@enbox/crypto 0.0.2 → 0.0.4

package/src/primitives/secp256k1.ts

@@ -1,9 +1,9 @@
 import type { AffinePoint } from '@noble/curves/abstract/weierstrass';
 
 import { Convert } from '@enbox/common';
-import { sha256 } from '@noble/hashes/sha256';
-import { secp256k1 } from '@noble/curves/secp256k1';
 import { numberToBytesBE } from '@noble/curves/abstract/utils';
+import { secp256k1 } from '@noble/curves/secp256k1';
+import { sha256 } from '@noble/hashes/sha256';
 
 import type { Jwk } from '../jose/jwk.js';
 import type { ComputePublicKeyParams, GetPublicKeyParams, SignParams, VerifyParams } from '../types/params-direct.js';
@@ -304,7 +304,7 @@ export class Secp256k1 {
     ComputePublicKeyParams
   ): Promise<Jwk> {
     // Convert the provided private key to a byte array.
-    const privateKeyBytes  = await Secp256k1.privateKeyToBytes({ privateKey: key });
+    const privateKeyBytes = await Secp256k1.privateKeyToBytes({ privateKey: key });
 
     // Get the elliptic curve point (x and y coordinates) for the provided private key.
     const point = await Secp256k1.getCurvePoint({ keyBytes: privateKeyBytes });
@@ -357,7 +357,7 @@ export class Secp256k1 {
     // into a single byte array.
     const compactSignature = signatureObject.toCompactRawBytes();
 
-    return  compactSignature;
+    return compactSignature;
   }
 
   /**
@@ -468,7 +468,7 @@ export class Secp256k1 {
     }
 
     // Remove the private key property ('d') and make a shallow copy of the provided key.
-    let { d, ...publicKey } = key;
+    const { d, ...publicKey } = key;
 
     // If the key ID is undefined, set it to the JWK thumbprint.
     publicKey.kid ??= await computeJwkThumbprint({ jwk: publicKey });
@@ -732,7 +732,7 @@ export class Secp256k1 {
       // Check if points are on the Short Weierstrass curve.
       point.assertValidity();
 
-    } catch(error: any) {
+    } catch {
       return false;
     }
 

package/src/primitives/secp256r1.ts

@@ -1,9 +1,9 @@
 import type { AffinePoint } from '@noble/curves/abstract/weierstrass';
 
 import { Convert } from '@enbox/common';
-import { sha256 } from '@noble/hashes/sha256';
-import { secp256r1 } from '@noble/curves/p256';
 import { numberToBytesBE } from '@noble/curves/abstract/utils';
+import { secp256r1 } from '@noble/curves/p256';
+import { sha256 } from '@noble/hashes/sha256';
 
 import type { Jwk } from '../jose/jwk.js';
 import type { ComputePublicKeyParams, GetPublicKeyParams, SignParams, VerifyParams } from '../types/params-direct.js';
@@ -304,7 +304,7 @@ export class Secp256r1 {
     ComputePublicKeyParams
   ): Promise<Jwk> {
     // Convert the provided private key to a byte array.
-    const privateKeyBytes  = await Secp256r1.privateKeyToBytes({ privateKey: key });
+    const privateKeyBytes = await Secp256r1.privateKeyToBytes({ privateKey: key });
 
     // Get the elliptic curve point (x and y coordinates) for the provided private key.
     const point = await Secp256r1.getCurvePoint({ keyBytes: privateKeyBytes });
@@ -357,7 +357,7 @@ export class Secp256r1 {
     // into a single byte array.
     const compactSignature = signatureObject.toCompactRawBytes();
 
-    return  compactSignature;
+    return compactSignature;
   }
 
   /**
@@ -468,7 +468,7 @@ export class Secp256r1 {
     }
 
     // Remove the private key property ('d') and make a shallow copy of the provided key.
-    let { d, ...publicKey } = key;
+    const { d, ...publicKey } = key;
 
     // If the key ID is undefined, set it to the JWK thumbprint.
     publicKey.kid ??= await computeJwkThumbprint({ jwk: publicKey });
@@ -732,7 +732,7 @@ export class Secp256r1 {
       // Check if points are on the Short Weierstrass curve.
       point.assertValidity();
 
-    } catch(error: any) {
+    } catch {
       return false;
     }
 

package/src/primitives/x25519.ts

@@ -79,7 +79,7 @@ export class X25519 {
     privateKeyBytes: Uint8Array;
   }): Promise<Jwk> {
     // Derive the public key from the private key.
-    const publicKeyBytes  = x25519.getPublicKey(privateKeyBytes);
+    const publicKeyBytes = x25519.getPublicKey(privateKeyBytes);
 
     // Construct the private key in JWK format.
     const privateKey: Jwk = {
@@ -168,7 +168,7 @@ export class X25519 {
     ComputePublicKeyParams
   ): Promise<Jwk> {
     // Convert the provided private key to a byte array.
-    const privateKeyBytes  = await X25519.privateKeyToBytes({ privateKey: key });
+    const privateKeyBytes = await X25519.privateKeyToBytes({ privateKey: key });
 
     // Derive the public key from the private key.
     const publicKeyBytes = x25519.getPublicKey(privateKeyBytes);
@@ -260,7 +260,7 @@ export class X25519 {
     }
 
     // Remove the private key property ('d') and make a shallow copy of the provided key.
-    let { d, ...publicKey } = key;
+    const { d, ...publicKey } = key;
 
     // If the key ID is undefined, set it to the JWK thumbprint.
     publicKey.kid ??= await computeJwkThumbprint({ jwk: publicKey });
@@ -345,32 +345,25 @@ export class X25519 {
   }
 
   /**
-   * Computes an RFC6090-compliant Elliptic Curve Diffie-Hellman (ECDH) shared secret
-   * using secp256k1 private and public keys in JSON Web Key (JWK) format.
+   * Computes an X25519 Elliptic Curve Diffie-Hellman (ECDH) shared secret
+   * using X25519 private and public keys in JSON Web Key (JWK) format.
    *
    * @remarks
    * This method facilitates the ECDH key agreement protocol, which is a method of securely
    * deriving a shared secret between two parties based on their private and public keys.
    * It takes the private key of one party (privateKeyA) and the public key of another
-   * party (publicKeyB) to compute a shared secret. The shared secret is derived from the
-   * x-coordinate of the elliptic curve point resulting from the multiplication of the
-   * public key with the private key.
-   *
-   * Note: When performing Elliptic Curve Diffie-Hellman (ECDH) key agreement,
-   * the resulting shared secret is a point on the elliptic curve, which
-   * consists of an x-coordinate and a y-coordinate. With a 256-bit curve like
-   * secp256k1, each of these coordinates is 32 bytes (256 bits) long. However,
-   * in the ECDH process, it's standard practice to use only the x-coordinate
-   * of the shared secret point as the resulting shared key. This is because
-   * the y-coordinate does not add to the entropy of the key, and both parties
-   * can independently compute the x-coordinate.  Consquently, this implementation
-   * omits the y-coordinate for simplicity and standard compliance.
+   * party (publicKeyB) to compute a shared secret. The shared secret is the raw output
+   * of the X25519 function as defined in RFC 7748.
+   *
+   * Note: Unlike Weierstrass curves (e.g., secp256k1), X25519 is a Montgomery curve
+   * where the ECDH output is a single 32-byte scalar value, not an (x, y) point.
+   * The result is used directly as the shared secret.
    *
    * @example
    * ```ts
    * const privateKeyA = { ... }; // A Jwk object for party A
    * const publicKeyB = { ... }; // A PublicKeyJwk object for party B
-   * const sharedSecret = await Secp256k1.sharedSecret({
+   * const sharedSecret = await X25519.sharedSecret({
    *   privateKeyA,
    *   publicKeyB
    * });

package/src/primitives/xchacha20-poly1305.ts

@@ -1,6 +1,6 @@
 import { Convert } from '@enbox/common';
-import { xchacha20poly1305 } from '@noble/ciphers/chacha';
 import { getWebcryptoSubtle } from '@noble/ciphers/webcrypto';
+import { xchacha20poly1305 } from '@noble/ciphers/chacha';
 
 import type { Jwk } from '../jose/jwk.js';
 
@@ -147,7 +147,32 @@ export class XChaCha20Poly1305 {
     // Convert the private key from JWK format to bytes.
     const privateKeyBytes = await XChaCha20Poly1305.privateKeyToBytes({ privateKey: key });
 
-    const xc20p = xchacha20poly1305(privateKeyBytes, nonce, additionalData);
+    return XChaCha20Poly1305.decryptRaw({ data, keyBytes: privateKeyBytes, nonce, additionalData });
+  }
+
+  /**
+   * Decrypts data using XChaCha20-Poly1305 with a raw byte array key.
+   *
+   * @remarks
+   * This is a lower-level method that accepts the key as a raw `Uint8Array` instead of a JWK.
+   * It is useful in scenarios where the key material is already in byte form (e.g., derived
+   * from ECDH + HKDF) and constructing a JWK would add unnecessary overhead.
+   *
+   * @param params - The parameters for the decryption operation.
+   * @param params.data - The encrypted data including the authentication tag.
+   * @param params.keyBytes - The 256-bit (32-byte) decryption key as a Uint8Array.
+   * @param params.nonce - The 24-byte nonce used during encryption.
+   * @param params.additionalData - Optional additional authenticated data.
+   *
+   * @returns A Promise that resolves to the decrypted plaintext as a Uint8Array.
+   */
+  public static async decryptRaw({ data, keyBytes, nonce, additionalData }: {
+    additionalData?: Uint8Array;
+    data: Uint8Array;
+    keyBytes: Uint8Array;
+    nonce: Uint8Array;
+  }): Promise<Uint8Array> {
+    const xc20p = xchacha20poly1305(keyBytes, nonce, additionalData);
     const plaintext = xc20p.decrypt(data);
 
     return plaintext;
@@ -186,7 +211,7 @@ export class XChaCha20Poly1305 {
    * @returns A Promise that resolves to a byte array containing the encrypted data and the
    *          authentication tag.
    */
-  public static async encrypt({ data, key, nonce, additionalData}: {
+  public static async encrypt({ data, key, nonce, additionalData }: {
     additionalData?: Uint8Array;
     data: Uint8Array;
     key: Jwk;
@@ -195,7 +220,35 @@ export class XChaCha20Poly1305 {
     // Convert the private key from JWK format to bytes.
     const privateKeyBytes = await XChaCha20Poly1305.privateKeyToBytes({ privateKey: key });
 
-    const xc20p = xchacha20poly1305(privateKeyBytes, nonce, additionalData);
+    return XChaCha20Poly1305.encryptRaw({ data, keyBytes: privateKeyBytes, nonce, additionalData });
+  }
+
+  /**
+   * Encrypts data using XChaCha20-Poly1305 with a raw byte array key.
+   *
+   * @remarks
+   * This is a lower-level method that accepts the key as a raw `Uint8Array` instead of a JWK.
+   * It is useful in scenarios where the key material is already in byte form (e.g., derived
+   * from ECDH + HKDF) and constructing a JWK would add unnecessary overhead.
+   *
+   * The returned `Uint8Array` contains the ciphertext followed by the 16-byte Poly1305
+   * authentication tag.
+   *
+   * @param params - The parameters for the encryption operation.
+   * @param params.data - The plaintext data to encrypt.
+   * @param params.keyBytes - The 256-bit (32-byte) encryption key as a Uint8Array.
+   * @param params.nonce - A 24-byte nonce for the encryption process.
+   * @param params.additionalData - Optional additional authenticated data.
+   *
+   * @returns A Promise that resolves to the ciphertext + authentication tag as a Uint8Array.
+   */
+  public static async encryptRaw({ data, keyBytes, nonce, additionalData }: {
+    additionalData?: Uint8Array;
+    data: Uint8Array;
+    keyBytes: Uint8Array;
+    nonce: Uint8Array;
+  }): Promise<Uint8Array> {
+    const xc20p = xchacha20poly1305(keyBytes, nonce, additionalData);
     const ciphertext = xc20p.encrypt(data);
 
     return ciphertext;

package/src/primitives/xchacha20.ts

@@ -1,6 +1,6 @@
 import { Convert } from '@enbox/common';
-import { xchacha20 } from '@noble/ciphers/chacha';
 import { getWebcryptoSubtle } from '@noble/ciphers/webcrypto';
+import { xchacha20 } from '@noble/ciphers/chacha';
 
 import type { Jwk } from '../jose/jwk.js';
 

package/src/types/cipher.ts

@@ -1,4 +1,4 @@
-import type { EnclosedEncryptParams, EnclosedDecryptParams } from './params-enclosed.js';
+import type { EnclosedDecryptParams, EnclosedEncryptParams } from './params-enclosed.js';
 
 /**
  * The `Cipher` interface provides methods for encrypting and decrypting data.

package/src/types/crypto-api.ts

@@ -1,18 +1,40 @@
+import type { AsymmetricKeyConverter } from './key-converter.js';
+import type { AsymmetricKeyGenerator } from './key-generator.js';
+import type { Cipher } from './cipher.js';
 import type { Hasher } from './hasher.js';
-import type { Signer } from './signer.js';
+import type { Jwk } from '../jose/jwk.js';
 import type { KeyIdentifier } from './identifier.js';
-import type { AsymmetricKeyGenerator } from './key-generator.js';
+import type { KeyWrapper } from './key-wrapper.js';
+import type { Signer } from './signer.js';
 import type {
-  KmsSignParams,
+  BytesToPrivateKeyParams,
+  BytesToPublicKeyParams,
+  CipherParams,
+  DeriveKeyBytesParams,
+  DeriveKeyFromBytesParams,
+  DigestParams,
+  GenerateKeyParams,
+  GetPublicKeyParams,
+  PrivateKeyToBytesParams,
+  PublicKeyToBytesParams,
+  SignParams,
+  UnwrapKeyParams,
+  VerifyParams,
+  WrapKeyParams,
+} from './params-direct.js';
+import type { KeyBytesDeriver, SimpleKeyDeriver } from './key-deriver.js';
+import type {
+  KmsCipherParams,
   KmsDigestParams,
-  KmsVerifyParams,
-  KmsGetKeyUriParams,
   KmsGenerateKeyParams,
+  KmsGetKeyUriParams,
   KmsGetPublicKeyParams,
+  KmsSignParams,
+  KmsVerifyParams,
 } from './params-kms.js';
 
 /**
- * The `CryptoApi` interface integrates key generation, hashing, and signing functionalities,
+ * The `DsaApi` interface integrates key generation, hashing, and signing functionalities,
  * designed for use with a Key Management System (KMS). It extends `AsymmetricKeyGenerator` for
  * generating asymmetric keys, `Hasher` for hash digest computations, and `Signer` for signing and
  * verifying operations.
@@ -32,25 +54,121 @@ import type {
  *   identifier (e.g. JWK thumbprint, UUID generated by hosted KMS, etc.).
  * - Must support key generation, hashing, signing, and verifying operations.
  * - May be extended to support other cryptographic operations.
- * - Implementations of the `CryptoApi` interface can be passed as an argument to the public API
+ * - Implementations of the `DsaApi` interface can be passed as an argument to the public API
  *   methods of Web5 libraries that involve key material (e.g., DID creation, VC signing, arbitrary
  *   data signing/verification, etc.).
  */
-export interface CryptoApi<
+export interface DsaApi<
   GenerateKeyInput = KmsGenerateKeyParams,
   GenerateKeyOutput = KeyIdentifier,
   GetPublicKeyInput = KmsGetPublicKeyParams,
   DigestInput = KmsDigestParams,
   SignInput = KmsSignParams,
   VerifyInput = KmsVerifyParams
-> extends AsymmetricKeyGenerator<GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput>,
+ > extends AsymmetricKeyGenerator<GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput>,
           Hasher<DigestInput>,
-          Signer<SignInput, VerifyInput> {
+          Signer<SignInput, VerifyInput> {}
+
+/**
+ * The `CryptoApi` interface extends {@link DsaApi} with encryption, key conversion,
+ * key derivation, and key wrapping capabilities.
+ *
+ * This is the full-featured cryptographic API used by agent-level code that needs direct-key
+ * cipher, key conversion, and key derivation operations beyond what the base `DsaApi` provides.
+ */
+export interface CryptoApi<
+  GenerateKeyInput = GenerateKeyParams,
+  GenerateKeyOutput = Jwk,
+  GetPublicKeyInput = GetPublicKeyParams,
+  DigestInput = DigestParams,
+  SignInput = SignParams,
+  VerifyInput = VerifyParams,
+  EncryptInput = CipherParams,
+  DecryptInput = CipherParams,
+  BytesToPublicKeyInput = BytesToPublicKeyParams,
+  PublicKeyToBytesInput = PublicKeyToBytesParams,
+  BytesToPrivateKeyInput = BytesToPrivateKeyParams,
+  PrivateKeyToBytesInput = PrivateKeyToBytesParams,
+  DeriveKeyInput = DeriveKeyFromBytesParams,
+  DeriveKeyOutput = Jwk,
+  DeriveKeyBytesInput = DeriveKeyBytesParams,
+  DeriveKeyBytesOutput = Uint8Array,
+  WrapKeyInput = WrapKeyParams,
+  UnwrapKeyInput = UnwrapKeyParams
+> extends
+  DsaApi<GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput, DigestInput, SignInput, VerifyInput>,
+  Cipher<EncryptInput, DecryptInput>,
+  AsymmetricKeyConverter<BytesToPublicKeyInput, PublicKeyToBytesInput, BytesToPrivateKeyInput, PrivateKeyToBytesInput>,
+  SimpleKeyDeriver<DeriveKeyInput, DeriveKeyOutput>,
+  KeyBytesDeriver<DeriveKeyBytesInput, DeriveKeyBytesOutput>,
+  KeyWrapper<WrapKeyInput, UnwrapKeyInput> {}
+
+/** @deprecated Use {@link CryptoApi} instead. */
+export type ExtendedCryptoApi<
+  GenerateKeyInput = GenerateKeyParams,
+  GenerateKeyOutput = Jwk,
+  GetPublicKeyInput = GetPublicKeyParams,
+  DigestInput = DigestParams,
+  SignInput = SignParams,
+  VerifyInput = VerifyParams,
+  EncryptInput = CipherParams,
+  DecryptInput = CipherParams,
+  BytesToPublicKeyInput = BytesToPublicKeyParams,
+  PublicKeyToBytesInput = PublicKeyToBytesParams,
+  BytesToPrivateKeyInput = BytesToPrivateKeyParams,
+  PrivateKeyToBytesInput = PrivateKeyToBytesParams,
+  DeriveKeyInput = DeriveKeyFromBytesParams,
+  DeriveKeyOutput = Jwk,
+  DeriveKeyBytesInput = DeriveKeyBytesParams,
+  DeriveKeyBytesOutput = Uint8Array,
+  WrapKeyInput = WrapKeyParams,
+  UnwrapKeyInput = UnwrapKeyParams
+> = CryptoApi<
+  GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput, DigestInput, SignInput, VerifyInput,
+  EncryptInput, DecryptInput, BytesToPublicKeyInput, PublicKeyToBytesInput,
+  BytesToPrivateKeyInput, PrivateKeyToBytesInput, DeriveKeyInput, DeriveKeyOutput,
+  DeriveKeyBytesInput, DeriveKeyBytesOutput, WrapKeyInput, UnwrapKeyInput
+>;
+
+/**
+ * Parameters for configuring a {@link KeyManager} implementation.
+ */
+export interface KeyManagerParams {
+  CipherInput?: unknown;
+  GenerateKeyInput?: unknown;
+  GenerateKeyOutput?: unknown;
+  GetPublicKeyInput?: unknown;
+  SignInput?: unknown;
+  VerifyInput?: unknown;
+}
+
+/**
+ * Default parameter types for {@link KeyManager}, using KMS-oriented types.
+ */
+export interface DefaultKeyManagerParams {
+  CipherInput: KmsCipherParams;
+  GenerateKeyInput: KmsGenerateKeyParams;
+  GenerateKeyOutput: KeyIdentifier;
+  GetPublicKeyInput: KmsGetPublicKeyParams;
+  SignInput: KmsSignParams;
+  VerifyInput: KmsVerifyParams;
+}
+
+/**
+ * The `KeyManager` interface integrates key generation and signing capabilities.
+ *
+ * Concrete implementations of this interface are intended to be used as a Key Management System
+ * (KMS), which is responsible for generating and storing cryptographic keys.
+ */
+export interface KeyManager<T extends KeyManagerParams = DefaultKeyManagerParams>
+  extends DsaApi<T['GenerateKeyInput'], T['GenerateKeyOutput'], T['GetPublicKeyInput'], KmsDigestParams, T['SignInput'], T['VerifyInput']> {
+
   /**
+   * Returns the Key URI for a given JWK.
    *
    * @param params - The parameters for getting the key URI.
    * @param params.key - The key to get the URI for.
    * @returns The key URI.
    */
   getKeyUri(params: KmsGetKeyUriParams): Promise<KeyIdentifier>;
-}
+}

package/src/types/key-converter.ts

@@ -2,8 +2,16 @@ import type { Jwk } from '../jose/jwk.js';
 
 /**
  * `KeyConverter` interface for converting private keys between byte array and JWK formats.
+ *
+ * @typeParam BytesToPrivateKeyInput - The input type for `bytesToPrivateKey`. Defaults to
+ *   `{ privateKeyBytes: Uint8Array }`.
+ * @typeParam PrivateKeyToBytesInput - The input type for `privateKeyToBytes`. Defaults to
+ *   `{ privateKey: Jwk }`.
  */
-export interface KeyConverter {
+export interface KeyConverter<
+  BytesToPrivateKeyInput = { privateKeyBytes: Uint8Array },
+  PrivateKeyToBytesInput = { privateKey: Jwk }
+> {
 
   /**
    * Converts a private key from a byte array to JWK format.
@@ -13,7 +21,7 @@ export interface KeyConverter {
    *
    * @returns A Promise that resolves to the private key in JWK format.
    */
-  bytesToPrivateKey(params: { privateKeyBytes: Uint8Array }): Promise<Jwk>;
+  bytesToPrivateKey(params: BytesToPrivateKeyInput): Promise<Jwk>;
 
   /**
    * Converts a private key from JWK format to a byte array.
@@ -23,14 +31,32 @@ export interface KeyConverter {
    *
    * @returns A Promise that resolves to the private key as a Uint8Array.
    */
-  privateKeyToBytes(params: { privateKey: Jwk }): Promise<Uint8Array>;
+  privateKeyToBytes(params: PrivateKeyToBytesInput): Promise<Uint8Array>;
 }
 
 /**
- * `AsymmetricKeyConverter` interface extends {@link KeyConverter |`KeyConverter`}, adding support
+ * `AsymmetricKeyConverter` interface extends {@link KeyConverter | `KeyConverter`}, adding support
  * for public key conversions.
+ *
+ * When used with default type parameters, this interface includes all four conversion methods
+ * (bytes-to/from private key AND bytes-to/from public key). When used with explicit type
+ * parameters, both the private and public key conversion types can be customized.
+ *
+ * @typeParam BytesToPublicKeyInput - The input type for `bytesToPublicKey`. Defaults to
+ *   `{ publicKeyBytes: Uint8Array }`.
+ * @typeParam PublicKeyToBytesInput - The input type for `publicKeyToBytes`. Defaults to
+ *   `{ publicKey: Jwk }`.
+ * @typeParam BytesToPrivateKeyInput - The input type for `bytesToPrivateKey`. Defaults to
+ *   `{ privateKeyBytes: Uint8Array }`.
+ * @typeParam PrivateKeyToBytesInput - The input type for `privateKeyToBytes`. Defaults to
+ *   `{ privateKey: Jwk }`.
  */
-export interface AsymmetricKeyConverter extends KeyConverter {
+export interface AsymmetricKeyConverter<
+  BytesToPublicKeyInput = { publicKeyBytes: Uint8Array },
+  PublicKeyToBytesInput = { publicKey: Jwk },
+  BytesToPrivateKeyInput = { privateKeyBytes: Uint8Array },
+  PrivateKeyToBytesInput = { privateKey: Jwk }
+> extends KeyConverter<BytesToPrivateKeyInput, PrivateKeyToBytesInput> {
   /**
    * Converts a public key from a byte array to JWK format.
    *
@@ -39,7 +65,7 @@ export interface AsymmetricKeyConverter extends KeyConverter {
    *
    * @returns A Promise that resolves to the public key in JWK format.
    */
-  bytesToPublicKey(params: { publicKeyBytes: Uint8Array }): Promise<Jwk>;
+  bytesToPublicKey(params: BytesToPublicKeyInput): Promise<Jwk>;
 
   /**
    * Converts a public key from JWK format to a byte array.
@@ -49,5 +75,5 @@ export interface AsymmetricKeyConverter extends KeyConverter {
    *
    * @returns A Promise that resolves to the public key as a Uint8Array.
    */
-  publicKeyToBytes(params: { publicKey: Jwk }): Promise<Uint8Array>;
+  publicKeyToBytes(params: PublicKeyToBytesInput): Promise<Uint8Array>;
 }

package/src/types/key-deriver.ts

@@ -40,4 +40,53 @@ export interface KeyDeriver<
    * @returns A Promise resolving to the derived key in the specified output format.
    */
   deriveKey(params: DeriveKeyInput): Promise<DeriveKeyOutput>;
+}
+
+/**
+ * The `SimpleKeyDeriver` interface provides a single `deriveKey()` method for key derivation,
+ * without the `deriveBits()` method that {@link KeyDeriver} includes.
+ *
+ * This is useful for implementations that only need key derivation (not raw bit derivation).
+ */
+export interface SimpleKeyDeriver<
+  DeriveKeyInput,
+  DeriveKeyOutput,
+> {
+  /**
+   * Derives a cryptographic key based on the provided input parameters.
+   *
+   * @param params - The parameters for the key derivation process.
+   *
+   * @returns A Promise resolving to the derived key in the specified output format.
+   */
+  deriveKey(params: DeriveKeyInput): Promise<DeriveKeyOutput>;
+}
+
+/**
+ * The `KeyBytesDeriver` interface provides a method for deriving a byte array using a key
+ * derivation algorithm.
+ *
+ * The `deriveKeyBytes()` method derives cryptographic bits from input data using the specified
+ * key derivation algorithm. This interface is designed to support various key derivation
+ * algorithms, accommodating different input and output types.
+ */
+export interface KeyBytesDeriver<
+  DeriveKeyBytesInput,
+  DeriveKeyBytesOutput
+> {
+  /**
+   * Generates a specified number of cryptographic bits from given input parameters.
+   *
+   * @remarks
+   * The `deriveKeyBytes()` method of the {@link KeyBytesDeriver | `KeyBytesDeriver`} interface is
+   * used to create cryptographic material such as initialization vectors or keys from various
+   * sources. The method takes in parameters specific to the chosen key derivation algorithm and
+   * outputs a promise that resolves to a `Uint8Array` containing the derived bits.
+   *
+   * @param params - The parameters for the key derivation process, specific to the chosen
+   *                 algorithm.
+   *
+   * @returns A Promise resolving to the derived bits in the specified format.
+   */
+  deriveKeyBytes(params: DeriveKeyBytesInput): Promise<DeriveKeyBytesOutput>;
 }

package/src/types/key-io.ts

@@ -39,4 +39,44 @@ export interface KeyImporterExporter<
    * @returns A Promise resolving to the key identifier of the imported key.
    */
   importKey(params: ImportKeyInput): Promise<ImportKeyOutput>;
+}
+
+/**
+ * The `KeyExporter` interface provides a method for exporting cryptographic keys.
+ */
+export interface KeyExporter<ExportKeyInput, ExportKeyOutput = Jwk> {
+  /**
+   * Exports a cryptographic key to an external JWK object.
+   *
+   * @param params - The parameters for the key export operation.
+   *
+   * @returns A Promise resolving to the exported key in JWK format.
+   */
+  exportKey(params: ExportKeyInput): Promise<ExportKeyOutput>;
+}
+
+/**
+ * The `KeyImporter` interface provides a method for importing cryptographic keys.
+ */
+export interface KeyImporter<ImportKeyInput, ImportKeyOutput = void> {
+  /**
+   * Imports an external key in JWK format.
+   *
+   * @param params - The parameters for the key import operation.
+   *
+   * @returns A Promise resolving to the key identifier of the imported key.
+   */
+  importKey(params: ImportKeyInput): Promise<ImportKeyOutput>;
+}
+
+/**
+ * The `KeyDeleter` interface provides a method for deleting cryptographic keys.
+ */
+export interface KeyDeleter<DeleteKeyInput> {
+  /**
+   * Deletes a cryptographic key from the key store.
+   *
+   * @param params - The parameters for the key deletion operation.
+   */
+  deleteKey(params: DeleteKeyInput): Promise<void>;
 }