import { X509Certificate } from "@peculiar/x509";
import { RevocationResult } from "./types";
/**
 * Extract OCSP responder URLs from certificate
 * @param cert X509Certificate to extract OCSP URLs from
 * @returns Array of OCSP responder URLs
 */
export declare function extractOCSPUrls(cert: X509Certificate): string[];
/**
 * Extract CA Issuers URLs from certificate (for fetching issuer cert)
 * @param cert X509Certificate to extract URLs from
 * @returns Array of CA Issuers URLs
 */
export declare function extractCAIssuersUrls(cert: X509Certificate): string[];
/**
 * Find issuer certificate from certificate chain
 * @param cert Certificate to find issuer for
 * @param chain Array of PEM-formatted certificates
 * @returns Issuer certificate or null if not found
 */
export declare function findIssuerInChain(cert: X509Certificate, chain: string[]): X509Certificate | null;
/**
 * Extract any certificates carried inside embedded OCSP responses.
 *
 * OCSP responses frequently bundle the responder certificate and the issuer CA
 * certificate. They are a useful offline source of the issuer certificate needed
 * to build a (live) OCSP request when the container's certificate chain is empty.
 *
 * @param base64Responses Base64-encoded DER OCSP responses (from RevocationValues)
 * @returns PEM-encoded certificates found in the responses
 */
export declare function extractCertsFromOCSPResponses(base64Responses: string[]): string[];
/**
 * Resolve the issuer certificate for a cert from a candidate chain, preferring a
 * candidate whose key actually signed the cert. This avoids building an OCSP
 * request against the wrong (e.g. tampered, same-name) issuer.
 *
 * @param cert Certificate to find the issuer for
 * @param chain Candidate certificates (PEM)
 * @returns The verified issuer certificate, or null
 */
export declare function resolveIssuerFromChain(cert: X509Certificate, chain: string[]): Promise<X509Certificate | null>;
/**
 * Fetch issuer certificate from AIA extension
 * @param cert Certificate to fetch issuer for
 * @param timeout Timeout in ms
 * @param proxyUrl Optional CORS proxy URL
 * @returns Issuer certificate or null
 */
export declare function fetchIssuerFromAIA(cert: X509Certificate, timeout?: number, proxyUrl?: string): Promise<X509Certificate | null>;
/**
 * Build OCSP request for a certificate
 * @param cert Certificate to check
 * @param issuerCert Issuer certificate
 * @returns DER-encoded OCSP request
 */
export declare function buildOCSPRequest(cert: X509Certificate, issuerCert: X509Certificate): Promise<ArrayBuffer>;
/**
 * Parse OCSP response and extract revocation status
 * @param responseData DER-encoded OCSP response
 * @returns Revocation result
 */
export declare function parseOCSPResponse(responseData: ArrayBuffer): RevocationResult;
/**
 * Check certificate revocation via OCSP
 * @param cert Certificate to check
 * @param issuerCert Issuer certificate (optional, will try to find/fetch)
 * @param options OCSP check options
 * @returns Revocation result
 */
export declare function checkOCSP(cert: X509Certificate, issuerCert: X509Certificate | null, options?: {
    timeout?: number;
    certificateChain?: string[];
    proxyUrl?: string;
}): Promise<RevocationResult>;