@gjsify/crypto 0.1.0

package/lib/types/dh.d.ts

@@ -0,0 +1,79 @@
+import { Buffer } from 'node:buffer';
+export declare class DiffieHellman {
+    private _prime;
+    private _generator;
+    private _generatorBuf;
+    private _primeByteLength;
+    private _pubKey;
+    private _privKey;
+    private _primeCode;
+    private _malleable;
+    constructor(prime: Buffer, generator: Buffer, malleable?: boolean);
+    /**
+     * Error code from prime/generator validation.
+     * Lazily computed on first access.
+     */
+    get verifyError(): number;
+    /**
+     * Generate a random private key and compute the corresponding public key.
+     * Returns the public key as a Buffer (or encoded string).
+     */
+    generateKeys(): Buffer;
+    generateKeys(encoding: BufferEncoding): string;
+    /**
+     * Compute the shared secret using the other party's public key.
+     */
+    computeSecret(otherPublicKey: Buffer | Uint8Array | string, inputEncoding?: BufferEncoding): Buffer;
+    computeSecret(otherPublicKey: Buffer | Uint8Array | string, inputEncoding: BufferEncoding, outputEncoding: BufferEncoding): string;
+    /**
+     * Get the prime as a Buffer or encoded string.
+     */
+    getPrime(): Buffer;
+    getPrime(encoding: BufferEncoding): string;
+    /**
+     * Get the generator as a Buffer or encoded string.
+     */
+    getGenerator(): Buffer;
+    getGenerator(encoding: BufferEncoding): string;
+    /**
+     * Get the public key as a Buffer or encoded string.
+     */
+    getPublicKey(): Buffer;
+    getPublicKey(encoding: BufferEncoding): string;
+    /**
+     * Get the private key as a Buffer or encoded string.
+     */
+    getPrivateKey(): Buffer;
+    getPrivateKey(encoding: BufferEncoding): string;
+    /**
+     * Set the public key. Only available for malleable DH instances
+     * (created via createDiffieHellman, not getDiffieHellman).
+     */
+    setPublicKey(publicKey: Buffer | Uint8Array | string, encoding?: BufferEncoding): void;
+    /**
+     * Set the private key. Only available for malleable DH instances
+     * (created via createDiffieHellman, not getDiffieHellman).
+     */
+    setPrivateKey(privateKey: Buffer | Uint8Array | string, encoding?: BufferEncoding): void;
+}
+/**
+ * Create a DiffieHellman key exchange object.
+ *
+ * Usage:
+ *   createDiffieHellman(primeLength)
+ *   createDiffieHellman(primeLength, generator)
+ *   createDiffieHellman(prime, primeEncoding, generator, generatorEncoding)
+ *   createDiffieHellman(prime, generator)
+ */
+export declare function createDiffieHellman(prime: number | string | Buffer | Uint8Array, primeEncoding?: BufferEncoding | number | string | Buffer | Uint8Array, generator?: number | string | Buffer | Uint8Array, generatorEncoding?: BufferEncoding): DiffieHellman;
+/**
+ * Create a DiffieHellman key exchange object using a predefined MODP group.
+ *
+ * Note: Instances from getDiffieHellman do NOT have setPublicKey/setPrivateKey,
+ * matching Node.js behavior where predefined group instances are not malleable.
+ */
+export declare function getDiffieHellman(groupName: string): DiffieHellman;
+/** Alias for getDiffieHellman. */
+export declare const createDiffieHellmanGroup: typeof getDiffieHellman;
+/** Alias for getDiffieHellman. */
+export declare const DiffieHellmanGroup: typeof getDiffieHellman;

package/lib/types/ecdh.d.ts

@@ -0,0 +1,96 @@
+import { Buffer } from 'node:buffer';
+/** A point on an elliptic curve, or null for the point at infinity. */
+type ECPoint = {
+    x: bigint;
+    y: bigint;
+} | null;
+interface CurveParams {
+    /** Field prime */
+    p: bigint;
+    /** Curve coefficient a */
+    a: bigint;
+    /** Curve coefficient b */
+    b: bigint;
+    /** Generator x-coordinate */
+    Gx: bigint;
+    /** Generator y-coordinate */
+    Gy: bigint;
+    /** Order of the generator */
+    n: bigint;
+    /** Byte length of a field element */
+    byteLength: number;
+}
+declare const CURVES: Record<string, CurveParams>;
+declare const CURVE_ALIASES: Record<string, string>;
+/**
+ * Non-negative modulus: always returns a value in [0, mod).
+ */
+declare function mod(a: bigint, m: bigint): bigint;
+/**
+ * Modular multiplicative inverse using extended Euclidean algorithm.
+ * Returns x such that (a * x) mod m = 1.
+ * Throws if a and m are not coprime.
+ */
+declare function modInverse(a: bigint, m: bigint): bigint;
+/**
+ * Add two points on the curve.
+ * Returns the point at infinity (null) when appropriate.
+ */
+declare function pointAdd(P: ECPoint, Q: ECPoint, curve: CurveParams): ECPoint;
+/**
+ * Scalar multiplication using the double-and-add method (constant-time-ish
+ * with respect to the bit length of the scalar, but not fully
+ * constant-time — acceptable since we are not a production crypto library
+ * and match the behaviour of refs/create-ecdh which uses elliptic.js).
+ *
+ * Uses a fixed-window approach of width 1 (Montgomery ladder variant) to
+ * avoid the most trivial timing leaks.
+ */
+declare function scalarMul(k: bigint, P: ECPoint, curve: CurveParams): ECPoint;
+declare class ECDH {
+    private _curve;
+    private _curveName;
+    private _privateKey;
+    private _publicKey;
+    constructor(curveName: string);
+    /**
+     * Generate a random private key and derive the corresponding public key.
+     * Returns the public key.
+     */
+    generateKeys(): Buffer;
+    generateKeys(encoding: BufferEncoding, format?: 'uncompressed' | 'compressed' | 'hybrid'): string;
+    /**
+     * Compute the shared secret using the other party's public key.
+     */
+    computeSecret(otherPublicKey: string | Buffer | Uint8Array | ArrayBufferView, inputEncoding?: BufferEncoding, outputEncoding?: BufferEncoding): Buffer | string;
+    /**
+     * Return the public key. Optionally encode as a string.
+     */
+    getPublicKey(): Buffer;
+    getPublicKey(encoding: BufferEncoding, format?: 'uncompressed' | 'compressed' | 'hybrid'): string;
+    /**
+     * Return the private key. Optionally encode as a string.
+     */
+    getPrivateKey(): Buffer;
+    getPrivateKey(encoding: BufferEncoding): string;
+    /**
+     * Set the public key. The key can be in uncompressed, compressed, or hybrid format.
+     */
+    setPublicKey(key: string | Buffer | Uint8Array | ArrayBufferView, encoding?: BufferEncoding): void;
+    /**
+     * Set the private key and derive the corresponding public key.
+     */
+    setPrivateKey(key: string | Buffer | Uint8Array | ArrayBufferView, encoding?: BufferEncoding): void;
+}
+/**
+ * Create an ECDH key exchange object for the specified curve.
+ *
+ * Supported curves: secp256k1, prime256v1 (P-256), secp384r1 (P-384), secp521r1 (P-521).
+ */
+export { mod, modInverse, scalarMul, pointAdd, CURVES, CURVE_ALIASES };
+export type { ECPoint, CurveParams };
+export declare function createECDH(curveName: string): ECDH;
+/**
+ * Return a list of supported elliptic curve names.
+ */
+export declare function getCurves(): string[];

package/lib/types/ecdsa.d.ts

@@ -0,0 +1,21 @@
+/**
+ * ECDSA signature generation per FIPS 186-4 Section 6.4.
+ *
+ * @param hashAlgo Hash algorithm name (e.g. 'sha256')
+ * @param privKeyBytes Private key as big-endian bytes
+ * @param data Data to sign (will be hashed)
+ * @param curveName Curve name (e.g. 'P-256')
+ * @returns Signature as r || s concatenated (each curve.byteLength bytes)
+ */
+export declare function ecdsaSign(hashAlgo: string, privKeyBytes: Uint8Array, data: Uint8Array, curveName: string): Uint8Array;
+/**
+ * ECDSA signature verification per FIPS 186-4 Section 6.4.
+ *
+ * @param hashAlgo Hash algorithm name (e.g. 'sha256')
+ * @param pubKeyBytes Public key as uncompressed point (0x04 || x || y)
+ * @param signature Signature as r || s concatenated
+ * @param data Signed data (will be hashed)
+ * @param curveName Curve name (e.g. 'P-256')
+ * @returns true if signature is valid
+ */
+export declare function ecdsaVerify(hashAlgo: string, pubKeyBytes: Uint8Array, signature: Uint8Array, data: Uint8Array, curveName: string): boolean;

package/lib/types/hash.d.ts

@@ -0,0 +1,25 @@
+import { Transform } from 'node:stream';
+import type { TransformCallback } from 'node:stream';
+import { Buffer } from 'node:buffer';
+/**
+ * Creates and returns a Hash object that can be used to generate hash digests
+ * using the given algorithm.
+ */
+export declare class Hash extends Transform {
+    private _algorithm;
+    private _checksum;
+    private _finalized;
+    constructor(algorithm: string);
+    /** Update the hash with data. */
+    update(data: string | Buffer | Uint8Array, inputEncoding?: BufferEncoding): this;
+    /** Calculate the digest of all data passed to update(). */
+    digest(encoding?: BufferEncoding): Buffer | string;
+    /** Copy this hash to a new Hash object. */
+    copy(): Hash;
+    _transform(chunk: any, encoding: BufferEncoding, callback: TransformCallback): void;
+    _flush(callback: TransformCallback): void;
+}
+/** Get the list of supported hash algorithms. */
+export declare function getHashes(): string[];
+/** Convenience: one-shot hash (Node 21+). */
+export declare function hash(algorithm: string, data: string | Buffer | Uint8Array, encoding?: BufferEncoding): Buffer | string;

package/lib/types/hkdf.d.ts

@@ -0,0 +1,9 @@
+import { Buffer } from 'node:buffer';
+/**
+ * Synchronous HKDF key derivation.
+ */
+export declare function hkdfSync(digest: string, ikm: string | Buffer | Uint8Array | DataView | ArrayBuffer, salt: string | Buffer | Uint8Array | DataView | ArrayBuffer, info: string | Buffer | Uint8Array | DataView | ArrayBuffer, keylen: number): ArrayBuffer;
+/**
+ * Asynchronous HKDF key derivation.
+ */
+export declare function hkdf(digest: string, ikm: string | Buffer | Uint8Array | DataView | ArrayBuffer, salt: string | Buffer | Uint8Array | DataView | ArrayBuffer, info: string | Buffer | Uint8Array | DataView | ArrayBuffer, keylen: number, callback: (err: Error | null, derivedKey?: ArrayBuffer) => void): void;

package/lib/types/hmac.d.ts

@@ -0,0 +1,20 @@
+import { Transform } from 'node:stream';
+import type { TransformCallback } from 'node:stream';
+import { Buffer } from 'node:buffer';
+/**
+ * Creates and returns an Hmac object that uses the given algorithm and key.
+ * Implemented using createHash (GLib.Checksum) since GLib.Hmac bindings are broken in GJS.
+ */
+export declare class Hmac extends Transform {
+    private _algorithm;
+    private _innerHash;
+    private _outerKeyPad;
+    private _finalized;
+    constructor(algorithm: string, key: string | Buffer | Uint8Array);
+    /** Update the HMAC with data. */
+    update(data: string | Buffer | Uint8Array, inputEncoding?: BufferEncoding): this;
+    /** Calculate the HMAC digest. */
+    digest(encoding?: BufferEncoding): Buffer | string;
+    _transform(chunk: any, encoding: BufferEncoding, callback: TransformCallback): void;
+    _flush(callback: TransformCallback): void;
+}

package/lib/types/index.d.ts

@@ -0,0 +1,105 @@
+export { Hash, getHashes, hash } from './hash.js';
+export { Hmac } from './hmac.js';
+export { randomBytes, randomFill, randomFillSync, randomUUID, randomInt, } from './random.js';
+export { timingSafeEqual } from './timing-safe-equal.js';
+export { constants } from './constants.js';
+export { pbkdf2, pbkdf2Sync } from './pbkdf2.js';
+export { hkdf, hkdfSync } from './hkdf.js';
+export { scrypt, scryptSync } from './scrypt.js';
+import { Hash } from './hash.js';
+import { Hmac } from './hmac.js';
+/** Create a Hash object for the given algorithm. */
+export declare function createHash(algorithm: string): Hash;
+/** Create an Hmac object for the given algorithm and key. */
+export declare function createHmac(algorithm: string, key: string | Buffer | Uint8Array): Hmac;
+export { createCipher, createCipheriv, createDecipher, createDecipheriv, getCiphers } from './cipher.js';
+export { Sign, Verify, createSign, createVerify } from './sign.js';
+export { createDiffieHellman, getDiffieHellman, DiffieHellman, DiffieHellmanGroup, createDiffieHellmanGroup } from './dh.js';
+export { createECDH, getCurves } from './ecdh.js';
+export { ecdsaSign, ecdsaVerify } from './ecdsa.js';
+export { publicEncrypt, privateDecrypt, privateEncrypt, publicDecrypt } from './public-encrypt.js';
+export { rsaPssSign, rsaPssVerify } from './rsa-pss.js';
+export { rsaOaepEncrypt, rsaOaepDecrypt } from './rsa-oaep.js';
+export { mgf1 } from './mgf1.js';
+export { KeyObject, createSecretKey, createPublicKey, createPrivateKey } from './key-object.js';
+export { X509Certificate } from './x509.js';
+import { getHashes, hash } from './hash.js';
+import { randomBytes, randomFill, randomFillSync, randomUUID, randomInt } from './random.js';
+import { timingSafeEqual } from './timing-safe-equal.js';
+import { pbkdf2, pbkdf2Sync } from './pbkdf2.js';
+import { hkdf, hkdfSync } from './hkdf.js';
+import { scrypt, scryptSync } from './scrypt.js';
+import { createCipher, createCipheriv, createDecipher, createDecipheriv, getCiphers } from './cipher.js';
+import { Sign, Verify, createSign, createVerify } from './sign.js';
+import { createDiffieHellman, getDiffieHellman, DiffieHellman } from './dh.js';
+import { createECDH, getCurves } from './ecdh.js';
+import { ecdsaSign, ecdsaVerify } from './ecdsa.js';
+import { publicEncrypt, privateDecrypt, privateEncrypt, publicDecrypt } from './public-encrypt.js';
+import { rsaPssSign, rsaPssVerify } from './rsa-pss.js';
+import { rsaOaepEncrypt, rsaOaepDecrypt } from './rsa-oaep.js';
+import { mgf1 } from './mgf1.js';
+import { KeyObject, createSecretKey, createPublicKey, createPrivateKey } from './key-object.js';
+import { X509Certificate } from './x509.js';
+declare const _default: {
+    Hash: typeof Hash;
+    getHashes: typeof getHashes;
+    hash: typeof hash;
+    Hmac: typeof Hmac;
+    randomBytes: typeof randomBytes;
+    randomFill: typeof randomFill;
+    randomFillSync: typeof randomFillSync;
+    randomUUID: typeof randomUUID;
+    randomInt: typeof randomInt;
+    timingSafeEqual: typeof timingSafeEqual;
+    constants: {
+        readonly RSA_PKCS1_PADDING: 1;
+        readonly RSA_NO_PADDING: 3;
+        readonly RSA_PKCS1_OAEP_PADDING: 4;
+        readonly RSA_PKCS1_PSS_PADDING: 6;
+        readonly DH_CHECK_P_NOT_SAFE_PRIME: 2;
+        readonly DH_CHECK_P_NOT_PRIME: 1;
+        readonly DH_UNABLE_TO_CHECK_GENERATOR: 4;
+        readonly DH_NOT_SUITABLE_GENERATOR: 8;
+    };
+    pbkdf2: typeof pbkdf2;
+    pbkdf2Sync: typeof pbkdf2Sync;
+    hkdf: typeof hkdf;
+    hkdfSync: typeof hkdfSync;
+    scrypt: typeof scrypt;
+    scryptSync: typeof scryptSync;
+    createHash: typeof createHash;
+    createHmac: typeof createHmac;
+    createCipher: typeof createCipher;
+    createCipheriv: typeof createCipheriv;
+    createDecipher: typeof createDecipher;
+    createDecipheriv: typeof createDecipheriv;
+    getCiphers: typeof getCiphers;
+    Sign: typeof Sign;
+    Verify: typeof Verify;
+    createSign: typeof createSign;
+    createVerify: typeof createVerify;
+    createDiffieHellman: typeof createDiffieHellman;
+    getDiffieHellman: typeof getDiffieHellman;
+    DiffieHellman: typeof DiffieHellman;
+    DiffieHellmanGroup: typeof getDiffieHellman;
+    createDiffieHellmanGroup: typeof getDiffieHellman;
+    createECDH: typeof createECDH;
+    getCurves: typeof getCurves;
+    ecdsaSign: typeof ecdsaSign;
+    ecdsaVerify: typeof ecdsaVerify;
+    publicEncrypt: typeof publicEncrypt;
+    privateDecrypt: typeof privateDecrypt;
+    privateEncrypt: typeof privateEncrypt;
+    publicDecrypt: typeof publicDecrypt;
+    rsaPssSign: typeof rsaPssSign;
+    rsaPssVerify: typeof rsaPssVerify;
+    rsaOaepEncrypt: typeof rsaOaepEncrypt;
+    rsaOaepDecrypt: typeof rsaOaepDecrypt;
+    mgf1: typeof mgf1;
+    KeyObject: typeof KeyObject;
+    createSecretKey: typeof createSecretKey;
+    createPublicKey: typeof createPublicKey;
+    createPrivateKey: typeof createPrivateKey;
+    X509Certificate: typeof X509Certificate;
+};
+export default _default;

package/lib/types/key-object.d.ts

@@ -0,0 +1,36 @@
+import { Buffer } from 'node:buffer';
+export declare class KeyObject {
+    readonly type: 'secret' | 'public' | 'private';
+    /** @internal */
+    _handle: unknown;
+    constructor(type: 'secret' | 'public' | 'private', handle: unknown);
+    get symmetricKeySize(): number | undefined;
+    get asymmetricKeyType(): string | undefined;
+    get asymmetricKeySize(): number | undefined;
+    equals(otherKeyObject: KeyObject): boolean;
+    export(options?: {
+        type?: string;
+        format?: string;
+    }): Buffer | string | object;
+    get [Symbol.toStringTag](): string;
+}
+interface KeyInput {
+    key: string | Buffer | KeyObject | object;
+    format?: 'pem' | 'der' | 'jwk';
+    type?: 'pkcs1' | 'spki' | 'pkcs8' | 'sec1';
+    passphrase?: string | Buffer;
+    encoding?: BufferEncoding;
+}
+/**
+ * Create a secret key from raw bytes.
+ */
+export declare function createSecretKey(key: Buffer | Uint8Array | string, encoding?: BufferEncoding): KeyObject;
+/**
+ * Create a public key from PEM, DER, JWK, or another KeyObject.
+ */
+export declare function createPublicKey(key: string | Buffer | KeyInput | KeyObject): KeyObject;
+/**
+ * Create a private key from PEM, DER, JWK, or KeyInput.
+ */
+export declare function createPrivateKey(key: string | Buffer | KeyInput): KeyObject;
+export {};

package/lib/types/mgf1.d.ts

@@ -0,0 +1,5 @@
+/**
+ * MGF1 mask generation function.
+ * Produces a mask of `length` bytes from `seed` using `hashAlgo`.
+ */
+export declare function mgf1(hashAlgo: string, seed: Uint8Array, length: number): Uint8Array;

package/lib/types/pbkdf2.d.ts

@@ -0,0 +1,9 @@
+import { Buffer } from 'node:buffer';
+/**
+ * Synchronous PBKDF2 key derivation.
+ */
+export declare function pbkdf2Sync(password: string | Buffer | Uint8Array | DataView, salt: string | Buffer | Uint8Array | DataView, iterations: number, keylen: number, digest?: string): Buffer;
+/**
+ * Asynchronous PBKDF2 key derivation.
+ */
+export declare function pbkdf2(password: string | Buffer | Uint8Array | DataView, salt: string | Buffer | Uint8Array | DataView, iterations: number, keylen: number, digest: string, callback: (err: Error | null, derivedKey?: Buffer) => void): void;

package/lib/types/public-encrypt.d.ts

@@ -0,0 +1,42 @@
+import { Buffer } from 'node:buffer';
+interface KeyInput {
+    key: string | Buffer;
+    passphrase?: string;
+    padding?: number;
+}
+/**
+ * Encrypt data using an RSA public key with PKCS#1 v1.5 Type 2 padding.
+ *
+ * @param key - PEM-encoded RSA public key (or private key, from which public components are extracted)
+ * @param buffer - Data to encrypt (must be <= keyLen - 11 bytes)
+ * @returns Encrypted data as a Buffer
+ */
+export declare function publicEncrypt(key: string | Buffer | KeyInput, buffer: Buffer | Uint8Array): Buffer;
+/**
+ * Decrypt data using an RSA private key (reverses publicEncrypt).
+ *
+ * @param key - PEM-encoded RSA private key
+ * @param buffer - Encrypted data
+ * @returns Decrypted data as a Buffer
+ */
+export declare function privateDecrypt(key: string | Buffer | KeyInput, buffer: Buffer | Uint8Array): Buffer;
+/**
+ * Encrypt data using an RSA private key with PKCS#1 v1.5 Type 1 padding.
+ * This is the raw RSA private-key operation used for compatibility with
+ * signature-like use cases.
+ *
+ * @param key - PEM-encoded RSA private key
+ * @param buffer - Data to encrypt
+ * @returns Encrypted data as a Buffer
+ */
+export declare function privateEncrypt(key: string | Buffer | KeyInput, buffer: Buffer | Uint8Array): Buffer;
+/**
+ * Decrypt data using an RSA public key (reverses privateEncrypt).
+ * Removes PKCS#1 v1.5 Type 1 padding.
+ *
+ * @param key - PEM-encoded RSA public key (or private key for public components)
+ * @param buffer - Encrypted data
+ * @returns Decrypted data as a Buffer
+ */
+export declare function publicDecrypt(key: string | Buffer | KeyInput, buffer: Buffer | Uint8Array): Buffer;
+export {};

package/lib/types/random.d.ts

@@ -0,0 +1,22 @@
+import { Buffer } from 'node:buffer';
+/**
+ * Generate cryptographically strong pseudo-random data.
+ */
+export declare function randomBytes(size: number): Buffer;
+export declare function randomBytes(size: number, callback: (err: Error | null, buf: Buffer) => void): void;
+/**
+ * Fill a buffer with cryptographically strong pseudo-random data (synchronous).
+ */
+export declare function randomFillSync(buffer: Buffer | Uint8Array, offset?: number, size?: number): Buffer | Uint8Array;
+/**
+ * Fill a buffer with cryptographically strong pseudo-random data (async).
+ */
+export declare function randomFill(buffer: Buffer | Uint8Array, offset: number | ((err: Error | null, buf: Buffer | Uint8Array) => void), size?: number | ((err: Error | null, buf: Buffer | Uint8Array) => void), callback?: (err: Error | null, buf: Buffer | Uint8Array) => void): void;
+/**
+ * Generate a random UUID v4 string.
+ */
+export declare function randomUUID(): string;
+/**
+ * Generate a random integer between min (inclusive) and max (exclusive).
+ */
+export declare function randomInt(min: number, max?: number | ((err: Error | null, value: number) => void), callback?: (err: Error | null, value: number) => void): number | void;

package/lib/types/rsa-oaep.d.ts

@@ -0,0 +1,8 @@
+/**
+ * RSA-OAEP encrypt using PEM public key.
+ */
+export declare function rsaOaepEncrypt(hashAlgo: string, pubKeyPem: string, plaintext: Uint8Array, label?: Uint8Array): Uint8Array;
+/**
+ * RSA-OAEP decrypt using PEM private key.
+ */
+export declare function rsaOaepDecrypt(hashAlgo: string, privKeyPem: string, ciphertext: Uint8Array, label?: Uint8Array): Uint8Array;

package/lib/types/rsa-pss.d.ts

@@ -0,0 +1,8 @@
+/**
+ * RSA-PSS sign using PEM private key.
+ */
+export declare function rsaPssSign(hashAlgo: string, privKeyPem: string, data: Uint8Array, saltLength: number): Uint8Array;
+/**
+ * RSA-PSS verify using PEM public key.
+ */
+export declare function rsaPssVerify(hashAlgo: string, pubKeyPem: string, signature: Uint8Array, data: Uint8Array, saltLength: number): boolean;

package/lib/types/scrypt.d.ts

@@ -0,0 +1,11 @@
+import { Buffer } from 'node:buffer';
+export interface ScryptOptions {
+    N?: number;
+    r?: number;
+    p?: number;
+    maxmem?: number;
+}
+type ScryptCallback = (err: Error | null, derivedKey: Buffer) => void;
+export declare function scryptSync(password: string | Buffer | Uint8Array, salt: string | Buffer | Uint8Array, keylen: number, options?: ScryptOptions): Buffer;
+export declare function scrypt(password: string | Buffer | Uint8Array, salt: string | Buffer | Uint8Array, keylen: number, optionsOrCallback: ScryptOptions | ScryptCallback, callback?: ScryptCallback): void;
+export {};

package/lib/types/sign.d.ts

@@ -0,0 +1,61 @@
+import { Buffer } from 'node:buffer';
+interface KeyInput {
+    key: string;
+    passphrase?: string;
+    padding?: number;
+}
+/**
+ * The Sign class generates RSA PKCS#1 v1.5 signatures.
+ *
+ * Usage:
+ *   const sign = createSign('RSA-SHA256');
+ *   sign.update('data');
+ *   const signature = sign.sign(privateKey);
+ */
+export declare class Sign {
+    private _algorithm;
+    private _hash;
+    private _finalized;
+    constructor(algorithm: string);
+    /**
+     * Update the Sign object with the given data.
+     */
+    update(data: string | Buffer | Uint8Array, inputEncoding?: BufferEncoding): this;
+    /**
+     * Compute the signature using the private key.
+     * Returns the signature as a Buffer (or string if outputEncoding is given).
+     */
+    sign(privateKey: string | Buffer | KeyInput, outputEncoding?: BufferEncoding): Buffer | string;
+}
+/**
+ * The Verify class verifies RSA PKCS#1 v1.5 signatures.
+ *
+ * Usage:
+ *   const verify = createVerify('RSA-SHA256');
+ *   verify.update('data');
+ *   const ok = verify.verify(publicKey, signature);
+ */
+export declare class Verify {
+    private _algorithm;
+    private _hash;
+    private _finalized;
+    constructor(algorithm: string);
+    /**
+     * Update the Verify object with the given data.
+     */
+    update(data: string | Buffer | Uint8Array, inputEncoding?: BufferEncoding): this;
+    /**
+     * Verify the signature against the public key.
+     * Returns true if the signature is valid, false otherwise.
+     */
+    verify(publicKey: string | Buffer | KeyInput, signature: string | Buffer | Uint8Array, signatureEncoding?: BufferEncoding): boolean;
+}
+/**
+ * Create and return a Sign object for the given algorithm.
+ */
+export declare function createSign(algorithm: string): Sign;
+/**
+ * Create and return a Verify object for the given algorithm.
+ */
+export declare function createVerify(algorithm: string): Verify;
+export {};

package/lib/types/timing-safe-equal.d.ts

@@ -0,0 +1,6 @@
+import { Buffer } from 'node:buffer';
+/**
+ * Compare two buffers in constant time to prevent timing attacks.
+ * Both buffers must have the same length.
+ */
+export declare function timingSafeEqual(a: Buffer | Uint8Array, b: Buffer | Uint8Array): boolean;

package/lib/types/x509.d.ts

@@ -0,0 +1,72 @@
+import { Buffer } from 'node:buffer';
+import { KeyObject } from './key-object.js';
+/**
+ * X509Certificate encapsulates an X.509 certificate and provides
+ * read-only access to its information.
+ */
+export declare class X509Certificate {
+    private _components;
+    private _pem;
+    constructor(buf: string | Buffer | Uint8Array);
+    /** The DER encoded certificate data. */
+    get raw(): Buffer;
+    /** The serial number of the certificate as a hex string. */
+    get serialNumber(): string;
+    /** The subject of the certificate. */
+    get subject(): string;
+    /** The issuer of the certificate. */
+    get issuer(): string;
+    /** The start date of the certificate validity period. */
+    get validFrom(): string;
+    /** The end date of the certificate validity period. */
+    get validTo(): string;
+    /** SHA-1 fingerprint of the certificate. */
+    get fingerprint(): string;
+    /** SHA-256 fingerprint of the certificate. */
+    get fingerprint256(): string;
+    /** SHA-512 fingerprint of the certificate. */
+    get fingerprint512(): string;
+    /** The public key of the certificate as a KeyObject. */
+    get publicKey(): KeyObject;
+    /** The Subject Alternative Name extension, if present. */
+    get subjectAltName(): string | undefined;
+    /** The key usage extension (stub — returns undefined). */
+    get keyUsage(): string[] | undefined;
+    /** Information access extension (stub — returns undefined). */
+    get infoAccess(): string | undefined;
+    /** Whether this certificate is a CA certificate. */
+    get ca(): boolean;
+    /**
+     * Check whether the certificate matches the given hostname.
+     */
+    checkHost(name: string): string | undefined;
+    /**
+     * Check whether the certificate matches the given email address.
+     */
+    checkEmail(email: string): string | undefined;
+    /**
+     * Check whether the certificate matches the given IP address.
+     */
+    checkIP(ip: string): string | undefined;
+    /**
+     * Verify the certificate signature using the given public key.
+     */
+    verify(_publicKey: KeyObject): boolean;
+    /**
+     * Check whether this certificate was issued by the given issuer certificate.
+     */
+    checkIssued(otherCert: X509Certificate): boolean;
+    /**
+     * Returns a legacy certificate object for compatibility.
+     */
+    toLegacyObject(): Record<string, unknown>;
+    /**
+     * Returns the PEM-encoded certificate.
+     */
+    toString(): string;
+    /**
+     * Returns the PEM-encoded certificate in JSON context.
+     */
+    toJSON(): string;
+    get [Symbol.toStringTag](): string;
+}