stdlib/openssl/0/openssl.rbs

# <!-- rdoc-file=ext/openssl/ossl.c -->
# OpenSSL provides SSL, TLS and general purpose cryptography.  It wraps the
# [OpenSSL](https://www.openssl.org/) library.
#
# # Examples
#
# All examples assume you have loaded OpenSSL with:
#
#     require 'openssl'
#
# These examples build atop each other.  For example the key created in the next
# is used in throughout these examples.
#
# ## Keys
#
# ### Creating a Key
#
# This example creates a 2048 bit RSA keypair and writes it to the current
# directory.
#
#     key = OpenSSL::PKey::RSA.new 2048
#
#     File.write 'private_key.pem', key.private_to_pem
#     File.write 'public_key.pem', key.public_to_pem
#
# ### Exporting a Key
#
# Keys saved to disk without encryption are not secure as anyone who gets ahold
# of the key may use it unless it is encrypted.  In order to securely export a
# key you may export it with a password.
#
#     cipher = OpenSSL::Cipher.new 'aes-256-cbc'
#     password = 'my secure password goes here'
#
#     key_secure = key.private_to_pem cipher, password
#
#     File.write 'private.secure.pem', key_secure
#
# OpenSSL::Cipher.ciphers returns a list of available ciphers.
#
# ### Loading a Key
#
# A key can also be loaded from a file.
#
#     key2 = OpenSSL::PKey.read File.read 'private_key.pem'
#     key2.public? # => true
#     key2.private? # => true
#
# or
#
#     key3 = OpenSSL::PKey.read File.read 'public_key.pem'
#     key3.public? # => true
#     key3.private? # => false
#
# ### Loading an Encrypted Key
#
# OpenSSL will prompt you for your password when loading an encrypted key. If
# you will not be able to type in the password you may provide it when loading
# the key:
#
#     key4_pem = File.read 'private.secure.pem'
#     password = 'my secure password goes here'
#     key4 = OpenSSL::PKey.read key4_pem, password
#
# ## RSA Encryption
#
# RSA provides encryption and decryption using the public and private keys. You
# can use a variety of padding methods depending upon the intended use of
# encrypted data.
#
# ### Encryption & Decryption
#
# Asymmetric public/private key encryption is slow and victim to attack in cases
# where it is used without padding or directly to encrypt larger chunks of data.
# Typical use cases for RSA encryption involve "wrapping" a symmetric key with
# the public key of the recipient who would "unwrap" that symmetric key again
# using their private key. The following illustrates a simplified example of
# such a key transport scheme. It shouldn't be used in practice, though,
# standardized protocols should always be preferred.
#
#     wrapped_key = key.public_encrypt key
#
# A symmetric key encrypted with the public key can only be decrypted with the
# corresponding private key of the recipient.
#
#     original_key = key.private_decrypt wrapped_key
#
# By default PKCS#1 padding will be used, but it is also possible to use other
# forms of padding, see PKey::RSA for further details.
#
# ### Signatures
#
# Using "private_encrypt" to encrypt some data with the private key is
# equivalent to applying a digital signature to the data. A verifying party may
# validate the signature by comparing the result of decrypting the signature
# with "public_decrypt" to the original data. However, OpenSSL::PKey already has
# methods "sign" and "verify" that handle digital signatures in a standardized
# way - "private_encrypt" and "public_decrypt" shouldn't be used in practice.
#
# To sign a document, a cryptographically secure hash of the document is
# computed first, which is then signed using the private key.
#
#     signature = key.sign 'SHA256', document
#
# To validate the signature, again a hash of the document is computed and the
# signature is decrypted using the public key. The result is then compared to
# the hash just computed, if they are equal the signature was valid.
#
#     if key.verify 'SHA256', signature, document
#       puts 'Valid'
#     else
#       puts 'Invalid'
#     end
#
# ## PBKDF2 Password-based Encryption
#
# If supported by the underlying OpenSSL version used, Password-based Encryption
# should use the features of PKCS5. If not supported or if required by legacy
# applications, the older, less secure methods specified in RFC 2898 are also
# supported (see below).
#
# PKCS5 supports PBKDF2 as it was specified in PKCS#5
# [v2.0](http://www.rsa.com/rsalabs/node.asp?id=2127). It still uses a password,
# a salt, and additionally a number of iterations that will slow the key
# derivation process down. The slower this is, the more work it requires being
# able to brute-force the resulting key.
#
# ### Encryption
#
# The strategy is to first instantiate a Cipher for encryption, and then to
# generate a random IV plus a key derived from the password using PBKDF2. PKCS
# #5 v2.0 recommends at least 8 bytes for the salt, the number of iterations
# largely depends on the hardware being used.
#
#     cipher = OpenSSL::Cipher.new 'aes-256-cbc'
#     cipher.encrypt
#     iv = cipher.random_iv
#
#     pwd = 'some hopefully not to easily guessable password'
#     salt = OpenSSL::Random.random_bytes 16
#     iter = 20000
#     key_len = cipher.key_len
#     digest = OpenSSL::Digest.new('SHA256')
#
#     key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
#     cipher.key = key
#
#     Now encrypt the data:
#
#     encrypted = cipher.update document
#     encrypted << cipher.final
#
# ### Decryption
#
# Use the same steps as before to derive the symmetric AES key, this time
# setting the Cipher up for decryption.
#
#     cipher = OpenSSL::Cipher.new 'aes-256-cbc'
#     cipher.decrypt
#     cipher.iv = iv # the one generated with #random_iv
#
#     pwd = 'some hopefully not to easily guessable password'
#     salt = ... # the one generated above
#     iter = 20000
#     key_len = cipher.key_len
#     digest = OpenSSL::Digest.new('SHA256')
#
#     key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
#     cipher.key = key
#
#     Now decrypt the data:
#
#     decrypted = cipher.update encrypted
#     decrypted << cipher.final
#
# ## X509 Certificates
#
# ### Creating a Certificate
#
# This example creates a self-signed certificate using an RSA key and a SHA1
# signature.
#
#     key = OpenSSL::PKey::RSA.new 2048
#     name = OpenSSL::X509::Name.parse '/CN=nobody/DC=example'
#
#     cert = OpenSSL::X509::Certificate.new
#     cert.version = 2
#     cert.serial = 0
#     cert.not_before = Time.now
#     cert.not_after = Time.now + 3600
#
#     cert.public_key = key.public_key
#     cert.subject = name
#
# ### Certificate Extensions
#
# You can add extensions to the certificate with OpenSSL::SSL::ExtensionFactory
# to indicate the purpose of the certificate.
#
#     extension_factory = OpenSSL::X509::ExtensionFactory.new nil, cert
#
#     cert.add_extension \
#       extension_factory.create_extension('basicConstraints', 'CA:FALSE', true)
#
#     cert.add_extension \
#       extension_factory.create_extension(
#         'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
#
#     cert.add_extension \
#       extension_factory.create_extension('subjectKeyIdentifier', 'hash')
#
# The list of supported extensions (and in some cases their possible values) can
# be derived from the "objects.h" file in the OpenSSL source code.
#
# ### Signing a Certificate
#
# To sign a certificate set the issuer and use OpenSSL::X509::Certificate#sign
# with a digest algorithm.  This creates a self-signed cert because we're using
# the same name and key to sign the certificate as was used to create the
# certificate.
#
#     cert.issuer = name
#     cert.sign key, OpenSSL::Digest.new('SHA1')
#
#     open 'certificate.pem', 'w' do |io| io.write cert.to_pem end
#
# ### Loading a Certificate
#
# Like a key, a cert can also be loaded from a file.
#
#     cert2 = OpenSSL::X509::Certificate.new File.read 'certificate.pem'
#
# ### Verifying a Certificate
#
# Certificate#verify will return true when a certificate was signed with the
# given public key.
#
#     raise 'certificate can not be verified' unless cert2.verify key
#
# ## Certificate Authority
#
# A certificate authority (CA) is a trusted third party that allows you to
# verify the ownership of unknown certificates.  The CA issues key signatures
# that indicate it trusts the user of that key.  A user encountering the key can
# verify the signature by using the CA's public key.
#
# ### CA Key
#
# CA keys are valuable, so we encrypt and save it to disk and make sure it is
# not readable by other users.
#
#     ca_key = OpenSSL::PKey::RSA.new 2048
#     password = 'my secure password goes here'
#
#     cipher = 'aes-256-cbc'
#
#     open 'ca_key.pem', 'w', 0400 do |io|
#       io.write ca_key.private_to_pem(cipher, password)
#     end
#
# ### CA Certificate
#
# A CA certificate is created the same way we created a certificate above, but
# with different extensions.
#
#     ca_name = OpenSSL::X509::Name.parse '/CN=ca/DC=example'
#
#     ca_cert = OpenSSL::X509::Certificate.new
#     ca_cert.serial = 0
#     ca_cert.version = 2
#     ca_cert.not_before = Time.now
#     ca_cert.not_after = Time.now + 86400
#
#     ca_cert.public_key = ca_key.public_key
#     ca_cert.subject = ca_name
#     ca_cert.issuer = ca_name
#
#     extension_factory = OpenSSL::X509::ExtensionFactory.new
#     extension_factory.subject_certificate = ca_cert
#     extension_factory.issuer_certificate = ca_cert
#
#     ca_cert.add_extension \
#       extension_factory.create_extension('subjectKeyIdentifier', 'hash')
#
# This extension indicates the CA's key may be used as a CA.
#
#     ca_cert.add_extension \
#       extension_factory.create_extension('basicConstraints', 'CA:TRUE', true)
#
# This extension indicates the CA's key may be used to verify signatures on both
# certificates and certificate revocations.
#
#     ca_cert.add_extension \
#       extension_factory.create_extension(
#         'keyUsage', 'cRLSign,keyCertSign', true)
#
# Root CA certificates are self-signed.
#
#     ca_cert.sign ca_key, OpenSSL::Digest.new('SHA1')
#
# The CA certificate is saved to disk so it may be distributed to all the users
# of the keys this CA will sign.
#
#     open 'ca_cert.pem', 'w' do |io|
#       io.write ca_cert.to_pem
#     end
#
# ### Certificate Signing Request
#
# The CA signs keys through a Certificate Signing Request (CSR).  The CSR
# contains the information necessary to identify the key.
#
#     csr = OpenSSL::X509::Request.new
#     csr.version = 0
#     csr.subject = name
#     csr.public_key = key.public_key
#     csr.sign key, OpenSSL::Digest.new('SHA1')
#
# A CSR is saved to disk and sent to the CA for signing.
#
#     open 'csr.pem', 'w' do |io|
#       io.write csr.to_pem
#     end
#
# ### Creating a Certificate from a CSR
#
# Upon receiving a CSR the CA will verify it before signing it.  A minimal
# verification would be to check the CSR's signature.
#
#     csr = OpenSSL::X509::Request.new File.read 'csr.pem'
#
#     raise 'CSR can not be verified' unless csr.verify csr.public_key
#
# After verification a certificate is created, marked for various usages, signed
# with the CA key and returned to the requester.
#
#     csr_cert = OpenSSL::X509::Certificate.new
#     csr_cert.serial = 0
#     csr_cert.version = 2
#     csr_cert.not_before = Time.now
#     csr_cert.not_after = Time.now + 600
#
#     csr_cert.subject = csr.subject
#     csr_cert.public_key = csr.public_key
#     csr_cert.issuer = ca_cert.subject
#
#     extension_factory = OpenSSL::X509::ExtensionFactory.new
#     extension_factory.subject_certificate = csr_cert
#     extension_factory.issuer_certificate = ca_cert
#
#     csr_cert.add_extension \
#       extension_factory.create_extension('basicConstraints', 'CA:FALSE')
#
#     csr_cert.add_extension \
#       extension_factory.create_extension(
#         'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
#
#     csr_cert.add_extension \
#       extension_factory.create_extension('subjectKeyIdentifier', 'hash')
#
#     csr_cert.sign ca_key, OpenSSL::Digest.new('SHA1')
#
#     open 'csr_cert.pem', 'w' do |io|
#       io.write csr_cert.to_pem
#     end
#
# ## SSL and TLS Connections
#
# Using our created key and certificate we can create an SSL or TLS connection.
# An SSLContext is used to set up an SSL session.
#
#     context = OpenSSL::SSL::SSLContext.new
#
# ### SSL Server
#
# An SSL server requires the certificate and private key to communicate securely
# with its clients:
#
#     context.cert = cert
#     context.key = key
#
# Then create an SSLServer with a TCP server socket and the context.  Use the
# SSLServer like an ordinary TCP server.
#
#     require 'socket'
#
#     tcp_server = TCPServer.new 5000
#     ssl_server = OpenSSL::SSL::SSLServer.new tcp_server, context
#
#     loop do
#       ssl_connection = ssl_server.accept
#
#       data = ssl_connection.gets
#
#       response = "I got #{data.dump}"
#       puts response
#
#       ssl_connection.puts "I got #{data.dump}"
#       ssl_connection.close
#     end
#
# ### SSL client
#
# An SSL client is created with a TCP socket and the context. SSLSocket#connect
# must be called to initiate the SSL handshake and start encryption.  A key and
# certificate are not required for the client socket.
#
# Note that SSLSocket#close doesn't close the underlying socket by default. Set
# SSLSocket#sync_close to true if you want.
#
#     require 'socket'
#
#     tcp_socket = TCPSocket.new 'localhost', 5000
#     ssl_client = OpenSSL::SSL::SSLSocket.new tcp_socket, context
#     ssl_client.sync_close = true
#     ssl_client.connect
#
#     ssl_client.puts "hello server!"
#     puts ssl_client.gets
#
#     ssl_client.close # shutdown the TLS connection and close tcp_socket
#
# ### Peer Verification
#
# An unverified SSL connection does not provide much security.  For enhanced
# security the client or server can verify the certificate of its peer.
#
# The client can be modified to verify the server's certificate against the
# certificate authority's certificate:
#
#     context.ca_file = 'ca_cert.pem'
#     context.verify_mode = OpenSSL::SSL::VERIFY_PEER
#
#     require 'socket'
#
#     tcp_socket = TCPSocket.new 'localhost', 5000
#     ssl_client = OpenSSL::SSL::SSLSocket.new tcp_socket, context
#     ssl_client.connect
#
#     ssl_client.puts "hello server!"
#     puts ssl_client.gets
#
# If the server certificate is invalid or `context.ca_file` is not set when
# verifying peers an OpenSSL::SSL::SSLError will be raised.
#
module OpenSSL
  # <!--
  #   rdoc-file=ext/openssl/lib/openssl/digest.rb
  #   - Digest(name)
  # -->
  # Returns a Digest subclass by *name*
  #
  #     require 'openssl'
  #
  #     OpenSSL::Digest("MD5")
  #     # => OpenSSL::Digest::MD5
  #
  #     Digest("Foo")
  #     # => NameError: wrong constant name Foo
  #
  def self.Digest: (String name) -> singleton(Digest)

  # <!--
  #   rdoc-file=ext/openssl/ossl.c
  #   - OpenSSL.debug -> true | false
  # -->
  #
  def self.debug: () -> bool

  # <!--
  #   rdoc-file=ext/openssl/ossl.c
  #   - OpenSSL.debug = boolean -> boolean
  # -->
  # Turns on or off debug mode. With debug mode, all errors added to the OpenSSL
  # error queue will be printed to stderr.
  #
  def self.debug=: [U] (boolish) -> U

  # <!--
  #   rdoc-file=ext/openssl/ossl.c
  #   - OpenSSL.errors -> [String...]
  # -->
  # See any remaining errors held in queue.
  #
  # Any errors you see here are probably due to a bug in Ruby's OpenSSL
  # implementation.
  #
  def self.errors: () -> Array[String]

  # <!--
  #   rdoc-file=ext/openssl/ossl.c
  #   - OpenSSL.fips_mode -> true | false
  # -->
  #
  def self.fips_mode: () -> bool

  # <!--
  #   rdoc-file=ext/openssl/ossl.c
  #   - OpenSSL.fips_mode = boolean -> boolean
  # -->
  # Turns FIPS mode on or off. Turning on FIPS mode will obviously only have an
  # effect for FIPS-capable installations of the OpenSSL library. Trying to do so
  # otherwise will result in an error.
  #
  # ### Examples
  #     OpenSSL.fips_mode = true   # turn FIPS mode on
  #     OpenSSL.fips_mode = false  # and off again
  #
  def self.fips_mode=: [U] (boolish) -> U

  # <!--
  #   rdoc-file=ext/openssl/ossl.c
  #   - OpenSSL.fixed_length_secure_compare(string, string) -> boolean
  # -->
  # Constant time memory comparison for fixed length strings, such as results of
  # HMAC calculations.
  #
  # Returns `true` if the strings are identical, `false` if they are of the same
  # length but not identical. If the length is different, `ArgumentError` is
  # raised.
  #
  def self.fixed_length_secure_compare: (String, String) -> bool

  # <!--
  #   rdoc-file=ext/openssl/lib/openssl.rb
  #   - OpenSSL.secure_compare(string, string) -> boolean
  # -->
  # Constant time memory comparison. Inputs are hashed using SHA-256 to mask the
  # length of the secret. Returns `true` if the strings are identical, `false`
  # otherwise.
  #
  def self.secure_compare: (String a, String b) -> bool

  # <!-- rdoc-file=ext/openssl/ossl.c -->
  # Boolean indicating whether OpenSSL is FIPS-capable or not
  #
  OPENSSL_FIPS: bool

  OPENSSL_LIBRARY_VERSION: String

  # <!-- rdoc-file=ext/openssl/ossl.c -->
  # Version of OpenSSL the ruby OpenSSL extension was built with
  #
  OPENSSL_VERSION: String

  # <!-- rdoc-file=ext/openssl/ossl.c -->
  # Version number of OpenSSL the ruby OpenSSL extension was built with (base 16).
  # The formats are below.
  #
  # OpenSSL 3
  # :   `0xMNN00PP0 (major minor 00 patch 0)`
  # OpenSSL before 3
  # :   `0xMNNFFPPS (major minor fix patch status)`
  # LibreSSL
  # :   `0x20000000 (fixed value)`
  #
  #
  # See also the man page OPENSSL_VERSION_NUMBER(3).
  #
  OPENSSL_VERSION_NUMBER: Integer

  VERSION: String

  # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
  # Abstract Syntax Notation One (or ASN.1) is a notation syntax to describe data
  # structures and is defined in ITU-T X.680. ASN.1 itself does not mandate any
  # encoding or parsing rules, but usually ASN.1 data structures are encoded using
  # the Distinguished Encoding Rules (DER) or less often the Basic Encoding Rules
  # (BER) described in ITU-T X.690. DER and BER encodings are binary
  # Tag-Length-Value (TLV) encodings that are quite concise compared to other
  # popular data description formats such as XML, JSON etc. ASN.1 data structures
  # are very common in cryptographic applications, e.g. X.509 public key
  # certificates or certificate revocation lists (CRLs) are all defined in ASN.1
  # and DER-encoded. ASN.1, DER and BER are the building blocks of applied
  # cryptography. The ASN1 module provides the necessary classes that allow
  # generation of ASN.1 data structures and the methods to encode them using a DER
  # encoding. The decode method allows parsing arbitrary BER-/DER-encoded data to
  # a Ruby object that can then be modified and re-encoded at will.
  #
  # ## ASN.1 class hierarchy
  #
  # The base class representing ASN.1 structures is ASN1Data. ASN1Data offers
  # attributes to read and set the *tag*, the *tag_class* and finally the *value*
  # of a particular ASN.1 item. Upon parsing, any tagged values (implicit or
  # explicit) will be represented by ASN1Data instances because their "real type"
  # can only be determined using out-of-band information from the ASN.1 type
  # declaration. Since this information is normally known when encoding a type,
  # all sub-classes of ASN1Data offer an additional attribute *tagging* that
  # allows to encode a value implicitly (`:IMPLICIT`) or explicitly (`:EXPLICIT`).
  #
  # ### Constructive
  #
  # Constructive is, as its name implies, the base class for all constructed
  # encodings, i.e. those that consist of several values, opposed to "primitive"
  # encodings with just one single value. The value of an Constructive is always
  # an Array.
  #
  # #### ASN1::Set and ASN1::Sequence
  #
  # The most common constructive encodings are SETs and SEQUENCEs, which is why
  # there are two sub-classes of Constructive representing each of them.
  #
  # ### Primitive
  #
  # This is the super class of all primitive values. Primitive itself is not used
  # when parsing ASN.1 data, all values are either instances of a corresponding
  # sub-class of Primitive or they are instances of ASN1Data if the value was
  # tagged implicitly or explicitly. Please cf. Primitive documentation for
  # details on sub-classes and their respective mappings of ASN.1 data types to
  # Ruby objects.
  #
  # ## Possible values for *tagging*
  #
  # When constructing an ASN1Data object the ASN.1 type definition may require
  # certain elements to be either implicitly or explicitly tagged. This can be
  # achieved by setting the *tagging* attribute manually for sub-classes of
  # ASN1Data. Use the symbol `:IMPLICIT` for implicit tagging and `:EXPLICIT` if
  # the element requires explicit tagging.
  #
  # ## Possible values for *tag_class*
  #
  # It is possible to create arbitrary ASN1Data objects that also support a
  # PRIVATE or APPLICATION tag class. Possible values for the *tag_class*
  # attribute are:
  # *   `:UNIVERSAL` (the default for untagged values)
  # *   `:CONTEXT_SPECIFIC` (the default for tagged values)
  # *   `:APPLICATION`
  # *   `:PRIVATE`
  #
  #
  # ## Tag constants
  #
  # There is a constant defined for each universal tag:
  # *   OpenSSL::ASN1::EOC (0)
  # *   OpenSSL::ASN1::BOOLEAN (1)
  # *   OpenSSL::ASN1::INTEGER (2)
  # *   OpenSSL::ASN1::BIT_STRING (3)
  # *   OpenSSL::ASN1::OCTET_STRING (4)
  # *   OpenSSL::ASN1::NULL (5)
  # *   OpenSSL::ASN1::OBJECT (6)
  # *   OpenSSL::ASN1::ENUMERATED (10)
  # *   OpenSSL::ASN1::UTF8STRING (12)
  # *   OpenSSL::ASN1::SEQUENCE (16)
  # *   OpenSSL::ASN1::SET (17)
  # *   OpenSSL::ASN1::NUMERICSTRING (18)
  # *   OpenSSL::ASN1::PRINTABLESTRING (19)
  # *   OpenSSL::ASN1::T61STRING (20)
  # *   OpenSSL::ASN1::VIDEOTEXSTRING (21)
  # *   OpenSSL::ASN1::IA5STRING (22)
  # *   OpenSSL::ASN1::UTCTIME (23)
  # *   OpenSSL::ASN1::GENERALIZEDTIME (24)
  # *   OpenSSL::ASN1::GRAPHICSTRING (25)
  # *   OpenSSL::ASN1::ISO64STRING (26)
  # *   OpenSSL::ASN1::GENERALSTRING (27)
  # *   OpenSSL::ASN1::UNIVERSALSTRING (28)
  # *   OpenSSL::ASN1::BMPSTRING (30)
  #
  #
  # ## UNIVERSAL_TAG_NAME constant
  #
  # An Array that stores the name of a given tag number. These names are the same
  # as the name of the tag constant that is additionally defined, e.g.
  # `UNIVERSAL_TAG_NAME[2] = "INTEGER"` and `OpenSSL::ASN1::INTEGER = 2`.
  #
  # ## Example usage
  #
  # ### Decoding and viewing a DER-encoded file
  #     require 'openssl'
  #     require 'pp'
  #     der = File.binread('data.der')
  #     asn1 = OpenSSL::ASN1.decode(der)
  #     pp der
  #
  # ### Creating an ASN.1 structure and DER-encoding it
  #     require 'openssl'
  #     version = OpenSSL::ASN1::Integer.new(1)
  #     # Explicitly 0-tagged implies context-specific tag class
  #     serial = OpenSSL::ASN1::Integer.new(12345, 0, :EXPLICIT, :CONTEXT_SPECIFIC)
  #     name = OpenSSL::ASN1::PrintableString.new('Data 1')
  #     sequence = OpenSSL::ASN1::Sequence.new( [ version, serial, name ] )
  #     der = sequence.to_der
  #
  module ASN1
    type tagging = :IMPLICIT | :EXPLICIT

    type tag_class = :UNIVERSAL | :CONTEXT_SPECIFIC | :APPLICATION | :PRIVATE

    def self.BMPString: (String value, ?bn tag, ?tagging tagging) -> BMPString

    def self.BitString: (String value, ?bn tag, ?tagging tagging) -> BitString

    def self.Boolean: (boolish value, ?bn tag, ?tagging tagging) -> Boolean

    def self.EndOfContent: () -> EndOfContent

    def self.Enumerated: (bn value, ?bn tag, ?tagging tagging) -> Enumerated

    def self.GeneralString: (String value, ?bn tag, ?tagging tagging) -> GeneralString

    def self.GeneralizedTime: (::Time value, ?bn tag, ?tagging tagging) -> GeneralizedTime

    def self.GraphicString: (String value, ?bn tag, ?tagging tagging) -> GraphicString

    def self.IA5String: (String value, ?bn tag, ?tagging tagging) -> IA5String

    def self.ISO64String: (String value, ?bn tag, ?tagging tagging) -> ISO64String

    def self.Integer: (bn value, ?bn tag, ?tagging tagging) -> Integer

    def self.Null: (nil) -> Null

    def self.NumericString: (String value, ?bn tag, ?tagging tagging) -> NumericString

    def self.ObjectId: (String value, ?bn tag, ?tagging tagging) -> ObjectId

    def self.OctetString: (String value, ?bn tag, ?tagging tagging) -> OctetString

    def self.PrintableString: (String value, ?bn tag, ?tagging tagging) -> PrintableString

    def self.Sequence: (Array[ASN1Data] value, ?bn tag, ?tagging tagging) -> Sequence

    def self.Set: (Array[ASN1Data] value, ?bn tag, ?tagging tagging) -> Set

    def self.T61String: (String value, ?bn tag, ?tagging tagging) -> T61String

    def self.UTCTime: (::Time value, ?bn tag, ?tagging tagging) -> UTCTime

    def self.UTF8String: (String value, ?bn tag, ?tagging tagging) -> UTF8String

    def self.UniversalString: (String value, ?bn tag, ?tagging tagging) -> UniversalString

    def self.VideotexString: (String value, ?bn tag, ?tagging tagging) -> VideotexString

    # <!--
    #   rdoc-file=ext/openssl/ossl_asn1.c
    #   - OpenSSL::ASN1.decode(der) -> ASN1Data
    # -->
    # Decodes a BER- or DER-encoded value and creates an ASN1Data instance. *der*
    # may be a String or any object that features a `.to_der` method transforming it
    # into a BER-/DER-encoded String+
    #
    # ## Example
    #     der = File.binread('asn1data')
    #     asn1 = OpenSSL::ASN1.decode(der)
    #
    def self.decode: (String | _ToDer der) -> ASN1Data

    # <!--
    #   rdoc-file=ext/openssl/ossl_asn1.c
    #   - OpenSSL::ASN1.decode_all(der) -> Array of ASN1Data
    # -->
    # Similar to #decode with the difference that #decode expects one distinct value
    # represented in *der*. #decode_all on the contrary decodes a sequence of
    # sequential BER/DER values lined up in *der* and returns them as an array.
    #
    # ## Example
    #     ders = File.binread('asn1data_seq')
    #     asn1_ary = OpenSSL::ASN1.decode_all(ders)
    #
    def self.decode_all: (String | _ToDer der) -> Array[ASN1Data]

    # <!--
    #   rdoc-file=ext/openssl/ossl_asn1.c
    #   - OpenSSL::ASN1.traverse(asn1) -> nil
    # -->
    # If a block is given, it prints out each of the elements encountered. Block
    # parameters are (in that order):
    # *   depth: The recursion depth, plus one with each constructed value being
    #     encountered (Integer)
    # *   offset: Current byte offset (Integer)
    # *   header length: Combined length in bytes of the Tag and Length headers.
    #     (Integer)
    # *   length: The overall remaining length of the entire data (Integer)
    # *   constructed: Whether this value is constructed or not (Boolean)
    # *   tag_class: Current tag class (Symbol)
    # *   tag: The current tag number (Integer)
    #
    #
    # ## Example
    #     der = File.binread('asn1data.der')
    #     OpenSSL::ASN1.traverse(der) do | depth, offset, header_len, length, constructed, tag_class, tag|
    #       puts "Depth: #{depth} Offset: #{offset} Length: #{length}"
    #       puts "Header length: #{header_len} Tag: #{tag} Tag class: #{tag_class} Constructed: #{constructed}"
    #     end
    #
    def self.traverse: (String | _ToDer der) { ([::Integer, ::Integer, ::Integer, ::Integer, bool, tag_class, ::Integer]) -> void } -> void

    BIT_STRING: Integer

    BMPSTRING: Integer

    BOOLEAN: Integer

    CHARACTER_STRING: Integer

    EMBEDDED_PDV: Integer

    ENUMERATED: Integer

    EOC: Integer

    EXTERNAL: Integer

    GENERALIZEDTIME: Integer

    GENERALSTRING: Integer

    GRAPHICSTRING: Integer

    IA5STRING: Integer

    INTEGER: Integer

    ISO64STRING: Integer

    NULL: Integer

    NUMERICSTRING: Integer

    OBJECT: Integer

    OBJECT_DESCRIPTOR: Integer

    OCTET_STRING: Integer

    PRINTABLESTRING: Integer

    REAL: Integer

    RELATIVE_OID: Integer

    SEQUENCE: Integer

    SET: Integer

    T61STRING: Integer

    UNIVERSALSTRING: Integer

    # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
    # Array storing tag names at the tag's index.
    #
    UNIVERSAL_TAG_NAME: Array[untyped]

    UTCTIME: Integer

    UTF8STRING: Integer

    VIDEOTEXSTRING: Integer

    interface _ToDer
      def to_der: () -> String
    end

    # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
    # The top-level class representing any ASN.1 object. When parsed by ASN1.decode,
    # tagged values are always represented by an instance of ASN1Data.
    #
    # ## The role of ASN1Data for parsing tagged values
    #
    # When encoding an ASN.1 type it is inherently clear what original type (e.g.
    # INTEGER, OCTET STRING etc.) this value has, regardless of its tagging. But
    # opposed to the time an ASN.1 type is to be encoded, when parsing them it is
    # not possible to deduce the "real type" of tagged values. This is why tagged
    # values are generally parsed into ASN1Data instances, but with a different
    # outcome for implicit and explicit tagging.
    #
    # ### Example of a parsed implicitly tagged value
    #
    # An implicitly 1-tagged INTEGER value will be parsed as an ASN1Data with
    # *   *tag* equal to 1
    # *   *tag_class* equal to `:CONTEXT_SPECIFIC`
    # *   *value* equal to a String that carries the raw encoding of the INTEGER.
    #
    # This implies that a subsequent decoding step is required to completely decode
    # implicitly tagged values.
    #
    # ### Example of a parsed explicitly tagged value
    #
    # An explicitly 1-tagged INTEGER value will be parsed as an ASN1Data with
    # *   *tag* equal to 1
    # *   *tag_class* equal to `:CONTEXT_SPECIFIC`
    # *   *value* equal to an Array with one single element, an instance of
    #     OpenSSL::ASN1::Integer, i.e. the inner element is the non-tagged primitive
    #     value, and the tagging is represented in the outer ASN1Data
    #
    #
    # ## Example - Decoding an implicitly tagged INTEGER
    #     int = OpenSSL::ASN1::Integer.new(1, 0, :IMPLICIT) # implicit 0-tagged
    #     seq = OpenSSL::ASN1::Sequence.new( [int] )
    #     der = seq.to_der
    #     asn1 = OpenSSL::ASN1.decode(der)
    #     # pp asn1 => #<OpenSSL::ASN1::Sequence:0x87326e0
    #     #              @indefinite_length=false,
    #     #              @tag=16,
    #     #              @tag_class=:UNIVERSAL,
    #     #              @tagging=nil,
    #     #              @value=
    #     #                [#<OpenSSL::ASN1::ASN1Data:0x87326f4
    #     #                   @indefinite_length=false,
    #     #                   @tag=0,
    #     #                   @tag_class=:CONTEXT_SPECIFIC,
    #     #                   @value="\x01">]>
    #     raw_int = asn1.value[0]
    #     # manually rewrite tag and tag class to make it an UNIVERSAL value
    #     raw_int.tag = OpenSSL::ASN1::INTEGER
    #     raw_int.tag_class = :UNIVERSAL
    #     int2 = OpenSSL::ASN1.decode(raw_int)
    #     puts int2.value # => 1
    #
    # ## Example - Decoding an explicitly tagged INTEGER
    #     int = OpenSSL::ASN1::Integer.new(1, 0, :EXPLICIT) # explicit 0-tagged
    #     seq = OpenSSL::ASN1::Sequence.new( [int] )
    #     der = seq.to_der
    #     asn1 = OpenSSL::ASN1.decode(der)
    #     # pp asn1 => #<OpenSSL::ASN1::Sequence:0x87326e0
    #     #              @indefinite_length=false,
    #     #              @tag=16,
    #     #              @tag_class=:UNIVERSAL,
    #     #              @tagging=nil,
    #     #              @value=
    #     #                [#<OpenSSL::ASN1::ASN1Data:0x87326f4
    #     #                   @indefinite_length=false,
    #     #                   @tag=0,
    #     #                   @tag_class=:CONTEXT_SPECIFIC,
    #     #                   @value=
    #     #                     [#<OpenSSL::ASN1::Integer:0x85bf308
    #     #                        @indefinite_length=false,
    #     #                        @tag=2,
    #     #                        @tag_class=:UNIVERSAL
    #     #                        @tagging=nil,
    #     #                        @value=1>]>]>
    #     int2 = asn1.value[0].value[0]
    #     puts int2.value # => 1
    #
    class ASN1Data
      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # Never `nil`. A boolean value indicating whether the encoding uses indefinite
      # length (in the case of parsing) or whether an indefinite length form shall be
      # used (in the encoding case). In DER, every value uses definite length form.
      # But in scenarios where large amounts of data need to be transferred it might
      # be desirable to have some kind of streaming support available. For example,
      # huge OCTET STRINGs are preferably sent in smaller-sized chunks, each at a
      # time. This is possible in BER by setting the length bytes of an encoding to
      # zero and by this indicating that the following value will be sent in chunks.
      # Indefinite length encodings are always constructed. The end of such a stream
      # of chunks is indicated by sending a EOC (End of Content) tag. SETs and
      # SEQUENCEs may use an indefinite length encoding, but also primitive types such
      # as e.g. OCTET STRINGS or BIT STRINGS may leverage this functionality (cf.
      # ITU-T X.690).
      #
      def indefinite_length: () -> bool

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # Never `nil`. A boolean value indicating whether the encoding uses indefinite
      # length (in the case of parsing) or whether an indefinite length form shall be
      # used (in the encoding case). In DER, every value uses definite length form.
      # But in scenarios where large amounts of data need to be transferred it might
      # be desirable to have some kind of streaming support available. For example,
      # huge OCTET STRINGs are preferably sent in smaller-sized chunks, each at a
      # time. This is possible in BER by setting the length bytes of an encoding to
      # zero and by this indicating that the following value will be sent in chunks.
      # Indefinite length encodings are always constructed. The end of such a stream
      # of chunks is indicated by sending a EOC (End of Content) tag. SETs and
      # SEQUENCEs may use an indefinite length encoding, but also primitive types such
      # as e.g. OCTET STRINGS or BIT STRINGS may leverage this functionality (cf.
      # ITU-T X.690).
      #
      def indefinite_length=: [U] (boolish) -> U

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # Never `nil`. A boolean value indicating whether the encoding uses indefinite
      # length (in the case of parsing) or whether an indefinite length form shall be
      # used (in the encoding case). In DER, every value uses definite length form.
      # But in scenarios where large amounts of data need to be transferred it might
      # be desirable to have some kind of streaming support available. For example,
      # huge OCTET STRINGs are preferably sent in smaller-sized chunks, each at a
      # time. This is possible in BER by setting the length bytes of an encoding to
      # zero and by this indicating that the following value will be sent in chunks.
      # Indefinite length encodings are always constructed. The end of such a stream
      # of chunks is indicated by sending a EOC (End of Content) tag. SETs and
      # SEQUENCEs may use an indefinite length encoding, but also primitive types such
      # as e.g. OCTET STRINGS or BIT STRINGS may leverage this functionality (cf.
      # ITU-T X.690).
      #
      alias infinite_length indefinite_length

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # Never `nil`. A boolean value indicating whether the encoding uses indefinite
      # length (in the case of parsing) or whether an indefinite length form shall be
      # used (in the encoding case). In DER, every value uses definite length form.
      # But in scenarios where large amounts of data need to be transferred it might
      # be desirable to have some kind of streaming support available. For example,
      # huge OCTET STRINGs are preferably sent in smaller-sized chunks, each at a
      # time. This is possible in BER by setting the length bytes of an encoding to
      # zero and by this indicating that the following value will be sent in chunks.
      # Indefinite length encodings are always constructed. The end of such a stream
      # of chunks is indicated by sending a EOC (End of Content) tag. SETs and
      # SEQUENCEs may use an indefinite length encoding, but also primitive types such
      # as e.g. OCTET STRINGS or BIT STRINGS may leverage this functionality (cf.
      # ITU-T X.690).
      #
      alias infinite_length= indefinite_length=

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # An Integer representing the tag number of this ASN1Data. Never `nil`.
      #
      def tag: () -> bn

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # An Integer representing the tag number of this ASN1Data. Never `nil`.
      #
      def tag=: (::Integer) -> ::Integer
              | (BN) -> BN

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # A Symbol representing the tag class of this ASN1Data. Never `nil`. See
      # ASN1Data for possible values.
      #
      def tag_class: () -> tag_class

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # A Symbol representing the tag class of this ASN1Data. Never `nil`. See
      # ASN1Data for possible values.
      #
      def tag_class=: (tag_class) -> tag_class

      # <!--
      #   rdoc-file=ext/openssl/ossl_asn1.c
      #   - asn1.to_der => DER-encoded String
      # -->
      # Encodes this ASN1Data into a DER-encoded String value. The result is
      # DER-encoded except for the possibility of indefinite length forms. Indefinite
      # length forms are not allowed in strict DER, so strictly speaking the result of
      # such an encoding would be a BER-encoding.
      #
      def to_der: () -> String

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # Carries the value of a ASN.1 type. Please confer Constructive and Primitive
      # for the mappings between ASN.1 data types and Ruby classes.
      #
      def value: () -> untyped

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # Carries the value of a ASN.1 type. Please confer Constructive and Primitive
      # for the mappings between ASN.1 data types and Ruby classes.
      #
      def value=: (untyped) -> untyped

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_asn1.c
      #   - OpenSSL::ASN1::ASN1Data.new(value, tag, tag_class) => ASN1Data
      # -->
      # *value*: Please have a look at Constructive and Primitive to see how Ruby
      # types are mapped to ASN.1 types and vice versa.
      #
      # *tag*: An Integer indicating the tag number.
      #
      # *tag_class*: A Symbol indicating the tag class. Please cf. ASN1 for possible
      # values.
      #
      # ## Example
      #     asn1_int = OpenSSL::ASN1Data.new(42, 2, :UNIVERSAL) # => Same as OpenSSL::ASN1::Integer.new(42)
      #     tagged_int = OpenSSL::ASN1Data.new(42, 0, :CONTEXT_SPECIFIC) # implicitly 0-tagged INTEGER
      #
      def initialize: (untyped value, ::Integer tag, tag_class tag_class) -> void
    end

    # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
    # Generic error class for all errors raised in ASN1 and any of the classes
    # defined in it.
    #
    class ASN1Error < OpenSSL::OpenSSLError
    end

    class BMPString < OpenSSL::ASN1::Primitive
    end

    class BitString < OpenSSL::ASN1::Primitive
      def unused_bits: () -> ::Integer

      def unused_bits=: (::Integer) -> ::Integer

      def value: () -> String

      def value=: (String) -> String
    end

    class Boolean < OpenSSL::ASN1::Primitive
      def value: () -> bool

      def value=: [U] (boolish) -> U
    end

    # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
    # The parent class for all constructed encodings. The *value* attribute of a
    # Constructive is always an Array. Attributes are the same as for ASN1Data, with
    # the addition of *tagging*.
    #
    # ## SET and SEQUENCE
    #
    # Most constructed encodings come in the form of a SET or a SEQUENCE. These
    # encodings are represented by one of the two sub-classes of Constructive:
    # *   OpenSSL::ASN1::Set
    # *   OpenSSL::ASN1::Sequence
    #
    # Please note that tagged sequences and sets are still parsed as instances of
    # ASN1Data. Find further details on tagged values there.
    #
    # ### Example - constructing a SEQUENCE
    #     int = OpenSSL::ASN1::Integer.new(1)
    #     str = OpenSSL::ASN1::PrintableString.new('abc')
    #     sequence = OpenSSL::ASN1::Sequence.new( [ int, str ] )
    #
    # ### Example - constructing a SET
    #     int = OpenSSL::ASN1::Integer.new(1)
    #     str = OpenSSL::ASN1::PrintableString.new('abc')
    #     set = OpenSSL::ASN1::Set.new( [ int, str ] )
    #
    class Constructive < OpenSSL::ASN1::ASN1Data
      include Enumerable[ASN1Data]

      # <!--
      #   rdoc-file=ext/openssl/ossl_asn1.c
      #   - asn1_ary.each { |asn1| block } => asn1_ary
      # -->
      # Calls the given block once for each element in self, passing that element as
      # parameter *asn1*. If no block is given, an enumerator is returned instead.
      #
      # ## Example
      #     asn1_ary.each do |asn1|
      #       puts asn1
      #     end
      #
      def each: () ?{ (ASN1Data) -> void } -> self

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # May be used as a hint for encoding a value either implicitly or explicitly by
      # setting it either to `:IMPLICIT` or to `:EXPLICIT`. *tagging* is not set when
      # a ASN.1 structure is parsed using OpenSSL::ASN1.decode.
      #
      def tagging: () -> tagging?

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # May be used as a hint for encoding a value either implicitly or explicitly by
      # setting it either to `:IMPLICIT` or to `:EXPLICIT`. *tagging* is not set when
      # a ASN.1 structure is parsed using OpenSSL::ASN1.decode.
      #
      def tagging=: (tagging) -> tagging

      # <!--
      #   rdoc-file=ext/openssl/ossl_asn1.c
      #   - asn1.to_der => DER-encoded String
      # -->
      # See ASN1Data#to_der for details.
      #
      def to_der: () -> String

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_asn1.c
      #   - OpenSSL::ASN1::Primitive.new(value [, tag, tagging, tag_class ]) => Primitive
      # -->
      # *value*: is mandatory.
      #
      # *tag*: optional, may be specified for tagged values. If no *tag* is specified,
      # the UNIVERSAL tag corresponding to the Primitive sub-class is used by default.
      #
      # *tagging*: may be used as an encoding hint to encode a value either explicitly
      # or implicitly, see ASN1 for possible values.
      #
      # *tag_class*: if *tag* and *tagging* are `nil` then this is set to `:UNIVERSAL`
      # by default. If either *tag* or *tagging* are set then `:CONTEXT_SPECIFIC` is
      # used as the default. For possible values please cf. ASN1.
      #
      # ## Example
      #     int = OpenSSL::ASN1::Integer.new(42)
      #     zero_tagged_int = OpenSSL::ASN1::Integer.new(42, 0, :IMPLICIT)
      #     private_explicit_zero_tagged_int = OpenSSL::ASN1::Integer.new(42, 0, :EXPLICIT, :PRIVATE)
      #
      def initialize: (Array[ASN1Data]) -> void
    end

    class EndOfContent < OpenSSL::ASN1::ASN1Data
      def to_der: () -> String

      private

      def initialize: () -> void
    end

    class Enumerated < OpenSSL::ASN1::Primitive
      def value: () -> ::Integer

      def value=: (::Integer) -> ::Integer
    end

    class GeneralString < OpenSSL::ASN1::Primitive
      def value: () -> String

      def value=: (String) -> String
    end

    class GeneralizedTime < OpenSSL::ASN1::Primitive
      def value: () -> Time

      def value=: (Time) -> Time
    end

    class GraphicString < OpenSSL::ASN1::Primitive
      def value: () -> String

      def value=: (String) -> String
    end

    class IA5String < OpenSSL::ASN1::Primitive
      def value: () -> String

      def value=: (String) -> String
    end

    class ISO64String < OpenSSL::ASN1::Primitive
      def value: () -> String

      def value=: (String) -> String
    end

    class Integer < OpenSSL::ASN1::Primitive
      def value: () -> ::Integer

      def value=: (::Integer) -> ::Integer
    end

    class Null < OpenSSL::ASN1::Primitive
      def value: () -> nil

      def value=: (nil) -> nil
    end

    class NumericString < OpenSSL::ASN1::Primitive
      def value: () -> String

      def value=: (String) -> String
    end

    # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
    # Represents the primitive object id for OpenSSL::ASN1
    #
    class ObjectId < OpenSSL::ASN1::Primitive
      # <!--
      #   rdoc-file=ext/openssl/ossl_asn1.c
      #   - OpenSSL::ASN1::ObjectId.register(object_id, short_name, long_name)
      # -->
      # This adds a new ObjectId to the internal tables. Where *object_id* is the
      # numerical form, *short_name* is the short name, and *long_name* is the long
      # name.
      #
      # Returns `true` if successful. Raises an OpenSSL::ASN1::ASN1Error if it fails.
      #
      def self.register: (String object_id, String short_name, String ong_name) -> bool

      def value: () -> String

      def value=: (String) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_asn1.c
      #   - oid == other_oid => true or false
      # -->
      # Returns `true` if *other_oid* is the same as *oid*
      #
      def ==: (ObjectId other) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_asn1.c
      #   - oid.ln -> string
      #   - oid.long_name -> string
      # -->
      # The long name of the ObjectId, as defined in <openssl/objects.h>.
      #
      def ln: () -> String?

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # The long name of the ObjectId, as defined in <openssl/objects.h>.
      #
      alias long_name ln

      # <!--
      #   rdoc-file=ext/openssl/ossl_asn1.c
      #   - oid.oid -> string
      # -->
      # Returns a String representing the Object Identifier in the dot notation, e.g.
      # "1.2.3.4.5"
      #
      def oid: () -> String

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # The short name of the ObjectId, as defined in <openssl/objects.h>.
      #
      alias short_name sn

      # <!--
      #   rdoc-file=ext/openssl/ossl_asn1.c
      #   - oid.sn -> string
      #   - oid.short_name -> string
      # -->
      # The short name of the ObjectId, as defined in <openssl/objects.h>.
      #
      def sn: () -> String?
    end

    class OctetString < OpenSSL::ASN1::Primitive
      def value: () -> String

      def value=: (String) -> String
    end

    # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
    # The parent class for all primitive encodings. Attributes are the same as for
    # ASN1Data, with the addition of *tagging*. Primitive values can never be
    # encoded with indefinite length form, thus it is not possible to set the
    # *indefinite_length* attribute for Primitive and its sub-classes.
    #
    # ## Primitive sub-classes and their mapping to Ruby classes
    # *   OpenSSL::ASN1::EndOfContent    <=> *value* is always `nil`
    # *   OpenSSL::ASN1::Boolean         <=> *value* is `true` or `false`
    # *   OpenSSL::ASN1::Integer         <=> *value* is an OpenSSL::BN
    # *   OpenSSL::ASN1::BitString       <=> *value* is a String
    # *   OpenSSL::ASN1::OctetString     <=> *value* is a String
    # *   OpenSSL::ASN1::Null            <=> *value* is always `nil`
    # *   OpenSSL::ASN1::Object          <=> *value* is a String
    # *   OpenSSL::ASN1::Enumerated      <=> *value* is an OpenSSL::BN
    # *   OpenSSL::ASN1::UTF8String      <=> *value* is a String
    # *   OpenSSL::ASN1::NumericString   <=> *value* is a String
    # *   OpenSSL::ASN1::PrintableString <=> *value* is a String
    # *   OpenSSL::ASN1::T61String       <=> *value* is a String
    # *   OpenSSL::ASN1::VideotexString  <=> *value* is a String
    # *   OpenSSL::ASN1::IA5String       <=> *value* is a String
    # *   OpenSSL::ASN1::UTCTime         <=> *value* is a Time
    # *   OpenSSL::ASN1::GeneralizedTime <=> *value* is a Time
    # *   OpenSSL::ASN1::GraphicString   <=> *value* is a String
    # *   OpenSSL::ASN1::ISO64String     <=> *value* is a String
    # *   OpenSSL::ASN1::GeneralString   <=> *value* is a String
    # *   OpenSSL::ASN1::UniversalString <=> *value* is a String
    # *   OpenSSL::ASN1::BMPString       <=> *value* is a String
    #
    #
    # ## OpenSSL::ASN1::BitString
    #
    # ### Additional attributes
    # *unused_bits*: if the underlying BIT STRING's length is a multiple of 8 then
    # *unused_bits* is 0. Otherwise *unused_bits* indicates the number of bits that
    # are to be ignored in the final octet of the BitString's *value*.
    #
    # ## OpenSSL::ASN1::ObjectId
    #
    # NOTE: While OpenSSL::ASN1::ObjectId.new will allocate a new ObjectId, it is
    # not typically allocated this way, but rather that are received from parsed
    # ASN1 encodings.
    #
    # ### Additional attributes
    # *   *sn*: the short name as defined in <openssl/objects.h>.
    # *   *ln*: the long name as defined in <openssl/objects.h>.
    # *   *oid*: the object identifier as a String, e.g. "1.2.3.4.5"
    # *   *short_name*: alias for *sn*.
    # *   *long_name*: alias for *ln*.
    #
    #
    # ## Examples
    # With the Exception of OpenSSL::ASN1::EndOfContent, each Primitive class
    # constructor takes at least one parameter, the *value*.
    #
    # ### Creating EndOfContent
    #     eoc = OpenSSL::ASN1::EndOfContent.new
    #
    # ### Creating any other Primitive
    #     prim = <class>.new(value) # <class> being one of the sub-classes except EndOfContent
    #     prim_zero_tagged_implicit = <class>.new(value, 0, :IMPLICIT)
    #     prim_zero_tagged_explicit = <class>.new(value, 0, :EXPLICIT)
    #
    class Primitive < OpenSSL::ASN1::ASN1Data
      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # May be used as a hint for encoding a value either implicitly or explicitly by
      # setting it either to `:IMPLICIT` or to `:EXPLICIT`. *tagging* is not set when
      # a ASN.1 structure is parsed using OpenSSL::ASN1.decode.
      #
      def tagging: () -> tagging?

      # <!-- rdoc-file=ext/openssl/ossl_asn1.c -->
      # May be used as a hint for encoding a value either implicitly or explicitly by
      # setting it either to `:IMPLICIT` or to `:EXPLICIT`. *tagging* is not set when
      # a ASN.1 structure is parsed using OpenSSL::ASN1.decode.
      #
      def tagging=: (tagging) -> tagging

      # <!--
      #   rdoc-file=ext/openssl/ossl_asn1.c
      #   - asn1.to_der => DER-encoded String
      # -->
      # See ASN1Data#to_der for details.
      #
      def to_der: () -> String

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_asn1.c
      #   - OpenSSL::ASN1::Primitive.new(value [, tag, tagging, tag_class ]) => Primitive
      # -->
      # *value*: is mandatory.
      #
      # *tag*: optional, may be specified for tagged values. If no *tag* is specified,
      # the UNIVERSAL tag corresponding to the Primitive sub-class is used by default.
      #
      # *tagging*: may be used as an encoding hint to encode a value either explicitly
      # or implicitly, see ASN1 for possible values.
      #
      # *tag_class*: if *tag* and *tagging* are `nil` then this is set to `:UNIVERSAL`
      # by default. If either *tag* or *tagging* are set then `:CONTEXT_SPECIFIC` is
      # used as the default. For possible values please cf. ASN1.
      #
      # ## Example
      #     int = OpenSSL::ASN1::Integer.new(42)
      #     zero_tagged_int = OpenSSL::ASN1::Integer.new(42, 0, :IMPLICIT)
      #     private_explicit_zero_tagged_int = OpenSSL::ASN1::Integer.new(42, 0, :EXPLICIT, :PRIVATE)
      #
      def initialize: (untyped value, ?Integer tag, ?tagging tagging) -> void
    end

    class PrintableString < OpenSSL::ASN1::Primitive
      def value: () -> String

      def value=: (String) -> String
    end

    class Sequence < OpenSSL::ASN1::Constructive
      def value: () -> Array[ASN1Data]

      def value=: (Array[ASN1Data]) -> Array[ASN1Data]
    end

    class Set < OpenSSL::ASN1::Constructive
    end

    class T61String < OpenSSL::ASN1::Primitive
      def value: () -> String

      def value=: (String) -> String
    end

    class UTCTime < OpenSSL::ASN1::Primitive
      def value: () -> Time

      def value=: (Time) -> Time
    end

    class UTF8String < OpenSSL::ASN1::Primitive
      def value: () -> String

      def value=: (String) -> String
    end

    class UniversalString < OpenSSL::ASN1::Primitive
      def value: () -> String

      def value=: (String) -> String
    end

    class VideotexString < OpenSSL::ASN1::Primitive
      def value: () -> String

      def value=: (String) -> String
    end
  end

  type bn = BN | ::Integer

  class BN
    include Comparable

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - BN.generate_prime(bits, [, safe [, add [, rem]]]) => bn
    # -->
    # Generates a random prime number of bit length *bits*. If *safe* is set to
    # `true`, generates a safe prime. If *add* is specified, generates a prime that
    # fulfills condition `p % add = rem`.
    #
    # ### Parameters
    # *   *bits* - integer
    # *   *safe* - boolean
    # *   *add* - BN
    # *   *rem* - BN
    #
    def self.generate_prime: (::Integer bits, ?boolish safe, ?bn add, ?bn rem) -> instance

    def self.pseudo_rand: (*untyped) -> untyped

    def self.pseudo_rand_range: (untyped) -> untyped

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - BN.rand(bits [, fill [, odd]]) -> aBN
    # -->
    # Generates a cryptographically strong pseudo-random number of `bits`.
    #
    # See also the man page BN_rand(3).
    #
    def self.rand: (*untyped) -> untyped

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - BN.rand_range(range) -> aBN
    # -->
    # Generates a cryptographically strong pseudo-random number in the range
    # 0...`range`.
    #
    # See also the man page BN_rand_range(3).
    #
    def self.rand_range: (untyped) -> untyped

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn % bn2 => aBN
    # -->
    #
    def %: (int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn * bn2 => aBN
    # -->
    #
    def *: (int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn ** bn2 => aBN
    # -->
    #
    def **: (int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn + bn2 => aBN
    # -->
    #
    def +: (int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - +bn -> aBN
    # -->
    #
    def +@: () -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn - bn2 => aBN
    # -->
    #
    def -: (int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - -bn -> aBN
    # -->
    #
    def -@: () -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn1 / bn2 => [result, remainder]
    # -->
    # Division of OpenSSL::BN instances
    #
    def /: (int) -> [ instance, instance ]

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn << bits -> aBN
    # -->
    #
    def <<: (int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - <=>(p1)
    # -->
    #
    alias <=> cmp

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn == obj => true or false
    # -->
    # Returns `true` only if *obj* has the same value as *bn*. Contrast this with
    # OpenSSL::BN#eql?, which requires obj to be OpenSSL::BN.
    #
    def ==: (untyped) -> bool

    # <!-- rdoc-file=ext/openssl/ossl_bn.c -->
    # Returns `true` only if *obj* has the same value as *bn*. Contrast this with
    # OpenSSL::BN#eql?, which requires obj to be OpenSSL::BN.
    #
    alias === ==

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn >> bits -> aBN
    # -->
    #
    def >>: (int) -> int

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.bit_set?(bit) => true | false
    # -->
    # Tests bit *bit* in *bn* and returns `true` if set, `false` if not set.
    #
    def bit_set?: (int) -> bool

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.clear_bit!(bit) -> self
    # -->
    #
    def clear_bit!: (int) -> void

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.cmp(bn2) => integer
    # -->
    #
    def cmp: (Integer) -> Integer

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - coerce(p1)
    # -->
    #
    def coerce: (::Integer) -> Array[Integer]
              | (BN) -> Array[BN]

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - copy(p1)
    # -->
    #
    def copy: (int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.eql?(obj) => true or false
    # -->
    # Returns `true` only if *obj* is a `OpenSSL::BN` with the same value as *bn*.
    # Contrast this with OpenSSL::BN#==, which performs type conversions.
    #
    def eql?: (untyped other) -> bool

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.gcd(bn2) => aBN
    # -->
    #
    def gcd: (int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.hash => Integer
    # -->
    # Returns a hash code for this object.
    #
    # See also Object#hash.
    #
    def hash: () -> Integer

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.lshift!(bits) -> self
    # -->
    #
    def lshift!: (int bits) -> self

    def mask_bits!: (int) -> void

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.mod_add(bn1, bn2) -> aBN
    # -->
    #
    def mod_add: (int, int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.mod_exp(bn1, bn2) -> aBN
    # -->
    #
    def mod_exp: (int, int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.mod_inverse(bn2) => aBN
    # -->
    #
    def mod_inverse: (int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.mod_mul(bn1, bn2) -> aBN
    # -->
    #
    def mod_mul: (int, int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.mod_sqr(bn2) => aBN
    # -->
    #
    def mod_sqr: (int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.mod_sub(bn1, bn2) -> aBN
    # -->
    #
    def mod_sub: (int, int) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.negative? => true | false
    # -->
    #
    def negative?: () -> bool

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.num_bits => integer
    # -->
    #
    def num_bits: () -> ::Integer

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.num_bytes => integer
    # -->
    #
    def num_bytes: () -> ::Integer

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.odd? => true | false
    # -->
    #
    def odd?: () -> bool

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.one? => true | false
    # -->
    #
    def one?: () -> bool

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/bn.rb
    #   - pretty_print(q)
    # -->
    #
    def pretty_print: (untyped q) -> untyped

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.prime? => true | false
    #   - bn.prime?(checks) => true | false
    # -->
    # Performs a Miller-Rabin probabilistic primality test for `bn`.
    #
    # **`checks` parameter is deprecated in version 3.0.** It has no effect.
    #
    def prime?: (?int checks) -> bool

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.prime_fasttest? => true | false
    #   - bn.prime_fasttest?(checks) => true | false
    #   - bn.prime_fasttest?(checks, trial_div) => true | false
    # -->
    # Performs a Miller-Rabin probabilistic primality test for `bn`.
    #
    # **Deprecated in version 3.0.** Use #prime? instead.
    #
    # `checks` and `trial_div` parameters no longer have any effect.
    #
    def prime_fasttest?: (?int checks, ?int trial_div) -> bool

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.rshift!(bits) -> self
    # -->
    #
    def rshift!: (int bits) -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.set_bit!(bit) -> self
    # -->
    #
    def set_bit!: (int bit) -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.sqr => aBN
    # -->
    #
    def sqr: () -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - to_bn()
    # -->
    #
    def to_bn: () -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.to_i => integer
    # -->
    #
    def to_i: () -> ::Integer

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - to_int()
    # -->
    #
    alias to_int to_i

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.to_s(base = 10) -> string
    # -->
    # Returns the string representation of the bignum.
    #
    # BN.new can parse the encoded string to convert back into an OpenSSL::BN.
    #
    # `base`
    # :   The format. Must be one of the following:
    #     *   `0`  - MPI format. See the man page BN_bn2mpi(3) for details.
    #     *   `2`  - Variable-length and big-endian binary encoding. The sign of the
    #         bignum is ignored.
    #     *   `10` - Decimal number representation, with a leading '-' for a
    #         negative bignum.
    #     *   `16` - Hexadeciaml number representation, with a leading '-' for a
    #         negative bignum.
    #
    def to_s: () -> String
            | (0) -> String
            | (2) -> String
            | (10) -> String
            | (16) -> String
            | (int base) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.ucmp(bn2) => integer
    # -->
    #
    def ucmp: (int bn2) -> ::Integer

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - bn.zero? => true | false
    # -->
    #
    def zero?: () -> bool

    private

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - OpenSSL::BN.new(bn) -> aBN
    #   - OpenSSL::BN.new(integer) -> aBN
    #   - OpenSSL::BN.new(string, base = 10) -> aBN
    # -->
    # Construct a new OpenSSL BIGNUM object.
    #
    # If `bn` is an Integer or OpenSSL::BN, a new instance of OpenSSL::BN
    # representing the same value is returned. See also Integer#to_bn for the
    # short-hand.
    #
    # If a String is given, the content will be parsed according to `base`.
    #
    # `string`
    # :   The string to be parsed.
    # `base`
    # :   The format. Must be one of the following:
    #     *   `0`  - MPI format. See the man page BN_mpi2bn(3) for details.
    #     *   `2`  - Variable-length and big-endian binary encoding of a positive
    #         number.
    #     *   `10` - Decimal number representation, with a leading '-' for a
    #         negative number.
    #     *   `16` - Hexadeciaml number representation, with a leading '-' for a
    #         negative number.
    #
    def initialize: (instance) -> void
                  | (int) -> void
                  | (string) -> void
                  | (string, 0 | 2 | 10 | 16) -> void

    # <!--
    #   rdoc-file=ext/openssl/ossl_bn.c
    #   - initialize_copy(p1)
    # -->
    #
    def initialize_copy: (instance other) -> instance
  end

  # <!-- rdoc-file=ext/openssl/ossl_bn.c -->
  # Generic Error for all of OpenSSL::BN (big num)
  #
  class BNError < OpenSSL::OpenSSLError
  end

  # <!-- rdoc-file=ext/openssl/lib/openssl/buffering.rb -->
  # OpenSSL IO buffering mix-in module.
  #
  # This module allows an OpenSSL::SSL::SSLSocket to behave like an IO.
  #
  # You typically won't use this module directly, you can see it implemented in
  # OpenSSL::SSL::SSLSocket.
  #
  module Buffering
    include Enumerable[untyped]

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - <<(s)
    # -->
    # Writes *s* to the stream.  *s* will be converted to a String using `.to_s`
    # method.
    #
    def <<: (String s) -> self

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - close()
    # -->
    # Closes the SSLSocket and flushes any unwritten data.
    #
    def close: () -> void

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - each(eol=$/) { |line| ... }
    # -->
    # Executes the block for every line in the stream where lines are separated by
    # *eol*.
    #
    # See also #gets
    #
    def each: (?String eol) ?{ (String) -> void } -> void

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - each_byte() { |byte| ... }
    # -->
    # Calls the given block once for each byte in the stream.
    #
    def each_byte: () ?{ (Integer) -> void } -> void

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - each_line(eol=$/)
    # -->
    #
    alias each_line each

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - eof()
    # -->
    #
    alias eof eof?

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - eof?()
    # -->
    # Returns true if the stream is at file which means there is no more data to be
    # read.
    #
    def eof?: () -> bool

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - flush()
    # -->
    # Flushes buffered data to the SSLSocket.
    #
    def flush: () -> self

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - getc()
    # -->
    # Reads one character from the stream.  Returns nil if called at end of file.
    #
    def getc: () -> String?

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - gets(eol=$/, limit=nil)
    # -->
    # Reads the next "line" from the stream.  Lines are separated by *eol*.  If
    # *limit* is provided the result will not be longer than the given number of
    # bytes.
    #
    # *eol* may be a String or Regexp.
    #
    # Unlike IO#gets the line read will not be assigned to +$_+.
    #
    # Unlike IO#gets the separator must be provided if a limit is provided.
    #
    def gets: (?String | Regexp eol, ?Integer limit) -> String?

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - print(*args)
    # -->
    # Writes *args* to the stream.
    #
    # See IO#print for full details.
    #
    def print: (*untyped args) -> nil

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - printf(s, *args)
    # -->
    # Formats and writes to the stream converting parameters under control of the
    # format string.
    #
    # See Kernel#sprintf for format string details.
    #
    def printf: (String format_string, *untyped args) -> nil

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - puts(*args)
    # -->
    # Writes *args* to the stream along with a record separator.
    #
    # See IO#puts for full details.
    #
    def puts: (*untyped args) -> nil

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - read(size=nil, buf=nil)
    # -->
    # Reads *size* bytes from the stream.  If *buf* is provided it must reference a
    # string which will receive the data.
    #
    # See IO#read for full details.
    #
    def read: (?Integer? size, ?String buf) -> String?

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - read_nonblock(maxlen, buf=nil, exception: true)
    # -->
    # Reads at most *maxlen* bytes in the non-blocking manner.
    #
    # When no data can be read without blocking it raises OpenSSL::SSL::SSLError
    # extended by IO::WaitReadable or IO::WaitWritable.
    #
    # IO::WaitReadable means SSL needs to read internally so read_nonblock should be
    # called again when the underlying IO is readable.
    #
    # IO::WaitWritable means SSL needs to write internally so read_nonblock should
    # be called again after the underlying IO is writable.
    #
    # OpenSSL::Buffering#read_nonblock needs two rescue clause as follows:
    #
    #     # emulates blocking read (readpartial).
    #     begin
    #       result = ssl.read_nonblock(maxlen)
    #     rescue IO::WaitReadable
    #       IO.select([io])
    #       retry
    #     rescue IO::WaitWritable
    #       IO.select(nil, [io])
    #       retry
    #     end
    #
    # Note that one reason that read_nonblock writes to the underlying IO is when
    # the peer requests a new TLS/SSL handshake.  See openssl the FAQ for more
    # details.  http://www.openssl.org/support/faq.html
    #
    # By specifying a keyword argument *exception* to `false`, you can indicate that
    # read_nonblock should not raise an IO::Wait*able exception, but return the
    # symbol `:wait_writable` or `:wait_readable` instead. At EOF, it will return
    # `nil` instead of raising EOFError.
    #
    def read_nonblock: (Integer maxlen, ?String buf, ?exception: true) -> String
                     | (Integer maxlen, ?String buf, exception: false) -> (String | :wait_writable | :wait_readable | nil)

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - readchar()
    # -->
    # Reads a one-character string from the stream.  Raises an EOFError at end of
    # file.
    #
    def readchar: () -> String

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - readline(eol=$/)
    # -->
    # Reads a line from the stream which is separated by *eol*.
    #
    # Raises EOFError if at end of file.
    #
    def readline: (?String eol) -> String

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - readlines(eol=$/)
    # -->
    # Reads lines from the stream which are separated by *eol*.
    #
    # See also #gets
    #
    def readlines: (?String eol) -> ::Array[String]

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - readpartial(maxlen, buf=nil)
    # -->
    # Reads at most *maxlen* bytes from the stream.  If *buf* is provided it must
    # reference a string which will receive the data.
    #
    # See IO#readpartial for full details.
    #
    def readpartial: (Integer maxlen, ?String buf) -> String

    # <!-- rdoc-file=ext/openssl/lib/openssl/buffering.rb -->
    # The "sync mode" of the SSLSocket.
    #
    # See IO#sync for full details.
    #
    def sync: () -> bool

    # <!-- rdoc-file=ext/openssl/lib/openssl/buffering.rb -->
    # The "sync mode" of the SSLSocket.
    #
    # See IO#sync for full details.
    #
    def sync=: (boolish) -> void

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - ungetc(c)
    # -->
    # Pushes character *c* back onto the stream such that a subsequent buffered
    # character read will return it.
    #
    # Unlike IO#getc multiple bytes may be pushed back onto the stream.
    #
    # Has no effect on unbuffered reads (such as #sysread).
    #
    def ungetc: (String c) -> String

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - write(*s)
    # -->
    # Writes *s* to the stream.  If the argument is not a String it will be
    # converted using `.to_s` method.  Returns the number of bytes written.
    #
    def write: (*_ToS s) -> Integer

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - write_nonblock(s, exception: true)
    # -->
    # Writes *s* in the non-blocking manner.
    #
    # If there is buffered data, it is flushed first.  This may block.
    #
    # write_nonblock returns number of bytes written to the SSL connection.
    #
    # When no data can be written without blocking it raises OpenSSL::SSL::SSLError
    # extended by IO::WaitReadable or IO::WaitWritable.
    #
    # IO::WaitReadable means SSL needs to read internally so write_nonblock should
    # be called again after the underlying IO is readable.
    #
    # IO::WaitWritable means SSL needs to write internally so write_nonblock should
    # be called again after underlying IO is writable.
    #
    # So OpenSSL::Buffering#write_nonblock needs two rescue clause as follows.
    #
    #     # emulates blocking write.
    #     begin
    #       result = ssl.write_nonblock(str)
    #     rescue IO::WaitReadable
    #       IO.select([io])
    #       retry
    #     rescue IO::WaitWritable
    #       IO.select(nil, [io])
    #       retry
    #     end
    #
    # Note that one reason that write_nonblock reads from the underlying IO is when
    # the peer requests a new TLS/SSL handshake.  See the openssl FAQ for more
    # details.  http://www.openssl.org/support/faq.html
    #
    # By specifying a keyword argument *exception* to `false`, you can indicate that
    # write_nonblock should not raise an IO::Wait*able exception, but return the
    # symbol `:wait_writable` or `:wait_readable` instead.
    #
    def write_nonblock: (_ToS s, ?exception: true) -> Integer
                      | (_ToS s, exception: false) -> (Integer | :wait_writable | :wait_readable | nil)

    private

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - consume_rbuff(size=nil)
    # -->
    # Consumes *size* bytes from the buffer
    #
    def consume_rbuff: (?untyped size) -> untyped

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - do_write(s)
    # -->
    # Writes *s* to the buffer.  When the buffer is full or #sync is true the buffer
    # is flushed to the underlying socket.
    #
    def do_write: (untyped s) -> untyped

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
    #   - fill_rbuff()
    # -->
    # Fills the buffer from the underlying SSLSocket
    #
    def fill_rbuff: () -> untyped

    # <!-- rdoc-file=ext/openssl/lib/openssl/buffering.rb -->
    # Default size to read from or write to the SSLSocket for buffer operations.
    #
    BLOCK_SIZE: Integer

    # <!-- rdoc-file=ext/openssl/lib/openssl/buffering.rb -->
    # A buffer which will retain binary encoding.
    #
    class Buffer < String
      BINARY: Encoding

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
      #   - <<(string)
      # -->
      #
      def <<: (String string) -> self

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/buffering.rb
      #   - concat(string)
      # -->
      #
      alias concat <<
    end
  end

  # <!-- rdoc-file=ext/openssl/ossl_cipher.c -->
  # Provides symmetric algorithms for encryption and decryption. The algorithms
  # that are available depend on the particular version of OpenSSL that is
  # installed.
  #
  # ### Listing all supported algorithms
  #
  # A list of supported algorithms can be obtained by
  #
  #     puts OpenSSL::Cipher.ciphers
  #
  # ### Instantiating a Cipher
  #
  # There are several ways to create a Cipher instance. Generally, a Cipher
  # algorithm is categorized by its name, the key length in bits and the cipher
  # mode to be used. The most generic way to create a Cipher is the following
  #
  #     cipher = OpenSSL::Cipher.new('<name>-<key length>-<mode>')
  #
  # That is, a string consisting of the hyphenated concatenation of the individual
  # components name, key length and mode. Either all uppercase or all lowercase
  # strings may be used, for example:
  #
  #     cipher = OpenSSL::Cipher.new('aes-128-cbc')
  #
  # ### Choosing either encryption or decryption mode
  #
  # Encryption and decryption are often very similar operations for symmetric
  # algorithms, this is reflected by not having to choose different classes for
  # either operation, both can be done using the same class. Still, after
  # obtaining a Cipher instance, we need to tell the instance what it is that we
  # intend to do with it, so we need to call either
  #
  #     cipher.encrypt
  #
  # or
  #
  #     cipher.decrypt
  #
  # on the Cipher instance. This should be the first call after creating the
  # instance, otherwise configuration that has already been set could get lost in
  # the process.
  #
  # ### Choosing a key
  #
  # Symmetric encryption requires a key that is the same for the encrypting and
  # for the decrypting party and after initial key establishment should be kept as
  # private information. There are a lot of ways to create insecure keys, the most
  # notable is to simply take a password as the key without processing the
  # password further. A simple and secure way to create a key for a particular
  # Cipher is
  #
  #     cipher = OpenSSL::Cipher.new('aes-256-cfb')
  #     cipher.encrypt
  #     key = cipher.random_key # also sets the generated key on the Cipher
  #
  # If you absolutely need to use passwords as encryption keys, you should use
  # Password-Based Key Derivation Function 2 (PBKDF2) by generating the key with
  # the help of the functionality provided by OpenSSL::PKCS5.pbkdf2_hmac_sha1 or
  # OpenSSL::PKCS5.pbkdf2_hmac.
  #
  # Although there is Cipher#pkcs5_keyivgen, its use is deprecated and it should
  # only be used in legacy applications because it does not use the newer PKCS#5
  # v2 algorithms.
  #
  # ### Choosing an IV
  #
  # The cipher modes CBC, CFB, OFB and CTR all need an "initialization vector", or
  # short, IV. ECB mode is the only mode that does not require an IV, but there is
  # almost no legitimate use case for this mode because of the fact that it does
  # not sufficiently hide plaintext patterns. Therefore
  #
  # **You should never use ECB mode unless you are absolutely sure that you
  # absolutely need it**
  #
  # Because of this, you will end up with a mode that explicitly requires an IV in
  # any case. Although the IV can be seen as public information, i.e. it may be
  # transmitted in public once generated, it should still stay unpredictable to
  # prevent certain kinds of attacks. Therefore, ideally
  #
  # **Always create a secure random IV for every encryption of your Cipher**
  #
  # A new, random IV should be created for every encryption of data. Think of the
  # IV as a nonce (number used once) - it's public but random and unpredictable. A
  # secure random IV can be created as follows
  #
  #     cipher = ...
  #     cipher.encrypt
  #     key = cipher.random_key
  #     iv = cipher.random_iv # also sets the generated IV on the Cipher
  #
  # Although the key is generally a random value, too, it is a bad choice as an
  # IV. There are elaborate ways how an attacker can take advantage of such an IV.
  # As a general rule of thumb, exposing the key directly or indirectly should be
  # avoided at all cost and exceptions only be made with good reason.
  #
  # ### Calling Cipher#final
  #
  # ECB (which should not be used) and CBC are both block-based modes. This means
  # that unlike for the other streaming-based modes, they operate on fixed-size
  # blocks of data, and therefore they require a "finalization" step to produce or
  # correctly decrypt the last block of data by appropriately handling some form
  # of padding. Therefore it is essential to add the output of
  # OpenSSL::Cipher#final to your encryption/decryption buffer or you will end up
  # with decryption errors or truncated data.
  #
  # Although this is not really necessary for streaming-mode ciphers, it is still
  # recommended to apply the same pattern of adding the output of Cipher#final
  # there as well - it also enables you to switch between modes more easily in the
  # future.
  #
  # ### Encrypting and decrypting some data
  #
  #     data = "Very, very confidential data"
  #
  #     cipher = OpenSSL::Cipher.new('aes-128-cbc')
  #     cipher.encrypt
  #     key = cipher.random_key
  #     iv = cipher.random_iv
  #
  #     encrypted = cipher.update(data) + cipher.final
  #     ...
  #     decipher = OpenSSL::Cipher.new('aes-128-cbc')
  #     decipher.decrypt
  #     decipher.key = key
  #     decipher.iv = iv
  #
  #     plain = decipher.update(encrypted) + decipher.final
  #
  #     puts data == plain #=> true
  #
  # ### Authenticated Encryption and Associated Data (AEAD)
  #
  # If the OpenSSL version used supports it, an Authenticated Encryption mode
  # (such as GCM or CCM) should always be preferred over any unauthenticated mode.
  # Currently, OpenSSL supports AE only in combination with Associated Data (AEAD)
  # where additional associated data is included in the encryption process to
  # compute a tag at the end of the encryption. This tag will also be used in the
  # decryption process and by verifying its validity, the authenticity of a given
  # ciphertext is established.
  #
  # This is superior to unauthenticated modes in that it allows to detect if
  # somebody effectively changed the ciphertext after it had been encrypted. This
  # prevents malicious modifications of the ciphertext that could otherwise be
  # exploited to modify ciphertexts in ways beneficial to potential attackers.
  #
  # An associated data is used where there is additional information, such as
  # headers or some metadata, that must be also authenticated but not necessarily
  # need to be encrypted. If no associated data is needed for encryption and later
  # decryption, the OpenSSL library still requires a value to be set - "" may be
  # used in case none is available.
  #
  # An example using the GCM (Galois/Counter Mode). You have 16 bytes *key*, 12
  # bytes (96 bits) *nonce* and the associated data *auth_data*. Be sure not to
  # reuse the *key* and *nonce* pair. Reusing an nonce ruins the security
  # guarantees of GCM mode.
  #
  #     cipher = OpenSSL::Cipher.new('aes-128-gcm').encrypt
  #     cipher.key = key
  #     cipher.iv = nonce
  #     cipher.auth_data = auth_data
  #
  #     encrypted = cipher.update(data) + cipher.final
  #     tag = cipher.auth_tag # produces 16 bytes tag by default
  #
  # Now you are the receiver. You know the *key* and have received *nonce*,
  # *auth_data*, *encrypted* and *tag* through an untrusted network. Note that GCM
  # accepts an arbitrary length tag between 1 and 16 bytes. You may additionally
  # need to check that the received tag has the correct length, or you allow
  # attackers to forge a valid single byte tag for the tampered ciphertext with a
  # probability of 1/256.
  #
  #     raise "tag is truncated!" unless tag.bytesize == 16
  #     decipher = OpenSSL::Cipher.new('aes-128-gcm').decrypt
  #     decipher.key = key
  #     decipher.iv = nonce
  #     decipher.auth_tag = tag
  #     decipher.auth_data = auth_data
  #
  #     decrypted = decipher.update(encrypted) + decipher.final
  #
  #     puts data == decrypted #=> true
  #
  class Cipher
    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - OpenSSL::Cipher.ciphers -> array[string...]
    # -->
    # Returns the names of all available ciphers in an array.
    #
    def self.ciphers: () -> Array[String]

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.auth_data = string -> string
    # -->
    # Sets the cipher's additional authenticated data. This field must be set when
    # using AEAD cipher modes such as GCM or CCM. If no associated data shall be
    # used, this method must **still** be called with a value of "". The contents of
    # this field should be non-sensitive data which will be added to the ciphertext
    # to generate the authentication tag which validates the contents of the
    # ciphertext.
    #
    # The AAD must be set prior to encryption or decryption. In encryption mode, it
    # must be set after calling Cipher#encrypt and setting Cipher#key= and
    # Cipher#iv=. When decrypting, the authenticated data must be set after key, iv
    # and especially **after** the authentication tag has been set. I.e. set it only
    # after calling Cipher#decrypt, Cipher#key=, Cipher#iv= and Cipher#auth_tag=
    # first.
    #
    def auth_data=: (String) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.auth_tag(tag_len = 16) -> String
    # -->
    # Gets the authentication tag generated by Authenticated Encryption Cipher modes
    # (GCM for example). This tag may be stored along with the ciphertext, then set
    # on the decryption cipher to authenticate the contents of the ciphertext
    # against changes. If the optional integer parameter *tag_len* is given, the
    # returned tag will be *tag_len* bytes long. If the parameter is omitted, the
    # default length of 16 bytes or the length previously set by #auth_tag_len= will
    # be used. For maximum security, the longest possible should be chosen.
    #
    # The tag may only be retrieved after calling Cipher#final.
    #
    def auth_tag: (?Integer tag_len) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.auth_tag = string -> string
    # -->
    # Sets the authentication tag to verify the integrity of the ciphertext. This
    # can be called only when the cipher supports AE. The tag must be set after
    # calling Cipher#decrypt, Cipher#key= and Cipher#iv=, but before calling
    # Cipher#final. After all decryption is performed, the tag is verified
    # automatically in the call to Cipher#final.
    #
    # For OCB mode, the tag length must be supplied with #auth_tag_len= beforehand.
    #
    def auth_tag=: (String) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.auth_tag_len = Integer -> Integer
    # -->
    # Sets the length of the authentication tag to be generated or to be given for
    # AEAD ciphers that requires it as in input parameter. Note that not all AEAD
    # ciphers support this method.
    #
    # In OCB mode, the length must be supplied both when encrypting and when
    # decrypting, and must be before specifying an IV.
    #
    def auth_tag_len=: (Integer) -> Integer

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.authenticated? -> true | false
    # -->
    # Indicated whether this Cipher instance uses an Authenticated Encryption mode.
    #
    def authenticated?: () -> bool

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.block_size -> integer
    # -->
    # Returns the size in bytes of the blocks on which this Cipher operates on.
    #
    def block_size: () -> Integer

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.decrypt -> self
    # -->
    # Initializes the Cipher for decryption.
    #
    # Make sure to call Cipher#encrypt or Cipher#decrypt before using any of the
    # following methods:
    #
    #     #key=, #iv=, #random_key, #random_iv, #pkcs5_keyivgen
    # :
    #
    # Internally calls EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, 0).
    #
    def decrypt: () -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.encrypt -> self
    # -->
    # Initializes the Cipher for encryption.
    #
    # Make sure to call Cipher#encrypt or Cipher#decrypt before using any of the
    # following methods:
    #
    #     #key=, #iv=, #random_key, #random_iv, #pkcs5_keyivgen
    # :
    #
    # Internally calls EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, 1).
    #
    def encrypt: () -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.final -> string
    # -->
    # Returns the remaining data held in the cipher object. Further calls to
    # Cipher#update or Cipher#final will return garbage. This call should always be
    # made as the last call of an encryption or decryption operation, after having
    # fed the entire plaintext or ciphertext to the Cipher instance.
    #
    # If an authenticated cipher was used, a CipherError is raised if the tag could
    # not be authenticated successfully. Only call this method after setting the
    # authentication tag and passing the entire contents of the ciphertext into the
    # cipher.
    #
    def final: () -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.iv = string -> string
    # -->
    # Sets the cipher IV. Please note that since you should never be using ECB mode,
    # an IV is always explicitly required and should be set prior to encryption. The
    # IV itself can be safely transmitted in public, but it should be unpredictable
    # to prevent certain kinds of attacks. You may use Cipher#random_iv to create a
    # secure random IV.
    #
    # Only call this method after calling Cipher#encrypt or Cipher#decrypt.
    #
    def iv=: (String iv) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.iv_len -> integer
    # -->
    # Returns the expected length in bytes for an IV for this Cipher.
    #
    def iv_len: () -> Integer

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.iv_len = integer -> integer
    # -->
    # Sets the IV/nonce length of the Cipher. Normally block ciphers don't allow
    # changing the IV length, but some make use of IV for 'nonce'. You may need this
    # for interoperability with other applications.
    #
    def iv_len=: (Integer) -> Integer

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.key = string -> string
    # -->
    # Sets the cipher key. To generate a key, you should either use a secure random
    # byte string or, if the key is to be derived from a password, you should rely
    # on PBKDF2 functionality provided by OpenSSL::PKCS5. To generate a secure
    # random-based key, Cipher#random_key may be used.
    #
    # Only call this method after calling Cipher#encrypt or Cipher#decrypt.
    #
    def key=: (String key) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.key_len -> integer
    # -->
    # Returns the key length in bytes of the Cipher.
    #
    def key_len: () -> Integer

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.key_len = integer -> integer
    # -->
    # Sets the key length of the cipher.  If the cipher is a fixed length cipher
    # then attempting to set the key length to any value other than the fixed value
    # is an error.
    #
    # Under normal circumstances you do not need to call this method (and probably
    # shouldn't).
    #
    # See EVP_CIPHER_CTX_set_key_length for further information.
    #
    def key_len=: (Integer) -> Integer

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.name -> string
    # -->
    # Returns the name of the cipher which may differ slightly from the original
    # name provided.
    #
    def name: () -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.padding = integer -> integer
    # -->
    # Enables or disables padding. By default encryption operations are padded using
    # standard block padding and the padding is checked and removed when decrypting.
    # If the pad parameter is zero then no padding is performed, the total amount of
    # data encrypted or decrypted must then be a multiple of the block size or an
    # error will occur.
    #
    # See EVP_CIPHER_CTX_set_padding for further information.
    #
    def padding=: (Integer) -> Integer

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.pkcs5_keyivgen(pass, salt = nil, iterations = 2048, digest = "MD5") -> nil
    # -->
    # Generates and sets the key/IV based on a password.
    #
    # **WARNING**: This method is only PKCS5 v1.5 compliant when using RC2, RC4-40,
    # or DES with MD5 or SHA1. Using anything else (like AES) will generate the
    # key/iv using an OpenSSL specific method. This method is deprecated and should
    # no longer be used. Use a PKCS5 v2 key generation method from OpenSSL::PKCS5
    # instead.
    #
    # ### Parameters
    # *   *salt* must be an 8 byte string if provided.
    # *   *iterations* is an integer with a default of 2048.
    # *   *digest* is a Digest object that defaults to 'MD5'
    #
    #
    # A minimum of 1000 iterations is recommended.
    #
    def pkcs5_keyivgen: (String pass, ?String salt, ?Integer iterations, ?String digest) -> void

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/cipher.rb
    #   - cipher.random_iv -> iv
    # -->
    # Generate a random IV with OpenSSL::Random.random_bytes and sets it to the
    # cipher, and returns it.
    #
    # You must call #encrypt or #decrypt before calling this method.
    #
    def random_iv: () -> String

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/cipher.rb
    #   - cipher.random_key -> key
    # -->
    # Generate a random key with OpenSSL::Random.random_bytes and sets it to the
    # cipher, and returns it.
    #
    # You must call #encrypt or #decrypt before calling this method.
    #
    def random_key: () -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.reset -> self
    # -->
    # Fully resets the internal state of the Cipher. By using this, the same Cipher
    # instance may be used several times for encryption or decryption tasks.
    #
    # Internally calls EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, -1).
    #
    def reset: () -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - cipher.update(data [, buffer]) -> string or buffer
    # -->
    # Encrypts data in a streaming fashion. Hand consecutive blocks of data to the
    # #update method in order to encrypt it. Returns the encrypted data chunk. When
    # done, the output of Cipher#final should be additionally added to the result.
    #
    # If *buffer* is given, the encryption/decryption result will be written to it.
    # *buffer* will be resized automatically.
    #
    def update: (String data, ?String buffer) -> String

    private

    def ciphers: () -> Array[String]

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - Cipher.new(string) -> cipher
    # -->
    # The string must contain a valid cipher name like "aes-256-cbc".
    #
    # A list of cipher names is available by calling OpenSSL::Cipher.ciphers.
    #
    def initialize: (String cipher_name) -> void

    # <!--
    #   rdoc-file=ext/openssl/ossl_cipher.c
    #   - initialize_copy(p1)
    # -->
    #
    def initialize_copy: (untyped) -> untyped

    class AES < OpenSSL::Cipher
      private

      def initialize: (*_ToS args) -> void
    end

    class AES128 < OpenSSL::Cipher
      private

      def initialize: (?_ToS mode) -> void
    end

    class AES192 < OpenSSL::Cipher
      private

      def initialize: (?_ToS mode) -> void
    end

    class AES256 < OpenSSL::Cipher
      private

      def initialize: (?_ToS mode) -> void
    end

    class BF < OpenSSL::Cipher
      private

      def initialize: (*_ToS args) -> void
    end

    class CAST5 < OpenSSL::Cipher
      private

      def initialize: (*_ToS args) -> void
    end

    # <!-- rdoc-file=ext/openssl/lib/openssl/cipher.rb -->
    # Deprecated.
    #
    # This class is only provided for backwards compatibility. Use OpenSSL::Cipher.
    #
    class Cipher < OpenSSL::Cipher
    end

    class CipherError < OpenSSL::OpenSSLError
    end

    class DES < OpenSSL::Cipher
      private

      def initialize: (*_ToS args) -> void
    end

    class IDEA < OpenSSL::Cipher
      private

      def initialize: (*_ToS args) -> void
    end

    class RC2 < OpenSSL::Cipher
      private

      def initialize: (*_ToS args) -> void
    end

    class RC4 < OpenSSL::Cipher
      private

      def initialize: (*_ToS args) -> void
    end

    class RC5 < OpenSSL::Cipher
      private

      def initialize: (*_ToS args) -> void
    end
  end

  # <!-- rdoc-file=ext/openssl/ossl_config.c -->
  # Configuration for the openssl library.
  #
  # Many system's installation of openssl library will depend on your system
  # configuration. See the value of OpenSSL::Config::DEFAULT_CONFIG_FILE for the
  # location of the file for your host.
  #
  # See also http://www.openssl.org/docs/apps/config.html
  #
  class Config
    include Enumerable[[ String, String, String ]]

    def self.load: (?_ToS filename) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_config.c
    #   - Config.parse(string) -> OpenSSL::Config
    # -->
    # Parses a given *string* as a blob that contains configuration for OpenSSL.
    #
    def self.parse: (String string) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_config.c
    #   - Config.parse_config(io) -> hash
    # -->
    # Parses the configuration data read from *io* and returns the whole content as
    # a Hash.
    #
    def self.parse_config: (IO io) -> Hash[String, Hash[String, String]]

    # <!--
    #   rdoc-file=ext/openssl/ossl_config.c
    #   - config[section] -> hash
    # -->
    # Gets all key-value pairs in a specific *section* from the current
    # configuration.
    #
    # Given the following configurating file being loaded:
    #
    #     config = OpenSSL::Config.load('foo.cnf')
    #       #=> #<OpenSSL::Config sections=["default"]>
    #     puts config.to_s
    #       #=> [ default ]
    #       #   foo=bar
    #
    # You can get a hash of the specific section like so:
    #
    #     config['default']
    #       #=> {"foo"=>"bar"}
    #
    def []: (String section) -> Hash[String, String]

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/config.rb
    #   - []=(section, pairs)
    # -->
    # *Deprecated in v2.2.0*. This method will be removed in a future release.
    #
    # Sets a specific *section* name with a Hash *pairs*.
    #
    # Given the following configuration being created:
    #
    #     config = OpenSSL::Config.new
    #       #=> #<OpenSSL::Config sections=[]>
    #     config['default'] = {"foo"=>"bar","baz"=>"buz"}
    #       #=> {"foo"=>"bar", "baz"=>"buz"}
    #     puts config.to_s
    #       #=> [ default ]
    #       #   foo=bar
    #       #   baz=buz
    #
    # It's important to note that this will essentially merge any of the keys in
    # *pairs* with the existing *section*. For example:
    #
    #     config['default']
    #       #=> {"foo"=>"bar", "baz"=>"buz"}
    #     config['default'] = {"foo" => "changed"}
    #       #=> {"foo"=>"changed"}
    #     config['default']
    #       #=> {"foo"=>"changed", "baz"=>"buz"}
    #
    def []=: (String section, _Each[[ String, String ]] pairs) -> _Each[[ String, String ]]

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/config.rb
    #   - add_value(section, key, value)
    # -->
    # *Deprecated in v2.2.0*. This method will be removed in a future release.
    #
    # Set the target *key* with a given *value* under a specific *section*.
    #
    # Given the following configurating file being loaded:
    #
    #     config = OpenSSL::Config.load('foo.cnf')
    #       #=> #<OpenSSL::Config sections=["default"]>
    #     puts config.to_s
    #       #=> [ default ]
    #       #   foo=bar
    #
    # You can set the value of *foo* under the *default* section to a new value:
    #
    #     config.add_value('default', 'foo', 'buzz')
    #       #=> "buzz"
    #     puts config.to_s
    #       #=> [ default ]
    #       #   foo=buzz
    #
    def add_value: (String section, untyped key, untyped value) -> untyped

    # <!--
    #   rdoc-file=ext/openssl/ossl_config.c
    #   - config.each { |section, key, value| }
    # -->
    # Retrieves the section and its pairs for the current configuration.
    #
    #     config.each do |section, key, value|
    #       # ...
    #     end
    #
    def each: () { ([ String, String, String ] args0) -> void } -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_config.c
    #   - config.get_value(section, key) -> string
    # -->
    # Gets the value of *key* from the given *section*.
    #
    # Given the following configurating file being loaded:
    #
    #     config = OpenSSL::Config.load('foo.cnf')
    #       #=> #<OpenSSL::Config sections=["default"]>
    #     puts config.to_s
    #       #=> [ default ]
    #       #   foo=bar
    #
    # You can get a specific value from the config if you know the *section* and
    # *key* like so:
    #
    #     config.get_value('default','foo')
    #       #=> "bar"
    #
    def get_value: (String section, String key) -> String?

    # <!--
    #   rdoc-file=ext/openssl/ossl_config.c
    #   - config.inspect -> string
    # -->
    # String representation of this configuration object, including the class name
    # and its sections.
    #
    def inspect: () -> String

    def section: (String name) -> Hash[String, String]

    # <!--
    #   rdoc-file=ext/openssl/ossl_config.c
    #   - config.sections -> array of string
    # -->
    # Get the names of all sections in the current configuration.
    #
    def sections: () -> Array[String]

    # <!--
    #   rdoc-file=ext/openssl/ossl_config.c
    #   - config.to_s -> string
    # -->
    # Gets the parsable form of the current configuration.
    #
    # Given the following configuration being created:
    #
    #     config = OpenSSL::Config.new
    #       #=> #<OpenSSL::Config sections=[]>
    #     config['default'] = {"foo"=>"bar","baz"=>"buz"}
    #       #=> {"foo"=>"bar", "baz"=>"buz"}
    #     puts config.to_s
    #       #=> [ default ]
    #       #   foo=bar
    #       #   baz=buz
    #
    # You can parse get the serialized configuration using #to_s and then parse it
    # later:
    #
    #     serialized_config = config.to_s
    #     # much later...
    #     new_config = OpenSSL::Config.parse(serialized_config)
    #       #=> #<OpenSSL::Config sections=["default"]>
    #     puts new_config
    #       #=> [ default ]
    #           foo=bar
    #           baz=buz
    #
    def to_s: () -> String

    private

    # <!--
    #   rdoc-file=ext/openssl/ossl_config.c
    #   - Config.new(filename) -> OpenSSL::Config
    # -->
    # Creates an instance of OpenSSL::Config from the content of the file specified
    # by *filename*.
    #
    # This can be used in contexts like OpenSSL::X509::ExtensionFactory.config=
    #
    # This can raise IO exceptions based on the access, or availability of the file.
    # A ConfigError exception may be raised depending on the validity of the data
    # being configured.
    #
    def initialize: (?_ToS filename) -> void

    # <!--
    #   rdoc-file=ext/openssl/ossl_config.c
    #   - initialize_copy(p1)
    # -->
    #
    def initialize_copy: (instance other) -> void

    # <!-- rdoc-file=ext/openssl/ossl_config.c -->
    # The default system configuration file for OpenSSL.
    #
    DEFAULT_CONFIG_FILE: String
  end

  # <!-- rdoc-file=ext/openssl/ossl_config.c -->
  # General error for openssl library configuration files. Including formatting,
  # parsing errors, etc.
  #
  class ConfigError < OpenSSL::OpenSSLError
  end

  # <!-- rdoc-file=ext/openssl/ossl_digest.c -->
  # OpenSSL::Digest allows you to compute message digests (sometimes
  # interchangeably called "hashes") of arbitrary data that are cryptographically
  # secure, i.e. a Digest implements a secure one-way function.
  #
  # One-way functions offer some useful properties. E.g. given two distinct inputs
  # the probability that both yield the same output is highly unlikely. Combined
  # with the fact that every message digest algorithm has a fixed-length output of
  # just a few bytes, digests are often used to create unique identifiers for
  # arbitrary data. A common example is the creation of a unique id for binary
  # documents that are stored in a database.
  #
  # Another useful characteristic of one-way functions (and thus the name) is that
  # given a digest there is no indication about the original data that produced
  # it, i.e. the only way to identify the original input is to "brute-force"
  # through every possible combination of inputs.
  #
  # These characteristics make one-way functions also ideal companions for public
  # key signature algorithms: instead of signing an entire document, first a hash
  # of the document is produced with a considerably faster message digest
  # algorithm and only the few bytes of its output need to be signed using the
  # slower public key algorithm. To validate the integrity of a signed document,
  # it suffices to re-compute the hash and verify that it is equal to that in the
  # signature.
  #
  # You can get a list of all digest algorithms supported on your system by
  # running this command in your terminal:
  #
  #     openssl list -digest-algorithms
  #
  # Among the OpenSSL 1.1.1 supported message digest algorithms are:
  # *   SHA224, SHA256, SHA384, SHA512, SHA512-224 and SHA512-256
  # *   SHA3-224, SHA3-256, SHA3-384 and SHA3-512
  # *   BLAKE2s256 and BLAKE2b512
  #
  #
  # Each of these algorithms can be instantiated using the name:
  #
  #     digest = OpenSSL::Digest.new('SHA256')
  #
  # "Breaking" a message digest algorithm means defying its one-way function
  # characteristics, i.e. producing a collision or finding a way to get to the
  # original data by means that are more efficient than brute-forcing etc. Most of
  # the supported digest algorithms can be considered broken in this sense, even
  # the very popular MD5 and SHA1 algorithms. Should security be your highest
  # concern, then you should probably rely on SHA224, SHA256, SHA384 or SHA512.
  #
  # ### Hashing a file
  #
  #     data = File.binread('document')
  #     sha256 = OpenSSL::Digest.new('SHA256')
  #     digest = sha256.digest(data)
  #
  # ### Hashing several pieces of data at once
  #
  #     data1 = File.binread('file1')
  #     data2 = File.binread('file2')
  #     data3 = File.binread('file3')
  #     sha256 = OpenSSL::Digest.new('SHA256')
  #     sha256 << data1
  #     sha256 << data2
  #     sha256 << data3
  #     digest = sha256.digest
  #
  # ### Reuse a Digest instance
  #
  #     data1 = File.binread('file1')
  #     sha256 = OpenSSL::Digest.new('SHA256')
  #     digest1 = sha256.digest(data1)
  #
  #     data2 = File.binread('file2')
  #     sha256.reset
  #     digest2 = sha256.digest(data2)
  #
  class Digest < ::Digest::Class
    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/digest.rb
    #   - digest(name, data)
    # -->
    # Return the hash value computed with *name* Digest. *name* is either the long
    # name or short name of a supported digest algorithm.
    #
    # ### Example
    #
    #     OpenSSL::Digest.digest("SHA256", "abc")
    #
    def self.digest: (String name, String data) -> String

    # <!-- rdoc-file=ext/openssl/ossl_digest.c -->
    # Not every message digest can be computed in one single pass. If a message
    # digest is to be computed from several subsequent sources, then each may be
    # passed individually to the Digest instance.
    #
    # ### Example
    #     digest = OpenSSL::Digest.new('SHA256')
    #     digest.update('First input')
    #     digest << 'Second input' # equivalent to digest.update('Second input')
    #     result = digest.digest
    #
    alias << update

    # <!--
    #   rdoc-file=ext/openssl/ossl_digest.c
    #   - digest.block_length -> integer
    # -->
    # Returns the block length of the digest algorithm, i.e. the length in bytes of
    # an individual block. Most modern algorithms partition a message to be digested
    # into a sequence of fix-sized blocks that are processed consecutively.
    #
    # ### Example
    #     digest = OpenSSL::Digest.new('SHA1')
    #     puts digest.block_length # => 64
    #
    def block_length: () -> Integer

    def digest: (?String data) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_digest.c
    #   - digest.digest_length -> integer
    # -->
    # Returns the output size of the digest, i.e. the length in bytes of the final
    # message digest result.
    #
    # ### Example
    #     digest = OpenSSL::Digest.new('SHA1')
    #     puts digest.digest_length # => 20
    #
    def digest_length: () -> Integer

    def hexdigest: () -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_digest.c
    #   - digest.name -> string
    # -->
    # Returns the sn of this Digest algorithm.
    #
    # ### Example
    #     digest = OpenSSL::Digest.new('SHA512')
    #     puts digest.name # => SHA512
    #
    def name: () -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_digest.c
    #   - digest.reset -> self
    # -->
    # Resets the Digest in the sense that any Digest#update that has been performed
    # is abandoned and the Digest is set to its initial state again.
    #
    def reset: () -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_digest.c
    #   - digest.update(string) -> aString
    # -->
    # Not every message digest can be computed in one single pass. If a message
    # digest is to be computed from several subsequent sources, then each may be
    # passed individually to the Digest instance.
    #
    # ### Example
    #     digest = OpenSSL::Digest.new('SHA256')
    #     digest.update('First input')
    #     digest << 'Second input' # equivalent to digest.update('Second input')
    #     result = digest.digest
    #
    def update: (String data) -> self

    private

    # <!--
    #   rdoc-file=ext/openssl/ossl_digest.c
    #   - digest.finish -> aString
    # -->
    #
    def finish: (*untyped) -> untyped

    # <!--
    #   rdoc-file=ext/openssl/ossl_digest.c
    #   - Digest.new(string [, data]) -> Digest
    # -->
    # Creates a Digest instance based on *string*, which is either the ln (long
    # name) or sn (short name) of a supported digest algorithm.
    #
    # If *data* (a String) is given, it is used as the initial input to the Digest
    # instance, i.e.
    #
    #     digest = OpenSSL::Digest.new('sha256', 'digestdata')
    #
    # is equivalent to
    #
    #     digest = OpenSSL::Digest.new('sha256')
    #     digest.update('digestdata')
    #
    def initialize: (String name, ?String data) -> void

    # <!--
    #   rdoc-file=ext/openssl/ossl_digest.c
    #   - initialize_copy(p1)
    # -->
    #
    def initialize_copy: (instance) -> void

    class Digest < OpenSSL::Digest
    end

    # <!-- rdoc-file=ext/openssl/ossl_digest.c -->
    # Generic Exception class that is raised if an error occurs during a Digest
    # operation.
    #
    class DigestError < OpenSSL::OpenSSLError
    end

    class MD4 < OpenSSL::Digest
      def self.digest: (String data) -> String

      def self.hexdigest: (String data) -> String

      private

      def initialize: (?String data) -> void
    end

    class MD5 < OpenSSL::Digest
      def self.digest: (String data) -> String

      def self.hexdigest: (String data) -> String

      private

      def initialize: (?String data) -> void
    end

    class RIPEMD160 < OpenSSL::Digest
      def self.digest: (String data) -> String

      def self.hexdigest: (String data) -> String

      private

      def initialize: (?String data) -> void
    end

    class SHA1 < OpenSSL::Digest
      def self.digest: (String data) -> String

      def self.hexdigest: (String data) -> String

      private

      def initialize: (?String data) -> void
    end

    class SHA224 < OpenSSL::Digest
      def self.digest: (String data) -> String

      def self.hexdigest: (String data) -> String

      private

      def initialize: (?String data) -> void
    end

    class SHA256 < OpenSSL::Digest
      def self.digest: (String data) -> String

      def self.hexdigest: (String data) -> String

      private

      def initialize: (?String data) -> void
    end

    class SHA384 < OpenSSL::Digest
      def self.digest: (String data) -> String

      def self.hexdigest: (String data) -> String

      private

      def initialize: (?String data) -> void
    end

    class SHA512 < OpenSSL::Digest
      def self.digest: (String data) -> String

      def self.hexdigest: (String data) -> String

      private

      def initialize: (?String data) -> void
    end
  end

  # <!-- rdoc-file=ext/openssl/ossl_engine.c -->
  # This class is the access to openssl's ENGINE cryptographic module
  # implementation.
  #
  # See also, https://www.openssl.org/docs/crypto/engine.html
  #
  class Engine
    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - OpenSSL::Engine.by_id(name) -> engine
    # -->
    # Fetches the engine as specified by the *id* String.
    #
    #     OpenSSL::Engine.by_id("openssl")
    #      => #<OpenSSL::Engine id="openssl" name="Software engine support">
    #
    # See OpenSSL::Engine.engines for the currently loaded engines.
    #
    def self.by_id: (String name) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - OpenSSL::Engine.cleanup
    # -->
    # It is only necessary to run cleanup when engines are loaded via
    # OpenSSL::Engine.load. However, running cleanup before exit is recommended.
    #
    # Note that this is needed and works only in OpenSSL < 1.1.0.
    #
    def self.cleanup: () -> void

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - OpenSSL::Engine.engines -> [engine, ...]
    # -->
    # Returns an array of currently loaded engines.
    #
    def self.engines: () -> Array[instance]

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - OpenSSL::Engine.load(name = nil)
    # -->
    # This method loads engines. If *name* is nil, then all builtin engines are
    # loaded. Otherwise, the given *name*, as a String,  is loaded if available to
    # your runtime, and returns true. If *name* is not found, then nil is returned.
    #
    def self.load: (?String name) -> (true | nil)

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - engine.cipher(name) -> OpenSSL::Cipher
    # -->
    # Returns a new instance of OpenSSL::Cipher by *name*, if it is available in
    # this engine.
    #
    # An EngineError will be raised if the cipher is unavailable.
    #
    #     e = OpenSSL::Engine.by_id("openssl")
    #      => #<OpenSSL::Engine id="openssl" name="Software engine support">
    #     e.cipher("RC4")
    #      => #<OpenSSL::Cipher:0x007fc5cacc3048>
    #
    def cipher: (String cipher) -> Cipher

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - engine.cmds -> [["name", "description", "flags"], ...]
    # -->
    # Returns an array of command definitions for the current engine
    #
    def cmds: () -> Array[[ String, String, String ]]

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - engine.ctrl_cmd(command, value = nil) -> engine
    # -->
    # Sends the given *command* to this engine.
    #
    # Raises an EngineError if the command fails.
    #
    def ctrl_cmd: (String cmd, ?String value) -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - engine.digest(name) -> OpenSSL::Digest
    # -->
    # Returns a new instance of OpenSSL::Digest by *name*.
    #
    # Will raise an EngineError if the digest is unavailable.
    #
    #     e = OpenSSL::Engine.by_id("openssl")
    #       #=> #<OpenSSL::Engine id="openssl" name="Software engine support">
    #     e.digest("SHA1")
    #       #=> #<OpenSSL::Digest: da39a3ee5e6b4b0d3255bfef95601890afd80709>
    #     e.digest("zomg")
    #       #=> OpenSSL::Engine::EngineError: no such digest `zomg'
    #
    def digest: (String digest) -> Digest

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - engine.finish -> nil
    # -->
    # Releases all internal structural references for this engine.
    #
    # May raise an EngineError if the engine is unavailable
    #
    def finish: () -> nil

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - engine.id -> string
    # -->
    # Gets the id for this engine.
    #
    #     OpenSSL::Engine.load
    #     OpenSSL::Engine.engines #=> [#<OpenSSL::Engine#>, ...]
    #     OpenSSL::Engine.engines.first.id
    #       #=> "rsax"
    #
    def id: () -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - engine.inspect -> string
    # -->
    # Pretty prints this engine.
    #
    def inspect: () -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - engine.load_private_key(id = nil, data = nil) -> OpenSSL::PKey
    # -->
    # Loads the given private key identified by *id* and *data*.
    #
    # An EngineError is raised of the OpenSSL::PKey is unavailable.
    #
    def load_private_key: (?String id, ?String data) -> PKey::PKey

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - engine.load_public_key(id = nil, data = nil) -> OpenSSL::PKey
    # -->
    # Loads the given public key identified by *id* and *data*.
    #
    # An EngineError is raised of the OpenSSL::PKey is unavailable.
    #
    def load_public_key: (?String id, ?String data) -> PKey::PKey

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - engine.name -> string
    # -->
    # Get the descriptive name for this engine.
    #
    #     OpenSSL::Engine.load
    #     OpenSSL::Engine.engines #=> [#<OpenSSL::Engine#>, ...]
    #     OpenSSL::Engine.engines.first.name
    #       #=> "RSAX engine support"
    #
    def name: () -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_engine.c
    #   - engine.set_default(flag)
    # -->
    # Set the defaults for this engine with the given *flag*.
    #
    # These flags are used to control combinations of algorithm methods.
    #
    # *flag* can be one of the following, other flags are available depending on
    # your OS.
    #
    # All flags
    # :   0xFFFF
    # No flags
    # :   0x0000
    #
    #
    # See also <openssl/engine.h>
    #
    def set_default: (Integer flag) -> bool

    METHOD_ALL: Integer

    METHOD_CIPHERS: Integer

    METHOD_DH: Integer

    METHOD_DIGESTS: Integer

    METHOD_DSA: Integer

    METHOD_NONE: Integer

    METHOD_RAND: Integer

    METHOD_RSA: Integer

    # <!-- rdoc-file=ext/openssl/ossl_engine.c -->
    # This is the generic exception for OpenSSL::Engine related errors
    #
    class EngineError < OpenSSL::OpenSSLError
    end
  end

  # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
  # This module contains configuration information about the SSL extension, for
  # example if socket support is enabled, or the host name TLS extension is
  # enabled.  Constants in this module will always be defined, but contain `true`
  # or `false` values depending on the configuration of your OpenSSL installation.
  #
  module ExtConfig
    HAVE_TLSEXT_HOST_NAME: bool

    OPENSSL_NO_SOCK: bool
  end

  # <!-- rdoc-file=ext/openssl/ossl_hmac.c -->
  # OpenSSL::HMAC allows computing Hash-based Message Authentication Code (HMAC).
  # It is a type of message authentication code (MAC) involving a hash function in
  # combination with a key. HMAC can be used to verify the integrity of a message
  # as well as the authenticity.
  #
  # OpenSSL::HMAC has a similar interface to OpenSSL::Digest.
  #
  # ### HMAC-SHA256 using one-shot interface
  #
  #     key = "key"
  #     data = "message-to-be-authenticated"
  #     mac = OpenSSL::HMAC.hexdigest("SHA256", key, data)
  #     #=> "cddb0db23f469c8bf072b21fd837149bd6ace9ab771cceef14c9e517cc93282e"
  #
  # ### HMAC-SHA256 using incremental interface
  #
  #     data1 = File.binread("file1")
  #     data2 = File.binread("file2")
  #     key = "key"
  #     hmac = OpenSSL::HMAC.new(key, 'SHA256')
  #     hmac << data1
  #     hmac << data2
  #     mac = hmac.digest
  #
  class HMAC
    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/hmac.rb
    #   - HMAC.digest(digest, key, data) -> aString
    # -->
    # Returns the authentication code as a binary string. The *digest* parameter
    # specifies the digest algorithm to use. This may be a String representing the
    # algorithm name or an instance of OpenSSL::Digest.
    #
    # ### Example
    #     key = 'key'
    #     data = 'The quick brown fox jumps over the lazy dog'
    #
    #     hmac = OpenSSL::HMAC.digest('SHA1', key, data)
    #     #=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9"
    #
    def self.digest: (String | Digest algo, String key, String data) -> String

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/hmac.rb
    #   - HMAC.hexdigest(digest, key, data) -> aString
    # -->
    # Returns the authentication code as a hex-encoded string. The *digest*
    # parameter specifies the digest algorithm to use. This may be a String
    # representing the algorithm name or an instance of OpenSSL::Digest.
    #
    # ### Example
    #     key = 'key'
    #     data = 'The quick brown fox jumps over the lazy dog'
    #
    #     hmac = OpenSSL::HMAC.hexdigest('SHA1', key, data)
    #     #=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"
    #
    def self.hexdigest: (String | Digest algo, String key, String data) -> String

    # <!-- rdoc-file=ext/openssl/ossl_hmac.c -->
    # Returns *hmac* updated with the message to be authenticated. Can be called
    # repeatedly with chunks of the message.
    #
    # ### Example
    #
    #     first_chunk = 'The quick brown fox jumps '
    #     second_chunk = 'over the lazy dog'
    #
    #     instance.update(first_chunk)
    #     #=> 5b9a8038a65d571076d97fe783989e52278a492a
    #     instance.update(second_chunk)
    #     #=> de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
    #
    alias << update

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/hmac.rb
    #   - ==(other)
    # -->
    # Securely compare with another HMAC instance in constant time.
    #
    def ==: (instance other) -> bool

    # <!--
    #   rdoc-file=ext/openssl/ossl_hmac.c
    #   - hmac.digest -> string
    # -->
    # Returns the authentication code an instance represents as a binary string.
    #
    # ### Example
    #     instance = OpenSSL::HMAC.new('key', 'SHA1')
    #     #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
    #     instance.digest
    #     #=> "\xF4+\xB0\xEE\xB0\x18\xEB\xBDE\x97\xAEr\x13q\x1E\xC6\a`\x84?"
    #
    def digest: () -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_hmac.c
    #   - hmac.hexdigest -> string
    # -->
    # Returns the authentication code an instance represents as a hex-encoded
    # string.
    #
    def hexdigest: () -> String

    # <!-- rdoc-file=ext/openssl/lib/openssl/hmac.rb -->
    # Returns the authentication code as a hex-encoded string. The *digest*
    # parameter specifies the digest algorithm to use. This may be a String
    # representing the algorithm name or an instance of OpenSSL::Digest.
    #
    # ### Example
    #     key = 'key'
    #     data = 'The quick brown fox jumps over the lazy dog'
    #
    #     hmac = OpenSSL::HMAC.hexdigest('SHA1', key, data)
    #     #=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"
    #
    alias inspect hexdigest

    # <!--
    #   rdoc-file=ext/openssl/ossl_hmac.c
    #   - hmac.reset -> self
    # -->
    # Returns *hmac* as it was when it was first initialized, with all processed
    # data cleared from it.
    #
    # ### Example
    #
    #     data = "The quick brown fox jumps over the lazy dog"
    #     instance = OpenSSL::HMAC.new('key', 'SHA1')
    #     #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
    #
    #     instance.update(data)
    #     #=> de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
    #     instance.reset
    #     #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
    #
    def reset: () -> self

    # <!-- rdoc-file=ext/openssl/lib/openssl/hmac.rb -->
    # Returns the authentication code as a hex-encoded string. The *digest*
    # parameter specifies the digest algorithm to use. This may be a String
    # representing the algorithm name or an instance of OpenSSL::Digest.
    #
    # ### Example
    #     key = 'key'
    #     data = 'The quick brown fox jumps over the lazy dog'
    #
    #     hmac = OpenSSL::HMAC.hexdigest('SHA1', key, data)
    #     #=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"
    #
    alias to_s hexdigest

    # <!--
    #   rdoc-file=ext/openssl/ossl_hmac.c
    #   - hmac.update(string) -> self
    # -->
    # Returns *hmac* updated with the message to be authenticated. Can be called
    # repeatedly with chunks of the message.
    #
    # ### Example
    #
    #     first_chunk = 'The quick brown fox jumps '
    #     second_chunk = 'over the lazy dog'
    #
    #     instance.update(first_chunk)
    #     #=> 5b9a8038a65d571076d97fe783989e52278a492a
    #     instance.update(second_chunk)
    #     #=> de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
    #
    def update: (String data) -> self

    private

    # <!--
    #   rdoc-file=ext/openssl/ossl_hmac.c
    #   - HMAC.new(key, digest) -> hmac
    # -->
    # Returns an instance of OpenSSL::HMAC set with the key and digest algorithm to
    # be used. The instance represents the initial state of the message
    # authentication code before any data has been processed. To process data with
    # it, use the instance method #update with your data as an argument.
    #
    # ### Example
    #
    #     key = 'key'
    #     instance = OpenSSL::HMAC.new(key, 'SHA1')
    #     #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
    #     instance.class
    #     #=> OpenSSL::HMAC
    #
    # ### A note about comparisons
    #
    # Two instances can be securely compared with #== in constant time:
    #
    #         other_instance = OpenSSL::HMAC.new('key', 'SHA1')
    #     #=> f42bb0eeb018ebbd4597ae7213711ec60760843f
    #     instance == other_instance
    #     #=> true
    #
    def initialize: (String key, String | Digest digest) -> void

    # <!--
    #   rdoc-file=ext/openssl/ossl_hmac.c
    #   - initialize_copy(p1)
    # -->
    #
    def initialize_copy: (instance) -> void
  end

  # <!-- rdoc-file=ext/openssl/ossl_hmac.c -->
  # Document-class: OpenSSL::HMAC
  #
  # OpenSSL::HMAC allows computing Hash-based Message Authentication Code (HMAC).
  # It is a type of message authentication code (MAC) involving a hash function in
  # combination with a key. HMAC can be used to verify the integrity of a message
  # as well as the authenticity.
  #
  # OpenSSL::HMAC has a similar interface to OpenSSL::Digest.
  #
  # ### HMAC-SHA256 using one-shot interface
  #
  #     key = "key"
  #     data = "message-to-be-authenticated"
  #     mac = OpenSSL::HMAC.hexdigest("SHA256", key, data)
  #     #=> "cddb0db23f469c8bf072b21fd837149bd6ace9ab771cceef14c9e517cc93282e"
  #
  # ### HMAC-SHA256 using incremental interface
  #
  #     data1 = File.binread("file1")
  #     data2 = File.binread("file2")
  #     key = "key"
  #     hmac = OpenSSL::HMAC.new(key, 'SHA256')
  #     hmac << data1
  #     hmac << data2
  #     mac = hmac.digest
  #
  class HMACError < OpenSSL::OpenSSLError
  end

  # <!-- rdoc-file=ext/openssl/ossl_kdf.c -->
  # Provides functionality of various KDFs (key derivation function).
  #
  # KDF is typically used for securely deriving arbitrary length symmetric keys to
  # be used with an OpenSSL::Cipher from passwords. Another use case is for
  # storing passwords: Due to the ability to tweak the effort of computation by
  # increasing the iteration count, computation can be slowed down artificially in
  # order to render possible attacks infeasible.
  #
  # Currently, OpenSSL::KDF provides implementations for the following KDF:
  #
  # *   PKCS #5 PBKDF2 (Password-Based Key Derivation Function 2) in combination
  #     with HMAC
  # *   scrypt
  # *   HKDF
  #
  #
  # ## Examples
  # ### Generating a 128 bit key for a Cipher (e.g. AES)
  #     pass = "secret"
  #     salt = OpenSSL::Random.random_bytes(16)
  #     iter = 20_000
  #     key_len = 16
  #     key = OpenSSL::KDF.pbkdf2_hmac(pass, salt: salt, iterations: iter,
  #                                    length: key_len, hash: "sha1")
  #
  # ### Storing Passwords
  #     pass = "secret"
  #     # store this with the generated value
  #     salt = OpenSSL::Random.random_bytes(16)
  #     iter = 20_000
  #     hash = OpenSSL::Digest.new('SHA256')
  #     len = hash.digest_length
  #     # the final value to be stored
  #     value = OpenSSL::KDF.pbkdf2_hmac(pass, salt: salt, iterations: iter,
  #                                      length: len, hash: hash)
  #
  # ## Important Note on Checking Passwords
  # When comparing passwords provided by the user with previously stored values, a
  # common mistake made is comparing the two values using "==". Typically, "=="
  # short-circuits on evaluation, and is therefore vulnerable to timing attacks.
  # The proper way is to use a method that always takes the same amount of time
  # when comparing two values, thus not leaking any information to potential
  # attackers. To do this, use `OpenSSL.fixed_length_secure_compare`.
  #
  module KDF
    # <!--
    #   rdoc-file=ext/openssl/ossl_kdf.c
    #   - KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String
    # -->
    # HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as specified in
    # [RFC 5869](https://tools.ietf.org/html/rfc5869).
    #
    # New in OpenSSL 1.1.0.
    #
    # ### Parameters
    # *ikm*
    # :   The input keying material.
    # *salt*
    # :   The salt.
    # *info*
    # :   The context and application specific information.
    # *length*
    # :   The output length in octets. Must be <= `255 * HashLen`, where HashLen is
    #     the length of the hash function output in octets.
    # *hash*
    # :   The hash function.
    #
    #
    # ### Example
    #     # The values from https://datatracker.ietf.org/doc/html/rfc5869#appendix-A.1
    #     ikm = ["0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"].pack("H*")
    #     salt = ["000102030405060708090a0b0c"].pack("H*")
    #     info = ["f0f1f2f3f4f5f6f7f8f9"].pack("H*")
    #     p OpenSSL::KDF.hkdf(ikm, salt: salt, info: info, length: 42, hash: "SHA256").unpack1("H*")
    #     # => "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    #
    def self.hkdf: (String ikm, salt: String, info: String, length: Integer, hash: String) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_kdf.c
    #   - KDF.pbkdf2_hmac(pass, salt:, iterations:, length:, hash:) -> aString
    # -->
    # PKCS #5 PBKDF2 (Password-Based Key Derivation Function 2) in combination with
    # HMAC. Takes *pass*, *salt* and *iterations*, and then derives a key of
    # *length* bytes.
    #
    # For more information about PBKDF2, see RFC 2898 Section 5.2
    # (https://tools.ietf.org/html/rfc2898#section-5.2).
    #
    # ### Parameters
    # pass
    # :   The password.
    # salt
    # :   The salt. Salts prevent attacks based on dictionaries of common passwords
    #     and attacks based on rainbow tables. It is a public value that can be
    #     safely stored along with the password (e.g. if the derived value is used
    #     for password storage).
    # iterations
    # :   The iteration count. This provides the ability to tune the algorithm. It
    #     is better to use the highest count possible for the maximum resistance to
    #     brute-force attacks.
    # length
    # :   The desired length of the derived key in octets.
    # hash
    # :   The hash algorithm used with HMAC for the PRF. May be a String
    #     representing the algorithm name, or an instance of OpenSSL::Digest.
    #
    def self.pbkdf2_hmac: (String pass, salt: String, iterations: Integer, length: Integer, hash: String | Digest) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_kdf.c
    #   - KDF.scrypt(pass, salt:, N:, r:, p:, length:) -> aString
    # -->
    # Derives a key from *pass* using given parameters with the scrypt
    # password-based key derivation function. The result can be used for password
    # storage.
    #
    # scrypt is designed to be memory-hard and more secure against brute-force
    # attacks using custom hardwares than alternative KDFs such as PBKDF2 or bcrypt.
    #
    # The keyword arguments *N*, *r* and *p* can be used to tune scrypt. RFC 7914
    # (published on 2016-08, https://tools.ietf.org/html/rfc7914#section-2) states
    # that using values r=8 and p=1 appears to yield good results.
    #
    # See RFC 7914 (https://tools.ietf.org/html/rfc7914) for more information.
    #
    # ### Parameters
    # pass
    # :   Passphrase.
    # salt
    # :   Salt.
    # N
    # :   CPU/memory cost parameter. This must be a power of 2.
    # r
    # :   Block size parameter.
    # p
    # :   Parallelization parameter.
    # length
    # :   Length in octets of the derived key.
    #
    #
    # ### Example
    #     pass = "password"
    #     salt = SecureRandom.random_bytes(16)
    #     dk = OpenSSL::KDF.scrypt(pass, salt: salt, N: 2**14, r: 8, p: 1, length: 32)
    #     p dk #=> "\xDA\xE4\xE2...\x7F\xA1\x01T"
    #
    def self.scrypt: (String pass, salt: String, N: Integer, r: Integer, p: Integer, length: Integer) -> String

    private

    def hkdf: (*untyped) -> untyped

    def pbkdf2_hmac: (*untyped) -> untyped

    def scrypt: (*untyped) -> untyped

    # <!-- rdoc-file=ext/openssl/ossl_kdf.c -->
    # Generic exception class raised if an error occurs in OpenSSL::KDF module.
    #
    class KDFError < OpenSSL::OpenSSLError
    end
  end

  module Marshal
    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/marshal.rb
    #   - included(base)
    # -->
    #
    def self.included: (untyped base) -> untyped

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/marshal.rb
    #   - _dump(_level)
    # -->
    #
    def _dump: (untyped _level) -> untyped

    module ClassMethods
      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/marshal.rb
      #   - _load(string)
      # -->
      #
      def _load: (untyped string) -> untyped
    end
  end

  # <!-- rdoc-file=ext/openssl/ossl_ns_spki.c -->
  # OpenSSL::Netscape is a namespace for SPKI (Simple Public Key Infrastructure)
  # which implements Signed Public Key and Challenge. See [RFC
  # 2692](http://tools.ietf.org/html/rfc2692) and [RFC
  # 2693](http://tools.ietf.org/html/rfc2692) for details.
  #
  module Netscape
    # <!-- rdoc-file=ext/openssl/ossl_ns_spki.c -->
    # A Simple Public Key Infrastructure implementation (pronounced "spooky"). The
    # structure is defined as
    #     PublicKeyAndChallenge ::= SEQUENCE {
    #       spki SubjectPublicKeyInfo,
    #       challenge IA5STRING
    #     }
    #
    #     SignedPublicKeyAndChallenge ::= SEQUENCE {
    #       publicKeyAndChallenge PublicKeyAndChallenge,
    #       signatureAlgorithm AlgorithmIdentifier,
    #       signature BIT STRING
    #     }
    #
    # where the definitions of SubjectPublicKeyInfo and AlgorithmIdentifier can be
    # found in RFC5280. SPKI is typically used in browsers for generating a
    # public/private key pair and a subsequent certificate request, using the HTML
    # <keygen> element.
    #
    # ## Examples
    #
    # ### Creating an SPKI
    #     key = OpenSSL::PKey::RSA.new 2048
    #     spki = OpenSSL::Netscape::SPKI.new
    #     spki.challenge = "RandomChallenge"
    #     spki.public_key = key.public_key
    #     spki.sign(key, OpenSSL::Digest.new('SHA256'))
    #     #send a request containing this to a server generating a certificate
    #
    # ### Verifying an SPKI request
    #     request = #...
    #     spki = OpenSSL::Netscape::SPKI.new request
    #     unless spki.verify(spki.public_key)
    #       # signature is invalid
    #     end
    #     #proceed
    #
    class SPKI
      # <!--
      #   rdoc-file=ext/openssl/ossl_ns_spki.c
      #   - spki.challenge => string
      # -->
      # Returns the challenge string associated with this SPKI.
      #
      def challenge: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ns_spki.c
      #   - spki.challenge = str => string
      # -->
      # ### Parameters
      # *   *str* - the challenge string to be set for this instance
      #
      #
      # Sets the challenge to be associated with the SPKI. May be used by the server,
      # e.g. to prevent replay.
      #
      def challenge=: (String) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ns_spki.c
      #   - spki.public_key => pkey
      # -->
      # Returns the public key associated with the SPKI, an instance of OpenSSL::PKey.
      #
      def public_key: () -> PKey::PKey

      # <!--
      #   rdoc-file=ext/openssl/ossl_ns_spki.c
      #   - spki.public_key = pub => pkey
      # -->
      # ### Parameters
      # *   *pub* - the public key to be set for this instance
      #
      #
      # Sets the public key to be associated with the SPKI, an instance of
      # OpenSSL::PKey. This should be the public key corresponding to the private key
      # used for signing the SPKI.
      #
      def public_key=: (PKey::PKey) -> PKey::PKey

      # <!--
      #   rdoc-file=ext/openssl/ossl_ns_spki.c
      #   - spki.sign(key, digest) => spki
      # -->
      # ### Parameters
      # *   *key* - the private key to be used for signing this instance
      # *   *digest* - the digest to be used for signing this instance
      #
      #
      # To sign an SPKI, the private key corresponding to the public key set for this
      # instance should be used, in addition to a digest algorithm in the form of an
      # OpenSSL::Digest. The private key should be an instance of OpenSSL::PKey.
      #
      def sign: (PKey::PKey key, Digest digest) -> instance

      # <!--
      #   rdoc-file=ext/openssl/ossl_ns_spki.c
      #   - spki.to_der => DER-encoded string
      # -->
      # Returns the DER encoding of this SPKI.
      #
      def to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ns_spki.c
      #   - spki.to_pem => PEM-encoded string
      # -->
      # Returns the PEM encoding of this SPKI.
      #
      def to_pem: () -> String

      # <!-- rdoc-file=ext/openssl/ossl_ns_spki.c -->
      # Returns the PEM encoding of this SPKI.
      #
      alias to_s to_pem

      # <!--
      #   rdoc-file=ext/openssl/ossl_ns_spki.c
      #   - spki.to_text => string
      # -->
      # Returns a textual representation of this SPKI, useful for debugging purposes.
      #
      def to_text: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ns_spki.c
      #   - spki.verify(key) => boolean
      # -->
      # ### Parameters
      # *   *key* - the public key to be used for verifying the SPKI signature
      #
      #
      # Returns `true` if the signature is valid, `false` otherwise. To verify an
      # SPKI, the public key contained within the SPKI should be used.
      #
      def verify: (PKey::PKey key) -> bool

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_ns_spki.c
      #   - SPKI.new([request]) => spki
      # -->
      # ### Parameters
      # *   *request* - optional raw request, either in PEM or DER format.
      #
      def initialize: (?String request) -> void
    end

    # <!-- rdoc-file=ext/openssl/ossl_ns_spki.c -->
    # Generic Exception class that is raised if an error occurs during an operation
    # on an instance of OpenSSL::Netscape::SPKI.
    #
    class SPKIError < OpenSSL::OpenSSLError
    end
  end

  # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
  # OpenSSL::OCSP implements Online Certificate Status Protocol requests and
  # responses.
  #
  # Creating and sending an OCSP request requires a subject certificate that
  # contains an OCSP URL in an authorityInfoAccess extension and the issuer
  # certificate for the subject certificate.  First, load the issuer and subject
  # certificates:
  #
  #     subject = OpenSSL::X509::Certificate.new subject_pem
  #     issuer  = OpenSSL::X509::Certificate.new issuer_pem
  #
  # To create the request we need to create a certificate ID for the subject
  # certificate so the CA knows which certificate we are asking about:
  #
  #     digest = OpenSSL::Digest.new('SHA1')
  #     certificate_id =
  #       OpenSSL::OCSP::CertificateId.new subject, issuer, digest
  #
  # Then create a request and add the certificate ID to it:
  #
  #     request = OpenSSL::OCSP::Request.new
  #     request.add_certid certificate_id
  #
  # Adding a nonce to the request protects against replay attacks but not all CA
  # process the nonce.
  #
  #     request.add_nonce
  #
  # To submit the request to the CA for verification we need to extract the OCSP
  # URI from the subject certificate:
  #
  #     ocsp_uris = subject.ocsp_uris
  #
  #     require 'uri'
  #
  #     ocsp_uri = URI ocsp_uris[0]
  #
  # To submit the request we'll POST the request to the OCSP URI (per RFC 2560).
  # Note that we only handle HTTP requests and don't handle any redirects in this
  # example, so this is insufficient for serious use.
  #
  #     require 'net/http'
  #
  #     http_response =
  #       Net::HTTP.start ocsp_uri.hostname, ocsp_uri.port do |http|
  #         http.post ocsp_uri.path, request.to_der,
  #                   'content-type' => 'application/ocsp-request'
  #     end
  #
  #     response = OpenSSL::OCSP::Response.new http_response.body
  #     response_basic = response.basic
  #
  # First we check if the response has a valid signature.  Without a valid
  # signature we cannot trust it.  If you get a failure here you may be missing a
  # system certificate store or may be missing the intermediate certificates.
  #
  #     store = OpenSSL::X509::Store.new
  #     store.set_default_paths
  #
  #     unless response_basic.verify [], store then
  #       raise 'response is not signed by a trusted certificate'
  #     end
  #
  # The response contains the status information (success/fail).  We can display
  # the status as a string:
  #
  #     puts response.status_string #=> successful
  #
  # Next we need to know the response details to determine if the response matches
  # our request.  First we check the nonce.  Again, not all CAs support a nonce.
  # See Request#check_nonce for the meanings of the return values.
  #
  #     p request.check_nonce basic_response #=> value from -1 to 3
  #
  # Then extract the status information for the certificate from the basic
  # response.
  #
  #     single_response = basic_response.find_response(certificate_id)
  #
  #     unless single_response
  #       raise 'basic_response does not have the status for the certificate'
  #     end
  #
  # Then check the validity. A status issued in the future must be rejected.
  #
  #     unless single_response.check_validity
  #       raise 'this_update is in the future or next_update time has passed'
  #     end
  #
  #     case single_response.cert_status
  #     when OpenSSL::OCSP::V_CERTSTATUS_GOOD
  #       puts 'certificate is still valid'
  #     when OpenSSL::OCSP::V_CERTSTATUS_REVOKED
  #       puts "certificate has been revoked at #{single_response.revocation_time}"
  #     when OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
  #       puts 'responder doesn't know about the certificate'
  #     end
  #
  module OCSP
    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # (This flag is not used by OpenSSL 1.0.1g)
    #
    NOCASIGN: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Do not include certificates in the response
    #
    NOCERTS: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Do not verify the certificate chain on the response
    #
    NOCHAIN: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Do not make additional signing certificate checks
    #
    NOCHECKS: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # (This flag is not used by OpenSSL 1.0.1g)
    #
    NODELEGATED: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Do not check trust
    #
    NOEXPLICIT: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Do not search certificates contained in the response for a signer
    #
    NOINTERN: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Do not check the signature on the response
    #
    NOSIGS: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Do not include producedAt time in response
    #
    NOTIME: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Do not verify the response at all
    #
    NOVERIFY: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Identify the response by signing the certificate key ID
    #
    RESPID_KEY: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Internal error in issuer
    #
    RESPONSE_STATUS_INTERNALERROR: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Illegal confirmation request
    #
    RESPONSE_STATUS_MALFORMEDREQUEST: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # You must sign the request and resubmit
    #
    RESPONSE_STATUS_SIGREQUIRED: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Response has valid confirmations
    #
    RESPONSE_STATUS_SUCCESSFUL: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Try again later
    #
    RESPONSE_STATUS_TRYLATER: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Your request is unauthorized.
    #
    RESPONSE_STATUS_UNAUTHORIZED: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # The certificate subject's name or other information changed
    #
    REVOKED_STATUS_AFFILIATIONCHANGED: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # This CA certificate was revoked due to a key compromise
    #
    REVOKED_STATUS_CACOMPROMISE: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # The certificate is on hold
    #
    REVOKED_STATUS_CERTIFICATEHOLD: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # The certificate is no longer needed
    #
    REVOKED_STATUS_CESSATIONOFOPERATION: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # The certificate was revoked due to a key compromise
    #
    REVOKED_STATUS_KEYCOMPROMISE: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # The certificate was revoked for an unknown reason
    #
    REVOKED_STATUS_NOSTATUS: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # The certificate was previously on hold and should now be removed from the CRL
    #
    REVOKED_STATUS_REMOVEFROMCRL: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # The certificate was superseded by a new certificate
    #
    REVOKED_STATUS_SUPERSEDED: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # The certificate was revoked for an unspecified reason
    #
    REVOKED_STATUS_UNSPECIFIED: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Do not verify additional certificates
    #
    TRUSTOTHER: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Indicates the certificate is not revoked but does not necessarily mean the
    # certificate was issued or that this response is within the certificate's
    # validity interval
    #
    V_CERTSTATUS_GOOD: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Indicates the certificate has been revoked either permanently or temporarily
    # (on hold).
    #
    V_CERTSTATUS_REVOKED: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # Indicates the responder does not know about the certificate being requested.
    #
    V_CERTSTATUS_UNKNOWN: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # The responder ID is based on the public key.
    #
    V_RESPID_KEY: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # The responder ID is based on the key name.
    #
    V_RESPID_NAME: Integer

    type ocsp_status = Integer

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # An OpenSSL::OCSP::BasicResponse contains the status of a certificate check
    # which is created from an OpenSSL::OCSP::Request.  A BasicResponse is more
    # detailed than a Response.
    #
    class BasicResponse
      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - basic_response.add_nonce(nonce = nil)
      # -->
      # Adds *nonce* to this response.  If no nonce was provided a random nonce will
      # be added.
      #
      def add_nonce: (?String nonce) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - basic_response.add_status(certificate_id, status, reason, revocation_time, this_update, next_update, extensions) -> basic_response
      # -->
      # Adds a certificate status for *certificate_id*. *status* is the status, and
      # must be one of these:
      #
      # *   OpenSSL::OCSP::V_CERTSTATUS_GOOD
      # *   OpenSSL::OCSP::V_CERTSTATUS_REVOKED
      # *   OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
      #
      #
      # *reason* and *revocation_time* can be given only when *status* is
      # OpenSSL::OCSP::V_CERTSTATUS_REVOKED. *reason* describes the reason for the
      # revocation, and must be one of OpenSSL::OCSP::REVOKED_STATUS_* constants.
      # *revocation_time* is the time when the certificate is revoked.
      #
      # *this_update* and *next_update* indicate the time at which the status is
      # verified to be correct and the time at or before which newer information will
      # be available, respectively. *next_update* is optional.
      #
      # *extensions* is an Array of OpenSSL::X509::Extension to be included in the
      # SingleResponse. This is also optional.
      #
      # Note that the times, *revocation_time*, *this_update* and *next_update* can be
      # specified in either of Integer or Time object. If they are Integer, it is
      # treated as the relative seconds from the current time.
      #
      def add_status: (CertificateId certificate_id, ocsp_status status, Integer? reason, Integer? revocation_time, ?Integer | Time this_update, ?Integer | Time next_update, ?Array[X509::Extension] extensions) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - basic_response.copy_nonce(request) -> Integer
      # -->
      # Copies the nonce from *request* into this response.  Returns 1 on success and
      # 0 on failure.
      #
      def copy_nonce: (Request request) -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - basic_response.find_response(certificate_id) -> SingleResponse | nil
      # -->
      # Returns a SingleResponse whose CertId matches with *certificate_id*, or `nil`
      # if this BasicResponse does not contain it.
      #
      def find_response: (CertificateId certificate_id) -> SingleResponse?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - basic_response.responses -> Array of SingleResponse
      # -->
      # Returns an Array of SingleResponse for this BasicResponse.
      #
      def responses: () -> Array[SingleResponse]

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - basic_response.sign(cert, key, certs = nil, flags = 0, digest = nil) -> self
      # -->
      # Signs this OCSP response using the *cert*, *key* and optional *digest*. This
      # behaves in the similar way as OpenSSL::OCSP::Request#sign.
      #
      # *flags* can include:
      # OpenSSL::OCSP::NOCERTS
      # :   don't include certificates
      # OpenSSL::OCSP::NOTIME
      # :   don't set producedAt
      # OpenSSL::OCSP::RESPID_KEY
      # :   use signer's public key hash as responderID
      #
      def sign: (X509::Certificate cert, PKey::PKey key, ?Array[X509::Certificate] certs, ?Integer flags, ?Digest digest) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - basic_response.status -> statuses
      # -->
      # Returns an Array of statuses for this response.  Each status contains a
      # CertificateId, the status (0 for good, 1 for revoked, 2 for unknown), the
      # reason for the status, the revocation time, the time of this update, the time
      # for the next update and a list of OpenSSL::X509::Extension.
      #
      # This should be superseded by BasicResponse#responses and #find_response that
      # return SingleResponse.
      #
      def status: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - basic_response.to_der -> String
      # -->
      # Encodes this basic response into a DER-encoded string.
      #
      def to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - basic_response.verify(certificates, store, flags = 0) -> true or false
      # -->
      # Verifies the signature of the response using the given *certificates* and
      # *store*. This works in the similar way as OpenSSL::OCSP::Request#verify.
      #
      def verify: (Array[X509::Certificate] certs, X509::Store store, ?Integer flags) -> bool

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - OpenSSL::OCSP::BasicResponse.new(der_string = nil) -> basic_response
      # -->
      # Creates a new BasicResponse. If *der_string* is given, decodes *der_string* as
      # DER.
      #
      def initialize: (?String der) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void
    end

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # An OpenSSL::OCSP::CertificateId identifies a certificate to the CA so that a
    # status check can be performed.
    #
    class CertificateId
      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - certificate_id.cmp(other) -> true or false
      # -->
      # Compares this certificate id with *other* and returns `true` if they are the
      # same.
      #
      def cmp: (instance other) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - certificate_id.cmp_issuer(other) -> true or false
      # -->
      # Compares this certificate id's issuer with *other* and returns `true` if they
      # are the same.
      #
      def cmp_issuer: (instance other) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - certificate_id.hash_algorithm -> String
      # -->
      # Returns the ln (long name) of the hash algorithm used to generate the
      # issuerNameHash and the issuerKeyHash values.
      #
      def hash_algorithm: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - certificate_id.issuer_key_hash -> String
      # -->
      # Returns the issuerKeyHash of this certificate ID, the hash of the issuer's
      # public key.
      #
      def issuer_key_hash: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - certificate_id.issuer_name_hash -> String
      # -->
      # Returns the issuerNameHash of this certificate ID, the hash of the issuer's
      # distinguished name calculated with the hashAlgorithm.
      #
      def issuer_name_hash: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - certificate_id.serial -> Integer
      # -->
      # Returns the serial number of the certificate for which status is being
      # requested.
      #
      def serial: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - certificate_id.to_der -> String
      # -->
      # Encodes this certificate identifier into a DER-encoded string.
      #
      def to_der: () -> String

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - OpenSSL::OCSP::CertificateId.new(subject, issuer, digest = nil) -> certificate_id
      #   - OpenSSL::OCSP::CertificateId.new(der_string)                    -> certificate_id
      #   - OpenSSL::OCSP::CertificateId.new(obj)                           -> certificate_id
      # -->
      # Creates a new OpenSSL::OCSP::CertificateId for the given *subject* and
      # *issuer* X509 certificates.  The *digest* is a digest algorithm that is used
      # to compute the hash values. This defaults to SHA-1.
      #
      # If only one argument is given, decodes it as DER representation of a
      # certificate ID or generates certificate ID from the object that responds to
      # the to_der method.
      #
      def initialize: (String | ASN1::_ToDer der) -> void
                    | (X509::Certificate subject, X509::Certificate issuer, ?Digest digest) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void
    end

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # OCSP error class.
    #
    class OCSPError < OpenSSL::OpenSSLError
    end

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # An OpenSSL::OCSP::Request contains the certificate information for determining
    # if a certificate has been revoked or not.  A Request can be created for a
    # certificate or from a DER-encoded request created elsewhere.
    #
    class Request
      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - request.add_certid(certificate_id) -> request
      # -->
      # Adds *certificate_id* to the request.
      #
      def add_certid: (CertificateId certificate_id) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - request.add_nonce(nonce = nil) -> request
      # -->
      # Adds a *nonce* to the OCSP request.  If no nonce is given a random one will be
      # generated.
      #
      # The nonce is used to prevent replay attacks but some servers do not support
      # it.
      #
      def add_nonce: (?String nonce) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - request.certid -> [certificate_id, ...]
      # -->
      # Returns all certificate IDs in this request.
      #
      def certid: () -> Array[CertificateId]

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - request.check_nonce(response) -> result
      # -->
      # Checks the nonce validity for this request and *response*.
      #
      # The return value is one of the following:
      #
      # -1
      # :   nonce in request only.
      # 0
      # :   nonces both present and not equal.
      # 1
      # :   nonces present and equal.
      # 2
      # :   nonces both absent.
      # 3
      # :   nonce present in response only.
      #
      #
      # For most responses, clients can check *result* > 0.  If a responder doesn't
      # handle nonces `result.nonzero?` may be necessary.  A result of `0` is always
      # an error.
      #
      def check_nonce: (Response response) -> (-1 | 0 | 1 | 2 | 3)

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - request.sign(cert, key, certs = nil, flags = 0, digest = nil) -> self
      # -->
      # Signs this OCSP request using *cert*, *key* and optional *digest*. If *digest*
      # is not specified, SHA-1 is used. *certs* is an optional Array of additional
      # certificates which are included in the request in addition to the signer
      # certificate. Note that if *certs* is `nil` or not given, flag
      # OpenSSL::OCSP::NOCERTS is enabled. Pass an empty array to include only the
      # signer certificate.
      #
      # *flags* is a bitwise OR of the following constants:
      #
      # OpenSSL::OCSP::NOCERTS
      # :   Don't include any certificates in the request. *certs* will be ignored.
      #
      def sign: (X509::Certificate cert, PKey::PKey key, ?Array[X509::Certificate] certs, ?Integer flags, ?Digest digest) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - request.signed? -> true or false
      # -->
      # Returns `true` if the request is signed, `false` otherwise. Note that the
      # validity of the signature is **not** checked. Use #verify to verify that.
      #
      def signed?: () -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - to_der()
      # -->
      # Returns this request as a DER-encoded string
      #
      def to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - request.verify(certificates, store, flags = 0) -> true or false
      # -->
      # Verifies this request using the given *certificates* and *store*.
      # *certificates* is an array of OpenSSL::X509::Certificate, *store* is an
      # OpenSSL::X509::Store.
      #
      # Note that `false` is returned if the request does not have a signature. Use
      # #signed? to check whether the request is signed or not.
      #
      def verify: (Array[X509::Certificate] certs, X509::Store store, ?Integer flags) -> bool

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - OpenSSL::OCSP::Request.new              -> request
      #   - OpenSSL::OCSP::Request.new(request_der) -> request
      # -->
      # Creates a new OpenSSL::OCSP::Request.  The request may be created empty or
      # from a *request_der* string.
      #
      def initialize: (?String der) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void
    end

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # An OpenSSL::OCSP::Response contains the status of a certificate check which is
    # created from an OpenSSL::OCSP::Request.
    #
    class Response
      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - OpenSSL::OCSP::Response.create(status, basic_response = nil) -> response
      # -->
      # Creates an OpenSSL::OCSP::Response from *status* and *basic_response*.
      #
      def self.create: (Integer status, ?BasicResponse response) -> instance

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - response.basic
      # -->
      # Returns a BasicResponse for this response
      #
      def basic: () -> BasicResponse?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - response.status -> Integer
      # -->
      # Returns the status of the response.
      #
      def status: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - response.status_string -> String
      # -->
      # Returns a status string for the response.
      #
      def status_string: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - response.to_der -> String
      # -->
      # Returns this response as a DER-encoded string.
      #
      def to_der: () -> String

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - OpenSSL::OCSP::Response.new               -> response
      #   - OpenSSL::OCSP::Response.new(response_der) -> response
      # -->
      # Creates a new OpenSSL::OCSP::Response.  The response may be created empty or
      # from a *response_der* string.
      #
      def initialize: (?String der) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void
    end

    # <!-- rdoc-file=ext/openssl/ossl_ocsp.c -->
    # An OpenSSL::OCSP::SingleResponse represents an OCSP SingleResponse structure,
    # which contains the basic information of the status of the certificate.
    #
    class SingleResponse
      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - single_response.cert_status -> Integer
      # -->
      # Returns the status of the certificate identified by the certid. The return
      # value may be one of these constant:
      #
      # *   V_CERTSTATUS_GOOD
      # *   V_CERTSTATUS_REVOKED
      # *   V_CERTSTATUS_UNKNOWN
      #
      #
      # When the status is V_CERTSTATUS_REVOKED, the time at which the certificate was
      # revoked can be retrieved by #revocation_time.
      #
      def cert_status: () -> ocsp_status

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - single_response.certid -> CertificateId
      # -->
      # Returns the CertificateId for which this SingleResponse is.
      #
      def certid: () -> CertificateId

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - single_response.check_validity(nsec = 0, maxsec = -1) -> true | false
      # -->
      # Checks the validity of thisUpdate and nextUpdate fields of this
      # SingleResponse. This checks the current time is within the range thisUpdate to
      # nextUpdate.
      #
      # It is possible that the OCSP request takes a few seconds or the time is not
      # accurate. To avoid rejecting a valid response, this method allows the times to
      # be within *nsec* seconds of the current time.
      #
      # Some responders don't set the nextUpdate field. This may cause a very old
      # response to be considered valid. The *maxsec* parameter can be used to limit
      # the age of responses.
      #
      def check_validity: (?Integer nsec, ?Integer maxsec) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - single_response.extensions -> Array of X509::Extension
      # -->
      #
      def extensions: () -> Array[X509::Certificate]

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - single_response.next_update -> Time | nil
      # -->
      #
      def next_update: () -> Time?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - single_response.revocation_reason -> Integer | nil
      # -->
      #
      def revocation_reason: () -> Integer?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - single_response.revocation_time -> Time | nil
      # -->
      #
      def revocation_time: () -> Time?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - single_response.this_update -> Time
      # -->
      #
      def this_update: () -> Time

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - single_response.to_der -> String
      # -->
      # Encodes this SingleResponse into a DER-encoded string.
      #
      def to_der: () -> String

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - OpenSSL::OCSP::SingleResponse.new(der_string) -> SingleResponse
      # -->
      # Creates a new SingleResponse from *der_string*.
      #
      def initialize: (String der) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_ocsp.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void
    end
  end

  # <!-- rdoc-file=ext/openssl/ossl.c -->
  # Generic error, common for all classes under OpenSSL module
  #
  class OpenSSLError < StandardError
  end

  # <!-- rdoc-file=ext/openssl/ossl_pkcs12.c -->
  # Defines a file format commonly used to store private keys with accompanying
  # public key certificates, protected with a password-based symmetric key.
  #
  class PKCS12
    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs12.c
    #   - PKCS12.create(pass, name, key, cert [, ca, [, key_pbe [, cert_pbe [, key_iter [, mac_iter [, keytype]]]]]])
    # -->
    # ### Parameters
    # *   *pass* - string
    # *   *name* - A string describing the key.
    # *   *key* - Any PKey.
    # *   *cert* - A X509::Certificate.
    #     *   The public_key portion of the certificate must contain a valid public
    #         key.
    #     *   The not_before and not_after fields must be filled in.
    #
    # *   *ca* - An optional array of X509::Certificate's.
    # *   *key_pbe* - string
    # *   *cert_pbe* - string
    # *   *key_iter* - integer
    # *   *mac_iter* - integer
    # *   *keytype* - An integer representing an MSIE specific extension.
    #
    #
    # Any optional arguments may be supplied as `nil` to preserve the OpenSSL
    # defaults.
    #
    # See the OpenSSL documentation for PKCS12_create().
    #
    def self.create: (String pass, String name, PKey::PKey key, X509::Certificate cert, ?Array[X509::Certificate]? ca, ?String? key_pbe, ?String? cert_pbe, ?Integer? key_iter, ?Integer? mac_iter, ?Integer? keytype) -> instance

    def ca_certs: () -> Array[X509::Certificate]?

    def certificate: () -> X509::Certificate

    def key: () -> PKey::PKey

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs12.c
    #   - to_der()
    # -->
    #
    def to_der: () -> String

    private

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs12.c
    #   - PKCS12.new -> pkcs12
    #   - PKCS12.new(str) -> pkcs12
    #   - PKCS12.new(str, pass) -> pkcs12
    # -->
    # ### Parameters
    # *   *str* - Must be a DER encoded PKCS12 string.
    # *   *pass* - string
    #
    def initialize: (?String der, ?String pass) -> void

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs12.c
    #   - initialize_copy(p1)
    # -->
    #
    def initialize_copy: (instance) -> void

    class PKCS12Error < OpenSSL::OpenSSLError
    end
  end

  module PKCS5
    def self.pbkdf2_hmac: (String pass, String salt, Integer iter, Integer keylen, String | Digest digest) -> String

    def self.pbkdf2_hmac_sha1: (String pass, String salt, Integer iter, Integer keylen) -> String

    private

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/pkcs5.rb
    #   - pbkdf2_hmac(pass, salt, iter, keylen, digest)
    # -->
    # OpenSSL::PKCS5.pbkdf2_hmac has been renamed to OpenSSL::KDF.pbkdf2_hmac. This
    # method is provided for backwards compatibility.
    #
    def pbkdf2_hmac: (untyped pass, untyped salt, untyped iter, untyped keylen, untyped digest) -> untyped

    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/pkcs5.rb
    #   - pbkdf2_hmac_sha1(pass, salt, iter, keylen)
    # -->
    #
    def pbkdf2_hmac_sha1: (untyped pass, untyped salt, untyped iter, untyped keylen) -> untyped
  end

  class PKCS7
    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - PKCS7.encrypt(certs, data, [, cipher [, flags]]) => pkcs7
    # -->
    #
    def self.encrypt: (X509::Certificate certs, String data, ?Cipher cipher, ?Integer flags) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - PKCS7.read_smime(string) => pkcs7
    # -->
    #
    def self.read_smime: (String) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - PKCS7.sign(cert, key, data, [, certs [, flags]]) => pkcs7
    # -->
    #
    def self.sign: (X509::Certificate certs, PKey::PKey key, String data, ?OpenSSL::Cipher cipher, ?Integer flags) -> instance

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - PKCS7.write_smime(pkcs7 [, data [, flags]]) => string
    # -->
    #
    def self.write_smime: (instance pkcs7, ?String data, ?Integer flags) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - add_certificate(p1)
    # -->
    #
    def add_certificate: (X509::Certificate cert) -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - add_crl(p1)
    # -->
    #
    def add_crl: (X509::CRL crl) -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - add_data(p1)
    # -->
    #
    def add_data: (String data) -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - add_recipient(p1)
    # -->
    #
    def add_recipient: (RecipientInfo recipient) -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - add_signer(p1)
    # -->
    #
    def add_signer: (SignerInfo signer) -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - certificates()
    # -->
    #
    def certificates: () -> Array[X509::Certificate]?

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - certificates=(p1)
    # -->
    #
    def certificates=: (Array[X509::Certificate]) -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - cipher=(p1)
    # -->
    #
    def cipher=: (Cipher cipher) -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - crls()
    # -->
    #
    def crls: () -> Array[X509::CRL]?

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - crls=(p1)
    # -->
    #
    def crls=: (Array[X509::CRL]) -> self

    def data: () -> String?

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - data=(p1)
    # -->
    #
    alias data= add_data

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - decrypt(p1, p2 = v2, p3 = v3)
    # -->
    #
    def decrypt: (PKey::PKey p1, ?PKey::PKey p2, ?PKey::PKey p3) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - detached()
    # -->
    #
    def detached: () -> bool

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - detached=(p1)
    # -->
    #
    def detached=: [U] (boolish) -> U

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - detached?()
    # -->
    #
    def detached?: () -> bool

    def error_string: () -> String?

    def error_string=: (String) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - recipients()
    # -->
    #
    def recipients: () -> Array[RecipientInfo]

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - signers()
    # -->
    #
    def signers: () -> Array[SignerInfo]

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - to_der()
    # -->
    #
    def to_der: () -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - to_pem()
    # -->
    #
    def to_pem: () -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - to_s()
    # -->
    #
    alias to_s to_pem

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - pkcs7.type => string or nil
    # -->
    #
    def type: () -> String?

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - pkcs7.type = type => type
    # -->
    #
    def type=: (String) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - verify(p1, p2, p3 = v3, p4 = v4)
    # -->
    #
    def verify: (PKey::PKey p1, PKey::PKey p2, ?PKey::PKey p3, ?PKey::PKey p4) -> bool

    private

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - PKCS7.new => pkcs7
    #   - PKCS7.new(string) => pkcs7
    # -->
    # Many methods in this class aren't documented.
    #
    def initialize: (?String der) -> void

    # <!--
    #   rdoc-file=ext/openssl/ossl_pkcs7.c
    #   - initialize_copy(p1)
    # -->
    #
    def initialize_copy: (instance) -> untyped

    BINARY: Integer

    DETACHED: Integer

    NOATTR: Integer

    NOCERTS: Integer

    NOCHAIN: Integer

    NOINTERN: Integer

    NOSIGS: Integer

    NOSMIMECAP: Integer

    NOVERIFY: Integer

    TEXT: Integer

    class PKCS7Error < OpenSSL::OpenSSLError
    end

    class RecipientInfo
      # <!--
      #   rdoc-file=ext/openssl/ossl_pkcs7.c
      #   - enc_key()
      # -->
      #
      def enc_key: () -> PKey::PKey

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkcs7.c
      #   - issuer()
      # -->
      #
      def issuer: () -> X509::Name

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkcs7.c
      #   - serial()
      # -->
      #
      def serial: () -> Integer

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkcs7.c
      #   - new(p1)
      # -->
      #
      def initialize: (X509::Certificate certificate) -> void
    end

    class SignerInfo
      # <!--
      #   rdoc-file=ext/openssl/ossl_pkcs7.c
      #   - issuer()
      # -->
      #
      def issuer: () -> X509::Name

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkcs7.c
      #   - serial()
      # -->
      #
      def serial: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkcs7.c
      #   - signed_time()
      # -->
      #
      def signed_time: () -> Time?

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkcs7.c
      #   - new(p1, p2, p3)
      # -->
      #
      def initialize: (X509::Certificate certificate, PKey::PKey key, Digest digest) -> void
    end
  end

  # <!-- rdoc-file=ext/openssl/ossl_pkey.c -->
  # ## Asymmetric Public Key Algorithms
  #
  # Asymmetric public key algorithms solve the problem of establishing and sharing
  # secret keys to en-/decrypt messages. The key in such an algorithm consists of
  # two parts: a public key that may be distributed to others and a private key
  # that needs to remain secret.
  #
  # Messages encrypted with a public key can only be decrypted by recipients that
  # are in possession of the associated private key. Since public key algorithms
  # are considerably slower than symmetric key algorithms (cf. OpenSSL::Cipher)
  # they are often used to establish a symmetric key shared between two parties
  # that are in possession of each other's public key.
  #
  # Asymmetric algorithms offer a lot of nice features that are used in a lot of
  # different areas. A very common application is the creation and validation of
  # digital signatures. To sign a document, the signatory generally uses a message
  # digest algorithm (cf. OpenSSL::Digest) to compute a digest of the document
  # that is then encrypted (i.e. signed) using the private key. Anyone in
  # possession of the public key may then verify the signature by computing the
  # message digest of the original document on their own, decrypting the signature
  # using the signatory's public key and comparing the result to the message
  # digest they previously computed. The signature is valid if and only if the
  # decrypted signature is equal to this message digest.
  #
  # The PKey module offers support for three popular public/private key
  # algorithms:
  # *   RSA (OpenSSL::PKey::RSA)
  # *   DSA (OpenSSL::PKey::DSA)
  # *   Elliptic Curve Cryptography (OpenSSL::PKey::EC)
  #
  # Each of these implementations is in fact a sub-class of the abstract PKey
  # class which offers the interface for supporting digital signatures in the form
  # of PKey#sign and PKey#verify.
  #
  # ## Diffie-Hellman Key Exchange
  #
  # Finally PKey also features OpenSSL::PKey::DH, an implementation of the
  # Diffie-Hellman key exchange protocol based on discrete logarithms in finite
  # fields, the same basis that DSA is built on. The Diffie-Hellman protocol can
  # be used to exchange (symmetric) keys over insecure channels without needing
  # any prior joint knowledge between the participating parties. As the security
  # of DH demands relatively long "public keys" (i.e. the part that is overtly
  # transmitted between participants) DH tends to be quite slow. If security or
  # speed is your primary concern, OpenSSL::PKey::EC offers another implementation
  # of the Diffie-Hellman protocol.
  #
  module PKey
    # <!--
    #   rdoc-file=ext/openssl/ossl_pkey.c
    #   - OpenSSL::PKey.read(string [, pwd ]) -> PKey
    #   - OpenSSL::PKey.read(io [, pwd ]) -> PKey
    # -->
    # Reads a DER or PEM encoded string from *string* or *io* and returns an
    # instance of the appropriate PKey class.
    #
    # ### Parameters
    # *   *string* is a DER- or PEM-encoded string containing an arbitrary private
    #     or public key.
    # *   *io* is an instance of IO containing a DER- or PEM-encoded arbitrary
    #     private or public key.
    # *   *pwd* is an optional password in case *string* or *io* is an encrypted PEM
    #     resource.
    #
    def self?.read: (String | IO pem, ?String password) -> PKey

    # <!-- rdoc-file=ext/openssl/ossl_pkey_dh.c -->
    # An implementation of the Diffie-Hellman key exchange protocol based on
    # discrete logarithms in finite fields, the same basis that DSA is built on.
    #
    # ### Accessor methods for the Diffie-Hellman parameters
    # DH#p
    # :   The prime (an OpenSSL::BN) of the Diffie-Hellman parameters.
    # DH#g
    # :   The generator (an OpenSSL::BN) g of the Diffie-Hellman parameters.
    # DH#pub_key
    # :   The per-session public key (an OpenSSL::BN) matching the private key. This
    #     needs to be passed to DH#compute_key.
    # DH#priv_key
    # :   The per-session private key, an OpenSSL::BN.
    #
    #
    # ### Example of a key exchange
    #     # you may send the parameters (der) and own public key (pub1) publicly
    #     # to the participating party
    #     dh1 = OpenSSL::PKey::DH.new(2048)
    #     der = dh1.to_der
    #     pub1 = dh1.pub_key
    #
    #     # the other party generates its per-session key pair
    #     dhparams = OpenSSL::PKey::DH.new(der)
    #     dh2 = OpenSSL::PKey.generate_key(dhparams)
    #     pub2 = dh2.pub_key
    #
    #     symm_key1 = dh1.compute_key(pub2)
    #     symm_key2 = dh2.compute_key(pub1)
    #     puts symm_key1 == symm_key2 # => true
    #
    class DH < OpenSSL::PKey::PKey
      include OpenSSL::Marshal

      extend OpenSSL::Marshal::ClassMethods

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - DH.generate(size, generator = 2) -> dh
      # -->
      # Creates a new DH instance from scratch by generating random parameters and a
      # key pair.
      #
      # See also OpenSSL::PKey.generate_parameters and OpenSSL::PKey.generate_key.
      #
      # `size`
      # :   The desired key size in bits.
      # `generator`
      # :   The generator.
      #
      def self.generate: (Integer size, ?Integer generator) -> instance

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - dh.compute_key(pub_bn) -> string
      # -->
      # Returns a String containing a shared secret computed from the other party's
      # public value.
      #
      # This method is provided for backwards compatibility, and calls #derive
      # internally.
      #
      # ### Parameters
      # *   *pub_bn* is a OpenSSL::BN, **not** the DH instance returned by
      #     DH#public_key as that contains the DH parameters only.
      #
      def compute_key: (bn pub_bn) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dh.c
      #   - dh.export -> aString
      #   - dh.to_pem -> aString
      #   - dh.to_s -> aString
      # -->
      # Serializes the DH parameters to a PEM-encoding.
      #
      # Note that any existing per-session public/private keys will **not** get
      # encoded, just the Diffie-Hellman parameters will be encoded.
      #
      # PEM-encoded parameters will look like:
      #
      #     -----BEGIN DH PARAMETERS-----
      #     [...]
      #     -----END DH PARAMETERS-----
      #
      # See also #public_to_pem (X.509 SubjectPublicKeyInfo) and #private_to_pem (PKCS
      # #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) for serialization with the
      # private or public key components.
      #
      def export: () -> String

      def g: () -> BN?

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - dh.generate_key! -> self
      # -->
      # Generates a private and public key unless a private key already exists. If
      # this DH instance was generated from public DH parameters (e.g. by encoding the
      # result of DH#public_key), then this method needs to be called first in order
      # to generate the per-session keys before performing the actual key exchange.
      #
      # **Deprecated in version 3.0**. This method is incompatible with OpenSSL 3.0.0
      # or later.
      #
      # See also OpenSSL::PKey.generate_key.
      #
      # Example:
      #     # DEPRECATED USAGE: This will not work on OpenSSL 3.0 or later
      #     dh0 = OpenSSL::PKey::DH.new(2048)
      #     dh = dh0.public_key # #public_key only copies the DH parameters (contrary to the name)
      #     dh.generate_key!
      #     puts dh.private? # => true
      #     puts dh0.pub_key == dh.pub_key #=> false
      #
      #     # With OpenSSL::PKey.generate_key
      #     dh0 = OpenSSL::PKey::DH.new(2048)
      #     dh = OpenSSL::PKey.generate_key(dh0)
      #     puts dh0.pub_key == dh.pub_key #=> false
      #
      def generate_key!: () -> self

      def p: () -> BN

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dh.c
      #   - dh.params -> hash
      # -->
      # Stores all parameters of key to the hash INSECURE: PRIVATE INFORMATIONS CAN
      # LEAK OUT!!! Don't use :-)) (I's up to you)
      #
      def params: () -> Hash[String, BN]

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dh.c
      #   - dh.params_ok? -> true | false
      # -->
      # Validates the Diffie-Hellman parameters associated with this instance. It
      # checks whether a safe prime and a suitable generator are used. If this is not
      # the case, `false` is returned.
      #
      # See also the man page EVP_PKEY_param_check(3).
      #
      def params_ok?: () -> bool

      def priv_key: () -> BN

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dh.c
      #   - dh.private? -> true | false
      # -->
      # Indicates whether this DH instance has a private key associated with it or
      # not. The private key may be retrieved with DH#priv_key.
      #
      def private?: () -> bool

      def pub_key: () -> BN

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dh.c
      #   - dh.public? -> true | false
      # -->
      # Indicates whether this DH instance has a public key associated with it or not.
      # The public key may be retrieved with DH#pub_key.
      #
      def public?: () -> bool

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - dh.public_key -> dhnew
      # -->
      # Returns a new DH instance that carries just the DH parameters.
      #
      # Contrary to the method name, the returned DH object contains only parameters
      # and not the public key.
      #
      # This method is provided for backwards compatibility. In most cases, there is
      # no need to call this method.
      #
      # For the purpose of re-generating the key pair while keeping the parameters,
      # check OpenSSL::PKey.generate_key.
      #
      # Example:
      #     # OpenSSL::PKey::DH.generate by default generates a random key pair
      #     dh1 = OpenSSL::PKey::DH.generate(2048)
      #     p dh1.priv_key #=> #<OpenSSL::BN 1288347...>
      #     dhcopy = dh1.public_key
      #     p dhcopy.priv_key #=> nil
      #
      def public_key: () -> instance

      def q: () -> BN

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dh.c
      #   - dh.set_key(pub_key, priv_key) -> self
      # -->
      # Sets *pub_key* and *priv_key* for the DH instance. *priv_key* may be `nil`.
      #
      def set_key: (bn pub_key, bn? priv_key) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dh.c
      #   - dh.set_pqg(p, q, g) -> self
      # -->
      # Sets *p*, *q*, *g* to the DH instance.
      #
      def set_pqg: (bn p, bn q, bn g) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dh.c
      #   - dh.to_der -> aString
      # -->
      # Serializes the DH parameters to a DER-encoding
      #
      # Note that any existing per-session public/private keys will **not** get
      # encoded, just the Diffie-Hellman parameters will be encoded.
      #
      # See also #public_to_der (X.509 SubjectPublicKeyInfo) and #private_to_der (PKCS
      # #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) for serialization with the
      # private or public key components.
      #
      def to_der: () -> String

      # <!-- rdoc-file=ext/openssl/ossl_pkey_dh.c -->
      # Serializes the DH parameters to a PEM-encoding.
      #
      # Note that any existing per-session public/private keys will **not** get
      # encoded, just the Diffie-Hellman parameters will be encoded.
      #
      # PEM-encoded parameters will look like:
      #
      #     -----BEGIN DH PARAMETERS-----
      #     [...]
      #     -----END DH PARAMETERS-----
      #
      # See also #public_to_pem (X.509 SubjectPublicKeyInfo) and #private_to_pem (PKCS
      # #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) for serialization with the
      # private or public key components.
      #
      alias to_pem export

      # <!-- rdoc-file=ext/openssl/ossl_pkey_dh.c -->
      # Serializes the DH parameters to a PEM-encoding.
      #
      # Note that any existing per-session public/private keys will **not** get
      # encoded, just the Diffie-Hellman parameters will be encoded.
      #
      # PEM-encoded parameters will look like:
      #
      #     -----BEGIN DH PARAMETERS-----
      #     [...]
      #     -----END DH PARAMETERS-----
      #
      # See also #public_to_pem (X.509 SubjectPublicKeyInfo) and #private_to_pem (PKCS
      # #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) for serialization with the
      # private or public key components.
      #
      alias to_s export

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dh.c
      #   - dh.to_text -> aString
      # -->
      # Prints all parameters of key to buffer INSECURE: PRIVATE INFORMATIONS CAN LEAK
      # OUT!!! Don't use :-)) (I's up to you)
      #
      def to_text: () -> String

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dh.c
      #   - DH.new -> dh
      #   - DH.new(string) -> dh
      #   - DH.new(size [, generator]) -> dh
      # -->
      # Creates a new instance of OpenSSL::PKey::DH.
      #
      # If called without arguments, an empty instance without any parameter or key
      # components is created. Use #set_pqg to manually set the parameters afterwards
      # (and optionally #set_key to set private and public key components).
      #
      # If a String is given, tries to parse it as a DER- or PEM- encoded parameters.
      # See also OpenSSL::PKey.read which can parse keys of any kinds.
      #
      # The DH.new(size [, generator]) form is an alias of DH.generate.
      #
      # `string`
      # :   A String that contains the DER or PEM encoded key.
      # `size`
      # :   See DH.generate.
      # `generator`
      # :   See DH.generate.
      #
      #
      # Examples:
      #     # Creating an instance from scratch
      #     # Note that this is deprecated and will not work on OpenSSL 3.0 or later.
      #     dh = OpenSSL::PKey::DH.new
      #     dh.set_pqg(bn_p, nil, bn_g)
      #
      #     # Generating a parameters and a key pair
      #     dh = OpenSSL::PKey::DH.new(2048) # An alias of OpenSSL::PKey::DH.generate(2048)
      #
      #     # Reading DH parameters
      #     dh_params = OpenSSL::PKey::DH.new(File.read('parameters.pem')) # loads parameters only
      #     dh = OpenSSL::PKey.generate_key(dh_params) # generates a key pair
      #
      def initialize: (Integer size, ?Integer generator) -> void
                    | (String pem) -> void
                    | () -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dh.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void
    end

    # <!-- rdoc-file=ext/openssl/ossl_pkey_dh.c -->
    # Generic exception that is raised if an operation on a DH PKey fails
    # unexpectedly or in case an instantiation of an instance of DH fails due to
    # non-conformant input data.
    #
    class DHError < OpenSSL::PKey::PKeyError
    end

    # <!-- rdoc-file=ext/openssl/ossl_pkey_dsa.c -->
    # DSA, the Digital Signature Algorithm, is specified in NIST's FIPS 186-3. It is
    # an asymmetric public key algorithm that may be used similar to e.g. RSA.
    #
    class DSA < OpenSSL::PKey::PKey
      include OpenSSL::Marshal

      extend OpenSSL::Marshal::ClassMethods

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - DSA.generate(size) -> dsa
      # -->
      # Creates a new DSA instance by generating a private/public key pair from
      # scratch.
      #
      # See also OpenSSL::PKey.generate_parameters and OpenSSL::PKey.generate_key.
      #
      # `size`
      # :   The desired key size in bits.
      #
      def self.generate: (Integer size) -> instance

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dsa.c
      #   - dsa.export([cipher, password]) -> aString
      #   - dsa.to_pem([cipher, password]) -> aString
      #   - dsa.to_s([cipher, password]) -> aString
      # -->
      # Serializes a private or public key to a PEM-encoding.
      #
      # When the key contains public components only
      # :   Serializes it into an X.509 SubjectPublicKeyInfo. The parameters *cipher*
      #     and *password* are ignored.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN PUBLIC KEY-----
      #         [...]
      #         -----END PUBLIC KEY-----
      #
      #     Consider using #public_to_pem instead. This serializes the key into an
      #     X.509 SubjectPublicKeyInfo regardless of whether it is a public key or a
      #     private key.
      #
      # When the key contains private components, and no parameters are given
      # :   Serializes it into a traditional OpenSSL DSAPrivateKey.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN DSA PRIVATE KEY-----
      #         [...]
      #         -----END DSA PRIVATE KEY-----
      #
      # When the key contains private components, and *cipher* and *password* are given
      # :   Serializes it into a traditional OpenSSL DSAPrivateKey and encrypts it in
      #     OpenSSL's traditional PEM encryption format. *cipher* must be a cipher
      #     name understood by OpenSSL::Cipher.new or an instance of OpenSSL::Cipher.
      #
      #     An encrypted PEM-encoded key will look like:
      #
      #         -----BEGIN DSA PRIVATE KEY-----
      #         Proc-Type: 4,ENCRYPTED
      #         DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
      #
      #         [...]
      #         -----END DSA PRIVATE KEY-----
      #
      #     Note that this format uses MD5 to derive the encryption key, and hence
      #     will not be available on FIPS-compliant systems.
      #
      #
      # **This method is kept for compatibility.** This should only be used when the
      # traditional, non-standard OpenSSL format is required.
      #
      # Consider using #public_to_pem (X.509 SubjectPublicKeyInfo) or #private_to_pem
      # (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
      #
      def export: (String cipher, String password) -> String
                | () -> String

      def g: () -> BN

      def p: () -> BN

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dsa.c
      #   - dsa.params -> hash
      # -->
      # Stores all parameters of key to the hash INSECURE: PRIVATE INFORMATIONS CAN
      # LEAK OUT!!! Don't use :-)) (I's up to you)
      #
      def params: () -> Hash[String, BN]

      def priv_key: () -> BN

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dsa.c
      #   - dsa.private? -> true | false
      # -->
      # Indicates whether this DSA instance has a private key associated with it or
      # not. The private key may be retrieved with DSA#private_key.
      #
      def private?: () -> bool

      def pub_key: () -> BN

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dsa.c
      #   - dsa.public? -> true | false
      # -->
      # Indicates whether this DSA instance has a public key associated with it or
      # not. The public key may be retrieved with DSA#public_key.
      #
      def public?: () -> bool

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - dsa.public_key -> dsanew
      # -->
      # Returns a new DSA instance that carries just the DSA parameters and the public
      # key.
      #
      # This method is provided for backwards compatibility. In most cases, there is
      # no need to call this method.
      #
      # For the purpose of serializing the public key, to PEM or DER encoding of X.509
      # SubjectPublicKeyInfo format, check PKey#public_to_pem and PKey#public_to_der.
      #
      def public_key: () -> instance

      def q: () -> BN

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dsa.c
      #   - dsa.set_key(pub_key, priv_key) -> self
      # -->
      # Sets *pub_key* and *priv_key* for the DSA instance. *priv_key* may be `nil`.
      #
      def set_key: (bn pub_key, bn? priv_key) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dsa.c
      #   - dsa.set_pqg(p, q, g) -> self
      # -->
      # Sets *p*, *q*, *g* to the DSA instance.
      #
      def set_pqg: (bn p, bn q, bn g) -> self

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - dsa.syssign(string) -> string
      # -->
      # Computes and returns the DSA signature of `string`, where `string` is expected
      # to be an already-computed message digest of the original input data. The
      # signature is issued using the private key of this DSA instance.
      #
      # **Deprecated in version 3.0**. Consider using PKey::PKey#sign_raw and
      # PKey::PKey#verify_raw instead.
      #
      # `string`
      # :   A message digest of the original input data to be signed.
      #
      #
      # Example:
      #     dsa = OpenSSL::PKey::DSA.new(2048)
      #     doc = "Sign me"
      #     digest = OpenSSL::Digest.digest('SHA1', doc)
      #
      #     # With legacy #syssign and #sysverify:
      #     sig = dsa.syssign(digest)
      #     p dsa.sysverify(digest, sig) #=> true
      #
      #     # With #sign_raw and #verify_raw:
      #     sig = dsa.sign_raw(nil, digest)
      #     p dsa.verify_raw(nil, sig, digest) #=> true
      #
      def syssign: (String digest) -> String

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - dsa.sysverify(digest, sig) -> true | false
      # -->
      # Verifies whether the signature is valid given the message digest input. It
      # does so by validating `sig` using the public key of this DSA instance.
      #
      # **Deprecated in version 3.0**. Consider using PKey::PKey#sign_raw and
      # PKey::PKey#verify_raw instead.
      #
      # `digest`
      # :   A message digest of the original input data to be signed.
      # `sig`
      # :   A DSA signature value.
      #
      def sysverify: (String digest, String data) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dsa.c
      #   - dsa.to_der -> aString
      # -->
      # Serializes a private or public key to a DER-encoding.
      #
      # See #to_pem for details.
      #
      # **This method is kept for compatibility.** This should only be used when the
      # traditional, non-standard OpenSSL format is required.
      #
      # Consider using #public_to_der or #private_to_der instead.
      #
      def to_der: () -> String

      # <!-- rdoc-file=ext/openssl/ossl_pkey_dsa.c -->
      # Serializes a private or public key to a PEM-encoding.
      #
      # When the key contains public components only
      # :   Serializes it into an X.509 SubjectPublicKeyInfo. The parameters *cipher*
      #     and *password* are ignored.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN PUBLIC KEY-----
      #         [...]
      #         -----END PUBLIC KEY-----
      #
      #     Consider using #public_to_pem instead. This serializes the key into an
      #     X.509 SubjectPublicKeyInfo regardless of whether it is a public key or a
      #     private key.
      #
      # When the key contains private components, and no parameters are given
      # :   Serializes it into a traditional OpenSSL DSAPrivateKey.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN DSA PRIVATE KEY-----
      #         [...]
      #         -----END DSA PRIVATE KEY-----
      #
      # When the key contains private components, and *cipher* and *password* are given
      # :   Serializes it into a traditional OpenSSL DSAPrivateKey and encrypts it in
      #     OpenSSL's traditional PEM encryption format. *cipher* must be a cipher
      #     name understood by OpenSSL::Cipher.new or an instance of OpenSSL::Cipher.
      #
      #     An encrypted PEM-encoded key will look like:
      #
      #         -----BEGIN DSA PRIVATE KEY-----
      #         Proc-Type: 4,ENCRYPTED
      #         DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
      #
      #         [...]
      #         -----END DSA PRIVATE KEY-----
      #
      #     Note that this format uses MD5 to derive the encryption key, and hence
      #     will not be available on FIPS-compliant systems.
      #
      #
      # **This method is kept for compatibility.** This should only be used when the
      # traditional, non-standard OpenSSL format is required.
      #
      # Consider using #public_to_pem (X.509 SubjectPublicKeyInfo) or #private_to_pem
      # (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
      #
      alias to_pem export

      # <!-- rdoc-file=ext/openssl/ossl_pkey_dsa.c -->
      # Serializes a private or public key to a PEM-encoding.
      #
      # When the key contains public components only
      # :   Serializes it into an X.509 SubjectPublicKeyInfo. The parameters *cipher*
      #     and *password* are ignored.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN PUBLIC KEY-----
      #         [...]
      #         -----END PUBLIC KEY-----
      #
      #     Consider using #public_to_pem instead. This serializes the key into an
      #     X.509 SubjectPublicKeyInfo regardless of whether it is a public key or a
      #     private key.
      #
      # When the key contains private components, and no parameters are given
      # :   Serializes it into a traditional OpenSSL DSAPrivateKey.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN DSA PRIVATE KEY-----
      #         [...]
      #         -----END DSA PRIVATE KEY-----
      #
      # When the key contains private components, and *cipher* and *password* are given
      # :   Serializes it into a traditional OpenSSL DSAPrivateKey and encrypts it in
      #     OpenSSL's traditional PEM encryption format. *cipher* must be a cipher
      #     name understood by OpenSSL::Cipher.new or an instance of OpenSSL::Cipher.
      #
      #     An encrypted PEM-encoded key will look like:
      #
      #         -----BEGIN DSA PRIVATE KEY-----
      #         Proc-Type: 4,ENCRYPTED
      #         DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
      #
      #         [...]
      #         -----END DSA PRIVATE KEY-----
      #
      #     Note that this format uses MD5 to derive the encryption key, and hence
      #     will not be available on FIPS-compliant systems.
      #
      #
      # **This method is kept for compatibility.** This should only be used when the
      # traditional, non-standard OpenSSL format is required.
      #
      # Consider using #public_to_pem (X.509 SubjectPublicKeyInfo) or #private_to_pem
      # (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
      #
      alias to_s export

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dsa.c
      #   - dsa.to_text -> aString
      # -->
      # Prints all parameters of key to buffer INSECURE: PRIVATE INFORMATIONS CAN LEAK
      # OUT!!! Don't use :-)) (I's up to you)
      #
      def to_text: () -> String

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dsa.c
      #   - DSA.new -> dsa
      #   - DSA.new(string [, pass]) -> dsa
      #   - DSA.new(size) -> dsa
      # -->
      # Creates a new DSA instance by reading an existing key from *string*.
      #
      # If called without arguments, creates a new instance with no key components
      # set. They can be set individually by #set_pqg and #set_key.
      #
      # If called with a String, tries to parse as DER or PEM encoding of a DSA key.
      # See also OpenSSL::PKey.read which can parse keys of any kinds.
      #
      # If called with a number, generates random parameters and a key pair. This form
      # works as an alias of DSA.generate.
      #
      # `string`
      # :   A String that contains a DER or PEM encoded key.
      # `pass`
      # :   A String that contains an optional password.
      # `size`
      # :   See DSA.generate.
      #
      #
      # Examples:
      #     p OpenSSL::PKey::DSA.new(1024)
      #     #=> #<OpenSSL::PKey::DSA:0x000055a8d6025bf0 oid=DSA>
      #
      #     p OpenSSL::PKey::DSA.new(File.read('dsa.pem'))
      #     #=> #<OpenSSL::PKey::DSA:0x000055555d6b8110 oid=DSA>
      #
      #     p OpenSSL::PKey::DSA.new(File.read('dsa.pem'), 'mypassword')
      #     #=> #<OpenSSL::PKey::DSA:0x0000556f973c40b8 oid=DSA>
      #
      def initialize: (String pem, ?String pass) -> void
                    | (?Integer size) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_dsa.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void
    end

    # <!-- rdoc-file=ext/openssl/ossl_pkey_dsa.c -->
    # Generic exception that is raised if an operation on a DSA PKey fails
    # unexpectedly or in case an instantiation of an instance of DSA fails due to
    # non-conformant input data.
    #
    class DSAError < OpenSSL::PKey::PKeyError
    end

    # <!-- rdoc-file=ext/openssl/ossl_pkey_ec.c -->
    # OpenSSL::PKey::EC provides access to Elliptic Curve Digital Signature
    # Algorithm (ECDSA) and Elliptic Curve Diffie-Hellman (ECDH).
    #
    # ### Key exchange
    #     ec1 = OpenSSL::PKey::EC.generate("prime256v1")
    #     ec2 = OpenSSL::PKey::EC.generate("prime256v1")
    #     # ec1 and ec2 have own private key respectively
    #     shared_key1 = ec1.dh_compute_key(ec2.public_key)
    #     shared_key2 = ec2.dh_compute_key(ec1.public_key)
    #
    #     p shared_key1 == shared_key2 #=> true
    #
    class EC < OpenSSL::PKey::PKey
      include OpenSSL::Marshal

      extend OpenSSL::Marshal::ClassMethods

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - EC.builtin_curves => [[sn, comment], ...]
      # -->
      # Obtains a list of all predefined curves by the OpenSSL. Curve names are
      # returned as sn.
      #
      # See the OpenSSL documentation for EC_get_builtin_curves().
      #
      def self.builtin_curves: () -> Array[[ String, String ]]

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - EC.generate(ec_group) -> ec
      #   - EC.generate(string) -> ec
      # -->
      # Creates a new EC instance with a new random private and public key.
      #
      def self.generate: (String | Group pem_or_der_or_group_or_curve_name) -> instance

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - key.check_key   => true
      # -->
      # Raises an exception if the key is invalid.
      #
      # See also the man page EVP_PKEY_public_check(3).
      #
      def check_key: () -> true

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - ec.dh_compute_key(pubkey) -> string
      # -->
      # Derives a shared secret by ECDH. *pubkey* must be an instance of
      # OpenSSL::PKey::EC::Point and must belong to the same group.
      #
      # This method is provided for backwards compatibility, and calls #derive
      # internally.
      #
      def dh_compute_key: (Point public_key) -> String

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - key.dsa_sign_asn1(data) -> String
      # -->
      # **Deprecated in version 3.0**. Consider using PKey::PKey#sign_raw and
      # PKey::PKey#verify_raw instead.
      #
      def dsa_sign_asn1: (String digest) -> String

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - key.dsa_verify_asn1(data, sig) -> true | false
      # -->
      # **Deprecated in version 3.0**. Consider using PKey::PKey#sign_raw and
      # PKey::PKey#verify_raw instead.
      #
      def dsa_verify_asn1: (String digest, String signature) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - key.export([cipher, password]) => String
      #   - key.to_pem([cipher, password]) => String
      # -->
      # Serializes a private or public key to a PEM-encoding.
      #
      # When the key contains public components only
      # :   Serializes it into an X.509 SubjectPublicKeyInfo. The parameters *cipher*
      #     and *password* are ignored.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN PUBLIC KEY-----
      #         [...]
      #         -----END PUBLIC KEY-----
      #
      #     Consider using #public_to_pem instead. This serializes the key into an
      #     X.509 SubjectPublicKeyInfo regardless of whether it is a public key or a
      #     private key.
      #
      # When the key contains private components, and no parameters are given
      # :   Serializes it into a SEC 1/RFC 5915 ECPrivateKey.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN EC PRIVATE KEY-----
      #         [...]
      #         -----END EC PRIVATE KEY-----
      #
      # When the key contains private components, and *cipher* and *password* are given
      # :   Serializes it into a SEC 1/RFC 5915 ECPrivateKey and encrypts it in
      #     OpenSSL's traditional PEM encryption format. *cipher* must be a cipher
      #     name understood by OpenSSL::Cipher.new or an instance of OpenSSL::Cipher.
      #
      #     An encrypted PEM-encoded key will look like:
      #
      #         -----BEGIN EC PRIVATE KEY-----
      #         Proc-Type: 4,ENCRYPTED
      #         DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
      #
      #         [...]
      #         -----END EC PRIVATE KEY-----
      #
      #     Note that this format uses MD5 to derive the encryption key, and hence
      #     will not be available on FIPS-compliant systems.
      #
      #
      # **This method is kept for compatibility.** This should only be used when the
      # SEC 1/RFC 5915 ECPrivateKey format is required.
      #
      # Consider using #public_to_pem (X.509 SubjectPublicKeyInfo) or #private_to_pem
      # (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
      #
      def export: (String cipher, String password) -> String
                | () -> String

      # <!-- rdoc-file=ext/openssl/ossl_pkey_ec.c -->
      # Generates a new random private and public key.
      #
      # See also the OpenSSL documentation for EC_KEY_generate_key()
      #
      # ### Example
      #     ec = OpenSSL::PKey::EC.new("prime256v1")
      #     p ec.private_key # => nil
      #     ec.generate_key!
      #     p ec.private_key # => #<OpenSSL::BN XXXXXX>
      #
      alias generate_key generate_key!

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - key.generate_key!   => self
      # -->
      # Generates a new random private and public key.
      #
      # See also the OpenSSL documentation for EC_KEY_generate_key()
      #
      # ### Example
      #     ec = OpenSSL::PKey::EC.new("prime256v1")
      #     p ec.private_key # => nil
      #     ec.generate_key!
      #     p ec.private_key # => #<OpenSSL::BN XXXXXX>
      #
      def generate_key!: () -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - key.group   => group
      # -->
      # Returns the EC::Group that the key is associated with. Modifying the returned
      # group does not affect *key*.
      #
      def group: () -> Group?

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - key.group = group
      # -->
      # Sets the EC::Group for the key. The group structure is internally copied so
      # modification to *group* after assigning to a key has no effect on the key.
      #
      def group=: (Group) -> Group

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - key.private? => true or false
      # -->
      # Returns whether this EC instance has a private key. The private key (BN) can
      # be retrieved with EC#private_key.
      #
      def private?: () -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - key.private_key   => OpenSSL::BN
      # -->
      # See the OpenSSL documentation for EC_KEY_get0_private_key()
      #
      def private_key: () -> BN?

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - key.private_key = openssl_bn
      # -->
      # See the OpenSSL documentation for EC_KEY_set_private_key()
      #
      def private_key=: (bn priv_key) -> self

      # <!-- rdoc-file=ext/openssl/ossl_pkey_ec.c -->
      # Returns whether this EC instance has a private key. The private key (BN) can
      # be retrieved with EC#private_key.
      #
      alias private_key? private?

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - key.public? => true or false
      # -->
      # Returns whether this EC instance has a public key. The public key (EC::Point)
      # can be retrieved with EC#public_key.
      #
      def public?: () -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - key.public_key   => OpenSSL::PKey::EC::Point
      # -->
      # See the OpenSSL documentation for EC_KEY_get0_public_key()
      #
      def public_key: () -> Point?

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - key.public_key = ec_point
      # -->
      # See the OpenSSL documentation for EC_KEY_set_public_key()
      #
      def public_key=: (bn priv_key) -> self

      # <!-- rdoc-file=ext/openssl/ossl_pkey_ec.c -->
      # Returns whether this EC instance has a public key. The public key (EC::Point)
      # can be retrieved with EC#public_key.
      #
      alias public_key? public?

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - key.to_der   => String
      # -->
      # Serializes a private or public key to a DER-encoding.
      #
      # See #to_pem for details.
      #
      # **This method is kept for compatibility.** This should only be used when the
      # SEC 1/RFC 5915 ECPrivateKey format is required.
      #
      # Consider using #public_to_der or #private_to_der instead.
      #
      def to_der: () -> String

      # <!-- rdoc-file=ext/openssl/ossl_pkey_ec.c -->
      # Serializes a private or public key to a PEM-encoding.
      #
      # When the key contains public components only
      # :   Serializes it into an X.509 SubjectPublicKeyInfo. The parameters *cipher*
      #     and *password* are ignored.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN PUBLIC KEY-----
      #         [...]
      #         -----END PUBLIC KEY-----
      #
      #     Consider using #public_to_pem instead. This serializes the key into an
      #     X.509 SubjectPublicKeyInfo regardless of whether it is a public key or a
      #     private key.
      #
      # When the key contains private components, and no parameters are given
      # :   Serializes it into a SEC 1/RFC 5915 ECPrivateKey.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN EC PRIVATE KEY-----
      #         [...]
      #         -----END EC PRIVATE KEY-----
      #
      # When the key contains private components, and *cipher* and *password* are given
      # :   Serializes it into a SEC 1/RFC 5915 ECPrivateKey and encrypts it in
      #     OpenSSL's traditional PEM encryption format. *cipher* must be a cipher
      #     name understood by OpenSSL::Cipher.new or an instance of OpenSSL::Cipher.
      #
      #     An encrypted PEM-encoded key will look like:
      #
      #         -----BEGIN EC PRIVATE KEY-----
      #         Proc-Type: 4,ENCRYPTED
      #         DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
      #
      #         [...]
      #         -----END EC PRIVATE KEY-----
      #
      #     Note that this format uses MD5 to derive the encryption key, and hence
      #     will not be available on FIPS-compliant systems.
      #
      #
      # **This method is kept for compatibility.** This should only be used when the
      # SEC 1/RFC 5915 ECPrivateKey format is required.
      #
      # Consider using #public_to_pem (X.509 SubjectPublicKeyInfo) or #private_to_pem
      # (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
      #
      alias to_pem export

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - key.to_text   => String
      # -->
      # See the OpenSSL documentation for EC_KEY_print()
      #
      def to_text: () -> String

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - OpenSSL::PKey::EC.new
      #   - OpenSSL::PKey::EC.new(ec_key)
      #   - OpenSSL::PKey::EC.new(ec_group)
      #   - OpenSSL::PKey::EC.new("secp112r1")
      #   - OpenSSL::PKey::EC.new(pem_string [, pwd])
      #   - OpenSSL::PKey::EC.new(der_string)
      # -->
      # Creates a new EC object from given arguments.
      #
      def initialize: () -> void
                    | (instance ec_key) -> void
                    | (Group group) -> void
                    | (String pem_or_der_or_curve, ?String pass) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_ec.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void

      EXPLICIT_CURVE: Integer

      NAMED_CURVE: Integer

      type ec_method = :GFp_simple | :GFp_mont | :GFp_nist | :GF2m_simple

      type point_conversion_format = :compressed | :uncompressed | :hybrid

      class Group
        # <!-- rdoc-file=ext/openssl/ossl_pkey_ec.c -->
        # Returns `true` if the two groups use the same curve and have the same
        # parameters, `false` otherwise.
        #
        alias == eql?

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.asn1_flag -> Integer
        # -->
        # Returns the flags set on the group.
        #
        # See also #asn1_flag=.
        #
        def asn1_flag: () -> Integer

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.asn1_flag = flags
        # -->
        # Sets flags on the group. The flag value is used to determine how to encode the
        # group: encode explicit parameters or named curve using an OID.
        #
        # The flag value can be either of:
        #
        # *   EC::NAMED_CURVE
        # *   EC::EXPLICIT_CURVE
        #
        #
        # See the OpenSSL documentation for EC_GROUP_set_asn1_flag().
        #
        def asn1_flag=: (Integer) -> Integer

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.get_cofactor   => cofactor_bn
        # -->
        # Returns the cofactor of the group.
        #
        # See the OpenSSL documentation for EC_GROUP_get_cofactor()
        #
        def cofactor: () -> BN

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.curve_name  => String
        # -->
        # Returns the curve name (sn).
        #
        # See the OpenSSL documentation for EC_GROUP_get_curve_name()
        #
        def curve_name: () -> String

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.degree   => integer
        # -->
        # See the OpenSSL documentation for EC_GROUP_get_degree()
        #
        def degree: () -> Integer

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group1.eql?(group2)   => true | false
        #   - group1 == group2   => true | false
        # -->
        # Returns `true` if the two groups use the same curve and have the same
        # parameters, `false` otherwise.
        #
        def eql?: (instance other) -> bool

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.generator   => ec_point
        # -->
        # Returns the generator of the group.
        #
        # See the OpenSSL documentation for EC_GROUP_get0_generator()
        #
        def generator: () -> Point?

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.get_order   => order_bn
        # -->
        # Returns the order of the group.
        #
        # See the OpenSSL documentation for EC_GROUP_get_order()
        #
        def order: () -> BN

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.point_conversion_form -> Symbol
        # -->
        # Returns the form how EC::Point data is encoded as ASN.1.
        #
        # See also #point_conversion_form=.
        #
        def point_conversion_form: () -> point_conversion_format

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.point_conversion_form = form
        # -->
        # Sets the form how EC::Point data is encoded as ASN.1 as defined in X9.62.
        #
        # *format* can be one of these:
        #
        # `:compressed`
        # :   Encoded as z||x, where z is an octet indicating which solution of the
        #     equation y is. z will be 0x02 or 0x03.
        # `:uncompressed`
        # :   Encoded as z||x||y, where z is an octet 0x04.
        # `:hybrid`
        # :   Encodes as z||x||y, where z is an octet indicating which solution of the
        #     equation y is. z will be 0x06 or 0x07.
        #
        #
        # See the OpenSSL documentation for EC_GROUP_set_point_conversion_form()
        #
        def point_conversion_form=: (point_conversion_format format) -> point_conversion_format

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.seed   => String or nil
        # -->
        # See the OpenSSL documentation for EC_GROUP_get0_seed()
        #
        def seed: () -> String?

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.seed = seed  => seed
        # -->
        # See the OpenSSL documentation for EC_GROUP_set_seed()
        #
        def seed=: (String seed) -> String

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.set_generator(generator, order, cofactor)   => self
        # -->
        # Sets the curve parameters. *generator* must be an instance of EC::Point that
        # is on the curve. *order* and *cofactor* are integers.
        #
        # See the OpenSSL documentation for EC_GROUP_set_generator()
        #
        def set_generator: (Point generator, Integer order, Integer cofactor) -> self

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.to_der   => String
        # -->
        # See the OpenSSL documentation for i2d_ECPKParameters_bio()
        #
        def to_der: () -> String

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.to_pem   => String
        # -->
        # See the OpenSSL documentation for PEM_write_bio_ECPKParameters()
        #
        def to_pem: () -> String

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - group.to_text   => String
        # -->
        # See the OpenSSL documentation for ECPKParameters_print()
        #
        def to_text: () -> String

        private

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - OpenSSL::PKey::EC::Group.new(ec_group)
        #   - OpenSSL::PKey::EC::Group.new(pem_or_der_encoded)
        #   - OpenSSL::PKey::EC::Group.new(:GFp, bignum_p, bignum_a, bignum_b)
        #   - OpenSSL::PKey::EC::Group.new(:GF2m, bignum_p, bignum_a, bignum_b)
        # -->
        # Creates a new EC::Group object.
        #
        # If the first argument is :GFp or :GF2m, creates a new curve with given
        # parameters.
        #
        def initialize: (instance group) -> void
                      | (String pem_or_der_encoded) -> void
                      | (ec_method ec_method) -> void
                      | (:GFp | :GF2m ec_method, Integer bignum_p, Integer bignum_a, Integer bignum_b) -> void

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - initialize_copy(p1)
        # -->
        #
        def initialize_copy: (instance) -> void

        class Error < OpenSSL::OpenSSLError
        end
      end

      class Point
        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - ==(p1)
        # -->
        #
        alias == eql?

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - point.add(point) => point
        # -->
        # Performs elliptic curve point addition.
        #
        def add: (instance point) -> instance

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - point1.eql?(point2) => true | false
        #   - point1 == point2 => true | false
        # -->
        #
        def eql?: (instance other) -> bool

        def group: () -> Group

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - point.infinity? => true | false
        # -->
        #
        def infinity?: () -> bool

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - point.invert! => self
        # -->
        #
        def invert!: () -> self

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - point.make_affine! => self
        # -->
        # This method is deprecated and should not be used. This is a no-op.
        #
        def make_affine!: () -> self

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - point.mul(bn1 [, bn2]) => point
        #   - point.mul(bns, points [, bn2]) => point
        # -->
        # Performs elliptic curve point multiplication.
        #
        # The first form calculates `bn1 * point + bn2 * G`, where `G` is the generator
        # of the group of *point*. *bn2* may be omitted, and in that case, the result is
        # just `bn1 * point`.
        #
        # The second form calculates `bns[0] * point + bns[1] * points[0] + ... +
        # bns[-1] * points[-1] + bn2 * G`. *bn2* may be omitted. *bns* must be an array
        # of OpenSSL::BN. *points* must be an array of OpenSSL::PKey::EC::Point. Please
        # note that `points[0]` is not multiplied by `bns[0]`, but `bns[1]`.
        #
        def mul: (bn bn1, ?bn bn2) -> instance
               | (Array[bn] bns, Array[instance], ?bn bn2) -> instance

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - point.on_curve? => true | false
        # -->
        #
        def on_curve?: () -> bool

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - point.set_to_infinity! => self
        # -->
        #
        def set_to_infinity!: () -> self

        # <!--
        #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
        #   - point.to_bn([conversion_form]) -> OpenSSL::BN
        # -->
        # Returns the octet string representation of the EC point as an instance of
        # OpenSSL::BN.
        #
        # If *conversion_form* is not given, the *point_conversion_form* attribute set
        # to the group is used.
        #
        # See #to_octet_string for more information.
        #
        def to_bn: (?point_conversion_format conversion_form) -> BN

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - point.to_octet_string(conversion_form) -> String
        # -->
        # Returns the octet string representation of the elliptic curve point.
        #
        # *conversion_form* specifies how the point is converted. Possible values are:
        #
        # *   `:compressed`
        # *   `:uncompressed`
        # *   `:hybrid`
        #
        def to_octet_string: (point_conversion_format) -> String

        private

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - OpenSSL::PKey::EC::Point.new(point)
        #   - OpenSSL::PKey::EC::Point.new(group [, encoded_point])
        # -->
        # Creates a new instance of OpenSSL::PKey::EC::Point. If the only argument is an
        # instance of EC::Point, a copy is returned. Otherwise, creates a point that
        # belongs to *group*.
        #
        # *encoded_point* is the octet string representation of the point. This must be
        # either a String or an OpenSSL::BN.
        #
        def initialize: (instance point) -> void
                      | (Group group, ?String | BN encoded_point) -> void

        # <!--
        #   rdoc-file=ext/openssl/ossl_pkey_ec.c
        #   - initialize_copy(p1)
        # -->
        #
        def initialize_copy: (instance) -> void

        class Error < OpenSSL::OpenSSLError
        end
      end
    end

    class ECError < OpenSSL::PKey::PKeyError
    end

    # <!-- rdoc-file=ext/openssl/ossl_pkey.c -->
    # An abstract class that bundles signature creation (PKey#sign) and validation
    # (PKey#verify) that is common to all implementations except OpenSSL::PKey::DH
    # *   OpenSSL::PKey::RSA
    # *   OpenSSL::PKey::DSA
    # *   OpenSSL::PKey::EC
    #
    class PKey
      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey.c
      #   - pkey.inspect -> string
      # -->
      # Returns a string describing the PKey object.
      #
      def inspect: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey.c
      #   - pkey.oid -> string
      # -->
      # Returns the short name of the OID associated with *pkey*.
      #
      def oid: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey.c
      #   - pkey.private_to_der                   -> string
      #   - pkey.private_to_der(cipher, password) -> string
      # -->
      # Serializes the private key to DER-encoded PKCS #8 format. If called without
      # arguments, unencrypted PKCS #8 PrivateKeyInfo format is used. If called with a
      # cipher name and a password, PKCS #8 EncryptedPrivateKeyInfo format with PBES2
      # encryption scheme is used.
      #
      def private_to_der: (String cipher, String password) -> String
                        | () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey.c
      #   - pkey.private_to_pem                   -> string
      #   - pkey.private_to_pem(cipher, password) -> string
      # -->
      # Serializes the private key to PEM-encoded PKCS #8 format. See #private_to_der
      # for more details.
      #
      # An unencrypted PEM-encoded key will look like:
      #
      #     -----BEGIN PRIVATE KEY-----
      #     [...]
      #     -----END PRIVATE KEY-----
      #
      # An encrypted PEM-encoded key will look like:
      #
      #     -----BEGIN ENCRYPTED PRIVATE KEY-----
      #     [...]
      #     -----END ENCRYPTED PRIVATE KEY-----
      #
      def private_to_pem: (String cipher, String password) -> String
                        | () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey.c
      #   - pkey.public_to_der -> string
      # -->
      # Serializes the public key to DER-encoded X.509 SubjectPublicKeyInfo format.
      #
      def public_to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey.c
      #   - pkey.public_to_pem -> string
      # -->
      # Serializes the public key to PEM-encoded X.509 SubjectPublicKeyInfo format.
      #
      # A PEM-encoded key will look like:
      #
      #     -----BEGIN PUBLIC KEY-----
      #     [...]
      #     -----END PUBLIC KEY-----
      #
      def public_to_pem: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey.c
      #   - pkey.sign(digest, data [, options]) -> string
      # -->
      # Hashes and signs the `data` using a message digest algorithm `digest` and a
      # private key `pkey`.
      #
      # See #verify for the verification operation.
      #
      # See also the man page EVP_DigestSign(3).
      #
      # `digest`
      # :   A String that represents the message digest algorithm name, or `nil` if
      #     the PKey type requires no digest algorithm. For backwards compatibility,
      #     this can be an instance of OpenSSL::Digest. Its state will not affect the
      #     signature.
      # `data`
      # :   A String. The data to be hashed and signed.
      # `options`
      # :   A Hash that contains algorithm specific control operations to OpenSSL. See
      #     OpenSSL's man page EVP_PKEY_CTX_ctrl_str(3) for details. `options`
      #     parameter was added in version 3.0.
      #
      #
      # Example:
      #     data = "Sign me!"
      #     pkey = OpenSSL::PKey.generate_key("RSA", rsa_keygen_bits: 2048)
      #     signopts = { rsa_padding_mode: "pss" }
      #     signature = pkey.sign("SHA256", data, signopts)
      #
      #     # Creates a copy of the RSA key pkey, but without the private components
      #     pub_key = pkey.public_key
      #     puts pub_key.verify("SHA256", signature, data, signopts) # => true
      #
      def sign: (Digest digest, String data) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey.c
      #   - pkey.verify(digest, signature, data [, options]) -> true or false
      # -->
      # Verifies the `signature` for the `data` using a message digest algorithm
      # `digest` and a public key `pkey`.
      #
      # Returns `true` if the signature is successfully verified, `false` otherwise.
      # The caller must check the return value.
      #
      # See #sign for the signing operation and an example.
      #
      # See also the man page EVP_DigestVerify(3).
      #
      # `digest`
      # :   See #sign.
      # `signature`
      # :   A String containing the signature to be verified.
      # `data`
      # :   See #sign.
      # `options`
      # :   See #sign. `options` parameter was added in version 3.0.
      #
      def verify: (Digest digest, String signature, String data) -> bool

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey.c
      #   - PKeyClass.new -> self
      # -->
      # Because PKey is an abstract class, actually calling this method explicitly
      # will raise a NotImplementedError.
      #
      def initialize: () -> void
    end

    # <!-- rdoc-file=ext/openssl/ossl_pkey.c -->
    # Raised when errors occur during PKey#sign or PKey#verify.
    #
    class PKeyError < OpenSSL::OpenSSLError
    end

    # <!-- rdoc-file=ext/openssl/ossl_pkey_rsa.c -->
    # RSA is an asymmetric public key algorithm that has been formalized in RFC
    # 3447. It is in widespread use in public key infrastructures (PKI) where
    # certificates (cf. OpenSSL::X509::Certificate) often are issued on the basis of
    # a public/private RSA key pair. RSA is used in a wide field of applications
    # such as secure (symmetric) key exchange, e.g. when establishing a secure
    # TLS/SSL connection. It is also used in various digital signature schemes.
    #
    class RSA < OpenSSL::PKey::PKey
      include OpenSSL::Marshal

      extend OpenSSL::Marshal::ClassMethods

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - RSA.generate(size, exponent = 65537) -> RSA
      # -->
      # Generates an RSA keypair.
      #
      # See also OpenSSL::PKey.generate_key.
      #
      # `size`
      # :   The desired key size in bits.
      # `exponent`
      # :   An odd Integer, normally 3, 17, or 65537.
      #
      def self.generate: (Integer size, ?Integer exponent) -> instance

      def d: () -> BN?

      def dmp1: () -> BN?

      def dmq1: () -> BN?

      def e: () -> BN?

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_rsa.c
      #   - rsa.export([cipher, password]) => PEM-format String
      #   - rsa.to_pem([cipher, password]) => PEM-format String
      #   - rsa.to_s([cipher, password]) => PEM-format String
      # -->
      # Serializes a private or public key to a PEM-encoding.
      #
      # When the key contains public components only
      # :   Serializes it into an X.509 SubjectPublicKeyInfo. The parameters *cipher*
      #     and *password* are ignored.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN PUBLIC KEY-----
      #         [...]
      #         -----END PUBLIC KEY-----
      #
      #     Consider using #public_to_pem instead. This serializes the key into an
      #     X.509 SubjectPublicKeyInfo regardless of whether the key is a public key
      #     or a private key.
      #
      # When the key contains private components, and no parameters are given
      # :   Serializes it into a PKCS #1 RSAPrivateKey.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN RSA PRIVATE KEY-----
      #         [...]
      #         -----END RSA PRIVATE KEY-----
      #
      # When the key contains private components, and *cipher* and *password* are given
      # :   Serializes it into a PKCS #1 RSAPrivateKey and encrypts it in OpenSSL's
      #     traditional PEM encryption format. *cipher* must be a cipher name
      #     understood by OpenSSL::Cipher.new or an instance of OpenSSL::Cipher.
      #
      #     An encrypted PEM-encoded key will look like:
      #
      #         -----BEGIN RSA PRIVATE KEY-----
      #         Proc-Type: 4,ENCRYPTED
      #         DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
      #
      #         [...]
      #         -----END RSA PRIVATE KEY-----
      #
      #     Note that this format uses MD5 to derive the encryption key, and hence
      #     will not be available on FIPS-compliant systems.
      #
      #
      # **This method is kept for compatibility.** This should only be used when the
      # PKCS #1 RSAPrivateKey format is required.
      #
      # Consider using #public_to_pem (X.509 SubjectPublicKeyInfo) or #private_to_pem
      # (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
      #
      def export: (String cipher, String password) -> String
                | () -> String

      def iqmp: () -> BN?

      def n: () -> BN?

      def p: () -> BN?

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_rsa.c
      #   - rsa.params => hash
      # -->
      # THIS METHOD IS INSECURE, PRIVATE INFORMATION CAN LEAK OUT!!!
      #
      # Stores all parameters of key to the hash.  The hash has keys 'n', 'e', 'd',
      # 'p', 'q', 'dmp1', 'dmq1', 'iqmp'.
      #
      # Don't use :-)) (It's up to you)
      #
      def params: () -> Hash[String, BN]

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_rsa.c
      #   - rsa.private? => true | false
      # -->
      # Does this keypair contain a private key?
      #
      def private?: () -> bool

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - rsa.private_decrypt(string)          -> String
      #   - rsa.private_decrypt(string, padding) -> String
      # -->
      # Decrypt `string`, which has been encrypted with the public key, with the
      # private key. `padding` defaults to PKCS1_PADDING, which is known to be
      # insecure but is kept for backwards compatibility.
      #
      # **Deprecated in version 3.0**. Consider using PKey::PKey#encrypt and
      # PKey::PKey#decrypt instead.
      #
      def private_decrypt: (String data, ?Integer padding) -> String

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - rsa.private_encrypt(string)          -> String
      #   - rsa.private_encrypt(string, padding) -> String
      # -->
      # Encrypt `string` with the private key.  `padding` defaults to PKCS1_PADDING,
      # which is known to be insecure but is kept for backwards compatibility. The
      # encrypted string output can be decrypted using #public_decrypt.
      #
      # **Deprecated in version 3.0**. Consider using PKey::PKey#sign_raw and
      # PKey::PKey#verify_raw, and PKey::PKey#verify_recover instead.
      #
      def private_encrypt: (String data, ?Integer padding) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_rsa.c
      #   - rsa.public? => true
      # -->
      # The return value is always `true` since every private key is also a public
      # key.
      #
      def public?: () -> bool

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - rsa.public_decrypt(string)          -> String
      #   - rsa.public_decrypt(string, padding) -> String
      # -->
      # Decrypt `string`, which has been encrypted with the private key, with the
      # public key.  `padding` defaults to PKCS1_PADDING which is known to be insecure
      # but is kept for backwards compatibility.
      #
      # **Deprecated in version 3.0**. Consider using PKey::PKey#sign_raw and
      # PKey::PKey#verify_raw, and PKey::PKey#verify_recover instead.
      #
      def public_decrypt: (String data, ?Integer padding) -> String

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - rsa.public_encrypt(string)          -> String
      #   - rsa.public_encrypt(string, padding) -> String
      # -->
      # Encrypt `string` with the public key.  `padding` defaults to PKCS1_PADDING,
      # which is known to be insecure but is kept for backwards compatibility. The
      # encrypted string output can be decrypted using #private_decrypt.
      #
      # **Deprecated in version 3.0**. Consider using PKey::PKey#encrypt and
      # PKey::PKey#decrypt instead.
      #
      def public_encrypt: (String data, ?Integer padding) -> String

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/pkey.rb
      #   - rsa.public_key -> rsanew
      # -->
      # Returns a new RSA instance that carries just the public key components.
      #
      # This method is provided for backwards compatibility. In most cases, there is
      # no need to call this method.
      #
      # For the purpose of serializing the public key, to PEM or DER encoding of X.509
      # SubjectPublicKeyInfo format, check PKey#public_to_pem and PKey#public_to_der.
      #
      def public_key: () -> instance

      def q: () -> BN?

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_rsa.c
      #   - rsa.set_crt_params(dmp1, dmq1, iqmp) -> self
      # -->
      # Sets *dmp1*, *dmq1*, *iqmp* for the RSA instance. They are calculated by `d
      # mod (p - 1)`, `d mod (q - 1)` and `q^(-1) mod p` respectively.
      #
      def set_crt_params: (bn dmp1, bn dmq1, bn iqmp) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_rsa.c
      #   - rsa.set_factors(p, q) -> self
      # -->
      # Sets *p*, *q* for the RSA instance.
      #
      def set_factors: (bn p, bn q) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_rsa.c
      #   - rsa.set_key(n, e, d) -> self
      # -->
      # Sets *n*, *e*, *d* for the RSA instance.
      #
      def set_key: (bn n, bn e, bn d) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_rsa.c
      #   - rsa.sign_pss(digest, data, salt_length:, mgf1_hash:) -> String
      # -->
      # Signs *data* using the Probabilistic Signature Scheme (RSA-PSS) and returns
      # the calculated signature.
      #
      # RSAError will be raised if an error occurs.
      #
      # See #verify_pss for the verification operation.
      #
      # ### Parameters
      # *digest*
      # :   A String containing the message digest algorithm name.
      # *data*
      # :   A String. The data to be signed.
      # *salt_length*
      # :   The length in octets of the salt. Two special values are reserved:
      #     `:digest` means the digest length, and `:max` means the maximum possible
      #     length for the combination of the private key and the selected message
      #     digest algorithm.
      # *mgf1_hash*
      # :   The hash algorithm used in MGF1 (the currently supported mask generation
      #     function (MGF)).
      #
      #
      # ### Example
      #     data = "Sign me!"
      #     pkey = OpenSSL::PKey::RSA.new(2048)
      #     signature = pkey.sign_pss("SHA256", data, salt_length: :max, mgf1_hash: "SHA256")
      #     pub_key = OpenSSL::PKey.read(pkey.public_to_der)
      #     puts pub_key.verify_pss("SHA256", signature, data,
      #                             salt_length: :auto, mgf1_hash: "SHA256") # => true
      #
      def sign_pss: (String digest, String data, salt_length: :digest | :max | Integer, mgf1_hash: String) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_rsa.c
      #   - rsa.to_der => DER-format String
      # -->
      # Serializes a private or public key to a DER-encoding.
      #
      # See #to_pem for details.
      #
      # **This method is kept for compatibility.** This should only be used when the
      # PKCS #1 RSAPrivateKey format is required.
      #
      # Consider using #public_to_der or #private_to_der instead.
      #
      def to_der: () -> String

      # <!-- rdoc-file=ext/openssl/ossl_pkey_rsa.c -->
      # Serializes a private or public key to a PEM-encoding.
      #
      # When the key contains public components only
      # :   Serializes it into an X.509 SubjectPublicKeyInfo. The parameters *cipher*
      #     and *password* are ignored.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN PUBLIC KEY-----
      #         [...]
      #         -----END PUBLIC KEY-----
      #
      #     Consider using #public_to_pem instead. This serializes the key into an
      #     X.509 SubjectPublicKeyInfo regardless of whether the key is a public key
      #     or a private key.
      #
      # When the key contains private components, and no parameters are given
      # :   Serializes it into a PKCS #1 RSAPrivateKey.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN RSA PRIVATE KEY-----
      #         [...]
      #         -----END RSA PRIVATE KEY-----
      #
      # When the key contains private components, and *cipher* and *password* are given
      # :   Serializes it into a PKCS #1 RSAPrivateKey and encrypts it in OpenSSL's
      #     traditional PEM encryption format. *cipher* must be a cipher name
      #     understood by OpenSSL::Cipher.new or an instance of OpenSSL::Cipher.
      #
      #     An encrypted PEM-encoded key will look like:
      #
      #         -----BEGIN RSA PRIVATE KEY-----
      #         Proc-Type: 4,ENCRYPTED
      #         DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
      #
      #         [...]
      #         -----END RSA PRIVATE KEY-----
      #
      #     Note that this format uses MD5 to derive the encryption key, and hence
      #     will not be available on FIPS-compliant systems.
      #
      #
      # **This method is kept for compatibility.** This should only be used when the
      # PKCS #1 RSAPrivateKey format is required.
      #
      # Consider using #public_to_pem (X.509 SubjectPublicKeyInfo) or #private_to_pem
      # (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
      #
      alias to_pem export

      # <!-- rdoc-file=ext/openssl/ossl_pkey_rsa.c -->
      # Serializes a private or public key to a PEM-encoding.
      #
      # When the key contains public components only
      # :   Serializes it into an X.509 SubjectPublicKeyInfo. The parameters *cipher*
      #     and *password* are ignored.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN PUBLIC KEY-----
      #         [...]
      #         -----END PUBLIC KEY-----
      #
      #     Consider using #public_to_pem instead. This serializes the key into an
      #     X.509 SubjectPublicKeyInfo regardless of whether the key is a public key
      #     or a private key.
      #
      # When the key contains private components, and no parameters are given
      # :   Serializes it into a PKCS #1 RSAPrivateKey.
      #
      #     A PEM-encoded key will look like:
      #
      #         -----BEGIN RSA PRIVATE KEY-----
      #         [...]
      #         -----END RSA PRIVATE KEY-----
      #
      # When the key contains private components, and *cipher* and *password* are given
      # :   Serializes it into a PKCS #1 RSAPrivateKey and encrypts it in OpenSSL's
      #     traditional PEM encryption format. *cipher* must be a cipher name
      #     understood by OpenSSL::Cipher.new or an instance of OpenSSL::Cipher.
      #
      #     An encrypted PEM-encoded key will look like:
      #
      #         -----BEGIN RSA PRIVATE KEY-----
      #         Proc-Type: 4,ENCRYPTED
      #         DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0
      #
      #         [...]
      #         -----END RSA PRIVATE KEY-----
      #
      #     Note that this format uses MD5 to derive the encryption key, and hence
      #     will not be available on FIPS-compliant systems.
      #
      #
      # **This method is kept for compatibility.** This should only be used when the
      # PKCS #1 RSAPrivateKey format is required.
      #
      # Consider using #public_to_pem (X.509 SubjectPublicKeyInfo) or #private_to_pem
      # (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
      #
      alias to_s export

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_rsa.c
      #   - rsa.to_text => String
      # -->
      # THIS METHOD IS INSECURE, PRIVATE INFORMATION CAN LEAK OUT!!!
      #
      # Dumps all parameters of a keypair to a String
      #
      # Don't use :-)) (It's up to you)
      #
      def to_text: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_rsa.c
      #   - rsa.verify_pss(digest, signature, data, salt_length:, mgf1_hash:) -> true | false
      # -->
      # Verifies *data* using the Probabilistic Signature Scheme (RSA-PSS).
      #
      # The return value is `true` if the signature is valid, `false` otherwise.
      # RSAError will be raised if an error occurs.
      #
      # See #sign_pss for the signing operation and an example code.
      #
      # ### Parameters
      # *digest*
      # :   A String containing the message digest algorithm name.
      # *data*
      # :   A String. The data to be signed.
      # *salt_length*
      # :   The length in octets of the salt. Two special values are reserved:
      #     `:digest` means the digest length, and `:auto` means automatically
      #     determining the length based on the signature.
      # *mgf1_hash*
      # :   The hash algorithm used in MGF1.
      #
      def verify_pss: (String digest, String signature, String data, salt_length: :auto | :digest | Integer, mgf1_hash: String) -> bool

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_rsa.c
      #   - RSA.new -> rsa
      #   - RSA.new(encoded_key [, password ]) -> rsa
      #   - RSA.new(encoded_key) { password } -> rsa
      #   - RSA.new(size [, exponent]) -> rsa
      # -->
      # Generates or loads an RSA keypair.
      #
      # If called without arguments, creates a new instance with no key components
      # set. They can be set individually by #set_key, #set_factors, and
      # #set_crt_params.
      #
      # If called with a String, tries to parse as DER or PEM encoding of an RSA key.
      # Note that if *password* is not specified, but the key is encrypted with a
      # password, OpenSSL will prompt for it. See also OpenSSL::PKey.read which can
      # parse keys of any kind.
      #
      # If called with a number, generates a new key pair. This form works as an alias
      # of RSA.generate.
      #
      # Examples:
      #     OpenSSL::PKey::RSA.new 2048
      #     OpenSSL::PKey::RSA.new File.read 'rsa.pem'
      #     OpenSSL::PKey::RSA.new File.read('rsa.pem'), 'my password'
      #
      def initialize: () -> void
                    | (Integer key_size) -> void
                    | (String encoded_key, ?String pass_phrase) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_pkey_rsa.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void

      NO_PADDING: Integer

      PKCS1_OAEP_PADDING: Integer

      PKCS1_PADDING: Integer

      SSLV23_PADDING: Integer
    end

    # <!-- rdoc-file=ext/openssl/ossl_pkey_rsa.c -->
    # Generic exception that is raised if an operation on an RSA PKey fails
    # unexpectedly or in case an instantiation of an instance of RSA fails due to
    # non-conformant input data.
    #
    class RSAError < OpenSSL::PKey::PKeyError
    end
  end

  module Random
    # <!--
    #   rdoc-file=ext/openssl/ossl_rand.c
    #   - load_random_file(filename) -> true
    # -->
    # Reads bytes from *filename* and adds them to the PRNG.
    #
    def self.load_random_file: (String filename) -> true

    # <!--
    #   rdoc-file=ext/openssl/ossl_rand.c
    #   - add(str, entropy) -> self
    # -->
    # Mixes the bytes from *str* into the Pseudo Random Number Generator(PRNG)
    # state.
    #
    # Thus, if the data from *str* are unpredictable to an adversary, this increases
    # the uncertainty about the state and makes the PRNG output less predictable.
    #
    # The *entropy* argument is (the lower bound of) an estimate of how much
    # randomness is contained in *str*, measured in bytes.
    #
    # ### Example
    #
    #     pid = $$
    #     now = Time.now
    #     ary = [now.to_i, now.nsec, 1000, pid]
    #     OpenSSL::Random.add(ary.join, 0.0)
    #     OpenSSL::Random.seed(ary.join)
    #
    def self.random_add: (String str, Numeric entropy) -> self

    # <!--
    #   rdoc-file=ext/openssl/ossl_rand.c
    #   - random_bytes(length) -> string
    # -->
    # Generates a String with *length* number of cryptographically strong
    # pseudo-random bytes.
    #
    # ### Example
    #
    #     OpenSSL::Random.random_bytes(12)
    #     #=> "..."
    #
    def self.random_bytes: (Integer length) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_rand.c
    #   - seed(str) -> str
    # -->
    # ::seed is equivalent to ::add where *entropy* is length of *str*.
    #
    def self.seed: (String seed) -> String

    # <!--
    #   rdoc-file=ext/openssl/ossl_rand.c
    #   - status? => true | false
    # -->
    # Return `true` if the PRNG has been seeded with enough data, `false` otherwise.
    #
    def self.status?: () -> bool

    # <!--
    #   rdoc-file=ext/openssl/ossl_rand.c
    #   - write_random_file(filename) -> true
    # -->
    # Writes a number of random generated bytes (currently 1024) to *filename* which
    # can be used to initialize the PRNG by calling ::load_random_file in a later
    # session.
    #
    def self.write_random_file: (String filename) -> true

    class RandomError < OpenSSL::OpenSSLError
    end
  end

  # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
  # Use SSLContext to set up the parameters for a TLS (former SSL) connection.
  # Both client and server TLS connections are supported, SSLSocket and SSLServer
  # may be used in conjunction with an instance of SSLContext to set up
  # connections.
  #
  module SSL
    # <!--
    #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
    #   - verify_certificate_identity(cert, hostname)
    # -->
    #
    def self.verify_certificate_identity: (X509::Certificate cert, String hostname) -> bool

    def self.verify_hostname: (String hostname, String san) -> bool

    def self.verify_wildcard: (String domain_component, String san_component) -> bool

    OP_ALL: Integer

    OP_ALLOW_NO_DHE_KEX: Integer

    OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION: Integer

    OP_CIPHER_SERVER_PREFERENCE: Integer

    OP_CRYPTOPRO_TLSEXT_BUG: Integer

    OP_DONT_INSERT_EMPTY_FRAGMENTS: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.0.1k and 1.0.2.
    #
    OP_EPHEMERAL_RSA: Integer

    OP_LEGACY_SERVER_CONNECT: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.1.0.
    #
    OP_MICROSOFT_BIG_SSLV3_BUFFER: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.1.0.
    #
    OP_MICROSOFT_SESS_ID_BUG: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 0.9.7h and 0.9.8b.
    #
    OP_MSIE_SSLV2_RSA_PADDING: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.1.0.
    #
    OP_NETSCAPE_CA_DN_BUG: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.1.0.
    #
    OP_NETSCAPE_CHALLENGE_BUG: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.1.0.
    #
    OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 0.9.8q and 1.0.0c.
    #
    OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG: Integer

    OP_NO_COMPRESSION: Integer

    OP_NO_ENCRYPT_THEN_MAC: Integer

    OP_NO_RENEGOTIATION: Integer

    OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.1.0.
    #
    OP_NO_SSLv2: Integer

    OP_NO_SSLv3: Integer

    OP_NO_TICKET: Integer

    OP_NO_TLSv1: Integer

    OP_NO_TLSv1_1: Integer

    OP_NO_TLSv1_2: Integer

    OP_NO_TLSv1_3: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.0.1.
    #
    OP_PKCS1_CHECK_1: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.0.1.
    #
    OP_PKCS1_CHECK_2: Integer

    OP_SAFARI_ECDHE_ECDSA_BUG: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.1.0.
    #
    OP_SINGLE_DH_USE: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.1.0.
    #
    OP_SINGLE_ECDH_USE: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.1.0.
    #
    OP_SSLEAY_080_CLIENT_DH_BUG: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.0.1h and 1.0.2.
    #
    OP_SSLREF2_REUSE_CERT_TYPE_BUG: Integer

    OP_TLSEXT_PADDING: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.1.0.
    #
    OP_TLS_BLOCK_PADDING_BUG: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Deprecated in OpenSSL 1.1.0.
    #
    OP_TLS_D5_BUG: Integer

    OP_TLS_ROLLBACK_BUG: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # SSL 2.0
    #
    SSL2_VERSION: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # SSL 3.0
    #
    SSL3_VERSION: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # TLS 1.1
    #
    TLS1_1_VERSION: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # TLS 1.2
    #
    TLS1_2_VERSION: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # TLS 1.3
    #
    TLS1_3_VERSION: Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # TLS 1.0
    #
    TLS1_VERSION: Integer

    VERIFY_CLIENT_ONCE: Integer

    VERIFY_FAIL_IF_NO_PEER_CERT: Integer

    VERIFY_NONE: Integer

    VERIFY_PEER: Integer

    type tls_version = Symbol | Integer

    type verify_mode = Integer

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # An SSLContext is used to set various options regarding certificates,
    # algorithms, verification, session caching, etc.  The SSLContext is used to
    # create an SSLSocket.
    #
    # All attributes must be set before creating an SSLSocket as the SSLContext will
    # be frozen afterward.
    #
    class SSLContext
      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.add_certificate(certificate, pkey [, extra_certs]) -> self
      # -->
      # Adds a certificate to the context. *pkey* must be a corresponding private key
      # with *certificate*.
      #
      # Multiple certificates with different public key type can be added by repeated
      # calls of this method, and OpenSSL will choose the most appropriate certificate
      # during the handshake.
      #
      # #cert=, #key=, and #extra_chain_cert= are old accessor methods for setting
      # certificate and internally call this method.
      #
      # ### Parameters
      # *certificate*
      # :   A certificate. An instance of OpenSSL::X509::Certificate.
      # *pkey*
      # :   The private key for *certificate*. An instance of OpenSSL::PKey::PKey.
      # *extra_certs*
      # :   Optional. An array of OpenSSL::X509::Certificate. When sending a
      #     certificate chain, the certificates specified by this are sent following
      #     *certificate*, in the order in the array.
      #
      #
      # ### Example
      #     rsa_cert = OpenSSL::X509::Certificate.new(...)
      #     rsa_pkey = OpenSSL::PKey.read(...)
      #     ca_intermediate_cert = OpenSSL::X509::Certificate.new(...)
      #     ctx.add_certificate(rsa_cert, rsa_pkey, [ca_intermediate_cert])
      #
      #     ecdsa_cert = ...
      #     ecdsa_pkey = ...
      #     another_ca_cert = ...
      #     ctx.add_certificate(ecdsa_cert, ecdsa_pkey, [another_ca_cert])
      #
      def add_certificate: (X509::Certificate certificate, PKey::PKey pkey, ?Array[X509::Certificate] extra_certs) -> self

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # An Enumerable of Strings. Each String represents a protocol to be advertised
      # as the list of supported protocols for Application-Layer Protocol Negotiation.
      # Supported in OpenSSL 1.0.2 and higher. Has no effect on the server side. If
      # not set explicitly, the ALPN extension will not be included in the handshake.
      #
      # ### Example
      #
      #     ctx.alpn_protocols = ["http/1.1", "spdy/2", "h2"]
      #
      def alpn_protocols: () -> Array[String]?

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # An Enumerable of Strings. Each String represents a protocol to be advertised
      # as the list of supported protocols for Application-Layer Protocol Negotiation.
      # Supported in OpenSSL 1.0.2 and higher. Has no effect on the server side. If
      # not set explicitly, the ALPN extension will not be included in the handshake.
      #
      # ### Example
      #
      #     ctx.alpn_protocols = ["http/1.1", "spdy/2", "h2"]
      #
      def alpn_protocols=: (Array[String]) -> Array[String]

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked on the server side when the server needs to select a
      # protocol from the list sent by the client. Supported in OpenSSL 1.0.2 and
      # higher. The callback must return a protocol of those advertised by the client.
      # If none is acceptable, raising an error in the callback will cause the
      # handshake to fail. Not setting this callback explicitly means not supporting
      # the ALPN extension on the server - any protocols advertised by the client will
      # be ignored.
      #
      # ### Example
      #
      #     ctx.alpn_select_cb = lambda do |protocols|
      #       # inspect the protocols and select one
      #       protocols.first
      #     end
      #
      def alpn_select_cb: () -> (^(Array[String]) -> String? | nil)

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked on the server side when the server needs to select a
      # protocol from the list sent by the client. Supported in OpenSSL 1.0.2 and
      # higher. The callback must return a protocol of those advertised by the client.
      # If none is acceptable, raising an error in the callback will cause the
      # handshake to fail. Not setting this callback explicitly means not supporting
      # the ALPN extension on the server - any protocols advertised by the client will
      # be ignored.
      #
      # ### Example
      #
      #     ctx.alpn_select_cb = lambda do |protocols|
      #       # inspect the protocols and select one
      #       protocols.first
      #     end
      #
      def alpn_select_cb=: (^(Array[String]) -> String? alpn_select_callback) -> void

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # The path to a file containing a PEM-format CA certificate
      #
      def ca_file: () -> String

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # The path to a file containing a PEM-format CA certificate
      #
      def ca_file=: (String ca_file) -> String

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # The path to a directory containing CA certificates in PEM format.
      #
      # Files are looked up by subject's X509 name's hash value.
      #
      def ca_path: () -> String?

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # The path to a directory containing CA certificates in PEM format.
      #
      # Files are looked up by subject's X509 name's hash value.
      #
      def ca_path=: (String ca_path) -> String

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Context certificate
      #
      # The *cert*, *key*, and *extra_chain_cert* attributes are deprecated. It is
      # recommended to use #add_certificate instead.
      #
      def cert: () -> X509::Certificate?

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Context certificate
      #
      # The *cert*, *key*, and *extra_chain_cert* attributes are deprecated. It is
      # recommended to use #add_certificate instead.
      #
      def cert=: (X509::Certificate cert) -> X509::Certificate

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # An OpenSSL::X509::Store used for certificate verification.
      #
      def cert_store: () -> X509::Store?

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # An OpenSSL::X509::Store used for certificate verification.
      #
      def cert_store=: (X509::Store store) -> X509::Store

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.ciphers => [[name, version, bits, alg_bits], ...]
      # -->
      # The list of cipher suites configured for this context.
      #
      def ciphers: () -> Array[[ String, String, Integer, Integer ]]

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.ciphers = "cipher1:cipher2:..."
      #   - ctx.ciphers = [name, ...]
      #   - ctx.ciphers = [[name, version, bits, alg_bits], ...]
      # -->
      # Sets the list of available cipher suites for this context.  Note in a server
      # context some ciphers require the appropriate certificates.  For example, an
      # RSA cipher suite can only be chosen when an RSA certificate is available.
      #
      def ciphers=: (Array[[ String, String, Integer, Integer ]] ciphers) -> void
                  | (Array[String] ciphers) -> void
                  | (String colon_sep_ciphers) -> void

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A certificate or Array of certificates that will be sent to the client.
      #
      def client_ca: () -> (Array[X509::Certificate] | X509::Certificate)

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A certificate or Array of certificates that will be sent to the client.
      #
      def client_ca=: (Array[X509::Certificate] | X509::Certificate client_ca) -> void

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked when a client certificate is requested by a server and no
      # certificate has been set.
      #
      # The callback is invoked with a Session and must return an Array containing an
      # OpenSSL::X509::Certificate and an OpenSSL::PKey.  If any other value is
      # returned the handshake is suspended.
      #
      def client_cert_cb: () -> (^(Session) -> [ X509::Certificate, PKey::PKey ]? | nil)

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked when a client certificate is requested by a server and no
      # certificate has been set.
      #
      # The callback is invoked with a Session and must return an Array containing an
      # OpenSSL::X509::Certificate and an OpenSSL::PKey.  If any other value is
      # returned the handshake is suspended.
      #
      def client_cert_cb=: (^(Session) -> [ X509::Certificate, PKey::PKey ]? client_cert_cb) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.ecdh_curves = curve_list -> curve_list
      # -->
      # Sets the list of "supported elliptic curves" for this context.
      #
      # For a TLS client, the list is directly used in the Supported Elliptic Curves
      # Extension. For a server, the list is used by OpenSSL to determine the set of
      # shared curves. OpenSSL will pick the most appropriate one from it.
      #
      # ### Example
      #     ctx1 = OpenSSL::SSL::SSLContext.new
      #     ctx1.ecdh_curves = "X25519:P-256:P-224"
      #     svr = OpenSSL::SSL::SSLServer.new(tcp_svr, ctx1)
      #     Thread.new { svr.accept }
      #
      #     ctx2 = OpenSSL::SSL::SSLContext.new
      #     ctx2.ecdh_curves = "P-256"
      #     cli = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx2)
      #     cli.connect
      #
      #     p cli.tmp_key.group.curve_name
      #     # => "prime256v1" (is an alias for NIST P-256)
      #
      def ecdh_curves=: (String ecdh_curves) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.enable_fallback_scsv() => nil
      # -->
      # Activate TLS_FALLBACK_SCSV for this context. See RFC 7507.
      #
      def enable_fallback_scsv: () -> nil

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # An Array of extra X509 certificates to be added to the certificate chain.
      #
      # The *cert*, *key*, and *extra_chain_cert* attributes are deprecated. It is
      # recommended to use #add_certificate instead.
      #
      def extra_chain_cert: () -> Array[X509::Certificate]?

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # An Array of extra X509 certificates to be added to the certificate chain.
      #
      # The *cert*, *key*, and *extra_chain_cert* attributes are deprecated. It is
      # recommended to use #add_certificate instead.
      #
      def extra_chain_cert=: (Array[X509::Certificate] extra_certs) -> Array[X509::Certificate]

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.flush_sessions(time) -> self
      # -->
      # Removes sessions in the internal cache that have expired at *time*.
      #
      def flush_sessions: (Time time) -> self

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # This method is called automatically when a new SSLSocket is created. However,
      # it is not thread-safe and must be called before creating SSLSocket objects in
      # a multi-threaded program.
      #
      alias freeze setup

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Context private key
      #
      # The *cert*, *key*, and *extra_chain_cert* attributes are deprecated. It is
      # recommended to use #add_certificate instead.
      #
      def key: () -> PKey::PKey?

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Context private key
      #
      # The *cert*, *key*, and *extra_chain_cert* attributes are deprecated. It is
      # recommended to use #add_certificate instead.
      #
      def key=: (PKey::PKey) -> PKey::PKey

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
      #   - ctx.max_version = :TLS1_2
      #   - ctx.max_version = nil
      # -->
      # Sets the upper bound of the supported SSL/TLS protocol version. See
      # #min_version= for the possible values.
      #
      def max_version=: (tls_version version) -> tls_version

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
      #   - ctx.min_version = :TLS1_2
      #   - ctx.min_version = nil
      # -->
      # Sets the lower bound on the supported SSL/TLS protocol version. The version
      # may be specified by an integer constant named OpenSSL::SSL::*_VERSION, a
      # Symbol, or `nil` which means "any version".
      #
      # Be careful that you don't overwrite OpenSSL::SSL::OP_NO_{SSL,TLS}v* options by
      # #options= once you have called #min_version= or #max_version=.
      #
      # ### Example
      #     ctx = OpenSSL::SSL::SSLContext.new
      #     ctx.min_version = OpenSSL::SSL::TLS1_1_VERSION
      #     ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
      #
      #     sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
      #     sock.connect # Initiates a connection using either TLS 1.1 or TLS 1.2
      #
      def min_version=: (tls_version version) -> tls_version

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # An Enumerable of Strings. Each String represents a protocol to be advertised
      # as the list of supported protocols for Next Protocol Negotiation. Supported in
      # OpenSSL 1.0.1 and higher. Has no effect on the client side. If not set
      # explicitly, the NPN extension will not be sent by the server in the handshake.
      #
      # ### Example
      #
      #     ctx.npn_protocols = ["http/1.1", "spdy/2"]
      #
      def npn_protocols: () -> untyped

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # An Enumerable of Strings. Each String represents a protocol to be advertised
      # as the list of supported protocols for Next Protocol Negotiation. Supported in
      # OpenSSL 1.0.1 and higher. Has no effect on the client side. If not set
      # explicitly, the NPN extension will not be sent by the server in the handshake.
      #
      # ### Example
      #
      #     ctx.npn_protocols = ["http/1.1", "spdy/2"]
      #
      def npn_protocols=: (untyped) -> untyped

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked on the client side when the client needs to select a
      # protocol from the list sent by the server. Supported in OpenSSL 1.0.1 and
      # higher. The client MUST select a protocol of those advertised by the server.
      # If none is acceptable, raising an error in the callback will cause the
      # handshake to fail. Not setting this callback explicitly means not supporting
      # the NPN extension on the client - any protocols advertised by the server will
      # be ignored.
      #
      # ### Example
      #
      #     ctx.npn_select_cb = lambda do |protocols|
      #       # inspect the protocols and select one
      #       protocols.first
      #     end
      #
      def npn_select_cb: () -> untyped

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked on the client side when the client needs to select a
      # protocol from the list sent by the server. Supported in OpenSSL 1.0.1 and
      # higher. The client MUST select a protocol of those advertised by the server.
      # If none is acceptable, raising an error in the callback will cause the
      # handshake to fail. Not setting this callback explicitly means not supporting
      # the NPN extension on the client - any protocols advertised by the server will
      # be ignored.
      #
      # ### Example
      #
      #     ctx.npn_select_cb = lambda do |protocols|
      #       # inspect the protocols and select one
      #       protocols.first
      #     end
      #
      def npn_select_cb=: (untyped) -> untyped

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - options()
      # -->
      # Gets various OpenSSL options.
      #
      def options: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - options=(p1)
      # -->
      # Sets various OpenSSL options.
      #
      def options=: (Integer ssl_options) -> Integer

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked whenever a new handshake is initiated on an established
      # connection. May be used to disable renegotiation entirely.
      #
      # The callback is invoked with the active SSLSocket. The callback's return value
      # is ignored. A normal return indicates "approval" of the renegotiation and will
      # continue the process. To forbid renegotiation and to cancel the process, raise
      # an exception within the callback.
      #
      # ### Disable client renegotiation
      #
      # When running a server, it is often desirable to disable client renegotiation
      # entirely. You may use a callback as follows to implement this feature:
      #
      #     ctx.renegotiation_cb = lambda do |ssl|
      #       raise RuntimeError, "Client renegotiation disabled"
      #     end
      #
      def renegotiation_cb: () -> (^(SSLSocket) -> void | nil)

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked whenever a new handshake is initiated on an established
      # connection. May be used to disable renegotiation entirely.
      #
      # The callback is invoked with the active SSLSocket. The callback's return value
      # is ignored. A normal return indicates "approval" of the renegotiation and will
      # continue the process. To forbid renegotiation and to cancel the process, raise
      # an exception within the callback.
      #
      # ### Disable client renegotiation
      #
      # When running a server, it is often desirable to disable client renegotiation
      # entirely. You may use a callback as follows to implement this feature:
      #
      #     ctx.renegotiation_cb = lambda do |ssl|
      #       raise RuntimeError, "Client renegotiation disabled"
      #     end
      #
      def renegotiation_cb=: (^(SSLSocket) -> void) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.security_level -> Integer
      # -->
      # Returns the security level for the context.
      #
      # See also OpenSSL::SSL::SSLContext#security_level=.
      #
      def security_level: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.security_level = integer
      # -->
      # Sets the security level for the context. OpenSSL limits parameters according
      # to the level. The "parameters" include: ciphersuites, curves, key sizes,
      # certificate signature algorithms, protocol version and so on. For example,
      # level 1 rejects parameters offering below 80 bits of security, such as
      # ciphersuites using MD5 for the MAC or RSA keys shorter than 1024 bits.
      #
      # Note that attempts to set such parameters with insufficient security are also
      # blocked. You need to lower the level first.
      #
      # This feature is not supported in OpenSSL < 1.1.0, and setting the level to
      # other than 0 will raise NotImplementedError. Level 0 means everything is
      # permitted, the same behavior as previous versions of OpenSSL.
      #
      # See the manpage of SSL_CTX_set_security_level(3) for details.
      #
      def security_level=: (Integer sec_level) -> Integer

      # <!-- rdoc-file=ext/openssl/lib/openssl/ssl.rb -->
      # A callback invoked at connect time to distinguish between multiple server
      # names.
      #
      # The callback is invoked with an SSLSocket and a server name.  The callback
      # must return an SSLContext for the server name or nil.
      #
      def servername_cb: () -> (^(SSLSocket, String) -> SSLContext? | nil)

      # <!-- rdoc-file=ext/openssl/lib/openssl/ssl.rb -->
      # A callback invoked at connect time to distinguish between multiple server
      # names.
      #
      # The callback is invoked with an SSLSocket and a server name.  The callback
      # must return an SSLContext for the server name or nil.
      #
      def servername_cb=: (^(SSLSocket, String) -> SSLContext?) -> ^(SSLSocket, String) -> SSLContext?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.session_add(session) -> true | false
      # -->
      # Adds *session* to the session cache.
      #
      def session_add: (Session) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.session_cache_mode -> Integer
      # -->
      # The current session cache mode.
      #
      def session_cache_mode: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.session_cache_mode=(integer) -> Integer
      # -->
      # Sets the SSL session cache mode.  Bitwise-or together the desired
      # SESSION_CACHE_* constants to set.  See SSL_CTX_set_session_cache_mode(3) for
      # details.
      #
      def session_cache_mode=: (Integer) -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.session_cache_size -> Integer
      # -->
      # Returns the current session cache size.  Zero is used to represent an
      # unlimited cache size.
      #
      def session_cache_size: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.session_cache_size=(integer) -> Integer
      # -->
      # Sets the session cache size.  Returns the previously valid session cache size.
      #  Zero is used to represent an unlimited session cache size.
      #
      def session_cache_size=: (Integer) -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.session_cache_stats -> Hash
      # -->
      # Returns a Hash containing the following keys:
      #
      # :accept
      # :   Number of started SSL/TLS handshakes in server mode
      # :accept_good
      # :   Number of established SSL/TLS sessions in server mode
      # :accept_renegotiate
      # :   Number of start renegotiations in server mode
      # :cache_full
      # :   Number of sessions that were removed due to cache overflow
      # :cache_hits
      # :   Number of successfully reused connections
      # :cache_misses
      # :   Number of sessions proposed by clients that were not found in the cache
      # :cache_num
      # :   Number of sessions in the internal session cache
      # :cb_hits
      # :   Number of sessions retrieved from the external cache in server mode
      # :connect
      # :   Number of started SSL/TLS handshakes in client mode
      # :connect_good
      # :   Number of established SSL/TLS sessions in client mode
      # :connect_renegotiate
      # :   Number of start renegotiations in client mode
      # :timeouts
      # :   Number of sessions proposed by clients that were found in the cache but
      #     had expired due to timeouts
      #
      def session_cache_stats: () -> Hash[Symbol, Integer]

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked on a server when a session is proposed by the client but
      # the session could not be found in the server's internal cache.
      #
      # The callback is invoked with the SSLSocket and session id.  The callback may
      # return a Session from an external cache.
      #
      def session_get_cb: () -> (^(SSLSocket, Integer) -> Session? | nil)

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked on a server when a session is proposed by the client but
      # the session could not be found in the server's internal cache.
      #
      # The callback is invoked with the SSLSocket and session id.  The callback may
      # return a Session from an external cache.
      #
      def session_get_cb=: (^(SSLSocket, Integer) -> Session?) -> void

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Sets the context in which a session can be reused.  This allows sessions for
      # multiple applications to be distinguished, for example, by name.
      #
      def session_id_context: () -> Integer?

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Sets the context in which a session can be reused.  This allows sessions for
      # multiple applications to be distinguished, for example, by name.
      #
      def session_id_context=: (Integer) -> Integer

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked when a new session was negotiated.
      #
      # The callback is invoked with an SSLSocket.  If `false` is returned the session
      # will be removed from the internal cache.
      #
      def session_new_cb: () -> (^(SSLSocket) -> untyped | nil)

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked when a new session was negotiated.
      #
      # The callback is invoked with an SSLSocket.  If `false` is returned the session
      # will be removed from the internal cache.
      #
      def session_new_cb=: (^(SSLSocket) -> untyped) -> ^(SSLSocket) -> untyped

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.session_remove(session) -> true | false
      # -->
      # Removes *session* from the session cache.
      #
      def session_remove: (Session session) -> bool

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked when a session is removed from the internal cache.
      #
      # The callback is invoked with an SSLContext and a Session.
      #
      # IMPORTANT NOTE: It is currently not possible to use this safely in a
      # multi-threaded application. The callback is called inside a global lock and it
      # can randomly cause deadlock on Ruby thread switching.
      #
      def session_remove_cb: () -> (^(SSLContext, Session) -> void | nil)

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback invoked when a session is removed from the internal cache.
      #
      # The callback is invoked with an SSLContext and a Session.
      #
      # IMPORTANT NOTE: It is currently not possible to use this safely in a
      # multi-threaded application. The callback is called inside a global lock and it
      # can randomly cause deadlock on Ruby thread switching.
      #
      def session_remove_cb=: (^(SSLContext, Session) -> void) -> void

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - ctx.set_params(params = {}) -> params
      # -->
      # Sets saner defaults optimized for the use with HTTP-like protocols.
      #
      # If a Hash *params* is given, the parameters are overridden with it. The keys
      # in *params* must be assignment methods on SSLContext.
      #
      # If the verify_mode is not VERIFY_NONE and ca_file, ca_path and cert_store are
      # not set then the system default certificate store is used.
      #
      def set_params: (?untyped params) -> untyped

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.setup => Qtrue # first time
      #   - ctx.setup => nil # thereafter
      # -->
      # This method is called automatically when a new SSLSocket is created. However,
      # it is not thread-safe and must be called before creating SSLSocket objects in
      # a multi-threaded program.
      #
      def setup: () -> untyped

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Maximum session lifetime in seconds.
      #
      alias ssl_timeout timeout

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Maximum session lifetime in seconds.
      #
      alias ssl_timeout= timeout=

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - ctx.ssl_version = :TLSv1
      #   - ctx.ssl_version = "SSLv23"
      # -->
      # Sets the SSL/TLS protocol version for the context. This forces connections to
      # use only the specified protocol version. This is deprecated and only provided
      # for backwards compatibility. Use #min_version= and #max_version= instead.
      #
      # ### History
      # As the name hints, this used to call the SSL_CTX_set_ssl_version() function
      # which sets the SSL method used for connections created from the context. As of
      # Ruby/OpenSSL 2.1, this accessor method is implemented to call #min_version=
      # and #max_version= instead.
      #
      def ssl_version=: (tls_version meth) -> tls_version

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Maximum session lifetime in seconds.
      #
      def timeout: () -> Integer?

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Maximum session lifetime in seconds.
      #
      def timeout=: (Integer) -> Integer

      # <!-- rdoc-file=ext/openssl/lib/openssl/ssl.rb -->
      # A callback invoked when DH parameters are required for ephemeral DH key
      # exchange.
      #
      # The callback is invoked with the SSLSocket, a flag indicating the use of an
      # export cipher and the keylength required.
      #
      # The callback must return an OpenSSL::PKey::DH instance of the correct key
      # length.
      #
      # **Deprecated in version 3.0.** Use #tmp_dh= instead.
      #
      def tmp_dh_callback: () -> (^(Session, Integer, Integer) -> PKey::DH | nil)

      # <!-- rdoc-file=ext/openssl/lib/openssl/ssl.rb -->
      # A callback invoked when DH parameters are required for ephemeral DH key
      # exchange.
      #
      # The callback is invoked with the SSLSocket, a flag indicating the use of an
      # export cipher and the keylength required.
      #
      # The callback must return an OpenSSL::PKey::DH instance of the correct key
      # length.
      #
      # **Deprecated in version 3.0.** Use #tmp_dh= instead.
      #
      def tmp_dh_callback=: (^(Session, Integer, Integer) -> PKey::DH) -> void

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback for additional certificate verification.  The callback is invoked
      # for each certificate in the chain.
      #
      # The callback is invoked with two values.  *preverify_ok* indicates indicates
      # if the verification was passed (`true`) or not (`false`). *store_context* is
      # an OpenSSL::X509::StoreContext containing the context used for certificate
      # verification.
      #
      # If the callback returns `false`, the chain verification is immediately stopped
      # and a bad_certificate alert is then sent.
      #
      def verify_callback: () -> (^(bool, X509::StoreContext) -> untyped | nil)

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # A callback for additional certificate verification.  The callback is invoked
      # for each certificate in the chain.
      #
      # The callback is invoked with two values.  *preverify_ok* indicates indicates
      # if the verification was passed (`true`) or not (`false`). *store_context* is
      # an OpenSSL::X509::StoreContext containing the context used for certificate
      # verification.
      #
      # If the callback returns `false`, the chain verification is immediately stopped
      # and a bad_certificate alert is then sent.
      #
      def verify_callback=: (^(bool, X509::StoreContext) -> untyped) -> void

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Number of CA certificates to walk when verifying a certificate chain.
      #
      def verify_depth: () -> Integer?

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Number of CA certificates to walk when verifying a certificate chain.
      #
      def verify_depth=: (Integer) -> Integer

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Whether to check the server certificate is valid for the hostname.
      #
      # In order to make this work, verify_mode must be set to VERIFY_PEER and the
      # server hostname must be given by OpenSSL::SSL::SSLSocket#hostname=.
      #
      def verify_hostname: () -> bool?

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Whether to check the server certificate is valid for the hostname.
      #
      # In order to make this work, verify_mode must be set to VERIFY_PEER and the
      # server hostname must be given by OpenSSL::SSL::SSLSocket#hostname=.
      #
      def verify_hostname=: [U] (boolish) -> U

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Session verification mode.
      #
      # Valid modes are VERIFY_NONE, VERIFY_PEER, VERIFY_CLIENT_ONCE,
      # VERIFY_FAIL_IF_NO_PEER_CERT and defined on OpenSSL::SSL
      #
      # The default mode is VERIFY_NONE, which does not perform any verification at
      # all.
      #
      # See SSL_CTX_set_verify(3) for details.
      #
      def verify_mode: () -> verify_mode?

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Session verification mode.
      #
      # Valid modes are VERIFY_NONE, VERIFY_PEER, VERIFY_CLIENT_ONCE,
      # VERIFY_FAIL_IF_NO_PEER_CERT and defined on OpenSSL::SSL
      #
      # The default mode is VERIFY_NONE, which does not perform any verification at
      # all.
      #
      # See SSL_CTX_set_verify(3) for details.
      #
      def verify_mode=: (verify_mode) -> verify_mode

      private

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - SSLContext.new           -> ctx
      #   - SSLContext.new(:TLSv1)   -> ctx
      #   - SSLContext.new("SSLv23") -> ctx
      # -->
      # Creates a new SSL context.
      #
      # If an argument is given, #ssl_version= is called with the value. Note that
      # this form is deprecated. New applications should use #min_version= and
      # #max_version= as necessary.
      #
      def initialize: (?tls_version version) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ctx.set_minmax_proto_version(min, max) -> nil
      # -->
      # Sets the minimum and maximum supported protocol versions. See #min_version=
      # and #max_version=.
      #
      def set_minmax_proto_version: (untyped, untyped) -> untyped

      DEFAULT_CERT_STORE: X509::Store

      DEFAULT_PARAMS: Hash[Symbol, untyped]

      DEFAULT_TMP_DH_CALLBACK: Proc

      # <!-- rdoc-file=ext/openssl/lib/openssl/ssl.rb -->
      # The list of available SSL/TLS methods. This constant is only provided for
      # backwards compatibility.
      #
      METHODS: Array[Symbol]

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Both client and server sessions are added to the session cache
      #
      SESSION_CACHE_BOTH: Integer

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Client sessions are added to the session cache
      #
      SESSION_CACHE_CLIENT: Integer

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Normally the session cache is checked for expired sessions every 255
      # connections.  Since this may lead to a delay that cannot be controlled, the
      # automatic flushing may be disabled and #flush_sessions can be called
      # explicitly.
      #
      SESSION_CACHE_NO_AUTO_CLEAR: Integer

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Enables both SESSION_CACHE_NO_INTERNAL_LOOKUP and
      # SESSION_CACHE_NO_INTERNAL_STORE.
      #
      SESSION_CACHE_NO_INTERNAL: Integer

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Always perform external lookups of sessions even if they are in the internal
      # cache.
      #
      # This flag has no effect on clients
      #
      SESSION_CACHE_NO_INTERNAL_LOOKUP: Integer

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Never automatically store sessions in the internal store.
      #
      SESSION_CACHE_NO_INTERNAL_STORE: Integer

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # No session caching for client or server
      #
      SESSION_CACHE_OFF: Integer

      # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
      # Server sessions are added to the session cache
      #
      SESSION_CACHE_SERVER: Integer
    end

    # <!-- rdoc-file=ext/openssl/ossl_ssl.c -->
    # Generic error class raised by SSLSocket and SSLContext.
    #
    class SSLError < OpenSSL::OpenSSLError
    end

    class SSLErrorWaitReadable < OpenSSL::SSL::SSLError
      include IO::WaitReadable
    end

    class SSLErrorWaitWritable < OpenSSL::SSL::SSLError
      include IO::WaitWritable
    end

    # <!-- rdoc-file=ext/openssl/lib/openssl/ssl.rb -->
    # SSLServer represents a TCP/IP server socket with Secure Sockets Layer.
    #
    class SSLServer
      include OpenSSL::SSL::SocketForwarder

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - accept()
      # -->
      # Works similar to TCPServer#accept.
      #
      def accept: () -> SSLSocket

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - close()
      # -->
      # See IO#close for details.
      #
      def close: () -> nil

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - listen(backlog=Socket::SOMAXCONN)
      # -->
      # See TCPServer#listen for details.
      #
      def listen: (Integer backlog) -> void

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - shutdown(how=Socket::SHUT_RDWR)
      # -->
      # See BasicSocket#shutdown for details.
      #
      def shutdown: (interned | Integer how) -> void

      # <!-- rdoc-file=ext/openssl/lib/openssl/ssl.rb -->
      # When true then #accept works exactly the same as TCPServer#accept
      #
      def start_immediately: () -> bool

      # <!-- rdoc-file=ext/openssl/lib/openssl/ssl.rb -->
      # When true then #accept works exactly the same as TCPServer#accept
      #
      def start_immediately=: [U] (boolish) -> U

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - to_io()
      # -->
      # Returns the TCPServer passed to the SSLServer when initialized.
      #
      def to_io: () -> (TCPServer | UNIXServer)

      private

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - new(svr, ctx)
      # -->
      # Creates a new instance of SSLServer.
      # *   *srv* is an instance of TCPServer.
      # *   *ctx* is an instance of OpenSSL::SSL::SSLContext.
      #
      def initialize: (TCPServer | UNIXServer svr, untyped ctx) -> void
    end

    class SSLSocket
      include OpenSSL::SSL::SocketForwarder

      include OpenSSL::Buffering

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - open(remote_host, remote_port, local_host=nil, local_port=nil, context: nil)
      # -->
      # Creates a new instance of SSLSocket. *remote*host_ and *remote*port_ are used
      # to open TCPSocket. If *local*host_ and *local*port_ are specified, then those
      # parameters are used on the local end to establish the connection. If *context*
      # is provided, the SSL Sockets initial params will be taken from the context.
      #
      # ### Examples
      #
      #     sock = OpenSSL::SSL::SSLSocket.open('localhost', 443)
      #     sock.connect # Initiates a connection to localhost:443
      #
      # with SSLContext:
      #
      #     ctx = OpenSSL::SSL::SSLContext.new
      #     sock = OpenSSL::SSL::SSLSocket.open('localhost', 443, context: ctx)
      #     sock.connect # Initiates a connection to localhost:443 with SSLContext
      #
      def self.open: (untyped remote_host, untyped remote_port, ?untyped local_host, ?untyped local_port, ?context: untyped) -> untyped

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.accept => self
      # -->
      # Waits for a SSL/TLS client to initiate a handshake.
      #
      def accept: () -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.accept_nonblock([options]) => self
      # -->
      # Initiates the SSL/TLS handshake as a server in non-blocking manner.
      #
      #     # emulates blocking accept
      #     begin
      #       ssl.accept_nonblock
      #     rescue IO::WaitReadable
      #       IO.select([s2])
      #       retry
      #     rescue IO::WaitWritable
      #       IO.select(nil, [s2])
      #       retry
      #     end
      #
      # By specifying a keyword argument *exception* to `false`, you can indicate that
      # accept_nonblock should not raise an IO::WaitReadable or IO::WaitWritable
      # exception, but return the symbol `:wait_readable` or `:wait_writable` instead.
      #
      def accept_nonblock: (?exception: true) -> self
                         | (exception: false) -> (self | :wait_readable | :wait_writable)

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.alpn_protocol => String | nil
      # -->
      # Returns the ALPN protocol string that was finally selected by the server
      # during the handshake.
      #
      def alpn_protocol: () -> String?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.cert => cert or nil
      # -->
      # The X509 certificate for this socket endpoint.
      #
      def cert: () -> X509::Certificate?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.cipher -> nil or [name, version, bits, alg_bits]
      # -->
      # Returns the cipher suite actually used in the current session, or nil if no
      # session has been established.
      #
      def cipher: () -> [ String, String, Integer, Integer ]?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.client_ca => [x509name, ...]
      # -->
      # Returns the list of client CAs. Please note that in contrast to
      # SSLContext#client_ca= no array of X509::Certificate is returned but X509::Name
      # instances of the CA's subject distinguished name.
      #
      # In server mode, returns the list set by SSLContext#client_ca=. In client mode,
      # returns the list of client CAs sent from the server.
      #
      def client_ca: () -> (Array[X509::Name] | Array[X509::Certificate] | X509::Certificate)

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.connect => self
      # -->
      # Initiates an SSL/TLS handshake with a server.
      #
      def connect: () -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.connect_nonblock([options]) => self
      # -->
      # Initiates the SSL/TLS handshake as a client in non-blocking manner.
      #
      #     # emulates blocking connect
      #     begin
      #       ssl.connect_nonblock
      #     rescue IO::WaitReadable
      #       IO.select([s2])
      #       retry
      #     rescue IO::WaitWritable
      #       IO.select(nil, [s2])
      #       retry
      #     end
      #
      # By specifying a keyword argument *exception* to `false`, you can indicate that
      # connect_nonblock should not raise an IO::WaitReadable or IO::WaitWritable
      # exception, but return the symbol `:wait_readable` or `:wait_writable` instead.
      #
      def connect_nonblock: (?exception: true) -> self
                          | (exception: false) -> (self | :wait_readable | :wait_writable)

      # <!-- rdoc-file=ext/openssl/lib/openssl/ssl.rb -->
      # The SSLContext object used in this connection.
      #
      def context: () -> SSLContext

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.finished_message => "finished message"
      # -->
      # Returns the last **Finished** message sent
      #
      def finished_message: () -> String?

      def hostname: () -> String?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.hostname = hostname -> hostname
      # -->
      # Sets the server hostname used for SNI. This needs to be set before
      # SSLSocket#connect.
      #
      def hostname=: (String) -> String

      # <!-- rdoc-file=ext/openssl/lib/openssl/ssl.rb -->
      # The underlying IO object.
      #
      def io: () -> BasicSocket

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.npn_protocol => String | nil
      # -->
      # Returns the protocol string that was finally selected by the client during the
      # handshake.
      #
      def npn_protocol: () -> String?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.peer_cert => cert or nil
      # -->
      # The X509 certificate for this socket's peer.
      #
      def peer_cert: () -> X509::Certificate?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.peer_cert_chain => [cert, ...] or nil
      # -->
      # The X509 certificate chain for this socket's peer.
      #
      def peer_cert_chain: () -> Array[X509::Certificate]?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.peer_finished_message => "peer finished message"
      # -->
      # Returns the last **Finished** message received
      #
      def peer_finished_message: () -> String?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.pending => Integer
      # -->
      # The number of bytes that are immediately available for reading.
      #
      def pending: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - ssl.post_connection_check(hostname) -> true
      # -->
      # Perform hostname verification following RFC 6125.
      #
      # This method MUST be called after calling #connect to ensure that the hostname
      # of a remote peer has been verified.
      #
      def post_connection_check: (String hostname) -> true

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - ssl.session -> aSession
      # -->
      # Returns the SSLSession object currently used, or nil if the session is not
      # established.
      #
      def session: () -> Session?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.session = session -> session
      # -->
      # Sets the Session to be used when the connection is established.
      #
      def session=: (Session) -> Session

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.session_reused? -> true | false
      # -->
      # Returns `true` if a reused session was negotiated during the handshake.
      #
      def session_reused?: () -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.ssl_version => String
      # -->
      # Returns a String representing the SSL/TLS version that was negotiated for the
      # connection, for example "TLSv1.2".
      #
      def ssl_version: () -> tls_version

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.state => string
      # -->
      # A description of the current connection state. This is for diagnostic purposes
      # only.
      #
      def state: () -> String

      # <!-- rdoc-file=ext/openssl/lib/openssl/ssl.rb -->
      # Whether to close the underlying socket as well, when the SSL/TLS connection is
      # shut down. This defaults to `false`.
      #
      def sync_close: () -> bool

      # <!-- rdoc-file=ext/openssl/lib/openssl/ssl.rb -->
      # Whether to close the underlying socket as well, when the SSL/TLS connection is
      # shut down. This defaults to `false`.
      #
      def sync_close=: [U] (boolish) -> U

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - ssl.sysclose => nil
      # -->
      # Sends "close notify" to the peer and tries to shut down the SSL connection
      # gracefully.
      #
      # If sync_close is set to `true`, the underlying IO is also closed.
      #
      def sysclose: () -> nil

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.sysread(length) => string
      #   - ssl.sysread(length, buffer) => buffer
      # -->
      # Reads *length* bytes from the SSL connection.  If a pre-allocated *buffer* is
      # provided the data will be written into it.
      #
      def sysread: (Integer length, ?String buffer) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.syswrite(string) => Integer
      # -->
      # Writes *string* to the SSL connection.
      #
      def syswrite: (String data) -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.tmp_key => PKey or nil
      # -->
      # Returns the ephemeral key used in case of forward secrecy cipher.
      #
      def tmp_key: () -> PKey::PKey?

      # <!-- rdoc-file=ext/openssl/lib/openssl/ssl.rb -->
      # The underlying IO object.
      #
      alias to_io io

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.verify_result => Integer
      # -->
      # Returns the result of the peer certificates verification.  See verify(1) for
      # error values and descriptions.
      #
      # If no peer certificate was presented X509_V_OK is returned.
      #
      def verify_result: () -> Integer

      private

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - client_cert_cb()
      # -->
      #
      def client_cert_cb: () -> untyped

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - SSLSocket.new(io) => aSSLSocket
      #   - SSLSocket.new(io, ctx) => aSSLSocket
      # -->
      # Creates a new SSL socket from *io* which must be a real IO object (not an
      # IO-like object that responds to read/write).
      #
      # If *ctx* is provided the SSL Sockets initial params will be taken from the
      # context.
      #
      # The OpenSSL::Buffering module provides additional IO methods.
      #
      # This method will freeze the SSLContext if one is provided; however, session
      # management is still allowed in the frozen SSLContext.
      #
      def initialize: (*untyped) -> void

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - session_get_cb()
      # -->
      #
      def session_get_cb: () -> untyped

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - session_new_cb()
      # -->
      #
      def session_new_cb: () -> untyped

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.stop => nil
      # -->
      # Sends "close notify" to the peer and tries to shut down the SSL connection
      # gracefully.
      #
      def stop: () -> untyped

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.sysread_nonblock(length) => string
      #   - ssl.sysread_nonblock(length, buffer) => buffer
      #   - ssl.sysread_nonblock(length[, buffer [, opts]) => buffer
      # -->
      # A non-blocking version of #sysread.  Raises an SSLError if reading would
      # block.  If "exception: false" is passed, this method returns a symbol of
      # :wait_readable, :wait_writable, or nil, rather than raising an exception.
      #
      # Reads *length* bytes from the SSL connection.  If a pre-allocated *buffer* is
      # provided the data will be written into it.
      #
      def sysread_nonblock: (*untyped) -> untyped

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl.c
      #   - ssl.syswrite_nonblock(string) => Integer
      # -->
      # Writes *string* to the SSL connection in a non-blocking manner.  Raises an
      # SSLError if writing would block.
      #
      def syswrite_nonblock: (*untyped) -> untyped

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - tmp_dh_callback()
      # -->
      #
      def tmp_dh_callback: () -> untyped

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - tmp_ecdh_callback()
      # -->
      #
      def tmp_ecdh_callback: () -> untyped

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - using_anon_cipher?()
      # -->
      #
      def using_anon_cipher?: () -> untyped
    end

    class Session
      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl_session.c
      #   - session1 == session2 -> boolean
      # -->
      # Returns `true` if the two Session is the same, `false` if not.
      #
      def ==: (instance other) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl_session.c
      #   - session.id -> String
      # -->
      # Returns the Session ID.
      #
      def id: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl_session.c
      #   - session.time -> Time
      # -->
      # Returns the time at which the session was established.
      #
      def time: () -> Time

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl_session.c
      #   - session.time = time
      #   - session.time = integer
      # -->
      # Sets start time of the session. Time resolution is in seconds.
      #
      def time=: (Time | Integer start_time) -> Time

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl_session.c
      #   - session.timeout -> Integer
      # -->
      # Returns the timeout value set for the session, in seconds from the established
      # time.
      #
      def timeout: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl_session.c
      #   - session.timeout = integer
      # -->
      # Sets how long until the session expires in seconds.
      #
      def timeout=: (Integer timeout) -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl_session.c
      #   - session.to_der -> String
      # -->
      # Returns an ASN1 encoded String that contains the Session object.
      #
      def to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl_session.c
      #   - session.to_pem -> String
      # -->
      # Returns a PEM encoded String that contains the Session object.
      #
      def to_pem: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl_session.c
      #   - session.to_text -> String
      # -->
      # Shows everything in the Session object. This is for diagnostic purposes.
      #
      def to_text: () -> String

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl_session.c
      #   - Session.new(ssl_socket) -> Session
      #   - Session.new(string) -> Session
      # -->
      # Creates a new Session object from an instance of SSLSocket or DER/PEM encoded
      # String.
      #
      def initialize: (SSLSocket | String sock_or_str) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_ssl_session.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void

      class SessionError < OpenSSL::OpenSSLError
      end
    end

    module SocketForwarder
      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - addr()
      # -->
      #
      def addr: () -> Addrinfo?

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - closed?()
      # -->
      #
      def closed?: () -> untyped

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - do_not_reverse_lookup=(flag)
      # -->
      #
      def do_not_reverse_lookup=: (boolish flag) -> boolish

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - fcntl(*args)
      # -->
      #
      def fcntl: (*untyped args) -> untyped

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - fileno()
      # -->
      # The file descriptor for the socket.
      #
      def fileno: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - getsockopt(level, optname)
      # -->
      #
      def getsockopt: (Symbol | Integer level, Symbol | Integer optname) -> (Integer | boolish | String)

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - peeraddr()
      # -->
      #
      def peeraddr: () -> untyped

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/ssl.rb
      #   - setsockopt(level, optname, optval)
      # -->
      #
      def setsockopt: (untyped level, untyped optname, untyped optval) -> untyped
    end
  end

  # <!-- rdoc-file=ext/openssl/ossl_ts.c -->
  # Provides classes and methods to request, create and validate
  # [RFC3161-compliant](http://www.ietf.org/rfc/rfc3161.txt) timestamps. Request
  # may be used to either create requests from scratch or to parse existing
  # requests that again can be used to request timestamps from a timestamp server,
  # e.g. via the net/http. The resulting timestamp response may be parsed using
  # Response.
  #
  # Please note that Response is read-only and immutable. To create a Response, an
  # instance of Factory as well as a valid Request are needed.
  #
  # ### Create a Response:
  #     #Assumes ts.p12 is a PKCS#12-compatible file with a private key
  #     #and a certificate that has an extended key usage of 'timeStamping'
  #     p12 = OpenSSL::PKCS12.new(File.binread('ts.p12'), 'pwd')
  #     md = OpenSSL::Digest.new('SHA1')
  #     hash = md.digest(data) #some binary data to be timestamped
  #     req = OpenSSL::Timestamp::Request.new
  #     req.algorithm = 'SHA1'
  #     req.message_imprint = hash
  #     req.policy_id = "1.2.3.4.5"
  #     req.nonce = 42
  #     fac = OpenSSL::Timestamp::Factory.new
  #     fac.gen_time = Time.now
  #     fac.serial_number = 1
  #     timestamp = fac.create_timestamp(p12.key, p12.certificate, req)
  #
  # ### Verify a timestamp response:
  #     #Assume we have a timestamp token in a file called ts.der
  #     ts = OpenSSL::Timestamp::Response.new(File.binread('ts.der'))
  #     #Assume we have the Request for this token in a file called req.der
  #     req = OpenSSL::Timestamp::Request.new(File.binread('req.der'))
  #     # Assume the associated root CA certificate is contained in a
  #     # DER-encoded file named root.cer
  #     root = OpenSSL::X509::Certificate.new(File.binread('root.cer'))
  #     # get the necessary intermediate certificates, available in
  #     # DER-encoded form in inter1.cer and inter2.cer
  #     inter1 = OpenSSL::X509::Certificate.new(File.binread('inter1.cer'))
  #     inter2 = OpenSSL::X509::Certificate.new(File.binread('inter2.cer'))
  #     ts.verify(req, root, inter1, inter2) -> ts or raises an exception if validation fails
  #
  module Timestamp
    # <!-- rdoc-file=ext/openssl/ossl_ts.c -->
    # Used to generate a Response from scratch.
    #
    # Please bear in mind that the implementation will always apply and prefer the
    # policy object identifier given in the request over the default policy id
    # specified in the Factory. As a consequence, `default_policy_id` will only be
    # applied if no Request#policy_id was given. But this also means that one needs
    # to check the policy identifier in the request manually before creating the
    # Response, e.g. to check whether it complies to a specific set of acceptable
    # policies.
    #
    # There exists also the possibility to add certificates (instances of
    # OpenSSL::X509::Certificate) besides the timestamping certificate that will be
    # included in the resulting timestamp token if Request#cert_requested? is
    # `true`. Ideally, one would also include any intermediate certificates (the
    # root certificate can be left out - in order to trust it any verifying party
    # will have to be in its possession anyway). This simplifies validation of the
    # timestamp since these intermediate certificates are "already there" and need
    # not be passed as external parameters to Response#verify anymore, thus
    # minimizing external resources needed for verification.
    #
    # ### Example: Inclusion of (untrusted) intermediate certificates
    #
    # Assume we received a timestamp request that has set Request#policy_id to `nil`
    # and Request#cert_requested? to true. The raw request bytes are stored in a
    # variable called `req_raw`. We'd still like to integrate the necessary
    # intermediate certificates (in `inter1.cer` and `inter2.cer`) to simplify
    # validation of the resulting Response. `ts.p12` is a PKCS#12-compatible file
    # including the private key and the timestamping certificate.
    #
    #     req = OpenSSL::Timestamp::Request.new(raw_bytes)
    #     p12 = OpenSSL::PKCS12.new(File.binread('ts.p12'), 'pwd')
    #     inter1 = OpenSSL::X509::Certificate.new(File.binread('inter1.cer'))
    #     inter2 = OpenSSL::X509::Certificate.new(File.binread('inter2.cer'))
    #     fac = OpenSSL::Timestamp::Factory.new
    #     fac.gen_time = Time.now
    #     fac.serial_number = 1
    #     fac.allowed_digests = ["sha256", "sha384", "sha512"]
    #     #needed because the Request contained no policy identifier
    #     fac.default_policy_id = '1.2.3.4.5'
    #     fac.additional_certificates = [ inter1, inter2 ]
    #     timestamp = fac.create_timestamp(p12.key, p12.certificate, req)
    #
    # ## Attributes
    #
    # ### default_policy_id
    #
    # Request#policy_id will always be preferred over this if present in the
    # Request, only if Request#policy_id is nil default_policy will be used. If none
    # of both is present, a TimestampError will be raised when trying to create a
    # Response.
    #
    # call-seq:
    #     factory.default_policy_id = "string" -> string
    #     factory.default_policy_id            -> string or nil
    #
    # ### serial_number
    #
    # Sets or retrieves the serial number to be used for timestamp creation. Must be
    # present for timestamp creation.
    #
    # call-seq:
    #     factory.serial_number = number -> number
    #     factory.serial_number          -> number or nil
    #
    # ### gen_time
    #
    # Sets or retrieves the Time value to be used in the Response. Must be present
    # for timestamp creation.
    #
    # call-seq:
    #     factory.gen_time = Time -> Time
    #     factory.gen_time        -> Time or nil
    #
    # ### additional_certs
    #
    # Sets or retrieves additional certificates apart from the timestamp certificate
    # (e.g. intermediate certificates) to be added to the Response. Must be an Array
    # of OpenSSL::X509::Certificate.
    #
    # call-seq:
    #     factory.additional_certs = [cert1, cert2] -> [ cert1, cert2 ]
    #     factory.additional_certs                  -> array or nil
    #
    # ### allowed_digests
    #
    # Sets or retrieves the digest algorithms that the factory is allowed create
    # timestamps for. Known vulnerable or weak algorithms should not be allowed
    # where possible. Must be an Array of String or OpenSSL::Digest subclass
    # instances.
    #
    # call-seq:
    #     factory.allowed_digests = ["sha1", OpenSSL::Digest.new('SHA256').new] -> [ "sha1", OpenSSL::Digest) ]
    #     factory.allowed_digests                                               -> array or nil
    #
    class Factory
      def additional_certs: () -> Array[X509::Certificate]?

      def additional_certs=: (Array[X509::Certificate]? certs) -> Array[X509::Certificate]?

      def allowed_digests: () -> Array[String | Digest]?

      def allowed_digests=: (Array[String | Digest]) -> Array[String | Digest]

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - factory.create_timestamp(key, certificate, request) -> Response
      # -->
      # Creates a Response with the help of an OpenSSL::PKey, an
      # OpenSSL::X509::Certificate and a Request.
      #
      # Mandatory parameters for timestamp creation that need to be set in the
      # Request:
      #
      # *   Request#algorithm
      # *   Request#message_imprint
      #
      #
      # Mandatory parameters that need to be set in the Factory:
      # *   Factory#serial_number
      # *   Factory#gen_time
      # *   Factory#allowed_digests
      #
      #
      # In addition one of either Request#policy_id or Factory#default_policy_id must
      # be set.
      #
      # Raises a TimestampError if creation fails, though successfully created error
      # responses may be returned.
      #
      def create_timestamp: (PKey::PKey key, X509::Certificate cert, Request request) -> Response

      def default_policy_id: () -> String?

      def default_policy_id=: (String) -> String

      def gen_time: () -> Time?

      def gen_time=: (Time) -> Time

      def serial_number: () -> Integer?

      def serial_number=: (Integer) -> Integer
    end

    # <!-- rdoc-file=ext/openssl/ossl_ts.c -->
    # Allows to create timestamp requests or parse existing ones. A Request is also
    # needed for creating timestamps from scratch with Factory. When created from
    # scratch, some default values are set:
    # *   version is set to `1`
    # *   cert_requested is set to `true`
    # *   algorithm, message_imprint, policy_id, and nonce are set to `false`
    #
    class Request
      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - request.algorithm    -> string
      # -->
      # Returns the 'short name' of the object identifier that represents the
      # algorithm that was used to create the message imprint digest.
      #
      def algorithm: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - request.algorithm = "string"    -> string
      # -->
      # Allows to set the object identifier  or the 'short name' of the algorithm that
      # was used to create the message imprint digest.
      #
      # ### Example:
      #     request.algorithm = "SHA1"
      #
      def algorithm=: (String) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - request.cert_requested = boolean -> true or false
      # -->
      # Specify whether the response shall contain the timestamp authority's
      # certificate or not. The default value is `true`.
      #
      def cert_requested=: [U] (boolish) -> U

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - request.cert_requested?  -> true or false
      # -->
      # Indicates whether the response shall contain the timestamp authority's
      # certificate or not.
      #
      def cert_requested?: () -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - request.message_imprint    -> string or nil
      # -->
      # Returns the message imprint (digest) of the data to be timestamped.
      #
      def message_imprint: () -> String?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - request.message_imprint = "string"    -> string
      # -->
      # Set the message imprint digest.
      #
      def message_imprint=: (String) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - request.nonce    -> BN or nil
      # -->
      # Returns the nonce (number used once) that the server shall include in its
      # response.
      #
      def nonce: () -> BN?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - request.nonce = number    -> BN
      # -->
      # Sets the nonce (number used once) that the server shall include in its
      # response. If the nonce is set, the server must return the same nonce value in
      # a valid Response.
      #
      def nonce=: (bn nonce) -> BN

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - request.policy_id    -> string or nil
      # -->
      # Returns the 'short name' of the object identifier that represents the
      # timestamp policy under which the server shall create the timestamp.
      #
      def policy_id: () -> String?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - request.policy_id = "string"   -> string
      # -->
      # Allows to set the object identifier that represents the timestamp policy under
      # which the server shall create the timestamp. This may be left `nil`, implying
      # that the timestamp server will issue the timestamp using some default policy.
      #
      # ### Example:
      #     request.policy_id = "1.2.3.4.5"
      #
      def policy_id=: (String policy_id) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - request.to_der    -> DER-encoded string
      # -->
      # DER-encodes this Request.
      #
      def to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - request.version -> Integer
      # -->
      # Returns the version of this request. `1` is the default value.
      #
      def version: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - request.version = number    -> Integer
      # -->
      # Sets the version number for this Request. This should be `1` for compliant
      # servers.
      #
      def version=: (Integer) -> Integer

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - OpenSSL::Timestamp::Request.new(file)    -> request
      #   - OpenSSL::Timestamp::Request.new(string)  -> request
      #   - OpenSSL::Timestamp::Request.new          -> empty request
      # -->
      # When creating a Request with the `File` or `string` parameter, the
      # corresponding `File` or `string` must be DER-encoded.
      #
      def initialize: (?File | String request_der) -> void
    end

    # <!-- rdoc-file=ext/openssl/ossl_ts.c -->
    # Immutable and read-only representation of a timestamp response returned from a
    # timestamp server after receiving an associated Request. Allows access to
    # specific information about the response but also allows to verify the
    # Response.
    #
    class Response
      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - response.failure_info -> nil or symbol
      # -->
      # In cases no timestamp token has been created, this field contains further info
      # about the reason why response creation failed. The method returns either nil
      # (the request was successful and a timestamp token was created) or one of the
      # following:
      # *   :BAD_ALG - Indicates that the timestamp server rejects the message imprint
      #     algorithm used in the Request
      # *   :BAD_REQUEST - Indicates that the timestamp server was not able to process
      #     the Request properly
      # *   :BAD_DATA_FORMAT - Indicates that the timestamp server was not able to
      #     parse certain data in the Request
      # *   :TIME_NOT_AVAILABLE - Indicates that the server could not access its time
      #     source
      # *   :UNACCEPTED_POLICY - Indicates that the requested policy identifier is not
      #     recognized or supported by the timestamp server
      # *   :UNACCEPTED_EXTENSIION - Indicates that an extension in the Request is not
      #     supported by the timestamp server
      # *   :ADD_INFO_NOT_AVAILABLE -Indicates that additional information requested
      #     is either not understood or currently not available
      # *   :SYSTEM_FAILURE - Timestamp creation failed due to an internal error that
      #     occurred on the timestamp server
      #
      def failure_info: () -> Symbol?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - response.status -> BN (never nil)
      # -->
      # Returns one of GRANTED, GRANTED_WITH_MODS, REJECTION, WAITING,
      # REVOCATION_WARNING or REVOCATION_NOTIFICATION. A timestamp token has been
      # created only in case `status` is equal to GRANTED or GRANTED_WITH_MODS.
      #
      def status: () -> BN

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - response.status_text -> Array of strings or nil
      # -->
      # In cases of failure this field may contain an array of strings further
      # describing the origin of the failure.
      #
      def status_text: () -> Array[String]?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - response.to_der -> string
      # -->
      # Returns the Response in DER-encoded form.
      #
      def to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - response.token -> nil or OpenSSL::PKCS7
      # -->
      # If a timestamp token is present, this returns it in the form of a
      # OpenSSL::PKCS7.
      #
      def token: () -> PKCS7?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - response.token_info -> nil or OpenSSL::Timestamp::TokenInfo
      # -->
      # Get the response's token info if present.
      #
      def token_info: () -> TokenInfo?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - response.tsa_certificate -> OpenSSL::X509::Certificate or nil
      # -->
      # If the Request specified to request the TSA certificate
      # (Request#cert_requested = true), then this field contains the certificate of
      # the timestamp authority.
      #
      def tsa_certificate: () -> X509::Certificate?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - response.verify(Request, root_store) -> Response
      #   - response.verify(Request, root_store, [intermediate_cert]) -> Response
      # -->
      # Verifies a timestamp token by checking the signature, validating the
      # certificate chain implied by tsa_certificate and by checking conformance to a
      # given Request. Mandatory parameters are the Request associated to this
      # Response, and an OpenSSL::X509::Store of trusted roots.
      #
      # Intermediate certificates can optionally be supplied for creating the
      # certificate chain. These intermediate certificates must all be instances of
      # OpenSSL::X509::Certificate.
      #
      # If validation fails, several kinds of exceptions can be raised:
      # *   TypeError if types don't fit
      # *   TimestampError if something is wrong with the timestamp token itself, if
      #     it is not conformant to the Request, or if validation of the timestamp
      #     certificate chain fails.
      #
      def verify: (Request request, X509::Store store, ?X509::Certificate intermediate_cert) -> instance

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - OpenSSL::Timestamp::Response.new(file)    -> response
      #   - OpenSSL::Timestamp::Response.new(string)  -> response
      # -->
      # Creates a Response from a `File` or `string` parameter, the corresponding
      # `File` or `string` must be DER-encoded. Please note that Response is an
      # immutable read-only class. If you'd like to create timestamps please refer to
      # Factory instead.
      #
      def initialize: (File | String response_der) -> void

      # <!-- rdoc-file=ext/openssl/ossl_ts.c -->
      # Indicates a successful response. Equal to `0`.
      #
      GRANTED: Integer

      # <!-- rdoc-file=ext/openssl/ossl_ts.c -->
      # Indicates a successful response that probably contains modifications from the
      # initial request. Equal to `1`.
      #
      GRANTED_WITH_MODS: Integer

      # <!-- rdoc-file=ext/openssl/ossl_ts.c -->
      # Indicates a failure. No timestamp token was created. Equal to `2`.
      #
      REJECTION: Integer

      # <!-- rdoc-file=ext/openssl/ossl_ts.c -->
      # Indicates a failure. No timestamp token was created. A certificate has been
      # revoked. Equal to `5`.
      #
      REVOCATION_NOTIFICATION: Integer

      # <!-- rdoc-file=ext/openssl/ossl_ts.c -->
      # Indicates a failure. No timestamp token was created. Revocation of a
      # certificate is imminent. Equal to `4`.
      #
      REVOCATION_WARNING: Integer

      # <!-- rdoc-file=ext/openssl/ossl_ts.c -->
      # Indicates a failure. No timestamp token was created. Equal to `3`.
      #
      WAITING: Integer
    end

    # <!-- rdoc-file=ext/openssl/ossl_ts.c -->
    # Generic exception class of the Timestamp module.
    #
    class TimestampError < OpenSSL::OpenSSLError
    end

    # <!-- rdoc-file=ext/openssl/ossl_ts.c -->
    # Immutable and read-only representation of a timestamp token info from a
    # Response.
    #
    class TokenInfo
      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - token_info.algorithm -> string or nil
      # -->
      # Returns the 'short name' of the object identifier representing the algorithm
      # that was used to derive the message imprint digest. For valid timestamps, this
      # is the same value that was already given in the Request. If status is GRANTED
      # or GRANTED_WITH_MODS, this is never `nil`.
      #
      # ### Example:
      #     algo = token_info.algorithm
      #     puts algo                -> "SHA1"
      #
      def algorithm: () -> String?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - token_info.gen_time -> Time
      # -->
      # Returns time when this timestamp token was created. If status is GRANTED or
      # GRANTED_WITH_MODS, this is never `nil`.
      #
      def gen_time: () -> Time

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - token_info.msg_imprint -> string.
      # -->
      # Returns the message imprint digest. For valid timestamps, this is the same
      # value that was already given in the Request. If status is GRANTED or
      # GRANTED_WITH_MODS, this is never `nil`.
      #
      # ### Example:
      #     mi = token_info.msg_imprint
      #     puts mi                -> "DEADBEEF"
      #
      def message_imprint: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - token_info.nonce -> BN or nil
      # -->
      # If the timestamp token is valid then this field contains the same nonce that
      # was passed to the timestamp server in the initial Request.
      #
      def nonce: () -> BN?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - token_info.ordering -> true, falses or nil
      # -->
      # If the ordering field is missing, or if the ordering field is present and set
      # to false, then the genTime field only indicates the time at which the
      # time-stamp token has been created by the TSA.  In such a case, the ordering of
      # time-stamp tokens issued by the same TSA or different TSAs is only possible
      # when the difference between the genTime of the first time-stamp token and the
      # genTime of the second time-stamp token is greater than the sum of the
      # accuracies of the genTime for each time-stamp token.
      #
      # If the ordering field is present and set to true, every time-stamp token from
      # the same TSA can always be ordered based on the genTime field, regardless of
      # the genTime accuracy.
      #
      def ordering: () -> bool?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - token_info.policy_id -> string or nil
      # -->
      # Returns the timestamp policy object identifier of the policy this timestamp
      # was created under. If status is GRANTED or GRANTED_WITH_MODS, this is never
      # `nil`.
      #
      # ### Example:
      #     id = token_info.policy_id
      #     puts id                 -> "1.2.3.4.5"
      #
      def policy_id: () -> String?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - token_info.serial_number -> BN or nil
      # -->
      # Returns serial number of the timestamp token. This value shall never be the
      # same for two timestamp tokens issued by a dedicated timestamp authority. If
      # status is GRANTED or GRANTED_WITH_MODS, this is never `nil`.
      #
      def serial_number: () -> BN?

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - token_info.to_der -> string
      # -->
      # Returns the TokenInfo in DER-encoded form.
      #
      def to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - token_info.version -> Integer or nil
      # -->
      # Returns the version number of the token info. With compliant servers, this
      # value should be `1` if present. If status is GRANTED or GRANTED_WITH_MODS.
      #
      def version: () -> Integer

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_ts.c
      #   - OpenSSL::Timestamp::TokenInfo.new(file)    -> token-info
      #   - OpenSSL::Timestamp::TokenInfo.new(string)  -> token-info
      # -->
      # Creates a TokenInfo from a `File` or `string` parameter, the corresponding
      # `File` or `string` must be DER-encoded. Please note that TokenInfo is an
      # immutable read-only class. If you'd like to create timestamps please refer to
      # Factory instead.
      #
      def initialize: (File | String token_der) -> void
    end
  end

  module X509
    DEFAULT_CERT_AREA: String

    DEFAULT_CERT_DIR: String

    DEFAULT_CERT_DIR_ENV: String

    DEFAULT_CERT_FILE: String

    DEFAULT_CERT_FILE_ENV: String

    DEFAULT_PRIVATE_DIR: String

    PURPOSE_ANY: Integer

    PURPOSE_CRL_SIGN: Integer

    PURPOSE_NS_SSL_SERVER: Integer

    PURPOSE_OCSP_HELPER: Integer

    PURPOSE_SMIME_ENCRYPT: Integer

    PURPOSE_SMIME_SIGN: Integer

    PURPOSE_SSL_CLIENT: Integer

    PURPOSE_SSL_SERVER: Integer

    PURPOSE_TIMESTAMP_SIGN: Integer

    TRUST_COMPAT: Integer

    TRUST_EMAIL: Integer

    TRUST_OBJECT_SIGN: Integer

    TRUST_OCSP_REQUEST: Integer

    TRUST_OCSP_SIGN: Integer

    TRUST_SSL_CLIENT: Integer

    TRUST_SSL_SERVER: Integer

    TRUST_TSA: Integer

    V_ERR_AKID_ISSUER_SERIAL_MISMATCH: Integer

    V_ERR_AKID_SKID_MISMATCH: Integer

    V_ERR_APPLICATION_VERIFICATION: Integer

    V_ERR_CA_KEY_TOO_SMALL: Integer

    V_ERR_CA_MD_TOO_WEAK: Integer

    V_ERR_CERT_CHAIN_TOO_LONG: Integer

    V_ERR_CERT_HAS_EXPIRED: Integer

    V_ERR_CERT_NOT_YET_VALID: Integer

    V_ERR_CERT_REJECTED: Integer

    V_ERR_CERT_REVOKED: Integer

    V_ERR_CERT_SIGNATURE_FAILURE: Integer

    V_ERR_CERT_UNTRUSTED: Integer

    V_ERR_CRL_HAS_EXPIRED: Integer

    V_ERR_CRL_NOT_YET_VALID: Integer

    V_ERR_CRL_PATH_VALIDATION_ERROR: Integer

    V_ERR_CRL_SIGNATURE_FAILURE: Integer

    V_ERR_DANE_NO_MATCH: Integer

    V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: Integer

    V_ERR_DIFFERENT_CRL_SCOPE: Integer

    V_ERR_EE_KEY_TOO_SMALL: Integer

    V_ERR_EMAIL_MISMATCH: Integer

    V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: Integer

    V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: Integer

    V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: Integer

    V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: Integer

    V_ERR_EXCLUDED_VIOLATION: Integer

    V_ERR_HOSTNAME_MISMATCH: Integer

    V_ERR_INVALID_CA: Integer

    V_ERR_INVALID_CALL: Integer

    V_ERR_INVALID_EXTENSION: Integer

    V_ERR_INVALID_NON_CA: Integer

    V_ERR_INVALID_POLICY_EXTENSION: Integer

    V_ERR_INVALID_PURPOSE: Integer

    V_ERR_IP_ADDRESS_MISMATCH: Integer

    V_ERR_KEYUSAGE_NO_CERTSIGN: Integer

    V_ERR_KEYUSAGE_NO_CRL_SIGN: Integer

    V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: Integer

    V_ERR_NO_EXPLICIT_POLICY: Integer

    V_ERR_NO_VALID_SCTS: Integer

    V_ERR_OCSP_CERT_UNKNOWN: Integer

    V_ERR_OCSP_VERIFY_FAILED: Integer

    V_ERR_OCSP_VERIFY_NEEDED: Integer

    V_ERR_OUT_OF_MEM: Integer

    V_ERR_PATH_LENGTH_EXCEEDED: Integer

    V_ERR_PATH_LOOP: Integer

    V_ERR_PERMITTED_VIOLATION: Integer

    V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: Integer

    V_ERR_PROXY_PATH_LENGTH_EXCEEDED: Integer

    V_ERR_PROXY_SUBJECT_NAME_VIOLATION: Integer

    V_ERR_SELF_SIGNED_CERT_IN_CHAIN: Integer

    V_ERR_STORE_LOOKUP: Integer

    V_ERR_SUBJECT_ISSUER_MISMATCH: Integer

    V_ERR_SUBTREE_MINMAX: Integer

    V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256: Integer

    V_ERR_SUITE_B_INVALID_ALGORITHM: Integer

    V_ERR_SUITE_B_INVALID_CURVE: Integer

    V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM: Integer

    V_ERR_SUITE_B_INVALID_VERSION: Integer

    V_ERR_SUITE_B_LOS_NOT_ALLOWED: Integer

    V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: Integer

    V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: Integer

    V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: Integer

    V_ERR_UNABLE_TO_GET_CRL: Integer

    V_ERR_UNABLE_TO_GET_CRL_ISSUER: Integer

    V_ERR_UNABLE_TO_GET_ISSUER_CERT: Integer

    V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: Integer

    V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: Integer

    V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: Integer

    V_ERR_UNHANDLED_CRITICAL_EXTENSION: Integer

    V_ERR_UNNESTED_RESOURCE: Integer

    V_ERR_UNSPECIFIED: Integer

    V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: Integer

    V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Integer

    V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Integer

    V_ERR_UNSUPPORTED_NAME_SYNTAX: Integer

    V_FLAG_ALLOW_PROXY_CERTS: Integer

    V_FLAG_CHECK_SS_SIGNATURE: Integer

    V_FLAG_CRL_CHECK: Integer

    V_FLAG_CRL_CHECK_ALL: Integer

    V_FLAG_EXPLICIT_POLICY: Integer

    V_FLAG_EXTENDED_CRL_SUPPORT: Integer

    V_FLAG_IGNORE_CRITICAL: Integer

    V_FLAG_INHIBIT_ANY: Integer

    V_FLAG_INHIBIT_MAP: Integer

    V_FLAG_NOTIFY_POLICY: Integer

    V_FLAG_NO_ALT_CHAINS: Integer

    V_FLAG_NO_CHECK_TIME: Integer

    V_FLAG_PARTIAL_CHAIN: Integer

    V_FLAG_POLICY_CHECK: Integer

    V_FLAG_SUITEB_128_LOS: Integer

    V_FLAG_SUITEB_128_LOS_ONLY: Integer

    V_FLAG_SUITEB_192_LOS: Integer

    V_FLAG_TRUSTED_FIRST: Integer

    V_FLAG_USE_CHECK_TIME: Integer

    V_FLAG_USE_DELTAS: Integer

    V_FLAG_X509_STRICT: Integer

    V_OK: Integer

    class Attribute
      include OpenSSL::Marshal

      extend OpenSSL::Marshal::ClassMethods

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - ==(other)
      # -->
      #
      def ==: (instance other) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509attr.c
      #   - attr.oid => string
      # -->
      #
      def oid: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509attr.c
      #   - attr.oid = string => string
      # -->
      #
      def oid=: (String) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509attr.c
      #   - attr.to_der => string
      # -->
      #
      def to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509attr.c
      #   - attr.value => asn1
      # -->
      #
      def value: () -> ASN1::Set

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509attr.c
      #   - attr.value = asn1 => asn1
      # -->
      #
      def value=: (ASN1::ASN1Data) -> ASN1::Set

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509attr.c
      #   - Attribute.new(oid [, value]) => attr
      # -->
      #
      def initialize: (String der) -> void
                    | (String oid, ASN1::ASN1Data value) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509attr.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void
    end

    class AttributeError < OpenSSL::OpenSSLError
    end

    class CRL
      include OpenSSL::X509::Extension::AuthorityKeyIdentifier

      include OpenSSL::Marshal

      extend OpenSSL::Marshal::ClassMethods

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - ==(other)
      # -->
      #
      def ==: (instance other) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - add_extension(p1)
      # -->
      #
      def add_extension: (Extension ext) -> Extension

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - add_revoked(p1)
      # -->
      #
      def add_revoked: (Revoked revoked) -> Revoked

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - extensions()
      # -->
      # Gets X509v3 extensions as array of X509Ext objects
      #
      def extensions: () -> Array[Extension]

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - extensions=(p1)
      # -->
      # Sets X509_EXTENSIONs
      #
      def extensions=: (Array[Extension] extensions) -> Array[Extension]

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - issuer()
      # -->
      #
      def issuer: () -> X509::Name

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - issuer=(p1)
      # -->
      #
      def issuer=: (X509::Name issuer) -> X509::Name

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - last_update()
      # -->
      #
      def last_update: () -> Time?

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - last_update=(p1)
      # -->
      #
      def last_update=: (Time last_update) -> Time

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - next_update()
      # -->
      #
      def next_update: () -> Time?

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - next_update=(p1)
      # -->
      #
      def next_update=: (Time next_update) -> Time

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - revoked()
      # -->
      #
      def revoked: () -> Array[Revoked]

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - revoked=(p1)
      # -->
      #
      def revoked=: (Array[Revoked]) -> Array[Revoked]

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - sign(p1, p2)
      # -->
      #
      def sign: (PKey::PKey key, Digest digest) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - signature_algorithm()
      # -->
      #
      def signature_algorithm: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - to_der()
      # -->
      #
      def to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - to_pem()
      # -->
      #
      def to_pem: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - to_s()
      # -->
      #
      alias to_s to_pem

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - to_text()
      # -->
      #
      def to_text: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - verify(p1)
      # -->
      #
      def verify: (PKey::PKey key) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - version()
      # -->
      #
      def version: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - version=(p1)
      # -->
      #
      def version=: (Integer) -> Integer

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - new(p1 = v1)
      # -->
      #
      def initialize: (?String der) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509crl.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void
    end

    class CRLError < OpenSSL::OpenSSLError
    end

    # <!-- rdoc-file=ext/openssl/ossl_x509cert.c -->
    # Implementation of an X.509 certificate as specified in RFC 5280. Provides
    # access to a certificate's attributes and allows certificates to be read from a
    # string, but also supports the creation of new certificates from scratch.
    #
    # ### Reading a certificate from a file
    #
    # Certificate is capable of handling DER-encoded certificates and certificates
    # encoded in OpenSSL's PEM format.
    #
    #     raw = File.binread "cert.cer" # DER- or PEM-encoded
    #     certificate = OpenSSL::X509::Certificate.new raw
    #
    # ### Saving a certificate to a file
    #
    # A certificate may be encoded in DER format
    #
    #     cert = ...
    #     File.open("cert.cer", "wb") { |f| f.print cert.to_der }
    #
    # or in PEM format
    #
    #     cert = ...
    #     File.open("cert.pem", "wb") { |f| f.print cert.to_pem }
    #
    # X.509 certificates are associated with a private/public key pair, typically a
    # RSA, DSA or ECC key (see also OpenSSL::PKey::RSA, OpenSSL::PKey::DSA and
    # OpenSSL::PKey::EC), the public key itself is stored within the certificate and
    # can be accessed in form of an OpenSSL::PKey. Certificates are typically used
    # to be able to associate some form of identity with a key pair, for example web
    # servers serving pages over HTTPs use certificates to authenticate themselves
    # to the user.
    #
    # The public key infrastructure (PKI) model relies on trusted certificate
    # authorities ("root CAs") that issue these certificates, so that end users need
    # to base their trust just on a selected few authorities that themselves again
    # vouch for subordinate CAs issuing their certificates to end users.
    #
    # The OpenSSL::X509 module provides the tools to set up an independent PKI,
    # similar to scenarios where the 'openssl' command line tool is used for issuing
    # certificates in a private PKI.
    #
    # ### Creating a root CA certificate and an end-entity certificate
    #
    # First, we need to create a "self-signed" root certificate. To do so, we need
    # to generate a key first. Please note that the choice of "1" as a serial number
    # is considered a security flaw for real certificates. Secure choices are
    # integers in the two-digit byte range and ideally not sequential but secure
    # random numbers, steps omitted here to keep the example concise.
    #
    #     root_key = OpenSSL::PKey::RSA.new 2048 # the CA's public/private key
    #     root_ca = OpenSSL::X509::Certificate.new
    #     root_ca.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
    #     root_ca.serial = 1
    #     root_ca.subject = OpenSSL::X509::Name.parse "/DC=org/DC=ruby-lang/CN=Ruby CA"
    #     root_ca.issuer = root_ca.subject # root CA's are "self-signed"
    #     root_ca.public_key = root_key.public_key
    #     root_ca.not_before = Time.now
    #     root_ca.not_after = root_ca.not_before + 2 * 365 * 24 * 60 * 60 # 2 years validity
    #     ef = OpenSSL::X509::ExtensionFactory.new
    #     ef.subject_certificate = root_ca
    #     ef.issuer_certificate = root_ca
    #     root_ca.add_extension(ef.create_extension("basicConstraints","CA:TRUE",true))
    #     root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
    #     root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
    #     root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
    #     root_ca.sign(root_key, OpenSSL::Digest.new('SHA256'))
    #
    # The next step is to create the end-entity certificate using the root CA
    # certificate.
    #
    #     key = OpenSSL::PKey::RSA.new 2048
    #     cert = OpenSSL::X509::Certificate.new
    #     cert.version = 2
    #     cert.serial = 2
    #     cert.subject = OpenSSL::X509::Name.parse "/DC=org/DC=ruby-lang/CN=Ruby certificate"
    #     cert.issuer = root_ca.subject # root CA is the issuer
    #     cert.public_key = key.public_key
    #     cert.not_before = Time.now
    #     cert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60 # 1 years validity
    #     ef = OpenSSL::X509::ExtensionFactory.new
    #     ef.subject_certificate = cert
    #     ef.issuer_certificate = root_ca
    #     cert.add_extension(ef.create_extension("keyUsage","digitalSignature", true))
    #     cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
    #     cert.sign(root_key, OpenSSL::Digest.new('SHA256'))
    #
    class Certificate
      include OpenSSL::X509::Extension::AuthorityInfoAccess

      include OpenSSL::X509::Extension::CRLDistributionPoints

      include OpenSSL::X509::Extension::AuthorityKeyIdentifier

      include OpenSSL::X509::Extension::SubjectKeyIdentifier

      include OpenSSL::Marshal

      extend OpenSSL::Marshal::ClassMethods

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert1 == cert2 -> true | false
      # -->
      # Compares the two certificates. Note that this takes into account all fields,
      # not just the issuer name and the serial number.
      #
      def ==: (instance other) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.add_extension(extension) => extension
      # -->
      #
      def add_extension: (Extension ext) -> Extension

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.check_private_key(key) -> true | false
      # -->
      # Returns `true` if *key* is the corresponding private key to the Subject Public
      # Key Information, `false` otherwise.
      #
      def check_private_key: (PKey::PKey key) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.extensions => [extension...]
      # -->
      #
      def extensions: () -> Array[Extension]

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.extensions = [ext...] => [ext...]
      # -->
      #
      def extensions=: (Array[Extension]) -> Array[Extension]

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - inspect()
      # -->
      #
      def inspect: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.issuer => name
      # -->
      #
      def issuer: () -> Name

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.issuer = name => name
      # -->
      #
      def issuer=: (Name) -> Name

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.not_after => time
      # -->
      #
      def not_after: () -> Time?

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.not_after = time => time
      # -->
      #
      def not_after=: (Time) -> Time

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.not_before => time
      # -->
      #
      def not_before: () -> Time?

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.not_before = time => time
      # -->
      #
      def not_before=: (Time) -> Time

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - pretty_print(q)
      # -->
      #
      def pretty_print: (untyped q) -> untyped

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.public_key => key
      # -->
      #
      def public_key: () -> PKey::PKey

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.public_key = key
      # -->
      #
      def public_key=: (PKey::PKey pkey) -> PKey::PKey

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.serial => integer
      # -->
      #
      def serial: () -> BN

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.serial = integer => integer
      # -->
      #
      def serial=: (bn serial) -> bn

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.sign(key, digest) => self
      # -->
      #
      def sign: (PKey::PKey key, String digest) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.signature_algorithm => string
      # -->
      #
      def signature_algorithm: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.subject => name
      # -->
      #
      def subject: () -> Name

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.subject = name => name
      # -->
      #
      def subject=: (Name) -> Name

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.to_der => string
      # -->
      #
      def to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.to_pem => string
      # -->
      #
      def to_pem: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - to_s()
      # -->
      #
      alias to_s to_pem

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.to_text => string
      # -->
      #
      def to_text: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.verify(key) => true | false
      # -->
      # Verifies the signature of the certificate, with the public key *key*. *key*
      # must be an instance of OpenSSL::PKey.
      #
      def verify: (PKey::PKey key) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.version => integer
      # -->
      #
      def version: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - cert.version = integer => integer
      # -->
      #
      def version=: (Integer) -> Integer

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - Certificate.new => cert
      #   - Certificate.new(string) => cert
      # -->
      #
      def initialize: (?String pem) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509cert.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void
    end

    class CertificateError < OpenSSL::OpenSSLError
    end

    class Extension
      include OpenSSL::Marshal

      extend OpenSSL::Marshal::ClassMethods

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - ==(other)
      # -->
      #
      def ==: (instance other) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - critical=(p1)
      # -->
      #
      def critical=: [U] (boolish) -> U

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - critical?()
      # -->
      #
      def critical?: () -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - oid()
      # -->
      #
      def oid: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - oid=(p1)
      # -->
      #
      def oid=: (String oid) -> String

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - to_a()
      # -->
      #
      def to_a: () -> [ String, String, bool ]

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - to_der()
      # -->
      #
      def to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - to_h()
      # -->
      #
      def to_h: () -> Hash[String, untyped]

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - to_s()
      # -->
      #
      def to_s: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - value()
      # -->
      #
      def value: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - value=(p1)
      # -->
      #
      def value=: (String | ASN1::_ToDer data) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - value_der()
      # -->
      #
      def value_der: () -> String

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - OpenSSL::X509::Extension.new(der)
      #   - OpenSSL::X509::Extension.new(oid, value)
      #   - OpenSSL::X509::Extension.new(oid, value, critical)
      # -->
      # Creates an X509 extension.
      #
      # The extension may be created from *der* data or from an extension *oid* and
      # *value*.  The *oid* may be either an OID or an extension name.  If *critical*
      # is `true` the extension is marked critical.
      #
      def initialize: (String der) -> void
                    | (String oid, String value, ?boolish critical) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void

      module AuthorityInfoAccess
        include OpenSSL::X509::Extension::Helpers

        # <!--
        #   rdoc-file=ext/openssl/lib/openssl/x509.rb
        #   - ca_issuer_uris()
        # -->
        # Get the information and services for the issuer from the certificate's
        # authority information access extension exteension, as described in RFC5280
        # Section 4.2.2.1.
        #
        # Returns an array of strings or nil or raises ASN1::ASN1Error.
        #
        def ca_issuer_uris: () -> Array[String]?

        # <!--
        #   rdoc-file=ext/openssl/lib/openssl/x509.rb
        #   - ocsp_uris()
        # -->
        # Get the URIs for OCSP from the certificate's authority information access
        # extension exteension, as described in RFC5280 Section 4.2.2.1.
        #
        # Returns an array of strings or nil or raises ASN1::ASN1Error.
        #
        def ocsp_uris: () -> Array[String]?

        private

        # <!--
        #   rdoc-file=ext/openssl/lib/openssl/x509.rb
        #   - parse_aia_asn1()
        # -->
        #
        def parse_aia_asn1: () -> untyped
      end

      module AuthorityKeyIdentifier
        include OpenSSL::X509::Extension::Helpers

        # <!--
        #   rdoc-file=ext/openssl/lib/openssl/x509.rb
        #   - authority_key_identifier()
        # -->
        # Get the issuing certificate's key identifier from the authorityKeyIdentifier
        # extension, as described in RFC5280 Section 4.2.1.1
        #
        # Returns the binary String keyIdentifier or nil or raises ASN1::ASN1Error.
        #
        def authority_key_identifier: () -> String?
      end

      module CRLDistributionPoints
        include OpenSSL::X509::Extension::Helpers

        # <!--
        #   rdoc-file=ext/openssl/lib/openssl/x509.rb
        #   - crl_uris()
        # -->
        # Get the distributionPoint fullName URI from the certificate's CRL distribution
        # points extension, as described in RFC5280 Section 4.2.1.13
        #
        # Returns an array of strings or nil or raises ASN1::ASN1Error.
        #
        def crl_uris: () -> Array[String]?
      end

      module Helpers
        # <!--
        #   rdoc-file=ext/openssl/lib/openssl/x509.rb
        #   - find_extension(oid)
        # -->
        #
        def find_extension: (String oid) -> Extension?
      end

      module SubjectKeyIdentifier
        include OpenSSL::X509::Extension::Helpers

        # <!--
        #   rdoc-file=ext/openssl/lib/openssl/x509.rb
        #   - subject_key_identifier()
        # -->
        # Get the subject's key identifier from the subjectKeyIdentifier exteension, as
        # described in RFC5280 Section 4.2.1.2.
        #
        # Returns the binary String key identifier or nil or raises ASN1::ASN1Error.
        #
        def subject_key_identifier: () -> String?
      end
    end

    class ExtensionError < OpenSSL::OpenSSLError
    end

    class ExtensionFactory
      def config: () -> Config?

      def config=: (Config config) -> Config

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - ef.create_ext(ln_or_sn, "value", critical = false) -> X509::Extension
      #   - ef.create_ext(ln_or_sn, "critical,value")          -> X509::Extension
      # -->
      # Creates a new X509::Extension with passed values. See also x509v3_config(5).
      #
      def create_ext: (String oid, String value, ?boolish critical) -> Extension

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - create_ext_from_array(ary)
      # -->
      #
      def create_ext_from_array: ([ String, String ] | [ String, String, boolish ] ary) -> Extension

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - create_ext_from_hash(hash)
      # -->
      #
      def create_ext_from_hash: (Hash[String, String | boolish] hash) -> Extension

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - create_ext_from_string(str)
      # -->
      #
      def create_ext_from_string: (String str) -> Extension

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - create_extension(*arg)
      # -->
      #
      def create_extension: (String oid, String value, ?boolish critical) -> Extension

      def crl: () -> CRL?

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - crl=(p1)
      # -->
      #
      def crl=: (CRL crl) -> CRL

      def issuer_certificate: () -> Certificate?

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - issuer_certificate=(p1)
      # -->
      #
      def issuer_certificate=: (Certificate cert) -> Certificate

      def subject_certificate: () -> Certificate?

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - subject_certificate=(p1)
      # -->
      #
      def subject_certificate=: (Certificate cert) -> Certificate

      def subject_request: () -> Request?

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - subject_request=(p1)
      # -->
      #
      def subject_request=: (Request request) -> Request

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509ext.c
      #   - new(p1 = v1, p2 = v2, p3 = v3, p4 = v4)
      # -->
      #
      def initialize: (?Certificate? issuer_cert, ?Certificate? subject_cert, ?Request? request, ?CRL? crl) -> void
    end

    # <!-- rdoc-file=ext/openssl/ossl_x509name.c -->
    # An X.509 name represents a hostname, email address or other entity associated
    # with a public key.
    #
    # You can create a Name by parsing a distinguished name String or by supplying
    # the distinguished name as an Array.
    #
    #     name = OpenSSL::X509::Name.parse_rfc2253 'DC=example,CN=nobody'
    #
    #     name = OpenSSL::X509::Name.new [['CN', 'nobody'], ['DC', 'example']]
    #
    class Name
      type distinguished_name = [ String, String ]

      type template = Hash[String, Integer]

      include OpenSSL::Marshal

      include Comparable

      extend OpenSSL::Marshal::ClassMethods

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - parse(str, template=OBJECT_TYPE_TEMPLATE)
      # -->
      #
      alias self.parse self.parse_openssl

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - parse_openssl(str, template=OBJECT_TYPE_TEMPLATE)
      # -->
      # Parses the string representation of a distinguished name. Two different forms
      # are supported:
      #
      # *   OpenSSL format (`X509_NAME_oneline()`) used by `#to_s`. For example:
      #     `/DC=com/DC=example/CN=nobody`
      # *   OpenSSL format (`X509_NAME_print()`) used by
      #     `#to_s(OpenSSL::X509::Name::COMPAT)`. For example: `DC=com, DC=example,
      #     CN=nobody`
      #
      #
      # Neither of them is standardized and has quirks and inconsistencies in handling
      # of escaped characters or multi-valued RDNs.
      #
      # Use of this method is discouraged in new applications. See Name.parse_rfc2253
      # and #to_utf8 for the alternative.
      #
      def self.parse_openssl: (String str, ?template template) -> instance

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - parse_rfc2253(str, template=OBJECT_TYPE_TEMPLATE)
      # -->
      # Parses the UTF-8 string representation of a distinguished name, according to
      # RFC 2253.
      #
      # See also #to_utf8 for the opposite operation.
      #
      def self.parse_rfc2253: (String str, ?template template) -> instance

      # <!-- rdoc-file=ext/openssl/ossl_x509name.c -->
      # Compares this Name with *other* and returns `0` if they are the same and `-1`
      # or `+1` if they are greater or less than each other respectively. Returns
      # `nil` if they are not comparable (i.e. different types).
      #
      alias <=> cmp

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509name.c
      #   - name.add_entry(oid, value [, type], loc: -1, set: 0) => self
      # -->
      # Adds a new entry with the given *oid* and *value* to this name.  The *oid* is
      # an object identifier defined in ASN.1.  Some common OIDs are:
      #
      # C
      # :   Country Name
      # CN
      # :   Common Name
      # DC
      # :   Domain Component
      # O
      # :   Organization Name
      # OU
      # :   Organizational Unit Name
      # ST
      # :   State or Province Name
      #
      #
      # The optional keyword parameters *loc* and *set* specify where to insert the
      # new attribute. Refer to the manpage of X509_NAME_add_entry(3) for details.
      # *loc* defaults to -1 and *set* defaults to 0. This appends a single-valued RDN
      # to the end.
      #
      def add_entry: (String oid, String value, ?loc: Integer, ?set: Integer) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509name.c
      #   - name.cmp(other) -> -1 | 0 | 1 | nil
      #   - name <=> other  -> -1 | 0 | 1 | nil
      # -->
      # Compares this Name with *other* and returns `0` if they are the same and `-1`
      # or `+1` if they are greater or less than each other respectively. Returns
      # `nil` if they are not comparable (i.e. different types).
      #
      def cmp: (untyped other) -> Integer?

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509name.c
      #   - name.eql?(other) -> true | false
      # -->
      # Returns true if *name* and *other* refer to the same hash key.
      #
      def eql?: (instance other) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509name.c
      #   - name.hash => integer
      # -->
      # The hash value returned is suitable for use as a certificate's filename in a
      # CA path.
      #
      def hash: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509name.c
      #   - name.hash_old => integer
      # -->
      # Returns an MD5 based hash used in OpenSSL 0.9.X.
      #
      def hash_old: () -> Integer

      def inspect: () -> String

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - pretty_print(q)
      # -->
      #
      def pretty_print: (untyped q) -> untyped

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509name.c
      #   - name.to_a => [[name, data, type], ...]
      # -->
      # Returns an Array representation of the distinguished name suitable for passing
      # to ::new
      #
      def to_a: () -> Array[[ String, String, Integer ]]

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509name.c
      #   - name.to_der => string
      # -->
      # Converts the name to DER encoding
      #
      def to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509name.c
      #   - name.to_s         -> string
      #   - name.to_s(format) -> string
      # -->
      # Returns a String representation of the Distinguished Name. *format* is one of:
      #
      # *   OpenSSL::X509::Name::COMPAT
      # *   OpenSSL::X509::Name::RFC2253
      # *   OpenSSL::X509::Name::ONELINE
      # *   OpenSSL::X509::Name::MULTILINE
      #
      #
      # If *format* is omitted, the largely broken and traditional OpenSSL format
      # (`X509_NAME_oneline()` format) is chosen.
      #
      # **Use of this method is discouraged.** None of the formats other than
      # OpenSSL::X509::Name::RFC2253 is standardized and may show an inconsistent
      # behavior through OpenSSL versions.
      #
      # It is recommended to use #to_utf8 instead, which is equivalent to calling
      # `name.to_s(OpenSSL::X509::Name::RFC2253).force_encoding("UTF-8")`.
      #
      def to_s: (?format format) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509name.c
      #   - name.to_utf8 -> string
      # -->
      # Returns an UTF-8 representation of the distinguished name, as specified in
      # [RFC 2253](https://www.ietf.org/rfc/rfc2253.txt).
      #
      def to_utf8: () -> String

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509name.c
      #   - X509::Name.new                               => name
      #   - X509::Name.new(der)                          => name
      #   - X509::Name.new(distinguished_name)           => name
      #   - X509::Name.new(distinguished_name, template) => name
      # -->
      # Creates a new Name.
      #
      # A name may be created from a DER encoded string *der*, an Array representing a
      # *distinguished_name* or a *distinguished_name* along with a *template*.
      #
      #     name = OpenSSL::X509::Name.new [['CN', 'nobody'], ['DC', 'example']]
      #
      #     name = OpenSSL::X509::Name.new name.to_der
      #
      # See add_entry for a description of the *distinguished_name* Array's contents
      #
      def initialize: (distinguished_name name, template template) -> void
                    | (Array[distinguished_name] names) -> void
                    | (?String der) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509name.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void

      # <!-- rdoc-file=ext/openssl/ossl_x509name.c -->
      # A flag for #to_s.
      #
      # Breaks the name returned into multiple lines if longer than 80 characters.
      #
      COMPAT: Integer

      # <!-- rdoc-file=ext/openssl/ossl_x509name.c -->
      # The default object type for name entries.
      #
      DEFAULT_OBJECT_TYPE: Integer

      # <!-- rdoc-file=ext/openssl/ossl_x509name.c -->
      # A flag for #to_s.
      #
      # Returns a multiline format.
      #
      MULTILINE: Integer

      # <!-- rdoc-file=ext/openssl/ossl_x509name.c -->
      # The default object type template for name entries.
      #
      OBJECT_TYPE_TEMPLATE: template

      # <!-- rdoc-file=ext/openssl/ossl_x509name.c -->
      # A flag for #to_s.
      #
      # Returns a more readable format than RFC2253.
      #
      ONELINE: Integer

      # <!-- rdoc-file=ext/openssl/ossl_x509name.c -->
      # A flag for #to_s.
      #
      # Returns an RFC2253 format name.
      #
      RFC2253: Integer

      type format = Integer

      module RFC2253DN
        def self.expand_hexstring: (untyped str) -> untyped

        def self.expand_pair: (untyped str) -> untyped

        def self.expand_value: (untyped str1, untyped str2, untyped str3) -> untyped

        def self.scan: (untyped dn) -> untyped

        private

        # <!--
        #   rdoc-file=ext/openssl/lib/openssl/x509.rb
        #   - expand_hexstring(str)
        # -->
        #
        def expand_hexstring: (untyped str) -> untyped

        # <!--
        #   rdoc-file=ext/openssl/lib/openssl/x509.rb
        #   - expand_pair(str)
        # -->
        #
        def expand_pair: (untyped str) -> untyped

        # <!--
        #   rdoc-file=ext/openssl/lib/openssl/x509.rb
        #   - expand_value(str1, str2, str3)
        # -->
        #
        def expand_value: (untyped str1, untyped str2, untyped str3) -> untyped

        # <!--
        #   rdoc-file=ext/openssl/lib/openssl/x509.rb
        #   - scan(dn)
        # -->
        #
        def scan: (String dn) -> Array[distinguished_name]

        AttributeType: Regexp

        AttributeValue: Regexp

        HexChar: Regexp

        HexPair: Regexp

        HexString: Regexp

        Pair: Regexp

        QuoteChar: Regexp

        Special: String

        StringChar: Regexp

        TypeAndValue: Regexp
      end
    end

    class NameError < OpenSSL::OpenSSLError
    end

    class Request
      include OpenSSL::Marshal

      extend OpenSSL::Marshal::ClassMethods

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - ==(other)
      # -->
      #
      def ==: (untyped other) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - add_attribute(p1)
      # -->
      #
      def add_attribute: (Attribute attribute) -> Attribute

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - attributes()
      # -->
      #
      def attributes: () -> Array[Attribute]

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - attributes=(p1)
      # -->
      #
      def attributes=: (Array[Attribute] attributes) -> Array[Attribute]

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - public_key()
      # -->
      #
      def public_key: () -> PKey::PKey

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - public_key=(p1)
      # -->
      #
      def public_key=: (PKey::PKey public_key) -> PKey::PKey

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - sign(p1, p2)
      # -->
      #
      def sign: (PKey::PKey key, Digest | String digest) -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - signature_algorithm()
      # -->
      #
      def signature_algorithm: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - subject()
      # -->
      #
      def subject: () -> Name

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - subject=(p1)
      # -->
      #
      def subject=: (Name subject) -> Name

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - to_der()
      # -->
      #
      def to_der: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - to_pem()
      # -->
      #
      def to_pem: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - to_s()
      # -->
      #
      alias to_s to_pem

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - to_text()
      # -->
      #
      def to_text: () -> String

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - verify(p1)
      # -->
      # Checks that cert signature is made with PRIVversion of this PUBLIC 'key'
      #
      def verify: (PKey::PKey key) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - version()
      # -->
      #
      def version: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - version=(p1)
      # -->
      #
      def version=: (Integer version) -> Integer

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - new(p1 = v1)
      # -->
      #
      def initialize: (?String der) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509req.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void
    end

    class RequestError < OpenSSL::OpenSSLError
    end

    class Revoked
      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - ==(other)
      # -->
      #
      def ==: (untyped other) -> bool

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509revoked.c
      #   - add_extension(p1)
      # -->
      #
      def add_extension: (Extension ext) -> Extension

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509revoked.c
      #   - extensions()
      # -->
      # Gets X509v3 extensions as array of X509Ext objects
      #
      def extensions: () -> Array[Extension]

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509revoked.c
      #   - extensions=(p1)
      # -->
      # Sets X509_EXTENSIONs
      #
      def extensions=: (Array[Extension] extensions) -> Array[Extension]

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509revoked.c
      #   - serial()
      # -->
      #
      def serial: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509revoked.c
      #   - serial=(p1)
      # -->
      #
      def serial=: (Integer integer) -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509revoked.c
      #   - time()
      # -->
      #
      def time: () -> Time?

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509revoked.c
      #   - time=(p1)
      # -->
      #
      def time=: (Time time) -> Time

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509revoked.c
      #   - to_der()
      # -->
      #
      def to_der: () -> String

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509revoked.c
      #   - new(*args)
      # -->
      #
      def initialize: (*untyped) -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509revoked.c
      #   - initialize_copy(p1)
      # -->
      #
      def initialize_copy: (instance) -> void
    end

    class RevokedError < OpenSSL::OpenSSLError
    end

    # <!-- rdoc-file=ext/openssl/ossl_x509store.c -->
    # The X509 certificate store holds trusted CA certificates used to verify peer
    # certificates.
    #
    # The easiest way to create a useful certificate store is:
    #
    #     cert_store = OpenSSL::X509::Store.new
    #     cert_store.set_default_paths
    #
    # This will use your system's built-in certificates.
    #
    # If your system does not have a default set of certificates you can obtain a
    # set extracted from Mozilla CA certificate store by cURL maintainers here:
    # https://curl.haxx.se/docs/caextract.html (You may wish to use the
    # firefox-db2pem.sh script to extract the certificates from a local install to
    # avoid man-in-the-middle attacks.)
    #
    # After downloading or generating a cacert.pem from the above link you can
    # create a certificate store from the pem file like this:
    #
    #     cert_store = OpenSSL::X509::Store.new
    #     cert_store.add_file 'cacert.pem'
    #
    # The certificate store can be used with an SSLSocket like this:
    #
    #     ssl_context = OpenSSL::SSL::SSLContext.new
    #     ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
    #     ssl_context.cert_store = cert_store
    #
    #     tcp_socket = TCPSocket.open 'example.com', 443
    #
    #     ssl_socket = OpenSSL::SSL::SSLSocket.new tcp_socket, ssl_context
    #
    class Store
      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - store.add_cert(cert) -> self
      # -->
      # Adds the OpenSSL::X509::Certificate *cert* to the certificate store.
      #
      # See also the man page X509_STORE_add_cert(3).
      #
      def add_cert: (Certificate certificate) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - store.add_crl(crl) -> self
      # -->
      # Adds the OpenSSL::X509::CRL *crl* to the store.
      #
      # See also the man page X509_STORE_add_crl(3).
      #
      def add_crl: (CRL crl) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - store.add_file(file) -> self
      # -->
      # Adds the certificates in *file* to the certificate store. *file* is the path
      # to the file, and the file contains one or more certificates in PEM format
      # concatenated together.
      #
      # See also the man page X509_LOOKUP_file(3).
      #
      def add_file: (String file) -> self

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - store.add_path(path) -> self
      # -->
      # Adds *path* as the hash dir to be looked up by the store.
      #
      # See also the man page X509_LOOKUP_hash_dir(3).
      #
      def add_path: (String path) -> self

      # <!-- rdoc-file=ext/openssl/ossl_x509store.c -->
      # The certificate chain constructed by the last call of #verify.
      #
      # See also StoreContext#chain.
      #
      def chain: () -> Array[Certificate]?

      # <!-- rdoc-file=ext/openssl/ossl_x509store.c -->
      # The error code set by the last call of #verify.
      #
      # See also StoreContext#error.
      #
      def error: () -> Integer?

      # <!-- rdoc-file=ext/openssl/ossl_x509store.c -->
      # The description for the error code set by the last call of #verify.
      #
      # See also StoreContext#error_string.
      #
      def error_string: () -> String?

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - store.flags = flags
      # -->
      # Sets the default flags used by certificate chain verification performed with
      # the Store.
      #
      # *flags* consists of zero or more of the constants defined in OpenSSL::X509
      # with name V_FLAG_* or'ed together.
      #
      # OpenSSL::X509::StoreContext#flags= can be used to change the flags for a
      # single verification operation.
      #
      # See also the man page X509_VERIFY_PARAM_set_flags(3).
      #
      def flags=: (Integer flags) -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - store.purpose = purpose
      # -->
      # Sets the store's default verification purpose. If specified, the verifications
      # on the store will check every certificate's extensions are consistent with the
      # purpose. The purpose is specified by constants:
      #
      # *   X509::PURPOSE_SSL_CLIENT
      # *   X509::PURPOSE_SSL_SERVER
      # *   X509::PURPOSE_NS_SSL_SERVER
      # *   X509::PURPOSE_SMIME_SIGN
      # *   X509::PURPOSE_SMIME_ENCRYPT
      # *   X509::PURPOSE_CRL_SIGN
      # *   X509::PURPOSE_ANY
      # *   X509::PURPOSE_OCSP_HELPER
      # *   X509::PURPOSE_TIMESTAMP_SIGN
      #
      #
      # OpenSSL::X509::StoreContext#purpose= can be used to change the value for a
      # single verification operation.
      #
      # See also the man page X509_VERIFY_PARAM_set_purpose(3).
      #
      def purpose=: (Integer purpose) -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - store.set_default_paths
      # -->
      # Configures *store* to look up CA certificates from the system default
      # certificate store as needed basis. The location of the store can usually be
      # determined by:
      #
      # *   OpenSSL::X509::DEFAULT_CERT_FILE
      # *   OpenSSL::X509::DEFAULT_CERT_DIR
      #
      #
      # See also the man page X509_STORE_set_default_paths(3).
      #
      def set_default_paths: () -> nil

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - store.time = time
      # -->
      # Sets the time to be used in the certificate verifications with the store. By
      # default, if not specified, the current system time is used.
      #
      # OpenSSL::X509::StoreContext#time= can be used to change the value for a single
      # verification operation.
      #
      # See also the man page X509_VERIFY_PARAM_set_time(3).
      #
      def time=: (Time time) -> Time

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - store.trust = trust
      # -->
      # Sets the default trust settings used by the certificate verification with the
      # store.
      #
      # OpenSSL::X509::StoreContext#trust= can be used to change the value for a
      # single verification operation.
      #
      # See also the man page X509_VERIFY_PARAM_set_trust(3).
      #
      def trust=: (Integer trust) -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - store.verify(cert, chain = nil) -> true | false
      # -->
      # Performs a certificate verification on the OpenSSL::X509::Certificate *cert*.
      #
      # *chain* can be an array of OpenSSL::X509::Certificate that is used to
      # construct the certificate chain.
      #
      # If a block is given, it overrides the callback set by #verify_callback=.
      #
      # After finishing the verification, the error information can be retrieved by
      # #error, #error_string, and the resulting complete certificate chain can be
      # retrieved by #chain.
      #
      def verify: (Certificate certificate, ?Array[Certificate] chain) ?{ (bool preverify_ok, StoreContext store_ctx) -> boolish } -> boolish

      # <!-- rdoc-file=ext/openssl/ossl_x509store.c -->
      # The callback for additional certificate verification. It is invoked for each
      # certificate in the chain and can be used to implement custom certificate
      # verification conditions.
      #
      # The callback is invoked with two values, a boolean that indicates if the
      # pre-verification by OpenSSL has succeeded or not, and the StoreContext in use.
      #
      # The callback can use StoreContext#error= to change the error code as needed.
      # The callback must return either true or false.
      #
      # NOTE: any exception raised within the callback will be ignored.
      #
      # See also the man page X509_STORE_CTX_set_verify_cb(3).
      #
      def verify_callback: () -> (^(bool preverify_ok, StoreContext store_ctx) -> boolish | nil)

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - verify_callback=(p1)
      # -->
      # General callback for OpenSSL verify
      #
      def verify_callback=: [U] (^(bool preverify_ok, StoreContext store_ctx) -> boolish) -> U

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - X509::Store.new => store
      # -->
      # Creates a new X509::Store.
      #
      def initialize: () -> void
    end

    # <!-- rdoc-file=ext/openssl/ossl_x509store.c -->
    # A StoreContext is used while validating a single certificate and holds the
    # status involved.
    #
    class StoreContext
      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - stctx.chain -> nil | Array of X509::Certificate
      # -->
      # Returns the verified chain.
      #
      # See also the man page X509_STORE_CTX_set0_verified_chain(3).
      #
      def chain: () -> Array[Certificate]?

      # <!--
      #   rdoc-file=ext/openssl/lib/openssl/x509.rb
      #   - cleanup()
      # -->
      #
      def cleanup: () -> void

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - stctx.current_cert -> X509::Certificate
      # -->
      # Returns the certificate which caused the error.
      #
      # See also the man page X509_STORE_CTX_get_current_cert(3).
      #
      def current_cert: () -> Certificate

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - stctx.current_crl -> X509::CRL
      # -->
      # Returns the CRL which caused the error.
      #
      # See also the man page X509_STORE_CTX_get_current_crl(3).
      #
      def current_crl: () -> CRL

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - stctx.error -> Integer
      # -->
      # Returns the error code of *stctx*. This is typically called after #verify is
      # done, or from the verification callback set to
      # OpenSSL::X509::Store#verify_callback=.
      #
      # See also the man page X509_STORE_CTX_get_error(3).
      #
      def error: () -> Integer?

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - stctx.error = error_code
      # -->
      # Sets the error code of *stctx*. This is used by the verification callback set
      # to OpenSSL::X509::Store#verify_callback=.
      #
      # See also the man page X509_STORE_CTX_set_error(3).
      #
      def error=: (Integer error) -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - stctx.error_depth -> Integer
      # -->
      # Returns the depth of the chain. This is used in combination with #error.
      #
      # See also the man page X509_STORE_CTX_get_error_depth(3).
      #
      def error_depth: () -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - stctx.error_string -> String
      # -->
      # Returns the human readable error string corresponding to the error code
      # retrieved by #error.
      #
      # See also the man page X509_verify_cert_error_string(3).
      #
      def error_string: () -> String?

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - stctx.flags = flags
      # -->
      # Sets the verification flags to the context. This overrides the default value
      # set by Store#flags=.
      #
      # See also the man page X509_VERIFY_PARAM_set_flags(3).
      #
      def flags=: (Integer flags) -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - stctx.purpose = purpose
      # -->
      # Sets the purpose of the context. This overrides the default value set by
      # Store#purpose=.
      #
      # See also the man page X509_VERIFY_PARAM_set_purpose(3).
      #
      def purpose=: (Integer purpose) -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - stctx.time = time
      # -->
      # Sets the time used in the verification. If not set, the current time is used.
      #
      # See also the man page X509_VERIFY_PARAM_set_time(3).
      #
      def time=: (Time time) -> Time

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - stctx.trust = trust
      # -->
      # Sets the trust settings of the context. This overrides the default value set
      # by Store#trust=.
      #
      # See also the man page X509_VERIFY_PARAM_set_trust(3).
      #
      def trust=: (Integer trust) -> Integer

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - stctx.verify -> true | false
      # -->
      # Performs the certificate verification using the parameters set to *stctx*.
      #
      # See also the man page X509_verify_cert(3).
      #
      def verify: () -> bool

      private

      # <!--
      #   rdoc-file=ext/openssl/ossl_x509store.c
      #   - StoreContext.new(store, cert = nil, untrusted = nil)
      # -->
      # Sets up a StoreContext for a verification of the X.509 certificate *cert*.
      #
      def initialize: (Store store, ?Certificate cert, ?Array[Certificate] chain) -> void
    end

    class StoreError < OpenSSL::OpenSSLError
    end
  end
end