@protontech/openpgp 5.10.2 → 5.11.1-0

package/dist/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v5.10.2 - 2023-09-18 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v5.11.1-0 - 2024-02-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 const doneWritingPromise = Symbol('doneWritingPromise');
@@ -241,18 +241,17 @@ if (NodeReadableStream$1) {
             this.push(null);
             break;
           }
-          if (!this.push(value) || this._cancelling) {
-            this._reading = false;
+          if (!this.push(value)) {
             break;
           }
         }
-      } catch(e) {
-        this.emit('error', e);
+      } catch (e) {
+        this.destroy(e);
       }
     }
 
-    _destroy(reason) {
-      this._reader.cancel(reason);
+    async _destroy(error, callback) {
+      this._reader.cancel(error).then(callback, callback);
     }
   }
 
@@ -287,7 +286,7 @@ function Reader(input) {
     const reader = input.getReader();
     this._read = reader.read.bind(reader);
     this._releaseLock = () => {};
-    this._cancel = () => {};
+    this._cancel = async () => {};
     return;
   }
   let streamType = isStream(input);
@@ -1552,17 +1551,21 @@ var enums = {
     '2b8104000a':   'secp256k1',
     '2B8104000A':   'secp256k1',
 
-    /** Ed25519 */
+    /** Ed25519 - deprecated by crypto-refresh (replaced by standaone Ed25519 algo) */
+    'ed25519Legacy':          'ed25519',
     'ED25519':                'ed25519',
+    /** @deprecated use `ed25519Legacy` instead */
     'ed25519':                'ed25519',
     'Ed25519':                'ed25519',
     '1.3.6.1.4.1.11591.15.1': 'ed25519',
     '2b06010401da470f01':     'ed25519',
     '2B06010401DA470F01':     'ed25519',
 
-    /** Curve25519 */
+    /** Curve25519 - deprecated by crypto-refresh (replaced by standaone X25519 algo) */
+    'curve25519Legacy':       'curve25519',
     'X25519':                 'curve25519',
     'cv25519':                'curve25519',
+    /** @deprecated use `curve25519Legacy` instead */
     'curve25519':             'curve25519',
     'Curve25519':             'curve25519',
     '1.3.6.1.4.1.3029.1.5.1': 'curve25519',
@@ -1633,8 +1636,11 @@ var enums = {
     ecdsa: 19,
     /** EdDSA (Sign only) - deprecated by crypto-refresh (replaced by `ed25519` identifier below)
      * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */
-    ed25519Legacy: 22, // NB: this is declared before `eddsa` to translate 22 to 'eddsa' for backwards compatibility
-    eddsa: 22, // to be deprecated in v6
+    eddsaLegacy: 22, // NB: this is declared before `eddsa` to translate 22 to 'eddsa' for backwards compatibility
+    /** @deprecated use `eddsaLegacy` instead */
+    ed25519Legacy: 22,
+    /** @deprecated use `eddsaLegacy` instead */
+    eddsa: 22,
     /** Reserved for AEDH */
     aedh: 23,
     /** Reserved for AEDSA */
@@ -2944,7 +2950,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 5.10.2',
+  versionString: 'OpenPGP.js 5.11.1-0',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -2995,7 +3001,14 @@ var config = {
    * @memberof module:config
    * @property {Set<String>} rejectCurves {@link module:enums.curve}
    */
-  rejectCurves: new Set([enums.curve.secp256k1])
+  rejectCurves: new Set([enums.curve.secp256k1]),
+  /**
+   * Whether to validate generated EdDSA signatures before returning them, to ensure they are not faulty signatures.
+   * This check will make signing 2-3 times slower.
+   * Faulty signatures may be generated (in principle) if random bitflips occur at specific points in the signature
+   * computation, and could be used to recover the signer's secret key given a second signature over the same data.
+   */
+  checkEdDSAFaultySignatures: true
 };
 
 /**
@@ -10971,42 +10984,42 @@ async function GCM(cipher, key) {
     throw new Error('GCM mode supports only AES cipher');
   }
 
-  if (util.getWebCrypto() && key.length !== 24) { // WebCrypto (no 192 bit support) see: https://www.chromium.org/blink/webcrypto#TOC-AES-support
-    const _key = await webCrypto$4.importKey('raw', key, { name: ALGO }, false, ['encrypt', 'decrypt']);
-
+  if (util.getNodeCrypto()) { // Node crypto library
     return {
       encrypt: async function(pt, iv, adata = new Uint8Array()) {
-        if (!pt.length) { // iOS does not support GCM-en/decrypting empty messages
-          return AES_GCM.encrypt(pt, key, iv, adata);
-        }
-        const ct = await webCrypto$4.encrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, pt);
+        const en = new nodeCrypto$4.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
+        en.setAAD(adata);
+        const ct = Buffer$2.concat([en.update(pt), en.final(), en.getAuthTag()]); // append auth tag to ciphertext
         return new Uint8Array(ct);
       },
 
       decrypt: async function(ct, iv, adata = new Uint8Array()) {
-        if (ct.length === tagLength$2) { // iOS does not support GCM-en/decrypting empty messages
-          return AES_GCM.decrypt(ct, key, iv, adata);
-        }
-        const pt = await webCrypto$4.decrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, ct);
+        const de = new nodeCrypto$4.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
+        de.setAAD(adata);
+        de.setAuthTag(ct.slice(ct.length - tagLength$2, ct.length)); // read auth tag at end of ciphertext
+        const pt = Buffer$2.concat([de.update(ct.slice(0, ct.length - tagLength$2)), de.final()]);
         return new Uint8Array(pt);
       }
     };
   }
 
-  if (util.getNodeCrypto()) { // Node crypto library
+  if (util.getWebCrypto() && key.length !== 24) { // WebCrypto (no 192 bit support) see: https://www.chromium.org/blink/webcrypto#TOC-AES-support
+    const _key = await webCrypto$4.importKey('raw', key, { name: ALGO }, false, ['encrypt', 'decrypt']);
+
     return {
       encrypt: async function(pt, iv, adata = new Uint8Array()) {
-        const en = new nodeCrypto$4.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
-        en.setAAD(adata);
-        const ct = Buffer$2.concat([en.update(pt), en.final(), en.getAuthTag()]); // append auth tag to ciphertext
+        if (!pt.length) { // iOS does not support GCM-en/decrypting empty messages
+          return AES_GCM.encrypt(pt, key, iv, adata);
+        }
+        const ct = await webCrypto$4.encrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, pt);
         return new Uint8Array(ct);
       },
 
       decrypt: async function(ct, iv, adata = new Uint8Array()) {
-        const de = new nodeCrypto$4.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
-        de.setAAD(adata);
-        de.setAuthTag(ct.slice(ct.length - tagLength$2, ct.length)); // read auth tag at end of ciphertext
-        const pt = Buffer$2.concat([de.update(ct.slice(0, ct.length - tagLength$2)), de.final()]);
+        if (ct.length === tagLength$2) { // iOS does not support GCM-en/decrypting empty messages
+          return AES_GCM.decrypt(ct, key, iv, adata);
+        }
+        const pt = await webCrypto$4.decrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, ct);
         return new Uint8Array(pt);
       }
     };
@@ -12009,11 +12022,11 @@ const nodeCrypto$5 = util.getNodeCrypto();
  */
 function getRandomBytes(length) {
   const buf = new Uint8Array(length);
-  if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
-    crypto.getRandomValues(buf);
-  } else if (nodeCrypto$5) {
+  if (nodeCrypto$5) {
     const bytes = nodeCrypto$5.randomBytes(buf.length);
     buf.set(bytes);
+  } else if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+    crypto.getRandomValues(buf);
   } else {
     throw new Error('No secure random number generator available.');
   }
@@ -13575,7 +13588,7 @@ const curves = {
   },
   ed25519: {
     oid: [0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01],
-    keyType: enums.publicKey.eddsa,
+    keyType: enums.publicKey.eddsaLegacy,
     hash: enums.hash.sha512,
     node: false, // nodeCurves.ed25519 TODO
     payloadSize: 32
@@ -14180,10 +14193,24 @@ naclFastLight.hash = bytes => new Uint8Array(_512().update(bytes).digest());
 async function sign$2(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
     // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
-    throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.');
+    throw new Error('Hash algorithm too weak for EdDSA.');
   }
   const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]);
   const signature = naclFastLight.sign.detached(hashed, secretKey);
+  if (config.checkEdDSAFaultySignatures && !naclFastLight.sign.detached.verify(hashed, signature, publicKey.subarray(1))) {
+    /**
+     * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
+     * if two signatures over the same message are obtained.
+     * See https://github.com/jedisct1/libsodium/issues/170.
+     * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
+     * then the generated signature is always safe, and the verification step is skipped.
+     * Otherwise, we need to verify the generated to ensure that no bitflip occured:
+     * - in M between the computation of `r` and `h`.
+     * - in the public key before computing `h`
+     * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
+     */
+    throw new Error('Transient signing failure');
+  }
   // EdDSA signature params are returned in little-endian format
   return {
     r: signature.subarray(0, 32),
@@ -14204,6 +14231,9 @@ async function sign$2(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @async
  */
 async function verify$2(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
+  if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
+    throw new Error('Hash algorithm too weak for EdDSA.');
+  }
   const signature = util.concatUint8Array([r, s]);
   return naclFastLight.sign.detached.verify(hashed, signature, publicKey.subarray(1));
 }
@@ -14273,14 +14303,27 @@ async function generate$2(algo) {
  * @async
  */
 async function sign$3(algo, hashAlgo, message, publicKey, privateKey, hashed) {
-  if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
-    // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
-    throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.');
+  if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$1(algo))) {
+    throw new Error('Hash algorithm too weak for EdDSA.');
   }
   switch (algo) {
     case enums.publicKey.ed25519: {
       const secretKey = util.concatUint8Array([privateKey, publicKey]);
       const signature = naclFastLight.sign.detached(hashed, secretKey);
+      if (config.checkEdDSAFaultySignatures && !naclFastLight.sign.detached.verify(hashed, signature, publicKey)) {
+        /**
+         * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
+         * if two signatures over the same message are obtained.
+         * See https://github.com/jedisct1/libsodium/issues/170.
+         * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
+         * then the generated signature is always safe, and the verification step is skipped.
+         * Otherwise, we need to verify the generated to ensure that no bitflip occured:
+         * - in M between the computation of `r` and `h`.
+         * - in the public key before computing `h`
+         * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
+         */
+        throw new Error('Transient signing failure');
+      }
       return { RS: signature };
     }
     case enums.publicKey.ed448:
@@ -14302,6 +14345,9 @@ async function sign$3(algo, hashAlgo, message, publicKey, privateKey, hashed) {
  * @async
  */
 async function verify$3(algo, hashAlgo, { RS }, m, publicKey, hashed) {
+  if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$1(algo))) {
+    throw new Error('Hash algorithm too weak for EdDSA.');
+  }
   switch (algo) {
     case enums.publicKey.ed25519: {
       return naclFastLight.sign.detached.verify(hashed, RS, publicKey);
@@ -14337,12 +14383,22 @@ async function validateParams$4(algo, A, seed) {
   }
 }
 
+function getPreferredHashAlgo$1(algo) {
+  switch (algo) {
+    case enums.publicKey.ed25519:
+      return enums.hash.sha256;
+    default:
+      throw new Error('Unknown EdDSA algo');
+  }
+}
+
 var eddsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
   generate: generate$2,
   sign: sign$3,
   verify: verify$3,
-  validateParams: validateParams$4
+  validateParams: validateParams$4,
+  getPreferredHashAlgo: getPreferredHashAlgo$1
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -14956,8 +15012,6 @@ async function generate$3(algo) {
     case enums.publicKey.x25519: {
       // k stays in little-endian, unlike legacy ECDH over curve25519
       const k = getRandomBytes(32);
-      k[0] &= 248;
-      k[31] = (k[31] & 127) | 64;
       const { publicKey: A } = naclFastLight.box.keyPair.fromSecretKey(k);
       return { A, k };
     }
@@ -15392,8 +15446,7 @@ function parseSignatureParams(algo, signature) {
     // Algorithm-Specific Fields for legacy EdDSA signatures:
     // -  MPI of an EC point r.
     // -  EdDSA value s, in MPI, in the little endian representation
-    case enums.publicKey.eddsa:
-    case enums.publicKey.ed25519Legacy: {
+    case enums.publicKey.eddsaLegacy: {
       // When parsing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
       // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9
       let r = util.readMPI(signature.subarray(read)); read += r.length + 2;
@@ -15454,8 +15507,7 @@ async function verify$5(algo, hashAlgo, signature, publicParams, privateParams,
       const s = util.leftPad(signature.s, curveSize);
       return publicKey.elliptic.ecdsa.verify(oid, hashAlgo, { r, s }, data, Q, hashed);
     }
-    case enums.publicKey.eddsa:
-    case enums.publicKey.ed25519Legacy: {
+    case enums.publicKey.eddsaLegacy: {
       const { oid, Q } = publicParams;
       // signature already padded on parsing
       return publicKey.elliptic.eddsaLegacy.verify(oid, hashAlgo, signature, data, Q, hashed);
@@ -15518,8 +15570,7 @@ async function sign$5(algo, hashAlgo, publicKeyParams, privateKeyParams, data, h
       const { d } = privateKeyParams;
       return publicKey.elliptic.ecdsa.sign(oid, hashAlgo, data, Q, d, hashed);
     }
-    case enums.publicKey.eddsa:
-    case enums.publicKey.ed25519Legacy: {
+    case enums.publicKey.eddsaLegacy: {
       const { oid, Q } = publicKeyParams;
       const { seed } = privateKeyParams;
       return publicKey.elliptic.eddsaLegacy.sign(oid, hashAlgo, data, Q, seed, hashed);
@@ -15910,8 +15961,7 @@ function parsePublicKeyParams(algo, bytes) {
       const Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
       return { read: read, publicParams: { oid, Q } };
     }
-    case enums.publicKey.eddsa:
-    case enums.publicKey.ed25519Legacy: {
+    case enums.publicKey.eddsaLegacy: {
       const oid = new OID(); read += oid.read(bytes);
       checkSupportedCurve(oid);
       let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
@@ -15973,8 +16023,7 @@ function parsePrivateKeyParams(algo, bytes, publicParams) {
       d = util.leftPad(d, curve.payloadSize);
       return { read, privateParams: { d } };
     }
-    case enums.publicKey.eddsa:
-    case enums.publicKey.ed25519Legacy: {
+    case enums.publicKey.eddsaLegacy: {
       const curve = new CurveWithOID(publicParams.oid);
       let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;
       seed = util.leftPad(seed, curve.payloadSize);
@@ -16109,8 +16158,7 @@ function generateParams(algo, bits, oid, symmetric) {
         privateParams: { d: secret },
         publicParams: { oid: new OID(oid), Q }
       }));
-    case enums.publicKey.eddsa:
-    case enums.publicKey.ed25519Legacy:
+    case enums.publicKey.eddsaLegacy:
       return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({
         privateParams: { seed: secret },
         publicParams: { oid: new OID(oid), Q }
@@ -16204,8 +16252,7 @@ async function validateParams$8(algo, publicParams, privateParams) {
       const { d } = privateParams;
       return algoModule.validateParams(oid, Q, d);
     }
-    case enums.publicKey.eddsa:
-    case enums.publicKey.ed25519Legacy: {
+    case enums.publicKey.eddsaLegacy: {
       const { Q, oid } = publicParams;
       const { seed } = privateParams;
       return publicKey.elliptic.eddsaLegacy.validateParams(oid, Q, seed);
@@ -16288,6 +16335,23 @@ function checkSupportedCurve(oid) {
   }
 }
 
+/**
+ * Get preferred hash algo for a given elliptic algo
+ * @param {module:enums.publicKey} algo - alrogithm identifier
+ * @param {module:type/oid} [oid] - curve OID if needed by algo
+ */
+function getPreferredCurveHashAlgo(algo, oid) {
+  switch (algo) {
+    case enums.publicKey.ecdsa:
+    case enums.publicKey.eddsaLegacy:
+      return publicKey.elliptic.getPreferredHashAlgo(oid);
+    case enums.publicKey.ed25519:
+      return publicKey.elliptic.eddsa.getPreferredHashAlgo(algo);
+    default:
+      throw new Error('Unknown elliptic signing algo');
+  }
+}
+
 var crypto$1 = /*#__PURE__*/Object.freeze({
   __proto__: null,
   publicKeyEncrypt: publicKeyEncrypt,
@@ -16301,7 +16365,8 @@ var crypto$1 = /*#__PURE__*/Object.freeze({
   getPrefixRandom: getPrefixRandom,
   generateSessionKey: generateSessionKey,
   getAEADMode: getAEADMode,
-  getCipher: getCipher
+  getCipher: getCipher,
+  getPreferredCurveHashAlgo: getPreferredCurveHashAlgo
 });
 
 /**
@@ -28059,25 +28124,22 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
   const dataToSign = {};
   dataToSign.key = primaryKey;
   dataToSign.bind = subkey;
-  const subkeySignaturePacket = new SignaturePacket();
-  subkeySignaturePacket.signatureType = enums.signature.subkeyBinding;
-  subkeySignaturePacket.publicKeyAlgorithm = primaryKey.algorithm;
-  subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(null, subkey, undefined, undefined, config);
+  const signatureProperties = { signatureType: enums.signature.subkeyBinding };
   if (options.sign) {
-    subkeySignaturePacket.keyFlags = [enums.keyFlags.signData];
-    subkeySignaturePacket.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
+    signatureProperties.keyFlags = [enums.keyFlags.signData];
+    signatureProperties.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
       signatureType: enums.signature.keyBinding
     }, options.date, undefined, undefined, undefined, config);
   } else {
-    subkeySignaturePacket.keyFlags = options.forwarding ?
+    signatureProperties.keyFlags = options.forwarding ?
       [enums.keyFlags.forwardedCommunication] :
       [enums.keyFlags.encryptCommunication | enums.keyFlags.encryptStorage];
   }
   if (options.keyExpirationTime > 0) {
-    subkeySignaturePacket.keyExpirationTime = options.keyExpirationTime;
-    subkeySignaturePacket.keyNeverExpires = false;
+    signatureProperties.keyExpirationTime = options.keyExpirationTime;
+    signatureProperties.keyNeverExpires = false;
   }
-  await subkeySignaturePacket.sign(primaryKey, dataToSign, options.date);
+  const subkeySignaturePacket = await createSignaturePacket(dataToSign, null, primaryKey, signatureProperties, options.date, undefined, undefined, undefined, config);
   return subkeySignaturePacket;
 }
 
@@ -28091,7 +28153,7 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
  * @returns {Promise<enums.hash>}
  * @async
  */
-async function getPreferredHashAlgo$1(key, keyPacket, date = new Date(), userID = {}, config) {
+async function getPreferredHashAlgo$2(key, keyPacket, date = new Date(), userID = {}, config) {
   let hashAlgo = config.preferredHashAlgorithm;
   let prefAlgo = hashAlgo;
   if (key) {
@@ -28102,17 +28164,11 @@ async function getPreferredHashAlgo$1(key, keyPacket, date = new Date(), userID
         prefAlgo : hashAlgo;
     }
   }
-  switch (Object.getPrototypeOf(keyPacket)) {
-    case SecretKeyPacket.prototype:
-    case PublicKeyPacket.prototype:
-    case SecretSubkeyPacket.prototype:
-    case PublicSubkeyPacket.prototype:
-      switch (keyPacket.algorithm) {
-        case enums.publicKey.ecdh:
-        case enums.publicKey.ecdsa:
-        case enums.publicKey.eddsa:
-          prefAlgo = mod.publicKey.elliptic.getPreferredHashAlgo(keyPacket.publicParams.oid);
-      }
+  switch (keyPacket.algorithm) {
+    case enums.publicKey.ecdsa:
+    case enums.publicKey.eddsaLegacy:
+    case enums.publicKey.ed25519:
+      prefAlgo = mod.getPreferredCurveHashAlgo(keyPacket.algorithm, keyPacket.publicParams.oid);
   }
   return mod.hash.getHashByteLength(hashAlgo) <= mod.hash.getHashByteLength(prefAlgo) ?
     prefAlgo : hashAlgo;
@@ -28180,7 +28236,7 @@ async function createSignaturePacket(dataToSign, privateKey, signingKeyPacket, s
   const signaturePacket = new SignaturePacket();
   Object.assign(signaturePacket, signatureProperties);
   signaturePacket.publicKeyAlgorithm = signingKeyPacket.algorithm;
-  signaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(privateKey, signingKeyPacket, date, userID, config);
+  signaturePacket.hashAlgorithm = await getPreferredHashAlgo$2(privateKey, signingKeyPacket, date, userID, config);
   signaturePacket.rawNotations = notations;
   await signaturePacket.sign(signingKeyPacket, dataToSign, date, detached);
   return signaturePacket;
@@ -28321,11 +28377,11 @@ function sanitizeKeyOptions(options, subkeyDefaults = {}) {
       } catch (e) {
         throw new Error('Unknown curve');
       }
-      if (options.curve === enums.curve.ed25519 || options.curve === enums.curve.curve25519) {
-        options.curve = options.sign ? enums.curve.ed25519 : enums.curve.curve25519;
+      if (options.curve === enums.curve.ed25519Legacy || options.curve === enums.curve.curve25519Legacy) {
+        options.curve = options.sign ? enums.curve.ed25519Legacy : enums.curve.curve25519Legacy;
       }
       if (options.sign) {
-        options.algorithm = options.curve === enums.curve.ed25519 ? enums.publicKey.eddsa : enums.publicKey.ecdsa;
+        options.algorithm = options.curve === enums.curve.ed25519Legacy ? enums.publicKey.eddsaLegacy : enums.publicKey.ecdsa;
       } else {
         options.algorithm = enums.publicKey.ecdh;
       }
@@ -28363,7 +28419,7 @@ function isValidEncryptionKeyPacket(keyPacket, signature) {
   return keyAlgo !== enums.publicKey.dsa &&
     keyAlgo !== enums.publicKey.rsaSign &&
     keyAlgo !== enums.publicKey.ecdsa &&
-    keyAlgo !== enums.publicKey.eddsa &&
+    keyAlgo !== enums.publicKey.eddsaLegacy &&
     keyAlgo !== enums.publicKey.ed25519 &&
     (!signature.keyFlags ||
       (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||
@@ -28409,7 +28465,7 @@ function checkKeyRequirements(keyPacket, config) {
       }
       break;
     case enums.publicKey.ecdsa:
-    case enums.publicKey.eddsa:
+    case enums.publicKey.eddsaLegacy:
     case enums.publicKey.ecdh:
       if (config.rejectCurves.has(algoInfo.curve)) {
         throw new Error(`Support for ${algoInfo.algorithm} keys using curve ${algoInfo.curve} is disabled.`);
@@ -30036,50 +30092,50 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
     const dataToSign = {};
     dataToSign.userID = userIDPacket;
     dataToSign.key = secretKeyPacket;
-    const signaturePacket = new SignaturePacket();
-    signaturePacket.signatureType = enums.signature.certGeneric;
-    signaturePacket.publicKeyAlgorithm = secretKeyPacket.algorithm;
-    signaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(null, secretKeyPacket, undefined, undefined, config);
-    signaturePacket.keyFlags = [enums.keyFlags.certifyKeys | enums.keyFlags.signData];
-    signaturePacket.preferredSymmetricAlgorithms = createPreferredAlgos([
+
+    const signatureProperties = {};
+    signatureProperties.signatureType = enums.signature.certGeneric;
+    signatureProperties.keyFlags = [enums.keyFlags.certifyKeys | enums.keyFlags.signData];
+    signatureProperties.preferredSymmetricAlgorithms = createPreferredAlgos([
       // prefer aes256, aes128, then aes192 (no WebCrypto support: https://www.chromium.org/blink/webcrypto#TOC-AES-support)
       enums.symmetric.aes256,
       enums.symmetric.aes128,
       enums.symmetric.aes192
     ], config.preferredSymmetricAlgorithm);
     if (config.aeadProtect) {
-      signaturePacket.preferredAEADAlgorithms = createPreferredAlgos([
+      signatureProperties.preferredAEADAlgorithms = createPreferredAlgos([
         enums.aead.eax,
         enums.aead.ocb
       ], config.preferredAEADAlgorithm);
     }
-    signaturePacket.preferredHashAlgorithms = createPreferredAlgos([
+    signatureProperties.preferredHashAlgorithms = createPreferredAlgos([
       // prefer fast asm.js implementations (SHA-256)
       enums.hash.sha256,
       enums.hash.sha512
     ], config.preferredHashAlgorithm);
-    signaturePacket.preferredCompressionAlgorithms = createPreferredAlgos([
+    signatureProperties.preferredCompressionAlgorithms = createPreferredAlgos([
       enums.compression.zlib,
       enums.compression.zip,
       enums.compression.uncompressed
     ], config.preferredCompressionAlgorithm);
     if (index === 0) {
-      signaturePacket.isPrimaryUserID = true;
+      signatureProperties.isPrimaryUserID = true;
     }
     // integrity protection always enabled
-    signaturePacket.features = [0];
-    signaturePacket.features[0] |= enums.features.modificationDetection;
+    signatureProperties.features = [0];
+    signatureProperties.features[0] |= enums.features.modificationDetection;
     if (config.aeadProtect) {
-      signaturePacket.features[0] |= enums.features.aead;
+      signatureProperties.features[0] |= enums.features.aead;
     }
     if (config.v5Keys) {
-      signaturePacket.features[0] |= enums.features.v5Keys;
+      signatureProperties.features[0] |= enums.features.v5Keys;
     }
     if (options.keyExpirationTime > 0) {
-      signaturePacket.keyExpirationTime = options.keyExpirationTime;
-      signaturePacket.keyNeverExpires = false;
+      signatureProperties.keyExpirationTime = options.keyExpirationTime;
+      signatureProperties.keyNeverExpires = false;
     }
-    await signaturePacket.sign(secretKeyPacket, dataToSign, options.date);
+
+    const signaturePacket = await createSignaturePacket(dataToSign, null, secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);
 
     return { userIDPacket, signaturePacket };
   })).then(list => {
@@ -30781,7 +30837,7 @@ class Message {
       const signingKey = await primaryKey.getSigningKey(signingKeyID, date, userIDs, config$1);
       const onePassSig = new OnePassSignaturePacket();
       onePassSig.signatureType = signatureType;
-      onePassSig.hashAlgorithm = await getPreferredHashAlgo$1(primaryKey, signingKey.keyPacket, date, userIDs, config$1);
+      onePassSig.hashAlgorithm = await getPreferredHashAlgo$2(primaryKey, signingKey.keyPacket, date, userIDs, config$1);
       onePassSig.publicKeyAlgorithm = signingKey.keyPacket.algorithm;
       onePassSig.issuerKeyID = signingKey.getKeyID();
       if (i === signingKeys.length - 1) {
@@ -45299,4 +45355,4 @@ var index = /*#__PURE__*/Object.freeze({
   'default': loadWasm
 });
 
-export { AEADEncryptedDataPacket, CleartextMessage, CompressedDataPacket, KDFParams, LiteralDataPacket, MarkerPacket, Message, OnePassSignaturePacket, PacketList, PrivateKey, PublicKey, PublicKeyEncryptedSessionKeyPacket, PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket, Signature, SignaturePacket, Subkey, SymEncryptedIntegrityProtectedDataPacket, SymEncryptedSessionKeyPacket, SymmetricallyEncryptedDataPacket, TrustPacket, UnparseablePacket, UserAttributePacket, UserIDPacket, armor, config, createCleartextMessage, createMessage, decrypt$5 as decrypt, decryptKey, decryptSessionKeys, encrypt$5 as encrypt, encryptKey, encryptSessionKey, enums, generateKey, generateSessionKey$1 as generateSessionKey, readCleartextMessage, readKey, readKeys, readMessage, readPrivateKey, readPrivateKeys, readSignature, reformatKey, revokeKey, sign$6 as sign, unarmor, verify$6 as verify };
+export { AEADEncryptedDataPacket, Argon2OutOfMemoryError, Argon2S2K, CleartextMessage, CompressedDataPacket, KDFParams, LiteralDataPacket, MarkerPacket, Message, OnePassSignaturePacket, PacketList, PrivateKey, PublicKey, PublicKeyEncryptedSessionKeyPacket, PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket, Signature, SignaturePacket, Subkey, SymEncryptedIntegrityProtectedDataPacket, SymEncryptedSessionKeyPacket, SymmetricallyEncryptedDataPacket, TrustPacket, UnparseablePacket, UserAttributePacket, UserIDPacket, armor, config, createCleartextMessage, createMessage, decrypt$5 as decrypt, decryptKey, decryptSessionKeys, encrypt$5 as encrypt, encryptKey, encryptSessionKey, enums, generateKey, generateSessionKey$1 as generateSessionKey, readCleartextMessage, readKey, readKeys, readMessage, readPrivateKey, readPrivateKeys, readSignature, reformatKey, revokeKey, sign$6 as sign, unarmor, verify$6 as verify };

package/openpgp.d.ts

@@ -345,7 +345,7 @@ interface Config {
   rejectPublicKeyAlgorithms: Set<enums.publicKey>;
   rejectCurves: Set<enums.curve>;
 }
-export var config: Config;
+export var config: Config & { checkEdDSAFaultySignatures: boolean }; // option only supported if set at the global openpgp.config level
 
 // PartialConfig has the same properties as Config, but declared as optional.
 // This interface is relevant for top-level functions, which accept a subset of configuration options
@@ -661,7 +661,7 @@ interface VerifyOptions {
   /** (optional) detached signature for verification */
   signature?: Signature;
   /** (optional) use the given date for verification instead of the current time */
-  date?: Date;
+  date?: Date | null;
   config?: PartialConfig;
 }
 
@@ -824,7 +824,9 @@ export namespace enums {
     dsa = 17,
     ecdh = 18,
     ecdsa = 19,
+    /** @deprecated use `eddsaLegacy` instead */
     eddsa = 22,
+    eddsaLegacy = 22,
     aedh = 23,
     aedsa = 24,
   }
@@ -833,8 +835,12 @@ export namespace enums {
     p256 = 'p256',
     p384 = 'p384',
     p521 = 'p521',
+    /** @deprecated use `ed25519Legacy` instead */
     ed25519 = 'ed25519',
+    ed25519Legacy = 'ed25519',
+    /** @deprecated use `curve25519Legacy` instead */
     curve25519 = 'curve25519',
+    curve25519Legacy = 'curve25519',
     secp256k1 = 'secp256k1',
     brainpoolP256r1 = 'brainpoolP256r1',
     brainpoolP384r1 = 'brainpoolP384r1',
@@ -918,6 +924,13 @@ export namespace enums {
   }
 }
 
+export declare class Argon2S2K {
+  constructor(config: Config);
+  salt: Uint8Array;
+  /** @throws Argon2OutOfMemoryError */
+  produceKey(passphrase: string, keySize: number): Promise<Uint8Array>;
+}
+
 interface KDFParamsData {
   version: number;
   hash: enums.hash;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@protontech/openpgp",
   "description": "OpenPGP.js is a Javascript implementation of the OpenPGP protocol. This is defined in RFC 4880.",
-  "version": "5.10.2",
+  "version": "5.11.1-0",
   "license": "LGPL-3.0+",
   "homepage": "https://openpgpjs.org/",
   "engines": {
@@ -60,7 +60,7 @@
     "@openpgp/pako": "^1.0.12",
     "@openpgp/seek-bzip": "^1.0.5-git",
     "@openpgp/tweetnacl": "^1.0.3",
-    "@openpgp/web-stream-tools": "^0.0.11",
+    "@openpgp/web-stream-tools": "0.0.11-patch-0",
     "@rollup/plugin-commonjs": "^11.1.0",
     "@rollup/plugin-node-resolve": "^7.1.3",
     "@rollup/plugin-replace": "^2.3.2",