@raytio/core 11.5.0 → 11.6.0

package/dist/crypto/pgpKey/export.js

@@ -0,0 +1,322 @@
+"use strict";
+/**
+ * PGP Key Export
+ *
+ * Export PKCS8 private keys to OpenPGP armored format.
+ * Compatible with GPG and GitHub.
+ *
+ * This module converts existing PKCS8 key material to OpenPGP format,
+ * preserving the original cryptographic material rather than generating
+ * new keys.
+ *
+ * Issue #1374
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PGPKeyExportError = void 0;
+exports.exportPGPKeyToArmored = exportPGPKeyToArmored;
+const generator_1 = require("./generator");
+/**
+ * Error thrown when key export fails
+ */
+// eslint-disable-next-line fp/no-class -- Custom error class for specific error handling
+class PGPKeyExportError extends Error {
+    constructor(message, code) {
+        super(message);
+        // eslint-disable-next-line fp/no-this, fp/no-mutation -- Required for Error subclassing
+        this.name = "PGPKeyExportError";
+        // eslint-disable-next-line fp/no-this, fp/no-mutation -- Required for Error subclassing
+        this.code = code;
+    }
+}
+exports.PGPKeyExportError = PGPKeyExportError;
+// ============================================================================
+// Helper functions
+// ============================================================================
+/**
+ * Convert base64url encoding to Uint8Array
+ *
+ * @param base64url - Base64url encoded string
+ * @returns Decoded bytes
+ */
+function base64UrlToUint8Array(base64url) {
+    // Convert base64url to base64
+    const base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+    // Add padding if needed
+    const paddedBase64 = base64.padEnd(base64.length + ((4 - (base64.length % 4)) % 4), "=");
+    const binary = atob(paddedBase64);
+    const bytes = new Uint8Array(binary.length);
+    Array.from({ length: binary.length }).forEach((_, i) => {
+        // eslint-disable-next-line fp/no-mutation -- Building byte array element by element
+        bytes[i] = binary.charCodeAt(i);
+    });
+    return bytes;
+}
+/**
+ * Import PKCS8 private key bytes as an extractable CryptoKey
+ *
+ * @param privateKeyBytes - PKCS8 encoded private key
+ * @returns Extractable CryptoKey
+ */
+async function importPrivateKeyExtractable(privateKeyBytes) {
+    return crypto.subtle.importKey("pkcs8", privateKeyBytes, { name: "RSA-PSS", hash: "SHA-256" }, true, // extractable
+    ["sign"]);
+}
+/**
+ * Extract RSA parameters from a CryptoKey as JWK
+ *
+ * @param privateKey - CryptoKey to extract parameters from
+ * @returns JWK with RSA parameters
+ */
+async function extractRSAParams(privateKey) {
+    return crypto.subtle.exportKey("jwk", privateKey);
+}
+/**
+ * Compute modular inverse: u = q^-1 mod p
+ * Used for the 'u' parameter in OpenPGP RSA keys
+ */
+function modInverse(a, modulus) {
+    // Extended Euclidean Algorithm
+    const m0 = modulus;
+    let x0 = BigInt(0);
+    let x1 = BigInt(1);
+    if (modulus === BigInt(1))
+        return BigInt(0);
+    let aVal = a;
+    let mVal = modulus;
+    while (aVal > BigInt(1)) {
+        const q = aVal / mVal;
+        let t = mVal;
+        // eslint-disable-next-line fp/no-mutation -- Algorithm requires mutation
+        mVal = aVal % mVal;
+        // eslint-disable-next-line fp/no-mutation -- Algorithm requires mutation
+        aVal = t;
+        // eslint-disable-next-line fp/no-mutation -- Algorithm requires mutation
+        t = x0;
+        // eslint-disable-next-line fp/no-mutation -- Algorithm requires mutation
+        x0 = x1 - q * x0;
+        // eslint-disable-next-line fp/no-mutation -- Algorithm requires mutation
+        x1 = t;
+    }
+    // Make x1 positive
+    if (x1 < BigInt(0)) {
+        // eslint-disable-next-line fp/no-mutation -- Ensuring positive result
+        x1 += m0;
+    }
+    return x1;
+}
+/**
+ * Convert BigInt to Uint8Array (big-endian)
+ */
+function bigIntToUint8Array(num) {
+    const hex = num.toString(16);
+    // Ensure even number of hex digits
+    const paddedHex = hex.length % 2 === 0 ? hex : `0${hex}`;
+    const bytes = new Uint8Array(paddedHex.length / 2);
+    Array.from({ length: bytes.length }).forEach((_, i) => {
+        // eslint-disable-next-line fp/no-mutation -- Building byte array element by element
+        bytes[i] = parseInt(paddedHex.slice(i * 2, i * 2 + 2), 16);
+    });
+    return bytes;
+}
+/**
+ * Convert Uint8Array to BigInt (big-endian)
+ */
+function uint8ArrayToBigInt(bytes) {
+    let result = BigInt(0);
+    for (const byte of bytes) {
+        // eslint-disable-next-line fp/no-mutation, no-bitwise -- Building bigint value
+        result = (result << BigInt(8)) + BigInt(byte);
+    }
+    return result;
+}
+// ============================================================================
+// Public API
+// ============================================================================
+/**
+ * Export a PKCS8 private key to OpenPGP armored format
+ *
+ * This function converts existing PKCS8 RSA key material to OpenPGP format,
+ * preserving the original cryptographic material. The exported key can be
+ * used with GPG, GitHub, and other OpenPGP-compatible tools.
+ *
+ * @param privateKeyBytes - PKCS8 encoded private key bytes
+ * @param options - Export options (passphrase, userIds, date)
+ * @returns Armored private and public keys with fingerprint
+ * @throws PGPKeyExportError if export fails
+ */
+async function exportPGPKeyToArmored(privateKeyBytes, options = {}) {
+    var _a;
+    // Dynamic import to avoid bundling openpgp for users who don't need export
+    const openpgp = await Promise.resolve().then(() => __importStar(require("openpgp")));
+    // Cast enums to internal type for access to features enum
+    const internalEnums = openpgp.enums;
+    // Import the PKCS8 key as extractable and get JWK
+    let jwk;
+    try {
+        const cryptoKey = await importPrivateKeyExtractable(privateKeyBytes);
+        // eslint-disable-next-line fp/no-mutation -- Assigning result to declared variable
+        jwk = await extractRSAParams(cryptoKey);
+    }
+    catch (_b) {
+        throw new PGPKeyExportError("Failed to import private key. Please check the key format.", "IMPORT_ERROR");
+    }
+    // Validate we have all required RSA parameters
+    if (!jwk.n || !jwk.e || !jwk.d || !jwk.p || !jwk.q) {
+        throw new PGPKeyExportError("Invalid RSA key: missing required parameters.", "INVALID_KEY");
+    }
+    // Compute SPKI-based fingerprint (consistent with generator and import flows)
+    const publicCryptoKey = await crypto.subtle.importKey("jwk", { kty: "RSA", n: jwk.n, e: jwk.e }, { name: "RSA-PSS", hash: "SHA-256" }, true, ["verify"]);
+    const spkiBuffer = await crypto.subtle.exportKey("spki", publicCryptoKey);
+    const fingerprint = await (0, generator_1.computeKeyFingerprint)(new Uint8Array(spkiBuffer));
+    // Convert JWK parameters to Uint8Arrays for OpenPGP
+    const n = base64UrlToUint8Array(jwk.n);
+    const e = base64UrlToUint8Array(jwk.e);
+    const d = base64UrlToUint8Array(jwk.d);
+    const p = base64UrlToUint8Array(jwk.p);
+    const q = base64UrlToUint8Array(jwk.q);
+    // Compute u = q^-1 mod p (required by OpenPGP format)
+    const pBigInt = uint8ArrayToBigInt(p);
+    const qBigInt = uint8ArrayToBigInt(q);
+    const uBigInt = modInverse(qBigInt, pBigInt);
+    const u = bigIntToUint8Array(uBigInt);
+    // Determine user IDs for the key
+    const userIds = options.userIds && options.userIds.length > 0
+        ? options.userIds
+        : [{ name: "Raytio User", email: "user@rayt.io" }];
+    const creationDate = (_a = options.date) !== null && _a !== void 0 ? _a : new Date();
+    try {
+        // Create SecretKeyPacket with our existing key material
+        // The constructor doesn't take date in the types, but does at runtime
+        const SecretKeyPacketClass = openpgp.SecretKeyPacket;
+        const secretKeyPacket = new SecretKeyPacketClass(creationDate);
+        // Set the algorithm to RSA Encrypt-Sign
+        // eslint-disable-next-line fp/no-mutation -- Required for packet construction
+        secretKeyPacket.algorithm = internalEnums.publicKey.rsaEncryptSign;
+        // Set the public parameters (n, e)
+        // eslint-disable-next-line fp/no-mutation -- Required for packet construction
+        secretKeyPacket.publicParams = { n, e };
+        // Set the private parameters (d, p, q, u)
+        // eslint-disable-next-line fp/no-mutation -- Required for packet construction
+        secretKeyPacket.privateParams = { d, p, q, u };
+        // Mark as not encrypted (we'll encrypt later if passphrase provided)
+        // eslint-disable-next-line fp/no-mutation -- Required for packet construction
+        secretKeyPacket.isEncrypted = false;
+        // Compute fingerprint and key ID
+        await secretKeyPacket.computeFingerprintAndKeyID();
+        // Create a UserIDPacket for each user ID
+        const userIdPackets = userIds.map(uid => {
+            var _a, _b;
+            return openpgp.UserIDPacket.fromObject({
+                name: (_a = uid.name) !== null && _a !== void 0 ? _a : "",
+                email: (_b = uid.email) !== null && _b !== void 0 ? _b : "",
+            });
+        });
+        // Create self-certification signature for each user ID
+        const signaturePackets = await Promise.all(userIdPackets.map(async (userIdPacket) => {
+            const SignaturePacketClass = openpgp.SignaturePacket;
+            const signaturePacket = new SignaturePacketClass();
+            // Set signature properties
+            // eslint-disable-next-line fp/no-mutation -- Required for signature construction
+            signaturePacket.signatureType = internalEnums.signature.certPositive;
+            // eslint-disable-next-line fp/no-mutation -- Required for signature construction
+            signaturePacket.publicKeyAlgorithm =
+                internalEnums.publicKey.rsaEncryptSign;
+            // eslint-disable-next-line fp/no-mutation -- Required for signature construction
+            signaturePacket.hashAlgorithm = internalEnums.hash.sha256;
+            // Set key flags for certification and signing
+            // eslint-disable-next-line fp/no-mutation -- Required for signature construction
+            signaturePacket.keyFlags = new Uint8Array([
+                // eslint-disable-next-line no-bitwise -- Bitwise OR for combining key flags
+                internalEnums.keyFlags.certifyKeys | internalEnums.keyFlags.signData,
+            ]);
+            // Set preferred algorithms
+            // eslint-disable-next-line fp/no-mutation -- Required for signature construction
+            signaturePacket.preferredSymmetricAlgorithms = [
+                internalEnums.symmetric.aes256,
+                internalEnums.symmetric.aes128,
+            ];
+            // eslint-disable-next-line fp/no-mutation -- Required for signature construction
+            signaturePacket.preferredHashAlgorithms = [
+                internalEnums.hash.sha512,
+                internalEnums.hash.sha256,
+            ];
+            // eslint-disable-next-line fp/no-mutation -- Required for signature construction
+            signaturePacket.preferredCompressionAlgorithms = [
+                internalEnums.compression.uncompressed,
+                internalEnums.compression.zlib,
+                internalEnums.compression.zip,
+            ];
+            // Set features (modification detection)
+            // eslint-disable-next-line fp/no-mutation -- Required for signature construction
+            signaturePacket.features = new Uint8Array([
+                internalEnums.features.modificationDetection,
+            ]);
+            // Sign the user ID with the secret key
+            // The sign method takes different arguments at runtime than in types
+            const dataToSign = {
+                userID: userIdPacket,
+                key: secretKeyPacket,
+            };
+            await signaturePacket.sign(secretKeyPacket, dataToSign, creationDate, false, openpgp.config);
+            return signaturePacket;
+        }));
+        // Build packet list: SecretKeyPacket, then (UserIDPacket, SignaturePacket) pairs
+        const packetList = new openpgp.PacketList();
+        // eslint-disable-next-line fp/no-mutating-methods -- Required for building packet list
+        packetList.push(secretKeyPacket);
+        userIdPackets.forEach((userIdPacket, index) => {
+            // eslint-disable-next-line fp/no-mutating-methods -- Required for building packet list
+            packetList.push(userIdPacket);
+            // eslint-disable-next-line fp/no-mutating-methods -- Required for building packet list
+            packetList.push(signaturePackets[index]);
+        });
+        // Create PrivateKey from packet list
+        // The constructor expects a generic PacketList<AnyPacket>
+        const privateKey = new openpgp.PrivateKey(packetList);
+        // Encrypt the key if passphrase is provided
+        let finalPrivateKey = privateKey;
+        if (options.passphrase) {
+            // eslint-disable-next-line fp/no-mutation -- Reassigning encrypted key
+            finalPrivateKey = await openpgp.encryptKey({
+                privateKey,
+                passphrase: options.passphrase,
+            });
+        }
+        // Get armored versions
+        const armoredPrivateKey = finalPrivateKey.armor();
+        const armoredPublicKey = finalPrivateKey.toPublic().armor();
+        return {
+            armoredPrivateKey,
+            armoredPublicKey,
+            isEncrypted: Boolean(options.passphrase),
+            fingerprint,
+        };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : "Unknown error occurred";
+        throw new PGPKeyExportError(`Failed to create OpenPGP key from PKCS8 material: ${message}`, "CONVERSION_ERROR");
+    }
+}

package/dist/crypto/pgpKey/format.d.ts

@@ -0,0 +1,61 @@
+/**
+ * PEM Format Utilities
+ *
+ * Utilities for working with PEM-formatted cryptographic keys.
+ * Issue #1374
+ */
+/**
+ * Check if a string is in valid PEM format
+ *
+ * PEM format requires:
+ * - A BEGIN header with a type (e.g., "-----BEGIN PUBLIC KEY-----")
+ * - Base64-encoded content
+ * - An END footer with matching type (e.g., "-----END PUBLIC KEY-----")
+ *
+ * @param input - String to check
+ * @returns true if the string is valid PEM format, false otherwise
+ */
+export declare function isPemFormat(input: string): boolean;
+/**
+ * Extract the type from a PEM-formatted string
+ *
+ * For example, extracts "PUBLIC KEY" from:
+ * -----BEGIN PUBLIC KEY-----
+ * ...
+ * -----END PUBLIC KEY-----
+ *
+ * @param pem - PEM-formatted string
+ * @returns The type string (e.g., "PUBLIC KEY", "PRIVATE KEY"), or null if not valid PEM
+ */
+export declare function extractPemType(pem: string): string | null;
+/**
+ * Convert PEM-formatted string to raw bytes
+ *
+ * Extracts the base64 content from between the PEM headers and decodes it.
+ *
+ * @param pem - PEM-formatted string
+ * @returns Raw bytes as Uint8Array
+ * @throws Error if the input is not valid PEM format
+ */
+export declare function pemToBytes(pem: string): Uint8Array;
+/**
+ * Convert raw bytes to PEM format
+ *
+ * Encodes the bytes as base64 and wraps with PEM headers.
+ * Base64 content is wrapped at 64 characters per line per RFC 7468.
+ *
+ * @param bytes - Raw bytes to encode
+ * @param type - PEM type (e.g., "PUBLIC KEY", "PRIVATE KEY")
+ * @returns PEM-formatted string
+ */
+export declare function bytesToPem(bytes: Uint8Array, type: string): string;
+/**
+ * Format a key fingerprint for display
+ *
+ * Converts to uppercase and groups into 4-character blocks separated by spaces.
+ * For example: "abcd1234efgh5678" becomes "ABCD 1234 EFGH 5678"
+ *
+ * @param fingerprint - Raw fingerprint string (typically 40 hex characters)
+ * @returns Formatted fingerprint string
+ */
+export declare function formatFingerprint(fingerprint: string): string;

package/dist/crypto/pgpKey/format.js

@@ -0,0 +1,143 @@
+"use strict";
+/**
+ * PEM Format Utilities
+ *
+ * Utilities for working with PEM-formatted cryptographic keys.
+ * Issue #1374
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isPemFormat = isPemFormat;
+exports.extractPemType = extractPemType;
+exports.pemToBytes = pemToBytes;
+exports.bytesToPem = bytesToPem;
+exports.formatFingerprint = formatFingerprint;
+const utils_1 = require("../kdf/utils");
+/**
+ * PEM header/footer pattern
+ * Matches: -----BEGIN <TYPE>----- and -----END <TYPE>-----
+ */
+const PEM_HEADER_REGEX = /-----BEGIN ([A-Z0-9 ]+)-----/;
+const PEM_FOOTER_REGEX = /-----END ([A-Z0-9 ]+)-----/;
+/**
+ * Base64 character set for validation
+ */
+const BASE64_CHARS = /^[A-Za-z0-9+/=\s]+$/;
+/**
+ * Check if a string is in valid PEM format
+ *
+ * PEM format requires:
+ * - A BEGIN header with a type (e.g., "-----BEGIN PUBLIC KEY-----")
+ * - Base64-encoded content
+ * - An END footer with matching type (e.g., "-----END PUBLIC KEY-----")
+ *
+ * @param input - String to check
+ * @returns true if the string is valid PEM format, false otherwise
+ */
+function isPemFormat(input) {
+    if (!input || typeof input !== "string") {
+        return false;
+    }
+    const headerMatch = input.match(PEM_HEADER_REGEX);
+    const footerMatch = input.match(PEM_FOOTER_REGEX);
+    if (!headerMatch || !footerMatch) {
+        return false;
+    }
+    // Types must match
+    const headerType = headerMatch[1];
+    const footerType = footerMatch[1];
+    if (headerType !== footerType) {
+        return false;
+    }
+    // Check that there's content between header and footer
+    const headerEnd = input.indexOf("-----", input.indexOf("BEGIN") + 5) + 5;
+    const footerStart = input.lastIndexOf("-----END");
+    if (headerEnd >= footerStart) {
+        return false;
+    }
+    const content = input.slice(headerEnd, footerStart).trim();
+    return content.length > 0 && BASE64_CHARS.test(content);
+}
+/**
+ * Extract the type from a PEM-formatted string
+ *
+ * For example, extracts "PUBLIC KEY" from:
+ * -----BEGIN PUBLIC KEY-----
+ * ...
+ * -----END PUBLIC KEY-----
+ *
+ * @param pem - PEM-formatted string
+ * @returns The type string (e.g., "PUBLIC KEY", "PRIVATE KEY"), or null if not valid PEM
+ */
+function extractPemType(pem) {
+    if (!pem || typeof pem !== "string") {
+        return null;
+    }
+    const match = pem.match(PEM_HEADER_REGEX);
+    return match ? match[1] : null;
+}
+/**
+ * Convert PEM-formatted string to raw bytes
+ *
+ * Extracts the base64 content from between the PEM headers and decodes it.
+ *
+ * @param pem - PEM-formatted string
+ * @returns Raw bytes as Uint8Array
+ * @throws Error if the input is not valid PEM format
+ */
+function pemToBytes(pem) {
+    if (!pem || typeof pem !== "string") {
+        throw new Error("Invalid PEM: input must be a non-empty string");
+    }
+    const headerMatch = pem.match(PEM_HEADER_REGEX);
+    const footerMatch = pem.match(PEM_FOOTER_REGEX);
+    if (!headerMatch || !footerMatch) {
+        throw new Error("Invalid PEM: missing header or footer");
+    }
+    // Extract content between header and footer
+    const headerEnd = pem.indexOf("-----", pem.indexOf("BEGIN") + 5) + 5;
+    const footerStart = pem.lastIndexOf("-----END");
+    const base64Content = pem.slice(headerEnd, footerStart).replace(/\s/g, ""); // Remove all whitespace
+    // Decode base64 to bytes using functional approach
+    const binaryString = atob(base64Content);
+    return Uint8Array.from(binaryString, c => c.charCodeAt(0));
+}
+/**
+ * Convert raw bytes to PEM format
+ *
+ * Encodes the bytes as base64 and wraps with PEM headers.
+ * Base64 content is wrapped at 64 characters per line per RFC 7468.
+ *
+ * @param bytes - Raw bytes to encode
+ * @param type - PEM type (e.g., "PUBLIC KEY", "PRIVATE KEY")
+ * @returns PEM-formatted string
+ */
+function bytesToPem(bytes, type) {
+    var _a;
+    // Convert bytes to base64 using functional approach
+    const base64 = (0, utils_1.uint8ArrayToBase64)(bytes);
+    // Wrap at 64 characters per line using regex match
+    const lines = (_a = base64.match(/.{1,64}/g)) !== null && _a !== void 0 ? _a : [];
+    // Build PEM string
+    const header = `-----BEGIN ${type}-----`;
+    const footer = `-----END ${type}-----`;
+    return [header, ...lines, footer].join("\n");
+}
+/**
+ * Format a key fingerprint for display
+ *
+ * Converts to uppercase and groups into 4-character blocks separated by spaces.
+ * For example: "abcd1234efgh5678" becomes "ABCD 1234 EFGH 5678"
+ *
+ * @param fingerprint - Raw fingerprint string (typically 40 hex characters)
+ * @returns Formatted fingerprint string
+ */
+function formatFingerprint(fingerprint) {
+    var _a;
+    if (!fingerprint) {
+        return "";
+    }
+    const upper = fingerprint.toUpperCase();
+    // Split into 4-char groups using regex match
+    const groups = (_a = upper.match(/.{1,4}/g)) !== null && _a !== void 0 ? _a : [];
+    return groups.join(" ");
+}

package/dist/crypto/pgpKey/generator.d.ts

@@ -0,0 +1,20 @@
+/**
+ * PGP Key Generator
+ *
+ * Generates RSA 4096-bit key pairs using Web Crypto API.
+ * Issue #1374
+ */
+import type { PGPKeyPair } from "./types";
+/**
+ * Compute SHA-256 fingerprint of public key bytes
+ *
+ * @param publicKeyBytes - Raw public key bytes (SPKI format)
+ * @returns First 40 hex characters of SHA-256 hash
+ */
+export declare function computeKeyFingerprint(publicKeyBytes: Uint8Array): Promise<string>;
+/**
+ * Generate an RSA 4096-bit key pair for digital signatures
+ *
+ * @returns Generated key pair with PEM public key and raw private key bytes
+ */
+export declare function generatePGPKeyPair(): Promise<PGPKeyPair>;

package/dist/crypto/pgpKey/generator.js

@@ -0,0 +1,76 @@
+"use strict";
+/**
+ * PGP Key Generator
+ *
+ * Generates RSA 4096-bit key pairs using Web Crypto API.
+ * Issue #1374
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeKeyFingerprint = computeKeyFingerprint;
+exports.generatePGPKeyPair = generatePGPKeyPair;
+const utils_1 = require("../kdf/utils");
+const types_1 = require("./types");
+/**
+ * RSA key generation parameters
+ */
+const RSA_PARAMS = {
+    name: "RSA-PSS",
+    modulusLength: 4096,
+    publicExponent: new Uint8Array([1, 0, 1]), // 65537
+    hash: "SHA-256",
+};
+/**
+ * Compute SHA-256 fingerprint of public key bytes
+ *
+ * @param publicKeyBytes - Raw public key bytes (SPKI format)
+ * @returns First 40 hex characters of SHA-256 hash
+ */
+async function computeKeyFingerprint(publicKeyBytes) {
+    const hashBuffer = await crypto.subtle.digest("SHA-256", publicKeyBytes);
+    const hashArray = new Uint8Array(hashBuffer);
+    // Convert to hex and take first 40 characters
+    const hexString = Array.from(hashArray)
+        .map(b => b.toString(16).padStart(2, "0"))
+        .join("");
+    return hexString.substring(0, types_1.KEY_FINGERPRINT_LENGTH);
+}
+/**
+ * Convert ArrayBuffer to PEM format
+ *
+ * @param buffer - Raw key bytes
+ * @param type - PEM type (PUBLIC KEY or PRIVATE KEY)
+ * @returns PEM formatted string
+ */
+function arrayBufferToPem(buffer, type) {
+    var _a;
+    const base64 = (0, utils_1.uint8ArrayToBase64)(new Uint8Array(buffer));
+    const lines = (_a = base64.match(/.{1,64}/g)) !== null && _a !== void 0 ? _a : [];
+    return `-----BEGIN ${type}-----\n${lines.join("\n")}\n-----END ${type}-----`;
+}
+/**
+ * Generate an RSA 4096-bit key pair for digital signatures
+ *
+ * @returns Generated key pair with PEM public key and raw private key bytes
+ */
+async function generatePGPKeyPair() {
+    // Generate the key pair
+    const keyPair = await crypto.subtle.generateKey(RSA_PARAMS, true, [
+        "sign",
+        "verify",
+    ]);
+    // Export public key as SPKI
+    const publicKeyBuffer = await crypto.subtle.exportKey("spki", keyPair.publicKey);
+    const publicKeyPem = arrayBufferToPem(publicKeyBuffer, "PUBLIC KEY");
+    // Export private key as PKCS8
+    const privateKeyBuffer = await crypto.subtle.exportKey("pkcs8", keyPair.privateKey);
+    const privateKeyBytes = new Uint8Array(privateKeyBuffer);
+    // Compute fingerprint
+    const keyId = await computeKeyFingerprint(new Uint8Array(publicKeyBuffer));
+    const algorithm = "RSA-4096";
+    return {
+        publicKeyPem,
+        privateKeyBytes,
+        keyId,
+        algorithm,
+    };
+}

package/dist/crypto/pgpKey/import.d.ts

@@ -0,0 +1,69 @@
+/**
+ * PGP Key Import Parser
+ *
+ * Parse and validate armored PGP private keys for import.
+ * Converts to PKCS8 format compatible with Web Crypto API.
+ *
+ * Issue #1374
+ */
+import type { PGPKeyAlgorithm } from "./types";
+/**
+ * Result from parsing an armored PGP key
+ */
+export interface ParsedPGPKey {
+    /** Private key in PKCS8 format (raw bytes) */
+    privateKeyBytes: Uint8Array;
+    /** Public key in PEM format (SPKI) */
+    publicKeyPem: string;
+    /** Key fingerprint (40 hex chars) */
+    keyId: string;
+    /** Key algorithm */
+    algorithm: PGPKeyAlgorithm;
+    /** Key size in bits */
+    keySize: number;
+    /** User IDs associated with the key */
+    userIds: string[];
+    /** When the key was created */
+    createdAt: string;
+}
+/**
+ * Validation result for imported key
+ */
+export interface KeyValidationResult {
+    /** Whether the key is valid for import */
+    isValid: boolean;
+    /** Error message if invalid */
+    error?: string;
+    /** Warning message (e.g., key size < 4096) */
+    warning?: string;
+}
+/**
+ * Error thrown when key import fails
+ */
+export declare class PGPKeyImportError extends Error {
+    readonly code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Check if a string looks like an armored PGP key
+ *
+ * @param input - String to check
+ * @returns true if it appears to be armored PGP format
+ */
+export declare function isArmoredPGPKey(input: string): boolean;
+/**
+ * Parse an armored PGP private key
+ *
+ * @param armoredKey - Armored PGP private key string
+ * @param passphrase - Optional passphrase if key is encrypted
+ * @returns Parsed key data
+ * @throws PGPKeyImportError if parsing fails
+ */
+export declare function parseArmoredPGPKey(armoredKey: string, passphrase?: string): Promise<ParsedPGPKey>;
+/**
+ * Validate an imported key
+ *
+ * @param parsedKey - Parsed key to validate
+ * @returns Validation result with any warnings
+ */
+export declare function validateImportedKey(parsedKey: ParsedPGPKey): KeyValidationResult;