@protontech/openpgp 5.10.2 → 5.11.1-0

package/dist/openpgp.js

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v5.10.2 - 2023-09-18 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v5.11.1-0 - 2024-02-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 var openpgp = (function (exports) {
   'use strict';
 
@@ -244,18 +244,17 @@ var openpgp = (function (exports) {
               this.push(null);
               break;
             }
-            if (!this.push(value) || this._cancelling) {
-              this._reading = false;
+            if (!this.push(value)) {
               break;
             }
           }
-        } catch(e) {
-          this.emit('error', e);
+        } catch (e) {
+          this.destroy(e);
         }
       }
 
-      _destroy(reason) {
-        this._reader.cancel(reason);
+      async _destroy(error, callback) {
+        this._reader.cancel(error).then(callback, callback);
       }
     }
 
@@ -290,7 +289,7 @@ var openpgp = (function (exports) {
       const reader = input.getReader();
       this._read = reader.read.bind(reader);
       this._releaseLock = () => {};
-      this._cancel = () => {};
+      this._cancel = async () => {};
       return;
     }
     let streamType = isStream(input);
@@ -1555,17 +1554,21 @@ var openpgp = (function (exports) {
       '2b8104000a':   'secp256k1',
       '2B8104000A':   'secp256k1',
 
-      /** Ed25519 */
+      /** Ed25519 - deprecated by crypto-refresh (replaced by standaone Ed25519 algo) */
+      'ed25519Legacy':          'ed25519',
       'ED25519':                'ed25519',
+      /** @deprecated use `ed25519Legacy` instead */
       'ed25519':                'ed25519',
       'Ed25519':                'ed25519',
       '1.3.6.1.4.1.11591.15.1': 'ed25519',
       '2b06010401da470f01':     'ed25519',
       '2B06010401DA470F01':     'ed25519',
 
-      /** Curve25519 */
+      /** Curve25519 - deprecated by crypto-refresh (replaced by standaone X25519 algo) */
+      'curve25519Legacy':       'curve25519',
       'X25519':                 'curve25519',
       'cv25519':                'curve25519',
+      /** @deprecated use `curve25519Legacy` instead */
       'curve25519':             'curve25519',
       'Curve25519':             'curve25519',
       '1.3.6.1.4.1.3029.1.5.1': 'curve25519',
@@ -1636,8 +1639,11 @@ var openpgp = (function (exports) {
       ecdsa: 19,
       /** EdDSA (Sign only) - deprecated by crypto-refresh (replaced by `ed25519` identifier below)
        * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */
-      ed25519Legacy: 22, // NB: this is declared before `eddsa` to translate 22 to 'eddsa' for backwards compatibility
-      eddsa: 22, // to be deprecated in v6
+      eddsaLegacy: 22, // NB: this is declared before `eddsa` to translate 22 to 'eddsa' for backwards compatibility
+      /** @deprecated use `eddsaLegacy` instead */
+      ed25519Legacy: 22,
+      /** @deprecated use `eddsaLegacy` instead */
+      eddsa: 22,
       /** Reserved for AEDH */
       aedh: 23,
       /** Reserved for AEDSA */
@@ -2947,7 +2953,7 @@ var openpgp = (function (exports) {
      * @memberof module:config
      * @property {String} versionString A version string to be included in armored messages
      */
-    versionString: 'OpenPGP.js 5.10.2',
+    versionString: 'OpenPGP.js 5.11.1-0',
     /**
      * @memberof module:config
      * @property {String} commentString A comment string to be included in armored messages
@@ -2998,7 +3004,14 @@ var openpgp = (function (exports) {
      * @memberof module:config
      * @property {Set<String>} rejectCurves {@link module:enums.curve}
      */
-    rejectCurves: new Set([enums.curve.secp256k1])
+    rejectCurves: new Set([enums.curve.secp256k1]),
+    /**
+     * Whether to validate generated EdDSA signatures before returning them, to ensure they are not faulty signatures.
+     * This check will make signing 2-3 times slower.
+     * Faulty signatures may be generated (in principle) if random bitflips occur at specific points in the signature
+     * computation, and could be used to recover the signer's secret key given a second signature over the same data.
+     */
+    checkEdDSAFaultySignatures: true
   };
 
   /**
@@ -10974,42 +10987,42 @@ var openpgp = (function (exports) {
       throw new Error('GCM mode supports only AES cipher');
     }
 
-    if (util.getWebCrypto() && key.length !== 24) { // WebCrypto (no 192 bit support) see: https://www.chromium.org/blink/webcrypto#TOC-AES-support
-      const _key = await webCrypto$4.importKey('raw', key, { name: ALGO }, false, ['encrypt', 'decrypt']);
-
+    if (util.getNodeCrypto()) { // Node crypto library
       return {
         encrypt: async function(pt, iv, adata = new Uint8Array()) {
-          if (!pt.length) { // iOS does not support GCM-en/decrypting empty messages
-            return AES_GCM.encrypt(pt, key, iv, adata);
-          }
-          const ct = await webCrypto$4.encrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, pt);
+          const en = new nodeCrypto$4.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
+          en.setAAD(adata);
+          const ct = Buffer$2.concat([en.update(pt), en.final(), en.getAuthTag()]); // append auth tag to ciphertext
           return new Uint8Array(ct);
         },
 
         decrypt: async function(ct, iv, adata = new Uint8Array()) {
-          if (ct.length === tagLength$2) { // iOS does not support GCM-en/decrypting empty messages
-            return AES_GCM.decrypt(ct, key, iv, adata);
-          }
-          const pt = await webCrypto$4.decrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, ct);
+          const de = new nodeCrypto$4.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
+          de.setAAD(adata);
+          de.setAuthTag(ct.slice(ct.length - tagLength$2, ct.length)); // read auth tag at end of ciphertext
+          const pt = Buffer$2.concat([de.update(ct.slice(0, ct.length - tagLength$2)), de.final()]);
           return new Uint8Array(pt);
         }
       };
     }
 
-    if (util.getNodeCrypto()) { // Node crypto library
+    if (util.getWebCrypto() && key.length !== 24) { // WebCrypto (no 192 bit support) see: https://www.chromium.org/blink/webcrypto#TOC-AES-support
+      const _key = await webCrypto$4.importKey('raw', key, { name: ALGO }, false, ['encrypt', 'decrypt']);
+
       return {
         encrypt: async function(pt, iv, adata = new Uint8Array()) {
-          const en = new nodeCrypto$4.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
-          en.setAAD(adata);
-          const ct = Buffer$2.concat([en.update(pt), en.final(), en.getAuthTag()]); // append auth tag to ciphertext
+          if (!pt.length) { // iOS does not support GCM-en/decrypting empty messages
+            return AES_GCM.encrypt(pt, key, iv, adata);
+          }
+          const ct = await webCrypto$4.encrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, pt);
           return new Uint8Array(ct);
         },
 
         decrypt: async function(ct, iv, adata = new Uint8Array()) {
-          const de = new nodeCrypto$4.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
-          de.setAAD(adata);
-          de.setAuthTag(ct.slice(ct.length - tagLength$2, ct.length)); // read auth tag at end of ciphertext
-          const pt = Buffer$2.concat([de.update(ct.slice(0, ct.length - tagLength$2)), de.final()]);
+          if (ct.length === tagLength$2) { // iOS does not support GCM-en/decrypting empty messages
+            return AES_GCM.decrypt(ct, key, iv, adata);
+          }
+          const pt = await webCrypto$4.decrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, ct);
           return new Uint8Array(pt);
         }
       };
@@ -12012,11 +12025,11 @@ var openpgp = (function (exports) {
    */
   function getRandomBytes(length) {
     const buf = new Uint8Array(length);
-    if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
-      crypto.getRandomValues(buf);
-    } else if (nodeCrypto$5) {
+    if (nodeCrypto$5) {
       const bytes = nodeCrypto$5.randomBytes(buf.length);
       buf.set(bytes);
+    } else if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+      crypto.getRandomValues(buf);
     } else {
       throw new Error('No secure random number generator available.');
     }
@@ -13578,7 +13591,7 @@ var openpgp = (function (exports) {
     },
     ed25519: {
       oid: [0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01],
-      keyType: enums.publicKey.eddsa,
+      keyType: enums.publicKey.eddsaLegacy,
       hash: enums.hash.sha512,
       node: false, // nodeCurves.ed25519 TODO
       payloadSize: 32
@@ -14183,10 +14196,24 @@ var openpgp = (function (exports) {
   async function sign$2(oid, hashAlgo, message, publicKey, privateKey, hashed) {
     if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
       // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
-      throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.');
+      throw new Error('Hash algorithm too weak for EdDSA.');
     }
     const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]);
     const signature = naclFastLight.sign.detached(hashed, secretKey);
+    if (config.checkEdDSAFaultySignatures && !naclFastLight.sign.detached.verify(hashed, signature, publicKey.subarray(1))) {
+      /**
+       * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
+       * if two signatures over the same message are obtained.
+       * See https://github.com/jedisct1/libsodium/issues/170.
+       * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
+       * then the generated signature is always safe, and the verification step is skipped.
+       * Otherwise, we need to verify the generated to ensure that no bitflip occured:
+       * - in M between the computation of `r` and `h`.
+       * - in the public key before computing `h`
+       * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
+       */
+      throw new Error('Transient signing failure');
+    }
     // EdDSA signature params are returned in little-endian format
     return {
       r: signature.subarray(0, 32),
@@ -14207,6 +14234,9 @@ var openpgp = (function (exports) {
    * @async
    */
   async function verify$2(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
+    if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
+      throw new Error('Hash algorithm too weak for EdDSA.');
+    }
     const signature = util.concatUint8Array([r, s]);
     return naclFastLight.sign.detached.verify(hashed, signature, publicKey.subarray(1));
   }
@@ -14276,14 +14306,27 @@ var openpgp = (function (exports) {
    * @async
    */
   async function sign$3(algo, hashAlgo, message, publicKey, privateKey, hashed) {
-    if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
-      // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
-      throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.');
+    if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$1(algo))) {
+      throw new Error('Hash algorithm too weak for EdDSA.');
     }
     switch (algo) {
       case enums.publicKey.ed25519: {
         const secretKey = util.concatUint8Array([privateKey, publicKey]);
         const signature = naclFastLight.sign.detached(hashed, secretKey);
+        if (config.checkEdDSAFaultySignatures && !naclFastLight.sign.detached.verify(hashed, signature, publicKey)) {
+          /**
+           * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
+           * if two signatures over the same message are obtained.
+           * See https://github.com/jedisct1/libsodium/issues/170.
+           * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
+           * then the generated signature is always safe, and the verification step is skipped.
+           * Otherwise, we need to verify the generated to ensure that no bitflip occured:
+           * - in M between the computation of `r` and `h`.
+           * - in the public key before computing `h`
+           * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
+           */
+          throw new Error('Transient signing failure');
+        }
         return { RS: signature };
       }
       case enums.publicKey.ed448:
@@ -14305,6 +14348,9 @@ var openpgp = (function (exports) {
    * @async
    */
   async function verify$3(algo, hashAlgo, { RS }, m, publicKey, hashed) {
+    if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$1(algo))) {
+      throw new Error('Hash algorithm too weak for EdDSA.');
+    }
     switch (algo) {
       case enums.publicKey.ed25519: {
         return naclFastLight.sign.detached.verify(hashed, RS, publicKey);
@@ -14340,12 +14386,22 @@ var openpgp = (function (exports) {
     }
   }
 
+  function getPreferredHashAlgo$1(algo) {
+    switch (algo) {
+      case enums.publicKey.ed25519:
+        return enums.hash.sha256;
+      default:
+        throw new Error('Unknown EdDSA algo');
+    }
+  }
+
   var eddsa = /*#__PURE__*/Object.freeze({
     __proto__: null,
     generate: generate$2,
     sign: sign$3,
     verify: verify$3,
-    validateParams: validateParams$4
+    validateParams: validateParams$4,
+    getPreferredHashAlgo: getPreferredHashAlgo$1
   });
 
   // OpenPGP.js - An OpenPGP implementation in javascript
@@ -14959,8 +15015,6 @@ var openpgp = (function (exports) {
       case enums.publicKey.x25519: {
         // k stays in little-endian, unlike legacy ECDH over curve25519
         const k = getRandomBytes(32);
-        k[0] &= 248;
-        k[31] = (k[31] & 127) | 64;
         const { publicKey: A } = naclFastLight.box.keyPair.fromSecretKey(k);
         return { A, k };
       }
@@ -15395,8 +15449,7 @@ var openpgp = (function (exports) {
       // Algorithm-Specific Fields for legacy EdDSA signatures:
       // -  MPI of an EC point r.
       // -  EdDSA value s, in MPI, in the little endian representation
-      case enums.publicKey.eddsa:
-      case enums.publicKey.ed25519Legacy: {
+      case enums.publicKey.eddsaLegacy: {
         // When parsing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
         // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9
         let r = util.readMPI(signature.subarray(read)); read += r.length + 2;
@@ -15457,8 +15510,7 @@ var openpgp = (function (exports) {
         const s = util.leftPad(signature.s, curveSize);
         return publicKey.elliptic.ecdsa.verify(oid, hashAlgo, { r, s }, data, Q, hashed);
       }
-      case enums.publicKey.eddsa:
-      case enums.publicKey.ed25519Legacy: {
+      case enums.publicKey.eddsaLegacy: {
         const { oid, Q } = publicParams;
         // signature already padded on parsing
         return publicKey.elliptic.eddsaLegacy.verify(oid, hashAlgo, signature, data, Q, hashed);
@@ -15521,8 +15573,7 @@ var openpgp = (function (exports) {
         const { d } = privateKeyParams;
         return publicKey.elliptic.ecdsa.sign(oid, hashAlgo, data, Q, d, hashed);
       }
-      case enums.publicKey.eddsa:
-      case enums.publicKey.ed25519Legacy: {
+      case enums.publicKey.eddsaLegacy: {
         const { oid, Q } = publicKeyParams;
         const { seed } = privateKeyParams;
         return publicKey.elliptic.eddsaLegacy.sign(oid, hashAlgo, data, Q, seed, hashed);
@@ -15913,8 +15964,7 @@ var openpgp = (function (exports) {
         const Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
         return { read: read, publicParams: { oid, Q } };
       }
-      case enums.publicKey.eddsa:
-      case enums.publicKey.ed25519Legacy: {
+      case enums.publicKey.eddsaLegacy: {
         const oid = new OID(); read += oid.read(bytes);
         checkSupportedCurve(oid);
         let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
@@ -15976,8 +16026,7 @@ var openpgp = (function (exports) {
         d = util.leftPad(d, curve.payloadSize);
         return { read, privateParams: { d } };
       }
-      case enums.publicKey.eddsa:
-      case enums.publicKey.ed25519Legacy: {
+      case enums.publicKey.eddsaLegacy: {
         const curve = new CurveWithOID(publicParams.oid);
         let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;
         seed = util.leftPad(seed, curve.payloadSize);
@@ -16112,8 +16161,7 @@ var openpgp = (function (exports) {
           privateParams: { d: secret },
           publicParams: { oid: new OID(oid), Q }
         }));
-      case enums.publicKey.eddsa:
-      case enums.publicKey.ed25519Legacy:
+      case enums.publicKey.eddsaLegacy:
         return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({
           privateParams: { seed: secret },
           publicParams: { oid: new OID(oid), Q }
@@ -16207,8 +16255,7 @@ var openpgp = (function (exports) {
         const { d } = privateParams;
         return algoModule.validateParams(oid, Q, d);
       }
-      case enums.publicKey.eddsa:
-      case enums.publicKey.ed25519Legacy: {
+      case enums.publicKey.eddsaLegacy: {
         const { Q, oid } = publicParams;
         const { seed } = privateParams;
         return publicKey.elliptic.eddsaLegacy.validateParams(oid, Q, seed);
@@ -16291,6 +16338,23 @@ var openpgp = (function (exports) {
     }
   }
 
+  /**
+   * Get preferred hash algo for a given elliptic algo
+   * @param {module:enums.publicKey} algo - alrogithm identifier
+   * @param {module:type/oid} [oid] - curve OID if needed by algo
+   */
+  function getPreferredCurveHashAlgo(algo, oid) {
+    switch (algo) {
+      case enums.publicKey.ecdsa:
+      case enums.publicKey.eddsaLegacy:
+        return publicKey.elliptic.getPreferredHashAlgo(oid);
+      case enums.publicKey.ed25519:
+        return publicKey.elliptic.eddsa.getPreferredHashAlgo(algo);
+      default:
+        throw new Error('Unknown elliptic signing algo');
+    }
+  }
+
   var crypto$1 = /*#__PURE__*/Object.freeze({
     __proto__: null,
     publicKeyEncrypt: publicKeyEncrypt,
@@ -16304,7 +16368,8 @@ var openpgp = (function (exports) {
     getPrefixRandom: getPrefixRandom,
     generateSessionKey: generateSessionKey,
     getAEADMode: getAEADMode,
-    getCipher: getCipher
+    getCipher: getCipher,
+    getPreferredCurveHashAlgo: getPreferredCurveHashAlgo
   });
 
   /**
@@ -28062,25 +28127,22 @@ var openpgp = (function (exports) {
     const dataToSign = {};
     dataToSign.key = primaryKey;
     dataToSign.bind = subkey;
-    const subkeySignaturePacket = new SignaturePacket();
-    subkeySignaturePacket.signatureType = enums.signature.subkeyBinding;
-    subkeySignaturePacket.publicKeyAlgorithm = primaryKey.algorithm;
-    subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(null, subkey, undefined, undefined, config);
+    const signatureProperties = { signatureType: enums.signature.subkeyBinding };
     if (options.sign) {
-      subkeySignaturePacket.keyFlags = [enums.keyFlags.signData];
-      subkeySignaturePacket.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
+      signatureProperties.keyFlags = [enums.keyFlags.signData];
+      signatureProperties.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
         signatureType: enums.signature.keyBinding
       }, options.date, undefined, undefined, undefined, config);
     } else {
-      subkeySignaturePacket.keyFlags = options.forwarding ?
+      signatureProperties.keyFlags = options.forwarding ?
         [enums.keyFlags.forwardedCommunication] :
         [enums.keyFlags.encryptCommunication | enums.keyFlags.encryptStorage];
     }
     if (options.keyExpirationTime > 0) {
-      subkeySignaturePacket.keyExpirationTime = options.keyExpirationTime;
-      subkeySignaturePacket.keyNeverExpires = false;
+      signatureProperties.keyExpirationTime = options.keyExpirationTime;
+      signatureProperties.keyNeverExpires = false;
     }
-    await subkeySignaturePacket.sign(primaryKey, dataToSign, options.date);
+    const subkeySignaturePacket = await createSignaturePacket(dataToSign, null, primaryKey, signatureProperties, options.date, undefined, undefined, undefined, config);
     return subkeySignaturePacket;
   }
 
@@ -28094,7 +28156,7 @@ var openpgp = (function (exports) {
    * @returns {Promise<enums.hash>}
    * @async
    */
-  async function getPreferredHashAlgo$1(key, keyPacket, date = new Date(), userID = {}, config) {
+  async function getPreferredHashAlgo$2(key, keyPacket, date = new Date(), userID = {}, config) {
     let hashAlgo = config.preferredHashAlgorithm;
     let prefAlgo = hashAlgo;
     if (key) {
@@ -28105,17 +28167,11 @@ var openpgp = (function (exports) {
           prefAlgo : hashAlgo;
       }
     }
-    switch (Object.getPrototypeOf(keyPacket)) {
-      case SecretKeyPacket.prototype:
-      case PublicKeyPacket.prototype:
-      case SecretSubkeyPacket.prototype:
-      case PublicSubkeyPacket.prototype:
-        switch (keyPacket.algorithm) {
-          case enums.publicKey.ecdh:
-          case enums.publicKey.ecdsa:
-          case enums.publicKey.eddsa:
-            prefAlgo = mod.publicKey.elliptic.getPreferredHashAlgo(keyPacket.publicParams.oid);
-        }
+    switch (keyPacket.algorithm) {
+      case enums.publicKey.ecdsa:
+      case enums.publicKey.eddsaLegacy:
+      case enums.publicKey.ed25519:
+        prefAlgo = mod.getPreferredCurveHashAlgo(keyPacket.algorithm, keyPacket.publicParams.oid);
     }
     return mod.hash.getHashByteLength(hashAlgo) <= mod.hash.getHashByteLength(prefAlgo) ?
       prefAlgo : hashAlgo;
@@ -28183,7 +28239,7 @@ var openpgp = (function (exports) {
     const signaturePacket = new SignaturePacket();
     Object.assign(signaturePacket, signatureProperties);
     signaturePacket.publicKeyAlgorithm = signingKeyPacket.algorithm;
-    signaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(privateKey, signingKeyPacket, date, userID, config);
+    signaturePacket.hashAlgorithm = await getPreferredHashAlgo$2(privateKey, signingKeyPacket, date, userID, config);
     signaturePacket.rawNotations = notations;
     await signaturePacket.sign(signingKeyPacket, dataToSign, date, detached);
     return signaturePacket;
@@ -28324,11 +28380,11 @@ var openpgp = (function (exports) {
         } catch (e) {
           throw new Error('Unknown curve');
         }
-        if (options.curve === enums.curve.ed25519 || options.curve === enums.curve.curve25519) {
-          options.curve = options.sign ? enums.curve.ed25519 : enums.curve.curve25519;
+        if (options.curve === enums.curve.ed25519Legacy || options.curve === enums.curve.curve25519Legacy) {
+          options.curve = options.sign ? enums.curve.ed25519Legacy : enums.curve.curve25519Legacy;
         }
         if (options.sign) {
-          options.algorithm = options.curve === enums.curve.ed25519 ? enums.publicKey.eddsa : enums.publicKey.ecdsa;
+          options.algorithm = options.curve === enums.curve.ed25519Legacy ? enums.publicKey.eddsaLegacy : enums.publicKey.ecdsa;
         } else {
           options.algorithm = enums.publicKey.ecdh;
         }
@@ -28366,7 +28422,7 @@ var openpgp = (function (exports) {
     return keyAlgo !== enums.publicKey.dsa &&
       keyAlgo !== enums.publicKey.rsaSign &&
       keyAlgo !== enums.publicKey.ecdsa &&
-      keyAlgo !== enums.publicKey.eddsa &&
+      keyAlgo !== enums.publicKey.eddsaLegacy &&
       keyAlgo !== enums.publicKey.ed25519 &&
       (!signature.keyFlags ||
         (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||
@@ -28412,7 +28468,7 @@ var openpgp = (function (exports) {
         }
         break;
       case enums.publicKey.ecdsa:
-      case enums.publicKey.eddsa:
+      case enums.publicKey.eddsaLegacy:
       case enums.publicKey.ecdh:
         if (config.rejectCurves.has(algoInfo.curve)) {
           throw new Error(`Support for ${algoInfo.algorithm} keys using curve ${algoInfo.curve} is disabled.`);
@@ -30039,50 +30095,50 @@ var openpgp = (function (exports) {
       const dataToSign = {};
       dataToSign.userID = userIDPacket;
       dataToSign.key = secretKeyPacket;
-      const signaturePacket = new SignaturePacket();
-      signaturePacket.signatureType = enums.signature.certGeneric;
-      signaturePacket.publicKeyAlgorithm = secretKeyPacket.algorithm;
-      signaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(null, secretKeyPacket, undefined, undefined, config);
-      signaturePacket.keyFlags = [enums.keyFlags.certifyKeys | enums.keyFlags.signData];
-      signaturePacket.preferredSymmetricAlgorithms = createPreferredAlgos([
+
+      const signatureProperties = {};
+      signatureProperties.signatureType = enums.signature.certGeneric;
+      signatureProperties.keyFlags = [enums.keyFlags.certifyKeys | enums.keyFlags.signData];
+      signatureProperties.preferredSymmetricAlgorithms = createPreferredAlgos([
         // prefer aes256, aes128, then aes192 (no WebCrypto support: https://www.chromium.org/blink/webcrypto#TOC-AES-support)
         enums.symmetric.aes256,
         enums.symmetric.aes128,
         enums.symmetric.aes192
       ], config.preferredSymmetricAlgorithm);
       if (config.aeadProtect) {
-        signaturePacket.preferredAEADAlgorithms = createPreferredAlgos([
+        signatureProperties.preferredAEADAlgorithms = createPreferredAlgos([
           enums.aead.eax,
           enums.aead.ocb
         ], config.preferredAEADAlgorithm);
       }
-      signaturePacket.preferredHashAlgorithms = createPreferredAlgos([
+      signatureProperties.preferredHashAlgorithms = createPreferredAlgos([
         // prefer fast asm.js implementations (SHA-256)
         enums.hash.sha256,
         enums.hash.sha512
       ], config.preferredHashAlgorithm);
-      signaturePacket.preferredCompressionAlgorithms = createPreferredAlgos([
+      signatureProperties.preferredCompressionAlgorithms = createPreferredAlgos([
         enums.compression.zlib,
         enums.compression.zip,
         enums.compression.uncompressed
       ], config.preferredCompressionAlgorithm);
       if (index === 0) {
-        signaturePacket.isPrimaryUserID = true;
+        signatureProperties.isPrimaryUserID = true;
       }
       // integrity protection always enabled
-      signaturePacket.features = [0];
-      signaturePacket.features[0] |= enums.features.modificationDetection;
+      signatureProperties.features = [0];
+      signatureProperties.features[0] |= enums.features.modificationDetection;
       if (config.aeadProtect) {
-        signaturePacket.features[0] |= enums.features.aead;
+        signatureProperties.features[0] |= enums.features.aead;
       }
       if (config.v5Keys) {
-        signaturePacket.features[0] |= enums.features.v5Keys;
+        signatureProperties.features[0] |= enums.features.v5Keys;
       }
       if (options.keyExpirationTime > 0) {
-        signaturePacket.keyExpirationTime = options.keyExpirationTime;
-        signaturePacket.keyNeverExpires = false;
+        signatureProperties.keyExpirationTime = options.keyExpirationTime;
+        signatureProperties.keyNeverExpires = false;
       }
-      await signaturePacket.sign(secretKeyPacket, dataToSign, options.date);
+
+      const signaturePacket = await createSignaturePacket(dataToSign, null, secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);
 
       return { userIDPacket, signaturePacket };
     })).then(list => {
@@ -30784,7 +30840,7 @@ var openpgp = (function (exports) {
         const signingKey = await primaryKey.getSigningKey(signingKeyID, date, userIDs, config$1);
         const onePassSig = new OnePassSignaturePacket();
         onePassSig.signatureType = signatureType;
-        onePassSig.hashAlgorithm = await getPreferredHashAlgo$1(primaryKey, signingKey.keyPacket, date, userIDs, config$1);
+        onePassSig.hashAlgorithm = await getPreferredHashAlgo$2(primaryKey, signingKey.keyPacket, date, userIDs, config$1);
         onePassSig.publicKeyAlgorithm = signingKey.keyPacket.algorithm;
         onePassSig.issuerKeyID = signingKey.getKeyID();
         if (i === signingKeys.length - 1) {
@@ -45303,6 +45359,8 @@ var openpgp = (function (exports) {
   });
 
   exports.AEADEncryptedDataPacket = AEADEncryptedDataPacket;
+  exports.Argon2OutOfMemoryError = Argon2OutOfMemoryError;
+  exports.Argon2S2K = Argon2S2K;
   exports.CleartextMessage = CleartextMessage;
   exports.CompressedDataPacket = CompressedDataPacket;
   exports.KDFParams = KDFParams;