/**
 * @license
 * Copyright 2020 Google LLC
 * SPDX-License-Identifier: Apache-2.0
 */
import { Aead } from '../aead/internal/aead';
import * as KeyManager from './key_manager';
import { KeysetReader } from './keyset_reader';
import { KeysetWriter } from './keyset_writer';
import * as PrimitiveSet from './primitive_set';
import { PbKeyset, PbKeyTemplate } from './proto';
import * as Util from './util';
/**
 * Keyset handle provide abstracted access to Keysets, to limit the exposure of
 * actual protocol buffers that hold sensitive key material.
 *
 * @final
 */
export declare class KeysetHandle {
    private readonly keyset_;
    constructor(keyset: PbKeyset);
    /**
     * Returns a primitive that uses key material from this keyset handle. If
     * opt_customKeyManager is defined then the provided key manager is used to
     * instantiate primitives. Otherwise key manager from Registry is used.
     */
    getPrimitive<P>(primitiveType: Util.Constructor<P>, opt_customKeyManager?: KeyManager.KeyManager<P> | null): Promise<P>;
    /**
     * Creates a set of primitives corresponding to the keys with status Enabled
     * in the given keysetHandle, assuming all the correspoding key managers are
     * present (keys with status different from Enabled are skipped). If provided
     * uses customKeyManager instead of registered key managers for keys supported
     * by the customKeyManager.
     *
     * Visible for testing.
     */
    getPrimitiveSet<P>(primitiveType: Util.Constructor<P>, opt_customKeyManager?: KeyManager.KeyManager<P> | null): Promise<PrimitiveSet.PrimitiveSet<P>>;
    /**
     * Encrypts the underlying keyset with the provided masterKeyAead wnd writes
     * the resulting encryptedKeyset to the given writer which must be non-null.
     *
     *
     */
    write(writer: KeysetWriter, masterKeyAead: Aead): Promise<void>;
    /**
     * Writes this keyset using `writer` if and only if the keyset doesn't contain
     * any secret key material.
     *
     * This can be used to persist public keysets or envelope encryption keysets.
     * Use `CleartextKeysetHandle` to persist keysets containing secret key
     * material.
     */
    writeNoSecret(writer: KeysetWriter): Uint8Array;
    /**
     * Returns the keyset held by this KeysetHandle.
     *
     */
    getKeyset(): PbKeyset;
    /**
     * If the managed keyset contains private keys, returns a `KeysetHandle` of
     * the public keys.
     */
    getPublicKeysetHandle(): KeysetHandle;
}
/**
 * Creates a KeysetHandle from an encrypted keyset obtained via reader, using
 * masterKeyAead to decrypt the keyset.
 *
 *
 */
export declare function read(reader: KeysetReader, masterKeyAead: Aead): Promise<KeysetHandle>;
/**
 * Returns a new KeysetHandle that contains a single new key generated
 * according to keyTemplate.
 *
 *
 */
export declare function generateNew(keyTemplate: PbKeyTemplate): Promise<KeysetHandle>;
/**
 * Creates a KeysetHandle from a keyset, obtained via reader, which
 * must contain no secret key material.
 *
 * This can be used to load public keysets or envelope encryption keysets.
 * Users that need to load cleartext keysets can use CleartextKeysetHandle.
 *
 */
export declare function readNoSecret(reader: KeysetReader): KeysetHandle;