import { FieldContext, FieldRuleExecutor, FieldTransform, FieldType, RuleContext } from "../../serde/serde";
import { DekClient, Dek, Kek } from "./dekregistry/dekregistry-client";
import { ClientConfig } from "../../rest-service";
export declare enum DekFormat {
    AES128_GCM = "AES128_GCM",
    AES256_GCM = "AES256_GCM",
    AES256_SIV = "AES256_SIV"
}
interface KekId {
    name: string;
    deleted: boolean;
}
interface DekId {
    kekName: string;
    subject: string;
    version: number | null;
    algorithm: string;
    deleted: boolean;
}
export declare class Clock {
    now(): number;
}
export declare class FieldEncryptionExecutor extends FieldRuleExecutor {
    client: DekClient | null;
    clock: Clock;
    /**
     * Register the field encryption executor with the rule registry.
     */
    static register(): FieldEncryptionExecutor;
    static registerWithClock(clock: Clock): FieldEncryptionExecutor;
    constructor(clock?: Clock);
    configure(clientConfig: ClientConfig, config: Map<string, string>): void;
    type(): string;
    newTransform(ctx: RuleContext): FieldTransform;
    close(): Promise<void>;
    private getCryptor;
    private getKekName;
    private getDekExpiryDays;
}
export declare class Cryptor {
    static readonly EMPTY_AAD: Buffer<ArrayBuffer>;
    dekFormat: DekFormat;
    isDeterministic: boolean;
    constructor(dekFormat: DekFormat);
    private keySize;
    generateKey(): Buffer;
    encrypt(dek: Buffer, plaintext: Buffer): Promise<Buffer>;
    decrypt(dek: Buffer, ciphertext: Buffer): Promise<Buffer>;
    encryptWithAesSiv(key: Uint8Array, plaintext: Uint8Array): Promise<Uint8Array>;
    decryptWithAesSiv(key: Uint8Array, ciphertext: Uint8Array): Promise<Uint8Array>;
    encryptWithAesGcm(key: Uint8Array, plaintext: Uint8Array): Promise<Uint8Array>;
    decryptWithAesGcm(key: Uint8Array, ciphertext: Uint8Array): Promise<Uint8Array>;
}
export declare class FieldEncryptionExecutorTransform implements FieldTransform {
    private executor;
    private cryptor;
    private kekName;
    private kek;
    private dekExpiryDays;
    constructor(executor: FieldEncryptionExecutor, cryptor: Cryptor, kekName: string, dekExpiryDays: number);
    isDekRotated(): boolean;
    getKek(ctx: RuleContext): Promise<Kek>;
    getOrCreateKek(ctx: RuleContext): Promise<Kek>;
    retrieveKekFromRegistry(key: KekId): Promise<Kek | null>;
    storeKekToRegistry(key: KekId, kmsType: string, kmsKeyId: string, shared: boolean): Promise<Kek | null>;
    getOrCreateDek(ctx: RuleContext, version: number | null): Promise<Dek>;
    retrieveDekFromRegistry(key: DekId): Promise<Dek | null>;
    storeDekToRegistry(key: DekId, encryptedDek: Buffer | null): Promise<Dek | null>;
    isExpired(ctx: RuleContext, dek: Dek | null): boolean;
    transform(ctx: RuleContext, fieldCtx: FieldContext, fieldValue: any): Promise<any>;
    prefixVersion(version: number, ciphertext: Buffer): Buffer;
    extractVersion(ciphertext: Buffer): number | null;
    toBytes(type: FieldType, value: any): Buffer | null;
    toObject(type: FieldType, value: Buffer): any;
}
export {};