@fgv/ts-extras 5.1.0-17 → 5.1.0-18

package/dist/packlets/crypto-utils/keystore/keyStore.js

@@ -63,8 +63,9 @@ function getCurrentTimestamp() {
  * @public
  */
 export class KeyStore {
-    constructor(cryptoProvider, iterations, keystoreFile, isNew = true) {
+    constructor(cryptoProvider, iterations, keystoreFile, isNew, privateKeyStorage) {
         this._cryptoProvider = cryptoProvider;
+        this._privateKeyStorage = privateKeyStorage;
         this._iterations = iterations;
         this._keystoreFile = keystoreFile;
         this._state = 'locked';
@@ -87,7 +88,7 @@ export class KeyStore {
         if (iterations < 1) {
             return fail('Iterations must be at least 1');
         }
-        return succeed(new KeyStore(params.cryptoProvider, iterations, undefined, true));
+        return succeed(new KeyStore(params.cryptoProvider, iterations, undefined, true, params.privateKeyStorage));
     }
     /**
      * Opens an existing encrypted key store.
@@ -103,7 +104,7 @@ export class KeyStore {
             return fail(`Invalid key store file: ${fileResult.message}`);
         }
         const iterations = fileResult.value.keyDerivation.iterations;
-        return succeed(new KeyStore(params.cryptoProvider, iterations, fileResult.value, false));
+        return succeed(new KeyStore(params.cryptoProvider, iterations, fileResult.value, false, params.privateKeyStorage));
     }
     // ============================================================================
     // Lifecycle Methods
@@ -217,7 +218,9 @@ export class KeyStore {
         // Clear secrets from memory (overwrite for security)
         if (this._secrets) {
             for (const entry of this._secrets.values()) {
-                entry.key.fill(0);
+                if (entry.type !== 'asymmetric-keypair') {
+                    entry.key.fill(0);
+                }
             }
             this._secrets.clear();
             this._secrets = undefined;
@@ -279,7 +282,9 @@ export class KeyStore {
         return succeed(Array.from(this._secrets.keys()));
     }
     /**
-     * Gets a secret by name.
+     * Gets a secret by name. Returns the {@link CryptoUtils.KeyStore.IKeyStoreEntry | discriminated union}
+     * — callers must check `entry.type` before accessing `key`/`id` since asymmetric
+     * entries carry no raw key material.
      * @param name - Name of the secret
      * @returns Success with secret entry, Failure if not found or locked
      * @public
@@ -294,6 +299,27 @@ export class KeyStore {
         }
         return succeed(entry);
     }
+    /**
+     * Returns the public-key JWK for an asymmetric-keypair entry.
+     * Available without {@link CryptoUtils.KeyStore.IPrivateKeyStorage} since the
+     * public key lives in the vault metadata directly.
+     * @param name - Name of the entry
+     * @returns Success with the JWK, Failure if not found, locked, or wrong type
+     * @public
+     */
+    getPublicKeyJwk(name) {
+        if (!this._secrets) {
+            return fail('Key store is locked');
+        }
+        const entry = this._secrets.get(name);
+        if (!entry) {
+            return fail(`Secret '${name}' not found`);
+        }
+        if (entry.type !== 'asymmetric-keypair') {
+            return fail(`Secret '${name}' is not an asymmetric keypair (type: ${entry.type})`);
+        }
+        return succeed(entry.publicKeyJwk);
+    }
     /**
      * Checks if a secret exists.
      * @param name - Name of the secret
@@ -320,7 +346,6 @@ export class KeyStore {
         if (!name || name.length === 0) {
             return fail('Secret name cannot be empty');
         }
-        const replaced = this._secrets.has(name);
         // Generate a new random key
         const keyResult = await this._cryptoProvider.generateKey();
         /* c8 ignore next 3 - crypto provider errors tested but coverage intermittently missed */
@@ -334,9 +359,11 @@ export class KeyStore {
             description: options === null || options === void 0 ? void 0 : options.description,
             createdAt: getCurrentTimestamp()
         };
+        const existing = this._secrets.get(name);
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
         this._secrets.set(name, entry);
         this._dirty = true;
-        return succeed({ entry, replaced });
+        return succeed({ entry, replaced: existing !== undefined, warning });
     }
     /**
      * Imports raw 32-byte key material into the vault.
@@ -352,7 +379,7 @@ export class KeyStore {
      * @returns Success with entry, Failure if locked, key invalid, or exists and !replace
      * @public
      */
-    importSecret(name, key, options) {
+    async importSecret(name, key, options) {
         var _a;
         if (!this._secrets) {
             return fail('Key store is locked');
@@ -363,8 +390,8 @@ export class KeyStore {
         if (key.length !== Constants.AES_256_KEY_SIZE) {
             return fail(`Key must be ${Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);
         }
-        const exists = this._secrets.has(name);
-        if (exists && !(options === null || options === void 0 ? void 0 : options.replace)) {
+        const existing = this._secrets.get(name);
+        if (existing && !(options === null || options === void 0 ? void 0 : options.replace)) {
             return fail(`Secret '${name}' already exists - use replace=true to overwrite`);
         }
         const entry = {
@@ -374,9 +401,10 @@ export class KeyStore {
             description: options === null || options === void 0 ? void 0 : options.description,
             createdAt: getCurrentTimestamp()
         };
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
         this._secrets.set(name, entry);
         this._dirty = true;
-        return succeed({ entry, replaced: exists });
+        return succeed({ entry, replaced: existing !== undefined, warning });
     }
     /**
      * Adds a secret derived from a password using PBKDF2.
@@ -403,8 +431,8 @@ export class KeyStore {
         if (!password || password.length === 0) {
             return fail('Password cannot be empty');
         }
-        const exists = this._secrets.has(name);
-        if (exists && !(options === null || options === void 0 ? void 0 : options.replace)) {
+        const existing = this._secrets.get(name);
+        if (existing && !(options === null || options === void 0 ? void 0 : options.replace)) {
             return fail(`Secret '${name}' already exists - use replace=true to overwrite`);
         }
         const iterations = (_a = options === null || options === void 0 ? void 0 : options.iterations) !== null && _a !== void 0 ? _a : DEFAULT_SECRET_ITERATIONS;
@@ -427,11 +455,13 @@ export class KeyStore {
             description: options === null || options === void 0 ? void 0 : options.description,
             createdAt: getCurrentTimestamp()
         };
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
         this._secrets.set(name, entry);
         this._dirty = true;
         return succeed({
             entry,
-            replaced: exists,
+            replaced: existing !== undefined,
+            warning,
             keyDerivation: {
                 kdf: 'pbkdf2',
                 salt: this._cryptoProvider.toBase64(saltResult.value),
@@ -440,12 +470,16 @@ export class KeyStore {
         });
     }
     /**
-     * Removes a secret by name.
+     * Removes a secret by name. Vault-first: the in-memory vault entry is dropped
+     * before any storage cleanup runs. For asymmetric-keypair entries, best-effort
+     * calls {@link CryptoUtils.KeyStore.IPrivateKeyStorage}.delete on the entry's
+     * `id`; a failure is reported via `warning` on the result but does not roll
+     * back the vault removal.
      * @param name - Name of the secret to remove
-     * @returns Success with removed entry, Failure if not found or locked
+     * @returns Success with removed entry (and optional warning), Failure if not found or locked
      * @public
      */
-    removeSecret(name) {
+    async removeSecret(name) {
         if (!this._secrets) {
             return fail('Key store is locked');
         }
@@ -453,11 +487,12 @@ export class KeyStore {
         if (!entry) {
             return fail(`Secret '${name}' not found`);
         }
-        // Clear the key before removing (security)
-        entry.key.fill(0);
+        // Vault-first: drop the in-memory entry before touching storage so a
+        // storage failure cannot block removal.
         this._secrets.delete(name);
         this._dirty = true;
-        return succeed(entry);
+        const warning = await this._releaseEntryResources(entry);
+        return succeed({ entry, warning });
     }
     /**
      * Imports an API key string into the vault.
@@ -468,7 +503,7 @@ export class KeyStore {
      * @returns Success with entry, Failure if locked, empty, or exists and !replace
      * @public
      */
-    importApiKey(name, apiKey, options) {
+    async importApiKey(name, apiKey, options) {
         if (!this._secrets) {
             return fail('Key store is locked');
         }
@@ -478,8 +513,8 @@ export class KeyStore {
         if (!apiKey || apiKey.length === 0) {
             return fail('API key cannot be empty');
         }
-        const exists = this._secrets.has(name);
-        if (exists && !(options === null || options === void 0 ? void 0 : options.replace)) {
+        const existing = this._secrets.get(name);
+        if (existing && !(options === null || options === void 0 ? void 0 : options.replace)) {
             return fail(`Secret '${name}' already exists - use replace=true to overwrite`);
         }
         const encoder = new TextEncoder();
@@ -490,9 +525,10 @@ export class KeyStore {
             description: options === null || options === void 0 ? void 0 : options.description,
             createdAt: getCurrentTimestamp()
         };
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
         this._secrets.set(name, entry);
         this._dirty = true;
-        return succeed({ entry, replaced: exists });
+        return succeed({ entry, replaced: existing !== undefined, warning });
     }
     /**
      * Retrieves an API key string by name.
@@ -515,6 +551,118 @@ export class KeyStore {
         const decoder = new TextDecoder();
         return succeed(decoder.decode(entry.key));
     }
+    // ============================================================================
+    // Asymmetric Keypair Management
+    // ============================================================================
+    /**
+     * Adds a new asymmetric keypair to the vault. Storage-first: the private key
+     * is stored under a freshly-minted `id` before the public-key vault entry is
+     * committed. If the storage call fails, no vault entry is written and the
+     * operation returns Failure.
+     *
+     * When `replace: true` displaces an existing entry (asymmetric or symmetric),
+     * a fresh `id` is minted; the displaced entry's resources are released
+     * best-effort. Failure of the storage delete is reported via `warning` on the
+     * result but does not roll back the replacement.
+     *
+     * Requires a {@link CryptoUtils.KeyStore.IPrivateKeyStorage} backend
+     * supplied at construction.
+     *
+     * @param name - Unique name for the entry
+     * @param options - Algorithm, optional description, replace flag
+     * @returns Success with the new entry, Failure if locked, no provider, or storage write failed
+     * @public
+     */
+    async addKeyPair(name, options) {
+        if (!this._secrets) {
+            return fail('Key store is locked');
+        }
+        if (!name || name.length === 0) {
+            return fail('Entry name cannot be empty');
+        }
+        if (!this._privateKeyStorage) {
+            return fail('No private key storage configured');
+        }
+        const existing = this._secrets.get(name);
+        if (existing && !options.replace) {
+            return fail(`Secret '${name}' already exists - use replace=true to overwrite`);
+        }
+        // Generate the keypair before touching storage. extractable=true on backends
+        // that round-trip via JWK; extractable=false on backends that hold CryptoKey
+        // refs directly.
+        const extractable = !this._privateKeyStorage.supportsNonExtractable;
+        const keyPairResult = await this._cryptoProvider.generateKeyPair(options.algorithm, extractable);
+        /* c8 ignore next 3 - crypto provider errors covered in nodeCryptoProvider tests; cannot be triggered here without mocking */
+        if (keyPairResult.isFailure()) {
+            return fail(`Failed to generate keypair for '${name}': ${keyPairResult.message}`);
+        }
+        const { publicKey, privateKey } = keyPairResult.value;
+        const jwkResult = await this._cryptoProvider.exportPublicKeyJwk(publicKey);
+        /* c8 ignore next 3 - export of an extractable freshly-generated public key is hard to fail */
+        if (jwkResult.isFailure()) {
+            return fail(`Failed to export public key for '${name}': ${jwkResult.message}`);
+        }
+        const idResult = this._generateId();
+        /* c8 ignore next 3 - random-bytes failure is hard to trigger with a healthy provider */
+        if (idResult.isFailure()) {
+            return fail(`Failed to mint storage id for '${name}': ${idResult.message}`);
+        }
+        const id = idResult.value;
+        // Storage-first: write the private key before committing the vault entry.
+        const storeResult = await this._privateKeyStorage.store(id, privateKey);
+        if (storeResult.isFailure()) {
+            return fail(`Failed to persist private key for '${name}': ${storeResult.message}`);
+        }
+        const entry = {
+            name,
+            type: 'asymmetric-keypair',
+            id,
+            algorithm: options.algorithm,
+            publicKeyJwk: jwkResult.value,
+            description: options.description,
+            createdAt: getCurrentTimestamp()
+        };
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
+        this._secrets.set(name, entry);
+        this._dirty = true;
+        return succeed({ entry, replaced: existing !== undefined, warning });
+    }
+    /**
+     * Retrieves the keypair for an asymmetric-keypair entry. The private key is
+     * loaded from {@link CryptoUtils.KeyStore.IPrivateKeyStorage} on every call —
+     * the keystore never caches private `CryptoKey` references between calls.
+     * The public key is re-imported from the vault's JWK so callers always
+     * receive a `CryptoKey` rather than the JWK form.
+     * @param name - Name of the entry
+     * @returns Success with `{ publicKey, privateKey }`, Failure if not found,
+     * locked, wrong type, no provider, or storage load failed.
+     * @public
+     */
+    async getKeyPair(name) {
+        if (!this._secrets) {
+            return fail('Key store is locked');
+        }
+        const entry = this._secrets.get(name);
+        if (!entry) {
+            return fail(`Secret '${name}' not found`);
+        }
+        if (entry.type !== 'asymmetric-keypair') {
+            return fail(`Secret '${name}' is not an asymmetric keypair (type: ${entry.type})`);
+        }
+        if (!this._privateKeyStorage) {
+            return fail('No private key storage configured');
+        }
+        const privateResult = await this._privateKeyStorage.load(entry.id);
+        if (privateResult.isFailure()) {
+            return fail(`Failed to load private key for '${name}': ${privateResult.message}`);
+        }
+        const publicResult = await this._cryptoProvider.importPublicKeyJwk(entry.publicKeyJwk, entry.algorithm);
+        /* c8 ignore next 3 - vault JWKs that previously exported cleanly are extremely unlikely to fail re-import */
+        if (publicResult.isFailure()) {
+            return fail(`Failed to re-import public key for '${name}': ${publicResult.message}`);
+        }
+        return succeed({ publicKey: publicResult.value, privateKey: privateResult.value });
+    }
     /**
      * Lists secret names filtered by type.
      * @param type - The secret type to filter by
@@ -554,7 +702,8 @@ export class KeyStore {
         if (oldName !== newName && this._secrets.has(newName)) {
             return fail(`Secret '${newName}' already exists`);
         }
-        // Create new entry with new name (preserve type)
+        // Create new entry with new name. For asymmetric entries the spread
+        // preserves `id` so the storage handle survives the rename.
         const newEntry = Object.assign(Object.assign({}, entry), { name: newName });
         this._secrets.delete(oldName);
         this._secrets.set(newName, newEntry);
@@ -674,6 +823,9 @@ export class KeyStore {
         if (secretResult.isFailure()) {
             return fail(`encryptByName: ${secretResult.message}`);
         }
+        if (secretResult.value.type === 'asymmetric-keypair') {
+            return fail(`encryptByName: secret '${secretName}' is an asymmetric keypair, not symmetric key material`);
+        }
         return createEncryptedFile({
             content,
             secretName,
@@ -701,6 +853,9 @@ export class KeyStore {
             if (!entry) {
                 return fail(`Secret '${secretName}' not found in key store`);
             }
+            if (entry.type === 'asymmetric-keypair') {
+                return fail(`Secret '${secretName}' is an asymmetric keypair, not symmetric key material`);
+            }
             return succeed(entry.key);
         };
         return succeed(provider);
@@ -734,13 +889,26 @@ export class KeyStore {
         // Build vault contents
         const secretEntries = {};
         for (const [name, entry] of secrets) {
-            secretEntries[name] = {
-                name: entry.name,
-                type: entry.type,
-                key: this._cryptoProvider.toBase64(entry.key),
-                description: entry.description,
-                createdAt: entry.createdAt
-            };
+            if (entry.type === 'asymmetric-keypair') {
+                secretEntries[name] = {
+                    name: entry.name,
+                    type: entry.type,
+                    id: entry.id,
+                    algorithm: entry.algorithm,
+                    publicKeyJwk: entry.publicKeyJwk,
+                    description: entry.description,
+                    createdAt: entry.createdAt
+                };
+            }
+            else {
+                secretEntries[name] = {
+                    name: entry.name,
+                    type: entry.type,
+                    key: this._cryptoProvider.toBase64(entry.key),
+                    description: entry.description,
+                    createdAt: entry.createdAt
+                };
+            }
         }
         const vaultContents = {
             version: KEYSTORE_FORMAT,
@@ -780,7 +948,6 @@ export class KeyStore {
      * Shared by `unlock()` and `unlockWithKey()`.
      */
     async _decryptVault(derivedKey) {
-        var _a;
         const keystoreFile = this._keystoreFile;
         if (keystoreFile === undefined) {
             return fail('No key store file loaded');
@@ -820,20 +987,33 @@ export class KeyStore {
         }
         const secrets = new Map();
         for (const [name, jsonEntry] of Object.entries(vaultResult.value.secrets)) {
-            const keyBytesResult = this._cryptoProvider.fromBase64(jsonEntry.key);
-            /* c8 ignore next 3 - error path tested but coverage intermittently missed */
-            if (keyBytesResult.isFailure()) {
-                return fail(`Invalid key for secret '${name}': ${keyBytesResult.message}`);
+            if (jsonEntry.type === 'asymmetric-keypair') {
+                const entry = {
+                    name,
+                    type: jsonEntry.type,
+                    id: jsonEntry.id,
+                    algorithm: jsonEntry.algorithm,
+                    publicKeyJwk: jsonEntry.publicKeyJwk,
+                    description: jsonEntry.description,
+                    createdAt: jsonEntry.createdAt
+                };
+                secrets.set(name, entry);
+            }
+            else {
+                const keyBytesResult = this._cryptoProvider.fromBase64(jsonEntry.key);
+                /* c8 ignore next 3 - error path tested but coverage intermittently missed */
+                if (keyBytesResult.isFailure()) {
+                    return fail(`Invalid key for secret '${name}': ${keyBytesResult.message}`);
+                }
+                const entry = {
+                    name,
+                    type: jsonEntry.type,
+                    key: keyBytesResult.value,
+                    description: jsonEntry.description,
+                    createdAt: jsonEntry.createdAt
+                };
+                secrets.set(name, entry);
             }
-            const entry = {
-                name,
-                /* c8 ignore next 1 - backwards compatibility: old vaults may lack type field */
-                type: (_a = jsonEntry.type) !== null && _a !== void 0 ? _a : 'encryption-key',
-                key: keyBytesResult.value,
-                description: jsonEntry.description,
-                createdAt: jsonEntry.createdAt
-            };
-            secrets.set(name, entry);
         }
         // All validation passed — commit state atomically
         this._salt = saltResult.value;
@@ -842,5 +1022,50 @@ export class KeyStore {
         this._dirty = false;
         return succeed(this);
     }
+    // ============================================================================
+    // Private: Helpers for asymmetric flows
+    // ============================================================================
+    /**
+     * Releases the resources held by an entry being displaced from the vault.
+     * Symmetric entries get their key buffer zeroed in place. Asymmetric entries
+     * have their private-key blob best-effort deleted from
+     * {@link CryptoUtils.KeyStore.IPrivateKeyStorage}; if the storage call fails,
+     * a warning string is returned but the displacement still proceeds — the
+     * orphaned blob is left for consumer-side GC. Without a configured provider,
+     * asymmetric cleanup is silently skipped.
+     * @returns A warning string if storage cleanup failed, otherwise undefined.
+     */
+    async _releaseEntryResources(entry) {
+        if (entry.type === 'asymmetric-keypair') {
+            if (!this._privateKeyStorage) {
+                return undefined;
+            }
+            const deleteResult = await this._privateKeyStorage.delete(entry.id);
+            if (deleteResult.isFailure()) {
+                return `Failed to delete prior storage blob for '${entry.name}' (id ${entry.id}): ${deleteResult.message}`;
+            }
+            return undefined;
+        }
+        entry.key.fill(0);
+        return undefined;
+    }
+    /**
+     * Mints a fresh UUID v4 storage handle using the crypto provider's
+     * {@link CryptoUtils.ICryptoProvider.generateRandomBytes | generateRandomBytes}.
+     * Random-bytes failures propagate as Failure.
+     */
+    _generateId() {
+        return this._cryptoProvider.generateRandomBytes(16).onSuccess((bytes) => {
+            // Per RFC 4122 §4.4: set version (4) and variant (10xx) bits.
+            // eslint-disable-next-line no-bitwise
+            bytes[6] = (bytes[6] & 0x0f) | 0x40;
+            // eslint-disable-next-line no-bitwise
+            bytes[8] = (bytes[8] & 0x3f) | 0x80;
+            const hex = Array.from(bytes)
+                .map((b) => b.toString(16).padStart(2, '0'))
+                .join('');
+            return succeed(`${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20, 32)}`);
+        });
+    }
 }
 //# sourceMappingURL=keyStore.js.map

package/dist/packlets/crypto-utils/keystore/model.js

@@ -17,6 +17,9 @@
 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 // SOFTWARE.
+// Re-export so consumers can continue to access the algorithm enum via the
+// CryptoUtils.KeyStore namespace alongside the rest of the keystore types.
+export { allKeyPairAlgorithms } from '../model';
 /**
  * Current format version constant.
  * @public
@@ -33,11 +36,29 @@ export const DEFAULT_KEYSTORE_ITERATIONS = 600000;
  * @public
  */
 export const MIN_SALT_LENGTH = 16;
+/**
+ * All valid symmetric secret types.
+ * @public
+ */
+export const allKeyStoreSymmetricSecretTypes = [
+    'encryption-key',
+    'api-key'
+];
+/**
+ * All valid asymmetric secret types.
+ * @public
+ */
+export const allKeyStoreAsymmetricSecretTypes = [
+    'asymmetric-keypair'
+];
 /**
  * All valid key store secret types.
  * @public
  */
-export const allKeyStoreSecretTypes = ['encryption-key', 'api-key'];
+export const allKeyStoreSecretTypes = [
+    ...allKeyStoreAsymmetricSecretTypes,
+    ...allKeyStoreSymmetricSecretTypes
+];
 /**
  * Default PBKDF2 iterations for secret-level key derivation.
  * Lower than keystore encryption since these are used more frequently.

package/dist/packlets/crypto-utils/keystore/privateKeyStorage.js

@@ -0,0 +1,21 @@
+// Copyright (c) 2026 Erik Fortune
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+export {};
+//# sourceMappingURL=privateKeyStorage.js.map

package/dist/packlets/crypto-utils/model.js

@@ -19,6 +19,11 @@
 // SOFTWARE.
 import * as Constants from './constants';
 export { Constants };
+/**
+ * All valid key pair algorithms.
+ * @public
+ */
+export const allKeyPairAlgorithms = ['ecdsa-p256', 'rsa-oaep-2048'];
 // ============================================================================
 // Detection Helper
 // ============================================================================

package/dist/packlets/crypto-utils/nodeCryptoProvider.js

@@ -18,8 +18,9 @@
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 // SOFTWARE.
 import * as crypto from 'crypto';
-import { captureResult, fail, Failure, succeed, Success } from '@fgv/ts-utils';
+import { captureAsyncResult, captureResult, fail, Failure, succeed, Success } from '@fgv/ts-utils';
 import * as Constants from './constants';
+import { keyPairAlgorithmParams } from './keyPairAlgorithmParams';
 /**
  * Node.js implementation of {@link CryptoUtils.ICryptoProvider} using the built-in crypto module.
  * Uses AES-256-GCM for authenticated encryption.
@@ -162,6 +163,48 @@ export class NodeCryptoProvider {
         }
         return Success.with(new Uint8Array(Buffer.from(base64, 'base64')));
     }
+    // ============================================================================
+    // Asymmetric Key Operations
+    // ============================================================================
+    /**
+     * Generates a new asymmetric keypair using Node's WebCrypto.
+     * @param algorithm - The {@link CryptoUtils.KeyPairAlgorithm | algorithm} to use.
+     * @param extractable - Whether the resulting keys may be exported.
+     * @returns `Success` with the generated `CryptoKeyPair`, or `Failure` with an error.
+     */
+    async generateKeyPair(algorithm, extractable) {
+        const params = keyPairAlgorithmParams[algorithm];
+        const result = await captureAsyncResult(() => crypto.webcrypto.subtle.generateKey(params.generateKey, extractable, params.keyPairUsages));
+        return result.withErrorFormat((e) => `Failed to generate ${algorithm} keypair: ${e}`);
+    }
+    /**
+     * Exports a public `CryptoKey` as a JSON Web Key.
+     * @remarks
+     * Rejects non-public keys at runtime. WebCrypto's `exportKey('jwk', ...)`
+     * does not enforce public-vs-private; without this guard a caller that
+     * passed an extractable private key would receive its private fields
+     * (`d`, `p`, `q`, ...) as JWK, defeating the method's name.
+     * @param publicKey - Extractable public key to export.
+     * @returns `Success` with the JWK, or `Failure` if not a public key or if export fails.
+     */
+    async exportPublicKeyJwk(publicKey) {
+        if (publicKey.type !== 'public') {
+            return fail(`exportPublicKeyJwk requires a public CryptoKey, got '${publicKey.type}'`);
+        }
+        const result = await captureAsyncResult(() => crypto.webcrypto.subtle.exportKey('jwk', publicKey));
+        return result.withErrorFormat((e) => `Failed to export public key as JWK: ${e}`);
+    }
+    /**
+     * Imports a public-key JWK as a `CryptoKey` for the requested algorithm.
+     * @param jwk - The JSON Web Key produced by a prior export.
+     * @param algorithm - The algorithm the key was generated for.
+     * @returns `Success` with the imported public `CryptoKey`, or `Failure` with an error.
+     */
+    async importPublicKeyJwk(jwk, algorithm) {
+        const params = keyPairAlgorithmParams[algorithm];
+        const result = await captureAsyncResult(() => crypto.webcrypto.subtle.importKey('jwk', jwk, params.importPublicKey, true, params.publicKeyUsages));
+        return result.withErrorFormat((e) => `Failed to import ${algorithm} public key from JWK: ${e}`);
+    }
 }
 /**
  * Singleton instance of {@link CryptoUtils.NodeCryptoProvider}.