@protontech/openpgp 5.9.1-0 → 5.10.2

package/dist/openpgp.js

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v5.9.1-0 - 2023-08-03 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v5.10.2 - 2023-09-18 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 var openpgp = (function (exports) {
   'use strict';
 
@@ -1510,6 +1510,526 @@ var openpgp = (function (exports) {
     }
   }
 
+  /**
+   * @module enums
+   */
+
+  const byValue = Symbol('byValue');
+
+  var enums = {
+
+    /** Maps curve names under various standards to one
+     * @see {@link https://wiki.gnupg.org/ECC|ECC - GnuPG wiki}
+     * @enum {String}
+     * @readonly
+     */
+    curve: {
+      /** NIST P-256 Curve */
+      'p256':                'p256',
+      'P-256':               'p256',
+      'secp256r1':           'p256',
+      'prime256v1':          'p256',
+      '1.2.840.10045.3.1.7': 'p256',
+      '2a8648ce3d030107':    'p256',
+      '2A8648CE3D030107':    'p256',
+
+      /** NIST P-384 Curve */
+      'p384':         'p384',
+      'P-384':        'p384',
+      'secp384r1':    'p384',
+      '1.3.132.0.34': 'p384',
+      '2b81040022':   'p384',
+      '2B81040022':   'p384',
+
+      /** NIST P-521 Curve */
+      'p521':         'p521',
+      'P-521':        'p521',
+      'secp521r1':    'p521',
+      '1.3.132.0.35': 'p521',
+      '2b81040023':   'p521',
+      '2B81040023':   'p521',
+
+      /** SECG SECP256k1 Curve */
+      'secp256k1':    'secp256k1',
+      '1.3.132.0.10': 'secp256k1',
+      '2b8104000a':   'secp256k1',
+      '2B8104000A':   'secp256k1',
+
+      /** Ed25519 */
+      'ED25519':                'ed25519',
+      'ed25519':                'ed25519',
+      'Ed25519':                'ed25519',
+      '1.3.6.1.4.1.11591.15.1': 'ed25519',
+      '2b06010401da470f01':     'ed25519',
+      '2B06010401DA470F01':     'ed25519',
+
+      /** Curve25519 */
+      'X25519':                 'curve25519',
+      'cv25519':                'curve25519',
+      'curve25519':             'curve25519',
+      'Curve25519':             'curve25519',
+      '1.3.6.1.4.1.3029.1.5.1': 'curve25519',
+      '2b060104019755010501':   'curve25519',
+      '2B060104019755010501':   'curve25519',
+
+      /** BrainpoolP256r1 Curve */
+      'brainpoolP256r1':       'brainpoolP256r1',
+      '1.3.36.3.3.2.8.1.1.7':  'brainpoolP256r1',
+      '2b2403030208010107':    'brainpoolP256r1',
+      '2B2403030208010107':    'brainpoolP256r1',
+
+      /** BrainpoolP384r1 Curve */
+      'brainpoolP384r1':       'brainpoolP384r1',
+      '1.3.36.3.3.2.8.1.1.11': 'brainpoolP384r1',
+      '2b240303020801010b':    'brainpoolP384r1',
+      '2B240303020801010B':    'brainpoolP384r1',
+
+      /** BrainpoolP512r1 Curve */
+      'brainpoolP512r1':       'brainpoolP512r1',
+      '1.3.36.3.3.2.8.1.1.13': 'brainpoolP512r1',
+      '2b240303020801010d':    'brainpoolP512r1',
+      '2B240303020801010D':    'brainpoolP512r1'
+    },
+
+    /** KDF parameters flags
+     * Non-standard extensions (for now) to allow email forwarding
+     * @enum {Integer}
+     * @readonly
+     */
+    kdfFlags: {
+      /** Specify fingerprint to use instead of the recipient's */
+      replace_fingerprint: 0x01,
+      /** Specify custom parameters to use in the KDF digest computation */
+      replace_kdf_params: 0x02
+    },
+
+    /** A string to key specifier type
+     * @enum {Integer}
+     * @readonly
+     */
+    s2k: {
+      simple: 0,
+      salted: 1,
+      iterated: 3,
+      argon2: 4,
+      gnu: 101
+    },
+
+    /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-crypto-refresh-08.html#section-9.1|crypto-refresh RFC, section 9.1}
+     * @enum {Integer}
+     * @readonly
+     */
+    publicKey: {
+      /** RSA (Encrypt or Sign) [HAC] */
+      rsaEncryptSign: 1,
+      /** RSA (Encrypt only) [HAC] */
+      rsaEncrypt: 2,
+      /** RSA (Sign only) [HAC] */
+      rsaSign: 3,
+      /** Elgamal (Encrypt only) [ELGAMAL] [HAC] */
+      elgamal: 16,
+      /** DSA (Sign only) [FIPS186] [HAC] */
+      dsa: 17,
+      /** ECDH (Encrypt only) [RFC6637] */
+      ecdh: 18,
+      /** ECDSA (Sign only) [RFC6637] */
+      ecdsa: 19,
+      /** EdDSA (Sign only) - deprecated by crypto-refresh (replaced by `ed25519` identifier below)
+       * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */
+      ed25519Legacy: 22, // NB: this is declared before `eddsa` to translate 22 to 'eddsa' for backwards compatibility
+      eddsa: 22, // to be deprecated in v6
+      /** Reserved for AEDH */
+      aedh: 23,
+      /** Reserved for AEDSA */
+      aedsa: 24,
+      /** X25519 (Encrypt only) */
+      x25519: 25,
+      /** X448 (Encrypt only) */
+      x448: 26,
+      /** Ed25519 (Sign only) */
+      ed25519: 27,
+      /** Ed448 (Sign only) */
+      ed448: 28,
+      /** Symmetric authenticated encryption algorithms */
+      aead: 100,
+      /** Authentication using CMAC */
+      hmac: 101
+    },
+
+    /** {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC4880, section 9.2}
+     * @enum {Integer}
+     * @readonly
+     */
+    symmetric: {
+      plaintext: 0,
+      /** Not implemented! */
+      idea: 1,
+      tripledes: 2,
+      cast5: 3,
+      blowfish: 4,
+      aes128: 7,
+      aes192: 8,
+      aes256: 9,
+      twofish: 10
+    },
+
+    /** {@link https://tools.ietf.org/html/rfc4880#section-9.3|RFC4880, section 9.3}
+     * @enum {Integer}
+     * @readonly
+     */
+    compression: {
+      uncompressed: 0,
+      /** RFC1951 */
+      zip: 1,
+      /** RFC1950 */
+      zlib: 2,
+      bzip2: 3
+    },
+
+    /** {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC4880, section 9.4}
+     * @enum {Integer}
+     * @readonly
+     */
+    hash: {
+      md5: 1,
+      sha1: 2,
+      ripemd: 3,
+      sha256: 8,
+      sha384: 9,
+      sha512: 10,
+      sha224: 11
+    },
+
+    /** A list of hash names as accepted by webCrypto functions.
+     * {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest|Parameters, algo}
+     * @enum {String}
+     */
+    webHash: {
+      'SHA-1': 2,
+      'SHA-256': 8,
+      'SHA-384': 9,
+      'SHA-512': 10
+    },
+
+    /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.6|RFC4880bis-04, section 9.6}
+     * @enum {Integer}
+     * @readonly
+     */
+    aead: {
+      eax: 1,
+      ocb: 2,
+      experimentalGCM: 100 // Private algorithm
+    },
+
+    /** A list of packet types and numeric tags associated with them.
+     * @enum {Integer}
+     * @readonly
+     */
+    packet: {
+      publicKeyEncryptedSessionKey: 1,
+      signature: 2,
+      symEncryptedSessionKey: 3,
+      onePassSignature: 4,
+      secretKey: 5,
+      publicKey: 6,
+      secretSubkey: 7,
+      compressedData: 8,
+      symmetricallyEncryptedData: 9,
+      marker: 10,
+      literalData: 11,
+      trust: 12,
+      userID: 13,
+      publicSubkey: 14,
+      userAttribute: 17,
+      symEncryptedIntegrityProtectedData: 18,
+      modificationDetectionCode: 19,
+      aeadEncryptedData: 20 // see IETF draft: https://tools.ietf.org/html/draft-ford-openpgp-format-00#section-2.1
+    },
+
+    /** Data types in the literal packet
+     * @enum {Integer}
+     * @readonly
+     */
+    literal: {
+      /** Binary data 'b' */
+      binary: 'b'.charCodeAt(),
+      /** Text data 't' */
+      text: 't'.charCodeAt(),
+      /** Utf8 data 'u' */
+      utf8: 'u'.charCodeAt(),
+      /** MIME message body part 'm' */
+      mime: 'm'.charCodeAt()
+    },
+
+
+    /** One pass signature packet type
+     * @enum {Integer}
+     * @readonly
+     */
+    signature: {
+      /** 0x00: Signature of a binary document. */
+      binary: 0,
+      /** 0x01: Signature of a canonical text document.
+       *
+       * Canonicalyzing the document by converting line endings. */
+      text: 1,
+      /** 0x02: Standalone signature.
+       *
+       * This signature is a signature of only its own subpacket contents.
+       * It is calculated identically to a signature over a zero-lengh
+       * binary document.  Note that it doesn't make sense to have a V3
+       * standalone signature. */
+      standalone: 2,
+      /** 0x10: Generic certification of a User ID and Public-Key packet.
+       *
+       * The issuer of this certification does not make any particular
+       * assertion as to how well the certifier has checked that the owner
+       * of the key is in fact the person described by the User ID. */
+      certGeneric: 16,
+      /** 0x11: Persona certification of a User ID and Public-Key packet.
+       *
+       * The issuer of this certification has not done any verification of
+       * the claim that the owner of this key is the User ID specified. */
+      certPersona: 17,
+      /** 0x12: Casual certification of a User ID and Public-Key packet.
+       *
+       * The issuer of this certification has done some casual
+       * verification of the claim of identity. */
+      certCasual: 18,
+      /** 0x13: Positive certification of a User ID and Public-Key packet.
+       *
+       * The issuer of this certification has done substantial
+       * verification of the claim of identity.
+       *
+       * Most OpenPGP implementations make their "key signatures" as 0x10
+       * certifications.  Some implementations can issue 0x11-0x13
+       * certifications, but few differentiate between the types. */
+      certPositive: 19,
+      /** 0x30: Certification revocation signature
+       *
+       * This signature revokes an earlier User ID certification signature
+       * (signature class 0x10 through 0x13) or direct-key signature
+       * (0x1F).  It should be issued by the same key that issued the
+       * revoked signature or an authorized revocation key.  The signature
+       * is computed over the same data as the certificate that it
+       * revokes, and should have a later creation date than that
+       * certificate. */
+      certRevocation: 48,
+      /** 0x18: Subkey Binding Signature
+       *
+       * This signature is a statement by the top-level signing key that
+       * indicates that it owns the subkey.  This signature is calculated
+       * directly on the primary key and subkey, and not on any User ID or
+       * other packets.  A signature that binds a signing subkey MUST have
+       * an Embedded Signature subpacket in this binding signature that
+       * contains a 0x19 signature made by the signing subkey on the
+       * primary key and subkey. */
+      subkeyBinding: 24,
+      /** 0x19: Primary Key Binding Signature
+       *
+       * This signature is a statement by a signing subkey, indicating
+       * that it is owned by the primary key and subkey.  This signature
+       * is calculated the same way as a 0x18 signature: directly on the
+       * primary key and subkey, and not on any User ID or other packets.
+       *
+       * When a signature is made over a key, the hash data starts with the
+       * octet 0x99, followed by a two-octet length of the key, and then body
+       * of the key packet.  (Note that this is an old-style packet header for
+       * a key packet with two-octet length.)  A subkey binding signature
+       * (type 0x18) or primary key binding signature (type 0x19) then hashes
+       * the subkey using the same format as the main key (also using 0x99 as
+       * the first octet). */
+      keyBinding: 25,
+      /** 0x1F: Signature directly on a key
+       *
+       * This signature is calculated directly on a key.  It binds the
+       * information in the Signature subpackets to the key, and is
+       * appropriate to be used for subpackets that provide information
+       * about the key, such as the Revocation Key subpacket.  It is also
+       * appropriate for statements that non-self certifiers want to make
+       * about the key itself, rather than the binding between a key and a
+       * name. */
+      key: 31,
+      /** 0x20: Key revocation signature
+       *
+       * The signature is calculated directly on the key being revoked.  A
+       * revoked key is not to be used.  Only revocation signatures by the
+       * key being revoked, or by an authorized revocation key, should be
+       * considered valid revocation signatures.a */
+      keyRevocation: 32,
+      /** 0x28: Subkey revocation signature
+       *
+       * The signature is calculated directly on the subkey being revoked.
+       * A revoked subkey is not to be used.  Only revocation signatures
+       * by the top-level signature key that is bound to this subkey, or
+       * by an authorized revocation key, should be considered valid
+       * revocation signatures.
+       *
+       * Key revocation signatures (types 0x20 and 0x28)
+       * hash only the key being revoked. */
+      subkeyRevocation: 40,
+      /** 0x40: Timestamp signature.
+       * This signature is only meaningful for the timestamp contained in
+       * it. */
+      timestamp: 64,
+      /** 0x50: Third-Party Confirmation signature.
+       *
+       * This signature is a signature over some other OpenPGP Signature
+       * packet(s).  It is analogous to a notary seal on the signed data.
+       * A third-party signature SHOULD include Signature Target
+       * subpacket(s) to give easy identification.  Note that we really do
+       * mean SHOULD.  There are plausible uses for this (such as a blind
+       * party that only sees the signature, not the key or source
+       * document) that cannot include a target subpacket. */
+      thirdParty: 80
+    },
+
+    /** Signature subpacket type
+     * @enum {Integer}
+     * @readonly
+     */
+    signatureSubpacket: {
+      signatureCreationTime: 2,
+      signatureExpirationTime: 3,
+      exportableCertification: 4,
+      trustSignature: 5,
+      regularExpression: 6,
+      revocable: 7,
+      keyExpirationTime: 9,
+      placeholderBackwardsCompatibility: 10,
+      preferredSymmetricAlgorithms: 11,
+      revocationKey: 12,
+      issuer: 16,
+      notationData: 20,
+      preferredHashAlgorithms: 21,
+      preferredCompressionAlgorithms: 22,
+      keyServerPreferences: 23,
+      preferredKeyServer: 24,
+      primaryUserID: 25,
+      policyURI: 26,
+      keyFlags: 27,
+      signersUserID: 28,
+      reasonForRevocation: 29,
+      features: 30,
+      signatureTarget: 31,
+      embeddedSignature: 32,
+      issuerFingerprint: 33,
+      preferredAEADAlgorithms: 34
+    },
+
+    /** Key flags
+     * @enum {Integer}
+     * @readonly
+     */
+    keyFlags: {
+      /** 0x01 - This key may be used to certify other keys. */
+      certifyKeys: 1,
+      /** 0x02 - This key may be used to sign data. */
+      signData: 2,
+      /** 0x04 - This key may be used to encrypt communications. */
+      encryptCommunication: 4,
+      /** 0x08 - This key may be used to encrypt storage. */
+      encryptStorage: 8,
+      /** 0x10 - The private component of this key may have been split
+       *        by a secret-sharing mechanism. */
+      splitPrivateKey: 16,
+      /** 0x20 - This key may be used for authentication. */
+      authentication: 32,
+      /** This key may be used for forwarded communications */
+      forwardedCommunication: 64,
+      /** 0x80 - The private component of this key may be in the
+       *        possession of more than one person. */
+      sharedPrivateKey: 128
+    },
+
+    /** Armor type
+     * @enum {Integer}
+     * @readonly
+     */
+    armor: {
+      multipartSection: 0,
+      multipartLast: 1,
+      signed: 2,
+      message: 3,
+      publicKey: 4,
+      privateKey: 5,
+      signature: 6
+    },
+
+    /** {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.23|RFC4880, section 5.2.3.23}
+     * @enum {Integer}
+     * @readonly
+     */
+    reasonForRevocation: {
+      /** No reason specified (key revocations or cert revocations) */
+      noReason: 0,
+      /** Key is superseded (key revocations) */
+      keySuperseded: 1,
+      /** Key material has been compromised (key revocations) */
+      keyCompromised: 2,
+      /** Key is retired and no longer used (key revocations) */
+      keyRetired: 3,
+      /** User ID information is no longer valid (cert revocations) */
+      userIDInvalid: 32
+    },
+
+    /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.2.3.25|RFC4880bis-04, section 5.2.3.25}
+     * @enum {Integer}
+     * @readonly
+     */
+    features: {
+      /** 0x01 - Modification Detection (packets 18 and 19) */
+      modificationDetection: 1,
+      /** 0x02 - AEAD Encrypted Data Packet (packet 20) and version 5
+       *         Symmetric-Key Encrypted Session Key Packets (packet 3) */
+      aead: 2,
+      /** 0x04 - Version 5 Public-Key Packet format and corresponding new
+        *        fingerprint format */
+      v5Keys: 4
+    },
+
+    /**
+     * Asserts validity of given value and converts from string/integer to integer.
+     * @param {Object} type target enum type
+     * @param {String|Integer} e value to check and/or convert
+     * @returns {Integer} enum value if it exists
+     * @throws {Error} if the value is invalid
+     */
+    write: function(type, e) {
+      if (typeof e === 'number') {
+        e = this.read(type, e);
+      }
+
+      if (type[e] !== undefined) {
+        return type[e];
+      }
+
+      throw new Error('Invalid enum value.');
+    },
+
+    /**
+     * Converts enum integer value to the corresponding string, if it exists.
+     * @param {Object} type target enum type
+     * @param {Integer} e value to convert
+     * @returns {String} name of enum value if it exists
+     * @throws {Error} if the value is invalid
+     */
+    read: function(type, e) {
+      if (!type[byValue]) {
+        type[byValue] = [];
+        Object.entries(type).forEach(([key, value]) => {
+          type[byValue][value] = key;
+        });
+      }
+
+      if (type[byValue][e] !== undefined) {
+        return type[byValue][e];
+      }
+
+      throw new Error('Invalid enum value.');
+    }
+  };
+
   // GPG4Browsers - An OpenPGP implementation in javascript
 
   const debugMode = (() => {
@@ -2091,6 +2611,12 @@ var openpgp = (function (exports) {
      */
     selectUint8: function(cond, a, b) {
       return (a & (256 - cond)) | (b & (255 + cond));
+    },
+    /**
+     * @param {module:enums.symmetric} cipherAlgo
+     */
+    isAES: function(cipherAlgo) {
+      return cipherAlgo === enums.symmetric.aes128 || cipherAlgo === enums.symmetric.aes192 || cipherAlgo === enums.symmetric.aes256;
     }
   };
 
@@ -2205,517 +2731,6 @@ var openpgp = (function (exports) {
     return encoded;
   }
 
-  /**
-   * @module enums
-   */
-
-  const byValue = Symbol('byValue');
-
-  var enums = {
-
-    /** Maps curve names under various standards to one
-     * @see {@link https://wiki.gnupg.org/ECC|ECC - GnuPG wiki}
-     * @enum {String}
-     * @readonly
-     */
-    curve: {
-      /** NIST P-256 Curve */
-      'p256':                'p256',
-      'P-256':               'p256',
-      'secp256r1':           'p256',
-      'prime256v1':          'p256',
-      '1.2.840.10045.3.1.7': 'p256',
-      '2a8648ce3d030107':    'p256',
-      '2A8648CE3D030107':    'p256',
-
-      /** NIST P-384 Curve */
-      'p384':         'p384',
-      'P-384':        'p384',
-      'secp384r1':    'p384',
-      '1.3.132.0.34': 'p384',
-      '2b81040022':   'p384',
-      '2B81040022':   'p384',
-
-      /** NIST P-521 Curve */
-      'p521':         'p521',
-      'P-521':        'p521',
-      'secp521r1':    'p521',
-      '1.3.132.0.35': 'p521',
-      '2b81040023':   'p521',
-      '2B81040023':   'p521',
-
-      /** SECG SECP256k1 Curve */
-      'secp256k1':    'secp256k1',
-      '1.3.132.0.10': 'secp256k1',
-      '2b8104000a':   'secp256k1',
-      '2B8104000A':   'secp256k1',
-
-      /** Ed25519 */
-      'ED25519':                'ed25519',
-      'ed25519':                'ed25519',
-      'Ed25519':                'ed25519',
-      '1.3.6.1.4.1.11591.15.1': 'ed25519',
-      '2b06010401da470f01':     'ed25519',
-      '2B06010401DA470F01':     'ed25519',
-
-      /** Curve25519 */
-      'X25519':                 'curve25519',
-      'cv25519':                'curve25519',
-      'curve25519':             'curve25519',
-      'Curve25519':             'curve25519',
-      '1.3.6.1.4.1.3029.1.5.1': 'curve25519',
-      '2b060104019755010501':   'curve25519',
-      '2B060104019755010501':   'curve25519',
-
-      /** BrainpoolP256r1 Curve */
-      'brainpoolP256r1':       'brainpoolP256r1',
-      '1.3.36.3.3.2.8.1.1.7':  'brainpoolP256r1',
-      '2b2403030208010107':    'brainpoolP256r1',
-      '2B2403030208010107':    'brainpoolP256r1',
-
-      /** BrainpoolP384r1 Curve */
-      'brainpoolP384r1':       'brainpoolP384r1',
-      '1.3.36.3.3.2.8.1.1.11': 'brainpoolP384r1',
-      '2b240303020801010b':    'brainpoolP384r1',
-      '2B240303020801010B':    'brainpoolP384r1',
-
-      /** BrainpoolP512r1 Curve */
-      'brainpoolP512r1':       'brainpoolP512r1',
-      '1.3.36.3.3.2.8.1.1.13': 'brainpoolP512r1',
-      '2b240303020801010d':    'brainpoolP512r1',
-      '2B240303020801010D':    'brainpoolP512r1'
-    },
-
-    /** KDF parameters flags
-     * Non-standard extensions (for now) to allow email forwarding
-     * @enum {Integer}
-     * @readonly
-     */
-    kdfFlags: {
-      /** Specify fingerprint to use instead of the recipient's */
-      replace_fingerprint: 0x01,
-      /** Specify custom parameters to use in the KDF digest computation */
-      replace_kdf_params: 0x02
-    },
-
-    /** A string to key specifier type
-     * @enum {Integer}
-     * @readonly
-     */
-    s2k: {
-      simple: 0,
-      salted: 1,
-      iterated: 3,
-      argon2: 4,
-      gnu: 101
-    },
-
-    /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.1|RFC4880bis-04, section 9.1}
-     * @enum {Integer}
-     * @readonly
-     */
-    publicKey: {
-      /** RSA (Encrypt or Sign) [HAC] */
-      rsaEncryptSign: 1,
-      /** RSA (Encrypt only) [HAC] */
-      rsaEncrypt: 2,
-      /** RSA (Sign only) [HAC] */
-      rsaSign: 3,
-      /** Elgamal (Encrypt only) [ELGAMAL] [HAC] */
-      elgamal: 16,
-      /** DSA (Sign only) [FIPS186] [HAC] */
-      dsa: 17,
-      /** ECDH (Encrypt only) [RFC6637] */
-      ecdh: 18,
-      /** ECDSA (Sign only) [RFC6637] */
-      ecdsa: 19,
-      /** EdDSA (Sign only)
-       * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */
-      eddsa: 22,
-      /** Reserved for AEDH */
-      aedh: 23,
-      /** Reserved for AEDSA */
-      aedsa: 24,
-      /** Symmetric authenticated encryption algorithms */
-      aead: 100,
-      /** Authentication using CMAC */
-      hmac: 101
-    },
-
-    /** {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC4880, section 9.2}
-     * @enum {Integer}
-     * @readonly
-     */
-    symmetric: {
-      plaintext: 0,
-      /** Not implemented! */
-      idea: 1,
-      tripledes: 2,
-      cast5: 3,
-      blowfish: 4,
-      aes128: 7,
-      aes192: 8,
-      aes256: 9,
-      twofish: 10
-    },
-
-    /** {@link https://tools.ietf.org/html/rfc4880#section-9.3|RFC4880, section 9.3}
-     * @enum {Integer}
-     * @readonly
-     */
-    compression: {
-      uncompressed: 0,
-      /** RFC1951 */
-      zip: 1,
-      /** RFC1950 */
-      zlib: 2,
-      bzip2: 3
-    },
-
-    /** {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC4880, section 9.4}
-     * @enum {Integer}
-     * @readonly
-     */
-    hash: {
-      md5: 1,
-      sha1: 2,
-      ripemd: 3,
-      sha256: 8,
-      sha384: 9,
-      sha512: 10,
-      sha224: 11
-    },
-
-    /** A list of hash names as accepted by webCrypto functions.
-     * {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest|Parameters, algo}
-     * @enum {String}
-     */
-    webHash: {
-      'SHA-1': 2,
-      'SHA-256': 8,
-      'SHA-384': 9,
-      'SHA-512': 10
-    },
-
-    /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.6|RFC4880bis-04, section 9.6}
-     * @enum {Integer}
-     * @readonly
-     */
-    aead: {
-      eax: 1,
-      ocb: 2,
-      experimentalGCM: 100 // Private algorithm
-    },
-
-    /** A list of packet types and numeric tags associated with them.
-     * @enum {Integer}
-     * @readonly
-     */
-    packet: {
-      publicKeyEncryptedSessionKey: 1,
-      signature: 2,
-      symEncryptedSessionKey: 3,
-      onePassSignature: 4,
-      secretKey: 5,
-      publicKey: 6,
-      secretSubkey: 7,
-      compressedData: 8,
-      symmetricallyEncryptedData: 9,
-      marker: 10,
-      literalData: 11,
-      trust: 12,
-      userID: 13,
-      publicSubkey: 14,
-      userAttribute: 17,
-      symEncryptedIntegrityProtectedData: 18,
-      modificationDetectionCode: 19,
-      aeadEncryptedData: 20 // see IETF draft: https://tools.ietf.org/html/draft-ford-openpgp-format-00#section-2.1
-    },
-
-    /** Data types in the literal packet
-     * @enum {Integer}
-     * @readonly
-     */
-    literal: {
-      /** Binary data 'b' */
-      binary: 'b'.charCodeAt(),
-      /** Text data 't' */
-      text: 't'.charCodeAt(),
-      /** Utf8 data 'u' */
-      utf8: 'u'.charCodeAt(),
-      /** MIME message body part 'm' */
-      mime: 'm'.charCodeAt()
-    },
-
-
-    /** One pass signature packet type
-     * @enum {Integer}
-     * @readonly
-     */
-    signature: {
-      /** 0x00: Signature of a binary document. */
-      binary: 0,
-      /** 0x01: Signature of a canonical text document.
-       *
-       * Canonicalyzing the document by converting line endings. */
-      text: 1,
-      /** 0x02: Standalone signature.
-       *
-       * This signature is a signature of only its own subpacket contents.
-       * It is calculated identically to a signature over a zero-lengh
-       * binary document.  Note that it doesn't make sense to have a V3
-       * standalone signature. */
-      standalone: 2,
-      /** 0x10: Generic certification of a User ID and Public-Key packet.
-       *
-       * The issuer of this certification does not make any particular
-       * assertion as to how well the certifier has checked that the owner
-       * of the key is in fact the person described by the User ID. */
-      certGeneric: 16,
-      /** 0x11: Persona certification of a User ID and Public-Key packet.
-       *
-       * The issuer of this certification has not done any verification of
-       * the claim that the owner of this key is the User ID specified. */
-      certPersona: 17,
-      /** 0x12: Casual certification of a User ID and Public-Key packet.
-       *
-       * The issuer of this certification has done some casual
-       * verification of the claim of identity. */
-      certCasual: 18,
-      /** 0x13: Positive certification of a User ID and Public-Key packet.
-       *
-       * The issuer of this certification has done substantial
-       * verification of the claim of identity.
-       *
-       * Most OpenPGP implementations make their "key signatures" as 0x10
-       * certifications.  Some implementations can issue 0x11-0x13
-       * certifications, but few differentiate between the types. */
-      certPositive: 19,
-      /** 0x30: Certification revocation signature
-       *
-       * This signature revokes an earlier User ID certification signature
-       * (signature class 0x10 through 0x13) or direct-key signature
-       * (0x1F).  It should be issued by the same key that issued the
-       * revoked signature or an authorized revocation key.  The signature
-       * is computed over the same data as the certificate that it
-       * revokes, and should have a later creation date than that
-       * certificate. */
-      certRevocation: 48,
-      /** 0x18: Subkey Binding Signature
-       *
-       * This signature is a statement by the top-level signing key that
-       * indicates that it owns the subkey.  This signature is calculated
-       * directly on the primary key and subkey, and not on any User ID or
-       * other packets.  A signature that binds a signing subkey MUST have
-       * an Embedded Signature subpacket in this binding signature that
-       * contains a 0x19 signature made by the signing subkey on the
-       * primary key and subkey. */
-      subkeyBinding: 24,
-      /** 0x19: Primary Key Binding Signature
-       *
-       * This signature is a statement by a signing subkey, indicating
-       * that it is owned by the primary key and subkey.  This signature
-       * is calculated the same way as a 0x18 signature: directly on the
-       * primary key and subkey, and not on any User ID or other packets.
-       *
-       * When a signature is made over a key, the hash data starts with the
-       * octet 0x99, followed by a two-octet length of the key, and then body
-       * of the key packet.  (Note that this is an old-style packet header for
-       * a key packet with two-octet length.)  A subkey binding signature
-       * (type 0x18) or primary key binding signature (type 0x19) then hashes
-       * the subkey using the same format as the main key (also using 0x99 as
-       * the first octet). */
-      keyBinding: 25,
-      /** 0x1F: Signature directly on a key
-       *
-       * This signature is calculated directly on a key.  It binds the
-       * information in the Signature subpackets to the key, and is
-       * appropriate to be used for subpackets that provide information
-       * about the key, such as the Revocation Key subpacket.  It is also
-       * appropriate for statements that non-self certifiers want to make
-       * about the key itself, rather than the binding between a key and a
-       * name. */
-      key: 31,
-      /** 0x20: Key revocation signature
-       *
-       * The signature is calculated directly on the key being revoked.  A
-       * revoked key is not to be used.  Only revocation signatures by the
-       * key being revoked, or by an authorized revocation key, should be
-       * considered valid revocation signatures.a */
-      keyRevocation: 32,
-      /** 0x28: Subkey revocation signature
-       *
-       * The signature is calculated directly on the subkey being revoked.
-       * A revoked subkey is not to be used.  Only revocation signatures
-       * by the top-level signature key that is bound to this subkey, or
-       * by an authorized revocation key, should be considered valid
-       * revocation signatures.
-       *
-       * Key revocation signatures (types 0x20 and 0x28)
-       * hash only the key being revoked. */
-      subkeyRevocation: 40,
-      /** 0x40: Timestamp signature.
-       * This signature is only meaningful for the timestamp contained in
-       * it. */
-      timestamp: 64,
-      /** 0x50: Third-Party Confirmation signature.
-       *
-       * This signature is a signature over some other OpenPGP Signature
-       * packet(s).  It is analogous to a notary seal on the signed data.
-       * A third-party signature SHOULD include Signature Target
-       * subpacket(s) to give easy identification.  Note that we really do
-       * mean SHOULD.  There are plausible uses for this (such as a blind
-       * party that only sees the signature, not the key or source
-       * document) that cannot include a target subpacket. */
-      thirdParty: 80
-    },
-
-    /** Signature subpacket type
-     * @enum {Integer}
-     * @readonly
-     */
-    signatureSubpacket: {
-      signatureCreationTime: 2,
-      signatureExpirationTime: 3,
-      exportableCertification: 4,
-      trustSignature: 5,
-      regularExpression: 6,
-      revocable: 7,
-      keyExpirationTime: 9,
-      placeholderBackwardsCompatibility: 10,
-      preferredSymmetricAlgorithms: 11,
-      revocationKey: 12,
-      issuer: 16,
-      notationData: 20,
-      preferredHashAlgorithms: 21,
-      preferredCompressionAlgorithms: 22,
-      keyServerPreferences: 23,
-      preferredKeyServer: 24,
-      primaryUserID: 25,
-      policyURI: 26,
-      keyFlags: 27,
-      signersUserID: 28,
-      reasonForRevocation: 29,
-      features: 30,
-      signatureTarget: 31,
-      embeddedSignature: 32,
-      issuerFingerprint: 33,
-      preferredAEADAlgorithms: 34
-    },
-
-    /** Key flags
-     * @enum {Integer}
-     * @readonly
-     */
-    keyFlags: {
-      /** 0x01 - This key may be used to certify other keys. */
-      certifyKeys: 1,
-      /** 0x02 - This key may be used to sign data. */
-      signData: 2,
-      /** 0x04 - This key may be used to encrypt communications. */
-      encryptCommunication: 4,
-      /** 0x08 - This key may be used to encrypt storage. */
-      encryptStorage: 8,
-      /** 0x10 - The private component of this key may have been split
-       *        by a secret-sharing mechanism. */
-      splitPrivateKey: 16,
-      /** 0x20 - This key may be used for authentication. */
-      authentication: 32,
-      /** This key may be used for forwarded communications */
-      forwardedCommunication: 64,
-      /** 0x80 - The private component of this key may be in the
-       *        possession of more than one person. */
-      sharedPrivateKey: 128
-    },
-
-    /** Armor type
-     * @enum {Integer}
-     * @readonly
-     */
-    armor: {
-      multipartSection: 0,
-      multipartLast: 1,
-      signed: 2,
-      message: 3,
-      publicKey: 4,
-      privateKey: 5,
-      signature: 6
-    },
-
-    /** {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.23|RFC4880, section 5.2.3.23}
-     * @enum {Integer}
-     * @readonly
-     */
-    reasonForRevocation: {
-      /** No reason specified (key revocations or cert revocations) */
-      noReason: 0,
-      /** Key is superseded (key revocations) */
-      keySuperseded: 1,
-      /** Key material has been compromised (key revocations) */
-      keyCompromised: 2,
-      /** Key is retired and no longer used (key revocations) */
-      keyRetired: 3,
-      /** User ID information is no longer valid (cert revocations) */
-      userIDInvalid: 32
-    },
-
-    /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.2.3.25|RFC4880bis-04, section 5.2.3.25}
-     * @enum {Integer}
-     * @readonly
-     */
-    features: {
-      /** 0x01 - Modification Detection (packets 18 and 19) */
-      modificationDetection: 1,
-      /** 0x02 - AEAD Encrypted Data Packet (packet 20) and version 5
-       *         Symmetric-Key Encrypted Session Key Packets (packet 3) */
-      aead: 2,
-      /** 0x04 - Version 5 Public-Key Packet format and corresponding new
-        *        fingerprint format */
-      v5Keys: 4
-    },
-
-    /**
-     * Asserts validity of given value and converts from string/integer to integer.
-     * @param {Object} type target enum type
-     * @param {String|Integer} e value to check and/or convert
-     * @returns {Integer} enum value if it exists
-     * @throws {Error} if the value is invalid
-     */
-    write: function(type, e) {
-      if (typeof e === 'number') {
-        e = this.read(type, e);
-      }
-
-      if (type[e] !== undefined) {
-        return type[e];
-      }
-
-      throw new Error('Invalid enum value.');
-    },
-
-    /**
-     * Converts enum integer value to the corresponding string, if it exists.
-     * @param {Object} type target enum type
-     * @param {Integer} e value to convert
-     * @returns {String} name of enum value if it exists
-     * @throws {Error} if the value is invalid
-     */
-    read: function(type, e) {
-      if (!type[byValue]) {
-        type[byValue] = [];
-        Object.entries(type).forEach(([key, value]) => {
-          type[byValue][value] = key;
-        });
-      }
-
-      if (type[byValue][e] !== undefined) {
-        return type[byValue][e];
-      }
-
-      throw new Error('Invalid enum value.');
-    }
-  };
-
   // GPG4Browsers - An OpenPGP implementation in javascript
 
   var config = {
@@ -2932,7 +2947,7 @@ var openpgp = (function (exports) {
      * @memberof module:config
      * @property {String} versionString A version string to be included in armored messages
      */
-    versionString: 'OpenPGP.js 5.9.1-0',
+    versionString: 'OpenPGP.js 5.10.2',
     /**
      * @memberof module:config
      * @property {String} commentString A comment string to be included in armored messages
@@ -3424,6 +3439,7 @@ var openpgp = (function (exports) {
      */
     read(bytes) {
       this.bytes = util.uint8ArrayToString(bytes.subarray(0, 8));
+      return this.bytes.length;
     }
 
     /**
@@ -9970,7 +9986,7 @@ var openpgp = (function (exports) {
     if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
       return nodeEncrypt(algo, key, plaintext, iv);
     }
-    if (algoName.substr(0, 3) === 'aes') {
+    if (util.isAES(algo)) {
       return aesEncrypt(algo, key, plaintext, iv, config);
     }
 
@@ -10013,7 +10029,7 @@ var openpgp = (function (exports) {
     if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
       return nodeDecrypt(algo, key, ciphertext, iv);
     }
-    if (algoName.substr(0, 3) === 'aes') {
+    if (util.isAES(algo)) {
       return aesDecrypt(algo, key, ciphertext, iv);
     }
 
@@ -10032,7 +10048,7 @@ var openpgp = (function (exports) {
       let j = 0;
       while (chunk ? ct.length >= block_size : ct.length) {
         const decblock = cipherfn.encrypt(blockp);
-        blockp = ct;
+        blockp = ct.subarray(0, block_size);
         for (i = 0; i < block_size; i++) {
           plaintext[j++] = blockp[i] ^ decblock[i];
         }
@@ -13601,7 +13617,7 @@ var openpgp = (function (exports) {
     }
   };
 
-  class Curve {
+  class CurveWithOID {
     constructor(oidOrName, params) {
       try {
         if (util.isArray(oidOrName) ||
@@ -13678,7 +13694,7 @@ var openpgp = (function (exports) {
   async function generate$1(curve) {
     const BigInteger = await util.getBigInteger();
 
-    curve = new Curve(curve);
+    curve = new CurveWithOID(curve);
     const keyPair = await curve.genKeyPair();
     const Q = new BigInteger(keyPair.publicKey).toUint8Array();
     const secret = new BigInteger(keyPair.privateKey).toUint8Array('be', curve.payloadSize);
@@ -13869,7 +13885,7 @@ var openpgp = (function (exports) {
    * @async
    */
   async function sign$1(oid, hashAlgo, message, publicKey, privateKey, hashed) {
-    const curve = new Curve(oid);
+    const curve = new CurveWithOID(oid);
     if (message && !util.isStream(message)) {
       const keyPair = { publicKey, privateKey };
       switch (curve.type) {
@@ -13914,7 +13930,7 @@ var openpgp = (function (exports) {
    * @async
    */
   async function verify$1(oid, hashAlgo, signature, message, publicKey, hashed) {
-    const curve = new Curve(oid);
+    const curve = new CurveWithOID(oid);
     if (message && !util.isStream(message)) {
       switch (curve.type) {
         case 'web':
@@ -13948,7 +13964,7 @@ var openpgp = (function (exports) {
    * @async
    */
   async function validateParams$2(oid, Q, d) {
-    const curve = new Curve(oid);
+    const curve = new CurveWithOID(oid);
     // Reject curves x25519 and ed25519
     if (curve.keyType !== enums.publicKey.ecdsa) {
       return false;
@@ -14151,7 +14167,7 @@ var openpgp = (function (exports) {
   naclFastLight.hash = bytes => new Uint8Array(_512().update(bytes).digest());
 
   /**
-   * Sign a message using the provided key
+   * Sign a message using the provided legacy EdDSA key
    * @param {module:type/oid} oid - Elliptic curve object identifier
    * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)
    * @param {Uint8Array} message - Message to sign
@@ -14179,7 +14195,7 @@ var openpgp = (function (exports) {
   }
 
   /**
-   * Verifies if a signature is valid for a message
+   * Verifies if a legacy EdDSA signature is valid for a message
    * @param {module:type/oid} oid - Elliptic curve object identifier
    * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature
    * @param  {{r: Uint8Array,
@@ -14195,7 +14211,7 @@ var openpgp = (function (exports) {
     return naclFastLight.sign.detached.verify(hashed, signature, publicKey.subarray(1));
   }
   /**
-   * Validate EdDSA parameters
+   * Validate legacy EdDSA parameters
    * @param {module:type/oid} oid - Elliptic curve object identifier
    * @param {Uint8Array} Q - EdDSA public point
    * @param {Uint8Array} k - EdDSA secret seed
@@ -14215,9 +14231,10 @@ var openpgp = (function (exports) {
     const { publicKey } = naclFastLight.sign.keyPair.fromSeed(k);
     const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix
     return util.equalsUint8Array(Q, dG);
+
   }
 
-  var eddsa = /*#__PURE__*/Object.freeze({
+  var eddsa_legacy = /*#__PURE__*/Object.freeze({
     __proto__: null,
     sign: sign$2,
     verify: verify$2,
@@ -14226,6 +14243,113 @@ var openpgp = (function (exports) {
 
   // OpenPGP.js - An OpenPGP implementation in javascript
 
+  naclFastLight.hash = bytes => new Uint8Array(_512().update(bytes).digest());
+
+  /**
+   * Generate (non-legacy) EdDSA key
+   * @param {module:enums.publicKey} algo - Algorithm identifier
+   * @returns {Promise<{ A: Uint8Array, seed: Uint8Array }>}
+   */
+  async function generate$2(algo) {
+    switch (algo) {
+      case enums.publicKey.ed25519: {
+        const seed = getRandomBytes(32);
+        const { publicKey: A } = naclFastLight.sign.keyPair.fromSeed(seed);
+        return { A, seed };
+      }
+      default:
+        throw new Error('Unsupported EdDSA algorithm');
+    }
+  }
+
+  /**
+   * Sign a message using the provided key
+   * @param {module:enums.publicKey} algo - Algorithm identifier
+   * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)
+   * @param {Uint8Array} message - Message to sign
+   * @param {Uint8Array} publicKey - Public key
+   * @param {Uint8Array} privateKey - Private key used to sign the message
+   * @param {Uint8Array} hashed - The hashed message
+   * @returns {Promise<{
+   *   RS: Uint8Array
+   * }>} Signature of the message
+   * @async
+   */
+  async function sign$3(algo, hashAlgo, message, publicKey, privateKey, hashed) {
+    if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
+      // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
+      throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.');
+    }
+    switch (algo) {
+      case enums.publicKey.ed25519: {
+        const secretKey = util.concatUint8Array([privateKey, publicKey]);
+        const signature = naclFastLight.sign.detached(hashed, secretKey);
+        return { RS: signature };
+      }
+      case enums.publicKey.ed448:
+      default:
+        throw new Error('Unsupported EdDSA algorithm');
+    }
+
+  }
+
+  /**
+   * Verifies if a signature is valid for a message
+   * @param {module:enums.publicKey} algo - Algorithm identifier
+   * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature
+   * @param  {{ RS: Uint8Array }} signature Signature to verify the message
+   * @param {Uint8Array} m - Message to verify
+   * @param {Uint8Array} publicKey - Public key used to verify the message
+   * @param {Uint8Array} hashed - The hashed message
+   * @returns {Boolean}
+   * @async
+   */
+  async function verify$3(algo, hashAlgo, { RS }, m, publicKey, hashed) {
+    switch (algo) {
+      case enums.publicKey.ed25519: {
+        return naclFastLight.sign.detached.verify(hashed, RS, publicKey);
+      }
+      case enums.publicKey.ed448:
+      default:
+        throw new Error('Unsupported EdDSA algorithm');
+    }
+  }
+  /**
+   * Validate (non-legacy) EdDSA parameters
+   * @param {module:enums.publicKey} algo - Algorithm identifier
+   * @param {Uint8Array} A - EdDSA public point
+   * @param {Uint8Array} seed - EdDSA secret seed
+   * @param {Uint8Array} oid - (legacy only) EdDSA OID
+   * @returns {Promise<Boolean>} Whether params are valid.
+   * @async
+   */
+  async function validateParams$4(algo, A, seed) {
+    switch (algo) {
+      case enums.publicKey.ed25519: {
+        /**
+         * Derive public point A' from private key
+         * and expect A == A'
+         */
+        const { publicKey } = naclFastLight.sign.keyPair.fromSeed(seed);
+        return util.equalsUint8Array(A, publicKey);
+      }
+
+      case enums.publicKey.ed448: // unsupported
+      default:
+        return false;
+    }
+  }
+
+  var eddsa = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    generate: generate$2,
+    sign: sign$3,
+    verify: verify$3,
+    validateParams: validateParams$4
+  });
+
+  // OpenPGP.js - An OpenPGP implementation in javascript
+
   /**
    * AES key wrap
    * @function
@@ -14413,7 +14537,7 @@ var openpgp = (function (exports) {
    * @returns {Promise<Boolean>} Whether params are valid.
    * @async
    */
-  async function validateParams$4(oid, Q, d) {
+  async function validateParams$5(oid, Q, d) {
     return validateStandardParams(enums.publicKey.ecdh, oid, Q, d);
   }
 
@@ -14455,7 +14579,7 @@ var openpgp = (function (exports) {
   /**
    * Generate ECDHE ephemeral key and secret from public key
    *
-   * @param {Curve} curve - Elliptic curve object
+   * @param {CurveWithOID} curve - Elliptic curve object
    * @param {Uint8Array} Q - Recipient public key
    * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
    * @async
@@ -14498,7 +14622,7 @@ var openpgp = (function (exports) {
   async function encrypt$3(oid, kdfParams, data, Q, fingerprint) {
     const m = encode$1(data);
 
-    const curve = new Curve(oid);
+    const curve = new CurveWithOID(oid);
     const { publicKey, sharedKey } = await genPublicEphemeralKey(curve, Q);
     const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
     const { keySize } = getCipher(kdfParams.cipher);
@@ -14510,7 +14634,7 @@ var openpgp = (function (exports) {
   /**
    * Generate ECDHE secret from private key and public part of ephemeral key
    *
-   * @param {Curve} curve - Elliptic curve object
+   * @param {CurveWithOID} curve - Elliptic curve object
    * @param {Uint8Array} V - Public part of ephemeral key
    * @param {Uint8Array} Q - Recipient public key
    * @param {Uint8Array} d - Recipient private key
@@ -14558,7 +14682,7 @@ var openpgp = (function (exports) {
    * @async
    */
   async function decrypt$3(oid, kdfParams, V, C, Q, d, fingerprint) {
-    const curve = new Curve(oid);
+    const curve = new CurveWithOID(oid);
     const { sharedKey } = await genPrivateEphemeralKey(curve, V, Q, d);
     const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
     const { keySize } = getCipher(kdfParams.cipher);
@@ -14578,7 +14702,7 @@ var openpgp = (function (exports) {
   /**
    * Generate ECDHE secret from private key and public part of ephemeral key using webCrypto
    *
-   * @param {Curve} curve - Elliptic curve object
+   * @param {CurveWithOID} curve - Elliptic curve object
    * @param {Uint8Array} V - Public part of ephemeral key
    * @param {Uint8Array} Q - Recipient public key
    * @param {Uint8Array} d - Recipient private key
@@ -14631,7 +14755,7 @@ var openpgp = (function (exports) {
   /**
    * Generate ECDHE ephemeral key and secret from public key using webCrypto
    *
-   * @param {Curve} curve - Elliptic curve object
+   * @param {CurveWithOID} curve - Elliptic curve object
    * @param {Uint8Array} Q - Recipient public key
    * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
    * @async
@@ -14679,7 +14803,7 @@ var openpgp = (function (exports) {
   /**
    * Generate ECDHE secret from private key and public part of ephemeral key using indutny/elliptic
    *
-   * @param {Curve} curve - Elliptic curve object
+   * @param {CurveWithOID} curve - Elliptic curve object
    * @param {Uint8Array} V - Public part of ephemeral key
    * @param {Uint8Array} d - Recipient private key
    * @returns {Promise<{secretKey: Uint8Array, sharedKey: Uint8Array}>}
@@ -14699,7 +14823,7 @@ var openpgp = (function (exports) {
   /**
    * Generate ECDHE ephemeral key and secret from public key using indutny/elliptic
    *
-   * @param {Curve} curve - Elliptic curve object
+   * @param {CurveWithOID} curve - Elliptic curve object
    * @param {Uint8Array} Q - Recipient public key
    * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
    * @async
@@ -14719,7 +14843,7 @@ var openpgp = (function (exports) {
   /**
    * Generate ECDHE secret from private key and public part of ephemeral key using nodeCrypto
    *
-   * @param {Curve} curve - Elliptic curve object
+   * @param {CurveWithOID} curve - Elliptic curve object
    * @param {Uint8Array} V - Public part of ephemeral key
    * @param {Uint8Array} d - Recipient private key
    * @returns {Promise<{secretKey: Uint8Array, sharedKey: Uint8Array}>}
@@ -14736,7 +14860,7 @@ var openpgp = (function (exports) {
   /**
    * Generate ECDHE ephemeral key and secret from public key using nodeCrypto
    *
-   * @param {Curve} curve - Elliptic curve object
+   * @param {CurveWithOID} curve - Elliptic curve object
    * @param {Uint8Array} Q - Recipient public key
    * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
    * @async
@@ -14751,18 +14875,204 @@ var openpgp = (function (exports) {
 
   var ecdh = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    validateParams: validateParams$4,
+    validateParams: validateParams$5,
     encrypt: encrypt$3,
     decrypt: decrypt$3
   });
 
+  /**
+   * @fileoverview This module implements HKDF using either the WebCrypto API or Node.js' crypto API.
+   * @module crypto/hkdf
+   * @private
+   */
+
+  const webCrypto$9 = util.getWebCrypto();
+  const nodeCrypto$a = util.getNodeCrypto();
+  const nodeSubtleCrypto = nodeCrypto$a && nodeCrypto$a.webcrypto && nodeCrypto$a.webcrypto.subtle;
+
+  async function HKDF(hashAlgo, inputKey, salt, info, outLen) {
+    const hash = enums.read(enums.webHash, hashAlgo);
+    if (!hash) throw new Error('Hash algo not supported with HKDF');
+
+    if (webCrypto$9 || nodeSubtleCrypto) {
+      const crypto = webCrypto$9 || nodeSubtleCrypto;
+      const importedKey = await crypto.importKey('raw', inputKey, 'HKDF', false, ['deriveBits']);
+      const bits = await crypto.deriveBits({ name: 'HKDF', hash, salt, info }, importedKey, outLen * 8);
+      return new Uint8Array(bits);
+    }
+
+    if (nodeCrypto$a) {
+      const hashAlgoName = enums.read(enums.hash, hashAlgo);
+      // Node-only HKDF implementation based on https://www.rfc-editor.org/rfc/rfc5869
+
+      const computeHMAC = (hmacKey, hmacMessage) => nodeCrypto$a.createHmac(hashAlgoName, hmacKey).update(hmacMessage).digest();
+      // Step 1: Extract
+      // PRK = HMAC-Hash(salt, IKM)
+      const pseudoRandomKey = computeHMAC(salt, inputKey);
+
+      const hashLen = pseudoRandomKey.length;
+
+      // Step 2: Expand
+      // HKDF-Expand(PRK, info, L) -> OKM
+      const n = Math.ceil(outLen / hashLen);
+      const outputKeyingMaterial = new Uint8Array(n * hashLen);
+
+      // HMAC input buffer updated at each iteration
+      const roundInput = new Uint8Array(hashLen + info.length + 1);
+      // T_i and last byte are updated at each iteration, but `info` remains constant
+      roundInput.set(info, hashLen);
+
+      for (let i = 0; i < n; i++) {
+        // T(0) = empty string (zero length)
+        // T(i) = HMAC-Hash(PRK, T(i-1) | info | i)
+        roundInput[roundInput.length - 1] = i + 1;
+        // t = T(i+1)
+        const t = computeHMAC(pseudoRandomKey, i > 0 ? roundInput : roundInput.subarray(hashLen));
+        roundInput.set(t, 0);
+
+        outputKeyingMaterial.set(t, i * hashLen);
+      }
+
+      return outputKeyingMaterial.subarray(0, outLen);
+    }
+
+    throw new Error('No HKDF implementation available');
+  }
+
+  /**
+   * @fileoverview Key encryption and decryption for RFC 6637 ECDH
+   * @module crypto/public_key/elliptic/ecdh
+   * @private
+   */
+
+  const HKDF_INFO = {
+    x25519: util.encodeUTF8('OpenPGP X25519')
+  };
+
+  /**
+   * Generate ECDH key for Montgomery curves
+   * @param {module:enums.publicKey} algo - Algorithm identifier
+   * @returns {Promise<{ A: Uint8Array, k: Uint8Array }>}
+   */
+  async function generate$3(algo) {
+    switch (algo) {
+      case enums.publicKey.x25519: {
+        // k stays in little-endian, unlike legacy ECDH over curve25519
+        const k = getRandomBytes(32);
+        k[0] &= 248;
+        k[31] = (k[31] & 127) | 64;
+        const { publicKey: A } = naclFastLight.box.keyPair.fromSecretKey(k);
+        return { A, k };
+      }
+      default:
+        throw new Error('Unsupported ECDH algorithm');
+    }
+  }
+
+  /**
+  * Validate ECDH parameters
+  * @param {module:enums.publicKey} algo - Algorithm identifier
+  * @param {Uint8Array} A - ECDH public point
+  * @param {Uint8Array} k - ECDH secret scalar
+  * @returns {Promise<Boolean>} Whether params are valid.
+  * @async
+  */
+  async function validateParams$6(algo, A, k) {
+    switch (algo) {
+      case enums.publicKey.x25519: {
+        /**
+         * Derive public point A' from private key
+         * and expect A == A'
+         */
+        const { publicKey } = naclFastLight.box.keyPair.fromSecretKey(k);
+        return util.equalsUint8Array(A, publicKey);
+      }
+
+      default:
+        return false;
+    }
+  }
+
+  /**
+   * Wrap and encrypt a session key
+   *
+   * @param {module:enums.publicKey} algo - Algorithm identifier
+   * @param {Uint8Array} data - session key data to be encrypted
+   * @param {Uint8Array} recipientA - Recipient public key (K_B)
+   * @returns {Promise<{
+   *  ephemeralPublicKey: Uint8Array,
+   * wrappedKey: Uint8Array
+   * }>} ephemeral public key (K_A) and encrypted key
+   * @async
+   */
+  async function encrypt$4(algo, data, recipientA) {
+    switch (algo) {
+      case enums.publicKey.x25519: {
+        const ephemeralSecretKey = getRandomBytes(32);
+        const sharedSecret = naclFastLight.scalarMult(ephemeralSecretKey, recipientA);
+        const { publicKey: ephemeralPublicKey } = naclFastLight.box.keyPair.fromSecretKey(ephemeralSecretKey);
+        const hkdfInput = util.concatUint8Array([
+          ephemeralPublicKey,
+          recipientA,
+          sharedSecret
+        ]);
+        const { keySize } = getCipher(enums.symmetric.aes128);
+        const encryptionKey = await HKDF(enums.hash.sha256, hkdfInput, new Uint8Array(), HKDF_INFO.x25519, keySize);
+        const wrappedKey = wrap(encryptionKey, data);
+        return { ephemeralPublicKey, wrappedKey };
+      }
+
+      default:
+        throw new Error('Unsupported ECDH algorithm');
+    }
+  }
+
+  /**
+   * Decrypt and unwrap the session key
+   *
+   * @param {module:enums.publicKey} algo - Algorithm identifier
+   * @param {Uint8Array} ephemeralPublicKey - (K_A)
+   * @param {Uint8Array} wrappedKey,
+   * @param {Uint8Array} A - Recipient public key (K_b), needed for KDF
+   * @param {Uint8Array} k - Recipient secret key (b)
+   * @returns {Promise<Uint8Array>} decrypted session key data
+   * @async
+   */
+  async function decrypt$4(algo, ephemeralPublicKey, wrappedKey, A, k) {
+    switch (algo) {
+      case enums.publicKey.x25519: {
+        const sharedSecret = naclFastLight.scalarMult(k, ephemeralPublicKey);
+        const hkdfInput = util.concatUint8Array([
+          ephemeralPublicKey,
+          A,
+          sharedSecret
+        ]);
+        const { keySize } = getCipher(enums.symmetric.aes128);
+        const encryptionKey = await HKDF(enums.hash.sha256, hkdfInput, new Uint8Array(), HKDF_INFO.x25519, keySize);
+        return unwrap(encryptionKey, wrappedKey);
+      }
+      default:
+        throw new Error('Unsupported ECDH algorithm');
+    }
+  }
+
+  var ecdh_x = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    generate: generate$3,
+    validateParams: validateParams$6,
+    encrypt: encrypt$4,
+    decrypt: decrypt$4
+  });
+
   // OpenPGP.js - An OpenPGP implementation in javascript
 
   var elliptic = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    Curve: Curve,
+    CurveWithOID: CurveWithOID,
     ecdh: ecdh,
+    ecdhX: ecdh_x,
     ecdsa: ecdsa,
+    eddsaLegacy: eddsa_legacy,
     eddsa: eddsa,
     generate: generate$1,
     getPreferredHashAlgo: getPreferredHashAlgo
@@ -14787,7 +15097,7 @@ var openpgp = (function (exports) {
    * @returns {Promise<{ r: Uint8Array, s: Uint8Array }>}
    * @async
    */
-  async function sign$3(hashAlgo, hashed, g, p, q, x) {
+  async function sign$4(hashAlgo, hashed, g, p, q, x) {
     const BigInteger = await util.getBigInteger();
     const one = new BigInteger(1);
     p = new BigInteger(p);
@@ -14846,7 +15156,7 @@ var openpgp = (function (exports) {
    * @returns {boolean}
    * @async
    */
-  async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
+  async function verify$4(hashAlgo, r, s, hashed, g, p, q, y) {
     const BigInteger = await util.getBigInteger();
     const zero = new BigInteger(0);
     r = new BigInteger(r);
@@ -14889,7 +15199,7 @@ var openpgp = (function (exports) {
    * @returns {Promise<Boolean>} Whether params are valid.
    * @async
    */
-  async function validateParams$5(p, q, g, y, x) {
+  async function validateParams$7(p, q, g, y, x) {
     const BigInteger = await util.getBigInteger();
     p = new BigInteger(p);
     q = new BigInteger(q);
@@ -14944,9 +15254,9 @@ var openpgp = (function (exports) {
 
   var dsa = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    sign: sign$3,
-    verify: verify$3,
-    validateParams: validateParams$5
+    sign: sign$4,
+    verify: verify$4,
+    validateParams: validateParams$7
   });
 
   /**
@@ -15082,10 +15392,11 @@ var openpgp = (function (exports) {
         const s = util.readMPI(signature.subarray(read));
         return { r, s };
       }
-      // Algorithm-Specific Fields for EdDSA signatures:
+      // Algorithm-Specific Fields for legacy EdDSA signatures:
       // -  MPI of an EC point r.
       // -  EdDSA value s, in MPI, in the little endian representation
-      case enums.publicKey.eddsa: {
+      case enums.publicKey.eddsa:
+      case enums.publicKey.ed25519Legacy: {
         // When parsing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
         // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9
         let r = util.readMPI(signature.subarray(read)); read += r.length + 2;
@@ -15094,7 +15405,12 @@ var openpgp = (function (exports) {
         s = util.leftPad(s, 32);
         return { r, s };
       }
-
+      // Algorithm-Specific Fields for Ed25519 signatures:
+      // - 64 octets of the native signature
+      case enums.publicKey.ed25519: {
+        const RS = signature.subarray(read, read + 64); read += RS.length;
+        return { RS };
+      }
       case enums.publicKey.hmac: {
         const mac = new ShortByteString(); mac.read(signature.subarray(read));
         return { mac };
@@ -15119,7 +15435,7 @@ var openpgp = (function (exports) {
    * @returns {Promise<Boolean>} True if signature is valid.
    * @async
    */
-  async function verify$4(algo, hashAlgo, signature, publicParams, privateParams, data, hashed) {
+  async function verify$5(algo, hashAlgo, signature, publicParams, privateParams, data, hashed) {
     switch (algo) {
       case enums.publicKey.rsaEncryptSign:
       case enums.publicKey.rsaEncrypt:
@@ -15135,16 +15451,21 @@ var openpgp = (function (exports) {
       }
       case enums.publicKey.ecdsa: {
         const { oid, Q } = publicParams;
-        const curveSize = new publicKey.elliptic.Curve(oid).payloadSize;
+        const curveSize = new publicKey.elliptic.CurveWithOID(oid).payloadSize;
         // padding needed for webcrypto
         const r = util.leftPad(signature.r, curveSize);
         const s = util.leftPad(signature.s, curveSize);
         return publicKey.elliptic.ecdsa.verify(oid, hashAlgo, { r, s }, data, Q, hashed);
       }
-      case enums.publicKey.eddsa: {
+      case enums.publicKey.eddsa:
+      case enums.publicKey.ed25519Legacy: {
         const { oid, Q } = publicParams;
         // signature already padded on parsing
-        return publicKey.elliptic.eddsa.verify(oid, hashAlgo, signature, data, Q, hashed);
+        return publicKey.elliptic.eddsaLegacy.verify(oid, hashAlgo, signature, data, Q, hashed);
+      }
+      case enums.publicKey.ed25519: {
+        const { A } = publicParams;
+        return publicKey.elliptic.eddsa.verify(algo, hashAlgo, signature, data, A, hashed);
       }
       case enums.publicKey.hmac: {
         if (!privateParams) {
@@ -15174,7 +15495,7 @@ var openpgp = (function (exports) {
    * @returns {Promise<Object>} Signature                      Object containing named signature parameters.
    * @async
    */
-  async function sign$4(algo, hashAlgo, publicKeyParams, privateKeyParams, data, hashed) {
+  async function sign$5(algo, hashAlgo, publicKeyParams, privateKeyParams, data, hashed) {
     if (!publicKeyParams || !privateKeyParams) {
       throw new Error('Missing key parameters');
     }
@@ -15200,10 +15521,16 @@ var openpgp = (function (exports) {
         const { d } = privateKeyParams;
         return publicKey.elliptic.ecdsa.sign(oid, hashAlgo, data, Q, d, hashed);
       }
-      case enums.publicKey.eddsa: {
+      case enums.publicKey.eddsa:
+      case enums.publicKey.ed25519Legacy: {
         const { oid, Q } = publicKeyParams;
         const { seed } = privateKeyParams;
-        return publicKey.elliptic.eddsa.sign(oid, hashAlgo, data, Q, seed, hashed);
+        return publicKey.elliptic.eddsaLegacy.sign(oid, hashAlgo, data, Q, seed, hashed);
+      }
+      case enums.publicKey.ed25519: {
+        const { A } = publicKeyParams;
+        const { seed } = privateKeyParams;
+        return publicKey.elliptic.eddsa.sign(algo, hashAlgo, data, A, seed, hashed);
       }
       case enums.publicKey.hmac: {
         const { cipher: algo } = publicKeyParams;
@@ -15219,34 +15546,31 @@ var openpgp = (function (exports) {
   var signature = /*#__PURE__*/Object.freeze({
     __proto__: null,
     parseSignatureParams: parseSignatureParams,
-    verify: verify$4,
-    sign: sign$4
+    verify: verify$5,
+    sign: sign$5
   });
 
   // OpenPGP.js - An OpenPGP implementation in javascript
 
   class ECDHSymmetricKey {
     constructor(data) {
-      if (typeof data === 'undefined') {
-        data = new Uint8Array([]);
-      } else if (util.isString(data)) {
-        data = util.stringToUint8Array(data);
-      } else {
-        data = new Uint8Array(data);
+      if (data) {
+        this.data = data;
       }
-      this.data = data;
     }
 
     /**
-     * Read an ECDHSymmetricKey from an Uint8Array
-     * @param {Uint8Array} input - Where to read the encoded symmetric key from
+     * Read an ECDHSymmetricKey from an Uint8Array:
+     * - 1 octect for the length `l`
+     * - `l` octects of encoded session key data
+     * @param {Uint8Array} bytes
      * @returns {Number} Number of read bytes.
      */
-    read(input) {
-      if (input.length >= 1) {
-        const length = input[0];
-        if (input.length >= 1 + length) {
-          this.data = input.subarray(1, 1 + length);
+    read(bytes) {
+      if (bytes.length >= 1) {
+        const length = bytes[0];
+        if (bytes.length >= 1 + length) {
+          this.data = bytes.subarray(1, 1 + length);
           return 1 + this.data.length;
         }
       }
@@ -15255,7 +15579,7 @@ var openpgp = (function (exports) {
 
     /**
      * Write an ECDHSymmetricKey as an Uint8Array
-     * @returns  {Uint8Array}  An array containing the value
+     * @returns  {Uint8Array} Serialised data
      */
     write() {
       return util.concatUint8Array([new Uint8Array([this.data.length]), this.data]);
@@ -15295,6 +15619,9 @@ var openpgp = (function (exports) {
      * @returns {Number} Number of read bytes.
      */
     read(input) {
+      if (input.length < 4 || (input[1] !== 1 && input[1] !== VERSION_FORWARDING)) {
+        throw new UnsupportedError('Cannot read KDFParams');
+      }
       const totalBytes = input[0];
       this.version = input[1];
       this.hash = input[2];
@@ -15382,12 +15709,57 @@ var openpgp = (function (exports) {
   const SymAlgoEnum = type_enum(enums.symmetric);
   const HashEnum = type_enum(enums.hash);
 
+  /**
+   * Encoded symmetric key for x25519 and x448
+   * The payload format varies for v3 and v6 PKESK:
+   * the former includes an algorithm byte preceeding the encrypted session key.
+   *
+   * @module type/x25519x448_symkey
+   */
+
+  class ECDHXSymmetricKey {
+    static fromObject({ wrappedKey, algorithm }) {
+      const instance = new ECDHXSymmetricKey();
+      instance.wrappedKey = wrappedKey;
+      instance.algorithm = algorithm;
+      return instance;
+    }
+
+    /**
+     * - 1 octect for the length `l`
+     * - `l` octects of encoded session key data (with optional leading algorithm byte)
+     * @param {Uint8Array} bytes
+     * @returns {Number} Number of read bytes.
+     */
+    read(bytes) {
+      let read = 0;
+      let followLength = bytes[read++];
+      this.algorithm = followLength % 2 ? bytes[read++] : null; // session key size is always even
+      followLength -= followLength % 2;
+      this.wrappedKey = bytes.subarray(read, read + followLength); read += followLength;
+    }
+
+    /**
+     * Write an MontgomerySymmetricKey as an Uint8Array
+     * @returns  {Uint8Array} Serialised data
+     */
+    write() {
+      return util.concatUint8Array([
+        this.algorithm ?
+          new Uint8Array([this.wrappedKey.length + 1, this.algorithm]) :
+          new Uint8Array([this.wrappedKey.length]),
+        this.wrappedKey
+      ]);
+    }
+  }
+
   // GPG4Browsers - An OpenPGP implementation in javascript
 
   /**
    * Encrypts data using specified algorithm and public key parameters.
    * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1} for public key algorithms.
-   * @param {module:enums.publicKey} algo - Public key algorithm
+   * @param {module:enums.publicKey} keyAlgo - Public key algorithm
+   * @param {module:enums.symmetric} symmetricAlgo - Cipher algorithm
    * @param {Object} publicParams - Algorithm-specific public key parameters
    * @param {Object} privateParams - Algorithm-specific private key parameters
    * @param {Uint8Array} data - Data to be encrypted
@@ -15395,8 +15767,8 @@ var openpgp = (function (exports) {
    * @returns {Promise<Object>} Encrypted session key parameters.
    * @async
    */
-  async function publicKeyEncrypt(algo, publicParams, privateParams, data, fingerprint) {
-    switch (algo) {
+  async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, privateParams, data, fingerprint) {
+    switch (keyAlgo) {
       case enums.publicKey.rsaEncrypt:
       case enums.publicKey.rsaEncryptSign: {
         const { n, e } = publicParams;
@@ -15413,6 +15785,17 @@ var openpgp = (function (exports) {
           oid, kdfParams, data, Q, fingerprint);
         return { V, C: new ECDHSymmetricKey(C) };
       }
+      case enums.publicKey.x25519: {
+        if (!util.isAES(symmetricAlgo)) {
+          // see https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/276
+          throw new Error('X25519 keys can only encrypt AES session keys');
+        }
+        const { A } = publicParams;
+        const { ephemeralPublicKey, wrappedKey } = await publicKey.elliptic.ecdhX.encrypt(
+          keyAlgo, data, A);
+        const C = ECDHXSymmetricKey.fromObject({ algorithm: symmetricAlgo, wrappedKey });
+        return { ephemeralPublicKey, C };
+      }
       case enums.publicKey.aead: {
         if (!privateParams) {
           throw new Error('Cannot encrypt with symmetric key missing private parameters');
@@ -15469,6 +15852,16 @@ var openpgp = (function (exports) {
         return publicKey.elliptic.ecdh.decrypt(
           oid, kdfParams, V, C.data, Q, d, fingerprint);
       }
+      case enums.publicKey.x25519: {
+        const { A } = publicKeyParams;
+        const { k } = privateKeyParams;
+        const { ephemeralPublicKey, C } = sessionKeyParams;
+        if (!util.isAES(C.algorithm)) {
+          throw new Error('AES session key expected');
+        }
+        return publicKey.elliptic.ecdhX.decrypt(
+          algo, ephemeralPublicKey, C.wrappedKey, A, k);
+      }
       case enums.publicKey.aead: {
         const { cipher: algo } = publicKeyParams;
         const algoValue = algo.getValue();
@@ -15520,7 +15913,8 @@ var openpgp = (function (exports) {
         const Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
         return { read: read, publicParams: { oid, Q } };
       }
-      case enums.publicKey.eddsa: {
+      case enums.publicKey.eddsa:
+      case enums.publicKey.ed25519Legacy: {
         const oid = new OID(); read += oid.read(bytes);
         checkSupportedCurve(oid);
         let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
@@ -15534,6 +15928,11 @@ var openpgp = (function (exports) {
         const kdfParams = new KDFParams(); read += kdfParams.read(bytes.subarray(read));
         return { read: read, publicParams: { oid, Q, kdfParams } };
       }
+      case enums.publicKey.ed25519:
+      case enums.publicKey.x25519: {
+        const A = bytes.subarray(read, read + 32); read += A.length;
+        return { read, publicParams: { A } };
+      }
       case enums.publicKey.hmac:
       case enums.publicKey.aead: {
         const algo = new SymAlgoEnum(); read += algo.read(bytes);
@@ -15572,17 +15971,26 @@ var openpgp = (function (exports) {
       }
       case enums.publicKey.ecdsa:
       case enums.publicKey.ecdh: {
-        const curve = new Curve(publicParams.oid);
+        const curve = new CurveWithOID(publicParams.oid);
         let d = util.readMPI(bytes.subarray(read)); read += d.length + 2;
         d = util.leftPad(d, curve.payloadSize);
         return { read, privateParams: { d } };
       }
-      case enums.publicKey.eddsa: {
-        const curve = new Curve(publicParams.oid);
+      case enums.publicKey.eddsa:
+      case enums.publicKey.ed25519Legacy: {
+        const curve = new CurveWithOID(publicParams.oid);
         let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;
         seed = util.leftPad(seed, curve.payloadSize);
         return { read, privateParams: { seed } };
       }
+      case enums.publicKey.ed25519: {
+        const seed = bytes.subarray(read, read + 32); read += seed.length;
+        return { read, privateParams: { seed } };
+      }
+      case enums.publicKey.x25519: {
+        const k = bytes.subarray(read, read + 32); read += k.length;
+        return { read, privateParams: { k } };
+      }
       case enums.publicKey.hmac: {
         const { cipher: algo } = publicParams;
         const keySize = hash.getHashByteLength(algo.getValue());
@@ -15634,6 +16042,16 @@ var openpgp = (function (exports) {
         const C = new ECDHSymmetricKey(); C.read(bytes.subarray(read));
         return { V, C };
       }
+      //   Algorithm-Specific Fields for X25519 encrypted session keys:
+      //       - 32 octets representing an ephemeral X25519 public key.
+      //       - A one-octet size of the following fields.
+      //       - The one-octet algorithm identifier, if it was passed (in the case of a v3 PKESK packet).
+      //       - The encrypted session key.
+      case enums.publicKey.x25519: {
+        const ephemeralPublicKey = bytes.subarray(read, read + 32); read += ephemeralPublicKey.length;
+        const C = new ECDHXSymmetricKey(); C.read(bytes.subarray(read));
+        return { ephemeralPublicKey, C };
+      }
       //   Algorithm-Specific Fields for symmetric AEAD encryption:
       //       - AEAD algorithm
       //       - Starting initialization vector
@@ -15660,22 +16078,13 @@ var openpgp = (function (exports) {
    * @returns {Uint8Array} The array containing the MPIs.
    */
   function serializeParams(algo, params) {
-    let orderedParams;
-    switch (algo) {
-      case enums.publicKey.hmac:
-      case enums.publicKey.aead: {
-        orderedParams = Object.keys(params).map(name => {
-          const param = params[name];
-          return util.isUint8Array(param) ? param : param.write();
-        });
-        break;
-      }
-      default:
-        orderedParams = Object.keys(params).map(name => {
-          const param = params[name];
-          return util.isUint8Array(param) ? util.uint8ArrayToMPI(param) : param.write();
-        });
-    }
+    // Some algorithms do not rely on MPIs to store the binary params
+    const algosWithNativeRepresentation = new Set([enums.publicKey.ed25519, enums.publicKey.x25519, enums.publicKey.aead, enums.publicKey.hmac]);
+    const orderedParams = Object.keys(params).map(name => {
+      const param = params[name];
+      if (!util.isUint8Array(param)) return param.write();
+      return algosWithNativeRepresentation.has(algo) ? param : util.uint8ArrayToMPI(param);
+    });
     return util.concatUint8Array(orderedParams);
   }
 
@@ -15704,6 +16113,7 @@ var openpgp = (function (exports) {
           publicParams: { oid: new OID(oid), Q }
         }));
       case enums.publicKey.eddsa:
+      case enums.publicKey.ed25519Legacy:
         return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({
           privateParams: { seed: secret },
           publicParams: { oid: new OID(oid), Q }
@@ -15717,6 +16127,16 @@ var openpgp = (function (exports) {
             kdfParams: new KDFParams({ hash, cipher })
           }
         }));
+      case enums.publicKey.ed25519:
+        return publicKey.elliptic.eddsa.generate(algo).then(({ A, seed }) => ({
+          privateParams: { seed },
+          publicParams: { A }
+        }));
+      case enums.publicKey.x25519:
+        return publicKey.elliptic.ecdhX.generate(algo).then(({ A, k }) => ({
+          privateParams: { k },
+          publicParams: { A }
+        }));
       case enums.publicKey.hmac: {
         const symAlgo = enums.write(enums.hash, symmetric);
         const keyMaterial = getRandomBytes(hash.getHashByteLength(symAlgo));
@@ -15758,7 +16178,7 @@ var openpgp = (function (exports) {
    * @returns {Promise<Boolean>} Whether the parameters are valid.
    * @async
    */
-  async function validateParams$6(algo, publicParams, privateParams) {
+  async function validateParams$8(algo, publicParams, privateParams) {
     if (!publicParams || !privateParams) {
       throw new Error('Missing key parameters');
     }
@@ -15787,10 +16207,21 @@ var openpgp = (function (exports) {
         const { d } = privateParams;
         return algoModule.validateParams(oid, Q, d);
       }
-      case enums.publicKey.eddsa: {
-        const { oid, Q } = publicParams;
+      case enums.publicKey.eddsa:
+      case enums.publicKey.ed25519Legacy: {
+        const { Q, oid } = publicParams;
         const { seed } = privateParams;
-        return publicKey.elliptic.eddsa.validateParams(oid, Q, seed);
+        return publicKey.elliptic.eddsaLegacy.validateParams(oid, Q, seed);
+      }
+      case enums.publicKey.ed25519: {
+        const { A } = publicParams;
+        const { seed } = privateParams;
+        return publicKey.elliptic.eddsa.validateParams(algo, A, seed);
+      }
+      case enums.publicKey.x25519: {
+        const { A } = publicParams;
+        const { k } = privateParams;
+        return publicKey.elliptic.ecdhX.validateParams(algo, A, k);
       }
       case enums.publicKey.hmac: {
         const { cipher: algo, digest } = publicParams;
@@ -15869,7 +16300,7 @@ var openpgp = (function (exports) {
     parseEncSessionKeyParams: parseEncSessionKeyParams,
     serializeParams: serializeParams,
     generateParams: generateParams,
-    validateParams: validateParams$6,
+    validateParams: validateParams$8,
     getPrefixRandom: getPrefixRandom,
     generateSessionKey: generateSessionKey,
     getAEADMode: getAEADMode,
@@ -16116,15 +16547,15 @@ var openpgp = (function (exports) {
               this.type = 'gnu-dummy';
               // GnuPG extension mode 1001 -- don't write secret key at all
             } else {
-              throw new Error('Unknown s2k gnu protection mode.');
+              throw new UnsupportedError('Unknown s2k gnu protection mode.');
             }
           } else {
-            throw new Error('Unknown s2k type.');
+            throw new UnsupportedError('Unknown s2k type.');
           }
           break;
 
         default:
-          throw new Error('Unknown s2k type.');
+          throw new UnsupportedError('Unknown s2k type.'); // unreachable
       }
 
       return i;
@@ -16228,7 +16659,7 @@ var openpgp = (function (exports) {
       case enums.s2k.simple:
         return new GenericS2K(type, config$1);
       default:
-        throw new Error(`Unsupported S2K type ${type}`);
+        throw new UnsupportedError(`Unsupported S2K type ${type}`);
     }
   }
 
@@ -24982,13 +25413,17 @@ var openpgp = (function (exports) {
      * @param {Uint8Array} bytes - Payload of a tag 1 packet
      */
     read(bytes) {
-      this.version = bytes[0];
+      let i = 0;
+      this.version = bytes[i++];
       if (this.version !== VERSION$3) {
         throw new UnsupportedError(`Version ${this.version} of the PKESK packet is unsupported.`);
       }
-      this.publicKeyID.read(bytes.subarray(1, bytes.length));
-      this.publicKeyAlgorithm = bytes[9];
-      this.encrypted = mod.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(10));
+      i += this.publicKeyID.read(bytes.subarray(i));
+      this.publicKeyAlgorithm = bytes[i++];
+      this.encrypted = mod.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(i), this.version);
+      if (this.publicKeyAlgorithm === enums.publicKey.x25519) {
+        this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);
+      }
     }
 
     /**
@@ -25014,15 +25449,11 @@ var openpgp = (function (exports) {
      * @async
      */
     async encrypt(key) {
-      const data = util.concatUint8Array([
-        new Uint8Array([enums.write(enums.symmetric, this.sessionKeyAlgorithm)]),
-        this.sessionKey,
-        util.writeChecksum(this.sessionKey)
-      ]);
       const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);
+      const encoded = encodeSessionKey(this.version, algo, this.sessionKeyAlgorithm, this.sessionKey);
       const privateParams = algo === enums.publicKey.aead ? key.privateParams : null;
       this.encrypted = await mod.publicKeyEncrypt(
-        algo, key.publicParams, privateParams, data, key.getFingerprintBytes());
+        algo, this.sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
     }
 
     /**
@@ -25039,34 +25470,86 @@ var openpgp = (function (exports) {
         throw new Error('Decryption error');
       }
 
-      const randomPayload = randomSessionKey ? util.concatUint8Array([
-        new Uint8Array([randomSessionKey.sessionKeyAlgorithm]),
-        randomSessionKey.sessionKey,
-        util.writeChecksum(randomSessionKey.sessionKey)
-      ]) : null;
-      const decoded = await mod.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
-      const symmetricAlgoByte = decoded[0];
-      const sessionKey = decoded.subarray(1, decoded.length - 2);
-      const checksum = decoded.subarray(decoded.length - 2);
-      const computedChecksum = util.writeChecksum(sessionKey);
-      const isValidChecksum = computedChecksum[0] === checksum[0] & computedChecksum[1] === checksum[1];
-
-      if (randomSessionKey) {
-        // We must not leak info about the validity of the decrypted checksum or cipher algo.
-        // The decrypted session key must be of the same algo and size as the random session key, otherwise we discard it and use the random data.
-        const isValidPayload = isValidChecksum & symmetricAlgoByte === randomSessionKey.sessionKeyAlgorithm & sessionKey.length === randomSessionKey.sessionKey.length;
-        this.sessionKeyAlgorithm = util.selectUint8(isValidPayload, symmetricAlgoByte, randomSessionKey.sessionKeyAlgorithm);
-        this.sessionKey = util.selectUint8Array(isValidPayload, sessionKey, randomSessionKey.sessionKey);
+      const randomPayload = randomSessionKey ?
+        encodeSessionKey(this.version, this.publicKeyAlgorithm, randomSessionKey.sessionKeyAlgorithm, randomSessionKey.sessionKey) :
+        null;
+      const decryptedData = await mod.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
 
-      } else {
-        const isValidPayload = isValidChecksum && enums.read(enums.symmetric, symmetricAlgoByte);
-        if (isValidPayload) {
-          this.sessionKey = sessionKey;
-          this.sessionKeyAlgorithm = symmetricAlgoByte;
+      const { sessionKey, sessionKeyAlgorithm } = decodeSessionKey(this.version, this.publicKeyAlgorithm, decryptedData, randomSessionKey);
+
+      // v3 Montgomery curves have cleartext cipher algo
+      if (this.publicKeyAlgorithm !== enums.publicKey.x25519) {
+        this.sessionKeyAlgorithm = sessionKeyAlgorithm;
+      }
+      this.sessionKey = sessionKey;
+    }
+  }
+
+
+  function encodeSessionKey(version, keyAlgo, cipherAlgo, sessionKeyData) {
+    switch (keyAlgo) {
+      case enums.publicKey.rsaEncrypt:
+      case enums.publicKey.rsaEncryptSign:
+      case enums.publicKey.elgamal:
+      case enums.publicKey.ecdh:
+      case enums.publicKey.aead: {
+        // add checksum
+        return util.concatUint8Array([
+          new Uint8Array([cipherAlgo]),
+          sessionKeyData,
+          util.writeChecksum(sessionKeyData.subarray(sessionKeyData.length % 8))
+        ]);
+      }
+      case enums.publicKey.x25519:
+        return sessionKeyData;
+      default:
+        throw new Error('Unsupported public key algorithm');
+    }
+  }
+
+
+  function decodeSessionKey(version, keyAlgo, decryptedData, randomSessionKey) {
+    switch (keyAlgo) {
+      case enums.publicKey.rsaEncrypt:
+      case enums.publicKey.rsaEncryptSign:
+      case enums.publicKey.elgamal:
+      case enums.publicKey.ecdh:
+      case enums.publicKey.aead: {
+        // verify checksum in constant time
+        const result = decryptedData.subarray(0, decryptedData.length - 2);
+        const checksum = decryptedData.subarray(decryptedData.length - 2);
+        const computedChecksum = util.writeChecksum(result.subarray(result.length % 8));
+        const isValidChecksum = computedChecksum[0] === checksum[0] & computedChecksum[1] === checksum[1];
+        const decryptedSessionKey = { sessionKeyAlgorithm: result[0], sessionKey: result.subarray(1) };
+        if (randomSessionKey) {
+          // We must not leak info about the validity of the decrypted checksum or cipher algo.
+          // The decrypted session key must be of the same algo and size as the random session key, otherwise we discard it and use the random data.
+          const isValidPayload = isValidChecksum &
+            decryptedSessionKey.sessionKeyAlgorithm === randomSessionKey.sessionKeyAlgorithm &
+            decryptedSessionKey.sessionKey.length === randomSessionKey.sessionKey.length;
+          return {
+            sessionKey: util.selectUint8Array(isValidPayload, decryptedSessionKey.sessionKey, randomSessionKey.sessionKey),
+            sessionKeyAlgorithm: util.selectUint8(
+              isValidPayload,
+              decryptedSessionKey.sessionKeyAlgorithm,
+              randomSessionKey.sessionKeyAlgorithm
+            )
+          };
         } else {
-          throw new Error('Decryption error');
+          const isValidPayload = isValidChecksum && enums.read(enums.symmetric, decryptedSessionKey.sessionKeyAlgorithm);
+          if (isValidPayload) {
+            return decryptedSessionKey;
+          } else {
+            throw new Error('Decryption error');
+          }
         }
       }
+      case enums.publicKey.x25519:
+        return {
+          sessionKey: decryptedData
+        };
+      default:
+        throw new Error('Unsupported public key algorithm');
     }
   }
 
@@ -25497,7 +25980,7 @@ var openpgp = (function (exports) {
         result.bits = util.uint8ArrayBitLength(modulo);
       } else if (this.publicParams.oid) {
         result.curve = this.publicParams.oid.getName();
-      } else {
+      } else if (this.publicParams.cipher) {
         result.symmetric = this.publicParams.cipher.getName();
       }
       return result;
@@ -25829,6 +26312,7 @@ var openpgp = (function (exports) {
     async read(bytes) {
       // - A Public-Key or Public-Subkey packet, as described above.
       let i = await this.readPublicKey(bytes);
+      const startOfSecretKeyData = i;
 
       // - One octet indicating string-to-key usage conventions.  Zero
       //   indicates that the secret-key data is not encrypted.  255 or 254
@@ -25842,41 +26326,48 @@ var openpgp = (function (exports) {
         i++;
       }
 
-      // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
-      //   one-octet symmetric encryption algorithm.
-      if (this.s2kUsage === 255 || this.s2kUsage === 254 || this.s2kUsage === 253) {
-        this.symmetric = bytes[i++];
+      try {
+        // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
+        //   one-octet symmetric encryption algorithm.
+        if (this.s2kUsage === 255 || this.s2kUsage === 254 || this.s2kUsage === 253) {
+          this.symmetric = bytes[i++];
 
-        // - [Optional] If string-to-key usage octet was 253, a one-octet
-        //   AEAD algorithm.
-        if (this.s2kUsage === 253) {
-          this.aead = bytes[i++];
-        }
+          // - [Optional] If string-to-key usage octet was 253, a one-octet
+          //   AEAD algorithm.
+          if (this.s2kUsage === 253) {
+            this.aead = bytes[i++];
+          }
 
-        // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
-        //   string-to-key specifier.  The length of the string-to-key
-        //   specifier is implied by its type, as described above.
-        const s2kType = bytes[i++];
-        this.s2k = newS2KFromType(s2kType);
-        i += this.s2k.read(bytes.subarray(i, bytes.length));
+          // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
+          //   string-to-key specifier.  The length of the string-to-key
+          //   specifier is implied by its type, as described above.
+          const s2kType = bytes[i++];
+          this.s2k = newS2KFromType(s2kType);
+          i += this.s2k.read(bytes.subarray(i, bytes.length));
 
-        if (this.s2k.type === 'gnu-dummy') {
-          return;
+          if (this.s2k.type === 'gnu-dummy') {
+            return;
+          }
+        } else if (this.s2kUsage) {
+          this.symmetric = this.s2kUsage;
         }
-      } else if (this.s2kUsage) {
-        this.symmetric = this.s2kUsage;
-      }
 
-      // - [Optional] If secret data is encrypted (string-to-key usage octet
-      //   not zero), an Initial Vector (IV) of the same length as the
-      //   cipher's block size.
-      if (this.s2kUsage) {
-        this.iv = bytes.subarray(
-          i,
-          i + mod.getCipher(this.symmetric).blockSize
-        );
+        // - [Optional] If secret data is encrypted (string-to-key usage octet
+        //   not zero), an Initial Vector (IV) of the same length as the
+        //   cipher's block size.
+        if (this.s2kUsage) {
+          this.iv = bytes.subarray(
+            i,
+            i + mod.getCipher(this.symmetric).blockSize
+          );
 
-        i += this.iv.length;
+          i += this.iv.length;
+        }
+      } catch (e) {
+        // if the s2k is unsupported, we still want to support encrypting and verifying with the given key
+        if (!this.s2kUsage) throw e; // always throw for decrypted keys
+        this.unparseableKeyMaterial = bytes.subarray(startOfSecretKeyData);
+        this.isEncrypted = true;
       }
 
       // - Only for a version 5 packet, a four-octet scalar octet count for
@@ -25912,8 +26403,15 @@ var openpgp = (function (exports) {
      * @returns {Uint8Array} A string of bytes containing the secret key OpenPGP packet.
      */
     write() {
-      const arr = [this.writePublicKey()];
+      const serializedPublicKey = this.writePublicKey();
+      if (this.unparseableKeyMaterial) {
+        return util.concatUint8Array([
+          serializedPublicKey,
+          this.unparseableKeyMaterial
+        ]);
+      }
 
+      const arr = [serializedPublicKey];
       arr.push(new Uint8Array([this.s2kUsage]));
 
       const optionalFieldsArr = [];
@@ -25973,6 +26471,18 @@ var openpgp = (function (exports) {
       return this.isEncrypted === false;
     }
 
+    /**
+     * Check whether the key includes secret key material.
+     * Some secret keys do not include it, and can thus only be used
+     * for public-key operations (encryption and verification).
+     * Such keys are:
+     * - GNU-dummy keys, where the secret material has been stripped away
+     * - encrypted keys with unsupported S2K or cipher
+     */
+    isMissingSecretKeyMaterial() {
+      return this.unparseableKeyMaterial !== undefined || this.isDummy();
+    }
+
     /**
      * Check whether this is a gnu-dummy key
      * @returns {Boolean}
@@ -25993,6 +26503,7 @@ var openpgp = (function (exports) {
       if (this.isDecrypted()) {
         this.clearPrivateParams();
       }
+      delete this.unparseableKeyMaterial;
       this.isEncrypted = null;
       this.keyMaterial = null;
       this.s2k = newS2KFromType(enums.s2k.gnu, config$1);
@@ -26064,6 +26575,10 @@ var openpgp = (function (exports) {
         return false;
       }
 
+      if (this.unparseableKeyMaterial) {
+        throw new Error('Key packet cannot be decrypted: unsupported S2K or cipher algo');
+      }
+
       if (this.isDecrypted()) {
         throw new Error('Key packet is already decrypted.');
       }
@@ -26148,7 +26663,7 @@ var openpgp = (function (exports) {
      * Clear private key parameters
      */
     clearPrivateParams() {
-      if (this.isDummy()) {
+      if (this.isMissingSecretKeyMaterial()) {
         return;
       }
 
@@ -27557,7 +28072,9 @@ var openpgp = (function (exports) {
         signatureType: enums.signature.keyBinding
       }, options.date, undefined, undefined, undefined, config);
     } else {
-      subkeySignaturePacket.keyFlags = [enums.keyFlags.encryptCommunication | enums.keyFlags.encryptStorage];
+      subkeySignaturePacket.keyFlags = options.forwarding ?
+        [enums.keyFlags.forwardedCommunication] :
+        [enums.keyFlags.encryptCommunication | enums.keyFlags.encryptStorage];
     }
     if (options.keyExpirationTime > 0) {
       subkeySignaturePacket.keyExpirationTime = options.keyExpirationTime;
@@ -27795,6 +28312,10 @@ var openpgp = (function (exports) {
     options.date = options.date || subkeyDefaults.date;
 
     options.sign = options.sign || false;
+    options.forwarding = options.forwarding || false;
+    if (options.sign && options.forwarding) {
+      throw new Error('Incompatible options: "sign" and "forwarding" cannot be set together');
+    }
 
     switch (options.type) {
       case 'ecc':
@@ -27835,6 +28356,7 @@ var openpgp = (function (exports) {
     return keyAlgo !== enums.publicKey.rsaEncrypt &&
       keyAlgo !== enums.publicKey.elgamal &&
       keyAlgo !== enums.publicKey.ecdh &&
+      keyAlgo !== enums.publicKey.x25519 &&
       (!signature.keyFlags ||
         (signature.keyFlags[0] & enums.keyFlags.signData) !== 0);
   }
@@ -27845,13 +28367,19 @@ var openpgp = (function (exports) {
       keyAlgo !== enums.publicKey.rsaSign &&
       keyAlgo !== enums.publicKey.ecdsa &&
       keyAlgo !== enums.publicKey.eddsa &&
+      keyAlgo !== enums.publicKey.ed25519 &&
       (!signature.keyFlags ||
         (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||
         (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0);
   }
 
   function isValidDecryptionKeyPacket(signature, config) {
-    if (config.allowInsecureDecryptionWithSigningKeys) {
+    const isSigningKey = !signature.keyFlags ||
+      (signature.keyFlags[0] & enums.keyFlags.sign) !== 0 ||
+      (signature.keyFlags[0] & enums.keyFlags.certifyKeys) !== 0 ||
+      (signature.keyFlags[0] & enums.keyFlags.authentication) !== 0;
+
+    if (isSigningKey && config.allowInsecureDecryptionWithSigningKeys) {
       // This is only relevant for RSA keys, all other signing algorithms cannot decrypt
       return true;
     }
@@ -29394,7 +29922,7 @@ var openpgp = (function (exports) {
    * @static
    * @private
    */
-  async function generate$2(options, config) {
+  async function generate$4(options, config) {
     options.sign = true; // primary key is always a signing key
     options = sanitizeKeyOptions(options);
     options.subkeys = options.subkeys.map((subkey, index) => sanitizeKeyOptions(options.subkeys[index], options));
@@ -29450,7 +29978,8 @@ var openpgp = (function (exports) {
           getLatestValidSignature(subkey.bindingSignatures, secretKeyPacket, enums.signature.subkeyBinding, dataToVerify, null, config)
         ).catch(() => ({}));
         return {
-          sign: bindingSignature.keyFlags && (bindingSignature.keyFlags[0] & enums.keyFlags.signData)
+          sign: bindingSignature.keyFlags && (bindingSignature.keyFlags[0] & enums.keyFlags.signData),
+          forwarding: bindingSignature.keyFlags && (bindingSignature.keyFlags[0] & enums.keyFlags.forwardedCommunication)
         };
       }));
     }
@@ -30072,6 +30601,15 @@ var openpgp = (function (exports) {
         enums.read(enums.aead, await getPreferredAlgo('aead', encryptionKeys, date, userIDs, config$1)) :
         undefined;
 
+      await Promise.all(encryptionKeys.map(key => key.getEncryptionKey()
+        .catch(() => null) // ignore key strength requirements
+        .then(maybeKey => {
+          if (maybeKey && (maybeKey.keyPacket.algorithm === enums.publicKey.x25519) && !util.isAES(algo)) {
+            throw new Error('Could not generate a session key compatible with the given `encryptionKeys`: X22519 keys can only be used to encrypt AES session keys; change `config.preferredSymmetricAlgorithm` accordingly.');
+          }
+        })
+      ));
+
       const sessionKeyData = mod.generateSessionKey(algo);
       return { data: sessionKeyData, algorithm: algorithmName, aeadAlgorithm: aeadAlgorithmName };
     }
@@ -30379,7 +30917,7 @@ var openpgp = (function (exports) {
       if (literalDataList.length !== 1) {
         throw new Error('Can only verify message with one literal data packet.');
       }
-      const signatureList = signature.packets;
+      const signatureList = signature.packets.filterByTag(enums.packet.signature); // drop UnparsablePackets
       return createVerificationObjects(signatureList, literalDataList, verificationKeys, date, true, config$1);
     }
 
@@ -30726,7 +31264,7 @@ var openpgp = (function (exports) {
      * @async
      */
     verify(keys, date = new Date(), config$1 = config) {
-      const signatureList = this.signature.packets;
+      const signatureList = this.signature.packets.filterByTag(enums.packet.signature); // drop UnparsablePackets
       const literalDataPacket = new LiteralDataPacket();
       // we assume that cleartext signature is generated based on UTF8 cleartext
       literalDataPacket.setText(this.text);
@@ -30811,7 +31349,7 @@ var openpgp = (function (exports) {
     let oneHeader = null;
     let hashAlgos = [];
     headers.forEach(function(header) {
-      oneHeader = header.match(/Hash: (.+)/); // get header value
+      oneHeader = header.match(/^Hash: (.+)$/); // get header value
       if (oneHeader) {
         oneHeader = oneHeader[1].replace(/\s/g, ''); // remove whitespace
         oneHeader = oneHeader.split(',');
@@ -30903,7 +31441,7 @@ var openpgp = (function (exports) {
     const options = { userIDs, passphrase, type, rsaBits, curve, keyExpirationTime, date, subkeys, symmetricHash, symmetricCipher };
 
     try {
-      const { key, revocationCertificate } = await generate$2(options, config$1);
+      const { key, revocationCertificate } = await generate$4(options, config$1);
       key.getKeys().forEach(({ keyPacket }) => checkKeyRequirements(keyPacket, config$1));
 
       return {
@@ -31097,7 +31635,7 @@ var openpgp = (function (exports) {
    * @async
    * @static
    */
-  async function encrypt$4({ message, encryptionKeys, signingKeys, passwords, sessionKey, format = 'armored', signature = null, wildcard = false, signingKeyIDs = [], encryptionKeyIDs = [], date = new Date(), signingUserIDs = [], encryptionUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
+  async function encrypt$5({ message, encryptionKeys, signingKeys, passwords, sessionKey, format = 'armored', signature = null, wildcard = false, signingKeyIDs = [], encryptionKeyIDs = [], date = new Date(), signingUserIDs = [], encryptionUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
     config$1 = { ...config, ...config$1 }; checkConfig(config$1);
     checkMessage(message); checkOutputMessageFormat(format);
     encryptionKeys = toArray$1(encryptionKeys); signingKeys = toArray$1(signingKeys); passwords = toArray$1(passwords);
@@ -31166,7 +31704,7 @@ var openpgp = (function (exports) {
    * @async
    * @static
    */
-  async function decrypt$4({ message, decryptionKeys, passwords, sessionKeys, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
+  async function decrypt$5({ message, decryptionKeys, passwords, sessionKeys, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
     config$1 = { ...config, ...config$1 }; checkConfig(config$1);
     checkMessage(message); verificationKeys = toArray$1(verificationKeys); decryptionKeys = toArray$1(decryptionKeys); passwords = toArray$1(passwords); sessionKeys = toArray$1(sessionKeys);
     if (rest.privateKeys) throw new Error('The `privateKeys` option has been removed from openpgp.decrypt, pass `decryptionKeys` instead');
@@ -31229,7 +31767,7 @@ var openpgp = (function (exports) {
    * @async
    * @static
    */
-  async function sign$5({ message, signingKeys, format = 'armored', detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
+  async function sign$6({ message, signingKeys, format = 'armored', detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
     config$1 = { ...config, ...config$1 }; checkConfig(config$1);
     checkCleartextOrMessage(message); checkOutputMessageFormat(format);
     signingKeys = toArray$1(signingKeys); signingKeyIDs = toArray$1(signingKeyIDs); signingUserIDs = toArray$1(signingUserIDs); signatureNotations = toArray$1(signatureNotations);
@@ -31298,7 +31836,7 @@ var openpgp = (function (exports) {
    * @async
    * @static
    */
-  async function verify$5({ message, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
+  async function verify$6({ message, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
     config$1 = { ...config, ...config$1 }; checkConfig(config$1);
     checkCleartextOrMessage(message); verificationKeys = toArray$1(verificationKeys);
     if (rest.publicKeys) throw new Error('The `publicKeys` option has been removed from openpgp.verify, pass `verificationKeys` instead');
@@ -44467,7 +45005,7 @@ var openpgp = (function (exports) {
     return [];
   }
 
-  function validateParams$7({ type, version, tagLength, password, salt, ad, secret, parallelism, memorySize, passes }) {
+  function validateParams$9({ type, version, tagLength, password, salt, ad, secret, parallelism, memorySize, passes }) {
     const assertLength = (name, value, min, max) => {
       if (value < min || value > max) { throw new Error(`${name} size should be between ${min} and ${max} bytes`); }
     };
@@ -44490,7 +45028,7 @@ var openpgp = (function (exports) {
   function argon2id(params, { memory, instance: wasmInstance }) {
     if (!isLittleEndian$1) throw new Error('BigEndian system not supported'); // optmisations assume LE system
 
-    const ctx = validateParams$7({ type: TYPE$2, version: VERSION$4, ...params });
+    const ctx = validateParams$9({ type: TYPE$2, version: VERSION$4, ...params });
 
     const { G:wasmG, G2:wasmG2, xor:wasmXOR, getLZ:wasmLZ } = wasmInstance.exports;
     const wasmRefs = {};
@@ -44794,10 +45332,10 @@ var openpgp = (function (exports) {
   exports.config = config;
   exports.createCleartextMessage = createCleartextMessage;
   exports.createMessage = createMessage;
-  exports.decrypt = decrypt$4;
+  exports.decrypt = decrypt$5;
   exports.decryptKey = decryptKey;
   exports.decryptSessionKeys = decryptSessionKeys;
-  exports.encrypt = encrypt$4;
+  exports.encrypt = encrypt$5;
   exports.encryptKey = encryptKey;
   exports.encryptSessionKey = encryptSessionKey;
   exports.enums = enums;
@@ -44812,9 +45350,9 @@ var openpgp = (function (exports) {
   exports.readSignature = readSignature;
   exports.reformatKey = reformatKey;
   exports.revokeKey = revokeKey;
-  exports.sign = sign$5;
+  exports.sign = sign$6;
   exports.unarmor = unarmor;
-  exports.verify = verify$5;
+  exports.verify = verify$6;
 
   Object.defineProperty(exports, '__esModule', { value: true });