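import type { Jwk } from '../jose/jwk.js';
import { CoseAlgorithm } from './cose-key.js';

/**
 * COSE_Sign1 protected header parameters.
 *
 * The protected header is integrity-protected by inclusion in the Sig_structure.
 * At minimum, it MUST contain the algorithm identifier.
 *
 * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4 | RFC 9052, Section 4}
 */
export interface CoseSign1ProtectedHeader {
  /** Algorithm identifier (label 1). Required. */
  alg: CoseAlgorithm;
  /** Content type (label 3). */
  contentType?: string | number;
  /** Key ID (label 4). */
  kid?: Uint8Array;
  /**
   * Additional header parameters.
   *
   * NOTE(review): the open index signature means extra keys are not checked at
   * compile time; how such keys are mapped to CBOR labels is not stated here.
   */
  [key: string]: unknown;
}

/**
 * COSE_Sign1 unprotected header parameters.
 *
 * These parameters are NOT integrity-protected: they are not covered by the
 * signature, so a value such as `kid` is a hint for key lookup, not an
 * authenticated claim.
 *
 * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4 | RFC 9052, Section 4}
 */
export interface CoseSign1UnprotectedHeader {
  /** Key ID (label 4). */
  kid?: Uint8Array;
  /** Additional header parameters. */
  [key: string]: unknown;
}

/**
 * Parameters for creating a COSE_Sign1 structure.
 */
export interface CoseSign1CreateParams {
  /** The signing key in JWK format. Must contain the private key (`d`). */
  key: Jwk;
  /** The payload to sign. */
  payload: Uint8Array;
  /**
   * Protected header parameters. If omitted, the algorithm is inferred from the key
   * and a minimal protected header `{ alg }` is used.
   */
  protectedHeader?: CoseSign1ProtectedHeader;
  /** Unprotected header parameters. */
  unprotectedHeader?: CoseSign1UnprotectedHeader;
  /**
   * External additional authenticated data (external_aad).
   * Included in the Sig_structure but not in the COSE_Sign1 message itself.
   * Defaults to empty bytes.
   */
  externalAad?: Uint8Array;
  /**
   * If true, the payload is detached (not included in the COSE_Sign1 serialization).
   * The payload field in the CBOR array will be `null`.
   */
  detachedPayload?: boolean;
}

/**
 * Parameters for verifying a COSE_Sign1 structure.
 */
export interface CoseSign1VerifyParams {
  /** The COSE_Sign1 CBOR-encoded message to verify. */
  coseSign1: Uint8Array;
  /** The public key in JWK format for verification. */
  key: Jwk;
  /**
   * External additional authenticated data (external_aad).
   * Must match the value used during signing.
   * Defaults to empty bytes.
   */
  externalAad?: Uint8Array;
  /**
   * Detached payload. Required if the COSE_Sign1 was created with `detachedPayload: true`.
   *
   * NOTE(review): precedence when this field is set AND the message itself carries a
   * non-null payload is not specified in this declaration — confirm in the implementation.
   */
  payload?: Uint8Array;
}

/**
 * Decoded COSE_Sign1 structure.
 *
 * Produced by {@link CoseSign1.decode}, which parses the message without checking the
 * signature; nothing in this structure is authenticated until {@link CoseSign1.verify}
 * has succeeded.
 */
export interface CoseSign1Decoded {
  /**
   * The protected header parameters (decoded from CBOR).
   *
   * NOTE(review): the static type reflects the expected shape; whether the decoder
   * checks that `alg` is present and well-formed is not stated here (see `decode`'s @throws).
   */
  protectedHeader: CoseSign1ProtectedHeader;
  /** The raw protected header bytes (needed for signature verification). */
  protectedHeaderBytes: Uint8Array;
  /**
   * The unprotected header parameters.
   *
   * NOTE(review): the Map type arguments were missing in the declaration as shown and are
   * restored here as the widest safe choice; confirm against the emitting source.
   */
  unprotectedHeader: Map<unknown, unknown>;
  /** The payload (null if detached). */
  payload: Uint8Array | null;
  /** The signature. */
  signature: Uint8Array;
}

/**
 * CBOR tag for COSE_Sign1 (RFC 9052, Section 4.2).
 *
 * NOTE(review): the declaration this comment documents is not present in the file as
 * shown; the tag value referenced by `decode` below is 18.
 */

/**
 * COSE_Sign1 implementation per RFC 9052.
 *
 * Provides creation, verification, and decoding of COSE_Sign1 (single-signer)
 * signed messages. This is the CBOR-based counterpart to JOSE/JWS and is used
 * in TEE attestation (EAT tokens), CWT, and other COSE-based protocols.
 *
 * Supported algorithms:
 * - EdDSA (Ed25519) — CoseAlgorithm.EdDSA (-8)
 * - ES256 (P-256 / secp256r1 with SHA-256) — CoseAlgorithm.ES256 (-7)
 *
 * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4.3 | RFC 9052, Section 4.3}
 */
export declare class CoseSign1 {
  /**
   * Creates a COSE_Sign1 message.
   *
   * Constructs the `Sig_structure1` to-be-signed bytes per RFC 9052 Section 4.4,
   * signs them with the provided key, and returns the CBOR-encoded COSE_Sign1 array:
   *
   * ```
   * COSE_Sign1 = [
   *   protected   : bstr,       ; CBOR-encoded protected header
   *   unprotected : map,        ; unprotected header parameters
   *   payload     : bstr / nil, ; payload (nil if detached)
   *   signature   : bstr        ; signature
   * ]
   * ```
   *
   * @param params - The parameters for creating the COSE_Sign1 message.
   * @returns The CBOR-encoded COSE_Sign1 message.
   * @throws {CryptoError} If the algorithm is not supported or signing fails.
   *
   * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4.3 | RFC 9052, Section 4.3}
   * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4.4 | RFC 9052, Section 4.4}
   */
  static create(params: CoseSign1CreateParams): Promise<Uint8Array>;

  /**
   * Verifies a COSE_Sign1 message.
   *
   * Decodes the CBOR-encoded message, reconstructs the `Sig_structure1`, and verifies
   * the signature using the provided public key.
   *
   * NOTE(review): the algorithm is taken from the message's protected header. This
   * declaration does not say whether that `alg` is checked for consistency with the
   * key type of `params.key`; confirm in the implementation before relying on `verify`
   * to reject messages whose header names a different algorithm than the key expects.
   *
   * @param params - The parameters for verifying the COSE_Sign1 message.
   * @returns `true` if the signature is valid, `false` otherwise.
   * @throws {CryptoError} If the message is malformed or the algorithm is not supported.
   *
   * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4.4 | RFC 9052, Section 4.4}
   */
  static verify(params: CoseSign1VerifyParams): Promise<boolean>;

  /**
   * Decodes a CBOR-encoded COSE_Sign1 message into its constituent parts.
   *
   * The COSE_Sign1 structure is a CBOR array of four elements:
   * ```
   * [protected, unprotected, payload, signature]
   * ```
   *
   * The message may optionally be wrapped in CBOR tag 18.
   *
   * This performs structural parsing only; it does not verify the signature, so the
   * returned payload and headers are untrusted until {@link CoseSign1.verify} succeeds.
   *
   * @param coseSign1 - The CBOR-encoded COSE_Sign1 message.
   * @returns The decoded COSE_Sign1 components.
   * @throws {CryptoError} If the message does not conform to COSE_Sign1 structure.
   */
  static decode(coseSign1: Uint8Array): CoseSign1Decoded;

  /**
   * Builds the Sig_structure1 array for COSE_Sign1 signing and verification.
   *
   * ```
   * Sig_structure1 = [
   *   context        : "Signature1",
   *   body_protected : bstr,
   *   external_aad   : bstr,
   *   payload        : bstr
   * ]
   * ```
   *
   * @see {@link https://www.rfc-editor.org/rfc/rfc9052#section-4.4 | RFC 9052, Section 4.4}
   */
  private static buildSigStructure1;

  /**
   * Converts a {@link CoseSign1ProtectedHeader} to a CBOR Map with integer labels.
   */
  private static buildProtectedHeaderMap;

  /**
   * Converts a {@link CoseSign1UnprotectedHeader} to a CBOR Map with integer labels.
   */
  private static buildUnprotectedHeaderMap;

  /**
   * Signs the to-be-signed bytes with the appropriate algorithm.
   */
  private static signBytes;

  /**
   * Verifies a signature over the to-be-signed bytes with the appropriate algorithm.
   */
  private static verifyBytes;
}
//# sourceMappingURL=cose-sign1.d.ts.map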