24843230473

Committed 23 Apr 2026 03:16PM UTC coverage: 74.673%. First build

Build # 24843230473

Build Type

Pull #487

github

Committed by

web-flow

Commit Message

Merge 17983afcb into 9af5b5961

Pull Request Pull Request #487: Emit GCMParameters SEQUENCE for AES-GCM AlgorithmIdentifier (RFC 5084)

Coverage Stats

2468 of 4367 branches covered (56.51%)

63 of 69 new or added lines in 4 files covered. (91.3%)

6740 of 9026 relevant lines covered (74.67%)

1617.99 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

85.85

/src/EnvelopedData.ts

import * as asn1js from "asn1js";
import * as pvutils from "pvutils";
import { BufferSourceConverter } from "pvtsutils";
import * as common from "./common";
import { OriginatorInfo, OriginatorInfoJson } from "./OriginatorInfo";
import { RecipientInfo, RecipientInfoJson } from "./RecipientInfo";
import { EncryptedContentInfo, EncryptedContentInfoJson, EncryptedContentInfoSchema, EncryptedContentInfoSplit } from "./EncryptedContentInfo";
import { Attribute, AttributeJson } from "./Attribute";
import { AlgorithmIdentifier, AlgorithmIdentifierParameters } from "./AlgorithmIdentifier";
import { GCMParams } from "./GCMParams";
import { RSAESOAEPParams } from "./RSAESOAEPParams";
import { KeyTransRecipientInfo } from "./KeyTransRecipientInfo";
import { IssuerAndSerialNumber } from "./IssuerAndSerialNumber";
import { RecipientKeyIdentifier } from "./RecipientKeyIdentifier";
import { RecipientEncryptedKey } from "./RecipientEncryptedKey";
import { KeyAgreeRecipientIdentifier } from "./KeyAgreeRecipientIdentifier";
import { KeyAgreeRecipientInfo, KeyAgreeRecipientInfoParameters } from "./KeyAgreeRecipientInfo";
import { RecipientEncryptedKeys } from "./RecipientEncryptedKeys";
import { KEKRecipientInfo } from "./KEKRecipientInfo";
import { KEKIdentifier } from "./KEKIdentifier";
import { PBKDF2Params } from "./PBKDF2Params";
import { PasswordRecipientinfo } from "./PasswordRecipientinfo";
import { ECCCMSSharedInfo } from "./ECCCMSSharedInfo";
import { OriginatorIdentifierOrKey } from "./OriginatorIdentifierOrKey";
import { OriginatorPublicKey } from "./OriginatorPublicKey";
import * as Schema from "./Schema";
import { Certificate } from "./Certificate";
import { ArgumentError, AsnError } from "./errors";
import { PkiObject, PkiObjectParameters } from "./PkiObject";
import { EMPTY_STRING } from "./constants";

const VERSION = "version";
const ORIGINATOR_INFO = "originatorInfo";
const RECIPIENT_INFOS = "recipientInfos";
const ENCRYPTED_CONTENT_INFO = "encryptedContentInfo";
const UNPROTECTED_ATTRS = "unprotectedAttrs";
const CLEAR_PROPS = [
  VERSION,
  ORIGINATOR_INFO,
  RECIPIENT_INFOS,
  ENCRYPTED_CONTENT_INFO,
  UNPROTECTED_ATTRS
];

const defaultEncryptionParams = {
  kdfAlgorithm: "SHA-512",
  kekEncryptionLength: 256
};
const curveLengthByName: Record<string, number> = {
  "P-256": 256,
  "P-384": 384,
  "P-521": 528
};

export interface IEnvelopedData {
  /**
   * Version number.
   *
   * The appropriate value depends on `originatorInfo`, `RecipientInfo`, and `unprotectedAttrs`.
   *
   * The version MUST be assigned as follows:
   * ```
   * IF (originatorInfo is present) AND
   *    ((any certificates with a type of other are present) OR
   *    (any crls with a type of other are present))
   * THEN version is 4
   * ELSE
   *    IF ((originatorInfo is present) AND
   *       (any version 2 attribute certificates are present)) OR
   *       (any RecipientInfo structures include pwri) OR
   *       (any RecipientInfo structures include ori)
   *    THEN version is 3
   *    ELSE
   *       IF (originatorInfo is absent) AND
   *          (unprotectedAttrs is absent) AND
   *          (all RecipientInfo structures are version 0)
   *       THEN version is 0
   *       ELSE version is 2
   * ```
   */
  version: number;
  /**
   * Optionally provides information about the originator. It is present only if required by the key management algorithm.
   * It may contain certificates and CRLs.
   */
  originatorInfo?: OriginatorInfo;
  /**
   * Collection of per-recipient information. There MUST be at least one element in the collection.
   */
  recipientInfos: RecipientInfo[];
  /**
   * Encrypted content information
   */
  encryptedContentInfo: EncryptedContentInfo;
  /**
   * Collection of attributes that are not encrypted
   */
  unprotectedAttrs?: Attribute[];
}

/**
 * JSON representation of {@link EnvelopedData}
 */
export interface EnvelopedDataJson {
  version: number;
  originatorInfo?: OriginatorInfoJson;
  recipientInfos: RecipientInfoJson[];
  encryptedContentInfo: EncryptedContentInfoJson;
  unprotectedAttrs?: AttributeJson[];
}

export type EnvelopedDataParameters = PkiObjectParameters & Partial<IEnvelopedData> & EncryptedContentInfoSplit;

export interface EnvelopedDataEncryptionParams {
  kekEncryptionLength: number;
  kdfAlgorithm: string;
}

export interface EnvelopedDataDecryptBaseParams {
  preDefinedData?: BufferSource;
  recipientCertificate?: Certificate;
}

export interface EnvelopedDataDecryptKeyParams extends EnvelopedDataDecryptBaseParams {
  recipientPrivateKey: CryptoKey;
  /**
   * Crypto provider assigned to `recipientPrivateKey`. If the filed is empty uses default crypto provider.
   */
  crypto?: Crypto;
}

export interface EnvelopedDataDecryptBufferParams extends EnvelopedDataDecryptBaseParams {
  recipientPrivateKey?: BufferSource;
}

export type EnvelopedDataDecryptParams = EnvelopedDataDecryptBufferParams | EnvelopedDataDecryptKeyParams;

/**
 * Represents the EnvelopedData structure described in [RFC5652](https://datatracker.ietf.org/doc/html/rfc5652)
 *
 * @example The following example demonstrates how to create and encrypt CMS Enveloped Data
 * ```js
 * const cmsEnveloped = new pkijs.EnvelopedData();
 *
 * // Add recipient
 * cmsEnveloped.addRecipientByCertificate(cert, { oaepHashAlgorithm: "SHA-256" });
 *
 * // Secret key algorithm
 * const alg = {
 *   name: "AES-GCM",
 *   length: 256,
 * }
 * await cmsEnveloped.encrypt(alg, dataToEncrypt);
 *
 * // Add Enveloped Data into CMS Content Info
 * const cmsContent = new pkijs.ContentInfo();
 * cmsContent.contentType = pkijs.ContentInfo.ENVELOPED_DATA;
 * cmsContent.content = cmsEnveloped.toSchema();
 *
 * const cmsContentRaw = cmsContent.toSchema().toBER();
 * ```
 *
 * @example The following example demonstrates how to decrypt CMS Enveloped Data
 * ```js
 * // Get a "crypto" extension
 * const crypto = pkijs.getCrypto();
 *
 * // Parse CMS Content Info
 * const cmsContent = pkijs.ContentInfo.fromBER(cmsContentRaw);
 * if (cmsContent.contentType !== pkijs.ContentInfo.ENVELOPED_DATA) {
 *   throw new Error("CMS is not Enveloped Data");
 * }
 * // Parse CMS Enveloped Data
 * const cmsEnveloped = new pkijs.EnvelopedData({ schema: cmsContent.content });
 *
 * // Export private key to PKCS#8
 * const pkcs8 = await crypto.exportKey("pkcs8", keys.privateKey);
 *
 * // Decrypt data
 * const decryptedData = await cmsEnveloped.decrypt(0, {
 *   recipientCertificate: cert,
 *   recipientPrivateKey: pkcs8,
 * });
 * ```
 */
export class EnvelopedData extends PkiObject implements IEnvelopedData {

  public static override CLASS_NAME = "EnvelopedData";

  public version!: number;
  public originatorInfo?: OriginatorInfo;
  public recipientInfos!: RecipientInfo[];
  public encryptedContentInfo!: EncryptedContentInfo;
  public unprotectedAttrs?: Attribute[];

  public policy: Required<EncryptedContentInfoSplit>;

  /**
   * Initializes a new instance of the {@link EnvelopedData} class
   * @param parameters Initialization parameters
   */
  constructor(parameters: EnvelopedDataParameters = {}) {
    super();

    this.version = pvutils.getParametersValue(parameters, VERSION, EnvelopedData.defaultValues(VERSION));
    if (ORIGINATOR_INFO in parameters) {
      this.originatorInfo = pvutils.getParametersValue(parameters, ORIGINATOR_INFO, EnvelopedData.defaultValues(ORIGINATOR_INFO));
    }
    this.recipientInfos = pvutils.getParametersValue(parameters, RECIPIENT_INFOS, EnvelopedData.defaultValues(RECIPIENT_INFOS));
    this.encryptedContentInfo = pvutils.getParametersValue(parameters, ENCRYPTED_CONTENT_INFO, EnvelopedData.defaultValues(ENCRYPTED_CONTENT_INFO));
    if (UNPROTECTED_ATTRS in parameters) {
      this.unprotectedAttrs = pvutils.getParametersValue(parameters, UNPROTECTED_ATTRS, EnvelopedData.defaultValues(UNPROTECTED_ATTRS));
    }
    this.policy = {
      disableSplit: !!parameters.disableSplit,
    };

    if (parameters.schema) {
      this.fromSchema(parameters.schema);
    }
  }

  /**
   * Returns default values for all class members
   * @param memberName String name for a class member
   * @returns Default value
   */
  public static override defaultValues(memberName: typeof VERSION): number;
  public static override defaultValues(memberName: typeof ORIGINATOR_INFO): OriginatorInfo;
  public static override defaultValues(memberName: typeof RECIPIENT_INFOS): RecipientInfo[];
  public static override defaultValues(memberName: typeof ENCRYPTED_CONTENT_INFO): EncryptedContentInfo;
  public static override defaultValues(memberName: typeof UNPROTECTED_ATTRS): Attribute[];
  public static override defaultValues(memberName: string): any {
    switch (memberName) {
      case VERSION:
        return 0;
      case ORIGINATOR_INFO:
        return new OriginatorInfo();
      case RECIPIENT_INFOS:
        return [];
      case ENCRYPTED_CONTENT_INFO:
        return new EncryptedContentInfo();
      case UNPROTECTED_ATTRS:
        return [];
      default:
        return super.defaultValues(memberName);
    }
  }

  /**
   * Compare values with default values for all class members
   * @param memberName String name for a class member
   * @param memberValue Value to compare with default value
   */
  public static compareWithDefault(memberName: string, memberValue: any): boolean {
    switch (memberName) {
      case VERSION:
        return (memberValue === EnvelopedData.defaultValues(memberName));
      case ORIGINATOR_INFO:
        return ((memberValue.certs.certificates.length === 0) && (memberValue.crls.crls.length === 0));
      case RECIPIENT_INFOS:
      case UNPROTECTED_ATTRS:
        return (memberValue.length === 0);
      case ENCRYPTED_CONTENT_INFO:
        return ((EncryptedContentInfo.compareWithDefault("contentType", memberValue.contentType)) &&
          (EncryptedContentInfo.compareWithDefault("contentEncryptionAlgorithm", memberValue.contentEncryptionAlgorithm) &&
            (EncryptedContentInfo.compareWithDefault("encryptedContent", memberValue.encryptedContent))));
      default:
        return super.defaultValues(memberName);
    }
  }

  /**
   * @inheritdoc
   * @asn ASN.1 schema
   * ```asn
   * EnvelopedData ::= SEQUENCE {
   *    version CMSVersion,
   *    originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
   *    recipientInfos RecipientInfos,
   *    encryptedContentInfo EncryptedContentInfo,
   *    unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL }
   *```
   */
  public static override schema(parameters: Schema.SchemaParameters<{
    version?: string;
    originatorInfo?: string;
    recipientInfos?: string;
    encryptedContentInfo?: EncryptedContentInfoSchema;
    unprotectedAttrs?: string;
  }> = {}): Schema.SchemaType {
    const names = pvutils.getParametersValue<NonNullable<typeof parameters.names>>(parameters, "names", {});

    return (new asn1js.Sequence({
      name: (names.blockName || EMPTY_STRING),
      value: [
        new asn1js.Integer({ name: (names.version || EMPTY_STRING) }),
        new asn1js.Constructed({
          name: (names.originatorInfo || EMPTY_STRING),
          optional: true,
          idBlock: {
            tagClass: 3, // CONTEXT-SPECIFIC
            tagNumber: 0 // [0]
          },
          value: OriginatorInfo.schema().valueBlock.value
        }),
        new asn1js.Set({
          value: [
            new asn1js.Repeated({
              name: (names.recipientInfos || EMPTY_STRING),
              value: RecipientInfo.schema()
            })
          ]
        }),
        EncryptedContentInfo.schema(names.encryptedContentInfo || {}),
        new asn1js.Constructed({
          optional: true,
          idBlock: {
            tagClass: 3, // CONTEXT-SPECIFIC
            tagNumber: 1 // [1]
          },
          value: [
            new asn1js.Repeated({
              name: (names.unprotectedAttrs || EMPTY_STRING),
              value: Attribute.schema()
            })
          ]
        })
      ]
    }));
  }

  public fromSchema(schema: Schema.SchemaType): void {
    // Clear input data first
    pvutils.clearProps(schema, CLEAR_PROPS);

    // Check the schema is valid
    const asn1 = asn1js.compareSchema(schema,
      schema,
      EnvelopedData.schema({
        names: {
          version: VERSION,
          originatorInfo: ORIGINATOR_INFO,
          recipientInfos: RECIPIENT_INFOS,
          encryptedContentInfo: {
            names: {
              blockName: ENCRYPTED_CONTENT_INFO
            }
          },
          unprotectedAttrs: UNPROTECTED_ATTRS
        }
      })
    );
    AsnError.assertSchema(asn1, this.className);

    // Get internal properties from parsed schema
    this.version = asn1.result.version.valueBlock.valueDec;

    if (ORIGINATOR_INFO in asn1.result) {
      this.originatorInfo = new OriginatorInfo({
        schema: new asn1js.Sequence({
          value: asn1.result.originatorInfo.valueBlock.value
        })
      });
    }

    this.recipientInfos = Array.from(asn1.result.recipientInfos, o => new RecipientInfo({ schema: o }));
    this.encryptedContentInfo = new EncryptedContentInfo({ schema: asn1.result.encryptedContentInfo });

    if (UNPROTECTED_ATTRS in asn1.result)
      this.unprotectedAttrs = Array.from(asn1.result.unprotectedAttrs, o => new Attribute({ schema: o }));
  }

  public toSchema(): asn1js.Sequence {
    //#region Create array for output sequence
    const outputArray = [];

    outputArray.push(new asn1js.Integer({ value: this.version }));

    if (this.originatorInfo) {
      outputArray.push(new asn1js.Constructed({
        optional: true,
        idBlock: {
          tagClass: 3, // CONTEXT-SPECIFIC
          tagNumber: 0 // [0]
        },
        value: this.originatorInfo.toSchema().valueBlock.value
      }));
    }

    outputArray.push(new asn1js.Set({
      value: Array.from(this.recipientInfos, o => o.toSchema())
    }));

    outputArray.push(this.encryptedContentInfo.toSchema());

    if (this.unprotectedAttrs) {
      outputArray.push(new asn1js.Constructed({
        optional: true,
        idBlock: {
          tagClass: 3, // CONTEXT-SPECIFIC
          tagNumber: 1 // [1]
        },
        value: Array.from(this.unprotectedAttrs, o => o.toSchema())
      }));
    }
    //#endregion

    //#region Construct and return new ASN.1 schema for this object
    return (new asn1js.Sequence({
      value: outputArray
    }));
    //#endregion
  }

  public toJSON(): EnvelopedDataJson {
    const res: EnvelopedDataJson = {
      version: this.version,
      recipientInfos: Array.from(this.recipientInfos, o => o.toJSON()),
      encryptedContentInfo: this.encryptedContentInfo.toJSON(),
    };

    if (this.originatorInfo)
      res.originatorInfo = this.originatorInfo.toJSON();

    if (this.unprotectedAttrs)
      res.unprotectedAttrs = Array.from(this.unprotectedAttrs, o => o.toJSON());

    return res;
  }

  /**
   * Helpers function for filling "RecipientInfo" based on recipient's certificate.
   * Problem with WebCrypto is that for RSA certificates we have only one option - "key transport" and
   * for ECC certificates we also have one option - "key agreement". As soon as Google will implement
   * DH algorithm it would be possible to use "key agreement" also for RSA certificates.
   * @param certificate Recipient's certificate
   * @param parameters Additional parameters necessary for "fine tunning" of encryption process
   * @param variant Variant = 1 is for "key transport", variant = 2 is for "key agreement". In fact the "variant" is unnecessary now because Google has no DH algorithm implementation. Thus key encryption scheme would be choosen by certificate type only: "key transport" for RSA and "key agreement" for ECC certificates.
   * @param crypto Crypto engine
   */
  public addRecipientByCertificate(certificate: Certificate, parameters?: object, variant?: number, crypto = common.getCrypto(true)): boolean {
    //#region Initialize encryption parameters
    const encryptionParameters = Object.assign(
      { useOAEP: true, oaepHashAlgorithm: "SHA-512" },
      defaultEncryptionParams,
      parameters || {}
    );
    //#endregion

    //#region Check type of certificate
    if (certificate.subjectPublicKeyInfo.algorithm.algorithmId.indexOf("1.2.840.113549") !== (-1))
      variant = 1; // For the moment it is the only variant for RSA-based certificates
    else {
      if (certificate.subjectPublicKeyInfo.algorithm.algorithmId.indexOf("1.2.840.10045") !== (-1))
        variant = 2; // For the moment it is the only variant for ECC-based certificates
      else
        throw new Error(`Unknown type of certificate's public key: ${certificate.subjectPublicKeyInfo.algorithm.algorithmId}`);
    }
    //#endregion

    //#region Add new "recipient" depends on "variant" and certificate type
    switch (variant) {
      case 1: // Key transport scheme
        {
          let algorithmId;
          let algorithmParams;

          if (encryptionParameters.useOAEP === true) {
            // keyEncryptionAlgorithm
            algorithmId = crypto.getOIDByAlgorithm({
              name: "RSA-OAEP"
            }, true, "keyEncryptionAlgorithm");

            //#region RSAES-OAEP-params
            const hashOID = crypto.getOIDByAlgorithm({
              name: encryptionParameters.oaepHashAlgorithm
            }, true, "RSAES-OAEP-params");

            const hashAlgorithm = new AlgorithmIdentifier({
              algorithmId: hashOID,
              algorithmParams: new asn1js.Null()
            });

            const rsaOAEPParams = new RSAESOAEPParams({
              hashAlgorithm,
              maskGenAlgorithm: new AlgorithmIdentifier({
                algorithmId: "1.2.840.113549.1.1.8", // id-mgf1
                algorithmParams: hashAlgorithm.toSchema()
              })
            });

            algorithmParams = rsaOAEPParams.toSchema();
            //#endregion
          }
          else // Use old RSAES-PKCS1-v1_5 schema instead
          {
            //#region keyEncryptionAlgorithm
            algorithmId = crypto.getOIDByAlgorithm({
              name: "RSAES-PKCS1-v1_5"
            });
            if (algorithmId === EMPTY_STRING)
              throw new Error("Can not find OID for RSAES-PKCS1-v1_5");
            //#endregion

            algorithmParams = new asn1js.Null();
          }

          //#region KeyTransRecipientInfo
          const keyInfo = new KeyTransRecipientInfo({
            version: 0,
            rid: new IssuerAndSerialNumber({
              issuer: certificate.issuer,
              serialNumber: certificate.serialNumber
            }),
            keyEncryptionAlgorithm: new AlgorithmIdentifier({
              algorithmId,
              algorithmParams
            }),
            recipientCertificate: certificate,
            // "encryptedKey" will be calculated in "encrypt" function
          });
          //#endregion

          //#region Final values for "CMS_ENVELOPED_DATA"
          this.recipientInfos.push(new RecipientInfo({
            variant: 1,
            value: keyInfo
          }));
          //#endregion
        }
        break;
      case 2: // Key agreement scheme
        {
          const recipientIdentifier = new KeyAgreeRecipientIdentifier({
            variant: 1,
            value: new IssuerAndSerialNumber({
              issuer: certificate.issuer,
              serialNumber: certificate.serialNumber
            })
          });
          this._addKeyAgreeRecipientInfo(
            recipientIdentifier,
            encryptionParameters,
            { recipientCertificate: certificate },
            crypto,
          );
        }
        break;
      default:
        throw new Error(`Unknown "variant" value: ${variant}`);
    }
    //#endregion

    return true;
  }

  /**
   * Add recipient based on pre-defined data like password or KEK
   * @param preDefinedData ArrayBuffer with pre-defined data
   * @param parameters Additional parameters necessary for "fine tunning" of encryption process
   * @param variant Variant = 1 for pre-defined "key encryption key" (KEK). Variant = 2 for password-based encryption.
   * @param crypto Crypto engine
   */
  public addRecipientByPreDefinedData(preDefinedData: ArrayBuffer, parameters: {
    keyIdentifier?: ArrayBuffer;
    hmacHashAlgorithm?: string;
    iterationCount?: number;
    keyEncryptionAlgorithm?: AesKeyGenParams;
    keyEncryptionAlgorithmParams?: any;
  } = {}, variant: number, crypto = common.getCrypto(true)) {
    //#region Check initial parameters
    ArgumentError.assert(preDefinedData, "preDefinedData", "ArrayBuffer");
    if (!preDefinedData.byteLength) {
      throw new Error("Pre-defined data could have zero length");
    }
    //#endregion

    //#region Initialize encryption parameters
    if (!parameters.keyIdentifier) {
      const keyIdentifierBuffer = new ArrayBuffer(16);
      const keyIdentifierView = new Uint8Array(keyIdentifierBuffer);
      crypto.getRandomValues(keyIdentifierView);

      parameters.keyIdentifier = keyIdentifierBuffer;
    }

    if (!parameters.hmacHashAlgorithm)
      parameters.hmacHashAlgorithm = "SHA-512";

    if (parameters.iterationCount === undefined) {
      parameters.iterationCount = 2048;
    }

    if (!parameters.keyEncryptionAlgorithm) {
      parameters.keyEncryptionAlgorithm = {
        name: "AES-KW",
        length: 256
      };
    }

    if (!parameters.keyEncryptionAlgorithmParams)
      parameters.keyEncryptionAlgorithmParams = new asn1js.Null();
    //#endregion

    //#region Add new recipient based on passed variant
    switch (variant) {
      case 1: // KEKRecipientInfo
        {
          // keyEncryptionAlgorithm
          const kekOID = crypto.getOIDByAlgorithm(parameters.keyEncryptionAlgorithm, true, "keyEncryptionAlgorithm");

          //#region KEKRecipientInfo
          const keyInfo = new KEKRecipientInfo({
            version: 4,
            kekid: new KEKIdentifier({
              keyIdentifier: new asn1js.OctetString({ valueHex: parameters.keyIdentifier })
            }),
            keyEncryptionAlgorithm: new AlgorithmIdentifier({
              algorithmId: kekOID,
              /*
               For AES-KW params are NULL, but for other algorithm could another situation.
               */
              algorithmParams: parameters.keyEncryptionAlgorithmParams
            }),
            preDefinedKEK: preDefinedData
            // "encryptedKey" would be set in "ecrypt" function
          });
          //#endregion

          //#region Final values for "CMS_ENVELOPED_DATA"
          this.recipientInfos.push(new RecipientInfo({
            variant: 3,
            value: keyInfo
          }));
          //#endregion
        }
        break;
      case 2: // PasswordRecipientinfo
        {
          // keyDerivationAlgorithm
          const pbkdf2OID = crypto.getOIDByAlgorithm({ name: "PBKDF2" }, true, "keyDerivationAlgorithm");

          //#region Salt
          const saltBuffer = new ArrayBuffer(64);
          const saltView = new Uint8Array(saltBuffer);
          crypto.getRandomValues(saltView);
          //#endregion

          //#region HMAC-based algorithm
          const hmacOID = crypto.getOIDByAlgorithm({
            name: "HMAC",
            hash: {
              name: parameters.hmacHashAlgorithm
            }
          } as Algorithm, true, "hmacHashAlgorithm");
          //#endregion

          //#region PBKDF2-params
          const pbkdf2Params = new PBKDF2Params({
            salt: new asn1js.OctetString({ valueHex: saltBuffer }),
            iterationCount: parameters.iterationCount,
            prf: new AlgorithmIdentifier({
              algorithmId: hmacOID,
              algorithmParams: new asn1js.Null()
            })
          });
          //#endregion

          // keyEncryptionAlgorithm
          const kekOID = crypto.getOIDByAlgorithm(parameters.keyEncryptionAlgorithm, true, "keyEncryptionAlgorithm");

          //#region PasswordRecipientinfo
          const keyInfo = new PasswordRecipientinfo({
            version: 0,
            keyDerivationAlgorithm: new AlgorithmIdentifier({
              algorithmId: pbkdf2OID,
              algorithmParams: pbkdf2Params.toSchema()
            }),
            keyEncryptionAlgorithm: new AlgorithmIdentifier({
              algorithmId: kekOID,
              /*
               For AES-KW params are NULL, but for other algorithm could be another situation.
               */
              algorithmParams: parameters.keyEncryptionAlgorithmParams
            }),
            password: preDefinedData
            // "encryptedKey" would be set in "encrypt" function
          });
          //#endregion

          //#region Final values for "CMS_ENVELOPED_DATA"
          this.recipientInfos.push(new RecipientInfo({
            variant: 4,
            value: keyInfo
          }));
          //#endregion
        }
        break;
      default:
        throw new Error(`Unknown value for "variant": ${variant}`);
    }
    //#endregion
  }

  /**
   * Add a "RecipientInfo" using a KeyAgreeRecipientInfo of type RecipientKeyIdentifier.
   * @param key Recipient's public key
   * @param keyId The id for the recipient's public key
   * @param parameters Additional parameters for "fine tuning" the encryption process
   * @param crypto Crypto engine
   */
  addRecipientByKeyIdentifier(key?: CryptoKey, keyId?: ArrayBuffer, parameters?: any, crypto = common.getCrypto(true)) {
    //#region Initialize encryption parameters
    const encryptionParameters = Object.assign({}, defaultEncryptionParams, parameters || {});
    //#endregion

    const recipientIdentifier = new KeyAgreeRecipientIdentifier({
      variant: 2,
      value: new RecipientKeyIdentifier({
        subjectKeyIdentifier: new asn1js.OctetString({ valueHex: keyId }),
      })
    });
    this._addKeyAgreeRecipientInfo(
      recipientIdentifier,
      encryptionParameters,
      { recipientPublicKey: key },
      crypto,
    );
  }

  /**
   * Add a "RecipientInfo" using a KeyAgreeRecipientInfo of type RecipientKeyIdentifier.
   * @param recipientIdentifier Recipient identifier
   * @param encryptionParameters Additional parameters for "fine tuning" the encryption process
   * @param extraRecipientInfoParams Additional params for KeyAgreeRecipientInfo
   * @param crypto Crypto engine
   */
  private _addKeyAgreeRecipientInfo(recipientIdentifier: KeyAgreeRecipientIdentifier, encryptionParameters: EnvelopedDataEncryptionParams, extraRecipientInfoParams: KeyAgreeRecipientInfoParameters, crypto = common.getCrypto(true)) {
    //#region RecipientEncryptedKey
    const encryptedKey = new RecipientEncryptedKey({
      rid: recipientIdentifier
      // "encryptedKey" will be calculated in "encrypt" function
    });
    //#endregion

    //#region keyEncryptionAlgorithm
    const aesKWoid = crypto.getOIDByAlgorithm({
      name: "AES-KW",
      length: encryptionParameters.kekEncryptionLength
    } as Algorithm, true, "keyEncryptionAlgorithm");

    const aesKW = new AlgorithmIdentifier({
      algorithmId: aesKWoid,
    });
    //#endregion

    //#region KeyAgreeRecipientInfo
    const ecdhOID = crypto.getOIDByAlgorithm({
      name: "ECDH",
      kdf: encryptionParameters.kdfAlgorithm
    } as Algorithm, true, "KeyAgreeRecipientInfo");

    // In fact there is no need in so long UKM, but RFC2631
    // has requirement that "UserKeyMaterial" must be 512 bits long
    const ukmBuffer = new ArrayBuffer(64);
    const ukmView = new Uint8Array(ukmBuffer);
    crypto.getRandomValues(ukmView); // Generate random values in 64 bytes long buffer

    const recipientInfoParams = {
      version: 3,
      // "originator" will be calculated in "encrypt" function because ephemeral key would be generated there
      ukm: new asn1js.OctetString({ valueHex: ukmBuffer }),
      keyEncryptionAlgorithm: new AlgorithmIdentifier({
        algorithmId: ecdhOID,
        algorithmParams: aesKW.toSchema()
      }),
      recipientEncryptedKeys: new RecipientEncryptedKeys({
        encryptedKeys: [encryptedKey]
      })
    };
    const keyInfo = new KeyAgreeRecipientInfo(Object.assign(recipientInfoParams, extraRecipientInfoParams));
    //#endregion

    //#region Final values for "CMS_ENVELOPED_DATA"
    this.recipientInfos.push(new RecipientInfo({
      variant: 2,
      value: keyInfo
    }));
    //#endregion
  }

  /**
   * Creates a new CMS Enveloped Data content with encrypted data
   * @param contentEncryptionAlgorithm WebCrypto algorithm. For the moment here could be only "AES-CBC" or "AES-GCM" algorithms.
   * @param contentToEncrypt Content to encrypt
   * @param crypto Crypto engine
   */
  public async encrypt(contentEncryptionAlgorithm: Algorithm, contentToEncrypt: ArrayBuffer, crypto = common.getCrypto(true)): Promise<(void | { ecdhPrivateKey: CryptoKey; })[]> {
    //#region Initial variables
    // AES-GCM uses a 12-byte nonce per NIST SP 800-38D §8.2.1 and RFC 5084
    // recommendation. Other AES modes use a 16-byte IV.
    const isAesGcm = contentEncryptionAlgorithm.name === "AES-GCM";
    const ivBuffer = new ArrayBuffer(isAesGcm ? 12 : 16);
    const ivView = new Uint8Array(ivBuffer);
    crypto.getRandomValues(ivView);

    const contentView = new Uint8Array(contentToEncrypt);
    //#endregion

    // Check for input parameters
    const contentEncryptionOID = crypto.getOIDByAlgorithm(contentEncryptionAlgorithm, true, "contentEncryptionAlgorithm");

    //#region Generate new content encryption key
    const sessionKey = await crypto.generateKey(contentEncryptionAlgorithm as AesKeyAlgorithm, true, ["encrypt"]);
    //#endregion
    //#region Encrypt content

    const encryptedContent = await crypto.encrypt({
      name: contentEncryptionAlgorithm.name,
      iv: ivView
    },
      sessionKey,
      contentView);
    //#endregion
    //#region Export raw content of content encryption key
    const exportedSessionKey = await crypto.exportKey("raw", sessionKey);

    //#endregion
    //#region Append common information to CMS_ENVELOPED_DATA
    this.version = 2;
    this.encryptedContentInfo = new EncryptedContentInfo({
      disableSplit: this.policy.disableSplit,
      contentType: "1.2.840.113549.1.7.1", // "data"
      contentEncryptionAlgorithm: new AlgorithmIdentifier({
        algorithmId: contentEncryptionOID,
        // RFC 5084 §3.2 requires AES-GCM AlgorithmIdentifier parameters to be
        // a GCMParameters SEQUENCE (nonce + optional ICV length), not a bare
        // OCTET STRING. WebCrypto AES-GCM emits a 128-bit / 16-byte ICV by
        // default; advertise it explicitly rather than relying on the schema
        // default of 12. Other ciphers keep the legacy OCTET-STRING IV.
        algorithmParams: isAesGcm
          ? new GCMParams({ nonce: ivBuffer, icvLen: 16 }).toSchema()
          : new asn1js.OctetString({ valueHex: ivBuffer })
      }),
      encryptedContent: new asn1js.OctetString({ valueHex: encryptedContent })
    });
    //#endregion

    //#region Special sub-functions to work with each recipient's type
    const SubKeyAgreeRecipientInfo = async (index: number) => {
      //#region Initial variables
      const recipientInfo = this.recipientInfos[index].value as KeyAgreeRecipientInfo;
      let recipientCurve: string;
      //#endregion

      //#region Get public key and named curve from recipient's certificate or public key
      let recipientPublicKey: CryptoKey;
      if (recipientInfo.recipientPublicKey) {
        recipientCurve = (recipientInfo.recipientPublicKey.algorithm as EcKeyAlgorithm).namedCurve;
        recipientPublicKey = recipientInfo.recipientPublicKey;
      } else if (recipientInfo.recipientCertificate) {
        const curveObject = recipientInfo.recipientCertificate.subjectPublicKeyInfo.algorithm.algorithmParams;

        if (curveObject.constructor.blockName() !== asn1js.ObjectIdentifier.blockName())
          throw new Error(`Incorrect "recipientCertificate" for index ${index}`);

        const curveOID = curveObject.valueBlock.toString();

        switch (curveOID) {
          case "1.2.840.10045.3.1.7":
            recipientCurve = "P-256";
            break;
          case "1.3.132.0.34":
            recipientCurve = "P-384";
            break;
          case "1.3.132.0.35":
            recipientCurve = "P-521";
            break;
          default:
            throw new Error(`Incorrect curve OID for index ${index}`);
        }

        recipientPublicKey = await recipientInfo.recipientCertificate.getPublicKey({
          algorithm: {
            algorithm: {
              name: "ECDH",
              namedCurve: recipientCurve
            } as EcKeyAlgorithm,
            usages: []
          }
        }, crypto);
      } else {
        throw new Error("Unsupported RecipientInfo");
      }
      //#endregion

      //#region Generate ephemeral ECDH key
      const recipientCurveLength = curveLengthByName[recipientCurve];

      const ecdhKeys = await crypto.generateKey(
        { name: "ECDH", namedCurve: recipientCurve } as EcKeyGenParams,
        true,
        ["deriveBits"]
      );
      //#endregion
      //#region Export public key of ephemeral ECDH key pair

      const exportedECDHPublicKey = await crypto.exportKey("spki", ecdhKeys.publicKey);
      //#endregion

      //#region Create shared secret
      const derivedBits = await crypto.deriveBits({
        name: "ECDH",
        public: recipientPublicKey
      },
        ecdhKeys.privateKey,
        recipientCurveLength);
      //#endregion

      //#region Apply KDF function to shared secret

      //#region Get length of used AES-KW algorithm
      const aesKWAlgorithm = new AlgorithmIdentifier({ schema: recipientInfo.keyEncryptionAlgorithm.algorithmParams });

      const kwAlgorithm = crypto.getAlgorithmByOID<AesKeyAlgorithm>(aesKWAlgorithm.algorithmId, true, "aesKWAlgorithm");
      //#endregion

      //#region Translate AES-KW length to ArrayBuffer
      let kwLength = kwAlgorithm.length;

      const kwLengthBuffer = new ArrayBuffer(4);
      const kwLengthView = new Uint8Array(kwLengthBuffer);

      for (let j = 3; j >= 0; j--) {
        kwLengthView[j] = kwLength;
        kwLength >>= 8;
      }
      //#endregion

      //#region Create and encode "ECC-CMS-SharedInfo" structure
      const eccInfo = new ECCCMSSharedInfo({
        keyInfo: new AlgorithmIdentifier({
          algorithmId: aesKWAlgorithm.algorithmId
        }),
        entityUInfo: (recipientInfo as KeyAgreeRecipientInfo).ukm, // TODO remove `as KeyAgreeRecipientInfo`
        suppPubInfo: new asn1js.OctetString({ valueHex: kwLengthBuffer })
      });

      const encodedInfo = eccInfo.toSchema().toBER(false);
      //#endregion

      //#region Get SHA algorithm used together with ECDH
      const ecdhAlgorithm = crypto.getAlgorithmByOID<any>(recipientInfo.keyEncryptionAlgorithm.algorithmId, true, "ecdhAlgorithm");
      //#endregion

      const derivedKeyRaw = await common.kdf(ecdhAlgorithm.kdf, derivedBits, kwAlgorithm.length, encodedInfo, crypto);
      //#endregion
      //#region Import AES-KW key from result of KDF function
      const awsKW = await crypto.importKey("raw", derivedKeyRaw, { name: "AES-KW" }, true, ["wrapKey"]);
      //#endregion
      //#region Finally wrap session key by using AES-KW algorithm
      const wrappedKey = await crypto.wrapKey("raw", sessionKey, awsKW, { name: "AES-KW" });
      //#endregion
      //#region Append all necessary data to current CMS_RECIPIENT_INFO object
      //#region OriginatorIdentifierOrKey
      const originator = new OriginatorIdentifierOrKey();
      originator.variant = 3;
      originator.value = OriginatorPublicKey.fromBER(exportedECDHPublicKey);

      recipientInfo.originator = originator;
      //#endregion

      //#region RecipientEncryptedKey
      /*
       We will not support using of same ephemeral key for many recipients
       */
      recipientInfo.recipientEncryptedKeys.encryptedKeys[0].encryptedKey = new asn1js.OctetString({ valueHex: wrappedKey });
      //#endregion

      return { ecdhPrivateKey: ecdhKeys.privateKey };
      //#endregion
    };

    const SubKeyTransRecipientInfo = async (index: number) => {
      const recipientInfo = this.recipientInfos[index].value as KeyTransRecipientInfo; // TODO Remove `as KeyTransRecipientInfo`
      const algorithmParameters = crypto.getAlgorithmByOID<any>(recipientInfo.keyEncryptionAlgorithm.algorithmId, true, "keyEncryptionAlgorithm");

      //#region RSA-OAEP case
      if (algorithmParameters.name === "RSA-OAEP") {
        const schema = recipientInfo.keyEncryptionAlgorithm.algorithmParams;
        const rsaOAEPParams = new RSAESOAEPParams({ schema });

        algorithmParameters.hash = crypto.getAlgorithmByOID(rsaOAEPParams.hashAlgorithm.algorithmId);
        if (("name" in algorithmParameters.hash) === false)
          throw new Error(`Incorrect OID for hash algorithm: ${rsaOAEPParams.hashAlgorithm.algorithmId}`);
      }
      //#endregion

      try {
        const publicKey = await recipientInfo.recipientCertificate.getPublicKey({
          algorithm: {
            algorithm: algorithmParameters,
            usages: ["encrypt", "wrapKey"]
          }
        }, crypto);

        const encryptedKey = await crypto.encrypt(publicKey.algorithm, publicKey, exportedSessionKey);

        //#region RecipientEncryptedKey
        recipientInfo.encryptedKey = new asn1js.OctetString({ valueHex: encryptedKey });
        //#endregion
      }
      catch {
        // nothing
      }
    };

    const SubKEKRecipientInfo = async (index: number) => {
      //#region Initial variables
      const recipientInfo = this.recipientInfos[index].value as KEKRecipientInfo; // TODO Remove `as KEKRecipientInfo`
      //#endregion

      //#region Import KEK from pre-defined data

      //#region Get WebCrypto form of "keyEncryptionAlgorithm"
      const kekAlgorithm = crypto.getAlgorithmByOID(recipientInfo.keyEncryptionAlgorithm.algorithmId, true, "kekAlgorithm");
      //#endregion

      const kekKey = await crypto.importKey("raw",
        new Uint8Array(recipientInfo.preDefinedKEK),
        kekAlgorithm,
        true,
        ["wrapKey"]); // Too specific for AES-KW
      //#endregion

      //#region Wrap previously exported session key

      const wrappedKey = await crypto.wrapKey("raw", sessionKey, kekKey, kekAlgorithm);
      //#endregion
      //#region Append all necessary data to current CMS_RECIPIENT_INFO object
      //#region RecipientEncryptedKey
      recipientInfo.encryptedKey = new asn1js.OctetString({ valueHex: wrappedKey });
      //#endregion
      //#endregion
    };

    const SubPasswordRecipientinfo = async (index: number) => {
      //#region Initial variables
      const recipientInfo = this.recipientInfos[index].value as PasswordRecipientinfo; // TODO Remove `as PasswordRecipientinfo`
      let pbkdf2Params: PBKDF2Params;
      //#endregion

      //#region Check that we have encoded "keyDerivationAlgorithm" plus "PBKDF2_params" in there

      if (!recipientInfo.keyDerivationAlgorithm)
        throw new Error("Please append encoded \"keyDerivationAlgorithm\"");

      if (!recipientInfo.keyDerivationAlgorithm.algorithmParams)
        throw new Error("Incorrectly encoded \"keyDerivationAlgorithm\"");

      try {
        pbkdf2Params = new PBKDF2Params({ schema: recipientInfo.keyDerivationAlgorithm.algorithmParams });
      }
      catch {
        throw new Error("Incorrectly encoded \"keyDerivationAlgorithm\"");
      }

      //#endregion
      //#region Derive PBKDF2 key from "password" buffer
      const passwordView = new Uint8Array(recipientInfo.password);

      const derivationKey = await crypto.importKey("raw",
        passwordView,
        "PBKDF2",
        false,
        ["deriveKey"]);
      //#endregion
      //#region Derive key for "keyEncryptionAlgorithm"
      //#region Get WebCrypto form of "keyEncryptionAlgorithm"
      const kekAlgorithm = crypto.getAlgorithmByOID<any>(recipientInfo.keyEncryptionAlgorithm.algorithmId, true, "kekAlgorithm");

      //#endregion

      //#region Get HMAC hash algorithm
      let hmacHashAlgorithm = "SHA-1";

      if (pbkdf2Params.prf) {
        const prfAlgorithm = crypto.getAlgorithmByOID<any>(pbkdf2Params.prf.algorithmId, true, "prfAlgorithm");
        hmacHashAlgorithm = prfAlgorithm.hash.name;
      }
      //#endregion

      //#region Get PBKDF2 "salt" value
      const saltView = new Uint8Array(pbkdf2Params.salt.valueBlock.valueHex);
      //#endregion

      //#region Get PBKDF2 iterations count
      const iterations = pbkdf2Params.iterationCount;
      //#endregion

      const derivedKey = await crypto.deriveKey({
        name: "PBKDF2",
        hash: {
          name: hmacHashAlgorithm
        },
        salt: saltView,
        iterations
      },
        derivationKey,
        kekAlgorithm,
        true,
        ["wrapKey"]); // Usages are too specific for KEK algorithm

      //#endregion
      //#region Wrap previously exported session key (Also too specific for KEK algorithm)
      const wrappedKey = await crypto.wrapKey("raw", sessionKey, derivedKey, kekAlgorithm);
      //#endregion
      //#region Append all necessary data to current CMS_RECIPIENT_INFO object
      //#region RecipientEncryptedKey
      recipientInfo.encryptedKey = new asn1js.OctetString({ valueHex: wrappedKey });
      //#endregion
      //#endregion
    };

    //#endregion

    const res = [];
    //#region Create special routines for each "recipient"
    for (let i = 0; i < this.recipientInfos.length; i++) {
      switch (this.recipientInfos[i].variant) {
        case 1: // KeyTransRecipientInfo
          res.push(await SubKeyTransRecipientInfo(i));
          break;
        case 2: // KeyAgreeRecipientInfo
          res.push(await SubKeyAgreeRecipientInfo(i));
          break;
        case 3: // KEKRecipientInfo
          res.push(await SubKEKRecipientInfo(i));
          break;
        case 4: // PasswordRecipientinfo
          res.push(await SubPasswordRecipientinfo(i));
          break;
        default:
          throw new Error(`Unknown recipient type in array with index ${i}`);
      }
    }
    //#endregion
    return res;
  }

  /**
   * Decrypts existing CMS Enveloped Data content
   * @param recipientIndex Index of recipient
   * @param parameters Additional parameters
   * @param crypto Crypto engine
   */
  async decrypt(recipientIndex: number, parameters: EnvelopedDataDecryptParams, crypto = common.getCrypto(true)) {
    //#region Initial variables
    const decryptionParameters = parameters || {};
    //#endregion

    //#region Check for input parameters
    if ((recipientIndex + 1) > this.recipientInfos.length) {
      throw new Error(`Maximum value for "index" is: ${this.recipientInfos.length - 1}`);
    }
    //#endregion

    //#region Special sub-functions to work with each recipient's type
    const SubKeyAgreeRecipientInfo = async (index: number) => {
      //#region Initial variables
      const recipientInfo = this.recipientInfos[index].value as KeyAgreeRecipientInfo; // TODO Remove `as KeyAgreeRecipientInfo`
      //#endregion

      let curveOID: string;
      let recipientCurve: string;
      let recipientCurveLength: number;
      const originator = recipientInfo.originator;

      //#region Get "namedCurve" parameter from recipient's certificate

      if (decryptionParameters.recipientCertificate) {
        const curveObject = decryptionParameters.recipientCertificate.subjectPublicKeyInfo.algorithm.algorithmParams;
        if (curveObject.constructor.blockName() !== asn1js.ObjectIdentifier.blockName()) {
          throw new Error(`Incorrect "recipientCertificate" for index ${index}`);
        }
        curveOID = curveObject.valueBlock.toString();
      } else if (originator.value.algorithm.algorithmParams) {
        const curveObject = originator.value.algorithm.algorithmParams;
        if (curveObject.constructor.blockName() !== asn1js.ObjectIdentifier.blockName()) {
          throw new Error(`Incorrect originator for index ${index}`);
        }
        curveOID = curveObject.valueBlock.toString();
      } else {
        throw new Error("Parameter \"recipientCertificate\" is mandatory for \"KeyAgreeRecipientInfo\" if algorithm params are missing from originator");
      }

      if (!decryptionParameters.recipientPrivateKey)
        throw new Error("Parameter \"recipientPrivateKey\" is mandatory for \"KeyAgreeRecipientInfo\"");

      switch (curveOID) {
        case "1.2.840.10045.3.1.7":
          recipientCurve = "P-256";
          recipientCurveLength = 256;
          break;
        case "1.3.132.0.34":
          recipientCurve = "P-384";
          recipientCurveLength = 384;
          break;
        case "1.3.132.0.35":
          recipientCurve = "P-521";
          recipientCurveLength = 528;
          break;
        default:
          throw new Error(`Incorrect curve OID for index ${index}`);
      }

      let ecdhPrivateKey: CryptoKey;
      let keyCrypto: SubtleCrypto = crypto;
      if (BufferSourceConverter.isBufferSource(decryptionParameters.recipientPrivateKey)) {
        ecdhPrivateKey = await crypto.importKey("pkcs8",
          decryptionParameters.recipientPrivateKey,
          {
            name: "ECDH",
            namedCurve: recipientCurve
          } as EcKeyImportParams,
          true,
          ["deriveBits"]
        );
      } else {
        ecdhPrivateKey = decryptionParameters.recipientPrivateKey;
        if ("crypto" in decryptionParameters && decryptionParameters.crypto) {
          keyCrypto = decryptionParameters.crypto.subtle;
        }
      }
      //#endregion
      //#region Import sender's ephemeral public key
      //#region Change "OriginatorPublicKey" if "curve" parameter absent
      if (("algorithmParams" in originator.value.algorithm) === false)
        originator.value.algorithm.algorithmParams = new asn1js.ObjectIdentifier({ value: curveOID });
      //#endregion

      //#region Create ArrayBuffer with sender's public key
      const buffer = originator.value.toSchema().toBER(false);
      //#endregion

      const ecdhPublicKey = await crypto.importKey("spki",
        buffer,
        {
          name: "ECDH",
          namedCurve: recipientCurve
        } as EcKeyImportParams,
        true,
        []);

      //#endregion
      //#region Create shared secret
      const sharedSecret = await keyCrypto.deriveBits({
        name: "ECDH",
        public: ecdhPublicKey
      },
        ecdhPrivateKey,
        recipientCurveLength);
      //#endregion
      //#region Apply KDF function to shared secret
      async function applyKDF(includeAlgorithmParams?: boolean) {
        includeAlgorithmParams = includeAlgorithmParams || false;

        //#region Get length of used AES-KW algorithm
        const aesKWAlgorithm = new AlgorithmIdentifier({ schema: recipientInfo.keyEncryptionAlgorithm.algorithmParams });

        const kwAlgorithm = crypto.getAlgorithmByOID<any>(aesKWAlgorithm.algorithmId, true, "kwAlgorithm");
        //#endregion

        //#region Translate AES-KW length to ArrayBuffer
        let kwLength = kwAlgorithm.length;

        const kwLengthBuffer = new ArrayBuffer(4);
        const kwLengthView = new Uint8Array(kwLengthBuffer);

        for (let j = 3; j >= 0; j--) {
          kwLengthView[j] = kwLength;
          kwLength >>= 8;
        }
        //#endregion

        //#region Create and encode "ECC-CMS-SharedInfo" structure
        const keyInfoAlgorithm: AlgorithmIdentifierParameters = {
          algorithmId: aesKWAlgorithm.algorithmId
        };
        if (includeAlgorithmParams) {
          keyInfoAlgorithm.algorithmParams = new asn1js.Null();
        }
        const eccInfo = new ECCCMSSharedInfo({
          keyInfo: new AlgorithmIdentifier(keyInfoAlgorithm),
          entityUInfo: recipientInfo.ukm,
          suppPubInfo: new asn1js.OctetString({ valueHex: kwLengthBuffer })
        });

        const encodedInfo = eccInfo.toSchema().toBER(false);
        //#endregion

        //#region Get SHA algorithm used together with ECDH
        const ecdhAlgorithm = crypto.getAlgorithmByOID<any>(recipientInfo.keyEncryptionAlgorithm.algorithmId, true, "ecdhAlgorithm");
        if (!ecdhAlgorithm.name) {
          throw new Error(`Incorrect OID for key encryption algorithm: ${recipientInfo.keyEncryptionAlgorithm.algorithmId}`);
        }
        //#endregion

        return common.kdf(ecdhAlgorithm.kdf, sharedSecret, kwAlgorithm.length, encodedInfo, crypto);
      }

      const kdfResult = await applyKDF();
      //#endregion
      //#region Import AES-KW key from result of KDF function
      const importAesKwKey = async (kdfResult: ArrayBuffer) => {
        return crypto.importKey("raw",
          kdfResult,
          { name: "AES-KW" },
          true,
          ["unwrapKey"]
        );
      };

      const aesKwKey = await importAesKwKey(kdfResult);

      //#endregion
      //#region Finally unwrap session key
      const unwrapSessionKey = async (aesKwKey: CryptoKey) => {
        //#region Get WebCrypto form of content encryption algorithm
        const algorithmId = this.encryptedContentInfo.contentEncryptionAlgorithm.algorithmId;
        const contentEncryptionAlgorithm = crypto.getAlgorithmByOID<any>(algorithmId, true, "contentEncryptionAlgorithm");
        //#endregion

        return crypto.unwrapKey("raw",
          recipientInfo.recipientEncryptedKeys.encryptedKeys[0].encryptedKey.valueBlock.valueHexView as BufferSource,
          aesKwKey,
          { name: "AES-KW" },
          contentEncryptionAlgorithm,
          true,
          ["decrypt"]);
      };

      try {
        return await unwrapSessionKey(aesKwKey);
      } catch {
        const kdfResult = await applyKDF(true);
        const aesKwKey = await importAesKwKey(kdfResult);
        return unwrapSessionKey(aesKwKey);
      }
    };
    //#endregion

    const SubKeyTransRecipientInfo = async (index: number) => {
      const recipientInfo = this.recipientInfos[index].value as KeyTransRecipientInfo; // TODO Remove `as KeyTransRecipientInfo`
      if (!decryptionParameters.recipientPrivateKey) {
        throw new Error("Parameter \"recipientPrivateKey\" is mandatory for \"KeyTransRecipientInfo\"");
      }

      const algorithmParameters = crypto.getAlgorithmByOID<any>(recipientInfo.keyEncryptionAlgorithm.algorithmId, true, "keyEncryptionAlgorithm");

      //#region RSA-OAEP case
      if (algorithmParameters.name === "RSA-OAEP") {
        const schema = recipientInfo.keyEncryptionAlgorithm.algorithmParams;
        const rsaOAEPParams = new RSAESOAEPParams({ schema });

        algorithmParameters.hash = crypto.getAlgorithmByOID(rsaOAEPParams.hashAlgorithm.algorithmId);
        if (("name" in algorithmParameters.hash) === false)
          throw new Error(`Incorrect OID for hash algorithm: ${rsaOAEPParams.hashAlgorithm.algorithmId}`);
      }
      //#endregion

      let privateKey: CryptoKey;
      let keyCrypto: SubtleCrypto = crypto;
      if (BufferSourceConverter.isBufferSource(decryptionParameters.recipientPrivateKey)) {
        privateKey = await crypto.importKey(
          "pkcs8",
          decryptionParameters.recipientPrivateKey,
          algorithmParameters,
          true,
          ["decrypt"]
        );
      } else {
        privateKey = decryptionParameters.recipientPrivateKey;
        if ("crypto" in decryptionParameters && decryptionParameters.crypto) {
          keyCrypto = decryptionParameters.crypto.subtle;
        }
      }

      const sessionKey = await keyCrypto.decrypt(
        privateKey.algorithm,
        privateKey,
        recipientInfo.encryptedKey.valueBlock.valueHexView as BufferSource
      );

      //#region Get WebCrypto form of content encryption algorithm
      const algorithmId = this.encryptedContentInfo.contentEncryptionAlgorithm.algorithmId;
      const contentEncryptionAlgorithm = crypto.getAlgorithmByOID(algorithmId, true, "contentEncryptionAlgorithm");
      if (("name" in contentEncryptionAlgorithm) === false)
        throw new Error(`Incorrect "contentEncryptionAlgorithm": ${algorithmId}`);
      //#endregion

      return crypto.importKey("raw",
        sessionKey,
        contentEncryptionAlgorithm,
        true,
        ["decrypt"]
      );
    };

    const SubKEKRecipientInfo = async (index: number) => {
      //#region Initial variables
      const recipientInfo = this.recipientInfos[index].value as KEKRecipientInfo; // TODO Remove `as KEKRecipientInfo`
      //#endregion

      //#region Import KEK from pre-defined data
      if (!decryptionParameters.preDefinedData)
        throw new Error("Parameter \"preDefinedData\" is mandatory for \"KEKRecipientInfo\"");

      //#region Get WebCrypto form of "keyEncryptionAlgorithm"
      const kekAlgorithm = crypto.getAlgorithmByOID<any>(recipientInfo.keyEncryptionAlgorithm.algorithmId, true, "kekAlgorithm");
      //#endregion

      const importedKey = await crypto.importKey("raw",
        decryptionParameters.preDefinedData,
        kekAlgorithm,
        true,
        ["unwrapKey"]); // Too specific for AES-KW

      //#endregion
      //#region Unwrap previously exported session key
      //#region Get WebCrypto form of content encryption algorithm
      const algorithmId = this.encryptedContentInfo.contentEncryptionAlgorithm.algorithmId;
      const contentEncryptionAlgorithm = crypto.getAlgorithmByOID<any>(algorithmId, true, "contentEncryptionAlgorithm");
      if (!contentEncryptionAlgorithm.name) {
        throw new Error(`Incorrect "contentEncryptionAlgorithm": ${algorithmId}`);
      }
      //#endregion

      return crypto.unwrapKey("raw",
        recipientInfo.encryptedKey.valueBlock.valueHexView as BufferSource,
        importedKey,
        kekAlgorithm,
        contentEncryptionAlgorithm,
        true,
        ["decrypt"]);
      //#endregion
    };

    const SubPasswordRecipientinfo = async (index: number) => {
      //#region Initial variables
      const recipientInfo = this.recipientInfos[index].value as PasswordRecipientinfo; // TODO Remove `as PasswordRecipientinfo`
      let pbkdf2Params: PBKDF2Params;
      //#endregion

      //#region Derive PBKDF2 key from "password" buffer

      if (!decryptionParameters.preDefinedData) {
        throw new Error("Parameter \"preDefinedData\" is mandatory for \"KEKRecipientInfo\"");
      }

      if (!recipientInfo.keyDerivationAlgorithm) {
        throw new Error("Please append encoded \"keyDerivationAlgorithm\"");
      }

      if (!recipientInfo.keyDerivationAlgorithm.algorithmParams) {
        throw new Error("Incorrectly encoded \"keyDerivationAlgorithm\"");
      }

      try {
        pbkdf2Params = new PBKDF2Params({ schema: recipientInfo.keyDerivationAlgorithm.algorithmParams });
      }
      catch {
        throw new Error("Incorrectly encoded \"keyDerivationAlgorithm\"");
      }

      const pbkdf2Key = await crypto.importKey("raw",
        decryptionParameters.preDefinedData,
        "PBKDF2",
        false,
        ["deriveKey"]);
      //#endregion
      //#region Derive key for "keyEncryptionAlgorithm"
      //#region Get WebCrypto form of "keyEncryptionAlgorithm"
      const kekAlgorithm = crypto.getAlgorithmByOID<any>(recipientInfo.keyEncryptionAlgorithm.algorithmId, true, "keyEncryptionAlgorithm");
      //#endregion

      // Get HMAC hash algorithm
      const hmacHashAlgorithm = pbkdf2Params.prf
        ? crypto.getAlgorithmByOID<any>(pbkdf2Params.prf.algorithmId, true, "prfAlgorithm").hash.name
        : "SHA-1";

      //#region Get PBKDF2 "salt" value
      const saltView = new Uint8Array(pbkdf2Params.salt.valueBlock.valueHex);
      //#endregion

      //#region Get PBKDF2 iterations count
      const iterations = pbkdf2Params.iterationCount;
      //#endregion

      const kekKey = await crypto.deriveKey({
        name: "PBKDF2",
        hash: {
          name: hmacHashAlgorithm
        },
        salt: saltView,
        iterations
      },
        pbkdf2Key,
        kekAlgorithm,
        true,
        ["unwrapKey"]); // Usages are too specific for KEK algorithm
      //#endregion
      //#region Unwrap previously exported session key
      //#region Get WebCrypto form of content encryption algorithm
      const algorithmId = this.encryptedContentInfo.contentEncryptionAlgorithm.algorithmId;
      const contentEncryptionAlgorithm = crypto.getAlgorithmByOID<any>(algorithmId, true, "contentEncryptionAlgorithm");
      //#endregion

      return crypto.unwrapKey("raw",
        recipientInfo.encryptedKey.valueBlock.valueHexView as BufferSource,
        kekKey,
        kekAlgorithm,
        contentEncryptionAlgorithm,
        true,
        ["decrypt"]);
      //#endregion
    };

    //#endregion

    //#region Perform steps, specific to each type of session key encryption
    let unwrappedKey: CryptoKey;
    switch (this.recipientInfos[recipientIndex].variant) {
      case 1: // KeyTransRecipientInfo
        unwrappedKey = await SubKeyTransRecipientInfo(recipientIndex);
        break;
      case 2: // KeyAgreeRecipientInfo
        unwrappedKey = await SubKeyAgreeRecipientInfo(recipientIndex);
        break;
      case 3: // KEKRecipientInfo
        unwrappedKey = await SubKEKRecipientInfo(recipientIndex);
        break;
      case 4: // PasswordRecipientinfo
        unwrappedKey = await SubPasswordRecipientinfo(recipientIndex);
        break;
      default:
        throw new Error(`Unknown recipient type in array with index ${recipientIndex}`);
    }
    //#endregion

    //#region Finally decrypt data by session key
    //#region Get WebCrypto form of content encryption algorithm
    const algorithmId = this.encryptedContentInfo.contentEncryptionAlgorithm.algorithmId;
    const contentEncryptionAlgorithm = crypto.getAlgorithmByOID(algorithmId, true, "contentEncryptionAlgorithm");
    //#endregion

    //#region Get "initialization vector" for content encryption algorithm
    // AES-GCM parameters are a GCMParameters SEQUENCE per RFC 5084 §3.2.
    // Older pkijs output emitted a bare OCTET STRING; fall back to that
    // shape so previously-produced blobs remain decryptable.
    const isAesGcm = (contentEncryptionAlgorithm as any).name === "AES-GCM";
    let ivBuffer: ArrayBuffer;
    let gcmTagLengthBits: number | undefined;
    if (isAesGcm) {
      try {
        const gcmParams = new GCMParams({
          schema: this.encryptedContentInfo.contentEncryptionAlgorithm.algorithmParams
        });
        ivBuffer = gcmParams.nonce;
        // RFC 5084 default is 12; WebCrypto default is 16.
        gcmTagLengthBits = ((gcmParams.icvLen ?? 12) * 8);
      } catch {
        // Legacy fallback: params encoded as bare OCTET STRING.
        // No explicit ICV length available; let WebCrypto use its default (128 bits).
        ivBuffer = this.encryptedContentInfo.contentEncryptionAlgorithm.algorithmParams.valueBlock.valueHex;
      }
    } else {
      ivBuffer = this.encryptedContentInfo.contentEncryptionAlgorithm.algorithmParams.valueBlock.valueHex;
    }
    const ivView = new Uint8Array(ivBuffer);
    //#endregion

    //#region Create correct data block for decryption
    if (!this.encryptedContentInfo.encryptedContent) {
      throw new Error("Required property `encryptedContent` is empty");
    }
    const dataBuffer = this.encryptedContentInfo.getEncryptedContent();
    //#endregion

    const decryptAlgorithm: Algorithm & { iv: Uint8Array; tagLength?: number } = {
      name: (contentEncryptionAlgorithm as any).name,
      iv: ivView
    };
    if (isAesGcm && gcmTagLengthBits !== undefined) {
      decryptAlgorithm.tagLength = gcmTagLengthBits;
    }
    return crypto.decrypt(decryptAlgorithm, unwrappedKey, dataBuffer);
    //#endregion
  }

}

PeculiarVentures / PKI.js / 24843230473

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous