/**
 * @file x509.ts
 * @description Self-signed X.509 v3 certificate generation for WebRTC DTLS.
 * @module crypto/x509
 *
 * WebRTC peers authenticate by self-signed certificate. The SDP carries
 * a=fingerprint as the hash of the DER-encoded certificate (RFC 8122), which
 * the peer verifies against the certificate presented during the DTLS
 * handshake. Node has no certificate builder, so we assemble a minimal but
 * spec-valid ECDSA P-256 / ecdsa-with-SHA256 certificate by hand.
 *
 * Security note: a self-signed certificate carries no CA-backed identity. The
 * fingerprint check binds the DTLS session to whoever produced the SDP, so it
 * is only as trustworthy as the signaling channel that delivered that SDP.
 *
 * This listing holds declarations only; the implementations are not shown here.
 */
import * as crypto from 'crypto';

/**
 * Options for {@link generateSelfSigned}.
 *
 * Every field is optional.
 */
export interface GenerateSelfSignedOptions {
  /**
   * CN; WebRTC uses a random value.
   *
   * The certificate is presented to the peer during the DTLS handshake, so
   * avoid hostnames, user names or other identifying values here. Peer
   * authentication rests on the fingerprint, not on this name.
   */
  commonName?: string;
  /**
   * Validity period in days.
   *
   * The default is not visible in this declaration.
   * NOTE(review): presumably counted from notBefore; confirm in the implementation.
   */
  days?: number;
  /**
   * Override start time (default: now - 1 day).
   *
   * NOTE(review): the one-day backdating presumably tolerates clock skew
   * between peers; confirm.
   */
  notBefore?: Date;
}

/**
 * Result of {@link generateSelfSigned}.
 */
export interface SelfSignedCertificate {
  /** DER-encoded certificate. These are the bytes to pass to {@link fingerprint}. */
  certDer: Buffer;
  // Private key as a Node KeyObject.
  // NOTE(review): presumably the ECDSA P-256 key that signed certDer; confirm.
  // Treat as a secret: do not log it, serialize it, or send it with the SDP.
  privateKey: crypto.KeyObject;
  // Public key as a Node KeyObject.
  // NOTE(review): presumably the key embedded in certDer; confirm.
  publicKey: crypto.KeyObject;
  // Start of the certificate validity window.
  notBefore: Date;
  // End of the certificate validity window.
  notAfter: Date;
}

/**
 * Dotted-decimal ASN.1 object identifiers, exposed as a read-only map of
 * string literals. How each one is placed into the certificate is not visible
 * in this declaration.
 */
export declare const OID: Readonly<{
  // id-ecPublicKey: public key algorithm identifier for elliptic-curve keys.
  ecPublicKey: "1.2.840.10045.2.1";
  // prime256v1 (also known as secp256r1 / NIST P-256): the named curve.
  prime256v1: "1.2.840.10045.3.1.7";
  // ecdsa-with-SHA256: signature algorithm identifier.
  ecdsaWithSHA256: "1.2.840.10045.4.3.2";
  // id-at-commonName: the CN attribute type used in X.509 names.
  commonName: "2.5.4.3";
}>;

/**
 * Generate a self-signed ECDSA P-256 certificate.
 *
 * The whole options argument may be omitted. The result carries the DER
 * certificate, both keys and the validity window.
 *
 * NOTE(review): whether a fresh key pair is created on every call is not
 * visible from this declaration. If callers cache and reuse one result across
 * sessions, the fingerprint becomes a stable identifier for this endpoint;
 * confirm the intended lifetime.
 *
 * @param {GenerateSelfSignedOptions} [options]
 * @returns {SelfSignedCertificate}
 */
export declare function generateSelfSigned(options?: GenerateSelfSignedOptions): SelfSignedCertificate;

/**
 * Compute the certificate fingerprint as used in SDP a=fingerprint (RFC 8122):
 * hash over the DER-encoded certificate, uppercase hex, colon-separated.
 *
 * The algorithm parameter is declared as a plain string, so the three names
 * listed below are not enforced by the compiler. Behaviour for any other value
 * is not visible in this declaration.
 *
 * When checking a remote certificate, compute this value with the same hash
 * algorithm the peer announced and compare the complete string.
 * NOTE(review): confirm whether callers normalise hex case before comparing.
 *
 * @param {Buffer} certDer
 * @param {string} [algorithm='sha-256'] - 'sha-256' | 'sha-384' | 'sha-512'
 * @returns {string}
 */
export declare function fingerprint(certDer: Buffer, algorithm?: string): string;