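/** Public/private key pair held for one actor. */
export interface ActorKeypair {
  /** Public half; exported as SPKI PEM by `exportPublicKeyPem`. */
  publicKey: CryptoKey;
  /** Private half; exported as PKCS8 PEM by `exportPrivateKeyPem`. */
  privateKey: CryptoKey;
}

/**
 * Generate an RSA 2048 keypair for HTTP Signatures.
 *
 * @returns The newly generated keypair.
 */
export declare function generateKeypair(): Promise<ActorKeypair>;

/**
 * Export public key as SPKI PEM.
 *
 * @param keypair - Keypair whose public key is exported.
 * @returns The PEM text of the public key.
 */
export declare function exportPublicKeyPem(keypair: ActorKeypair): Promise<string>;

/**
 * Export private key as PKCS8 PEM.
 *
 * The result is private key material. The signature takes no passphrase, so
 * the PEM is presumably unencrypted (confirm against the implementation):
 * store it as a secret and keep it out of logs and error messages.
 *
 * @param keypair - Keypair whose private key is exported.
 * @returns The PEM text of the private key.
 */
export declare function exportPrivateKeyPem(keypair: ActorKeypair): Promise<string>;

/**
 * Build the Key ID URI for an actor's public key.
 *
 * NOTE(review): the URI layout is not visible in this declaration file;
 * confirm that `domain` and `username` are validated or encoded before they
 * are placed in the URI.
 *
 * @param domain - Domain of the instance that hosts the actor.
 * @param username - Username of the actor.
 * @returns The Key ID URI.
 */
export declare function buildKeyId(domain: string, username: string): string;

/**
 * Verify an HTTP Signature on an incoming ActivityPub request
 * (draft-cavage-http-signatures-12, the de facto fediverse standard).
 *
 * Returns true if the signature is valid AND the coverage policy is met.
 * Returns false on missing/invalid Signature header, missing required
 * signed headers, missing/stale digest, or cryptographic failure.
 *
 * **Coverage policy (strict by default — matches Mastodon/Pleroma/Lemmy):**
 * - The `headers=` parameter MUST be present and explicit; no defaults.
 * - `(request-target)`, `host`, and `date` MUST be in the signed set.
 * - If the request body is non-empty, `digest` MUST be in the signed set
 *   AND the digest header value MUST match the SHA-256 of the raw body.
 *
 * **Digest verification (Item 6 fix, session 149):** the body is hashed
 * exactly as received (`request.text()` on a clone of the verify Request);
 * the caller is responsible for building that Request with the ORIGINAL
 * raw bytes from the wire, not a re-serialized JSON copy.
 * `JSON.stringify(JSON.parse(x)) !== x` in general (whitespace, escapes,
 * key ordering), so re-serializing breaks digest comparison even when the
 * sender computed everything correctly.
 *
 * **Caller responsibilities not covered by this signature:**
 * - The function receives only the request and a PEM key, so checking that
 *   the key belongs to the `keyId` named in the Signature header, and that
 *   this key's owner is the actor of the activity, is left to the caller.
 * - NOTE(review): `date` is required to be signed, but this declaration
 *   does not say whether its value is compared with the current time;
 *   confirm that the implementation or the caller enforces a clock-skew
 *   window, because a signed date that is never checked does not limit
 *   replay of a captured request.
 *
 * @param request - Incoming request, built from the original raw body bytes.
 * @param publicKeyPem - Public key of the claimed signer, as PEM text.
 * @returns Whether the signature verified and the coverage policy was met.
 */
export declare function verifyHttpSignature(request: Request, publicKeyPem: string): Promise<boolean>;
//# sourceMappingURL=keypairs.d.ts.map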