@opentdf/sdk 0.9.0-beta.91 → 0.9.0-beta.93

package/dist/types/tdf3/src/crypto/index.d.ts

@@ -4,7 +4,7 @@
  * @private
  */
 import { Binary } from '../binary.js';
-import { CryptoService, DecryptResult, EncryptResult, PemKeyPair } from './declarations.js';
+import { type AsymmetricSigningAlgorithm, type CryptoService, type DecryptResult, type ECCurve, type EncryptResult, type HashAlgorithm, type HkdfParams, type KeyOptions, type KeyPair, type PrivateKey, type PublicKey, type PublicKeyInfo, type SymmetricKey } from './declarations.js';
 import { AlgorithmUrn } from '../ciphers/algorithms.js';
 export declare const isSupported: boolean;
 export declare const method = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
@@ -16,33 +16,30 @@ export declare const name = "BrowserNativeCryptoService";
 export declare function rsaOaepSha1(modulusLength?: number): RsaHashedKeyGenParams;
 export declare function rsaPkcs1Sha256(modulusLength?: number): RsaHashedKeyGenParams;
 /**
- * Generate a random hex key
- * @return New key as a hex string
+ * Generate a random symmetric key (opaque).
+ * @param length - Key length in bytes (default 32 for AES-256)
+ * @return Opaque symmetric key
  */
-export declare function generateKey(length?: number): Promise<string>;
+export declare function generateKey(length?: number): Promise<SymmetricKey>;
 /**
  * Generate an RSA key pair
  * @see    {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey}
  * @param  size in bits
  */
-export declare function generateKeyPair(size?: number): Promise<CryptoKeyPair>;
+export declare function generateKeyPair(size?: number): Promise<KeyPair>;
 /**
  * Generate an RSA key pair suitable for signatures
  * @see    {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey}
  */
-export declare function generateSigningKeyPair(): Promise<CryptoKeyPair>;
-export declare function cryptoToPemPair(keysMaybe: unknown): Promise<PemKeyPair>;
+export declare function generateSigningKeyPair(): Promise<KeyPair>;
 /**
- * Encrypt using a public key
- * @param payload Payload to encrypt
- * @param publicKey PEM formatted public key
+ * Encrypt using a public key (RSA-OAEP).
+ * Accepts Binary or SymmetricKey for key wrapping.
+ * @param payload Payload to encrypt (Binary) or symmetric key to wrap (SymmetricKey)
+ * @param publicKey Opaque public key
  * @return Encrypted payload
  */
-export declare function encryptWithPublicKey(payload: Binary, publicKey: string): Promise<Binary>;
-/**
- * Generate a 16-byte initialization vector
- */
-export declare function generateInitializationVector(length?: number): Promise<string>;
+export declare function encryptWithPublicKey(payload: Binary | SymmetricKey, publicKey: PublicKey): Promise<Binary>;
 export declare function randomBytes(byteLength: number): Promise<Uint8Array>;
 /**
  * Returns a promise to the encryption key as a binary string.
@@ -58,19 +55,19 @@ export declare function randomBytesAsHex(length: number): Promise<string>;
 /**
  * Decrypt a public-key encrypted payload with a private key
  * @param  encryptedPayload  Payload to decrypt
- * @param  privateKey        PEM formatted private keynpmv
+ * @param  privateKey        Opaque private key
  * @return Decrypted payload
  */
-export declare function decryptWithPrivateKey(encryptedPayload: Binary, privateKey: string): Promise<Binary>;
+export declare function decryptWithPrivateKey(encryptedPayload: Binary, privateKey: PrivateKey): Promise<Binary>;
 /**
  * Decrypt content synchronously
  * @param payload The payload to decrypt
- * @param key     The encryption key
+ * @param key     The symmetric encryption key (opaque)
  * @param iv      The initialization vector
  * @param algorithm The algorithm to use for encryption
  * @param authTag The authentication tag for authenticated crypto.
  */
-export declare function decrypt(payload: Binary, key: Binary, iv: Binary, algorithm?: AlgorithmUrn, authTag?: Binary): Promise<DecryptResult>;
+export declare function decrypt(payload: Binary, key: SymmetricKey, iv: Binary, algorithm?: AlgorithmUrn, authTag?: Binary): Promise<DecryptResult>;
 /**
  * Encrypt content synchronously
  * @param payload   The payload to encrypt
@@ -78,26 +75,106 @@ export declare function decrypt(payload: Binary, key: Binary, iv: Binary, algori
  * @param iv        The initialization vector
  * @param algorithm The algorithm to use for encryption
  */
-export declare function encrypt(payload: Binary, key: Binary, iv: Binary, algorithm?: AlgorithmUrn): Promise<EncryptResult>;
+export declare function encrypt(payload: Binary | SymmetricKey, key: SymmetricKey, iv: Binary, algorithm?: AlgorithmUrn): Promise<EncryptResult>;
 /**
  * Create a SHA256 hash. Code refrenced from MDN:
  * https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
  * @param  content  String content
  * @return Hex hash
  */
-export declare function sha256(content: string): Promise<string>;
-/**
- * Create an HMAC SHA256 hash
- * @param  key     Key string
- * @param  content Content string
- * @return Hex hash
- */
-export declare function hmac(key: string, content: string): Promise<string>;
 /**
  * Create an ArrayBuffer from a hex string.
  * https://developers.google.com/web/updates/2012/06/How-to-convert-ArrayBuffer-to-and-from-String?hl=en
  * @param  hex - Hex string
  */
 export declare function hex2Ab(hex: string): ArrayBuffer;
+/**
+ * Sign data with an asymmetric private key.
+ */
+export declare function sign(data: Uint8Array, privateKey: PrivateKey, algorithm: AsymmetricSigningAlgorithm): Promise<Uint8Array>;
+/**
+ * Verify signature with an asymmetric public key.
+ */
+export declare function verify(data: Uint8Array, signature: Uint8Array, publicKey: PublicKey, algorithm: AsymmetricSigningAlgorithm): Promise<boolean>;
+/**
+ * Compute hash digest.
+ */
+export declare function digest(algorithm: HashAlgorithm, data: Uint8Array): Promise<Uint8Array>;
+/**
+ * Extract PEM public key from X.509 certificate or return PEM key as-is.
+ *
+ * @param certOrPem - A PEM-encoded X.509 certificate or public key
+ * @param jwaAlgorithm - JWA algorithm hint for certificate parsing (RS256, RS512, ES256, ES384, ES512).
+ *                       If not provided for a certificate, will attempt to auto-detect from OIDs.
+ */
+export declare function extractPublicKeyPem(certOrPem: string, jwaAlgorithm?: string): Promise<string>;
+/**
+ * Generate an EC key pair for ECDH key agreement.
+ */
+export declare function generateECKeyPair(curve?: ECCurve): Promise<KeyPair>;
+/**
+ * Perform ECDH key agreement followed by HKDF key derivation.
+ * Returns opaque symmetric key for symmetric encryption.
+ */
+export declare function deriveKeyFromECDH(privateKey: PrivateKey, publicKey: PublicKey, hkdfParams: HkdfParams): Promise<SymmetricKey>;
+/**
+ * Compute HMAC-SHA256 of data with a symmetric key.
+ */
+export declare function hmac(data: Uint8Array, key: SymmetricKey): Promise<Uint8Array>;
+/**
+ * Verify HMAC-SHA256. Standalone utility — not part of CryptoService interface.
+ */
+export declare function verifyHmac(data: Uint8Array, signature: Uint8Array, key: SymmetricKey): Promise<boolean>;
+/**
+ * Import and validate a PEM public key, returning algorithm info.
+ * Uses JWK export for robust key parameter detection.
+ */
+export declare function parsePublicKeyPem(pem: string): Promise<PublicKeyInfo>;
+/**
+ * Convert a JWK (JSON Web Key) to PEM format.
+ */
+export declare function jwkToPublicKeyPem(jwk: JsonWebKey): Promise<string>;
+/**
+ * Convert a PEM public key to JWK format.
+ * Returns only public key components (no private key data).
+ */
+export declare function publicKeyPemToJwk(publicKeyPem: string): Promise<JsonWebKey>;
+/**
+ * Import a PEM public key as an opaque key.
+ */
+export declare function importPublicKey(pem: string, options: KeyOptions): Promise<PublicKey>;
+/**
+ * Import a PEM private key as an opaque key.
+ */
+export declare function importPrivateKey(pem: string, options: KeyOptions): Promise<PrivateKey>;
+/**
+ * Export an opaque public key to PEM format.
+ */
+export declare function exportPublicKeyPem(key: PublicKey): Promise<string>;
+/**
+ * Export an opaque private key to PEM format.
+ * ONLY USE FOR TESTING/DEVELOPMENT. Private keys should NOT be exportable in secure environments.
+ */
+export declare function exportPrivateKeyPem(key: PrivateKey): Promise<string>;
+/**
+ * Export an opaque public key to JWK format.
+ */
+export declare function exportPublicKeyJwk(key: PublicKey): Promise<JsonWebKey>;
+/**
+ * Import raw key bytes as an opaque symmetric key.
+ * Used for external keys (e.g., unwrapped from KAS).
+ */
+export declare function importSymmetricKey(keyBytes: Uint8Array): Promise<SymmetricKey>;
+/**
+ * Split a symmetric key into N shares using XOR secret sharing.
+ * Key bytes are extracted internally for splitting.
+ * HSM implementations cannot extract bytes and should throw ConfigurationError.
+ */
+export declare function splitSymmetricKey(key: SymmetricKey, numShares: number): Promise<SymmetricKey[]>;
+/**
+ * Merge symmetric key shares back into the original key using XOR.
+ * Key bytes are extracted internally for merging.
+ */
+export declare function mergeSymmetricKeys(shares: SymmetricKey[]): Promise<SymmetricKey>;
 export declare const DefaultCryptoService: CryptoService;
 //# sourceMappingURL=index.d.ts.map

package/dist/types/tdf3/src/crypto/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/crypto/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EACL,aAAa,EACb,aAAa,EACb,aAAa,EAEb,UAAU,EACX,MAAM,mBAAmB,CAAC;AAK3B,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAIxD,eAAO,MAAM,WAAW,SAA4C,CAAC;AAErE,eAAO,MAAM,MAAM,gDAAgD,CAAC;AACpE,eAAO,MAAM,IAAI,+BAA+B,CAAC;AAEjD;;;GAGG;AACH,wBAAgB,WAAW,CACzB,aAAa,GAAE,MAAqC,GACnD,qBAAqB,CAYvB;AAED,wBAAgB,cAAc,CAC5B,aAAa,GAAE,MAAqC,GACnD,qBAAqB,CAYvB;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAElE;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAG3E;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,aAAa,CAAC,CAWrE;AAED,wBAAsB,eAAe,CAAC,SAAS,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAe7E;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAmB9F;AAED;;GAEG;AACH,wBAAsB,4BAA4B,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEnF;AAED,wBAAsB,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAIzE;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAKtE;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CACzC,gBAAgB,EAAE,MAAM,EACxB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAkBjB;AAED;;;;;;;GAOG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,EACxB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,CAAC,CAExB;AAED;;;;;;GAMG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,GACvB,OAAO,CAAC,aAAa,CAAC,CAExB;AA6FD;;;;;GAKG;AACH,wBAAsB,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI7D;AAED;;;;;GAKG;AACH,wBAAsB,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAexE;AAED;;;;GAIG;AACH,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAS/C;AAED,eAAO,MAAM,oBAAoB,EAAE,aAelC,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/crypto/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EACL,KAAK,0BAA0B,EAC/B,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,OAAO,EACZ,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,UAAU,EAEf,KAAK,UAAU,EACf,KAAK,OAAO,EAEZ,KAAK,UAAU,EACf,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,YAAY,EAClB,MAAM,mBAAmB,CAAC;AAK3B,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAYxD,eAAO,MAAM,WAAW,SAA4C,CAAC;AAErE,eAAO,MAAM,MAAM,gDAAgD,CAAC;AACpE,eAAO,MAAM,IAAI,+BAA+B,CAAC;AAEjD;;;GAGG;AACH,wBAAgB,WAAW,CACzB,aAAa,GAAE,MAAqC,GACnD,qBAAqB,CAYvB;AAED,wBAAgB,cAAc,CAC5B,aAAa,GAAE,MAAqC,GACnD,qBAAqB,CAYvB;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAGxE;AAsFD;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAqBrE;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,OAAO,CAAC,CAS/D;AAED;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,GAAG,YAAY,EAC9B,SAAS,EAAE,SAAS,GACnB,OAAO,CAAC,MAAM,CAAC,CAejB;AAED,wBAAsB,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAIzE;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAKtE;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CACzC,gBAAgB,EAAE,MAAM,EACxB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,MAAM,CAAC,CAWjB;AAED;;;;;;;GAOG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,YAAY,EACjB,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,EACxB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,CAAC,CAExB;AAED;;;;;;GAMG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,MAAM,GAAG,YAAY,EAC9B,GAAG,EAAE,YAAY,EACjB,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,GACvB,OAAO,CAAC,aAAa,CAAC,CAExB;AA0GD;;;;;GAKG;AAEH;;;;GAIG;AACH,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAS/C;AAyKD;;GAEG;AACH,wBAAsB,IAAI,CACxB,IAAI,EAAE,UAAU,EAChB,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,0BAA0B,GACpC,OAAO,CAAC,UAAU,CAAC,CAWrB;AAED;;GAEG;AACH,wBAAsB,MAAM,CAC1B,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,EACrB,SAAS,EAAE,SAAS,EACpB,SAAS,EAAE,0BAA0B,GACpC,OAAO,CAAC,OAAO,CAAC,CAWlB;AAED;;GAEG;AACH,wBAAsB,MAAM,CAAC,SAAS,EAAE,aAAa,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAS5F;AAED;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CACvC,SAAS,EAAE,MAAM,EACjB,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,CAqBjB;AAkBD;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,GAAE,OAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,CA4BlF;AAiCD;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,YAAY,CAAC,CA+CvB;AAED;;GAEG;AACH,wBAAsB,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CAanF;AAED;;GAEG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,EACrB,GAAG,EAAE,YAAY,GAChB,OAAO,CAAC,OAAO,CAAC,CAUlB;AAuBD;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAmD3E;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAqBxE;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAoCjF;AAMD;;GAEG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CA8D1F;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAqG5F;AAMD;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAIxE;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAI1E;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAG5E;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,QAAQ,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC,CAEpF;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,YAAY,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,YAAY,EAAE,CAAC,CAIzB;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC,CAItF;AAED,eAAO,MAAM,oBAAoB,EAAE,aA6BlC,CAAC"}

package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts

@@ -0,0 +1,3 @@
+import type { JWTHeaderParameters, JWTPayload, JWTVerifyOptions } from 'jose';
+export default function joseJwtClaimsSet(protectedHeader: JWTHeaderParameters, encodedPayload: Uint8Array, options?: JWTVerifyOptions): JWTPayload;
+//# sourceMappingURL=jwt-claims-set.d.ts.map

package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-claims-set.d.ts","sourceRoot":"","sources":["../../../../../../tdf3/src/crypto/jose/jwt-claims-set.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,MAAM,CAAC;AAG9E,MAAM,CAAC,OAAO,UAAU,gBAAgB,CACtC,eAAe,EAAE,mBAAmB,EACpC,cAAc,EAAE,UAAU,EAC1B,OAAO,CAAC,EAAE,gBAAgB,GACzB,UAAU,CAEZ"}

package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts

@@ -0,0 +1,5 @@
+declare const _default: (Err: new (message?: string, options?: {
+    cause?: unknown;
+}) => Error, recognizedDefault: Map<string, boolean>, recognizedOption: Record<string, boolean> | undefined, protectedHeader: Record<string, unknown> | undefined, joseHeader: Record<string, unknown>) => Set<string>;
+export default _default;
+//# sourceMappingURL=validate-crit.d.ts.map

package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-crit.d.ts","sourceRoot":"","sources":["../../../../../../tdf3/src/crypto/jose/validate-crit.ts"],"names":[],"mappings":"wBAE+B,CAC7B,GAAG,EAAE,KAAK,OAAO,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAA;CAAE,KAAK,KAAK,EACnE,iBAAiB,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,EACvC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,EACrD,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,EACpD,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAChC,GAAG,CAAC,MAAM,CAAC;AANhB,wBAMiB"}

package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts

@@ -0,0 +1,6 @@
+export declare const encoder: TextEncoder;
+export declare const decoder: TextDecoder;
+export declare function concat(...buffers: any[]): Uint8Array<any>;
+export declare function uint64be(value: any): Uint8Array<ArrayBuffer>;
+export declare function uint32be(value: any): Uint8Array<ArrayBuffer>;
+//# sourceMappingURL=buffer_utils.d.ts.map

package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"buffer_utils.d.ts","sourceRoot":"","sources":["../../../../../../../../tdf3/src/crypto/jose/vendor/lib/buffer_utils.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,OAAO,aAAoB,CAAC;AACzC,eAAO,MAAM,OAAO,aAAoB,CAAC;AAEzC,wBAAgB,MAAM,CAAC,GAAG,OAAO,OAAA,mBAShC;AAOD,wBAAgB,QAAQ,CAAC,KAAK,KAAA,2BAO7B;AACD,wBAAgB,QAAQ,CAAC,KAAK,KAAA,2BAI7B"}

package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts

@@ -0,0 +1,3 @@
+declare const _default: (date: any) => number;
+export default _default;
+//# sourceMappingURL=epoch.d.ts.map

package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"epoch.d.ts","sourceRoot":"","sources":["../../../../../../../../tdf3/src/crypto/jose/vendor/lib/epoch.ts"],"names":[],"mappings":"yBAEgB,SAAI;AAApB,wBAA2D"}

package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts

@@ -0,0 +1,3 @@
+declare const _default: (input: any) => boolean;
+export default _default;
+//# sourceMappingURL=is_object.d.ts.map

package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"is_object.d.ts","sourceRoot":"","sources":["../../../../../../../../tdf3/src/crypto/jose/vendor/lib/is_object.ts"],"names":[],"mappings":"yBAKgB,UAAK;AAArB,wBAYE"}

package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts

@@ -0,0 +1,3 @@
+declare const _default: (protectedHeader: any, encodedPayload: any, options?: {}) => any;
+export default _default;
+//# sourceMappingURL=jwt_claims_set.d.ts.map

package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt_claims_set.d.ts","sourceRoot":"","sources":["../../../../../../../../tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.ts"],"names":[],"mappings":"yBAiBgB,oBAAe,EAAE,mBAAc,EAAE,YAAY;AAA7D,wBAwFE"}

package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts

@@ -0,0 +1,3 @@
+declare const _default: (str: any) => number;
+export default _default;
+//# sourceMappingURL=secs.d.ts.map

package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secs.d.ts","sourceRoot":"","sources":["../../../../../../../../tdf3/src/crypto/jose/vendor/lib/secs.ts"],"names":[],"mappings":"yBAQgB,QAAG;AAAnB,wBAgDE"}

package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts

@@ -0,0 +1,3 @@
+declare const _default: (Err: any, recognizedDefault: any, recognizedOption: any, protectedHeader: any, joseHeader: any) => Set<unknown>;
+export default _default;
+//# sourceMappingURL=validate_crit.d.ts.map

package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate_crit.d.ts","sourceRoot":"","sources":["../../../../../../../../tdf3/src/crypto/jose/vendor/lib/validate_crit.ts"],"names":[],"mappings":"yBAGgB,QAAG,EAAE,sBAAiB,EAAE,qBAAgB,EAAE,oBAAe,EAAE,eAAU;AAArF,wBA+BE"}

package/dist/types/tdf3/src/crypto/jose/vendor/util/errors.d.ts

@@ -0,0 +1,76 @@
+export declare class JOSEError extends Error {
+    static code: string;
+    code: string;
+    constructor(message: any, options: any);
+}
+export declare class JWTClaimValidationFailed extends JOSEError {
+    static code: string;
+    code: string;
+    claim: string;
+    reason: string;
+    payload: any;
+    constructor(message: any, payload: any, claim?: string, reason?: string);
+}
+export declare class JWTExpired extends JOSEError {
+    static code: string;
+    code: string;
+    claim: string;
+    reason: string;
+    payload: any;
+    constructor(message: any, payload: any, claim?: string, reason?: string);
+}
+export declare class JOSEAlgNotAllowed extends JOSEError {
+    static code: string;
+    code: string;
+}
+export declare class JOSENotSupported extends JOSEError {
+    static code: string;
+    code: string;
+}
+export declare class JWEDecryptionFailed extends JOSEError {
+    static code: string;
+    code: string;
+    constructor(message: string | undefined, options: any);
+}
+export declare class JWEInvalid extends JOSEError {
+    static code: string;
+    code: string;
+}
+export declare class JWSInvalid extends JOSEError {
+    static code: string;
+    code: string;
+}
+export declare class JWTInvalid extends JOSEError {
+    static code: string;
+    code: string;
+}
+export declare class JWKInvalid extends JOSEError {
+    static code: string;
+    code: string;
+}
+export declare class JWKSInvalid extends JOSEError {
+    static code: string;
+    code: string;
+}
+export declare class JWKSNoMatchingKey extends JOSEError {
+    static code: string;
+    code: string;
+    constructor(message: string | undefined, options: any);
+}
+export declare class JWKSMultipleMatchingKeys extends JOSEError {
+    [Symbol.asyncIterator]: any;
+    static code: string;
+    code: string;
+    constructor(message: string | undefined, options: any);
+}
+export declare class JWKSTimeout extends JOSEError {
+    static code: string;
+    code: string;
+    constructor(message: string | undefined, options: any);
+}
+export declare class JWSSignatureVerificationFailed extends JOSEError {
+    static code: string;
+    code: string;
+    constructor(message: string | undefined, options: any);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/types/tdf3/src/crypto/jose/vendor/util/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../../../../../../tdf3/src/crypto/jose/vendor/util/errors.ts"],"names":[],"mappings":"AAEA,qBAAa,SAAU,SAAQ,KAAK;IAChC,MAAM,CAAC,IAAI,SAAsB;IACjC,IAAI,SAAsB;gBACd,OAAO,KAAA,EAAE,OAAO,KAAA;CAK/B;AACD,qBAAa,wBAAyB,SAAQ,SAAS;IACnD,MAAM,CAAC,IAAI,SAAqC;IAChD,IAAI,SAAqC;IACzC,KAAK,SAAC;IACN,MAAM,SAAC;IACP,OAAO,MAAC;gBACI,OAAO,KAAA,EAAE,OAAO,KAAA,EAAE,KAAK,SAAgB,EAAE,MAAM,SAAgB;CAM9E;AACD,qBAAa,UAAW,SAAQ,SAAS;IACrC,MAAM,CAAC,IAAI,SAAqB;IAChC,IAAI,SAAqB;IACzB,KAAK,SAAC;IACN,MAAM,SAAC;IACP,OAAO,MAAC;gBACI,OAAO,KAAA,EAAE,OAAO,KAAA,EAAE,KAAK,SAAgB,EAAE,MAAM,SAAgB;CAM9E;AACD,qBAAa,iBAAkB,SAAQ,SAAS;IAC5C,MAAM,CAAC,IAAI,SAA8B;IACzC,IAAI,SAA8B;CACrC;AACD,qBAAa,gBAAiB,SAAQ,SAAS;IAC3C,MAAM,CAAC,IAAI,SAA4B;IACvC,IAAI,SAA4B;CACnC;AACD,qBAAa,mBAAoB,SAAQ,SAAS;IAC9C,MAAM,CAAC,IAAI,SAA+B;IAC1C,IAAI,SAA+B;gBACvB,OAAO,oBAAgC,EAAE,OAAO,KAAA;CAG/D;AACD,qBAAa,UAAW,SAAQ,SAAS;IACrC,MAAM,CAAC,IAAI,SAAqB;IAChC,IAAI,SAAqB;CAC5B;AACD,qBAAa,UAAW,SAAQ,SAAS;IACrC,MAAM,CAAC,IAAI,SAAqB;IAChC,IAAI,SAAqB;CAC5B;AACD,qBAAa,UAAW,SAAQ,SAAS;IACrC,MAAM,CAAC,IAAI,SAAqB;IAChC,IAAI,SAAqB;CAC5B;AACD,qBAAa,UAAW,SAAQ,SAAS;IACrC,MAAM,CAAC,IAAI,SAAqB;IAChC,IAAI,SAAqB;CAC5B;AACD,qBAAa,WAAY,SAAQ,SAAS;IACtC,MAAM,CAAC,IAAI,SAAsB;IACjC,IAAI,SAAsB;CAC7B;AACD,qBAAa,iBAAkB,SAAQ,SAAS;IAC5C,MAAM,CAAC,IAAI,SAA8B;IACzC,IAAI,SAA8B;gBACtB,OAAO,oBAAoD,EAAE,OAAO,KAAA;CAGnF;AACD,qBAAa,wBAAyB,SAAQ,SAAS;IACnD,CAAC,MAAM,CAAC,aAAa,CAAC,MAAC;IACvB,MAAM,CAAC,IAAI,SAAqC;IAChD,IAAI,SAAqC;gBAC7B,OAAO,oBAAyD,EAAE,OAAO,KAAA;CAGxF;AACD,qBAAa,WAAY,SAAQ,SAAS;IACtC,MAAM,CAAC,IAAI,SAAsB;IACjC,IAAI,SAAsB;gBACd,OAAO,oBAAsB,EAAE,OAAO,KAAA;CAGrD;AACD,qBAAa,8BAA+B,SAAQ,SAAS;IACzD,MAAM,CAAC,IAAI,SAA2C;IACtD,IAAI,SAA2C;gBACnC,OAAO,oBAAkC,EAAE,OAAO,KAAA;CAGjE"}

package/dist/types/tdf3/src/crypto/jwt.d.ts

@@ -0,0 +1,76 @@
+import { type CryptoService, type PrivateKey, type PublicKey, type SigningAlgorithm, type SymmetricKey } from './declarations.js';
+import { type JWTHeaderParameters, type JWTPayload, type JWTVerifyOptions, type SignOptions } from 'jose';
+export type JwtHeader = JWTHeaderParameters & {
+    alg: SigningAlgorithm;
+};
+export type JwtPayload = JWTPayload;
+/**
+ * Options for JWT signing. Matches jose SignOptions interface.
+ */
+export type SignJwtOptions = SignOptions;
+/**
+ * Options for JWT verification. Matches jose JWTVerifyOptions interface.
+ * Combines signature verification options and JWT claim verification options.
+ */
+export type VerifyJwtOptions = Omit<JWTVerifyOptions, 'algorithms'> & {
+    /**
+     * A list of accepted JWS "alg" (Algorithm) Header Parameter values.
+     * By default all algorithms supported by the CryptoService are allowed.
+     * Unsecured JWTs ({ "alg": "none" }) are never accepted.
+     */
+    algorithms?: SigningAlgorithm[];
+};
+/**
+ * Base64url encode data per RFC 4648 Section 5.
+ * Uses URL-safe alphabet (- and _ instead of + and /) with no padding.
+ * Exported for testing purposes.
+ */
+export declare function base64urlEncode(data: string | Uint8Array): string;
+/**
+ * Decode the protected header from a JWT without verifying the signature.
+ * Useful for inspecting the header to determine key type before verification.
+ *
+ * @param token - The JWT string
+ * @returns The decoded header
+ * @throws Error if the token is malformed or uses alg "none"
+ */
+export declare function decodeProtectedHeader(token: string): JwtHeader;
+/**
+ * Sign a JWT using CryptoService. Replaces jose SignJWT.
+ *
+ * Implementation:
+ * 1. Base64url encode header and payload as JSON
+ * 2. Create signing input: `${headerB64}.${payloadB64}`
+ * 3. Sign via cryptoService.sign() (asymmetric) or hmac() (HS256)
+ * 4. Return compact JWT: `${headerB64}.${payloadB64}.${signatureB64}`
+ *
+ * @param cryptoService - Crypto implementation to use
+ * @param payload - JWT payload (claims)
+ * @param key - PEM-encoded private key for asymmetric algorithms, or raw key bytes for HS256
+ * @param header - JWT header (must include alg)
+ * @param options - Optional signing options (e.g., crit header handling)
+ * @returns Compact JWT string
+ */
+export declare function signJwt(cryptoService: CryptoService, payload: JwtPayload, key: PrivateKey | SymmetricKey, header: JwtHeader, options?: SignJwtOptions): Promise<string>;
+/**
+ * Verify a JWT and return its contents. Replaces jose jwtVerify.
+ *
+ * Implementation:
+ * 1. Split token into header.payload.signature
+ * 2. Decode header, validate algorithm against allowlist
+ * 3. Verify signature via cryptoService.verify() (asymmetric) or verifyHmac() (HS256)
+ * 4. Validate JWT claims (aud, iss, exp, nbf, etc.)
+ * 5. Return decoded header and payload
+ *
+ * @param cryptoService - Crypto implementation to use
+ * @param token - The JWT string to verify
+ * @param key - For asymmetric: PEM string or PublicKey (opaque). For HS256: Uint8Array or SymmetricKey (opaque).
+ * @param options - Verification options including algorithm allowlist and claim validations
+ * @throws Error if signature invalid, algorithm not in allowlist, claims invalid, or token malformed
+ * @returns Decoded header and payload
+ */
+export declare function verifyJwt(cryptoService: CryptoService, token: string, key: string | Uint8Array | PublicKey | SymmetricKey, options?: VerifyJwtOptions): Promise<{
+    header: JwtHeader;
+    payload: JwtPayload;
+}>;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/types/tdf3/src/crypto/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/crypto/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,aAAa,EAClB,KAAK,UAAU,EACf,KAAK,SAAS,EACd,KAAK,gBAAgB,EACrB,KAAK,YAAY,EAClB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAGL,KAAK,mBAAmB,EACxB,KAAK,UAAU,EACf,KAAK,gBAAgB,EACrB,KAAK,WAAW,EACjB,MAAM,MAAM,CAAC;AAId,MAAM,MAAM,SAAS,GAAG,mBAAmB,GAAG;IAAE,GAAG,EAAE,gBAAgB,CAAA;CAAE,CAAC;AACxE,MAAM,MAAM,UAAU,GAAG,UAAU,CAAC;AAEpC;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,WAAW,CAAC;AAEzC;;;GAGG;AACH,MAAM,MAAM,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,EAAE,YAAY,CAAC,GAAG;IACpE;;;;OAIG;IACH,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAC;CACjC,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,MAAM,CAUjE;AAwBD;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,CAE9D;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,OAAO,CAC3B,aAAa,EAAE,aAAa,EAC5B,OAAO,EAAE,UAAU,EACnB,GAAG,EAAE,UAAU,GAAG,YAAY,EAC9B,MAAM,EAAE,SAAS,EACjB,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,MAAM,CAAC,CA+BjB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,SAAS,CAC7B,aAAa,EAAE,aAAa,EAC5B,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS,GAAG,YAAY,EACnD,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,CAAC,CAsFrD"}

package/dist/types/tdf3/src/crypto/salt.d.ts

@@ -1,2 +1,7 @@
-export declare const ztdfSalt: Promise<Uint8Array<ArrayBuffer>>;
+import type { CryptoService } from './declarations.js';
+/**
+ * Get the ZTDF salt (SHA-256 of "TDF").
+ * Lazily computed on first call and cached thereafter.
+ */
+export declare function getZtdfSalt(cryptoService: CryptoService): Promise<Uint8Array>;
 //# sourceMappingURL=salt.d.ts.map

package/dist/types/tdf3/src/crypto/salt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"salt.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/crypto/salt.ts"],"names":[],"mappings":"AAUA,eAAO,MAAM,QAAQ,kCAAiB,CAAC"}
+{"version":3,"file":"salt.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/crypto/salt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAIvD;;;GAGG;AACH,wBAAsB,WAAW,CAAC,aAAa,EAAE,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC,CAUnF"}

package/dist/types/tdf3/src/models/encryption-information.d.ts

@@ -2,10 +2,10 @@ import { Binary } from '../binary.js';
 import { type SymmetricCipher } from '../ciphers/symmetric-cipher-base.js';
 import { type KeyAccess, type KeyAccessObject } from './key-access.js';
 import { type Policy } from './policy.js';
-import { type CryptoService, type DecryptResult, type EncryptResult } from '../crypto/declarations.js';
+import { type CryptoService, type DecryptResult, type EncryptResult, type SymmetricKey } from '../crypto/declarations.js';
 import { IntegrityAlgorithm } from '../tdf.js';
 export type KeyInfo = {
-    readonly unwrappedKeyBinary: Binary;
+    readonly unwrappedKey: SymmetricKey;
     readonly unwrappedKeyIvBinary: Binary;
 };
 export type Segment = {
@@ -40,8 +40,8 @@ export declare class SplitKey {
     keyAccess: KeyAccess[];
     constructor(cipher: SymmetricCipher);
     generateKey(): Promise<KeyInfo>;
-    encrypt(contentBinary: Binary, keyBinary: Binary, ivBinaryOptional?: Binary): Promise<EncryptResult>;
-    decrypt(content: Uint8Array, keyBinary: Binary): Promise<DecryptResult>;
+    encrypt(contentBinary: Binary, key: SymmetricKey, ivBinaryOptional?: Binary): Promise<EncryptResult>;
+    decrypt(content: Uint8Array, key: SymmetricKey): Promise<DecryptResult>;
     getKeyAccessObjects(policy: Policy, keyInfo: KeyInfo): Promise<KeyAccessObject[]>;
     generateIvBinary(): Promise<Binary>;
     write(policy: Policy, keyInfo: KeyInfo): Promise<EncryptionInformation>;

package/dist/types/tdf3/src/models/encryption-information.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"encryption-information.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/models/encryption-information.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,qCAAqC,CAAC;AAC3E,OAAO,EAAE,KAAK,SAAS,EAAE,KAAK,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACvE,OAAO,EAAE,KAAK,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,aAAa,EACnB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAG/C,MAAM,MAAM,OAAO,GAAG;IACpB,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;CACvC,CAAC;AAEF,MAAM,MAAM,OAAO,GAAG;IACpB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAE9B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;CACxC,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,OAAO,CAAC;AAEhC,MAAM,MAAM,qBAAqB,GAAG;IAClC,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,SAAS,EAAE,eAAe,EAAE,CAAC;IACtC,QAAQ,CAAC,oBAAoB,EAAE;QAC7B,QAAQ,CAAC,aAAa,EAAE;YACtB,GAAG,EAAE,kBAAkB,CAAC;YACxB,GAAG,EAAE,MAAM,CAAC;SACb,CAAC;QACF,cAAc,CAAC,EAAE,kBAAkB,CAAC;QACpC,QAAQ,EAAE,OAAO,EAAE,CAAC;QACpB,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,2BAA2B,CAAC,EAAE,MAAM,CAAC;KACtC,CAAC;IACF,QAAQ,CAAC,MAAM,EAAE;QACf,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;QAC3B,YAAY,EAAE,OAAO,CAAC;QACtB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,qBAAa,QAAQ;aAIS,MAAM,EAAE,eAAe;IAHnD,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,SAAS,EAAE,SAAS,EAAE,CAAC;gBAEK,MAAM,EAAE,eAAe;IAK7C,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAO/B,OAAO,CACX,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,EACjB,gBAAgB,CAAC,EAAE,MAAM,GACxB,OAAO,CAAC,aAAa,CAAC;IAKnB,OAAO,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAIvE,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IAyDjF,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;IAKnC,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,qBAAqB,CAAC;CA8B9E"}
+{"version":3,"file":"encryption-information.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/models/encryption-information.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,qCAAqC,CAAC;AAC3E,OAAO,EAAE,KAAK,SAAS,EAAE,KAAK,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACvE,OAAO,EAAE,KAAK,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,YAAY,EAClB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAG/C,MAAM,MAAM,OAAO,GAAG;IACpB,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;IACpC,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;CACvC,CAAC;AAEF,MAAM,MAAM,OAAO,GAAG;IACpB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAE9B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;CACxC,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,OAAO,CAAC;AAEhC,MAAM,MAAM,qBAAqB,GAAG;IAClC,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,SAAS,EAAE,eAAe,EAAE,CAAC;IACtC,QAAQ,CAAC,oBAAoB,EAAE;QAC7B,QAAQ,CAAC,aAAa,EAAE;YACtB,GAAG,EAAE,kBAAkB,CAAC;YACxB,GAAG,EAAE,MAAM,CAAC;SACb,CAAC;QACF,cAAc,CAAC,EAAE,kBAAkB,CAAC;QACpC,QAAQ,EAAE,OAAO,EAAE,CAAC;QACpB,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,2BAA2B,CAAC,EAAE,MAAM,CAAC;KACtC,CAAC;IACF,QAAQ,CAAC,MAAM,EAAE;QACf,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;QAC3B,YAAY,EAAE,OAAO,CAAC;QACtB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,qBAAa,QAAQ;aAIS,MAAM,EAAE,eAAe;IAHnD,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,SAAS,EAAE,SAAS,EAAE,CAAC;gBAEK,MAAM,EAAE,eAAe;IAK7C,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAM/B,OAAO,CACX,aAAa,EAAE,MAAM,EACrB,GAAG,EAAE,YAAY,EACjB,gBAAgB,CAAC,EAAE,MAAM,GACxB,OAAO,CAAC,aAAa,CAAC;IAKnB,OAAO,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,aAAa,CAAC;IAIvE,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IAmDjF,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;IAKnC,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,qBAAqB,CAAC;CA8B9E"}

package/dist/types/tdf3/src/models/key-access.d.ts

@@ -1,3 +1,4 @@
+import type { CryptoService, KeyPair, SymmetricKey } from '../crypto/declarations.js';
 import { Policy } from './policy.js';
 export type KeyAccessType = 'remote' | 'wrapped' | 'ec-wrapped';
 export declare const schemaVersion = "1.0";
@@ -6,23 +7,25 @@ export declare class ECWrapped {
     readonly kid: string | undefined;
     readonly publicKey: string;
     readonly metadata: unknown;
+    readonly cryptoService: CryptoService;
     readonly sid?: string | undefined;
     readonly type = "ec-wrapped";
-    readonly ephemeralKeyPair: Promise<CryptoKeyPair>;
+    readonly ephemeralKeyPair: Promise<KeyPair>;
     keyAccessObject?: KeyAccessObject;
-    constructor(url: string, kid: string | undefined, publicKey: string, metadata: unknown, sid?: string | undefined);
-    write(policy: Policy, dek: Uint8Array, encryptedMetadataStr: string): Promise<KeyAccessObject>;
+    constructor(url: string, kid: string | undefined, publicKey: string, metadata: unknown, cryptoService: CryptoService, sid?: string | undefined);
+    write(policy: Policy, dek: SymmetricKey, encryptedMetadataStr: string): Promise<KeyAccessObject>;
 }
 export declare class Wrapped {
     readonly url: string;
     readonly kid: string | undefined;
     readonly publicKey: string;
     readonly metadata: unknown;
+    readonly cryptoService: CryptoService;
     readonly sid?: string | undefined;
     readonly type = "wrapped";
     keyAccessObject?: KeyAccessObject;
-    constructor(url: string, kid: string | undefined, publicKey: string, metadata: unknown, sid?: string | undefined);
-    write(policy: Policy, keyBuffer: Uint8Array, encryptedMetadataStr: string): Promise<KeyAccessObject>;
+    constructor(url: string, kid: string | undefined, publicKey: string, metadata: unknown, cryptoService: CryptoService, sid?: string | undefined);
+    write(policy: Policy, key: SymmetricKey, encryptedMetadataStr: string): Promise<KeyAccessObject>;
 }
 export type KeyAccess = ECWrapped | Wrapped;
 /**

package/dist/types/tdf3/src/models/key-access.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"key-access.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/models/key-access.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC,MAAM,MAAM,aAAa,GAAG,QAAQ,GAAG,SAAS,GAAG,YAAY,CAAC;AAEhE,eAAO,MAAM,aAAa,QAAQ,CAAC;AAEnC,qBAAa,SAAS;aAMF,GAAG,EAAE,MAAM;aACX,GAAG,EAAE,MAAM,GAAG,SAAS;aACvB,SAAS,EAAE,MAAM;aACjB,QAAQ,EAAE,OAAO;aACjB,GAAG,CAAC,EAAE,MAAM;IAT9B,QAAQ,CAAC,IAAI,gBAAgB;IAC7B,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;IAClD,eAAe,CAAC,EAAE,eAAe,CAAC;gBAGhB,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,OAAO,EACjB,GAAG,CAAC,EAAE,MAAM,YAAA;IAYxB,KAAK,CACT,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,UAAU,EACf,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC,eAAe,CAAC;CA4C5B;AAED,qBAAa,OAAO;aAKA,GAAG,EAAE,MAAM;aACX,GAAG,EAAE,MAAM,GAAG,SAAS;aACvB,SAAS,EAAE,MAAM;aACjB,QAAQ,EAAE,OAAO;aACjB,GAAG,CAAC,EAAE,MAAM;IAR9B,QAAQ,CAAC,IAAI,aAAa;IAC1B,eAAe,CAAC,EAAE,eAAe,CAAC;gBAGhB,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,OAAO,EACjB,GAAG,CAAC,EAAE,MAAM,YAAA;IAGxB,KAAK,CACT,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,UAAU,EACrB,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC,eAAe,CAAC;CAkC5B;AAED,MAAM,MAAM,SAAS,GAAG,SAAS,GAAG,OAAO,CAAC;AAE5C;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B;;;;OAIG;IACH,IAAI,EAAE,aAAa,CAAC;IAEpB;;;;;;OAMG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,QAAQ,EAAE,KAAK,CAAC;IAEhB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;;;OAKG;IACH,aAAa,CAAC,EAAE;QACd,GAAG,EAAE,MAAM,CAAC;QACZ,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;IAEF;;;;;OAKG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;OAEG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC"}
+{"version":3,"file":"key-access.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/models/key-access.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAGtF,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC,MAAM,MAAM,aAAa,GAAG,QAAQ,GAAG,SAAS,GAAG,YAAY,CAAC;AAEhE,eAAO,MAAM,aAAa,QAAQ,CAAC;AAEnC,qBAAa,SAAS;aAMF,GAAG,EAAE,MAAM;aACX,GAAG,EAAE,MAAM,GAAG,SAAS;aACvB,SAAS,EAAE,MAAM;aACjB,QAAQ,EAAE,OAAO;aACjB,aAAa,EAAE,aAAa;aAC5B,GAAG,CAAC,EAAE,MAAM;IAV9B,QAAQ,CAAC,IAAI,gBAAgB;IAC7B,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5C,eAAe,CAAC,EAAE,eAAe,CAAC;gBAGhB,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,OAAO,EACjB,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,MAAM,YAAA;IAMxB,KAAK,CACT,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,YAAY,EACjB,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC,eAAe,CAAC;CAmE5B;AAED,qBAAa,OAAO;aAKA,GAAG,EAAE,MAAM;aACX,GAAG,EAAE,MAAM,GAAG,SAAS;aACvB,SAAS,EAAE,MAAM;aACjB,QAAQ,EAAE,OAAO;aACjB,aAAa,EAAE,aAAa;aAC5B,GAAG,CAAC,EAAE,MAAM;IAT9B,QAAQ,CAAC,IAAI,aAAa;IAC1B,eAAe,CAAC,EAAE,eAAe,CAAC;gBAGhB,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,OAAO,EACjB,aAAa,EAAE,aAAa,EAC5B,GAAG,CAAC,EAAE,MAAM,YAAA;IAGxB,KAAK,CACT,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,YAAY,EACjB,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC,eAAe,CAAC;CAkC5B;AAED,MAAM,MAAM,SAAS,GAAG,SAAS,GAAG,OAAO,CAAC;AAE5C;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B;;;;OAIG;IACH,IAAI,EAAE,aAAa,CAAC;IAEpB;;;;;;OAMG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,QAAQ,EAAE,KAAK,CAAC;IAEhB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;;;OAKG;IACH,aAAa,CAAC,EAAE;QACd,GAAG,EAAE,MAAM,CAAC;QACZ,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;IAEF;;;;;OAKG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;OAEG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAAC"}

package/dist/types/tdf3/src/tdf.d.ts

@@ -2,11 +2,10 @@ import { KasPublicKeyAlgorithm, KasPublicKeyInfo, OriginAllowList } from '../../
 import { type AuthProvider } from '../../src/auth/auth.js';
 import { type Chunker } from '../../src/seekable.js';
 import { AssertionConfig, AssertionVerificationKeys } from './assertions.js';
-import { Binary } from './binary.js';
 import { SymmetricCipher } from './ciphers/symmetric-cipher-base.js';
 import { DecryptParams } from './client/builders.js';
 import { DecoratedReadableStream } from './client/DecoratedReadableStream.js';
-import { type CryptoService, type DecryptResult } from './crypto/declarations.js';
+import { type CryptoService, type DecryptResult, type KeyPair, type SymmetricKey } from './crypto/declarations.js';
 import { KeyAccessType, KeyInfo, Manifest, Policy, SplitKey, KeyAccess, KeyAccessObject, SplitType } from './models/index.js';
 import { ZipReader } from './utils/index.js';
 import { CentralDirectory } from './utils/zip-reader.js';
@@ -30,6 +29,7 @@ export type BuildKeyAccess = {
     publicKey: string;
     metadata?: Metadata;
     sid?: string;
+    cryptoService: CryptoService;
 };
 type Mailbox<T> = Promise<T> & {
     set: (value: T) => void;
@@ -46,7 +46,7 @@ export type IntegrityAlgorithm = 'GMAC' | 'HS256';
 export type EncryptConfiguration = {
     allowList?: OriginAllowList;
     cryptoService: CryptoService;
-    dpopKeys: CryptoKeyPair;
+    dpopKeys: KeyPair;
     encryptionInformation: SplitKey;
     segmentSizeDefault: number;
     integrityAlgorithm: IntegrityAlgorithm;
@@ -69,7 +69,7 @@ export type DecryptConfiguration = {
     allowList?: OriginAllowList;
     authProvider: AuthProvider;
     cryptoService: CryptoService;
-    dpopKeys: CryptoKeyPair;
+    dpopKeys: KeyPair;
     chunker: Chunker;
     keyMiddleware: KeyMiddleware;
     progressHandler?: (bytesProcessed: number) => void;
@@ -96,7 +96,7 @@ export type KasPublicKeyFormat = 'pkcs8' | 'jwks';
  * the value from `${kas}/kas_public_key`.
  */
 export declare function fetchKasPublicKey(kas: string, algorithm?: KasPublicKeyAlgorithm, kid?: string): Promise<KasPublicKeyInfo>;
-export declare function extractPemFromKeyString(keyString: string, alg: KasPublicKeyAlgorithm): Promise<string>;
+export declare function extractPemFromKeyString(keyString: string, alg: KasPublicKeyAlgorithm, cryptoService: CryptoService): Promise<string>;
 /**
  * Build a key access object and add it to the list. Can specify either
  * a (url, publicKey) pair (legacy, deprecated) or an attribute URL (future).
@@ -110,7 +110,7 @@ export declare function extractPemFromKeyString(keyString: string, alg: KasPubli
  * @param  {String? Object?} options.metadata - Metadata. Appears to be dead code.
  * @return {KeyAccess}- the key access object loaded
  */
-export declare function buildKeyAccess({ type, url, publicKey, kid, metadata, sid, alg, }: BuildKeyAccess): Promise<KeyAccess>;
+export declare function buildKeyAccess({ type, url, publicKey, kid, metadata, sid, alg, cryptoService, }: BuildKeyAccess): Promise<KeyAccess>;
 export declare function validatePolicyObject(policy: Policy): void;
 export declare function writeStream(cfg: EncryptConfiguration): Promise<DecoratedReadableStream>;
 export type InspectedTDFOverview = {
@@ -120,9 +120,9 @@ export type InspectedTDFOverview = {
 };
 export declare function loadTDFStream(chunker: Chunker): Promise<InspectedTDFOverview>;
 export declare function splitLookupTableFactory(keyAccess: KeyAccessObject[], allowedKases: OriginAllowList): Record<string, Record<string, KeyAccessObject>>;
-export declare function sliceAndDecrypt({ buffer, reconstructedKeyBinary, slice, cipher, segmentIntegrityAlgorithm, specVersion, }: {
+export declare function sliceAndDecrypt({ buffer, reconstructedKey, slice, cipher, cryptoService, segmentIntegrityAlgorithm, specVersion, }: {
     buffer: Uint8Array;
-    reconstructedKeyBinary: Binary;
+    reconstructedKey: SymmetricKey;
     slice: Chunk[];
     cipher: SymmetricCipher;
     cryptoService: CryptoService;