@raytio/core 11.4.1 → 11.6.0

package/dist/crypto/pgpKey/import.js

@@ -0,0 +1,239 @@
+"use strict";
+/**
+ * PGP Key Import Parser
+ *
+ * Parse and validate armored PGP private keys for import.
+ * Converts to PKCS8 format compatible with Web Crypto API.
+ *
+ * Issue #1374
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PGPKeyImportError = void 0;
+exports.isArmoredPGPKey = isArmoredPGPKey;
+exports.parseArmoredPGPKey = parseArmoredPGPKey;
+exports.validateImportedKey = validateImportedKey;
+const utils_1 = require("../kdf/utils");
+const generator_1 = require("./generator");
+/**
+ * Error thrown when key import fails
+ */
+// eslint-disable-next-line fp/no-class -- Custom error class for specific error handling
+class PGPKeyImportError extends Error {
+    constructor(message, code) {
+        super(message);
+        // eslint-disable-next-line fp/no-this, fp/no-mutation -- Required for Error subclassing
+        this.name = "PGPKeyImportError";
+        // eslint-disable-next-line fp/no-this, fp/no-mutation -- Required for Error subclassing
+        this.code = code;
+    }
+}
+exports.PGPKeyImportError = PGPKeyImportError;
+// ============================================================================
+// Helper functions (defined first to avoid use-before-define errors)
+// ============================================================================
+/**
+ * Convert Uint8Array to base64url encoding (for JWK)
+ */
+function uint8ArrayToBase64Url(bytes) {
+    const base64 = (0, utils_1.uint8ArrayToBase64)(bytes);
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+/**
+ * Convert BigInt from Uint8Array (big-endian)
+ */
+function bigIntFromUint8Array(bytes) {
+    let result = BigInt(0);
+    for (const byte of bytes) {
+        // eslint-disable-next-line fp/no-mutation, no-bitwise -- Building bigint value using bit shift
+        result = (result << BigInt(8)) + BigInt(byte);
+    }
+    return result;
+}
+/**
+ * Convert BigInt to Uint8Array (big-endian) with specified length
+ */
+function bigIntToUint8Array(num, length) {
+    const hex = num.toString(16).padStart(length * 2, "0");
+    const bytes = new Uint8Array(length);
+    Array.from({ length }).forEach((_, i) => {
+        // eslint-disable-next-line fp/no-mutation -- Building byte array element by element
+        bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+    });
+    return bytes;
+}
+/**
+ * Convert ArrayBuffer to PEM format
+ */
+function arrayBufferToPem(buffer, type) {
+    var _a;
+    const base64 = (0, utils_1.uint8ArrayToBase64)(new Uint8Array(buffer));
+    const lines = (_a = base64.match(/.{1,64}/g)) !== null && _a !== void 0 ? _a : [];
+    return `-----BEGIN ${type}-----\n${lines.join("\n")}\n-----END ${type}-----`;
+}
+/**
+ * Extract key material from openpgp key packet and convert to Web Crypto formats
+ */
+async function extractKeyMaterial(keyPacket) {
+    // Get RSA parameters from the key packet
+    const { n, e } = keyPacket.publicParams;
+    const { d, p, q, u } = keyPacket.privateParams;
+    // Compute dp, dq from d, p, q
+    // dp = d mod (p-1)
+    // dq = d mod (q-1)
+    // qi = u (which is q^-1 mod p in PGP)
+    const dBigInt = bigIntFromUint8Array(d);
+    const pBigInt = bigIntFromUint8Array(p);
+    const qBigInt = bigIntFromUint8Array(q);
+    const dpBigInt = dBigInt % (pBigInt - BigInt(1));
+    const dqBigInt = dBigInt % (qBigInt - BigInt(1));
+    // For RSA keys, we need to construct JWK format
+    // Import as JWK first, then export as PKCS8
+    const publicJwk = {
+        kty: "RSA",
+        n: uint8ArrayToBase64Url(n),
+        e: uint8ArrayToBase64Url(e),
+    };
+    const privateJwk = Object.assign(Object.assign({}, publicJwk), { d: uint8ArrayToBase64Url(d), p: uint8ArrayToBase64Url(p), q: uint8ArrayToBase64Url(q), dp: uint8ArrayToBase64Url(bigIntToUint8Array(dpBigInt, p.length)), dq: uint8ArrayToBase64Url(bigIntToUint8Array(dqBigInt, q.length)), qi: uint8ArrayToBase64Url(u) });
+    // Import private key as JWK
+    const cryptoPrivateKey = await crypto.subtle.importKey("jwk", privateJwk, { name: "RSA-PSS", hash: "SHA-256" }, true, ["sign"]);
+    // Import public key as JWK
+    const cryptoPublicKey = await crypto.subtle.importKey("jwk", publicJwk, { name: "RSA-PSS", hash: "SHA-256" }, true, ["verify"]);
+    // Export private key as PKCS8
+    const privateKeyBuffer = await crypto.subtle.exportKey("pkcs8", cryptoPrivateKey);
+    const privateKeyBytes = new Uint8Array(privateKeyBuffer);
+    // Export public key as SPKI and convert to PEM
+    const publicKeyBuffer = await crypto.subtle.exportKey("spki", cryptoPublicKey);
+    const publicKeyPem = arrayBufferToPem(publicKeyBuffer, "PUBLIC KEY");
+    const publicKeySpkiBytes = new Uint8Array(publicKeyBuffer);
+    return { privateKeyBytes, publicKeyPem, publicKeySpkiBytes };
+}
+// ============================================================================
+// Public API
+// ============================================================================
+/**
+ * Check if a string looks like an armored PGP key
+ *
+ * @param input - String to check
+ * @returns true if it appears to be armored PGP format
+ */
+function isArmoredPGPKey(input) {
+    return (input.includes("-----BEGIN PGP PRIVATE KEY BLOCK-----") ||
+        input.includes("-----BEGIN PGP PRIVATE KEY-----"));
+}
+/**
+ * Parse an armored PGP private key
+ *
+ * @param armoredKey - Armored PGP private key string
+ * @param passphrase - Optional passphrase if key is encrypted
+ * @returns Parsed key data
+ * @throws PGPKeyImportError if parsing fails
+ */
+async function parseArmoredPGPKey(armoredKey, passphrase) {
+    // Dynamic import to avoid bundling openpgp for users who don't need import
+    const openpgp = await Promise.resolve().then(() => __importStar(require("openpgp")));
+    let privateKey;
+    try {
+        // Read the armored key
+        // eslint-disable-next-line fp/no-mutation -- Assigning result to declared variable
+        privateKey = await openpgp.readPrivateKey({ armoredKey });
+    }
+    catch (_a) {
+        throw new PGPKeyImportError("Failed to parse armored key. Please check the format.", "PARSE_ERROR");
+    }
+    // Check if key is encrypted and needs passphrase
+    if (!privateKey.isDecrypted()) {
+        if (!passphrase) {
+            throw new PGPKeyImportError("This key is passphrase-protected. Please enter your passphrase.", "PASSPHRASE_REQUIRED");
+        }
+        try {
+            // eslint-disable-next-line fp/no-mutation -- Reassigning decrypted key
+            privateKey = await openpgp.decryptKey({
+                privateKey,
+                passphrase,
+            });
+        }
+        catch (_b) {
+            throw new PGPKeyImportError("Incorrect passphrase. Please try again.", "INVALID_PASSPHRASE");
+        }
+    }
+    // Get the primary key packet
+    const { keyPacket } = privateKey;
+    // Validate algorithm - we only support RSA
+    // openpgp uses numeric enums at runtime: rsaEncryptSign=1, rsaEncrypt=2, rsaSign=3
+    const algorithmId = keyPacket.algorithm;
+    const RSA_ALGORITHM_IDS = new Set([
+        1, // rsaEncryptSign
+        2, // rsaEncrypt
+        3, // rsaSign
+    ]);
+    if (!RSA_ALGORITHM_IDS.has(algorithmId)) {
+        throw new PGPKeyImportError(`Unsupported algorithm: ${algorithmId}. Only RSA keys are supported.`, "UNSUPPORTED_ALGORITHM");
+    }
+    // Get key size from the modulus (n) length
+    // Type assertion needed because openpgp types are complex
+    const publicParams = keyPacket.publicParams;
+    const keySize = publicParams.n.length * 8;
+    // Extract the raw key material and convert to PKCS8
+    const { privateKeyBytes, publicKeyPem, publicKeySpkiBytes } = await extractKeyMaterial(keyPacket);
+    // Compute fingerprint using SHA-256 of SPKI bytes (consistent with generator)
+    const keyId = await (0, generator_1.computeKeyFingerprint)(publicKeySpkiBytes);
+    // Get user IDs
+    const userIds = privateKey.getUserIDs();
+    // Determine algorithm label
+    const algorithmLabel = keySize >= 4096 ? "RSA-4096" : "RSA-2048";
+    return {
+        privateKeyBytes,
+        publicKeyPem,
+        keyId,
+        algorithm: algorithmLabel,
+        keySize,
+        userIds,
+        createdAt: keyPacket.created.toISOString(),
+    };
+}
+/**
+ * Validate an imported key
+ *
+ * @param parsedKey - Parsed key to validate
+ * @returns Validation result with any warnings
+ */
+function validateImportedKey(parsedKey) {
+    // Check minimum key size
+    if (parsedKey.keySize < 2048) {
+        return {
+            isValid: false,
+            error: `Key size (${parsedKey.keySize} bits) is too small. Minimum 2048 bits required.`,
+        };
+    }
+    // Warn if key size is less than recommended
+    if (parsedKey.keySize < 4096) {
+        return {
+            isValid: true,
+            warning: `Key size is ${parsedKey.keySize} bits. We recommend 4096 bits for maximum security.`,
+        };
+    }
+    return { isValid: true };
+}

package/dist/crypto/pgpKey/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * PGP Key Module
+ *
+ * Provides generation, encryption, storage, and management of
+ * PGP keys for digital signatures.
+ *
+ * Issue #1374
+ */
+export * from "./types";
+export { generatePGPKeyPair, computeKeyFingerprint } from "./generator";
+export { encryptPrivateKey, decryptPrivateKey, importPrivateKey, importPublicKey, } from "./encryption";
+export type { EncryptedPrivateKey } from "./encryption";
+export { storePGPPrivateKey, getPGPPrivateKey, deletePGPPrivateKey, hasPGPPrivateKey, createIndexedDBPGPKeyStorage, } from "./storage";
+export { isPemFormat, extractPemType, pemToBytes, bytesToPem, formatFingerprint, } from "./format";
+export { signData, verifySignature, signText, verifyTextSignature, } from "./signing";
+export { isArmoredPGPKey, parseArmoredPGPKey, validateImportedKey, PGPKeyImportError, } from "./import";
+export type { ParsedPGPKey, KeyValidationResult } from "./import";
+export { exportPGPKeyToArmored, PGPKeyExportError } from "./export";
+export type { ExportPGPKeyOptions, ExportedPGPKey } from "./export";

package/dist/crypto/pgpKey/index.js

@@ -0,0 +1,67 @@
+"use strict";
+/**
+ * PGP Key Module
+ *
+ * Provides generation, encryption, storage, and management of
+ * PGP keys for digital signatures.
+ *
+ * Issue #1374
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PGPKeyExportError = exports.exportPGPKeyToArmored = exports.PGPKeyImportError = exports.validateImportedKey = exports.parseArmoredPGPKey = exports.isArmoredPGPKey = exports.verifyTextSignature = exports.signText = exports.verifySignature = exports.signData = exports.formatFingerprint = exports.bytesToPem = exports.pemToBytes = exports.extractPemType = exports.isPemFormat = exports.createIndexedDBPGPKeyStorage = exports.hasPGPPrivateKey = exports.deletePGPPrivateKey = exports.getPGPPrivateKey = exports.storePGPPrivateKey = exports.importPublicKey = exports.importPrivateKey = exports.decryptPrivateKey = exports.encryptPrivateKey = exports.computeKeyFingerprint = exports.generatePGPKeyPair = void 0;
+// Re-export types
+__exportStar(require("./types"), exports);
+// Re-export generator
+var generator_1 = require("./generator");
+Object.defineProperty(exports, "generatePGPKeyPair", { enumerable: true, get: function () { return generator_1.generatePGPKeyPair; } });
+Object.defineProperty(exports, "computeKeyFingerprint", { enumerable: true, get: function () { return generator_1.computeKeyFingerprint; } });
+// Re-export encryption
+var encryption_1 = require("./encryption");
+Object.defineProperty(exports, "encryptPrivateKey", { enumerable: true, get: function () { return encryption_1.encryptPrivateKey; } });
+Object.defineProperty(exports, "decryptPrivateKey", { enumerable: true, get: function () { return encryption_1.decryptPrivateKey; } });
+Object.defineProperty(exports, "importPrivateKey", { enumerable: true, get: function () { return encryption_1.importPrivateKey; } });
+Object.defineProperty(exports, "importPublicKey", { enumerable: true, get: function () { return encryption_1.importPublicKey; } });
+// Re-export storage
+var storage_1 = require("./storage");
+Object.defineProperty(exports, "storePGPPrivateKey", { enumerable: true, get: function () { return storage_1.storePGPPrivateKey; } });
+Object.defineProperty(exports, "getPGPPrivateKey", { enumerable: true, get: function () { return storage_1.getPGPPrivateKey; } });
+Object.defineProperty(exports, "deletePGPPrivateKey", { enumerable: true, get: function () { return storage_1.deletePGPPrivateKey; } });
+Object.defineProperty(exports, "hasPGPPrivateKey", { enumerable: true, get: function () { return storage_1.hasPGPPrivateKey; } });
+Object.defineProperty(exports, "createIndexedDBPGPKeyStorage", { enumerable: true, get: function () { return storage_1.createIndexedDBPGPKeyStorage; } });
+// Re-export format utilities
+var format_1 = require("./format");
+Object.defineProperty(exports, "isPemFormat", { enumerable: true, get: function () { return format_1.isPemFormat; } });
+Object.defineProperty(exports, "extractPemType", { enumerable: true, get: function () { return format_1.extractPemType; } });
+Object.defineProperty(exports, "pemToBytes", { enumerable: true, get: function () { return format_1.pemToBytes; } });
+Object.defineProperty(exports, "bytesToPem", { enumerable: true, get: function () { return format_1.bytesToPem; } });
+Object.defineProperty(exports, "formatFingerprint", { enumerable: true, get: function () { return format_1.formatFingerprint; } });
+// Re-export signing
+var signing_1 = require("./signing");
+Object.defineProperty(exports, "signData", { enumerable: true, get: function () { return signing_1.signData; } });
+Object.defineProperty(exports, "verifySignature", { enumerable: true, get: function () { return signing_1.verifySignature; } });
+Object.defineProperty(exports, "signText", { enumerable: true, get: function () { return signing_1.signText; } });
+Object.defineProperty(exports, "verifyTextSignature", { enumerable: true, get: function () { return signing_1.verifyTextSignature; } });
+// Re-export import functions
+var import_1 = require("./import");
+Object.defineProperty(exports, "isArmoredPGPKey", { enumerable: true, get: function () { return import_1.isArmoredPGPKey; } });
+Object.defineProperty(exports, "parseArmoredPGPKey", { enumerable: true, get: function () { return import_1.parseArmoredPGPKey; } });
+Object.defineProperty(exports, "validateImportedKey", { enumerable: true, get: function () { return import_1.validateImportedKey; } });
+Object.defineProperty(exports, "PGPKeyImportError", { enumerable: true, get: function () { return import_1.PGPKeyImportError; } });
+// Re-export export functions
+var export_1 = require("./export");
+Object.defineProperty(exports, "exportPGPKeyToArmored", { enumerable: true, get: function () { return export_1.exportPGPKeyToArmored; } });
+Object.defineProperty(exports, "PGPKeyExportError", { enumerable: true, get: function () { return export_1.PGPKeyExportError; } });

package/dist/crypto/pgpKey/signing.d.ts

@@ -0,0 +1,44 @@
+/**
+ * PGP Key Signing Operations
+ *
+ * Provides RSA-PSS digital signature and verification functions.
+ * Issue #1374
+ */
+/**
+ * Sign raw bytes with an RSA-PSS private key
+ *
+ * @param data - Data to sign as Uint8Array
+ * @param privateKey - CryptoKey configured for RSA-PSS signing
+ * @returns Signature bytes (512 bytes for RSA-4096)
+ */
+export declare function signData(data: Uint8Array, privateKey: CryptoKey): Promise<Uint8Array>;
+/**
+ * Verify an RSA-PSS signature
+ *
+ * @param data - Original data that was signed
+ * @param signature - Signature bytes to verify
+ * @param publicKey - CryptoKey configured for RSA-PSS verification
+ * @returns True if signature is valid, false otherwise
+ */
+export declare function verifySignature(data: Uint8Array, signature: Uint8Array, publicKey: CryptoKey): Promise<boolean>;
+/**
+ * Sign text and return base64-encoded signature
+ *
+ * Convenience wrapper that encodes text to UTF-8 bytes before signing.
+ *
+ * @param text - Text to sign
+ * @param privateKey - CryptoKey configured for RSA-PSS signing
+ * @returns Base64-encoded signature string
+ */
+export declare function signText(text: string, privateKey: CryptoKey): Promise<string>;
+/**
+ * Verify a base64-encoded signature for text
+ *
+ * Convenience wrapper that decodes base64 signature and encodes text to UTF-8.
+ *
+ * @param text - Original text that was signed
+ * @param signatureBase64 - Base64-encoded signature to verify
+ * @param publicKey - CryptoKey configured for RSA-PSS verification
+ * @returns True if signature is valid, false otherwise
+ */
+export declare function verifyTextSignature(text: string, signatureBase64: string, publicKey: CryptoKey): Promise<boolean>;

package/dist/crypto/pgpKey/signing.js

@@ -0,0 +1,71 @@
+"use strict";
+/**
+ * PGP Key Signing Operations
+ *
+ * Provides RSA-PSS digital signature and verification functions.
+ * Issue #1374
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signData = signData;
+exports.verifySignature = verifySignature;
+exports.signText = signText;
+exports.verifyTextSignature = verifyTextSignature;
+const utils_1 = require("../kdf/utils");
+/**
+ * RSA-PSS signature parameters
+ */
+const RSA_PSS_PARAMS = {
+    name: "RSA-PSS",
+    saltLength: 32, // Recommended for SHA-256
+};
+/**
+ * Sign raw bytes with an RSA-PSS private key
+ *
+ * @param data - Data to sign as Uint8Array
+ * @param privateKey - CryptoKey configured for RSA-PSS signing
+ * @returns Signature bytes (512 bytes for RSA-4096)
+ */
+async function signData(data, privateKey) {
+    const signature = await crypto.subtle.sign(RSA_PSS_PARAMS, privateKey, data);
+    return new Uint8Array(signature);
+}
+/**
+ * Verify an RSA-PSS signature
+ *
+ * @param data - Original data that was signed
+ * @param signature - Signature bytes to verify
+ * @param publicKey - CryptoKey configured for RSA-PSS verification
+ * @returns True if signature is valid, false otherwise
+ */
+async function verifySignature(data, signature, publicKey) {
+    return crypto.subtle.verify(RSA_PSS_PARAMS, publicKey, signature, data);
+}
+/**
+ * Sign text and return base64-encoded signature
+ *
+ * Convenience wrapper that encodes text to UTF-8 bytes before signing.
+ *
+ * @param text - Text to sign
+ * @param privateKey - CryptoKey configured for RSA-PSS signing
+ * @returns Base64-encoded signature string
+ */
+async function signText(text, privateKey) {
+    const data = new TextEncoder().encode(text);
+    const signature = await signData(data, privateKey);
+    return (0, utils_1.uint8ArrayToBase64)(signature);
+}
+/**
+ * Verify a base64-encoded signature for text
+ *
+ * Convenience wrapper that decodes base64 signature and encodes text to UTF-8.
+ *
+ * @param text - Original text that was signed
+ * @param signatureBase64 - Base64-encoded signature to verify
+ * @param publicKey - CryptoKey configured for RSA-PSS verification
+ * @returns True if signature is valid, false otherwise
+ */
+async function verifyTextSignature(text, signatureBase64, publicKey) {
+    const data = new TextEncoder().encode(text);
+    const signature = Uint8Array.from(atob(signatureBase64), c => c.charCodeAt(0));
+    return verifySignature(data, signature, publicKey);
+}

package/dist/crypto/pgpKey/storage.d.ts

@@ -0,0 +1,43 @@
+/**
+ * PGP Key Storage
+ *
+ * IndexedDB-based storage for encrypted PGP private keys.
+ * The encrypted private key is stored locally on the device and never sent to servers.
+ *
+ * Issue #1374
+ */
+import type { PGPKeyStorage, StoredPGPPrivateKey } from "./types";
+/**
+ * Generate storage key for a user's PGP private key
+ */
+export declare function getStorageKey(userId: string): string;
+/**
+ * Store an encrypted PGP private key in IndexedDB
+ *
+ * @param record - The encrypted private key record to store
+ */
+export declare function storePGPPrivateKey(record: StoredPGPPrivateKey): Promise<void>;
+/**
+ * Retrieve an encrypted PGP private key from IndexedDB
+ *
+ * @param userId - User's Cognito sub
+ * @returns The encrypted private key record or null if not found
+ */
+export declare function getPGPPrivateKey(userId: string): Promise<StoredPGPPrivateKey | null>;
+/**
+ * Delete an encrypted PGP private key from IndexedDB
+ *
+ * @param userId - User's Cognito sub
+ */
+export declare function deletePGPPrivateKey(userId: string): Promise<void>;
+/**
+ * Check if an encrypted PGP private key exists for a user
+ *
+ * @param userId - User's Cognito sub
+ * @returns true if a key exists
+ */
+export declare function hasPGPPrivateKey(userId: string): Promise<boolean>;
+/**
+ * Create a PGPKeyStorage implementation using IndexedDB
+ */
+export declare function createIndexedDBPGPKeyStorage(): PGPKeyStorage;

package/dist/crypto/pgpKey/storage.js

@@ -0,0 +1,141 @@
+"use strict";
+/**
+ * PGP Key Storage
+ *
+ * IndexedDB-based storage for encrypted PGP private keys.
+ * The encrypted private key is stored locally on the device and never sent to servers.
+ *
+ * Issue #1374
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getStorageKey = getStorageKey;
+exports.storePGPPrivateKey = storePGPPrivateKey;
+exports.getPGPPrivateKey = getPGPPrivateKey;
+exports.deletePGPPrivateKey = deletePGPPrivateKey;
+exports.hasPGPPrivateKey = hasPGPPrivateKey;
+exports.createIndexedDBPGPKeyStorage = createIndexedDBPGPKeyStorage;
+const types_1 = require("./types");
+/**
+ * Generate storage key for a user's PGP private key
+ */
+function getStorageKey(userId) {
+    return `pgp-private-key-${userId}`;
+}
+/**
+ * Open the IndexedDB database for PGP key storage
+ */
+function openDatabase() {
+    return new Promise((resolve, reject) => {
+        const request = indexedDB.open(types_1.PGP_KEY_DB_CONFIG.name, types_1.PGP_KEY_DB_CONFIG.version);
+        /* eslint-disable fp/no-mutation -- IndexedDB API requires callback assignment */
+        request.onerror = () => {
+            reject(new Error("Failed to open PGP key database"));
+        };
+        request.onsuccess = () => {
+            resolve(request.result);
+        };
+        request.onupgradeneeded = event => {
+            const db = event.target.result;
+            // Create object store if it doesn't exist
+            if (!db.objectStoreNames.contains(types_1.PGP_KEY_DB_CONFIG.storeName)) {
+                db.createObjectStore(types_1.PGP_KEY_DB_CONFIG.storeName);
+            }
+        };
+        /* eslint-enable fp/no-mutation */
+    });
+}
+/**
+ * Store an encrypted PGP private key in IndexedDB
+ *
+ * @param record - The encrypted private key record to store
+ */
+async function storePGPPrivateKey(record) {
+    const db = await openDatabase();
+    return new Promise((resolve, reject) => {
+        const transaction = db.transaction(types_1.PGP_KEY_DB_CONFIG.storeName, "readwrite");
+        const store = transaction.objectStore(types_1.PGP_KEY_DB_CONFIG.storeName);
+        const request = store.put(record, getStorageKey(record.userId));
+        /* eslint-disable fp/no-mutation -- IndexedDB API requires callback assignment */
+        request.onerror = () => {
+            reject(new Error("Failed to store PGP private key"));
+        };
+        request.onsuccess = () => {
+            resolve();
+        };
+        transaction.oncomplete = () => {
+            db.close();
+        };
+        /* eslint-enable fp/no-mutation */
+    });
+}
+/**
+ * Retrieve an encrypted PGP private key from IndexedDB
+ *
+ * @param userId - User's Cognito sub
+ * @returns The encrypted private key record or null if not found
+ */
+async function getPGPPrivateKey(userId) {
+    const db = await openDatabase();
+    return new Promise((resolve, reject) => {
+        const transaction = db.transaction(types_1.PGP_KEY_DB_CONFIG.storeName, "readonly");
+        const store = transaction.objectStore(types_1.PGP_KEY_DB_CONFIG.storeName);
+        const request = store.get(getStorageKey(userId));
+        /* eslint-disable fp/no-mutation -- IndexedDB API requires callback assignment */
+        request.onerror = () => {
+            reject(new Error("Failed to retrieve PGP private key"));
+        };
+        request.onsuccess = () => {
+            var _a;
+            resolve((_a = request.result) !== null && _a !== void 0 ? _a : null);
+        };
+        transaction.oncomplete = () => {
+            db.close();
+        };
+        /* eslint-enable fp/no-mutation */
+    });
+}
+/**
+ * Delete an encrypted PGP private key from IndexedDB
+ *
+ * @param userId - User's Cognito sub
+ */
+async function deletePGPPrivateKey(userId) {
+    const db = await openDatabase();
+    return new Promise((resolve, reject) => {
+        const transaction = db.transaction(types_1.PGP_KEY_DB_CONFIG.storeName, "readwrite");
+        const store = transaction.objectStore(types_1.PGP_KEY_DB_CONFIG.storeName);
+        const request = store.delete(getStorageKey(userId));
+        /* eslint-disable fp/no-mutation -- IndexedDB API requires callback assignment */
+        request.onerror = () => {
+            reject(new Error("Failed to delete PGP private key"));
+        };
+        request.onsuccess = () => {
+            resolve();
+        };
+        transaction.oncomplete = () => {
+            db.close();
+        };
+        /* eslint-enable fp/no-mutation */
+    });
+}
+/**
+ * Check if an encrypted PGP private key exists for a user
+ *
+ * @param userId - User's Cognito sub
+ * @returns true if a key exists
+ */
+async function hasPGPPrivateKey(userId) {
+    const record = await getPGPPrivateKey(userId);
+    return record !== null;
+}
+/**
+ * Create a PGPKeyStorage implementation using IndexedDB
+ */
+function createIndexedDBPGPKeyStorage() {
+    return {
+        store: storePGPPrivateKey,
+        get: getPGPPrivateKey,
+        delete: deletePGPPrivateKey,
+        exists: hasPGPPrivateKey,
+    };
+}