import { JWK } from 'jose'; declare class COSEBase { #private; readonly unprotectedHeaders: Map; readonly protectedHeaders: Map; constructor(protectedHeaders: Uint8Array | Map, unprotectedHeaders: Map); protected get encodedProtectedHeaders(): Uint8Array | undefined; encode(): Uint8Array; } /** * A map that has a type for its keys and values */ declare class TypedMap implements Iterable { #private; constructor(entries?: Iterable); [Symbol.iterator](): Iterator; /** * * Sets the value for the key in the map * * @param key - The key to set the value for * @param value - The value to set */ set(key: K, value: Extract[1]): void; /** * * Returns the value associated to the key, or undefined if there is none * * @param key - The key to get the value for * @returns - The value associated to the key, or undefined if there is none */ get(key: K): Extract[1] | undefined; /** * Returns an iterable of key, value pairs for every entry in the map. * * @returns - An iterable of key, value pairs for every entry in the map */ entries(): IterableIterator; /** * Returns an iterable of keys in the map * * @returns - An iterable of keys in the map */ keys(): IterableIterator; /** * Returns an iterable of values in the map * * @returns - An iterable of values in the map */ values(): IterableIterator; /** * Clears the map */ clear(): void; /** * Deletes the entry for the given key * * @param key - The key to delete * @returns Whether the key was deleted */ delete(key: K): boolean; /** * * Checks if the map has an entry for the given key * * @param key - The key to check for * @returns Whether the map has an entry for the given key */ has(key: K): boolean; /** * Returns the number of entries in the map */ get size(): number; /** * Returns the internal ES map */ get esMap(): Map; static wrap(map: TypedMap | Iterable | undefined): TypedMap; } /** * COSE Header labels registered in the IANA "COSE Header Parameters" registry. * Reference: https://www.iana.org/assignments/cose/cose.xhtml#header-parameters */ declare enum Headers { Algorithm = 1, Critical = 2, ContentType = 3, KeyID = 4, IV = 5, PartialIV = 6, CounterSignature = 7, CounterSignature0 = 9, CounterSignatureV2 = 11, CounterSignature0V2 = 12, X5Bag = 32, X5Chain = 33, X5T = 34, X5U = 35 } declare enum Algorithms { EdDSA = -8, ES256 = -7, ES384 = -35, ES512 = -36, PS256 = -37, PS384 = -38, PS512 = -39, RS256 = -257, RS384 = -258, RS512 = -259 } declare enum MacAlgorithms { HS256 = 5, HS384 = 6, HS512 = 7 } declare class ProtectedHeaders extends TypedMap<[Headers.Algorithm, Algorithms] | [Headers.Critical, Headers[]] | [Headers.ContentType, number | Uint8Array] | [Headers.KeyID, Uint8Array] | [ Omit, Uint8Array | Uint8Array[] | number | number[] ]> { /** * Ensure input is a ProtectedHeaders instance. * * @param headers - The headers to wrap. * @returns */ static from(headers: ProtectedHeaders | ConstructorParameters[0]): ProtectedHeaders; /** * CBOR encode the hedaers instance * @returns {Uint8Array} - The encoded protected headers. */ encode(): Uint8Array; } type SupportedMacAlg = 'HS256' | 'HS384' | 'HS512'; declare class MacProtectedHeaders extends TypedMap<[Headers.Algorithm, MacAlgorithms] | [Headers.Critical, Headers[]] | [Headers.ContentType, number | Uint8Array] | [Headers.KeyID, Uint8Array] | [ Omit, Uint8Array | number | number[] ]> { /** * Ensure input is a MacProtectedHeaders instance. * * @param headers - The headers to wrap. * @returns */ static from(headers: MacProtectedHeaders | ConstructorParameters[0]): MacProtectedHeaders; } declare class UnprotectedHeaders extends TypedMap<[Headers.ContentType, number | Uint8Array] | [Headers.KeyID, Uint8Array] | [Headers.IV, Uint8Array] | [Headers.PartialIV, Uint8Array] | [Headers.X5Chain, Uint8Array | Uint8Array[]] | [ Exclude, number | number[] | Uint8Array | Uint8Array[] ]> { /** * Ensure input is a MacProtectedHeaders instance. * * @param headers - The headers to wrap. * @returns */ static from(headers: UnprotectedHeaders | ConstructorParameters[0]): UnprotectedHeaders; } interface VerifyOptions$1 { externalAAD?: Uint8Array; detachedPayload?: Uint8Array; algorithms?: MacAlgorithms[]; } declare class Mac0 extends COSEBase { readonly payload: Uint8Array; private _tag?; constructor(protectedHeaders: Map | Uint8Array, unprotectedHeaders: Map, payload: Uint8Array, _tag?: Uint8Array | undefined); private static createMAC0; getContentForEncoding(): (Uint8Array | Map | undefined)[]; get tag(): Uint8Array; set tag(sig: Uint8Array); get alg(): MacAlgorithms | undefined; get algName(): SupportedMacAlg | undefined; hasSupportedAlg(): boolean; static create(protectedHeaders: MacProtectedHeaders | ConstructorParameters[0], unprotectedHeaders: UnprotectedHeaders | ConstructorParameters[0] | undefined, payload: Uint8Array, signature?: Uint8Array): Mac0; getRawSigningData(): { data: Uint8Array; alg: SupportedMacAlg; }; getRawVerificationData(options?: VerifyOptions$1): { alg: SupportedMacAlg; signature: Uint8Array; data: Uint8Array; }; static tag: number; } interface VerifyOptions { externalAAD?: Uint8Array; detachedPayload?: Uint8Array; algorithms?: Algorithms[]; } declare class SignatureBase extends COSEBase { private _signature?; constructor(protectedHeaders: Uint8Array | Map, unprotectedHeaders: Map, _signature?: Uint8Array | undefined); get signature(): Uint8Array; set signature(sig: Uint8Array); /** This parameter is used to indicate the algorithm used for the security processing. This parameter MUST be authenticated where the ability to do so exists. This support is provided by AEAD algorithms or construction (COSE_Sign, COSE_Sign0, COSE_Mac, and COSE_Mac0). This authentication can be done either by placing the header in the protected header bucket or as part of the externally supplied data. The value is taken from the "COSE Algorithms" registry (see Section 16.4). */ get alg(): Algorithms | undefined; get algName(): string | undefined; /** This parameter identifies one piece of data that can be used as input to find the needed cryptographic key. The value of this parameter can be matched against the 'kid' member in a COSE_Key structure. Other methods of key distribution can define an equivalent field to be matched. Applications MUST NOT assume that 'kid' values are unique. There may be more than one key with the same 'kid' value, so all of the keys associated with this 'kid' may need to be checked. The internal structure of 'kid' values is not defined and cannot be relied on by applications. Key identifier values are hints about which key to use. This is not a security-critical field. For this reason, it can be placed in the unprotected headers bucket. */ get kid(): Uint8Array | undefined; get x5chain(): [Uint8Array, ...Uint8Array[]] | undefined; protected internalGetRawVerificationData(payload: Uint8Array, options?: VerifyOptions): { alg: string; signature: Uint8Array; data: Uint8Array; }; } declare class Sign1 extends SignatureBase { readonly payload: Uint8Array; constructor(protectedHeaders: Map | Uint8Array, unprotectedHeaders: Map, payload: Uint8Array, _signature?: Uint8Array); getContentForEncoding(): (Uint8Array | Map | undefined)[]; private static Signature1; static create(protectedHeaders: ProtectedHeaders | ConstructorParameters[0], unprotectedHeaders: UnprotectedHeaders | ConstructorParameters[0] | undefined, payload: Uint8Array, signature?: Uint8Array): Sign1; getRawSigningData(): { data: Uint8Array; alg: string; }; getRawVerificationData(options?: VerifyOptions): { alg: string; signature: Uint8Array; data: Uint8Array; }; static tag: number; } type DataItemParams = { data: T; buffer: Uint8Array; } | { data: T; } | { buffer: Uint8Array; }; /** * DataItem is an extension defined https://www.rfc-editor.org/rfc/rfc8949.html#name-encoded-cbor-data-item * > Sometimes it is beneficial to carry an embedded CBOR data item that is * > not meant to be decoded immediately at the time the enclosing data item is being decoded. * * The idea of this class is to provide lazy encode and decode of cbor data. * * Due to a bug in the cbor-x library, we are eagerly encoding the data in the constructor. * https://github.com/kriszyp/cbor-x/issues/83 * */ declare class DataItem { #private; constructor(params: DataItemParams); get data(): T; get buffer(): Uint8Array; static fromData(data: T): DataItem; } /** * The IssuerAuth which is a COSE_Sign1 message * as defined in https://www.iana.org/assignments/cose/cose.xhtml#messages */ declare class IssuerAuth extends Sign1 { #private; get decodedPayload(): MSO; get certificateChain(): [Uint8Array, ...Uint8Array[]]; get certificate(): Uint8Array; getIssuingCountry(ctx: { x509: X509Context; }): string; getIssuingStateOrProvince(ctx: { x509: X509Context; }): string; static create(protectedHeaders: ProtectedHeaders, unprotectedHeaders: UnprotectedHeaders | undefined, payload: Uint8Array): IssuerAuth; } type IssuerSignedDataItem = DataItem>; declare class IssuerSignedItem { #private; constructor(dataItem: IssuerSignedDataItem); encode(): Uint8Array; get dataItem(): IssuerSignedDataItem; private get decodedData(); get digestID(): number; get random(): Uint8Array; get elementIdentifier(): string; get elementValue(): unknown; calculateDigest(alg: DigestAlgorithm, ctx: { crypto: MdocContext['crypto']; }): Promise; isValid(nameSpace: string, { decodedPayload: { valueDigests, digestAlgorithm } }: IssuerAuth, ctx: { crypto: MdocContext['crypto']; }): Promise; matchCertificate(nameSpace: string, issuerAuth: IssuerAuth, ctx: { x509: X509Context; }): boolean | undefined; static create(digestID: number, elementIdentifier: string, elementValue: unknown, ctx: { crypto: MdocContext['crypto']; }): IssuerSignedItem; } interface ValidityInfo { signed: Date; validFrom: Date; validUntil: Date; expectedUpdate?: Date; } type IssuerNameSpaces = Map; type MdocNameSpaces = Map>; interface IssuerSigned { issuerAuth: IssuerAuth; nameSpaces: IssuerNameSpaces; } type DeviceAuth = ({ deviceMac: Mac0; } & { deviceSignature?: never; }) | ({ deviceMac?: never; } & { deviceSignature: Sign1; }); interface DeviceSigned { deviceAuth: DeviceAuth; nameSpaces: Map>; } type DigestAlgorithm = 'SHA-256' | 'SHA-384' | 'SHA-512'; interface DiagnosticInformation { general: { type: string; version: string; status: number; documents: number; }; validityInfo: ValidityInfo; attributes: { ns: string; id: string; value: unknown; isValid: boolean; matchCertificate?: boolean; }[]; deviceAttributes: { ns: string; id: string; value: unknown; }[]; issuerCertificate?: { subjectName: string; notBefore: Date; notAfter: Date; serialNumber: string; thumbprint: string; pem: string; }; issuerSignature: { alg: string; isValid: boolean; reasons?: string[]; digests: Record; }; deviceKey: { jwk: JWK; }; deviceSignature: { alg: string; isValid: boolean; reasons?: string[]; }; dataIntegrity: { disclosedAttributes: string; isValid: boolean; reasons?: string[]; }; } interface DeviceKeyInfo { deviceKey: Map; [key: string]: unknown; } interface MSO { digestAlgorithm: DigestAlgorithm; docType: string; version: string; validityInfo: ValidityInfo; valueDigests?: Map>; validityDigests?: Record>; deviceKeyInfo?: DeviceKeyInfo; } type DocType = 'org.iso.18013.5.1.mDL' | (string & {}); type SupportedAlgs = 'ES256' | 'ES384' | 'ES512' | 'EdDSA'; type MacSupportedAlgs = 'HS256'; type MaybePromise = Promise | TType; interface X509Context { getIssuerNameField: (input: { certificate: Uint8Array; field: string; }) => string[]; getPublicKey: (input: { certificate: Uint8Array; alg: string; }) => MaybePromise; validateCertificateChain: (input: { trustedCertificates: [Uint8Array, ...Uint8Array[]]; x5chain: [Uint8Array, ...Uint8Array[]]; }) => MaybePromise; getCertificateData: (input: { certificate: Uint8Array; }) => MaybePromise<{ issuerName: string; subjectName: string; serialNumber: string; thumbprint: string; notBefore: Date; notAfter: Date; pem: string; }>; } interface MdocContext { crypto: { random: (length: number) => Uint8Array; digest: (input: { digestAlgorithm: DigestAlgorithm; bytes: Uint8Array; }) => MaybePromise; /** * Calculates the ephemeral mac key for the device authentication. * * There are two cases for this function: * 1. SDeviceKey.Priv and EReaderKey.Pub for the mdoc * 2. EReaderKey.Priv and SDeviceKey.Pub for the mdoc reader * * @param {Uint8Array} privateKey - The private key of the current party * @param {Uint8Array} publicKey - The public key of the other party * @param {Uint8Array} sessionTranscriptBytes - The session transcript bytes * @returns {Uint8Array} - The ephemeral mac key */ calculateEphemeralMacKeyJwk: (input: { privateKey: Uint8Array; publicKey: Uint8Array; sessionTranscriptBytes: Uint8Array; }) => MaybePromise; }; cose: { sign1: { sign: (input: { sign1: Sign1; jwk: JWK; }) => MaybePromise; verify(input: { jwk: JWK; options?: VerifyOptions | undefined; sign1: Sign1; }): MaybePromise; }; mac0: { sign: (input: { jwk: JWK; mac0: Mac0; }) => MaybePromise; verify(input: { mac0: Mac0; jwk: JWK; options: VerifyOptions$1; }): MaybePromise; }; }; x509: X509Context; } declare enum FLOAT32_OPTIONS { NEVER = 0, ALWAYS = 1, DECIMAL_ROUND = 3, DECIMAL_FIT = 4, } interface Options { alwaysUseFloat?: boolean useFloat32?: FLOAT32_OPTIONS useRecords?: boolean structures?: {}[] structuredClone?: boolean mapsAsObjects?: boolean variableMapSize?: boolean copyBuffers?: boolean bundleStrings?: boolean useTimestamp32?: boolean largeBigIntToFloat?: boolean encodeUndefinedAsNil?: boolean maxSharedStructures?: number maxOwnStructures?: number useSelfDescribedHeader?: boolean useToJSON?: boolean keyMap?: {} shouldShareStructure?: (keys: string[]) => boolean getStructures?(): {}[] saveStructures?(structures: {}[]): boolean | undefined onInvalidDate?: () => any tagUint8Array?: boolean pack?: boolean sequential?: boolean } declare const customInspectSymbol: unique symbol; declare class DateOnly { private date; constructor(date?: string); get [Symbol.toStringTag](): string; toString(): string; toJSON(): string; toISOString(): string; [customInspectSymbol](): string; } declare const cborDecode: (input: Uint8Array, options?: Options) => any; declare const cborDecodeUnknown: (input: Uint8Array, options?: Options) => unknown; declare const cborEncode: (obj: unknown, options?: Options) => Uint8Array; declare enum Curve { 'P-256' = 1, 'P-384' = 2, 'P-521' = 3, X25519 = 4, X448 = 5, Ed25519 = 6, Ed448 = 7 } declare enum KeyOps { Sign = 1, Verify = 2, Encrypt = 3, Decrypt = 4, WrapKey = 5, UnwrapKey = 6, DeriveKey = 7, DeriveBits = 8, MACCreate = 9, MACVerify = 10 } declare enum KeyType { OKP = 1, EC = 2, OCT = 4, Reserved = 0 } declare enum COSEKeyParam { KeyType = 1, KeyID = 2, Algorithm = 3, KeyOps = 4, Curve = -1, BaseIV = 5, x = -2, y = -3, d = -4, k = -1 } declare class COSEKey extends TypedMap<[COSEKeyParam.KeyType, KeyType] | [COSEKeyParam.KeyID, Uint8Array] | [COSEKeyParam.Algorithm, Algorithms] | [COSEKeyParam.KeyOps, KeyOps[]] | [COSEKeyParam.BaseIV, Uint8Array] | [COSEKeyParam.Curve, Curve] | [COSEKeyParam.x, Uint8Array] | [COSEKeyParam.y, Uint8Array] | [COSEKeyParam.d, Uint8Array] | [COSEKeyParam.k, Uint8Array]> { /** * Import a COSEKey either decoded as Map or as an encoded CBOR. * * @param data {Uint8Array | Map} * @returns */ static import(data: Uint8Array | Map): COSEKey; /** * * Create a COSEKey from a JWK. * * @param jwk {JWK} - A JWK. * @returns */ static fromJWK(jwk: JWK): COSEKey; /** * * Returns a JWK representation of the COSEKey. * * @returns {JWK} - The JWK representation of the COSEKey. */ toJWK(): JWK; /** * * Encode the COSEKey as a CBOR buffer. * * @returns {Uint8Array} - The encoded COSEKey. */ encode(): Uint8Array; } /** * Exports the COSE Key as a raw key. * * It's effectively the same than: * * crypto.subtle.exportKey('raw', importedJWK) * * Note: This only works for KTY = EC. * * @param {Map} key - The COSE Key * @returns {Uint8Array} - The raw key */ declare const COSEKeyToRAW: (key: Map | Uint8Array) => Uint8Array; interface VerificationAssessment { status: 'PASSED' | 'FAILED' | 'WARNING'; category: 'DOCUMENT_FORMAT' | 'DEVICE_AUTH' | 'ISSUER_AUTH' | 'DATA_INTEGRITY'; check: string; reason?: string; } type VerificationCallback = (item: VerificationAssessment) => void; declare const defaultCallback: VerificationCallback; interface ItemsRequestData { docType: string; nameSpaces: DeviceRequestNameSpaces; requestInfo?: Record; } type ItemsRequestDataItem = DataItem; declare class ItemsRequest { #private; constructor(dataItem: ItemsRequestDataItem); get dataItem(): ItemsRequestDataItem; get data(): ItemsRequestData; static create(docType: string, nameSpaces: DeviceRequestNameSpaces, requestInfo?: Record): ItemsRequest; } interface DocRequest { itemsRequest: ItemsRequest; readerAuth?: ReaderAuth; } type ReaderAuth = [ Uint8Array | undefined, Uint8Array | undefined, Uint8Array | undefined, Uint8Array | undefined ]; type DeviceRequestNameSpaces = Map>; declare class DeviceRequest { version: string; docRequests: DocRequest[]; constructor(version: string, docRequests: DocRequest[]); static from(version: string, docRequests: { itemsRequestData: ItemsRequestData; readerAuth?: ReaderAuth; }[]): DeviceRequest; static parse(cbor: Uint8Array): DeviceRequest; static encodeDocRequest(r: DocRequest): Map; encode(): Uint8Array; } /** * Represents an issuer signed document. * * Note: You don't need instantiate this class. * This is the return type of the parser and the document.sign() method. */ declare class IssuerSignedDocument { readonly docType: DocType; readonly issuerSigned: IssuerSigned; constructor(docType: DocType, issuerSigned: IssuerSigned); /** * Create the structure for encoding a document. * * @returns {Map} - The document as a map */ prepare(): Map; /** * Helper method to get the values in a namespace as a JS object. * * @param {string} namespace - The namespace to add. * @returns {Map} - The values in the namespace as an object */ getIssuerNameSpace(namespace: string): Map | undefined; /** * List of namespaces in the document. */ get issuerSignedNameSpaces(): string[]; get allIssuerSignedNamespaces(): MdocNameSpaces; } type ErrorCode = number; interface DocumentError { DocType: ErrorCode; } declare enum MDocStatus { OK = 0, GeneralError = 10, CBORDecodingError = 11, CBORValidationError = 12 } declare class MDoc { readonly documents: IssuerSignedDocument[]; readonly version: string; readonly status: MDocStatus; readonly documentErrors: DocumentError[]; constructor(documents?: IssuerSignedDocument[], version?: string, status?: MDocStatus, documentErrors?: DocumentError[]); addDocument(document: IssuerSignedDocument): void; encode(): Uint8Array; } interface PresentationDefinitionField { path: string[]; intent_to_retain: boolean; optional?: boolean; } interface Format { mso_mdoc: { alg: string[]; }; } interface InputDescriptor { id: string; format: Format; constraints: { limit_disclosure: string; fields: PresentationDefinitionField[]; }; } interface PresentationDefinition { id: string; input_descriptors: InputDescriptor[]; } /** * A builder class for creating a device response. */ declare class DeviceResponse { private mdoc; private pd?; private deviceRequest?; private sessionTranscriptBytes?; private sessionTranscriptCallback?; private useMac; private devicePrivateKey?; nameSpaces: Map>; private alg?; private macAlg?; private ephemeralPublicKey?; /** * Create a DeviceResponse builder. * * @param {MDoc | Uint8Array} mdoc - The mdoc to use as a base for the device response. * It can be either a parsed MDoc or a CBOR encoded MDoc. * @returns {DeviceResponse} - A DeviceResponse builder. */ static from(mdoc: MDoc | Uint8Array): DeviceResponse; constructor(mdoc: MDoc); /** * * @param pd - The presentation definition to use for the device response. * @returns {DeviceResponse} */ usingPresentationDefinition(pd: PresentationDefinition): DeviceResponse; /** * * @param deviceRequest - The device request * @returns {DeviceResponse} */ usingDeviceRequest(deviceRequest: DeviceRequest): DeviceResponse; /** * Set the session transcript data to use for the device response. * * This is arbitrary and should match the session transcript as it will be calculated by the verifier. * The transcript must be a CBOR encoded DataItem of an array, there is no further requirement. * * Example: `usingSessionTranscriptBytes(cborEncode(DataItem.fromData([a,b,c])))` where `a`, `b` and `c` can be anything including `null`. * * It is preferable to use {@link usingSessionTranscriptForOID4VP} or {@link usingSessionTranscriptForWebAPI} when possible. * * @param {Uint8Array} sessionTranscriptBytes - The sessionTranscriptBytes data to use in the session transcript. * @returns {DeviceResponse} */ usingSessionTranscriptBytes(sessionTranscriptBytes: Uint8Array): DeviceResponse; private usingSessionTranscriptCallback; /** * Set the session transcript data to use for the device response as defined in ISO/IEC 18013-7 in Annex B (OID4VP), 2024 draft. * * This should match the session transcript as it will be calculated by the verifier. * * @param {string} mdocGeneratedNonce - A cryptographically random number with sufficient entropy. * @param {string} clientId - The client_id Authorization Request parameter from the Authorization Request Object. * @param {string} responseUri - The response_uri Authorization Request parameter from the Authorization Request Object. * @param {string} verifierGeneratedNonce - The nonce Authorization Request parameter from the Authorization Request Object. * @returns {DeviceResponse} */ usingSessionTranscriptForOID4VP(input: { mdocGeneratedNonce: string; clientId: string; responseUri: string; verifierGeneratedNonce: string; }): DeviceResponse; static calculateSessionTranscriptBytesForOID4VP(input: { context: { crypto: MdocContext['crypto']; }; mdocGeneratedNonce: string; clientId: string; responseUri: string; verifierGeneratedNonce: string; }): Promise; static calculateSessionTranscriptBytesForOID4VPDCApi(input: { context: { crypto: MdocContext['crypto']; }; clientId: string; origin: string; verifierGeneratedNonce: string; }): Promise; /** * Set the session transcript data to use for the device response as defined in [OID4VP B.3.4.1, Draft 24](https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#appendix-B.3.4.1) * * This should match the session transcript as it will be calculated by the verifier. * * @param {string} clientId - The client_id Authorization Request parameter from the Authorization Request Object. * @param {string} origin - The origin of the Authorization Request, as defined in Appendix A.2. of OID4VP * @param {string} verifierGeneratedNonce - The nonce Authorization Request parameter from the Authorization Request Object. * @returns {DeviceResponse} */ usingSessionTranscriptForForOID4VPDCApi(input: { origin: string; clientId: string; verifierGeneratedNonce: string; }): DeviceResponse; /** * Set the session transcript data to use for the device response as defined in ISO/IEC 18013-7 in Annex A (Web API), 2024 draft. * * This should match the session transcript as it will be calculated by the verifier. * * @param {Uint8Array} deviceEngagementBytes - The device engagement, encoded as a Tagged 24 cbor * @param {Uint8Array} readerEngagementBytes - The reader engagement, encoded as a Tagged 24 cbor * @param {Uint8Array} eReaderKeyBytes - The reader ephemeral public key as a COSE Key, encoded as a Tagged 24 cbor * @returns {DeviceResponse} */ usingSessionTranscriptForWebAPI(input: { deviceEngagementBytes: Uint8Array; readerEngagementBytes: Uint8Array; eReaderKeyBytes: Uint8Array; }): DeviceResponse; static calculateSessionTranscriptBytesForWebApi(input: { context: { crypto: MdocContext['crypto']; }; deviceEngagementBytes: Uint8Array; readerEngagementBytes: Uint8Array; eReaderKeyBytes: Uint8Array; }): Promise; /** * Add a namespace to the device response. * * @param {string} nameSpace - The name space to add to the device response. * @param {Record | Map} data - The data to add to the name space. * @returns {DeviceResponse} */ addDeviceNameSpace(nameSpace: string, data: Map | Record): DeviceResponse; /** * Set the device's private key to be used for signing the device response. * * @param {JWK} devicePrivateKey - The device's private key either as a JWK or a COSEKey. * @param {SupportedAlgs} alg - The algorithm to use for signing the device response. * @returns {DeviceResponse} */ authenticateWithSignature(devicePrivateKey: JWK, alg: SupportedAlgs): DeviceResponse; /** * Set the reader shared key to be used for signing the device response with MAC. * * @param {JWK} devicePrivateKey - The device's private key either as a JWK or a COSEKey. * @param {JWK} ephemeralPublicKey - The public part of the ephemeral key generated by the MDOC. * @param {SupportedAlgs} alg - The algorithm to use for signing the device response. * @returns {DeviceResponse} */ authenticateWithMAC(devicePrivateKey: JWK, ephemeralPublicKey: JWK, alg: MacSupportedAlgs): DeviceResponse; /** * Sign the device response and return the MDoc. * * @returns {Promise} - The device response as an MDoc. */ sign(ctx: { crypto: MdocContext['crypto']; cose: MdocContext['cose']; }): Promise; private getDeviceSigned; private getDeviceAuthMac; private getDeviceAuthSign; } /** * Represents a device signed document. * * Note: You don't need to instantiate this class. * This is the return type of the parser and it will be generated by the DeviceResponse builder. */ declare class DeviceSignedDocument extends IssuerSignedDocument { readonly deviceSigned: DeviceSigned; constructor(docType: DocType, issuerSigned: IssuerSigned, deviceSigned: DeviceSigned); prepare(): Map; /** * Helper method to get the values in a namespace as a JS object. * * @param {string} namespace - The namespace to add. * @returns {Map} - The values in the namespace as an object */ getDeviceNameSpace(namespace: string): Map | undefined; /** * List of namespaces in the document. */ get deviceSignedNameSpaces(): string[]; get allDeviceSignedNamespaces(): MdocNameSpaces; } /** * Use this class when building new documents. * * This class allow you to build a document and sign it with the issuer's private key. */ declare class Document { #private; readonly docType: DocType; ctx: { crypto: MdocContext['crypto']; }; constructor(doc: DocType, ctx: { crypto: MdocContext['crypto']; }); /** * Add a namespace to an unsigned document. * * @param {string} namespace - The namespace to add. * @param {Record} values - The values to add to the namespace. * @returns {Document} - The document */ addIssuerNameSpace(namespace: 'org.iso.18013.5.1' | (string & {}), values: Record): Document; /** * Get the values in a namespace. * * @param {string} namespace - The namespace to add. * @returns {Record} - The values in the namespace as an object */ getIssuerNameSpace(namespace: string): Record | undefined; /** * Add the device public key which will be include in the issuer signature. * The device public key could be in JWK format or as COSE_Key format. * * @param params * @param {JWK | Uint8Array} params.devicePublicKey - The device public key. */ addDeviceKeyInfo({ deviceKey }: { deviceKey: JWK | Uint8Array; }): Document; /** * Add validity info to the document that will be used in the issuer signature. * * @param info - the validity info * @param {Date} [info.signed] - The date the document is signed. default: now * @param {Date} [info.validFrom] - The date the document is valid from. default: signed * @param {Date} [info.validUntil] - The date the document is valid until. default: signed + 1 year * @param {Date} [info.expectedUpdate] - The date the document is expected to be updated. default: null * @returns */ addValidityInfo(info?: Partial): Document; /** * Set the digest algorithm used for the value digests in the issuer signature. * * The default is SHA-256. * * @param {DigestAlgorithm} digestAlgorithm - The digest algorithm to use. * @returns */ useDigestAlgorithm(digestAlgorithm: DigestAlgorithm): Document; /** * Generate the issuer signature for the document. * * @param {Object} params - The parameters object * @param {JWK | Uint8Array} params.issuerPrivateKey - The issuer's private key either in JWK format or COSE_KEY format as buffer. * @param {string | Uint8Array} params.issuerCertificate - The issuer's certificate in pem format or as a buffer. * @param {SupportedAlgs} params.alg - The algorhitm used for the MSO signature. * @param {string | Uint8Array} [params.kid] - The key id of the issuer's private key. default: issuerPrivateKey.kid * @returns {Promise} - The signed document */ sign(params: { issuerPrivateKey: JWK; issuerCertificate: string | Uint8Array; alg: SupportedAlgs; kid?: string | Uint8Array; }, ctx: { crypto: MdocContext['crypto']; cose: MdocContext['cose']; }): Promise; } declare const limitDisclosureToDeviceRequestNameSpaces: (mdoc: IssuerSignedDocument, deviceRequestNameSpaces: DeviceRequestNameSpaces) => Map; declare const limitDisclosureToInputDescriptor: (mdoc: IssuerSignedDocument, inputDescriptor: InputDescriptor) => Map; /** * Parse a IssuerSignedDocument * * @param issuerSigned - The cbor encoded or decoded IssuerSigned Structure * @returns {Promise} - The parsed IssuerSigned document */ declare const parseIssuerSigned: (issuerSigned: Uint8Array | Map, expectedDocType?: string) => IssuerSignedDocument; /** * Parse a DeviceSignedDocument * * @param deviceSigned - The cbor encoded or decoded DeviceSigned Structure * @param issuerSigned - The cbor encoded or decoded IssuerSigned Structure * @returns {Promise} - The parsed DeviceSigned document */ declare const parseDeviceSigned: (deviceSigned: Uint8Array | Map, issuerSigned: Uint8Array | Map, expectedDocType?: string) => DeviceSignedDocument; /** * Parse an mdoc * * @param encoded - The cbor encoded mdoc * @returns {Promise} - The parsed device response */ declare const parseDeviceResponse: (encoded: Uint8Array) => MDoc; declare class Verifier { /** * * @param input.trustedCertificates The IACA root certificates list of the supported issuers. */ verifyIssuerSignature(input: { trustedCertificates: Uint8Array[]; issuerAuth: IssuerAuth; now?: Date; disableCertificateChainValidation: boolean; onCheckG?: VerificationCallback; }, ctx: { x509: X509Context; cose: MdocContext['cose']; }): Promise; verifyDeviceSignature(input: { deviceSigned: DeviceSignedDocument; ephemeralPrivateKey?: JWK | Uint8Array; sessionTranscriptBytes?: Uint8Array; onCheckG?: VerificationCallback; }, ctx: { crypto: MdocContext['crypto']; cose: MdocContext['cose']; }): Promise; verifyData(input: { mdoc: IssuerSignedDocument; onCheckG?: VerificationCallback; }, ctx: { x509: X509Context; crypto: MdocContext['crypto']; }): Promise; /** * Parse and validate a DeviceResponse as specified in ISO/IEC 18013-5 (Device Retrieval section). * * @param input.encodedDeviceResponse * @param input.encodedSessionTranscript The CBOR encoded SessionTranscript. * @param input.ephemeralReaderKey The private part of the ephemeral key used in the session where the DeviceResponse was obtained. This is only required if the DeviceResponse is using the MAC method for device authentication. */ verifyDeviceResponse(input: { encodedDeviceResponse: Uint8Array; encodedSessionTranscript?: Uint8Array; ephemeralReaderKey?: JWK | Uint8Array; disableCertificateChainValidation?: boolean; trustedCertificates: Uint8Array[]; now?: Date; onCheck?: VerificationCallback; }, ctx: { x509: X509Context; crypto: MdocContext['crypto']; cose: MdocContext['cose']; }): Promise; getDiagnosticInformation(encodedDeviceResponse: Uint8Array, options: { trustedCertificates: Uint8Array[]; encodedSessionTranscript?: Uint8Array; ephemeralReaderKey?: JWK | Uint8Array; disableCertificateChainValidation?: boolean; }, ctx: { x509: X509Context; crypto: MdocContext['crypto']; cose: MdocContext['cose']; }): Promise; } declare function uint8ArrayToBase64Url(bytes: Uint8Array): string; declare function uint8ArrayToHex(bytes: Uint8Array): string; declare function hexToUint8Array(hexString: string): Uint8Array; /** * UTF-8 encodes the `input` string and returns a `Uint8Array` containing the * encoded bytes. * @param [input='an empty string'] The text to encode. */ declare function stringToUint8Array(input: string): Uint8Array; declare function areEqualUint8Array(buf1: Uint8Array, buf2: Uint8Array): boolean; export { COSEKey, COSEKeyToRAW, DataItem, DateOnly, DeviceRequest, DeviceResponse, DeviceSignedDocument, type DiagnosticInformation, Document, IssuerSignedDocument, IssuerSignedItem, MDoc, MDocStatus, type MaybePromise, type MdocContext, type MdocNameSpaces, type PresentationDefinition, type ValidityInfo, type VerificationAssessment, type VerificationCallback, Verifier, type X509Context, areEqualUint8Array, cborDecode, cborDecodeUnknown, cborEncode, defaultCallback, hexToUint8Array, limitDisclosureToDeviceRequestNameSpaces, limitDisclosureToInputDescriptor, parseDeviceResponse, parseDeviceSigned, parseIssuerSigned, stringToUint8Array, uint8ArrayToBase64Url, uint8ArrayToHex };