@protontech/openpgp 5.9.1-0 → 5.10.2

package/dist/node/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v5.9.1-0 - 2023-08-03 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v5.10.2 - 2023-09-18 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 import buffer from 'buffer';
@@ -1515,6 +1515,526 @@ async function getBigInteger() {
   }
 }
 
+/**
+ * @module enums
+ */
+
+const byValue = Symbol('byValue');
+
+var enums = {
+
+  /** Maps curve names under various standards to one
+   * @see {@link https://wiki.gnupg.org/ECC|ECC - GnuPG wiki}
+   * @enum {String}
+   * @readonly
+   */
+  curve: {
+    /** NIST P-256 Curve */
+    'p256':                'p256',
+    'P-256':               'p256',
+    'secp256r1':           'p256',
+    'prime256v1':          'p256',
+    '1.2.840.10045.3.1.7': 'p256',
+    '2a8648ce3d030107':    'p256',
+    '2A8648CE3D030107':    'p256',
+
+    /** NIST P-384 Curve */
+    'p384':         'p384',
+    'P-384':        'p384',
+    'secp384r1':    'p384',
+    '1.3.132.0.34': 'p384',
+    '2b81040022':   'p384',
+    '2B81040022':   'p384',
+
+    /** NIST P-521 Curve */
+    'p521':         'p521',
+    'P-521':        'p521',
+    'secp521r1':    'p521',
+    '1.3.132.0.35': 'p521',
+    '2b81040023':   'p521',
+    '2B81040023':   'p521',
+
+    /** SECG SECP256k1 Curve */
+    'secp256k1':    'secp256k1',
+    '1.3.132.0.10': 'secp256k1',
+    '2b8104000a':   'secp256k1',
+    '2B8104000A':   'secp256k1',
+
+    /** Ed25519 */
+    'ED25519':                'ed25519',
+    'ed25519':                'ed25519',
+    'Ed25519':                'ed25519',
+    '1.3.6.1.4.1.11591.15.1': 'ed25519',
+    '2b06010401da470f01':     'ed25519',
+    '2B06010401DA470F01':     'ed25519',
+
+    /** Curve25519 */
+    'X25519':                 'curve25519',
+    'cv25519':                'curve25519',
+    'curve25519':             'curve25519',
+    'Curve25519':             'curve25519',
+    '1.3.6.1.4.1.3029.1.5.1': 'curve25519',
+    '2b060104019755010501':   'curve25519',
+    '2B060104019755010501':   'curve25519',
+
+    /** BrainpoolP256r1 Curve */
+    'brainpoolP256r1':       'brainpoolP256r1',
+    '1.3.36.3.3.2.8.1.1.7':  'brainpoolP256r1',
+    '2b2403030208010107':    'brainpoolP256r1',
+    '2B2403030208010107':    'brainpoolP256r1',
+
+    /** BrainpoolP384r1 Curve */
+    'brainpoolP384r1':       'brainpoolP384r1',
+    '1.3.36.3.3.2.8.1.1.11': 'brainpoolP384r1',
+    '2b240303020801010b':    'brainpoolP384r1',
+    '2B240303020801010B':    'brainpoolP384r1',
+
+    /** BrainpoolP512r1 Curve */
+    'brainpoolP512r1':       'brainpoolP512r1',
+    '1.3.36.3.3.2.8.1.1.13': 'brainpoolP512r1',
+    '2b240303020801010d':    'brainpoolP512r1',
+    '2B240303020801010D':    'brainpoolP512r1'
+  },
+
+  /** KDF parameters flags
+   * Non-standard extensions (for now) to allow email forwarding
+   * @enum {Integer}
+   * @readonly
+   */
+  kdfFlags: {
+    /** Specify fingerprint to use instead of the recipient's */
+    replace_fingerprint: 0x01,
+    /** Specify custom parameters to use in the KDF digest computation */
+    replace_kdf_params: 0x02
+  },
+
+  /** A string to key specifier type
+   * @enum {Integer}
+   * @readonly
+   */
+  s2k: {
+    simple: 0,
+    salted: 1,
+    iterated: 3,
+    argon2: 4,
+    gnu: 101
+  },
+
+  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-crypto-refresh-08.html#section-9.1|crypto-refresh RFC, section 9.1}
+   * @enum {Integer}
+   * @readonly
+   */
+  publicKey: {
+    /** RSA (Encrypt or Sign) [HAC] */
+    rsaEncryptSign: 1,
+    /** RSA (Encrypt only) [HAC] */
+    rsaEncrypt: 2,
+    /** RSA (Sign only) [HAC] */
+    rsaSign: 3,
+    /** Elgamal (Encrypt only) [ELGAMAL] [HAC] */
+    elgamal: 16,
+    /** DSA (Sign only) [FIPS186] [HAC] */
+    dsa: 17,
+    /** ECDH (Encrypt only) [RFC6637] */
+    ecdh: 18,
+    /** ECDSA (Sign only) [RFC6637] */
+    ecdsa: 19,
+    /** EdDSA (Sign only) - deprecated by crypto-refresh (replaced by `ed25519` identifier below)
+     * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */
+    ed25519Legacy: 22, // NB: this is declared before `eddsa` to translate 22 to 'eddsa' for backwards compatibility
+    eddsa: 22, // to be deprecated in v6
+    /** Reserved for AEDH */
+    aedh: 23,
+    /** Reserved for AEDSA */
+    aedsa: 24,
+    /** X25519 (Encrypt only) */
+    x25519: 25,
+    /** X448 (Encrypt only) */
+    x448: 26,
+    /** Ed25519 (Sign only) */
+    ed25519: 27,
+    /** Ed448 (Sign only) */
+    ed448: 28,
+    /** Symmetric authenticated encryption algorithms */
+    aead: 100,
+    /** Authentication using CMAC */
+    hmac: 101
+  },
+
+  /** {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC4880, section 9.2}
+   * @enum {Integer}
+   * @readonly
+   */
+  symmetric: {
+    plaintext: 0,
+    /** Not implemented! */
+    idea: 1,
+    tripledes: 2,
+    cast5: 3,
+    blowfish: 4,
+    aes128: 7,
+    aes192: 8,
+    aes256: 9,
+    twofish: 10
+  },
+
+  /** {@link https://tools.ietf.org/html/rfc4880#section-9.3|RFC4880, section 9.3}
+   * @enum {Integer}
+   * @readonly
+   */
+  compression: {
+    uncompressed: 0,
+    /** RFC1951 */
+    zip: 1,
+    /** RFC1950 */
+    zlib: 2,
+    bzip2: 3
+  },
+
+  /** {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC4880, section 9.4}
+   * @enum {Integer}
+   * @readonly
+   */
+  hash: {
+    md5: 1,
+    sha1: 2,
+    ripemd: 3,
+    sha256: 8,
+    sha384: 9,
+    sha512: 10,
+    sha224: 11
+  },
+
+  /** A list of hash names as accepted by webCrypto functions.
+   * {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest|Parameters, algo}
+   * @enum {String}
+   */
+  webHash: {
+    'SHA-1': 2,
+    'SHA-256': 8,
+    'SHA-384': 9,
+    'SHA-512': 10
+  },
+
+  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.6|RFC4880bis-04, section 9.6}
+   * @enum {Integer}
+   * @readonly
+   */
+  aead: {
+    eax: 1,
+    ocb: 2,
+    experimentalGCM: 100 // Private algorithm
+  },
+
+  /** A list of packet types and numeric tags associated with them.
+   * @enum {Integer}
+   * @readonly
+   */
+  packet: {
+    publicKeyEncryptedSessionKey: 1,
+    signature: 2,
+    symEncryptedSessionKey: 3,
+    onePassSignature: 4,
+    secretKey: 5,
+    publicKey: 6,
+    secretSubkey: 7,
+    compressedData: 8,
+    symmetricallyEncryptedData: 9,
+    marker: 10,
+    literalData: 11,
+    trust: 12,
+    userID: 13,
+    publicSubkey: 14,
+    userAttribute: 17,
+    symEncryptedIntegrityProtectedData: 18,
+    modificationDetectionCode: 19,
+    aeadEncryptedData: 20 // see IETF draft: https://tools.ietf.org/html/draft-ford-openpgp-format-00#section-2.1
+  },
+
+  /** Data types in the literal packet
+   * @enum {Integer}
+   * @readonly
+   */
+  literal: {
+    /** Binary data 'b' */
+    binary: 'b'.charCodeAt(),
+    /** Text data 't' */
+    text: 't'.charCodeAt(),
+    /** Utf8 data 'u' */
+    utf8: 'u'.charCodeAt(),
+    /** MIME message body part 'm' */
+    mime: 'm'.charCodeAt()
+  },
+
+
+  /** One pass signature packet type
+   * @enum {Integer}
+   * @readonly
+   */
+  signature: {
+    /** 0x00: Signature of a binary document. */
+    binary: 0,
+    /** 0x01: Signature of a canonical text document.
+     *
+     * Canonicalyzing the document by converting line endings. */
+    text: 1,
+    /** 0x02: Standalone signature.
+     *
+     * This signature is a signature of only its own subpacket contents.
+     * It is calculated identically to a signature over a zero-lengh
+     * binary document.  Note that it doesn't make sense to have a V3
+     * standalone signature. */
+    standalone: 2,
+    /** 0x10: Generic certification of a User ID and Public-Key packet.
+     *
+     * The issuer of this certification does not make any particular
+     * assertion as to how well the certifier has checked that the owner
+     * of the key is in fact the person described by the User ID. */
+    certGeneric: 16,
+    /** 0x11: Persona certification of a User ID and Public-Key packet.
+     *
+     * The issuer of this certification has not done any verification of
+     * the claim that the owner of this key is the User ID specified. */
+    certPersona: 17,
+    /** 0x12: Casual certification of a User ID and Public-Key packet.
+     *
+     * The issuer of this certification has done some casual
+     * verification of the claim of identity. */
+    certCasual: 18,
+    /** 0x13: Positive certification of a User ID and Public-Key packet.
+     *
+     * The issuer of this certification has done substantial
+     * verification of the claim of identity.
+     *
+     * Most OpenPGP implementations make their "key signatures" as 0x10
+     * certifications.  Some implementations can issue 0x11-0x13
+     * certifications, but few differentiate between the types. */
+    certPositive: 19,
+    /** 0x30: Certification revocation signature
+     *
+     * This signature revokes an earlier User ID certification signature
+     * (signature class 0x10 through 0x13) or direct-key signature
+     * (0x1F).  It should be issued by the same key that issued the
+     * revoked signature or an authorized revocation key.  The signature
+     * is computed over the same data as the certificate that it
+     * revokes, and should have a later creation date than that
+     * certificate. */
+    certRevocation: 48,
+    /** 0x18: Subkey Binding Signature
+     *
+     * This signature is a statement by the top-level signing key that
+     * indicates that it owns the subkey.  This signature is calculated
+     * directly on the primary key and subkey, and not on any User ID or
+     * other packets.  A signature that binds a signing subkey MUST have
+     * an Embedded Signature subpacket in this binding signature that
+     * contains a 0x19 signature made by the signing subkey on the
+     * primary key and subkey. */
+    subkeyBinding: 24,
+    /** 0x19: Primary Key Binding Signature
+     *
+     * This signature is a statement by a signing subkey, indicating
+     * that it is owned by the primary key and subkey.  This signature
+     * is calculated the same way as a 0x18 signature: directly on the
+     * primary key and subkey, and not on any User ID or other packets.
+     *
+     * When a signature is made over a key, the hash data starts with the
+     * octet 0x99, followed by a two-octet length of the key, and then body
+     * of the key packet.  (Note that this is an old-style packet header for
+     * a key packet with two-octet length.)  A subkey binding signature
+     * (type 0x18) or primary key binding signature (type 0x19) then hashes
+     * the subkey using the same format as the main key (also using 0x99 as
+     * the first octet). */
+    keyBinding: 25,
+    /** 0x1F: Signature directly on a key
+     *
+     * This signature is calculated directly on a key.  It binds the
+     * information in the Signature subpackets to the key, and is
+     * appropriate to be used for subpackets that provide information
+     * about the key, such as the Revocation Key subpacket.  It is also
+     * appropriate for statements that non-self certifiers want to make
+     * about the key itself, rather than the binding between a key and a
+     * name. */
+    key: 31,
+    /** 0x20: Key revocation signature
+     *
+     * The signature is calculated directly on the key being revoked.  A
+     * revoked key is not to be used.  Only revocation signatures by the
+     * key being revoked, or by an authorized revocation key, should be
+     * considered valid revocation signatures.a */
+    keyRevocation: 32,
+    /** 0x28: Subkey revocation signature
+     *
+     * The signature is calculated directly on the subkey being revoked.
+     * A revoked subkey is not to be used.  Only revocation signatures
+     * by the top-level signature key that is bound to this subkey, or
+     * by an authorized revocation key, should be considered valid
+     * revocation signatures.
+     *
+     * Key revocation signatures (types 0x20 and 0x28)
+     * hash only the key being revoked. */
+    subkeyRevocation: 40,
+    /** 0x40: Timestamp signature.
+     * This signature is only meaningful for the timestamp contained in
+     * it. */
+    timestamp: 64,
+    /** 0x50: Third-Party Confirmation signature.
+     *
+     * This signature is a signature over some other OpenPGP Signature
+     * packet(s).  It is analogous to a notary seal on the signed data.
+     * A third-party signature SHOULD include Signature Target
+     * subpacket(s) to give easy identification.  Note that we really do
+     * mean SHOULD.  There are plausible uses for this (such as a blind
+     * party that only sees the signature, not the key or source
+     * document) that cannot include a target subpacket. */
+    thirdParty: 80
+  },
+
+  /** Signature subpacket type
+   * @enum {Integer}
+   * @readonly
+   */
+  signatureSubpacket: {
+    signatureCreationTime: 2,
+    signatureExpirationTime: 3,
+    exportableCertification: 4,
+    trustSignature: 5,
+    regularExpression: 6,
+    revocable: 7,
+    keyExpirationTime: 9,
+    placeholderBackwardsCompatibility: 10,
+    preferredSymmetricAlgorithms: 11,
+    revocationKey: 12,
+    issuer: 16,
+    notationData: 20,
+    preferredHashAlgorithms: 21,
+    preferredCompressionAlgorithms: 22,
+    keyServerPreferences: 23,
+    preferredKeyServer: 24,
+    primaryUserID: 25,
+    policyURI: 26,
+    keyFlags: 27,
+    signersUserID: 28,
+    reasonForRevocation: 29,
+    features: 30,
+    signatureTarget: 31,
+    embeddedSignature: 32,
+    issuerFingerprint: 33,
+    preferredAEADAlgorithms: 34
+  },
+
+  /** Key flags
+   * @enum {Integer}
+   * @readonly
+   */
+  keyFlags: {
+    /** 0x01 - This key may be used to certify other keys. */
+    certifyKeys: 1,
+    /** 0x02 - This key may be used to sign data. */
+    signData: 2,
+    /** 0x04 - This key may be used to encrypt communications. */
+    encryptCommunication: 4,
+    /** 0x08 - This key may be used to encrypt storage. */
+    encryptStorage: 8,
+    /** 0x10 - The private component of this key may have been split
+     *        by a secret-sharing mechanism. */
+    splitPrivateKey: 16,
+    /** 0x20 - This key may be used for authentication. */
+    authentication: 32,
+    /** This key may be used for forwarded communications */
+    forwardedCommunication: 64,
+    /** 0x80 - The private component of this key may be in the
+     *        possession of more than one person. */
+    sharedPrivateKey: 128
+  },
+
+  /** Armor type
+   * @enum {Integer}
+   * @readonly
+   */
+  armor: {
+    multipartSection: 0,
+    multipartLast: 1,
+    signed: 2,
+    message: 3,
+    publicKey: 4,
+    privateKey: 5,
+    signature: 6
+  },
+
+  /** {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.23|RFC4880, section 5.2.3.23}
+   * @enum {Integer}
+   * @readonly
+   */
+  reasonForRevocation: {
+    /** No reason specified (key revocations or cert revocations) */
+    noReason: 0,
+    /** Key is superseded (key revocations) */
+    keySuperseded: 1,
+    /** Key material has been compromised (key revocations) */
+    keyCompromised: 2,
+    /** Key is retired and no longer used (key revocations) */
+    keyRetired: 3,
+    /** User ID information is no longer valid (cert revocations) */
+    userIDInvalid: 32
+  },
+
+  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.2.3.25|RFC4880bis-04, section 5.2.3.25}
+   * @enum {Integer}
+   * @readonly
+   */
+  features: {
+    /** 0x01 - Modification Detection (packets 18 and 19) */
+    modificationDetection: 1,
+    /** 0x02 - AEAD Encrypted Data Packet (packet 20) and version 5
+     *         Symmetric-Key Encrypted Session Key Packets (packet 3) */
+    aead: 2,
+    /** 0x04 - Version 5 Public-Key Packet format and corresponding new
+      *        fingerprint format */
+    v5Keys: 4
+  },
+
+  /**
+   * Asserts validity of given value and converts from string/integer to integer.
+   * @param {Object} type target enum type
+   * @param {String|Integer} e value to check and/or convert
+   * @returns {Integer} enum value if it exists
+   * @throws {Error} if the value is invalid
+   */
+  write: function(type, e) {
+    if (typeof e === 'number') {
+      e = this.read(type, e);
+    }
+
+    if (type[e] !== undefined) {
+      return type[e];
+    }
+
+    throw new Error('Invalid enum value.');
+  },
+
+  /**
+   * Converts enum integer value to the corresponding string, if it exists.
+   * @param {Object} type target enum type
+   * @param {Integer} e value to convert
+   * @returns {String} name of enum value if it exists
+   * @throws {Error} if the value is invalid
+   */
+  read: function(type, e) {
+    if (!type[byValue]) {
+      type[byValue] = [];
+      Object.entries(type).forEach(([key, value]) => {
+        type[byValue][value] = key;
+      });
+    }
+
+    if (type[byValue][e] !== undefined) {
+      return type[byValue][e];
+    }
+
+    throw new Error('Invalid enum value.');
+  }
+};
+
 const debugMode = (() => {
   try {
     return process.env.NODE_ENV === 'development'; // eslint-disable-line no-process-env
@@ -2094,6 +2614,12 @@ const util = {
    */
   selectUint8: function(cond, a, b) {
     return (a & (256 - cond)) | (b & (255 + cond));
+  },
+  /**
+   * @param {module:enums.symmetric} cipherAlgo
+   */
+  isAES: function(cipherAlgo) {
+    return cipherAlgo === enums.symmetric.aes128 || cipherAlgo === enums.symmetric.aes192 || cipherAlgo === enums.symmetric.aes256;
   }
 };
 
@@ -2208,517 +2734,6 @@ function uint8ArrayToB64(bytes, url) {
   return encoded;
 }
 
-/**
- * @module enums
- */
-
-const byValue = Symbol('byValue');
-
-var enums = {
-
-  /** Maps curve names under various standards to one
-   * @see {@link https://wiki.gnupg.org/ECC|ECC - GnuPG wiki}
-   * @enum {String}
-   * @readonly
-   */
-  curve: {
-    /** NIST P-256 Curve */
-    'p256':                'p256',
-    'P-256':               'p256',
-    'secp256r1':           'p256',
-    'prime256v1':          'p256',
-    '1.2.840.10045.3.1.7': 'p256',
-    '2a8648ce3d030107':    'p256',
-    '2A8648CE3D030107':    'p256',
-
-    /** NIST P-384 Curve */
-    'p384':         'p384',
-    'P-384':        'p384',
-    'secp384r1':    'p384',
-    '1.3.132.0.34': 'p384',
-    '2b81040022':   'p384',
-    '2B81040022':   'p384',
-
-    /** NIST P-521 Curve */
-    'p521':         'p521',
-    'P-521':        'p521',
-    'secp521r1':    'p521',
-    '1.3.132.0.35': 'p521',
-    '2b81040023':   'p521',
-    '2B81040023':   'p521',
-
-    /** SECG SECP256k1 Curve */
-    'secp256k1':    'secp256k1',
-    '1.3.132.0.10': 'secp256k1',
-    '2b8104000a':   'secp256k1',
-    '2B8104000A':   'secp256k1',
-
-    /** Ed25519 */
-    'ED25519':                'ed25519',
-    'ed25519':                'ed25519',
-    'Ed25519':                'ed25519',
-    '1.3.6.1.4.1.11591.15.1': 'ed25519',
-    '2b06010401da470f01':     'ed25519',
-    '2B06010401DA470F01':     'ed25519',
-
-    /** Curve25519 */
-    'X25519':                 'curve25519',
-    'cv25519':                'curve25519',
-    'curve25519':             'curve25519',
-    'Curve25519':             'curve25519',
-    '1.3.6.1.4.1.3029.1.5.1': 'curve25519',
-    '2b060104019755010501':   'curve25519',
-    '2B060104019755010501':   'curve25519',
-
-    /** BrainpoolP256r1 Curve */
-    'brainpoolP256r1':       'brainpoolP256r1',
-    '1.3.36.3.3.2.8.1.1.7':  'brainpoolP256r1',
-    '2b2403030208010107':    'brainpoolP256r1',
-    '2B2403030208010107':    'brainpoolP256r1',
-
-    /** BrainpoolP384r1 Curve */
-    'brainpoolP384r1':       'brainpoolP384r1',
-    '1.3.36.3.3.2.8.1.1.11': 'brainpoolP384r1',
-    '2b240303020801010b':    'brainpoolP384r1',
-    '2B240303020801010B':    'brainpoolP384r1',
-
-    /** BrainpoolP512r1 Curve */
-    'brainpoolP512r1':       'brainpoolP512r1',
-    '1.3.36.3.3.2.8.1.1.13': 'brainpoolP512r1',
-    '2b240303020801010d':    'brainpoolP512r1',
-    '2B240303020801010D':    'brainpoolP512r1'
-  },
-
-  /** KDF parameters flags
-   * Non-standard extensions (for now) to allow email forwarding
-   * @enum {Integer}
-   * @readonly
-   */
-  kdfFlags: {
-    /** Specify fingerprint to use instead of the recipient's */
-    replace_fingerprint: 0x01,
-    /** Specify custom parameters to use in the KDF digest computation */
-    replace_kdf_params: 0x02
-  },
-
-  /** A string to key specifier type
-   * @enum {Integer}
-   * @readonly
-   */
-  s2k: {
-    simple: 0,
-    salted: 1,
-    iterated: 3,
-    argon2: 4,
-    gnu: 101
-  },
-
-  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.1|RFC4880bis-04, section 9.1}
-   * @enum {Integer}
-   * @readonly
-   */
-  publicKey: {
-    /** RSA (Encrypt or Sign) [HAC] */
-    rsaEncryptSign: 1,
-    /** RSA (Encrypt only) [HAC] */
-    rsaEncrypt: 2,
-    /** RSA (Sign only) [HAC] */
-    rsaSign: 3,
-    /** Elgamal (Encrypt only) [ELGAMAL] [HAC] */
-    elgamal: 16,
-    /** DSA (Sign only) [FIPS186] [HAC] */
-    dsa: 17,
-    /** ECDH (Encrypt only) [RFC6637] */
-    ecdh: 18,
-    /** ECDSA (Sign only) [RFC6637] */
-    ecdsa: 19,
-    /** EdDSA (Sign only)
-     * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */
-    eddsa: 22,
-    /** Reserved for AEDH */
-    aedh: 23,
-    /** Reserved for AEDSA */
-    aedsa: 24,
-    /** Symmetric authenticated encryption algorithms */
-    aead: 100,
-    /** Authentication using CMAC */
-    hmac: 101
-  },
-
-  /** {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC4880, section 9.2}
-   * @enum {Integer}
-   * @readonly
-   */
-  symmetric: {
-    plaintext: 0,
-    /** Not implemented! */
-    idea: 1,
-    tripledes: 2,
-    cast5: 3,
-    blowfish: 4,
-    aes128: 7,
-    aes192: 8,
-    aes256: 9,
-    twofish: 10
-  },
-
-  /** {@link https://tools.ietf.org/html/rfc4880#section-9.3|RFC4880, section 9.3}
-   * @enum {Integer}
-   * @readonly
-   */
-  compression: {
-    uncompressed: 0,
-    /** RFC1951 */
-    zip: 1,
-    /** RFC1950 */
-    zlib: 2,
-    bzip2: 3
-  },
-
-  /** {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC4880, section 9.4}
-   * @enum {Integer}
-   * @readonly
-   */
-  hash: {
-    md5: 1,
-    sha1: 2,
-    ripemd: 3,
-    sha256: 8,
-    sha384: 9,
-    sha512: 10,
-    sha224: 11
-  },
-
-  /** A list of hash names as accepted by webCrypto functions.
-   * {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest|Parameters, algo}
-   * @enum {String}
-   */
-  webHash: {
-    'SHA-1': 2,
-    'SHA-256': 8,
-    'SHA-384': 9,
-    'SHA-512': 10
-  },
-
-  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.6|RFC4880bis-04, section 9.6}
-   * @enum {Integer}
-   * @readonly
-   */
-  aead: {
-    eax: 1,
-    ocb: 2,
-    experimentalGCM: 100 // Private algorithm
-  },
-
-  /** A list of packet types and numeric tags associated with them.
-   * @enum {Integer}
-   * @readonly
-   */
-  packet: {
-    publicKeyEncryptedSessionKey: 1,
-    signature: 2,
-    symEncryptedSessionKey: 3,
-    onePassSignature: 4,
-    secretKey: 5,
-    publicKey: 6,
-    secretSubkey: 7,
-    compressedData: 8,
-    symmetricallyEncryptedData: 9,
-    marker: 10,
-    literalData: 11,
-    trust: 12,
-    userID: 13,
-    publicSubkey: 14,
-    userAttribute: 17,
-    symEncryptedIntegrityProtectedData: 18,
-    modificationDetectionCode: 19,
-    aeadEncryptedData: 20 // see IETF draft: https://tools.ietf.org/html/draft-ford-openpgp-format-00#section-2.1
-  },
-
-  /** Data types in the literal packet
-   * @enum {Integer}
-   * @readonly
-   */
-  literal: {
-    /** Binary data 'b' */
-    binary: 'b'.charCodeAt(),
-    /** Text data 't' */
-    text: 't'.charCodeAt(),
-    /** Utf8 data 'u' */
-    utf8: 'u'.charCodeAt(),
-    /** MIME message body part 'm' */
-    mime: 'm'.charCodeAt()
-  },
-
-
-  /** One pass signature packet type
-   * @enum {Integer}
-   * @readonly
-   */
-  signature: {
-    /** 0x00: Signature of a binary document. */
-    binary: 0,
-    /** 0x01: Signature of a canonical text document.
-     *
-     * Canonicalyzing the document by converting line endings. */
-    text: 1,
-    /** 0x02: Standalone signature.
-     *
-     * This signature is a signature of only its own subpacket contents.
-     * It is calculated identically to a signature over a zero-lengh
-     * binary document.  Note that it doesn't make sense to have a V3
-     * standalone signature. */
-    standalone: 2,
-    /** 0x10: Generic certification of a User ID and Public-Key packet.
-     *
-     * The issuer of this certification does not make any particular
-     * assertion as to how well the certifier has checked that the owner
-     * of the key is in fact the person described by the User ID. */
-    certGeneric: 16,
-    /** 0x11: Persona certification of a User ID and Public-Key packet.
-     *
-     * The issuer of this certification has not done any verification of
-     * the claim that the owner of this key is the User ID specified. */
-    certPersona: 17,
-    /** 0x12: Casual certification of a User ID and Public-Key packet.
-     *
-     * The issuer of this certification has done some casual
-     * verification of the claim of identity. */
-    certCasual: 18,
-    /** 0x13: Positive certification of a User ID and Public-Key packet.
-     *
-     * The issuer of this certification has done substantial
-     * verification of the claim of identity.
-     *
-     * Most OpenPGP implementations make their "key signatures" as 0x10
-     * certifications.  Some implementations can issue 0x11-0x13
-     * certifications, but few differentiate between the types. */
-    certPositive: 19,
-    /** 0x30: Certification revocation signature
-     *
-     * This signature revokes an earlier User ID certification signature
-     * (signature class 0x10 through 0x13) or direct-key signature
-     * (0x1F).  It should be issued by the same key that issued the
-     * revoked signature or an authorized revocation key.  The signature
-     * is computed over the same data as the certificate that it
-     * revokes, and should have a later creation date than that
-     * certificate. */
-    certRevocation: 48,
-    /** 0x18: Subkey Binding Signature
-     *
-     * This signature is a statement by the top-level signing key that
-     * indicates that it owns the subkey.  This signature is calculated
-     * directly on the primary key and subkey, and not on any User ID or
-     * other packets.  A signature that binds a signing subkey MUST have
-     * an Embedded Signature subpacket in this binding signature that
-     * contains a 0x19 signature made by the signing subkey on the
-     * primary key and subkey. */
-    subkeyBinding: 24,
-    /** 0x19: Primary Key Binding Signature
-     *
-     * This signature is a statement by a signing subkey, indicating
-     * that it is owned by the primary key and subkey.  This signature
-     * is calculated the same way as a 0x18 signature: directly on the
-     * primary key and subkey, and not on any User ID or other packets.
-     *
-     * When a signature is made over a key, the hash data starts with the
-     * octet 0x99, followed by a two-octet length of the key, and then body
-     * of the key packet.  (Note that this is an old-style packet header for
-     * a key packet with two-octet length.)  A subkey binding signature
-     * (type 0x18) or primary key binding signature (type 0x19) then hashes
-     * the subkey using the same format as the main key (also using 0x99 as
-     * the first octet). */
-    keyBinding: 25,
-    /** 0x1F: Signature directly on a key
-     *
-     * This signature is calculated directly on a key.  It binds the
-     * information in the Signature subpackets to the key, and is
-     * appropriate to be used for subpackets that provide information
-     * about the key, such as the Revocation Key subpacket.  It is also
-     * appropriate for statements that non-self certifiers want to make
-     * about the key itself, rather than the binding between a key and a
-     * name. */
-    key: 31,
-    /** 0x20: Key revocation signature
-     *
-     * The signature is calculated directly on the key being revoked.  A
-     * revoked key is not to be used.  Only revocation signatures by the
-     * key being revoked, or by an authorized revocation key, should be
-     * considered valid revocation signatures.a */
-    keyRevocation: 32,
-    /** 0x28: Subkey revocation signature
-     *
-     * The signature is calculated directly on the subkey being revoked.
-     * A revoked subkey is not to be used.  Only revocation signatures
-     * by the top-level signature key that is bound to this subkey, or
-     * by an authorized revocation key, should be considered valid
-     * revocation signatures.
-     *
-     * Key revocation signatures (types 0x20 and 0x28)
-     * hash only the key being revoked. */
-    subkeyRevocation: 40,
-    /** 0x40: Timestamp signature.
-     * This signature is only meaningful for the timestamp contained in
-     * it. */
-    timestamp: 64,
-    /** 0x50: Third-Party Confirmation signature.
-     *
-     * This signature is a signature over some other OpenPGP Signature
-     * packet(s).  It is analogous to a notary seal on the signed data.
-     * A third-party signature SHOULD include Signature Target
-     * subpacket(s) to give easy identification.  Note that we really do
-     * mean SHOULD.  There are plausible uses for this (such as a blind
-     * party that only sees the signature, not the key or source
-     * document) that cannot include a target subpacket. */
-    thirdParty: 80
-  },
-
-  /** Signature subpacket type
-   * @enum {Integer}
-   * @readonly
-   */
-  signatureSubpacket: {
-    signatureCreationTime: 2,
-    signatureExpirationTime: 3,
-    exportableCertification: 4,
-    trustSignature: 5,
-    regularExpression: 6,
-    revocable: 7,
-    keyExpirationTime: 9,
-    placeholderBackwardsCompatibility: 10,
-    preferredSymmetricAlgorithms: 11,
-    revocationKey: 12,
-    issuer: 16,
-    notationData: 20,
-    preferredHashAlgorithms: 21,
-    preferredCompressionAlgorithms: 22,
-    keyServerPreferences: 23,
-    preferredKeyServer: 24,
-    primaryUserID: 25,
-    policyURI: 26,
-    keyFlags: 27,
-    signersUserID: 28,
-    reasonForRevocation: 29,
-    features: 30,
-    signatureTarget: 31,
-    embeddedSignature: 32,
-    issuerFingerprint: 33,
-    preferredAEADAlgorithms: 34
-  },
-
-  /** Key flags
-   * @enum {Integer}
-   * @readonly
-   */
-  keyFlags: {
-    /** 0x01 - This key may be used to certify other keys. */
-    certifyKeys: 1,
-    /** 0x02 - This key may be used to sign data. */
-    signData: 2,
-    /** 0x04 - This key may be used to encrypt communications. */
-    encryptCommunication: 4,
-    /** 0x08 - This key may be used to encrypt storage. */
-    encryptStorage: 8,
-    /** 0x10 - The private component of this key may have been split
-     *        by a secret-sharing mechanism. */
-    splitPrivateKey: 16,
-    /** 0x20 - This key may be used for authentication. */
-    authentication: 32,
-    /** This key may be used for forwarded communications */
-    forwardedCommunication: 64,
-    /** 0x80 - The private component of this key may be in the
-     *        possession of more than one person. */
-    sharedPrivateKey: 128
-  },
-
-  /** Armor type
-   * @enum {Integer}
-   * @readonly
-   */
-  armor: {
-    multipartSection: 0,
-    multipartLast: 1,
-    signed: 2,
-    message: 3,
-    publicKey: 4,
-    privateKey: 5,
-    signature: 6
-  },
-
-  /** {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.23|RFC4880, section 5.2.3.23}
-   * @enum {Integer}
-   * @readonly
-   */
-  reasonForRevocation: {
-    /** No reason specified (key revocations or cert revocations) */
-    noReason: 0,
-    /** Key is superseded (key revocations) */
-    keySuperseded: 1,
-    /** Key material has been compromised (key revocations) */
-    keyCompromised: 2,
-    /** Key is retired and no longer used (key revocations) */
-    keyRetired: 3,
-    /** User ID information is no longer valid (cert revocations) */
-    userIDInvalid: 32
-  },
-
-  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.2.3.25|RFC4880bis-04, section 5.2.3.25}
-   * @enum {Integer}
-   * @readonly
-   */
-  features: {
-    /** 0x01 - Modification Detection (packets 18 and 19) */
-    modificationDetection: 1,
-    /** 0x02 - AEAD Encrypted Data Packet (packet 20) and version 5
-     *         Symmetric-Key Encrypted Session Key Packets (packet 3) */
-    aead: 2,
-    /** 0x04 - Version 5 Public-Key Packet format and corresponding new
-      *        fingerprint format */
-    v5Keys: 4
-  },
-
-  /**
-   * Asserts validity of given value and converts from string/integer to integer.
-   * @param {Object} type target enum type
-   * @param {String|Integer} e value to check and/or convert
-   * @returns {Integer} enum value if it exists
-   * @throws {Error} if the value is invalid
-   */
-  write: function(type, e) {
-    if (typeof e === 'number') {
-      e = this.read(type, e);
-    }
-
-    if (type[e] !== undefined) {
-      return type[e];
-    }
-
-    throw new Error('Invalid enum value.');
-  },
-
-  /**
-   * Converts enum integer value to the corresponding string, if it exists.
-   * @param {Object} type target enum type
-   * @param {Integer} e value to convert
-   * @returns {String} name of enum value if it exists
-   * @throws {Error} if the value is invalid
-   */
-  read: function(type, e) {
-    if (!type[byValue]) {
-      type[byValue] = [];
-      Object.entries(type).forEach(([key, value]) => {
-        type[byValue][value] = key;
-      });
-    }
-
-    if (type[byValue][e] !== undefined) {
-      return type[byValue][e];
-    }
-
-    throw new Error('Invalid enum value.');
-  }
-};
-
 // GPG4Browsers - An OpenPGP implementation in javascript
 
 var config = {
@@ -2935,7 +2950,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 5.9.1-0',
+  versionString: 'OpenPGP.js 5.10.2',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -3427,6 +3442,7 @@ class KeyID {
    */
   read(bytes) {
     this.bytes = util.uint8ArrayToString(bytes.subarray(0, 8));
+    return this.bytes.length;
   }
 
   /**
@@ -9983,7 +9999,7 @@ async function encrypt(algo, key, plaintext, iv, config) {
   if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
     return nodeEncrypt(algo, key, plaintext, iv);
   }
-  if (algoName.substr(0, 3) === 'aes') {
+  if (util.isAES(algo)) {
     return aesEncrypt(algo, key, plaintext, iv, config);
   }
 
@@ -10026,7 +10042,7 @@ async function decrypt(algo, key, ciphertext, iv) {
   if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
     return nodeDecrypt(algo, key, ciphertext, iv);
   }
-  if (algoName.substr(0, 3) === 'aes') {
+  if (util.isAES(algo)) {
     return aesDecrypt(algo, key, ciphertext, iv);
   }
 
@@ -10045,7 +10061,7 @@ async function decrypt(algo, key, ciphertext, iv) {
     let j = 0;
     while (chunk ? ct.length >= block_size : ct.length) {
       const decblock = cipherfn.encrypt(blockp);
-      blockp = ct;
+      blockp = ct.subarray(0, block_size);
       for (i = 0; i < block_size; i++) {
         plaintext[j++] = blockp[i] ^ decblock[i];
       }
@@ -13612,7 +13628,7 @@ const curves = {
   }
 };
 
-class Curve {
+class CurveWithOID {
   constructor(oidOrName, params) {
     try {
       if (util.isArray(oidOrName) ||
@@ -13689,7 +13705,7 @@ class Curve {
 async function generate$1(curve) {
   const BigInteger = await util.getBigInteger();
 
-  curve = new Curve(curve);
+  curve = new CurveWithOID(curve);
   const keyPair = await curve.genKeyPair();
   const Q = new BigInteger(keyPair.publicKey).toUint8Array();
   const secret = new BigInteger(keyPair.privateKey).toUint8Array('be', curve.payloadSize);
@@ -13878,7 +13894,7 @@ const nodeCrypto$8 = util.getNodeCrypto();
  * @async
  */
 async function sign$1(oid, hashAlgo, message, publicKey, privateKey, hashed) {
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   if (message && !util.isStream(message)) {
     const keyPair = { publicKey, privateKey };
     switch (curve.type) {
@@ -13923,7 +13939,7 @@ async function sign$1(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @async
  */
 async function verify$1(oid, hashAlgo, signature, message, publicKey, hashed) {
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   if (message && !util.isStream(message)) {
     switch (curve.type) {
       case 'web':
@@ -13957,7 +13973,7 @@ async function verify$1(oid, hashAlgo, signature, message, publicKey, hashed) {
  * @async
  */
 async function validateParams$2(oid, Q, d) {
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   // Reject curves x25519 and ed25519
   if (curve.keyType !== enums.publicKey.ecdsa) {
     return false;
@@ -14160,7 +14176,7 @@ var ecdsa = /*#__PURE__*/Object.freeze({
 naclFastLight.hash = bytes => new Uint8Array(_512().update(bytes).digest());
 
 /**
- * Sign a message using the provided key
+ * Sign a message using the provided legacy EdDSA key
  * @param {module:type/oid} oid - Elliptic curve object identifier
  * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)
  * @param {Uint8Array} message - Message to sign
@@ -14188,7 +14204,7 @@ async function sign$2(oid, hashAlgo, message, publicKey, privateKey, hashed) {
 }
 
 /**
- * Verifies if a signature is valid for a message
+ * Verifies if a legacy EdDSA signature is valid for a message
  * @param {module:type/oid} oid - Elliptic curve object identifier
  * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature
  * @param  {{r: Uint8Array,
@@ -14204,7 +14220,7 @@ async function verify$2(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
   return naclFastLight.sign.detached.verify(hashed, signature, publicKey.subarray(1));
 }
 /**
- * Validate EdDSA parameters
+ * Validate legacy EdDSA parameters
  * @param {module:type/oid} oid - Elliptic curve object identifier
  * @param {Uint8Array} Q - EdDSA public point
  * @param {Uint8Array} k - EdDSA secret seed
@@ -14224,9 +14240,10 @@ async function validateParams$3(oid, Q, k) {
   const { publicKey } = naclFastLight.sign.keyPair.fromSeed(k);
   const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix
   return util.equalsUint8Array(Q, dG);
+
 }
 
-var eddsa = /*#__PURE__*/Object.freeze({
+var eddsa_legacy = /*#__PURE__*/Object.freeze({
   __proto__: null,
   sign: sign$2,
   verify: verify$2,
@@ -14235,6 +14252,113 @@ var eddsa = /*#__PURE__*/Object.freeze({
 
 // OpenPGP.js - An OpenPGP implementation in javascript
 
+naclFastLight.hash = bytes => new Uint8Array(_512().update(bytes).digest());
+
+/**
+ * Generate (non-legacy) EdDSA key
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @returns {Promise<{ A: Uint8Array, seed: Uint8Array }>}
+ */
+async function generate$2(algo) {
+  switch (algo) {
+    case enums.publicKey.ed25519: {
+      const seed = getRandomBytes(32);
+      const { publicKey: A } = naclFastLight.sign.keyPair.fromSeed(seed);
+      return { A, seed };
+    }
+    default:
+      throw new Error('Unsupported EdDSA algorithm');
+  }
+}
+
+/**
+ * Sign a message using the provided key
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)
+ * @param {Uint8Array} message - Message to sign
+ * @param {Uint8Array} publicKey - Public key
+ * @param {Uint8Array} privateKey - Private key used to sign the message
+ * @param {Uint8Array} hashed - The hashed message
+ * @returns {Promise<{
+ *   RS: Uint8Array
+ * }>} Signature of the message
+ * @async
+ */
+async function sign$3(algo, hashAlgo, message, publicKey, privateKey, hashed) {
+  if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
+    // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
+    throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.');
+  }
+  switch (algo) {
+    case enums.publicKey.ed25519: {
+      const secretKey = util.concatUint8Array([privateKey, publicKey]);
+      const signature = naclFastLight.sign.detached(hashed, secretKey);
+      return { RS: signature };
+    }
+    case enums.publicKey.ed448:
+    default:
+      throw new Error('Unsupported EdDSA algorithm');
+  }
+
+}
+
+/**
+ * Verifies if a signature is valid for a message
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature
+ * @param  {{ RS: Uint8Array }} signature Signature to verify the message
+ * @param {Uint8Array} m - Message to verify
+ * @param {Uint8Array} publicKey - Public key used to verify the message
+ * @param {Uint8Array} hashed - The hashed message
+ * @returns {Boolean}
+ * @async
+ */
+async function verify$3(algo, hashAlgo, { RS }, m, publicKey, hashed) {
+  switch (algo) {
+    case enums.publicKey.ed25519: {
+      return naclFastLight.sign.detached.verify(hashed, RS, publicKey);
+    }
+    case enums.publicKey.ed448:
+    default:
+      throw new Error('Unsupported EdDSA algorithm');
+  }
+}
+/**
+ * Validate (non-legacy) EdDSA parameters
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {Uint8Array} A - EdDSA public point
+ * @param {Uint8Array} seed - EdDSA secret seed
+ * @param {Uint8Array} oid - (legacy only) EdDSA OID
+ * @returns {Promise<Boolean>} Whether params are valid.
+ * @async
+ */
+async function validateParams$4(algo, A, seed) {
+  switch (algo) {
+    case enums.publicKey.ed25519: {
+      /**
+       * Derive public point A' from private key
+       * and expect A == A'
+       */
+      const { publicKey } = naclFastLight.sign.keyPair.fromSeed(seed);
+      return util.equalsUint8Array(A, publicKey);
+    }
+
+    case enums.publicKey.ed448: // unsupported
+    default:
+      return false;
+  }
+}
+
+var eddsa = /*#__PURE__*/Object.freeze({
+  __proto__: null,
+  generate: generate$2,
+  sign: sign$3,
+  verify: verify$3,
+  validateParams: validateParams$4
+});
+
+// OpenPGP.js - An OpenPGP implementation in javascript
+
 /**
  * AES key wrap
  * @function
@@ -14422,7 +14546,7 @@ const nodeCrypto$9 = util.getNodeCrypto();
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$4(oid, Q, d) {
+async function validateParams$5(oid, Q, d) {
   return validateStandardParams(enums.publicKey.ecdh, oid, Q, d);
 }
 
@@ -14464,7 +14588,7 @@ async function kdf(hashAlgo, X, length, param, stripLeading = false, stripTraili
 /**
  * Generate ECDHE ephemeral key and secret from public key
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} Q - Recipient public key
  * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
  * @async
@@ -14507,7 +14631,7 @@ async function genPublicEphemeralKey(curve, Q) {
 async function encrypt$3(oid, kdfParams, data, Q, fingerprint) {
   const m = encode$1(data);
 
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   const { publicKey, sharedKey } = await genPublicEphemeralKey(curve, Q);
   const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
   const { keySize } = getCipher(kdfParams.cipher);
@@ -14519,7 +14643,7 @@ async function encrypt$3(oid, kdfParams, data, Q, fingerprint) {
 /**
  * Generate ECDHE secret from private key and public part of ephemeral key
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} V - Public part of ephemeral key
  * @param {Uint8Array} Q - Recipient public key
  * @param {Uint8Array} d - Recipient private key
@@ -14567,7 +14691,7 @@ async function genPrivateEphemeralKey(curve, V, Q, d) {
  * @async
  */
 async function decrypt$3(oid, kdfParams, V, C, Q, d, fingerprint) {
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   const { sharedKey } = await genPrivateEphemeralKey(curve, V, Q, d);
   const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
   const { keySize } = getCipher(kdfParams.cipher);
@@ -14587,7 +14711,7 @@ async function decrypt$3(oid, kdfParams, V, C, Q, d, fingerprint) {
 /**
  * Generate ECDHE secret from private key and public part of ephemeral key using webCrypto
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} V - Public part of ephemeral key
  * @param {Uint8Array} Q - Recipient public key
  * @param {Uint8Array} d - Recipient private key
@@ -14640,7 +14764,7 @@ async function webPrivateEphemeralKey(curve, V, Q, d) {
 /**
  * Generate ECDHE ephemeral key and secret from public key using webCrypto
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} Q - Recipient public key
  * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
  * @async
@@ -14688,7 +14812,7 @@ async function webPublicEphemeralKey(curve, Q) {
 /**
  * Generate ECDHE secret from private key and public part of ephemeral key using indutny/elliptic
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} V - Public part of ephemeral key
  * @param {Uint8Array} d - Recipient private key
  * @returns {Promise<{secretKey: Uint8Array, sharedKey: Uint8Array}>}
@@ -14708,7 +14832,7 @@ async function ellipticPrivateEphemeralKey(curve, V, d) {
 /**
  * Generate ECDHE ephemeral key and secret from public key using indutny/elliptic
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} Q - Recipient public key
  * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
  * @async
@@ -14728,7 +14852,7 @@ async function ellipticPublicEphemeralKey(curve, Q) {
 /**
  * Generate ECDHE secret from private key and public part of ephemeral key using nodeCrypto
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} V - Public part of ephemeral key
  * @param {Uint8Array} d - Recipient private key
  * @returns {Promise<{secretKey: Uint8Array, sharedKey: Uint8Array}>}
@@ -14745,7 +14869,7 @@ async function nodePrivateEphemeralKey(curve, V, d) {
 /**
  * Generate ECDHE ephemeral key and secret from public key using nodeCrypto
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} Q - Recipient public key
  * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
  * @async
@@ -14760,18 +14884,204 @@ async function nodePublicEphemeralKey(curve, Q) {
 
 var ecdh = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  validateParams: validateParams$4,
+  validateParams: validateParams$5,
   encrypt: encrypt$3,
   decrypt: decrypt$3
 });
 
+/**
+ * @fileoverview This module implements HKDF using either the WebCrypto API or Node.js' crypto API.
+ * @module crypto/hkdf
+ * @private
+ */
+
+const webCrypto$9 = util.getWebCrypto();
+const nodeCrypto$a = util.getNodeCrypto();
+const nodeSubtleCrypto = nodeCrypto$a && nodeCrypto$a.webcrypto && nodeCrypto$a.webcrypto.subtle;
+
+async function HKDF(hashAlgo, inputKey, salt, info, outLen) {
+  const hash = enums.read(enums.webHash, hashAlgo);
+  if (!hash) throw new Error('Hash algo not supported with HKDF');
+
+  if (webCrypto$9 || nodeSubtleCrypto) {
+    const crypto = webCrypto$9 || nodeSubtleCrypto;
+    const importedKey = await crypto.importKey('raw', inputKey, 'HKDF', false, ['deriveBits']);
+    const bits = await crypto.deriveBits({ name: 'HKDF', hash, salt, info }, importedKey, outLen * 8);
+    return new Uint8Array(bits);
+  }
+
+  if (nodeCrypto$a) {
+    const hashAlgoName = enums.read(enums.hash, hashAlgo);
+    // Node-only HKDF implementation based on https://www.rfc-editor.org/rfc/rfc5869
+
+    const computeHMAC = (hmacKey, hmacMessage) => nodeCrypto$a.createHmac(hashAlgoName, hmacKey).update(hmacMessage).digest();
+    // Step 1: Extract
+    // PRK = HMAC-Hash(salt, IKM)
+    const pseudoRandomKey = computeHMAC(salt, inputKey);
+
+    const hashLen = pseudoRandomKey.length;
+
+    // Step 2: Expand
+    // HKDF-Expand(PRK, info, L) -> OKM
+    const n = Math.ceil(outLen / hashLen);
+    const outputKeyingMaterial = new Uint8Array(n * hashLen);
+
+    // HMAC input buffer updated at each iteration
+    const roundInput = new Uint8Array(hashLen + info.length + 1);
+    // T_i and last byte are updated at each iteration, but `info` remains constant
+    roundInput.set(info, hashLen);
+
+    for (let i = 0; i < n; i++) {
+      // T(0) = empty string (zero length)
+      // T(i) = HMAC-Hash(PRK, T(i-1) | info | i)
+      roundInput[roundInput.length - 1] = i + 1;
+      // t = T(i+1)
+      const t = computeHMAC(pseudoRandomKey, i > 0 ? roundInput : roundInput.subarray(hashLen));
+      roundInput.set(t, 0);
+
+      outputKeyingMaterial.set(t, i * hashLen);
+    }
+
+    return outputKeyingMaterial.subarray(0, outLen);
+  }
+
+  throw new Error('No HKDF implementation available');
+}
+
+/**
+ * @fileoverview Key encryption and decryption for RFC 6637 ECDH
+ * @module crypto/public_key/elliptic/ecdh
+ * @private
+ */
+
+const HKDF_INFO = {
+  x25519: util.encodeUTF8('OpenPGP X25519')
+};
+
+/**
+ * Generate ECDH key for Montgomery curves
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @returns {Promise<{ A: Uint8Array, k: Uint8Array }>}
+ */
+async function generate$3(algo) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      // k stays in little-endian, unlike legacy ECDH over curve25519
+      const k = getRandomBytes(32);
+      k[0] &= 248;
+      k[31] = (k[31] & 127) | 64;
+      const { publicKey: A } = naclFastLight.box.keyPair.fromSecretKey(k);
+      return { A, k };
+    }
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
+/**
+* Validate ECDH parameters
+* @param {module:enums.publicKey} algo - Algorithm identifier
+* @param {Uint8Array} A - ECDH public point
+* @param {Uint8Array} k - ECDH secret scalar
+* @returns {Promise<Boolean>} Whether params are valid.
+* @async
+*/
+async function validateParams$6(algo, A, k) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      /**
+       * Derive public point A' from private key
+       * and expect A == A'
+       */
+      const { publicKey } = naclFastLight.box.keyPair.fromSecretKey(k);
+      return util.equalsUint8Array(A, publicKey);
+    }
+
+    default:
+      return false;
+  }
+}
+
+/**
+ * Wrap and encrypt a session key
+ *
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {Uint8Array} data - session key data to be encrypted
+ * @param {Uint8Array} recipientA - Recipient public key (K_B)
+ * @returns {Promise<{
+ *  ephemeralPublicKey: Uint8Array,
+ * wrappedKey: Uint8Array
+ * }>} ephemeral public key (K_A) and encrypted key
+ * @async
+ */
+async function encrypt$4(algo, data, recipientA) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      const ephemeralSecretKey = getRandomBytes(32);
+      const sharedSecret = naclFastLight.scalarMult(ephemeralSecretKey, recipientA);
+      const { publicKey: ephemeralPublicKey } = naclFastLight.box.keyPair.fromSecretKey(ephemeralSecretKey);
+      const hkdfInput = util.concatUint8Array([
+        ephemeralPublicKey,
+        recipientA,
+        sharedSecret
+      ]);
+      const { keySize } = getCipher(enums.symmetric.aes128);
+      const encryptionKey = await HKDF(enums.hash.sha256, hkdfInput, new Uint8Array(), HKDF_INFO.x25519, keySize);
+      const wrappedKey = wrap(encryptionKey, data);
+      return { ephemeralPublicKey, wrappedKey };
+    }
+
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
+/**
+ * Decrypt and unwrap the session key
+ *
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {Uint8Array} ephemeralPublicKey - (K_A)
+ * @param {Uint8Array} wrappedKey,
+ * @param {Uint8Array} A - Recipient public key (K_b), needed for KDF
+ * @param {Uint8Array} k - Recipient secret key (b)
+ * @returns {Promise<Uint8Array>} decrypted session key data
+ * @async
+ */
+async function decrypt$4(algo, ephemeralPublicKey, wrappedKey, A, k) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      const sharedSecret = naclFastLight.scalarMult(k, ephemeralPublicKey);
+      const hkdfInput = util.concatUint8Array([
+        ephemeralPublicKey,
+        A,
+        sharedSecret
+      ]);
+      const { keySize } = getCipher(enums.symmetric.aes128);
+      const encryptionKey = await HKDF(enums.hash.sha256, hkdfInput, new Uint8Array(), HKDF_INFO.x25519, keySize);
+      return unwrap(encryptionKey, wrappedKey);
+    }
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
+var ecdh_x = /*#__PURE__*/Object.freeze({
+  __proto__: null,
+  generate: generate$3,
+  validateParams: validateParams$6,
+  encrypt: encrypt$4,
+  decrypt: decrypt$4
+});
+
 // OpenPGP.js - An OpenPGP implementation in javascript
 
 var elliptic = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  Curve: Curve,
+  CurveWithOID: CurveWithOID,
   ecdh: ecdh,
+  ecdhX: ecdh_x,
   ecdsa: ecdsa,
+  eddsaLegacy: eddsa_legacy,
   eddsa: eddsa,
   generate: generate$1,
   getPreferredHashAlgo: getPreferredHashAlgo
@@ -14796,7 +15106,7 @@ var elliptic = /*#__PURE__*/Object.freeze({
  * @returns {Promise<{ r: Uint8Array, s: Uint8Array }>}
  * @async
  */
-async function sign$3(hashAlgo, hashed, g, p, q, x) {
+async function sign$4(hashAlgo, hashed, g, p, q, x) {
   const BigInteger = await util.getBigInteger();
   const one = new BigInteger(1);
   p = new BigInteger(p);
@@ -14855,7 +15165,7 @@ async function sign$3(hashAlgo, hashed, g, p, q, x) {
  * @returns {boolean}
  * @async
  */
-async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
+async function verify$4(hashAlgo, r, s, hashed, g, p, q, y) {
   const BigInteger = await util.getBigInteger();
   const zero = new BigInteger(0);
   r = new BigInteger(r);
@@ -14898,7 +15208,7 @@ async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$5(p, q, g, y, x) {
+async function validateParams$7(p, q, g, y, x) {
   const BigInteger = await util.getBigInteger();
   p = new BigInteger(p);
   q = new BigInteger(q);
@@ -14953,9 +15263,9 @@ async function validateParams$5(p, q, g, y, x) {
 
 var dsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  sign: sign$3,
-  verify: verify$3,
-  validateParams: validateParams$5
+  sign: sign$4,
+  verify: verify$4,
+  validateParams: validateParams$7
 });
 
 /**
@@ -15091,10 +15401,11 @@ function parseSignatureParams(algo, signature) {
       const s = util.readMPI(signature.subarray(read));
       return { r, s };
     }
-    // Algorithm-Specific Fields for EdDSA signatures:
+    // Algorithm-Specific Fields for legacy EdDSA signatures:
     // -  MPI of an EC point r.
     // -  EdDSA value s, in MPI, in the little endian representation
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsa:
+    case enums.publicKey.ed25519Legacy: {
       // When parsing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
       // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9
       let r = util.readMPI(signature.subarray(read)); read += r.length + 2;
@@ -15103,7 +15414,12 @@ function parseSignatureParams(algo, signature) {
       s = util.leftPad(s, 32);
       return { r, s };
     }
-
+    // Algorithm-Specific Fields for Ed25519 signatures:
+    // - 64 octets of the native signature
+    case enums.publicKey.ed25519: {
+      const RS = signature.subarray(read, read + 64); read += RS.length;
+      return { RS };
+    }
     case enums.publicKey.hmac: {
       const mac = new ShortByteString(); mac.read(signature.subarray(read));
       return { mac };
@@ -15128,7 +15444,7 @@ function parseSignatureParams(algo, signature) {
  * @returns {Promise<Boolean>} True if signature is valid.
  * @async
  */
-async function verify$4(algo, hashAlgo, signature, publicParams, privateParams, data, hashed) {
+async function verify$5(algo, hashAlgo, signature, publicParams, privateParams, data, hashed) {
   switch (algo) {
     case enums.publicKey.rsaEncryptSign:
     case enums.publicKey.rsaEncrypt:
@@ -15144,16 +15460,21 @@ async function verify$4(algo, hashAlgo, signature, publicParams, privateParams,
     }
     case enums.publicKey.ecdsa: {
       const { oid, Q } = publicParams;
-      const curveSize = new publicKey.elliptic.Curve(oid).payloadSize;
+      const curveSize = new publicKey.elliptic.CurveWithOID(oid).payloadSize;
       // padding needed for webcrypto
       const r = util.leftPad(signature.r, curveSize);
       const s = util.leftPad(signature.s, curveSize);
       return publicKey.elliptic.ecdsa.verify(oid, hashAlgo, { r, s }, data, Q, hashed);
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsa:
+    case enums.publicKey.ed25519Legacy: {
       const { oid, Q } = publicParams;
       // signature already padded on parsing
-      return publicKey.elliptic.eddsa.verify(oid, hashAlgo, signature, data, Q, hashed);
+      return publicKey.elliptic.eddsaLegacy.verify(oid, hashAlgo, signature, data, Q, hashed);
+    }
+    case enums.publicKey.ed25519: {
+      const { A } = publicParams;
+      return publicKey.elliptic.eddsa.verify(algo, hashAlgo, signature, data, A, hashed);
     }
     case enums.publicKey.hmac: {
       if (!privateParams) {
@@ -15183,7 +15504,7 @@ async function verify$4(algo, hashAlgo, signature, publicParams, privateParams,
  * @returns {Promise<Object>} Signature                      Object containing named signature parameters.
  * @async
  */
-async function sign$4(algo, hashAlgo, publicKeyParams, privateKeyParams, data, hashed) {
+async function sign$5(algo, hashAlgo, publicKeyParams, privateKeyParams, data, hashed) {
   if (!publicKeyParams || !privateKeyParams) {
     throw new Error('Missing key parameters');
   }
@@ -15209,10 +15530,16 @@ async function sign$4(algo, hashAlgo, publicKeyParams, privateKeyParams, data, h
       const { d } = privateKeyParams;
       return publicKey.elliptic.ecdsa.sign(oid, hashAlgo, data, Q, d, hashed);
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsa:
+    case enums.publicKey.ed25519Legacy: {
       const { oid, Q } = publicKeyParams;
       const { seed } = privateKeyParams;
-      return publicKey.elliptic.eddsa.sign(oid, hashAlgo, data, Q, seed, hashed);
+      return publicKey.elliptic.eddsaLegacy.sign(oid, hashAlgo, data, Q, seed, hashed);
+    }
+    case enums.publicKey.ed25519: {
+      const { A } = publicKeyParams;
+      const { seed } = privateKeyParams;
+      return publicKey.elliptic.eddsa.sign(algo, hashAlgo, data, A, seed, hashed);
     }
     case enums.publicKey.hmac: {
       const { cipher: algo } = publicKeyParams;
@@ -15228,34 +15555,31 @@ async function sign$4(algo, hashAlgo, publicKeyParams, privateKeyParams, data, h
 var signature = /*#__PURE__*/Object.freeze({
   __proto__: null,
   parseSignatureParams: parseSignatureParams,
-  verify: verify$4,
-  sign: sign$4
+  verify: verify$5,
+  sign: sign$5
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
 
 class ECDHSymmetricKey {
   constructor(data) {
-    if (typeof data === 'undefined') {
-      data = new Uint8Array([]);
-    } else if (util.isString(data)) {
-      data = util.stringToUint8Array(data);
-    } else {
-      data = new Uint8Array(data);
+    if (data) {
+      this.data = data;
     }
-    this.data = data;
   }
 
   /**
-   * Read an ECDHSymmetricKey from an Uint8Array
-   * @param {Uint8Array} input - Where to read the encoded symmetric key from
+   * Read an ECDHSymmetricKey from an Uint8Array:
+   * - 1 octect for the length `l`
+   * - `l` octects of encoded session key data
+   * @param {Uint8Array} bytes
    * @returns {Number} Number of read bytes.
    */
-  read(input) {
-    if (input.length >= 1) {
-      const length = input[0];
-      if (input.length >= 1 + length) {
-        this.data = input.subarray(1, 1 + length);
+  read(bytes) {
+    if (bytes.length >= 1) {
+      const length = bytes[0];
+      if (bytes.length >= 1 + length) {
+        this.data = bytes.subarray(1, 1 + length);
         return 1 + this.data.length;
       }
     }
@@ -15264,7 +15588,7 @@ class ECDHSymmetricKey {
 
   /**
    * Write an ECDHSymmetricKey as an Uint8Array
-   * @returns  {Uint8Array}  An array containing the value
+   * @returns  {Uint8Array} Serialised data
    */
   write() {
     return util.concatUint8Array([new Uint8Array([this.data.length]), this.data]);
@@ -15304,6 +15628,9 @@ class KDFParams {
    * @returns {Number} Number of read bytes.
    */
   read(input) {
+    if (input.length < 4 || (input[1] !== 1 && input[1] !== VERSION_FORWARDING)) {
+      throw new UnsupportedError('Cannot read KDFParams');
+    }
     const totalBytes = input[0];
     this.version = input[1];
     this.hash = input[2];
@@ -15391,12 +15718,57 @@ const AEADEnum = type_enum(enums.aead);
 const SymAlgoEnum = type_enum(enums.symmetric);
 const HashEnum = type_enum(enums.hash);
 
+/**
+ * Encoded symmetric key for x25519 and x448
+ * The payload format varies for v3 and v6 PKESK:
+ * the former includes an algorithm byte preceeding the encrypted session key.
+ *
+ * @module type/x25519x448_symkey
+ */
+
+class ECDHXSymmetricKey {
+  static fromObject({ wrappedKey, algorithm }) {
+    const instance = new ECDHXSymmetricKey();
+    instance.wrappedKey = wrappedKey;
+    instance.algorithm = algorithm;
+    return instance;
+  }
+
+  /**
+   * - 1 octect for the length `l`
+   * - `l` octects of encoded session key data (with optional leading algorithm byte)
+   * @param {Uint8Array} bytes
+   * @returns {Number} Number of read bytes.
+   */
+  read(bytes) {
+    let read = 0;
+    let followLength = bytes[read++];
+    this.algorithm = followLength % 2 ? bytes[read++] : null; // session key size is always even
+    followLength -= followLength % 2;
+    this.wrappedKey = bytes.subarray(read, read + followLength); read += followLength;
+  }
+
+  /**
+   * Write an MontgomerySymmetricKey as an Uint8Array
+   * @returns  {Uint8Array} Serialised data
+   */
+  write() {
+    return util.concatUint8Array([
+      this.algorithm ?
+        new Uint8Array([this.wrappedKey.length + 1, this.algorithm]) :
+        new Uint8Array([this.wrappedKey.length]),
+      this.wrappedKey
+    ]);
+  }
+}
+
 // GPG4Browsers - An OpenPGP implementation in javascript
 
 /**
  * Encrypts data using specified algorithm and public key parameters.
  * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1} for public key algorithms.
- * @param {module:enums.publicKey} algo - Public key algorithm
+ * @param {module:enums.publicKey} keyAlgo - Public key algorithm
+ * @param {module:enums.symmetric} symmetricAlgo - Cipher algorithm
  * @param {Object} publicParams - Algorithm-specific public key parameters
  * @param {Object} privateParams - Algorithm-specific private key parameters
  * @param {Uint8Array} data - Data to be encrypted
@@ -15404,8 +15776,8 @@ const HashEnum = type_enum(enums.hash);
  * @returns {Promise<Object>} Encrypted session key parameters.
  * @async
  */
-async function publicKeyEncrypt(algo, publicParams, privateParams, data, fingerprint) {
-  switch (algo) {
+async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, privateParams, data, fingerprint) {
+  switch (keyAlgo) {
     case enums.publicKey.rsaEncrypt:
     case enums.publicKey.rsaEncryptSign: {
       const { n, e } = publicParams;
@@ -15422,6 +15794,17 @@ async function publicKeyEncrypt(algo, publicParams, privateParams, data, fingerp
         oid, kdfParams, data, Q, fingerprint);
       return { V, C: new ECDHSymmetricKey(C) };
     }
+    case enums.publicKey.x25519: {
+      if (!util.isAES(symmetricAlgo)) {
+        // see https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/276
+        throw new Error('X25519 keys can only encrypt AES session keys');
+      }
+      const { A } = publicParams;
+      const { ephemeralPublicKey, wrappedKey } = await publicKey.elliptic.ecdhX.encrypt(
+        keyAlgo, data, A);
+      const C = ECDHXSymmetricKey.fromObject({ algorithm: symmetricAlgo, wrappedKey });
+      return { ephemeralPublicKey, C };
+    }
     case enums.publicKey.aead: {
       if (!privateParams) {
         throw new Error('Cannot encrypt with symmetric key missing private parameters');
@@ -15478,6 +15861,16 @@ async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams, session
       return publicKey.elliptic.ecdh.decrypt(
         oid, kdfParams, V, C.data, Q, d, fingerprint);
     }
+    case enums.publicKey.x25519: {
+      const { A } = publicKeyParams;
+      const { k } = privateKeyParams;
+      const { ephemeralPublicKey, C } = sessionKeyParams;
+      if (!util.isAES(C.algorithm)) {
+        throw new Error('AES session key expected');
+      }
+      return publicKey.elliptic.ecdhX.decrypt(
+        algo, ephemeralPublicKey, C.wrappedKey, A, k);
+    }
     case enums.publicKey.aead: {
       const { cipher: algo } = publicKeyParams;
       const algoValue = algo.getValue();
@@ -15529,7 +15922,8 @@ function parsePublicKeyParams(algo, bytes) {
       const Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
       return { read: read, publicParams: { oid, Q } };
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsa:
+    case enums.publicKey.ed25519Legacy: {
       const oid = new OID(); read += oid.read(bytes);
       checkSupportedCurve(oid);
       let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
@@ -15543,6 +15937,11 @@ function parsePublicKeyParams(algo, bytes) {
       const kdfParams = new KDFParams(); read += kdfParams.read(bytes.subarray(read));
       return { read: read, publicParams: { oid, Q, kdfParams } };
     }
+    case enums.publicKey.ed25519:
+    case enums.publicKey.x25519: {
+      const A = bytes.subarray(read, read + 32); read += A.length;
+      return { read, publicParams: { A } };
+    }
     case enums.publicKey.hmac:
     case enums.publicKey.aead: {
       const algo = new SymAlgoEnum(); read += algo.read(bytes);
@@ -15581,17 +15980,26 @@ function parsePrivateKeyParams(algo, bytes, publicParams) {
     }
     case enums.publicKey.ecdsa:
     case enums.publicKey.ecdh: {
-      const curve = new Curve(publicParams.oid);
+      const curve = new CurveWithOID(publicParams.oid);
       let d = util.readMPI(bytes.subarray(read)); read += d.length + 2;
       d = util.leftPad(d, curve.payloadSize);
       return { read, privateParams: { d } };
     }
-    case enums.publicKey.eddsa: {
-      const curve = new Curve(publicParams.oid);
+    case enums.publicKey.eddsa:
+    case enums.publicKey.ed25519Legacy: {
+      const curve = new CurveWithOID(publicParams.oid);
       let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;
       seed = util.leftPad(seed, curve.payloadSize);
       return { read, privateParams: { seed } };
     }
+    case enums.publicKey.ed25519: {
+      const seed = bytes.subarray(read, read + 32); read += seed.length;
+      return { read, privateParams: { seed } };
+    }
+    case enums.publicKey.x25519: {
+      const k = bytes.subarray(read, read + 32); read += k.length;
+      return { read, privateParams: { k } };
+    }
     case enums.publicKey.hmac: {
       const { cipher: algo } = publicParams;
       const keySize = hash.getHashByteLength(algo.getValue());
@@ -15643,6 +16051,16 @@ function parseEncSessionKeyParams(algo, bytes) {
       const C = new ECDHSymmetricKey(); C.read(bytes.subarray(read));
       return { V, C };
     }
+    //   Algorithm-Specific Fields for X25519 encrypted session keys:
+    //       - 32 octets representing an ephemeral X25519 public key.
+    //       - A one-octet size of the following fields.
+    //       - The one-octet algorithm identifier, if it was passed (in the case of a v3 PKESK packet).
+    //       - The encrypted session key.
+    case enums.publicKey.x25519: {
+      const ephemeralPublicKey = bytes.subarray(read, read + 32); read += ephemeralPublicKey.length;
+      const C = new ECDHXSymmetricKey(); C.read(bytes.subarray(read));
+      return { ephemeralPublicKey, C };
+    }
     //   Algorithm-Specific Fields for symmetric AEAD encryption:
     //       - AEAD algorithm
     //       - Starting initialization vector
@@ -15669,22 +16087,13 @@ function parseEncSessionKeyParams(algo, bytes) {
  * @returns {Uint8Array} The array containing the MPIs.
  */
 function serializeParams(algo, params) {
-  let orderedParams;
-  switch (algo) {
-    case enums.publicKey.hmac:
-    case enums.publicKey.aead: {
-      orderedParams = Object.keys(params).map(name => {
-        const param = params[name];
-        return util.isUint8Array(param) ? param : param.write();
-      });
-      break;
-    }
-    default:
-      orderedParams = Object.keys(params).map(name => {
-        const param = params[name];
-        return util.isUint8Array(param) ? util.uint8ArrayToMPI(param) : param.write();
-      });
-  }
+  // Some algorithms do not rely on MPIs to store the binary params
+  const algosWithNativeRepresentation = new Set([enums.publicKey.ed25519, enums.publicKey.x25519, enums.publicKey.aead, enums.publicKey.hmac]);
+  const orderedParams = Object.keys(params).map(name => {
+    const param = params[name];
+    if (!util.isUint8Array(param)) return param.write();
+    return algosWithNativeRepresentation.has(algo) ? param : util.uint8ArrayToMPI(param);
+  });
   return util.concatUint8Array(orderedParams);
 }
 
@@ -15713,6 +16122,7 @@ function generateParams(algo, bits, oid, symmetric) {
         publicParams: { oid: new OID(oid), Q }
       }));
     case enums.publicKey.eddsa:
+    case enums.publicKey.ed25519Legacy:
       return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({
         privateParams: { seed: secret },
         publicParams: { oid: new OID(oid), Q }
@@ -15726,6 +16136,16 @@ function generateParams(algo, bits, oid, symmetric) {
           kdfParams: new KDFParams({ hash, cipher })
         }
       }));
+    case enums.publicKey.ed25519:
+      return publicKey.elliptic.eddsa.generate(algo).then(({ A, seed }) => ({
+        privateParams: { seed },
+        publicParams: { A }
+      }));
+    case enums.publicKey.x25519:
+      return publicKey.elliptic.ecdhX.generate(algo).then(({ A, k }) => ({
+        privateParams: { k },
+        publicParams: { A }
+      }));
     case enums.publicKey.hmac: {
       const symAlgo = enums.write(enums.hash, symmetric);
       const keyMaterial = getRandomBytes(hash.getHashByteLength(symAlgo));
@@ -15767,7 +16187,7 @@ async function createSymmetricParams(key, algo) {
  * @returns {Promise<Boolean>} Whether the parameters are valid.
  * @async
  */
-async function validateParams$6(algo, publicParams, privateParams) {
+async function validateParams$8(algo, publicParams, privateParams) {
   if (!publicParams || !privateParams) {
     throw new Error('Missing key parameters');
   }
@@ -15796,10 +16216,21 @@ async function validateParams$6(algo, publicParams, privateParams) {
       const { d } = privateParams;
       return algoModule.validateParams(oid, Q, d);
     }
-    case enums.publicKey.eddsa: {
-      const { oid, Q } = publicParams;
+    case enums.publicKey.eddsa:
+    case enums.publicKey.ed25519Legacy: {
+      const { Q, oid } = publicParams;
       const { seed } = privateParams;
-      return publicKey.elliptic.eddsa.validateParams(oid, Q, seed);
+      return publicKey.elliptic.eddsaLegacy.validateParams(oid, Q, seed);
+    }
+    case enums.publicKey.ed25519: {
+      const { A } = publicParams;
+      const { seed } = privateParams;
+      return publicKey.elliptic.eddsa.validateParams(algo, A, seed);
+    }
+    case enums.publicKey.x25519: {
+      const { A } = publicParams;
+      const { k } = privateParams;
+      return publicKey.elliptic.ecdhX.validateParams(algo, A, k);
     }
     case enums.publicKey.hmac: {
       const { cipher: algo, digest } = publicParams;
@@ -15878,7 +16309,7 @@ var crypto$1 = /*#__PURE__*/Object.freeze({
   parseEncSessionKeyParams: parseEncSessionKeyParams,
   serializeParams: serializeParams,
   generateParams: generateParams,
-  validateParams: validateParams$6,
+  validateParams: validateParams$8,
   getPrefixRandom: getPrefixRandom,
   generateSessionKey: generateSessionKey,
   getAEADMode: getAEADMode,
@@ -16125,15 +16556,15 @@ class GenericS2K {
             this.type = 'gnu-dummy';
             // GnuPG extension mode 1001 -- don't write secret key at all
           } else {
-            throw new Error('Unknown s2k gnu protection mode.');
+            throw new UnsupportedError('Unknown s2k gnu protection mode.');
           }
         } else {
-          throw new Error('Unknown s2k type.');
+          throw new UnsupportedError('Unknown s2k type.');
         }
         break;
 
       default:
-        throw new Error('Unknown s2k type.');
+        throw new UnsupportedError('Unknown s2k type.'); // unreachable
     }
 
     return i;
@@ -16237,7 +16668,7 @@ function newS2KFromType(type, config$1 = config) {
     case enums.s2k.simple:
       return new GenericS2K(type, config$1);
     default:
-      throw new Error(`Unsupported S2K type ${type}`);
+      throw new UnsupportedError(`Unsupported S2K type ${type}`);
   }
 }
 
@@ -24991,13 +25422,17 @@ class PublicKeyEncryptedSessionKeyPacket {
    * @param {Uint8Array} bytes - Payload of a tag 1 packet
    */
   read(bytes) {
-    this.version = bytes[0];
+    let i = 0;
+    this.version = bytes[i++];
     if (this.version !== VERSION$3) {
       throw new UnsupportedError(`Version ${this.version} of the PKESK packet is unsupported.`);
     }
-    this.publicKeyID.read(bytes.subarray(1, bytes.length));
-    this.publicKeyAlgorithm = bytes[9];
-    this.encrypted = mod.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(10));
+    i += this.publicKeyID.read(bytes.subarray(i));
+    this.publicKeyAlgorithm = bytes[i++];
+    this.encrypted = mod.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(i), this.version);
+    if (this.publicKeyAlgorithm === enums.publicKey.x25519) {
+      this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);
+    }
   }
 
   /**
@@ -25023,15 +25458,11 @@ class PublicKeyEncryptedSessionKeyPacket {
    * @async
    */
   async encrypt(key) {
-    const data = util.concatUint8Array([
-      new Uint8Array([enums.write(enums.symmetric, this.sessionKeyAlgorithm)]),
-      this.sessionKey,
-      util.writeChecksum(this.sessionKey)
-    ]);
     const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);
+    const encoded = encodeSessionKey(this.version, algo, this.sessionKeyAlgorithm, this.sessionKey);
     const privateParams = algo === enums.publicKey.aead ? key.privateParams : null;
     this.encrypted = await mod.publicKeyEncrypt(
-      algo, key.publicParams, privateParams, data, key.getFingerprintBytes());
+      algo, this.sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
   }
 
   /**
@@ -25048,34 +25479,86 @@ class PublicKeyEncryptedSessionKeyPacket {
       throw new Error('Decryption error');
     }
 
-    const randomPayload = randomSessionKey ? util.concatUint8Array([
-      new Uint8Array([randomSessionKey.sessionKeyAlgorithm]),
-      randomSessionKey.sessionKey,
-      util.writeChecksum(randomSessionKey.sessionKey)
-    ]) : null;
-    const decoded = await mod.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
-    const symmetricAlgoByte = decoded[0];
-    const sessionKey = decoded.subarray(1, decoded.length - 2);
-    const checksum = decoded.subarray(decoded.length - 2);
-    const computedChecksum = util.writeChecksum(sessionKey);
-    const isValidChecksum = computedChecksum[0] === checksum[0] & computedChecksum[1] === checksum[1];
-
-    if (randomSessionKey) {
-      // We must not leak info about the validity of the decrypted checksum or cipher algo.
-      // The decrypted session key must be of the same algo and size as the random session key, otherwise we discard it and use the random data.
-      const isValidPayload = isValidChecksum & symmetricAlgoByte === randomSessionKey.sessionKeyAlgorithm & sessionKey.length === randomSessionKey.sessionKey.length;
-      this.sessionKeyAlgorithm = util.selectUint8(isValidPayload, symmetricAlgoByte, randomSessionKey.sessionKeyAlgorithm);
-      this.sessionKey = util.selectUint8Array(isValidPayload, sessionKey, randomSessionKey.sessionKey);
+    const randomPayload = randomSessionKey ?
+      encodeSessionKey(this.version, this.publicKeyAlgorithm, randomSessionKey.sessionKeyAlgorithm, randomSessionKey.sessionKey) :
+      null;
+    const decryptedData = await mod.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
 
-    } else {
-      const isValidPayload = isValidChecksum && enums.read(enums.symmetric, symmetricAlgoByte);
-      if (isValidPayload) {
-        this.sessionKey = sessionKey;
-        this.sessionKeyAlgorithm = symmetricAlgoByte;
+    const { sessionKey, sessionKeyAlgorithm } = decodeSessionKey(this.version, this.publicKeyAlgorithm, decryptedData, randomSessionKey);
+
+    // v3 Montgomery curves have cleartext cipher algo
+    if (this.publicKeyAlgorithm !== enums.publicKey.x25519) {
+      this.sessionKeyAlgorithm = sessionKeyAlgorithm;
+    }
+    this.sessionKey = sessionKey;
+  }
+}
+
+
+function encodeSessionKey(version, keyAlgo, cipherAlgo, sessionKeyData) {
+  switch (keyAlgo) {
+    case enums.publicKey.rsaEncrypt:
+    case enums.publicKey.rsaEncryptSign:
+    case enums.publicKey.elgamal:
+    case enums.publicKey.ecdh:
+    case enums.publicKey.aead: {
+      // add checksum
+      return util.concatUint8Array([
+        new Uint8Array([cipherAlgo]),
+        sessionKeyData,
+        util.writeChecksum(sessionKeyData.subarray(sessionKeyData.length % 8))
+      ]);
+    }
+    case enums.publicKey.x25519:
+      return sessionKeyData;
+    default:
+      throw new Error('Unsupported public key algorithm');
+  }
+}
+
+
+function decodeSessionKey(version, keyAlgo, decryptedData, randomSessionKey) {
+  switch (keyAlgo) {
+    case enums.publicKey.rsaEncrypt:
+    case enums.publicKey.rsaEncryptSign:
+    case enums.publicKey.elgamal:
+    case enums.publicKey.ecdh:
+    case enums.publicKey.aead: {
+      // verify checksum in constant time
+      const result = decryptedData.subarray(0, decryptedData.length - 2);
+      const checksum = decryptedData.subarray(decryptedData.length - 2);
+      const computedChecksum = util.writeChecksum(result.subarray(result.length % 8));
+      const isValidChecksum = computedChecksum[0] === checksum[0] & computedChecksum[1] === checksum[1];
+      const decryptedSessionKey = { sessionKeyAlgorithm: result[0], sessionKey: result.subarray(1) };
+      if (randomSessionKey) {
+        // We must not leak info about the validity of the decrypted checksum or cipher algo.
+        // The decrypted session key must be of the same algo and size as the random session key, otherwise we discard it and use the random data.
+        const isValidPayload = isValidChecksum &
+          decryptedSessionKey.sessionKeyAlgorithm === randomSessionKey.sessionKeyAlgorithm &
+          decryptedSessionKey.sessionKey.length === randomSessionKey.sessionKey.length;
+        return {
+          sessionKey: util.selectUint8Array(isValidPayload, decryptedSessionKey.sessionKey, randomSessionKey.sessionKey),
+          sessionKeyAlgorithm: util.selectUint8(
+            isValidPayload,
+            decryptedSessionKey.sessionKeyAlgorithm,
+            randomSessionKey.sessionKeyAlgorithm
+          )
+        };
       } else {
-        throw new Error('Decryption error');
+        const isValidPayload = isValidChecksum && enums.read(enums.symmetric, decryptedSessionKey.sessionKeyAlgorithm);
+        if (isValidPayload) {
+          return decryptedSessionKey;
+        } else {
+          throw new Error('Decryption error');
+        }
       }
     }
+    case enums.publicKey.x25519:
+      return {
+        sessionKey: decryptedData
+      };
+    default:
+      throw new Error('Unsupported public key algorithm');
   }
 }
 
@@ -25506,7 +25989,7 @@ class PublicKeyPacket {
       result.bits = util.uint8ArrayBitLength(modulo);
     } else if (this.publicParams.oid) {
       result.curve = this.publicParams.oid.getName();
-    } else {
+    } else if (this.publicParams.cipher) {
       result.symmetric = this.publicParams.cipher.getName();
     }
     return result;
@@ -25838,6 +26321,7 @@ class SecretKeyPacket extends PublicKeyPacket {
   async read(bytes) {
     // - A Public-Key or Public-Subkey packet, as described above.
     let i = await this.readPublicKey(bytes);
+    const startOfSecretKeyData = i;
 
     // - One octet indicating string-to-key usage conventions.  Zero
     //   indicates that the secret-key data is not encrypted.  255 or 254
@@ -25851,41 +26335,48 @@ class SecretKeyPacket extends PublicKeyPacket {
       i++;
     }
 
-    // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
-    //   one-octet symmetric encryption algorithm.
-    if (this.s2kUsage === 255 || this.s2kUsage === 254 || this.s2kUsage === 253) {
-      this.symmetric = bytes[i++];
+    try {
+      // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
+      //   one-octet symmetric encryption algorithm.
+      if (this.s2kUsage === 255 || this.s2kUsage === 254 || this.s2kUsage === 253) {
+        this.symmetric = bytes[i++];
 
-      // - [Optional] If string-to-key usage octet was 253, a one-octet
-      //   AEAD algorithm.
-      if (this.s2kUsage === 253) {
-        this.aead = bytes[i++];
-      }
+        // - [Optional] If string-to-key usage octet was 253, a one-octet
+        //   AEAD algorithm.
+        if (this.s2kUsage === 253) {
+          this.aead = bytes[i++];
+        }
 
-      // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
-      //   string-to-key specifier.  The length of the string-to-key
-      //   specifier is implied by its type, as described above.
-      const s2kType = bytes[i++];
-      this.s2k = newS2KFromType(s2kType);
-      i += this.s2k.read(bytes.subarray(i, bytes.length));
+        // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
+        //   string-to-key specifier.  The length of the string-to-key
+        //   specifier is implied by its type, as described above.
+        const s2kType = bytes[i++];
+        this.s2k = newS2KFromType(s2kType);
+        i += this.s2k.read(bytes.subarray(i, bytes.length));
 
-      if (this.s2k.type === 'gnu-dummy') {
-        return;
+        if (this.s2k.type === 'gnu-dummy') {
+          return;
+        }
+      } else if (this.s2kUsage) {
+        this.symmetric = this.s2kUsage;
       }
-    } else if (this.s2kUsage) {
-      this.symmetric = this.s2kUsage;
-    }
 
-    // - [Optional] If secret data is encrypted (string-to-key usage octet
-    //   not zero), an Initial Vector (IV) of the same length as the
-    //   cipher's block size.
-    if (this.s2kUsage) {
-      this.iv = bytes.subarray(
-        i,
-        i + mod.getCipher(this.symmetric).blockSize
-      );
+      // - [Optional] If secret data is encrypted (string-to-key usage octet
+      //   not zero), an Initial Vector (IV) of the same length as the
+      //   cipher's block size.
+      if (this.s2kUsage) {
+        this.iv = bytes.subarray(
+          i,
+          i + mod.getCipher(this.symmetric).blockSize
+        );
 
-      i += this.iv.length;
+        i += this.iv.length;
+      }
+    } catch (e) {
+      // if the s2k is unsupported, we still want to support encrypting and verifying with the given key
+      if (!this.s2kUsage) throw e; // always throw for decrypted keys
+      this.unparseableKeyMaterial = bytes.subarray(startOfSecretKeyData);
+      this.isEncrypted = true;
     }
 
     // - Only for a version 5 packet, a four-octet scalar octet count for
@@ -25921,8 +26412,15 @@ class SecretKeyPacket extends PublicKeyPacket {
    * @returns {Uint8Array} A string of bytes containing the secret key OpenPGP packet.
    */
   write() {
-    const arr = [this.writePublicKey()];
+    const serializedPublicKey = this.writePublicKey();
+    if (this.unparseableKeyMaterial) {
+      return util.concatUint8Array([
+        serializedPublicKey,
+        this.unparseableKeyMaterial
+      ]);
+    }
 
+    const arr = [serializedPublicKey];
     arr.push(new Uint8Array([this.s2kUsage]));
 
     const optionalFieldsArr = [];
@@ -25982,6 +26480,18 @@ class SecretKeyPacket extends PublicKeyPacket {
     return this.isEncrypted === false;
   }
 
+  /**
+   * Check whether the key includes secret key material.
+   * Some secret keys do not include it, and can thus only be used
+   * for public-key operations (encryption and verification).
+   * Such keys are:
+   * - GNU-dummy keys, where the secret material has been stripped away
+   * - encrypted keys with unsupported S2K or cipher
+   */
+  isMissingSecretKeyMaterial() {
+    return this.unparseableKeyMaterial !== undefined || this.isDummy();
+  }
+
   /**
    * Check whether this is a gnu-dummy key
    * @returns {Boolean}
@@ -26002,6 +26512,7 @@ class SecretKeyPacket extends PublicKeyPacket {
     if (this.isDecrypted()) {
       this.clearPrivateParams();
     }
+    delete this.unparseableKeyMaterial;
     this.isEncrypted = null;
     this.keyMaterial = null;
     this.s2k = newS2KFromType(enums.s2k.gnu, config$1);
@@ -26073,6 +26584,10 @@ class SecretKeyPacket extends PublicKeyPacket {
       return false;
     }
 
+    if (this.unparseableKeyMaterial) {
+      throw new Error('Key packet cannot be decrypted: unsupported S2K or cipher algo');
+    }
+
     if (this.isDecrypted()) {
       throw new Error('Key packet is already decrypted.');
     }
@@ -26157,7 +26672,7 @@ class SecretKeyPacket extends PublicKeyPacket {
    * Clear private key parameters
    */
   clearPrivateParams() {
-    if (this.isDummy()) {
+    if (this.isMissingSecretKeyMaterial()) {
       return;
     }
 
@@ -27566,7 +28081,9 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
       signatureType: enums.signature.keyBinding
     }, options.date, undefined, undefined, undefined, config);
   } else {
-    subkeySignaturePacket.keyFlags = [enums.keyFlags.encryptCommunication | enums.keyFlags.encryptStorage];
+    subkeySignaturePacket.keyFlags = options.forwarding ?
+      [enums.keyFlags.forwardedCommunication] :
+      [enums.keyFlags.encryptCommunication | enums.keyFlags.encryptStorage];
   }
   if (options.keyExpirationTime > 0) {
     subkeySignaturePacket.keyExpirationTime = options.keyExpirationTime;
@@ -27804,6 +28321,10 @@ function sanitizeKeyOptions(options, subkeyDefaults = {}) {
   options.date = options.date || subkeyDefaults.date;
 
   options.sign = options.sign || false;
+  options.forwarding = options.forwarding || false;
+  if (options.sign && options.forwarding) {
+    throw new Error('Incompatible options: "sign" and "forwarding" cannot be set together');
+  }
 
   switch (options.type) {
     case 'ecc':
@@ -27844,6 +28365,7 @@ function isValidSigningKeyPacket(keyPacket, signature) {
   return keyAlgo !== enums.publicKey.rsaEncrypt &&
     keyAlgo !== enums.publicKey.elgamal &&
     keyAlgo !== enums.publicKey.ecdh &&
+    keyAlgo !== enums.publicKey.x25519 &&
     (!signature.keyFlags ||
       (signature.keyFlags[0] & enums.keyFlags.signData) !== 0);
 }
@@ -27854,13 +28376,19 @@ function isValidEncryptionKeyPacket(keyPacket, signature) {
     keyAlgo !== enums.publicKey.rsaSign &&
     keyAlgo !== enums.publicKey.ecdsa &&
     keyAlgo !== enums.publicKey.eddsa &&
+    keyAlgo !== enums.publicKey.ed25519 &&
     (!signature.keyFlags ||
       (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||
       (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0);
 }
 
 function isValidDecryptionKeyPacket(signature, config) {
-  if (config.allowInsecureDecryptionWithSigningKeys) {
+  const isSigningKey = !signature.keyFlags ||
+    (signature.keyFlags[0] & enums.keyFlags.sign) !== 0 ||
+    (signature.keyFlags[0] & enums.keyFlags.certifyKeys) !== 0 ||
+    (signature.keyFlags[0] & enums.keyFlags.authentication) !== 0;
+
+  if (isSigningKey && config.allowInsecureDecryptionWithSigningKeys) {
     // This is only relevant for RSA keys, all other signing algorithms cannot decrypt
     return true;
   }
@@ -29403,7 +29931,7 @@ function createKey(packetlist) {
  * @static
  * @private
  */
-async function generate$2(options, config) {
+async function generate$4(options, config) {
   options.sign = true; // primary key is always a signing key
   options = sanitizeKeyOptions(options);
   options.subkeys = options.subkeys.map((subkey, index) => sanitizeKeyOptions(options.subkeys[index], options));
@@ -29459,7 +29987,8 @@ async function reformat(options, config) {
         getLatestValidSignature(subkey.bindingSignatures, secretKeyPacket, enums.signature.subkeyBinding, dataToVerify, null, config)
       ).catch(() => ({}));
       return {
-        sign: bindingSignature.keyFlags && (bindingSignature.keyFlags[0] & enums.keyFlags.signData)
+        sign: bindingSignature.keyFlags && (bindingSignature.keyFlags[0] & enums.keyFlags.signData),
+        forwarding: bindingSignature.keyFlags && (bindingSignature.keyFlags[0] & enums.keyFlags.forwardedCommunication)
       };
     }));
   }
@@ -30081,6 +30610,15 @@ class Message {
       enums.read(enums.aead, await getPreferredAlgo('aead', encryptionKeys, date, userIDs, config$1)) :
       undefined;
 
+    await Promise.all(encryptionKeys.map(key => key.getEncryptionKey()
+      .catch(() => null) // ignore key strength requirements
+      .then(maybeKey => {
+        if (maybeKey && (maybeKey.keyPacket.algorithm === enums.publicKey.x25519) && !util.isAES(algo)) {
+          throw new Error('Could not generate a session key compatible with the given `encryptionKeys`: X22519 keys can only be used to encrypt AES session keys; change `config.preferredSymmetricAlgorithm` accordingly.');
+        }
+      })
+    ));
+
     const sessionKeyData = mod.generateSessionKey(algo);
     return { data: sessionKeyData, algorithm: algorithmName, aeadAlgorithm: aeadAlgorithmName };
   }
@@ -30388,7 +30926,7 @@ class Message {
     if (literalDataList.length !== 1) {
       throw new Error('Can only verify message with one literal data packet.');
     }
-    const signatureList = signature.packets;
+    const signatureList = signature.packets.filterByTag(enums.packet.signature); // drop UnparsablePackets
     return createVerificationObjects(signatureList, literalDataList, verificationKeys, date, true, config$1);
   }
 
@@ -30735,7 +31273,7 @@ class CleartextMessage {
    * @async
    */
   verify(keys, date = new Date(), config$1 = config) {
-    const signatureList = this.signature.packets;
+    const signatureList = this.signature.packets.filterByTag(enums.packet.signature); // drop UnparsablePackets
     const literalDataPacket = new LiteralDataPacket();
     // we assume that cleartext signature is generated based on UTF8 cleartext
     literalDataPacket.setText(this.text);
@@ -30820,7 +31358,7 @@ function verifyHeaders$1(headers, packetlist) {
   let oneHeader = null;
   let hashAlgos = [];
   headers.forEach(function(header) {
-    oneHeader = header.match(/Hash: (.+)/); // get header value
+    oneHeader = header.match(/^Hash: (.+)$/); // get header value
     if (oneHeader) {
       oneHeader = oneHeader[1].replace(/\s/g, ''); // remove whitespace
       oneHeader = oneHeader.split(',');
@@ -30912,7 +31450,7 @@ async function generateKey({ userIDs = [], passphrase, type = 'ecc', rsaBits = 4
   const options = { userIDs, passphrase, type, rsaBits, curve, keyExpirationTime, date, subkeys, symmetricHash, symmetricCipher };
 
   try {
-    const { key, revocationCertificate } = await generate$2(options, config$1);
+    const { key, revocationCertificate } = await generate$4(options, config$1);
     key.getKeys().forEach(({ keyPacket }) => checkKeyRequirements(keyPacket, config$1));
 
     return {
@@ -31106,7 +31644,7 @@ async function encryptKey({ privateKey, passphrase, config: config$1, ...rest })
  * @async
  * @static
  */
-async function encrypt$4({ message, encryptionKeys, signingKeys, passwords, sessionKey, format = 'armored', signature = null, wildcard = false, signingKeyIDs = [], encryptionKeyIDs = [], date = new Date(), signingUserIDs = [], encryptionUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
+async function encrypt$5({ message, encryptionKeys, signingKeys, passwords, sessionKey, format = 'armored', signature = null, wildcard = false, signingKeyIDs = [], encryptionKeyIDs = [], date = new Date(), signingUserIDs = [], encryptionUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkMessage(message); checkOutputMessageFormat(format);
   encryptionKeys = toArray$1(encryptionKeys); signingKeys = toArray$1(signingKeys); passwords = toArray$1(passwords);
@@ -31175,7 +31713,7 @@ async function encrypt$4({ message, encryptionKeys, signingKeys, passwords, sess
  * @async
  * @static
  */
-async function decrypt$4({ message, decryptionKeys, passwords, sessionKeys, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
+async function decrypt$5({ message, decryptionKeys, passwords, sessionKeys, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkMessage(message); verificationKeys = toArray$1(verificationKeys); decryptionKeys = toArray$1(decryptionKeys); passwords = toArray$1(passwords); sessionKeys = toArray$1(sessionKeys);
   if (rest.privateKeys) throw new Error('The `privateKeys` option has been removed from openpgp.decrypt, pass `decryptionKeys` instead');
@@ -31238,7 +31776,7 @@ async function decrypt$4({ message, decryptionKeys, passwords, sessionKeys, veri
  * @async
  * @static
  */
-async function sign$5({ message, signingKeys, format = 'armored', detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
+async function sign$6({ message, signingKeys, format = 'armored', detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkCleartextOrMessage(message); checkOutputMessageFormat(format);
   signingKeys = toArray$1(signingKeys); signingKeyIDs = toArray$1(signingKeyIDs); signingUserIDs = toArray$1(signingUserIDs); signatureNotations = toArray$1(signatureNotations);
@@ -31307,7 +31845,7 @@ async function sign$5({ message, signingKeys, format = 'armored', detached = fal
  * @async
  * @static
  */
-async function verify$5({ message, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
+async function verify$6({ message, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkCleartextOrMessage(message); verificationKeys = toArray$1(verificationKeys);
   if (rest.publicKeys) throw new Error('The `publicKeys` option has been removed from openpgp.verify, pass `verificationKeys` instead');
@@ -44476,7 +45014,7 @@ function* makePRNG(wasmContext, pass, lane, slice, m_, totalPasses, segmentLengt
   return [];
 }
 
-function validateParams$7({ type, version, tagLength, password, salt, ad, secret, parallelism, memorySize, passes }) {
+function validateParams$9({ type, version, tagLength, password, salt, ad, secret, parallelism, memorySize, passes }) {
   const assertLength = (name, value, min, max) => {
     if (value < min || value > max) { throw new Error(`${name} size should be between ${min} and ${max} bytes`); }
   };
@@ -44499,7 +45037,7 @@ const WASM_PAGE_SIZE = 64 * KB;
 function argon2id(params, { memory, instance: wasmInstance }) {
   if (!isLittleEndian$1) throw new Error('BigEndian system not supported'); // optmisations assume LE system
 
-  const ctx = validateParams$7({ type: TYPE$2, version: VERSION$4, ...params });
+  const ctx = validateParams$9({ type: TYPE$2, version: VERSION$4, ...params });
 
   const { G:wasmG, G2:wasmG2, xor:wasmXOR, getLZ:wasmLZ } = wasmInstance.exports;
   const wasmRefs = {};
@@ -44779,4 +45317,4 @@ var index = /*#__PURE__*/Object.freeze({
   'default': loadWasm
 });
 
-export { AEADEncryptedDataPacket, CleartextMessage, CompressedDataPacket, KDFParams, LiteralDataPacket, MarkerPacket, Message, OnePassSignaturePacket, PacketList, PrivateKey, PublicKey, PublicKeyEncryptedSessionKeyPacket, PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket, Signature, SignaturePacket, Subkey, SymEncryptedIntegrityProtectedDataPacket, SymEncryptedSessionKeyPacket, SymmetricallyEncryptedDataPacket, TrustPacket, UnparseablePacket, UserAttributePacket, UserIDPacket, armor, config, createCleartextMessage, createMessage, decrypt$4 as decrypt, decryptKey, decryptSessionKeys, encrypt$4 as encrypt, encryptKey, encryptSessionKey, enums, generateKey, generateSessionKey$1 as generateSessionKey, readCleartextMessage, readKey, readKeys, readMessage, readPrivateKey, readPrivateKeys, readSignature, reformatKey, revokeKey, sign$5 as sign, unarmor, verify$5 as verify };
+export { AEADEncryptedDataPacket, CleartextMessage, CompressedDataPacket, KDFParams, LiteralDataPacket, MarkerPacket, Message, OnePassSignaturePacket, PacketList, PrivateKey, PublicKey, PublicKeyEncryptedSessionKeyPacket, PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket, Signature, SignaturePacket, Subkey, SymEncryptedIntegrityProtectedDataPacket, SymEncryptedSessionKeyPacket, SymmetricallyEncryptedDataPacket, TrustPacket, UnparseablePacket, UserAttributePacket, UserIDPacket, armor, config, createCleartextMessage, createMessage, decrypt$5 as decrypt, decryptKey, decryptSessionKeys, encrypt$5 as encrypt, encryptKey, encryptSessionKey, enums, generateKey, generateSessionKey$1 as generateSessionKey, readCleartextMessage, readKey, readKeys, readMessage, readPrivateKey, readPrivateKeys, readSignature, reformatKey, revokeKey, sign$6 as sign, unarmor, verify$6 as verify };