@protontech/openpgp 5.9.1-1 → 5.11.0

package/dist/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v5.9.1-1 - 2023-09-06 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v5.11.0 - 2023-11-27 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 const doneWritingPromise = Symbol('doneWritingPromise');
@@ -241,18 +241,17 @@ if (NodeReadableStream$1) {
             this.push(null);
             break;
           }
-          if (!this.push(value) || this._cancelling) {
-            this._reading = false;
+          if (!this.push(value)) {
             break;
           }
         }
-      } catch(e) {
-        this.emit('error', e);
+      } catch (e) {
+        this.destroy(e);
       }
     }
 
-    _destroy(reason) {
-      this._reader.cancel(reason);
+    async _destroy(error, callback) {
+      this._reader.cancel(error).then(callback, callback);
     }
   }
 
@@ -287,7 +286,7 @@ function Reader(input) {
     const reader = input.getReader();
     this._read = reader.read.bind(reader);
     this._releaseLock = () => {};
-    this._cancel = () => {};
+    this._cancel = async () => {};
     return;
   }
   let streamType = isStream(input);
@@ -1507,6 +1506,533 @@ async function getBigInteger() {
   }
 }
 
+/**
+ * @module enums
+ */
+
+const byValue = Symbol('byValue');
+
+var enums = {
+
+  /** Maps curve names under various standards to one
+   * @see {@link https://wiki.gnupg.org/ECC|ECC - GnuPG wiki}
+   * @enum {String}
+   * @readonly
+   */
+  curve: {
+    /** NIST P-256 Curve */
+    'p256':                'p256',
+    'P-256':               'p256',
+    'secp256r1':           'p256',
+    'prime256v1':          'p256',
+    '1.2.840.10045.3.1.7': 'p256',
+    '2a8648ce3d030107':    'p256',
+    '2A8648CE3D030107':    'p256',
+
+    /** NIST P-384 Curve */
+    'p384':         'p384',
+    'P-384':        'p384',
+    'secp384r1':    'p384',
+    '1.3.132.0.34': 'p384',
+    '2b81040022':   'p384',
+    '2B81040022':   'p384',
+
+    /** NIST P-521 Curve */
+    'p521':         'p521',
+    'P-521':        'p521',
+    'secp521r1':    'p521',
+    '1.3.132.0.35': 'p521',
+    '2b81040023':   'p521',
+    '2B81040023':   'p521',
+
+    /** SECG SECP256k1 Curve */
+    'secp256k1':    'secp256k1',
+    '1.3.132.0.10': 'secp256k1',
+    '2b8104000a':   'secp256k1',
+    '2B8104000A':   'secp256k1',
+
+    /** Ed25519 - deprecated by crypto-refresh (replaced by standaone Ed25519 algo) */
+    'ed25519Legacy':          'ed25519',
+    'ED25519':                'ed25519',
+    /** @deprecated use `ed25519Legacy` instead */
+    'ed25519':                'ed25519',
+    'Ed25519':                'ed25519',
+    '1.3.6.1.4.1.11591.15.1': 'ed25519',
+    '2b06010401da470f01':     'ed25519',
+    '2B06010401DA470F01':     'ed25519',
+
+    /** Curve25519 - deprecated by crypto-refresh (replaced by standaone X25519 algo) */
+    'curve25519Legacy':       'curve25519',
+    'X25519':                 'curve25519',
+    'cv25519':                'curve25519',
+    /** @deprecated use `curve25519Legacy` instead */
+    'curve25519':             'curve25519',
+    'Curve25519':             'curve25519',
+    '1.3.6.1.4.1.3029.1.5.1': 'curve25519',
+    '2b060104019755010501':   'curve25519',
+    '2B060104019755010501':   'curve25519',
+
+    /** BrainpoolP256r1 Curve */
+    'brainpoolP256r1':       'brainpoolP256r1',
+    '1.3.36.3.3.2.8.1.1.7':  'brainpoolP256r1',
+    '2b2403030208010107':    'brainpoolP256r1',
+    '2B2403030208010107':    'brainpoolP256r1',
+
+    /** BrainpoolP384r1 Curve */
+    'brainpoolP384r1':       'brainpoolP384r1',
+    '1.3.36.3.3.2.8.1.1.11': 'brainpoolP384r1',
+    '2b240303020801010b':    'brainpoolP384r1',
+    '2B240303020801010B':    'brainpoolP384r1',
+
+    /** BrainpoolP512r1 Curve */
+    'brainpoolP512r1':       'brainpoolP512r1',
+    '1.3.36.3.3.2.8.1.1.13': 'brainpoolP512r1',
+    '2b240303020801010d':    'brainpoolP512r1',
+    '2B240303020801010D':    'brainpoolP512r1'
+  },
+
+  /** KDF parameters flags
+   * Non-standard extensions (for now) to allow email forwarding
+   * @enum {Integer}
+   * @readonly
+   */
+  kdfFlags: {
+    /** Specify fingerprint to use instead of the recipient's */
+    replace_fingerprint: 0x01,
+    /** Specify custom parameters to use in the KDF digest computation */
+    replace_kdf_params: 0x02
+  },
+
+  /** A string to key specifier type
+   * @enum {Integer}
+   * @readonly
+   */
+  s2k: {
+    simple: 0,
+    salted: 1,
+    iterated: 3,
+    argon2: 4,
+    gnu: 101
+  },
+
+  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-crypto-refresh-08.html#section-9.1|crypto-refresh RFC, section 9.1}
+   * @enum {Integer}
+   * @readonly
+   */
+  publicKey: {
+    /** RSA (Encrypt or Sign) [HAC] */
+    rsaEncryptSign: 1,
+    /** RSA (Encrypt only) [HAC] */
+    rsaEncrypt: 2,
+    /** RSA (Sign only) [HAC] */
+    rsaSign: 3,
+    /** Elgamal (Encrypt only) [ELGAMAL] [HAC] */
+    elgamal: 16,
+    /** DSA (Sign only) [FIPS186] [HAC] */
+    dsa: 17,
+    /** ECDH (Encrypt only) [RFC6637] */
+    ecdh: 18,
+    /** ECDSA (Sign only) [RFC6637] */
+    ecdsa: 19,
+    /** EdDSA (Sign only) - deprecated by crypto-refresh (replaced by `ed25519` identifier below)
+     * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */
+    eddsaLegacy: 22, // NB: this is declared before `eddsa` to translate 22 to 'eddsa' for backwards compatibility
+    /** @deprecated use `eddsaLegacy` instead */
+    ed25519Legacy: 22,
+    /** @deprecated use `eddsaLegacy` instead */
+    eddsa: 22,
+    /** Reserved for AEDH */
+    aedh: 23,
+    /** Reserved for AEDSA */
+    aedsa: 24,
+    /** X25519 (Encrypt only) */
+    x25519: 25,
+    /** X448 (Encrypt only) */
+    x448: 26,
+    /** Ed25519 (Sign only) */
+    ed25519: 27,
+    /** Ed448 (Sign only) */
+    ed448: 28,
+    /** Symmetric authenticated encryption algorithms */
+    aead: 100,
+    /** Authentication using CMAC */
+    hmac: 101
+  },
+
+  /** {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC4880, section 9.2}
+   * @enum {Integer}
+   * @readonly
+   */
+  symmetric: {
+    plaintext: 0,
+    /** Not implemented! */
+    idea: 1,
+    tripledes: 2,
+    cast5: 3,
+    blowfish: 4,
+    aes128: 7,
+    aes192: 8,
+    aes256: 9,
+    twofish: 10
+  },
+
+  /** {@link https://tools.ietf.org/html/rfc4880#section-9.3|RFC4880, section 9.3}
+   * @enum {Integer}
+   * @readonly
+   */
+  compression: {
+    uncompressed: 0,
+    /** RFC1951 */
+    zip: 1,
+    /** RFC1950 */
+    zlib: 2,
+    bzip2: 3
+  },
+
+  /** {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC4880, section 9.4}
+   * @enum {Integer}
+   * @readonly
+   */
+  hash: {
+    md5: 1,
+    sha1: 2,
+    ripemd: 3,
+    sha256: 8,
+    sha384: 9,
+    sha512: 10,
+    sha224: 11
+  },
+
+  /** A list of hash names as accepted by webCrypto functions.
+   * {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest|Parameters, algo}
+   * @enum {String}
+   */
+  webHash: {
+    'SHA-1': 2,
+    'SHA-256': 8,
+    'SHA-384': 9,
+    'SHA-512': 10
+  },
+
+  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.6|RFC4880bis-04, section 9.6}
+   * @enum {Integer}
+   * @readonly
+   */
+  aead: {
+    eax: 1,
+    ocb: 2,
+    experimentalGCM: 100 // Private algorithm
+  },
+
+  /** A list of packet types and numeric tags associated with them.
+   * @enum {Integer}
+   * @readonly
+   */
+  packet: {
+    publicKeyEncryptedSessionKey: 1,
+    signature: 2,
+    symEncryptedSessionKey: 3,
+    onePassSignature: 4,
+    secretKey: 5,
+    publicKey: 6,
+    secretSubkey: 7,
+    compressedData: 8,
+    symmetricallyEncryptedData: 9,
+    marker: 10,
+    literalData: 11,
+    trust: 12,
+    userID: 13,
+    publicSubkey: 14,
+    userAttribute: 17,
+    symEncryptedIntegrityProtectedData: 18,
+    modificationDetectionCode: 19,
+    aeadEncryptedData: 20 // see IETF draft: https://tools.ietf.org/html/draft-ford-openpgp-format-00#section-2.1
+  },
+
+  /** Data types in the literal packet
+   * @enum {Integer}
+   * @readonly
+   */
+  literal: {
+    /** Binary data 'b' */
+    binary: 'b'.charCodeAt(),
+    /** Text data 't' */
+    text: 't'.charCodeAt(),
+    /** Utf8 data 'u' */
+    utf8: 'u'.charCodeAt(),
+    /** MIME message body part 'm' */
+    mime: 'm'.charCodeAt()
+  },
+
+
+  /** One pass signature packet type
+   * @enum {Integer}
+   * @readonly
+   */
+  signature: {
+    /** 0x00: Signature of a binary document. */
+    binary: 0,
+    /** 0x01: Signature of a canonical text document.
+     *
+     * Canonicalyzing the document by converting line endings. */
+    text: 1,
+    /** 0x02: Standalone signature.
+     *
+     * This signature is a signature of only its own subpacket contents.
+     * It is calculated identically to a signature over a zero-lengh
+     * binary document.  Note that it doesn't make sense to have a V3
+     * standalone signature. */
+    standalone: 2,
+    /** 0x10: Generic certification of a User ID and Public-Key packet.
+     *
+     * The issuer of this certification does not make any particular
+     * assertion as to how well the certifier has checked that the owner
+     * of the key is in fact the person described by the User ID. */
+    certGeneric: 16,
+    /** 0x11: Persona certification of a User ID and Public-Key packet.
+     *
+     * The issuer of this certification has not done any verification of
+     * the claim that the owner of this key is the User ID specified. */
+    certPersona: 17,
+    /** 0x12: Casual certification of a User ID and Public-Key packet.
+     *
+     * The issuer of this certification has done some casual
+     * verification of the claim of identity. */
+    certCasual: 18,
+    /** 0x13: Positive certification of a User ID and Public-Key packet.
+     *
+     * The issuer of this certification has done substantial
+     * verification of the claim of identity.
+     *
+     * Most OpenPGP implementations make their "key signatures" as 0x10
+     * certifications.  Some implementations can issue 0x11-0x13
+     * certifications, but few differentiate between the types. */
+    certPositive: 19,
+    /** 0x30: Certification revocation signature
+     *
+     * This signature revokes an earlier User ID certification signature
+     * (signature class 0x10 through 0x13) or direct-key signature
+     * (0x1F).  It should be issued by the same key that issued the
+     * revoked signature or an authorized revocation key.  The signature
+     * is computed over the same data as the certificate that it
+     * revokes, and should have a later creation date than that
+     * certificate. */
+    certRevocation: 48,
+    /** 0x18: Subkey Binding Signature
+     *
+     * This signature is a statement by the top-level signing key that
+     * indicates that it owns the subkey.  This signature is calculated
+     * directly on the primary key and subkey, and not on any User ID or
+     * other packets.  A signature that binds a signing subkey MUST have
+     * an Embedded Signature subpacket in this binding signature that
+     * contains a 0x19 signature made by the signing subkey on the
+     * primary key and subkey. */
+    subkeyBinding: 24,
+    /** 0x19: Primary Key Binding Signature
+     *
+     * This signature is a statement by a signing subkey, indicating
+     * that it is owned by the primary key and subkey.  This signature
+     * is calculated the same way as a 0x18 signature: directly on the
+     * primary key and subkey, and not on any User ID or other packets.
+     *
+     * When a signature is made over a key, the hash data starts with the
+     * octet 0x99, followed by a two-octet length of the key, and then body
+     * of the key packet.  (Note that this is an old-style packet header for
+     * a key packet with two-octet length.)  A subkey binding signature
+     * (type 0x18) or primary key binding signature (type 0x19) then hashes
+     * the subkey using the same format as the main key (also using 0x99 as
+     * the first octet). */
+    keyBinding: 25,
+    /** 0x1F: Signature directly on a key
+     *
+     * This signature is calculated directly on a key.  It binds the
+     * information in the Signature subpackets to the key, and is
+     * appropriate to be used for subpackets that provide information
+     * about the key, such as the Revocation Key subpacket.  It is also
+     * appropriate for statements that non-self certifiers want to make
+     * about the key itself, rather than the binding between a key and a
+     * name. */
+    key: 31,
+    /** 0x20: Key revocation signature
+     *
+     * The signature is calculated directly on the key being revoked.  A
+     * revoked key is not to be used.  Only revocation signatures by the
+     * key being revoked, or by an authorized revocation key, should be
+     * considered valid revocation signatures.a */
+    keyRevocation: 32,
+    /** 0x28: Subkey revocation signature
+     *
+     * The signature is calculated directly on the subkey being revoked.
+     * A revoked subkey is not to be used.  Only revocation signatures
+     * by the top-level signature key that is bound to this subkey, or
+     * by an authorized revocation key, should be considered valid
+     * revocation signatures.
+     *
+     * Key revocation signatures (types 0x20 and 0x28)
+     * hash only the key being revoked. */
+    subkeyRevocation: 40,
+    /** 0x40: Timestamp signature.
+     * This signature is only meaningful for the timestamp contained in
+     * it. */
+    timestamp: 64,
+    /** 0x50: Third-Party Confirmation signature.
+     *
+     * This signature is a signature over some other OpenPGP Signature
+     * packet(s).  It is analogous to a notary seal on the signed data.
+     * A third-party signature SHOULD include Signature Target
+     * subpacket(s) to give easy identification.  Note that we really do
+     * mean SHOULD.  There are plausible uses for this (such as a blind
+     * party that only sees the signature, not the key or source
+     * document) that cannot include a target subpacket. */
+    thirdParty: 80
+  },
+
+  /** Signature subpacket type
+   * @enum {Integer}
+   * @readonly
+   */
+  signatureSubpacket: {
+    signatureCreationTime: 2,
+    signatureExpirationTime: 3,
+    exportableCertification: 4,
+    trustSignature: 5,
+    regularExpression: 6,
+    revocable: 7,
+    keyExpirationTime: 9,
+    placeholderBackwardsCompatibility: 10,
+    preferredSymmetricAlgorithms: 11,
+    revocationKey: 12,
+    issuer: 16,
+    notationData: 20,
+    preferredHashAlgorithms: 21,
+    preferredCompressionAlgorithms: 22,
+    keyServerPreferences: 23,
+    preferredKeyServer: 24,
+    primaryUserID: 25,
+    policyURI: 26,
+    keyFlags: 27,
+    signersUserID: 28,
+    reasonForRevocation: 29,
+    features: 30,
+    signatureTarget: 31,
+    embeddedSignature: 32,
+    issuerFingerprint: 33,
+    preferredAEADAlgorithms: 34
+  },
+
+  /** Key flags
+   * @enum {Integer}
+   * @readonly
+   */
+  keyFlags: {
+    /** 0x01 - This key may be used to certify other keys. */
+    certifyKeys: 1,
+    /** 0x02 - This key may be used to sign data. */
+    signData: 2,
+    /** 0x04 - This key may be used to encrypt communications. */
+    encryptCommunication: 4,
+    /** 0x08 - This key may be used to encrypt storage. */
+    encryptStorage: 8,
+    /** 0x10 - The private component of this key may have been split
+     *        by a secret-sharing mechanism. */
+    splitPrivateKey: 16,
+    /** 0x20 - This key may be used for authentication. */
+    authentication: 32,
+    /** This key may be used for forwarded communications */
+    forwardedCommunication: 64,
+    /** 0x80 - The private component of this key may be in the
+     *        possession of more than one person. */
+    sharedPrivateKey: 128
+  },
+
+  /** Armor type
+   * @enum {Integer}
+   * @readonly
+   */
+  armor: {
+    multipartSection: 0,
+    multipartLast: 1,
+    signed: 2,
+    message: 3,
+    publicKey: 4,
+    privateKey: 5,
+    signature: 6
+  },
+
+  /** {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.23|RFC4880, section 5.2.3.23}
+   * @enum {Integer}
+   * @readonly
+   */
+  reasonForRevocation: {
+    /** No reason specified (key revocations or cert revocations) */
+    noReason: 0,
+    /** Key is superseded (key revocations) */
+    keySuperseded: 1,
+    /** Key material has been compromised (key revocations) */
+    keyCompromised: 2,
+    /** Key is retired and no longer used (key revocations) */
+    keyRetired: 3,
+    /** User ID information is no longer valid (cert revocations) */
+    userIDInvalid: 32
+  },
+
+  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.2.3.25|RFC4880bis-04, section 5.2.3.25}
+   * @enum {Integer}
+   * @readonly
+   */
+  features: {
+    /** 0x01 - Modification Detection (packets 18 and 19) */
+    modificationDetection: 1,
+    /** 0x02 - AEAD Encrypted Data Packet (packet 20) and version 5
+     *         Symmetric-Key Encrypted Session Key Packets (packet 3) */
+    aead: 2,
+    /** 0x04 - Version 5 Public-Key Packet format and corresponding new
+      *        fingerprint format */
+    v5Keys: 4
+  },
+
+  /**
+   * Asserts validity of given value and converts from string/integer to integer.
+   * @param {Object} type target enum type
+   * @param {String|Integer} e value to check and/or convert
+   * @returns {Integer} enum value if it exists
+   * @throws {Error} if the value is invalid
+   */
+  write: function(type, e) {
+    if (typeof e === 'number') {
+      e = this.read(type, e);
+    }
+
+    if (type[e] !== undefined) {
+      return type[e];
+    }
+
+    throw new Error('Invalid enum value.');
+  },
+
+  /**
+   * Converts enum integer value to the corresponding string, if it exists.
+   * @param {Object} type target enum type
+   * @param {Integer} e value to convert
+   * @returns {String} name of enum value if it exists
+   * @throws {Error} if the value is invalid
+   */
+  read: function(type, e) {
+    if (!type[byValue]) {
+      type[byValue] = [];
+      Object.entries(type).forEach(([key, value]) => {
+        type[byValue][value] = key;
+      });
+    }
+
+    if (type[byValue][e] !== undefined) {
+      return type[byValue][e];
+    }
+
+    throw new Error('Invalid enum value.');
+  }
+};
+
 // GPG4Browsers - An OpenPGP implementation in javascript
 
 const debugMode = (() => {
@@ -2088,6 +2614,12 @@ const util = {
    */
   selectUint8: function(cond, a, b) {
     return (a & (256 - cond)) | (b & (255 + cond));
+  },
+  /**
+   * @param {module:enums.symmetric} cipherAlgo
+   */
+  isAES: function(cipherAlgo) {
+    return cipherAlgo === enums.symmetric.aes128 || cipherAlgo === enums.symmetric.aes192 || cipherAlgo === enums.symmetric.aes256;
   }
 };
 
@@ -2202,517 +2734,6 @@ function uint8ArrayToB64(bytes, url) {
   return encoded;
 }
 
-/**
- * @module enums
- */
-
-const byValue = Symbol('byValue');
-
-var enums = {
-
-  /** Maps curve names under various standards to one
-   * @see {@link https://wiki.gnupg.org/ECC|ECC - GnuPG wiki}
-   * @enum {String}
-   * @readonly
-   */
-  curve: {
-    /** NIST P-256 Curve */
-    'p256':                'p256',
-    'P-256':               'p256',
-    'secp256r1':           'p256',
-    'prime256v1':          'p256',
-    '1.2.840.10045.3.1.7': 'p256',
-    '2a8648ce3d030107':    'p256',
-    '2A8648CE3D030107':    'p256',
-
-    /** NIST P-384 Curve */
-    'p384':         'p384',
-    'P-384':        'p384',
-    'secp384r1':    'p384',
-    '1.3.132.0.34': 'p384',
-    '2b81040022':   'p384',
-    '2B81040022':   'p384',
-
-    /** NIST P-521 Curve */
-    'p521':         'p521',
-    'P-521':        'p521',
-    'secp521r1':    'p521',
-    '1.3.132.0.35': 'p521',
-    '2b81040023':   'p521',
-    '2B81040023':   'p521',
-
-    /** SECG SECP256k1 Curve */
-    'secp256k1':    'secp256k1',
-    '1.3.132.0.10': 'secp256k1',
-    '2b8104000a':   'secp256k1',
-    '2B8104000A':   'secp256k1',
-
-    /** Ed25519 */
-    'ED25519':                'ed25519',
-    'ed25519':                'ed25519',
-    'Ed25519':                'ed25519',
-    '1.3.6.1.4.1.11591.15.1': 'ed25519',
-    '2b06010401da470f01':     'ed25519',
-    '2B06010401DA470F01':     'ed25519',
-
-    /** Curve25519 */
-    'X25519':                 'curve25519',
-    'cv25519':                'curve25519',
-    'curve25519':             'curve25519',
-    'Curve25519':             'curve25519',
-    '1.3.6.1.4.1.3029.1.5.1': 'curve25519',
-    '2b060104019755010501':   'curve25519',
-    '2B060104019755010501':   'curve25519',
-
-    /** BrainpoolP256r1 Curve */
-    'brainpoolP256r1':       'brainpoolP256r1',
-    '1.3.36.3.3.2.8.1.1.7':  'brainpoolP256r1',
-    '2b2403030208010107':    'brainpoolP256r1',
-    '2B2403030208010107':    'brainpoolP256r1',
-
-    /** BrainpoolP384r1 Curve */
-    'brainpoolP384r1':       'brainpoolP384r1',
-    '1.3.36.3.3.2.8.1.1.11': 'brainpoolP384r1',
-    '2b240303020801010b':    'brainpoolP384r1',
-    '2B240303020801010B':    'brainpoolP384r1',
-
-    /** BrainpoolP512r1 Curve */
-    'brainpoolP512r1':       'brainpoolP512r1',
-    '1.3.36.3.3.2.8.1.1.13': 'brainpoolP512r1',
-    '2b240303020801010d':    'brainpoolP512r1',
-    '2B240303020801010D':    'brainpoolP512r1'
-  },
-
-  /** KDF parameters flags
-   * Non-standard extensions (for now) to allow email forwarding
-   * @enum {Integer}
-   * @readonly
-   */
-  kdfFlags: {
-    /** Specify fingerprint to use instead of the recipient's */
-    replace_fingerprint: 0x01,
-    /** Specify custom parameters to use in the KDF digest computation */
-    replace_kdf_params: 0x02
-  },
-
-  /** A string to key specifier type
-   * @enum {Integer}
-   * @readonly
-   */
-  s2k: {
-    simple: 0,
-    salted: 1,
-    iterated: 3,
-    argon2: 4,
-    gnu: 101
-  },
-
-  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.1|RFC4880bis-04, section 9.1}
-   * @enum {Integer}
-   * @readonly
-   */
-  publicKey: {
-    /** RSA (Encrypt or Sign) [HAC] */
-    rsaEncryptSign: 1,
-    /** RSA (Encrypt only) [HAC] */
-    rsaEncrypt: 2,
-    /** RSA (Sign only) [HAC] */
-    rsaSign: 3,
-    /** Elgamal (Encrypt only) [ELGAMAL] [HAC] */
-    elgamal: 16,
-    /** DSA (Sign only) [FIPS186] [HAC] */
-    dsa: 17,
-    /** ECDH (Encrypt only) [RFC6637] */
-    ecdh: 18,
-    /** ECDSA (Sign only) [RFC6637] */
-    ecdsa: 19,
-    /** EdDSA (Sign only)
-     * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */
-    eddsa: 22,
-    /** Reserved for AEDH */
-    aedh: 23,
-    /** Reserved for AEDSA */
-    aedsa: 24,
-    /** Symmetric authenticated encryption algorithms */
-    aead: 100,
-    /** Authentication using CMAC */
-    hmac: 101
-  },
-
-  /** {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC4880, section 9.2}
-   * @enum {Integer}
-   * @readonly
-   */
-  symmetric: {
-    plaintext: 0,
-    /** Not implemented! */
-    idea: 1,
-    tripledes: 2,
-    cast5: 3,
-    blowfish: 4,
-    aes128: 7,
-    aes192: 8,
-    aes256: 9,
-    twofish: 10
-  },
-
-  /** {@link https://tools.ietf.org/html/rfc4880#section-9.3|RFC4880, section 9.3}
-   * @enum {Integer}
-   * @readonly
-   */
-  compression: {
-    uncompressed: 0,
-    /** RFC1951 */
-    zip: 1,
-    /** RFC1950 */
-    zlib: 2,
-    bzip2: 3
-  },
-
-  /** {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC4880, section 9.4}
-   * @enum {Integer}
-   * @readonly
-   */
-  hash: {
-    md5: 1,
-    sha1: 2,
-    ripemd: 3,
-    sha256: 8,
-    sha384: 9,
-    sha512: 10,
-    sha224: 11
-  },
-
-  /** A list of hash names as accepted by webCrypto functions.
-   * {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest|Parameters, algo}
-   * @enum {String}
-   */
-  webHash: {
-    'SHA-1': 2,
-    'SHA-256': 8,
-    'SHA-384': 9,
-    'SHA-512': 10
-  },
-
-  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.6|RFC4880bis-04, section 9.6}
-   * @enum {Integer}
-   * @readonly
-   */
-  aead: {
-    eax: 1,
-    ocb: 2,
-    experimentalGCM: 100 // Private algorithm
-  },
-
-  /** A list of packet types and numeric tags associated with them.
-   * @enum {Integer}
-   * @readonly
-   */
-  packet: {
-    publicKeyEncryptedSessionKey: 1,
-    signature: 2,
-    symEncryptedSessionKey: 3,
-    onePassSignature: 4,
-    secretKey: 5,
-    publicKey: 6,
-    secretSubkey: 7,
-    compressedData: 8,
-    symmetricallyEncryptedData: 9,
-    marker: 10,
-    literalData: 11,
-    trust: 12,
-    userID: 13,
-    publicSubkey: 14,
-    userAttribute: 17,
-    symEncryptedIntegrityProtectedData: 18,
-    modificationDetectionCode: 19,
-    aeadEncryptedData: 20 // see IETF draft: https://tools.ietf.org/html/draft-ford-openpgp-format-00#section-2.1
-  },
-
-  /** Data types in the literal packet
-   * @enum {Integer}
-   * @readonly
-   */
-  literal: {
-    /** Binary data 'b' */
-    binary: 'b'.charCodeAt(),
-    /** Text data 't' */
-    text: 't'.charCodeAt(),
-    /** Utf8 data 'u' */
-    utf8: 'u'.charCodeAt(),
-    /** MIME message body part 'm' */
-    mime: 'm'.charCodeAt()
-  },
-
-
-  /** One pass signature packet type
-   * @enum {Integer}
-   * @readonly
-   */
-  signature: {
-    /** 0x00: Signature of a binary document. */
-    binary: 0,
-    /** 0x01: Signature of a canonical text document.
-     *
-     * Canonicalyzing the document by converting line endings. */
-    text: 1,
-    /** 0x02: Standalone signature.
-     *
-     * This signature is a signature of only its own subpacket contents.
-     * It is calculated identically to a signature over a zero-lengh
-     * binary document.  Note that it doesn't make sense to have a V3
-     * standalone signature. */
-    standalone: 2,
-    /** 0x10: Generic certification of a User ID and Public-Key packet.
-     *
-     * The issuer of this certification does not make any particular
-     * assertion as to how well the certifier has checked that the owner
-     * of the key is in fact the person described by the User ID. */
-    certGeneric: 16,
-    /** 0x11: Persona certification of a User ID and Public-Key packet.
-     *
-     * The issuer of this certification has not done any verification of
-     * the claim that the owner of this key is the User ID specified. */
-    certPersona: 17,
-    /** 0x12: Casual certification of a User ID and Public-Key packet.
-     *
-     * The issuer of this certification has done some casual
-     * verification of the claim of identity. */
-    certCasual: 18,
-    /** 0x13: Positive certification of a User ID and Public-Key packet.
-     *
-     * The issuer of this certification has done substantial
-     * verification of the claim of identity.
-     *
-     * Most OpenPGP implementations make their "key signatures" as 0x10
-     * certifications.  Some implementations can issue 0x11-0x13
-     * certifications, but few differentiate between the types. */
-    certPositive: 19,
-    /** 0x30: Certification revocation signature
-     *
-     * This signature revokes an earlier User ID certification signature
-     * (signature class 0x10 through 0x13) or direct-key signature
-     * (0x1F).  It should be issued by the same key that issued the
-     * revoked signature or an authorized revocation key.  The signature
-     * is computed over the same data as the certificate that it
-     * revokes, and should have a later creation date than that
-     * certificate. */
-    certRevocation: 48,
-    /** 0x18: Subkey Binding Signature
-     *
-     * This signature is a statement by the top-level signing key that
-     * indicates that it owns the subkey.  This signature is calculated
-     * directly on the primary key and subkey, and not on any User ID or
-     * other packets.  A signature that binds a signing subkey MUST have
-     * an Embedded Signature subpacket in this binding signature that
-     * contains a 0x19 signature made by the signing subkey on the
-     * primary key and subkey. */
-    subkeyBinding: 24,
-    /** 0x19: Primary Key Binding Signature
-     *
-     * This signature is a statement by a signing subkey, indicating
-     * that it is owned by the primary key and subkey.  This signature
-     * is calculated the same way as a 0x18 signature: directly on the
-     * primary key and subkey, and not on any User ID or other packets.
-     *
-     * When a signature is made over a key, the hash data starts with the
-     * octet 0x99, followed by a two-octet length of the key, and then body
-     * of the key packet.  (Note that this is an old-style packet header for
-     * a key packet with two-octet length.)  A subkey binding signature
-     * (type 0x18) or primary key binding signature (type 0x19) then hashes
-     * the subkey using the same format as the main key (also using 0x99 as
-     * the first octet). */
-    keyBinding: 25,
-    /** 0x1F: Signature directly on a key
-     *
-     * This signature is calculated directly on a key.  It binds the
-     * information in the Signature subpackets to the key, and is
-     * appropriate to be used for subpackets that provide information
-     * about the key, such as the Revocation Key subpacket.  It is also
-     * appropriate for statements that non-self certifiers want to make
-     * about the key itself, rather than the binding between a key and a
-     * name. */
-    key: 31,
-    /** 0x20: Key revocation signature
-     *
-     * The signature is calculated directly on the key being revoked.  A
-     * revoked key is not to be used.  Only revocation signatures by the
-     * key being revoked, or by an authorized revocation key, should be
-     * considered valid revocation signatures.a */
-    keyRevocation: 32,
-    /** 0x28: Subkey revocation signature
-     *
-     * The signature is calculated directly on the subkey being revoked.
-     * A revoked subkey is not to be used.  Only revocation signatures
-     * by the top-level signature key that is bound to this subkey, or
-     * by an authorized revocation key, should be considered valid
-     * revocation signatures.
-     *
-     * Key revocation signatures (types 0x20 and 0x28)
-     * hash only the key being revoked. */
-    subkeyRevocation: 40,
-    /** 0x40: Timestamp signature.
-     * This signature is only meaningful for the timestamp contained in
-     * it. */
-    timestamp: 64,
-    /** 0x50: Third-Party Confirmation signature.
-     *
-     * This signature is a signature over some other OpenPGP Signature
-     * packet(s).  It is analogous to a notary seal on the signed data.
-     * A third-party signature SHOULD include Signature Target
-     * subpacket(s) to give easy identification.  Note that we really do
-     * mean SHOULD.  There are plausible uses for this (such as a blind
-     * party that only sees the signature, not the key or source
-     * document) that cannot include a target subpacket. */
-    thirdParty: 80
-  },
-
-  /** Signature subpacket type
-   * @enum {Integer}
-   * @readonly
-   */
-  signatureSubpacket: {
-    signatureCreationTime: 2,
-    signatureExpirationTime: 3,
-    exportableCertification: 4,
-    trustSignature: 5,
-    regularExpression: 6,
-    revocable: 7,
-    keyExpirationTime: 9,
-    placeholderBackwardsCompatibility: 10,
-    preferredSymmetricAlgorithms: 11,
-    revocationKey: 12,
-    issuer: 16,
-    notationData: 20,
-    preferredHashAlgorithms: 21,
-    preferredCompressionAlgorithms: 22,
-    keyServerPreferences: 23,
-    preferredKeyServer: 24,
-    primaryUserID: 25,
-    policyURI: 26,
-    keyFlags: 27,
-    signersUserID: 28,
-    reasonForRevocation: 29,
-    features: 30,
-    signatureTarget: 31,
-    embeddedSignature: 32,
-    issuerFingerprint: 33,
-    preferredAEADAlgorithms: 34
-  },
-
-  /** Key flags
-   * @enum {Integer}
-   * @readonly
-   */
-  keyFlags: {
-    /** 0x01 - This key may be used to certify other keys. */
-    certifyKeys: 1,
-    /** 0x02 - This key may be used to sign data. */
-    signData: 2,
-    /** 0x04 - This key may be used to encrypt communications. */
-    encryptCommunication: 4,
-    /** 0x08 - This key may be used to encrypt storage. */
-    encryptStorage: 8,
-    /** 0x10 - The private component of this key may have been split
-     *        by a secret-sharing mechanism. */
-    splitPrivateKey: 16,
-    /** 0x20 - This key may be used for authentication. */
-    authentication: 32,
-    /** This key may be used for forwarded communications */
-    forwardedCommunication: 64,
-    /** 0x80 - The private component of this key may be in the
-     *        possession of more than one person. */
-    sharedPrivateKey: 128
-  },
-
-  /** Armor type
-   * @enum {Integer}
-   * @readonly
-   */
-  armor: {
-    multipartSection: 0,
-    multipartLast: 1,
-    signed: 2,
-    message: 3,
-    publicKey: 4,
-    privateKey: 5,
-    signature: 6
-  },
-
-  /** {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.23|RFC4880, section 5.2.3.23}
-   * @enum {Integer}
-   * @readonly
-   */
-  reasonForRevocation: {
-    /** No reason specified (key revocations or cert revocations) */
-    noReason: 0,
-    /** Key is superseded (key revocations) */
-    keySuperseded: 1,
-    /** Key material has been compromised (key revocations) */
-    keyCompromised: 2,
-    /** Key is retired and no longer used (key revocations) */
-    keyRetired: 3,
-    /** User ID information is no longer valid (cert revocations) */
-    userIDInvalid: 32
-  },
-
-  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.2.3.25|RFC4880bis-04, section 5.2.3.25}
-   * @enum {Integer}
-   * @readonly
-   */
-  features: {
-    /** 0x01 - Modification Detection (packets 18 and 19) */
-    modificationDetection: 1,
-    /** 0x02 - AEAD Encrypted Data Packet (packet 20) and version 5
-     *         Symmetric-Key Encrypted Session Key Packets (packet 3) */
-    aead: 2,
-    /** 0x04 - Version 5 Public-Key Packet format and corresponding new
-      *        fingerprint format */
-    v5Keys: 4
-  },
-
-  /**
-   * Asserts validity of given value and converts from string/integer to integer.
-   * @param {Object} type target enum type
-   * @param {String|Integer} e value to check and/or convert
-   * @returns {Integer} enum value if it exists
-   * @throws {Error} if the value is invalid
-   */
-  write: function(type, e) {
-    if (typeof e === 'number') {
-      e = this.read(type, e);
-    }
-
-    if (type[e] !== undefined) {
-      return type[e];
-    }
-
-    throw new Error('Invalid enum value.');
-  },
-
-  /**
-   * Converts enum integer value to the corresponding string, if it exists.
-   * @param {Object} type target enum type
-   * @param {Integer} e value to convert
-   * @returns {String} name of enum value if it exists
-   * @throws {Error} if the value is invalid
-   */
-  read: function(type, e) {
-    if (!type[byValue]) {
-      type[byValue] = [];
-      Object.entries(type).forEach(([key, value]) => {
-        type[byValue][value] = key;
-      });
-    }
-
-    if (type[byValue][e] !== undefined) {
-      return type[byValue][e];
-    }
-
-    throw new Error('Invalid enum value.');
-  }
-};
-
 // GPG4Browsers - An OpenPGP implementation in javascript
 
 var config = {
@@ -2929,7 +2950,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 5.9.1-1',
+  versionString: 'OpenPGP.js 5.11.0',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -2980,7 +3001,14 @@ var config = {
    * @memberof module:config
    * @property {Set<String>} rejectCurves {@link module:enums.curve}
    */
-  rejectCurves: new Set([enums.curve.secp256k1])
+  rejectCurves: new Set([enums.curve.secp256k1]),
+  /**
+   * Whether to validate generated EdDSA signatures before returning them, to ensure they are not faulty signatures.
+   * This check will make signing 2-3 times slower.
+   * Faulty signatures may be generated (in principle) if random bitflips occur at specific points in the signature
+   * computation, and could be used to recover the signer's secret key given a second signature over the same data.
+   */
+  checkEdDSAFaultySignatures: true
 };
 
 /**
@@ -3421,6 +3449,7 @@ class KeyID {
    */
   read(bytes) {
     this.bytes = util.uint8ArrayToString(bytes.subarray(0, 8));
+    return this.bytes.length;
   }
 
   /**
@@ -9967,7 +9996,7 @@ async function encrypt(algo, key, plaintext, iv, config) {
   if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
     return nodeEncrypt(algo, key, plaintext, iv);
   }
-  if (algoName.substr(0, 3) === 'aes') {
+  if (util.isAES(algo)) {
     return aesEncrypt(algo, key, plaintext, iv, config);
   }
 
@@ -10010,7 +10039,7 @@ async function decrypt(algo, key, ciphertext, iv) {
   if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
     return nodeDecrypt(algo, key, ciphertext, iv);
   }
-  if (algoName.substr(0, 3) === 'aes') {
+  if (util.isAES(algo)) {
     return aesDecrypt(algo, key, ciphertext, iv);
   }
 
@@ -10029,7 +10058,7 @@ async function decrypt(algo, key, ciphertext, iv) {
     let j = 0;
     while (chunk ? ct.length >= block_size : ct.length) {
       const decblock = cipherfn.encrypt(blockp);
-      blockp = ct;
+      blockp = ct.subarray(0, block_size);
       for (i = 0; i < block_size; i++) {
         plaintext[j++] = blockp[i] ^ decblock[i];
       }
@@ -10955,42 +10984,42 @@ async function GCM(cipher, key) {
     throw new Error('GCM mode supports only AES cipher');
   }
 
-  if (util.getWebCrypto() && key.length !== 24) { // WebCrypto (no 192 bit support) see: https://www.chromium.org/blink/webcrypto#TOC-AES-support
-    const _key = await webCrypto$4.importKey('raw', key, { name: ALGO }, false, ['encrypt', 'decrypt']);
-
+  if (util.getNodeCrypto()) { // Node crypto library
     return {
       encrypt: async function(pt, iv, adata = new Uint8Array()) {
-        if (!pt.length) { // iOS does not support GCM-en/decrypting empty messages
-          return AES_GCM.encrypt(pt, key, iv, adata);
-        }
-        const ct = await webCrypto$4.encrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, pt);
+        const en = new nodeCrypto$4.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
+        en.setAAD(adata);
+        const ct = Buffer$2.concat([en.update(pt), en.final(), en.getAuthTag()]); // append auth tag to ciphertext
         return new Uint8Array(ct);
       },
 
       decrypt: async function(ct, iv, adata = new Uint8Array()) {
-        if (ct.length === tagLength$2) { // iOS does not support GCM-en/decrypting empty messages
-          return AES_GCM.decrypt(ct, key, iv, adata);
-        }
-        const pt = await webCrypto$4.decrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, ct);
+        const de = new nodeCrypto$4.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
+        de.setAAD(adata);
+        de.setAuthTag(ct.slice(ct.length - tagLength$2, ct.length)); // read auth tag at end of ciphertext
+        const pt = Buffer$2.concat([de.update(ct.slice(0, ct.length - tagLength$2)), de.final()]);
         return new Uint8Array(pt);
       }
     };
   }
 
-  if (util.getNodeCrypto()) { // Node crypto library
+  if (util.getWebCrypto() && key.length !== 24) { // WebCrypto (no 192 bit support) see: https://www.chromium.org/blink/webcrypto#TOC-AES-support
+    const _key = await webCrypto$4.importKey('raw', key, { name: ALGO }, false, ['encrypt', 'decrypt']);
+
     return {
       encrypt: async function(pt, iv, adata = new Uint8Array()) {
-        const en = new nodeCrypto$4.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
-        en.setAAD(adata);
-        const ct = Buffer$2.concat([en.update(pt), en.final(), en.getAuthTag()]); // append auth tag to ciphertext
+        if (!pt.length) { // iOS does not support GCM-en/decrypting empty messages
+          return AES_GCM.encrypt(pt, key, iv, adata);
+        }
+        const ct = await webCrypto$4.encrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, pt);
         return new Uint8Array(ct);
       },
 
       decrypt: async function(ct, iv, adata = new Uint8Array()) {
-        const de = new nodeCrypto$4.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
-        de.setAAD(adata);
-        de.setAuthTag(ct.slice(ct.length - tagLength$2, ct.length)); // read auth tag at end of ciphertext
-        const pt = Buffer$2.concat([de.update(ct.slice(0, ct.length - tagLength$2)), de.final()]);
+        if (ct.length === tagLength$2) { // iOS does not support GCM-en/decrypting empty messages
+          return AES_GCM.decrypt(ct, key, iv, adata);
+        }
+        const pt = await webCrypto$4.decrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, ct);
         return new Uint8Array(pt);
       }
     };
@@ -11993,11 +12022,11 @@ const nodeCrypto$5 = util.getNodeCrypto();
  */
 function getRandomBytes(length) {
   const buf = new Uint8Array(length);
-  if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
-    crypto.getRandomValues(buf);
-  } else if (nodeCrypto$5) {
+  if (nodeCrypto$5) {
     const bytes = nodeCrypto$5.randomBytes(buf.length);
     buf.set(bytes);
+  } else if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+    crypto.getRandomValues(buf);
   } else {
     throw new Error('No secure random number generator available.');
   }
@@ -13559,7 +13588,7 @@ const curves = {
   },
   ed25519: {
     oid: [0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01],
-    keyType: enums.publicKey.eddsa,
+    keyType: enums.publicKey.eddsaLegacy,
     hash: enums.hash.sha512,
     node: false, // nodeCurves.ed25519 TODO
     payloadSize: 32
@@ -13598,7 +13627,7 @@ const curves = {
   }
 };
 
-class Curve {
+class CurveWithOID {
   constructor(oidOrName, params) {
     try {
       if (util.isArray(oidOrName) ||
@@ -13675,7 +13704,7 @@ class Curve {
 async function generate$1(curve) {
   const BigInteger = await util.getBigInteger();
 
-  curve = new Curve(curve);
+  curve = new CurveWithOID(curve);
   const keyPair = await curve.genKeyPair();
   const Q = new BigInteger(keyPair.publicKey).toUint8Array();
   const secret = new BigInteger(keyPair.privateKey).toUint8Array('be', curve.payloadSize);
@@ -13866,7 +13895,7 @@ const nodeCrypto$8 = util.getNodeCrypto();
  * @async
  */
 async function sign$1(oid, hashAlgo, message, publicKey, privateKey, hashed) {
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   if (message && !util.isStream(message)) {
     const keyPair = { publicKey, privateKey };
     switch (curve.type) {
@@ -13911,7 +13940,7 @@ async function sign$1(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @async
  */
 async function verify$1(oid, hashAlgo, signature, message, publicKey, hashed) {
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   if (message && !util.isStream(message)) {
     switch (curve.type) {
       case 'web':
@@ -13945,7 +13974,7 @@ async function verify$1(oid, hashAlgo, signature, message, publicKey, hashed) {
  * @async
  */
 async function validateParams$2(oid, Q, d) {
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   // Reject curves x25519 and ed25519
   if (curve.keyType !== enums.publicKey.ecdsa) {
     return false;
@@ -14148,7 +14177,7 @@ var ecdsa = /*#__PURE__*/Object.freeze({
 naclFastLight.hash = bytes => new Uint8Array(_512().update(bytes).digest());
 
 /**
- * Sign a message using the provided key
+ * Sign a message using the provided legacy EdDSA key
  * @param {module:type/oid} oid - Elliptic curve object identifier
  * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)
  * @param {Uint8Array} message - Message to sign
@@ -14164,10 +14193,24 @@ naclFastLight.hash = bytes => new Uint8Array(_512().update(bytes).digest());
 async function sign$2(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
     // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
-    throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.');
+    throw new Error('Hash algorithm too weak for EdDSA.');
   }
   const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]);
   const signature = naclFastLight.sign.detached(hashed, secretKey);
+  if (config.checkEdDSAFaultySignatures && !naclFastLight.sign.detached.verify(hashed, signature, publicKey.subarray(1))) {
+    /**
+     * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
+     * if two signatures over the same message are obtained.
+     * See https://github.com/jedisct1/libsodium/issues/170.
+     * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
+     * then the generated signature is always safe, and the verification step is skipped.
+     * Otherwise, we need to verify the generated to ensure that no bitflip occured:
+     * - in M between the computation of `r` and `h`.
+     * - in the public key before computing `h`
+     * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
+     */
+    throw new Error('Transient signing failure');
+  }
   // EdDSA signature params are returned in little-endian format
   return {
     r: signature.subarray(0, 32),
@@ -14176,7 +14219,7 @@ async function sign$2(oid, hashAlgo, message, publicKey, privateKey, hashed) {
 }
 
 /**
- * Verifies if a signature is valid for a message
+ * Verifies if a legacy EdDSA signature is valid for a message
  * @param {module:type/oid} oid - Elliptic curve object identifier
  * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature
  * @param  {{r: Uint8Array,
@@ -14188,11 +14231,14 @@ async function sign$2(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @async
  */
 async function verify$2(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
+  if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
+    throw new Error('Hash algorithm too weak for EdDSA.');
+  }
   const signature = util.concatUint8Array([r, s]);
   return naclFastLight.sign.detached.verify(hashed, signature, publicKey.subarray(1));
 }
 /**
- * Validate EdDSA parameters
+ * Validate legacy EdDSA parameters
  * @param {module:type/oid} oid - Elliptic curve object identifier
  * @param {Uint8Array} Q - EdDSA public point
  * @param {Uint8Array} k - EdDSA secret seed
@@ -14212,9 +14258,10 @@ async function validateParams$3(oid, Q, k) {
   const { publicKey } = naclFastLight.sign.keyPair.fromSeed(k);
   const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix
   return util.equalsUint8Array(Q, dG);
+
 }
 
-var eddsa = /*#__PURE__*/Object.freeze({
+var eddsa_legacy = /*#__PURE__*/Object.freeze({
   __proto__: null,
   sign: sign$2,
   verify: verify$2,
@@ -14223,6 +14270,139 @@ var eddsa = /*#__PURE__*/Object.freeze({
 
 // OpenPGP.js - An OpenPGP implementation in javascript
 
+naclFastLight.hash = bytes => new Uint8Array(_512().update(bytes).digest());
+
+/**
+ * Generate (non-legacy) EdDSA key
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @returns {Promise<{ A: Uint8Array, seed: Uint8Array }>}
+ */
+async function generate$2(algo) {
+  switch (algo) {
+    case enums.publicKey.ed25519: {
+      const seed = getRandomBytes(32);
+      const { publicKey: A } = naclFastLight.sign.keyPair.fromSeed(seed);
+      return { A, seed };
+    }
+    default:
+      throw new Error('Unsupported EdDSA algorithm');
+  }
+}
+
+/**
+ * Sign a message using the provided key
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)
+ * @param {Uint8Array} message - Message to sign
+ * @param {Uint8Array} publicKey - Public key
+ * @param {Uint8Array} privateKey - Private key used to sign the message
+ * @param {Uint8Array} hashed - The hashed message
+ * @returns {Promise<{
+ *   RS: Uint8Array
+ * }>} Signature of the message
+ * @async
+ */
+async function sign$3(algo, hashAlgo, message, publicKey, privateKey, hashed) {
+  if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$1(algo))) {
+    throw new Error('Hash algorithm too weak for EdDSA.');
+  }
+  switch (algo) {
+    case enums.publicKey.ed25519: {
+      const secretKey = util.concatUint8Array([privateKey, publicKey]);
+      const signature = naclFastLight.sign.detached(hashed, secretKey);
+      if (config.checkEdDSAFaultySignatures && !naclFastLight.sign.detached.verify(hashed, signature, publicKey)) {
+        /**
+         * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
+         * if two signatures over the same message are obtained.
+         * See https://github.com/jedisct1/libsodium/issues/170.
+         * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
+         * then the generated signature is always safe, and the verification step is skipped.
+         * Otherwise, we need to verify the generated to ensure that no bitflip occured:
+         * - in M between the computation of `r` and `h`.
+         * - in the public key before computing `h`
+         * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
+         */
+        throw new Error('Transient signing failure');
+      }
+      return { RS: signature };
+    }
+    case enums.publicKey.ed448:
+    default:
+      throw new Error('Unsupported EdDSA algorithm');
+  }
+
+}
+
+/**
+ * Verifies if a signature is valid for a message
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature
+ * @param  {{ RS: Uint8Array }} signature Signature to verify the message
+ * @param {Uint8Array} m - Message to verify
+ * @param {Uint8Array} publicKey - Public key used to verify the message
+ * @param {Uint8Array} hashed - The hashed message
+ * @returns {Boolean}
+ * @async
+ */
+async function verify$3(algo, hashAlgo, { RS }, m, publicKey, hashed) {
+  if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$1(algo))) {
+    throw new Error('Hash algorithm too weak for EdDSA.');
+  }
+  switch (algo) {
+    case enums.publicKey.ed25519: {
+      return naclFastLight.sign.detached.verify(hashed, RS, publicKey);
+    }
+    case enums.publicKey.ed448:
+    default:
+      throw new Error('Unsupported EdDSA algorithm');
+  }
+}
+/**
+ * Validate (non-legacy) EdDSA parameters
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {Uint8Array} A - EdDSA public point
+ * @param {Uint8Array} seed - EdDSA secret seed
+ * @param {Uint8Array} oid - (legacy only) EdDSA OID
+ * @returns {Promise<Boolean>} Whether params are valid.
+ * @async
+ */
+async function validateParams$4(algo, A, seed) {
+  switch (algo) {
+    case enums.publicKey.ed25519: {
+      /**
+       * Derive public point A' from private key
+       * and expect A == A'
+       */
+      const { publicKey } = naclFastLight.sign.keyPair.fromSeed(seed);
+      return util.equalsUint8Array(A, publicKey);
+    }
+
+    case enums.publicKey.ed448: // unsupported
+    default:
+      return false;
+  }
+}
+
+function getPreferredHashAlgo$1(algo) {
+  switch (algo) {
+    case enums.publicKey.ed25519:
+      return enums.hash.sha256;
+    default:
+      throw new Error('Unknown EdDSA algo');
+  }
+}
+
+var eddsa = /*#__PURE__*/Object.freeze({
+  __proto__: null,
+  generate: generate$2,
+  sign: sign$3,
+  verify: verify$3,
+  validateParams: validateParams$4,
+  getPreferredHashAlgo: getPreferredHashAlgo$1
+});
+
+// OpenPGP.js - An OpenPGP implementation in javascript
+
 /**
  * AES key wrap
  * @function
@@ -14410,7 +14590,7 @@ const nodeCrypto$9 = util.getNodeCrypto();
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$4(oid, Q, d) {
+async function validateParams$5(oid, Q, d) {
   return validateStandardParams(enums.publicKey.ecdh, oid, Q, d);
 }
 
@@ -14452,7 +14632,7 @@ async function kdf(hashAlgo, X, length, param, stripLeading = false, stripTraili
 /**
  * Generate ECDHE ephemeral key and secret from public key
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} Q - Recipient public key
  * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
  * @async
@@ -14495,7 +14675,7 @@ async function genPublicEphemeralKey(curve, Q) {
 async function encrypt$3(oid, kdfParams, data, Q, fingerprint) {
   const m = encode$1(data);
 
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   const { publicKey, sharedKey } = await genPublicEphemeralKey(curve, Q);
   const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
   const { keySize } = getCipher(kdfParams.cipher);
@@ -14507,7 +14687,7 @@ async function encrypt$3(oid, kdfParams, data, Q, fingerprint) {
 /**
  * Generate ECDHE secret from private key and public part of ephemeral key
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} V - Public part of ephemeral key
  * @param {Uint8Array} Q - Recipient public key
  * @param {Uint8Array} d - Recipient private key
@@ -14555,7 +14735,7 @@ async function genPrivateEphemeralKey(curve, V, Q, d) {
  * @async
  */
 async function decrypt$3(oid, kdfParams, V, C, Q, d, fingerprint) {
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   const { sharedKey } = await genPrivateEphemeralKey(curve, V, Q, d);
   const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
   const { keySize } = getCipher(kdfParams.cipher);
@@ -14575,7 +14755,7 @@ async function decrypt$3(oid, kdfParams, V, C, Q, d, fingerprint) {
 /**
  * Generate ECDHE secret from private key and public part of ephemeral key using webCrypto
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} V - Public part of ephemeral key
  * @param {Uint8Array} Q - Recipient public key
  * @param {Uint8Array} d - Recipient private key
@@ -14628,7 +14808,7 @@ async function webPrivateEphemeralKey(curve, V, Q, d) {
 /**
  * Generate ECDHE ephemeral key and secret from public key using webCrypto
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} Q - Recipient public key
  * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
  * @async
@@ -14676,7 +14856,7 @@ async function webPublicEphemeralKey(curve, Q) {
 /**
  * Generate ECDHE secret from private key and public part of ephemeral key using indutny/elliptic
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} V - Public part of ephemeral key
  * @param {Uint8Array} d - Recipient private key
  * @returns {Promise<{secretKey: Uint8Array, sharedKey: Uint8Array}>}
@@ -14696,7 +14876,7 @@ async function ellipticPrivateEphemeralKey(curve, V, d) {
 /**
  * Generate ECDHE ephemeral key and secret from public key using indutny/elliptic
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} Q - Recipient public key
  * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
  * @async
@@ -14716,7 +14896,7 @@ async function ellipticPublicEphemeralKey(curve, Q) {
 /**
  * Generate ECDHE secret from private key and public part of ephemeral key using nodeCrypto
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} V - Public part of ephemeral key
  * @param {Uint8Array} d - Recipient private key
  * @returns {Promise<{secretKey: Uint8Array, sharedKey: Uint8Array}>}
@@ -14733,7 +14913,7 @@ async function nodePrivateEphemeralKey(curve, V, d) {
 /**
  * Generate ECDHE ephemeral key and secret from public key using nodeCrypto
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} Q - Recipient public key
  * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
  * @async
@@ -14748,18 +14928,202 @@ async function nodePublicEphemeralKey(curve, Q) {
 
 var ecdh = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  validateParams: validateParams$4,
+  validateParams: validateParams$5,
   encrypt: encrypt$3,
   decrypt: decrypt$3
 });
 
+/**
+ * @fileoverview This module implements HKDF using either the WebCrypto API or Node.js' crypto API.
+ * @module crypto/hkdf
+ * @private
+ */
+
+const webCrypto$9 = util.getWebCrypto();
+const nodeCrypto$a = util.getNodeCrypto();
+const nodeSubtleCrypto = nodeCrypto$a && nodeCrypto$a.webcrypto && nodeCrypto$a.webcrypto.subtle;
+
+async function HKDF(hashAlgo, inputKey, salt, info, outLen) {
+  const hash = enums.read(enums.webHash, hashAlgo);
+  if (!hash) throw new Error('Hash algo not supported with HKDF');
+
+  if (webCrypto$9 || nodeSubtleCrypto) {
+    const crypto = webCrypto$9 || nodeSubtleCrypto;
+    const importedKey = await crypto.importKey('raw', inputKey, 'HKDF', false, ['deriveBits']);
+    const bits = await crypto.deriveBits({ name: 'HKDF', hash, salt, info }, importedKey, outLen * 8);
+    return new Uint8Array(bits);
+  }
+
+  if (nodeCrypto$a) {
+    const hashAlgoName = enums.read(enums.hash, hashAlgo);
+    // Node-only HKDF implementation based on https://www.rfc-editor.org/rfc/rfc5869
+
+    const computeHMAC = (hmacKey, hmacMessage) => nodeCrypto$a.createHmac(hashAlgoName, hmacKey).update(hmacMessage).digest();
+    // Step 1: Extract
+    // PRK = HMAC-Hash(salt, IKM)
+    const pseudoRandomKey = computeHMAC(salt, inputKey);
+
+    const hashLen = pseudoRandomKey.length;
+
+    // Step 2: Expand
+    // HKDF-Expand(PRK, info, L) -> OKM
+    const n = Math.ceil(outLen / hashLen);
+    const outputKeyingMaterial = new Uint8Array(n * hashLen);
+
+    // HMAC input buffer updated at each iteration
+    const roundInput = new Uint8Array(hashLen + info.length + 1);
+    // T_i and last byte are updated at each iteration, but `info` remains constant
+    roundInput.set(info, hashLen);
+
+    for (let i = 0; i < n; i++) {
+      // T(0) = empty string (zero length)
+      // T(i) = HMAC-Hash(PRK, T(i-1) | info | i)
+      roundInput[roundInput.length - 1] = i + 1;
+      // t = T(i+1)
+      const t = computeHMAC(pseudoRandomKey, i > 0 ? roundInput : roundInput.subarray(hashLen));
+      roundInput.set(t, 0);
+
+      outputKeyingMaterial.set(t, i * hashLen);
+    }
+
+    return outputKeyingMaterial.subarray(0, outLen);
+  }
+
+  throw new Error('No HKDF implementation available');
+}
+
+/**
+ * @fileoverview Key encryption and decryption for RFC 6637 ECDH
+ * @module crypto/public_key/elliptic/ecdh
+ * @private
+ */
+
+const HKDF_INFO = {
+  x25519: util.encodeUTF8('OpenPGP X25519')
+};
+
+/**
+ * Generate ECDH key for Montgomery curves
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @returns {Promise<{ A: Uint8Array, k: Uint8Array }>}
+ */
+async function generate$3(algo) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      // k stays in little-endian, unlike legacy ECDH over curve25519
+      const k = getRandomBytes(32);
+      const { publicKey: A } = naclFastLight.box.keyPair.fromSecretKey(k);
+      return { A, k };
+    }
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
+/**
+* Validate ECDH parameters
+* @param {module:enums.publicKey} algo - Algorithm identifier
+* @param {Uint8Array} A - ECDH public point
+* @param {Uint8Array} k - ECDH secret scalar
+* @returns {Promise<Boolean>} Whether params are valid.
+* @async
+*/
+async function validateParams$6(algo, A, k) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      /**
+       * Derive public point A' from private key
+       * and expect A == A'
+       */
+      const { publicKey } = naclFastLight.box.keyPair.fromSecretKey(k);
+      return util.equalsUint8Array(A, publicKey);
+    }
+
+    default:
+      return false;
+  }
+}
+
+/**
+ * Wrap and encrypt a session key
+ *
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {Uint8Array} data - session key data to be encrypted
+ * @param {Uint8Array} recipientA - Recipient public key (K_B)
+ * @returns {Promise<{
+ *  ephemeralPublicKey: Uint8Array,
+ * wrappedKey: Uint8Array
+ * }>} ephemeral public key (K_A) and encrypted key
+ * @async
+ */
+async function encrypt$4(algo, data, recipientA) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      const ephemeralSecretKey = getRandomBytes(32);
+      const sharedSecret = naclFastLight.scalarMult(ephemeralSecretKey, recipientA);
+      const { publicKey: ephemeralPublicKey } = naclFastLight.box.keyPair.fromSecretKey(ephemeralSecretKey);
+      const hkdfInput = util.concatUint8Array([
+        ephemeralPublicKey,
+        recipientA,
+        sharedSecret
+      ]);
+      const { keySize } = getCipher(enums.symmetric.aes128);
+      const encryptionKey = await HKDF(enums.hash.sha256, hkdfInput, new Uint8Array(), HKDF_INFO.x25519, keySize);
+      const wrappedKey = wrap(encryptionKey, data);
+      return { ephemeralPublicKey, wrappedKey };
+    }
+
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
+/**
+ * Decrypt and unwrap the session key
+ *
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {Uint8Array} ephemeralPublicKey - (K_A)
+ * @param {Uint8Array} wrappedKey,
+ * @param {Uint8Array} A - Recipient public key (K_b), needed for KDF
+ * @param {Uint8Array} k - Recipient secret key (b)
+ * @returns {Promise<Uint8Array>} decrypted session key data
+ * @async
+ */
+async function decrypt$4(algo, ephemeralPublicKey, wrappedKey, A, k) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      const sharedSecret = naclFastLight.scalarMult(k, ephemeralPublicKey);
+      const hkdfInput = util.concatUint8Array([
+        ephemeralPublicKey,
+        A,
+        sharedSecret
+      ]);
+      const { keySize } = getCipher(enums.symmetric.aes128);
+      const encryptionKey = await HKDF(enums.hash.sha256, hkdfInput, new Uint8Array(), HKDF_INFO.x25519, keySize);
+      return unwrap(encryptionKey, wrappedKey);
+    }
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
+var ecdh_x = /*#__PURE__*/Object.freeze({
+  __proto__: null,
+  generate: generate$3,
+  validateParams: validateParams$6,
+  encrypt: encrypt$4,
+  decrypt: decrypt$4
+});
+
 // OpenPGP.js - An OpenPGP implementation in javascript
 
 var elliptic = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  Curve: Curve,
+  CurveWithOID: CurveWithOID,
   ecdh: ecdh,
+  ecdhX: ecdh_x,
   ecdsa: ecdsa,
+  eddsaLegacy: eddsa_legacy,
   eddsa: eddsa,
   generate: generate$1,
   getPreferredHashAlgo: getPreferredHashAlgo
@@ -14784,7 +15148,7 @@ var elliptic = /*#__PURE__*/Object.freeze({
  * @returns {Promise<{ r: Uint8Array, s: Uint8Array }>}
  * @async
  */
-async function sign$3(hashAlgo, hashed, g, p, q, x) {
+async function sign$4(hashAlgo, hashed, g, p, q, x) {
   const BigInteger = await util.getBigInteger();
   const one = new BigInteger(1);
   p = new BigInteger(p);
@@ -14843,7 +15207,7 @@ async function sign$3(hashAlgo, hashed, g, p, q, x) {
  * @returns {boolean}
  * @async
  */
-async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
+async function verify$4(hashAlgo, r, s, hashed, g, p, q, y) {
   const BigInteger = await util.getBigInteger();
   const zero = new BigInteger(0);
   r = new BigInteger(r);
@@ -14886,7 +15250,7 @@ async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$5(p, q, g, y, x) {
+async function validateParams$7(p, q, g, y, x) {
   const BigInteger = await util.getBigInteger();
   p = new BigInteger(p);
   q = new BigInteger(q);
@@ -14941,9 +15305,9 @@ async function validateParams$5(p, q, g, y, x) {
 
 var dsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  sign: sign$3,
-  verify: verify$3,
-  validateParams: validateParams$5
+  sign: sign$4,
+  verify: verify$4,
+  validateParams: validateParams$7
 });
 
 /**
@@ -15079,10 +15443,10 @@ function parseSignatureParams(algo, signature) {
       const s = util.readMPI(signature.subarray(read));
       return { r, s };
     }
-    // Algorithm-Specific Fields for EdDSA signatures:
+    // Algorithm-Specific Fields for legacy EdDSA signatures:
     // -  MPI of an EC point r.
     // -  EdDSA value s, in MPI, in the little endian representation
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsaLegacy: {
       // When parsing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
       // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9
       let r = util.readMPI(signature.subarray(read)); read += r.length + 2;
@@ -15091,7 +15455,12 @@ function parseSignatureParams(algo, signature) {
       s = util.leftPad(s, 32);
       return { r, s };
     }
-
+    // Algorithm-Specific Fields for Ed25519 signatures:
+    // - 64 octets of the native signature
+    case enums.publicKey.ed25519: {
+      const RS = signature.subarray(read, read + 64); read += RS.length;
+      return { RS };
+    }
     case enums.publicKey.hmac: {
       const mac = new ShortByteString(); mac.read(signature.subarray(read));
       return { mac };
@@ -15116,7 +15485,7 @@ function parseSignatureParams(algo, signature) {
  * @returns {Promise<Boolean>} True if signature is valid.
  * @async
  */
-async function verify$4(algo, hashAlgo, signature, publicParams, privateParams, data, hashed) {
+async function verify$5(algo, hashAlgo, signature, publicParams, privateParams, data, hashed) {
   switch (algo) {
     case enums.publicKey.rsaEncryptSign:
     case enums.publicKey.rsaEncrypt:
@@ -15132,16 +15501,20 @@ async function verify$4(algo, hashAlgo, signature, publicParams, privateParams,
     }
     case enums.publicKey.ecdsa: {
       const { oid, Q } = publicParams;
-      const curveSize = new publicKey.elliptic.Curve(oid).payloadSize;
+      const curveSize = new publicKey.elliptic.CurveWithOID(oid).payloadSize;
       // padding needed for webcrypto
       const r = util.leftPad(signature.r, curveSize);
       const s = util.leftPad(signature.s, curveSize);
       return publicKey.elliptic.ecdsa.verify(oid, hashAlgo, { r, s }, data, Q, hashed);
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsaLegacy: {
       const { oid, Q } = publicParams;
       // signature already padded on parsing
-      return publicKey.elliptic.eddsa.verify(oid, hashAlgo, signature, data, Q, hashed);
+      return publicKey.elliptic.eddsaLegacy.verify(oid, hashAlgo, signature, data, Q, hashed);
+    }
+    case enums.publicKey.ed25519: {
+      const { A } = publicParams;
+      return publicKey.elliptic.eddsa.verify(algo, hashAlgo, signature, data, A, hashed);
     }
     case enums.publicKey.hmac: {
       if (!privateParams) {
@@ -15171,7 +15544,7 @@ async function verify$4(algo, hashAlgo, signature, publicParams, privateParams,
  * @returns {Promise<Object>} Signature                      Object containing named signature parameters.
  * @async
  */
-async function sign$4(algo, hashAlgo, publicKeyParams, privateKeyParams, data, hashed) {
+async function sign$5(algo, hashAlgo, publicKeyParams, privateKeyParams, data, hashed) {
   if (!publicKeyParams || !privateKeyParams) {
     throw new Error('Missing key parameters');
   }
@@ -15197,10 +15570,15 @@ async function sign$4(algo, hashAlgo, publicKeyParams, privateKeyParams, data, h
       const { d } = privateKeyParams;
       return publicKey.elliptic.ecdsa.sign(oid, hashAlgo, data, Q, d, hashed);
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsaLegacy: {
       const { oid, Q } = publicKeyParams;
       const { seed } = privateKeyParams;
-      return publicKey.elliptic.eddsa.sign(oid, hashAlgo, data, Q, seed, hashed);
+      return publicKey.elliptic.eddsaLegacy.sign(oid, hashAlgo, data, Q, seed, hashed);
+    }
+    case enums.publicKey.ed25519: {
+      const { A } = publicKeyParams;
+      const { seed } = privateKeyParams;
+      return publicKey.elliptic.eddsa.sign(algo, hashAlgo, data, A, seed, hashed);
     }
     case enums.publicKey.hmac: {
       const { cipher: algo } = publicKeyParams;
@@ -15216,34 +15594,31 @@ async function sign$4(algo, hashAlgo, publicKeyParams, privateKeyParams, data, h
 var signature = /*#__PURE__*/Object.freeze({
   __proto__: null,
   parseSignatureParams: parseSignatureParams,
-  verify: verify$4,
-  sign: sign$4
+  verify: verify$5,
+  sign: sign$5
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
 
 class ECDHSymmetricKey {
   constructor(data) {
-    if (typeof data === 'undefined') {
-      data = new Uint8Array([]);
-    } else if (util.isString(data)) {
-      data = util.stringToUint8Array(data);
-    } else {
-      data = new Uint8Array(data);
+    if (data) {
+      this.data = data;
     }
-    this.data = data;
   }
 
   /**
-   * Read an ECDHSymmetricKey from an Uint8Array
-   * @param {Uint8Array} input - Where to read the encoded symmetric key from
+   * Read an ECDHSymmetricKey from an Uint8Array:
+   * - 1 octect for the length `l`
+   * - `l` octects of encoded session key data
+   * @param {Uint8Array} bytes
    * @returns {Number} Number of read bytes.
    */
-  read(input) {
-    if (input.length >= 1) {
-      const length = input[0];
-      if (input.length >= 1 + length) {
-        this.data = input.subarray(1, 1 + length);
+  read(bytes) {
+    if (bytes.length >= 1) {
+      const length = bytes[0];
+      if (bytes.length >= 1 + length) {
+        this.data = bytes.subarray(1, 1 + length);
         return 1 + this.data.length;
       }
     }
@@ -15252,7 +15627,7 @@ class ECDHSymmetricKey {
 
   /**
    * Write an ECDHSymmetricKey as an Uint8Array
-   * @returns  {Uint8Array}  An array containing the value
+   * @returns  {Uint8Array} Serialised data
    */
   write() {
     return util.concatUint8Array([new Uint8Array([this.data.length]), this.data]);
@@ -15292,6 +15667,9 @@ class KDFParams {
    * @returns {Number} Number of read bytes.
    */
   read(input) {
+    if (input.length < 4 || (input[1] !== 1 && input[1] !== VERSION_FORWARDING)) {
+      throw new UnsupportedError('Cannot read KDFParams');
+    }
     const totalBytes = input[0];
     this.version = input[1];
     this.hash = input[2];
@@ -15379,12 +15757,57 @@ const AEADEnum = type_enum(enums.aead);
 const SymAlgoEnum = type_enum(enums.symmetric);
 const HashEnum = type_enum(enums.hash);
 
+/**
+ * Encoded symmetric key for x25519 and x448
+ * The payload format varies for v3 and v6 PKESK:
+ * the former includes an algorithm byte preceeding the encrypted session key.
+ *
+ * @module type/x25519x448_symkey
+ */
+
+class ECDHXSymmetricKey {
+  static fromObject({ wrappedKey, algorithm }) {
+    const instance = new ECDHXSymmetricKey();
+    instance.wrappedKey = wrappedKey;
+    instance.algorithm = algorithm;
+    return instance;
+  }
+
+  /**
+   * - 1 octect for the length `l`
+   * - `l` octects of encoded session key data (with optional leading algorithm byte)
+   * @param {Uint8Array} bytes
+   * @returns {Number} Number of read bytes.
+   */
+  read(bytes) {
+    let read = 0;
+    let followLength = bytes[read++];
+    this.algorithm = followLength % 2 ? bytes[read++] : null; // session key size is always even
+    followLength -= followLength % 2;
+    this.wrappedKey = bytes.subarray(read, read + followLength); read += followLength;
+  }
+
+  /**
+   * Write an MontgomerySymmetricKey as an Uint8Array
+   * @returns  {Uint8Array} Serialised data
+   */
+  write() {
+    return util.concatUint8Array([
+      this.algorithm ?
+        new Uint8Array([this.wrappedKey.length + 1, this.algorithm]) :
+        new Uint8Array([this.wrappedKey.length]),
+      this.wrappedKey
+    ]);
+  }
+}
+
 // GPG4Browsers - An OpenPGP implementation in javascript
 
 /**
  * Encrypts data using specified algorithm and public key parameters.
  * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1} for public key algorithms.
- * @param {module:enums.publicKey} algo - Public key algorithm
+ * @param {module:enums.publicKey} keyAlgo - Public key algorithm
+ * @param {module:enums.symmetric} symmetricAlgo - Cipher algorithm
  * @param {Object} publicParams - Algorithm-specific public key parameters
  * @param {Object} privateParams - Algorithm-specific private key parameters
  * @param {Uint8Array} data - Data to be encrypted
@@ -15392,8 +15815,8 @@ const HashEnum = type_enum(enums.hash);
  * @returns {Promise<Object>} Encrypted session key parameters.
  * @async
  */
-async function publicKeyEncrypt(algo, publicParams, privateParams, data, fingerprint) {
-  switch (algo) {
+async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, privateParams, data, fingerprint) {
+  switch (keyAlgo) {
     case enums.publicKey.rsaEncrypt:
     case enums.publicKey.rsaEncryptSign: {
       const { n, e } = publicParams;
@@ -15410,6 +15833,17 @@ async function publicKeyEncrypt(algo, publicParams, privateParams, data, fingerp
         oid, kdfParams, data, Q, fingerprint);
       return { V, C: new ECDHSymmetricKey(C) };
     }
+    case enums.publicKey.x25519: {
+      if (!util.isAES(symmetricAlgo)) {
+        // see https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/276
+        throw new Error('X25519 keys can only encrypt AES session keys');
+      }
+      const { A } = publicParams;
+      const { ephemeralPublicKey, wrappedKey } = await publicKey.elliptic.ecdhX.encrypt(
+        keyAlgo, data, A);
+      const C = ECDHXSymmetricKey.fromObject({ algorithm: symmetricAlgo, wrappedKey });
+      return { ephemeralPublicKey, C };
+    }
     case enums.publicKey.aead: {
       if (!privateParams) {
         throw new Error('Cannot encrypt with symmetric key missing private parameters');
@@ -15466,6 +15900,16 @@ async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams, session
       return publicKey.elliptic.ecdh.decrypt(
         oid, kdfParams, V, C.data, Q, d, fingerprint);
     }
+    case enums.publicKey.x25519: {
+      const { A } = publicKeyParams;
+      const { k } = privateKeyParams;
+      const { ephemeralPublicKey, C } = sessionKeyParams;
+      if (!util.isAES(C.algorithm)) {
+        throw new Error('AES session key expected');
+      }
+      return publicKey.elliptic.ecdhX.decrypt(
+        algo, ephemeralPublicKey, C.wrappedKey, A, k);
+    }
     case enums.publicKey.aead: {
       const { cipher: algo } = publicKeyParams;
       const algoValue = algo.getValue();
@@ -15517,7 +15961,7 @@ function parsePublicKeyParams(algo, bytes) {
       const Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
       return { read: read, publicParams: { oid, Q } };
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsaLegacy: {
       const oid = new OID(); read += oid.read(bytes);
       checkSupportedCurve(oid);
       let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
@@ -15531,6 +15975,11 @@ function parsePublicKeyParams(algo, bytes) {
       const kdfParams = new KDFParams(); read += kdfParams.read(bytes.subarray(read));
       return { read: read, publicParams: { oid, Q, kdfParams } };
     }
+    case enums.publicKey.ed25519:
+    case enums.publicKey.x25519: {
+      const A = bytes.subarray(read, read + 32); read += A.length;
+      return { read, publicParams: { A } };
+    }
     case enums.publicKey.hmac:
     case enums.publicKey.aead: {
       const algo = new SymAlgoEnum(); read += algo.read(bytes);
@@ -15569,17 +16018,25 @@ function parsePrivateKeyParams(algo, bytes, publicParams) {
     }
     case enums.publicKey.ecdsa:
     case enums.publicKey.ecdh: {
-      const curve = new Curve(publicParams.oid);
+      const curve = new CurveWithOID(publicParams.oid);
       let d = util.readMPI(bytes.subarray(read)); read += d.length + 2;
       d = util.leftPad(d, curve.payloadSize);
       return { read, privateParams: { d } };
     }
-    case enums.publicKey.eddsa: {
-      const curve = new Curve(publicParams.oid);
+    case enums.publicKey.eddsaLegacy: {
+      const curve = new CurveWithOID(publicParams.oid);
       let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;
       seed = util.leftPad(seed, curve.payloadSize);
       return { read, privateParams: { seed } };
     }
+    case enums.publicKey.ed25519: {
+      const seed = bytes.subarray(read, read + 32); read += seed.length;
+      return { read, privateParams: { seed } };
+    }
+    case enums.publicKey.x25519: {
+      const k = bytes.subarray(read, read + 32); read += k.length;
+      return { read, privateParams: { k } };
+    }
     case enums.publicKey.hmac: {
       const { cipher: algo } = publicParams;
       const keySize = hash.getHashByteLength(algo.getValue());
@@ -15631,6 +16088,16 @@ function parseEncSessionKeyParams(algo, bytes) {
       const C = new ECDHSymmetricKey(); C.read(bytes.subarray(read));
       return { V, C };
     }
+    //   Algorithm-Specific Fields for X25519 encrypted session keys:
+    //       - 32 octets representing an ephemeral X25519 public key.
+    //       - A one-octet size of the following fields.
+    //       - The one-octet algorithm identifier, if it was passed (in the case of a v3 PKESK packet).
+    //       - The encrypted session key.
+    case enums.publicKey.x25519: {
+      const ephemeralPublicKey = bytes.subarray(read, read + 32); read += ephemeralPublicKey.length;
+      const C = new ECDHXSymmetricKey(); C.read(bytes.subarray(read));
+      return { ephemeralPublicKey, C };
+    }
     //   Algorithm-Specific Fields for symmetric AEAD encryption:
     //       - AEAD algorithm
     //       - Starting initialization vector
@@ -15657,22 +16124,13 @@ function parseEncSessionKeyParams(algo, bytes) {
  * @returns {Uint8Array} The array containing the MPIs.
  */
 function serializeParams(algo, params) {
-  let orderedParams;
-  switch (algo) {
-    case enums.publicKey.hmac:
-    case enums.publicKey.aead: {
-      orderedParams = Object.keys(params).map(name => {
-        const param = params[name];
-        return util.isUint8Array(param) ? param : param.write();
-      });
-      break;
-    }
-    default:
-      orderedParams = Object.keys(params).map(name => {
-        const param = params[name];
-        return util.isUint8Array(param) ? util.uint8ArrayToMPI(param) : param.write();
-      });
-  }
+  // Some algorithms do not rely on MPIs to store the binary params
+  const algosWithNativeRepresentation = new Set([enums.publicKey.ed25519, enums.publicKey.x25519, enums.publicKey.aead, enums.publicKey.hmac]);
+  const orderedParams = Object.keys(params).map(name => {
+    const param = params[name];
+    if (!util.isUint8Array(param)) return param.write();
+    return algosWithNativeRepresentation.has(algo) ? param : util.uint8ArrayToMPI(param);
+  });
   return util.concatUint8Array(orderedParams);
 }
 
@@ -15700,7 +16158,7 @@ function generateParams(algo, bits, oid, symmetric) {
         privateParams: { d: secret },
         publicParams: { oid: new OID(oid), Q }
       }));
-    case enums.publicKey.eddsa:
+    case enums.publicKey.eddsaLegacy:
       return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({
         privateParams: { seed: secret },
         publicParams: { oid: new OID(oid), Q }
@@ -15714,6 +16172,16 @@ function generateParams(algo, bits, oid, symmetric) {
           kdfParams: new KDFParams({ hash, cipher })
         }
       }));
+    case enums.publicKey.ed25519:
+      return publicKey.elliptic.eddsa.generate(algo).then(({ A, seed }) => ({
+        privateParams: { seed },
+        publicParams: { A }
+      }));
+    case enums.publicKey.x25519:
+      return publicKey.elliptic.ecdhX.generate(algo).then(({ A, k }) => ({
+        privateParams: { k },
+        publicParams: { A }
+      }));
     case enums.publicKey.hmac: {
       const symAlgo = enums.write(enums.hash, symmetric);
       const keyMaterial = getRandomBytes(hash.getHashByteLength(symAlgo));
@@ -15755,7 +16223,7 @@ async function createSymmetricParams(key, algo) {
  * @returns {Promise<Boolean>} Whether the parameters are valid.
  * @async
  */
-async function validateParams$6(algo, publicParams, privateParams) {
+async function validateParams$8(algo, publicParams, privateParams) {
   if (!publicParams || !privateParams) {
     throw new Error('Missing key parameters');
   }
@@ -15784,10 +16252,20 @@ async function validateParams$6(algo, publicParams, privateParams) {
       const { d } = privateParams;
       return algoModule.validateParams(oid, Q, d);
     }
-    case enums.publicKey.eddsa: {
-      const { oid, Q } = publicParams;
+    case enums.publicKey.eddsaLegacy: {
+      const { Q, oid } = publicParams;
+      const { seed } = privateParams;
+      return publicKey.elliptic.eddsaLegacy.validateParams(oid, Q, seed);
+    }
+    case enums.publicKey.ed25519: {
+      const { A } = publicParams;
       const { seed } = privateParams;
-      return publicKey.elliptic.eddsa.validateParams(oid, Q, seed);
+      return publicKey.elliptic.eddsa.validateParams(algo, A, seed);
+    }
+    case enums.publicKey.x25519: {
+      const { A } = publicParams;
+      const { k } = privateParams;
+      return publicKey.elliptic.ecdhX.validateParams(algo, A, k);
     }
     case enums.publicKey.hmac: {
       const { cipher: algo, digest } = publicParams;
@@ -15857,6 +16335,23 @@ function checkSupportedCurve(oid) {
   }
 }
 
+/**
+ * Get preferred hash algo for a given elliptic algo
+ * @param {module:enums.publicKey} algo - alrogithm identifier
+ * @param {module:type/oid} [oid] - curve OID if needed by algo
+ */
+function getPreferredCurveHashAlgo(algo, oid) {
+  switch (algo) {
+    case enums.publicKey.ecdsa:
+    case enums.publicKey.eddsaLegacy:
+      return publicKey.elliptic.getPreferredHashAlgo(oid);
+    case enums.publicKey.ed25519:
+      return publicKey.elliptic.eddsa.getPreferredHashAlgo(algo);
+    default:
+      throw new Error('Unknown elliptic signing algo');
+  }
+}
+
 var crypto$1 = /*#__PURE__*/Object.freeze({
   __proto__: null,
   publicKeyEncrypt: publicKeyEncrypt,
@@ -15866,11 +16361,12 @@ var crypto$1 = /*#__PURE__*/Object.freeze({
   parseEncSessionKeyParams: parseEncSessionKeyParams,
   serializeParams: serializeParams,
   generateParams: generateParams,
-  validateParams: validateParams$6,
+  validateParams: validateParams$8,
   getPrefixRandom: getPrefixRandom,
   generateSessionKey: generateSessionKey,
   getAEADMode: getAEADMode,
-  getCipher: getCipher
+  getCipher: getCipher,
+  getPreferredCurveHashAlgo: getPreferredCurveHashAlgo
 });
 
 /**
@@ -16113,15 +16609,15 @@ class GenericS2K {
             this.type = 'gnu-dummy';
             // GnuPG extension mode 1001 -- don't write secret key at all
           } else {
-            throw new Error('Unknown s2k gnu protection mode.');
+            throw new UnsupportedError('Unknown s2k gnu protection mode.');
           }
         } else {
-          throw new Error('Unknown s2k type.');
+          throw new UnsupportedError('Unknown s2k type.');
         }
         break;
 
       default:
-        throw new Error('Unknown s2k type.');
+        throw new UnsupportedError('Unknown s2k type.'); // unreachable
     }
 
     return i;
@@ -16225,7 +16721,7 @@ function newS2KFromType(type, config$1 = config) {
     case enums.s2k.simple:
       return new GenericS2K(type, config$1);
     default:
-      throw new Error(`Unsupported S2K type ${type}`);
+      throw new UnsupportedError(`Unsupported S2K type ${type}`);
   }
 }
 
@@ -24979,13 +25475,17 @@ class PublicKeyEncryptedSessionKeyPacket {
    * @param {Uint8Array} bytes - Payload of a tag 1 packet
    */
   read(bytes) {
-    this.version = bytes[0];
+    let i = 0;
+    this.version = bytes[i++];
     if (this.version !== VERSION$3) {
       throw new UnsupportedError(`Version ${this.version} of the PKESK packet is unsupported.`);
     }
-    this.publicKeyID.read(bytes.subarray(1, bytes.length));
-    this.publicKeyAlgorithm = bytes[9];
-    this.encrypted = mod.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(10));
+    i += this.publicKeyID.read(bytes.subarray(i));
+    this.publicKeyAlgorithm = bytes[i++];
+    this.encrypted = mod.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(i), this.version);
+    if (this.publicKeyAlgorithm === enums.publicKey.x25519) {
+      this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);
+    }
   }
 
   /**
@@ -25011,15 +25511,11 @@ class PublicKeyEncryptedSessionKeyPacket {
    * @async
    */
   async encrypt(key) {
-    const data = util.concatUint8Array([
-      new Uint8Array([enums.write(enums.symmetric, this.sessionKeyAlgorithm)]),
-      this.sessionKey,
-      util.writeChecksum(this.sessionKey)
-    ]);
     const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);
+    const encoded = encodeSessionKey(this.version, algo, this.sessionKeyAlgorithm, this.sessionKey);
     const privateParams = algo === enums.publicKey.aead ? key.privateParams : null;
     this.encrypted = await mod.publicKeyEncrypt(
-      algo, key.publicParams, privateParams, data, key.getFingerprintBytes());
+      algo, this.sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
   }
 
   /**
@@ -25036,34 +25532,86 @@ class PublicKeyEncryptedSessionKeyPacket {
       throw new Error('Decryption error');
     }
 
-    const randomPayload = randomSessionKey ? util.concatUint8Array([
-      new Uint8Array([randomSessionKey.sessionKeyAlgorithm]),
-      randomSessionKey.sessionKey,
-      util.writeChecksum(randomSessionKey.sessionKey)
-    ]) : null;
-    const decoded = await mod.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
-    const symmetricAlgoByte = decoded[0];
-    const sessionKey = decoded.subarray(1, decoded.length - 2);
-    const checksum = decoded.subarray(decoded.length - 2);
-    const computedChecksum = util.writeChecksum(sessionKey);
-    const isValidChecksum = computedChecksum[0] === checksum[0] & computedChecksum[1] === checksum[1];
-
-    if (randomSessionKey) {
-      // We must not leak info about the validity of the decrypted checksum or cipher algo.
-      // The decrypted session key must be of the same algo and size as the random session key, otherwise we discard it and use the random data.
-      const isValidPayload = isValidChecksum & symmetricAlgoByte === randomSessionKey.sessionKeyAlgorithm & sessionKey.length === randomSessionKey.sessionKey.length;
-      this.sessionKeyAlgorithm = util.selectUint8(isValidPayload, symmetricAlgoByte, randomSessionKey.sessionKeyAlgorithm);
-      this.sessionKey = util.selectUint8Array(isValidPayload, sessionKey, randomSessionKey.sessionKey);
+    const randomPayload = randomSessionKey ?
+      encodeSessionKey(this.version, this.publicKeyAlgorithm, randomSessionKey.sessionKeyAlgorithm, randomSessionKey.sessionKey) :
+      null;
+    const decryptedData = await mod.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
 
-    } else {
-      const isValidPayload = isValidChecksum && enums.read(enums.symmetric, symmetricAlgoByte);
-      if (isValidPayload) {
-        this.sessionKey = sessionKey;
-        this.sessionKeyAlgorithm = symmetricAlgoByte;
+    const { sessionKey, sessionKeyAlgorithm } = decodeSessionKey(this.version, this.publicKeyAlgorithm, decryptedData, randomSessionKey);
+
+    // v3 Montgomery curves have cleartext cipher algo
+    if (this.publicKeyAlgorithm !== enums.publicKey.x25519) {
+      this.sessionKeyAlgorithm = sessionKeyAlgorithm;
+    }
+    this.sessionKey = sessionKey;
+  }
+}
+
+
+function encodeSessionKey(version, keyAlgo, cipherAlgo, sessionKeyData) {
+  switch (keyAlgo) {
+    case enums.publicKey.rsaEncrypt:
+    case enums.publicKey.rsaEncryptSign:
+    case enums.publicKey.elgamal:
+    case enums.publicKey.ecdh:
+    case enums.publicKey.aead: {
+      // add checksum
+      return util.concatUint8Array([
+        new Uint8Array([cipherAlgo]),
+        sessionKeyData,
+        util.writeChecksum(sessionKeyData.subarray(sessionKeyData.length % 8))
+      ]);
+    }
+    case enums.publicKey.x25519:
+      return sessionKeyData;
+    default:
+      throw new Error('Unsupported public key algorithm');
+  }
+}
+
+
+function decodeSessionKey(version, keyAlgo, decryptedData, randomSessionKey) {
+  switch (keyAlgo) {
+    case enums.publicKey.rsaEncrypt:
+    case enums.publicKey.rsaEncryptSign:
+    case enums.publicKey.elgamal:
+    case enums.publicKey.ecdh:
+    case enums.publicKey.aead: {
+      // verify checksum in constant time
+      const result = decryptedData.subarray(0, decryptedData.length - 2);
+      const checksum = decryptedData.subarray(decryptedData.length - 2);
+      const computedChecksum = util.writeChecksum(result.subarray(result.length % 8));
+      const isValidChecksum = computedChecksum[0] === checksum[0] & computedChecksum[1] === checksum[1];
+      const decryptedSessionKey = { sessionKeyAlgorithm: result[0], sessionKey: result.subarray(1) };
+      if (randomSessionKey) {
+        // We must not leak info about the validity of the decrypted checksum or cipher algo.
+        // The decrypted session key must be of the same algo and size as the random session key, otherwise we discard it and use the random data.
+        const isValidPayload = isValidChecksum &
+          decryptedSessionKey.sessionKeyAlgorithm === randomSessionKey.sessionKeyAlgorithm &
+          decryptedSessionKey.sessionKey.length === randomSessionKey.sessionKey.length;
+        return {
+          sessionKey: util.selectUint8Array(isValidPayload, decryptedSessionKey.sessionKey, randomSessionKey.sessionKey),
+          sessionKeyAlgorithm: util.selectUint8(
+            isValidPayload,
+            decryptedSessionKey.sessionKeyAlgorithm,
+            randomSessionKey.sessionKeyAlgorithm
+          )
+        };
       } else {
-        throw new Error('Decryption error');
+        const isValidPayload = isValidChecksum && enums.read(enums.symmetric, decryptedSessionKey.sessionKeyAlgorithm);
+        if (isValidPayload) {
+          return decryptedSessionKey;
+        } else {
+          throw new Error('Decryption error');
+        }
       }
     }
+    case enums.publicKey.x25519:
+      return {
+        sessionKey: decryptedData
+      };
+    default:
+      throw new Error('Unsupported public key algorithm');
   }
 }
 
@@ -25494,7 +26042,7 @@ class PublicKeyPacket {
       result.bits = util.uint8ArrayBitLength(modulo);
     } else if (this.publicParams.oid) {
       result.curve = this.publicParams.oid.getName();
-    } else {
+    } else if (this.publicParams.cipher) {
       result.symmetric = this.publicParams.cipher.getName();
     }
     return result;
@@ -25826,6 +26374,7 @@ class SecretKeyPacket extends PublicKeyPacket {
   async read(bytes) {
     // - A Public-Key or Public-Subkey packet, as described above.
     let i = await this.readPublicKey(bytes);
+    const startOfSecretKeyData = i;
 
     // - One octet indicating string-to-key usage conventions.  Zero
     //   indicates that the secret-key data is not encrypted.  255 or 254
@@ -25839,41 +26388,48 @@ class SecretKeyPacket extends PublicKeyPacket {
       i++;
     }
 
-    // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
-    //   one-octet symmetric encryption algorithm.
-    if (this.s2kUsage === 255 || this.s2kUsage === 254 || this.s2kUsage === 253) {
-      this.symmetric = bytes[i++];
+    try {
+      // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
+      //   one-octet symmetric encryption algorithm.
+      if (this.s2kUsage === 255 || this.s2kUsage === 254 || this.s2kUsage === 253) {
+        this.symmetric = bytes[i++];
 
-      // - [Optional] If string-to-key usage octet was 253, a one-octet
-      //   AEAD algorithm.
-      if (this.s2kUsage === 253) {
-        this.aead = bytes[i++];
-      }
+        // - [Optional] If string-to-key usage octet was 253, a one-octet
+        //   AEAD algorithm.
+        if (this.s2kUsage === 253) {
+          this.aead = bytes[i++];
+        }
 
-      // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
-      //   string-to-key specifier.  The length of the string-to-key
-      //   specifier is implied by its type, as described above.
-      const s2kType = bytes[i++];
-      this.s2k = newS2KFromType(s2kType);
-      i += this.s2k.read(bytes.subarray(i, bytes.length));
+        // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
+        //   string-to-key specifier.  The length of the string-to-key
+        //   specifier is implied by its type, as described above.
+        const s2kType = bytes[i++];
+        this.s2k = newS2KFromType(s2kType);
+        i += this.s2k.read(bytes.subarray(i, bytes.length));
 
-      if (this.s2k.type === 'gnu-dummy') {
-        return;
+        if (this.s2k.type === 'gnu-dummy') {
+          return;
+        }
+      } else if (this.s2kUsage) {
+        this.symmetric = this.s2kUsage;
       }
-    } else if (this.s2kUsage) {
-      this.symmetric = this.s2kUsage;
-    }
 
-    // - [Optional] If secret data is encrypted (string-to-key usage octet
-    //   not zero), an Initial Vector (IV) of the same length as the
-    //   cipher's block size.
-    if (this.s2kUsage) {
-      this.iv = bytes.subarray(
-        i,
-        i + mod.getCipher(this.symmetric).blockSize
-      );
+      // - [Optional] If secret data is encrypted (string-to-key usage octet
+      //   not zero), an Initial Vector (IV) of the same length as the
+      //   cipher's block size.
+      if (this.s2kUsage) {
+        this.iv = bytes.subarray(
+          i,
+          i + mod.getCipher(this.symmetric).blockSize
+        );
 
-      i += this.iv.length;
+        i += this.iv.length;
+      }
+    } catch (e) {
+      // if the s2k is unsupported, we still want to support encrypting and verifying with the given key
+      if (!this.s2kUsage) throw e; // always throw for decrypted keys
+      this.unparseableKeyMaterial = bytes.subarray(startOfSecretKeyData);
+      this.isEncrypted = true;
     }
 
     // - Only for a version 5 packet, a four-octet scalar octet count for
@@ -25909,8 +26465,15 @@ class SecretKeyPacket extends PublicKeyPacket {
    * @returns {Uint8Array} A string of bytes containing the secret key OpenPGP packet.
    */
   write() {
-    const arr = [this.writePublicKey()];
+    const serializedPublicKey = this.writePublicKey();
+    if (this.unparseableKeyMaterial) {
+      return util.concatUint8Array([
+        serializedPublicKey,
+        this.unparseableKeyMaterial
+      ]);
+    }
 
+    const arr = [serializedPublicKey];
     arr.push(new Uint8Array([this.s2kUsage]));
 
     const optionalFieldsArr = [];
@@ -25970,6 +26533,18 @@ class SecretKeyPacket extends PublicKeyPacket {
     return this.isEncrypted === false;
   }
 
+  /**
+   * Check whether the key includes secret key material.
+   * Some secret keys do not include it, and can thus only be used
+   * for public-key operations (encryption and verification).
+   * Such keys are:
+   * - GNU-dummy keys, where the secret material has been stripped away
+   * - encrypted keys with unsupported S2K or cipher
+   */
+  isMissingSecretKeyMaterial() {
+    return this.unparseableKeyMaterial !== undefined || this.isDummy();
+  }
+
   /**
    * Check whether this is a gnu-dummy key
    * @returns {Boolean}
@@ -25990,6 +26565,7 @@ class SecretKeyPacket extends PublicKeyPacket {
     if (this.isDecrypted()) {
       this.clearPrivateParams();
     }
+    delete this.unparseableKeyMaterial;
     this.isEncrypted = null;
     this.keyMaterial = null;
     this.s2k = newS2KFromType(enums.s2k.gnu, config$1);
@@ -26061,6 +26637,10 @@ class SecretKeyPacket extends PublicKeyPacket {
       return false;
     }
 
+    if (this.unparseableKeyMaterial) {
+      throw new Error('Key packet cannot be decrypted: unsupported S2K or cipher algo');
+    }
+
     if (this.isDecrypted()) {
       throw new Error('Key packet is already decrypted.');
     }
@@ -26145,7 +26725,7 @@ class SecretKeyPacket extends PublicKeyPacket {
    * Clear private key parameters
    */
   clearPrivateParams() {
-    if (this.isDummy()) {
+    if (this.isMissingSecretKeyMaterial()) {
       return;
     }
 
@@ -27544,25 +28124,22 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
   const dataToSign = {};
   dataToSign.key = primaryKey;
   dataToSign.bind = subkey;
-  const subkeySignaturePacket = new SignaturePacket();
-  subkeySignaturePacket.signatureType = enums.signature.subkeyBinding;
-  subkeySignaturePacket.publicKeyAlgorithm = primaryKey.algorithm;
-  subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(null, subkey, undefined, undefined, config);
+  const signatureProperties = { signatureType: enums.signature.subkeyBinding };
   if (options.sign) {
-    subkeySignaturePacket.keyFlags = [enums.keyFlags.signData];
-    subkeySignaturePacket.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
+    signatureProperties.keyFlags = [enums.keyFlags.signData];
+    signatureProperties.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
       signatureType: enums.signature.keyBinding
     }, options.date, undefined, undefined, undefined, config);
   } else {
-    subkeySignaturePacket.keyFlags = options.forwarding ?
+    signatureProperties.keyFlags = options.forwarding ?
       [enums.keyFlags.forwardedCommunication] :
       [enums.keyFlags.encryptCommunication | enums.keyFlags.encryptStorage];
   }
   if (options.keyExpirationTime > 0) {
-    subkeySignaturePacket.keyExpirationTime = options.keyExpirationTime;
-    subkeySignaturePacket.keyNeverExpires = false;
+    signatureProperties.keyExpirationTime = options.keyExpirationTime;
+    signatureProperties.keyNeverExpires = false;
   }
-  await subkeySignaturePacket.sign(primaryKey, dataToSign, options.date);
+  const subkeySignaturePacket = await createSignaturePacket(dataToSign, null, primaryKey, signatureProperties, options.date, undefined, undefined, undefined, config);
   return subkeySignaturePacket;
 }
 
@@ -27576,7 +28153,7 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
  * @returns {Promise<enums.hash>}
  * @async
  */
-async function getPreferredHashAlgo$1(key, keyPacket, date = new Date(), userID = {}, config) {
+async function getPreferredHashAlgo$2(key, keyPacket, date = new Date(), userID = {}, config) {
   let hashAlgo = config.preferredHashAlgorithm;
   let prefAlgo = hashAlgo;
   if (key) {
@@ -27587,17 +28164,11 @@ async function getPreferredHashAlgo$1(key, keyPacket, date = new Date(), userID
         prefAlgo : hashAlgo;
     }
   }
-  switch (Object.getPrototypeOf(keyPacket)) {
-    case SecretKeyPacket.prototype:
-    case PublicKeyPacket.prototype:
-    case SecretSubkeyPacket.prototype:
-    case PublicSubkeyPacket.prototype:
-      switch (keyPacket.algorithm) {
-        case enums.publicKey.ecdh:
-        case enums.publicKey.ecdsa:
-        case enums.publicKey.eddsa:
-          prefAlgo = mod.publicKey.elliptic.getPreferredHashAlgo(keyPacket.publicParams.oid);
-      }
+  switch (keyPacket.algorithm) {
+    case enums.publicKey.ecdsa:
+    case enums.publicKey.eddsaLegacy:
+    case enums.publicKey.ed25519:
+      prefAlgo = mod.getPreferredCurveHashAlgo(keyPacket.algorithm, keyPacket.publicParams.oid);
   }
   return mod.hash.getHashByteLength(hashAlgo) <= mod.hash.getHashByteLength(prefAlgo) ?
     prefAlgo : hashAlgo;
@@ -27665,7 +28236,7 @@ async function createSignaturePacket(dataToSign, privateKey, signingKeyPacket, s
   const signaturePacket = new SignaturePacket();
   Object.assign(signaturePacket, signatureProperties);
   signaturePacket.publicKeyAlgorithm = signingKeyPacket.algorithm;
-  signaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(privateKey, signingKeyPacket, date, userID, config);
+  signaturePacket.hashAlgorithm = await getPreferredHashAlgo$2(privateKey, signingKeyPacket, date, userID, config);
   signaturePacket.rawNotations = notations;
   await signaturePacket.sign(signingKeyPacket, dataToSign, date, detached);
   return signaturePacket;
@@ -27806,11 +28377,11 @@ function sanitizeKeyOptions(options, subkeyDefaults = {}) {
       } catch (e) {
         throw new Error('Unknown curve');
       }
-      if (options.curve === enums.curve.ed25519 || options.curve === enums.curve.curve25519) {
-        options.curve = options.sign ? enums.curve.ed25519 : enums.curve.curve25519;
+      if (options.curve === enums.curve.ed25519Legacy || options.curve === enums.curve.curve25519Legacy) {
+        options.curve = options.sign ? enums.curve.ed25519Legacy : enums.curve.curve25519Legacy;
       }
       if (options.sign) {
-        options.algorithm = options.curve === enums.curve.ed25519 ? enums.publicKey.eddsa : enums.publicKey.ecdsa;
+        options.algorithm = options.curve === enums.curve.ed25519Legacy ? enums.publicKey.eddsaLegacy : enums.publicKey.ecdsa;
       } else {
         options.algorithm = enums.publicKey.ecdh;
       }
@@ -27838,6 +28409,7 @@ function isValidSigningKeyPacket(keyPacket, signature) {
   return keyAlgo !== enums.publicKey.rsaEncrypt &&
     keyAlgo !== enums.publicKey.elgamal &&
     keyAlgo !== enums.publicKey.ecdh &&
+    keyAlgo !== enums.publicKey.x25519 &&
     (!signature.keyFlags ||
       (signature.keyFlags[0] & enums.keyFlags.signData) !== 0);
 }
@@ -27847,7 +28419,8 @@ function isValidEncryptionKeyPacket(keyPacket, signature) {
   return keyAlgo !== enums.publicKey.dsa &&
     keyAlgo !== enums.publicKey.rsaSign &&
     keyAlgo !== enums.publicKey.ecdsa &&
-    keyAlgo !== enums.publicKey.eddsa &&
+    keyAlgo !== enums.publicKey.eddsaLegacy &&
+    keyAlgo !== enums.publicKey.ed25519 &&
     (!signature.keyFlags ||
       (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||
       (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0);
@@ -27892,7 +28465,7 @@ function checkKeyRequirements(keyPacket, config) {
       }
       break;
     case enums.publicKey.ecdsa:
-    case enums.publicKey.eddsa:
+    case enums.publicKey.eddsaLegacy:
     case enums.publicKey.ecdh:
       if (config.rejectCurves.has(algoInfo.curve)) {
         throw new Error(`Support for ${algoInfo.algorithm} keys using curve ${algoInfo.curve} is disabled.`);
@@ -29402,7 +29975,7 @@ function createKey(packetlist) {
  * @static
  * @private
  */
-async function generate$2(options, config) {
+async function generate$4(options, config) {
   options.sign = true; // primary key is always a signing key
   options = sanitizeKeyOptions(options);
   options.subkeys = options.subkeys.map((subkey, index) => sanitizeKeyOptions(options.subkeys[index], options));
@@ -29519,50 +30092,50 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
     const dataToSign = {};
     dataToSign.userID = userIDPacket;
     dataToSign.key = secretKeyPacket;
-    const signaturePacket = new SignaturePacket();
-    signaturePacket.signatureType = enums.signature.certGeneric;
-    signaturePacket.publicKeyAlgorithm = secretKeyPacket.algorithm;
-    signaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(null, secretKeyPacket, undefined, undefined, config);
-    signaturePacket.keyFlags = [enums.keyFlags.certifyKeys | enums.keyFlags.signData];
-    signaturePacket.preferredSymmetricAlgorithms = createPreferredAlgos([
+
+    const signatureProperties = {};
+    signatureProperties.signatureType = enums.signature.certGeneric;
+    signatureProperties.keyFlags = [enums.keyFlags.certifyKeys | enums.keyFlags.signData];
+    signatureProperties.preferredSymmetricAlgorithms = createPreferredAlgos([
       // prefer aes256, aes128, then aes192 (no WebCrypto support: https://www.chromium.org/blink/webcrypto#TOC-AES-support)
       enums.symmetric.aes256,
       enums.symmetric.aes128,
       enums.symmetric.aes192
     ], config.preferredSymmetricAlgorithm);
     if (config.aeadProtect) {
-      signaturePacket.preferredAEADAlgorithms = createPreferredAlgos([
+      signatureProperties.preferredAEADAlgorithms = createPreferredAlgos([
         enums.aead.eax,
         enums.aead.ocb
       ], config.preferredAEADAlgorithm);
     }
-    signaturePacket.preferredHashAlgorithms = createPreferredAlgos([
+    signatureProperties.preferredHashAlgorithms = createPreferredAlgos([
       // prefer fast asm.js implementations (SHA-256)
       enums.hash.sha256,
       enums.hash.sha512
     ], config.preferredHashAlgorithm);
-    signaturePacket.preferredCompressionAlgorithms = createPreferredAlgos([
+    signatureProperties.preferredCompressionAlgorithms = createPreferredAlgos([
       enums.compression.zlib,
       enums.compression.zip,
       enums.compression.uncompressed
     ], config.preferredCompressionAlgorithm);
     if (index === 0) {
-      signaturePacket.isPrimaryUserID = true;
+      signatureProperties.isPrimaryUserID = true;
     }
     // integrity protection always enabled
-    signaturePacket.features = [0];
-    signaturePacket.features[0] |= enums.features.modificationDetection;
+    signatureProperties.features = [0];
+    signatureProperties.features[0] |= enums.features.modificationDetection;
     if (config.aeadProtect) {
-      signaturePacket.features[0] |= enums.features.aead;
+      signatureProperties.features[0] |= enums.features.aead;
     }
     if (config.v5Keys) {
-      signaturePacket.features[0] |= enums.features.v5Keys;
+      signatureProperties.features[0] |= enums.features.v5Keys;
     }
     if (options.keyExpirationTime > 0) {
-      signaturePacket.keyExpirationTime = options.keyExpirationTime;
-      signaturePacket.keyNeverExpires = false;
+      signatureProperties.keyExpirationTime = options.keyExpirationTime;
+      signatureProperties.keyNeverExpires = false;
     }
-    await signaturePacket.sign(secretKeyPacket, dataToSign, options.date);
+
+    const signaturePacket = await createSignaturePacket(dataToSign, null, secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);
 
     return { userIDPacket, signaturePacket };
   })).then(list => {
@@ -30081,6 +30654,15 @@ class Message {
       enums.read(enums.aead, await getPreferredAlgo('aead', encryptionKeys, date, userIDs, config$1)) :
       undefined;
 
+    await Promise.all(encryptionKeys.map(key => key.getEncryptionKey()
+      .catch(() => null) // ignore key strength requirements
+      .then(maybeKey => {
+        if (maybeKey && (maybeKey.keyPacket.algorithm === enums.publicKey.x25519) && !util.isAES(algo)) {
+          throw new Error('Could not generate a session key compatible with the given `encryptionKeys`: X22519 keys can only be used to encrypt AES session keys; change `config.preferredSymmetricAlgorithm` accordingly.');
+        }
+      })
+    ));
+
     const sessionKeyData = mod.generateSessionKey(algo);
     return { data: sessionKeyData, algorithm: algorithmName, aeadAlgorithm: aeadAlgorithmName };
   }
@@ -30255,7 +30837,7 @@ class Message {
       const signingKey = await primaryKey.getSigningKey(signingKeyID, date, userIDs, config$1);
       const onePassSig = new OnePassSignaturePacket();
       onePassSig.signatureType = signatureType;
-      onePassSig.hashAlgorithm = await getPreferredHashAlgo$1(primaryKey, signingKey.keyPacket, date, userIDs, config$1);
+      onePassSig.hashAlgorithm = await getPreferredHashAlgo$2(primaryKey, signingKey.keyPacket, date, userIDs, config$1);
       onePassSig.publicKeyAlgorithm = signingKey.keyPacket.algorithm;
       onePassSig.issuerKeyID = signingKey.getKeyID();
       if (i === signingKeys.length - 1) {
@@ -30388,7 +30970,7 @@ class Message {
     if (literalDataList.length !== 1) {
       throw new Error('Can only verify message with one literal data packet.');
     }
-    const signatureList = signature.packets;
+    const signatureList = signature.packets.filterByTag(enums.packet.signature); // drop UnparsablePackets
     return createVerificationObjects(signatureList, literalDataList, verificationKeys, date, true, config$1);
   }
 
@@ -30735,7 +31317,7 @@ class CleartextMessage {
    * @async
    */
   verify(keys, date = new Date(), config$1 = config) {
-    const signatureList = this.signature.packets;
+    const signatureList = this.signature.packets.filterByTag(enums.packet.signature); // drop UnparsablePackets
     const literalDataPacket = new LiteralDataPacket();
     // we assume that cleartext signature is generated based on UTF8 cleartext
     literalDataPacket.setText(this.text);
@@ -30820,7 +31402,7 @@ function verifyHeaders$1(headers, packetlist) {
   let oneHeader = null;
   let hashAlgos = [];
   headers.forEach(function(header) {
-    oneHeader = header.match(/Hash: (.+)/); // get header value
+    oneHeader = header.match(/^Hash: (.+)$/); // get header value
     if (oneHeader) {
       oneHeader = oneHeader[1].replace(/\s/g, ''); // remove whitespace
       oneHeader = oneHeader.split(',');
@@ -30912,7 +31494,7 @@ async function generateKey({ userIDs = [], passphrase, type = 'ecc', rsaBits = 4
   const options = { userIDs, passphrase, type, rsaBits, curve, keyExpirationTime, date, subkeys, symmetricHash, symmetricCipher };
 
   try {
-    const { key, revocationCertificate } = await generate$2(options, config$1);
+    const { key, revocationCertificate } = await generate$4(options, config$1);
     key.getKeys().forEach(({ keyPacket }) => checkKeyRequirements(keyPacket, config$1));
 
     return {
@@ -31106,7 +31688,7 @@ async function encryptKey({ privateKey, passphrase, config: config$1, ...rest })
  * @async
  * @static
  */
-async function encrypt$4({ message, encryptionKeys, signingKeys, passwords, sessionKey, format = 'armored', signature = null, wildcard = false, signingKeyIDs = [], encryptionKeyIDs = [], date = new Date(), signingUserIDs = [], encryptionUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
+async function encrypt$5({ message, encryptionKeys, signingKeys, passwords, sessionKey, format = 'armored', signature = null, wildcard = false, signingKeyIDs = [], encryptionKeyIDs = [], date = new Date(), signingUserIDs = [], encryptionUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkMessage(message); checkOutputMessageFormat(format);
   encryptionKeys = toArray$1(encryptionKeys); signingKeys = toArray$1(signingKeys); passwords = toArray$1(passwords);
@@ -31175,7 +31757,7 @@ async function encrypt$4({ message, encryptionKeys, signingKeys, passwords, sess
  * @async
  * @static
  */
-async function decrypt$4({ message, decryptionKeys, passwords, sessionKeys, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
+async function decrypt$5({ message, decryptionKeys, passwords, sessionKeys, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkMessage(message); verificationKeys = toArray$1(verificationKeys); decryptionKeys = toArray$1(decryptionKeys); passwords = toArray$1(passwords); sessionKeys = toArray$1(sessionKeys);
   if (rest.privateKeys) throw new Error('The `privateKeys` option has been removed from openpgp.decrypt, pass `decryptionKeys` instead');
@@ -31238,7 +31820,7 @@ async function decrypt$4({ message, decryptionKeys, passwords, sessionKeys, veri
  * @async
  * @static
  */
-async function sign$5({ message, signingKeys, format = 'armored', detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
+async function sign$6({ message, signingKeys, format = 'armored', detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkCleartextOrMessage(message); checkOutputMessageFormat(format);
   signingKeys = toArray$1(signingKeys); signingKeyIDs = toArray$1(signingKeyIDs); signingUserIDs = toArray$1(signingUserIDs); signatureNotations = toArray$1(signatureNotations);
@@ -31307,7 +31889,7 @@ async function sign$5({ message, signingKeys, format = 'armored', detached = fal
  * @async
  * @static
  */
-async function verify$5({ message, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
+async function verify$6({ message, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkCleartextOrMessage(message); verificationKeys = toArray$1(verificationKeys);
   if (rest.publicKeys) throw new Error('The `publicKeys` option has been removed from openpgp.verify, pass `verificationKeys` instead');
@@ -44476,7 +45058,7 @@ function* makePRNG(wasmContext, pass, lane, slice, m_, totalPasses, segmentLengt
   return [];
 }
 
-function validateParams$7({ type, version, tagLength, password, salt, ad, secret, parallelism, memorySize, passes }) {
+function validateParams$9({ type, version, tagLength, password, salt, ad, secret, parallelism, memorySize, passes }) {
   const assertLength = (name, value, min, max) => {
     if (value < min || value > max) { throw new Error(`${name} size should be between ${min} and ${max} bytes`); }
   };
@@ -44499,7 +45081,7 @@ const WASM_PAGE_SIZE = 64 * KB;
 function argon2id(params, { memory, instance: wasmInstance }) {
   if (!isLittleEndian$1) throw new Error('BigEndian system not supported'); // optmisations assume LE system
 
-  const ctx = validateParams$7({ type: TYPE$2, version: VERSION$4, ...params });
+  const ctx = validateParams$9({ type: TYPE$2, version: VERSION$4, ...params });
 
   const { G:wasmG, G2:wasmG2, xor:wasmXOR, getLZ:wasmLZ } = wasmInstance.exports;
   const wasmRefs = {};
@@ -44773,4 +45355,4 @@ var index = /*#__PURE__*/Object.freeze({
   'default': loadWasm
 });
 
-export { AEADEncryptedDataPacket, CleartextMessage, CompressedDataPacket, KDFParams, LiteralDataPacket, MarkerPacket, Message, OnePassSignaturePacket, PacketList, PrivateKey, PublicKey, PublicKeyEncryptedSessionKeyPacket, PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket, Signature, SignaturePacket, Subkey, SymEncryptedIntegrityProtectedDataPacket, SymEncryptedSessionKeyPacket, SymmetricallyEncryptedDataPacket, TrustPacket, UnparseablePacket, UserAttributePacket, UserIDPacket, armor, config, createCleartextMessage, createMessage, decrypt$4 as decrypt, decryptKey, decryptSessionKeys, encrypt$4 as encrypt, encryptKey, encryptSessionKey, enums, generateKey, generateSessionKey$1 as generateSessionKey, readCleartextMessage, readKey, readKeys, readMessage, readPrivateKey, readPrivateKeys, readSignature, reformatKey, revokeKey, sign$5 as sign, unarmor, verify$5 as verify };
+export { AEADEncryptedDataPacket, CleartextMessage, CompressedDataPacket, KDFParams, LiteralDataPacket, MarkerPacket, Message, OnePassSignaturePacket, PacketList, PrivateKey, PublicKey, PublicKeyEncryptedSessionKeyPacket, PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket, Signature, SignaturePacket, Subkey, SymEncryptedIntegrityProtectedDataPacket, SymEncryptedSessionKeyPacket, SymmetricallyEncryptedDataPacket, TrustPacket, UnparseablePacket, UserAttributePacket, UserIDPacket, armor, config, createCleartextMessage, createMessage, decrypt$5 as decrypt, decryptKey, decryptSessionKeys, encrypt$5 as encrypt, encryptKey, encryptSessionKey, enums, generateKey, generateSessionKey$1 as generateSessionKey, readCleartextMessage, readKey, readKeys, readMessage, readPrivateKey, readPrivateKeys, readSignature, reformatKey, revokeKey, sign$6 as sign, unarmor, verify$6 as verify };