@enbox/crypto 0.0.3 → 0.0.5

package/dist/types/algorithms/hkdf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hkdf.d.ts","sourceRoot":"","sources":["../../../src/algorithms/hkdf.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACtE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAE/D,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAGxD;;;GAGG;AACH,MAAM,WAAW,wBAAyB,SAAQ,oBAAoB;IACpE;;;;;OAKG;IACH,SAAS,EAAE,UAAU,GAAG,UAAU,GAAG,UAAU,CAAC;CACjD;AAED;;;GAGG;AACH,qBAAa,aAAc,SAAQ,eACjC,YAAW,eAAe,CAAC,wBAAwB,EAAE,UAAU,CAAC;IAEhE;;;;;;;;;OASG;IACU,cAAc,CAAC,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE,EAClD,wBAAwB,GAAG,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,GAClD,OAAO,CAAC,UAAU,CAAC;CAavB"}

package/dist/types/algorithms/pbkdf2.d.ts

@@ -0,0 +1,35 @@
+import type { DeriveKeyBytesParams } from '../types/params-direct.js';
+import type { KeyBytesDeriver } from '../types/key-deriver.js';
+import type { Pbkdf2Params } from '../primitives/pbkdf2.js';
+import { CryptoAlgorithm } from './crypto-algorithm.js';
+/**
+ * The `Pbkdf2DeriveKeyBytesParams` interface defines the algorithm-specific parameters that
+ * should be passed into the `deriveKeyBytes()` method when using the PBKDF2 algorithm.
+ */
+export interface Pbkdf2DeriveKeyBytesParams extends DeriveKeyBytesParams {
+    /** Specifies the algorithm variant for PBKDF2 key derivation.
+     * The value determines the hash function that will be used and must be one of the following:
+     * - `"PBES2-HS256+A128KW"`: PBKDF2 with HMAC SHA-256 and A128KW key wrapping.
+     * - `"PBES2-HS384+A192KW"`: PBKDF2 with HMAC SHA-384 and A192KW key wrapping.
+     * - `"PBES2-HS512+A256KW"`: PBKDF2 with HMAC SHA-512 and A256KW key wrapping.
+     */
+    algorithm: 'PBES2-HS256+A128KW' | 'PBES2-HS384+A192KW' | 'PBES2-HS512+A256KW';
+}
+/**
+ * The `Pbkdf2Algorithm` class provides a concrete implementation for PBKDF2 key derivation. It
+ * wraps the {@link Pbkdf2} primitive and maps PBES2 JOSE algorithm names to hash functions.
+ */
+export declare class Pbkdf2Algorithm extends CryptoAlgorithm implements KeyBytesDeriver<Pbkdf2DeriveKeyBytesParams, Uint8Array> {
+    /**
+     * Derives a cryptographic byte array using PBKDF2.
+     *
+     * @param params - The parameters for the key derivation operation.
+     * @param params.algorithm - The PBES2 algorithm variant (e.g., `'PBES2-HS512+A256KW'`).
+     * @param params.baseKeyBytes - The password or passphrase as bytes.
+     * @param params.length - The desired length of the output in bits.
+     *
+     * @returns A Promise that resolves to the derived key bytes.
+     */
+    deriveKeyBytes({ algorithm, ...params }: Pbkdf2DeriveKeyBytesParams & Omit<Pbkdf2Params, 'hash'>): Promise<Uint8Array>;
+}
+//# sourceMappingURL=pbkdf2.d.ts.map

package/dist/types/algorithms/pbkdf2.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pbkdf2.d.ts","sourceRoot":"","sources":["../../../src/algorithms/pbkdf2.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACtE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAE5D,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAGxD;;;GAGG;AACH,MAAM,WAAW,0BAA2B,SAAQ,oBAAoB;IACtE;;;;;OAKG;IACH,SAAS,EAAE,oBAAoB,GAAG,oBAAoB,GAAG,oBAAoB,CAAC;CAC/E;AAED;;;GAGG;AACH,qBAAa,eAAgB,SAAQ,eACnC,YAAW,eAAe,CAAC,0BAA0B,EAAE,UAAU,CAAC;IAElE;;;;;;;;;OASG;IACU,cAAc,CAAC,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE,EAClD,0BAA0B,GAAG,IAAI,CAAC,YAAY,EAAE,MAAM,CAAC,GACtD,OAAO,CAAC,UAAU,CAAC;CAgBvB"}

package/dist/types/algorithms/sha-2.d.ts

@@ -18,7 +18,7 @@ export interface Sha2DigestParams extends DigestParams {
  * of the hash function and arbitrary data as input and returns the hash digest of the data.
  *
  * This class is typically accessed through implementations that extend the
- * {@link CryptoApi | `CryptoApi`} interface.
+ * {@link DsaApi | `DsaApi`} interface.
  */
 export declare class Sha2Algorithm extends CryptoAlgorithm implements Hasher<Sha2DigestParams> {
     /**

package/dist/types/algorithms/x25519.d.ts

@@ -0,0 +1,76 @@
+import type { AsymmetricKeyGenerator } from '../types/key-generator.js';
+import type { Jwk } from '../jose/jwk.js';
+import type { KeyConverter } from '../types/key-converter.js';
+import type { BytesToPrivateKeyParams, ComputePublicKeyParams, GenerateKeyParams, GetPublicKeyParams, PrivateKeyToBytesParams } from '../types/params-direct.js';
+import { CryptoAlgorithm } from './crypto-algorithm.js';
+/**
+ * The `X25519GenerateKeyParams` interface defines the algorithm-specific parameters that should be
+ * passed into the `generateKey()` method when using the X25519 key agreement algorithm.
+ */
+export interface X25519GenerateKeyParams extends GenerateKeyParams {
+    /**
+     * A string defining the type of key to generate. The value must be:
+     * - `"X25519"`: Elliptic-curve Diffie-Hellman (ECDH) using Curve25519.
+     */
+    algorithm: 'X25519';
+}
+/**
+ * The `X25519Algorithm` class provides a concrete implementation for key generation,
+ * public key derivation, and key conversion using the X25519 elliptic curve. X25519 is a
+ * key agreement curve (not a signature curve) used for ECDH key exchange in JWE encryption.
+ *
+ * This class implements the {@link AsymmetricKeyGenerator | `AsymmetricKeyGenerator`} and
+ * {@link KeyConverter | `KeyConverter`} interfaces, providing private key generation,
+ * public key derivation, and byte/JWK conversion.
+ */
+export declare class X25519Algorithm extends CryptoAlgorithm implements AsymmetricKeyGenerator<X25519GenerateKeyParams, Jwk, GetPublicKeyParams>, KeyConverter {
+    /**
+     * Converts a raw private key in bytes to its corresponding JWK format.
+     *
+     * @param params - The parameters for the private key conversion.
+     * @param params.algorithm - Must be `'X25519'`.
+     * @param params.privateKeyBytes - The raw private key as a Uint8Array.
+     *
+     * @returns A Promise that resolves to the private key in JWK format.
+     */
+    bytesToPrivateKey({ algorithm, privateKeyBytes }: BytesToPrivateKeyParams & {
+        algorithm: 'X25519';
+    }): Promise<Jwk>;
+    /**
+     * Derives the public key in JWK format from a given X25519 private key.
+     *
+     * @param params - The parameters for the public key derivation.
+     * @param params.key - The private key in JWK format from which to derive the public key.
+     *
+     * @returns A Promise that resolves to the derived public key in JWK format.
+     */
+    computePublicKey({ key }: ComputePublicKeyParams): Promise<Jwk>;
+    /**
+     * Generates a new X25519 private key in JWK format.
+     *
+     * @param params - The parameters for key generation.
+     * @param params.algorithm - Must be `'X25519'`.
+     *
+     * @returns A Promise that resolves to the generated private key in JWK format.
+     */
+    generateKey({ algorithm }: X25519GenerateKeyParams): Promise<Jwk>;
+    /**
+     * Retrieves the public key properties from a given X25519 private key in JWK format.
+     *
+     * @param params - The parameters for retrieving the public key properties.
+     * @param params.key - The private key in JWK format.
+     *
+     * @returns A Promise that resolves to the public key in JWK format.
+     */
+    getPublicKey({ key }: GetPublicKeyParams): Promise<Jwk>;
+    /**
+     * Converts a private key from JWK format to a byte array.
+     *
+     * @param params - The parameters for the private key conversion.
+     * @param params.privateKey - The private key in JWK format.
+     *
+     * @returns A Promise that resolves to the private key as a Uint8Array.
+     */
+    privateKeyToBytes({ privateKey }: PrivateKeyToBytesParams): Promise<Uint8Array>;
+}
+//# sourceMappingURL=x25519.d.ts.map

package/dist/types/algorithms/x25519.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"x25519.d.ts","sourceRoot":"","sources":["../../../src/algorithms/x25519.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AACxE,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EACV,uBAAuB,EACvB,sBAAsB,EACtB,iBAAiB,EACjB,kBAAkB,EAClB,uBAAuB,EACxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAMxD;;;GAGG;AACH,MAAM,WAAW,uBAAwB,SAAQ,iBAAiB;IAChE;;;OAGG;IACH,SAAS,EAAE,QAAQ,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,qBAAa,eAAgB,SAAQ,eACnC,YAAW,sBAAsB,CAAC,uBAAuB,EAAE,GAAG,EAAE,kBAAkB,CAAC,EACxE,YAAY;IAEvB;;;;;;;;OAQG;IACU,iBAAiB,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,EAC3D,uBAAuB,GAAG;QAAE,SAAS,EAAE,QAAQ,CAAA;KAAE,GAChD,OAAO,CAAC,GAAG,CAAC;IAaf;;;;;;;OAOG;IACU,gBAAgB,CAAC,EAAE,GAAG,EAAE,EACnC,sBAAsB,GACrB,OAAO,CAAC,GAAG,CAAC;IAef;;;;;;;OAOG;IACG,WAAW,CAAC,EAAE,SAAS,EAAE,EAC7B,uBAAuB,GACtB,OAAO,CAAC,GAAG,CAAC;IAaf;;;;;;;OAOG;IACU,YAAY,CAAC,EAAE,GAAG,EAAE,EAC/B,kBAAkB,GACjB,OAAO,CAAC,GAAG,CAAC;IAef;;;;;;;OAOG;IACU,iBAAiB,CAAC,EAAE,UAAU,EAAE,EAC3C,uBAAuB,GACtB,OAAO,CAAC,UAAU,CAAC;CAGvB"}

package/dist/types/cose/cbor.d.ts

@@ -0,0 +1,30 @@
+/**
+ * CBOR (Concise Binary Object Representation) encoding and decoding utilities.
+ *
+ * Provides a thin wrapper around the `cborg` library, exposing `encode` and `decode`
+ * operations for use by COSE and EAT implementations.
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc8949 | RFC 8949 — CBOR}
+ */
+export declare class Cbor {
+    /**
+     * Encodes a JavaScript value to a CBOR byte string.
+     *
+     * @param value - The value to encode. Supports objects, arrays, strings, numbers,
+     *   booleans, null, undefined, Uint8Array (encoded as CBOR byte string), and Map.
+     * @returns The CBOR-encoded bytes.
+     */
+    static encode(value: unknown): Uint8Array;
+    /**
+     * Decodes a CBOR byte string to a JavaScript value.
+     *
+     * CBOR maps are decoded as JavaScript `Map` instances to support integer keys,
+     * which is required by COSE (RFC 9052) and EAT (RFC 9711).
+     *
+     * @param data - The CBOR-encoded bytes to decode.
+     * @returns The decoded JavaScript value.
+     * @throws If the input is not valid CBOR.
+     */
+    static decode<T = unknown>(data: Uint8Array): T;
+}
+//# sourceMappingURL=cbor.d.ts.map

package/dist/types/cose/cbor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cbor.d.ts","sourceRoot":"","sources":["../../../src/cose/cbor.ts"],"names":[],"mappings":"AAEA;;;;;;;GAOG;AACH,qBAAa,IAAI;IACf;;;;;;OAMG;WACW,MAAM,CAAC,KAAK,EAAE,OAAO,GAAG,UAAU;IAIhD;;;;;;;;;OASG;WACW,MAAM,CAAC,CAAC,GAAG,OAAO,EAAE,IAAI,EAAE,UAAU,GAAG,CAAC;CAGvD"}

package/dist/types/cose/cose-key.d.ts

@@ -0,0 +1,106 @@
+import type { Jwk } from '../jose/jwk.js';
+/**
+ * COSE Key Type values (RFC 9052, Section 7).
+ *
+ * @see {@link https://www.iana.org/assignments/cose/cose.xhtml#key-type | IANA COSE Key Types}
+ */
+export declare enum CoseKeyType {
+    /** Octet Key Pair (e.g., Ed25519, X25519) */
+    OKP = 1,
+    /** Elliptic Curve (e.g., P-256, P-384, P-521) */
+    EC2 = 2,
+    /** Symmetric key */
+    Symmetric = 4
+}
+/**
+ * COSE Elliptic Curve identifiers (RFC 9053, Section 7.1).
+ *
+ * @see {@link https://www.iana.org/assignments/cose/cose.xhtml#elliptic-curves | IANA COSE Elliptic Curves}
+ */
+export declare enum CoseEllipticCurve {
+    /** NIST P-256 (secp256r1) */
+    P256 = 1,
+    /** NIST P-384 (secp384r1) */
+    P384 = 2,
+    /** NIST P-521 (secp521r1) */
+    P521 = 3,
+    /** X25519 for ECDH */
+    X25519 = 4,
+    /** X448 for ECDH */
+    X448 = 5,
+    /** Ed25519 for EdDSA */
+    Ed25519 = 6,
+    /** Ed448 for EdDSA */
+    Ed448 = 7,
+    /** secp256k1 */
+    Secp256k1 = 8
+}
+/**
+ * COSE Algorithm identifiers (RFC 9053).
+ *
+ * Only includes algorithms relevant to Enbox confidential compute.
+ *
+ * @see {@link https://www.iana.org/assignments/cose/cose.xhtml#algorithms | IANA COSE Algorithms}
+ */
+export declare enum CoseAlgorithm {
+    /** EdDSA (Ed25519 or Ed448) */
+    EdDSA = -8,
+    /** ECDSA with SHA-256 (P-256) */
+    ES256 = -7,
+    /** ECDSA with SHA-384 (P-384) */
+    ES384 = -35,
+    /** ECDSA with SHA-512 (P-521) */
+    ES512 = -36,
+    /** ECDSA with SHA-256 (secp256k1) */
+    ES256K = -47
+}
+/**
+ * Utilities for converting between JWK and COSE key representations.
+ *
+ * COSE keys use integer labels and CBOR encoding, while JWK uses string
+ * property names and JSON. This class provides bidirectional conversion.
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-7 | RFC 9052, Section 7}
+ */
+export declare class CoseKey {
+    /**
+     * Converts a JWK to a COSE key represented as a Map.
+     *
+     * @param jwk - The JWK to convert.
+     * @returns A Map with integer labels as keys, suitable for CBOR encoding.
+     * @throws {CryptoError} If the JWK key type or curve is not supported.
+     */
+    static fromJwk(jwk: Jwk): Map<number, unknown>;
+    /**
+     * Converts a COSE key Map to a JWK.
+     *
+     * @param coseKey - A Map with integer labels as keys (from CBOR decoding).
+     * @returns The equivalent JWK.
+     * @throws {CryptoError} If the COSE key type or curve is not supported.
+     */
+    static toJwk(coseKey: Map<number, unknown>): Jwk;
+    /**
+     * Infers the COSE algorithm identifier from a JWK.
+     *
+     * If the JWK has an `alg` field, it is used directly. Otherwise, the algorithm
+     * is inferred from the key type and curve.
+     *
+     * @param jwk - The JWK to infer the algorithm from.
+     * @returns The COSE algorithm identifier.
+     * @throws {CryptoError} If the algorithm cannot be determined.
+     */
+    static algorithmFromJwk(jwk: Jwk): CoseAlgorithm;
+    /**
+     * Maps a COSE algorithm identifier to a JWK algorithm name.
+     *
+     * @param alg - The COSE algorithm identifier.
+     * @returns The JWK algorithm name.
+     * @throws {CryptoError} If the algorithm is not supported.
+     */
+    static algorithmToJwk(alg: CoseAlgorithm): string;
+    /**
+     * Applies common COSE key fields (kid, alg) to a JWK.
+     */
+    private static applyCommonFields;
+}
+//# sourceMappingURL=cose-key.d.ts.map

package/dist/types/cose/cose-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cose-key.d.ts","sourceRoot":"","sources":["../../../src/cose/cose-key.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAM1C;;;;GAIG;AACH,oBAAY,WAAW;IACrB,6CAA6C;IAC7C,GAAG,IAAI;IACP,iDAAiD;IACjD,GAAG,IAAI;IACP,oBAAoB;IACpB,SAAS,IAAI;CACd;AAED;;;;GAIG;AACH,oBAAY,iBAAiB;IAC3B,6BAA6B;IAC7B,IAAI,IAAI;IACR,6BAA6B;IAC7B,IAAI,IAAI;IACR,6BAA6B;IAC7B,IAAI,IAAI;IACR,sBAAsB;IACtB,MAAM,IAAI;IACV,oBAAoB;IACpB,IAAI,IAAI;IACR,wBAAwB;IACxB,OAAO,IAAI;IACX,sBAAsB;IACtB,KAAK,IAAI;IACT,gBAAgB;IAChB,SAAS,IAAI;CACd;AAED;;;;;;GAMG;AACH,oBAAY,aAAa;IACvB,+BAA+B;IAC/B,KAAK,KAAK;IACV,iCAAiC;IACjC,KAAK,KAAK;IACV,iCAAiC;IACjC,KAAK,MAAM;IACX,iCAAiC;IACjC,KAAK,MAAM;IACX,qCAAqC;IACrC,MAAM,MAAM;CACb;AAmFD;;;;;;;GAOG;AACH,qBAAa,OAAO;IAClB;;;;;;OAMG;WACW,OAAO,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC;IAmDrD;;;;;;OAMG;WACW,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,GAAG;IA6DvD;;;;;;;;;OASG;WACW,gBAAgB,CAAC,GAAG,EAAE,GAAG,GAAG,aAAa;IAyBvD;;;;;;OAMG;WACW,cAAc,CAAC,GAAG,EAAE,aAAa,GAAG,MAAM;IAOxD;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,iBAAiB;CAWjC"}

package/dist/types/cose/cose-sign1.d.ts

@@ -0,0 +1,195 @@
+import type { Jwk } from '../jose/jwk.js';
+import { CoseAlgorithm } from './cose-key.js';
+/**
+ * COSE_Sign1 protected header parameters.
+ *
+ * The protected header is integrity-protected by inclusion in the Sig_structure.
+ * At minimum, it MUST contain the algorithm identifier.
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4 | RFC 9052, Section 4}
+ */
+export interface CoseSign1ProtectedHeader {
+    /** Algorithm identifier (label 1). Required. */
+    alg: CoseAlgorithm;
+    /** Content type (label 3). */
+    contentType?: string | number;
+    /** Key ID (label 4). */
+    kid?: Uint8Array;
+    /** Additional header parameters. */
+    [key: string]: unknown;
+}
+/**
+ * COSE_Sign1 unprotected header parameters.
+ *
+ * These parameters are NOT integrity-protected.
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4 | RFC 9052, Section 4}
+ */
+export interface CoseSign1UnprotectedHeader {
+    /** Key ID (label 4). */
+    kid?: Uint8Array;
+    /** Additional header parameters. */
+    [key: string]: unknown;
+}
+/**
+ * Parameters for creating a COSE_Sign1 structure.
+ */
+export interface CoseSign1CreateParams {
+    /** The signing key in JWK format. Must contain the private key (`d`). */
+    key: Jwk;
+    /** The payload to sign. */
+    payload: Uint8Array;
+    /**
+     * Protected header parameters. If omitted, the algorithm is inferred from the key
+     * and a minimal protected header `{ alg }` is used.
+     */
+    protectedHeader?: CoseSign1ProtectedHeader;
+    /** Unprotected header parameters. */
+    unprotectedHeader?: CoseSign1UnprotectedHeader;
+    /**
+     * External additional authenticated data (external_aad).
+     * Included in the Sig_structure but not in the COSE_Sign1 message itself.
+     * Defaults to empty bytes.
+     */
+    externalAad?: Uint8Array;
+    /**
+     * If true, the payload is detached (not included in the COSE_Sign1 serialization).
+     * The payload field in the CBOR array will be `null`.
+     */
+    detachedPayload?: boolean;
+}
+/**
+ * Parameters for verifying a COSE_Sign1 structure.
+ */
+export interface CoseSign1VerifyParams {
+    /** The COSE_Sign1 CBOR-encoded message to verify. */
+    coseSign1: Uint8Array;
+    /** The public key in JWK format for verification. */
+    key: Jwk;
+    /**
+     * External additional authenticated data (external_aad).
+     * Must match the value used during signing.
+     * Defaults to empty bytes.
+     */
+    externalAad?: Uint8Array;
+    /**
+     * Detached payload. Required if the COSE_Sign1 was created with `detachedPayload: true`.
+     */
+    payload?: Uint8Array;
+}
+/**
+ * Decoded COSE_Sign1 structure.
+ */
+export interface CoseSign1Decoded {
+    /** The protected header parameters (decoded from CBOR). */
+    protectedHeader: CoseSign1ProtectedHeader;
+    /** The raw protected header bytes (needed for signature verification). */
+    protectedHeaderBytes: Uint8Array;
+    /** The unprotected header parameters. */
+    unprotectedHeader: Map<number, unknown>;
+    /** The payload (null if detached). */
+    payload: Uint8Array | null;
+    /** The signature. */
+    signature: Uint8Array;
+}
+/**
+ * CBOR tag for COSE_Sign1 (RFC 9052, Section 4.2).
+ */
+/**
+ * COSE_Sign1 implementation per RFC 9052.
+ *
+ * Provides creation, verification, and decoding of COSE_Sign1 (single-signer)
+ * signed messages. This is the CBOR-based counterpart to JOSE/JWS and is used
+ * in TEE attestation (EAT tokens), CWT, and other COSE-based protocols.
+ *
+ * Supported algorithms:
+ * - EdDSA (Ed25519) — CoseAlgorithm.EdDSA (-8)
+ * - ES256 (P-256 / secp256r1 with SHA-256) — CoseAlgorithm.ES256 (-7)
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4.3 | RFC 9052, Section 4.3}
+ */
+export declare class CoseSign1 {
+    /**
+     * Creates a COSE_Sign1 message.
+     *
+     * Constructs the `Sig_structure1` to-be-signed bytes per RFC 9052 Section 4.4,
+     * signs them with the provided key, and returns the CBOR-encoded COSE_Sign1 array:
+     *
+     * ```
+     * COSE_Sign1 = [
+     *   protected : bstr,       ; CBOR-encoded protected header
+     *   unprotected : map,      ; unprotected header parameters
+     *   payload : bstr / nil,   ; payload (nil if detached)
+     *   signature : bstr        ; signature
+     * ]
+     * ```
+     *
+     * @param params - The parameters for creating the COSE_Sign1 message.
+     * @returns The CBOR-encoded COSE_Sign1 message.
+     * @throws {CryptoError} If the algorithm is not supported or signing fails.
+     *
+     * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4.3 | RFC 9052, Section 4.3}
+     * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4.4 | RFC 9052, Section 4.4}
+     */
+    static create(params: CoseSign1CreateParams): Promise<Uint8Array>;
+    /**
+     * Verifies a COSE_Sign1 message.
+     *
+     * Decodes the CBOR-encoded message, reconstructs the `Sig_structure1`, and verifies
+     * the signature using the provided public key.
+     *
+     * @param params - The parameters for verifying the COSE_Sign1 message.
+     * @returns `true` if the signature is valid, `false` otherwise.
+     * @throws {CryptoError} If the message is malformed or the algorithm is not supported.
+     *
+     * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4.4 | RFC 9052, Section 4.4}
+     */
+    static verify(params: CoseSign1VerifyParams): Promise<boolean>;
+    /**
+     * Decodes a CBOR-encoded COSE_Sign1 message into its constituent parts.
+     *
+     * The COSE_Sign1 structure is a CBOR array of four elements:
+     * ```
+     * [protected, unprotected, payload, signature]
+     * ```
+     *
+     * The message may optionally be wrapped in CBOR tag 18.
+     *
+     * @param coseSign1 - The CBOR-encoded COSE_Sign1 message.
+     * @returns The decoded COSE_Sign1 components.
+     * @throws {CryptoError} If the message does not conform to COSE_Sign1 structure.
+     */
+    static decode(coseSign1: Uint8Array): CoseSign1Decoded;
+    /**
+     * Builds the Sig_structure1 array for COSE_Sign1 signing and verification.
+     *
+     * ```
+     * Sig_structure1 = [
+     *   context : "Signature1",
+     *   body_protected : bstr,
+     *   external_aad : bstr,
+     *   payload : bstr
+     * ]
+     * ```
+     *
+     * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4.4 | RFC 9052, Section 4.4}
+     */
+    private static buildSigStructure1;
+    /**
+     * Converts a {@link CoseSign1ProtectedHeader} to a CBOR Map with integer labels.
+     */
+    private static buildProtectedHeaderMap;
+    /**
+     * Converts a {@link CoseSign1UnprotectedHeader} to a CBOR Map with integer labels.
+     */
+    private static buildUnprotectedHeaderMap;
+    /**
+     * Signs the to-be-signed bytes with the appropriate algorithm.
+     */
+    private static signBytes;
+    /**
+     * Verifies a signature over the to-be-signed bytes with the appropriate algorithm.
+     */
+    private static verifyBytes;
+}
+//# sourceMappingURL=cose-sign1.d.ts.map

package/dist/types/cose/cose-sign1.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cose-sign1.d.ts","sourceRoot":"","sources":["../../../src/cose/cose-sign1.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAK1C,OAAO,EAAE,aAAa,EAAW,MAAM,eAAe,CAAC;AAGvD;;;;;;;GAOG;AACH,MAAM,WAAW,wBAAwB;IACvC,gDAAgD;IAChD,GAAG,EAAE,aAAa,CAAC;IAEnB,8BAA8B;IAC9B,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAE9B,wBAAwB;IACxB,GAAG,CAAC,EAAE,UAAU,CAAC;IAEjB,oCAAoC;IACpC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,0BAA0B;IACzC,wBAAwB;IACxB,GAAG,CAAC,EAAE,UAAU,CAAC;IAEjB,oCAAoC;IACpC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,yEAAyE;IACzE,GAAG,EAAE,GAAG,CAAC;IAET,2BAA2B;IAC3B,OAAO,EAAE,UAAU,CAAC;IAEpB;;;OAGG;IACH,eAAe,CAAC,EAAE,wBAAwB,CAAC;IAE3C,qCAAqC;IACrC,iBAAiB,CAAC,EAAE,0BAA0B,CAAC;IAE/C;;;;OAIG;IACH,WAAW,CAAC,EAAE,UAAU,CAAC;IAEzB;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,qDAAqD;IACrD,SAAS,EAAE,UAAU,CAAC;IAEtB,qDAAqD;IACrD,GAAG,EAAE,GAAG,CAAC;IAET;;;;OAIG;IACH,WAAW,CAAC,EAAE,UAAU,CAAC;IAEzB;;OAEG;IACH,OAAO,CAAC,EAAE,UAAU,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,2DAA2D;IAC3D,eAAe,EAAE,wBAAwB,CAAC;IAE1C,0EAA0E;IAC1E,oBAAoB,EAAE,UAAU,CAAC;IAEjC,yCAAyC;IACzC,iBAAiB,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAExC,sCAAsC;IACtC,OAAO,EAAE,UAAU,GAAG,IAAI,CAAC;IAE3B,qBAAqB;IACrB,SAAS,EAAE,UAAU,CAAC;CACvB;AAgBD;;GAEG;AAGH;;;;;;;;;;;;GAYG;AACH,qBAAa,SAAS;IACpB;;;;;;;;;;;;;;;;;;;;;OAqBG;WACiB,MAAM,CAAC,MAAM,EAAE,qBAAqB,GAAG,OAAO,CAAC,UAAU,CAAC;IAwC9E;;;;;;;;;;;OAWG;WACiB,MAAM,CAAC,MAAM,EAAE,qBAAqB,GAAG,OAAO,CAAC,OAAO,CAAC;IAgC3E;;;;;;;;;;;;;OAaG;WACW,MAAM,CAAC,SAAS,EAAE,UAAU,GAAG,gBAAgB;IA6F7D;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,MAAM,CAAC,kBAAkB;IAajC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,uBAAuB;IAgBtC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,yBAAyB;IAUxC;;OAEG;mBACkB,SAAS;IAoB9B;;OAEG;mBACkB,WAAW;CAoBjC"}