@opentdf/sdk 0.9.0-beta.92 → 0.9.0-beta.94

package/dist/types/tdf3/src/crypto/declarations.d.ts

@@ -11,50 +11,315 @@ export type DecryptResult = {
 };
 /**
  * PEM formatted keypair.
+ * Used for import/export compatibility. Internal code should use KeyPair (opaque keys).
  */
 export type PemKeyPair = {
     publicKey: string;
     privateKey: string;
 };
+/**
+ * Key algorithm identifier combining key type and parameters.
+ */
+export type KeyAlgorithm = 'rsa:2048' | 'rsa:4096' | 'ec:secp256r1' | 'ec:secp384r1' | 'ec:secp521r1';
+/**
+ * Options for key generation and import.
+ */
+export type KeyOptions = {
+    /**
+     * Key usage: 'encrypt' for RSA-OAEP, 'sign' for RSA/ECDSA signing, 'derive' for ECDH.
+     * If not specified, defaults based on the generation method or key type.
+     */
+    usage?: 'encrypt' | 'sign' | 'derive';
+    /**
+     * Whether keys can be exported. Defaults to true.
+     * HSM-backed implementations may force false for private keys.
+     */
+    extractable?: boolean;
+    /**
+     * Optional algorithm hint for import validation.
+     * Helps disambiguate or validate imported keys.
+     */
+    algorithmHint?: KeyAlgorithm;
+};
+/**
+ * Opaque public key - internal representation hidden.
+ * Code outside CryptoService treats this as a token.
+ *
+ * Includes metadata for algorithm selection without needing CryptoService calls.
+ */
+export type PublicKey = {
+    readonly _brand: 'PublicKey';
+    /** Algorithm identifier (e.g., 'rsa:2048', 'ec:secp256r1') */
+    readonly algorithm: KeyAlgorithm;
+    /** RSA modulus bit length (only for RSA keys) */
+    readonly modulusBits?: number;
+    /** EC curve name (only for EC keys) */
+    readonly curve?: ECCurve;
+};
+/**
+ * Opaque private key - internal representation hidden.
+ * Code outside CryptoService treats this as a token.
+ *
+ * Includes metadata for algorithm selection without needing CryptoService calls.
+ */
+export type PrivateKey = {
+    readonly _brand: 'PrivateKey';
+    /** Algorithm identifier (e.g., 'rsa:2048', 'ec:secp256r1') */
+    readonly algorithm: KeyAlgorithm;
+    /** RSA modulus bit length (only for RSA keys) */
+    readonly modulusBits?: number;
+    /** EC curve name (only for EC keys) */
+    readonly curve?: ECCurve;
+};
+/**
+ * Opaque key pair with matching algorithms.
+ */
+export type KeyPair = {
+    readonly publicKey: PublicKey;
+    readonly privateKey: PrivateKey;
+};
 /**
  * The minimum acceptable asymetric key size, currently 2^11.
  */
 export declare const MIN_ASYMMETRIC_KEY_SIZE_BITS = 2048;
-export type AnyKeyPair = PemKeyPair | CryptoKeyPair;
+/**
+ * Opaque symmetric key - internal representation hidden.
+ * Code outside CryptoService treats this as a token.
+ * Used for AES encryption/decryption.
+ *
+ * Includes metadata for key length without needing CryptoService calls.
+ */
+export type SymmetricKey = {
+    readonly _brand: 'SymmetricKey';
+    /** Key length in bits (e.g., 256 for AES-256) */
+    readonly length: number;
+};
+/**
+ * Elliptic curves supported for ECDH/ECDSA operations.
+ */
+export type ECCurve = 'P-256' | 'P-384' | 'P-521';
+/**
+ * Asymmetric signing algorithms (require PEM keys).
+ */
+export type AsymmetricSigningAlgorithm = 'RS256' | 'ES256' | 'ES384' | 'ES512';
+/**
+ * Symmetric signing algorithm (requires raw key bytes).
+ */
+export type SymmetricSigningAlgorithm = 'HS256';
+/**
+ * All supported signing algorithms.
+ */
+export type SigningAlgorithm = AsymmetricSigningAlgorithm | SymmetricSigningAlgorithm;
+/**
+ * Supported hash algorithms.
+ */
+export type HashAlgorithm = 'SHA-256' | 'SHA-384' | 'SHA-512';
+/**
+ * Parameters for HKDF key derivation.
+ */
+export type HkdfParams = {
+    /** Hash algorithm to use for HKDF. */
+    hash: HashAlgorithm;
+    /** Salt for HKDF (can be empty Uint8Array). */
+    salt: Uint8Array;
+    /** Optional info/context for HKDF. */
+    info?: Uint8Array;
+    /** Desired key length in bits. Defaults to 256. */
+    keyLength?: number;
+};
+/**
+ * Public key information returned from parsePublicKeyPem.
+ */
+export type PublicKeyInfo = {
+    /** Detected algorithm of the key. */
+    algorithm: 'rsa:2048' | 'rsa:4096' | 'ec:secp256r1' | 'ec:secp384r1' | 'ec:secp521r1';
+    /** Normalized PEM string. */
+    pem: string;
+};
 export type CryptoService = {
     /** Track which crypto implementation we are using */
     name: string;
     /** Default algorithm identifier. */
     method: AlgorithmUrn;
-    /** Convert or narrow from AnyKeyPair to PemKeyPair */
-    cryptoToPemPair: (keys: AnyKeyPair) => Promise<PemKeyPair>;
     /**
      * Try to decrypt content with the default or handed algorithm. Throws on
      * most failure, if auth tagging is implemented for example.
      */
-    decrypt: (payload: Binary, key: Binary, iv: Binary, algorithm?: AlgorithmUrn, authTag?: Binary) => Promise<DecryptResult>;
-    decryptWithPrivateKey: (encryptedPayload: Binary, privateKey: string) => Promise<Binary>;
+    decrypt: (payload: Binary, key: SymmetricKey, iv: Binary, algorithm?: AlgorithmUrn, authTag?: Binary) => Promise<DecryptResult>;
+    decryptWithPrivateKey: (encryptedPayload: Binary, privateKey: PrivateKey) => Promise<Binary>;
     /**
      * Encrypt content with the default or handed algorithm.
+     * Accepts Binary or SymmetricKey as payload (for key wrapping with symmetric keys).
      */
-    encrypt: (payload: Binary, key: Binary, iv: Binary, algorithm?: AlgorithmUrn) => Promise<EncryptResult>;
-    encryptWithPublicKey: (payload: Binary, publicKey: string) => Promise<Binary>;
-    /** Get length random bytes as a hex-encoded string. */
-    generateInitializationVector: (length?: number) => Promise<string>;
-    /** Get length random bytes as a hex-encoded string. */
-    generateKey: (length?: number) => Promise<string>;
+    encrypt: (payload: Binary | SymmetricKey, key: SymmetricKey, iv: Binary, algorithm?: AlgorithmUrn) => Promise<EncryptResult>;
     /**
-     * Generate an RSA key pair
+     * Encrypt with asymmetric public key (RSA-OAEP).
+     * Accepts Binary or SymmetricKey for key wrapping.
+     */
+    encryptWithPublicKey: (payload: Binary | SymmetricKey, publicKey: PublicKey) => Promise<Binary>;
+    /** Generate symmetric AES key (opaque, never hex string). */
+    generateKey: (length?: number) => Promise<SymmetricKey>;
+    /**
+     * Generate an RSA key pair for encryption/decryption.
      * @param size in bits, defaults to a reasonable size for the default method
+     * @returns Opaque key pair
      */
-    generateKeyPair: (size?: number) => Promise<AnyKeyPair>;
-    generateSigningKeyPair: () => Promise<AnyKeyPair>;
+    generateKeyPair: (size?: number) => Promise<KeyPair>;
     /**
-     * Create an HMAC SHA256 hash
+     * Generate an RSA key pair for signing/verification.
+     * @returns Opaque key pair
      */
-    hmac: (key: string, content: string) => Promise<string>;
+    generateSigningKeyPair: () => Promise<KeyPair>;
     randomBytes: (byteLength: number) => Promise<Uint8Array>;
-    /** Compute the hex-encoded SHA hash of a UTF-16 encoded string. */
-    sha256: (content: string) => Promise<string>;
+    /**
+     * Sign data with an asymmetric private key.
+     * @param data - Data to sign
+     * @param privateKey - Opaque private key
+     * @param algorithm - Signing algorithm (RS256, ES256, ES384, ES512)
+     */
+    sign: (data: Uint8Array, privateKey: PrivateKey, algorithm: AsymmetricSigningAlgorithm) => Promise<Uint8Array>;
+    /**
+     * Verify signature with an asymmetric public key.
+     * @param data - Original data that was signed
+     * @param signature - Signature to verify
+     * @param publicKey - Opaque public key
+     * @param algorithm - Must match algorithm used for signing
+     */
+    verify: (data: Uint8Array, signature: Uint8Array, publicKey: PublicKey, algorithm: AsymmetricSigningAlgorithm) => Promise<boolean>;
+    /**
+     * Compute HMAC-SHA256 of data with a symmetric key.
+     * @param data - Data to authenticate
+     * @param key - Opaque symmetric key
+     * @returns Raw HMAC bytes
+     */
+    hmac: (data: Uint8Array, key: SymmetricKey) => Promise<Uint8Array>;
+    /**
+     * Verify HMAC-SHA256.
+     * @param data - Original data that was authenticated
+     * @param signature - HMAC to verify
+     * @param key - Opaque symmetric key
+     */
+    verifyHmac: (data: Uint8Array, signature: Uint8Array, key: SymmetricKey) => Promise<boolean>;
+    /**
+     * Compute hash digest.
+     * @param algorithm - Hash algorithm to use (SHA-256, SHA-384, SHA-512)
+     * @param data - Data to hash
+     */
+    digest: (algorithm: HashAlgorithm, data: Uint8Array) => Promise<Uint8Array>;
+    /**
+     * Generate an EC key pair for ECDH key agreement.
+     * @param curve - Elliptic curve to use (defaults to P-256)
+     * @throws ConfigurationError if EC operations not supported
+     */
+    generateECKeyPair: (curve?: ECCurve) => Promise<KeyPair>;
+    /**
+     * Perform ECDH key agreement followed by HKDF key derivation.
+     * Returns opaque symmetric key suitable for symmetric encryption.
+     *
+     * @param privateKey - Opaque EC private key
+     * @param publicKey - Opaque EC public key of other party
+     * @param hkdfParams - Parameters for HKDF derivation
+     * @returns Opaque symmetric key
+     * @throws ConfigurationError if EC operations not supported
+     */
+    deriveKeyFromECDH: (privateKey: PrivateKey, publicKey: PublicKey, hkdfParams: HkdfParams) => Promise<SymmetricKey>;
+    /**
+     * Import a PEM public key as an opaque key.
+     * @param pem - PEM-encoded public key
+     * @param options - Import options (usage required for RSA keys to disambiguate encrypt vs sign)
+     * @returns Opaque public key with metadata
+     */
+    importPublicKey: (pem: string, options: KeyOptions) => Promise<PublicKey>;
+    /**
+     * Import a PEM private key as an opaque key.
+     * Optional - intended for use in tests or by downstream integrators who need to bring
+     * their own PEM key material. Main SDK code should use opaque PrivateKey objects directly.
+     * @param pem - PEM-encoded private key
+     * @param options - Import options (usage required for RSA keys to disambiguate encrypt vs sign)
+     * @returns Opaque private key with metadata
+     */
+    importPrivateKey?: (pem: string, options: KeyOptions) => Promise<PrivateKey>;
+    /**
+     * Parse and validate a PEM public key, returning algorithm info.
+     *
+     * @param pem - PEM-encoded public key or X.509 certificate
+     * @returns Validated PEM and detected algorithm
+     * @throws ConfigurationError if key format invalid or algorithm not supported
+     */
+    parsePublicKeyPem: (pem: string) => Promise<PublicKeyInfo>;
+    /**
+     * Export an opaque public key to PEM format.
+     * @param key - Opaque public key
+     * @returns PEM-encoded public key (SPKI format)
+     */
+    exportPublicKeyPem: (key: PublicKey) => Promise<string>;
+    /**
+     * OPTIONAL -- ONLY USE FOR TESTING/DEVELOPMENT. Private keys should NOT be exportable in secure environments.
+     * Export an opaque private key to PEM format.
+     * @param key - Opaque private key
+     * @returns PEM-encoded private key (PKCS8 format)
+     */
+    exportPrivateKeyPem?: (key: PrivateKey) => Promise<string>;
+    /**
+     * Export an opaque public key to JWK format.
+     * @param key - Opaque public key
+     * @returns JWK representation
+     */
+    exportPublicKeyJwk: (key: PublicKey) => Promise<JsonWebKey>;
+    /**
+     * Extract PEM public key from X.509 certificate or return PEM key as-is.
+     *
+     * Used to normalize KAS public keys which may be provided as either:
+     * - X.509 certificates (-----BEGIN CERTIFICATE-----)
+     * - Raw PEM public keys (-----BEGIN PUBLIC KEY-----)
+     *
+     * For certificates, jwaAlgorithm must be provided to correctly parse the key
+     * (e.g., 'RS256', 'RS512', 'ES256', 'ES384', 'ES512'). For raw PEM keys,
+     * the algorithm parameter is ignored.
+     *
+     * @param certOrPem - PEM-encoded public key or X.509 certificate
+     * @param jwaAlgorithm - JWA algorithm for certificate parsing (required for certificates)
+     * @returns PEM-encoded public key (SPKI format)
+     * @throws Error if input is not valid PEM or certificate
+     */
+    extractPublicKeyPem: (certOrPem: string, jwaAlgorithm?: string) => Promise<string>;
+    /**
+     * Convert a JWK (JSON Web Key) public key to PEM format.
+     * Supports both RSA and EC keys.
+     *
+     * @param jwk - JSON Web Key object
+     * @returns PEM-encoded public key
+     * @throws ConfigurationError if JWK format invalid
+     */
+    jwkToPublicKeyPem: (jwk: JsonWebKey) => Promise<string>;
+    /**
+     * Import raw key bytes as an opaque symmetric key.
+     * Used for external keys (e.g., unwrapped from KAS).
+     * @param keyBytes - Raw key bytes
+     * @returns Opaque symmetric key
+     */
+    importSymmetricKey: (keyBytes: Uint8Array) => Promise<SymmetricKey>;
+    /**
+     * Split a symmetric key into N shares using XOR secret sharing.
+     *
+     * DefaultCryptoService: Uses keySplit() utility (extracts bytes internally)
+     * HSM implementations: Must use native splitting OR throw ConfigurationError
+     *
+     * @param key - Symmetric key to split
+     * @param numShares - Number of shares to create
+     * @returns Array of opaque key shares
+     * @throws ConfigurationError if not supported by the implementation
+     *
+     * Note: Multi-KAS may not be available in all secure environments (single KAS only)
+     */
+    splitSymmetricKey: (key: SymmetricKey, numShares: number) => Promise<SymmetricKey[]>;
+    /**
+     * Merge symmetric key shares back into the original key using XOR.
+     *
+     * @param shares - Array of key shares (from splitSymmetricKey)
+     * @returns Merged symmetric key
+     * @throws ConfigurationError if not supported by the implementation
+     */
+    mergeSymmetricKeys: (shares: SymmetricKey[]) => Promise<SymmetricKey>;
 };
 //# sourceMappingURL=declarations.d.ts.map

package/dist/types/tdf3/src/crypto/declarations.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"declarations.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/crypto/declarations.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAE7D,MAAM,MAAM,aAAa,GAAG;IAC1B,yBAAyB;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,4BAA4B,OAAO,CAAC;AAEjD,MAAM,MAAM,UAAU,GAAG,UAAU,GAAG,aAAa,CAAC;AAEpD,MAAM,MAAM,aAAa,GAAG;IAC1B,qDAAqD;IACrD,IAAI,EAAE,MAAM,CAAC;IAEb,oCAAoC;IACpC,MAAM,EAAE,YAAY,CAAC;IAErB,sDAAsD;IACtD,eAAe,EAAE,CAAC,IAAI,EAAE,UAAU,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;IAE3D;;;OAGG;IACH,OAAO,EAAE,CACP,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,EACxB,OAAO,CAAC,EAAE,MAAM,KACb,OAAO,CAAC,aAAa,CAAC,CAAC;IAE5B,qBAAqB,EAAE,CAAC,gBAAgB,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAEzF;;OAEG;IACH,OAAO,EAAE,CACP,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,KACrB,OAAO,CAAC,aAAa,CAAC,CAAC;IAE5B,oBAAoB,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAE9E,uDAAuD;IACvD,4BAA4B,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAEnE,uDAAuD;IACvD,WAAW,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAElD;;;OAGG;IACH,eAAe,EAAE,CAAC,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;IAExD,sBAAsB,EAAE,MAAM,OAAO,CAAC,UAAU,CAAC,CAAC;IAElD;;OAEG;IACH,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAExD,WAAW,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;IAEzD,mEAAmE;IACnE,MAAM,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CAC9C,CAAC"}
+{"version":3,"file":"declarations.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/crypto/declarations.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAE7D,MAAM,MAAM,aAAa,GAAG;IAC1B,yBAAyB;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,YAAY,GACpB,UAAU,GACV,UAAU,GACV,cAAc,GACd,cAAc,GACd,cAAc,CAAC;AAEnB;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB;;;OAGG;IACH,KAAK,CAAC,EAAE,SAAS,GAAG,MAAM,GAAG,QAAQ,CAAC;IAEtC;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IAEtB;;;OAGG;IACH,aAAa,CAAC,EAAE,YAAY,CAAC;CAC9B,CAAC;AAEF;;;;;GAKG;AACH,MAAM,MAAM,SAAS,GAAG;IACtB,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B,8DAA8D;IAC9D,QAAQ,CAAC,SAAS,EAAE,YAAY,CAAC;IACjC,iDAAiD;IACjD,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,uCAAuC;IACvC,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF;;;;;GAKG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,8DAA8D;IAC9D,QAAQ,CAAC,SAAS,EAAE,YAAY,CAAC;IACjC,iDAAiD;IACjD,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,uCAAuC;IACvC,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,OAAO,GAAG;IACpB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAC;CACjC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,4BAA4B,OAAO,CAAC;AAEjD;;;;;;GAMG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,iDAAiD;IACjD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,OAAO,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;AAElD;;GAEG;AACH,MAAM,MAAM,0BAA0B,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;AAE/E;;GAEG;AACH,MAAM,MAAM,yBAAyB,GAAG,OAAO,CAAC;AAEhD;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,0BAA0B,GAAG,yBAAyB,CAAC;AAEtF;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;AAE9D;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB,sCAAsC;IACtC,IAAI,EAAE,aAAa,CAAC;IACpB,+CAA+C;IAC/C,IAAI,EAAE,UAAU,CAAC;IACjB,sCAAsC;IACtC,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,mDAAmD;IACnD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B,qCAAqC;IACrC,SAAS,EAAE,UAAU,GAAG,UAAU,GAAG,cAAc,GAAG,cAAc,GAAG,cAAc,CAAC;IACtF,6BAA6B;IAC7B,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B,qDAAqD;IACrD,IAAI,EAAE,MAAM,CAAC;IAEb,oCAAoC;IACpC,MAAM,EAAE,YAAY,CAAC;IAErB;;;OAGG;IACH,OAAO,EAAE,CACP,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,YAAY,EACjB,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,EACxB,OAAO,CAAC,EAAE,MAAM,KACb,OAAO,CAAC,aAAa,CAAC,CAAC;IAE5B,qBAAqB,EAAE,CAAC,gBAAgB,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAE7F;;;OAGG;IACH,OAAO,EAAE,CACP,OAAO,EAAE,MAAM,GAAG,YAAY,EAC9B,GAAG,EAAE,YAAY,EACjB,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,KACrB,OAAO,CAAC,aAAa,CAAC,CAAC;IAE5B;;;OAGG;IACH,oBAAoB,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,YAAY,EAAE,SAAS,EAAE,SAAS,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAEhG,6DAA6D;IAC7D,WAAW,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;IAExD;;;;OAIG;IACH,eAAe,EAAE,CAAC,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAErD;;;OAGG;IACH,sBAAsB,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;IAE/C,WAAW,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;IAEzD;;;;;OAKG;IACH,IAAI,EAAE,CACJ,IAAI,EAAE,UAAU,EAChB,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,0BAA0B,KAClC,OAAO,CAAC,UAAU,CAAC,CAAC;IAEzB;;;;;;OAMG;IACH,MAAM,EAAE,CACN,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,EACrB,SAAS,EAAE,SAAS,EACpB,SAAS,EAAE,0BAA0B,KAClC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEtB;;;;;OAKG;IACH,IAAI,EAAE,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,YAAY,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;IAEnE;;;;;OAKG;IACH,UAAU,EAAE,CAAC,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,YAAY,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAE7F;;;;OAIG;IACH,MAAM,EAAE,CAAC,SAAS,EAAE,aAAa,EAAE,IAAI,EAAE,UAAU,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;IAE5E;;;;OAIG;IACH,iBAAiB,EAAE,CAAC,KAAK,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAEzD;;;;;;;;;OASG;IACH,iBAAiB,EAAE,CACjB,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,KACnB,OAAO,CAAC,YAAY,CAAC,CAAC;IAI3B;;;;;OAKG;IACH,eAAe,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,KAAK,OAAO,CAAC,SAAS,CAAC,CAAC;IAE1E;;;;;;;OAOG;IACH,gBAAgB,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;IAE7E;;;;;;OAMG;IACH,iBAAiB,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,aAAa,CAAC,CAAC;IAI3D;;;;OAIG;IACH,kBAAkB,EAAE,CAAC,GAAG,EAAE,SAAS,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAExD;;;;;OAKG;IACH,mBAAmB,CAAC,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC3D;;;;OAIG;IACH,kBAAkB,EAAE,CAAC,GAAG,EAAE,SAAS,KAAK,OAAO,CAAC,UAAU,CAAC,CAAC;IAE5D;;;;;;;;;;;;;;;OAeG;IACH,mBAAmB,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAEnF;;;;;;;OAOG;IACH,iBAAiB,EAAE,CAAC,GAAG,EAAE,UAAU,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAIxD;;;;;OAKG;IACH,kBAAkB,EAAE,CAAC,QAAQ,EAAE,UAAU,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;IAEpE;;;;;;;;;;;;OAYG;IACH,iBAAiB,EAAE,CAAC,GAAG,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;IAErF;;;;;;OAMG;IACH,kBAAkB,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;CACvE,CAAC"}

package/dist/types/tdf3/src/crypto/index.d.ts

@@ -4,7 +4,7 @@
  * @private
  */
 import { Binary } from '../binary.js';
-import { CryptoService, DecryptResult, EncryptResult, PemKeyPair } from './declarations.js';
+import { type AsymmetricSigningAlgorithm, type CryptoService, type DecryptResult, type ECCurve, type EncryptResult, type HashAlgorithm, type HkdfParams, type KeyOptions, type KeyPair, type PrivateKey, type PublicKey, type PublicKeyInfo, type SymmetricKey } from './declarations.js';
 import { AlgorithmUrn } from '../ciphers/algorithms.js';
 export declare const isSupported: boolean;
 export declare const method = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
@@ -16,33 +16,30 @@ export declare const name = "BrowserNativeCryptoService";
 export declare function rsaOaepSha1(modulusLength?: number): RsaHashedKeyGenParams;
 export declare function rsaPkcs1Sha256(modulusLength?: number): RsaHashedKeyGenParams;
 /**
- * Generate a random hex key
- * @return New key as a hex string
+ * Generate a random symmetric key (opaque).
+ * @param length - Key length in bytes (default 32 for AES-256)
+ * @return Opaque symmetric key
  */
-export declare function generateKey(length?: number): Promise<string>;
+export declare function generateKey(length?: number): Promise<SymmetricKey>;
 /**
  * Generate an RSA key pair
  * @see    {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey}
  * @param  size in bits
  */
-export declare function generateKeyPair(size?: number): Promise<CryptoKeyPair>;
+export declare function generateKeyPair(size?: number): Promise<KeyPair>;
 /**
  * Generate an RSA key pair suitable for signatures
  * @see    {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey}
  */
-export declare function generateSigningKeyPair(): Promise<CryptoKeyPair>;
-export declare function cryptoToPemPair(keysMaybe: unknown): Promise<PemKeyPair>;
+export declare function generateSigningKeyPair(): Promise<KeyPair>;
 /**
- * Encrypt using a public key
- * @param payload Payload to encrypt
- * @param publicKey PEM formatted public key
+ * Encrypt using a public key (RSA-OAEP).
+ * Accepts Binary or SymmetricKey for key wrapping.
+ * @param payload Payload to encrypt (Binary) or symmetric key to wrap (SymmetricKey)
+ * @param publicKey Opaque public key
  * @return Encrypted payload
  */
-export declare function encryptWithPublicKey(payload: Binary, publicKey: string): Promise<Binary>;
-/**
- * Generate a 16-byte initialization vector
- */
-export declare function generateInitializationVector(length?: number): Promise<string>;
+export declare function encryptWithPublicKey(payload: Binary | SymmetricKey, publicKey: PublicKey): Promise<Binary>;
 export declare function randomBytes(byteLength: number): Promise<Uint8Array>;
 /**
  * Returns a promise to the encryption key as a binary string.
@@ -58,19 +55,19 @@ export declare function randomBytesAsHex(length: number): Promise<string>;
 /**
  * Decrypt a public-key encrypted payload with a private key
  * @param  encryptedPayload  Payload to decrypt
- * @param  privateKey        PEM formatted private keynpmv
+ * @param  privateKey        Opaque private key
  * @return Decrypted payload
  */
-export declare function decryptWithPrivateKey(encryptedPayload: Binary, privateKey: string): Promise<Binary>;
+export declare function decryptWithPrivateKey(encryptedPayload: Binary, privateKey: PrivateKey): Promise<Binary>;
 /**
  * Decrypt content synchronously
  * @param payload The payload to decrypt
- * @param key     The encryption key
+ * @param key     The symmetric encryption key (opaque)
  * @param iv      The initialization vector
  * @param algorithm The algorithm to use for encryption
  * @param authTag The authentication tag for authenticated crypto.
  */
-export declare function decrypt(payload: Binary, key: Binary, iv: Binary, algorithm?: AlgorithmUrn, authTag?: Binary): Promise<DecryptResult>;
+export declare function decrypt(payload: Binary, key: SymmetricKey, iv: Binary, algorithm?: AlgorithmUrn, authTag?: Binary): Promise<DecryptResult>;
 /**
  * Encrypt content synchronously
  * @param payload   The payload to encrypt
@@ -78,26 +75,106 @@ export declare function decrypt(payload: Binary, key: Binary, iv: Binary, algori
  * @param iv        The initialization vector
  * @param algorithm The algorithm to use for encryption
  */
-export declare function encrypt(payload: Binary, key: Binary, iv: Binary, algorithm?: AlgorithmUrn): Promise<EncryptResult>;
+export declare function encrypt(payload: Binary | SymmetricKey, key: SymmetricKey, iv: Binary, algorithm?: AlgorithmUrn): Promise<EncryptResult>;
 /**
  * Create a SHA256 hash. Code refrenced from MDN:
  * https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
  * @param  content  String content
  * @return Hex hash
  */
-export declare function sha256(content: string): Promise<string>;
-/**
- * Create an HMAC SHA256 hash
- * @param  key     Key string
- * @param  content Content string
- * @return Hex hash
- */
-export declare function hmac(key: string, content: string): Promise<string>;
 /**
  * Create an ArrayBuffer from a hex string.
  * https://developers.google.com/web/updates/2012/06/How-to-convert-ArrayBuffer-to-and-from-String?hl=en
  * @param  hex - Hex string
  */
 export declare function hex2Ab(hex: string): ArrayBuffer;
+/**
+ * Sign data with an asymmetric private key.
+ */
+export declare function sign(data: Uint8Array, privateKey: PrivateKey, algorithm: AsymmetricSigningAlgorithm): Promise<Uint8Array>;
+/**
+ * Verify signature with an asymmetric public key.
+ */
+export declare function verify(data: Uint8Array, signature: Uint8Array, publicKey: PublicKey, algorithm: AsymmetricSigningAlgorithm): Promise<boolean>;
+/**
+ * Compute hash digest.
+ */
+export declare function digest(algorithm: HashAlgorithm, data: Uint8Array): Promise<Uint8Array>;
+/**
+ * Extract PEM public key from X.509 certificate or return PEM key as-is.
+ *
+ * @param certOrPem - A PEM-encoded X.509 certificate or public key
+ * @param jwaAlgorithm - JWA algorithm hint for certificate parsing (RS256, RS512, ES256, ES384, ES512).
+ *                       If not provided for a certificate, will attempt to auto-detect from OIDs.
+ */
+export declare function extractPublicKeyPem(certOrPem: string, jwaAlgorithm?: string): Promise<string>;
+/**
+ * Generate an EC key pair for ECDH key agreement.
+ */
+export declare function generateECKeyPair(curve?: ECCurve): Promise<KeyPair>;
+/**
+ * Perform ECDH key agreement followed by HKDF key derivation.
+ * Returns opaque symmetric key for symmetric encryption.
+ */
+export declare function deriveKeyFromECDH(privateKey: PrivateKey, publicKey: PublicKey, hkdfParams: HkdfParams): Promise<SymmetricKey>;
+/**
+ * Compute HMAC-SHA256 of data with a symmetric key.
+ */
+export declare function hmac(data: Uint8Array, key: SymmetricKey): Promise<Uint8Array>;
+/**
+ * Verify HMAC-SHA256. Standalone utility — not part of CryptoService interface.
+ */
+export declare function verifyHmac(data: Uint8Array, signature: Uint8Array, key: SymmetricKey): Promise<boolean>;
+/**
+ * Import and validate a PEM public key, returning algorithm info.
+ * Uses JWK export for robust key parameter detection.
+ */
+export declare function parsePublicKeyPem(pem: string): Promise<PublicKeyInfo>;
+/**
+ * Convert a JWK (JSON Web Key) to PEM format.
+ */
+export declare function jwkToPublicKeyPem(jwk: JsonWebKey): Promise<string>;
+/**
+ * Convert a PEM public key to JWK format.
+ * Returns only public key components (no private key data).
+ */
+export declare function publicKeyPemToJwk(publicKeyPem: string): Promise<JsonWebKey>;
+/**
+ * Import a PEM public key as an opaque key.
+ */
+export declare function importPublicKey(pem: string, options: KeyOptions): Promise<PublicKey>;
+/**
+ * Import a PEM private key as an opaque key.
+ */
+export declare function importPrivateKey(pem: string, options: KeyOptions): Promise<PrivateKey>;
+/**
+ * Export an opaque public key to PEM format.
+ */
+export declare function exportPublicKeyPem(key: PublicKey): Promise<string>;
+/**
+ * Export an opaque private key to PEM format.
+ * ONLY USE FOR TESTING/DEVELOPMENT. Private keys should NOT be exportable in secure environments.
+ */
+export declare function exportPrivateKeyPem(key: PrivateKey): Promise<string>;
+/**
+ * Export an opaque public key to JWK format.
+ */
+export declare function exportPublicKeyJwk(key: PublicKey): Promise<JsonWebKey>;
+/**
+ * Import raw key bytes as an opaque symmetric key.
+ * Used for external keys (e.g., unwrapped from KAS).
+ */
+export declare function importSymmetricKey(keyBytes: Uint8Array): Promise<SymmetricKey>;
+/**
+ * Split a symmetric key into N shares using XOR secret sharing.
+ * Key bytes are extracted internally for splitting.
+ * HSM implementations cannot extract bytes and should throw ConfigurationError.
+ */
+export declare function splitSymmetricKey(key: SymmetricKey, numShares: number): Promise<SymmetricKey[]>;
+/**
+ * Merge symmetric key shares back into the original key using XOR.
+ * Key bytes are extracted internally for merging.
+ */
+export declare function mergeSymmetricKeys(shares: SymmetricKey[]): Promise<SymmetricKey>;
 export declare const DefaultCryptoService: CryptoService;
 //# sourceMappingURL=index.d.ts.map

package/dist/types/tdf3/src/crypto/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/crypto/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EACL,aAAa,EACb,aAAa,EACb,aAAa,EAEb,UAAU,EACX,MAAM,mBAAmB,CAAC;AAK3B,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAIxD,eAAO,MAAM,WAAW,SAA4C,CAAC;AAErE,eAAO,MAAM,MAAM,gDAAgD,CAAC;AACpE,eAAO,MAAM,IAAI,+BAA+B,CAAC;AAEjD;;;GAGG;AACH,wBAAgB,WAAW,CACzB,aAAa,GAAE,MAAqC,GACnD,qBAAqB,CAYvB;AAED,wBAAgB,cAAc,CAC5B,aAAa,GAAE,MAAqC,GACnD,qBAAqB,CAYvB;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAElE;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAG3E;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,aAAa,CAAC,CAWrE;AAED,wBAAsB,eAAe,CAAC,SAAS,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAe7E;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAmB9F;AAED;;GAEG;AACH,wBAAsB,4BAA4B,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEnF;AAED,wBAAsB,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAIzE;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAKtE;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CACzC,gBAAgB,EAAE,MAAM,EACxB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAkBjB;AAED;;;;;;;GAOG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,EACxB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,CAAC,CAExB;AAED;;;;;;GAMG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,GACvB,OAAO,CAAC,aAAa,CAAC,CAExB;AA6FD;;;;;GAKG;AACH,wBAAsB,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI7D;AAED;;;;;GAKG;AACH,wBAAsB,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAexE;AAED;;;;GAIG;AACH,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAS/C;AAED,eAAO,MAAM,oBAAoB,EAAE,aAelC,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../tdf3/src/crypto/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EACL,KAAK,0BAA0B,EAC/B,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,OAAO,EACZ,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,UAAU,EAEf,KAAK,UAAU,EACf,KAAK,OAAO,EAEZ,KAAK,UAAU,EACf,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,YAAY,EAClB,MAAM,mBAAmB,CAAC;AAK3B,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAYxD,eAAO,MAAM,WAAW,SAA4C,CAAC;AAErE,eAAO,MAAM,MAAM,gDAAgD,CAAC;AACpE,eAAO,MAAM,IAAI,+BAA+B,CAAC;AAEjD;;;GAGG;AACH,wBAAgB,WAAW,CACzB,aAAa,GAAE,MAAqC,GACnD,qBAAqB,CAYvB;AAED,wBAAgB,cAAc,CAC5B,aAAa,GAAE,MAAqC,GACnD,qBAAqB,CAYvB;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAGxE;AAsFD;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAqBrE;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,OAAO,CAAC,CAS/D;AAED;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,GAAG,YAAY,EAC9B,SAAS,EAAE,SAAS,GACnB,OAAO,CAAC,MAAM,CAAC,CAejB;AAED,wBAAsB,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAIzE;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAKtE;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CACzC,gBAAgB,EAAE,MAAM,EACxB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,MAAM,CAAC,CAWjB;AAED;;;;;;;GAOG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,YAAY,EACjB,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,EACxB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,CAAC,CAExB;AAED;;;;;;GAMG;AACH,wBAAgB,OAAO,CACrB,OAAO,EAAE,MAAM,GAAG,YAAY,EAC9B,GAAG,EAAE,YAAY,EACjB,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE,YAAY,GACvB,OAAO,CAAC,aAAa,CAAC,CAExB;AA0GD;;;;;GAKG;AAEH;;;;GAIG;AACH,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAS/C;AAyKD;;GAEG;AACH,wBAAsB,IAAI,CACxB,IAAI,EAAE,UAAU,EAChB,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,0BAA0B,GACpC,OAAO,CAAC,UAAU,CAAC,CAWrB;AAED;;GAEG;AACH,wBAAsB,MAAM,CAC1B,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,EACrB,SAAS,EAAE,SAAS,EACpB,SAAS,EAAE,0BAA0B,GACpC,OAAO,CAAC,OAAO,CAAC,CAWlB;AAED;;GAEG;AACH,wBAAsB,MAAM,CAAC,SAAS,EAAE,aAAa,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAS5F;AAED;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CACvC,SAAS,EAAE,MAAM,EACjB,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,CAqBjB;AAkBD;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,GAAE,OAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,CA4BlF;AAiCD;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,YAAY,CAAC,CA+CvB;AAED;;GAEG;AACH,wBAAsB,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CAanF;AAED;;GAEG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,EACrB,GAAG,EAAE,YAAY,GAChB,OAAO,CAAC,OAAO,CAAC,CAUlB;AAuBD;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAmD3E;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAqBxE;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAoCjF;AAMD;;GAEG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CA8D1F;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAqG5F;AAMD;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAIxE;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAI1E;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAG5E;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,QAAQ,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC,CAEpF;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,YAAY,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,YAAY,EAAE,CAAC,CAIzB;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC,CAItF;AAED,eAAO,MAAM,oBAAoB,EAAE,aA6BlC,CAAC"}

package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts

@@ -0,0 +1,3 @@
+import type { JWTHeaderParameters, JWTPayload, JWTVerifyOptions } from 'jose';
+export default function joseJwtClaimsSet(protectedHeader: JWTHeaderParameters, encodedPayload: Uint8Array, options?: JWTVerifyOptions): JWTPayload;
+//# sourceMappingURL=jwt-claims-set.d.ts.map

package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-claims-set.d.ts","sourceRoot":"","sources":["../../../../../../tdf3/src/crypto/jose/jwt-claims-set.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,MAAM,CAAC;AAG9E,MAAM,CAAC,OAAO,UAAU,gBAAgB,CACtC,eAAe,EAAE,mBAAmB,EACpC,cAAc,EAAE,UAAU,EAC1B,OAAO,CAAC,EAAE,gBAAgB,GACzB,UAAU,CAEZ"}

package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts

@@ -0,0 +1,5 @@
+declare const _default: (Err: new (message?: string, options?: {
+    cause?: unknown;
+}) => Error, recognizedDefault: Map<string, boolean>, recognizedOption: Record<string, boolean> | undefined, protectedHeader: Record<string, unknown> | undefined, joseHeader: Record<string, unknown>) => Set<string>;
+export default _default;
+//# sourceMappingURL=validate-crit.d.ts.map

package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-crit.d.ts","sourceRoot":"","sources":["../../../../../../tdf3/src/crypto/jose/validate-crit.ts"],"names":[],"mappings":"wBAE+B,CAC7B,GAAG,EAAE,KAAK,OAAO,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAA;CAAE,KAAK,KAAK,EACnE,iBAAiB,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,EACvC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,EACrD,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,EACpD,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAChC,GAAG,CAAC,MAAM,CAAC;AANhB,wBAMiB"}

package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts

@@ -0,0 +1,6 @@
+export declare const encoder: TextEncoder;
+export declare const decoder: TextDecoder;
+export declare function concat(...buffers: any[]): Uint8Array<any>;
+export declare function uint64be(value: any): Uint8Array<ArrayBuffer>;
+export declare function uint32be(value: any): Uint8Array<ArrayBuffer>;
+//# sourceMappingURL=buffer_utils.d.ts.map

package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"buffer_utils.d.ts","sourceRoot":"","sources":["../../../../../../../../tdf3/src/crypto/jose/vendor/lib/buffer_utils.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,OAAO,aAAoB,CAAC;AACzC,eAAO,MAAM,OAAO,aAAoB,CAAC;AAEzC,wBAAgB,MAAM,CAAC,GAAG,OAAO,OAAA,mBAShC;AAOD,wBAAgB,QAAQ,CAAC,KAAK,KAAA,2BAO7B;AACD,wBAAgB,QAAQ,CAAC,KAAK,KAAA,2BAI7B"}

package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts

@@ -0,0 +1,3 @@
+declare const _default: (date: any) => number;
+export default _default;
+//# sourceMappingURL=epoch.d.ts.map

package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"epoch.d.ts","sourceRoot":"","sources":["../../../../../../../../tdf3/src/crypto/jose/vendor/lib/epoch.ts"],"names":[],"mappings":"yBAEgB,SAAI;AAApB,wBAA2D"}

package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts

@@ -0,0 +1,3 @@
+declare const _default: (input: any) => boolean;
+export default _default;
+//# sourceMappingURL=is_object.d.ts.map

package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"is_object.d.ts","sourceRoot":"","sources":["../../../../../../../../tdf3/src/crypto/jose/vendor/lib/is_object.ts"],"names":[],"mappings":"yBAKgB,UAAK;AAArB,wBAYE"}

package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts

@@ -0,0 +1,3 @@
+declare const _default: (protectedHeader: any, encodedPayload: any, options?: {}) => any;
+export default _default;
+//# sourceMappingURL=jwt_claims_set.d.ts.map

package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt_claims_set.d.ts","sourceRoot":"","sources":["../../../../../../../../tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.ts"],"names":[],"mappings":"yBAiBgB,oBAAe,EAAE,mBAAc,EAAE,YAAY;AAA7D,wBAwFE"}

package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts

@@ -0,0 +1,3 @@
+declare const _default: (str: any) => number;
+export default _default;
+//# sourceMappingURL=secs.d.ts.map

package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secs.d.ts","sourceRoot":"","sources":["../../../../../../../../tdf3/src/crypto/jose/vendor/lib/secs.ts"],"names":[],"mappings":"yBAQgB,QAAG;AAAnB,wBAgDE"}

package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts

@@ -0,0 +1,3 @@
+declare const _default: (Err: any, recognizedDefault: any, recognizedOption: any, protectedHeader: any, joseHeader: any) => Set<unknown>;
+export default _default;
+//# sourceMappingURL=validate_crit.d.ts.map

package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate_crit.d.ts","sourceRoot":"","sources":["../../../../../../../../tdf3/src/crypto/jose/vendor/lib/validate_crit.ts"],"names":[],"mappings":"yBAGgB,QAAG,EAAE,sBAAiB,EAAE,qBAAgB,EAAE,oBAAe,EAAE,eAAU;AAArF,wBA+BE"}