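import { Binary, type SymmetricKey } from '@opentdf/sdk/singlecontainer';

// NOTE(review): every return type in the reviewed text was a bare `Promise`,
// which does not compile (Promise requires one type argument). The type
// arguments below are restored from the doc comments and from the result
// types declared in this file; confirm each against the implementation.

/**
 * Type of the optional `algorithm` argument of encrypt/decrypt.
 * It is a plain string alias, so the type system does not restrict callers
 * to supported algorithms; any validation has to happen at runtime.
 */
type AlgorithmUrn = string;

/**
 * Output of encrypt.
 * `authTag` is optional in the type.
 * NOTE(review): presumably it is set for authenticated modes only — confirm.
 */
type EncryptResult = {
  payload: Binary;
  authTag?: Binary;
};

/** Output of decrypt. */
type DecryptResult = {
  payload: Binary;
};

/**
 * Generate a random AES-256 symmetric key.
 * The VirtruCryptoKey handle is kept alive inside the opaque SymmetricKey —
 * key material never leaves the FIPS WASM keystore.
 *
 * @param length Optional key length. NOTE(review): the unit (bits or bytes)
 *   and the default are not visible in this declaration — confirm, and
 *   confirm that values other than AES-256 are rejected if that is intended.
 * @returns The opaque key handle.
 */
export declare function generateKey(length?: number): Promise<SymmetricKey>;

/**
 * Encrypt a payload with a symmetric AES key.
 * When payload is a SymmetricKey the key bytes are exported internally to
 * perform key-wrapping — they are never surfaced to the caller.
 *
 * @param payload Data to encrypt, or a SymmetricKey to wrap.
 * @param key Encryption key.
 * @param iv Caller-supplied initialisation vector. For AES-GCM and other
 *   counter-based modes an IV must never repeat under the same key; use a
 *   fresh random IV for every call.
 * @param algorithm Optional algorithm URN. NOTE(review): the supported values
 *   and the default are not visible in this declaration.
 * @returns NOTE(review): EncryptResult is inferred — it is the only declared
 *   type that carries an authTag and it is not referenced anywhere else.
 */
export declare function encrypt(
  payload: Binary | SymmetricKey,
  key: SymmetricKey,
  iv: Binary,
  algorithm?: AlgorithmUrn,
): Promise<EncryptResult>;

/**
 * Decrypt a payload with a symmetric AES key.
 *
 * @param payload Ciphertext.
 * @param key Decryption key.
 * @param iv IV that was used for encryption.
 * @param algorithm Optional algorithm URN; see encrypt.
 * @param authTag Authentication tag. It is optional in the signature.
 *   NOTE(review): confirm that the implementation rejects a call for an
 *   authenticated algorithm when authTag is missing, rather than returning
 *   unverified plaintext.
 * @returns NOTE(review): DecryptResult is inferred, on the same grounds as
 *   the return type of encrypt.
 */
export declare function decrypt(
  payload: Binary,
  key: SymmetricKey,
  iv: Binary,
  algorithm?: AlgorithmUrn,
  authTag?: Binary,
): Promise<DecryptResult>;

/**
 * Compute HMAC-SHA256.
 * The SymmetricKey must have been created with extractable:true (e.g. via
 * importSymmetricKey) so its bytes can be re-imported as an HMAC key.
 *
 * NOTE(review): it is not visible here whether keys from generateKey meet
 * the extractable requirement, nor how a non-extractable key is reported.
 *
 * @returns NOTE(review): Uint8Array is inferred from the `signature`
 *   parameter of verifyHmac — confirm.
 */
export declare function hmac(data: Uint8Array, key: SymmetricKey): Promise<Uint8Array>;

/**
 * Verify HMAC-SHA256 using constant-time comparison.
 * Use this instead of comparing the output of hmac() with `===` or a byte
 * loop, neither of which is constant-time.
 *
 * @returns NOTE(review): boolean is inferred from the name — confirm that a
 *   mismatch resolves to false and does not reject.
 */
export declare function verifyHmac(
  data: Uint8Array,
  signature: Uint8Array,
  key: SymmetricKey,
): Promise<boolean>;

/**
 * Import raw key bytes as an opaque SymmetricKey.
 * The resulting key is extractable so it can be used for HMAC and key-wrapping.
 *
 * The caller's `keyBytes` buffer holds raw key material in JavaScript memory.
 * NOTE(review): confirm whether the bytes are copied on import; if they are,
 * callers should overwrite `keyBytes` once the promise resolves.
 */
export declare function importSymmetricKey(keyBytes: Uint8Array): Promise<SymmetricKey>;

/**
 * Split a symmetric key into N shares using XOR secret sharing.
 * With XOR sharing every share is required to rebuild the key.
 *
 * For numShares === 1 (single-KAS), the key is returned as-is — no key
 * material is exported and no splitting occurs. This is the common DSP case.
 *
 * For numShares > 1 (multi-KAS), XOR secret sharing requires exporting the
 * raw key bytes. This is not yet implemented in FIPS mode.
 *
 * NOTE(review): the failure mode for numShares > 1 (presumably a rejected
 * promise) and the handling of numShares < 1 are not visible here — confirm.
 *
 * @returns NOTE(review): SymmetricKey[] is inferred from the parameter type
 *   of mergeSymmetricKeys; for numShares === 1 presumably a one-element
 *   array — confirm.
 */
export declare function splitSymmetricKey(
  key: SymmetricKey,
  numShares: number,
): Promise<SymmetricKey[]>;

/**
 * Merge symmetric key shares back into the original key using XOR.
 *
 * For a single share (single-KAS), the share is returned as-is — no key
 * material is exported and no XOR occurs. This is the common DSP case.
 *
 * For multiple shares (multi-KAS), XOR merging requires exporting raw key bytes.
 * This is not yet implemented in FIPS mode.
 *
 * NOTE(review): the behaviour for an empty `shares` array and the failure
 * mode for more than one share are not visible here — confirm.
 */
export declare function mergeSymmetricKeys(shares: SymmetricKey[]): Promise<SymmetricKey>;

export {};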