/**
 * @file connection.ts
 * @description DTLS 1.2 connection state machine (client and server roles).
 * @module dtls/connection
 *
 * Implements the handshake for TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 over an
 * abstract datagram channel. The owner supplies an `output` callback to send
 * datagrams and feeds inbound datagrams to `handlePacket`. On success the
 * connection emits 'connect'; application records arrive via 'data' and are
 * sent via `send`.
 *
 * Scope: one cipher suite, secp256r1, ECDSA P-256 certificates, extended
 * master secret. This is the subset Chromium/Firefox negotiate for data
 * channels, so it interoperates with browsers while staying pure-Node.
 *
 * References: RFC 6347 (DTLS 1.2), RFC 5246 (TLS 1.2), RFC 7627 (EMS),
 * RFC 8422 (ECC cipher suites), RFC 5288 (AES-GCM).
 *
 * This is a declaration file: it fixes the module's public surface but says
 * nothing about how malformed datagrams or an omitted `verifyFingerprint`
 * are handled. Those points are flagged below as things to confirm against
 * the implementation before relying on them.
 */
import * as crypto from 'crypto';
import { EventEmitter } from 'events';

/**
 * Connection role constants. `DtlsConnectionOptions.role` and
 * `DtlsConnection.role` are declared as plain `string`, so compare against
 * these members rather than against ad-hoc literals.
 */
declare const ROLE: Readonly<{
  CLIENT: "client";
  SERVER: "server";
}>;

/**
 * Connection lifecycle states exposed through `DtlsConnection.state`.
 * The names suggest the usual progression (NEW → HANDSHAKING → CONNECTED →
 * CLOSED, with FAILED on a fatal error), but the exact transitions are not
 * specified by this declaration. `state` is typed as `string`, so compare
 * against these members rather than against ad-hoc literals.
 */
declare const STATE: Readonly<{
  NEW: "new";
  HANDSHAKING: "handshaking";
  CONNECTED: "connected";
  CLOSED: "closed";
  FAILED: "failed";
}>;

/**
 * A certificate fingerprint as advertised in SDP a=fingerprint.
 *
 * `algorithm` is the hash name and `value` the digest, presumably in the
 * textual form used by the SDP line (e.g. `sha-256` and colon-separated hex
 * bytes) — the exact normalisation is not specified here and is up to the
 * verifier callback. In a WebRTC setup this fingerprint is what binds the
 * peer's DTLS certificate to the signalled session, so it is the credential
 * the verifier must actually check.
 */
interface Fingerprint {
  algorithm: string;
  value: string;
}

/**
 * Callback used to verify the peer's certificate fingerprint.
 *
 * @param fp the peer certificate's fingerprint (per the options doc below)
 * @param remoteCertDer the raw DER of the peer certificate the fingerprint
 *   belongs to, should the caller want to inspect more than the digest
 * @returns `true` to accept the peer, `false` to reject. Whether rejection
 *   fails the handshake with a fatal alert or just emits an error is not
 *   stated here — confirm against the implementation.
 *
 * If the caller compares the digest against an expected value itself,
 * a constant-time comparison (e.g. `crypto.timingSafeEqual` on equal-length
 * buffers) is preferable to string equality.
 */
type VerifyFingerprint = (fp: Fingerprint, remoteCertDer: Buffer) => boolean;

/** Constructor options for {@link DtlsConnection}. */
interface DtlsConnectionOptions {
  /** 'client' | 'server' — declared as `string`; pass a `ROLE` member. */
  role: string;
  /**
   * local DER certificate. The file header restricts the scheme to ECDSA
   * P-256 certificates; presumably this is what is presented to the peer in
   * the Certificate message and what the peer fingerprints — confirm.
   */
  certDer: Buffer;
  /**
   * local EC private key. Presumably the P-256 key matching `certDer`
   * (the handshake signs with it) — a mismatch is not detectable from this
   * declaration, so validate the pairing at the call site.
   */
  privateKey: crypto.KeyObject;
  /**
   * called with the peer cert fingerprint; return false to reject.
   *
   * Optional here, but what happens when it is omitted is NOT specified by
   * this declaration. NOTE(review): confirm the implementation refuses the
   * peer (fails the handshake) rather than accepting any certificate when
   * no verifier is supplied — in a WebRTC data-channel setup this callback
   * is the only authentication of the remote party, so callers should treat
   * supplying it as mandatory until that default is confirmed.
   */
  verifyFingerprint?: VerifyFingerprint;
  /**
   * send a datagram to the peer. Called with the fully encoded DTLS record(s)
   * for one datagram; the owner maps this onto its UDP/ICE transport.
   */
  output: (datagram: Buffer) => void;
}

/**
 * @class DtlsConnection
 * @extends EventEmitter
 *
 * Events documented in the file header: 'connect' once the handshake
 * succeeds and 'data' for each received application record. Whether
 * 'error' or 'close' events are emitted is not declared here — check the
 * implementation before relying on them.
 */
declare class DtlsConnection extends EventEmitter {
  #private;
  /** The role given at construction; expected to be a `ROLE` member. */
  role: string;
  /**
   * Current lifecycle state; expected to be a `STATE` member. Not declared
   * `readonly`, but it is driven by the state machine — treat it as
   * read-only from outside.
   */
  state: string;
  /**
   * @param opts connection options; see {@link DtlsConnectionOptions} for
   *   the certificate/key pairing and the fingerprint-verifier caveat
   */
  constructor(opts: DtlsConnectionOptions);
  /**
   * Begin the handshake (client sends the first flight).
   * What this does in the server role is not stated here.
   */
  start(): void;
  /**
   * Feed an inbound datagram (one UDP packet, possibly several records).
   *
   * This is the untrusted-input boundary: the datagram arrives straight off
   * the network. Whether malformed, replayed or out-of-order records throw,
   * are silently dropped, or fail the connection is not specified by this
   * declaration — NOTE(review): confirm, and wrap the call if the caller
   * cannot tolerate a throw.
   * @param packet raw datagram as received
   */
  handlePacket(packet: Buffer): void;
  /**
   * Send application data over the established connection.
   * Behaviour when `state` is not CONNECTED is not specified here.
   * @param data plaintext; it is encrypted and handed to `output`
   */
  send(data: Buffer): void;
  /** Send a close_notify and tear down. */
  close(): void;
  /**
   * The peer's certificate DER, available after the handshake.
   * @returns the DER buffer once the peer certificate has been received,
   *   `null` before that (presumably also after failure — confirm). Whether
   *   this is the internal buffer or a copy is not stated; do not mutate it.
   */
  getRemoteCertificate(): Buffer | null;
}
export { DtlsConnection, ROLE, STATE };