import type { MutualAuthCertificate, MutualAuthRole, TrustAnchor } from './types.js';

/**
 * Caller-supplied fields for an unsigned mutual-auth certificate
 * (the input to {@link buildCertificate}).
 */
export interface BuildCertificateInput {
    /** Role of the certificate subject. */
    role: MutualAuthRole;
    /** Identifier of the subject the certificate is issued to. */
    subject_id: string;
    /** Subject public key; hex-encoded, per the field name. */
    subject_pubkey_hex: string;
    /** Identifier of the issuer. */
    issuer_id: string;
    /** Issuer role; `'trust_anchor'` is accepted in addition to the regular roles. */
    issuer_role: MutualAuthRole | 'trust_anchor';
    /**
     * Binding value carried by the certificate. checkAnchor compares it with
     * the anchor's binding constraints; its format is not visible in this file.
     */
    binding: string;
    /** Start of the validity window. NOTE(review): presumably unix ms, matching `now_ms` — confirm. */
    not_before: number;
    /** End of the validity window. NOTE(review): presumably unix ms, matching `now_ms` — confirm. */
    not_after: number;
    /**
     * Protocol versions the subject supports.
     * NOTE(review): the `'version_empty'` outcome presumably refers to this list being empty — confirm.
     */
    supported_versions: string[];
    /** Optional attestation grade, 0 to 3. The meaning of each grade is not defined in this file. */
    attestation_grade?: 0 | 1 | 2 | 3;
    /** Optional capability strings. */
    capabilities?: string[];
}

/**
 * Build an unsigned certificate. Call signCertificate next.
 *
 * NOTE(review): the return type is a bare `Omit` with no type arguments; the
 * generic parameters appear to have been lost from this declaration and must
 * be restored from the implementation before this file will type-check.
 *
 * @param input - Subject, issuer, binding and validity fields.
 * @param issuer_pubkey_hex - Issuer public key (hex-encoded, per the name).
 * @returns The certificate without its signature.
 */
export declare function buildCertificate(input: BuildCertificateInput, issuer_pubkey_hex: string): Omit;

/**
 * Sign an unsigned certificate with the issuer's private key (hex).
 *
 * NOTE(review): `unsigned` is typed as a bare `Omit` with no type arguments;
 * same defect as the return type of buildCertificate.
 * NOTE(review): the private key is passed as a plain string, so callers are
 * responsible for keeping it out of logs, error messages and long-lived state.
 *
 * @param unsigned - Output of buildCertificate.
 * @param issuer_sk_hex - Issuer private key, hex-encoded.
 * @returns The signed certificate.
 */
export declare function signCertificate(unsigned: Omit, issuer_sk_hex: string): MutualAuthCertificate;

/**
 * Stable content-hash identifier for a certificate (for session_id
 * derivation, audit references, etc.). Does not include the signature
 * so equivalent unsigned certificates produce the same id.
 *
 * Because the signature is excluded, a matching id says nothing about
 * whether the certificate carries a valid signature; verify the certificate
 * separately before relying on it.
 */
export declare function certificateId(cert: MutualAuthCertificate): string;

/**
 * Result shape shared by verifyCertificateSignature and
 * isCertificateTemporallyValid. `reason` is optional; which reasons each
 * function can return is not visible from these declarations.
 */
export interface VerifyCertificateOutcome {
    ok: boolean;
    reason?: 'signature_invalid' | 'expired' | 'not_yet_valid' | 'version_empty';
}

/**
 * Verify the signature on a certificate.
 *
 * NOTE(review): only the certificate is passed in, so the verification key
 * presumably comes from the certificate itself — confirm in the
 * implementation. If so, `ok: true` only shows the certificate is internally
 * consistent; issuer trust still has to be established with checkAnchor and
 * the validity window with isCertificateTemporallyValid.
 */
export declare function verifyCertificateSignature(cert: MutualAuthCertificate): VerifyCertificateOutcome;

/**
 * Check validity window using a supplied now() (unix ms).
 *
 * @param cert - Certificate whose validity window is checked.
 * @param now_ms - Current time in unix milliseconds, supplied by the caller.
 * @param max_clock_skew_ms - Optional clock-skew tolerance in ms. The default
 *   applied when omitted is not visible here; pass it explicitly when the
 *   tolerance matters.
 */
export declare function isCertificateTemporallyValid(cert: MutualAuthCertificate, now_ms: number, max_clock_skew_ms?: number): VerifyCertificateOutcome;

/**
 * Result of checkAnchor. `anchor` and `reason` are both optional.
 * NOTE(review): presumably `anchor` is the matched trust anchor on success
 * and `reason` is set on failure — confirm.
 */
export interface AnchorCheckOutcome {
    ok: boolean;
    anchor?: TrustAnchor;
    reason?: 'unknown_issuer' | 'revoked_anchor' | 'binding_mismatch';
}

/**
 * Given a certificate and a local trust-anchor list, determine if
 * the certificate was issued by a trusted anchor and whether the
 * anchor's binding constraints (if any) permit this cert's binding.
 *
 * @param cert - Certificate to check.
 * @param anchors - Locally configured trust anchors.
 * @param revoked_anchor_ids - Optional list of revoked anchor ids.
 *   NOTE(review): behaviour when this is omitted is not visible here;
 *   presumably no anchor is treated as revoked — confirm. Callers that
 *   enforce revocation should always pass the list.
 */
export declare function checkAnchor(cert: MutualAuthCertificate, anchors: TrustAnchor[], revoked_anchor_ids?: string[]): AnchorCheckOutcome;
//# sourceMappingURL=certificate.d.ts.map