@avieldr/react-native-rsa 1.0.0

package/lib/typescript/src/types.d.ts

@@ -0,0 +1,63 @@
+/** Private key encoding format */
+export type KeyFormat = 'pkcs1' | 'pkcs8';
+/** Padding mode for encrypt/decrypt operations */
+export type EncryptionPadding = 'oaep' | 'pkcs1';
+/** Padding mode for sign/verify operations */
+export type SignaturePadding = 'pss' | 'pkcs1';
+/** Hash algorithm used for padding schemes */
+export type HashAlgorithm = 'sha256' | 'sha1' | 'sha384' | 'sha512';
+/**
+ * Controls how the JS input string is interpreted before sending to native.
+ *   - 'utf8':   the string is UTF-8 text (will be encoded to base64 before bridging)
+ *   - 'base64': the string is already base64-encoded binary data
+ */
+export type InputEncoding = 'utf8' | 'base64';
+export interface GenerateKeyPairOptions {
+    /** Output format for the private key. Default: 'pkcs1' */
+    format?: KeyFormat;
+}
+export interface RSAKeyPair {
+    /** Public key in PEM format (SPKI/X.509) */
+    publicKey: string;
+    /** Private key in PEM format (PKCS#1 or PKCS#8 depending on options) */
+    privateKey: string;
+}
+export interface RSAKeyInfo {
+    isValid: boolean;
+    format: 'pkcs1' | 'pkcs8' | 'public' | 'unknown';
+    keyType: 'private' | 'public' | 'unknown';
+    pemLineCount: number;
+    derByteLength: number;
+    errors: string[];
+}
+export interface EncryptOptions {
+    /** Padding mode. Default: 'oaep' */
+    padding?: EncryptionPadding;
+    /** Hash algorithm (used with OAEP). Default: 'sha256' */
+    hash?: HashAlgorithm;
+    /** How to interpret the input string. Default: 'utf8' */
+    encoding?: InputEncoding;
+}
+export interface DecryptOptions {
+    /** Padding mode — must match encryption. Default: 'oaep' */
+    padding?: EncryptionPadding;
+    /** Hash algorithm — must match encryption. Default: 'sha256' */
+    hash?: HashAlgorithm;
+}
+export interface SignOptions {
+    /** Padding mode. Default: 'pss' */
+    padding?: SignaturePadding;
+    /** Hash algorithm. Default: 'sha256' */
+    hash?: HashAlgorithm;
+    /** How to interpret the input string. Default: 'utf8' */
+    encoding?: InputEncoding;
+}
+export interface VerifyOptions {
+    /** Padding mode — must match signing. Default: 'pss' */
+    padding?: SignaturePadding;
+    /** Hash algorithm — must match signing. Default: 'sha256' */
+    hash?: HashAlgorithm;
+    /** How to interpret the input string. Default: 'utf8' */
+    encoding?: InputEncoding;
+}
+//# sourceMappingURL=types.d.ts.map

package/lib/typescript/src/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/types.ts"],"names":[],"mappings":"AAEA,kCAAkC;AAClC,MAAM,MAAM,SAAS,GAAG,OAAO,GAAG,OAAO,CAAC;AAI1C,kDAAkD;AAClD,MAAM,MAAM,iBAAiB,GAAG,MAAM,GAAG,OAAO,CAAC;AAEjD,8CAA8C;AAC9C,MAAM,MAAM,gBAAgB,GAAG,KAAK,GAAG,OAAO,CAAC;AAE/C,8CAA8C;AAC9C,MAAM,MAAM,aAAa,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEpE;;;;GAIG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,QAAQ,CAAC;AAI9C,MAAM,WAAW,sBAAsB;IACrC,0DAA0D;IAC1D,MAAM,CAAC,EAAE,SAAS,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,4CAA4C;IAC5C,SAAS,EAAE,MAAM,CAAC;IAClB,wEAAwE;IACxE,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,OAAO,GAAG,OAAO,GAAG,QAAQ,GAAG,SAAS,CAAC;IACjD,OAAO,EAAE,SAAS,GAAG,QAAQ,GAAG,SAAS,CAAC;IAC1C,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAID,MAAM,WAAW,cAAc;IAC7B,oCAAoC;IACpC,OAAO,CAAC,EAAE,iBAAiB,CAAC;IAC5B,yDAAyD;IACzD,IAAI,CAAC,EAAE,aAAa,CAAC;IACrB,yDAAyD;IACzD,QAAQ,CAAC,EAAE,aAAa,CAAC;CAC1B;AAED,MAAM,WAAW,cAAc;IAC7B,4DAA4D;IAC5D,OAAO,CAAC,EAAE,iBAAiB,CAAC;IAC5B,gEAAgE;IAChE,IAAI,CAAC,EAAE,aAAa,CAAC;CACtB;AAID,MAAM,WAAW,WAAW;IAC1B,mCAAmC;IACnC,OAAO,CAAC,EAAE,gBAAgB,CAAC;IAC3B,wCAAwC;IACxC,IAAI,CAAC,EAAE,aAAa,CAAC;IACrB,yDAAyD;IACzD,QAAQ,CAAC,EAAE,aAAa,CAAC;CAC1B;AAED,MAAM,WAAW,aAAa;IAC5B,wDAAwD;IACxD,OAAO,CAAC,EAAE,gBAAgB,CAAC;IAC3B,6DAA6D;IAC7D,IAAI,CAAC,EAAE,aAAa,CAAC;IACrB,yDAAyD;IACzD,QAAQ,CAAC,EAAE,aAAa,CAAC;CAC1B"}

package/package.json

@@ -0,0 +1,133 @@
+{
+  "name": "@avieldr/react-native-rsa",
+  "version": "1.0.0",
+  "description": "High-performance native RSA cryptography for React Native",
+  "main": "./lib/module/index.js",
+  "types": "./lib/typescript/src/index.d.ts",
+  "exports": {
+    ".": {
+      "source": "./src/index.ts",
+      "types": "./lib/typescript/src/index.d.ts",
+      "default": "./lib/module/index.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "src",
+    "lib",
+    "android",
+    "ios",
+    "*.podspec",
+    "!ios/build",
+    "!android/build",
+    "!android/gradle",
+    "!android/gradlew",
+    "!android/gradlew.bat",
+    "!android/local.properties",
+    "!**/__tests__",
+    "!**/__fixtures__",
+    "!**/__mocks__",
+    "!**/.*"
+  ],
+  "scripts": {
+    "example": "yarn workspace react-native-rsa-example",
+    "clean": "del-cli android/build example/android/build example/android/app/build example/ios/build lib",
+    "prepare": "bob build",
+    "typecheck": "tsc",
+    "lint": "eslint \"**/*.{js,ts,tsx}\""
+  },
+  "keywords": [
+    "react-native",
+    "ios",
+    "android",
+    "rsa",
+    "crypto",
+    "cryptography",
+    "encryption",
+    "signing",
+    "security",
+    "turbo-module",
+    "new-architecture"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/avieldr/react-native-rsa-turbo.git"
+  },
+  "author": "Aviel Drori <avielwebdesign@gmail.com>",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/avieldr/react-native-rsa-turbo/issues"
+  },
+  "homepage": "https://github.com/avieldr/react-native-rsa-turbo#readme",
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
+    "access": "public"
+  },
+  "devDependencies": {
+    "@eslint/compat": "^1.3.2",
+    "@eslint/eslintrc": "^3.3.1",
+    "@eslint/js": "^9.35.0",
+    "@react-native/babel-preset": "0.83.0",
+    "@react-native/eslint-config": "0.83.0",
+    "@types/react": "^19.2.0",
+    "del-cli": "^6.0.0",
+    "eslint": "^9.35.0",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-prettier": "^5.5.4",
+    "prettier": "^2.8.8",
+    "react": "19.2.0",
+    "react-native": "0.83.0",
+    "react-native-builder-bob": "^0.40.13",
+    "turbo": "^2.5.6",
+    "typescript": "^5.9.2"
+  },
+  "peerDependencies": {
+    "react": "*",
+    "react-native": "*"
+  },
+  "workspaces": [
+    "example"
+  ],
+  "packageManager": "yarn@4.11.0",
+  "react-native-builder-bob": {
+    "source": "src",
+    "output": "lib",
+    "targets": [
+      [
+        "module",
+        {
+          "esm": true
+        }
+      ],
+      [
+        "typescript",
+        {
+          "project": "tsconfig.build.json"
+        }
+      ]
+    ]
+  },
+  "codegenConfig": {
+    "name": "RsaSpec",
+    "type": "modules",
+    "jsSrcsDir": "src",
+    "android": {
+      "javaPackageName": "com.rsa"
+    }
+  },
+  "prettier": {
+    "quoteProps": "consistent",
+    "singleQuote": true,
+    "tabWidth": 2,
+    "trailingComma": "es5",
+    "useTabs": false
+  },
+  "create-react-native-library": {
+    "type": "turbo-module",
+    "languages": "kotlin-objc",
+    "tools": [
+      "eslint"
+    ],
+    "version": "0.57.0"
+  }
+}

package/src/NativeRsa.ts

@@ -0,0 +1,59 @@
+import { TurboModuleRegistry, type TurboModule } from 'react-native';
+
+/**
+ * Native bridge specification for RSA operations.
+ *
+ * All methods use flat string parameters (no objects/arrays) because
+ * React Native's codegen works best with simple types across the bridge.
+ *
+ * Data is passed as base64 strings to avoid binary encoding issues.
+ * The JS layer (index.ts) handles defaults resolution and UTF-8→base64 encoding.
+ */
+export interface Spec extends TurboModule {
+  /** Generate an RSA key pair → { publicKey, privateKey } in PEM format */
+  generateKeyPair(
+    keySize: number,
+    format: string
+  ): Promise<{ publicKey: string; privateKey: string }>;
+
+  /** Extract public key from a private key PEM → public key PEM */
+  getPublicKeyFromPrivate(privateKeyPEM: string): Promise<string>;
+
+  /** Encrypt base64 data with a public key → base64 ciphertext */
+  encrypt(
+    dataBase64: string,
+    publicKeyPEM: string,
+    padding: string,
+    hash: string
+  ): Promise<string>;
+
+  /** Decrypt base64 ciphertext with a private key → base64 plaintext */
+  decrypt(
+    dataBase64: string,
+    privateKeyPEM: string,
+    padding: string,
+    hash: string
+  ): Promise<string>;
+
+  /** Sign base64 data with a private key → base64 signature */
+  sign(
+    dataBase64: string,
+    privateKeyPEM: string,
+    padding: string,
+    hash: string
+  ): Promise<string>;
+
+  /** Verify a base64 signature against base64 data → boolean */
+  verify(
+    dataBase64: string,
+    signatureBase64: string,
+    publicKeyPEM: string,
+    padding: string,
+    hash: string
+  ): Promise<boolean>;
+
+  /** Convert a private key PEM between PKCS#1 and PKCS#8 formats */
+  convertPrivateKey(pem: string, targetFormat: string): Promise<string>;
+}
+
+export default TurboModuleRegistry.getEnforcing<Spec>('Rsa');

package/src/constants.ts

@@ -0,0 +1,25 @@
+/**
+ * Default values for all RSA operation options.
+ *
+ * These are applied in `index.ts` when the caller omits an option.
+ * Keeping them in one place ensures consistency across encrypt, decrypt, sign, verify.
+ */
+export const DEFAULTS = {
+  /** Default padding for encrypt/decrypt — OAEP is recommended over PKCS#1 */
+  ENCRYPTION_PADDING: 'oaep' as const,
+
+  /** Default padding for sign/verify — PSS is recommended over PKCS#1 */
+  SIGNATURE_PADDING: 'pss' as const,
+
+  /** Default hash algorithm */
+  HASH: 'sha256' as const,
+
+  /** Default input string encoding — UTF-8 text is the common case */
+  ENCODING: 'utf8' as const,
+
+  /** Default private key format for key generation */
+  KEY_FORMAT: 'pkcs1' as const,
+};
+
+/** Supported RSA key sizes in bits */
+export const VALID_KEY_SIZES = [1024, 2048, 4096] as const;

package/src/encoding.ts

@@ -0,0 +1,139 @@
+/**
+ * Pure-JS UTF-8 ↔ Base64 encoding utilities.
+ *
+ * These work in all React Native JS engines (Hermes, JSC) without
+ * external dependencies. They handle full Unicode including surrogate pairs.
+ *
+ * Used by the public API to convert UTF-8 input strings to base64
+ * before sending them across the native bridge.
+ */
+
+const BASE64_CHARS =
+  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
+
+/**
+ * Encode a UTF-8 string to base64.
+ *
+ * Steps:
+ *   1. Convert the JS string (UTF-16) to UTF-8 byte values
+ *   2. Encode those bytes as base64
+ *
+ * Handles multi-byte characters and surrogate pairs correctly.
+ */
+export function utf8ToBase64(str: string): string {
+  // Step 1: UTF-16 string → UTF-8 byte array
+  const bytes: number[] = [];
+  for (let i = 0; i < str.length; i++) {
+    let codePoint = str.codePointAt(i)!;
+    // Skip the low surrogate of a surrogate pair (codePointAt already decoded it)
+    if (codePoint > 0xffff) {
+      i++;
+    }
+
+    if (codePoint < 0x80) {
+      // 1-byte: ASCII (0xxxxxxx)
+      bytes.push(codePoint);
+    } else if (codePoint < 0x800) {
+      // 2-byte: (110xxxxx 10xxxxxx)
+      bytes.push(0xc0 | (codePoint >> 6), 0x80 | (codePoint & 0x3f));
+    } else if (codePoint < 0x10000) {
+      // 3-byte: (1110xxxx 10xxxxxx 10xxxxxx)
+      bytes.push(
+        0xe0 | (codePoint >> 12),
+        0x80 | ((codePoint >> 6) & 0x3f),
+        0x80 | (codePoint & 0x3f)
+      );
+    } else {
+      // 4-byte: (11110xxx 10xxxxxx 10xxxxxx 10xxxxxx) — for emoji, etc.
+      bytes.push(
+        0xf0 | (codePoint >> 18),
+        0x80 | ((codePoint >> 12) & 0x3f),
+        0x80 | ((codePoint >> 6) & 0x3f),
+        0x80 | (codePoint & 0x3f)
+      );
+    }
+  }
+
+  // Step 2: Byte array → Base64 string (3 bytes per group → 4 base64 chars)
+  let result = '';
+  for (let i = 0; i < bytes.length; i += 3) {
+    const a = bytes[i]!;
+    const b = i + 1 < bytes.length ? bytes[i + 1]! : 0;
+    const c = i + 2 < bytes.length ? bytes[i + 2]! : 0;
+
+    result += BASE64_CHARS[a >> 2];
+    result += BASE64_CHARS[((a & 3) << 4) | (b >> 4)];
+    result +=
+      i + 1 < bytes.length ? BASE64_CHARS[((b & 0xf) << 2) | (c >> 6)] : '=';
+    result += i + 2 < bytes.length ? BASE64_CHARS[c & 0x3f] : '=';
+  }
+  return result;
+}
+
+/**
+ * Decode a base64 string to a UTF-8 string.
+ *
+ * Steps:
+ *   1. Decode base64 → raw byte values
+ *   2. Interpret those bytes as UTF-8 and build a JS string
+ *
+ * Useful for reading decrypted plaintext that was originally UTF-8 text.
+ */
+export function base64ToUtf8(base64: string): string {
+  // Step 1: Base64 string → byte array
+  const cleaned = base64.replace(/[^A-Za-z0-9+/=]/g, '');
+  const bytes: number[] = [];
+  for (let i = 0; i < cleaned.length; i += 4) {
+    const a = BASE64_CHARS.indexOf(cleaned[i]!);
+    const b = BASE64_CHARS.indexOf(cleaned[i + 1]!);
+    const c =
+      cleaned[i + 2] === '=' ? 0 : BASE64_CHARS.indexOf(cleaned[i + 2]!);
+    const d =
+      cleaned[i + 3] === '=' ? 0 : BASE64_CHARS.indexOf(cleaned[i + 3]!);
+
+    const bits = (a << 18) | (b << 12) | (c << 6) | d;
+    bytes.push((bits >> 16) & 0xff);
+    if (cleaned[i + 2] !== '=') {
+      bytes.push((bits >> 8) & 0xff);
+    }
+    if (cleaned[i + 3] !== '=') {
+      bytes.push(bits & 0xff);
+    }
+  }
+
+  // Step 2: UTF-8 byte array → JS string
+  let str = '';
+  let idx = 0;
+  while (idx < bytes.length) {
+    const byte = bytes[idx]!;
+    if (byte < 0x80) {
+      // 1-byte: ASCII
+      str += String.fromCodePoint(byte);
+      idx++;
+    } else if ((byte & 0xe0) === 0xc0) {
+      // 2-byte character
+      str += String.fromCodePoint(
+        ((byte & 0x1f) << 6) | (bytes[idx + 1]! & 0x3f)
+      );
+      idx += 2;
+    } else if ((byte & 0xf0) === 0xe0) {
+      // 3-byte character
+      str += String.fromCodePoint(
+        ((byte & 0x0f) << 12) |
+          ((bytes[idx + 1]! & 0x3f) << 6) |
+          (bytes[idx + 2]! & 0x3f)
+      );
+      idx += 3;
+    } else {
+      // 4-byte character (emoji, etc.)
+      const codePoint =
+        ((byte & 0x07) << 18) |
+        ((bytes[idx + 1]! & 0x3f) << 12) |
+        ((bytes[idx + 2]! & 0x3f) << 6) |
+        (bytes[idx + 3]! & 0x3f);
+      str += String.fromCodePoint(codePoint);
+      idx += 4;
+    }
+  }
+  return str;
+}

package/src/errors.ts

@@ -0,0 +1,206 @@
+import { VALID_KEY_SIZES } from './constants';
+
+/**
+ * Error codes thrown by @avieldr/react-native-rsa.
+ *
+ * Validation errors (thrown before native call):
+ *   - INVALID_INPUT: Required parameter is missing or empty
+ *   - INVALID_KEY: Key format is wrong or key type mismatch
+ *   - INVALID_KEY_SIZE: Unsupported key size
+ *   - INVALID_PADDING: Unknown padding mode
+ *   - INVALID_HASH: Unknown hash algorithm
+ *   - INVALID_FORMAT: Unknown key format
+ *   - INVALID_ENCODING: Unknown encoding type
+ *
+ * Native operation errors (thrown by platform crypto):
+ *   - KEY_GENERATION_FAILED: Native key generation failed
+ *   - KEY_EXTRACTION_FAILED: Failed to extract public key from private
+ *   - KEY_CONVERSION_FAILED: Failed to convert key format
+ *   - ENCRYPTION_FAILED: Native encryption operation failed
+ *   - DECRYPTION_FAILED: Native decryption operation failed
+ *   - SIGNING_FAILED: Native signing operation failed
+ *   - VERIFICATION_FAILED: Native signature verification failed
+ */
+export type RsaErrorCode =
+  // Validation errors
+  | 'INVALID_INPUT'
+  | 'INVALID_KEY'
+  | 'INVALID_KEY_SIZE'
+  | 'INVALID_PADDING'
+  | 'INVALID_HASH'
+  | 'INVALID_FORMAT'
+  | 'INVALID_ENCODING'
+  // Native operation errors
+  | 'KEY_GENERATION_FAILED'
+  | 'KEY_EXTRACTION_FAILED'
+  | 'KEY_CONVERSION_FAILED'
+  | 'ENCRYPTION_FAILED'
+  | 'DECRYPTION_FAILED'
+  | 'SIGNING_FAILED'
+  | 'VERIFICATION_FAILED';
+
+/**
+ * Error thrown by @avieldr/react-native-rsa for invalid inputs or native failures.
+ * Extends Error with a `code` property for programmatic handling.
+ */
+export class RsaError extends Error {
+  readonly code: RsaErrorCode;
+  /** The original error from the native layer, if any */
+  readonly cause?: Error;
+
+  constructor(code: RsaErrorCode, message: string, cause?: Error) {
+    super(message);
+    this.name = 'RsaError';
+    this.code = code;
+    this.cause = cause;
+  }
+}
+
+/**
+ * Map of native error codes to RsaErrorCode.
+ * Native modules reject with codes like "RSAEncryptError" — we normalize them.
+ */
+const NATIVE_ERROR_CODE_MAP: Record<string, RsaErrorCode> = {
+  RSAKeyGenerationError: 'KEY_GENERATION_FAILED',
+  RSAKeyExtractionError: 'KEY_EXTRACTION_FAILED',
+  RSAConvertKeyError: 'KEY_CONVERSION_FAILED',
+  RSAEncryptError: 'ENCRYPTION_FAILED',
+  RSADecryptError: 'DECRYPTION_FAILED',
+  RSASignError: 'SIGNING_FAILED',
+  RSAVerifyError: 'VERIFICATION_FAILED',
+};
+
+/**
+ * Wrap a native error into an RsaError with a normalized code.
+ * If the error is already an RsaError, returns it unchanged.
+ */
+export function wrapNativeError(error: unknown, fallbackCode: RsaErrorCode): RsaError {
+  if (error instanceof RsaError) {
+    return error;
+  }
+
+  if (error instanceof Error) {
+    // React Native errors from native modules have a `code` property
+    const nativeCode = (error as { code?: string }).code;
+    const code = (nativeCode && NATIVE_ERROR_CODE_MAP[nativeCode]) || fallbackCode;
+    return new RsaError(code, error.message, error);
+  }
+
+  // Unknown error type
+  return new RsaError(fallbackCode, String(error));
+}
+
+// --- Validation helpers ---
+
+export function requireString(
+  value: unknown,
+  name: string
+): asserts value is string {
+  if (typeof value !== 'string' || value.length === 0) {
+    throw new RsaError('INVALID_INPUT', `'${name}' must be a non-empty string`);
+  }
+}
+
+export function requirePrivateKey(pem: string): void {
+  requireString(pem, 'privateKey');
+  if (
+    pem.includes('BEGIN PUBLIC KEY')
+  ) {
+    throw new RsaError(
+      'INVALID_KEY',
+      'Expected a private key (BEGIN RSA PRIVATE KEY or BEGIN PRIVATE KEY), but received a public key'
+    );
+  }
+  if (
+    !pem.includes('BEGIN RSA PRIVATE KEY') &&
+    !pem.includes('BEGIN PRIVATE KEY')
+  ) {
+    throw new RsaError(
+      'INVALID_KEY',
+      'Expected a private key (BEGIN RSA PRIVATE KEY or BEGIN PRIVATE KEY)'
+    );
+  }
+}
+
+export function requirePublicKey(pem: string): void {
+  requireString(pem, 'publicKey');
+  if (
+    pem.includes('BEGIN RSA PRIVATE KEY') ||
+    pem.includes('BEGIN PRIVATE KEY')
+  ) {
+    throw new RsaError(
+      'INVALID_KEY',
+      'Expected a public key (BEGIN PUBLIC KEY), but received a private key'
+    );
+  }
+  if (!pem.includes('BEGIN PUBLIC KEY')) {
+    throw new RsaError(
+      'INVALID_KEY',
+      'Expected a public key (BEGIN PUBLIC KEY)'
+    );
+  }
+}
+
+export function validateKeySize(keySize: number): void {
+  if (!(VALID_KEY_SIZES as readonly number[]).includes(keySize)) {
+    throw new RsaError(
+      'INVALID_KEY_SIZE',
+      `Invalid key size ${keySize}. Supported sizes: ${VALID_KEY_SIZES.join(', ')}`
+    );
+  }
+}
+
+const VALID_ENCRYPTION_PADDINGS = ['oaep', 'pkcs1'];
+
+export function validateEncryptionPadding(padding: string): void {
+  if (!VALID_ENCRYPTION_PADDINGS.includes(padding)) {
+    throw new RsaError(
+      'INVALID_PADDING',
+      `Invalid encryption padding '${padding}'. Must be 'oaep' or 'pkcs1'`
+    );
+  }
+}
+
+const VALID_SIGNATURE_PADDINGS = ['pss', 'pkcs1'];
+
+export function validateSignaturePadding(padding: string): void {
+  if (!VALID_SIGNATURE_PADDINGS.includes(padding)) {
+    throw new RsaError(
+      'INVALID_PADDING',
+      `Invalid signature padding '${padding}'. Must be 'pss' or 'pkcs1'`
+    );
+  }
+}
+
+const VALID_HASHES = ['sha1', 'sha256', 'sha384', 'sha512'];
+
+export function validateHash(hash: string): void {
+  if (!VALID_HASHES.includes(hash)) {
+    throw new RsaError(
+      'INVALID_HASH',
+      `Invalid hash '${hash}'. Must be 'sha1', 'sha256', 'sha384', or 'sha512'`
+    );
+  }
+}
+
+const VALID_KEY_FORMATS = ['pkcs1', 'pkcs8'];
+
+export function validateKeyFormat(format: string): void {
+  if (!VALID_KEY_FORMATS.includes(format)) {
+    throw new RsaError(
+      'INVALID_FORMAT',
+      `Invalid key format '${format}'. Must be 'pkcs1' or 'pkcs8'`
+    );
+  }
+}
+
+const VALID_ENCODINGS = ['utf8', 'base64'];
+
+export function validateEncoding(encoding: string): void {
+  if (!VALID_ENCODINGS.includes(encoding)) {
+    throw new RsaError(
+      'INVALID_ENCODING',
+      `Invalid encoding '${encoding}'. Must be 'utf8' or 'base64'`
+    );
+  }
+}