@twin.org/crypto 0.0.1-next.9 → 0.0.2-next.3

package/dist/cjs/index.cjs

@@ -8,6 +8,7 @@ var blake2b = require('@noble/hashes/blake2b');
 var bip32 = require('@scure/bip32');
 var slip10_js = require('micro-key-producer/slip10.js');
 var chacha = require('@noble/ciphers/chacha');
+var node_crypto = require('node:crypto');
 var blake3 = require('@noble/hashes/blake3');
 var hmac = require('@noble/hashes/hmac');
 var sha1 = require('@noble/hashes/sha1');
@@ -188,6 +189,39 @@ class Ed25519 {
             return false;
         }
     }
+    /**
+     * Convert a private key in PKCS8 format.
+     * @param privateKey The private key to convert.
+     * @returns The private key in PKCS8 format.
+     */
+    static async privateKeyToPkcs8(privateKey) {
+        core.Guards.uint8Array(Ed25519._CLASS_NAME, "privateKey", privateKey);
+        if (privateKey.length !== Ed25519.PRIVATE_KEY_SIZE) {
+            throw new core.GeneralError(Ed25519._CLASS_NAME, "privateKeyLength", {
+                requiredSize: Ed25519.PRIVATE_KEY_SIZE,
+                actualSize: privateKey.length
+            });
+        }
+        // crypto.subtle.importKey does not support Ed25519 keys in raw format.
+        // We need to convert the key to PKCS8 format before importing.
+        // The PKCS8 format is the raw key prefixed with the ASN.1 sequence for an Ed25519 private key.
+        // The ASN.1 sequence is 48 46 02 01 00 30 05 06 03 2b 65 70 04 20 04 20 (0x302e020100300506032b657004220420)
+        const pkcs8Prefix = new Uint8Array([48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 112, 4, 34, 4, 32]);
+        const fullKey = core.Uint8ArrayHelper.concat([pkcs8Prefix, privateKey]);
+        return crypto.subtle.importKey("pkcs8", fullKey, "Ed25519", true, ["sign"]);
+    }
+    /**
+     * Convert a crypto key to raw private key.
+     * @param cryptoKey The crypto key to convert.
+     * @returns The raw private key.
+     */
+    static async pkcs8ToPrivateKey(cryptoKey) {
+        core.Guards.defined(Ed25519._CLASS_NAME, "cryptoKey", cryptoKey);
+        // crypto.subtle.exportKey does not support Ed25519 keys in raw format.
+        // so we export as PKCS8 and remove the ASN.1 sequence prefix.
+        const pkcs8Bytes = await crypto.subtle.exportKey("pkcs8", cryptoKey);
+        return new Uint8Array(pkcs8Bytes.slice(16));
+    }
 }
 
 // Copyright 2024 IOTA Stiftung.
@@ -592,6 +626,24 @@ class Bip44 {
     static basePath(coinType) {
         return `m/44'/${coinType}'`;
     }
+    /**
+     * Generate an address from the seed and parts.
+     * @param seed The account seed.
+     * @param keyType The key type.
+     * @param coinType The coin type.
+     * @param accountIndex The account index.
+     * @param isInternal Is this an internal address.
+     * @param addressIndex The address index.
+     * @returns The generated path and the associated keypair.
+     */
+    static address(seed, keyType, coinType, accountIndex, isInternal, addressIndex) {
+        const keyPair = Bip44.keyPair(seed, keyType, coinType, accountIndex, isInternal, addressIndex);
+        const addressData = Blake2b.sum256(keyPair.publicKey);
+        return {
+            address: core.Converter.bytesToHex(addressData, true),
+            ...keyPair
+        };
+    }
     /**
      * Generate a bech32 address from the seed and parts.
      * @param seed The account seed.
@@ -666,8 +718,215 @@ class ChaCha20Poly1305 {
 // Copyright 2024 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
 /**
- * This is a TypeScript port of https://github.com/katzenpost/core/blob/master/crypto/extra25519/extra25519.go.
+ * Implementation of the RSA cipher.
  */
+class RSA {
+    /**
+     * Runtime name for the class.
+     * @internal
+     */
+    static _CLASS_NAME = "RSA";
+    /**
+     * The public key for encryption.
+     * @internal
+     */
+    _publicKey;
+    /**
+     * The private key for decryption.
+     * @internal
+     */
+    _privateKey;
+    /**
+     * The block size for encryption.
+     * @internal
+     */
+    _blockSize;
+    /**
+     * The key size for decryption.
+     * @internal
+     */
+    _keySize;
+    /**
+     * Create a new instance of RSA.
+     * @param publicKey The public key for encryption (DER format as Uint8Array).
+     * @param privateKey The private key for decryption (DER format as Uint8Array).
+     */
+    constructor(publicKey, privateKey) {
+        core.Guards.uint8Array(RSA._CLASS_NAME, "publicKey", publicKey);
+        this._publicKey = node_crypto.createPublicKey({
+            key: Buffer.from(publicKey),
+            format: "der",
+            type: "spki"
+        });
+        if (!core.Is.empty(privateKey)) {
+            this._privateKey = node_crypto.createPrivateKey({
+                key: Buffer.from(privateKey),
+                format: "der",
+                type: "pkcs8"
+            });
+        }
+        // Get modulus length in bits from key details
+        const modulusLengthBits = this._publicKey.asymmetricKeyDetails?.modulusLength;
+        if (core.Is.empty(modulusLengthBits)) {
+            throw new core.GeneralError(RSA._CLASS_NAME, "invalidKeySize");
+        }
+        // Convert bits to bytes
+        this._keySize = Math.ceil(modulusLengthBits / 8);
+        // Calculate block size for OAEP with SHA-256
+        // Formula: keySize - 2 * hashLength - 2
+        const hashLength = 32; // SHA-256 = 32 bytes
+        // eslint-disable-next-line no-mixed-operators
+        this._blockSize = this._keySize - 2 * hashLength - 2;
+    }
+    /**
+     * Generate a new RSA key pair in PKCS8 format.
+     * @param modulusLength The key size in bits (default: 2048).
+     * @returns The public and private keys as Uint8Array.
+     */
+    static generateKeyPair(modulusLength = 2048) {
+        const { publicKey, privateKey } = node_crypto.generateKeyPairSync("rsa", {
+            modulusLength,
+            publicKeyEncoding: {
+                type: "spki",
+                format: "der"
+            },
+            privateKeyEncoding: {
+                type: "pkcs8",
+                format: "der"
+            }
+        });
+        return {
+            publicKey: new Uint8Array(publicKey),
+            privateKey: new Uint8Array(privateKey)
+        };
+    }
+    /**
+     * Convert a PKCS1 key to a PKCS8 key.
+     * @param pkcs1Key The PKCS1 key as Uint8Array.
+     * @returns The PKCS8 key as Uint8Array.
+     */
+    static convertPkcs1ToPkcs8(pkcs1Key) {
+        core.Guards.uint8Array(RSA._CLASS_NAME, "pkcs1Key", pkcs1Key);
+        const privateKey = node_crypto.createPrivateKey({
+            key: Buffer.from(pkcs1Key),
+            format: "der",
+            type: "pkcs1"
+        });
+        return new Uint8Array(privateKey.export({
+            format: "der",
+            type: "pkcs8"
+        }));
+    }
+    /**
+     * Break the private key down in to its components.
+     * @param pkcs8Key The PKCS8 key as Uint8Array.
+     * @returns The key components.
+     */
+    static getPrivateKeyComponents(pkcs8Key) {
+        core.Guards.uint8Array(RSA._CLASS_NAME, "pkcs8Key", pkcs8Key);
+        const privateKey = node_crypto.createPrivateKey({
+            key: Buffer.from(pkcs8Key),
+            format: "der",
+            type: "pkcs8"
+        });
+        const jwk = privateKey.export({ format: "jwk" });
+        return {
+            n: this.base64UrlToBigInt(jwk.n),
+            e: this.base64UrlToBigInt(jwk.e),
+            d: this.base64UrlToBigInt(jwk.d),
+            p: this.base64UrlToBigInt(jwk.p),
+            q: this.base64UrlToBigInt(jwk.q),
+            dp: this.base64UrlToBigInt(jwk.dp),
+            dq: this.base64UrlToBigInt(jwk.dq),
+            qi: this.base64UrlToBigInt(jwk.qi)
+        };
+    }
+    /**
+     * Break the public key down in to its components.
+     * @param spkiKey The SPKI key as Uint8Array.
+     * @returns The key components.
+     */
+    static getPublicKeyComponents(spkiKey) {
+        core.Guards.uint8Array(RSA._CLASS_NAME, "spkiKey", spkiKey);
+        const publicKey = node_crypto.createPublicKey({
+            key: Buffer.from(spkiKey),
+            format: "der",
+            type: "spki"
+        });
+        const jwk = publicKey.export({ format: "jwk" });
+        return {
+            n: this.base64UrlToBigInt(jwk.n),
+            e: this.base64UrlToBigInt(jwk.e)
+        };
+    }
+    /**
+     * Convert base64 encoded data to a big int.
+     * @param bytes The bytes to convert.
+     * @returns The bigint representation of the bytes.
+     * @internal
+     */
+    static base64UrlToBigInt(base64Url) {
+        if (core.Is.empty(base64Url)) {
+            return BigInt(0);
+        }
+        const bytes = core.Converter.base64UrlToBytes(base64Url);
+        const hexString = Array.from(bytes)
+            .map(byte => byte.toString(16).padStart(2, "0"))
+            .join("");
+        return BigInt(`0x${hexString}`);
+    }
+    /**
+     * Encrypt the data.
+     * @param data The data to encrypt.
+     * @returns The data encrypted.
+     */
+    encrypt(data) {
+        core.Guards.uint8Array(RSA._CLASS_NAME, "data", data);
+        if (data.length === 0) {
+            return new Uint8Array(0);
+        }
+        const blocks = [];
+        // Split data into blocks of block size
+        for (let i = 0; i < data.length; i += this._blockSize) {
+            const block = data.slice(i, i + this._blockSize);
+            const encryptedBlock = node_crypto.publicEncrypt({
+                key: this._publicKey,
+                padding: node_crypto.constants.RSA_PKCS1_OAEP_PADDING
+            }, block);
+            blocks.push(encryptedBlock);
+        }
+        return core.Uint8ArrayHelper.concat(blocks);
+    }
+    /**
+     * Decrypt the data.
+     * @param data The data to decrypt.
+     * @returns The data decrypted.
+     * @throws GeneralError If no private key is provided.
+     */
+    decrypt(data) {
+        core.Guards.uint8Array(RSA._CLASS_NAME, "data", data);
+        if (core.Is.empty(this._privateKey)) {
+            throw new core.GeneralError(RSA._CLASS_NAME, "noPrivateKey");
+        }
+        if (data.length === 0) {
+            return new Uint8Array(0);
+        }
+        const blocks = [];
+        // Split encrypted data into blocks of key size
+        for (let i = 0; i < data.length; i += this._keySize) {
+            const block = data.slice(i, i + this._keySize);
+            const decryptedBlock = node_crypto.privateDecrypt({
+                key: this._privateKey,
+                padding: node_crypto.constants.RSA_PKCS1_OAEP_PADDING
+            }, block);
+            blocks.push(decryptedBlock);
+        }
+        return core.Uint8ArrayHelper.concat(blocks);
+    }
+}
+
+// Copyright 2024 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
 /**
  * Implementation of X25519.
  */
@@ -1475,6 +1734,48 @@ class Sha512 {
     }
 }
 
+// Copyright 2024 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+/**
+ * Helper class for working with PEM (Privacy-Enhanced Mail) formatted data.
+ */
+class PemHelper {
+    /**
+     * Runtime name for the class.
+     * @internal
+     */
+    static _CLASS_NAME = "PemHelper";
+    /**
+     * Strip the PEM content of its headers, footers, and newlines.
+     * @param pemContent The PEM content to strip.
+     * @returns The stripped PEM content in bas64 format.
+     */
+    static stripPemMarkers(pemContent) {
+        core.Guards.string(PemHelper._CLASS_NAME, "pemContent", pemContent);
+        return pemContent
+            .replace(/-----BEGIN.*-----/, "")
+            .replace(/-----END.*-----/, "")
+            .replace(/\n/g, "")
+            .trim();
+    }
+    /**
+     * Format the PEM content to have a specific line length.
+     * @param marker The marker for the PEM content, e.g. RSA PRIVATE KEY
+     * @param base64Content The base64 content to format.
+     * @param lineLength The length of each line in the PEM content, default is 64 characters.
+     * @returns The formatted PEM content.
+     */
+    static formatPem(marker, base64Content, lineLength = 64) {
+        core.Guards.stringValue(PemHelper._CLASS_NAME, "marker", marker);
+        core.Guards.stringBase64(PemHelper._CLASS_NAME, "base64Content", base64Content);
+        const lines = [];
+        for (let i = 0; i < base64Content.length; i += lineLength) {
+            lines.push(base64Content.slice(i, i + lineLength));
+        }
+        return [`-----BEGIN ${marker}-----`, ...lines, `-----END ${marker}-----`].join("\n");
+    }
+}
+
 // Copyright 2024 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
 /**
@@ -1761,6 +2062,8 @@ exports.KeyType = KeyType;
 exports.PasswordGenerator = PasswordGenerator;
 exports.PasswordValidator = PasswordValidator;
 exports.Pbkdf2 = Pbkdf2;
+exports.PemHelper = PemHelper;
+exports.RSA = RSA;
 exports.Secp256k1 = Secp256k1;
 exports.Sha1 = Sha1;
 exports.Sha256 = Sha256;

package/dist/esm/index.mjs

@@ -1,11 +1,12 @@
 import { bech32 } from '@scure/base';
-import { Guards, BaseError, GeneralError, Is, Converter, GuardError, Base32, RandomHelper, Validation } from '@twin.org/core';
+import { Guards, BaseError, GeneralError, Is, Uint8ArrayHelper, Converter, GuardError, Base32, RandomHelper, Validation } from '@twin.org/core';
 import { ed25519, edwardsToMontgomeryPriv, edwardsToMontgomeryPub } from '@noble/curves/ed25519';
 import { secp256k1 } from '@noble/curves/secp256k1';
 import { blake2b } from '@noble/hashes/blake2b';
 import { HDKey as HDKey$1 } from '@scure/bip32';
 import { HDKey } from 'micro-key-producer/slip10.js';
 import { chacha20poly1305 } from '@noble/ciphers/chacha';
+import { createPublicKey, createPrivateKey, generateKeyPairSync, publicEncrypt, constants, privateDecrypt } from 'node:crypto';
 import { blake3 } from '@noble/hashes/blake3';
 import { hmac } from '@noble/hashes/hmac';
 import { sha1 } from '@noble/hashes/sha1';
@@ -166,6 +167,39 @@ class Ed25519 {
             return false;
         }
     }
+    /**
+     * Convert a private key in PKCS8 format.
+     * @param privateKey The private key to convert.
+     * @returns The private key in PKCS8 format.
+     */
+    static async privateKeyToPkcs8(privateKey) {
+        Guards.uint8Array(Ed25519._CLASS_NAME, "privateKey", privateKey);
+        if (privateKey.length !== Ed25519.PRIVATE_KEY_SIZE) {
+            throw new GeneralError(Ed25519._CLASS_NAME, "privateKeyLength", {
+                requiredSize: Ed25519.PRIVATE_KEY_SIZE,
+                actualSize: privateKey.length
+            });
+        }
+        // crypto.subtle.importKey does not support Ed25519 keys in raw format.
+        // We need to convert the key to PKCS8 format before importing.
+        // The PKCS8 format is the raw key prefixed with the ASN.1 sequence for an Ed25519 private key.
+        // The ASN.1 sequence is 48 46 02 01 00 30 05 06 03 2b 65 70 04 20 04 20 (0x302e020100300506032b657004220420)
+        const pkcs8Prefix = new Uint8Array([48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 112, 4, 34, 4, 32]);
+        const fullKey = Uint8ArrayHelper.concat([pkcs8Prefix, privateKey]);
+        return crypto.subtle.importKey("pkcs8", fullKey, "Ed25519", true, ["sign"]);
+    }
+    /**
+     * Convert a crypto key to raw private key.
+     * @param cryptoKey The crypto key to convert.
+     * @returns The raw private key.
+     */
+    static async pkcs8ToPrivateKey(cryptoKey) {
+        Guards.defined(Ed25519._CLASS_NAME, "cryptoKey", cryptoKey);
+        // crypto.subtle.exportKey does not support Ed25519 keys in raw format.
+        // so we export as PKCS8 and remove the ASN.1 sequence prefix.
+        const pkcs8Bytes = await crypto.subtle.exportKey("pkcs8", cryptoKey);
+        return new Uint8Array(pkcs8Bytes.slice(16));
+    }
 }
 
 // Copyright 2024 IOTA Stiftung.
@@ -570,6 +604,24 @@ class Bip44 {
     static basePath(coinType) {
         return `m/44'/${coinType}'`;
     }
+    /**
+     * Generate an address from the seed and parts.
+     * @param seed The account seed.
+     * @param keyType The key type.
+     * @param coinType The coin type.
+     * @param accountIndex The account index.
+     * @param isInternal Is this an internal address.
+     * @param addressIndex The address index.
+     * @returns The generated path and the associated keypair.
+     */
+    static address(seed, keyType, coinType, accountIndex, isInternal, addressIndex) {
+        const keyPair = Bip44.keyPair(seed, keyType, coinType, accountIndex, isInternal, addressIndex);
+        const addressData = Blake2b.sum256(keyPair.publicKey);
+        return {
+            address: Converter.bytesToHex(addressData, true),
+            ...keyPair
+        };
+    }
     /**
      * Generate a bech32 address from the seed and parts.
      * @param seed The account seed.
@@ -644,8 +696,215 @@ class ChaCha20Poly1305 {
 // Copyright 2024 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
 /**
- * This is a TypeScript port of https://github.com/katzenpost/core/blob/master/crypto/extra25519/extra25519.go.
+ * Implementation of the RSA cipher.
  */
+class RSA {
+    /**
+     * Runtime name for the class.
+     * @internal
+     */
+    static _CLASS_NAME = "RSA";
+    /**
+     * The public key for encryption.
+     * @internal
+     */
+    _publicKey;
+    /**
+     * The private key for decryption.
+     * @internal
+     */
+    _privateKey;
+    /**
+     * The block size for encryption.
+     * @internal
+     */
+    _blockSize;
+    /**
+     * The key size for decryption.
+     * @internal
+     */
+    _keySize;
+    /**
+     * Create a new instance of RSA.
+     * @param publicKey The public key for encryption (DER format as Uint8Array).
+     * @param privateKey The private key for decryption (DER format as Uint8Array).
+     */
+    constructor(publicKey, privateKey) {
+        Guards.uint8Array(RSA._CLASS_NAME, "publicKey", publicKey);
+        this._publicKey = createPublicKey({
+            key: Buffer.from(publicKey),
+            format: "der",
+            type: "spki"
+        });
+        if (!Is.empty(privateKey)) {
+            this._privateKey = createPrivateKey({
+                key: Buffer.from(privateKey),
+                format: "der",
+                type: "pkcs8"
+            });
+        }
+        // Get modulus length in bits from key details
+        const modulusLengthBits = this._publicKey.asymmetricKeyDetails?.modulusLength;
+        if (Is.empty(modulusLengthBits)) {
+            throw new GeneralError(RSA._CLASS_NAME, "invalidKeySize");
+        }
+        // Convert bits to bytes
+        this._keySize = Math.ceil(modulusLengthBits / 8);
+        // Calculate block size for OAEP with SHA-256
+        // Formula: keySize - 2 * hashLength - 2
+        const hashLength = 32; // SHA-256 = 32 bytes
+        // eslint-disable-next-line no-mixed-operators
+        this._blockSize = this._keySize - 2 * hashLength - 2;
+    }
+    /**
+     * Generate a new RSA key pair in PKCS8 format.
+     * @param modulusLength The key size in bits (default: 2048).
+     * @returns The public and private keys as Uint8Array.
+     */
+    static generateKeyPair(modulusLength = 2048) {
+        const { publicKey, privateKey } = generateKeyPairSync("rsa", {
+            modulusLength,
+            publicKeyEncoding: {
+                type: "spki",
+                format: "der"
+            },
+            privateKeyEncoding: {
+                type: "pkcs8",
+                format: "der"
+            }
+        });
+        return {
+            publicKey: new Uint8Array(publicKey),
+            privateKey: new Uint8Array(privateKey)
+        };
+    }
+    /**
+     * Convert a PKCS1 key to a PKCS8 key.
+     * @param pkcs1Key The PKCS1 key as Uint8Array.
+     * @returns The PKCS8 key as Uint8Array.
+     */
+    static convertPkcs1ToPkcs8(pkcs1Key) {
+        Guards.uint8Array(RSA._CLASS_NAME, "pkcs1Key", pkcs1Key);
+        const privateKey = createPrivateKey({
+            key: Buffer.from(pkcs1Key),
+            format: "der",
+            type: "pkcs1"
+        });
+        return new Uint8Array(privateKey.export({
+            format: "der",
+            type: "pkcs8"
+        }));
+    }
+    /**
+     * Break the private key down in to its components.
+     * @param pkcs8Key The PKCS8 key as Uint8Array.
+     * @returns The key components.
+     */
+    static getPrivateKeyComponents(pkcs8Key) {
+        Guards.uint8Array(RSA._CLASS_NAME, "pkcs8Key", pkcs8Key);
+        const privateKey = createPrivateKey({
+            key: Buffer.from(pkcs8Key),
+            format: "der",
+            type: "pkcs8"
+        });
+        const jwk = privateKey.export({ format: "jwk" });
+        return {
+            n: this.base64UrlToBigInt(jwk.n),
+            e: this.base64UrlToBigInt(jwk.e),
+            d: this.base64UrlToBigInt(jwk.d),
+            p: this.base64UrlToBigInt(jwk.p),
+            q: this.base64UrlToBigInt(jwk.q),
+            dp: this.base64UrlToBigInt(jwk.dp),
+            dq: this.base64UrlToBigInt(jwk.dq),
+            qi: this.base64UrlToBigInt(jwk.qi)
+        };
+    }
+    /**
+     * Break the public key down in to its components.
+     * @param spkiKey The SPKI key as Uint8Array.
+     * @returns The key components.
+     */
+    static getPublicKeyComponents(spkiKey) {
+        Guards.uint8Array(RSA._CLASS_NAME, "spkiKey", spkiKey);
+        const publicKey = createPublicKey({
+            key: Buffer.from(spkiKey),
+            format: "der",
+            type: "spki"
+        });
+        const jwk = publicKey.export({ format: "jwk" });
+        return {
+            n: this.base64UrlToBigInt(jwk.n),
+            e: this.base64UrlToBigInt(jwk.e)
+        };
+    }
+    /**
+     * Convert base64 encoded data to a big int.
+     * @param bytes The bytes to convert.
+     * @returns The bigint representation of the bytes.
+     * @internal
+     */
+    static base64UrlToBigInt(base64Url) {
+        if (Is.empty(base64Url)) {
+            return BigInt(0);
+        }
+        const bytes = Converter.base64UrlToBytes(base64Url);
+        const hexString = Array.from(bytes)
+            .map(byte => byte.toString(16).padStart(2, "0"))
+            .join("");
+        return BigInt(`0x${hexString}`);
+    }
+    /**
+     * Encrypt the data.
+     * @param data The data to encrypt.
+     * @returns The data encrypted.
+     */
+    encrypt(data) {
+        Guards.uint8Array(RSA._CLASS_NAME, "data", data);
+        if (data.length === 0) {
+            return new Uint8Array(0);
+        }
+        const blocks = [];
+        // Split data into blocks of block size
+        for (let i = 0; i < data.length; i += this._blockSize) {
+            const block = data.slice(i, i + this._blockSize);
+            const encryptedBlock = publicEncrypt({
+                key: this._publicKey,
+                padding: constants.RSA_PKCS1_OAEP_PADDING
+            }, block);
+            blocks.push(encryptedBlock);
+        }
+        return Uint8ArrayHelper.concat(blocks);
+    }
+    /**
+     * Decrypt the data.
+     * @param data The data to decrypt.
+     * @returns The data decrypted.
+     * @throws GeneralError If no private key is provided.
+     */
+    decrypt(data) {
+        Guards.uint8Array(RSA._CLASS_NAME, "data", data);
+        if (Is.empty(this._privateKey)) {
+            throw new GeneralError(RSA._CLASS_NAME, "noPrivateKey");
+        }
+        if (data.length === 0) {
+            return new Uint8Array(0);
+        }
+        const blocks = [];
+        // Split encrypted data into blocks of key size
+        for (let i = 0; i < data.length; i += this._keySize) {
+            const block = data.slice(i, i + this._keySize);
+            const decryptedBlock = privateDecrypt({
+                key: this._privateKey,
+                padding: constants.RSA_PKCS1_OAEP_PADDING
+            }, block);
+            blocks.push(decryptedBlock);
+        }
+        return Uint8ArrayHelper.concat(blocks);
+    }
+}
+
+// Copyright 2024 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
 /**
  * Implementation of X25519.
  */
@@ -1453,6 +1712,48 @@ class Sha512 {
     }
 }
 
+// Copyright 2024 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+/**
+ * Helper class for working with PEM (Privacy-Enhanced Mail) formatted data.
+ */
+class PemHelper {
+    /**
+     * Runtime name for the class.
+     * @internal
+     */
+    static _CLASS_NAME = "PemHelper";
+    /**
+     * Strip the PEM content of its headers, footers, and newlines.
+     * @param pemContent The PEM content to strip.
+     * @returns The stripped PEM content in bas64 format.
+     */
+    static stripPemMarkers(pemContent) {
+        Guards.string(PemHelper._CLASS_NAME, "pemContent", pemContent);
+        return pemContent
+            .replace(/-----BEGIN.*-----/, "")
+            .replace(/-----END.*-----/, "")
+            .replace(/\n/g, "")
+            .trim();
+    }
+    /**
+     * Format the PEM content to have a specific line length.
+     * @param marker The marker for the PEM content, e.g. RSA PRIVATE KEY
+     * @param base64Content The base64 content to format.
+     * @param lineLength The length of each line in the PEM content, default is 64 characters.
+     * @returns The formatted PEM content.
+     */
+    static formatPem(marker, base64Content, lineLength = 64) {
+        Guards.stringValue(PemHelper._CLASS_NAME, "marker", marker);
+        Guards.stringBase64(PemHelper._CLASS_NAME, "base64Content", base64Content);
+        const lines = [];
+        for (let i = 0; i < base64Content.length; i += lineLength) {
+            lines.push(base64Content.slice(i, i + lineLength));
+        }
+        return [`-----BEGIN ${marker}-----`, ...lines, `-----END ${marker}-----`].join("\n");
+    }
+}
+
 // Copyright 2024 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
 /**
@@ -1723,4 +2024,4 @@ class PasswordValidator {
     }
 }
 
-export { Bech32, Bip32Path, Bip39, Bip44, Blake2b, Blake3, ChaCha20Poly1305, Ed25519, HmacSha1, HmacSha256, HmacSha512, Hotp, KeyType, PasswordGenerator, PasswordValidator, Pbkdf2, Secp256k1, Sha1, Sha256, Sha3, Sha512, Slip0010, Totp, X25519, Zip215 };
+export { Bech32, Bip32Path, Bip39, Bip44, Blake2b, Blake3, ChaCha20Poly1305, Ed25519, HmacSha1, HmacSha256, HmacSha512, Hotp, KeyType, PasswordGenerator, PasswordValidator, Pbkdf2, PemHelper, RSA, Secp256k1, Sha1, Sha256, Sha3, Sha512, Slip0010, Totp, X25519, Zip215 };