import { Buffer } from 'node:buffer';
/**
 * Distinguished-name fields for the certificate stored in the keystore.
 *
 * `generateKeystore` documents the certificate as self-signed, so these values
 * describe both the subject and the issuer.
 */
export interface KeystoreDname {
    /** Common name (CN). The only required field. */
    commonName: string;
    /** Organization name (O). Optional. */
    organizationName?: string;
    // NOTE(review): presumably a two-letter ISO 3166 country code (C) — confirm
    // whether the implementation validates the length/format.
    countryCode?: string;
}
/**
 * Inputs for `generateKeystore`.
 *
 * `storePassword` and `keyPassword` are secrets: keep them out of logs,
 * error messages and process arguments.
 */
export interface KeystoreOptions {
    /** Key alias inside the keystore. `generateKeystore` throws if it is empty. */
    alias: string;
    /** Password protecting the keystore as a whole. `generateKeystore` throws if it is empty. */
    storePassword: string;
    /** Password protecting the private key entry. `generateKeystore` throws if it is empty. */
    keyPassword: string;
    /** Subject (and, for a self-signed certificate, issuer) name fields. */
    dname: KeystoreDname;
    /** Certificate validity in years. Default: 27 years (~10000 days, Android Play standard). */
    validityYears?: number;
    /**
     * RSA key size in bits. Default: 2048-bit RSA.
     *
     * NOTE(review): no lower bound is visible in this declaration — confirm the
     * implementation rejects sizes below 2048 rather than generating a weak key.
     */
    keySize?: number;
}
/**
 * Output of `generateKeystore`.
 *
 * Both `p12Base64` and `p12Bytes` carry the keystore, which holds the private
 * signing key. Treat them as secret material: do not log them, and store them
 * only where the signing key is meant to live.
 */
export interface KeystoreResult {
    // NOTE(review): presumably the base64 encoding of `p12Bytes` — confirm.
    p12Base64: string;
    /** The PKCS#12 keystore as raw bytes. */
    p12Bytes: Buffer;
    /** Alias of the key entry in the keystore. */
    alias: string;
    // NOTE(review): presumably the certificate's expiry (X.509 notAfter) derived
    // from `validityYears` — confirm against the implementation.
    notAfter: Date;
}
/**
 * Generate a URL-safe random password suitable for Android keystore use.
 *
 * 24 bytes → 32-char base64url string, i.e. 192 bits of input if every byte is
 * uniformly random. The function is documented as never writing the value to
 * logs; callers must likewise keep the returned password out of logs, shell
 * history and CI output.
 *
 * NOTE(review): the randomness source is not visible in this declaration.
 * Confirm the implementation draws from a cryptographically secure generator
 * (e.g. `node:crypto` `randomBytes`) and not `Math.random`.
 *
 * @returns A 32-character base64url password.
 */
export declare function generateRandomPassword(): string;
/**
 * Generate a PKCS#12 (.p12) keystore with a self-signed certificate.
 *
 * Key decisions:
 * - 3DES encryption for Gradle/keytool compatibility (same as iOS csr.ts).
 *   3DES is a legacy cipher kept here for tool compatibility, so the
 *   confidentiality of the private key at rest depends heavily on the
 *   passwords: use high-entropy values (e.g. from `generateRandomPassword`)
 *   and treat the resulting .p12 as a secret regardless of its encryption.
 * - 27-year validity — Google Play requires keys to outlive all future app updates.
 * - 2048-bit RSA — standard for Android app signing.
 * - Subject/issuer identical (self-signed).
 *
 * NOTE(review): a key that stays valid for ~27 years cannot be rotated
 * casually. Confirm that callers who need a larger margin can raise `keySize`,
 * and that the implementation never logs `storePassword` / `keyPassword`.
 *
 * @param options Alias, passwords, distinguished name and optional
 *   validity/key-size overrides.
 * @returns The keystore bytes (raw and base64), the alias and the expiry date.
 * @throws If alias or passwords are empty.
 */
export declare function generateKeystore(options: KeystoreOptions): KeystoreResult;
/**
 * Result of `tryUnlockPrivateKey`, discriminated on `ok`.
 *
 * On failure, `reason` is a machine-readable category and `message` is
 * human-readable detail.
 *
 * NOTE(review): confirm `message` never echoes the candidate password or raw
 * keystore contents, since callers are likely to print or log it.
 */
export type ProbeKeyPasswordResult = {
    ok: true;
} | {
    ok: false;
    reason: 'wrong-password' | 'unsupported-format' | 'parse-error' | 'no-private-key';
    message: string;
};
/**
 * Check whether the given password can both unlock a PKCS#12 keystore AND
 * decrypt the private key inside it.
 *
 * Useful for the "skip the key-password prompt if it's the same as the store
 * password" UX path: in practice most PKCS#12 keystores use a single password
 * for both the integrity MAC and the encrypted private-key bag. If this
 * returns `ok: true`, the CLI can use the store password as the key password
 * without asking the user.
 *
 * Returns `unsupported-format` for JKS (node-forge can't parse it) — caller
 * should fall back to prompting.
 *
 * This is a convenience probe, not an authorization check: `ok: true` only
 * means this one password opens both layers. Callers should not log the
 * password on either outcome.
 *
 * @param bytes Raw contents of the keystore file.
 * @param password Candidate password, tried as both store and key password.
 * @returns `{ ok: true }` when the password works for both layers; otherwise
 *   `{ ok: false, reason, message }`.
 */
export declare function tryUnlockPrivateKey(bytes: Uint8Array, password: string): ProbeKeyPasswordResult;
/**
 * Result of `listKeystoreAliases`, discriminated on `ok`.
 *
 * On success, `aliases` holds the alias strings read from the keystore. These
 * strings come from the file itself, so for a user-supplied keystore they are
 * untrusted input. On failure, `reason` is a machine-readable category and
 * `message` is human-readable detail.
 */
export type ListAliasesResult = {
    ok: true;
    aliases: string[];
} | {
    ok: false;
    reason: 'wrong-password' | 'unsupported-format' | 'parse-error';
    message: string;
};
/**
 * Extract key aliases (PKCS#12 `friendlyName` attributes) from a keystore file.
 *
 * Works for PKCS#12 (.p12, .pfx) keystores. JKS (Java KeyStore — common for
 * .jks / .keystore files created by `keytool`) is NOT PKCS#12 and cannot be
 * parsed by node-forge; callers should treat `unsupported-format` as "ask the
 * user for the alias manually".
 *
 * The returned aliases are attribute values read from the file. When the
 * keystore is user-supplied, treat them as untrusted: pass them to build tools
 * as discrete arguments rather than interpolating them into a shell command
 * line, and escape them before printing to a terminal.
 *
 * @param bytes Raw contents of the keystore file.
 * @param password Password used to open the keystore.
 * @returns `{ ok: true, aliases }` on success; otherwise
 *   `{ ok: false, reason, message }`.
 */
export declare function listKeystoreAliases(bytes: Uint8Array, password: string): ListAliasesResult;
