't need mem init magic for JS.
21076 //s.high_water = 0; /* nothing written to s->window yet */
21077
21078 s.lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
21079
21080 s.pending_buf_size = s.lit_bufsize * 4;
21081
21082 //overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
21083 //s->pending_buf = (uchf *) overlay;
21084 s.pending_buf = new Buf8(s.pending_buf_size);
21085
21086 // It is offset from `s.pending_buf` (size is `s.lit_bufsize * 2`)
21087 //s->d_buf = overlay + s->lit_bufsize/sizeof(ush);
21088 s.d_buf = 1 * s.lit_bufsize;
21089
21090 //s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize;
21091 s.l_buf = (1 + 2) * s.lit_bufsize;
21092
21093 s.level = level;
21094 s.strategy = strategy;
21095 s.method = method;
21096
21097 return deflateReset(strm);
21098 }
21099
21100
21101 function deflate(strm, flush) {
21102 let old_flush, s;
21103 let beg, val; // for gzip header write only
21104
21105 if (!strm || !strm.state ||
21106 flush > Z_BLOCK || flush < 0) {
21107 return strm ? err(strm, Z_STREAM_ERROR) : Z_STREAM_ERROR;
21108 }
21109
21110 s = strm.state;
21111
21112 if (!strm.output ||
21113 (!strm.input && strm.avail_in !== 0) ||
21114 (s.status === FINISH_STATE && flush !== Z_FINISH)) {
21115 return err(strm, (strm.avail_out === 0) ? Z_BUF_ERROR : Z_STREAM_ERROR);
21116 }
21117
21118 s.strm = strm; /* just in case */
21119 old_flush = s.last_flush;
21120 s.last_flush = flush;
21121
21122 /* Write the header */
21123 if (s.status === INIT_STATE) {
21124
21125 if (s.wrap === 2) { // GZIP header
21126 strm.adler = 0; //crc32(0L, Z_NULL, 0);
21127 put_byte(s, 31);
21128 put_byte(s, 139);
21129 put_byte(s, 8);
21130 if (!s.gzhead) { // s->gzhead == Z_NULL
21131 put_byte(s, 0);
21132 put_byte(s, 0);
21133 put_byte(s, 0);
21134 put_byte(s, 0);
21135 put_byte(s, 0);
21136 put_byte(s, s.level === 9 ? 2 :
21137 (s.strategy >= Z_HUFFMAN_ONLY || s.level < 2 ?
21138 4 : 0));
21139 put_byte(s, OS_CODE);
21140 s.status = BUSY_STATE;
21141 }
21142 else {
21143 put_byte(s, (s.gzhead.text ? 1 : 0) +
21144 (s.gzhead.hcrc ? 2 : 0) +
21145 (!s.gzhead.extra ? 0 : 4) +
21146 (!s.gzhead.name ? 0 : 8) +
21147 (!s.gzhead.comment ? 0 : 16)
21148 );
21149 put_byte(s, s.gzhead.time & 0xff);
21150 put_byte(s, (s.gzhead.time >> 8) & 0xff);
21151 put_byte(s, (s.gzhead.time >> 16) & 0xff);
21152 put_byte(s, (s.gzhead.time >> 24) & 0xff);
21153 put_byte(s, s.level === 9 ? 2 :
21154 (s.strategy >= Z_HUFFMAN_ONLY || s.level < 2 ?
21155 4 : 0));
21156 put_byte(s, s.gzhead.os & 0xff);
21157 if (s.gzhead.extra && s.gzhead.extra.length) {
21158 put_byte(s, s.gzhead.extra.length & 0xff);
21159 put_byte(s, (s.gzhead.extra.length >> 8) & 0xff);
21160 }
21161 if (s.gzhead.hcrc) {
21162 strm.adler = crc32(strm.adler, s.pending_buf, s.pending, 0);
21163 }
21164 s.gzindex = 0;
21165 s.status = EXTRA_STATE;
21166 }
21167 }
21168 else // DEFLATE header
21169 {
21170 let header = (Z_DEFLATED + ((s.w_bits - 8) << 4)) << 8;
21171 let level_flags = -1;
21172
21173 if (s.strategy >= Z_HUFFMAN_ONLY || s.level < 2) {
21174 level_flags = 0;
21175 } else if (s.level < 6) {
21176 level_flags = 1;
21177 } else if (s.level === 6) {
21178 level_flags = 2;
21179 } else {
21180 level_flags = 3;
21181 }
21182 header |= (level_flags << 6);
21183 if (s.strstart !== 0) { header |= PRESET_DICT; }
21184 header += 31 - (header % 31);
21185
21186 s.status = BUSY_STATE;
21187 putShortMSB(s, header);
21188
21189 /* Save the adler32 of the preset dictionary: */
21190 if (s.strstart !== 0) {
21191 putShortMSB(s, strm.adler >>> 16);
21192 putShortMSB(s, strm.adler & 0xffff);
21193 }
21194 strm.adler = 1; // adler32(0L, Z_NULL, 0);
21195 }
21196 }
21197
21198 //#ifdef GZIP
21199 if (s.status === EXTRA_STATE) {
21200 if (s.gzhead.extra/* != Z_NULL*/) {
21201 beg = s.pending; /* start of bytes to update crc */
21202
21203 while (s.gzindex < (s.gzhead.extra.length & 0xffff)) {
21204 if (s.pending === s.pending_buf_size) {
21205 if (s.gzhead.hcrc && s.pending > beg) {
21206 strm.adler = crc32(strm.adler, s.pending_buf, s.pending - beg, beg);
21207 }
21208 flush_pending(strm);
21209 beg = s.pending;
21210 if (s.pending === s.pending_buf_size) {
21211 break;
21212 }
21213 }
21214 put_byte(s, s.gzhead.extra[s.gzindex] & 0xff);
21215 s.gzindex++;
21216 }
21217 if (s.gzhead.hcrc && s.pending > beg) {
21218 strm.adler = crc32(strm.adler, s.pending_buf, s.pending - beg, beg);
21219 }
21220 if (s.gzindex === s.gzhead.extra.length) {
21221 s.gzindex = 0;
21222 s.status = NAME_STATE;
21223 }
21224 }
21225 else {
21226 s.status = NAME_STATE;
21227 }
21228 }
21229 if (s.status === NAME_STATE) {
21230 if (s.gzhead.name/* != Z_NULL*/) {
21231 beg = s.pending; /* start of bytes to update crc */
21232 //int val;
21233
21234 do {
21235 if (s.pending === s.pending_buf_size) {
21236 if (s.gzhead.hcrc && s.pending > beg) {
21237 strm.adler = crc32(strm.adler, s.pending_buf, s.pending - beg, beg);
21238 }
21239 flush_pending(strm);
21240 beg = s.pending;
21241 if (s.pending === s.pending_buf_size) {
21242 val = 1;
21243 break;
21244 }
21245 }
21246 // JS specific: little magic to add zero terminator to end of string
21247 if (s.gzindex < s.gzhead.name.length) {
21248 val = s.gzhead.name.charCodeAt(s.gzindex++) & 0xff;
21249 } else {
21250 val = 0;
21251 }
21252 put_byte(s, val);
21253 } while (val !== 0);
21254
21255 if (s.gzhead.hcrc && s.pending > beg) {
21256 strm.adler = crc32(strm.adler, s.pending_buf, s.pending - beg, beg);
21257 }
21258 if (val === 0) {
21259 s.gzindex = 0;
21260 s.status = COMMENT_STATE;
21261 }
21262 }
21263 else {
21264 s.status = COMMENT_STATE;
21265 }
21266 }
21267 if (s.status === COMMENT_STATE) {
21268 if (s.gzhead.comment/* != Z_NULL*/) {
21269 beg = s.pending; /* start of bytes to update crc */
21270 //int val;
21271
21272 do {
21273 if (s.pending === s.pending_buf_size) {
21274 if (s.gzhead.hcrc && s.pending > beg) {
21275 strm.adler = crc32(strm.adler, s.pending_buf, s.pending - beg, beg);
21276 }
21277 flush_pending(strm);
21278 beg = s.pending;
21279 if (s.pending === s.pending_buf_size) {
21280 val = 1;
21281 break;
21282 }
21283 }
21284 // JS specific: little magic to add zero terminator to end of string
21285 if (s.gzindex < s.gzhead.comment.length) {
21286 val = s.gzhead.comment.charCodeAt(s.gzindex++) & 0xff;
21287 } else {
21288 val = 0;
21289 }
21290 put_byte(s, val);
21291 } while (val !== 0);
21292
21293 if (s.gzhead.hcrc && s.pending > beg) {
21294 strm.adler = crc32(strm.adler, s.pending_buf, s.pending - beg, beg);
21295 }
21296 if (val === 0) {
21297 s.status = HCRC_STATE;
21298 }
21299 }
21300 else {
21301 s.status = HCRC_STATE;
21302 }
21303 }
21304 if (s.status === HCRC_STATE) {
21305 if (s.gzhead.hcrc) {
21306 if (s.pending + 2 > s.pending_buf_size) {
21307 flush_pending(strm);
21308 }
21309 if (s.pending + 2 <= s.pending_buf_size) {
21310 put_byte(s, strm.adler & 0xff);
21311 put_byte(s, (strm.adler >> 8) & 0xff);
21312 strm.adler = 0; //crc32(0L, Z_NULL, 0);
21313 s.status = BUSY_STATE;
21314 }
21315 }
21316 else {
21317 s.status = BUSY_STATE;
21318 }
21319 }
21320 //#endif
21321
21322 /* Flush as much pending output as possible */
21323 if (s.pending !== 0) {
21324 flush_pending(strm);
21325 if (strm.avail_out === 0) {
21326 /* Since avail_out is 0, deflate will be called again with
21327 * more output space, but possibly with both pending and
21328 * avail_in equal to zero. There won't be anything to do,
21329 * but this is not an error situation so make sure we
21330 * return OK instead of BUF_ERROR at next call of deflate:
21331 */
21332 s.last_flush = -1;
21333 return Z_OK;
21334 }
21335
21336 /* Make sure there is something to do and avoid duplicate consecutive
21337 * flushes. For repeated and useless calls with Z_FINISH, we keep
21338 * returning Z_STREAM_END instead of Z_BUF_ERROR.
21339 */
21340 } else if (strm.avail_in === 0 && rank(flush) <= rank(old_flush) &&
21341 flush !== Z_FINISH) {
21342 return err(strm, Z_BUF_ERROR);
21343 }
21344
21345 /* User must not provide more input after the first FINISH: */
21346 if (s.status === FINISH_STATE && strm.avail_in !== 0) {
21347 return err(strm, Z_BUF_ERROR);
21348 }
21349
21350 /* Start a new block or continue the current one.
21351 */
21352 if (strm.avail_in !== 0 || s.lookahead !== 0 ||
21353 (flush !== Z_NO_FLUSH && s.status !== FINISH_STATE)) {
21354 var bstate = (s.strategy === Z_HUFFMAN_ONLY) ? deflate_huff(s, flush) :
21355 (s.strategy === Z_RLE ? deflate_rle(s, flush) :
21356 configuration_table[s.level].func(s, flush));
21357
21358 if (bstate === BS_FINISH_STARTED || bstate === BS_FINISH_DONE) {
21359 s.status = FINISH_STATE;
21360 }
21361 if (bstate === BS_NEED_MORE || bstate === BS_FINISH_STARTED) {
21362 if (strm.avail_out === 0) {
21363 s.last_flush = -1;
21364 /* avoid BUF_ERROR next call, see above */
21365 }
21366 return Z_OK;
21367 /* If flush != Z_NO_FLUSH && avail_out == 0, the next call
21368 * of deflate should use the same flush parameter to make sure
21369 * that the flush is complete. So we don't have to output an
21370 * empty block here, this will be done at next call. This also
21371 * ensures that for a very small output buffer, we emit at most
21372 * one empty block.
21373 */
21374 }
21375 if (bstate === BS_BLOCK_DONE) {
21376 if (flush === Z_PARTIAL_FLUSH) {
21377 _tr_align(s);
21378 }
21379 else if (flush !== Z_BLOCK) { /* FULL_FLUSH or SYNC_FLUSH */
21380
21381 _tr_stored_block(s, 0, 0, false);
21382 /* For a full flush, this empty block will be recognized
21383 * as a special marker by inflate_sync().
21384 */
21385 if (flush === Z_FULL_FLUSH) {
21386 /*** CLEAR_HASH(s); ***/ /* forget history */
21387 zero$2(s.head); // Fill with NIL (= 0);
21388
21389 if (s.lookahead === 0) {
21390 s.strstart = 0;
21391 s.block_start = 0;
21392 s.insert = 0;
21393 }
21394 }
21395 }
21396 flush_pending(strm);
21397 if (strm.avail_out === 0) {
21398 s.last_flush = -1; /* avoid BUF_ERROR at next call, see above */
21399 return Z_OK;
21400 }
21401 }
21402 }
21403 //Assert(strm->avail_out > 0, "bug2");
21404 //if (strm.avail_out <= 0) { throw new Error("bug2");}
21405
21406 if (flush !== Z_FINISH) { return Z_OK; }
21407 if (s.wrap <= 0) { return Z_STREAM_END; }
21408
21409 /* Write the trailer */
21410 if (s.wrap === 2) {
21411 put_byte(s, strm.adler & 0xff);
21412 put_byte(s, (strm.adler >> 8) & 0xff);
21413 put_byte(s, (strm.adler >> 16) & 0xff);
21414 put_byte(s, (strm.adler >> 24) & 0xff);
21415 put_byte(s, strm.total_in & 0xff);
21416 put_byte(s, (strm.total_in >> 8) & 0xff);
21417 put_byte(s, (strm.total_in >> 16) & 0xff);
21418 put_byte(s, (strm.total_in >> 24) & 0xff);
21419 }
21420 else {
21421 putShortMSB(s, strm.adler >>> 16);
21422 putShortMSB(s, strm.adler & 0xffff);
21423 }
21424
21425 flush_pending(strm);
21426 /* If avail_out is zero, the application will call deflate again
21427 * to flush the rest.
21428 */
21429 if (s.wrap > 0) { s.wrap = -s.wrap; }
21430 /* write the trailer only once! */
21431 return s.pending !== 0 ? Z_OK : Z_STREAM_END;
21432 }
21433
21434 function deflateEnd(strm) {
21435 let status;
21436
21437 if (!strm/*== Z_NULL*/ || !strm.state/*== Z_NULL*/) {
21438 return Z_STREAM_ERROR;
21439 }
21440
21441 status = strm.state.status;
21442 if (status !== INIT_STATE &&
21443 status !== EXTRA_STATE &&
21444 status !== NAME_STATE &&
21445 status !== COMMENT_STATE &&
21446 status !== HCRC_STATE &&
21447 status !== BUSY_STATE &&
21448 status !== FINISH_STATE
21449 ) {
21450 return err(strm, Z_STREAM_ERROR);
21451 }
21452
21453 strm.state = null;
21454
21455 return status === BUSY_STATE ? err(strm, Z_DATA_ERROR) : Z_OK;
21456 }
21457
21458
21459 /* =========================================================================
21460 * Initializes the compression dictionary from the given byte
21461 * sequence without producing any compressed output.
21462 */
21463 function deflateSetDictionary(strm, dictionary) {
21464 const dictLength = dictionary.length;
21465
21466 let s;
21467 let str, n;
21468 let wrap;
21469 let avail;
21470 let next;
21471 let input;
21472 let tmpDict;
21473
21474 if (!strm/*== Z_NULL*/ || !strm.state/*== Z_NULL*/) {
21475 return Z_STREAM_ERROR;
21476 }
21477
21478 s = strm.state;
21479 wrap = s.wrap;
21480
21481 if (wrap === 2 || (wrap === 1 && s.status !== INIT_STATE) || s.lookahead) {
21482 return Z_STREAM_ERROR;
21483 }
21484
21485 /* when using zlib wrappers, compute Adler-32 for provided dictionary */
21486 if (wrap === 1) {
21487 /* adler32(strm->adler, dictionary, dictLength); */
21488 strm.adler = adler32(strm.adler, dictionary, dictLength, 0);
21489 }
21490
21491 s.wrap = 0; /* avoid computing Adler-32 in read_buf */
21492
21493 /* if dictionary would fill window, just replace the history */
21494 if (dictLength >= s.w_size) {
21495 if (wrap === 0) { /* already empty otherwise */
21496 /*** CLEAR_HASH(s); ***/
21497 zero$2(s.head); // Fill with NIL (= 0);
21498 s.strstart = 0;
21499 s.block_start = 0;
21500 s.insert = 0;
21501 }
21502 /* use the tail */
21503 // dictionary = dictionary.slice(dictLength - s.w_size);
21504 tmpDict = new Buf8(s.w_size);
21505 arraySet(tmpDict, dictionary, dictLength - s.w_size, s.w_size, 0);
21506 dictionary = tmpDict;
21507 dictLength = s.w_size;
21508 }
21509 /* insert dictionary into window and hash */
21510 avail = strm.avail_in;
21511 next = strm.next_in;
21512 input = strm.input;
21513 strm.avail_in = dictLength;
21514 strm.next_in = 0;
21515 strm.input = dictionary;
21516 fill_window(s);
21517 while (s.lookahead >= MIN_MATCH$1) {
21518 str = s.strstart;
21519 n = s.lookahead - (MIN_MATCH$1 - 1);
21520 do {
21521 /* UPDATE_HASH(s, s->ins_h, s->window[str + MIN_MATCH-1]); */
21522 s.ins_h = ((s.ins_h << s.hash_shift) ^ s.window[str + MIN_MATCH$1 - 1]) & s.hash_mask;
21523
21524 s.prev[str & s.w_mask] = s.head[s.ins_h];
21525
21526 s.head[s.ins_h] = str;
21527 str++;
21528 } while (--n);
21529 s.strstart = str;
21530 s.lookahead = MIN_MATCH$1 - 1;
21531 fill_window(s);
21532 }
21533 s.strstart += s.lookahead;
21534 s.block_start = s.strstart;
21535 s.insert = s.lookahead;
21536 s.lookahead = 0;
21537 s.match_length = s.prev_length = MIN_MATCH$1 - 1;
21538 s.match_available = 0;
21539 strm.next_in = next;
21540 strm.input = input;
21541 strm.avail_in = avail;
21542 s.wrap = wrap;
21543 return Z_OK;
21544 }
21545
21546 /* Not implemented
21547 exports.deflateBound = deflateBound;
21548 exports.deflateCopy = deflateCopy;
21549 exports.deflateParams = deflateParams;
21550 exports.deflatePending = deflatePending;
21551 exports.deflatePrime = deflatePrime;
21552 exports.deflateTune = deflateTune;
21553 */
21554
21555 // String encode/decode helpers
21556
21557 try {
21558 String.fromCharCode.apply(null, [ 0 ]);
21559 } catch (__) {
21560 }
21561 try {
21562 String.fromCharCode.apply(null, new Uint8Array(1));
21563 } catch (__) {
21564 }
21565
21566
21567 // Table with utf8 lengths (calculated by first byte of sequence)
21568 // Note, that 5 & 6-byte values and some 4-byte values can not be represented in JS,
21569 // because max possible codepoint is 0x10ffff
21570 const _utf8len = new Buf8(256);
21571 for (let q = 0; q < 256; q++) {
21572 _utf8len[q] = q >= 252 ? 6 : q >= 248 ? 5 : q >= 240 ? 4 : q >= 224 ? 3 : q >= 192 ? 2 : 1;
21573 }
21574 _utf8len[254] = _utf8len[254] = 1; // Invalid sequence start
21575
21576
21577 // convert string to array (typed, when possible)
21578 function string2buf (str) {
21579 let c, c2, m_pos, i, buf_len = 0;
21580 const str_len = str.length;
21581
21582 // count binary size
21583 for (m_pos = 0; m_pos < str_len; m_pos++) {
21584 c = str.charCodeAt(m_pos);
21585 if ((c & 0xfc00) === 0xd800 && m_pos + 1 < str_len) {
21586 c2 = str.charCodeAt(m_pos + 1);
21587 if ((c2 & 0xfc00) === 0xdc00) {
21588 c = 0x10000 + (c - 0xd800 << 10) + (c2 - 0xdc00);
21589 m_pos++;
21590 }
21591 }
21592 buf_len += c < 0x80 ? 1 : c < 0x800 ? 2 : c < 0x10000 ? 3 : 4;
21593 }
21594
21595 // allocate buffer
21596 const buf = new Buf8(buf_len);
21597
21598 // convert
21599 for (i = 0, m_pos = 0; i < buf_len; m_pos++) {
21600 c = str.charCodeAt(m_pos);
21601 if ((c & 0xfc00) === 0xd800 && m_pos + 1 < str_len) {
21602 c2 = str.charCodeAt(m_pos + 1);
21603 if ((c2 & 0xfc00) === 0xdc00) {
21604 c = 0x10000 + (c - 0xd800 << 10) + (c2 - 0xdc00);
21605 m_pos++;
21606 }
21607 }
21608 if (c < 0x80) {
21609 /* one byte */
21610 buf[i++] = c;
21611 } else if (c < 0x800) {
21612 /* two bytes */
21613 buf[i++] = 0xC0 | c >>> 6;
21614 buf[i++] = 0x80 | c & 0x3f;
21615 } else if (c < 0x10000) {
21616 /* three bytes */
21617 buf[i++] = 0xE0 | c >>> 12;
21618 buf[i++] = 0x80 | c >>> 6 & 0x3f;
21619 buf[i++] = 0x80 | c & 0x3f;
21620 } else {
21621 /* four bytes */
21622 buf[i++] = 0xf0 | c >>> 18;
21623 buf[i++] = 0x80 | c >>> 12 & 0x3f;
21624 buf[i++] = 0x80 | c >>> 6 & 0x3f;
21625 buf[i++] = 0x80 | c & 0x3f;
21626 }
21627 }
21628
21629 return buf;
21630 }
21631
21632
21633 // Convert binary string (typed, when possible)
21634 function binstring2buf (str) {
21635 const buf = new Buf8(str.length);
21636 for (let i = 0, len = buf.length; i < len; i++) {
21637 buf[i] = str.charCodeAt(i);
21638 }
21639 return buf;
21640 }
21641
21642 // (C) 1995-2013 Jean-loup Gailly and Mark Adler
21643 // (C) 2014-2017 Vitaly Puzrin and Andrey Tupitsin
21644 //
21645 // This software is provided 'as-is', without any express or implied
21646 // warranty. In no event will the authors be held liable for any damages
21647 // arising from the use of this software.
21648 //
21649 // Permission is granted to anyone to use this software for any purpose,
21650 // including commercial applications, and to alter it and redistribute it
21651 // freely, subject to the following restrictions:
21652 //
21653 // 1. The origin of this software must not be misrepresented; you must not
21654 // claim that you wrote the original software. If you use this software
21655 // in a product, an acknowledgment in the product documentation would be
21656 // appreciated but is not required.
21657 // 2. Altered source versions must be plainly marked as such, and must not be
21658 // misrepresented as being the original software.
21659 // 3. This notice may not be removed or altered from any source distribution.
21660
21661 class ZStream {
21662 constructor() {
21663 /* next input byte */
21664 this.input = null; // JS specific, because we have no pointers
21665 this.next_in = 0;
21666 /* number of bytes available at input */
21667 this.avail_in = 0;
21668 /* total number of input bytes read so far */
21669 this.total_in = 0;
21670 /* next output byte should be put there */
21671 this.output = null; // JS specific, because we have no pointers
21672 this.next_out = 0;
21673 /* remaining free space at output */
21674 this.avail_out = 0;
21675 /* total number of bytes output so far */
21676 this.total_out = 0;
21677 /* last error message, NULL if no error */
21678 this.msg = ''/*Z_NULL*/;
21679 /* not visible by applications */
21680 this.state = null;
21681 /* best guess about the data type: binary or text */
21682 this.data_type = 2/*Z_UNKNOWN*/;
21683 /* adler32 value of the uncompressed data */
21684 this.adler = 0;
21685 }
21686 }
21687
21688 /* ===========================================================================*/
21689
21690
21691 /**
21692 * class Deflate
21693 *
21694 * Generic JS-style wrapper for zlib calls. If you don't need
21695 * streaming behaviour - use more simple functions: [[deflate]],
21696 * [[deflateRaw]] and [[gzip]].
21697 **/
21698
21699 /* internal
21700 * Deflate.chunks -> Array
21701 *
21702 * Chunks of output data, if [[Deflate#onData]] not overridden.
21703 **/
21704
21705 /**
21706 * Deflate.result -> Uint8Array|Array
21707 *
21708 * Compressed result, generated by default [[Deflate#onData]]
21709 * and [[Deflate#onEnd]] handlers. Filled after you push last chunk
21710 * (call [[Deflate#push]] with `Z_FINISH` / `true` param) or if you
21711 * push a chunk with explicit flush (call [[Deflate#push]] with
21712 * `Z_SYNC_FLUSH` param).
21713 **/
21714
21715 /**
21716 * Deflate.err -> Number
21717 *
21718 * Error code after deflate finished. 0 (Z_OK) on success.
21719 * You will not need it in real life, because deflate errors
21720 * are possible only on wrong options or bad `onData` / `onEnd`
21721 * custom handlers.
21722 **/
21723
21724 /**
21725 * Deflate.msg -> String
21726 *
21727 * Error message, if [[Deflate.err]] != 0
21728 **/
21729
21730
21731 /**
21732 * new Deflate(options)
21733 * - options (Object): zlib deflate options.
21734 *
21735 * Creates new deflator instance with specified params. Throws exception
21736 * on bad params. Supported options:
21737 *
21738 * - `level`
21739 * - `windowBits`
21740 * - `memLevel`
21741 * - `strategy`
21742 * - `dictionary`
21743 *
21744 * [http://zlib.net/manual.html#Advanced](http://zlib.net/manual.html#Advanced)
21745 * for more information on these.
21746 *
21747 * Additional options, for internal needs:
21748 *
21749 * - `chunkSize` - size of generated data chunks (16K by default)
21750 * - `raw` (Boolean) - do raw deflate
21751 * - `gzip` (Boolean) - create gzip wrapper
21752 * - `to` (String) - if equal to 'string', then result will be "binary string"
21753 * (each char code [0..255])
21754 * - `header` (Object) - custom header for gzip
21755 * - `text` (Boolean) - true if compressed data believed to be text
21756 * - `time` (Number) - modification time, unix timestamp
21757 * - `os` (Number) - operation system code
21758 * - `extra` (Array) - array of bytes with extra data (max 65536)
21759 * - `name` (String) - file name (binary string)
21760 * - `comment` (String) - comment (binary string)
21761 * - `hcrc` (Boolean) - true if header crc should be added
21762 *
21763 * ##### Example:
21764 *
21765 * ```javascript
21766 * var pako = void('pako')
21767 * , chunk1 = Uint8Array([1,2,3,4,5,6,7,8,9])
21768 * , chunk2 = Uint8Array([10,11,12,13,14,15,16,17,18,19]);
21769 *
21770 * var deflate = new pako.Deflate({ level: 3});
21771 *
21772 * deflate.push(chunk1, false);
21773 * deflate.push(chunk2, true); // true -> last chunk
21774 *
21775 * if (deflate.err) { throw new Error(deflate.err); }
21776 *
21777 * console.log(deflate.result);
21778 * ```
21779 **/
21780
21781 class Deflate {
21782 constructor(options) {
21783 this.options = {
21784 level: Z_DEFAULT_COMPRESSION,
21785 method: Z_DEFLATED,
21786 chunkSize: 16384,
21787 windowBits: 15,
21788 memLevel: 8,
21789 strategy: Z_DEFAULT_STRATEGY,
21790 ...(options || {})
21791 };
21792
21793 const opt = this.options;
21794
21795 if (opt.raw && (opt.windowBits > 0)) {
21796 opt.windowBits = -opt.windowBits;
21797 }
21798
21799 else if (opt.gzip && (opt.windowBits > 0) && (opt.windowBits < 16)) {
21800 opt.windowBits += 16;
21801 }
21802
21803 this.err = 0; // error code, if happens (0 = Z_OK)
21804 this.msg = ''; // error message
21805 this.ended = false; // used to avoid multiple onEnd() calls
21806 this.chunks = []; // chunks of compressed data
21807
21808 this.strm = new ZStream();
21809 this.strm.avail_out = 0;
21810
21811 var status = deflateInit2(
21812 this.strm,
21813 opt.level,
21814 opt.method,
21815 opt.windowBits,
21816 opt.memLevel,
21817 opt.strategy
21818 );
21819
21820 if (status !== Z_OK) {
21821 throw new Error(msg[status]);
21822 }
21823
21824 if (opt.header) {
21825 deflateSetHeader(this.strm, opt.header);
21826 }
21827
21828 if (opt.dictionary) {
21829 let dict;
21830 // Convert data if needed
21831 if (typeof opt.dictionary === 'string') {
21832 // If we need to compress text, change encoding to utf8.
21833 dict = string2buf(opt.dictionary);
21834 } else if (opt.dictionary instanceof ArrayBuffer) {
21835 dict = new Uint8Array(opt.dictionary);
21836 } else {
21837 dict = opt.dictionary;
21838 }
21839
21840 status = deflateSetDictionary(this.strm, dict);
21841
21842 if (status !== Z_OK) {
21843 throw new Error(msg[status]);
21844 }
21845
21846 this._dict_set = true;
21847 }
21848 }
21849
21850 /**
21851 * Deflate#push(data[, mode]) -> Boolean
21852 * - data (Uint8Array|Array|ArrayBuffer|String): input data. Strings will be
21853 * converted to utf8 byte sequence.
21854 * - mode (Number|Boolean): 0..6 for corresponding Z_NO_FLUSH..Z_TREE modes.
21855 * See constants. Skipped or `false` means Z_NO_FLUSH, `true` means Z_FINISH.
21856 *
21857 * Sends input data to deflate pipe, generating [[Deflate#onData]] calls with
21858 * new compressed chunks. Returns `true` on success. The last data block must have
21859 * mode Z_FINISH (or `true`). That will flush internal pending buffers and call
21860 * [[Deflate#onEnd]]. For interim explicit flushes (without ending the stream) you
21861 * can use mode Z_SYNC_FLUSH, keeping the compression context.
21862 *
21863 * On fail call [[Deflate#onEnd]] with error code and return false.
21864 *
21865 * We strongly recommend to use `Uint8Array` on input for best speed (output
21866 * array format is detected automatically). Also, don't skip last param and always
21867 * use the same type in your code (boolean or number). That will improve JS speed.
21868 *
21869 * For regular `Array`-s make sure all elements are [0..255].
21870 *
21871 * ##### Example
21872 *
21873 * ```javascript
21874 * push(chunk, false); // push one of data chunks
21875 * ...
21876 * push(chunk, true); // push last chunk
21877 * ```
21878 **/
21879 push(data, mode) {
21880 const { strm, options: { chunkSize } } = this;
21881 var status, _mode;
21882
21883 if (this.ended) { return false; }
21884
21885 _mode = (mode === ~~mode) ? mode : ((mode === true) ? Z_FINISH : Z_NO_FLUSH);
21886
21887 // Convert data if needed
21888 if (typeof data === 'string') {
21889 // If we need to compress text, change encoding to utf8.
21890 strm.input = string2buf(data);
21891 } else if (data instanceof ArrayBuffer) {
21892 strm.input = new Uint8Array(data);
21893 } else {
21894 strm.input = data;
21895 }
21896
21897 strm.next_in = 0;
21898 strm.avail_in = strm.input.length;
21899
21900 do {
21901 if (strm.avail_out === 0) {
21902 strm.output = new Buf8(chunkSize);
21903 strm.next_out = 0;
21904 strm.avail_out = chunkSize;
21905 }
21906 status = deflate(strm, _mode); /* no bad return value */
21907
21908 if (status !== Z_STREAM_END && status !== Z_OK) {
21909 this.onEnd(status);
21910 this.ended = true;
21911 return false;
21912 }
21913 if (strm.avail_out === 0 || (strm.avail_in === 0 && (_mode === Z_FINISH || _mode === Z_SYNC_FLUSH))) {
21914 this.onData(shrinkBuf(strm.output, strm.next_out));
21915 }
21916 } while ((strm.avail_in > 0 || strm.avail_out === 0) && status !== Z_STREAM_END);
21917
21918 // Finalize on the last chunk.
21919 if (_mode === Z_FINISH) {
21920 status = deflateEnd(this.strm);
21921 this.onEnd(status);
21922 this.ended = true;
21923 return status === Z_OK;
21924 }
21925
21926 // callback interim results if Z_SYNC_FLUSH.
21927 if (_mode === Z_SYNC_FLUSH) {
21928 this.onEnd(Z_OK);
21929 strm.avail_out = 0;
21930 return true;
21931 }
21932
21933 return true;
21934 };
21935 /**
21936 * Deflate#onData(chunk) -> Void
21937 * - chunk (Uint8Array|Array|String): output data. Type of array depends
21938 * on js engine support. When string output requested, each chunk
21939 * will be string.
21940 *
21941 * By default, stores data blocks in `chunks[]` property and glue
21942 * those in `onEnd`. Override this handler, if you need another behaviour.
21943 **/
21944 onData(chunk) {
21945 this.chunks.push(chunk);
21946 };
21947
21948 /**
21949 * Deflate#onEnd(status) -> Void
21950 * - status (Number): deflate status. 0 (Z_OK) on success,
21951 * other if not.
21952 *
21953 * Called once after you tell deflate that the input stream is
21954 * complete (Z_FINISH) or should be flushed (Z_SYNC_FLUSH)
21955 * or if an error happened. By default - join collected chunks,
21956 * free memory and fill `results` / `err` properties.
21957 **/
21958 onEnd(status) {
21959 // On success - join
21960 if (status === Z_OK) {
21961 this.result = flattenChunks(this.chunks);
21962 }
21963 this.chunks = [];
21964 this.err = status;
21965 this.msg = this.strm.msg;
21966 };
21967 }
21968
21969 // (C) 1995-2013 Jean-loup Gailly and Mark Adler
21970 // (C) 2014-2017 Vitaly Puzrin and Andrey Tupitsin
21971 //
21972 // This software is provided 'as-is', without any express or implied
21973 // warranty. In no event will the authors be held liable for any damages
21974 // arising from the use of this software.
21975 //
21976 // Permission is granted to anyone to use this software for any purpose,
21977 // including commercial applications, and to alter it and redistribute it
21978 // freely, subject to the following restrictions:
21979 //
21980 // 1. The origin of this software must not be misrepresented; you must not
21981 // claim that you wrote the original software. If you use this software
21982 // in a product, an acknowledgment in the product documentation would be
21983 // appreciated but is not required.
21984 // 2. Altered source versions must be plainly marked as such, and must not be
21985 // misrepresented as being the original software.
21986 // 3. This notice may not be removed or altered from any source distribution.
21987
21988 // See state defs from inflate.js
21989 const BAD = 30; /* got a data error -- remain here until reset */
21990 const TYPE = 12; /* i: waiting for type bits, including last-flag bit */
21991
21992 /*
21993 Decode literal, length, and distance codes and write out the resulting
21994 literal and match bytes until either not enough input or output is
21995 available, an end-of-block is encountered, or a data error is encountered.
21996 When large enough input and output buffers are supplied to inflate(), for
21997 example, a 16K input buffer and a 64K output buffer, more than 95% of the
21998 inflate execution time is spent in this routine.
21999
22000 Entry assumptions:
22001
22002 state.mode === LEN
22003 strm.avail_in >= 6
22004 strm.avail_out >= 258
22005 start >= strm.avail_out
22006 state.bits < 8
22007
22008 On return, state.mode is one of:
22009
22010 LEN -- ran out of enough output space or enough available input
22011 TYPE -- reached end of block code, inflate() to interpret next block
22012 BAD -- error in block data
22013
22014 Notes:
22015
22016 - The maximum input bits used by a length/distance pair is 15 bits for the
22017 length code, 5 bits for the length extra, 15 bits for the distance code,
22018 and 13 bits for the distance extra. This totals 48 bits, or six bytes.
22019 Therefore if strm.avail_in >= 6, then there is enough input to avoid
22020 checking for available input while decoding.
22021
22022 - The maximum bytes that a single length/distance pair can output is 258
22023 bytes, which is the maximum length that can be coded. inflate_fast()
22024 requires strm.avail_out >= 258 for each loop to avoid checking for
22025 output space.
22026 */
22027 function inflate_fast(strm, start) {
22028 let _in; /* local strm.input */
22029 let _out; /* local strm.output */
22030 // Use `s_window` instead `window`, avoid conflict with instrumentation tools
22031 let hold; /* local strm.hold */
22032 let bits; /* local strm.bits */
22033 let here; /* retrieved table entry */
22034 let op; /* code bits, operation, extra bits, or */
22035 /* window position, window bytes to copy */
22036 let len; /* match length, unused bytes */
22037 let dist; /* match distance */
22038 let from; /* where to copy match from */
22039 let from_source;
22040
22041
22042
22043 /* copy state to local variables */
22044 const state = strm.state;
22045 //here = state.here;
22046 _in = strm.next_in;
22047 const input = strm.input;
22048 const last = _in + (strm.avail_in - 5);
22049 _out = strm.next_out;
22050 const output = strm.output;
22051 const beg = _out - (start - strm.avail_out);
22052 const end = _out + (strm.avail_out - 257);
22053 //#ifdef INFLATE_STRICT
22054 const dmax = state.dmax;
22055 //#endif
22056 const wsize = state.wsize;
22057 const whave = state.whave;
22058 const wnext = state.wnext;
22059 const s_window = state.window;
22060 hold = state.hold;
22061 bits = state.bits;
22062 const lcode = state.lencode;
22063 const dcode = state.distcode;
22064 const lmask = (1 << state.lenbits) - 1;
22065 const dmask = (1 << state.distbits) - 1;
22066
22067
22068 /* decode literals and length/distances until end-of-block or not enough
22069 input data or output space */
22070
22071 top:
22072 do {
22073 if (bits < 15) {
22074 hold += input[_in++] << bits;
22075 bits += 8;
22076 hold += input[_in++] << bits;
22077 bits += 8;
22078 }
22079
22080 here = lcode[hold & lmask];
22081
22082 dolen:
22083 for (;;) { // Goto emulation
22084 op = here >>> 24/*here.bits*/;
22085 hold >>>= op;
22086 bits -= op;
22087 op = here >>> 16 & 0xff/*here.op*/;
22088 if (op === 0) { /* literal */
22089 //Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
22090 // "inflate: literal '%c'\n" :
22091 // "inflate: literal 0x%02x\n", here.val));
22092 output[_out++] = here & 0xffff/*here.val*/;
22093 } else if (op & 16) { /* length base */
22094 len = here & 0xffff/*here.val*/;
22095 op &= 15; /* number of extra bits */
22096 if (op) {
22097 if (bits < op) {
22098 hold += input[_in++] << bits;
22099 bits += 8;
22100 }
22101 len += hold & (1 << op) - 1;
22102 hold >>>= op;
22103 bits -= op;
22104 }
22105 //Tracevv((stderr, "inflate: length %u\n", len));
22106 if (bits < 15) {
22107 hold += input[_in++] << bits;
22108 bits += 8;
22109 hold += input[_in++] << bits;
22110 bits += 8;
22111 }
22112 here = dcode[hold & dmask];
22113
22114 dodist:
22115 for (;;) { // goto emulation
22116 op = here >>> 24/*here.bits*/;
22117 hold >>>= op;
22118 bits -= op;
22119 op = here >>> 16 & 0xff/*here.op*/;
22120
22121 if (op & 16) { /* distance base */
22122 dist = here & 0xffff/*here.val*/;
22123 op &= 15; /* number of extra bits */
22124 if (bits < op) {
22125 hold += input[_in++] << bits;
22126 bits += 8;
22127 if (bits < op) {
22128 hold += input[_in++] << bits;
22129 bits += 8;
22130 }
22131 }
22132 dist += hold & (1 << op) - 1;
22133 //#ifdef INFLATE_STRICT
22134 if (dist > dmax) {
22135 strm.msg = "invalid distance too far back";
22136 state.mode = BAD;
22137 break top;
22138 }
22139 //#endif
22140 hold >>>= op;
22141 bits -= op;
22142 //Tracevv((stderr, "inflate: distance %u\n", dist));
22143 op = _out - beg; /* max distance in output */
22144 if (dist > op) { /* see if copy from window */
22145 op = dist - op; /* distance back in window */
22146 if (op > whave) {
22147 if (state.sane) {
22148 strm.msg = "invalid distance too far back";
22149 state.mode = BAD;
22150 break top;
22151 }
22152
22153 // (!) This block is disabled in zlib defaults,
22154 // don't enable it for binary compatibility
22155 //#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
22156 // if (len <= op - whave) {
22157 // do {
22158 // output[_out++] = 0;
22159 // } while (--len);
22160 // continue top;
22161 // }
22162 // len -= op - whave;
22163 // do {
22164 // output[_out++] = 0;
22165 // } while (--op > whave);
22166 // if (op === 0) {
22167 // from = _out - dist;
22168 // do {
22169 // output[_out++] = output[from++];
22170 // } while (--len);
22171 // continue top;
22172 // }
22173 //#endif
22174 }
22175 from = 0; // window index
22176 from_source = s_window;
22177 if (wnext === 0) { /* very common case */
22178 from += wsize - op;
22179 if (op < len) { /* some from window */
22180 len -= op;
22181 do {
22182 output[_out++] = s_window[from++];
22183 } while (--op);
22184 from = _out - dist; /* rest from output */
22185 from_source = output;
22186 }
22187 } else if (wnext < op) { /* wrap around window */
22188 from += wsize + wnext - op;
22189 op -= wnext;
22190 if (op < len) { /* some from end of window */
22191 len -= op;
22192 do {
22193 output[_out++] = s_window[from++];
22194 } while (--op);
22195 from = 0;
22196 if (wnext < len) { /* some from start of window */
22197 op = wnext;
22198 len -= op;
22199 do {
22200 output[_out++] = s_window[from++];
22201 } while (--op);
22202 from = _out - dist; /* rest from output */
22203 from_source = output;
22204 }
22205 }
22206 } else { /* contiguous in window */
22207 from += wnext - op;
22208 if (op < len) { /* some from window */
22209 len -= op;
22210 do {
22211 output[_out++] = s_window[from++];
22212 } while (--op);
22213 from = _out - dist; /* rest from output */
22214 from_source = output;
22215 }
22216 }
22217 while (len > 2) {
22218 output[_out++] = from_source[from++];
22219 output[_out++] = from_source[from++];
22220 output[_out++] = from_source[from++];
22221 len -= 3;
22222 }
22223 if (len) {
22224 output[_out++] = from_source[from++];
22225 if (len > 1) {
22226 output[_out++] = from_source[from++];
22227 }
22228 }
22229 } else {
22230 from = _out - dist; /* copy direct from output */
22231 do { /* minimum length is three */
22232 output[_out++] = output[from++];
22233 output[_out++] = output[from++];
22234 output[_out++] = output[from++];
22235 len -= 3;
22236 } while (len > 2);
22237 if (len) {
22238 output[_out++] = output[from++];
22239 if (len > 1) {
22240 output[_out++] = output[from++];
22241 }
22242 }
22243 }
22244 } else if ((op & 64) === 0) { /* 2nd level distance code */
22245 here = dcode[(here & 0xffff)/*here.val*/ + (hold & (1 << op) - 1)];
22246 continue dodist;
22247 } else {
22248 strm.msg = "invalid distance code";
22249 state.mode = BAD;
22250 break top;
22251 }
22252
22253 break; // need to emulate goto via "continue"
22254 }
22255 } else if ((op & 64) === 0) { /* 2nd level length code */
22256 here = lcode[(here & 0xffff)/*here.val*/ + (hold & (1 << op) - 1)];
22257 continue dolen;
22258 } else if (op & 32) { /* end-of-block */
22259 //Tracevv((stderr, "inflate: end of block\n"));
22260 state.mode = TYPE;
22261 break top;
22262 } else {
22263 strm.msg = "invalid literal/length code";
22264 state.mode = BAD;
22265 break top;
22266 }
22267
22268 break; // need to emulate goto via "continue"
22269 }
22270 } while (_in < last && _out < end);
22271
22272 /* return unused bytes (on entry, bits < 8, so in won't go too far back) */
22273 len = bits >> 3;
22274 _in -= len;
22275 bits -= len << 3;
22276 hold &= (1 << bits) - 1;
22277
22278 /* update state and return */
22279 strm.next_in = _in;
22280 strm.next_out = _out;
22281 strm.avail_in = _in < last ? 5 + (last - _in) : 5 - (_in - last);
22282 strm.avail_out = _out < end ? 257 + (end - _out) : 257 - (_out - end);
22283 state.hold = hold;
22284 state.bits = bits;
22285 return;
22286 }
22287
22288 const MAXBITS = 15;
22289 const ENOUGH_LENS = 852;
22290 const ENOUGH_DISTS = 592;
22291 //var ENOUGH = (ENOUGH_LENS+ENOUGH_DISTS);
22292
22293 const CODES = 0;
22294 const LENS = 1;
22295 const DISTS = 2;
22296
22297 const lbase = [ /* Length codes 257..285 base */
22298 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
22299 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0
22300 ];
22301
22302 const lext = [ /* Length codes 257..285 extra */
22303 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 18, 18, 18, 18,
22304 19, 19, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 16, 72, 78
22305 ];
22306
22307 const dbase = [ /* Distance codes 0..29 base */
22308 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
22309 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
22310 8193, 12289, 16385, 24577, 0, 0
22311 ];
22312
22313 const dext = [ /* Distance codes 0..29 extra */
22314 16, 16, 16, 16, 17, 17, 18, 18, 19, 19, 20, 20, 21, 21, 22, 22,
22315 23, 23, 24, 24, 25, 25, 26, 26, 27, 27,
22316 28, 28, 29, 29, 64, 64
22317 ];
22318
22319 function inflate_table(type, lens, lens_index, codes, table, table_index, work, opts) {
22320 const bits = opts.bits;
22321 //here = opts.here; /* table entry for duplication */
22322
22323 let len = 0; /* a code's length in bits */
22324 let sym = 0; /* index of code symbols */
22325 let min = 0, max = 0; /* minimum and maximum code lengths */
22326 let root = 0; /* number of index bits for root table */
22327 let curr = 0; /* number of index bits for current table */
22328 let drop = 0; /* code bits to drop for sub-table */
22329 let left = 0; /* number of prefix codes available */
22330 let used = 0; /* code entries in table used */
22331 let huff = 0; /* Huffman code */
22332 let incr; /* for incrementing code, index */
22333 let fill; /* index for replicating entries */
22334 let low; /* low bits for current root entry */
22335 let next; /* next available space in table */
22336 let base = null; /* base value table to use */
22337 let base_index = 0;
22338 // var shoextra; /* extra bits table to use */
22339 let end; /* use base and extra for symbol > end */
22340 const count = new Buf16(MAXBITS + 1); //[MAXBITS+1]; /* number of codes of each length */
22341 const offs = new Buf16(MAXBITS + 1); //[MAXBITS+1]; /* offsets in table for each length */
22342 let extra = null;
22343 let extra_index = 0;
22344
22345 let here_bits, here_op, here_val;
22346
22347 /*
22348 Process a set of code lengths to create a canonical Huffman code. The
22349 code lengths are lens[0..codes-1]. Each length corresponds to the
22350 symbols 0..codes-1. The Huffman code is generated by first sorting the
22351 symbols by length from short to long, and retaining the symbol order
22352 for codes with equal lengths. Then the code starts with all zero bits
22353 for the first code of the shortest length, and the codes are integer
22354 increments for the same length, and zeros are appended as the length
22355 increases. For the deflate format, these bits are stored backwards
22356 from their more natural integer increment ordering, and so when the
22357 decoding tables are built in the large loop below, the integer codes
22358 are incremented backwards.
22359
22360 This routine assumes, but does not check, that all of the entries in
22361 lens[] are in the range 0..MAXBITS. The caller must assure this.
22362 1..MAXBITS is interpreted as that code length. zero means that that
22363 symbol does not occur in this code.
22364
22365 The codes are sorted by computing a count of codes for each length,
22366 creating from that a table of starting indices for each length in the
22367 sorted table, and then entering the symbols in order in the sorted
22368 table. The sorted table is work[], with that space being provided by
22369 the caller.
22370
22371 The length counts are used for other purposes as well, i.e. finding
22372 the minimum and maximum length codes, determining if there are any
22373 codes at all, checking for a valid set of lengths, and looking ahead
22374 at length counts to determine sub-table sizes when building the
22375 decoding tables.
22376 */
22377
22378 /* accumulate lengths for codes (assumes lens[] all in 0..MAXBITS) */
22379 for (len = 0; len <= MAXBITS; len++) {
22380 count[len] = 0;
22381 }
22382 for (sym = 0; sym < codes; sym++) {
22383 count[lens[lens_index + sym]]++;
22384 }
22385
22386 /* bound code lengths, force root to be within code lengths */
22387 root = bits;
22388 for (max = MAXBITS; max >= 1; max--) {
22389 if (count[max] !== 0) {
22390 break;
22391 }
22392 }
22393 if (root > max) {
22394 root = max;
22395 }
22396 if (max === 0) { /* no symbols to code at all */
22397 //table.op[opts.table_index] = 64; //here.op = (var char)64; /* invalid code marker */
22398 //table.bits[opts.table_index] = 1; //here.bits = (var char)1;
22399 //table.val[opts.table_index++] = 0; //here.val = (var short)0;
22400 table[table_index++] = 1 << 24 | 64 << 16 | 0;
22401
22402
22403 //table.op[opts.table_index] = 64;
22404 //table.bits[opts.table_index] = 1;
22405 //table.val[opts.table_index++] = 0;
22406 table[table_index++] = 1 << 24 | 64 << 16 | 0;
22407
22408 opts.bits = 1;
22409 return 0; /* no symbols, but wait for decoding to report error */
22410 }
22411 for (min = 1; min < max; min++) {
22412 if (count[min] !== 0) {
22413 break;
22414 }
22415 }
22416 if (root < min) {
22417 root = min;
22418 }
22419
22420 /* check for an over-subscribed or incomplete set of lengths */
22421 left = 1;
22422 for (len = 1; len <= MAXBITS; len++) {
22423 left <<= 1;
22424 left -= count[len];
22425 if (left < 0) {
22426 return -1;
22427 } /* over-subscribed */
22428 }
22429 if (left > 0 && (type === CODES || max !== 1)) {
22430 return -1; /* incomplete set */
22431 }
22432
22433 /* generate offsets into symbol table for each length for sorting */
22434 offs[1] = 0;
22435 for (len = 1; len < MAXBITS; len++) {
22436 offs[len + 1] = offs[len] + count[len];
22437 }
22438
22439 /* sort symbols by length, by symbol order within each length */
22440 for (sym = 0; sym < codes; sym++) {
22441 if (lens[lens_index + sym] !== 0) {
22442 work[offs[lens[lens_index + sym]]++] = sym;
22443 }
22444 }
22445
22446 /*
22447 Create and fill in decoding tables. In this loop, the table being
22448 filled is at next and has curr index bits. The code being used is huff
22449 with length len. That code is converted to an index by dropping drop
22450 bits off of the bottom. For codes where len is less than drop + curr,
22451 those top drop + curr - len bits are incremented through all values to
22452 fill the table with replicated entries.
22453
22454 root is the number of index bits for the root table. When len exceeds
22455 root, sub-tables are created pointed to by the root entry with an index
22456 of the low root bits of huff. This is saved in low to check for when a
22457 new sub-table should be started. drop is zero when the root table is
22458 being filled, and drop is root when sub-tables are being filled.
22459
22460 When a new sub-table is needed, it is necessary to look ahead in the
22461 code lengths to determine what size sub-table is needed. The length
22462 counts are used for this, and so count[] is decremented as codes are
22463 entered in the tables.
22464
22465 used keeps track of how many table entries have been allocated from the
22466 provided *table space. It is checked for LENS and DIST tables against
22467 the constants ENOUGH_LENS and ENOUGH_DISTS to guard against changes in
22468 the initial root table size constants. See the comments in inftrees.h
22469 for more information.
22470
22471 sym increments through all symbols, and the loop terminates when
22472 all codes of length max, i.e. all codes, have been processed. This
22473 routine permits incomplete codes, so another loop after this one fills
22474 in the rest of the decoding tables with invalid code markers.
22475 */
22476
22477 /* set up for code type */
22478 // poor man optimization - use if-else instead of switch,
22479 // to avoid deopts in old v8
22480 if (type === CODES) {
22481 base = extra = work; /* dummy value--not used */
22482 end = 19;
22483
22484 } else if (type === LENS) {
22485 base = lbase;
22486 base_index -= 257;
22487 extra = lext;
22488 extra_index -= 257;
22489 end = 256;
22490
22491 } else { /* DISTS */
22492 base = dbase;
22493 extra = dext;
22494 end = -1;
22495 }
22496
22497 /* initialize opts for loop */
22498 huff = 0; /* starting code */
22499 sym = 0; /* starting code symbol */
22500 len = min; /* starting code length */
22501 next = table_index; /* current table to fill in */
22502 curr = root; /* current table index bits */
22503 drop = 0; /* current bits to drop from code for index */
22504 low = -1; /* trigger new sub-table when len > root */
22505 used = 1 << root; /* use root table entries */
22506 const mask = used - 1; /* mask for comparing low */
22507
22508 /* check available table space */
22509 if (type === LENS && used > ENOUGH_LENS ||
22510 type === DISTS && used > ENOUGH_DISTS) {
22511 return 1;
22512 }
22513
22514 /* process all codes and make table entries */
22515 for (;;) {
22516 /* create table entry */
22517 here_bits = len - drop;
22518 if (work[sym] < end) {
22519 here_op = 0;
22520 here_val = work[sym];
22521 } else if (work[sym] > end) {
22522 here_op = extra[extra_index + work[sym]];
22523 here_val = base[base_index + work[sym]];
22524 } else {
22525 here_op = 32 + 64; /* end of block */
22526 here_val = 0;
22527 }
22528
22529 /* replicate for those indices with low len bits equal to huff */
22530 incr = 1 << len - drop;
22531 fill = 1 << curr;
22532 min = fill; /* save offset to next table */
22533 do {
22534 fill -= incr;
22535 table[next + (huff >> drop) + fill] = here_bits << 24 | here_op << 16 | here_val |0;
22536 } while (fill !== 0);
22537
22538 /* backwards increment the len-bit code huff */
22539 incr = 1 << len - 1;
22540 while (huff & incr) {
22541 incr >>= 1;
22542 }
22543 if (incr !== 0) {
22544 huff &= incr - 1;
22545 huff += incr;
22546 } else {
22547 huff = 0;
22548 }
22549
22550 /* go to next symbol, update count, len */
22551 sym++;
22552 if (--count[len] === 0) {
22553 if (len === max) {
22554 break;
22555 }
22556 len = lens[lens_index + work[sym]];
22557 }
22558
22559 /* create new sub-table if needed */
22560 if (len > root && (huff & mask) !== low) {
22561 /* if first time, transition to sub-tables */
22562 if (drop === 0) {
22563 drop = root;
22564 }
22565
22566 /* increment past last table */
22567 next += min; /* here min is 1 << curr */
22568
22569 /* determine length of next table */
22570 curr = len - drop;
22571 left = 1 << curr;
22572 while (curr + drop < max) {
22573 left -= count[curr + drop];
22574 if (left <= 0) {
22575 break;
22576 }
22577 curr++;
22578 left <<= 1;
22579 }
22580
22581 /* check for enough space */
22582 used += 1 << curr;
22583 if (type === LENS && used > ENOUGH_LENS ||
22584 type === DISTS && used > ENOUGH_DISTS) {
22585 return 1;
22586 }
22587
22588 /* point entry in root table to sub-table */
22589 low = huff & mask;
22590 /*table.op[low] = curr;
22591 table.bits[low] = root;
22592 table.val[low] = next - opts.table_index;*/
22593 table[low] = root << 24 | curr << 16 | next - table_index |0;
22594 }
22595 }
22596
22597 /* fill in remaining table entry if code is incomplete (guaranteed to have
22598 at most one remaining entry, since if the code is incomplete, the
22599 maximum code length that was allowed to get this far is one bit) */
22600 if (huff !== 0) {
22601 //table.op[next + huff] = 64; /* invalid code marker */
22602 //table.bits[next + huff] = len - drop;
22603 //table.val[next + huff] = 0;
22604 table[next + huff] = len - drop << 24 | 64 << 16 |0;
22605 }
22606
22607 /* set return parameters */
22608 //opts.table_index += used;
22609 opts.bits = root;
22610 return 0;
22611 }
22612
22613 const CODES$1 = 0;
22614 const LENS$1 = 1;
22615 const DISTS$1 = 2;
22616
22617 /* STATES ====================================================================*/
22618 /* ===========================================================================*/
22619
22620
22621 const HEAD = 1; /* i: waiting for magic header */
22622 const FLAGS = 2; /* i: waiting for method and flags (gzip) */
22623 const TIME = 3; /* i: waiting for modification time (gzip) */
22624 const OS = 4; /* i: waiting for extra flags and operating system (gzip) */
22625 const EXLEN = 5; /* i: waiting for extra length (gzip) */
22626 const EXTRA = 6; /* i: waiting for extra bytes (gzip) */
22627 const NAME = 7; /* i: waiting for end of file name (gzip) */
22628 const COMMENT = 8; /* i: waiting for end of comment (gzip) */
22629 const HCRC = 9; /* i: waiting for header crc (gzip) */
22630 const DICTID = 10; /* i: waiting for dictionary check value */
22631 const DICT = 11; /* waiting for inflateSetDictionary() call */
22632 const TYPE$1 = 12; /* i: waiting for type bits, including last-flag bit */
22633 const TYPEDO = 13; /* i: same, but skip check to exit inflate on new block */
22634 const STORED = 14; /* i: waiting for stored size (length and complement) */
22635 const COPY_ = 15; /* i/o: same as COPY below, but only first time in */
22636 const COPY = 16; /* i/o: waiting for input or output to copy stored block */
22637 const TABLE = 17; /* i: waiting for dynamic block table lengths */
22638 const LENLENS = 18; /* i: waiting for code length code lengths */
22639 const CODELENS = 19; /* i: waiting for length/lit and distance code lengths */
22640 const LEN_ = 20; /* i: same as LEN below, but only first time in */
22641 const LEN = 21; /* i: waiting for length/lit/eob code */
22642 const LENEXT = 22; /* i: waiting for length extra bits */
22643 const DIST = 23; /* i: waiting for distance code */
22644 const DISTEXT = 24; /* i: waiting for distance extra bits */
22645 const MATCH = 25; /* o: waiting for output space to copy string */
22646 const LIT = 26; /* o: waiting for output space to write literal */
22647 const CHECK = 27; /* i: waiting for 32-bit check value */
22648 const LENGTH = 28; /* i: waiting for 32-bit length (gzip) */
22649 const DONE = 29; /* finished check, done -- remain here until reset */
22650 const BAD$1 = 30; /* got a data error -- remain here until reset */
22651 //const MEM = 31; /* got an inflate() memory error -- remain here until reset */
22652 const SYNC = 32; /* looking for synchronization bytes to restart inflate() */
22653
22654 /* ===========================================================================*/
22655
22656
22657
22658 const ENOUGH_LENS$1 = 852;
22659 const ENOUGH_DISTS$1 = 592;
22660
22661
22662 function zswap32(q) {
22663 return (((q >>> 24) & 0xff) +
22664 ((q >>> 8) & 0xff00) +
22665 ((q & 0xff00) << 8) +
22666 ((q & 0xff) << 24));
22667 }
22668
22669
22670 class InflateState {
22671 constructor() {
22672 this.mode = 0; /* current inflate mode */
22673 this.last = false; /* true if processing last block */
22674 this.wrap = 0; /* bit 0 true for zlib, bit 1 true for gzip */
22675 this.havedict = false; /* true if dictionary provided */
22676 this.flags = 0; /* gzip header method and flags (0 if zlib) */
22677 this.dmax = 0; /* zlib header max distance (INFLATE_STRICT) */
22678 this.check = 0; /* protected copy of check value */
22679 this.total = 0; /* protected copy of output count */
22680 // TODO: may be {}
22681 this.head = null; /* where to save gzip header information */
22682
22683 /* sliding window */
22684 this.wbits = 0; /* log base 2 of requested window size */
22685 this.wsize = 0; /* window size or zero if not using window */
22686 this.whave = 0; /* valid bytes in the window */
22687 this.wnext = 0; /* window write index */
22688 this.window = null; /* allocated sliding window, if needed */
22689
22690 /* bit accumulator */
22691 this.hold = 0; /* input bit accumulator */
22692 this.bits = 0; /* number of bits in "in" */
22693
22694 /* for string and stored block copying */
22695 this.length = 0; /* literal or length of data to copy */
22696 this.offset = 0; /* distance back to copy string from */
22697
22698 /* for table and code decoding */
22699 this.extra = 0; /* extra bits needed */
22700
22701 /* fixed and dynamic code tables */
22702 this.lencode = null; /* starting table for length/literal codes */
22703 this.distcode = null; /* starting table for distance codes */
22704 this.lenbits = 0; /* index bits for lencode */
22705 this.distbits = 0; /* index bits for distcode */
22706
22707 /* dynamic table building */
22708 this.ncode = 0; /* number of code length code lengths */
22709 this.nlen = 0; /* number of length code lengths */
22710 this.ndist = 0; /* number of distance code lengths */
22711 this.have = 0; /* number of code lengths in lens[] */
22712 this.next = null; /* next available space in codes[] */
22713
22714 this.lens = new Buf16(320); /* temporary storage for code lengths */
22715 this.work = new Buf16(288); /* work area for code table building */
22716
22717 /*
22718 because we don't have pointers in js, we use lencode and distcode directly
22719 as buffers so we don't need codes
22720 */
22721 //this.codes = new utils.Buf32(ENOUGH); /* space for code tables */
22722 this.lendyn = null; /* dynamic table for length/literal codes (JS specific) */
22723 this.distdyn = null; /* dynamic table for distance codes (JS specific) */
22724 this.sane = 0; /* if false, allow invalid distance too far */
22725 this.back = 0; /* bits back of last unprocessed length/lit */
22726 this.was = 0; /* initial length of match */
22727 }
22728 }
22729
22730 function inflateResetKeep(strm) {
22731 let state;
22732
22733 if (!strm || !strm.state) { return Z_STREAM_ERROR; }
22734 state = strm.state;
22735 strm.total_in = strm.total_out = state.total = 0;
22736 strm.msg = ''; /*Z_NULL*/
22737 if (state.wrap) { /* to support ill-conceived Java test suite */
22738 strm.adler = state.wrap & 1;
22739 }
22740 state.mode = HEAD;
22741 state.last = 0;
22742 state.havedict = 0;
22743 state.dmax = 32768;
22744 state.head = null/*Z_NULL*/;
22745 state.hold = 0;
22746 state.bits = 0;
22747 //state.lencode = state.distcode = state.next = state.codes;
22748 state.lencode = state.lendyn = new Buf32(ENOUGH_LENS$1);
22749 state.distcode = state.distdyn = new Buf32(ENOUGH_DISTS$1);
22750
22751 state.sane = 1;
22752 state.back = -1;
22753 //Tracev((stderr, "inflate: reset\n"));
22754 return Z_OK;
22755 }
22756
22757 function inflateReset(strm) {
22758 let state;
22759
22760 if (!strm || !strm.state) { return Z_STREAM_ERROR; }
22761 state = strm.state;
22762 state.wsize = 0;
22763 state.whave = 0;
22764 state.wnext = 0;
22765 return inflateResetKeep(strm);
22766
22767 }
22768
22769 function inflateReset2(strm, windowBits) {
22770 let wrap;
22771 let state;
22772
22773 /* get the state */
22774 if (!strm || !strm.state) { return Z_STREAM_ERROR; }
22775 state = strm.state;
22776
22777 /* extract wrap request from windowBits parameter */
22778 if (windowBits < 0) {
22779 wrap = 0;
22780 windowBits = -windowBits;
22781 }
22782 else {
22783 wrap = (windowBits >> 4) + 1;
22784 if (windowBits < 48) {
22785 windowBits &= 15;
22786 }
22787 }
22788
22789 /* set number of window bits, free window if different */
22790 if (windowBits && (windowBits < 8 || windowBits > 15)) {
22791 return Z_STREAM_ERROR;
22792 }
22793 if (state.window !== null && state.wbits !== windowBits) {
22794 state.window = null;
22795 }
22796
22797 /* update state and reset the rest of it */
22798 state.wrap = wrap;
22799 state.wbits = windowBits;
22800 return inflateReset(strm);
22801 }
22802
22803 function inflateInit2(strm, windowBits) {
22804 let ret;
22805 let state;
22806
22807 if (!strm) { return Z_STREAM_ERROR; }
22808 //strm.msg = Z_NULL; /* in case we return an error */
22809
22810 state = new InflateState();
22811
22812 //if (state === Z_NULL) return Z_MEM_ERROR;
22813 //Tracev((stderr, "inflate: allocated\n"));
22814 strm.state = state;
22815 state.window = null/*Z_NULL*/;
22816 ret = inflateReset2(strm, windowBits);
22817 if (ret !== Z_OK) {
22818 strm.state = null/*Z_NULL*/;
22819 }
22820 return ret;
22821 }
22822
22823
22824 /*
22825 Return state with length and distance decoding tables and index sizes set to
22826 fixed code decoding. Normally this returns fixed tables from inffixed.h.
22827 If BUILDFIXED is defined, then instead this routine builds the tables the
22828 first time it's called, and returns those tables the first time and
22829 thereafter. This reduces the size of the code by about 2K bytes, in
22830 exchange for a little execution time. However, BUILDFIXED should not be
22831 used for threaded applications, since the rewriting of the tables and virgin
22832 may not be thread-safe.
22833 */
22834 let virgin = true;
22835
22836 let lenfix, distfix; // We have no pointers in JS, so keep tables separate
22837
22838 function fixedtables(state) {
22839 /* build fixed huffman tables if first call (may not be thread safe) */
22840 if (virgin) {
22841 let sym;
22842
22843 lenfix = new Buf32(512);
22844 distfix = new Buf32(32);
22845
22846 /* literal/length table */
22847 sym = 0;
22848 while (sym < 144) { state.lens[sym++] = 8; }
22849 while (sym < 256) { state.lens[sym++] = 9; }
22850 while (sym < 280) { state.lens[sym++] = 7; }
22851 while (sym < 288) { state.lens[sym++] = 8; }
22852
22853 inflate_table(LENS$1, state.lens, 0, 288, lenfix, 0, state.work, { bits: 9 });
22854
22855 /* distance table */
22856 sym = 0;
22857 while (sym < 32) { state.lens[sym++] = 5; }
22858
22859 inflate_table(DISTS$1, state.lens, 0, 32, distfix, 0, state.work, { bits: 5 });
22860
22861 /* do this just once */
22862 virgin = false;
22863 }
22864
22865 state.lencode = lenfix;
22866 state.lenbits = 9;
22867 state.distcode = distfix;
22868 state.distbits = 5;
22869 }
22870
22871
22872 /*
22873 Update the window with the last wsize (normally 32K) bytes written before
22874 returning. If window does not exist yet, create it. This is only called
22875 when a window is already in use, or when output has been written during this
22876 inflate call, but the end of the deflate stream has not been reached yet.
22877 It is also called to create a window for dictionary data when a dictionary
22878 is loaded.
22879
22880 Providing output buffers larger than 32K to inflate() should provide a speed
22881 advantage, since only the last 32K of output is copied to the sliding window
22882 upon return from inflate(), and since all distances after the first 32K of
22883 output will fall in the output data, making match copies simpler and faster.
22884 The advantage may be dependent on the size of the processor's data caches.
22885 */
22886 function updatewindow(strm, src, end, copy) {
22887 let dist;
22888 const state = strm.state;
22889
22890 /* if it hasn't been done already, allocate space for the window */
22891 if (state.window === null) {
22892 state.wsize = 1 << state.wbits;
22893 state.wnext = 0;
22894 state.whave = 0;
22895
22896 state.window = new Buf8(state.wsize);
22897 }
22898
22899 /* copy state->wsize or less output bytes into the circular window */
22900 if (copy >= state.wsize) {
22901 arraySet(state.window, src, end - state.wsize, state.wsize, 0);
22902 state.wnext = 0;
22903 state.whave = state.wsize;
22904 }
22905 else {
22906 dist = state.wsize - state.wnext;
22907 if (dist > copy) {
22908 dist = copy;
22909 }
22910 //zmemcpy(state->window + state->wnext, end - copy, dist);
22911 arraySet(state.window, src, end - copy, dist, state.wnext);
22912 copy -= dist;
22913 if (copy) {
22914 //zmemcpy(state->window, end - copy, copy);
22915 arraySet(state.window, src, end - copy, copy, 0);
22916 state.wnext = copy;
22917 state.whave = state.wsize;
22918 }
22919 else {
22920 state.wnext += dist;
22921 if (state.wnext === state.wsize) { state.wnext = 0; }
22922 if (state.whave < state.wsize) { state.whave += dist; }
22923 }
22924 }
22925 return 0;
22926 }
22927
22928 function inflate(strm, flush) {
22929 let state;
22930 let input, output; // input/output buffers
22931 let next; /* next input INDEX */
22932 let put; /* next output INDEX */
22933 let have, left; /* available input and output */
22934 let hold; /* bit buffer */
22935 let bits; /* bits in bit buffer */
22936 let _in, _out; /* save starting available input and output */
22937 let copy; /* number of stored or match bytes to copy */
22938 let from; /* where to copy match bytes from */
22939 let from_source;
22940 let here = 0; /* current decoding table entry */
22941 let here_bits, here_op, here_val; // paked "here" denormalized (JS specific)
22942 //var last; /* parent table entry */
22943 let last_bits, last_op, last_val; // paked "last" denormalized (JS specific)
22944 let len; /* length to copy for repeats, bits to drop */
22945 let ret; /* return code */
22946 let hbuf = new Buf8(4); /* buffer for gzip header crc calculation */
22947 let opts;
22948
22949 let n; // temporary var for NEED_BITS
22950
22951 const order = /* permutation of code lengths */
22952 [ 16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15 ];
22953
22954
22955 if (!strm || !strm.state || !strm.output ||
22956 (!strm.input && strm.avail_in !== 0)) {
22957 return Z_STREAM_ERROR;
22958 }
22959
22960 state = strm.state;
22961 if (state.mode === TYPE$1) { state.mode = TYPEDO; } /* skip check */
22962
22963
22964 //--- LOAD() ---
22965 put = strm.next_out;
22966 output = strm.output;
22967 left = strm.avail_out;
22968 next = strm.next_in;
22969 input = strm.input;
22970 have = strm.avail_in;
22971 hold = state.hold;
22972 bits = state.bits;
22973 //---
22974
22975 _in = have;
22976 _out = left;
22977 ret = Z_OK;
22978
22979 inf_leave: // goto emulation
22980 for (;;) {
22981 switch (state.mode) {
22982 case HEAD:
22983 if (state.wrap === 0) {
22984 state.mode = TYPEDO;
22985 break;
22986 }
22987 //=== NEEDBITS(16);
22988 while (bits < 16) {
22989 if (have === 0) { break inf_leave; }
22990 have--;
22991 hold += input[next++] << bits;
22992 bits += 8;
22993 }
22994 //===//
22995 if ((state.wrap & 2) && hold === 0x8b1f) { /* gzip header */
22996 state.check = 0/*crc32(0L, Z_NULL, 0)*/;
22997 //=== CRC2(state.check, hold);
22998 hbuf[0] = hold & 0xff;
22999 hbuf[1] = (hold >>> 8) & 0xff;
23000 state.check = crc32(state.check, hbuf, 2, 0);
23001 //===//
23002
23003 //=== INITBITS();
23004 hold = 0;
23005 bits = 0;
23006 //===//
23007 state.mode = FLAGS;
23008 break;
23009 }
23010 state.flags = 0; /* expect zlib header */
23011 if (state.head) {
23012 state.head.done = false;
23013 }
23014 if (!(state.wrap & 1) || /* check if zlib header allowed */
23015 (((hold & 0xff)/*BITS(8)*/ << 8) + (hold >> 8)) % 31) {
23016 strm.msg = 'incorrect header check';
23017 state.mode = BAD$1;
23018 break;
23019 }
23020 if ((hold & 0x0f)/*BITS(4)*/ !== Z_DEFLATED) {
23021 strm.msg = 'unknown compression method';
23022 state.mode = BAD$1;
23023 break;
23024 }
23025 //--- DROPBITS(4) ---//
23026 hold >>>= 4;
23027 bits -= 4;
23028 //---//
23029 len = (hold & 0x0f)/*BITS(4)*/ + 8;
23030 if (state.wbits === 0) {
23031 state.wbits = len;
23032 }
23033 else if (len > state.wbits) {
23034 strm.msg = 'invalid window size';
23035 state.mode = BAD$1;
23036 break;
23037 }
23038 state.dmax = 1 << len;
23039 //Tracev((stderr, "inflate: zlib header ok\n"));
23040 strm.adler = state.check = 1/*adler32(0L, Z_NULL, 0)*/;
23041 state.mode = hold & 0x200 ? DICTID : TYPE$1;
23042 //=== INITBITS();
23043 hold = 0;
23044 bits = 0;
23045 //===//
23046 break;
23047 case FLAGS:
23048 //=== NEEDBITS(16); */
23049 while (bits < 16) {
23050 if (have === 0) { break inf_leave; }
23051 have--;
23052 hold += input[next++] << bits;
23053 bits += 8;
23054 }
23055 //===//
23056 state.flags = hold;
23057 if ((state.flags & 0xff) !== Z_DEFLATED) {
23058 strm.msg = 'unknown compression method';
23059 state.mode = BAD$1;
23060 break;
23061 }
23062 if (state.flags & 0xe000) {
23063 strm.msg = 'unknown header flags set';
23064 state.mode = BAD$1;
23065 break;
23066 }
23067 if (state.head) {
23068 state.head.text = ((hold >> 8) & 1);
23069 }
23070 if (state.flags & 0x0200) {
23071 //=== CRC2(state.check, hold);
23072 hbuf[0] = hold & 0xff;
23073 hbuf[1] = (hold >>> 8) & 0xff;
23074 state.check = crc32(state.check, hbuf, 2, 0);
23075 //===//
23076 }
23077 //=== INITBITS();
23078 hold = 0;
23079 bits = 0;
23080 //===//
23081 state.mode = TIME;
23082 /* falls through */
23083 case TIME:
23084 //=== NEEDBITS(32); */
23085 while (bits < 32) {
23086 if (have === 0) { break inf_leave; }
23087 have--;
23088 hold += input[next++] << bits;
23089 bits += 8;
23090 }
23091 //===//
23092 if (state.head) {
23093 state.head.time = hold;
23094 }
23095 if (state.flags & 0x0200) {
23096 //=== CRC4(state.check, hold)
23097 hbuf[0] = hold & 0xff;
23098 hbuf[1] = (hold >>> 8) & 0xff;
23099 hbuf[2] = (hold >>> 16) & 0xff;
23100 hbuf[3] = (hold >>> 24) & 0xff;
23101 state.check = crc32(state.check, hbuf, 4, 0);
23102 //===
23103 }
23104 //=== INITBITS();
23105 hold = 0;
23106 bits = 0;
23107 //===//
23108 state.mode = OS;
23109 /* falls through */
23110 case OS:
23111 //=== NEEDBITS(16); */
23112 while (bits < 16) {
23113 if (have === 0) { break inf_leave; }
23114 have--;
23115 hold += input[next++] << bits;
23116 bits += 8;
23117 }
23118 //===//
23119 if (state.head) {
23120 state.head.xflags = (hold & 0xff);
23121 state.head.os = (hold >> 8);
23122 }
23123 if (state.flags & 0x0200) {
23124 //=== CRC2(state.check, hold);
23125 hbuf[0] = hold & 0xff;
23126 hbuf[1] = (hold >>> 8) & 0xff;
23127 state.check = crc32(state.check, hbuf, 2, 0);
23128 //===//
23129 }
23130 //=== INITBITS();
23131 hold = 0;
23132 bits = 0;
23133 //===//
23134 state.mode = EXLEN;
23135 /* falls through */
23136 case EXLEN:
23137 if (state.flags & 0x0400) {
23138 //=== NEEDBITS(16); */
23139 while (bits < 16) {
23140 if (have === 0) { break inf_leave; }
23141 have--;
23142 hold += input[next++] << bits;
23143 bits += 8;
23144 }
23145 //===//
23146 state.length = hold;
23147 if (state.head) {
23148 state.head.extra_len = hold;
23149 }
23150 if (state.flags & 0x0200) {
23151 //=== CRC2(state.check, hold);
23152 hbuf[0] = hold & 0xff;
23153 hbuf[1] = (hold >>> 8) & 0xff;
23154 state.check = crc32(state.check, hbuf, 2, 0);
23155 //===//
23156 }
23157 //=== INITBITS();
23158 hold = 0;
23159 bits = 0;
23160 //===//
23161 }
23162 else if (state.head) {
23163 state.head.extra = null/*Z_NULL*/;
23164 }
23165 state.mode = EXTRA;
23166 /* falls through */
23167 case EXTRA:
23168 if (state.flags & 0x0400) {
23169 copy = state.length;
23170 if (copy > have) { copy = have; }
23171 if (copy) {
23172 if (state.head) {
23173 len = state.head.extra_len - state.length;
23174 if (!state.head.extra) {
23175 // Use untyped array for more convenient processing later
23176 state.head.extra = new Array(state.head.extra_len);
23177 }
23178 arraySet(
23179 state.head.extra,
23180 input,
23181 next,
23182 // extra field is limited to 65536 bytes
23183 // - no need for additional size check
23184 copy,
23185 /*len + copy > state.head.extra_max - len ? state.head.extra_max : copy,*/
23186 len
23187 );
23188 //zmemcpy(state.head.extra + len, next,
23189 // len + copy > state.head.extra_max ?
23190 // state.head.extra_max - len : copy);
23191 }
23192 if (state.flags & 0x0200) {
23193 state.check = crc32(state.check, input, copy, next);
23194 }
23195 have -= copy;
23196 next += copy;
23197 state.length -= copy;
23198 }
23199 if (state.length) { break inf_leave; }
23200 }
23201 state.length = 0;
23202 state.mode = NAME;
23203 /* falls through */
23204 case NAME:
23205 if (state.flags & 0x0800) {
23206 if (have === 0) { break inf_leave; }
23207 copy = 0;
23208 do {
23209 // TODO: 2 or 1 bytes?
23210 len = input[next + copy++];
23211 /* use constant limit because in js we should not preallocate memory */
23212 if (state.head && len &&
23213 (state.length < 65536 /*state.head.name_max*/)) {
23214 state.head.name += String.fromCharCode(len);
23215 }
23216 } while (len && copy < have);
23217
23218 if (state.flags & 0x0200) {
23219 state.check = crc32(state.check, input, copy, next);
23220 }
23221 have -= copy;
23222 next += copy;
23223 if (len) { break inf_leave; }
23224 }
23225 else if (state.head) {
23226 state.head.name = null;
23227 }
23228 state.length = 0;
23229 state.mode = COMMENT;
23230 /* falls through */
23231 case COMMENT:
23232 if (state.flags & 0x1000) {
23233 if (have === 0) { break inf_leave; }
23234 copy = 0;
23235 do {
23236 len = input[next + copy++];
23237 /* use constant limit because in js we should not preallocate memory */
23238 if (state.head && len &&
23239 (state.length < 65536 /*state.head.comm_max*/)) {
23240 state.head.comment += String.fromCharCode(len);
23241 }
23242 } while (len && copy < have);
23243 if (state.flags & 0x0200) {
23244 state.check = crc32(state.check, input, copy, next);
23245 }
23246 have -= copy;
23247 next += copy;
23248 if (len) { break inf_leave; }
23249 }
23250 else if (state.head) {
23251 state.head.comment = null;
23252 }
23253 state.mode = HCRC;
23254 /* falls through */
23255 case HCRC:
23256 if (state.flags & 0x0200) {
23257 //=== NEEDBITS(16); */
23258 while (bits < 16) {
23259 if (have === 0) { break inf_leave; }
23260 have--;
23261 hold += input[next++] << bits;
23262 bits += 8;
23263 }
23264 //===//
23265 if (hold !== (state.check & 0xffff)) {
23266 strm.msg = 'header crc mismatch';
23267 state.mode = BAD$1;
23268 break;
23269 }
23270 //=== INITBITS();
23271 hold = 0;
23272 bits = 0;
23273 //===//
23274 }
23275 if (state.head) {
23276 state.head.hcrc = ((state.flags >> 9) & 1);
23277 state.head.done = true;
23278 }
23279 strm.adler = state.check = 0;
23280 state.mode = TYPE$1;
23281 break;
23282 case DICTID:
23283 //=== NEEDBITS(32); */
23284 while (bits < 32) {
23285 if (have === 0) { break inf_leave; }
23286 have--;
23287 hold += input[next++] << bits;
23288 bits += 8;
23289 }
23290 //===//
23291 strm.adler = state.check = zswap32(hold);
23292 //=== INITBITS();
23293 hold = 0;
23294 bits = 0;
23295 //===//
23296 state.mode = DICT;
23297 /* falls through */
23298 case DICT:
23299 if (state.havedict === 0) {
23300 //--- RESTORE() ---
23301 strm.next_out = put;
23302 strm.avail_out = left;
23303 strm.next_in = next;
23304 strm.avail_in = have;
23305 state.hold = hold;
23306 state.bits = bits;
23307 //---
23308 return Z_NEED_DICT;
23309 }
23310 strm.adler = state.check = 1/*adler32(0L, Z_NULL, 0)*/;
23311 state.mode = TYPE$1;
23312 /* falls through */
23313 case TYPE$1:
23314 if (flush === Z_BLOCK || flush === Z_TREES) { break inf_leave; }
23315 /* falls through */
23316 case TYPEDO:
23317 if (state.last) {
23318 //--- BYTEBITS() ---//
23319 hold >>>= bits & 7;
23320 bits -= bits & 7;
23321 //---//
23322 state.mode = CHECK;
23323 break;
23324 }
23325 //=== NEEDBITS(3); */
23326 while (bits < 3) {
23327 if (have === 0) { break inf_leave; }
23328 have--;
23329 hold += input[next++] << bits;
23330 bits += 8;
23331 }
23332 //===//
23333 state.last = (hold & 0x01)/*BITS(1)*/;
23334 //--- DROPBITS(1) ---//
23335 hold >>>= 1;
23336 bits -= 1;
23337 //---//
23338
23339 switch ((hold & 0x03)/*BITS(2)*/) {
23340 case 0: /* stored block */
23341 //Tracev((stderr, "inflate: stored block%s\n",
23342 // state.last ? " (last)" : ""));
23343 state.mode = STORED;
23344 break;
23345 case 1: /* fixed block */
23346 fixedtables(state);
23347 //Tracev((stderr, "inflate: fixed codes block%s\n",
23348 // state.last ? " (last)" : ""));
23349 state.mode = LEN_; /* decode codes */
23350 if (flush === Z_TREES) {
23351 //--- DROPBITS(2) ---//
23352 hold >>>= 2;
23353 bits -= 2;
23354 //---//
23355 break inf_leave;
23356 }
23357 break;
23358 case 2: /* dynamic block */
23359 //Tracev((stderr, "inflate: dynamic codes block%s\n",
23360 // state.last ? " (last)" : ""));
23361 state.mode = TABLE;
23362 break;
23363 case 3:
23364 strm.msg = 'invalid block type';
23365 state.mode = BAD$1;
23366 }
23367 //--- DROPBITS(2) ---//
23368 hold >>>= 2;
23369 bits -= 2;
23370 //---//
23371 break;
23372 case STORED:
23373 //--- BYTEBITS() ---// /* go to byte boundary */
23374 hold >>>= bits & 7;
23375 bits -= bits & 7;
23376 //---//
23377 //=== NEEDBITS(32); */
23378 while (bits < 32) {
23379 if (have === 0) { break inf_leave; }
23380 have--;
23381 hold += input[next++] << bits;
23382 bits += 8;
23383 }
23384 //===//
23385 if ((hold & 0xffff) !== ((hold >>> 16) ^ 0xffff)) {
23386 strm.msg = 'invalid stored block lengths';
23387 state.mode = BAD$1;
23388 break;
23389 }
23390 state.length = hold & 0xffff;
23391 //Tracev((stderr, "inflate: stored length %u\n",
23392 // state.length));
23393 //=== INITBITS();
23394 hold = 0;
23395 bits = 0;
23396 //===//
23397 state.mode = COPY_;
23398 if (flush === Z_TREES) { break inf_leave; }
23399 /* falls through */
23400 case COPY_:
23401 state.mode = COPY;
23402 /* falls through */
23403 case COPY:
23404 copy = state.length;
23405 if (copy) {
23406 if (copy > have) { copy = have; }
23407 if (copy > left) { copy = left; }
23408 if (copy === 0) { break inf_leave; }
23409 //--- zmemcpy(put, next, copy); ---
23410 arraySet(output, input, next, copy, put);
23411 //---//
23412 have -= copy;
23413 next += copy;
23414 left -= copy;
23415 put += copy;
23416 state.length -= copy;
23417 break;
23418 }
23419 //Tracev((stderr, "inflate: stored end\n"));
23420 state.mode = TYPE$1;
23421 break;
23422 case TABLE:
23423 //=== NEEDBITS(14); */
23424 while (bits < 14) {
23425 if (have === 0) { break inf_leave; }
23426 have--;
23427 hold += input[next++] << bits;
23428 bits += 8;
23429 }
23430 //===//
23431 state.nlen = (hold & 0x1f)/*BITS(5)*/ + 257;
23432 //--- DROPBITS(5) ---//
23433 hold >>>= 5;
23434 bits -= 5;
23435 //---//
23436 state.ndist = (hold & 0x1f)/*BITS(5)*/ + 1;
23437 //--- DROPBITS(5) ---//
23438 hold >>>= 5;
23439 bits -= 5;
23440 //---//
23441 state.ncode = (hold & 0x0f)/*BITS(4)*/ + 4;
23442 //--- DROPBITS(4) ---//
23443 hold >>>= 4;
23444 bits -= 4;
23445 //---//
23446 //#ifndef PKZIP_BUG_WORKAROUND
23447 if (state.nlen > 286 || state.ndist > 30) {
23448 strm.msg = 'too many length or distance symbols';
23449 state.mode = BAD$1;
23450 break;
23451 }
23452 //#endif
23453 //Tracev((stderr, "inflate: table sizes ok\n"));
23454 state.have = 0;
23455 state.mode = LENLENS;
23456 /* falls through */
23457 case LENLENS:
23458 while (state.have < state.ncode) {
23459 //=== NEEDBITS(3);
23460 while (bits < 3) {
23461 if (have === 0) { break inf_leave; }
23462 have--;
23463 hold += input[next++] << bits;
23464 bits += 8;
23465 }
23466 //===//
23467 state.lens[order[state.have++]] = (hold & 0x07);//BITS(3);
23468 //--- DROPBITS(3) ---//
23469 hold >>>= 3;
23470 bits -= 3;
23471 //---//
23472 }
23473 while (state.have < 19) {
23474 state.lens[order[state.have++]] = 0;
23475 }
23476 // We have separate tables & no pointers. 2 commented lines below not needed.
23477 //state.next = state.codes;
23478 //state.lencode = state.next;
23479 // Switch to use dynamic table
23480 state.lencode = state.lendyn;
23481 state.lenbits = 7;
23482
23483 opts = { bits: state.lenbits };
23484 ret = inflate_table(CODES$1, state.lens, 0, 19, state.lencode, 0, state.work, opts);
23485 state.lenbits = opts.bits;
23486
23487 if (ret) {
23488 strm.msg = 'invalid code lengths set';
23489 state.mode = BAD$1;
23490 break;
23491 }
23492 //Tracev((stderr, "inflate: code lengths ok\n"));
23493 state.have = 0;
23494 state.mode = CODELENS;
23495 /* falls through */
23496 case CODELENS:
23497 while (state.have < state.nlen + state.ndist) {
23498 for (;;) {
23499 here = state.lencode[hold & ((1 << state.lenbits) - 1)];/*BITS(state.lenbits)*/
23500 here_bits = here >>> 24;
23501 here_op = (here >>> 16) & 0xff;
23502 here_val = here & 0xffff;
23503
23504 if ((here_bits) <= bits) { break; }
23505 //--- PULLBYTE() ---//
23506 if (have === 0) { break inf_leave; }
23507 have--;
23508 hold += input[next++] << bits;
23509 bits += 8;
23510 //---//
23511 }
23512 if (here_val < 16) {
23513 //--- DROPBITS(here.bits) ---//
23514 hold >>>= here_bits;
23515 bits -= here_bits;
23516 //---//
23517 state.lens[state.have++] = here_val;
23518 }
23519 else {
23520 if (here_val === 16) {
23521 //=== NEEDBITS(here.bits + 2);
23522 n = here_bits + 2;
23523 while (bits < n) {
23524 if (have === 0) { break inf_leave; }
23525 have--;
23526 hold += input[next++] << bits;
23527 bits += 8;
23528 }
23529 //===//
23530 //--- DROPBITS(here.bits) ---//
23531 hold >>>= here_bits;
23532 bits -= here_bits;
23533 //---//
23534 if (state.have === 0) {
23535 strm.msg = 'invalid bit length repeat';
23536 state.mode = BAD$1;
23537 break;
23538 }
23539 len = state.lens[state.have - 1];
23540 copy = 3 + (hold & 0x03);//BITS(2);
23541 //--- DROPBITS(2) ---//
23542 hold >>>= 2;
23543 bits -= 2;
23544 //---//
23545 }
23546 else if (here_val === 17) {
23547 //=== NEEDBITS(here.bits + 3);
23548 n = here_bits + 3;
23549 while (bits < n) {
23550 if (have === 0) { break inf_leave; }
23551 have--;
23552 hold += input[next++] << bits;
23553 bits += 8;
23554 }
23555 //===//
23556 //--- DROPBITS(here.bits) ---//
23557 hold >>>= here_bits;
23558 bits -= here_bits;
23559 //---//
23560 len = 0;
23561 copy = 3 + (hold & 0x07);//BITS(3);
23562 //--- DROPBITS(3) ---//
23563 hold >>>= 3;
23564 bits -= 3;
23565 //---//
23566 }
23567 else {
23568 //=== NEEDBITS(here.bits + 7);
23569 n = here_bits + 7;
23570 while (bits < n) {
23571 if (have === 0) { break inf_leave; }
23572 have--;
23573 hold += input[next++] << bits;
23574 bits += 8;
23575 }
23576 //===//
23577 //--- DROPBITS(here.bits) ---//
23578 hold >>>= here_bits;
23579 bits -= here_bits;
23580 //---//
23581 len = 0;
23582 copy = 11 + (hold & 0x7f);//BITS(7);
23583 //--- DROPBITS(7) ---//
23584 hold >>>= 7;
23585 bits -= 7;
23586 //---//
23587 }
23588 if (state.have + copy > state.nlen + state.ndist) {
23589 strm.msg = 'invalid bit length repeat';
23590 state.mode = BAD$1;
23591 break;
23592 }
23593 while (copy--) {
23594 state.lens[state.have++] = len;
23595 }
23596 }
23597 }
23598
23599 /* handle error breaks in while */
23600 if (state.mode === BAD$1) { break; }
23601
23602 /* check for end-of-block code (better have one) */
23603 if (state.lens[256] === 0) {
23604 strm.msg = 'invalid code -- missing end-of-block';
23605 state.mode = BAD$1;
23606 break;
23607 }
23608
23609 /* build code tables -- note: do not change the lenbits or distbits
23610 values here (9 and 6) without reading the comments in inftrees.h
23611 concerning the ENOUGH constants, which depend on those values */
23612 state.lenbits = 9;
23613
23614 opts = { bits: state.lenbits };
23615 ret = inflate_table(LENS$1, state.lens, 0, state.nlen, state.lencode, 0, state.work, opts);
23616 // We have separate tables & no pointers. 2 commented lines below not needed.
23617 // state.next_index = opts.table_index;
23618 state.lenbits = opts.bits;
23619 // state.lencode = state.next;
23620
23621 if (ret) {
23622 strm.msg = 'invalid literal/lengths set';
23623 state.mode = BAD$1;
23624 break;
23625 }
23626
23627 state.distbits = 6;
23628 //state.distcode.copy(state.codes);
23629 // Switch to use dynamic table
23630 state.distcode = state.distdyn;
23631 opts = { bits: state.distbits };
23632 ret = inflate_table(DISTS$1, state.lens, state.nlen, state.ndist, state.distcode, 0, state.work, opts);
23633 // We have separate tables & no pointers. 2 commented lines below not needed.
23634 // state.next_index = opts.table_index;
23635 state.distbits = opts.bits;
23636 // state.distcode = state.next;
23637
23638 if (ret) {
23639 strm.msg = 'invalid distances set';
23640 state.mode = BAD$1;
23641 break;
23642 }
23643 //Tracev((stderr, 'inflate: codes ok\n'));
23644 state.mode = LEN_;
23645 if (flush === Z_TREES) { break inf_leave; }
23646 /* falls through */
23647 case LEN_:
23648 state.mode = LEN;
23649 /* falls through */
23650 case LEN:
23651 if (have >= 6 && left >= 258) {
23652 //--- RESTORE() ---
23653 strm.next_out = put;
23654 strm.avail_out = left;
23655 strm.next_in = next;
23656 strm.avail_in = have;
23657 state.hold = hold;
23658 state.bits = bits;
23659 //---
23660 inflate_fast(strm, _out);
23661 //--- LOAD() ---
23662 put = strm.next_out;
23663 output = strm.output;
23664 left = strm.avail_out;
23665 next = strm.next_in;
23666 input = strm.input;
23667 have = strm.avail_in;
23668 hold = state.hold;
23669 bits = state.bits;
23670 //---
23671
23672 if (state.mode === TYPE$1) {
23673 state.back = -1;
23674 }
23675 break;
23676 }
23677 state.back = 0;
23678 for (;;) {
23679 here = state.lencode[hold & ((1 << state.lenbits) - 1)]; /*BITS(state.lenbits)*/
23680 here_bits = here >>> 24;
23681 here_op = (here >>> 16) & 0xff;
23682 here_val = here & 0xffff;
23683
23684 if (here_bits <= bits) { break; }
23685 //--- PULLBYTE() ---//
23686 if (have === 0) { break inf_leave; }
23687 have--;
23688 hold += input[next++] << bits;
23689 bits += 8;
23690 //---//
23691 }
23692 if (here_op && (here_op & 0xf0) === 0) {
23693 last_bits = here_bits;
23694 last_op = here_op;
23695 last_val = here_val;
23696 for (;;) {
23697 here = state.lencode[last_val +
23698 ((hold & ((1 << (last_bits + last_op)) - 1))/*BITS(last.bits + last.op)*/ >> last_bits)];
23699 here_bits = here >>> 24;
23700 here_op = (here >>> 16) & 0xff;
23701 here_val = here & 0xffff;
23702
23703 if ((last_bits + here_bits) <= bits) { break; }
23704 //--- PULLBYTE() ---//
23705 if (have === 0) { break inf_leave; }
23706 have--;
23707 hold += input[next++] << bits;
23708 bits += 8;
23709 //---//
23710 }
23711 //--- DROPBITS(last.bits) ---//
23712 hold >>>= last_bits;
23713 bits -= last_bits;
23714 //---//
23715 state.back += last_bits;
23716 }
23717 //--- DROPBITS(here.bits) ---//
23718 hold >>>= here_bits;
23719 bits -= here_bits;
23720 //---//
23721 state.back += here_bits;
23722 state.length = here_val;
23723 if (here_op === 0) {
23724 //Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
23725 // "inflate: literal '%c'\n" :
23726 // "inflate: literal 0x%02x\n", here.val));
23727 state.mode = LIT;
23728 break;
23729 }
23730 if (here_op & 32) {
23731 //Tracevv((stderr, "inflate: end of block\n"));
23732 state.back = -1;
23733 state.mode = TYPE$1;
23734 break;
23735 }
23736 if (here_op & 64) {
23737 strm.msg = 'invalid literal/length code';
23738 state.mode = BAD$1;
23739 break;
23740 }
23741 state.extra = here_op & 15;
23742 state.mode = LENEXT;
23743 /* falls through */
23744 case LENEXT:
23745 if (state.extra) {
23746 //=== NEEDBITS(state.extra);
23747 n = state.extra;
23748 while (bits < n) {
23749 if (have === 0) { break inf_leave; }
23750 have--;
23751 hold += input[next++] << bits;
23752 bits += 8;
23753 }
23754 //===//
23755 state.length += hold & ((1 << state.extra) - 1)/*BITS(state.extra)*/;
23756 //--- DROPBITS(state.extra) ---//
23757 hold >>>= state.extra;
23758 bits -= state.extra;
23759 //---//
23760 state.back += state.extra;
23761 }
23762 //Tracevv((stderr, "inflate: length %u\n", state.length));
23763 state.was = state.length;
23764 state.mode = DIST;
23765 /* falls through */
23766 case DIST:
23767 for (;;) {
23768 here = state.distcode[hold & ((1 << state.distbits) - 1)];/*BITS(state.distbits)*/
23769 here_bits = here >>> 24;
23770 here_op = (here >>> 16) & 0xff;
23771 here_val = here & 0xffff;
23772
23773 if ((here_bits) <= bits) { break; }
23774 //--- PULLBYTE() ---//
23775 if (have === 0) { break inf_leave; }
23776 have--;
23777 hold += input[next++] << bits;
23778 bits += 8;
23779 //---//
23780 }
23781 if ((here_op & 0xf0) === 0) {
23782 last_bits = here_bits;
23783 last_op = here_op;
23784 last_val = here_val;
23785 for (;;) {
23786 here = state.distcode[last_val +
23787 ((hold & ((1 << (last_bits + last_op)) - 1))/*BITS(last.bits + last.op)*/ >> last_bits)];
23788 here_bits = here >>> 24;
23789 here_op = (here >>> 16) & 0xff;
23790 here_val = here & 0xffff;
23791
23792 if ((last_bits + here_bits) <= bits) { break; }
23793 //--- PULLBYTE() ---//
23794 if (have === 0) { break inf_leave; }
23795 have--;
23796 hold += input[next++] << bits;
23797 bits += 8;
23798 //---//
23799 }
23800 //--- DROPBITS(last.bits) ---//
23801 hold >>>= last_bits;
23802 bits -= last_bits;
23803 //---//
23804 state.back += last_bits;
23805 }
23806 //--- DROPBITS(here.bits) ---//
23807 hold >>>= here_bits;
23808 bits -= here_bits;
23809 //---//
23810 state.back += here_bits;
23811 if (here_op & 64) {
23812 strm.msg = 'invalid distance code';
23813 state.mode = BAD$1;
23814 break;
23815 }
23816 state.offset = here_val;
23817 state.extra = (here_op) & 15;
23818 state.mode = DISTEXT;
23819 /* falls through */
23820 case DISTEXT:
23821 if (state.extra) {
23822 //=== NEEDBITS(state.extra);
23823 n = state.extra;
23824 while (bits < n) {
23825 if (have === 0) { break inf_leave; }
23826 have--;
23827 hold += input[next++] << bits;
23828 bits += 8;
23829 }
23830 //===//
23831 state.offset += hold & ((1 << state.extra) - 1)/*BITS(state.extra)*/;
23832 //--- DROPBITS(state.extra) ---//
23833 hold >>>= state.extra;
23834 bits -= state.extra;
23835 //---//
23836 state.back += state.extra;
23837 }
23838 //#ifdef INFLATE_STRICT
23839 if (state.offset > state.dmax) {
23840 strm.msg = 'invalid distance too far back';
23841 state.mode = BAD$1;
23842 break;
23843 }
23844 //#endif
23845 //Tracevv((stderr, "inflate: distance %u\n", state.offset));
23846 state.mode = MATCH;
23847 /* falls through */
23848 case MATCH:
23849 if (left === 0) { break inf_leave; }
23850 copy = _out - left;
23851 if (state.offset > copy) { /* copy from window */
23852 copy = state.offset - copy;
23853 if (copy > state.whave) {
23854 if (state.sane) {
23855 strm.msg = 'invalid distance too far back';
23856 state.mode = BAD$1;
23857 break;
23858 }
23859 // (!) This block is disabled in zlib defaults,
23860 // don't enable it for binary compatibility
23861 //#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
23862 // Trace((stderr, "inflate.c too far\n"));
23863 // copy -= state.whave;
23864 // if (copy > state.length) { copy = state.length; }
23865 // if (copy > left) { copy = left; }
23866 // left -= copy;
23867 // state.length -= copy;
23868 // do {
23869 // output[put++] = 0;
23870 // } while (--copy);
23871 // if (state.length === 0) { state.mode = LEN; }
23872 // break;
23873 //#endif
23874 }
23875 if (copy > state.wnext) {
23876 copy -= state.wnext;
23877 from = state.wsize - copy;
23878 }
23879 else {
23880 from = state.wnext - copy;
23881 }
23882 if (copy > state.length) { copy = state.length; }
23883 from_source = state.window;
23884 }
23885 else { /* copy from output */
23886 from_source = output;
23887 from = put - state.offset;
23888 copy = state.length;
23889 }
23890 if (copy > left) { copy = left; }
23891 left -= copy;
23892 state.length -= copy;
23893 do {
23894 output[put++] = from_source[from++];
23895 } while (--copy);
23896 if (state.length === 0) { state.mode = LEN; }
23897 break;
23898 case LIT:
23899 if (left === 0) { break inf_leave; }
23900 output[put++] = state.length;
23901 left--;
23902 state.mode = LEN;
23903 break;
23904 case CHECK:
23905 if (state.wrap) {
23906 //=== NEEDBITS(32);
23907 while (bits < 32) {
23908 if (have === 0) { break inf_leave; }
23909 have--;
23910 // Use '|' instead of '+' to make sure that result is signed
23911 hold |= input[next++] << bits;
23912 bits += 8;
23913 }
23914 //===//
23915 _out -= left;
23916 strm.total_out += _out;
23917 state.total += _out;
23918 if (_out) {
23919 strm.adler = state.check =
23920 /*UPDATE(state.check, put - _out, _out);*/
23921 (state.flags ? crc32(state.check, output, _out, put - _out) : adler32(state.check, output, _out, put - _out));
23922
23923 }
23924 _out = left;
23925 // NB: crc32 stored as signed 32-bit int, zswap32 returns signed too
23926 if ((state.flags ? hold : zswap32(hold)) !== state.check) {
23927 strm.msg = 'incorrect data check';
23928 state.mode = BAD$1;
23929 break;
23930 }
23931 //=== INITBITS();
23932 hold = 0;
23933 bits = 0;
23934 //===//
23935 //Tracev((stderr, "inflate: check matches trailer\n"));
23936 }
23937 state.mode = LENGTH;
23938 /* falls through */
23939 case LENGTH:
23940 if (state.wrap && state.flags) {
23941 //=== NEEDBITS(32);
23942 while (bits < 32) {
23943 if (have === 0) { break inf_leave; }
23944 have--;
23945 hold += input[next++] << bits;
23946 bits += 8;
23947 }
23948 //===//
23949 if (hold !== (state.total & 0xffffffff)) {
23950 strm.msg = 'incorrect length check';
23951 state.mode = BAD$1;
23952 break;
23953 }
23954 //=== INITBITS();
23955 hold = 0;
23956 bits = 0;
23957 //===//
23958 //Tracev((stderr, "inflate: length matches trailer\n"));
23959 }
23960 state.mode = DONE;
23961 /* falls through */
23962 case DONE:
23963 ret = Z_STREAM_END;
23964 break inf_leave;
23965 case BAD$1:
23966 ret = Z_DATA_ERROR;
23967 break inf_leave;
23968 // case MEM:
23969 // return Z_MEM_ERROR;
23970 case SYNC:
23971 /* falls through */
23972 default:
23973 return Z_STREAM_ERROR;
23974 }
23975 }
23976
23977 // inf_leave <- here is real place for "goto inf_leave", emulated via "break inf_leave"
23978
23979 /*
23980 Return from inflate(), updating the total counts and the check value.
23981 If there was no progress during the inflate() call, return a buffer
23982 error. Call updatewindow() to create and/or update the window state.
23983 Note: a memory error from inflate() is non-recoverable.
23984 */
23985
23986 //--- RESTORE() ---
23987 strm.next_out = put;
23988 strm.avail_out = left;
23989 strm.next_in = next;
23990 strm.avail_in = have;
23991 state.hold = hold;
23992 state.bits = bits;
23993 //---
23994
23995 if (state.wsize || (_out !== strm.avail_out && state.mode < BAD$1 &&
23996 (state.mode < CHECK || flush !== Z_FINISH))) {
23997 if (updatewindow(strm, strm.output, strm.next_out, _out - strm.avail_out)) ;
23998 }
23999 _in -= strm.avail_in;
24000 _out -= strm.avail_out;
24001 strm.total_in += _in;
24002 strm.total_out += _out;
24003 state.total += _out;
24004 if (state.wrap && _out) {
24005 strm.adler = state.check = /*UPDATE(state.check, strm.next_out - _out, _out);*/
24006 (state.flags ? crc32(state.check, output, _out, strm.next_out - _out) : adler32(state.check, output, _out, strm.next_out - _out));
24007 }
24008 strm.data_type = state.bits + (state.last ? 64 : 0) +
24009 (state.mode === TYPE$1 ? 128 : 0) +
24010 (state.mode === LEN_ || state.mode === COPY_ ? 256 : 0);
24011 if (((_in === 0 && _out === 0) || flush === Z_FINISH) && ret === Z_OK) {
24012 ret = Z_BUF_ERROR;
24013 }
24014 return ret;
24015 }
24016
24017 function inflateEnd(strm) {
24018
24019 if (!strm || !strm.state /*|| strm->zfree == (free_func)0*/) {
24020 return Z_STREAM_ERROR;
24021 }
24022
24023 const state = strm.state;
24024 if (state.window) {
24025 state.window = null;
24026 }
24027 strm.state = null;
24028 return Z_OK;
24029 }
24030
24031 function inflateGetHeader(strm, head) {
24032 let state;
24033
24034 /* check state */
24035 if (!strm || !strm.state) { return Z_STREAM_ERROR; }
24036 state = strm.state;
24037 if ((state.wrap & 2) === 0) { return Z_STREAM_ERROR; }
24038
24039 /* save header structure */
24040 state.head = head;
24041 head.done = false;
24042 return Z_OK;
24043 }
24044
24045 function inflateSetDictionary(strm, dictionary) {
24046 const dictLength = dictionary.length;
24047
24048 let state;
24049 let dictid;
24050
24051 /* check state */
24052 if (!strm /* == Z_NULL */ || !strm.state /* == Z_NULL */) { return Z_STREAM_ERROR; }
24053 state = strm.state;
24054
24055 if (state.wrap !== 0 && state.mode !== DICT) {
24056 return Z_STREAM_ERROR;
24057 }
24058
24059 /* check for correct dictionary identifier */
24060 if (state.mode === DICT) {
24061 dictid = 1; /* adler32(0, null, 0)*/
24062 /* dictid = adler32(dictid, dictionary, dictLength); */
24063 dictid = adler32(dictid, dictionary, dictLength, 0);
24064 if (dictid !== state.check) {
24065 return Z_DATA_ERROR;
24066 }
24067 }
24068 /* copy dictionary to window using updatewindow(), which will amend the
24069 existing dictionary if appropriate */
24070 updatewindow(strm, dictionary, dictLength, dictLength);
24071 // if (ret) {
24072 // state.mode = MEM;
24073 // return Z_MEM_ERROR;
24074 // }
24075 state.havedict = 1;
24076 // Tracev((stderr, "inflate: dictionary set\n"));
24077 return Z_OK;
24078 }
24079
24080 /* Not implemented
24081 exports.inflateCopy = inflateCopy;
24082 exports.inflateGetDictionary = inflateGetDictionary;
24083 exports.inflateMark = inflateMark;
24084 exports.inflatePrime = inflatePrime;
24085 exports.inflateSync = inflateSync;
24086 exports.inflateSyncPoint = inflateSyncPoint;
24087 exports.inflateUndermine = inflateUndermine;
24088 */
24089
24090 // (C) 1995-2013 Jean-loup Gailly and Mark Adler
24091 // (C) 2014-2017 Vitaly Puzrin and Andrey Tupitsin
24092 //
24093 // This software is provided 'as-is', without any express or implied
24094 // warranty. In no event will the authors be held liable for any damages
24095 // arising from the use of this software.
24096 //
24097 // Permission is granted to anyone to use this software for any purpose,
24098 // including commercial applications, and to alter it and redistribute it
24099 // freely, subject to the following restrictions:
24100 //
24101 // 1. The origin of this software must not be misrepresented; you must not
24102 // claim that you wrote the original software. If you use this software
24103 // in a product, an acknowledgment in the product documentation would be
24104 // appreciated but is not required.
24105 // 2. Altered source versions must be plainly marked as such, and must not be
24106 // misrepresented as being the original software.
24107 // 3. This notice may not be removed or altered from any source distribution.
24108
24109 class GZheader {
24110 constructor() {
24111 /* true if compressed data believed to be text */
24112 this.text = 0;
24113 /* modification time */
24114 this.time = 0;
24115 /* extra flags (not used when writing a gzip file) */
24116 this.xflags = 0;
24117 /* operating system */
24118 this.os = 0;
24119 /* pointer to extra field or Z_NULL if none */
24120 this.extra = null;
24121 /* extra field length (valid if extra != Z_NULL) */
24122 this.extra_len = 0; // Actually, we don't need it in JS,
24123 // but leave for few code modifications
24124
24125 //
24126 // Setup limits is not necessary because in js we should not preallocate memory
24127 // for inflate use constant limit in 65536 bytes
24128 //
24129
24130 /* space at extra (only when reading header) */
24131 // this.extra_max = 0;
24132 /* pointer to zero-terminated file name or Z_NULL */
24133 this.name = '';
24134 /* space at name (only when reading header) */
24135 // this.name_max = 0;
24136 /* pointer to zero-terminated comment or Z_NULL */
24137 this.comment = '';
24138 /* space at comment (only when reading header) */
24139 // this.comm_max = 0;
24140 /* true if there was or will be a header crc */
24141 this.hcrc = 0;
24142 /* true when done reading gzip header (not used when writing a gzip file) */
24143 this.done = false;
24144 }
24145 }
24146
24147 /**
24148 * class Inflate
24149 *
24150 * Generic JS-style wrapper for zlib calls. If you don't need
24151 * streaming behaviour - use more simple functions: [[inflate]]
24152 * and [[inflateRaw]].
24153 **/
24154
24155 /* internal
24156 * inflate.chunks -> Array
24157 *
24158 * Chunks of output data, if [[Inflate#onData]] not overridden.
24159 **/
24160
24161 /**
24162 * Inflate.result -> Uint8Array|Array|String
24163 *
24164 * Uncompressed result, generated by default [[Inflate#onData]]
24165 * and [[Inflate#onEnd]] handlers. Filled after you push last chunk
24166 * (call [[Inflate#push]] with `Z_FINISH` / `true` param) or if you
24167 * push a chunk with explicit flush (call [[Inflate#push]] with
24168 * `Z_SYNC_FLUSH` param).
24169 **/
24170
24171 /**
24172 * Inflate.err -> Number
24173 *
24174 * Error code after inflate finished. 0 (Z_OK) on success.
24175 * Should be checked if broken data possible.
24176 **/
24177
24178 /**
24179 * Inflate.msg -> String
24180 *
24181 * Error message, if [[Inflate.err]] != 0
24182 **/
24183
24184
24185 /**
24186 * new Inflate(options)
24187 * - options (Object): zlib inflate options.
24188 *
24189 * Creates new inflator instance with specified params. Throws exception
24190 * on bad params. Supported options:
24191 *
24192 * - `windowBits`
24193 * - `dictionary`
24194 *
24195 * [http://zlib.net/manual.html#Advanced](http://zlib.net/manual.html#Advanced)
24196 * for more information on these.
24197 *
24198 * Additional options, for internal needs:
24199 *
24200 * - `chunkSize` - size of generated data chunks (16K by default)
24201 * - `raw` (Boolean) - do raw inflate
24202 * - `to` (String) - if equal to 'string', then result will be converted
24203 * from utf8 to utf16 (javascript) string. When string output requested,
24204 * chunk length can differ from `chunkSize`, depending on content.
24205 *
24206 * By default, when no options set, autodetect deflate/gzip data format via
24207 * wrapper header.
24208 *
24209 * ##### Example:
24210 *
24211 * ```javascript
24212 * var pako = void('pako')
24213 * , chunk1 = Uint8Array([1,2,3,4,5,6,7,8,9])
24214 * , chunk2 = Uint8Array([10,11,12,13,14,15,16,17,18,19]);
24215 *
24216 * var inflate = new pako.Inflate({ level: 3});
24217 *
24218 * inflate.push(chunk1, false);
24219 * inflate.push(chunk2, true); // true -> last chunk
24220 *
24221 * if (inflate.err) { throw new Error(inflate.err); }
24222 *
24223 * console.log(inflate.result);
24224 * ```
24225 **/
24226 class Inflate {
24227 constructor(options) {
24228 this.options = {
24229 chunkSize: 16384,
24230 windowBits: 0,
24231 ...(options || {})
24232 };
24233
24234 const opt = this.options;
24235
24236 // Force window size for `raw` data, if not set directly,
24237 // because we have no header for autodetect.
24238 if (opt.raw && (opt.windowBits >= 0) && (opt.windowBits < 16)) {
24239 opt.windowBits = -opt.windowBits;
24240 if (opt.windowBits === 0) { opt.windowBits = -15; }
24241 }
24242
24243 // If `windowBits` not defined (and mode not raw) - set autodetect flag for gzip/deflate
24244 if ((opt.windowBits >= 0) && (opt.windowBits < 16) &&
24245 !(options && options.windowBits)) {
24246 opt.windowBits += 32;
24247 }
24248
24249 // Gzip header has no info about windows size, we can do autodetect only
24250 // for deflate. So, if window size not set, force it to max when gzip possible
24251 if ((opt.windowBits > 15) && (opt.windowBits < 48)) {
24252 // bit 3 (16) -> gzipped data
24253 // bit 4 (32) -> autodetect gzip/deflate
24254 if ((opt.windowBits & 15) === 0) {
24255 opt.windowBits |= 15;
24256 }
24257 }
24258
24259 this.err = 0; // error code, if happens (0 = Z_OK)
24260 this.msg = ''; // error message
24261 this.ended = false; // used to avoid multiple onEnd() calls
24262 this.chunks = []; // chunks of compressed data
24263
24264 this.strm = new ZStream();
24265 this.strm.avail_out = 0;
24266
24267 let status = inflateInit2(
24268 this.strm,
24269 opt.windowBits
24270 );
24271
24272 if (status !== Z_OK) {
24273 throw new Error(msg[status]);
24274 }
24275
24276 this.header = new GZheader();
24277
24278 inflateGetHeader(this.strm, this.header);
24279
24280 // Setup dictionary
24281 if (opt.dictionary) {
24282 // Convert data if needed
24283 if (typeof opt.dictionary === 'string') {
24284 opt.dictionary = string2buf(opt.dictionary);
24285 } else if (opt.dictionary instanceof ArrayBuffer) {
24286 opt.dictionary = new Uint8Array(opt.dictionary);
24287 }
24288 if (opt.raw) { //In raw mode we need to set the dictionary early
24289 status = inflateSetDictionary(this.strm, opt.dictionary);
24290 if (status !== Z_OK) {
24291 throw new Error(msg[status]);
24292 }
24293 }
24294 }
24295 }
24296 /**
24297 * Inflate#push(data[, mode]) -> Boolean
24298 * - data (Uint8Array|Array|ArrayBuffer|String): input data
24299 * - mode (Number|Boolean): 0..6 for corresponding Z_NO_FLUSH..Z_TREE modes.
24300 * See constants. Skipped or `false` means Z_NO_FLUSH, `true` means Z_FINISH.
24301 *
24302 * Sends input data to inflate pipe, generating [[Inflate#onData]] calls with
24303 * new output chunks. Returns `true` on success. The last data block must have
24304 * mode Z_FINISH (or `true`). That will flush internal pending buffers and call
24305 * [[Inflate#onEnd]]. For interim explicit flushes (without ending the stream) you
24306 * can use mode Z_SYNC_FLUSH, keeping the decompression context.
24307 *
24308 * On fail call [[Inflate#onEnd]] with error code and return false.
24309 *
24310 * We strongly recommend to use `Uint8Array` on input for best speed (output
24311 * format is detected automatically). Also, don't skip last param and always
24312 * use the same type in your code (boolean or number). That will improve JS speed.
24313 *
24314 * For regular `Array`-s make sure all elements are [0..255].
24315 *
24316 * ##### Example
24317 *
24318 * ```javascript
24319 * push(chunk, false); // push one of data chunks
24320 * ...
24321 * push(chunk, true); // push last chunk
24322 * ```
24323 **/
24324 push(data, mode) {
24325 const { strm, options: { chunkSize, dictionary } } = this;
24326 let status, _mode;
24327
24328 // Flag to properly process Z_BUF_ERROR on testing inflate call
24329 // when we check that all output data was flushed.
24330 let allowBufError = false;
24331
24332 if (this.ended) { return false; }
24333 _mode = (mode === ~~mode) ? mode : ((mode === true) ? Z_FINISH : Z_NO_FLUSH);
24334
24335 // Convert data if needed
24336 if (typeof data === 'string') {
24337 // Only binary strings can be decompressed on practice
24338 strm.input = binstring2buf(data);
24339 } else if (data instanceof ArrayBuffer) {
24340 strm.input = new Uint8Array(data);
24341 } else {
24342 strm.input = data;
24343 }
24344
24345 strm.next_in = 0;
24346 strm.avail_in = strm.input.length;
24347
24348 do {
24349 if (strm.avail_out === 0) {
24350 strm.output = new Buf8(chunkSize);
24351 strm.next_out = 0;
24352 strm.avail_out = chunkSize;
24353 }
24354
24355 status = inflate(strm, Z_NO_FLUSH); /* no bad return value */
24356
24357 if (status === Z_NEED_DICT && dictionary) {
24358 status = inflateSetDictionary(this.strm, dictionary);
24359 }
24360
24361 if (status === Z_BUF_ERROR && allowBufError === true) {
24362 status = Z_OK;
24363 allowBufError = false;
24364 }
24365
24366 if (status !== Z_STREAM_END && status !== Z_OK) {
24367 this.onEnd(status);
24368 this.ended = true;
24369 return false;
24370 }
24371
24372 if (strm.next_out) {
24373 if (strm.avail_out === 0 || status === Z_STREAM_END || (strm.avail_in === 0 && (_mode === Z_FINISH || _mode === Z_SYNC_FLUSH))) {
24374 this.onData(shrinkBuf(strm.output, strm.next_out));
24375 }
24376 }
24377
24378 // When no more input data, we should check that internal inflate buffers
24379 // are flushed. The only way to do it when avail_out = 0 - run one more
24380 // inflate pass. But if output data not exists, inflate return Z_BUF_ERROR.
24381 // Here we set flag to process this error properly.
24382 //
24383 // NOTE. Deflate does not return error in this case and does not needs such
24384 // logic.
24385 if (strm.avail_in === 0 && strm.avail_out === 0) {
24386 allowBufError = true;
24387 }
24388
24389 } while ((strm.avail_in > 0 || strm.avail_out === 0) && status !== Z_STREAM_END);
24390
24391 if (status === Z_STREAM_END) {
24392 _mode = Z_FINISH;
24393 }
24394
24395 // Finalize on the last chunk.
24396 if (_mode === Z_FINISH) {
24397 status = inflateEnd(this.strm);
24398 this.onEnd(status);
24399 this.ended = true;
24400 return status === Z_OK;
24401 }
24402
24403 // callback interim results if Z_SYNC_FLUSH.
24404 if (_mode === Z_SYNC_FLUSH) {
24405 this.onEnd(Z_OK);
24406 strm.avail_out = 0;
24407 return true;
24408 }
24409
24410 return true;
24411 };
24412
24413 /**
24414 * Inflate#onData(chunk) -> Void
24415 * - chunk (Uint8Array|Array|String): output data. Type of array depends
24416 * on js engine support. When string output requested, each chunk
24417 * will be string.
24418 *
24419 * By default, stores data blocks in `chunks[]` property and glue
24420 * those in `onEnd`. Override this handler, if you need another behaviour.
24421 **/
24422 onData(chunk) {
24423 this.chunks.push(chunk);
24424 };
24425
24426
24427
24428 /**
24429 * Inflate#onEnd(status) -> Void
24430 * - status (Number): inflate status. 0 (Z_OK) on success,
24431 * other if not.
24432 *
24433 * Called either after you tell inflate that the input stream is
24434 * complete (Z_FINISH) or should be flushed (Z_SYNC_FLUSH)
24435 * or if an error happened. By default - join collected chunks,
24436 * free memory and fill `results` / `err` properties.
24437 **/
24438 onEnd(status) {
24439 // On success - join
24440 if (status === Z_OK) {
24441 this.result = flattenChunks(this.chunks);
24442 }
24443 this.chunks = [];
24444 this.err = status;
24445 this.msg = this.strm.msg;
24446 };
24447 }
24448
24449 /*
24450 node-bzip - a pure-javascript Node.JS module for decoding bzip2 data
24451
24452 Copyright (C) 2012 Eli Skeggs
24453
24454 This library is free software; you can redistribute it and/or
24455 modify it under the terms of the GNU Lesser General Public
24456 License as published by the Free Software Foundation; either
24457 version 2.1 of the License, or (at your option) any later version.
24458
24459 This library is distributed in the hope that it will be useful,
24460 but WITHOUT ANY WARRANTY; without even the implied warranty of
24461 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
24462 Lesser General Public License for more details.
24463
24464 You should have received a copy of the GNU Lesser General Public
24465 License along with this library; if not, see
24466 http://www.gnu.org/licenses/lgpl-2.1.html
24467
24468 Adapted from bzip2.js, copyright 2011 antimatter15 (antimatter15@gmail.com).
24469
24470 Based on micro-bunzip by Rob Landley (rob@landley.net).
24471
24472 Based on bzip2 decompression code by Julian R Seward (jseward@acm.org),
24473 which also acknowledges contributions by Mike Burrows, David Wheeler,
24474 Peter Fenwick, Alistair Moffat, Radford Neal, Ian H. Witten,
24475 Robert Sedgewick, and Jon L. Bentley.
24476 */
24477
24478 var BITMASK = [0x00, 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3F, 0x7F, 0xFF];
24479
24480 // offset in bytes
24481 var BitReader = function(stream) {
24482 this.stream = stream;
24483 this.bitOffset = 0;
24484 this.curByte = 0;
24485 this.hasByte = false;
24486 };
24487
24488 BitReader.prototype._ensureByte = function() {
24489 if (!this.hasByte) {
24490 this.curByte = this.stream.readByte();
24491 this.hasByte = true;
24492 }
24493 };
24494
24495 // reads bits from the buffer
24496 BitReader.prototype.read = function(bits) {
24497 var result = 0;
24498 while (bits > 0) {
24499 this._ensureByte();
24500 var remaining = 8 - this.bitOffset;
24501 // if we're in a byte
24502 if (bits >= remaining) {
24503 result <<= remaining;
24504 result |= BITMASK[remaining] & this.curByte;
24505 this.hasByte = false;
24506 this.bitOffset = 0;
24507 bits -= remaining;
24508 } else {
24509 result <<= bits;
24510 var shift = remaining - bits;
24511 result |= (this.curByte & (BITMASK[bits] << shift)) >> shift;
24512 this.bitOffset += bits;
24513 bits = 0;
24514 }
24515 }
24516 return result;
24517 };
24518
24519 // seek to an arbitrary point in the buffer (expressed in bits)
24520 BitReader.prototype.seek = function(pos) {
24521 var n_bit = pos % 8;
24522 var n_byte = (pos - n_bit) / 8;
24523 this.bitOffset = n_bit;
24524 this.stream.seek(n_byte);
24525 this.hasByte = false;
24526 };
24527
24528 // reads 6 bytes worth of data using the read method
24529 BitReader.prototype.pi = function() {
24530 var buf = new Uint8Array(6), i;
24531 for (i = 0; i < buf.length; i++) {
24532 buf[i] = this.read(8);
24533 }
24534 return bufToHex(buf);
24535 };
24536
24537 function bufToHex(buf) {
24538 return Array.prototype.map.call(buf, x => ('00' + x.toString(16)).slice(-2)).join('');
24539 }
24540
24541 var bitreader = BitReader;
24542
24543 /* very simple input/output stream interface */
24544 var Stream = function() {
24545 };
24546
24547 // input streams //////////////
24548 /** Returns the next byte, or -1 for EOF. */
24549 Stream.prototype.readByte = function() {
24550 throw new Error("abstract method readByte() not implemented");
24551 };
24552 /** Attempts to fill the buffer; returns number of bytes read, or
24553 * -1 for EOF. */
24554 Stream.prototype.read = function(buffer, bufOffset, length) {
24555 var bytesRead = 0;
24556 while (bytesRead < length) {
24557 var c = this.readByte();
24558 if (c < 0) { // EOF
24559 return (bytesRead===0) ? -1 : bytesRead;
24560 }
24561 buffer[bufOffset++] = c;
24562 bytesRead++;
24563 }
24564 return bytesRead;
24565 };
24566 Stream.prototype.seek = function(new_pos) {
24567 throw new Error("abstract method seek() not implemented");
24568 };
24569
24570 // output streams ///////////
24571 Stream.prototype.writeByte = function(_byte) {
24572 throw new Error("abstract method readByte() not implemented");
24573 };
24574 Stream.prototype.write = function(buffer, bufOffset, length) {
24575 var i;
24576 for (i=0; i<length; i++) {
24577 this.writeByte(buffer[bufOffset++]);
24578 }
24579 return length;
24580 };
24581 Stream.prototype.flush = function() {
24582 };
24583
24584 var stream$1 = Stream;
24585
24586 /* CRC32, used in Bzip2 implementation.
24587 * This is a port of CRC32.java from the jbzip2 implementation at
24588 * https://code.google.com/p/jbzip2
24589 * which is:
24590 * Copyright (c) 2011 Matthew Francis
24591 *
24592 * Permission is hereby granted, free of charge, to any person
24593 * obtaining a copy of this software and associated documentation
24594 * files (the "Software"), to deal in the Software without
24595 * restriction, including without limitation the rights to use,
24596 * copy, modify, merge, publish, distribute, sublicense, and/or sell
24597 * copies of the Software, and to permit persons to whom the
24598 * Software is furnished to do so, subject to the following
24599 * conditions:
24600 *
24601 * The above copyright notice and this permission notice shall be
24602 * included in all copies or substantial portions of the Software.
24603 *
24604 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
24605 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
24606 * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
24607 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
24608 * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
24609 * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
24610 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
24611 * OTHER DEALINGS IN THE SOFTWARE.
24612 * This JavaScript implementation is:
24613 * Copyright (c) 2013 C. Scott Ananian
24614 * with the same licensing terms as Matthew Francis' original implementation.
24615 */
24616 var crc32$1 = (function() {
24617
24618 /**
24619 * A static CRC lookup table
24620 */
24621 var crc32Lookup = new Uint32Array([
24622 0x00000000, 0x04c11db7, 0x09823b6e, 0x0d4326d9, 0x130476dc, 0x17c56b6b, 0x1a864db2, 0x1e475005,
24623 0x2608edb8, 0x22c9f00f, 0x2f8ad6d6, 0x2b4bcb61, 0x350c9b64, 0x31cd86d3, 0x3c8ea00a, 0x384fbdbd,
24624 0x4c11db70, 0x48d0c6c7, 0x4593e01e, 0x4152fda9, 0x5f15adac, 0x5bd4b01b, 0x569796c2, 0x52568b75,
24625 0x6a1936c8, 0x6ed82b7f, 0x639b0da6, 0x675a1011, 0x791d4014, 0x7ddc5da3, 0x709f7b7a, 0x745e66cd,
24626 0x9823b6e0, 0x9ce2ab57, 0x91a18d8e, 0x95609039, 0x8b27c03c, 0x8fe6dd8b, 0x82a5fb52, 0x8664e6e5,
24627 0xbe2b5b58, 0xbaea46ef, 0xb7a96036, 0xb3687d81, 0xad2f2d84, 0xa9ee3033, 0xa4ad16ea, 0xa06c0b5d,
24628 0xd4326d90, 0xd0f37027, 0xddb056fe, 0xd9714b49, 0xc7361b4c, 0xc3f706fb, 0xceb42022, 0xca753d95,
24629 0xf23a8028, 0xf6fb9d9f, 0xfbb8bb46, 0xff79a6f1, 0xe13ef6f4, 0xe5ffeb43, 0xe8bccd9a, 0xec7dd02d,
24630 0x34867077, 0x30476dc0, 0x3d044b19, 0x39c556ae, 0x278206ab, 0x23431b1c, 0x2e003dc5, 0x2ac12072,
24631 0x128e9dcf, 0x164f8078, 0x1b0ca6a1, 0x1fcdbb16, 0x018aeb13, 0x054bf6a4, 0x0808d07d, 0x0cc9cdca,
24632 0x7897ab07, 0x7c56b6b0, 0x71159069, 0x75d48dde, 0x6b93dddb, 0x6f52c06c, 0x6211e6b5, 0x66d0fb02,
24633 0x5e9f46bf, 0x5a5e5b08, 0x571d7dd1, 0x53dc6066, 0x4d9b3063, 0x495a2dd4, 0x44190b0d, 0x40d816ba,
24634 0xaca5c697, 0xa864db20, 0xa527fdf9, 0xa1e6e04e, 0xbfa1b04b, 0xbb60adfc, 0xb6238b25, 0xb2e29692,
24635 0x8aad2b2f, 0x8e6c3698, 0x832f1041, 0x87ee0df6, 0x99a95df3, 0x9d684044, 0x902b669d, 0x94ea7b2a,
24636 0xe0b41de7, 0xe4750050, 0xe9362689, 0xedf73b3e, 0xf3b06b3b, 0xf771768c, 0xfa325055, 0xfef34de2,
24637 0xc6bcf05f, 0xc27dede8, 0xcf3ecb31, 0xcbffd686, 0xd5b88683, 0xd1799b34, 0xdc3abded, 0xd8fba05a,
24638 0x690ce0ee, 0x6dcdfd59, 0x608edb80, 0x644fc637, 0x7a089632, 0x7ec98b85, 0x738aad5c, 0x774bb0eb,
24639 0x4f040d56, 0x4bc510e1, 0x46863638, 0x42472b8f, 0x5c007b8a, 0x58c1663d, 0x558240e4, 0x51435d53,
24640 0x251d3b9e, 0x21dc2629, 0x2c9f00f0, 0x285e1d47, 0x36194d42, 0x32d850f5, 0x3f9b762c, 0x3b5a6b9b,
24641 0x0315d626, 0x07d4cb91, 0x0a97ed48, 0x0e56f0ff, 0x1011a0fa, 0x14d0bd4d, 0x19939b94, 0x1d528623,
24642 0xf12f560e, 0xf5ee4bb9, 0xf8ad6d60, 0xfc6c70d7, 0xe22b20d2, 0xe6ea3d65, 0xeba91bbc, 0xef68060b,
24643 0xd727bbb6, 0xd3e6a601, 0xdea580d8, 0xda649d6f, 0xc423cd6a, 0xc0e2d0dd, 0xcda1f604, 0xc960ebb3,
24644 0xbd3e8d7e, 0xb9ff90c9, 0xb4bcb610, 0xb07daba7, 0xae3afba2, 0xaafbe615, 0xa7b8c0cc, 0xa379dd7b,
24645 0x9b3660c6, 0x9ff77d71, 0x92b45ba8, 0x9675461f, 0x8832161a, 0x8cf30bad, 0x81b02d74, 0x857130c3,
24646 0x5d8a9099, 0x594b8d2e, 0x5408abf7, 0x50c9b640, 0x4e8ee645, 0x4a4ffbf2, 0x470cdd2b, 0x43cdc09c,
24647 0x7b827d21, 0x7f436096, 0x7200464f, 0x76c15bf8, 0x68860bfd, 0x6c47164a, 0x61043093, 0x65c52d24,
24648 0x119b4be9, 0x155a565e, 0x18197087, 0x1cd86d30, 0x029f3d35, 0x065e2082, 0x0b1d065b, 0x0fdc1bec,
24649 0x3793a651, 0x3352bbe6, 0x3e119d3f, 0x3ad08088, 0x2497d08d, 0x2056cd3a, 0x2d15ebe3, 0x29d4f654,
24650 0xc5a92679, 0xc1683bce, 0xcc2b1d17, 0xc8ea00a0, 0xd6ad50a5, 0xd26c4d12, 0xdf2f6bcb, 0xdbee767c,
24651 0xe3a1cbc1, 0xe760d676, 0xea23f0af, 0xeee2ed18, 0xf0a5bd1d, 0xf464a0aa, 0xf9278673, 0xfde69bc4,
24652 0x89b8fd09, 0x8d79e0be, 0x803ac667, 0x84fbdbd0, 0x9abc8bd5, 0x9e7d9662, 0x933eb0bb, 0x97ffad0c,
24653 0xafb010b1, 0xab710d06, 0xa6322bdf, 0xa2f33668, 0xbcb4666d, 0xb8757bda, 0xb5365d03, 0xb1f740b4
24654 ]);
24655
24656 var CRC32 = function() {
24657 /**
24658 * The current CRC
24659 */
24660 var crc = 0xffffffff;
24661
24662 /**
24663 * @return The current CRC
24664 */
24665 this.getCRC = function() {
24666 return (~crc) >>> 0; // return an unsigned value
24667 };
24668
24669 /**
24670 * Update the CRC with a single byte
24671 * @param value The value to update the CRC with
24672 */
24673 this.updateCRC = function(value) {
24674 crc = (crc << 8) ^ crc32Lookup[((crc >>> 24) ^ value) & 0xff];
24675 };
24676
24677 /**
24678 * Update the CRC with a sequence of identical bytes
24679 * @param value The value to update the CRC with
24680 * @param count The number of bytes
24681 */
24682 this.updateCRCRun = function(value, count) {
24683 while (count-- > 0) {
24684 crc = (crc << 8) ^ crc32Lookup[((crc >>> 24) ^ value) & 0xff];
24685 }
24686 };
24687 };
24688 return CRC32;
24689 })();
24690
24691 /*
24692 seek-bzip - a pure-javascript module for seeking within bzip2 data
24693
24694 Copyright (C) 2013 C. Scott Ananian
24695 Copyright (C) 2012 Eli Skeggs
24696 Copyright (C) 2011 Kevin Kwok
24697
24698 This library is free software; you can redistribute it and/or
24699 modify it under the terms of the GNU Lesser General Public
24700 License as published by the Free Software Foundation; either
24701 version 2.1 of the License, or (at your option) any later version.
24702
24703 This library is distributed in the hope that it will be useful,
24704 but WITHOUT ANY WARRANTY; without even the implied warranty of
24705 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
24706 Lesser General Public License for more details.
24707
24708 You should have received a copy of the GNU Lesser General Public
24709 License along with this library; if not, see
24710 http://www.gnu.org/licenses/lgpl-2.1.html
24711
24712 Adapted from node-bzip, copyright 2012 Eli Skeggs.
24713 Adapted from bzip2.js, copyright 2011 Kevin Kwok (antimatter15@gmail.com).
24714
24715 Based on micro-bunzip by Rob Landley (rob@landley.net).
24716
24717 Based on bzip2 decompression code by Julian R Seward (jseward@acm.org),
24718 which also acknowledges contributions by Mike Burrows, David Wheeler,
24719 Peter Fenwick, Alistair Moffat, Radford Neal, Ian H. Witten,
24720 Robert Sedgewick, and Jon L. Bentley.
24721 */
24722
24723
24724
24725
24726
24727 var MAX_HUFCODE_BITS = 20;
24728 var MAX_SYMBOLS = 258;
24729 var SYMBOL_RUNA = 0;
24730 var SYMBOL_RUNB = 1;
24731 var MIN_GROUPS = 2;
24732 var MAX_GROUPS = 6;
24733 var GROUP_SIZE = 50;
24734
24735 var WHOLEPI = "314159265359";
24736 var SQRTPI = "177245385090";
24737
24738 var mtf = function(array, index) {
24739 var src = array[index], i;
24740 for (i = index; i > 0; i--) {
24741 array[i] = array[i-1];
24742 }
24743 array[0] = src;
24744 return src;
24745 };
24746
24747 var Err = {
24748 OK: 0,
24749 LAST_BLOCK: -1,
24750 NOT_BZIP_DATA: -2,
24751 UNEXPECTED_INPUT_EOF: -3,
24752 UNEXPECTED_OUTPUT_EOF: -4,
24753 DATA_ERROR: -5,
24754 OUT_OF_MEMORY: -6,
24755 OBSOLETE_INPUT: -7,
24756 END_OF_BLOCK: -8
24757 };
24758 var ErrorMessages = {};
24759 ErrorMessages[Err.LAST_BLOCK] = "Bad file checksum";
24760 ErrorMessages[Err.NOT_BZIP_DATA] = "Not bzip data";
24761 ErrorMessages[Err.UNEXPECTED_INPUT_EOF] = "Unexpected input EOF";
24762 ErrorMessages[Err.UNEXPECTED_OUTPUT_EOF] = "Unexpected output EOF";
24763 ErrorMessages[Err.DATA_ERROR] = "Data error";
24764 ErrorMessages[Err.OUT_OF_MEMORY] = "Out of memory";
24765 ErrorMessages[Err.OBSOLETE_INPUT] = "Obsolete (pre 0.9.5) bzip format not supported.";
24766
24767 var _throw = function(status, optDetail) {
24768 var msg = ErrorMessages[status] || 'unknown error';
24769 if (optDetail) { msg += ': '+optDetail; }
24770 var e = new TypeError(msg);
24771 e.errorCode = status;
24772 throw e;
24773 };
24774
24775 var Bunzip = function(inputStream, outputStream) {
24776 this.writePos = this.writeCurrent = this.writeCount = 0;
24777
24778 this._start_bunzip(inputStream, outputStream);
24779 };
24780 Bunzip.prototype._init_block = function() {
24781 var moreBlocks = this._get_next_block();
24782 if ( !moreBlocks ) {
24783 this.writeCount = -1;
24784 return false; /* no more blocks */
24785 }
24786 this.blockCRC = new crc32$1();
24787 return true;
24788 };
24789 /* XXX micro-bunzip uses (inputStream, inputBuffer, len) as arguments */
24790 Bunzip.prototype._start_bunzip = function(inputStream, outputStream) {
24791 /* Ensure that file starts with "BZh['1'-'9']." */
24792 var buf = new Uint8Array(4);
24793 if (inputStream.read(buf, 0, 4) !== 4 ||
24794 String.fromCharCode(buf[0], buf[1], buf[2]) !== 'BZh')
24795 _throw(Err.NOT_BZIP_DATA, 'bad magic');
24796
24797 var level = buf[3] - 0x30;
24798 if (level < 1 || level > 9)
24799 _throw(Err.NOT_BZIP_DATA, 'level out of range');
24800
24801 this.reader = new bitreader(inputStream);
24802
24803 /* Fourth byte (ascii '1'-'9'), indicates block size in units of 100k of
24804 uncompressed data. Allocate intermediate buffer for block. */
24805 this.dbufSize = 100000 * level;
24806 this.nextoutput = 0;
24807 this.outputStream = outputStream;
24808 this.streamCRC = 0;
24809 };
24810 Bunzip.prototype._get_next_block = function() {
24811 var i, j, k;
24812 var reader = this.reader;
24813 // this is get_next_block() function from micro-bunzip:
24814 /* Read in header signature and CRC, then validate signature.
24815 (last block signature means CRC is for whole file, return now) */
24816 var h = reader.pi();
24817 if (h === SQRTPI) { // last block
24818 return false; /* no more blocks */
24819 }
24820 if (h !== WHOLEPI)
24821 _throw(Err.NOT_BZIP_DATA);
24822 this.targetBlockCRC = reader.read(32) >>> 0; // (convert to unsigned)
24823 this.streamCRC = (this.targetBlockCRC ^
24824 ((this.streamCRC << 1) | (this.streamCRC>>>31))) >>> 0;
24825 /* We can add support for blockRandomised if anybody complains. There was
24826 some code for this in busybox 1.0.0-pre3, but nobody ever noticed that
24827 it didn't actually work. */
24828 if (reader.read(1))
24829 _throw(Err.OBSOLETE_INPUT);
24830 var origPointer = reader.read(24);
24831 if (origPointer > this.dbufSize)
24832 _throw(Err.DATA_ERROR, 'initial position out of bounds');
24833 /* mapping table: if some byte values are never used (encoding things
24834 like ascii text), the compression code removes the gaps to have fewer
24835 symbols to deal with, and writes a sparse bitfield indicating which
24836 values were present. We make a translation table to convert the symbols
24837 back to the corresponding bytes. */
24838 var t = reader.read(16);
24839 var symToByte = new Uint8Array(256), symTotal = 0;
24840 for (i = 0; i < 16; i++) {
24841 if (t & (1 << (0xF - i))) {
24842 var o = i * 16;
24843 k = reader.read(16);
24844 for (j = 0; j < 16; j++)
24845 if (k & (1 << (0xF - j)))
24846 symToByte[symTotal++] = o + j;
24847 }
24848 }
24849
24850 /* How many different huffman coding groups does this block use? */
24851 var groupCount = reader.read(3);
24852 if (groupCount < MIN_GROUPS || groupCount > MAX_GROUPS)
24853 _throw(Err.DATA_ERROR);
24854 /* nSelectors: Every GROUP_SIZE many symbols we select a new huffman coding
24855 group. Read in the group selector list, which is stored as MTF encoded
24856 bit runs. (MTF=Move To Front, as each value is used it's moved to the
24857 start of the list.) */
24858 var nSelectors = reader.read(15);
24859 if (nSelectors === 0)
24860 _throw(Err.DATA_ERROR);
24861
24862 var mtfSymbol = new Uint8Array(256);
24863 for (i = 0; i < groupCount; i++)
24864 mtfSymbol[i] = i;
24865
24866 var selectors = new Uint8Array(nSelectors); // was 32768...
24867
24868 for (i = 0; i < nSelectors; i++) {
24869 /* Get next value */
24870 for (j = 0; reader.read(1); j++)
24871 if (j >= groupCount) _throw(Err.DATA_ERROR);
24872 /* Decode MTF to get the next selector */
24873 selectors[i] = mtf(mtfSymbol, j);
24874 }
24875
24876 /* Read the huffman coding tables for each group, which code for symTotal
24877 literal symbols, plus two run symbols (RUNA, RUNB) */
24878 var symCount = symTotal + 2;
24879 var groups = [], hufGroup;
24880 for (j = 0; j < groupCount; j++) {
24881 var length = new Uint8Array(symCount), temp = new Uint16Array(MAX_HUFCODE_BITS + 1);
24882 /* Read huffman code lengths for each symbol. They're stored in
24883 a way similar to mtf; record a starting value for the first symbol,
24884 and an offset from the previous value for everys symbol after that. */
24885 t = reader.read(5); // lengths
24886 for (i = 0; i < symCount; i++) {
24887 for (;;) {
24888 if (t < 1 || t > MAX_HUFCODE_BITS) _throw(Err.DATA_ERROR);
24889 /* If first bit is 0, stop. Else second bit indicates whether
24890 to increment or decrement the value. */
24891 if(!reader.read(1))
24892 break;
24893 if(!reader.read(1))
24894 t++;
24895 else
24896 t--;
24897 }
24898 length[i] = t;
24899 }
24900
24901 /* Find largest and smallest lengths in this group */
24902 var minLen, maxLen;
24903 minLen = maxLen = length[0];
24904 for (i = 1; i < symCount; i++) {
24905 if (length[i] > maxLen)
24906 maxLen = length[i];
24907 else if (length[i] < minLen)
24908 minLen = length[i];
24909 }
24910
24911 /* Calculate permute[], base[], and limit[] tables from length[].
24912 *
24913 * permute[] is the lookup table for converting huffman coded symbols
24914 * into decoded symbols. base[] is the amount to subtract from the
24915 * value of a huffman symbol of a given length when using permute[].
24916 *
24917 * limit[] indicates the largest numerical value a symbol with a given
24918 * number of bits can have. This is how the huffman codes can vary in
24919 * length: each code with a value>limit[length] needs another bit.
24920 */
24921 hufGroup = {};
24922 groups.push(hufGroup);
24923 hufGroup.permute = new Uint16Array(MAX_SYMBOLS);
24924 hufGroup.limit = new Uint32Array(MAX_HUFCODE_BITS + 2);
24925 hufGroup.base = new Uint32Array(MAX_HUFCODE_BITS + 1);
24926 hufGroup.minLen = minLen;
24927 hufGroup.maxLen = maxLen;
24928 /* Calculate permute[]. Concurently, initialize temp[] and limit[]. */
24929 var pp = 0;
24930 for (i = minLen; i <= maxLen; i++) {
24931 temp[i] = hufGroup.limit[i] = 0;
24932 for (t = 0; t < symCount; t++)
24933 if (length[t] === i)
24934 hufGroup.permute[pp++] = t;
24935 }
24936 /* Count symbols coded for at each bit length */
24937 for (i = 0; i < symCount; i++)
24938 temp[length[i]]++;
24939 /* Calculate limit[] (the largest symbol-coding value at each bit
24940 * length, which is (previous limit<<1)+symbols at this level), and
24941 * base[] (number of symbols to ignore at each bit length, which is
24942 * limit minus the cumulative count of symbols coded for already). */
24943 pp = t = 0;
24944 for (i = minLen; i < maxLen; i++) {
24945 pp += temp[i];
24946 /* We read the largest possible symbol size and then unget bits
24947 after determining how many we need, and those extra bits could
24948 be set to anything. (They're noise from future symbols.) At
24949 each level we're really only interested in the first few bits,
24950 so here we set all the trailing to-be-ignored bits to 1 so they
24951 don't affect the value>limit[length] comparison. */
24952 hufGroup.limit[i] = pp - 1;
24953 pp <<= 1;
24954 t += temp[i];
24955 hufGroup.base[i + 1] = pp - t;
24956 }
24957 hufGroup.limit[maxLen + 1] = Number.MAX_VALUE; /* Sentinal value for reading next sym. */
24958 hufGroup.limit[maxLen] = pp + temp[maxLen] - 1;
24959 hufGroup.base[minLen] = 0;
24960 }
24961 /* We've finished reading and digesting the block header. Now read this
24962 block's huffman coded symbols from the file and undo the huffman coding
24963 and run length encoding, saving the result into dbuf[dbufCount++]=uc */
24964
24965 /* Initialize symbol occurrence counters and symbol Move To Front table */
24966 var byteCount = new Uint32Array(256);
24967 for (i = 0; i < 256; i++)
24968 mtfSymbol[i] = i;
24969 /* Loop through compressed symbols. */
24970 var runPos = 0, dbufCount = 0, selector = 0, uc;
24971 var dbuf = this.dbuf = new Uint32Array(this.dbufSize);
24972 symCount = 0;
24973 for (;;) {
24974 /* Determine which huffman coding group to use. */
24975 if (!(symCount--)) {
24976 symCount = GROUP_SIZE - 1;
24977 if (selector >= nSelectors) { _throw(Err.DATA_ERROR); }
24978 hufGroup = groups[selectors[selector++]];
24979 }
24980 /* Read next huffman-coded symbol. */
24981 i = hufGroup.minLen;
24982 j = reader.read(i);
24983 for (;;i++) {
24984 if (i > hufGroup.maxLen) { _throw(Err.DATA_ERROR); }
24985 if (j <= hufGroup.limit[i])
24986 break;
24987 j = (j << 1) | reader.read(1);
24988 }
24989 /* Huffman decode value to get nextSym (with bounds checking) */
24990 j -= hufGroup.base[i];
24991 if (j < 0 || j >= MAX_SYMBOLS) { _throw(Err.DATA_ERROR); }
24992 var nextSym = hufGroup.permute[j];
24993 /* We have now decoded the symbol, which indicates either a new literal
24994 byte, or a repeated run of the most recent literal byte. First,
24995 check if nextSym indicates a repeated run, and if so loop collecting
24996 how many times to repeat the last literal. */
24997 if (nextSym === SYMBOL_RUNA || nextSym === SYMBOL_RUNB) {
24998 /* If this is the start of a new run, zero out counter */
24999 if (!runPos){
25000 runPos = 1;
25001 t = 0;
25002 }
25003 /* Neat trick that saves 1 symbol: instead of or-ing 0 or 1 at
25004 each bit position, add 1 or 2 instead. For example,
25005 1011 is 1<<0 + 1<<1 + 2<<2. 1010 is 2<<0 + 2<<1 + 1<<2.
25006 You can make any bit pattern that way using 1 less symbol than
25007 the basic or 0/1 method (except all bits 0, which would use no
25008 symbols, but a run of length 0 doesn't mean anything in this
25009 context). Thus space is saved. */
25010 if (nextSym === SYMBOL_RUNA)
25011 t += runPos;
25012 else
25013 t += 2 * runPos;
25014 runPos <<= 1;
25015 continue;
25016 }
25017 /* When we hit the first non-run symbol after a run, we now know
25018 how many times to repeat the last literal, so append that many
25019 copies to our buffer of decoded symbols (dbuf) now. (The last
25020 literal used is the one at the head of the mtfSymbol array.) */
25021 if (runPos){
25022 runPos = 0;
25023 if (dbufCount + t > this.dbufSize) { _throw(Err.DATA_ERROR); }
25024 uc = symToByte[mtfSymbol[0]];
25025 byteCount[uc] += t;
25026 while (t--)
25027 dbuf[dbufCount++] = uc;
25028 }
25029 /* Is this the terminating symbol? */
25030 if (nextSym > symTotal)
25031 break;
25032 /* At this point, nextSym indicates a new literal character. Subtract
25033 one to get the position in the MTF array at which this literal is
25034 currently to be found. (Note that the result can't be -1 or 0,
25035 because 0 and 1 are RUNA and RUNB. But another instance of the
25036 first symbol in the mtf array, position 0, would have been handled
25037 as part of a run above. Therefore 1 unused mtf position minus
25038 2 non-literal nextSym values equals -1.) */
25039 if (dbufCount >= this.dbufSize) { _throw(Err.DATA_ERROR); }
25040 i = nextSym - 1;
25041 uc = mtf(mtfSymbol, i);
25042 uc = symToByte[uc];
25043 /* We have our literal byte. Save it into dbuf. */
25044 byteCount[uc]++;
25045 dbuf[dbufCount++] = uc;
25046 }
25047 /* At this point, we've read all the huffman-coded symbols (and repeated
25048 runs) for this block from the input stream, and decoded them into the
25049 intermediate buffer. There are dbufCount many decoded bytes in dbuf[].
25050 Now undo the Burrows-Wheeler transform on dbuf.
25051 See http://dogma.net/markn/articles/bwt/bwt.htm
25052 */
25053 if (origPointer < 0 || origPointer >= dbufCount) { _throw(Err.DATA_ERROR); }
25054 /* Turn byteCount into cumulative occurrence counts of 0 to n-1. */
25055 j = 0;
25056 for (i = 0; i < 256; i++) {
25057 k = j + byteCount[i];
25058 byteCount[i] = j;
25059 j = k;
25060 }
25061 /* Figure out what order dbuf would be in if we sorted it. */
25062 for (i = 0; i < dbufCount; i++) {
25063 uc = dbuf[i] & 0xff;
25064 dbuf[byteCount[uc]] |= (i << 8);
25065 byteCount[uc]++;
25066 }
25067 /* Decode first byte by hand to initialize "previous" byte. Note that it
25068 doesn't get output, and if the first three characters are identical
25069 it doesn't qualify as a run (hence writeRunCountdown=5). */
25070 var pos = 0, current = 0, run = 0;
25071 if (dbufCount) {
25072 pos = dbuf[origPointer];
25073 current = (pos & 0xff);
25074 pos >>= 8;
25075 run = -1;
25076 }
25077 this.writePos = pos;
25078 this.writeCurrent = current;
25079 this.writeCount = dbufCount;
25080 this.writeRun = run;
25081
25082 return true; /* more blocks to come */
25083 };
25084 /* Undo burrows-wheeler transform on intermediate buffer to produce output.
25085 If start_bunzip was initialized with out_fd=-1, then up to len bytes of
25086 data are written to outbuf. Return value is number of bytes written or
25087 error (all errors are negative numbers). If out_fd!=-1, outbuf and len
25088 are ignored, data is written to out_fd and return is RETVAL_OK or error.
25089 */
25090 Bunzip.prototype._read_bunzip = function(outputBuffer, len) {
25091 var copies, previous, outbyte;
25092 /* james@jamestaylor.org: writeCount goes to -1 when the buffer is fully
25093 decoded, which results in this returning RETVAL_LAST_BLOCK, also
25094 equal to -1... Confusing, I'm returning 0 here to indicate no
25095 bytes written into the buffer */
25096 if (this.writeCount < 0) { return 0; }
25097 var dbuf = this.dbuf, pos = this.writePos, current = this.writeCurrent;
25098 var dbufCount = this.writeCount; this.outputsize;
25099 var run = this.writeRun;
25100
25101 while (dbufCount) {
25102 dbufCount--;
25103 previous = current;
25104 pos = dbuf[pos];
25105 current = pos & 0xff;
25106 pos >>= 8;
25107 if (run++ === 3){
25108 copies = current;
25109 outbyte = previous;
25110 current = -1;
25111 } else {
25112 copies = 1;
25113 outbyte = current;
25114 }
25115 this.blockCRC.updateCRCRun(outbyte, copies);
25116 while (copies--) {
25117 this.outputStream.writeByte(outbyte);
25118 this.nextoutput++;
25119 }
25120 if (current != previous)
25121 run = 0;
25122 }
25123 this.writeCount = dbufCount;
25124 // check CRC
25125 if (this.blockCRC.getCRC() !== this.targetBlockCRC) {
25126 _throw(Err.DATA_ERROR, "Bad block CRC "+
25127 "(got "+this.blockCRC.getCRC().toString(16)+
25128 " expected "+this.targetBlockCRC.toString(16)+")");
25129 }
25130 return this.nextoutput;
25131 };
25132
25133 var coerceInputStream = function(input) {
25134 if ('readByte' in input) { return input; }
25135 var inputStream = new stream$1();
25136 inputStream.pos = 0;
25137 inputStream.readByte = function() { return input[this.pos++]; };
25138 inputStream.seek = function(pos) { this.pos = pos; };
25139 inputStream.eof = function() { return this.pos >= input.length; };
25140 return inputStream;
25141 };
25142 var coerceOutputStream = function(output) {
25143 var outputStream = new stream$1();
25144 var resizeOk = true;
25145 if (output) {
25146 if (typeof(output)==='number') {
25147 outputStream.buffer = new Uint8Array(output);
25148 resizeOk = false;
25149 } else if ('writeByte' in output) {
25150 return output;
25151 } else {
25152 outputStream.buffer = output;
25153 resizeOk = false;
25154 }
25155 } else {
25156 outputStream.buffer = new Uint8Array(16384);
25157 }
25158 outputStream.pos = 0;
25159 outputStream.writeByte = function(_byte) {
25160 if (resizeOk && this.pos >= this.buffer.length) {
25161 var newBuffer = new Uint8Array(this.buffer.length*2);
25162 newBuffer.set(this.buffer);
25163 this.buffer = newBuffer;
25164 }
25165 this.buffer[this.pos++] = _byte;
25166 };
25167 outputStream.getBuffer = function() {
25168 // trim buffer
25169 if (this.pos !== this.buffer.length) {
25170 if (!resizeOk)
25171 throw new TypeError('outputsize does not match decoded input');
25172 var newBuffer = new Uint8Array(this.pos);
25173 newBuffer.set(this.buffer.subarray(0, this.pos));
25174 this.buffer = newBuffer;
25175 }
25176 return this.buffer;
25177 };
25178 outputStream._coerced = true;
25179 return outputStream;
25180 };
25181
25182 /* Static helper functions */
25183 // 'input' can be a stream or a buffer
25184 // 'output' can be a stream or a buffer or a number (buffer size)
25185 const decode$2 = function(input, output, multistream) {
25186 // make a stream from a buffer, if necessary
25187 var inputStream = coerceInputStream(input);
25188 var outputStream = coerceOutputStream(output);
25189
25190 var bz = new Bunzip(inputStream, outputStream);
25191 while (true) {
25192 if ('eof' in inputStream && inputStream.eof()) break;
25193 if (bz._init_block()) {
25194 bz._read_bunzip();
25195 } else {
25196 var targetStreamCRC = bz.reader.read(32) >>> 0; // (convert to unsigned)
25197 if (targetStreamCRC !== bz.streamCRC) {
25198 _throw(Err.DATA_ERROR, "Bad stream CRC "+
25199 "(got "+bz.streamCRC.toString(16)+
25200 " expected "+targetStreamCRC.toString(16)+")");
25201 }
25202 if (multistream &&
25203 'eof' in inputStream &&
25204 !inputStream.eof()) {
25205 // note that start_bunzip will also resync the bit reader to next byte
25206 bz._start_bunzip(inputStream, outputStream);
25207 } else break;
25208 }
25209 }
25210 if ('getBuffer' in outputStream)
25211 return outputStream.getBuffer();
25212 };
25213 const decodeBlock = function(input, pos, output) {
25214 // make a stream from a buffer, if necessary
25215 var inputStream = coerceInputStream(input);
25216 var outputStream = coerceOutputStream(output);
25217 var bz = new Bunzip(inputStream, outputStream);
25218 bz.reader.seek(pos);
25219 /* Fill the decode buffer for the block */
25220 var moreBlocks = bz._get_next_block();
25221 if (moreBlocks) {
25222 /* Init the CRC for writing */
25223 bz.blockCRC = new crc32$1();
25224
25225 /* Zero this so the current byte from before the seek is not written */
25226 bz.writeCopies = 0;
25227
25228 /* Decompress the block and write to stdout */
25229 bz._read_bunzip();
25230 // XXX keep writing?
25231 }
25232 if ('getBuffer' in outputStream)
25233 return outputStream.getBuffer();
25234 };
25235 /* Reads bzip2 file from stream or buffer `input`, and invoke
25236 * `callback(position, size)` once for each bzip2 block,
25237 * where position gives the starting position (in *bits*)
25238 * and size gives uncompressed size of the block (in *bytes*). */
25239 const table = function(input, callback, multistream) {
25240 // make a stream from a buffer, if necessary
25241 var inputStream = new stream$1();
25242 inputStream.delegate = coerceInputStream(input);
25243 inputStream.pos = 0;
25244 inputStream.readByte = function() {
25245 this.pos++;
25246 return this.delegate.readByte();
25247 };
25248 if (inputStream.delegate.eof) {
25249 inputStream.eof = inputStream.delegate.eof.bind(inputStream.delegate);
25250 }
25251 var outputStream = new stream$1();
25252 outputStream.pos = 0;
25253 outputStream.writeByte = function() { this.pos++; };
25254
25255 var bz = new Bunzip(inputStream, outputStream);
25256 var blockSize = bz.dbufSize;
25257 while (true) {
25258 if ('eof' in inputStream && inputStream.eof()) break;
25259
25260 var position = inputStream.pos*8 + bz.reader.bitOffset;
25261 if (bz.reader.hasByte) { position -= 8; }
25262
25263 if (bz._init_block()) {
25264 var start = outputStream.pos;
25265 bz._read_bunzip();
25266 callback(position, outputStream.pos - start);
25267 } else {
25268 bz.reader.read(32); // (but we ignore the crc)
25269 if (multistream &&
25270 'eof' in inputStream &&
25271 !inputStream.eof()) {
25272 // note that start_bunzip will also resync the bit reader to next byte
25273 bz._start_bunzip(inputStream, outputStream);
25274 console.assert(bz.dbufSize === blockSize,
25275 "shouldn't change block size within multistream file");
25276 } else break;
25277 }
25278 }
25279 };
25280
25281 var lib = {
25282 Bunzip,
25283 Stream: stream$1,
25284 Err,
25285 decode: decode$2,
25286 decodeBlock,
25287 table
25288 };
25289 var lib_4 = lib.decode;
25290
25291 // GPG4Browsers - An OpenPGP implementation in javascript
25292
25293 /**
25294 * Implementation of the Compressed Data Packet (Tag 8)
25295 *
25296 * {@link https://tools.ietf.org/html/rfc4880#section-5.6|RFC4880 5.6}:
25297 * The Compressed Data packet contains compressed data. Typically,
25298 * this packet is found as the contents of an encrypted packet, or following
25299 * a Signature or One-Pass Signature packet, and contains a literal data packet.
25300 */
25301 class CompressedDataPacket {
25302 /**
25303 * @param {Object} [config] - Full configuration, defaults to openpgp.config
25304 */
25305 constructor(config = defaultConfig) {
25306 /**
25307 * Packet type
25308 * @type {module:enums.packet}
25309 */
25310 this.tag = enums.packet.compressedData;
25311 /**
25312 * List of packets
25313 * @type {PacketList}
25314 */
25315 this.packets = null;
25316 /**
25317 * Compression algorithm
25318 * @type {compression}
25319 */
25320 this.algorithm = enums.read(enums.compression, config.compression);
25321
25322 /**
25323 * Compressed packet data
25324 * @type {Uint8Array | ReadableStream<Uint8Array>}
25325 */
25326 this.compressed = null;
25327
25328 /**
25329 * zip/zlib compression level, between 1 and 9
25330 */
25331 this.deflateLevel = config.deflateLevel;
25332 }
25333
25334 /**
25335 * Parsing function for the packet.
25336 * @param {Uint8Array | ReadableStream<Uint8Array>} bytes - Payload of a tag 8 packet
25337 */
25338 async read(bytes, config, streaming) {
25339 await stream.parse(bytes, async reader => {
25340
25341 // One octet that gives the algorithm used to compress the packet.
25342 this.algorithm = enums.read(enums.compression, await reader.readByte());
25343
25344 // Compressed data, which makes up the remainder of the packet.
25345 this.compressed = reader.remainder();
25346
25347 await this.decompress(streaming);
25348 });
25349 }
25350
25351
25352 /**
25353 * Return the compressed packet.
25354 * @returns {Uint8Array | ReadableStream<Uint8Array>} Binary compressed packet.
25355 */
25356 write() {
25357 if (this.compressed === null) {
25358 this.compress();
25359 }
25360
25361 return util.concat([new Uint8Array([enums.write(enums.compression, this.algorithm)]), this.compressed]);
25362 }
25363
25364
25365 /**
25366 * Decompression method for decompressing the compressed data
25367 * read by read_packet
25368 */
25369 async decompress(streaming) {
25370
25371 if (!decompress_fns[this.algorithm]) {
25372 throw new Error(this.algorithm + ' decompression not supported');
25373 }
25374
25375 await this.packets.read(decompress_fns[this.algorithm](this.compressed), {
25376 LiteralDataPacket,
25377 OnePassSignaturePacket,
25378 SignaturePacket
25379 }, streaming);
25380 }
25381
25382 /**
25383 * Compress the packet data (member decompressedData)
25384 */
25385 compress() {
25386 if (!compress_fns[this.algorithm]) {
25387 throw new Error(this.algorithm + ' compression not supported');
25388 }
25389
25390 this.compressed = compress_fns[this.algorithm](this.packets.write(), this.deflateLevel);
25391 }
25392 }
25393
25394 //////////////////////////
25395 // //
25396 // Helper functions //
25397 // //
25398 //////////////////////////
25399
25400
25401 const nodeZlib = util.getNodeZlib();
25402
25403 function uncompressed(data) {
25404 return data;
25405 }
25406
25407 function node_zlib(func, options = {}) {
25408 return function (data) {
25409 return stream.nodeToWeb(stream.webToNode(data).pipe(func(options)));
25410 };
25411 }
25412
25413 function pako_zlib(constructor, options = {}) {
25414 return function(data) {
25415 const obj = new constructor(options);
25416 return stream.transform(data, value => {
25417 if (value.length) {
25418 obj.push(value, Z_SYNC_FLUSH);
25419 return obj.result;
25420 }
25421 }, () => {
25422 if (constructor === Deflate) {
25423 obj.push([], Z_FINISH);
25424 return obj.result;
25425 }
25426 });
25427 };
25428 }
25429
25430 function bzip2(func) {
25431 return function(data) {
25432 return stream.fromAsync(async () => func(await stream.readToEnd(data)));
25433 };
25434 }
25435
25436 const compress_fns = nodeZlib ? {
25437 zip: /*#__PURE__*/ (compressed, level) => node_zlib(nodeZlib.createDeflateRaw, { level })(compressed),
25438 zlib: /*#__PURE__*/ (compressed, level) => node_zlib(nodeZlib.createDeflate, { level })(compressed)
25439 } : {
25440 zip: /*#__PURE__*/ (compressed, level) => pako_zlib(Deflate, { raw: true, level })(compressed),
25441 zlib: /*#__PURE__*/ (compressed, level) => pako_zlib(Deflate, { level })(compressed)
25442 };
25443
25444 const decompress_fns = nodeZlib ? {
25445 uncompressed: uncompressed,
25446 zip: /*#__PURE__*/ node_zlib(nodeZlib.createInflateRaw),
25447 zlib: /*#__PURE__*/ node_zlib(nodeZlib.createInflate),
25448 bzip2: /*#__PURE__*/ bzip2(lib_4)
25449 } : {
25450 uncompressed: uncompressed,
25451 zip: /*#__PURE__*/ pako_zlib(Inflate, { raw: true }),
25452 zlib: /*#__PURE__*/ pako_zlib(Inflate),
25453 bzip2: /*#__PURE__*/ bzip2(lib_4)
25454 };
25455
25456 // GPG4Browsers - An OpenPGP implementation in javascript
25457
25458 const VERSION = 1; // A one-octet version number of the data packet.
25459
25460 /**
25461 * Implementation of the Sym. Encrypted Integrity Protected Data Packet (Tag 18)
25462 *
25463 * {@link https://tools.ietf.org/html/rfc4880#section-5.13|RFC4880 5.13}:
25464 * The Symmetrically Encrypted Integrity Protected Data packet is
25465 * a variant of the Symmetrically Encrypted Data packet. It is a new feature
25466 * created for OpenPGP that addresses the problem of detecting a modification to
25467 * encrypted data. It is used in combination with a Modification Detection Code
25468 * packet.
25469 */
25470 class SymEncryptedIntegrityProtectedDataPacket {
25471 constructor() {
25472 this.tag = enums.packet.symEncryptedIntegrityProtectedData;
25473 this.version = VERSION;
25474 /** The encrypted payload. */
25475 this.encrypted = null; // string
25476 /**
25477 * If after decrypting the packet this is set to true,
25478 * a modification has been detected and thus the contents
25479 * should be discarded.
25480 * @type {Boolean}
25481 */
25482 this.modification = false;
25483 this.packets = null;
25484 }
25485
25486 async read(bytes) {
25487 await stream.parse(bytes, async reader => {
25488
25489 // - A one-octet version number. The only currently defined value is 1.
25490 if (await reader.readByte() !== VERSION) {
25491 throw new Error('Invalid packet version.');
25492 }
25493
25494 // - Encrypted data, the output of the selected symmetric-key cipher
25495 // operating in Cipher Feedback mode with shift amount equal to the
25496 // block size of the cipher (CFB-n where n is the block size).
25497 this.encrypted = reader.remainder();
25498 });
25499 }
25500
25501 write() {
25502 return util.concat([new Uint8Array([VERSION]), this.encrypted]);
25503 }
25504
25505 /**
25506 * Encrypt the payload in the packet.
25507 * @param {String} sessionKeyAlgorithm - The selected symmetric encryption algorithm to be used e.g. 'aes128'
25508 * @param {Uint8Array} key - The key of cipher blocksize length to be used
25509 * @param {Boolean} streaming - Whether to set this.encrypted to a stream
25510 * @param {Object} [config] - Full configuration, defaults to openpgp.config
25511 * @returns {Boolean}
25512 * @async
25513 */
25514 async encrypt(sessionKeyAlgorithm, key, streaming, config = defaultConfig) {
25515 let bytes = this.packets.write();
25516 if (!streaming) bytes = await stream.readToEnd(bytes);
25517 const prefix = await mod.getPrefixRandom(sessionKeyAlgorithm);
25518 const mdc = new Uint8Array([0xD3, 0x14]); // modification detection code packet
25519
25520 const tohash = util.concat([prefix, bytes, mdc]);
25521 const hash = await mod.hash.sha1(stream.passiveClone(tohash));
25522 const plaintext = util.concat([tohash, hash]);
25523
25524 this.encrypted = await mod.cfb.encrypt(sessionKeyAlgorithm, key, plaintext, new Uint8Array(mod.cipher[sessionKeyAlgorithm].blockSize), config);
25525 return true;
25526 }
25527
25528 /**
25529 * Decrypts the encrypted data contained in the packet.
25530 * @param {String} sessionKeyAlgorithm - The selected symmetric encryption algorithm to be used e.g. 'aes128'
25531 * @param {Uint8Array} key - The key of cipher blocksize length to be used
25532 * @param {Boolean} streaming - Whether to read this.encrypted as a stream
25533 * @param {Object} [config] - Full configuration, defaults to openpgp.config
25534 * @returns {Boolean}
25535 * @async
25536 */
25537 async decrypt(sessionKeyAlgorithm, key, streaming, config = defaultConfig) {
25538 let encrypted = stream.clone(this.encrypted);
25539 if (!streaming) encrypted = await stream.readToEnd(encrypted);
25540 const decrypted = await mod.cfb.decrypt(sessionKeyAlgorithm, key, encrypted, new Uint8Array(mod.cipher[sessionKeyAlgorithm].blockSize));
25541
25542 // there must be a modification detection code packet as the
25543 // last packet and everything gets hashed except the hash itself
25544 const realHash = stream.slice(stream.passiveClone(decrypted), -20);
25545 const tohash = stream.slice(decrypted, 0, -20);
25546 const verifyHash = Promise.all([
25547 stream.readToEnd(await mod.hash.sha1(stream.passiveClone(tohash))),
25548 stream.readToEnd(realHash)
25549 ]).then(([hash, mdc]) => {
25550 if (!util.equalsUint8Array(hash, mdc)) {
25551 throw new Error('Modification detected.');
25552 }
25553 return new Uint8Array();
25554 });
25555 const bytes = stream.slice(tohash, mod.cipher[sessionKeyAlgorithm].blockSize + 2); // Remove random prefix
25556 let packetbytes = stream.slice(bytes, 0, -2); // Remove MDC packet
25557 packetbytes = stream.concat([packetbytes, stream.fromAsync(() => verifyHash)]);
25558 if (!util.isStream(encrypted) || !config.allowUnauthenticatedStream) {
25559 packetbytes = await stream.readToEnd(packetbytes);
25560 }
25561 await this.packets.read(packetbytes, {
25562 LiteralDataPacket,
25563 CompressedDataPacket,
25564 OnePassSignaturePacket,
25565 SignaturePacket
25566 }, streaming);
25567 return true;
25568 }
25569 }
25570
25571 // OpenPGP.js - An OpenPGP implementation in javascript
25572
25573 const VERSION$1 = 1; // A one-octet version number of the data packet.
25574
25575 /**
25576 * Implementation of the Symmetrically Encrypted Authenticated Encryption with
25577 * Additional Data (AEAD) Protected Data Packet
25578 *
25579 * {@link https://tools.ietf.org/html/draft-ford-openpgp-format-00#section-2.1}:
25580 * AEAD Protected Data Packet
25581 */
25582 class AEADEncryptedDataPacket {
25583 constructor() {
25584 this.tag = enums.packet.AEADEncryptedData;
25585 this.version = VERSION$1;
25586 this.cipherAlgo = null;
25587 this.aeadAlgorithm = 'eax';
25588 this.aeadAlgo = null;
25589 this.chunkSizeByte = null;
25590 this.iv = null;
25591 this.encrypted = null;
25592 this.packets = null;
25593 }
25594
25595 /**
25596 * Parse an encrypted payload of bytes in the order: version, IV, ciphertext (see specification)
25597 * @param {Uint8Array | ReadableStream<Uint8Array>} bytes
25598 */
25599 async read(bytes) {
25600 await stream.parse(bytes, async reader => {
25601 if (await reader.readByte() !== VERSION$1) { // The only currently defined value is 1.
25602 throw new Error('Invalid packet version.');
25603 }
25604 this.cipherAlgo = await reader.readByte();
25605 this.aeadAlgo = await reader.readByte();
25606 this.chunkSizeByte = await reader.readByte();
25607 const mode = mod[enums.read(enums.aead, this.aeadAlgo)];
25608 this.iv = await reader.readBytes(mode.ivLength);
25609 this.encrypted = reader.remainder();
25610 });
25611 }
25612
25613 /**
25614 * Write the encrypted payload of bytes in the order: version, IV, ciphertext (see specification)
25615 * @returns {Uint8Array | ReadableStream<Uint8Array>} The encrypted payload.
25616 */
25617 write() {
25618 return util.concat([new Uint8Array([this.version, this.cipherAlgo, this.aeadAlgo, this.chunkSizeByte]), this.iv, this.encrypted]);
25619 }
25620
25621 /**
25622 * Decrypt the encrypted payload.
25623 * @param {String} sessionKeyAlgorithm - The session key's cipher algorithm e.g. 'aes128'
25624 * @param {Uint8Array} key - The session key used to encrypt the payload
25625 * @param {Boolean} streaming - Whether the top-level function will return a stream
25626 * @throws {Error} if decryption was not successful
25627 * @async
25628 */
25629 async decrypt(sessionKeyAlgorithm, key, streaming) {
25630 await this.packets.read(await this.crypt('decrypt', key, stream.clone(this.encrypted), streaming), {
25631 LiteralDataPacket,
25632 CompressedDataPacket,
25633 OnePassSignaturePacket,
25634 SignaturePacket
25635 }, streaming);
25636 }
25637
25638 /**
25639 * Encrypt the packet list payload.
25640 * @param {String} sessionKeyAlgorithm - The session key's cipher algorithm e.g. 'aes128'
25641 * @param {Uint8Array} key - The session key used to encrypt the payload
25642 * @param {Boolean} streaming - Whether the top-level function will return a stream
25643 * @param {Object} [config] - Full configuration, defaults to openpgp.config
25644 * @throws {Error} if encryption was not successful
25645 * @async
25646 */
25647 async encrypt(sessionKeyAlgorithm, key, streaming, config = defaultConfig) {
25648 this.cipherAlgo = enums.write(enums.symmetric, sessionKeyAlgorithm);
25649 this.aeadAlgo = enums.write(enums.aead, this.aeadAlgorithm);
25650 const mode = mod[enums.read(enums.aead, this.aeadAlgo)];
25651 this.iv = await mod.random.getRandomBytes(mode.ivLength); // generate new random IV
25652 this.chunkSizeByte = config.aeadChunkSizeByte;
25653 const data = this.packets.write();
25654 this.encrypted = await this.crypt('encrypt', key, data, streaming);
25655 }
25656
25657 /**
25658 * En/decrypt the payload.
25659 * @param {encrypt|decrypt} fn - Whether to encrypt or decrypt
25660 * @param {Uint8Array} key - The session key used to en/decrypt the payload
25661 * @param {Uint8Array | ReadableStream<Uint8Array>} data - The data to en/decrypt
25662 * @param {Boolean} streaming - Whether the top-level function will return a stream
25663 * @returns {Uint8Array | ReadableStream<Uint8Array>}
25664 * @async
25665 */
25666 async crypt(fn, key, data, streaming) {
25667 const cipher = enums.read(enums.symmetric, this.cipherAlgo);
25668 const mode = mod[enums.read(enums.aead, this.aeadAlgo)];
25669 const modeInstance = await mode(cipher, key);
25670 const tagLengthIfDecrypting = fn === 'decrypt' ? mode.tagLength : 0;
25671 const tagLengthIfEncrypting = fn === 'encrypt' ? mode.tagLength : 0;
25672 const chunkSize = 2 ** (this.chunkSizeByte + 6) + tagLengthIfDecrypting; // ((uint64_t)1 << (c + 6))
25673 const adataBuffer = new ArrayBuffer(21);
25674 const adataArray = new Uint8Array(adataBuffer, 0, 13);
25675 const adataTagArray = new Uint8Array(adataBuffer);
25676 const adataView = new DataView(adataBuffer);
25677 const chunkIndexArray = new Uint8Array(adataBuffer, 5, 8);
25678 adataArray.set([0xC0 | this.tag, this.version, this.cipherAlgo, this.aeadAlgo, this.chunkSizeByte], 0);
25679 let chunkIndex = 0;
25680 let latestPromise = Promise.resolve();
25681 let cryptedBytes = 0;
25682 let queuedBytes = 0;
25683 const iv = this.iv;
25684 return stream.transformPair(data, async (readable, writable) => {
25685 const reader = stream.getReader(readable);
25686 const buffer = new stream.TransformStream({}, {
25687 highWaterMark: streaming ? util.getHardwareConcurrency() * 2 ** (this.chunkSizeByte + 6) : Infinity,
25688 size: array => array.length
25689 });
25690 stream.pipe(buffer.readable, writable);
25691 const writer = stream.getWriter(buffer.writable);
25692 try {
25693 while (true) {
25694 let chunk = await reader.readBytes(chunkSize + tagLengthIfDecrypting) || new Uint8Array();
25695 const finalChunk = chunk.subarray(chunk.length - tagLengthIfDecrypting);
25696 chunk = chunk.subarray(0, chunk.length - tagLengthIfDecrypting);
25697 let cryptedPromise;
25698 let done;
25699 if (!chunkIndex || chunk.length) {
25700 reader.unshift(finalChunk);
25701 cryptedPromise = modeInstance[fn](chunk, mode.getNonce(iv, chunkIndexArray), adataArray);
25702 queuedBytes += chunk.length - tagLengthIfDecrypting + tagLengthIfEncrypting;
25703 } else {
25704 // After the last chunk, we either encrypt a final, empty
25705 // data chunk to get the final authentication tag or
25706 // validate that final authentication tag.
25707 adataView.setInt32(13 + 4, cryptedBytes); // Should be setInt64(13, ...)
25708 cryptedPromise = modeInstance[fn](finalChunk, mode.getNonce(iv, chunkIndexArray), adataTagArray);
25709 queuedBytes += tagLengthIfEncrypting;
25710 done = true;
25711 }
25712 cryptedBytes += chunk.length - tagLengthIfDecrypting;
25713 // eslint-disable-next-line no-loop-func
25714 latestPromise = latestPromise.then(() => cryptedPromise).then(async crypted => {
25715 await writer.ready;
25716 await writer.write(crypted);
25717 queuedBytes -= crypted.length;
25718 }).catch(err => writer.abort(err));
25719 if (done || queuedBytes > writer.desiredSize) {
25720 await latestPromise; // Respect backpressure
25721 }
25722 if (!done) {
25723 adataView.setInt32(5 + 4, ++chunkIndex); // Should be setInt64(5, ...)
25724 } else {
25725 await writer.close();
25726 break;
25727 }
25728 }
25729 } catch (e) {
25730 await writer.abort(e);
25731 }
25732 });
25733 }
25734 }
25735
25736 // GPG4Browsers - An OpenPGP implementation in javascript
25737
25738 /**
25739 * Public-Key Encrypted Session Key Packets (Tag 1)
25740 *
25741 * {@link https://tools.ietf.org/html/rfc4880#section-5.1|RFC4880 5.1}:
25742 * A Public-Key Encrypted Session Key packet holds the session key
25743 * used to encrypt a message. Zero or more Public-Key Encrypted Session Key
25744 * packets and/or Symmetric-Key Encrypted Session Key packets may precede a
25745 * Symmetrically Encrypted Data Packet, which holds an encrypted message. The
25746 * message is encrypted with the session key, and the session key is itself
25747 * encrypted and stored in the Encrypted Session Key packet(s). The
25748 * Symmetrically Encrypted Data Packet is preceded by one Public-Key Encrypted
25749 * Session Key packet for each OpenPGP key to which the message is encrypted.
25750 * The recipient of the message finds a session key that is encrypted to their
25751 * public key, decrypts the session key, and then uses the session key to
25752 * decrypt the message.
25753 */
25754 class PublicKeyEncryptedSessionKeyPacket {
25755 constructor() {
25756 this.tag = enums.packet.publicKeyEncryptedSessionKey;
25757 this.version = 3;
25758
25759 this.publicKeyId = new Keyid();
25760 this.publicKeyAlgorithm = null;
25761
25762 this.sessionKey = null;
25763 this.sessionKeyAlgorithm = null;
25764
25765 /** @type {Object} */
25766 this.encrypted = {};
25767 }
25768
25769 /**
25770 * Parsing function for a publickey encrypted session key packet (tag 1).
25771 *
25772 * @param {Uint8Array} bytes - Payload of a tag 1 packet
25773 */
25774 read(bytes) {
25775 this.version = bytes[0];
25776 this.publicKeyId.read(bytes.subarray(1, bytes.length));
25777 this.publicKeyAlgorithm = enums.read(enums.publicKey, bytes[9]);
25778
25779 const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);
25780 this.encrypted = mod.parseEncSessionKeyParams(algo, bytes.subarray(10));
25781 }
25782
25783 /**
25784 * Create a binary representation of a tag 1 packet
25785 *
25786 * @returns {Uint8Array} The Uint8Array representation.
25787 */
25788 write() {
25789 const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);
25790
25791 const arr = [
25792 new Uint8Array([this.version]),
25793 this.publicKeyId.write(),
25794 new Uint8Array([enums.write(enums.publicKey, this.publicKeyAlgorithm)]),
25795 mod.serializeParams(algo, this.encrypted)
25796 ];
25797
25798 return util.concatUint8Array(arr);
25799 }
25800
25801 /**
25802 * Encrypt session key packet
25803 * @param {PublicKeyPacket} key - Public key
25804 * @returns {Boolean}
25805 * @async
25806 */
25807 async encrypt(key) {
25808 const data = util.concatUint8Array([
25809 new Uint8Array([enums.write(enums.symmetric, this.sessionKeyAlgorithm)]),
25810 this.sessionKey,
25811 util.writeChecksum(this.sessionKey)
25812 ]);
25813 const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);
25814 this.encrypted = await mod.publicKeyEncrypt(
25815 algo, key.publicParams, data, key.getFingerprintBytes());
25816 return true;
25817 }
25818
25819 /**
25820 * Decrypts the session key (only for public key encrypted session key
25821 * packets (tag 1)
25822 *
25823 * @param {SecretKeyPacket} key
25824 * Private key with secret params unlocked
25825 * @returns {Boolean}
25826 * @async
25827 */
25828 async decrypt(key) {
25829 const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);
25830 const keyAlgo = enums.write(enums.publicKey, key.algorithm);
25831 // check that session key algo matches the secret key algo
25832 if (algo !== keyAlgo) {
25833 throw new Error('Decryption error');
25834 }
25835 const decoded = await mod.publicKeyDecrypt(algo, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes());
25836 const checksum = decoded.subarray(decoded.length - 2);
25837 const sessionKey = decoded.subarray(1, decoded.length - 2);
25838 if (!util.equalsUint8Array(checksum, util.writeChecksum(sessionKey))) {
25839 throw new Error('Decryption error');
25840 } else {
25841 this.sessionKey = sessionKey;
25842 this.sessionKeyAlgorithm = enums.read(enums.symmetric, decoded[0]);
25843 }
25844 return true;
25845 }
25846 }
25847
25848 // GPG4Browsers - An OpenPGP implementation in javascript
25849
25850 class S2K {
25851 /**
25852 * @param {Object} [config] - Full configuration, defaults to openpgp.config
25853 */
25854 constructor(config = defaultConfig) {
25855 /** @type {module:enums.hash} */
25856 this.algorithm = 'sha256';
25857 /** @type {module:enums.s2k} */
25858 this.type = 'iterated';
25859 /** @type {Integer} */
25860 this.c = config.s2kIterationCountByte;
25861 /** Eight bytes of salt in a binary string.
25862 * @type {String}
25863 */
25864 this.salt = null;
25865 }
25866
25867 get_count() {
25868 // Exponent bias, defined in RFC4880
25869 const expbias = 6;
25870
25871 return (16 + (this.c & 15)) << ((this.c >> 4) + expbias);
25872 }
25873
25874 /**
25875 * Parsing function for a string-to-key specifier ({@link https://tools.ietf.org/html/rfc4880#section-3.7|RFC 4880 3.7}).
25876 * @param {String} bytes - Payload of string-to-key specifier
25877 * @returns {Integer} Actual length of the object.
25878 */
25879 read(bytes) {
25880 let i = 0;
25881 this.type = enums.read(enums.s2k, bytes[i++]);
25882 this.algorithm = bytes[i++];
25883 if (this.type !== 'gnu') {
25884 this.algorithm = enums.read(enums.hash, this.algorithm);
25885 }
25886
25887 switch (this.type) {
25888 case 'simple':
25889 break;
25890
25891 case 'salted':
25892 this.salt = bytes.subarray(i, i + 8);
25893 i += 8;
25894 break;
25895
25896 case 'iterated':
25897 this.salt = bytes.subarray(i, i + 8);
25898 i += 8;
25899
25900 // Octet 10: count, a one-octet, coded value
25901 this.c = bytes[i++];
25902 break;
25903
25904 case 'gnu':
25905 if (util.uint8ArrayToStr(bytes.subarray(i, i + 3)) === "GNU") {
25906 i += 3; // GNU
25907 const gnuExtType = 1000 + bytes[i++];
25908 if (gnuExtType === 1001) {
25909 this.type = 'gnu-dummy';
25910 // GnuPG extension mode 1001 -- don't write secret key at all
25911 } else {
25912 throw new Error("Unknown s2k gnu protection mode.");
25913 }
25914 } else {
25915 throw new Error("Unknown s2k type.");
25916 }
25917 break;
25918
25919 default:
25920 throw new Error("Unknown s2k type.");
25921 }
25922
25923 return i;
25924 }
25925
25926 /**
25927 * Serializes s2k information
25928 * @returns {Uint8Array} Binary representation of s2k.
25929 */
25930 write() {
25931 if (this.type === 'gnu-dummy') {
25932 return new Uint8Array([101, 0, ...util.strToUint8Array('GNU'), 1]);
25933 }
25934
25935 const arr = [new Uint8Array([enums.write(enums.s2k, this.type), enums.write(enums.hash, this.algorithm)])];
25936
25937 switch (this.type) {
25938 case 'simple':
25939 break;
25940 case 'salted':
25941 arr.push(this.salt);
25942 break;
25943 case 'iterated':
25944 arr.push(this.salt);
25945 arr.push(new Uint8Array([this.c]));
25946 break;
25947 case 'gnu':
25948 throw new Error("GNU s2k type not supported.");
25949 default:
25950 throw new Error("Unknown s2k type.");
25951 }
25952
25953 return util.concatUint8Array(arr);
25954 }
25955
25956 /**
25957 * Produces a key using the specified passphrase and the defined
25958 * hashAlgorithm
25959 * @param {String} passphrase - Passphrase containing user input
25960 * @returns {Uint8Array} Produced key with a length corresponding to.
25961 * hashAlgorithm hash length
25962 */
25963 async produce_key(passphrase, numBytes) {
25964 passphrase = util.encodeUtf8(passphrase);
25965 const algorithm = enums.write(enums.hash, this.algorithm);
25966
25967 const arr = [];
25968 let rlength = 0;
25969
25970 let prefixlen = 0;
25971 while (rlength < numBytes) {
25972 let toHash;
25973 switch (this.type) {
25974 case 'simple':
25975 toHash = util.concatUint8Array([new Uint8Array(prefixlen), passphrase]);
25976 break;
25977 case 'salted':
25978 toHash = util.concatUint8Array([new Uint8Array(prefixlen), this.salt, passphrase]);
25979 break;
25980 case 'iterated': {
25981 const data = util.concatUint8Array([this.salt, passphrase]);
25982 let datalen = data.length;
25983 const count = Math.max(this.get_count(), datalen);
25984 toHash = new Uint8Array(prefixlen + count);
25985 toHash.set(data, prefixlen);
25986 for (let pos = prefixlen + datalen; pos < count; pos += datalen, datalen *= 2) {
25987 toHash.copyWithin(pos, prefixlen, pos);
25988 }
25989 break;
25990 }
25991 case 'gnu':
25992 throw new Error("GNU s2k type not supported.");
25993 default:
25994 throw new Error("Unknown s2k type.");
25995 }
25996 const result = await mod.hash.digest(algorithm, toHash);
25997 arr.push(result);
25998 rlength += result.length;
25999 prefixlen++;
26000 }
26001
26002 return util.concatUint8Array(arr).subarray(0, numBytes);
26003 }
26004 }
26005
26006 // GPG4Browsers - An OpenPGP implementation in javascript
26007
26008 /**
26009 * Symmetric-Key Encrypted Session Key Packets (Tag 3)
26010 *
26011 * {@link https://tools.ietf.org/html/rfc4880#section-5.3|RFC4880 5.3}:
26012 * The Symmetric-Key Encrypted Session Key packet holds the
26013 * symmetric-key encryption of a session key used to encrypt a message.
26014 * Zero or more Public-Key Encrypted Session Key packets and/or
26015 * Symmetric-Key Encrypted Session Key packets may precede a
26016 * Symmetrically Encrypted Data packet that holds an encrypted message.
26017 * The message is encrypted with a session key, and the session key is
26018 * itself encrypted and stored in the Encrypted Session Key packet or
26019 * the Symmetric-Key Encrypted Session Key packet.
26020 */
26021 class SymEncryptedSessionKeyPacket {
26022 /**
26023 * @param {Object} [config] - Full configuration, defaults to openpgp.config
26024 */
26025 constructor(config = defaultConfig) {
26026 this.tag = enums.packet.symEncryptedSessionKey;
26027 this.version = config.aeadProtect ? 5 : 4;
26028 this.sessionKey = null;
26029 this.sessionKeyEncryptionAlgorithm = null;
26030 this.sessionKeyAlgorithm = 'aes256';
26031 this.aeadAlgorithm = enums.read(enums.aead, config.aeadMode);
26032 this.encrypted = null;
26033 this.s2k = null;
26034 this.iv = null;
26035 }
26036
26037 /**
26038 * Parsing function for a symmetric encrypted session key packet (tag 3).
26039 *
26040 * @param {Uint8Array} bytes - Payload of a tag 3 packet
26041 */
26042 read(bytes) {
26043 let offset = 0;
26044
26045 // A one-octet version number. The only currently defined version is 4.
26046 this.version = bytes[offset++];
26047
26048 // A one-octet number describing the symmetric algorithm used.
26049 const algo = enums.read(enums.symmetric, bytes[offset++]);
26050
26051 if (this.version === 5) {
26052 // A one-octet AEAD algorithm.
26053 this.aeadAlgorithm = enums.read(enums.aead, bytes[offset++]);
26054 }
26055
26056 // A string-to-key (S2K) specifier, length as defined above.
26057 this.s2k = new S2K();
26058 offset += this.s2k.read(bytes.subarray(offset, bytes.length));
26059
26060 if (this.version === 5) {
26061 const mode = mod[this.aeadAlgorithm];
26062
26063 // A starting initialization vector of size specified by the AEAD
26064 // algorithm.
26065 this.iv = bytes.subarray(offset, offset += mode.ivLength);
26066 }
26067
26068 // The encrypted session key itself, which is decrypted with the
26069 // string-to-key object. This is optional in version 4.
26070 if (this.version === 5 || offset < bytes.length) {
26071 this.encrypted = bytes.subarray(offset, bytes.length);
26072 this.sessionKeyEncryptionAlgorithm = algo;
26073 } else {
26074 this.sessionKeyAlgorithm = algo;
26075 }
26076 }
26077
26078 /**
26079 * Create a binary representation of a tag 3 packet
26080 *
26081 * @returns {Uint8Array} The Uint8Array representation.
26082 */
26083 write() {
26084 const algo = this.encrypted === null ?
26085 this.sessionKeyAlgorithm :
26086 this.sessionKeyEncryptionAlgorithm;
26087
26088 let bytes;
26089
26090 if (this.version === 5) {
26091 bytes = util.concatUint8Array([new Uint8Array([this.version, enums.write(enums.symmetric, algo), enums.write(enums.aead, this.aeadAlgorithm)]), this.s2k.write(), this.iv, this.encrypted]);
26092 } else {
26093 bytes = util.concatUint8Array([new Uint8Array([this.version, enums.write(enums.symmetric, algo)]), this.s2k.write()]);
26094
26095 if (this.encrypted !== null) {
26096 bytes = util.concatUint8Array([bytes, this.encrypted]);
26097 }
26098 }
26099
26100 return bytes;
26101 }
26102
26103 /**
26104 * Decrypts the session key
26105 * @param {String} passphrase - The passphrase in string form
26106 * @throws {Error} if decryption was not successful
26107 * @async
26108 */
26109 async decrypt(passphrase) {
26110 const algo = this.sessionKeyEncryptionAlgorithm !== null ?
26111 this.sessionKeyEncryptionAlgorithm :
26112 this.sessionKeyAlgorithm;
26113
26114 const length = mod.cipher[algo].keySize;
26115 const key = await this.s2k.produce_key(passphrase, length);
26116
26117 if (this.version === 5) {
26118 const mode = mod[this.aeadAlgorithm];
26119 const adata = new Uint8Array([0xC0 | this.tag, this.version, enums.write(enums.symmetric, this.sessionKeyEncryptionAlgorithm), enums.write(enums.aead, this.aeadAlgorithm)]);
26120 const modeInstance = await mode(algo, key);
26121 this.sessionKey = await modeInstance.decrypt(this.encrypted, this.iv, adata);
26122 } else if (this.encrypted !== null) {
26123 const decrypted = await mod.cfb.decrypt(algo, key, this.encrypted, new Uint8Array(mod.cipher[algo].blockSize));
26124
26125 this.sessionKeyAlgorithm = enums.read(enums.symmetric, decrypted[0]);
26126 this.sessionKey = decrypted.subarray(1, decrypted.length);
26127 } else {
26128 this.sessionKey = key;
26129 }
26130 }
26131
26132 /**
26133 * Encrypts the session key
26134 * @param {String} passphrase - The passphrase in string form
26135 * @param {Object} [config] - Full configuration, defaults to openpgp.config
26136 * @throws {Error} if encryption was not successful
26137 * @async
26138 */
26139 async encrypt(passphrase, config = defaultConfig) {
26140 const algo = this.sessionKeyEncryptionAlgorithm !== null ?
26141 this.sessionKeyEncryptionAlgorithm :
26142 this.sessionKeyAlgorithm;
26143
26144 this.sessionKeyEncryptionAlgorithm = algo;
26145
26146 this.s2k = new S2K(config);
26147 this.s2k.salt = await mod.random.getRandomBytes(8);
26148
26149 const length = mod.cipher[algo].keySize;
26150 const key = await this.s2k.produce_key(passphrase, length);
26151
26152 if (this.sessionKey === null) {
26153 this.sessionKey = await mod.generateSessionKey(this.sessionKeyAlgorithm);
26154 }
26155
26156 if (this.version === 5) {
26157 const mode = mod[this.aeadAlgorithm];
26158 this.iv = await mod.random.getRandomBytes(mode.ivLength); // generate new random IV
26159 const adata = new Uint8Array([0xC0 | this.tag, this.version, enums.write(enums.symmetric, this.sessionKeyEncryptionAlgorithm), enums.write(enums.aead, this.aeadAlgorithm)]);
26160 const modeInstance = await mode(algo, key);
26161 this.encrypted = await modeInstance.encrypt(this.sessionKey, this.iv, adata);
26162 } else {
26163 const algo_enum = new Uint8Array([enums.write(enums.symmetric, this.sessionKeyAlgorithm)]);
26164 const private_key = util.concatUint8Array([algo_enum, this.sessionKey]);
26165 this.encrypted = await mod.cfb.encrypt(algo, key, private_key, new Uint8Array(mod.cipher[algo].blockSize), config);
26166 }
26167 }
26168 }
26169
26170 // GPG4Browsers - An OpenPGP implementation in javascript
26171
26172 /**
26173 * Implementation of the Literal Data Packet (Tag 11)
26174 *
26175 * {@link https://tools.ietf.org/html/rfc4880#section-5.9|RFC4880 5.9}:
26176 * A Literal Data packet contains the body of a message; data that is not to be
26177 * further interpreted.
26178 */
26179 class LiteralDataPacket {
26180 /**
26181 * @param {Date} date - The creation date of the literal package
26182 */
26183 constructor(date = new Date()) {
26184 this.tag = enums.packet.literalData;
26185 this.format = 'utf8'; // default format for literal data packets
26186 this.date = util.normalizeDate(date);
26187 this.text = null; // textual data representation
26188 this.data = null; // literal data representation
26189 this.filename = '';
26190 }
26191
26192 /**
26193 * Set the packet data to a javascript native string, end of line
26194 * will be normalized to \r\n and by default text is converted to UTF8
26195 * @param {String | ReadableStream<String>} text - Any native javascript string
26196 * @param {utf8|binary|text|mime} [format] - The format of the string of bytes
26197 */
26198 setText(text, format = 'utf8') {
26199 this.format = format;
26200 this.text = text;
26201 this.data = null;
26202 }
26203
26204 /**
26205 * Returns literal data packets as native JavaScript string
26206 * with normalized end of line to \n
26207 * @param {Boolean} [clone] - Whether to return a clone so that getBytes/getText can be called again
26208 * @returns {String | ReadableStream<String>} Literal data as text.
26209 */
26210 getText(clone = false) {
26211 if (this.text === null || util.isStream(this.text)) { // Assume that this.text has been read
26212 this.text = util.decodeUtf8(util.nativeEOL(this.getBytes(clone)));
26213 }
26214 return this.text;
26215 }
26216
26217 /**
26218 * Set the packet data to value represented by the provided string of bytes.
26219 * @param {Uint8Array | ReadableStream<Uint8Array>} bytes - The string of bytes
26220 * @param {utf8|binary|text|mime} format - The format of the string of bytes
26221 */
26222 setBytes(bytes, format) {
26223 this.format = format;
26224 this.data = bytes;
26225 this.text = null;
26226 }
26227
26228
26229 /**
26230 * Get the byte sequence representing the literal packet data
26231 * @param {Boolean} [clone] - Whether to return a clone so that getBytes/getText can be called again
26232 * @returns {Uint8Array | ReadableStream<Uint8Array>} A sequence of bytes.
26233 */
26234 getBytes(clone = false) {
26235 if (this.data === null) {
26236 // encode UTF8 and normalize EOL to \r\n
26237 this.data = util.canonicalizeEOL(util.encodeUtf8(this.text));
26238 }
26239 if (clone) {
26240 return stream.passiveClone(this.data);
26241 }
26242 return this.data;
26243 }
26244
26245
26246 /**
26247 * Sets the filename of the literal packet data
26248 * @param {String} filename - Any native javascript string
26249 */
26250 setFilename(filename) {
26251 this.filename = filename;
26252 }
26253
26254
26255 /**
26256 * Get the filename of the literal packet data
26257 * @returns {String} Filename.
26258 */
26259 getFilename() {
26260 return this.filename;
26261 }
26262
26263
26264 /**
26265 * Parsing function for a literal data packet (tag 11).
26266 *
26267 * @param {Uint8Array | ReadableStream<Uint8Array>} input - Payload of a tag 11 packet
26268 * @returns {LiteralDataPacket} Object representation.
26269 */
26270 async read(bytes) {
26271 await stream.parse(bytes, async reader => {
26272 // - A one-octet field that describes how the data is formatted.
26273 const format = enums.read(enums.literal, await reader.readByte());
26274
26275 const filename_len = await reader.readByte();
26276 this.filename = util.decodeUtf8(await reader.readBytes(filename_len));
26277
26278 this.date = util.readDate(await reader.readBytes(4));
26279
26280 const data = reader.remainder();
26281
26282 this.setBytes(data, format);
26283 });
26284 }
26285
26286 /**
26287 * Creates a Uint8Array representation of the packet, excluding the data
26288 *
26289 * @returns {Uint8Array} Uint8Array representation of the packet.
26290 */
26291 writeHeader() {
26292 const filename = util.encodeUtf8(this.filename);
26293 const filename_length = new Uint8Array([filename.length]);
26294
26295 const format = new Uint8Array([enums.write(enums.literal, this.format)]);
26296 const date = util.writeDate(this.date);
26297
26298 return util.concatUint8Array([format, filename_length, filename, date]);
26299 }
26300
26301 /**
26302 * Creates a Uint8Array representation of the packet
26303 *
26304 * @returns {Uint8Array | ReadableStream<Uint8Array>} Uint8Array representation of the packet.
26305 */
26306 write() {
26307 const header = this.writeHeader();
26308 const data = this.getBytes();
26309
26310 return util.concat([header, data]);
26311 }
26312 }
26313
26314 // GPG4Browsers - An OpenPGP implementation in javascript
26315
26316 /**
26317 * Implementation of the Key Material Packet (Tag 5,6,7,14)
26318 *
26319 * {@link https://tools.ietf.org/html/rfc4880#section-5.5|RFC4480 5.5}:
26320 * A key material packet contains all the information about a public or
26321 * private key. There are four variants of this packet type, and two
26322 * major versions.
26323 *
26324 * A Public-Key packet starts a series of packets that forms an OpenPGP
26325 * key (sometimes called an OpenPGP certificate).
26326 */
26327 class PublicKeyPacket {
26328 /**
26329 * @param {Date} [date] - Creation date
26330 * @param {Object} [config] - Full configuration, defaults to openpgp.config
26331 */
26332 constructor(date = new Date(), config = defaultConfig) {
26333 /**
26334 * Packet type
26335 * @type {module:enums.packet}
26336 */
26337 this.tag = enums.packet.publicKey;
26338 /**
26339 * Packet version
26340 * @type {Integer}
26341 */
26342 this.version = config.v5Keys ? 5 : 4;
26343 /**
26344 * Key creation date.
26345 * @type {Date}
26346 */
26347 this.created = util.normalizeDate(date);
26348 /**
26349 * Public key algorithm.
26350 * @type {String}
26351 */
26352 this.algorithm = null;
26353 /**
26354 * Algorithm specific public params
26355 * @type {Object}
26356 */
26357 this.publicParams = null;
26358 /**
26359 * Time until expiration in days (V3 only)
26360 * @type {Integer}
26361 */
26362 this.expirationTimeV3 = 0;
26363 /**
26364 * Fingerprint in lowercase hex
26365 * @type {String}
26366 */
26367 this.fingerprint = null;
26368 /**
26369 * Keyid
26370 * @type {module:type/keyid~Keyid}
26371 */
26372 this.keyid = null;
26373 }
26374
26375 /**
26376 * Internal Parser for public keys as specified in {@link https://tools.ietf.org/html/rfc4880#section-5.5.2|RFC 4880 section 5.5.2 Public-Key Packet Formats}
26377 * called by read_tag&lt;num&gt;
26378 * @param {Uint8Array} bytes - Input array to read the packet from
26379 * @returns {Object} This object with attributes set by the parser.
26380 */
26381 read(bytes) {
26382 let pos = 0;
26383 // A one-octet version number (3, 4 or 5).
26384 this.version = bytes[pos++];
26385
26386 if (this.version === 4 || this.version === 5) {
26387 // - A four-octet number denoting the time that the key was created.
26388 this.created = util.readDate(bytes.subarray(pos, pos + 4));
26389 pos += 4;
26390
26391 // - A one-octet number denoting the public-key algorithm of this key.
26392 this.algorithm = enums.read(enums.publicKey, bytes[pos++]);
26393 const algo = enums.write(enums.publicKey, this.algorithm);
26394
26395 if (this.version === 5) {
26396 // - A four-octet scalar octet count for the following key material.
26397 pos += 4;
26398 }
26399
26400 // - A series of values comprising the key material.
26401 try {
26402 const { read, publicParams } = mod.parsePublicKeyParams(algo, bytes.subarray(pos));
26403 this.publicParams = publicParams;
26404 pos += read;
26405 } catch (err) {
26406 throw new Error('Error reading MPIs');
26407 }
26408
26409 return pos;
26410 }
26411 throw new Error('Version ' + this.version + ' of the key packet is unsupported.');
26412 }
26413
26414 /**
26415 * Creates an OpenPGP public key packet for the given key.
26416 * @returns {Uint8Array} Bytes encoding the public key OpenPGP packet.
26417 */
26418 write() {
26419 const arr = [];
26420 // Version
26421 arr.push(new Uint8Array([this.version]));
26422 arr.push(util.writeDate(this.created));
26423 // A one-octet number denoting the public-key algorithm of this key
26424 const algo = enums.write(enums.publicKey, this.algorithm);
26425 arr.push(new Uint8Array([algo]));
26426
26427 const params = mod.serializeParams(algo, this.publicParams);
26428 if (this.version === 5) {
26429 // A four-octet scalar octet count for the following key material
26430 arr.push(util.writeNumber(params.length, 4));
26431 }
26432 // Algorithm-specific params
26433 arr.push(params);
26434 return util.concatUint8Array(arr);
26435 }
26436
26437 /**
26438 * Write packet in order to be hashed; either for a signature or a fingerprint.
26439 */
26440 writeForHash(version) {
26441 const bytes = this.writePublicKey();
26442
26443 if (version === 5) {
26444 return util.concatUint8Array([new Uint8Array([0x9A]), util.writeNumber(bytes.length, 4), bytes]);
26445 }
26446 return util.concatUint8Array([new Uint8Array([0x99]), util.writeNumber(bytes.length, 2), bytes]);
26447 }
26448
26449 /**
26450 * Check whether secret-key data is available in decrypted form. Returns null for public keys.
26451 * @returns {Boolean|null}
26452 */
26453 isDecrypted() {
26454 return null;
26455 }
26456
26457 /**
26458 * Returns the creation time of the key
26459 * @returns {Date}
26460 */
26461 getCreationTime() {
26462 return this.created;
26463 }
26464
26465 /**
26466 * Calculates the key id of the key
26467 * @returns {module:type/keyid~Keyid} A 8 byte key id.
26468 */
26469 getKeyId() {
26470 if (this.keyid) {
26471 return this.keyid;
26472 }
26473 this.keyid = new Keyid();
26474 if (this.version === 5) {
26475 this.keyid.read(util.hexToUint8Array(this.getFingerprint()).subarray(0, 8));
26476 } else if (this.version === 4) {
26477 this.keyid.read(util.hexToUint8Array(this.getFingerprint()).subarray(12, 20));
26478 }
26479 return this.keyid;
26480 }
26481
26482 /**
26483 * Calculates the fingerprint of the key
26484 * @returns {Uint8Array} A Uint8Array containing the fingerprint.
26485 */
26486 getFingerprintBytes() {
26487 if (this.fingerprint) {
26488 return this.fingerprint;
26489 }
26490 const toHash = this.writeForHash(this.version);
26491 if (this.version === 5) {
26492 this.fingerprint = Sha256.bytes(toHash);
26493 } else if (this.version === 4) {
26494 this.fingerprint = Sha1.bytes(toHash);
26495 }
26496 return this.fingerprint;
26497 }
26498
26499 /**
26500 * Calculates the fingerprint of the key
26501 * @returns {String} A string containing the fingerprint in lowercase hex.
26502 */
26503 getFingerprint() {
26504 return util.uint8ArrayToHex(this.getFingerprintBytes());
26505 }
26506
26507 /**
26508 * Calculates whether two keys have the same fingerprint without actually calculating the fingerprint
26509 * @returns {Boolean} Whether the two keys have the same version and public key data.
26510 */
26511 hasSameFingerprintAs(other) {
26512 return this.version === other.version && util.equalsUint8Array(this.writePublicKey(), other.writePublicKey());
26513 }
26514
26515 /**
26516 * Returns algorithm information
26517 * @returns {Object} An object of the form {algorithm: String, bits:int, curve:String}.
26518 */
26519 getAlgorithmInfo() {
26520 const result = {};
26521 result.algorithm = this.algorithm;
26522 // RSA, DSA or ElGamal public modulo
26523 const modulo = this.publicParams.n || this.publicParams.p;
26524 if (modulo) {
26525 result.bits = modulo.length * 8;
26526 } else {
26527 result.curve = this.publicParams.oid.getName();
26528 }
26529 return result;
26530 }
26531 }
26532
26533 /**
26534 * Alias of read()
26535 * @see PublicKeyPacket#read
26536 */
26537 PublicKeyPacket.prototype.readPublicKey = PublicKeyPacket.prototype.read;
26538
26539 /**
26540 * Alias of write()
26541 * @see PublicKeyPacket#write
26542 */
26543 PublicKeyPacket.prototype.writePublicKey = PublicKeyPacket.prototype.write;
26544
26545 // GPG4Browsers - An OpenPGP implementation in javascript
26546
26547 /**
26548 * Implementation of the Symmetrically Encrypted Data Packet (Tag 9)
26549 *
26550 * {@link https://tools.ietf.org/html/rfc4880#section-5.7|RFC4880 5.7}:
26551 * The Symmetrically Encrypted Data packet contains data encrypted with a
26552 * symmetric-key algorithm. When it has been decrypted, it contains other
26553 * packets (usually a literal data packet or compressed data packet, but in
26554 * theory other Symmetrically Encrypted Data packets or sequences of packets
26555 * that form whole OpenPGP messages).
26556 */
26557 class SymmetricallyEncryptedDataPacket {
26558 constructor() {
26559 /**
26560 * Packet type
26561 * @type {module:enums.packet}
26562 */
26563 this.tag = enums.packet.symmetricallyEncryptedData;
26564 /**
26565 * Encrypted secret-key data
26566 */
26567 this.encrypted = null;
26568 /**
26569 * Decrypted packets contained within.
26570 * @type {PacketList}
26571 */
26572 this.packets = null;
26573 }
26574
26575 read(bytes) {
26576 this.encrypted = bytes;
26577 }
26578
26579 write() {
26580 return this.encrypted;
26581 }
26582
26583 /**
26584 * Decrypt the symmetrically-encrypted packet data
26585 * See {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC 4880 9.2} for algorithms.
26586 * @param {module:enums.symmetric} sessionKeyAlgorithm - Symmetric key algorithm to use
26587 * @param {Uint8Array} key - The key of cipher blocksize length to be used
26588 * @param {Object} [config] - Full configuration, defaults to openpgp.config
26589
26590 * @throws {Error} if decryption was not successful
26591 * @async
26592 */
26593 async decrypt(sessionKeyAlgorithm, key, streaming, config = defaultConfig) {
26594 // If MDC errors are not being ignored, all missing MDC packets in symmetrically encrypted data should throw an error
26595 if (!config.allowUnauthenticatedMessages) {
26596 throw new Error('Message is not authenticated.');
26597 }
26598
26599 const encrypted = await stream.readToEnd(stream.clone(this.encrypted));
26600 const decrypted = await mod.cfb.decrypt(sessionKeyAlgorithm, key,
26601 encrypted.subarray(mod.cipher[sessionKeyAlgorithm].blockSize + 2),
26602 encrypted.subarray(2, mod.cipher[sessionKeyAlgorithm].blockSize + 2)
26603 );
26604
26605 await this.packets.read(decrypted, {
26606 LiteralDataPacket,
26607 CompressedDataPacket,
26608 OnePassSignaturePacket,
26609 SignaturePacket
26610 }, streaming);
26611 }
26612
26613 /**
26614 * Encrypt the symmetrically-encrypted packet data
26615 * See {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC 4880 9.2} for algorithms.
26616 * @param {module:enums.symmetric} sessionKeyAlgorithm - Symmetric key algorithm to use
26617 * @param {Uint8Array} key - The key of cipher blocksize length to be used
26618 * @param {Object} [config] - Full configuration, defaults to openpgp.config
26619 * @throws {Error} if encryption was not successful
26620 * @async
26621 */
26622 async encrypt(algo, key, streaming, config = defaultConfig) {
26623 const data = this.packets.write();
26624
26625 const prefix = await mod.getPrefixRandom(algo);
26626 const FRE = await mod.cfb.encrypt(algo, key, prefix, new Uint8Array(mod.cipher[algo].blockSize), config);
26627 const ciphertext = await mod.cfb.encrypt(algo, key, data, FRE.subarray(2), config);
26628 this.encrypted = util.concat([FRE, ciphertext]);
26629 }
26630 }
26631
26632 // GPG4Browsers - An OpenPGP implementation in javascript
26633
26634 /**
26635 * Implementation of the strange "Marker packet" (Tag 10)
26636 *
26637 * {@link https://tools.ietf.org/html/rfc4880#section-5.8|RFC4880 5.8}:
26638 * An experimental version of PGP used this packet as the Literal
26639 * packet, but no released version of PGP generated Literal packets with this
26640 * tag. With PGP 5.x, this packet has been reassigned and is reserved for use as
26641 * the Marker packet.
26642 *
26643 * Such a packet MUST be ignored when received.
26644 */
26645 class MarkerPacket {
26646 constructor() {
26647 this.tag = enums.packet.marker;
26648 }
26649
26650 /**
26651 * Parsing function for a literal data packet (tag 10).
26652 *
26653 * @param {String} input - Payload of a tag 10 packet
26654 * @param {Integer} position
26655 * Position to start reading from the input string
26656 * @param {Integer} len
26657 * Length of the packet or the remaining length of
26658 * input at position
26659 * @returns {MarkerPacket} Object representation.
26660 */
26661 read(bytes) {
26662 if (bytes[0] === 0x50 && // P
26663 bytes[1] === 0x47 && // G
26664 bytes[2] === 0x50) { // P
26665 return true;
26666 }
26667 // marker packet does not contain "PGP"
26668 return false;
26669 }
26670 }
26671
26672 // GPG4Browsers - An OpenPGP implementation in javascript
26673
26674 /**
26675 * A Public-Subkey packet (tag 14) has exactly the same format as a
26676 * Public-Key packet, but denotes a subkey. One or more subkeys may be
26677 * associated with a top-level key. By convention, the top-level key
26678 * provides signature services, and the subkeys provide encryption
26679 * services.
26680 * @extends PublicKeyPacket
26681 */
26682 class PublicSubkeyPacket extends PublicKeyPacket {
26683 /**
26684 * @param {Date} [date] - Creation date
26685 * @param {Object} [config] - Full configuration, defaults to openpgp.config
26686 */
26687 constructor(date, config) {
26688 super(date, config);
26689 this.tag = enums.packet.publicSubkey;
26690 }
26691 }
26692
26693 // GPG4Browsers - An OpenPGP implementation in javascript
26694
26695 function readSimpleLength(bytes) {
26696 let len = 0;
26697 let offset;
26698 const type = bytes[0];
26699
26700
26701 if (type < 192) {
26702 [len] = bytes;
26703 offset = 1;
26704 } else if (type < 255) {
26705 len = ((bytes[0] - 192) << 8) + (bytes[1]) + 192;
26706 offset = 2;
26707 } else if (type === 255) {
26708 len = util.readNumber(bytes.subarray(1, 1 + 4));
26709 offset = 5;
26710 }
26711
26712 return {
26713 len: len,
26714 offset: offset
26715 };
26716 }
26717
26718 /**
26719 * Encodes a given integer of length to the openpgp length specifier to a
26720 * string
26721 *
26722 * @param {Integer} length - The length to encode
26723 * @returns {Uint8Array} String with openpgp length representation.
26724 */
26725 function writeSimpleLength(length) {
26726 if (length < 192) {
26727 return new Uint8Array([length]);
26728 } else if (length > 191 && length < 8384) {
26729 /*
26730 * let a = (total data packet length) - 192 let bc = two octet
26731 * representation of a let d = b + 192
26732 */
26733 return new Uint8Array([((length - 192) >> 8) + 192, (length - 192) & 0xFF]);
26734 }
26735 return util.concatUint8Array([new Uint8Array([255]), util.writeNumber(length, 4)]);
26736 }
26737
26738 function writePartialLength(power) {
26739 if (power < 0 || power > 30) {
26740 throw new Error('Partial Length power must be between 1 and 30');
26741 }
26742 return new Uint8Array([224 + power]);
26743 }
26744
26745 function writeTag(tag_type) {
26746 /* we're only generating v4 packet headers here */
26747 return new Uint8Array([0xC0 | tag_type]);
26748 }
26749
26750 /**
26751 * Writes a packet header version 4 with the given tag_type and length to a
26752 * string
26753 *
26754 * @param {Integer} tag_type - Tag type
26755 * @param {Integer} length - Length of the payload
26756 * @returns {String} String of the header.
26757 */
26758 function writeHeader(tag_type, length) {
26759 /* we're only generating v4 packet headers here */
26760 return util.concatUint8Array([writeTag(tag_type), writeSimpleLength(length)]);
26761 }
26762
26763 /**
26764 * Whether the packet type supports partial lengths per RFC4880
26765 * @param {Integer} tag_type - Tag type
26766 * @returns {Boolean} String of the header.
26767 */
26768 function supportsStreaming(tag_type) {
26769 return [
26770 enums.packet.literalData,
26771 enums.packet.compressedData,
26772 enums.packet.symmetricallyEncryptedData,
26773 enums.packet.symEncryptedIntegrityProtectedData,
26774 enums.packet.AEADEncryptedData
26775 ].includes(tag_type);
26776 }
26777
26778 /**
26779 * Generic static Packet Parser function
26780 *
26781 * @param {Uint8Array | ReadableStream<Uint8Array>} input - Input stream as string
26782 * @param {Function} callback - Function to call with the parsed packet
26783 * @returns {Boolean} Returns false if the stream was empty and parsing is done, and true otherwise.
26784 */
26785 async function readPackets(input, streaming, callback) {
26786 const reader = stream.getReader(input);
26787 let writer;
26788 let callbackReturned;
26789 try {
26790 const peekedBytes = await reader.peekBytes(2);
26791 // some sanity checks
26792 if (!peekedBytes || peekedBytes.length < 2 || (peekedBytes[0] & 0x80) === 0) {
26793 throw new Error("Error during parsing. This message / key probably does not conform to a valid OpenPGP format.");
26794 }
26795 const headerByte = await reader.readByte();
26796 let tag = -1;
26797 let format = -1;
26798 let packet_length;
26799
26800 format = 0; // 0 = old format; 1 = new format
26801 if ((headerByte & 0x40) !== 0) {
26802 format = 1;
26803 }
26804
26805 let packet_length_type;
26806 if (format) {
26807 // new format header
26808 tag = headerByte & 0x3F; // bit 5-0
26809 } else {
26810 // old format header
26811 tag = (headerByte & 0x3F) >> 2; // bit 5-2
26812 packet_length_type = headerByte & 0x03; // bit 1-0
26813 }
26814
26815 const packetSupportsStreaming = supportsStreaming(tag);
26816 let packet = null;
26817 if (streaming && packetSupportsStreaming) {
26818 const transform = new stream.TransformStream();
26819 writer = stream.getWriter(transform.writable);
26820 packet = transform.readable;
26821 callbackReturned = callback({ tag, packet });
26822 } else {
26823 packet = [];
26824 }
26825
26826 let wasPartialLength;
26827 do {
26828 if (!format) {
26829 // 4.2.1. Old Format Packet Lengths
26830 switch (packet_length_type) {
26831 case 0:
26832 // The packet has a one-octet length. The header is 2 octets
26833 // long.
26834 packet_length = await reader.readByte();
26835 break;
26836 case 1:
26837 // The packet has a two-octet length. The header is 3 octets
26838 // long.
26839 packet_length = (await reader.readByte() << 8) | await reader.readByte();
26840 break;
26841 case 2:
26842 // The packet has a four-octet length. The header is 5
26843 // octets long.
26844 packet_length = (await reader.readByte() << 24) | (await reader.readByte() << 16) | (await reader.readByte() <<
26845 8) | await reader.readByte();
26846 break;
26847 default:
26848 // 3 - The packet is of indeterminate length. The header is 1
26849 // octet long, and the implementation must determine how long
26850 // the packet is. If the packet is in a file, this means that
26851 // the packet extends until the end of the file. In general,
26852 // an implementation SHOULD NOT use indeterminate-length
26853 // packets except where the end of the data will be clear
26854 // from the context, and even then it is better to use a
26855 // definite length, or a new format header. The new format
26856 // headers described below have a mechanism for precisely
26857 // encoding data of indeterminate length.
26858 packet_length = Infinity;
26859 break;
26860 }
26861 } else { // 4.2.2. New Format Packet Lengths
26862 // 4.2.2.1. One-Octet Lengths
26863 const lengthByte = await reader.readByte();
26864 wasPartialLength = false;
26865 if (lengthByte < 192) {
26866 packet_length = lengthByte;
26867 // 4.2.2.2. Two-Octet Lengths
26868 } else if (lengthByte >= 192 && lengthByte < 224) {
26869 packet_length = ((lengthByte - 192) << 8) + (await reader.readByte()) + 192;
26870 // 4.2.2.4. Partial Body Lengths
26871 } else if (lengthByte > 223 && lengthByte < 255) {
26872 packet_length = 1 << (lengthByte & 0x1F);
26873 wasPartialLength = true;
26874 if (!packetSupportsStreaming) {
26875 throw new TypeError('This packet type does not support partial lengths.');
26876 }
26877 // 4.2.2.3. Five-Octet Lengths
26878 } else {
26879 packet_length = (await reader.readByte() << 24) | (await reader.readByte() << 16) | (await reader.readByte() <<
26880 8) | await reader.readByte();
26881 }
26882 }
26883 if (packet_length > 0) {
26884 let bytesRead = 0;
26885 while (true) {
26886 if (writer) await writer.ready;
26887 const { done, value } = await reader.read();
26888 if (done) {
26889 if (packet_length === Infinity) break;
26890 throw new Error('Unexpected end of packet');
26891 }
26892 const chunk = packet_length === Infinity ? value : value.subarray(0, packet_length - bytesRead);
26893 if (writer) await writer.write(chunk);
26894 else packet.push(chunk);
26895 bytesRead += value.length;
26896 if (bytesRead >= packet_length) {
26897 reader.unshift(value.subarray(packet_length - bytesRead + value.length));
26898 break;
26899 }
26900 }
26901 }
26902 } while (wasPartialLength);
26903
26904 // If this was not a packet that "supports streaming", we peek to check
26905 // whether it is the last packet in the message. We peek 2 bytes instead
26906 // of 1 because the beginning of this function also peeks 2 bytes, and we
26907 // want to cut a `subarray` of the correct length into `web-stream-tools`'
26908 // `externalBuffer` as a tiny optimization here.
26909 //
26910 // If it *was* a streaming packet (i.e. the data packets), we peek at the
26911 // entire remainder of the stream, in order to forward errors in the
26912 // remainder of the stream to the packet data. (Note that this means we
26913 // read/peek at all signature packets before closing the literal data
26914 // packet, for example.) This forwards MDC errors to the literal data
26915 // stream, for example, so that they don't get lost / forgotten on
26916 // decryptedMessage.packets.stream, which we never look at.
26917 //
26918 // An example of what we do when stream-parsing a message containing
26919 // [ one-pass signature packet, literal data packet, signature packet ]:
26920 // 1. Read the one-pass signature packet
26921 // 2. Peek 2 bytes of the literal data packet
26922 // 3. Parse the one-pass signature packet
26923 //
26924 // 4. Read the literal data packet, simultaneously stream-parsing it
26925 // 5. Peek until the end of the message
26926 // 6. Finish parsing the literal data packet
26927 //
26928 // 7. Read the signature packet again (we already peeked at it in step 5)
26929 // 8. Peek at the end of the stream again (`peekBytes` returns undefined)
26930 // 9. Parse the signature packet
26931 //
26932 // Note that this means that if there's an error in the very end of the
26933 // stream, such as an MDC error, we throw in step 5 instead of in step 8
26934 // (or never), which is the point of this exercise.
26935 const nextPacket = await reader.peekBytes(packetSupportsStreaming ? Infinity : 2);
26936 if (writer) {
26937 await writer.ready;
26938 await writer.close();
26939 } else {
26940 packet = util.concatUint8Array(packet);
26941 await callback({ tag, packet });
26942 }
26943 return !nextPacket || !nextPacket.length;
26944 } catch (e) {
26945 if (writer) {
26946 await writer.abort(e);
26947 return true;
26948 } else {
26949 throw e;
26950 }
26951 } finally {
26952 if (writer) {
26953 await callbackReturned;
26954 }
26955 reader.releaseLock();
26956 }
26957 }
26958
26959 // GPG4Browsers - An OpenPGP implementation in javascript
26960
26961 /**
26962 * Implementation of the User Attribute Packet (Tag 17)
26963 *
26964 * The User Attribute packet is a variation of the User ID packet. It
26965 * is capable of storing more types of data than the User ID packet,
26966 * which is limited to text. Like the User ID packet, a User Attribute
26967 * packet may be certified by the key owner ("self-signed") or any other
26968 * key owner who cares to certify it. Except as noted, a User Attribute
26969 * packet may be used anywhere that a User ID packet may be used.
26970 *
26971 * While User Attribute packets are not a required part of the OpenPGP
26972 * standard, implementations SHOULD provide at least enough
26973 * compatibility to properly handle a certification signature on the
26974 * User Attribute packet. A simple way to do this is by treating the
26975 * User Attribute packet as a User ID packet with opaque contents, but
26976 * an implementation may use any method desired.
26977 */
26978 class UserAttributePacket {
26979 constructor() {
26980 this.tag = enums.packet.userAttribute;
26981 this.attributes = [];
26982 }
26983
26984 /**
26985 * parsing function for a user attribute packet (tag 17).
26986 * @param {Uint8Array} input - Payload of a tag 17 packet
26987 */
26988 read(bytes) {
26989 let i = 0;
26990 while (i < bytes.length) {
26991 const len = readSimpleLength(bytes.subarray(i, bytes.length));
26992 i += len.offset;
26993
26994 this.attributes.push(util.uint8ArrayToStr(bytes.subarray(i, i + len.len)));
26995 i += len.len;
26996 }
26997 }
26998
26999 /**
27000 * Creates a binary representation of the user attribute packet
27001 * @returns {Uint8Array} String representation.
27002 */
27003 write() {
27004 const arr = [];
27005 for (let i = 0; i < this.attributes.length; i++) {
27006 arr.push(writeSimpleLength(this.attributes[i].length));
27007 arr.push(util.strToUint8Array(this.attributes[i]));
27008 }
27009 return util.concatUint8Array(arr);
27010 }
27011
27012 /**
27013 * Compare for equality
27014 * @param {UserAttributePacket} usrAttr
27015 * @returns {Boolean} True if equal.
27016 */
27017 equals(usrAttr) {
27018 if (!usrAttr || !(usrAttr instanceof UserAttributePacket)) {
27019 return false;
27020 }
27021 return this.attributes.every(function(attr, index) {
27022 return attr === usrAttr.attributes[index];
27023 });
27024 }
27025 }
27026
27027 // GPG4Browsers - An OpenPGP implementation in javascript
27028
27029 /**
27030 * Implementation of the Signature Packet (Tag 2)
27031 *
27032 * {@link https://tools.ietf.org/html/rfc4880#section-5.2|RFC4480 5.2}:
27033 * A Signature packet describes a binding between some public key and
27034 * some data. The most common signatures are a signature of a file or a
27035 * block of text, and a signature that is a certification of a User ID.
27036 */
27037 class SignaturePacket {
27038 /**
27039 * @param {Date} date - The creation date of the signature
27040 */
27041 constructor(date = new Date()) {
27042 this.tag = enums.packet.signature;
27043 this.version = 4; // This is set to 5 below if we sign with a V5 key.
27044 this.signatureType = null;
27045 this.hashAlgorithm = null;
27046 this.publicKeyAlgorithm = null;
27047
27048 this.signatureData = null;
27049 this.unhashedSubpackets = [];
27050 this.signedHashValue = null;
27051
27052 this.created = util.normalizeDate(date);
27053 this.signatureExpirationTime = null;
27054 this.signatureNeverExpires = true;
27055 this.exportable = null;
27056 this.trustLevel = null;
27057 this.trustAmount = null;
27058 this.regularExpression = null;
27059 this.revocable = null;
27060 this.keyExpirationTime = null;
27061 this.keyNeverExpires = null;
27062 this.preferredSymmetricAlgorithms = null;
27063 this.revocationKeyClass = null;
27064 this.revocationKeyAlgorithm = null;
27065 this.revocationKeyFingerprint = null;
27066 this.issuerKeyId = new Keyid();
27067 this.rawNotations = [];
27068 this.notations = {};
27069 this.preferredHashAlgorithms = null;
27070 this.preferredCompressionAlgorithms = null;
27071 this.keyServerPreferences = null;
27072 this.preferredKeyServer = null;
27073 this.isPrimaryUserID = null;
27074 this.policyURI = null;
27075 this.keyFlags = null;
27076 this.signersUserId = null;
27077 this.reasonForRevocationFlag = null;
27078 this.reasonForRevocationString = null;
27079 this.features = null;
27080 this.signatureTargetPublicKeyAlgorithm = null;
27081 this.signatureTargetHashAlgorithm = null;
27082 this.signatureTargetHash = null;
27083 this.embeddedSignature = null;
27084 this.issuerKeyVersion = null;
27085 this.issuerFingerprint = null;
27086 this.preferredAeadAlgorithms = null;
27087
27088 this.verified = null;
27089 this.revoked = null;
27090 }
27091
27092 /**
27093 * parsing function for a signature packet (tag 2).
27094 * @param {String} bytes - Payload of a tag 2 packet
27095 * @returns {SignaturePacket} Object representation.
27096 */
27097 read(bytes) {
27098 let i = 0;
27099 this.version = bytes[i++];
27100
27101 if (this.version !== 4 && this.version !== 5) {
27102 throw new Error('Version ' + this.version + ' of the signature is unsupported.');
27103 }
27104
27105 this.signatureType = bytes[i++];
27106 this.publicKeyAlgorithm = bytes[i++];
27107 this.hashAlgorithm = bytes[i++];
27108
27109 // hashed subpackets
27110 i += this.read_sub_packets(bytes.subarray(i, bytes.length), true);
27111
27112 // A V4 signature hashes the packet body
27113 // starting from its first field, the version number, through the end
27114 // of the hashed subpacket data. Thus, the fields hashed are the
27115 // signature version, the signature type, the public-key algorithm, the
27116 // hash algorithm, the hashed subpacket length, and the hashed
27117 // subpacket body.
27118 this.signatureData = bytes.subarray(0, i);
27119
27120 // unhashed subpackets
27121 i += this.read_sub_packets(bytes.subarray(i, bytes.length), false);
27122
27123 // Two-octet field holding left 16 bits of signed hash value.
27124 this.signedHashValue = bytes.subarray(i, i + 2);
27125 i += 2;
27126
27127 this.params = mod.signature.parseSignatureParams(this.publicKeyAlgorithm, bytes.subarray(i, bytes.length));
27128 }
27129
27130 /**
27131 * @returns {Uint8Array | ReadableStream<Uint8Array>}
27132 */
27133 write_params() {
27134 if (this.params instanceof Promise) {
27135 return stream.fromAsync(
27136 async () => mod.serializeParams(this.publicKeyAlgorithm, await this.params)
27137 );
27138 }
27139 return mod.serializeParams(this.publicKeyAlgorithm, this.params);
27140 }
27141
27142 write() {
27143 const arr = [];
27144 arr.push(this.signatureData);
27145 arr.push(this.write_unhashed_sub_packets());
27146 arr.push(this.signedHashValue);
27147 arr.push(this.write_params());
27148 return util.concat(arr);
27149 }
27150
27151 /**
27152 * Signs provided data. This needs to be done prior to serialization.
27153 * @param {SecretKeyPacket} key - Private key used to sign the message.
27154 * @param {Object} data - Contains packets to be signed.
27155 * @param {Boolean} [detached] - Whether to create a detached signature
27156 * @param {Boolean} [streaming] - Whether to process data as a stream
27157 * @throws {Error} if signing failed
27158 * @async
27159 */
27160 async sign(key, data, detached = false, streaming = false) {
27161 const signatureType = enums.write(enums.signature, this.signatureType);
27162 const publicKeyAlgorithm = enums.write(enums.publicKey, this.publicKeyAlgorithm);
27163 const hashAlgorithm = enums.write(enums.hash, this.hashAlgorithm);
27164
27165 if (key.version === 5) {
27166 this.version = 5;
27167 }
27168 const arr = [new Uint8Array([this.version, signatureType, publicKeyAlgorithm, hashAlgorithm])];
27169
27170 this.issuerKeyVersion = key.version;
27171 this.issuerFingerprint = key.getFingerprintBytes();
27172 this.issuerKeyId = key.getKeyId();
27173
27174 // Add hashed subpackets
27175 arr.push(this.write_hashed_sub_packets());
27176
27177 this.signatureData = util.concat(arr);
27178
27179 const toHash = this.toHash(signatureType, data, detached);
27180 const hash = await this.hash(signatureType, data, toHash, detached);
27181
27182 this.signedHashValue = stream.slice(stream.clone(hash), 0, 2);
27183 const signed = async () => mod.signature.sign(
27184 publicKeyAlgorithm, hashAlgorithm, key.publicParams, key.privateParams, toHash, await stream.readToEnd(hash)
27185 );
27186 if (streaming) {
27187 this.params = signed();
27188 } else {
27189 this.params = await signed();
27190
27191 // Store the fact that this signature is valid, e.g. for when we call `await
27192 // getLatestValidSignature(this.revocationSignatures, key, data)` later.
27193 // Note that this only holds up if the key and data passed to verify are the
27194 // same as the ones passed to sign.
27195 this.verified = true;
27196 }
27197 }
27198
27199 /**
27200 * Creates Uint8Array of bytes of all subpacket data except Issuer and Embedded Signature subpackets
27201 * @returns {Uint8Array} Subpacket data.
27202 */
27203 write_hashed_sub_packets() {
27204 const sub = enums.signatureSubpacket;
27205 const arr = [];
27206 let bytes;
27207 if (this.created !== null) {
27208 arr.push(write_sub_packet(sub.signatureCreationTime, util.writeDate(this.created)));
27209 }
27210 if (this.signatureExpirationTime !== null) {
27211 arr.push(write_sub_packet(sub.signatureExpirationTime, util.writeNumber(this.signatureExpirationTime, 4)));
27212 }
27213 if (this.exportable !== null) {
27214 arr.push(write_sub_packet(sub.exportableCertification, new Uint8Array([this.exportable ? 1 : 0])));
27215 }
27216 if (this.trustLevel !== null) {
27217 bytes = new Uint8Array([this.trustLevel, this.trustAmount]);
27218 arr.push(write_sub_packet(sub.trustSignature, bytes));
27219 }
27220 if (this.regularExpression !== null) {
27221 arr.push(write_sub_packet(sub.regularExpression, this.regularExpression));
27222 }
27223 if (this.revocable !== null) {
27224 arr.push(write_sub_packet(sub.revocable, new Uint8Array([this.revocable ? 1 : 0])));
27225 }
27226 if (this.keyExpirationTime !== null) {
27227 arr.push(write_sub_packet(sub.keyExpirationTime, util.writeNumber(this.keyExpirationTime, 4)));
27228 }
27229 if (this.preferredSymmetricAlgorithms !== null) {
27230 bytes = util.strToUint8Array(util.uint8ArrayToStr(this.preferredSymmetricAlgorithms));
27231 arr.push(write_sub_packet(sub.preferredSymmetricAlgorithms, bytes));
27232 }
27233 if (this.revocationKeyClass !== null) {
27234 bytes = new Uint8Array([this.revocationKeyClass, this.revocationKeyAlgorithm]);
27235 bytes = util.concat([bytes, this.revocationKeyFingerprint]);
27236 arr.push(write_sub_packet(sub.revocationKey, bytes));
27237 }
27238 this.rawNotations.forEach(([{ name, value, humanReadable }]) => {
27239 bytes = [new Uint8Array([humanReadable ? 0x80 : 0, 0, 0, 0])];
27240 // 2 octets of name length
27241 bytes.push(util.writeNumber(name.length, 2));
27242 // 2 octets of value length
27243 bytes.push(util.writeNumber(value.length, 2));
27244 bytes.push(util.strToUint8Array(name));
27245 bytes.push(value);
27246 bytes = util.concat(bytes);
27247 arr.push(write_sub_packet(sub.notationData, bytes));
27248 });
27249 if (this.preferredHashAlgorithms !== null) {
27250 bytes = util.strToUint8Array(util.uint8ArrayToStr(this.preferredHashAlgorithms));
27251 arr.push(write_sub_packet(sub.preferredHashAlgorithms, bytes));
27252 }
27253 if (this.preferredCompressionAlgorithms !== null) {
27254 bytes = util.strToUint8Array(util.uint8ArrayToStr(this.preferredCompressionAlgorithms));
27255 arr.push(write_sub_packet(sub.preferredCompressionAlgorithms, bytes));
27256 }
27257 if (this.keyServerPreferences !== null) {
27258 bytes = util.strToUint8Array(util.uint8ArrayToStr(this.keyServerPreferences));
27259 arr.push(write_sub_packet(sub.keyServerPreferences, bytes));
27260 }
27261 if (this.preferredKeyServer !== null) {
27262 arr.push(write_sub_packet(sub.preferredKeyServer, util.strToUint8Array(this.preferredKeyServer)));
27263 }
27264 if (this.isPrimaryUserID !== null) {
27265 arr.push(write_sub_packet(sub.primaryUserId, new Uint8Array([this.isPrimaryUserID ? 1 : 0])));
27266 }
27267 if (this.policyURI !== null) {
27268 arr.push(write_sub_packet(sub.policyUri, util.strToUint8Array(this.policyURI)));
27269 }
27270 if (this.keyFlags !== null) {
27271 bytes = util.strToUint8Array(util.uint8ArrayToStr(this.keyFlags));
27272 arr.push(write_sub_packet(sub.keyFlags, bytes));
27273 }
27274 if (this.signersUserId !== null) {
27275 arr.push(write_sub_packet(sub.signersUserId, util.strToUint8Array(this.signersUserId)));
27276 }
27277 if (this.reasonForRevocationFlag !== null) {
27278 bytes = util.strToUint8Array(String.fromCharCode(this.reasonForRevocationFlag) + this.reasonForRevocationString);
27279 arr.push(write_sub_packet(sub.reasonForRevocation, bytes));
27280 }
27281 if (this.features !== null) {
27282 bytes = util.strToUint8Array(util.uint8ArrayToStr(this.features));
27283 arr.push(write_sub_packet(sub.features, bytes));
27284 }
27285 if (this.signatureTargetPublicKeyAlgorithm !== null) {
27286 bytes = [new Uint8Array([this.signatureTargetPublicKeyAlgorithm, this.signatureTargetHashAlgorithm])];
27287 bytes.push(util.strToUint8Array(this.signatureTargetHash));
27288 bytes = util.concat(bytes);
27289 arr.push(write_sub_packet(sub.signatureTarget, bytes));
27290 }
27291 if (this.preferredAeadAlgorithms !== null) {
27292 bytes = util.strToUint8Array(util.uint8ArrayToStr(this.preferredAeadAlgorithms));
27293 arr.push(write_sub_packet(sub.preferredAeadAlgorithms, bytes));
27294 }
27295
27296 const result = util.concat(arr);
27297 const length = util.writeNumber(result.length, 2);
27298
27299 return util.concat([length, result]);
27300 }
27301
27302 /**
27303 * Creates Uint8Array of bytes of Issuer and Embedded Signature subpackets
27304 * @returns {Uint8Array} Subpacket data.
27305 */
27306 write_unhashed_sub_packets() {
27307 const sub = enums.signatureSubpacket;
27308 const arr = [];
27309 let bytes;
27310 if (!this.issuerKeyId.isNull() && this.issuerKeyVersion !== 5) {
27311 // If the version of [the] key is greater than 4, this subpacket
27312 // MUST NOT be included in the signature.
27313 arr.push(write_sub_packet(sub.issuer, this.issuerKeyId.write()));
27314 }
27315 if (this.embeddedSignature !== null) {
27316 arr.push(write_sub_packet(sub.embeddedSignature, this.embeddedSignature.write()));
27317 }
27318 if (this.issuerFingerprint !== null) {
27319 bytes = [new Uint8Array([this.issuerKeyVersion]), this.issuerFingerprint];
27320 bytes = util.concat(bytes);
27321 arr.push(write_sub_packet(sub.issuerFingerprint, bytes));
27322 }
27323 this.unhashedSubpackets.forEach(data => {
27324 arr.push(writeSimpleLength(data.length));
27325 arr.push(data);
27326 });
27327
27328 const result = util.concat(arr);
27329 const length = util.writeNumber(result.length, 2);
27330
27331 return util.concat([length, result]);
27332 }
27333
27334 // V4 signature sub packets
27335
27336 read_sub_packet(bytes, trusted = true) {
27337 let mypos = 0;
27338
27339 const read_array = (prop, bytes) => {
27340 this[prop] = [];
27341
27342 for (let i = 0; i < bytes.length; i++) {
27343 this[prop].push(bytes[i]);
27344 }
27345 };
27346
27347 // The leftmost bit denotes a "critical" packet
27348 const critical = bytes[mypos] & 0x80;
27349 const type = bytes[mypos] & 0x7F;
27350
27351 // GPG puts the Issuer and Signature subpackets in the unhashed area.
27352 // Tampering with those invalidates the signature, so we can trust them.
27353 // Ignore all other unhashed subpackets.
27354 if (!trusted && ![
27355 enums.signatureSubpacket.issuer,
27356 enums.signatureSubpacket.issuerFingerprint,
27357 enums.signatureSubpacket.embeddedSignature
27358 ].includes(type)) {
27359 this.unhashedSubpackets.push(bytes.subarray(mypos, bytes.length));
27360 return;
27361 }
27362
27363 mypos++;
27364
27365 // subpacket type
27366 switch (type) {
27367 case 2:
27368 // Signature Creation Time
27369 this.created = util.readDate(bytes.subarray(mypos, bytes.length));
27370 break;
27371 case 3: {
27372 // Signature Expiration Time in seconds
27373 const seconds = util.readNumber(bytes.subarray(mypos, bytes.length));
27374
27375 this.signatureNeverExpires = seconds === 0;
27376 this.signatureExpirationTime = seconds;
27377
27378 break;
27379 }
27380 case 4:
27381 // Exportable Certification
27382 this.exportable = bytes[mypos++] === 1;
27383 break;
27384 case 5:
27385 // Trust Signature
27386 this.trustLevel = bytes[mypos++];
27387 this.trustAmount = bytes[mypos++];
27388 break;
27389 case 6:
27390 // Regular Expression
27391 this.regularExpression = bytes[mypos];
27392 break;
27393 case 7:
27394 // Revocable
27395 this.revocable = bytes[mypos++] === 1;
27396 break;
27397 case 9: {
27398 // Key Expiration Time in seconds
27399 const seconds = util.readNumber(bytes.subarray(mypos, bytes.length));
27400
27401 this.keyExpirationTime = seconds;
27402 this.keyNeverExpires = seconds === 0;
27403
27404 break;
27405 }
27406 case 11:
27407 // Preferred Symmetric Algorithms
27408 read_array('preferredSymmetricAlgorithms', bytes.subarray(mypos, bytes.length));
27409 break;
27410 case 12:
27411 // Revocation Key
27412 // (1 octet of class, 1 octet of public-key algorithm ID, 20
27413 // octets of
27414 // fingerprint)
27415 this.revocationKeyClass = bytes[mypos++];
27416 this.revocationKeyAlgorithm = bytes[mypos++];
27417 this.revocationKeyFingerprint = bytes.subarray(mypos, mypos + 20);
27418 break;
27419
27420 case 16:
27421 // Issuer
27422 this.issuerKeyId.read(bytes.subarray(mypos, bytes.length));
27423 break;
27424
27425 case 20: {
27426 // Notation Data
27427 const humanReadable = !!(bytes[mypos] & 0x80);
27428
27429 // We extract key/value tuple from the byte stream.
27430 mypos += 4;
27431 const m = util.readNumber(bytes.subarray(mypos, mypos + 2));
27432 mypos += 2;
27433 const n = util.readNumber(bytes.subarray(mypos, mypos + 2));
27434 mypos += 2;
27435
27436 const name = util.uint8ArrayToStr(bytes.subarray(mypos, mypos + m));
27437 const value = bytes.subarray(mypos + m, mypos + m + n);
27438
27439 this.rawNotations.push({ name, humanReadable, value, critical });
27440
27441 if (humanReadable) {
27442 this.notations[name] = util.uint8ArrayToStr(value);
27443 }
27444 break;
27445 }
27446 case 21:
27447 // Preferred Hash Algorithms
27448 read_array('preferredHashAlgorithms', bytes.subarray(mypos, bytes.length));
27449 break;
27450 case 22:
27451 // Preferred Compression Algorithms
27452 read_array('preferredCompressionAlgorithms', bytes.subarray(mypos, bytes.length));
27453 break;
27454 case 23:
27455 // Key Server Preferences
27456 read_array('keyServerPreferences', bytes.subarray(mypos, bytes.length));
27457 break;
27458 case 24:
27459 // Preferred Key Server
27460 this.preferredKeyServer = util.uint8ArrayToStr(bytes.subarray(mypos, bytes.length));
27461 break;
27462 case 25:
27463 // Primary User ID
27464 this.isPrimaryUserID = bytes[mypos++] !== 0;
27465 break;
27466 case 26:
27467 // Policy URI
27468 this.policyURI = util.uint8ArrayToStr(bytes.subarray(mypos, bytes.length));
27469 break;
27470 case 27:
27471 // Key Flags
27472 read_array('keyFlags', bytes.subarray(mypos, bytes.length));
27473 break;
27474 case 28:
27475 // Signer's User ID
27476 this.signersUserId = util.uint8ArrayToStr(bytes.subarray(mypos, bytes.length));
27477 break;
27478 case 29:
27479 // Reason for Revocation
27480 this.reasonForRevocationFlag = bytes[mypos++];
27481 this.reasonForRevocationString = util.uint8ArrayToStr(bytes.subarray(mypos, bytes.length));
27482 break;
27483 case 30:
27484 // Features
27485 read_array('features', bytes.subarray(mypos, bytes.length));
27486 break;
27487 case 31: {
27488 // Signature Target
27489 // (1 octet public-key algorithm, 1 octet hash algorithm, N octets hash)
27490 this.signatureTargetPublicKeyAlgorithm = bytes[mypos++];
27491 this.signatureTargetHashAlgorithm = bytes[mypos++];
27492
27493 const len = mod.getHashByteLength(this.signatureTargetHashAlgorithm);
27494
27495 this.signatureTargetHash = util.uint8ArrayToStr(bytes.subarray(mypos, mypos + len));
27496 break;
27497 }
27498 case 32:
27499 // Embedded Signature
27500 this.embeddedSignature = new SignaturePacket();
27501 this.embeddedSignature.read(bytes.subarray(mypos, bytes.length));
27502 break;
27503 case 33:
27504 // Issuer Fingerprint
27505 this.issuerKeyVersion = bytes[mypos++];
27506 this.issuerFingerprint = bytes.subarray(mypos, bytes.length);
27507 if (this.issuerKeyVersion === 5) {
27508 this.issuerKeyId.read(this.issuerFingerprint);
27509 } else {
27510 this.issuerKeyId.read(this.issuerFingerprint.subarray(-8));
27511 }
27512 break;
27513 case 34:
27514 // Preferred AEAD Algorithms
27515 read_array.call(this, 'preferredAeadAlgorithms', bytes.subarray(mypos, bytes.length));
27516 break;
27517 default: {
27518 const err = new Error("Unknown signature subpacket type " + type + " @:" + mypos);
27519 if (critical) {
27520 throw err;
27521 } else {
27522 util.printDebug(err);
27523 }
27524 }
27525 }
27526 }
27527
27528 read_sub_packets(bytes, trusted = true, config) {
27529 // Two-octet scalar octet count for following subpacket data.
27530 const subpacket_length = util.readNumber(bytes.subarray(0, 2));
27531
27532 let i = 2;
27533
27534 // subpacket data set (zero or more subpackets)
27535 while (i < 2 + subpacket_length) {
27536 const len = readSimpleLength(bytes.subarray(i, bytes.length));
27537 i += len.offset;
27538
27539 this.read_sub_packet(bytes.subarray(i, i + len.len), trusted, config);
27540
27541 i += len.len;
27542 }
27543
27544 return i;
27545 }
27546
27547 // Produces data to produce signature on
27548 toSign(type, data) {
27549 const t = enums.signature;
27550
27551 switch (type) {
27552 case t.binary:
27553 if (data.text !== null) {
27554 return util.encodeUtf8(data.getText(true));
27555 }
27556 return data.getBytes(true);
27557
27558 case t.text: {
27559 const bytes = data.getBytes(true);
27560 // normalize EOL to \r\n
27561 return util.canonicalizeEOL(bytes);
27562 }
27563 case t.standalone:
27564 return new Uint8Array(0);
27565
27566 case t.certGeneric:
27567 case t.certPersona:
27568 case t.certCasual:
27569 case t.certPositive:
27570 case t.certRevocation: {
27571 let packet;
27572 let tag;
27573
27574 if (data.userId) {
27575 tag = 0xB4;
27576 packet = data.userId;
27577 } else if (data.userAttribute) {
27578 tag = 0xD1;
27579 packet = data.userAttribute;
27580 } else {
27581 throw new Error('Either a userId or userAttribute packet needs to be ' +
27582 'supplied for certification.');
27583 }
27584
27585 const bytes = packet.write();
27586
27587 return util.concat([this.toSign(t.key, data),
27588 new Uint8Array([tag]),
27589 util.writeNumber(bytes.length, 4),
27590 bytes]);
27591 }
27592 case t.subkeyBinding:
27593 case t.subkeyRevocation:
27594 case t.keyBinding:
27595 return util.concat([this.toSign(t.key, data), this.toSign(t.key, {
27596 key: data.bind
27597 })]);
27598
27599 case t.key:
27600 if (data.key === undefined) {
27601 throw new Error('Key packet is required for this signature.');
27602 }
27603 return data.key.writeForHash(this.version);
27604
27605 case t.keyRevocation:
27606 return this.toSign(t.key, data);
27607 case t.timestamp:
27608 return new Uint8Array(0);
27609 case t.thirdParty:
27610 throw new Error('Not implemented');
27611 default:
27612 throw new Error('Unknown signature type.');
27613 }
27614 }
27615
27616 calculateTrailer(data, detached) {
27617 let length = 0;
27618 return stream.transform(stream.clone(this.signatureData), value => {
27619 length += value.length;
27620 }, () => {
27621 const arr = [];
27622 if (this.version === 5 && (this.signatureType === enums.signature.binary || this.signatureType === enums.signature.text)) {
27623 if (detached) {
27624 arr.push(new Uint8Array(6));
27625 } else {
27626 arr.push(data.writeHeader());
27627 }
27628 }
27629 arr.push(new Uint8Array([this.version, 0xFF]));
27630 if (this.version === 5) {
27631 arr.push(new Uint8Array(4));
27632 }
27633 arr.push(util.writeNumber(length, 4));
27634 // For v5, this should really be writeNumber(length, 8) rather than the
27635 // hardcoded 4 zero bytes above
27636 return util.concat(arr);
27637 });
27638 }
27639
27640 toHash(signatureType, data, detached = false) {
27641 const bytes = this.toSign(signatureType, data);
27642
27643 return util.concat([bytes, this.signatureData, this.calculateTrailer(data, detached)]);
27644 }
27645
27646 async hash(signatureType, data, toHash, detached = false, streaming = true) {
27647 const hashAlgorithm = enums.write(enums.hash, this.hashAlgorithm);
27648 if (!toHash) toHash = this.toHash(signatureType, data, detached);
27649 if (!streaming && util.isStream(toHash)) {
27650 return stream.fromAsync(async () => this.hash(signatureType, data, await stream.readToEnd(toHash), detached));
27651 }
27652 return mod.hash.digest(hashAlgorithm, toHash);
27653 }
27654
27655 /**
27656 * verifies the signature packet. Note: not all signature types are implemented
27657 * @param {PublicSubkeyPacket|PublicKeyPacket|
27658 * SecretSubkeyPacket|SecretKeyPacket} key the public key to verify the signature
27659 * @param {module:enums.signature} signatureType - Expected signature type
27660 * @param {String|Object} data - Data which on the signature applies
27661 * @param {Boolean} [detached] - Whether to verify a detached signature
27662 * @param {Boolean} [streaming] - Whether to process data as a stream
27663 * @param {Object} [config] - Full configuration, defaults to openpgp.config
27664 * @throws {Error} if signature validation failed
27665 * @async
27666 */
27667 async verify(key, signatureType, data, detached = false, streaming = false, config = defaultConfig) {
27668 const publicKeyAlgorithm = enums.write(enums.publicKey, this.publicKeyAlgorithm);
27669 const hashAlgorithm = enums.write(enums.hash, this.hashAlgorithm);
27670
27671 if (publicKeyAlgorithm !== enums.write(enums.publicKey, key.algorithm)) {
27672 throw new Error('Public key algorithm used to sign signature does not match issuer key algorithm.');
27673 }
27674
27675 let toHash;
27676 let hash;
27677 if (this.hashed) {
27678 hash = await this.hashed;
27679 } else {
27680 toHash = this.toHash(signatureType, data, detached);
27681 if (!streaming) toHash = await stream.readToEnd(toHash);
27682 hash = await this.hash(signatureType, data, toHash);
27683 }
27684 hash = await stream.readToEnd(hash);
27685 if (this.signedHashValue[0] !== hash[0] ||
27686 this.signedHashValue[1] !== hash[1]) {
27687 throw new Error('Message digest did not match');
27688 }
27689
27690 this.params = await this.params;
27691
27692 const verified = await mod.signature.verify(
27693 publicKeyAlgorithm, hashAlgorithm, this.params, key.publicParams,
27694 toHash, hash
27695 );
27696 if (!verified) {
27697 throw new Error('Signature verification failed');
27698 }
27699 if (config.rejectHashAlgorithms.has(hashAlgorithm)) {
27700 throw new Error('Insecure hash algorithm: ' + enums.read(enums.hash, hashAlgorithm).toUpperCase());
27701 }
27702 if (config.rejectMessageHashAlgorithms.has(hashAlgorithm) &&
27703 [enums.signature.binary, enums.signature.text].includes(this.signatureType)) {
27704 throw new Error('Insecure message hash algorithm: ' + enums.read(enums.hash, hashAlgorithm).toUpperCase());
27705 }
27706 this.rawNotations.forEach(({ name, critical }) => {
27707 if (critical && (config.knownNotations.indexOf(name) < 0)) {
27708 throw new Error(`Unknown critical notation: ${name}`);
27709 }
27710 });
27711 if (this.revocationKeyClass !== null) {
27712 throw new Error('This key is intended to be revoked with an authorized key, which OpenPGP.js does not support.');
27713 }
27714 this.verified = true;
27715 }
27716
27717 /**
27718 * Verifies signature expiration date
27719 * @param {Date} [date] - Use the given date for verification instead of the current time
27720 * @returns {Boolean} True if expired.
27721 */
27722 isExpired(date = new Date()) {
27723 const normDate = util.normalizeDate(date);
27724 if (normDate !== null) {
27725 const expirationTime = this.getExpirationTime();
27726 return !(this.created <= normDate && normDate <= expirationTime);
27727 }
27728 return false;
27729 }
27730
27731 /**
27732 * Returns the expiration time of the signature or Infinity if signature does not expire
27733 * @returns {Date} Expiration time.
27734 */
27735 getExpirationTime() {
27736 return !this.signatureNeverExpires ? new Date(this.created.getTime() + this.signatureExpirationTime * 1000) : Infinity;
27737 }
27738 }
27739
27740 /**
27741 * Creates a string representation of a sub signature packet
27742 * @see {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.1|RFC4880 5.2.3.1}
27743 * @see {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.2|RFC4880 5.2.3.2}
27744 * @param {Integer} type - Subpacket signature type.
27745 * @param {String} data - Data to be included
27746 * @returns {String} A string-representation of a sub signature packet.
27747 * @private
27748 */
27749 function write_sub_packet(type, data) {
27750 const arr = [];
27751 arr.push(writeSimpleLength(data.length + 1));
27752 arr.push(new Uint8Array([type]));
27753 arr.push(data);
27754 return util.concat(arr);
27755 }
27756
27757 // GPG4Browsers - An OpenPGP implementation in javascript
27758
27759 /**
27760 * Implementation of the One-Pass Signature Packets (Tag 4)
27761 *
27762 * {@link https://tools.ietf.org/html/rfc4880#section-5.4|RFC4880 5.4}:
27763 * The One-Pass Signature packet precedes the signed data and contains
27764 * enough information to allow the receiver to begin calculating any
27765 * hashes needed to verify the signature. It allows the Signature
27766 * packet to be placed at the end of the message, so that the signer
27767 * can compute the entire signed message in one pass.
27768 */
27769 class OnePassSignaturePacket {
27770 constructor() {
27771 /**
27772 * Packet type
27773 * @type {module:enums.packet}
27774 */
27775 this.tag = enums.packet.onePassSignature;
27776 /** A one-octet version number. The current version is 3. */
27777 this.version = null;
27778 /**
27779 * A one-octet signature type.
27780 * Signature types are described in
27781 * {@link https://tools.ietf.org/html/rfc4880#section-5.2.1|RFC4880 Section 5.2.1}.
27782 */
27783 this.signatureType = null;
27784 /**
27785 * A one-octet number describing the hash algorithm used.
27786 * @see {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC4880 9.4}
27787 */
27788 this.hashAlgorithm = null;
27789 /**
27790 * A one-octet number describing the public-key algorithm used.
27791 * @see {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC4880 9.1}
27792 */
27793 this.publicKeyAlgorithm = null;
27794 /** An eight-octet number holding the Key ID of the signing key. */
27795 this.issuerKeyId = null;
27796 /**
27797 * A one-octet number holding a flag showing whether the signature is nested.
27798 * A zero value indicates that the next packet is another One-Pass Signature packet
27799 * that describes another signature to be applied to the same message data.
27800 */
27801 this.flags = null;
27802 }
27803
27804 /**
27805 * parsing function for a one-pass signature packet (tag 4).
27806 * @param {Uint8Array} bytes - Payload of a tag 4 packet
27807 * @returns {OnePassSignaturePacket} Object representation.
27808 */
27809 read(bytes) {
27810 let mypos = 0;
27811 // A one-octet version number. The current version is 3.
27812 this.version = bytes[mypos++];
27813
27814 // A one-octet signature type. Signature types are described in
27815 // Section 5.2.1.
27816 this.signatureType = bytes[mypos++];
27817
27818 // A one-octet number describing the hash algorithm used.
27819 this.hashAlgorithm = bytes[mypos++];
27820
27821 // A one-octet number describing the public-key algorithm used.
27822 this.publicKeyAlgorithm = bytes[mypos++];
27823
27824 // An eight-octet number holding the Key ID of the signing key.
27825 this.issuerKeyId = new Keyid();
27826 this.issuerKeyId.read(bytes.subarray(mypos, mypos + 8));
27827 mypos += 8;
27828
27829 // A one-octet number holding a flag showing whether the signature
27830 // is nested. A zero value indicates that the next packet is
27831 // another One-Pass Signature packet that describes another
27832 // signature to be applied to the same message data.
27833 this.flags = bytes[mypos++];
27834 return this;
27835 }
27836
27837 /**
27838 * creates a string representation of a one-pass signature packet
27839 * @returns {Uint8Array} A Uint8Array representation of a one-pass signature packet.
27840 */
27841 write() {
27842 const start = new Uint8Array([3, enums.write(enums.signature, this.signatureType),
27843 enums.write(enums.hash, this.hashAlgorithm),
27844 enums.write(enums.publicKey, this.publicKeyAlgorithm)]);
27845
27846 const end = new Uint8Array([this.flags]);
27847
27848 return util.concatUint8Array([start, this.issuerKeyId.write(), end]);
27849 }
27850
27851 calculateTrailer(...args) {
27852 return stream.fromAsync(async () => SignaturePacket.prototype.calculateTrailer.apply(await this.correspondingSig, args));
27853 }
27854
27855 async verify() {
27856 const correspondingSig = await this.correspondingSig;
27857 if (!correspondingSig || correspondingSig.tag !== enums.packet.signature) {
27858 throw new Error('Corresponding signature packet missing');
27859 }
27860 if (
27861 correspondingSig.signatureType !== this.signatureType ||
27862 correspondingSig.hashAlgorithm !== this.hashAlgorithm ||
27863 correspondingSig.publicKeyAlgorithm !== this.publicKeyAlgorithm ||
27864 !correspondingSig.issuerKeyId.equals(this.issuerKeyId)
27865 ) {
27866 throw new Error('Corresponding signature packet does not match one-pass signature packet');
27867 }
27868 correspondingSig.hashed = this.hashed;
27869 return correspondingSig.verify.apply(correspondingSig, arguments);
27870 }
27871 }
27872
27873 OnePassSignaturePacket.prototype.hash = SignaturePacket.prototype.hash;
27874 OnePassSignaturePacket.prototype.toHash = SignaturePacket.prototype.toHash;
27875 OnePassSignaturePacket.prototype.toSign = SignaturePacket.prototype.toSign;
27876
27877 // GPG4Browsers - An OpenPGP implementation in javascript
27878
27879 /**
27880 * A Secret-Key packet contains all the information that is found in a
27881 * Public-Key packet, including the public-key material, but also
27882 * includes the secret-key material after all the public-key fields.
27883 * @extends PublicKeyPacket
27884 */
27885 class SecretKeyPacket extends PublicKeyPacket {
27886 /**
27887 * @param {Date} [date] - Creation date
27888 * @param {Object} [config] - Full configuration, defaults to openpgp.config
27889 */
27890 constructor(date = new Date(), config = defaultConfig) {
27891 super(date, config);
27892 /**
27893 * Packet type
27894 * @type {module:enums.packet}
27895 */
27896 this.tag = enums.packet.secretKey;
27897 /**
27898 * Secret-key data
27899 */
27900 this.keyMaterial = null;
27901 /**
27902 * Indicates whether secret-key data is encrypted. `this.isEncrypted === false` means data is available in decrypted form.
27903 */
27904 this.isEncrypted = null;
27905 /**
27906 * S2K usage
27907 * @type {Integer}
27908 */
27909 this.s2k_usage = 0;
27910 /**
27911 * S2K object
27912 * @type {type/s2k}
27913 */
27914 this.s2k = null;
27915 /**
27916 * Symmetric algorithm
27917 * @type {String}
27918 */
27919 this.symmetric = null;
27920 /**
27921 * AEAD algorithm
27922 * @type {String}
27923 */
27924 this.aead = null;
27925 /**
27926 * Decrypted private parameters, referenced by name
27927 * @type {Object}
27928 */
27929 this.privateParams = null;
27930 }
27931
27932 // 5.5.3. Secret-Key Packet Formats
27933
27934 /**
27935 * Internal parser for private keys as specified in
27936 * {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.5.3|RFC4880bis-04 section 5.5.3}
27937 * @param {String} bytes - Input string to read the packet from
27938 */
27939 read(bytes) {
27940 // - A Public-Key or Public-Subkey packet, as described above.
27941 let i = this.readPublicKey(bytes);
27942
27943 // - One octet indicating string-to-key usage conventions. Zero
27944 // indicates that the secret-key data is not encrypted. 255 or 254
27945 // indicates that a string-to-key specifier is being given. Any
27946 // other value is a symmetric-key encryption algorithm identifier.
27947 this.s2k_usage = bytes[i++];
27948
27949 // - Only for a version 5 packet, a one-octet scalar octet count of
27950 // the next 4 optional fields.
27951 if (this.version === 5) {
27952 i++;
27953 }
27954
27955 // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
27956 // one-octet symmetric encryption algorithm.
27957 if (this.s2k_usage === 255 || this.s2k_usage === 254 || this.s2k_usage === 253) {
27958 this.symmetric = bytes[i++];
27959 this.symmetric = enums.read(enums.symmetric, this.symmetric);
27960
27961 // - [Optional] If string-to-key usage octet was 253, a one-octet
27962 // AEAD algorithm.
27963 if (this.s2k_usage === 253) {
27964 this.aead = bytes[i++];
27965 this.aead = enums.read(enums.aead, this.aead);
27966 }
27967
27968 // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
27969 // string-to-key specifier. The length of the string-to-key
27970 // specifier is implied by its type, as described above.
27971 this.s2k = new S2K();
27972 i += this.s2k.read(bytes.subarray(i, bytes.length));
27973
27974 if (this.s2k.type === 'gnu-dummy') {
27975 return;
27976 }
27977 } else if (this.s2k_usage) {
27978 this.symmetric = this.s2k_usage;
27979 this.symmetric = enums.read(enums.symmetric, this.symmetric);
27980 }
27981
27982 // - [Optional] If secret data is encrypted (string-to-key usage octet
27983 // not zero), an Initial Vector (IV) of the same length as the
27984 // cipher's block size.
27985 if (this.s2k_usage) {
27986 this.iv = bytes.subarray(
27987 i,
27988 i + mod.cipher[this.symmetric].blockSize
27989 );
27990
27991 i += this.iv.length;
27992 }
27993
27994 // - Only for a version 5 packet, a four-octet scalar octet count for
27995 // the following key material.
27996 if (this.version === 5) {
27997 i += 4;
27998 }
27999
28000 // - Plain or encrypted multiprecision integers comprising the secret
28001 // key data. These algorithm-specific fields are as described
28002 // below.
28003 this.keyMaterial = bytes.subarray(i);
28004 this.isEncrypted = !!this.s2k_usage;
28005
28006 if (!this.isEncrypted) {
28007 const cleartext = this.keyMaterial.subarray(0, -2);
28008 if (!util.equalsUint8Array(util.writeChecksum(cleartext), this.keyMaterial.subarray(-2))) {
28009 throw new Error('Key checksum mismatch');
28010 }
28011 try {
28012 const algo = enums.write(enums.publicKey, this.algorithm);
28013 const { privateParams } = mod.parsePrivateKeyParams(algo, cleartext, this.publicParams);
28014 this.privateParams = privateParams;
28015 } catch (err) {
28016 throw new Error('Error reading MPIs');
28017 }
28018 }
28019 }
28020
28021 /**
28022 * Creates an OpenPGP key packet for the given key.
28023 * @returns {Uint8Array} A string of bytes containing the secret key OpenPGP packet.
28024 */
28025 write() {
28026 const arr = [this.writePublicKey()];
28027
28028 arr.push(new Uint8Array([this.s2k_usage]));
28029
28030 const optionalFieldsArr = [];
28031 // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
28032 // one- octet symmetric encryption algorithm.
28033 if (this.s2k_usage === 255 || this.s2k_usage === 254 || this.s2k_usage === 253) {
28034 optionalFieldsArr.push(enums.write(enums.symmetric, this.symmetric));
28035
28036 // - [Optional] If string-to-key usage octet was 253, a one-octet
28037 // AEAD algorithm.
28038 if (this.s2k_usage === 253) {
28039 optionalFieldsArr.push(enums.write(enums.aead, this.aead));
28040 }
28041
28042 // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
28043 // string-to-key specifier. The length of the string-to-key
28044 // specifier is implied by its type, as described above.
28045 optionalFieldsArr.push(...this.s2k.write());
28046 }
28047
28048 // - [Optional] If secret data is encrypted (string-to-key usage octet
28049 // not zero), an Initial Vector (IV) of the same length as the
28050 // cipher's block size.
28051 if (this.s2k_usage && this.s2k.type !== 'gnu-dummy') {
28052 optionalFieldsArr.push(...this.iv);
28053 }
28054
28055 if (this.version === 5) {
28056 arr.push(new Uint8Array([optionalFieldsArr.length]));
28057 }
28058 arr.push(new Uint8Array(optionalFieldsArr));
28059
28060 if (!this.isDummy()) {
28061 if (!this.s2k_usage) {
28062 const algo = enums.write(enums.publicKey, this.algorithm);
28063 const cleartextParams = mod.serializeParams(algo, this.privateParams);
28064 this.keyMaterial = util.concatUint8Array([
28065 cleartextParams,
28066 util.writeChecksum(cleartextParams)
28067 ]);
28068 }
28069
28070 if (this.version === 5) {
28071 arr.push(util.writeNumber(this.keyMaterial.length, 4));
28072 }
28073 arr.push(this.keyMaterial);
28074 }
28075
28076 return util.concatUint8Array(arr);
28077 }
28078
28079 /**
28080 * Check whether secret-key data is available in decrypted form.
28081 * Returns false for gnu-dummy keys and null for public keys.
28082 * @returns {Boolean|null}
28083 */
28084 isDecrypted() {
28085 return this.isEncrypted === false;
28086 }
28087
28088 /**
28089 * Check whether this is a gnu-dummy key
28090 * @returns {Boolean}
28091 */
28092 isDummy() {
28093 return !!(this.s2k && this.s2k.type === 'gnu-dummy');
28094 }
28095
28096 /**
28097 * Remove private key material, converting the key to a dummy one.
28098 * The resulting key cannot be used for signing/decrypting but can still verify signatures.
28099 * @param {Object} [config] - Full configuration, defaults to openpgp.config
28100 */
28101 makeDummy(config = defaultConfig) {
28102 if (this.isDummy()) {
28103 return;
28104 }
28105 if (this.isDecrypted()) {
28106 this.clearPrivateParams();
28107 }
28108 this.isEncrypted = null;
28109 this.keyMaterial = null;
28110 this.s2k = new S2K(config);
28111 this.s2k.algorithm = 0;
28112 this.s2k.c = 0;
28113 this.s2k.type = 'gnu-dummy';
28114 this.s2k_usage = 254;
28115 this.symmetric = 'aes256';
28116 }
28117
28118 /**
28119 * Encrypt the payload. By default, we use aes256 and iterated, salted string
28120 * to key specifier. If the key is in a decrypted state (isEncrypted === false)
28121 * and the passphrase is empty or undefined, the key will be set as not encrypted.
28122 * This can be used to remove passphrase protection after calling decrypt().
28123 * @param {String} passphrase
28124 * @param {Object} [config] - Full configuration, defaults to openpgp.config
28125 * @throws {Error} if encryption was not successful
28126 * @async
28127 */
28128 async encrypt(passphrase, config = defaultConfig) {
28129 if (this.isDummy()) {
28130 return;
28131 }
28132
28133 if (!this.isDecrypted()) {
28134 throw new Error('Key packet is already encrypted');
28135 }
28136
28137 if (this.isDecrypted() && !passphrase) {
28138 this.s2k_usage = 0;
28139 return;
28140 } else if (!passphrase) {
28141 throw new Error('The key must be decrypted before removing passphrase protection.');
28142 }
28143
28144 this.s2k = new S2K(config);
28145 this.s2k.salt = await mod.random.getRandomBytes(8);
28146 const algo = enums.write(enums.publicKey, this.algorithm);
28147 const cleartext = mod.serializeParams(algo, this.privateParams);
28148 this.symmetric = 'aes256';
28149 const key = await produceEncryptionKey(this.s2k, passphrase, this.symmetric);
28150 const blockLen = mod.cipher[this.symmetric].blockSize;
28151 this.iv = await mod.random.getRandomBytes(blockLen);
28152
28153 if (config.aeadProtect) {
28154 this.s2k_usage = 253;
28155 this.aead = 'eax';
28156 const mode = mod[this.aead];
28157 const modeInstance = await mode(this.symmetric, key);
28158 this.keyMaterial = await modeInstance.encrypt(cleartext, this.iv.subarray(0, mode.ivLength), new Uint8Array());
28159 } else {
28160 this.s2k_usage = 254;
28161 this.keyMaterial = await mod.cfb.encrypt(this.symmetric, key, util.concatUint8Array([
28162 cleartext,
28163 await mod.hash.sha1(cleartext, config)
28164 ]), this.iv, config);
28165 }
28166 }
28167
28168 /**
28169 * Decrypts the private key params which are needed to use the key.
28170 * {@link SecretKeyPacket.isDecrypted} should be false, as
28171 * otherwise calls to this function will throw an error.
28172 * @param {String} passphrase - The passphrase for this private key as string
28173 * @throws {Error} if decryption was not successful
28174 * @async
28175 */
28176 async decrypt(passphrase) {
28177 if (this.isDummy()) {
28178 return false;
28179 }
28180
28181 if (this.isDecrypted()) {
28182 throw new Error('Key packet is already decrypted.');
28183 }
28184
28185 let key;
28186 if (this.s2k_usage === 254 || this.s2k_usage === 253) {
28187 key = await produceEncryptionKey(this.s2k, passphrase, this.symmetric);
28188 } else if (this.s2k_usage === 255) {
28189 throw new Error('Encrypted private key is authenticated using an insecure two-byte hash');
28190 } else {
28191 throw new Error('Private key is encrypted using an insecure S2K function: unsalted MD5');
28192 }
28193
28194 let cleartext;
28195 if (this.s2k_usage === 253) {
28196 const mode = mod[this.aead];
28197 try {
28198 const modeInstance = await mode(this.symmetric, key);
28199 cleartext = await modeInstance.decrypt(this.keyMaterial, this.iv.subarray(0, mode.ivLength), new Uint8Array());
28200 } catch (err) {
28201 if (err.message === 'Authentication tag mismatch') {
28202 throw new Error('Incorrect key passphrase: ' + err.message);
28203 }
28204 throw err;
28205 }
28206 } else {
28207 const cleartextWithHash = await mod.cfb.decrypt(this.symmetric, key, this.keyMaterial, this.iv);
28208
28209 cleartext = cleartextWithHash.subarray(0, -20);
28210 const hash = await mod.hash.sha1(cleartext);
28211
28212 if (!util.equalsUint8Array(hash, cleartextWithHash.subarray(-20))) {
28213 throw new Error('Incorrect key passphrase');
28214 }
28215 }
28216
28217 try {
28218 const algo = enums.write(enums.publicKey, this.algorithm);
28219 const { privateParams } = mod.parsePrivateKeyParams(algo, cleartext, this.publicParams);
28220 this.privateParams = privateParams;
28221 } catch (err) {
28222 throw new Error('Error reading MPIs');
28223 }
28224 this.isEncrypted = false;
28225 this.keyMaterial = null;
28226 this.s2k_usage = 0;
28227 }
28228
28229 /**
28230 * Checks that the key parameters are consistent
28231 * @throws {Error} if validation was not successful
28232 * @async
28233 */
28234 async validate() {
28235 if (this.isDummy()) {
28236 return;
28237 }
28238
28239 if (!this.isDecrypted()) {
28240 throw new Error('Key is not decrypted');
28241 }
28242
28243 const algo = enums.write(enums.publicKey, this.algorithm);
28244
28245 let validParams;
28246 try {
28247 // this can throw if some parameters are undefined
28248 validParams = await mod.validateParams(algo, this.publicParams, this.privateParams);
28249 } catch (_) {
28250 validParams = false;
28251 }
28252 if (!validParams) {
28253 throw new Error('Key is invalid');
28254 }
28255 }
28256
28257 async generate(bits, curve) {
28258 const algo = enums.write(enums.publicKey, this.algorithm);
28259 const { privateParams, publicParams } = await mod.generateParams(algo, bits, curve);
28260 this.privateParams = privateParams;
28261 this.publicParams = publicParams;
28262 this.isEncrypted = false;
28263 }
28264
28265 /**
28266 * Clear private key parameters
28267 */
28268 clearPrivateParams() {
28269 if (this.isDummy()) {
28270 return;
28271 }
28272
28273 Object.keys(this.privateParams).forEach(name => {
28274 const param = this.privateParams[name];
28275 param.fill(0);
28276 delete this.privateParams[name];
28277 });
28278 this.privateParams = null;
28279 this.isEncrypted = true;
28280 }
28281 }
28282
28283 async function produceEncryptionKey(s2k, passphrase, algorithm) {
28284 return s2k.produce_key(
28285 passphrase,
28286 mod.cipher[algorithm].keySize
28287 );
28288 }
28289
28290 var emailAddresses = createCommonjsModule(function (module) {
28291 // email-addresses.js - RFC 5322 email address parser
28292 // v 3.1.0
28293 //
28294 // http://tools.ietf.org/html/rfc5322
28295 //
28296 // This library does not validate email addresses.
28297 // emailAddresses attempts to parse addresses using the (fairly liberal)
28298 // grammar specified in RFC 5322.
28299 //
28300 // email-addresses returns {
28301 // ast: <an abstract syntax tree based on rfc5322>,
28302 // addresses: [{
28303 // node: <node in ast for this address>,
28304 // name: <display-name>,
28305 // address: <addr-spec>,
28306 // local: <local-part>,
28307 // domain: <domain>
28308 // }, ...]
28309 // }
28310 //
28311 // emailAddresses.parseOneAddress and emailAddresses.parseAddressList
28312 // work as you might expect. Try it out.
28313 //
28314 // Many thanks to Dominic Sayers and his documentation on the is_email function,
28315 // http://code.google.com/p/isemail/ , which helped greatly in writing this parser.
28316
28317 (function (global) {
28318
28319 function parse5322(opts) {
28320
28321 // tokenizing functions
28322
28323 function inStr() { return pos < len; }
28324 function curTok() { return parseString[pos]; }
28325 function getPos() { return pos; }
28326 function setPos(i) { pos = i; }
28327 function nextTok() { pos += 1; }
28328 function initialize() {
28329 pos = 0;
28330 len = parseString.length;
28331 }
28332
28333 // parser helper functions
28334
28335 function o(name, value) {
28336 return {
28337 name: name,
28338 tokens: value || "",
28339 semantic: value || "",
28340 children: []
28341 };
28342 }
28343
28344 function wrap(name, ast) {
28345 var n;
28346 if (ast === null) { return null; }
28347 n = o(name);
28348 n.tokens = ast.tokens;
28349 n.semantic = ast.semantic;
28350 n.children.push(ast);
28351 return n;
28352 }
28353
28354 function add(parent, child) {
28355 if (child !== null) {
28356 parent.tokens += child.tokens;
28357 parent.semantic += child.semantic;
28358 }
28359 parent.children.push(child);
28360 return parent;
28361 }
28362
28363 function compareToken(fxnCompare) {
28364 var tok;
28365 if (!inStr()) { return null; }
28366 tok = curTok();
28367 if (fxnCompare(tok)) {
28368 nextTok();
28369 return o('token', tok);
28370 }
28371 return null;
28372 }
28373
28374 function literal(lit) {
28375 return function literalFunc() {
28376 return wrap('literal', compareToken(function (tok) {
28377 return tok === lit;
28378 }));
28379 };
28380 }
28381
28382 function and() {
28383 var args = arguments;
28384 return function andFunc() {
28385 var i, s, result, start;
28386 start = getPos();
28387 s = o('and');
28388 for (i = 0; i < args.length; i += 1) {
28389 result = args[i]();
28390 if (result === null) {
28391 setPos(start);
28392 return null;
28393 }
28394 add(s, result);
28395 }
28396 return s;
28397 };
28398 }
28399
28400 function or() {
28401 var args = arguments;
28402 return function orFunc() {
28403 var i, result, start;
28404 start = getPos();
28405 for (i = 0; i < args.length; i += 1) {
28406 result = args[i]();
28407 if (result !== null) {
28408 return result;
28409 }
28410 setPos(start);
28411 }
28412 return null;
28413 };
28414 }
28415
28416 function opt(prod) {
28417 return function optFunc() {
28418 var result, start;
28419 start = getPos();
28420 result = prod();
28421 if (result !== null) {
28422 return result;
28423 }
28424 else {
28425 setPos(start);
28426 return o('opt');
28427 }
28428 };
28429 }
28430
28431 function invis(prod) {
28432 return function invisFunc() {
28433 var result = prod();
28434 if (result !== null) {
28435 result.semantic = "";
28436 }
28437 return result;
28438 };
28439 }
28440
28441 function colwsp(prod) {
28442 return function collapseSemanticWhitespace() {
28443 var result = prod();
28444 if (result !== null && result.semantic.length > 0) {
28445 result.semantic = " ";
28446 }
28447 return result;
28448 };
28449 }
28450
28451 function star(prod, minimum) {
28452 return function starFunc() {
28453 var s, result, count, start, min;
28454 start = getPos();
28455 s = o('star');
28456 count = 0;
28457 min = minimum === undefined ? 0 : minimum;
28458 while ((result = prod()) !== null) {
28459 count = count + 1;
28460 add(s, result);
28461 }
28462 if (count >= min) {
28463 return s;
28464 }
28465 else {
28466 setPos(start);
28467 return null;
28468 }
28469 };
28470 }
28471
28472 // One expects names to get normalized like this:
28473 // " First Last " -> "First Last"
28474 // "First Last" -> "First Last"
28475 // "First Last" -> "First Last"
28476 function collapseWhitespace(s) {
28477 return s.replace(/([ \t]|\r\n)+/g, ' ').replace(/^\s*/, '').replace(/\s*$/, '');
28478 }
28479
28480 // UTF-8 pseudo-production (RFC 6532)
28481 // RFC 6532 extends RFC 5322 productions to include UTF-8
28482 // using the following productions:
28483 // UTF8-non-ascii = UTF8-2 / UTF8-3 / UTF8-4
28484 // UTF8-2 = <Defined in Section 4 of RFC3629>
28485 // UTF8-3 = <Defined in Section 4 of RFC3629>
28486 // UTF8-4 = <Defined in Section 4 of RFC3629>
28487 //
28488 // For reference, the extended RFC 5322 productions are:
28489 // VCHAR =/ UTF8-non-ascii
28490 // ctext =/ UTF8-non-ascii
28491 // atext =/ UTF8-non-ascii
28492 // qtext =/ UTF8-non-ascii
28493 // dtext =/ UTF8-non-ascii
28494 function isUTF8NonAscii(tok) {
28495 // In JavaScript, we just deal directly with Unicode code points,
28496 // so we aren't checking individual bytes for UTF-8 encoding.
28497 // Just check that the character is non-ascii.
28498 return tok.charCodeAt(0) >= 128;
28499 }
28500
28501
28502 // common productions (RFC 5234)
28503 // http://tools.ietf.org/html/rfc5234
28504 // B.1. Core Rules
28505
28506 // CR = %x0D
28507 // ; carriage return
28508 function cr() { return wrap('cr', literal('\r')()); }
28509
28510 // CRLF = CR LF
28511 // ; Internet standard newline
28512 function crlf() { return wrap('crlf', and(cr, lf)()); }
28513
28514 // DQUOTE = %x22
28515 // ; " (Double Quote)
28516 function dquote() { return wrap('dquote', literal('"')()); }
28517
28518 // HTAB = %x09
28519 // ; horizontal tab
28520 function htab() { return wrap('htab', literal('\t')()); }
28521
28522 // LF = %x0A
28523 // ; linefeed
28524 function lf() { return wrap('lf', literal('\n')()); }
28525
28526 // SP = %x20
28527 function sp() { return wrap('sp', literal(' ')()); }
28528
28529 // VCHAR = %x21-7E
28530 // ; visible (printing) characters
28531 function vchar() {
28532 return wrap('vchar', compareToken(function vcharFunc(tok) {
28533 var code = tok.charCodeAt(0);
28534 var accept = (0x21 <= code && code <= 0x7E);
28535 if (opts.rfc6532) {
28536 accept = accept || isUTF8NonAscii(tok);
28537 }
28538 return accept;
28539 }));
28540 }
28541
28542 // WSP = SP / HTAB
28543 // ; white space
28544 function wsp() { return wrap('wsp', or(sp, htab)()); }
28545
28546
28547 // email productions (RFC 5322)
28548 // http://tools.ietf.org/html/rfc5322
28549 // 3.2.1. Quoted characters
28550
28551 // quoted-pair = ("\" (VCHAR / WSP)) / obs-qp
28552 function quotedPair() {
28553 var qp = wrap('quoted-pair',
28554 or(
28555 and(literal('\\'), or(vchar, wsp)),
28556 obsQP
28557 )());
28558 if (qp === null) { return null; }
28559 // a quoted pair will be two characters, and the "\" character
28560 // should be semantically "invisible" (RFC 5322 3.2.1)
28561 qp.semantic = qp.semantic[1];
28562 return qp;
28563 }
28564
28565 // 3.2.2. Folding White Space and Comments
28566
28567 // FWS = ([*WSP CRLF] 1*WSP) / obs-FWS
28568 function fws() {
28569 return wrap('fws', or(
28570 obsFws,
28571 and(
28572 opt(and(
28573 star(wsp),
28574 invis(crlf)
28575 )),
28576 star(wsp, 1)
28577 )
28578 )());
28579 }
28580
28581 // ctext = %d33-39 / ; Printable US-ASCII
28582 // %d42-91 / ; characters not including
28583 // %d93-126 / ; "(", ")", or "\"
28584 // obs-ctext
28585 function ctext() {
28586 return wrap('ctext', or(
28587 function ctextFunc1() {
28588 return compareToken(function ctextFunc2(tok) {
28589 var code = tok.charCodeAt(0);
28590 var accept =
28591 (33 <= code && code <= 39) ||
28592 (42 <= code && code <= 91) ||
28593 (93 <= code && code <= 126);
28594 if (opts.rfc6532) {
28595 accept = accept || isUTF8NonAscii(tok);
28596 }
28597 return accept;
28598 });
28599 },
28600 obsCtext
28601 )());
28602 }
28603
28604 // ccontent = ctext / quoted-pair / comment
28605 function ccontent() {
28606 return wrap('ccontent', or(ctext, quotedPair, comment)());
28607 }
28608
28609 // comment = "(" *([FWS] ccontent) [FWS] ")"
28610 function comment() {
28611 return wrap('comment', and(
28612 literal('('),
28613 star(and(opt(fws), ccontent)),
28614 opt(fws),
28615 literal(')')
28616 )());
28617 }
28618
28619 // CFWS = (1*([FWS] comment) [FWS]) / FWS
28620 function cfws() {
28621 return wrap('cfws', or(
28622 and(
28623 star(
28624 and(opt(fws), comment),
28625 1
28626 ),
28627 opt(fws)
28628 ),
28629 fws
28630 )());
28631 }
28632
28633 // 3.2.3. Atom
28634
28635 //atext = ALPHA / DIGIT / ; Printable US-ASCII
28636 // "!" / "#" / ; characters not including
28637 // "$" / "%" / ; specials. Used for atoms.
28638 // "&" / "'" /
28639 // "*" / "+" /
28640 // "-" / "/" /
28641 // "=" / "?" /
28642 // "^" / "_" /
28643 // "`" / "{" /
28644 // "|" / "}" /
28645 // "~"
28646 function atext() {
28647 return wrap('atext', compareToken(function atextFunc(tok) {
28648 var accept =
28649 ('a' <= tok && tok <= 'z') ||
28650 ('A' <= tok && tok <= 'Z') ||
28651 ('0' <= tok && tok <= '9') ||
28652 (['!', '#', '$', '%', '&', '\'', '*', '+', '-', '/',
28653 '=', '?', '^', '_', '`', '{', '|', '}', '~'].indexOf(tok) >= 0);
28654 if (opts.rfc6532) {
28655 accept = accept || isUTF8NonAscii(tok);
28656 }
28657 return accept;
28658 }));
28659 }
28660
28661 // atom = [CFWS] 1*atext [CFWS]
28662 function atom() {
28663 return wrap('atom', and(colwsp(opt(cfws)), star(atext, 1), colwsp(opt(cfws)))());
28664 }
28665
28666 // dot-atom-text = 1*atext *("." 1*atext)
28667 function dotAtomText() {
28668 var s, maybeText;
28669 s = wrap('dot-atom-text', star(atext, 1)());
28670 if (s === null) { return s; }
28671 maybeText = star(and(literal('.'), star(atext, 1)))();
28672 if (maybeText !== null) {
28673 add(s, maybeText);
28674 }
28675 return s;
28676 }
28677
28678 // dot-atom = [CFWS] dot-atom-text [CFWS]
28679 function dotAtom() {
28680 return wrap('dot-atom', and(invis(opt(cfws)), dotAtomText, invis(opt(cfws)))());
28681 }
28682
28683 // 3.2.4. Quoted Strings
28684
28685 // qtext = %d33 / ; Printable US-ASCII
28686 // %d35-91 / ; characters not including
28687 // %d93-126 / ; "\" or the quote character
28688 // obs-qtext
28689 function qtext() {
28690 return wrap('qtext', or(
28691 function qtextFunc1() {
28692 return compareToken(function qtextFunc2(tok) {
28693 var code = tok.charCodeAt(0);
28694 var accept =
28695 (33 === code) ||
28696 (35 <= code && code <= 91) ||
28697 (93 <= code && code <= 126);
28698 if (opts.rfc6532) {
28699 accept = accept || isUTF8NonAscii(tok);
28700 }
28701 return accept;
28702 });
28703 },
28704 obsQtext
28705 )());
28706 }
28707
28708 // qcontent = qtext / quoted-pair
28709 function qcontent() {
28710 return wrap('qcontent', or(qtext, quotedPair)());
28711 }
28712
28713 // quoted-string = [CFWS]
28714 // DQUOTE *([FWS] qcontent) [FWS] DQUOTE
28715 // [CFWS]
28716 function quotedString() {
28717 return wrap('quoted-string', and(
28718 invis(opt(cfws)),
28719 invis(dquote), star(and(opt(colwsp(fws)), qcontent)), opt(invis(fws)), invis(dquote),
28720 invis(opt(cfws))
28721 )());
28722 }
28723
28724 // 3.2.5 Miscellaneous Tokens
28725
28726 // word = atom / quoted-string
28727 function word() {
28728 return wrap('word', or(atom, quotedString)());
28729 }
28730
28731 // phrase = 1*word / obs-phrase
28732 function phrase() {
28733 return wrap('phrase', or(obsPhrase, star(word, 1))());
28734 }
28735
28736 // 3.4. Address Specification
28737 // address = mailbox / group
28738 function address() {
28739 return wrap('address', or(mailbox, group)());
28740 }
28741
28742 // mailbox = name-addr / addr-spec
28743 function mailbox() {
28744 return wrap('mailbox', or(nameAddr, addrSpec)());
28745 }
28746
28747 // name-addr = [display-name] angle-addr
28748 function nameAddr() {
28749 return wrap('name-addr', and(opt(displayName), angleAddr)());
28750 }
28751
28752 // angle-addr = [CFWS] "<" addr-spec ">" [CFWS] /
28753 // obs-angle-addr
28754 function angleAddr() {
28755 return wrap('angle-addr', or(
28756 and(
28757 invis(opt(cfws)),
28758 literal('<'),
28759 addrSpec,
28760 literal('>'),
28761 invis(opt(cfws))
28762 ),
28763 obsAngleAddr
28764 )());
28765 }
28766
28767 // group = display-name ":" [group-list] ";" [CFWS]
28768 function group() {
28769 return wrap('group', and(
28770 displayName,
28771 literal(':'),
28772 opt(groupList),
28773 literal(';'),
28774 invis(opt(cfws))
28775 )());
28776 }
28777
28778 // display-name = phrase
28779 function displayName() {
28780 return wrap('display-name', function phraseFixedSemantic() {
28781 var result = phrase();
28782 if (result !== null) {
28783 result.semantic = collapseWhitespace(result.semantic);
28784 }
28785 return result;
28786 }());
28787 }
28788
28789 // mailbox-list = (mailbox *("," mailbox)) / obs-mbox-list
28790 function mailboxList() {
28791 return wrap('mailbox-list', or(
28792 and(
28793 mailbox,
28794 star(and(literal(','), mailbox))
28795 ),
28796 obsMboxList
28797 )());
28798 }
28799
28800 // address-list = (address *("," address)) / obs-addr-list
28801 function addressList() {
28802 return wrap('address-list', or(
28803 and(
28804 address,
28805 star(and(literal(','), address))
28806 ),
28807 obsAddrList
28808 )());
28809 }
28810
28811 // group-list = mailbox-list / CFWS / obs-group-list
28812 function groupList() {
28813 return wrap('group-list', or(
28814 mailboxList,
28815 invis(cfws),
28816 obsGroupList
28817 )());
28818 }
28819
28820 // 3.4.1 Addr-Spec Specification
28821
28822 // local-part = dot-atom / quoted-string / obs-local-part
28823 function localPart() {
28824 // note: quoted-string, dotAtom are proper subsets of obs-local-part
28825 // so we really just have to look for obsLocalPart, if we don't care about the exact parse tree
28826 return wrap('local-part', or(obsLocalPart, dotAtom, quotedString)());
28827 }
28828
28829 // dtext = %d33-90 / ; Printable US-ASCII
28830 // %d94-126 / ; characters not including
28831 // obs-dtext ; "[", "]", or "\"
28832 function dtext() {
28833 return wrap('dtext', or(
28834 function dtextFunc1() {
28835 return compareToken(function dtextFunc2(tok) {
28836 var code = tok.charCodeAt(0);
28837 var accept =
28838 (33 <= code && code <= 90) ||
28839 (94 <= code && code <= 126);
28840 if (opts.rfc6532) {
28841 accept = accept || isUTF8NonAscii(tok);
28842 }
28843 return accept;
28844 });
28845 },
28846 obsDtext
28847 )()
28848 );
28849 }
28850
28851 // domain-literal = [CFWS] "[" *([FWS] dtext) [FWS] "]" [CFWS]
28852 function domainLiteral() {
28853 return wrap('domain-literal', and(
28854 invis(opt(cfws)),
28855 literal('['),
28856 star(and(opt(fws), dtext)),
28857 opt(fws),
28858 literal(']'),
28859 invis(opt(cfws))
28860 )());
28861 }
28862
28863 // domain = dot-atom / domain-literal / obs-domain
28864 function domain() {
28865 return wrap('domain', function domainCheckTLD() {
28866 var result = or(obsDomain, dotAtom, domainLiteral)();
28867 if (opts.rejectTLD) {
28868 if (result && result.semantic && result.semantic.indexOf('.') < 0) {
28869 return null;
28870 }
28871 }
28872 // strip all whitespace from domains
28873 if (result) {
28874 result.semantic = result.semantic.replace(/\s+/g, '');
28875 }
28876 return result;
28877 }());
28878 }
28879
28880 // addr-spec = local-part "@" domain
28881 function addrSpec() {
28882 return wrap('addr-spec', and(
28883 localPart, literal('@'), domain
28884 )());
28885 }
28886
28887 // 3.6.2 Originator Fields
28888 // Below we only parse the field body, not the name of the field
28889 // like "From:", "Sender:", or "Reply-To:". Other libraries that
28890 // parse email headers can parse those and defer to these productions
28891 // for the "RFC 5322" part.
28892
28893 // RFC 6854 2.1. Replacement of RFC 5322, Section 3.6.2. Originator Fields
28894 // from = "From:" (mailbox-list / address-list) CRLF
28895 function fromSpec() {
28896 return wrap('from', or(
28897 mailboxList,
28898 addressList
28899 )());
28900 }
28901
28902 // RFC 6854 2.1. Replacement of RFC 5322, Section 3.6.2. Originator Fields
28903 // sender = "Sender:" (mailbox / address) CRLF
28904 function senderSpec() {
28905 return wrap('sender', or(
28906 mailbox,
28907 address
28908 )());
28909 }
28910
28911 // RFC 6854 2.1. Replacement of RFC 5322, Section 3.6.2. Originator Fields
28912 // reply-to = "Reply-To:" address-list CRLF
28913 function replyToSpec() {
28914 return wrap('reply-to', addressList());
28915 }
28916
28917 // 4.1. Miscellaneous Obsolete Tokens
28918
28919 // obs-NO-WS-CTL = %d1-8 / ; US-ASCII control
28920 // %d11 / ; characters that do not
28921 // %d12 / ; include the carriage
28922 // %d14-31 / ; return, line feed, and
28923 // %d127 ; white space characters
28924 function obsNoWsCtl() {
28925 return opts.strict ? null : wrap('obs-NO-WS-CTL', compareToken(function (tok) {
28926 var code = tok.charCodeAt(0);
28927 return ((1 <= code && code <= 8) ||
28928 (11 === code || 12 === code) ||
28929 (14 <= code && code <= 31) ||
28930 (127 === code));
28931 }));
28932 }
28933
28934 // obs-ctext = obs-NO-WS-CTL
28935 function obsCtext() { return opts.strict ? null : wrap('obs-ctext', obsNoWsCtl()); }
28936
28937 // obs-qtext = obs-NO-WS-CTL
28938 function obsQtext() { return opts.strict ? null : wrap('obs-qtext', obsNoWsCtl()); }
28939
28940 // obs-qp = "\" (%d0 / obs-NO-WS-CTL / LF / CR)
28941 function obsQP() {
28942 return opts.strict ? null : wrap('obs-qp', and(
28943 literal('\\'),
28944 or(literal('\0'), obsNoWsCtl, lf, cr)
28945 )());
28946 }
28947
28948 // obs-phrase = word *(word / "." / CFWS)
28949 function obsPhrase() {
28950 if (opts.strict ) return null;
28951 return opts.atInDisplayName ? wrap('obs-phrase', and(
28952 word,
28953 star(or(word, literal('.'), literal('@'), colwsp(cfws)))
28954 )()) :
28955 wrap('obs-phrase', and(
28956 word,
28957 star(or(word, literal('.'), colwsp(cfws)))
28958 )());
28959 }
28960
28961 // 4.2. Obsolete Folding White Space
28962
28963 // NOTE: read the errata http://www.rfc-editor.org/errata_search.php?rfc=5322&eid=1908
28964 // obs-FWS = 1*([CRLF] WSP)
28965 function obsFws() {
28966 return opts.strict ? null : wrap('obs-FWS', star(
28967 and(invis(opt(crlf)), wsp),
28968 1
28969 )());
28970 }
28971
28972 // 4.4. Obsolete Addressing
28973
28974 // obs-angle-addr = [CFWS] "<" obs-route addr-spec ">" [CFWS]
28975 function obsAngleAddr() {
28976 return opts.strict ? null : wrap('obs-angle-addr', and(
28977 invis(opt(cfws)),
28978 literal('<'),
28979 obsRoute,
28980 addrSpec,
28981 literal('>'),
28982 invis(opt(cfws))
28983 )());
28984 }
28985
28986 // obs-route = obs-domain-list ":"
28987 function obsRoute() {
28988 return opts.strict ? null : wrap('obs-route', and(
28989 obsDomainList,
28990 literal(':')
28991 )());
28992 }
28993
28994 // obs-domain-list = *(CFWS / ",") "@" domain
28995 // *("," [CFWS] ["@" domain])
28996 function obsDomainList() {
28997 return opts.strict ? null : wrap('obs-domain-list', and(
28998 star(or(invis(cfws), literal(','))),
28999 literal('@'),
29000 domain,
29001 star(and(
29002 literal(','),
29003 invis(opt(cfws)),
29004 opt(and(literal('@'), domain))
29005 ))
29006 )());
29007 }
29008
29009 // obs-mbox-list = *([CFWS] ",") mailbox *("," [mailbox / CFWS])
29010 function obsMboxList() {
29011 return opts.strict ? null : wrap('obs-mbox-list', and(
29012 star(and(
29013 invis(opt(cfws)),
29014 literal(',')
29015 )),
29016 mailbox,
29017 star(and(
29018 literal(','),
29019 opt(and(
29020 mailbox,
29021 invis(cfws)
29022 ))
29023 ))
29024 )());
29025 }
29026
29027 // obs-addr-list = *([CFWS] ",") address *("," [address / CFWS])
29028 function obsAddrList() {
29029 return opts.strict ? null : wrap('obs-addr-list', and(
29030 star(and(
29031 invis(opt(cfws)),
29032 literal(',')
29033 )),
29034 address,
29035 star(and(
29036 literal(','),
29037 opt(and(
29038 address,
29039 invis(cfws)
29040 ))
29041 ))
29042 )());
29043 }
29044
29045 // obs-group-list = 1*([CFWS] ",") [CFWS]
29046 function obsGroupList() {
29047 return opts.strict ? null : wrap('obs-group-list', and(
29048 star(and(
29049 invis(opt(cfws)),
29050 literal(',')
29051 ), 1),
29052 invis(opt(cfws))
29053 )());
29054 }
29055
29056 // obs-local-part = word *("." word)
29057 function obsLocalPart() {
29058 return opts.strict ? null : wrap('obs-local-part', and(word, star(and(literal('.'), word)))());
29059 }
29060
29061 // obs-domain = atom *("." atom)
29062 function obsDomain() {
29063 return opts.strict ? null : wrap('obs-domain', and(atom, star(and(literal('.'), atom)))());
29064 }
29065
29066 // obs-dtext = obs-NO-WS-CTL / quoted-pair
29067 function obsDtext() {
29068 return opts.strict ? null : wrap('obs-dtext', or(obsNoWsCtl, quotedPair)());
29069 }
29070
29071 /////////////////////////////////////////////////////
29072
29073 // ast analysis
29074
29075 function findNode(name, root) {
29076 var i, stack, node;
29077 if (root === null || root === undefined) { return null; }
29078 stack = [root];
29079 while (stack.length > 0) {
29080 node = stack.pop();
29081 if (node.name === name) {
29082 return node;
29083 }
29084 for (i = node.children.length - 1; i >= 0; i -= 1) {
29085 stack.push(node.children[i]);
29086 }
29087 }
29088 return null;
29089 }
29090
29091 function findAllNodes(name, root) {
29092 var i, stack, node, result;
29093 if (root === null || root === undefined) { return null; }
29094 stack = [root];
29095 result = [];
29096 while (stack.length > 0) {
29097 node = stack.pop();
29098 if (node.name === name) {
29099 result.push(node);
29100 }
29101 for (i = node.children.length - 1; i >= 0; i -= 1) {
29102 stack.push(node.children[i]);
29103 }
29104 }
29105 return result;
29106 }
29107
29108 function findAllNodesNoChildren(names, root) {
29109 var i, stack, node, result, namesLookup;
29110 if (root === null || root === undefined) { return null; }
29111 stack = [root];
29112 result = [];
29113 namesLookup = {};
29114 for (i = 0; i < names.length; i += 1) {
29115 namesLookup[names[i]] = true;
29116 }
29117
29118 while (stack.length > 0) {
29119 node = stack.pop();
29120 if (node.name in namesLookup) {
29121 result.push(node);
29122 // don't look at children (hence findAllNodesNoChildren)
29123 } else {
29124 for (i = node.children.length - 1; i >= 0; i -= 1) {
29125 stack.push(node.children[i]);
29126 }
29127 }
29128 }
29129 return result;
29130 }
29131
29132 function giveResult(ast) {
29133 var addresses, groupsAndMailboxes, i, groupOrMailbox, result;
29134 if (ast === null) {
29135 return null;
29136 }
29137 addresses = [];
29138
29139 // An address is a 'group' (i.e. a list of mailboxes) or a 'mailbox'.
29140 groupsAndMailboxes = findAllNodesNoChildren(['group', 'mailbox'], ast);
29141 for (i = 0; i < groupsAndMailboxes.length; i += 1) {
29142 groupOrMailbox = groupsAndMailboxes[i];
29143 if (groupOrMailbox.name === 'group') {
29144 addresses.push(giveResultGroup(groupOrMailbox));
29145 } else if (groupOrMailbox.name === 'mailbox') {
29146 addresses.push(giveResultMailbox(groupOrMailbox));
29147 }
29148 }
29149
29150 result = {
29151 ast: ast,
29152 addresses: addresses,
29153 };
29154 if (opts.simple) {
29155 result = simplifyResult(result);
29156 }
29157 if (opts.oneResult) {
29158 return oneResult(result);
29159 }
29160 if (opts.simple) {
29161 return result && result.addresses;
29162 } else {
29163 return result;
29164 }
29165 }
29166
29167 function giveResultGroup(group) {
29168 var i;
29169 var groupName = findNode('display-name', group);
29170 var groupResultMailboxes = [];
29171 var mailboxes = findAllNodesNoChildren(['mailbox'], group);
29172 for (i = 0; i < mailboxes.length; i += 1) {
29173 groupResultMailboxes.push(giveResultMailbox(mailboxes[i]));
29174 }
29175 return {
29176 node: group,
29177 parts: {
29178 name: groupName,
29179 },
29180 type: group.name, // 'group'
29181 name: grabSemantic(groupName),
29182 addresses: groupResultMailboxes,
29183 };
29184 }
29185
29186 function giveResultMailbox(mailbox) {
29187 var name = findNode('display-name', mailbox);
29188 var aspec = findNode('addr-spec', mailbox);
29189 var cfws = findAllNodes('cfws', mailbox);
29190 var comments = findAllNodesNoChildren(['comment'], mailbox);
29191
29192
29193 var local = findNode('local-part', aspec);
29194 var domain = findNode('domain', aspec);
29195 return {
29196 node: mailbox,
29197 parts: {
29198 name: name,
29199 address: aspec,
29200 local: local,
29201 domain: domain,
29202 comments: cfws
29203 },
29204 type: mailbox.name, // 'mailbox'
29205 name: grabSemantic(name),
29206 address: grabSemantic(aspec),
29207 local: grabSemantic(local),
29208 domain: grabSemantic(domain),
29209 comments: concatComments(comments),
29210 groupName: grabSemantic(mailbox.groupName),
29211 };
29212 }
29213
29214 function grabSemantic(n) {
29215 return n !== null && n !== undefined ? n.semantic : null;
29216 }
29217
29218 function simplifyResult(result) {
29219 var i;
29220 if (result && result.addresses) {
29221 for (i = 0; i < result.addresses.length; i += 1) {
29222 delete result.addresses[i].node;
29223 }
29224 }
29225 return result;
29226 }
29227
29228 function concatComments(comments) {
29229 var result = '';
29230 if (comments) {
29231 for (var i = 0; i < comments.length; i += 1) {
29232 result += grabSemantic(comments[i]);
29233 }
29234 }
29235 return result;
29236 }
29237
29238 function oneResult(result) {
29239 if (!result) { return null; }
29240 if (!opts.partial && result.addresses.length > 1) { return null; }
29241 return result.addresses && result.addresses[0];
29242 }
29243
29244 /////////////////////////////////////////////////////
29245
29246 var parseString, pos, len, parsed, startProduction;
29247
29248 opts = handleOpts(opts, {});
29249 if (opts === null) { return null; }
29250
29251 parseString = opts.input;
29252
29253 startProduction = {
29254 'address': address,
29255 'address-list': addressList,
29256 'angle-addr': angleAddr,
29257 'from': fromSpec,
29258 'group': group,
29259 'mailbox': mailbox,
29260 'mailbox-list': mailboxList,
29261 'reply-to': replyToSpec,
29262 'sender': senderSpec,
29263 }[opts.startAt] || addressList;
29264
29265 if (!opts.strict) {
29266 initialize();
29267 opts.strict = true;
29268 parsed = startProduction(parseString);
29269 if (opts.partial || !inStr()) {
29270 return giveResult(parsed);
29271 }
29272 opts.strict = false;
29273 }
29274
29275 initialize();
29276 parsed = startProduction(parseString);
29277 if (!opts.partial && inStr()) { return null; }
29278 return giveResult(parsed);
29279 }
29280
29281 function parseOneAddressSimple(opts) {
29282 return parse5322(handleOpts(opts, {
29283 oneResult: true,
29284 rfc6532: true,
29285 simple: true,
29286 startAt: 'address-list',
29287 }));
29288 }
29289
29290 function parseAddressListSimple(opts) {
29291 return parse5322(handleOpts(opts, {
29292 rfc6532: true,
29293 simple: true,
29294 startAt: 'address-list',
29295 }));
29296 }
29297
29298 function parseFromSimple(opts) {
29299 return parse5322(handleOpts(opts, {
29300 rfc6532: true,
29301 simple: true,
29302 startAt: 'from',
29303 }));
29304 }
29305
29306 function parseSenderSimple(opts) {
29307 return parse5322(handleOpts(opts, {
29308 oneResult: true,
29309 rfc6532: true,
29310 simple: true,
29311 startAt: 'sender',
29312 }));
29313 }
29314
29315 function parseReplyToSimple(opts) {
29316 return parse5322(handleOpts(opts, {
29317 rfc6532: true,
29318 simple: true,
29319 startAt: 'reply-to',
29320 }));
29321 }
29322
29323 function handleOpts(opts, defs) {
29324 function isString(str) {
29325 return Object.prototype.toString.call(str) === '[object String]';
29326 }
29327
29328 function isObject(o) {
29329 return o === Object(o);
29330 }
29331
29332 function isNullUndef(o) {
29333 return o === null || o === undefined;
29334 }
29335
29336 var defaults, o;
29337
29338 if (isString(opts)) {
29339 opts = { input: opts };
29340 } else if (!isObject(opts)) {
29341 return null;
29342 }
29343
29344 if (!isString(opts.input)) { return null; }
29345 if (!defs) { return null; }
29346
29347 defaults = {
29348 oneResult: false,
29349 partial: false,
29350 rejectTLD: false,
29351 rfc6532: false,
29352 simple: false,
29353 startAt: 'address-list',
29354 strict: false,
29355 atInDisplayName: false
29356 };
29357
29358 for (o in defaults) {
29359 if (isNullUndef(opts[o])) {
29360 opts[o] = !isNullUndef(defs[o]) ? defs[o] : defaults[o];
29361 }
29362 }
29363 return opts;
29364 }
29365
29366 parse5322.parseOneAddress = parseOneAddressSimple;
29367 parse5322.parseAddressList = parseAddressListSimple;
29368 parse5322.parseFrom = parseFromSimple;
29369 parse5322.parseSender = parseSenderSimple;
29370 parse5322.parseReplyTo = parseReplyToSimple;
29371
29372 {
29373 module.exports = parse5322;
29374 }
29375
29376 }());
29377 });
29378
29379 // GPG4Browsers - An OpenPGP implementation in javascript
29380
29381 /**
29382 * Implementation of the User ID Packet (Tag 13)
29383 *
29384 * A User ID packet consists of UTF-8 text that is intended to represent
29385 * the name and email address of the key holder. By convention, it
29386 * includes an RFC 2822 [RFC2822] mail name-addr, but there are no
29387 * restrictions on its content. The packet length in the header
29388 * specifies the length of the User ID.
29389 */
29390 class UserIDPacket {
29391 constructor() {
29392 this.tag = enums.packet.userID;
29393 /** A string containing the user id. Usually in the form
29394 * John Doe <john@example.com>
29395 * @type {String}
29396 */
29397 this.userid = '';
29398
29399 this.name = '';
29400 this.email = '';
29401 this.comment = '';
29402 }
29403
29404 /**
29405 * Create UserIDPacket instance from object
29406 * @param {Object} userId - Object specifying userId name, email and comment
29407 * @returns {UserIDPacket}
29408 * @static
29409 */
29410 static fromObject(userId) {
29411 if (util.isString(userId) ||
29412 (userId.name && !util.isString(userId.name)) ||
29413 (userId.email && !util.isEmailAddress(userId.email)) ||
29414 (userId.comment && !util.isString(userId.comment))) {
29415 throw new Error('Invalid user ID format');
29416 }
29417 const packet = new UserIDPacket();
29418 Object.assign(packet, userId);
29419 const components = [];
29420 if (packet.name) components.push(packet.name);
29421 if (packet.comment) components.push(`(${packet.comment})`);
29422 if (packet.email) components.push(`<${packet.email}>`);
29423 packet.userid = components.join(' ');
29424 return packet;
29425 }
29426
29427 /**
29428 * Parsing function for a user id packet (tag 13).
29429 * @param {Uint8Array} input - Payload of a tag 13 packet
29430 */
29431 read(bytes, config = defaultConfig) {
29432 const userid = util.decodeUtf8(bytes);
29433 if (userid.length > config.maxUseridLength) {
29434 throw new Error('User ID string is too long');
29435 }
29436 try {
29437 const { name, address: email, comments } = emailAddresses.parseOneAddress({ input: userid, atInDisplayName: true });
29438 this.comment = comments.replace(/^\(|\)$/g, '');
29439 this.name = name;
29440 this.email = email;
29441 } catch (e) {}
29442 this.userid = userid;
29443 }
29444
29445 /**
29446 * Creates a binary representation of the user id packet
29447 * @returns {Uint8Array} Binary representation.
29448 */
29449 write() {
29450 return util.encodeUtf8(this.userid);
29451 }
29452 }
29453
29454 // GPG4Browsers - An OpenPGP implementation in javascript
29455
29456 /**
29457 * A Secret-Subkey packet (tag 7) is the subkey analog of the Secret
29458 * Key packet and has exactly the same format.
29459 * @extends SecretKeyPacket
29460 */
29461 class SecretSubkeyPacket extends SecretKeyPacket {
29462 /**
29463 * @param {Date} [date] - Creation date
29464 * @param {Object} [config] - Full configuration, defaults to openpgp.config
29465 */
29466 constructor(date = new Date(), config = defaultConfig) {
29467 super(date, config);
29468 this.tag = enums.packet.secretSubkey;
29469 }
29470 }
29471
29472 /* eslint class-methods-use-this: ["error", { "exceptMethods": ["read"] }] */
29473
29474 /**
29475 * Implementation of the Trust Packet (Tag 12)
29476 *
29477 * {@link https://tools.ietf.org/html/rfc4880#section-5.10|RFC4880 5.10}:
29478 * The Trust packet is used only within keyrings and is not normally
29479 * exported. Trust packets contain data that record the user's
29480 * specifications of which key holders are trustworthy introducers,
29481 * along with other information that implementing software uses for
29482 * trust information. The format of Trust packets is defined by a given
29483 * implementation.
29484 *
29485 * Trust packets SHOULD NOT be emitted to output streams that are
29486 * transferred to other users, and they SHOULD be ignored on any input
29487 * other than local keyring files.
29488 */
29489 class TrustPacket {
29490 constructor() {
29491 this.tag = enums.packet.trust;
29492 }
29493
29494 /**
29495 * Parsing function for a trust packet (tag 12).
29496 * Currently not implemented as we ignore trust packets
29497 * @param {String} byptes - Payload of a tag 12 packet
29498 */
29499 read() {} // TODO
29500 }
29501
29502 /**
29503 * @fileoverview Exports all OpenPGP packet types
29504 * @module packet/all_packets
29505 * @private
29506 */
29507
29508 /**
29509 * Allocate a new packet
29510 * @function newPacketFromTag
29511 * @param {String} tag - Property name from {@link module:enums.packet}
29512 * @returns {Object} New packet object with type based on tag.
29513 */
29514 function newPacketFromTag(tag, allowedPackets) {
29515 const className = packetClassFromTagName(tag);
29516 if (!allowedPackets[className]) {
29517 throw new Error('Packet not allowed in this context: ' + className);
29518 }
29519 return new allowedPackets[className]();
29520 }
29521
29522 /**
29523 * Convert tag name to class name
29524 * @param {String} tag - Property name from {@link module:enums.packet}
29525 * @returns {String}
29526 * @private
29527 */
29528 function packetClassFromTagName(tag) {
29529 return tag.substr(0, 1).toUpperCase() + tag.substr(1) + 'Packet';
29530 }
29531
29532 /**
29533 * This class represents a list of openpgp packets.
29534 * Take care when iterating over it - the packets themselves
29535 * are stored as numerical indices.
29536 * @extends Array
29537 */
29538 class PacketList extends Array {
29539 /**
29540 * Reads a stream of binary data and interprets it as a list of packets.
29541 * @param {Uint8Array | ReadableStream<Uint8Array>} bytes - A Uint8Array of bytes.
29542 */
29543 async read(bytes, allowedPackets, streaming, config = defaultConfig) {
29544 this.stream = stream.transformPair(bytes, async (readable, writable) => {
29545 const writer = stream.getWriter(writable);
29546 try {
29547 while (true) {
29548 await writer.ready;
29549 const done = await readPackets(readable, streaming, async parsed => {
29550 try {
29551 const tag = enums.read(enums.packet, parsed.tag);
29552 const packet = newPacketFromTag(tag, allowedPackets);
29553 packet.packets = new PacketList();
29554 packet.fromStream = util.isStream(parsed.packet);
29555 await packet.read(parsed.packet, config, streaming);
29556 await writer.write(packet);
29557 } catch (e) {
29558 if (!config.tolerant || supportsStreaming(parsed.tag)) {
29559 // The packets that support streaming are the ones that contain
29560 // message data. Those are also the ones we want to be more strict
29561 // about and throw on parse errors for.
29562 await writer.abort(e);
29563 }
29564 util.printDebugError(e);
29565 }
29566 });
29567 if (done) {
29568 await writer.ready;
29569 await writer.close();
29570 return;
29571 }
29572 }
29573 } catch (e) {
29574 await writer.abort(e);
29575 }
29576 });
29577
29578 // Wait until first few packets have been read
29579 const reader = stream.getReader(this.stream);
29580 while (true) {
29581 const { done, value } = await reader.read();
29582 if (!done) {
29583 this.push(value);
29584 } else {
29585 this.stream = null;
29586 }
29587 if (done || supportsStreaming(value.tag)) {
29588 break;
29589 }
29590 }
29591 reader.releaseLock();
29592 }
29593
29594 /**
29595 * Creates a binary representation of openpgp objects contained within the
29596 * class instance.
29597 * @returns {Uint8Array} A Uint8Array containing valid openpgp packets.
29598 */
29599 write() {
29600 const arr = [];
29601
29602 for (let i = 0; i < this.length; i++) {
29603 const packetbytes = this[i].write();
29604 if (util.isStream(packetbytes) && supportsStreaming(this[i].tag)) {
29605 let buffer = [];
29606 let bufferLength = 0;
29607 const minLength = 512;
29608 arr.push(writeTag(this[i].tag));
29609 arr.push(stream.transform(packetbytes, value => {
29610 buffer.push(value);
29611 bufferLength += value.length;
29612 if (bufferLength >= minLength) {
29613 const powerOf2 = Math.min(Math.log(bufferLength) / Math.LN2 | 0, 30);
29614 const chunkSize = 2 ** powerOf2;
29615 const bufferConcat = util.concat([writePartialLength(powerOf2)].concat(buffer));
29616 buffer = [bufferConcat.subarray(1 + chunkSize)];
29617 bufferLength = buffer[0].length;
29618 return bufferConcat.subarray(0, 1 + chunkSize);
29619 }
29620 }, () => util.concat([writeSimpleLength(bufferLength)].concat(buffer))));
29621 } else {
29622 if (util.isStream(packetbytes)) {
29623 let length = 0;
29624 arr.push(stream.transform(stream.clone(packetbytes), value => {
29625 length += value.length;
29626 }, () => writeHeader(this[i].tag, length)));
29627 } else {
29628 arr.push(writeHeader(this[i].tag, packetbytes.length));
29629 }
29630 arr.push(packetbytes);
29631 }
29632 }
29633
29634 return util.concat(arr);
29635 }
29636
29637 /**
29638 * Adds a packet to the list. This is the only supported method of doing so;
29639 * writing to packetlist[i] directly will result in an error.
29640 * @param {Object} packet - Packet to push
29641 */
29642 push(packet) {
29643 if (!packet) {
29644 return;
29645 }
29646
29647 packet.packets = packet.packets || new PacketList();
29648
29649 super.push(packet);
29650 }
29651
29652 /**
29653 * Creates a new PacketList with all packets from the given types
29654 */
29655 filterByTag(...args) {
29656 const filtered = new PacketList();
29657
29658 const handle = tag => packetType => tag === packetType;
29659
29660 for (let i = 0; i < this.length; i++) {
29661 if (args.some(handle(this[i].tag))) {
29662 filtered.push(this[i]);
29663 }
29664 }
29665
29666 return filtered;
29667 }
29668
29669 /**
29670 * Traverses packet tree and returns first matching packet
29671 * @param {module:enums.packet} type - The packet type
29672 * @returns {Packet|undefined}
29673 */
29674 findPacket(type) {
29675 return this.find(packet => packet.tag === type);
29676 }
29677
29678 /**
29679 * Returns array of found indices by tag
29680 */
29681 indexOfTag(...args) {
29682 const tagIndex = [];
29683 const that = this;
29684
29685 const handle = tag => packetType => tag === packetType;
29686
29687 for (let i = 0; i < this.length; i++) {
29688 if (args.some(handle(that[i].tag))) {
29689 tagIndex.push(i);
29690 }
29691 }
29692 return tagIndex;
29693 }
29694
29695 /**
29696 * Concatenates packetlist or array of packets
29697 */
29698 concat(packetlist) {
29699 if (packetlist) {
29700 for (let i = 0; i < packetlist.length; i++) {
29701 this.push(packetlist[i]);
29702 }
29703 }
29704 return this;
29705 }
29706 }
29707
29708 // GPG4Browsers - An OpenPGP implementation in javascript
29709
29710 /**
29711 * Class that represents an OpenPGP signature.
29712 */
29713 class Signature {
29714 /**
29715 * @param {PacketList} packetlist - The signature packets
29716 */
29717 constructor(packetlist) {
29718 this.packets = packetlist || new PacketList();
29719 }
29720
29721 /**
29722 * Returns binary encoded signature
29723 * @returns {ReadableStream<Uint8Array>} Binary signature.
29724 */
29725 write() {
29726 return this.packets.write();
29727 }
29728
29729 /**
29730 * Returns ASCII armored text of signature
29731 * @param {Object} [config] - Full configuration, defaults to openpgp.config
29732 * @returns {ReadableStream<String>} ASCII armor.
29733 */
29734 armor(config = defaultConfig) {
29735 return armor(enums.armor.signature, this.write(), undefined, undefined, undefined, config);
29736 }
29737 }
29738
29739 /**
29740 * reads an (optionally armored) OpenPGP signature and returns a signature object
29741 * @param {Object} options
29742 * @param {String | ReadableStream<String>} [options.armoredSignature] - Armored signature to be parsed
29743 * @param {Uint8Array | ReadableStream<Uint8Array>} [options.binarySignature] - Binary signature to be parsed
29744 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
29745 * @returns {Signature} New signature object.
29746 * @async
29747 * @static
29748 */
29749 async function readSignature({ armoredSignature, binarySignature, config }) {
29750 config = { ...defaultConfig, ...config };
29751 let input = armoredSignature || binarySignature;
29752 if (!input) {
29753 throw new Error('readSignature: must pass options object containing `armoredSignature` or `binarySignature`');
29754 }
29755 if (armoredSignature) {
29756 const { type, data } = await unarmor(input, config);
29757 if (type !== enums.armor.signature) {
29758 throw new Error('Armored text not of type signature');
29759 }
29760 input = data;
29761 }
29762 const packetlist = new PacketList();
29763 await packetlist.read(input, { SignaturePacket }, undefined, config);
29764 return new Signature(packetlist);
29765 }
29766
29767 /**
29768 * @fileoverview Provides helpers methods for key module
29769 * @module key/helper
29770 * @private
29771 */
29772
29773 const allowedKeyPackets = {
29774 PublicKeyPacket,
29775 PublicSubkeyPacket,
29776 SecretKeyPacket,
29777 SecretSubkeyPacket,
29778 UserIDPacket,
29779 UserAttributePacket,
29780 SignaturePacket
29781 };
29782
29783 async function generateSecretSubkey(options, config) {
29784 const secretSubkeyPacket = new SecretSubkeyPacket(options.date, config);
29785 secretSubkeyPacket.packets = null;
29786 secretSubkeyPacket.algorithm = enums.read(enums.publicKey, options.algorithm);
29787 await secretSubkeyPacket.generate(options.rsaBits, options.curve);
29788 return secretSubkeyPacket;
29789 }
29790
29791 async function generateSecretKey(options, config) {
29792 const secretKeyPacket = new SecretKeyPacket(options.date, config);
29793 secretKeyPacket.packets = null;
29794 secretKeyPacket.algorithm = enums.read(enums.publicKey, options.algorithm);
29795 await secretKeyPacket.generate(options.rsaBits, options.curve, options.config);
29796 return secretKeyPacket;
29797 }
29798
29799 /**
29800 * Returns the valid and non-expired signature that has the latest creation date, while ignoring signatures created in the future.
29801 * @param {Array<SignaturePacket>} signatures - List of signatures
29802 * @param {Date} date - Use the given date instead of the current time
29803 * @param {Object} config - full configuration
29804 * @returns {SignaturePacket} The latest valid signature.
29805 * @async
29806 */
29807 async function getLatestValidSignature(signatures, primaryKey, signatureType, dataToVerify, date = new Date(), config) {
29808 let signature;
29809 let exception;
29810 for (let i = signatures.length - 1; i >= 0; i--) {
29811 try {
29812 if (
29813 (!signature || signatures[i].created >= signature.created) &&
29814 // check binding signature is not expired (ie, check for V4 expiration time)
29815 !signatures[i].isExpired(date)
29816 ) {
29817 // check binding signature is verified
29818 signatures[i].verified || await signatures[i].verify(primaryKey, signatureType, dataToVerify, undefined, undefined, config);
29819 signature = signatures[i];
29820 }
29821 } catch (e) {
29822 exception = e;
29823 }
29824 }
29825 if (!signature) {
29826 throw util.wrapError(
29827 `Could not find valid ${enums.read(enums.signature, signatureType)} signature in key ${primaryKey.getKeyId().toHex()}`
29828 .replace('certGeneric ', 'self-')
29829 .replace(/([a-z])([A-Z])/g, (_, $1, $2) => $1 + ' ' + $2.toLowerCase())
29830 , exception);
29831 }
29832 return signature;
29833 }
29834
29835 function isDataExpired(keyPacket, signature, date = new Date()) {
29836 const normDate = util.normalizeDate(date);
29837 if (normDate !== null) {
29838 const expirationTime = getExpirationTime(keyPacket, signature);
29839 return !(keyPacket.created <= normDate && normDate <= expirationTime) ||
29840 (signature && signature.isExpired(date));
29841 }
29842 return false;
29843 }
29844
29845 /**
29846 * Create Binding signature to the key according to the {@link https://tools.ietf.org/html/rfc4880#section-5.2.1}
29847 * @param {SecretSubkeyPacket} subkey - Subkey key packet
29848 * @param {SecretKeyPacket} primaryKey - Primary key packet
29849 * @param {Object} options
29850 * @param {Object} config - Full configuration
29851 */
29852 async function createBindingSignature(subkey, primaryKey, options, config) {
29853 const dataToSign = {};
29854 dataToSign.key = primaryKey;
29855 dataToSign.bind = subkey;
29856 const subkeySignaturePacket = new SignaturePacket(options.date);
29857 subkeySignaturePacket.signatureType = enums.signature.subkeyBinding;
29858 subkeySignaturePacket.publicKeyAlgorithm = primaryKey.algorithm;
29859 subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(null, subkey, undefined, undefined, config);
29860 if (options.sign) {
29861 subkeySignaturePacket.keyFlags = [enums.keyFlags.signData];
29862 subkeySignaturePacket.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
29863 signatureType: enums.signature.keyBinding
29864 }, options.date, undefined, undefined, undefined, config);
29865 } else {
29866 subkeySignaturePacket.keyFlags = [enums.keyFlags.encryptCommunication | enums.keyFlags.encryptStorage];
29867 }
29868 if (options.keyExpirationTime > 0) {
29869 subkeySignaturePacket.keyExpirationTime = options.keyExpirationTime;
29870 subkeySignaturePacket.keyNeverExpires = false;
29871 }
29872 await subkeySignaturePacket.sign(primaryKey, dataToSign);
29873 return subkeySignaturePacket;
29874 }
29875
29876 /**
29877 * Returns the preferred signature hash algorithm of a key
29878 * @param {Key} [key] - The key to get preferences from
29879 * @param {SecretKeyPacket|SecretSubkeyPacket} keyPacket - key packet used for signing
29880 * @param {Date} [date] - Use the given date for verification instead of the current time
29881 * @param {Object} [userId] - User ID
29882 * @param {Object} config - full configuration
29883 * @returns {String}
29884 * @async
29885 */
29886 async function getPreferredHashAlgo$1(key, keyPacket, date = new Date(), userId = {}, config) {
29887 let hash_algo = config.preferHashAlgorithm;
29888 let pref_algo = hash_algo;
29889 if (key) {
29890 const primaryUser = await key.getPrimaryUser(date, userId, config);
29891 if (primaryUser.selfCertification.preferredHashAlgorithms) {
29892 [pref_algo] = primaryUser.selfCertification.preferredHashAlgorithms;
29893 hash_algo = mod.hash.getHashByteLength(hash_algo) <= mod.hash.getHashByteLength(pref_algo) ?
29894 pref_algo : hash_algo;
29895 }
29896 }
29897 switch (Object.getPrototypeOf(keyPacket)) {
29898 case SecretKeyPacket.prototype:
29899 case PublicKeyPacket.prototype:
29900 case SecretSubkeyPacket.prototype:
29901 case PublicSubkeyPacket.prototype:
29902 switch (keyPacket.algorithm) {
29903 case 'ecdh':
29904 case 'ecdsa':
29905 case 'eddsa':
29906 pref_algo = mod.publicKey.elliptic.getPreferredHashAlgo(keyPacket.publicParams.oid);
29907 }
29908 }
29909 return mod.hash.getHashByteLength(hash_algo) <= mod.hash.getHashByteLength(pref_algo) ?
29910 pref_algo : hash_algo;
29911 }
29912
29913 /**
29914 * Returns the preferred symmetric/aead algorithm for a set of keys
29915 * @param {symmetric|aead} type - Type of preference to return
29916 * @param {Array<Key>} keys - Set of keys
29917 * @param {Date} [date] - Use the given date for verification instead of the current time
29918 * @param {Array} [userIds] - User IDs
29919 * @param {Object} [config] - Full configuration, defaults to openpgp.config
29920 * @returns {module:enums.symmetric} Preferred symmetric algorithm.
29921 * @async
29922 */
29923 async function getPreferredAlgo(type, keys, date = new Date(), userIds = [], config = defaultConfig) {
29924 const prefProperty = type === 'symmetric' ? 'preferredSymmetricAlgorithms' : 'preferredAeadAlgorithms';
29925 const defaultAlgo = type === 'symmetric' ? enums.symmetric.aes128 : enums.aead.eax;
29926 const prioMap = {};
29927 await Promise.all(keys.map(async function(key, i) {
29928 const primaryUser = await key.getPrimaryUser(date, userIds[i], config);
29929 if (!primaryUser.selfCertification[prefProperty]) {
29930 return defaultAlgo;
29931 }
29932 primaryUser.selfCertification[prefProperty].forEach(function(algo, index) {
29933 const entry = prioMap[algo] || (prioMap[algo] = { prio: 0, count: 0, algo: algo });
29934 entry.prio += 64 >> index;
29935 entry.count++;
29936 });
29937 }));
29938 let prefAlgo = { prio: 0, algo: defaultAlgo };
29939 Object.values(prioMap).forEach(({ prio, count, algo }) => {
29940 try {
29941 if (algo !== enums[type].plaintext &&
29942 algo !== enums[type].idea && // not implemented
29943 enums.read(enums[type], algo) && // known algorithm
29944 count === keys.length && // available for all keys
29945 prio > prefAlgo.prio) {
29946 prefAlgo = prioMap[algo];
29947 }
29948 } catch (e) {}
29949 });
29950 return prefAlgo.algo;
29951 }
29952
29953 /**
29954 * Create signature packet
29955 * @param {Object} dataToSign - Contains packets to be signed
29956 * @param {SecretKeyPacket|
29957 * SecretSubkeyPacket} signingKeyPacket secret key packet for signing
29958 * @param {Object} [signatureProperties] - Properties to write on the signature packet before signing
29959 * @param {Date} [date] - Override the creationtime of the signature
29960 * @param {Object} [userId] - User ID
29961 * @param {Object} [detached] - Whether to create a detached signature packet
29962 * @param {Boolean} [streaming] - Whether to process data as a stream
29963 * @param {Object} config - full configuration
29964 * @returns {SignaturePacket} Signature packet.
29965 * @async
29966 */
29967 async function createSignaturePacket(dataToSign, privateKey, signingKeyPacket, signatureProperties, date, userId, detached = false, streaming = false, config) {
29968 if (signingKeyPacket.isDummy()) {
29969 throw new Error('Cannot sign with a gnu-dummy key.');
29970 }
29971 if (!signingKeyPacket.isDecrypted()) {
29972 throw new Error('Private key is not decrypted.');
29973 }
29974 const signaturePacket = new SignaturePacket(date);
29975 Object.assign(signaturePacket, signatureProperties);
29976 signaturePacket.publicKeyAlgorithm = signingKeyPacket.algorithm;
29977 signaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(privateKey, signingKeyPacket, date, userId, config);
29978 await signaturePacket.sign(signingKeyPacket, dataToSign, detached, streaming);
29979 return signaturePacket;
29980 }
29981
29982 /**
29983 * Merges signatures from source[attr] to dest[attr]
29984 * @param {Object} source
29985 * @param {Object} dest
29986 * @param {String} attr
29987 * @param {Function} checkFn - optional, signature only merged if true
29988 */
29989 async function mergeSignatures(source, dest, attr, checkFn) {
29990 source = source[attr];
29991 if (source) {
29992 if (!dest[attr].length) {
29993 dest[attr] = source;
29994 } else {
29995 await Promise.all(source.map(async function(sourceSig) {
29996 if (!sourceSig.isExpired() && (!checkFn || await checkFn(sourceSig)) &&
29997 !dest[attr].some(function(destSig) {
29998 return util.equalsUint8Array(destSig.write_params(), sourceSig.write_params());
29999 })) {
30000 dest[attr].push(sourceSig);
30001 }
30002 }));
30003 }
30004 }
30005 }
30006
30007 /**
30008 * Checks if a given certificate or binding signature is revoked
30009 * @param {SecretKeyPacket|
30010 * PublicKeyPacket} primaryKey The primary key packet
30011 * @param {Object} dataToVerify - The data to check
30012 * @param {Array<SignaturePacket>} revocations - The revocation signatures to check
30013 * @param {SignaturePacket} signature - The certificate or signature to check
30014 * @param {PublicSubkeyPacket|
30015 * SecretSubkeyPacket|
30016 * PublicKeyPacket|
30017 * SecretKeyPacket} key, optional The key packet to check the signature
30018 * @param {Date} date - Use the given date instead of the current time
30019 * @param {Object} config - Full configuration
30020 * @returns {Boolean} True if the signature revokes the data.
30021 * @async
30022 */
30023 async function isDataRevoked(primaryKey, signatureType, dataToVerify, revocations, signature, key, date = new Date(), config) {
30024 key = key || primaryKey;
30025 const normDate = util.normalizeDate(date);
30026 const revocationKeyIds = [];
30027 await Promise.all(revocations.map(async function(revocationSignature) {
30028 try {
30029 if (
30030 // Note: a third-party revocation signature could legitimately revoke a
30031 // self-signature if the signature has an authorized revocation key.
30032 // However, we don't support passing authorized revocation keys, nor
30033 // verifying such revocation signatures. Instead, we indicate an error
30034 // when parsing a key with an authorized revocation key, and ignore
30035 // third-party revocation signatures here. (It could also be revoking a
30036 // third-party key certification, which should only affect
30037 // `verifyAllCertifications`.)
30038 (!signature || revocationSignature.issuerKeyId.equals(signature.issuerKeyId)) &&
30039 !(config.revocationsExpire && revocationSignature.isExpired(normDate))
30040 ) {
30041 revocationSignature.verified || await revocationSignature.verify(key, signatureType, dataToVerify, undefined, undefined, config);
30042
30043 // TODO get an identifier of the revoked object instead
30044 revocationKeyIds.push(revocationSignature.issuerKeyId);
30045 }
30046 } catch (e) {}
30047 }));
30048 // TODO further verify that this is the signature that should be revoked
30049 if (signature) {
30050 signature.revoked = revocationKeyIds.some(keyId => keyId.equals(signature.issuerKeyId)) ? true :
30051 signature.revoked || false;
30052 return signature.revoked;
30053 }
30054 return revocationKeyIds.length > 0;
30055 }
30056
30057 function getExpirationTime(keyPacket, signature) {
30058 let expirationTime;
30059 // check V4 expiration time
30060 if (signature.keyNeverExpires === false) {
30061 expirationTime = keyPacket.created.getTime() + signature.keyExpirationTime * 1000;
30062 }
30063 return expirationTime ? new Date(expirationTime) : Infinity;
30064 }
30065
30066 /**
30067 * Returns whether aead is supported by all keys in the set
30068 * @param {Array<Key>} keys - Set of keys
30069 * @param {Date} [date] - Use the given date for verification instead of the current time
30070 * @param {Array} [userIds] - User IDs
30071 * @param {Object} config - full configuration
30072 * @returns {Boolean}
30073 * @async
30074 */
30075 async function isAeadSupported(keys, date = new Date(), userIds = [], config = defaultConfig) {
30076 let supported = true;
30077 // TODO replace when Promise.some or Promise.any are implemented
30078 await Promise.all(keys.map(async function(key, i) {
30079 const primaryUser = await key.getPrimaryUser(date, userIds[i], config);
30080 if (!primaryUser.selfCertification.features ||
30081 !(primaryUser.selfCertification.features[0] & enums.features.aead)) {
30082 supported = false;
30083 }
30084 }));
30085 return supported;
30086 }
30087
30088 function sanitizeKeyOptions(options, subkeyDefaults = {}) {
30089 options.type = options.type || subkeyDefaults.type;
30090 options.curve = options.curve || subkeyDefaults.curve;
30091 options.rsaBits = options.rsaBits || subkeyDefaults.rsaBits;
30092 options.keyExpirationTime = options.keyExpirationTime !== undefined ? options.keyExpirationTime : subkeyDefaults.keyExpirationTime;
30093 options.passphrase = util.isString(options.passphrase) ? options.passphrase : subkeyDefaults.passphrase;
30094 options.date = options.date || subkeyDefaults.date;
30095
30096 options.sign = options.sign || false;
30097
30098 switch (options.type) {
30099 case 'ecc':
30100 try {
30101 options.curve = enums.write(enums.curve, options.curve);
30102 } catch (e) {
30103 throw new Error('Invalid curve');
30104 }
30105 if (options.curve === enums.curve.ed25519 || options.curve === enums.curve.curve25519) {
30106 options.curve = options.sign ? enums.curve.ed25519 : enums.curve.curve25519;
30107 }
30108 if (options.sign) {
30109 options.algorithm = options.curve === enums.curve.ed25519 ? enums.publicKey.eddsa : enums.publicKey.ecdsa;
30110 } else {
30111 options.algorithm = enums.publicKey.ecdh;
30112 }
30113 break;
30114 case 'rsa':
30115 options.algorithm = enums.publicKey.rsaEncryptSign;
30116 break;
30117 default:
30118 throw new Error(`Unsupported key type ${options.type}`);
30119 }
30120 return options;
30121 }
30122
30123 function isValidSigningKeyPacket(keyPacket, signature) {
30124 if (!signature.verified || signature.revoked !== false) { // Sanity check
30125 throw new Error('Signature not verified');
30126 }
30127 return keyPacket.algorithm !== enums.read(enums.publicKey, enums.publicKey.rsaEncrypt) &&
30128 keyPacket.algorithm !== enums.read(enums.publicKey, enums.publicKey.elgamal) &&
30129 keyPacket.algorithm !== enums.read(enums.publicKey, enums.publicKey.ecdh) &&
30130 (!signature.keyFlags ||
30131 (signature.keyFlags[0] & enums.keyFlags.signData) !== 0);
30132 }
30133
30134 function isValidEncryptionKeyPacket(keyPacket, signature) {
30135 if (!signature.verified || signature.revoked !== false) { // Sanity check
30136 throw new Error('Signature not verified');
30137 }
30138 return keyPacket.algorithm !== enums.read(enums.publicKey, enums.publicKey.dsa) &&
30139 keyPacket.algorithm !== enums.read(enums.publicKey, enums.publicKey.rsaSign) &&
30140 keyPacket.algorithm !== enums.read(enums.publicKey, enums.publicKey.ecdsa) &&
30141 keyPacket.algorithm !== enums.read(enums.publicKey, enums.publicKey.eddsa) &&
30142 (!signature.keyFlags ||
30143 (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||
30144 (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0);
30145 }
30146
30147 function isValidDecryptionKeyPacket(signature, config) {
30148 if (!signature.verified) { // Sanity check
30149 throw new Error('Signature not verified');
30150 }
30151
30152 if (config.allowInsecureDecryptionWithSigningKeys) {
30153 // This is only relevant for RSA keys, all other signing ciphers cannot decrypt
30154 return true;
30155 }
30156
30157 return !signature.keyFlags ||
30158 (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||
30159 (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0;
30160 }
30161
30162 /**
30163 * @module key/User
30164 * @private
30165 */
30166
30167 /**
30168 * Class that represents an user ID or attribute packet and the relevant signatures.
30169 */
30170 class User {
30171 constructor(userPacket) {
30172 if (!(this instanceof User)) {
30173 return new User(userPacket);
30174 }
30175 this.userId = userPacket.tag === enums.packet.userID ? userPacket : null;
30176 this.userAttribute = userPacket.tag === enums.packet.userAttribute ? userPacket : null;
30177 this.selfCertifications = [];
30178 this.otherCertifications = [];
30179 this.revocationSignatures = [];
30180 }
30181
30182 /**
30183 * Transforms structured user data to packetlist
30184 * @returns {PacketList}
30185 */
30186 toPacketlist() {
30187 const packetlist = new PacketList();
30188 packetlist.push(this.userId || this.userAttribute);
30189 packetlist.concat(this.revocationSignatures);
30190 packetlist.concat(this.selfCertifications);
30191 packetlist.concat(this.otherCertifications);
30192 return packetlist;
30193 }
30194
30195 /**
30196 * Signs user
30197 * @param {SecretKeyPacket|
30198 * PublicKeyPacket} primaryKey The primary key packet
30199 * @param {Array<Key>} privateKeys - Decrypted private keys for signing
30200 * @param {Object} config - Full configuration
30201 * @returns {Key} New user with new certificate signatures.
30202 * @async
30203 */
30204 async sign(primaryKey, privateKeys, config) {
30205 const dataToSign = {
30206 userId: this.userId,
30207 userAttribute: this.userAttribute,
30208 key: primaryKey
30209 };
30210 const user = new User(dataToSign.userId || dataToSign.userAttribute);
30211 user.otherCertifications = await Promise.all(privateKeys.map(async function(privateKey) {
30212 if (privateKey.isPublic()) {
30213 throw new Error('Need private key for signing');
30214 }
30215 if (privateKey.hasSameFingerprintAs(primaryKey)) {
30216 throw new Error('Not implemented for self signing');
30217 }
30218 const signingKey = await privateKey.getSigningKey(undefined, undefined, undefined, config);
30219 return createSignaturePacket(dataToSign, privateKey, signingKey.keyPacket, {
30220 // Most OpenPGP implementations use generic certification (0x10)
30221 signatureType: enums.signature.certGeneric,
30222 keyFlags: [enums.keyFlags.certifyKeys | enums.keyFlags.signData]
30223 }, undefined, undefined, undefined, undefined, config);
30224 }));
30225 await user.update(this, primaryKey);
30226 return user;
30227 }
30228
30229 /**
30230 * Checks if a given certificate of the user is revoked
30231 * @param {SecretKeyPacket|
30232 * PublicKeyPacket} primaryKey The primary key packet
30233 * @param {SignaturePacket} certificate - The certificate to verify
30234 * @param {PublicSubkeyPacket|
30235 * SecretSubkeyPacket|
30236 * PublicKeyPacket|
30237 * SecretKeyPacket} key, optional The key to verify the signature
30238 * @param {Date} date - Use the given date instead of the current time
30239 * @param {Object} config - Full configuration
30240 * @returns {Boolean} True if the certificate is revoked.
30241 * @async
30242 */
30243 async isRevoked(primaryKey, certificate, key, date = new Date(), config) {
30244 return isDataRevoked(
30245 primaryKey, enums.signature.certRevocation, {
30246 key: primaryKey,
30247 userId: this.userId,
30248 userAttribute: this.userAttribute
30249 }, this.revocationSignatures, certificate, key, date, config
30250 );
30251 }
30252
30253 /**
30254 * Verifies the user certificate. Throws if the user certificate is invalid.
30255 * @param {SecretKeyPacket|
30256 * PublicKeyPacket} primaryKey The primary key packet
30257 * @param {SignaturePacket} certificate - A certificate of this user
30258 * @param {Array<Key>} keys - Array of keys to verify certificate signatures
30259 * @param {Date} date - Use the given date instead of the current time
30260 * @param {Object} config - Full configuration
30261 * @returns {true|null} Status of the certificate.
30262 * @async
30263 */
30264 async verifyCertificate(primaryKey, certificate, keys, date = new Date(), config) {
30265 const that = this;
30266 const keyid = certificate.issuerKeyId;
30267 const dataToVerify = {
30268 userId: this.userId,
30269 userAttribute: this.userAttribute,
30270 key: primaryKey
30271 };
30272 const results = await Promise.all(keys.map(async function(key) {
30273 if (!key.getKeyIds().some(id => id.equals(keyid))) {
30274 return null;
30275 }
30276 const signingKey = await key.getSigningKey(keyid, date, undefined, config);
30277 if (certificate.revoked || await that.isRevoked(primaryKey, certificate, signingKey.keyPacket, date, config)) {
30278 throw new Error('User certificate is revoked');
30279 }
30280 try {
30281 certificate.verified || await certificate.verify(signingKey.keyPacket, enums.signature.certGeneric, dataToVerify, undefined, undefined, config);
30282 } catch (e) {
30283 throw util.wrapError('User certificate is invalid', e);
30284 }
30285 if (certificate.isExpired(date)) {
30286 throw new Error('User certificate is expired');
30287 }
30288 return true;
30289 }));
30290 return results.find(result => result !== null) || null;
30291 }
30292
30293 /**
30294 * Verifies all user certificates
30295 * @param {SecretKeyPacket|
30296 * PublicKeyPacket} primaryKey The primary key packet
30297 * @param {Array<Key>} keys - Array of keys to verify certificate signatures
30298 * @param {Date} date - Use the given date instead of the current time
30299 * @param {Object} config - Full configuration
30300 * @returns {Promise<Array<{keyid: module:type/keyid~Keyid,
30301 * valid: Boolean}>>} List of signer's keyid and validity of signature
30302 * @async
30303 */
30304 async verifyAllCertifications(primaryKey, keys, date = new Date(), config) {
30305 const that = this;
30306 const certifications = this.selfCertifications.concat(this.otherCertifications);
30307 return Promise.all(certifications.map(async function(certification) {
30308 return {
30309 keyid: certification.issuerKeyId,
30310 valid: await that.verifyCertificate(primaryKey, certification, keys, date, config).catch(() => false)
30311 };
30312 }));
30313 }
30314
30315 /**
30316 * Verify User. Checks for existence of self signatures, revocation signatures
30317 * and validity of self signature.
30318 * @param {SecretKeyPacket|
30319 * PublicKeyPacket} primaryKey The primary key packet
30320 * @param {Date} date - Use the given date instead of the current time
30321 * @param {Object} config - Full configuration
30322 * @returns {true} Status of user.
30323 * @throws {Error} if there are no valid self signatures.
30324 * @async
30325 */
30326 async verify(primaryKey, date = new Date(), config) {
30327 if (!this.selfCertifications.length) {
30328 throw new Error('No self-certifications');
30329 }
30330 const that = this;
30331 const dataToVerify = {
30332 userId: this.userId,
30333 userAttribute: this.userAttribute,
30334 key: primaryKey
30335 };
30336 // TODO replace when Promise.some or Promise.any are implemented
30337 let exception;
30338 for (let i = this.selfCertifications.length - 1; i >= 0; i--) {
30339 try {
30340 const selfCertification = this.selfCertifications[i];
30341 if (selfCertification.revoked || await that.isRevoked(primaryKey, selfCertification, undefined, date, config)) {
30342 throw new Error('Self-certification is revoked');
30343 }
30344 try {
30345 selfCertification.verified || await selfCertification.verify(primaryKey, enums.signature.certGeneric, dataToVerify, undefined, undefined, config);
30346 } catch (e) {
30347 throw util.wrapError('Self-certification is invalid', e);
30348 }
30349 if (selfCertification.isExpired(date)) {
30350 throw new Error('Self-certification is expired');
30351 }
30352 return true;
30353 } catch (e) {
30354 exception = e;
30355 }
30356 }
30357 throw exception;
30358 }
30359
30360 /**
30361 * Update user with new components from specified user
30362 * @param {User} user - Source user to merge
30363 * @param {SecretKeyPacket|
30364 * SecretSubkeyPacket} primaryKey primary key used for validation
30365 * @param {Object} config - Full configuration
30366 * @returns {undefined}
30367 * @async
30368 */
30369 async update(user, primaryKey, config) {
30370 const dataToVerify = {
30371 userId: this.userId,
30372 userAttribute: this.userAttribute,
30373 key: primaryKey
30374 };
30375 // self signatures
30376 await mergeSignatures(user, this, 'selfCertifications', async function(srcSelfSig) {
30377 try {
30378 srcSelfSig.verified || await srcSelfSig.verify(primaryKey, enums.signature.certGeneric, dataToVerify, undefined, undefined, config);
30379 return true;
30380 } catch (e) {
30381 return false;
30382 }
30383 });
30384 // other signatures
30385 await mergeSignatures(user, this, 'otherCertifications');
30386 // revocation signatures
30387 await mergeSignatures(user, this, 'revocationSignatures', function(srcRevSig) {
30388 return isDataRevoked(primaryKey, enums.signature.certRevocation, dataToVerify, [srcRevSig], undefined, undefined, undefined, config);
30389 });
30390 }
30391 }
30392
30393 /**
30394 * @module key/SubKey
30395 * @private
30396 */
30397
30398 /**
30399 * Class that represents a subkey packet and the relevant signatures.
30400 * @borrows PublicSubkeyPacket#getKeyId as SubKey#getKeyId
30401 * @borrows PublicSubkeyPacket#getFingerprint as SubKey#getFingerprint
30402 * @borrows PublicSubkeyPacket#hasSameFingerprintAs as SubKey#hasSameFingerprintAs
30403 * @borrows PublicSubkeyPacket#getAlgorithmInfo as SubKey#getAlgorithmInfo
30404 * @borrows PublicSubkeyPacket#getCreationTime as SubKey#getCreationTime
30405 * @borrows PublicSubkeyPacket#isDecrypted as SubKey#isDecrypted
30406 */
30407 class SubKey {
30408 constructor(subKeyPacket) {
30409 if (!(this instanceof SubKey)) {
30410 return new SubKey(subKeyPacket);
30411 }
30412 this.keyPacket = subKeyPacket;
30413 this.bindingSignatures = [];
30414 this.revocationSignatures = [];
30415 }
30416
30417 /**
30418 * Transforms structured subkey data to packetlist
30419 * @returns {PacketList}
30420 */
30421 toPacketlist() {
30422 const packetlist = new PacketList();
30423 packetlist.push(this.keyPacket);
30424 packetlist.concat(this.revocationSignatures);
30425 packetlist.concat(this.bindingSignatures);
30426 return packetlist;
30427 }
30428
30429 /**
30430 * Checks if a binding signature of a subkey is revoked
30431 * @param {SecretKeyPacket|
30432 * PublicKeyPacket} primaryKey The primary key packet
30433 * @param {SignaturePacket} signature - The binding signature to verify
30434 * @param {PublicSubkeyPacket|
30435 * SecretSubkeyPacket|
30436 * PublicKeyPacket|
30437 * SecretKeyPacket} key, optional The key to verify the signature
30438 * @param {Date} date - Use the given date instead of the current time
30439 * @param {Object} [config] - Full configuration, defaults to openpgp.config
30440 * @returns {Boolean} True if the binding signature is revoked.
30441 * @async
30442 */
30443 async isRevoked(primaryKey, signature, key, date = new Date(), config = defaultConfig) {
30444 return isDataRevoked(
30445 primaryKey, enums.signature.subkeyRevocation, {
30446 key: primaryKey,
30447 bind: this.keyPacket
30448 }, this.revocationSignatures, signature, key, date, config
30449 );
30450 }
30451
30452 /**
30453 * Verify subkey. Checks for revocation signatures, expiration time
30454 * and valid binding signature.
30455 * @param {SecretKeyPacket|
30456 * PublicKeyPacket} primaryKey The primary key packet
30457 * @param {Date} date - Use the given date instead of the current time
30458 * @param {Object} [config] - Full configuration, defaults to openpgp.config
30459 * @returns {SignaturePacket}
30460 * @throws {Error} if the subkey is invalid.
30461 * @async
30462 */
30463 async verify(primaryKey, date = new Date(), config = defaultConfig) {
30464 const dataToVerify = { key: primaryKey, bind: this.keyPacket };
30465 // check subkey binding signatures
30466 const bindingSignature = await getLatestValidSignature(this.bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config);
30467 // check binding signature is not revoked
30468 if (bindingSignature.revoked || await this.isRevoked(primaryKey, bindingSignature, null, date, config)) {
30469 throw new Error('Subkey is revoked');
30470 }
30471 // check for expiration time
30472 if (isDataExpired(this.keyPacket, bindingSignature, date)) {
30473 throw new Error('Subkey is expired');
30474 }
30475 return bindingSignature;
30476 }
30477
30478 /**
30479 * Returns the expiration time of the subkey or Infinity if key does not expire
30480 * Returns null if the subkey is invalid.
30481 * @param {SecretKeyPacket|
30482 * PublicKeyPacket} primaryKey The primary key packet
30483 * @param {Date} date - Use the given date instead of the current time
30484 * @param {Object} [config] - Full configuration, defaults to openpgp.config
30485 * @returns {Date | Infinity | null}
30486 * @async
30487 */
30488 async getExpirationTime(primaryKey, date = new Date(), config = defaultConfig) {
30489 const dataToVerify = { key: primaryKey, bind: this.keyPacket };
30490 let bindingSignature;
30491 try {
30492 bindingSignature = await getLatestValidSignature(this.bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config);
30493 } catch (e) {
30494 return null;
30495 }
30496 const keyExpiry = getExpirationTime(this.keyPacket, bindingSignature);
30497 const sigExpiry = bindingSignature.getExpirationTime();
30498 return keyExpiry < sigExpiry ? keyExpiry : sigExpiry;
30499 }
30500
30501 /**
30502 * Update subkey with new components from specified subkey
30503 * @param {SubKey} subKey - Source subkey to merge
30504 * @param {SecretKeyPacket|
30505 SecretSubkeyPacket} primaryKey primary key used for validation
30506 * @param {Object} [config] - Full configuration, defaults to openpgp.config
30507 * @throws {Error} if update failed
30508 * @async
30509 */
30510 async update(subKey, primaryKey, config = defaultConfig) {
30511 if (!this.hasSameFingerprintAs(subKey)) {
30512 throw new Error('SubKey update method: fingerprints of subkeys not equal');
30513 }
30514 // key packet
30515 if (this.keyPacket.tag === enums.packet.publicSubkey &&
30516 subKey.keyPacket.tag === enums.packet.secretSubkey) {
30517 this.keyPacket = subKey.keyPacket;
30518 }
30519 // update missing binding signatures
30520 const that = this;
30521 const dataToVerify = { key: primaryKey, bind: that.keyPacket };
30522 await mergeSignatures(subKey, this, 'bindingSignatures', async function(srcBindSig) {
30523 for (let i = 0; i < that.bindingSignatures.length; i++) {
30524 if (that.bindingSignatures[i].issuerKeyId.equals(srcBindSig.issuerKeyId)) {
30525 if (srcBindSig.created > that.bindingSignatures[i].created) {
30526 that.bindingSignatures[i] = srcBindSig;
30527 }
30528 return false;
30529 }
30530 }
30531 try {
30532 srcBindSig.verified || await srcBindSig.verify(primaryKey, enums.signature.subkeyBinding, dataToVerify, undefined, undefined, config);
30533 return true;
30534 } catch (e) {
30535 return false;
30536 }
30537 });
30538 // revocation signatures
30539 await mergeSignatures(subKey, this, 'revocationSignatures', function(srcRevSig) {
30540 return isDataRevoked(primaryKey, enums.signature.subkeyRevocation, dataToVerify, [srcRevSig], undefined, undefined, undefined, config);
30541 });
30542 }
30543
30544 /**
30545 * Revokes the subkey
30546 * @param {SecretKeyPacket} primaryKey - decrypted private primary key for revocation
30547 * @param {Object} reasonForRevocation - optional, object indicating the reason for revocation
30548 * @param {module:enums.reasonForRevocation} reasonForRevocation.flag optional, flag indicating the reason for revocation
30549 * @param {String} reasonForRevocation.string optional, string explaining the reason for revocation
30550 * @param {Date} date - optional, override the creationtime of the revocation signature
30551 * @param {Object} [config] - Full configuration, defaults to openpgp.config
30552 * @returns {SubKey} New subkey with revocation signature.
30553 * @async
30554 */
30555 async revoke(
30556 primaryKey,
30557 {
30558 flag: reasonForRevocationFlag = enums.reasonForRevocation.noReason,
30559 string: reasonForRevocationString = ''
30560 } = {},
30561 date = new Date(),
30562 config = defaultConfig
30563 ) {
30564 const dataToSign = { key: primaryKey, bind: this.keyPacket };
30565 const subKey = new SubKey(this.keyPacket);
30566 subKey.revocationSignatures.push(await createSignaturePacket(dataToSign, null, primaryKey, {
30567 signatureType: enums.signature.subkeyRevocation,
30568 reasonForRevocationFlag: enums.write(enums.reasonForRevocation, reasonForRevocationFlag),
30569 reasonForRevocationString
30570 }, date, undefined, undefined, undefined, config));
30571 await subKey.update(this, primaryKey);
30572 return subKey;
30573 }
30574
30575 hasSameFingerprintAs(other) {
30576 return this.keyPacket.hasSameFingerprintAs(other.keyPacket || other);
30577 }
30578 }
30579
30580 ['getKeyId', 'getFingerprint', 'getAlgorithmInfo', 'getCreationTime', 'isDecrypted'].forEach(name => {
30581 SubKey.prototype[name] =
30582 function() {
30583 return this.keyPacket[name]();
30584 };
30585 });
30586
30587 // GPG4Browsers - An OpenPGP implementation in javascript
30588
30589 /**
30590 * Class that represents an OpenPGP key. Must contain a primary key.
30591 * Can contain additional subkeys, signatures, user ids, user attributes.
30592 * @borrows PublicKeyPacket#getKeyId as Key#getKeyId
30593 * @borrows PublicKeyPacket#getFingerprint as Key#getFingerprint
30594 * @borrows PublicKeyPacket#hasSameFingerprintAs as Key#hasSameFingerprintAs
30595 * @borrows PublicKeyPacket#getAlgorithmInfo as Key#getAlgorithmInfo
30596 * @borrows PublicKeyPacket#getCreationTime as Key#getCreationTime
30597 */
30598 class Key {
30599 /**
30600 * @param {PacketList} packetlist - The packets that form this key
30601 */
30602 constructor(packetlist) {
30603 if (!(this instanceof Key)) {
30604 return new Key(packetlist);
30605 }
30606 // same data as in packetlist but in structured form
30607 this.keyPacket = null;
30608 this.revocationSignatures = [];
30609 this.directSignatures = [];
30610 this.users = [];
30611 this.subKeys = [];
30612 this.packetlist2structure(packetlist);
30613 if (!this.keyPacket) {
30614 throw new Error('Invalid key: need at least key packet');
30615 }
30616 }
30617
30618 get primaryKey() {
30619 return this.keyPacket;
30620 }
30621
30622 /**
30623 * Transforms packetlist to structured key data
30624 * @param {PacketList} packetlist - The packets that form a key
30625 */
30626 packetlist2structure(packetlist) {
30627 let user;
30628 let primaryKeyId;
30629 let subKey;
30630 for (let i = 0; i < packetlist.length; i++) {
30631 switch (packetlist[i].tag) {
30632 case enums.packet.publicKey:
30633 case enums.packet.secretKey:
30634 if (this.keyPacket) {
30635 throw new Error('Key block contains multiple keys');
30636 }
30637 this.keyPacket = packetlist[i];
30638 primaryKeyId = this.getKeyId();
30639 break;
30640 case enums.packet.userID:
30641 case enums.packet.userAttribute:
30642 user = new User(packetlist[i]);
30643 this.users.push(user);
30644 break;
30645 case enums.packet.publicSubkey:
30646 case enums.packet.secretSubkey:
30647 user = null;
30648 subKey = new SubKey(packetlist[i]);
30649 this.subKeys.push(subKey);
30650 break;
30651 case enums.packet.signature:
30652 switch (packetlist[i].signatureType) {
30653 case enums.signature.certGeneric:
30654 case enums.signature.certPersona:
30655 case enums.signature.certCasual:
30656 case enums.signature.certPositive:
30657 if (!user) {
30658 util.printDebug('Dropping certification signatures without preceding user packet');
30659 continue;
30660 }
30661 if (packetlist[i].issuerKeyId.equals(primaryKeyId)) {
30662 user.selfCertifications.push(packetlist[i]);
30663 } else {
30664 user.otherCertifications.push(packetlist[i]);
30665 }
30666 break;
30667 case enums.signature.certRevocation:
30668 if (user) {
30669 user.revocationSignatures.push(packetlist[i]);
30670 } else {
30671 this.directSignatures.push(packetlist[i]);
30672 }
30673 break;
30674 case enums.signature.key:
30675 this.directSignatures.push(packetlist[i]);
30676 break;
30677 case enums.signature.subkeyBinding:
30678 if (!subKey) {
30679 util.printDebug('Dropping subkey binding signature without preceding subkey packet');
30680 continue;
30681 }
30682 subKey.bindingSignatures.push(packetlist[i]);
30683 break;
30684 case enums.signature.keyRevocation:
30685 this.revocationSignatures.push(packetlist[i]);
30686 break;
30687 case enums.signature.subkeyRevocation:
30688 if (!subKey) {
30689 util.printDebug('Dropping subkey revocation signature without preceding subkey packet');
30690 continue;
30691 }
30692 subKey.revocationSignatures.push(packetlist[i]);
30693 break;
30694 }
30695 break;
30696 }
30697 }
30698 }
30699
30700 /**
30701 * Transforms structured key data to packetlist
30702 * @returns {PacketList} The packets that form a key.
30703 */
30704 toPacketlist() {
30705 const packetlist = new PacketList();
30706 packetlist.push(this.keyPacket);
30707 packetlist.concat(this.revocationSignatures);
30708 packetlist.concat(this.directSignatures);
30709 this.users.map(user => packetlist.concat(user.toPacketlist()));
30710 this.subKeys.map(subKey => packetlist.concat(subKey.toPacketlist()));
30711 return packetlist;
30712 }
30713
30714 /**
30715 * Clones the key object
30716 * @returns {Key} Shallow clone of the key.
30717 * @async
30718 */
30719 async clone() {
30720 return new Key(this.toPacketlist());
30721 }
30722
30723 /**
30724 * Returns an array containing all public or private subkeys matching keyId;
30725 * If keyId is not present, returns all subkeys.
30726 * @param {type/keyid} keyId
30727 * @returns {Array<SubKey>}
30728 */
30729 getSubkeys(keyId = null) {
30730 const subKeys = [];
30731 this.subKeys.forEach(subKey => {
30732 if (!keyId || subKey.getKeyId().equals(keyId, true)) {
30733 subKeys.push(subKey);
30734 }
30735 });
30736 return subKeys;
30737 }
30738
30739 /**
30740 * Returns an array containing all public or private keys matching keyId.
30741 * If keyId is not present, returns all keys starting with the primary key.
30742 * @param {type/keyid} keyId
30743 * @returns {Array<Key|SubKey>}
30744 */
30745 getKeys(keyId = null) {
30746 const keys = [];
30747 if (!keyId || this.getKeyId().equals(keyId, true)) {
30748 keys.push(this);
30749 }
30750 return keys.concat(this.getSubkeys(keyId));
30751 }
30752
30753 /**
30754 * Returns key IDs of all keys
30755 * @returns {Array<module:type/keyid~Keyid>}
30756 */
30757 getKeyIds() {
30758 return this.getKeys().map(key => key.getKeyId());
30759 }
30760
30761 /**
30762 * Returns userids
30763 * @returns {Array<string>} Array of userids.
30764 */
30765 getUserIds() {
30766 return this.users.map(user => {
30767 return user.userId ? user.userId.userid : null;
30768 }).filter(userid => userid !== null);
30769 }
30770
30771 /**
30772 * Returns true if this is a public key
30773 * @returns {Boolean}
30774 */
30775 isPublic() {
30776 return this.keyPacket.tag === enums.packet.publicKey;
30777 }
30778
30779 /**
30780 * Returns true if this is a private key
30781 * @returns {Boolean}
30782 */
30783 isPrivate() {
30784 return this.keyPacket.tag === enums.packet.secretKey;
30785 }
30786
30787 /**
30788 * Returns key as public key (shallow copy)
30789 * @param {Object} [config] - Full configuration, defaults to openpgp.config
30790 * @returns {Key} New public Key.
30791 */
30792 toPublic() {
30793 const packetlist = new PacketList();
30794 const keyPackets = this.toPacketlist();
30795 let bytes;
30796 let pubKeyPacket;
30797 let pubSubkeyPacket;
30798 for (let i = 0; i < keyPackets.length; i++) {
30799 switch (keyPackets[i].tag) {
30800 case enums.packet.secretKey:
30801 bytes = keyPackets[i].writePublicKey();
30802 pubKeyPacket = new PublicKeyPacket();
30803 pubKeyPacket.read(bytes);
30804 packetlist.push(pubKeyPacket);
30805 break;
30806 case enums.packet.secretSubkey:
30807 bytes = keyPackets[i].writePublicKey();
30808 pubSubkeyPacket = new PublicSubkeyPacket();
30809 pubSubkeyPacket.read(bytes);
30810 packetlist.push(pubSubkeyPacket);
30811 break;
30812 default:
30813 packetlist.push(keyPackets[i]);
30814 }
30815 }
30816 return new Key(packetlist);
30817 }
30818
30819 /**
30820 * Returns ASCII armored text of key
30821 * @param {Object} [config] - Full configuration, defaults to openpgp.config
30822 * @returns {ReadableStream<String>} ASCII armor.
30823 */
30824 armor(config = defaultConfig) {
30825 const type = this.isPublic() ? enums.armor.publicKey : enums.armor.privateKey;
30826 return armor(type, this.toPacketlist().write(), undefined, undefined, undefined, config);
30827 }
30828
30829 /**
30830 * Returns last created key or key by given keyId that is available for signing and verification
30831 * @param {module:type/keyid~Keyid} keyId, optional
30832 * @param {Date} [date] - Use the given date for verification instead of the current time
30833 * @param {Object} userId, optional user ID
30834 * @param {Object} [config] - Full configuration, defaults to openpgp.config
30835 * @returns {Key|SubKey|null} Key or null if no signing key has been found.
30836 * @async
30837 */
30838 async getSigningKey(keyId = null, date = new Date(), userId = {}, config = defaultConfig) {
30839 await this.verifyPrimaryKey(date, userId, config);
30840 const primaryKey = this.keyPacket;
30841 const subKeys = this.subKeys.slice().sort((a, b) => b.keyPacket.created - a.keyPacket.created);
30842 let exception;
30843 for (let i = 0; i < subKeys.length; i++) {
30844 if (!keyId || subKeys[i].getKeyId().equals(keyId)) {
30845 try {
30846 await subKeys[i].verify(primaryKey, date, config);
30847 const dataToVerify = { key: primaryKey, bind: subKeys[i].keyPacket };
30848 const bindingSignature = await getLatestValidSignature(subKeys[i].bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config);
30849 if (
30850 bindingSignature &&
30851 bindingSignature.embeddedSignature &&
30852 isValidSigningKeyPacket(subKeys[i].keyPacket, bindingSignature) &&
30853 await getLatestValidSignature([bindingSignature.embeddedSignature], subKeys[i].keyPacket, enums.signature.keyBinding, dataToVerify, date, config)
30854 ) {
30855 return subKeys[i];
30856 }
30857 } catch (e) {
30858 exception = e;
30859 }
30860 }
30861 }
30862 const primaryUser = await this.getPrimaryUser(date, userId, config);
30863 if ((!keyId || primaryKey.getKeyId().equals(keyId)) &&
30864 isValidSigningKeyPacket(primaryKey, primaryUser.selfCertification)) {
30865 return this;
30866 }
30867 throw util.wrapError('Could not find valid signing key packet in key ' + this.getKeyId().toHex(), exception);
30868 }
30869
30870 /**
30871 * Returns last created key or key by given keyId that is available for encryption or decryption
30872 * @param {module:type/keyid~Keyid} keyId, optional
30873 * @param {Date} date, optional
30874 * @param {String} userId, optional
30875 * @param {Object} [config] - Full configuration, defaults to openpgp.config
30876 * @returns {Key|SubKey|null} Key or null if no encryption key has been found.
30877 * @async
30878 */
30879 async getEncryptionKey(keyId, date = new Date(), userId = {}, config = defaultConfig) {
30880 await this.verifyPrimaryKey(date, userId, config);
30881 const primaryKey = this.keyPacket;
30882 // V4: by convention subkeys are preferred for encryption service
30883 const subKeys = this.subKeys.slice().sort((a, b) => b.keyPacket.created - a.keyPacket.created);
30884 let exception;
30885 for (let i = 0; i < subKeys.length; i++) {
30886 if (!keyId || subKeys[i].getKeyId().equals(keyId)) {
30887 try {
30888 await subKeys[i].verify(primaryKey, date, config);
30889 const dataToVerify = { key: primaryKey, bind: subKeys[i].keyPacket };
30890 const bindingSignature = await getLatestValidSignature(subKeys[i].bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config);
30891 if (bindingSignature && isValidEncryptionKeyPacket(subKeys[i].keyPacket, bindingSignature)) {
30892 return subKeys[i];
30893 }
30894 } catch (e) {
30895 exception = e;
30896 }
30897 }
30898 }
30899 // if no valid subkey for encryption, evaluate primary key
30900 const primaryUser = await this.getPrimaryUser(date, userId, config);
30901 if ((!keyId || primaryKey.getKeyId().equals(keyId)) &&
30902 isValidEncryptionKeyPacket(primaryKey, primaryUser.selfCertification)) {
30903 return this;
30904 }
30905 throw util.wrapError('Could not find valid encryption key packet in key ' + this.getKeyId().toHex(), exception);
30906 }
30907
30908 /**
30909 * Returns all keys that are available for decryption, matching the keyId when given
30910 * This is useful to retrieve keys for session key decryption
30911 * @param {module:type/keyid~Keyid} keyId, optional
30912 * @param {Date} date, optional
30913 * @param {String} userId, optional
30914 * @param {Object} [config] - Full configuration, defaults to openpgp.config
30915 * @returns {Array<Key|SubKey>} Array of decryption keys.
30916 * @async
30917 */
30918 async getDecryptionKeys(keyId, date = new Date(), userId = {}, config = defaultConfig) {
30919 const primaryKey = this.keyPacket;
30920 const keys = [];
30921 for (let i = 0; i < this.subKeys.length; i++) {
30922 if (!keyId || this.subKeys[i].getKeyId().equals(keyId, true)) {
30923 try {
30924 const dataToVerify = { key: primaryKey, bind: this.subKeys[i].keyPacket };
30925 const bindingSignature = await getLatestValidSignature(this.subKeys[i].bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config);
30926 if (bindingSignature && isValidDecryptionKeyPacket(bindingSignature, config)) {
30927 keys.push(this.subKeys[i]);
30928 }
30929 } catch (e) {}
30930 }
30931 }
30932
30933 // evaluate primary key
30934 const primaryUser = await this.getPrimaryUser(date, userId, config);
30935 if ((!keyId || primaryKey.getKeyId().equals(keyId, true)) &&
30936 isValidDecryptionKeyPacket(primaryUser.selfCertification, config)) {
30937 keys.push(this);
30938 }
30939
30940 return keys;
30941 }
30942
30943 /**
30944 * Encrypts all secret key and subkey packets matching keyId
30945 * @param {String|Array<String>} passphrases - If multiple passphrases, then should be in same order as packets each should encrypt
30946 * @param {module:type/keyid~Keyid} keyId
30947 * @param {Object} [config] - Full configuration, defaults to openpgp.config
30948 * @throws {Error} if encryption failed for any key or subkey
30949 * @async
30950 */
30951 async encrypt(passphrases, keyId = null, config = defaultConfig) {
30952 if (!this.isPrivate()) {
30953 throw new Error("Nothing to encrypt in a public key");
30954 }
30955
30956 const keys = this.getKeys(keyId);
30957 passphrases = util.isArray(passphrases) ? passphrases : new Array(keys.length).fill(passphrases);
30958 if (passphrases.length !== keys.length) {
30959 throw new Error("Invalid number of passphrases for key");
30960 }
30961
30962 await Promise.all(keys.map(async function(key, i) {
30963 const { keyPacket } = key;
30964 await keyPacket.encrypt(passphrases[i], config);
30965 keyPacket.clearPrivateParams();
30966 }));
30967 }
30968
30969 /**
30970 * Decrypts all secret key and subkey packets matching keyId
30971 * @param {String|Array<String>} passphrases
30972 * @param {module:type/keyid~Keyid} keyId
30973 * @param {Object} [config] - Full configuration, defaults to openpgp.config
30974 * @throws {Error} if any matching key or subkey packets did not decrypt successfully
30975 * @async
30976 */
30977 async decrypt(passphrases, keyId = null, config = defaultConfig) {
30978 if (!this.isPrivate()) {
30979 throw new Error("Nothing to decrypt in a public key");
30980 }
30981 passphrases = util.isArray(passphrases) ? passphrases : [passphrases];
30982
30983 await Promise.all(this.getKeys(keyId).map(async function(key) {
30984 let decrypted = false;
30985 let error = null;
30986 await Promise.all(passphrases.map(async function(passphrase) {
30987 try {
30988 await key.keyPacket.decrypt(passphrase);
30989 // If we are decrypting a single key packet, we also validate it directly
30990 if (keyId) await key.keyPacket.validate();
30991 decrypted = true;
30992 } catch (e) {
30993 error = e;
30994 }
30995 }));
30996 if (!decrypted) {
30997 throw error;
30998 }
30999 }));
31000
31001 if (!keyId) {
31002 // The full key should be decrypted and we can validate it all
31003 await this.validate(config);
31004 }
31005 }
31006
31007 /**
31008 * Returns true if the primary key or any subkey is decrypted.
31009 * A dummy key is considered encrypted.
31010 */
31011 isDecrypted() {
31012 return this.getKeys().some(({ keyPacket }) => keyPacket.isDecrypted());
31013 }
31014
31015 /**
31016 * Check whether the private and public primary key parameters correspond
31017 * Together with verification of binding signatures, this guarantees key integrity
31018 * In case of gnu-dummy primary key, it is enough to validate any signing subkeys
31019 * otherwise all encryption subkeys are validated
31020 * If only gnu-dummy keys are found, we cannot properly validate so we throw an error
31021 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31022 * @throws {Error} if validation was not successful and the key cannot be trusted
31023 * @async
31024 */
31025 async validate(config = defaultConfig) {
31026 if (!this.isPrivate()) {
31027 throw new Error("Cannot validate a public key");
31028 }
31029
31030 let signingKeyPacket;
31031 if (!this.primaryKey.isDummy()) {
31032 signingKeyPacket = this.primaryKey;
31033 } else {
31034 /**
31035 * It is enough to validate any signing keys
31036 * since its binding signatures are also checked
31037 */
31038 const signingKey = await this.getSigningKey(null, null, undefined, config);
31039 // This could again be a dummy key
31040 if (signingKey && !signingKey.keyPacket.isDummy()) {
31041 signingKeyPacket = signingKey.keyPacket;
31042 }
31043 }
31044
31045 if (signingKeyPacket) {
31046 return signingKeyPacket.validate();
31047 } else {
31048 const keys = this.getKeys();
31049 const allDummies = keys.map(key => key.keyPacket.isDummy()).every(Boolean);
31050 if (allDummies) {
31051 throw new Error("Cannot validate an all-gnu-dummy key");
31052 }
31053
31054 return Promise.all(keys.map(async key => key.keyPacket.validate()));
31055 }
31056 }
31057
31058 /**
31059 * Clear private key parameters
31060 */
31061 clearPrivateParams() {
31062 if (!this.isPrivate()) {
31063 throw new Error("Can't clear private parameters of a public key");
31064 }
31065 this.getKeys().forEach(({ keyPacket }) => {
31066 if (keyPacket.isDecrypted()) {
31067 keyPacket.clearPrivateParams();
31068 }
31069 });
31070 }
31071
31072 /**
31073 * Checks if a signature on a key is revoked
31074 * @param {SignaturePacket} signature - The signature to verify
31075 * @param {PublicSubkeyPacket|
31076 * SecretSubkeyPacket|
31077 * PublicKeyPacket|
31078 * SecretKeyPacket} key, optional The key to verify the signature
31079 * @param {Date} date - Use the given date instead of the current time
31080 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31081 * @returns {Boolean} True if the certificate is revoked.
31082 * @async
31083 */
31084 async isRevoked(signature, key, date = new Date(), config = defaultConfig) {
31085 return isDataRevoked(
31086 this.keyPacket, enums.signature.keyRevocation, { key: this.keyPacket }, this.revocationSignatures, signature, key, date, config
31087 );
31088 }
31089
31090 /**
31091 * Verify primary key. Checks for revocation signatures, expiration time
31092 * and valid self signature. Throws if the primary key is invalid.
31093 * @param {Date} [date] - Use the given date for verification instead of the current time
31094 * @param {Object} [userId] - User ID
31095 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31096 * @throws {Error} If key verification failed
31097 * @async
31098 */
31099 async verifyPrimaryKey(date = new Date(), userId = {}, config = defaultConfig) {
31100 const primaryKey = this.keyPacket;
31101 // check for key revocation signatures
31102 if (await this.isRevoked(null, null, date, config)) {
31103 throw new Error('Primary key is revoked');
31104 }
31105 // check for valid, unrevoked, unexpired self signature
31106 const { selfCertification } = await this.getPrimaryUser(date, userId, config);
31107 // check for expiration time
31108 if (isDataExpired(primaryKey, selfCertification, date)) {
31109 throw new Error('Primary key is expired');
31110 }
31111 }
31112
31113 /**
31114 * Returns the latest date when the key can be used for encrypting, signing, or both, depending on the `capabilities` paramater.
31115 * When `capabilities` is null, defaults to returning the expiry date of the primary key.
31116 * Returns null if `capabilities` is passed and the key does not have the specified capabilities or is revoked or invalid.
31117 * Returns Infinity if the key doesn't expire.
31118 * @param {encrypt|sign|encrypt_sign} capabilities, optional
31119 * @param {module:type/keyid~Keyid} keyId, optional
31120 * @param {Object} userId, optional user ID
31121 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31122 * @returns {Date | Infinity | null}
31123 * @async
31124 */
31125 async getExpirationTime(capabilities, keyId, userId, config = defaultConfig) {
31126 const primaryUser = await this.getPrimaryUser(null, userId, config);
31127 const selfCert = primaryUser.selfCertification;
31128 const keyExpiry = getExpirationTime(this.keyPacket, selfCert);
31129 const sigExpiry = selfCert.getExpirationTime();
31130 let expiry = keyExpiry < sigExpiry ? keyExpiry : sigExpiry;
31131 if (capabilities === 'encrypt' || capabilities === 'encrypt_sign') {
31132 const encryptKey =
31133 await this.getEncryptionKey(keyId, expiry, userId, config).catch(() => {}) ||
31134 await this.getEncryptionKey(keyId, null, userId, config).catch(() => {});
31135 if (!encryptKey) return null;
31136 const encryptExpiry = await encryptKey.getExpirationTime(this.keyPacket, undefined, config);
31137 if (encryptExpiry < expiry) expiry = encryptExpiry;
31138 }
31139 if (capabilities === 'sign' || capabilities === 'encrypt_sign') {
31140 const signKey =
31141 await this.getSigningKey(keyId, expiry, userId, config).catch(() => {}) ||
31142 await this.getSigningKey(keyId, null, userId, config).catch(() => {});
31143 if (!signKey) return null;
31144 const signExpiry = await signKey.getExpirationTime(this.keyPacket, undefined, config);
31145 if (signExpiry < expiry) expiry = signExpiry;
31146 }
31147 return expiry;
31148 }
31149
31150 /**
31151 * Returns primary user and most significant (latest valid) self signature
31152 * - if multiple primary users exist, returns the one with the latest self signature
31153 * - otherwise, returns the user with the latest self signature
31154 * @param {Date} [date] - Use the given date for verification instead of the current time
31155 * @param {Object} [userId] - User ID to get instead of the primary user, if it exists
31156 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31157 * @returns {Promise<{user: User,
31158 * selfCertification: SignaturePacket}>} The primary user and the self signature
31159 * @async
31160 */
31161 async getPrimaryUser(date = new Date(), userId = {}, config = defaultConfig) {
31162 const primaryKey = this.keyPacket;
31163 const users = [];
31164 let exception;
31165 for (let i = 0; i < this.users.length; i++) {
31166 try {
31167 const user = this.users[i];
31168 if (!user.userId) {
31169 continue;
31170 }
31171 if (
31172 (userId.name !== undefined && user.userId.name !== userId.name) ||
31173 (userId.email !== undefined && user.userId.email !== userId.email) ||
31174 (userId.comment !== undefined && user.userId.comment !== userId.comment)
31175 ) {
31176 throw new Error('Could not find user that matches that user ID');
31177 }
31178 const dataToVerify = { userId: user.userId, key: primaryKey };
31179 const selfCertification = await getLatestValidSignature(user.selfCertifications, primaryKey, enums.signature.certGeneric, dataToVerify, date, config);
31180 users.push({ index: i, user, selfCertification });
31181 } catch (e) {
31182 exception = e;
31183 }
31184 }
31185 if (!users.length) {
31186 throw exception || new Error('Could not find primary user');
31187 }
31188 await Promise.all(users.map(async function (a) {
31189 return a.user.revoked || a.user.isRevoked(primaryKey, a.selfCertification, null, date, config);
31190 }));
31191 // sort by primary user flag and signature creation time
31192 const primaryUser = users.sort(function(a, b) {
31193 const A = a.selfCertification;
31194 const B = b.selfCertification;
31195 return B.revoked - A.revoked || A.isPrimaryUserID - B.isPrimaryUserID || A.created - B.created;
31196 }).pop();
31197 const { user, selfCertification: cert } = primaryUser;
31198 if (cert.revoked || await user.isRevoked(primaryKey, cert, null, date, config)) {
31199 throw new Error('Primary user is revoked');
31200 }
31201 return primaryUser;
31202 }
31203
31204 /**
31205 * Update key with new components from specified key with same key ID:
31206 * users, subkeys, certificates are merged into the destination key,
31207 * duplicates and expired signatures are ignored.
31208 *
31209 * If the specified key is a private key and the destination key is public,
31210 * the destination key is transformed to a private key.
31211 * @param {Key} key - Source key to merge
31212 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31213 * @returns {undefined}
31214 * @async
31215 */
31216 async update(key, config = defaultConfig) {
31217 if (!this.hasSameFingerprintAs(key)) {
31218 throw new Error('Key update method: fingerprints of keys not equal');
31219 }
31220 if (this.isPublic() && key.isPrivate()) {
31221 // check for equal subkey packets
31222 const equal = (this.subKeys.length === key.subKeys.length) &&
31223 (this.subKeys.every(destSubKey => {
31224 return key.subKeys.some(srcSubKey => {
31225 return destSubKey.hasSameFingerprintAs(srcSubKey);
31226 });
31227 }));
31228 if (!equal) {
31229 throw new Error('Cannot update public key with private key if subkey mismatch');
31230 }
31231 this.keyPacket = key.keyPacket;
31232 }
31233 // revocation signatures
31234 await mergeSignatures(key, this, 'revocationSignatures', srcRevSig => {
31235 return isDataRevoked(this.keyPacket, enums.signature.keyRevocation, this, [srcRevSig], null, key.keyPacket, undefined, config);
31236 });
31237 // direct signatures
31238 await mergeSignatures(key, this, 'directSignatures');
31239 // TODO replace when Promise.some or Promise.any are implemented
31240 // users
31241 await Promise.all(key.users.map(async srcUser => {
31242 let found = false;
31243 await Promise.all(this.users.map(async dstUser => {
31244 if ((srcUser.userId && dstUser.userId &&
31245 (srcUser.userId.userid === dstUser.userId.userid)) ||
31246 (srcUser.userAttribute && (srcUser.userAttribute.equals(dstUser.userAttribute)))) {
31247 await dstUser.update(srcUser, this.keyPacket, config);
31248 found = true;
31249 }
31250 }));
31251 if (!found) {
31252 this.users.push(srcUser);
31253 }
31254 }));
31255 // TODO replace when Promise.some or Promise.any are implemented
31256 // subkeys
31257 await Promise.all(key.subKeys.map(async srcSubKey => {
31258 let found = false;
31259 await Promise.all(this.subKeys.map(async dstSubKey => {
31260 if (dstSubKey.hasSameFingerprintAs(srcSubKey)) {
31261 await dstSubKey.update(srcSubKey, this.keyPacket, config);
31262 found = true;
31263 }
31264 }));
31265 if (!found) {
31266 this.subKeys.push(srcSubKey);
31267 }
31268 }));
31269 }
31270
31271 /**
31272 * Revokes the key
31273 * @param {Object} reasonForRevocation - optional, object indicating the reason for revocation
31274 * @param {module:enums.reasonForRevocation} reasonForRevocation.flag optional, flag indicating the reason for revocation
31275 * @param {String} reasonForRevocation.string optional, string explaining the reason for revocation
31276 * @param {Date} date - optional, override the creationtime of the revocation signature
31277 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31278 * @returns {Key} New key with revocation signature.
31279 * @async
31280 */
31281 async revoke(
31282 {
31283 flag: reasonForRevocationFlag = enums.reasonForRevocation.noReason,
31284 string: reasonForRevocationString = ''
31285 } = {},
31286 date = new Date(),
31287 config = defaultConfig
31288 ) {
31289 if (this.isPublic()) {
31290 throw new Error('Need private key for revoking');
31291 }
31292 const dataToSign = { key: this.keyPacket };
31293 const key = await this.clone();
31294 key.revocationSignatures.push(await createSignaturePacket(dataToSign, null, this.keyPacket, {
31295 signatureType: enums.signature.keyRevocation,
31296 reasonForRevocationFlag: enums.write(enums.reasonForRevocation, reasonForRevocationFlag),
31297 reasonForRevocationString
31298 }, date, undefined, undefined, undefined, config));
31299 return key;
31300 }
31301
31302 /**
31303 * Get revocation certificate from a revoked key.
31304 * (To get a revocation certificate for an unrevoked key, call revoke() first.)
31305 * @param {Date} date - Use the given date instead of the current time
31306 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31307 * @returns {String} Armored revocation certificate.
31308 * @async
31309 */
31310 async getRevocationCertificate(date = new Date(), config = defaultConfig) {
31311 const dataToVerify = { key: this.keyPacket };
31312 const revocationSignature = await getLatestValidSignature(this.revocationSignatures, this.keyPacket, enums.signature.keyRevocation, dataToVerify, date, config);
31313 const packetlist = new PacketList();
31314 packetlist.push(revocationSignature);
31315 return armor(enums.armor.publicKey, packetlist.write(), null, null, 'This is a revocation certificate');
31316 }
31317
31318 /**
31319 * Applies a revocation certificate to a key
31320 * This adds the first signature packet in the armored text to the key,
31321 * if it is a valid revocation signature.
31322 * @param {String} revocationCertificate - armored revocation certificate
31323 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31324 * @returns {Key} New revoked key.
31325 * @async
31326 */
31327 async applyRevocationCertificate(revocationCertificate, config = defaultConfig) {
31328 const input = await unarmor(revocationCertificate, config);
31329 const packetlist = new PacketList();
31330 await packetlist.read(input.data, { SignaturePacket }, undefined, config);
31331 const revocationSignature = packetlist.findPacket(enums.packet.signature);
31332 if (!revocationSignature || revocationSignature.signatureType !== enums.signature.keyRevocation) {
31333 throw new Error('Could not find revocation signature packet');
31334 }
31335 if (!revocationSignature.issuerKeyId.equals(this.getKeyId())) {
31336 throw new Error('Revocation signature does not match key');
31337 }
31338 if (revocationSignature.isExpired()) {
31339 throw new Error('Revocation signature is expired');
31340 }
31341 try {
31342 await revocationSignature.verify(this.keyPacket, enums.signature.keyRevocation, { key: this.keyPacket }, undefined, undefined, config);
31343 } catch (e) {
31344 throw util.wrapError('Could not verify revocation signature', e);
31345 }
31346 const key = await this.clone();
31347 key.revocationSignatures.push(revocationSignature);
31348 return key;
31349 }
31350
31351 /**
31352 * Signs primary user of key
31353 * @param {Array<Key>} privateKeys - decrypted private keys for signing
31354 * @param {Date} [date] - Use the given date for verification instead of the current time
31355 * @param {Object} [userId] - User ID to get instead of the primary user, if it exists
31356 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31357 * @returns {Key} New public key with new certificate signature.
31358 * @async
31359 */
31360 async signPrimaryUser(privateKeys, date, userId, config = defaultConfig) {
31361 const { index, user } = await this.getPrimaryUser(date, userId, config);
31362 const userSign = await user.sign(this.keyPacket, privateKeys, config);
31363 const key = await this.clone();
31364 key.users[index] = userSign;
31365 return key;
31366 }
31367
31368 /**
31369 * Signs all users of key
31370 * @param {Array<Key>} privateKeys - decrypted private keys for signing
31371 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31372 * @returns {Key} New public key with new certificate signature.
31373 * @async
31374 */
31375 async signAllUsers(privateKeys, config = defaultConfig) {
31376 const that = this;
31377 const key = await this.clone();
31378 key.users = await Promise.all(this.users.map(function(user) {
31379 return user.sign(that.keyPacket, privateKeys, config);
31380 }));
31381 return key;
31382 }
31383
31384 /**
31385 * Verifies primary user of key
31386 * - if no arguments are given, verifies the self certificates;
31387 * - otherwise, verifies all certificates signed with given keys.
31388 * @param {Array<Key>} keys - array of keys to verify certificate signatures
31389 * @param {Date} [date] - Use the given date for verification instead of the current time
31390 * @param {Object} [userId] - User ID to get instead of the primary user, if it exists
31391 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31392 * @returns {Promise<Array<{keyid: module:type/keyid~Keyid,
31393 * valid: Boolean}>>} List of signer's keyid and validity of signature
31394 * @async
31395 */
31396 async verifyPrimaryUser(keys, date, userId, config = defaultConfig) {
31397 const primaryKey = this.keyPacket;
31398 const { user } = await this.getPrimaryUser(date, userId, config);
31399 const results = keys ? await user.verifyAllCertifications(primaryKey, keys, undefined, config) :
31400 [{ keyid: primaryKey.keyid, valid: await user.verify(primaryKey, undefined, config).catch(() => false) }];
31401 return results;
31402 }
31403
31404 /**
31405 * Verifies all users of key
31406 * - if no arguments are given, verifies the self certificates;
31407 * - otherwise, verifies all certificates signed with given keys.
31408 * @param {Array<Key>} keys - array of keys to verify certificate signatures
31409 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31410 * @returns {Promise<Array<{userid: String,
31411 * keyid: module:type/keyid~Keyid,
31412 * valid: Boolean}>>} list of userid, signer's keyid and validity of signature
31413 * @async
31414 */
31415 async verifyAllUsers(keys, config = defaultConfig) {
31416 const results = [];
31417 const primaryKey = this.keyPacket;
31418 await Promise.all(this.users.map(async function(user) {
31419 const signatures = keys ? await user.verifyAllCertifications(primaryKey, keys, undefined, config) :
31420 [{ keyid: primaryKey.keyid, valid: await user.verify(primaryKey, undefined, config).catch(() => false) }];
31421 signatures.forEach(signature => {
31422 results.push({
31423 userid: user.userId.userid,
31424 keyid: signature.keyid,
31425 valid: signature.valid
31426 });
31427 });
31428 }));
31429 return results;
31430 }
31431
31432 /**
31433 * Generates a new OpenPGP subkey, and returns a clone of the Key object with the new subkey added.
31434 * Supports RSA and ECC keys. Defaults to the algorithm and bit size/curve of the primary key. DSA primary keys default to RSA subkeys.
31435 * @param {ecc|rsa} options.type The subkey algorithm: ECC or RSA
31436 * @param {String} options.curve (optional) Elliptic curve for ECC keys
31437 * @param {Integer} options.rsaBits (optional) Number of bits for RSA subkeys
31438 * @param {Number} options.keyExpirationTime (optional) Number of seconds from the key creation time after which the key expires
31439 * @param {Date} options.date (optional) Override the creation date of the key and the key signatures
31440 * @param {Boolean} options.sign (optional) Indicates whether the subkey should sign rather than encrypt. Defaults to false
31441 * @param {Object} options.config (optional) custom configuration settings to overwrite those in [config]{@link module:config}
31442 * @returns {Key}
31443 * @async
31444 */
31445 async addSubkey(options = {}) {
31446 const config = { ...defaultConfig, ...options.config };
31447 if (!this.isPrivate()) {
31448 throw new Error("Cannot add a subkey to a public key");
31449 }
31450 if (options.passphrase) {
31451 throw new Error("Subkey could not be encrypted here, please encrypt whole key");
31452 }
31453 if (options.rsaBits < config.minRsaBits) {
31454 throw new Error(`rsaBits should be at least ${config.minRsaBits}, got: ${options.rsaBits}`);
31455 }
31456 const secretKeyPacket = this.primaryKey;
31457 if (secretKeyPacket.isDummy()) {
31458 throw new Error("Cannot add subkey to gnu-dummy primary key");
31459 }
31460 if (!secretKeyPacket.isDecrypted()) {
31461 throw new Error("Key is not decrypted");
31462 }
31463 const defaultOptions = secretKeyPacket.getAlgorithmInfo();
31464 defaultOptions.type = defaultOptions.curve ? 'ecc' : 'rsa'; // DSA keys default to RSA
31465 defaultOptions.rsaBits = defaultOptions.bits || 4096;
31466 defaultOptions.curve = defaultOptions.curve || 'curve25519';
31467 options = sanitizeKeyOptions(options, defaultOptions);
31468 const keyPacket = await generateSecretSubkey(options);
31469 const bindingSignature = await createBindingSignature(keyPacket, secretKeyPacket, options, config);
31470 const packetList = this.toPacketlist();
31471 packetList.push(keyPacket);
31472 packetList.push(bindingSignature);
31473 return new Key(packetList);
31474 }
31475 }
31476
31477 ['getKeyId', 'getFingerprint', 'getAlgorithmInfo', 'getCreationTime', 'hasSameFingerprintAs'].forEach(name => {
31478 Key.prototype[name] =
31479 SubKey.prototype[name];
31480 });
31481
31482 // OpenPGP.js - An OpenPGP implementation in javascript
31483
31484 /**
31485 * Generates a new OpenPGP key. Supports RSA and ECC keys.
31486 * By default, primary and subkeys will be of same type.
31487 * @param {ecc|rsa} options.type The primary key algorithm type: ECC or RSA
31488 * @param {String} options.curve Elliptic curve for ECC keys
31489 * @param {Integer} options.rsaBits Number of bits for RSA keys
31490 * @param {Array<String|Object>} options.userIds User IDs as strings or objects: 'Jo Doe <info@jo.com>' or { name:'Jo Doe', email:'info@jo.com' }
31491 * @param {String} options.passphrase Passphrase used to encrypt the resulting private key
31492 * @param {Number} options.keyExpirationTime (optional) Number of seconds from the key creation time after which the key expires
31493 * @param {Date} options.date Creation date of the key and the key signatures
31494 * @param {Object} config - Full configuration
31495 * @param {Array<Object>} options.subkeys (optional) options for each subkey, default to main key options. e.g. [{sign: true, passphrase: '123'}]
31496 * sign parameter defaults to false, and indicates whether the subkey should sign rather than encrypt
31497 * @returns {Key}
31498 * @async
31499 * @static
31500 * @private
31501 */
31502 async function generate$2(options, config) {
31503 options.sign = true; // primary key is always a signing key
31504 options = sanitizeKeyOptions(options);
31505 options.subkeys = options.subkeys.map((subkey, index) => sanitizeKeyOptions(options.subkeys[index], options));
31506 let promises = [generateSecretKey(options, config)];
31507 promises = promises.concat(options.subkeys.map(options => generateSecretSubkey(options, config)));
31508 return Promise.all(promises).then(packets => wrapKeyObject(packets[0], packets.slice(1), options, config));
31509 }
31510
31511 /**
31512 * Reformats and signs an OpenPGP key with a given User ID. Currently only supports RSA keys.
31513 * @param {Key} options.privateKey The private key to reformat
31514 * @param {Array<String|Object>} options.userIds User IDs as strings or objects: 'Jo Doe <info@jo.com>' or { name:'Jo Doe', email:'info@jo.com' }
31515 * @param {String} options.passphrase Passphrase used to encrypt the resulting private key
31516 * @param {Number} options.keyExpirationTime Number of seconds from the key creation time after which the key expires
31517 * @param {Date} options.date Override the creation date of the key and the key signatures
31518 * @param {Array<Object>} options.subkeys (optional) options for each subkey, default to main key options. e.g. [{sign: true, passphrase: '123'}]
31519 * @param {Object} config - Full configuration
31520 *
31521 * @returns {Key}
31522 * @async
31523 * @static
31524 * @private
31525 */
31526 async function reformat(options, config) {
31527 options = sanitize(options);
31528
31529 if (options.privateKey.primaryKey.isDummy()) {
31530 throw new Error('Cannot reformat a gnu-dummy primary key');
31531 }
31532
31533 const isDecrypted = options.privateKey.getKeys().every(({ keyPacket }) => keyPacket.isDecrypted());
31534 if (!isDecrypted) {
31535 throw new Error('Key is not decrypted');
31536 }
31537
31538 const packetlist = options.privateKey.toPacketlist();
31539 let secretKeyPacket;
31540 const secretSubkeyPackets = [];
31541 for (let i = 0; i < packetlist.length; i++) {
31542 if (packetlist[i].tag === enums.packet.secretKey) {
31543 secretKeyPacket = packetlist[i];
31544 } else if (packetlist[i].tag === enums.packet.secretSubkey) {
31545 secretSubkeyPackets.push(packetlist[i]);
31546 }
31547 }
31548 if (!secretKeyPacket) {
31549 throw new Error('Key does not contain a secret key packet');
31550 }
31551
31552 if (!options.subkeys) {
31553 options.subkeys = await Promise.all(secretSubkeyPackets.map(async secretSubkeyPacket => ({
31554 sign: await options.privateKey.getSigningKey(secretSubkeyPacket.getKeyId(), null, undefined, config).catch(() => {}) &&
31555 !await options.privateKey.getEncryptionKey(secretSubkeyPacket.getKeyId(), null, undefined, config).catch(() => {})
31556 })));
31557 }
31558
31559 if (options.subkeys.length !== secretSubkeyPackets.length) {
31560 throw new Error('Number of subkey options does not match number of subkeys');
31561 }
31562
31563 options.subkeys = options.subkeys.map(function(subkey, index) { return sanitize(options.subkeys[index], options); });
31564
31565 return wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, config);
31566
31567 function sanitize(options, subkeyDefaults = {}) {
31568 options.keyExpirationTime = options.keyExpirationTime || subkeyDefaults.keyExpirationTime;
31569 options.passphrase = util.isString(options.passphrase) ? options.passphrase : subkeyDefaults.passphrase;
31570 options.date = options.date || subkeyDefaults.date;
31571
31572 return options;
31573 }
31574 }
31575
31576
31577 async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, config) {
31578 // set passphrase protection
31579 if (options.passphrase) {
31580 await secretKeyPacket.encrypt(options.passphrase, config);
31581 }
31582
31583 await Promise.all(secretSubkeyPackets.map(async function(secretSubkeyPacket, index) {
31584 const subkeyPassphrase = options.subkeys[index].passphrase;
31585 if (subkeyPassphrase) {
31586 await secretSubkeyPacket.encrypt(subkeyPassphrase, config);
31587 }
31588 }));
31589
31590 const packetlist = new PacketList();
31591
31592 packetlist.push(secretKeyPacket);
31593
31594 await Promise.all(options.userIds.map(async function(userId, index) {
31595 function createdPreferredAlgos(algos, configAlgo) {
31596 if (configAlgo) { // Not `uncompressed` / `plaintext`
31597 const configIndex = algos.indexOf(configAlgo);
31598 if (configIndex >= 1) { // If it is included and not in first place,
31599 algos.splice(configIndex, 1); // remove it.
31600 }
31601 if (configIndex !== 0) { // If it was included and not in first place, or wasn't included,
31602 algos.unshift(configAlgo); // add it to the front.
31603 }
31604 }
31605 return algos;
31606 }
31607
31608 const userIdPacket = UserIDPacket.fromObject(userId);
31609 const dataToSign = {};
31610 dataToSign.userId = userIdPacket;
31611 dataToSign.key = secretKeyPacket;
31612 const signaturePacket = new SignaturePacket(options.date);
31613 signaturePacket.signatureType = enums.signature.certGeneric;
31614 signaturePacket.publicKeyAlgorithm = secretKeyPacket.algorithm;
31615 signaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(null, secretKeyPacket, undefined, undefined, config);
31616 signaturePacket.keyFlags = [enums.keyFlags.certifyKeys | enums.keyFlags.signData];
31617 signaturePacket.preferredSymmetricAlgorithms = createdPreferredAlgos([
31618 // prefer aes256, aes128, then aes192 (no WebCrypto support: https://www.chromium.org/blink/webcrypto#TOC-AES-support)
31619 enums.symmetric.aes256,
31620 enums.symmetric.aes128,
31621 enums.symmetric.aes192
31622 ], config.encryptionCipher);
31623 if (config.aeadProtect) {
31624 signaturePacket.preferredAeadAlgorithms = createdPreferredAlgos([
31625 enums.aead.eax,
31626 enums.aead.ocb
31627 ], config.aeadMode);
31628 }
31629 signaturePacket.preferredHashAlgorithms = createdPreferredAlgos([
31630 // prefer fast asm.js implementations (SHA-256)
31631 enums.hash.sha256,
31632 enums.hash.sha512
31633 ], config.preferHashAlgorithm);
31634 signaturePacket.preferredCompressionAlgorithms = createdPreferredAlgos([
31635 enums.compression.zlib,
31636 enums.compression.zip,
31637 enums.compression.uncompressed
31638 ], config.compression);
31639 if (index === 0) {
31640 signaturePacket.isPrimaryUserID = true;
31641 }
31642 // integrity protection always enabled
31643 signaturePacket.features = [0];
31644 signaturePacket.features[0] |= enums.features.modificationDetection;
31645 if (config.aeadProtect) {
31646 signaturePacket.features[0] |= enums.features.aead;
31647 }
31648 if (config.v5Keys) {
31649 signaturePacket.features[0] |= enums.features.v5Keys;
31650 }
31651 if (options.keyExpirationTime > 0) {
31652 signaturePacket.keyExpirationTime = options.keyExpirationTime;
31653 signaturePacket.keyNeverExpires = false;
31654 }
31655 await signaturePacket.sign(secretKeyPacket, dataToSign);
31656
31657 return { userIdPacket, signaturePacket };
31658 })).then(list => {
31659 list.forEach(({ userIdPacket, signaturePacket }) => {
31660 packetlist.push(userIdPacket);
31661 packetlist.push(signaturePacket);
31662 });
31663 });
31664
31665 await Promise.all(secretSubkeyPackets.map(async function(secretSubkeyPacket, index) {
31666 const subkeyOptions = options.subkeys[index];
31667 const subkeySignaturePacket = await createBindingSignature(secretSubkeyPacket, secretKeyPacket, subkeyOptions, config);
31668 return { secretSubkeyPacket, subkeySignaturePacket };
31669 })).then(packets => {
31670 packets.forEach(({ secretSubkeyPacket, subkeySignaturePacket }) => {
31671 packetlist.push(secretSubkeyPacket);
31672 packetlist.push(subkeySignaturePacket);
31673 });
31674 });
31675
31676 // Add revocation signature packet for creating a revocation certificate.
31677 // This packet should be removed before returning the key.
31678 const dataToSign = { key: secretKeyPacket };
31679 packetlist.push(await createSignaturePacket(dataToSign, null, secretKeyPacket, {
31680 signatureType: enums.signature.keyRevocation,
31681 reasonForRevocationFlag: enums.reasonForRevocation.noReason,
31682 reasonForRevocationString: ''
31683 }, options.date, undefined, undefined, undefined, config));
31684
31685 // set passphrase protection
31686 if (options.passphrase) {
31687 secretKeyPacket.clearPrivateParams();
31688 }
31689
31690 await Promise.all(secretSubkeyPackets.map(async function(secretSubkeyPacket, index) {
31691 const subkeyPassphrase = options.subkeys[index].passphrase;
31692 if (subkeyPassphrase) {
31693 secretSubkeyPacket.clearPrivateParams();
31694 }
31695 }));
31696
31697 return new Key(packetlist);
31698 }
31699
31700 /**
31701 * Reads an (optionally armored) OpenPGP key and returns a key object
31702 * @param {Object} options
31703 * @param {String | ReadableStream<String>} [options.armoredKey] - Armored key to be parsed
31704 * @param {Uint8Array | ReadableStream<Uint8Array>} [options.binaryKey] - Binary key to be parsed
31705 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
31706 * @returns {Key} Key object.
31707 * @async
31708 * @static
31709 */
31710 async function readKey({ armoredKey, binaryKey, config }) {
31711 config = { ...defaultConfig, ...config };
31712 if (!armoredKey && !binaryKey) {
31713 throw new Error('readKey: must pass options object containing `armoredKey` or `binaryKey`');
31714 }
31715 let input;
31716 if (armoredKey) {
31717 const { type, data } = await unarmor(armoredKey, config);
31718 if (!(type === enums.armor.publicKey || type === enums.armor.privateKey)) {
31719 throw new Error('Armored text not of type key');
31720 }
31721 input = data;
31722 } else {
31723 input = binaryKey;
31724 }
31725 const packetlist = new PacketList();
31726 await packetlist.read(input, allowedKeyPackets, undefined, config);
31727 return new Key(packetlist);
31728 }
31729
31730 /**
31731 * Reads an (optionally armored) OpenPGP key block and returns a list of key objects
31732 * @param {Object} options
31733 * @param {String | ReadableStream<String>} [options.armoredKeys] - Armored keys to be parsed
31734 * @param {Uint8Array | ReadableStream<Uint8Array>} [options.binaryKeys] - Binary keys to be parsed
31735 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
31736 * @returns {Array<Key>} Key objects.
31737 * @async
31738 * @static
31739 */
31740 async function readKeys({ armoredKeys, binaryKeys, config }) {
31741 config = { ...defaultConfig, ...config };
31742 let input = armoredKeys || binaryKeys;
31743 if (!input) {
31744 throw new Error('readKeys: must pass options object containing `armoredKeys` or `binaryKeys`');
31745 }
31746 if (armoredKeys) {
31747 const { type, data } = await unarmor(armoredKeys, config);
31748 if (type !== enums.armor.publicKey && type !== enums.armor.privateKey) {
31749 throw new Error('Armored text not of type key');
31750 }
31751 input = data;
31752 }
31753 const keys = [];
31754 const packetlist = new PacketList();
31755 await packetlist.read(input, allowedKeyPackets, undefined, config);
31756 const keyIndex = packetlist.indexOfTag(enums.packet.publicKey, enums.packet.secretKey);
31757 if (keyIndex.length === 0) {
31758 throw new Error('No key packet found');
31759 }
31760 for (let i = 0; i < keyIndex.length; i++) {
31761 const oneKeyList = packetlist.slice(keyIndex[i], keyIndex[i + 1]);
31762 const newKey = new Key(oneKeyList);
31763 keys.push(newKey);
31764 }
31765 return keys;
31766 }
31767
31768 // GPG4Browsers - An OpenPGP implementation in javascript
31769
31770
31771 /**
31772 * Class that represents an OpenPGP message.
31773 * Can be an encrypted message, signed message, compressed message or literal message
31774 * See {@link https://tools.ietf.org/html/rfc4880#section-11.3}
31775 */
31776 class Message {
31777 /**
31778 * @param {PacketList} packetlist - The packets that form this message
31779 */
31780 constructor(packetlist) {
31781 this.packets = packetlist || new PacketList();
31782 }
31783
31784 /**
31785 * Returns the key IDs of the keys to which the session key is encrypted
31786 * @returns {Array<module:type/keyid~Keyid>} Array of keyid objects.
31787 */
31788 getEncryptionKeyIds() {
31789 const keyIds = [];
31790 const pkESKeyPacketlist = this.packets.filterByTag(enums.packet.publicKeyEncryptedSessionKey);
31791 pkESKeyPacketlist.forEach(function(packet) {
31792 keyIds.push(packet.publicKeyId);
31793 });
31794 return keyIds;
31795 }
31796
31797 /**
31798 * Returns the key IDs of the keys that signed the message
31799 * @returns {Array<module:type/keyid~Keyid>} Array of keyid objects.
31800 */
31801 getSigningKeyIds() {
31802 const keyIds = [];
31803 const msg = this.unwrapCompressed();
31804 // search for one pass signatures
31805 const onePassSigList = msg.packets.filterByTag(enums.packet.onePassSignature);
31806 onePassSigList.forEach(function(packet) {
31807 keyIds.push(packet.issuerKeyId);
31808 });
31809 // if nothing found look for signature packets
31810 if (!keyIds.length) {
31811 const signatureList = msg.packets.filterByTag(enums.packet.signature);
31812 signatureList.forEach(function(packet) {
31813 keyIds.push(packet.issuerKeyId);
31814 });
31815 }
31816 return keyIds;
31817 }
31818
31819 /**
31820 * Decrypt the message. Either a private key, a session key, or a password must be specified.
31821 * @param {Array<Key>} [privateKeys] - Private keys with decrypted secret data
31822 * @param {Array<String>} [passwords] - Passwords used to decrypt
31823 * @param {Array<Object>} [sessionKeys] - Session keys in the form: { data:Uint8Array, algorithm:String, [aeadAlgorithm:String] }
31824 * @param {Boolean} [streaming] - Whether to process data as a stream
31825 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31826 * @returns {Message} New message with decrypted content.
31827 * @async
31828 */
31829 async decrypt(privateKeys, passwords, sessionKeys, streaming, config = defaultConfig) {
31830 const keyObjs = sessionKeys || await this.decryptSessionKeys(privateKeys, passwords, config);
31831
31832 const symEncryptedPacketlist = this.packets.filterByTag(
31833 enums.packet.symmetricallyEncryptedData,
31834 enums.packet.symEncryptedIntegrityProtectedData,
31835 enums.packet.AEADEncryptedData
31836 );
31837
31838 if (symEncryptedPacketlist.length === 0) {
31839 return this;
31840 }
31841
31842 const symEncryptedPacket = symEncryptedPacketlist[0];
31843 let exception = null;
31844 const decryptedPromise = Promise.all(keyObjs.map(async keyObj => {
31845 if (!keyObj || !util.isUint8Array(keyObj.data) || !util.isString(keyObj.algorithm)) {
31846 throw new Error('Invalid session key for decryption.');
31847 }
31848
31849 try {
31850 await symEncryptedPacket.decrypt(keyObj.algorithm, keyObj.data, streaming, config);
31851 } catch (e) {
31852 util.printDebugError(e);
31853 exception = e;
31854 }
31855 }));
31856 // We don't await stream.cancel here because it only returns when the other copy is canceled too.
31857 stream.cancel(symEncryptedPacket.encrypted); // Don't keep copy of encrypted data in memory.
31858 symEncryptedPacket.encrypted = null;
31859 await decryptedPromise;
31860
31861 if (!symEncryptedPacket.packets || !symEncryptedPacket.packets.length) {
31862 throw exception || new Error('Decryption failed.');
31863 }
31864
31865 const resultMsg = new Message(symEncryptedPacket.packets);
31866 symEncryptedPacket.packets = new PacketList(); // remove packets after decryption
31867
31868 return resultMsg;
31869 }
31870
31871 /**
31872 * Decrypt encrypted session keys either with private keys or passwords.
31873 * @param {Array<Key>} [privateKeys] - Private keys with decrypted secret data
31874 * @param {Array<String>} [passwords] - Passwords used to decrypt
31875 * @param {Object} [config] - Full configuration, defaults to openpgp.config
31876 * @returns {Promise<Array<{ data: Uint8Array,
31877 algorithm: String }>>} array of object with potential sessionKey, algorithm pairs
31878 * @async
31879 */
31880 async decryptSessionKeys(privateKeys, passwords, config = defaultConfig) {
31881 let keyPackets = [];
31882
31883 let exception;
31884 if (passwords) {
31885 const symESKeyPacketlist = this.packets.filterByTag(enums.packet.symEncryptedSessionKey);
31886 if (!symESKeyPacketlist) {
31887 throw new Error('No symmetrically encrypted session key packet found.');
31888 }
31889 await Promise.all(passwords.map(async function(password, i) {
31890 let packets;
31891 if (i) {
31892 packets = new PacketList();
31893 await packets.read(symESKeyPacketlist.write(), { SymEncryptedSessionKeyPacket });
31894 } else {
31895 packets = symESKeyPacketlist;
31896 }
31897 await Promise.all(packets.map(async function(keyPacket) {
31898 try {
31899 await keyPacket.decrypt(password);
31900 keyPackets.push(keyPacket);
31901 } catch (err) {
31902 util.printDebugError(err);
31903 }
31904 }));
31905 }));
31906 } else if (privateKeys) {
31907 const pkESKeyPacketlist = this.packets.filterByTag(enums.packet.publicKeyEncryptedSessionKey);
31908 if (!pkESKeyPacketlist) {
31909 throw new Error('No public key encrypted session key packet found.');
31910 }
31911 await Promise.all(pkESKeyPacketlist.map(async function(keyPacket) {
31912 await Promise.all(privateKeys.map(async function(privateKey) {
31913 let algos = [
31914 enums.symmetric.aes256, // Old OpenPGP.js default fallback
31915 enums.symmetric.aes128, // RFC4880bis fallback
31916 enums.symmetric.tripledes, // RFC4880 fallback
31917 enums.symmetric.cast5 // Golang OpenPGP fallback
31918 ];
31919 try {
31920 const primaryUser = await privateKey.getPrimaryUser(undefined, undefined, config); // TODO: Pass userId from somewhere.
31921 if (primaryUser.selfCertification.preferredSymmetricAlgorithms) {
31922 algos = algos.concat(primaryUser.selfCertification.preferredSymmetricAlgorithms);
31923 }
31924 } catch (e) {}
31925
31926 // do not check key expiration to allow decryption of old messages
31927 const privateKeyPackets = (await privateKey.getDecryptionKeys(keyPacket.publicKeyId, null, undefined, config)).map(key => key.keyPacket);
31928 await Promise.all(privateKeyPackets.map(async function(privateKeyPacket) {
31929 if (!privateKeyPacket || privateKeyPacket.isDummy()) {
31930 return;
31931 }
31932 if (!privateKeyPacket.isDecrypted()) {
31933 throw new Error('Private key is not decrypted.');
31934 }
31935 try {
31936 await keyPacket.decrypt(privateKeyPacket);
31937 if (!algos.includes(enums.write(enums.symmetric, keyPacket.sessionKeyAlgorithm))) {
31938 throw new Error('A non-preferred symmetric algorithm was used.');
31939 }
31940 keyPackets.push(keyPacket);
31941 } catch (err) {
31942 util.printDebugError(err);
31943 exception = err;
31944 }
31945 }));
31946 }));
31947 stream.cancel(keyPacket.encrypted); // Don't keep copy of encrypted data in memory.
31948 keyPacket.encrypted = null;
31949 }));
31950 } else {
31951 throw new Error('No key or password specified.');
31952 }
31953
31954 if (keyPackets.length) {
31955 // Return only unique session keys
31956 if (keyPackets.length > 1) {
31957 const seen = {};
31958 keyPackets = keyPackets.filter(function(item) {
31959 const k = item.sessionKeyAlgorithm + util.uint8ArrayToStr(item.sessionKey);
31960 if (seen.hasOwnProperty(k)) {
31961 return false;
31962 }
31963 seen[k] = true;
31964 return true;
31965 });
31966 }
31967
31968 return keyPackets.map(packet => ({ data: packet.sessionKey, algorithm: packet.sessionKeyAlgorithm }));
31969 }
31970 throw exception || new Error('Session key decryption failed.');
31971 }
31972
31973 /**
31974 * Get literal data that is the body of the message
31975 * @returns {(Uint8Array|null)} Literal body of the message as Uint8Array.
31976 */
31977 getLiteralData() {
31978 const msg = this.unwrapCompressed();
31979 const literal = msg.packets.findPacket(enums.packet.literalData);
31980 return (literal && literal.getBytes()) || null;
31981 }
31982
31983 /**
31984 * Get filename from literal data packet
31985 * @returns {(String|null)} Filename of literal data packet as string.
31986 */
31987 getFilename() {
31988 const msg = this.unwrapCompressed();
31989 const literal = msg.packets.findPacket(enums.packet.literalData);
31990 return (literal && literal.getFilename()) || null;
31991 }
31992
31993 /**
31994 * Get literal data as text
31995 * @returns {(String|null)} Literal body of the message interpreted as text.
31996 */
31997 getText() {
31998 const msg = this.unwrapCompressed();
31999 const literal = msg.packets.findPacket(enums.packet.literalData);
32000 if (literal) {
32001 return literal.getText();
32002 }
32003 return null;
32004 }
32005
32006 /**
32007 * Generate a new session key object, taking the algorithm preferences of the passed public keys into account, if any.
32008 * @param {Array<Key>} [keys] - Public key(s) to select algorithm preferences for
32009 * @param {Date} [date] - Date to select algorithm preferences at
32010 * @param {Array<Object>} [userIds] - User IDs to select algorithm preferences for
32011 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32012 * @returns {{ data: Uint8Array, algorithm: String }} Object with session key data and algorithm.
32013 * @async
32014 */
32015 static async generateSessionKey(keys = [], date = new Date(), userIds = [], config = defaultConfig) {
32016 const algorithm = enums.read(enums.symmetric, await getPreferredAlgo('symmetric', keys, date, userIds, config));
32017 const aeadAlgorithm = config.aeadProtect && await isAeadSupported(keys, date, userIds, config) ?
32018 enums.read(enums.aead, await getPreferredAlgo('aead', keys, date, userIds, config)) :
32019 undefined;
32020 const sessionKeyData = await mod.generateSessionKey(algorithm);
32021 return { data: sessionKeyData, algorithm, aeadAlgorithm };
32022 }
32023
32024 /**
32025 * Encrypt the message either with public keys, passwords, or both at once.
32026 * @param {Array<Key>} [keys] - Public key(s) for message encryption
32027 * @param {Array<String>} [passwords] - Password(s) for message encryption
32028 * @param {Object} [sessionKey] - Session key in the form: { data:Uint8Array, algorithm:String, [aeadAlgorithm:String] }
32029 * @param {Boolean} [wildcard] - Use a key ID of 0 instead of the public key IDs
32030 * @param {Array<module:type/keyid~Keyid>} [encryptionKeyIds] - Array of key IDs to use for encryption. Each encryptionKeyIds[i] corresponds to publicKeys[i]
32031 * @param {Date} [date] - Override the creation date of the literal package
32032 * @param {Array<Object>} [userIds] - User IDs to encrypt for, e.g. [{ name:'Robert Receiver', email:'robert@openpgp.org' }]
32033 * @param {Boolean} [streaming] - Whether to process data as a stream
32034 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32035 * @returns {Message} New message with encrypted content.
32036 * @async
32037 */
32038 async encrypt(keys, passwords, sessionKey, wildcard = false, encryptionKeyIds = [], date = new Date(), userIds = [], streaming, config = defaultConfig) {
32039 if (sessionKey) {
32040 if (!util.isUint8Array(sessionKey.data) || !util.isString(sessionKey.algorithm)) {
32041 throw new Error('Invalid session key for encryption.');
32042 }
32043 } else if (keys && keys.length) {
32044 sessionKey = await Message.generateSessionKey(keys, date, userIds, config);
32045 } else if (passwords && passwords.length) {
32046 sessionKey = await Message.generateSessionKey(undefined, undefined, undefined, config);
32047 } else {
32048 throw new Error('No keys, passwords, or session key provided.');
32049 }
32050
32051 const { data: sessionKeyData, algorithm, aeadAlgorithm } = sessionKey;
32052
32053 const msg = await Message.encryptSessionKey(sessionKeyData, algorithm, aeadAlgorithm, keys, passwords, wildcard, encryptionKeyIds, date, userIds, config);
32054
32055 let symEncryptedPacket;
32056 if (aeadAlgorithm) {
32057 symEncryptedPacket = new AEADEncryptedDataPacket();
32058 symEncryptedPacket.aeadAlgorithm = aeadAlgorithm;
32059 } else {
32060 symEncryptedPacket = new SymEncryptedIntegrityProtectedDataPacket();
32061 }
32062 symEncryptedPacket.packets = this.packets;
32063
32064 await symEncryptedPacket.encrypt(algorithm, sessionKeyData, streaming, config);
32065
32066 msg.packets.push(symEncryptedPacket);
32067 symEncryptedPacket.packets = new PacketList(); // remove packets after encryption
32068 return msg;
32069 }
32070
32071 /**
32072 * Encrypt a session key either with public keys, passwords, or both at once.
32073 * @param {Uint8Array} sessionKey - session key for encryption
32074 * @param {String} algorithm - session key algorithm
32075 * @param {String} [aeadAlgorithm] - Aead algorithm, e.g. 'eax' or 'ocb'
32076 * @param {Array<Key>} [publicKeys] - Public key(s) for message encryption
32077 * @param {Array<String>} [passwords] - For message encryption
32078 * @param {Boolean} [wildcard] - Use a key ID of 0 instead of the public key IDs
32079 * @param {Array<module:type/keyid~Keyid>} [encryptionKeyIds] - Array of key IDs to use for encryption. Each encryptionKeyIds[i] corresponds to publicKeys[i]
32080 * @param {Date} [date] - Override the date
32081 * @param {Array} [userIds] - User IDs to encrypt for, e.g. [{ name:'Robert Receiver', email:'robert@openpgp.org' }]
32082 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32083 * @returns {Message} New message with encrypted content.
32084 * @async
32085 */
32086 static async encryptSessionKey(sessionKey, algorithm, aeadAlgorithm, publicKeys, passwords, wildcard = false, encryptionKeyIds = [], date = new Date(), userIds = [], config = defaultConfig) {
32087 const packetlist = new PacketList();
32088
32089 if (publicKeys) {
32090 const results = await Promise.all(publicKeys.map(async function(publicKey, i) {
32091 const encryptionKey = await publicKey.getEncryptionKey(encryptionKeyIds[i], date, userIds, config);
32092 const pkESKeyPacket = new PublicKeyEncryptedSessionKeyPacket();
32093 pkESKeyPacket.publicKeyId = wildcard ? Keyid.wildcard() : encryptionKey.getKeyId();
32094 pkESKeyPacket.publicKeyAlgorithm = encryptionKey.keyPacket.algorithm;
32095 pkESKeyPacket.sessionKey = sessionKey;
32096 pkESKeyPacket.sessionKeyAlgorithm = algorithm;
32097 await pkESKeyPacket.encrypt(encryptionKey.keyPacket);
32098 delete pkESKeyPacket.sessionKey; // delete plaintext session key after encryption
32099 return pkESKeyPacket;
32100 }));
32101 packetlist.concat(results);
32102 }
32103 if (passwords) {
32104 const testDecrypt = async function(keyPacket, password) {
32105 try {
32106 await keyPacket.decrypt(password);
32107 return 1;
32108 } catch (e) {
32109 return 0;
32110 }
32111 };
32112
32113 const sum = (accumulator, currentValue) => accumulator + currentValue;
32114
32115 const encryptPassword = async function(sessionKey, algorithm, aeadAlgorithm, password) {
32116 const symEncryptedSessionKeyPacket = new SymEncryptedSessionKeyPacket(config);
32117 symEncryptedSessionKeyPacket.sessionKey = sessionKey;
32118 symEncryptedSessionKeyPacket.sessionKeyAlgorithm = algorithm;
32119 if (aeadAlgorithm) {
32120 symEncryptedSessionKeyPacket.aeadAlgorithm = aeadAlgorithm;
32121 }
32122 await symEncryptedSessionKeyPacket.encrypt(password, config);
32123
32124 if (config.passwordCollisionCheck) {
32125 const results = await Promise.all(passwords.map(pwd => testDecrypt(symEncryptedSessionKeyPacket, pwd)));
32126 if (results.reduce(sum) !== 1) {
32127 return encryptPassword(sessionKey, algorithm, password);
32128 }
32129 }
32130
32131 delete symEncryptedSessionKeyPacket.sessionKey; // delete plaintext session key after encryption
32132 return symEncryptedSessionKeyPacket;
32133 };
32134
32135 const results = await Promise.all(passwords.map(pwd => encryptPassword(sessionKey, algorithm, aeadAlgorithm, pwd)));
32136 packetlist.concat(results);
32137 }
32138
32139 return new Message(packetlist);
32140 }
32141
32142 /**
32143 * Sign the message (the literal data packet of the message)
32144 * @param {Array<Key>} privateKeys - private keys with decrypted secret key data for signing
32145 * @param {Signature} [signature] - Any existing detached signature to add to the message
32146 * @param {Array<module:type/keyid~Keyid>} [signingKeyIds] - Array of key IDs to use for signing. Each signingKeyIds[i] corresponds to privateKeys[i]
32147 * @param {Date} [date] - Override the creation time of the signature
32148 * @param {Array} [userIds] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
32149 * @param {Boolean} [streaming] - Whether to process data as a stream
32150 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32151 * @returns {Message} New message with signed content.
32152 * @async
32153 */
32154 async sign(privateKeys = [], signature = null, signingKeyIds = [], date = new Date(), userIds = [], streaming = false, config = defaultConfig) {
32155 const packetlist = new PacketList();
32156
32157 const literalDataPacket = this.packets.findPacket(enums.packet.literalData);
32158 if (!literalDataPacket) {
32159 throw new Error('No literal data packet to sign.');
32160 }
32161
32162 let i;
32163 let existingSigPacketlist;
32164 // If data packet was created from Uint8Array, use binary, otherwise use text
32165 const signatureType = literalDataPacket.text === null ?
32166 enums.signature.binary : enums.signature.text;
32167
32168 if (signature) {
32169 existingSigPacketlist = signature.packets.filterByTag(enums.packet.signature);
32170 for (i = existingSigPacketlist.length - 1; i >= 0; i--) {
32171 const signaturePacket = existingSigPacketlist[i];
32172 const onePassSig = new OnePassSignaturePacket();
32173 onePassSig.signatureType = signaturePacket.signatureType;
32174 onePassSig.hashAlgorithm = signaturePacket.hashAlgorithm;
32175 onePassSig.publicKeyAlgorithm = signaturePacket.publicKeyAlgorithm;
32176 onePassSig.issuerKeyId = signaturePacket.issuerKeyId;
32177 if (!privateKeys.length && i === 0) {
32178 onePassSig.flags = 1;
32179 }
32180 packetlist.push(onePassSig);
32181 }
32182 }
32183
32184 await Promise.all(Array.from(privateKeys).reverse().map(async function (privateKey, i) {
32185 if (privateKey.isPublic()) {
32186 throw new Error('Need private key for signing');
32187 }
32188 const signingKeyId = signingKeyIds[privateKeys.length - 1 - i];
32189 const signingKey = await privateKey.getSigningKey(signingKeyId, date, userIds, config);
32190 const onePassSig = new OnePassSignaturePacket();
32191 onePassSig.signatureType = signatureType;
32192 onePassSig.hashAlgorithm = await getPreferredHashAlgo$1(privateKey, signingKey.keyPacket, date, userIds, config);
32193 onePassSig.publicKeyAlgorithm = signingKey.keyPacket.algorithm;
32194 onePassSig.issuerKeyId = signingKey.getKeyId();
32195 if (i === privateKeys.length - 1) {
32196 onePassSig.flags = 1;
32197 }
32198 return onePassSig;
32199 })).then(onePassSignatureList => {
32200 onePassSignatureList.forEach(onePassSig => packetlist.push(onePassSig));
32201 });
32202
32203 packetlist.push(literalDataPacket);
32204 packetlist.concat(await createSignaturePackets(literalDataPacket, privateKeys, signature, signingKeyIds, date, userIds, false, streaming, config));
32205
32206 return new Message(packetlist);
32207 }
32208
32209 /**
32210 * Compresses the message (the literal and -if signed- signature data packets of the message)
32211 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32212 * @returns {Message} New message with compressed content.
32213 */
32214 compress(config = defaultConfig) {
32215 if (config.compression === enums.compression.uncompressed) {
32216 return this;
32217 }
32218
32219 const compressed = new CompressedDataPacket(config);
32220 compressed.packets = this.packets;
32221
32222 const packetList = new PacketList();
32223 packetList.push(compressed);
32224
32225 return new Message(packetList);
32226 }
32227
32228 /**
32229 * Create a detached signature for the message (the literal data packet of the message)
32230 * @param {Array<Key>} privateKeys - private keys with decrypted secret key data for signing
32231 * @param {Signature} [signature] - Any existing detached signature
32232 * @param {Array<module:type/keyid~Keyid>} [signingKeyIds] - Array of key IDs to use for signing. Each signingKeyIds[i] corresponds to privateKeys[i]
32233 * @param {Date} [date] - Override the creation time of the signature
32234 * @param {Array} [userIds] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
32235 * @param {Boolean} [streaming] - Whether to process data as a stream
32236 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32237 * @returns {Signature} New detached signature of message content.
32238 * @async
32239 */
32240 async signDetached(privateKeys = [], signature = null, signingKeyIds = [], date = new Date(), userIds = [], streaming = false, config = defaultConfig) {
32241 const literalDataPacket = this.packets.findPacket(enums.packet.literalData);
32242 if (!literalDataPacket) {
32243 throw new Error('No literal data packet to sign.');
32244 }
32245 return new Signature(await createSignaturePackets(literalDataPacket, privateKeys, signature, signingKeyIds, date, userIds, true, streaming, config));
32246 }
32247
32248 /**
32249 * Verify message signatures
32250 * @param {Array<Key>} keys - Array of keys to verify signatures
32251 * @param {Date} [date] - Verify the signature against the given date, i.e. check signature creation time < date < expiration time
32252 * @param {Boolean} [streaming] - Whether to process data as a stream
32253 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32254 * @returns {Array<({keyid: module:type/keyid~Keyid, valid: Boolean})>} List of signer's keyid and validity of signature.
32255 * @async
32256 */
32257 async verify(keys, date = new Date(), streaming, config = defaultConfig) {
32258 const msg = this.unwrapCompressed();
32259 const literalDataList = msg.packets.filterByTag(enums.packet.literalData);
32260 if (literalDataList.length !== 1) {
32261 throw new Error('Can only verify message with one literal data packet.');
32262 }
32263 if (!streaming) {
32264 msg.packets.concat(await stream.readToEnd(msg.packets.stream, _ => _));
32265 }
32266 const onePassSigList = msg.packets.filterByTag(enums.packet.onePassSignature).reverse();
32267 const signatureList = msg.packets.filterByTag(enums.packet.signature);
32268 if (streaming && onePassSigList.length && !signatureList.length && msg.packets.stream) {
32269 await Promise.all(onePassSigList.map(async onePassSig => {
32270 onePassSig.correspondingSig = new Promise((resolve, reject) => {
32271 onePassSig.correspondingSigResolve = resolve;
32272 onePassSig.correspondingSigReject = reject;
32273 });
32274 onePassSig.signatureData = stream.fromAsync(async () => (await onePassSig.correspondingSig).signatureData);
32275 onePassSig.hashed = stream.readToEnd(await onePassSig.hash(onePassSig.signatureType, literalDataList[0], undefined, false, streaming));
32276 onePassSig.hashed.catch(() => {});
32277 }));
32278 msg.packets.stream = stream.transformPair(msg.packets.stream, async (readable, writable) => {
32279 const reader = stream.getReader(readable);
32280 const writer = stream.getWriter(writable);
32281 try {
32282 for (let i = 0; i < onePassSigList.length; i++) {
32283 const { value: signature } = await reader.read();
32284 onePassSigList[i].correspondingSigResolve(signature);
32285 }
32286 await reader.readToEnd();
32287 await writer.ready;
32288 await writer.close();
32289 } catch (e) {
32290 onePassSigList.forEach(onePassSig => {
32291 onePassSig.correspondingSigReject(e);
32292 });
32293 await writer.abort(e);
32294 }
32295 });
32296 return createVerificationObjects(onePassSigList, literalDataList, keys, date, false, streaming, config);
32297 }
32298 return createVerificationObjects(signatureList, literalDataList, keys, date, false, streaming, config);
32299 }
32300
32301 /**
32302 * Verify detached message signature
32303 * @param {Array<Key>} keys - Array of keys to verify signatures
32304 * @param {Signature} signature
32305 * @param {Date} date - Verify the signature against the given date, i.e. check signature creation time < date < expiration time
32306 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32307 * @returns {Array<({keyid: module:type/keyid~Keyid, valid: Boolean})>} List of signer's keyid and validity of signature.
32308 * @async
32309 */
32310 verifyDetached(signature, keys, date = new Date(), streaming, config = defaultConfig) {
32311 const msg = this.unwrapCompressed();
32312 const literalDataList = msg.packets.filterByTag(enums.packet.literalData);
32313 if (literalDataList.length !== 1) {
32314 throw new Error('Can only verify message with one literal data packet.');
32315 }
32316 const signatureList = signature.packets;
32317 return createVerificationObjects(signatureList, literalDataList, keys, date, true, undefined, config);
32318 }
32319
32320 /**
32321 * Unwrap compressed message
32322 * @returns {Message} Message Content of compressed message.
32323 */
32324 unwrapCompressed() {
32325 const compressed = this.packets.filterByTag(enums.packet.compressedData);
32326 if (compressed.length) {
32327 return new Message(compressed[0].packets);
32328 }
32329 return this;
32330 }
32331
32332 /**
32333 * Append signature to unencrypted message object
32334 * @param {String|Uint8Array} detachedSignature - The detached ASCII-armored or Uint8Array PGP signature
32335 */
32336 async appendSignature(detachedSignature) {
32337 await this.packets.read(util.isUint8Array(detachedSignature) ? detachedSignature : (await unarmor(detachedSignature)).data, { SignaturePacket });
32338 }
32339
32340 /**
32341 * Returns binary encoded message
32342 * @returns {ReadableStream<Uint8Array>} Binary message.
32343 */
32344 write() {
32345 return this.packets.write();
32346 }
32347
32348 /**
32349 * Returns ASCII armored text of message
32350 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32351 * @returns {ReadableStream<String>} ASCII armor.
32352 */
32353 armor(config = defaultConfig) {
32354 return armor(enums.armor.message, this.write(), null, null, null, config);
32355 }
32356
32357 /**
32358 * Creates new message object from text.
32359 * @param {String | ReadableStream<String>} text - The message contents
32360 * @param {String} [filename=""] - Name of the file (if any)
32361 * @param {Date} [date=current date] - Date of the message, or modification date of the file
32362 * @param {'utf8'|'binary'|'text'|'mime'} [type='utf8'] - Data packet type
32363 * @returns {Message} New message object.
32364 * @static
32365 */
32366 static fromText(text, filename, date = new Date(), type = 'utf8') {
32367 const streamType = util.isStream(text);
32368 if (streamType === 'node') {
32369 text = stream.nodeToWeb(text);
32370 }
32371 const literalDataPacket = new LiteralDataPacket(date);
32372 // text will be converted to UTF8
32373 literalDataPacket.setText(text, type);
32374 if (filename !== undefined) {
32375 literalDataPacket.setFilename(filename);
32376 }
32377 const literalDataPacketlist = new PacketList();
32378 literalDataPacketlist.push(literalDataPacket);
32379 const message = new Message(literalDataPacketlist);
32380 message.fromStream = streamType;
32381 return message;
32382 }
32383
32384 /**
32385 * Creates new message object from binary data.
32386 * @param {Uint8Array | ReadableStream<Uint8Array>} bytes - The message contents
32387 * @param {String} [filename=""] - Name of the file (if any)
32388 * @param {Date} [date=current date] - Date of the message, or modification date of the file
32389 * @param {'utf8'|'binary'|'text'|'mime'} [type='binary'] - Data packet type
32390 * @returns {Message} New message object.
32391 * @static
32392 */
32393 static fromBinary(bytes, filename, date = new Date(), type = 'binary') {
32394 const streamType = util.isStream(bytes);
32395 if (!util.isUint8Array(bytes) && !streamType) {
32396 throw new Error('Data must be in the form of a Uint8Array or Stream');
32397 }
32398 if (streamType === 'node') {
32399 bytes = stream.nodeToWeb(bytes);
32400 }
32401
32402 const literalDataPacket = new LiteralDataPacket(date);
32403 literalDataPacket.setBytes(bytes, type);
32404 if (filename !== undefined) {
32405 literalDataPacket.setFilename(filename);
32406 }
32407 const literalDataPacketlist = new PacketList();
32408 literalDataPacketlist.push(literalDataPacket);
32409 const message = new Message(literalDataPacketlist);
32410 message.fromStream = streamType;
32411 return message;
32412 }
32413 }
32414
32415 /**
32416 * Create signature packets for the message
32417 * @param {LiteralDataPacket} literalDataPacket - the literal data packet to sign
32418 * @param {Array<Key>} privateKeys - private keys with decrypted secret key data for signing
32419 * @param {Signature} [signature] - Any existing detached signature to append
32420 * @param {Array<module:type/keyid~Keyid>} [signingKeyIds] - Array of key IDs to use for signing. Each signingKeyIds[i] corresponds to privateKeys[i]
32421 * @param {Date} [date] - Override the creationtime of the signature
32422 * @param {Array} [userIds] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
32423 * @param {Boolean} [detached] - Whether to create detached signature packets
32424 * @param {Boolean} [streaming] - Whether to process data as a stream
32425 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32426 * @returns {PacketList} List of signature packets.
32427 * @async
32428 * @private
32429 */
32430 async function createSignaturePackets(literalDataPacket, privateKeys, signature = null, signingKeyIds = [], date = new Date(), userIds = [], detached = false, streaming = false, config = defaultConfig) {
32431 const packetlist = new PacketList();
32432
32433 // If data packet was created from Uint8Array, use binary, otherwise use text
32434 const signatureType = literalDataPacket.text === null ?
32435 enums.signature.binary : enums.signature.text;
32436
32437 await Promise.all(privateKeys.map(async (privateKey, i) => {
32438 const userId = userIds[i];
32439 if (privateKey.isPublic()) {
32440 throw new Error('Need private key for signing');
32441 }
32442 const signingKey = await privateKey.getSigningKey(signingKeyIds[i], date, userId, config);
32443 return createSignaturePacket(literalDataPacket, privateKey, signingKey.keyPacket, { signatureType }, date, userId, detached, streaming, config);
32444 })).then(signatureList => {
32445 signatureList.forEach(signaturePacket => packetlist.push(signaturePacket));
32446 });
32447
32448 if (signature) {
32449 const existingSigPacketlist = signature.packets.filterByTag(enums.packet.signature);
32450 packetlist.concat(existingSigPacketlist);
32451 }
32452 return packetlist;
32453 }
32454
32455 /**
32456 * Create object containing signer's keyid and validity of signature
32457 * @param {SignaturePacket} signature - Signature packets
32458 * @param {Array<LiteralDataPacket>} literalDataList - Array of literal data packets
32459 * @param {Array<Key>} keys - Array of keys to verify signatures
32460 * @param {Date} date - Verify the signature against the given date,
32461 * i.e. check signature creation time < date < expiration time
32462 * @param {Boolean} [detached] - Whether to verify detached signature packets
32463 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32464 * @returns {Promise<Array<{keyid: module:type/keyid~Keyid,
32465 * valid: Boolean|null}>>} list of signer's keyid and validity of signature
32466 * @async
32467 * @private
32468 */
32469 async function createVerificationObject(signature, literalDataList, keys, date = new Date(), detached = false, streaming = false, config = defaultConfig) {
32470 let primaryKey = null;
32471 let signingKey = null;
32472 await Promise.all(keys.map(async function(key) {
32473 // Look for the unique key that matches issuerKeyId of signature
32474 try {
32475 signingKey = await key.getSigningKey(signature.issuerKeyId, null, undefined, config);
32476 primaryKey = key;
32477 } catch (e) {}
32478 }));
32479
32480 const signaturePacket = signature.correspondingSig || signature;
32481 const verifiedSig = {
32482 keyid: signature.issuerKeyId,
32483 verified: (async () => {
32484 if (!signingKey) {
32485 return null;
32486 }
32487 await signature.verify(signingKey.keyPacket, signature.signatureType, literalDataList[0], detached, streaming, config);
32488 const sig = await signaturePacket;
32489 if (sig.isExpired(date) || !(
32490 sig.created >= signingKey.getCreationTime() &&
32491 sig.created < await (signingKey === primaryKey ?
32492 signingKey.getExpirationTime(undefined, undefined, undefined, config) :
32493 signingKey.getExpirationTime(primaryKey, date, undefined, config)
32494 )
32495 )) {
32496 throw new Error('Signature is expired');
32497 }
32498 return true;
32499 })(),
32500 signature: (async () => {
32501 const sig = await signaturePacket;
32502 const packetlist = new PacketList();
32503 packetlist.push(sig);
32504 return new Signature(packetlist);
32505 })()
32506 };
32507
32508 // Mark potential promise rejections as "handled". This is needed because in
32509 // some cases, we reject them before the user has a reasonable chance to
32510 // handle them (e.g. `await readToEnd(result.data); await result.verified` and
32511 // the data stream errors).
32512 verifiedSig.signature.catch(() => {});
32513 verifiedSig.verified.catch(() => {});
32514
32515 return verifiedSig;
32516 }
32517
32518 /**
32519 * Create list of objects containing signer's keyid and validity of signature
32520 * @param {Array<SignaturePacket>} signatureList - Array of signature packets
32521 * @param {Array<LiteralDataPacket>} literalDataList - Array of literal data packets
32522 * @param {Array<Key>} keys - Array of keys to verify signatures
32523 * @param {Date} date - Verify the signature against the given date,
32524 * i.e. check signature creation time < date < expiration time
32525 * @param {Boolean} [detached] - Whether to verify detached signature packets
32526 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32527 * @returns {Promise<Array<{keyid: module:type/keyid~Keyid,
32528 * valid: Boolean}>>} list of signer's keyid and validity of signature
32529 * @async
32530 * @private
32531 */
32532 async function createVerificationObjects(signatureList, literalDataList, keys, date = new Date(), detached = false, streaming = false, config = defaultConfig) {
32533 return Promise.all(signatureList.filter(function(signature) {
32534 return ['text', 'binary'].includes(enums.read(enums.signature, signature.signatureType));
32535 }).map(async function(signature) {
32536 return createVerificationObject(signature, literalDataList, keys, date, detached, streaming, config);
32537 }));
32538 }
32539
32540 /**
32541 * Reads an (optionally armored) OpenPGP message and returns a Message object
32542 * @param {Object} options
32543 * @param {String | ReadableStream<String>} [options.armoredMessage] - Armored message to be parsed
32544 * @param {Uint8Array | ReadableStream<Uint8Array>} [options.binaryMessage] - Binary to be parsed
32545 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
32546 * @returns {Message} New message object.
32547 * @async
32548 * @static
32549 */
32550 async function readMessage({ armoredMessage, binaryMessage, config }) {
32551 config = { ...defaultConfig, ...config };
32552 let input = armoredMessage || binaryMessage;
32553 if (!input) {
32554 throw new Error('readMessage: must pass options object containing `armoredMessage` or `binaryMessage`');
32555 }
32556 const streamType = util.isStream(input);
32557 if (streamType === 'node') {
32558 input = stream.nodeToWeb(input);
32559 }
32560 if (armoredMessage) {
32561 const { type, data } = await unarmor(input, config);
32562 if (type !== enums.armor.message) {
32563 throw new Error('Armored text not of type message');
32564 }
32565 input = data;
32566 }
32567 const packetlist = new PacketList();
32568 await packetlist.read(input, {
32569 LiteralDataPacket,
32570 CompressedDataPacket,
32571 AEADEncryptedDataPacket,
32572 SymEncryptedIntegrityProtectedDataPacket,
32573 SymmetricallyEncryptedDataPacket,
32574 PublicKeyEncryptedSessionKeyPacket,
32575 SymEncryptedSessionKeyPacket,
32576 OnePassSignaturePacket,
32577 SignaturePacket
32578 }, streamType, config);
32579 const message = new Message(packetlist);
32580 message.fromStream = streamType;
32581 return message;
32582 }
32583
32584 // GPG4Browsers - An OpenPGP implementation in javascript
32585
32586 /**
32587 * Class that represents an OpenPGP cleartext signed message.
32588 * See {@link https://tools.ietf.org/html/rfc4880#section-7}
32589 */
32590 class CleartextMessage {
32591 /**
32592 * @param {String} text - The cleartext of the signed message
32593 * @param {Signature} signature - The detached signature or an empty signature for unsigned messages
32594 */
32595 constructor(text, signature) {
32596 // normalize EOL to canonical form <CR><LF>
32597 this.text = util.removeTrailingSpaces(text).replace(/\r?\n/g, '\r\n');
32598 if (signature && !(signature instanceof Signature)) {
32599 throw new Error('Invalid signature input');
32600 }
32601 this.signature = signature || new Signature(new PacketList());
32602 }
32603
32604 /**
32605 * Returns the key IDs of the keys that signed the cleartext message
32606 * @returns {Array<module:type/keyid~Keyid>} Array of keyid objects.
32607 */
32608 getSigningKeyIds() {
32609 const keyIds = [];
32610 const signatureList = this.signature.packets;
32611 signatureList.forEach(function(packet) {
32612 keyIds.push(packet.issuerKeyId);
32613 });
32614 return keyIds;
32615 }
32616
32617 /**
32618 * Sign the cleartext message
32619 * @param {Array<Key>} privateKeys - private keys with decrypted secret key data for signing
32620 * @param {Signature} [signature] - Any existing detached signature
32621 * @param {Array<module:type/keyid~Keyid>} [signingKeyIds] - Array of key IDs to use for signing. Each signingKeyIds[i] corresponds to privateKeys[i]
32622 * @param {Date} [date] - The creation time of the signature that should be created
32623 * @param {Array} [userIds] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
32624 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32625 * @returns {CleartextMessage} New cleartext message with signed content.
32626 * @async
32627 */
32628 async sign(privateKeys, signature = null, signingKeyIds = [], date = new Date(), userIds = [], config = defaultConfig) {
32629 return new CleartextMessage(this.text, await this.signDetached(privateKeys, signature, signingKeyIds, date, userIds, config));
32630 }
32631
32632 /**
32633 * Sign the cleartext message
32634 * @param {Array<Key>} privateKeys - private keys with decrypted secret key data for signing
32635 * @param {Signature} [signature] - Any existing detached signature
32636 * @param {Array<module:type/keyid~Keyid>} [signingKeyIds] - Array of key IDs to use for signing. Each signingKeyIds[i] corresponds to privateKeys[i]
32637 * @param {Date} [date] - The creation time of the signature that should be created
32638 * @param {Array} [userIds] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
32639 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32640 * @returns {Signature} New detached signature of message content.
32641 * @async
32642 */
32643 async signDetached(privateKeys, signature = null, signingKeyIds = [], date = new Date(), userIds = [], config = defaultConfig) {
32644 const literalDataPacket = new LiteralDataPacket();
32645 literalDataPacket.setText(this.text);
32646
32647 return new Signature(await createSignaturePackets(literalDataPacket, privateKeys, signature, signingKeyIds, date, userIds, true, undefined, config));
32648 }
32649
32650 /**
32651 * Verify signatures of cleartext signed message
32652 * @param {Array<Key>} keys - Array of keys to verify signatures
32653 * @param {Date} [date] - Verify the signature against the given date, i.e. check signature creation time < date < expiration time
32654 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32655 * @returns {Array<{keyid: module:type/keyid~Keyid, valid: Boolean}>} List of signer's keyid and validity of signature.
32656 * @async
32657 */
32658 verify(keys, date = new Date(), config = defaultConfig) {
32659 return this.verifyDetached(this.signature, keys, date, config);
32660 }
32661
32662 /**
32663 * Verify signatures of cleartext signed message
32664 * @param {Array<Key>} keys - Array of keys to verify signatures
32665 * @param {Date} [date] - Verify the signature against the given date, i.e. check signature creation time < date < expiration time
32666 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32667 * @returns {Array<{keyid: module:type/keyid~Keyid, valid: Boolean}>} List of signer's keyid and validity of signature.
32668 * @async
32669 */
32670 verifyDetached(signature, keys, date = new Date(), config = defaultConfig) {
32671 const signatureList = signature.packets;
32672 const literalDataPacket = new LiteralDataPacket();
32673 // we assume that cleartext signature is generated based on UTF8 cleartext
32674 literalDataPacket.setText(this.text);
32675 return createVerificationObjects(signatureList, [literalDataPacket], keys, date, true, undefined, config);
32676 }
32677
32678 /**
32679 * Get cleartext
32680 * @returns {String} Cleartext of message.
32681 */
32682 getText() {
32683 // normalize end of line to \n
32684 return this.text.replace(/\r\n/g, '\n');
32685 }
32686
32687 /**
32688 * Returns ASCII armored text of cleartext signed message
32689 * @param {Object} [config] - Full configuration, defaults to openpgp.config
32690 * @returns {String | ReadableStream<String>} ASCII armor.
32691 */
32692 armor(config = defaultConfig) {
32693 let hashes = this.signature.packets.map(function(packet) {
32694 return enums.read(enums.hash, packet.hashAlgorithm).toUpperCase();
32695 });
32696 hashes = hashes.filter(function(item, i, ar) { return ar.indexOf(item) === i; });
32697 const body = {
32698 hash: hashes.join(),
32699 text: this.text,
32700 data: this.signature.packets.write()
32701 };
32702 return armor(enums.armor.signed, body, undefined, undefined, undefined, config);
32703 }
32704
32705 /**
32706 * Creates a new CleartextMessage object from text
32707 * @param {String} text
32708 * @static
32709 */
32710 static fromText(text) {
32711 return new CleartextMessage(text);
32712 }
32713 }
32714
32715
32716 /**
32717 * Reads an OpenPGP cleartext signed message and returns a CleartextMessage object
32718 * @param {Object} options
32719 * @param {String | ReadableStream<String>} options.cleartextMessage - Text to be parsed
32720 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
32721 * @returns {CleartextMessage} New cleartext message object.
32722 * @async
32723 * @static
32724 */
32725 async function readCleartextMessage({ cleartextMessage, config }) {
32726 config = { ...defaultConfig, ...config };
32727 if (!cleartextMessage) {
32728 throw new Error('readCleartextMessage: must pass options object containing `cleartextMessage`');
32729 }
32730 const input = await unarmor(cleartextMessage);
32731 if (input.type !== enums.armor.signed) {
32732 throw new Error('No cleartext signed message.');
32733 }
32734 const packetlist = new PacketList();
32735 await packetlist.read(input.data, { SignaturePacket }, undefined, config);
32736 verifyHeaders$1(input.headers, packetlist);
32737 const signature = new Signature(packetlist);
32738 return new CleartextMessage(input.text, signature);
32739 }
32740
32741 /**
32742 * Compare hash algorithm specified in the armor header with signatures
32743 * @param {Array<String>} headers - Armor headers
32744 * @param {PacketList} packetlist - The packetlist with signature packets
32745 * @private
32746 */
32747 function verifyHeaders$1(headers, packetlist) {
32748 const checkHashAlgos = function(hashAlgos) {
32749 const check = packet => algo => packet.hashAlgorithm === algo;
32750
32751 for (let i = 0; i < packetlist.length; i++) {
32752 if (packetlist[i].tag === enums.packet.signature && !hashAlgos.some(check(packetlist[i]))) {
32753 return false;
32754 }
32755 }
32756 return true;
32757 };
32758
32759 let oneHeader = null;
32760 let hashAlgos = [];
32761 headers.forEach(function(header) {
32762 oneHeader = header.match(/Hash: (.+)/); // get header value
32763 if (oneHeader) {
32764 oneHeader = oneHeader[1].replace(/\s/g, ''); // remove whitespace
32765 oneHeader = oneHeader.split(',');
32766 oneHeader = oneHeader.map(function(hash) {
32767 hash = hash.toLowerCase();
32768 try {
32769 return enums.write(enums.hash, hash);
32770 } catch (e) {
32771 throw new Error('Unknown hash algorithm in armor header: ' + hash);
32772 }
32773 });
32774 hashAlgos = hashAlgos.concat(oneHeader);
32775 } else {
32776 throw new Error('Only "Hash" header allowed in cleartext signed message');
32777 }
32778 });
32779
32780 if (!hashAlgos.length && !checkHashAlgos([enums.hash.md5])) {
32781 throw new Error('If no "Hash" header in cleartext signed message, then only MD5 signatures allowed');
32782 } else if (hashAlgos.length && !checkHashAlgos(hashAlgos)) {
32783 throw new Error('Hash algorithm mismatch in armor header and signature');
32784 }
32785 }
32786
32787 // OpenPGP.js - An OpenPGP implementation in javascript
32788
32789 let toNativeReadable;
32790 if (globalThis.ReadableStream) {
32791 try {
32792 toNativeReadable = createReadableStreamWrapper(globalThis.ReadableStream);
32793 } catch (e) {}
32794 }
32795
32796 //////////////////////
32797 // //
32798 // Key handling //
32799 // //
32800 //////////////////////
32801
32802
32803 /**
32804 * Generates a new OpenPGP key pair. Supports RSA and ECC keys. By default, primary and subkeys will be of same type.
32805 * @param {Object} options
32806 * @param {'ecc'|'rsa'} [options.type='ecc'] - The primary key algorithm type: ECC (default) or RSA
32807 * @param {Object|Array<Object>} options.userIds - User IDs as objects: `{ name: 'Jo Doe', email: 'info@jo.com' }`
32808 * @param {String} [options.passphrase=(not protected)] - The passphrase used to encrypt the generated private key
32809 * @param {Number} [options.rsaBits=4096] - Number of bits for RSA keys
32810 * @param {String} [options.curve='curve25519'] - Elliptic curve for ECC keys:
32811 * curve25519 (default), p256, p384, p521, secp256k1,
32812 * brainpoolP256r1, brainpoolP384r1, or brainpoolP512r1
32813 * @param {Date} [options.date=current date] - Override the creation date of the key and the key signatures
32814 * @param {Number} [options.keyExpirationTime=0 (never expires)] - Number of seconds from the key creation time after which the key expires
32815 * @param {Array<Object>} [options.subkeys=a single encryption subkey] - Options for each subkey, default to main key options. e.g. `[{sign: true, passphrase: '123'}]`
32816 * sign parameter defaults to false, and indicates whether the subkey should sign rather than encrypt
32817 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
32818 * @returns {Object} The generated key object in the form:
32819 * { key:Key, privateKeyArmored:String, publicKeyArmored:String, revocationCertificate:String }
32820 * @async
32821 * @static
32822 */
32823 function generateKey({ userIds = [], passphrase = "", type = "ecc", rsaBits = 4096, curve = "curve25519", keyExpirationTime = 0, date = new Date(), subkeys = [{}], config }) {
32824 config = { ...defaultConfig, ...config };
32825 userIds = toArray$1(userIds);
32826 const options = { userIds, passphrase, type, rsaBits, curve, keyExpirationTime, date, subkeys };
32827 if (type === "rsa" && rsaBits < config.minRsaBits) {
32828 throw new Error(`rsaBits should be at least ${config.minRsaBits}, got: ${rsaBits}`);
32829 }
32830
32831 return generate$2(options, config).then(async key => {
32832 const revocationCertificate = await key.getRevocationCertificate(date, config);
32833 key.revocationSignatures = [];
32834
32835 return {
32836
32837 key: key,
32838 privateKeyArmored: key.armor(config),
32839 publicKeyArmored: key.toPublic().armor(config),
32840 revocationCertificate: revocationCertificate
32841
32842 };
32843 }).catch(onError.bind(null, 'Error generating keypair'));
32844 }
32845
32846 /**
32847 * Reformats signature packets for a key and rewraps key object.
32848 * @param {Object} options
32849 * @param {Key} options.privateKey - Private key to reformat
32850 * @param {Object|Array<Object>} options.userIds - User IDs as objects: `{ name: 'Jo Doe', email: 'info@jo.com' }`
32851 * @param {String} [options.passphrase=(not protected)] - The passphrase used to encrypt the generated private key
32852 * @param {Number} [options.keyExpirationTime=0 (never expires)] - Number of seconds from the key creation time after which the key expires
32853 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
32854 * @returns {Object} The generated key object in the form:
32855 * { key:Key, privateKeyArmored:String, publicKeyArmored:String, revocationCertificate:String }
32856 * @async
32857 * @static
32858 */
32859 function reformatKey({ privateKey, userIds = [], passphrase = "", keyExpirationTime = 0, date, config }) {
32860 config = { ...defaultConfig, ...config };
32861 userIds = toArray$1(userIds);
32862 const options = { privateKey, userIds, passphrase, keyExpirationTime, date };
32863
32864 return reformat(options, config).then(async key => {
32865 const revocationCertificate = await key.getRevocationCertificate(date, config);
32866 key.revocationSignatures = [];
32867
32868 return {
32869
32870 key: key,
32871 privateKeyArmored: key.armor(config),
32872 publicKeyArmored: key.toPublic().armor(config),
32873 revocationCertificate: revocationCertificate
32874
32875 };
32876 }).catch(onError.bind(null, 'Error reformatting keypair'));
32877 }
32878
32879 /**
32880 * Revokes a key. Requires either a private key or a revocation certificate.
32881 * If a revocation certificate is passed, the reasonForRevocation parameter will be ignored.
32882 * @param {Object} options
32883 * @param {Key} options.key - Public or private key to revoke
32884 * @param {String} [options.revocationCertificate] - Revocation certificate to revoke the key with
32885 * @param {Object} [options.reasonForRevocation] - Object indicating the reason for revocation
32886 * @param {module:enums.reasonForRevocation} [options.reasonForRevocation.flag=[noReason]{@link module:enums.reasonForRevocation}] - Flag indicating the reason for revocation
32887 * @param {String} [options.reasonForRevocation.string=""] - String explaining the reason for revocation
32888 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
32889 * @returns {Object} The revoked key object in the form:
32890 * `{ privateKey:Key, privateKeyArmored:String, publicKey:Key, publicKeyArmored:String }`
32891 * (if private key is passed) or `{ publicKey:Key, publicKeyArmored:String }` (otherwise)
32892 * @async
32893 * @static
32894 */
32895 function revokeKey({ key, revocationCertificate, reasonForRevocation, config }) {
32896 config = { ...defaultConfig, ...config };
32897 return Promise.resolve().then(() => {
32898 if (revocationCertificate) {
32899 return key.applyRevocationCertificate(revocationCertificate, config);
32900 } else {
32901 return key.revoke(reasonForRevocation, undefined, config);
32902 }
32903 }).then(async key => {
32904 if (key.isPrivate()) {
32905 const publicKey = key.toPublic();
32906 return {
32907 privateKey: key,
32908 privateKeyArmored: key.armor(config),
32909 publicKey: publicKey,
32910 publicKeyArmored: publicKey.armor(config)
32911 };
32912 }
32913 return {
32914 publicKey: key,
32915 publicKeyArmored: key.armor(config)
32916 };
32917 }).catch(onError.bind(null, 'Error revoking key'));
32918 }
32919
32920 /**
32921 * Unlock a private key with the given passphrase.
32922 * This method does not change the original key.
32923 * @param {Object} options
32924 * @param {Key} options.privateKey - The private key to decrypt
32925 * @param {String|Array<String>} options.passphrase - The user's passphrase(s)
32926 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
32927 * @returns {Key} The unlocked key object.
32928 * @async
32929 */
32930 async function decryptKey({ privateKey, passphrase, config }) {
32931 config = { ...defaultConfig, ...config };
32932 const key = await privateKey.clone();
32933 // shallow clone is enough since the encrypted material is not changed in place by decryption
32934 key.getKeys().forEach(k => {
32935 k.keyPacket = Object.create(
32936 Object.getPrototypeOf(k.keyPacket),
32937 Object.getOwnPropertyDescriptors(k.keyPacket)
32938 );
32939 });
32940 try {
32941 await key.decrypt(passphrase, undefined, config);
32942 return key;
32943 } catch (err) {
32944 key.clearPrivateParams();
32945 return onError('Error decrypting private key', err);
32946 }
32947 }
32948
32949 /**
32950 * Lock a private key with the given passphrase.
32951 * This method does not change the original key.
32952 * @param {Object} options
32953 * @param {Key} options.privateKey - The private key to encrypt
32954 * @param {String|Array<String>} options.passphrase - If multiple passphrases, they should be in the same order as the packets each should encrypt
32955 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
32956 * @returns {Key} The locked key object.
32957 * @async
32958 */
32959 async function encryptKey({ privateKey, passphrase, config }) {
32960 config = { ...defaultConfig, ...config };
32961 const key = await privateKey.clone();
32962 key.getKeys().forEach(k => {
32963 // shallow clone the key packets
32964 k.keyPacket = Object.create(
32965 Object.getPrototypeOf(k.keyPacket),
32966 Object.getOwnPropertyDescriptors(k.keyPacket)
32967 );
32968 if (!k.keyPacket.isDecrypted()) return;
32969 // deep clone the private params, which are cleared during encryption
32970 const privateParams = {};
32971 Object.keys(k.keyPacket.privateParams).forEach(name => {
32972 privateParams[name] = new Uint8Array(k.keyPacket.privateParams[name]);
32973 });
32974 k.keyPacket.privateParams = privateParams;
32975 });
32976 try {
32977 await key.encrypt(passphrase, undefined, config);
32978 return key;
32979 } catch (err) {
32980 key.clearPrivateParams();
32981 return onError('Error encrypting private key', err);
32982 }
32983 }
32984
32985
32986 ///////////////////////////////////////////
32987 // //
32988 // Message encryption and decryption //
32989 // //
32990 ///////////////////////////////////////////
32991
32992
32993 /**
32994 * Encrypts message text/data with public keys, passwords or both at once. At least either public keys or passwords
32995 * must be specified. If private keys are specified, those will be used to sign the message.
32996 * @param {Object} options
32997 * @param {Message} options.message - Message to be encrypted as created by {@link Message.fromText} or {@link Message.fromBinary}
32998 * @param {Key|Array<Key>} [options.publicKeys] - Array of keys or single key, used to encrypt the message
32999 * @param {Key|Array<Key>} [options.privateKeys] - Private keys for signing. If omitted message will not be signed
33000 * @param {String|Array<String>} [options.passwords] - Array of passwords or a single password to encrypt the message
33001 * @param {Object} [options.sessionKey] - Session key in the form: `{ data:Uint8Array, algorithm:String }`
33002 * @param {Boolean} [options.armor=true] - Whether the return values should be ascii armored (true, the default) or binary (false)
33003 * @param {'web'|'ponyfill'|'node'|false} [options.streaming=type of stream `message` was created from, if any] - Whether to return data as a stream
33004 * @param {Signature} [options.signature] - A detached signature to add to the encrypted message
33005 * @param {Boolean} [options.wildcard=false] - Use a key ID of 0 instead of the public key IDs
33006 * @param {Array<module:type/keyid~Keyid>} [options.signingKeyIds=latest-created valid signing (sub)keys] - Array of key IDs to use for signing. Each `signingKeyIds[i]` corresponds to `privateKeys[i]`
33007 * @param {Array<module:type/keyid~Keyid>} [options.encryptionKeyIds=latest-created valid encryption (sub)keys] - Array of key IDs to use for encryption. Each `encryptionKeyIds[i]` corresponds to `publicKeys[i]`
33008 * @param {Date} [options.date=current date] - Override the creation date of the message signature
33009 * @param {Array<Object>} [options.fromUserIds=primary user IDs] - Array of user IDs to sign with, one per key in `privateKeys`, e.g. `[{ name: 'Steve Sender', email: 'steve@openpgp.org' }]`
33010 * @param {Array<Object>} [options.toUserIds=primary user IDs] - Array of user IDs to encrypt for, one per key in `publicKeys`, e.g. `[{ name: 'Robert Receiver', email: 'robert@openpgp.org' }]`
33011 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
33012 * @returns {String|ReadableStream<String>|NodeStream<String>|Uint8Array|ReadableStream<Uint8Array>|NodeStream<Uint8Array>} Encrypted message (string if `armor` was true, the default; Uint8Array if `armor` was false).
33013 * @async
33014 * @static
33015 */
33016 function encrypt$4({ message, publicKeys, privateKeys, passwords, sessionKey, armor = true, streaming = message && message.fromStream, detached = false, signature = null, wildcard = false, signingKeyIds = [], encryptionKeyIds = [], date = new Date(), fromUserIds = [], toUserIds = [], config }) {
33017 config = { ...defaultConfig, ...config };
33018 checkMessage(message); publicKeys = toArray$1(publicKeys); privateKeys = toArray$1(privateKeys); passwords = toArray$1(passwords); fromUserIds = toArray$1(fromUserIds); toUserIds = toArray$1(toUserIds);
33019 if (detached) {
33020 throw new Error("detached option has been removed from openpgp.encrypt. Separately call openpgp.sign instead. Don't forget to remove privateKeys option as well.");
33021 }
33022
33023 return Promise.resolve().then(async function() {
33024 if (!privateKeys) {
33025 privateKeys = [];
33026 }
33027 if (privateKeys.length || signature) { // sign the message only if private keys or signature is specified
33028 message = await message.sign(privateKeys, signature, signingKeyIds, date, fromUserIds, message.fromStream, config);
33029 }
33030 message = message.compress(config);
33031 message = await message.encrypt(publicKeys, passwords, sessionKey, wildcard, encryptionKeyIds, date, toUserIds, streaming, config);
33032 const data = armor ? message.armor(config) : message.write();
33033 return convertStream(data, streaming, armor ? 'utf8' : 'binary');
33034 }).catch(onError.bind(null, 'Error encrypting message'));
33035 }
33036
33037 /**
33038 * Decrypts a message with the user's private key, a session key or a password. Either a private key,
33039 * a session key or a password must be specified.
33040 * @param {Object} options
33041 * @param {Message} options.message - The message object with the encrypted data
33042 * @param {Key|Array<Key>} [options.privateKeys] - Private keys with decrypted secret key data or session key
33043 * @param {String|Array<String>} [options.passwords] - Passwords to decrypt the message
33044 * @param {Object|Array<Object>} [options.sessionKeys] - Session keys in the form: { data:Uint8Array, algorithm:String }
33045 * @param {Key|Array<Key>} [options.publicKeys] - Array of public keys or single key, to verify signatures
33046 * @param {'utf8'|'binary'} [options.format='utf8'] - Whether to return data as a string(Stream) or Uint8Array(Stream). If 'utf8' (the default), also normalize newlines.
33047 * @param {'web'|'ponyfill'|'node'|false} [options.streaming=type of stream `message` was created from, if any] - Whether to return data as a stream. Defaults to the type of stream `message` was created from, if any.
33048 * @param {Signature} [options.signature] - Detached signature for verification
33049 * @param {Date} [options.date=current date] - Use the given date for verification instead of the current time
33050 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
33051 * @returns {Object} Object containing decrypted and verified message in the form:
33052 *
33053 * {
33054 * data: String|ReadableStream<String>|NodeStream, (if format was 'utf8', the default)
33055 * data: Uint8Array|ReadableStream<Uint8Array>|NodeStream, (if format was 'binary')
33056 * filename: String,
33057 * signatures: [
33058 * {
33059 * keyid: module:type/keyid~Keyid,
33060 * verified: Promise<Boolean>,
33061 * valid: Boolean (if streaming was false)
33062 * }, ...
33063 * ]
33064 * }
33065 * @async
33066 * @static
33067 */
33068 function decrypt$4({ message, privateKeys, passwords, sessionKeys, publicKeys, format = 'utf8', streaming = message && message.fromStream, signature = null, date = new Date(), config }) {
33069 config = { ...defaultConfig, ...config };
33070 checkMessage(message); publicKeys = toArray$1(publicKeys); privateKeys = toArray$1(privateKeys); passwords = toArray$1(passwords); sessionKeys = toArray$1(sessionKeys);
33071
33072 return message.decrypt(privateKeys, passwords, sessionKeys, streaming, config).then(async function(decrypted) {
33073 if (!publicKeys) {
33074 publicKeys = [];
33075 }
33076
33077 const result = {};
33078 result.signatures = signature ? await decrypted.verifyDetached(signature, publicKeys, date, streaming, config) : await decrypted.verify(publicKeys, date, streaming, config);
33079 result.data = format === 'binary' ? decrypted.getLiteralData() : decrypted.getText();
33080 result.filename = decrypted.getFilename();
33081 linkStreams(result, message);
33082 result.data = await convertStream(result.data, streaming, format);
33083 if (!streaming) await prepareSignatures(result.signatures);
33084 return result;
33085 }).catch(onError.bind(null, 'Error decrypting message'));
33086 }
33087
33088
33089 //////////////////////////////////////////
33090 // //
33091 // Message signing and verification //
33092 // //
33093 //////////////////////////////////////////
33094
33095
33096 /**
33097 * Signs a message.
33098 * @param {Object} options
33099 * @param {CleartextMessage|Message} options.message - (cleartext) message to be signed
33100 * @param {Key|Array<Key>} options.privateKeys - Array of keys or single key with decrypted secret key data to sign cleartext
33101 * @param {Boolean} [options.armor=true] - Whether the return values should be ascii armored (true, the default) or binary (false)
33102 * @param {'web'|'ponyfill'|'node'|false} [options.streaming=type of stream `message` was created from, if any] - Whether to return data as a stream. Defaults to the type of stream `message` was created from, if any.
33103 * @param {Boolean} [options.detached=false] - If the return value should contain a detached signature
33104 * @param {Array<module:type/keyid~Keyid>} [options.signingKeyIds=latest-created valid signing (sub)keys] - Array of key IDs to use for signing. Each signingKeyIds[i] corresponds to privateKeys[i]
33105 * @param {Date} [options.date=current date] - Override the creation date of the signature
33106 * @param {Array<Object>} [options.fromUserIds=primary user IDs] - Array of user IDs to sign with, one per key in `privateKeys`, e.g. `[{ name: 'Steve Sender', email: 'steve@openpgp.org' }]`
33107 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
33108 * @returns {String|ReadableStream<String>|NodeStream<String>|Uint8Array|ReadableStream<Uint8Array>|NodeStream<Uint8Array>} Signed message (string if `armor` was true, the default; Uint8Array if `armor` was false).
33109 * @async
33110 * @static
33111 */
33112 function sign$5({ message, privateKeys, armor = true, streaming = message && message.fromStream, detached = false, signingKeyIds = [], date = new Date(), fromUserIds = [], config }) {
33113 config = { ...defaultConfig, ...config };
33114 checkCleartextOrMessage(message);
33115 if (message instanceof CleartextMessage && !armor) throw new Error("Can't sign non-armored cleartext message");
33116 if (message instanceof CleartextMessage && detached) throw new Error("Can't sign detached cleartext message");
33117 privateKeys = toArray$1(privateKeys); fromUserIds = toArray$1(fromUserIds);
33118
33119 return Promise.resolve().then(async function() {
33120 let signature;
33121 if (message instanceof CleartextMessage) {
33122 signature = await message.sign(privateKeys, undefined, signingKeyIds, date, fromUserIds, config);
33123 } else if (detached) {
33124 signature = await message.signDetached(privateKeys, undefined, signingKeyIds, date, fromUserIds, message.fromStream, config);
33125 } else {
33126 signature = await message.sign(privateKeys, undefined, signingKeyIds, date, fromUserIds, message.fromStream, config);
33127 }
33128 signature = armor ? signature.armor(config) : signature.write();
33129 if (detached) {
33130 signature = stream.transformPair(message.packets.write(), async (readable, writable) => {
33131 await Promise.all([
33132 stream.pipe(signature, writable),
33133 stream.readToEnd(readable).catch(() => {})
33134 ]);
33135 });
33136 }
33137 return convertStream(signature, streaming, armor ? 'utf8' : 'binary');
33138 }).catch(onError.bind(null, 'Error signing message'));
33139 }
33140
33141 /**
33142 * Verifies signatures of cleartext signed message
33143 * @param {Object} options
33144 * @param {Key|Array<Key>} options.publicKeys - Array of publicKeys or single key, to verify signatures
33145 * @param {CleartextMessage|Message} options.message - (cleartext) message object with signatures
33146 * @param {'utf8'|'binary'} [options.format='utf8'] - Whether to return data as a string(Stream) or Uint8Array(Stream). If 'utf8' (the default), also normalize newlines.
33147 * @param {'web'|'ponyfill'|'node'|false} [options.streaming=type of stream `message` was created from, if any] - Whether to return data as a stream. Defaults to the type of stream `message` was created from, if any.
33148 * @param {Signature} [options.signature] - Detached signature for verification
33149 * @param {Date} [options.date=current date] - Use the given date for verification instead of the current time
33150 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
33151 * @returns {Object} Object containing verified message in the form:
33152 *
33153 * {
33154 * data: String|ReadableStream<String>|NodeStream, (if `message` was a CleartextMessage)
33155 * data: Uint8Array|ReadableStream<Uint8Array>|NodeStream, (if `message` was a Message)
33156 * signatures: [
33157 * {
33158 * keyid: module:type/keyid~Keyid,
33159 * verified: Promise<Boolean>,
33160 * valid: Boolean (if `streaming` was false)
33161 * }, ...
33162 * ]
33163 * }
33164 * @async
33165 * @static
33166 */
33167 function verify$5({ message, publicKeys, format = 'utf8', streaming = message && message.fromStream, signature = null, date = new Date(), config }) {
33168 config = { ...defaultConfig, ...config };
33169 checkCleartextOrMessage(message);
33170 if (message instanceof CleartextMessage && format === 'binary') throw new Error("Can't return cleartext message data as binary");
33171 publicKeys = toArray$1(publicKeys);
33172
33173 return Promise.resolve().then(async function() {
33174 const result = {};
33175 if (message instanceof CleartextMessage) {
33176 result.signatures = signature ? await message.verifyDetached(signature, publicKeys, date, config) : await message.verify(publicKeys, date, config);
33177 } else {
33178 result.signatures = signature ? await message.verifyDetached(signature, publicKeys, date, streaming, config) : await message.verify(publicKeys, date, streaming, config);
33179 }
33180 result.data = format === 'binary' ? message.getLiteralData() : message.getText();
33181 if (streaming) linkStreams(result, message);
33182 result.data = await convertStream(result.data, streaming, format);
33183 if (!streaming) await prepareSignatures(result.signatures);
33184 return result;
33185 }).catch(onError.bind(null, 'Error verifying signed message'));
33186 }
33187
33188
33189 ///////////////////////////////////////////////
33190 // //
33191 // Session key encryption and decryption //
33192 // //
33193 ///////////////////////////////////////////////
33194
33195 /**
33196 * Generate a new session key object, taking the algorithm preferences of the passed public keys into account.
33197 * @param {Object} options
33198 * @param {Key|Array<Key>} options.publicKeys - Array of public keys or single key used to select algorithm preferences for
33199 * @param {Date} [options.date=current date] - Date to select algorithm preferences at
33200 * @param {Array} [options.toUserIds=primary user IDs] - User IDs to select algorithm preferences for
33201 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
33202 * @returns {{ data: Uint8Array, algorithm: String }} Object with session key data and algorithm.
33203 * @async
33204 * @static
33205 */
33206 function generateSessionKey$1({ publicKeys, date = new Date(), toUserIds = [], config }) {
33207 config = { ...defaultConfig, ...config };
33208 publicKeys = toArray$1(publicKeys); toUserIds = toArray$1(toUserIds);
33209
33210 return Promise.resolve().then(async function() {
33211
33212 return Message.generateSessionKey(publicKeys, date, toUserIds, config);
33213
33214 }).catch(onError.bind(null, 'Error generating session key'));
33215 }
33216
33217 /**
33218 * Encrypt a symmetric session key with public keys, passwords, or both at once. At least either public keys
33219 * or passwords must be specified.
33220 * @param {Object} options
33221 * @param {Uint8Array} options.data - The session key to be encrypted e.g. 16 random bytes (for aes128)
33222 * @param {String} options.algorithm - Algorithm of the symmetric session key e.g. 'aes128' or 'aes256'
33223 * @param {String} [options.aeadAlgorithm] - Aead algorithm, e.g. 'eax' or 'ocb'
33224 * @param {Key|Array<Key>} [options.publicKeys] - Array of public keys or single key, used to encrypt the key
33225 * @param {String|Array<String>} [options.passwords] - Passwords for the message
33226 * @param {Boolean} [options.armor=true] - Whether the return values should be ascii armored (true, the default) or binary (false)
33227 * @param {Boolean} [options.wildcard=false] - Use a key ID of 0 instead of the public key IDs
33228 * @param {Array<module:type/keyid~Keyid>} [options.encryptionKeyIds=latest-created valid encryption (sub)keys] - Array of key IDs to use for encryption. Each encryptionKeyIds[i] corresponds to publicKeys[i]
33229 * @param {Date} [options.date=current date] - Override the date
33230 * @param {Array} [options.toUserIds=primary user IDs] - Array of user IDs to encrypt for, one per key in `publicKeys`, e.g. `[{ name: 'Phil Zimmermann', email: 'phil@openpgp.org' }]`
33231 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
33232 * @returns {String|Uint8Array} Encrypted session keys (string if `armor` was true, the default; Uint8Array if `armor` was false).
33233 * @async
33234 * @static
33235 */
33236 function encryptSessionKey({ data, algorithm, aeadAlgorithm, publicKeys, passwords, armor = true, wildcard = false, encryptionKeyIds = [], date = new Date(), toUserIds = [], config }) {
33237 config = { ...defaultConfig, ...config };
33238 checkBinary(data); checkString(algorithm, 'algorithm'); publicKeys = toArray$1(publicKeys); passwords = toArray$1(passwords); toUserIds = toArray$1(toUserIds);
33239
33240 return Promise.resolve().then(async function() {
33241
33242 const message = await Message.encryptSessionKey(data, algorithm, aeadAlgorithm, publicKeys, passwords, wildcard, encryptionKeyIds, date, toUserIds, config);
33243 return armor ? message.armor(config) : message.write();
33244
33245 }).catch(onError.bind(null, 'Error encrypting session key'));
33246 }
33247
33248 /**
33249 * Decrypt symmetric session keys with a private key or password. Either a private key or
33250 * a password must be specified.
33251 * @param {Object} options
33252 * @param {Message} options.message - A message object containing the encrypted session key packets
33253 * @param {Key|Array<Key>} [options.privateKeys] - Private keys with decrypted secret key data
33254 * @param {String|Array<String>} [options.passwords] - Passwords to decrypt the session key
33255 * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}
33256 * @returns {Object|undefined} Array of decrypted session key, algorithm pairs in the form:
33257 * { data:Uint8Array, algorithm:String }
33258 * or 'undefined' if no key packets found
33259 * @async
33260 * @static
33261 */
33262 function decryptSessionKeys({ message, privateKeys, passwords, config }) {
33263 config = { ...defaultConfig, ...config };
33264 checkMessage(message); privateKeys = toArray$1(privateKeys); passwords = toArray$1(passwords);
33265
33266 return Promise.resolve().then(async function() {
33267
33268 return message.decryptSessionKeys(privateKeys, passwords, config);
33269
33270 }).catch(onError.bind(null, 'Error decrypting session keys'));
33271 }
33272
33273
33274 //////////////////////////
33275 // //
33276 // Helper functions //
33277 // //
33278 //////////////////////////
33279
33280
33281 /**
33282 * Input validation
33283 * @private
33284 */
33285 function checkString(data, name) {
33286 if (!util.isString(data)) {
33287 throw new Error('Parameter [' + (name || 'data') + '] must be of type String');
33288 }
33289 }
33290 function checkBinary(data, name) {
33291 if (!util.isUint8Array(data)) {
33292 throw new Error('Parameter [' + (name || 'data') + '] must be of type Uint8Array');
33293 }
33294 }
33295 function checkMessage(message) {
33296 if (!(message instanceof Message)) {
33297 throw new Error('Parameter [message] needs to be of type Message');
33298 }
33299 }
33300 function checkCleartextOrMessage(message) {
33301 if (!(message instanceof CleartextMessage) && !(message instanceof Message)) {
33302 throw new Error('Parameter [message] needs to be of type Message or CleartextMessage');
33303 }
33304 }
33305
33306 /**
33307 * Normalize parameter to an array if it is not undefined.
33308 * @param {Object} param - the parameter to be normalized
33309 * @returns {Array<Object>|undefined} The resulting array or undefined.
33310 * @private
33311 */
33312 function toArray$1(param) {
33313 if (param && !util.isArray(param)) {
33314 param = [param];
33315 }
33316 return param;
33317 }
33318
33319 /**
33320 * Convert data to or from Stream
33321 * @param {Object} data - the data to convert
33322 * @param {'web'|'ponyfill'|'node'|false} [options.streaming] - Whether to return a ReadableStream, and of what type
33323 * @param {'utf8'|'binary'} [options.encoding] - How to return data in Node Readable streams
33324 * @returns {Object} The data in the respective format.
33325 * @private
33326 */
33327 async function convertStream(data, streaming, encoding = 'utf8') {
33328 let streamType = util.isStream(data);
33329 if (!streaming && streamType) {
33330 return stream.readToEnd(data);
33331 }
33332 if (streaming && !streamType) {
33333 data = stream.toStream(data);
33334 streamType = util.isStream(data);
33335 }
33336 if (streaming === 'node') {
33337 data = stream.webToNode(data);
33338 if (encoding !== 'binary') data.setEncoding(encoding);
33339 return data;
33340 }
33341 if (streaming === 'web' && streamType === 'ponyfill' && toNativeReadable) {
33342 return toNativeReadable(data);
33343 }
33344 return data;
33345 }
33346
33347 /**
33348 * Link result.data to the message stream for cancellation.
33349 * Also, forward errors in the message to result.data.
33350 * @param {Object} result - the data to convert
33351 * @param {Message} message - message object
33352 * @returns {Object}
33353 * @private
33354 */
33355 function linkStreams(result, message) {
33356 result.data = stream.transformPair(message.packets.stream, async (readable, writable) => {
33357 await stream.pipe(result.data, writable, {
33358 preventClose: true
33359 });
33360 const writer = stream.getWriter(writable);
33361 try {
33362 // Forward errors in the message stream to result.data.
33363 await stream.readToEnd(readable, _ => _);
33364 await writer.close();
33365 } catch (e) {
33366 await writer.abort(e);
33367 }
33368 });
33369 }
33370
33371 /**
33372 * Wait until signature objects have been verified
33373 * @param {Object} signatures - list of signatures
33374 * @private
33375 */
33376 async function prepareSignatures(signatures) {
33377 await Promise.all(signatures.map(async signature => {
33378 signature.signature = await signature.signature;
33379 try {
33380 signature.valid = await signature.verified;
33381 } catch (e) {
33382 signature.valid = false;
33383 signature.error = e;
33384 util.printDebugError(e);
33385 }
33386 }));
33387 }
33388
33389
33390 /**
33391 * Global error handler that logs the stack trace and rethrows a high lvl error message.
33392 * @param {String} message - A human readable high level error Message
33393 * @param {Error} error - The internal error that caused the failure
33394 * @private
33395 */
33396 function onError(message, error) {
33397 // log the stack trace
33398 util.printDebugError(error);
33399
33400 // update error message
33401 try {
33402 error.message = message + ': ' + error.message;
33403 } catch (e) {}
33404
33405 throw error;
33406 }
33407
33408 var bn = createCommonjsModule(function (module) {
33409 (function (module, exports) {
33410
33411 // Utils
33412 function assert (val, msg) {
33413 if (!val) throw new Error(msg || 'Assertion failed');
33414 }
33415
33416 // Could use `inherits` module, but don't want to move from single file
33417 // architecture yet.
33418 function inherits (ctor, superCtor) {
33419 ctor.super_ = superCtor;
33420 var TempCtor = function () {};
33421 TempCtor.prototype = superCtor.prototype;
33422 ctor.prototype = new TempCtor();
33423 ctor.prototype.constructor = ctor;
33424 }
33425
33426 // BN
33427
33428 function BN (number, base, endian) {
33429 if (BN.isBN(number)) {
33430 return number;
33431 }
33432
33433 this.negative = 0;
33434 this.words = null;
33435 this.length = 0;
33436
33437 // Reduction context
33438 this.red = null;
33439
33440 if (number !== null) {
33441 if (base === 'le' || base === 'be') {
33442 endian = base;
33443 base = 10;
33444 }
33445
33446 this._init(number || 0, base || 10, endian || 'be');
33447 }
33448 }
33449 if (typeof module === 'object') {
33450 module.exports = BN;
33451 } else {
33452 exports.BN = BN;
33453 }
33454
33455 BN.BN = BN;
33456 BN.wordSize = 26;
33457
33458 var Buffer;
33459 try {
33460 Buffer = void('buffer').Buffer;
33461 } catch (e) {
33462 }
33463
33464 BN.isBN = function isBN (num) {
33465 if (num instanceof BN) {
33466 return true;
33467 }
33468
33469 return num !== null && typeof num === 'object' &&
33470 num.constructor.wordSize === BN.wordSize && Array.isArray(num.words);
33471 };
33472
33473 BN.max = function max (left, right) {
33474 if (left.cmp(right) > 0) return left;
33475 return right;
33476 };
33477
33478 BN.min = function min (left, right) {
33479 if (left.cmp(right) < 0) return left;
33480 return right;
33481 };
33482
33483 BN.prototype._init = function init (number, base, endian) {
33484 if (typeof number === 'number') {
33485 return this._initNumber(number, base, endian);
33486 }
33487
33488 if (typeof number === 'object') {
33489 return this._initArray(number, base, endian);
33490 }
33491
33492 if (base === 'hex') {
33493 base = 16;
33494 }
33495 assert(base === (base | 0) && base >= 2 && base <= 36);
33496
33497 number = number.toString().replace(/\s+/g, '');
33498 var start = 0;
33499 if (number[0] === '-') {
33500 start++;
33501 }
33502
33503 if (base === 16) {
33504 this._parseHex(number, start);
33505 } else {
33506 this._parseBase(number, base, start);
33507 }
33508
33509 if (number[0] === '-') {
33510 this.negative = 1;
33511 }
33512
33513 this.strip();
33514
33515 if (endian !== 'le') return;
33516
33517 this._initArray(this.toArray(), base, endian);
33518 };
33519
33520 BN.prototype._initNumber = function _initNumber (number, base, endian) {
33521 if (number < 0) {
33522 this.negative = 1;
33523 number = -number;
33524 }
33525 if (number < 0x4000000) {
33526 this.words = [ number & 0x3ffffff ];
33527 this.length = 1;
33528 } else if (number < 0x10000000000000) {
33529 this.words = [
33530 number & 0x3ffffff,
33531 (number / 0x4000000) & 0x3ffffff
33532 ];
33533 this.length = 2;
33534 } else {
33535 assert(number < 0x20000000000000); // 2 ^ 53 (unsafe)
33536 this.words = [
33537 number & 0x3ffffff,
33538 (number / 0x4000000) & 0x3ffffff,
33539 1
33540 ];
33541 this.length = 3;
33542 }
33543
33544 if (endian !== 'le') return;
33545
33546 // Reverse the bytes
33547 this._initArray(this.toArray(), base, endian);
33548 };
33549
33550 BN.prototype._initArray = function _initArray (number, base, endian) {
33551 // Perhaps a Uint8Array
33552 assert(typeof number.length === 'number');
33553 if (number.length <= 0) {
33554 this.words = [ 0 ];
33555 this.length = 1;
33556 return this;
33557 }
33558
33559 this.length = Math.ceil(number.length / 3);
33560 this.words = new Array(this.length);
33561 for (var i = 0; i < this.length; i++) {
33562 this.words[i] = 0;
33563 }
33564
33565 var j, w;
33566 var off = 0;
33567 if (endian === 'be') {
33568 for (i = number.length - 1, j = 0; i >= 0; i -= 3) {
33569 w = number[i] | (number[i - 1] << 8) | (number[i - 2] << 16);
33570 this.words[j] |= (w << off) & 0x3ffffff;
33571 this.words[j + 1] = (w >>> (26 - off)) & 0x3ffffff;
33572 off += 24;
33573 if (off >= 26) {
33574 off -= 26;
33575 j++;
33576 }
33577 }
33578 } else if (endian === 'le') {
33579 for (i = 0, j = 0; i < number.length; i += 3) {
33580 w = number[i] | (number[i + 1] << 8) | (number[i + 2] << 16);
33581 this.words[j] |= (w << off) & 0x3ffffff;
33582 this.words[j + 1] = (w >>> (26 - off)) & 0x3ffffff;
33583 off += 24;
33584 if (off >= 26) {
33585 off -= 26;
33586 j++;
33587 }
33588 }
33589 }
33590 return this.strip();
33591 };
33592
33593 function parseHex (str, start, end) {
33594 var r = 0;
33595 var len = Math.min(str.length, end);
33596 for (var i = start; i < len; i++) {
33597 var c = str.charCodeAt(i) - 48;
33598
33599 r <<= 4;
33600
33601 // 'a' - 'f'
33602 if (c >= 49 && c <= 54) {
33603 r |= c - 49 + 0xa;
33604
33605 // 'A' - 'F'
33606 } else if (c >= 17 && c <= 22) {
33607 r |= c - 17 + 0xa;
33608
33609 // '0' - '9'
33610 } else {
33611 r |= c & 0xf;
33612 }
33613 }
33614 return r;
33615 }
33616
33617 BN.prototype._parseHex = function _parseHex (number, start) {
33618 // Create possibly bigger array to ensure that it fits the number
33619 this.length = Math.ceil((number.length - start) / 6);
33620 this.words = new Array(this.length);
33621 for (var i = 0; i < this.length; i++) {
33622 this.words[i] = 0;
33623 }
33624
33625 var j, w;
33626 // Scan 24-bit chunks and add them to the number
33627 var off = 0;
33628 for (i = number.length - 6, j = 0; i >= start; i -= 6) {
33629 w = parseHex(number, i, i + 6);
33630 this.words[j] |= (w << off) & 0x3ffffff;
33631 // NOTE: `0x3fffff` is intentional here, 26bits max shift + 24bit hex limb
33632 this.words[j + 1] |= w >>> (26 - off) & 0x3fffff;
33633 off += 24;
33634 if (off >= 26) {
33635 off -= 26;
33636 j++;
33637 }
33638 }
33639 if (i + 6 !== start) {
33640 w = parseHex(number, start, i + 6);
33641 this.words[j] |= (w << off) & 0x3ffffff;
33642 this.words[j + 1] |= w >>> (26 - off) & 0x3fffff;
33643 }
33644 this.strip();
33645 };
33646
33647 function parseBase (str, start, end, mul) {
33648 var r = 0;
33649 var len = Math.min(str.length, end);
33650 for (var i = start; i < len; i++) {
33651 var c = str.charCodeAt(i) - 48;
33652
33653 r *= mul;
33654
33655 // 'a'
33656 if (c >= 49) {
33657 r += c - 49 + 0xa;
33658
33659 // 'A'
33660 } else if (c >= 17) {
33661 r += c - 17 + 0xa;
33662
33663 // '0' - '9'
33664 } else {
33665 r += c;
33666 }
33667 }
33668 return r;
33669 }
33670
33671 BN.prototype._parseBase = function _parseBase (number, base, start) {
33672 // Initialize as zero
33673 this.words = [ 0 ];
33674 this.length = 1;
33675
33676 // Find length of limb in base
33677 for (var limbLen = 0, limbPow = 1; limbPow <= 0x3ffffff; limbPow *= base) {
33678 limbLen++;
33679 }
33680 limbLen--;
33681 limbPow = (limbPow / base) | 0;
33682
33683 var total = number.length - start;
33684 var mod = total % limbLen;
33685 var end = Math.min(total, total - mod) + start;
33686
33687 var word = 0;
33688 for (var i = start; i < end; i += limbLen) {
33689 word = parseBase(number, i, i + limbLen, base);
33690
33691 this.imuln(limbPow);
33692 if (this.words[0] + word < 0x4000000) {
33693 this.words[0] += word;
33694 } else {
33695 this._iaddn(word);
33696 }
33697 }
33698
33699 if (mod !== 0) {
33700 var pow = 1;
33701 word = parseBase(number, i, number.length, base);
33702
33703 for (i = 0; i < mod; i++) {
33704 pow *= base;
33705 }
33706
33707 this.imuln(pow);
33708 if (this.words[0] + word < 0x4000000) {
33709 this.words[0] += word;
33710 } else {
33711 this._iaddn(word);
33712 }
33713 }
33714 };
33715
33716 BN.prototype.copy = function copy (dest) {
33717 dest.words = new Array(this.length);
33718 for (var i = 0; i < this.length; i++) {
33719 dest.words[i] = this.words[i];
33720 }
33721 dest.length = this.length;
33722 dest.negative = this.negative;
33723 dest.red = this.red;
33724 };
33725
33726 BN.prototype.clone = function clone () {
33727 var r = new BN(null);
33728 this.copy(r);
33729 return r;
33730 };
33731
33732 BN.prototype._expand = function _expand (size) {
33733 while (this.length < size) {
33734 this.words[this.length++] = 0;
33735 }
33736 return this;
33737 };
33738
33739 // Remove leading `0` from `this`
33740 BN.prototype.strip = function strip () {
33741 while (this.length > 1 && this.words[this.length - 1] === 0) {
33742 this.length--;
33743 }
33744 return this._normSign();
33745 };
33746
33747 BN.prototype._normSign = function _normSign () {
33748 // -0 = 0
33749 if (this.length === 1 && this.words[0] === 0) {
33750 this.negative = 0;
33751 }
33752 return this;
33753 };
33754
33755 BN.prototype.inspect = function inspect () {
33756 return (this.red ? '<BN-R: ' : '<BN: ') + this.toString(16) + '>';
33757 };
33758
33759 /*
33760
33761 var zeros = [];
33762 var groupSizes = [];
33763 var groupBases = [];
33764
33765 var s = '';
33766 var i = -1;
33767 while (++i < BN.wordSize) {
33768 zeros[i] = s;
33769 s += '0';
33770 }
33771 groupSizes[0] = 0;
33772 groupSizes[1] = 0;
33773 groupBases[0] = 0;
33774 groupBases[1] = 0;
33775 var base = 2 - 1;
33776 while (++base < 36 + 1) {
33777 var groupSize = 0;
33778 var groupBase = 1;
33779 while (groupBase < (1 << BN.wordSize) / base) {
33780 groupBase *= base;
33781 groupSize += 1;
33782 }
33783 groupSizes[base] = groupSize;
33784 groupBases[base] = groupBase;
33785 }
33786
33787 */
33788
33789 var zeros = [
33790 '',
33791 '0',
33792 '00',
33793 '000',
33794 '0000',
33795 '00000',
33796 '000000',
33797 '0000000',
33798 '00000000',
33799 '000000000',
33800 '0000000000',
33801 '00000000000',
33802 '000000000000',
33803 '0000000000000',
33804 '00000000000000',
33805 '000000000000000',
33806 '0000000000000000',
33807 '00000000000000000',
33808 '000000000000000000',
33809 '0000000000000000000',
33810 '00000000000000000000',
33811 '000000000000000000000',
33812 '0000000000000000000000',
33813 '00000000000000000000000',
33814 '000000000000000000000000',
33815 '0000000000000000000000000'
33816 ];
33817
33818 var groupSizes = [
33819 0, 0,
33820 25, 16, 12, 11, 10, 9, 8,
33821 8, 7, 7, 7, 7, 6, 6,
33822 6, 6, 6, 6, 6, 5, 5,
33823 5, 5, 5, 5, 5, 5, 5,
33824 5, 5, 5, 5, 5, 5, 5
33825 ];
33826
33827 var groupBases = [
33828 0, 0,
33829 33554432, 43046721, 16777216, 48828125, 60466176, 40353607, 16777216,
33830 43046721, 10000000, 19487171, 35831808, 62748517, 7529536, 11390625,
33831 16777216, 24137569, 34012224, 47045881, 64000000, 4084101, 5153632,
33832 6436343, 7962624, 9765625, 11881376, 14348907, 17210368, 20511149,
33833 24300000, 28629151, 33554432, 39135393, 45435424, 52521875, 60466176
33834 ];
33835
33836 BN.prototype.toString = function toString (base, padding) {
33837 base = base || 10;
33838 padding = padding | 0 || 1;
33839
33840 var out;
33841 if (base === 16 || base === 'hex') {
33842 out = '';
33843 var off = 0;
33844 var carry = 0;
33845 for (var i = 0; i < this.length; i++) {
33846 var w = this.words[i];
33847 var word = (((w << off) | carry) & 0xffffff).toString(16);
33848 carry = (w >>> (24 - off)) & 0xffffff;
33849 if (carry !== 0 || i !== this.length - 1) {
33850 out = zeros[6 - word.length] + word + out;
33851 } else {
33852 out = word + out;
33853 }
33854 off += 2;
33855 if (off >= 26) {
33856 off -= 26;
33857 i--;
33858 }
33859 }
33860 if (carry !== 0) {
33861 out = carry.toString(16) + out;
33862 }
33863 while (out.length % padding !== 0) {
33864 out = '0' + out;
33865 }
33866 if (this.negative !== 0) {
33867 out = '-' + out;
33868 }
33869 return out;
33870 }
33871
33872 if (base === (base | 0) && base >= 2 && base <= 36) {
33873 // var groupSize = Math.floor(BN.wordSize * Math.LN2 / Math.log(base));
33874 var groupSize = groupSizes[base];
33875 // var groupBase = Math.pow(base, groupSize);
33876 var groupBase = groupBases[base];
33877 out = '';
33878 var c = this.clone();
33879 c.negative = 0;
33880 while (!c.isZero()) {
33881 var r = c.modn(groupBase).toString(base);
33882 c = c.idivn(groupBase);
33883
33884 if (!c.isZero()) {
33885 out = zeros[groupSize - r.length] + r + out;
33886 } else {
33887 out = r + out;
33888 }
33889 }
33890 if (this.isZero()) {
33891 out = '0' + out;
33892 }
33893 while (out.length % padding !== 0) {
33894 out = '0' + out;
33895 }
33896 if (this.negative !== 0) {
33897 out = '-' + out;
33898 }
33899 return out;
33900 }
33901
33902 assert(false, 'Base should be between 2 and 36');
33903 };
33904
33905 BN.prototype.toNumber = function toNumber () {
33906 var ret = this.words[0];
33907 if (this.length === 2) {
33908 ret += this.words[1] * 0x4000000;
33909 } else if (this.length === 3 && this.words[2] === 0x01) {
33910 // NOTE: at this stage it is known that the top bit is set
33911 ret += 0x10000000000000 + (this.words[1] * 0x4000000);
33912 } else if (this.length > 2) {
33913 assert(false, 'Number can only safely store up to 53 bits');
33914 }
33915 return (this.negative !== 0) ? -ret : ret;
33916 };
33917
33918 BN.prototype.toJSON = function toJSON () {
33919 return this.toString(16);
33920 };
33921
33922 BN.prototype.toBuffer = function toBuffer (endian, length) {
33923 assert(typeof Buffer !== 'undefined');
33924 return this.toArrayLike(Buffer, endian, length);
33925 };
33926
33927 BN.prototype.toArray = function toArray (endian, length) {
33928 return this.toArrayLike(Array, endian, length);
33929 };
33930
33931 BN.prototype.toArrayLike = function toArrayLike (ArrayType, endian, length) {
33932 var byteLength = this.byteLength();
33933 var reqLength = length || Math.max(1, byteLength);
33934 assert(byteLength <= reqLength, 'byte array longer than desired length');
33935 assert(reqLength > 0, 'Requested array length <= 0');
33936
33937 this.strip();
33938 var littleEndian = endian === 'le';
33939 var res = new ArrayType(reqLength);
33940
33941 var b, i;
33942 var q = this.clone();
33943 if (!littleEndian) {
33944 // Assume big-endian
33945 for (i = 0; i < reqLength - byteLength; i++) {
33946 res[i] = 0;
33947 }
33948
33949 for (i = 0; !q.isZero(); i++) {
33950 b = q.andln(0xff);
33951 q.iushrn(8);
33952
33953 res[reqLength - i - 1] = b;
33954 }
33955 } else {
33956 for (i = 0; !q.isZero(); i++) {
33957 b = q.andln(0xff);
33958 q.iushrn(8);
33959
33960 res[i] = b;
33961 }
33962
33963 for (; i < reqLength; i++) {
33964 res[i] = 0;
33965 }
33966 }
33967
33968 return res;
33969 };
33970
33971 if (Math.clz32) {
33972 BN.prototype._countBits = function _countBits (w) {
33973 return 32 - Math.clz32(w);
33974 };
33975 } else {
33976 BN.prototype._countBits = function _countBits (w) {
33977 var t = w;
33978 var r = 0;
33979 if (t >= 0x1000) {
33980 r += 13;
33981 t >>>= 13;
33982 }
33983 if (t >= 0x40) {
33984 r += 7;
33985 t >>>= 7;
33986 }
33987 if (t >= 0x8) {
33988 r += 4;
33989 t >>>= 4;
33990 }
33991 if (t >= 0x02) {
33992 r += 2;
33993 t >>>= 2;
33994 }
33995 return r + t;
33996 };
33997 }
33998
33999 BN.prototype._zeroBits = function _zeroBits (w) {
34000 // Short-cut
34001 if (w === 0) return 26;
34002
34003 var t = w;
34004 var r = 0;
34005 if ((t & 0x1fff) === 0) {
34006 r += 13;
34007 t >>>= 13;
34008 }
34009 if ((t & 0x7f) === 0) {
34010 r += 7;
34011 t >>>= 7;
34012 }
34013 if ((t & 0xf) === 0) {
34014 r += 4;
34015 t >>>= 4;
34016 }
34017 if ((t & 0x3) === 0) {
34018 r += 2;
34019 t >>>= 2;
34020 }
34021 if ((t & 0x1) === 0) {
34022 r++;
34023 }
34024 return r;
34025 };
34026
34027 // Return number of used bits in a BN
34028 BN.prototype.bitLength = function bitLength () {
34029 var w = this.words[this.length - 1];
34030 var hi = this._countBits(w);
34031 return (this.length - 1) * 26 + hi;
34032 };
34033
34034 function toBitArray (num) {
34035 var w = new Array(num.bitLength());
34036
34037 for (var bit = 0; bit < w.length; bit++) {
34038 var off = (bit / 26) | 0;
34039 var wbit = bit % 26;
34040
34041 w[bit] = (num.words[off] & (1 << wbit)) >>> wbit;
34042 }
34043
34044 return w;
34045 }
34046
34047 // Number of trailing zero bits
34048 BN.prototype.zeroBits = function zeroBits () {
34049 if (this.isZero()) return 0;
34050
34051 var r = 0;
34052 for (var i = 0; i < this.length; i++) {
34053 var b = this._zeroBits(this.words[i]);
34054 r += b;
34055 if (b !== 26) break;
34056 }
34057 return r;
34058 };
34059
34060 BN.prototype.byteLength = function byteLength () {
34061 return Math.ceil(this.bitLength() / 8);
34062 };
34063
34064 BN.prototype.toTwos = function toTwos (width) {
34065 if (this.negative !== 0) {
34066 return this.abs().inotn(width).iaddn(1);
34067 }
34068 return this.clone();
34069 };
34070
34071 BN.prototype.fromTwos = function fromTwos (width) {
34072 if (this.testn(width - 1)) {
34073 return this.notn(width).iaddn(1).ineg();
34074 }
34075 return this.clone();
34076 };
34077
34078 BN.prototype.isNeg = function isNeg () {
34079 return this.negative !== 0;
34080 };
34081
34082 // Return negative clone of `this`
34083 BN.prototype.neg = function neg () {
34084 return this.clone().ineg();
34085 };
34086
34087 BN.prototype.ineg = function ineg () {
34088 if (!this.isZero()) {
34089 this.negative ^= 1;
34090 }
34091
34092 return this;
34093 };
34094
34095 // Or `num` with `this` in-place
34096 BN.prototype.iuor = function iuor (num) {
34097 while (this.length < num.length) {
34098 this.words[this.length++] = 0;
34099 }
34100
34101 for (var i = 0; i < num.length; i++) {
34102 this.words[i] = this.words[i] | num.words[i];
34103 }
34104
34105 return this.strip();
34106 };
34107
34108 BN.prototype.ior = function ior (num) {
34109 assert((this.negative | num.negative) === 0);
34110 return this.iuor(num);
34111 };
34112
34113 // Or `num` with `this`
34114 BN.prototype.or = function or (num) {
34115 if (this.length > num.length) return this.clone().ior(num);
34116 return num.clone().ior(this);
34117 };
34118
34119 BN.prototype.uor = function uor (num) {
34120 if (this.length > num.length) return this.clone().iuor(num);
34121 return num.clone().iuor(this);
34122 };
34123
34124 // And `num` with `this` in-place
34125 BN.prototype.iuand = function iuand (num) {
34126 // b = min-length(num, this)
34127 var b;
34128 if (this.length > num.length) {
34129 b = num;
34130 } else {
34131 b = this;
34132 }
34133
34134 for (var i = 0; i < b.length; i++) {
34135 this.words[i] = this.words[i] & num.words[i];
34136 }
34137
34138 this.length = b.length;
34139
34140 return this.strip();
34141 };
34142
34143 BN.prototype.iand = function iand (num) {
34144 assert((this.negative | num.negative) === 0);
34145 return this.iuand(num);
34146 };
34147
34148 // And `num` with `this`
34149 BN.prototype.and = function and (num) {
34150 if (this.length > num.length) return this.clone().iand(num);
34151 return num.clone().iand(this);
34152 };
34153
34154 BN.prototype.uand = function uand (num) {
34155 if (this.length > num.length) return this.clone().iuand(num);
34156 return num.clone().iuand(this);
34157 };
34158
34159 // Xor `num` with `this` in-place
34160 BN.prototype.iuxor = function iuxor (num) {
34161 // a.length > b.length
34162 var a;
34163 var b;
34164 if (this.length > num.length) {
34165 a = this;
34166 b = num;
34167 } else {
34168 a = num;
34169 b = this;
34170 }
34171
34172 for (var i = 0; i < b.length; i++) {
34173 this.words[i] = a.words[i] ^ b.words[i];
34174 }
34175
34176 if (this !== a) {
34177 for (; i < a.length; i++) {
34178 this.words[i] = a.words[i];
34179 }
34180 }
34181
34182 this.length = a.length;
34183
34184 return this.strip();
34185 };
34186
34187 BN.prototype.ixor = function ixor (num) {
34188 assert((this.negative | num.negative) === 0);
34189 return this.iuxor(num);
34190 };
34191
34192 // Xor `num` with `this`
34193 BN.prototype.xor = function xor (num) {
34194 if (this.length > num.length) return this.clone().ixor(num);
34195 return num.clone().ixor(this);
34196 };
34197
34198 BN.prototype.uxor = function uxor (num) {
34199 if (this.length > num.length) return this.clone().iuxor(num);
34200 return num.clone().iuxor(this);
34201 };
34202
34203 // Not ``this`` with ``width`` bitwidth
34204 BN.prototype.inotn = function inotn (width) {
34205 assert(typeof width === 'number' && width >= 0);
34206
34207 var bytesNeeded = Math.ceil(width / 26) | 0;
34208 var bitsLeft = width % 26;
34209
34210 // Extend the buffer with leading zeroes
34211 this._expand(bytesNeeded);
34212
34213 if (bitsLeft > 0) {
34214 bytesNeeded--;
34215 }
34216
34217 // Handle complete words
34218 for (var i = 0; i < bytesNeeded; i++) {
34219 this.words[i] = ~this.words[i] & 0x3ffffff;
34220 }
34221
34222 // Handle the residue
34223 if (bitsLeft > 0) {
34224 this.words[i] = ~this.words[i] & (0x3ffffff >> (26 - bitsLeft));
34225 }
34226
34227 // And remove leading zeroes
34228 return this.strip();
34229 };
34230
34231 BN.prototype.notn = function notn (width) {
34232 return this.clone().inotn(width);
34233 };
34234
34235 // Set `bit` of `this`
34236 BN.prototype.setn = function setn (bit, val) {
34237 assert(typeof bit === 'number' && bit >= 0);
34238
34239 var off = (bit / 26) | 0;
34240 var wbit = bit % 26;
34241
34242 this._expand(off + 1);
34243
34244 if (val) {
34245 this.words[off] = this.words[off] | (1 << wbit);
34246 } else {
34247 this.words[off] = this.words[off] & ~(1 << wbit);
34248 }
34249
34250 return this.strip();
34251 };
34252
34253 // Add `num` to `this` in-place
34254 BN.prototype.iadd = function iadd (num) {
34255 var r;
34256
34257 // negative + positive
34258 if (this.negative !== 0 && num.negative === 0) {
34259 this.negative = 0;
34260 r = this.isub(num);
34261 this.negative ^= 1;
34262 return this._normSign();
34263
34264 // positive + negative
34265 } else if (this.negative === 0 && num.negative !== 0) {
34266 num.negative = 0;
34267 r = this.isub(num);
34268 num.negative = 1;
34269 return r._normSign();
34270 }
34271
34272 // a.length > b.length
34273 var a, b;
34274 if (this.length > num.length) {
34275 a = this;
34276 b = num;
34277 } else {
34278 a = num;
34279 b = this;
34280 }
34281
34282 var carry = 0;
34283 for (var i = 0; i < b.length; i++) {
34284 r = (a.words[i] | 0) + (b.words[i] | 0) + carry;
34285 this.words[i] = r & 0x3ffffff;
34286 carry = r >>> 26;
34287 }
34288 for (; carry !== 0 && i < a.length; i++) {
34289 r = (a.words[i] | 0) + carry;
34290 this.words[i] = r & 0x3ffffff;
34291 carry = r >>> 26;
34292 }
34293
34294 this.length = a.length;
34295 if (carry !== 0) {
34296 this.words[this.length] = carry;
34297 this.length++;
34298 // Copy the rest of the words
34299 } else if (a !== this) {
34300 for (; i < a.length; i++) {
34301 this.words[i] = a.words[i];
34302 }
34303 }
34304
34305 return this;
34306 };
34307
34308 // Add `num` to `this`
34309 BN.prototype.add = function add (num) {
34310 var res;
34311 if (num.negative !== 0 && this.negative === 0) {
34312 num.negative = 0;
34313 res = this.sub(num);
34314 num.negative ^= 1;
34315 return res;
34316 } else if (num.negative === 0 && this.negative !== 0) {
34317 this.negative = 0;
34318 res = num.sub(this);
34319 this.negative = 1;
34320 return res;
34321 }
34322
34323 if (this.length > num.length) return this.clone().iadd(num);
34324
34325 return num.clone().iadd(this);
34326 };
34327
34328 // Subtract `num` from `this` in-place
34329 BN.prototype.isub = function isub (num) {
34330 // this - (-num) = this + num
34331 if (num.negative !== 0) {
34332 num.negative = 0;
34333 var r = this.iadd(num);
34334 num.negative = 1;
34335 return r._normSign();
34336
34337 // -this - num = -(this + num)
34338 } else if (this.negative !== 0) {
34339 this.negative = 0;
34340 this.iadd(num);
34341 this.negative = 1;
34342 return this._normSign();
34343 }
34344
34345 // At this point both numbers are positive
34346 var cmp = this.cmp(num);
34347
34348 // Optimization - zeroify
34349 if (cmp === 0) {
34350 this.negative = 0;
34351 this.length = 1;
34352 this.words[0] = 0;
34353 return this;
34354 }
34355
34356 // a > b
34357 var a, b;
34358 if (cmp > 0) {
34359 a = this;
34360 b = num;
34361 } else {
34362 a = num;
34363 b = this;
34364 }
34365
34366 var carry = 0;
34367 for (var i = 0; i < b.length; i++) {
34368 r = (a.words[i] | 0) - (b.words[i] | 0) + carry;
34369 carry = r >> 26;
34370 this.words[i] = r & 0x3ffffff;
34371 }
34372 for (; carry !== 0 && i < a.length; i++) {
34373 r = (a.words[i] | 0) + carry;
34374 carry = r >> 26;
34375 this.words[i] = r & 0x3ffffff;
34376 }
34377
34378 // Copy rest of the words
34379 if (carry === 0 && i < a.length && a !== this) {
34380 for (; i < a.length; i++) {
34381 this.words[i] = a.words[i];
34382 }
34383 }
34384
34385 this.length = Math.max(this.length, i);
34386
34387 if (a !== this) {
34388 this.negative = 1;
34389 }
34390
34391 return this.strip();
34392 };
34393
34394 // Subtract `num` from `this`
34395 BN.prototype.sub = function sub (num) {
34396 return this.clone().isub(num);
34397 };
34398
34399 function smallMulTo (self, num, out) {
34400 out.negative = num.negative ^ self.negative;
34401 var len = (self.length + num.length) | 0;
34402 out.length = len;
34403 len = (len - 1) | 0;
34404
34405 // Peel one iteration (compiler can't do it, because of code complexity)
34406 var a = self.words[0] | 0;
34407 var b = num.words[0] | 0;
34408 var r = a * b;
34409
34410 var lo = r & 0x3ffffff;
34411 var carry = (r / 0x4000000) | 0;
34412 out.words[0] = lo;
34413
34414 for (var k = 1; k < len; k++) {
34415 // Sum all words with the same `i + j = k` and accumulate `ncarry`,
34416 // note that ncarry could be >= 0x3ffffff
34417 var ncarry = carry >>> 26;
34418 var rword = carry & 0x3ffffff;
34419 var maxJ = Math.min(k, num.length - 1);
34420 for (var j = Math.max(0, k - self.length + 1); j <= maxJ; j++) {
34421 var i = (k - j) | 0;
34422 a = self.words[i] | 0;
34423 b = num.words[j] | 0;
34424 r = a * b + rword;
34425 ncarry += (r / 0x4000000) | 0;
34426 rword = r & 0x3ffffff;
34427 }
34428 out.words[k] = rword | 0;
34429 carry = ncarry | 0;
34430 }
34431 if (carry !== 0) {
34432 out.words[k] = carry | 0;
34433 } else {
34434 out.length--;
34435 }
34436
34437 return out.strip();
34438 }
34439
34440 // TODO(indutny): it may be reasonable to omit it for users who don't need
34441 // to work with 256-bit numbers, otherwise it gives 20% improvement for 256-bit
34442 // multiplication (like elliptic secp256k1).
34443 var comb10MulTo = function comb10MulTo (self, num, out) {
34444 var a = self.words;
34445 var b = num.words;
34446 var o = out.words;
34447 var c = 0;
34448 var lo;
34449 var mid;
34450 var hi;
34451 var a0 = a[0] | 0;
34452 var al0 = a0 & 0x1fff;
34453 var ah0 = a0 >>> 13;
34454 var a1 = a[1] | 0;
34455 var al1 = a1 & 0x1fff;
34456 var ah1 = a1 >>> 13;
34457 var a2 = a[2] | 0;
34458 var al2 = a2 & 0x1fff;
34459 var ah2 = a2 >>> 13;
34460 var a3 = a[3] | 0;
34461 var al3 = a3 & 0x1fff;
34462 var ah3 = a3 >>> 13;
34463 var a4 = a[4] | 0;
34464 var al4 = a4 & 0x1fff;
34465 var ah4 = a4 >>> 13;
34466 var a5 = a[5] | 0;
34467 var al5 = a5 & 0x1fff;
34468 var ah5 = a5 >>> 13;
34469 var a6 = a[6] | 0;
34470 var al6 = a6 & 0x1fff;
34471 var ah6 = a6 >>> 13;
34472 var a7 = a[7] | 0;
34473 var al7 = a7 & 0x1fff;
34474 var ah7 = a7 >>> 13;
34475 var a8 = a[8] | 0;
34476 var al8 = a8 & 0x1fff;
34477 var ah8 = a8 >>> 13;
34478 var a9 = a[9] | 0;
34479 var al9 = a9 & 0x1fff;
34480 var ah9 = a9 >>> 13;
34481 var b0 = b[0] | 0;
34482 var bl0 = b0 & 0x1fff;
34483 var bh0 = b0 >>> 13;
34484 var b1 = b[1] | 0;
34485 var bl1 = b1 & 0x1fff;
34486 var bh1 = b1 >>> 13;
34487 var b2 = b[2] | 0;
34488 var bl2 = b2 & 0x1fff;
34489 var bh2 = b2 >>> 13;
34490 var b3 = b[3] | 0;
34491 var bl3 = b3 & 0x1fff;
34492 var bh3 = b3 >>> 13;
34493 var b4 = b[4] | 0;
34494 var bl4 = b4 & 0x1fff;
34495 var bh4 = b4 >>> 13;
34496 var b5 = b[5] | 0;
34497 var bl5 = b5 & 0x1fff;
34498 var bh5 = b5 >>> 13;
34499 var b6 = b[6] | 0;
34500 var bl6 = b6 & 0x1fff;
34501 var bh6 = b6 >>> 13;
34502 var b7 = b[7] | 0;
34503 var bl7 = b7 & 0x1fff;
34504 var bh7 = b7 >>> 13;
34505 var b8 = b[8] | 0;
34506 var bl8 = b8 & 0x1fff;
34507 var bh8 = b8 >>> 13;
34508 var b9 = b[9] | 0;
34509 var bl9 = b9 & 0x1fff;
34510 var bh9 = b9 >>> 13;
34511
34512 out.negative = self.negative ^ num.negative;
34513 out.length = 19;
34514 /* k = 0 */
34515 lo = Math.imul(al0, bl0);
34516 mid = Math.imul(al0, bh0);
34517 mid = (mid + Math.imul(ah0, bl0)) | 0;
34518 hi = Math.imul(ah0, bh0);
34519 var w0 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34520 c = (((hi + (mid >>> 13)) | 0) + (w0 >>> 26)) | 0;
34521 w0 &= 0x3ffffff;
34522 /* k = 1 */
34523 lo = Math.imul(al1, bl0);
34524 mid = Math.imul(al1, bh0);
34525 mid = (mid + Math.imul(ah1, bl0)) | 0;
34526 hi = Math.imul(ah1, bh0);
34527 lo = (lo + Math.imul(al0, bl1)) | 0;
34528 mid = (mid + Math.imul(al0, bh1)) | 0;
34529 mid = (mid + Math.imul(ah0, bl1)) | 0;
34530 hi = (hi + Math.imul(ah0, bh1)) | 0;
34531 var w1 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34532 c = (((hi + (mid >>> 13)) | 0) + (w1 >>> 26)) | 0;
34533 w1 &= 0x3ffffff;
34534 /* k = 2 */
34535 lo = Math.imul(al2, bl0);
34536 mid = Math.imul(al2, bh0);
34537 mid = (mid + Math.imul(ah2, bl0)) | 0;
34538 hi = Math.imul(ah2, bh0);
34539 lo = (lo + Math.imul(al1, bl1)) | 0;
34540 mid = (mid + Math.imul(al1, bh1)) | 0;
34541 mid = (mid + Math.imul(ah1, bl1)) | 0;
34542 hi = (hi + Math.imul(ah1, bh1)) | 0;
34543 lo = (lo + Math.imul(al0, bl2)) | 0;
34544 mid = (mid + Math.imul(al0, bh2)) | 0;
34545 mid = (mid + Math.imul(ah0, bl2)) | 0;
34546 hi = (hi + Math.imul(ah0, bh2)) | 0;
34547 var w2 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34548 c = (((hi + (mid >>> 13)) | 0) + (w2 >>> 26)) | 0;
34549 w2 &= 0x3ffffff;
34550 /* k = 3 */
34551 lo = Math.imul(al3, bl0);
34552 mid = Math.imul(al3, bh0);
34553 mid = (mid + Math.imul(ah3, bl0)) | 0;
34554 hi = Math.imul(ah3, bh0);
34555 lo = (lo + Math.imul(al2, bl1)) | 0;
34556 mid = (mid + Math.imul(al2, bh1)) | 0;
34557 mid = (mid + Math.imul(ah2, bl1)) | 0;
34558 hi = (hi + Math.imul(ah2, bh1)) | 0;
34559 lo = (lo + Math.imul(al1, bl2)) | 0;
34560 mid = (mid + Math.imul(al1, bh2)) | 0;
34561 mid = (mid + Math.imul(ah1, bl2)) | 0;
34562 hi = (hi + Math.imul(ah1, bh2)) | 0;
34563 lo = (lo + Math.imul(al0, bl3)) | 0;
34564 mid = (mid + Math.imul(al0, bh3)) | 0;
34565 mid = (mid + Math.imul(ah0, bl3)) | 0;
34566 hi = (hi + Math.imul(ah0, bh3)) | 0;
34567 var w3 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34568 c = (((hi + (mid >>> 13)) | 0) + (w3 >>> 26)) | 0;
34569 w3 &= 0x3ffffff;
34570 /* k = 4 */
34571 lo = Math.imul(al4, bl0);
34572 mid = Math.imul(al4, bh0);
34573 mid = (mid + Math.imul(ah4, bl0)) | 0;
34574 hi = Math.imul(ah4, bh0);
34575 lo = (lo + Math.imul(al3, bl1)) | 0;
34576 mid = (mid + Math.imul(al3, bh1)) | 0;
34577 mid = (mid + Math.imul(ah3, bl1)) | 0;
34578 hi = (hi + Math.imul(ah3, bh1)) | 0;
34579 lo = (lo + Math.imul(al2, bl2)) | 0;
34580 mid = (mid + Math.imul(al2, bh2)) | 0;
34581 mid = (mid + Math.imul(ah2, bl2)) | 0;
34582 hi = (hi + Math.imul(ah2, bh2)) | 0;
34583 lo = (lo + Math.imul(al1, bl3)) | 0;
34584 mid = (mid + Math.imul(al1, bh3)) | 0;
34585 mid = (mid + Math.imul(ah1, bl3)) | 0;
34586 hi = (hi + Math.imul(ah1, bh3)) | 0;
34587 lo = (lo + Math.imul(al0, bl4)) | 0;
34588 mid = (mid + Math.imul(al0, bh4)) | 0;
34589 mid = (mid + Math.imul(ah0, bl4)) | 0;
34590 hi = (hi + Math.imul(ah0, bh4)) | 0;
34591 var w4 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34592 c = (((hi + (mid >>> 13)) | 0) + (w4 >>> 26)) | 0;
34593 w4 &= 0x3ffffff;
34594 /* k = 5 */
34595 lo = Math.imul(al5, bl0);
34596 mid = Math.imul(al5, bh0);
34597 mid = (mid + Math.imul(ah5, bl0)) | 0;
34598 hi = Math.imul(ah5, bh0);
34599 lo = (lo + Math.imul(al4, bl1)) | 0;
34600 mid = (mid + Math.imul(al4, bh1)) | 0;
34601 mid = (mid + Math.imul(ah4, bl1)) | 0;
34602 hi = (hi + Math.imul(ah4, bh1)) | 0;
34603 lo = (lo + Math.imul(al3, bl2)) | 0;
34604 mid = (mid + Math.imul(al3, bh2)) | 0;
34605 mid = (mid + Math.imul(ah3, bl2)) | 0;
34606 hi = (hi + Math.imul(ah3, bh2)) | 0;
34607 lo = (lo + Math.imul(al2, bl3)) | 0;
34608 mid = (mid + Math.imul(al2, bh3)) | 0;
34609 mid = (mid + Math.imul(ah2, bl3)) | 0;
34610 hi = (hi + Math.imul(ah2, bh3)) | 0;
34611 lo = (lo + Math.imul(al1, bl4)) | 0;
34612 mid = (mid + Math.imul(al1, bh4)) | 0;
34613 mid = (mid + Math.imul(ah1, bl4)) | 0;
34614 hi = (hi + Math.imul(ah1, bh4)) | 0;
34615 lo = (lo + Math.imul(al0, bl5)) | 0;
34616 mid = (mid + Math.imul(al0, bh5)) | 0;
34617 mid = (mid + Math.imul(ah0, bl5)) | 0;
34618 hi = (hi + Math.imul(ah0, bh5)) | 0;
34619 var w5 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34620 c = (((hi + (mid >>> 13)) | 0) + (w5 >>> 26)) | 0;
34621 w5 &= 0x3ffffff;
34622 /* k = 6 */
34623 lo = Math.imul(al6, bl0);
34624 mid = Math.imul(al6, bh0);
34625 mid = (mid + Math.imul(ah6, bl0)) | 0;
34626 hi = Math.imul(ah6, bh0);
34627 lo = (lo + Math.imul(al5, bl1)) | 0;
34628 mid = (mid + Math.imul(al5, bh1)) | 0;
34629 mid = (mid + Math.imul(ah5, bl1)) | 0;
34630 hi = (hi + Math.imul(ah5, bh1)) | 0;
34631 lo = (lo + Math.imul(al4, bl2)) | 0;
34632 mid = (mid + Math.imul(al4, bh2)) | 0;
34633 mid = (mid + Math.imul(ah4, bl2)) | 0;
34634 hi = (hi + Math.imul(ah4, bh2)) | 0;
34635 lo = (lo + Math.imul(al3, bl3)) | 0;
34636 mid = (mid + Math.imul(al3, bh3)) | 0;
34637 mid = (mid + Math.imul(ah3, bl3)) | 0;
34638 hi = (hi + Math.imul(ah3, bh3)) | 0;
34639 lo = (lo + Math.imul(al2, bl4)) | 0;
34640 mid = (mid + Math.imul(al2, bh4)) | 0;
34641 mid = (mid + Math.imul(ah2, bl4)) | 0;
34642 hi = (hi + Math.imul(ah2, bh4)) | 0;
34643 lo = (lo + Math.imul(al1, bl5)) | 0;
34644 mid = (mid + Math.imul(al1, bh5)) | 0;
34645 mid = (mid + Math.imul(ah1, bl5)) | 0;
34646 hi = (hi + Math.imul(ah1, bh5)) | 0;
34647 lo = (lo + Math.imul(al0, bl6)) | 0;
34648 mid = (mid + Math.imul(al0, bh6)) | 0;
34649 mid = (mid + Math.imul(ah0, bl6)) | 0;
34650 hi = (hi + Math.imul(ah0, bh6)) | 0;
34651 var w6 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34652 c = (((hi + (mid >>> 13)) | 0) + (w6 >>> 26)) | 0;
34653 w6 &= 0x3ffffff;
34654 /* k = 7 */
34655 lo = Math.imul(al7, bl0);
34656 mid = Math.imul(al7, bh0);
34657 mid = (mid + Math.imul(ah7, bl0)) | 0;
34658 hi = Math.imul(ah7, bh0);
34659 lo = (lo + Math.imul(al6, bl1)) | 0;
34660 mid = (mid + Math.imul(al6, bh1)) | 0;
34661 mid = (mid + Math.imul(ah6, bl1)) | 0;
34662 hi = (hi + Math.imul(ah6, bh1)) | 0;
34663 lo = (lo + Math.imul(al5, bl2)) | 0;
34664 mid = (mid + Math.imul(al5, bh2)) | 0;
34665 mid = (mid + Math.imul(ah5, bl2)) | 0;
34666 hi = (hi + Math.imul(ah5, bh2)) | 0;
34667 lo = (lo + Math.imul(al4, bl3)) | 0;
34668 mid = (mid + Math.imul(al4, bh3)) | 0;
34669 mid = (mid + Math.imul(ah4, bl3)) | 0;
34670 hi = (hi + Math.imul(ah4, bh3)) | 0;
34671 lo = (lo + Math.imul(al3, bl4)) | 0;
34672 mid = (mid + Math.imul(al3, bh4)) | 0;
34673 mid = (mid + Math.imul(ah3, bl4)) | 0;
34674 hi = (hi + Math.imul(ah3, bh4)) | 0;
34675 lo = (lo + Math.imul(al2, bl5)) | 0;
34676 mid = (mid + Math.imul(al2, bh5)) | 0;
34677 mid = (mid + Math.imul(ah2, bl5)) | 0;
34678 hi = (hi + Math.imul(ah2, bh5)) | 0;
34679 lo = (lo + Math.imul(al1, bl6)) | 0;
34680 mid = (mid + Math.imul(al1, bh6)) | 0;
34681 mid = (mid + Math.imul(ah1, bl6)) | 0;
34682 hi = (hi + Math.imul(ah1, bh6)) | 0;
34683 lo = (lo + Math.imul(al0, bl7)) | 0;
34684 mid = (mid + Math.imul(al0, bh7)) | 0;
34685 mid = (mid + Math.imul(ah0, bl7)) | 0;
34686 hi = (hi + Math.imul(ah0, bh7)) | 0;
34687 var w7 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34688 c = (((hi + (mid >>> 13)) | 0) + (w7 >>> 26)) | 0;
34689 w7 &= 0x3ffffff;
34690 /* k = 8 */
34691 lo = Math.imul(al8, bl0);
34692 mid = Math.imul(al8, bh0);
34693 mid = (mid + Math.imul(ah8, bl0)) | 0;
34694 hi = Math.imul(ah8, bh0);
34695 lo = (lo + Math.imul(al7, bl1)) | 0;
34696 mid = (mid + Math.imul(al7, bh1)) | 0;
34697 mid = (mid + Math.imul(ah7, bl1)) | 0;
34698 hi = (hi + Math.imul(ah7, bh1)) | 0;
34699 lo = (lo + Math.imul(al6, bl2)) | 0;
34700 mid = (mid + Math.imul(al6, bh2)) | 0;
34701 mid = (mid + Math.imul(ah6, bl2)) | 0;
34702 hi = (hi + Math.imul(ah6, bh2)) | 0;
34703 lo = (lo + Math.imul(al5, bl3)) | 0;
34704 mid = (mid + Math.imul(al5, bh3)) | 0;
34705 mid = (mid + Math.imul(ah5, bl3)) | 0;
34706 hi = (hi + Math.imul(ah5, bh3)) | 0;
34707 lo = (lo + Math.imul(al4, bl4)) | 0;
34708 mid = (mid + Math.imul(al4, bh4)) | 0;
34709 mid = (mid + Math.imul(ah4, bl4)) | 0;
34710 hi = (hi + Math.imul(ah4, bh4)) | 0;
34711 lo = (lo + Math.imul(al3, bl5)) | 0;
34712 mid = (mid + Math.imul(al3, bh5)) | 0;
34713 mid = (mid + Math.imul(ah3, bl5)) | 0;
34714 hi = (hi + Math.imul(ah3, bh5)) | 0;
34715 lo = (lo + Math.imul(al2, bl6)) | 0;
34716 mid = (mid + Math.imul(al2, bh6)) | 0;
34717 mid = (mid + Math.imul(ah2, bl6)) | 0;
34718 hi = (hi + Math.imul(ah2, bh6)) | 0;
34719 lo = (lo + Math.imul(al1, bl7)) | 0;
34720 mid = (mid + Math.imul(al1, bh7)) | 0;
34721 mid = (mid + Math.imul(ah1, bl7)) | 0;
34722 hi = (hi + Math.imul(ah1, bh7)) | 0;
34723 lo = (lo + Math.imul(al0, bl8)) | 0;
34724 mid = (mid + Math.imul(al0, bh8)) | 0;
34725 mid = (mid + Math.imul(ah0, bl8)) | 0;
34726 hi = (hi + Math.imul(ah0, bh8)) | 0;
34727 var w8 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34728 c = (((hi + (mid >>> 13)) | 0) + (w8 >>> 26)) | 0;
34729 w8 &= 0x3ffffff;
34730 /* k = 9 */
34731 lo = Math.imul(al9, bl0);
34732 mid = Math.imul(al9, bh0);
34733 mid = (mid + Math.imul(ah9, bl0)) | 0;
34734 hi = Math.imul(ah9, bh0);
34735 lo = (lo + Math.imul(al8, bl1)) | 0;
34736 mid = (mid + Math.imul(al8, bh1)) | 0;
34737 mid = (mid + Math.imul(ah8, bl1)) | 0;
34738 hi = (hi + Math.imul(ah8, bh1)) | 0;
34739 lo = (lo + Math.imul(al7, bl2)) | 0;
34740 mid = (mid + Math.imul(al7, bh2)) | 0;
34741 mid = (mid + Math.imul(ah7, bl2)) | 0;
34742 hi = (hi + Math.imul(ah7, bh2)) | 0;
34743 lo = (lo + Math.imul(al6, bl3)) | 0;
34744 mid = (mid + Math.imul(al6, bh3)) | 0;
34745 mid = (mid + Math.imul(ah6, bl3)) | 0;
34746 hi = (hi + Math.imul(ah6, bh3)) | 0;
34747 lo = (lo + Math.imul(al5, bl4)) | 0;
34748 mid = (mid + Math.imul(al5, bh4)) | 0;
34749 mid = (mid + Math.imul(ah5, bl4)) | 0;
34750 hi = (hi + Math.imul(ah5, bh4)) | 0;
34751 lo = (lo + Math.imul(al4, bl5)) | 0;
34752 mid = (mid + Math.imul(al4, bh5)) | 0;
34753 mid = (mid + Math.imul(ah4, bl5)) | 0;
34754 hi = (hi + Math.imul(ah4, bh5)) | 0;
34755 lo = (lo + Math.imul(al3, bl6)) | 0;
34756 mid = (mid + Math.imul(al3, bh6)) | 0;
34757 mid = (mid + Math.imul(ah3, bl6)) | 0;
34758 hi = (hi + Math.imul(ah3, bh6)) | 0;
34759 lo = (lo + Math.imul(al2, bl7)) | 0;
34760 mid = (mid + Math.imul(al2, bh7)) | 0;
34761 mid = (mid + Math.imul(ah2, bl7)) | 0;
34762 hi = (hi + Math.imul(ah2, bh7)) | 0;
34763 lo = (lo + Math.imul(al1, bl8)) | 0;
34764 mid = (mid + Math.imul(al1, bh8)) | 0;
34765 mid = (mid + Math.imul(ah1, bl8)) | 0;
34766 hi = (hi + Math.imul(ah1, bh8)) | 0;
34767 lo = (lo + Math.imul(al0, bl9)) | 0;
34768 mid = (mid + Math.imul(al0, bh9)) | 0;
34769 mid = (mid + Math.imul(ah0, bl9)) | 0;
34770 hi = (hi + Math.imul(ah0, bh9)) | 0;
34771 var w9 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34772 c = (((hi + (mid >>> 13)) | 0) + (w9 >>> 26)) | 0;
34773 w9 &= 0x3ffffff;
34774 /* k = 10 */
34775 lo = Math.imul(al9, bl1);
34776 mid = Math.imul(al9, bh1);
34777 mid = (mid + Math.imul(ah9, bl1)) | 0;
34778 hi = Math.imul(ah9, bh1);
34779 lo = (lo + Math.imul(al8, bl2)) | 0;
34780 mid = (mid + Math.imul(al8, bh2)) | 0;
34781 mid = (mid + Math.imul(ah8, bl2)) | 0;
34782 hi = (hi + Math.imul(ah8, bh2)) | 0;
34783 lo = (lo + Math.imul(al7, bl3)) | 0;
34784 mid = (mid + Math.imul(al7, bh3)) | 0;
34785 mid = (mid + Math.imul(ah7, bl3)) | 0;
34786 hi = (hi + Math.imul(ah7, bh3)) | 0;
34787 lo = (lo + Math.imul(al6, bl4)) | 0;
34788 mid = (mid + Math.imul(al6, bh4)) | 0;
34789 mid = (mid + Math.imul(ah6, bl4)) | 0;
34790 hi = (hi + Math.imul(ah6, bh4)) | 0;
34791 lo = (lo + Math.imul(al5, bl5)) | 0;
34792 mid = (mid + Math.imul(al5, bh5)) | 0;
34793 mid = (mid + Math.imul(ah5, bl5)) | 0;
34794 hi = (hi + Math.imul(ah5, bh5)) | 0;
34795 lo = (lo + Math.imul(al4, bl6)) | 0;
34796 mid = (mid + Math.imul(al4, bh6)) | 0;
34797 mid = (mid + Math.imul(ah4, bl6)) | 0;
34798 hi = (hi + Math.imul(ah4, bh6)) | 0;
34799 lo = (lo + Math.imul(al3, bl7)) | 0;
34800 mid = (mid + Math.imul(al3, bh7)) | 0;
34801 mid = (mid + Math.imul(ah3, bl7)) | 0;
34802 hi = (hi + Math.imul(ah3, bh7)) | 0;
34803 lo = (lo + Math.imul(al2, bl8)) | 0;
34804 mid = (mid + Math.imul(al2, bh8)) | 0;
34805 mid = (mid + Math.imul(ah2, bl8)) | 0;
34806 hi = (hi + Math.imul(ah2, bh8)) | 0;
34807 lo = (lo + Math.imul(al1, bl9)) | 0;
34808 mid = (mid + Math.imul(al1, bh9)) | 0;
34809 mid = (mid + Math.imul(ah1, bl9)) | 0;
34810 hi = (hi + Math.imul(ah1, bh9)) | 0;
34811 var w10 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34812 c = (((hi + (mid >>> 13)) | 0) + (w10 >>> 26)) | 0;
34813 w10 &= 0x3ffffff;
34814 /* k = 11 */
34815 lo = Math.imul(al9, bl2);
34816 mid = Math.imul(al9, bh2);
34817 mid = (mid + Math.imul(ah9, bl2)) | 0;
34818 hi = Math.imul(ah9, bh2);
34819 lo = (lo + Math.imul(al8, bl3)) | 0;
34820 mid = (mid + Math.imul(al8, bh3)) | 0;
34821 mid = (mid + Math.imul(ah8, bl3)) | 0;
34822 hi = (hi + Math.imul(ah8, bh3)) | 0;
34823 lo = (lo + Math.imul(al7, bl4)) | 0;
34824 mid = (mid + Math.imul(al7, bh4)) | 0;
34825 mid = (mid + Math.imul(ah7, bl4)) | 0;
34826 hi = (hi + Math.imul(ah7, bh4)) | 0;
34827 lo = (lo + Math.imul(al6, bl5)) | 0;
34828 mid = (mid + Math.imul(al6, bh5)) | 0;
34829 mid = (mid + Math.imul(ah6, bl5)) | 0;
34830 hi = (hi + Math.imul(ah6, bh5)) | 0;
34831 lo = (lo + Math.imul(al5, bl6)) | 0;
34832 mid = (mid + Math.imul(al5, bh6)) | 0;
34833 mid = (mid + Math.imul(ah5, bl6)) | 0;
34834 hi = (hi + Math.imul(ah5, bh6)) | 0;
34835 lo = (lo + Math.imul(al4, bl7)) | 0;
34836 mid = (mid + Math.imul(al4, bh7)) | 0;
34837 mid = (mid + Math.imul(ah4, bl7)) | 0;
34838 hi = (hi + Math.imul(ah4, bh7)) | 0;
34839 lo = (lo + Math.imul(al3, bl8)) | 0;
34840 mid = (mid + Math.imul(al3, bh8)) | 0;
34841 mid = (mid + Math.imul(ah3, bl8)) | 0;
34842 hi = (hi + Math.imul(ah3, bh8)) | 0;
34843 lo = (lo + Math.imul(al2, bl9)) | 0;
34844 mid = (mid + Math.imul(al2, bh9)) | 0;
34845 mid = (mid + Math.imul(ah2, bl9)) | 0;
34846 hi = (hi + Math.imul(ah2, bh9)) | 0;
34847 var w11 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34848 c = (((hi + (mid >>> 13)) | 0) + (w11 >>> 26)) | 0;
34849 w11 &= 0x3ffffff;
34850 /* k = 12 */
34851 lo = Math.imul(al9, bl3);
34852 mid = Math.imul(al9, bh3);
34853 mid = (mid + Math.imul(ah9, bl3)) | 0;
34854 hi = Math.imul(ah9, bh3);
34855 lo = (lo + Math.imul(al8, bl4)) | 0;
34856 mid = (mid + Math.imul(al8, bh4)) | 0;
34857 mid = (mid + Math.imul(ah8, bl4)) | 0;
34858 hi = (hi + Math.imul(ah8, bh4)) | 0;
34859 lo = (lo + Math.imul(al7, bl5)) | 0;
34860 mid = (mid + Math.imul(al7, bh5)) | 0;
34861 mid = (mid + Math.imul(ah7, bl5)) | 0;
34862 hi = (hi + Math.imul(ah7, bh5)) | 0;
34863 lo = (lo + Math.imul(al6, bl6)) | 0;
34864 mid = (mid + Math.imul(al6, bh6)) | 0;
34865 mid = (mid + Math.imul(ah6, bl6)) | 0;
34866 hi = (hi + Math.imul(ah6, bh6)) | 0;
34867 lo = (lo + Math.imul(al5, bl7)) | 0;
34868 mid = (mid + Math.imul(al5, bh7)) | 0;
34869 mid = (mid + Math.imul(ah5, bl7)) | 0;
34870 hi = (hi + Math.imul(ah5, bh7)) | 0;
34871 lo = (lo + Math.imul(al4, bl8)) | 0;
34872 mid = (mid + Math.imul(al4, bh8)) | 0;
34873 mid = (mid + Math.imul(ah4, bl8)) | 0;
34874 hi = (hi + Math.imul(ah4, bh8)) | 0;
34875 lo = (lo + Math.imul(al3, bl9)) | 0;
34876 mid = (mid + Math.imul(al3, bh9)) | 0;
34877 mid = (mid + Math.imul(ah3, bl9)) | 0;
34878 hi = (hi + Math.imul(ah3, bh9)) | 0;
34879 var w12 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34880 c = (((hi + (mid >>> 13)) | 0) + (w12 >>> 26)) | 0;
34881 w12 &= 0x3ffffff;
34882 /* k = 13 */
34883 lo = Math.imul(al9, bl4);
34884 mid = Math.imul(al9, bh4);
34885 mid = (mid + Math.imul(ah9, bl4)) | 0;
34886 hi = Math.imul(ah9, bh4);
34887 lo = (lo + Math.imul(al8, bl5)) | 0;
34888 mid = (mid + Math.imul(al8, bh5)) | 0;
34889 mid = (mid + Math.imul(ah8, bl5)) | 0;
34890 hi = (hi + Math.imul(ah8, bh5)) | 0;
34891 lo = (lo + Math.imul(al7, bl6)) | 0;
34892 mid = (mid + Math.imul(al7, bh6)) | 0;
34893 mid = (mid + Math.imul(ah7, bl6)) | 0;
34894 hi = (hi + Math.imul(ah7, bh6)) | 0;
34895 lo = (lo + Math.imul(al6, bl7)) | 0;
34896 mid = (mid + Math.imul(al6, bh7)) | 0;
34897 mid = (mid + Math.imul(ah6, bl7)) | 0;
34898 hi = (hi + Math.imul(ah6, bh7)) | 0;
34899 lo = (lo + Math.imul(al5, bl8)) | 0;
34900 mid = (mid + Math.imul(al5, bh8)) | 0;
34901 mid = (mid + Math.imul(ah5, bl8)) | 0;
34902 hi = (hi + Math.imul(ah5, bh8)) | 0;
34903 lo = (lo + Math.imul(al4, bl9)) | 0;
34904 mid = (mid + Math.imul(al4, bh9)) | 0;
34905 mid = (mid + Math.imul(ah4, bl9)) | 0;
34906 hi = (hi + Math.imul(ah4, bh9)) | 0;
34907 var w13 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34908 c = (((hi + (mid >>> 13)) | 0) + (w13 >>> 26)) | 0;
34909 w13 &= 0x3ffffff;
34910 /* k = 14 */
34911 lo = Math.imul(al9, bl5);
34912 mid = Math.imul(al9, bh5);
34913 mid = (mid + Math.imul(ah9, bl5)) | 0;
34914 hi = Math.imul(ah9, bh5);
34915 lo = (lo + Math.imul(al8, bl6)) | 0;
34916 mid = (mid + Math.imul(al8, bh6)) | 0;
34917 mid = (mid + Math.imul(ah8, bl6)) | 0;
34918 hi = (hi + Math.imul(ah8, bh6)) | 0;
34919 lo = (lo + Math.imul(al7, bl7)) | 0;
34920 mid = (mid + Math.imul(al7, bh7)) | 0;
34921 mid = (mid + Math.imul(ah7, bl7)) | 0;
34922 hi = (hi + Math.imul(ah7, bh7)) | 0;
34923 lo = (lo + Math.imul(al6, bl8)) | 0;
34924 mid = (mid + Math.imul(al6, bh8)) | 0;
34925 mid = (mid + Math.imul(ah6, bl8)) | 0;
34926 hi = (hi + Math.imul(ah6, bh8)) | 0;
34927 lo = (lo + Math.imul(al5, bl9)) | 0;
34928 mid = (mid + Math.imul(al5, bh9)) | 0;
34929 mid = (mid + Math.imul(ah5, bl9)) | 0;
34930 hi = (hi + Math.imul(ah5, bh9)) | 0;
34931 var w14 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34932 c = (((hi + (mid >>> 13)) | 0) + (w14 >>> 26)) | 0;
34933 w14 &= 0x3ffffff;
34934 /* k = 15 */
34935 lo = Math.imul(al9, bl6);
34936 mid = Math.imul(al9, bh6);
34937 mid = (mid + Math.imul(ah9, bl6)) | 0;
34938 hi = Math.imul(ah9, bh6);
34939 lo = (lo + Math.imul(al8, bl7)) | 0;
34940 mid = (mid + Math.imul(al8, bh7)) | 0;
34941 mid = (mid + Math.imul(ah8, bl7)) | 0;
34942 hi = (hi + Math.imul(ah8, bh7)) | 0;
34943 lo = (lo + Math.imul(al7, bl8)) | 0;
34944 mid = (mid + Math.imul(al7, bh8)) | 0;
34945 mid = (mid + Math.imul(ah7, bl8)) | 0;
34946 hi = (hi + Math.imul(ah7, bh8)) | 0;
34947 lo = (lo + Math.imul(al6, bl9)) | 0;
34948 mid = (mid + Math.imul(al6, bh9)) | 0;
34949 mid = (mid + Math.imul(ah6, bl9)) | 0;
34950 hi = (hi + Math.imul(ah6, bh9)) | 0;
34951 var w15 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34952 c = (((hi + (mid >>> 13)) | 0) + (w15 >>> 26)) | 0;
34953 w15 &= 0x3ffffff;
34954 /* k = 16 */
34955 lo = Math.imul(al9, bl7);
34956 mid = Math.imul(al9, bh7);
34957 mid = (mid + Math.imul(ah9, bl7)) | 0;
34958 hi = Math.imul(ah9, bh7);
34959 lo = (lo + Math.imul(al8, bl8)) | 0;
34960 mid = (mid + Math.imul(al8, bh8)) | 0;
34961 mid = (mid + Math.imul(ah8, bl8)) | 0;
34962 hi = (hi + Math.imul(ah8, bh8)) | 0;
34963 lo = (lo + Math.imul(al7, bl9)) | 0;
34964 mid = (mid + Math.imul(al7, bh9)) | 0;
34965 mid = (mid + Math.imul(ah7, bl9)) | 0;
34966 hi = (hi + Math.imul(ah7, bh9)) | 0;
34967 var w16 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34968 c = (((hi + (mid >>> 13)) | 0) + (w16 >>> 26)) | 0;
34969 w16 &= 0x3ffffff;
34970 /* k = 17 */
34971 lo = Math.imul(al9, bl8);
34972 mid = Math.imul(al9, bh8);
34973 mid = (mid + Math.imul(ah9, bl8)) | 0;
34974 hi = Math.imul(ah9, bh8);
34975 lo = (lo + Math.imul(al8, bl9)) | 0;
34976 mid = (mid + Math.imul(al8, bh9)) | 0;
34977 mid = (mid + Math.imul(ah8, bl9)) | 0;
34978 hi = (hi + Math.imul(ah8, bh9)) | 0;
34979 var w17 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34980 c = (((hi + (mid >>> 13)) | 0) + (w17 >>> 26)) | 0;
34981 w17 &= 0x3ffffff;
34982 /* k = 18 */
34983 lo = Math.imul(al9, bl9);
34984 mid = Math.imul(al9, bh9);
34985 mid = (mid + Math.imul(ah9, bl9)) | 0;
34986 hi = Math.imul(ah9, bh9);
34987 var w18 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0;
34988 c = (((hi + (mid >>> 13)) | 0) + (w18 >>> 26)) | 0;
34989 w18 &= 0x3ffffff;
34990 o[0] = w0;
34991 o[1] = w1;
34992 o[2] = w2;
34993 o[3] = w3;
34994 o[4] = w4;
34995 o[5] = w5;
34996 o[6] = w6;
34997 o[7] = w7;
34998 o[8] = w8;
34999 o[9] = w9;
35000 o[10] = w10;
35001 o[11] = w11;
35002 o[12] = w12;
35003 o[13] = w13;
35004 o[14] = w14;
35005 o[15] = w15;
35006 o[16] = w16;
35007 o[17] = w17;
35008 o[18] = w18;
35009 if (c !== 0) {
35010 o[19] = c;
35011 out.length++;
35012 }
35013 return out;
35014 };
35015
35016 // Polyfill comb
35017 if (!Math.imul) {
35018 comb10MulTo = smallMulTo;
35019 }
35020
35021 function bigMulTo (self, num, out) {
35022 out.negative = num.negative ^ self.negative;
35023 out.length = self.length + num.length;
35024
35025 var carry = 0;
35026 var hncarry = 0;
35027 for (var k = 0; k < out.length - 1; k++) {
35028 // Sum all words with the same `i + j = k` and accumulate `ncarry`,
35029 // note that ncarry could be >= 0x3ffffff
35030 var ncarry = hncarry;
35031 hncarry = 0;
35032 var rword = carry & 0x3ffffff;
35033 var maxJ = Math.min(k, num.length - 1);
35034 for (var j = Math.max(0, k - self.length + 1); j <= maxJ; j++) {
35035 var i = k - j;
35036 var a = self.words[i] | 0;
35037 var b = num.words[j] | 0;
35038 var r = a * b;
35039
35040 var lo = r & 0x3ffffff;
35041 ncarry = (ncarry + ((r / 0x4000000) | 0)) | 0;
35042 lo = (lo + rword) | 0;
35043 rword = lo & 0x3ffffff;
35044 ncarry = (ncarry + (lo >>> 26)) | 0;
35045
35046 hncarry += ncarry >>> 26;
35047 ncarry &= 0x3ffffff;
35048 }
35049 out.words[k] = rword;
35050 carry = ncarry;
35051 ncarry = hncarry;
35052 }
35053 if (carry !== 0) {
35054 out.words[k] = carry;
35055 } else {
35056 out.length--;
35057 }
35058
35059 return out.strip();
35060 }
35061
35062 function jumboMulTo (self, num, out) {
35063 var fftm = new FFTM();
35064 return fftm.mulp(self, num, out);
35065 }
35066
35067 BN.prototype.mulTo = function mulTo (num, out) {
35068 var res;
35069 var len = this.length + num.length;
35070 if (this.length === 10 && num.length === 10) {
35071 res = comb10MulTo(this, num, out);
35072 } else if (len < 63) {
35073 res = smallMulTo(this, num, out);
35074 } else if (len < 1024) {
35075 res = bigMulTo(this, num, out);
35076 } else {
35077 res = jumboMulTo(this, num, out);
35078 }
35079
35080 return res;
35081 };
35082
35083 // Cooley-Tukey algorithm for FFT
35084 // slightly revisited to rely on looping instead of recursion
35085
35086 function FFTM (x, y) {
35087 this.x = x;
35088 this.y = y;
35089 }
35090
35091 FFTM.prototype.makeRBT = function makeRBT (N) {
35092 var t = new Array(N);
35093 var l = BN.prototype._countBits(N) - 1;
35094 for (var i = 0; i < N; i++) {
35095 t[i] = this.revBin(i, l, N);
35096 }
35097
35098 return t;
35099 };
35100
35101 // Returns binary-reversed representation of `x`
35102 FFTM.prototype.revBin = function revBin (x, l, N) {
35103 if (x === 0 || x === N - 1) return x;
35104
35105 var rb = 0;
35106 for (var i = 0; i < l; i++) {
35107 rb |= (x & 1) << (l - i - 1);
35108 x >>= 1;
35109 }
35110
35111 return rb;
35112 };
35113
35114 // Performs "tweedling" phase, therefore 'emulating'
35115 // behaviour of the recursive algorithm
35116 FFTM.prototype.permute = function permute (rbt, rws, iws, rtws, itws, N) {
35117 for (var i = 0; i < N; i++) {
35118 rtws[i] = rws[rbt[i]];
35119 itws[i] = iws[rbt[i]];
35120 }
35121 };
35122
35123 FFTM.prototype.transform = function transform (rws, iws, rtws, itws, N, rbt) {
35124 this.permute(rbt, rws, iws, rtws, itws, N);
35125
35126 for (var s = 1; s < N; s <<= 1) {
35127 var l = s << 1;
35128
35129 var rtwdf = Math.cos(2 * Math.PI / l);
35130 var itwdf = Math.sin(2 * Math.PI / l);
35131
35132 for (var p = 0; p < N; p += l) {
35133 var rtwdf_ = rtwdf;
35134 var itwdf_ = itwdf;
35135
35136 for (var j = 0; j < s; j++) {
35137 var re = rtws[p + j];
35138 var ie = itws[p + j];
35139
35140 var ro = rtws[p + j + s];
35141 var io = itws[p + j + s];
35142
35143 var rx = rtwdf_ * ro - itwdf_ * io;
35144
35145 io = rtwdf_ * io + itwdf_ * ro;
35146 ro = rx;
35147
35148 rtws[p + j] = re + ro;
35149 itws[p + j] = ie + io;
35150
35151 rtws[p + j + s] = re - ro;
35152 itws[p + j + s] = ie - io;
35153
35154 /* jshint maxdepth : false */
35155 if (j !== l) {
35156 rx = rtwdf * rtwdf_ - itwdf * itwdf_;
35157
35158 itwdf_ = rtwdf * itwdf_ + itwdf * rtwdf_;
35159 rtwdf_ = rx;
35160 }
35161 }
35162 }
35163 }
35164 };
35165
35166 FFTM.prototype.guessLen13b = function guessLen13b (n, m) {
35167 var N = Math.max(m, n) | 1;
35168 var odd = N & 1;
35169 var i = 0;
35170 for (N = N / 2 | 0; N; N = N >>> 1) {
35171 i++;
35172 }
35173
35174 return 1 << i + 1 + odd;
35175 };
35176
35177 FFTM.prototype.conjugate = function conjugate (rws, iws, N) {
35178 if (N <= 1) return;
35179
35180 for (var i = 0; i < N / 2; i++) {
35181 var t = rws[i];
35182
35183 rws[i] = rws[N - i - 1];
35184 rws[N - i - 1] = t;
35185
35186 t = iws[i];
35187
35188 iws[i] = -iws[N - i - 1];
35189 iws[N - i - 1] = -t;
35190 }
35191 };
35192
35193 FFTM.prototype.normalize13b = function normalize13b (ws, N) {
35194 var carry = 0;
35195 for (var i = 0; i < N / 2; i++) {
35196 var w = Math.round(ws[2 * i + 1] / N) * 0x2000 +
35197 Math.round(ws[2 * i] / N) +
35198 carry;
35199
35200 ws[i] = w & 0x3ffffff;
35201
35202 if (w < 0x4000000) {
35203 carry = 0;
35204 } else {
35205 carry = w / 0x4000000 | 0;
35206 }
35207 }
35208
35209 return ws;
35210 };
35211
35212 FFTM.prototype.convert13b = function convert13b (ws, len, rws, N) {
35213 var carry = 0;
35214 for (var i = 0; i < len; i++) {
35215 carry = carry + (ws[i] | 0);
35216
35217 rws[2 * i] = carry & 0x1fff; carry = carry >>> 13;
35218 rws[2 * i + 1] = carry & 0x1fff; carry = carry >>> 13;
35219 }
35220
35221 // Pad with zeroes
35222 for (i = 2 * len; i < N; ++i) {
35223 rws[i] = 0;
35224 }
35225
35226 assert(carry === 0);
35227 assert((carry & ~0x1fff) === 0);
35228 };
35229
35230 FFTM.prototype.stub = function stub (N) {
35231 var ph = new Array(N);
35232 for (var i = 0; i < N; i++) {
35233 ph[i] = 0;
35234 }
35235
35236 return ph;
35237 };
35238
35239 FFTM.prototype.mulp = function mulp (x, y, out) {
35240 var N = 2 * this.guessLen13b(x.length, y.length);
35241
35242 var rbt = this.makeRBT(N);
35243
35244 var _ = this.stub(N);
35245
35246 var rws = new Array(N);
35247 var rwst = new Array(N);
35248 var iwst = new Array(N);
35249
35250 var nrws = new Array(N);
35251 var nrwst = new Array(N);
35252 var niwst = new Array(N);
35253
35254 var rmws = out.words;
35255 rmws.length = N;
35256
35257 this.convert13b(x.words, x.length, rws, N);
35258 this.convert13b(y.words, y.length, nrws, N);
35259
35260 this.transform(rws, _, rwst, iwst, N, rbt);
35261 this.transform(nrws, _, nrwst, niwst, N, rbt);
35262
35263 for (var i = 0; i < N; i++) {
35264 var rx = rwst[i] * nrwst[i] - iwst[i] * niwst[i];
35265 iwst[i] = rwst[i] * niwst[i] + iwst[i] * nrwst[i];
35266 rwst[i] = rx;
35267 }
35268
35269 this.conjugate(rwst, iwst, N);
35270 this.transform(rwst, iwst, rmws, _, N, rbt);
35271 this.conjugate(rmws, _, N);
35272 this.normalize13b(rmws, N);
35273
35274 out.negative = x.negative ^ y.negative;
35275 out.length = x.length + y.length;
35276 return out.strip();
35277 };
35278
35279 // Multiply `this` by `num`
35280 BN.prototype.mul = function mul (num) {
35281 var out = new BN(null);
35282 out.words = new Array(this.length + num.length);
35283 return this.mulTo(num, out);
35284 };
35285
35286 // Multiply employing FFT
35287 BN.prototype.mulf = function mulf (num) {
35288 var out = new BN(null);
35289 out.words = new Array(this.length + num.length);
35290 return jumboMulTo(this, num, out);
35291 };
35292
35293 // In-place Multiplication
35294 BN.prototype.imul = function imul (num) {
35295 return this.clone().mulTo(num, this);
35296 };
35297
35298 BN.prototype.imuln = function imuln (num) {
35299 assert(typeof num === 'number');
35300 assert(num < 0x4000000);
35301
35302 // Carry
35303 var carry = 0;
35304 for (var i = 0; i < this.length; i++) {
35305 var w = (this.words[i] | 0) * num;
35306 var lo = (w & 0x3ffffff) + (carry & 0x3ffffff);
35307 carry >>= 26;
35308 carry += (w / 0x4000000) | 0;
35309 // NOTE: lo is 27bit maximum
35310 carry += lo >>> 26;
35311 this.words[i] = lo & 0x3ffffff;
35312 }
35313
35314 if (carry !== 0) {
35315 this.words[i] = carry;
35316 this.length++;
35317 }
35318
35319 return this;
35320 };
35321
35322 BN.prototype.muln = function muln (num) {
35323 return this.clone().imuln(num);
35324 };
35325
35326 // `this` * `this`
35327 BN.prototype.sqr = function sqr () {
35328 return this.mul(this);
35329 };
35330
35331 // `this` * `this` in-place
35332 BN.prototype.isqr = function isqr () {
35333 return this.imul(this.clone());
35334 };
35335
35336 // Math.pow(`this`, `num`)
35337 BN.prototype.pow = function pow (num) {
35338 var w = toBitArray(num);
35339 if (w.length === 0) return new BN(1);
35340
35341 // Skip leading zeroes
35342 var res = this;
35343 for (var i = 0; i < w.length; i++, res = res.sqr()) {
35344 if (w[i] !== 0) break;
35345 }
35346
35347 if (++i < w.length) {
35348 for (var q = res.sqr(); i < w.length; i++, q = q.sqr()) {
35349 if (w[i] === 0) continue;
35350
35351 res = res.mul(q);
35352 }
35353 }
35354
35355 return res;
35356 };
35357
35358 // Shift-left in-place
35359 BN.prototype.iushln = function iushln (bits) {
35360 assert(typeof bits === 'number' && bits >= 0);
35361 var r = bits % 26;
35362 var s = (bits - r) / 26;
35363 var carryMask = (0x3ffffff >>> (26 - r)) << (26 - r);
35364 var i;
35365
35366 if (r !== 0) {
35367 var carry = 0;
35368
35369 for (i = 0; i < this.length; i++) {
35370 var newCarry = this.words[i] & carryMask;
35371 var c = ((this.words[i] | 0) - newCarry) << r;
35372 this.words[i] = c | carry;
35373 carry = newCarry >>> (26 - r);
35374 }
35375
35376 if (carry) {
35377 this.words[i] = carry;
35378 this.length++;
35379 }
35380 }
35381
35382 if (s !== 0) {
35383 for (i = this.length - 1; i >= 0; i--) {
35384 this.words[i + s] = this.words[i];
35385 }
35386
35387 for (i = 0; i < s; i++) {
35388 this.words[i] = 0;
35389 }
35390
35391 this.length += s;
35392 }
35393
35394 return this.strip();
35395 };
35396
35397 BN.prototype.ishln = function ishln (bits) {
35398 // TODO(indutny): implement me
35399 assert(this.negative === 0);
35400 return this.iushln(bits);
35401 };
35402
35403 // Shift-right in-place
35404 // NOTE: `hint` is a lowest bit before trailing zeroes
35405 // NOTE: if `extended` is present - it will be filled with destroyed bits
35406 BN.prototype.iushrn = function iushrn (bits, hint, extended) {
35407 assert(typeof bits === 'number' && bits >= 0);
35408 var h;
35409 if (hint) {
35410 h = (hint - (hint % 26)) / 26;
35411 } else {
35412 h = 0;
35413 }
35414
35415 var r = bits % 26;
35416 var s = Math.min((bits - r) / 26, this.length);
35417 var mask = 0x3ffffff ^ ((0x3ffffff >>> r) << r);
35418 var maskedWords = extended;
35419
35420 h -= s;
35421 h = Math.max(0, h);
35422
35423 // Extended mode, copy masked part
35424 if (maskedWords) {
35425 for (var i = 0; i < s; i++) {
35426 maskedWords.words[i] = this.words[i];
35427 }
35428 maskedWords.length = s;
35429 }
35430
35431 if (s === 0) ; else if (this.length > s) {
35432 this.length -= s;
35433 for (i = 0; i < this.length; i++) {
35434 this.words[i] = this.words[i + s];
35435 }
35436 } else {
35437 this.words[0] = 0;
35438 this.length = 1;
35439 }
35440
35441 var carry = 0;
35442 for (i = this.length - 1; i >= 0 && (carry !== 0 || i >= h); i--) {
35443 var word = this.words[i] | 0;
35444 this.words[i] = (carry << (26 - r)) | (word >>> r);
35445 carry = word & mask;
35446 }
35447
35448 // Push carried bits as a mask
35449 if (maskedWords && carry !== 0) {
35450 maskedWords.words[maskedWords.length++] = carry;
35451 }
35452
35453 if (this.length === 0) {
35454 this.words[0] = 0;
35455 this.length = 1;
35456 }
35457
35458 return this.strip();
35459 };
35460
35461 BN.prototype.ishrn = function ishrn (bits, hint, extended) {
35462 // TODO(indutny): implement me
35463 assert(this.negative === 0);
35464 return this.iushrn(bits, hint, extended);
35465 };
35466
35467 // Shift-left
35468 BN.prototype.shln = function shln (bits) {
35469 return this.clone().ishln(bits);
35470 };
35471
35472 BN.prototype.ushln = function ushln (bits) {
35473 return this.clone().iushln(bits);
35474 };
35475
35476 // Shift-right
35477 BN.prototype.shrn = function shrn (bits) {
35478 return this.clone().ishrn(bits);
35479 };
35480
35481 BN.prototype.ushrn = function ushrn (bits) {
35482 return this.clone().iushrn(bits);
35483 };
35484
35485 // Test if n bit is set
35486 BN.prototype.testn = function testn (bit) {
35487 assert(typeof bit === 'number' && bit >= 0);
35488 var r = bit % 26;
35489 var s = (bit - r) / 26;
35490 var q = 1 << r;
35491
35492 // Fast case: bit is much higher than all existing words
35493 if (this.length <= s) return false;
35494
35495 // Check bit and return
35496 var w = this.words[s];
35497
35498 return !!(w & q);
35499 };
35500
35501 // Return only lowers bits of number (in-place)
35502 BN.prototype.imaskn = function imaskn (bits) {
35503 assert(typeof bits === 'number' && bits >= 0);
35504 var r = bits % 26;
35505 var s = (bits - r) / 26;
35506
35507 assert(this.negative === 0, 'imaskn works only with positive numbers');
35508
35509 if (this.length <= s) {
35510 return this;
35511 }
35512
35513 if (r !== 0) {
35514 s++;
35515 }
35516 this.length = Math.min(s, this.length);
35517
35518 if (r !== 0) {
35519 var mask = 0x3ffffff ^ ((0x3ffffff >>> r) << r);
35520 this.words[this.length - 1] &= mask;
35521 }
35522
35523 return this.strip();
35524 };
35525
35526 // Return only lowers bits of number
35527 BN.prototype.maskn = function maskn (bits) {
35528 return this.clone().imaskn(bits);
35529 };
35530
35531 // Add plain number `num` to `this`
35532 BN.prototype.iaddn = function iaddn (num) {
35533 assert(typeof num === 'number');
35534 assert(num < 0x4000000);
35535 if (num < 0) return this.isubn(-num);
35536
35537 // Possible sign change
35538 if (this.negative !== 0) {
35539 if (this.length === 1 && (this.words[0] | 0) < num) {
35540 this.words[0] = num - (this.words[0] | 0);
35541 this.negative = 0;
35542 return this;
35543 }
35544
35545 this.negative = 0;
35546 this.isubn(num);
35547 this.negative = 1;
35548 return this;
35549 }
35550
35551 // Add without checks
35552 return this._iaddn(num);
35553 };
35554
35555 BN.prototype._iaddn = function _iaddn (num) {
35556 this.words[0] += num;
35557
35558 // Carry
35559 for (var i = 0; i < this.length && this.words[i] >= 0x4000000; i++) {
35560 this.words[i] -= 0x4000000;
35561 if (i === this.length - 1) {
35562 this.words[i + 1] = 1;
35563 } else {
35564 this.words[i + 1]++;
35565 }
35566 }
35567 this.length = Math.max(this.length, i + 1);
35568
35569 return this;
35570 };
35571
35572 // Subtract plain number `num` from `this`
35573 BN.prototype.isubn = function isubn (num) {
35574 assert(typeof num === 'number');
35575 assert(num < 0x4000000);
35576 if (num < 0) return this.iaddn(-num);
35577
35578 if (this.negative !== 0) {
35579 this.negative = 0;
35580 this.iaddn(num);
35581 this.negative = 1;
35582 return this;
35583 }
35584
35585 this.words[0] -= num;
35586
35587 if (this.length === 1 && this.words[0] < 0) {
35588 this.words[0] = -this.words[0];
35589 this.negative = 1;
35590 } else {
35591 // Carry
35592 for (var i = 0; i < this.length && this.words[i] < 0; i++) {
35593 this.words[i] += 0x4000000;
35594 this.words[i + 1] -= 1;
35595 }
35596 }
35597
35598 return this.strip();
35599 };
35600
35601 BN.prototype.addn = function addn (num) {
35602 return this.clone().iaddn(num);
35603 };
35604
35605 BN.prototype.subn = function subn (num) {
35606 return this.clone().isubn(num);
35607 };
35608
35609 BN.prototype.iabs = function iabs () {
35610 this.negative = 0;
35611
35612 return this;
35613 };
35614
35615 BN.prototype.abs = function abs () {
35616 return this.clone().iabs();
35617 };
35618
35619 BN.prototype._ishlnsubmul = function _ishlnsubmul (num, mul, shift) {
35620 var len = num.length + shift;
35621 var i;
35622
35623 this._expand(len);
35624
35625 var w;
35626 var carry = 0;
35627 for (i = 0; i < num.length; i++) {
35628 w = (this.words[i + shift] | 0) + carry;
35629 var right = (num.words[i] | 0) * mul;
35630 w -= right & 0x3ffffff;
35631 carry = (w >> 26) - ((right / 0x4000000) | 0);
35632 this.words[i + shift] = w & 0x3ffffff;
35633 }
35634 for (; i < this.length - shift; i++) {
35635 w = (this.words[i + shift] | 0) + carry;
35636 carry = w >> 26;
35637 this.words[i + shift] = w & 0x3ffffff;
35638 }
35639
35640 if (carry === 0) return this.strip();
35641
35642 // Subtraction overflow
35643 assert(carry === -1);
35644 carry = 0;
35645 for (i = 0; i < this.length; i++) {
35646 w = -(this.words[i] | 0) + carry;
35647 carry = w >> 26;
35648 this.words[i] = w & 0x3ffffff;
35649 }
35650 this.negative = 1;
35651
35652 return this.strip();
35653 };
35654
35655 BN.prototype._wordDiv = function _wordDiv (num, mode) {
35656 var shift = this.length - num.length;
35657
35658 var a = this.clone();
35659 var b = num;
35660
35661 // Normalize
35662 var bhi = b.words[b.length - 1] | 0;
35663 var bhiBits = this._countBits(bhi);
35664 shift = 26 - bhiBits;
35665 if (shift !== 0) {
35666 b = b.ushln(shift);
35667 a.iushln(shift);
35668 bhi = b.words[b.length - 1] | 0;
35669 }
35670
35671 // Initialize quotient
35672 var m = a.length - b.length;
35673 var q;
35674
35675 if (mode !== 'mod') {
35676 q = new BN(null);
35677 q.length = m + 1;
35678 q.words = new Array(q.length);
35679 for (var i = 0; i < q.length; i++) {
35680 q.words[i] = 0;
35681 }
35682 }
35683
35684 var diff = a.clone()._ishlnsubmul(b, 1, m);
35685 if (diff.negative === 0) {
35686 a = diff;
35687 if (q) {
35688 q.words[m] = 1;
35689 }
35690 }
35691
35692 for (var j = m - 1; j >= 0; j--) {
35693 var qj = (a.words[b.length + j] | 0) * 0x4000000 +
35694 (a.words[b.length + j - 1] | 0);
35695
35696 // NOTE: (qj / bhi) is (0x3ffffff * 0x4000000 + 0x3ffffff) / 0x2000000 max
35697 // (0x7ffffff)
35698 qj = Math.min((qj / bhi) | 0, 0x3ffffff);
35699
35700 a._ishlnsubmul(b, qj, j);
35701 while (a.negative !== 0) {
35702 qj--;
35703 a.negative = 0;
35704 a._ishlnsubmul(b, 1, j);
35705 if (!a.isZero()) {
35706 a.negative ^= 1;
35707 }
35708 }
35709 if (q) {
35710 q.words[j] = qj;
35711 }
35712 }
35713 if (q) {
35714 q.strip();
35715 }
35716 a.strip();
35717
35718 // Denormalize
35719 if (mode !== 'div' && shift !== 0) {
35720 a.iushrn(shift);
35721 }
35722
35723 return {
35724 div: q || null,
35725 mod: a
35726 };
35727 };
35728
35729 // NOTE: 1) `mode` can be set to `mod` to request mod only,
35730 // to `div` to request div only, or be absent to
35731 // request both div & mod
35732 // 2) `positive` is true if unsigned mod is requested
35733 BN.prototype.divmod = function divmod (num, mode, positive) {
35734 assert(!num.isZero());
35735
35736 if (this.isZero()) {
35737 return {
35738 div: new BN(0),
35739 mod: new BN(0)
35740 };
35741 }
35742
35743 var div, mod, res;
35744 if (this.negative !== 0 && num.negative === 0) {
35745 res = this.neg().divmod(num, mode);
35746
35747 if (mode !== 'mod') {
35748 div = res.div.neg();
35749 }
35750
35751 if (mode !== 'div') {
35752 mod = res.mod.neg();
35753 if (positive && mod.negative !== 0) {
35754 mod.iadd(num);
35755 }
35756 }
35757
35758 return {
35759 div: div,
35760 mod: mod
35761 };
35762 }
35763
35764 if (this.negative === 0 && num.negative !== 0) {
35765 res = this.divmod(num.neg(), mode);
35766
35767 if (mode !== 'mod') {
35768 div = res.div.neg();
35769 }
35770
35771 return {
35772 div: div,
35773 mod: res.mod
35774 };
35775 }
35776
35777 if ((this.negative & num.negative) !== 0) {
35778 res = this.neg().divmod(num.neg(), mode);
35779
35780 if (mode !== 'div') {
35781 mod = res.mod.neg();
35782 if (positive && mod.negative !== 0) {
35783 mod.isub(num);
35784 }
35785 }
35786
35787 return {
35788 div: res.div,
35789 mod: mod
35790 };
35791 }
35792
35793 // Both numbers are positive at this point
35794
35795 // Strip both numbers to approximate shift value
35796 if (num.length > this.length || this.cmp(num) < 0) {
35797 return {
35798 div: new BN(0),
35799 mod: this
35800 };
35801 }
35802
35803 // Very short reduction
35804 if (num.length === 1) {
35805 if (mode === 'div') {
35806 return {
35807 div: this.divn(num.words[0]),
35808 mod: null
35809 };
35810 }
35811
35812 if (mode === 'mod') {
35813 return {
35814 div: null,
35815 mod: new BN(this.modn(num.words[0]))
35816 };
35817 }
35818
35819 return {
35820 div: this.divn(num.words[0]),
35821 mod: new BN(this.modn(num.words[0]))
35822 };
35823 }
35824
35825 return this._wordDiv(num, mode);
35826 };
35827
35828 // Find `this` / `num`
35829 BN.prototype.div = function div (num) {
35830 return this.divmod(num, 'div', false).div;
35831 };
35832
35833 // Find `this` % `num`
35834 BN.prototype.mod = function mod (num) {
35835 return this.divmod(num, 'mod', false).mod;
35836 };
35837
35838 BN.prototype.umod = function umod (num) {
35839 return this.divmod(num, 'mod', true).mod;
35840 };
35841
35842 // Find Round(`this` / `num`)
35843 BN.prototype.divRound = function divRound (num) {
35844 var dm = this.divmod(num);
35845
35846 // Fast case - exact division
35847 if (dm.mod.isZero()) return dm.div;
35848
35849 var mod = dm.div.negative !== 0 ? dm.mod.isub(num) : dm.mod;
35850
35851 var half = num.ushrn(1);
35852 var r2 = num.andln(1);
35853 var cmp = mod.cmp(half);
35854
35855 // Round down
35856 if (cmp < 0 || r2 === 1 && cmp === 0) return dm.div;
35857
35858 // Round up
35859 return dm.div.negative !== 0 ? dm.div.isubn(1) : dm.div.iaddn(1);
35860 };
35861
35862 BN.prototype.modn = function modn (num) {
35863 assert(num <= 0x3ffffff);
35864 var p = (1 << 26) % num;
35865
35866 var acc = 0;
35867 for (var i = this.length - 1; i >= 0; i--) {
35868 acc = (p * acc + (this.words[i] | 0)) % num;
35869 }
35870
35871 return acc;
35872 };
35873
35874 // In-place division by number
35875 BN.prototype.idivn = function idivn (num) {
35876 assert(num <= 0x3ffffff);
35877
35878 var carry = 0;
35879 for (var i = this.length - 1; i >= 0; i--) {
35880 var w = (this.words[i] | 0) + carry * 0x4000000;
35881 this.words[i] = (w / num) | 0;
35882 carry = w % num;
35883 }
35884
35885 return this.strip();
35886 };
35887
35888 BN.prototype.divn = function divn (num) {
35889 return this.clone().idivn(num);
35890 };
35891
35892 BN.prototype.egcd = function egcd (p) {
35893 assert(p.negative === 0);
35894 assert(!p.isZero());
35895
35896 var x = this;
35897 var y = p.clone();
35898
35899 if (x.negative !== 0) {
35900 x = x.umod(p);
35901 } else {
35902 x = x.clone();
35903 }
35904
35905 // A * x + B * y = x
35906 var A = new BN(1);
35907 var B = new BN(0);
35908
35909 // C * x + D * y = y
35910 var C = new BN(0);
35911 var D = new BN(1);
35912
35913 var g = 0;
35914
35915 while (x.isEven() && y.isEven()) {
35916 x.iushrn(1);
35917 y.iushrn(1);
35918 ++g;
35919 }
35920
35921 var yp = y.clone();
35922 var xp = x.clone();
35923
35924 while (!x.isZero()) {
35925 for (var i = 0, im = 1; (x.words[0] & im) === 0 && i < 26; ++i, im <<= 1);
35926 if (i > 0) {
35927 x.iushrn(i);
35928 while (i-- > 0) {
35929 if (A.isOdd() || B.isOdd()) {
35930 A.iadd(yp);
35931 B.isub(xp);
35932 }
35933
35934 A.iushrn(1);
35935 B.iushrn(1);
35936 }
35937 }
35938
35939 for (var j = 0, jm = 1; (y.words[0] & jm) === 0 && j < 26; ++j, jm <<= 1);
35940 if (j > 0) {
35941 y.iushrn(j);
35942 while (j-- > 0) {
35943 if (C.isOdd() || D.isOdd()) {
35944 C.iadd(yp);
35945 D.isub(xp);
35946 }
35947
35948 C.iushrn(1);
35949 D.iushrn(1);
35950 }
35951 }
35952
35953 if (x.cmp(y) >= 0) {
35954 x.isub(y);
35955 A.isub(C);
35956 B.isub(D);
35957 } else {
35958 y.isub(x);
35959 C.isub(A);
35960 D.isub(B);
35961 }
35962 }
35963
35964 return {
35965 a: C,
35966 b: D,
35967 gcd: y.iushln(g)
35968 };
35969 };
35970
35971 // This is reduced incarnation of the binary EEA
35972 // above, designated to invert members of the
35973 // _prime_ fields F(p) at a maximal speed
35974 BN.prototype._invmp = function _invmp (p) {
35975 assert(p.negative === 0);
35976 assert(!p.isZero());
35977
35978 var a = this;
35979 var b = p.clone();
35980
35981 if (a.negative !== 0) {
35982 a = a.umod(p);
35983 } else {
35984 a = a.clone();
35985 }
35986
35987 var x1 = new BN(1);
35988 var x2 = new BN(0);
35989
35990 var delta = b.clone();
35991
35992 while (a.cmpn(1) > 0 && b.cmpn(1) > 0) {
35993 for (var i = 0, im = 1; (a.words[0] & im) === 0 && i < 26; ++i, im <<= 1);
35994 if (i > 0) {
35995 a.iushrn(i);
35996 while (i-- > 0) {
35997 if (x1.isOdd()) {
35998 x1.iadd(delta);
35999 }
36000
36001 x1.iushrn(1);
36002 }
36003 }
36004
36005 for (var j = 0, jm = 1; (b.words[0] & jm) === 0 && j < 26; ++j, jm <<= 1);
36006 if (j > 0) {
36007 b.iushrn(j);
36008 while (j-- > 0) {
36009 if (x2.isOdd()) {
36010 x2.iadd(delta);
36011 }
36012
36013 x2.iushrn(1);
36014 }
36015 }
36016
36017 if (a.cmp(b) >= 0) {
36018 a.isub(b);
36019 x1.isub(x2);
36020 } else {
36021 b.isub(a);
36022 x2.isub(x1);
36023 }
36024 }
36025
36026 var res;
36027 if (a.cmpn(1) === 0) {
36028 res = x1;
36029 } else {
36030 res = x2;
36031 }
36032
36033 if (res.cmpn(0) < 0) {
36034 res.iadd(p);
36035 }
36036
36037 return res;
36038 };
36039
36040 BN.prototype.gcd = function gcd (num) {
36041 if (this.isZero()) return num.abs();
36042 if (num.isZero()) return this.abs();
36043
36044 var a = this.clone();
36045 var b = num.clone();
36046 a.negative = 0;
36047 b.negative = 0;
36048
36049 // Remove common factor of two
36050 for (var shift = 0; a.isEven() && b.isEven(); shift++) {
36051 a.iushrn(1);
36052 b.iushrn(1);
36053 }
36054
36055 do {
36056 while (a.isEven()) {
36057 a.iushrn(1);
36058 }
36059 while (b.isEven()) {
36060 b.iushrn(1);
36061 }
36062
36063 var r = a.cmp(b);
36064 if (r < 0) {
36065 // Swap `a` and `b` to make `a` always bigger than `b`
36066 var t = a;
36067 a = b;
36068 b = t;
36069 } else if (r === 0 || b.cmpn(1) === 0) {
36070 break;
36071 }
36072
36073 a.isub(b);
36074 } while (true);
36075
36076 return b.iushln(shift);
36077 };
36078
36079 // Invert number in the field F(num)
36080 BN.prototype.invm = function invm (num) {
36081 return this.egcd(num).a.umod(num);
36082 };
36083
36084 BN.prototype.isEven = function isEven () {
36085 return (this.words[0] & 1) === 0;
36086 };
36087
36088 BN.prototype.isOdd = function isOdd () {
36089 return (this.words[0] & 1) === 1;
36090 };
36091
36092 // And first word and num
36093 BN.prototype.andln = function andln (num) {
36094 return this.words[0] & num;
36095 };
36096
36097 // Increment at the bit position in-line
36098 BN.prototype.bincn = function bincn (bit) {
36099 assert(typeof bit === 'number');
36100 var r = bit % 26;
36101 var s = (bit - r) / 26;
36102 var q = 1 << r;
36103
36104 // Fast case: bit is much higher than all existing words
36105 if (this.length <= s) {
36106 this._expand(s + 1);
36107 this.words[s] |= q;
36108 return this;
36109 }
36110
36111 // Add bit and propagate, if needed
36112 var carry = q;
36113 for (var i = s; carry !== 0 && i < this.length; i++) {
36114 var w = this.words[i] | 0;
36115 w += carry;
36116 carry = w >>> 26;
36117 w &= 0x3ffffff;
36118 this.words[i] = w;
36119 }
36120 if (carry !== 0) {
36121 this.words[i] = carry;
36122 this.length++;
36123 }
36124 return this;
36125 };
36126
36127 BN.prototype.isZero = function isZero () {
36128 return this.length === 1 && this.words[0] === 0;
36129 };
36130
36131 BN.prototype.cmpn = function cmpn (num) {
36132 var negative = num < 0;
36133
36134 if (this.negative !== 0 && !negative) return -1;
36135 if (this.negative === 0 && negative) return 1;
36136
36137 this.strip();
36138
36139 var res;
36140 if (this.length > 1) {
36141 res = 1;
36142 } else {
36143 if (negative) {
36144 num = -num;
36145 }
36146
36147 assert(num <= 0x3ffffff, 'Number is too big');
36148
36149 var w = this.words[0] | 0;
36150 res = w === num ? 0 : w < num ? -1 : 1;
36151 }
36152 if (this.negative !== 0) return -res | 0;
36153 return res;
36154 };
36155
36156 // Compare two numbers and return:
36157 // 1 - if `this` > `num`
36158 // 0 - if `this` == `num`
36159 // -1 - if `this` < `num`
36160 BN.prototype.cmp = function cmp (num) {
36161 if (this.negative !== 0 && num.negative === 0) return -1;
36162 if (this.negative === 0 && num.negative !== 0) return 1;
36163
36164 var res = this.ucmp(num);
36165 if (this.negative !== 0) return -res | 0;
36166 return res;
36167 };
36168
36169 // Unsigned comparison
36170 BN.prototype.ucmp = function ucmp (num) {
36171 // At this point both numbers have the same sign
36172 if (this.length > num.length) return 1;
36173 if (this.length < num.length) return -1;
36174
36175 var res = 0;
36176 for (var i = this.length - 1; i >= 0; i--) {
36177 var a = this.words[i] | 0;
36178 var b = num.words[i] | 0;
36179
36180 if (a === b) continue;
36181 if (a < b) {
36182 res = -1;
36183 } else if (a > b) {
36184 res = 1;
36185 }
36186 break;
36187 }
36188 return res;
36189 };
36190
36191 BN.prototype.gtn = function gtn (num) {
36192 return this.cmpn(num) === 1;
36193 };
36194
36195 BN.prototype.gt = function gt (num) {
36196 return this.cmp(num) === 1;
36197 };
36198
36199 BN.prototype.gten = function gten (num) {
36200 return this.cmpn(num) >= 0;
36201 };
36202
36203 BN.prototype.gte = function gte (num) {
36204 return this.cmp(num) >= 0;
36205 };
36206
36207 BN.prototype.ltn = function ltn (num) {
36208 return this.cmpn(num) === -1;
36209 };
36210
36211 BN.prototype.lt = function lt (num) {
36212 return this.cmp(num) === -1;
36213 };
36214
36215 BN.prototype.lten = function lten (num) {
36216 return this.cmpn(num) <= 0;
36217 };
36218
36219 BN.prototype.lte = function lte (num) {
36220 return this.cmp(num) <= 0;
36221 };
36222
36223 BN.prototype.eqn = function eqn (num) {
36224 return this.cmpn(num) === 0;
36225 };
36226
36227 BN.prototype.eq = function eq (num) {
36228 return this.cmp(num) === 0;
36229 };
36230
36231 //
36232 // A reduce context, could be using montgomery or something better, depending
36233 // on the `m` itself.
36234 //
36235 BN.red = function red (num) {
36236 return new Red(num);
36237 };
36238
36239 BN.prototype.toRed = function toRed (ctx) {
36240 assert(!this.red, 'Already a number in reduction context');
36241 assert(this.negative === 0, 'red works only with positives');
36242 return ctx.convertTo(this)._forceRed(ctx);
36243 };
36244
36245 BN.prototype.fromRed = function fromRed () {
36246 assert(this.red, 'fromRed works only with numbers in reduction context');
36247 return this.red.convertFrom(this);
36248 };
36249
36250 BN.prototype._forceRed = function _forceRed (ctx) {
36251 this.red = ctx;
36252 return this;
36253 };
36254
36255 BN.prototype.forceRed = function forceRed (ctx) {
36256 assert(!this.red, 'Already a number in reduction context');
36257 return this._forceRed(ctx);
36258 };
36259
36260 BN.prototype.redAdd = function redAdd (num) {
36261 assert(this.red, 'redAdd works only with red numbers');
36262 return this.red.add(this, num);
36263 };
36264
36265 BN.prototype.redIAdd = function redIAdd (num) {
36266 assert(this.red, 'redIAdd works only with red numbers');
36267 return this.red.iadd(this, num);
36268 };
36269
36270 BN.prototype.redSub = function redSub (num) {
36271 assert(this.red, 'redSub works only with red numbers');
36272 return this.red.sub(this, num);
36273 };
36274
36275 BN.prototype.redISub = function redISub (num) {
36276 assert(this.red, 'redISub works only with red numbers');
36277 return this.red.isub(this, num);
36278 };
36279
36280 BN.prototype.redShl = function redShl (num) {
36281 assert(this.red, 'redShl works only with red numbers');
36282 return this.red.shl(this, num);
36283 };
36284
36285 BN.prototype.redMul = function redMul (num) {
36286 assert(this.red, 'redMul works only with red numbers');
36287 this.red._verify2(this, num);
36288 return this.red.mul(this, num);
36289 };
36290
36291 BN.prototype.redIMul = function redIMul (num) {
36292 assert(this.red, 'redMul works only with red numbers');
36293 this.red._verify2(this, num);
36294 return this.red.imul(this, num);
36295 };
36296
36297 BN.prototype.redSqr = function redSqr () {
36298 assert(this.red, 'redSqr works only with red numbers');
36299 this.red._verify1(this);
36300 return this.red.sqr(this);
36301 };
36302
36303 BN.prototype.redISqr = function redISqr () {
36304 assert(this.red, 'redISqr works only with red numbers');
36305 this.red._verify1(this);
36306 return this.red.isqr(this);
36307 };
36308
36309 // Square root over p
36310 BN.prototype.redSqrt = function redSqrt () {
36311 assert(this.red, 'redSqrt works only with red numbers');
36312 this.red._verify1(this);
36313 return this.red.sqrt(this);
36314 };
36315
36316 BN.prototype.redInvm = function redInvm () {
36317 assert(this.red, 'redInvm works only with red numbers');
36318 this.red._verify1(this);
36319 return this.red.invm(this);
36320 };
36321
36322 // Return negative clone of `this` % `red modulo`
36323 BN.prototype.redNeg = function redNeg () {
36324 assert(this.red, 'redNeg works only with red numbers');
36325 this.red._verify1(this);
36326 return this.red.neg(this);
36327 };
36328
36329 BN.prototype.redPow = function redPow (num) {
36330 assert(this.red && !num.red, 'redPow(normalNum)');
36331 this.red._verify1(this);
36332 return this.red.pow(this, num);
36333 };
36334
36335 // Prime numbers with efficient reduction
36336 var primes = {
36337 k256: null,
36338 p224: null,
36339 p192: null,
36340 p25519: null
36341 };
36342
36343 // Pseudo-Mersenne prime
36344 function MPrime (name, p) {
36345 // P = 2 ^ N - K
36346 this.name = name;
36347 this.p = new BN(p, 16);
36348 this.n = this.p.bitLength();
36349 this.k = new BN(1).iushln(this.n).isub(this.p);
36350
36351 this.tmp = this._tmp();
36352 }
36353
36354 MPrime.prototype._tmp = function _tmp () {
36355 var tmp = new BN(null);
36356 tmp.words = new Array(Math.ceil(this.n / 13));
36357 return tmp;
36358 };
36359
36360 MPrime.prototype.ireduce = function ireduce (num) {
36361 // Assumes that `num` is less than `P^2`
36362 // num = HI * (2 ^ N - K) + HI * K + LO = HI * K + LO (mod P)
36363 var r = num;
36364 var rlen;
36365
36366 do {
36367 this.split(r, this.tmp);
36368 r = this.imulK(r);
36369 r = r.iadd(this.tmp);
36370 rlen = r.bitLength();
36371 } while (rlen > this.n);
36372
36373 var cmp = rlen < this.n ? -1 : r.ucmp(this.p);
36374 if (cmp === 0) {
36375 r.words[0] = 0;
36376 r.length = 1;
36377 } else if (cmp > 0) {
36378 r.isub(this.p);
36379 } else {
36380 r.strip();
36381 }
36382
36383 return r;
36384 };
36385
36386 MPrime.prototype.split = function split (input, out) {
36387 input.iushrn(this.n, 0, out);
36388 };
36389
36390 MPrime.prototype.imulK = function imulK (num) {
36391 return num.imul(this.k);
36392 };
36393
36394 function K256 () {
36395 MPrime.call(
36396 this,
36397 'k256',
36398 'ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe fffffc2f');
36399 }
36400 inherits(K256, MPrime);
36401
36402 K256.prototype.split = function split (input, output) {
36403 // 256 = 9 * 26 + 22
36404 var mask = 0x3fffff;
36405
36406 var outLen = Math.min(input.length, 9);
36407 for (var i = 0; i < outLen; i++) {
36408 output.words[i] = input.words[i];
36409 }
36410 output.length = outLen;
36411
36412 if (input.length <= 9) {
36413 input.words[0] = 0;
36414 input.length = 1;
36415 return;
36416 }
36417
36418 // Shift by 9 limbs
36419 var prev = input.words[9];
36420 output.words[output.length++] = prev & mask;
36421
36422 for (i = 10; i < input.length; i++) {
36423 var next = input.words[i] | 0;
36424 input.words[i - 10] = ((next & mask) << 4) | (prev >>> 22);
36425 prev = next;
36426 }
36427 prev >>>= 22;
36428 input.words[i - 10] = prev;
36429 if (prev === 0 && input.length > 10) {
36430 input.length -= 10;
36431 } else {
36432 input.length -= 9;
36433 }
36434 };
36435
36436 K256.prototype.imulK = function imulK (num) {
36437 // K = 0x1000003d1 = [ 0x40, 0x3d1 ]
36438 num.words[num.length] = 0;
36439 num.words[num.length + 1] = 0;
36440 num.length += 2;
36441
36442 // bounded at: 0x40 * 0x3ffffff + 0x3d0 = 0x100000390
36443 var lo = 0;
36444 for (var i = 0; i < num.length; i++) {
36445 var w = num.words[i] | 0;
36446 lo += w * 0x3d1;
36447 num.words[i] = lo & 0x3ffffff;
36448 lo = w * 0x40 + ((lo / 0x4000000) | 0);
36449 }
36450
36451 // Fast length reduction
36452 if (num.words[num.length - 1] === 0) {
36453 num.length--;
36454 if (num.words[num.length - 1] === 0) {
36455 num.length--;
36456 }
36457 }
36458 return num;
36459 };
36460
36461 function P224 () {
36462 MPrime.call(
36463 this,
36464 'p224',
36465 'ffffffff ffffffff ffffffff ffffffff 00000000 00000000 00000001');
36466 }
36467 inherits(P224, MPrime);
36468
36469 function P192 () {
36470 MPrime.call(
36471 this,
36472 'p192',
36473 'ffffffff ffffffff ffffffff fffffffe ffffffff ffffffff');
36474 }
36475 inherits(P192, MPrime);
36476
36477 function P25519 () {
36478 // 2 ^ 255 - 19
36479 MPrime.call(
36480 this,
36481 '25519',
36482 '7fffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffed');
36483 }
36484 inherits(P25519, MPrime);
36485
36486 P25519.prototype.imulK = function imulK (num) {
36487 // K = 0x13
36488 var carry = 0;
36489 for (var i = 0; i < num.length; i++) {
36490 var hi = (num.words[i] | 0) * 0x13 + carry;
36491 var lo = hi & 0x3ffffff;
36492 hi >>>= 26;
36493
36494 num.words[i] = lo;
36495 carry = hi;
36496 }
36497 if (carry !== 0) {
36498 num.words[num.length++] = carry;
36499 }
36500 return num;
36501 };
36502
36503 // Exported mostly for testing purposes, use plain name instead
36504 BN._prime = function prime (name) {
36505 // Cached version of prime
36506 if (primes[name]) return primes[name];
36507
36508 var prime;
36509 if (name === 'k256') {
36510 prime = new K256();
36511 } else if (name === 'p224') {
36512 prime = new P224();
36513 } else if (name === 'p192') {
36514 prime = new P192();
36515 } else if (name === 'p25519') {
36516 prime = new P25519();
36517 } else {
36518 throw new Error('Unknown prime ' + name);
36519 }
36520 primes[name] = prime;
36521
36522 return prime;
36523 };
36524
36525 //
36526 // Base reduction engine
36527 //
36528 function Red (m) {
36529 if (typeof m === 'string') {
36530 var prime = BN._prime(m);
36531 this.m = prime.p;
36532 this.prime = prime;
36533 } else {
36534 assert(m.gtn(1), 'modulus must be greater than 1');
36535 this.m = m;
36536 this.prime = null;
36537 }
36538 }
36539
36540 Red.prototype._verify1 = function _verify1 (a) {
36541 assert(a.negative === 0, 'red works only with positives');
36542 assert(a.red, 'red works only with red numbers');
36543 };
36544
36545 Red.prototype._verify2 = function _verify2 (a, b) {
36546 assert((a.negative | b.negative) === 0, 'red works only with positives');
36547 assert(a.red && a.red === b.red,
36548 'red works only with red numbers');
36549 };
36550
36551 Red.prototype.imod = function imod (a) {
36552 if (this.prime) return this.prime.ireduce(a)._forceRed(this);
36553 return a.umod(this.m)._forceRed(this);
36554 };
36555
36556 Red.prototype.neg = function neg (a) {
36557 if (a.isZero()) {
36558 return a.clone();
36559 }
36560
36561 return this.m.sub(a)._forceRed(this);
36562 };
36563
36564 Red.prototype.add = function add (a, b) {
36565 this._verify2(a, b);
36566
36567 var res = a.add(b);
36568 if (res.cmp(this.m) >= 0) {
36569 res.isub(this.m);
36570 }
36571 return res._forceRed(this);
36572 };
36573
36574 Red.prototype.iadd = function iadd (a, b) {
36575 this._verify2(a, b);
36576
36577 var res = a.iadd(b);
36578 if (res.cmp(this.m) >= 0) {
36579 res.isub(this.m);
36580 }
36581 return res;
36582 };
36583
36584 Red.prototype.sub = function sub (a, b) {
36585 this._verify2(a, b);
36586
36587 var res = a.sub(b);
36588 if (res.cmpn(0) < 0) {
36589 res.iadd(this.m);
36590 }
36591 return res._forceRed(this);
36592 };
36593
36594 Red.prototype.isub = function isub (a, b) {
36595 this._verify2(a, b);
36596
36597 var res = a.isub(b);
36598 if (res.cmpn(0) < 0) {
36599 res.iadd(this.m);
36600 }
36601 return res;
36602 };
36603
36604 Red.prototype.shl = function shl (a, num) {
36605 this._verify1(a);
36606 return this.imod(a.ushln(num));
36607 };
36608
36609 Red.prototype.imul = function imul (a, b) {
36610 this._verify2(a, b);
36611 return this.imod(a.imul(b));
36612 };
36613
36614 Red.prototype.mul = function mul (a, b) {
36615 this._verify2(a, b);
36616 return this.imod(a.mul(b));
36617 };
36618
36619 Red.prototype.isqr = function isqr (a) {
36620 return this.imul(a, a.clone());
36621 };
36622
36623 Red.prototype.sqr = function sqr (a) {
36624 return this.mul(a, a);
36625 };
36626
36627 Red.prototype.sqrt = function sqrt (a) {
36628 if (a.isZero()) return a.clone();
36629
36630 var mod3 = this.m.andln(3);
36631 assert(mod3 % 2 === 1);
36632
36633 // Fast case
36634 if (mod3 === 3) {
36635 var pow = this.m.add(new BN(1)).iushrn(2);
36636 return this.pow(a, pow);
36637 }
36638
36639 // Tonelli-Shanks algorithm (Totally unoptimized and slow)
36640 //
36641 // Find Q and S, that Q * 2 ^ S = (P - 1)
36642 var q = this.m.subn(1);
36643 var s = 0;
36644 while (!q.isZero() && q.andln(1) === 0) {
36645 s++;
36646 q.iushrn(1);
36647 }
36648 assert(!q.isZero());
36649
36650 var one = new BN(1).toRed(this);
36651 var nOne = one.redNeg();
36652
36653 // Find quadratic non-residue
36654 // NOTE: Max is such because of generalized Riemann hypothesis.
36655 var lpow = this.m.subn(1).iushrn(1);
36656 var z = this.m.bitLength();
36657 z = new BN(2 * z * z).toRed(this);
36658
36659 while (this.pow(z, lpow).cmp(nOne) !== 0) {
36660 z.redIAdd(nOne);
36661 }
36662
36663 var c = this.pow(z, q);
36664 var r = this.pow(a, q.addn(1).iushrn(1));
36665 var t = this.pow(a, q);
36666 var m = s;
36667 while (t.cmp(one) !== 0) {
36668 var tmp = t;
36669 for (var i = 0; tmp.cmp(one) !== 0; i++) {
36670 tmp = tmp.redSqr();
36671 }
36672 assert(i < m);
36673 var b = this.pow(c, new BN(1).iushln(m - i - 1));
36674
36675 r = r.redMul(b);
36676 c = b.redSqr();
36677 t = t.redMul(c);
36678 m = i;
36679 }
36680
36681 return r;
36682 };
36683
36684 Red.prototype.invm = function invm (a) {
36685 var inv = a._invmp(this.m);
36686 if (inv.negative !== 0) {
36687 inv.negative = 0;
36688 return this.imod(inv).redNeg();
36689 } else {
36690 return this.imod(inv);
36691 }
36692 };
36693
36694 Red.prototype.pow = function pow (a, num) {
36695 if (num.isZero()) return new BN(1).toRed(this);
36696 if (num.cmpn(1) === 0) return a.clone();
36697
36698 var windowSize = 4;
36699 var wnd = new Array(1 << windowSize);
36700 wnd[0] = new BN(1).toRed(this);
36701 wnd[1] = a;
36702 for (var i = 2; i < wnd.length; i++) {
36703 wnd[i] = this.mul(wnd[i - 1], a);
36704 }
36705
36706 var res = wnd[0];
36707 var current = 0;
36708 var currentLen = 0;
36709 var start = num.bitLength() % 26;
36710 if (start === 0) {
36711 start = 26;
36712 }
36713
36714 for (i = num.length - 1; i >= 0; i--) {
36715 var word = num.words[i];
36716 for (var j = start - 1; j >= 0; j--) {
36717 var bit = (word >> j) & 1;
36718 if (res !== wnd[0]) {
36719 res = this.sqr(res);
36720 }
36721
36722 if (bit === 0 && current === 0) {
36723 currentLen = 0;
36724 continue;
36725 }
36726
36727 current <<= 1;
36728 current |= bit;
36729 currentLen++;
36730 if (currentLen !== windowSize && (i !== 0 || j !== 0)) continue;
36731
36732 res = this.mul(res, wnd[current]);
36733 currentLen = 0;
36734 current = 0;
36735 }
36736 start = 26;
36737 }
36738
36739 return res;
36740 };
36741
36742 Red.prototype.convertTo = function convertTo (num) {
36743 var r = num.umod(this.m);
36744
36745 return r === num ? r.clone() : r;
36746 };
36747
36748 Red.prototype.convertFrom = function convertFrom (num) {
36749 var res = num.clone();
36750 res.red = null;
36751 return res;
36752 };
36753
36754 //
36755 // Montgomery method engine
36756 //
36757
36758 BN.mont = function mont (num) {
36759 return new Mont(num);
36760 };
36761
36762 function Mont (m) {
36763 Red.call(this, m);
36764
36765 this.shift = this.m.bitLength();
36766 if (this.shift % 26 !== 0) {
36767 this.shift += 26 - (this.shift % 26);
36768 }
36769
36770 this.r = new BN(1).iushln(this.shift);
36771 this.r2 = this.imod(this.r.sqr());
36772 this.rinv = this.r._invmp(this.m);
36773
36774 this.minv = this.rinv.mul(this.r).isubn(1).div(this.m);
36775 this.minv = this.minv.umod(this.r);
36776 this.minv = this.r.sub(this.minv);
36777 }
36778 inherits(Mont, Red);
36779
36780 Mont.prototype.convertTo = function convertTo (num) {
36781 return this.imod(num.ushln(this.shift));
36782 };
36783
36784 Mont.prototype.convertFrom = function convertFrom (num) {
36785 var r = this.imod(num.mul(this.rinv));
36786 r.red = null;
36787 return r;
36788 };
36789
36790 Mont.prototype.imul = function imul (a, b) {
36791 if (a.isZero() || b.isZero()) {
36792 a.words[0] = 0;
36793 a.length = 1;
36794 return a;
36795 }
36796
36797 var t = a.imul(b);
36798 var c = t.maskn(this.shift).mul(this.minv).imaskn(this.shift).mul(this.m);
36799 var u = t.isub(c).iushrn(this.shift);
36800 var res = u;
36801
36802 if (u.cmp(this.m) >= 0) {
36803 res = u.isub(this.m);
36804 } else if (u.cmpn(0) < 0) {
36805 res = u.iadd(this.m);
36806 }
36807
36808 return res._forceRed(this);
36809 };
36810
36811 Mont.prototype.mul = function mul (a, b) {
36812 if (a.isZero() || b.isZero()) return new BN(0)._forceRed(this);
36813
36814 var t = a.mul(b);
36815 var c = t.maskn(this.shift).mul(this.minv).imaskn(this.shift).mul(this.m);
36816 var u = t.isub(c).iushrn(this.shift);
36817 var res = u;
36818 if (u.cmp(this.m) >= 0) {
36819 res = u.isub(this.m);
36820 } else if (u.cmpn(0) < 0) {
36821 res = u.iadd(this.m);
36822 }
36823
36824 return res._forceRed(this);
36825 };
36826
36827 Mont.prototype.invm = function invm (a) {
36828 // (AR)^-1 * R^2 = (A^-1 * R^-1) * R^2 = A^-1 * R
36829 var res = this.imod(a._invmp(this.m).mul(this.r2));
36830 return res._forceRed(this);
36831 };
36832 })(module, commonjsGlobal);
36833 });
36834
36835 var bn$1 = /*#__PURE__*/Object.freeze({
36836 __proto__: null,
36837 'default': bn,
36838 __moduleExports: bn
36839 });
36840
36841 /**
36842 * @fileoverview
36843 * BigInteger implementation of basic operations
36844 * Wrapper of bn.js library (wwww.github.com/indutny/bn.js)
36845 * @module biginteger/bn
36846 * @private
36847 */
36848
36849 /**
36850 * @private
36851 */
36852 class BigInteger$1 {
36853 /**
36854 * Get a BigInteger (input must be big endian for strings and arrays)
36855 * @param {Number|String|Uint8Array} n - Value to convert
36856 * @throws {Error} on undefined input
36857 */
36858 constructor(n) {
36859 if (n === undefined) {
36860 throw new Error('Invalid BigInteger input');
36861 }
36862
36863 this.value = new bn(n);
36864 }
36865
36866 clone() {
36867 const clone = new BigInteger$1(null);
36868 this.value.copy(clone.value);
36869 return clone;
36870 }
36871
36872 /**
36873 * BigInteger increment in place
36874 */
36875 iinc() {
36876 this.value.iadd(new bn(1));
36877 return this;
36878 }
36879
36880 /**
36881 * BigInteger increment
36882 * @returns {BigInteger} this + 1.
36883 */
36884 inc() {
36885 return this.clone().iinc();
36886 }
36887
36888 /**
36889 * BigInteger decrement in place
36890 */
36891 idec() {
36892 this.value.isub(new bn(1));
36893 return this;
36894 }
36895
36896 /**
36897 * BigInteger decrement
36898 * @returns {BigInteger} this - 1.
36899 */
36900 dec() {
36901 return this.clone().idec();
36902 }
36903
36904
36905 /**
36906 * BigInteger addition in place
36907 * @param {BigInteger} x - Value to add
36908 */
36909 iadd(x) {
36910 this.value.iadd(x.value);
36911 return this;
36912 }
36913
36914 /**
36915 * BigInteger addition
36916 * @param {BigInteger} x - Value to add
36917 * @returns {BigInteger} this + x.
36918 */
36919 add(x) {
36920 return this.clone().iadd(x);
36921 }
36922
36923 /**
36924 * BigInteger subtraction in place
36925 * @param {BigInteger} x - Value to subtract
36926 */
36927 isub(x) {
36928 this.value.isub(x.value);
36929 return this;
36930 }
36931
36932 /**
36933 * BigInteger subtraction
36934 * @param {BigInteger} x - Value to subtract
36935 * @returns {BigInteger} this - x.
36936 */
36937 sub(x) {
36938 return this.clone().isub(x);
36939 }
36940
36941 /**
36942 * BigInteger multiplication in place
36943 * @param {BigInteger} x - Value to multiply
36944 */
36945 imul(x) {
36946 this.value.imul(x.value);
36947 return this;
36948 }
36949
36950 /**
36951 * BigInteger multiplication
36952 * @param {BigInteger} x - Value to multiply
36953 * @returns {BigInteger} this * x.
36954 */
36955 mul(x) {
36956 return this.clone().imul(x);
36957 }
36958
36959 /**
36960 * Compute value modulo m, in place
36961 * @param {BigInteger} m - Modulo
36962 */
36963 imod(m) {
36964 this.value = this.value.umod(m.value);
36965 return this;
36966 }
36967
36968 /**
36969 * Compute value modulo m
36970 * @param {BigInteger} m - Modulo
36971 * @returns {BigInteger} this mod m.
36972 */
36973 mod(m) {
36974 return this.clone().imod(m);
36975 }
36976
36977 /**
36978 * Compute modular exponentiation
36979 * Much faster than this.exp(e).mod(n)
36980 * @param {BigInteger} e - Exponent
36981 * @param {BigInteger} n - Modulo
36982 * @returns {BigInteger} this ** e mod n.
36983 */
36984 modExp(e, n) {
36985 // We use either Montgomery or normal reduction context
36986 // Montgomery requires coprime n and R (montogmery multiplier)
36987 // bn.js picks R as power of 2, so n must be odd
36988 const nred = n.isEven() ? bn.red(n.value) : bn.mont(n.value);
36989 const x = this.clone();
36990 x.value = x.value.toRed(nred).redPow(e.value).fromRed();
36991 return x;
36992 }
36993
36994 /**
36995 * Compute the inverse of this value modulo n
36996 * Note: this and and n must be relatively prime
36997 * @param {BigInteger} n - Modulo
36998 * @returns {BigInteger} x such that this*x = 1 mod n
36999 * @throws {Error} if the inverse does not exist
37000 */
37001 modInv(n) {
37002 // invm returns a wrong result if the inverse does not exist
37003 if (!this.gcd(n).isOne()) {
37004 throw new Error('Inverse does not exist');
37005 }
37006 return new BigInteger$1(this.value.invm(n.value));
37007 }
37008
37009 /**
37010 * Compute greatest common divisor between this and n
37011 * @param {BigInteger} n - Operand
37012 * @returns {BigInteger} gcd
37013 */
37014 gcd(n) {
37015 return new BigInteger$1(this.value.gcd(n.value));
37016 }
37017
37018 /**
37019 * Shift this to the left by x, in place
37020 * @param {BigInteger} x - Shift value
37021 */
37022 ileftShift(x) {
37023 this.value.ishln(x.value.toNumber());
37024 return this;
37025 }
37026
37027 /**
37028 * Shift this to the left by x
37029 * @param {BigInteger} x - Shift value
37030 * @returns {BigInteger} this << x.
37031 */
37032 leftShift(x) {
37033 return this.clone().ileftShift(x);
37034 }
37035
37036 /**
37037 * Shift this to the right by x, in place
37038 * @param {BigInteger} x - Shift value
37039 */
37040 irightShift(x) {
37041 this.value.ishrn(x.value.toNumber());
37042 return this;
37043 }
37044
37045 /**
37046 * Shift this to the right by x
37047 * @param {BigInteger} x - Shift value
37048 * @returns {BigInteger} this >> x.
37049 */
37050 rightShift(x) {
37051 return this.clone().irightShift(x);
37052 }
37053
37054 /**
37055 * Whether this value is equal to x
37056 * @param {BigInteger} x
37057 * @returns {Boolean}
37058 */
37059 equal(x) {
37060 return this.value.eq(x.value);
37061 }
37062
37063 /**
37064 * Whether this value is less than x
37065 * @param {BigInteger} x
37066 * @returns {Boolean}
37067 */
37068 lt(x) {
37069 return this.value.lt(x.value);
37070 }
37071
37072 /**
37073 * Whether this value is less than or equal to x
37074 * @param {BigInteger} x
37075 * @returns {Boolean}
37076 */
37077 lte(x) {
37078 return this.value.lte(x.value);
37079 }
37080
37081 /**
37082 * Whether this value is greater than x
37083 * @param {BigInteger} x
37084 * @returns {Boolean}
37085 */
37086 gt(x) {
37087 return this.value.gt(x.value);
37088 }
37089
37090 /**
37091 * Whether this value is greater than or equal to x
37092 * @param {BigInteger} x
37093 * @returns {Boolean}
37094 */
37095 gte(x) {
37096 return this.value.gte(x.value);
37097 }
37098
37099 isZero() {
37100 return this.value.isZero();
37101 }
37102
37103 isOne() {
37104 return this.value.eq(new bn(1));
37105 }
37106
37107 isNegative() {
37108 return this.value.isNeg();
37109 }
37110
37111 isEven() {
37112 return this.value.isEven();
37113 }
37114
37115 abs() {
37116 const res = this.clone();
37117 res.value = res.value.abs();
37118 return res;
37119 }
37120
37121 /**
37122 * Get this value as a string
37123 * @returns {String} this value.
37124 */
37125 toString() {
37126 return this.value.toString();
37127 }
37128
37129 /**
37130 * Get this value as an exact Number (max 53 bits)
37131 * Fails if this value is too large
37132 * @returns {Number}
37133 */
37134 toNumber() {
37135 return this.value.toNumber();
37136 }
37137
37138 /**
37139 * Get value of i-th bit
37140 * @param {Number} i - Bit index
37141 * @returns {Number} Bit value.
37142 */
37143 getBit(i) {
37144 return this.value.testn(i) ? 1 : 0;
37145 }
37146
37147 /**
37148 * Compute bit length
37149 * @returns {Number} Bit length.
37150 */
37151 bitLength() {
37152 return this.value.bitLength();
37153 }
37154
37155 /**
37156 * Compute byte length
37157 * @returns {Number} Byte length.
37158 */
37159 byteLength() {
37160 return this.value.byteLength();
37161 }
37162
37163 /**
37164 * Get Uint8Array representation of this number
37165 * @param {String} endian - Endianess of output array (defaults to 'be')
37166 * @param {Number} length - Of output array
37167 * @returns {Uint8Array}
37168 */
37169 toUint8Array(endian = 'be', length) {
37170 return this.value.toArrayLike(Uint8Array, endian, length);
37171 }
37172 }
37173
37174 var bn_interface = /*#__PURE__*/Object.freeze({
37175 __proto__: null,
37176 'default': BigInteger$1
37177 });
37178
37179 var utils_1 = createCommonjsModule(function (module, exports) {
37180
37181 var utils = exports;
37182
37183 function toArray(msg, enc) {
37184 if (Array.isArray(msg))
37185 return msg.slice();
37186 if (!msg)
37187 return [];
37188 var res = [];
37189 if (typeof msg !== 'string') {
37190 for (var i = 0; i < msg.length; i++)
37191 res[i] = msg[i] | 0;
37192 return res;
37193 }
37194 if (enc === 'hex') {
37195 msg = msg.replace(/[^a-z0-9]+/ig, '');
37196 if (msg.length % 2 !== 0)
37197 msg = '0' + msg;
37198 for (var i = 0; i < msg.length; i += 2)
37199 res.push(parseInt(msg[i] + msg[i + 1], 16));
37200 } else {
37201 for (var i = 0; i < msg.length; i++) {
37202 var c = msg.charCodeAt(i);
37203 var hi = c >> 8;
37204 var lo = c & 0xff;
37205 if (hi)
37206 res.push(hi, lo);
37207 else
37208 res.push(lo);
37209 }
37210 }
37211 return res;
37212 }
37213 utils.toArray = toArray;
37214
37215 function zero2(word) {
37216 if (word.length === 1)
37217 return '0' + word;
37218 else
37219 return word;
37220 }
37221 utils.zero2 = zero2;
37222
37223 function toHex(msg) {
37224 var res = '';
37225 for (var i = 0; i < msg.length; i++)
37226 res += zero2(msg[i].toString(16));
37227 return res;
37228 }
37229 utils.toHex = toHex;
37230
37231 utils.encode = function encode(arr, enc) {
37232 if (enc === 'hex')
37233 return toHex(arr);
37234 else
37235 return arr;
37236 };
37237 });
37238
37239 var utils_1$1 = createCommonjsModule(function (module, exports) {
37240
37241 var utils = exports;
37242
37243
37244
37245
37246 utils.assert = minimalisticAssert;
37247 utils.toArray = utils_1.toArray;
37248 utils.zero2 = utils_1.zero2;
37249 utils.toHex = utils_1.toHex;
37250 utils.encode = utils_1.encode;
37251
37252 // Represent num in a w-NAF form
37253 function getNAF(num, w) {
37254 var naf = [];
37255 var ws = 1 << (w + 1);
37256 var k = num.clone();
37257 while (k.cmpn(1) >= 0) {
37258 var z;
37259 if (k.isOdd()) {
37260 var mod = k.andln(ws - 1);
37261 if (mod > (ws >> 1) - 1)
37262 z = (ws >> 1) - mod;
37263 else
37264 z = mod;
37265 k.isubn(z);
37266 } else {
37267 z = 0;
37268 }
37269 naf.push(z);
37270
37271 // Optimization, shift by word if possible
37272 var shift = (k.cmpn(0) !== 0 && k.andln(ws - 1) === 0) ? (w + 1) : 1;
37273 for (var i = 1; i < shift; i++)
37274 naf.push(0);
37275 k.iushrn(shift);
37276 }
37277
37278 return naf;
37279 }
37280 utils.getNAF = getNAF;
37281
37282 // Represent k1, k2 in a Joint Sparse Form
37283 function getJSF(k1, k2) {
37284 var jsf = [
37285 [],
37286 []
37287 ];
37288
37289 k1 = k1.clone();
37290 k2 = k2.clone();
37291 var d1 = 0;
37292 var d2 = 0;
37293 while (k1.cmpn(-d1) > 0 || k2.cmpn(-d2) > 0) {
37294
37295 // First phase
37296 var m14 = (k1.andln(3) + d1) & 3;
37297 var m24 = (k2.andln(3) + d2) & 3;
37298 if (m14 === 3)
37299 m14 = -1;
37300 if (m24 === 3)
37301 m24 = -1;
37302 var u1;
37303 if ((m14 & 1) === 0) {
37304 u1 = 0;
37305 } else {
37306 var m8 = (k1.andln(7) + d1) & 7;
37307 if ((m8 === 3 || m8 === 5) && m24 === 2)
37308 u1 = -m14;
37309 else
37310 u1 = m14;
37311 }
37312 jsf[0].push(u1);
37313
37314 var u2;
37315 if ((m24 & 1) === 0) {
37316 u2 = 0;
37317 } else {
37318 var m8 = (k2.andln(7) + d2) & 7;
37319 if ((m8 === 3 || m8 === 5) && m14 === 2)
37320 u2 = -m24;
37321 else
37322 u2 = m24;
37323 }
37324 jsf[1].push(u2);
37325
37326 // Second phase
37327 if (2 * d1 === u1 + 1)
37328 d1 = 1 - d1;
37329 if (2 * d2 === u2 + 1)
37330 d2 = 1 - d2;
37331 k1.iushrn(1);
37332 k2.iushrn(1);
37333 }
37334
37335 return jsf;
37336 }
37337 utils.getJSF = getJSF;
37338
37339 function cachedProperty(obj, name, computer) {
37340 var key = '_' + name;
37341 obj.prototype[name] = function cachedProperty() {
37342 return this[key] !== undefined ? this[key] :
37343 this[key] = computer.call(this);
37344 };
37345 }
37346 utils.cachedProperty = cachedProperty;
37347
37348 function parseBytes(bytes) {
37349 return typeof bytes === 'string' ? utils.toArray(bytes, 'hex') :
37350 bytes;
37351 }
37352 utils.parseBytes = parseBytes;
37353
37354 function intFromLE(bytes) {
37355 return new bn(bytes, 'hex', 'le');
37356 }
37357 utils.intFromLE = intFromLE;
37358 });
37359
37360 var r$1;
37361
37362 var brorand = function rand(len) {
37363 if (!r$1)
37364 r$1 = new Rand(null);
37365
37366 return r$1.generate(len);
37367 };
37368
37369 function Rand(rand) {
37370 this.rand = rand;
37371 }
37372 var Rand_1 = Rand;
37373
37374 Rand.prototype.generate = function generate(len) {
37375 return this._rand(len);
37376 };
37377
37378 // Emulate crypto API using randy
37379 Rand.prototype._rand = function _rand(n) {
37380 if (this.rand.getBytes)
37381 return this.rand.getBytes(n);
37382
37383 var res = new Uint8Array(n);
37384 for (var i = 0; i < res.length; i++)
37385 res[i] = this.rand.getByte();
37386 return res;
37387 };
37388
37389 if (typeof self === 'object') {
37390 if (self.crypto && self.crypto.getRandomValues) {
37391 // Modern browsers
37392 Rand.prototype._rand = function _rand(n) {
37393 var arr = new Uint8Array(n);
37394 self.crypto.getRandomValues(arr);
37395 return arr;
37396 };
37397 } else if (self.msCrypto && self.msCrypto.getRandomValues) {
37398 // IE
37399 Rand.prototype._rand = function _rand(n) {
37400 var arr = new Uint8Array(n);
37401 self.msCrypto.getRandomValues(arr);
37402 return arr;
37403 };
37404
37405 // Safari's WebWorkers do not have `crypto`
37406 } else if (typeof window === 'object') {
37407 // Old junk
37408 Rand.prototype._rand = function() {
37409 throw new Error('Not implemented yet');
37410 };
37411 }
37412 } else {
37413 // Node.js or Web worker with no crypto support
37414 try {
37415 var crypto$2 = void('crypto');
37416 if (typeof crypto$2.randomBytes !== 'function')
37417 throw new Error('Not supported');
37418
37419 Rand.prototype._rand = function _rand(n) {
37420 return crypto$2.randomBytes(n);
37421 };
37422 } catch (e) {
37423 }
37424 }
37425 brorand.Rand = Rand_1;
37426
37427 var getNAF = utils_1$1.getNAF;
37428 var getJSF = utils_1$1.getJSF;
37429 var assert$2 = utils_1$1.assert;
37430
37431 function BaseCurve(type, conf) {
37432 this.type = type;
37433 this.p = new bn(conf.p, 16);
37434
37435 // Use Montgomery, when there is no fast reduction for the prime
37436 this.red = conf.prime ? bn.red(conf.prime) : bn.mont(this.p);
37437
37438 // Useful for many curves
37439 this.zero = new bn(0).toRed(this.red);
37440 this.one = new bn(1).toRed(this.red);
37441 this.two = new bn(2).toRed(this.red);
37442
37443 // Curve configuration, optional
37444 this.n = conf.n && new bn(conf.n, 16);
37445 this.g = conf.g && this.pointFromJSON(conf.g, conf.gRed);
37446
37447 // Temporary arrays
37448 this._wnafT1 = new Array(4);
37449 this._wnafT2 = new Array(4);
37450 this._wnafT3 = new Array(4);
37451 this._wnafT4 = new Array(4);
37452
37453 // Generalized Greg Maxwell's trick
37454 var adjustCount = this.n && this.p.div(this.n);
37455 if (!adjustCount || adjustCount.cmpn(100) > 0) {
37456 this.redN = null;
37457 } else {
37458 this._maxwellTrick = true;
37459 this.redN = this.n.toRed(this.red);
37460 }
37461 }
37462 var base = BaseCurve;
37463
37464 BaseCurve.prototype.point = function point() {
37465 throw new Error('Not implemented');
37466 };
37467
37468 BaseCurve.prototype.validate = function validate() {
37469 throw new Error('Not implemented');
37470 };
37471
37472 BaseCurve.prototype._fixedNafMul = function _fixedNafMul(p, k) {
37473 assert$2(p.precomputed);
37474 var doubles = p._getDoubles();
37475
37476 var naf = getNAF(k, 1);
37477 var I = (1 << (doubles.step + 1)) - (doubles.step % 2 === 0 ? 2 : 1);
37478 I /= 3;
37479
37480 // Translate into more windowed form
37481 var repr = [];
37482 for (var j = 0; j < naf.length; j += doubles.step) {
37483 var nafW = 0;
37484 for (var k = j + doubles.step - 1; k >= j; k--)
37485 nafW = (nafW << 1) + naf[k];
37486 repr.push(nafW);
37487 }
37488
37489 var a = this.jpoint(null, null, null);
37490 var b = this.jpoint(null, null, null);
37491 for (var i = I; i > 0; i--) {
37492 for (var j = 0; j < repr.length; j++) {
37493 var nafW = repr[j];
37494 if (nafW === i)
37495 b = b.mixedAdd(doubles.points[j]);
37496 else if (nafW === -i)
37497 b = b.mixedAdd(doubles.points[j].neg());
37498 }
37499 a = a.add(b);
37500 }
37501 return a.toP();
37502 };
37503
37504 BaseCurve.prototype._wnafMul = function _wnafMul(p, k) {
37505 var w = 4;
37506
37507 // Precompute window
37508 var nafPoints = p._getNAFPoints(w);
37509 w = nafPoints.wnd;
37510 var wnd = nafPoints.points;
37511
37512 // Get NAF form
37513 var naf = getNAF(k, w);
37514
37515 // Add `this`*(N+1) for every w-NAF index
37516 var acc = this.jpoint(null, null, null);
37517 for (var i = naf.length - 1; i >= 0; i--) {
37518 // Count zeroes
37519 for (var k = 0; i >= 0 && naf[i] === 0; i--)
37520 k++;
37521 if (i >= 0)
37522 k++;
37523 acc = acc.dblp(k);
37524
37525 if (i < 0)
37526 break;
37527 var z = naf[i];
37528 assert$2(z !== 0);
37529 if (p.type === 'affine') {
37530 // J +- P
37531 if (z > 0)
37532 acc = acc.mixedAdd(wnd[(z - 1) >> 1]);
37533 else
37534 acc = acc.mixedAdd(wnd[(-z - 1) >> 1].neg());
37535 } else {
37536 // J +- J
37537 if (z > 0)
37538 acc = acc.add(wnd[(z - 1) >> 1]);
37539 else
37540 acc = acc.add(wnd[(-z - 1) >> 1].neg());
37541 }
37542 }
37543 return p.type === 'affine' ? acc.toP() : acc;
37544 };
37545
37546 BaseCurve.prototype._wnafMulAdd = function _wnafMulAdd(defW,
37547 points,
37548 coeffs,
37549 len,
37550 jacobianResult) {
37551 var wndWidth = this._wnafT1;
37552 var wnd = this._wnafT2;
37553 var naf = this._wnafT3;
37554
37555 // Fill all arrays
37556 var max = 0;
37557 for (var i = 0; i < len; i++) {
37558 var p = points[i];
37559 var nafPoints = p._getNAFPoints(defW);
37560 wndWidth[i] = nafPoints.wnd;
37561 wnd[i] = nafPoints.points;
37562 }
37563
37564 // Comb small window NAFs
37565 for (var i = len - 1; i >= 1; i -= 2) {
37566 var a = i - 1;
37567 var b = i;
37568 if (wndWidth[a] !== 1 || wndWidth[b] !== 1) {
37569 naf[a] = getNAF(coeffs[a], wndWidth[a]);
37570 naf[b] = getNAF(coeffs[b], wndWidth[b]);
37571 max = Math.max(naf[a].length, max);
37572 max = Math.max(naf[b].length, max);
37573 continue;
37574 }
37575
37576 var comb = [
37577 points[a], /* 1 */
37578 null, /* 3 */
37579 null, /* 5 */
37580 points[b] /* 7 */
37581 ];
37582
37583 // Try to avoid Projective points, if possible
37584 if (points[a].y.cmp(points[b].y) === 0) {
37585 comb[1] = points[a].add(points[b]);
37586 comb[2] = points[a].toJ().mixedAdd(points[b].neg());
37587 } else if (points[a].y.cmp(points[b].y.redNeg()) === 0) {
37588 comb[1] = points[a].toJ().mixedAdd(points[b]);
37589 comb[2] = points[a].add(points[b].neg());
37590 } else {
37591 comb[1] = points[a].toJ().mixedAdd(points[b]);
37592 comb[2] = points[a].toJ().mixedAdd(points[b].neg());
37593 }
37594
37595 var index = [
37596 -3, /* -1 -1 */
37597 -1, /* -1 0 */
37598 -5, /* -1 1 */
37599 -7, /* 0 -1 */
37600 0, /* 0 0 */
37601 7, /* 0 1 */
37602 5, /* 1 -1 */
37603 1, /* 1 0 */
37604 3 /* 1 1 */
37605 ];
37606
37607 var jsf = getJSF(coeffs[a], coeffs[b]);
37608 max = Math.max(jsf[0].length, max);
37609 naf[a] = new Array(max);
37610 naf[b] = new Array(max);
37611 for (var j = 0; j < max; j++) {
37612 var ja = jsf[0][j] | 0;
37613 var jb = jsf[1][j] | 0;
37614
37615 naf[a][j] = index[(ja + 1) * 3 + (jb + 1)];
37616 naf[b][j] = 0;
37617 wnd[a] = comb;
37618 }
37619 }
37620
37621 var acc = this.jpoint(null, null, null);
37622 var tmp = this._wnafT4;
37623 for (var i = max; i >= 0; i--) {
37624 var k = 0;
37625
37626 while (i >= 0) {
37627 var zero = true;
37628 for (var j = 0; j < len; j++) {
37629 tmp[j] = naf[j][i] | 0;
37630 if (tmp[j] !== 0)
37631 zero = false;
37632 }
37633 if (!zero)
37634 break;
37635 k++;
37636 i--;
37637 }
37638 if (i >= 0)
37639 k++;
37640 acc = acc.dblp(k);
37641 if (i < 0)
37642 break;
37643
37644 for (var j = 0; j < len; j++) {
37645 var z = tmp[j];
37646 var p;
37647 if (z === 0)
37648 continue;
37649 else if (z > 0)
37650 p = wnd[j][(z - 1) >> 1];
37651 else if (z < 0)
37652 p = wnd[j][(-z - 1) >> 1].neg();
37653
37654 if (p.type === 'affine')
37655 acc = acc.mixedAdd(p);
37656 else
37657 acc = acc.add(p);
37658 }
37659 }
37660 // Zeroify references
37661 for (var i = 0; i < len; i++)
37662 wnd[i] = null;
37663
37664 if (jacobianResult)
37665 return acc;
37666 else
37667 return acc.toP();
37668 };
37669
37670 function BasePoint(curve, type) {
37671 this.curve = curve;
37672 this.type = type;
37673 this.precomputed = null;
37674 }
37675 BaseCurve.BasePoint = BasePoint;
37676
37677 BasePoint.prototype.eq = function eq(/*other*/) {
37678 throw new Error('Not implemented');
37679 };
37680
37681 BasePoint.prototype.validate = function validate() {
37682 return this.curve.validate(this);
37683 };
37684
37685 BaseCurve.prototype.decodePoint = function decodePoint(bytes, enc) {
37686 bytes = utils_1$1.toArray(bytes, enc);
37687
37688 var len = this.p.byteLength();
37689
37690 // uncompressed, hybrid-odd, hybrid-even
37691 if ((bytes[0] === 0x04 || bytes[0] === 0x06 || bytes[0] === 0x07) &&
37692 bytes.length - 1 === 2 * len) {
37693 if (bytes[0] === 0x06)
37694 assert$2(bytes[bytes.length - 1] % 2 === 0);
37695 else if (bytes[0] === 0x07)
37696 assert$2(bytes[bytes.length - 1] % 2 === 1);
37697
37698 var res = this.point(bytes.slice(1, 1 + len),
37699 bytes.slice(1 + len, 1 + 2 * len));
37700
37701 return res;
37702 } else if ((bytes[0] === 0x02 || bytes[0] === 0x03) &&
37703 bytes.length - 1 === len) {
37704 return this.pointFromX(bytes.slice(1, 1 + len), bytes[0] === 0x03);
37705 }
37706 throw new Error('Unknown point format');
37707 };
37708
37709 BasePoint.prototype.encodeCompressed = function encodeCompressed(enc) {
37710 return this.encode(enc, true);
37711 };
37712
37713 BasePoint.prototype._encode = function _encode(compact) {
37714 var len = this.curve.p.byteLength();
37715 var x = this.getX().toArray('be', len);
37716
37717 if (compact)
37718 return [ this.getY().isEven() ? 0x02 : 0x03 ].concat(x);
37719
37720 return [ 0x04 ].concat(x, this.getY().toArray('be', len)) ;
37721 };
37722
37723 BasePoint.prototype.encode = function encode(enc, compact) {
37724 return utils_1$1.encode(this._encode(compact), enc);
37725 };
37726
37727 BasePoint.prototype.precompute = function precompute(power) {
37728 if (this.precomputed)
37729 return this;
37730
37731 var precomputed = {
37732 doubles: null,
37733 naf: null,
37734 beta: null
37735 };
37736 precomputed.naf = this._getNAFPoints(8);
37737 precomputed.doubles = this._getDoubles(4, power);
37738 precomputed.beta = this._getBeta();
37739 this.precomputed = precomputed;
37740
37741 return this;
37742 };
37743
37744 BasePoint.prototype._hasDoubles = function _hasDoubles(k) {
37745 if (!this.precomputed)
37746 return false;
37747
37748 var doubles = this.precomputed.doubles;
37749 if (!doubles)
37750 return false;
37751
37752 return doubles.points.length >= Math.ceil((k.bitLength() + 1) / doubles.step);
37753 };
37754
37755 BasePoint.prototype._getDoubles = function _getDoubles(step, power) {
37756 if (this.precomputed && this.precomputed.doubles)
37757 return this.precomputed.doubles;
37758
37759 var doubles = [ this ];
37760 var acc = this;
37761 for (var i = 0; i < power; i += step) {
37762 for (var j = 0; j < step; j++)
37763 acc = acc.dbl();
37764 doubles.push(acc);
37765 }
37766 return {
37767 step: step,
37768 points: doubles
37769 };
37770 };
37771
37772 BasePoint.prototype._getNAFPoints = function _getNAFPoints(wnd) {
37773 if (this.precomputed && this.precomputed.naf)
37774 return this.precomputed.naf;
37775
37776 var res = [ this ];
37777 var max = (1 << wnd) - 1;
37778 var dbl = max === 1 ? null : this.dbl();
37779 for (var i = 1; i < max; i++)
37780 res[i] = res[i - 1].add(dbl);
37781 return {
37782 wnd: wnd,
37783 points: res
37784 };
37785 };
37786
37787 BasePoint.prototype._getBeta = function _getBeta() {
37788 return null;
37789 };
37790
37791 BasePoint.prototype.dblp = function dblp(k) {
37792 var r = this;
37793 for (var i = 0; i < k; i++)
37794 r = r.dbl();
37795 return r;
37796 };
37797
37798 var assert$3 = utils_1$1.assert;
37799
37800 function ShortCurve(conf) {
37801 base.call(this, 'short', conf);
37802
37803 this.a = new bn(conf.a, 16).toRed(this.red);
37804 this.b = new bn(conf.b, 16).toRed(this.red);
37805 this.tinv = this.two.redInvm();
37806
37807 this.zeroA = this.a.fromRed().cmpn(0) === 0;
37808 this.threeA = this.a.fromRed().sub(this.p).cmpn(-3) === 0;
37809
37810 // If the curve is endomorphic, precalculate beta and lambda
37811 this.endo = this._getEndomorphism(conf);
37812 this._endoWnafT1 = new Array(4);
37813 this._endoWnafT2 = new Array(4);
37814 }
37815 inherits_browser(ShortCurve, base);
37816 var short_1 = ShortCurve;
37817
37818 ShortCurve.prototype._getEndomorphism = function _getEndomorphism(conf) {
37819 // No efficient endomorphism
37820 if (!this.zeroA || !this.g || !this.n || this.p.modn(3) !== 1)
37821 return;
37822
37823 // Compute beta and lambda, that lambda * P = (beta * Px; Py)
37824 var beta;
37825 var lambda;
37826 if (conf.beta) {
37827 beta = new bn(conf.beta, 16).toRed(this.red);
37828 } else {
37829 var betas = this._getEndoRoots(this.p);
37830 // Choose the smallest beta
37831 beta = betas[0].cmp(betas[1]) < 0 ? betas[0] : betas[1];
37832 beta = beta.toRed(this.red);
37833 }
37834 if (conf.lambda) {
37835 lambda = new bn(conf.lambda, 16);
37836 } else {
37837 // Choose the lambda that is matching selected beta
37838 var lambdas = this._getEndoRoots(this.n);
37839 if (this.g.mul(lambdas[0]).x.cmp(this.g.x.redMul(beta)) === 0) {
37840 lambda = lambdas[0];
37841 } else {
37842 lambda = lambdas[1];
37843 assert$3(this.g.mul(lambda).x.cmp(this.g.x.redMul(beta)) === 0);
37844 }
37845 }
37846
37847 // Get basis vectors, used for balanced length-two representation
37848 var basis;
37849 if (conf.basis) {
37850 basis = conf.basis.map(function(vec) {
37851 return {
37852 a: new bn(vec.a, 16),
37853 b: new bn(vec.b, 16)
37854 };
37855 });
37856 } else {
37857 basis = this._getEndoBasis(lambda);
37858 }
37859
37860 return {
37861 beta: beta,
37862 lambda: lambda,
37863 basis: basis
37864 };
37865 };
37866
37867 ShortCurve.prototype._getEndoRoots = function _getEndoRoots(num) {
37868 // Find roots of for x^2 + x + 1 in F
37869 // Root = (-1 +- Sqrt(-3)) / 2
37870 //
37871 var red = num === this.p ? this.red : bn.mont(num);
37872 var tinv = new bn(2).toRed(red).redInvm();
37873 var ntinv = tinv.redNeg();
37874
37875 var s = new bn(3).toRed(red).redNeg().redSqrt().redMul(tinv);
37876
37877 var l1 = ntinv.redAdd(s).fromRed();
37878 var l2 = ntinv.redSub(s).fromRed();
37879 return [ l1, l2 ];
37880 };
37881
37882 ShortCurve.prototype._getEndoBasis = function _getEndoBasis(lambda) {
37883 // aprxSqrt >= sqrt(this.n)
37884 var aprxSqrt = this.n.ushrn(Math.floor(this.n.bitLength() / 2));
37885
37886 // 3.74
37887 // Run EGCD, until r(L + 1) < aprxSqrt
37888 var u = lambda;
37889 var v = this.n.clone();
37890 var x1 = new bn(1);
37891 var y1 = new bn(0);
37892 var x2 = new bn(0);
37893 var y2 = new bn(1);
37894
37895 // NOTE: all vectors are roots of: a + b * lambda = 0 (mod n)
37896 var a0;
37897 var b0;
37898 // First vector
37899 var a1;
37900 var b1;
37901 // Second vector
37902 var a2;
37903 var b2;
37904
37905 var prevR;
37906 var i = 0;
37907 var r;
37908 var x;
37909 while (u.cmpn(0) !== 0) {
37910 var q = v.div(u);
37911 r = v.sub(q.mul(u));
37912 x = x2.sub(q.mul(x1));
37913 var y = y2.sub(q.mul(y1));
37914
37915 if (!a1 && r.cmp(aprxSqrt) < 0) {
37916 a0 = prevR.neg();
37917 b0 = x1;
37918 a1 = r.neg();
37919 b1 = x;
37920 } else if (a1 && ++i === 2) {
37921 break;
37922 }
37923 prevR = r;
37924
37925 v = u;
37926 u = r;
37927 x2 = x1;
37928 x1 = x;
37929 y2 = y1;
37930 y1 = y;
37931 }
37932 a2 = r.neg();
37933 b2 = x;
37934
37935 var len1 = a1.sqr().add(b1.sqr());
37936 var len2 = a2.sqr().add(b2.sqr());
37937 if (len2.cmp(len1) >= 0) {
37938 a2 = a0;
37939 b2 = b0;
37940 }
37941
37942 // Normalize signs
37943 if (a1.negative) {
37944 a1 = a1.neg();
37945 b1 = b1.neg();
37946 }
37947 if (a2.negative) {
37948 a2 = a2.neg();
37949 b2 = b2.neg();
37950 }
37951
37952 return [
37953 { a: a1, b: b1 },
37954 { a: a2, b: b2 }
37955 ];
37956 };
37957
37958 ShortCurve.prototype._endoSplit = function _endoSplit(k) {
37959 var basis = this.endo.basis;
37960 var v1 = basis[0];
37961 var v2 = basis[1];
37962
37963 var c1 = v2.b.mul(k).divRound(this.n);
37964 var c2 = v1.b.neg().mul(k).divRound(this.n);
37965
37966 var p1 = c1.mul(v1.a);
37967 var p2 = c2.mul(v2.a);
37968 var q1 = c1.mul(v1.b);
37969 var q2 = c2.mul(v2.b);
37970
37971 // Calculate answer
37972 var k1 = k.sub(p1).sub(p2);
37973 var k2 = q1.add(q2).neg();
37974 return { k1: k1, k2: k2 };
37975 };
37976
37977 ShortCurve.prototype.pointFromX = function pointFromX(x, odd) {
37978 x = new bn(x, 16);
37979 if (!x.red)
37980 x = x.toRed(this.red);
37981
37982 var y2 = x.redSqr().redMul(x).redIAdd(x.redMul(this.a)).redIAdd(this.b);
37983 var y = y2.redSqrt();
37984 if (y.redSqr().redSub(y2).cmp(this.zero) !== 0)
37985 throw new Error('invalid point');
37986
37987 // XXX Is there any way to tell if the number is odd without converting it
37988 // to non-red form?
37989 var isOdd = y.fromRed().isOdd();
37990 if (odd && !isOdd || !odd && isOdd)
37991 y = y.redNeg();
37992
37993 return this.point(x, y);
37994 };
37995
37996 ShortCurve.prototype.validate = function validate(point) {
37997 if (point.inf)
37998 return true;
37999
38000 var x = point.x;
38001 var y = point.y;
38002
38003 var ax = this.a.redMul(x);
38004 var rhs = x.redSqr().redMul(x).redIAdd(ax).redIAdd(this.b);
38005 return y.redSqr().redISub(rhs).cmpn(0) === 0;
38006 };
38007
38008 ShortCurve.prototype._endoWnafMulAdd =
38009 function _endoWnafMulAdd(points, coeffs, jacobianResult) {
38010 var npoints = this._endoWnafT1;
38011 var ncoeffs = this._endoWnafT2;
38012 for (var i = 0; i < points.length; i++) {
38013 var split = this._endoSplit(coeffs[i]);
38014 var p = points[i];
38015 var beta = p._getBeta();
38016
38017 if (split.k1.negative) {
38018 split.k1.ineg();
38019 p = p.neg(true);
38020 }
38021 if (split.k2.negative) {
38022 split.k2.ineg();
38023 beta = beta.neg(true);
38024 }
38025
38026 npoints[i * 2] = p;
38027 npoints[i * 2 + 1] = beta;
38028 ncoeffs[i * 2] = split.k1;
38029 ncoeffs[i * 2 + 1] = split.k2;
38030 }
38031 var res = this._wnafMulAdd(1, npoints, ncoeffs, i * 2, jacobianResult);
38032
38033 // Clean-up references to points and coefficients
38034 for (var j = 0; j < i * 2; j++) {
38035 npoints[j] = null;
38036 ncoeffs[j] = null;
38037 }
38038 return res;
38039 };
38040
38041 function Point(curve, x, y, isRed) {
38042 base.BasePoint.call(this, curve, 'affine');
38043 if (x === null && y === null) {
38044 this.x = null;
38045 this.y = null;
38046 this.inf = true;
38047 } else {
38048 this.x = new bn(x, 16);
38049 this.y = new bn(y, 16);
38050 // Force redgomery representation when loading from JSON
38051 if (isRed) {
38052 this.x.forceRed(this.curve.red);
38053 this.y.forceRed(this.curve.red);
38054 }
38055 if (!this.x.red)
38056 this.x = this.x.toRed(this.curve.red);
38057 if (!this.y.red)
38058 this.y = this.y.toRed(this.curve.red);
38059 this.inf = false;
38060 }
38061 }
38062 inherits_browser(Point, base.BasePoint);
38063
38064 ShortCurve.prototype.point = function point(x, y, isRed) {
38065 return new Point(this, x, y, isRed);
38066 };
38067
38068 ShortCurve.prototype.pointFromJSON = function pointFromJSON(obj, red) {
38069 return Point.fromJSON(this, obj, red);
38070 };
38071
38072 Point.prototype._getBeta = function _getBeta() {
38073 if (!this.curve.endo)
38074 return;
38075
38076 var pre = this.precomputed;
38077 if (pre && pre.beta)
38078 return pre.beta;
38079
38080 var beta = this.curve.point(this.x.redMul(this.curve.endo.beta), this.y);
38081 if (pre) {
38082 var curve = this.curve;
38083 var endoMul = function(p) {
38084 return curve.point(p.x.redMul(curve.endo.beta), p.y);
38085 };
38086 pre.beta = beta;
38087 beta.precomputed = {
38088 beta: null,
38089 naf: pre.naf && {
38090 wnd: pre.naf.wnd,
38091 points: pre.naf.points.map(endoMul)
38092 },
38093 doubles: pre.doubles && {
38094 step: pre.doubles.step,
38095 points: pre.doubles.points.map(endoMul)
38096 }
38097 };
38098 }
38099 return beta;
38100 };
38101
38102 Point.prototype.toJSON = function toJSON() {
38103 if (!this.precomputed)
38104 return [ this.x, this.y ];
38105
38106 return [ this.x, this.y, this.precomputed && {
38107 doubles: this.precomputed.doubles && {
38108 step: this.precomputed.doubles.step,
38109 points: this.precomputed.doubles.points.slice(1)
38110 },
38111 naf: this.precomputed.naf && {
38112 wnd: this.precomputed.naf.wnd,
38113 points: this.precomputed.naf.points.slice(1)
38114 }
38115 } ];
38116 };
38117
38118 Point.fromJSON = function fromJSON(curve, obj, red) {
38119 if (typeof obj === 'string')
38120 obj = JSON.parse(obj);
38121 var res = curve.point(obj[0], obj[1], red);
38122 if (!obj[2])
38123 return res;
38124
38125 function obj2point(obj) {
38126 return curve.point(obj[0], obj[1], red);
38127 }
38128
38129 var pre = obj[2];
38130 res.precomputed = {
38131 beta: null,
38132 doubles: pre.doubles && {
38133 step: pre.doubles.step,
38134 points: [ res ].concat(pre.doubles.points.map(obj2point))
38135 },
38136 naf: pre.naf && {
38137 wnd: pre.naf.wnd,
38138 points: [ res ].concat(pre.naf.points.map(obj2point))
38139 }
38140 };
38141 return res;
38142 };
38143
38144 Point.prototype.inspect = function inspect() {
38145 if (this.isInfinity())
38146 return '<EC Point Infinity>';
38147 return '<EC Point x: ' + this.x.fromRed().toString(16, 2) +
38148 ' y: ' + this.y.fromRed().toString(16, 2) + '>';
38149 };
38150
38151 Point.prototype.isInfinity = function isInfinity() {
38152 return this.inf;
38153 };
38154
38155 Point.prototype.add = function add(p) {
38156 // O + P = P
38157 if (this.inf)
38158 return p;
38159
38160 // P + O = P
38161 if (p.inf)
38162 return this;
38163
38164 // P + P = 2P
38165 if (this.eq(p))
38166 return this.dbl();
38167
38168 // P + (-P) = O
38169 if (this.neg().eq(p))
38170 return this.curve.point(null, null);
38171
38172 // P + Q = O
38173 if (this.x.cmp(p.x) === 0)
38174 return this.curve.point(null, null);
38175
38176 var c = this.y.redSub(p.y);
38177 if (c.cmpn(0) !== 0)
38178 c = c.redMul(this.x.redSub(p.x).redInvm());
38179 var nx = c.redSqr().redISub(this.x).redISub(p.x);
38180 var ny = c.redMul(this.x.redSub(nx)).redISub(this.y);
38181 return this.curve.point(nx, ny);
38182 };
38183
38184 Point.prototype.dbl = function dbl() {
38185 if (this.inf)
38186 return this;
38187
38188 // 2P = O
38189 var ys1 = this.y.redAdd(this.y);
38190 if (ys1.cmpn(0) === 0)
38191 return this.curve.point(null, null);
38192
38193 var a = this.curve.a;
38194
38195 var x2 = this.x.redSqr();
38196 var dyinv = ys1.redInvm();
38197 var c = x2.redAdd(x2).redIAdd(x2).redIAdd(a).redMul(dyinv);
38198
38199 var nx = c.redSqr().redISub(this.x.redAdd(this.x));
38200 var ny = c.redMul(this.x.redSub(nx)).redISub(this.y);
38201 return this.curve.point(nx, ny);
38202 };
38203
38204 Point.prototype.getX = function getX() {
38205 return this.x.fromRed();
38206 };
38207
38208 Point.prototype.getY = function getY() {
38209 return this.y.fromRed();
38210 };
38211
38212 Point.prototype.mul = function mul(k) {
38213 k = new bn(k, 16);
38214 if (this.isInfinity())
38215 return this;
38216 else if (this._hasDoubles(k))
38217 return this.curve._fixedNafMul(this, k);
38218 else if (this.curve.endo)
38219 return this.curve._endoWnafMulAdd([ this ], [ k ]);
38220 else
38221 return this.curve._wnafMul(this, k);
38222 };
38223
38224 Point.prototype.mulAdd = function mulAdd(k1, p2, k2) {
38225 var points = [ this, p2 ];
38226 var coeffs = [ k1, k2 ];
38227 if (this.curve.endo)
38228 return this.curve._endoWnafMulAdd(points, coeffs);
38229 else
38230 return this.curve._wnafMulAdd(1, points, coeffs, 2);
38231 };
38232
38233 Point.prototype.jmulAdd = function jmulAdd(k1, p2, k2) {
38234 var points = [ this, p2 ];
38235 var coeffs = [ k1, k2 ];
38236 if (this.curve.endo)
38237 return this.curve._endoWnafMulAdd(points, coeffs, true);
38238 else
38239 return this.curve._wnafMulAdd(1, points, coeffs, 2, true);
38240 };
38241
38242 Point.prototype.eq = function eq(p) {
38243 return this === p ||
38244 this.inf === p.inf &&
38245 (this.inf || this.x.cmp(p.x) === 0 && this.y.cmp(p.y) === 0);
38246 };
38247
38248 Point.prototype.neg = function neg(_precompute) {
38249 if (this.inf)
38250 return this;
38251
38252 var res = this.curve.point(this.x, this.y.redNeg());
38253 if (_precompute && this.precomputed) {
38254 var pre = this.precomputed;
38255 var negate = function(p) {
38256 return p.neg();
38257 };
38258 res.precomputed = {
38259 naf: pre.naf && {
38260 wnd: pre.naf.wnd,
38261 points: pre.naf.points.map(negate)
38262 },
38263 doubles: pre.doubles && {
38264 step: pre.doubles.step,
38265 points: pre.doubles.points.map(negate)
38266 }
38267 };
38268 }
38269 return res;
38270 };
38271
38272 Point.prototype.toJ = function toJ() {
38273 if (this.inf)
38274 return this.curve.jpoint(null, null, null);
38275
38276 var res = this.curve.jpoint(this.x, this.y, this.curve.one);
38277 return res;
38278 };
38279
38280 function JPoint(curve, x, y, z) {
38281 base.BasePoint.call(this, curve, 'jacobian');
38282 if (x === null && y === null && z === null) {
38283 this.x = this.curve.one;
38284 this.y = this.curve.one;
38285 this.z = new bn(0);
38286 } else {
38287 this.x = new bn(x, 16);
38288 this.y = new bn(y, 16);
38289 this.z = new bn(z, 16);
38290 }
38291 if (!this.x.red)
38292 this.x = this.x.toRed(this.curve.red);
38293 if (!this.y.red)
38294 this.y = this.y.toRed(this.curve.red);
38295 if (!this.z.red)
38296 this.z = this.z.toRed(this.curve.red);
38297
38298 this.zOne = this.z === this.curve.one;
38299 }
38300 inherits_browser(JPoint, base.BasePoint);
38301
38302 ShortCurve.prototype.jpoint = function jpoint(x, y, z) {
38303 return new JPoint(this, x, y, z);
38304 };
38305
38306 JPoint.prototype.toP = function toP() {
38307 if (this.isInfinity())
38308 return this.curve.point(null, null);
38309
38310 var zinv = this.z.redInvm();
38311 var zinv2 = zinv.redSqr();
38312 var ax = this.x.redMul(zinv2);
38313 var ay = this.y.redMul(zinv2).redMul(zinv);
38314
38315 return this.curve.point(ax, ay);
38316 };
38317
38318 JPoint.prototype.neg = function neg() {
38319 return this.curve.jpoint(this.x, this.y.redNeg(), this.z);
38320 };
38321
38322 JPoint.prototype.add = function add(p) {
38323 // O + P = P
38324 if (this.isInfinity())
38325 return p;
38326
38327 // P + O = P
38328 if (p.isInfinity())
38329 return this;
38330
38331 // 12M + 4S + 7A
38332 var pz2 = p.z.redSqr();
38333 var z2 = this.z.redSqr();
38334 var u1 = this.x.redMul(pz2);
38335 var u2 = p.x.redMul(z2);
38336 var s1 = this.y.redMul(pz2.redMul(p.z));
38337 var s2 = p.y.redMul(z2.redMul(this.z));
38338
38339 var h = u1.redSub(u2);
38340 var r = s1.redSub(s2);
38341 if (h.cmpn(0) === 0) {
38342 if (r.cmpn(0) !== 0)
38343 return this.curve.jpoint(null, null, null);
38344 else
38345 return this.dbl();
38346 }
38347
38348 var h2 = h.redSqr();
38349 var h3 = h2.redMul(h);
38350 var v = u1.redMul(h2);
38351
38352 var nx = r.redSqr().redIAdd(h3).redISub(v).redISub(v);
38353 var ny = r.redMul(v.redISub(nx)).redISub(s1.redMul(h3));
38354 var nz = this.z.redMul(p.z).redMul(h);
38355
38356 return this.curve.jpoint(nx, ny, nz);
38357 };
38358
38359 JPoint.prototype.mixedAdd = function mixedAdd(p) {
38360 // O + P = P
38361 if (this.isInfinity())
38362 return p.toJ();
38363
38364 // P + O = P
38365 if (p.isInfinity())
38366 return this;
38367
38368 // 8M + 3S + 7A
38369 var z2 = this.z.redSqr();
38370 var u1 = this.x;
38371 var u2 = p.x.redMul(z2);
38372 var s1 = this.y;
38373 var s2 = p.y.redMul(z2).redMul(this.z);
38374
38375 var h = u1.redSub(u2);
38376 var r = s1.redSub(s2);
38377 if (h.cmpn(0) === 0) {
38378 if (r.cmpn(0) !== 0)
38379 return this.curve.jpoint(null, null, null);
38380 else
38381 return this.dbl();
38382 }
38383
38384 var h2 = h.redSqr();
38385 var h3 = h2.redMul(h);
38386 var v = u1.redMul(h2);
38387
38388 var nx = r.redSqr().redIAdd(h3).redISub(v).redISub(v);
38389 var ny = r.redMul(v.redISub(nx)).redISub(s1.redMul(h3));
38390 var nz = this.z.redMul(h);
38391
38392 return this.curve.jpoint(nx, ny, nz);
38393 };
38394
38395 JPoint.prototype.dblp = function dblp(pow) {
38396 if (pow === 0)
38397 return this;
38398 if (this.isInfinity())
38399 return this;
38400 if (!pow)
38401 return this.dbl();
38402
38403 if (this.curve.zeroA || this.curve.threeA) {
38404 var r = this;
38405 for (var i = 0; i < pow; i++)
38406 r = r.dbl();
38407 return r;
38408 }
38409
38410 // 1M + 2S + 1A + N * (4S + 5M + 8A)
38411 // N = 1 => 6M + 6S + 9A
38412 var a = this.curve.a;
38413 var tinv = this.curve.tinv;
38414
38415 var jx = this.x;
38416 var jy = this.y;
38417 var jz = this.z;
38418 var jz4 = jz.redSqr().redSqr();
38419
38420 // Reuse results
38421 var jyd = jy.redAdd(jy);
38422 for (var i = 0; i < pow; i++) {
38423 var jx2 = jx.redSqr();
38424 var jyd2 = jyd.redSqr();
38425 var jyd4 = jyd2.redSqr();
38426 var c = jx2.redAdd(jx2).redIAdd(jx2).redIAdd(a.redMul(jz4));
38427
38428 var t1 = jx.redMul(jyd2);
38429 var nx = c.redSqr().redISub(t1.redAdd(t1));
38430 var t2 = t1.redISub(nx);
38431 var dny = c.redMul(t2);
38432 dny = dny.redIAdd(dny).redISub(jyd4);
38433 var nz = jyd.redMul(jz);
38434 if (i + 1 < pow)
38435 jz4 = jz4.redMul(jyd4);
38436
38437 jx = nx;
38438 jz = nz;
38439 jyd = dny;
38440 }
38441
38442 return this.curve.jpoint(jx, jyd.redMul(tinv), jz);
38443 };
38444
38445 JPoint.prototype.dbl = function dbl() {
38446 if (this.isInfinity())
38447 return this;
38448
38449 if (this.curve.zeroA)
38450 return this._zeroDbl();
38451 else if (this.curve.threeA)
38452 return this._threeDbl();
38453 else
38454 return this._dbl();
38455 };
38456
38457 JPoint.prototype._zeroDbl = function _zeroDbl() {
38458 var nx;
38459 var ny;
38460 var nz;
38461 // Z = 1
38462 if (this.zOne) {
38463 // hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html
38464 // #doubling-mdbl-2007-bl
38465 // 1M + 5S + 14A
38466
38467 // XX = X1^2
38468 var xx = this.x.redSqr();
38469 // YY = Y1^2
38470 var yy = this.y.redSqr();
38471 // YYYY = YY^2
38472 var yyyy = yy.redSqr();
38473 // S = 2 * ((X1 + YY)^2 - XX - YYYY)
38474 var s = this.x.redAdd(yy).redSqr().redISub(xx).redISub(yyyy);
38475 s = s.redIAdd(s);
38476 // M = 3 * XX + a; a = 0
38477 var m = xx.redAdd(xx).redIAdd(xx);
38478 // T = M ^ 2 - 2*S
38479 var t = m.redSqr().redISub(s).redISub(s);
38480
38481 // 8 * YYYY
38482 var yyyy8 = yyyy.redIAdd(yyyy);
38483 yyyy8 = yyyy8.redIAdd(yyyy8);
38484 yyyy8 = yyyy8.redIAdd(yyyy8);
38485
38486 // X3 = T
38487 nx = t;
38488 // Y3 = M * (S - T) - 8 * YYYY
38489 ny = m.redMul(s.redISub(t)).redISub(yyyy8);
38490 // Z3 = 2*Y1
38491 nz = this.y.redAdd(this.y);
38492 } else {
38493 // hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html
38494 // #doubling-dbl-2009-l
38495 // 2M + 5S + 13A
38496
38497 // A = X1^2
38498 var a = this.x.redSqr();
38499 // B = Y1^2
38500 var b = this.y.redSqr();
38501 // C = B^2
38502 var c = b.redSqr();
38503 // D = 2 * ((X1 + B)^2 - A - C)
38504 var d = this.x.redAdd(b).redSqr().redISub(a).redISub(c);
38505 d = d.redIAdd(d);
38506 // E = 3 * A
38507 var e = a.redAdd(a).redIAdd(a);
38508 // F = E^2
38509 var f = e.redSqr();
38510
38511 // 8 * C
38512 var c8 = c.redIAdd(c);
38513 c8 = c8.redIAdd(c8);
38514 c8 = c8.redIAdd(c8);
38515
38516 // X3 = F - 2 * D
38517 nx = f.redISub(d).redISub(d);
38518 // Y3 = E * (D - X3) - 8 * C
38519 ny = e.redMul(d.redISub(nx)).redISub(c8);
38520 // Z3 = 2 * Y1 * Z1
38521 nz = this.y.redMul(this.z);
38522 nz = nz.redIAdd(nz);
38523 }
38524
38525 return this.curve.jpoint(nx, ny, nz);
38526 };
38527
38528 JPoint.prototype._threeDbl = function _threeDbl() {
38529 var nx;
38530 var ny;
38531 var nz;
38532 // Z = 1
38533 if (this.zOne) {
38534 // hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html
38535 // #doubling-mdbl-2007-bl
38536 // 1M + 5S + 15A
38537
38538 // XX = X1^2
38539 var xx = this.x.redSqr();
38540 // YY = Y1^2
38541 var yy = this.y.redSqr();
38542 // YYYY = YY^2
38543 var yyyy = yy.redSqr();
38544 // S = 2 * ((X1 + YY)^2 - XX - YYYY)
38545 var s = this.x.redAdd(yy).redSqr().redISub(xx).redISub(yyyy);
38546 s = s.redIAdd(s);
38547 // M = 3 * XX + a
38548 var m = xx.redAdd(xx).redIAdd(xx).redIAdd(this.curve.a);
38549 // T = M^2 - 2 * S
38550 var t = m.redSqr().redISub(s).redISub(s);
38551 // X3 = T
38552 nx = t;
38553 // Y3 = M * (S - T) - 8 * YYYY
38554 var yyyy8 = yyyy.redIAdd(yyyy);
38555 yyyy8 = yyyy8.redIAdd(yyyy8);
38556 yyyy8 = yyyy8.redIAdd(yyyy8);
38557 ny = m.redMul(s.redISub(t)).redISub(yyyy8);
38558 // Z3 = 2 * Y1
38559 nz = this.y.redAdd(this.y);
38560 } else {
38561 // hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
38562 // 3M + 5S
38563
38564 // delta = Z1^2
38565 var delta = this.z.redSqr();
38566 // gamma = Y1^2
38567 var gamma = this.y.redSqr();
38568 // beta = X1 * gamma
38569 var beta = this.x.redMul(gamma);
38570 // alpha = 3 * (X1 - delta) * (X1 + delta)
38571 var alpha = this.x.redSub(delta).redMul(this.x.redAdd(delta));
38572 alpha = alpha.redAdd(alpha).redIAdd(alpha);
38573 // X3 = alpha^2 - 8 * beta
38574 var beta4 = beta.redIAdd(beta);
38575 beta4 = beta4.redIAdd(beta4);
38576 var beta8 = beta4.redAdd(beta4);
38577 nx = alpha.redSqr().redISub(beta8);
38578 // Z3 = (Y1 + Z1)^2 - gamma - delta
38579 nz = this.y.redAdd(this.z).redSqr().redISub(gamma).redISub(delta);
38580 // Y3 = alpha * (4 * beta - X3) - 8 * gamma^2
38581 var ggamma8 = gamma.redSqr();
38582 ggamma8 = ggamma8.redIAdd(ggamma8);
38583 ggamma8 = ggamma8.redIAdd(ggamma8);
38584 ggamma8 = ggamma8.redIAdd(ggamma8);
38585 ny = alpha.redMul(beta4.redISub(nx)).redISub(ggamma8);
38586 }
38587
38588 return this.curve.jpoint(nx, ny, nz);
38589 };
38590
38591 JPoint.prototype._dbl = function _dbl() {
38592 var a = this.curve.a;
38593
38594 // 4M + 6S + 10A
38595 var jx = this.x;
38596 var jy = this.y;
38597 var jz = this.z;
38598 var jz4 = jz.redSqr().redSqr();
38599
38600 var jx2 = jx.redSqr();
38601 var jy2 = jy.redSqr();
38602
38603 var c = jx2.redAdd(jx2).redIAdd(jx2).redIAdd(a.redMul(jz4));
38604
38605 var jxd4 = jx.redAdd(jx);
38606 jxd4 = jxd4.redIAdd(jxd4);
38607 var t1 = jxd4.redMul(jy2);
38608 var nx = c.redSqr().redISub(t1.redAdd(t1));
38609 var t2 = t1.redISub(nx);
38610
38611 var jyd8 = jy2.redSqr();
38612 jyd8 = jyd8.redIAdd(jyd8);
38613 jyd8 = jyd8.redIAdd(jyd8);
38614 jyd8 = jyd8.redIAdd(jyd8);
38615 var ny = c.redMul(t2).redISub(jyd8);
38616 var nz = jy.redAdd(jy).redMul(jz);
38617
38618 return this.curve.jpoint(nx, ny, nz);
38619 };
38620
38621 JPoint.prototype.trpl = function trpl() {
38622 if (!this.curve.zeroA)
38623 return this.dbl().add(this);
38624
38625 // hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#tripling-tpl-2007-bl
38626 // 5M + 10S + ...
38627
38628 // XX = X1^2
38629 var xx = this.x.redSqr();
38630 // YY = Y1^2
38631 var yy = this.y.redSqr();
38632 // ZZ = Z1^2
38633 var zz = this.z.redSqr();
38634 // YYYY = YY^2
38635 var yyyy = yy.redSqr();
38636 // M = 3 * XX + a * ZZ2; a = 0
38637 var m = xx.redAdd(xx).redIAdd(xx);
38638 // MM = M^2
38639 var mm = m.redSqr();
38640 // E = 6 * ((X1 + YY)^2 - XX - YYYY) - MM
38641 var e = this.x.redAdd(yy).redSqr().redISub(xx).redISub(yyyy);
38642 e = e.redIAdd(e);
38643 e = e.redAdd(e).redIAdd(e);
38644 e = e.redISub(mm);
38645 // EE = E^2
38646 var ee = e.redSqr();
38647 // T = 16*YYYY
38648 var t = yyyy.redIAdd(yyyy);
38649 t = t.redIAdd(t);
38650 t = t.redIAdd(t);
38651 t = t.redIAdd(t);
38652 // U = (M + E)^2 - MM - EE - T
38653 var u = m.redIAdd(e).redSqr().redISub(mm).redISub(ee).redISub(t);
38654 // X3 = 4 * (X1 * EE - 4 * YY * U)
38655 var yyu4 = yy.redMul(u);
38656 yyu4 = yyu4.redIAdd(yyu4);
38657 yyu4 = yyu4.redIAdd(yyu4);
38658 var nx = this.x.redMul(ee).redISub(yyu4);
38659 nx = nx.redIAdd(nx);
38660 nx = nx.redIAdd(nx);
38661 // Y3 = 8 * Y1 * (U * (T - U) - E * EE)
38662 var ny = this.y.redMul(u.redMul(t.redISub(u)).redISub(e.redMul(ee)));
38663 ny = ny.redIAdd(ny);
38664 ny = ny.redIAdd(ny);
38665 ny = ny.redIAdd(ny);
38666 // Z3 = (Z1 + E)^2 - ZZ - EE
38667 var nz = this.z.redAdd(e).redSqr().redISub(zz).redISub(ee);
38668
38669 return this.curve.jpoint(nx, ny, nz);
38670 };
38671
38672 JPoint.prototype.mul = function mul(k, kbase) {
38673 k = new bn(k, kbase);
38674
38675 return this.curve._wnafMul(this, k);
38676 };
38677
38678 JPoint.prototype.eq = function eq(p) {
38679 if (p.type === 'affine')
38680 return this.eq(p.toJ());
38681
38682 if (this === p)
38683 return true;
38684
38685 // x1 * z2^2 == x2 * z1^2
38686 var z2 = this.z.redSqr();
38687 var pz2 = p.z.redSqr();
38688 if (this.x.redMul(pz2).redISub(p.x.redMul(z2)).cmpn(0) !== 0)
38689 return false;
38690
38691 // y1 * z2^3 == y2 * z1^3
38692 var z3 = z2.redMul(this.z);
38693 var pz3 = pz2.redMul(p.z);
38694 return this.y.redMul(pz3).redISub(p.y.redMul(z3)).cmpn(0) === 0;
38695 };
38696
38697 JPoint.prototype.eqXToP = function eqXToP(x) {
38698 var zs = this.z.redSqr();
38699 var rx = x.toRed(this.curve.red).redMul(zs);
38700 if (this.x.cmp(rx) === 0)
38701 return true;
38702
38703 var xc = x.clone();
38704 var t = this.curve.redN.redMul(zs);
38705 for (;;) {
38706 xc.iadd(this.curve.n);
38707 if (xc.cmp(this.curve.p) >= 0)
38708 return false;
38709
38710 rx.redIAdd(t);
38711 if (this.x.cmp(rx) === 0)
38712 return true;
38713 }
38714 };
38715
38716 JPoint.prototype.inspect = function inspect() {
38717 if (this.isInfinity())
38718 return '<EC JPoint Infinity>';
38719 return '<EC JPoint x: ' + this.x.toString(16, 2) +
38720 ' y: ' + this.y.toString(16, 2) +
38721 ' z: ' + this.z.toString(16, 2) + '>';
38722 };
38723
38724 JPoint.prototype.isInfinity = function isInfinity() {
38725 // XXX This code assumes that zero is always zero in red
38726 return this.z.cmpn(0) === 0;
38727 };
38728
38729 function MontCurve(conf) {
38730 base.call(this, 'mont', conf);
38731
38732 this.a = new bn(conf.a, 16).toRed(this.red);
38733 this.b = new bn(conf.b, 16).toRed(this.red);
38734 this.i4 = new bn(4).toRed(this.red).redInvm();
38735 this.two = new bn(2).toRed(this.red);
38736 // Note: this implementation is according to the original paper
38737 // by P. Montgomery, NOT the one by D. J. Bernstein.
38738 this.a24 = this.i4.redMul(this.a.redAdd(this.two));
38739 }
38740 inherits_browser(MontCurve, base);
38741 var mont = MontCurve;
38742
38743 MontCurve.prototype.validate = function validate(point) {
38744 var x = point.normalize().x;
38745 var x2 = x.redSqr();
38746 var rhs = x2.redMul(x).redAdd(x2.redMul(this.a)).redAdd(x);
38747 var y = rhs.redSqrt();
38748
38749 return y.redSqr().cmp(rhs) === 0;
38750 };
38751
38752 function Point$1(curve, x, z) {
38753 base.BasePoint.call(this, curve, 'projective');
38754 if (x === null && z === null) {
38755 this.x = this.curve.one;
38756 this.z = this.curve.zero;
38757 } else {
38758 this.x = new bn(x, 16);
38759 this.z = new bn(z, 16);
38760 if (!this.x.red)
38761 this.x = this.x.toRed(this.curve.red);
38762 if (!this.z.red)
38763 this.z = this.z.toRed(this.curve.red);
38764 }
38765 }
38766 inherits_browser(Point$1, base.BasePoint);
38767
38768 MontCurve.prototype.decodePoint = function decodePoint(bytes, enc) {
38769 var bytes = utils_1$1.toArray(bytes, enc);
38770
38771 // TODO Curve448
38772 // Montgomery curve points must be represented in the compressed format
38773 // https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-02#appendix-B
38774 if (bytes.length === 33 && bytes[0] === 0x40)
38775 bytes = bytes.slice(1, 33).reverse(); // point must be little-endian
38776 if (bytes.length !== 32)
38777 throw new Error('Unknown point compression format');
38778 return this.point(bytes, 1);
38779 };
38780
38781 MontCurve.prototype.point = function point(x, z) {
38782 return new Point$1(this, x, z);
38783 };
38784
38785 MontCurve.prototype.pointFromJSON = function pointFromJSON(obj) {
38786 return Point$1.fromJSON(this, obj);
38787 };
38788
38789 Point$1.prototype.precompute = function precompute() {
38790 // No-op
38791 };
38792
38793 Point$1.prototype._encode = function _encode(compact) {
38794 var len = this.curve.p.byteLength();
38795
38796 // Note: the output should always be little-endian
38797 // https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-02#appendix-B
38798 if (compact) {
38799 return [ 0x40 ].concat(this.getX().toArray('le', len));
38800 } else {
38801 return this.getX().toArray('be', len);
38802 }
38803 };
38804
38805 Point$1.fromJSON = function fromJSON(curve, obj) {
38806 return new Point$1(curve, obj[0], obj[1] || curve.one);
38807 };
38808
38809 Point$1.prototype.inspect = function inspect() {
38810 if (this.isInfinity())
38811 return '<EC Point Infinity>';
38812 return '<EC Point x: ' + this.x.fromRed().toString(16, 2) +
38813 ' z: ' + this.z.fromRed().toString(16, 2) + '>';
38814 };
38815
38816 Point$1.prototype.isInfinity = function isInfinity() {
38817 // XXX This code assumes that zero is always zero in red
38818 return this.z.cmpn(0) === 0;
38819 };
38820
38821 Point$1.prototype.dbl = function dbl() {
38822 // http://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html#doubling-dbl-1987-m-3
38823 // 2M + 2S + 4A
38824
38825 // A = X1 + Z1
38826 var a = this.x.redAdd(this.z);
38827 // AA = A^2
38828 var aa = a.redSqr();
38829 // B = X1 - Z1
38830 var b = this.x.redSub(this.z);
38831 // BB = B^2
38832 var bb = b.redSqr();
38833 // C = AA - BB
38834 var c = aa.redSub(bb);
38835 // X3 = AA * BB
38836 var nx = aa.redMul(bb);
38837 // Z3 = C * (BB + A24 * C)
38838 var nz = c.redMul(bb.redAdd(this.curve.a24.redMul(c)));
38839 return this.curve.point(nx, nz);
38840 };
38841
38842 Point$1.prototype.add = function add() {
38843 throw new Error('Not supported on Montgomery curve');
38844 };
38845
38846 Point$1.prototype.diffAdd = function diffAdd(p, diff) {
38847 // http://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html#diffadd-dadd-1987-m-3
38848 // 4M + 2S + 6A
38849
38850 // A = X2 + Z2
38851 var a = this.x.redAdd(this.z);
38852 // B = X2 - Z2
38853 var b = this.x.redSub(this.z);
38854 // C = X3 + Z3
38855 var c = p.x.redAdd(p.z);
38856 // D = X3 - Z3
38857 var d = p.x.redSub(p.z);
38858 // DA = D * A
38859 var da = d.redMul(a);
38860 // CB = C * B
38861 var cb = c.redMul(b);
38862 // X5 = Z1 * (DA + CB)^2
38863 var nx = diff.z.redMul(da.redAdd(cb).redSqr());
38864 // Z5 = X1 * (DA - CB)^2
38865 var nz = diff.x.redMul(da.redISub(cb).redSqr());
38866 return this.curve.point(nx, nz);
38867 };
38868
38869 Point$1.prototype.mul = function mul(k) {
38870 k = new bn(k, 16);
38871
38872 var t = k.clone();
38873 var a = this; // (N / 2) * Q + Q
38874 var b = this.curve.point(null, null); // (N / 2) * Q
38875 var c = this; // Q
38876
38877 for (var bits = []; t.cmpn(0) !== 0; t.iushrn(1))
38878 bits.push(t.andln(1));
38879
38880 for (var i = bits.length - 1; i >= 0; i--) {
38881 if (bits[i] === 0) {
38882 // N * Q + Q = ((N / 2) * Q + Q)) + (N / 2) * Q
38883 a = a.diffAdd(b, c);
38884 // N * Q = 2 * ((N / 2) * Q + Q))
38885 b = b.dbl();
38886 } else {
38887 // N * Q = ((N / 2) * Q + Q) + ((N / 2) * Q)
38888 b = a.diffAdd(b, c);
38889 // N * Q + Q = 2 * ((N / 2) * Q + Q)
38890 a = a.dbl();
38891 }
38892 }
38893 return b;
38894 };
38895
38896 Point$1.prototype.mulAdd = function mulAdd() {
38897 throw new Error('Not supported on Montgomery curve');
38898 };
38899
38900 Point$1.prototype.jumlAdd = function jumlAdd() {
38901 throw new Error('Not supported on Montgomery curve');
38902 };
38903
38904 Point$1.prototype.eq = function eq(other) {
38905 return this.getX().cmp(other.getX()) === 0;
38906 };
38907
38908 Point$1.prototype.normalize = function normalize() {
38909 this.x = this.x.redMul(this.z.redInvm());
38910 this.z = this.curve.one;
38911 return this;
38912 };
38913
38914 Point$1.prototype.getX = function getX() {
38915 // Normalize coordinates
38916 this.normalize();
38917
38918 return this.x.fromRed();
38919 };
38920
38921 var assert$4 = utils_1$1.assert;
38922
38923 function EdwardsCurve(conf) {
38924 // NOTE: Important as we are creating point in Base.call()
38925 this.twisted = (conf.a | 0) !== 1;
38926 this.mOneA = this.twisted && (conf.a | 0) === -1;
38927 this.extended = this.mOneA;
38928
38929 base.call(this, 'edwards', conf);
38930
38931 this.a = new bn(conf.a, 16).umod(this.red.m);
38932 this.a = this.a.toRed(this.red);
38933 this.c = new bn(conf.c, 16).toRed(this.red);
38934 this.c2 = this.c.redSqr();
38935 this.d = new bn(conf.d, 16).toRed(this.red);
38936 this.dd = this.d.redAdd(this.d);
38937
38938 assert$4(!this.twisted || this.c.fromRed().cmpn(1) === 0);
38939 this.oneC = (conf.c | 0) === 1;
38940 }
38941 inherits_browser(EdwardsCurve, base);
38942 var edwards = EdwardsCurve;
38943
38944 EdwardsCurve.prototype._mulA = function _mulA(num) {
38945 if (this.mOneA)
38946 return num.redNeg();
38947 else
38948 return this.a.redMul(num);
38949 };
38950
38951 EdwardsCurve.prototype._mulC = function _mulC(num) {
38952 if (this.oneC)
38953 return num;
38954 else
38955 return this.c.redMul(num);
38956 };
38957
38958 // Just for compatibility with Short curve
38959 EdwardsCurve.prototype.jpoint = function jpoint(x, y, z, t) {
38960 return this.point(x, y, z, t);
38961 };
38962
38963 EdwardsCurve.prototype.pointFromX = function pointFromX(x, odd) {
38964 x = new bn(x, 16);
38965 if (!x.red)
38966 x = x.toRed(this.red);
38967
38968 var x2 = x.redSqr();
38969 var rhs = this.c2.redSub(this.a.redMul(x2));
38970 var lhs = this.one.redSub(this.c2.redMul(this.d).redMul(x2));
38971
38972 var y2 = rhs.redMul(lhs.redInvm());
38973 var y = y2.redSqrt();
38974 if (y.redSqr().redSub(y2).cmp(this.zero) !== 0)
38975 throw new Error('invalid point');
38976
38977 var isOdd = y.fromRed().isOdd();
38978 if (odd && !isOdd || !odd && isOdd)
38979 y = y.redNeg();
38980
38981 return this.point(x, y);
38982 };
38983
38984 EdwardsCurve.prototype.pointFromY = function pointFromY(y, odd) {
38985 y = new bn(y, 16);
38986 if (!y.red)
38987 y = y.toRed(this.red);
38988
38989 // x^2 = (y^2 - c^2) / (c^2 d y^2 - a)
38990 var y2 = y.redSqr();
38991 var lhs = y2.redSub(this.c2);
38992 var rhs = y2.redMul(this.d).redMul(this.c2).redSub(this.a);
38993 var x2 = lhs.redMul(rhs.redInvm());
38994
38995 if (x2.cmp(this.zero) === 0) {
38996 if (odd)
38997 throw new Error('invalid point');
38998 else
38999 return this.point(this.zero, y);
39000 }
39001
39002 var x = x2.redSqrt();
39003 if (x.redSqr().redSub(x2).cmp(this.zero) !== 0)
39004 throw new Error('invalid point');
39005
39006 if (x.fromRed().isOdd() !== odd)
39007 x = x.redNeg();
39008
39009 return this.point(x, y);
39010 };
39011
39012 EdwardsCurve.prototype.validate = function validate(point) {
39013 if (point.isInfinity())
39014 return true;
39015
39016 // Curve: A * X^2 + Y^2 = C^2 * (1 + D * X^2 * Y^2)
39017 point.normalize();
39018
39019 var x2 = point.x.redSqr();
39020 var y2 = point.y.redSqr();
39021 var lhs = x2.redMul(this.a).redAdd(y2);
39022 var rhs = this.c2.redMul(this.one.redAdd(this.d.redMul(x2).redMul(y2)));
39023
39024 return lhs.cmp(rhs) === 0;
39025 };
39026
39027 function Point$2(curve, x, y, z, t) {
39028 base.BasePoint.call(this, curve, 'projective');
39029 if (x === null && y === null && z === null) {
39030 this.x = this.curve.zero;
39031 this.y = this.curve.one;
39032 this.z = this.curve.one;
39033 this.t = this.curve.zero;
39034 this.zOne = true;
39035 } else {
39036 this.x = new bn(x, 16);
39037 this.y = new bn(y, 16);
39038 this.z = z ? new bn(z, 16) : this.curve.one;
39039 this.t = t && new bn(t, 16);
39040 if (!this.x.red)
39041 this.x = this.x.toRed(this.curve.red);
39042 if (!this.y.red)
39043 this.y = this.y.toRed(this.curve.red);
39044 if (!this.z.red)
39045 this.z = this.z.toRed(this.curve.red);
39046 if (this.t && !this.t.red)
39047 this.t = this.t.toRed(this.curve.red);
39048 this.zOne = this.z === this.curve.one;
39049
39050 // Use extended coordinates
39051 if (this.curve.extended && !this.t) {
39052 this.t = this.x.redMul(this.y);
39053 if (!this.zOne)
39054 this.t = this.t.redMul(this.z.redInvm());
39055 }
39056 }
39057 }
39058 inherits_browser(Point$2, base.BasePoint);
39059
39060 EdwardsCurve.prototype.pointFromJSON = function pointFromJSON(obj) {
39061 return Point$2.fromJSON(this, obj);
39062 };
39063
39064 EdwardsCurve.prototype.point = function point(x, y, z, t) {
39065 return new Point$2(this, x, y, z, t);
39066 };
39067
39068 Point$2.fromJSON = function fromJSON(curve, obj) {
39069 return new Point$2(curve, obj[0], obj[1], obj[2]);
39070 };
39071
39072 Point$2.prototype.inspect = function inspect() {
39073 if (this.isInfinity())
39074 return '<EC Point Infinity>';
39075 return '<EC Point x: ' + this.x.fromRed().toString(16, 2) +
39076 ' y: ' + this.y.fromRed().toString(16, 2) +
39077 ' z: ' + this.z.fromRed().toString(16, 2) + '>';
39078 };
39079
39080 Point$2.prototype.isInfinity = function isInfinity() {
39081 // XXX This code assumes that zero is always zero in red
39082 return this.x.cmpn(0) === 0 &&
39083 (this.y.cmp(this.z) === 0 ||
39084 (this.zOne && this.y.cmp(this.curve.c) === 0));
39085 };
39086
39087 Point$2.prototype._extDbl = function _extDbl() {
39088 // hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html
39089 // #doubling-dbl-2008-hwcd
39090 // 4M + 4S
39091
39092 // A = X1^2
39093 var a = this.x.redSqr();
39094 // B = Y1^2
39095 var b = this.y.redSqr();
39096 // C = 2 * Z1^2
39097 var c = this.z.redSqr();
39098 c = c.redIAdd(c);
39099 // D = a * A
39100 var d = this.curve._mulA(a);
39101 // E = (X1 + Y1)^2 - A - B
39102 var e = this.x.redAdd(this.y).redSqr().redISub(a).redISub(b);
39103 // G = D + B
39104 var g = d.redAdd(b);
39105 // F = G - C
39106 var f = g.redSub(c);
39107 // H = D - B
39108 var h = d.redSub(b);
39109 // X3 = E * F
39110 var nx = e.redMul(f);
39111 // Y3 = G * H
39112 var ny = g.redMul(h);
39113 // T3 = E * H
39114 var nt = e.redMul(h);
39115 // Z3 = F * G
39116 var nz = f.redMul(g);
39117 return this.curve.point(nx, ny, nz, nt);
39118 };
39119
39120 Point$2.prototype._projDbl = function _projDbl() {
39121 // hyperelliptic.org/EFD/g1p/auto-twisted-projective.html
39122 // #doubling-dbl-2008-bbjlp
39123 // #doubling-dbl-2007-bl
39124 // and others
39125 // Generally 3M + 4S or 2M + 4S
39126
39127 // B = (X1 + Y1)^2
39128 var b = this.x.redAdd(this.y).redSqr();
39129 // C = X1^2
39130 var c = this.x.redSqr();
39131 // D = Y1^2
39132 var d = this.y.redSqr();
39133
39134 var nx;
39135 var ny;
39136 var nz;
39137 if (this.curve.twisted) {
39138 // E = a * C
39139 var e = this.curve._mulA(c);
39140 // F = E + D
39141 var f = e.redAdd(d);
39142 if (this.zOne) {
39143 // X3 = (B - C - D) * (F - 2)
39144 nx = b.redSub(c).redSub(d).redMul(f.redSub(this.curve.two));
39145 // Y3 = F * (E - D)
39146 ny = f.redMul(e.redSub(d));
39147 // Z3 = F^2 - 2 * F
39148 nz = f.redSqr().redSub(f).redSub(f);
39149 } else {
39150 // H = Z1^2
39151 var h = this.z.redSqr();
39152 // J = F - 2 * H
39153 var j = f.redSub(h).redISub(h);
39154 // X3 = (B-C-D)*J
39155 nx = b.redSub(c).redISub(d).redMul(j);
39156 // Y3 = F * (E - D)
39157 ny = f.redMul(e.redSub(d));
39158 // Z3 = F * J
39159 nz = f.redMul(j);
39160 }
39161 } else {
39162 // E = C + D
39163 var e = c.redAdd(d);
39164 // H = (c * Z1)^2
39165 var h = this.curve._mulC(this.z).redSqr();
39166 // J = E - 2 * H
39167 var j = e.redSub(h).redSub(h);
39168 // X3 = c * (B - E) * J
39169 nx = this.curve._mulC(b.redISub(e)).redMul(j);
39170 // Y3 = c * E * (C - D)
39171 ny = this.curve._mulC(e).redMul(c.redISub(d));
39172 // Z3 = E * J
39173 nz = e.redMul(j);
39174 }
39175 return this.curve.point(nx, ny, nz);
39176 };
39177
39178 Point$2.prototype.dbl = function dbl() {
39179 if (this.isInfinity())
39180 return this;
39181
39182 // Double in extended coordinates
39183 if (this.curve.extended)
39184 return this._extDbl();
39185 else
39186 return this._projDbl();
39187 };
39188
39189 Point$2.prototype._extAdd = function _extAdd(p) {
39190 // hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html
39191 // #addition-add-2008-hwcd-3
39192 // 8M
39193
39194 // A = (Y1 - X1) * (Y2 - X2)
39195 var a = this.y.redSub(this.x).redMul(p.y.redSub(p.x));
39196 // B = (Y1 + X1) * (Y2 + X2)
39197 var b = this.y.redAdd(this.x).redMul(p.y.redAdd(p.x));
39198 // C = T1 * k * T2
39199 var c = this.t.redMul(this.curve.dd).redMul(p.t);
39200 // D = Z1 * 2 * Z2
39201 var d = this.z.redMul(p.z.redAdd(p.z));
39202 // E = B - A
39203 var e = b.redSub(a);
39204 // F = D - C
39205 var f = d.redSub(c);
39206 // G = D + C
39207 var g = d.redAdd(c);
39208 // H = B + A
39209 var h = b.redAdd(a);
39210 // X3 = E * F
39211 var nx = e.redMul(f);
39212 // Y3 = G * H
39213 var ny = g.redMul(h);
39214 // T3 = E * H
39215 var nt = e.redMul(h);
39216 // Z3 = F * G
39217 var nz = f.redMul(g);
39218 return this.curve.point(nx, ny, nz, nt);
39219 };
39220
39221 Point$2.prototype._projAdd = function _projAdd(p) {
39222 // hyperelliptic.org/EFD/g1p/auto-twisted-projective.html
39223 // #addition-add-2008-bbjlp
39224 // #addition-add-2007-bl
39225 // 10M + 1S
39226
39227 // A = Z1 * Z2
39228 var a = this.z.redMul(p.z);
39229 // B = A^2
39230 var b = a.redSqr();
39231 // C = X1 * X2
39232 var c = this.x.redMul(p.x);
39233 // D = Y1 * Y2
39234 var d = this.y.redMul(p.y);
39235 // E = d * C * D
39236 var e = this.curve.d.redMul(c).redMul(d);
39237 // F = B - E
39238 var f = b.redSub(e);
39239 // G = B + E
39240 var g = b.redAdd(e);
39241 // X3 = A * F * ((X1 + Y1) * (X2 + Y2) - C - D)
39242 var tmp = this.x.redAdd(this.y).redMul(p.x.redAdd(p.y)).redISub(c).redISub(d);
39243 var nx = a.redMul(f).redMul(tmp);
39244 var ny;
39245 var nz;
39246 if (this.curve.twisted) {
39247 // Y3 = A * G * (D - a * C)
39248 ny = a.redMul(g).redMul(d.redSub(this.curve._mulA(c)));
39249 // Z3 = F * G
39250 nz = f.redMul(g);
39251 } else {
39252 // Y3 = A * G * (D - C)
39253 ny = a.redMul(g).redMul(d.redSub(c));
39254 // Z3 = c * F * G
39255 nz = this.curve._mulC(f).redMul(g);
39256 }
39257 return this.curve.point(nx, ny, nz);
39258 };
39259
39260 Point$2.prototype.add = function add(p) {
39261 if (this.isInfinity())
39262 return p;
39263 if (p.isInfinity())
39264 return this;
39265
39266 if (this.curve.extended)
39267 return this._extAdd(p);
39268 else
39269 return this._projAdd(p);
39270 };
39271
39272 Point$2.prototype.mul = function mul(k) {
39273 if (this._hasDoubles(k))
39274 return this.curve._fixedNafMul(this, k);
39275 else
39276 return this.curve._wnafMul(this, k);
39277 };
39278
39279 Point$2.prototype.mulAdd = function mulAdd(k1, p, k2) {
39280 return this.curve._wnafMulAdd(1, [ this, p ], [ k1, k2 ], 2, false);
39281 };
39282
39283 Point$2.prototype.jmulAdd = function jmulAdd(k1, p, k2) {
39284 return this.curve._wnafMulAdd(1, [ this, p ], [ k1, k2 ], 2, true);
39285 };
39286
39287 Point$2.prototype.normalize = function normalize() {
39288 if (this.zOne)
39289 return this;
39290
39291 // Normalize coordinates
39292 var zi = this.z.redInvm();
39293 this.x = this.x.redMul(zi);
39294 this.y = this.y.redMul(zi);
39295 if (this.t)
39296 this.t = this.t.redMul(zi);
39297 this.z = this.curve.one;
39298 this.zOne = true;
39299 return this;
39300 };
39301
39302 Point$2.prototype.neg = function neg() {
39303 return this.curve.point(this.x.redNeg(),
39304 this.y,
39305 this.z,
39306 this.t && this.t.redNeg());
39307 };
39308
39309 Point$2.prototype.getX = function getX() {
39310 this.normalize();
39311 return this.x.fromRed();
39312 };
39313
39314 Point$2.prototype.getY = function getY() {
39315 this.normalize();
39316 return this.y.fromRed();
39317 };
39318
39319 Point$2.prototype.eq = function eq(other) {
39320 return this === other ||
39321 this.getX().cmp(other.getX()) === 0 &&
39322 this.getY().cmp(other.getY()) === 0;
39323 };
39324
39325 Point$2.prototype.eqXToP = function eqXToP(x) {
39326 var rx = x.toRed(this.curve.red).redMul(this.z);
39327 if (this.x.cmp(rx) === 0)
39328 return true;
39329
39330 var xc = x.clone();
39331 var t = this.curve.redN.redMul(this.z);
39332 for (;;) {
39333 xc.iadd(this.curve.n);
39334 if (xc.cmp(this.curve.p) >= 0)
39335 return false;
39336
39337 rx.redIAdd(t);
39338 if (this.x.cmp(rx) === 0)
39339 return true;
39340 }
39341 };
39342
39343 // Compatibility with BaseCurve
39344 Point$2.prototype.toP = Point$2.prototype.normalize;
39345 Point$2.prototype.mixedAdd = Point$2.prototype.add;
39346
39347 var curve_1 = createCommonjsModule(function (module, exports) {
39348
39349 var curve = exports;
39350
39351 curve.base = base;
39352 curve.short = short_1;
39353 curve.mont = mont;
39354 curve.edwards = edwards;
39355 });
39356
39357 var rotl32$2 = utils.rotl32;
39358 var sum32$3 = utils.sum32;
39359 var sum32_5$2 = utils.sum32_5;
39360 var ft_1$1 = common$1.ft_1;
39361 var BlockHash$4 = common.BlockHash;
39362
39363 var sha1_K = [
39364 0x5A827999, 0x6ED9EBA1,
39365 0x8F1BBCDC, 0xCA62C1D6
39366 ];
39367
39368 function SHA1() {
39369 if (!(this instanceof SHA1))
39370 return new SHA1();
39371
39372 BlockHash$4.call(this);
39373 this.h = [
39374 0x67452301, 0xefcdab89, 0x98badcfe,
39375 0x10325476, 0xc3d2e1f0 ];
39376 this.W = new Array(80);
39377 }
39378
39379 utils.inherits(SHA1, BlockHash$4);
39380 var _1 = SHA1;
39381
39382 SHA1.blockSize = 512;
39383 SHA1.outSize = 160;
39384 SHA1.hmacStrength = 80;
39385 SHA1.padLength = 64;
39386
39387 SHA1.prototype._update = function _update(msg, start) {
39388 var W = this.W;
39389
39390 for (var i = 0; i < 16; i++)
39391 W[i] = msg[start + i];
39392
39393 for(; i < W.length; i++)
39394 W[i] = rotl32$2(W[i - 3] ^ W[i - 8] ^ W[i - 14] ^ W[i - 16], 1);
39395
39396 var a = this.h[0];
39397 var b = this.h[1];
39398 var c = this.h[2];
39399 var d = this.h[3];
39400 var e = this.h[4];
39401
39402 for (i = 0; i < W.length; i++) {
39403 var s = ~~(i / 20);
39404 var t = sum32_5$2(rotl32$2(a, 5), ft_1$1(s, b, c, d), e, W[i], sha1_K[s]);
39405 e = d;
39406 d = c;
39407 c = rotl32$2(b, 30);
39408 b = a;
39409 a = t;
39410 }
39411
39412 this.h[0] = sum32$3(this.h[0], a);
39413 this.h[1] = sum32$3(this.h[1], b);
39414 this.h[2] = sum32$3(this.h[2], c);
39415 this.h[3] = sum32$3(this.h[3], d);
39416 this.h[4] = sum32$3(this.h[4], e);
39417 };
39418
39419 SHA1.prototype._digest = function digest(enc) {
39420 if (enc === 'hex')
39421 return utils.toHex32(this.h, 'big');
39422 else
39423 return utils.split32(this.h, 'big');
39424 };
39425
39426 var sha1 = _1;
39427 var sha224 = _224;
39428 var sha256 = _256;
39429 var sha384 = _384;
39430 var sha512 = _512;
39431
39432 var sha = {
39433 sha1: sha1,
39434 sha224: sha224,
39435 sha256: sha256,
39436 sha384: sha384,
39437 sha512: sha512
39438 };
39439
39440 function Hmac(hash, key, enc) {
39441 if (!(this instanceof Hmac))
39442 return new Hmac(hash, key, enc);
39443 this.Hash = hash;
39444 this.blockSize = hash.blockSize / 8;
39445 this.outSize = hash.outSize / 8;
39446 this.inner = null;
39447 this.outer = null;
39448
39449 this._init(utils.toArray(key, enc));
39450 }
39451 var hmac = Hmac;
39452
39453 Hmac.prototype._init = function init(key) {
39454 // Shorten key, if needed
39455 if (key.length > this.blockSize)
39456 key = new this.Hash().update(key).digest();
39457 minimalisticAssert(key.length <= this.blockSize);
39458
39459 // Add padding to key
39460 for (var i = key.length; i < this.blockSize; i++)
39461 key.push(0);
39462
39463 for (i = 0; i < key.length; i++)
39464 key[i] ^= 0x36;
39465 this.inner = new this.Hash().update(key);
39466
39467 // 0x36 ^ 0x5c = 0x6a
39468 for (i = 0; i < key.length; i++)
39469 key[i] ^= 0x6a;
39470 this.outer = new this.Hash().update(key);
39471 };
39472
39473 Hmac.prototype.update = function update(msg, enc) {
39474 this.inner.update(msg, enc);
39475 return this;
39476 };
39477
39478 Hmac.prototype.digest = function digest(enc) {
39479 this.outer.update(this.inner.digest());
39480 return this.outer.digest(enc);
39481 };
39482
39483 var hash_1 = createCommonjsModule(function (module, exports) {
39484 var hash = exports;
39485
39486 hash.utils = utils;
39487 hash.common = common;
39488 hash.sha = sha;
39489 hash.ripemd = ripemd;
39490 hash.hmac = hmac;
39491
39492 // Proxy hash functions to the main object
39493 hash.sha1 = hash.sha.sha1;
39494 hash.sha256 = hash.sha.sha256;
39495 hash.sha224 = hash.sha.sha224;
39496 hash.sha384 = hash.sha.sha384;
39497 hash.sha512 = hash.sha.sha512;
39498 hash.ripemd160 = hash.ripemd.ripemd160;
39499 });
39500
39501 var secp256k1 = {
39502 doubles: {
39503 step: 4,
39504 points: [
39505 [
39506 'e60fce93b59e9ec53011aabc21c23e97b2a31369b87a5ae9c44ee89e2a6dec0a',
39507 'f7e3507399e595929db99f34f57937101296891e44d23f0be1f32cce69616821'
39508 ],
39509 [
39510 '8282263212c609d9ea2a6e3e172de238d8c39cabd5ac1ca10646e23fd5f51508',
39511 '11f8a8098557dfe45e8256e830b60ace62d613ac2f7b17bed31b6eaff6e26caf'
39512 ],
39513 [
39514 '175e159f728b865a72f99cc6c6fc846de0b93833fd2222ed73fce5b551e5b739',
39515 'd3506e0d9e3c79eba4ef97a51ff71f5eacb5955add24345c6efa6ffee9fed695'
39516 ],
39517 [
39518 '363d90d447b00c9c99ceac05b6262ee053441c7e55552ffe526bad8f83ff4640',
39519 '4e273adfc732221953b445397f3363145b9a89008199ecb62003c7f3bee9de9'
39520 ],
39521 [
39522 '8b4b5f165df3c2be8c6244b5b745638843e4a781a15bcd1b69f79a55dffdf80c',
39523 '4aad0a6f68d308b4b3fbd7813ab0da04f9e336546162ee56b3eff0c65fd4fd36'
39524 ],
39525 [
39526 '723cbaa6e5db996d6bf771c00bd548c7b700dbffa6c0e77bcb6115925232fcda',
39527 '96e867b5595cc498a921137488824d6e2660a0653779494801dc069d9eb39f5f'
39528 ],
39529 [
39530 'eebfa4d493bebf98ba5feec812c2d3b50947961237a919839a533eca0e7dd7fa',
39531 '5d9a8ca3970ef0f269ee7edaf178089d9ae4cdc3a711f712ddfd4fdae1de8999'
39532 ],
39533 [
39534 '100f44da696e71672791d0a09b7bde459f1215a29b3c03bfefd7835b39a48db0',
39535 'cdd9e13192a00b772ec8f3300c090666b7ff4a18ff5195ac0fbd5cd62bc65a09'
39536 ],
39537 [
39538 'e1031be262c7ed1b1dc9227a4a04c017a77f8d4464f3b3852c8acde6e534fd2d',
39539 '9d7061928940405e6bb6a4176597535af292dd419e1ced79a44f18f29456a00d'
39540 ],
39541 [
39542 'feea6cae46d55b530ac2839f143bd7ec5cf8b266a41d6af52d5e688d9094696d',
39543 'e57c6b6c97dce1bab06e4e12bf3ecd5c981c8957cc41442d3155debf18090088'
39544 ],
39545 [
39546 'da67a91d91049cdcb367be4be6ffca3cfeed657d808583de33fa978bc1ec6cb1',
39547 '9bacaa35481642bc41f463f7ec9780e5dec7adc508f740a17e9ea8e27a68be1d'
39548 ],
39549 [
39550 '53904faa0b334cdda6e000935ef22151ec08d0f7bb11069f57545ccc1a37b7c0',
39551 '5bc087d0bc80106d88c9eccac20d3c1c13999981e14434699dcb096b022771c8'
39552 ],
39553 [
39554 '8e7bcd0bd35983a7719cca7764ca906779b53a043a9b8bcaeff959f43ad86047',
39555 '10b7770b2a3da4b3940310420ca9514579e88e2e47fd68b3ea10047e8460372a'
39556 ],
39557 [
39558 '385eed34c1cdff21e6d0818689b81bde71a7f4f18397e6690a841e1599c43862',
39559 '283bebc3e8ea23f56701de19e9ebf4576b304eec2086dc8cc0458fe5542e5453'
39560 ],
39561 [
39562 '6f9d9b803ecf191637c73a4413dfa180fddf84a5947fbc9c606ed86c3fac3a7',
39563 '7c80c68e603059ba69b8e2a30e45c4d47ea4dd2f5c281002d86890603a842160'
39564 ],
39565 [
39566 '3322d401243c4e2582a2147c104d6ecbf774d163db0f5e5313b7e0e742d0e6bd',
39567 '56e70797e9664ef5bfb019bc4ddaf9b72805f63ea2873af624f3a2e96c28b2a0'
39568 ],
39569 [
39570 '85672c7d2de0b7da2bd1770d89665868741b3f9af7643397721d74d28134ab83',
39571 '7c481b9b5b43b2eb6374049bfa62c2e5e77f17fcc5298f44c8e3094f790313a6'
39572 ],
39573 [
39574 '948bf809b1988a46b06c9f1919413b10f9226c60f668832ffd959af60c82a0a',
39575 '53a562856dcb6646dc6b74c5d1c3418c6d4dff08c97cd2bed4cb7f88d8c8e589'
39576 ],
39577 [
39578 '6260ce7f461801c34f067ce0f02873a8f1b0e44dfc69752accecd819f38fd8e8',
39579 'bc2da82b6fa5b571a7f09049776a1ef7ecd292238051c198c1a84e95b2b4ae17'
39580 ],
39581 [
39582 'e5037de0afc1d8d43d8348414bbf4103043ec8f575bfdc432953cc8d2037fa2d',
39583 '4571534baa94d3b5f9f98d09fb990bddbd5f5b03ec481f10e0e5dc841d755bda'
39584 ],
39585 [
39586 'e06372b0f4a207adf5ea905e8f1771b4e7e8dbd1c6a6c5b725866a0ae4fce725',
39587 '7a908974bce18cfe12a27bb2ad5a488cd7484a7787104870b27034f94eee31dd'
39588 ],
39589 [
39590 '213c7a715cd5d45358d0bbf9dc0ce02204b10bdde2a3f58540ad6908d0559754',
39591 '4b6dad0b5ae462507013ad06245ba190bb4850f5f36a7eeddff2c27534b458f2'
39592 ],
39593 [
39594 '4e7c272a7af4b34e8dbb9352a5419a87e2838c70adc62cddf0cc3a3b08fbd53c',
39595 '17749c766c9d0b18e16fd09f6def681b530b9614bff7dd33e0b3941817dcaae6'
39596 ],
39597 [
39598 'fea74e3dbe778b1b10f238ad61686aa5c76e3db2be43057632427e2840fb27b6',
39599 '6e0568db9b0b13297cf674deccb6af93126b596b973f7b77701d3db7f23cb96f'
39600 ],
39601 [
39602 '76e64113f677cf0e10a2570d599968d31544e179b760432952c02a4417bdde39',
39603 'c90ddf8dee4e95cf577066d70681f0d35e2a33d2b56d2032b4b1752d1901ac01'
39604 ],
39605 [
39606 'c738c56b03b2abe1e8281baa743f8f9a8f7cc643df26cbee3ab150242bcbb891',
39607 '893fb578951ad2537f718f2eacbfbbbb82314eef7880cfe917e735d9699a84c3'
39608 ],
39609 [
39610 'd895626548b65b81e264c7637c972877d1d72e5f3a925014372e9f6588f6c14b',
39611 'febfaa38f2bc7eae728ec60818c340eb03428d632bb067e179363ed75d7d991f'
39612 ],
39613 [
39614 'b8da94032a957518eb0f6433571e8761ceffc73693e84edd49150a564f676e03',
39615 '2804dfa44805a1e4d7c99cc9762808b092cc584d95ff3b511488e4e74efdf6e7'
39616 ],
39617 [
39618 'e80fea14441fb33a7d8adab9475d7fab2019effb5156a792f1a11778e3c0df5d',
39619 'eed1de7f638e00771e89768ca3ca94472d155e80af322ea9fcb4291b6ac9ec78'
39620 ],
39621 [
39622 'a301697bdfcd704313ba48e51d567543f2a182031efd6915ddc07bbcc4e16070',
39623 '7370f91cfb67e4f5081809fa25d40f9b1735dbf7c0a11a130c0d1a041e177ea1'
39624 ],
39625 [
39626 '90ad85b389d6b936463f9d0512678de208cc330b11307fffab7ac63e3fb04ed4',
39627 'e507a3620a38261affdcbd9427222b839aefabe1582894d991d4d48cb6ef150'
39628 ],
39629 [
39630 '8f68b9d2f63b5f339239c1ad981f162ee88c5678723ea3351b7b444c9ec4c0da',
39631 '662a9f2dba063986de1d90c2b6be215dbbea2cfe95510bfdf23cbf79501fff82'
39632 ],
39633 [
39634 'e4f3fb0176af85d65ff99ff9198c36091f48e86503681e3e6686fd5053231e11',
39635 '1e63633ad0ef4f1c1661a6d0ea02b7286cc7e74ec951d1c9822c38576feb73bc'
39636 ],
39637 [
39638 '8c00fa9b18ebf331eb961537a45a4266c7034f2f0d4e1d0716fb6eae20eae29e',
39639 'efa47267fea521a1a9dc343a3736c974c2fadafa81e36c54e7d2a4c66702414b'
39640 ],
39641 [
39642 'e7a26ce69dd4829f3e10cec0a9e98ed3143d084f308b92c0997fddfc60cb3e41',
39643 '2a758e300fa7984b471b006a1aafbb18d0a6b2c0420e83e20e8a9421cf2cfd51'
39644 ],
39645 [
39646 'b6459e0ee3662ec8d23540c223bcbdc571cbcb967d79424f3cf29eb3de6b80ef',
39647 '67c876d06f3e06de1dadf16e5661db3c4b3ae6d48e35b2ff30bf0b61a71ba45'
39648 ],
39649 [
39650 'd68a80c8280bb840793234aa118f06231d6f1fc67e73c5a5deda0f5b496943e8',
39651 'db8ba9fff4b586d00c4b1f9177b0e28b5b0e7b8f7845295a294c84266b133120'
39652 ],
39653 [
39654 '324aed7df65c804252dc0270907a30b09612aeb973449cea4095980fc28d3d5d',
39655 '648a365774b61f2ff130c0c35aec1f4f19213b0c7e332843967224af96ab7c84'
39656 ],
39657 [
39658 '4df9c14919cde61f6d51dfdbe5fee5dceec4143ba8d1ca888e8bd373fd054c96',
39659 '35ec51092d8728050974c23a1d85d4b5d506cdc288490192ebac06cad10d5d'
39660 ],
39661 [
39662 '9c3919a84a474870faed8a9c1cc66021523489054d7f0308cbfc99c8ac1f98cd',
39663 'ddb84f0f4a4ddd57584f044bf260e641905326f76c64c8e6be7e5e03d4fc599d'
39664 ],
39665 [
39666 '6057170b1dd12fdf8de05f281d8e06bb91e1493a8b91d4cc5a21382120a959e5',
39667 '9a1af0b26a6a4807add9a2daf71df262465152bc3ee24c65e899be932385a2a8'
39668 ],
39669 [
39670 'a576df8e23a08411421439a4518da31880cef0fba7d4df12b1a6973eecb94266',
39671 '40a6bf20e76640b2c92b97afe58cd82c432e10a7f514d9f3ee8be11ae1b28ec8'
39672 ],
39673 [
39674 '7778a78c28dec3e30a05fe9629de8c38bb30d1f5cf9a3a208f763889be58ad71',
39675 '34626d9ab5a5b22ff7098e12f2ff580087b38411ff24ac563b513fc1fd9f43ac'
39676 ],
39677 [
39678 '928955ee637a84463729fd30e7afd2ed5f96274e5ad7e5cb09eda9c06d903ac',
39679 'c25621003d3f42a827b78a13093a95eeac3d26efa8a8d83fc5180e935bcd091f'
39680 ],
39681 [
39682 '85d0fef3ec6db109399064f3a0e3b2855645b4a907ad354527aae75163d82751',
39683 '1f03648413a38c0be29d496e582cf5663e8751e96877331582c237a24eb1f962'
39684 ],
39685 [
39686 'ff2b0dce97eece97c1c9b6041798b85dfdfb6d8882da20308f5404824526087e',
39687 '493d13fef524ba188af4c4dc54d07936c7b7ed6fb90e2ceb2c951e01f0c29907'
39688 ],
39689 [
39690 '827fbbe4b1e880ea9ed2b2e6301b212b57f1ee148cd6dd28780e5e2cf856e241',
39691 'c60f9c923c727b0b71bef2c67d1d12687ff7a63186903166d605b68baec293ec'
39692 ],
39693 [
39694 'eaa649f21f51bdbae7be4ae34ce6e5217a58fdce7f47f9aa7f3b58fa2120e2b3',
39695 'be3279ed5bbbb03ac69a80f89879aa5a01a6b965f13f7e59d47a5305ba5ad93d'
39696 ],
39697 [
39698 'e4a42d43c5cf169d9391df6decf42ee541b6d8f0c9a137401e23632dda34d24f',
39699 '4d9f92e716d1c73526fc99ccfb8ad34ce886eedfa8d8e4f13a7f7131deba9414'
39700 ],
39701 [
39702 '1ec80fef360cbdd954160fadab352b6b92b53576a88fea4947173b9d4300bf19',
39703 'aeefe93756b5340d2f3a4958a7abbf5e0146e77f6295a07b671cdc1cc107cefd'
39704 ],
39705 [
39706 '146a778c04670c2f91b00af4680dfa8bce3490717d58ba889ddb5928366642be',
39707 'b318e0ec3354028add669827f9d4b2870aaa971d2f7e5ed1d0b297483d83efd0'
39708 ],
39709 [
39710 'fa50c0f61d22e5f07e3acebb1aa07b128d0012209a28b9776d76a8793180eef9',
39711 '6b84c6922397eba9b72cd2872281a68a5e683293a57a213b38cd8d7d3f4f2811'
39712 ],
39713 [
39714 'da1d61d0ca721a11b1a5bf6b7d88e8421a288ab5d5bba5220e53d32b5f067ec2',
39715 '8157f55a7c99306c79c0766161c91e2966a73899d279b48a655fba0f1ad836f1'
39716 ],
39717 [
39718 'a8e282ff0c9706907215ff98e8fd416615311de0446f1e062a73b0610d064e13',
39719 '7f97355b8db81c09abfb7f3c5b2515888b679a3e50dd6bd6cef7c73111f4cc0c'
39720 ],
39721 [
39722 '174a53b9c9a285872d39e56e6913cab15d59b1fa512508c022f382de8319497c',
39723 'ccc9dc37abfc9c1657b4155f2c47f9e6646b3a1d8cb9854383da13ac079afa73'
39724 ],
39725 [
39726 '959396981943785c3d3e57edf5018cdbe039e730e4918b3d884fdff09475b7ba',
39727 '2e7e552888c331dd8ba0386a4b9cd6849c653f64c8709385e9b8abf87524f2fd'
39728 ],
39729 [
39730 'd2a63a50ae401e56d645a1153b109a8fcca0a43d561fba2dbb51340c9d82b151',
39731 'e82d86fb6443fcb7565aee58b2948220a70f750af484ca52d4142174dcf89405'
39732 ],
39733 [
39734 '64587e2335471eb890ee7896d7cfdc866bacbdbd3839317b3436f9b45617e073',
39735 'd99fcdd5bf6902e2ae96dd6447c299a185b90a39133aeab358299e5e9faf6589'
39736 ],
39737 [
39738 '8481bde0e4e4d885b3a546d3e549de042f0aa6cea250e7fd358d6c86dd45e458',
39739 '38ee7b8cba5404dd84a25bf39cecb2ca900a79c42b262e556d64b1b59779057e'
39740 ],
39741 [
39742 '13464a57a78102aa62b6979ae817f4637ffcfed3c4b1ce30bcd6303f6caf666b',
39743 '69be159004614580ef7e433453ccb0ca48f300a81d0942e13f495a907f6ecc27'
39744 ],
39745 [
39746 'bc4a9df5b713fe2e9aef430bcc1dc97a0cd9ccede2f28588cada3a0d2d83f366',
39747 'd3a81ca6e785c06383937adf4b798caa6e8a9fbfa547b16d758d666581f33c1'
39748 ],
39749 [
39750 '8c28a97bf8298bc0d23d8c749452a32e694b65e30a9472a3954ab30fe5324caa',
39751 '40a30463a3305193378fedf31f7cc0eb7ae784f0451cb9459e71dc73cbef9482'
39752 ],
39753 [
39754 '8ea9666139527a8c1dd94ce4f071fd23c8b350c5a4bb33748c4ba111faccae0',
39755 '620efabbc8ee2782e24e7c0cfb95c5d735b783be9cf0f8e955af34a30e62b945'
39756 ],
39757 [
39758 'dd3625faef5ba06074669716bbd3788d89bdde815959968092f76cc4eb9a9787',
39759 '7a188fa3520e30d461da2501045731ca941461982883395937f68d00c644a573'
39760 ],
39761 [
39762 'f710d79d9eb962297e4f6232b40e8f7feb2bc63814614d692c12de752408221e',
39763 'ea98e67232d3b3295d3b535532115ccac8612c721851617526ae47a9c77bfc82'
39764 ]
39765 ]
39766 },
39767 naf: {
39768 wnd: 7,
39769 points: [
39770 [
39771 'f9308a019258c31049344f85f89d5229b531c845836f99b08601f113bce036f9',
39772 '388f7b0f632de8140fe337e62a37f3566500a99934c2231b6cb9fd7584b8e672'
39773 ],
39774 [
39775 '2f8bde4d1a07209355b4a7250a5c5128e88b84bddc619ab7cba8d569b240efe4',
39776 'd8ac222636e5e3d6d4dba9dda6c9c426f788271bab0d6840dca87d3aa6ac62d6'
39777 ],
39778 [
39779 '5cbdf0646e5db4eaa398f365f2ea7a0e3d419b7e0330e39ce92bddedcac4f9bc',
39780 '6aebca40ba255960a3178d6d861a54dba813d0b813fde7b5a5082628087264da'
39781 ],
39782 [
39783 'acd484e2f0c7f65309ad178a9f559abde09796974c57e714c35f110dfc27ccbe',
39784 'cc338921b0a7d9fd64380971763b61e9add888a4375f8e0f05cc262ac64f9c37'
39785 ],
39786 [
39787 '774ae7f858a9411e5ef4246b70c65aac5649980be5c17891bbec17895da008cb',
39788 'd984a032eb6b5e190243dd56d7b7b365372db1e2dff9d6a8301d74c9c953c61b'
39789 ],
39790 [
39791 'f28773c2d975288bc7d1d205c3748651b075fbc6610e58cddeeddf8f19405aa8',
39792 'ab0902e8d880a89758212eb65cdaf473a1a06da521fa91f29b5cb52db03ed81'
39793 ],
39794 [
39795 'd7924d4f7d43ea965a465ae3095ff41131e5946f3c85f79e44adbcf8e27e080e',
39796 '581e2872a86c72a683842ec228cc6defea40af2bd896d3a5c504dc9ff6a26b58'
39797 ],
39798 [
39799 'defdea4cdb677750a420fee807eacf21eb9898ae79b9768766e4faa04a2d4a34',
39800 '4211ab0694635168e997b0ead2a93daeced1f4a04a95c0f6cfb199f69e56eb77'
39801 ],
39802 [
39803 '2b4ea0a797a443d293ef5cff444f4979f06acfebd7e86d277475656138385b6c',
39804 '85e89bc037945d93b343083b5a1c86131a01f60c50269763b570c854e5c09b7a'
39805 ],
39806 [
39807 '352bbf4a4cdd12564f93fa332ce333301d9ad40271f8107181340aef25be59d5',
39808 '321eb4075348f534d59c18259dda3e1f4a1b3b2e71b1039c67bd3d8bcf81998c'
39809 ],
39810 [
39811 '2fa2104d6b38d11b0230010559879124e42ab8dfeff5ff29dc9cdadd4ecacc3f',
39812 '2de1068295dd865b64569335bd5dd80181d70ecfc882648423ba76b532b7d67'
39813 ],
39814 [
39815 '9248279b09b4d68dab21a9b066edda83263c3d84e09572e269ca0cd7f5453714',
39816 '73016f7bf234aade5d1aa71bdea2b1ff3fc0de2a887912ffe54a32ce97cb3402'
39817 ],
39818 [
39819 'daed4f2be3a8bf278e70132fb0beb7522f570e144bf615c07e996d443dee8729',
39820 'a69dce4a7d6c98e8d4a1aca87ef8d7003f83c230f3afa726ab40e52290be1c55'
39821 ],
39822 [
39823 'c44d12c7065d812e8acf28d7cbb19f9011ecd9e9fdf281b0e6a3b5e87d22e7db',
39824 '2119a460ce326cdc76c45926c982fdac0e106e861edf61c5a039063f0e0e6482'
39825 ],
39826 [
39827 '6a245bf6dc698504c89a20cfded60853152b695336c28063b61c65cbd269e6b4',
39828 'e022cf42c2bd4a708b3f5126f16a24ad8b33ba48d0423b6efd5e6348100d8a82'
39829 ],
39830 [
39831 '1697ffa6fd9de627c077e3d2fe541084ce13300b0bec1146f95ae57f0d0bd6a5',
39832 'b9c398f186806f5d27561506e4557433a2cf15009e498ae7adee9d63d01b2396'
39833 ],
39834 [
39835 '605bdb019981718b986d0f07e834cb0d9deb8360ffb7f61df982345ef27a7479',
39836 '2972d2de4f8d20681a78d93ec96fe23c26bfae84fb14db43b01e1e9056b8c49'
39837 ],
39838 [
39839 '62d14dab4150bf497402fdc45a215e10dcb01c354959b10cfe31c7e9d87ff33d',
39840 '80fc06bd8cc5b01098088a1950eed0db01aa132967ab472235f5642483b25eaf'
39841 ],
39842 [
39843 '80c60ad0040f27dade5b4b06c408e56b2c50e9f56b9b8b425e555c2f86308b6f',
39844 '1c38303f1cc5c30f26e66bad7fe72f70a65eed4cbe7024eb1aa01f56430bd57a'
39845 ],
39846 [
39847 '7a9375ad6167ad54aa74c6348cc54d344cc5dc9487d847049d5eabb0fa03c8fb',
39848 'd0e3fa9eca8726909559e0d79269046bdc59ea10c70ce2b02d499ec224dc7f7'
39849 ],
39850 [
39851 'd528ecd9b696b54c907a9ed045447a79bb408ec39b68df504bb51f459bc3ffc9',
39852 'eecf41253136e5f99966f21881fd656ebc4345405c520dbc063465b521409933'
39853 ],
39854 [
39855 '49370a4b5f43412ea25f514e8ecdad05266115e4a7ecb1387231808f8b45963',
39856 '758f3f41afd6ed428b3081b0512fd62a54c3f3afbb5b6764b653052a12949c9a'
39857 ],
39858 [
39859 '77f230936ee88cbbd73df930d64702ef881d811e0e1498e2f1c13eb1fc345d74',
39860 '958ef42a7886b6400a08266e9ba1b37896c95330d97077cbbe8eb3c7671c60d6'
39861 ],
39862 [
39863 'f2dac991cc4ce4b9ea44887e5c7c0bce58c80074ab9d4dbaeb28531b7739f530',
39864 'e0dedc9b3b2f8dad4da1f32dec2531df9eb5fbeb0598e4fd1a117dba703a3c37'
39865 ],
39866 [
39867 '463b3d9f662621fb1b4be8fbbe2520125a216cdfc9dae3debcba4850c690d45b',
39868 '5ed430d78c296c3543114306dd8622d7c622e27c970a1de31cb377b01af7307e'
39869 ],
39870 [
39871 'f16f804244e46e2a09232d4aff3b59976b98fac14328a2d1a32496b49998f247',
39872 'cedabd9b82203f7e13d206fcdf4e33d92a6c53c26e5cce26d6579962c4e31df6'
39873 ],
39874 [
39875 'caf754272dc84563b0352b7a14311af55d245315ace27c65369e15f7151d41d1',
39876 'cb474660ef35f5f2a41b643fa5e460575f4fa9b7962232a5c32f908318a04476'
39877 ],
39878 [
39879 '2600ca4b282cb986f85d0f1709979d8b44a09c07cb86d7c124497bc86f082120',
39880 '4119b88753c15bd6a693b03fcddbb45d5ac6be74ab5f0ef44b0be9475a7e4b40'
39881 ],
39882 [
39883 '7635ca72d7e8432c338ec53cd12220bc01c48685e24f7dc8c602a7746998e435',
39884 '91b649609489d613d1d5e590f78e6d74ecfc061d57048bad9e76f302c5b9c61'
39885 ],
39886 [
39887 '754e3239f325570cdbbf4a87deee8a66b7f2b33479d468fbc1a50743bf56cc18',
39888 '673fb86e5bda30fb3cd0ed304ea49a023ee33d0197a695d0c5d98093c536683'
39889 ],
39890 [
39891 'e3e6bd1071a1e96aff57859c82d570f0330800661d1c952f9fe2694691d9b9e8',
39892 '59c9e0bba394e76f40c0aa58379a3cb6a5a2283993e90c4167002af4920e37f5'
39893 ],
39894 [
39895 '186b483d056a033826ae73d88f732985c4ccb1f32ba35f4b4cc47fdcf04aa6eb',
39896 '3b952d32c67cf77e2e17446e204180ab21fb8090895138b4a4a797f86e80888b'
39897 ],
39898 [
39899 'df9d70a6b9876ce544c98561f4be4f725442e6d2b737d9c91a8321724ce0963f',
39900 '55eb2dafd84d6ccd5f862b785dc39d4ab157222720ef9da217b8c45cf2ba2417'
39901 ],
39902 [
39903 '5edd5cc23c51e87a497ca815d5dce0f8ab52554f849ed8995de64c5f34ce7143',
39904 'efae9c8dbc14130661e8cec030c89ad0c13c66c0d17a2905cdc706ab7399a868'
39905 ],
39906 [
39907 '290798c2b6476830da12fe02287e9e777aa3fba1c355b17a722d362f84614fba',
39908 'e38da76dcd440621988d00bcf79af25d5b29c094db2a23146d003afd41943e7a'
39909 ],
39910 [
39911 'af3c423a95d9f5b3054754efa150ac39cd29552fe360257362dfdecef4053b45',
39912 'f98a3fd831eb2b749a93b0e6f35cfb40c8cd5aa667a15581bc2feded498fd9c6'
39913 ],
39914 [
39915 '766dbb24d134e745cccaa28c99bf274906bb66b26dcf98df8d2fed50d884249a',
39916 '744b1152eacbe5e38dcc887980da38b897584a65fa06cedd2c924f97cbac5996'
39917 ],
39918 [
39919 '59dbf46f8c94759ba21277c33784f41645f7b44f6c596a58ce92e666191abe3e',
39920 'c534ad44175fbc300f4ea6ce648309a042ce739a7919798cd85e216c4a307f6e'
39921 ],
39922 [
39923 'f13ada95103c4537305e691e74e9a4a8dd647e711a95e73cb62dc6018cfd87b8',
39924 'e13817b44ee14de663bf4bc808341f326949e21a6a75c2570778419bdaf5733d'
39925 ],
39926 [
39927 '7754b4fa0e8aced06d4167a2c59cca4cda1869c06ebadfb6488550015a88522c',
39928 '30e93e864e669d82224b967c3020b8fa8d1e4e350b6cbcc537a48b57841163a2'
39929 ],
39930 [
39931 '948dcadf5990e048aa3874d46abef9d701858f95de8041d2a6828c99e2262519',
39932 'e491a42537f6e597d5d28a3224b1bc25df9154efbd2ef1d2cbba2cae5347d57e'
39933 ],
39934 [
39935 '7962414450c76c1689c7b48f8202ec37fb224cf5ac0bfa1570328a8a3d7c77ab',
39936 '100b610ec4ffb4760d5c1fc133ef6f6b12507a051f04ac5760afa5b29db83437'
39937 ],
39938 [
39939 '3514087834964b54b15b160644d915485a16977225b8847bb0dd085137ec47ca',
39940 'ef0afbb2056205448e1652c48e8127fc6039e77c15c2378b7e7d15a0de293311'
39941 ],
39942 [
39943 'd3cc30ad6b483e4bc79ce2c9dd8bc54993e947eb8df787b442943d3f7b527eaf',
39944 '8b378a22d827278d89c5e9be8f9508ae3c2ad46290358630afb34db04eede0a4'
39945 ],
39946 [
39947 '1624d84780732860ce1c78fcbfefe08b2b29823db913f6493975ba0ff4847610',
39948 '68651cf9b6da903e0914448c6cd9d4ca896878f5282be4c8cc06e2a404078575'
39949 ],
39950 [
39951 '733ce80da955a8a26902c95633e62a985192474b5af207da6df7b4fd5fc61cd4',
39952 'f5435a2bd2badf7d485a4d8b8db9fcce3e1ef8e0201e4578c54673bc1dc5ea1d'
39953 ],
39954 [
39955 '15d9441254945064cf1a1c33bbd3b49f8966c5092171e699ef258dfab81c045c',
39956 'd56eb30b69463e7234f5137b73b84177434800bacebfc685fc37bbe9efe4070d'
39957 ],
39958 [
39959 'a1d0fcf2ec9de675b612136e5ce70d271c21417c9d2b8aaaac138599d0717940',
39960 'edd77f50bcb5a3cab2e90737309667f2641462a54070f3d519212d39c197a629'
39961 ],
39962 [
39963 'e22fbe15c0af8ccc5780c0735f84dbe9a790badee8245c06c7ca37331cb36980',
39964 'a855babad5cd60c88b430a69f53a1a7a38289154964799be43d06d77d31da06'
39965 ],
39966 [
39967 '311091dd9860e8e20ee13473c1155f5f69635e394704eaa74009452246cfa9b3',
39968 '66db656f87d1f04fffd1f04788c06830871ec5a64feee685bd80f0b1286d8374'
39969 ],
39970 [
39971 '34c1fd04d301be89b31c0442d3e6ac24883928b45a9340781867d4232ec2dbdf',
39972 '9414685e97b1b5954bd46f730174136d57f1ceeb487443dc5321857ba73abee'
39973 ],
39974 [
39975 'f219ea5d6b54701c1c14de5b557eb42a8d13f3abbcd08affcc2a5e6b049b8d63',
39976 '4cb95957e83d40b0f73af4544cccf6b1f4b08d3c07b27fb8d8c2962a400766d1'
39977 ],
39978 [
39979 'd7b8740f74a8fbaab1f683db8f45de26543a5490bca627087236912469a0b448',
39980 'fa77968128d9c92ee1010f337ad4717eff15db5ed3c049b3411e0315eaa4593b'
39981 ],
39982 [
39983 '32d31c222f8f6f0ef86f7c98d3a3335ead5bcd32abdd94289fe4d3091aa824bf',
39984 '5f3032f5892156e39ccd3d7915b9e1da2e6dac9e6f26e961118d14b8462e1661'
39985 ],
39986 [
39987 '7461f371914ab32671045a155d9831ea8793d77cd59592c4340f86cbc18347b5',
39988 '8ec0ba238b96bec0cbdddcae0aa442542eee1ff50c986ea6b39847b3cc092ff6'
39989 ],
39990 [
39991 'ee079adb1df1860074356a25aa38206a6d716b2c3e67453d287698bad7b2b2d6',
39992 '8dc2412aafe3be5c4c5f37e0ecc5f9f6a446989af04c4e25ebaac479ec1c8c1e'
39993 ],
39994 [
39995 '16ec93e447ec83f0467b18302ee620f7e65de331874c9dc72bfd8616ba9da6b5',
39996 '5e4631150e62fb40d0e8c2a7ca5804a39d58186a50e497139626778e25b0674d'
39997 ],
39998 [
39999 'eaa5f980c245f6f038978290afa70b6bd8855897f98b6aa485b96065d537bd99',
40000 'f65f5d3e292c2e0819a528391c994624d784869d7e6ea67fb18041024edc07dc'
40001 ],
40002 [
40003 '78c9407544ac132692ee1910a02439958ae04877151342ea96c4b6b35a49f51',
40004 'f3e0319169eb9b85d5404795539a5e68fa1fbd583c064d2462b675f194a3ddb4'
40005 ],
40006 [
40007 '494f4be219a1a77016dcd838431aea0001cdc8ae7a6fc688726578d9702857a5',
40008 '42242a969283a5f339ba7f075e36ba2af925ce30d767ed6e55f4b031880d562c'
40009 ],
40010 [
40011 'a598a8030da6d86c6bc7f2f5144ea549d28211ea58faa70ebf4c1e665c1fe9b5',
40012 '204b5d6f84822c307e4b4a7140737aec23fc63b65b35f86a10026dbd2d864e6b'
40013 ],
40014 [
40015 'c41916365abb2b5d09192f5f2dbeafec208f020f12570a184dbadc3e58595997',
40016 '4f14351d0087efa49d245b328984989d5caf9450f34bfc0ed16e96b58fa9913'
40017 ],
40018 [
40019 '841d6063a586fa475a724604da03bc5b92a2e0d2e0a36acfe4c73a5514742881',
40020 '73867f59c0659e81904f9a1c7543698e62562d6744c169ce7a36de01a8d6154'
40021 ],
40022 [
40023 '5e95bb399a6971d376026947f89bde2f282b33810928be4ded112ac4d70e20d5',
40024 '39f23f366809085beebfc71181313775a99c9aed7d8ba38b161384c746012865'
40025 ],
40026 [
40027 '36e4641a53948fd476c39f8a99fd974e5ec07564b5315d8bf99471bca0ef2f66',
40028 'd2424b1b1abe4eb8164227b085c9aa9456ea13493fd563e06fd51cf5694c78fc'
40029 ],
40030 [
40031 '336581ea7bfbbb290c191a2f507a41cf5643842170e914faeab27c2c579f726',
40032 'ead12168595fe1be99252129b6e56b3391f7ab1410cd1e0ef3dcdcabd2fda224'
40033 ],
40034 [
40035 '8ab89816dadfd6b6a1f2634fcf00ec8403781025ed6890c4849742706bd43ede',
40036 '6fdcef09f2f6d0a044e654aef624136f503d459c3e89845858a47a9129cdd24e'
40037 ],
40038 [
40039 '1e33f1a746c9c5778133344d9299fcaa20b0938e8acff2544bb40284b8c5fb94',
40040 '60660257dd11b3aa9c8ed618d24edff2306d320f1d03010e33a7d2057f3b3b6'
40041 ],
40042 [
40043 '85b7c1dcb3cec1b7ee7f30ded79dd20a0ed1f4cc18cbcfcfa410361fd8f08f31',
40044 '3d98a9cdd026dd43f39048f25a8847f4fcafad1895d7a633c6fed3c35e999511'
40045 ],
40046 [
40047 '29df9fbd8d9e46509275f4b125d6d45d7fbe9a3b878a7af872a2800661ac5f51',
40048 'b4c4fe99c775a606e2d8862179139ffda61dc861c019e55cd2876eb2a27d84b'
40049 ],
40050 [
40051 'a0b1cae06b0a847a3fea6e671aaf8adfdfe58ca2f768105c8082b2e449fce252',
40052 'ae434102edde0958ec4b19d917a6a28e6b72da1834aff0e650f049503a296cf2'
40053 ],
40054 [
40055 '4e8ceafb9b3e9a136dc7ff67e840295b499dfb3b2133e4ba113f2e4c0e121e5',
40056 'cf2174118c8b6d7a4b48f6d534ce5c79422c086a63460502b827ce62a326683c'
40057 ],
40058 [
40059 'd24a44e047e19b6f5afb81c7ca2f69080a5076689a010919f42725c2b789a33b',
40060 '6fb8d5591b466f8fc63db50f1c0f1c69013f996887b8244d2cdec417afea8fa3'
40061 ],
40062 [
40063 'ea01606a7a6c9cdd249fdfcfacb99584001edd28abbab77b5104e98e8e3b35d4',
40064 '322af4908c7312b0cfbfe369f7a7b3cdb7d4494bc2823700cfd652188a3ea98d'
40065 ],
40066 [
40067 'af8addbf2b661c8a6c6328655eb96651252007d8c5ea31be4ad196de8ce2131f',
40068 '6749e67c029b85f52a034eafd096836b2520818680e26ac8f3dfbcdb71749700'
40069 ],
40070 [
40071 'e3ae1974566ca06cc516d47e0fb165a674a3dabcfca15e722f0e3450f45889',
40072 '2aeabe7e4531510116217f07bf4d07300de97e4874f81f533420a72eeb0bd6a4'
40073 ],
40074 [
40075 '591ee355313d99721cf6993ffed1e3e301993ff3ed258802075ea8ced397e246',
40076 'b0ea558a113c30bea60fc4775460c7901ff0b053d25ca2bdeee98f1a4be5d196'
40077 ],
40078 [
40079 '11396d55fda54c49f19aa97318d8da61fa8584e47b084945077cf03255b52984',
40080 '998c74a8cd45ac01289d5833a7beb4744ff536b01b257be4c5767bea93ea57a4'
40081 ],
40082 [
40083 '3c5d2a1ba39c5a1790000738c9e0c40b8dcdfd5468754b6405540157e017aa7a',
40084 'b2284279995a34e2f9d4de7396fc18b80f9b8b9fdd270f6661f79ca4c81bd257'
40085 ],
40086 [
40087 'cc8704b8a60a0defa3a99a7299f2e9c3fbc395afb04ac078425ef8a1793cc030',
40088 'bdd46039feed17881d1e0862db347f8cf395b74fc4bcdc4e940b74e3ac1f1b13'
40089 ],
40090 [
40091 'c533e4f7ea8555aacd9777ac5cad29b97dd4defccc53ee7ea204119b2889b197',
40092 '6f0a256bc5efdf429a2fb6242f1a43a2d9b925bb4a4b3a26bb8e0f45eb596096'
40093 ],
40094 [
40095 'c14f8f2ccb27d6f109f6d08d03cc96a69ba8c34eec07bbcf566d48e33da6593',
40096 'c359d6923bb398f7fd4473e16fe1c28475b740dd098075e6c0e8649113dc3a38'
40097 ],
40098 [
40099 'a6cbc3046bc6a450bac24789fa17115a4c9739ed75f8f21ce441f72e0b90e6ef',
40100 '21ae7f4680e889bb130619e2c0f95a360ceb573c70603139862afd617fa9b9f'
40101 ],
40102 [
40103 '347d6d9a02c48927ebfb86c1359b1caf130a3c0267d11ce6344b39f99d43cc38',
40104 '60ea7f61a353524d1c987f6ecec92f086d565ab687870cb12689ff1e31c74448'
40105 ],
40106 [
40107 'da6545d2181db8d983f7dcb375ef5866d47c67b1bf31c8cf855ef7437b72656a',
40108 '49b96715ab6878a79e78f07ce5680c5d6673051b4935bd897fea824b77dc208a'
40109 ],
40110 [
40111 'c40747cc9d012cb1a13b8148309c6de7ec25d6945d657146b9d5994b8feb1111',
40112 '5ca560753be2a12fc6de6caf2cb489565db936156b9514e1bb5e83037e0fa2d4'
40113 ],
40114 [
40115 '4e42c8ec82c99798ccf3a610be870e78338c7f713348bd34c8203ef4037f3502',
40116 '7571d74ee5e0fb92a7a8b33a07783341a5492144cc54bcc40a94473693606437'
40117 ],
40118 [
40119 '3775ab7089bc6af823aba2e1af70b236d251cadb0c86743287522a1b3b0dedea',
40120 'be52d107bcfa09d8bcb9736a828cfa7fac8db17bf7a76a2c42ad961409018cf7'
40121 ],
40122 [
40123 'cee31cbf7e34ec379d94fb814d3d775ad954595d1314ba8846959e3e82f74e26',
40124 '8fd64a14c06b589c26b947ae2bcf6bfa0149ef0be14ed4d80f448a01c43b1c6d'
40125 ],
40126 [
40127 'b4f9eaea09b6917619f6ea6a4eb5464efddb58fd45b1ebefcdc1a01d08b47986',
40128 '39e5c9925b5a54b07433a4f18c61726f8bb131c012ca542eb24a8ac07200682a'
40129 ],
40130 [
40131 'd4263dfc3d2df923a0179a48966d30ce84e2515afc3dccc1b77907792ebcc60e',
40132 '62dfaf07a0f78feb30e30d6295853ce189e127760ad6cf7fae164e122a208d54'
40133 ],
40134 [
40135 '48457524820fa65a4f8d35eb6930857c0032acc0a4a2de422233eeda897612c4',
40136 '25a748ab367979d98733c38a1fa1c2e7dc6cc07db2d60a9ae7a76aaa49bd0f77'
40137 ],
40138 [
40139 'dfeeef1881101f2cb11644f3a2afdfc2045e19919152923f367a1767c11cceda',
40140 'ecfb7056cf1de042f9420bab396793c0c390bde74b4bbdff16a83ae09a9a7517'
40141 ],
40142 [
40143 '6d7ef6b17543f8373c573f44e1f389835d89bcbc6062ced36c82df83b8fae859',
40144 'cd450ec335438986dfefa10c57fea9bcc521a0959b2d80bbf74b190dca712d10'
40145 ],
40146 [
40147 'e75605d59102a5a2684500d3b991f2e3f3c88b93225547035af25af66e04541f',
40148 'f5c54754a8f71ee540b9b48728473e314f729ac5308b06938360990e2bfad125'
40149 ],
40150 [
40151 'eb98660f4c4dfaa06a2be453d5020bc99a0c2e60abe388457dd43fefb1ed620c',
40152 '6cb9a8876d9cb8520609af3add26cd20a0a7cd8a9411131ce85f44100099223e'
40153 ],
40154 [
40155 '13e87b027d8514d35939f2e6892b19922154596941888336dc3563e3b8dba942',
40156 'fef5a3c68059a6dec5d624114bf1e91aac2b9da568d6abeb2570d55646b8adf1'
40157 ],
40158 [
40159 'ee163026e9fd6fe017c38f06a5be6fc125424b371ce2708e7bf4491691e5764a',
40160 '1acb250f255dd61c43d94ccc670d0f58f49ae3fa15b96623e5430da0ad6c62b2'
40161 ],
40162 [
40163 'b268f5ef9ad51e4d78de3a750c2dc89b1e626d43505867999932e5db33af3d80',
40164 '5f310d4b3c99b9ebb19f77d41c1dee018cf0d34fd4191614003e945a1216e423'
40165 ],
40166 [
40167 'ff07f3118a9df035e9fad85eb6c7bfe42b02f01ca99ceea3bf7ffdba93c4750d',
40168 '438136d603e858a3a5c440c38eccbaddc1d2942114e2eddd4740d098ced1f0d8'
40169 ],
40170 [
40171 '8d8b9855c7c052a34146fd20ffb658bea4b9f69e0d825ebec16e8c3ce2b526a1',
40172 'cdb559eedc2d79f926baf44fb84ea4d44bcf50fee51d7ceb30e2e7f463036758'
40173 ],
40174 [
40175 '52db0b5384dfbf05bfa9d472d7ae26dfe4b851ceca91b1eba54263180da32b63',
40176 'c3b997d050ee5d423ebaf66a6db9f57b3180c902875679de924b69d84a7b375'
40177 ],
40178 [
40179 'e62f9490d3d51da6395efd24e80919cc7d0f29c3f3fa48c6fff543becbd43352',
40180 '6d89ad7ba4876b0b22c2ca280c682862f342c8591f1daf5170e07bfd9ccafa7d'
40181 ],
40182 [
40183 '7f30ea2476b399b4957509c88f77d0191afa2ff5cb7b14fd6d8e7d65aaab1193',
40184 'ca5ef7d4b231c94c3b15389a5f6311e9daff7bb67b103e9880ef4bff637acaec'
40185 ],
40186 [
40187 '5098ff1e1d9f14fb46a210fada6c903fef0fb7b4a1dd1d9ac60a0361800b7a00',
40188 '9731141d81fc8f8084d37c6e7542006b3ee1b40d60dfe5362a5b132fd17ddc0'
40189 ],
40190 [
40191 '32b78c7de9ee512a72895be6b9cbefa6e2f3c4ccce445c96b9f2c81e2778ad58',
40192 'ee1849f513df71e32efc3896ee28260c73bb80547ae2275ba497237794c8753c'
40193 ],
40194 [
40195 'e2cb74fddc8e9fbcd076eef2a7c72b0ce37d50f08269dfc074b581550547a4f7',
40196 'd3aa2ed71c9dd2247a62df062736eb0baddea9e36122d2be8641abcb005cc4a4'
40197 ],
40198 [
40199 '8438447566d4d7bedadc299496ab357426009a35f235cb141be0d99cd10ae3a8',
40200 'c4e1020916980a4da5d01ac5e6ad330734ef0d7906631c4f2390426b2edd791f'
40201 ],
40202 [
40203 '4162d488b89402039b584c6fc6c308870587d9c46f660b878ab65c82c711d67e',
40204 '67163e903236289f776f22c25fb8a3afc1732f2b84b4e95dbda47ae5a0852649'
40205 ],
40206 [
40207 '3fad3fa84caf0f34f0f89bfd2dcf54fc175d767aec3e50684f3ba4a4bf5f683d',
40208 'cd1bc7cb6cc407bb2f0ca647c718a730cf71872e7d0d2a53fa20efcdfe61826'
40209 ],
40210 [
40211 '674f2600a3007a00568c1a7ce05d0816c1fb84bf1370798f1c69532faeb1a86b',
40212 '299d21f9413f33b3edf43b257004580b70db57da0b182259e09eecc69e0d38a5'
40213 ],
40214 [
40215 'd32f4da54ade74abb81b815ad1fb3b263d82d6c692714bcff87d29bd5ee9f08f',
40216 'f9429e738b8e53b968e99016c059707782e14f4535359d582fc416910b3eea87'
40217 ],
40218 [
40219 '30e4e670435385556e593657135845d36fbb6931f72b08cb1ed954f1e3ce3ff6',
40220 '462f9bce619898638499350113bbc9b10a878d35da70740dc695a559eb88db7b'
40221 ],
40222 [
40223 'be2062003c51cc3004682904330e4dee7f3dcd10b01e580bf1971b04d4cad297',
40224 '62188bc49d61e5428573d48a74e1c655b1c61090905682a0d5558ed72dccb9bc'
40225 ],
40226 [
40227 '93144423ace3451ed29e0fb9ac2af211cb6e84a601df5993c419859fff5df04a',
40228 '7c10dfb164c3425f5c71a3f9d7992038f1065224f72bb9d1d902a6d13037b47c'
40229 ],
40230 [
40231 'b015f8044f5fcbdcf21ca26d6c34fb8197829205c7b7d2a7cb66418c157b112c',
40232 'ab8c1e086d04e813744a655b2df8d5f83b3cdc6faa3088c1d3aea1454e3a1d5f'
40233 ],
40234 [
40235 'd5e9e1da649d97d89e4868117a465a3a4f8a18de57a140d36b3f2af341a21b52',
40236 '4cb04437f391ed73111a13cc1d4dd0db1693465c2240480d8955e8592f27447a'
40237 ],
40238 [
40239 'd3ae41047dd7ca065dbf8ed77b992439983005cd72e16d6f996a5316d36966bb',
40240 'bd1aeb21ad22ebb22a10f0303417c6d964f8cdd7df0aca614b10dc14d125ac46'
40241 ],
40242 [
40243 '463e2763d885f958fc66cdd22800f0a487197d0a82e377b49f80af87c897b065',
40244 'bfefacdb0e5d0fd7df3a311a94de062b26b80c61fbc97508b79992671ef7ca7f'
40245 ],
40246 [
40247 '7985fdfd127c0567c6f53ec1bb63ec3158e597c40bfe747c83cddfc910641917',
40248 '603c12daf3d9862ef2b25fe1de289aed24ed291e0ec6708703a5bd567f32ed03'
40249 ],
40250 [
40251 '74a1ad6b5f76e39db2dd249410eac7f99e74c59cb83d2d0ed5ff1543da7703e9',
40252 'cc6157ef18c9c63cd6193d83631bbea0093e0968942e8c33d5737fd790e0db08'
40253 ],
40254 [
40255 '30682a50703375f602d416664ba19b7fc9bab42c72747463a71d0896b22f6da3',
40256 '553e04f6b018b4fa6c8f39e7f311d3176290d0e0f19ca73f17714d9977a22ff8'
40257 ],
40258 [
40259 '9e2158f0d7c0d5f26c3791efefa79597654e7a2b2464f52b1ee6c1347769ef57',
40260 '712fcdd1b9053f09003a3481fa7762e9ffd7c8ef35a38509e2fbf2629008373'
40261 ],
40262 [
40263 '176e26989a43c9cfeba4029c202538c28172e566e3c4fce7322857f3be327d66',
40264 'ed8cc9d04b29eb877d270b4878dc43c19aefd31f4eee09ee7b47834c1fa4b1c3'
40265 ],
40266 [
40267 '75d46efea3771e6e68abb89a13ad747ecf1892393dfc4f1b7004788c50374da8',
40268 '9852390a99507679fd0b86fd2b39a868d7efc22151346e1a3ca4726586a6bed8'
40269 ],
40270 [
40271 '809a20c67d64900ffb698c4c825f6d5f2310fb0451c869345b7319f645605721',
40272 '9e994980d9917e22b76b061927fa04143d096ccc54963e6a5ebfa5f3f8e286c1'
40273 ],
40274 [
40275 '1b38903a43f7f114ed4500b4eac7083fdefece1cf29c63528d563446f972c180',
40276 '4036edc931a60ae889353f77fd53de4a2708b26b6f5da72ad3394119daf408f9'
40277 ]
40278 ]
40279 }
40280 };
40281
40282 var curves_1 = createCommonjsModule(function (module, exports) {
40283
40284 var curves = exports;
40285
40286
40287
40288
40289
40290 var assert = utils_1$1.assert;
40291
40292 function PresetCurve(options) {
40293 if (options.type === 'short')
40294 this.curve = new curve_1.short(options);
40295 else if (options.type === 'edwards')
40296 this.curve = new curve_1.edwards(options);
40297 else if (options.type === 'mont')
40298 this.curve = new curve_1.mont(options);
40299 else throw new Error('Unknown curve type.');
40300 this.g = this.curve.g;
40301 this.n = this.curve.n;
40302 this.hash = options.hash;
40303
40304 assert(this.g.validate(), 'Invalid curve');
40305 assert(this.g.mul(this.n).isInfinity(), 'Invalid curve, n*G != O');
40306 }
40307 curves.PresetCurve = PresetCurve;
40308
40309 function defineCurve(name, options) {
40310 Object.defineProperty(curves, name, {
40311 configurable: true,
40312 enumerable: true,
40313 get: function() {
40314 var curve = new PresetCurve(options);
40315 Object.defineProperty(curves, name, {
40316 configurable: true,
40317 enumerable: true,
40318 value: curve
40319 });
40320 return curve;
40321 }
40322 });
40323 }
40324
40325 defineCurve('p192', {
40326 type: 'short',
40327 prime: 'p192',
40328 p: 'ffffffff ffffffff ffffffff fffffffe ffffffff ffffffff',
40329 a: 'ffffffff ffffffff ffffffff fffffffe ffffffff fffffffc',
40330 b: '64210519 e59c80e7 0fa7e9ab 72243049 feb8deec c146b9b1',
40331 n: 'ffffffff ffffffff ffffffff 99def836 146bc9b1 b4d22831',
40332 hash: hash_1.sha256,
40333 gRed: false,
40334 g: [
40335 '188da80e b03090f6 7cbf20eb 43a18800 f4ff0afd 82ff1012',
40336 '07192b95 ffc8da78 631011ed 6b24cdd5 73f977a1 1e794811'
40337 ]
40338 });
40339
40340 defineCurve('p224', {
40341 type: 'short',
40342 prime: 'p224',
40343 p: 'ffffffff ffffffff ffffffff ffffffff 00000000 00000000 00000001',
40344 a: 'ffffffff ffffffff ffffffff fffffffe ffffffff ffffffff fffffffe',
40345 b: 'b4050a85 0c04b3ab f5413256 5044b0b7 d7bfd8ba 270b3943 2355ffb4',
40346 n: 'ffffffff ffffffff ffffffff ffff16a2 e0b8f03e 13dd2945 5c5c2a3d',
40347 hash: hash_1.sha256,
40348 gRed: false,
40349 g: [
40350 'b70e0cbd 6bb4bf7f 321390b9 4a03c1d3 56c21122 343280d6 115c1d21',
40351 'bd376388 b5f723fb 4c22dfe6 cd4375a0 5a074764 44d58199 85007e34'
40352 ]
40353 });
40354
40355 defineCurve('p256', {
40356 type: 'short',
40357 prime: null,
40358 p: 'ffffffff 00000001 00000000 00000000 00000000 ffffffff ffffffff ffffffff',
40359 a: 'ffffffff 00000001 00000000 00000000 00000000 ffffffff ffffffff fffffffc',
40360 b: '5ac635d8 aa3a93e7 b3ebbd55 769886bc 651d06b0 cc53b0f6 3bce3c3e 27d2604b',
40361 n: 'ffffffff 00000000 ffffffff ffffffff bce6faad a7179e84 f3b9cac2 fc632551',
40362 hash: hash_1.sha256,
40363 gRed: false,
40364 g: [
40365 '6b17d1f2 e12c4247 f8bce6e5 63a440f2 77037d81 2deb33a0 f4a13945 d898c296',
40366 '4fe342e2 fe1a7f9b 8ee7eb4a 7c0f9e16 2bce3357 6b315ece cbb64068 37bf51f5'
40367 ]
40368 });
40369
40370 defineCurve('p384', {
40371 type: 'short',
40372 prime: null,
40373 p: 'ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
40374 'fffffffe ffffffff 00000000 00000000 ffffffff',
40375 a: 'ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
40376 'fffffffe ffffffff 00000000 00000000 fffffffc',
40377 b: 'b3312fa7 e23ee7e4 988e056b e3f82d19 181d9c6e fe814112 0314088f ' +
40378 '5013875a c656398d 8a2ed19d 2a85c8ed d3ec2aef',
40379 n: 'ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff c7634d81 ' +
40380 'f4372ddf 581a0db2 48b0a77a ecec196a ccc52973',
40381 hash: hash_1.sha384,
40382 gRed: false,
40383 g: [
40384 'aa87ca22 be8b0537 8eb1c71e f320ad74 6e1d3b62 8ba79b98 59f741e0 82542a38 ' +
40385 '5502f25d bf55296c 3a545e38 72760ab7',
40386 '3617de4a 96262c6f 5d9e98bf 9292dc29 f8f41dbd 289a147c e9da3113 b5f0b8c0 ' +
40387 '0a60b1ce 1d7e819d 7a431d7c 90ea0e5f'
40388 ]
40389 });
40390
40391 defineCurve('p521', {
40392 type: 'short',
40393 prime: null,
40394 p: '000001ff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
40395 'ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
40396 'ffffffff ffffffff ffffffff ffffffff ffffffff',
40397 a: '000001ff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
40398 'ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
40399 'ffffffff ffffffff ffffffff ffffffff fffffffc',
40400 b: '00000051 953eb961 8e1c9a1f 929a21a0 b68540ee a2da725b ' +
40401 '99b315f3 b8b48991 8ef109e1 56193951 ec7e937b 1652c0bd ' +
40402 '3bb1bf07 3573df88 3d2c34f1 ef451fd4 6b503f00',
40403 n: '000001ff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
40404 'ffffffff ffffffff fffffffa 51868783 bf2f966b 7fcc0148 ' +
40405 'f709a5d0 3bb5c9b8 899c47ae bb6fb71e 91386409',
40406 hash: hash_1.sha512,
40407 gRed: false,
40408 g: [
40409 '000000c6 858e06b7 0404e9cd 9e3ecb66 2395b442 9c648139 ' +
40410 '053fb521 f828af60 6b4d3dba a14b5e77 efe75928 fe1dc127 ' +
40411 'a2ffa8de 3348b3c1 856a429b f97e7e31 c2e5bd66',
40412 '00000118 39296a78 9a3bc004 5c8a5fb4 2c7d1bd9 98f54449 ' +
40413 '579b4468 17afbd17 273e662c 97ee7299 5ef42640 c550b901 ' +
40414 '3fad0761 353c7086 a272c240 88be9476 9fd16650'
40415 ]
40416 });
40417
40418 // https://tools.ietf.org/html/rfc7748#section-4.1
40419 defineCurve('curve25519', {
40420 type: 'mont',
40421 prime: 'p25519',
40422 p: '7fffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffed',
40423 a: '76d06',
40424 b: '1',
40425 n: '1000000000000000 0000000000000000 14def9dea2f79cd6 5812631a5cf5d3ed',
40426 cofactor: '8',
40427 hash: hash_1.sha256,
40428 gRed: false,
40429 g: [
40430 '9'
40431 ]
40432 });
40433
40434 defineCurve('ed25519', {
40435 type: 'edwards',
40436 prime: 'p25519',
40437 p: '7fffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffed',
40438 a: '-1',
40439 c: '1',
40440 // -121665 * (121666^(-1)) (mod P)
40441 d: '52036cee2b6ffe73 8cc740797779e898 00700a4d4141d8ab 75eb4dca135978a3',
40442 n: '1000000000000000 0000000000000000 14def9dea2f79cd6 5812631a5cf5d3ed',
40443 cofactor: '8',
40444 hash: hash_1.sha256,
40445 gRed: false,
40446 g: [
40447 '216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a',
40448 // 4/5
40449 '6666666666666666666666666666666666666666666666666666666666666658'
40450 ]
40451 });
40452
40453 // https://tools.ietf.org/html/rfc5639#section-3.4
40454 defineCurve('brainpoolP256r1', {
40455 type: 'short',
40456 prime: null,
40457 p: 'A9FB57DB A1EEA9BC 3E660A90 9D838D72 6E3BF623 D5262028 2013481D 1F6E5377',
40458 a: '7D5A0975 FC2C3057 EEF67530 417AFFE7 FB8055C1 26DC5C6C E94A4B44 F330B5D9',
40459 b: '26DC5C6C E94A4B44 F330B5D9 BBD77CBF 95841629 5CF7E1CE 6BCCDC18 FF8C07B6',
40460 n: 'A9FB57DB A1EEA9BC 3E660A90 9D838D71 8C397AA3 B561A6F7 901E0E82 974856A7',
40461 hash: hash_1.sha256, // or 384, or 512
40462 gRed: false,
40463 g: [
40464 '8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262',
40465 '547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997'
40466 ]
40467 });
40468
40469 // https://tools.ietf.org/html/rfc5639#section-3.6
40470 defineCurve('brainpoolP384r1', {
40471 type: 'short',
40472 prime: null,
40473 p: '8CB91E82 A3386D28 0F5D6F7E 50E641DF 152F7109 ED5456B4 12B1DA19 7FB71123' +
40474 'ACD3A729 901D1A71 87470013 3107EC53',
40475 a: '7BC382C6 3D8C150C 3C72080A CE05AFA0 C2BEA28E 4FB22787 139165EF BA91F90F' +
40476 '8AA5814A 503AD4EB 04A8C7DD 22CE2826',
40477 b: '04A8C7DD 22CE2826 8B39B554 16F0447C 2FB77DE1 07DCD2A6 2E880EA5 3EEB62D5' +
40478 '7CB43902 95DBC994 3AB78696 FA504C11',
40479 n: '8CB91E82 A3386D28 0F5D6F7E 50E641DF 152F7109 ED5456B3 1F166E6C AC0425A7' +
40480 'CF3AB6AF 6B7FC310 3B883202 E9046565',
40481 hash: hash_1.sha384, // or 512
40482 gRed: false,
40483 g: [
40484 '1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10' +
40485 'E8E826E03436D646AAEF87B2E247D4AF1E',
40486 '8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129' +
40487 '280E4646217791811142820341263C5315'
40488 ]
40489 });
40490
40491 // https://tools.ietf.org/html/rfc5639#section-3.7
40492 defineCurve('brainpoolP512r1', {
40493 type: 'short',
40494 prime: null,
40495 p: 'AADD9DB8 DBE9C48B 3FD4E6AE 33C9FC07 CB308DB3 B3C9D20E D6639CCA 70330871' +
40496 '7D4D9B00 9BC66842 AECDA12A E6A380E6 2881FF2F 2D82C685 28AA6056 583A48F3',
40497 a: '7830A331 8B603B89 E2327145 AC234CC5 94CBDD8D 3DF91610 A83441CA EA9863BC' +
40498 '2DED5D5A A8253AA1 0A2EF1C9 8B9AC8B5 7F1117A7 2BF2C7B9 E7C1AC4D 77FC94CA',
40499 b: '3DF91610 A83441CA EA9863BC 2DED5D5A A8253AA1 0A2EF1C9 8B9AC8B5 7F1117A7' +
40500 '2BF2C7B9 E7C1AC4D 77FC94CA DC083E67 984050B7 5EBAE5DD 2809BD63 8016F723',
40501 n: 'AADD9DB8 DBE9C48B 3FD4E6AE 33C9FC07 CB308DB3 B3C9D20E D6639CCA 70330870' +
40502 '553E5C41 4CA92619 41866119 7FAC1047 1DB1D381 085DDADD B5879682 9CA90069',
40503 hash: hash_1.sha512,
40504 gRed: false,
40505 g: [
40506 '81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D009' +
40507 '8EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822',
40508 '7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F81' +
40509 '11B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892'
40510 ]
40511 });
40512
40513 // https://en.bitcoin.it/wiki/Secp256k1
40514 var pre;
40515 try {
40516 pre = secp256k1;
40517 } catch (e) {
40518 pre = undefined;
40519 }
40520
40521 defineCurve('secp256k1', {
40522 type: 'short',
40523 prime: 'k256',
40524 p: 'ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe fffffc2f',
40525 a: '0',
40526 b: '7',
40527 n: 'ffffffff ffffffff ffffffff fffffffe baaedce6 af48a03b bfd25e8c d0364141',
40528 h: '1',
40529 hash: hash_1.sha256,
40530
40531 // Precomputed endomorphism
40532 beta: '7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee',
40533 lambda: '5363ad4cc05c30e0a5261c028812645a122e22ea20816678df02967c1b23bd72',
40534 basis: [
40535 {
40536 a: '3086d221a7d46bcde86c90e49284eb15',
40537 b: '-e4437ed6010e88286f547fa90abfe4c3'
40538 },
40539 {
40540 a: '114ca50f7a8e2f3f657c1108d9d44cfd8',
40541 b: '3086d221a7d46bcde86c90e49284eb15'
40542 }
40543 ],
40544
40545 gRed: false,
40546 g: [
40547 '79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798',
40548 '483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8',
40549 pre
40550 ]
40551 });
40552 });
40553
40554 function HmacDRBG(options) {
40555 if (!(this instanceof HmacDRBG))
40556 return new HmacDRBG(options);
40557 this.hash = options.hash;
40558 this.predResist = !!options.predResist;
40559
40560 this.outLen = this.hash.outSize;
40561 this.minEntropy = options.minEntropy || this.hash.hmacStrength;
40562
40563 this._reseed = null;
40564 this.reseedInterval = null;
40565 this.K = null;
40566 this.V = null;
40567
40568 var entropy = utils_1.toArray(options.entropy, options.entropyEnc || 'hex');
40569 var nonce = utils_1.toArray(options.nonce, options.nonceEnc || 'hex');
40570 var pers = utils_1.toArray(options.pers, options.persEnc || 'hex');
40571 minimalisticAssert(entropy.length >= (this.minEntropy / 8),
40572 'Not enough entropy. Minimum is: ' + this.minEntropy + ' bits');
40573 this._init(entropy, nonce, pers);
40574 }
40575 var hmacDrbg = HmacDRBG;
40576
40577 HmacDRBG.prototype._init = function init(entropy, nonce, pers) {
40578 var seed = entropy.concat(nonce).concat(pers);
40579
40580 this.K = new Array(this.outLen / 8);
40581 this.V = new Array(this.outLen / 8);
40582 for (var i = 0; i < this.V.length; i++) {
40583 this.K[i] = 0x00;
40584 this.V[i] = 0x01;
40585 }
40586
40587 this._update(seed);
40588 this._reseed = 1;
40589 this.reseedInterval = 0x1000000000000; // 2^48
40590 };
40591
40592 HmacDRBG.prototype._hmac = function hmac() {
40593 return new hash_1.hmac(this.hash, this.K);
40594 };
40595
40596 HmacDRBG.prototype._update = function update(seed) {
40597 var kmac = this._hmac()
40598 .update(this.V)
40599 .update([ 0x00 ]);
40600 if (seed)
40601 kmac = kmac.update(seed);
40602 this.K = kmac.digest();
40603 this.V = this._hmac().update(this.V).digest();
40604 if (!seed)
40605 return;
40606
40607 this.K = this._hmac()
40608 .update(this.V)
40609 .update([ 0x01 ])
40610 .update(seed)
40611 .digest();
40612 this.V = this._hmac().update(this.V).digest();
40613 };
40614
40615 HmacDRBG.prototype.reseed = function reseed(entropy, entropyEnc, add, addEnc) {
40616 // Optional entropy enc
40617 if (typeof entropyEnc !== 'string') {
40618 addEnc = add;
40619 add = entropyEnc;
40620 entropyEnc = null;
40621 }
40622
40623 entropy = utils_1.toArray(entropy, entropyEnc);
40624 add = utils_1.toArray(add, addEnc);
40625
40626 minimalisticAssert(entropy.length >= (this.minEntropy / 8),
40627 'Not enough entropy. Minimum is: ' + this.minEntropy + ' bits');
40628
40629 this._update(entropy.concat(add || []));
40630 this._reseed = 1;
40631 };
40632
40633 HmacDRBG.prototype.generate = function generate(len, enc, add, addEnc) {
40634 if (this._reseed > this.reseedInterval)
40635 throw new Error('Reseed is required');
40636
40637 // Optional encoding
40638 if (typeof enc !== 'string') {
40639 addEnc = add;
40640 add = enc;
40641 enc = null;
40642 }
40643
40644 // Optional additional data
40645 if (add) {
40646 add = utils_1.toArray(add, addEnc || 'hex');
40647 this._update(add);
40648 }
40649
40650 var temp = [];
40651 while (temp.length < len) {
40652 this.V = this._hmac().update(this.V).digest();
40653 temp = temp.concat(this.V);
40654 }
40655
40656 var res = temp.slice(0, len);
40657 this._update(add);
40658 this._reseed++;
40659 return utils_1.encode(res, enc);
40660 };
40661
40662 var assert$5 = utils_1$1.assert;
40663
40664 function KeyPair(ec, options) {
40665 this.ec = ec;
40666 this.priv = null;
40667 this.pub = null;
40668
40669 // KeyPair(ec, { priv: ..., pub: ... })
40670 if (options.priv)
40671 this._importPrivate(options.priv, options.privEnc);
40672 if (options.pub)
40673 this._importPublic(options.pub, options.pubEnc);
40674 }
40675 var key = KeyPair;
40676
40677 KeyPair.fromPublic = function fromPublic(ec, pub, enc) {
40678 if (pub instanceof KeyPair)
40679 return pub;
40680
40681 return new KeyPair(ec, {
40682 pub: pub,
40683 pubEnc: enc
40684 });
40685 };
40686
40687 KeyPair.fromPrivate = function fromPrivate(ec, priv, enc) {
40688 if (priv instanceof KeyPair)
40689 return priv;
40690
40691 return new KeyPair(ec, {
40692 priv: priv,
40693 privEnc: enc
40694 });
40695 };
40696
40697 // TODO: should not validate for X25519
40698 KeyPair.prototype.validate = function validate() {
40699 var pub = this.getPublic();
40700
40701 if (pub.isInfinity())
40702 return { result: false, reason: 'Invalid public key' };
40703 if (!pub.validate())
40704 return { result: false, reason: 'Public key is not a point' };
40705 if (!pub.mul(this.ec.curve.n).isInfinity())
40706 return { result: false, reason: 'Public key * N != O' };
40707
40708 return { result: true, reason: null };
40709 };
40710
40711 KeyPair.prototype.getPublic = function getPublic(enc, compact) {
40712 if (!this.pub)
40713 this.pub = this.ec.g.mul(this.priv);
40714
40715 if (!enc)
40716 return this.pub;
40717
40718 return this.pub.encode(enc, compact);
40719 };
40720
40721 KeyPair.prototype.getPrivate = function getPrivate(enc) {
40722 if (enc === 'hex')
40723 return this.priv.toString(16, 2);
40724 else
40725 return this.priv;
40726 };
40727
40728 KeyPair.prototype._importPrivate = function _importPrivate(key, enc) {
40729 this.priv = new bn(key, enc || 16);
40730
40731 // For Curve25519/Curve448 we have a specific procedure.
40732 // TODO Curve448
40733 if (this.ec.curve.type === 'mont') {
40734 var one = this.ec.curve.one;
40735 var mask = one.ushln(255 - 3).sub(one).ushln(3);
40736 this.priv = this.priv.or(one.ushln(255 - 1));
40737 this.priv = this.priv.and(mask);
40738 } else
40739 // Ensure that the priv won't be bigger than n, otherwise we may fail
40740 // in fixed multiplication method
40741 this.priv = this.priv.umod(this.ec.curve.n);
40742 };
40743
40744 KeyPair.prototype._importPublic = function _importPublic(key, enc) {
40745 if (key.x || key.y) {
40746 // Montgomery points only have an `x` coordinate.
40747 // Weierstrass/Edwards points on the other hand have both `x` and
40748 // `y` coordinates.
40749 if (this.ec.curve.type === 'mont') {
40750 assert$5(key.x, 'Need x coordinate');
40751 } else if (this.ec.curve.type === 'short' ||
40752 this.ec.curve.type === 'edwards') {
40753 assert$5(key.x && key.y, 'Need both x and y coordinate');
40754 }
40755 this.pub = this.ec.curve.point(key.x, key.y);
40756 return;
40757 }
40758 this.pub = this.ec.curve.decodePoint(key, enc);
40759 };
40760
40761 // ECDH
40762 KeyPair.prototype.derive = function derive(pub) {
40763 return pub.mul(this.priv).getX();
40764 };
40765
40766 // ECDSA
40767 KeyPair.prototype.sign = function sign(msg, enc, options) {
40768 return this.ec.sign(msg, this, enc, options);
40769 };
40770
40771 KeyPair.prototype.verify = function verify(msg, signature) {
40772 return this.ec.verify(msg, signature, this);
40773 };
40774
40775 KeyPair.prototype.inspect = function inspect() {
40776 return '<Key priv: ' + (this.priv && this.priv.toString(16, 2)) +
40777 ' pub: ' + (this.pub && this.pub.inspect()) + ' >';
40778 };
40779
40780 var assert$6 = utils_1$1.assert;
40781
40782 function Signature$1(options, enc) {
40783 if (options instanceof Signature$1)
40784 return options;
40785
40786 if (this._importDER(options, enc))
40787 return;
40788
40789 assert$6(options.r && options.s, 'Signature without r or s');
40790 this.r = new bn(options.r, 16);
40791 this.s = new bn(options.s, 16);
40792 if (options.recoveryParam === undefined)
40793 this.recoveryParam = null;
40794 else
40795 this.recoveryParam = options.recoveryParam;
40796 }
40797 var signature$1 = Signature$1;
40798
40799 function Position() {
40800 this.place = 0;
40801 }
40802
40803 function getLength(buf, p) {
40804 var initial = buf[p.place++];
40805 if (!(initial & 0x80)) {
40806 return initial;
40807 }
40808 var octetLen = initial & 0xf;
40809 var val = 0;
40810 for (var i = 0, off = p.place; i < octetLen; i++, off++) {
40811 val <<= 8;
40812 val |= buf[off];
40813 }
40814 p.place = off;
40815 return val;
40816 }
40817
40818 function rmPadding(buf) {
40819 var i = 0;
40820 var len = buf.length - 1;
40821 while (!buf[i] && !(buf[i + 1] & 0x80) && i < len) {
40822 i++;
40823 }
40824 if (i === 0) {
40825 return buf;
40826 }
40827 return buf.slice(i);
40828 }
40829
40830 Signature$1.prototype._importDER = function _importDER(data, enc) {
40831 data = utils_1$1.toArray(data, enc);
40832 var p = new Position();
40833 if (data[p.place++] !== 0x30) {
40834 return false;
40835 }
40836 var len = getLength(data, p);
40837 if ((len + p.place) !== data.length) {
40838 return false;
40839 }
40840 if (data[p.place++] !== 0x02) {
40841 return false;
40842 }
40843 var rlen = getLength(data, p);
40844 var r = data.slice(p.place, rlen + p.place);
40845 p.place += rlen;
40846 if (data[p.place++] !== 0x02) {
40847 return false;
40848 }
40849 var slen = getLength(data, p);
40850 if (data.length !== slen + p.place) {
40851 return false;
40852 }
40853 var s = data.slice(p.place, slen + p.place);
40854 if (r[0] === 0 && (r[1] & 0x80)) {
40855 r = r.slice(1);
40856 }
40857 if (s[0] === 0 && (s[1] & 0x80)) {
40858 s = s.slice(1);
40859 }
40860
40861 this.r = new bn(r);
40862 this.s = new bn(s);
40863 this.recoveryParam = null;
40864
40865 return true;
40866 };
40867
40868 function constructLength(arr, len) {
40869 if (len < 0x80) {
40870 arr.push(len);
40871 return;
40872 }
40873 var octets = 1 + (Math.log(len) / Math.LN2 >>> 3);
40874 arr.push(octets | 0x80);
40875 while (--octets) {
40876 arr.push((len >>> (octets << 3)) & 0xff);
40877 }
40878 arr.push(len);
40879 }
40880
40881 Signature$1.prototype.toDER = function toDER(enc) {
40882 var r = this.r.toArray();
40883 var s = this.s.toArray();
40884
40885 // Pad values
40886 if (r[0] & 0x80)
40887 r = [ 0 ].concat(r);
40888 // Pad values
40889 if (s[0] & 0x80)
40890 s = [ 0 ].concat(s);
40891
40892 r = rmPadding(r);
40893 s = rmPadding(s);
40894
40895 while (!s[0] && !(s[1] & 0x80)) {
40896 s = s.slice(1);
40897 }
40898 var arr = [ 0x02 ];
40899 constructLength(arr, r.length);
40900 arr = arr.concat(r);
40901 arr.push(0x02);
40902 constructLength(arr, s.length);
40903 var backHalf = arr.concat(s);
40904 var res = [ 0x30 ];
40905 constructLength(res, backHalf.length);
40906 res = res.concat(backHalf);
40907 return utils_1$1.encode(res, enc);
40908 };
40909
40910 var assert$7 = utils_1$1.assert;
40911
40912
40913
40914
40915 function EC(options) {
40916 if (!(this instanceof EC))
40917 return new EC(options);
40918
40919 // Shortcut `elliptic.ec(curve-name)`
40920 if (typeof options === 'string') {
40921 assert$7(curves_1.hasOwnProperty(options), 'Unknown curve ' + options);
40922
40923 options = curves_1[options];
40924 }
40925
40926 // Shortcut for `elliptic.ec(elliptic.curves.curveName)`
40927 if (options instanceof curves_1.PresetCurve)
40928 options = { curve: options };
40929
40930 this.curve = options.curve.curve;
40931 this.n = this.curve.n;
40932 this.nh = this.n.ushrn(1);
40933 this.g = this.curve.g;
40934
40935 // Point on curve
40936 this.g = options.curve.g;
40937 this.g.precompute(options.curve.n.bitLength() + 1);
40938
40939 // Hash function for DRBG
40940 this.hash = options.hash || options.curve.hash;
40941 }
40942 var ec = EC;
40943
40944 EC.prototype.keyPair = function keyPair(options) {
40945 return new key(this, options);
40946 };
40947
40948 EC.prototype.keyFromPrivate = function keyFromPrivate(priv, enc) {
40949 return key.fromPrivate(this, priv, enc);
40950 };
40951
40952 EC.prototype.keyFromPublic = function keyFromPublic(pub, enc) {
40953 return key.fromPublic(this, pub, enc);
40954 };
40955
40956 EC.prototype.genKeyPair = function genKeyPair(options) {
40957 if (!options)
40958 options = {};
40959
40960 // Instantiate Hmac_DRBG
40961 var drbg = new hmacDrbg({
40962 hash: this.hash,
40963 pers: options.pers,
40964 persEnc: options.persEnc || 'utf8',
40965 entropy: options.entropy || brorand(this.hash.hmacStrength),
40966 entropyEnc: options.entropy && options.entropyEnc || 'utf8',
40967 nonce: this.n.toArray()
40968 });
40969
40970 // Key generation for curve25519 is simpler
40971 if (this.curve.type === 'mont') {
40972 var priv = new bn(drbg.generate(32));
40973 return this.keyFromPrivate(priv);
40974 }
40975
40976 var bytes = this.n.byteLength();
40977 var ns2 = this.n.sub(new bn(2));
40978 do {
40979 var priv = new bn(drbg.generate(bytes));
40980 if (priv.cmp(ns2) > 0)
40981 continue;
40982
40983 priv.iaddn(1);
40984 return this.keyFromPrivate(priv);
40985 } while (true);
40986 };
40987
40988 EC.prototype._truncateToN = function truncateToN(msg, truncOnly, bitSize) {
40989 bitSize = bitSize || msg.byteLength() * 8;
40990 var delta = bitSize - this.n.bitLength();
40991 if (delta > 0)
40992 msg = msg.ushrn(delta);
40993 if (!truncOnly && msg.cmp(this.n) >= 0)
40994 return msg.sub(this.n);
40995 else
40996 return msg;
40997 };
40998
40999 EC.prototype.truncateMsg = function truncateMSG(msg) {
41000 // Bit size is only determined correctly for Uint8Arrays and hex strings
41001 var bitSize;
41002 if (msg instanceof Uint8Array) {
41003 bitSize = msg.byteLength * 8;
41004 msg = this._truncateToN(new bn(msg, 16), false, bitSize);
41005 } else if (typeof msg === 'string') {
41006 bitSize = msg.length * 4;
41007 msg = this._truncateToN(new bn(msg, 16), false, bitSize);
41008 } else {
41009 msg = this._truncateToN(new bn(msg, 16));
41010 }
41011 return msg;
41012 };
41013
41014 EC.prototype.sign = function sign(msg, key, enc, options) {
41015 if (typeof enc === 'object') {
41016 options = enc;
41017 enc = null;
41018 }
41019 if (!options)
41020 options = {};
41021
41022 key = this.keyFromPrivate(key, enc);
41023 msg = this.truncateMsg(msg);
41024
41025 // Zero-extend key to provide enough entropy
41026 var bytes = this.n.byteLength();
41027 var bkey = key.getPrivate().toArray('be', bytes);
41028
41029 // Zero-extend nonce to have the same byte size as N
41030 var nonce = msg.toArray('be', bytes);
41031
41032 // Instantiate Hmac_DRBG
41033 var drbg = new hmacDrbg({
41034 hash: this.hash,
41035 entropy: bkey,
41036 nonce: nonce,
41037 pers: options.pers,
41038 persEnc: options.persEnc || 'utf8'
41039 });
41040
41041 // Number of bytes to generate
41042 var ns1 = this.n.sub(new bn(1));
41043
41044 for (var iter = 0; true; iter++) {
41045 var k = options.k ?
41046 options.k(iter) :
41047 new bn(drbg.generate(this.n.byteLength()));
41048 k = this._truncateToN(k, true);
41049 if (k.cmpn(1) <= 0 || k.cmp(ns1) >= 0)
41050 continue;
41051
41052 var kp = this.g.mul(k);
41053 if (kp.isInfinity())
41054 continue;
41055
41056 var kpX = kp.getX();
41057 var r = kpX.umod(this.n);
41058 if (r.cmpn(0) === 0)
41059 continue;
41060
41061 var s = k.invm(this.n).mul(r.mul(key.getPrivate()).iadd(msg));
41062 s = s.umod(this.n);
41063 if (s.cmpn(0) === 0)
41064 continue;
41065
41066 var recoveryParam = (kp.getY().isOdd() ? 1 : 0) |
41067 (kpX.cmp(r) !== 0 ? 2 : 0);
41068
41069 // Use complement of `s`, if it is > `n / 2`
41070 if (options.canonical && s.cmp(this.nh) > 0) {
41071 s = this.n.sub(s);
41072 recoveryParam ^= 1;
41073 }
41074
41075 return new signature$1({ r: r, s: s, recoveryParam: recoveryParam });
41076 }
41077 };
41078
41079 EC.prototype.verify = function verify(msg, signature, key, enc) {
41080 key = this.keyFromPublic(key, enc);
41081 signature = new signature$1(signature, 'hex');
41082 // Fallback to the old code
41083 var ret = this._verify(this.truncateMsg(msg), signature, key) ||
41084 this._verify(this._truncateToN(new bn(msg, 16)), signature, key);
41085 return ret;
41086 };
41087
41088 EC.prototype._verify = function _verify(msg, signature, key) {
41089 // Perform primitive values validation
41090 var r = signature.r;
41091 var s = signature.s;
41092 if (r.cmpn(1) < 0 || r.cmp(this.n) >= 0)
41093 return false;
41094 if (s.cmpn(1) < 0 || s.cmp(this.n) >= 0)
41095 return false;
41096
41097 // Validate signature
41098 var sinv = s.invm(this.n);
41099 var u1 = sinv.mul(msg).umod(this.n);
41100 var u2 = sinv.mul(r).umod(this.n);
41101
41102 if (!this.curve._maxwellTrick) {
41103 var p = this.g.mulAdd(u1, key.getPublic(), u2);
41104 if (p.isInfinity())
41105 return false;
41106
41107 return p.getX().umod(this.n).cmp(r) === 0;
41108 }
41109
41110 // NOTE: Greg Maxwell's trick, inspired by:
41111 // https://git.io/vad3K
41112
41113 var p = this.g.jmulAdd(u1, key.getPublic(), u2);
41114 if (p.isInfinity())
41115 return false;
41116
41117 // Compare `p.x` of Jacobian point with `r`,
41118 // this will do `p.x == r * p.z^2` instead of multiplying `p.x` by the
41119 // inverse of `p.z^2`
41120 return p.eqXToP(r);
41121 };
41122
41123 EC.prototype.recoverPubKey = function(msg, signature, j, enc) {
41124 assert$7((3 & j) === j, 'The recovery param is more than two bits');
41125 signature = new signature$1(signature, enc);
41126
41127 var n = this.n;
41128 var e = new bn(msg);
41129 var r = signature.r;
41130 var s = signature.s;
41131
41132 // A set LSB signifies that the y-coordinate is odd
41133 var isYOdd = j & 1;
41134 var isSecondKey = j >> 1;
41135 if (r.cmp(this.curve.p.umod(this.curve.n)) >= 0 && isSecondKey)
41136 throw new Error('Unable to find sencond key candinate');
41137
41138 // 1.1. Let x = r + jn.
41139 if (isSecondKey)
41140 r = this.curve.pointFromX(r.add(this.curve.n), isYOdd);
41141 else
41142 r = this.curve.pointFromX(r, isYOdd);
41143
41144 var rInv = signature.r.invm(n);
41145 var s1 = n.sub(e).mul(rInv).umod(n);
41146 var s2 = s.mul(rInv).umod(n);
41147
41148 // 1.6.1 Compute Q = r^-1 (sR - eG)
41149 // Q = r^-1 (sR + -eG)
41150 return this.g.mulAdd(s1, r, s2);
41151 };
41152
41153 EC.prototype.getKeyRecoveryParam = function(e, signature, Q, enc) {
41154 signature = new signature$1(signature, enc);
41155 if (signature.recoveryParam !== null)
41156 return signature.recoveryParam;
41157
41158 for (var i = 0; i < 4; i++) {
41159 var Qprime;
41160 try {
41161 Qprime = this.recoverPubKey(e, signature, i);
41162 } catch (e) {
41163 continue;
41164 }
41165
41166 if (Qprime.eq(Q))
41167 return i;
41168 }
41169 throw new Error('Unable to find valid recovery factor');
41170 };
41171
41172 var assert$8 = utils_1$1.assert;
41173 var parseBytes = utils_1$1.parseBytes;
41174 var cachedProperty = utils_1$1.cachedProperty;
41175
41176 /**
41177 * @param {EDDSA} eddsa - instance
41178 * @param {Object} params - public/private key parameters
41179 *
41180 * @param {Array<Byte>} [params.secret] - secret seed bytes
41181 * @param {Point} [params.pub] - public key point (aka `A` in eddsa terms)
41182 * @param {Array<Byte>} [params.pub] - public key point encoded as bytes
41183 *
41184 */
41185 function KeyPair$1(eddsa, params) {
41186 this.eddsa = eddsa;
41187 if (params.hasOwnProperty('secret'))
41188 this._secret = parseBytes(params.secret);
41189 if (eddsa.isPoint(params.pub))
41190 this._pub = params.pub;
41191 else {
41192 this._pubBytes = parseBytes(params.pub);
41193 if (this._pubBytes && this._pubBytes.length === 33 &&
41194 this._pubBytes[0] === 0x40)
41195 this._pubBytes = this._pubBytes.slice(1, 33);
41196 if (this._pubBytes && this._pubBytes.length !== 32)
41197 throw new Error('Unknown point compression format');
41198 }
41199 }
41200
41201 KeyPair$1.fromPublic = function fromPublic(eddsa, pub) {
41202 if (pub instanceof KeyPair$1)
41203 return pub;
41204 return new KeyPair$1(eddsa, { pub: pub });
41205 };
41206
41207 KeyPair$1.fromSecret = function fromSecret(eddsa, secret) {
41208 if (secret instanceof KeyPair$1)
41209 return secret;
41210 return new KeyPair$1(eddsa, { secret: secret });
41211 };
41212
41213 KeyPair$1.prototype.secret = function secret() {
41214 return this._secret;
41215 };
41216
41217 cachedProperty(KeyPair$1, 'pubBytes', function pubBytes() {
41218 return this.eddsa.encodePoint(this.pub());
41219 });
41220
41221 cachedProperty(KeyPair$1, 'pub', function pub() {
41222 if (this._pubBytes)
41223 return this.eddsa.decodePoint(this._pubBytes);
41224 return this.eddsa.g.mul(this.priv());
41225 });
41226
41227 cachedProperty(KeyPair$1, 'privBytes', function privBytes() {
41228 var eddsa = this.eddsa;
41229 var hash = this.hash();
41230 var lastIx = eddsa.encodingLength - 1;
41231
41232 // https://tools.ietf.org/html/rfc8032#section-5.1.5
41233 var a = hash.slice(0, eddsa.encodingLength);
41234 a[0] &= 248;
41235 a[lastIx] &= 127;
41236 a[lastIx] |= 64;
41237
41238 return a;
41239 });
41240
41241 cachedProperty(KeyPair$1, 'priv', function priv() {
41242 return this.eddsa.decodeInt(this.privBytes());
41243 });
41244
41245 cachedProperty(KeyPair$1, 'hash', function hash() {
41246 return this.eddsa.hash().update(this.secret()).digest();
41247 });
41248
41249 cachedProperty(KeyPair$1, 'messagePrefix', function messagePrefix() {
41250 return this.hash().slice(this.eddsa.encodingLength);
41251 });
41252
41253 KeyPair$1.prototype.sign = function sign(message) {
41254 assert$8(this._secret, 'KeyPair can only verify');
41255 return this.eddsa.sign(message, this);
41256 };
41257
41258 KeyPair$1.prototype.verify = function verify(message, sig) {
41259 return this.eddsa.verify(message, sig, this);
41260 };
41261
41262 KeyPair$1.prototype.getSecret = function getSecret(enc) {
41263 assert$8(this._secret, 'KeyPair is public only');
41264 return utils_1$1.encode(this.secret(), enc);
41265 };
41266
41267 KeyPair$1.prototype.getPublic = function getPublic(enc, compact) {
41268 return utils_1$1.encode((compact ? [ 0x40 ] : []).concat(this.pubBytes()), enc);
41269 };
41270
41271 var key$1 = KeyPair$1;
41272
41273 var assert$9 = utils_1$1.assert;
41274 var cachedProperty$1 = utils_1$1.cachedProperty;
41275 var parseBytes$1 = utils_1$1.parseBytes;
41276
41277 /**
41278 * @param {EDDSA} eddsa - eddsa instance
41279 * @param {Array<Bytes>|Object} sig -
41280 * @param {Array<Bytes>|Point} [sig.R] - R point as Point or bytes
41281 * @param {Array<Bytes>|bn} [sig.S] - S scalar as bn or bytes
41282 * @param {Array<Bytes>} [sig.Rencoded] - R point encoded
41283 * @param {Array<Bytes>} [sig.Sencoded] - S scalar encoded
41284 */
41285 function Signature$2(eddsa, sig) {
41286 this.eddsa = eddsa;
41287
41288 if (typeof sig !== 'object')
41289 sig = parseBytes$1(sig);
41290
41291 if (Array.isArray(sig)) {
41292 sig = {
41293 R: sig.slice(0, eddsa.encodingLength),
41294 S: sig.slice(eddsa.encodingLength)
41295 };
41296 }
41297
41298 assert$9(sig.R && sig.S, 'Signature without R or S');
41299
41300 if (eddsa.isPoint(sig.R))
41301 this._R = sig.R;
41302 if (sig.S instanceof bn)
41303 this._S = sig.S;
41304
41305 this._Rencoded = Array.isArray(sig.R) ? sig.R : sig.Rencoded;
41306 this._Sencoded = Array.isArray(sig.S) ? sig.S : sig.Sencoded;
41307 }
41308
41309 cachedProperty$1(Signature$2, 'S', function S() {
41310 return this.eddsa.decodeInt(this.Sencoded());
41311 });
41312
41313 cachedProperty$1(Signature$2, 'R', function R() {
41314 return this.eddsa.decodePoint(this.Rencoded());
41315 });
41316
41317 cachedProperty$1(Signature$2, 'Rencoded', function Rencoded() {
41318 return this.eddsa.encodePoint(this.R());
41319 });
41320
41321 cachedProperty$1(Signature$2, 'Sencoded', function Sencoded() {
41322 return this.eddsa.encodeInt(this.S());
41323 });
41324
41325 Signature$2.prototype.toBytes = function toBytes() {
41326 return this.Rencoded().concat(this.Sencoded());
41327 };
41328
41329 Signature$2.prototype.toHex = function toHex() {
41330 return utils_1$1.encode(this.toBytes(), 'hex').toUpperCase();
41331 };
41332
41333 var signature$2 = Signature$2;
41334
41335 var assert$a = utils_1$1.assert;
41336 var parseBytes$2 = utils_1$1.parseBytes;
41337
41338
41339
41340 function EDDSA(curve) {
41341 assert$a(curve === 'ed25519', 'only tested with ed25519 so far');
41342
41343 if (!(this instanceof EDDSA))
41344 return new EDDSA(curve);
41345
41346 var curve = curves_1[curve].curve;
41347 this.curve = curve;
41348 this.g = curve.g;
41349 this.g.precompute(curve.n.bitLength() + 1);
41350
41351 this.pointClass = curve.point().constructor;
41352 this.encodingLength = Math.ceil(curve.n.bitLength() / 8);
41353 this.hash = hash_1.sha512;
41354 }
41355
41356 var eddsa$1 = EDDSA;
41357
41358 /**
41359 * @param {Array|String} message - message bytes
41360 * @param {Array|String|KeyPair} secret - secret bytes or a keypair
41361 * @returns {Signature} - signature
41362 */
41363 EDDSA.prototype.sign = function sign(message, secret) {
41364 message = parseBytes$2(message);
41365 var key = this.keyFromSecret(secret);
41366 var r = this.hashInt(key.messagePrefix(), message);
41367 var R = this.g.mul(r);
41368 var Rencoded = this.encodePoint(R);
41369 var s_ = this.hashInt(Rencoded, key.pubBytes(), message)
41370 .mul(key.priv());
41371 var S = r.add(s_).umod(this.curve.n);
41372 return this.makeSignature({ R: R, S: S, Rencoded: Rencoded });
41373 };
41374
41375 /**
41376 * @param {Array} message - message bytes
41377 * @param {Array|String|Signature} sig - sig bytes
41378 * @param {Array|String|Point|KeyPair} pub - public key
41379 * @returns {Boolean} - true if public key matches sig of message
41380 */
41381 EDDSA.prototype.verify = function verify(message, sig, pub) {
41382 message = parseBytes$2(message);
41383 sig = this.makeSignature(sig);
41384 var key = this.keyFromPublic(pub);
41385 var h = this.hashInt(sig.Rencoded(), key.pubBytes(), message);
41386 var SG = this.g.mul(sig.S());
41387 var RplusAh = sig.R().add(key.pub().mul(h));
41388 return RplusAh.eq(SG);
41389 };
41390
41391 EDDSA.prototype.hashInt = function hashInt() {
41392 var hash = this.hash();
41393 for (var i = 0; i < arguments.length; i++)
41394 hash.update(arguments[i]);
41395 return utils_1$1.intFromLE(hash.digest()).umod(this.curve.n);
41396 };
41397
41398 EDDSA.prototype.keyPair = function keyPair(options) {
41399 return new key$1(this, options);
41400 };
41401
41402 EDDSA.prototype.keyFromPublic = function keyFromPublic(pub) {
41403 return key$1.fromPublic(this, pub);
41404 };
41405
41406 EDDSA.prototype.keyFromSecret = function keyFromSecret(secret) {
41407 return key$1.fromSecret(this, secret);
41408 };
41409
41410 EDDSA.prototype.genKeyPair = function genKeyPair(options) {
41411 if (!options)
41412 options = {};
41413
41414 // Instantiate Hmac_DRBG
41415 var drbg = new hmacDrbg({
41416 hash: this.hash,
41417 pers: options.pers,
41418 persEnc: options.persEnc || 'utf8',
41419 entropy: options.entropy || brorand(this.hash.hmacStrength),
41420 entropyEnc: options.entropy && options.entropyEnc || 'utf8',
41421 nonce: this.curve.n.toArray()
41422 });
41423
41424 return this.keyFromSecret(drbg.generate(32));
41425 };
41426
41427 EDDSA.prototype.makeSignature = function makeSignature(sig) {
41428 if (sig instanceof signature$2)
41429 return sig;
41430 return new signature$2(this, sig);
41431 };
41432
41433 /**
41434 * * https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-03#section-5.2
41435 *
41436 * EDDSA defines methods for encoding and decoding points and integers. These are
41437 * helper convenience methods, that pass along to utility functions implied
41438 * parameters.
41439 *
41440 */
41441 EDDSA.prototype.encodePoint = function encodePoint(point) {
41442 var enc = point.getY().toArray('le', this.encodingLength);
41443 enc[this.encodingLength - 1] |= point.getX().isOdd() ? 0x80 : 0;
41444 return enc;
41445 };
41446
41447 EDDSA.prototype.decodePoint = function decodePoint(bytes) {
41448 bytes = utils_1$1.parseBytes(bytes);
41449
41450 var lastIx = bytes.length - 1;
41451 var normed = bytes.slice(0, lastIx).concat(bytes[lastIx] & ~0x80);
41452 var xIsOdd = (bytes[lastIx] & 0x80) !== 0;
41453
41454 var y = utils_1$1.intFromLE(normed);
41455 return this.curve.pointFromY(y, xIsOdd);
41456 };
41457
41458 EDDSA.prototype.encodeInt = function encodeInt(num) {
41459 return num.toArray('le', this.encodingLength);
41460 };
41461
41462 EDDSA.prototype.decodeInt = function decodeInt(bytes) {
41463 return utils_1$1.intFromLE(bytes);
41464 };
41465
41466 EDDSA.prototype.isPoint = function isPoint(val) {
41467 return val instanceof this.pointClass;
41468 };
41469
41470 var elliptic_1 = createCommonjsModule(function (module, exports) {
41471
41472 var elliptic = exports;
41473
41474 elliptic.utils = utils_1$1;
41475 elliptic.rand = brorand;
41476 elliptic.curve = curve_1;
41477 elliptic.curves = curves_1;
41478
41479 // Protocols
41480 elliptic.ec = ec;
41481 elliptic.eddsa = eddsa$1;
41482 });
41483
41484 var elliptic$1 = /*#__PURE__*/Object.freeze({
41485 __proto__: null,
41486 'default': elliptic_1,
41487 __moduleExports: elliptic_1
41488 });
41489
41490 exports.AEADEncryptedDataPacket = AEADEncryptedDataPacket;
41491 exports.CleartextMessage = CleartextMessage;
41492 exports.CompressedDataPacket = CompressedDataPacket;
41493 exports.Key = Key;
41494 exports.LiteralDataPacket = LiteralDataPacket;
41495 exports.MarkerPacket = MarkerPacket;
41496 exports.Message = Message;
41497 exports.OnePassSignaturePacket = OnePassSignaturePacket;
41498 exports.PacketList = PacketList;
41499 exports.PublicKeyEncryptedSessionKeyPacket = PublicKeyEncryptedSessionKeyPacket;
41500 exports.PublicKeyPacket = PublicKeyPacket;
41501 exports.PublicSubkeyPacket = PublicSubkeyPacket;
41502 exports.SecretKeyPacket = SecretKeyPacket;
41503 exports.SecretSubkeyPacket = SecretSubkeyPacket;
41504 exports.Signature = Signature;
41505 exports.SignaturePacket = SignaturePacket;
41506 exports.SymEncryptedIntegrityProtectedDataPacket = SymEncryptedIntegrityProtectedDataPacket;
41507 exports.SymEncryptedSessionKeyPacket = SymEncryptedSessionKeyPacket;
41508 exports.SymmetricallyEncryptedDataPacket = SymmetricallyEncryptedDataPacket;
41509 exports.TrustPacket = TrustPacket;
41510 exports.UserAttributePacket = UserAttributePacket;
41511 exports.UserIDPacket = UserIDPacket;
41512 exports.armor = armor;
41513 exports.config = defaultConfig;
41514 exports.decrypt = decrypt$4;
41515 exports.decryptKey = decryptKey;
41516 exports.decryptSessionKeys = decryptSessionKeys;
41517 exports.encrypt = encrypt$4;
41518 exports.encryptKey = encryptKey;
41519 exports.encryptSessionKey = encryptSessionKey;
41520 exports.enums = enums;
41521 exports.generateKey = generateKey;
41522 exports.generateSessionKey = generateSessionKey$1;
41523 exports.newPacketFromTag = newPacketFromTag;
41524 exports.readCleartextMessage = readCleartextMessage;
41525 exports.readKey = readKey;
41526 exports.readKeys = readKeys;
41527 exports.readMessage = readMessage;
41528 exports.readSignature = readSignature;
41529 exports.reformatKey = reformatKey;
41530 exports.revokeKey = revokeKey;
41531 exports.sign = sign$5;
41532 exports.stream = stream;
41533 exports.unarmor = unarmor;
41534 exports.verify = verify$5;
41535
41536 Object.defineProperty(exports, '__esModule', { value: true });
41537
41538 return exports;
41539
41540}({}));