import { DIDResolutionResult, Resolvable, VerificationMethod } from 'did-resolver';
import { EcdsaSignature } from './util.js';
export type Signer = (data: string | Uint8Array) => Promise<EcdsaSignature | string>;
export type SignerAlgorithm = (payload: string, signer: Signer) => Promise<string>;
export type ProofPurposeTypes = 'assertionMethod' | 'authentication' | 'capabilityDelegation' | 'capabilityInvocation';
export interface JWTOptions {
    issuer: string;
    signer: Signer;
    /**
     * @deprecated Please use `header.alg` to specify the JWT algorithm.
     */
    alg?: string;
    expiresIn?: number;
    canonicalize?: boolean;
}
export interface JWTVerifyOptions {
    /** @deprecated Please use `proofPurpose: 'authentication' instead` */
    auth?: boolean;
    audience?: string;
    callbackUrl?: string;
    resolver?: Resolvable;
    skewTime?: number;
    /** See https://www.w3.org/TR/did-spec-registries/#verification-relationships */
    proofPurpose?: ProofPurposeTypes;
    policies?: JWTVerifyPolicies;
    didAuthenticator?: DIDAuthenticator;
}
/**
 * Overrides the different types of checks performed on the JWT besides the signature check
 */
export interface JWTVerifyPolicies {
    now?: number;
    nbf?: boolean;
    iat?: boolean;
    exp?: boolean;
    aud?: boolean;
}
export interface JWSCreationOptions {
    canonicalize?: boolean;
}
export interface DIDAuthenticator {
    authenticators: VerificationMethod[];
    issuer: string;
    didResolutionResult: DIDResolutionResult;
}
export interface JWTHeader {
    typ: 'JWT';
    alg: string;
    [x: string]: any;
}
export interface JWTPayload {
    iss?: string;
    sub?: string;
    aud?: string | string[];
    iat?: number;
    nbf?: number;
    exp?: number;
    rexp?: number;
    [x: string]: any;
}
export interface JWTDecoded {
    header: JWTHeader;
    payload: JWTPayload;
    signature: string;
    data: string;
}
export interface JWSDecoded {
    header: JWTHeader;
    payload: string;
    signature: string;
    data: string;
}
/**
 * Result object returned by {@link verifyJWT}
 */
export interface JWTVerified {
    /**
     * Set to true for a JWT that passes all the required checks minus any verification overrides.
     */
    verified: true;
    /**
     * The decoded JWT payload
     */
    payload: Partial<JWTPayload>;
    /**
     * The result of resolving the issuer DID
     */
    didResolutionResult: DIDResolutionResult;
    /**
     * the issuer DID
     */
    issuer: string;
    /**
     * The public key of the issuer that matches the JWT signature
     */
    signer: VerificationMethod;
    /**
     * The original JWT that was verified
     */
    jwt: string;
    /**
     * Any overrides that were used during verification
     */
    policies?: JWTVerifyPolicies;
}
export declare const SELF_ISSUED_V2 = "https://self-issued.me/v2";
export declare const SELF_ISSUED_V2_VC_INTEROP = "https://self-issued.me/v2/openid-vc";
export declare const SELF_ISSUED_V0_1 = "https://self-issued.me";
export declare const NBF_SKEW = 300;
/**
 *  Decodes a JWT and returns an object representing the payload
 *
 *  @example
 *  decodeJWT('eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksifQ.eyJpYXQiOjE1...')
 *
 *  @param    {String}            jwt                a JSON Web Token to verify
 * @param    {Object}            [recurse]          whether to recurse into the payload to decode any nested JWTs
 *  @return   {Object}                               a JS object representing the decoded JWT
 */
export declare function decodeJWT(jwt: string, recurse?: boolean): JWTDecoded;
/**
 *  Creates a signed JWS given a payload, a signer, and an optional header.
 *
 *  @example
 *  const signer = ES256KSigner(process.env.PRIVATE_KEY)
 *  const jws = await createJWS({ my: 'payload' }, signer)
 *
 *  @param    {Object}            payload           payload object
 *  @param    {Signer}            signer            a signer, see `ES256KSigner or `EdDSASigner`
 *  @param    {Object}            header            optional object to specify or customize the JWS header
 *  @param    {Object}            options           can be used to trigger automatic canonicalization of header and
 *                                                    payload properties
 *  @return   {Promise<string>}                     a Promise which resolves to a JWS string or rejects with an error
 */
export declare function createJWS(payload: string | Partial<JWTPayload>, signer: Signer, header?: Partial<JWTHeader>, options?: JWSCreationOptions): Promise<string>;
/**
 *  Creates a signed JWT given an address which becomes the issuer, a signer, and a payload for which the signature is
 * over.
 *
 *  @example
 *  const signer = ES256KSigner(process.env.PRIVATE_KEY)
 *  createJWT({address: '5A8bRWU3F7j3REx3vkJ...', signer}, {key1: 'value', key2: ..., ... }).then(jwt => {
 *      ...
 *  })
 *
 *  @param    {Object}            payload               payload object
 *  @param    {Object}            [options]             an unsigned credential object
 *  @param    {String}            options.issuer        The DID of the issuer (signer) of JWT
 *  @param    {String}            options.alg           [DEPRECATED] The JWT signing algorithm to use. Supports:
 *   [ES256K, ES256K-R, Ed25519, EdDSA], Defaults to: ES256K. Please use `header.alg` to specify the algorithm
 *  @param    {Signer}            options.signer        a `Signer` function, Please see `ES256KSigner` or `EdDSASigner`
 *  @param    {boolean}           options.canonicalize  optional flag to canonicalize header and payload before signing
 *  @param    {Object}            header                optional object to specify or customize the JWT header
 *  @return   {Promise<Object, Error>}                  a promise which resolves with a signed JSON Web Token or
 *   rejects with an error
 */
export declare function createJWT(payload: Partial<JWTPayload>, { issuer, signer, alg, expiresIn, canonicalize }: JWTOptions, header?: Partial<JWTHeader>): Promise<string>;
/**
 *  Creates a multi-signature signed JWT given multiple issuers and their corresponding signers, and a payload for
 * which the signature is over.
 *
 *  @example
 *  const signer = ES256KSigner(process.env.PRIVATE_KEY)
 *  createJWT({address: '5A8bRWU3F7j3REx3vkJ...', signer}, {key1: 'value', key2: ..., ... }).then(jwt => {
 *      ...
 *  })
 *
 *  @param    {Object}            payload               payload object
 *  @param    {Object}            [options]             an unsigned credential object
 *  @param    {boolean}           options.expiresIn     optional flag to denote the expiration time
 *  @param    {boolean}           options.canonicalize  optional flag to canonicalize header and payload before signing
 *  @param    {Object[]}          issuers               array of the issuers, their signers and algorithms
 *  @param    {string}            issuers[].issuer      The DID of the issuer (signer) of JWT
 *  @param    {Signer}            issuers[].signer      a `Signer` function, Please see `ES256KSigner` or `EdDSASigner`
 *  @param    {String}            issuers[].alg         [DEPRECATED] The JWT signing algorithm to use. Supports:
 *   [ES256K, ES256K-R, Ed25519, EdDSA], Defaults to: ES256K. Please use `header.alg` to specify the algorithm
 *  @return   {Promise<Object, Error>}                  a promise which resolves with a signed JSON Web Token or
 *   rejects with an error
 */
export declare function createMultisignatureJWT(payload: Partial<JWTPayload>, { expiresIn, canonicalize }: Partial<JWTOptions>, issuers: {
    issuer: string;
    signer: Signer;
    alg: string;
}[]): Promise<string>;
export declare function verifyJWTDecoded({ header, payload, data, signature }: JWTDecoded, pubKeys: VerificationMethod | VerificationMethod[]): VerificationMethod;
export declare function verifyJWSDecoded({ header, data, signature }: JWSDecoded, pubKeys: VerificationMethod | VerificationMethod[]): VerificationMethod;
/**
 *  Verifies given JWS. If the JWS is valid, returns the public key that was
 *  used to sign the JWS, or throws an `Error` if none of the `pubKeys` match.
 *
 *  @example
 *  const pubKey = verifyJWS('eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksifQ.eyJyZXF1Z....', { publicKeyHex: '0x12341...' })
 *
 *  @param    {String}                          jws         A JWS string to verify
 *  @param    {Array<VerificationMethod> | VerificationMethod}    pubKeys     The public keys used to verify the JWS
 *  @return   {VerificationMethod}                       The public key used to sign the JWS
 */
export declare function verifyJWS(jws: string, pubKeys: VerificationMethod | VerificationMethod[]): VerificationMethod;
/**
 *  Verifies given JWT. If the JWT is valid, the promise returns an object including the JWT, the payload of the JWT,
 *  and the DID document of the issuer of the JWT.
 *
 *  @example
 *  ```ts
 *  verifyJWT(
 *      'did:uport:eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksifQ.eyJyZXF1Z....',
 *      {audience: '5A8bRWU3F7j3REx3vkJ...', callbackUrl: 'https://...'}
 *    ).then(obj => {
 *        const did = obj.did // DID of signer
 *        const payload = obj.payload
 *        const doc = obj.didResolutionResult.didDocument // DID Document of issuer
 *        const jwt = obj.jwt
 *        const signerKeyId = obj.signer.id // ID of key in DID document that signed JWT
 *        ...
 *    })
 *  ```
 *
 *  @param    {String}            jwt                a JSON Web Token to verify
 *  @param    {Object}            [options]           an unsigned credential object
 *  @param    {Boolean}           options.auth        Require signer to be listed in the authentication section of the
 *   DID document (for Authentication purposes)
 *  @param    {String}            options.audience    DID of the recipient of the JWT
 *  @param    {String}            options.callbackUrl callback url in JWT
 *  @return   {Promise<Object, Error>}               a promise which resolves with a response object or rejects with an
 *   error
 */
export declare function verifyJWT(jwt: string, options?: JWTVerifyOptions): Promise<JWTVerified>;
/**
 * Resolves relevant public keys or other authenticating material used to verify signature from the DID document of
 * provided DID
 *
 *  @example
 *  ```ts
 *  resolveAuthenticator(resolver, 'ES256K', 'did:uport:2nQtiQG6Cgm1GYTBaaKAgr76uY7iSexUkqX').then(obj => {
 *      const payload = obj.payload
 *      const profile = obj.profile
 *      const jwt = obj.jwt
 *      // ...
 *  })
 *  ```
 *
 *  @param resolver - {Resolvable} a DID resolver function that can obtain the `DIDDocument` for the `issuer`
 *  @param alg - {String} a JWT algorithm
 *  @param issuer - {String} a Decentralized Identifier (DID) to lookup
 *  @param proofPurpose - {ProofPurposeTypes} *Optional* Use the verificationMethod linked in that section of the
 *   issuer DID document
 *  @return {Promise<DIDAuthenticator>} a promise which resolves with an object containing an array of authenticators
 *   or rejects with an error if none exist
 */
export declare function resolveAuthenticator(resolver: Resolvable, alg: string, issuer: string, proofPurpose?: ProofPurposeTypes): Promise<DIDAuthenticator>;
//# sourceMappingURL=JWT.d.ts.map