node-rtc-connection 1.0.19 → 2.0.4

package/dist/types/crypto/der.d.ts

@@ -0,0 +1,107 @@
+/**
+ * @file der.ts
+ * @description Minimal ASN.1 DER encoder/decoder for X.509 certificate generation.
+ * @module crypto/der
+ *
+ * Implements just enough of ITU-T X.690 DER to build and read the structures
+ * WebRTC needs: self-signed ECDSA certificates and SubjectPublicKeyInfo.
+ *
+ * All encoders return Buffers. The TLV length is always encoded in the
+ * minimal (definite, shortest-form) representation required by DER.
+ */
+export declare const TAG: Readonly<{
+    BOOLEAN: 1;
+    INTEGER: 2;
+    BIT_STRING: 3;
+    OCTET_STRING: 4;
+    NULL: 5;
+    OID: 6;
+    UTF8_STRING: 12;
+    PRINTABLE_STRING: 19;
+    IA5_STRING: 22;
+    UTC_TIME: 23;
+    GENERALIZED_TIME: 24;
+    SEQUENCE: 48;
+    SET: 49;
+}>;
+/**
+ * Encode a DER length in definite, shortest form.
+ * @param {number} len
+ * @returns {Buffer}
+ */
+export declare function encodeLength(len: number): Buffer;
+/**
+ * Wrap a body in a TLV with the given tag.
+ * @param {number} tag
+ * @param {Buffer} body
+ * @returns {Buffer}
+ */
+export declare function tlv(tag: number, body: Buffer): Buffer;
+/**
+ * Encode an unsigned big-endian integer (from a Buffer) as a DER INTEGER,
+ * adding a leading 0x00 when the high bit is set so it stays positive.
+ * @param {Buffer} buf - Big-endian magnitude.
+ * @returns {Buffer}
+ */
+export declare function encodeIntegerFromBuffer(buf: Buffer): Buffer;
+/**
+ * Encode a small non-negative JS integer as a DER INTEGER.
+ * @param {number} value
+ * @returns {Buffer}
+ */
+export declare function encodeInteger(value: number): Buffer;
+/**
+ * Encode an OBJECT IDENTIFIER from its dotted-decimal string.
+ * @param {string} oid - e.g. "1.2.840.10045.2.1"
+ * @returns {Buffer}
+ */
+export declare function encodeOID(oid: string): Buffer;
+/**
+ * Encode a BIT STRING with zero unused bits.
+ * @param {Buffer} data
+ * @returns {Buffer}
+ */
+export declare function encodeBitString(data: Buffer): Buffer;
+/**
+ * Encode an OCTET STRING.
+ * @param {Buffer} data
+ * @returns {Buffer}
+ */
+export declare function encodeOctetString(data: Buffer): Buffer;
+/**
+ * Encode a SEQUENCE from already-encoded components.
+ * @param {Buffer[]} components
+ * @returns {Buffer}
+ */
+export declare function encodeSequence(components: Buffer[]): Buffer;
+/**
+ * Encode a SET from already-encoded components.
+ * @param {Buffer[]} components
+ * @returns {Buffer}
+ */
+export declare function encodeSet(components: Buffer[]): Buffer;
+/**
+ * Encode NULL.
+ * @returns {Buffer}
+ */
+export declare function encodeNull(): Buffer;
+/**
+ * Encode a UTF8String.
+ * @param {string} str
+ * @returns {Buffer}
+ */
+export declare function encodeUTF8String(str: string): Buffer;
+/**
+ * Encode a context-specific [n] explicit wrapper (constructed).
+ * @param {number} n - context tag number
+ * @param {Buffer} body
+ * @returns {Buffer}
+ */
+export declare function encodeExplicit(n: number, body: Buffer): Buffer;
+/**
+ * Encode an X.509 time. Uses UTCTime for years < 2050, else GeneralizedTime,
+ * per RFC 5280 §4.1.2.5.
+ * @param {Date} date
+ * @returns {Buffer}
+ */
+export declare function encodeTime(date: Date): Buffer;

package/dist/types/crypto/x509.d.ts

@@ -0,0 +1,56 @@
+/**
+ * @file x509.ts
+ * @description Self-signed X.509 v3 certificate generation for WebRTC DTLS.
+ * @module crypto/x509
+ *
+ * WebRTC peers authenticate by self-signed certificate. The SDP carries
+ * a=fingerprint as the hash of the DER-encoded certificate (RFC 8122), which
+ * the peer verifies against the certificate presented during the DTLS
+ * handshake. Node has no certificate builder, so we assemble a minimal but
+ * spec-valid ECDSA P-256 / ecdsa-with-SHA256 certificate by hand.
+ */
+import * as crypto from 'crypto';
+/**
+ * Options for {@link generateSelfSigned}.
+ */
+export interface GenerateSelfSignedOptions {
+    /** CN; WebRTC uses a random value. */
+    commonName?: string;
+    /** Validity period in days. */
+    days?: number;
+    /** Override start time (default: now - 1 day). */
+    notBefore?: Date;
+}
+/**
+ * Result of {@link generateSelfSigned}.
+ */
+export interface SelfSignedCertificate {
+    /** DER-encoded certificate. */
+    certDer: Buffer;
+    privateKey: crypto.KeyObject;
+    publicKey: crypto.KeyObject;
+    notBefore: Date;
+    notAfter: Date;
+}
+export declare const OID: Readonly<{
+    ecPublicKey: "1.2.840.10045.2.1";
+    prime256v1: "1.2.840.10045.3.1.7";
+    ecdsaWithSHA256: "1.2.840.10045.4.3.2";
+    commonName: "2.5.4.3";
+}>;
+/**
+ * Generate a self-signed ECDSA P-256 certificate.
+ *
+ * @param {GenerateSelfSignedOptions} [options]
+ * @returns {SelfSignedCertificate}
+ */
+export declare function generateSelfSigned(options?: GenerateSelfSignedOptions): SelfSignedCertificate;
+/**
+ * Compute the certificate fingerprint as used in SDP a=fingerprint (RFC 8122):
+ * hash over the DER-encoded certificate, uppercase hex, colon-separated.
+ *
+ * @param {Buffer} certDer
+ * @param {string} [algorithm='sha-256'] - 'sha-256' | 'sha-384' | 'sha-512'
+ * @returns {string}
+ */
+export declare function fingerprint(certDer: Buffer, algorithm?: string): string;

package/dist/types/datachannel/RTCDataChannel.d.ts

@@ -0,0 +1,179 @@
+/**
+ * @file RTCDataChannel.ts
+ * @description WebRTC DataChannel implementation for peer-to-peer data transfer.
+ * @module datachannel/RTCDataChannel
+ *
+ * Implements the W3C RTCDataChannel interface
+ * (https://www.w3.org/TR/webrtc/#rtcdatachannel).
+ */
+import { EventEmitter } from 'events';
+/**
+ * RTCDataChannelState - Current state of the data channel
+ * @readonly
+ * @enum {string}
+ */
+export declare const RTCDataChannelState: Readonly<{
+    CONNECTING: "connecting";
+    OPEN: "open";
+    CLOSING: "closing";
+    CLOSED: "closed";
+}>;
+type RTCDataChannelReadyState = 'connecting' | 'open' | 'closing' | 'closed';
+type RTCDataChannelBinaryType = 'arraybuffer' | 'blob';
+/**
+ * Package-internal events that wire an RTCDataChannel to the SCTP transport.
+ * They are keyed by Symbol so they never collide with — or leak into — the
+ * public event surface ('open'/'message'/'close'/'error'/'bufferedamountlow').
+ * The SCTP data-channel manager and the channel communicate purely by emitting
+ * these on the channel's own EventEmitter:
+ *
+ *   - SEND    channel → transport: outbound frame `(data: Buffer, isBinary: boolean)`
+ *   - RECEIVE transport → channel: inbound frame  `(data: Buffer, isBinary: boolean)`
+ *   - OPEN    transport → channel: transition the channel to 'open'
+ *   - SET_ID  transport → channel: assign the SCTP stream id `(id: number)`
+ */
+export declare const RTCDataChannelEvents: Readonly<{
+    SEND: symbol;
+    RECEIVE: symbol;
+    OPEN: symbol;
+    SET_ID: symbol;
+}>;
+/**
+ * RTCDataChannelInit - Configuration for creating a data channel
+ * @typedef {Object} RTCDataChannelInit
+ * @property {boolean} [ordered=true] - Whether messages must arrive in order
+ * @property {number} [maxPacketLifeTime] - Maximum packet lifetime in milliseconds
+ * @property {number} [maxRetransmits] - Maximum number of retransmissions
+ * @property {string} [protocol=''] - Subprotocol name
+ * @property {boolean} [negotiated=false] - Whether channel was negotiated out-of-band
+ * @property {number} [id] - Channel ID (required if negotiated is true)
+ */
+export interface RTCDataChannelInit {
+    ordered?: boolean;
+    maxPacketLifeTime?: number;
+    maxRetransmits?: number;
+    protocol?: string;
+    negotiated?: boolean;
+    id?: number;
+}
+/**
+ * @class RTCDataChannel
+ * @extends EventEmitter
+ * @description Represents a bidirectional data channel between peers.
+ * Provides reliable or unreliable data transfer with configurable ordering.
+ *
+ * Events:
+ * - 'open': Fired when the channel opens
+ * - 'message': Fired when a message is received
+ * - 'bufferedamountlow': Fired when bufferedAmount drops below threshold
+ * - 'error': Fired when an error occurs
+ * - 'closing': Fired when the channel is closing
+ * - 'close': Fired when the channel closes
+ *
+ * @example
+ * const dataChannel = peerConnection.createDataChannel('myChannel', {
+ *   ordered: true,
+ *   maxRetransmits: 3
+ * });
+ *
+ * dataChannel.on('open', () => {
+ *   console.log('Channel opened');
+ *   dataChannel.send('Hello!');
+ * });
+ *
+ * dataChannel.on('message', (event) => {
+ *   console.log('Received:', event.data);
+ * });
+ */
+export declare class RTCDataChannel extends EventEmitter {
+    #private;
+    /**
+     * Create an RTCDataChannel instance.
+     * @param {string} label - Channel label
+     * @param {RTCDataChannelInit} [init] - Channel configuration
+     */
+    constructor(label: string, init?: RTCDataChannelInit);
+    /**
+     * Get the channel label.
+     * @returns {string} Channel label
+     */
+    get label(): string;
+    /**
+     * Check if messages are delivered in order.
+     * @returns {boolean} True if ordered
+     */
+    get ordered(): boolean;
+    /**
+     * Get the maximum packet lifetime in milliseconds.
+     * @returns {number|null} Maximum lifetime or null if not set
+     */
+    get maxPacketLifeTime(): number | null;
+    /**
+     * Get the maximum number of retransmissions.
+     * @returns {number|null} Maximum retransmits or null if not set
+     */
+    get maxRetransmits(): number | null;
+    /**
+     * Get the subprotocol name.
+     * @returns {string} Protocol name
+     */
+    get protocol(): string;
+    /**
+     * Check if the channel was negotiated out-of-band.
+     * @returns {boolean} True if negotiated
+     */
+    get negotiated(): boolean;
+    /**
+     * Get the channel ID.
+     * @returns {number|null} Channel ID or null if not assigned
+     */
+    get id(): number | null;
+    /**
+     * Get the current state of the channel.
+     * @returns {string} Channel state
+     */
+    get readyState(): RTCDataChannelReadyState;
+    /**
+     * Get the number of bytes queued to send.
+     * @returns {number} Buffered amount in bytes
+     */
+    get bufferedAmount(): number;
+    /**
+     * Get the threshold for bufferedamountlow event.
+     * @returns {number} Threshold in bytes
+     */
+    get bufferedAmountLowThreshold(): number;
+    /**
+     * Set the threshold for bufferedamountlow event.
+     * @param {number} value - Threshold in bytes
+     */
+    set bufferedAmountLowThreshold(value: number);
+    /**
+     * Get the binary data type.
+     * @returns {string} 'arraybuffer' or 'blob'
+     */
+    get binaryType(): RTCDataChannelBinaryType;
+    /**
+     * Set the binary data type.
+     * @param {string} value - 'arraybuffer' or 'blob'
+     * @throws {TypeError} If value is invalid
+     */
+    set binaryType(value: RTCDataChannelBinaryType);
+    /**
+     * Check if the channel is reliable (deprecated).
+     * @returns {boolean} True if ordered and no packet lifetime/retransmit limits
+     * @deprecated Use ordered, maxPacketLifeTime, and maxRetransmits instead
+     */
+    get reliable(): boolean;
+    /**
+     * Send a message through the channel.
+     * @param {string|ArrayBuffer|ArrayBufferView|Blob} data - Data to send
+     * @throws {Error} If channel is not open or data is invalid
+     */
+    send(data: string | ArrayBuffer | ArrayBufferView | Buffer): void;
+    /**
+     * Close the data channel.
+     */
+    close(): void;
+}
+export {};

package/dist/types/dtls/RTCCertificate.d.ts

@@ -0,0 +1,163 @@
+/**
+ * @file RTCCertificate.ts
+ * @description DTLS certificate implementation for WebRTC.
+ * @module dtls/RTCCertificate
+ *
+ * Implements the W3C RTCCertificate interface
+ * (https://www.w3.org/TR/webrtc/#rtccertificate-interface). Certificate and key
+ * generation are handled by src/crypto/x509.ts.
+ */
+import * as crypto from 'crypto';
+/**
+ * RTCDtlsFingerprint - DTLS certificate fingerprint
+ */
+export interface RTCDtlsFingerprint {
+    /** Hash algorithm (e.g., 'sha-256') */
+    algorithm: string;
+    /** Fingerprint value (colon-separated hex) */
+    value: string;
+}
+/** Internal certificate data held by an {@link RTCCertificate}. */
+interface CertData {
+    certDer: Buffer | null;
+    privateKey: crypto.KeyObject | string;
+    publicKey: crypto.KeyObject | string;
+    expires: number;
+    hash?: string;
+}
+/** Options accepted by {@link RTCCertificate.generateCertificate}. */
+interface RTCGenerateCertificateOptions {
+    /** Common name for the certificate */
+    name?: string;
+    /** Expiration time in ms (default: 30 days from now) */
+    expires?: number;
+    /** Days until expiration */
+    days?: number;
+    /** Hash algorithm */
+    hash?: string;
+}
+/** Key parameters accepted by {@link RTCCertificate.isSupportedKeyParams}. */
+interface RTCCertificateKeyParams {
+    type: string;
+    rsaModulusLength?: number;
+    namedCurve?: string;
+}
+/** PEM serialization produced by {@link RTCCertificate.toPEM}. */
+interface RTCCertificatePEM {
+    pemPrivateKey: string;
+    pemCertificate: string;
+}
+/**
+ * @class RTCCertificate
+ * @description Represents a certificate used for DTLS in WebRTC.
+ * The certificate includes a key pair and expiration time.
+ *
+ * @example
+ * // Generate a certificate
+ * const cert = await RTCCertificate.generateCertificate();
+ * console.log('Expires:', new Date(cert.expires));
+ * console.log('Fingerprints:', cert.getFingerprints());
+ *
+ * @example
+ * // Generate with custom expiration
+ * const cert = await RTCCertificate.generateCertificate({
+ *   name: 'my-peer',
+ *   expires: Date.now() + (90 * 24 * 60 * 60 * 1000) // 90 days
+ * });
+ */
+declare class RTCCertificate {
+    #private;
+    /**
+     * Create an RTCCertificate instance.
+     * Use generateCertificate() static method instead of calling directly.
+     * @param certData - Internal certificate data
+     * @private
+     */
+    constructor(certData: CertData);
+    /**
+     * Get the DER-encoded X.509 certificate.
+     * Used by the DTLS handshake to transmit the local certificate.
+     * @internal
+     */
+    getCertificateDer(): Buffer | null;
+    /**
+     * Get the expiration time.
+     * @returns Expiration time in milliseconds since epoch (DOMTimeStamp)
+     */
+    get expires(): number;
+    /**
+     * Get the certificate fingerprints.
+     * Returns an array of fingerprints for the certificate chain.
+     * For self-signed certificates, this returns a single fingerprint.
+     *
+     * @returns Array of fingerprint objects
+     */
+    getFingerprints(): RTCDtlsFingerprint[];
+    /**
+     * Get the private key as a Node crypto KeyObject (for the DTLS handshake).
+     * @internal
+     */
+    getPrivateKeyObject(): crypto.KeyObject;
+    /**
+     * Get the private key in PEM format.
+     * @returns PEM-encoded private key
+     * @internal
+     */
+    getPrivateKey(): string;
+    /**
+     * Get the public key in PEM format.
+     * @returns PEM-encoded public key
+     * @internal
+     */
+    getPublicKey(): string;
+    /**
+     * Convert to PEM format (for serialization/storage).
+     * The certificate is exported as a PEM-wrapped DER X.509 certificate.
+     * @returns Object with pemPrivateKey and pemCertificate
+     */
+    toPEM(): RTCCertificatePEM;
+    /**
+     * Check if the certificate has expired.
+     * @returns True if expired, false otherwise
+     */
+    isExpired(): boolean;
+    /**
+     * Generate a new RTCCertificate asynchronously.
+     *
+     * @param options - Generation options
+     * @returns Promise resolving to generated certificate
+     *
+     * @example
+     * const cert = await RTCCertificate.generateCertificate({
+     *   name: 'my-app',
+     *   expires: Date.now() + (90 * 24 * 60 * 60 * 1000) // 90 days
+     * });
+     */
+    static generateCertificate(options?: RTCGenerateCertificateOptions): Promise<RTCCertificate>;
+    /**
+     * Create a certificate from PEM strings.
+     *
+     * @param pemPrivateKey - PEM-encoded private key
+     * @param pemCertificate - PEM-encoded certificate (or public key)
+     * @param expires - Expiration time in ms (default: 30 days from now)
+     * @returns Certificate instance
+     *
+     * @example
+     * const cert = RTCCertificate.fromPEM(
+     *   privateKeyPEM,
+     *   publicKeyPEM,
+     *   Date.now() + (30 * 24 * 60 * 60 * 1000)
+     * );
+     */
+    static fromPEM(pemPrivateKey: string, pemCertificate: string, expires?: number): RTCCertificate;
+    /**
+     * Check if key parameters are supported.
+     * Currently supports RSA with 1024-4096 bits and ECDSA.
+     *
+     * @param keyParams - Key parameters
+     * @returns True if supported, false otherwise
+     */
+    static isSupportedKeyParams(keyParams: RTCCertificateKeyParams): boolean;
+}
+export default RTCCertificate;
+export { RTCCertificate };

package/dist/types/dtls/cipher.d.ts

@@ -0,0 +1,81 @@
+/**
+ * @file cipher.ts
+ * @description AEAD record protection for DTLS 1.2 with AES-128-GCM.
+ * @module dtls/cipher
+ *
+ * Implements key derivation and the GCM record encrypt/decrypt for the suite
+ * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (RFC 5288 / RFC 6347).
+ *
+ * Key block layout for AEAD (no MAC keys):
+ *   client_write_key[16] | server_write_key[16] |
+ *   client_write_IV[4]   | server_write_IV[4]      (implicit salt)
+ *
+ * GCM nonce  = write_IV (4) || explicit_nonce (8)
+ * Record     = explicit_nonce (8) || ciphertext || tag (16)
+ * AAD (DTLS) = seq_num (8 = epoch||seq) || type (1) || version (2) || plaintext_len (2)
+ */
+/**
+ * Per-direction keys/IVs produced by {@link deriveKeys}.
+ */
+export interface DerivedKeys {
+    clientKey: Buffer;
+    serverKey: Buffer;
+    clientIV: Buffer;
+    serverIV: Buffer;
+}
+/**
+ * Derive the master secret from the pre-master secret (RFC 5246 §8.1).
+ * @param {Buffer} preMasterSecret
+ * @param {Buffer} clientRandom - 32 bytes
+ * @param {Buffer} serverRandom - 32 bytes
+ * @returns {Buffer} 48-byte master secret
+ */
+export declare function deriveMasterSecret(preMasterSecret: Buffer, clientRandom: Buffer, serverRandom: Buffer): Buffer;
+/**
+ * Derive the extended master secret (RFC 7627) using the handshake hash.
+ * @param {Buffer} preMasterSecret
+ * @param {Buffer} sessionHash - hash of handshake messages through CKE
+ * @returns {Buffer} 48-byte master secret
+ */
+export declare function deriveExtendedMasterSecret(preMasterSecret: Buffer, sessionHash: Buffer): Buffer;
+/**
+ * Expand the key block and split it into per-direction keys/IVs.
+ * @param {Buffer} masterSecret
+ * @param {Buffer} clientRandom
+ * @param {Buffer} serverRandom
+ * @returns {DerivedKeys}
+ */
+export declare function deriveKeys(masterSecret: Buffer, clientRandom: Buffer, serverRandom: Buffer): DerivedKeys;
+/**
+ * @class GcmCipher
+ * @description Holds the key/IV for one direction and does record AEAD.
+ */
+export declare class GcmCipher {
+    #private;
+    /**
+     * @param {Buffer} key - 16-byte AES key
+     * @param {Buffer} fixedIv - 4-byte implicit salt
+     */
+    constructor(key: Buffer, fixedIv: Buffer);
+    /**
+     * Encrypt a record fragment.
+     * @param {number} epoch
+     * @param {number} seq
+     * @param {number} type
+     * @param {number} version
+     * @param {Buffer} plaintext
+     * @returns {Buffer} explicit_nonce || ciphertext || tag
+     */
+    encrypt(epoch: number, seq: number, type: number, version: number, plaintext: Buffer): Buffer;
+    /**
+     * Decrypt a record fragment.
+     * @param {number} epoch
+     * @param {number} seq
+     * @param {number} type
+     * @param {number} version
+     * @param {Buffer} record - explicit_nonce || ciphertext || tag
+     * @returns {Buffer} plaintext
+     * @throws on authentication failure
+     */
+    decrypt(epoch: number, seq: number, type: number, version: number, record: Buffer): Buffer;
+}

package/dist/types/dtls/connection.d.ts

@@ -0,0 +1,81 @@
+/**
+ * @file connection.ts
+ * @description DTLS 1.2 connection state machine (client and server roles).
+ * @module dtls/connection
+ *
+ * Implements the handshake for TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 over an
+ * abstract datagram channel. The owner supplies an `output` callback to send
+ * datagrams and feeds inbound datagrams to `handlePacket`. On success the
+ * connection emits 'connect'; application records arrive via 'data' and are
+ * sent via `send`.
+ *
+ * Scope: one cipher suite, secp256r1, ECDSA P-256 certificates, extended
+ * master secret. This is the subset Chromium/Firefox negotiate for data
+ * channels, so it interoperates with browsers while staying pure-Node.
+ *
+ * References: RFC 6347 (DTLS 1.2), RFC 5246 (TLS 1.2), RFC 7627 (EMS),
+ * RFC 8422 (ECC cipher suites), RFC 5288 (AES-GCM).
+ */
+import * as crypto from 'crypto';
+import { EventEmitter } from 'events';
+declare const ROLE: Readonly<{
+    CLIENT: "client";
+    SERVER: "server";
+}>;
+declare const STATE: Readonly<{
+    NEW: "new";
+    HANDSHAKING: "handshaking";
+    CONNECTED: "connected";
+    CLOSED: "closed";
+    FAILED: "failed";
+}>;
+/** A certificate fingerprint as advertised in SDP a=fingerprint. */
+interface Fingerprint {
+    algorithm: string;
+    value: string;
+}
+/** Callback used to verify the peer's certificate fingerprint. */
+type VerifyFingerprint = (fp: Fingerprint, remoteCertDer: Buffer) => boolean;
+/** Constructor options for {@link DtlsConnection}. */
+interface DtlsConnectionOptions {
+    /** 'client' | 'server' */
+    role: string;
+    /** local DER certificate */
+    certDer: Buffer;
+    /** local EC private key */
+    privateKey: crypto.KeyObject;
+    /** called with the peer cert fingerprint; return false to reject. */
+    verifyFingerprint?: VerifyFingerprint;
+    /** send a datagram to the peer */
+    output: (datagram: Buffer) => void;
+}
+/**
+ * @class DtlsConnection
+ * @extends EventEmitter
+ */
+declare class DtlsConnection extends EventEmitter {
+    #private;
+    role: string;
+    state: string;
+    /**
+     * @param opts connection options
+     */
+    constructor(opts: DtlsConnectionOptions);
+    /** Begin the handshake (client sends the first flight). */
+    start(): void;
+    /**
+     * Feed an inbound datagram (one UDP packet, possibly several records).
+     * @param packet
+     */
+    handlePacket(packet: Buffer): void;
+    /**
+     * Send application data over the established connection.
+     * @param data
+     */
+    send(data: Buffer): void;
+    /** Send a close_notify and tear down. */
+    close(): void;
+    /** The peer's certificate DER, available after the handshake. */
+    getRemoteCertificate(): Buffer | null;
+}
+export { DtlsConnection, ROLE, STATE };

package/dist/types/dtls/prf.d.ts

@@ -0,0 +1,29 @@
+/**
+ * @file prf.ts
+ * @description TLS 1.2 pseudo-random function (RFC 5246 §5) with SHA-256.
+ * @module dtls/prf
+ *
+ * The cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uses P_SHA256 for
+ * the PRF. This module also exposes the underlying HMAC-based P_hash.
+ */
+/**
+ * P_hash(secret, seed) expanded to `length` bytes (RFC 5246 §5).
+ *   A(0) = seed
+ *   A(i) = HMAC(secret, A(i-1))
+ *   P_hash = HMAC(secret, A(1)+seed) | HMAC(secret, A(2)+seed) | ...
+ *
+ * @param hashAlg - Node hash name, e.g. 'sha256'.
+ * @param secret
+ * @param seed
+ * @param length
+ */
+export declare function pHash(hashAlg: string, secret: Buffer, seed: Buffer, length: number): Buffer;
+/**
+ * TLS 1.2 PRF = P_SHA256(secret, label + seed).
+ *
+ * @param secret
+ * @param label - ASCII label, e.g. "master secret".
+ * @param seed
+ * @param length
+ */
+export declare function prf(secret: Buffer, label: string, seed: Buffer, length: number): Buffer;