/**
 * AES encryption for ZIP files (WinZip AE-1 / AE-2).
 *
 * Implements the WinZip AES encryption format as documented in:
 * - https://www.winzip.com/en/support/aes-encryption/
 *
 * This implementation supports both AE-1 and AE-2 encryption modes:
 * - AE-1: Uses both CRC-32 and HMAC-SHA1 authentication
 * - AE-2: Uses only HMAC-SHA1 authentication (CRC-32 is set to 0)
 *
 * Key derivation uses PBKDF2 with HMAC-SHA1 as the PRF.
 * Encryption uses AES in CTR mode.
 *
 * Works in both Node.js and browsers using the Web Crypto API.
 */
/**
 * AES key strength options.
 */
export type AesKeyStrength = 128 | 192 | 256;
/**
 * AES vendor ID for WinZip format.
 */
export declare const AES_VENDOR_ID = 17729;
/**
 * AES vendor version for AE-2 (CRC-32 not used).
 */
export declare const AES_VERSION_AE2 = 2;
/**
 * AES vendor version for AE-1 (CRC-32 used).
 */
export declare const AES_VERSION_AE1 = 1;
/**
 * Compression method value indicating AES encryption.
 */
export declare const COMPRESSION_METHOD_AES = 99;
/**
 * AES extra field header ID.
 */
export declare const AES_EXTRA_FIELD_ID = 39169;
/**
 * Salt lengths for different key strengths.
 */
export declare const AES_SALT_LENGTH: Record<AesKeyStrength, number>;
/**
 * Key lengths for different strengths.
 */
export declare const AES_KEY_LENGTH: Record<AesKeyStrength, number>;
/**
 * Key strength byte values used in AES extra field.
 */
export declare const AES_STRENGTH_BYTE: Record<AesKeyStrength, number>;
/**
 * Reverse mapping from strength byte to key strength.
 */
export declare const AES_STRENGTH_FROM_BYTE: Record<number, AesKeyStrength>;
/**
 * HMAC-SHA1 authentication code length (truncated to 10 bytes).
 */
export declare const AES_AUTH_CODE_LENGTH = 10;
/**
 * Password verification value length.
 */
export declare const AES_PASSWORD_VERIFY_LENGTH = 2;
/**
 * AES encryption info parsed from extra field.
 */
export interface AesExtraFieldInfo {
    /** AE format version (1 or 2) */
    version: number;
    /** Vendor ID (should be 0x4541 "AE") */
    vendorId: number;
    /** Key strength (128, 192, or 256) */
    keyStrength: AesKeyStrength;
    /** Original compression method */
    compressionMethod: number;
}
/**
 * Derived key material from PBKDF2.
 */
export interface AesDerivedKeys {
    /** AES encryption key */
    encryptionKey: Uint8Array;
    /** HMAC-SHA1 key */
    hmacKey: Uint8Array;
    /** Password verification value (2 bytes) */
    passwordVerify: Uint8Array;
}
/**
 * Parsed AES encrypted data components.
 */
export interface AesEncryptedComponents {
    /** Salt (8/12/16 bytes depending on key strength) */
    salt: Uint8Array;
    /** Password verification value (2 bytes) */
    storedVerify: Uint8Array;
    /** Encrypted ciphertext */
    ciphertext: Uint8Array;
    /** HMAC-SHA1 authentication code (10 bytes) */
    storedHmac: Uint8Array;
}
/**
 * Derive AES keys from password using PBKDF2.
 *
 * The derived key material is split into:
 * - Encryption key (16/24/32 bytes)
 * - HMAC key (32 bytes)
 * - Password verification (2 bytes)
 */
export declare function aesDerive(password: string | Uint8Array, salt: Uint8Array, keyStrength: AesKeyStrength): Promise<AesDerivedKeys>;
/**
 * Compute HMAC-SHA1 authentication code.
 *
 * @param key - HMAC key (32 bytes)
 * @param data - Data to authenticate
 * @returns 10-byte authentication code (truncated from 20 bytes)
 */
export declare function aesComputeHmac(key: Uint8Array, data: Uint8Array): Promise<Uint8Array>;
/**
 * AES-CTR encryption/decryption.
 *
 * WinZip uses a custom CTR mode with:
 * - 16-byte blocks
 * - Little-endian counter starting at 1
 * - Counter in the low bytes of the IV
 *
 * Note: AES-CTR is symmetric - encrypt and decrypt are the same operation.
 */
export declare function aesCtr(key: Uint8Array, data: Uint8Array, _encrypt?: boolean): Promise<Uint8Array>;
/**
 * Parse AES extra field data.
 *
 * Structure (7 bytes):
 * - Bytes 0-1: Version (0x0001 or 0x0002)
 * - Bytes 2-3: Vendor ID ("AE" = 0x4541)
 * - Byte 4: Key strength (1=128, 2=192, 3=256)
 * - Bytes 5-6: Actual compression method
 */
export declare function parseAesExtraField(data: Uint8Array): AesExtraFieldInfo | null;
/**
 * Build AES extra field data.
 */
export declare function buildAesExtraField(version: 1 | 2, keyStrength: AesKeyStrength, compressionMethod: number): Uint8Array;
/**
 * Decrypt AES-encrypted ZIP entry data.
 *
 * Structure of encrypted data:
 * - Salt: saltLen bytes (8/12/16 for AES-128/192/256)
 * - Password verification: 2 bytes
 * - Encrypted data: variable
 * - Authentication code: 10 bytes
 *
 * @param encryptedData - Full encrypted data
 * @param password - Password string or bytes
 * @param keyStrength - AES key strength (128, 192, or 256)
 * @returns Decrypted data or null if authentication fails
 */
export declare function aesDecrypt(encryptedData: Uint8Array, password: string | Uint8Array, keyStrength: AesKeyStrength): Promise<Uint8Array>;
/**
 * Encrypt data using AES for ZIP.
 *
 * @param data - Plain data to encrypt
 * @param password - Password string or bytes
 * @param keyStrength - AES key strength (128, 192, or 256)
 * @returns Encrypted data with salt, verification, ciphertext, and HMAC
 */
export declare function aesEncrypt(data: Uint8Array, password: string | Uint8Array, keyStrength: AesKeyStrength): Promise<Uint8Array>;
/**
 * Calculate the total encrypted size for a given plaintext size.
 */
export declare function aesEncryptedSize(plaintextSize: number, keyStrength: AesKeyStrength): number;
/**
 * Check if a password is valid for AES-encrypted data without full decryption.
 * This is useful for quick password validation without decompressing data.
 *
 * @param encryptedData - Full encrypted data
 * @param password - Password string or bytes
 * @param keyStrength - AES key strength (128, 192, or 256)
 * @returns true if password verification passes, false otherwise
 */
export declare function aesCheckPasswordOnly(encryptedData: Uint8Array, password: string | Uint8Array, keyStrength: AesKeyStrength): Promise<boolean>;
/**
 * Alias for aesCheckPasswordOnly for API consistency with zipCryptoVerifyPassword.
 */
export { aesCheckPasswordOnly as aesVerifyPassword };
/**
 * Verify the HMAC signature of AES-encrypted data without decryption.
 * This is useful for integrity verification without decompressing data.
 *
 * @param encryptedData - Full encrypted data
 * @param password - Password string or bytes
 * @param keyStrength - AES key strength (128, 192, or 256)
 * @returns true if HMAC verification passes, false otherwise
 * @throws Error if password verification fails
 */
export declare function aesCheckSignature(encryptedData: Uint8Array, password: string | Uint8Array, keyStrength: AesKeyStrength): Promise<boolean>;