@enbox/crypto 0.0.3 → 0.0.5

package/dist/types/cose/eat.d.ts

@@ -0,0 +1,203 @@
+import type { CoseSign1ProtectedHeader } from './cose-sign1.js';
+import type { Jwk } from '../jose/jwk.js';
+/**
+ * EAT (Entity Attestation Token) claim key constants.
+ *
+ * EAT reuses CWT registered claim keys and adds attestation-specific claims.
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9711 | RFC 9711 — Entity Attestation Token (EAT)}
+ * @see {@link https://www.rfc-editor.org/rfc/rfc8392 | RFC 8392 — CWT (CBOR Web Token)}
+ */
+export declare enum EatClaimKey {
+    /** Issuer (iss) — RFC 8392 */
+    Iss = 1,
+    /** Subject (sub) — RFC 8392 */
+    Sub = 2,
+    /** Audience (aud) — RFC 8392 */
+    Aud = 3,
+    /** Expiration Time (exp) — RFC 8392 */
+    Exp = 4,
+    /** Not Before (nbf) — RFC 8392 */
+    Nbf = 5,
+    /** Issued At (iat) — RFC 8392 */
+    Iat = 6,
+    /** CWT ID (cti) — RFC 8392 */
+    Cti = 7,
+    /** Nonce (eat_nonce) — RFC 9711, Section 4.1 */
+    Nonce = 10,
+    /** UEID (Universal Entity ID) — RFC 9711, Section 4.2.1 */
+    Ueid = 256,
+    /** SUEIDs (Semi-permanent UEIDs) — RFC 9711, Section 4.2.2 */
+    Sueids = 257,
+    /** OEM ID (Hardware OEM Identification) — RFC 9711, Section 4.2.3 */
+    Oemid = 258,
+    /** Hardware Model — RFC 9711, Section 4.2.4 */
+    Hwmodel = 259,
+    /** Hardware Version — RFC 9711, Section 4.2.5 */
+    Hwversion = 260,
+    /** Secure Boot — RFC 9711, Section 4.2.7 */
+    Secboot = 262,
+    /** Debug Status — RFC 9711, Section 4.2.8 */
+    Dbgstat = 263,
+    /** Location — RFC 9711, Section 4.2.9 */
+    Location = 264,
+    /** Profile — RFC 9711, Section 4.2.10 */
+    Profile = 265,
+    /** Submods (Submodules) — RFC 9711, Section 4.2.18 */
+    Submods = 266,
+    /** Measurement Results — RFC 9711, Section 4.2.15 */
+    Measres = 272,
+    /** Intended Use — RFC 9711, Section 4.2.14 */
+    Intuse = 268
+}
+/**
+ * Debug status values for the `dbgstat` claim.
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9711#section-4.2.8 | RFC 9711, Section 4.2.8}
+ */
+export declare enum EatDebugStatus {
+    /** Debug is enabled */
+    Enabled = 0,
+    /** Debug is disabled */
+    Disabled = 1,
+    /** Debug is disabled since manufacture */
+    DisabledSinceBoot = 2,
+    /** Debug is disabled permanently */
+    DisabledPermanently = 3,
+    /** Debug is disabled fully and permanently */
+    DisabledFullyAndPermanently = 4
+}
+/**
+ * Security level for the `seclevel` claim.
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9711#section-4.2.6 | RFC 9711, Section 4.2.6}
+ */
+export declare enum EatSecurityLevel {
+    /** Unrestricted — no security guarantees */
+    Unrestricted = 1,
+    /** Restricted — some restrictions on environment */
+    Restricted = 2,
+    /** Secure Restricted — hardware-enforced restrictions */
+    SecureRestricted = 3,
+    /** Hardware — hardware-isolated execution environment */
+    Hardware = 4
+}
+/**
+ * Parsed EAT claims, providing typed access to standard and attestation-specific claims.
+ *
+ * All fields are optional because EAT does not mandate any specific claims; the
+ * required set depends on the attestation profile.
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9711 | RFC 9711}
+ */
+export interface EatClaims {
+    /** Issuer — identifies the entity that issued the token. */
+    iss?: string;
+    /** Subject — identifies the entity that is the subject of the token. */
+    sub?: string;
+    /** Audience — identifies the intended recipient(s). */
+    aud?: string;
+    /** Expiration time (seconds since epoch). */
+    exp?: number;
+    /** Not Before (seconds since epoch). */
+    nbf?: number;
+    /** Issued At (seconds since epoch). */
+    iat?: number;
+    /** CWT ID — unique token identifier (byte string). */
+    cti?: Uint8Array;
+    /** Nonce — challenge value binding the token to a request. */
+    nonce?: Uint8Array | Uint8Array[];
+    /** Universal Entity ID. */
+    ueid?: Uint8Array;
+    /** Hardware model identifier. */
+    hwmodel?: Uint8Array;
+    /** Hardware version. */
+    hwversion?: unknown;
+    /** Debug status. */
+    dbgstat?: EatDebugStatus;
+    /** Measurement results — software component measurements. */
+    measres?: unknown;
+    /** Submodules — nested EAT tokens or claims from sub-components. */
+    submods?: Map<string, unknown>;
+    /**
+     * All raw claims as a Map for access to non-standard or profile-specific claims.
+     * Integer keys correspond to {@link EatClaimKey} values.
+     */
+    rawClaims: Map<number | string, unknown>;
+}
+/**
+ * Parameters for decoding an EAT token.
+ */
+export interface EatDecodeParams {
+    /** The CBOR-encoded EAT token (COSE_Sign1 envelope). */
+    token: Uint8Array;
+}
+/**
+ * Parameters for verifying and decoding an EAT token.
+ */
+export interface EatVerifyParams {
+    /** The CBOR-encoded EAT token (COSE_Sign1 envelope). */
+    token: Uint8Array;
+    /** The public key for signature verification, in JWK format. */
+    key: Jwk;
+    /** External additional authenticated data. Defaults to empty bytes. */
+    externalAad?: Uint8Array;
+}
+/**
+ * Result of decoding an EAT token.
+ */
+export interface EatDecodeResult {
+    /** The parsed protected header from the COSE_Sign1 envelope. */
+    protectedHeader: CoseSign1ProtectedHeader;
+    /** The parsed EAT claims from the payload. */
+    claims: EatClaims;
+}
+/**
+ * Entity Attestation Token (EAT) implementation per RFC 9711.
+ *
+ * EATs are CBOR-based attestation tokens carried in COSE_Sign1 envelopes.
+ * They are used by TEE platforms (ARM CCA, Intel TDX, AMD SEV-SNP, Nitro Enclaves)
+ * to provide hardware-rooted attestation evidence.
+ *
+ * This implementation focuses on decoding and verification of EAT tokens — the
+ * primary use case for a DWN node that needs to verify TEE attestation from
+ * compute modules.
+ *
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9711 | RFC 9711 — Entity Attestation Token (EAT)}
+ */
+export declare class Eat {
+    /**
+     * Decodes an EAT token without verifying its signature.
+     *
+     * Use this method only when signature verification is performed separately
+     * (e.g., by a TEE attestation service) or for debugging/inspection.
+     *
+     * @param params - The parameters for decoding.
+     * @returns The decoded protected header and claims.
+     * @throws {CryptoError} If the token is not valid COSE_Sign1 or the payload is not valid CBOR.
+     */
+    static decode({ token }: EatDecodeParams): EatDecodeResult;
+    /**
+     * Verifies the signature of an EAT token and decodes its claims.
+     *
+     * This is the primary method for processing EAT tokens from TEE attestation.
+     * It verifies the COSE_Sign1 signature using the provided public key, then
+     * parses the EAT claims from the payload.
+     *
+     * @param params - The parameters for verification and decoding.
+     * @returns The decoded protected header and claims if verification succeeds.
+     * @throws {CryptoError} If verification fails or the token is malformed.
+     */
+    static verifyAndDecode(params: EatVerifyParams): Promise<EatDecodeResult>;
+    /**
+     * Parses CBOR-encoded EAT claims into a typed {@link EatClaims} object.
+     *
+     * Handles both integer-keyed (CBOR standard) and string-keyed claims.
+     *
+     * @param payload - The CBOR-encoded claims byte string.
+     * @returns The parsed EAT claims.
+     * @throws {CryptoError} If the payload is not valid CBOR or not a map.
+     */
+    private static parseClaims;
+}
+//# sourceMappingURL=eat.d.ts.map

package/dist/types/cose/eat.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"eat.d.ts","sourceRoot":"","sources":["../../../src/cose/eat.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,iBAAiB,CAAC;AAChE,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAM1C;;;;;;;GAOG;AACH,oBAAY,WAAW;IACrB,8BAA8B;IAC9B,GAAG,IAAI;IACP,+BAA+B;IAC/B,GAAG,IAAI;IACP,gCAAgC;IAChC,GAAG,IAAI;IACP,uCAAuC;IACvC,GAAG,IAAI;IACP,kCAAkC;IAClC,GAAG,IAAI;IACP,iCAAiC;IACjC,GAAG,IAAI;IACP,8BAA8B;IAC9B,GAAG,IAAI;IACP,gDAAgD;IAChD,KAAK,KAAK;IACV,2DAA2D;IAC3D,IAAI,MAAM;IACV,8DAA8D;IAC9D,MAAM,MAAM;IACZ,qEAAqE;IACrE,KAAK,MAAM;IACX,+CAA+C;IAC/C,OAAO,MAAM;IACb,iDAAiD;IACjD,SAAS,MAAM;IACf,4CAA4C;IAC5C,OAAO,MAAM;IACb,6CAA6C;IAC7C,OAAO,MAAM;IACb,yCAAyC;IACzC,QAAQ,MAAM;IACd,yCAAyC;IACzC,OAAO,MAAM;IACb,sDAAsD;IACtD,OAAO,MAAM;IACb,qDAAqD;IACrD,OAAO,MAAM;IACb,8CAA8C;IAC9C,MAAM,MAAM;CACb;AAED;;;;GAIG;AACH,oBAAY,cAAc;IACxB,uBAAuB;IACvB,OAAO,IAAI;IACX,wBAAwB;IACxB,QAAQ,IAAI;IACZ,0CAA0C;IAC1C,iBAAiB,IAAI;IACrB,oCAAoC;IACpC,mBAAmB,IAAI;IACvB,8CAA8C;IAC9C,2BAA2B,IAAI;CAChC;AAED;;;;GAIG;AACH,oBAAY,gBAAgB;IAC1B,4CAA4C;IAC5C,YAAY,IAAI;IAChB,oDAAoD;IACpD,UAAU,IAAI;IACd,yDAAyD;IACzD,gBAAgB,IAAI;IACpB,yDAAyD;IACzD,QAAQ,IAAI;CACb;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,SAAS;IACxB,4DAA4D;IAC5D,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,wEAAwE;IACxE,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,uDAAuD;IACvD,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,6CAA6C;IAC7C,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,uCAAuC;IACvC,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,sDAAsD;IACtD,GAAG,CAAC,EAAE,UAAU,CAAC;IAEjB,8DAA8D;IAC9D,KAAK,CAAC,EAAE,UAAU,GAAG,UAAU,EAAE,CAAC;IAElC,2BAA2B;IAC3B,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB,iCAAiC;IACjC,OAAO,CAAC,EAAE,UAAU,CAAC;IAErB,wBAAwB;IACxB,SAAS,CAAC,EAAE,OAAO,CAAC;IAEpB,oBAAoB;IACpB,OAAO,CAAC,EAAE,cAAc,CAAC;IAEzB,6DAA6D;IAC7D,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB,oEAAoE;IACpE,OAAO,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE/B;;;OAGG;IACH,SAAS,EAAE,GAAG,CAAC,MAAM,GAAG,MAAM,EAAE,OAAO,CAAC,CAAC;CAC1C;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,wDAAwD;IACxD,KAAK,EAAE,UAAU,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,wDAAwD;IACxD,KAAK,EAAE,UAAU,CAAC;IAElB,gEAAgE;IAChE,GAAG,EAAE,GAAG,CAAC;IAET,uEAAuE;IACvE,WAAW,CAAC,EAAE,UAAU,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,gEAAgE;IAChE,eAAe,EAAE,wBAAwB,CAAC;IAE1C,8CAA8C;IAC9C,MAAM,EAAE,SAAS,CAAC;CACnB;AAED;;;;;;;;;;;;GAYG;AACH,qBAAa,GAAG;IACd;;;;;;;;;OASG;WACW,MAAM,CAAC,EAAE,KAAK,EAAE,EAAE,eAAe,GAAG,eAAe;IAoBjE;;;;;;;;;;OAUG;WACiB,eAAe,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;IAqBtF;;;;;;;;OAQG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;CAmG3B"}

package/dist/types/crypto-error.d.ts

@@ -19,6 +19,10 @@ export declare enum CryptoErrorCode {
     AlgorithmNotSupported = "algorithmNotSupported",
     /** The encoding operation (either encoding or decoding) failed. */
     EncodingError = "encodingError",
+    /** The COSE_Sign1 message does not conform to valid structure. */
+    InvalidCoseSign1 = "invalidCoseSign1",
+    /** The EAT (Entity Attestation Token) is malformed or failed verification. */
+    InvalidEat = "invalidEat",
     /** The JWE supplied does not conform to valid syntax. */
     InvalidJwe = "invalidJwe",
     /** The JWK supplied does not conform to valid syntax. */

package/dist/types/crypto-error.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto-error.d.ts","sourceRoot":"","sources":["../../src/crypto-error.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,qBAAa,WAAY,SAAQ,KAAK;IAOjB,IAAI,EAAE,eAAe;IANxC;;;;;OAKG;gBACgB,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM;CAc1D;AAED;;GAEG;AACH,oBAAY,eAAe;IACzB,gFAAgF;IAChF,qBAAqB,0BAA0B;IAE/C,mEAAmE;IACnE,aAAa,kBAAkB;IAE/B,yDAAyD;IACzD,UAAU,eAAe;IAEzB,yDAAyD;IACzD,UAAU,eAAe;IAEzB,sEAAsE;IACtE,qBAAqB,0BAA0B;CAChD"}
+{"version":3,"file":"crypto-error.d.ts","sourceRoot":"","sources":["../../src/crypto-error.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,qBAAa,WAAY,SAAQ,KAAK;IAOjB,IAAI,EAAE,eAAe;IANxC;;;;;OAKG;gBACgB,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM;CAc1D;AAED;;GAEG;AACH,oBAAY,eAAe;IACzB,gFAAgF;IAChF,qBAAqB,0BAA0B;IAE/C,mEAAmE;IACnE,aAAa,kBAAkB;IAE/B,kEAAkE;IAClE,gBAAgB,qBAAqB;IAErC,8EAA8E;IAC9E,UAAU,eAAe;IAEzB,yDAAyD;IACzD,UAAU,eAAe;IAEzB,yDAAyD;IACzD,UAAU,eAAe;IAEzB,sEAAsE;IACtE,qBAAqB,0BAA0B;CAChD"}

package/dist/types/index.d.ts

@@ -1,12 +1,20 @@
 export * from './crypto-error.js';
 export * from './local-key-manager.js';
 export * from './utils.js';
+export * from './cose/cbor.js';
+export * from './cose/cose-key.js';
+export * from './cose/cose-sign1.js';
+export * from './cose/eat.js';
 export * from './algorithms/aes-ctr.js';
 export * from './algorithms/aes-gcm.js';
+export * from './algorithms/aes-kw.js';
 export * from './algorithms/crypto-algorithm.js';
 export * from './algorithms/ecdsa.js';
 export * from './algorithms/eddsa.js';
+export * from './algorithms/hkdf.js';
+export * from './algorithms/pbkdf2.js';
 export * from './algorithms/sha-2.js';
+export * from './algorithms/x25519.js';
 export * from './jose/jwe.js';
 export * from './jose/jwk.js';
 export * from './jose/jws.js';
@@ -16,6 +24,7 @@ export * from './primitives/aes-ctr.js';
 export * from './primitives/aes-gcm.js';
 export * from './primitives/aes-kw.js';
 export * from './primitives/concat-kdf.js';
+export * from './primitives/ecies-secp256k1.js';
 export * from './primitives/ed25519.js';
 export * from './primitives/hkdf.js';
 export * from './primitives/secp256r1.js';

package/dist/types/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,wBAAwB,CAAC;AACvC,cAAc,YAAY,CAAC;AAE3B,cAAc,yBAAyB,CAAC;AACxC,cAAc,yBAAyB,CAAC;AACxC,cAAc,kCAAkC,CAAC;AACjD,cAAc,uBAAuB,CAAC;AACtC,cAAc,uBAAuB,CAAC;AACtC,cAAc,uBAAuB,CAAC;AAEtC,cAAc,eAAe,CAAC;AAC9B,cAAc,eAAe,CAAC;AAC9B,cAAc,eAAe,CAAC;AAC9B,cAAc,eAAe,CAAC;AAC9B,cAAc,iBAAiB,CAAC;AAEhC,cAAc,yBAAyB,CAAC;AACxC,cAAc,yBAAyB,CAAC;AACxC,cAAc,wBAAwB,CAAC;AACvC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,wBAAwB,CAAC;AACvC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,oCAAoC,CAAC;AAEnD,mBAAmB,mBAAmB,CAAC;AACvC,mBAAmB,uBAAuB,CAAC;AAC3C,mBAAmB,mBAAmB,CAAC;AACvC,mBAAmB,uBAAuB,CAAC;AAC3C,mBAAmB,2BAA2B,CAAC;AAC/C,mBAAmB,0BAA0B,CAAC;AAC9C,mBAAmB,wBAAwB,CAAC;AAC5C,mBAAmB,0BAA0B,CAAC;AAC9C,mBAAmB,mBAAmB,CAAC;AACvC,mBAAmB,wBAAwB,CAAC;AAC5C,mBAAmB,0BAA0B,CAAC;AAC9C,mBAAmB,4BAA4B,CAAC;AAChD,mBAAmB,uBAAuB,CAAC;AAC3C,mBAAmB,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,wBAAwB,CAAC;AACvC,cAAc,YAAY,CAAC;AAE3B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,oBAAoB,CAAC;AACnC,cAAc,sBAAsB,CAAC;AACrC,cAAc,eAAe,CAAC;AAE9B,cAAc,yBAAyB,CAAC;AACxC,cAAc,yBAAyB,CAAC;AACxC,cAAc,wBAAwB,CAAC;AACvC,cAAc,kCAAkC,CAAC;AACjD,cAAc,uBAAuB,CAAC;AACtC,cAAc,uBAAuB,CAAC;AACtC,cAAc,sBAAsB,CAAC;AACrC,cAAc,wBAAwB,CAAC;AACvC,cAAc,uBAAuB,CAAC;AACtC,cAAc,wBAAwB,CAAC;AAEvC,cAAc,eAAe,CAAC;AAC9B,cAAc,eAAe,CAAC;AAC9B,cAAc,eAAe,CAAC;AAC9B,cAAc,eAAe,CAAC;AAC9B,cAAc,iBAAiB,CAAC;AAEhC,cAAc,yBAAyB,CAAC;AACxC,cAAc,yBAAyB,CAAC;AACxC,cAAc,wBAAwB,CAAC;AACvC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,iCAAiC,CAAC;AAChD,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,wBAAwB,CAAC;AACvC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,oCAAoC,CAAC;AAEnD,mBAAmB,mBAAmB,CAAC;AACvC,mBAAmB,uBAAuB,CAAC;AAC3C,mBAAmB,mBAAmB,CAAC;AACvC,mBAAmB,uBAAuB,CAAC;AAC3C,mBAAmB,2BAA2B,CAAC;AAC/C,mBAAmB,0BAA0B,CAAC;AAC9C,mBAAmB,wBAAwB,CAAC;AAC5C,mBAAmB,0BAA0B,CAAC;AAC9C,mBAAmB,mBAAmB,CAAC;AACvC,mBAAmB,wBAAwB,CAAC;AAC5C,mBAAmB,0BAA0B,CAAC;AAC9C,mBAAmB,4BAA4B,CAAC;AAChD,mBAAmB,uBAAuB,CAAC;AAC3C,mBAAmB,mBAAmB,CAAC"}

package/dist/types/local-key-manager.d.ts

@@ -1,8 +1,8 @@
 import type { KeyValueStore } from '@enbox/common';
-import type { CryptoApi } from './types/crypto-api.js';
 import type { Jwk } from './jose/jwk.js';
 import type { KeyIdentifier } from './types/identifier.js';
 import type { KeyImporterExporter } from './types/key-io.js';
+import type { KeyManager } from './types/crypto-api.js';
 import type { KmsDigestParams, KmsExportKeyParams, KmsGenerateKeyParams, KmsGetKeyUriParams, KmsGetPublicKeyParams, KmsImportKeyParams, KmsSignParams, KmsVerifyParams } from './types/params-kms.js';
 /**
  * The `LocalKeyManagerParams` interface specifies the parameters for initializing an instance of
@@ -42,9 +42,9 @@ export interface LocalKeyManagerGenerateKeyParams extends KmsGenerateKeyParams {
      * - `"Ed25519"`
      * - `"secp256k1"`
      */
-    algorithm: 'Ed25519' | 'secp256k1' | 'secp256r1';
+    algorithm: 'Ed25519' | 'secp256k1' | 'secp256r1' | 'X25519';
 }
-export declare class LocalKeyManager implements CryptoApi, KeyImporterExporter<KmsImportKeyParams, KeyIdentifier, KmsExportKeyParams> {
+export declare class LocalKeyManager implements KeyManager, KeyImporterExporter<KmsImportKeyParams, KeyIdentifier, KmsExportKeyParams> {
     /**
      * A private map that stores instances of cryptographic algorithm implementations. Each key in
      * this map is an `AlgorithmConstructor`, and its corresponding value is an instance of a class
@@ -131,7 +131,7 @@ export declare class LocalKeyManager implements CryptoApi, KeyImporterExporter<K
      * @remarks
      * This method generates a {@link https://datatracker.ietf.org/doc/html/rfc3986 | URI}
      * (Uniform Resource Identifier) for the given JWK, which uniquely identifies the key across all
-     * `CryptoApi` implementations. The key URI is constructed by appending the
+     * `KeyManager` implementations. The key URI is constructed by appending the
      * {@link https://datatracker.ietf.org/doc/html/rfc7638 | JWK thumbprint} to the prefix
      * `urn:jwk:`. The JWK thumbprint is deterministically computed from the JWK and is consistent
      * regardless of property order or optional property inclusion in the JWK. This ensures that the

package/dist/types/local-key-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"local-key-manager.d.ts","sourceRoot":"","sources":["../../src/local-key-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAInD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAEvD,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAI7D,OAAO,KAAK,EACV,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,qBAAqB,EACrB,kBAAkB,EAClB,aAAa,EACb,eAAe,EAChB,MAAM,uBAAuB,CAAC;AA6C/B;;;;;;GAMG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,aAAa,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;CAC9C,CAAC;AAEF;;;GAGG;AACH,MAAM,WAAW,2BAA4B,SAAQ,eAAe;IAClE;;;OAGG;IACH,SAAS,EAAE,SAAS,CAAC;CACtB;AAED;;;;GAIG;AACH,MAAM,WAAW,gCAAiC,SAAQ,oBAAoB;IAC5E;;;;OAIG;IACH,SAAS,EAAE,SAAS,GAAG,WAAW,GAAG,WAAW,CAAC;CAClD;AAED,qBAAa,eAAgB,YACzB,SAAS,EACT,mBAAmB,CAAC,kBAAkB,EAAE,aAAa,EAAE,kBAAkB,CAAC;IAE5E;;;;;OAKG;IACH,OAAO,CAAC,mBAAmB,CAA8E;IAEzG;;;;;;;OAOG;IACH,OAAO,CAAC,SAAS,CAAoC;gBAEzC,MAAM,CAAC,EAAE,qBAAqB;IAI1C;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACU,MAAM,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,EACrC,2BAA2B,GAC1B,OAAO,CAAC,UAAU,CAAC;IAUtB;;;;;;;;;;;;;;;;;;OAkBG;IACU,SAAS,CAAC,EAAE,MAAM,EAAE,EAC/B,kBAAkB,GACjB,OAAO,CAAC,GAAG,CAAC;IAOf;;;;;;;;;;;;;;;OAeG;IACU,WAAW,CAAC,EAAE,SAAS,EAAE,EACpC,gCAAgC,GAC/B,OAAO,CAAC,aAAa,CAAC;IAoBzB;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACU,SAAS,CAAC,EAAE,GAAG,EAAE,EAC5B,kBAAkB,GACjB,OAAO,CAAC,aAAa,CAAC;IAUzB;;;;;;;;;;;;;;;OAeG;IACU,YAAY,CAAC,EAAE,MAAM,EAAE,EAClC,qBAAqB,GACpB,OAAO,CAAC,GAAG,CAAC;IAgBf;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACU,SAAS,CAAC,EAAE,GAAG,EAAE,EAC5B,kBAAkB,GACjB,OAAO,CAAC,aAAa,CAAC;IAkBzB;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACU,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,EAChC,aAAa,GACZ,OAAO,CAAC,UAAU,CAAC;IAgBtB;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACU,MAAM,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,EAC1C,eAAe,GACd,OAAO,CAAC,OAAO,CAAC;IAanB;;;;;;;;;;;;;;;;;;;OAmBG;IACH,OAAO,CAAC,YAAY;IAmBpB;;;;;;;;;;;;;;;;;;;OAmBG;IACH,OAAO,CAAC,gBAAgB;IAkBxB;;;;;;;;;;;;;;OAcG;YACW,aAAa;CAY5B"}
+{"version":3,"file":"local-key-manager.d.ts","sourceRoot":"","sources":["../../src/local-key-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAKnD,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAC7D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAIxD,OAAO,KAAK,EACV,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,qBAAqB,EACrB,kBAAkB,EAClB,aAAa,EACb,eAAe,EAChB,MAAM,uBAAuB,CAAC;AAkD/B;;;;;;GAMG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,aAAa,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;CAC9C,CAAC;AAEF;;;GAGG;AACH,MAAM,WAAW,2BAA4B,SAAQ,eAAe;IAClE;;;OAGG;IACH,SAAS,EAAE,SAAS,CAAC;CACtB;AAED;;;;GAIG;AACH,MAAM,WAAW,gCAAiC,SAAQ,oBAAoB;IAC5E;;;;OAIG;IACH,SAAS,EAAE,SAAS,GAAG,WAAW,GAAG,WAAW,GAAG,QAAQ,CAAC;CAC7D;AAED,qBAAa,eAAgB,YACzB,UAAU,EACV,mBAAmB,CAAC,kBAAkB,EAAE,aAAa,EAAE,kBAAkB,CAAC;IAE5E;;;;;OAKG;IACH,OAAO,CAAC,mBAAmB,CAA8E;IAEzG;;;;;;;OAOG;IACH,OAAO,CAAC,SAAS,CAAoC;gBAEzC,MAAM,CAAC,EAAE,qBAAqB;IAI1C;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACU,MAAM,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,EACrC,2BAA2B,GAC1B,OAAO,CAAC,UAAU,CAAC;IAUtB;;;;;;;;;;;;;;;;;;OAkBG;IACU,SAAS,CAAC,EAAE,MAAM,EAAE,EAC/B,kBAAkB,GACjB,OAAO,CAAC,GAAG,CAAC;IAOf;;;;;;;;;;;;;;;OAeG;IACU,WAAW,CAAC,EAAE,SAAS,EAAE,EACpC,gCAAgC,GAC/B,OAAO,CAAC,aAAa,CAAC;IAoBzB;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACU,SAAS,CAAC,EAAE,GAAG,EAAE,EAC5B,kBAAkB,GACjB,OAAO,CAAC,aAAa,CAAC;IAUzB;;;;;;;;;;;;;;;OAeG;IACU,YAAY,CAAC,EAAE,MAAM,EAAE,EAClC,qBAAqB,GACpB,OAAO,CAAC,GAAG,CAAC;IAgBf;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACU,SAAS,CAAC,EAAE,GAAG,EAAE,EAC5B,kBAAkB,GACjB,OAAO,CAAC,aAAa,CAAC;IAkBzB;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACU,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,EAChC,aAAa,GACZ,OAAO,CAAC,UAAU,CAAC;IAgBtB;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACU,MAAM,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,EAC1C,eAAe,GACd,OAAO,CAAC,OAAO,CAAC;IAanB;;;;;;;;;;;;;;;;;;;OAmBG;IACH,OAAO,CAAC,YAAY;IAmBpB;;;;;;;;;;;;;;;;;;;OAmBG;IACH,OAAO,CAAC,gBAAgB;IAkBxB;;;;;;;;;;;;;;OAcG;YACW,aAAa;CAY5B"}

package/dist/types/primitives/ecies-secp256k1.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Output of an ECIES-SECP256K1 encryption operation.
+ */
+export type EciesSecp256k1EncryptionOutput = {
+    /** The AES-GCM initialization vector. */
+    initializationVector: Uint8Array;
+    /** The ephemeral secp256k1 public key (compressed, 33 bytes). */
+    ephemeralPublicKey: Uint8Array;
+    /** The encrypted data. */
+    ciphertext: Uint8Array;
+    /** The AES-GCM authentication tag (16 bytes). */
+    messageAuthenticationCode: Uint8Array;
+};
+/**
+ * Input required for ECIES-SECP256K1 decryption.
+ */
+export type EciesSecp256k1EncryptionInput = EciesSecp256k1EncryptionOutput & {
+    /** The recipient's secp256k1 private key (raw 32 bytes). */
+    privateKey: Uint8Array;
+};
+/**
+ * Browser-compatible ECIES (Elliptic Curve Integrated Encryption Scheme) using secp256k1.
+ *
+ * Wire-format compatible with `eciesjs` v0.4.x configured with
+ * `isEphemeralKeyCompressed: true, isHkdfKeyCompressed: false` (the default).
+ *
+ * Protocol:
+ *   1. Generate an ephemeral secp256k1 key pair.
+ *   2. ECDH shared secret (uncompressed point).
+ *   3. HKDF-SHA-256 key derivation: `hkdf(sha256, ephemeralPubUncompressed || sharedPointUncompressed)`.
+ *   4. AES-256-GCM encryption with random 16-byte nonce.
+ *
+ * All underlying primitives (`@noble/ciphers`, `@noble/curves`, `@noble/hashes`)
+ * are pure JavaScript and work in Node, Bun, and browsers.
+ */
+export declare class EciesSecp256k1 {
+    /**
+     * Encrypt plaintext for a given secp256k1 public key.
+     * @param publicKeyBytes - Recipient's public key (compressed 33 bytes or uncompressed 65 bytes).
+     * @param plaintext - The data to encrypt.
+     */
+    static encrypt(publicKeyBytes: Uint8Array, plaintext: Uint8Array): EciesSecp256k1EncryptionOutput;
+    /**
+     * Decrypt ciphertext produced by {@link EciesSecp256k1.encrypt}.
+     * @param input - The encryption output plus the recipient's private key.
+     */
+    static decrypt(input: EciesSecp256k1EncryptionInput): Uint8Array;
+    /**
+     * Whether the ephemeral public key is compressed (always true for this implementation).
+     */
+    static get isEphemeralKeyCompressed(): boolean;
+}
+//# sourceMappingURL=ecies-secp256k1.d.ts.map

package/dist/types/primitives/ecies-secp256k1.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecies-secp256k1.d.ts","sourceRoot":"","sources":["../../../src/primitives/ecies-secp256k1.ts"],"names":[],"mappings":"AAiBA;;GAEG;AACH,MAAM,MAAM,8BAA8B,GAAG;IAC3C,yCAAyC;IACzC,oBAAoB,EAAE,UAAU,CAAC;IACjC,iEAAiE;IACjE,kBAAkB,EAAE,UAAU,CAAC;IAC/B,0BAA0B;IAC1B,UAAU,EAAE,UAAU,CAAC;IACvB,iDAAiD;IACjD,yBAAyB,EAAE,UAAU,CAAC;CACvC,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,6BAA6B,GAAG,8BAA8B,GAAG;IAC3E,4DAA4D;IAC5D,UAAU,EAAE,UAAU,CAAC;CACxB,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,qBAAa,cAAc;IACzB;;;;OAIG;WACW,OAAO,CAAC,cAAc,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,GAAG,8BAA8B;IAyBxG;;;OAGG;WACW,OAAO,CAAC,KAAK,EAAE,6BAA6B,GAAG,UAAU;IAiBvE;;OAEG;IACH,WAAkB,wBAAwB,IAAI,OAAO,CAEpD;CACF"}

package/dist/types/primitives/x25519.d.ts

@@ -238,32 +238,25 @@ export declare class X25519 {
         publicKey: Jwk;
     }): Promise<Uint8Array>;
     /**
-     * Computes an RFC6090-compliant Elliptic Curve Diffie-Hellman (ECDH) shared secret
-     * using secp256k1 private and public keys in JSON Web Key (JWK) format.
+     * Computes an X25519 Elliptic Curve Diffie-Hellman (ECDH) shared secret
+     * using X25519 private and public keys in JSON Web Key (JWK) format.
      *
      * @remarks
      * This method facilitates the ECDH key agreement protocol, which is a method of securely
      * deriving a shared secret between two parties based on their private and public keys.
      * It takes the private key of one party (privateKeyA) and the public key of another
-     * party (publicKeyB) to compute a shared secret. The shared secret is derived from the
-     * x-coordinate of the elliptic curve point resulting from the multiplication of the
-     * public key with the private key.
-     *
-     * Note: When performing Elliptic Curve Diffie-Hellman (ECDH) key agreement,
-     * the resulting shared secret is a point on the elliptic curve, which
-     * consists of an x-coordinate and a y-coordinate. With a 256-bit curve like
-     * secp256k1, each of these coordinates is 32 bytes (256 bits) long. However,
-     * in the ECDH process, it's standard practice to use only the x-coordinate
-     * of the shared secret point as the resulting shared key. This is because
-     * the y-coordinate does not add to the entropy of the key, and both parties
-     * can independently compute the x-coordinate.  Consquently, this implementation
-     * omits the y-coordinate for simplicity and standard compliance.
+     * party (publicKeyB) to compute a shared secret. The shared secret is the raw output
+     * of the X25519 function as defined in RFC 7748.
+     *
+     * Note: Unlike Weierstrass curves (e.g., secp256k1), X25519 is a Montgomery curve
+     * where the ECDH output is a single 32-byte scalar value, not an (x, y) point.
+     * The result is used directly as the shared secret.
      *
      * @example
      * ```ts
      * const privateKeyA = { ... }; // A Jwk object for party A
      * const publicKeyB = { ... }; // A PublicKeyJwk object for party B
-     * const sharedSecret = await Secp256k1.sharedSecret({
+     * const sharedSecret = await X25519.sharedSecret({
      *   privateKeyA,
      *   publicKeyB
      * });

package/dist/types/primitives/x25519.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"x25519.d.ts","sourceRoot":"","sources":["../../../src/primitives/x25519.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,KAAK,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAI5F;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,qBAAa,MAAM;IACjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;WACiB,iBAAiB,CAAC,EAAE,eAAe,EAAE,EAAE;QACzD,eAAe,EAAE,UAAU,CAAC;KAC7B,GAAG,OAAO,CAAC,GAAG,CAAC;IAkBhB;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;WACiB,gBAAgB,CAAC,EAAE,cAAc,EAAE,EAAE;QACvD,cAAc,EAAE,UAAU,CAAC;KAC5B,GAAG,OAAO,CAAC,GAAG,CAAC;IAchB;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;WACiB,gBAAgB,CAAC,EAAE,GAAG,EAAE,EAC1C,sBAAsB,GACrB,OAAO,CAAC,GAAG,CAAC;IAoBf;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;WACiB,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC;IAa/C;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;WACiB,YAAY,CAAC,EAAE,GAAG,EAAE,EACtC,kBAAkB,GACjB,OAAO,CAAC,GAAG,CAAC;IAef;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;WACiB,iBAAiB,CAAC,EAAE,UAAU,EAAE,EAAE;QACpD,UAAU,EAAE,GAAG,CAAC;KACjB,GAAG,OAAO,CAAC,UAAU,CAAC;IAYvB;;;;;;;;;;;;;;;;;;;;;;OAsBG;WACiB,gBAAgB,CAAC,EAAE,SAAS,EAAE,EAAE;QAClD,SAAS,EAAE,GAAG,CAAC;KAChB,GAAG,OAAO,CAAC,UAAU,CAAC;IAYvB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAqCG;WACiB,YAAY,CAAC,EAAE,WAAW,EAAE,UAAU,EAAE,EAAE;QAC5D,WAAW,EAAE,GAAG,CAAC;QACjB,UAAU,EAAE,GAAG,CAAC;KACjB,GAAG,OAAO,CAAC,UAAU,CAAC;CAexB"}
+{"version":3,"file":"x25519.d.ts","sourceRoot":"","sources":["../../../src/primitives/x25519.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,KAAK,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAI5F;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,qBAAa,MAAM;IACjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;WACiB,iBAAiB,CAAC,EAAE,eAAe,EAAE,EAAE;QACzD,eAAe,EAAE,UAAU,CAAC;KAC7B,GAAG,OAAO,CAAC,GAAG,CAAC;IAkBhB;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;WACiB,gBAAgB,CAAC,EAAE,cAAc,EAAE,EAAE;QACvD,cAAc,EAAE,UAAU,CAAC;KAC5B,GAAG,OAAO,CAAC,GAAG,CAAC;IAchB;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;WACiB,gBAAgB,CAAC,EAAE,GAAG,EAAE,EAC1C,sBAAsB,GACrB,OAAO,CAAC,GAAG,CAAC;IAoBf;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;WACiB,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC;IAa/C;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;WACiB,YAAY,CAAC,EAAE,GAAG,EAAE,EACtC,kBAAkB,GACjB,OAAO,CAAC,GAAG,CAAC;IAef;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;WACiB,iBAAiB,CAAC,EAAE,UAAU,EAAE,EAAE;QACpD,UAAU,EAAE,GAAG,CAAC;KACjB,GAAG,OAAO,CAAC,UAAU,CAAC;IAYvB;;;;;;;;;;;;;;;;;;;;;;OAsBG;WACiB,gBAAgB,CAAC,EAAE,SAAS,EAAE,EAAE;QAClD,SAAS,EAAE,GAAG,CAAC;KAChB,GAAG,OAAO,CAAC,UAAU,CAAC;IAYvB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;WACiB,YAAY,CAAC,EAAE,WAAW,EAAE,UAAU,EAAE,EAAE;QAC5D,WAAW,EAAE,GAAG,CAAC;QACjB,UAAU,EAAE,GAAG,CAAC;KACjB,GAAG,OAAO,CAAC,UAAU,CAAC;CAexB"}

package/dist/types/types/crypto-api.d.ts

@@ -1,10 +1,16 @@
+import type { AsymmetricKeyConverter } from './key-converter.js';
 import type { AsymmetricKeyGenerator } from './key-generator.js';
+import type { Cipher } from './cipher.js';
 import type { Hasher } from './hasher.js';
+import type { Jwk } from '../jose/jwk.js';
 import type { KeyIdentifier } from './identifier.js';
+import type { KeyWrapper } from './key-wrapper.js';
 import type { Signer } from './signer.js';
-import type { KmsDigestParams, KmsGenerateKeyParams, KmsGetKeyUriParams, KmsGetPublicKeyParams, KmsSignParams, KmsVerifyParams } from './params-kms.js';
+import type { BytesToPrivateKeyParams, BytesToPublicKeyParams, CipherParams, DeriveKeyBytesParams, DeriveKeyFromBytesParams, DigestParams, GenerateKeyParams, GetPublicKeyParams, PrivateKeyToBytesParams, PublicKeyToBytesParams, SignParams, UnwrapKeyParams, VerifyParams, WrapKeyParams } from './params-direct.js';
+import type { KeyBytesDeriver, SimpleKeyDeriver } from './key-deriver.js';
+import type { KmsCipherParams, KmsDigestParams, KmsGenerateKeyParams, KmsGetKeyUriParams, KmsGetPublicKeyParams, KmsSignParams, KmsVerifyParams } from './params-kms.js';
 /**
- * The `CryptoApi` interface integrates key generation, hashing, and signing functionalities,
+ * The `DsaApi` interface integrates key generation, hashing, and signing functionalities,
  * designed for use with a Key Management System (KMS). It extends `AsymmetricKeyGenerator` for
  * generating asymmetric keys, `Hasher` for hash digest computations, and `Signer` for signing and
  * verifying operations.
@@ -24,12 +30,54 @@ import type { KmsDigestParams, KmsGenerateKeyParams, KmsGetKeyUriParams, KmsGetP
  *   identifier (e.g. JWK thumbprint, UUID generated by hosted KMS, etc.).
  * - Must support key generation, hashing, signing, and verifying operations.
  * - May be extended to support other cryptographic operations.
- * - Implementations of the `CryptoApi` interface can be passed as an argument to the public API
+ * - Implementations of the `DsaApi` interface can be passed as an argument to the public API
  *   methods of Web5 libraries that involve key material (e.g., DID creation, VC signing, arbitrary
  *   data signing/verification, etc.).
  */
-export interface CryptoApi<GenerateKeyInput = KmsGenerateKeyParams, GenerateKeyOutput = KeyIdentifier, GetPublicKeyInput = KmsGetPublicKeyParams, DigestInput = KmsDigestParams, SignInput = KmsSignParams, VerifyInput = KmsVerifyParams> extends AsymmetricKeyGenerator<GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput>, Hasher<DigestInput>, Signer<SignInput, VerifyInput> {
+export interface DsaApi<GenerateKeyInput = KmsGenerateKeyParams, GenerateKeyOutput = KeyIdentifier, GetPublicKeyInput = KmsGetPublicKeyParams, DigestInput = KmsDigestParams, SignInput = KmsSignParams, VerifyInput = KmsVerifyParams> extends AsymmetricKeyGenerator<GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput>, Hasher<DigestInput>, Signer<SignInput, VerifyInput> {
+}
+/**
+ * The `CryptoApi` interface extends {@link DsaApi} with encryption, key conversion,
+ * key derivation, and key wrapping capabilities.
+ *
+ * This is the full-featured cryptographic API used by agent-level code that needs direct-key
+ * cipher, key conversion, and key derivation operations beyond what the base `DsaApi` provides.
+ */
+export interface CryptoApi<GenerateKeyInput = GenerateKeyParams, GenerateKeyOutput = Jwk, GetPublicKeyInput = GetPublicKeyParams, DigestInput = DigestParams, SignInput = SignParams, VerifyInput = VerifyParams, EncryptInput = CipherParams, DecryptInput = CipherParams, BytesToPublicKeyInput = BytesToPublicKeyParams, PublicKeyToBytesInput = PublicKeyToBytesParams, BytesToPrivateKeyInput = BytesToPrivateKeyParams, PrivateKeyToBytesInput = PrivateKeyToBytesParams, DeriveKeyInput = DeriveKeyFromBytesParams, DeriveKeyOutput = Jwk, DeriveKeyBytesInput = DeriveKeyBytesParams, DeriveKeyBytesOutput = Uint8Array, WrapKeyInput = WrapKeyParams, UnwrapKeyInput = UnwrapKeyParams> extends DsaApi<GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput, DigestInput, SignInput, VerifyInput>, Cipher<EncryptInput, DecryptInput>, AsymmetricKeyConverter<BytesToPublicKeyInput, PublicKeyToBytesInput, BytesToPrivateKeyInput, PrivateKeyToBytesInput>, SimpleKeyDeriver<DeriveKeyInput, DeriveKeyOutput>, KeyBytesDeriver<DeriveKeyBytesInput, DeriveKeyBytesOutput>, KeyWrapper<WrapKeyInput, UnwrapKeyInput> {
+}
+/** @deprecated Use {@link CryptoApi} instead. */
+export type ExtendedCryptoApi<GenerateKeyInput = GenerateKeyParams, GenerateKeyOutput = Jwk, GetPublicKeyInput = GetPublicKeyParams, DigestInput = DigestParams, SignInput = SignParams, VerifyInput = VerifyParams, EncryptInput = CipherParams, DecryptInput = CipherParams, BytesToPublicKeyInput = BytesToPublicKeyParams, PublicKeyToBytesInput = PublicKeyToBytesParams, BytesToPrivateKeyInput = BytesToPrivateKeyParams, PrivateKeyToBytesInput = PrivateKeyToBytesParams, DeriveKeyInput = DeriveKeyFromBytesParams, DeriveKeyOutput = Jwk, DeriveKeyBytesInput = DeriveKeyBytesParams, DeriveKeyBytesOutput = Uint8Array, WrapKeyInput = WrapKeyParams, UnwrapKeyInput = UnwrapKeyParams> = CryptoApi<GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput, DigestInput, SignInput, VerifyInput, EncryptInput, DecryptInput, BytesToPublicKeyInput, PublicKeyToBytesInput, BytesToPrivateKeyInput, PrivateKeyToBytesInput, DeriveKeyInput, DeriveKeyOutput, DeriveKeyBytesInput, DeriveKeyBytesOutput, WrapKeyInput, UnwrapKeyInput>;
+/**
+ * Parameters for configuring a {@link KeyManager} implementation.
+ */
+export interface KeyManagerParams {
+    CipherInput?: unknown;
+    GenerateKeyInput?: unknown;
+    GenerateKeyOutput?: unknown;
+    GetPublicKeyInput?: unknown;
+    SignInput?: unknown;
+    VerifyInput?: unknown;
+}
+/**
+ * Default parameter types for {@link KeyManager}, using KMS-oriented types.
+ */
+export interface DefaultKeyManagerParams {
+    CipherInput: KmsCipherParams;
+    GenerateKeyInput: KmsGenerateKeyParams;
+    GenerateKeyOutput: KeyIdentifier;
+    GetPublicKeyInput: KmsGetPublicKeyParams;
+    SignInput: KmsSignParams;
+    VerifyInput: KmsVerifyParams;
+}
+/**
+ * The `KeyManager` interface integrates key generation and signing capabilities.
+ *
+ * Concrete implementations of this interface are intended to be used as a Key Management System
+ * (KMS), which is responsible for generating and storing cryptographic keys.
+ */
+export interface KeyManager<T extends KeyManagerParams = DefaultKeyManagerParams> extends DsaApi<T['GenerateKeyInput'], T['GenerateKeyOutput'], T['GetPublicKeyInput'], KmsDigestParams, T['SignInput'], T['VerifyInput']> {
     /**
+     * Returns the Key URI for a given JWK.
      *
      * @param params - The parameters for getting the key URI.
      * @param params.key - The key to get the URI for.

package/dist/types/types/crypto-api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto-api.d.ts","sourceRoot":"","sources":["../../../src/types/crypto-api.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AACjE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,KAAK,EACV,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAClB,qBAAqB,EACrB,aAAa,EACb,eAAe,EAChB,MAAM,iBAAiB,CAAC;AAEzB;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,WAAW,SAAS,CACxB,gBAAgB,GAAG,oBAAoB,EACvC,iBAAiB,GAAG,aAAa,EACjC,iBAAiB,GAAG,qBAAqB,EACzC,WAAW,GAAG,eAAe,EAC7B,SAAS,GAAG,aAAa,EACzB,WAAW,GAAG,eAAe,CAC7B,SAAQ,sBAAsB,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,CAAC,EAC9E,MAAM,CAAC,WAAW,CAAC,EACnB,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC;IACtC;;;;;OAKG;IACH,SAAS,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;CAC/D"}
+{"version":3,"file":"crypto-api.d.ts","sourceRoot":"","sources":["../../../src/types/crypto-api.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AACjE,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AACjE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,KAAK,EACV,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACZ,oBAAoB,EACpB,wBAAwB,EACxB,YAAY,EACZ,iBAAiB,EACjB,kBAAkB,EAClB,uBAAuB,EACvB,sBAAsB,EACtB,UAAU,EACV,eAAe,EACf,YAAY,EACZ,aAAa,EACd,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC1E,OAAO,KAAK,EACV,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,kBAAkB,EAClB,qBAAqB,EACrB,aAAa,EACb,eAAe,EAChB,MAAM,iBAAiB,CAAC;AAEzB;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,WAAW,MAAM,CACrB,gBAAgB,GAAG,oBAAoB,EACvC,iBAAiB,GAAG,aAAa,EACjC,iBAAiB,GAAG,qBAAqB,EACzC,WAAW,GAAG,eAAe,EAC7B,SAAS,GAAG,aAAa,EACzB,WAAW,GAAG,eAAe,CAC5B,SAAQ,sBAAsB,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,CAAC,EAC/E,MAAM,CAAC,WAAW,CAAC,EACnB,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC;CAAG;AAE3C;;;;;;GAMG;AACH,MAAM,WAAW,SAAS,CACxB,gBAAgB,GAAG,iBAAiB,EACpC,iBAAiB,GAAG,GAAG,EACvB,iBAAiB,GAAG,kBAAkB,EACtC,WAAW,GAAG,YAAY,EAC1B,SAAS,GAAG,UAAU,EACtB,WAAW,GAAG,YAAY,EAC1B,YAAY,GAAG,YAAY,EAC3B,YAAY,GAAG,YAAY,EAC3B,qBAAqB,GAAG,sBAAsB,EAC9C,qBAAqB,GAAG,sBAAsB,EAC9C,sBAAsB,GAAG,uBAAuB,EAChD,sBAAsB,GAAG,uBAAuB,EAChD,cAAc,GAAG,wBAAwB,EACzC,eAAe,GAAG,GAAG,EACrB,mBAAmB,GAAG,oBAAoB,EAC1C,oBAAoB,GAAG,UAAU,EACjC,YAAY,GAAG,aAAa,EAC5B,cAAc,GAAG,eAAe,CAChC,SACA,MAAM,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,CAAC,EACnG,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,EAClC,sBAAsB,CAAC,qBAAqB,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,sBAAsB,CAAC,EACpH,gBAAgB,CAAC,cAAc,EAAE,eAAe,CAAC,EACjD,eAAe,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,EAC1D,UAAU,CAAC,YAAY,EAAE,cAAc,CAAC;CAAG;AAE7C,iDAAiD;AACjD,MAAM,MAAM,iBAAiB,CAC3B,gBAAgB,GAAG,iBAAiB,EACpC,iBAAiB,GAAG,GAAG,EACvB,iBAAiB,GAAG,kBAAkB,EACtC,WAAW,GAAG,YAAY,EAC1B,SAAS,GAAG,UAAU,EACtB,WAAW,GAAG,YAAY,EAC1B,YAAY,GAAG,YAAY,EAC3B,YAAY,GAAG,YAAY,EAC3B,qBAAqB,GAAG,sBAAsB,EAC9C,qBAAqB,GAAG,sBAAsB,EAC9C,sBAAsB,GAAG,uBAAuB,EAChD,sBAAsB,GAAG,uBAAuB,EAChD,cAAc,GAAG,wBAAwB,EACzC,eAAe,GAAG,GAAG,EACrB,mBAAmB,GAAG,oBAAoB,EAC1C,oBAAoB,GAAG,UAAU,EACjC,YAAY,GAAG,aAAa,EAC5B,cAAc,GAAG,eAAe,IAC9B,SAAS,CACX,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,EAC3F,YAAY,EAAE,YAAY,EAAE,qBAAqB,EAAE,qBAAqB,EACxE,sBAAsB,EAAE,sBAAsB,EAAE,cAAc,EAAE,eAAe,EAC/E,mBAAmB,EAAE,oBAAoB,EAAE,YAAY,EAAE,cAAc,CACxE,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,eAAe,CAAC;IAC7B,gBAAgB,EAAE,oBAAoB,CAAC;IACvC,iBAAiB,EAAE,aAAa,CAAC;IACjC,iBAAiB,EAAE,qBAAqB,CAAC;IACzC,SAAS,EAAE,aAAa,CAAC;IACzB,WAAW,EAAE,eAAe,CAAC;CAC9B;AAED;;;;;GAKG;AACH,MAAM,WAAW,UAAU,CAAC,CAAC,SAAS,gBAAgB,GAAG,uBAAuB,CAC9E,SAAQ,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC,EAAE,CAAC,CAAC,mBAAmB,CAAC,EAAE,CAAC,CAAC,mBAAmB,CAAC,EAAE,eAAe,EAAE,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,aAAa,CAAC,CAAC;IAExI;;;;;;OAMG;IACH,SAAS,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;CAC/D"}

package/dist/types/types/key-converter.d.ts

@@ -1,8 +1,17 @@
 import type { Jwk } from '../jose/jwk.js';
 /**
  * `KeyConverter` interface for converting private keys between byte array and JWK formats.
+ *
+ * @typeParam BytesToPrivateKeyInput - The input type for `bytesToPrivateKey`. Defaults to
+ *   `{ privateKeyBytes: Uint8Array }`.
+ * @typeParam PrivateKeyToBytesInput - The input type for `privateKeyToBytes`. Defaults to
+ *   `{ privateKey: Jwk }`.
  */
-export interface KeyConverter {
+export interface KeyConverter<BytesToPrivateKeyInput = {
+    privateKeyBytes: Uint8Array;
+}, PrivateKeyToBytesInput = {
+    privateKey: Jwk;
+}> {
     /**
      * Converts a private key from a byte array to JWK format.
      *
@@ -11,9 +20,7 @@ export interface KeyConverter {
      *
      * @returns A Promise that resolves to the private key in JWK format.
      */
-    bytesToPrivateKey(params: {
-        privateKeyBytes: Uint8Array;
-    }): Promise<Jwk>;
+    bytesToPrivateKey(params: BytesToPrivateKeyInput): Promise<Jwk>;
     /**
      * Converts a private key from JWK format to a byte array.
      *
@@ -22,15 +29,34 @@ export interface KeyConverter {
      *
      * @returns A Promise that resolves to the private key as a Uint8Array.
      */
-    privateKeyToBytes(params: {
-        privateKey: Jwk;
-    }): Promise<Uint8Array>;
+    privateKeyToBytes(params: PrivateKeyToBytesInput): Promise<Uint8Array>;
 }
 /**
- * `AsymmetricKeyConverter` interface extends {@link KeyConverter |`KeyConverter`}, adding support
+ * `AsymmetricKeyConverter` interface extends {@link KeyConverter | `KeyConverter`}, adding support
  * for public key conversions.
+ *
+ * When used with default type parameters, this interface includes all four conversion methods
+ * (bytes-to/from private key AND bytes-to/from public key). When used with explicit type
+ * parameters, both the private and public key conversion types can be customized.
+ *
+ * @typeParam BytesToPublicKeyInput - The input type for `bytesToPublicKey`. Defaults to
+ *   `{ publicKeyBytes: Uint8Array }`.
+ * @typeParam PublicKeyToBytesInput - The input type for `publicKeyToBytes`. Defaults to
+ *   `{ publicKey: Jwk }`.
+ * @typeParam BytesToPrivateKeyInput - The input type for `bytesToPrivateKey`. Defaults to
+ *   `{ privateKeyBytes: Uint8Array }`.
+ * @typeParam PrivateKeyToBytesInput - The input type for `privateKeyToBytes`. Defaults to
+ *   `{ privateKey: Jwk }`.
  */
-export interface AsymmetricKeyConverter extends KeyConverter {
+export interface AsymmetricKeyConverter<BytesToPublicKeyInput = {
+    publicKeyBytes: Uint8Array;
+}, PublicKeyToBytesInput = {
+    publicKey: Jwk;
+}, BytesToPrivateKeyInput = {
+    privateKeyBytes: Uint8Array;
+}, PrivateKeyToBytesInput = {
+    privateKey: Jwk;
+}> extends KeyConverter<BytesToPrivateKeyInput, PrivateKeyToBytesInput> {
     /**
      * Converts a public key from a byte array to JWK format.
      *
@@ -39,9 +65,7 @@ export interface AsymmetricKeyConverter extends KeyConverter {
      *
      * @returns A Promise that resolves to the public key in JWK format.
      */
-    bytesToPublicKey(params: {
-        publicKeyBytes: Uint8Array;
-    }): Promise<Jwk>;
+    bytesToPublicKey(params: BytesToPublicKeyInput): Promise<Jwk>;
     /**
      * Converts a public key from JWK format to a byte array.
      *
@@ -50,8 +74,6 @@ export interface AsymmetricKeyConverter extends KeyConverter {
      *
      * @returns A Promise that resolves to the public key as a Uint8Array.
      */
-    publicKeyToBytes(params: {
-        publicKey: Jwk;
-    }): Promise<Uint8Array>;
+    publicKeyToBytes(params: PublicKeyToBytesInput): Promise<Uint8Array>;
 }
 //# sourceMappingURL=key-converter.d.ts.map

package/dist/types/types/key-converter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"key-converter.d.ts","sourceRoot":"","sources":["../../../src/types/key-converter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAE1C;;GAEG;AACH,MAAM,WAAW,YAAY;IAE3B;;;;;;;OAOG;IACH,iBAAiB,CAAC,MAAM,EAAE;QAAE,eAAe,EAAE,UAAU,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAEzE;;;;;;;OAOG;IACH,iBAAiB,CAAC,MAAM,EAAE;QAAE,UAAU,EAAE,GAAG,CAAA;KAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CACrE;AAED;;;GAGG;AACH,MAAM,WAAW,sBAAuB,SAAQ,YAAY;IAC1D;;;;;;;OAOG;IACH,gBAAgB,CAAC,MAAM,EAAE;QAAE,cAAc,EAAE,UAAU,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAEvE;;;;;;;OAOG;IACH,gBAAgB,CAAC,MAAM,EAAE;QAAE,SAAS,EAAE,GAAG,CAAA;KAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CACnE"}
+{"version":3,"file":"key-converter.d.ts","sourceRoot":"","sources":["../../../src/types/key-converter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAE1C;;;;;;;GAOG;AACH,MAAM,WAAW,YAAY,CAC3B,sBAAsB,GAAG;IAAE,eAAe,EAAE,UAAU,CAAA;CAAE,EACxD,sBAAsB,GAAG;IAAE,UAAU,EAAE,GAAG,CAAA;CAAE;IAG5C;;;;;;;OAOG;IACH,iBAAiB,CAAC,MAAM,EAAE,sBAAsB,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAEhE;;;;;;;OAOG;IACH,iBAAiB,CAAC,MAAM,EAAE,sBAAsB,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CACxE;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,sBAAsB,CACrC,qBAAqB,GAAG;IAAE,cAAc,EAAE,UAAU,CAAA;CAAE,EACtD,qBAAqB,GAAG;IAAE,SAAS,EAAE,GAAG,CAAA;CAAE,EAC1C,sBAAsB,GAAG;IAAE,eAAe,EAAE,UAAU,CAAA;CAAE,EACxD,sBAAsB,GAAG;IAAE,UAAU,EAAE,GAAG,CAAA;CAAE,CAC5C,SAAQ,YAAY,CAAC,sBAAsB,EAAE,sBAAsB,CAAC;IACpE;;;;;;;OAOG;IACH,gBAAgB,CAAC,MAAM,EAAE,qBAAqB,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAE9D;;;;;;;OAOG;IACH,gBAAgB,CAAC,MAAM,EAAE,qBAAqB,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CACtE"}