curve-p256
Version:
The secp256r1 (p-256) elliptic curve for ECDH & ECDSA
1,477 lines • 52.2 kB
JavaScript
let dt;
typeof globalThis < "u" && (dt = globalThis);
if (typeof self < "u")
dt = self;
else if (typeof window < "u")
dt = window;
else if (typeof global < "u")
dt = global;
else
try {
dt = Function("return this")();
} catch {
}
function he() {
return dt;
}
function Et(t) {
if (!ArrayBuffer.isView(t))
throw new TypeError(
"Failed to execute 'getRandomValues' on 'Crypto': parameter 1 is not of type 'ArrayBufferView'."
);
if (t.byteLength > 65536) {
const e = "Failed to execute 'getRandomValues' on 'Crypto': The ArrayBufferView's byte length (" + t.byteLength + ") exceeds the number of bytes of entropy available via this API (65536).";
throw "DOMException" in globalThis ? new globalThis.DOMException(e) : new Error(e);
}
const n = Math.pow(256, t.BYTES_PER_ELEMENT);
for (let e = 0; e < t.byteLength; ++e)
t[e] = Math.floor(n * Math.random());
return t;
}
function Tt(t, n) {
if (typeof t != "number")
throw new TypeError(
`[ERR_INVALID_ARG_TYPE]: The "size" argument must be of type number. Received type ${typeof t} (${t})`
);
if (t < 0 || t > 2147483647)
throw new RangeError(
`[ERR_OUT_OF_RANGE]: The value of "size" is out of range. It must be >= 0 && <= 2147483647. Received ${t}`
);
if (n && typeof n != "function")
throw new TypeError(
`[ERR_INVALID_ARG_TYPE]: The "callback" argument must be of type function. Received type ${typeof n} (${n})`
);
if (!n) {
const e = new Uint8Array(t);
return Et(e);
}
return new Promise((e) => {
const r = new Uint8Array(t), o = null;
try {
n(null, Et(r));
} catch {
n(o, r);
}
e(r);
});
}
function Dt() {
return Tt(16).reduce((e, r, o) => {
let i = e + r.toString(16).padStart(2, "0");
return (o === 3 || o === 5 || o === 7 || o === 9) && (i += "-"), i;
}, "");
}
const X = he();
(function() {
"crypto" in X ? ("getRandomValues" in X.crypto || (X.crypto.getRandomValues = Et), "randomBytes" in X.crypto || (X.crypto.randomBytes = Tt), "randomUUID" in X.crypto || (X.crypto.randomUUID = Dt)) : X.crypto = {
getRandomValues: Et,
randomBytes: Tt,
randomUUID: Dt
};
})();
const _t = X.crypto;
function Mt(t) {
if (!Number.isSafeInteger(t) || t < 0) throw new Error(`Wrong positive integer: ${t}`);
}
function we(t) {
return t instanceof Uint8Array || t != null && typeof t == "object" && t.constructor.name === "Uint8Array";
}
function Xt(t, ...n) {
if (!we(t)) throw new Error("Expected Uint8Array");
if (n.length > 0 && !n.includes(t.length))
throw new Error(`Expected Uint8Array of length ${n}, not of length=${t.length}`);
}
function ge(t) {
if (typeof t != "function" || typeof t.create != "function")
throw new Error("Hash should be wrapped by utils.wrapConstructor");
Mt(t.outputLen), Mt(t.blockLen);
}
function Bt(t, n = !0) {
if (t.destroyed) throw new Error("Hash instance has been destroyed");
if (n && t.finished) throw new Error("Hash#digest() has already been called");
}
function ye(t, n) {
Xt(t);
const e = n.outputLen;
if (t.length < e)
throw new Error(`digestInto() expects output buffer of length at least ${e}`);
}
/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
function Qt(t) {
return t instanceof Uint8Array || t != null && typeof t == "object" && t.constructor.name === "Uint8Array";
}
const It = (t) => new DataView(t.buffer, t.byteOffset, t.byteLength), W = (t, n) => t << 32 - n | t >>> n, me = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68;
if (!me) throw new Error("Non little-endian hardware is not supported");
function pe(t) {
if (typeof t != "string") throw new Error(`utf8ToBytes expected string, got ${typeof t}`);
return new Uint8Array(new TextEncoder().encode(t));
}
function Lt(t) {
if (typeof t == "string" && (t = pe(t)), !Qt(t)) throw new Error(`expected Uint8Array, got ${typeof t}`);
return t;
}
function be(...t) {
let n = 0;
for (let r = 0; r < t.length; r++) {
const o = t[r];
if (!Qt(o)) throw new Error("Uint8Array expected");
n += o.length;
}
const e = new Uint8Array(n);
for (let r = 0, o = 0; r < t.length; r++) {
const i = t[r];
e.set(i, o), o += i.length;
}
return e;
}
class Jt {
// Safe version that clones internal state
clone() {
return this._cloneInto();
}
}
function Ee(t) {
const n = (r) => t().update(Lt(r)).digest(), e = t();
return n.outputLen = e.outputLen, n.blockLen = e.blockLen, n.create = () => t(), n;
}
function Be(t = 32) {
if (_t && typeof _t.getRandomValues == "function")
return _t.getRandomValues(new Uint8Array(t));
throw new Error("crypto.getRandomValues must be defined");
}
class Ft extends Jt {
constructor(n, e) {
super(), this.finished = !1, this.destroyed = !1, ge(n);
const r = Lt(e);
if (this.iHash = n.create(), typeof this.iHash.update != "function")
throw new Error("Expected instance of class which extends utils.Hash");
this.blockLen = this.iHash.blockLen, this.outputLen = this.iHash.outputLen;
const o = this.blockLen, i = new Uint8Array(o);
i.set(r.length > o ? n.create().update(r).digest() : r);
for (let f = 0; f < i.length; f++) i[f] ^= 54;
this.iHash.update(i), this.oHash = n.create();
for (let f = 0; f < i.length; f++) i[f] ^= 106;
this.oHash.update(i), i.fill(0);
}
update(n) {
return Bt(this), this.iHash.update(n), this;
}
digestInto(n) {
Bt(this), Xt(n, this.outputLen), this.finished = !0, this.iHash.digestInto(n), this.oHash.update(n), this.oHash.digestInto(n), this.destroy();
}
digest() {
const n = new Uint8Array(this.oHash.outputLen);
return this.digestInto(n), n;
}
_cloneInto(n) {
n || (n = Object.create(Object.getPrototypeOf(this), {}));
const { oHash: e, iHash: r, finished: o, destroyed: i, blockLen: f, outputLen: s } = this;
return n = n, n.finished = o, n.destroyed = i, n.blockLen = f, n.outputLen = s, n.oHash = e._cloneInto(n.oHash), n.iHash = r._cloneInto(n.iHash), n;
}
destroy() {
this.destroyed = !0, this.oHash.destroy(), this.iHash.destroy();
}
}
const te = (t, n, e) => new Ft(t, n).update(e).digest();
te.create = (t, n) => new Ft(t, n);
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
const ee = BigInt(0), At = BigInt(1), ve = BigInt(2);
function D(t) {
return t instanceof Uint8Array || t != null && typeof t == "object" && t.constructor.name === "Uint8Array";
}
const Ae = /* @__PURE__ */ Array.from(
{ length: 256 },
(t, n) => n.toString(16).padStart(2, "0")
);
function ht(t) {
if (!D(t)) throw new Error("Uint8Array expected");
let n = "";
for (let e = 0; e < t.length; e++)
n += Ae[t[e]];
return n;
}
function ne(t) {
const n = t.toString(16);
return n.length & 1 ? `0${n}` : n;
}
function Nt(t) {
if (typeof t != "string") throw new Error("hex string expected, got " + typeof t);
return BigInt(t === "" ? "0" : `0x${t}`);
}
const K = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 };
function jt(t) {
if (t >= K._0 && t <= K._9) return t - K._0;
if (t >= K._A && t <= K._F) return t - (K._A - 10);
if (t >= K._a && t <= K._f) return t - (K._a - 10);
}
function wt(t) {
if (typeof t != "string") throw new Error("hex string expected, got " + typeof t);
const n = t.length, e = n / 2;
if (n % 2) throw new Error("padded hex string expected, got unpadded hex of length " + n);
const r = new Uint8Array(e);
for (let o = 0, i = 0; o < e; o++, i += 2) {
const f = jt(t.charCodeAt(i)), s = jt(t.charCodeAt(i + 1));
if (f === void 0 || s === void 0) {
const c = t[i] + t[i + 1];
throw new Error('hex string expected, got non-hex character "' + c + '" at index ' + i);
}
r[o] = f * 16 + s;
}
return r;
}
function ot(t) {
return Nt(ht(t));
}
function $t(t) {
if (!D(t)) throw new Error("Uint8Array expected");
return Nt(ht(Uint8Array.from(t).reverse()));
}
function gt(t, n) {
return wt(t.toString(16).padStart(n * 2, "0"));
}
function Vt(t, n) {
return gt(t, n).reverse();
}
function Se(t) {
return wt(ne(t));
}
function z(t, n, e) {
let r;
if (typeof n == "string")
try {
r = wt(n);
} catch (i) {
throw new Error(`${t} must be valid hex string, got "${n}". Cause: ${i}`);
}
else if (D(n))
r = Uint8Array.from(n);
else
throw new Error(`${t} must be hex string or Uint8Array`);
const o = r.length;
if (typeof e == "number" && o !== e)
throw new Error(`${t} expected ${e} bytes, got ${o}`);
return r;
}
function Y(...t) {
let n = 0;
for (let o = 0; o < t.length; o++) {
const i = t[o];
if (!D(i)) throw new Error("Uint8Array expected");
n += i.length;
}
let e = new Uint8Array(n), r = 0;
for (let o = 0; o < t.length; o++) {
const i = t[o];
e.set(i, r), r += i.length;
}
return e;
}
function xe(t, n) {
if (t.length !== n.length) return !1;
let e = 0;
for (let r = 0; r < t.length; r++) e |= t[r] ^ n[r];
return e === 0;
}
function St(t) {
if (typeof t != "string") throw new Error(`utf8ToBytes expected string, got ${typeof t}`);
return new Uint8Array(new TextEncoder().encode(t));
}
function _e(t) {
let n;
for (n = 0; t > ee; t >>= At, n += 1) ;
return n;
}
function Ie(t, n) {
return t >> BigInt(n) & At;
}
const Ue = (t, n, e) => t | (e ? At : ee) << BigInt(n), Ht = (t) => (ve << BigInt(t - 1)) - At, Ut = (t) => new Uint8Array(t), zt = (t) => Uint8Array.from(t);
function re(t, n, e) {
if (typeof t != "number" || t < 2) throw new Error("hashLen must be a number");
if (typeof n != "number" || n < 2) throw new Error("qByteLen must be a number");
if (typeof e != "function") throw new Error("hmacFn must be a function");
let r = Ut(t), o = Ut(t), i = 0;
const f = () => {
r.fill(1), o.fill(0), i = 0;
}, s = (...d) => e(o, r, ...d), c = (d = Ut()) => {
o = s(zt([0]), d), r = s(), d.length !== 0 && (o = s(zt([1]), d), r = s());
}, u = () => {
if (i++ >= 1e3) throw new Error("drbg: tried 1000 values");
let d = 0;
const I = [];
for (; d < n; ) {
r = s();
const S = r.slice();
I.push(S), d += r.length;
}
return Y(...I);
};
return (d, I) => {
f(), c(d);
let S;
for (; !(S = I(u())); ) c();
return f(), S;
};
}
const Oe = {
bigint: (t) => typeof t == "bigint",
function: (t) => typeof t == "function",
boolean: (t) => typeof t == "boolean",
string: (t) => typeof t == "string",
stringOrUint8Array: (t) => typeof t == "string" || D(t),
isSafeInteger: (t) => Number.isSafeInteger(t),
array: (t) => Array.isArray(t),
field: (t, n) => n.Fp.isValid(t),
hash: (t) => typeof t == "function" && Number.isSafeInteger(t.outputLen)
};
function yt(t, n, e = {}) {
const r = (o, i, f) => {
const s = Oe[i];
if (typeof s != "function")
throw new Error(`Invalid validator "${i}", expected function`);
const c = t[o];
if (!(f && c === void 0) && !s(c, t))
throw new Error(
`Invalid param ${String(o)}=${c} (${typeof c}), expected ${i}`
);
};
for (const [o, i] of Object.entries(n)) r(o, i, !1);
for (const [o, i] of Object.entries(e)) r(o, i, !0);
return t;
}
const Te = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
__proto__: null,
bitGet: Ie,
bitLen: _e,
bitMask: Ht,
bitSet: Ue,
bytesToHex: ht,
bytesToNumberBE: ot,
bytesToNumberLE: $t,
concatBytes: Y,
createHmacDrbg: re,
ensureBytes: z,
equalBytes: xe,
hexToBytes: wt,
hexToNumber: Nt,
isBytes: D,
numberToBytesBE: gt,
numberToBytesLE: Vt,
numberToHexUnpadded: ne,
numberToVarBytesBE: Se,
utf8ToBytes: St,
validateObject: yt
}, Symbol.toStringTag, { value: "Module" }));
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
const V = BigInt(0), N = BigInt(1), st = BigInt(2), Re = BigInt(3), Rt = BigInt(4), Yt = BigInt(5), Gt = BigInt(8);
BigInt(9);
BigInt(16);
function k(t, n) {
const e = t % n;
return e >= V ? e : n + e;
}
function qe(t, n, e) {
if (e <= V || n < V) throw new Error("Expected power/modulo > 0");
if (e === N) return V;
let r = N;
for (; n > V; )
n & N && (r = r * t % e), t = t * t % e, n >>= N;
return r;
}
function qt(t, n) {
if (t === V || n <= V)
throw new Error(`invert: expected positive integers, got n=${t} mod=${n}`);
let e = k(t, n), r = n, o = V, i = N;
for (; e !== V; ) {
const s = r / e, c = r % e, u = o - i * s;
r = e, e = c, o = i, i = u;
}
if (r !== N) throw new Error("invert: does not exist");
return k(o, n);
}
function Le(t) {
const n = (t - N) / st;
let e, r, o;
for (e = t - N, r = 0; e % st === V; e /= st, r++) ;
for (o = st; o < t && qe(o, n, t) !== t - N; o++) ;
if (r === 1) {
const f = (t + N) / Rt;
return function(c, u) {
const y = c.pow(u, f);
if (!c.eql(c.sqr(y), u)) throw new Error("Cannot find square root");
return y;
};
}
const i = (e + N) / st;
return function(s, c) {
if (s.pow(c, n) === s.neg(s.ONE)) throw new Error("Cannot find square root");
let u = r, y = s.pow(s.mul(s.ONE, o), e), d = s.pow(c, i), I = s.pow(c, e);
for (; !s.eql(I, s.ONE); ) {
if (s.eql(I, s.ZERO)) return s.ZERO;
let S = 1;
for (let B = s.sqr(I); S < u && !s.eql(B, s.ONE); S++)
B = s.sqr(B);
const p = s.pow(y, N << BigInt(u - S - 1));
y = s.sqr(p), d = s.mul(d, p), I = s.mul(I, y), u = S;
}
return d;
};
}
function Ne(t) {
if (t % Rt === Re) {
const n = (t + N) / Rt;
return function(r, o) {
const i = r.pow(o, n);
if (!r.eql(r.sqr(i), o)) throw new Error("Cannot find square root");
return i;
};
}
if (t % Gt === Yt) {
const n = (t - Yt) / Gt;
return function(r, o) {
const i = r.mul(o, st), f = r.pow(i, n), s = r.mul(o, f), c = r.mul(r.mul(s, st), f), u = r.mul(s, r.sub(c, r.ONE));
if (!r.eql(r.sqr(u), o)) throw new Error("Cannot find square root");
return u;
};
}
return Le(t);
}
const $e = [
"create",
"isValid",
"is0",
"neg",
"inv",
"sqrt",
"sqr",
"eql",
"add",
"sub",
"mul",
"pow",
"div",
"addN",
"subN",
"mulN",
"sqrN"
];
function oe(t) {
const n = {
ORDER: "bigint",
MASK: "bigint",
BYTES: "isSafeInteger",
BITS: "isSafeInteger"
}, e = $e.reduce((r, o) => (r[o] = "function", r), n);
return yt(t, e);
}
function Ve(t, n, e) {
if (e < V) throw new Error("Expected power > 0");
if (e === V) return t.ONE;
if (e === N) return n;
let r = t.ONE, o = n;
for (; e > V; )
e & N && (r = t.mul(r, o)), o = t.sqr(o), e >>= N;
return r;
}
function He(t, n) {
const e = new Array(n.length), r = n.reduce((i, f, s) => t.is0(f) ? i : (e[s] = i, t.mul(i, f)), t.ONE), o = t.inv(r);
return n.reduceRight((i, f, s) => t.is0(f) ? i : (e[s] = t.mul(i, e[s]), t.mul(i, f)), o), e;
}
function ie(t, n) {
const e = n !== void 0 ? n : t.toString(2).length, r = Math.ceil(e / 8);
return { nBitLength: e, nByteLength: r };
}
function Ce(t, n, e = !1, r = {}) {
if (t <= V) throw new Error(`Expected Field ORDER > 0, got ${t}`);
const { nBitLength: o, nByteLength: i } = ie(t, n);
if (i > 2048) throw new Error("Field lengths over 2048 bytes are not supported");
const f = Ne(t), s = Object.freeze({
ORDER: t,
BITS: o,
BYTES: i,
MASK: Ht(o),
ZERO: V,
ONE: N,
create: (c) => k(c, t),
isValid: (c) => {
if (typeof c != "bigint")
throw new Error(`Invalid field element: expected bigint, got ${typeof c}`);
return V <= c && c < t;
},
is0: (c) => c === V,
isOdd: (c) => (c & N) === N,
neg: (c) => k(-c, t),
eql: (c, u) => c === u,
sqr: (c) => k(c * c, t),
add: (c, u) => k(c + u, t),
sub: (c, u) => k(c - u, t),
mul: (c, u) => k(c * u, t),
pow: (c, u) => Ve(s, c, u),
div: (c, u) => k(c * qt(u, t), t),
// Same as above, but doesn't normalize
sqrN: (c) => c * c,
addN: (c, u) => c + u,
subN: (c, u) => c - u,
mulN: (c, u) => c * u,
inv: (c) => qt(c, t),
sqrt: r.sqrt || ((c) => f(s, c)),
invertBatch: (c) => He(s, c),
// TODO: do we really need constant cmov?
// We don't have const-time bigints anyway, so probably will be not very useful
cmov: (c, u, y) => y ? u : c,
toBytes: (c) => e ? Vt(c, i) : gt(c, i),
fromBytes: (c) => {
if (c.length !== i)
throw new Error(`Fp.fromBytes: expected ${i}, got ${c.length}`);
return e ? $t(c) : ot(c);
}
});
return Object.freeze(s);
}
function se(t) {
if (typeof t != "bigint") throw new Error("field order must be bigint");
const n = t.toString(2).length;
return Math.ceil(n / 8);
}
function ce(t) {
const n = se(t);
return n + Math.ceil(n / 2);
}
function Ze(t, n, e = !1) {
const r = t.length, o = se(n), i = ce(n);
if (r < 16 || r < i || r > 1024)
throw new Error(`expected ${i}-1024 bytes of input, got ${r}`);
const f = e ? ot(t) : $t(t), s = k(f, n - N) + N;
return e ? Vt(s, o) : gt(s, o);
}
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
const Pe = BigInt(0), Ot = BigInt(1);
function ke(t, n) {
const e = (o, i) => {
const f = i.negate();
return o ? f : i;
}, r = (o) => {
const i = Math.ceil(n / o) + 1, f = 2 ** (o - 1);
return { windows: i, windowSize: f };
};
return {
constTimeNegate: e,
// non-const time multiplication ladder
unsafeLadder(o, i) {
let f = t.ZERO, s = o;
for (; i > Pe; )
i & Ot && (f = f.add(s)), s = s.double(), i >>= Ot;
return f;
},
/**
* Creates a wNAF precomputation window. Used for caching.
* Default window size is set by `utils.precompute()` and is equal to 8.
* Number of precomputed points depends on the curve size:
* 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
* - 𝑊 is the window size
* - 𝑛 is the bitlength of the curve order.
* For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
* @returns precomputed point tables flattened to a single array
*/
precomputeWindow(o, i) {
const { windows: f, windowSize: s } = r(i), c = [];
let u = o, y = u;
for (let d = 0; d < f; d++) {
y = u, c.push(y);
for (let I = 1; I < s; I++)
y = y.add(u), c.push(y);
u = y.double();
}
return c;
},
/**
* Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
* @param W window size
* @param precomputes precomputed tables
* @param n scalar (we don't check here, but should be less than curve order)
* @returns real and fake (for const-time) points
*/
wNAF(o, i, f) {
const { windows: s, windowSize: c } = r(o);
let u = t.ZERO, y = t.BASE;
const d = BigInt(2 ** o - 1), I = 2 ** o, S = BigInt(o);
for (let p = 0; p < s; p++) {
const B = p * c;
let a = Number(f & d);
f >>= S, a > c && (a -= I, f += Ot);
const l = B, h = B + Math.abs(a) - 1, m = p % 2 !== 0, b = a < 0;
a === 0 ? y = y.add(e(m, i[l])) : u = u.add(e(b, i[h]));
}
return { p: u, f: y };
},
wNAFCached(o, i, f, s) {
const c = o._WINDOW_SIZE || 1;
let u = i.get(o);
return u || (u = this.precomputeWindow(o, c), c !== 1 && i.set(o, s(u))), this.wNAF(c, u, f);
}
};
}
function fe(t) {
return oe(t.Fp), yt(
t,
{
n: "bigint",
h: "bigint",
Gx: "field",
Gy: "field"
},
{
nBitLength: "isSafeInteger",
nByteLength: "isSafeInteger"
}
), Object.freeze({
...ie(t.n, t.nBitLength),
...t,
p: t.Fp.ORDER
});
}
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
function De(t) {
const n = fe(t);
yt(
n,
{
a: "field",
b: "field"
},
{
allowedPrivateKeyLengths: "array",
wrapPrivateKey: "boolean",
isTorsionFree: "function",
clearCofactor: "function",
allowInfinityPoint: "boolean",
fromBytes: "function",
toBytes: "function"
}
);
const { endo: e, Fp: r, a: o } = n;
if (e) {
if (!r.eql(o, r.ZERO))
throw new Error("Endomorphism can only be defined for Koblitz curves that have a=0");
if (typeof e != "object" || typeof e.beta != "bigint" || typeof e.splitScalar != "function")
throw new Error("Expected endomorphism with beta: bigint and splitScalar: function");
}
return Object.freeze({ ...n });
}
const { bytesToNumberBE: Me, hexToBytes: je } = Te, ct = {
// asn.1 DER encoding utils
Err: class extends Error {
constructor(n = "") {
super(n);
}
},
_parseInt(t) {
const { Err: n } = ct;
if (t.length < 2 || t[0] !== 2) throw new n("Invalid signature integer tag");
const e = t[1], r = t.subarray(2, e + 2);
if (!e || r.length !== e) throw new n("Invalid signature integer: wrong length");
if (r[0] & 128) throw new n("Invalid signature integer: negative");
if (r[0] === 0 && !(r[1] & 128))
throw new n("Invalid signature integer: unnecessary leading zero");
return { d: Me(r), l: t.subarray(e + 2) };
},
toSig(t) {
const { Err: n } = ct, e = typeof t == "string" ? je(t) : t;
if (!D(e)) throw new Error("ui8a expected");
let r = e.length;
if (r < 2 || e[0] != 48) throw new n("Invalid signature tag");
if (e[1] !== r - 2) throw new n("Invalid signature: incorrect length");
const { d: o, l: i } = ct._parseInt(e.subarray(2)), { d: f, l: s } = ct._parseInt(i);
if (s.length) throw new n("Invalid signature: left bytes after parsing");
return { r: o, s: f };
},
hexFromSig(t) {
const n = (u) => Number.parseInt(u[0], 16) & 8 ? "00" + u : u, e = (u) => {
const y = u.toString(16);
return y.length & 1 ? `0${y}` : y;
}, r = n(e(t.s)), o = n(e(t.r)), i = r.length / 2, f = o.length / 2, s = e(i), c = e(f);
return `30${e(f + i + 4)}02${c}${o}02${s}${r}`;
}
}, G = BigInt(0), L = BigInt(1), tt = BigInt(2), vt = BigInt(3), Wt = BigInt(4);
function ze(t) {
const n = De(t), { Fp: e } = n, r = n.toBytes || ((B, a, l) => {
const h = a.toAffine();
return Y(Uint8Array.from([4]), e.toBytes(h.x), e.toBytes(h.y));
}), o = n.fromBytes || ((B) => {
const a = B.subarray(1), l = e.fromBytes(a.subarray(0, e.BYTES)), h = e.fromBytes(a.subarray(e.BYTES, 2 * e.BYTES));
return { x: l, y: h };
});
function i(B) {
const { a, b: l } = n, h = e.sqr(B), m = e.mul(h, B);
return e.add(e.add(m, e.mul(B, a)), l);
}
if (!e.eql(e.sqr(n.Gy), i(n.Gx)))
throw new Error("bad generator point: equation left != right");
function f(B) {
return typeof B == "bigint" && G < B && B < n.n;
}
function s(B) {
if (!f(B)) throw new Error("Expected valid bigint: 0 < bigint < curve.n");
}
function c(B) {
const { allowedPrivateKeyLengths: a, nByteLength: l, wrapPrivateKey: h, n: m } = n;
if (a && typeof B != "bigint") {
if (D(B) && (B = ht(B)), typeof B != "string" || !a.includes(B.length)) throw new Error("Invalid key");
B = B.padStart(l * 2, "0");
}
let b;
try {
b = typeof B == "bigint" ? B : ot(z("private key", B, l));
} catch {
throw new Error(`private key must be ${l} bytes, hex or bigint, not ${typeof B}`);
}
return h && (b = k(b, m)), s(b), b;
}
const u = /* @__PURE__ */ new Map();
function y(B) {
if (!(B instanceof d)) throw new Error("ProjectivePoint expected");
}
const p = class p {
constructor(a, l, h) {
if (this.px = a, this.py = l, this.pz = h, a == null || !e.isValid(a)) throw new Error("x required");
if (l == null || !e.isValid(l)) throw new Error("y required");
if (h == null || !e.isValid(h)) throw new Error("z required");
}
// Does not validate if the point is on-curve.
// Use fromHex instead, or call assertValidity() later.
static fromAffine(a) {
const { x: l, y: h } = a || {};
if (!a || !e.isValid(l) || !e.isValid(h)) throw new Error("invalid affine point");
if (a instanceof p) throw new Error("projective point not allowed");
const m = (b) => e.eql(b, e.ZERO);
return m(l) && m(h) ? p.ZERO : new p(l, h, e.ONE);
}
get x() {
return this.toAffine().x;
}
get y() {
return this.toAffine().y;
}
/**
* Takes a bunch of Projective Points but executes only one
* inversion on all of them. Inversion is very slow operation,
* so this improves performance massively.
* Optimization: converts a list of projective points to a list of identical points with Z=1.
*/
static normalizeZ(a) {
const l = e.invertBatch(a.map((h) => h.pz));
return a.map((h, m) => h.toAffine(l[m])).map(p.fromAffine);
}
/**
* Converts hash string or Uint8Array to Point.
* @param hex short/long ECDSA hex
*/
static fromHex(a) {
const l = p.fromAffine(o(z("pointHex", a)));
return l.assertValidity(), l;
}
// Multiplies generator point by privateKey.
static fromPrivateKey(a) {
return p.BASE.multiply(c(a));
}
// "Private method", don't use it directly
_setWindowSize(a) {
this._WINDOW_SIZE = a, u.delete(this);
}
// A point on curve is valid if it conforms to equation.
assertValidity() {
if (this.is0()) {
if (n.allowInfinityPoint && !e.is0(this.py)) return;
throw new Error("bad point: ZERO");
}
const { x: a, y: l } = this.toAffine();
if (!e.isValid(a) || !e.isValid(l)) throw new Error("bad point: x or y not FE");
const h = e.sqr(l), m = i(a);
if (!e.eql(h, m)) throw new Error("bad point: equation left != right");
if (!this.isTorsionFree()) throw new Error("bad point: not in prime-order subgroup");
}
hasEvenY() {
const { y: a } = this.toAffine();
if (e.isOdd) return !e.isOdd(a);
throw new Error("Field doesn't support isOdd");
}
/**
* Compare one point to another.
*/
equals(a) {
y(a);
const { px: l, py: h, pz: m } = this, { px: b, py: U, pz: _ } = a, E = e.eql(e.mul(l, _), e.mul(b, m)), A = e.eql(e.mul(h, _), e.mul(U, m));
return E && A;
}
/**
* Flips point to one corresponding to (x, -y) in Affine coordinates.
*/
negate() {
return new p(this.px, e.neg(this.py), this.pz);
}
// Renes-Costello-Batina exception-free doubling formula.
// There is 30% faster Jacobian formula, but it is not complete.
// https://eprint.iacr.org/2015/1060, algorithm 3
// Cost: 8M + 3S + 3*a + 2*b3 + 15add.
double() {
const { a, b: l } = n, h = e.mul(l, vt), { px: m, py: b, pz: U } = this;
let _ = e.ZERO, E = e.ZERO, A = e.ZERO, x = e.mul(m, m), M = e.mul(b, b), R = e.mul(U, U), O = e.mul(m, b);
return O = e.add(O, O), A = e.mul(m, U), A = e.add(A, A), _ = e.mul(a, A), E = e.mul(h, R), E = e.add(_, E), _ = e.sub(M, E), E = e.add(M, E), E = e.mul(_, E), _ = e.mul(O, _), A = e.mul(h, A), R = e.mul(a, R), O = e.sub(x, R), O = e.mul(a, O), O = e.add(O, A), A = e.add(x, x), x = e.add(A, x), x = e.add(x, R), x = e.mul(x, O), E = e.add(E, x), R = e.mul(b, U), R = e.add(R, R), x = e.mul(R, O), _ = e.sub(_, x), A = e.mul(R, M), A = e.add(A, A), A = e.add(A, A), new p(_, E, A);
}
// Renes-Costello-Batina exception-free addition formula.
// There is 30% faster Jacobian formula, but it is not complete.
// https://eprint.iacr.org/2015/1060, algorithm 1
// Cost: 12M + 0S + 3*a + 3*b3 + 23add.
add(a) {
y(a);
const { px: l, py: h, pz: m } = this, { px: b, py: U, pz: _ } = a;
let E = e.ZERO, A = e.ZERO, x = e.ZERO;
const M = n.a, R = e.mul(n.b, vt);
let O = e.mul(l, b), H = e.mul(h, U), C = e.mul(m, _), g = e.add(l, h), w = e.add(b, U);
g = e.mul(g, w), w = e.add(O, H), g = e.sub(g, w), w = e.add(l, m);
let v = e.add(b, _);
return w = e.mul(w, v), v = e.add(O, C), w = e.sub(w, v), v = e.add(h, m), E = e.add(U, _), v = e.mul(v, E), E = e.add(H, C), v = e.sub(v, E), x = e.mul(M, w), E = e.mul(R, C), x = e.add(E, x), E = e.sub(H, x), x = e.add(H, x), A = e.mul(E, x), H = e.add(O, O), H = e.add(H, O), C = e.mul(M, C), w = e.mul(R, w), H = e.add(H, C), C = e.sub(O, C), C = e.mul(M, C), w = e.add(w, C), O = e.mul(H, w), A = e.add(A, O), O = e.mul(v, w), E = e.mul(g, E), E = e.sub(E, O), O = e.mul(g, H), x = e.mul(v, x), x = e.add(x, O), new p(E, A, x);
}
subtract(a) {
return this.add(a.negate());
}
is0() {
return this.equals(p.ZERO);
}
wNAF(a) {
return S.wNAFCached(this, u, a, (l) => {
const h = e.invertBatch(l.map((m) => m.pz));
return l.map((m, b) => m.toAffine(h[b])).map(p.fromAffine);
});
}
/**
* Non-constant-time multiplication. Uses double-and-add algorithm.
* It's faster, but should only be used when you don't care about
* an exposed private key e.g. sig verification, which works over *public* keys.
*/
multiplyUnsafe(a) {
const l = p.ZERO;
if (a === G) return l;
if (s(a), a === L) return this;
const { endo: h } = n;
if (!h) return S.unsafeLadder(this, a);
let { k1neg: m, k1: b, k2neg: U, k2: _ } = h.splitScalar(a), E = l, A = l, x = this;
for (; b > G || _ > G; )
b & L && (E = E.add(x)), _ & L && (A = A.add(x)), x = x.double(), b >>= L, _ >>= L;
return m && (E = E.negate()), U && (A = A.negate()), A = new p(e.mul(A.px, h.beta), A.py, A.pz), E.add(A);
}
/**
* Constant time multiplication.
* Uses wNAF method. Windowed method may be 10% faster,
* but takes 2x longer to generate and consumes 2x memory.
* Uses precomputes when available.
* Uses endomorphism for Koblitz curves.
* @param scalar by which the point would be multiplied
* @returns New point
*/
multiply(a) {
s(a);
let l = a, h, m;
const { endo: b } = n;
if (b) {
const { k1neg: U, k1: _, k2neg: E, k2: A } = b.splitScalar(l);
let { p: x, f: M } = this.wNAF(_), { p: R, f: O } = this.wNAF(A);
x = S.constTimeNegate(U, x), R = S.constTimeNegate(E, R), R = new p(e.mul(R.px, b.beta), R.py, R.pz), h = x.add(R), m = M.add(O);
} else {
const { p: U, f: _ } = this.wNAF(l);
h = U, m = _;
}
return p.normalizeZ([h, m])[0];
}
/**
* Efficiently calculate `aP + bQ`. Unsafe, can expose private key, if used incorrectly.
* Not using Strauss-Shamir trick: precomputation tables are faster.
* The trick could be useful if both P and Q are not G (not in our case).
* @returns non-zero affine point
*/
multiplyAndAddUnsafe(a, l, h) {
const m = p.BASE, b = (_, E) => E === G || E === L || !_.equals(m) ? _.multiplyUnsafe(E) : _.multiply(E), U = b(this, l).add(b(a, h));
return U.is0() ? void 0 : U;
}
// Converts Projective point to affine (x, y) coordinates.
// Can accept precomputed Z^-1 - for example, from invertBatch.
// (x, y, z) ∋ (x=x/z, y=y/z)
toAffine(a) {
const { px: l, py: h, pz: m } = this, b = this.is0();
a == null && (a = b ? e.ONE : e.inv(m));
const U = e.mul(l, a), _ = e.mul(h, a), E = e.mul(m, a);
if (b) return { x: e.ZERO, y: e.ZERO };
if (!e.eql(E, e.ONE)) throw new Error("invZ was invalid");
return { x: U, y: _ };
}
isTorsionFree() {
const { h: a, isTorsionFree: l } = n;
if (a === L) return !0;
if (l) return l(p, this);
throw new Error("isTorsionFree() has not been declared for the elliptic curve");
}
clearCofactor() {
const { h: a, clearCofactor: l } = n;
return a === L ? this : l ? l(p, this) : this.multiplyUnsafe(n.h);
}
toRawBytes(a = !0) {
return this.assertValidity(), r(p, this, a);
}
toHex(a = !0) {
return ht(this.toRawBytes(a));
}
};
p.BASE = new p(n.Gx, n.Gy, e.ONE), p.ZERO = new p(e.ZERO, e.ONE, e.ZERO);
let d = p;
const I = n.nBitLength, S = ke(d, n.endo ? Math.ceil(I / 2) : I);
return {
CURVE: n,
ProjectivePoint: d,
normPrivateKeyToScalar: c,
weierstrassEquation: i,
isWithinCurveOrder: f
};
}
function Ye(t) {
const n = fe(t);
return yt(
n,
{
hash: "hash",
hmac: "function",
randomBytes: "function"
},
{
bits2int: "function",
bits2int_modN: "function",
lowS: "boolean"
}
), Object.freeze({ lowS: !0, ...n });
}
function Ge(t) {
const n = Ye(t), { Fp: e, n: r } = n, o = e.BYTES + 1, i = 2 * e.BYTES + 1;
function f(g) {
return G < g && g < e.ORDER;
}
function s(g) {
return k(g, r);
}
function c(g) {
return qt(g, r);
}
const {
ProjectivePoint: u,
normPrivateKeyToScalar: y,
weierstrassEquation: d,
isWithinCurveOrder: I
} = ze({
...n,
toBytes(g, w, v) {
const q = w.toAffine(), T = e.toBytes(q.x), $ = Y;
return v ? $(Uint8Array.from([w.hasEvenY() ? 2 : 3]), T) : $(Uint8Array.from([4]), T, e.toBytes(q.y));
},
fromBytes(g) {
const w = g.length, v = g[0], q = g.subarray(1);
if (w === o && (v === 2 || v === 3)) {
const T = ot(q);
if (!f(T)) throw new Error("Point is not on curve");
const $ = d(T);
let Z = e.sqrt($);
const P = (Z & L) === L;
return (v & 1) === 1 !== P && (Z = e.neg(Z)), { x: T, y: Z };
} else if (w === i && v === 4) {
const T = e.fromBytes(q.subarray(0, e.BYTES)), $ = e.fromBytes(q.subarray(e.BYTES, 2 * e.BYTES));
return { x: T, y: $ };
} else
throw new Error(
`Point of length ${w} was invalid. Expected ${o} compressed bytes or ${i} uncompressed bytes`
);
}
}), S = (g) => ht(gt(g, n.nByteLength));
function p(g) {
const w = r >> L;
return g > w;
}
function B(g) {
return p(g) ? s(-g) : g;
}
const a = (g, w, v) => ot(g.slice(w, v));
class l {
constructor(w, v, q) {
this.r = w, this.s = v, this.recovery = q, this.assertValidity();
}
// pair (bytes of r, bytes of s)
static fromCompact(w) {
const v = n.nByteLength;
return w = z("compactSignature", w, v * 2), new l(a(w, 0, v), a(w, v, 2 * v));
}
// DER encoded ECDSA signature
// https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
static fromDER(w) {
const { r: v, s: q } = ct.toSig(z("DER", w));
return new l(v, q);
}
assertValidity() {
if (!I(this.r)) throw new Error("r must be 0 < r < CURVE.n");
if (!I(this.s)) throw new Error("s must be 0 < s < CURVE.n");
}
addRecoveryBit(w) {
return new l(this.r, this.s, w);
}
recoverPublicKey(w) {
const { r: v, s: q, recovery: T } = this, $ = E(z("msgHash", w));
if (T == null || ![0, 1, 2, 3].includes(T)) throw new Error("recovery id invalid");
const Z = T === 2 || T === 3 ? v + n.n : v;
if (Z >= e.ORDER) throw new Error("recovery id 2 or 3 invalid");
const P = (T & 1) === 0 ? "02" : "03", Q = u.fromHex(P + S(Z)), J = c(Z), ft = s(-$ * J), mt = s(q * J), F = u.BASE.multiplyAndAddUnsafe(Q, ft, mt);
if (!F) throw new Error("point at infinify");
return F.assertValidity(), F;
}
// Signatures should be low-s, to prevent malleability.
hasHighS() {
return p(this.s);
}
normalizeS() {
return this.hasHighS() ? new l(this.r, s(-this.s), this.recovery) : this;
}
// DER-encoded
toDERRawBytes() {
return wt(this.toDERHex());
}
toDERHex() {
return ct.hexFromSig({ r: this.r, s: this.s });
}
// padded bytes of r, then padded bytes of s
toCompactRawBytes() {
return wt(this.toCompactHex());
}
toCompactHex() {
return S(this.r) + S(this.s);
}
}
const h = {
isValidPrivateKey(g) {
try {
return y(g), !0;
} catch {
return !1;
}
},
normPrivateKeyToScalar: y,
/**
* Produces cryptographically secure private key from random of size
* (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
*/
randomPrivateKey: () => {
const g = ce(n.n);
return Ze(n.randomBytes(g), n.n);
},
/**
* Creates precompute table for an arbitrary EC point. Makes point "cached".
* Allows to massively speed-up `point.multiply(scalar)`.
* @returns cached point
* @example
* const fast = utils.precompute(8, ProjectivePoint.fromHex(someonesPubKey));
* fast.multiply(privKey); // much faster ECDH now
*/
precompute(g = 8, w = u.BASE) {
return w._setWindowSize(g), w.multiply(BigInt(3)), w;
}
};
function m(g, w = !0) {
return u.fromPrivateKey(g).toRawBytes(w);
}
function b(g) {
const w = D(g), v = typeof g == "string", q = (w || v) && g.length;
return w ? q === o || q === i : v ? q === 2 * o || q === 2 * i : g instanceof u;
}
function U(g, w, v = !0) {
if (b(g)) throw new Error("first arg must be private key");
if (!b(w)) throw new Error("second arg must be public key");
return u.fromHex(w).multiply(y(g)).toRawBytes(v);
}
const _ = n.bits2int || function(g) {
const w = ot(g), v = g.length * 8 - n.nBitLength;
return v > 0 ? w >> BigInt(v) : w;
}, E = n.bits2int_modN || function(g) {
return s(_(g));
}, A = Ht(n.nBitLength);
function x(g) {
if (typeof g != "bigint") throw new Error("bigint expected");
if (!(G <= g && g < A))
throw new Error(`bigint expected < 2^${n.nBitLength}`);
return gt(g, n.nByteLength);
}
function M(g, w, v = R) {
if (["recovered", "canonical"].some((it) => it in v))
throw new Error("sign() legacy options not supported");
const { hash: q, randomBytes: T } = n;
let { lowS: $, prehash: Z, extraEntropy: P } = v;
$ == null && ($ = !0), g = z("msgHash", g), Z && (g = z("prehashed msgHash", q(g)));
const Q = E(g), J = y(w), ft = [x(J), x(Q)];
if (P != null) {
const it = P === !0 ? T(e.BYTES) : P;
ft.push(z("extraEntropy", it));
}
const mt = Y(...ft), F = Q;
function xt(it) {
const ut = _(it);
if (!I(ut)) return;
const Zt = c(ut), at = u.BASE.multiply(ut).toAffine(), j = s(at.x);
if (j === G) return;
const lt = s(Zt * s(F + j * J));
if (lt === G) return;
let Pt = (at.x === j ? 0 : 2) | Number(at.y & L), kt = lt;
return $ && p(lt) && (kt = B(lt), Pt ^= 1), new l(j, kt, Pt);
}
return { seed: mt, k2sig: xt };
}
const R = { lowS: n.lowS, prehash: !1 }, O = { lowS: n.lowS, prehash: !1 };
function H(g, w, v = R) {
const { seed: q, k2sig: T } = M(g, w, v), $ = n;
return re($.hash.outputLen, $.nByteLength, $.hmac)(q, T);
}
u.BASE._setWindowSize(8);
function C(g, w, v, q = O) {
var at;
const T = g;
if (w = z("msgHash", w), v = z("publicKey", v), "strict" in q) throw new Error("options.strict was renamed to lowS");
const { lowS: $, prehash: Z } = q;
let P, Q;
try {
if (typeof T == "string" || D(T))
try {
P = l.fromDER(T);
} catch (j) {
if (!(j instanceof ct.Err)) throw j;
P = l.fromCompact(T);
}
else if (typeof T == "object" && typeof T.r == "bigint" && typeof T.s == "bigint") {
const { r: j, s: lt } = T;
P = new l(j, lt);
} else
throw new Error("PARSE");
Q = u.fromHex(v);
} catch (j) {
if (j.message === "PARSE")
throw new Error("signature must be Signature instance, Uint8Array or hex string");
return !1;
}
if ($ && P.hasHighS()) return !1;
Z && (w = n.hash(w));
const { r: J, s: ft } = P, mt = E(w), F = c(ft), xt = s(mt * F), it = s(J * F), ut = (at = u.BASE.multiplyAndAddUnsafe(Q, xt, it)) == null ? void 0 : at.toAffine();
return ut ? s(ut.x) === J : !1;
}
return {
CURVE: n,
getPublicKey: m,
getSharedSecret: U,
sign: H,
verify: C,
ProjectivePoint: u,
Signature: l,
utils: h
};
}
function We(t, n) {
const e = t.ORDER;
let r = G;
for (let p = e - L; p % tt === G; p /= tt) r += L;
const o = r, i = tt << o - L - L, f = i * tt, s = (e - L) / f, c = (s - L) / tt, u = f - L, y = i, d = t.pow(n, s), I = t.pow(n, (s + L) / tt);
let S = (p, B) => {
let a = d, l = t.pow(B, u), h = t.sqr(l);
h = t.mul(h, B);
let m = t.mul(p, h);
m = t.pow(m, c), m = t.mul(m, l), l = t.mul(m, B), h = t.mul(m, p);
let b = t.mul(h, l);
m = t.pow(b, y);
let U = t.eql(m, t.ONE);
l = t.mul(h, I), m = t.mul(b, a), h = t.cmov(l, h, U), b = t.cmov(m, b, U);
for (let _ = o; _ > L; _--) {
let E = _ - tt;
E = tt << E - L;
let A = t.pow(b, E);
const x = t.eql(A, t.ONE);
l = t.mul(h, a), a = t.mul(a, a), A = t.mul(b, a), h = t.cmov(l, h, x), b = t.cmov(A, b, x);
}
return { isValid: U, value: h };
};
if (t.ORDER % Wt === vt) {
const p = (t.ORDER - vt) / Wt, B = t.sqrt(t.neg(n));
S = (a, l) => {
let h = t.sqr(l);
const m = t.mul(a, l);
h = t.mul(h, m);
let b = t.pow(h, p);
b = t.mul(b, m);
const U = t.mul(b, B), _ = t.mul(t.sqr(b), l), E = t.eql(_, a);
let A = t.cmov(U, b, E);
return { isValid: E, value: A };
};
}
return S;
}
function Ke(t, n) {
if (oe(t), !t.isValid(n.A) || !t.isValid(n.B) || !t.isValid(n.Z))
throw new Error("mapToCurveSimpleSWU: invalid opts");
const e = We(t, n.Z);
if (!t.isOdd) throw new Error("Fp.isOdd is not implemented!");
return (r) => {
let o, i, f, s, c, u, y, d;
o = t.sqr(r), o = t.mul(o, n.Z), i = t.sqr(o), i = t.add(i, o), f = t.add(i, t.ONE), f = t.mul(f, n.B), s = t.cmov(n.Z, t.neg(i), !t.eql(i, t.ZERO)), s = t.mul(s, n.A), i = t.sqr(f), u = t.sqr(s), c = t.mul(u, n.A), i = t.add(i, c), i = t.mul(i, f), u = t.mul(u, s), c = t.mul(u, n.B), i = t.add(i, c), y = t.mul(o, f);
const { isValid: I, value: S } = e(i, u);
d = t.mul(o, r), d = t.mul(d, S), y = t.cmov(y, f, I), d = t.cmov(d, S, I);
const p = t.isOdd(r) === t.isOdd(d);
return d = t.cmov(t.neg(d), d, p), y = t.div(y, s), { x: y, y: d };
};
}
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
function Xe(t) {
return {
hash: t,
hmac: (n, ...e) => te(t, n, be(...e)),
randomBytes: Be
};
}
function Qe(t, n) {
const e = (r) => Ge({ ...t, ...Xe(r) });
return Object.freeze({ ...e(n), create: e });
}
function Je(t, n, e, r) {
if (typeof t.setBigUint64 == "function") return t.setBigUint64(n, e, r);
const o = BigInt(32), i = BigInt(4294967295), f = Number(e >> o & i), s = Number(e & i), c = r ? 4 : 0, u = r ? 0 : 4;
t.setUint32(n + c, f, r), t.setUint32(n + u, s, r);
}
class Fe extends Jt {
constructor(n, e, r, o) {
super(), this.blockLen = n, this.outputLen = e, this.padOffset = r, this.isLE = o, this.finished = !1, this.length = 0, this.pos = 0, this.destroyed = !1, this.buffer = new Uint8Array(n), this.view = It(this.buffer);
}
update(n) {
Bt(this);
const { view: e, buffer: r, blockLen: o } = this;
n = Lt(n);
const i = n.length;
for (let f = 0; f < i; ) {
const s = Math.min(o - this.pos, i - f);
if (s === o) {
const c = It(n);
for (; o <= i - f; f += o) this.process(c, f);
continue;
}
r.set(n.subarray(f, f + s), this.pos), this.pos += s, f += s, this.pos === o && (this.process(e, 0), this.pos = 0);
}
return this.length += n.length, this.roundClean(), this;
}
digestInto(n) {
Bt(this), ye(n, this), this.finished = !0;
const { buffer: e, view: r, blockLen: o, isLE: i } = this;
let { pos: f } = this;
e[f++] = 128, this.buffer.subarray(f).fill(0), this.padOffset > o - f && (this.process(r, 0), f = 0);
for (let d = f; d < o; d++) e[d] = 0;
Je(r, o - 8, BigInt(this.length * 8), i), this.process(r, 0);
const s = It(n), c = this.outputLen;
if (c % 4) throw new Error("_sha2: outputLen should be aligned to 32bit");
const u = c / 4, y = this.get();
if (u > y.length) throw new Error("_sha2: outputLen bigger than state");
for (let d = 0; d < u; d++) s.setUint32(4 * d, y[d], i);
}
digest() {
const { buffer: n, outputLen: e } = this;
this.digestInto(n);
const r = n.slice(0, e);
return this.destroy(), r;
}
_cloneInto(n) {
n || (n = new this.constructor()), n.set(...this.get());
const { blockLen: e, buffer: r, length: o, finished: i, destroyed: f, pos: s } = this;
return n.length = o, n.pos = s, n.finished = i, n.destroyed = f, o % e && n.buffer.set(r), n;
}
}
const tn = (t, n, e) => t & n ^ ~t & e, en = (t, n, e) => t & n ^ t & e ^ n & e, nn = /* @__PURE__ */ new Uint32Array([
1116352408,
1899447441,
3049323471,
3921009573,
961987163,
1508970993,
2453635748,
2870763221,
3624381080,
310598401,
607225278,
1426881987,
1925078388,
2162078206,
2614888103,
3248222580,
3835390401,
4022224774,
264347078,
604807628,
770255983,
1249150122,
1555081692,
1996064986,
2554220882,
2821834349,
2952996808,
3210313671,
3336571891,
3584528711,
113926993,
338241895,
666307205,
773529912,
1294757372,
1396182291,
1695183700,
1986661051,
2177026350,
2456956037,
2730485921,
2820302411,
3259730800,
3345764771,
3516065817,
3600352804,
4094571909,
275423344,
430227734,
506948616,
659060556,
883997877,
958139571,
1322822218,
1537002063,
1747873779,
1955562222,
2024104815,
2227730452,
2361852424,
2428436474,
2756734187,
3204031479,
3329325298
]), et = /* @__PURE__ */ new Uint32Array([
1779033703,
3144134277,
1013904242,
2773480762,
1359893119,
2600822924,
528734635,
1541459225
]), nt = /* @__PURE__ */ new Uint32Array(64);
class rn extends Fe {
constructor() {
super(64, 32, 8, !1), this.A = et[0] | 0, this.B = et[1] | 0, this.C = et[2] | 0, this.D = et[3] | 0, this.E = et[4] | 0, this.F = et[5] | 0, this.G = et[6] | 0, this.H = et[7] | 0;
}
get() {
const { A: n, B: e, C: r, D: o, E: i, F: f, G: s, H: c } = this;
return [n, e, r, o, i, f, s, c];
}
// prettier-ignore
set(n, e, r, o, i, f, s, c) {
this.A = n | 0, this.B = e | 0, this.C = r | 0, this.D = o | 0, this.E = i | 0, this.F = f | 0, this.G = s | 0, this.H = c | 0;
}
process(n, e) {
for (let d = 0; d < 16; d++, e += 4) nt[d] = n.getUint32(e, !1);
for (let d = 16; d < 64; d++) {
const I = nt[d - 15], S = nt[d - 2], p = W(I, 7) ^ W(I, 18) ^ I >>> 3, B = W(S, 17) ^ W(S, 19) ^ S >>> 10;
nt[d] = B + nt[d - 7] + p + nt[d - 16] | 0;
}
let { A: r, B: o, C: i, D: f, E: s, F: c, G: u, H: y } = this;
for (let d = 0; d < 64; d++) {
const I = W(s, 6) ^ W(s, 11) ^ W(s, 25), S = y + I + tn(s, c, u) + nn[d] + nt[d] | 0, B = (W(r, 2) ^ W(r, 13) ^ W(r, 22)) + en(r, o, i) | 0;
y = u, u = c, c = s, s = f + S | 0, f = i, i = o, o = r, r = S + B | 0;
}
r = r + this.A | 0, o = o + this.B | 0, i = i + this.C | 0, f = f + this.D | 0, s = s + this.E | 0, c = c + this.F | 0, u = u + this.G | 0, y = y + this.H | 0, this.set(r, o, i, f, s, c, u, y);
}
roundClean() {
nt.fill(0);
}
destroy() {
this.set(0, 0, 0, 0, 0, 0, 0, 0), this.buffer.fill(0);
}
}
const ue = /* @__PURE__ */ Ee(() => new rn());
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
function on(t) {
if (D(t)) return t;
if (typeof t == "string") return St(t);
throw new Error("DST must be Uint8Array or string");
}
const sn = ot;
function rt(t, n) {
if (t < 0 || t >= 1 << 8 * n)
throw new Error(`bad I2OSP call: value=${t} length=${n}`);
const e = Array.from({ length: n }).fill(0);
for (let r = n - 1; r >= 0; r--)
e[r] = t & 255, t >>>= 8;
return new Uint8Array(e);
}
function cn(t, n) {
const e = new Uint8Array(t.length);
for (let r = 0; r < t.length; r++)
e[r] = t[r] ^ n[r];
return e;
}
function pt(t) {
if (!D(t)) throw new Error("Uint8Array expected");
}
function Ct(t) {
if (!Number.isSafeInteger(t)) throw new Error("number expected");
}
function fn(t, n, e, r) {
pt(t), pt(n), Ct(e), n.length > 255 && (n = r(Y(St("H2C-OVERSIZE-DST-"), n)));
const { outputLen: o, blockLen: i } = r, f = Math.ceil(e / o);
if (f > 255) throw new Error("Invalid xmd length");
const s = Y(n, rt(n.length, 1)), c = rt(0, i), u = rt(e, 2), y = new Array(f), d = r(Y(c, t, u, rt(0, 1), s));
y[0] = r(Y(d, rt(1, 1), s));
for (let S = 1; S <= f; S++) {
const p = [cn(d, y[S - 1]), rt(S + 1, 1), s];
y[S] = r(Y(...p));
}
return Y(...y).slice(0, e);
}
function un(t, n, e, r, o) {
if (pt(t), pt(n), Ct(e), n.length > 255) {
const i = Math.ceil(2 * r / 8);
n = o.create({ dkLen: i }).update(St("H2C-OVERSIZE-DST-")).update(n).digest();
}
if (e > 65535 || n.length > 255)
throw new Error("expand_message_xof: invalid lenInBytes");
return o.create({ dkLen: e }).update(t).update(rt(e, 2)).update(n).update(rt(n.length, 1)).digest();
}
function Kt(t, n, e) {
yt(e, {
DST: "stringOrUint8Array",
p: "bigint",
m: "isSafeInteger",
k: "isSafeInteger",
hash: "hash"
});
const { p: r, k: o, m: i, hash: f, expand: s, DST: c } = e;
pt(t), Ct(n);
const u = on(c), y = r.toString(2).length, d = Math.ceil((y + o) / 8), I = n * i * d;
let S;
if (s === "xmd")
S = fn(t, u, I, f);
else if (s === "xof")
S = un(t, u, I, o, f);
else if (s === "_internal_pass")
S = t;
else
throw new Error('expand must be "xmd" or "xof"');
const p = new Array(n);
for (let B = 0; B < n; B++) {
const a = new Array(i);
for (let l = 0; l < i; l++) {
const h = d * (l + B * i), m = S.subarray(h, h + d);
a[l] = k(sn(m), r);
}
p[B] = a;
}
return p;
}
function an(t, n, e) {
if (typeof