@enbox/crypto 0.0.2 → 0.0.4

package/dist/types/primitives/ecies-secp256k1.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Output of an ECIES-SECP256K1 encryption operation.
+ */
+export type EciesSecp256k1EncryptionOutput = {
+    /** The AES-GCM initialization vector. */
+    initializationVector: Uint8Array;
+    /** The ephemeral secp256k1 public key (compressed, 33 bytes). */
+    ephemeralPublicKey: Uint8Array;
+    /** The encrypted data. */
+    ciphertext: Uint8Array;
+    /** The AES-GCM authentication tag (16 bytes). */
+    messageAuthenticationCode: Uint8Array;
+};
+/**
+ * Input required for ECIES-SECP256K1 decryption.
+ */
+export type EciesSecp256k1EncryptionInput = EciesSecp256k1EncryptionOutput & {
+    /** The recipient's secp256k1 private key (raw 32 bytes). */
+    privateKey: Uint8Array;
+};
+/**
+ * Browser-compatible ECIES (Elliptic Curve Integrated Encryption Scheme) using secp256k1.
+ *
+ * Wire-format compatible with `eciesjs` v0.4.x configured with
+ * `isEphemeralKeyCompressed: true, isHkdfKeyCompressed: false` (the default).
+ *
+ * Protocol:
+ *   1. Generate an ephemeral secp256k1 key pair.
+ *   2. ECDH shared secret (uncompressed point).
+ *   3. HKDF-SHA-256 key derivation: `hkdf(sha256, ephemeralPubUncompressed || sharedPointUncompressed)`.
+ *   4. AES-256-GCM encryption with random 16-byte nonce.
+ *
+ * All underlying primitives (`@noble/ciphers`, `@noble/curves`, `@noble/hashes`)
+ * are pure JavaScript and work in Node, Bun, and browsers.
+ */
+export declare class EciesSecp256k1 {
+    /**
+     * Encrypt plaintext for a given secp256k1 public key.
+     * @param publicKeyBytes - Recipient's public key (compressed 33 bytes or uncompressed 65 bytes).
+     * @param plaintext - The data to encrypt.
+     */
+    static encrypt(publicKeyBytes: Uint8Array, plaintext: Uint8Array): EciesSecp256k1EncryptionOutput;
+    /**
+     * Decrypt ciphertext produced by {@link EciesSecp256k1.encrypt}.
+     * @param input - The encryption output plus the recipient's private key.
+     */
+    static decrypt(input: EciesSecp256k1EncryptionInput): Uint8Array;
+    /**
+     * Whether the ephemeral public key is compressed (always true for this implementation).
+     */
+    static get isEphemeralKeyCompressed(): boolean;
+}
+//# sourceMappingURL=ecies-secp256k1.d.ts.map

package/dist/types/primitives/ecies-secp256k1.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecies-secp256k1.d.ts","sourceRoot":"","sources":["../../../src/primitives/ecies-secp256k1.ts"],"names":[],"mappings":"AAiBA;;GAEG;AACH,MAAM,MAAM,8BAA8B,GAAG;IAC3C,yCAAyC;IACzC,oBAAoB,EAAE,UAAU,CAAC;IACjC,iEAAiE;IACjE,kBAAkB,EAAE,UAAU,CAAC;IAC/B,0BAA0B;IAC1B,UAAU,EAAE,UAAU,CAAC;IACvB,iDAAiD;IACjD,yBAAyB,EAAE,UAAU,CAAC;CACvC,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,6BAA6B,GAAG,8BAA8B,GAAG;IAC3E,4DAA4D;IAC5D,UAAU,EAAE,UAAU,CAAC;CACxB,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,qBAAa,cAAc;IACzB;;;;OAIG;WACW,OAAO,CAAC,cAAc,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,GAAG,8BAA8B;IAyBxG;;;OAGG;WACW,OAAO,CAAC,KAAK,EAAE,6BAA6B,GAAG,UAAU;IAiBvE;;OAEG;IACH,WAAkB,wBAAwB,IAAI,OAAO,CAEpD;CACF"}

package/dist/types/primitives/hkdf.d.ts

@@ -0,0 +1,90 @@
+import type { DeriveKeyBytesParams } from '../types/params-direct.js';
+/**
+ * The object that should be passed into `Hkdf.deriveKeyBytes()`, when using the HKDF algorithm.
+ */
+export type HkdfParams = {
+    /**
+     * A string representing the digest algorithm to use. This may be one of:
+     * - 'SHA-256'
+     * - 'SHA-384'
+     * - 'SHA-512'
+     */
+    hash: 'SHA-256' | 'SHA-384' | 'SHA-512';
+    /**
+     * The salt value to use in the derivation process.
+     *
+     * Ideally, the salt is a random or pseudo-random value with the same length as the output of the
+     * digest function. Unlike the input key material passed into deriveKey(), salt does not need to
+     * be kept secret.
+     *
+     * Note: The {@link https://datatracker.ietf.org/doc/html/rfc5869 | HKDF specification} states
+     *       that adding salt "adds significantly to the strength of HKDF".
+     */
+    salt: string | Uint8Array;
+    /**
+     * Optional application-specific information to use in the HKDF.
+     *
+     * If given, this value is used to bind the derived key to application-specific contextual
+     * information. This makes it possible to derive different keys for different contexts while using
+     * the same input key material.
+     *
+     * If not provided, the `info` value is set to an empty array.
+     *
+     * Note: It is important that the `info` value be independent and unrelated to the input key
+     * material.
+     */
+    info?: string | Uint8Array;
+};
+/**
+ * The `Hkdf` class provides an interface for HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
+ * as defined in RFC 5869.
+ *
+ * Note: The `baseKeyBytes` that will be the input key material for HKDF should be a high-entropy secret
+ * value, such as a cryptographic key. It should be kept confidential and not be derived from a
+ * low-entropy value, such as a password.
+ *
+ * @example
+ * ```ts
+ * const info = new Uint8Array([...]);
+ * const derivedKeyBytes = await Hkdf.deriveKeyBytes({
+ *   baseKeyBytes: new Uint8Array([...]), // Input keying material
+ *   hash: 'SHA-256', // The hash function to use ('SHA-256', 'SHA-384', 'SHA-512')
+ *   salt: new Uint8Array([...]), // The salt value
+ *   info: new Uint8Array([...]), // Optional application-specific information
+ *   length: 256 // The length of the derived key in bits
+ * });
+ * ```
+ */
+export declare class Hkdf {
+    /**
+     * Derives a key using the HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
+     *
+     * This method generates a derived key using a hash function from input keying material given as
+     * `baseKeyBytes`. The length of the derived key can be specified. Optionally, it can also use a salt
+     * and info for the derivation process.
+     *
+     * HKDF is useful in various cryptographic applications and protocols, especially when
+     * there's a need to derive multiple keys from a single source of key material.
+     *
+     * Note: The `baseKeyBytes` that will be the input key material for HKDF should be a high-entropy
+     * secret value, such as a cryptographic key. It should be kept confidential and not be derived
+     * from a low-entropy value, such as a password.
+     *
+     * @example
+     * ```ts
+     * const info = new Uint8Array([...]);
+     * const derivedKeyBytes = await Hkdf.deriveKeyBytes({
+     *   baseKeyBytes: new Uint8Array([...]), // Input keying material
+     *   hash: 'SHA-256', // The hash function to use ('SHA-256', 'SHA-384', 'SHA-512')
+     *   salt: new Uint8Array([...]), // The salt value
+     *   info: new Uint8Array([...]), // Optional application-specific information
+     *   length: 256 // The length of the derived key in bits
+     * });
+     * ```
+     *
+     * @param params - The parameters for key derivation.
+     * @returns A Promise that resolves to the derived key as a byte array.
+     */
+    static deriveKeyBytes({ baseKeyBytes, length, hash, salt, info }: DeriveKeyBytesParams & HkdfParams): Promise<Uint8Array>;
+}
+//# sourceMappingURL=hkdf.d.ts.map

package/dist/types/primitives/hkdf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hkdf.d.ts","sourceRoot":"","sources":["../../../src/primitives/hkdf.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AAMtE;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB;;;;;OAKG;IACH,IAAI,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;IAExC;;;;;;;;;OASG;IACH,IAAI,EAAE,MAAM,GAAG,UAAU,CAAC;IAE1B;;;;;;;;;;;OAWG;IACH,IAAI,CAAC,EAAE,MAAM,GAAG,UAAU,CAAC;CAC5B,CAAC;AAEF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qBAAa,IAAI;IACf;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;WACiB,cAAc,CAAC,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,IAAuB,EAAE,EAC9F,oBAAoB,GAAG,UAAU,GAChC,OAAO,CAAC,UAAU,CAAC;CAuBvB"}

package/dist/types/primitives/pbkdf2.d.ts

@@ -1,3 +1,30 @@
+import type { DeriveKeyBytesParams } from '../types/params-direct.js';
+/**
+ * The object that should be passed into `Pbkdf2.deriveKeyBytes()`, when using the PBKDF2 algorithm.
+ */
+export interface Pbkdf2Params {
+    /**
+     * A string representing the digest algorithm to use. This may be one of:
+     * - 'SHA-256'
+     * - 'SHA-384'
+     * - 'SHA-512'
+     */
+    hash: 'SHA-256' | 'SHA-384' | 'SHA-512';
+    /**
+     * The salt value to use in the derivation process, as a Uint8Array. This should be a random or
+     * pseudo-random value of at least 16 bytes. Unlike the `password`, `salt` does not need to be
+     * kept secret.
+     */
+    salt: Uint8Array;
+    /**
+     * A `Number` representing the number of iterations the hash function will be executed in
+     * `deriveKey()`. This impacts the computational cost of the `deriveKey()` operation, making it
+     * more resistant to dictionary attacks. The higher the number, the more secure, but also slower,
+     * the operation. Choose a value that balances security needs and performance for your
+     * application.
+     */
+    iterations: number;
+}
 /**
  * The object that should be passed into `Pbkdf2.deriveKey()`, when using the PBKDF2 algorithm.
  */
@@ -90,5 +117,36 @@ export declare class Pbkdf2 {
      * @returns A Promise that resolves to the derived key as a Uint8Array.
      */
     static deriveKey({ hash, password, salt, iterations, length }: Pbkdf2DeriveKeyParams): Promise<Uint8Array>;
+    /**
+     * Derives cryptographic key bytes from base key material using the PBKDF2 algorithm.
+     *
+     * @remarks
+     * This method is similar to {@link Pbkdf2.deriveKey | `deriveKey()`} but accepts
+     * raw key bytes (`baseKeyBytes`) instead of a password. It is intended for use cases
+     * where the input key material is already available as a byte array.
+     *
+     * Notes:
+     * - The `baseKeyBytes` that will be the input key material for PBKDF2 is expected to be a
+     *   low-entropy value, such as a password or passphrase. It should be kept confidential.
+     * - In 2023,
+     *   {@link https://web.archive.org/web/20230123232056/https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
+     *   | OWASP recommended}
+     *   a minimum of 600,000 iterations for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512.
+     *
+     * @example
+     * ```ts
+     * const derivedKeyBytes = await Pbkdf2.deriveKeyBytes({
+     *   baseKeyBytes: new TextEncoder().encode('password'),
+     *   hash: 'SHA-256',
+     *   salt: new Uint8Array([...]),
+     *   iterations: 600_000,
+     *   length: 256
+     * });
+     * ```
+     *
+     * @param params - The parameters for key derivation.
+     * @returns A Promise that resolves to the derived key as a byte array.
+     */
+    static deriveKeyBytes({ baseKeyBytes, hash, salt, iterations, length }: DeriveKeyBytesParams & Pbkdf2Params): Promise<Uint8Array>;
 }
 //# sourceMappingURL=pbkdf2.d.ts.map

package/dist/types/primitives/pbkdf2.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pbkdf2.d.ts","sourceRoot":"","sources":["../../../src/primitives/pbkdf2.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC;;;;;OAKG;IACH,IAAI,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;IAExC;;OAEG;IACH,QAAQ,EAAE,UAAU,CAAC;IAErB;;;;OAIG;IACH,IAAI,EAAE,UAAU,CAAC;IAEjB;;;;;;OAMG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,MAAM;IACjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA6BG;WACiB,SAAS,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,EACxE,qBAAqB,GACpB,OAAO,CAAC,UAAU,CAAC;CAqBvB"}
+{"version":3,"file":"pbkdf2.d.ts","sourceRoot":"","sources":["../../../src/primitives/pbkdf2.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AAMtE;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B;;;;;OAKG;IACH,IAAI,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;IAExC;;;;OAIG;IACH,IAAI,EAAE,UAAU,CAAC;IAEjB;;;;;;OAMG;IACH,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC;;;;;OAKG;IACH,IAAI,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;IAExC;;OAEG;IACH,QAAQ,EAAE,UAAU,CAAC;IAErB;;;;OAIG;IACH,IAAI,EAAE,UAAU,CAAC;IAEjB;;;;;;OAMG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,MAAM;IACjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA6BG;WACiB,SAAS,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,EACxE,qBAAqB,GACpB,OAAO,CAAC,UAAU,CAAC;IAsBtB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA6BG;WACiB,cAAc,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,EACjF,oBAAoB,GAAG,YAAY,GAClC,OAAO,CAAC,UAAU,CAAC;CAyBvB"}

package/dist/types/primitives/x25519.d.ts

@@ -238,32 +238,25 @@ export declare class X25519 {
         publicKey: Jwk;
     }): Promise<Uint8Array>;
     /**
-     * Computes an RFC6090-compliant Elliptic Curve Diffie-Hellman (ECDH) shared secret
-     * using secp256k1 private and public keys in JSON Web Key (JWK) format.
+     * Computes an X25519 Elliptic Curve Diffie-Hellman (ECDH) shared secret
+     * using X25519 private and public keys in JSON Web Key (JWK) format.
      *
      * @remarks
      * This method facilitates the ECDH key agreement protocol, which is a method of securely
      * deriving a shared secret between two parties based on their private and public keys.
      * It takes the private key of one party (privateKeyA) and the public key of another
-     * party (publicKeyB) to compute a shared secret. The shared secret is derived from the
-     * x-coordinate of the elliptic curve point resulting from the multiplication of the
-     * public key with the private key.
-     *
-     * Note: When performing Elliptic Curve Diffie-Hellman (ECDH) key agreement,
-     * the resulting shared secret is a point on the elliptic curve, which
-     * consists of an x-coordinate and a y-coordinate. With a 256-bit curve like
-     * secp256k1, each of these coordinates is 32 bytes (256 bits) long. However,
-     * in the ECDH process, it's standard practice to use only the x-coordinate
-     * of the shared secret point as the resulting shared key. This is because
-     * the y-coordinate does not add to the entropy of the key, and both parties
-     * can independently compute the x-coordinate.  Consquently, this implementation
-     * omits the y-coordinate for simplicity and standard compliance.
+     * party (publicKeyB) to compute a shared secret. The shared secret is the raw output
+     * of the X25519 function as defined in RFC 7748.
+     *
+     * Note: Unlike Weierstrass curves (e.g., secp256k1), X25519 is a Montgomery curve
+     * where the ECDH output is a single 32-byte scalar value, not an (x, y) point.
+     * The result is used directly as the shared secret.
      *
      * @example
      * ```ts
      * const privateKeyA = { ... }; // A Jwk object for party A
      * const publicKeyB = { ... }; // A PublicKeyJwk object for party B
-     * const sharedSecret = await Secp256k1.sharedSecret({
+     * const sharedSecret = await X25519.sharedSecret({
      *   privateKeyA,
      *   publicKeyB
      * });

package/dist/types/primitives/x25519.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"x25519.d.ts","sourceRoot":"","sources":["../../../src/primitives/x25519.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,KAAK,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAI5F;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,qBAAa,MAAM;IACjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;WACiB,iBAAiB,CAAC,EAAE,eAAe,EAAE,EAAE;QACzD,eAAe,EAAE,UAAU,CAAC;KAC7B,GAAG,OAAO,CAAC,GAAG,CAAC;IAkBhB;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;WACiB,gBAAgB,CAAC,EAAE,cAAc,EAAE,EAAE;QACvD,cAAc,EAAE,UAAU,CAAC;KAC5B,GAAG,OAAO,CAAC,GAAG,CAAC;IAchB;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;WACiB,gBAAgB,CAAC,EAAE,GAAG,EAAE,EAC1C,sBAAsB,GACrB,OAAO,CAAC,GAAG,CAAC;IAoBf;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;WACiB,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC;IAa/C;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;WACiB,YAAY,CAAC,EAAE,GAAG,EAAE,EACtC,kBAAkB,GACjB,OAAO,CAAC,GAAG,CAAC;IAef;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;WACiB,iBAAiB,CAAC,EAAE,UAAU,EAAE,EAAE;QACpD,UAAU,EAAE,GAAG,CAAC;KACjB,GAAG,OAAO,CAAC,UAAU,CAAC;IAYvB;;;;;;;;;;;;;;;;;;;;;;OAsBG;WACiB,gBAAgB,CAAC,EAAE,SAAS,EAAE,EAAE;QAClD,SAAS,EAAE,GAAG,CAAC;KAChB,GAAG,OAAO,CAAC,UAAU,CAAC;IAYvB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAqCG;WACiB,YAAY,CAAC,EAAE,WAAW,EAAE,UAAU,EAAE,EAAE;QAC5D,WAAW,EAAE,GAAG,CAAC;QACjB,UAAU,EAAE,GAAG,CAAC;KACjB,GAAG,OAAO,CAAC,UAAU,CAAC;CAexB"}
+{"version":3,"file":"x25519.d.ts","sourceRoot":"","sources":["../../../src/primitives/x25519.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,KAAK,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAI5F;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,qBAAa,MAAM;IACjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;WACiB,iBAAiB,CAAC,EAAE,eAAe,EAAE,EAAE;QACzD,eAAe,EAAE,UAAU,CAAC;KAC7B,GAAG,OAAO,CAAC,GAAG,CAAC;IAkBhB;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;WACiB,gBAAgB,CAAC,EAAE,cAAc,EAAE,EAAE;QACvD,cAAc,EAAE,UAAU,CAAC;KAC5B,GAAG,OAAO,CAAC,GAAG,CAAC;IAchB;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;WACiB,gBAAgB,CAAC,EAAE,GAAG,EAAE,EAC1C,sBAAsB,GACrB,OAAO,CAAC,GAAG,CAAC;IAoBf;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;WACiB,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC;IAa/C;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;WACiB,YAAY,CAAC,EAAE,GAAG,EAAE,EACtC,kBAAkB,GACjB,OAAO,CAAC,GAAG,CAAC;IAef;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;WACiB,iBAAiB,CAAC,EAAE,UAAU,EAAE,EAAE;QACpD,UAAU,EAAE,GAAG,CAAC;KACjB,GAAG,OAAO,CAAC,UAAU,CAAC;IAYvB;;;;;;;;;;;;;;;;;;;;;;OAsBG;WACiB,gBAAgB,CAAC,EAAE,SAAS,EAAE,EAAE;QAClD,SAAS,EAAE,GAAG,CAAC;KAChB,GAAG,OAAO,CAAC,UAAU,CAAC;IAYvB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;WACiB,YAAY,CAAC,EAAE,WAAW,EAAE,UAAU,EAAE,EAAE;QAC5D,WAAW,EAAE,GAAG,CAAC;QACjB,UAAU,EAAE,GAAG,CAAC;KACjB,GAAG,OAAO,CAAC,UAAU,CAAC;CAexB"}

package/dist/types/primitives/xchacha20-poly1305.d.ts

@@ -124,6 +124,28 @@ export declare class XChaCha20Poly1305 {
         key: Jwk;
         nonce: Uint8Array;
     }): Promise<Uint8Array>;
+    /**
+     * Decrypts data using XChaCha20-Poly1305 with a raw byte array key.
+     *
+     * @remarks
+     * This is a lower-level method that accepts the key as a raw `Uint8Array` instead of a JWK.
+     * It is useful in scenarios where the key material is already in byte form (e.g., derived
+     * from ECDH + HKDF) and constructing a JWK would add unnecessary overhead.
+     *
+     * @param params - The parameters for the decryption operation.
+     * @param params.data - The encrypted data including the authentication tag.
+     * @param params.keyBytes - The 256-bit (32-byte) decryption key as a Uint8Array.
+     * @param params.nonce - The 24-byte nonce used during encryption.
+     * @param params.additionalData - Optional additional authenticated data.
+     *
+     * @returns A Promise that resolves to the decrypted plaintext as a Uint8Array.
+     */
+    static decryptRaw({ data, keyBytes, nonce, additionalData }: {
+        additionalData?: Uint8Array;
+        data: Uint8Array;
+        keyBytes: Uint8Array;
+        nonce: Uint8Array;
+    }): Promise<Uint8Array>;
     /**
      * Encrypts the provided data using XChaCha20-Poly1305.
      *
@@ -163,6 +185,31 @@ export declare class XChaCha20Poly1305 {
         key: Jwk;
         nonce: Uint8Array;
     }): Promise<Uint8Array>;
+    /**
+     * Encrypts data using XChaCha20-Poly1305 with a raw byte array key.
+     *
+     * @remarks
+     * This is a lower-level method that accepts the key as a raw `Uint8Array` instead of a JWK.
+     * It is useful in scenarios where the key material is already in byte form (e.g., derived
+     * from ECDH + HKDF) and constructing a JWK would add unnecessary overhead.
+     *
+     * The returned `Uint8Array` contains the ciphertext followed by the 16-byte Poly1305
+     * authentication tag.
+     *
+     * @param params - The parameters for the encryption operation.
+     * @param params.data - The plaintext data to encrypt.
+     * @param params.keyBytes - The 256-bit (32-byte) encryption key as a Uint8Array.
+     * @param params.nonce - A 24-byte nonce for the encryption process.
+     * @param params.additionalData - Optional additional authenticated data.
+     *
+     * @returns A Promise that resolves to the ciphertext + authentication tag as a Uint8Array.
+     */
+    static encryptRaw({ data, keyBytes, nonce, additionalData }: {
+        additionalData?: Uint8Array;
+        data: Uint8Array;
+        keyBytes: Uint8Array;
+        nonce: Uint8Array;
+    }): Promise<Uint8Array>;
     /**
      * Generates a symmetric key for XChaCha20-Poly1305 in JSON Web Key (JWK) format.
      *

package/dist/types/primitives/xchacha20-poly1305.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"xchacha20-poly1305.d.ts","sourceRoot":"","sources":["../../../src/primitives/xchacha20-poly1305.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAI1C;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgDG;AACH,qBAAa,iBAAiB;IAC5B;;;;;;;;;;;;;;;;;;;;;;;OAuBG;WACiB,iBAAiB,CAAC,EAAE,eAAe,EAAE,EAAE;QACzD,eAAe,EAAE,UAAU,CAAC;KAC7B,GAAG,OAAO,CAAC,GAAG,CAAC;IAahB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA+BG;WACiB,OAAO,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE;QAChE,cAAc,CAAC,EAAE,UAAU,CAAC;QAC5B,IAAI,EAAE,UAAU,CAAC;QACjB,GAAG,EAAE,GAAG,CAAC;QACT,KAAK,EAAE,UAAU,CAAC;KACnB,GAAG,OAAO,CAAC,UAAU,CAAC;IAUvB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;WACiB,OAAO,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,cAAc,EAAC,EAAE;QAC/D,cAAc,CAAC,EAAE,UAAU,CAAC;QAC5B,IAAI,EAAE,UAAU,CAAC;QACjB,GAAG,EAAE,GAAG,CAAC;QACT,KAAK,EAAE,UAAU,CAAC;KACnB,GAAG,OAAO,CAAC,UAAU,CAAC;IAUvB;;;;;;;;;;;;;;;;;;;;OAoBG;WACiB,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC;IAkB/C;;;;;;;;;;;;;;;;;OAiBG;WACiB,iBAAiB,CAAC,EAAE,UAAU,EAAE,EAAE;QACpD,UAAU,EAAE,GAAG,CAAC;KACjB,GAAG,OAAO,CAAC,UAAU,CAAC;CAWxB"}
+{"version":3,"file":"xchacha20-poly1305.d.ts","sourceRoot":"","sources":["../../../src/primitives/xchacha20-poly1305.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAI1C;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgDG;AACH,qBAAa,iBAAiB;IAC5B;;;;;;;;;;;;;;;;;;;;;;;OAuBG;WACiB,iBAAiB,CAAC,EAAE,eAAe,EAAE,EAAE;QACzD,eAAe,EAAE,UAAU,CAAC;KAC7B,GAAG,OAAO,CAAC,GAAG,CAAC;IAahB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA+BG;WACiB,OAAO,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE;QAChE,cAAc,CAAC,EAAE,UAAU,CAAC;QAC5B,IAAI,EAAE,UAAU,CAAC;QACjB,GAAG,EAAE,GAAG,CAAC;QACT,KAAK,EAAE,UAAU,CAAC;KACnB,GAAG,OAAO,CAAC,UAAU,CAAC;IAOvB;;;;;;;;;;;;;;;OAeG;WACiB,UAAU,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE;QACxE,cAAc,CAAC,EAAE,UAAU,CAAC;QAC5B,IAAI,EAAE,UAAU,CAAC;QACjB,QAAQ,EAAE,UAAU,CAAC;QACrB,KAAK,EAAE,UAAU,CAAC;KACnB,GAAG,OAAO,CAAC,UAAU,CAAC;IAOvB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;WACiB,OAAO,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE;QAChE,cAAc,CAAC,EAAE,UAAU,CAAC;QAC5B,IAAI,EAAE,UAAU,CAAC;QACjB,GAAG,EAAE,GAAG,CAAC;QACT,KAAK,EAAE,UAAU,CAAC;KACnB,GAAG,OAAO,CAAC,UAAU,CAAC;IAOvB;;;;;;;;;;;;;;;;;;OAkBG;WACiB,UAAU,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE;QACxE,cAAc,CAAC,EAAE,UAAU,CAAC;QAC5B,IAAI,EAAE,UAAU,CAAC;QACjB,QAAQ,EAAE,UAAU,CAAC;QACrB,KAAK,EAAE,UAAU,CAAC;KACnB,GAAG,OAAO,CAAC,UAAU,CAAC;IAOvB;;;;;;;;;;;;;;;;;;;;OAoBG;WACiB,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC;IAkB/C;;;;;;;;;;;;;;;;;OAiBG;WACiB,iBAAiB,CAAC,EAAE,UAAU,EAAE,EAAE;QACpD,UAAU,EAAE,GAAG,CAAC;KACjB,GAAG,OAAO,CAAC,UAAU,CAAC;CAWxB"}

package/dist/types/types/cipher.d.ts

@@ -1,4 +1,4 @@
-import type { EnclosedEncryptParams, EnclosedDecryptParams } from './params-enclosed.js';
+import type { EnclosedDecryptParams, EnclosedEncryptParams } from './params-enclosed.js';
 /**
  * The `Cipher` interface provides methods for encrypting and decrypting data.
  *

package/dist/types/types/crypto-api.d.ts

@@ -1,10 +1,16 @@
+import type { AsymmetricKeyConverter } from './key-converter.js';
+import type { AsymmetricKeyGenerator } from './key-generator.js';
+import type { Cipher } from './cipher.js';
 import type { Hasher } from './hasher.js';
-import type { Signer } from './signer.js';
+import type { Jwk } from '../jose/jwk.js';
 import type { KeyIdentifier } from './identifier.js';
-import type { AsymmetricKeyGenerator } from './key-generator.js';
-import type { KmsSignParams, KmsDigestParams, KmsVerifyParams, KmsGetKeyUriParams, KmsGenerateKeyParams, KmsGetPublicKeyParams } from './params-kms.js';
+import type { KeyWrapper } from './key-wrapper.js';
+import type { Signer } from './signer.js';
+import type { BytesToPrivateKeyParams, BytesToPublicKeyParams, CipherParams, DeriveKeyBytesParams, DeriveKeyFromBytesParams, DigestParams, GenerateKeyParams, GetPublicKeyParams, PrivateKeyToBytesParams, PublicKeyToBytesParams, SignParams, UnwrapKeyParams, VerifyParams, WrapKeyParams } from './params-direct.js';
+import type { KeyBytesDeriver, SimpleKeyDeriver } from './key-deriver.js';
+import type { KmsCipherParams, KmsDigestParams, KmsGenerateKeyParams, KmsGetKeyUriParams, KmsGetPublicKeyParams, KmsSignParams, KmsVerifyParams } from './params-kms.js';
 /**
- * The `CryptoApi` interface integrates key generation, hashing, and signing functionalities,
+ * The `DsaApi` interface integrates key generation, hashing, and signing functionalities,
  * designed for use with a Key Management System (KMS). It extends `AsymmetricKeyGenerator` for
  * generating asymmetric keys, `Hasher` for hash digest computations, and `Signer` for signing and
  * verifying operations.
@@ -24,12 +30,54 @@ import type { KmsSignParams, KmsDigestParams, KmsVerifyParams, KmsGetKeyUriParam
  *   identifier (e.g. JWK thumbprint, UUID generated by hosted KMS, etc.).
  * - Must support key generation, hashing, signing, and verifying operations.
  * - May be extended to support other cryptographic operations.
- * - Implementations of the `CryptoApi` interface can be passed as an argument to the public API
+ * - Implementations of the `DsaApi` interface can be passed as an argument to the public API
  *   methods of Web5 libraries that involve key material (e.g., DID creation, VC signing, arbitrary
  *   data signing/verification, etc.).
  */
-export interface CryptoApi<GenerateKeyInput = KmsGenerateKeyParams, GenerateKeyOutput = KeyIdentifier, GetPublicKeyInput = KmsGetPublicKeyParams, DigestInput = KmsDigestParams, SignInput = KmsSignParams, VerifyInput = KmsVerifyParams> extends AsymmetricKeyGenerator<GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput>, Hasher<DigestInput>, Signer<SignInput, VerifyInput> {
+export interface DsaApi<GenerateKeyInput = KmsGenerateKeyParams, GenerateKeyOutput = KeyIdentifier, GetPublicKeyInput = KmsGetPublicKeyParams, DigestInput = KmsDigestParams, SignInput = KmsSignParams, VerifyInput = KmsVerifyParams> extends AsymmetricKeyGenerator<GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput>, Hasher<DigestInput>, Signer<SignInput, VerifyInput> {
+}
+/**
+ * The `CryptoApi` interface extends {@link DsaApi} with encryption, key conversion,
+ * key derivation, and key wrapping capabilities.
+ *
+ * This is the full-featured cryptographic API used by agent-level code that needs direct-key
+ * cipher, key conversion, and key derivation operations beyond what the base `DsaApi` provides.
+ */
+export interface CryptoApi<GenerateKeyInput = GenerateKeyParams, GenerateKeyOutput = Jwk, GetPublicKeyInput = GetPublicKeyParams, DigestInput = DigestParams, SignInput = SignParams, VerifyInput = VerifyParams, EncryptInput = CipherParams, DecryptInput = CipherParams, BytesToPublicKeyInput = BytesToPublicKeyParams, PublicKeyToBytesInput = PublicKeyToBytesParams, BytesToPrivateKeyInput = BytesToPrivateKeyParams, PrivateKeyToBytesInput = PrivateKeyToBytesParams, DeriveKeyInput = DeriveKeyFromBytesParams, DeriveKeyOutput = Jwk, DeriveKeyBytesInput = DeriveKeyBytesParams, DeriveKeyBytesOutput = Uint8Array, WrapKeyInput = WrapKeyParams, UnwrapKeyInput = UnwrapKeyParams> extends DsaApi<GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput, DigestInput, SignInput, VerifyInput>, Cipher<EncryptInput, DecryptInput>, AsymmetricKeyConverter<BytesToPublicKeyInput, PublicKeyToBytesInput, BytesToPrivateKeyInput, PrivateKeyToBytesInput>, SimpleKeyDeriver<DeriveKeyInput, DeriveKeyOutput>, KeyBytesDeriver<DeriveKeyBytesInput, DeriveKeyBytesOutput>, KeyWrapper<WrapKeyInput, UnwrapKeyInput> {
+}
+/** @deprecated Use {@link CryptoApi} instead. */
+export type ExtendedCryptoApi<GenerateKeyInput = GenerateKeyParams, GenerateKeyOutput = Jwk, GetPublicKeyInput = GetPublicKeyParams, DigestInput = DigestParams, SignInput = SignParams, VerifyInput = VerifyParams, EncryptInput = CipherParams, DecryptInput = CipherParams, BytesToPublicKeyInput = BytesToPublicKeyParams, PublicKeyToBytesInput = PublicKeyToBytesParams, BytesToPrivateKeyInput = BytesToPrivateKeyParams, PrivateKeyToBytesInput = PrivateKeyToBytesParams, DeriveKeyInput = DeriveKeyFromBytesParams, DeriveKeyOutput = Jwk, DeriveKeyBytesInput = DeriveKeyBytesParams, DeriveKeyBytesOutput = Uint8Array, WrapKeyInput = WrapKeyParams, UnwrapKeyInput = UnwrapKeyParams> = CryptoApi<GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput, DigestInput, SignInput, VerifyInput, EncryptInput, DecryptInput, BytesToPublicKeyInput, PublicKeyToBytesInput, BytesToPrivateKeyInput, PrivateKeyToBytesInput, DeriveKeyInput, DeriveKeyOutput, DeriveKeyBytesInput, DeriveKeyBytesOutput, WrapKeyInput, UnwrapKeyInput>;
+/**
+ * Parameters for configuring a {@link KeyManager} implementation.
+ */
+export interface KeyManagerParams {
+    CipherInput?: unknown;
+    GenerateKeyInput?: unknown;
+    GenerateKeyOutput?: unknown;
+    GetPublicKeyInput?: unknown;
+    SignInput?: unknown;
+    VerifyInput?: unknown;
+}
+/**
+ * Default parameter types for {@link KeyManager}, using KMS-oriented types.
+ */
+export interface DefaultKeyManagerParams {
+    CipherInput: KmsCipherParams;
+    GenerateKeyInput: KmsGenerateKeyParams;
+    GenerateKeyOutput: KeyIdentifier;
+    GetPublicKeyInput: KmsGetPublicKeyParams;
+    SignInput: KmsSignParams;
+    VerifyInput: KmsVerifyParams;
+}
+/**
+ * The `KeyManager` interface integrates key generation and signing capabilities.
+ *
+ * Concrete implementations of this interface are intended to be used as a Key Management System
+ * (KMS), which is responsible for generating and storing cryptographic keys.
+ */
+export interface KeyManager<T extends KeyManagerParams = DefaultKeyManagerParams> extends DsaApi<T['GenerateKeyInput'], T['GenerateKeyOutput'], T['GetPublicKeyInput'], KmsDigestParams, T['SignInput'], T['VerifyInput']> {
     /**
+     * Returns the Key URI for a given JWK.
      *
      * @param params - The parameters for getting the key URI.
      * @param params.key - The key to get the URI for.

package/dist/types/types/crypto-api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto-api.d.ts","sourceRoot":"","sources":["../../../src/types/crypto-api.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AACjE,OAAO,KAAK,EACV,aAAa,EACb,eAAe,EACf,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,qBAAqB,EACtB,MAAM,iBAAiB,CAAC;AAEzB;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,WAAW,SAAS,CACxB,gBAAgB,GAAG,oBAAoB,EACvC,iBAAiB,GAAG,aAAa,EACjC,iBAAiB,GAAG,qBAAqB,EACzC,WAAW,GAAG,eAAe,EAC7B,SAAS,GAAG,aAAa,EACzB,WAAW,GAAG,eAAe,CAC7B,SAAQ,sBAAsB,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,CAAC,EAC9E,MAAM,CAAC,WAAW,CAAC,EACnB,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC;IACtC;;;;;OAKG;IACH,SAAS,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;CAC/D"}
+{"version":3,"file":"crypto-api.d.ts","sourceRoot":"","sources":["../../../src/types/crypto-api.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AACjE,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AACjE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,KAAK,EACV,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACZ,oBAAoB,EACpB,wBAAwB,EACxB,YAAY,EACZ,iBAAiB,EACjB,kBAAkB,EAClB,uBAAuB,EACvB,sBAAsB,EACtB,UAAU,EACV,eAAe,EACf,YAAY,EACZ,aAAa,EACd,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC1E,OAAO,KAAK,EACV,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAClB,qBAAqB,EACrB,aAAa,EACb,eAAe,EAChB,MAAM,iBAAiB,CAAC;AAEzB;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,WAAW,MAAM,CACrB,gBAAgB,GAAG,oBAAoB,EACvC,iBAAiB,GAAG,aAAa,EACjC,iBAAiB,GAAG,qBAAqB,EACzC,WAAW,GAAG,eAAe,EAC7B,SAAS,GAAG,aAAa,EACzB,WAAW,GAAG,eAAe,CAC5B,SAAQ,sBAAsB,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,CAAC,EAC/E,MAAM,CAAC,WAAW,CAAC,EACnB,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC;CAAG;AAE3C;;;;;;GAMG;AACH,MAAM,WAAW,SAAS,CACxB,gBAAgB,GAAG,iBAAiB,EACpC,iBAAiB,GAAG,GAAG,EACvB,iBAAiB,GAAG,kBAAkB,EACtC,WAAW,GAAG,YAAY,EAC1B,SAAS,GAAG,UAAU,EACtB,WAAW,GAAG,YAAY,EAC1B,YAAY,GAAG,YAAY,EAC3B,YAAY,GAAG,YAAY,EAC3B,qBAAqB,GAAG,sBAAsB,EAC9C,qBAAqB,GAAG,sBAAsB,EAC9C,sBAAsB,GAAG,uBAAuB,EAChD,sBAAsB,GAAG,uBAAuB,EAChD,cAAc,GAAG,wBAAwB,EACzC,eAAe,GAAG,GAAG,EACrB,mBAAmB,GAAG,oBAAoB,EAC1C,oBAAoB,GAAG,UAAU,EACjC,YAAY,GAAG,aAAa,EAC5B,cAAc,GAAG,eAAe,CAChC,SACA,MAAM,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,CAAC,EACnG,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,EAClC,sBAAsB,CAAC,qBAAqB,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,sBAAsB,CAAC,EACpH,gBAAgB,CAAC,cAAc,EAAE,eAAe,CAAC,EACjD,eAAe,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,EAC1D,UAAU,CAAC,YAAY,EAAE,cAAc,CAAC;CAAG;AAE7C,iDAAiD;AACjD,MAAM,MAAM,iBAAiB,CAC3B,gBAAgB,GAAG,iBAAiB,EACpC,iBAAiB,GAAG,GAAG,EACvB,iBAAiB,GAAG,kBAAkB,EACtC,WAAW,GAAG,YAAY,EAC1B,SAAS,GAAG,UAAU,EACtB,WAAW,GAAG,YAAY,EAC1B,YAAY,GAAG,YAAY,EAC3B,YAAY,GAAG,YAAY,EAC3B,qBAAqB,GAAG,sBAAsB,EAC9C,qBAAqB,GAAG,sBAAsB,EAC9C,sBAAsB,GAAG,uBAAuB,EAChD,sBAAsB,GAAG,uBAAuB,EAChD,cAAc,GAAG,wBAAwB,EACzC,eAAe,GAAG,GAAG,EACrB,mBAAmB,GAAG,oBAAoB,EAC1C,oBAAoB,GAAG,UAAU,EACjC,YAAY,GAAG,aAAa,EAC5B,cAAc,GAAG,eAAe,IAC9B,SAAS,CACX,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,EAC3F,YAAY,EAAE,YAAY,EAAE,qBAAqB,EAAE,qBAAqB,EACxE,sBAAsB,EAAE,sBAAsB,EAAE,cAAc,EAAE,eAAe,EAC/E,mBAAmB,EAAE,oBAAoB,EAAE,YAAY,EAAE,cAAc,CACxE,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,eAAe,CAAC;IAC7B,gBAAgB,EAAE,oBAAoB,CAAC;IACvC,iBAAiB,EAAE,aAAa,CAAC;IACjC,iBAAiB,EAAE,qBAAqB,CAAC;IACzC,SAAS,EAAE,aAAa,CAAC;IACzB,WAAW,EAAE,eAAe,CAAC;CAC9B;AAED;;;;;GAKG;AACH,MAAM,WAAW,UAAU,CAAC,CAAC,SAAS,gBAAgB,GAAG,uBAAuB,CAC9E,SAAQ,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC,EAAE,CAAC,CAAC,mBAAmB,CAAC,EAAE,CAAC,CAAC,mBAAmB,CAAC,EAAE,eAAe,EAAE,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,aAAa,CAAC,CAAC;IAExI;;;;;;OAMG;IACH,SAAS,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;CAC/D"}

package/dist/types/types/key-converter.d.ts

@@ -1,8 +1,17 @@
 import type { Jwk } from '../jose/jwk.js';
 /**
  * `KeyConverter` interface for converting private keys between byte array and JWK formats.
+ *
+ * @typeParam BytesToPrivateKeyInput - The input type for `bytesToPrivateKey`. Defaults to
+ *   `{ privateKeyBytes: Uint8Array }`.
+ * @typeParam PrivateKeyToBytesInput - The input type for `privateKeyToBytes`. Defaults to
+ *   `{ privateKey: Jwk }`.
  */
-export interface KeyConverter {
+export interface KeyConverter<BytesToPrivateKeyInput = {
+    privateKeyBytes: Uint8Array;
+}, PrivateKeyToBytesInput = {
+    privateKey: Jwk;
+}> {
     /**
      * Converts a private key from a byte array to JWK format.
      *
@@ -11,9 +20,7 @@ export interface KeyConverter {
      *
      * @returns A Promise that resolves to the private key in JWK format.
      */
-    bytesToPrivateKey(params: {
-        privateKeyBytes: Uint8Array;
-    }): Promise<Jwk>;
+    bytesToPrivateKey(params: BytesToPrivateKeyInput): Promise<Jwk>;
     /**
      * Converts a private key from JWK format to a byte array.
      *
@@ -22,15 +29,34 @@ export interface KeyConverter {
      *
      * @returns A Promise that resolves to the private key as a Uint8Array.
      */
-    privateKeyToBytes(params: {
-        privateKey: Jwk;
-    }): Promise<Uint8Array>;
+    privateKeyToBytes(params: PrivateKeyToBytesInput): Promise<Uint8Array>;
 }
 /**
- * `AsymmetricKeyConverter` interface extends {@link KeyConverter |`KeyConverter`}, adding support
+ * `AsymmetricKeyConverter` interface extends {@link KeyConverter | `KeyConverter`}, adding support
  * for public key conversions.
+ *
+ * When used with default type parameters, this interface includes all four conversion methods
+ * (bytes-to/from private key AND bytes-to/from public key). When used with explicit type
+ * parameters, both the private and public key conversion types can be customized.
+ *
+ * @typeParam BytesToPublicKeyInput - The input type for `bytesToPublicKey`. Defaults to
+ *   `{ publicKeyBytes: Uint8Array }`.
+ * @typeParam PublicKeyToBytesInput - The input type for `publicKeyToBytes`. Defaults to
+ *   `{ publicKey: Jwk }`.
+ * @typeParam BytesToPrivateKeyInput - The input type for `bytesToPrivateKey`. Defaults to
+ *   `{ privateKeyBytes: Uint8Array }`.
+ * @typeParam PrivateKeyToBytesInput - The input type for `privateKeyToBytes`. Defaults to
+ *   `{ privateKey: Jwk }`.
  */
-export interface AsymmetricKeyConverter extends KeyConverter {
+export interface AsymmetricKeyConverter<BytesToPublicKeyInput = {
+    publicKeyBytes: Uint8Array;
+}, PublicKeyToBytesInput = {
+    publicKey: Jwk;
+}, BytesToPrivateKeyInput = {
+    privateKeyBytes: Uint8Array;
+}, PrivateKeyToBytesInput = {
+    privateKey: Jwk;
+}> extends KeyConverter<BytesToPrivateKeyInput, PrivateKeyToBytesInput> {
     /**
      * Converts a public key from a byte array to JWK format.
      *
@@ -39,9 +65,7 @@ export interface AsymmetricKeyConverter extends KeyConverter {
      *
      * @returns A Promise that resolves to the public key in JWK format.
      */
-    bytesToPublicKey(params: {
-        publicKeyBytes: Uint8Array;
-    }): Promise<Jwk>;
+    bytesToPublicKey(params: BytesToPublicKeyInput): Promise<Jwk>;
     /**
      * Converts a public key from JWK format to a byte array.
      *
@@ -50,8 +74,6 @@ export interface AsymmetricKeyConverter extends KeyConverter {
      *
      * @returns A Promise that resolves to the public key as a Uint8Array.
      */
-    publicKeyToBytes(params: {
-        publicKey: Jwk;
-    }): Promise<Uint8Array>;
+    publicKeyToBytes(params: PublicKeyToBytesInput): Promise<Uint8Array>;
 }
 //# sourceMappingURL=key-converter.d.ts.map

package/dist/types/types/key-converter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"key-converter.d.ts","sourceRoot":"","sources":["../../../src/types/key-converter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAE1C;;GAEG;AACH,MAAM,WAAW,YAAY;IAE3B;;;;;;;OAOG;IACH,iBAAiB,CAAC,MAAM,EAAE;QAAE,eAAe,EAAE,UAAU,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAEzE;;;;;;;OAOG;IACH,iBAAiB,CAAC,MAAM,EAAE;QAAE,UAAU,EAAE,GAAG,CAAA;KAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CACrE;AAED;;;GAGG;AACH,MAAM,WAAW,sBAAuB,SAAQ,YAAY;IAC1D;;;;;;;OAOG;IACH,gBAAgB,CAAC,MAAM,EAAE;QAAE,cAAc,EAAE,UAAU,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAEvE;;;;;;;OAOG;IACH,gBAAgB,CAAC,MAAM,EAAE;QAAE,SAAS,EAAE,GAAG,CAAA;KAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CACnE"}
+{"version":3,"file":"key-converter.d.ts","sourceRoot":"","sources":["../../../src/types/key-converter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAE1C;;;;;;;GAOG;AACH,MAAM,WAAW,YAAY,CAC3B,sBAAsB,GAAG;IAAE,eAAe,EAAE,UAAU,CAAA;CAAE,EACxD,sBAAsB,GAAG;IAAE,UAAU,EAAE,GAAG,CAAA;CAAE;IAG5C;;;;;;;OAOG;IACH,iBAAiB,CAAC,MAAM,EAAE,sBAAsB,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAEhE;;;;;;;OAOG;IACH,iBAAiB,CAAC,MAAM,EAAE,sBAAsB,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CACxE;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,sBAAsB,CACrC,qBAAqB,GAAG;IAAE,cAAc,EAAE,UAAU,CAAA;CAAE,EACtD,qBAAqB,GAAG;IAAE,SAAS,EAAE,GAAG,CAAA;CAAE,EAC1C,sBAAsB,GAAG;IAAE,eAAe,EAAE,UAAU,CAAA;CAAE,EACxD,sBAAsB,GAAG;IAAE,UAAU,EAAE,GAAG,CAAA;CAAE,CAC5C,SAAQ,YAAY,CAAC,sBAAsB,EAAE,sBAAsB,CAAC;IACpE;;;;;;;OAOG;IACH,gBAAgB,CAAC,MAAM,EAAE,qBAAqB,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAE9D;;;;;;;OAOG;IACH,gBAAgB,CAAC,MAAM,EAAE,qBAAqB,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CACtE"}

package/dist/types/types/key-deriver.d.ts

@@ -36,4 +36,45 @@ export interface KeyDeriver<DeriveBitsInput, DeriveKeyInput, DeriveKeyOutput> {
      */
     deriveKey(params: DeriveKeyInput): Promise<DeriveKeyOutput>;
 }
+/**
+ * The `SimpleKeyDeriver` interface provides a single `deriveKey()` method for key derivation,
+ * without the `deriveBits()` method that {@link KeyDeriver} includes.
+ *
+ * This is useful for implementations that only need key derivation (not raw bit derivation).
+ */
+export interface SimpleKeyDeriver<DeriveKeyInput, DeriveKeyOutput> {
+    /**
+     * Derives a cryptographic key based on the provided input parameters.
+     *
+     * @param params - The parameters for the key derivation process.
+     *
+     * @returns A Promise resolving to the derived key in the specified output format.
+     */
+    deriveKey(params: DeriveKeyInput): Promise<DeriveKeyOutput>;
+}
+/**
+ * The `KeyBytesDeriver` interface provides a method for deriving a byte array using a key
+ * derivation algorithm.
+ *
+ * The `deriveKeyBytes()` method derives cryptographic bits from input data using the specified
+ * key derivation algorithm. This interface is designed to support various key derivation
+ * algorithms, accommodating different input and output types.
+ */
+export interface KeyBytesDeriver<DeriveKeyBytesInput, DeriveKeyBytesOutput> {
+    /**
+     * Generates a specified number of cryptographic bits from given input parameters.
+     *
+     * @remarks
+     * The `deriveKeyBytes()` method of the {@link KeyBytesDeriver | `KeyBytesDeriver`} interface is
+     * used to create cryptographic material such as initialization vectors or keys from various
+     * sources. The method takes in parameters specific to the chosen key derivation algorithm and
+     * outputs a promise that resolves to a `Uint8Array` containing the derived bits.
+     *
+     * @param params - The parameters for the key derivation process, specific to the chosen
+     *                 algorithm.
+     *
+     * @returns A Promise resolving to the derived bits in the specified format.
+     */
+    deriveKeyBytes(params: DeriveKeyBytesInput): Promise<DeriveKeyBytesOutput>;
+}
 //# sourceMappingURL=key-deriver.d.ts.map

package/dist/types/types/key-deriver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"key-deriver.d.ts","sourceRoot":"","sources":["../../../src/types/key-deriver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,MAAM,WAAW,UAAU,CACzB,eAAe,EACf,cAAc,EACd,eAAe;IAEf;;;;;;;;;;;;OAYG;IACH,UAAU,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAEzD;;;;;;;;;;;;OAYG;IACH,SAAS,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;CAC7D"}
+{"version":3,"file":"key-deriver.d.ts","sourceRoot":"","sources":["../../../src/types/key-deriver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,MAAM,WAAW,UAAU,CACzB,eAAe,EACf,cAAc,EACd,eAAe;IAEf;;;;;;;;;;;;OAYG;IACH,UAAU,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAEzD;;;;;;;;;;;;OAYG;IACH,SAAS,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;CAC7D;AAED;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB,CAC/B,cAAc,EACd,eAAe;IAEf;;;;;;OAMG;IACH,SAAS,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;CAC7D;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,eAAe,CAC9B,mBAAmB,EACnB,oBAAoB;IAEpB;;;;;;;;;;;;;OAaG;IACH,cAAc,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAC5E"}

package/dist/types/types/key-io.d.ts

@@ -34,4 +34,41 @@ export interface KeyImporterExporter<ImportKeyInput, ImportKeyOutput, ExportKeyI
      */
     importKey(params: ImportKeyInput): Promise<ImportKeyOutput>;
 }
+/**
+ * The `KeyExporter` interface provides a method for exporting cryptographic keys.
+ */
+export interface KeyExporter<ExportKeyInput, ExportKeyOutput = Jwk> {
+    /**
+     * Exports a cryptographic key to an external JWK object.
+     *
+     * @param params - The parameters for the key export operation.
+     *
+     * @returns A Promise resolving to the exported key in JWK format.
+     */
+    exportKey(params: ExportKeyInput): Promise<ExportKeyOutput>;
+}
+/**
+ * The `KeyImporter` interface provides a method for importing cryptographic keys.
+ */
+export interface KeyImporter<ImportKeyInput, ImportKeyOutput = void> {
+    /**
+     * Imports an external key in JWK format.
+     *
+     * @param params - The parameters for the key import operation.
+     *
+     * @returns A Promise resolving to the key identifier of the imported key.
+     */
+    importKey(params: ImportKeyInput): Promise<ImportKeyOutput>;
+}
+/**
+ * The `KeyDeleter` interface provides a method for deleting cryptographic keys.
+ */
+export interface KeyDeleter<DeleteKeyInput> {
+    /**
+     * Deletes a cryptographic key from the key store.
+     *
+     * @param params - The parameters for the key deletion operation.
+     */
+    deleteKey(params: DeleteKeyInput): Promise<void>;
+}
 //# sourceMappingURL=key-io.d.ts.map