@protontech/openpgp 5.7.0 → 5.9.0

package/dist/lightweight/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v5.7.0 - 2023-03-06 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v5.9.0 - 2023-05-15 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 const doneWritingPromise = Symbol('doneWritingPromise');
@@ -1907,7 +1907,7 @@ const util = {
     if (!util.isString(data)) {
       return false;
     }
-    const re = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+([a-zA-Z]{2,}|xn--[a-zA-Z\-0-9]+)))$/;
+    const re = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+([a-zA-Z]{2,}[0-9]*|xn--[a-zA-Z\-0-9]+)))$/;
     return re.test(data);
   },
 
@@ -2303,6 +2303,7 @@ var enums = {
     simple: 0,
     salted: 1,
     iterated: 3,
+    argon2: 4,
     gnu: 101
   },
 
@@ -2617,6 +2618,8 @@ var enums = {
     splitPrivateKey: 16,
     /** 0x20 - This key may be used for authentication. */
     authentication: 32,
+    /** This key may be used for forwarded communications */
+    forwardedCommunication: 64,
     /** 0x80 - The private component of this key may be in the
      *        possession of more than one person. */
     sharedPrivateKey: 128
@@ -2767,12 +2770,41 @@ var config = {
    */
   v5Keys: false,
   /**
-   * {@link https://tools.ietf.org/html/rfc4880#section-3.7.1.3|RFC4880 3.7.1.3}:
-   * Iteration Count Byte for S2K (String to Key)
+   * S2K (String to Key) type, used for key derivation in the context of secret key encryption
+   * and password-encrypted data. Weaker s2k options are not allowed.
+   * Note: Argon2 is the strongest option but not all OpenPGP implementations are compatible with it
+   * (pending standardisation).
+   * @memberof module:config
+   * @property {enums.s2k.argon2|enums.s2k.iterated} s2kType {@link module:enums.s2k}
+   */
+  s2kType: enums.s2k.iterated,
+  /**
+   * {@link https://tools.ietf.org/html/rfc4880#section-3.7.1.3| RFC4880 3.7.1.3}:
+   * Iteration Count Byte for Iterated and Salted S2K (String to Key).
+   * Only relevant if `config.s2kType` is set to `enums.s2k.iterated`.
+   * Note: this is the exponent value, not the final number of iterations (refer to specs for more details).
    * @memberof module:config
    * @property {Integer} s2kIterationCountByte
    */
   s2kIterationCountByte: 224,
+  /**
+   * {@link https://tools.ietf.org/html/draft-ietf-openpgp-crypto-refresh-07.html#section-3.7.1.4| draft-crypto-refresh 3.7.1.4}:
+   * Argon2 parameters for S2K (String to Key).
+   * Only relevant if `config.s2kType` is set to `enums.s2k.argon2`.
+   * Default settings correspond to the second recommendation from RFC9106 ("uniformly safe option"),
+   * to ensure compatibility with memory-constrained environments.
+   * For more details on the choice of parameters, see https://tools.ietf.org/html/rfc9106#section-4.
+   * @memberof module:config
+   * @property {Object} params
+   * @property {Integer} params.passes - number of iterations t
+   * @property {Integer} params.parallelism - degree of parallelism p
+   * @property {Integer} params.memoryExponent - one-octet exponent indicating the memory size, which will be: 2**memoryExponent kibibytes.
+   */
+  s2kArgon2Params: {
+    passes: 3,
+    parallelism: 4, // lanes
+    memoryExponent: 16 // 64 MiB of RAM
+  },
   /**
    * Allow decryption of messages without integrity protection.
    * This is an **insecure** setting:
@@ -2792,6 +2824,13 @@ var config = {
    * @property {Boolean} allowUnauthenticatedStream
    */
   allowUnauthenticatedStream: false,
+  /**
+   * Allow decrypting forwarded messages, using keys with 0x40 ('forwarded communication') flag.
+   * Note: this is related to a **non-standard feature**.
+   * @memberof module:config
+   * @property {Boolean} allowForwardedMessages
+   */
+  allowForwardedMessages: false,
   /**
    * @memberof module:config
    * @property {Boolean} checksumRequired Do not throw error when armor is missing a checksum
@@ -2868,6 +2907,14 @@ var config = {
    * @property {Boolean} ignoreMalformedPackets Ignore malformed packets on parsing instead of throwing an error
    */
   ignoreMalformedPackets: false,
+  /**
+   * Parsing of packets is normally restricted to a predefined set of packets. For example a Sym. Encrypted Integrity Protected Data Packet can only
+   * contain a certain set of packets including LiteralDataPacket. With this setting we can allow additional packets, which is probably not advisable
+   * as a global config setting, but can be used for specific function calls (e.g. decrypt method of Message).
+   * @memberof module:config
+   * @property {Array} additionalAllowedPackets Allow additional packets on parsing. Defined as array of packet classes, e.g. [PublicKeyPacket]
+   */
+  additionalAllowedPackets: [],
   /**
    * @memberof module:config
    * @property {Boolean} showVersion Whether to include {@link module:config/config.versionString} in armored messages
@@ -2882,7 +2929,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 5.7.0',
+  versionString: 'OpenPGP.js 5.9.0',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -14366,7 +14413,7 @@ function buildEcdhParam(public_algo, oid, kdfParams, fingerprint) {
   return util.concatUint8Array([
     oid.write(),
     new Uint8Array([public_algo]),
-    kdfParams.replacementKDFParams || kdfParams.write(),
+    kdfParams.write(true),
     util.stringToUint8Array('Anonymous Sender    '),
     kdfParams.replacementFingerprint || fingerprint.subarray(0, 20)
   ]);
@@ -15208,32 +15255,28 @@ class ECDHSymmetricKey {
 
 // OpenPGP.js - An OpenPGP implementation in javascript
 
+const VERSION_FORWARDING = 0xFF;
+
 class KDFParams {
   /**
    * @param  {Integer}          version                 Version, defaults to 1
    * @param  {enums.hash}       hash                    Hash algorithm
    * @param  {enums.symmetric}  cipher                  Symmetric algorithm
-   * @param  {enums.kdfFlags}   flags                   (v2 only) flags
-   * @param  {Uint8Array}       replacementFingerprint  (v2 only) fingerprint to use instead of recipient one (v5 keys, the 20 leftmost bytes of the fingerprint)
-   * @param  {Uint8Array}       replacementKDFParams    (v2 only) serialized KDF params to use in KDF digest computation
+   * @param  {Uint8Array}       replacementFingerprint  (forwarding only) fingerprint to use instead of recipient one (v5 keys, the 20 leftmost bytes of the fingerprint)
    */
   constructor(data) {
     if (data) {
-      const { version, hash, cipher, flags, replacementFingerprint, replacementKDFParams } = data;
+      const { version, hash, cipher, replacementFingerprint } = data;
       this.version = version || 1;
       this.hash = hash;
       this.cipher = cipher;
 
-      this.flags = flags;
       this.replacementFingerprint = replacementFingerprint;
-      this.replacementKDFParams = replacementKDFParams;
     } else {
       this.version = null;
       this.hash = null;
       this.cipher = null;
-      this.flags = null;
       this.replacementFingerprint = null;
-      this.replacementKDFParams = null;
     }
   }
 
@@ -15243,44 +15286,41 @@ class KDFParams {
    * @returns {Number} Number of read bytes.
    */
   read(input) {
+    const totalBytes = input[0];
     this.version = input[1];
     this.hash = input[2];
     this.cipher = input[3];
     let readBytes = 4;
 
-    if (this.version === 2) {
-      this.flags = input[readBytes++];
-      if (this.flags & enums.kdfFlags.replace_fingerprint) {
-        this.replacementFingerprint = input.slice(readBytes, readBytes + 20);
-        readBytes += 20;
-      }
-      if (this.flags & enums.kdfFlags.replace_kdf_params) {
-        const fieldLength = input[readBytes] + 1; // account for length
-        this.replacementKDFParams = input.slice(readBytes, readBytes + fieldLength);
-        readBytes += fieldLength;
-      }
+    if (this.version === VERSION_FORWARDING) {
+      const fingerprintLength = totalBytes - readBytes + 1; // acount for length byte
+      this.replacementFingerprint = input.slice(readBytes, readBytes + fingerprintLength);
+      readBytes += fingerprintLength;
     }
     return readBytes;
   }
 
   /**
    * Write KDFParams to an Uint8Array
+   * @param {Boolean} [forReplacementParams] - forwarding only: whether to serialize data to use for replacement params
    * @returns  {Uint8Array}  Array with the KDFParams value
    */
-  write() {
-    if (!this.version || this.version === 1) {
+  write(forReplacementParams) {
+    if (!this.version || this.version === 1 || forReplacementParams) {
       return new Uint8Array([3, 1, this.hash, this.cipher]);
     }
 
-    const v2Fields = util.concatUint8Array([
-      new Uint8Array([4, 2, this.hash, this.cipher, this.flags]),
-      this.replacementFingerprint || new Uint8Array(),
-      this.replacementKDFParams || new Uint8Array()
+    const forwardingFields = util.concatUint8Array([
+      new Uint8Array([
+        3 + this.replacementFingerprint.length,
+        this.version,
+        this.hash,
+        this.cipher
+      ]),
+      this.replacementFingerprint
     ]);
 
-    // update length field
-    v2Fields[0] = v2Fields.length - 1;
-    return new Uint8Array(v2Fields);
+    return forwardingFields;
   }
 }
 
@@ -15863,6 +15903,339 @@ const mod = {
 
 Object.assign(mod, crypto$1);
 
+const ARGON2_TYPE = 0x02; // id
+const ARGON2_VERSION = 0x13;
+const ARGON2_SALT_SIZE = 16;
+
+class Argon2OutOfMemoryError extends Error {
+  constructor(...params) {
+    super(...params);
+
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, Argon2OutOfMemoryError);
+    }
+
+    this.name = 'Argon2OutOfMemoryError';
+  }
+}
+
+// cache argon wasm module
+let loadArgonWasmModule;
+let argon2Promise;
+// reload wasm module above this treshold, to deallocated used memory
+const ARGON2_WASM_MEMORY_THRESHOLD_RELOAD = 2 << 19;
+
+class Argon2S2K {
+  /**
+  * @param {Object} [config] - Full configuration, defaults to openpgp.config
+  */
+  constructor(config$1 = config) {
+    const { passes, parallelism, memoryExponent } = config$1.s2kArgon2Params;
+
+    this.type = 'argon2';
+    /**  @type {Uint8Array} 16 bytes of salt */
+    this.salt = null;
+    /** @type {Integer} number of passes */
+    this.t = passes;
+    /** @type {Integer} degree of parallelism (lanes) */
+    this.p = parallelism;
+    /** @type {Integer} exponent indicating memory size */
+    this.encodedM = memoryExponent;
+  }
+
+  generateSalt() {
+    this.salt = mod.random.getRandomBytes(ARGON2_SALT_SIZE);
+  }
+
+  /**
+  * Parsing function for argon2 string-to-key specifier.
+  * @param {Uint8Array} bytes - Payload of argon2 string-to-key specifier
+  * @returns {Integer} Actual length of the object.
+  */
+  read(bytes) {
+    let i = 0;
+
+    this.salt = bytes.subarray(i, i + 16);
+    i += 16;
+
+    this.t = bytes[i++];
+    this.p = bytes[i++];
+    this.encodedM = bytes[i++]; // memory size exponent, one-octect
+
+    return i;
+  }
+
+  /**
+  * Serializes s2k information
+  * @returns {Uint8Array} Binary representation of s2k.
+  */
+  write() {
+    const arr = [
+      new Uint8Array([enums.write(enums.s2k, this.type)]),
+      this.salt,
+      new Uint8Array([this.t, this.p, this.encodedM])
+    ];
+
+    return util.concatUint8Array(arr);
+  }
+
+  /**
+  * Produces a key using the specified passphrase and the defined
+  * hashAlgorithm
+  * @param {String} passphrase - Passphrase containing user input
+  * @returns {Promise<Uint8Array>} Produced key with a length corresponding to `keySize`
+  * @throws {Argon2OutOfMemoryError|Errors}
+  * @async
+  */
+  async produceKey(passphrase, keySize) {
+    const decodedM = 2 << (this.encodedM - 1);
+
+    try {
+      if (!argon2Promise) { // first load
+        loadArgonWasmModule = loadArgonWasmModule || (await import('./argon2id.mjs')).default;
+        argon2Promise = loadArgonWasmModule();
+      }
+      // important to keep local ref to argon2 in case the module is reloaded by another instance
+      const argon2 = await argon2Promise;
+
+      const passwordBytes = util.encodeUTF8(passphrase);
+      const hash = argon2({
+        version: ARGON2_VERSION,
+        type: ARGON2_TYPE,
+        password: passwordBytes,
+        salt: this.salt,
+        tagLength: keySize,
+        memorySize: decodedM,
+        parallelism: this.p,
+        passes: this.t
+      });
+
+      // a lot of memory was used, reload to deallocate
+      if (decodedM > ARGON2_WASM_MEMORY_THRESHOLD_RELOAD) {
+        // it will be awaited if needed at the next `produceKey` invocation
+        argon2Promise = loadArgonWasmModule();
+      }
+      return hash;
+    } catch (e) {
+      if (e.message && (
+        e.message.includes('Unable to grow instance memory') || // Chrome
+        e.message.includes('failed to grow memory') || // Firefox
+        e.message.includes('WebAssembly.Memory.grow') || // Safari
+        e.message.includes('Out of memory') // Safari iOS
+      )) {
+        throw new Argon2OutOfMemoryError('Could not allocate required memory for Argon2');
+      } else {
+        throw e;
+      }
+    }
+  }
+}
+
+// GPG4Browsers - An OpenPGP implementation in javascript
+
+class GenericS2K {
+  /**
+   * @param {Object} [config] - Full configuration, defaults to openpgp.config
+   */
+  constructor(s2kType, config$1 = config) {
+    /**
+     * Hash function identifier, or 0 for gnu-dummy keys
+     * @type {module:enums.hash | 0}
+     */
+    this.algorithm = enums.hash.sha256;
+    /**
+     * enums.s2k identifier or 'gnu-dummy'
+     * @type {String}
+     */
+    this.type = enums.read(enums.s2k, s2kType);
+    /** @type {Integer} */
+    this.c = config$1.s2kIterationCountByte;
+    /** Eight bytes of salt in a binary string.
+     * @type {Uint8Array}
+     */
+    this.salt = null;
+  }
+
+  generateSalt() {
+    switch (this.type) {
+      case 'salted':
+      case 'iterated':
+        this.salt = mod.random.getRandomBytes(8);
+    }
+  }
+
+  getCount() {
+    // Exponent bias, defined in RFC4880
+    const expbias = 6;
+
+    return (16 + (this.c & 15)) << ((this.c >> 4) + expbias);
+  }
+
+  /**
+   * Parsing function for a string-to-key specifier ({@link https://tools.ietf.org/html/rfc4880#section-3.7|RFC 4880 3.7}).
+   * @param {Uint8Array} bytes - Payload of string-to-key specifier
+   * @returns {Integer} Actual length of the object.
+   */
+  read(bytes) {
+    let i = 0;
+    this.algorithm = bytes[i++];
+
+    switch (this.type) {
+      case 'simple':
+        break;
+
+      case 'salted':
+        this.salt = bytes.subarray(i, i + 8);
+        i += 8;
+        break;
+
+      case 'iterated':
+        this.salt = bytes.subarray(i, i + 8);
+        i += 8;
+
+        // Octet 10: count, a one-octet, coded value
+        this.c = bytes[i++];
+        break;
+      case 'gnu':
+        if (util.uint8ArrayToString(bytes.subarray(i, i + 3)) === 'GNU') {
+          i += 3; // GNU
+          const gnuExtType = 1000 + bytes[i++];
+          if (gnuExtType === 1001) {
+            this.type = 'gnu-dummy';
+            // GnuPG extension mode 1001 -- don't write secret key at all
+          } else {
+            throw new Error('Unknown s2k gnu protection mode.');
+          }
+        } else {
+          throw new Error('Unknown s2k type.');
+        }
+        break;
+
+      default:
+        throw new Error('Unknown s2k type.');
+    }
+
+    return i;
+  }
+
+  /**
+   * Serializes s2k information
+   * @returns {Uint8Array} Binary representation of s2k.
+   */
+  write() {
+    if (this.type === 'gnu-dummy') {
+      return new Uint8Array([101, 0, ...util.stringToUint8Array('GNU'), 1]);
+    }
+    const arr = [new Uint8Array([enums.write(enums.s2k, this.type), this.algorithm])];
+
+    switch (this.type) {
+      case 'simple':
+        break;
+      case 'salted':
+        arr.push(this.salt);
+        break;
+      case 'iterated':
+        arr.push(this.salt);
+        arr.push(new Uint8Array([this.c]));
+        break;
+      case 'gnu':
+        throw new Error('GNU s2k type not supported.');
+      default:
+        throw new Error('Unknown s2k type.');
+    }
+
+    return util.concatUint8Array(arr);
+  }
+
+  /**
+   * Produces a key using the specified passphrase and the defined
+   * hashAlgorithm
+   * @param {String} passphrase - Passphrase containing user input
+   * @returns {Promise<Uint8Array>} Produced key with a length corresponding to.
+   * hashAlgorithm hash length
+   * @async
+   */
+  async produceKey(passphrase, numBytes) {
+    passphrase = util.encodeUTF8(passphrase);
+
+    const arr = [];
+    let rlength = 0;
+
+    let prefixlen = 0;
+    while (rlength < numBytes) {
+      let toHash;
+      switch (this.type) {
+        case 'simple':
+          toHash = util.concatUint8Array([new Uint8Array(prefixlen), passphrase]);
+          break;
+        case 'salted':
+          toHash = util.concatUint8Array([new Uint8Array(prefixlen), this.salt, passphrase]);
+          break;
+        case 'iterated': {
+          const data = util.concatUint8Array([this.salt, passphrase]);
+          let datalen = data.length;
+          const count = Math.max(this.getCount(), datalen);
+          toHash = new Uint8Array(prefixlen + count);
+          toHash.set(data, prefixlen);
+          for (let pos = prefixlen + datalen; pos < count; pos += datalen, datalen *= 2) {
+            toHash.copyWithin(pos, prefixlen, pos);
+          }
+          break;
+        }
+        case 'gnu':
+          throw new Error('GNU s2k type not supported.');
+        default:
+          throw new Error('Unknown s2k type.');
+      }
+      const result = await mod.hash.digest(this.algorithm, toHash);
+      arr.push(result);
+      rlength += result.length;
+      prefixlen++;
+    }
+
+    return util.concatUint8Array(arr).subarray(0, numBytes);
+  }
+}
+
+const allowedS2KTypesForEncryption = new Set([enums.s2k.argon2, enums.s2k.iterated]);
+
+/**
+ * Instantiate a new S2K instance of the given type
+ * @param {module:enums.s2k} type
+ * @oaram {Object} [config]
+ * @returns {Object} New s2k object
+ * @throws {Error} for unknown or unsupported types
+ */
+function newS2KFromType(type, config$1 = config) {
+  switch (type) {
+    case enums.s2k.argon2:
+      return new Argon2S2K(config$1);
+    case enums.s2k.iterated:
+    case enums.s2k.gnu:
+    case enums.s2k.salted:
+    case enums.s2k.simple:
+      return new GenericS2K(type, config$1);
+    default:
+      throw new Error(`Unsupported S2K type ${type}`);
+  }
+}
+
+/**
+ * Instantiate a new S2K instance based on the config settings
+ * @oaram {Object} config
+ * @returns {Object} New s2k object
+ * @throws {Error} for unknown or unsupported types
+ */
+function newS2KFromConfig(config) {
+  const { s2kType } = config;
+
+  if (!allowedS2KTypesForEncryption.has(s2kType)) {
+    throw new Error('The provided `config.s2kType` value is not allowed');
+  }
+
+  return newS2KFromType(s2kType, config);
+}
+
 var TYPED_OK = typeof Uint8Array !== "undefined" &&
   typeof Uint16Array !== "undefined" &&
   typeof Int32Array !== "undefined";
@@ -23917,6 +24290,9 @@ class PacketList extends Array {
    * @async
    */
   async read(bytes, allowedPackets, config$1 = config) {
+    if (config$1.additionalAllowedPackets.length) {
+      allowedPackets = { ...allowedPackets, ...util.constructAllowedPackets(config$1.additionalAllowedPackets) };
+    }
     this.stream = transformPair(bytes, async (readable, writable) => {
       const writer = getWriter(writable);
       try {
@@ -24684,166 +25060,6 @@ class PublicKeyEncryptedSessionKeyPacket {
 
 // GPG4Browsers - An OpenPGP implementation in javascript
 
-class S2K {
-  /**
-   * @param {Object} [config] - Full configuration, defaults to openpgp.config
-   */
-  constructor(config$1 = config) {
-    /**
-     * Hash function identifier, or 0 for gnu-dummy keys
-     * @type {module:enums.hash | 0}
-     */
-    this.algorithm = enums.hash.sha256;
-    /**
-     * enums.s2k identifier or 'gnu-dummy'
-     * @type {String}
-     */
-    this.type = 'iterated';
-    /** @type {Integer} */
-    this.c = config$1.s2kIterationCountByte;
-    /** Eight bytes of salt in a binary string.
-     * @type {Uint8Array}
-     */
-    this.salt = null;
-  }
-
-  getCount() {
-    // Exponent bias, defined in RFC4880
-    const expbias = 6;
-
-    return (16 + (this.c & 15)) << ((this.c >> 4) + expbias);
-  }
-
-  /**
-   * Parsing function for a string-to-key specifier ({@link https://tools.ietf.org/html/rfc4880#section-3.7|RFC 4880 3.7}).
-   * @param {Uint8Array} bytes - Payload of string-to-key specifier
-   * @returns {Integer} Actual length of the object.
-   */
-  read(bytes) {
-    let i = 0;
-    this.type = enums.read(enums.s2k, bytes[i++]);
-    this.algorithm = bytes[i++];
-
-    switch (this.type) {
-      case 'simple':
-        break;
-
-      case 'salted':
-        this.salt = bytes.subarray(i, i + 8);
-        i += 8;
-        break;
-
-      case 'iterated':
-        this.salt = bytes.subarray(i, i + 8);
-        i += 8;
-
-        // Octet 10: count, a one-octet, coded value
-        this.c = bytes[i++];
-        break;
-
-      case 'gnu':
-        if (util.uint8ArrayToString(bytes.subarray(i, i + 3)) === 'GNU') {
-          i += 3; // GNU
-          const gnuExtType = 1000 + bytes[i++];
-          if (gnuExtType === 1001) {
-            this.type = 'gnu-dummy';
-            // GnuPG extension mode 1001 -- don't write secret key at all
-          } else {
-            throw new Error('Unknown s2k gnu protection mode.');
-          }
-        } else {
-          throw new Error('Unknown s2k type.');
-        }
-        break;
-
-      default:
-        throw new Error('Unknown s2k type.');
-    }
-
-    return i;
-  }
-
-  /**
-   * Serializes s2k information
-   * @returns {Uint8Array} Binary representation of s2k.
-   */
-  write() {
-    if (this.type === 'gnu-dummy') {
-      return new Uint8Array([101, 0, ...util.stringToUint8Array('GNU'), 1]);
-    }
-    const arr = [new Uint8Array([enums.write(enums.s2k, this.type), this.algorithm])];
-
-    switch (this.type) {
-      case 'simple':
-        break;
-      case 'salted':
-        arr.push(this.salt);
-        break;
-      case 'iterated':
-        arr.push(this.salt);
-        arr.push(new Uint8Array([this.c]));
-        break;
-      case 'gnu':
-        throw new Error('GNU s2k type not supported.');
-      default:
-        throw new Error('Unknown s2k type.');
-    }
-
-    return util.concatUint8Array(arr);
-  }
-
-  /**
-   * Produces a key using the specified passphrase and the defined
-   * hashAlgorithm
-   * @param {String} passphrase - Passphrase containing user input
-   * @returns {Promise<Uint8Array>} Produced key with a length corresponding to.
-   * hashAlgorithm hash length
-   * @async
-   */
-  async produceKey(passphrase, numBytes) {
-    passphrase = util.encodeUTF8(passphrase);
-
-    const arr = [];
-    let rlength = 0;
-
-    let prefixlen = 0;
-    while (rlength < numBytes) {
-      let toHash;
-      switch (this.type) {
-        case 'simple':
-          toHash = util.concatUint8Array([new Uint8Array(prefixlen), passphrase]);
-          break;
-        case 'salted':
-          toHash = util.concatUint8Array([new Uint8Array(prefixlen), this.salt, passphrase]);
-          break;
-        case 'iterated': {
-          const data = util.concatUint8Array([this.salt, passphrase]);
-          let datalen = data.length;
-          const count = Math.max(this.getCount(), datalen);
-          toHash = new Uint8Array(prefixlen + count);
-          toHash.set(data, prefixlen);
-          for (let pos = prefixlen + datalen; pos < count; pos += datalen, datalen *= 2) {
-            toHash.copyWithin(pos, prefixlen, pos);
-          }
-          break;
-        }
-        case 'gnu':
-          throw new Error('GNU s2k type not supported.');
-        default:
-          throw new Error('Unknown s2k type.');
-      }
-      const result = await mod.hash.digest(this.algorithm, toHash);
-      arr.push(result);
-      rlength += result.length;
-      prefixlen++;
-    }
-
-    return util.concatUint8Array(arr).subarray(0, numBytes);
-  }
-}
-
-// GPG4Browsers - An OpenPGP implementation in javascript
-
 /**
  * Symmetric-Key Encrypted Session Key Packets (Tag 3)
  *
@@ -24911,7 +25127,8 @@ class SymEncryptedSessionKeyPacket {
     }
 
     // A string-to-key (S2K) specifier, length as defined above.
-    this.s2k = new S2K();
+    const s2kType = bytes[offset++];
+    this.s2k = newS2KFromType(s2kType);
     offset += this.s2k.read(bytes.subarray(offset, bytes.length));
 
     if (this.version === 5) {
@@ -25000,8 +25217,8 @@ class SymEncryptedSessionKeyPacket {
 
     this.sessionKeyEncryptionAlgorithm = algo;
 
-    this.s2k = new S2K(config$1);
-    this.s2k.salt = mod.random.getRandomBytes(8);
+    this.s2k = newS2KFromConfig(config$1);
+    this.s2k.generateSalt();
 
     const { blockSize, keySize } = mod.getCipher(algo);
     const encryptionKey = await this.s2k.produceKey(passphrase, keySize);
@@ -25627,7 +25844,8 @@ class SecretKeyPacket extends PublicKeyPacket {
       // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
       //   string-to-key specifier.  The length of the string-to-key
       //   specifier is implied by its type, as described above.
-      this.s2k = new S2K();
+      const s2kType = bytes[i++];
+      this.s2k = newS2KFromType(s2kType);
       i += this.s2k.read(bytes.subarray(i, bytes.length));
 
       if (this.s2k.type === 'gnu-dummy') {
@@ -25765,7 +25983,7 @@ class SecretKeyPacket extends PublicKeyPacket {
     }
     this.isEncrypted = null;
     this.keyMaterial = null;
-    this.s2k = new S2K(config$1);
+    this.s2k = newS2KFromType(enums.s2k.gnu, config$1);
     this.s2k.algorithm = 0;
     this.s2k.c = 0;
     this.s2k.type = 'gnu-dummy';
@@ -25796,8 +26014,8 @@ class SecretKeyPacket extends PublicKeyPacket {
       throw new Error('A non-empty passphrase is required for key encryption.');
     }
 
-    this.s2k = new S2K(config$1);
-    this.s2k.salt = mod.random.getRandomBytes(8);
+    this.s2k = newS2KFromConfig(config$1);
+    this.s2k.generateSalt();
     const cleartext = mod.serializeParams(this.algorithm, this.privateParams);
     this.symmetric = enums.symmetric.aes256;
     const key = await produceEncryptionKey(this.s2k, passphrase, this.symmetric);
@@ -27628,7 +27846,8 @@ function isValidDecryptionKeyPacket(signature, config) {
 
   return !signature.keyFlags ||
     (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||
-    (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0;
+    (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0 ||
+    (config.allowForwardedMessages && (signature.keyFlags[0] & enums.keyFlags.forwardedCommunication) !== 0);
 }
 
 /**
@@ -28576,7 +28795,7 @@ class Key {
       throw exception || new Error('Could not find primary user');
     }
     await Promise.all(users.map(async function (a) {
-      return a.user.revoked || a.user.isRevoked(a.selfCertification, null, date, config$1);
+      return a.selfCertification.revoked || a.user.isRevoked(a.selfCertification, null, date, config$1);
     }));
     // sort by primary user flag and signature creation time
     const primaryUser = users.sort(function(a, b) {
@@ -28799,7 +29018,8 @@ class Key {
 
       results.push(...signatures.map(
         signature => ({
-          userID: user.userID.userID,
+          userID: user.userID ? user.userID.userID : null,
+          userAttribute: user.userAttribute,
           keyID: signature.keyID,
           valid: signature.valid
         }))
@@ -29675,6 +29895,9 @@ class Message {
             decryptedSessionKeyPackets.push(skeskPacket);
           } catch (err) {
             util.printDebugError(err);
+            if (err instanceof Argon2OutOfMemoryError) {
+              exception = err;
+            }
           }
         }));
       }));
@@ -31329,4 +31552,4 @@ function formatObject(object, format, config) {
   }
 }
 
-export { AEADEncryptedDataPacket, CleartextMessage, CompressedDataPacket, LiteralDataPacket, MarkerPacket, Message, OnePassSignaturePacket, PacketList, PrivateKey, PublicKey, PublicKeyEncryptedSessionKeyPacket, PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket, Signature, SignaturePacket, Subkey, SymEncryptedIntegrityProtectedDataPacket, SymEncryptedSessionKeyPacket, SymmetricallyEncryptedDataPacket, TrustPacket, UnparseablePacket, UserAttributePacket, UserIDPacket, _224 as _, commonjsGlobal as a, armor, common$1 as b, createCommonjsModule as c, config, createCleartextMessage, createMessage, common as d, decrypt$4 as decrypt, decryptKey, decryptSessionKeys, _256 as e, encrypt$4 as encrypt, encryptKey, encryptSessionKey, enums, _384 as f, _512 as g, generateKey, generateSessionKey$1 as generateSessionKey, inherits_browser as i, minimalisticAssert as m, ripemd as r, readCleartextMessage, readKey, readKeys, readMessage, readPrivateKey, readPrivateKeys, readSignature, reformatKey, revokeKey, sign$5 as sign, utils as u, unarmor, verify$5 as verify };
+export { AEADEncryptedDataPacket, CleartextMessage, CompressedDataPacket, KDFParams, LiteralDataPacket, MarkerPacket, Message, OnePassSignaturePacket, PacketList, PrivateKey, PublicKey, PublicKeyEncryptedSessionKeyPacket, PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket, Signature, SignaturePacket, Subkey, SymEncryptedIntegrityProtectedDataPacket, SymEncryptedSessionKeyPacket, SymmetricallyEncryptedDataPacket, TrustPacket, UnparseablePacket, UserAttributePacket, UserIDPacket, _224 as _, commonjsGlobal as a, armor, common$1 as b, createCommonjsModule as c, config, createCleartextMessage, createMessage, common as d, decrypt$4 as decrypt, decryptKey, decryptSessionKeys, _256 as e, encrypt$4 as encrypt, encryptKey, encryptSessionKey, enums, _384 as f, _512 as g, generateKey, generateSessionKey$1 as generateSessionKey, inherits_browser as i, minimalisticAssert as m, ripemd as r, readCleartextMessage, readKey, readKeys, readMessage, readPrivateKey, readPrivateKeys, readSignature, reformatKey, revokeKey, sign$5 as sign, utils as u, unarmor, verify$5 as verify };