@opentdf/sdk
    Preparing search index...

    Type Alias CryptoService

    type CryptoService = {
        decrypt: (
            payload: Binary,
            key: SymmetricKey,
            iv: Binary,
            algorithm?: AlgorithmUrn,
            authTag?: Binary,
        ) => Promise<DecryptResult>;
        decryptWithPrivateKey: (
            encryptedPayload: Binary,
            privateKey: PrivateKey,
        ) => Promise<Binary>;
        deriveKeyFromECDH: (
            privateKey: PrivateKey,
            publicKey: PublicKey,
            hkdfParams: HkdfParams,
        ) => Promise<SymmetricKey>;
        digest: (algorithm: HashAlgorithm, data: Uint8Array) => Promise<Uint8Array>;
        encrypt: (
            payload: Binary | SymmetricKey,
            key: SymmetricKey,
            iv: Binary,
            algorithm?: AlgorithmUrn,
        ) => Promise<EncryptResult>;
        encryptWithPublicKey: (
            payload: Binary | SymmetricKey,
            publicKey: PublicKey,
        ) => Promise<Binary>;
        exportPrivateKeyPem?: (key: PrivateKey) => Promise<string>;
        exportPublicKeyJwk: (key: PublicKey) => Promise<JsonWebKey>;
        exportPublicKeyPem: (key: PublicKey) => Promise<string>;
        extractPublicKeyPem: (
            certOrPem: string,
            jwaAlgorithm?: string,
        ) => Promise<string>;
        generateECKeyPair: (curve?: ECCurve) => Promise<KeyPair>;
        generateKey: (length?: number) => Promise<SymmetricKey>;
        generateKeyPair: (size?: number) => Promise<KeyPair>;
        generateSigningKeyPair: () => Promise<KeyPair>;
        hmac: (data: Uint8Array, key: SymmetricKey) => Promise<Uint8Array>;
        importPrivateKey?: (
            pem: string,
            options: KeyOptions,
        ) => Promise<PrivateKey>;
        importPublicKey: (pem: string, options: KeyOptions) => Promise<PublicKey>;
        importSymmetricKey: (keyBytes: Uint8Array) => Promise<SymmetricKey>;
        jwkToPublicKeyPem: (jwk: JsonWebKey) => Promise<string>;
        mergeSymmetricKeys: (shares: SymmetricKey[]) => Promise<SymmetricKey>;
        method: AlgorithmUrn;
        name: string;
        parsePublicKeyPem: (pem: string) => Promise<PublicKeyInfo>;
        randomBytes: (byteLength: number) => Promise<Uint8Array>;
        sign: (
            data: Uint8Array,
            privateKey: PrivateKey,
            algorithm: AsymmetricSigningAlgorithm,
        ) => Promise<Uint8Array>;
        splitSymmetricKey: (
            key: SymmetricKey,
            numShares: number,
        ) => Promise<SymmetricKey[]>;
        verify: (
            data: Uint8Array,
            signature: Uint8Array,
            publicKey: PublicKey,
            algorithm: AsymmetricSigningAlgorithm,
        ) => Promise<boolean>;
        verifyHmac: (
            data: Uint8Array,
            signature: Uint8Array,
            key: SymmetricKey,
        ) => Promise<boolean>;
    }
    Index

    Properties

    decrypt decryptWithPrivateKey deriveKeyFromECDH digest encrypt encryptWithPublicKey exportPrivateKeyPem? exportPublicKeyJwk exportPublicKeyPem extractPublicKeyPem generateECKeyPair generateKey generateKeyPair generateSigningKeyPair hmac importPrivateKey? importPublicKey importSymmetricKey jwkToPublicKeyPem mergeSymmetricKeys method name parsePublicKeyPem randomBytes sign splitSymmetricKey verify verifyHmac

    Properties

    decrypt: (
        payload: Binary,
        key: SymmetricKey,
        iv: Binary,
        algorithm?: AlgorithmUrn,
        authTag?: Binary,
    ) => Promise<DecryptResult>

    Try to decrypt content with the default or handed algorithm. Throws on most failure, if auth tagging is implemented for example.

    decryptWithPrivateKey: (
        encryptedPayload: Binary,
        privateKey: PrivateKey,
    ) => Promise<Binary>
    deriveKeyFromECDH: (
        privateKey: PrivateKey,
        publicKey: PublicKey,
        hkdfParams: HkdfParams,
    ) => Promise<SymmetricKey>

    Perform ECDH key agreement followed by HKDF key derivation. Returns opaque symmetric key suitable for symmetric encryption.

    Type Declaration

      • (
            privateKey: PrivateKey,
            publicKey: PublicKey,
            hkdfParams: HkdfParams,
        ): Promise<SymmetricKey>

      • Parameters

        • privateKey: PrivateKey

          Opaque EC private key

        • publicKey: PublicKey

          Opaque EC public key of other party

        • hkdfParams: HkdfParams

          Parameters for HKDF derivation

        Returns Promise<SymmetricKey>

        Opaque symmetric key

    ConfigurationError if EC operations not supported

    digest: (algorithm: HashAlgorithm, data: Uint8Array) => Promise<Uint8Array>

    Compute hash digest.

    Type Declaration

      • (algorithm: HashAlgorithm, data: Uint8Array): Promise<Uint8Array>

      • Parameters

        • algorithm: HashAlgorithm

          Hash algorithm to use (SHA-256, SHA-384, SHA-512)

        • data: Uint8Array

          Data to hash

        Returns Promise<Uint8Array>

    encrypt: (
        payload: Binary | SymmetricKey,
        key: SymmetricKey,
        iv: Binary,
        algorithm?: AlgorithmUrn,
    ) => Promise<EncryptResult>

    Encrypt content with the default or handed algorithm. Accepts Binary or SymmetricKey as payload (for key wrapping with symmetric keys).

    encryptWithPublicKey: (
        payload: Binary | SymmetricKey,
        publicKey: PublicKey,
    ) => Promise<Binary>

    Encrypt with asymmetric public key (RSA-OAEP). Accepts Binary or SymmetricKey for key wrapping.

    exportPrivateKeyPem?: (key: PrivateKey) => Promise<string>

    OPTIONAL -- ONLY USE FOR TESTING/DEVELOPMENT. Private keys should NOT be exportable in secure environments. Export an opaque private key to PEM format.

    Type Declaration

      • (key: PrivateKey): Promise<string>

      • Parameters

        • key: PrivateKey

          Opaque private key

        Returns Promise<string>

        PEM-encoded private key (PKCS8 format)

    exportPublicKeyJwk: (key: PublicKey) => Promise<JsonWebKey>

    Export an opaque public key to JWK format.

    Type Declaration

      • (key: PublicKey): Promise<JsonWebKey>

      • Parameters

        • key: PublicKey

          Opaque public key

        Returns Promise<JsonWebKey>

        JWK representation

    exportPublicKeyPem: (key: PublicKey) => Promise<string>

    Export an opaque public key to PEM format.

    Type Declaration

      • (key: PublicKey): Promise<string>

      • Parameters

        • key: PublicKey

          Opaque public key

        Returns Promise<string>

        PEM-encoded public key (SPKI format)

    extractPublicKeyPem: (
        certOrPem: string,
        jwaAlgorithm?: string,
    ) => Promise<string>

    Extract PEM public key from X.509 certificate or return PEM key as-is.

    Used to normalize KAS public keys which may be provided as either:

    • X.509 certificates (-----BEGIN CERTIFICATE-----)
    • Raw PEM public keys (-----BEGIN PUBLIC KEY-----)

    For certificates, jwaAlgorithm must be provided to correctly parse the key (e.g., 'RS256', 'RS512', 'ES256', 'ES384', 'ES512'). For raw PEM keys, the algorithm parameter is ignored.

    Type Declaration

      • (certOrPem: string, jwaAlgorithm?: string): Promise<string>

      • Parameters

        • certOrPem: string

          PEM-encoded public key or X.509 certificate

        • OptionaljwaAlgorithm: string

          JWA algorithm for certificate parsing (required for certificates)

        Returns Promise<string>

        PEM-encoded public key (SPKI format)

    Error if input is not valid PEM or certificate

    generateECKeyPair: (curve?: ECCurve) => Promise<KeyPair>

    Generate an EC key pair for ECDH key agreement.

    Type Declaration

      • (curve?: ECCurve): Promise<KeyPair>

      • Parameters

        • Optionalcurve: ECCurve

          Elliptic curve to use (defaults to P-256)

        Returns Promise<KeyPair>

    ConfigurationError if EC operations not supported

    generateKey: (length?: number) => Promise<SymmetricKey>

    Generate symmetric AES key (opaque, never hex string).

    generateKeyPair: (size?: number) => Promise<KeyPair>

    Generate an RSA key pair for encryption/decryption.

    Type Declaration

      • (size?: number): Promise<KeyPair>

      • Parameters

        • Optionalsize: number

          in bits, defaults to a reasonable size for the default method

        Returns Promise<KeyPair>

        Opaque key pair

    generateSigningKeyPair: () => Promise<KeyPair>

    Generate an RSA key pair for signing/verification.

    Type Declaration

      • (): Promise<KeyPair>

      • Returns Promise<KeyPair>

        Opaque key pair

    hmac: (data: Uint8Array, key: SymmetricKey) => Promise<Uint8Array>

    Compute HMAC-SHA256 of data with a symmetric key.

    Type Declaration

      • (data: Uint8Array, key: SymmetricKey): Promise<Uint8Array>

      • Parameters

        • data: Uint8Array

          Data to authenticate

        • key: SymmetricKey

          Opaque symmetric key

        Returns Promise<Uint8Array>

        Raw HMAC bytes

    importPrivateKey?: (pem: string, options: KeyOptions) => Promise<PrivateKey>

    Import a PEM private key as an opaque key. Optional - intended for use in tests or by downstream integrators who need to bring their own PEM key material. Main SDK code should use opaque PrivateKey objects directly.

    Type Declaration

      • (pem: string, options: KeyOptions): Promise<PrivateKey>

      • Parameters

        • pem: string

          PEM-encoded private key

        • options: KeyOptions

          Import options (usage required for RSA keys to disambiguate encrypt vs sign)

        Returns Promise<PrivateKey>

        Opaque private key with metadata

    importPublicKey: (pem: string, options: KeyOptions) => Promise<PublicKey>

    Import a PEM public key as an opaque key.

    Type Declaration

      • (pem: string, options: KeyOptions): Promise<PublicKey>

      • Parameters

        • pem: string

          PEM-encoded public key

        • options: KeyOptions

          Import options (usage required for RSA keys to disambiguate encrypt vs sign)

        Returns Promise<PublicKey>

        Opaque public key with metadata

    importSymmetricKey: (keyBytes: Uint8Array) => Promise<SymmetricKey>

    Import raw key bytes as an opaque symmetric key. Used for external keys (e.g., unwrapped from KAS).

    Type Declaration

      • (keyBytes: Uint8Array): Promise<SymmetricKey>

      • Parameters

        • keyBytes: Uint8Array

          Raw key bytes

        Returns Promise<SymmetricKey>

        Opaque symmetric key

    jwkToPublicKeyPem: (jwk: JsonWebKey) => Promise<string>

    Convert a JWK (JSON Web Key) public key to PEM format. Supports both RSA and EC keys.

    Type Declaration

      • (jwk: JsonWebKey): Promise<string>

      • Parameters

        • jwk: JsonWebKey

          JSON Web Key object

        Returns Promise<string>

        PEM-encoded public key

    ConfigurationError if JWK format invalid

    mergeSymmetricKeys: (shares: SymmetricKey[]) => Promise<SymmetricKey>

    Merge symmetric key shares back into the original key using XOR.

    Type Declaration

      • (shares: SymmetricKey[]): Promise<SymmetricKey>

      • Parameters

        • shares: SymmetricKey[]

          Array of key shares (from splitSymmetricKey)

        Returns Promise<SymmetricKey>

        Merged symmetric key

    ConfigurationError if not supported by the implementation

    method: AlgorithmUrn

    Default algorithm identifier.

    name: string

    Track which crypto implementation we are using

    parsePublicKeyPem: (pem: string) => Promise<PublicKeyInfo>

    Parse and validate a PEM public key, returning algorithm info.

    Type Declaration

      • (pem: string): Promise<PublicKeyInfo>

      • Parameters

        • pem: string

          PEM-encoded public key or X.509 certificate

        Returns Promise<PublicKeyInfo>

        Validated PEM and detected algorithm

    ConfigurationError if key format invalid or algorithm not supported

    randomBytes: (byteLength: number) => Promise<Uint8Array>
    sign: (
        data: Uint8Array,
        privateKey: PrivateKey,
        algorithm: AsymmetricSigningAlgorithm,
    ) => Promise<Uint8Array>

    Sign data with an asymmetric private key.

    Type Declaration

      • (
            data: Uint8Array,
            privateKey: PrivateKey,
            algorithm: AsymmetricSigningAlgorithm,
        ): Promise<Uint8Array>

      • Parameters

        • data: Uint8Array

          Data to sign

        • privateKey: PrivateKey

          Opaque private key

        • algorithm: AsymmetricSigningAlgorithm

          Signing algorithm (RS256, ES256, ES384, ES512)

        Returns Promise<Uint8Array>

    splitSymmetricKey: (
        key: SymmetricKey,
        numShares: number,
    ) => Promise<SymmetricKey[]>

    Split a symmetric key into N shares using XOR secret sharing.

    DefaultCryptoService: Uses keySplit() utility (extracts bytes internally) HSM implementations: Must use native splitting OR throw ConfigurationError

    Type Declaration

      • (key: SymmetricKey, numShares: number): Promise<SymmetricKey[]>

      • Parameters

        • key: SymmetricKey

          Symmetric key to split

        • numShares: number

          Number of shares to create

        Returns Promise<SymmetricKey[]>

        Array of opaque key shares

    ConfigurationError if not supported by the implementation

    Note: Multi-KAS may not be available in all secure environments (single KAS only)

    verify: (
        data: Uint8Array,
        signature: Uint8Array,
        publicKey: PublicKey,
        algorithm: AsymmetricSigningAlgorithm,
    ) => Promise<boolean>

    Verify signature with an asymmetric public key.

    Type Declaration

      • (
            data: Uint8Array,
            signature: Uint8Array,
            publicKey: PublicKey,
            algorithm: AsymmetricSigningAlgorithm,
        ): Promise<boolean>

      • Parameters

        • data: Uint8Array

          Original data that was signed

        • signature: Uint8Array

          Signature to verify

        • publicKey: PublicKey

          Opaque public key

        • algorithm: AsymmetricSigningAlgorithm

          Must match algorithm used for signing

        Returns Promise<boolean>

    verifyHmac: (
        data: Uint8Array,
        signature: Uint8Array,
        key: SymmetricKey,
    ) => Promise<boolean>

    Verify HMAC-SHA256.

    Type Declaration

      • (data: Uint8Array, signature: Uint8Array, key: SymmetricKey): Promise<boolean>

      • Parameters

        • data: Uint8Array

          Original data that was authenticated

        • signature: Uint8Array

          HMAC to verify

        • key: SymmetricKey

          Opaque symmetric key

        Returns Promise<boolean>

    Settings

    Member Visibility

    On This Page

    Properties