/**
 * Node.js Crypto Provider
 *
 * Implementation using Node.js native crypto module.
 *
 * This file contains type declarations only — every constant and function
 * below is `declare`d; the runtime code lives in the module these
 * declarations describe.
 */
import crypto from 'node:crypto';
import type { CryptoProvider } from './types';
export { isRsaPssAlg, jwtAlgToNodeAlg } from './jwt-alg';

/**
 * Node.js crypto provider implementation.
 */
export declare const nodeCrypto: CryptoProvider;

/** Alias for conditional import resolution via `#crypto-provider`. */
export { nodeCrypto as cryptoProvider };

/**
 * RSA JWK structure for public keys.
 *
 * Public members only: the private RSA members (`d`, `p`, `q`, ...) are not
 * part of this type, so a value of this shape is safe to publish (e.g. in a
 * JWKS). `n` and `e` are base64url-encoded per RFC 7518.
 */
export interface RsaJwk {
  kty: 'RSA';
  /** Key ID — compare the `kid` parameter of {@link createSignedJwt}. */
  kid: string;
  /** JWT algorithm identifier the key is intended for (e.g. 'RS256'). */
  alg: string;
  use: 'sig';
  /** Base64url-encoded RSA modulus. */
  n: string;
  /** Base64url-encoded RSA public exponent. */
  e: string;
}

/**
 * RSA key pair structure.
 *
 * Both halves are Node `KeyObject`s (opaque key handles, not raw PEM/DER
 * bytes); only the public half is additionally exposed as a JWK.
 */
export interface RsaKeyPair {
  /** Private key for signing */
  privateKey: crypto.KeyObject;
  /** Public key for verification */
  publicKey: crypto.KeyObject;
  /** Public key in JWK format */
  publicJwk: RsaJwk;
}

/**
 * Generate an RSA key pair with the specified modulus length
 *
 * @param modulusLength - Key size in bits (default: 2048, suitable for short-lived OAuth/JWT verification; use 3072+ for longer-term keys)
 * @param alg - JWT algorithm (default: 'RS256'). Presumably recorded as
 *   `publicJwk.alg` of the result — confirm against the implementation.
 * @returns RSA key pair with private, public keys and JWK
 */
export declare function generateRsaKeyPair(modulusLength?: number, alg?: string): RsaKeyPair;

/**
 * Sign data using RSA with the specified algorithm.
 *
 * For RSA-PSS (PS256/PS384/PS512), callers must pass appropriate padding/saltLength options.
 * Node's default RSA padding is PKCS#1 v1.5, so a PS* caller that omits
 * `padding: crypto.constants.RSA_PKCS1_PSS_PADDING` (and the matching
 * `saltLength`) silently produces a PKCS#1 v1.5 signature that any PSS
 * verifier will reject.
 *
 * @param algorithm - Node-side algorithm/digest name. The parameter is named
 *   `algorithm` rather than `jwtAlg`, so this presumably expects the output of
 *   `jwtAlgToNodeAlg`, not a raw JWT alg — confirm.
 * @param data - Bytes to sign
 * @param privateKey - RSA private key
 * @param options - Additional signing options (padding, saltLength, ...).
 *   NOTE(review): `Omit` has lost its type arguments in this copy of the
 *   file — as written it does not type-check; restore them from the source.
 * @returns Raw signature bytes (not base64url — see {@link rsaSignBase64Url})
 */
export declare function rsaSign(algorithm: string, data: Buffer, privateKey: crypto.KeyObject, options?: Omit): Buffer;

/**
 * Verify an RSA signature over `data` against a public JWK.
 *
 * `jwtAlg` must come from the verifier's own policy (the algorithm pinned for
 * the key or trust entry), never from the unauthenticated token header —
 * otherwise the token chooses the algorithm it is checked with.
 *
 * Error behaviour is not stated for this function: unlike
 * {@link rsaVerifySync}, nothing here says whether a malformed key makes it
 * throw or return `false` — confirm before relying on either.
 *
 * @param jwtAlg - Expected JWT algorithm identifier (e.g. 'RS256', 'PS256')
 * @param data - Bytes that were signed
 * @param publicJwk - Public key in JWK format
 * @param signature - Raw signature bytes (not base64url)
 * @returns `true` when the signature verifies
 */
export declare function rsaVerify(jwtAlg: string, data: Buffer, publicJwk: JsonWebKey, signature: Buffer): boolean;

/**
 * Sign data with an RSA private JWK and return a base64url-encoded signature.
 *
 * Mirror of {@link rsaVerify} on the signing side: takes a JWT alg name
 * (`RS256`/`RS384`/`RS512`/`PS256`/`PS384`/`PS512`), a private key in JWK
 * format, and the data bytes; returns the detached signature as a base64url
 * string suitable for inline JSON envelopes (e.g. tamper-evident audit
 * records that re-use the same key registry as bundle signing).
 *
 * Node-only — `crypto.createPrivateKey({ format: 'jwk' })` is not exposed in
 * WebCrypto with the same shape, so audit signing is gated to Node runtimes.
 *
 * @param jwtAlg - JWT algorithm identifier (e.g. 'RS256', 'PS256')
 * @param data - Bytes to sign
 * @param privateJwk - Private key in JWK format (contains private RSA
 *   members — keep it out of logs and error messages)
 * @returns Base64url-encoded signature
 */
export declare function rsaSignBase64Url(jwtAlg: string, data: Buffer | Uint8Array, privateJwk: JsonWebKey): string;

/**
 * Verify an RSA / RSA-PSS / EdDSA signature synchronously.
 *
 * Node-only — mirrors {@link rsaSignBase64Url}'s sync, JWK-first surface so
 * server-side callers (audit signer verifier, bundle signature verifier)
 * have a single utility to call instead of touching `node:crypto` directly.
 *
 * - RS256/RS384/RS512 / PS256/PS384/PS512: pass `jwtAlg` and an RSA JWK.
 * - EdDSA: pass `'EdDSA'` and an Ed25519 JWK (`kty: 'OKP'`, `crv: 'Ed25519'`).
 *
 * `jwtAlg` is the algorithm the verifier *expects* for this key — take it
 * from the trust configuration, not from the signed object's own header.
 *
 * Returns `false` (never throws) for malformed keys / unsupported algs so
 * callers can surface a single "verification failed" reason instead of
 * branching on every internal crypto error.
 *
 * Naming note: despite the `rsa` prefix this is the EdDSA entry point too;
 * callers grepping for Ed25519 verification should land here.
 *
 * @param jwtAlg - JWT algorithm identifier (`'RS256'`, `'PS256'`, `'EdDSA'`, ...)
 * @param data - Bytes that were signed
 * @param publicJwk - Public key in JWK format
 * @param signature - Signature bytes (raw, NOT base64url)
 * @returns `true` only when the signature verifies under `jwtAlg`
 */
export declare function rsaVerifySync(jwtAlg: string, data: Buffer | Uint8Array, publicJwk: JsonWebKey, signature: Buffer | Uint8Array): boolean;

/**
 * Convert a PEM-encoded public key (SPKI) to a JWK.
 *
 * Node-only. Used by host code that has historically configured trust roots
 * as PEMs (bundle-signature trust list, audit verifier trust list) so the
 * verifier path can normalize to JWK before calling {@link rsaVerifySync}.
 *
 * Throws if the PEM cannot be parsed — callers should catch and translate
 * into a structured "malformed_public_key" reason where appropriate.
 *
 * @param pem - SPKI public key in PEM encoding
 * @returns The same key as a public JWK
 */
export declare function pemToPublicJwk(pem: string): JsonWebKey;

/**
 * Create a JWT signed with an RSA key
 *
 * Nothing here states that time claims (`exp`, `iat`, `nbf`) are added
 * automatically; presumably the caller supplies them in `payload` — confirm,
 * since a token without `exp` has no natural lifetime.
 *
 * @param payload - JWT payload. NOTE(review): `Record` has lost its type
 *   arguments in this copy of the file — restore them from the source.
 * @param privateKey - RSA private key
 * @param kid - Key ID for the JWT header
 * @param alg - JWT algorithm (default: 'RS256')
 * @returns Signed JWT string
 */
export declare function createSignedJwt(payload: Record, privateKey: crypto.KeyObject, kid: string, alg?: string): string;