import { type KeyOptions, type PrivateKey, type PublicKey, type PublicKeyInfo } from '@opentdf/sdk/singlecontainer';
/**
 * Import a PEM public key (SPKI) as an opaque PublicKey.
 * Only RSA keys are supported in FIPS mode.
 *
 * @param pem - PEM-encoded public key (`-----BEGIN PUBLIC KEY-----`)
 * @param options.usage - `'encrypt'` (RSA-OAEP) or `'sign'` (RS256 verify). Defaults to `'encrypt'`.
 * @param options.extractable - Defaults to `true`.
 * @param options.algorithmHint - Skips SPKI parsing when provided.
 */
export declare function importPublicKey(pem: string, options: KeyOptions): Promise<PublicKey>;
/**
 * Import a PEM private key (PKCS#8) as an opaque PrivateKey.
 * Only RSA keys are supported in FIPS mode.
 *
 * @param pem - PEM-encoded private key (`-----BEGIN PRIVATE KEY-----`)
 * @param options.usage - `'encrypt'` (RSA-OAEP decrypt) or `'sign'` (RS256). Defaults to `'encrypt'`.
 * @param options.extractable - Defaults to `false`.
 * @param options.algorithmHint - Algorithm label to attach. Defaults to `'rsa:2048'`.
 */
export declare function importPrivateKey(pem: string, options: KeyOptions): Promise<PrivateKey>;
/**
 * Export an opaque public key to PEM (SPKI / `-----BEGIN PUBLIC KEY-----`).
 * Handles VirtruCrypto's PKCS#1 output for generated keys transparently.
 */
export declare function exportPublicKeyPem(key: PublicKey): Promise<string>;
/**
 * Export an opaque public key to JWK.
 * Uses WebCrypto for the JWK conversion after normalizing to SPKI.
 */
export declare function exportPublicKeyJwk(key: PublicKey): Promise<JsonWebKey>;
/**
 * Export an opaque private key to PEM (PKCS#8 / `-----BEGIN PRIVATE KEY-----`).
 *
 * FOR TESTING / DEVELOPMENT ONLY — not included in the CryptoService interface.
 * Only works for keys that were imported via importPrivateKey (PKCS#8 format).
 * Generated private keys cannot be exported from the FIPS keystore.
 */
export declare function exportPrivateKeyPem(key: PrivateKey): Promise<string>;
/**
 * Use the WebCrypto API to parse a PEM public key and extract its algorithm info.
 */
export declare function parsePublicKeyPem(pem: string): Promise<PublicKeyInfo>;
/**
 * Use the WebCrypto API to extract the public key PEM from a certificate or PEM string.
 */
export declare function extractPublicKeyPem(certOrPem: string): Promise<string>;
/**
 * Use the WebCrypto API to convert a JWK public key to PEM format.
 */
export declare function jwkToPublicKeyPem(jwk: JsonWebKey): Promise<string>;
